Re: REST call failure on newer tomcat version/update
Sean Dawson wrote:

Am working on testing the 8 versions between the one that works and the one that doesn't. We use tomcat to host our gwt/restygwt app - gwt rpc calls work (as far as we've tested) - restygwt REST calls to another process (jetty server - RestEasy) work up to the point of that PUT request (which isn't a lot of them, but it's getting to the server and some succeed). There's almost no info to go on when the gwt app doesn't proceed - fiddler says the call succeeded with a 200 - but no data returned - and so the gwt app that should proceed on onSuccess or onFailure, does not. So with the restygwt async calls, we're not receiving anything back - despite fiddler claiming that the call completed with 200 status (this can all be on the same machine - but once you put the two processes or different ones using different client browsers - sometimes get the other messages indicated). So the problem might lie with RestyGwt - but that's not what changes between the working and non-working scenario. Thanks for info from the spec.

Sean, a word of advice : for someone not on your system, and not immersed in your application and your setup, your explanation of the configuration you are using, what is where, and what happens where when, is less than clear. That makes it more difficult to really help you.

In addition, whilst I have not consulted right now the corresponding applicable RFCs, and have just browsed the starting page of GWT right now for the first time, it seems to me that you are making some assumptions that may not be valid, and may lead you to surmise the wrong thing or look in the wrong place.

I believe that everyone understands that you are trying to figure out why your whole thing seems to work with some versions of Tomcat and not others.

As a couple of people have already mentioned, it does not seem guaranteed that a PUT request to a webserver, no matter in what context, would always return a response *body*.
You say : "fiddler says the call succeeded with a 200". That is not exactly true : Fiddler (apparently) shows you that a response was received from the webserver; that this response consists only of a HTTP status line; and that this status line includes a status code 200, which from a HTTP protocol perspective should mean OK. Fiddler does not tell you anything else. It does not know what happened after the PUT request was received by Tomcat, nor if the webapp really succeeded in doing what it was supposed to do. It just shows you the content of the received status line.

A HTTP response consists of, in that order,
- a HTTP status line (always)
- possibly, immediately following the status line, some additional HTTP response header lines
- possibly, a blank line followed by a response body (what you call data)
(So basically, a HTTP response /could/ consist of a single status line, and be perfectly valid from a pure HTTP perspective - and thus from a Tomcat HTTP server perspective).

We are further guessing that the Fiddler which you are mentioning sits between the browser and Tomcat - it is not extremely clear, because you are also at other times talking about Jetty, then about a Proxy webapp, then about RESTy calls which sometimes succeed and sometimes not etc..

And - at least as far as I am concerned - we are supposing that the GWT application of which you are talking runs inside of a browser page, and makes some kind of HTTP calls to Tomcat. We will also suppose that the webapp which you occasionally mention, runs on that same Tomcat server, and that it is the one supposed to answer these HTTP calls from the GWT application which lives in the browser.

Well, guess what ? unless I am deeply mistaken - which is always a serious possibility - I do not believe that Tomcat per se contains any code which actually handles a PUT request and responds to it.
So in all likelihood, it is that webapp which you barely mention which controls what the PUT actually does on the server, and which also controls the response that is being sent back to the browser (or not, as the case may be).

From other bits of your explanation, I also surmise that the GWT code in the browser, after receiving the HTTP 200 status line response, expects additional HTTP headers and/or a HTTP response body with data in it, that it is not receiving such a response body, and that in consequence it blocks, waiting for it. (Which may or may not be its expected behaviour, we also don't know that.)

Very little of all the above actually happens in Tomcat code, which in this case merely passes things back and forth between the browser and the web application. And this Tomcat code has no idea what your GWT code on the one hand, and the webapp code on the other, expect from each other beyond the HTTP spec. So, as long as what goes through appears relatively HTTP-standard, and as long as the webapp does not really misbehave (aka, crash), Tomcat has no particular reason to log anything.
Re: configuring Tomcat service to use more heap (Windows 7)
Christoph P.U. Kukulies wrote:

On 18.12.2014 at 15:08, Christopher Schultz wrote:

Christoph, On 12/18/14 5:52 AM, Christoph P.U. Kukulies wrote: I would like to increase the jvm heap size to, say, 1GB, in Tomcat 6.x Windows 7 service. Using the configuration program I see fields to set initial and max and max memory pool, but I don't see these parameters in the service startup command. Shouldn't there be something like -Xmx1024m in the parameters?

Where are you looking? The Tomcat service runner will add those

Wasn't aware of this. I was expecting them to show up in the service start line. And where do I configure these? Under Linux I'm seeing a lot of parameters being passed to the java start command for tomcat.

parameters to the JVM launch command. Are you saying that you've specified those parameters but they don't seem to be affecting the JVM that starts, or are you just looking at the parameters tab and expecting them to show up? They won't show up because they are configured elsewhere.

May I suggest that you read this FAQ article : http://wiki.apache.org/tomcat/FAQ/Windows#Q11 It should clear up much of the apparent obscurity linked to running Tomcat on Windows.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat on windows 2012 weirdness
Cris Berneburg - US wrote:

Hi Folks I'm having trouble with my JSP web app using Tomcat 6 and 7 on Windows Server 2012. The issue is that no matter what file I request in the browser URL, it always returns the app welcome file, that is, the login page. Even when requesting an image. The one exception is that after logging in, the main menu page appears, but none of the graphics or CSS files load. Clicking on the app links, it just brings up the welcome page again. Checking the Tomcat log files, I see that Tomcat is returning the welcome page instead of the files requested in the main menu page. Using the Tomcat manager, I see that my application has a ridiculous number of sessions, instead of just one. I interpret that for every single file requested, a new Tomcat session is being generated and possibly invalidated.. FYI, using the same setup on Windows Server 2003 and 2008 works fine. Opening the same firewall ports on all three OS's has been done. Even disabling the firewall on 2012 does not affect the issue in any way. And to make things even weirder, accessing the application from a browser on the server itself using localhost works fine! I wonder if there is some mystery setting somewhere that is crippling the app. Got any suggestions? Please help. Thanks!

Without really getting to the bottom of it, the way you describe it sounds like an authentication problem, where a bunch of near simultaneous requests to the server (for embedded images, css, etc.) all hit some not yet authenticated condition, and all together (or rather each separately) return a 401 or similar (or a login page instead of a requested image e.g.). Maybe there is something new in that respect with Windows Server 2012, which your application's authentication framework does not handle well ? (or the structure of your application). (e.g. the login page itself contains references to images and css which themselves are in a protected area and so on).
Re: question
Hi Gerardo. The information which you are pointing to below, is relative to Tomcat 4.1, which has been archived probably more than 10 years ago and is no longer being developed or supported. Please don't do that. The current version of Tomcat is 8.0, and its documentation can be found here : http://tomcat.apache.org/tomcat-8.0-doc/index.html

Gerardo Juarez wrote:

On 11/24/2014 03:29 PM, Fabio Ricci wrote:

Hi Joe Yes. You do not need to run apache for html and php (although it seems to me more practical). For PHP you might want to have a look at http://php-java-bridge.sourceforge.net/pjb/

Kind regards
Fabio Ricci

From: Balderrama, Jose A CTR (US) jose.a.balderrama4@mail.mil
Reply: Tomcat Users List users@tomcat.apache.org
Date: 24 November 2014 at 22:17:49
To: users@tomcat.apache.org users@tomcat.apache.org
Subject: question

Can tomcat run php apps and static html pages well? Or should I run apache as well? Thanks, Joe

Check the information on Coyote. This is a connector that allows Tomcat to serve HTTP requests in addition to servlets and jsps: http://tomcat.apache.org/tomcat-4.1-doc/config/coyote.html

Gerardo Juárez M.
Re: tomcat7 shutdown himself without trace
Métairie wrote:

Hi all We have a tomcat7 standalone in Redhat6. Sometimes the Tomcat7 suddenly stops replying to all requests, but all server parameters are ok (cpu, memory, disk, ... all are ok). There is no error inside the logs. No exception, nothing. The http-threads do not reply anymore, because the pool has fallen to a minimum of 5 or 6 threads. I guess all http-threads are killed without any reason.

Can you paste the server.xml file here ? (Remove all comments, domain names and other confidential information if any)

To save time for everyone in the long run, can you also provide :
- the exact version of Tomcat used (7.y.z)
- the JVM version used
(You should be able to see all that by going to the Tomcat bin directory and executing version.sh)

There may be a reason for the Tomcat threads disappearing : if the minimum you set in the configuration is the above 5-6, and if the threads have nothing to do (Tomcat does not receive any requests anymore, due to some network issue e.g.) then the threads would naturally die, and Tomcat would not necessarily start new ones to replace them, since there is no need to.

Also maybe helpful : when the case occurs (Tomcat not responding), run the command :
netstat -pan --tcp
and check if anything unusual appears there (like hundreds of connections to the Tomcat HTTP port, in some unexpected state).
Re: Redirecting to default webapp when domain name is entered
Kernel freak wrote:

Hello friends, I already have a project ready for deployment. It is in the form of war file. Currently I have renamed the war file to ROOT.war and pasted it inside webapps. I am able to access the webapp by giving domainname.com:8080. Instead of that I would just like to use domainname.com and it should go to the webapp. Thank you very much.
System : Debian Wheezy(64 bit)
Apache tomcat : 7.0

8080 is the port on which Tomcat is listening for requests. That depends on your own configuration of Tomcat. In the server.xml file, look for the HTTP Connector tag, and the 'port=8080' indicated there. If there is nothing else on that system that is already using port 80 (another webserver like Apache httpd for example), then change this Tomcat port to be 80, save the server.xml file, restart Tomcat and that's it (basically). If Tomcat does not start, look in its logfiles why, and if you do not understand it, copy the relevant part of the log in a new email to the list.

If there is already something else on the system listening to port 80, then it is quite a bit more complicated..
Re: Running Manager App with Security Manager turned on - Tomcat 8.0.15
Luka Pavlič wrote: Hi, I am running tomcat 8.0.15, win64 ZIP, on Windows 2008R2, Oracle JRE 8.0.20. Running with catalina start, /manager app works perfectly. Running catalina start -security will result in not deployed manager app. I would *definitely need* both: running Tomcat with Security Manager turned on, and manager application. (I would like to enable non-trusted people to deploy their applications to my server via manager app) Any idea what to do? Thank you in advance! Error log: 20-Nov-2014 11:28:46.242 SEVERE [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory The web application with context path [/manager] was not deployed because it contained a deployment descriptor [C:\Deployments\SOA\apache-tomcat-8.0.15\webapps\manager\META-INF\context.xml] which may include configuration necessary for the secure deployment of the application but processing of deployment descriptors is prevented by the deployXML setting of this host. An appropriate descriptor should be created at [C:\Deployments\SOA\apache-tomcat-8.0.15\conf\Catalina\localhost\manager.xml] to deploy this application. Good idea to copy the error log. It seems that it does provide some clues as to what is happening, which can be examined in the online documentation, here : http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Standard_Implementation See deployXML. I'm not sure that I fully understand myself what it says there, but maybe you do. I think that the appropriate way to understand that very dense (but probably very precise and accurate) paragraph may be to draw a little logical flowchart of it. In any case, the last phrase seems to say that : - if you start without -security, then the default is true - and if you start with -security, then the default is false Which then matches the thing that the last line of the log above is telling you. It's really nice, when the documentation and the logs match perfectly. 
And even more when the logs tell you exactly what to do to correct the problem.
Re: How to run CGI script using Apache tomcat server?
Sumankumar Panchal wrote:

Hello All, I would like to run CGI script using Apache tomcat server on Linux. I have added following lines in apache/conf/web.xml file, and created directory cgi inside WEB-INF with all necessary file/dir permission. Still I am unable to run CGI script.

When you say this, what do you mean ? In terms of being a helpful problem description, "I am unable to run CGI script" ranks close to "it does not work".. What happens when you try to send a request to Tomcat which should run the cgi script ? Can you show the URL used ? What kind of response do you get in the browser ? Do you see the source code of the cgi script ? do you get some error, and if yes which one ? Did you look at the Tomcat logfiles to see if there are any interesting messages showing why it does not do what you expect ? If you do not understand the log messages, copy/paste them here, for someone to have a look.

Since you apparently did not define an executable to run your cgi-bin script, Tomcat assumes that it is perl. Is perl installed on your system ? Is your cgi-bin script a perl script ?

Also, by the way, please indicate what version of Tomcat you are running, under which JVM version, and on which platform OS (*). It all saves time in the end, specially for you : the better the information you provide, the sooner you will get a helpful response.

Note: a bonus point for having copied your configuration below, but you did not mention where you got these instructions from, or which web.xml file you are talking about. (There is a general/default web.xml in (tomcat-dir)/conf, and another one under each of your webapps WEB-INF sub-directory.)

(*) Ooops, sorry, you did say that. But if it is Linux, then an additional question : did you install Tomcat from the official version on the tomcat website, or did you install a pre-packaged version from the Linux distribution ?

can someone suggest me how to configure CGI environment in Apache Tomcat Server?
web.xml
---
<servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>cgiPathPrefix</param-name>
        <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>

Regards, Suman
Re: High thread count load on Tomcat8 when accessing AJP port with no request
Lisa Woodring wrote:

... In order to monitor the availability of the HTTPS/AJP port (Apache--Tomcat), our monitoring software opens a port to verify that this works -- but then does not follow that up with an actual request. This happens every 2 minutes. ...

This sounds like the perfect recipe for simulating a DOS attack. Your monitoring system is forcing Tomcat to allocate a thread to process the request which should subsequently arrive on that connection, yet that request never comes; so basically this thread is wasted, until the ConnectionTimeout triggers (after 20 seconds, according to your HTTP connector settings).

... The thread count grows over time (goes up to 130-150 threads after 2 hours). Setting 'connectionTimeout' (as opposed to the default of never timing out) does seem to help some

Have you tried setting it shorter ? 20000 = 20000 ms = 20 seconds. That is still quite long if you think about a legitimate browser/application making a connection, and then sending a request on that connection. Why would it wait so long ? A browser would never do that : it would open a connection to the server when it needs to send a request, and then send the request immediately, as soon as the connection is established. In other words : anything which opens a HTTP connection to your server, and then waits more than 1 or 2 seconds before sending a request on that connection, is certainly not a browser. And it probably is either a program designed to test or attack your server, or else a badly-designed monitoring system.. ;-)

-- the # of threads isn't quite as bad (only 60-80 threads after 2 hours). However, the CPU Idle % is still not good -- was only 10% idle with default tomcat settings, is something like 40% idle with current settings. Also tried setting Apache's 'KeepAliveTimeout = 5' (currently set to 15) but this did not make any difference.

Note : this value is in milliseconds. setting it to 5 or 15 is almost equivalent to disabling keep-alive altogether.
3000 may be a reasonable value. KeepAlive only happens after at least one request has been received and processed, waiting for another (possible) request on the same connection. If there is never any request sent on that connection, then it would not apply here, and only the connectionTimeout would apply. Note that my comments above are relative to your HTTP Connector. For the AJP Connector, other circumstances apply. If you are using AJP, it implies that there is a front-end server, using a module such as mod_jk or mod_proxy_ajp to connect to Tomcat's AJP Connector. In that case, you should probably leave Tomcat's connectionTimeout to its default value, and let the front-end server handle such things as the connection timeout and the keep-alive timeout. The connector module on the front-end server will manage these connections to Tomcat, and it may pre-allocate some connections, to constitute a pool of available connections for when it actually does need to send a request to Tomcat over one such connection. Timing out these connections at the Tomcat level may thus be contra-productive, forcing the front-end to re-create them constantly. Is there some configuration we can set to make Tomcat tolerant of this monitoring? (We have tried setting connectionTimeout keepAliveTimeout on the Connector. And we have tried putting the Connector behind an Executor with maxIdleTime.) OR, should we modify our monitoring somehow? And if so, suggestions? I would think so. Have your monitoring send an actual request to Tomcat (and read the response); even a request that results in an error would probably be better than no request at all. But better would be to request something real but small, which at the Tomcat level would be efficient to respond to (e.g. not a 5 MB image file). Create a little webapp which just responds I'm fine (*), and check that response in your monitor. 
It will tell you not only that Tomcat has opened the port, but also that Tomcat webapps are actually working (and how quickly it answers). And do not try to monitor the AJP port directly. Monitor a request to the front-end, which should arrive to Tomcat via the AJP port. The AJP connector module on the front-end will respond with its own error, if it cannot talk to Tomcat. (*) actually, there may even exist some built-in mechanism in Tomcat, designed precisely for such kind of usage (or at least usable for it). Any of the experts on the list ? does the standard vanilla Tomcat offer some URL which can be called, and triggers some small efficient response readable by a monitoring program ? ... * Running on Linux CentOS release 5.9 * running Apache in front of Tomcat for authentication, using mod_jk * Tomcat 8.0.14 relevant sections of tomcat/conf/server.xml: Executor name=tomcatThreadPool namePrefix=catalina-exec-
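The monitoring advice in this message (send a real request and check the reply, rather than only opening the port), sketched in Python as an added example that is not part of the original thread. The `/ping/` path, the `I'm fine` body and the local demo server are assumptions standing in for the small webapp the message suggests; in the set-up discussed here the probe would point at the front-end, not at the AJP port.

```python
"""Availability probe that sends a real request instead of only opening the port."""
import http.client
import threading
import time
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional


@dataclass
class ProbeResult:
    healthy: bool
    status: Optional[int]   # None when no HTTP response was received at all
    elapsed_ms: float
    detail: str


def _ms(start):
    return (time.monotonic() - start) * 1000.0


def probe(host, port, path="/ping/", expected="I'm fine", timeout=2.0):
    """Connect, send a GET at once, read the whole reply, close the socket."""
    start = time.monotonic()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # The request follows the connect immediately, so no server thread
        # sits idle waiting for it. "Connection: close" asks the server not
        # to hold the connection open for a follow-up request either.
        conn.request("GET", path, headers={"Connection": "close"})
        resp = conn.getresponse()
        status = resp.status
        body = resp.read(4096).decode("utf-8", "replace").strip()
    except (OSError, http.client.HTTPException) as exc:
        # Refused, timed out, reset, or a reply that is not valid HTTP.
        return ProbeResult(False, None, _ms(start), "no usable response: %r" % exc)
    finally:
        conn.close()
    if status != 200:
        return ProbeResult(False, status, _ms(start), "unexpected status")
    if body != expected:
        return ProbeResult(False, status, _ms(start), "unexpected body")
    return ProbeResult(True, status, _ms(start), "ok")


class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for the tiny health webapp (assumption)."""

    def do_GET(self):
        ok = self.path == "/ping/"
        body = b"I'm fine" if ok else b"broken"
        self.send_response(200 if ok else 500)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server():
    """Start the stand-in server on a free local port and return it."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_demo_server()
    port = srv.server_address[1]
    print(probe("127.0.0.1", port))                 # healthy
    print(probe("127.0.0.1", port, path="/other"))  # port open, webapp failing
    srv.shutdown()
    srv.server_close()
    print(probe("127.0.0.1", port, timeout=0.5))    # nothing listening
```

A listener that accepts the connection but never answers is reported as unhealthy after the timeout, which is the case a connect-only check cannot see.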
Re: jespa (jcifs) does not works in Tomcat but works in single app
Ignacio Ocampo wrote:

Hi all, I've a simple *app (A)* that uses *JESPA* (and *JCIFS*), it works perfectly when I run this isolated. This app, has a *functionA* that call a URL with NTLM authentication and I use JESPA to authenticate. I have another *app (B)* that uses *app (A)* as library with *TOMCAT*, but, when I call the *functionA* it doesn't work.

That is not very helpful as a problem description. What does not work ? How do you know that it does not work ? What appears in the logfiles ? What does your webapp try to do with Jespa ?

In both cases, I'm sure of:
1. I register java protocol handler with: *System.setProperty("java.protocol.handler.pkgs", "jespa")* at the start of the program (I tried with *JAVA_OPTS* too).
2. I've *jespa-1.1.20.jar* and *jcifs-1.3.18.jar* in /opt/tomcat/lib/ and /opt/tomcat/webapps/ROOT/WEB-INF/lib

If your purpose is only to authenticate the user of your webapp, you do not need a copy in /opt/tomcat/lib/. That is probably a bad idea anyway. Did you follow the steps in the Jespa manual, page 9, Step 2: Test the Computer account with the Example Webapp ?

Using CLASSPATH: /root/apache-tomcat-7.0.57/bin/bootstrap.jar:/root/apache-tomcat-7.0.57/bin/tomcat-juli.jar:/root/apache-tomcat-7.0.57/lib/ *jespa.jar*:/root/apache-tomcat-7.0.57/lib/*jcifs.jar*

Jespa is a commercial product, not a part of Tomcat (*). Should you not be contacting the support at www.ioplex.com / supp...@ioplex.com for this ?

(*) This being said, it works fine with Tomcat for me, at multiple sites and since years.
Re: Tomcat performance goes down after install apr.
杨华杰 wrote:

Tomcat performance goes down after install apr. I followed this doc http://tomcat.apache.org/native-doc/, I think the difference is I didn't set sslengine setting as I don't use it. And I saw the error in catalina.out, I simply ignore it as I don't use it. I fired 300 concurrent calls from another server and I found tomcat just dead. Performance is much worse. Anything I did wrong?

Hi. For a question like this (and basically any other question), you should really communicate
- the platform (OS) under which you are running this
- the Java JVM version used (x.y.z)
- the Tomcat version used (x.y.z)
- the APR version used (x.y.z)
otherwise, how do you want anyone to comment ?
Re: Problem when rebooting....
Bjørn T Johansen wrote:

On Mon, 10 Nov 2014 00:35:46 +0300 Konstantin Kolinko knst.koli...@gmail.com wrote:

Rules: http://tomcat.apache.org/lists.html#tomcat-users - 6. Do not top-post.

Ok, did a thread dump that resulted in the following dump..:

Full thread dump Java HotSpot(TM) 64-Bit Server VM (25.25-b02 mixed mode):
localhost-startStop-1 #15 daemon prio=5 os_prio=0 tid=0x7fdc84002000 nid=0x702 runnable [0x7fdc8ebe7000]
java.lang.Thread.State: RUNNABLE
at java.io.UnixFileSystem.checkAccess(Native Method)
at java.io.File.canRead(File.java:768)
at org.apache.catalina.startup.ContextConfig.processAnnotationsFile(ContextConfig.java:1975)
at org.apache.catalina.startup.ContextConfig.processAnnotationsFile(ContextConfig.java:1971)

As it is visible from the method name, the start thread is busy scanning classes for annotations. This behaviour is explained here: https://wiki.apache.org/tomcat/HowTo/FasterStartUp#General

But it never finishes? And also I do not have this problem when stopping and starting the Tomcat server without booting, why is that? Shouldn't the result be the same?

http://en.wikipedia.org/wiki/Entropy_%28computing%29 Maybe your problem is there ? (When the system boots, it has little entropy available, and it may already be consumed by other processes starting around the same time).
Re: Weird (apocryphal) reference to Tomcat in Wikipedia
Christopher Schultz wrote:

All, I was reading the Wikipedia entry on .properties format yesterday (http://en.wikipedia.org/wiki/.properties) and I saw a mention of Apache Tomcat that doesn't make any kind of sense to me: In Apache Tomcat the exclamation mark denotes a Negation operator when used as the first non blank character in a line[citation needed]. I'm the one that added the [citation needed] with a note that I think this is false. Does anyone know if there was some kind of ancient version of Tomcat that read its own .properties files and added some kind of magic to do what the above says? I think it's a complete fabrication with no basis in reality. Any ideas?

Maybe a very indirect reference to : http://tomcat.apache.org/connectors-doc/reference/uriworkermap.html (see : Exclusions and rule disabling) but, like you, I think that this reference is quite irrelevant in that Wikipedia article.
Re: Authentication Memcached + Tomcat
Nilson Uehara wrote: I'm testing Memcached to implement failover on my Tomcat servers. Is there any way of implementing security by user / password? Probably.
Re: Anyway to enable just all TLS protocols in APR connector?
Bob Hall wrote: On Friday, October 17, 2014 1:05 PM, Jeffrey Janner jeffrey.jan...@polydyne.com wrote: With baited breath, but not holding it. Should be bated breath. But perhaps, dear Bob, Jeffrey meant exactly what he wrote. Having posted to the list and expecting a response, he rested with a glass of milk, waiting for the Tomcat to pounce.
Re: Tomcat windows authentication domain login issue
Tantaryu,

The problem currently is that your messages appear to the list readers, as pretty unreadable blobs of text. Not many of the busy people here will feel motivated enough to decrypt/reformat them, before they understand even the basics of your questions. Since you are the one who needs help, making it easier for someone to provide it is the way to go.

If such an option is available in your email client, please select send messages as plain text. If it is not available, install Thunderbird or similar and try again. If everything else fails, inserting a blank line between each of the real lines of text /may/ help.

Next, do not send your configuration snippets as attachments. Paste them directly in the email to the list (also as plain text of course).

Next, do not top-post. Respond below the message portion to which you are responding. It helps keeping a natural flow to the conversation.

Thanks
Re: a problem: tomcat exits unexpectedly
bo zhao wrote:

Warnier, Thank you for your reply. AbstractScheduleTaskProcess class use the ExecutorService to create thread and runs some custom tasks. These tasks will be done in a few seconds. Sample code is following:

for (final List<T> list : lists) {
    executor.submit(new Callable<Object>() {
        @Override
        public Object call() throws Exception {
            try {
                executeTasks(list);
                ..

But I don't think that this class causes the serious problem. the max size of lists is 4 -- that is a parameter of application. In our server, we have 12 tomcat instances that run the different application, but the default value of os parameter(open files and max processes) is 1024, at first, I modified these value to 65535. but some of these instance had still exited unexpectedly, I have found the same things in these log: pause, reinit, stop. So I think that the os resource limit maybe cause all of these, especially the parameter of the open files. I don't know well the tomcat, so I maybe have not found the key cause and I expect your reply.

In such circumstances, you can (probably) consider Tomcat as just a process like any other. It looks like something in that process is holding on to a lot of open files/sockets. The Linux utility lsof provides (among a zillion other things) a good way to list all the files/sockets linked to one process. Try it for one of your Tomcat instances, and probably the names of these files/sockets will give you a hint.

Thank you very much.

On Sun, Sep 28, 2014 at 6:37 PM, André Warnier a...@ice-sa.com wrote:

bo zhao wrote: I had modified the os ulimit parameter: open files and max processes, after that, Tomcat doesn't exit unexpectedly, and the log of Tomcat have not the ... pause, ... init. It seems work normally. But I still don't know the reason. I want to know if the two parameter is the key to solve problem and how the two parameter of os limit cause the exit of tomcat?

I believe that you are understanding this wrongly.
These paraneters are not the /cause/ of the problem, they are a /symptom/. The default value fo these parameters is set so that they are ok for any normal process/system, and rarely need to be adjusted. By increasing their value, you are moving the problem further down the line, but are not solving the real (possible) problem. Ognjen is asking a question below. Why do you not start by answering it ? On Fri, Sep 19, 2014 at 5:17 PM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote: Zhao, On 19.9.2014 3:42, bo zhao wrote: but I can't find any error message in the log? what causes the tomcat to pause and stop? One of the suspects for restarts and shutdown seems to be the class com.jd.clover.center.service.AbstractScheduleTaskProcess, as there is a log message regarding it, at the first line of each log excerpt you sent. What is AbstractScheduleTaskProcess class for? -Ognjen - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Open quote is expected for attribute {1} associated with an element type username
Konstantin Kolinko wrote:

2014-10-02 22:16 GMT+04:00 Gibran Castillo gibran.e.casti...@gmail.com:

I installed Tomcat 8.0.12 in my MacBook OS X 10.9.5 here /Library/Tomcat/Home. Home is a symbolic link that will always point to the current version Tomcat directory, in this case /Library/Tomcat/apache-tomcat-8.0.12

In the /Library/Tomcat/Home/conf/tomcat-users.xml file I added the following:

    <role rolename="manager-gui"/>
    <user username=“admin” password="password” roles="manager-gui”/>

When I start tomcat with the out of the box setup everything looks good except that is throwing an exception regarding user username=“admin”

(...)

The quote character before a in admin is not the straight quote character expected in XML files, but left quote character ( ` `) as inserted by text processors...

+1 Also the one at the end of admin and the one at the end of manager-gui look suspicious.

    02-Oct-2014 12:19:44.726 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 37 column 18: Open quote is expected for attribute {1} associated with an element type username.
    org.xml.sax.SAXParseException; lineNumber: 37; columnNumber: 18; Open quote is expected for attribute {1} associated with an element type username.
Re: Open quote is expected for attribute {1} associated with an element type username
Gibran Castillo wrote:

Tomcat did not like the double quotes used by TextEdit.app so I use the ones that were in the commented out section of tomcat-users.xml. I was able to authenticate.

Oh my.. It is not Tomcat which does not like your quotes, it is XML. These quotes are not valid characters to delimit attribute values *in XML*. You will have the same problem with any XML file that you edit with that editor : you will generate XML that is not well formed and thus invalid. And that will crash any program which reads your XML files. Use another editor, this one is not suitable for editing XML files.

On Thu, Oct 2, 2014 at 2:24 PM, Konstantin Kolinko knst.koli...@gmail.com wrote:

2014-10-02 22:16 GMT+04:00 Gibran Castillo gibran.e.casti...@gmail.com:

I installed Tomcat 8.0.12 in my MacBook OS X 10.9.5 here /Library/Tomcat/Home. Home is a symbolic link that will always point to the current version Tomcat directory, in this case /Library/Tomcat/apache-tomcat-8.0.12

In the /Library/Tomcat/Home/conf/tomcat-users.xml file I added the following:

    <role rolename="manager-gui"/>
    <user username=“admin” password="password” roles="manager-gui”/>

When I start tomcat with the out of the box setup everything looks good except that is throwing an exception regarding user username=“admin”

(...)

The quote character before a in admin is not the straight quote character expected in XML files, but left quote character ( ` `) as inserted by text processors...

    02-Oct-2014 12:19:44.726 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 37 column 18: Open quote is expected for attribute {1} associated with an element type username.
    org.xml.sax.SAXParseException; lineNumber: 37; columnNumber: 18; Open quote is expected for attribute {1} associated with an element type username.
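A pre-deployment check for the failure discussed in this thread, as an added example that is not part of the original messages: it locates typographic quotes inside XML markup, confirms the parser rejects the file, and verifies the repaired text parses. The sample document and its password value are constructed, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Typographic quotes that rich-text editors substitute for the ASCII ones.
SMART_TO_ASCII = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
_SMART = re.compile("[" + "".join(SMART_TO_ASCII) + "]")
_COMMENT = re.compile(r"<!--.*?-->", re.S)
_TAG = re.compile(r"<[^<>]*>")

# Constructed sample modelled on the tomcat-users.xml fragment in the thread.
SAMPLE = "\n".join([
    "<tomcat-users>",
    '  <role rolename="manager-gui"/>',
    '  <user username=\u201cadmin\u201d password="example-password\u201d'
    ' roles="manager-gui\u201d/>',
    "</tomcat-users>",
])


def _mask_comments(text):
    """Blank out comments while keeping every offset and newline in place."""
    return _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), text)


def find_smart_quotes(text):
    """Return (line, column, codepoint) for each smart quote inside a tag.

    Smart quotes in element text are legal XML, so only markup is scanned.
    Line and column are 1-based.
    """
    hits = []
    for tag in _TAG.finditer(_mask_comments(text)):
        for quote in _SMART.finditer(tag.group()):
            pos = tag.start() + quote.start()
            line = text.count("\n", 0, pos) + 1
            col = pos - text.rfind("\n", 0, pos)
            hits.append((line, col, "U+%04X" % ord(quote.group())))
    return hits


def parse_error(text):
    """Return None if text is well-formed XML, else the parser's (line, column)."""
    try:
        ET.fromstring(text)
        return None
    except ET.ParseError as exc:
        return exc.position


def repair(text):
    """Replace smart quotes with ASCII quotes inside markup only."""
    def fix(match):
        return _SMART.sub(lambda q: SMART_TO_ASCII[q.group()], match.group())
    return _TAG.sub(fix, text)


if __name__ == "__main__":
    for line, col, cp in find_smart_quotes(SAMPLE):
        print("line %d column %d: %s used as attribute delimiter" % (line, col, cp))
    print("parser error position:", parse_error(SAMPLE))
    print("after repair:", parse_error(repair(SAMPLE)))
```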
Re: Tomcat returns Jsp source code as text/plain to the browser
Gadi Sastiel wrote:

I have in httpd.conf:

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    # Configure mod_proxy_html to understand HTML4/XHTML1
    <IfModule proxy_html_module>
    Include conf/extra/proxy-html.conf
    </IfModule>
    LoadModule jk_module modules/mod_jk.so

Gadi

Maybe to gain some time, let me point you to the explanation of what both Konstantin and Daniel are looking for : https://tomcat.apache.org/connectors-doc/reference/apache.html See the text in red ?

In more words : a frequent configuration error in such cases (where Apache httpd is a front-end for Tomcat, and both are on the same machine), is to allow Apache httpd to see the contents of the Tomcat application directories (/webapps/*). Tomcat knows that a JSP page is something which has to be processed, and that it is the result that should be returned to the client, not the source. But httpd doesn't know that, and for him a JSP page is just text, and it returns it as is.

So if the URL of the request is such, that Apache does not think that this request has to be forwarded to Tomcat, it will try to process this request itself. And if it can do that (aka it sees the directory where this file is located, and the file in it), then it will return that page itself to the client, as text. And that seems to be what you are seeing.

From there comes the suspicion of Konstantin and Daniel, because Tomcat, correctly configured, wouldn't do that. Except that you mention somewhere else that the request is visible in the Tomcat access log. That would normally mean that httpd /is/ forwarding this request to Tomcat, and that the error is on the Tomcat side. So before going any further, make absolutely sure that that is the case, and that it is really /this/ request that you are seeing in the tomcat logs. Otherwise everyone is going to lose a lot of time searching in the wrong places.
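A configuration audit for the misconfiguration described in this reply, as an added example that is not part of the original message: it flags httpd directives that map URLs onto Tomcat's webapps directory and lists request paths that no JkMount forwards, which httpd would therefore answer itself. Both sample configurations, the paths and the worker name are constructed; POSIX paths are assumed, and fnmatch is used as an approximation of mod_jk's wildcard matching.

```python
import fnmatch
import posixpath
import shlex

# Constructed samples: a weak front-end configuration and a corrected one.
WEAK = "\n".join([
    "# constructed sample, not from the thread",
    'DocumentRoot "/opt/tomcat/webapps/ROOT"',
    "LoadModule jk_module modules/mod_jk.so",
    "JkMount /servlet/* worker1",
])
FIXED = "\n".join([
    "# constructed sample, not from the thread",
    'DocumentRoot "/var/www/html"',
    "LoadModule jk_module modules/mod_jk.so",
    "JkMount /* worker1",
])


def _directives(conf_text):
    """Yield (line_no, tokens) for each non-comment httpd directive line."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote: not something this check judges
            continue
        if tokens:
            yield no, tokens


def _overlaps(a, b):
    """True if one POSIX path equals the other or contains it."""
    a, b = posixpath.normpath(a), posixpath.normpath(b)
    return (a == b
            or a.startswith(b.rstrip("/") + "/")
            or b.startswith(a.rstrip("/") + "/"))


def httpd_exposures(conf_text, webapps_dir):
    """Return (line_no, directive, path) where httpd can read Tomcat's files."""
    findings = []
    for no, tok in _directives(conf_text):
        name = tok[0].lower()
        if name == "documentroot" and len(tok) >= 2:
            target = tok[1]
        elif name == "alias" and len(tok) >= 3:
            target = tok[2]
        else:
            continue
        if _overlaps(target, webapps_dir):
            findings.append((no, tok[0], target))
    return findings


def unforwarded(conf_text, url_paths):
    """Return the request paths that no JkMount pattern hands to Tomcat."""
    mounts = [tok[1] for _, tok in _directives(conf_text)
              if tok[0].lower() == "jkmount" and len(tok) >= 3]
    return [u for u in url_paths
            if not any(fnmatch.fnmatchcase(u, m) for m in mounts)]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(name, httpd_exposures(conf, "/opt/tomcat/webapps"),
              unforwarded(conf, ["/index.jsp", "/servlet/report"]))
```

A path that appears in both results is the case the reply describes: httpd can read the file and nothing sends the request to Tomcat.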
Re: a problem: tomcat exits unexpectedly
bo zhao wrote:

I had modified the os ulimit parameter: open files and max processes, after that, Tomcat doesn't exit unexpectedly, and the log of Tomcat have not the ... pause, ... init. It seems work normally. But I still don't know the reason. I want to know if the two parameter is the key to solve problem and how the two parameter of os limit cause the exit of tomcat?

I believe that you are understanding this wrongly. These parameters are not the /cause/ of the problem, they are a /symptom/. The default value of these parameters is set so that they are ok for any normal process/system, and rarely need to be adjusted. By increasing their value, you are moving the problem further down the line, but are not solving the real (possible) problem. Ognjen is asking a question below. Why do you not start by answering it ?

On Fri, Sep 19, 2014 at 5:17 PM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote:

Zhao, On 19.9.2014 3:42, bo zhao wrote: but I can't find any error message in the log? what causes the tomcat to pause and stop?

One of the suspects for restarts and shutdown seems to be the class com.jd.clover.center.service.AbstractScheduleTaskProcess, as there is a log message regarding it, at the first line of each log excerpt you sent. What is AbstractScheduleTaskProcess class for?

-Ognjen
Re: RV: Help for configuration in App Manager in apache-tomcat-7.0.29
Rosario Marin wrote:

Hello gays I still have the problem!!!

Hello Rosario. I think that there is indeed a problem, but it may be first with the language. :-) This is non-discriminating forum, and we try to help all persuasions, but maybe you could have a look here first : http://www.youtube.com/watch?v=Fzahn-tapWk

-Original Message- From: Rosario Marin Sent: Thursday, 25 September 2014 04:43 p.m. To: 'Tomcat Users List' Subject: RE: Help for configuration in App Manager in apache-tomcat-7.0.29

Hello little more precise about my problem with the Undeploy button for all test applications as I can see active, but not for my services. And you can be more specific in the package path and jar should I change? Post a picture of what I see, my installation is in Spanish. Greetings and thanks

-Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Thursday, 25 September 2014 02:21 p.m. To: Tomcat Users List Subject: Re: Help for configuration in App Manager in apache-tomcat-7.0.29

2014-09-25 19:21 GMT+04:00 Rosario Marin rosario.ma...@stratus.com.mx:

Do you run one Tomcat, listening on 2 different ports ? Yes

What do you mean with App Manager ? For example : http://164.152.40.70:7533/manager/html (GUI for deploy of applications).

Ok, I have installed apache-tomcat-7.0.29 in the next address IP: http://164.152.40.70/ and Had only the port to the deploy for my web services : http://164.152.40.70:7533/ , but I asked one of those services are deployed on a different port and set up another in the file server.xml which remained follows http://164.152.40.70:7550/ . Then in the first port http://164.152.40.70:7533/manager/html , Here, ' replegar' button is disabled and the second new port http://164.152.40.70:7550/manager/html all good! In that part of the settings I can fix this?

From LocalStrings_es.properties file: htmlManagerServlet.appsUndeploy = Replegar

You cannot undeploy the Manager application that you are currently using. The button should have been disabled in both cases.
Re: Response mixed between users with mod_jk-1.2.40
Philippe Mouawad wrote:

Hello, Any feedback on this ? Thanks

Hi. I don't think that you should reasonably expect any feedback. It is not that people here do not want to help, but your version of Tomcat is so hopelessly outdated (2007 ?)(see: https://tomcat.apache.org/whichversion.html) that it would cost them a lot of time, and time is something that most of them don't have too much of. So they concentrate on the latest versions, because for that there is a chance that they still have a similar system somewhere, or remember the issue and how to fix it. Your best hope is to search the Tomcat list archives (see https://tomcat.apache.org/lists.html), for something that looks like a similar issue. But if it is a Tomcat issue, the result will probably be that you need to upgrade your Tomcat to solve it.

On Sun, Sep 7, 2014 at 11:49 PM, Philippe Mouawad philippe.moua...@gmail.com wrote:

Hello, I am working currently on an issue where an application is facing either Response mix or Session mix. For example:
1/ a user A gets the basket of customer B when going on basket detail (response mix)
2/ Cookies also get mixed up, more of session mix in this case

The versions of components are the following: - Load Balancer = modjk_1.2.40 = Tomcat 5.5.23 (Yes very old)

I have made some searches on bug database and found this issue which seems similar: - https://issues.apache.org/bugzilla/show_bug.cgi?id=47714 But the issue is in state WORKSFORME so it is not a bug AFAIU.

Also issue seems to be related to a bug fix that occurred in mod_jk 1.2.27 : AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk)

What makes me say this is that there is a JBoss solution document that says this: https://access.redhat.com/solutions/19239 There is a known bug in mod_jk versions 1.2.26 and below that can cause session crosstalk AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk)

So with version 1.2.40 no issue should remain Afaik. So I have 3 questions:
1) Does the fix in mod_jk require an upgrade to a particular tomcat version ?
2) The issue was related to a security problem, but how response mix did occur ?
3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ?

I am besides this investigating load balancer and application issues. Thanks for help Regards Philippe M.

-- Cordialement. Philippe Mouawad.
Re: Response mixed between users with mod_jk-1.2.40
Philippe Mouawad wrote:

Hello André, I understand your answer although my 3 questions are also related to current version of Tomcat.

Ok, then, to increase your chances of getting a response :
- download and setup a current version of Tomcat
- reproduce the issue in that one
- and repost your question mentioning that version of mod_jk and Tomcat

Understand : the issue as you describe it could be in mod_jk, but it also /could be/ some bug in Tomcat 5.5.x, that has been already corrected in one of the very many Tomcat versions since that one (50 ? 100?). Before anyone is going to even look at it, /you/ will have to convince them that it is probably not the case. Or else, find a $consultant that will do that research for you. But that's just me saying. I am just trying to help, by helping you to avoid losing time waiting. But you are welcome to keep on trying and prove me wrong.

I was hoping that the person who fixed the issue could explain how the problem occurred. To recap my 3 questions :
1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? I suppose that if I upgrade to last 6.X it should be fine (Cannot upgrade for now to 7 or 8)
2) The issue was related to a security problem, but how response mix did occur ? This one is more to understand technically the issue
3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? This one still concerns modern versions of Tomcat.

Anyway thanks for answer. Regards Philippe

On Thu, Sep 25, 2014 at 12:02 PM, André Warnier a...@ice-sa.com wrote: Philippe Mouawad wrote: Hello, Any feedback on this ? Thanks Hi. I don't think that you should reasonably expect any feedback.
Re: Help for configuration in App Manager in apache-tomcat-7.0.29
Hi Rosario.

There is no need to repost your message two days in a row. If you did not get an answer to your first message of yesterday, it is probably because it is not clear what your problem is, or what your configuration is.

Can you explain better what you mean by "I have two web services in the same server, but in different port of deploy" ? Do you run 2 Tomcat instances in the same host, listening on different ports ? Do you run one Tomcat, listening on 2 different ports ? What exactly do you mean with web services, in a Tomcat context ? web applications ? What do you mean with App Manager ? the Tomcat Manager application, like here : https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html ?

Maybe you should copy and paste some relevant configuration file parts here, to help us understand ? (please copy and paste in the message itself; do not put them in an attachment, as this list strips most attachments)

Rosario Marin wrote:

Hi Guys, Hi I'm using the next version : apache-tomcat-7.0.29, and I have two web services in the same server, but in different port of deploy, The question is that one of my ports in the App Manager to 'replegar' the button is disabled. In that part of the settings I can fix this? Help and thanks!

Rosario Marín | Consultant | Stratus Technologies México, S.A. de C.V | Tel.: +52(55)80-00-41-00 ext. 4242 Stratus: For an Always-On World | rosario.ma...@stratus.com.mx | www.stratus.mx
Re: File download using a servlet and error handling
Hassan Schroeder wrote:

On Thu, Sep 25, 2014 at 7:18 AM, Léa Massiot lmhe...@orange.fr wrote: I was thinking maybe about an error-page... (never done that before): in case an exception is thrown after the response has been committed, maybe this error page could be sent to the user...

Since the user's browser will still be displaying download-file.jsp after the download, why not add some JS/AJAX to the page to poll for a status update and display that? Just another possibility :-)

+1, yes, something like that.

Lea, the problem is that what you want to achieve, goes against the very logic of the standard HTTP protocol. In HTTP, the client sends one request, and expects one response for that request; and the server receives one request, and sends one response. The server *can not* send a second response for that same request; and if it did, the client would not know what to do with it.

So in your case, the client sends a request to get one file; and it expects in return that file, not more, not less. If you try to send something else in addition to (or instead of) the file, then the client is going to get very confused, and either see this as an error, or it will save or display a corrupted file.

And another thing : if the server at some point notices an error while sending the response (the file), in 99.95% of the cases this will be because the connection with the client has been lost, and Tomcat can not write any more data on that connection. So whatever you would try to send as an error message or page, has nowhere to go, and your webapp would get an I/O exception.

If you really want to do something like this, then you need a collaboration between the server and the client. For example, something like the above suggestion : when the client clicks on the link to download the file, this does not send a request to the server directly from the HTML page. Instead, it triggers some javascript function (AJAX-like) which is the one that will send the request to the server, and receive the file. And then, if at some point there is a problem in that download, the javascript function can inform the user, by writing a message into the original browser window which is displayed to the user, and which originated the javascript call.

But this is not as easy to do as you might think, because this javascript may not have the permission to write to the user workstation disk, to save the received file (security). So you may need a java applet instead, and signed, so that the user can give it the required permissions. So you see what you are getting into. It is certainly do-able, but do you want to go through the effort of doing that ? (and if you do, then search Google for jquery).
Re: ipfiltering in Tomcat 6 fails, works fine on Tomcat 7
Baran Topal wrote:

Hi; Thanks for your interest. Yes, I realized context idea once I read the documentation. I must admit the hierarchy is weird but it's a custom installer of a site that installs on Windows machine. There is no Tomcat manager console in place (at least I didn't see/enable). The hierarchy is as this: programnameunderCdriveProgramFilestomcat/webapps/ROOT/WEB-INF and under WEB-INF, there is jsp folder in which it covers the jsp pages of admin that I want to filter out for a particular IP. I think, there is no concern to make the change in server.xml because there will be absolutely one web application under this Tomcat. So, the change can be application-wide I guess. For just testing, within the given valve above, I can filter out index.jsp which is in the path, programnameunderCdriveProgramFiles/tomcat/webapps/ROOT/ and I can filter that particular file successfully but fail to filter programnameunderCdriveProgramFiles/tomcat/webapps/ROOT/WEB-INF/jsp/admin folder. Thanks for your help. Regards.

Baran, you are either not listening, or not understanding what Christopher - who is one of the Tomcat experts on this list - is trying to tell you : The design of Tomcat is such that, for any normally-configured Tomcat, a client (any client) should not normally be able to obtain *anything* that is located below the /WEB-INF/ directory of an application. If your clients can access these files, then it means that you have found a way to misconfigure Tomcat so badly, that you are bypassing one of its built-in security features. (And if so, you should file it as a bug). The /WEB-INF/ sub-directory is a special place, that serves to store configuration files, compiled java classes and jars, which the clients should /never/ be able to obtain. It is not meant to contain any JSP's or HTML pages of an application.

2014-09-25 14:52 GMT+02:00 Christopher Schultz ch...@christopherschultz.net :

Baran, On 9/24/14 5:04 PM, Baran Topal wrote: Hi, following works under server.xml

    <Context path="/index.jsp" reloadable="true">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="127\.0\.0\.1"/>
    </Context>

Yes, it will work, but declaring a Context in server.xml is a Bad Idea. It's better to use a META-INF/context.xml file, or, even better, a file in CATALINA_BASE/conf/[engine]/[host]/[webapp].xml

But, I need to hide my admin directory containing admin.jsp pages (more than 1 jsp page)

The above configuration will deny all users from localhost (but only using IPv4) for all URL patterns matching your /index.jsp context (why in the world would you have a context path /index.jsp?). Something tells me you are seriously misconfiguring this server.

My admin directory is in WEB-INF and WEB-INF is in the same level with /index.jsp but simply, not working when I ref. the context as /WEB-INF/admin

No remote client should be able to directly access anything in /WEB-INF/ unless you have really done some damage to your server.
-chris
Re: ipfiltering in Tomcat 6 fails, works fine on Tomcat 7
Baran Topal wrote:

Hi; Recently joined, first mail. I have the following filtering which works fine on Tomcat 7 but not on Tomcat 6... It gives just 404.

    <filter>
        <filter-name>Remote Address Filter</filter-name>
        <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
        <init-param>
            <param-name>allow</param-name>
            <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Remote Address Filter</filter-name>
        <url-pattern>/administrator/*</url-pattern>
    </filter-mapping>

How can I apply this filter on Tomcat 6. Details of Tomcat 6

    Server version: Apache Tomcat/6.0.36
    Server built: Oct 16 2012 09:59:09
    Server number: 6.0.36.0
    OS Name: Windows 7
    OS Version: 6.1
    Architecture: amd64
    JVM Version: 1.7.0_21-b11
    JVM Vendor: Oracle Corporation

Regards.

Hi. I had a quick look at the on-line documentation for Tomcat 6, and I don't see a remote address *filter* there. Tomcat 7 has it, but Tomcat 6 does not seem to have it. Tomcat 6 has a Valve for that.

https://tomcat.apache.org/tomcat-6.0-doc/config/filter.html
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
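A way to check what an allow or deny pattern actually covers before deploying it, as an added example that is not part of the original messages: it models the decision order of Tomcat's remote-address filtering (deny checked first, patterns matched against the whole address, a deny-only rule set admitting everything else) and runs the two patterns quoted in these threads against several loopback spellings. The model is this example's assumption written with Python's re module rather than java.util.regex, and the test addresses are constructed.

```python
import re

# Patterns quoted in the threads above.
THREAD_DENY = r"127\.0\.0\.1"
THREAD_ALLOW = r"127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"

# Constructed test addresses: the loopback interface can show up as any of these.
LOOPBACK_FORMS = ["127.0.0.1", "127.0.0.2", "::1", "0:0:0:0:0:0:0:1"]


def is_allowed(remote_addr, allow=None, deny=None):
    """Model of the allow/deny decision for one remote address.

    Assumed order: a deny match rejects, then an allow match admits,
    then a rule set with deny but no allow admits the rest; anything
    else is rejected. Patterns must match the whole address.
    """
    if deny is not None and re.fullmatch(deny, remote_addr):
        return False
    if allow is not None and re.fullmatch(allow, remote_addr):
        return True
    return deny is not None and allow is None


def admitted(addresses, allow=None, deny=None):
    """Return the addresses the rule set lets through, in input order."""
    return [a for a in addresses if is_allowed(a, allow, deny)]


def uncovered_loopback(allow=None, deny=None):
    """Loopback spellings a deny rule meant for localhost fails to reject."""
    return admitted(LOOPBACK_FORMS, allow=allow, deny=deny)


if __name__ == "__main__":
    # The deny-only valve rejects one IPv4 address and nothing else.
    print("deny only lets through:", uncovered_loopback(deny=THREAD_DENY))
    # The allow pattern admits every loopback spelling and rejects the rest.
    print("allow lets through:",
          admitted(LOOPBACK_FORMS + ["192.0.2.10"], allow=THREAD_ALLOW))
```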
Re: How to set up TLS-PSK with Tomcat
Christopher Schultz wrote:

Borislav, On 9/20/14 11:57 PM, Borislav Trifonov wrote: Switched to a configuration where Tomcat is now front-ended by Nginx acting as a load balancer, so now the problem has moved to a different spot.

Just curious: how does Nginx do this? IIRC, Nginx can use either OpenSSL or GnuTLS. What does the configuration look like? It seems reasonable for httpd/APR to support PSK... perhaps it can be added if it does not already exist.

As for the PSK: the computational expense of key exchange (we have many frequent short lived connections) is a con that brings zero benefit to our setup, as the clients are fixed and already have the symmetric keys.

Makes sense.

I could ask the inverse question: if one controls not just the server but also the clients, what's the point of public key crypto?

You never mentioned that you had control of the clients. Using PSKs of course means you have some measure of control over the clients, but it is not always so.

The only reason I'm relying on TLS is because the same server also needs to occasionally support regular connections using certificates.

Would it be an option to use something like stunnel (I'm not sure if that allows PSKs, either) between the client and server? It's a lot of extra processes, but it might get the job done.

And maybe a stupid question : since you are saying that you have control over both the clients and the server, are your clients/servers really external ? And if they are, would it not make sense to have them connected first via a VPN, and then do the HTTP exchanges in clear, but over that (encrypted) VPN ?
Re: WAR file deployment question
Jeffrey Janner wrote: -Original Message- From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] Sent: Monday, September 15, 2014 7:11 PM To: Tomcat Users List Subject: WAR file deployment question

We have a rather large WAR file. 89,925,956 bytes. And we have cable internet. With its usual extremely asymmetrical bandwidth: a download pipe the size of an air conditioning duct, and an upload pipe the size of an insulin needle. Squirting this huge WAR file through such a narrow pipe takes over half an hour. But our web and FTP servers are on a hosting service's server, so they're not passing through the narrow pipe. Can I, from Manager, deploy a WAR file that's sitting on a web or FTP site, instead of on my local system? -- James H. H. Lampert

James, The question becomes How does the war file get to the Web/FTP site? My supposition is from your local system through the same narrow pipe, so there is no real solution, you've just moved the delay to another step. If that's not the case, then there are myriad ways. The manager app only deploys war files in one of two ways: already on the server, or from the system running the browser. So it sounds like some form of RDP is going to be necessary. Jeff

Alternatively :
- create a little program which will automatically transfer the WAR-file to the intended destination via SFTP
- wrap this program, together with the original WAR file, in a secret.war.exe file, and leave it somewhere on your PC (preferably in a directory named confidential)
- then just wait

Chances are that your PC already has a couple of virii or trojans running, and that file will be uploaded somewhere in no time at all. You won't even notice. And as soon as someone at the other end opens it, it will send the WAR file to the intended destination, using their bandwidth, which is guaranteed to be much wider than yours. Problem solved.
Re: jmx query
vicky wrote: Hi, Can someone please explain step by step instruction that how to setup the LDAP authentication for JMX console ?

Pre-requisite : read http://www.catb.org/esr/faqs/smart-questions.html then
Step 1 : open a browser
Step 2 : go to www.google.com
Step 3 : enter setup LDAP authentication for JMX console in the search box
Step 4 : press the search icon
Step 5 : read the articles listed there

Once you have tried one of the procedures listed there, if you still have a problem, come back here for a specific question.
Re: Why does mod_jk bypass Apache authorization?
Christopher Schultz wrote: Mark, On 9/12/14 8:36 PM, Mark Eggers wrote: Here was my naive thought. haven't tested this yet (may be a project for this weekend). Outside of a Location or LocationMatch directive, the JkMount directive parses the configured URL prefix. If requested URL passes the rules, then mod_jk gets to handle the request. Inside of Location or LocationMatch, things are a bit different. Apache HTTPD parses the incoming request. If the requested URL passes, then it's sent along to whatever is inside of the directive. So you can think of a JkMount wrapped in a Location or LocationMatch directive as a 'dynamic' JkMount. It gets rewritten with whatever passes the Location or LocationMatch directives.

mod_jk must modify its own internal map of URL (patterns) -> workers when it finds a one-argument JkMount within a Location. Simply using Set-Handler is not quite enough: you have to use JkMount (or set JK_WORKER_NAME - or whatever you set with JkWorkerIndicator), otherwise mod_jk will have no idea how to route the request. So, if mod_jk were to skip the URL-matching and rely on httpd's Location (or whatever construct) and Set-Handler, it would also require that JkMount [workerName] (or SetEnv JK_WORKER_NAME [workerName]) also be present. I would imagine that, at configuration time, it would be difficult to determine if all of these requirements have been met. At request-time, it would be easy to tell if things were okay, but then you may have a bit of confusion by users who haven't quite configured things properly and get a different default behavior than they were expecting.

Something like: JkMount [i-made-it-inside] worker At least that was my understanding. And yes, the documentation is not so clear.

It doesn't seem to me that obvious that JkMount would somehow read the parameter from Location or LocationMatch and use that in a configuration such as: JkMount /*faddle.jsp$ worker Especially since that regular expression would make no sense to JkMount.

Correct. It's perfectly reasonable to do something like this:

    <Location ~/.*/abc/*.exe>
      JkMount workerX
    </Location>

... and have a URL pattern that mod_jk has no idea how to handle. It's starting to sound more and more like mod_jk should just not try to over-think things and re-evaluate URLs, etc: it needs a mode where it will take the worker name from JkMount (or Set-Handler) and just use it without checking the URL. On the other hand, I'm not sure how mod_jk can detect (during a request) when it's being called from within a Location. You may have to set some other environment variable to disable mod_jk's URL (re)evaluation logic.

Under Apache httpd, why does mod_jk even need to know where it is called from ? It could just assume that httpd is calling it when appropriate and not otherwise. If you want a universal JkMount-equivalent to JkMount /*, then do

    <Location />
      SetHandler jakarta-servlet
    </Location>

and it will be inherited by all sub-Locations (aka handle all URI's) unless overridden by another SetHandler (like SetHandler None). If you need it more focused or conditional, use the very powerful and flexible Apache Location* sections, and don't second-guess them. All the other Jk* directives can be emulated by the setting (or lack of setting) of Apache variables such as no_jk, JK_WORKER_NAME et al.

This may sound counter-intuitive (if not anathema) to Tomcat-focused people. But don't forget that from a httpd point of view, mod_jk (and the possible umpteen Tomcats behind it) is just one way of generating a HTTP response for some request URI's, among many others. Sometimes you need to think out of the box. Or maybe in the box in this case; because after all, we are talking here of a configuration file which belongs to httpd. So it sounds rather logical to me that the directives in it, would have an Apache httpd look and feel; which Jk* directives do not. After all also, when you use either mod_proxy_http or mod_proxy_ajp as a connector, you do use only httpd-style directives.

Finally, all this is - in my view - a rather strong argument for using the SetHandler jakarta-servlet in Apache, rather than JkMount/JkUnMount. I originally thought that it was more a matter of preference only, but as a result of this discussion and the pitfalls that it showed, it seems rather more than that : it is much less error-prone. And it would allow mod_jk to avoid its own URI-mapping logic entirely, thus removing a probably sizeable chunk of code, and making it even more efficient. (This becomes rather evident if you turn on mod_jk logging high enough that it shows its efforts at matching every URI it is given). mod_jk 2.x anyone ?
Re: Setting CacheTTL on Apache Tomcat 8
Mark Eggers wrote: On 9/14/2014 1:55 PM, Robert Boyle wrote: Hi, Here's what I'm trying to do: I'm building a web-based cueing system for a theatre. Until I figure out how to use WebSockets, my system will use JavaScript to refresh the webpage every second with a cue status file. This is an HTML file built on the fly by VB (or Python). One second latency is no problem. The problem: Unfortunately (for this application) Tomcat caches the web page internally for 5 seconds by default, so the maximum cumulative latency is 6 seconds which is a bit much. I believe I can change this by setting the CacheTTL parameter but, when I try to do this in BASEDIR/conf/context.xml by adding the line cacheTTL=1000, the server won't start and spews out many lines of error messages. I am a total newcomer to Tomcat but I've spent some hours trying to find examples of config files on the web with little success. Obviously I haven't understood the syntax required here so any help is gratefully received. Environment: Tomcat 8.0.12 Windows 7 / 32bit Robert

Robert, That doesn't appear to be available in Tomcat 8 (quick view of the Javadoc). Also, I tried the following (after reading the 7.x docs) which failed as expected.

    <Context cacheTTL="1000"> </Context>

In Tomcat 7 (7.0.55), you can set this with the following syntax.

    <Context cacheTTL="1000"> </Context>

See the reference here: http://tomcat.apache.org/tomcat-7.0-doc/config/context.html 7.0.55 has WebSockets. . . . just my two cents /mde/

And mine : https://tomcat.apache.org/tomcat-6.0-doc/config/context.html#Attributes In 6.0, these Context - cache* attributes seem to have been there, but they have disappeared in 8.0. Or at least in the doc : https://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Attributes
Re: Tomcat 7 RPM download
Krishna Saranathan wrote: Hi All Is there any distro portal from where I can download rpm, to install Tomcat 7. I understand it's available in zip/gz formats, but there is requirement for rpm to be written as part of chef cookbook.

It looks like you are going to have to do some work yourself here, very unfortunately. You may even, horror, have to find out how to create a rpm yourself, for the OS distribution which you are using (whatever that is). But imagine your satisfaction afterward, to know that you can now at any time, create your own entirely up-to-date tomcat 7.x.y rpm package from the official Tomcat website download, with all the latest security fixes and enhancements and all.
Re: Why does mod_jk bypass Apache authorization?
Daniel Pfeiffer wrote: On 2014-09-10 22:12, Mark Eggers wrote: I don't think that the trailing /* is valid for a simple Location directive. If you want regular expressions you'll have to use either LocationMatch or Location ~ (Location followed by the ~)

This was the decisive hint! JkMount needs /*, but Location doesn't seem to handle it well. This makes the one-argument-form of JkMount quite useless. The solution was using the two-argument-form isolated with /* and Location without. Still doesn't explain why it sometimes works, but I'll leave that as an exercise for mod_jk fans.

This is a matter of preference, and if you are happy with the above, so be it. You may want to document this well in the Apache config file though, because someone viewing this later (maybe yourself even, in 6 months time) would not really understand, and may think it was a typo.

I personally am a fan of the SetHandler jakarta-servlet and associated SetEnvIf instructions, mainly for this reason : Essentially, both types of directives do the same thing, but this is an Apache httpd configuration file, likely to be viewed and edited later by people who understand the Apache httpd logic, and maybe not so much of the mod_jk and Tomcat logic. So I find it better to use the Apache-style Location*, SetEnv(If) etc. kind of configuration directives, because they fit better in the standard Apache configuration and scope logic, than the Jk directives.

You have just seen an example yourself : the way in which JkMount handles wildcards is not the same as the way Location* directives do, so this - in my view - leads to confusion for the unsuspecting (or just un-mod_jk-educated) sysadmin. It can also lead to confusion if later you need to implement Rewrite or Proxy directives in your Apache configuration, and start having cross-interaction with these Jk* directives.
Re: Why does mod_jk bypass Apache authorization?
Christopher Schultz wrote: Mark, On 9/12/14 11:14 AM, Mark Eggers wrote: Chris, On 9/12/2014 7:13 AM, Christopher Schultz wrote: Daniel, On 9/11/14 4:15 PM, Daniel Pfeiffer wrote: On 2014-09-10 22:12, Mark Eggers wrote: I don't think that the trailing /* is valid for a simple Location directive. If you want regular expressions you'll have to use either LocationMatch or Location ~ (Location followed by the ~)

This was the decisive hint! JkMount needs /*, but Location doesn't seem to handle it well. This makes the one-argument-form of JkMount quite useless. The solution was using the two-argument-form isolated with /* and Location without. Still doesn't explain why it sometimes works, but I'll leave that as an exercise for mod_jk fans.

Would you please log a bug in Tomcat's Bugzilla for this? At the very least, it warrants a documentation fix, and possibly a review of how mappings for Locations are expressed/evaluated. -chris

From the documentation: Inside Location, one omits the first argument (path), which gets inherited from the Location. That's where I took my clue. In Tomcat documentation fashion, the density of information is quite high. I personally don't have a problem with this, even though it's not normally my style (obviously :-p).

The problem is that most people would write:

    <Location /foo>
      JkMount worker
    </Location>

The /foo in location will handle any URL beginning with /foo while mod_jk will handle a URL with /exactly/ that path /foo. Basically, <Location /foo> behaves like <Location /foo/*> without actually saying it,

nitpick : more like /foo*

and mod_jk will stupidly do exactly as requested, which is not always what might be expected. That's why the above doesn't work as expected, but using Set-Handler does: when Location/JkMount is used, we get a bad JkMount result (mod_jk maps only /foo, not /foo/*). If you use Set-Handler, then /httpd/ makes the decision that the URL matches the Location and then sets the handler for it. I really do think this warrants at least a documentation update.

Clearly explained, thanks. As an addendum, I would venture that the situation gets even more complicated (or downright nonsensical) with LocationMatch regexp, because there is no way JkMount can possibly match that.

And as a bit more than an addendum : When you think about it, it would probably greatly simplify mod_jk itself, if it just assumed that any request passed to it was for it, period, and not have its own match evaluation. And let the front-end entirely decide whether mod_jk is the appropriate content-generating handler for this request.(*)

Right now, basically, 2 consecutive evaluations are taking place (or at least seem to) : - first httpd, going through all its Location, LocationMatch and File sections, and then if mod_jk is called, it re-does its own evaluation in function of its own separate URI-mapping table. And one has to hope that the results match, which they don't always, as per above. (**)

I would guess this is a design left over from a time when maybe Apache httpd's URL-matching was not entirely able to match Tomcat's (***), and nobody thought of questioning it ever after. At the very least, one possibility would be for mod_jk, when it sees a JkMount inside any Location* section, to turn its own uri-mapping off entirely, and just accept the request as it is. In other words, such a JkMount would just become an alias to SetHandler myself. (Unless no-jk is set of course). Oh do those things get complicated..

(*) because from the httpd point of view, the content generator is mod_jk. And httpd doesn't know, and doesn't give a damn, that there is a cluster of 16 Tomcats behind mod_jk.

(**) and then there is Tomcat of course, doing its own URI-to-webapp mapping. And then the webapp itself doing its own URI-to-servlet mapping. It all looks kind of redundant, doesn't it ?

(***) or maybe there was no way then, for Apache httpd to change its content-handler on-the-fly, and mod_jk had to sneak its way in there to set itself.
Re: Deploy application as Root
Konstantin Kolinko wrote: 2014-09-11 7:52 GMT+04:00 Kiran Badi ki...@poonam.org: Hi, I am trying to deploy application as ROOT.war in tomcat 7.50 provided by hosting service provider, but for some reasons I get below message

FAIL - War file ROOT.war cannot be uploaded if context is defined in server.xml

I have below in server xml,

    <Host name="Myapp.com" appBase="path to public_html folder">
      <Alias>www.myapp.com</Alias>
      <Alias>myuserid.myhostingprovider.com</Alias>
      <Context path="" reloadable="true" docBase=" path to public_html" debug="1"/>
      <Context path="/manager" debug="0" privileged="true" docBase="path to /tomcat/webapps/manager"> </Context>
    </Host>

However the ROOT.war gets deployed correctly in my local machine. Appreciate some help here for fixing this issue.

1. What Tomcat version does your local machine have?
2. <Context path=""> and ROOT.war define the same context. Thus the error message is correct.

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Naming

And maybe read this too : http://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F
Re: record security manager
Wim Bertels wrote: Hallo, as i tested setup debian + tomcat7

there are many versions of Tomcat 7.x. Which version precisely ? (There is a version.sh script somewhere, which will tell you)

following the documentation, i was referred to http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html for enabling the security manager,

As I recall, under Debian, there is a setting in /etc/default/tomcatx, like SECURITY=YES/NO which takes care of that for you.

as it seems in debian stable (with tomcat + examples + admin debian packages installed): - enabling the security manager: tomcat does not start -- the logs are not clear to me

But maybe they would be clear to someone here. What do they say ?

This is not a tomcat problem, but debian it seems to me.

Also note, if it is not clear : the security manager is not a specific Tomcat thing, it is a Java JVM thing. It is the JVM which runs Tomcat which enforces some security restrictions upon Java programs which run under it. That includes Tomcat java code, and the java code of the applications which run under Tomcat.

So i looked further, and came across http://www.jchains.org/ but it is quite old (2009); if correct: - it basically runs the application without security manager and records the permissions needed. - then u use that recording as a policy for your security manager - now run the application with security manager. So my question is: are there recent alternatives to this, or other good practices? mvg, Wim
Re: Context parameter override?
Mark Eggers wrote: On 9/10/2014 8:40 AM, sbre...@hotmail.com wrote: Hello We have a setup which compiles WAR applications once and deploys them in various environments. Each environment has its own per application Log4j configuration (WARN for production, DEBUG for development etc.) which should survive application redeployment. So far the solution is:

webapps/myapp/WEB-INF/web.xml

    ...
    <context-param>
      <param-name>log4jConfigLocation</param-name>
      <param-value>file:///opt/tomcat6/conf/myapp/log4j.xml</param-value>
    </context-param>
    ...

Pretty standard, works. Question is, how can I make sure the Log4j configuration path is not hard coded in the 'web.xml' at development time. Idea was:

webapps/myapp/META-INF/context.xml

    ...
    <Parameter name="log4jConfigLocation" value="file://TBD" />
    ...

and change it after the application deployment:

conf/Catalina/localhost/myapp.xml

    ...
    <Parameter name="log4jConfigLocation" value="file:///opt/tomcat6/conf/myapp/log4j.xml" />
    ...

Tomcat simply ignores both of these context XML files, or at least the parameters defined in them. I read through all mailing lists, all documentations, switched on debug to the 'finest' level, still no avail. How difficult can this be?

Details:
Server version: Apache Tomcat/6.0.35
Server built: Nov 28 2011 11:20:06
Server number: 6.0.35.0
OS Name: Linux
OS Version: 2.6.18-348.el5
Architecture: amd64
JVM Version: 1.6.0_30-b12
JVM Vendor: Sun Microsystems Inc.

Cheers B.

I'm just noodling - haven't tried this. Your mileage may vary, void where prohibited, etc., etc., etc. How about:

1. use Parameter in context.xml to set the logging level: <Parameter name="LoggingLevel" value="DEBUG" override="false"/>
2. Write a servlet context listener to read the parameter
3. Set the logging level accordingly

Place the servlet context listener as the first one in your web.xml so the new logging level is set before any other logging occurs. This way your log4j.xml doesn't have to change, and you can just use an appropriate $CATALINA_BASE/conf/Catalina/[hostname]/[appname].xml to set the desired logging level. This seems as if it should work. . . . just my two cents /mde/

Mark, I was watching this thread, because I think that the original question has a wider scope, which has been touched a few times in the past, but to which I have never seen a really convincing answer.

Example : I have customers who are security-conscious, and I do not have access to their servers. When I need to send them an application update, it must be in the form of a WAR, which the local sysadmins then deploy on the server. But in that application, there is a third-party authentication servlet filter, which requires 3 parameters in web.xml :
- the FQDN of an authentication server
- a login on that authentication server
- a password for that login

This is specific to each customer. (Of course, there are plenty more parameters in web.xml which are not customer-specific, but may change with a new version of the app). So I cannot make a single WAR, and just send it to all. I have (for now) to create a separate WAR for each customer. And I have to know their password, which they do not like. Otherwise, my customer sysadmins would have to unpack the WAR, edit web.xml to insert their specific values, and re-pack the WAR. Which they do not like to do either. My customers also do not like a solution consisting in having these parameters defined somehow as JVM properties that must be given on the java command-line, because then any user with a console on the server can see them by doing a simple ps -ef.

So, yes, there are a lot of things which they don't like. But such it is, and I am only a small supplier happy to have them as customer, and I do not want to pick a fight with the sysadmins. Because that's like picking a fight with a waiter in a restaurant (*).

So is there an easy generic way to solve this, without having to write some specific code to do it ? (which I think would also solve the OP's problem)

(*) I once heard one say to a colleague : Did you see ? he ate it.
Re: Why does mod_jk bypass Apache authorization?
Daniel Pfeiffer wrote: Since switching from Apache 2.2, authorization gets bypassed for many JkMounts (except jk-status). If I cancel the browser password popup, I get a 401-page. It is not, as I expect, the one from Apache, but instead from JBoss, which it shouldn't have been allowed to talk to. (I found this because unauthorized users are talking to JBoss.) On the receiving end we have both JBoss 4 and Wildfly 7. This is both with Apache/2.4.3 (Unix) mod_jk/1.2.37 and Apache/2.4.10 (Unix) mod_jk/1.2.40. Configuration is always like

    <Location /XYZ/*>
      JkMount XYZ
      AuthType basic
      AuthUserFile conf/passwd/XYZ
      AuthName "XYZ security"
      Require valid-user
    </Location>

I even have a case where the identical setup (worker definition, Location, file permission and content) works on 2.4.3 but not on 2.4.10. For other JkMounts both versions behave wrongly. If I raise the debug level, I don't see anything about how it parses this. When I call the URL, it says there is no directive protecting it. It doesn't make a difference whether AuthName is the same as the Realm in JBoss or not.

Hi. I think that the problem may be the scope of the JkMount that you have above. I do not think that it is limited to your Location section. It may be global, even when it is in that section. Can you try instead :

    <Location /XYZ/*>
      SetHandler jakarta-servlet
      AuthType basic
      AuthUserFile conf/passwd/XYZ
      AuthName "XYZ security"
      Require valid-user
    </Location>

See here for more details : https://tomcat.apache.org/connectors-doc/reference/apache.html section : Using SetHandler and Environment Variables
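A static check for the configuration patterns this thread identified, added here as an example; it is not part of any post above and is not mod_jk or httpd code. The sample configuration, the finding codes and the function names are constructed for illustration, and the parser assumes only Location and LocationMatch sections, with no Include handling or nested containers.

```python
import re

# Constructed sample httpd configuration (not taken from a real server).
SAMPLE_CONF = """\
<Location /XYZ/*>
    JkMount XYZ
    AuthType basic
    AuthUserFile conf/passwd/XYZ
    AuthName "XYZ security"
    Require valid-user
</Location>

<Location /reports>
    AuthType basic
    AuthUserFile conf/passwd/reports
    AuthName "reports"
    Require valid-user
</Location>

JkMount /reports/* worker1
JkMount /open/* worker2
"""

OPEN_RE = re.compile(r"<(LocationMatch|Location)\s+(.+?)>$", re.I)
CLOSE_RE = re.compile(r"</(LocationMatch|Location)>$", re.I)


def parse(conf):
    """Split config text into Location sections and top-level directives.

    Each directive is stored as (line_number, lowercase_name, [args]).
    """
    sections, top_level, current = [], [], None
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            arg = opened.group(2).strip()
            current = {
                "line": no,
                "path": arg.strip('"'),
                # LocationMatch and "Location ~" take regular expressions.
                "regex": opened.group(1).lower() == "locationmatch" or arg.startswith("~"),
                "directives": [],
            }
            sections.append(current)
        elif CLOSE_RE.match(line):
            current = None
        else:
            parts = line.split()
            target = current["directives"] if current is not None else top_level
            target.append((no, parts[0].lower(), parts[1:]))
    return sections, top_level


def requires_auth(section):
    """True if the section carries a Require other than 'all granted'."""
    for _, name, args in section["directives"]:
        if name == "require" and [a.lower() for a in args] != ["all", "granted"]:
            return True
    return False


def covered_by_auth(path, sections):
    """True if a plain (non-regex, non-wildcard) protected Location covers path."""
    for sec in sections:
        if sec["regex"] or "*" in sec["path"] or not requires_auth(sec):
            continue
        prefix = sec["path"].rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def audit(conf):
    """Return sorted (line, code, message) findings for the thread's patterns."""
    sections, top_level = parse(conf)
    findings = []
    for sec in sections:
        for no, name, args in sec["directives"]:
            if name == "jkmount" and len(args) == 1:
                findings.append((no, "JKMOUNT_IN_LOCATION",
                                 "one-argument JkMount inside a Location: mod_jk maps "
                                 "the URL itself; consider SetHandler jakarta-servlet"))
        if requires_auth(sec) and not sec["regex"] and sec["path"].endswith("/*"):
            findings.append((sec["line"], "WILDCARD_LOCATION",
                             "protected plain Location ends in /*; the thread found "
                             "this did not cover the mounted URLs"))
    for no, name, args in top_level:
        if name == "jkmount" and len(args) == 2:
            base = re.sub(r"/\*$", "", args[0]) or "/"
            if not covered_by_auth(base, sections):
                findings.append((no, "JKMOUNT_UNPROTECTED",
                                 "no protected plain Location covers this mount; "
                                 "confirm it is meant to be reachable without auth"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, code, message in audit(SAMPLE_CONF):
        print(f"line {line_no}: {code}: {message}")
```

The /reports pair in the sample is the arrangement Daniel Pfeiffer reports settling on later in the thread (two-argument JkMount with /*, Location without), which is why it produces no finding.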
Re: Stop writing System.our and System.err in catalina.out
Vijay Kumar wrote: Hi, I have deployed one web application in Tomcat which uses JULI logger internally for application level logging. I can change the Mode to OFF while going to production. But there are few System.out.println statements along with e.printStackTrace which are writing in catalina.out file. This is causing to shutdown Tomcat when catalina.out file grows huge. Can any one suggest me how to stop writing these statement in catalina.out file.

Search the list archives ?
Re: Logging Issue in Tomcat v7.0.0.32
Hi. Sorry for top-posting, in this case it's easier to read. Bomma, Nithun wrote: The tomcat-users.xml is an XML file (as its name hints at). This is a valid XML comment :

<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the License); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -->

This is not a valid XML comment :

#tomcat-users #user name=admin password=Admin123 roles=admin-gui,manager-gui /

Maybe it has something to do with the problem ? Doesn't any of the Tomcat logfiles mention anything about this, when you start Tomcat ?
Re: Share point integration
NK V wrote: Hi All I have a requirement where I need to access share point 2013 site in one of the site developed on Tomcat Server. Site on Tomcat server has its own authentication mechanism and share point 2013 is authenticated via LDAP. Any ideas on how to get the share point website into a website running on Tomcat. Any help in this regard is appreciated.

As phrased, your question does not make very clear what exactly you want to do, nor how this is a real Tomcat question. Both Tomcat and Sharepoint are webservers, independent of one another. Accessing Sharepoint in Tomcat is a bit confusing. Or is your question more about the authentication ? Again, it's not very clear what you want, and/or what you want from this list.
Re: UTF-8 encoded request URI
Lulseged Zerfu wrote: Hi I am getting bad request from tomcat when I send UTF-8 encoded request to my application. I have configured connector in my server.xml with URIEncoding=”UTF-8”. I have set charset in the request to UTF-8. How can I solve 400 Bad request? How can I tell tomcat to decode request URI instead of responding with 400 Bad request? I will appreciate any help. I am using tomcat 8.0.11 on windows 8 x64. I have also tried with tomcat 7.0.55. BR Lulseged

Hi. To post to this list, you should probably set your email program to send messages as plain text. That would make it easier to read them.

About your question : If Tomcat responds that the request is invalid, then it probably is. So the question is not how to make Tomcat consider it as valid, but rather how to generate a valid request, from the client side. You do not provide the real request that results in such a Tomcat response, so it is difficult to tell. If I had to guess, I would guess that it is the page in which there is the link that you click, to generate this error in Tomcat, that is not correct. Maybe the page says that it is UTF-8, but the link itself (in the a href=... that you click on) is in another encoding, or vice-versa ? It may also be wrongly URL-encoded.
Re: question on different version of tomcat running on the same pc
Christopher Schultz wrote: André, On 8/19/14, 7:06 PM, André Warnier wrote: Christopher Schultz wrote: Shawn, On 8/19/14, 2:31 PM, NEW IT wrote: So you meant after I fired up the Tomcat 7 then change the environment variables for the version 6 and startup there too?

Yes, you can do that, but...

CATALINA_HOME could set to version 7 and CATALINA_BASE set to version 6 OK?

No, CATALINA_BASE has to agree with CATALINA_HOME's configuration. So you can't for example create a setup under /opt/tomcats/mywebapp/ and then launch with CATALINA_BASE=/opt/tomcats/mywebapp/ under both Tomcat 6 and Tomcat 7. The reason is that server.xml usually contains certain things that are version-specific. But, if you want to deploy the same web application to Tomcat 6 and Tomcat 7, you could do something like this:

    $ export JAVA_HOME=/opt/java-7
    $ export CATALINA_HOME=/opt/apache-tomcat-7.0.55
    $ export CATALINA_BASE=/opt/tomcats/mywebapp-tc7/
    $ $CATALINA_HOME/bin/startup.sh
    $ export JAVA_HOME=/opt/java-6
    $ export CATALINA_HOME=/opt/apache-tomcat-6.0.41
    $ export CATALINA_BASE=/opt/tomcats/mywebapp-tc6/
    $ $CATALINA_HOME/bin/startup.sh

This will launch Tomcat 6 on Java 6 with your webapp configured in mywebapp-tc6 and a similar setup with later versions for mywebapp-tc7. -chris

On Tue, Aug 19, 2014 at 10:43 AM, Christopher Schultz ch...@christopherschultz.net wrote: To whom it may concern, On 8/19/14, 1:32 PM, NEW IT wrote: Besides setting for the 2 different ports, how do deal with the Environment Variables of Path, CATALINA_HOME? They are having the values for the 7 for now and JAVA_HOME could be using the the same one for Tomcat 7 and 6?

You can do anything you want, here. CATALINA_HOME specifies where the Tomcat installation is. CATALINA_BASE specifies where your local deployment goes: this allows you to use a single CATALINA_HOME with multiple Tomcat instances running with separate configurations (those with different CATALINA_BASEs). JAVA_HOME specifies the JVM to use. You can set the above environment variables, launch Tomcat, then set them to other values and launch another instance of Tomcat. You can change your JVM, Tomcat version, etc. whenever you want. Once the JVM is launched, that process is independent of the shell you used to launch it. On our development servers, we have multiple developers with multiple per-webapp JVMs running all off the same CATALINA_HOME under different JVMs. All you have to worry about is the port settings in each CATALINA_BASE/conf/server.xml. Hope that helps, -chris

The subject says on the same pc. Now that is not a guarantee that we are talking about Windows here, but at least a strong suspicion. In such a case, there is the question of whether this relates to running Tomcat as a Windows Service, or in a command window, or both. So this may all be a bit more complicated than meets the eye.

While that may be true, that's an implementation detail (e.g. Windows Service versus Debian Linux package-maintained service, etc.). The point is that Tomcat can in fact be run side-by-side on the same machine: the mechanisms exist to do so... you may have to work a bit to get it working with your deployment strategy.

I understand that. What I meant is that the OP may need some guidance as to what parameters / environment variables / system variables etc.. are used when running as a Windows Service, or in a Windows command window e.g. For example, if running Tomcat in a command window, then the file bin/setenv.bat would be run if it exists. But when running as a Service, it won't. (Neither do I know how you would have to set CATALINA_HOME e.g., if you have 2 different Tomcats running as Services; neither in fact whether it matters in that case).
Re: question on different version of tomcat running on the same pc
Caldarale, Charles R wrote:

From: Neven Cvetkovic [mailto:neven.cvetko...@gmail.com]
Subject: Re: question on different version of tomcat running on the same pc

Hope this helps.

You deserve a medal for the clear and precise descriptions. Would you consider adding this to the Tomcat Wiki, perhaps on this page? http://wiki.apache.org/tomcat/HowTo#Installation

+1

Now all that's left to do is for someone to make a version of this that works for installing and starting the same as Windows Services. Despite what Christopher wrote - which is basically right - there is still some tricky element there, in that you cannot set the system-wide environment variables JAVA_HOME, CATALINA_HOME and CATALINA_BASE. If you do, then each of the respective (tomcat6, tomcat7, tomcat8) service.bat will use the set values, and never prompt for another.

I have not actually tested this scenario, but looking at the code of the service.bat file, I believe that in case you install multiple Tomcat services, there is a potential for misbehaving there (for example, it requires JAVA_HOME to be set, but which one ?).
Re: How to get the configured HTTP and HTTPS port numbers in server.xml from Java code at runtime
Cassian Raja Thomas wrote:

In our project, we have implemented SOAP webservices using Apache CXF framework. Clients used to request the server for some command execution. The request consists of host, port and the protocol used for connection. If the client uses a HTTPS configured port number and specify the protocol as HTTP, then we get a connection refused - socket exception as expected. But, I need to throw a proper error message like Unable to connect to host XYZ with port ABC using http protocol. For this, I need to get the configured http and https port numbers from tomcat server.xml file at runtime and then compare it with my request parameters. Anyone, please help me out on how to do that?

I think that you are chasing windmills (attempting something impossible), because if the connection is refused, the Tomcat code itself probably never even sees this. The connection refused message is coming from your own client's TCP/IP stack.
Re: question on different version of tomcat running on the same pc
Christopher Schultz wrote:

Shawn,

On 8/19/14, 2:31 PM, NEW IT wrote:

So you meant after I fired up the Tomcat 7 then change the environment variables for the version 6 and startup there too?

Yes, you can do that, but...

CATALINA_HOME could set to version 7 and CATALINA_BASE set to version 6 OK?

No, CATALINA_BASE has to agree with CATALINA_HOME's configuration. So you can't for example create a setup under /opt/tomcats/mywebapp/ and then launch with CATALINA_BASE=/opt/tomcats/mywebapp/ under both Tomcat 6 and Tomcat 7. The reason is that server.xml usually contains certain things that are version-specific.

But, if you want to deploy the same web application to Tomcat 6 and Tomcat 7, you could do something like this:

$ export JAVA_HOME=/opt/java-7
$ export CATALINA_HOME=/opt/apache-tomcat-7.0.55
$ export CATALINA_BASE=/opt/tomcats/mywebapp-tc7/
$ "$CATALINA_HOME"/bin/startup.sh

$ export JAVA_HOME=/opt/java-6
$ export CATALINA_HOME=/opt/apache-tomcat-6.0.41
$ export CATALINA_BASE=/opt/tomcats/mywebapp-tc6/
$ "$CATALINA_HOME"/bin/startup.sh

This will launch Tomcat 6 on Java 6 with your webapp configured in mywebapp-tc6 and a similar setup with later versions for mywebapp-tc7.

-chris

On Tue, Aug 19, 2014 at 10:43 AM, Christopher Schultz ch...@christopherschultz.net wrote:

To whom it may concern,

On 8/19/14, 1:32 PM, NEW IT wrote:

Besides setting for the 2 different ports, how do I deal with the Environment Variables of Path, CATALINA_HOME? They are having the values for the 7 for now and JAVA_HOME could be using the same one for Tomcat 7 and 6?

You can do anything you want, here. CATALINA_HOME specifies where the Tomcat installation is. CATALINA_BASE specifies where your local deployment goes: this allows you to use a single CATALINA_HOME with multiple Tomcat instances running with separate configurations (those with different CATALINA_BASEs). JAVA_HOME specifies the JVM to use.

You can set the above environment variables, launch Tomcat, then set them to other values and launch another instance of Tomcat. You can change your JVM, Tomcat version, etc. whenever you want. Once the JVM is launched, that process is independent of the shell you used to launch it.

On our development servers, we have multiple developers with multiple per-webapp JVMs running all off the same CATALINA_HOME under different JVMs. All you have to worry about is the port settings in each CATALINA_BASE/conf/server.xml.

Hope that helps,
-chris

The subject says on the same pc. Now that is not a guarantee that we are talking about Windows here, but at least a strong suspicion. In such a case, there is the question of whether this relates to running Tomcat as a Windows Service, or in a command window, or both. So this may all be a bit more complicated than meets the eye.

On Sun, Aug 17, 2014 at 4:54 AM, André Warnier a...@ice-sa.com wrote:

NEW IT wrote:

Thanks Sapir for the fast and helpful answer!

On Sat, Aug 16, 2014 at 11:50 PM, Igal Sapir i...@getrailo.org wrote:

Sure, as long as each instance listens on a unique IP:port combination.

On Aug 16, 2014 11:25 PM, NEW IT newi...@gmail.com wrote:

Hello experts, For development purpose, I wonder if I could install and run Tomcat 6 and 7 the same time on my same development box?

You probably also want to use 2 different ports here : Server port=8005 shutdown=SHUTDOWN (see conf/server.xml)
Re: question on different version of tomcat running on the same pc
NEW IT wrote:

Thanks Sapir for the fast and helpful answer!

On Sat, Aug 16, 2014 at 11:50 PM, Igal Sapir i...@getrailo.org wrote:

Sure, as long as each instance listens on a unique IP:port combination.

On Aug 16, 2014 11:25 PM, NEW IT newi...@gmail.com wrote:

Hello experts, For development purpose, I wonder if I could install and run Tomcat 6 and 7 the same time on my same development box?

You probably also want to use 2 different ports here : Server port=8005 shutdown=SHUTDOWN (see conf/server.xml)
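The "unique IP:port combination" and shutdown-port advice in this thread can be checked before a second instance is started. The following is an added example, not code from the thread or from the Tomcat project: it parses each CATALINA_BASE's server.xml and reports listeners that would clash. The two sample configurations, the instance names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from itertools import combinations

# Constructed sample configs (not from the thread): two CATALINA_BASE
# directories whose conf/server.xml started from the same template.
TC7_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
  </Service>
</Server>"""

TC6_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8081" protocol="HTTP/1.1" redirectPort="8444"/>
    <Connector port="8009" protocol="AJP/1.3" address="192.168.1.10"/>
  </Service>
</Server>"""

# Assumption: a Connector with no address= binds every local address, which
# holds for the Tomcat 6/7 releases in this thread (later releases bind the
# AJP connector to loopback by default).
ANY = "*"


def listeners(server_xml):
    """Return [(role, address, port)] for each socket a server.xml opens."""
    root = ET.fromstring(server_xml)
    found = []
    shutdown_port = int(root.get("port", "8005"))
    if shutdown_port > 0:  # port="-1" disables the shutdown listener
        found.append(("shutdown", root.get("address", "localhost"), shutdown_port))
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if port is None:
            continue  # nothing to compare without an explicit port
        role = conn.get("protocol", "HTTP/1.1")
        found.append((role, conn.get("address", ANY), int(port)))
    return found


def _norm(address):
    # The shutdown listener defaults to "localhost"; compare it as loopback.
    return "127.0.0.1" if address == "localhost" else address


def overlaps(a, b):
    """Two listeners clash on the same port if either is a wildcard bind
    or both name the same address."""
    if a[2] != b[2]:
        return False
    addr_a, addr_b = _norm(a[1]), _norm(b[1])
    return ANY in (addr_a, addr_b) or addr_a == addr_b


def find_collisions(instances):
    """instances maps an instance name to its server.xml text.
    Returns [(name_a, listener_a, name_b, listener_b)] for every clash."""
    parsed = {name: listeners(text) for name, text in instances.items()}
    hits = []
    for (name_a, ls_a), (name_b, ls_b) in combinations(parsed.items(), 2):
        for a in ls_a:
            for b in ls_b:
                if overlaps(a, b):
                    hits.append((name_a, a, name_b, b))
    return hits


if __name__ == "__main__":
    samples = {"mywebapp-tc7": TC7_SERVER_XML, "mywebapp-tc6": TC6_SERVER_XML}
    for name_a, a, name_b, b in find_collisions(samples):
        print(f"{name_a} {a} clashes with {name_b} {b}")
```

With the constructed samples only the shutdown port clashes: the two AJP connectors share port 8009 but bind different addresses.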
Re: JKS keystore password Encryption
Mark Thomas wrote:

On 14/08/2014 15:46, George Sexton wrote:

On 8/14/2014 8:33 AM, Mark Thomas wrote:

On 14/08/2014 15:10, George Sexton wrote:

graph. Can you help me understand why tomcat doesn't take the approach of Apache httpd which is to ask the user for the decryption key at startup time?

Because it is largely a waste of time. Anyone with root on the box can do a heap dump and retrieve the actual key or the password used to protect the key. Much simpler just to not bother with a password and configure the key file so only root and the Tomcat user can read it. Same ends, simpler means.

The issue with root makes sense. Thanks for explaining it to me. The case I see it being an improvement is where there's a defect in the web server that makes the file available to the uid the tomcat process runs under. Using tomcat as an example, say there were some directory traversal bug that would make the file available. Using httpd as an example, say there were some stack overflow bug in PHP that could be exploited.

With httpd that attack wouldn't work as the worker processes run as a different user to the main process which runs as root. Only the main process can read the key file.

In Tomcat I think (but have never tested) that Commons Daemon can do a similar thing. It starts as root, reads the keystore and then drops to non-root. The problem with that is that if the connector needs to be restarted you have to restart the entire process. A similar issue with restarting the connector exists with the 'enter the password on the command line' solution.

To look at it another way, I don't think the benefit is worth the effort necessary to implement it.

advert I believe Pivotal's (my employer) tc Server product which is based on Tomcat does offer an enter the password on start-up option of some form. /advert

In which cases, humans being humans, the password probably ends up on a Post-It stuck on the console..
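The thread's recommendation is to rely on file permissions, so that only root and the Tomcat user can read the key file. The following is an added example, not code from the thread or from Tomcat, that audits a keystore file against that rule. The function names, the uid/gid values and the fake_stat helper are constructed for illustration, and it assumes a POSIX system.

```python
import os
import stat


def check_key_file(st, allowed_owner_uids, tomcat_gid):
    """Return a list of findings for one os.stat_result; empty means OK.

    Policy taken from the thread: only root and the Tomcat user may read
    the key file. Group access is accepted only for the Tomcat group.
    """
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file (symlink, directory or device)")
    if st.st_uid not in allowed_owner_uids:
        findings.append(f"owned by unexpected uid {st.st_uid}")
    if mode & stat.S_IRWXO:
        findings.append(f"accessible to all users (mode {mode:04o})")
    if mode & stat.S_IRWXG and st.st_gid != tomcat_gid:
        findings.append(f"group access granted to gid {st.st_gid}, not the Tomcat group")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by someone other than the owner")
    return findings


def audit_keystore(path, allowed_owner_uids, tomcat_gid):
    """Audit the keystore at `path`.

    lstat is used so that a symlink put in place of the keystore is
    reported instead of being followed.
    """
    return check_key_file(os.lstat(path), allowed_owner_uids, tomcat_gid)


def fake_stat(mode, uid, gid):
    """Build a constructed os.stat_result for demonstrations and tests."""
    # Field order: mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


if __name__ == "__main__":
    TOMCAT_UID = TOMCAT_GID = 998  # constructed ids for the Tomcat account
    samples = {
        "default umask, root:root 0644": fake_stat(stat.S_IFREG | 0o644, 0, 0),
        "hardened, root:tomcat 0640": fake_stat(stat.S_IFREG | 0o640, 0, TOMCAT_GID),
    }
    for label, st in samples.items():
        problems = check_key_file(st, {0, TOMCAT_UID}, TOMCAT_GID)
        print(label, "->", problems or "OK")
```

This check covers only the file itself; as the thread notes, anyone with root on the box can still recover the key from a heap dump.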
Re: Help me to understand why Tomcat is creating random WEB-INF folders.
Rene Scheffler wrote:

Hey guys, i just added some entries to the default web.xml and server.xml. [...]

I do not have a lot of time today, so I'll let someone else pick apart what you did, and maybe try to figure out why what you did created WEB-INF directories all over the place.

But there are a few general principles in Tomcat, which are not always very explicit in the standard documentation (*), but which are quite important nevertheless, to understand how it works.

(*) they are there if you know where to look, but it takes a while before you get to that point.

1) whatever you put in server.xml is really top-level with Tomcat. That file is read only when Tomcat starts, so whatever you put in there is static, and cannot be undone later (unless you reboot Tomcat). So the general idea is : you should only put there what really needs to be there, and not more. For example, Host's need to be there, but anything to do with web applications (or webapps or contexts) is better defined somewhere else.

2) Similarly, the generic conf/web.xml applies to *all* web applications running under your Tomcat. (it is merged with the individual web.xml's of each web application, before these applications are started). So there also, you should use caution when modifying it, because whatever you change will probably have far-reaching side-effects. And of course also because to undo what's in there, you need to restart the whole Tomcat.

3) when Tomcat starts, it scans its /webapps directory, and takes note of any sub-directory that it finds there (and also any WAR file, but let's leave this for later). In the absence of any further instructions, each of these sub-directory names becomes the name of a webapp, and that is later used by Tomcat to map a URL received by Tomcat, to one of these webapps. So for example if a client sends a request for "http://yourhost/name1/*", Tomcat is going to look for a webapp named name1, and if it finds it, it will pass the request to that webapp for processing. And if Tomcat does not find a webapp named name1, then it will pass the request to its default webapp, the one named ROOT (located in /webapps/ROOT/).

4) Once Tomcat has delegated the processing of a request to a specific webapp, another level of mapping takes place inside of that webapp, using the rest of the request URL (the part after "http://hostname/name1/..."). That's where the url-mapping elements, in the WEB-INF/web.xml of that webapp, enter in play. If Tomcat finds a mapping that matches one of the webapp's servlets, then that servlet will be called to process the request. If no specific mapping is found, then Tomcat will pass the request to the default servlet of that webapp (which is built-in in Tomcat, and automatically added to each webapp). (That is the servlet which just returns a static document from the filesystem).

So, I don't know CFML at all, and I don't know if this is the kind of application which wants to take over your whole Tomcat, and not leave anything to decide by any other webapp. But if it is not your intention to let CFML take over your whole Tomcat, then you should not make those changes in the general web.xml, but make them in the WEB-INF/web.xml *of your CFML webapp*, and not at any higher level.

And similarly, if there are things that need to be specified in the Context of your webapp, these things should normally go in ../webapps/yourwebapp/META-INF/context.xml, and not in the general server.xml.

And maybe read the page : https://tomcat.apache.org/tomcat-7.0-doc/deployer-howto.html (although it is not for the faint of heart) and particularly the section A word on Contexts.
Re: Help me to understand why Tomcat is creating random WEB-INF folders.
Rene Scheffler wrote:

Hey! I installed apache-tomcat-7.0.47 on debian and also installed and configured railo 4.1.1.009. I added the servlet for CFML and now i ended up with lots of WEB-INF directories in my tomcat directory and the subdirectories. A find gives me the following output :

./lib/WEB-INF
./bin/WEB-INF
./work/WEB-INF
./logs/WEB-INF
./temp/WEB-INF
./conf/WEB-INF
./default/examples/WEB-INF
./default/WEB-INF
./default/manager/WEB-INF
./default/host-manager/WEB-INF
./default/ROOT/WEB-INF
./default/docs/appdev/sample/web/WEB-INF
./default/docs/WEB-INF
./webapps/WEB-INF
./webapps/ROOT/WEB-INF

The tomcat takes quite a while (350s) to start up and this is really starting to annoy me. So, what's this and what are some common settings to achieve a faster start up of the tomcat?

Here is a 3-part response, each part to be considered separately :

1) a WEB-INF sub-directory, is a normal sub-directory of any web application. So, *some* of the ones which you list above, are expected and normal. (Like ./webapps/ROOT/WEB-INF for example) But, for example, it is not expected to have a (tomcat_directory)/bin/WEB-INF directory.

2) it looks very much as if the installation script used for whatever you added to Tomcat, did not do its job correctly, and added a WEB-INF directory everywhere, even where it should not have done that. Can you de-install that package, and see if it removes all these things ? If not, then I would suggest to remove Tomcat completely (and all the subdirectories and links which the package installed just about everywhere), and start anew. A question : did you also use a Debian package (with apt-get e.g.) to install CFML ?)

3) the question of Tomcat taking a long time to start may be due to all the unexpected stuff above. So I would keep that question for later, when your installation is clean again.
Re: Help me to understand why Tomcat is creating random WEB-INF folders.
André Warnier wrote:

Rene Scheffler wrote:

Hey! I installed apache-tomcat-7.0.47 on debian and also installed and configured railo 4.1.1.009. I added the servlet for CFML and now i ended up with lots of WEB-INF directories in my tomcat directory and the subdirectories. A find gives me the following output :

./lib/WEB-INF
./bin/WEB-INF
./work/WEB-INF
./logs/WEB-INF
./temp/WEB-INF
./conf/WEB-INF
./default/examples/WEB-INF
./default/WEB-INF
./default/manager/WEB-INF
./default/host-manager/WEB-INF
./default/ROOT/WEB-INF
./default/docs/appdev/sample/web/WEB-INF
./default/docs/WEB-INF
./webapps/WEB-INF
./webapps/ROOT/WEB-INF

The tomcat takes quite a while (350s) to start up and this is really starting to annoy me. So, what's this and what are some common settings to achieve a faster start up of the tomcat?

Here is a 3-part response, each part to be considered separately :

1) a WEB-INF sub-directory, is a normal sub-directory of any web application. So, *some* of the ones which you list above, are expected and normal. (Like ./webapps/ROOT/WEB-INF for example) But, for example, it is not expected to have a (tomcat_directory)/bin/WEB-INF directory.

2) it looks very much as if the installation script used for whatever you added to Tomcat, did not do its job correctly, and added a WEB-INF directory everywhere, even where it should not have done that. Can you de-install that package, and see if it removes all these things ? If not, then I would suggest to remove Tomcat completely (and all the subdirectories and links which the package installed just about everywhere), and start anew. A question : did you also use a Debian package (with apt-get e.g.) to install CFML ?)

3) the question of Tomcat taking a long time to start may be due to all the unexpected stuff above. So I would keep that question for later, when your installation is clean again.

Addendum : Installing packages like Tomcat etc. via the Debian apt-get is nice and easy. But

1) the version of Tomcat that you get that way, is generally not the most recent one

2) Debian packages have a tendency to install things all over the place, with lots of symlinks between these places (/etc/tomcat, /var/lib/tomcat, /usr/share/tomcat, etc..)

3) if you then use an installation script for some add-on, which is not really designed to understand this Debian layout, you probably get a mess like the one you mentioned.

In that case, it may be better to install the latest Tomcat from the official Tomcat website version, which installs everything in one directory (like /usr/local/tomcat or similar), and then install the add-ons by hand there also. But then of course, you are on your own for startup scripts etc..
Re: Help me to understand why Tomcat is creating random WEB-INF folders.
Rene Scheffler wrote:

Hallo André and thanks for your fast response, I'm sorry i didn't provide any more info on that. We've installed manually, i downloaded the tomcat from the apache website (we've got some picky customers and we've made some stable experiences with that tomcat version, hence we didn't install it via apt-get).

I managed to figure out, that some part of the configuration used in the web.xml/server.xml was responsible for the creation of that many WEB-INF folders. I did all the configuration manually, following resources like http://corfield.org/entry/Railo_on_Tomcat__multiweb stated here. We got 7 websites running and when i reduced it to 1 site, the startup time went from 350s to barely 1 minute. But still, 1 minute is quite a long time for a server startup.

Right now I'm configuring the prepacked Railo Server with Tomcat and try to get some more info on how to properly configure our own Tomcat.

You may want to read this then : http://wiki.apache.org/tomcat/HowTo/FasterStartUp
Re: Help me to understand why Tomcat is creating random WEB-INF folders.
Mark Thomas wrote:

On 13/08/2014 17:24, Rene Scheffler wrote:

Hallo André and thanks for your fast response, I'm sorry i didn't provide any more info on that. We've installed manually, i downloaded the tomcat from the apache website (we've got some picky customers and we've made some stable experiences with that tomcat version, hence we didn't install it via apt-get). I managed to figure out, that some part of the configuration used in the web.xml/server.xml was responsible for the creation of that many WEB-INF folders.

Not possible. Tomcat never adds a WEB-INF folder to a directory that doesn't already contain one.

So, for directories that already contain one, it sometimes does ? (Just kidding)

Getting back to what Rene wrote above, my guess would be that whatever script was installing CFML, may have read the web.xml/server.xml, misinterpreted it/them, and decided to add these WEB-INF directories where it shouldn't have.
Re: Websocket impl limits message rate?
Messinides, Mike wrote:

Tomcat 7.0.54/JVM 1.7.0_51-b13/Win2008x64

I have a websocket server endpoint in Tomcat and a Tyrus 1.7 client. When I try to send text messages from the Tyrus client to Tomcat, it appears that messages get dropped when sent at a rate greater than 1 every ten seconds.

I cannot comment on the base issue, but it seems that you should be a bit more specific here, about how you are determining this. Why do you think / how do you know, that messages are being dropped at the Tomcat level ?

Is there configuration that limits the rate of messages from clients? Couldn't find in docs and I don't see it in source, but suspect it might be DOS prevention. Perhaps this is a Tyrus limit, but please let me know if you know of limits or config in Tomcat. Thanks.
Re: Apache Tomcat 6.0 Tomcat6 service stopped unexpectedly in windows server 2012
Alapan Sur wrote:

Hi Team, We have .Net application consuming tomcat solr3.5 services and deployed on Windows Server 2012. It is a 64 bit machine with 32 GB RAM and Tomcat version is 6 and is installed at :C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0. During the peak load, the solr service stops/unresponsive and it is happening very frequently. We didn't find any error logs in windows event viewer but in tomcat logs we got the following exception :

Aug 06, 2014 10:51:18 AM org.apache.solr.common.SolrException log
SEVERE: ClientAbortException: java.net.SocketException: Software caused connection abort: socket write error
    at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:369)
    at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:339)
    at org.apache.catalina.connector.OutputBuffer.writeBytes(OutputBuffer.java:392)
    at org.apache.catalina.connector.OutputBuffer.write(OutputBuffer.java:381)
    at org.apache.catalina.connector.CoyoteOutputStream.write(CoyoteOutputStream.java:89)
    at sun.nio.cs.StreamEncoder.writeBytes(Unknown Source)
    at sun.nio.cs.StreamEncoder.implWrite(Unknown Source)
    at sun.nio.cs.StreamEncoder.write(Unknown Source)
    at java.io.OutputStreamWriter.write(Unknown Source)
    at org.apache.solr.common.util.FastWriter.write(FastWriter.java:55)
    at org.apache.solr.common.util.FastWriter.write(FastWriter.java:50)
    at org.apache.solr.response.XMLWriter.startTag(XMLWriter.java:269)
    at org.apache.solr.response.XMLWriter.writePrim(XMLWriter.java:780)
    at org.apache.solr.response.XMLWriter.writeInt(XMLWriter.java:691)
    at org.apache.solr.response.XMLWriter.writeVal(XMLWriter.java:565)
    at org.apache.solr.response.XMLWriter.writeNamedList(XMLWriter.java:621)
    at org.apache.solr.response.XMLWriter.writeVal(XMLWriter.java:594)
    at org.apache.solr.response.XMLWriter.writeNamedList(XMLWriter.java:621)
    at org.apache.solr.response.XMLWriter.writeVal(XMLWriter.java:594)
    at org.apache.solr.response.XMLWriter.writeNamedList(XMLWriter.java:621)
    at org.apache.solr.response.XMLWriter.writeVal(XMLWriter.java:594)
    at org.apache.solr.response.XMLWriter.writeResponse(XMLWriter.java:132)
    at org.apache.solr.response.XMLResponseWriter.write(XMLResponseWriter.java:35)
    at org.apache.solr.servlet.SolrDispatchFilter.writeResponse(SolrDispatchFilter.java:343)
    at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:265)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.net.SocketException: Software caused connection abort: socket write error
    at java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.net.SocketOutputStream.socketWrite(Unknown Source)
    at java.net.SocketOutputStream.write(Unknown Source)
    at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:761)
    at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:448)
    at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:363)
    at org.apache.coyote.http11.InternalOutputBuffer$OutputStreamOutputBuffer.doWrite(InternalOutputBuffer.java:785)
    at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:126)
    at org.apache.coyote.http11.InternalOutputBuffer.doWrite(InternalOutputBuffer.java:598)
    at org.apache.coyote.Response.doWrite(Response.java:560)
    at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:364)
    ... 36 more
Aug 06, 2014 10:51:29 AM org.apache.solr.common.SolrException log
SEVERE: java.lang.OutOfMemoryError: Java heap space
    at org.apache.lucene.search.ExactPhraseScorer.<init>(ExactPhraseScorer.java:38)
    at org.apache.lucene.search.PhraseQuery$PhraseWeight.scorer(PhraseQuery.java:227)
    at org.apache.lucene.search.BooleanQuery$BooleanWeight.scorer(BooleanQuery.java:298)
    at org.apache.lucene.search.IndexSearcher.search(IndexSearcher.java:577)
    at org.apache.lucene.search.IndexSearcher.search(IndexSearcher.java:364)
    at org.apache.solr.search.SolrIndexSearcher.getDocListAndSetNC(SolrIndexSearcher.java:1408)
    at
Re: Apache Tomcat 6.0 Tomcat6 service stopped unexpectedly in windows server 2012
Luciano,

1) try to not top-post on this list. See https://tomcat.apache.org/lists.html#tomcat-users, item # 6

2) Luciano Fioriti wrote:

Hi, try to increase Maximum number of threads in server.xml bie

Not so fast... Tomcat is indeed running out of threads, as the last INFO message indicates. But this is probably more a *symptom* of some other underlying issue, as shown by the previous exceptions. Don't treat the symptom, treat the cause.

2014-08-07 6:57 GMT+02:00 Alapan Sur alapan@valuelabs.com:

Hi Team, We have .Net application consuming tomcat solr3.5 services and deployed on Windows Server 2012. It is a 64 bit machine with 32 GB RAM and Tomcat version is 6 and is installed at :C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0. During the peak load, the solr service stops/unresponsive and it is happening very frequently. We didn't find any error logs in windows event viewer but in tomcat logs we got the following exception :

Aug 06, 2014 10:51:18 AM org.apache.solr.common.SolrException log
SEVERE: ClientAbortException: java.net.SocketException: Software caused connection abort: socket write error at

this is ClientAbortException, happening (as the chain below seems to show) when the application is trying to write a response to the client (presumably the user browser). This generally happens when Tomcat tries to send back a response, but the client has already closed the connection. Which in turn may happen if the client has been waiting too long for this response (more than 2-3 minutes). (It can also happen if the human user of that browser got tired of waiting, and clicked somewhere else, or closed the window).

But a web application should not normally take so long to respond (or at least not without letting the user know that it can take long, or provide some kind of feedback while the user is waiting). So again, there is probably something else going on..
Re: Apache Tomcat 6.0 Tomcat6 service stopped unexpectedly in windows server 2012
Alapan Sur wrote:

Hi Andre, Thanks for the quick reply. I have verified the below requested memory related queries as suggested by you. The Initial memory pool and Maximum memory pool are empty and please find the attachment for the same.

This list usually strips attachments. Either paste the info in-line (if it is text), or load the attachments somewhere else and post a link.

We have checked the heap size with the command :

java -XX:+PrintFlagsFinal -version | findstr /i "HeapSize PermSize ThreadStackSize"

Can you please guide how to increase the java memory pool heap size to 1GB ?

I will, but please read this first, to understand how it works : http://wiki.apache.org/tomcat/FAQ/Windows#Q11 It will save you time in the end, and will save us further questions which are already answered. It will also explain why the numbers which you are getting with the above command, do not represent the same settings as your Tomcat, running as a Windows Service.

As a Windows Service, the JVM which runs Tomcat uses the settings which you see in the GUI program tomcat6w.exe (and which are stored in the Windows Registry). This same program tomcat6w.exe, is also the one which should appear as a little Tomcat icon on the task bar of your Windows server. Thus :

- call up this GUI program
- navigate to the java tab
- set Initial Memory pool and Maximum Memory pool to, for example, 1024 MB (or more). Use the same value for both.
- click OK
- then restart the Tomcat Service

Cheers, Alapan

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: 07 August 2014 13:47
To: Tomcat Users List
Subject: Re: Apache Tomcat 6.0 Tomcat6 service stopped unexpectedly in windows server 2012

Alapan Sur wrote:

Hi Team, We have .Net application consuming tomcat solr3.5 services and deployed on Windows Server 2012. It is a 64 bit machine with 32 GB RAM and Tomcat version is 6 and is installed at :C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0.
During the peak load, the solr service stops/unresponsive and it is happening very frequently. We didn't find any error logs in windows event viewer but in tomcat logs we got the following exception :

    Aug 06, 2014 10:51:18 AM org.apache.solr.common.SolrException log
    SEVERE: ClientAbortException: java.net.SocketException: Software caused connection abort: socket write error
        at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:369)
        at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:339)
        at org.apache.catalina.connector.OutputBuffer.writeBytes(OutputBuffer.java:392)
        at org.apache.catalina.connector.OutputBuffer.write(OutputBuffer.java:381)
        at org.apache.catalina.connector.CoyoteOutputStream.write(CoyoteOutputStream.java:89)
        at sun.nio.cs.StreamEncoder.writeBytes(Unknown Source)
        at sun.nio.cs.StreamEncoder.implWrite(Unknown Source)
        at sun.nio.cs.StreamEncoder.write(Unknown Source)
        at java.io.OutputStreamWriter.write(Unknown Source)
        at org.apache.solr.common.util.FastWriter.write(FastWriter.java:55)
        at org.apache.solr.common.util.FastWriter.write(FastWriter.java:50)
        at org.apache.solr.response.XMLWriter.startTag(XMLWriter.java:269)
        at org.apache.solr.response.XMLWriter.writePrim(XMLWriter.java:780)
        at org.apache.solr.response.XMLWriter.writeInt(XMLWriter.java:691)
        at org.apache.solr.response.XMLWriter.writeVal(XMLWriter.java:565)
        at org.apache.solr.response.XMLWriter.writeNamedList(XMLWriter.java:621)
        at org.apache.solr.response.XMLWriter.writeVal(XMLWriter.java:594)
        at org.apache.solr.response.XMLWriter.writeNamedList(XMLWriter.java:621)
        at org.apache.solr.response.XMLWriter.writeVal(XMLWriter.java:594)
        at org.apache.solr.response.XMLWriter.writeNamedList(XMLWriter.java:621)
        at org.apache.solr.response.XMLWriter.writeVal(XMLWriter.java:594)
        at org.apache.solr.response.XMLWriter.writeResponse(XMLWriter.java:132)
        at org.apache.solr.response.XMLResponseWriter.write(XMLResponseWriter.java:35)
        at org.apache.solr.servlet.SolrDispatchFilter.writeResponse(SolrDispatchFilter.java:343)
        at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:265)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java
Re: Increasing incoming connection request in a queue
Dhaval Jaiswal wrote: David, Resources are enough. what happened in current configurations, When I will receive more than 200 connections. Will it keep on hold or it will give the blank page. Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=8443 / Rather than keep asking the same question over and over again, should you not make an effort at trying to *understand* what is going on, and how it works ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: custom actions after accessed
Patcharee Thongtra wrote:

Hi, Is it possible to have Tomcat do some custom actions after a specific page/file is accessed/downloaded? If so, how to? Any suggestions are appreciated.

What kind of custom actions, for what kind of pages/files ? What prevents you from doing such custom actions in your own webapp/servlet, or in a servlet filter, after you have returned the response to the client ?
Re: custom actions after accessed
Patcharee Thongtra wrote:

On 08/04/2014 11:26 AM, André Warnier wrote:

Patcharee Thongtra wrote:

Hi, Is it possible to have Tomcat do some custom actions after a specific page/file is accessed/downloaded? If so, how to? Any suggestions are appreciated.

What kind of custom actions, for what kind of pages/files ? What prevents you from doing such custom actions in your own webapp/servlet, or in a servlet filter, after you have returned the response to the client ?

Actually I set my web app as directory listing

That's not very clear. Can you be more specific ?

and I would like to keep logs after users finish download files.

What kind of logs ? If it is information that the AccessLogValve /can/ log, then the easiest way to obtain what you want may be to just process the Access logfiles, and extract what you need.

I do not know how to do that in my web app. Any ideas?

As mentioned earlier, a java servlet filter may be the way to go. A servlet filter wraps your webapp, more or less like this :

    HTTP Request from client
         |
         v
    |--- servlet filter code ---
    |    |
    |    v
    |  webapp code (servlets)
    |    |
    |    v
    |--- servlet filter code ---
         |
         v
    HTTP Response to client

In other words :
- the filter sees the Request before your webapp does
- then the webapp processes the Request and produces a Response
- then the servlet filter sees the Response before it goes out

so you can do things like keeping info about the request/response, and log it somewhere if you wish. There are some examples of servlet filters shipped with Tomcat, which you could use as base for your own servlet filter code.

Note that when it is Tomcat itself which serves a request for a static file, this is also done by running a servlet : the default servlet. You can also wrap that one with a filter, as illustrated above.

Then I found tomcat is aware of downloading file done (logged in access log), so I thought maybe I can make Tomcat activate my servlet after the downloaded and the servlet logs the download activity.
There is no standard method for doing this in Tomcat, that you can just enable/disable by changing the configuration. But the whole of Tomcat is open-source, so you can use any part and modify it to do what you want. Maybe the AccessLogValve for example.
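The filter approach described in this message, as an added example that is not part of the original post or of Tomcat's own code. It assumes the Servlet 2.5/3.0 API shipped with Tomcat 6/7; the class name, logger name and log format are hypothetical.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter: class name, logger name and log format are assumptions.
// Declare it in WEB-INF/web.xml with <filter> and a <filter-mapping> whose
// url-pattern covers the download area; that mapping also wraps the default
// servlet when Tomcat itself serves the static file.
public class DownloadLogFilter implements Filter {

    private static final Logger LOG = Logger.getLogger("download-audit");

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        CountingResponse response = new CountingResponse((HttpServletResponse) res);
        boolean finished = false;
        try {
            chain.doFilter(request, response); // webapp or default servlet writes the file
            finished = true;
        } finally {
            // Reached after the response was produced, and also when writing failed
            // (for example the client closed the connection mid-download).
            LOG.info("download user=" + clean(request.getRemoteUser())
                    + " addr=" + clean(request.getRemoteAddr())
                    + " uri=" + clean(request.getRequestURI())
                    + " status=" + response.status
                    + " declared=" + response.declared
                    + " sent=" + response.sent
                    + " outcome=" + (finished ? "finished" : "aborted"));
        }
    }

    // Replace control characters so request data cannot forge extra log lines.
    static String clean(String s) {
        if (s == null) {
            return "-";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            sb.append(Character.isISOControl(c) ? '_' : c);
        }
        return sb.toString();
    }

    // Records status, announced length and bytes written through the stream.
    static final class CountingResponse extends HttpServletResponseWrapper {
        int status = HttpServletResponse.SC_OK;
        long declared = -1; // Content-Length set via setContentLength, -1 if none
        long sent;          // bytes actually written through getOutputStream()
        private ServletOutputStream counting;

        CountingResponse(HttpServletResponse r) { super(r); }

        @Override public void setStatus(int sc) { status = sc; super.setStatus(sc); }
        @Override public void sendError(int sc) throws IOException {
            status = sc; super.sendError(sc);
        }
        @Override public void sendError(int sc, String msg) throws IOException {
            status = sc; super.sendError(sc, msg);
        }
        @Override public void setContentLength(int len) {
            declared = len; super.setContentLength(len);
        }

        @Override public ServletOutputStream getOutputStream() throws IOException {
            if (counting == null) {
                final ServletOutputStream out = super.getOutputStream();
                counting = new ServletOutputStream() {
                    @Override public void write(int b) throws IOException {
                        out.write(b); sent++;
                    }
                    @Override public void write(byte[] b, int off, int len) throws IOException {
                        out.write(b, off, len); sent += len;
                    }
                    @Override public void flush() throws IOException { out.flush(); }
                    @Override public void close() throws IOException { out.close(); }
                };
            }
            return counting;
        }
    }
}
```

For a GET request, a record with `sent` lower than `declared`, or with `outcome=aborted`, marks a download that did not complete.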
Re: JKS keystore password Encryption
Sanaullah wrote:

Hi, is there a way I can replace plain JKS keystore password with encrypted password in tomcat server.xml?

This kind of question comes regularly on this list, I would say 2 or 3 times each year. Searching the list archives (mentioned in the superb on-line Tomcat documentation) would provide a number of discussions on the topic.

The basic answer is no, because then Tomcat would need to be able to decrypt it; and to do that, it would need to know a decryption key; and to know that, this decryption key would need to be stored somewhere; loop to the beginning of this paragraph. And if someone non-authorized has access to Tomcat's server.xml, then you have bigger problems than a non-encrypted password.
Re: Increasing incoming connection request in a queue
Hi. There are a number of problems with your post, which make it difficult to understand exactly what you want to know.

Dhaval Jaiswal wrote:

acceptCount variable: Following is the current configuration in server.xml I am using version. 6.

    Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=8443

That tag is incomplete.

    Resource name=jdbc/DB_NAME auth=Container type=javax.sql.DataSource driverClassName=org.postgresql.Driver url=jdbc:postgresql://IP:PORT/DB_NAME username= password= maxActive=100 maxIdle=20 maxWait=3 validationQuery=select 1 testOnBorrow=true removeAbandoned=true removeAbandonedTimeout=120 logAbandoned=true /

That tag is also incomplete, and it has basically nothing to do with the Connector tag above (nor with acceptCount or maxThreads).

Planning to add below parameters. maxThreads=2 acceptCount=500

Where ?

The situation I got is some times i am not getting timely response from the outsiders.

What is the outsiders ? The browser clients trying to get a connection to Tomcat, or the postgres database which you seem to be using for authentication ?

In this case i need to make the bigger queue in connection pool.

What connection pool ?

As per document and forums says default queue size of acceptCount is 100. During the time if new connection request comes in it simply refuse it.

That has nothing to do with any connection pool. A new connection (from a client) will be refused if :
- all Tomcat threads of the Connector are already busy handling other requests
AND
- there are already acceptCount previous connection requests waiting for an accept in the accept queue of the Connector

1) I just do not want to refuse the new connection, but want to keep that connection in a pool.

That does not really make sense, as a phrase.

I want to make the queue size of 500 and if possible more than that.

Why ?

What is your opinion on below configuration. Will it help me.
Is it going to degrade the performance if i will increase the value of acceptCount variable along with maxThreads. maxThreads=2 acceptCount=500

These two parameters are not directly related, and each of those parameters should only be modified (compared to the default) in very specific circumstances. We cannot have an opinion on whether changing one or the other will help or not, before we know

1) if you really have a problem now, or if you are just speculating without real facts. If you have a real problem, what is it ? is your Tomcat really refusing browser connections ? if yes, does this happen all the time, or only at specific times ?

2) what is the expected load of your server ? how many clients are expected to connect to your server at the same time ? how many HTTP requests are you expecting to have to process at the same time ? how long does it take, on average, to process one request ?

3) what are the characteristics of your server ? (how fast is the CPU, how much memory does it have, how much of that is available to Tomcat) etc..

Here are some general tips :

1) the default parameters of Tomcat are set by people who know what they are doing, in a way that they determine is appropriate for the large majority of practical cases. There are thousands of Tomcats which are running fine on the WWW, using these default parameters. Changing them without knowing why, and without knowing exactly what effect they have, is more likely to make the situation worse, than improving it.

2) to determine if you need to change a parameter, and which parameter to change and how to change it, you need first to *measure* what is happening.

2) the acceptCount of the Connector is a parameter which relates to the TCP/IP stack of your machine. Tomcat just passes this parameter to the underlying OS, when it opens the TCP socket which is used by this Connector. It is the TCP/IP stack of the OS which is going to refuse new client connections, if the accept queue fills up.
The accept queue fills up, when Tomcat (for any of many possible reasons) cannot handle anymore the number of client requests which arrive over a period of time.

3) the maxThreads parameter of a Connector, represents how many threads maximum, this Connector can start at the same time. Each of those threads handles one request of one client.

So, *if you know* :
a) that it takes on average 1 second for your Tomcat (and your webapp) to process one request
b) that, sometimes, there can be 300 clients sending one request each to your Tomcat over 1 second (for a total of 300 requests over the same second)
then, you would know that you need to set the maxThreads parameter to (at least) 300.

If processing one request takes on average 2 seconds, then if during 1 second Tomcat can receive 300 requests, you will need to set maxThreads higher (because at the end of this first second, the first 300 threads
Re: NoSuchMethodError: org/apache/xml/utils/TreeWalker
Deme Carv wrote:

I am getting the error from subject when running the below code in Websphere in my RAD. It is very interesting that this code doesn't cause any error in Server. The server runs up Tomcat 6 but I must set the same code to run in Websphere.

Well, if it is working in Tomcat but not in Websphere, then are you not asking your question on the wrong help forum ?

I have searched for hours in web but I didn't find nothing that I could at least give a try. I attached a pdf with the libs that I found in each place. I guess that it might exist some conflict but I have no idea why it is working in Tomcat but it is not working in Websphere.

Error message in browser:
Error 500: org/apache/xml/utils/TreeWalker.init(Lorg/xml/sax/ContentHandler;Lorg/apache/xpath/DOMHelperV

Error message in RAD console:
java.lang.NoSuchMethodError: org/apache/xml/utils/TreeWalker.init(Lorg/xml/sax/ContentHandler;Lorg/apache/xpath/DOMHelperV
    at org.apache.xalan.serialize.SerializerToXML.serialize(SerializerToXML.java:2578)

    org.apache.xalan.serialize.SerializerToXML serializertoxml = new org.apache.xalan.serialize.SerializerToXML();

My code snippet:

    java.io.FileWriter filewriter = new java.io.FileWriter(file);
    serializertoxml.setWriter(filewriter);
    serializertoxml.serialize(node); // the error happens here
    serializertoxml.flushWriter();
    filewriter.write("\n");
    filewriter.close();
Re: NoSuchMethodError: org/apache/xml/utils/TreeWalker
André Warnier wrote:

Deme Carv wrote:

I am getting the error from subject when running the below code in Websphere in my RAD. It is very interesting that this code doesn't cause any error in Server. The server runs up Tomcat 6 but I must set the same code to run in Websphere.

Well, if it is working in Tomcat but not in Websphere, then are you not asking your question on the wrong help forum ?

I have searched for hours in web but I didn't find nothing that I could at least give a try.

Addendum : You could try asking here : http://www.websphereusergroup.org/go/forum/view/108057/185109/websphere_application_server (found after a single Google search for websphere help forum)

I attached a pdf with the libs that I found in each place. I guess that it might exist some conflict but I have no idea why it is working in Tomcat but it is not working in Websphere.

Error message in browser:
Error 500: org/apache/xml/utils/TreeWalker.init(Lorg/xml/sax/ContentHandler;Lorg/apache/xpath/DOMHelperV

Error message in RAD console:
java.lang.NoSuchMethodError: org/apache/xml/utils/TreeWalker.init(Lorg/xml/sax/ContentHandler;Lorg/apache/xpath/DOMHelperV
    at org.apache.xalan.serialize.SerializerToXML.serialize(SerializerToXML.java:2578)

    org.apache.xalan.serialize.SerializerToXML serializertoxml = new org.apache.xalan.serialize.SerializerToXML();

My code snippet:

    java.io.FileWriter filewriter = new java.io.FileWriter(file);
    serializertoxml.setWriter(filewriter);
    serializertoxml.serialize(node); // the error happens here
    serializertoxml.flushWriter();
    filewriter.write("\n");
    filewriter.close();
Re: SSL redirect problems
Daniel Mikusa wrote: On Fri, Aug 1, 2014 at 11:13 AM, John Smith tomcat.ran...@gmail.com wrote: TC 7.0.54 / RHEL 6 I have two physical servers, each running an instance of TC. The servers are behind a hardware loadbalancer. IPTables is routing request on 80 to 8080. This seems unnecessary. If you have a hardware load balancer in front of Tomcat, it is the only thing that would ever talk to Tomcat. Thus if you just configure it to go to port 8080 you don't need the iptables rule. I can't imagine it's hurting anything, but just thought I'd mention it. Tomcat runs under a non-root user. All good. I needed to protect an area of our webapp under SSL. Went ahead and installed the cert on each server. I can go directly to each server by IP under SSL and get the cert (with the expected IP doesn't match FQDN warning). You probably want the SSL certificate installed on your hardware load balancer. End client's browsers are going to connect to the hardware load balancer, not Tomcat. Thus you'd want the certificate there so your end users can benefit from it. Ex: browser - HTTPS - load balancer - HTTP or HTTPS - Tomcat If you put an SSL certificate on your Tomcat servers, that would allow you to secure the connection between your load balancer and Tomcat. Depending on your network and security requirements this may or may not be necessary. I'd say most people don't do this because terminating SSL on the load balancer is sufficient. It just depends on your requirements though. But when I go through the loadbalancer I can't access anything under port 8443. I redirected 443 to 8443 on each TC server using IPTables, but still no luck. Is there anything I'm missing? The load balancer is almost certainly listening on port 80 and 443. To test, you'd want to connect to the load balancer on one of those ports. The load balancer would then connect to one of your backend nodes and proxy the request on your behalf. 
Your browser will not connect directly to the backend nodes (see my point above about not needing the iptables rule), unless you specifically point it to the ip address of one of the backend nodes.

I understand I can install the cert on the loadbalancer instead, or use httpd as a proxy, but I'd rather just leave it the way it is if there's any other option.

I think you'd want it on the load balancer. Possibly with additional certs on your backend nodes, if you want HTTPS communication between the load balancer and the Tomcat nodes.

Not contradicting anything Daniel is saying, but maybe something to add, and maybe that's the missing part of the original puzzle : If Tomcat is expecting HTTPS requests on port 8443, then any re-direct or response that it is sending back is going to include that port number after the hostname. (even inside the pages, if you use absolute URL links there). So the browser who ultimately receives this, is going to try to talk to port 8443. But that will not work, if your front-end is expecting further requests on port 443, and blocks 8443. Unless in all your Tomcat responses, you arrange to replace any reference to port 8443, by 443, before they reach the browser again.

Maybe using a browser plugin like HttpFox, LiveHttpHeaders or Fiddler2 would allow you to see more clearly what is going on there.
Re: NoSuchMethodError: org/apache/xml/utils/TreeWalker
By the way, pardon my ignorance, but what's a RAD ? I did look it up in Google, but it comes up with either Rite Aid Corporation or a unit of nuclear radiation..

Deme Carv wrote:

Firstly, thank you both of all for answering. I am very glad for very rapid comments. I attached a file in my original question which tells the jar I have in both situation. I guess it might not be delivered to the forum. I know that there is RAD involved but there are as well apache libraries included and I am sure there are a lot of people in this forum with huge experience in such libraries. I don't think my root cause is related to the Websphere server. I guess that there are some conflict between jars. Even though you might think different, could you at least tell me if you see some conflict in these libraries? The problem arises when apache.xalan.serialize.SerializerToXML run with libraries below.

C:\IBM\SDP\runtimes\base_v61\lib :
.eclipseproduct, activation-impl.jar, aspectjrt.jar, base.jar, bootstrap.jar, bsf-engines.jar, commandlineutils.jar, EJBCommandTarget.jar, ffdcSupport.jar, htmlshell.jar, installver.jar, installxml.jar, iscdeploy.jar, ivblogbr.jar, IVTClient.jar, j2ee.jar, jacl.jar, launchclient.jar, lmproxy.jar, mail-impl.jar, marshall.jar, nif.jar, pc-appext.jar, physicalrep.jar, pmirm4arm.jar, rrd-appext.jar, rsadbutils.jar, rsahelpers.jar, serviceadapter.jar, sib.api.jmsra.rar, sib.ra.rar, sljc.jar, spy-sl.jar, spy.jar, sqlserver.jar, startup.jar, tcljava.jar, urlprotocols.jar, util.jar, wsatlib.jar, wsif-compatb.jar

C:\Rad\workspace\my_app\WebContent\WEB-INF\lib :
activation.jar, classes12.jar, commons-collections.jar, commons-fileupload.jar, commons-io-1.4.jar, commons-logging.jar, ibmjzos.jar, javax.jar, jstl.jar, jta.jar, jzos.jar, log4j-1.2.14.jar, mail.jar, quartz-1.6.0.jar, quartz-all-1.6.0.jar, spring.jar, standard.jar, xalan-2.4.1.jar, xerces-1.4.4.jar

2014-08-01 9:05 GMT-03:00 Daniel Mikusa dmik...@pivotal.io:

On Thu, Jul 31, 2014 at 8:13 PM, Deme Carv demec...@gmail.com wrote:

I am getting the error from subject when running the below code in Websphere in my RAD.
It is very interesting that this code doesn't cause any error in Server. The server runs up Tomcat 6 but I must set the same code to run in Websphere. I have searched for hours in web but I didn't find nothing that I could at least give a try. I attached a pdf with the libs that I found in each place. I guess that it might exist some conflict but I have no idea why it is working in Tomcat but it is not working in Websphere. Error message in browser: Error 500: org/apache/xml/utils/TreeWalker.init(Lorg/xml/sax/ContentHandler;Lorg/apache/xpath/DOMHelperV Error message in RAD console: java.lang.NoSuchMethodError: org/apache/xml/utils/TreeWalker.init(Lorg/xml/sax/ContentHandler;Lorg/apache/xpath/DOMHelperV NoSuchMethodErrors often occur when you have the wrong version of a library on your class path. This happens because your code is looking for one version, that has method X while the library you've included has a different version without method X. I don't know a lot about WebSphere, but I do recall that it ships with an older set of libraries and that it prefers those libraries (it calls this parent first) over ones in the application (it calls this parent last). I've seen cases where switching to parent last mode has resolved similar issues. If that doesn't help, I second André's suggestion to look for help in a more appropriate forum. 
Dan

    at org.apache.xalan.serialize.SerializerToXML.serialize(SerializerToXML.java:2578)

    org.apache.xalan.serialize.SerializerToXML serializertoxml = new org.apache.xalan.serialize.SerializerToXML();

My code snippet:

    java.io.FileWriter filewriter = new java.io.FileWriter(file);
    serializertoxml.setWriter(filewriter);
    serializertoxml.serialize(node); // the error happens here
    serializertoxml.flushWriter();
    filewriter.write("\n");
    filewriter.close();
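One way to check the class-path conflict discussed in this thread from inside the affected web application, as an added example that is not code from the original posts. The class `ClassOrigin` and its `report` method are hypothetical names; the default class name is the one from the error message.

```java
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.net.URL;
import java.security.CodeSource;
import java.util.Collections;
import java.util.List;

// Hypothetical diagnostic: shows every copy of a class that a class loader can
// see, which copy actually gets loaded, and the constructors that copy offers.
// Call report() from a servlet or JSP of the affected webapp so that the same
// class loader (and the same parent-first/parent-last policy) is in effect.
public class ClassOrigin {

    static String report(ClassLoader loader, String className) {
        StringBuilder out = new StringBuilder();
        String resource = className.replace('.', '/') + ".class";

        // 1. Every copy visible through this loader and its parents, in lookup order.
        try {
            List<URL> copies = Collections.list(loader.getResources(resource));
            out.append(copies.size()).append(" visible copies of ").append(resource).append('\n');
            for (URL u : copies) {
                out.append("  ").append(u).append('\n');
            }
        } catch (IOException e) {
            out.append("could not enumerate copies: ").append(e).append('\n');
        }

        // 2. The loader chain that decides which copy wins.
        for (ClassLoader l = loader; l != null; l = l.getParent()) {
            out.append("loader: ").append(l).append('\n');
        }

        // 3. The copy that is really loaded, and what it declares.
        try {
            Class<?> c = Class.forName(className, false, loader);
            CodeSource src = c.getProtectionDomain().getCodeSource();
            out.append("loaded from: ")
               .append(src == null ? "JDK runtime (no code source)" : String.valueOf(src.getLocation()))
               .append('\n');
            out.append("defined by: ").append(c.getClassLoader()).append('\n');
            for (Constructor<?> k : c.getDeclaredConstructors()) {
                out.append("  constructor: ").append(k.toGenericString()).append('\n');
            }
        } catch (ClassNotFoundException e) {
            out.append("class not found by this loader\n");
        } catch (LinkageError e) {
            // A parameter type of the class is itself missing or mismatched.
            out.append("class found but not linkable: ").append(e).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "org.apache.xml.utils.TreeWalker";
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) {
            loader = ClassOrigin.class.getClassLoader();
        }
        System.out.print(report(loader, name));
    }
}
```

If the report lists more than one copy and the one under "loaded from" is not the jar the application was compiled against, the constructor list shows whether the signature named in the NoSuchMethodError is present in that copy.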
Re: SSL redirect problems
John Smith wrote:

Not contradicting anything Daniel is saying, but maybe something to add, and maybe that's the missing part of the original puzzle : If Tomcat is expecting HTTPS requests on port 8443, then any re-direct or response that it is sending back is going to include that port number after the hostname. (even inside the pages, if you use absolute URL links there). So the browser who ultimately receives this, is going to try to talk to port 8443. But that will not work, if your front-end is expecting further requests on port 443, and blocks 8443. Unless in all your Tomcat responses, you arrange to replace any reference to port 8443, by 443, before they reach the browser again. Maybe using a browser plugin like HttpFox, LiveHttpHeaders or Fiddler2 would allow you to see more clearly what is going on there.

Well, that's the part that seems confusing. Left as default, I would have thought connecting through the LB on 8443 would have worked. Actually I'm still not clear on which part of the chain is having a problem. Originally, I had no iptable redirect - I just added it in the great tradition of programming - try everything and anything until it works. I don't care if the user has to have 8443 in the URL. Just to be clear, you are suggesting that the problem would be the iptables redirect?

No, I am not really going that far. I am suggesting that that may be the kind of thing that is happening, and that you may want to investigate with a browser plugin, that the requests/responses are really what you are expecting. Your initial explanation was a bit confusing and lacking in precise details, as to what the load balancer really does, where IPtables does what, and how your tomcats are configured (re Connectors, and possibly IPtables too). So we're all kind of guessing here, and just trying to give you some tips, to either simplify your setup, or to figure out better what is happening.
Re: SSL redirect problems
John Smith wrote:

No, I am not really going that far. I am suggesting that that may be the kind of thing that is happening, and that you may want to investigate with a browser plugin, that the requests/responses are really what you are expecting. Your initial explanation was a bit confusing and lacking in precise details, as to what the load balancer really does, where IPtables does what, and how your tomcats are configured (re Connectors, and possibly IPtables too). So we're all kind of guessing here, and just trying to give you some tips, to either simplify your setup, or to figure out better what is happening.

Well, let's remove the IP tables. I know the certs work because as I said I can access them directly by going to either server on 8443 directly. The connectors are configured correctly. There's no security info in web.xml. The entire site should be available over SSL. Using Charles, with LB:8443 I get connection refused - without any other particularly useful info in the response.

There is no response, since you are not even able to connect to that IP:port. If you are using the IP of the LB, then the LB is not accepting connections on port 8443. You won't get much further, unless you solve that first. But I thought that you wanted your users to access via port 443 ?
Re: making all pages to fo index.jsp
Aryeh Friedman wrote:

I want to make it so every page that does not have an actual .jsp file gets sent back index.jsp. I am doing it with error-page but that also sends a 404. I want zero clue they landed on a non-existent page

There are certainly ways to achieve what you describe above. But I think that you should really question the basic logic of doing so. The 404 response is there for a reason : to stop clients from repeating requests for something that does not exist. If you hide that condition to the client, and return what appears to be a real content, then how can a client ever determine that what he requests does not exist, and react intelligently ? What is there to stop this client looping forever, and swamping your server with useless requests ?

Imagine that the file system of your server would do the same : if some program tries to open a file which does not exist, the OS does not return an error, but opens some other file instead. Doesn't make sense, does it ?
Re: Programmatically retrieve number of tomcat connections
Caldarale, Charles R wrote:

From: Igal Sapir [mailto:i...@getrailo.org]
Subject: RE: Programmatically retrieve number of tomcat connections

Isn't Filter.doFilter() called once for each incoming http request?

Yes, which is why it has nothing to do with the number of _connections_.

To elaborate just a little : Presumably when the OP wrote connections, he meant connections, and this was not just sloppy language. In that case, consider keep-alive connections : a browser establishes *one* connection to Tomcat, and then uses that same connection to send 100 HTTP requests (and get 100 HTTP responses) over that same connection. A filter would count 100 requests (assuming that they are all to that same application), but there would still be a single connection. (On the other hand of course, if all the requests were directed to another application which does not have the filter, then the filter would count 0 requests, and there would still be 1 connection).

Talking about fuzzy language though, review Mark's original response : which connections are we talking about here ? and are we talking about a snapshot, where we want to know how many connections with Tomcat are active at a specific moment in time, or how many connections with Tomcat have been established/closed over a period of time ? Or about something else altogether ?

And if one really wanted to count connections at the Tomcat level, I would imagine that the sensible place to do this would be at the Connector level, no ? (all of them)
Re: java.net.SocketTimeoutException: Accept timed out
fachhoch wrote:

Any Ideas what is causing this exception?, Is this anything to do with increase ulimit?

Googling for tcp accept state seems to provide some info. Googling for java.net.SocketTimeoutException: Accept timed out also works.

-- View this message in context: http://tomcat.10.x6.nabble.com/error-in-logs-and-application-got-undeployed-tp5020214p5020244.html Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: Configuring tomcat to be a kerberos client
kulkarni.swar...@gmail.com wrote:

Hello, I was wondering if there is a defined way to configuring tomcat to act as a kerberos client? I have a web application running within tomcat that would be accessing a kerberos secured service. My initial thought was that similar to other java based services, running a simple kinit to get the ticket and then running the webapp should do the trick, but that did not work as expected. Any help will be greatly appreciated.

Hi. You are giving few details about what you are really trying to do or what exactly isn't working as expected, but I believe that the issue here may be a question of perspective.

Your Tomcat potentially runs many instances of many webapps, on behalf of many clients (users). It would be each such instance of a running webapp that would be the Kerberos client, and would need its own ticket. (Or, if your webapp runs in a client session context, each such session might be a Kerberos client and need its own ticket).

Does it make sense in your context to have a global ticket at the Tomcat level, being used by any client that runs any webapp within Tomcat ? Or am I misunderstanding your question above ?
Re: VERY HIGH TRAFFIC TUNING
doomito wrote:

Thank you for the answer. I will begin experimenting on 1 box with this configuration:

    Connector port=8009 protocol=AJP/1.3 address=127.0.0.1 emptySessionPath=true redirectPort=8443 maxThreads=2048 minSpareThreads=32 connectionTimeout=2 keepAliveTimeout=1 enableLookups=false request.registerRequests=false /

I a couple of questions raises from your reply:

1) a couple of years ago we did a BENCHMARK mod_proxy vs mod_jk and the difference was noticeable in favor of mod_jk. There was any improvement on mod_proxy connector in particular?

2) this is definitely an ignorant question, but I see a lot of connections made to 8080 port instead of 8009. That said, I don't fully understand WHY and also, do I need to also tune this? I have nothing going directly to tomcat, everything goes through Apache mod_jk.

    Connector executor=tomcatThreadPool port=8080 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=8443 /

Well, obviously something is going to port 8080 of Tomcat, since you are seeing connections made there. You can configure an AccessLogValve, which will give you a log of the requests that are going there.

Is that server directly on the Internet ? If yes, then you probably have (mostly nasty) people trying to connect to that port via HTTP. If you do not want these connections at all, just comment-out that connector above, and restart Tomcat. (But be aware then, that even *you* will not be able to access Tomcat directly with a browser).

If you want these connections, but only from the local host e.g., you can also make this connector listen only to the localhost IP address. It will then reject any connections to port 8080 that are /not/ coming from localhost.
Re: VERY HIGH TRAFFIC TUNING
Christopher Schultz wrote:

... Interesting... load average is a crude measure of activity; I suppose that having those timeouts means that there is activity on a thread even when there is no real work to be done. I do recommend leaving the timeouts set to their defaults (-1 = infinite).

In general terms, I would definitely not put the connectionTimeout nor the keepAliveTimeout to infinite, if that is what you meant here. ConnectionTimeout infinite seems like a perfect setup for a DOS attack. Keep-alive timeout infinite seems like the perfect way to block a lot of threads doing nothing (and opening yourself to another kind of DOS attack).

However, in this case, we are talking about the AJP Connector, which processes requests coming in via Apache httpd and mod_jk, so I guess that one can rely on the Apache front-end not to relay anything nasty to Tomcat. Presumably, the Apache httpd configuration does not have infinite connection timeout nor keep-alive timeout. Which in a way, raises the question of why these parameters are even available for setting on the AJP Connector. Should these not better be left to the discretion of Apache httpd and mod_jk in the first place ?
Re: VERY HIGH TRAFFIC TUNING
Hi. This kind of question is very difficult to answer reasonably, for anyone that is not you and does not have direct access to your system, to see what happens, when it happens. The general and reasonable answer would be that you need to use some monitoring tools, to find out where exactly the bottleneck is, and then, very carefully, start tuning your system one parameter at a time, to try to improve the situation. The worst thing to do is to start changing multiple things without really knowing what they are doing, because then you will get very confused very quickly.

Ah, one more thing : the default parameters of both Apache httpd and Tomcat, are chosen by people who know what they are doing, to cover a majority of reasonable cases. So, changing these parameters without knowing exactly what each parameter does, and how different parameters interact with one another, is always risky. (This being said, the mere fact that you are asking on this list before doing that, is a bonus point for you). All this being said, a couple of notes below :

Hernán Marsili wrote:

Hi, For the past 4 years we have been working with a 'stable' configuration in which we put APACHE in front of TOMCAT7 (previously Tomcat6) with mod_jk connector. We usually serve high traffic sites with about 7000 to 10.000 concurrent users per box (8gb RAM / 4 vcpu) (50.000 active users total).

So, basically, your configuration is fine and has been running reliably and in a stable way for 4 years, including a Tomcat version change. Good. One more reason for only changing things carefully.

We are OK with the performance, but sometimes we notice Tomcat stops responding normally while there are at least 2 full CPU left to be consumed (JAVA memory is fine).

You may want to indicate a bit more precisely what you mean by "sometimes" and by "stops responding normally".
This is the configuration we use for the connector: Connector port=8009 protocol=AJP/1.3 address=127.0.0.1 emptySessionPath=true redirectPort=8443 maxThreads=1024 minSpareThreads=32 enableLookups=false request.registerRequests=false / Note # 1 : you say that you have up to 10,000 concurrent users. Yet, there are only 1024 Threads in Tomcat. Users is not necessarily equal to requests, but let's assume for a moment that they are. Basically, Tomcat will use one Thread to process one HTTP request, from the time the request is received, to the time when the response to that request has been sent back to the user. So, maybe, there are times when your Tomcat is running out of available Threads to process all the requests that come in at some moments ? If that is the case, what will happen is : - The TCP/IP stack on Tomcat will accept the client connection - but this connection will be put in a queue, waiting for a thread to become available (iow : when it finishes the current request that it is processing). If all 1024 threads are currently busy processing requests (or waiting for additional requests from the same client, because of the keep-alive timeout, see below), then it will appear for the client as if Tomcat is not responding normally. I have a couple of questions: 1) should we set a particular connector or let Tomcat7 decide? I understand using protocol=AJP/1.3 the auto-switch kicks in. But, for non-SSL high concurrency sites maybe is best to fixed on APR? I cannot answer that and will wait for someone else more qualified to do that. 2) how many THREADS can we have? can we go beyond the 1024? Yes, there is no limit other than the available memory and the general performance of the machine. That is also a very easy parameter to change, and one that does not have a lot of obscure side-effects. Apart from everything else, I would suggest raising it to e.g. 4096, and see what happens. 
(As someone else commented however : if the problem is not really in Tomcat, but in some back-end database server, then this will make things worse).

3) is there any advantage on using processorCache?

don't know.

4) We are not defining a CONNECTION TIMEOUT not a KEEP ALIVE. Any advice on this one? The average user session is 7 minutes.

I do not remember what the default value is for keep-alive. But this may also be something easy to adjust, and with potentially big effects. If it is currently anywhere larger than some 5 seconds, change it to 5 seconds maximum. The keep-alive logic was introduced at a time when networks were slower, and when setting up a new TCP/IP connection between a client and a server for each new request, was quite expensive. So the idea was : after a first request by a client, let's leave the connection open, to see if this client has more requests to send, over that same connection, within just a few seconds. This way, we avoid closing the connection each time, and have to re-create a connection for each request. (Example : a HTML page, with a lot of img tags in it.). Unfortunately, what happens in a
Re: Problem with Transfer-Encoding
Konstantin Kolinko wrote:

2014-07-07 21:07 GMT+04:00 Terence M. Bandoian tere...@tmbsw.com: On 7/5/2014 6:36 PM, André Warnier wrote:

I agree with André about the difficulties of debugging character encodings. A couple of things you might check are the character encodings of the page and the form. The character encoding of the page may be set with the Content-type meta tag:

<meta http-equiv="Content-type" content="text/html;charset=UTF-8"/>

Setting explicit value for content attribute like that is risky. The value must match the Content-Type HTTP header produced by web server. If they do not match, some browsers ignore both and start guessing the encoding. I usually write it as

<%@ page contentType="text/html; charset=UTF-8" %> ... <META http-equiv="Content-type" content="<%=response.getContentType() %>">

Yes, this is why I requested from the OP that he verifies *in the browser*, what the browser thinks the character set of the page is. That is because browsers are inconsistent in interpreting server-sent responses. Some browsers will strictly respect what the server sends as a Content-type header (which, according to the RFCs, they should do), but some will not (IE various versions over the years are particular offenders in that respect). By asking this, I was trying not to confuse the matter even further. If the OP had answered and mentioned anything else than Unicode UTF-8, then that would have been the trigger to dig deeper as to why this was the case.

It is often easy, and often tempting, to just provide a recipe that seems to work and solves the immediate problem. Unfortunately, such recipes then have a tendency to break down when conditions change slightly, such as one user using a slightly different version of browser e.g.
Re: Problem with Transfer-Encoding
Konstantin Kolinko wrote: 2014-07-05 9:24 GMT+04:00 Sushil Prusty sushil.pru...@gmail.com: Hello, summary of my Problem: When a client POSTs Tranfer-Encoding data using browser , my server is not processing the request character encoding properly . I send the following request: Content-Type text/html;charset=UTF-8 Date Sat, 05 Jul 2014 05:10:09 GMT Server Apache-Coyote/1.1 Transfer-Encoding chunked *disclaimerTextZażółć gęślą jaźń! ta funkcjonalność nie jest wspierana* Full details: My application running on apache-tomcat-7.0.40 and Java 1.6.x) in linux box. Below response is changed once it's reach to my controller *ZażóÅÄ gÄÅlÄ jaźÅ! ta funkcjonalnoÅÄ nie jest wspierana* I have below configuration in server.xml Connector port=80 protocol=HTTP/1.1 connectionTimeout=2 maxPostSize=5242880 maxParameterCount=25000/ Connector port=443 protocol=HTTP/1.1 scheme=https noCompressionUserAgents=gozilla, traviata compressableMimeType=text/html,text/xml,text/javascript,text/css,application/javascript,application/json URIEncoding=UTF-8 / and in my catalina.sh set JAVA_OPTS=-Djavax.servlet.request.encoding=UTF-8 -Dfile.encoding=UTF-8 (...) As a sanity check: 1) That I send the following request listing looks more like a response, not a request. (E.g. the Server Apache-Coyote/1.1 header makes no sense in a request). So you are lying somewhere. There is no point for me to try guessing what you are doing. You may have confused reading with writing somewhere, and without source code one cannot verify your words. You have to provide a step-by-step instruction and enough source code so that a person who is not familiar with your system were able to reproduce your problem. 2) Content-Type says text/html, but that line of text is not a valid HTML document. 
+1

Character encoding/decoding issues are hell to debug as it is, because they are like quantum physics : even looking at them can change them.(*) So you need to provide *accurate* and raw information, otherwise it is just a loss of time for everyone.

Use a browser plugin like HttpFox, LiveHttpHeaders, HttpFox or similar to monitor the requests being sent and responses being received, at the browser level. All these plugins allow you to selectively dump requests/responses to a file. Do that. Also, check in your browser that when you receive a response page back from the server, your browser is really seeing this response in the proper character set (use View.. Character encoding..).

Transfer Encoding has nothing to do with the *character encoding* of either the request or the response. The little imprecise data that the OP provided above /suggests/ that there is some double encoding taking place /somewhere/, but so far it could as well be in the email client that he used to post to the list, as anywhere else.

(*) with the wrong editor, or the wrong locale e.g.
Re: Problem with Transfer-Encoding
Sushil Prusty wrote: Dear User Thanks for you input. You're welcome. First, a foreword : I will try my best to help you, but doing this is very difficult, and doing it via email is even more difficult. I was not kidding when I wrote earlier that even looking at the data may make it change. Of course, that is not really true, but the fact of cutting and pasting this data, from your saved HTTPFox trace into an email that you send to the Tomcat list, and then the Tomcat list server forwarding this to other people in a new email, may again decode and re-encode this data several times, and confuse the situation totally. So we need to be very, very systematic, and make sure that what we see is really what we get, ok ? What you should really do, is to save the original HttpFox data to a file, then save that file, then zip that file, then post it somewhere where we can get this zip-file. So that we can download it, unzip it, and then be sure that we are really seeing the same data as you do. In the meantime, a question : I just debugged using HttpFox here is below you find header (Request-Line)POST /test/testUserEditAction.do?dojoIframeSend=true The above request line is triggered by something. By what ? Is that a link or button on a HTML page which is currently loaded in your browser ? If yes, then before you actually click this link, can you in your browser use the View..Character set function, and tells us what the browser thinks about the current page loaded in the browser, before you even send this request to the server ? The reason why I am asking, is that this is the character set which the browser will most probably use to encode the text data that it sends to the server (when you click the link). Then see the note below, in the text. 
HTTP/1.1 Host** User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0 Accepttext/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Languageen-US,en;q=0.5 Accept-Encodinggzip, deflate Refererhttps://s Action.do?action=loginflashVersion=9.0.47.0hasCorrectFlashVersion=falseproduct=xyz CookieJSESSIONID=**; doNotShowStartupOnLoad=true Connectionkeep-alive Content-Typemultipart/form-data; boundary=---*** Content-Length4039 In Post body -1550434539176507601876254213 Content-Disposition: form-data; name=disclaimerText ZażóÅÄ gÄÅlÄ jaźÅ! ta funkcjonalnoÅÄ nie jest wspierana The line above may or may not have been further corrupted (compared to the original that you see), by the simple fact of copying this text into your email. But assuming for a moment that it was not, and that it really is what it looks like above, there is some kind of a problem : (You'll have to follow carefully here) If I take the original text line which you posted in your first message : Zażółć gęślą jaźń! ta funkcjonalność nie jest wspierana* and I imagine that internally, this is encoded as UTF-8; Then if I look at that same series of UTF-8 characters, but now examine the *bytes* that compose these characters and view them in ASCII, I should see this : Zażółć gęślÄ… jaźń! ta funkcjonalność nie jest wspierana* But if you compare this carefully, with the string as it appears in your HttpFox trace, you will see that it does not match exactly. For example, look at the last 2 letters of the word funkcjonalność, in both versions. So there appears to be some discrepancy between the character set which your browser is really using (to send data to the server), and the UTF-8 that your server seems to expect. Furthermore (and put this on account of my suspicious nature if you want) : The second part of that message, in Polish, means : This functionality is not supported. 
Which triggers the question : what kind of HTML page would be sending this phrase, as part of the data, in a POST to a server ? Can you give us some context as to what you are trying to do here ?

-1550434539176507601876254213 I believe post data got changed before reaching to server . Do you have any ideas what's wrong here, where the error might be ?

On Sat, Jul 5, 2014 at 9:08 PM, André Warnier a...@ice-sa.com wrote: Konstantin Kolinko wrote: 2014-07-05 9:24 GMT+04:00 Sushil Prusty sushil.pru...@gmail.com:

Hello, summary of my Problem: When a client POSTs Transfer-Encoding data using browser , my server is not processing the request character encoding properly . I send the following request: Content-Type text/html;charset=UTF-8 Date Sat, 05 Jul 2014 05:10:09 GMT Server Apache-Coyote/1.1 Transfer-Encoding chunked *disclaimerTextZażółć gęślą jaźń! ta funkcjonalność nie jest wspierana* Full details: My application running on apache-tomcat-7.0.40 and Java 1.6.x) in linux box. Below response is changed once it's
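The byte-level comparison André walks through above, and the double encoding he suspects, can be checked mechanically instead of by eye. This is an added example, not part of the original thread: it assumes the misreading side uses Windows-1252 (the thread never establishes which single-byte charset is involved), and all function names are hypothetical.

```python
"""Work out how many times UTF-8 text was misread as a single-byte charset."""

# Constructed sample: the sentence quoted in the thread, as the user typed it.
ORIGINAL = "Zażółć gęślą jaźń! ta funkcjonalność nie jest wspierana"

# Assumption: the side that misreads the bytes uses Windows-1252.
WRONG_CODEC = "cp1252"


def misdecode(text, rounds=1, wrong_codec=WRONG_CODEC):
    """Simulate `rounds` passes of 'UTF-8 bytes read as a single-byte charset'."""
    for _ in range(rounds):
        text = text.encode("utf-8").decode(wrong_codec)
    return text


def repair(observed, wrong_codec=WRONG_CODEC, max_rounds=4):
    """Undo misreading passes one at a time; return (text, passes_undone).

    A pass can be undone only if every character maps back to a byte of the
    wrong charset and those bytes form valid UTF-8. Clean text fails one of
    the two checks (or comes back unchanged) and is returned with 0 passes.
    """
    text, rounds = observed, 0
    while rounds < max_rounds:
        try:
            candidate = text.encode(wrong_codec).decode("utf-8")
        except (UnicodeEncodeError, UnicodeDecodeError):
            break
        if candidate == text:  # pure ASCII: nothing left to undo
            break
        text, rounds = candidate, rounds + 1
    return text, rounds


def diagnose(sent, received, max_rounds=3):
    """Return how many misreading passes turn `sent` into `received`.

    0 means the data arrived intact, 1 a single wrong decode, 2 a double
    encoding. None means the damage is not explained by this model, for
    example because some hop dropped or replaced bytes.
    """
    for rounds in range(max_rounds + 1):
        try:
            if misdecode(sent, rounds) == received:
                return rounds
        except UnicodeDecodeError:
            return None
    return None


def byte_view(word, wrong_codec=WRONG_CODEC):
    """List (char, UTF-8 bytes in hex, how those bytes display when misread)."""
    rows = []
    for ch in word:
        raw = ch.encode("utf-8")
        if len(raw) > 1:  # only non-ASCII characters are affected
            hex_bytes = " ".join(f"{b:02x}" for b in raw)
            rows.append((ch, hex_bytes, raw.decode(wrong_codec)))
    return rows


if __name__ == "__main__":
    for ch, hex_bytes, shown in byte_view("funkcjonalność"):
        print(f"{ch!r} is sent as bytes {hex_bytes} and displays as {shown!r}")
    for n in (1, 2):
        damaged = misdecode(ORIGINAL, n)
        print(n, "pass(es):", damaged, "->", repair(damaged))
```

Feed `diagnose` the raw strings from a saved trace file rather than text pasted through an e-mail client, since any hop that re-encodes the data changes the answer.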
Re: [somewhat OT] Apache Tomcat7 service start randomly after the installation of McAfee antivirus.
Leo Donahue wrote: On Wed, Jul 2, 2014 at 2:33 AM, André Warnier a...@ice-sa.com wrote: Blachon, Philippe wrote:

Good morning, We have 4 identical servers with a scheduled task running every night on each of them. This task Stop Tomcat - Update some data - Start Tomcat. This worked fine for months. We have installed a new antivirus McAfee 3 weeks ago. Now the Tomcat7 service starts randomly. At least 1 of the 4 servers needs a manual start of the Tomcat7 service every morning. Do you know if there are specific problems between Tomcat and McAfee ? We have already tried to exclude Tomcat.exe from McAfee scanning. Is there any other thing we could exclude without compromising the security ? Configuration: Windows server 2008 R2 Standard - SP1 Apache Tomcat 7.0.29 Server McAfee Agent 4.8.0.1500 McAfee VirusScan Enterprise 8.8.04001 Thanks, have a nice day, Philippe Blachon.

Not a direct answer to your question, but maybe a bit of lateral and logical thinking here : Why would one run a virus scanner permanently on a Tomcat server ?

Does the OP work in the government? My former employer had virus scanning software on every server. You couldn't get a server image without it. The answer to that question is really based on policy, if he works in government. Eventually, that server has the potential for getting a virus somehow from something or someone, and someone has to answer the question: why wasn't there virus scanning software on the server?

Leo, I understand what you're saying above. But if one extrapolates that logic, then at some point the whole IT infrastructure and the whole Internet would grind to a halt, as only the POTUS would be allowed to upload anything onto a computer.
Re: [somewhat OT] Apache Tomcat7 service start randomly after the installation of McAfee antivirus.
Blachon, Philippe wrote:

Good morning, We have 4 identical servers with a scheduled task running every night on each of them. This task Stop Tomcat - Update some data - Start Tomcat. This worked fine for months. We have installed a new antivirus McAfee 3 weeks ago. Now the Tomcat7 service starts randomly. At least 1 of the 4 servers needs a manual start of the Tomcat7 service every morning. Do you know if there are specific problems between Tomcat and McAfee ? We have already tried to exclude Tomcat.exe from McAfee scanning. Is there any other thing we could exclude without compromising the security ? Configuration: Windows server 2008 R2 Standard - SP1 Apache Tomcat 7.0.29 Server McAfee Agent 4.8.0.1500 McAfee VirusScan Enterprise 8.8.04001 Thanks, have a nice day, Philippe Blachon.

Not a direct answer to your question, but maybe a bit of lateral and logical thinking here : Why would one run a virus scanner permanently on a Tomcat server ? And why run it on most of the disk space, as opposed to just the few directories where some client /might/ upload external files ? Do the applications even allow clients to put files on that server ?
Re: start tomcat 7
Francesco Viscomi wrote: hi all I'm using windows 8; java: java version 1.7.0_60 Java(TM) SE Runtime Environment (build 1.7.0_60-b19) Java HotSpot(TM) 64-Bit Server VM (build 24.60-b09, mixed mode) and tomcat 7: Apache Tomcat/7.0.35 As reported below Server Information Tomcat Version JVM Version JVM Vendor OS Name OS Version OS Architecture Hostname IP Address Apache Tomcat/7.0.35 1.7.0_60-b19 Oracle Corporation Windows 8 6.2 amd64 I'm asking why i get the following error and how to solve it; thanks a lot This is the error: java.lang.UnsatisfiedLinkError: D:\swPCvale\lispa-tomcat-release-2.0.0\server\bin\tcnative-1.dll: Can't load IA 32-bit .dll on a AMD 64-bit platform Here is the problem. You appear to have installed Tomcat as part of some other program package (lispa ?), and the version of tcnative-1.dll that this package contains, is not adapted to the type of CPU of your workstation. To do this right, you should contact the people of this lispa package, and ask them for help as to what to do. As a quick-and-dirty solution to try (no guarantees, specially not in terms of compatibility with the rest), you could : - download the latest Tomcat 7 binaries for Windows 64-bit, here : http://apache.mirror.iphh.net/tomcat/tomcat-7/v7.0.54/bin/apache-tomcat-7.0.54-windows-x64.zip - unzip this somewhere - copy the bin/tcnative-1.dll that you find there, to your own D:\swPCvale\lispa-tomcat-release-2.0.0\server\bin\ and try starting Tomcat again. Note that this is not a fatal error for Tomcat. It is just telling you that it did not find this DLL (at least not a usable one), and that it is starting up without it. Tomcat in the end is starting up just fine, see the last line. 
at java.lang.ClassLoader$NativeLibrary.load(Native Method) at java.lang.ClassLoader.loadLibrary1(ClassLoader.java:1965) at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1890) at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1880) at java.lang.Runtime.loadLibrary0(Runtime.java:849) at java.lang.System.loadLibrary(System.java:1088) at org.apache.tomcat.jni.Library.init(Library.java:42) at org.apache.tomcat.jni.Library.initialize(Library.java:174) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.core.AprLifecycleListener.init(AprLifecycleListener.java:180) at org.apache.catalina.core.AprLifecycleListener.isAprAvailable(AprLifecycleListener.java:85) at org.apache.catalina.connector.Connector.setProtocol(Connector.java:595) at org.apache.catalina.connector.Connector.init(Connector.java:69) at org.apache.catalina.startup.ConnectorCreateRule.begin(ConnectorCreateRule.java:62) at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509) at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:182) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1342) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2770) at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510) at 
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848) at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777) at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141) at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213) at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648) at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1537) at org.apache.catalina.startup.Catalina.load(Catalina.java:610) at org.apache.catalina.startup.Catalina.load(Catalina.java:658) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at
Re: Connection count explosion due to thread http-nio-80-ClientPoller-x death
Lars Engholm Johansen wrote:

Thanks for all the replies guys.

Have you observed a performance increase by setting acceptorThreadCount to 4 instead of a lower number? I'm just curious.

No, but this was the consensus after elongated discussions in my team. We have 12 cpu cores - better safe than sorry. I know that the official docs read "although you would never really need more than 2" :-)

The GC that Andre suggested was to get rid of some of CLOSE_WAIT connections in netstat output, in case if those are owned by some abandoned and non properly closed I/O classes that are still present in JVM memory.

Please check out the open connections graph at http://imgur.com/s4fOUte As far as I interpret, we only have a slight connection count growth during the days until the poller thread dies. These may or may not disappear by forcing a GC, but the amount is not problematic until we hit the http-nio-80-ClientPoller-x thread death.

Just to make sure : what kind of connections does this graph actually show ? in which TCP state ? does it count only the established, or also the FIN_WAIT, CLOSE_WAIT, LISTEN etc.. ?

The insidious part is that everything may look fine for a long time (apart from an occasional long list of CLOSE_WAIT connections). A GC will happen from time to time (*), which will get rid of these connections. And those CLOSE_WAIT connections do not consume a lot of resources, so you'll never notice. Until at some point, the number of these CLOSE_WAIT connections gets just at the point where the OS can't swallow any more of them, and then you have a big problem. (*) and this is the insidious squared part : the smaller the Heap, the more often a GC will happen, so the sooner these CLOSE_WAIT connections will disappear. Conversely, by increasing the Heap size, you leave more time between GCs, and make the problem more likely to happen.

You are correct. The bigger the Heap size the rarer a GC will happen - and we have set aside 32GiB of ram.
But again, referring to my connection count graph, a missing close in the code does not seem to be the culprit.

A critical error (java.lang.ThreadDeath, java.lang.VirtualMachineError) will cause death of a thread. A subtype of the latter is java.lang.OutOfMemoryError.

I just realized that StackOverflowError is also a subclass of VirtualMachineError, and remembered that we due to company historical reasons had configured the JVM stack size to 256KiB (down from the default 1GiB on 64 bit machines). This was to support a huge number of threads on limited memory in the past. I have now removed the -Xss jvm parameter and am excited to see if this solves our poller thread problems. Thanks for the hint, Konstantin. I promise to report back to you guys :-)

On Fri, Jun 20, 2014 at 2:49 AM, Filip Hanik fi...@hanik.com wrote:

Our sites still function normally with no cpu spikes during this build up until around 60,000 connections, but then the server refuses further connections and a manual Tomcat restart is required.

yes, the connection limit is a 16 bit short count minus some reserved addresses. So your system should become unresponsive, you've run out of ports (the 16 bit value in a TCP connection). netstat -na should give you your connection state when this happens, and that is helpful debug information. Filip

On Thu, Jun 19, 2014 at 2:44 PM, André Warnier a...@ice-sa.com wrote: Konstantin Kolinko wrote: 2014-06-19 17:10 GMT+04:00 Lars Engholm Johansen lar...@gmail.com:

I will try to force a GC next time I am at the console about to restart a Tomcat where one of the http-nio-80-ClientPoller-x threads has died and connection count is exploding. But I do not see this as a solution - can you somehow deduce why this thread died from the outcome from a GC?

Nobody said that a thread died because of GC.
The GC that Andre suggested was to get rid of some of CLOSE_WAIT connections in netstat output, in case if those are owned by some abandoned and non properly closed I/O classes that are still present in JVM memory. Exactly, thanks Konstantin for clarifying. I was going per the following in the original post : Our sites still functions normally with no cpu spikes during this build up until around 60,000 connections, but then the server refuses further connections and a manual Tomcat restart is required. CLOSE_WAIT is a normal state for a TCP connection, but it should not normally last long. It indicates basically that the other side has closed the connection, and that this side should do the same. But it doesn't, and as long as it doesn't the connection remains in the CLOSE_WAIT state. It's like half-closed, but not entirely, and as long as it isn't, the OS cannot get rid of it. For a more precise explanation, Google for TCP CLOSE_WAIT state. I have noticed in the past, with some Linux versions, that when the number of such CLOSE_WAIT connections goes above a certain level (several hundred), the TCP/IP stack can become
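André's question about which TCP states the graph counts, and Filip's pointer to `netstat -na`, both come down to a per-state tally for the connector port. This is an added example, not from the thread: the sample output is constructed (documentation-range addresses), the Linux `netstat -na` column layout is assumed, and the function names and the CLOSE_WAIT limit are hypothetical.

```python
"""Tally TCP states for one listening port from saved `netstat -na` output."""
from collections import Counter

# Constructed sample in the Linux `netstat -na` layout (assumed format).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51240      ESTABLISHED
tcp        1      0 192.0.2.10:80           198.51.100.8:40022      CLOSE_WAIT
tcp        1      0 192.0.2.10:80           198.51.100.8:40031      CLOSE_WAIT
tcp       32      0 192.0.2.10:80           203.0.113.5:60100       CLOSE_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.9:55000       TIME_WAIT
tcp        0      0 192.0.2.10:8009         127.0.0.1:45000         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def parse_tcp(netstat_text):
    """Yield (local_port, remote_host, state) for every TCP row."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly six columns; headers and UDP rows do not.
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        port = local.rsplit(":", 1)[-1]  # rsplit also copes with ":::80"
        if port.isdigit():
            yield int(port), remote.rsplit(":", 1)[0], state


def state_tally(netstat_text, port):
    """Count connections per TCP state for one local port."""
    return Counter(s for p, _, s in parse_tcp(netstat_text) if p == port)


def close_wait_peers(netstat_text, port):
    """Count CLOSE_WAIT sockets per remote host for one local port."""
    return Counter(
        host
        for p, host, state in parse_tcp(netstat_text)
        if p == port and state == "CLOSE_WAIT"
    )


def report(netstat_text, port, close_wait_limit):
    """Summarise what a 'connection count' graph may be hiding."""
    tally = state_tally(netstat_text, port)
    return {
        "states": dict(tally),
        # Listening sockets are not client connections.
        "connections": sum(n for s, n in tally.items() if s != "LISTEN"),
        "close_wait": tally["CLOSE_WAIT"],
        "over_limit": tally["CLOSE_WAIT"] > close_wait_limit,
        "top_close_wait_peers": close_wait_peers(netstat_text, port).most_common(3),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE, port=80, close_wait_limit=2).items():
        print(f"{key}: {value}")
```

Run against snapshots taken at intervals, the CLOSE_WAIT figure shows whether half-closed sockets are accumulating or being released between garbage collections.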
Re: CGI script to work on Tomcat
Christopher Schultz wrote:

André, On 6/20/14, 6:19 PM, André Warnier wrote: Christopher Schultz wrote:

Rahul, On 6/20/14, 3:10 PM, Rahul R wrote:

This is from my conf/web.xml

<servlet>
  <servlet-name>cgi</servlet-name>
  <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>cgiPathPrefix</param-name>
    <param-value>WEB-INF/cgi</param-value>
  </init-param>
  <init-param>
    <param-name>passShellEnvironment</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>executable</param-name>
    <param-value>perl</param-value>
  </init-param>
  <load-on-startup>5</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>cgi</servlet-name>
  <url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>

Please let me know what do you mean by privileged usage.

https://tomcat.apache.org/tomcat-7.0-doc/cgi-howto.html Since you have mapped the CGIServlet to /cgi-bin, then you will want to have your HTML file (located in the webapp root) to reference /cgi-bin/read_toggle.cgi as the action. Note that the URL reference is mapped from the URL space (/cgi-bin/read_toggle.cgi) into the webapp's resource space (WEB-INF/cgi/read_toggle.cgi) which is why the paths don't appear to match. Finally, if the Perl script isn't that complicated, you should consider re-writing it in Java since you are using a Java application server. It will be much easier to deal with everything that way.

Who said that the cgi-bin script was perl ?

The OP. Look up in the configuration: the executable is set to perl.

That's just the default, as it comes in the standard Tomcat distribution. See also https://tomcat.apache.org/tomcat-7.0-doc/cgi-howto.html#Configuration The OP never actually said what the script was. Which is a reason why I raised the question.
(perl may not even be installed on that system; but since so far Tomcat did not even trigger the CGI servlet, we are not yet at the point where this would show up.)

I suppose he could be using a tcl/tk binary re-named to perl just to have a laugh, but probably not.

He could also be using a stand-alone Java application as a cgi-bin script, for all we know.. Wouldn't that be interesting ? Would the JVM which runs Tomcat actually be smart enough to notice this, and not load and run another JVM then ? (not saying that it isn't, but nobody said it was either).

As it stands, whatever it is, it is being run (at first) by perl. But if perl notices another interpreter in the shebang line, it will happily cede its turn.

Fair enough. I've seen some stupid things in my time, but having Perl hand-off to some other binary just seems wasteful.

It is. Tomcat runs the CGI servlet (actually, a Java JVM does that); the CGI servlet sets up a complete CGI environment (variables and all), then asks the JVM to load and run a perl interpreter (and the JVM probably asks the underlying OS to do that). The perl interpreter loads, reads the cgi script, sees the shebang line, and exec's a shell to run the script. Then the shell reads and runs the script. And the same at each invocation. If one is looking for a small footprint and/or performance, that's not exactly the way to go.

I was basically raising the question, because it seems to me that, if the OP actually read the page https://tomcat.apache.org/tomcat-7.0-doc/cgi-howto.html, it nevertheless does not seem that he read it very carefully. So the fact that perl is the default executable may have escaped his attention. And since perl will call a shell to run the script if this actually is a shell script with a proper shebang line, he may never notice all the above. And then wonder why this appears so resource-intensive.
Anyway, it raises the fundamental question of why go though all the trouble to run a (possibly perl) cgi-bin script within Tomcat ? +1 (Also @David) : Let's face it : Tomcat is not particularly optimised to run cgi-bin scripts, be they perl or otherwise. There are better tools to do this, such as an Apache httpd front-end which the OP seems to have been using so far. In this particular case, I believe it would probably be better to keep the configuration maybe a bit more complex, but probably more efficient. There are cases where simpler is not necessarily better, and I felt that it was worthwhile pointing this out. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Webapps directory query
Vicky, please do not top-post. Reply below the paragraph you are responding to. vicky wrote: Thanks Mark, but it doesn't have the details of scenario when we'll carry out a redeployment along with a restart/ How the exploded directories will then be updated , is it only the files are going to be updated within it ? Please give some directions. You do not mention the OS under which this is happening (not the Tomcat nor Java versions); you should, if only for saving us the trouble asking. But under Linux, and as far as I know also under Windows, whenever a file inside a directory changes, the corresponding directory entry (and thus the directory itself) is updated *by the OS*. This has nothing to do with Tomcat, and Tomcat can do nothing to prevent that (or force it to happen). Vicky On Friday, 20 June 2014 11:00 AM, Mark Eggers its_toas...@yahoo.com.INVALID wrote: On 6/19/2014 10:12 PM, vicky wrote: Hi Guys, Ideally when a redeployment happens in a tomcat , is it standard that the exploded war directory will again be updated with the latest timestamps or is it the case that only files will be updated within that directory. Please share if there is any online documentation available for this behavior Kindly suggest Thanks Vicky Please read the following links, and search for the word 'redeploy'. http://tomcat.apache.org/tomcat-6.0-doc/deployer-howto.html http://tomcat.apache.org/tomcat-7.0-doc/deployer-howto.html http://tomcat.apache.org/tomcat-8.0-doc/deployer-howto.html . . . 
just my two cents /mde/
Re: CGI script to work on Tomcat
Rahul R wrote: More info: http://localhost:8180/toggle_read.html is html. But after using action='./read_toggle.cgi' in the html the url loading is http://localhost:8180/read_toggle.cgi and again it's giving 404 error. :( Are you listening to what you are told ? Did you read https://tomcat.apache.org/tomcat-7.0-doc/cgi-howto.html ? Did you understand it, and did you do all that is mentioned there ? To prove it, copy and paste here the content of your conf/web.xml file : -- start here -- -- end here -- On Fri, Jun 20, 2014 at 5:59 PM, Rahul R rahul.ra...@gmail.com wrote: Thanks Mark for your suggestion. But by privileged, did you mean to add an entry like below on context.xml? <Context privileged="true"> </Context> On Fri, Jun 20, 2014 at 5:46 PM, Mark Thomas ma...@apache.org wrote: On 20/06/2014 12:49, Rahul R wrote: Hi I am trying to migrate something which was working under apache to tomcat. I had an html form which takes user input values and pass those values and executes some cgi scripts. But when I moved html and cgi under tomcat, the html form is loading properly, but when I click submit, it's giving 404 error for the cgi execution. I have my html files under ROOT and cgi scripts under ROOT/WEB-INF/cgi Tomcat Version: 7.0.54 And in my html form I have mentioned the cgi location as action='./WEB-INF/cgi/read_toggle.cgi' I followed the steps mentioned in the below url. http://www.wellho.net/solutions/java-running-cgi-scripts-in-apache-tomcat.html I don't see anything in the catalina.out or any other logs. Kindly help me to fix this issue. Try using the real Tomcat documentation rather than some random Google result that doesn't even bother to mention which version of Tomcat it was written for (hint: it wasn't written for Tomcat 7). Given how you have configured Tomcat, the behaviour you are seeing is exactly as expected. 
If you want your script to work with the minimum of changes you need to: - Make your web application privileged - Use action='./read_toggle.cgi' Mark -- Thanks, Regards, Rahul R
Re: CGI script to work on Tomcat
Christopher Schultz wrote: Rahul, On 6/20/14, 3:10 PM, Rahul R wrote: This is from my conf/web.xml

    <servlet>
      <servlet-name>cgi</servlet-name>
      <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
      <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
      </init-param>
      <init-param>
        <param-name>cgiPathPrefix</param-name>
        <param-value>WEB-INF/cgi</param-value>
      </init-param>
      <init-param>
        <param-name>passShellEnvironment</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>executable</param-name>
        <param-value>perl</param-value>
      </init-param>
      <load-on-startup>5</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>cgi</servlet-name>
      <url-pattern>/cgi-bin/*</url-pattern>
    </servlet-mapping>

Please let me know what do you mean by privileged usage. https://tomcat.apache.org/tomcat-7.0-doc/cgi-howto.html Since you have mapped the CGIServlet to /cgi-bin, then you will want to have your HTML file (located in the webapp root) to reference /cgi-bin/read_toggle.cgi as the action. Note that the URL reference is mapped from the URL space (/cgi-bin/read_toggle.cgi) into the webapp's resource space (WEB-INF/cgi/read_toggle.cgi) which is why the paths don't appear to match. Finally, if the Perl script isn't that complicated, you should consider re-writing it in Java since you are using a Java application server. It will be much easier to deal with everything that way. Who said that the cgi-bin script was perl ? (not saying that it isn't, but nobody said it was either). As it stands, whatever it is, it is being run (at first) by perl. But if perl notices another interpreter in the shebang line, it will happily cede its turn. Anyway, it raises the fundamental question of why go through all the trouble to run a (possibly perl) cgi-bin script within Tomcat ?
Re: Connection count explosion due to thread http-nio-80-ClientPoller-x death
Konstantin Kolinko wrote: 2014-06-19 17:10 GMT+04:00 Lars Engholm Johansen lar...@gmail.com: I will try to force a GC next time I am at the console about to restart a Tomcat where one of the http-nio-80-ClientPoller-x threads have died and connection count is exploding. But I do not see this as a solution - can you somehow deduct why this thread died from the outcome from a GC? Nobody said that a thread died because of GC. The GC that Andre suggested was to get rid of some of CLOSE_WAIT connections in netstat output, in case if those are owned by some abandoned and non properly closed I/O classes that are still present in JVM memory. Exactly, thanks Konstantin for clarifying. I was going per the following in the original post : Our sites still functions normally with no cpu spikes during this build up until around 60,000 connections, but then the server refuses further connections and a manual Tomcat restart is required. CLOSE_WAIT is a normal state for a TCP connection, but it should not normally last long. It indicates basically that the other side has closed the connection, and that this side should do the same. But it doesn't, and as long as it doesn't the connection remains in the CLOSE_WAIT state. It's like half-closed, but not entirely, and as long as it isn't, the OS cannot get rid of it. For a more precise explanation, Google for TCP CLOSE_WAIT state. I have noticed in the past, with some Linux versions, that when the number of such CLOSE_WAIT connections goes above a certain level (several hundred), the TCP/IP stack can become totally unresponsive and not accept any new connections at all, on any port. In my case, this was due to the following kind of scenario : Some class Xconnection instantiates an object, and upon creation this object opens a TCP connection to something. This object is now used as an alias for this connection. Time passes, and finally the object goes out of scope (e.g. 
the reference to it is set to null), and one may believe that the underlying connection gets closed as a side-effect. But it doesn't, not as long as this object is not actually garbage-collected, which triggers the actual object destruction and the closing of the underlying connection. Forcing a GC is a way to provoke this (and restarting Tomcat another, but more drastic). If a forced GC gets rid of your many CLOSE_WAIT connections and makes your Tomcat operative again, that would be a sign that something similar to the above is occurring; and then you would need to look in your application for the oversight. (e.g. the class should have a close method (closing the underlying connection), which should be invoked before letting the object go out of scope). The insidious part is that everything may look fine for a long time (apart from an occasional long list of CLOSE_WAIT connections). A GC will happen from time to time (*), which will get rid of these connections. And those CLOSE_WAIT connections do not consume a lot of resources, so you'll never notice. Until at some point, the number of these CLOSE_WAIT connections gets just at the point where the OS can't swallow any more of them, and then you have a big problem. That sounds a bit like your case, doesn't it ? (*) and this is the insidious squared part : the smaller the Heap, the more often a GC will happen, so the sooner these CLOSE_WAIT connections will disappear. Conversely, by increasing the Heap size, you leave more time between GCs, and make the problem more likely to happen. I believe that the rest below may be either a consequence, or a red herring, and I would first eliminate the above as a cause. And could an Exception/Error in Tomcat thread http-nio-80-ClientPoller-0 or http-nio-80-ClientPoller-1 make the thread die with no Stacktrace in the Tomcat logs? A critical error (java.lang.ThreadDeath, java.lang.VirtualMachineError) will cause death of a thread. 
A subtype of the latter is java.lang.OutOfMemoryError. As of now, such errors are passed through and are not logged by Tomcat, but are logged by java.lang.ThreadGroup.uncaughtException(). ThreadGroup prints them to System.err (catalina.out). Best regards, Konstantin Kolinko
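A monitoring check for the CLOSE_WAIT build-up discussed above, as an added example that is not code from the thread or from Tomcat: it counts TCP states per local port from `netstat -ant` text and flags a CLOSE_WAIT count that is over a limit or rising in every recent sample. The sample output, the limit values and all function names are constructed for illustration, and the column layout assumed is the Linux net-tools one.

```python
from collections import Counter


def make_snapshot(established, close_wait, port=80):
    """Build constructed `netstat -ant` text (Linux net-tools column layout)."""
    lines = [
        "Active Internet connections (servers and established)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
        f"tcp        0      0 0.0.0.0:{port}              0.0.0.0:*               LISTEN",
        "tcp6       0      0 :::8009                 :::*                    LISTEN",
    ]
    for i in range(established):
        lines.append(
            f"tcp        0      0 192.0.2.10:{port}           "
            f"198.51.100.{i + 1}:{40000 + i}      ESTABLISHED"
        )
    for i in range(close_wait):
        # Recv-Q is non-zero here only to make the constructed rows look plausible.
        lines.append(
            f"tcp        1      0 192.0.2.10:{port}           "
            f"203.0.113.{i + 1}:{50000 + i}      CLOSE_WAIT"
        )
    return "\n".join(lines)


def parse_netstat(text):
    """Return (local_port, state) for every TCP row; headers and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        # rpartition keeps IPv6 local addresses such as ":::8009" intact.
        _host, _, local_port = fields[3].rpartition(":")
        rows.append((local_port, fields[5]))
    return rows


def state_counts(text, port):
    """Count TCP states for connections whose local port is `port`."""
    wanted = str(port)
    return Counter(state for local_port, state in parse_netstat(text)
                   if local_port == wanted)


def close_wait_findings(snapshots, port, limit=200, growth_runs=3):
    """Evaluate snapshots (oldest first) taken at a fixed interval.

    limit and growth_runs are assumed values; tune them per host.
    Returns (CLOSE_WAIT series, list of finding labels).
    """
    series = [state_counts(text, port)["CLOSE_WAIT"] for text in snapshots]
    findings = []
    if series and series[-1] >= limit:
        findings.append("over-limit")
    tail = series[-(growth_runs + 1):]
    rising = all(later > earlier for earlier, later in zip(tail, tail[1:]))
    if len(tail) == growth_runs + 1 and rising:
        # The count never dropped between samples, so nothing (for instance
        # a garbage collection) released the half-closed sockets in that window.
        findings.append("steady-growth")
    return series, findings


if __name__ == "__main__":
    # Four constructed one-minute samples with a growing CLOSE_WAIT count.
    samples = [make_snapshot(5, n) for n in (1, 3, 8, 20)]
    series, findings = close_wait_findings(samples, 80, limit=10)
    print("CLOSE_WAIT per sample:", series)
    print("findings:", findings)
```

Feeding it the real output of `netstat -ant` collected once a minute gives the same per-port series that the thread reads off by eye.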
Re: Remote Tomcat webapps bidirectional communication
Lmhelp1 wrote: Hello, My question is about what code to write to allow two remote Tomcat webapps to communicate with one another through the Internet. Let me explain more precisely what I would like to do. (I'm just simplifying a bit the real situation). - I have a Tomcat webapp running on a server in England. - I have another Tomcat webapp running on a server in France. - I have a JSP inside the England webapp. - This JSP contains a form with two fields First name and Last name. - I would like to send this information to the France webapp. - After the England form has been submitted, I can collect the information First name and Last name in a servlet. Can you tell me what I shall do then to send this information to the France webapp? Is it something like a response.sendRedirect(...? How does it have to be written? - Meantime, the France webapp needs to be able to wait for this information and, when it arrives, to get it and do something with it. For example store the First name and Last name in a database, etc. What kind of a code has to be written in the France webapp? Is it a servlet with a doGet() retrieving the information First name and Last name? - Moreover, when the France webapp has finished its job, it needs to tell the England webapp that it has finished, send it a file and some information. So the communication has to be bidirectional. Can you please give me some indications on how to start dealing with this? Or maybe a tutorial or an example? This is only vaguely a Tomcat question, in the sense that : - for receiving and processing a HTTP POST request (from a browser usually, but in your case it would be a Tomcat servlet or a program running somewhere else), a normal webapp is what you need. 
- for creating and sending a HTTP POST request, you will need a library that offers such functions, such as the HTTPClient library, found here : http://projects.apache.org/projects/httpcomponents_client.html There is documentation and examples available at : http://hc.apache.org/index.html. Make sure you read them. Note that any java program could use this, there is nothing special about using it within a java servlet. And note that when one of your servlets issues a HTTP request to another server, Tomcat knows absolutely nothing about it, and there is no Tomcat code involved (on the request-sending side). Note also that for what you describe as the France webapp above, that functionality does not necessarily need a Tomcat and a Tomcat webapp. You could use the code of http://projects.apache.org/projects/httpcomponents_core.html to create a stand-alone java network server, which just listens for this particular kind of request, and responds by the information that you describe. Similarly, your England webapp does not necessarily need to send the request to the France server as a HTTP request, nor expect a HTTP response. What I believe would be the trickiest part in that kind of application, is to handle the various error scenarios : network down between England and France, French server down, French server taking a (too) long time to respond, French server returning an error, etc..
Re: Connection count explosion due to thread http-nio-80-ClientPoller-x death
Lars Engholm Johansen wrote: Our company is running several Tomcat 7.0.52 high volume Ubuntu 12.04 production servers. We are using Tomcat WebSockets (JSR356 implementation) heavily with 100M text messages (100GiB) per day. We monitor webserver health by measuring several key parameters every minute, including tomcat connection count using: mBeanServer.getAttribute(threadPool, connectionCount); // threadPool is MBean of type=ThreadPool __The problem__ Our sites can run for days without problems, but once in a while the tomcat connection count suddenly starts growing abnormally fast. See this graph: http://imgur.com/s4fOUte netstat shows these TCP connections to be mostly in CLOSE_WAIT state. And if at that moment, you force the JVM that runs Tomcat to do a Garbage Collection, do you still have these numerous connections in CLOSE_WAIT state after the GC completed ? Our sites still function normally with no cpu spikes during this build up until around 60,000 connections, but then the server refuses further connections and a manual Tomcat restart is required. We have no output in tomcat or our logs at the time when this event occurs. The only sign is when comparing full java thread dump with a dump from a newly launched Tomcat: One of http-nio-80-ClientPoller-0 or http-nio-80-ClientPoller-1 is missing/has died. We have observed this problem at least since Tomcat 7.0.48 and can not find indications in Tomcat 7.0.x change logs that it should have been fixed in newer releases. 
Any help or advice is appreciated, Best regards, Lars Engholm Johansen Our connector configuration:

    <Connector acceptCount="1500" acceptorThreadCount="4" asyncTimeout="10"
               connectionTimeout="6" connectionUploadTimeout="12"
               disableUploadTimeout="false" enableLookups="false"
               keepAliveTimeout="12" maxConnections="10" maxPostSize="300"
               maxThreads="300" port="80"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               socket.soKeepAlive="true" />
Re: Working mod_jk related to loglevel with wildfly?
Martin Stolk wrote: Hello, We are migrating our applications from tomcat to wildfly. We are using mod_jk (1.2.40) to connect apache to the wildfly ajp port. When using tomcat there are no problems, but with wildfly there is a strange behavior in our application. It is a bit of a puzzle then, why you are asking for help here. Would http://wildfly.org/gethelp/ not be a better place to start ? Our application is written in java (wicket) and when entering a search form every field fills with a semi-colon after entering the find button. When I set the JkLogLevel to trace or debug the problem remains but less frequently and not in every form. I also tried different ForwardURI** JkOptions, but that makes no difference. I can't think of a reason off-hand why this should ever make any difference. It would seem that the first thing to look at, is what this Find button in the form really does. Is it just a submit button, or does it call something (some javascript perhaps) ? Does the form send a POST, or a GET request ? Can anyone help me where to find a solution?
Re: Working mod_jk related to loglevel with wildfly?
André Warnier wrote: Martin Stolk wrote: Hello, We are migrating our applications from tomcat to wildfly. We are using mod_jk (1.2.40) to connect apache to the wildfly ajp port. When using tomcat there are no problems, but with wildfly there is a strange behavior in our application. It is a bit of a puzzle then, why you are asking for help here. Would http://wildfly.org/gethelp/ not be a better place to start ? Our application is written in java (wicket) and when entering a search form every field fills with a semi-colon after entering the find button. When I set the JkLogLevel to trace or debug the problem remains but less frequently and not in every form. I also tried different ForwardURI** JkOptions, but that makes no difference. I can't think of a reason off-hand why this should ever make any difference. It would seem that the first thing to look at, is what this Find button in the form really does. Is it just a submit button, or does it call something (some javascript perhaps) ? Does the form send a POST, or a GET request ? Can anyone help me where to find a solution? Ok, I'll bite again. As I understand the issue, you have the following schema : B + BA -HTTP- A + M -AJP- E + EA where : - B is the browser - BA is the application in the browser. That can be pure HTML, or HTML + javascript, or a Java Applet, or whatever - A is the Apache httpd front-end - M is the mod_jk module running inside Apache httpd - E is the Servlet Engine (Tomcat or Wildfly) - EA is the java application running inside of E and we assume that the only element which varies is E, which is either Tomcat or Wildfly. You say that when E is Tomcat, everything works fine. But when E is Wildfly, strange things happen. Given that B + BA are the same and would send the same HTTP requests in both cases to A, - there is no reason why A would do anything different when E is Wildfly, than when E is Tomcat. A does not even know which Servlet Engine E is being used. 
- there is no reason why M would do anything different when E is Wildfly, than when E is Tomcat. M does not even know which Servlet Engine E is being used. It just knows that it is talking to an AJP connector of a webserver, and that it needs to translate the HTTP request, to an AJP request, before forwarding it. The only impact that I can think of, of changing the mod_jk loglevel, is to make mod_jk perhaps a little bit slower, because it has to log more. (But we should be talking of at most milliseconds here). So, on the face of it, logically, I would think that if there is a problem when E is Wildfly, the problem must be with Wildfly, or with how Wildfly is running the EA application. Or else, our premise is wrong, and BA is not exactly the same in both cases, and does not send exactly the same thing to A. But since BA comes from E + EA originally, that would also mean that the problem is with Wildfly + the EA application. So I would still go to the Wildfly support list, present the same case as you did above, and ask them if they have a clue as to what may be happening.
Re: Working mod_jk related to loglevel with wildfly?
Mark Eggers wrote: On 6/10/2014 8:29 AM, André Warnier wrote: André Warnier wrote: Martin Stolk wrote: Hello, We are migrating our applications from tomcat to wildfly. We are using mod_jk (1.2.40) to connect apache to the wildfly ajp port. When using tomcat there are no problems, but with wildfly there is a strange behavior in our application. It is a bit of a puzzle then, why you are asking for help here. Would http://wildfly.org/gethelp/ not be a better place to start ? Our application is written in java (wicket) and when entering a search form every field fills with a semi-colon after entering the find button. When I set the JkLogLevel to trace or debug the problem remains but less frequently and not in every form. I also tried different ForwardURI** JkOptions, but that makes no difference. I can't think of a reason off-hand why this should ever make any difference. It would seem that the first thing to look at, is what this Find button in the form really does. Is it just a submit button, or does it call something (some javascript perhaps) ? Does the form send a POST, or a GET request ? Can anyone help me where to find a solution? Ok, I'll bite again. As I understand the issue, you have the following schema : B + BA -HTTP- A + M -AJP- E + EA where : - B is the browser - BA is the application in the browser. That can be pure HTML, or HTML + javascript, or a Java Applet, or whatever - A is the Apache httpd front-end - M is the mod_jk module running inside Apache httpd - E is the Servlet Engine (Tomcat or Wildfly) - EA is the java application running inside of E and we assume that the only element which varies is E, which is either Tomcat or Wildfly. You say that when E is Tomcat, everything works fine. But when E is Wildfly, strange things happen. 
Given that B + BA are the same and would send the same HTTP requests in both cases to A, - there is no reason why A would do anything different when E is Wildfly, than when E is Tomcat. A does not even know which Servlet Engine E is being used. - there is no reason why M would do anything different when E is Wildfly, than when E is Tomcat. M does not even know which Servlet Engine E is being used. It just knows that it is talking to an AJP connector of a webserver, and that it needs to translate the HTTP request, to an AJP request, before forwarding it. The only impact that I can think of, of changing the mod_jk loglevel, is to make mod_jk perhaps a little bit slower, because it has to log more. (But we should be talking of at most milliseconds here). So, on the face of it, logically, I would think that if there is a problem when E is Wildfly, the problem must be with Wildfly, or with how Wildfly is running the EA application. Or else, our premise is wrong, and BA is not exactly the same in both cases, and does not send exactly the same thing to A. But since BA comes from E + EA originally, that would also mean that the problem is with Wildfly + the EA application. So I would still go to the Wildfly support list, present the same case as you did above, and ask them if they have a clue as to what may be happening. To extend André's excellent examination . . . . It would be nice if you could remove A + M from the equation. In other words: B + BA -HTTP- E + EA Then vary E (Wildfly or Tomcat). If both work, then the issue might be with Firefly's AJP configuration (or its AJP implementation). If Firefly does not work, then the issue might be with Firefly's configuration (or Firefly and Wicket). If neither work, then that's a puzzle. . . . . just my (coffee-less) 2 cents Now wait, Firefly ? Is that linked to the coffee-less state ?
Re: Adding user session id to access log with %S doesn't work?
Mark Thomas wrote: On 09/06/2014 01:41, Fred Toth wrote: Hi Dan, Yes, the rest of the log is correct, and yes, I am certain I have an active session (I can see the cookie in my browser). Then something is messed up in your configuration. I've just checked this works and it does. You'll need to provide your full server.xml (comments removed please). Replace any passwords with *** or similar. Does the fact of having a session necessarily imply that the corresponding user is authenticated ? Mark Thanks, Fred On 6/8/2014 4:30 PM, Daniel Mikusa wrote: On Jun 8, 2014 4:01 PM, Fred Toth ft...@synernet.com wrote: Hi, This feature is in the doc since at least tomcat 5. I'm using tomcat 7.0.47 and I just tried to add the user session id to the access log by adding %S to the pattern attribute. However, it's not working. All I'm getting is - in the log. Have to ask, but are you sure that the request has an active session? Usually when you see - it means the value is absent for that request. Is there some trick to this? I haven't found anything online or in bugzilla. Also posted to stack overflow: Not aware of any tricks. AccessLogValve is pretty straightforward. Is the rest of the log record correct? Dan http://stackoverflow.com/questions/24110188/cant-configure-tomcat-access-log-session-id-with-s Thanks, Fred
Re: SingleSignOn valve in combination with SPNego
Konstantin Kolinko wrote: 2014-06-04 17:02 GMT+04:00 Maarten van Hulsentop maar...@vanhulsentop.nl: Hello all, We are encountering an issue with the use of the SingleSignOn valve and SPNego and are looking for a best practice on this. Let me describe our situation; Our suite consists of multiple end-user webapplications but also a few webapplications that accept interaction from other systems. Authentication from other systems is always done on a BASIC authentication basis, using username/password. For the end-user webapplications the method of authentication and authorization (Valve and Realm) is configurable in the application specific realms. The end-user applications are closely related so we use the SingleSignOn valve at global (server.xml) level to share end-user 'logins'. To make sure that users who successfully authenticated by an end-user webapplication cannot access the webapplications for external systems, the SingleSignOn valve has requireReauthentication set to true. This way a user can only access the applications for which the username/credential matches. Now, when we configure SPNego, we have to have a realm for that web application that always grants the user access, as the authentication for SPNego is performed completely in the valve. But when a user who authenticated in a non-SPNego web application tries to access the SPNego web application, the realm will also allow that user. This is a problematic situation. Maybe we could prevent this with the role mechanism, but in some cases we like to use the tomcatAuthentication=false on the AJP connector, and in those cases a role would complicate things. Any ideas? Just some thoughts. 1. What Realm implementation are you using? 
SpnegoAuthenticator calls principal = context.getRealm().authenticate(gssContext, isStoreDelegatedCredential()); SingleSignOn.reauthenticate( ) calls Principal reauthPrincipal = realm.authenticate(username, entry.getPassword()); So if you have a custom realm, the two use cases can be distinguished by the methods that they call. 2. Programmatically, re-authentication can be suppressed by either one of the following a) clearing REQ_SSOID_NOTE note from Request, in any valve in the chain before the authenticator is invoked request.removeNote(Constants.REQ_SSOID_NOTE); b) in a custom Authenticator, by overwriting reauthenticateFromSSO(..) or by setting AuthenticatorBase.sso to the value null I wonder whether it makes sense to add a flag to an AuthenticatorBase to allow to configure whether it participates in SSO. If it does not, then skip sso lookup in startInternal() and return early from reauthenticateFromSSO() method. 4. Maybe you can move the web applications that require SPNEGO to a different Host container, so that they do not share the SSO valve? I would tend to add +1 to item 4 above. I do not know how the SPNEGO valve in Tomcat really works, so what follows may, or may not be applicable, but in any case be careful. Windows WIA (web integrated authentication) generally requires several back-and-forth exchanges between the server and the browser (invisibly to the user), and it is imperative that these exchanges happen in a strict sequence and over the same TCP connection (because, from a WIA perspective, it is the *connection* which is authenticated) (which also means that when there is a new connection, a re-authentication must take place). So it is generally a bad idea to mix WIA authentication with any other form of AAA (or to try to smartly shortcut the WIA authentication), because you may end up with the wrong sequence of messages between the browser and the WIA authentication mechanism. 
And then you would start getting random Forbidden responses or random browser authentication popup dialogs, without really understanding why. And it is a bitch to debug. As mentioned earlier, I do not know the details of your setup or what you intend to do, so this may be irrelevant in your case. But if you start receiving unexplained 401/404 responses or seeing random popup login dialogs, remember this. --- At a different level, separately from the above : The point of SSO is generally to avoid an inconvenience for the user : to have to re-enter login details each time they switch to another application. Well, in the case of SPNEGO authentication, this is basically irrelevant anyway : the user never has to introduce his login details; these are picked up automatically by the browser, from the underlying Windows session, which is already authenticated ever since the user logged-in in Windows. Whether this SPNEGO authentication has to be repeated when the browser/server connection changes, is similarly irrelevant from the user's perspective (*), since it is done automatically in the background when needed. In other words, SPNEGO has its own built-in SSO (**), and there is no /need/ to
Re: Tomcat autodeploy doesn't return actual files via HTTP
Arseny wrote:
> ...
> Thanks again, Chris, for your very helpful message. I never heard earlier about documentation and never visited http://tomcat.apache.org/tomcat-7.0-doc/ before.

Even assuming that you don't mean documentation in general, that seems a bit hard to swallow. But I guess that when one just uses pre-packaged pre-installed versions, it might be possible.

But a thought just strikes me : maybe you never heard of Google either ? If so, here is a tip : http://lmgtfy.com/?q=tomcat+documentation

Amazing, he ?
Re: Hosts and ROOT folder
Michael Salmon wrote:
> Hi all
>
> I am new to Tomcat, so please do not kill me if the issue is simple or my English is bad. I am running Tomcat 7.0.42 on WinServer 2012 R2. It is front end for a Digital Asset Management system. The Tomcat is installed as part of the DAM system and could be different from a plain vanilla install.
>
> My problem is Host and path to webapps. I basically only have one webapp which is duplicated when I get a new customer. But when I deploy a new webapp and make a host element in conf\server.xml, I have to make a folder named ROOT in my webapp (webapps/customer/ROOT) and move all files to this folder to get things working. We also did that in a very old version (3 or 4), but haven't done that in several years. I can see the default webapp is also in a ROOT folder. When I put the files in the ROOT folder my application guy can't see the site in his administration tool for the DAM system.
>
> Where is it defined that files for my webapps go in a ROOT folder? I tried to make a folder in conf/Catalina/ reflecting the name of the webapp, I can't get that to work either. My last try will be to define docbase in the host element in server.conf, but in the documentation this is not recommended.
>
> All help would be appreciated. If you need more info please tell me.

Well, you're right, it's hard not to kill you, but we will try. This list would quickly get boring if we killed all the newcomers. And I personally welcome that kind of question anyway, because it is one of the few kinds which I can answer, so I get bonus points.

First, a note : whenever possible, you should try to avoid modifying conf/server.xml. That's mainly because if you make a change there, you have to restart Tomcat to make it notice. But in your case, if you create a new Host for each new customer, there is no other way, so keep doing it.

Some data : each Host in server.xml has its own appBase, which is the top directory in which webapps (also named context) for that Host are located. By default, this is webapps, which is a relative location, which by default points to : (tomcat-installation-directory)/webapps/. But you can create another directory somewhere, and point the appBase of another Host to this new directory, and then this Host will look in that place for its own webapps.

Normally, any given application (or webapp or context) is accessed by a URL of the form : http://hostname[:port]/webapp-name/ where webapp-name is the name of a sub-directory just below the appBase directory for that Host.

So
- if your application would be (imaginatively) named myWebApp
- and your Host name would be (imaginatively) named customer1.customers.com
- and the corresponding Host tag would be like <Host name="customer1.customers.com" appBase="C:/websites/customer1/webapps/" ...>

then
- the place to put your application would be in C:/websites/customer1/webapps/myWebApp/
- and the customer would access it via a URL like : http://customer1.customers.com/myWebApp/...

Then, one more thing : If you want your application to be the default webapp, which the user could call up with a URL like : http://customer1.customers.com/ then you have to do the following :
- create a directory C:/websites/customer1/webapps/ROOT/
- and place your application there

(That name ROOT (in capitals, important) is interpreted by Tomcat in a special way, so that if Tomcat does not recognise the name of the application requested in the URL, it will default to looking there). (Kind of).

Of course, for all of this to work (and for the users to be able to get to that webserver), the name customer1.customers.com would have to be registered in the DNS system, with the IP address of your Tomcat server.

Hope this helps.
Re: [SECURITY] CVE-2014-0097 Apache Tomcat information disclosure
Mark Thomas wrote:
> CVE-2014-0097 Information Disclosure
> ...
> Description: The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header.

I believe you, but I must admit that I don't really get what the problem is, here. If someone feels like explaining..
Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure
Mark Thomas wrote:
> On 27/05/2014 14:05, André Warnier wrote:
>> Mark Thomas wrote:
>>> CVE-2014-0099 Information Disclosure
>>> ...
>>> Description: The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header.
>>
>> I believe you, but I must admit that I don't really get what the problem is, here.
>
> Sure. First of all exploiting this is not easy.
>
> The problem occurs when the content-length overflows during parsing. Tomcat ends up with a lower value for the content length than is really the case. Tomcat will, therefore, read the first part of the request (up to the length it thinks it is) and process it. Assuming keep-alive is being used, Tomcat will then process the remainder of the request as a new request and generate a response for that.
>
> Things get messy when there is a reverse proxy in the mix that correctly processes the content length. What ends up happening is this.
>
> User A sends request A to proxy.
> Proxy sends request A to Tomcat.
> Tomcat processes the first part of request A and sends response A1 to the proxy.
> The proxy sends response A1 to user A.
> User B sends request B to proxy.
> Proxy sends request B to Tomcat (using the same connection as for request A)
> Tomcat processes the remainder of request A and sends response A2 to the proxy
> Proxy sends response A2 to user B.
>
> And you end up with all future responses on that connection going to the wrong user until (which will probably happen fairly soon) Tomcat or the proxy get to a point they realise something is wrong and close the connection.
>
> How much deliberate, targeted harm you can do depends a lot on the application. It is certainly easy to trigger response mix-up and - for example on a banking site - that would be bad even if that was all you could do.

Thank you for the limpid explanation. Yes, difficult to take advantage of, but certainly confusing for user B, to get something he didn't ask for..
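The overflow described in the thread above, as an added Java example that is not Tomcat's code and not part of the original messages: `parseUnchecked` folds the header digits into a number with no overflow check, while `parseChecked` rejects the value before it can wrap. The class and method names, the 64-bit accumulator and the sample header value are assumptions made for illustration.

```java
public class ContentLengthOverflowDemo {

    // Assumed shape of the flaw: digits are folded into a long with no
    // overflow check, so Java's two's-complement arithmetic wraps silently.
    static long parseUnchecked(String value) {
        long n = 0;
        for (int i = 0; i < value.length(); i++) {
            n = n * 10 + digit(value.charAt(i));
        }
        return n;
    }

    // Hardened form: refuse the header before n * 10 + d can pass Long.MAX_VALUE.
    static long parseChecked(String value) {
        if (value.isEmpty()) {
            throw new NumberFormatException("empty Content-Length");
        }
        long n = 0;
        for (int i = 0; i < value.length(); i++) {
            int d = digit(value.charAt(i));
            if (n > (Long.MAX_VALUE - d) / 10) {
                throw new NumberFormatException("Content-Length overflows");
            }
            n = n * 10 + d;
        }
        return n;
    }

    // Shared digit check: anything other than 0-9 is rejected by both parsers.
    static int digit(char c) {
        if (c < '0' || c > '9') {
            throw new NumberFormatException("non-digit in Content-Length");
        }
        return c - '0';
    }

    public static void main(String[] args) {
        // Constructed sample value (2^64 + 5); not taken from the advisory.
        String header = "18446744073709551621";
        // A front end that parses this correctly and the unchecked parser
        // now disagree about where the request body ends.
        System.out.println("unchecked parser reads body length: " + parseUnchecked(header));
        try {
            parseChecked(header);
        } catch (NumberFormatException e) {
            System.out.println("checked parser: rejected, " + e.getMessage());
        }
        System.out.println("checked parser, normal value: " + parseChecked("1024"));
    }
}
```

A server that rejects the header outright and closes the connection cannot end up disagreeing with the proxy in front of it about where one request ends and the next begins.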