Re: I'm using jdk1.6 + tomcat 7.0.23

[chedana jayasinghe]

Christopher,

*Is there a big change of how tomcat manage sessions, in versions before
tomcat 6.  still I'm little confused about the behavior of my application
  *

On Thu, Jun 18, 2015 at 11:39 AM, chedana jayasinghe <
chedanajayasin...@gmail.com> wrote:

> request goes to a doPost method of a servlet and there it used to return
> some values in the response, and there is a one filter which encode
> request's characters to UTF-8. But how come it effects the session last
> accessed time get updated, because as to my knowledge  It is monitored by
> the servlet container and all the filters are within the servlet container
> .
>
> On Tue, Jun 16, 2015 at 12:39 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> Chedana,
>>
>> On 6/15/15 9:07 AM, chedana jayasinghe wrote:
>> > Christopher,
>> >
>> > I'm not using "strict servlet compliance", still *I've tried
>> > setting * org.apache.catalina.core.StandardHostValve.ACCESS_SESSION
>> > system property to false in catalina properties but no luck. still
>> > the problem is same. Javascript heartbeat  keeps the session alive
>> > only in tomcat 7 and higher versions.
>> >
>> > On Thu, Jun 11, 2015 at 6:59 PM, Christopher Schultz <
>> > ch...@christopherschultz.net> wrote:
>> >
>> > Chedana,
>> >
>> > On 6/11/15 12:42 AM, chedana jayasinghe wrote:
>>  HI, In my web application, in a jsp there is a javascript
>>  which sends request to a servlet every twenty seconds, so it
>>  kills my applications user idle time tracking by resetting
>>  the  lastAccessed time. the funny thing is lastAccessed time
>>  doesn't get updated in tomcat  6 and my applications idle
>>  time tracking works fine in it, but in 7 it gets updated and
>>  kills that functionality of the application . so I'm little
>>  bit confused about the changes in the session tracking of
>>  tomcat 6 and tomcat 7
>> >
>> > Are you using "strict servlet compliance"?
>> >
>> > If so, you will want to set the
>> > org.apache.catalina.core.StandardHostValve.ACCESS_SESSION system
>> > property to false and re-try your tests.
>> >
>> > If you are upgrading from Tomcat 6 to Tomcat 7:
>> >
>> > 1. Don't bother going to 7.0.23 (almost 4 years old). Go all the
>> > way up to 7.0.62.
>> >
>> > 2. You may want to skip Tomcat 7 altogether and go all the way up
>> > to Tomcat 8.0.23.
>> >
>> > -chris
>>
>> What does your application actually do when the heartbeat comes in?
>> Don't forget the various Filters that might also be processing the
>> request on the way in or out.
>>
>> - -chris
>> -BEGIN PGP SIGNATURE-
>> Comment: GPGTools - http://gpgtools.org
>>
>> iQIcBAEBCAAGBQJVfyMBAAoJEBzwKT+lPKRYXsYP/0osrijFMEDL4HW/H6zZiCyC
>> brpPG5HCLr9BT8zNGzj9r4iMCp10w8smTtQDbpyX73UNKfxKtX119myJLDuoJOlV
>> nYv3UCn5g8apNwylFGl59KSCtmpytW1kNinP0D/iQWhUdnbDOZnWczlGW6QupNr0
>> I4+NTizUu7t77Ba60uLM78jf2R2J1ujRL4+epXXS0IKPuOmUvU8AJWWQtbXwS+Wu
>> JbAw1OYpffcHJSNZWLYTB4q9NKE3of65Cs4LPAHtJ8lOlauhLiYC1Qc2jjMeiWlu
>> Ho0FKyCvkns2Rqay/wqJrmhJJNfeAwtvAhMQIz8PbY5jPl2FF8YAvaCju6/17LyC
>> uOVVHyoUhmvF4LdOS55ut7XO+LE0pTQzwOoN5kKk4opsomHLd32icBFzrQU+TH3b
>> Pa3MTJKONIocoh/DNSA0dVvTaGeeGDDdwEmcjZHfPPHY57IZEmqtLsCuVUlf4m7Q
>> xNWa9+Yoas53Oe4T/S2s3FnPiH3kT3bS1MCqaXDQwUcVc+BwpcsBWkCdgsJxn7DC
>> 3zzLrEB/Wiw+xdQhYIhIKwUytV5HLPU1wwZzqFgIJqnVfzx/keSbXwsszkk2TUz8
>> iRx2yGdy8bxAkYncTJKd/0hBwKcVm/kz2AKQYYo1txITRORP+Wu+c8xwhlNIQuS9
>> dhvquvV3qsoJ8H1xZvEu
>> =oyiY
>> -END PGP SIGNATURE-
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>

Re: FormAuthenticator, Tomcat restart

[Leonid Rozenblyum]

Thank you, Christopher!

On Thu, Jun 11, 2015 at 4:34 PM, Christopher Schultz
 wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Leonid,
>
> On 6/11/15 4:18 AM, Leonid Rozenblyum wrote:
>> Hello. Just to double-check. By writing own login-handler, do you
>> mean, overriding FormAuthenticator.authenticate() (looks risky
>> since it's a big method which can change from one to another Tomcat
>> version)?
>>
>> Or are there more painless ways to inject such custom login
>> handler?
>>
>> On Thu, May 28, 2015 at 6:49 PM, Christopher Schultz
>>  wrote: Mark,
>>
>> On 5/28/15 5:29 AM, Mark Thomas wrote:
> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>> Hello experts.
>>
>> We are using FormAuthenticator and face a following issue:
>>
>> 1) Session persistence is disabled 2) User is on login page
>> 3) Restart Tomcat 4) User tries authentication
>>
>> He receives error 400 or 408.
>>
>> While digging deeper we discovered that in this case
>> Tomcat validates session id and if it's old/invalid -
>> prevents logging-in even though valid credentials are
>> passed.
>>
>> We tried landingPage solution - it looks better than error
>> 400/408 but anyway it forces user to enter credentials
>> twice (or we don't know how to pass credentials to
>> landingPage implicitly).
>>
>> We think that an improvement of user experience would be :
>>
>> FormAuthenticator: 255 if (session == null) { session =
>> request.getSessionInternal(false); }
>>
>> ==> if (session == null) { session =
>> request.getSessionInternal(true); }
>>
>> So if session is invalid or missing - simply create it.
>>
>> Does this idea make sense?
>
> No. It makes no sense at all.
>
>> Can we achieve the goal of not forcing user entering
>> credentials twice without changes in Tomcat ?
>
> No. The credentials are stored in the session. If you
> restart Tomcat with session persistence disabled those
> credentials are lost and the user is going to have to
> re-enter them.
>>
>> I think the OP is saying that the credentials are only entered a
>> single time. The Tomcat restart between showing and submitting the
>> login page is the source of the problem.
>>
>> Leonid, the servlet spec is very clear about the workflow for
>> authentication: the client must request a protected resource, then
>> the container challenges the client for authentication (shows the
>> login page), and then the client must submit valid credentials
>> (send a request to j_security_check). After that, the container
>> must re-process the client's original request with the
>> newly-authenticated principal.
>>
>> Tomcat stores the original request in the session. If you lose
>> your session between presenting the login page and submitting the
>> credentials, Tomcat has no way to re-process the original request.
>>
>> IMO, this is a hole in the spec, because it doesn't allow people
>> to login simply because they want to; instead, they must first
>> attempt to reach a protected resource.
>>
>> If you want your users to be able to login without requesting a
>> protected resource, you may write your own login-handler and call
>> ServletRequest.login(). That way, you won't require a session to
>> exist during that whole workflow.
>>
>> -chris
>
> No, I was suggesting that you write your own servlet or filter that
> handles your logins. Instead of pointing your login form at
> /j_security_check, you point it at /your/login/servlet and then call
> Request.login() yourself. That way, you can decide what to do if the
> session has timed-out in the meantime.
>
> Note that you are opening-up a large can of worms by doing this. You
> will be introducing lots of other problems that you will have to solve.
>
> You might want to check out securityfilter, a project that is quite
> long in the tooth, but somewhat gracefully handles situations like
> this. It has its own set of awkward things you'll have to deal with
> (like not being able to authenticate against Tomcat's realms, for
> instance).
>
> [One of these days, I'm going to get off my butt and update that project
> .]
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJVeY5OAAoJEBzwKT+lPKRYdpkQAJ4BGgPNJWU34mAKo0YljHBN
> rAeIjl4gn4k+xU7mHwWH3h45hgCQVh+iCkqjH7rbgeGI1/IqETJcK2lXoXk/B+ZY
> VjmMjh+fqRsUZG/UoP2T3cvrqCs0tl1Sm17WzJOLePYNNuowQVbmFznl4GAVoKsI
> yRFYz7fPD4nXiS7+endkdVPGEn1sYSCQP5+EyVUNIlvqwOb9PN3bAlDSczidVHCN
> oDgSrOvE9SGC88igS8sLW3NiWXPYqXVeI1YiX46S5AC/1JApFPzdVhYsbgvRUegG
> k1EPo0YusG1jtBLj6fsqz6bsXZSIGchjZf2hwm/rrrpWdxJnKNAds8FRJ8Gfz43w
> uJWRXZtwpBYXdl1btBLUlCHTUTUPkQZDqcT2pktmtAK7tDCQm7BA8x4cibRwztMI
> QstMMgPjdjhS4ChuCcfEPoNzKNVDMDDH4pdjHj8hXE/b7PA7BSjRGtZIAvu0ZYZc
> RauQUnsTGMzQyNeDAZBCqMhAxQO42B82Yu0cpMTVHqRDw5uEJq2+bhgzi7slJOMO
> jLFxVT/k6DNdTG8+Z7eEfvaZXkf11o4arRGOH3gzZLtzPZgJQ3pDJ9gjKkvpcc4F
> FzTTDDkMRuZG2

Re: I'm using jdk1.6 + tomcat 7.0.23

[chedana jayasinghe]

request goes to a doPost method of a servlet and there it used to return
some values in the response, and there is a one filter which encode
request's characters to UTF-8. But how come it effects the session last
accessed time get updated, because as to my knowledge  It is monitored by
the servlet container and all the filters are within the servlet container
.

On Tue, Jun 16, 2015 at 12:39 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Chedana,
>
> On 6/15/15 9:07 AM, chedana jayasinghe wrote:
> > Christopher,
> >
> > I'm not using "strict servlet compliance", still *I've tried
> > setting * org.apache.catalina.core.StandardHostValve.ACCESS_SESSION
> > system property to false in catalina properties but no luck. still
> > the problem is same. Javascript heartbeat  keeps the session alive
> > only in tomcat 7 and higher versions.
> >
> > On Thu, Jun 11, 2015 at 6:59 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Chedana,
> >
> > On 6/11/15 12:42 AM, chedana jayasinghe wrote:
>  HI, In my web application, in a jsp there is a javascript
>  which sends request to a servlet every twenty seconds, so it
>  kills my applications user idle time tracking by resetting
>  the  lastAccessed time. the funny thing is lastAccessed time
>  doesn't get updated in tomcat  6 and my applications idle
>  time tracking works fine in it, but in 7 it gets updated and
>  kills that functionality of the application . so I'm little
>  bit confused about the changes in the session tracking of
>  tomcat 6 and tomcat 7
> >
> > Are you using "strict servlet compliance"?
> >
> > If so, you will want to set the
> > org.apache.catalina.core.StandardHostValve.ACCESS_SESSION system
> > property to false and re-try your tests.
> >
> > If you are upgrading from Tomcat 6 to Tomcat 7:
> >
> > 1. Don't bother going to 7.0.23 (almost 4 years old). Go all the
> > way up to 7.0.62.
> >
> > 2. You may want to skip Tomcat 7 altogether and go all the way up
> > to Tomcat 8.0.23.
> >
> > -chris
>
> What does your application actually do when the heartbeat comes in?
> Don't forget the various Filters that might also be processing the
> request on the way in or out.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJVfyMBAAoJEBzwKT+lPKRYXsYP/0osrijFMEDL4HW/H6zZiCyC
> brpPG5HCLr9BT8zNGzj9r4iMCp10w8smTtQDbpyX73UNKfxKtX119myJLDuoJOlV
> nYv3UCn5g8apNwylFGl59KSCtmpytW1kNinP0D/iQWhUdnbDOZnWczlGW6QupNr0
> I4+NTizUu7t77Ba60uLM78jf2R2J1ujRL4+epXXS0IKPuOmUvU8AJWWQtbXwS+Wu
> JbAw1OYpffcHJSNZWLYTB4q9NKE3of65Cs4LPAHtJ8lOlauhLiYC1Qc2jjMeiWlu
> Ho0FKyCvkns2Rqay/wqJrmhJJNfeAwtvAhMQIz8PbY5jPl2FF8YAvaCju6/17LyC
> uOVVHyoUhmvF4LdOS55ut7XO+LE0pTQzwOoN5kKk4opsomHLd32icBFzrQU+TH3b
> Pa3MTJKONIocoh/DNSA0dVvTaGeeGDDdwEmcjZHfPPHY57IZEmqtLsCuVUlf4m7Q
> xNWa9+Yoas53Oe4T/S2s3FnPiH3kT3bS1MCqaXDQwUcVc+BwpcsBWkCdgsJxn7DC
> 3zzLrEB/Wiw+xdQhYIhIKwUytV5HLPU1wwZzqFgIJqnVfzx/keSbXwsszkk2TUz8
> iRx2yGdy8bxAkYncTJKd/0hBwKcVm/kz2AKQYYo1txITRORP+Wu+c8xwhlNIQuS9
> dhvquvV3qsoJ8H1xZvEu
> =oyiY
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: redirect to website not working

[Ankur Gupta]

*Fiddler Error:*

#   Result  Protocol   HostURL BodyCaching
Content-Type   Process CommentsCustom



2   302 HTTPxx.xxx.xx.81:81/abc/abc/a.asp 191
privatetext/html  iexplore:6656

3   302 HTTPxx.xxx.xx.99:8080
/examples/smstrial.jsp?mobileNumber=01234567890
text/html;charset=ISO-8859-1  iexplore:6656

4   502 HTTP180.179.218.150
/sendurl.aspx?user=xxx&pwd=xxx&senderid=xxx&mobileno=0123456789&msgtext=Hello&smstype=0
512 no-cache, must-revalidatetext/html; charset=UTF-8
iexplore:6656



Request Count:   1

Bytes Sent:  630  (headers:630; body:0)

Bytes Received:  719  (headers:207; body:512)



ACTUAL PERFORMANCE

--

ClientConnected:   11:07:26.500

ClientBeginRequest:11:07:26.734

GotRequestHeaders: 11:07:26.765

ClientDoneRequest: 11:07:26.765

Determine Gateway: 0ms

DNS Lookup:0ms

TCP/IP Connect:21025ms

HTTPS Handshake:   0ms

ServerConnected:   11:07:47.781

FiddlerBeginRequest:   00:00:00.000

ServerGotRequest:  00:00:00.000

ServerBeginResponse:   00:00:00.000

GotResponseHeaders:00:00:00.000

ServerDoneResponse:00:00:00.000

ClientBeginResponse:   11:07:47.812

ClientDoneResponse:11:07:47.812



Overall Elapsed:   00:00:21.0781250



RESPONSE BYTES (by Content-Type)

--

text/html: 512

~headers~: 207





ESTIMATED WORLDWIDE PERFORMANCE

--

The following are VERY rough estimates of download times when hitting
servers based in Seattle.



US West Coast (Modem - 6KB/sec)

RTT:   0.10s

Elapsed:   0.10s



Japan / Northern Europe (Modem)

RTT:   0.15s

Elapsed:   0.15s



China (Modem)

RTT:   0.45s

Elapsed:   0.45s



US West Coast (DSL - 30KB/sec)

RTT:   0.10s

Elapsed:   0.10s



Japan / Northern Europe (DSL)

RTT:   0.15s

Elapsed:   0.15s



China (DSL)

RTT:   0.45s

Elapsed:   0.45s







*IE giving error:*

[Fiddler] The connection to '180.179.218.150' failed.
Error: TimedOut (0x274c).
System.Net.Sockets.SocketException A connection attempt failed because the
connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to respond
180.179.218.150:80

Re: OT: Random Form Resubmissions

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jerry,

On 6/17/15 11:55 AM, Jerry Malcolm wrote:
> OT:  I have a simple 'contact-us' webapp that has been running for 
> years.  I'm not having any problems with it directly.  However, 
> periodically, I get resubmissions of the form from the client's 
> computer, sometimes randomly once a day for several days/weeks,
> and sometimes once or twice two weeks after the original form was 
> submitted.  The obvious answer to this would be that the client
> just keeps hitting the back button and resubmitting the form.  But
> I know that is not the case.  I have a little javascript snippit
> that sets the current date in a hidden field when the user hits the
> submit button (spam robots don't recognize this, so
> spam-robot-submissions will not have a valid date in the hidden
> field).   When these random form resubmissions come in they have
> the original date/time in that hidden field from when they actually
> requested and submitted the form.
> 
> So what I know at this point:
> 
> 1) This is rare.  But when it starts with a particular form, I'll
> get resubmissions anywhere from once ever few hours to once every
> couple of weeks.
> 
> 2) It finally stops.  But one specific form kept coming in once a
> day (random time each day) for over 2 months (still with original
> date/time from two months earlier in that hidden field)
> 
> 3) I checked the apache httpd logs, and the resubmissions are
> coming from the original user's IP address.  They are definitely
> coming in as a new request each time to apache/tomcat (as opposed
> to my webapp code somehow reprocessing the original request)
> 
> 4) The user is NOT hitting the submit button over and over as
> proven by the time/date in the hidden field.
> 
> I have written defensive code in my webapp to detect this situation
> and handle it.  So it's not a critical problem now. But it just
> frustrates me that I have no clue what is going on.  And I'm
> curious if the users are seeing something strange as this is
> occurring.  It appears that the client's browser is holding onto
> the form and just randomly resending it the server without the
> user's knowledge.  And it finally stops when they close their
> browser or reboot their computer.  I know this makes zero sense.
> 
> So I know this is not precisely tomcat related.  But I know
> this forum has followers with a vast range of knowledge in many
> areas. I'm just curious if this rings any bells, or if anyone can
> explain what is going on here.  Anybody know what would cause a
> browser to keep randomly resending a form request to the server?

Could this be happening when someone submits the form and then leaves
the page open forever in a forgotten tab in their web browser?

Perhaps even after a restart, the tab is resurrected, and the browser
re-submits the POST that originally generated the page?

If you aren't already doing this, I would recommend adopting a
redirect-after-POST strategy so that even RELOADING the page after the
form doesn't re-POST the initial form.

Another thing you can do is generate a token on the server and stick
it in the page. When you accept the form, check to see if the token is
valid. If not, bomb to a "sorry" page, otherwise, process it as usual.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVgd7ZAAoJEBzwKT+lPKRYxZ0P/A/TC6mHiaSihVKrjQGM0QDo
vEMzAUiTZNoEMq94gKtTj4K/iN9kqsj44nltMNHZAnntq6xPXzgtpwI45jRv7x0R
/XeouZqYhzdVzKAhZKFtkwgyWugISRl44NeRGvQ3jL6RHmmXVpCPgzX7wplrO2p6
H0F2iald73s/KnBWivVxZ9yXRhN8VH5kn7qAjtN7ttNZGYcBNOph0CDatT8G15tj
N9hUXIjsPvKAtFsnFHnL8B9twdmxGKmUTufEJKhBD++KHyE504fOUhJ+mttxJypt
UdK67sO4mxzPpkloVSTOYgCjTilxoSTNRwNsf8KXqV9sv9Hz7Rz0Ky1dUNKbZV+A
iobzlCgq88CZjJvfnP19j4Hn0PEARqshge/kFY3BExVP57S/+3Y2R683mN89q4vc
F3uIZWMmD0cOsRIgF4e6guQHLecgIYZ04iQO2fwhUl6cEByYjxAGKbam/4I/OJ3D
qvRh4m+QNQ0BajhNZhfnz6wydNAoFChX3jXCdiB+tOPqTEyxni9f1wdAhMpCn8lJ
jylvygmSq0sn9kjY04KeTXE5/UwJhYFA/7m7+1ATnmDNMvysmL3eYfsf1qORJfVK
f7U5wDg48nqqHyBmkvyR6OUpviWXxTKTXd6AIxtjaYScZpZFIf0TmWvWMHmtiIKi
mshk3sucuf7JI/mk8HCU
=BdrV
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: logging input and output HTTP message payload

[Mark Eggers]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 6/17/2015 11:32 AM, André Warnier wrote:
> Just to make sure..
> 
> Milinda Perera wrote:
>> Hi all,
>> 
>> Thanks for suggestions,
>> 
>> Actually I want to log all HTTP / HTTPS requests from client
>> applications to my Tomcat server and the Response sent back to
>> the client. And logging requests and payloads are not target
>> specific application running in the Tomcal server, which means
>> all the request to the Tomcat server and all the responses from
>> the Tomcat server
>> 
>> My requirement cannot be fulfilled with external tools like
>> wireshark because: 1. unable to log HTTPS requests and responses 
>> 2. And I need to get logged requests and responses in server side
>> log files without external tools.
> 
> Are you aware of the volume of data that this could be ? and about
> the performance impact ? and about the complexity of doing this in
> any way that would be useful ?
> 
> HTTP requests tend to be small  : a request line like "GET
> /mylogo.jpg HTTP/1.1", and a few text headers). But the response to
> that request may be very large (a 120 KB jpeg file).  Multiply by
> the number of requests for your homepage etc. (and never mind if
> you are returning large PDF documents sometimes...)
> 
> And then, to log this jpeg logo file in any useful manner, you
> would have to a) analyse the response, to see what is sent back b)
> encode this in some way, to write it usefully to your logfile (you
> do not want binary data there, I presume)
> 
> These are probably some of the reasons why the standard logging
> methods don't do that.
> 
>> 
>> by changing  *org.apache.coyote.level=FINE *in log properties
>> logs HTTP requests to the server, but does not log response.
>> 
>> Highly appreciate if you guys can share your thoughts to achieve
>> this.
>> 
> 
> Ask the NSA for some tips ?
> 
>> Thanks, Milinda
>> 
>> 
>> 
>> On Wed, Jun 17, 2015 at 5:56 PM, André Warnier 
>> wrote:
>> 
>>> Frederik Nosi wrote:
>>> 
 It helps only with HTTP though, no HTTPS or at least not
 easily.
 
 While we are at this, are you trying to debug a SOAP / REST
 connection from your application running on Tomcat to another
 server or a connection coming from outside to your Tomcat?
 
 
 On 06/17/2015 11:16 AM, Mark Thomas wrote:
 
> On 17/06/2015 10:10, Milinda Perera wrote:
> 
>> Hi,
>> 
>> I need to log HTTP payload content for debugging
>> purposes.
>> 
> Use Wireshark. That has the added benefit of not having any
> unwanted side-effects on your application.
> 
> Mark
> 
> 
>>> If this is for one debugging session, you could also simply use
>>> an add-on to a browser (such as Fiddler2 for IE), and record
>>> the full exchanges there. It has the advantage that you see the
>>> complete traffic in both directions (headers and content), and
>>> that you can easily switch between different presentations of
>>> the data, and save it to file if you need to.  And depending on
>>> what you are looking for, it may be a lot easier to handle than
>>> Wireshark.

As others have pointed out, this will potentially generate a huge
amount of information, most of it completely useless (logging your JPG
logo over and over again?), and impact performance . . .

That being said, I suppose one way to do this is to write a servlet
filter, wrap the ServletResponse object, then do the logging in the
filter.

You could be careful in what you log (don't put the filter in front of
images or pdf files, for example), and also have a servlet filter init
parameter which could control the logging (or turn it off).

Consider the volume of information you will generate. For example, I'm
using the standard access logging that is configured with Tomcat
7.0.62. A web site gets about 250K requests per day, and I strip out a
bunch of stuff using Perl. After all is said and done, a day's worth
of logs is about 60 MB.

Now, add response information and do the math. You'll find that it's
not going to be a very pleasant. In order to handle that amount of
data, you'll need to invest in streaming logging, a NoSQL database,
and the infrastructure to support those tools.

If that's what you wish to do, then great. Just be aware of what
you're walking into.

You might want to go back and actually determine the underlying
business requirements before embarking on such a task.

. . . just my two cents
/mde/

-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBAgAGBQJVgcQ/AAoJEEFGbsYNeTwtAPkIAIDO334dMWLbejAVQ4us0jv7
a/cE69LwTpHJ7zxfGE4jbYsD3BvAJWQduBjuP83ePb37BiaYA9ImtJsXwkjfpPpk
TTv3Xrse4gRXueR2x+cOQbx/1BMMmPyeUenBXwFoPA2V3xhAH0N5DUdyC9mb5Hju
fk/2kquPHHuNNM3L9W3UE9BS7yhWed8wP93RG78oaopGm+anojwp6NQ2QZLxtdCc
fSZ9QrFhuKfizvU2emyRznIdUx88fVnwvFt5wBzTlJf3EgRTGt1B2VGTUuVMPmTy
SXJIzkZePAkGUswt35uh51n9IuKJXzPr5NEzNzAMMsbHVb828KbLY01YFiomGfU=
=6WmU
-END PGP SIGNATURE-

---
This email is free from viruses and malware because ava

Re: logging input and output HTTP message payload

[André Warnier]

Just to make sure..

Milinda Perera wrote:

Hi all,

Thanks for suggestions,

Actually I want to log all HTTP / HTTPS requests from client applications
to my Tomcat server and the Response sent back to the client. And logging
requests and payloads are not target specific application running in the
Tomcal server, which means all the request to the Tomcat server and all the
responses from the Tomcat server

My requirement cannot be fulfilled with external tools like wireshark
because:
  1. unable to log HTTPS requests and responses
  2. And I need to get logged requests and responses in server side log
files without external tools.


Are you aware of the volume of data that this could be ? and about the performance impact 
? and about the complexity of doing this in any way that would be useful ?


HTTP requests tend to be small  : a request line like "GET /mylogo.jpg HTTP/1.1", and a 
few text headers). But the response to that request may be very large (a 120 KB jpeg 
file).  Multiply by the number of requests for your homepage etc. (and never mind if you 
are returning large PDF documents sometimes...)


And then, to log this jpeg logo file in any useful manner, you would have to
a) analyse the response, to see what is sent back
b) encode this in some way, to write it usefully to your logfile (you do not want binary 
data there, I presume)


These are probably some of the reasons why the standard logging methods don't 
do that.



by changing  *org.apache.coyote.level=FINE *in log properties logs HTTP
requests to the server, but does not log response.

Highly appreciate if you guys can share your thoughts to achieve this.



Ask the NSA for some tips ?


Thanks,
Milinda



On Wed, Jun 17, 2015 at 5:56 PM, André Warnier  wrote:


Frederik Nosi wrote:


It helps only with HTTP though, no HTTPS or at least not easily.

While we are at this, are you trying to debug a SOAP / REST connection
from your application running on Tomcat to another server or a connection
coming from outside to your Tomcat?


On 06/17/2015 11:16 AM, Mark Thomas wrote:


On 17/06/2015 10:10, Milinda Perera wrote:


Hi,

I need to log HTTP payload content for debugging purposes.


Use Wireshark. That has the added benefit of not having any unwanted
side-effects on your application.

Mark



If this is for one debugging session, you could also simply use an add-on
to a browser (such as Fiddler2 for IE), and record the full exchanges there.
It has the advantage that you see the complete traffic in both directions
(headers and content), and that you can easily switch between different
presentations of the data, and save it to file if you need to.  And
depending on what you are looking for, it may be a lot easier to handle
than Wireshark.





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org








-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: logging input and output HTTP message payload

[Frederik Nosi]

If you have this:

1) Tomcat listening in HTTP, not HTTPS
2) ssh access to the machine
3) administrator access to the machine

and are on Linux (or Unix in general, but my command is linux specific) 
do this as root:



tcpdump -nnpi any -s0 -vvv -w /tmp/dump.pcap port  8080

After the request you're interested in are done press CTRl+C

from your client, assuming it's linux but on win you can use putty or 
whatever:


scp remote-machine:/tmp/dump.pcap .
wireshark dump.pcap


Done.

P.S.
If your tomcat's HTTP Connector isn't listening at port 8080 change the 
port accordingly in my tcpdump command




On 06/17/2015 08:04 PM, Milinda Perera wrote:

Hi all,

Thanks for suggestions,

Actually I want to log all HTTP / HTTPS requests from client applications
to my Tomcat server and the Response sent back to the client. And logging
requests and payloads are not target specific application running in the
Tomcal server, which means all the request to the Tomcat server and all the
responses from the Tomcat server

My requirement cannot be fulfilled with external tools like wireshark
because:
   1. unable to log HTTPS requests and responses
   2. And I need to get logged requests and responses in server side log
files without external tools.

by changing  *org.apache.coyote.level=FINE *in log properties logs HTTP
requests to the server, but does not log response.

Highly appreciate if you guys can share your thoughts to achieve this.

Thanks,
Milinda



On Wed, Jun 17, 2015 at 5:56 PM, André Warnier  wrote:


Frederik Nosi wrote:


It helps only with HTTP though, no HTTPS or at least not easily.

While we are at this, are you trying to debug a SOAP / REST connection
from your application running on Tomcat to another server or a connection
coming from outside to your Tomcat?


On 06/17/2015 11:16 AM, Mark Thomas wrote:


On 17/06/2015 10:10, Milinda Perera wrote:


Hi,

I need to log HTTP payload content for debugging purposes.


Use Wireshark. That has the added benefit of not having any unwanted
side-effects on your application.

Mark



If this is for one debugging session, you could also simply use an add-on
to a browser (such as Fiddler2 for IE), and record the full exchanges there.
It has the advantage that you see the complete traffic in both directions
(headers and content), and that you can easily switch between different
presentations of the data, and save it to file if you need to.  And
depending on what you are looking for, it may be a lot easier to handle
than Wireshark.





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Settings when SSL terminates on the front-end

[Jeffrey Janner]

I've been deploying letting Tomcat do it all when it came to connectors and 
SSL, with the app forcing everything to SSL in the  
section.  Now I'm setting up a haproxy front-end that will both terminate the 
SSL and take care of the redirect from HTTP to HTTPS for me and tomcat only 
running a standard HTTP port on 8080.
So my question is, Is it still important for the app to know that it operating 
"secure", and if so, what settings are a must?
Here is the old setup:

SERVER.XML:




  

  

  

CONTEXT.XML:  No tomcat-level parameters specified

WEB.XML: (only the important bits, assume servlets and filters won't change)


Everything
/*


CONFIDENTIAL



Here is the new setup:
SERVER.XML:


   
  

  

  

CONTEXT.XML: no changes
WEB.XML: drop the  section?

Am I missing something from a security standpoint here?
And yes, I'm aware I need to adjust some parameters in the  that are 
left out in the second example.  I'm just interested in things like 
secure-cookie, etc.


Jeffrey Janner
Sr. Network Administrator
jeffrey.jan...@polydyne.com
PolyDyne Software Inc.
Main:   512.343.9100
Direct:  512.583.8930

 [cid:image002.png@01CC0FB7.4FF43CE0]

Speed, Intelligence & Savings in Sourcing

Re: logging input and output HTTP message payload

[Milinda Perera]

Hi all,

Thanks for suggestions,

Actually I want to log all HTTP / HTTPS requests from client applications
to my Tomcat server and the Response sent back to the client. And logging
requests and payloads are not target specific application running in the
Tomcal server, which means all the request to the Tomcat server and all the
responses from the Tomcat server

My requirement cannot be fulfilled with external tools like wireshark
because:
  1. unable to log HTTPS requests and responses
  2. And I need to get logged requests and responses in server side log
files without external tools.

by changing  *org.apache.coyote.level=FINE *in log properties logs HTTP
requests to the server, but does not log response.

Highly appreciate if you guys can share your thoughts to achieve this.

Thanks,
Milinda



On Wed, Jun 17, 2015 at 5:56 PM, André Warnier  wrote:

> Frederik Nosi wrote:
>
>> It helps only with HTTP though, no HTTPS or at least not easily.
>>
>> While we are at this, are you trying to debug a SOAP / REST connection
>> from your application running on Tomcat to another server or a connection
>> coming from outside to your Tomcat?
>>
>>
>> On 06/17/2015 11:16 AM, Mark Thomas wrote:
>>
>>> On 17/06/2015 10:10, Milinda Perera wrote:
>>>
 Hi,

 I need to log HTTP payload content for debugging purposes.

>>> Use Wireshark. That has the added benefit of not having any unwanted
>>> side-effects on your application.
>>>
>>> Mark
>>>
>>>
> If this is for one debugging session, you could also simply use an add-on
> to a browser (such as Fiddler2 for IE), and record the full exchanges there.
> It has the advantage that you see the complete traffic in both directions
> (headers and content), and that you can easily switch between different
> presentations of the data, and save it to file if you need to.  And
> depending on what you are looking for, it may be a lot easier to handle
> than Wireshark.
>
>
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


-- 
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
   / \  / \ |  ||
  /   \/   \|  ||  N D A
 /  \   |  | |
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
* "please consider our environment before printing this e-mail"*

Re: [OT] Random Form Resubmissions

[Andy Wang]

On 06/17/2015 12:43 PM, Caldarale, Charles R wrote:

From: Jerry Malcolm [mailto:techst...@malcolms.com]
Subject: OT: Random Form Resubmissions



I have written defensive code in my webapp to detect this situation and
handle it.  So it's not a critical problem now. But it just frustrates
me that I have no clue what is going on.  And I'm curious if the users
are seeing something strange as this is occurring.  It appears that the
client's browser is holding onto the form and just randomly resending it
the server without the user's knowledge.  And it finally stops when they
close their browser or reboot their computer.  I know this makes zero sense.


This sounds like a lot of fun.


HAH!! I was thinking the exact same thing :)


Can you tell from the logs (or doing some traceroute runs) if there's anything 
in common about the clients?  Things such as a small set of origins (e.g., PRC, 
NK, AOL, NSA) or client environment (iOS, Android, IE7) might give a clue.

I wonder if some intermediary box thinks it's being useful by trying to get 
responses to unacknowledged requests and keeps replaying them, but the real 
client lost interest and disconnected a long time ago.



The comment:
"And it finally stops when they close their browser or reboot their 
computer."
has me thinking, proxy/internet security software on the system doing 
it?  Or a browser extension.  But why and what eludes me.



  - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: [OT] Random Form Resubmissions

[Caldarale, Charles R]

> From: Jerry Malcolm [mailto:techst...@malcolms.com] 
> Subject: OT: Random Form Resubmissions

> I have written defensive code in my webapp to detect this situation and 
> handle it.  So it's not a critical problem now. But it just frustrates 
> me that I have no clue what is going on.  And I'm curious if the users 
> are seeing something strange as this is occurring.  It appears that the 
> client's browser is holding onto the form and just randomly resending it 
> the server without the user's knowledge.  And it finally stops when they 
> close their browser or reboot their computer.  I know this makes zero sense.

This sounds like a lot of fun.  Can you tell from the logs (or doing some 
traceroute runs) if there's anything in common about the clients?  Things such 
as a small set of origins (e.g., PRC, NK, AOL, NSA) or client environment (iOS, 
Android, IE7) might give a clue.

I wonder if some intermediary box thinks it's being useful by trying to get 
responses to unacknowledged requests and keeps replaying them, but the real 
client lost interest and disconnected a long time ago.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

OT: Random Form Resubmissions

[Jerry Malcolm]

OT:  I have a simple 'contact-us' webapp that has been running for 
years.  I'm not having any problems with it directly.  However, 
periodically, I get resubmissions of the form from the client's 
computer, sometimes randomly once a day for several days/weeks, and 
sometimes once or twice two weeks after the original form was 
submitted.  The obvious answer to this would be that the client just 
keeps hitting the back button and resubmitting the form.  But I know 
that is not the case.  I have a little javascript snippit that sets the 
current date in a hidden field when the user hits the submit button 
(spam robots don't recognize this, so spam-robot-submissions will not 
have a valid date in the hidden field).   When these random form 
resubmissions come in they have the original date/time in that hidden 
field from when they actually requested and submitted the form.


So what I know at this point:

1) This is rare.  But when it starts with a particular form, I'll get 
resubmissions anywhere from once ever few hours to once every couple of 
weeks.


2) It finally stops.  But one specific form kept coming in once a day 
(random time each day) for over 2 months (still with original date/time 
from two months earlier in that hidden field)


3) I checked the apache httpd logs, and the resubmissions are coming 
from the original user's IP address.  They are definitely coming in as a 
new request each time to apache/tomcat (as opposed to my webapp code 
somehow reprocessing the original request)


4) The user is NOT hitting the submit button over and over as proven by 
the time/date in the hidden field.


I have written defensive code in my webapp to detect this situation and 
handle it.  So it's not a critical problem now. But it just frustrates 
me that I have no clue what is going on.  And I'm curious if the users 
are seeing something strange as this is occurring.  It appears that the 
client's browser is holding onto the form and just randomly resending it 
the server without the user's knowledge.  And it finally stops when they 
close their browser or reboot their computer.  I know this makes zero sense.


So I know this is not precisely tomcat related.  But I know this 
forum has followers with a vast range of knowledge in many areas. I'm 
just curious if this rings any bells, or if anyone can explain what is 
going on here.  Anybody know what would cause a browser to keep randomly 
resending a form request to the server?


Thanks.

Jerry


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: redirect to website not working

[André Warnier]

Ankur Gupta wrote:

I had installed fiddler and deactivated ie stupid feature . how can I share
the result of fiddler to you if the system dosent allow attachments?



Well, on this list here we try to help, and we provide tips.
But we do not do all the work for you, and you are expected to do some of it 
yourself.
(You can of course always ask for a private consultant, there are pointers for that on the 
Tomcat website.)


You have already gotten now to the point where you know that your webapp under Tomcat, is 
sending the (presumably) correct 302 response to the browser.
With Fiddler, you can now examine this server response more in detail, to see if it is 
really what it should be.
And you have disabled the friendly error pages, so you can see what the error really is, 
from the browser point of view.

Does that help to diagnose your problem ?

And if you need to send more information to the list about what you see in Fiddler, I 
believe that you just need to do a right-click on that specific response, and it will 
propose a choice of things to do, among which there must be a copy-to-clipboard option.

You can then paste that specific line into your next message to the list, if 
needed.

But try to do some thinking by yourself first.  It helps in the long run.

One request : if you find the solution yourself, please post it to the list 
also.
It will help someone else in the future, if they are smart enough to search the list 
archives first.

See : http://tomcat.apache.org/lists.html







-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: redirect to website not working

[chris derham]

> ... how can I share
> the result of fiddler to you if the system dosent allow attachments?

Ankur,

Copy/paste the text of the raw response into an email should do it

Chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: redirect to website not working

[Ankur Gupta]

I had installed fiddler and deactivated ie stupid feature . how can I share
the result of fiddler to you if the system dosent allow attachments?

Re: redirect to website not working

[André Warnier]

Ankur Gupta wrote:

Log says this:

xx.xxx.xx.81 - - [17/Jun/2015:12:51:47 -0400] "GET
/examples/smstrial.jsp?mobileNumber=0123456789 HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:52:16 -0400] "GET
/examples/smstrial.jsp?mobileNumber=0123456789 HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:53:05 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:53:17 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:53:32 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:54:39 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 139

xx.xxx.xx.81 - - [17/Jun/2015:12:55:16 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 139



Browser is Internet Explorer and it gives error

 [image: Inline image 1]



Ankur Gupta wrote:
> [image: Inline image 1]
>
Yes, that is the stupid built-in Internet Explorer "friendly error page", which doesn't 
tell you anything worth knowing.


Go to Tools -> Internet Options -> advanced
and disable the "friendly error pages" option.

Better : get Fiddler (http://www.telerik.com/fiddler)
install it, activate it, repeat your session and look at what is really sent and received 
by the browser. Look in particular at the content of the "Location" header received by the 
browser in the 302 responses, if it is what you expect.

(Note : the content of that header should be a full absolute URL to the desired 
site)





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: logging input and output HTTP message payload

[André Warnier]

Frederik Nosi wrote:

It helps only with HTTP though, no HTTPS or at least not easily.

While we are at this, are you trying to debug a SOAP / REST connection 
from your application running on Tomcat to another server or a 
connection coming from outside to your Tomcat?



On 06/17/2015 11:16 AM, Mark Thomas wrote:

On 17/06/2015 10:10, Milinda Perera wrote:

Hi,

I need to log HTTP payload content for debugging purposes.

Use Wireshark. That has the added benefit of not having any unwanted
side-effects on your application.

Mark



If this is for one debugging session, you could also simply use an add-on to a browser 
(such as Fiddler2 for IE), and record the full exchanges there.
It has the advantage that you see the complete traffic in both directions (headers and 
content), and that you can easily switch between different presentations of the data, and 
save it to file if you need to.  And depending on what you are looking for, it may be a 
lot easier to handle than Wireshark.





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: logging input and output HTTP message payload

[Frederik Nosi]

It helps only with HTTP though, no HTTPS or at least not easily.

While we are at this, are you trying to debug a SOAP / REST connection 
from your application running on Tomcat to another server or a 
connection coming from outside to your Tomcat?



On 06/17/2015 11:16 AM, Mark Thomas wrote:

On 17/06/2015 10:10, Milinda Perera wrote:

Hi,

I need to log HTTP payload content for debugging purposes.

Use Wireshark. That has the added benefit of not having any unwanted
side-effects on your application.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: redirect to website not working

[André Warnier]

Hi.

Ankur Gupta wrote:

Log says this:

xx.xxx.xx.81 - - [17/Jun/2015:12:51:47 -0400] "GET
/examples/smstrial.jsp?mobileNumber=0123456789 HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:52:16 -0400] "GET
/examples/smstrial.jsp?mobileNumber=0123456789 HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:53:05 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:53:17 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:53:32 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:54:39 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 139

xx.xxx.xx.81 - - [17/Jun/2015:12:55:16 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 139




That log seems fine to me. It shows that your application is indeed returning the 302 
responses to the browser.
Unfortunately, this does not really show us *to what* the re-direction is, from the point 
of view of the browser.




Browser is Internet Explorer and it gives error

 [image: Inline image 1]



Unfortunately, the list software strips embedded images, and most attachments.
Do you have any way to post that image somewhere (or describe it), so that we know what 
error this is exactly ?


Note : if you are using IE, you may need to change a setting, in order to see the real 
error page sent by the server, rather than the "friendly" page that IE itself is showing.
Go to preferences, in "advanced", and disable the "send friendly error messages" box, then 
try again.


I also suggest that you add a plugin to the browser, such as Fiddler2 for IE.
This will allow you to see "exactly" what the server sends as a response, including the 
"Location:" header, which is essential here to determine what the problem is.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: redirect to website not working

[Ankur Gupta]

Log says this:

xx.xxx.xx.81 - - [17/Jun/2015:12:51:47 -0400] "GET
/examples/smstrial.jsp?mobileNumber=0123456789 HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:52:16 -0400] "GET
/examples/smstrial.jsp?mobileNumber=0123456789 HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:53:05 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:53:17 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:53:32 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 -

xx.xxx.xx.81 - - [17/Jun/2015:12:54:39 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 139

xx.xxx.xx.81 - - [17/Jun/2015:12:55:16 -0400] "GET /examples/smstrial.jsp
HTTP/1.1" 302 139



Browser is Internet Explorer and it gives error

 [image: Inline image 1]

Re: redirect to website not working

[André Warnier]

Ankur Gupta wrote:

xx.xx.xx.81 has classic asp page sms.asp having code:

<%@ language=vbscript%>

<%

   mobileNumber="0123456789"

   Response.redirect("
http://xx.xxx.xx.99:8080/examples/smstrial.jsp?mobileNumber="&; mobileNumber)

%>



Linux server(xx.xxx.xx.99:8080) with apache tomcat and linux v6.1
Enterprise has jsp page named smstrial.jsp having jsp code:

<%@ page import="java.io.*,java.util.*"%>





 New Document 







Page Redirection



<%

   String mobile=request.getParameter("mobileNumber");

   String site="
http://180.179.218.150:80/sendurl.aspx?user=xyz&pwd=xyz&sen
derid=xyz&mobileno="+mobile+"&msgtext=Hello&smstype=0";

   response.sendRedirect(site);

%>











Now from xx.xx.xx.81 iam  calling sms.asp page from internet explorer and
 getting error.


Ahaaa ! you are getting an error !

Do you care to share what error you are getting, and where ?

And have you looked into any relevant server log, to find out what that error 
may be due to ?



If i change redirect webpage called in jsp code to some intranet server,e.g
xx.xx.xx.54 (which is not use for public website. It is used internally in
the organization and xx.xx.xx.81  server is connected to xx.xx.xx.54  )
then  xx.xx.xx.81 browser successfully redirects to it without any issue.



Linux server xx.xxx.xx.99:8080 is connected to internet.

When we use wget command like

Wget  http://180.179.218.150:80/sendurl.aspx?user=xyz&pwd=xyz&sen
derid=xyz&mobileno="+mobile+"&msgtext=Hello&smstype=0  then it successfully
executes it.



I hope this helps . Thank you for giving you time.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: logging input and output HTTP message payload

[Mark Thomas]

On 17/06/2015 10:10, Milinda Perera wrote:
> Hi,
> 
> I need to log HTTP payload content for debugging purposes.

Use Wireshark. That has the added benefit of not having any unwanted
side-effects on your application.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

logging input and output HTTP message payload

[Milinda Perera]

Hi,

I need to log HTTP payload content for debugging purposes. Following are my
findings:

1. Using HTTP message content Access Log Valve [1] and Extended Access Log
Valve [2]
  But it does not provide functionality to log HTTP payload

2. Then I tried by changing  *org.apache.coyote.level=FINE*
 With this it logs the entire HTTP request (header + payload). But
does not log response

Since in my 2nd method it logged the request, Is it possible to log
response also?

[1]
https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Access_Log_Valve
[2]
https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Extended_Access_Log_Valve

Thanks,
Milinda

-- 
* "please consider our environment before printing this e-mail"*

Re: redirect to website not working

[Ankur Gupta]

xx.xx.xx.81 has classic asp page sms.asp having code:

<%@ language=vbscript%>

<%

   mobileNumber="0123456789"

   Response.redirect("
http://xx.xxx.xx.99:8080/examples/smstrial.jsp?mobileNumber="&; mobileNumber)

%>



Linux server(xx.xxx.xx.99:8080) with apache tomcat and linux v6.1
Enterprise has jsp page named smstrial.jsp having jsp code:

<%@ page import="java.io.*,java.util.*"%>





 New Document 







Page Redirection



<%

   String mobile=request.getParameter("mobileNumber");

   String site="
http://180.179.218.150:80/sendurl.aspx?user=xyz&pwd=xyz&sen
derid=xyz&mobileno="+mobile+"&msgtext=Hello&smstype=0";

   response.sendRedirect(site);

%>











Now from xx.xx.xx.81 iam  calling sms.asp page from internet explorer and
 getting error.

If i change redirect webpage called in jsp code to some intranet server,e.g
xx.xx.xx.54 (which is not use for public website. It is used internally in
the organization and xx.xx.xx.81  server is connected to xx.xx.xx.54  )
then  xx.xx.xx.81 browser successfully redirects to it without any issue.



Linux server xx.xxx.xx.99:8080 is connected to internet.

When we use wget command like

Wget  http://180.179.218.150:80/sendurl.aspx?user=xyz&pwd=xyz&sen
derid=xyz&mobileno="+mobile+"&msgtext=Hello&smstype=0  then it successfully
executes it.



I hope this helps . Thank you for giving you time.

Re: redirect to website not working

[André Warnier]

Ankur Gupta wrote:

Sorry if I was unable to make you understand .
At my workplace we have one production server which have iis and classic
asp pages are deployed.


Ok, that I understand.
Server-A = IIS + whatever

 Now as per the requirement
(of which we do not have a copy, so we know nothing about it)

 , we have to send SMS to

the customers,


Who is "we" ?

 so , a request from production server say A(having asp page)

ok, Server-A above sends HTTP request directly to ..


is sent to Linux server having tomcat say B(having jsp page).


So Server-B is your Tomcat server with your application..

 B server has
jsp page which is called and a simple code 

(of which we do not have a copy either, so we know nothing about it)

is written to redirect to public
website 


"redirect", in HTTP terms, has a very precise meaning.  It means that your application is 
sending a response *to the browser*, and this response is a "redirect" response

with a status code 301 or 302.
See : https://en.wikipedia.org/wiki/HTTP_301
or : https://en.wikipedia.org/wiki/HTTP_302

and when your application sends such a response to the browser, and the browser receives 
it, *the browser* immediately and automatically sends another request to the indicated 
website.

(And this does not involve Tomcat at all anymore).

Is that what happens ?


which is responsible for sending SMS.



(so that also has nothing to do with Tomcat)



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: redirect to website not working

[Ankur Gupta]

Sorry if I was unable to make you understand .
At my workplace we have one production server which have iis and classic
asp pages are deployed. Now as per the requirement , we have to send SMS to
the customers, so , a request from production server say A(having asp page)
is sent to Linux server having tomcat say B(having jsp page). B server has
jsp page which is called and a simple code is written to redirect to public
website which is responsible for sending SMS.

Re: redirect to website not working

[André Warnier]

Ankur Gupta wrote:

I have apache tomacat 7.0.61 and linux server 6.1 enterprise.
There is a requirment of sending sms to the customers, but the request to
send sms to the vendor is throught this sftp linux server.
Now, when i redirect to the page it does not respond.But when i access the
same website through command line wget "http://xyz.com"; linux does execute
that and i can get sms.
one more information before wget i set http_proxy in command line like
$export http_proxy=xx.xx.xx.xx:yy/
so there is a need to set proxy in apache tomcat too in order to redirect
to public page?
Thank you



Hi.
On this list, we have quite a lot of experience at decyphering user requests 
for help.
We even have some good SSL specialists available to answer questions.
But your question above is hopelessly confusing.
Could you try to rephrase this, so that we could have a hope to understand what your 
question is really about ? (maybe a little schema may help)


In the meantime, I'll answer this :

Q : > so there is a need to set proxy in apache tomcat too in order to redirect
> to public page?

A: no.
In simplified terms : the browser makes the connection to Tomcat to send its request; and 
Tomcat sends responses to the browser on that same connection. So it does not need a proxy 
for that.
If your application is sending a redirect response to the browser, that is a response, so 
it goes through that same connection.


If your webapp itself needs to access another webserver, then it would be another matter, 
and it might need a proxy for doing that.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org