Re: Custom web application as default web app

2008-08-04 Thread André Warnier

sasuke wrote:

Hello all.

I have recently started developing J2EE applications using Tomcat and have
come across a stumbling block. Suppose I want to run Tomcat in an
environment close to what it would be in production; to do so I need to do the
following:



1. Make sure Tomcat is running on port 80 so that there is no need to provide
   the port number.
2. Make sure that hitting http://myhost.com/ brings up my custom application
   and not the tomcat manager.
3. Make sure that a light web server like lighttpd or Apache is used for
   serving static content and redirecting to tomcat when dynamic jsp
   compilation is required.
4. Make sure that the sessions are persisted when the above arrangement is
   put in clustered mode.



Hi.
I can't answer all your questions competently, but here is a start :

a) your requirements 1 and 3 above seem to be contradictory.
The usual way to do this is to have the light httpd server in front, 
answering all requests to port 80.
Then, inside that front-end httpd server, there is a mechanism for 
detecting which requests should go to a *background* Tomcat, and 
re-direct these requests, in a way transparent to the client.

For example, using Apache and Tomcat, you would use the following setup :
- Apache answering on port 80
- a re-director module within Apache (like mod_jk), gets told which 
URLs have to go to Tomcat, and intercepts those URLs.
The other URLs are served by the local httpd server.
- in Tomcat, a corresponding connector receives these requests, and 
Tomcat processes them, and sends the response back through the connector.
- Apache receives the response from the mod_jk re-director, and sends 
it to the client.


But, there are many people on this list that will tell you that if the 
purpose is simply to serve some static pages, you do not need a 
front-end http server, and you can do it all with Tomcat alone.


On the other hand, I believe that your requirement #4 means that you 
must have a front-end server.


b) to have Tomcat respond to port 80 (assuming there is no other httpd 
server that already does), is simple : just change the port number of 
the HTTP connector in Tomcat's server.xml file.  By default it is set 
to 8080 or 8180, it's easy to find.
But decide first which architecture you want, because you cannot have 2 
http servers (Tomcat and another one) both listening on the same port.


For 2 you need more expert help than I can provide.
But I believe it consists of deleting what is now the ROOT application 
of Tomcat, and putting yours in its place.

Roughly.
Wait for more expert advice, or look at previous messages on this list. 
This has been explained many times before.


André


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: enabling/disabling a servlet filter conditionally

2008-08-04 Thread André Warnier

André Warnier wrote:

Thanks, a lot.

[etc..]
I have one more question, if you would be so kind and if it is not too 
heavy to handle here (and at the risk of sounding very amateur) :


In the standard configuration, the JCIFS filter comes as a jar, which 
gets placed in the WEB-INF/lib sub-dir of the webapp.

If I need to build it into my own filter, how do I do that ?
Do I unpack the jar first when and where I compile my own filter, so 
that the classes are available then ?


I compile my filter right now with a very basic method, using a 
command-file (under Windows) like :


echo on
set JAVA_HOME=c:\java1.5
javac -classpath %CLASSPATH%;C:\java1.5\lib\tools.jar;C:\java1.5\jre1.5\lib\jsse.jar;C:\Tomcat5\common\lib\servlet-api.jar;C:\Tomcat5\common\lib\commons-el.jar %1


Do I just add the jar in question to the classpath above ?

André

Shows what I know about Java and servlets, right ?
It works though.




Re: Tomcat Service is stopped automatically???

2008-08-04 Thread André Warnier

Thangavel Sankaranarayanan wrote:

Hi,
I don't find any Hkey..instead I find a Hkey_Current_user..
I have logged in to a remote system through RDC...
and I couldn't find any system or other things in it...

Oh well, that means you (or rather your user-id) are probably not a 
Local Administrator on that system.


At this stage, I'm not quite sure anymore, because I don't have a Tomcat 
4.1 system to compare this with.  So I'm working from memory.


Try this :
Supposing you can find the top directory where Tomcat was installed.
It may be something like c:\Programs\Apache Group\Tomcat4.1, or 
C:\Tomcat4 or whatever.
Under that directory should be a sub-directory bin, with some programs 
in it, and maybe some .bat or .cmd files.


(With Tomcat 5, there are just 2 programs tomcat5.exe and 
tomcat5w.exe, and I used the tomcat5.exe in my previous example.)


But I believe that in Tomcat4.x, there is a command-file called 
startup.bat.

If so, then :
- anyway stop the Tomcat service
- open a command window, and go to the Tomcat/bin directory
- type : startup.bat

To stop Tomcat later, just type a CTRL-C in the window.
(And restart the service if needed).








Re: List remote files in Servlet

2008-08-06 Thread André Warnier

Nathan Thatcher wrote:

Turns out that was the issue. I set tomcat to run as a local user and
now it works. Thanks for the help.




Tomcat is running on a windows machine under the SYSTEM account so I
assume that it has the permissions. Is there a way to check if this is
the problem?

Under Windows, the LocalSystem account *specifically* has no network 
access rights (you can still make TCP/IP connections and so, but you 
cannot access Windows network resources).
To be perfectly ok, you would need to set up a Domain user that has the 
appropriate rights, and start Tomcat as that user.
Don't forget to create this user with a password that does not need to 
be changed regularly, or you might have problems starting Tomcat after a 
while.


André





Re: Can't start Tomcat5 service on Windows Vista Home Premium

2009-09-06 Thread André Warnier

Mark Thomas wrote:

Barry Kimelman wrote:

...



This is a 'feature' of newer versions of Java where the required dlls
aren't placed where they are meant to be. I believe there is a fix in
the works in commons-daemon to try and work around this. More details
(including background and workarounds) can be found in the associated JIRA.

https://issues.apache.org/jira/browse/DAEMON-110

I stand corrected thus.  Please ignore my previous answer about the 
64-bit tomcatX.exe.  Things seem to have moved ahead while I was on 
holiday..






Re: Tomcat App Configuration

2009-09-07 Thread André Warnier

Markus,
that was a bad recommendation.
Look here instead :
http://wiki.apache.org/tomcat/HowTo#head-2e16a614a1be6e03102fc69dd59587a30e20bc5c


Markus Meyer wrote:
I'm not sure what's the problem, but I would not put the app into 
/usr/share/tomcat5.5/webapps because this is the default location. I 
would put the webapp into a different location. Also, check if you 
already have a ROOT directory in your webapps/ path which may interfere 
with your other root setting.



Markus

skarahan schrieb:

Hi ,
thanks for your help. I added this line to server.xml: Context path=/
docBase=/usr/share/tomcat5.5/webapp/myapp/ I can see it in the manager page
path column. But it's not running. Is there another xml file to configure it?


Markus Meyer wrote:
 

Hi,

just use an entry like the following in your Tomcat's server.xml 
configuration file:


Context path=/ docBase=/path/to/where/your/webapp/resides/

HTH
Markus

skarahan schrieb:
   

Hi,

I use tomcat5.5 on ubuntu and have a java web application. When I run it,
its address looks like http://servername:8180/myapp on the browser address
line. But I don't like this. When I write the http://servername:8180/
address on the web browser address line, I want to open my application.

I hope that I can explain my question..

Thanks for your help.





Re: mod_jk fails to forward request on high traffic

2009-09-08 Thread André Warnier

Rainer Jung wrote:

On 08.09.2009 17:49, Mark Thomas wrote:

John Cherouvim wrote:

Hello

I have a website which during peak time (peak lasts around ~4 hours with
14 pageviews/sec, 140 http requests/sec) starts to drop pageview requests.

My guess is that all of your Tomcat AJP threads are tied up with idle
httpd threads.

Try the following in your httpd.conf:
JkOptions +DisableReuse


... or read about the necessary timeouts on

http://tomcat.apache.org/connectors-doc/generic_howto/timeouts.html

Or start a lot more threads on that AJP Connector, since you have a lot 
of spare everything on that machine.
And if these are a lot of small requests by many separate clients, you 
may want to reduce your Apache KeepAliveTimeout to 4, then 3,..


The idea is :
- a browser connects to Apache and issues a request
- Apache is passing this request to one free Apache child
- this child sees that the request is for mod_jk (and, in the 
background, Tomcat)
- so one instance of an Apache child and mod_jk is now busy
- mod_jk connects to Tomcat
- to handle the request, the Tomcat Connector allocates one Tomcat 
thread (possibly starting a new one)
- the thread works and returns the response to mod_jk
- mod_jk returns the response to the Apache child
- the Apache child returns the response to the browser

but...

since the connection is keep-alive, if the same browser does not, on 
the same connection, issue any more requests, then the Apache child 
anyway waits on that connection for the duration of the 
KeepAliveTimeout.  Only when the timeout expires without new request, 
does the child close the connection and return itself to the available 
child pool.
So if the request takes 100 milliseconds to fulfill, and your 
KeepAliveTimeout is 5000 milliseconds, your Apache children sit there 
doing nothing (and being unavailable for other browsers' requests) for :

(5000 ms + 100 ms) =  5100 ms = total time
of which
100 ms = time to actually fulfill request
thus
100 ms / 5100 ms = 0.0196.. = 1.9 % productive
and
100 - 1.96 = 98.04 % unproductive
during which time they probably hold on to their mod_jk connection to 
Tomcat also, and thus there is also a Tomcat thread waiting, and doing 
nothing for the same unproductive time, and not being available for 
other clients and requests.


This is a horror scenario and, probably, in reality things are not so 
bad, depending on how your pages are and how smart all these little 
Apache/mod_jk/Tomcat pieces are.

But maybe worth thinking about anyway ?







Re: mod_jk fails to forward request on high traffic

2009-09-08 Thread André Warnier

John Cherouvim wrote:
...


Is there a possibility that there is a problem with the fact that I use:
<IfModule mpm_prefork_module>
   ...
  ServerLimit 1024
  MaxClients 1024
</IfModule>

and default Connector settings?
<Connector port="8010" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" />


Do those 2 need to have the same thread count (MaxClients=maxThreads)?


I think you're on the right track there.
See the previous response from Mark :
...


My guess is that all of your Tomcat AJP threads are tied up with idle
httpd threads.


.. doing nothing.





Re: catalina error file

2009-09-08 Thread André Warnier

mateo-jl wrote:

Hello,

I would like to have a circular catalina error file
is it possible ?

Mmmm. The concept of a circular file sounds interesting. Maybe you 
want to explain a bit what you mean ? there may be a great technical 
breakthrough lurking there.






Re: catalina error file

2009-09-08 Thread André Warnier

David Smith wrote:
..

:-D  The circular file still is the trash can.  In that case, /dev/null
should work.   :-)

Yeah but you want a buffer before the /dev/null, to give one a chance to 
peek at the contents.

I like Chuck's proposal for the name.
I mean, under Unix/Linux we already have stuff like head, tail, cut, 
truncate, etc..  It should not be that difficult to implement a type of 
file that never exceeds a given size, and be done with all these 
localhost.mmdd.log files and logrotate and rotatelogs thingies.

Seriously now.  Kind of.




Re: catalina error file

2009-09-08 Thread André Warnier

David Smith wrote:
...


Pure speculation on my part, but maybe the OP is looking for log rotation.


Nah, much too simple. And so are syslog and other Windows Event logs.
Neither did the OP tell us on which platform this would be, nor really 
even if it is related to Tomcat (though I admit that catalina is a clue).


I was rather thinking of a new file open mode, where one could say I 
want this file to never exceed 10000 lines.  Then as you append line 
10001, line 1 gets popped off to nowhere automatically.
Right now we have read, write, and append, and we've had them for 
many years. Any proposals for a new name for this new mode ?





Re: catalina error file

2009-09-08 Thread André Warnier

Caldarale, Charles R wrote:

From: Hassan Schroeder [mailto:hassan.schroe...@gmail.com]
Subject: Re: catalina error file

Basically a fixed-size serialized FIFO, right?


Yes, but the complication occurs when the records are of unbounded variable 
size.


But we are talking about logfiles (e.g.), so there is a line separator.
head and tail seem to deal with this happily.
Considering also we're talking about logfiles, and considering that the 
part that would be obliterated would be the oldest, I believe it would 
not hurt that much if the obliterated part at the top was just the same 
number of bytes (or characters) as the size of the last line added.
But maybe some kind of pre-allocated space, with a current pointer 
would work in a nicer way.





Re: very high CPU and load...

2009-09-09 Thread André Warnier

keeplearning wrote:

I am running a load test with 2 web (apache) and 2 appservers (tomcat). I am
noticing that after 250 users, I start seeing very high CPU usage and very
high load. Below is the o/p from top command. I also saw this message in
catalina.out: SEVERE: All threads (250) are currently busy, waiting.
Increase maxThreads (250) or check the servlet status


Well, yes.
The last message above is pretty explicit.
What is it that is mysterious ?




Re: Need Help - Mod_jk/Apache - Mutiple Content issue

2009-09-10 Thread André Warnier

balakarthik.baska...@wipro.com wrote:
...
Just jumping in here, but doesn't that request to /test/test.jsp appear 
to be looping ? or is that by design ?


ReplyTimeout_Analysis.txt :

[Thu Sep 10 14:46:47 2009][5024:2952] [debug] jk_ajp_common.c (1259): 
00f06D 20 74 65 73 74 69 6E 63 6C 75 64 65 31 20 50  - m.testinclude1.P
[Thu Sep 10 14:46:47 2009][5024:2952] [debug] jk_ajp_common.c (1259): 
010061 67 65 0D 0A 48 65 6C 6C 6F 6F 6F 6F 6F 20 66  - age..Hello.f
[Thu Sep 10 14:46:47 2009][5024:2952] [debug] jk_ajp_common.c (1259): 
011072 6F 6D 20 74 65 73 74 69 6E 63 6C 75 64 65 31  - rom.testinclude1






Re: bypassing a servlet mapping to /*

2009-09-10 Thread André Warnier

Leon Rosenberg wrote:


and if i use mapping with asterisk (/net/java/dev/moskito/webui/jsp/*)
, i see log errors from dispatcher servlet that it doesn't know how to
map
/net/java/dev/moskito/webui/jsp/Producer.jsp.


Yep (from a dummie) : does that not indeed look like the dispatcher 
thingie you're using does not know how to map wildcards ?






Re: Need Help - Mod_jk/Apache - Mutiple Content issue

2009-09-10 Thread André Warnier

balakarthik.baska...@wipro.com wrote:

No, I explicitly made it loop so that I can write content for a time longer 
than the reply_timeout setting to simulate and look at the behaviour.


Ok, but does a reply timeout really apply in that case ?
I would intuitively think that a reply timeout would be irrelevant as 
soon as the first byte of the reply arrives.  How long the response is 
after that, should not matter.

No ?

As I mentioned, I was just jumping in in the middle. Disregard my 
comments if they are not relevant.  I was just looking at the logs and 
trying to figure out what the problem is.





Re: Need Help - Mod_jk/Apache - Mutiple Content issue

2009-09-10 Thread André Warnier

balakarthik.baska...@wipro.com wrote:

Yes, you are right. I think I didn't mention it clearly. I am having this while 
loop for writing a huge chunk of data followed by a thread that sleeps for some 
time and that is where I am expecting my reply_timeout to be timed out and the 
data written till the sleep of the thread is seen in the browser and the log 
file.


Ok, now I do understand better, I think.
There is a request.
The Tomcat app starts answering (a long chunk of data), then crashes.
This is simulated by your test script, which sends a long chunk of data, 
then sleeps (to simulate a crash).
Eventually, some timeout occurs, which (may) cause another element to 
consider this Tomcat unresponsive, and switch the request to another one.

This other one then restarts the request from the beginning.
The final result being that the requesting browser first received an 
incomplete chunk of data from the first webapp, and now starts receiving 
the same data (again) from another webapp.


Again intuitively, I don't know how any server-side scheme is going to 
solve that.
When the first webapp starts answering, that Tomcat has to start sending 
the answer back to the client.  If it then crashes, it is too late to 
call it back; the data is already on the wire to the client.
It would be in my view the client's responsibility to ensure that it 
discards any incomplete data received.

But I don't know of any browser for instance, which does that.
They all start to try to display the data as soon as they have the 
beginning of it.


I think that if you really need this, then you would have to insert some 
other item between Tomcat and the client, which acts as a proxy, and 
only starts sending the response to the client when it is sure that it 
has received and buffered a complete response from the server.

But then, this item becomes the weak link.  It could also crash..
Or else you need an applet at the client side, which does the same thing.





Re: tomcat url rewrite

2009-09-11 Thread André Warnier

WILLIAMer wrote:

I get a problem with the URL.
My application has url rewrite for SEO.
I use this format http://mydomain/item.html for display.

There is an error that if the item name is like LF/123,
then the url becomes http://mydomain/LF/123.html,
because the name includes the / character.
I got the error like Tomcat thinks I have a directory named LF under my
application root directory.

I don't know whether this question belongs to Tomcat or url rewrite.


William,
Tomcat is right.
I think it is the concept of your application that needs to be 
revisited.  The / character is *universally* considered as a path 
separator under HTTP, and as a directory separator under most OS 
(including Windows).  You may be able to find some solution that will 
work in some cases, but you will anyway have problems with this sooner 
or later somewhere else.
I suggest that you change your item names, rather than trying to patch 
this stuff left and right.  You will save yourself a lot of trouble in 
the long run.








Re: 3 question for the form

2009-09-11 Thread André Warnier

Karthik Nanjangude wrote:

Hi

3 question for the form

1) Under What condition the MaxThreads should be increased in server.xml?
   maxThreads=150 when SSL is Configured with APACHE2x / Tomcat 6.0.2.0 setup

2) Is there a Process / Command to constantly monitor maxThreads this thread activity?

3) Does this same rules applies for TOMCAT embedded within JBOSS 4.2.1 Appserver?



Hi.

I suggest you search this forum's archives (or Google), because there 
are lots of threads related to these issues.


In particular, there is a recent thread here, entitled :
mod_jk fails to forward request on high traffic

The OP also pointed out a good document to get a basic understanding of 
these issues :

http://kbase.redhat.com/faq/docs/DOC-15866





Re: Windwos Integrated Authentication using AD and Tomcat (no prompt to the users)

2009-09-13 Thread André Warnier

Quick answer :

Look at http://www.ioplex.com, Jespa.

Derlei Luff wrote:

Hi all,
 
I’m new to Tomcat and normally work in a Microsoft Windows world. I’ve stumbled into a problem using Tomcat as a web server, that I’m sure there is a simple solution for though I can’t find it. I’m sure it works if I use a MS IIS server instead of a Tomcat server at least. I hope some of you more experienced users of Tomcat can either point me in the right direction or perhaps come up with the conclusion :-)

My problem is:
I have a running Active Directory which holds the users and groups. I have a Windows XP client, which is a member of the Active Directory domain. If a user logs into the client using his username and password and then opens Internet Explorer I would like him to gain access to a web page hosted on the Tomcat server. The problem is that the Tomcat server shall validate the user’s Active Directory credentials and the credentials should be sent to Tomcat without user interaction. In other words I want “Windows Integrated Authentication” from the MS world, so that Internet Explorer takes the user’s credentials and sends them to the Tomcat server (Kerberos). So far I can only get this to work if Internet Explorer prompts the user for his credentials (Basic Authentication).
In other words I want to achieve this:

· User logs onto the Windows XP computer using his username and password
· User opens Internet Explorer and writes the URL to the page hosted on the Tomcat server
· Internet Explorer sends the user’s username and password automatically to Tomcat (Kerberos)
· Tomcat validates the user’s credentials and accepts the request.

This is some form of Single Sign On and I know it works if I use IIS instead of Tomcat.

I’ve found several guides on the net, but none which tells me if this is 
possible or not. I hope some of you can point me in the right direction, 
but perhaps I have to use a third-party application to achieve this??
 
Thanks in advance,

Derlei


  






Re: Windwos Integrated Authentication using AD and Tomcat (no prompt to the users)

2009-09-13 Thread André Warnier

To Martin, Steve and others :

Samba's JCIFS works fine, but only for NTLMv1 authentication.
(It is also no longer maintained, see http://jcifs.samba.org.)
It does NOT work for NTLMv2 authentication, which is fast becoming the 
norm, and the default from Vista onwards.

Jespa works with NTLMv2, and is free for up to 25 users.

I have no shares in ioplex or Jespa.





Re: decouple authentication and authorization of TOMCAT

2009-09-14 Thread André Warnier

John Chen wrote:
...


I am also thinking using Apache Web Server to do the authentication and use 
tomcat for authorization, do you think it would work?


With the Apache/mod_jk/Tomcat combination it can, certainly.
There exists (I believe in the Connector element of Tomcat), an 
attribute tomcatAuthentication, which when set to false makes Tomcat 
accept the user-id authenticated by Apache as its own.

I do not know with other connectors.
But if this would be the only reason to put Apache in front of your 
Tomcat, it would be a lot of complication for that sole purpose.






Re: decouple authentication and authorization of TOMCAT

2009-09-14 Thread André Warnier

John Chen wrote:

Hi,

 


We have installed a third-party software running on tomcat. Is there
any way to decouple tomcat authentication and authorization? We have to
use AD for authentication and we are not encouraged to add groups to AD
just for the new software.

 


Any help would be appreciated.


Since you said any, here is mine :
I think you want to look at the following 2 things :
1) search Google for tomcat +securityfilter
2) http://www.ioplex.com, look at Jespa

As I understand it,
- Jespa will allow you to authenticate users based on their Windows 
Domain login
- securityfilter should then allow you to allow access or not, based on 
that prior authentication


(and, basically, you do not use Tomcat realm-based AAA)




Re: decouple authentication and authorization of TOMCAT

2009-09-14 Thread André Warnier

John Chen wrote:

Apache front-end will do the authentication, does tomcat still use 
tomcat-users.xml for the authorization part?

I am not quite sure.  I believe Tomcat's integrated AAA is pretty much 
an all-or-nothing proposition.  But maybe, if the request is 
authenticated by Apache beforehand, it may work, since after all the 
request is authenticated before Tomcat even hits the webapp.


What I do not know, is if Tomcat, having accepted the prior 
Authentication of the request, would still anyway check if this user-id 
is in a role which allows running the webapp, and if it would do this 
using the tomcat-users.xml database, even though it did not use it to 
authenticate the user.


Need an expert to confirm this.

Anyway, for production usage, it is not recommended to use 
tomcat-users.xml, and it would also be rather unpractical if you have 
many users : you would still need to list all your expected user-id's in 
tomcat-users.xml, with their respective roles.


I have been having this same kind of issue myself, fortunately with a 
very low ratio of users/tomcat, so I could find other workarounds.  But 
I am interested also in a more general solution, in case the need ever 
crops up.


Basically, I would present the problem as follows; (sorry if this is not 
very rigorous in Java or Servlet Spec or Tomcat terms) :
- in Tomcat's flavor of AAA, one can specify, in the web.xml of a 
webapp, which role a user has to belong to, to be allowed to run the 
webapp.  I suppose this is quite efficient, because Tomcat can read this 
in advance (when the webapp is deployed), and buffer it, so it does not 
have to check an external source at each request.
- however, this notion of role does not really extend beyond Tomcat, 
so one would have to map it to, for example, some attribute of the AD 
(or LDAP) record of the user, and then arrange for Tomcat to be able to 
determine if the current user-id is in that role.  (I believe there 
exists a method like ServletRequest.getRemoteUser().isUserInRole(role) 
or something of the kind).

If the answer is positive, the request gets through, otherwise it doesn't.

So the way I would see a practical solution, in a Windows Domain context 
(and in a platform-independent way) would be :
- first you need to authenticate the user and obtain a user-id.  This 
could be done via a front-end Apache, or via a servlet filter such as 
jCIFS or Jespa.
- then you would need something which, on the basis of the user-id, 
obtains a list of attributes of this user which can be mapped to Tomcat 
roles. For example, this could also be done at the front-end Apache 
stage, by accessing the user's AD directory record directly, and passing 
the corresponding attributes to Tomcat via request attributes or via 
added HTTP headers in the request. (*)
- then, at the Tomcat level, you would need to override the 
isUserInRole() method, so that it would compare the webapp's required 
role or roles, with these additional attributes or HTTP headers.


Of course, since by that time you are not really using the Tomcat AAA 
much anyway, you might as well bypass it completely and do your own form 
of authorization (via e.g. a servlet filter), based on any sort of 
group list your filter has access to.


I guess we should have a look at the securityfilter servlet filter, 
since it may already do something of the kind.


What I don't know and cannot comment on, is if the above kind of scheme 
would be easier to implement than creating a new Tomcat Realm which does 
all that. I am also not sure (because I'm too lazy to check right now) 
if a Tomcat Realm is specific to Tomcat, or part of the Servlet Spec and 
thus portable.



(*) and, to make this more efficient, you could save this in a cookie, 
so that on subsequent requests you can re-use it without re-looking up 
the AD record.
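
The scheme outlined in the message above (the front end authenticates and passes directory attributes, and the Tomcat side answers isUserInRole() from them), as an added example that is not code from this thread or from Tomcat. It assumes the javax.servlet API of the Tomcat 6 era and an AJP connector with tomcatAuthentication="false"; the class name FrontEndRoleFilter, the header name X-AD-Groups and the init-params mapping and requiredRole are hypothetical.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: answers isUserInRole() from the directory groups that the
 * authenticating front end passes along with each request.
 */
public class FrontEndRoleFilter implements Filter {

    // Hypothetical header name. The front end must remove or overwrite any
    // copy of it sent by the client, and the connector must be reachable only
    // from the front end; otherwise a client could grant itself roles.
    static final String GROUPS_HEADER = "X-AD-Groups";

    // Directory group (lower-cased) -> webapp role, from init-param "mapping".
    private final Map<String, String> groupToRole = new HashMap<String, String>();

    // Optional init-param: role needed to reach anything behind this filter.
    private String requiredRole;

    public void init(FilterConfig config) throws ServletException {
        // Hypothetical format: "TomcatAdmins=admin,Staff=user"
        String mapping = config.getInitParameter("mapping");
        if (mapping == null) {
            throw new ServletException("missing init-param 'mapping'");
        }
        for (String pair : mapping.split(",")) {
            String[] kv = pair.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty() || kv[1].trim().isEmpty()) {
                throw new ServletException("bad mapping entry: " + pair);
            }
            groupToRole.put(kv[0].trim().toLowerCase(Locale.ROOT), kv[1].trim());
        }
        requiredRole = config.getInitParameter("requiredRole");
    }

    /** Translate the front end's comma-separated group list into webapp roles. */
    Set<String> rolesFor(String groupsValue) {
        Set<String> roles = new HashSet<String>();
        if (groupsValue == null) {
            return roles;                       // no groups passed: no roles
        }
        for (String group : groupsValue.split(",")) {
            String role = groupToRole.get(group.trim().toLowerCase(Locale.ROOT));
            if (role != null) {
                roles.add(role);                // unmapped groups grant nothing
            }
        }
        return roles;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // With tomcatAuthentication="false" this is the user-id the front end
        // authenticated. No user-id means the request was never authenticated.
        if (request.getRemoteUser() == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        final Set<String> roles = rolesFor(request.getHeader(GROUPS_HEADER));

        // Filter-level authorization, independent of Tomcat's realm.
        if (requiredRole != null && !roles.contains(requiredRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // The webapp keeps calling isUserInRole(); the answer now comes from
        // the groups supplied by the front end instead of tomcat-users.xml.
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override
            public boolean isUserInRole(String role) {
                return roles.contains(role);
            }
        }, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

A filter only changes what the webapp sees when it calls isUserInRole(); security-constraint rules in web.xml are enforced by the container before any filter runs, so access rules that rely on this scheme belong in the filter itself.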





Re: Error 401 deploying war to Tomcat with Ant

2009-09-14 Thread André Warnier

Charl Gerber wrote:
..
Hi.
I am not really competent, but following the steps and symptoms you 
describe, the following scenario would fit :

- you initially installed Java
- then you installed Ant.  This Ant installation overwrote something the 
Java installation had done.

- then you de-installed Java and re-installed a new one.
This new Java re-overwrote whatever Ant had done before, and thus Ant 
does not work anymore


Conclusion : have you tried re-installing Ant ?

(and I have no idea what that implies, it is just a question)







Re: Error 401 deploying war to Tomcat with Ant

2009-09-14 Thread André Warnier

Charl Gerber wrote:
Nevermind 


Turns out oracle database had a web page running at same port (8080). Via web 
browser I correctly saw Tomcat, via ant task it went to oracle.

Stopped Oracle and all was back to normal. 


Hi.
I am not saying that my previous suggestion was any better, but (with 
respect) what you write above does not really seem to make sense. 
Either Oracle was listening on port 8080, or Tomcat was.  But both could 
not be at the same time.





Re: 64-bit connector issues on W2K8 IIS7

2009-09-14 Thread André Warnier

Jordan Michaels wrote:
..
Can't really help, never tried that combination.
But just by curiosity : is the IIS you are running, itself really a 
64-bit program ?
Also, there are I believe 2 versions of the 64-bit connector DLL : one 
for AMD processors, the other for Intel.  Did you pick the right one ?





Re: error listenerstart Tomcat 6.0.20

2009-09-15 Thread André Warnier

Sarah_Sh wrote:

Hi all,


Hi.
I have no idea about all the other stuff, but at least here there seems 
to be a small typo :



WARNUNG: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting
property 'relaodable' to 'false' did not find a matching property.


'relaodable' probably needs to be 'reloadable' somewhere.




Re: Create FileInputStream in servlet from remote file with accentuated character name

2009-09-17 Thread André Warnier

Christopher Schultz wrote:


Sylvie,

On 9/17/2009 9:12 AM, Sylvie Perrin wrote:

I have a shared directory on a windows system named SHAREDDIR and
containing one file named fichié.txt


Sylvie,
why do you not name your file fichier.txt, like it should be written 
in French ?  That would solve your problem immediately, save a lot of 
ink on this thread, and save you a lot of time in the end.


Seriously.

There are so many pieces that play their part between on the one side a 
browser that you do not control, on a workstation that you do not 
control, in the middle HTML and HTTP for which the default character set 
is iso-8859-1 and Java for which the internal character set is Unicode, 
a local Linux filesystem which is charset-agnostic, and on the other 
side a Windows system which stores its filenames in directories as 
Unicode, that you will never get a solution that is totally foolproof.
If you have to play with a web application which involves files on 
different platforms, stick with filenames that are purely made of 
US-ASCII characters.


André




Seriously now, let's start at the beginning.
You are, like many of us, the victim of these horrible English-speaking 
imperialists in the computer industry. They just don't understand 
alphabets with more than 27 letters, and get totally confused by our és 
and às and cédilles and sharfe s'eses. But since they got there first 
(mainly because of all the anti-competitive subsidies they gave to 
Boeing and GM), we are the ones who have to adapt.


So, you have a file, which on your Unix/Linux system looks like
/home/me/mountDir/fichié.txt.
Or, does it really ?

Try the following :
- open a console window on your Linux system
- enter the command locale -a, and find 2 result lines like :
fr_FR.iso8859-1
fr_FR.utf8
(or something similar, the point being to have one looking like it 
contains 8859-1 and the other looking like it contains utf8).


- now enter export LC_CTYPE=fr_FR.iso8859-1
(adapt this in function of what you found above with locale -a)

- now enter ls -l /home/me/mountDir/
How does the filename look like ?

- now enter export LC_CTYPE=fr_FR.utf8
(adapt this in function of what you found above with locale -a)

- now enter ls -l /home/me/mountDir/ again
How does the filename look like now ?

I would bet the file name looks different.

Now go to your Windows systems, open the Windows Explorer, and look at 
what this filename looks like.
Then on your Windows system, open a command window, navigate to the same 
directory, do a dir, and look at what the filename looks like.

A difference, also ?

Why is that ?
The filename itself did not change in the directory of your Windows system.

But the name of that file is going to look different, depending on how 
many layers of software there are between that directory entry and the 
process that uses that filename, and on the settings of each of these 
layers.


The above are simple cases, involving just a few layers : the original 
directory, the CIFS filesystem drivers on your Linux machine, the ls 
program itself, and the display interface between that program and your 
console.
Now you add Java and Tomcat on top of that, and you add HTTP, and you 
add URI encoding/decoding, and you add the browser, and you add the 
encoding of your html pages.


In other words, give it up.



I mount this shared directory on my Linux system with the following
command:

mount -t cifs -o iocharset=utf8 //IpWindows/SHAREDDIR /home/me/mountDir/

In a standalone Java application running on my Linux system, I can
create a FileInputStream from the file located in the remote directory
like this:

String mountPath = "/home/me/mountDir";
File[] list = new File(mountPath).listFiles();
File file = list[0];
try {
   FileInputStream fStream = new FileInputStream(file);
}
catch (FileNotFoundException e) {
   e.printStackTrace();
}


Can you have your standalone Java program print the following information:

1. The full path of the file
2. The values for these system properties:
   a. file.encoding
   b. sun.jnu.encoding


When I execute the same code in a servlet running on the same machine,
the call to FileInputStream constructor always throws a
FileNotFoundException because it doesn't recognize the é character in
the path of the file.


Please post the above values within your servlet environment, too.

Are you sure that it's because of the é, or is it because the user that
Tomcat is running under does not have permission to read that file?
Under what user /is/ Tomcat running?


Since I don't know what the problem is I have had a hard time tracking
down a solution online. I especially take care to follow all steps
described in the FAQ/CharacterEncoding parts of wiki. Here is my
configuration:

I set URIEncoding in my port 8080 connector to UTF-8 (I use this port to
execute my servlet)
Connector port=8080 protocol=HTTP/1.1
  connectionTimeout=2
  redirectPort=8443
  URIEncoding=UTF-8
  

Re: Virtual host configuration - best practise?

2009-09-19 Thread André Warnier

hepabolu wrote:
...


However, from the Tomcat docs I understand that any change to server.xml
requires a restart of Tomcat which would mean that the existing (non-dummy)
hosts which are already in production, i.e. up and running, will also be
taken offline. This is the heart of the problem...


Just as another look on the issue.

You mentioned previously that all the hosts run the same webapp, but 
that the configuration varies somewhat from host to host.
The applicability to your case depends a bit on how many distinct 
settings this means, but how about a setup like this :


- a front-end Apache, with VirtualHosts defined, and a mod_jk connector 
to the back-end Tomcat.  Adding a VirtualHost to Apache does not require 
a full Apache restart, just a reload of the configuration, which is less 
disruptive.

- in Tomcat, a single default virtual host, with a single webapp
- when an Apache VirtualHost proxies a request to Tomcat, it arranges to 
pass some request attributes to distinguish which Apache VirtualHost 
this was
- at the Tomcat level, the webapp reacts differently, not in function of 
its static setup, but in function of the request attributes it gets from 
Apache (this can be done with a servlet filter e.g.)


You can also have different webapps under Tomcat (one per virtual 
host), and have the front-end Apache, depending on the VirtualHost, 
proxy calls to the one or the other.  At the Tomcat level, adding a 
webapp (as opposed to adding a Host) does not require a restart.


This may be one case where the added complication of having an Apache 
httpd in front of Tomcat is justified.







Re: Create FileInputStream in servlet from remote file with accentuated character name

2009-09-21 Thread André Warnier

Sylvie Perrin wrote:

Christopher,

Here is the stack trace of the FileNotFoundException:

java.io.FileNotFoundException: /home/me/mountDir/fichi��.txt (No such file or 
directory)


Sylvie,

maybe what appears above shows the origin of the problem, and explains
what I was trying previously to tell you.
It is difficult to be sure, because (again) there are several layers of
encoding/decoding between your logfile, and how it may show up in this 
email.


The problem is not your problem per se.  You are not necessarily doing 
anything wrong. The problem is basically in the lack of a common 
standard between different OS'es and filesystem types, about how to 
represent filenames containing non-US-ASCII characters.


Below, I am trying to explain the root of the problem, concisely but 
fully.  It *is* a complex matter, that's why it is confusing.  But you 
are not alone in being confused or puzzled.  Unless one has had to deal 
with such issues many times, it is really easy to get confused, because 
in this case, what one sees is not necessarily what one gets.


Assuming that what I see above is also what you see in the logfile 
(fichi + 2 strange characters + .txt) :


- java is trying to open a file named fichi + 2 strange characters +
.txt
- these two characters *may* be the Unicode/UTF-8 encoding of the
character é (e with acute accent)
- but java is not finding that file (obviously)

Furthermore :
The file is really located on a Windows server.
The Windows directory where the file is located, is mounted through 
the CIFS filesystem, onto a local mountpoint on your (Linux) Java and 
Tomcat host.

On your Java/Tomcat host, Java is seeing the contents of this directory
*through* this CIFS filesystem mount.
In principle (but that is only an assumption here), the CIFS filesystem 
code (running on the localhost) shows this (remote) directory content to 
a local application as is, without making any character set translation.


Now Java (on your local system) is trying to find this file 
fichiXX.txt, and not finding it. (XX being the two unknown bytes)
That means that, on the remote system, this file fichiXX.txt does not 
exist.


If you connect to that remote system via, for instance, a Remote Desktop 
or a VNC console (or even from your local station, just browse this 
share through the Windows Explorer), and examine the content of that 
directory, you probably see a file named fichié.txt.


But that is only what you *see*, through whatever interface you use.
In reality, the é in this filename may (or may not) be encoded, in the 
Windows directory entry, as 2 bytes. Or it may be encoded with (for 
instance) a Windows 8-bit codepage, as a single byte.
If so, that is why Java, which is trying to find this é as 2 bytes, 
does not find it.


Now comes the difficult part :

To solve your problem thus, you have to make sure that when Java is 
looking for a filename which, from the Java point of view, contains an 
é character, this Java é *character* (whatever its representation is 
as bytes in Java), matches the byte representation of the é character, 
in the filesystem of the remote host where the file actually resides.


And the problem is, that these two systems (Java and your current 
platform) and the remote OS, do not necessarily agree on what this byte 
representation of an é character is.


For example, suppose you find the right set of measures that make your 
Java program find the file in the end.
Then, you replace the Windows fileserver by a Linux server, sharing its 
files through Samba.
Well, the problem may then show up again, because the encoding may be 
different again.
That is why I was recommending to stick to US-ASCII names.  It was not a 
joke.









Re: Security Constraint conflict

2009-09-21 Thread André Warnier

Caldarale, Charles R wrote:

From: Pid [mailto:p...@pidster.com]
Subject: Re: Security Constraint conflict

The logical union of 'no methods' and 'some methods' is 'some methods',
isn't it?  But...


Yes, except the spec says the operation is *not* a union when a constraint has no roles.  Rather 
than an or effect, a no-roles constraint does an and.  My interpretation 
for this instance is that the result should be that operations other than PUT, DELETE, TRACE, and 
OPTIONS are allowed for all requests other than those ending in *.xhtml.

I suggest that the Servlet Spec be revised by a German engineer, to the 
effect that everything not specifically allowed is forbidden.

That would make this all a lot less ambiguous.
;-)




Re: Create FileInputStream in servlet from remote file with accentuated character name

2009-09-21 Thread André Warnier

Sylvie Perrin wrote:

André,

Thank you for your help but I can't follow your main recommendation, ie. 
avoid using non US-ASCII names.
Actually, file names are part of information my servlet have to process 
and they cannot be changed.

I am not the owner of these names and I must deal with them.

Ok, then : who is creating those files inside the Windows directory, and 
how do they create them ? (using which tool ?).
This is important, to figure out if the process(es) creating these files 
are consistent, and if you can always expect a specific character 
encoding scheme for those file names.


Let me give you an example, as a tutorial :
- with Windows Explorer :
  - inside your shared directory, create a test sub-directory
  - in this directory, use the right mouse click to create a new text 
document. Name it, for example, fichié.txt. Notice that you did this, 
from your workstation, using your keyboard, and under Windows Explorer. 
 The file in the directory looks like it has the name fichié.txt, right ?
- now on that same server, you will need a console window, to open a 
Windows Command Window (the black DOS window).  In that command 
window, use cd to navigate to your test directory. When you are there, 
enter dir and look at the file list.  How does your file name look like ?

- in the same command window, create a new file by using this command :
echo Hello André > fichié-deux.txt
- do a dir. How does that one look like ?
- then go back to Explorer and compare the two filenames. Do they look 
the same ? (as far as the é s are concerned)
- now go back to your Tomcat host, and using cd, navigate to your 
Windows test directory (should be /mnt/).

- use the same command
echo Hello André > fichié-trois.txt
to create a file (from linux) on the Windows server.  Do an ls -l to 
see what it looks like from Linux.


Then again, compare the names in (1) the Windows Explorer, (2) the DOS 
command window and (3) your Linux window.  Is everything still consistent ?
If not (you see different names depending on the interface), make a 
table showing what the filenames look like in the 3 cases.

Also, under Linux, enter the command locale and note the result.

The above is the first step, and concerns only the filenames.  Next, you 
should have a look at file contents, and check if accented text words in 
the contents also look consistent or not.










Re: Create FileInputStream in servlet from remote file with accentuated character name

2009-09-22 Thread André Warnier

Christopher Schultz wrote:
...


What is the source of that file name? Is it hard-coded into your Java
code? If so, how? Did you just type fichié.txt into your .java file,
or did you use \uxyz syntax to specify the UNICODE character you intended?

If you are reading the filename from a remote client, then all the
request URI encodings and all that stuff are definitely relevant (in
spite of my previous statements to the contrary).


...
Honestly, I think the above should not be a problem. 

...
Christopher,

what I am trying to say is that such matters are horrible, because 
*everything* matters.


One cannot even be sure that the logfile message, as seen by the user 
and as pasted in the email to the list, and as further seen by the 
reader on this list, is really how the message is physically stored in 
the logfile.  That's because in-between, there can be umpteen layers of 
decoding/encoding which can make matters really confusing.
(Even the encoding used by the process which writes the logfile may 
matter, because fichié.txt may already have been re-encoded right there.)


Your note about making sure, in the source code of the program, that the 
filename is really made out of the bytes which the OP thinks it is made 
of, is a good example. If, to create this program source, one uses an 
editor which is set to save its files in the iso-latin-1 charset, then 
fichié.txt will be saved, in the program source, as a string of 10 
bytes.  Conversely, if one uses an editor set to save its files in 
Unicode/UTF-8, then this same string will be saved as 11 bytes (the é 
occupying 2 bytes).

Then comes the compiler..
I don't know how a Java compiler handles source code respectively saved 
as an iso-8859-1 encoded file, or as a UTF-8 encoded file. How does it 
tell the difference ? does it make assumptions based on the locale it is 
running under ?


About the creation and subsequent finding of a file :
Generally-speaking, filesystems are encoding agnostic, in the precise 
sense that :
- if on a given platform and with a given programming language, you 
arrange for a string variable S to contain a precise series of bytes 
(for example, the UTF-8 encoding of the string fichié.txt, 11 bytes long)
- if you then use that variable as the name of a file which you create 
on disk
- then no matter where this file directory ultimately resides, the name 
of the file in it will generally be these same exact 11 bytes.
- if you then, from the same platform and using the same programming 
languages, use this same variable A as the name of a file which you try 
to open, it will work.


However, as soon as you deviate from the strict case above, what looks 
to you like fichié.txt /may/ not be the same series of bytes anymore, 
and that's where the problems start.


How the filename will look like is however another matter, depending 
on what you use to display it and from where you do it.


In the case of Sylvie (and I am talking here about the final issue she 
is trying to handle, not just about the test case)


- presumably, some (other) users and/or applications, running on some 
(other) platform and using some (other) tools, are creating files inside 
of a Windows host's directory.
One item of interest here would be to know how these files are created, 
and if that process is consistent (meaning, are these files always 
created by the same programs, running always on the same platform, using 
the same encoding etc..).  That is to make sure that when a file named 
fichié.txt is created there by whatever, it will always be created the 
same way, with a name of either 10 or 11 bytes (it does not matter 
which, just that it be consistent).


- then, some program created by Sylvie, has to access that directory, 
and pick up files from there.  So this program may have to know how a 
filename fichié.txt will be encoded in that directory (either as 10 or 
11 bytes). It also does not matter which, as long as Sylvie's program 
has a way to consistently spell this name correctly.


The problem is generally unsolvable, if the original entry in the 
directory can be created in several ways, because there are multiple 
agents capable of creating it, and these agents use inconsistent encodings.


The issue can be simpler, if Sylvie's program just opens the directory, 
reads the filenames that it finds there (whatever their encoding is), 
into some variable, and then just uses this variable as the filename to 
open the file and that's it.
But if, in Sylvie's program, the filename itself has to be compared to 
some pre-defined other string stored in the program, and some action 
taken or not whether it is considered equal or not, then there may be a 
problem.


Yet another aspect to consider, is whether Sylvie is really testing the 
right thing.
For instance, when Sylvie runs her Java test program, she does this from 
inside a Linux session, which is set for a specific locale.
However, the Tomcat server may well be started under a different 

Re: Create FileInputStream in servlet from remote file with accentuated character name

2009-09-22 Thread André Warnier

Sylvie Perrin wrote:

André,

I follow your tutorial and all outputs in Windows Explorer, DOS Command 
Window and Linux Window are consistent concerning file names display.

That's good.



For locale set under Linux, here is the output:

LANG=fr_FR.UTF-8
LC_CTYPE=fr_FR.UTF-8
LC_NUMERIC=fr_FR.UTF-8
LC_TIME=fr_FR.UTF-8
LC_COLLATE=fr_FR.UTF-8
LC_MONETARY=fr_FR.UTF-8
LC_MESSAGES=fr_FR.UTF-8
LC_PAPER=fr_FR.UTF-8
LC_NAME=fr_FR.UTF-8
LC_ADDRESS=fr_FR.UTF-8
LC_TELEPHONE=fr_FR.UTF-8
LC_MEASUREMENT=fr_FR.UTF-8
LC_IDENTIFICATION=fr_FR.UTF-8
LC_ALL=


That's good too.



I just remind that I have these lines in my tomcat auto-start script :
LC_ALL=fr_FR
export LC_ALL

This, you should probably change, to be the same as your own locale 
fr_FR.UTF-8 above.




André Warnier a écrit :


The problem is generally unsolvable, if the original entry in the 
directory can be created in several ways, because there are multiple 
agents capable of creating it, and these agents use inconsistent 
encodings.

That's my case.
Actually, entries in the Windows shared should become from everywhere, 
with I suppose various encoding. In fact, files I need to process are 
stored in an external support (CD, USB...) and under Windows, I share 
the corresponding drive. Then, this shared drive becomes the directory I 
mount under my Linux system.
Note that it is a key requirement having the external support loaded 
under Windows system ONLY.
The issue can be simpler, if Sylvie's program just opens the 
directory, reads the filenames that it finds there (whatever their 
encoding is), into some variable, and then just uses this variable as 
the filename to open the file and that's it.

I don't understand your point ?
I just try to open my file and read it with a FileInputStream.

All right.  Let me see if I understand correctly your basic issue (not 
the test program, but the real application you need to create).


- miscellaneous agents create files, on some media, which is later 
connected to a Windows system and becomes a shared directory.
You do not control these agents, nor the file names that they choose to 
put there.


- your application, running (later) under Tomcat, is supposed to read 
these files and do something with them.


I suppose that you do not know in advance, what the names of these files 
will be, and you just have to take what is there. Is that correct ?







Re: [ANN] Compile Tomcat Web apps into native Windows/Linux executables (beta)

2009-09-22 Thread André Warnier

Leon Rosenberg wrote:
...

As for preventing decompilation, how many people/companies are
actually delivering a war which they need to protect from decompiling?
How many people would install such a product, one they can't configure
anymore, one that is even infectable by viruses?

This just sounds plain wrong :-)


Leon,
I can't comment on the speed aspect etc..
But I have a number of corporate customers who have sub-contracted their 
IT infrastructure to an external service company.
In my experience these external people then, usually, tend to adopt the 
umbrella attitude, whereby they want every other external software 
supplier to supply their software in a manner that will cause themselves 
the least work and the least trouble.  In other words, their ideal is 
that the software be delivered in the form of a single executable, 
pre-parameterised so that they don't even have to choose options in an 
installer, and that they would not bear any responsibility if anything 
should not work as expected.
They are certainly not interested in even having to think about tricky 
customising options.

I am not saying that these are my preferred kind of customers.
(I prefer smart ones, up to a point).
But this is a use case for the proposed package, it seems to me.





Re: Create FileInputStream in servlet from remote file with accentuated character name

2009-09-22 Thread André Warnier

Christopher Schultz wrote:
...



Then of course, after the above trivial matter of the filename is
resolved, one may have to tackle the matter of how the file contents are
encoded.


At least the programmer has some measure of control over that.


Not if she doesn't know what they have been created with though.
But let's leave that for a later stage, and first deal with the filenames.




Re: Create FileInputStream in servlet from remote file with accentuated character name

2009-09-22 Thread André Warnier

Sylvie Perrin wrote:
...
- your application, running (later) under Tomcat, is supposed to read 
these files and do something with them.


I suppose that you do not know in advance, what the names of these 
files will be, and you just have to take what is there. Is that correct ?

You perfectly understood requirements of my real application.
I know that I will expect others wonderful problems :-)


Ok, then we need Christopher's Java knowledge now.
Christopher, how does one, in Java, read a directory item by item ?
We need this kind of thing :

- open the directory
- while (variable fn = next directory item) {
   - next if item is not a regular file
   - open the file named fn
   - do something to that file
   - close the file
   - delete the file ?
   }
- close the directory

And (just to anticipate the next issue), Sylvie, does your program 
actually need to read the content of the file and do something with that 
content ?







Re: Deploying Tomcat on Windows CE

2009-09-22 Thread André Warnier

Ajay Kapur wrote:

Hi,

We have a web application that runs on Tomcat 6x. We want to deploy this 
application on a symbol MC 3090 device running windows CE as the OS. Would it 
be possible to deploy Tomcat 6x on Windows CE and run our application on that?


Probably.  How much are you willing to pay ?





Re: Create FileInputStream in servlet from remote file with accentuated character name

2009-09-22 Thread André Warnier

Christopher Schultz wrote:
...


I wonder if Java uses the file.encoding system property (which is set by
the portion of $LC_ALL after the .) to convert bytes returned from the
filesystem into filenames and vice versa.

Yeah, that appears to be the case:


Christopher,
your detailed analysis is impressive and undoubtedly accurate, but 
beyond what I can swallow right now in Java and after 2 glasses of 
Spanish wine.

So let me ask a simple question :
- a file named fichié.txt has been created in a directory, by a 
process that spoke iso-8859-1 (so the filename is 10 bytes long).
- a Tomcat runs in a process whose locale is set to UTF-8, and an 
application inside this Tomcat reads the filename from the directory 
into a Java String variable S.

What happens ?
- does the application get an exception due to invalid encoding ?
- if not, why not ?
- if not, what is now the content, in bytes, of variable S ?
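
[Added example, not part of the original message or of the Tomcat code base.] A model in Java of the case asked about above: a name stored as ISO-8859-1 bytes, decoded by a process that expects UTF-8, then re-encoded to open the file. It assumes the JVM converts file names with a single platform charset in both directions; the class and method names are illustrative.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class FilenameRoundTrip {

    /** Space-separated hex of a byte array, to compare names byte by byte. */
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x ", b & 0xff));
        }
        return sb.toString().trim();
    }

    /**
     * Models a reader that decodes directory-entry bytes with one charset and
     * re-encodes the resulting String with the same charset to open the file.
     * Returns true when the bytes sent back equal the bytes that were stored.
     */
    static boolean survivesRoundTrip(byte[] stored, Charset readerCharset) {
        // new String(byte[], Charset) never throws: byte sequences that are
        // malformed in readerCharset are replaced with U+FFFD.
        String seen = new String(stored, readerCharset);
        byte[] sentBack = seen.getBytes(readerCharset);
        System.out.println("  stored   : " + hex(stored));
        System.out.println("  seen as  : " + seen.length() + " chars");
        System.out.println("  sent back: " + hex(sentBack));
        return Arrays.equals(stored, sentBack);
    }

    public static void main(String[] args) {
        // The accented letter is written as an escape so that the result does
        // not depend on the encoding this source file is saved in.
        String name = "fichi\u00e9.txt";
        byte[] latin1 = name.getBytes(StandardCharsets.ISO_8859_1);
        byte[] utf8 = name.getBytes(StandardCharsets.UTF_8);
        System.out.println("ISO-8859-1 form: " + latin1.length + " bytes");
        System.out.println("UTF-8 form     : " + utf8.length + " bytes");

        System.out.println("ISO-8859-1 entry, UTF-8 reader:");
        System.out.println("  round trip ok: "
                + survivesRoundTrip(latin1, StandardCharsets.UTF_8));

        System.out.println("UTF-8 entry, UTF-8 reader:");
        System.out.println("  round trip ok: "
                + survivesRoundTrip(utf8, StandardCharsets.UTF_8));

        // The name displays wrongly here, yet the bytes survive, because
        // every byte value maps to exactly one ISO-8859-1 character.
        System.out.println("UTF-8 entry, ISO-8859-1 reader:");
        System.out.println("  round trip ok: "
                + survivesRoundTrip(utf8, StandardCharsets.ISO_8859_1));
    }
}
```

Only the first case loses information: the lone 0xE9 byte is not valid UTF-8, so the name sent back to the filesystem no longer matches the stored one.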







Re: Create FileInputStream in servlet from remote file with accentuated character name

2009-09-23 Thread André Warnier

Christopher Schultz wrote:
...


I dunno. This is pretty ugly. Again, setting everything to UTF-8
dramatically reduces headaches in these areas.


Thanks, Christopher.
I fully agree.




Re: accesing webapplication without the web context

2009-09-24 Thread André Warnier

rama.honge wrote:
Hi, 


Want to know how to access a webapp without using the context in the url in
tomcat 6.0
for ex: 
Instead of using http://myserver.com/TestApp, it should be accessible with

http://myserver.com

There is only one web application deployed in tomcat.

Any help on this much appreciated..



See :
http://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application_.3F





Re: Create FileInputStream in servlet from remote file with accentuated character name

2009-09-24 Thread André Warnier

Sylvie Perrin wrote:

Christopher, André,

Christopher Schultz a écrit :



And (just to anticipate the next issue), Sylvie, does your program
actually need to read the content of the file and do something with that
content ?



Yeah, remember to use a Reader and specify the character encoding.
  
Yes, my program needs to do something with the content of files of the 
shared Windows directory.
Actually, the main action is to parse each file and read content 
through an InputStreamReader(new FileInputStream(file)).


According to what Christopher says, I need to always specify the 
character encoding, so doing InputStreamReader(new 
FileInputStream(file), encoding)



Yes.
If you know that all the files dropped there will be UTF-8 encoded, then 
specify UTF-8 as the encoding.
The problem is that, if you do not control who puts files there or how, 
then at some point you may encounter a file whose content is encoded in, 
say, iso-8859-1 instead of UTF-8.  In that case, at some point your 
InputStreamReader may trigger an exception (when it encounters something 
that is not valid UTF-8).

You have to be prepared to deal with that.

The general point of this all is : as long as the whole computing world 
will not have agreed to use Unicode/UTF-8 encoding everywhere (in 
directories, in text files, in URLs, in program source code,..), dealing 
with a priori unknown directory entries and text files is messy, and 
without additional constraints on the clients or additional information 
provided separately, there is no 100% sure way to determine what you are 
going to get.


If as you indicate above, you are being asked to parse these files, 
then I suppose that they must have some pre-defined form.  Does that 
form also impose a given character set and encoding ? If not yet, I 
strongly suggest that you try to add this to the requirements, because 
otherwise the application will be unreliable.  Not because your programs 
would be bad, but because it is just impossible to be 100% reliable in 
such cases.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
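For the reply above on reading dropped files of unknown encoding, an added example (not code from the thread): an InputStreamReader built from a charset name substitutes U+FFFD for invalid bytes, so getting an error on non-UTF-8 content takes a decoder set to REPORT. The class and method names are this example's own, and the sample bytes are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public class StrictDecodeDemo {

    /** Reader that fails on bytes that are invalid in cs instead of substituting U+FFFD. */
    static Reader strictReader(InputStream in, Charset cs) {
        CharsetDecoder decoder = cs.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        return new InputStreamReader(in, decoder);
    }

    static String readAll(Reader reader) throws IOException {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[1024];
        int n;
        while ((n = reader.read(buf)) != -1) {
            sb.append(buf, 0, n);
        }
        return sb.toString();
    }

    /** Returns the text if the bytes are valid UTF-8, or null so the caller can reject the file. */
    static String decodeUtf8OrReject(byte[] content) throws IOException {
        try (Reader r = strictReader(new ByteArrayInputStream(content), StandardCharsets.UTF_8)) {
            return readAll(r);
        } catch (CharacterCodingException e) {
            return null; // not UTF-8: quarantine or report the file, do not parse it
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the word "été" encoded as UTF-8 and as ISO-8859-1.
        byte[] utf8 = {(byte) 0xC3, (byte) 0xA9, 't', (byte) 0xC3, (byte) 0xA9};
        byte[] latin1 = {(byte) 0xE9, 't', (byte) 0xE9};

        // Lenient reader: no exception, the invalid bytes silently become U+FFFD.
        String lenient = readAll(
                new InputStreamReader(new ByteArrayInputStream(latin1), StandardCharsets.UTF_8));
        System.out.println("lenient result contains U+FFFD: " + (lenient.indexOf('\uFFFD') >= 0));

        // Strict reader: valid UTF-8 passes, ISO-8859-1 bytes are rejected.
        System.out.println("strict, UTF-8 bytes accepted: " + (decodeUtf8OrReject(utf8) != null));
        System.out.println("strict, ISO-8859-1 bytes rejected: " + (decodeUtf8OrReject(latin1) == null));

        // The reverse check cannot work: every byte sequence is valid ISO-8859-1,
        // so UTF-8 content read as ISO-8859-1 decodes without error into 5 wrong characters.
        String wrong = readAll(strictReader(new ByteArrayInputStream(utf8), StandardCharsets.ISO_8859_1));
        System.out.println("UTF-8 bytes read as ISO-8859-1: " + wrong.length() + " chars, no error");
    }
}
```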



Re: Apache/Tomcat with SSL

2009-09-28 Thread André Warnier

Miguel Ortiz wrote:
...

[u...@localhost conf.d]# tail -f /var/log/httpd/ssl_error_log
[Mon Sep 28 08:51:41 2009] [error] [client xxx.xxx.xxx.xxx] File does not 
exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 08:51:44 2009] [error] [client xxx.xxx.xxx.xxx] File does not 
exist: /var/lib/tomcat5/webapps/favicon.ico
[Mon Sep 28 09:03:04 2009] [error] [client xxx.xxx.xxx.xxx] Directory index 
forbidden by Options directive: /var/lib/tomcat5/webapps/


Nothing to do, I think, with your problem, but it would seem from the above 
that you have configured your Apache front-end with something like


DocumentRoot /var/lib/tomcat5/webapps

which, in principle, is not a good idea.
What do you get in your browser when you request
http://your-hostname/ROOT/WEB-INF/web.xml

(or with https:// as the case may be)
?





Re: Apache/Tomcat with SSL

2009-09-28 Thread André Warnier

Miguel Ortiz wrote:

André,

This server was configured by our web development contractors. I was only tasked with setting up the SSL. When I go to the specified URL, firefox throws a server not found. 



When I mentioned the URL
http://your-hostname/ROOT/WEB-INF/web.xml
I meant for you to replace the your-hostname part by your own host's name.
:-)

Also, basically I think that this discussion belongs more to the Apache 
user's list, than Tomcat's, because it seems that the SSL part is done 
at the Apache httpd level, not at Tomcat's level.
It is also not easy to just add SSL to an Apache httpd, if this Apache 
httpd uses VirtualHosts.


In the first responses to your first post, some very relevant questions 
were asked, which I don't think you have answered fully yet.  It is 
difficult for someone to help you with the partial information you have 
supplied so far.  Tell us :

- on which platform (OS) this is running
- how Apache httpd and Tomcat are connected together (using mod_jk, 
mod_proxy_ajp, or mod_proxy_http?)
- is (was) your Apache httpd configured with multiple VirtualHost 
sections ?
- can you append your main Apache httpd configuration file (httpd.conf 
or apache2.conf, depending on platform).  Don't put it as an attachment, 
because chances are this list will strip it. Paste it right into your 
message.

- what exactly did you add, and where, to add the SSL capability ?









Miguel Ortiz
Network Engineer
x4818
wk: 954-331-4818
bbry: 954-649-1863
miguel.or...@macneillgroup.com





[OT] Re: How to check if the client dropped the connection

2009-09-28 Thread André Warnier

Martin Gainty wrote:

could you explain just a bit more what is a tile?


http://en.wikipedia.org/wiki/Tile

It's the same idea, but for images.





Re: How to check if the client dropped the connection

2009-09-29 Thread André Warnier

aaime74 wrote:
...
Hi.
Kind of restarting from the beginning, I think that the first question 
to ask is whether whatever method which actually does the rendering of 
the maps, and which is heavy in terms of resources, is capable of 
being interrupted cleanly in the middle.  Is it capable itself of 
checking regularly if it should continue doing the work ? Or else, if 
you shoot it down does it mop up after itself, or does it leave stuff 
to clean up all over the place ?


From an overall design point of view, it seems to me that you have two 
very different types of processes going on : the first type is the 
management of the HTTP requests, connections, protocol, etc.., which is 
something that should be efficient, light-weight and quick, should 
detect (whenever possible) that the client has broken the connection and 
so on.  That part should also serve the response to the client, when the 
full response is ready as a static object on disk e.g.
The second part is the generation of that content, which by its nature 
is slow and heavy, but has a very simple interface (create this 
content; stop right now; ..).


Personally, I would tend to try to separate the two parts, and create a 
separate process to handle the content generation, a bit like a database 
back-end.  It seems to me that it would then be easier to wrap this 
process in a simple management wrapper which can interrupt the content 
generation when receiving some signal from the first part, and cleanup 
properly, without tying up resources useful to the HTTP part in the 
meantime.
Such a separation may also simplify aspects such as caching of 
previously generated content, or load-balancing several content generators.


Maybe you should have a look at Apache MINA for the content-generation 
side ? (http://mina.apache.org/)


The (whenever possible) above refers to the fact that a number of 
things outside of your control can come in the way of such detection : 
proxies, firewalls and the like.  If the ultimate client breaks the 
connection, it is not guaranteed that Tomcat itself would notice this 
right away.





Re: How to check if the client dropped the connection

2009-09-29 Thread André Warnier

aaime74 wrote:
...


Ok, but let's say Tomcat is capable of that. How does one check from
within the servlet that the connection has been dropped without writing
out anything? 


I have been looking (starting at the HttpServletResponse object), trying 
to follow the trail to see if one at some point can get hold of some 
Connection object which would have some isConnected property. No 
luck so far, but I am really not a java expert.


What I've tried so far is trying to block on the input stream
provided by the Http request and hoping it would throw an exception if
the client drops the connection, but that does not work, the input
stream just returns -1 to any read operation no matter if the client
is still connected or not.


Yes, but that is because each TCP connection really consists of two 
separate parts or sides. For each actor (server and client), there is 
one part that is the incoming connection, and another separate part that 
is the outgoing connection (the sides being crossed-over in the middle 
for the server and the client).
Each actor can close its own incoming or outgoing connection, 
independently, without warning to the other part. (E.g., suppose it just 
crashes). When that happens, the other side of that connection is left 
dangling : basically, it does not know that the other side is gone, 
until it tries to send something on that connection, and the TCP stack 
(deep down in the bowels of the underlying OS) returns an error, which 
then filters back up all the way to your java OutputStream object.


In your case, what matters to you is the response output stream, not the 
input stream, which could have been (validly) closed by the client 
already, if it has no further use for it.
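The behaviour described in the reply above, reproduced with plain sockets on the loopback interface as an added example (not code from the thread, and not a servlet): a read returning -1 only says the peer closed its sending direction, and a vanished peer shows up only as a failed write. Class and method names are this example's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class HalfCloseDemo {

    /** Writes small chunks until the TCP stack reports an error; returns the number of
     *  writes that succeeded before the failure, or -1 if no failure was seen. */
    static int writesBeforeFailure(OutputStream out, int maxWrites) throws InterruptedException {
        byte[] chunk = new byte[512];
        for (int i = 0; i < maxWrites; i++) {
            try {
                out.write(chunk);
                out.flush();
            } catch (IOException peerGone) {
                return i;
            }
            Thread.sleep(100); // leave time for the peer's reset to come back
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        try (ServerSocket listener = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
             Socket client = new Socket(listener.getInetAddress(), listener.getLocalPort());
             Socket server = listener.accept()) {

            // The client sends its request, then closes only its outgoing direction.
            client.getOutputStream().write("GET /map HTTP/1.0\r\n\r\n".getBytes(StandardCharsets.US_ASCII));
            client.shutdownOutput();

            // The server reads the request up to end-of-stream.
            InputStream in = server.getInputStream();
            while (in.read() != -1) {
                // drain
            }
            System.out.println("server read() = -1 while the client is still connected");

            // The other direction is still open: the client receives what the server sends.
            server.getOutputStream().write("partial".getBytes(StandardCharsets.US_ASCII));
            server.getOutputStream().flush();
            byte[] buf = new byte[16];
            int got = client.getInputStream().read(buf);
            System.out.println("client received " + got + " bytes after its half-close");

            // Now the client really goes away.
            client.close();

            // The input side tells the server nothing new: still -1, exactly as before.
            System.out.println("server read() after client close = " + in.read());

            // Only writing reveals it, and not necessarily on the first write.
            int ok = writesBeforeFailure(server.getOutputStream(), 20);
            System.out.println("writes that succeeded before the IOException: " + ok);
        }
    }
}
```

The number of writes that succeed before the exception depends on the operating system's TCP stack; what matters is that it is the write, not the read, that fails.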







Re: IIS, Tomcat, JNDI and ActiveDirectory

2009-09-29 Thread André Warnier

Hi Joerg.
The following remarks are more a question from me, than an answer to 
you. I am interested also in a real answer from someone who really knows..


Buchner, Joerg [T0I] (VW Sachsen) wrote:

Hi,

I've got a Microsoft IIS 6.0 Webservice.
Behind the IIS is an Apache Tomcat 5.5.26 (connected via ISAPI and
AJP/1.3) protocol.

In the IIS Integrated Windows Authentication is enabled.


Ok, so IIS authenticates the user's browser session, and gets a Windows 
Domain user-id.
Then the AJP protocol passes this user-id to Tomcat (presumably as a 
request attribute).




On server.xml tomcatauthentication is set to false.


All right, so Tomcat believes the user-id as it is given by AJP, and 
sets this in its own internal UserPrincipal structure.



Also I've configured a JNDI REALM:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://:389/;"
       connectionName="*"
       connectionPassword="*"

       userBase="OU=**,OU=,OU=**,DC=**,DC="
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       userRoleName="memberOf"

       roleBase="OU=**,OU=**,OU=**,OU=**,OU=*,DC=*,DC=*"
       roleName="name"
       roleSubtree="true"
       roleSearch="(cn={0})"
/>



Does the above not *interfere* with what you are trying to do, more than 
it helps ?
I mean, you already have an authenticated user-id, of which you are sure 
that it is in the AD directory.  All that is needed now, is to get from 
AD, whatever fields that contain the role-name(s) which we are looking 
for, and compare with what we want to allow for this webapp.
Do the roles or groups, as understood by AD, match the roles as 
understood by Tomcat ?



in the web.xml of Tomcat (/conf/web.xml) i've configured an
security-constraint:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Test</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>some_ad_role_name</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <description>Only 'tomcat' role is allowed to access this web
  application</description>
  <role-name>some_ad_role_name</role-name>
</security-role>




As far as I understand, with the above, Tomcat is going to issue a 
HttpServletRequest.isUserInRole(some_ad_role_name) call, and only 
allow access if the response is true.

Is that going to work in this case ?
It is not very clear (to me at least), what this isUserInRole() is going 
to refer to.



Now,
I'd like to realize, that Tomcat gives access only to users,
which are in one Active Directory Group detected on IIS.



Since you already receive an authenticated user-id from IIS (but only a 
user-id), I would do the rest with a servlet filter wrapping your 
application (and allowing access or not depending on what it finds in AD 
for this user), rather than with the standard Tomcat declarative 
security model.


But maybe that's only my own ignorance speaking.





Re: AW: IIS, Tomcat, JNDI and ActiveDirectory

2009-09-29 Thread André Warnier

Hi Joerg.

To clear up a bit, you are talking about 2 distinct aspects : 
Authentication and Authorization.


Authentication = to find out who the user is
Authorization = when we know who the user is, determine if he has or not 
the authorization required to access some resource (in this case, some 
Tomcat webapps or JSP pages).



With the Integrated Windows Authentication Tomcat gets only authenticated AD 
Users.

Right.  And that solves the Authentication part : your users will not 
have to enter their login again, to access Tomcat-based applications.

Tomcat already knows who they are. (*)

Unfortunately, IIS+AJP do not pass to Tomcat the names of the Windows 
groups to which this user belongs.  They pass only the user-id.



But the problem is another:

The SourceCodes (JSP/Servlets) are secured with NTFS rights on filesystem.
(Windows Server 2003 x64)
I've tried to secure the whole application with NTFS Rights,
but the NTFS ACL does not work for JSP Files.



In fact, you should not look at the JSP files as files.  *Nobody* should 
have access to these files, as files, except Tomcat.  Tomcat reads these 
files, and compiles them into executable java code, and they then become 
web applications (in short webapps) in memory.
(To enforce the above, you can make these JSP files belong to the local 
user-id on your Tomcat server which is used to run Tomcat, and forbid 
anyone else from accessing them (except you)).


The point is now that you want to control who can have access to the 
webapps that Tomcat creates from these pages.

That is a matter for Tomcat, and for nobody else.
Tomcat does not care about the NTFS permissions of the JSP files (as 
long as it can read them itself).  Tomcat cares only about the compiled 
webapps in memory, and who can call them.
And Tomcat cares about that from a purely Tomcat point of view, not from 
an NTFS or Windows point of view.  In fact, Tomcat has no idea of what 
an authorized Windows Domain user is, or an AD user.

Tomcat also has no idea of what an AD or Windows group means.
It cares only about Tomcat user-id's, and maybe Tomcat roles 
associated to these user-id's.


The point is, you are trying to combine two different worlds : one is 
the proprietary, single-platform world of Microsoft Windows Domain 
authentication and group membership and NTFS file permissions based on 
that; the other one is the open-source, multi-platform world of Java 
servlets and Tomcat, and access to webapps.
These worlds do not fit together perfectly, so you have to make some 
adjustments.
(Just like if you wanted to fit a Porsche engine in a Polo, you would 
have to make a special gearbox ;-)).


So your problem is that you want (either/or) :

(a) to translate some AD/Windows attribute/group of an AD/Windows 
user-id, into something that Tomcat can understand (Tomcat roles) and 
then let Tomcat use its built-in role-based security model to allow or 
not access to the webapps.


OR

(b)(different thing), to bypass the role-based built-in security of 
Tomcat, and give access or not to the webapps, based on these AD 
attributes of the user, using some other mechanism.


For (a) above, what you have to achieve is that when Tomcat calls 
isUserInRole(some_AD_attribute), the response comes back as true or 
false, appropriately.
Maybe there is some standard Tomcat+AD method that can be used to do 
that.  I really don't know, but maybe someone else on the list knows.


For (b), you could use a servlet filter.  This servlet filter would 
need to take the Tomcat user-id (the same as the one obtained from IIS 
and passed to Tomcat by the AJP module and accepted by Tomcat as its 
own), build a connection to the AD system, and retrieve the group 
attributes of this user in AD.  Then, the servlet filter would compare 
these groups (as strings) to one or more strings contained in some 
filter configuration parameter (init-param in web.xml), and decide if 
it lets this call go through to the webapp, or not.
A servlet filter does not modify the application in any way.  It is a 
separate java module, and it installs on top of an existing 
application.  The application does not even know that it is there.


I don't know which solution between (a) and (b) above is simpler. 
Writing a servlet filter like above is not very complicated.

It may even exist already.
One issue with this, would be that you should save the result of the 
user lookup in AD (in the Tomcat session or in a cookie), to avoid 
having to do the same lookup at each new request of the same browser, 
otherwise it would be quite inefficient.


I hope this helps.


(*) there are other methods to achieve that, not depending on a 
front-end IIS, and where Tomcat obtains the user-id directly from the 
browser and the Windows DC (just like IIS does). See www.ioplex.com for 
one such solution.
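Option (b) from the two replies above, sketched as an added example (not code from the thread or from Tomcat): a servlet filter that takes the user-id Tomcat received from IIS, reads that user's memberOf values from AD over JNDI, compares them as strings with a configured list, and caches a positive result in the session. The class name and init-param names (allowedGroupDns, userBase, ldapUrl, bindDn, bindPassword) are hypothetical, the DOMAIN\user form of the user-id is an assumption, and it uses the javax.servlet API of the Tomcat versions discussed here.

```java
import java.io.IOException;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: lets a request through only if the user is in an allowed AD group. */
public class AdGroupFilter implements Filter {
    private static final String CACHE_ATTR = AdGroupFilter.class.getName() + ".allowedUser";
    private final Set<String> allowedGroupDns = new HashSet<String>();
    private final Hashtable<String, String> ldapEnv = new Hashtable<String, String>();
    private String userBase;

    public void init(FilterConfig cfg) throws ServletException {
        // Group DNs are separated by ';' because DNs themselves contain commas.
        for (String dn : param(cfg, "allowedGroupDns").split(";")) {
            allowedGroupDns.add(dn.trim().toLowerCase(Locale.ROOT));
        }
        userBase = param(cfg, "userBase");
        ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        ldapEnv.put(Context.PROVIDER_URL, param(cfg, "ldapUrl")); // ldaps:// so the bind is encrypted
        ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        ldapEnv.put(Context.SECURITY_PRINCIPAL, param(cfg, "bindDn"));
        ldapEnv.put(Context.SECURITY_CREDENTIALS, param(cfg, "bindPassword"));
    }

    private static String param(FilterConfig cfg, String name) throws ServletException {
        String v = cfg.getInitParameter(name);
        if (v == null || v.trim().isEmpty()) {
            throw new ServletException("missing init-param " + name);
        }
        return v.trim();
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String user = req.getRemoteUser(); // the user-id passed on by IIS through AJP
        if (user == null) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        HttpSession session = req.getSession(true);
        // Positive results are cached server-side in the session, tied to the user-id,
        // so AD is queried once per session and not once per request.
        if (!user.equals(session.getAttribute(CACHE_ATTR))) {
            boolean allowed;
            try {
                allowed = isInAllowedGroup(samAccountName(user));
            } catch (NamingException e) {
                // Directory unreachable or query failed: deny instead of letting the call through.
                session.getServletContext().log("AD lookup failed for " + user, e);
                res.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
                return;
            }
            if (!allowed) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            session.setAttribute(CACHE_ATTR, user);
        }
        chain.doFilter(rq, rs);
    }

    /** Assumes the user-id arrives as DOMAIN\\user; keeps the part after the last backslash. */
    static String samAccountName(String remoteUser) {
        return remoteUser.substring(remoteUser.lastIndexOf('\\') + 1);
    }

    private boolean isInAllowedGroup(String sam) throws NamingException {
        DirContext ctx = new InitialDirContext(ldapEnv);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            // The user-id is passed as a filter argument, never concatenated into the filter string.
            NamingEnumeration<SearchResult> hits =
                    ctx.search(userBase, "(sAMAccountName={0})", new Object[] {sam}, sc);
            if (!hits.hasMore()) {
                return false;
            }
            Attribute memberOf = hits.next().getAttributes().get("memberOf");
            if (memberOf == null) {
                return false;
            }
            // memberOf holds the DNs of direct groups only (no nested groups, no primary group).
            NamingEnumeration<?> groups = memberOf.getAll();
            while (groups.hasMore()) {
                if (allowedGroupDns.contains(groups.next().toString().toLowerCase(Locale.ROOT))) {
                    return true;
                }
            }
            return false;
        } finally {
            ctx.close();
        }
    }

    public void destroy() { }
}
```

The filter is declared and mapped in the webapp's web.xml with the five init-params above; the application code itself is not changed.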




Re: errors after install

2009-09-29 Thread André Warnier

Daniel Wittenberg wrote:

I'm setting up spacewalk, all default settings, and I'm getting this in
the catalina.out.  Any ideas ?

Sep 29, 2009 7:19:34 PM com.mchange.v2.resourcepool.BasicResourcePool
$AcquireTask run
WARNING: com.mchange.v2.resourcepool.BasicResourcePool
$acquiret...@7da79447 -- Acquisition Attempt Failed!!! Clearing pending
acquires. While trying to acquire a needed new resource, we failed to
succeed more than the maximum number of allowed acquisition attempts
(30).


http://markmail.org/message/tqrw65zjaqsgsokc#query:+page:1+mid:2ygqrc36ppkwatfa+state:results

See #5






Re: errors after install

2009-09-29 Thread André Warnier

Daniel Wittenberg wrote:

I'm setting up spacewalk, all default settings, and I'm getting this in
the catalina.out.  Any ideas ?

Sep 29, 2009 7:19:34 PM com.mchange.v2.resourcepool.BasicResourcePool
$AcquireTask run
WARNING: com.mchange.v2.resourcepool.BasicResourcePool
$acquiret...@7da79447 -- Acquisition Attempt Failed!!! Clearing pending
acquires. While trying to acquire a needed new resource, we failed to
succeed more than the maximum number of allowed acquisition attempts
(30).


Hi.
We'd be really good if we solved it on the base of the info above, 
wouldn't we ?

So I'll try : selinux ?

Other than that, if you really want help about this, you'll have to do a 
bit better.
Admittedly, the mention of catalina.out up there is a clue that there 
might, maybe, be a Tomcat installed on your system.
The error message above however is no such clue.  It does not seem to 
come from any Tomcat code.

So you might start by telling us a bit more about
- what spacewalk is supposed to be
- if it is supposed to contain a Tomcat
- if yes, which version
- on what platform (OS) this is happening
- since the above does not seem to be really a Tomcat problem, make a 
little effort at convincing us that it is, by :

  - stopping this spacewalk and the perhaps associated Tomcat
  - delete all logfiles of either that you can find
  - restart the application, or preferably, only Tomcat
  - then send us a new copy of the catalina.out, showing any messages 
that look like errors or warnings, but from the moment when Tomcat starts up
  - if you find the base Tomcat installation directory, and find a 
bin sub-directory in it, and in there you find a version.sh or 
version.bat script, run it in a console window, and paste the output 
in your next message.





Re: Explanation mod_jk error messages

2009-09-30 Thread André Warnier

Bocalinda wrote:
...



My mod_jk configuration only has the following settings (apart from the port
and IP address settings of course):


That is exactly what it would have been interesting to see, along with 
the Connector tags in your Tomcat's server.xml files.


What is strange with the error messages you show, is that you never see 
an error in your applications.  Maybe your back-end Tomcats are just 
overloaded from time to time, and have so many connection requests piled 
up that they start refusing new ones ?





Re: errors after install

2009-09-30 Thread André Warnier

Daniel Wittenberg wrote:
Very true, sorry for being so vague.  So selinux is turned off, I don't enable 
unless I have to most of the time.

- Spacewalk = RHN = Linux server management tool
- It is running on CentOS 5 and uses latest tomcat5 RPM's

The problem is I know little to nothing about tomcat, I only figured 
those were tomcat errors since they were in the catalina.out, but from 
what you are saying other webapps that run under tomcat can log there too?



Yes. Not the purest recommended practice, but yes.

I mainly posted here because spacewalk isn't working, complains that it 
can't talk to tomcat on port 8009 (ajp?), 

Well, that's something else you never mentioned before.  At least not here..

and notice these errors and figured tomcat was having issues.

That help?


A bit, but it's still vague.
For instance, there are umpteen versions of tomcat 5.0.x and tomcat 
5.5.x around, and they are quite different, and we have no idea what 
CentOS 5 might, in their wisdom, consider the latest rpms.
Running the version.sh script in tomcat/bin, as previously requested, 
and pasting the result here would go a long way to provide accurate 
information to help you.
Also, providing the beginning of catalina.out, after a cleanup and a 
fresh tomcat start, also as previously requested, would probably tell us 
right away if there is a problem with port 8009, and what it might be.


It's like pulling teeth here..
See, I have no wish to start learning spacewalking unless I have to, and 
so far it is not very clear why or how that thing would want to talk to 
Tomcat on its AJP Connector, nor if Tomcat is even trying to provide one.


So if you don't willingly start providing the information requested, I'm 
gonna wash my hands of it all, and leave you in the hands of Chuck or 
Pid here.  Then, you'll see what abrupt means.

;-)

To gain some time, also look around for a tomcat server.xml file, and 
paste here parts of its content : specifically, any uncommented XML 
<Connector ... > tags you find in there. That server.xml file may be 
either in (tomcat_install_dir)/conf, or maybe in /etc/tomcat5???

(That would tell us which server ports Tomcat is *supposed* to listen on).

Oh, and something else : usually when Tomcat does not, by default, open 
an AJP connector on port 8009, it is either because it is not configured 
to do so, or because it is, but something else is already using that 
port.  catalina.out would tell us, but if you feel adventurous you may 
want to try the command :

netstat -pan | grep 8009

at a moment when Tomcat is NOT running.  Just to see if you're fishing 
something.
Then you can start Tomcat and do it again, and tell us about the result 
of both.





Thanks,
Dan


Re: mod_jk with Apache HTTP server version 2.2 and Tomcat 6.0

2009-09-30 Thread André Warnier

François Gravel wrote:

Greetings,
I'm a newbie trying my hand at setting up a local PHP and Java development
environment.  I use a laptop with Windows XP SP3.

Both service are running fine locally, after install.  I will describe what
I did as I followed the procedure to have mod_jk handle the communication
between them (from
http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html).  I got
the binary for Windows (mod_jk-1.2.28-httpd-2.2.3.so).

Then I created a workers.properties file which I placed in a folder I
created at $TOMCAT_HOME/conf/jk; the file content is:
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009


So far, so good.


I copied the file mod_jk-1.2.28-httpd-2.2.3.so to $HTTPD_HOME/modules and
renamed it mod_jk.so.  It was suggested at this point to also modify
Apache's httpd.conf file.  I imagine that meant to add a line to have the
module loaded by Apache (I added LoadModule mod_jk modules/mod_jk.so).


That's wrong, and probably the cause of the following messages.
It should be :
LoadModule jk_module modules/mod_jk.so


 Doing this, however, leads to an intriguing message if you try to test the
configuration: Can't locate API module structure 'mod_jk' in file
$HTTPD_HOME/modules/mod_jk.so: No error.  Is it an error or not, I'm not
sure, but since I'm not done with the procedure, I keep going.

Rectify the above, and then try again.  There may be other problems, but 
solve that one first.



I then went through the steps to use Tomcat to auto-configure.


As far as I remember, that is not a very good idea either anymore.  I 
think I remember Rainer admitting that the mod_jk auto-configuration was 
somewhat broken.


So I've added the line Include $TOMCAT_HOME/conf/jk/mod_jk.conf-auto to the
file $HTTPD_HOME/conf/httpd.conf.

I also added the listener by way of the line <Listener
className="org.apache.jk.config.ApacheConfig" modJk="/path/to/mod_jk.so" />
in the file $TOMCAT_HOME/conf/server.xml.

Then I re-started Tomcat to generate mod_jk.conf-auto: it is of note to
specify that the name of the file is mod_jk.conf and not
mod_jk.conf-auto.

Finally, I modified the Apache webserver configuration file
$HTTPD_HOME/conf/httpd.conf to include the simple configuration example.

The end result being a failure to start the Apache 2.2 server: testing the
configuration reveals the same error listed above: Can't locate API module
structure 'mod_jk' in file $HTTPD_HOME/modules/mod_jk.so: No error.

Please, I've spent hours getting to this point, but I have no idea how to
get around this error.  Thank you,



See above.





Re: mod_jk with Apache HTTP server version 2.2 and Tomcat 6.0

2009-09-30 Thread André Warnier

François Gravel wrote:

...
Apart from the earlier message, I suggest you go back and undo the 
following :



I then went through the steps to use Tomcat to auto-configure.  So I've
added the line Include $TOMCAT_HOME/conf/jk/mod_jk.conf-auto to the
file $HTTPD_HOME/conf/httpd.conf.


Remove that.



I also added the listener by way of the line <Listener
className="org.apache.jk.config.ApacheConfig" modJk="/path/to/mod_jk.so" />
in the file $TOMCAT_HOME/conf/server.xml.



Remove.

Just make sure the server.xml contains an uncommented AJP Connector
for port 8009 (matching the worker.worker1.port=8009).
Like this :

<Connector port="8009" enableLookups="false" redirectPort="8443" 
protocol="AJP/1.3" />


and start Tomcat, then start Apache.

What you are still missing then, probably, is to tell the mod_jk module 
(now properly loaded in Apache) which request URLs it should grab and 
pass on to Tomcat through port 8009.

That is done in httpd.conf by either directives like

JkMount /my-tomcat-urls worker1
JkMount /my-tomcat-urls/* worker1

(you need both)

, or sections like

<Location /my-tomcat-urls>
  SetHandler jakarta-servlet
  ...
</Location>

I prefer the second notation, because it fits better with the general 
Apache configuration idea.  But they are roughly equivalent and it's 
more a matter of personal preference.





Re: errors after install

2009-10-01 Thread André Warnier
To agree and augment on everything Peter wrote, the whole thing stinks 
of a very broken installation and configuration package, or packages.
Not for lack of desire to help, but I believe you should really go back 
to the spacewalker (or CentOS) help forum, and enquire there about 
working packages for your specific platform.
We have no idea what is needed by this application. It seems that you 
have indeed some kind of Tomcat installed now, with some /rhn webapp 
half-installed in it.  On the other hand, some other bits and pieces 
needed by that /rhn webapp appear to be missing, and some standard parts 
of Tomcat also (like the version.sh script).
Even the standard Tomcat 8005 shutdown port doesn't seem to be there, 
which as Peter wrote is very strange.
I am starting to wonder if this CentOS spacewalker package is not 
installing its own embedded Tomcat, which conflicts with another one 
already installed.


Alternatively, you could try to de-install what you have installed so 
far, then install *only* the latest CentOS pure-Tomcat package you can 
find, and test if that one, on its own, works.
Test it by simply calling the URL http://your-hostname:8080 in your 
browser. You should then get some Tomcat page, with an easily 
recognisable cat on it.
Most standard Tomcat packages I have seen so far, have Tomcat configured 
so that it will, by default, listen on 3 ports :
- port 8005 : that's Tomcat's shutdown port; you see it in the 
server.xml file as an attribute to the <Server> tag.
- port 8080 : that's Tomcat's standard HTTP connector, which allows you 
to use it as a standard webserver (that one, you will find in a 
<Connector ... protocol=HTTP> tag in server.xml)
- port 8009 : that is Tomcat's standard listening port for the AJP 
connector, another <Connector> tag in server.xml.  This one may or may 
not be activated, depending on how the CentOS packagers structured their 
stuff.  It may only get installed/activated if you install another 
complementary package containing mod_jk or mod_proxy_ajp, and this 
complementary package may in turn depend on the Apache httpd package 
being installed.

And so on...
Variations are endless, and depend on the whims and competence of 
whoever creates these packages for each platform.






Re: Default character encoding for ServletRequest

2009-10-01 Thread André Warnier

Halm Reusser wrote:

Hi,

Calling <%= request.getCharacterEncoding() %> in a jsp deployed in a 
Tomcat 6.0.20 container returns null.


Is there any possibility to force a default CharacterEncoding for such 
requests?



Don't worry, there is already a default.
The only problem is to figure out what it is..
;-)

My guess, at this stage, is that it is either iso-8859-1 (which is the 
default charset for the HTTP protocol), or else it is tied to whatever 
locale your Tomcat's JVM has been started under.
It would also depend on whether the request which you are processing is 
a GET or a POST.
And, whatever you would decide to set as a default at the server level, 
you can still not be quite sure that the client's choice matches yours.


Confused enough ?
Sorry, but that's about the most definite thing that can be said on the 
subject, considering the various often conflicting specifications that 
play a role here.


If the past is any guide however, this post will probably trigger a 
lively discussion.





Re: Installing Tomcat: how much do versions matter?

2009-10-01 Thread André Warnier

Kreshna Aryaguna Nurzaman wrote:

I need to install the following components on Windows XP (for ArcIMS):
1) Apache 2.0.43 (MSI installer for Windows, no crypto)
2) JSDK 1.4.1_01
3) Tomcat 4.1.12
4) mod_jk2-2.0.43.dll

Problem is, Apache 2.0.43 and Tomcat 4.1.12 are just _nowhere_ to be found.
These are what I got instead:
1) Apache 2.0.63  (MSI installer for Windows, no crypto)
2) JSDK 1.4.1_01
3) Tomcat 4.1.40
4) mod_jk2-2.0.43.dll

The Tomcat 4.1.40 is the JDK 1.4 version, so I think (or hope) there should
be no problem with that. However, the Apache is 2.0.63, while the mod_jk2
connector is clearly named mod_jk2-2.0.43.dll. Will I be able to run
everything smoothly, or will they just fail?

What if I go with newest version of every component instead? Thus, I'll be
using:
1) Apache 2.2.13
2) JSDK 6u16
3) Tomcat 6.0.20
4) mod_jk-1.2.28-httpd-2.2.3.so
Are those safe choices?


Definitely.  Why would you start with versions (as you mention at the 
beginning) which are at least 5 years old, and most of them not 
developed and not maintained and not supported anymore ?

(Apache 2.0.63 being, I think, the only exception here).
Contrary to what the numbering may lead you to believe, mod_jk2.x is a 
different product, older than mod_jk-1.2.28, and it is no longer 
developed nor supported.






Re: SEVERE: Error getConfigured

2009-10-02 Thread André Warnier

jay wrote:


SEVERE: Occurred at line 87 column 14

...

SEVERE: Marking this application unavailable due to previous error(s)

...

SEVERE: Context [/test] startup failed due to previous errors

...

What's wrong with my tomcat ?


With your Tomcat, probably nothing.
With your application, however, it's another matter.
Maybe the lines above give you a clue ?





Re: SEVERE: Error getConfigured

2009-10-02 Thread André Warnier

andre wrote:

Hello :

When I start tomcat ,I find the error msg in my tomcat log . what's wrong
with my tomcat ?


...

SEVERE: Error starting static Resources

java.lang.IllegalArgumentException: Document base
/usr/share/tomcat5.5/server/webapps/admin does not exist or is not a
readable directory


...

SEVERE: Context [/admin] startup failed due to previous errors


..


INFO: Container
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/admin] has
not been started


Amazing how some people can write, but not read.






[Fwd: FW: SEVERE: Error getConfigured]

2009-10-02 Thread André Warnier

Hi Jay.

Please respond to the list, not to me personally.

 Original Message 
Subject: FW: SEVERE: Error getConfigured
Date: Fri, 2 Oct 2009 15:16:57 +0800
From: jay uniojnqoif...@gmail.com
To: a...@ice-sa.com

Hi andrew~
I downloaded the war from
http://www.perfsonar.net/download/bundles/perfsonar-mdm-bundle/3.1/war/perfsonar-clmp.war
and put the file in /var/lib/tomcat5.5/webapps/ ,
but when I input the url to browser http://localhost:8180/perfsonar-clmp ,
it shows me the error msg as follows :
HTTP Status 404 -

type Status report

message

description The requested resource () is not available.
Apache Tomcat/5.5

Attach file is my tomcat error log

Thanks and best regards,
jay


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Friday, October 02, 2009 2:53 PM
To: Tomcat Users List
Subject: Re: SEVERE: Error getConfigured

jay wrote:


SEVERE: Occurred at line 87 column 14

...

SEVERE: Marking this application unavailable due to previous error(s)

...

SEVERE: Context [/test] startup failed due to previous errors

...

What's wrong with my tomcat ?


With your Tomcat, probably nothing.
With your application, however, it's another matter.
Maybe the lines above give you a clue ?



Oct 2, 2009 3:14:50 PM org.apache.catalina.core.AprLifecycleListener 
lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in 
production environments was not found on the java.library.path: 
/usr/java/packages/lib/i386:/lib:/usr/lib:/usr/lib/jni
Oct 2, 2009 3:14:50 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8180
Oct 2, 2009 3:14:50 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 443 ms
Oct 2, 2009 3:14:51 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Oct 2, 2009 3:14:51 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5
Oct 2, 2009 3:14:51 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Oct 2, 2009 3:14:51 PM org.apache.catalina.core.StandardContext resourcesStart
SEVERE: Error starting static Resources
java.lang.IllegalArgumentException: Document base 
/usr/share/tomcat5.5/server/webapps/admin does not exist or is not a readable 
directory

Re: SEVERE: Error getConfigured

2009-10-02 Thread André Warnier

andre wrote:

Hello :

When I start tomcat ,I find the error msg in my tomcat log . what's wrong
with my tomcat ?


Apologies to the list, it seems that I started another thread by mistake.
Jay, please respond to the list, not to me.

About your Tomcat :
It looks like your Tomcat package is broken.  Tomcat expects to find a 
series of webapps (manager, host-manager, admin,..) and does not find 
them.  So it complains.
Maybe you manually deleted some applications in the /webapps directory, 
without telling Tomcat properly about it.
I suggest that you de-install your Tomcat package, and also the 
Tomcat-webapps package if any, and also the war application which you 
added later.

(Also delete the Tomcat logfiles in /var/log/tomcat???)
Then, re-install Tomcat (and maybe Tomcat-webapps) cleanly.

Then, first verify that Tomcat is working, before you add anything else.
If there is another problem then, post another message to this list.

About your application's war-file : this is not part of Tomcat, and 
probably nobody here knows this application.
If there is a problem with it, you should contact the makers of that 
application.





Re: SEVERE: Parse error in default web.xml

2009-10-04 Thread André Warnier

Eric B. wrote:
andre andrewarn...@gmail.com wrote in message 
news:003c01ca43b9$0ef57ae0$2ce070...@com...

...



Are all your files readable by the process that is running tomcat?  For 
instance, if tomcat is running under user tomcat, and your files are only 
readable by andre, you will get errors like that.


I would like to add that despite the OP's unabashed use of an email 
address evidently meant to introduce confusion, I never read those files 
and I have nothing to do with their access permissions, as I haven't 
managed to break into his server yet.


(s) André, the genuine article

P.S.
Jay, knock it off.





Re: Help management access

2009-10-04 Thread André Warnier

richard mycroft wrote:

OK, I ran into the same thing a few weeks ago and wasted a lot of time before 
finding the silly XML comment elements.  There should be an English language 
note, or a default user with no rights that is not commented out in order to 
help those of us not possessing a nice, context sensitive XML editor or 
experience with XML sufficient to quickly let us note this.  Just a thought as 
I am very sure I am not the only person to have wasted lots of time on this 
situation.



You mean an XML comment, warning that an XML comment follows ?
:-)

I respectfully suggest that getting yourself an XML-aware editor may be 
the better way to go, to save you grief there and in many other XML-rich 
situations.  They are cheap, too.







Re: java.lang.OutOfMemoryError: Java heap space

2009-10-04 Thread André Warnier

Joe Hansen wrote:

I found the following error message in the Apache logs:
[Sat Oct 03 04:10:49 2009] [error] server reached MaxClients setting,
consider raising the MaxClients setting

Here's a snippet from the httpd.conf, which deals with MaxClients.
<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>

<IfModule worker.c>
StartServers         2
MaxClients         150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>

I will watch out for the increase in the number of httpd processes. I
am wondering if I should raise the MaxClients value in prefork.c and
worker.c modules. Can anyone on this forum please explain why new
httpd processes are spawned and why aren't the old processes
terminated?


What are your KeepAlive* settings ?




Re: POST request with timeout acts weird

2009-10-04 Thread André Warnier

Christopher Schultz wrote:


Ronald,

On 10/2/2009 9:20 AM, Ronald Klop wrote:

But I don't send any data. My servlet then waits in getParameterMap(),
because that tries to read the inputstream and parse the parameters.
After 20 seconds (Connector has connectionTimeout=2) the reading
of the inputstream ends, but my application just gets an empty Map
instead of some TimeoutException.


What leads you to believe that a TimeoutException would be thrown? The
documentation for the HTTP connector's connectionTimeout attribute says:


The number of milliseconds this Connector will wait, after accepting a
connection, for the request URI line to be presented. The default value
is 6 (i.e. 60 seconds).


You provided the URI line within plenty of time. If you didn't enter
anything, Tomcat would disconnect. Since you did, it doesn't.


...
Doesn't the fact that the read on the inputstream returns, imply that 
there is actually a timeout, even if it is not returned to the webapp ?


And, to Ronald : if the request is a POST, and it has a Content-length, 
and you get an empty parameter map after 20 seconds, can't you just 
reject the request as invalid ?


And, curiosity : if you set the Connector timeout to 30 seconds, does 
your inputstream then return after 30 seconds too ?





Re: resource not available : Apache Tomcat/6.0.20 with java jdk1.6.0_16 on linux 2.6.30.1

2009-10-05 Thread André Warnier

Peter Crowther wrote:
...


and Tomcat in general.  Symlinks in webapps will not work by default -
look up allowLinking to allow them, and be Very Careful if you do as
I seem to recall that undeploying a webapp with a symlink in it can
delete all the files in the area that you've linked to.

As things happen, I just spent 2 hours this morning wondering why an old 
webapp that worked fine under Tomcat 4.1, didn't work anymore when moved 
to Tomcat 5.5.  Until I saw your message above, and added a context.xml 
in the webapp with allowLinking=true.
It seems that the old Tomcat 4.1 had such a Context element in 
server.xml, which disappeared in the move to 5.5.


(catalina_base)/webapps/myapp/META-INF/context.xml :
<Context allowLinking="true" />

did it.

Thanks.




Re: POST request with timeout acts weird

2009-10-05 Thread André Warnier

Ronald Klop wrote:
...
There is even more fun about the documentation of connectionTimeout. It 
states that it waits for the URI after accepting the connection, but in 
my example Tomcat is not waiting for the URI, but for data from the 
request. So connectionTimeout does much more than what is mentioned in 
the documentation.


You can also look at it in another way, consistent with your 
observations so far :


- Tomcat does wait after the initial connection, for connectTimeout 
seconds, for the URI (and, I suppose, headers) to come in.

If these things do not come in in the time set, there is an error.
This is documented.
And it helps in fighting some specific types of DOS attacks.

- but, internally and undocumented, Tomcat also uses the same 
connectTimeout timeout value when it is subsequently asked to read the 
request body (for example with getParameters()).  But since the 
getParameters() method, (as per the Servlet Spec I guess) does not allow 
for a timeout exception to be returned, Tomcat merely returns an empty 
parameter map when this timeout occurs.


It appears that there is no way to explicitly set (individually) the 
timeout for reading the request body, nor to get a specific error when 
whatever timeout is being used, is exceeded.






Re: Alias URL

2009-10-05 Thread André Warnier

Caldarale, Charles R wrote:

From: Johnson, Rob E [mailto:rob.john...@mms.gov]

...

Hi guys, can I jump in here ?
I believe that you are being a bit tough on Rob here.
Obviously, he is not a Tomcat expert, and more used to IIS and the MS 
way of things, than to Apache httpd and Tomcat.  And in IIS, these 
things are administered through a graphical interface which talks of 
sites and so, so I think he is getting a bit confused.
I don't know if I can redeem all of that in 5 minutes, but I'm willing 
to try.


Rob,
you are being blasted here because this is a forum for Apache Tomcat, 
which is an Open Source product, and as such it, and the people here, 
are striving to follow the official Internet RFCs and the vocabulary 
used in those documents.  Microsoft on the other hand propose their own 
proprietary products, with their own interfaces and vocabulary.  That is 
their fundamental right, but it can lead to some confusion when one is 
trying to marry the two worlds.
For example, what MS and IIS call a site, is usually in Apache httpd 
and Tomcat designated by virtual Host.


In a purely MS-world, using the MS proprietary vocabulary is fine, 
because within the confines of that world that vocabulary is readily 
understood.
In the world of the Internet and Open Source software, where products 
come from many sources and have to interact with one another, using the 
official Internet RFC vocabulary is necessary, because it is the only 
way by which these products and the people using them can understand 
each other and communicate (as you just discovered).


Usually also, MS products are designed to be configured primarily 
through a graphical interface, while many open-source products are 
mainly configured by means of text files (for Tomcat, in XML format), 
and a graphical interface is often an afterthought.
(And in the Open Source world, particularly with older guys like Chuck 
and me, graphical configuration interfaces are considered like things 
for kiddies; the real pros use text files, and a vi editor).


Tomcat is primarily a java servlet server (special web applications 
written in java).  But it can act as a generic webserver, and serve 
normal static pages too.
The standard port on which a webserver listens for requests from 
browsers, is port 80.  But it can listen for browser requests on any 
port, as long as it is configured to do so, and as long as that same 
port is not in use by something else on the same host.


Therefore, your initial question is a bit confusing, because you mention 
both a URL of "http://webtop" (thus implying a standard HTTP port 80, 
thus the equivalent URL to "http://webtop:80/"), and 
"http://localhost:8080/webtop" (thus using a non-standard port 8080), 
and you call them both sites.
Plus, in these URLs, only the webtop or localhost parts really have 
something to do with DNS, and DNS itself (the Domain Name System) has 
nothing to do with IIS (a webserver), and it seemed in your first post 
that you were also confusing these things.
Plus, you mention in your post that you would like the users to enter in 
their browser the URL "http://webtop" and that they be automatically 
redirected to the site "http://localhost:8080/webtop" which really 
does not make any sense and is rather impossible.


So, for all of that, you got treated a bit roughly, but without malice, 
and I am sure that it was merely an attempt by the other posters here, 
to get you to straighten up your vocabulary, in an Internet RFC sense.


Before we get back to your question, there is another explanation I want 
to provide, lest we talk again different languages later.


When, in the browser URL bar, a user enters a URL like : http://webtop, 
the browser really does the following :
- it asks the underlying Operating System, to resolve the hostname 
included in this URL (here webtop) into an IP address (like 1.2.3.4).
- then it establishes a TCP connection with the host at that IP address, 
at the port indicated (here port 80, implicitly for HTTP)
- then it sends to that host a HTTP request consisting, as a minimum, of 
2 text lines :

1) GET / HTTP/1.1
2) Host: webtop

Similarly, when the user enters "http://localhost:8080/webtop", the 
browser :
- asks the underlying Operating System, to resolve the hostname included 
in this URL (here localhost) into an IP address (and this will always 
come back as 127.0.0.1, because on any machine localhost is that address).
- then it establishes a TCP connection with the host at that IP address, 
at the port indicated (here thus, to IP 127.0.0.1 and port 8080, as 
explicitly mentioned)
- then it sends to that host a HTTP request consisting, as a minimum, of 
2 text lines, in this case :

1) GET /webtop HTTP/1.1
2) Host: localhost

So here you can already see why your initial explanation sounded strange 
: because in the first case, the IP address returned by the OS (and the 
DNS system to which it talks) would be whatever public IP address 
corresponds to the Alias 

Re: java.lang.OutOfMemoryError: Java heap space

2009-10-05 Thread André Warnier

Joe Hansen wrote:

Rainer,

Here are the KeepAlive values in httpd.conf:

KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15


Well, since you have KeepAlive Off, the other 2 do not matter.
But as such, it means that each request of each browser is going to 
create a new connection to the webserver, just for that one request.
So if there is a page with 10 img links inside, you will end up 
establishing (and tearing down) a total of 11 TCP connections (one for 
the main page, one each for each img).

That may or may not have a bearing on the situation you are seeing.






Re: java.lang.OutOfMemoryError: Java heap space

2009-10-05 Thread André Warnier

Joe Hansen wrote:

Thank you for the reply, Andre.

I now understand how setting KeepAlive to On would improve the
performance of a website (The Apache manual says that a 50% increase
in throughput could be expected). So I changed the KeepAlive to On and
restarted the server.


Now wait.
You should probably then lower your setting for KeepAliveTimeout (to 3 
e.g.), otherwise you may make the problem much worse.

Read conscientiously the relevant Apache doc page :
http://httpd.apache.org/docs/2.2/mod/core.html#keepalive

The point with KeepAlive is :
- the browser makes a connection and issues a first request
- the webserver dedicates a child (or thread) to this connection, and 
passes it the first request

- the child/thread responds to the first request, and then waits for more
- the browser, in the response page, finds more links. Over the same TCP 
connection, it sends the next request
- the same child/thread - which was waiting on that connection - 
receives the new request, and responds to it. Then it waits again for 
the next one.

- etc..
- until at some point, the browser does not issue any additional 
requests on the connection. Then, *after the KeepAliveTimeout has 
expired*, the child/thread gives up, closes the connection, and returns 
to the pool available for other requests from other browsers


So the point is, if the KeepAliveTimeout is long (like 15 seconds), it 
means that a child/thread may be kept waiting, for nothing, up to that 
many seconds, although there is nothing coming anymore.




I however wonder if this will fix the issue. The reason being, I
haven't changed the website code at all the past few months and there
hasn't been any increase in the website traffic too. Hence I am unable
to understand why we are suddenly seeing an increase in the number of
httpd processes. The only thing I changed is the session-timeout value
from 30 minutes to 240 minutes.

I guess that this is the Tomcat session timeout.  That should have 
nothing to do with the above.  I don't think that for Tomcat, a 
session is linked to a connection. It is more of a set of data saved 
somewhere, linked to the Tomcat session-id (the JSESSIONID cookie for 
instance).  Tomcat retrieves it whenever a request comes in with the 
same session-id number.  But it should not matter whether it is on the 
same TCP connection or not.


What may be linked together however, is that one request to httpd 
results in one child/thread busy with it at the Apache httpd level. If 
that request is being forwarded to Tomcat by mod_jk, then it also holds 
onto one mod_jk/Tomcat connection. This connection then holds on to one 
thread in Tomcat, until the Tomcat thread (+webapp) has supplied the 
full response. All the while, this whole chain is unavailable for other 
requests.  Thus, if there are many such requests under way, many Apache 
children/threads are busy, and Apache httpd will start additional ones 
(up to its limit) to service new requests that come in.
So if for some reason, your Tomcat requests now take longer to be 
serviced, that should also, by retro-effect, increase the number of 
httpd children/threads being started.

The bottleneck would be in Tomcat, but it would show up at the httpd level.
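
The KeepAlive trade-off discussed in this message, as an added example that is not part of the original thread: an event-sweep model of how many httpd workers are held at peak for KeepAlive Off, On with a 15 second timeout, and On with a 3 second timeout. MAX_CLIENTS and the 11 requests per page come from the thread; the arrival rate, the 50 ms service time and the worst-case assumption that every idle connection is held until the timeout expires are constructed.

```python
MAX_CLIENTS = 256        # prefork MaxClients from the httpd.conf quoted in this thread
REQUESTS_PER_PAGE = 11   # one page plus 10 images, as in the earlier reply
SERVICE_MS = 50          # assumption: time one worker needs to answer one request
ARRIVAL_MS = 50          # assumption: one new visitor every 50 ms
DURATION_MS = 60_000     # length of the constructed traffic sample


def peak_workers(keepalive, timeout_ms=0):
    """Return the highest number of workers held at the same time.

    Each visitor fetches REQUESTS_PER_PAGE resources one after the other.
    With KeepAlive Off every request is its own short connection; with
    KeepAlive On one connection keeps its worker until timeout_ms has
    passed after the last response.
    """
    events = []  # (time in ms, +1 worker taken / -1 worker released)
    for start in range(0, DURATION_MS, ARRIVAL_MS):
        if keepalive:
            busy = REQUESTS_PER_PAGE * SERVICE_MS
            events.append((start, +1))
            events.append((start + busy + timeout_ms, -1))
        else:
            for i in range(REQUESTS_PER_PAGE):
                begin = start + i * SERVICE_MS
                events.append((begin, +1))
                events.append((begin + SERVICE_MS, -1))
    # Tuples sort by time first; at equal times -1 sorts before +1, so a
    # worker released at time t can be reused by a connection arriving at t.
    events.sort()
    in_use = peak = 0
    for _, delta in events:
        in_use += delta
        peak = max(peak, in_use)
    return peak


def report():
    """Return (label, peak workers, exceeds MaxClients) for the three settings."""
    rows = []
    for label, keepalive, timeout_ms in [
        ("KeepAlive Off", False, 0),
        ("KeepAlive On, KeepAliveTimeout 15", True, 15_000),
        ("KeepAlive On, KeepAliveTimeout 3", True, 3_000),
    ]:
        peak = peak_workers(keepalive, timeout_ms)
        rows.append((label, peak, peak > MAX_CLIENTS))
    return rows


if __name__ == "__main__":
    for label, peak, over in report():
        note = "exceeds MaxClients" if over else "within MaxClients"
        print(f"{label:36s} peak workers {peak:4d}  ({note})")
```

The same sweep works on real data if the constructed arrival schedule is replaced by connection start times taken from an access log.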




Re: java.lang.OutOfMemoryError: Java heap space

2009-10-05 Thread André Warnier

André Warnier wrote:
...
and still wants to add something :

- a new KeepAlive connection is made from the browser to Apache (httpd).
- then a request comes in on that connection, and it happens to be one 
that gets forwarded to Tomcat.  So a mod_jk connection is made to 
Tomcat, Tomcat allocates a thread for it.
- I would imagine that mod_jk must pass on to Tomcat the fact that this 
is a KeepAlive connection, so that Tomcat would know that its thread for 
that connection, should also wait for subsequent requests.
- so now the webapp/thread generates the response to the first request, 
and waits on the connection for more requests.
- however, the browser does send more requests to Apache, but these are 
not ones that get forwarded to Tomcat (for example, they are for items 
that Apache serves locally) ...


So now I wonder about how Apache + mod_jk + Tomcat react in such a 
situation.  Do the mod_jk connection +Tomcat thread keep waiting anyway, 
and how long ?


Rainer ?





Re: Alias URL

2009-10-05 Thread André Warnier

Johnson, Rob E wrote:

Hi,


What you would like is that :
- when a user enters the URL "http://imsden.mms" (or "http://imsden.mms:8080"), 
he continues to get the standard Tomcat homepage
- when a user enters the URL "http://webtop" (or "http://webtop:8080"), he gets 
immediately the first page of the webtop application



Is that correct ?


This is correct

Sorry to be slow to respond I have to jump into a few meetings today. 

And sorry if I leave in the middle somewhere, despite my didactic 
instincts.  I have to take a plane at 5:00.

So let's see if I can write this quickly and not forget anything.
(If so, peruse the responses you already got, from me and others, 
because the data is already there).


Anyway then,

(stop Tomcat first)

Step 1 : you will need 2 <Host ..> sections in Tomcat's configuration 
file server.xml.  Currently, there is only one.


The first and only one you already have, is for the hostname 
"localhost", which is also the default Host.  Meaning in short that 
Tomcat will use the settings in that first <Host> section, for any request
- either specifically addressed to localhost (of which there should be 
few, since they would have to originate on the same system)
- or for any request that comes in with a "Host: xx" header, which 
xx Tomcat cannot readily associate with a <Host name="xx" ..> tag


So look for the server.xml file, edit it, duplicate the entire
<Host name="localhost" ..> </Host> section that you find there, and 
change the name= attribute value to be "webtop" instead of "localhost".


That's basically all it takes to create a new virtual host (or site 
in MS parlance) into Tomcat.


Also :
- you currently have a ../webapps/ directory under Tomcat.  At the same 
level, create a directory .../webapps2/ .
Then move your complete webtop/* webapp under that new directory 
(instead of under /webapps/).
- then, in the new <Host name="webtop" ..> tag that you created 
previously, change the appBase attribute

as follows :
old : appBase="webapps"
new : appBase="webapps2"


Then restart Tomcat.
Now the Host named localhost should no longer find an application 
called webtop. In other words, a browser accessing via 
"http://imsden.mms/webtop" should get an error.
(Because the hostname imsden.mms not being found in a <Host> tag, Tomcat 
will default to the first Host, and its /webapps dir does not have the 
webtop application in it any longer).


But the host named webtop should find this application.
In other words, a browser accessing via "http://webtop/webtop" should 
now get the application.


That's getting closer, but..

Step 2 : consists of making this webtop application into the default 
application of the host webtop.

For this, there is a wiki, but in your case it's easier :
Stop Tomcat. Rename /webapps2/webtop/ to /webapps2/ROOT/,
and restart Tomcat.
Then try accessing http://webtop/

Tada !

Or not, but then you need to find another helping hand, cause I'm going 
to catch some sleep.
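
The request walk-through from the earlier "Alias URL" reply and the two-Host setup from this one, as an added example that is not part of the original thread: a simplified model of how the Host header selects a Tomcat Host and which webapp directory then answers. The Engine class, the directory listings and unknown.example are constructed for illustration; Tomcat's real mapper also handles Alias entries and nested context paths.

```python
from urllib.parse import urlsplit


def minimal_request(url):
    """Split a URL as the post describes: the name to resolve, the port to
    connect to, and the two request lines sent once connected."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or 80            # http:// without a port means port 80
    path = parts.path or "/"
    # Browsers append a non-default port to the Host header value.
    host_header = host if port == 80 else f"{host}:{port}"
    return host, port, [f"GET {path} HTTP/1.1", f"Host: {host_header}"]


class Engine:
    """Simplified model of name-based Host selection (assumption: exact
    name match only, contexts named after the directories under appBase)."""

    def __init__(self, default_host, hosts):
        self.default_host = default_host
        self.hosts = hosts             # host name -> (appBase, set of webapp dirs)

    def route(self, request_lines):
        path = request_lines[0].split()[1]
        header = next(l for l in request_lines if l.lower().startswith("host:"))
        # Only the name part of the Host header is used to pick the Host.
        name = header.split(":", 1)[1].strip().split(":")[0].lower()
        if name not in self.hosts:
            name = self.default_host   # unknown names land on the default Host
        app_base, webapps = self.hosts[name]
        first_segment = path.lstrip("/").split("/", 1)[0]
        if first_segment in webapps and first_segment != "ROOT":
            webapp = first_segment
        elif "ROOT" in webapps:
            webapp = "ROOT"            # ROOT answers the rest, possibly with a 404
        else:
            webapp = None              # nothing deployed that can answer
        return name, app_base, webapp


STANDARD = {"ROOT", "manager", "host-manager"}   # constructed directory listing

# After step 1: second Host added, webtop moved to webapps2.
AFTER_STEP_1 = Engine("localhost", {
    "localhost": ("webapps", STANDARD),
    "webtop": ("webapps2", {"webtop"}),
})
# After step 2: webapps2/webtop renamed to webapps2/ROOT.
AFTER_STEP_2 = Engine("localhost", {
    "localhost": ("webapps", STANDARD),
    "webtop": ("webapps2", {"ROOT"}),
})


def visit(engine, url):
    """Build the browser's request for url and return (Host, appBase, webapp)."""
    _, _, request = minimal_request(url)
    return engine.route(request)


if __name__ == "__main__":
    urls = ["http://imsden.mms:8080/", "http://imsden.mms:8080/webtop",
            "http://webtop:8080/webtop", "http://webtop:8080/",
            "http://unknown.example:8080/"]
    for label, engine in (("after step 1", AFTER_STEP_1),
                          ("after step 2", AFTER_STEP_2)):
        for url in urls:
            print(label, url, "->", visit(engine, url))
```

The last URL shows the default-Host fallback: any Host header Tomcat does not recognise is answered by the first Host, so whatever is deployed there (manager applications included) is reachable under every name that resolves to the machine.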






Re: [OT] Re: Alias URL

2009-10-05 Thread André Warnier

Caldarale, Charles R wrote:

From: peter.crowth...@googlemail.com
[mailto:peter.crowth...@googlemail.com] On Behalf Of Peter Crowther
Subject: Re: [OT] Re: Alias URL

Well I edited the inodes by hand.  With a magnet.
(Bonus points if you know the origin of the quote)


This may not be the origin, but I think it's one of the first times it was 
written down:
http://ars.userfriendly.org/cartoons/?id=19990508&mode=classic



I was going to say Evil Geniuses (O'Reilly).
But I don't know who was first.




Re: [OT] Alias URL

2009-10-06 Thread André Warnier

David Kerber wrote:

Pid Ster wrote:




YDHTVO
  

???  Haven't seen that one before.
D

Neither have I. You Don't Have To ... ?




Re: Alias URL

2009-10-06 Thread André Warnier

Caldarale, Charles R wrote:

From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Alias URL

(stop Tomcat first)

Step 1 : you will need 2 Host .. sections in Tomcat's configuration
file server.xml.  Currently, there is only one.


Actually, the one will suffice, if the OP is willing to eliminate Tomcat's 
existing ROOT webapp (no big loss).


Eh no. Prodded, he said he wanted this :
..
 What you would like is that :
 - when a user enters the URL "http://imsden.mms" (or 
"http://imsden.mms:8080"), he continues to get the standard Tomcat homepage
 - when a user enters the URL "http://webtop" (or 
"http://webtop:8080"), he gets immediately the first page of the 
webtop application


 Is that correct ?

This is correct





Re: Alias URL

2009-10-06 Thread André Warnier

Johnson, Rob E wrote:

Andre thanks for all your help that worked.  I can use the alias, and I can 
still hit the other webapps.

Also thanks to Martin Gainty and his help.


No thanks required, we live to help.
Martin and I, the winning team...
:-)




Re: java.lang.OutOfMemoryError: Java heap space

2009-10-06 Thread André Warnier

Rainer Jung wrote:

On 06.10.2009 21:44, Joe Hansen wrote:

...


It seems your application is CPU heavy. Either the data objects handled
are too heavy weight (maybe some user having huge Fotoset or Email list)
or the request rate is simply too large. Is the CPU saturated during the
problems?

I would activate a good access log and try to find out from that and
your webapp logs what may be special about these web requests or users.


...
The original post was so long ago in relative terms, that I don't 
remember the details of your system.
But, just in case, you may want to also have a look at the *total* 
memory usage on your system during those events.
If the load has increased (even slightly) recently, it might have 
reached the point where there is sometimes no longer sufficient physical 
memory available to process all simultaneous tasks, and the system is 
starting to swap tasks to virtual memory (on disk).  That would cause a 
dramatic slowdown in request processing, which may have something to do 
with your problems.
If you are under Unix/Linux, the first lines displayed by top would 
already provide some information in that respect.
Or else, just plug in an additional memory bar in your server, and see 
if it changes anything.  They are rather cheap right now.







Re: mod_jk problem related to multiple hosts on Apache and Tomcat

2009-10-07 Thread André Warnier
One real question is why you are bothering with an Apache httpd in 
front, since unless I saw this wrong, you are proxying absolutely 
everything to Tomcat, in both virtual hosts.

JkMount /* etc..

Why not just turn off Apache, and have Tomcat listen on port 80 ?
You would save yourself some complication and some overhead.





Re: JNI problem

2009-10-07 Thread André Warnier

Christopher Schultz wrote:


Mohamedin,

On 10/7/2009 10:40 AM, Mohamedin wrote:

Dear all,

I am trying to use a JNI library written by me that uses
GraphicsMagick wand. It is working fine as a stand alone java
application but when I tried to use it in tomcat it give me this error
and tomcat crashed.



Considering the above, might it simply be not thread-safe ?




Re: Re Directing tomcat console out put to log files

2009-10-09 Thread André Warnier

VijayKS wrote:



VijayKS wrote:
Hi, I'm using Tomcat 4.1.
I try to redirect System.out to log files, but unable to do it.

Help me to resolve this issue




I installed the exe version of tomcat 4.1 .
There is no catalina.log files present.
localhost_log.2009-10-09.txt This is the file name is in 
C:\tomcat4.1\logs\ folder.

But the System.out. messages not written in this file and it is written in
console window


Vijay,

by now Tomcat 4.1 must be about 10 years old.  It is no longer developed 
nor maintained.  The current version is Tomcat 6.20.x. In-between, there 
have been Tomcat 5.0 and Tomcat 5.5.

So why do you install Tomcat 4.1 ?
It is not any cheaper than the latest one.
Most people here are probably too young even to remember how to 
configure that version.  And even if they are not, not many people here 
will be willing to go back digging into that old documentation and find 
answers for you. (Something by the way which you could do yourself.)
I would recommend that you de-install Tomcat 4.1, install the latest 
version, and then if you have a problem come back and ask.






Re: Does Tomcat http work on port 80?

2009-10-09 Thread André Warnier

Peter Crowther wrote:

2009/10/9 Serge Fonville serge.fonvi...@gmail.com:

Hi,

Yesterday on the JBoss users forum I posted the question how to setup http

for Tomcat on port 80 internal to JBoss 5.1.0GA under Windows 2000 Prof.

[...]

Well known ports require root

[...]

http://en.lmgtfy.com/?q=tomcat+port+80+linux


Serge, the OP is on Windows 2000 Professional ;-).


Peter, I don't think that this is so clear in the muddled first OP 
message.  Even after reading that stuff a couple of times, I'm still not 
quite sure what the question is.


;-)




Re: Does Tomcat http work on port 80?

2009-10-09 Thread André Warnier

Tony Anecito wrote:
...
When I changed the server.xml recommended
 by Jboss and others to port 80 I got the white page (no source)

Tony,
you may get a page that looks empty in your browser.
But that is not all that you are getting.
If you look at the page source, you will probably see more.
If you look at the server logs, you will see much more.
If you get some add-on to your browser (like HttpFox or Fiddler2), you 
will see even more, in the form of HTTP headers and a status code that 
the server returns.









Re: tomcat 5.5.25 shared lib and sharing webapp jars

2009-10-09 Thread André Warnier

Caldarale, Charles R wrote:


Also be aware that any static fields or singleton objects in the shared classes 
really will be shared by each webapp, whereas before each webapp had its own 
copy.

You must have meant shared by all webapps.  Chuck, you should really 
watch your usage of the terminology here.

;-)

Being ever eager to learn, I have been following this thread with interest.

Do I understand this correctly, if I draw the following conclusions :

- the Heap is a global structure, managed by the JVM which runs Tomcat
- webapps create (instantiate) objects by using classes, which are 
pieces of code which (among other things) create objects. Such objects 
are allocated on the Heap.
- instances (copies) of classes are loaded into JVM memory (where?) on 
an as-needed base, for example the first time a webapp invokes some 
piece of code in the class

- a class instance can be loaded from
	- either a location private/belonging to a particular webapp 
(WEB-INF/classes/*.class or WEB-INF/lib/*.jar)
	- or a location common to all webapps, such as 
Tomcat_dir/shared/classes or Tomcat_dir/shared/lib/*.jar
- The JVM remembers where a class instance was loaded from, so that 
for example an instance of class A loaded from 
webapp-1/WEB-INF/lib/abc.jar is distinct from an instance of class A 
loaded from webapp-2/WEB-INF/lib/abc.jar, and both are different from an 
instance of class A loaded from Tomcat_dir/shared/lib/abc.jar
- it would be a bad idea anyway to have abc.jar located in a 
webapp-x/WEB-INF/lib and simultaneously in Tomcat_dir/shared/lib.
(Why this is a bad idea is not very clear to me if the above holds true, 
but I trust previous communications here saying that it is a bad idea)

- an object always holds a reference to the class it was created from
- a class instance generally does not, but can, keep a reference to the 
objects created from it. Class instances which create a singleton object 
perforce keep a reference to it.

- a class instance can be unloaded from memory when
	- the webapp which loaded it is itself unloaded, and all objects of 
that class created by (or belonging to) that webapp are thus destroyed
	- AND the class instance does not contain any reference to any other 
object(s) created by (an)other webapp(s)


In other words, if a class instance was loaded from a jar in 
Tomcat_dir/shared/lib, then
	- that class instance would be shared by all webapps referencing the 
class, and would only be allocated once in memory (?) (thus saving 
memory space)
	- but that class instance could not be unloaded (and maybe replaced by 
another better version) until all objects created by it, on behalf of 
any webapp, have been destroyed. In the practice, this could mean that 
it is only possible to unload and reload this class instance by stopping 
and restarting the entire JVM (and Tomcat).


Thus, if one is confident that all webapps are compatible with the same 
version of some classes, and if these classes do not contain class-level 
variables or allocate singleton objects whose common usage by different 
webapps may lead to trouble, and if one never intends to unload/reload a 
single webapp at a time and always brings down and restarts the whole 
Tomcat at once, one might as well put the classes in Tomcat_dir/shared.


And if in doubt about any of the above, put them in each webapp's 
WEB-INF and buy more RAM if necessary.








Re: [OT] tomcat 5.5.25 shared lib and sharing webapp jars

2009-10-10 Thread André Warnier

Christopher Schultz wrote:


Chuck,

On 10/10/2009 9:26 AM, Caldarale, Charles R wrote:
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Subject: Re: [OT] tomcat 5.5.25 shared lib and sharing webapp jars


My direct experience that had led me to believe that ClassLoaders 
keep lists of their loaded Classes is that a WebappClassLoader

held across a webapp restart (due to inadequate cleanup by the
webapp) results in all Class objects loaded by that
WebappClassLoader staying in memory, essentially forever.
I think you are correct about Tomcat's WebappClassLoader; it has to 
maintain the set of the classes it has loaded since it breaks the 
normal Java delegation rule, and can't simply ask its parent for the 
class.


Is that because the primordial ClassLoader will hand-out references to
any class already loaded by any ClassLoader, so if null is returned,
then the current ClassLoader knows it needs to do its own loading (if it
can)?


The JVM itself keeps track (outside of the heap) of all loaded
classes so that classloaders that follow the standard delegation rule
don't have to.


Also, the WebappClassLoader has to be able to re-load classes that are
updated during runtime. In order to do that, it needs to know what has
been loaded and when.

Not that it was my thread to begin with, and not that it's really 
dramatic either, but I suppose you guys must realise that you lost me, 
like, about 15 posts ago ?

:-)





Re: mod_jk inserting Transfer-Encoding Chunked header

2009-10-10 Thread André Warnier

Sam Crawford wrote:

Apologies for misinterpreting your post.

Unfortunately we can't ditch SunONE - it's a requirement from our
security guys. We're operating in a two-tier DMZ environment and
SunONE will be in the top tier, with an SSO agent running inside it.
JBoss will be in the 2nd tier.

Just by curiosity (and I do not know SunONE) : you mention SSO. I know 
that with Apache and mod_jk, the authenticated Apache user can be passed 
on to Tomcat, and used by Tomcat.  But I don't so far know any other 
connector able to do this.  How does it work with SunONE ?






Re: [OT] tomcat 5.5.25 shared lib and sharing webapp jars

2009-10-10 Thread André Warnier

Caldarale, Charles R wrote:

From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: [OT] tomcat 5.5.25 shared lib and sharing webapp jars

Not that it was my thread to begin with, and not that it's really
dramatic either, but I suppose you guys must realise that you lost me,
like, about 15 posts ago ?


What, are you being rude again?  (Just kidding :-)

I think one of the non-obvious points is that the word instance in an 
object-oriented environment is strictly defined, and must be used with discretion.  So, 
where did we start to lose you?  If you'd prefer to continue the discussion off-list, 
that's o.k. for this off-topic.

No, no. I have no qualms about splaying out, for everyone to see, my 
dismal lack of fundamental Java knowledge, when the comparison is with 
experts like you two.
And I am rather proud of having triggered this fascinating discussion 
about the finer points of java classes and objects relationships, which 
without doubt will some day become part of the anthology of Tomcat 
classloading and application deployment techniques.

Or the other way around, I am not quite sure anymore.





Re: Re Directing tomcat console out put to log files

2009-10-10 Thread André Warnier

Ziggy wrote:

Have a look at this page
http://tomcat.apache.org/tomcat-4.1-doc/config/logger.html

On Sat, Oct 10, 2009 at 11:12 AM, Ziggy zigg...@gmail.com wrote:


Sorry vijay my comments were directed at Andre


Ziggy, Vijay,
my comments were not really /meant/ to be rude.  But I admit they were 
kind of rough.
Considering the fact that in his post, Vijay indicated that he 
/downloaded and installed Tomcat 4.1/, and considering that Vijay, in 
earlier posts this year, indicated that he was already using Tomcat 5.x, 
I was just trying to point out to Vijay that restarting with Tomcat 4.1 
at this time was likely to be a loss of time, and not only for him.
One of the things that changed significantly from Tomcat 4.1 to Tomcat 
5.0 and beyond, is logging. So anything that anyone could tell Vijay 
about Tomcat 4.1 logging, would most probably be invalid for later 
versions of Tomcat, which Vijay is much more likely to encounter nowadays.







Re: [OT] mod_jk inserting Transfer-Encoding Chunked header

2009-10-11 Thread André Warnier

Mark Thomas wrote:

André Warnier wrote:

Sam Crawford wrote:

Apologies for misinterpreting your post.

Unfortunately we can't ditch SunONE - it's a requirement from our
security guys. We're operating in a two-tier DMZ environment and
SunONE will be in the top tier, with an SSO agent running inside it.
JBoss will be in the 2nd tier.


Just by curiosity (and I do not know SunONE) : you mention SSO. I know
that with Apache and mod_jk, the authenticated Apache user can be passed
on to Tomcat, and used by Tomcat.  But I don't so far know any other
connector able to do this.  How does it work with SunONE ?


All the variants of mod_jk (httpd, IIS, Netscape) support this, as does
mod_proxy_ajp. It is a feature supported by the AJP protocol. AFAIR The Netscape
variant works with SunOne.


Thanks for that clarification.
Since I work mostly with Apache, my knowledge of IIS-related stuff is 
scarce, and I have another follow-up question :
If the webserver is IIS, connected to Tomcat (as you imply above) via 
the appropriate version of mod_jk, does that mean that when a HTTP 
user's browser (IE) connects to IIS, and IIS authenticates the user (via 
some NTLM scheme), this IE/IIS user-id is automatically being passed to 
Tomcat via AJP, and (depending on the Tomcat configuration) Tomcat can 
make use of it ?
Or does the above require additional setup steps at the IE/IIS/mod_jk 
level ?





Re: Logging startup parms for Tomcat...

2009-10-11 Thread André Warnier

Caldarale, Charles R wrote:

From: Tony Anecito [mailto:adanec...@yahoo.com]
Subject: Logging startup parms for Tomcat...

I need to see the jvm startup params (memory settings, etc.) for Tomcat.
How do I enable that to show up in the logs?



Without getting into over-engineering, how about adding something like
echo "$JAVA_OPTS $CATALINA_OPTS" >> logfile
into the catalina.sh script ?




Re: [OT] mod_jk inserting Transfer-Encoding Chunked header

2009-10-11 Thread André Warnier

Rainer Jung wrote:

On 11.10.2009 14:35, André Warnier wrote:

Mark Thomas wrote:

André Warnier wrote:

Sam Crawford wrote:

Apologies for misinterpreting your post.

Unfortunately we can't ditch SunONE - it's a requirement from our
security guys. We're operating in a two-tier DMZ environment and
SunONE will be in the top tier, with an SSO agent running inside it.
JBoss will be in the 2nd tier.


Just by curiosity (and I do not know SunONE) : you mention SSO. I know
that with Apache and mod_jk, the authenticated Apache user can be passed
on to Tomcat, and used by Tomcat.  But I don't so far know any other
connector able to do this.  How does it work with SunONE ?

All the variants of mod_jk (httpd, IIS, Netscape) support this, as does
mod_proxy_ajp. It is a feature supported by the AJP protocol. AFAIR
The Netscape
variant works with SunOne.


Thanks for that clarification.
Since I work mostly with Apache, my knowledge of IIS-related stuff is
scarce, and I have another follow-up question :
If the webserver is IIS, connected to Tomcat (as you imply above) via
the appropriate version of mod_jk, does that mean that when a HTTP
user's browser (IE) connects to IIS, and IIS authenticates the user (via
some NTLM scheme), this IE/IIS user-id is automatically being passed to
Tomcat via AJP, and (depending on the Tomcat configuration) Tomcat can
make use of it ?
Or does the above require additional setup steps at the IE/IIS/mod_jk
level ?


As far as I know that works out of the box. In order to let tomcat trust
the information, you'd need to set tomcatAuthentication though.

One unfortunate thing: we use the standard request data REMOTE_USER to
forward, and for IIS this is:

The name of the user as it is derived from the authorization header
sent by the client, before the user name is mapped to a Windows account.
If you have an authentication filter installed on your Web server that
maps incoming users to accounts, use LOGON_USER to view the mapped user
name.

AFAIR this means you get a lot of different mixtures of upper and lower
case etc. Not a normalized version of the user id.

When activating debug log level in mod_jk, there is a line

Service protocol=%s method=%s host=%s addr=%s name=%s port=%d auth=%s
user=%s uri=%s

which contains the authentication protocol (auth=) and the user name
(user=) being forwarded.


Thanks, Rainer.
Do you also happen to remember if the user-id so forwarded is just the 
user-id, or (if NTLM) does it include the NTLM domain ? (like 
domain\user).  Or is the answer to that also of the it depends type ?
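
To see which spellings of a user id a front end actually forwards, the "Service protocol=..." debug line quoted above can be parsed and the forwarded names grouped. This is an added example, not code from the thread or from mod_jk; the sample log lines (including the "[debug]" prefix) are constructed, and the canonical form chosen here (lower-cased domain and user) is an assumption of the example.

```python
import re
from collections import defaultdict

# Matches the message part of the mod_jk debug line quoted in the thread.
# Whatever timestamp/pid prefix precedes "Service protocol=" is ignored.
SERVICE_RE = re.compile(
    r"Service protocol=(?P<protocol>\S+) method=(?P<method>\S+) "
    r"host=(?P<host>\S+) addr=(?P<addr>\S+) name=(?P<name>\S+) "
    r"port=(?P<port>\d+) auth=(?P<auth>\S+) user=(?P<user>.*?) "
    r"uri=(?P<uri>\S+)"
)

# Constructed sample lines; the prefix and all values are made up.
SAMPLE_LOG = """\
[debug] Service protocol=HTTP/1.1 method=GET host=10.0.0.21 addr=10.0.0.21 name=intranet.example port=80 auth=NTLM user=CORP\\JSmith uri=/app/
[debug] Service protocol=HTTP/1.1 method=GET host=10.0.0.21 addr=10.0.0.21 name=intranet.example port=80 auth=NTLM user=corp\\jsmith uri=/app/report
[debug] Service protocol=HTTP/1.1 method=POST host=10.0.0.34 addr=10.0.0.34 name=intranet.example port=80 auth=Basic user=jsmith uri=/app/save
[debug] Service protocol=HTTP/1.1 method=GET host=10.0.0.40 addr=10.0.0.40 name=intranet.example port=80 auth=NTLM user=CORP\\adoe uri=/app/
[debug] some other mod_jk debug line
"""


def parse_service_lines(lines):
    """Return one dict per 'Service protocol=' line; other lines are skipped."""
    records = []
    for line in lines:
        m = SERVICE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def canonical_user(raw):
    """Split domain\\user or user@domain and lower-case both parts.

    The domain is kept in the key so that accounts from different domains
    are never merged; a bare name gets an empty domain.
    """
    raw = raw.strip()
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
    elif "@" in raw:
        user, domain = raw.rsplit("@", 1)
    else:
        domain, user = "", raw
    return domain.casefold(), user.casefold()


def spelling_variants(records):
    """Map canonical id -> sorted raw spellings, where more than one was seen."""
    seen = defaultdict(set)
    for rec in records:
        seen[canonical_user(rec["user"])].add(rec["user"])
    return {key: sorted(raws) for key, raws in seen.items() if len(raws) > 1}


if __name__ == "__main__":
    recs = parse_service_lines(SAMPLE_LOG.splitlines())
    for key, raws in spelling_variants(recs).items():
        print(key, "forwarded as", raws)
```

Any webapp that compares the forwarded name as a plain string (role lookups, audit records, per-user data) treats each spelling in such a group as a different user, so the groups show where normalisation is needed before the name is used.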







Re: FOO / HTTP/1.1

2009-10-12 Thread André Warnier

Ronald Klop wrote:

Hi,

If I send this to my Tomcat it responds with HTTP/1.1 200 OK and calls 
my servlet. :-)

telnet localhost 8080
FOO / HTTP/1.1
Host: localhost

What is this supposed to do?


:-)
I don't know what is the context, and how you determine that Tomcat is 
the target, nor how you know that your servlet is being called, but on 
the face of it, it does exactly what it is supposed to do.

From the above, the conclusions that can be drawn are :
- there is a webserver on localhost which answers to port 8080
- it has a valid document to return for the URL /
- and it is not too picky about HTTP verbs, since it seems to consider 
FOO as an acceptable alias for GET
If you want more information, I am afraid that you will have to supply 
more details about your configuration, and maybe explain exactly what 
the question is.
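
One way to find requests like the FOO one in a server's own records, as an added example (not code from the thread): a scan of access log lines in the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b) that reports methods outside an expected set and whether the server answered them with a 2xx status. The sample lines and the expected-method list are constructed for the example.

```python
import re

# Methods this deployment expects to see; an assumption of the example,
# to be adjusted to what the deployed webapps really use.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
COMMON_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log; addresses, times and sizes are made up.
SAMPLE_LOG = """\
127.0.0.1 - - [12/Oct/2009:10:15:02 +0200] "GET / HTTP/1.1" 200 7777
127.0.0.1 - - [12/Oct/2009:10:15:09 +0200] "FOO / HTTP/1.1" 200 7777
192.0.2.15 - - [12/Oct/2009:10:16:40 +0200] "PROPFIND /docs/ HTTP/1.1" 403 961
192.0.2.15 - - [12/Oct/2009:10:16:41 +0200] "-" 400 -
192.0.2.15 - alice [12/Oct/2009:10:17:03 +0200] "POST /app/save HTTP/1.1" 302 -
"""


def classify(line):
    """Return None for an expected request, else a dict describing the finding."""
    line = line.strip()
    m = COMMON_RE.match(line)
    if m is None:
        return {"kind": "unparsed", "line": line}
    status = int(m["status"])
    parts = m["request"].split(" ")
    # A request line that is not "METHOD URI HTTP/x.y" was never valid HTTP.
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {"kind": "malformed-request", "client": m["host"],
                "request": m["request"], "status": status}
    method, uri, _version = parts
    if method in EXPECTED_METHODS:
        return None
    return {"kind": "unexpected-method", "client": m["host"],
            "method": method, "uri": uri, "status": status,
            # served=True means the server processed the unknown verb.
            "served": 200 <= status < 300}


def scan(lines):
    """Classify every non-empty line and return the findings in log order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify(line)
            if finding is not None:
                findings.append(finding)
    return findings


def served_unexpected(findings):
    """Findings where an unexpected method got a 2xx answer (the FOO case)."""
    return [f for f in findings if f.get("served")]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f)
```

Entries with served=True are the ones to review first, in particular against any access rules that are written per HTTP method.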






Re: Questions on Single Sign On?

2009-10-12 Thread André Warnier

Josh Gooding wrote:

To my knowledge the Single Sign on in Tomcat is a way for all of your back
end applications in your VH to recognize that you have logged in to one
place, and all of the apps belonging to that VH will be logged into.


Well, kind of..


What I am trying to do is restrict the login from users to one single
session.  (i.e. if you are logged in once, you cannot log in again unless
your session expires or you log out.)  Is this possible with what is
included with Tomcat or is this going to take some custom code?  Either way
is fine, I'm just trying to use the server to handle as much of the work
load as possible and lessen the actual coding load.

It really depends on what kind of login (or rather, user 
authentication) you have set up.
If you are using Tomcat's integrated (or container-based) authentication 
mechanism, then as far as I know the authenticated user-id is something 
that will be stored in the session data.  As long as the session is 
valid, the user will not be asked to re-authenticate.  As soon as the 
session is invalidated and they try to access a webapp that is submitted 
to AAA, they will be asked to login again.  This is true for all webapps 
that are in the same realm.

It is fairly well explained here :
http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On

The keys here are which kind of AAA you are using, the Realm of your 
webapps, the session and its associated cookie.


Note that this kind of SSO is Tomcat-specific, and valid only for a 
single Tomcat.
What many of my customers understand by SSO is a bit different : it 
means that they wish to login once in the morning when they turn on 
their workstation, and never again during the day.  They then want this 
single login to be valid, automatically, for all servers and 
applications they access during the day, whether they are running under 
Tomcat or not (but also the ones running under Tomcat).

That's a different story.





Re: Questions on Single Sign On?

2009-10-12 Thread André Warnier

Josh Gooding wrote:
...


Andre, you're talking about something like Active Directory for Windows
domains to use with say Communicator, Outlook, etc, across windows
environments with domain authentication?

Yes, although Windows domain authentication is not the only game in town.

I understand what the Tomcat's and

most org's SSO means, but I am trying to translate into something that I can
talk about and not have a huge amount of keystrokes in typing.

And I suggest that you think this through from the beginning, and not 
rush into a Tomcat-only authentication, if your users for instance are 
going to get weary very quickly to have to login (again!) each time they 
want to access this application on this host.
The other snag is if in order to do your type of authentication you need 
to have your own store of user-id's and passwords.  User-id's are 
usually OK (they can be the same as the user's usual login), but to get 
a network admin to give you the users passwords, so that you can store 
them in your own Tomcat-only store, is going to be more tricky.

(Users do not, as a rule, like to have to remember several passwords).

There are basically two types of authentication usable in Tomcat : the 
container-based authentication of which mainly question so far, and the 
servlet filter based authentication mechanisms.
These consist of wrapping all your to-be-protected webapps in a servlet 
filter, which authenticates each request before it even gets to your 
webapp.  Servlet filters are defined at the Servlet Spec level, so are 
portable.  To the webapp, it is transparent.  It just finds an 
authenticated user whenever it runs.  The filter itself determines what 
kind of authentication happens, using which back-end etc..

Here are two examples :
http://securityfilter.sourceforge.net/
http://www.ioplex.com
Reading their docs should give you some material to think about.

There exists a 3rd way : if you have a webserver in front of Tomcat (IIS 
or Apache), they can do the user authentication, and via mod_jk (*) pass 
an authenticated user-id to Tomcat (roles is another story).


(* : plus, for Apache only, mod_proxy_ajp)

In any case, I don't really think that you will need to create new code. 
There are enough ready-to-use solutions floating around that this 
should be unnecessary. And, as some people already indirectly pointed 
out, coding AAA and doing it right can be very tricky.





Re: file download issue

2009-10-19 Thread André Warnier

Tarun Chowdhry wrote:

Hi,
Getting the following exception when trying to call the FileUpload code:
I'm not quite sure, but aren't you mixing up upload and download here, 
kind of ?

upload = workstation --> server
download = server --> workstation




Re: file download issue

2009-10-19 Thread André Warnier

Tarun Chowdhry wrote:

Sorry I meant for download. The code and the configuration is for the download 
only.

Ok then the next thing is that this does not look like being a Tomcat 
issue per se, and more like a Struts issue.  Should you not post this 
rather to the Struts users list ?





Re: Tomcat 5.5 logging-config elegant? Not so much, I think.

2009-10-19 Thread André Warnier

larrydlefever wrote:
...
a lot of things which I generally support.

It's been a while since I've ranted here about Tomcat logging 
methodology, but I feel this may be the right moment to recant (on my 
non-ranting I mean) and support your posting.

(And sorry to hijack a bit, I'll start a new thread if you wish so).

In my humble opinion, the way Tomcat currently (since v 5.5 or so) 
implements logging, may be perfectly sane, logical, flexible, 
easy-to-understand and perfect for a confirmed java webapp developer, 
but it is everything but for people who just want to install and manage 
Tomcat servers (and apps on them which they themselves did not write) 
without needing to dig deep into Java and log4j meanders.


As a sysadmin, I feel that it is a bit nightmarish to have miscellaneous 
application developers (of miscellaneous applications needing to be 
installed and run on my Tomcat servers) deciding all by themselves where 
their individual apps will do their logging, without giving me 
(apparently) any way to restore some order into that chaos.


From a system setup and management point of view, I feel a deep 
nostalgia for Tomcat 4.x's Logger elements, which allowed one to catch 
and redirect all this stuff to the file one wanted, at the level one wanted.
Now the mechanism behind the Logger may have been technically 
unsatisfactory deep down, but it sure was easier to set up than the 
current ones.
Why is this stuff so easy for instance with Apache httpd, and apparently 
so hard with Tomcat ?


What I would like for instance, is to decide that this here Tomcat logs 
all startup and errors and warnings and everything to this one single 
logfile (/var/log/tomcat6/errors.log e.g.), and be done with it, no 
matter what these funny guys defined and packed as classes and 
properties files in their webapp war's.  That's because I am responsible 
for the server's health, and I am the one that has to get up at 3:00 AM 
when it doesn't work and find the problem, and I do not want to go scout 
throughout the system for logfiles.

So how do I do that ?






Re: Multiple Instance of Tomcat 5 on Centos 5

2009-10-20 Thread André Warnier

homerlex wrote:

I have Centos 5 on which I yum installed Tomcat5.

Does anyone have tips for setting up multiple instances of TC in this
configuration?  I have seen some how-tos with other flavors of Linux.  Is
it going to be a matter of copying some files around and customizing the
/etc/init.d/tomcat5 script?

Basically yes, plus changing the ports used by each instance in its own 
private conf/server.xml file.  But that is easier said than done if you 
are using a pre-packaged version which sets up symlinks all over the place..


The first question that should probably be asked is whether you really 
need several Tomcat instances, as opposed to one instance with several 
Host's.  That is a lot easier to achieve, and it may be enough for 
what you have in mind.  Each such Host has a distinct DNS name, and a 
distinct ../webapps directory, so you can segregate things quite 
flexibly without going through the hassle of changing startup scripts 
and links.






Re: Questions on Single Sign On?

2009-10-20 Thread André Warnier

Josh Gooding wrote:

Andre,

I am using a realm for this.  I decided that the best route to go on this is
if a user is actively logged in and tries to log in again (while already
authenticated) to invalidate the 'other' session and continue on, that way
if the browser dies, they can still get in.  I have however not clue one on
how to do this.  What is put in the session upon authentication that I could
have my code look for to invalidate the other live session?


Josh,

I think that I fail to see what you are trying to achieve.

Assuming you are using container managed security as described here :
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Quick%20Start

then what normally happens is this :
- a user, with his browser, accesses a URL on your server
- Tomcat maps this requested URL to a webapp
- in doing so, Tomcat sees that this webapp is submitted to 
authentication/authorization
- Tomcat then wonders whether this user is already authenticated. For 
that, it checks if this request is associated with a session (which can 
be indicated by a JSESSIONID cookie, or a request attribute coming with 
the request).

(*)
  - If yes, then Tomcat will retrieve the user-id associated with this 
session, and then check if this user-id has the appropriate role for 
accessing this webapp.  If not, the request is rejected, else it proceeds.
  - (**) If no, then Tomcat will trigger a user authentication. 
Depending on how this is set up, it will either send back a html login 
page to the browser, or a 401 status code to trigger the browser's 
builtin login dialog.
- The browser will then send back the user's credentials.  Tomcat will 
check them (using the configured method for that), and if they are ok, 
will set the user-id, and record it in the session data. Then we go back 
to (*) above.  If the credentials are not OK, then it probably loops at 
the (**) stage.


Now, how would a user in this case try to login a second time, when they 
are already authenticated ?
And, does it matter ? (are you trying to limit the number of times the 
same physical user is allowed to run the /application/ simultaneously ?)



Ok, let's say that the user leaves his first session open on workstation 
A, and starts another browser session on station B (or, his browser 
crashes and he restarts the browser, thus losing the previous session-id 
information).  He thus accesses the original URL again, and Tomcat 
attributes a new session to this other browser.


(Or else, you are doing something like pre-emptive authentication : 
you start each session by a login page, explicitly.  But then, you are 
no longer really in the logic of Tomcat's container managed security.)


Tomcat itself will not provide a way to avoid that (the two or more 
individual sessions at the Tomcat level), because for Tomcat, these 
are really two independent sessions, and the second one has no relation 
to the first, and that second session does not indeed contain any 
Tomcat-level link to the first session.


If you want to provide such a link, then the only way I see would be at 
the application level, for example with a servlet filter wrapping your 
webapps, which would store somewhere the fact that this /user-id/ is 
already in use (and its associated Tomcat session-id).  Then it would be 
the responsibility of this servlet filter also, to destroy the 
previous Tomcat session linked to that same user-id, when this same 
user-id shows up with a different session-id.
But I cannot tell you if this is possible using the standard Tomcat API. 
 You would have to be able to pass another Tomcat jsessionid (than your 
own) to the session.invalidate() method, and I'm not sure that this is 
possible.
(I think that it would open the door to all kinds of misbehaviours if it 
was.)


To summarise, from what I think I understand of what you want, it does not 
marry very well with Tomcat's container managed security, and you 
should think more about a servlet filter based security mechanism, where 
you can do pretty much as you please.




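An added example, not part of the original thread: a sketch of the application-level servlet filter discussed above, which keeps a reference to each user's HttpSession object (rather than looking a session up by its id) and invalidates the older one when the same user-id shows up with a new session. The class name SingleSessionFilter is hypothetical; the code assumes the javax.servlet API (Servlet 2.5, as in Tomcat 6), container-managed authentication so that getRemoteUser() is populated, and a single non-clustered Tomcat instance.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical class name; register it in web.xml as both a <filter> and a <listener>.
public class SingleSessionFilter implements Filter, HttpSessionListener {
    // user-id -> that user's current session. Static because the container creates
    // separate instances of this class for the filter role and the listener role.
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<String, HttpSession>();

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getRemoteUser();           // null until the container has authenticated
        HttpSession current = http.getSession(false); // never create a session here
        if (user != null && current != null) {
            HttpSession previous = ACTIVE.put(user, current);
            if (previous != null && !previous.getId().equals(current.getId())) {
                try {
                    previous.invalidate();             // newest login wins
                } catch (IllegalStateException alreadyGone) {
                    // the older session had already expired or been invalidated
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        // Drop our reference on logout or timeout so the map does not pin dead sessions.
        String goneId = event.getSession().getId();
        for (Map.Entry<String, HttpSession> e : ACTIVE.entrySet()) {
            if (e.getValue().getId().equals(goneId)) {
                ACTIVE.remove(e.getKey(), e.getValue());
            }
        }
    }

    public void sessionCreated(HttpSessionEvent event) { }
    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

In a cluster the older session may live on another node, where this in-memory map cannot reach it; the user-to-session mapping would then need a shared store.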


