How do you catch these exceptions

2014-10-31 Thread Campbell, Lance
Tomcat 7.0.56
Java 7.0_72

I received the below Tomcat error messages in a web application.  Is there a 
way for me to catch these exceptions so that I can then either execute Java 
code or trigger a Linux shell script?

Oct 31, 2014 7:38:25 PM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor doRun
SEVERE:
java.lang.OutOfMemoryError: Java heap space

Oct 31, 2014 7:38:46 PM org.apache.tomcat.util.net.NioEndpoint$Acceptor run
SEVERE:
java.lang.OutOfMemoryError: Java heap space

Oct 31, 2014 7:38:49 PM org.apache.tomcat.util.net.NioEndpoint$Poller run


Thanks,

Lance Campbell
Software Architect
Web Services at Public Affairs
217-333-0382




Re: Authentication Memcached + Tomcat

2014-10-31 Thread Daniel Mikusa
On Fri, Oct 31, 2014 at 3:51 PM, Nilson Uehara wrote:

> I'm testing Memcached to implement failover on my Tomcat servers.
>
> Is there any way of implementing security by user / password?
>

Can you clarify this request?  Are these two separate thoughts, or is
memcached somehow related to the security question?

If it's just security you're after, then see this section in the docs.

  http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

Dan


Re: Authentication Memcached + Tomcat

2014-10-31 Thread André Warnier

Nilson Uehara wrote:
> I'm testing Memcached to implement failover on my Tomcat servers.
>
> Is there any way of implementing security by user / password?


Probably.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Authentication Memcached + Tomcat

2014-10-31 Thread Nilson Uehara
I'm testing Memcached to implement failover on my Tomcat servers.

Is there any way of implementing security by user / password?


Re: From HTTP to HTTPS request.getHeader("referer")

2014-10-31 Thread Christopher Schultz
Léa,

On 10/31/14 8:06 AM, Léa Massiot wrote:
> Hello and thank you for reading my post.
> 
> I'm trying to make a webapp work with HTTPS. It was working
> properly with HTTP. Below is the problem I have.
> 
> Inside a servlet, in its "doPost()" method, to check whether the
> "incoming JSP" is "example1.jsp" or "example2.jsp", I am using the
> following piece of code: 
> --- 
> s_referer = request.getHeader("referer");
> 
> if(s_referer.contains("example1.jsp") == true)

Note that true == true is always true and true == false is always false.

> {
>     b_jspReferer1 = true;
> }
> if(s_referer.contains("example2.jsp") == true)
> {
>     b_jspReferer2 = true;
> }

What if the referrer contains both example1.jsp *and* example2.jsp?

> ---
> 
> In "example1.jsp" and "example2.jsp" there is a "<form>" element
> which "action" attribute is set to "do_example":
> ---
> <form method="post" action="do_example"> [...] </form>
> ---
> 
> Now that I'm using HTTPS, "s_referer" is always equal to
> "do_example" in the servlet.

That's weird. Does do_example do an internal forward to
example(1|2).jsp for redisplay?

If the browser doesn't want to send the Referer header, it won't send
one... it's not going to send something bogus.

> Before, it used to be either "example1.jsp" in case the "incoming"
> JSP was "example1.jsp" and "example2.jsp" in case the "incoming"
> JSP was "example2.jsp".
> 
> I don't know how to correct my code to be able to discriminate
> between the two JSPs. Can you please help me?
> 
> I apologize in advance for the barbaric expression "incoming JSP". 
> I hope my point is understandable despite unfortunate expression.

The Referer is going to be the URL that was showing in the web browser
when the user clicked on the Submit button. If do_example forwards to
example1.jsp (instead of performing a redirect), then the browser
thinks that the current page is "do_example" and you'll get that in
your Referer header.

-chris



Re: Unable to disable SSL in Tomcat 6 !

2014-10-31 Thread Christopher Schultz
Utkarsh,

On 10/31/14 11:52 AM, Utkarsh Dave wrote:
> Nothing helped much. Please let me know how can i disable SSL in
> Tomcat 6.0.37.
> 
> I tried below configuration in server.xml on Tomcat 6.0.37
> 
>  protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
> SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> sslProtocols = "TLSv1"
> 
> The same with sslEnabledProtocols instead of sslProtocols worked
> for Tomcat 7. I am also following solution at 
> https://access.redhat.com/solutions/1232233

The configuration attributes "protocols", "sslProtocols", and
"sslEnabledProtocols" are all equivalent in Tomcat 6.0.38 and later.
Before Tomcat 6.0.38, "protocols" and "sslProtocols" are equivalent.

So it shouldn't really matter which one you use. But since you are
using 6.0.37, then you definitely can't use "sslEnabledProtocols".

So.. what's the problem? With the above configuration, what protocols
end up being enabled? How are you performing your testing?

You are using the Java BIO connector so it's using JSSE for crypto.
Those settings you have should work. The default for "sslProtocol" is
"TLS" which should get you pretty much everything, and restricting
sslProtocols to "TLSv1" should get you only TLSv1, as long as your JVM
recognizes that particular protocol string.

-chris
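
Since the BIO connector relies on JSSE, the local JVM can be asked directly which protocol names it recognizes and what restricting an engine to "TLSv1" leaves enabled. This is an added example, not code from the thread or from Tomcat; the class `JsseProtocolCheck` and the name "TLSv9" are made up for illustration, and it inspects the JVM only, not a running connector.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Added example: what the local JVM's JSSE does with protocol names (hypothetical helper). */
public class JsseProtocolCheck {

    /** Returns the protocols left enabled after restricting an engine to the wanted names. */
    static List<String> restrict(String contextProtocol, String... wanted) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextProtocol);
        ctx.init(null, null, null);           // default key/trust managers; no keystore needed here
        SSLEngine engine = ctx.createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> usable = new ArrayList<>();
        for (String p : wanted) {
            if (supported.contains(p)) {
                usable.add(p);
            } else {
                System.out.println("  not recognized by this JVM: " + p);
            }
        }
        if (usable.isEmpty()) {
            return usable;                    // nothing to enable; leave the engine untouched
        }
        // setEnabledProtocols throws IllegalArgumentException for an unsupported name,
        // which is why the names were filtered against getSupportedProtocols() first.
        engine.setEnabledProtocols(usable.toArray(new String[0]));
        return Arrays.asList(engine.getEnabledProtocols());
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine defaults = ctx.createSSLEngine();
        System.out.println("supported: " + Arrays.toString(defaults.getSupportedProtocols()));
        System.out.println("enabled by default: " + Arrays.toString(defaults.getEnabledProtocols()));
        System.out.println("restricted to TLSv1: " + restrict("TLS", "TLSv1"));
        // "TLSv9" is a constructed, deliberately invalid name.
        System.out.println("restricted to TLSv1, TLSv9: " + restrict("TLS", "TLSv1", "TLSv9"));
    }
}
```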



Re: require infomation on tomcat 6.0 EOL and support

2014-10-31 Thread Christopher Schultz
Vinay,

On 10/30/14 11:50 PM, Hareshbhai Desai,Vinaykumar (Vinaykumar) wrote:
> As per my understanding tomcat 6.0 is EOL but it's not yet 
> announced.

This is not yet true. There is likely to be a release of Tomcat 6.0
somewhat soon, as there were recent modifications required to use the
newer protocols in OpenSSL.

Tomcat 6 is in more of a "maintenance mode" in that serious problems
are fixed, but no new features are being added.

> Generally EOL announcement to EOL timeframe would be 1 year.

If you say so.

> That mean tomcat 6.0 support time frame would be minimum 1 yr from
>  now.

That sounds logical, based upon your above assertion.

> Just wanted to confirm that any security vulnerability found in
> this period then Apache tomcat will provide support of Tomcat 6.
> Please correct me if my understanding is wrong.

Tomcat 6 will continue to be supported as long as the community wants
it to be supported. Nobody can forcibly stop anyone from supporting
it. The currently active Tomcat committers are still supporting Tomcat
6 but, for many reasons, are concentrating their efforts on the newer
versions. If you are relying on long-term support for Tomcat 6, you
should probably hire someone to do that.

Let me put it this way: don't wait for an EOL announcement for Tomcat
6 to do anything about it. Start using Tomcat 8 right now.

-chris



Re: From HTTP to HTTPS request.getHeader("referer")

2014-10-31 Thread Mark Eggers
On 10/31/2014 5:06 AM, Léa Massiot wrote:
> Hello and thank you for reading my post.
> 
> I'm trying to make a webapp work with HTTPS. It was working
> properly with HTTP. Below is the problem I have.
> 
> Inside a servlet, in its "doPost()" method, to check whether the
> "incoming JSP" is "example1.jsp" or "example2.jsp", I am using the
> following piece of code: 
> --- 
> s_referer = request.getHeader("referer");
> 
> if(s_referer.contains("example1.jsp") == true)
> {
>     b_jspReferer1 = true;
> }
> if(s_referer.contains("example2.jsp") == true)
> {
>     b_jspReferer2 = true;
> }
> ---
> 
> In "example1.jsp" and "example2.jsp" there is a "<form>" element
> which "action" attribute is set to "do_example":
> ---
> <form method="post" action="do_example"> [...] </form>
> ---
> 
> Now that I'm using HTTPS, "s_referer" is always equal to
> "do_example" in the servlet. Before, it used to be either
> "example1.jsp" in case the "incoming" JSP was "example1.jsp" and
> "example2.jsp" in case the "incoming" JSP was "example2.jsp".
> 
> I don't know how to correct my code to be able to discriminate
> between the two JSPs. Can you please help me?
> 
> I apologize in advance for the barbaric expression "incoming JSP". 
> I hope my point is understandable despite unfortunate expression.
> 
> Best regards.
> 
> 
> 
> --
> View this message in context:
> http://tomcat.10.x6.nabble.com/From-HTTP-to-HTTPS-request-getHeader-referer-tp5024782.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.

Times the referer will be empty:

1. entered the site URL in browser address bar itself.
2. visited the site by a browser-maintained bookmark.
3. visited the site as first page in the window/tab.
4. switched from a https URL to a http URL.
5. switched from a https URL to a different https URL.
6. has security software installed (antivirus/firewall/etc) which
   strips the referrer from all requests.
7. is behind a proxy which strips the referrer from all requests.
8. visited the site programmatically (like, curl) without setting the
   referrer header (searchbots!).

Have you looked in various tools on the browser (developer tools on
Chrome, Tamper on Firefox, Fiddler on IE) to see if the referer is
being set?

. . . just my two cents
/mde/
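
The cases raised in the two replies above (a Referer naming both pages, a Referer of "do_example" after a forward, and a header that is missing altogether) can be handled in one null-safe check. This is an added example, not code from the thread; the class name `RefererSource`, the enum and the sample URLs are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Added example: null-safe classification of a Referer value (hypothetical helper). */
public class RefererSource {

    enum Source { EXAMPLE1, EXAMPLE2, UNKNOWN }

    /** Classify by the last path segment of the Referer; anything else is UNKNOWN. */
    static Source classify(String referer) {
        if (referer == null || referer.trim().isEmpty()) {
            return Source.UNKNOWN;            // header absent: bookmark, typed URL, stripping proxy, curl
        }
        String path;
        try {
            path = new URI(referer.trim()).getPath();
        } catch (URISyntaxException e) {
            return Source.UNKNOWN;            // the header is client-supplied and may be malformed
        }
        if (path == null) {
            return Source.UNKNOWN;            // opaque URI such as "about:blank"
        }
        String last = path.substring(path.lastIndexOf('/') + 1);
        // Exact match on the final path segment, so a value that names both JSPs
        // (for instance in its query string) cannot match twice as contains() would.
        switch (last) {
            case "example1.jsp": return Source.EXAMPLE1;
            case "example2.jsp": return Source.EXAMPLE2;
            default:             return Source.UNKNOWN;   // includes "do_example" after a forward
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not captured traffic.
        String[] samples = {
            "https://localhost:8443/app/example1.jsp",
            "https://localhost:8443/app/example2.jsp?from=example1.jsp",
            "https://localhost:8443/app/do_example",
            "",
            null,
            "ht tp://bad referer"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + classify(s));
        }
    }
}
```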



Re: Unable to disable SSL in Tomcat 6 !

2014-10-31 Thread Utkarsh Dave
Nothing helped much. Please let me know how can i disable SSL in Tomcat
6.0.37.

I tried below configuration in server.xml on Tomcat 6.0.37

https://access.redhat.com/solutions/1232233

-Regards

Utkarsh



On Thu, Oct 30, 2014 at 10:30 PM, Mark Thomas wrote:

> On 30/10/2014 16:38, Utkarsh Dave wrote:
> > Hello all,
> >
> > To avoid poodle vulnerability we are trying to disable SSL v3 and all its
> > versions through below configuration.
> >
> >  >maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true"
> >clientAuth="false" sslProtocols = "TLSv1" />
> >
> >
> > Can you please tell me if we are missing anything and how can we make
> this
> > thing work?
>
> http://wiki.apache.org/tomcat/Security/POODLE
>
> Mark
>


From HTTP to HTTPS request.getHeader("referer")

2014-10-31 Thread Léa Massiot
Hello and thank you for reading my post.

I'm trying to make a webapp work with HTTPS.
It was working properly with HTTP.
Below is the problem I have.

Inside a servlet, in its "doPost()" method, 
to check whether the "incoming JSP" is "example1.jsp" or "example2.jsp",
I am using the following piece of code:
---
s_referer = request.getHeader("referer");

if(s_referer.contains("example1.jsp") == true)
{
b_jspReferer1 = true;
}
if(s_referer.contains("example2.jsp") == true)
{
b_jspReferer2 = true;
}
---

In "example1.jsp" and "example2.jsp" there is a "<form>" element
which "action" attribute is set to "do_example":
---
<form method="post" action="do_example">
  [...]
</form>
---

Now that I'm using HTTPS, "s_referer" is always equal to "do_example" in the
servlet.
Before, it used to be either "example1.jsp" in case the "incoming" JSP was
"example1.jsp"
and "example2.jsp" in case the "incoming" JSP was "example2.jsp".

I don't know how to correct my code to be able to discriminate between the
two JSPs.
Can you please help me?

I apologize in advance for the barbaric expression "incoming JSP".
I hope my point is understandable despite unfortunate expression.

Best regards.



--
View this message in context: 
http://tomcat.10.x6.nabble.com/From-HTTP-to-HTTPS-request-getHeader-referer-tp5024782.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
