Re: Tomcat bad char issue with new cluster

2015-10-06 Thread Saurav Maulick
No Mikel, we don't have any filter in conf/web.xml.



On Tue, Oct 6, 2015 at 3:14 PM, Mikel Ibiricu  wrote:

> Do you have any filter defined in conf/web.xml in the old ones which run
> properly?
>
> Regards,
> Mikel
> On 06/10/2015 15:37, "Saurav Maulick" wrote:
>
> > Hi Christopher,
> >
> >
> > Please find my answer below
> >
> >
> > *Two new clusters or two new nodes added to an existing cluster?*
> >
> > Two Nodes
> >
> >
> > *What is the difference between the conf/server.xml on a "working" server
> > and one of these new servers that is misbehaving?*
> >
> > No difference, apart from Server port configuration, non-SSL
> > HTTP/1.1 Connector port configuration, AJP 1.3 Connector port
> > configuration, and jvmRoute configuration.
> >
> >
> > *Identical WAR files deployed to all servers?*
> >
> > Yes, all the nodes have identical WAR files.
> >
> >
> > On Mon, Oct 5, 2015 at 9:06 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > Saurav,
> > >
> > > On 10/5/15 12:23 PM, Saurav Maulick wrote:
> > > > I know Tomcat 5.5 is very old and this is outdated, but we are
> > > > still using Tomcat 5.5 and we got an issue. Please help.
> > > >
> > > > Problem description:
> > > >
> > > > Recently my client has asked me to add two new clusters in the
> > > > production, after adding the clusters we found that these two new
> > > > clusters are not able to handle special characters.
> > >
> > > Two new clusters, or two new nodes added to an existing cluster?
> > >
> > > > When user copies some data (especially from MS-Word which contains
> > > > double quote) and paste into the application we have found that
> > > > double quote becomes junk character, but these problems only
> > > > persist with newly created clusters not with old clusters.
> > > >
> > > > While creating the new cluster I just copied the old cluster folder
> > > > and all the clusters are identical except some changes in
> > > > server.xml.
> > > >
> > > > Could you please help me to resolve this issue?
> > > >
> > > > NB. UTF-8 char encoding present in the xml files
> > >
> > > What is the difference between the conf/server.xml on a "working"
> > > server and one of these new servers that is misbehaving? Identical WAR
> > > files deployed to all servers?
> > >
> > > - -chris
> > >
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > >
> >
> >
> > --
> > Thanks and Regards,
> > Saurav
> >
>



-- 
Thanks and Regards,
Saurav


Tomcat clustering for simplified config

2015-10-06 Thread Mark Bramer
Hi list,

I just signed up to the list - please forgive any newb mistakes but hopefully 
I'm following the right format, style and content.

I currently work in a production environment with eight app servers, all 
running the same version of Tomcat (currently 7.0.62).  Four servers support 
version 1 of our app, the other four servers support version 2.  Within each 
group of four, two serve completely open content via 80, the other two support 
queries of sensitive data via 443.  Servers are named with a number system 
where all odd-named servers are for the secure content, all evens are open.  

So here's the setup in a hopefully clearer portrayal:

App Version 1:
Server 01: secure queries via 443
Server 02: open content via 80
Server 03: secure queries via 443
Server 04: open content via 80

App Version 2:
Server 05: secure queries via 443
Server 06: open content via 80
Server 07: secure queries via 443
Server 08: open content via 80

Each pair of even and odd named servers are *conceptually* linked, but 
physically stand on their own.  All http traffic and https traffic for each 
version is directed to a particular server by a load balancer.  No Apache Web 
Server is in the mix and we would like to keep it that way for simplicity.  
Load-wise, our eight Tomcats are not taxed.

I'm responsible for upkeep of these servers, which requires regular version 
upgrades and configuration changes when any vulnerability is found by regular, 
periodic Nessus scans 
(http://www.tenable.com/products/nessus-vulnerability-scanner).  Sometimes the 
changes are related to ciphers, sometimes other things, but I'd say 90% of the 
time, I just need to upgrade to a newer version.

So no big deal conceptually, I fully admit, but doing this across eight servers 
is TEDIOUS.  And more importantly, it's a ripe opportunity for introducing user 
error.  On three occasions I have brought our production systems down by stupid
mistakes in server.xml or other config files, or most recently, accidentally 
copying the wrong ROOT from a version 2 (05) box into the version one boxes (01 
and 03). I got things up and running fine with no serious consequences but this 
being the third time, I thought "there has to be a better way" right after I 
talked myself off the "you're a complete idiot" ledge.  

I'm starting to research Tomcat clustering but everything I see just talks 
about load balancing and failover.  **What about ease of configuration??** I'd 
like to be able to set up Tomcat  (clusters?) to help automate what 
I've described above to make it less tedious and reduce the chances of making 
stupid mistakes when I'm on the 6th, 7th, 8th server.  I'm not sure if Tomcat 
clustering is what I need, or if I should look at something else.

Can you nice folks help direct me to where I should look for starters?  Will 
Tomcat clustering get me what I want?  or something else, like Zookeeper?

Thanks,
Mark Bramer




Re: tomcat context with /

2015-10-06 Thread Mark Thomas
On 06/10/2015 22:56, Harish Kulkarni wrote:
> Hi
> 
> We are migrating a WebSphere app to tomcat.
> In WebSphere the context is defined as /secure/admin and we have hardcoded
> redirects with /secure/admin/*

Whoops. Applications are meant to be independent of the context path at
which they are deployed.

> Our war is admin.war.
> Tomcat is not allowing /secure/admin as context.
> Is there a way using tomcat rewrite or apache config to achieve this?

Rename the WAR to secure#admin.war

Mark





Re: tomcat context with /

2015-10-06 Thread Harish Kulkarni
Hi

We are migrating a WebSphere app to tomcat.
In WebSphere the context is defined as /secure/admin and we have hardcoded
redirects with /secure/admin/*
Our war is admin.war.
Tomcat is not allowing /secure/admin as context.
Is there a way using tomcat rewrite or apache config to achieve this?

Thanks
Harish


Re: Tomcat bad char issue with new cluster

2015-10-06 Thread Mikel Ibiricu
Do you have any filter defined in conf/web.xml in the old ones which run
properly?

Regards,
Mikel
On 06/10/2015 15:37, "Saurav Maulick" wrote:

> Hi Christopher,
>
>
> Please find my answer below
>
>
> *Two new clusters or two new nodes added to an existing cluster?*
>
> Two Nodes
>
>
> *What is the difference between the conf/server.xml on a "working" server
> and one of these new servers that is misbehaving?*
>
> No difference, apart from Server port configuration, non-SSL
> HTTP/1.1 Connector port configuration, AJP 1.3 Connector port configuration,
> and jvmRoute configuration.
>
>
> *Identical WAR files deployed to all servers?*
>
> Yes, all the nodes have identical WAR files.
>
>
> On Mon, Oct 5, 2015 at 9:06 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Saurav,
> >
> > On 10/5/15 12:23 PM, Saurav Maulick wrote:
> > > I know Tomcat 5.5 is very old and this is outdated, but we are
> > > still using Tomcat 5.5 and we got an issue. Please help.
> > >
> > > Problem description:
> > >
> > > Recently my client has asked me to add two new clusters in the
> > > production, after adding the clusters we found that these two new
> > > clusters are not able to handle special characters.
> >
> > Two new clusters, or two new nodes added to an existing cluster?
> >
> > > When user copies some data (especially from MS-Word which contains
> > > double quote) and paste into the application we have found that
> > > double quote becomes junk character, but these problems only
> > > persist with newly created clusters not with old clusters.
> > >
> > > While creating the new cluster I just copied the old cluster folder
> > > and all the clusters are identical except some changes in
> > > server.xml.
> > >
> > > Could you please help me to resolve this issue?
> > >
> > > NB. UTF-8 char encoding present in the xml files
> >
> > What is the difference between the conf/server.xml on a "working"
> > server and one of these new servers that is misbehaving? Identical WAR
> > files deployed to all servers?
> >
> > - -chris
>
>
> --
> Thanks and Regards,
> Saurav
>


Re: Demand CLIENT-CERT only on certain pages but demand SSL in all pages

2015-10-06 Thread Mark Thomas
On 06/10/2015 15:46, George Stanchev wrote:
> Mark,
> 
> What are the possible issues with renegotiation? We're on NIO connectors, is 
> there anything known?

NIO should be fine. We've seen odd issues on OSX we haven't been able to
track down.

Mark

> 
> George
> 
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: Monday, October 05, 2015 8:32 AM
> To: Tomcat Users List
> Subject: Re: Demand CLIENT-CERT only on certain pages but demand SSL in all 
> pages
> 
> On 05/10/2015 12:05, Gael Abadin wrote:
>> Hello, fellow users.
>>
>> I've been trying to configure tomcat to request client certificate 
>> authentication on a single page, while serving every other SSL page 
>> without requesting a client certificate (before or after 
>> authentication). Depending on the configuration I use, one of 2 things 
>> happen: either I get a request for a client certificate on ANY HTTPS 
>> page I visit first, or I do not get a request at all, never, even when 
>> I launch the browser and go straight to the protected page 
>> (/my-app-name/public/login/login.xhtml).
>>
>> Am I doing something wrong or is this kind of configuration just not 
>> possible?
> 
> That should be possible but you'll need two security constraints. One to 
> require TLS everywhere and one for the pages where you require authentication.
> 
> You may also hit issues with which connectors support renegotiation (don't 
> use APR).
> 
> Mark
> 
>>
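>> Here is my web.xml security constraint and login config (I've also 
>> tried omitting ):
>>
>>   <security-constraint>
>>     <web-resource-collection>
>>       <web-resource-name>Protected Context</web-resource-name>
>>       <url-pattern>/public/login/*</url-pattern>
>>     </web-resource-collection>
>>     <user-data-constraint>
>>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>     </user-data-constraint>
>>   </security-constraint>
>>   <login-config>
>>     <auth-method>CLIENT-CERT</auth-method>
>>   </login-config>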
>>
>>
>> And here is my server.xml config (I've also tried clientAuth="false" 
>> and
>> clientAuth="true"):
>>
>>  > shutdown="SHUTDOWN">
>>   > className="org.apache.catalina.startup.VersionLoggerListener"/>
>>
>>   
>>   > className="org.apache.catalina.core.AprLifecycleListener"/>
>>   
>>   
>>   
>>   > className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
>>   > className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
>>   > className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"
>> />
>>
>>   
>> > factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>> name="UserDatabase" pathname="conf/tomcat-users.xml"
>> type="org.apache.catalina.UserDatabase"/>
>>   
>>
>>   
>>
>> > redirectPort="443"/>
>>
>> > port="443" protocol="org.apache.coyote.http11.Http11Protocol"
>> scheme="https" secure="true" sslProtocol="TLS"/>
>>
>> 
>>
>> 
>>   
>> > resourceName="UserDatabase"/>
>>   
>>   > unpackWARs="true">
>> > directory="logs" pattern="%h %l %u %t "%r" %s %b"
>> prefix="localhost_access_log." suffix=".txt"/>
>> > reloadable="true" source="org.eclipse.jst.jee.server:cividas-core-web"/>
>>   
>> 
>>   
>> 
>>
>> It is my first Tomcat SSL client cert set up so I must be missing 
>> something. Hope you may help me see it :-)
>>
>> Cheers,
>>
> 



RE: Demand CLIENT-CERT only on certain pages but demand SSL in all pages

2015-10-06 Thread George Stanchev
Mark,

What are the possible issues with renegotiation? We're on NIO connectors, is 
there anything known?

George

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Monday, October 05, 2015 8:32 AM
To: Tomcat Users List
Subject: Re: Demand CLIENT-CERT only on certain pages but demand SSL in all 
pages

On 05/10/2015 12:05, Gael Abadin wrote:
> Hello, fellow users.
> 
> I've been trying to configure tomcat to request client certificate 
> authentication on a single page, while serving every other SSL page 
> without requesting a client certificate (before or after 
> authentication). Depending on the configuration I use, one of 2 things 
> happen: either I get a request for a client certificate on ANY HTTPS 
> page I visit first, or I do not get a request at all, never, even when 
> I launch the browser and go straight to the protected page 
> (/my-app-name/public/login/login.xhtml).
> 
> Am I doing something wrong or is this kind of configuration just not 
> possible?

That should be possible but you'll need two security constraints. One to 
require TLS everywhere and one for the pages where you require authentication.

You may also hit issues with which connectors support renegotiation (don't use 
APR).

Mark

> 
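> Here is my web.xml security constraint and login config (I've also 
> tried omitting ):
> 
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Protected Context</web-resource-name>
>       <url-pattern>/public/login/*</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>CLIENT-CERT</auth-method>
>   </login-config>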
> 
> 
> And here is my server.xml config (I've also tried clientAuth="false" 
> and
> clientAuth="true"):
> 
>   shutdown="SHUTDOWN">
>className="org.apache.catalina.startup.VersionLoggerListener"/>
> 
>   
>className="org.apache.catalina.core.AprLifecycleListener"/>
>   
>   
>   
>className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
>className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
>className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"
> />
> 
>   
>  factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> name="UserDatabase" pathname="conf/tomcat-users.xml"
> type="org.apache.catalina.UserDatabase"/>
>   
> 
>   
> 
>  redirectPort="443"/>
> 
>  port="443" protocol="org.apache.coyote.http11.Http11Protocol"
> scheme="https" secure="true" sslProtocol="TLS"/>
> 
> 
> 
> 
>   
>  resourceName="UserDatabase"/>
>   
>unpackWARs="true">
>  directory="logs" pattern="%h %l %u %t "%r" %s %b"
> prefix="localhost_access_log." suffix=".txt"/>
>  reloadable="true" source="org.eclipse.jst.jee.server:cividas-core-web"/>
>   
> 
>   
> 
> 
> It is my first Tomcat SSL client cert set up so I must be missing 
> something. Hope you may help me see it :-)
> 
> Cheers,
> 





Re: Tomcat bad char issue with new cluster

2015-10-06 Thread Saurav Maulick
Hi Christopher,


Please find my answer below


*Two new clusters or two new nodes added to an existing cluster?*

Two Nodes


*What is the difference between the conf/server.xml on a "working" server
and one of these new servers that is misbehaving?*

No difference, apart from Server port configuration, non-SSL
HTTP/1.1 Connector port configuration, AJP 1.3 Connector port configuration,
and jvmRoute configuration.


*Identical WAR files deployed to all servers?*

Yes, all the nodes have identical WAR files.


On Mon, Oct 5, 2015 at 9:06 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Saurav,
>
> On 10/5/15 12:23 PM, Saurav Maulick wrote:
> > I know Tomcat 5.5 is very old and this is outdated, but we are
> > still using Tomcat 5.5 and we got an issue. Please help.
> >
> > Problem description:
> >
> > Recently my client has asked me to add two new clusters in the
> > production, after adding the clusters we found that these two new
> > clusters are not able to handle special characters.
>
> Two new clusters, or two new nodes added to an existing cluster?
>
> > When user copies some data (especially from MS-Word which contains
> > double quote) and paste into the application we have found that
> > double quote becomes junk character, but these problems only
> > persist with newly created clusters not with old clusters.
> >
> > While creating the new cluster I just copied the old cluster folder
> > and all the clusters are identical except some changes in
> > server.xml.
> >
> > Could you please help me to resolve this issue?
> >
> > NB. UTF-8 char encoding present in the xml files
>
> What is the difference between the conf/server.xml on a "working"
> server and one of these new servers that is misbehaving? Identical WAR
> files deployed to all servers?
>
> - -chris


-- 
Thanks and Regards,
Saurav