Re: javax.naming.NamingException: Resource DTMManager not found on Tomcat 6.0
On 14/10/2014 05:52, Rajeev Singh wrote:

Hi,

Environment: Redhat Linux
Tomcat: Version 6.0

I'm getting exception like

javax.naming.NamingException: Resource /WEB-INF/classes/META-INF/services/com.sun.org.apache.xml.internal.dtm.DTMManager not found
javax.naming.NamingException: Resource /WEB-INF/classes/net/sourceforge/jtds/jdbc/Driver.class not found

in lookup method of org.apache.naming.resources.ProxyDirContext.

In my application this isn't causing a logic issue, but this bug is manifesting as a notable performance problem. Every time a bad path is passed into the ProxyDirContext it's actually causing quite a lot of NamingExceptions to be thrown as it tries alternative paths (see BaseDirContext.lookup). All of these exceptions are swallowed but what I'm seeing is that this is happening many times over the course of a request as my application is looking up different resources, and the time it takes to build all of these swallowed NamingExceptions has become significant.

The path where the tomcat tries to search the resource doesn't exist. I tried searching the configuration files in conf folder of Tomcat but nowhere this type of path is mentioned. Any help/pointer on how tomcat figures out resource path will be of great help.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56771

Mark

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
How can Tomcat be started at boot time as a non-root user
Hello and thank you for reading my post.

My question is about how can Tomcat be started at boot time as a non-root user. The OS is Debian Wheezy.

Below is what I did already:

root chown -R tomcat7.tomcat7 /opt/tomcat7/

I created a new file: /etc/init.d/tomcat7
Owner and owner group: root
Permissions: 755

---
#! /bin/sh
export JAVA_HOME=/opt/jdk1.7.0_67/
case $1 in
    start)
        /bin/bash /opt/tomcat7/bin/startup.sh
        ;;
    stop)
        /bin/bash /opt/tomcat7/bin/shutdown.sh
        ;;
    restart)
        /bin/bash /opt/tomcat7/bin/shutdown.sh
        /bin/bash /opt/tomcat7/bin/startup.sh
        ;;
esac
exit 0
---

I ran:

root update-rc.d tomcat7 defaults

Added to /etc/rc0.d/: K01tomcat7
Added to /etc/rc1.d/: K01tomcat7
Added to /etc/rc2.d/: S17tomcat7
Added to /etc/rc3.d/: S17tomcat7
Added to /etc/rc4.d/: S17tomcat7
Added to /etc/rc5.d/: S17tomcat7
Added to /etc/rc6.d/: K01tomcat7

At boot time, tomcat is started as root. How can it be started as tomcat7?

Best regards.

--
View this message in context: http://tomcat.10.x6.nabble.com/How-can-Tomcat-be-started-at-boot-time-as-a-non-root-user-tp5023810.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: How can Tomcat be started at boot time as a non-root user
On Tue, Oct 14, 2014 at 7:06 AM, Léa Massiot lmhe...@orange.fr wrote:

Hello and thank you for reading my post.

My question is about how can Tomcat be started at boot time as a non-root user. The OS is Debian Wheezy.

Below is what I did already:

root chown -R tomcat7.tomcat7 /opt/tomcat7/

I created a new file: /etc/init.d/tomcat7
Owner and owner group: root
Permissions: 755

---
#! /bin/sh
export JAVA_HOME=/opt/jdk1.7.0_67/
case $1 in
    start)
        /bin/bash /opt/tomcat7/bin/startup.sh
        ;;
    stop)
        /bin/bash /opt/tomcat7/bin/shutdown.sh
        ;;
    restart)
        /bin/bash /opt/tomcat7/bin/shutdown.sh
        /bin/bash /opt/tomcat7/bin/startup.sh
        ;;
esac
exit 0
---

I ran:

root update-rc.d tomcat7 defaults

Added to /etc/rc0.d/: K01tomcat7
Added to /etc/rc1.d/: K01tomcat7
Added to /etc/rc2.d/: S17tomcat7
Added to /etc/rc3.d/: S17tomcat7
Added to /etc/rc4.d/: S17tomcat7
Added to /etc/rc5.d/: S17tomcat7
Added to /etc/rc6.d/: K01tomcat7

At boot time, tomcat is started as root. How can it be started as tomcat7?

What about this?

http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon

Dan

Best regards.
Re: Tomcat windows authentication domain login issue
On 14.10.2014 at 05:32, tantaryu wrote:

I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and used the manager web application that comes with tomcat to do a poc. In my web.xml I change and also changes the auth-constraint to the following

Maybe it is just me, but I can't see what you have added. Did you send your mail as html? If so, try to send it as text again.

Regards
Felix

This is my krb5.ini This is my jaas.conf The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same. I added this in my server.xml When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
Re: Accessing Connector from within Servlet
On 13.10.2014 at 18:20, Sean K wrote:

Hi, I am new to the tomcat user group but have been using tomcat for some years.

My situation is odd -- the customer wants the product to remove an external JAR which requires me to make the SSL mutual connection manually, and then post the Soap message. So far I have been successful in doing that. However, this overall solution is installed on different computer locations, I need to allow this to work flexibly.

Right now, I have hard coded the path to the TrustStore and KeyStore so that my code can access those and use the password which I know, so that my HttpClient side code to build the correct SSL connection to the external SSL server. (This is a mutual peer authenticated SSL connection).

From the ServletContext or when the java servlet starts (where my httpclient component runs within), I need to get access to the tomcat connector, and determine the attributes of it.

I guess one brute force method is to get the environment variable for catalina.home or catalina.base and then scan for the conf/server.xml and parse that. But I figure there must be a cleaner and better way.

You can't and shouldn't access container internals from the official api's, which ServletContext and HttpServlet are.

If I understood you right, you want to access the attributes from tomcat internal components to read the filename/path and passwords to reuse the keystore for your client, which happens to live inside a servlet.

I believe you are better off when you give your servlet its own keystore and configure the filename/path and credentials in a more conventional way with environment or context variables.

If you do insist on getting the parameters from tomcat internal components, you could try using tomcat internal components like a Valve.

I also scanned the objects that are accessible from the Response, Request, or ServletContext. None of them seem to point to the Connector in a way that I can inspect it, or get current properties of it.

For example, within the org.apache.catalina.connector.ResponseFacade, I noticed that its embedded object of HttpResponse is protected but it has the Connector. Seems like I need to hack that to get that Connector info. There must be a better way.

I think the better way is to configure your components independently.

Regards
Felix
Re: Custom Realm
Meeraj,

On 10/12/14 8:26 AM, Service Symphony wrote:

I have got it working, since the server is not started yet, none of the underlying infrastructure is available in the realm class constructor.

If you extend RealmBase (a good idea), then you can use the lifecycle interface to receive calls when Tomcat changes states (e.g. is actually started and the JNDI service is available).

If you use Tomcat 8, there was recently a change to the realm code to allow for customized credential handling (i.e. password-munging). If you only need to customize how passwords are checked -- for example, by using a different hashing algorithm than what MessageDigest provides -- then you might want to look into using that instead.

-chris

On 11 Oct 2014, at 22:37, Meeraj Kunnumpurath mee...@servicesymphony.com wrote:

Hi,

I have some specific requirements for security and I have been trying to write a custom realm, that reads information from the database.

1. I have added a datasource in the global naming resources section in the server.xml
2. I have packaged the realm class in a JAR file and copied it to the server lib
3. I have included a context.xml in the WAR META-INF, that declares the realm from (2)

In the constructor of the realm class, I try to look up the datasource,

1. If I use new InitialContext().lookup, I get a name not found exception.
2. If I try to get the global naming context, by calling getServer from RealmBase, getServer returns a null reference.

This is the entry in server.xml

<Resource name="MyDS" auth="Container" type="javax.sql.DataSource"
          driverClassName="oracle.jdbc.OracleDriver"
          factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
          url="jdbc:oracle:thin:@10.211.55.7:1521:xe"
          username="meeraj" password="password"
          maxTotal="20" maxIdle="10" maxWaitMillis="-1"
          accessToUnderlyingConnectionAllowed="true"/>

This is the entry in the context.xml

<Realm className="com.ss.security.provider.DatabaseRealm" digest="SHA1"/>

This is the constructor of the Realm class

public DatabaseRealm() throws NamingException {
    Context context = null;
    try {
        context = new InitialContext();
        template = new SimpleJdbcTemplate((DataSource) context.lookup("MyDS"));
    } finally {
        if (context != null) context.close();
    }
}

Any pointers will be highly appreciated.

Many thanks

--
Meeraj Kunnumpurath
Director and Executive Principal
Service Symphony Ltd
00 44 7702 693597
mee...@servicesymphony.com
Re: How can Tomcat be started at boot time as a non-root user
Hello Dan and thank you for your answer.

I installed the JSVC tool as indicated in your document http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon

I copied the jsvc executable into /opt/tomcat7/bin/. I also copied /opt/tomcat7/bin/daemon.sh into /etc/init.d and renamed it as tomcat7.

I added the following lines at the beginning of /etc/init.d/tomcat7:

---
CATALINA_HOME=/opt/tomcat7
export CATALINA_HOME
TOMCAT_USER=webadmin
export TOMCAT_USER
JAVA_HOME=/opt/jdk1.7.0_67
---

I hope I did all this the right way... ?

Now, if I reboot, log in as root and launch the command:

root ps aux | grep tomcat7

I notice that there are two jsvc.exec processes, one run by root and the other one run by webadmin whose UID is 1000:

---
root 2841 0.0 0.0 16752 412 ? Ss 16:30 0:00 jsvc.exec -java-home /opt/jdk1.7.0_67 -user webadmin -pidfile /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile /opt/tomcat7/logs/catalina-daemon.out -errfile 1 -classpath /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7 -Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp org.apache.catalina.startup.Bootstrap
1000 2842 8.9 1.1 2434512 97444 ? Sl 16:30 0:03 jsvc.exec -java-home /opt/jdk1.7.0_67 -user webadmin -pidfile /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile /opt/tomcat7/logs/catalina-daemon.out -errfile 1 -classpath /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7 -Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp org.apache.catalina.startup.Bootstrap
---

If I kill -9 the process owned by user 1000, another process is immediately created to replace the killed one. If I kill the process owned by root, no new process is created. And if I kill the last remaining process, the one owned by user 1000, no new process is created either.

I noticed that the $CATALINA_PID file contains the PID of the process owned by user 1000.

I am wondering if this is normal behavior and if it is, why is it behaving like this?

Thank you for helping.

Best regards.
Re: How can Tomcat be started at boot time as a non-root user
On 10/14/2014 10:09 AM, Léa Massiot wrote:

Hello Dan and thank you for your answer.

I installed the JSVC tool as indicated in your document http://tomcat.apache.org/tomcat-7.0-doc/setup.html#Unix_daemon

I copied the jsvc executable into /opt/tomcat7/bin/. I also copied /opt/tomcat7/bin/daemon.sh into /etc/init.d and renamed it as tomcat7.

I added the following lines at the beginning of /etc/init.d/tomcat7:

---
CATALINA_HOME=/opt/tomcat7
export CATALINA_HOME
TOMCAT_USER=webadmin
export TOMCAT_USER
JAVA_HOME=/opt/jdk1.7.0_67
---

I hope I did all this the right way... ?

Now, if I reboot, log in as root and launch the command:

root ps aux | grep tomcat7

I notice that there are two jsvc.exec processes, one run by root and the other one run by webadmin whose UID is 1000:

The root process forks the child process and then sticks around. You'll see why below.

---
root 2841 0.0 0.0 16752 412 ? Ss 16:30 0:00 jsvc.exec -java-home /opt/jdk1.7.0_67 -user webadmin -pidfile /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile /opt/tomcat7/logs/catalina-daemon.out -errfile 1 -classpath /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7 -Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp org.apache.catalina.startup.Bootstrap
1000 2842 8.9 1.1 2434512 97444 ? Sl 16:30 0:03 jsvc.exec -java-home /opt/jdk1.7.0_67 -user webadmin -pidfile /opt/tomcat7/logs/catalina-daemon.pid -wait 10 -outfile /opt/tomcat7/logs/catalina-daemon.out -errfile 1 -classpath /opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/commons-daemon.jar:/opt/tomcat7/bin/tomcat-juli.jar -Djava.util.logging.config.file=/opt/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs= -Dcatalina.base=/opt/tomcat7 -Dcatalina.home=/opt/tomcat7 -Djava.io.tmpdir=/opt/tomcat7/temp org.apache.catalina.startup.Bootstrap
---

If I kill -9 the process owned by user 1000, another process is immediately created to replace the killed one.

The parent process which runs as ROOT re-starts the child process if it accidentally dies. So, if you have a segfault, your app gets re-started.

If I kill the process owned by root, no new process is created. And if I kill the last remaining process, the one owned by user 1000, no new process is created either.

That's expected.

I noticed that the $CATALINA_PID file contains the PID of the process owned by user 1000.

Which is the UID of your webadmin user that you specified on the command line to jsvc.

I am wondering if this is normal behavior and if it is, why is it behaving like this?

It's behaving that way by design. If you stop and think about what it's doing, it makes perfect sense.

If you want to shut the app down, you need to use the JSVC executable to do so, or do a killall -9 jsvc.

--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
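Added example, not part of the thread: a shell function that reads `ps -eo user=,pid=,ppid=,args=` style lines and reports whether the Tomcat JVM itself runs as root, treating the root-owned jsvc parent described in the reply above as the expected controller. The function name, the output format and both sample listings are constructed for illustration; the second sample models the original init script that launched startup.sh as root.

```shell
#!/bin/sh
# Added example: audit which account the Tomcat JVM really runs as.
# Input on stdin: lines shaped like `ps -eo user=,pid=,ppid=,args=` (no header).

audit_tomcat_ps() {
    awk '
    # Only consider processes that launch the Tomcat bootstrap class.
    index($0, "org.apache.catalina.startup.Bootstrap") {
        pid = $2
        owner[pid]  = $1
        parent[pid] = $3
        # ps shows the jsvc binary as "jsvc" or "jsvc.exec", possibly with a path.
        is_jsvc[pid] = ($4 ~ /^jsvc/ || $4 ~ /\/jsvc/) ? 1 : 0
        drop_to[pid] = ""
        for (i = 5; i < NF; i++)
            if ($i == "-user") drop_to[pid] = $(i + 1)
        order[++n] = pid
    }
    END {
        failed = 0
        for (k = 1; k <= n; k++) {
            p = order[k]
            pp = parent[p]
            as_root = (owner[p] == "root" || owner[p] == "0")
            if (is_jsvc[p] && !((pp in is_jsvc) && is_jsvc[pp])) {
                # Top-level jsvc: the controller that forks and restarts the child.
                role = "jsvc-controller"
                if (as_root && (drop_to[p] == "" || drop_to[p] == "root")) {
                    verdict = "FAIL"; note = "controller has no non-root -user"
                } else {
                    verdict = "INFO"
                    note = "controller; -user " (drop_to[p] == "" ? "not set" : drop_to[p])
                }
            } else {
                # jsvc child or a plain java process: this is the JVM serving requests.
                role = is_jsvc[p] ? "jsvc-child" : "java"
                if (as_root) { verdict = "FAIL"; note = "JVM runs as root" }
                else         { verdict = "OK";   note = "JVM runs unprivileged" }
            }
            if (verdict == "FAIL") failed = 1
            printf "%s pid=%s user=%s role=%s (%s)\n", verdict, p, owner[p], role, note
        }
        if (n == 0) print "INFO no Tomcat process found"
        exit failed
    }'
}

# Constructed sample: jsvc layout as in the thread (arguments shortened).
sample_jsvc() {
    cat <<'EOF'
root 2841 1 jsvc.exec -java-home /opt/jdk1.7.0_67 -user webadmin -pidfile /opt/tomcat7/logs/catalina-daemon.pid org.apache.catalina.startup.Bootstrap
1000 2842 2841 jsvc.exec -java-home /opt/jdk1.7.0_67 -user webadmin -pidfile /opt/tomcat7/logs/catalina-daemon.pid org.apache.catalina.startup.Bootstrap
EOF
}

# Constructed sample: startup.sh called directly from a root init script.
sample_root_init() {
    cat <<'EOF'
root 1907 1 /opt/jdk1.7.0_67/bin/java -Dcatalina.base=/opt/tomcat7 -Dcatalina.home=/opt/tomcat7 org.apache.catalina.startup.Bootstrap start
EOF
}

# Demo on the constructed samples.
sample_jsvc | audit_tomcat_ps
sample_root_init | audit_tomcat_ps || echo "root-owned JVM detected"
```

On a live host the same function can be fed with `ps -eo user=,pid=,ppid=,args= | audit_tomcat_ps`; a non-zero exit status means a request-serving JVM is owned by root.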
systemd tomcat.service
hi, is there an official tomcat.service for systemd? thanks, Igal -- Igal Sapir Railo Core Developer http://getRailo.org/
Re: How can Tomcat be started at boot time as a non-root user
Léa,

On 10/14/14 7:06 AM, Léa Massiot wrote:

My question is about how can Tomcat be started at boot time as a non-root user. The OS is Debian Wheezy.

Below is what I did already:

root chown -R tomcat7.tomcat7 /opt/tomcat7/

I created a new file: /etc/init.d/tomcat7
Owner and owner group: root
Permissions: 755

---
#! /bin/sh
export JAVA_HOME=/opt/jdk1.7.0_67/
case $1 in
    start)
        /bin/bash /opt/tomcat7/bin/startup.sh

Change this to:

su -c "/bin/bash /opt/tomcat7/bin/startup.sh" tomcat7

Look at the man page for su to see what's going on.

Or you can use jsvc as others have suggested. I think jsvc is probably more robust (because it can restart Tomcat if it dies) but it's a bit more hassle, too.

-chris
Re: [ANN] Apache Tomcat 8.0.14 available
Congrats on the release!

It seems docs haven't been updated (completely), there are still WebSocket 1.0 references like ones on http://tomcat.apache.org/tomcat-8.0-doc/web-socket-howto.html

Kind regards,
Stevo Slavic

On Wed, Oct 1, 2014 at 12:08 PM, Mark Thomas ma...@apache.org wrote:

On 01/10/2014 11:00, Johan Compagner wrote:

On 1 October 2014 10:48, Mark Thomas ma...@apache.org wrote:

Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

that one only goes to max .12 (at least at this time)

The changelog for 8.0.14 was published before I sent out the announcement. It looks like the US web server is behind on updates (they should be live within seconds of the update). Until the US catches up, you can use tomcat.eu.apache.org.

Mart
Re: How can Tomcat be started at boot time as a non-root user
Chris,

On Tuesday, October 14, 2014 9:47 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Léa,

On 10/14/14 7:06 AM, Léa Massiot wrote:

My question is about how can Tomcat be started at boot time as a non-root user. The OS is Debian Wheezy.

Below is what I did already:

root chown -R tomcat7.tomcat7 /opt/tomcat7/

I created a new file: /etc/init.d/tomcat7
Owner and owner group: root
Permissions: 755

---
#! /bin/sh
export JAVA_HOME=/opt/jdk1.7.0_67/
case $1 in
    start)
        /bin/bash /opt/tomcat7/bin/startup.sh

Change this to:

su -c "/bin/bash /opt/tomcat7/bin/startup.sh" tomcat7

You might need to use runuser in the above line if you're running SELinux.

Look at the man page for su to see what's going on.

Or you can use jsvc as others have suggested. I think jsvc is probably more robust (because it can restart Tomcat if it dies) but it's a bit more hassle, too.

I've not tried the jsvc route yet, but I'm sorely tempted (especially now with systemd). Writing an init script that takes care of all the issues is complicated.

-chris

. . . just my two cents
/mde/
Tomcat 6 APR SSL Issue
Hi,

I have a question that may be a bug, or I'm just not doing something right (I'll happily believe either).

Configuration: Tomcat 6.0 running on Windows Server

The tcnative-1.dll is the latest from the download site http://tomcat.apache.org/download-native.cgi

Item #1

In our tomcat server.xml config, we have:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxHttpHeaderSize="8192"
           scheme="https" secure="true" SSLEnabled="true"
           SSLDisableCompression="true"
           SSLHonorCipherOrder="true"
           SSLProtocol="TLSv1+SSLv3"
           SSLCertificateFile="certificate.crt"
           SSLCertificateKeyFile="certificate.key"
           SSLCertificateChainFile="chain.crt"
           SSLCipherSuite="kEECDH+AES256+AESGCM:kEECDH+AES256:kEDH+AES256+AESGCM:kEDH+AES256:kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:kECDH:kDH:HIGH:-ADH:-MD5:-RC4:-CAMELLIA128:-3DES:-MEDIUM:-LOW:-EXP:-aNULL:-eNULL" />

The issue here is tomcat is only binding to the IPv4 (0.0.0.0) address, and not binding to the IPv6 on the box. If I add an address="0.0.0.0" and then duplicate this connector and replace the address option with: address="::" It binds to both IPv4 and IPv6 as expected. However, tomcat will no longer stop when you try to stop the windows service. I have to kill the process to get it to stop. If I only have one or the other of the two connectors present, it will stop as expected.

Also of note, if I used: protocol="org.apache.coyote.http11.Http11Protocol" instead, it would bind to both IPv4 and IPv6 as expected when no address option is specified (but that method won't take some of the options we want to have set).

Issue #2

We would like to have it use: SSLProtocol="TLSv1" but when you have just that as the option, it will only talk TLS v1.0, not TLSv1.1 or TLSv1.2. Looking briefly at the source code, it looks like you only have the option to specify a combination of TLSv1, SSLv2 and SSLv3.

If we use the option as specified above (TLSv1+SSLv3), it will do all three TLS versions and SSLv3. Is there a way to get it to do TLS and all three versions of it?

Also, with SSLv2 not specified, it will still accept that protocol, but in the end will fail because no encryption methods for it are enabled. Is there a way to have it refuse to talk SSLv2 from the start?

Thanks
James
Re: How can Tomcat be started at boot time as a non-root user
Mark,

On 10/14/14 1:21 PM, Mark Eggers wrote:

Chris,

On Tuesday, October 14, 2014 9:47 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Léa,

On 10/14/14 7:06 AM, Léa Massiot wrote:

My question is about how can Tomcat be started at boot time as a non-root user. The OS is Debian Wheezy.

Below is what I did already:

root chown -R tomcat7.tomcat7 /opt/tomcat7/

I created a new file: /etc/init.d/tomcat7
Owner and owner group: root
Permissions: 755

---
#! /bin/sh
export JAVA_HOME=/opt/jdk1.7.0_67/
case $1 in
    start)
        /bin/bash /opt/tomcat7/bin/startup.sh

Change this to:

su -c "/bin/bash /opt/tomcat7/bin/startup.sh" tomcat7

You might need to use runuser in the above line if you're running SELinux.

Oh, I wasn't aware of that. I don't use SELinux myself.

Look at the man page for su to see what's going on.

Or you can use jsvc as others have suggested. I think jsvc is probably more robust (because it can restart Tomcat if it dies) but it's a bit more hassle, too.

I've not tried the jsvc route yet, but I'm sorely tempted (especially now with systemd).

I'm interested to hear what you have to say about systemd and how it relates to Tomcat deployments. systemd can (allegedly) work just fine with plain-old init scripts if you want to use them.

Writing an init script that takes care of all the issues is complicated.

We have one that works just fine under both Debian and RHEL, with dependencies, etc. It's a bare-bones script that basically just calls our ant build script which understands how to launch Tomcat with all the right environment variables set. We do this because we have multiple VMs running -- one per webapp -- and everything is configured in one place. Basically, /etc/init.d/webapp start for us just translates into ant tomcat-start, etc.

-chris
Re: systemd tomcat.service
Igal,

On 10/14/14 12:34 PM, Igal @ getRailo.org wrote:

is there an official tomcat.service for systemd?

Nope. There also was never an official rc.d init script, either.

Would you care to write a tomcat.service for systemd and post it to the wiki?

-chris
Re: systemd tomcat.service
Chris, On 10/14/2014 11:48 AM, Christopher Schultz wrote: Would you care to write a tomcat.service for systemd and post it to the wiki? I'd love to, after I iron out the details. I've been running Tomcat on Windows for years and am now migrating to Linux. Once I have things running properly I'd love to help in any way I can. Best, Igal -- Igal Sapir Railo Core Developer http://getRailo.org/
Re: [ANN] Apache Tomcat 8.0.14 available
On 14/10/2014 17:57, Stevo Slavić wrote:

Congrats on the release! It seems docs haven't been updated (completely), there are still WebSocket 1.0 references like ones on http://tomcat.apache.org/tomcat-8.0-doc/web-socket-howto.html

Thanks. Fixed for the next release.

Mark

Kind regards, Stevo Slavic

On Wed, Oct 1, 2014 at 12:08 PM, Mark Thomas ma...@apache.org wrote:

On 01/10/2014 11:00, Johan Compagner wrote:

On 1 October 2014 10:48, Mark Thomas ma...@apache.org wrote:

Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

that one only goes to max .12 (at least at this time)

The changelog for 8.0.14 was published before I sent out the announcement. It looks like the US web server is behind on updates (they should be live within seconds of the update). Until the US catches up, you can use tomcat.eu.apache.org.

Mart
Re: How can Tomcat be started at boot time as a non-root user
Chris,

On Tuesday, October 14, 2014 11:47 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Mark,

On 10/14/14 1:21 PM, Mark Eggers wrote:

Chris,

On Tuesday, October 14, 2014 9:47 AM, Christopher Schultz ch...@christopherschultz.net wrote:

Léa,

On 10/14/14 7:06 AM, Léa Massiot wrote:

My question is about how can Tomcat be started at boot time as a non-root user. The OS is Debian Wheezy.

Below is what I did already:

root chown -R tomcat7.tomcat7 /opt/tomcat7/

I created a new file: /etc/init.d/tomcat7
Owner and owner group: root
Permissions: 755

---
#! /bin/sh
export JAVA_HOME=/opt/jdk1.7.0_67/
case $1 in
    start)
        /bin/bash /opt/tomcat7/bin/startup.sh

Change this to:

su -c "/bin/bash /opt/tomcat7/bin/startup.sh" tomcat7

You might need to use runuser in the above line if you're running SELinux.

Oh, I wasn't aware of that. I don't use SELinux myself.

We use SELinux, and so far it's not bitten us too hard.

Look at the man page for su to see what's going on.

Or you can use jsvc as others have suggested. I think jsvc is probably more robust (because it can restart Tomcat if it dies) but it's a bit more hassle, too.

I've not tried the jsvc route yet, but I'm sorely tempted (especially now with systemd).

I'm interested to hear what you have to say about systemd and how it relates to Tomcat deployments. systemd can (allegedly) work just fine with plain-old init scripts if you want to use them.

I've seen that, but it seems more like a hack (and some of the systemd people think so as well). I'd rather look at some examples and see if I can do things correctly. My biggest systemd complaints so far are service level logging, feedback, and status information.

Writing an init script that takes care of all the issues is complicated.

We have one that works just fine under both Debian and RHEL, with dependencies, etc. It's a bare-bones script that basically just calls our ant build script which understands how to launch Tomcat with all the right environment variables set. We do this because we have multiple VMs running -- one per webapp -- and everything is configured in one place. Basically, /etc/init.d/webapp start for us just translates into ant tomcat-start, etc.

Ours works more or less like that. One script per Tomcat, and the script name matches the service name, matches the configuration file name. Our script is a bit more complex, since it does some of the RedHat / CentOS housekeeping. It also has some checks for sane starts and restarts (checks to see if things are running cleanly or not, etc.).

-chris

We have a nice environment based on $CATALINA_HOME, $CATALINA_BASE, separate appBase directories, and soft links. This allows us to upgrade Tomcat without impacting production. The final (production impact) upgrade steps are:

1. Shut down service
2. Move links
3. Bring up service

One of these days, we'll look at Chef / Puppet / et. al.

. . . just my two cents
/mde/
Embedded Tomcat
Hi,

I'm currently working on integrating embedded Tomcat in the OPS4j Pax Web OSGi container as an alternative underlying web container. Right now I'm stuck on a certain point that is kind of hard to understand, so I'm sure I'm doing something awfully wrong :)

So here is what I'm struggling with. Using Tomcat 8 embedded core: while the context is started I eventually end up at [1]. This is the point I don't get, cause I'd expect Servlets to be started at [2], but obviously the Servlets are already started at [1]. Therefore the ServletContainerInitializers are never called [3].

Now my question: what am I doing wrong, as all servlets are registered as children?

I'm very well aware that these questions might not really make a lot of sense, therefore you'll find the current implementation at [4].

regards, Achim

[1] - https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5098
[2] - https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5229
[3] - https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/StandardContext.java#L5182
[4] - https://github.com/ops4j/org.ops4j.pax.web/blob/master/pax-web-tomcat/src/main/java/org/ops4j/pax/web/service/tomcat/internal/TomcatServerWrapper.java#L342

--
Apache Member
Apache Karaf http://karaf.apache.org/ Committer PMC
OPS4J Pax Web http://wiki.ops4j.org/display/paxweb/Pax+Web/ Committer Project Lead
blog http://notizblog.nierbeck.de/
Co-Author of Apache Karaf Cookbook http://bit.ly/1ps9rkS
Software Architect / Project Manager / Scrum Master
Re: Tomcat windows authentication domain login issue
Oh, let me try again. I need some idea on what's wrong with my Tomcat configuration for Windows authentication. I followed the Tomcat Windows authentication tutorial and used the manager web application that comes with Tomcat to do a PoC. In my web.xml I changed to and also changed the auth-constraint to the following . This is my krb5.ini This is my jaas.conf The weird thing is regardless of what username and password I put in when I accessed the Tomcat manager web-app the debug message shown is the same. I added this in my server.xml When I tried to log in, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
Re: Tomcat windows authentication domain login issue
Let me know if you can read it still. I didn't check the "Message is in HTML Format" option.
RE: Tomcat windows authentication domain login issue
From: tantaryu [mailto:ming...@outlook.com]
Subject: Re: Tomcat windows authentication domain login issue

Let me know if you can read it still. I didn't check the "Message is in HTML Format" option.

It didn't help. Don't use Nabble - post to the user's list directly from an e-mail client.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Tomcat windows authentication domain login issue
Okay, now I tried with an email client. Let's see if it works.

I need some idea on what's wrong with my Tomcat configuration for Windows authentication. I followed the Tomcat Windows authentication tutorial and used the manager web application that comes with Tomcat to do a PoC. In my web.xml I changed <auth-method>BASIC</auth-method> to <auth-method>SPNEGO</auth-method> and also changed the auth-constraint to the following:

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

This is my krb5.ini:

[libdefaults]
default_realm = ACME
default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
ACME = {
  kdc = AD-Server:88
}

[domain_realm]
acme= ACME
.acme= ACME

This is my jaas.conf:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=true
  doNotPrompt=true
  principal="HTTP/Client2@ACME"
  useKeyTab=true
  keyTab="C:/tomcat/conf/tomcat.keytab"
  //useTicketCache=true
  storeKey=true;
};

com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=true
  doNotPrompt=true
  principal="HTTP/Client2@ACME"
  useKeyTab=true
  keyTab="C:/tomcat/conf/tomcat.keytab"
  //useTicketCache=true
  storeKey=true;
};

The weird thing is regardless of what username and password I put in when I accessed the Tomcat manager web-app the debug message shown is the same.
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): acme
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): Client2
KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Java config name: C:\tomcat\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
KdcAccessibility: reset
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #bytes=124
KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124
KrbKdcReq send: #bytes read=538
KdcAccessibility: remove AD-Server:88
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
principal is HTTP/Client2@ACME
Will use keytab
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

I added this in my server.xml:

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
</Realm>

When I tried to log in, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential.
What do I need to change to make it work?

Date: Tue, 14 Oct 2014 18:03:07 -0700
From: ml-node+s10n5023854...@n6.nabble.com
To: ming...@outlook.com
Subject: RE: Tomcat windows authentication domain login issue

From: tantaryu [mailto:[hidden email]]
Subject: Re: Tomcat windows authentication domain login issue

Let me know if you can read it still. I didn't check the "Message is in HTML Format" option.

It didn't help. Don't use Nabble - post to the user's list directly from an e-mail client.

- Chuck