Re: Can't get RemoteIpValve to work

[Leon Rosenberg]

Thanks, yes I think my problem never was with the RemoteIpValve, and the
other project I copied configuration from actually didn't work despite me
thinking it did ;)
kr
Leon

On Wed, Mar 29, 2023 at 6:45 AM Mark Thomas  wrote:

> On 28/03/2023 21:08, Leon Rosenberg wrote:
> > Sorry it took a little longer. Turns out that the actual RemoteIpValve
> > works correctly, but the *Access Log Valve *doesn't. We were
> > primarily looking into the localhost_access*logs, hence the confusion:
> >
> > Headers with RemoteIpValue on:
> > header: host; value: api.myhost.com
> > header: user-agent; value: PostmanRuntime/7.29.2
> > header: accept; value: */*
> > header: postman-token; value: 16abea85-a8de-44d2-8885-c92e0eed7d9f
> > header: accept-encoding; value: gzip, deflate, br
> > header: cookie; value: JSESSIONID=5F8CF7FE92569665C1F1BD08FBEC3F22
> > header: x-forwarded-host; value: api.myhost.com
> > header: x-forwarded-server; value: api.myhost.com
> > header: connection; value: Keep-Alive
> >
> > remote host: 77.178.32.184
> > remote ip: 77.178.32.184
> >
> >
> > Headers with RemoteIpValue off:
> > header: host; value: api.myhost.com
> > header: user-agent; value: PostmanRuntime/7.29.2
> > header: accept; value: */*
> > header: postman-token; value: a3e6b8cc-d2e2-45b7-86d7-2f0d4ce16c96
> > header: accept-encoding; value: gzip, deflate, br
> > header: cookie; value: JSESSIONID=A76B5E16C7566DFFF764C43CF34742ED
> > header: x-forwarded-for; value: 77.178.32.184
> > header: x-forwarded-host; value: api.myhost.com
> > header: x-forwarded-server; value: api.myhost.com
> > header: connection; value: Keep-Alive
> > remote host: 10.138.0.3
> > remote ip: 10.138.0.3
> >
> >
> > however, the AccessLogValue, which is configured as:
> >
> >  directory="logs"
> > prefix="localhost_access_log" suffix=".txt"
> > pattern="%{X-Forwarded-For}i %a %l %u %t %r
> %s %b" />
> >
> > Prints the local address as %a. We added %{X-Forwarded-For}i as
> workaround,
> > so it works for now, but I'd expect %a to print the 'real' ip address
> > instead of the local one. Same config works on 8.5 interestingly enough.
>
> I think Konstantin mentioned this earlier in the thread. Look at the
> requestAttributesEnabled attribute for the AccessLogValve
>
> https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Access_Log_Valve
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Can't get RemoteIpValve to work

[Leon Rosenberg]

Sorry it took a little longer. Turns out that the actual RemoteIpValve
works correctly, but the *Access Log Valve *doesn't. We were
primarily looking into the localhost_access*logs, hence the confusion:

Headers with RemoteIpValue on:
header: host; value: api.myhost.com
header: user-agent; value: PostmanRuntime/7.29.2
header: accept; value: */*
header: postman-token; value: 16abea85-a8de-44d2-8885-c92e0eed7d9f
header: accept-encoding; value: gzip, deflate, br
header: cookie; value: JSESSIONID=5F8CF7FE92569665C1F1BD08FBEC3F22
header: x-forwarded-host; value: api.myhost.com
header: x-forwarded-server; value: api.myhost.com
header: connection; value: Keep-Alive

remote host: 77.178.32.184
remote ip: 77.178.32.184


Headers with RemoteIpValue off:
header: host; value: api.myhost.com
header: user-agent; value: PostmanRuntime/7.29.2
header: accept; value: */*
header: postman-token; value: a3e6b8cc-d2e2-45b7-86d7-2f0d4ce16c96
header: accept-encoding; value: gzip, deflate, br
header: cookie; value: JSESSIONID=A76B5E16C7566DFFF764C43CF34742ED
header: x-forwarded-for; value: 77.178.32.184
header: x-forwarded-host; value: api.myhost.com
header: x-forwarded-server; value: api.myhost.com
header: connection; value: Keep-Alive
remote host: 10.138.0.3
remote ip: 10.138.0.3


however, the AccessLogValue, which is configured as:



Prints the local address as %a. We added %{X-Forwarded-For}i as workaround,
so it works for now, but I'd expect %a to print the 'real' ip address
instead of the local one. Same config works on 8.5 interestingly enough.

Anyway, thanks for the help and sorry for the confusion.

kr
Leon


On Fri, Mar 24, 2023 at 7:54 PM Mark Thomas  wrote:

> And if you dump out the headers and the value of
> ServletRequest.getRemoteAddr() with (and without for completeness) the
> RemoteIpValve ?
>
> Mark
>
>
> On 24/03/2023 14:09, Leon Rosenberg wrote:
> > Full log output (dumping out headers, without the valve):
> >
> > 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: host; value: api.myhost.net
> > 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: user-agent; value: Wget/1.21.3
> > 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: accept; value: */*
> > 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: accept-encoding; value: identity
> > 6049755 2023-03-24 14:07:59,752 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-for; value:
> > 217.110.113.178
> > 6049756 2023-03-24 14:07:59,753 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-host; value:
> > api.myhost.net
> > 6049757 2023-03-24 14:07:59,754 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-server; value:
> > api.myhost.net
> > 6049758 2023-03-24 14:07:59,755 [http-apr-8080-exec-13] INFO
> > n.a.c.extapi.ping.PingResource:38 - key: connection; value: Keep-Alive
> >
> >
> > 217.110.113.178 is my ip, so the value is correct.
> >
> > On Fri, Mar 24, 2023 at 3:07 PM Leon Rosenberg  >
> > wrote:
> >
> >> yeah, interestingly enough removing ipvalve and adding access log magic,
> >> puts the X-Forwarded-For in the localhost_access.log ... but strange
> >> nevertheless.
> >>
> >> On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas  wrote:
> >>
> >>> Maybe try commenting out the RemoteIpValve in Tomcat and retest so you
> >>> can see exactly what headers Tomcat is seeing. Alternatively, since
> this
> >>> is over http, Wireshark or similar could help.
> >>>
> >>> Mark
> >>>
> >>>
> >>> On 24/03/2023 10:29, Leon Rosenberg wrote:
> >>>> Hi,
> >>>>
> >>>> we have following setup
> >>>> apache 2.4 on a ubuntu host, in front of docker-container with tomcat9
> >>> (on
> >>>> same host).
> >>>> Connection is via apache mod_http/proxy.
> >>>>
> >>>> Internal IP of the host is 10.138.0.3 (where httpd and docker are
> >>> running).
> >>>> In localhost_access log we see always 10.138.0.3 address. If going
> >>> through
> >>>> port 8080 directly, without httpd, we see the correct IP-Address.
> >>>>
> >>>> We have added RemoteIpValve to server xml.
> >>>>  >>>>   remoteIpHeader="X-Forwarded-For"
> >>>>   p

Re: Can't get RemoteIpValve to work

[Leon Rosenberg]

Full log output (dumping out headers, without the valve):

6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: host; value: api.myhost.net
6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: user-agent; value: Wget/1.21.3
6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: accept; value: */*
6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: accept-encoding; value: identity
6049755 2023-03-24 14:07:59,752 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-for; value:
217.110.113.178
6049756 2023-03-24 14:07:59,753 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-host; value:
api.myhost.net
6049757 2023-03-24 14:07:59,754 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-server; value:
api.myhost.net
6049758 2023-03-24 14:07:59,755 [http-apr-8080-exec-13] INFO
n.a.c.extapi.ping.PingResource:38 - key: connection; value: Keep-Alive


217.110.113.178 is my ip, so the value is correct.

On Fri, Mar 24, 2023 at 3:07 PM Leon Rosenberg 
wrote:

> yeah, interestingly enough removing ipvalve and adding access log magic,
> puts the X-Forwarded-For in the localhost_access.log ... but strange
> nevertheless.
>
> On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas  wrote:
>
>> Maybe try commenting out the RemoteIpValve in Tomcat and retest so you
>> can see exactly what headers Tomcat is seeing. Alternatively, since this
>> is over http, Wireshark or similar could help.
>>
>> Mark
>>
>>
>> On 24/03/2023 10:29, Leon Rosenberg wrote:
>> > Hi,
>> >
>> > we have following setup
>> > apache 2.4 on a ubuntu host, in front of docker-container with tomcat9
>> (on
>> > same host).
>> > Connection is via apache mod_http/proxy.
>> >
>> > Internal IP of the host is 10.138.0.3 (where httpd and docker are
>> running).
>> > In localhost_access log we see always 10.138.0.3 address. If going
>> through
>> > port 8080 directly, without httpd, we see the correct IP-Address.
>> >
>> > We have added RemoteIpValve to server xml.
>> > > >  remoteIpHeader="X-Forwarded-For"
>> >  protocolHeader="X-Forwarded-Proto"
>> >  internalProxies="10\.138\.0\.3"/>
>> >
>> > http config also has ProxyAddHeaders on, also I understand that to be
>> > default anyway:
>> >ProxyPass / http://10.138.0.3:8080/
>> >ProxyPassReverse / http://10.138.0.3:8080/
>> >ProxyErrorOverride Off
>> >ProxyAddHeaders On
>> >
>> >  Require all granted
>> > ProxyAddHeaders On
>> >
>> >
>> > When we print out all headers in a request, the X-Forwarded-For is
>> missing,
>> > so obviously tomcat does something with it, but doesn't trust the
>> httpd? So
>> > probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't
>> get
>> > my head around it.
>> >
>> > any help would be highly appreciated
>> > kr
>> > Leon
>> >
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>

Re: Can't get RemoteIpValve to work

[Leon Rosenberg]

yeah, interestingly enough removing ipvalve and adding access log magic,
puts the X-Forwarded-For in the localhost_access.log ... but strange
nevertheless.

On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas  wrote:

> Maybe try commenting out the RemoteIpValve in Tomcat and retest so you
> can see exactly what headers Tomcat is seeing. Alternatively, since this
> is over http, Wireshark or similar could help.
>
> Mark
>
>
> On 24/03/2023 10:29, Leon Rosenberg wrote:
> > Hi,
> >
> > we have following setup
> > apache 2.4 on a ubuntu host, in front of docker-container with tomcat9
> (on
> > same host).
> > Connection is via apache mod_http/proxy.
> >
> > Internal IP of the host is 10.138.0.3 (where httpd and docker are
> running).
> > In localhost_access log we see always 10.138.0.3 address. If going
> through
> > port 8080 directly, without httpd, we see the correct IP-Address.
> >
> > We have added RemoteIpValve to server xml.
> >  >  remoteIpHeader="X-Forwarded-For"
> >  protocolHeader="X-Forwarded-Proto"
> >  internalProxies="10\.138\.0\.3"/>
> >
> > http config also has ProxyAddHeaders on, also I understand that to be
> > default anyway:
> >ProxyPass / http://10.138.0.3:8080/
> >ProxyPassReverse / http://10.138.0.3:8080/
> >ProxyErrorOverride Off
> >ProxyAddHeaders On
> >
> >  Require all granted
> > ProxyAddHeaders On
> >
> >
> > When we print out all headers in a request, the X-Forwarded-For is
> missing,
> > so obviously tomcat does something with it, but doesn't trust the httpd?
> So
> > probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't
> get
> > my head around it.
> >
> > any help would be highly appreciated
> > kr
> > Leon
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Can't get RemoteIpValve to work

[Leon Rosenberg]

Hi Konstantin,

Server version: Apache Tomcat/9.0.64
Server built:   Jun 2 2022 19:08:46 UTC
Server number:  9.0.64.0
OS Name:Linux
OS Version: 5.4.0-1092-gcp
Architecture:   amd64
JVM Version:1.8.0_332-b09
JVM Vendor: Temurin

kr
Leon



On Fri, Mar 24, 2023 at 1:17 PM Konstantin Kolinko 
wrote:

> пт, 24 мар. 2023 г. в 13:30, Leon Rosenberg :
> >
> > Hi,
> >
> > we have following setup
> > apache 2.4 on a ubuntu host, in front of docker-container with tomcat9
> (on
> > same host).
> > Connection is via apache mod_http/proxy.
> >
> > Internal IP of the host is 10.138.0.3 (where httpd and docker are
> running).
> > In localhost_access log we see always 10.138.0.3 address.
>
> Your version of Tomcat = ?
>
> If access log is all that you care about, you should note that the default
> value
> of requestAttributesEnabled attribute of AccessLogValve is false.
>
>
> https://tomcat.apache.org/tomcat-10.1-doc/config/valve.html#Access_Log_Valve
>
> Best regards,
> Konstantin Kolinko
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Can't get RemoteIpValve to work

[Leon Rosenberg]

Hi,

we have following setup
apache 2.4 on a ubuntu host, in front of docker-container with tomcat9 (on
same host).
Connection is via apache mod_http/proxy.

Internal IP of the host is 10.138.0.3 (where httpd and docker are running).
In localhost_access log we see always 10.138.0.3 address. If going through
port 8080 directly, without httpd, we see the correct IP-Address.

We have added RemoteIpValve to server xml.


http config also has ProxyAddHeaders on, also I understand that to be
default anyway:
  ProxyPass / http://10.138.0.3:8080/
  ProxyPassReverse / http://10.138.0.3:8080/
  ProxyErrorOverride Off
  ProxyAddHeaders On
  
Require all granted
ProxyAddHeaders On
  

When we print out all headers in a request, the X-Forwarded-For is missing,
so obviously tomcat does something with it, but doesn't trust the httpd? So
probably the line internalProxies="10\.138\.0\.3" is wrong, bug I can't get
my head around it.

any help would be highly appreciated
kr
Leon

Re: Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

[Leon Rosenberg]

and to add a quick note to that, the log-output when I am using
trustedProxies is "skip" for nearly everything:

15-Jun-2021 00:22:09.543 FINE [ajp-nio-8013-exec-23]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request
/api/v1/loginpixel/B:0BB57BE90B9C750FE773604354BF6E4D1920EF76D5500AE8673BD599D668983223A8666226FED1087E61D0E99A19F6EBEB8E64DB0BEE6BC3A5F20DCDC06FE4C27EFEE1B535C49367BCFB034E176AF8E40EE0A43F54C1D0D4DEFAAE38C9C2426DD6E585F2A7548076C577D291011712E3BDEEE4D8DCBAE7D5B7A144B0B06011E9
with originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-7]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /photos/b/EA01F2D2BB616202A4F4A55E650D684D/300/ with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-9]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /photos/d/1390B1ED751C81B39B21785D818F4570/300/ with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-18]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/js/extRegUpdatePassword.js with originalRemoteAddr
'198.41.242.13'
15-Jun-2021 00:22:09.547 FINE [ajp-nio-8013-exec-15]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/js/websocket/websocket.js with originalRemoteAddr
'198.41.242.49'
15-Jun-2021 00:22:09.544 FINE [ajp-nio-8013-exec-16]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /photos/d/531BD3EA43EC8662E9BA9967689AEEBC/300/ with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.548 FINE [ajp-nio-8013-exec-12]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/img/avatars/no_avatar_woman_1_lg.png with
originalRemoteAddr '198.41.242.73'
15-Jun-2021 00:22:09.549 FINE [ajp-nio-8013-exec-6]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/img/avatars/no_avatar_woman_4_lg.png with
originalRemoteAddr '198.41.242.119'
15-Jun-2021 00:22:09.640 FINE [ajp-nio-8013-exec-24]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-int/img/avatars/no_avatar_woman_5_lg.png with
originalRemoteAddr '198.41.242.153'
15-Jun-2021 00:22:09.651 FINE [ajp-nio-8013-exec-3]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-ext/firebase/firebase-messaging.js.map with
originalRemoteAddr '198.41.242.13'
15-Jun-2021 00:22:09.666 FINE [ajp-nio-8013-exec-8]
org.apache.catalina.valves.RemoteIpValve.invoke Skip RemoteIpValve for
request /static-ext/firebase/firebase-app.js.map with originalRemoteAddr
'198.41.242.13'

On Tue, Jun 15, 2021 at 12:19 AM Leon Rosenberg 
wrote:

> ok, quick update: it didn't work with 198\.41\..* or .* at first, but it
> worked after I changed attribute name from trustedProxies to
> internalProxies.
> kr
> Leon
>
> On Mon, Jun 14, 2021 at 11:52 PM Leon Rosenberg 
> wrote:
>
>>
>>
>> On Mon, Jun 14, 2021 at 10:57 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> Leon,
>>>
>>> On 6/14/21 16:26, Leon Rosenberg wrote:
>>> > Thanks for the response Mark,
>>> >
>>> > quick question, do I have to add all cloudflare ips? They kindof
>>> > distributed along the world... Can I mark the thrustworthlyness by a
>>> header
>>> > instead?
>>> > kr
>>> > Leon
>>> >
>>> > On Mon, Jun 14, 2021 at 9:45 PM Mark Thomas  wrote:
>>> >
>>> >> On 14/06/2021 17:01, Leon Rosenberg wrote:
>>> >>> hi,
>>> >>> I have a tomcat 8.5.15 behind an apache behind cloudflare. I am
>>> trying to
>>> >>> "see" the user's ip in my logs. When I print out the headers I see
>>> that I
>>> >>> have headers in the request
>>> >>> CF-Connecting-IP
>>> >>> and
>>> >>> X-Forwarded-For
>>> >>> with real user's up, say 93.72.251.122. But when I make a request to
>>> >>> request.getRemoteAddr() it returns 162.158.103.188 which is
>>> cloudflare's
>>> >>> ip address, not the real one.
>>> >>> I added to the server.xml the remoteipvalue in different
>>> configuration
>>> >> und
>>> >>> "Host", i.e.:
>>> >>>>> >>> remoteIpHeader="x-forwarded-for"
>>> >>> protocolHeader="x-forwarded-proto"
>>> >>> />
>>> >>>
>>> >>>>> >>> remoteIpHeader="X-Forwarded-For"

Re: Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

[Leon Rosenberg]

ok, quick update: it didn't work with 198\.41\..* or .* at first, but it
worked after I changed attribute name from trustedProxies to
internalProxies.
kr
Leon

On Mon, Jun 14, 2021 at 11:52 PM Leon Rosenberg 
wrote:

>
>
> On Mon, Jun 14, 2021 at 10:57 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Leon,
>>
>> On 6/14/21 16:26, Leon Rosenberg wrote:
>> > Thanks for the response Mark,
>> >
>> > quick question, do I have to add all cloudflare ips? They kindof
>> > distributed along the world... Can I mark the thrustworthlyness by a
>> header
>> > instead?
>> > kr
>> > Leon
>> >
>> > On Mon, Jun 14, 2021 at 9:45 PM Mark Thomas  wrote:
>> >
>> >> On 14/06/2021 17:01, Leon Rosenberg wrote:
>> >>> hi,
>> >>> I have a tomcat 8.5.15 behind an apache behind cloudflare. I am
>> trying to
>> >>> "see" the user's ip in my logs. When I print out the headers I see
>> that I
>> >>> have headers in the request
>> >>> CF-Connecting-IP
>> >>> and
>> >>> X-Forwarded-For
>> >>> with real user's up, say 93.72.251.122. But when I make a request to
>> >>> request.getRemoteAddr() it returns 162.158.103.188 which is
>> cloudflare's
>> >>> ip address, not the real one.
>> >>> I added to the server.xml the remoteipvalue in different configuration
>> >> und
>> >>> "Host", i.e.:
>> >>>> >>> remoteIpHeader="x-forwarded-for"
>> >>> protocolHeader="x-forwarded-proto"
>> >>> />
>> >>>
>> >>>> >>> remoteIpHeader="X-Forwarded-For"
>> >>> protocolHeader="X-Forwarded-Proto"
>> >>> />
>> >>>
>> >>> or assuming for defaults:
>> >>>> >>> />
>> >>>
>> >>> or even:
>> >>>> >>> remoteIpHeader="CF-Connecting-IP"
>> >>> />
>> >>>
>> >>> but none of them give me the getRemoteAddr properly. Is there a trick
>> to
>> >>> this configuration?
>> >>
>> >> You need to tell Tomcat that 162.158.103.188 is trusted. Setting
>> >> trustedProxies="162\.158.103\.188" should do the trick.
>> >>
>> >> There is debug logging in that Valve so you can set
>> >>
>> >> org.apache.catalina.valves.RemoteIpValve.level=FINE
>> >>
>> >> in $CATALINA_BASE/conf/logging.properties to get debug logging which
>> >> should help you see what is going on.
>> >>
>> >> Mark
>>
>> trustedProxies=".*" ??
>>
>>
> Hi Chris,
>
>
>> What happens if someone connects to your origin server directly? Would
>> you trust an X-Forwarded-For header from them?
>>
>
> That's an excellent question, Chris! I don't know the answer yet, the only
> thing we need the ip for is to have something in case of payment-fraud, and
> since you can't get any physical goods on this site I guess it would be ok
> to trust it.
> kr
> leon
>
>
>>
>> -chris
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>

Re: Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

[Leon Rosenberg]

On Mon, Jun 14, 2021 at 10:57 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Leon,
>
> On 6/14/21 16:26, Leon Rosenberg wrote:
> > Thanks for the response Mark,
> >
> > quick question, do I have to add all cloudflare ips? They kindof
> > distributed along the world... Can I mark the thrustworthlyness by a
> header
> > instead?
> > kr
> > Leon
> >
> > On Mon, Jun 14, 2021 at 9:45 PM Mark Thomas  wrote:
> >
> >> On 14/06/2021 17:01, Leon Rosenberg wrote:
> >>> hi,
> >>> I have a tomcat 8.5.15 behind an apache behind cloudflare. I am trying
> to
> >>> "see" the user's ip in my logs. When I print out the headers I see
> that I
> >>> have headers in the request
> >>> CF-Connecting-IP
> >>> and
> >>> X-Forwarded-For
> >>> with real user's up, say 93.72.251.122. But when I make a request to
> >>> request.getRemoteAddr() it returns 162.158.103.188 which is
> cloudflare's
> >>> ip address, not the real one.
> >>> I added to the server.xml the remoteipvalue in different configuration
> >> und
> >>> "Host", i.e.:
> >>> >>> remoteIpHeader="x-forwarded-for"
> >>> protocolHeader="x-forwarded-proto"
> >>> />
> >>>
> >>> >>> remoteIpHeader="X-Forwarded-For"
> >>> protocolHeader="X-Forwarded-Proto"
> >>> />
> >>>
> >>> or assuming for defaults:
> >>> >>> />
> >>>
> >>> or even:
> >>> >>> remoteIpHeader="CF-Connecting-IP"
> >>> />
> >>>
> >>> but none of them give me the getRemoteAddr properly. Is there a trick
> to
> >>> this configuration?
> >>
> >> You need to tell Tomcat that 162.158.103.188 is trusted. Setting
> >> trustedProxies="162\.158.103\.188" should do the trick.
> >>
> >> There is debug logging in that Valve so you can set
> >>
> >> org.apache.catalina.valves.RemoteIpValve.level=FINE
> >>
> >> in $CATALINA_BASE/conf/logging.properties to get debug logging which
> >> should help you see what is going on.
> >>
> >> Mark
>
> trustedProxies=".*" ??
>
>
Hi Chris,


> What happens if someone connects to your origin server directly? Would
> you trust an X-Forwarded-For header from them?
>

That's an excellent question, Chris! I don't know the answer yet, the only
thing we need the ip for is to have something in case of payment-fraud, and
since you can't get any physical goods on this site I guess it would be ok
to trust it.
kr
leon


>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

[Leon Rosenberg]

Thanks for the response Mark,

quick question, do I have to add all cloudflare ips? They kindof
distributed along the world... Can I mark the thrustworthlyness by a header
instead?
kr
Leon

On Mon, Jun 14, 2021 at 9:45 PM Mark Thomas  wrote:

> On 14/06/2021 17:01, Leon Rosenberg wrote:
> > hi,
> > I have a tomcat 8.5.15 behind an apache behind cloudflare. I am trying to
> > "see" the user's ip in my logs. When I print out the headers I see that I
> > have headers in the request
> > CF-Connecting-IP
> > and
> > X-Forwarded-For
> > with real user's up, say 93.72.251.122. But when I make a request to
> > request.getRemoteAddr() it returns 162.158.103.188 which is cloudflare's
> > ip address, not the real one.
> > I added to the server.xml the remoteipvalue in different configuration
> und
> > "Host", i.e.:
> >> remoteIpHeader="x-forwarded-for"
> > protocolHeader="x-forwarded-proto"
> > />
> >
> >> remoteIpHeader="X-Forwarded-For"
> > protocolHeader="X-Forwarded-Proto"
> > />
> >
> > or assuming for defaults:
> >> />
> >
> > or even:
> >> remoteIpHeader="CF-Connecting-IP"
> > />
> >
> > but none of them give me the getRemoteAddr properly. Is there a trick to
> > this configuration?
>
> You need to tell Tomcat that 162.158.103.188 is trusted. Setting
> trustedProxies="162\.158.103\.188" should do the trick.
>
> There is debug logging in that Valve so you can set
>
> org.apache.catalina.valves.RemoteIpValve.level=FINE
>
> in $CATALINA_BASE/conf/logging.properties to get debug logging which
> should help you see what is going on.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Tomcat doesn't pick up RemoteIp from RemoteIpValve Configuration

[Leon Rosenberg]

hi,
I have a tomcat 8.5.15 behind an apache behind cloudflare. I am trying to
"see" the user's ip in my logs. When I print out the headers I see that I
have headers in the request
CF-Connecting-IP
and
X-Forwarded-For
with real user's up, say 93.72.251.122. But when I make a request to
request.getRemoteAddr() it returns 162.158.103.188 which is cloudflare's
ip address, not the real one.
I added to the server.xml the remoteipvalue in different configuration und
"Host", i.e.:
 

 

or assuming for defaults:
 

or even:
 

but none of them give me the getRemoteAddr properly. Is there a trick to
this configuration?

kr
Leon

Re: Tomcat Bandwidth Utilization Tool

[Leon Rosenberg]

MoSKito (http://www.moskito.org) does visualize the stats
from GlobalRequestProcessor:
http://burgershop-hamburg.demo.moskito.org/burgershop/moskito-inspect/mskShowProducer?pProducerId=GlobalRequestProcessor

You can see the bytes sent/received from every connector.

regards
Leon

On Fri, Aug 30, 2019 at 2:36 AM Michael Duffy  wrote:

> There is a " Bytes received: 0.00 MB Bytes sent: 12.03 MB" in the Tomcat
> Manager; however, the received count does not change and the sent count
> seems low.
>
> On Thu, Aug 29, 2019 at 7:09 PM Michael Duffy  wrote:
>
> > Is there a simple tool that will show bandwidth utilization to and from
> > the Tomcat server?
> >
> > I am looking for something that will provide an exact byte count of the
> > TCP/IP packets.
> >
> > I would have thought this would be an easy find; however, after hours of
> > Googling around I have not yet been successful.
> >
> > There are some options here:
> > https://www.comparitech.com/net-admin/free-bandwidth-monitoring-tools/
> ,but
> > none of them specifically mention integration with Tomcat.
> >
> > At the application level, if I just measure the byte flow into and out of
> > my application, I will miss the bytes in the TCP/IP headers.
> >
> > Any suggestions would be greatly appreciated.
> >
> > Thx.
> >
> > Mike
> >
> >
> >
>

Re: [OT] Question about the longevity of Java ..

[Leon Rosenberg]

Hi John,

personally I do not believe that this will ever happen, but for the sake of
an argument lets assume someone finally builds the skynet and assigns to it
the task to calculate PI with most precision. The skynet then takes over
and diverts all resources in the universe to PI calculation (killing or
enslaving all humans in the process) and calculates happily forever.
In such a case it will most definitely come up with another means of
communication as http, which is outdated even by human standards.
This new communication protocol will be implemented by something, which can
be called TomCat by coincidence, but will more likely be called something
0x234abe456d.
So no, there is no place for tomcat in the future ai.

As for your second question, tomcat to java is nothing close to what java
is to C. Tomcat is one of trillions of programs written with the language,
albeit a very useful and successful one. If you want something to be to
java as java to c, that would be scala (or something new yet to arise).

regards
Leon


On Mon, Mar 25, 2019 at 9:25 AM John Dale  wrote:

> Greetings;
>
> Generally speaking, how would folks feel about an AI taking over
> programming roles (and eventually requirements authoring)?
>
> My deepest curiosity may be this - at some point in the future, will
> AI use Tomcat as we do now, and does Tomcat get embedded deeply into
> some AI subsystem as a wholly complete heuristic collection (note
> lower case collection)?
>
> Or, does the low-level hardware finally climb its way up to Java, the
> most expressive programming language known to mankind, and relegate
> .NET, PHP, etc to their proper statio in life?
>
> Additionally, as such, in the future, when you buy your new computer
> from Wal Mart, it is a matter of deciding which Java/Tomcat flavor you
> want to have; I game, I porn, I database, I quilt, I skype, I like
> turtles?
>
> Second to lastly, is Tomcat to Java as is Java to C?  Will C
> eventually harden to static state and service Java like a good wife?
> Like .. a really good wife?
>
> I think these issues presently concern users of Java.
>
> Note: I have a B.A. in Philosophy with a Computer Science Minor, an MS
> MIS with Concentration in Entrepreneurship.
>
> Lastly, if you are immune to contextually relevant humor, perhaps you
> should reconsider that US H1B.
>
> Sincerely,
>
> John Dale, MS MIS/Entrepreneurship
>
> PS: Have a great week everyone.  Think hard this week (that's what she
> said).
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Number of tomcat downloads

[Leon Rosenberg]

A little background on the original question: we have some legal issues
with a client, among other things, he claims that our code isn't documented
well, because he run checkstyle on it, and it showed 6000 errors. My
argumentation was that default checkstyle settings aren't telling anything
about code quality (unless agreed upon upfront). I run checkstyle with
default settings on tomcat code base and it showed 85.412 errors using sun
code checks (yes, those from 1996). Most of them are like:

 
AbstractFramedStreamSourceChannel
this line produces multiple warnings, for example ',' not followed by a
whitespace and such.

if(attachments == null) - if not followed by a whitespace etc.

Hence if such a mature product like tomcat (with 10.000.000 installations)
contains 85412 errors and is considered well documented, he is using the
wrong tool for the task.

regards
Leon


On Tue, Feb 5, 2019 at 11:25 AM Leon Rosenberg 
wrote:

> Thank you very much Igal, Marc and Emmanuel.
>
> regards
> Leon
>
> On Tue, Feb 5, 2019 at 11:23 AM Emmanuel Bourg  wrote:
>
>> Le 05/02/2019 à 00:48, Leon Rosenberg a écrit :
>>
>> > I vaguely remember Marc naming some figures for number of tomcat
>> downloads
>> > sofar, but I couldn't find anything in the state of the cat slides.
>> > I checked on the website, but all I found was this:
>> >
>> > " Tomcat has been downloaded more than 10 million times: assuming even
>> a 1%
>> > production adoption rate results in more than 10 installations. "
>> > But this is from 2014 and I assume there should be a better number by
>> now.
>> >
>> > Anyone? Asking for a friend ;-)
>>
>> Some numbers, from Debian:
>>
>>
>> https://qa.debian.org/popcon-graph.php?packages=tomcat9+tomcat8+tomcat7+tomcat6_installed=on_legend=on_ticks=on_date=_date=_date=_fmt=%25Y-%25m=1
>>
>> around 2400 installations reported by popcon, rather stable over the
>> years.
>>
>> From Ubuntu:
>>
>>   https://popcon.ubuntu.com/by_inst
>>
>>   tomcat6   15785
>>   tomcat72122
>>   tomcat8 117
>>
>> And from Netcraft:
>>
>>
>> https://news.netcraft.com/archives/2018/12/17/december-2018-web-server-survey.html
>>
>> Netcraft reported ~60 domains served by Tomcat.
>>
>> Emmanuel Bourg
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>

Re: Number of tomcat downloads

[Leon Rosenberg]

Thank you very much Igal, Marc and Emmanuel.

regards
Leon

On Tue, Feb 5, 2019 at 11:23 AM Emmanuel Bourg  wrote:

> Le 05/02/2019 à 00:48, Leon Rosenberg a écrit :
>
> > I vaguely remember Marc naming some figures for number of tomcat
> downloads
> > sofar, but I couldn't find anything in the state of the cat slides.
> > I checked on the website, but all I found was this:
> >
> > " Tomcat has been downloaded more than 10 million times: assuming even a
> 1%
> > production adoption rate results in more than 10 installations. "
> > But this is from 2014 and I assume there should be a better number by
> now.
> >
> > Anyone? Asking for a friend ;-)
>
> Some numbers, from Debian:
>
>
> https://qa.debian.org/popcon-graph.php?packages=tomcat9+tomcat8+tomcat7+tomcat6_installed=on_legend=on_ticks=on_date=_date=_date=_fmt=%25Y-%25m=1
>
> around 2400 installations reported by popcon, rather stable over the years.
>
> From Ubuntu:
>
>   https://popcon.ubuntu.com/by_inst
>
>   tomcat6   15785
>   tomcat72122
>   tomcat8 117
>
> And from Netcraft:
>
>
> https://news.netcraft.com/archives/2018/12/17/december-2018-web-server-survey.html
>
> Netcraft reported ~60 domains served by Tomcat.
>
> Emmanuel Bourg
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Number of tomcat downloads

[Leon Rosenberg]

Hi,

I vaguely remember Marc naming some figures for number of tomcat downloads
sofar, but I couldn't find anything in the state of the cat slides.
I checked on the website, but all I found was this:

" Tomcat has been downloaded more than 10 million times: assuming even a 1%
production adoption rate results in more than 10 installations. "
But this is from 2014 and I assume there should be a better number by now.

Anyone? Asking for a friend ;-)

regards
Leon

[OT] Happy New Year

[Leon Rosenberg]

I wish a happy and sound new year to all of the tomcat family!
See, Hear and Read all of you next year!

Leon

Re: insufficient memory for the Java Runtime Environment to continue

[Leon Rosenberg]

You should provide at least Java version.
Out of the blue you should have at least 2Gb for the OS, so if your server
is having 16 Gb, your Xmx and MaxPermSize shouldn't be more then 14 G
TOGETHER. Of course this only applies to versions of java below 1.8,
because there is no permspace in modern jvms anymore (called metaspace now)
and in this case this setting doesn't do anything. Still, you should reduce
Xmx to 13 or less.
Leon

On Sat, Dec 22, 2018 at 1:35 PM Dhaval Jaiswal 
wrote:

> I am facing issue of crashing JAVA process and log files attached for the
> same.
>
> Server total RAM is 16 GB.
>
> catalina.sh having following setting.
> export JAVA_MEM_OPTS="-Xms1g -Xmx15g -XX:MaxPermSize=1536m"
>
> Can some one help where could be the problem? Which threads are consuming
> memory. How can i get rid out of this issue.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Compression for Resources served through DefaultServlet

[Leon Rosenberg]

On Mon, Nov 26, 2018 at 10:27 PM Mark Thomas  wrote:

> On 26/11/2018 21:19, Leon Rosenberg wrote:
> > Good time of the day,
> >
> > I am debugging bad page insights reported by google for a mobile versus
> > desktop version of our site and I'm seeing that the static resources,
> > served by the DefaultServlet (aka files) aren't compressed, versus to
> > dynamic resources served by a servlet.
> > Tomcat version in question 8.5.15 and 8.5.31 (tested on both)
>
> http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>
> Search for sendfile.
>
> ?
>

I thought sendfile is NIO only, this was probably the mistake.

Thank you.
Leon


>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Compression for Resources served through DefaultServlet

[Leon Rosenberg]

Good time of the day,

I am debugging bad page insights reported by google for a mobile versus
desktop version of our site and I'm seeing that the static resources,
served by the DefaultServlet (aka files) aren't compressed, versus to
dynamic resources served by a servlet.
Tomcat version in question 8.5.15 and 8.5.31 (tested on both)

Connector setting:

There is a loadbalancer in front of the connector, but its transparent,
doesn't change anything.

Now when I request a resource like this:
https://www.mysite.com/rd/V-2.0.0-SNAPSHOT_2018-11-22T13:39:22,000/static-ext/bootstrap.css
(where rd is mapping to a servlet) the result is shown in inspect tab of
chrome as 18.K (obviously compressed) and the response headers indicate
that the file is gziped:

HTTP/1.1 200 Last-Modified: Tue, 31 Jul 02018 11:42:50 GMT Expires: Tue, 26
Nov 02019 21:15:04 GMT Content-Type: text/css Transfer-Encoding: chunked
Content-Encoding: gzip Vary: Accept-Encoding Date: Mon, 26 Nov 2018
21:15:04 GMT

If I make a request to a static file the file is not gziped:
https://www.mysite.com/static-ext/css/bootstrap.css
HTTP/1.1 200 Accept-Ranges: bytes ETag: W/"131194-1539850288000"
Last-Modified: Thu, 18 Oct 2018 08:11:28 GMT Content-Type: text/css
Content-Length: 131194 Date: Mon, 26 Nov 2018 20:53:37 GMT


Are there any specific settings to the default servlet to enable it to
support compression? Both files are css, hence they should be covered by
default compression types. Are there any other settings to try?

regards
Leon

Re: Number of Web Applications in one Tomcat

[Leon Rosenberg]

Clearly one webapp per tomcat. Makes everything easier. Also, if your apps
aren't really tiny, the memory overhead of tomcat is minimal compared to
the advantages.

Leon

On Mon, Oct 29, 2018 at 9:00 AM Ahmed, Tarek  wrote:

> Hi all,
>
> TLDR? Do you deploy one web application per tomcat instance or several?
>
> ---
>
> The long story:
>
> I'd like to sound out your opinion regarding the number of web
> applications deployed in one tomcat instance. The reason is, that at my
> place of work the developers prefer one webapp per tomcat, the admins would
> rather have as many webapps as possible in one tomcat instance (yeah,
> that's devops at its finest ;-)  ). As a developer I'm probably prejudiced,
> but the argument goes as follows:
>
>
> OPS (one tomcat, many webapps):
>
> - Saves memory (each tomcat has a memory footprint even without a web
> application running)
>
> - Saves extra file systems for each tomcat (logs, tomcat installation,
> temp directory)
>
> - Saves nagios monitoring configuration
>
> - Saves separate ports (security considerations)
>
> - Saves work distributing security patches
>
>
> DEV (one webapp per tomcat)
>
> - Start-up time of "fat tomcats" multiplies, which leads to worsened
> availablity (e.g., our fattest tomcat contains 32 web services. It takes 4
> minutes to start)
>
> - If one webapp goes haywire, it may crash the rest of them (OOM, no more
> threads, etc.)
>
> - For bug fixes in one application, you may need to restart the complete
> tomcat instance. Auto (re)deploy takes you only so far, since loaded
> classes may not always be unloaded cleanly, threads not closed etc. This is
> not always something that can be solved in your own code, third party
> libraries may cause problems, too (we had some issues with quartz and
> infinispan here).
>
> - If you ever need to profile your application in production, there is
> much less noise when analysing heap, thread dumps, cpu usage etc.
>
> - I might even think there is some improved security if webapps are
> isolated in several processes vs. being deployed in one VM (security
> arguments always work well with OPS :-)  )
>
>
> So, I want to get away from the one-tomcat-multiple-webapps scenario. One
> thing I started doing to subvert this policy is using spring boot with
> embedded tomcats which is cool in a lot of ways but not always feasible.
>
> What are your practices? Are there further pros and cons for one way or
> the other? Thanks so much for any input,
>
> many greetings,
>
> tarek
>
> --
> Tarek Ahmed
> Softwareentwicklung
>
>
> DIMDI
> Deutsches Institut für
> Medizinische Dokumentation und Information
> Waisenhausgasse 36-38a
> 50676 Köln
>
> Tel.: +49 221 4724-268
> Fax: +49 221 4724-444
> tarek.ah...@dimdi.de
> www.dimdi.de
>
> [image: tick] Das DIMDI unterstützt die Vereinbarkeit von Beruf und
> Familie und ist entsprechend zertifiziert.
>
>
> Das DIMDI ist ein Institut im Geschäftsbereich des Bundesministeriums für
> Gesundheit (BMG).
>

Re: Tomcat Binary Connector

[Leon Rosenberg]

Hey Anthony,

your last comment seems to indicate that you disagree with tomcat being
fixed requirement. Personally I feel opening a port and implementing all
the protocol handling completely negates of advantages of having tomcat in
your application. So maybe you should force a change in your requirements
instead of undermining them, if you feel they are nonsense.

That being said, if you need a binary protocol on top of http you might
want to check grpc. I am not sure how well it works with tomcat, there
might be issues, since they use netty for default. The advantage of grpc
would be multi-language support, http2 features, and the convenience that
no-one ever got fired for using google technology.

regards
Leon



On Sat, Sep 22, 2018 at 2:49 AM anthony berglas  wrote:

> We would like to run a binary protocol in a Tomcat container, so that
> binary sent to a specific port all ends up in a specific servlet. This is
> not AJP, we do not want Tomcat itself to look at the bits, just pass them
> through.
>
> So in Tomcat parlance we need a special Connector.
>
> Does such a thing exist or do we need to write it ourselves?
>
> Tomcat itself is a fixed requirement for the container architecture. Just
> having a process listening on a port is not considered to be enterprisy
> enough.
>
> Thanks,
>
> Anthony
>
> --
>
> Dr Anthony Berglas, anth...@berglas.org   Mobile: +61 4 4838 8874
> Just because it is possible to push twigs along the ground with ones nose
> does not necessarily mean that that is the best way to collect firewood.
>

Re: ApacheCon NA is in just under 3 weeks

[Leon Rosenberg]

I think that would be nice.
Leon

On Wed, Sep 5, 2018 at 12:40 PM Mark Thomas  wrote:

> All,
>
> ApacheCon North America starts in Montréal in just under three weeks.
> There are 2 days of Tomcat content starting on the Monday. If you
> haven't registered, now would be a good time to do so ;)
>
> The evening schedule is already looking pretty packed but Monday evening
> has been set aside for project gatherings and there are still rooms
> available.
>
> Thoughts on booking a room for a Tomcat related session?
>
> I've no firm thoughts on an agenda other than talk Tomcat stuff for an
> hour or so followed by moving to the hotel bar / coffee shop / somewhere
> with lots of comfy seats to continue chatting.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: [OT] What can prevent sessions from timeouting apart from real requests

[Leon Rosenberg]

Hi, actually the issue got resolved. The system in question wasn't tomcat
but jboss (hence the offtopic) and in particular undertow. Undertow seems
to have completely different session expiration handling than tomcat, they
actually prolong expiration timestamp every time an attribute is accessed...

Thanks for the insights!

Leon

On Mon, Aug 27, 2018 at 9:07 AM Jäkel, Guido  wrote:

> Dear Leon,
>
> I suggest to use the Tomcat Manager Application to investigate the session
> data:
>
> * Use the Session Display (/manager/html/sessions?path=/foo) to take a
> look on the different Timers (Creation Time, Last Accessed Time, Used Time,
> Inactive Timemm,TTL) or even the session data
>
> * Use the Connector Scoreborads on the Server Status Display
> (/manager/status) to detect stuck requests. I'm not sure if a stuck request
> may prevent a session cleanup (especially of "other" sessions)
>
> Another approach may be to snapshot a memory dump and investigate the
> session objects, e.g. with the Eclipse Memory Analyze Tool (aka MAT).
>
> Greetings
>
> Guido
>
> >-Original Message-
> >From: Leon Rosenberg [mailto:rosenberg.l...@gmail.com]
> >Sent: Friday, August 24, 2018 11:25 AM
> >To: Tomcat Users List 
> >Subject: [OT] What can prevent sessions from timeouting apart from real
> requests
> >
> >Hi,
> >
> >one of the systems we are consulting has encountered a strange problem.
> The
> >sessions will build up indefinitely but never expire. Then, at one point
> >(at 02am in the night, 19K sessions would drop at once).
> >Of course the simplest explanation would be that someone is actively
> >requests something every 15 minutes (session timeout) keeping track of the
> >JSESSIONID. We are trying to track this through the access_log and such.
> >However, my question, is it possible to prevent session from timeouting by
> >doing something stupid code-wise? Like storing a session in a hashmap
> >somewhere, and accessing some attributes from time to time? My
> >understanding was that the session timeout is solely dependent on incoming
> >requests and handled by the container, but I was not 100% sure ;-)
> >
> >Thanks in advance
> >Leon
>

[OT] What can prevent sessions from timeouting apart from real requests

[Leon Rosenberg]

Hi,

one of the systems we are consulting has encountered a strange problem. The
sessions will build up indefinitely but never expire. Then, at one point
(at 02am in the night, 19K sessions would drop at once).
Of course the simplest explanation would be that someone is actively
requests something every 15 minutes (session timeout) keeping track of the
JSESSIONID. We are trying to track this through the access_log and such.
However, my question, is it possible to prevent session from timeouting by
doing something stupid code-wise? Like storing a session in a hashmap
somewhere, and accessing some attributes from time to time? My
understanding was that the session timeout is solely dependent on incoming
requests and handled by the container, but I was not 100% sure ;-)

Thanks in advance
Leon

Re: Tomcat stop and start using bash script

[Leon Rosenberg]

use -force option
bin/shutdown.sh -force

regards
Leon

On Wed, Jun 27, 2018 at 5:51 PM dhanesh1212121212 
wrote:

> Hi All,
>
> Trying to stop and start tomcat in production using bash script for war
> deployment.
>
> If tomcat not stopped properly then how we can kill the correct process and
> make sure it's stopped correctly.
>
> Regards,
> Dhanesh M.
>

Re: tomcat 6 vulnerability scan default error page help

[Leon Rosenberg]

Hi Mark,

I agree with you that the complaint about version number is rather a minor
one, however, I've had the same situation as one of our projects had to
pass through a PCI Compliance test, and this is what they really test for.

regards
Leon

On Wed, May 2, 2018 at 9:42 PM, Mark Thomas  wrote:

> On 02/05/18 20:27, Berneburg, Cris J. - US wrote:
> > We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
> >
> > On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version.  Right, I need to do something
> about that.
> >
> > However, I can't find where the error-page for 404 is defined.  It's not
> defined in:
> > - webapps/ROOT/WEB-INF/web.xml
> > - conf/web.xml
> > - conf/server.xml
> > - conf/context.xml
> >
> > Also, I can't find a notFound or error page either.
> >
> > How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined?  Also, how is Tomcat
> returning the default 404 error page if it does not exist?  I hope it's not
> hardcoded in a servlet response.
> >
> > FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
> >
> > And we're using Tomcat 6.0.37 (ahem).
>
> And you are worried about returning the version number? Have you seen
> how many real security issues (as opposed to this version number
> non-issue) there are in 6.0.37? I can't help but think your priorities
> are all wrong.
>
> Hiding the version info is trivial
> Create the following directory structure:
> $CATALINA_HOME/lib/org/apache/catalina/util
>
> Download this file:
> https://svn.apache.org/viewvc/tomcat/archive/tc6.0.x/trunk/
> java/org/apache/catalina/util/ServerInfo.properties?
> revision=1803960=co
>
> Place it in that directory and modify the three properties to whatever
> value you like.
>
> Restart Tomcat.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: tomcat 6 vulnerability scan default error page help

[Leon Rosenberg]

Hi Cris,

try to add following to your web.xml

404   
/error404.html

regards
Leon


On Wed, May 2, 2018 at 9:27 PM, Berneburg, Cris J. - US  wrote:

> We are getting dinged by a vulnerability scan for the default not-found
> error page being returned by Tomcat for a Status 404.
>
> On my dev server when requesting an invalid URL, Tomcat returns a Status
> 404 page that displays the Tomcat version.  Right, I need to do something
> about that.
>
> However, I can't find where the error-page for 404 is defined.  It's not
> defined in:
> - webapps/ROOT/WEB-INF/web.xml
> - conf/web.xml
> - conf/server.xml
> - conf/context.xml
>
> Also, I can't find a notFound or error page either.
>
> How do I get rid of or override the default error / 404 / not-found page
> if I can't find it or where it is currently defined?  Also, how is Tomcat
> returning the default 404 error page if it does not exist?  I hope it's not
> hardcoded in a servlet response.
>
> FYI, we're going to remove the ROOT, docs, and examples folders to
> mitigate other scan findings.
>
> And we're using Tomcat 6.0.37 (ahem).
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
>

Re: [ANN] TomcatCon Schedules Announced

[Leon Rosenberg]

Hey Mark et al,

I noticed that for the roadshow only the general track is published but not
times for the single tracks... do you know any details? Also concerning the
length of a talk, is it also 45 minutes?
regards
Leon

On Mon, Apr 30, 2018 at 11:10 AM, Mark Thomas  wrote:

> All,
>
> I am delighted to announce the schedules are now available for:
>
> TomcatCon Berlin 13-14 June, 2018:
> http://apachecon.com/euroadshow18/tomcat-schedule.html
>
> TomcatCon Montréal 24-25 September, 2018:
> http://apachecon.dukecon.org/acna/2018/#/schedule/2018-09-24
>
> Full details, including registration links are available on the Tomcat
> website:
> http://tomcat.apache.org/conference.html
>
> See you there!
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: WebApp Caching Broken

[Leon Rosenberg]

Hello,

can you explain what you mean by 'caching' ?

regards
Leon

On Mon, Mar 5, 2018 at 10:26 PM, Kenneth Taylor <
kenneth.tay...@dataexpress.com> wrote:

> We are having a serious problem with Tomcat (8.5).  Twice it has decided
> to PERMANENTLY cache one of our webapps.  We are unable to update that
> webapp.  We’ve tried everything imaginable, short of uninstalling Tomcat,
> which is the next step.
>
>
>
> Where is this cache and how do we turn it off?
>
>
>
> Why in the world would anyone want Tomcat to work this way?  This is a
> fatal flaw worthy of a Darwin Award.
>
>
>
> Frustrated.
>
>
>
> Ken
>
>
>
> Disclaimer: This email from DMBGroup LLC, DMB Consulting Services LLC, or
> the personnel associated with either entity (collectively "*DMB*") and
> attachments, contain *CONFIDENTIAL, PRIVILEGED AND PROPRIETARY *information
> for exclusive use of the addressee individual(s) or entity. Unauthorized
> viewing, copying, disclosure, distribution or use of this e-mail or
> attachments may be subject to legal restriction or sanction. If received in
> error, notify sender immediately by return e-mail and delete original
> message and attachments. Nothing contained in this e-mail or attachments
> shall satisfy the requirements for a writing unless specifically stated.
> Nothing contained herein shall constitute a contract or electronic
> signature under the Electronic Signatures in Global and National Commerce
> Act, any version of the Uniform Electronic Transactions Act or any other
> statute governing electronic transactions. Opinions and statements
> expressed in this e-mail and any attachments are those of the individual
> sender and not necessarily of DMB. DMB does not guarantee this e-mail
> transmission is secured, error or virus-free. Neither DMB nor the sender of
> this e-mail accepts liability for errors or omissions in the contents of
> this e-mail, which arise as a result of e-mail transmission. .
>

Re: Requests for Tomcat-related topics for ApacheCon North America (Montréal, 24-27 Sept 2018)

[Leon Rosenberg]

On Mon, Feb 26, 2018 at 4:07 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> All,
>
> The CFP is open through the end of March, so if anyone is interested
> in giving a talk in Montréal, please don't be shy and sign-up.
>
> I've never known anyone's proposal to be declined, so don't feel as if
> there is some kind of bar you have to clear to be considered.


I bet, I know someone who'd be the first ;-)

regards
Leon

Re: GC allocation failure

[Leon Rosenberg]

On Mon, Jan 8, 2018 at 10:26 AM, Mark Thomas  wrote:

> On 08/01/18 15:16, Christopher Schultz wrote:
>
> 
>
> >> Therefore, the first time that the GC runs, the process can take
> >> longer. Also, the heap is more likely to be fragmented and require
> >> a heap compaction. To avoid that, till now my strategy is to: -
> >> Start application with the minimum heap size that application
> >> requires - When the GC starts up, it runs frequently and
> >> efficiently because the heap is small
> >
> > I think this is a reasonable expectation for someone who doesn't
> > understand the Black Art of Garbage Collection, but I'm not sure it's
> > actually true. I'm not claiming that I know any better than you do,
> > but I suspect that the collector takes its parameters very seriously,
> > and when you introduce artificial constraints (such as a smaller
> > minimum heap size), the GC will attempt to respect those constraints.
> > The reality is that those constraints are completely unnecessary; you
> > have only imposed them because you think you know better than the GC
> > algorithm.
>
> Generally, the more memory available, the more efficient GC is. The
> general rule is you can optimise for any two of the following at the
> expense of the third:
> - low pause time
> - high throughout
> - low memory usage
>
> It has been a few years since I listened to the experts talk about it
> but a good rule of thumb used to be that you should size your heap 3-5
> times bigger than the minimum heap used once the application memory
> usages reaches steady state (i.e. the minimum value of the sawtooth on
> the heap usage graph)
>
>
Actually G1, which is very usable with java8 and default in jdk9, doesn't
produce the sawtooth graph anymore.
I also think the amount of memory has less influence on GC Performance in
G1 or Shenandoah, but instead influence if they would perform a STW phase
(which of course is also performance related, but differently).
But I am not an expert either, so I might be wrong here.

As for OP's original statement: "When the GC starts up, it runs frequently
and
efficiently because the heap is small", I don't think it is correct
anymore, especially not for G1, as long as the object size is reasonable
(not Humongous).


Leon

Re: GC allocation failure

[Leon Rosenberg]

On Mon, Jan 8, 2018 at 10:16 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Suvendu,
>
> On 1/5/18 6:46 AM, Suvendu Sekhar Mondal wrote:
> > I really never found any explanation behind this "initial=max" heap
> > size theory until I saw your mail; although I see this type of
> > configuration in most of the places. It will be awesome if you can
> > tell more about benefits of this configuration.
>
> It's really just about saving the time it takes to resize the heap.
> Because the JVM will never shrink the heap (at least not in any JVMs
> I'm familiar with), a long-running server-side process will (likely)
> eventually use all of the heap you allow it to use. Basically, memory
> exists to be used, so why not use all of it immediately?
>
> > I usually do not set initial and max heap size to same value
> > because garbage collection is delayed until the heap is full.
>
> The heap is divided into sections. The first heap to be GC'd after JVM
> launch is likely to be the eden space which is relatively small, and
> few objects will survive the GC operation (lots of temporary String
> objects, etc. will die without being tenured). The only spaces that
> take a "long" time to clean are the tenured generation and the (until
> recently named/replaced) permanent generation (which isn't actually
> permanent). Cleaning those spaces is long, but a GC to clean those
> spaces should not happen for a long time after the JVM starts.
>
> Also, most collector algorithms/strategies have two separate types of
> operation: a short/minor GC and a long/full GC. As long as short/minor
> GC operations take place regularly, you should not experience
> application-pauses while the heap is reorganized.
>
> Finally, application pauses are likely to be long if the entire heap
> must be re-sized because then *everything* must be re-located.
>
> > Therefore, the first time that the GC runs, the process can take
> > longer. Also, the heap is more likely to be fragmented and require
> > a heap compaction. To avoid that, till now my strategy is to: -
> > Start application with the minimum heap size that application
> > requires - When the GC starts up, it runs frequently and
> > efficiently because the heap is small
>
> I think this is a reasonable expectation for someone who doesn't
> understand the Black Art of Garbage Collection, but I'm not sure it's
> actually true. I'm not claiming that I know any better than you do,
> but I suspect that the collector takes its parameters very seriously,
> and when you introduce artificial constraints (such as a smaller
> minimum heap size), the GC will attempt to respect those constraints.
> The reality is that those constraints are completely unnecessary; you
> have only imposed them because you think you know better than the GC
> algorithm.
>
> > - When the heap is full of live objects, the GC compacts the heap.
> > If sufficient garbage is still not recovered or any of the other
> > conditions for heap expansion are met, the GC expands the heap.
> >
> > Another thing, what if I know the server load varies a lot(from 10s
> > in night time to 1s during day time) during different time
> > frame, does "initial=max heap" apply for that situation also?
>
> My position is that initial==heap is always the right recipe for a
> server-side JVM, regardless of the load profile. Setting initial < max
> may even cause an OOM at the OS level in the future if the memory is
> over-committed (or, rather, WILL BE over-committed if/when the heap
> must expand).
>
>
>
To add some 2 cents to what christoph said (which was a very correct
explanation already), the only valid exception to the initial=heap rule in
my eyes, is when you actually not sure how much memory your process will
need. And if you have a bunch of microservices on one machine, you may want
not to spend all the memory without need.
So start a little bit lower but give room for expansion in case the process
need it.
For example I have a VM with 13 'small' JMVs on it. The difference between
ms and mx would be about 5 GB. In this specific case I suppose it is ok, to
provide different values at least for some time, and adjust later.

However, reading gc logs or using tools like jclarity can help you find the
proper pool size for your collector/jvm version/application better. Unless
you release and change your memory usage pattern every week or so, in this
case using xms!=xmx seems ok to me, as a safety net.

regards
Leon

[OT] JavaOne anyone?

[Leon Rosenberg]

Hi,

is anyone from the list at the java1?

regards
Leon

Re: [ANN] Webinar: Tomcat and MoSKito

[Leon Rosenberg]

Thanks Mark!
Leon

> On 24. Aug 2017, at 15:36, Mark Thomas <ma...@apache.org> wrote:
> 
> Final reminder - this will be starting in just over 20 minutes.
> 
> Do join us if you can.
> 
> Mark
> 
> 
>> On 03/08/17 15:18, Mark Thomas wrote:
>> All,
>> 
>> The Tomcat community is hosting a webinar by Leon Rosenberg:
>> 
>> Monitoring your tomcat web-application in production with MoSKito. Get
>> full control of threads, memory and execution time usage of the JVM and
>> your code.
>> 
>> Topic: Tomcat and MoSKito
>> Time: Aug 24, 2017 14:00 UTC
>>   15:00 London, Dublin
>>   16:00 Amsterdam, Berlin, Rome, Stockholm, Vienna
>> 
>> Join from PC, Mac, Linux, iOS or Android:
>> https://pivotal.zoom.us/j/949439493
>> 
>> The webinar will be recorded and the recording made available on the
>> Tomcat YouTube channel shortly afterwards.
>> 
>> Hope to see you there.
>> 
>> Mark
>> 
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Where Tomcat webapp contexts live on Debian

[Leon Rosenberg]

On Tue, Aug 22, 2017 at 10:55 PM, Emmanuel Bourg <ebo...@apache.org> wrote:

> On 08/16/2017 09:24 AM, Leon Rosenberg wrote:
> > Debian has a long tradition of doing things in a very special way when it
> > comes to java. Long enough they shipped GnuJ as standard JVM with a
> debian
> > distribution, a piece of garbage that wasn't able to start simplest of
> java
> > programs.
>
> GCJ has been superseded by OpenJDK a lng time ago as the default
> Java runtime on Debian.
>
> > But there has been an as long tradition to reply to every question about
> > tomcat behaviour on a specific distribution by suggesting to throw the
> crap
> > away and download the vanilla tomcat form the one and only legal source
> ;-)
> > (at least in the past, to which debian belongs).
>
> FWIW, there is now a Tomcat committer maintaining the Tomcat package in
> Debian and controlling its quality. If you think there is something
> crappy about the packaging feel free to send a mail to me or to the
> debian-j...@lists.debian.org and I'll be happy to help.
>

Thank you. Mea culpa. My information seems outdated.
Leon


>
> Emmanuel Bourg
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Tomcat server apparently bouncing up and down

[Leon Rosenberg]

Since you told the context is rather huge, have you checked gc times? A
long running full gc can block the machine completely resulting in the
up/down behaviour from outside. GC options depend on JVM version I use:

export JAVA_OPTS="$JAVA_OPTS -XX:+DisableExplicitGC -verbose:GC
-XX:+PrintGCDetails -XX:+PrintGCDateStamps -Xloggc:logs/gc.log "

alternatively moskito would also show you avg response times and gcs ;-)


regards

Leon


On Fri, Aug 18, 2017 at 11:13 PM, James H. H. Lampert <
jam...@touchtonecorp.com> wrote:

> On 8/18/17, 1:41 PM, Christopher Schultz wrote:
>
> You say that you aren't running it as a service. How then are you
>> running Tomcat?
>>
>
> startup.sh and shutdown.sh from a command line.
>
> Just starting catalina.sh from the CLI directly? If
>> you run it in the background, are you running it with nohup? If not,
>> your console closing might be killing the Java process. Hmm... but you
>> said that Tomcat does in fact shut down when you login and stop it.
>> Probably not a SIGHUP killing the process.
>>
>
> When it's unresponsive, it's apparently still running. But it's not just
> our context that's unresponsive; manager is also unresponsive. And we run
> with autodeploy disabled: aside from being a huge context that takes a
> while to deploy, it's also one that often needs to be stopped, have
> instance-specific values set in its web.inf, and then get restarted, before
> it can function normally.
>
> If you stop Tomcat (when it's unresponsive), then re-start it, does it
>> appear to work correctly right away, or do you need to do anything
>> else to get it to work again?
>>
>
> It opens up the port immediately, and serves a sign-on page for our webapp
> as soon as it's had a chance to initialize.
>
> I looked in the latest localhost access log, and no sign of anything
> suspicious there.
>
> --
> JHHL
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Tomcat memory

[Leon Rosenberg]

Fady, one thing,

analyzing heap dumps is hard especially a 10GB dump, you will need at least
40 Gb of memory an about 10 hours to start jhat.
What is fast is analyzing a histogram. A histogram is a list of all classes
in your JVM and amount of memory they use. It is very easy to use:

jmap -histo:live  >outputfile
the :live parameter is important, otherwise you will see dead objects as
well. Keep in mind a major gc will be triggered.

The output looks like this:

 num #instances #bytes  class name
--
   1: 98573   13165976  [C
   2:  4376   11325928  [B
   3: 965262316624  java.lang.String
   4: 405221296704  java.util.HashMap$Node
   5: 10954 807552  [Ljava.lang.Object;
   6:  7494 781480  java.lang.Class
   7:  6778 655464  [Ljava.util.HashMap$Node;
...

3103: 1 16
sun.util.locale.provider.TimeZoneNameUtility$TimeZoneNameGetter
3104: 1 16  sun.util.resources.LocaleData
3105: 1 16
sun.util.resources.LocaleData$LocaleDataResourceBundleControl
Total456560   37330672

This won't point you to exact direction of memory leak or resource
consumption, but you will see what classes are consuming memory. So if you
find out that class foo.bar.XYZBean has 10.000.000 instances and occupies 2
gb of memory, you know where to look.

Keep in mind that only memory directly used by a class is counted, so every
string will appear twice, as string and as byte array.

If you see that the used memory amount is growing, take multiple
histograms, every 10 minutes or so and analyse the differences. I wrote a
little script years ago for myself (
https://github.com/dvayanu/ldt/blob/c8b3c2b6f61de5c583db503f6fd5e2d8aa8b9aa0/java/ldt/histo/HistoDiffReader.java)
that takes two histograms and prints out the differences. This way you can
see if new instances of a specific class(es) are accumulated over time. In
this case you have a memory leak.

regards
Leon








On Thu, Aug 17, 2017 at 12:09 PM, André Warnier (tomcat) 
wrote:

> On 17.08.2017 11:21, Fady Haikal wrote:
>
>> Team,
>> Please i need some help her
>>
>
> Maybe start here ? http://lmgtfy.com/?q=analyse+tomcat+heap+dump
>
> (and this looks like it might help you :
> http://docs.oracle.com/javase/7/docs/technotes/tools/share/jhat.html)
>
> To restate the obvious :
> - this list here is manned by volunteers, who donate their time trying to
> help people who have problems with Tomcat, and who are doing their best, but
> - the list works best with people who also help themselves
> - we do not have access to your system, and we do not know your
> applications
> - we can only try to help, on the base of the information which you provide
> - there are 3 (possible) components to your problem :
>   a) the Java JVM which runs Tomcat
>   b) Tomcat itself, which runs your applications
>   c) the applications themselves
> Of these :
>   a) is controlled entirely by you, and is in fact the one which
> ultimately uses all that memory (but we do not know why either). Below you
> are showing the startup parameters of the JVM. They are not the default
> settings. So where do these parameters come from, and do you understand
> them ? (if you don't, you first need help with Java, not with Tomcat)
>   b) That is really the focus of this list. And we know that Tomcat, by
> itself, does not use 60GB or 10GB of memory, nor anywhere near it
>   c) we know nothing about, but it is likely that it is something there,
> which causes Tomcat (and Java) to use all that memory
> And about (c), maybe it is normal that it/they use this gigantic amount of
> memory. Maybe one of the applications allocates some gigantic array of data
> over time. Maybe one of these applications is really badly programmed and
> causes enormous "memory leaks". How would we know ? Are these your
> applications ? If not, have you contacted the people responsible for these
> applications, and described your problem to them ?
> (because again, with 99& probability, that is where the problem is)
>
> Try to collect some more specific data, and when you have it, post it
> here, and maybe someone will have an idea.  But as it is, the only thing
> known so far is that on your system, the Java JVM which runs tomcat is
> using up a lot of memory, increasingly over time, and that it ends up
> crashing with an OOM.
> That is not enough information for us to be able to help you.
>
> If you are desperate and in a hurry, maybe you need first to find a Java
> JVM specialist, who can help you poinpoint the problem more specifically.
>
>
>
>
>> Regards,
>>
>>
>> On Thu, Aug 17, 2017 at 9:46 AM, Fady Haikal 
>> wrote:
>>
>> @Suvendu,
>>> I took a heap dump from Java VisualVM but honestly i didnt know how i
>>> should analyse it, please some help here
>>>
>>> also please 

Re: [OT] Re: Where Tomcat webapp contexts live on Debian

[Leon Rosenberg]

se, and even Windows). I do not remember why we initially chose
> Debian as our main platform, but we now have some 40 servers with it.  We
> are "comfortable" with it (today as well as previously), we have no
> particular problem with it, and it would be costly and time-consuming to
> change to another main platform. Over time, we have learned how Debian (and
> other platforms) install things and where, and we have documented it. Our
> usage of Tomcat may be simple, but I cannot recall exactly how many years
> ago we last had a Tomcat issue which had to do with how Debian installs it
> on the disk.
> Other people's mileage may vary, but I thought it was worth mentioning
> this, to provide a balancing opinion.
>
>
>
> On 16.08.2017 09:24, Leon Rosenberg wrote:
>
>> Debian has a long tradition of doing things in a very special way when it
>> comes to java. Long enough they shipped GnuJ as standard JVM with a debian
>> distribution, a piece of garbage that wasn't able to start simplest of
>> java
>> programs.
>> But there has been an as long tradition to reply to every question about
>> tomcat behaviour on a specific distribution by suggesting to throw the
>> crap
>> away and download the vanilla tomcat form the one and only legal source
>> ;-)
>> (at least in the past, to which debian belongs).
>>
>> regards
>> Leon
>>
>> On Wed, Aug 16, 2017 at 7:43 AM, Peter Kreuser <l...@kreuser.name> wrote:
>>
>> I'd assume the service that starts tomcat sets the bin-Dir, that contains
>>> a setenv.sh, that has the CATALINA_HOME and BASE env-Varaibles, where you
>>> find the context-Files that have a docbase.
>>>
>>> I'd like to repeat the question: who did this setup?
>>>
>>> Peter Kreuser
>>>
>>> Am 15.08.2017 um 23:45 schrieb James H. H. Lampert <
>>>>
>>> jam...@touchtonecorp.com>:
>>>
>>>>
>>>> I think I've mentioned before that I have a Tomcat server on a Google
>>>>
>>> Compute Debian instance, that I installed with an "apt-get," rather than
>>> from an Apache download.
>>>
>>>>
>>>> I had to apt-get manager separately, which is odd to begin with.
>>>>
>>>> And things ended up in unexpected places.
>>>>
>>>> Some stuff (like the Catalina directory) wound up in /etc/tomcat7. Other
>>>>
>>> stuff (like the bin and lib directories) wound up in /usr/share/tomcat7.
>>>
>>>>
>>>> But the weirdest thing is where the webapp contexts wound up. The
>>>>
>>> default ROOT context (which doesn't look quite like the default ROOT
>>> context of anything I've installed from an Apache download) is in
>>> /var/lib/tomcat7/webapps/ROOT. But the manager and host-manager webapps
>>> are
>>> in /usr/share/tomcat7-admin/manager and /usr/share/tomcat7-admin/host-
>>> manager.
>>>
>>>>
>>>> Setting aside any questions of why whoever set this up for Debian did it
>>>>
>>> this way, all of this still raises a very big question:
>>>
>>>>
>>>> How is Tomcat finding all of this?
>>>>
>>>> --
>>>> JHHL
>>>>
>>>> -
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>
>>>>
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>>
>>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Where Tomcat webapp contexts live on Debian

[Leon Rosenberg]

Debian has a long tradition of doing things in a very special way when it
comes to java. Long enough they shipped GnuJ as standard JVM with a debian
distribution, a piece of garbage that wasn't able to start simplest of java
programs.
But there has been an as long tradition to reply to every question about
tomcat behaviour on a specific distribution by suggesting to throw the crap
away and download the vanilla tomcat form the one and only legal source ;-)
(at least in the past, to which debian belongs).

regards
Leon

On Wed, Aug 16, 2017 at 7:43 AM, Peter Kreuser  wrote:

> I'd assume the service that starts tomcat sets the bin-Dir, that contains
> a setenv.sh, that has the CATALINA_HOME and BASE env-Varaibles, where you
> find the context-Files that have a docbase.
>
> I'd like to repeat the question: who did this setup?
>
> Peter Kreuser
>
> > Am 15.08.2017 um 23:45 schrieb James H. H. Lampert <
> jam...@touchtonecorp.com>:
> >
> > I think I've mentioned before that I have a Tomcat server on a Google
> Compute Debian instance, that I installed with an "apt-get," rather than
> from an Apache download.
> >
> > I had to apt-get manager separately, which is odd to begin with.
> >
> > And things ended up in unexpected places.
> >
> > Some stuff (like the Catalina directory) wound up in /etc/tomcat7. Other
> stuff (like the bin and lib directories) wound up in /usr/share/tomcat7.
> >
> > But the weirdest thing is where the webapp contexts wound up. The
> default ROOT context (which doesn't look quite like the default ROOT
> context of anything I've installed from an Apache download) is in
> /var/lib/tomcat7/webapps/ROOT. But the manager and host-manager webapps are
> in /usr/share/tomcat7-admin/manager and /usr/share/tomcat7-admin/host-
> manager.
> >
> > Setting aside any questions of why whoever set this up for Debian did it
> this way, all of this still raises a very big question:
> >
> > How is Tomcat finding all of this?
> >
> > --
> > JHHL
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Automatically compressing localhost_access_log after rotation

[Leon Rosenberg]

On Thu, Aug 3, 2017 at 8:16 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Martin,
>
> On 8/3/17 5:47 AM, Martin Knoblauch wrote:
> > is there a way to compress the localhost_access_log.#.txt file
> > automatically after rotation?
>
> Not really. The file is rotated *during* log events, and stalling to
> compress a log file is probably not a great solution.
>
> > Alternatively/preferably is there a way to put the access logging
> > under "log4j"?
>
> Also not really, but if you are willing to write code, you can do it.
> The AccessLogValve handles its own logging to a file, but if you were
> to subclass AccessLogValve and override the "open" method and assign a
> value to the AccessLogValve.writer member that writes to a log4j
> logger, then I think you could probably do this.
>
> I believe that log4j will stall your access log during the
> compression, though, so you might want to think about whether or not
> you want to implement it this way.
>
> I think at least logback is performing file operations asynchronously to
log events so maybe using slf4j over logback would be a more reliable way.

regards
Leon

Re: Tomcat on macOS

[Leon Rosenberg]

On Sat, May 20, 2017 at 8:56 AM, Israel Timoteo  wrote:

>
>
> I have an additional question:
>
> 1) Would there be any recommendations for not having one Tomcat instance
> per physical server?
>

Only if your application can't utilise resources properly. If your
application fails to scale, fails to use all available cores or memory, you
should have multiple instances. Also if your total memory is insanely high,
like way above 64 Gb, you'd be better off with multiple instances. Also if
your app uses a lot of synchronisation, having multiple tomcats can help.
However, all of that is pretty improbable with a mac mini.
Rule of thumb: if you can bring your app with tomcat to near 100% CPU or
memory usage, no need for multiple instances.
HTH
Leon

P.S. kudos to you for hosting on macs ;-) Crazy but fun ;-)

Re: TomcatCon Meetup (UPDATE)

[Leon Rosenberg]

Awesome, thanks!

Sent from my iPhone

> On 18. May 2017, at 14:58, Huxing Zhang  wrote:
> 
> Hi All,
> 
> The pic for the meetup yesterday can be found here:
> 
> https://www.dropbox.com/s/vu02lnrs77up5mc/IMG_0591.JPG
> 
>> On Wed, May 17, 2017 at 8:46 PM, Coty Sutherland  wrote:
>> Sorry I had to run off, hopefully you guys had a productive meeting :)
>> 
>>> On May 17, 2017 7:02 PM, "Coty Sutherland"  wrote:
>>> 
>>> We're sitting next to the pool. The room is occupied :(
>>> 
>>> On May 17, 2017 9:12 AM, "Christopher Schultz" <
>>> ch...@christopherschultz.net> wrote:
>>> 
 All,
 
 Let's move the Meetup to "immediately following the Lightning Talks",
 since that is a popular event at the conference.
 
 -chris
 
> 
> All,
> 
> For those of you at ApacheCon in Miami, here are the details for the
 Tomcat Meetup. Come and meet fellow members of the community, committers,
 and new friends.
> 
> Time: 18:00 EDT
> Place: Escorial Conference Room (where all TomcatCon sessions are being
 held)
> 
> All are welcome to the meetup, and also the inevitable dinner and
 drinks to follow.
> 
> Thanks,
> -chris
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] ApacheCon anyone?

[Leon Rosenberg]

On Fri, May 12, 2017 at 7:25 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Leon,
>
> On 5/12/17 6:04 AM, Leon Rosenberg wrote:
> > Just wondering if there are any plans for an informal get-together
> > at the apache con in Miami next week? I know that Mark, Christopher
> > and some others are there as speakers, so maybe an informal meetup,
> > where non-commiters buy commiters a pizza or burger and have some
> > chat?
>
>
Hello Chris ;-)


> Wait... you are coming and not giving a talk on MosKito?!?
>

Yeah, strange isn't it? Unfortunately I haven't submitted and my decision
to come to apache con was rather spontaneous... But, know what Chris ?
You'll be there, I'll be there and my notebook will be there too, so you
can have a private presentation anytime you want ;-))) And everyone else
who's interested too ;-) So how about MoSkito-private-hour? ;-)

regards
Leon

P.S. and thanks for organisation efforts, I will keep all evenings free ;-)
Looking forward to meet you guys in person, after so many years ;-)


>
>

[OT] ApacheCon anyone?

[Leon Rosenberg]

Just wondering if there are any plans for an informal get-together at the
apache con in Miami next week? I know that Mark, Christopher and some
others are there as speakers, so maybe an informal meetup, where
non-commiters buy commiters a pizza or burger and have some chat?

regards
Leon

Re: Strange wait time in my application - Tomcat 7.0.67

[Leon Rosenberg]

Hi Tullio,

well I am biased of course, but there are multiple.
First, profiles are never used in production, MoSKito is aimed for
production use. Not test lab, not dev machine, production, hardcore on all
servers you've got.
Than MoSKito also offers analysis tools, thresholds, alerts, charts etc.
Finally MoSKito allows you to integrate business data into monitoring,
things like registration count, checkout, gender of user, and so on...

'standard profiler' - is something designed to be used in the development
environment.
moskito is an apm tool.

hope that helps
regards
Leon


On Mon, Oct 3, 2016 at 4:21 PM, Tullio Bettinazzi <tullio0...@live.it>
wrote:

> Please help me to understand diffrences beween Moskito and standard
> profilers.
>
> Tks
>
> Tullio
>
>
> ____
> Da: Leon Rosenberg <rosenberg.l...@gmail.com>
> Inviato: lunedì 3 ottobre 2016 14.29
> A: Tomcat Users List
> Oggetto: Re: Strange wait time in my application - Tomcat 7.0.67
>
> Hi Tullio,
>
> you could download and integrate MoSKito -> http://www.moskito.org. After
> Health and Performance Monitoring for Java Applications | MoSKito<
> http://www.moskito.org/>
> www.moskito.org
> MoSKito: Health and Performance Monitoring for Java applications. Complete
> ecosystem for DevOps. Free and open source
>
>
>
> integration as described here
> blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/ or
> here: http://www.moskito.org/integration.html you can start your
> Integration for MoSKito, the Open Source Health and Performance Monitoring
> System for Java Applications<http://www.moskito.org/integration.html>
> www.moskito.org
> MoSKito Integration
>
>
>
> application and setup a tracer.
> A tracer, explained here:
> http://blog.anotheria.net/msk/newest-hottest-tracers/, can be used to
> automatically trace all requests passing a specific point and compare the
> execution times. It will keep the longest requests along with the execution
> time in each monitored component.
> So if there is some part of code you have, that lasts longer from time to
> time, the tracer will find it.
>
> regards
> Leon
>
>
> On Mon, Oct 3, 2016 at 2:12 PM, Mark Thomas <ma...@apache.org> wrote:
>
> > On 03/10/2016 11:19, Tullio Bettinazzi wrote:
> > > I already use Yourkit but it doesn't seems a load problem.
> > >
> > > The delay is not spread over all operaions but concentred in only one
> or
> > two and allways takes 4 secs more than the normal operation  time.
> > >
> > > Could You suggest how to use Yourkit in this schenario ?
> >
> > I'd look at GC activity and detailed CPU profiling.
> >
> > Mark
> >
> > >
> > > Tks
> > >
> > > Tullio
> > >
> > >
> > > 
> > > Da: Mark Thomas <ma...@apache.org>
> > > Inviato: lunedì 3 ottobre 2016 10.39
> > > A: Tomcat Users List
> > > Oggetto: Re: Strange wait time in my application - Tomcat 7.0.67
> > >
> > > On 03/10/2016 08:56, Tullio Bettinazzi wrote:
> > >> I've an application under tomcat.
> > >> When only a one or two users works on it everithing is ok.
> > >> When the number of users grows the application slows down.
> > >> Is not a memory nor a cpu problem : using top I see the system
> > resources quite free.
> > >> I don't see relevant garbage collection : heap size and permgen have
> > correct dimentions.
> > >> No other applications are running on the system.
> > >> I log more or less every relevant operation in my system (db query and
> > so on) and I see that every slowdown is concentered in a single
> operation.
> > >> I mean all operations take "normal" time but one or two of them take 4
> > seconds more.
> > >> The "slowing" operations are not the same in different executions, and
> > theydo not have a specific type (not only DB query, not only DB stored
> > procedures, not only.).
> > >> It seems like if the thread is frozen for a fixed amount fo time (4
> > seconds more or less) and then it restarts.
> > >> I don't think it's a "queue" problem because otherwise the wait time
> > would be unperdictable and not a "fixed" 4 seconds time.
> > >> I don't know any parameter impacting on that behaviour.
> > >> I use Tomcat 7.0.32 with JVM 1.7.0.67 on a Linux server.
> > >> Could someone suggest a solution for my problem or, at least

Re: Strange wait time in my application - Tomcat 7.0.67

[Leon Rosenberg]

Hi Tullio,

you could download and integrate MoSKito -> http://www.moskito.org. After
integration as described here
blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/ or
here: http://www.moskito.org/integration.html you can start your
application and setup a tracer.
A tracer, explained here:
http://blog.anotheria.net/msk/newest-hottest-tracers/, can be used to
automatically trace all requests passing a specific point and compare the
execution times. It will keep the longest requests along with the execution
time in each monitored component.
So if there is some part of code you have, that lasts longer from time to
time, the tracer will find it.

regards
Leon


On Mon, Oct 3, 2016 at 2:12 PM, Mark Thomas  wrote:

> On 03/10/2016 11:19, Tullio Bettinazzi wrote:
> > I already use Yourkit but it doesn't seems a load problem.
> >
> > The delay is not spread over all operaions but concentred in only one or
> two and allways takes 4 secs more than the normal operation  time.
> >
> > Could You suggest how to use Yourkit in this schenario ?
>
> I'd look at GC activity and detailed CPU profiling.
>
> Mark
>
> >
> > Tks
> >
> > Tullio
> >
> >
> > 
> > Da: Mark Thomas 
> > Inviato: lunedì 3 ottobre 2016 10.39
> > A: Tomcat Users List
> > Oggetto: Re: Strange wait time in my application - Tomcat 7.0.67
> >
> > On 03/10/2016 08:56, Tullio Bettinazzi wrote:
> >> I've an application under tomcat.
> >> When only a one or two users works on it everithing is ok.
> >> When the number of users grows the application slows down.
> >> Is not a memory nor a cpu problem : using top I see the system
> resources quite free.
> >> I don't see relevant garbage collection : heap size and permgen have
> correct dimentions.
> >> No other applications are running on the system.
> >> I log more or less every relevant operation in my system (db query and
> so on) and I see that every slowdown is concentered in a single operation.
> >> I mean all operations take "normal" time but one or two of them take 4
> seconds more.
> >> The "slowing" operations are not the same in different executions, and
> theydo not have a specific type (not only DB query, not only DB stored
> procedures, not only.).
> >> It seems like if the thread is frozen for a fixed amount fo time (4
> seconds more or less) and then it restarts.
> >> I don't think it's a "queue" problem because otherwise the wait time
> would be unperdictable and not a "fixed" 4 seconds time.
> >> I don't know any parameter impacting on that behaviour.
> >> I use Tomcat 7.0.32 with JVM 1.7.0.67 on a Linux server.
> >> Could someone suggest a solution for my problem or, at least, an
> investigation strategy.
> >
> > https://www.yourkit.com/java/profiler/features/
> > Performance and Memory Java Profiler - YourKit Java Profiler<
> https://www.yourkit.com/java/profiler/features/>
> > www.yourkit.com
> > Easy to use performance and memory profiler for .NET framework. Supports
> ASP.NET, Silverlight, .NET Windows services and more.
> >
> >
> >
> >
> > Mark
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: question on Java / Tomcat / GC

[Leon Rosenberg]

On Thu, Jul 14, 2016 at 9:15 PM, Anthony Biacco  wrote:

> On Thu, Jul 14, 2016 at 11:41 AM, André Warnier (tomcat) 
> wrote:
>
> >
> Well, i'm not a GC expert by any stretch of the imagination, but i think
> with your PrintGC options the "GC (System.gc())" and the "Full GC
> (System.gc())" are the same GC.
> Since they're consistent at every hour, the application may be calling the
> System.gc
> You may want to check the code if you have access to it.
>
> -Tony
>

If you don't have access to the code you could just disable the gc
(recommended anyway):

-XX:+DisableExplicitGC

Since the app is running in tomcat6 it must be old, and a lot has been
happening with the gc since tomcat6 time.

Btw, you may want to add -XX:+PrintGCDetails for more insights into spaces.

Also shouldn't -XX:+UseParallelGC be default since 1.7?


regards

leon

Re: Memory Problem

[Leon Rosenberg]

Well the most obvious way to determine it is to lower your settings unless
it works, then lower it a little bit more.

regards
Leon

On Mon, May 9, 2016 at 6:13 PM, Edwin Quijada 
wrote:

> I am getting this error on my server
> Java HotSpot(TM) 64-Bit Server VM warning: INFO:
> os::commit_memory(0x7fe63ff4, 262144, 0) failed; error='Cannot
> allocate memory' (errno=12)
> #
> # There is insufficient memory for the Java Runtime Environment to
> continue.
> # Native memory allocation (mmap) failed to map 262144 bytes for
> committing reserved memory.
> # An error report file with more information is saved as:
> # /var/lib/tomcat8/bin/hs_err_pid14264.log
> Java HotSpot(TM) 64-Bit Server VM warning: INFO:
> os::commit_memory(0x7fe64b5f8000, 12288, 0) failed; error='Cannot
> allocate memory' (errno=12)
> [thread 140627084805888 also had an error]
>
>
> My server has 2 GB memory and I have 1024mb for Maxmen in catalina.opts
>
> How must be the memory amount ?
>
>
> TIA
>

Re: OT if/else or not if/else

[Leon Rosenberg]

On Mon, Apr 25, 2016 at 5:21 PM, Dougherty, Gregory T., M.S. <
dougherty.greg...@mayo.edu> wrote:

>
>
> Yes, we do, because, well, it is more informative. :-)
>
> if (a) Š
> else if (b) Š
> else if (c) Š
>
> Says you have three mutually exclusive options, and implies that a is more
> likely / more important than b, than c.
>
> Or, if ³a" is a method call, possibly that ³a² has some setup needed for
> ³b² and ³c².
>
> All of this is lost with multiple if statements.
>
>
> Then there¹s the everlasting wisdom of Knuth¹s comment about "premature
> optimization is the root of all evil².
>

Exactly my point.
if (a) Š
if (b) Š
if (c) Š

shorter and therefore easier than the other one ;-) if-else-if is just a
premature optimization to the above statement ;-)

Re: OT if/else or not if/else

[Leon Rosenberg]

On Mon, Apr 25, 2016 at 4:13 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Leon,
>
> On 4/22/16 12:24 PM, Leon Rosenberg wrote:
> > Hi guys,
> >
>
> I would always choose the case with the elses.
>
> First, I think it's more clear: if you expect that only one branch of
> the code will run, and no others, then the elses tell the reader that
> fact without any further commentary. The zero-else case might help you
> catch some logic errors (because for example you can log each entry
> into a branch) but there are of course other ways to do that.
>
> Second, it's more efficient, regardless of what type of processor you
> have. Let's take an example where there are more than 3 branches. How
> about something like a million branches (just to accentuate the
> point)? If one of the branches runs, the others are skipped. If all
> branches have an equal change of being chosen, then the CPU has to
> perform on average 50 predicates. If you put the common cases at
> the top, you can do even better. Let's assume the 80/20 rule applies,
> here, and you can take a guess that, on average, the CPU will only
> have to perform 10 predicates on average.
>

I don't think the example is valid (even if machines with 100.000 cpus and
more actually exist). But I remember from days of my study, which lies way
way back, that languages that are optimized for parallel processing would
be able to tell the compiler to execute all ifs in parallel. So if we stick
with a number of ifs which is less than the number of available cores/pipes
we could run it all in parallel. I don't think it is possible with if else,
unless it is transformed into something else.

The other thing that made me wonder is that most people on the list (or all
except me) actually considered if-else-if-else more readable. It not only
creates a more complex structure (visually and syntactically  (more
letters)). But also the semantics of an *else* are different as of an *if*.
This is like North Carolina ;-)
if (man){ do_man_thing; } else { do_woman_thing(); } doesn't work anymore,
even it worked 20 years ago. Talking about maintaining :-)

regards
Leon

>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlceJg8ACgkQ9CaO5/Lv0PAODQCfRCBvVgM2HSM2/CBEGtlBe0Pg
> MrcAn2OdBYKJR0OSApcBFfONJHOlKGY0
> =YeMH
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

OT if/else or not if/else

[Leon Rosenberg]

Hi guys,

this is completely off-topic ;-)

I was wondering if using if/else is not actually slowing down your code.
Lets say I have three possible conditions, A, B and C, which are exclusive.
My native approach would be:
if (A){...}
if (B){...}
if (C){...}

now some people would 'optimize' it as
if (A){ ...} else if (B) {} else if (C) { }
and I think in the world of single-cpu computers this optimization could
work.

But what is now, given that compilers can optimize stuff like this and tell
the processor to calculate all 3 branches simultaneously, which is not
possible for ifelse.

Which one would you choose?
Equally important, which one do you think is more readable? I would say if
else is hard to read, but this can be just personal impression.

regards
Leon

Re: [OT] Monitoring Tomcat

[Leon Rosenberg]

On Tue, Mar 29, 2016 at 4:57 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Leon,
>
> On 3/28/16 6:34 PM, Leon Rosenberg wrote:
> > Of course MoSKito: http://www.moskito.org
> >
> > Take a look at the step by step guide (start with step 1 not 0).
> > blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/
>
> You
> >
> should come to ApacheCon and give a presentation about MoSKito
> sometime. I'd love to see it.
>

Thanks for the invitation, I'd actually love to;-)
When is the next one (and where;-))
Leon


>
>

Re: Monitoring Tomcat

[Leon Rosenberg]

Of course MoSKito:
http://www.moskito.org

Take a look at the step by step guide (start with step 1 not 0).
blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/

regards
Leon

On Tue, Mar 29, 2016 at 12:23 AM, Edwin Quijada 
wrote:

> Hi!
> I have an app with Tomcat+Grails+Vaadin+PostgreSQL and I wanna monitor the
> speed and resources of this. I add to 1024mb to Tomcat because the app and
> DB is in the same server.
>
> What application can I use to monitor performance of this Tomcat ?
>
>
> TIA
>

Re: Why the tomcat source code uses obsolete ant build configuration? why not maven or gradle?

[Leon Rosenberg]

Hi Raja,

I think this question arises on this user list every now and then. I even
think there have been some effort to create a pom.xml for tomcat, but
without great success (after few replies you can imagine why).
Personally I totally understand you. From what I see ant is totally gone
and has been replaced by maven virtually everywhere. Also the tool support
for maven is much better as for ant. However, there are reasons why maven
has been so successful, and it is one of the reasons, why it still not used
here.

1) maven has an absolutely superior dependency management to what ant ever
had to offer, with or without ivy.
2) and more important, maven is not only a build tool, it defines the
project layout, the build cycles and how you have to work with the project
(meaning releases, branching etc). All of that is missing completely in
ant, ant lets you create whatever development system you want, but you have
to do it all the way alone. Maven gives you one, and if you agree to use
it, you will safe a lot of time and can put your effort in things that
matter more.

Now, see, this is exactly the problem. Tomcat as a project was there long
before maven team layed out how they imagine people should work. And since
tomcat is doing stuff it's own way, it will be a huge portion of work to
make it work with a pom. So if you want to work with a pom and maven, you
maybe start your work exactly there ;-)

regards
Leon

P.S. The opinion that "ant is gone" is of course solely mine and based on
personal experience only ;-) No flame please.


On Mon, Mar 28, 2016 at 5:57 PM, Raja Anbazhagan <
raja.anbazhagan1...@gmail.com> wrote:

> I'm new to tomcat project and I wanted to take a look at the code base to
> see if I can contribute in any which ways. But after going through the
> build process and setting up every other tools used to build ant, I'm a bit
> frustrated.
>
> Why didnt we migrated this project to a better build tool like maven or
> gradle so that the contributor can spend less time setting up the code and
> more time on actually working on the contribution part.?
>
> - Raja
>

Re: Monitoring Connections

[Leon Rosenberg]

On Wed, Oct 7, 2015 at 11:59 PM, Aurélien Terrestris 
wrote:

> Hi Jamie,
> 
>
> If you enjoy live monitoring, you need to have a look on Christopher's
> presentation (
>
> http://events.linuxfoundation.org/sites/events/files/slides/Monitoring%20Apache%20Tomcat%20with%20JMX.pdf
> ) who posts many answers to this mailing list.
>
>
> or if you want to go deeper, try MoSKito (http://www.moskito.org)

regards
Leon


>
>

Re: [Hardening] Running tomcat under a specific account

[Leon Rosenberg]

Hello Jan,

that would be better yes. For example some time ago, there were a virus
that would place a modified jsp in a webapp and try to access further data
from it. If the user, the tomcat runs under, would have limited permission,
such a malware would have less chances to actually do something harmful.
As for my personal opinion and 10++ years of experience with different
tomcat version in production environment, (attention, flame war can start
here), an apache httpd in front of tomcat does _not_ increase the security
_at_all_.
In fact I would argue that it adds its buffer overflows and bugs to the
bugs that could exists in tomcats code.

regards
Leon


On Wed, Feb 25, 2015 at 11:13 PM, Jan Tosovsky j.tosov...@email.cz wrote:

 Dear All,

 there are plenty resources mentioning it is a must to run tomcat as a
 dedicated user with limited permissions.

 Is it still true when tomcat doesn't run standalone, but via Apache web
 server connected via AJP? That webserver already runs in the restrictive
 mode.

 Thanks, Jan





 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Need Help!

[Leon Rosenberg]

On Wed, Jan 28, 2015 at 8:48 PM, David kerber dcker...@verizon.net wrote:

 On 1/28/2015 2:03 PM, Hyder Hashmi wrote:

 Hi,

 I am working on a small project and need your help in this.

 I have a java program in which I read and write in a file that is located
 in the current folder.

 Now I have written a few servlets and trying to use the previous code
 along with servlets.

 Tomcat is searching for the file in its bin folder and giving
 FileNotFoundException.


 To Tomcat, the /bin folder is it's current directory.


Not quite right, the directory you started from is your current directory.
Which can be TOMCAT_HOME or TOMCAT_HOME/bin etc.

Leon





 If I use my java code without the servlet it is checking for the file in
 current folder (which is my requirment).


 It looks like you need to refactor your code to allow you to specify where
 to find the file when you call the method that does the work. Then the
 servlet and your pure java code can both specify as needed.  Of course, a
 servlet may not have permissions to anything outside of its own hierarchy,
 but that's a separate issue.




 I want to ensure that when I use my java code along with servlets, it
 should read and write in the file from current folder(Project folder in
 tomcat's webapps).

 I am not using any IDE, the  code is written in Notepad and being
 executed from CommandLine.

 I have spent long time on Internet to find the resolution but in vain.

 Request to help me with this situation .

 Hoping for a positive reply.

 Thanks for in advance for all the help.

 Regards,
 Hyder.


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org




 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: SAML 2.0 with container managed authentication in Tomcat

[Leon Rosenberg]

On Thu, Sep 11, 2014 at 2:26 PM, Maarten van Hulsentop 
maar...@vanhulsentop.nl wrote:

 Dear Tomcat-users,

 We are investigating the best way to support SAML 2.0 (SP) authentication
 with our application. Our application is using container managed
 authentication provided by Tomcat, and works very well with basic
 authentication, form authentication, SPnego and others.

 My expectation would be that it should be possible to add a Valve and a
 Realm and have a 3rd party tool supply the SAML2 Relying Party
 implementation.

 So far, we have identified a couple of possible candidates.
 - Apache CXF Fediz. This project still seems young, but the integration
 would be as i expect.
 - Spring security might be possible to wrap into a Valve and Realm?
 - Picketlink? As stated on

 https://docs.jboss.org/author/display/PLINK/SAML+Authenticators+(Tomcat,JBossAS)


I have used picketlink with tomcat as SP and jboss wildfly as IDP and it
worked very well. Picketlink works great but the support is rather thin.

You may also want to check WSO2.

regards
Leon


P.S. Both provide Filters not Valves.

Re: Question on Thread Local

[Leon Rosenberg]

From practical point of view ThreadLocal is a huge hashmap directly in the
ThreadClass where you can store a map of variables.
Something like Thread.MapThreadId, MapString, Object, in which you can
access variables that are 'attached' logically to the current Thread.
In practice its a nice way to pass information through layers of code
without adding it explicitly as parameter to every function on the way.
regards
Leon

P.S. of course there are some technical aspects like ability to be passed
to the spawned threads etc, which I didn't mention :-)


On Tue, Sep 2, 2014 at 9:47 PM, Leo Donahue donahu...@gmail.com wrote:

 I've been reading about using Thread Local in web applications and the
 general use case is to generate a transaction id in a filter so that the
 rest of the web application running in the thread local will have access to
 that transaction id.

 Thread Local is essentially a way to create a global variable so that you
 don't have to create a bean that generates said global data and pass that
 bean around to other classes, or inject it into the other classes?

 I am not sure I understand the difference between per-thread requests and
 servlet requests that already run in their own thread.

 In other words, what is the difference between using a Thread Local
 variable vs any other variable that is created inside a filter, or during a
 normal servlet request?

Re: Question on Thread Local

[Leon Rosenberg]

no :-)
Allow me to provide an example.
This class : MoSKitoWebUIContext.java (
https://github.com/anotheria/moskito/blob/master/moskito-webui/src/main/java/net/anotheria/moskito/webui/MoSKitoWebUIContext.java
)
Is a ThreadLocal that is used to store some information, for example
HttpSession.
In the beginning of the processing I am calling
MoSKitoWebUIContext.getCallContextAndReset(); //that initializes the
context and than
MoSKitoWebUIContext .getCallContext().setCurrentSession(HttpSession
currentSession);

from this time on the link to current session is stored in the ThreadLocal
variable, and whereever in the call I need it, I can simply call
MoSKitoWebUIContext .getCallContext().getCurrentSession() and obtain it,
without explicitly passing it through call trees. This allows me to pass
parameters from a very beginning of the processing to the very end of the
processing (or just everywhere) without passing them around and having them
in each and every method.

Another popular example would be to store the Locale the user is in for
i18n.

HTH
Leon


P.S. of course you need to clean up the thread locals at the end of
processing (at least in theory) and so on.


On Tue, Sep 2, 2014 at 10:22 PM, Leo Donahue donahu...@gmail.com wrote:

 On Tue, Sep 2, 2014 at 3:00 PM, Leon Rosenberg rosenberg.l...@gmail.com
 wrote:

  From practical point of view ThreadLocal is a huge hashmap directly in
 the
  ThreadClass where you can store a map of variables.
  Something like Thread.MapThreadId, MapString, Object, in which you
 can
  access variables that are 'attached' logically to the current Thread.
  In practice its a nice way to pass information through layers of code
  without adding it explicitly as parameter to every function on the way.
  regards
  Leon
 

 At some point in the web application, a ThreadLocal is instantiated and its
 properties are set and then retrieved in a Filter.  Am I on track here?

 How is that different or more helpful than instantiating any other POJO
 with property setters?

 A POJO will be instantiated on every servlet request whereas the
 ThreadLocal is only created once?

Re: VERY HIGH TRAFFIC TUNING

[Leon Rosenberg]

answering only to the one directed at me (or so I think):

On Thu, Jul 10, 2014 at 4:09 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Leon,

  If you have very fast connections, go for a smaller amount. If you
  have keepalive and slow connections, remember that every connection
  can hold 1-2 threads without doing anything at all.

 Hmm?


If you have keepalive enabled, then every client will held an open
connection for some period of time. Depending on browser brand and version,
the browser will typically hold 1-2 connections to the server. So for every
logged in users that is clicking or issuing a request regularly (maybe once
a minute or so), you can end up having one or two threads, dependending on
how many connections the browsers holds.
Those threads would be idle most of the time, but still not available to
your threadpool. Usually they show up as Runnable somewhere in socket.read
in the thread dump. So if you have 100 users with 150 connections and 151
threads in your threadpool you can end up with a completely blocked server
with zero cpu usage.

regards
Leon

Re: VERY HIGH TRAFFIC TUNING

[Leon Rosenberg]

On Wed, Jul 9, 2014 at 4:47 AM, Hernán Marsili her...@cmsmedios.com wrote:

 Hi,


Hello Hernán,



 For the past 4 years we has been working with a 'stable' configuration in
 which we put APACHE in front of TOMCAT7 (previously Tomcat6) with mod_jk
 connector. We usually serve high traffic sites with about 7000 to 10.000
 concurrent users per box (8gb RAM / 4 vcpu) (50.000 active users total).

 We are OK with the performance, but sometimes we notice Tomcat stops
 responding normally while there are at least 2 full CPU left to be consumed
 (JAVA memory is fine).


Hard to tell from here, but dropping performance while still having
resources is often an indicator for synchronization issues. You should
analyze your thread usage. You could do it with jstack (save multiple
stacks in short slots, like every 10 seconds for 2-3 minutes). Check what
threads are in what states:
 - do you have any threads in BLOCKED state? If yes, what they are waiting
for?
 - what are you RUNNABLE threads doing? Are they waiting for something,
even not blocked - for example reading the database or reading the incoming
request.
 - is your amount of TIMED_WAITING threads sufficient? If you have non,
your thread pool is probably out of threads.




 This is the configuration we use for the connector:

  Connector port=8009 protocol=AJP/1.3 address=127.0.0.1
 emptySessionPath=true redirectPort=8443 maxThreads=1024
 minSpareThreads=32 enableLookups=false request.registerRequests=false
 /


Generally removing apache httpd can increase performance. I assume you have
a hardware loadbalancer in front of things, so httpd doesn't do you any
good.



 I have a couple of questions:
 1) should we set a particular connector or let Tomcat7 decide? I understand
 using protocol=AJP/1.3 the auto-switch kicks in. But, for non-SSL high
 concurrency sites maybe is best to fixed on APR?


Warning, flame war is about to begin, but personally I always found that
the plain old java connector is the best option for speed. And the simplest
to use too. If you insist of having apache httpd in front, you may want to
try mod_proxy (or was it mod_proxy_ajp?) instead.



 2) how many THREADS can we have? can we go beyond the 1024?


Depends on your OS. On modern linuxes sky is the limit. However context
switches can kill you too. If you have very fast connections, got for a
smaller amount. If you have keepalive and slow connections, remember that
every connection can hold 1-2 threads without doing anything at all. But
you can go up to 4096 without second thought, if you are really out of
threads. However, if your problem are blocked threads or a slow DB, you
will make things much much much worse.



 3) is there any advantage on using processorCache?

 4) We are not defining a CONNECTION TIMEOUT not a KEEP ALIVE. Any advice on
 this one? The average user session is 7 minutes.


If playing with CONNECTION_TIMEOUT, than better on OS level. But again that
depends on what is really happening within your application and with the
connections. You could monitor it with netstat and see if you have too many
CLOSE_WAITs or something. That it's easier to decide what to do.




 Thanks for the help!
 Hernán.


Leon.

P.S. needless to say, but having a monitoring tool like
http://www.moskito.org will help either ;-)

Re: CATALINA_PID != real PID

[Leon Rosenberg]

Hello Arseniy,

I don't know why it doesn't work for you, it works for me:

export CATALINA_PID=/opt/app/tomcat7/pid

*/opt/app/tomcat7*$ more pid

5856

ps aux | grep 5856:

thales5856  0.0 43.6 642472 228788 ?   Sl   Apr28  29:19
/opt/java/jdk1.7.0_45/bin/java
-Djava.util.logging.config.file=/opt/app/tomcat7/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server
-Xmx256m -Djava.endorsed.dirs=/opt/app/tomcat7/endorsed -classpath
/opt/app/tomcat7/bin/bootstrap.jar:/opt/app/tomcat7/bin/tomcat-juli.jar
-Dcatalina.base=/opt/app/tomcat7 -Dcatalina.home=/opt/app/tomcat7
-Djava.io.tmpdir=/opt/app/tomcat7/temp
org.apache.catalina.startup.Bootstrap start

I am using CATALINA_PID solely to be able to use the force opton:

bin/shutdown.sh -force

for automatical releases from jenkins (the only way I know to wait until
shutdown is finished).

Maybe you have a wrapper script that starts another script, that starts
tomcat, and this is why your pid differ?


regards

Leon


On Fri, May 23, 2014 at 12:03 PM, Арсений Зинченко setev...@gmail.comwrote:

 Hi, guys.

 I set:

 $ export CATALINA_PID=$CATALINA_HOME/conf/catalina.pid

 Started *Tomcat*:

 $ ./bin/startup.shUsing CATALINA_BASE:
 /home/tomcats/apache-tomcat-7.0.53Using CATALINA_HOME:
 /home/tomcats/apache-tomcat-7.0.53Using CATALINA_TMPDIR:
 /home/tomcats/apache-tomcat-7.0.53/tempUsing JRE_HOME:
 /usr/java/jdk1.6.0_45/jre/Using CLASSPATH:

 /home/tomcats/apache-tomcat-7.0.53/bin/bootstrap.jar:/home/tomcats/apache-tomcat-7.0.53/bin/tomcat-juli.jarUsing
 CATALINA_PID:
 /home/tomcats/apache-tomcat-7.0.53/conf/catalina.pidTomcat started.

 Checked pid-file:

 $ cat /home/tomcats/apache-tomcat-7.0.53/conf/catalina.pid28461

 But - there is no process 28461:

 $ ps aux | grep 28461
 tomcats  28599  0.0  0.0 103240   872 pts/0S+   12:50   0:00 grep 28461

 $ ps -p 28461
   PID TTY  TIME CMD

 And Tomcat's JVM runs with other PID:

 $ ps u | grep tomcat | grep java | grep -v grep | cut -d  -f 330133

 So - for what exactly CATALINA_PID variable needs or - why it's return
 wrong number?

 From *Tomcat the Definitive Guide* of *Jason Brittain* book we know that:

 CATALINA_PID This variable may optionally hold the path to the process ID
 file that Tomcat should use when starting up and shutting down. None

 Use:

 $ cat /etc/redhat-releaseCentOS release 6.4 (Final)

 Thanks for advice.

Re: CATALINA_PID != real PID

[Leon Rosenberg]

The usual Heisenbug.

regards
Leon


On Fri, May 23, 2014 at 1:24 PM, Арсений Зинченко setev...@gmail.comwrote:

 Hi, Leon.

 Thanks for replay.

 Don't know why - but now it works good :-)

Re: Application monitoring

[Leon Rosenberg]

David,

I already asked you why you are reinventing the wheel, but it seems, for
fun, which is a perfectly ok reason though.
However, maybe you'll find some insights on how other people do it here:
http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-6-moskito-control/and
here:
http://blog.anotheria.net/msk/case-study-monitoring-a-cluster-of-java-daemon-processes/

regards
Leon


On Mon, May 19, 2014 at 2:42 PM, David kerber dcker...@verizon.net wrote:

 On 5/19/2014 8:27 AM, Neven Cvetkovic wrote:

 On Mon, May 19, 2014 at 8:11 AM, David kerber dcker...@verizon.net
 wrote:


   I've uploaded code examples and the JmxExample.war:

 https://wiki.apache.org/tomcat/Example%20Application%
 20Exposing%20Internals%20Using%20JMX

 So, just deploy JmxExample.war to your Tomcat instance, open up JMX
 console
 through JVisualVM or JConsole, and find the MBean, e.g.
 JmxExampleApp:type=Counter

 You will see that the internal instance of MyCounter is exposed through
 JMX, and you will be able to set the name, initial count, reset the
 counter, etc...

 The trick was to use @WebListener that registers the MBean instance with
 your MBeanServer upon application deployment. Your MBean instance will
 wrap
 around any of your application internals you would with to expose.




What kind of performance hit does this wrapper cause?  A couple of my
 app's instances take more than 4M transactions per day, up to several
 hundred per second at peak times.  So I can't afford much added work per
 request.

 Thanks!


  Hey David,

 Well, that depends what do you do for every transaction (request). In the
 above example with @WebListener, the app's performance should not be
 affected significantly, all it does it registers a JMX MBean at app
 deployment, and exposes the attributes and operations (getters/setters +
 other public methods) to JMX clients invoke this MBean. Once you undeploy
 the app, it unregisters the MBean.


 Ok, that sounds promising.  I was worried that every request might have to
 go through the filter/wrapper before getting to my core processing code.
  If the MBean classes only need to make (for example) getCounter() calls
 into my app's existing counters when needed, then that shouldn't be a
 problem.




 Sure, performance will depend on how often you call JMX, and that might
 shave few OS cycles away from standard app operations (4M tx per day), if
 for example you want to make JMX calls every microsecond/second to plot
 some charts, etc... that might put a dent in your app performance.

 Few questions for you:
 - What kind of attributes/operations would you like to expose in your
 application, by using JMX?


 I am already keeping some counters and other information and exposing it
 through a browser interface into each instance (a .jsp).  But as the number
 of instances has grown from 3 to 12, monitoring each instance's status has
 become burdensome.  Hence my desire to consolidate the monitoring of all
 instances into a single location, and present the same information through
 the new interface I'm discussing here.  That data plus some startup
 parameters (the location of each app's various resources mostly) are all
 that I am looking to expose for now.



  - What would you like to manage using JMX?


 If by managing, you mean controlling (changing settings, etc), I don't
 plan on doing any of that.  At least not for now.




 It would be great to get some performance metrics and see how that affects
 your application!

 Keep us posted :)

 Cheers!
 n.



 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Application monitoring

[Leon Rosenberg]

Hello David,

yes there is. And I sent you two links to blog entries about exactly that.
Did you read them?

regards
Leon

P.S. in the examples the app specific info is monitored directly and not
via jmx, because that saves a lot of overhead, but reading jmx beans is
also supported.





On Mon, May 19, 2014 at 3:01 PM, David kerber dcker...@verizon.net wrote:

 On 5/19/2014 8:52 AM, Leon Rosenberg wrote:

 David,

 I already asked you why you are reinventing the wheel, but it seems, for
 fun, which is a perfectly ok reason though.
 However, maybe you'll find some insights on how other people do it here:
 http://blog.anotheria.net/msk/the-complete-moskito-
 integration-guide-step-6-moskito-control/and
 here:
 http://blog.anotheria.net/msk/case-study-monitoring-a-
 cluster-of-java-daemon-processes/


 Leon -

 I don't want to re-invent the wheel if there's already something that will
 do what I need, but I don't see what you're getting at.  Is there an
 already-existing tool that will let me look into multiple identical but
 independent tomcat apps, read various MBeans from each one and display that
 data in a single window?  The data I want to display is
 application-specific, and not generic stuff like heap usage, GC info, etc.

 I understand that I should be able to connect to any one app and read its
 MBeans with some standard JMX tool/interface, but that's essentially what
 I'm doing now (though without using JMX) and am trying to get away from.

 Dave




 regards
 Leon


 On Mon, May 19, 2014 at 2:42 PM, David kerber dcker...@verizon.net
 wrote:

  On 5/19/2014 8:27 AM, Neven Cvetkovic wrote:

  On Mon, May 19, 2014 at 8:11 AM, David kerber dcker...@verizon.net
 wrote:


I've uploaded code examples and the JmxExample.war:

  https://wiki.apache.org/tomcat/Example%20Application%
 20Exposing%20Internals%20Using%20JMX

 So, just deploy JmxExample.war to your Tomcat instance, open up JMX
 console
 through JVisualVM or JConsole, and find the MBean, e.g.
 JmxExampleApp:type=Counter

 You will see that the internal instance of MyCounter is exposed
 through
 JMX, and you will be able to set the name, initial count, reset the
 counter, etc...

 The trick was to use @WebListener that registers the MBean instance
 with
 your MBeanServer upon application deployment. Your MBean instance will
 wrap
 around any of your application internals you would with to expose.




  What kind of performance hit does this wrapper cause?  A couple
 of my

 app's instances take more than 4M transactions per day, up to several
 hundred per second at peak times.  So I can't afford much added work
 per
 request.

 Thanks!


   Hey David,


 Well, that depends what do you do for every transaction (request). In
 the
 above example with @WebListener, the app's performance should not be
 affected significantly, all it does it registers a JMX MBean at app
 deployment, and exposes the attributes and operations (getters/setters +
 other public methods) to JMX clients invoke this MBean. Once you
 undeploy
 the app, it unregisters the MBean.


 Ok, that sounds promising.  I was worried that every request might have
 to
 go through the filter/wrapper before getting to my core processing code.
   If the MBean classes only need to make (for example) getCounter() calls
 into my app's existing counters when needed, then that shouldn't be a
 problem.




  Sure, performance will depend on how often you call JMX, and that might
 shave few OS cycles away from standard app operations (4M tx per day),
 if
 for example you want to make JMX calls every microsecond/second to plot
 some charts, etc... that might put a dent in your app performance.

 Few questions for you:
 - What kind of attributes/operations would you like to expose in your
 application, by using JMX?


 I am already keeping some counters and other information and exposing it
 through a browser interface into each instance (a .jsp).  But as the
 number
 of instances has grown from 3 to 12, monitoring each instance's status
 has
 become burdensome.  Hence my desire to consolidate the monitoring of all
 instances into a single location, and present the same information
 through
 the new interface I'm discussing here.  That data plus some startup
 parameters (the location of each app's various resources mostly) are all
 that I am looking to expose for now.



   - What would you like to manage using JMX?



 If by managing, you mean controlling (changing settings, etc), I don't
 plan on doing any of that.  At least not for now.




  It would be great to get some performance metrics and see how that
 affects
 your application!

 Keep us posted :)

 Cheers!
 n.



 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org





 -
 To unsubscribe, e-mail: users-unsubscr

Re: Tomcat dependency on application server

[Leon Rosenberg]

Really, there are about 1 gazzillion valid ways to setup an application
consisting of n number of tomcats and m number of jbosses, running in same
or separate processes/vms/datacenters and doing stuff.
Maybe you should first find out, what your deployment architecture is, and
what your app does.
Probably ps is a good way to start to find out what is really running on
your machine and where.

Leon


On Sat, May 17, 2014 at 11:35 AM, Randhir Singh
randhir.si...@sterlite.comwrote:

 I have 1 observation. In our developmental environment, I killed the Tomcat
 process and started the Tomcat it worked. But in the production
 environment,
 starting Tomcat was not enough and I had to restart JBoss  Tomcat in
 sequence for Tomcat to be up. Could it mean that JVM is crashing or
 something because of OOME in Tomcat.

 I could try to increase the heap  Permgen memory in Tomcat, would that
 help?

 Requesting a reply.

 Regards

 -Original Message-
 From: Randhir Singh [mailto:randhir.si...@sterlite.com]
 Sent: Saturday, May 17, 2014 11:00 AM
 To: 'Tomcat Users List'
 Subject: RE: Tomcat dependency on application server

 Thanks Chris for your answer. There were separate PID's on Linux for JBoss
 
 Tomcat and I killed the Tomcat process. Would killing a Tomcat process also
 kill the JVM process? I had another related question of how to know the
 number of JVM's running, I mean the count of the number of JVM's.

 I hope, my query has been put across correctly.

 Requesting a reply.

 Regards

 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Saturday, May 17, 2014 1:59 AM
 To: Tomcat Users List
 Subject: Re: Tomcat dependency on application server

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Randhir,

 On 5/15/14, 3:17 AM, Randhir Singh wrote:
  Hi,
 
  We have JBoss as the application server  Tomcat as the web server in
  our production  developmental setup which is on Red Hat Linux 5.X. We
  have tomcat 6.X. My query is that if I need to restart tomcat, do I
  need to restart JBoss  Tomcat both or just restarting Tomcat would be
  enough. I am asking this query because I had killed the tomcat process
  using kill -9 and while restarting tomcat it was not starting but when
  I killed JBoss  tomcat and then restarted, Tomcat was up.
 
  I hope my query is clear whether Tomcat is dependent on JBoss.

 I'm fairly sure that there is only a single JVM for JBoss/Tomcat. If you
 killed one, you've killed the other.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iQIcBAEBCAAGBQJTdnUaAAoJEBzwKT+lPKRYnH8QALfeHn4XVXB6KANb0hmAPEL3
 7pNRaUW0AypQQjujzr7X4DKv3MOnMwWfIaiVcazNbtC7j+W3Mi6khksZIq1cz0At
 o9K0CDdJhAg5be9a68T7E5ko4mdy+rjX2ZsuX2LDdp5wyQaYWEXRWd3+hfBL2Gk7
 D+225vxnMUeB9gHLaVUQ4k/3TOZvO/DYT9TCnxOlviP1+QEek5chN6a9XDJpQKpg
 O/EVBudYmDMLu9QKbOJJ5jomKUUa/VPsjhwz4O32+2Zok5VWLIrct5joF3r2ej+p
 5RfHLnijRcCX5QkZOAYM9mdvFuFb1+lNAUGKPJwZU47SI7delyJZwxqGJYmo495e
 Q2nGMqepgXlQhOtwuTMdSh9gFV6LqJeaWcW6ZpyMNXbkNSSRSIy3hgcZqRycsSUa
 dvBRg6j57MMhNiCDx9IVtxF+OqKbiiLNdb9tJRArSXdoSx3a1EYbRbmye3xWbrUv
 SYadbr14KBqTXxaK2qJBb7E3j/fn1J5NKEARQbM/ML5Q/0TaNIRMlmjbOt2yccYG
 pNRtC8FRkHWaN3eYtpM0vMNCZ/Cl/atzr3StoN/EX5bWjba6eaaXBaeKdG3FypyY
 jL0nQu7P0Ir1ASrcxlQeN5snLmI2G4AoFjenOhEsCDDQKixSiryzZRR6ZVqCPZ/k
 Bi3P3ZPYqngg8oU6s6b6
 =bJS6
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

 --

 *STL Disclaimer:*
 The content of this message may be legally privileged and confidential and
 are for the use of the intended recipient(s) only. It should not be read,
 copied and used by anyone other than the intended recipient(s). If you have
 received this message in error, please immediately notify the sender,
 preserve its confidentiality and delete it. Before opening any attachments
 please check them for viruses and defects. No employee or agent is
 authorised to conclude any binding agreement on behalf of Sterlite
 Technologies Limited with another party by email without express written
 confirmation by authorised person. Visit us at
 www.sterlitetechnologies.com
  Please consider environment before printing this email !





 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Application monitoring

[Leon Rosenberg]

Hello David,

I will not ask you why you are reinventing the wheel (ok, I lied, why are
you reinventing the wheel?).
You have multiple options available:
1) You could use jmx and publish your information as jmx beans.
2) You could use rmi between you 'collector' and the target apps.
3) You could use simple http (preferably json), but in that case I would
advice to setup a separate collector for it.

For any of the above options there are numbers of classes and utilities you
can use. For example jersey as jax-rs implementation is perfect for
exchange of json data, for rmi you could use DistributeMe (
http://www.distributeme.org) or spring-remote, and so on.

But yet again, why reinventing the wheel?

regards
Leon



On Wed, May 14, 2014 at 6:28 PM, David kerber dcker...@verizon.net wrote:

 I am working on a small Tomcat servlet to monitor other tomcat-based
 applications running on the same physical machine, and am trying to figure
 out the best way to communicate between the monitoring app, and the
 monitored apps.

 My setup has several tomcat instances of a single application, each
 running from its own directory, and listening on its own TCP port.  So
 there is no direct communication between the instances.

 I'm trying to monitor various data about the application, not about tomcat
 itself or the JVM. So I want to collect such things as the number of
 requests it has processed, the last data received, etc, and not things like
 memory and cpu usage.  It is my app, so I can (and expect to need to) add
 methods or servlets to return the information I want to collect.

 My question is, what is the best way to make the request to get the data?
  Would  URL request from the monitoring app to the monitored app be
 appropriate, and then parse the response out for display in a browser?  If
 so, what java class is likely to be useful for this communication?  I will
 have all the information needed to connect to the application instance
 (server, port, etc), but want it to be portable across OS types.

 Thanks!

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Slow page response time in tomcat 8.0.5

[Leon Rosenberg]

Hello Hariprasad,

you could embed moskito webui into your application, annotate your tags
with @Monitor and you would see how long they execute and what is the
execution path, which tags are called during an http request how often and
how long they execute. You can follow this link for more information on the
integration:
blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/

MoSKito itself: http://www.moskito.org

regards
Leon


On Thu, May 15, 2014 at 7:04 PM, Hariprasad Manchi
hariprasad...@gmail.comwrote:

 Hi,
 We are trying to use apache-tomcat 8.0.5 for our web application and have
 encountered performance issue with respect to the page response time.
 However, once the application is deployed in 8.0.5 we see a longer delay in
 response time from the server for the login page itself. With older version
 of tomcat i.e., tomcat 7.x(7.0.53), 6.x(6.0.18) we did not see such delay.

 We have 270 custom tags defined across 6 tld files in our application and
 have the tag pooling feature turned off in conf/web.xml (enablepooling is
 set to false; since this is a requirement for the application we had to
 turn it off).

 We tried to root cause the issue and used fidller tool to monitor the
 requests and response times. The browsers - both IE 11 and Chrome - were
 firing the requests quickly but were waiting for the response from the
 server. We do not know what is the actual cause for this delay. We have
 captured the traffic for both IE and Chrome and could send them if needed.

 Could you please advise how to proceed to identify the root cause for this
 delay? Or could you confirm this as already a known issue?

 Any help would be highly appreciated.

 We are not clear to which group the question should be posted, hence
 sending this email to both users and taglib-users email list.

 Regards,
 Hariprasad

Test Mail, Please Ignore

[Leon Rosenberg]

I am wondering that I don't see any mails for a whole day on the list, this
is pretty unusual, so I try with a TestMail

Leon

Re: No activity on tomcat.users since Tues?

[Leon Rosenberg]

I have even checked my email settings. But I've got some mails that google
bounces back some of the tomcat-user's emails. I am not sure if its just me
or google or the list.

regards
Leon


On Sat, May 10, 2014 at 8:54 PM, Tim Watts t...@cliftonfarm.org wrote:

 Markmail seems to confirm this but kind of remarkable, huh?  I think the
 user community should get a promotion in recognition of our quantum leap
 in tomcat problem-solving skills!  (Or perhaps everyone's just busy
 reading the manual?)



 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: catalina.out is 13G

[Leon Rosenberg]

Hello Randhir,

whatever revert means.
However, if you remove the file the place will be occupied on most *'nix
system until a process restart. You will probably have to restart your
server to free this mount point's storage anyway.

regards
Leon


On Tue, Apr 22, 2014 at 4:20 PM, Randhir Singh
randhir.si...@sterlite.comwrote:

 Hi,

 I have a immediate concern as the mount point on which Tomcat is placed is
 99% and on checking I found that catalina.out is 13GB. I wanted to
 implement a solution for this but am not sure, can I take a backup of
 catalina.out and truncate catalina.out on the running application?

 Humbly requesting a revert on an immediate basis on whether I can truncate
 catalina.out after taking a backup on a running tomcat application.

 Regards

 --

 *STL Disclaimer:*
 The content of this message may be legally privileged and confidential and
 are for the use of the intended recipient(s) only. It should not be read,
 copied and used by anyone other than the intended recipient(s). If you have
 received this message in error, please immediately notify the sender,
 preserve its confidentiality and delete it. Before opening any attachments
 please check them for viruses and defects. No employee or agent is
 authorised to conclude any binding agreement on behalf of Sterlite
 Technologies Limited with another party by email without express written
 confirmation by authorised person. Visit us at
 www.sterlitetechnologies.com
  Please consider environment before printing this email !

Re: Performance - Java Profiler, JVM instrmentation

[Leon Rosenberg]

On Tue, Apr 15, 2014 at 4:51 PM, Shanti Suresh sha...@umich.edu wrote:

 Greetings,


Hello Shanti,



 Chris' presentation on monitoring Tomcat is really nice work.  I found that
 quite useful.

 Taking it one step further, could I request some recommendations on how we
 might profile Java code running inside Tomcat?  Often, I am stuck with
 finding out why an application is slow.  It could be a consistent,
 progressive  or a sudden problem.  These applications do not expose metrics
 via MBeans.  Say, for e.g., a vendor application which has been heavily
 customized in-house.

 Some metrics that I find useful during these times are things like
 concurrent invocations, stall counts on components, call-stack,
 response-rate etc.
 Java Melody has a nice built-in dashboard of metrics.  Co-relating metrics
 like that is powerful and helps isolate relatively easy problems.  I find
 that the metrics skim the surface of more involved problems.

 In Tomcat, is there a way to go deeper into the performance of the code for
 root-cause analysis and isolate a section of the code or a flow in the code
 for troubleshooting?  How would one go about getting to that place?  Let's
 say, there is no budget for purchasing tools in that space.  I find Chris'
 example on writing filters to map to URL patterns for response-time metrics
 relevant.  I would also like stall counts, concurrent invocations etc.


There are tools that are doing exactly that for about 7 years out now.
You can go to http://newrelic.com and get it for as much as 150 USD per
server.
Or you can get all the same for free from http://www.moskito.org. And more.

regards
Leon




 Greatly appreciate your thoughts and opinions.

 Thanks,

  -Shanti

Re: Performance - Java Profiler, JVM instrmentation

[Leon Rosenberg]

On Tue, Apr 15, 2014 at 7:58 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Shanti,

 On 4/15/14, 10:51 AM, Shanti Suresh wrote:
  Taking it one step further, could I request some recommendations on
  how we might profile Java code running inside Tomcat?  Often, I am
  stuck with finding out why an application is slow.  It could be a
  consistent, progressive  or a sudden problem.  These applications
  do not expose metrics via MBeans.  Say, for e.g., a vendor
  application which has been heavily customized in-house.

 You need to use a Profiler for that. There are a number of fine
 Profilers available for Java. I use YourKit because they give free
 licenses to ASF committers.

 Hello Chris, et al,

last time I tried to use a profile on a production site it killed it within
a second. Usually the performance overhead of a profiler is so huge, that
you have no chance to run it in production.
And real problems do not occur in test labs ;-)

Leon

Re: How to monitor performance of tomcat

[Leon Rosenberg]

How about http://www.moskito.org ?
It has everything you need including full control of jmx beans, memory
management, threads, your beans/pojos/classes, filters, urls, what not...

regards
Leon


On Tue, Apr 8, 2014 at 1:05 PM, Randhir Singh randhir.si...@sterlite.comwrote:

 We have an application which has JBoss as the application server with
 Tomcat as the web server, our application has Oracle 11g as the database. I
 would give some further background to the issue we are facing, since the
 last 1 1/2 months, the application slows down. Sometimes it comes back to
 normal, specially on week-ends. But other times we restart JBoss  Tomcat
 to bring back the application to normal.



 We have been using jconsole to monitor tomcat like



 jconsole 10.101.17.79:8891



 which monitors our tomcat for a work order system. If the memory usage does
 not show spike and shows constant reading, the GC button is clicked to
 invoke the garbage collector.



 I checked out on the net and got some clue as below:



 1)  Javamelody - It seems to be a 3rd party tool which is not
 recommended.

 2)  There is a command mentioned to see the admin console,
 http://IP:port/ but it is not displaying the required page.



 Please give your inputs whether jconsole should be a help in the right
 direction or some other way to monitor the performance of Tomcat.



 Regards

 --

 *STL Disclaimer:*
 The content of this message may be legally privileged and confidential and
 are for the use of the intended recipient(s) only. It should not be read,
 copied and used by anyone other than the intended recipient(s). If you have
 received this message in error, please immediately notify the sender,
 preserve its confidentiality and delete it. Before opening any attachments
 please check them for viruses and defects. No employee or agent is
 authorised to conclude any binding agreement on behalf of Sterlite
 Technologies Limited with another party by email without express written
 confirmation by authorised person. Visit us at
 www.sterlitetechnologies.com
  Please consider environment before printing this email !

Re: The Service Component

[Leon Rosenberg]

Hello,

I do use multiple connectors but one service.
Multiple connectors to separate user traffic from admin/management traffic.
For example if due to overload no threads are available to server http
request on the 'main' connector, I still can look into the app, to see what
is going on, over my administrative connector.

Leon


On Fri, Mar 7, 2014 at 5:44 PM, Leo Donahue donahu...@gmail.com wrote:

 Who uses more than one Service in their server.xml and why?  I get
 that you can have multiple Connectors if you have multiple Service
 components but why use multiple connectors?

 Are there any docs on the use cases for these features?

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: The Service Component

[Leon Rosenberg]

Hello Leo,


On Fri, Mar 7, 2014 at 6:49 PM, Leo Donahue donahu...@gmail.com wrote:

 On Fri, Mar 7, 2014 at 9:01 AM, Leon Rosenberg rosenberg.l...@gmail.com
 wrote:
  Hello,
 
  I do use multiple connectors but one service.
  Multiple connectors to separate user traffic from admin/management
 traffic.
  For example if due to overload no threads are available to server http
  request on the 'main' connector, I still can look into the app, to see
 what
  is going on, over my administrative connector.
 
  Leon

 You are just changing the port number then in your administrative
 connector, in the same Service element?

yes:

for example

Connector executor=tomcatThreadPool port=8080 protocol=HTTP/1.1
 connectionTimeout=2  /

Connector executor=tomcatThreadPool port=8180 protocol=HTTP/1.1
 connectionTimeout=2  /

I would then point the front loadbalancer to 8080 and keep 8180 accessible
from the administration network only.

regards

Leon




 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: sudden increase in tomcat sessions..?

[Leon Rosenberg]

Hello Kumar,

can't you just ask your Ops guys to get your the load balancer config?
That would be much easier as guessing.

Usually you can configure how many samples the load balancer must try to
get and what is the timeout. For example if the setting is 3 with timeout
of 15 seconds, 3 requests would be send, and after a total of 45 seconds
the server would be marked as down and receive no more traffic. But(!) this
is subject of the specific configuration of your load balancer. So why not
just get it and check?

regards
Leon


On Tue, Feb 11, 2014 at 5:56 PM, Kumar Muthuramalingam kumarkm...@gmail.com
 wrote:

 what I mean is if I am supposed to get a response for that Update.jsp file
 and I didn't get it for a while. Will the load balancer will check for it
 connectivity? Is there any timeout set for load balancer to get response.

 Thanks,
 Kumar.


 On Tue, Feb 11, 2014 at 8:13 AM, Daniel Mikusa dmik...@gopivotal.com
 wrote:

  On Feb 10, 2014, at 7:22 PM, Kumar Muthuramalingam kumarkm...@gmail.com
 
  wrote:
 
   Before that can you tell me one thing please. Suppose if a page request
   (eg. /UpdateQuery.JSP) is coming from a load balancer to tomcat and the
   UpdateQuery.JSP is connected to some third party server. Assume if the
   tomcat is not getting any reply from the Query server for some seconds.
   Will the load balancer will send ping requests to tomcat to verify the
   connection of the application ?
 
  I've never seen a load balancer that works like that.  Usually they just
  request a singe resource on a repeating cycle, like every second or two.
  I
  guess it really depends on your load balancer though.
 
  Dan
 
  
   Thanks
   Kumar.
  
  
   On Mon, Feb 10, 2014 at 4:21 PM, Daniel Mikusa dmik...@gopivotal.com
  wrote:
  
   On Feb 10, 2014, at 4:07 PM, Kumar Muthuramalingam 
  kumarkm...@gmail.com
   wrote:
  
   Yes its the load balancer. and recently I found in the log that there
   was a
   memory leak exception while the tomcat server was restarted.The
 session
   increase problem started from this particular date . Could this be a
   cause
   for the tomcat to hang up and DOS occurred?
  
   Can you include the message you saw?  Otherwise it's tough to say.
  
   One more question. I see this memory leak exception in only one
 tomcat
   catalina log file. I didn't see this in other servers log file. One
   tomcat
   can handle 200 sessions. So once if it reaches the limit will the
   requests
   will get diverted to other available servers so that the server
  sessions
   also will increase? If so how to find that redirection in log file.
  
   You'd want to look at how your load balancer is setup.  Tomcat just
   handles the requests that you send to it.  If you want to control how
   requests are delivered to multiple Tomcat servers then you need to do
  that
   before the requests hit your Tomcat servers, like with your load
  balancer.
  
   Dan
  
  
   Sorry if I 'm crazy.
  
   Thanks,
   Kumar
  
  
   On Mon, Feb 10, 2014 at 2:19 PM, Daniel Mikusa 
 dmik...@gopivotal.com
   wrote:
  
   On Feb 10, 2014, at 1:59 PM, Kumar Muthuramalingam 
   kumarkm...@gmail.com
   wrote:
  
   Thanks for the reply. I accept this remedy will clear the issue.
 But
  my
   question is how to verify the root cause of this DOS attack that
   occurred
   earlier?
  
   As previously directed, look at your access logs.  That should show
  you
   who is requesting this JSP file.
  
   If it's your load balancer (or some other trusted IP), then problem
   solved.  Just correct the JSP.
  
   If it's a third party then in additional to fixing the JSP, you'll
   probably want to investigate why they're calling that JSP so much.
  I
   suppose you could even go so far as to blocking them with your
  firewall
   or
   a filter, but that's up to you.
  
   Dan
  
   What ever steps suggested above is to take a precaution or solve
   the issue. please help me.
  
   Thanks,
   Kumar.
  
  
   On Mon, Feb 10, 2014 at 12:06 PM, Daniel Mikusa 
  dmik...@gopivotal.com
   wrote:
  
   On Feb 10, 2014, at 11:56 AM, Kumar Muthuramalingam 
   kumarkm...@gmail.com
   wrote:
  
   Thanks for your reply. I have 3 applications running under the
  tomcat
   and
   only one application got a ping.jsp file others don't. And also I
   could
   see
   from the access logs that only the application that has got
  ping.jsp
   file
   was pinged others were not. And the sessions are high only for
 this
   particular application. Now I got something else in my mind. Is
   ping.jsp
   is
   a mandatory file for tomcat. We got nothing in that ping.jsp. It
 's
   an
   empty file with %=OK%.
  
   Seems like this could be the problem.  This JSP file is going to
   create
   a
   session every time you ping it, since JSP files will create a
   session
   by
   default.  If you're client, whatever is requesting this JSP,
 doesn't
   maintain the session then it'll end up creating a new session
 every
   time it
   requests 

Re: sudden increase in tomcat sessions..?

[Leon Rosenberg]

Hello,

I think some things are mixed up here. Since you are behind a load
balancer, its unlikely that you experience ping (icmp) DoS, at least that
it goes through till your server.
First, setup access logs in server.xml

!-- Access log processes all example.  Documentation at:
/docs/config/valve.html  Note: The pattern used is equivalent to using
pattern=common --

 Valve className=org.apache.catalina.valves.AccessLogValve
directory=logs

prefix=localhost_access_log. suffix=.txt

pattern=%h %{X-Forwarded-For}i %l %u %t quot;%rquot; %s %b /

Note: usually, if the load balancer is configured properly, tomcat will see
the IP of the original request. If not, it will be send in a header field
(in example X-Forwarded-For). If your load balancer doesn't send a header
field - change its configuration to send one, you will need it anyway.

Check that the page your loadbalancer uses to check whether tomcat behind
is available doesn't create a new session (session=false if its a jsp,
don't use request.getSession() if its a servlet).

If that doesn't help, download and install moskito following this guide:
http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/

This will allow you to make charts of your sessions, you will see if there
are any patterns in session increase/decrease, maybe also together with
other values like users or requests.

If you have multiple tomcats you can setup moskito-control and put all the
sessions from all tomcats into one chart:
http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-6-moskito-control/

good luck.

regards

Leon.

















On Sun, Feb 9, 2014 at 6:22 AM, Kumar Muthuramalingam
kumarkm...@gmail.comwrote:

 Thanks for your reply. What happened actually was there was a sudden
 increase in invalid sessions as I said before and we manually deleted those
 sessions using the tomcat manager. And then it appeared to be normal. But
 then it occurred three times in last two weeks. It' s a production
 environment.
 My question is not how to stop some thing so that it could stop the ping
 requests but I would like to know what could be the cause for it and how
 can I find the cause? Please help me.

 Thanks,
 Kumar.


 On Sat, Feb 8, 2014 at 9:01 PM, Martin Gainty mgai...@hotmail.com wrote:

  DOS (Denial of Service) Attack
 
  one type is endless ping
 
  if someone is running a endless loop of ping attacks on your TC server
 
  you can disable ICMP on TC server
 
 
 https://www.serverintellect.com/support/windowsserversecurity/disable-icmp-requests/
 
 
 
  DOC attack usually results in TROJ_MDROPPER.* on system
  NAV and McAfee can detect these malware attachments on Word Docs
 
 
 
 http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-doc-files-in-targeted-attack/
 
 
  HTH
  Martin
 
 
 
 
 
   Date: Sat, 8 Feb 2014 19:54:32 -0500
   Subject: Re: sudden increase in tomcat sessions..?
   From: kumarkm...@gmail.com
   To: users@tomcat.apache.org
  
   Hi David,
   Thanks for your reply. How can I verify that it is a DOC attack? which
   log i should refer.please guide me.
  
   Thanks,
   Kumar.
  
  
   On Sat, Feb 8, 2014 at 7:42 PM, David Kerber dcker...@verizon.net
  wrote:
  
On 2/8/2014 7:08 PM, Kumar Muthuramalingam wrote:
   
Hi,
I 'm using tomcat version 6 and 7. One day there was a sudden
 increase
in
number of sessions in both tomcats. And all the sessions had no
  username,
same lastaccessed time, same created time and the inactive time was
00:00:00. It is not happening always but it happens some times on
 some
day.
Can't predict. And We have set the idle timeout as -1 because we
 have
  to.
When I try to dig the log. It showed that the load balancer IP was
  sending
many ping requests to our application. Can anybody tell why this is
happening and how can I find the cause?
   
   
DOS attack?
   
   
   
Thanks,
Kumar.
   
   
   
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
   
   
 
 

Re: Tomcat classloader memory leak when an object is stored into session

[Leon Rosenberg]

On Thu, Feb 6, 2014 at 11:58 PM, David Kerber dcker...@verizon.net wrote:

 On 2/6/2014 3:13 PM, Michal Botka wrote:

 When an application stores an object into the session and then the
 application is reloaded using Tomcat Web Application Manager, the
 classloader cannot be garbage collected. As a result, the
 OutOfMemoryError: PermGen space error occurs after several reloads.


 This is true.  What is your question?


I think the OP states, that this shouldn't be the case.

Personally I'm struggling with this one. But since I don't use the
reloading anyway I will relax and wait for enlightenment that is sure to
come from Chuck ;-)

regards
Leon

Re: Tomcat classloader memory leak when an object is stored into session

[Leon Rosenberg]

On Fri, Feb 7, 2014 at 12:45 AM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: Leon Rosenberg [mailto:rosenberg.l...@gmail.com]
  Subject: Re: Tomcat classloader memory leak when an object is stored
 into session

   When an application stores an object into the session and then the
   application is reloaded using Tomcat Web Application Manager, the
   classloader cannot be garbage collected. As a result, the
   OutOfMemoryError: PermGen space error occurs after several reloads.

  I think the OP states, that this shouldn't be the case.

  Personally I'm struggling with this one. But since I don't use the
  reloading anyway I will relax and wait for enlightenment that is sure to
  come from Chuck ;-)

 Since you insist...


Thank you!
I knew we can always count on you (now seriously) ;-)

best regards
Leon



 Start with the Wiki:
 http://wiki.apache.org/tomcat/MemoryLeakProtection

  - Chuck


 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you
 received this in error, please contact the sender and delete the e-mail and
 its attachments from all computers.


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat classloader memory leak when an object is stored into session

[Leon Rosenberg]

On Fri, Feb 7, 2014 at 8:38 AM, Michal Botka mr.bo...@gmail.com wrote:

 Is there a way how to avoid this leak?
 I would like to develop an application which can be safely
 deployed/undeployed without restarting the server.
 OK, now I know that my application cannot store it's objects into
 session, but that is very strong requirement which the most of the
 applications don't meet.
 Thanks for help.


But do you have to serialize your sessions? Switching off session
serialization might help.
regards
Leon



 2014-02-06 22:58 GMT+01:00 David Kerber dcker...@verizon.net:
  On 2/6/2014 3:13 PM, Michal Botka wrote:
 
  When an application stores an object into the session and then the
  application is reloaded using Tomcat Web Application Manager, the
  classloader cannot be garbage collected. As a result, the
  OutOfMemoryError: PermGen space error occurs after several reloads.
 
 
  This is true.  What is your question?
 
 
 
 
  To illustrate the issue, you can find an example below.
  Thanks in advance :-)
 
 
  1. The EvilClass class whose instances are stored into the session:
 
  public class EvilClass implements Serializable {
 
   // Eat 100 MB from the JVM heap to see that the class is not
  garbage collected
   protected static final byte[] MEM = new byte[100  20];
 
   private String value;
 
   public String getValue() {
   return value;
   }
 
   public void setValue(String value) {
   this.value = value;
   }
 
  }
 
 
  2. Servlet which stores EvilClass instances into session
 
  public class TestServlet extends HttpServlet {
 
   @Override
   protected void doGet(HttpServletRequest req, HttpServletResponse
  resp) throws ServletException, IOException {
   EvilClass obj = new EvilClass();
   obj.setValue(req.getRequestURI());
   req.getSession().setAttribute(test, obj);
   getServletContext().log(Attribute stored to session  + obj);
   }
 
  }
 
 
  3. web.xml part which maps the servlet to an URL
 
  servlet
  servlet-nameTestServlet/servlet-name
  servlet-classtest.TestServlet/servlet-class
  /servlet
  servlet-mapping
  servlet-nameTestServlet/servlet-name
  url-pattern/*/url-pattern
  /servlet-mapping
 
 
  Steps to reproduce the issue:
  1. Copy application WAR to the webapps directory.
  2. Start Apache Tomcat.
  3. Hit TestServlet.
  4. Check Heap/PermGen size using Java VisualVM.
  5. Reload the application thru Tomcat Web Application Manager.
  6. Hit TestServlet again.
  7. Perform GC and check Heap/PermGen size again.
 
 
  Environment:
  Apache Tomcat version: 7.0.50
  OS: Windows 7 64
  JVM: Java HotSpot(TM) 64-Bit Server VM (23.6-b04, mixed mode)
  Java: version 1.7.0_10, vendor Oracle Corporation
 
 
 
  -
  To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
  For additional commands, e-mail: users-h...@tomcat.apache.org
 

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Java to JavaScript RMI framework available.

[Leon Rosenberg]

Hello Igor,

this looks really promising, I will take a deeper look in next year ;-)

Btw, Happy New Year to Everyone ;-)

Leon


On Tue, Dec 31, 2013 at 1:55 AM, Igor Urisman igor.uris...@gmail.comwrote:

 Folks,

 I needed to write this for something I am working on and thought there
 might be a wider audience for it.
 Tomcat 8 supports standard compliant Websockets, which provide convenient
 asynchronous full-duplex
 server to client data transport. The framework I am offering builds on top
 of that a feature rich remote
 method invocation paradigm.  Please check it out.

 https://github.com/iurisman/FERMI
 Apache 2.0 license.

 Happy coding.
 Igor.

Re: [OT] Garbage Collectors

[Leon Rosenberg]

Hello,


On Thu, Dec 19, 2013 at 12:11 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 All,

 I was recently discussing garbage collectors with a friend (yes, an
 exciting conversation) and I was wondering what the folks in the
 Tomcat community were using for their garbage collection needs.

 I'd like to run an informal poll. Feel free to reply to just me
 directly if you'd like to protect your reputation or not clog the list
 or to the whole list if you'd prefer.

 I know there are lots of lurkers on the list who rarely post and I'd
 encourage them to reply as well even if they don't feel like they are
 running anything of any importance.


I have too many (or consult many) but I will take the most visited.



 So, here are my questions:

 1. What JVM are you using?

[ ] Sun/Oracle/OpenJDK Java 1.5
[ ] IBM Java 1.5
[ ] Sun/Oracle/OpenJDK Java 1.6
[ ] IBM Java 1.6
[x] Sun/Oracle/OpenJDK Java 1.7
[ ] IBM Java 1.7
[ ] Sun/Oracle/OpenJDK Java 1.8
[ ] Something else - please specify:

 2. What kind of web application are you running?

[ ] A toy, a research project, or something with virtually no use
[ ] A moderately busy web site (1M requests/mo/server)
[ ] A moderately busy web site (10M requests/mo/server)
[ ] A busy web site (10M - 100M requests/mo/server)
[x] A super-busy web site

 3. What is your total heap size?

14 GB


 4. Are you explicitly specifying a Garbage Collector? If not, just say
 so and skip the rest of the questions.

CMS + Options


 5. What led you to use [GC X] instead of the JVM's default collector?

GC pauses


 6. Did you do any actual performance testing to see if the switch from
 the default to [GC X] made any difference?

Yes


 6. Have you spent a lot of time tuning [GC X]?

Yes :-)


 7. Did your tuning exercise yield any useful results?

45 sec pauses eliminated


 8. Did your users notice any difference after you implemented [GC X],
 or just your own load-testing team?

I assume so, we had servers taken out of the pool by lb due to connection
timeouts.


 If you think there's anything else I should know about your experience
 with [GC X], please let me know.

Well, it changes from version to version, so each new jdk version means
start from beginning. Some of the options in Java 6 do not make sense in
Java 7 and so on. But in general CMS is my personal choice for low-pause
collector, I haven't yet seen working G1.



 Thanks,
 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.15 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iQIcBAEBCAAGBQJSsiu1AAoJEBzwKT+lPKRYdAsQAKWytJHCv3Kj8p8vWoDsCgEO
 LZd6Yq/j8j5uID+UM4pq8FgRN03TmmjujOZaQ769ljZqtd9w+VFf2+zPbt7gPqGI
 SDFACw+VtQxEmVUDhE4H0tBfz7h7SZ8QOPTyScx384mDAvRzJKaeGPwrbJBogvaW
 cvyzNtgFDywpNTCjyKT3JLoUfjm+CjLryK6bo3+6I7I3ikhyHVsYZHuls5DG9LNf
 mYJ2KGOeYN332VcJWaCElLiK2HQrFY+BxfJ+f7mH6ztmq0iawulg8bApUo+vllwD
 r2Ble1kc0pgwMn4jOoRAP1R9IaFSsPX8a87T1uFtnRS0vdW4BRy6O5xE1wjFQPuq
 52jcFf7i5ZiFYIXO1/vWw9FjZ2DBXnjMuEEdPf5laHNXKJIMCnulKOC6W48eS6Rq
 E7hRa7h+RQ0CVk9Pjp2NGdiPAeRL44LRDWaPWmTH7iXUcaWg2IxC3OXXyezP6aPE
 7DrKhW9jjxbQG/H3GXzX9Sptee+osfPUaU6sOND8EYUYLojg6b6XLxfbjLpedrsh
 eHC1zksbc0WkZxhnXDSPZV4+4y0djC0X+tNX/DPCs/wPpXEqmqeGSXc7sbnXoLYf
 49jGRa6pz8MR1da5D78lSCxm407+UNJzbJuGfHFzjYqxjQEULKJTug4Z7Hs0MGne
 XzAqLyKxfgW0/4P5QzD6
 =EFcD
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] Garbage Collectors

[Leon Rosenberg]

On Thu, Dec 19, 2013 at 12:51 AM, Howard W. Smith, Jr. 
smithh032...@gmail.com wrote:

 On Wed, Dec 18, 2013 at 6:11 PM, Christopher Schultz 
 ch...@christopherschultz.net wrote:


  3. What is your total heap size?
 

 -Xms4096m
 -Xmx4096m
 -XX:MaxPermSize=384m (will share this as well, just because)


 but I think I can change to -Xms/-Xmx1250m, because heap used seem to max
 out at (+/-)1024m.


Don't, GC works best if used heap is  half of allowed heap. So keep at
least 2G (You know that you can specify 4G instead of 4096M, right? :-))
Leon

[OT] Symantic has a first tomcat worm ;-)

[Leon Rosenberg]

Morning everyone,

what can be greater start in the morning as reading about first tomcat worm
found by symantec ;-)

http://www.symantec.com/connect/blogs/all-your-tomcat-are-belong-bad-guys

Enjoy your caffe.

Leon

Re: Tomcat restart utility

[Leon Rosenberg]

Hello Vicky, et al,

I think the easiest way to give the developers the restart capabilities is
to get them ssh access to the user that is running tomcat.

This is easy, secure and convenient.

regards
Leon

On Thu, Nov 14, 2013 at 4:50 AM, vicky vicky007aggar...@yahoo.co.in wrote:

 Thanks Chris, I'm looking for restart capability only.

 Actually I have dozen of tomcat instances running on Linux machines, I
 want to give the restart capability to the developers team, can you please
 explain a bit
 that how I can achieve that .

 Many thanks again for responding  sharing the knowledge


 From: Christopher Schultz ch...@christopherschultz.net
 To: Tomcat Users List users@tomcat.apache.org
 Sent: Wednesday, 13 November 2013 7:58 PM
 Subject: Re: Tomcat restart utility


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Vicky,


 On 11/13/13, 5:52 PM, vicky wrote:
  Is there any other tool/utility with which we can do the deployment
   tomcat restart like PSI-PROBE.
 
  I'm having issues with PSI-PROBE ,restart functionality is not
  available over there  following message is coming on restart
  screen :-
 
  This JVM is not controlled by Java Service Wrapper
 
  Unable to figure out how to fix this

 Looks like PsiProbe only allows restart capabilities when you are
 using jsvc.

 In any case, using jsvc is probably the easiest way to control your
 JVM if you intend to make it restartable. If you're on Windows, just
 use the Windows Service and use the service controller to restart Tomcat.

 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.15 (Darwin)
 Comment: GPGTools - http://gpgtools.org/
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iQIcBAEBCAAGBQJShC4oAAoJEBzwKT+lPKRYUCIP/3+Mcq+8a1Nve4OUWQrMkKsz
 EqRwgFDuCdHLwiqBoDFQDufiH3cKOL2h19FVPopNkf6eA4lnZjZF9bjGaPH7W/m7
 dLF53o1eeeDdFHYLvuO4I5ysJ5a3csx9VgCk7R+GHrw09z8LWsU3rS5pU4EyEy4i
 cbQo00h21Q2PlYZElRj35pCnQzVz1FmpDNqQ802gxyzDXDaexQQEnjEz/yMUg7VG
 2d0igYnzu2Llzc2isNIdvbHb9FjpIJn713P1C093jAEOYtKUPwjvBn98QH7EJMvL
 61QSKx85g+QT+r4k2BJ9MrqQ6BB90NojIYYfNdc8SySM7WRcNJvanGAuoPI0+uka
 MSZby7pji7UqIr/eLWNid42yJ57DJ0zbnaBHjkXH31QPwn3MWBZEwfAnI55ixyAJ
 +M9ZnjeNRxNRJoUjd/t5Amn4eB/Tv6tD2Sk1DTr5vZ2EWYi1mmp6CAAL6yjf1W2+
 nc2UhTwz3s0yNXiIQOfGI4jUpuoMZ0vJDFnkqyWOeMUjBhmLeAG9fF8xDuU2Uvhs
 Y8mfZjGdY6l+WxWfvrgMbrsindQ30RoNBxE+g3rLOEWC3AxV0W3l4Hg7l5MZ9b7H
 qx2GWZ5zCDbsHhwtS9N4qX2cxXtxVb7BlZegLh33CiCsyCU54OuY1rqUzK0E2xFC
 dSvhXBb6CNNaW5rljS38
 =3Bpd
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [OT] [Fwd: TomEE Professional Support]

[Leon Rosenberg]

I got it too. I think its easier to delete and forget it, as to debate
about it. ;-)
regards
Leon


On Wed, Nov 13, 2013 at 2:15 PM, André Warnier a...@ice-sa.com wrote:

 Hi.

 I got the following email in my personal email inbox.

 Isn't there some rule, or at least some matter of self-control, in not
 using email addresses collected on this list for commercial promotion ?

  Original Message 
 From: - Wed Nov 13 13:48:37 2013
 X-Mozilla-Status: 0001
 X-Mozilla-Status2: 
 Return-Path: bounce-mc.us3_22715643.227889-aw=ice-sa.com@mail173.
 us4.mcsv.net
 X-Original-To: a...@ice-sa.com
 Delivered-To: andre.warn...@ice-sa.com
 Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=205.201.128.173; helo=mail173.us4.mcsv.net;
 envelope-from=bounce-mc.us3_22715643.227889-aw=ice-sa.com@
 mail173.us4.mcsv.net; receiver=a...@ice-sa.com
 Received: from mail173.us4.mcsv.net (mail173.us4.mcsv.net[205.201.128.173])   
  by
 tor.combios.es (Postfix) with ESMTP id DCFAB3C0AD2   for a...@ice-sa.com;
 Wed, 13 Nov 2013 13:48:25 +0100 (CET)
 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=
 mail173.us4.mcsv.net; h=Subject:From:Reply-To:To:Date:Message-ID:List-
 Unsubscribe:Sender:Content-Type:MIME-Version; i=gurkanerdogdu=3Dyahoo.com@
 mail173.us4.mcsv.net; bh=Mxp5nGTBAhJ4tiDlAEgNxpJYWwM=;
 b=Ocyx3ymgzmK11vA3/+524g885jWe0hlVlLQwFLGw052EepxX/u3JqrGTIZv6+afps8yWKhHqpMRz
 DR1JqSg9JPIfmn6xVzPvr5X/5Ve5g78ZKmZm5BmxmCRNyqB4fIc5+iLuIas31KKRImjm5cpEh8P5
 RAauIo5RquVVHcBgVbU=
 DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=
 mail173.us4.mcsv.net; b=BmLvRK7R5zl2/VRFdLZ09BJy50nOQFBXLcUoHLPQqfO
 o7DkgQbmi8Ug7bwNHNpotAwBLuXBIp2sW w8nzt6XeIcHys59itcvcLBKCt6zoR1
 vBv1RFw1OMSwlwuilV8u0zcNtNcav+LdWoW8zAnksyWOWL /knOPWkSMr9PbtPhtB4=;
 Received: from (127.0.0.1) by mail173.us4.mcsv.net id hgdqg0174lg1 for 
 a...@ice-sa.com; Wed, 13 Nov 2013 12:47:58 + (envelope-from
 bounce-mc.us3_22715643.227889-aw=ice-sa@mail173.us4.mcsv.net)
 Subject: TomEE Professional Support
 From: Apache TomEE Support gurkanerdo...@yahoo.com
 Reply-To: Apache TomEE Support gurkanerdo...@yahoo.com
 To:  a...@ice-sa.com
 Date: Wed, 13 Nov 2013 12:47:58 +
 Message-ID: 9781cf0ccdac7604f1f7fd52ea052bfdbb3.20131113124746@mail173.
 us4.mcsv.net
 X-Mailer: MailChimp Mailer - **CID105b909b64a052bfdbb3**
 X-Campaign: mailchimp9781cf0ccdac7604f1f7fd52e.105b909b64
 X-campaignid: mailchimp9781cf0ccdac7604f1f7fd52e.105b909b64
 X-Report-Abuse: Please report abuse for this campaign here:
 http://www.mailchimp.com/abuse/abuse.phtml?u=9781cf0ccdac7604f1f7fd52eid=
 105b909b64e=a052bfdbb3
 X-MC-User: 9781cf0ccdac7604f1f7fd52e
 x-accounttype: ff
 List-Unsubscribe: mailto:unsubscribe-9781cf0ccdac7604f1f7fd52e-
 105b909b64-a052bfd...@mailin1.us2.mcsv.net?subject=unsubscribe, 
 http://blogspot.us3.list-manage.com/unsubscribe?u=
 9781cf0ccdac7604f1f7fd52eid=b75a8245a1e=a052bfdbb3c=105b909b64
 Sender: Apache TomEE Support gurkanerdogdu=yahoo.com@
 mail173.us4.mcsv.net
 x-mcda: FALSE
 Content-Type: multipart/alternative; boundary=_--=_MCPart_
 1458955636
 MIME-Version: 1.0

 20% off TomEE Support from Java EE Guru Gurkan Erdogdu. He really knows
 Apache Tomcat, TomEE and related Java EE projects in source code level!

 
 Email not displaying correctly?
 View it in your browser (http://us3.campaign-archive1.com/?u=
 9781cf0ccdac7604f1f7fd52eid=105b909b64e=a052bfdbb3) .


 ** Support for Apache TomEE (http://blogspot.us3.list-
 manage1.com/track/click?u=9781cf0ccdac7604f1f7fd52eid=
 bceee0c9bae=a052bfdbb3) Funs
 
 BUY NOW (http://blogspot.us3.list-manage.com/track/click?u=
 9781cf0ccdac7604f1f7fd52eid=6a24f4ee0ee=a052bfdbb3)


 ** TomEE Support : 20% Off
 


 ** professional TomEE Support with NO HIDDEN COST!

 
 divimg src=http://blogspot.us3.list-manage.com/qr/coupon?e=
 a052bfdbb3data=eyJjaWQiOiIxMDViOTA5YjY0IiwidW
 lkIjoiOTc4MWNmMGNjZGFjNzYwNGYxZjdmZDUyZSIsImNvZGUiOiIzYzE0OT
 g3NDIxIiwidGV4dCI6IjIwJSBvZmYgMSBUb21FRSBTdXBwb3J0IiwidGlkIj
 oiOTcxMDJlZDgyNiIsInVzZXMiOjF9s=2 alt=20% off 1 TomEE Support
 title=20% off 1 TomEE Supporta href=http://9781cf0ccdac7604f1f7fd52e.
 105b909b64.list-manage.com/3c14987421 alt= style=display:none;margin-
 left:-px;/a/div
 http://blogspot.us3.list-manage.com/track/click?u=
 9781cf0ccdac7604f1f7fd52eid=909133d7cde=a052bfdbb3


 ** TomEE Support Discount
 
 Would you like to get Apache TomEE professional support from Java EE guru
 with no hidden cost! As a founder of the project Apache OpenWebBeans and
 several other big Java EE projects, Gurkan Erdogdu knows the Apache Tomcat
 and TomEE and related projects in source code level. For initial
 subscribers, we will apply 20% discount.
 

Re: Tomcat Monitoring - Thread usage - currentThreadCount or currentThreadBusy

[Leon Rosenberg]

Hello Vikram,

if you are working on a monitoring solution for tomcat I suggest you take a
look at moskito: http://www.moskito.org.

regards
Leon


On Thu, Aug 15, 2013 at 3:42 AM, Vikram Jain rahulvi...@gmail.com wrote:

 Hi Team,

 I'm Vikram Jain. My first query to Tomcat user group, looking forward to
 hear from you. :)

 I am working on Tomcat monitoring solution for a project and when it comes
 to monitoring 'Thread usage', I am wondering whether I should be comparing
 'currentThreadCount' or 'currentThreadBusy' attribute against 'maxThread'
 to generate an alert.
 Is currentThreadBusy the actual represntation of the activeThread count ?
 If currentThreadCount increases when there is an increase in need of
 request processing threads and once the requests are processed, whether the
 currentThreadCount drops ?

 Please assist. If you find it relevant, please also update the docs to the
 benefit of other users :)

 Regards,
 Vikram

Re: javaagent is messing with webapp classpath

[Leon Rosenberg]

Hello,

yes, your java agent is probably not well coded :-)

regards
Leon


On Thu, Aug 1, 2013 at 8:33 PM, Alberto SOUZA alots@gmail.com wrote:

 Hi,

 I have a javaagent that changes some specific classes of my project. But,
 when i start the server using the agent I get a lot of
 ClassNotFoundException for a  lot of classes... Like
 ServletContextListener. When I don't use the javaagent argument everything
 goes fine. Does anyone have an idea?

 Thanks!!

Re: Tomcat and IP transparency

[Leon Rosenberg]

Hello Joan,

I fear I have to disappoint you. If I understand you correctly you want to
manipulate the packets on the IP level, setting the source ip address to
the ip address of the originator of the packet, similar to what a
loadbalancer would do. It is possible technically, but it's a very
different kind of soup compared to http proxy and really hard to implement
in java, just because native access to the network interface isn't
something java was made for. And since it's not unfamiliar to the attack
vector known as IP Spoofing, it will only work in close distance
(network-wise).  But last time I was programming something on ip leveI is
about 15 years ago, so I may be wrong.

However, you other side, should be able to retrieve the contents of the
X-FORWARDED-FOR header and return it in the getRemoteAddress call to its
application. At least tomcat would do. So the question is, how much access
do you have to your blackbox? If you have access to the machine you could
do it with apache httpd and mod_proxy or mod_proxy_ajp. If not I would ask
the provider of the blackbox, how they handle proxies in general (and if
they do it at all). I they support some kind of proxy behavior, all you
need to do is mimic one, if not... well find another provider ;-)

It sounds a bit like SEO, and there are a lot of SEO providers with better
tech ;-)

regards
Leon


On Wed, Jul 31, 2013 at 9:04 PM, Joan Balagueró Ventus Proxy 
joan.balagu...@ventusproxy.com wrote:

 Hello,



 I already asked this question to the Apache HttpClient Forum. They don't
 know if this is possible with java/Tomcat.



 I have developed a proxy servlet with an xml cache, running in a Tomcat
 6.0.37 on Linux Centos6.4.



 When the incoming xml request (sent from an external client) is not found
 in
 the proxy cache, I use HttpClient 4.2.5 to create a new http request and
 redirect it to the provider application servers to get the xml response.



 So far, everything worked ok with all our clients. But now we've a provider
 that needs ip transparency. Then, the request created by httpclient needs
 to
 carry the origin ip address (that from the external client), not the proxy
 ip. My proxy gets correctly the external IP (using
 request.getRemoteAddr()),
 but when the provider application reads the IP provided by the http client
 using request.getRemoteAddr(), they obviously get the proxy IP.



 The provider software is a blackbox, then reading ips with
 'request.getRemoteAddr()' is something that they cannot change now.
 Therefore, things like adding a 'X-Forwarded-for' header cannot be
 implemented in this scenario.



 Is it possible tot achieve this at  Tomcat level? Has anyone found an
 scenario like this?



 Thanks in advance,

 Joan.

Re: Multiple instances of Tomcat 7.0 on one server

[Leon Rosenberg]

Hello Mr. Random,

as usual there is no easy answer here.
I think the most correct answer would be RATHER NOT.
There is rather no performance to be gained but running multiple instances
of the same app in multiple tomcats on the same physical machine except for:
* you need a lot of heap per session. In this case you will probably be
able to save gc time and performance. So in case you need more than 12 Gb
Heap separation would make sense.
* you have multiple physical resources your app can't use properly. For
example if you could give each instance its own database or its own file
system.
* you have concurrency issues in your application.

Drawbacks:
- Database. If you have one. You will have more connections and evtl. more
locks. And both are limited resources.

If you want a more detailed answer, you should tell us a bit about your
app.
Or, better, you start to monitor your app, run one physical server with one
instance and another one with two and compare.
By using a monitoring tool like moskito: http://www.moskito.org.

regards
Leon


On Fri, Jul 19, 2013 at 7:37 PM, Tomcat Random tomcat.ran...@gmail.comwrote:

 We currently are setting a site that receives fairly heavy traffic (5000
 simultaneous users). We have two physical servers.

 As a general idea, is there performance to be gained by running multiple
 instances of Tomcat 7.0? For example, two instances on one physical server
 and two instances on the other physical server? Assume all are running the
 same webapp.

 TIA

Re: JSP in Static Resources

[Leon Rosenberg]

Hello Alireza,

what exactly was wrong with putting
contentType=text/css;charset=UTF-8
on top of your css-jsps?
Actually each page should have content-type, so why not the css jsps?

Leon



On Sun, Jul 14, 2013 at 12:43 PM, Alireza Fattahi afatt...@yahoo.comwrote:

 Well,

 If we want to follow up that post , then we should belive that:
 Setting the mime type is not working for css
 So
 we should use other ways to solve it.

 Is that true?!
 ~Regards,
 ~~Alireza Fattahi


 
 From: André Warnier a...@ice-sa.com
 To: Tomcat Users List users@tomcat.apache.org
 Sent: Sunday, 14 July 2013, 12:00
 Subject: Re: JSP in Static Resources


 Alireza Fattahi wrote:
  Guys please concentrate on the main issue !!

 I believe that the main issue was already answered thoroughly by
 Konstantin earlier.
 Did you not read it ?

 
  I ask again:
 
  When you set jsp servlet to process the css files by adding:
  servlet-mapping
 servlet-namejsp/servlet-name
 url-pattern*.css/url-pattern
  /servlet-mapping
 
 
  The tomcat does not set the CSS file extension mime type to text/css.
 Although below line is set in localhost-config/web.xml
 
 mime-mapping
 extensioncss/extension
 mime-typetext/css/mime-type
 /mime-mapping
 
 
  When you manually set the content mime type %@page
 contentType=text/css % every thing will work fine
 
 
  ~Regards,
  ~~Alireza Fattahi


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Monitoring Tomcat - In-depth details

[Leon Rosenberg]

Hello,

check http://www.moskito.org out.
MoSKito is an open source project that has been around since 2007. It
supports most of the things you mentioned except byte-code instruction yet
(an agent is currently in development, but its not that easy to implement
;-)).
But you can integrate it along spring-bean, cdi-beans with decorators,
filters, java proxies etc pp. Check
https://confluence.opensource.anotheria.net/display/MSK/Integration+Guidefor
details.

regards
Leon

P.S. Feel free to ask directly or on moskito mailing list for support.


On Tue, Jul 2, 2013 at 4:11 PM, Shanti Suresh sha...@umich.edu wrote:

 All,

 For lack of funds initially and now for a stalemate in the project, we do
 not have a JVM monitoring tool yet.  JavaMelody was recently discussed.   I
 like the fact that there is a dashboard and history of metrics.  In looking
 at it, I find JavaMelody lacking in in-depth diagnostics of the JVM.  Top-N
 SQL statements, Transaction Tracing, metrics co-relation, call-back tree,
 thresholds and alerting are a few.

 Are there are any OpenSource projects that instrument the JVM at byte-code
 and provide detailed metrics more than what JMX offers?  Or am I missing
 something with JavaMelody?

 Thanks!

  -Shanti

Re: Exeptions after upgrading to tomcat 7

[Leon Rosenberg]

Hello Manuel,


On Sat, May 25, 2013 at 10:41 PM, Manuel LeNormand 
manuel.lenorm...@gmail.com wrote:

 Hello all,
 I have a Solr instance running on a Tomcat 6 servlet, everything worked
 fine.
 While upgrading to Tomcat 7.0.34, I get exceptions I'm having a hard time
 to deal with.
 Two kind of exceptions occur on shutdown of service:
 1. Memory leak due to threads that do not close - I understand it is not
 severe, and maybe on previous version was not monitored. Still, is there
 anything that is done on the servlet side that might resolve it, and what
 might be sides effects of this?


Remove following lines from server.xml:
  !-- Prevent memory leaks due to use of particular java/javax APIs--
  Listener
className=org.apache.catalina.core.JreMemoryLeakPreventionListener /
  Listener
className=org.apache.catalina.core.ThreadLocalLeakPreventionListener /

They do no good unless you are hotdeploying new versions of wars in running
production servers, and no one does that ;-)

regards
Leon



 2. Instance of MBeans that cannot be destroyed - btw,  the MBean instance
 is initiated under CATALINA_OPTS.

 Thanks in advance,
 Manuel

 Here are the LOGS:
 INFO: A valid shutdown command was received via the shutdown port. Stopping
 the Server instance.
 May 13, 2013 4:22:32 PM org.apache.coyote.AbstractProtocol pause
 INFO: Pausing ProtocolHandler [http-bio-8080]
 May 13, 2013 4:22:32 PM org.apache.coyote.AbstractProtocol pause
 INFO: Pausing ProtocolHandler [ajp-bio-8009]
 May 13, 2013 4:22:32 PM org.apache.catalina.core.StandardService
 stopInternal
 INFO: Stopping service Catalina
 May 13, 2013 4:22:35 PM org.apache.catalina.loader.WebappClassLoader
 clearReferencesThreads
 SEVERE: The web application [/solr] appears to have started a thread named
 [localhost-startStop-1-SendThread(zookeeper2:2181)] but has failed to stop
 it. This is very likely to create a memory leak.
 May 13, 2013 4:22:35 PM org.apache.catalina.loader.WebappClassLoader
 clearReferencesThreads
 SEVERE: The web application [/solr] appears to have started a thread named
 [localhost-startStop-1-EventThread] but has failed to stop it. This is very
 likely to create a memory leak.
 May 13, 2013 4:22:35 PM org.apache.catalina.loader.WebappClassLoader
 checkThreadLocalMapForLeaks
 SEVERE: The web application [/solr] created a ThreadLocal with key of type
 [org.apache.solr.schema.DateField.ThreadLocalDateFormat] (value
 [org.apache.solr.schema.DateField$ThreadLocalDateFormat@19c212b0]) and a
 value of type [org.apache.solr.schema.DateField.ISO8601CanonicalDateFormat]
 (value
 [org.apache.solr.schema.DateField$ISO8601CanonicalDateFormat@6b2ed43a])
 but failed to remove it when the web application was stopped. Threads are
 going to be renewed over time to try and avoid a probable memory leak.
 May 13, 2013 4:22:35 PM org.apache.catalina.loader.WebappClassLoader
 checkThreadLocalMapForLeaks
 SEVERE: The web application [/solr] created a ThreadLocal with key of type
 [org.apache.solr.schema.DateField.ThreadLocalDateFormat] (value
 [org.apache.solr.schema.DateField$ThreadLocalDateFormat@19c212b0]) and a
 value of type [org.apache.solr.schema.DateField.ISO8601CanonicalDateFormat]
 (value
 [org.apache.solr.schema.DateField$ISO8601CanonicalDateFormat@6b2ed43a])
 but failed to remove it when the web application was stopped. Threads are
 going to be renewed over time to try and avoid a probable memory leak.
 May 13, 2013 4:22:35 PM org.apache.coyote.AbstractProtocol stop
 INFO: Stopping ProtocolHandler [http-bio-8080]
 May 13, 2013 4:22:35 PM org.apache.coyote.AbstractProtocol stop
 INFO: Stopping ProtocolHandler [ajp-bio-8009]
 May 13, 2013 4:22:35 PM org.apache.coyote.AbstractProtocol destroy
 INFO: Destroying ProtocolHandler [http-bio-8080]
 May 13, 2013 4:22:35 PM org.apache.coyote.AbstractProtocol destroy
 INFO: Destroying ProtocolHandler [ajp-bio-8009]
 May 13, 2013 4:22:35 PM org.apache.catalina.util.LifecycleMBeanBase
 unregister
 WARNING: Failed to unregister MBean with name
 [Catalina:type=Executor,name=tomcatThreadPool] during component destruction
 javax.management.InstanceNotFoundException:
 Catalina:type=Executor,name=tomcatThreadPool
 at
 com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getMBean(Unknown
 Source)
 at

 com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.exclusiveUnregisterMBean(Unknown
 Source)
 at

 com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.unregisterMBean(Unknown
 Source)
 at com.sun.jmx.mbeanserver.JmxMBeanServer.unregisterMBean(Unknown
 Source)
 at

 org.apache.catalina.util.LifecycleMBeanBase.unregister(LifecycleMBeanBase.java:194)
 at

 org.apache.catalina.util.LifecycleMBeanBase.destroyInternal(LifecycleMBeanBase.java:73)
 at

 org.apache.catalina.core.StandardThreadExecutor.destroyInternal(StandardThreadExecutor.java:150)
 at
 org.apache.catalina.util.LifecycleBase.destroy(LifecycleBase.java:305)
 at

 

Re: Exeptions after upgrading to tomcat 7

[Leon Rosenberg]

On Sun, May 26, 2013 at 3:14 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: Leon Rosenberg [mailto:rosenberg.l...@gmail.com]
  Subject: Re: Exeptions after upgrading to tomcat 7

  Remove following lines from server.xml:
!-- Prevent memory leaks due to use of particular java/javax APIs--
Listener
  className=org.apache.catalina.core.JreMemoryLeakPreventionListener /
Listener
  className=org.apache.catalina.core.ThreadLocalLeakPreventionListener /

 This is akin to burying one's head in the sand.  It would be much better
 to fix the actual problem by shutting down the auxiliary thread with an
 appropriate listener.  Sloppy programming should not be encouraged.


Chuck, with all respect, this is easier said than done.
First we are talking about a ThreadLocal, not Thread. It's tomcat who shuts
the threads done due to shutdown, not the app and not the library.
Now what is the negative impact of leaving a not-cleaned-up ThreadLocal?
- Memory footprint? Well, we are talking about few small objects, if the
app has millions of threads it probably has other problems.
- Garbage? Yes, but not more than any other Thread variable, it will be
collected by the GC once the Thread is collected.
- Reentrance? Any lib or code that uses ThreadLocals should initialize them
properly.

On the other hand efforts to clean it up.
You have to provide your own mechanism to clean up ThreadLocals someone
else created, because most libs aren't written for redeployment and simple
don't care. If they did, they would provide cleanup interfaces to their
libs, making them harder to use, but what for? Cleaning ThreadLocals up is
a bit like writing destructors.
Further, where is the safe place to actually clean up a ThreadLocal  The
same you created it? So if you want to ensure that you have your
threadlocal where you need it, you would set it up in filter, before
chain.doFilter() and clean it up in the finally block? Wait, what about
forwarded calls? They do not pass a filter, so your code would have to care
how it's been called. So RequestListener remains and it will surely have it
gotcha's too ;-)


All in one, a lot of hustle and bustle, and what for? To clean up 200 bytes
faster?
Maybe I'm missing something here, but I never seen how ThreadLocal does
real harm, neither I can imagine it, please enlighten me ;-)

regards
Leon




  - Chuck


 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you
 received this in error, please contact the sender and delete the e-mail and
 its attachments from all computers.


 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Monitoring Tomcat - Delta Values

[Leon Rosenberg]

Hello Shanti,


On Fri, May 3, 2013 at 10:57 PM, Shanti Suresh sha...@umich.edu wrote:


 I am interested in trending of the metrics - so data for four months, let's
 say.
 - Does moskito have a way of storing data?

yes it does:
https://confluence.opensource.anotheria.net/display/MSK/MoSKito+Central
https://confluence.opensource.anotheria.net/display/MSK/HowTo+Run+moskito-central+in+embedded+mode



 - What time-interval granularity have people found useful with JMX, without
 overloading the servers?  I collect some JMX stats in 1 minute intervals,
 but really would like every second.


every second is maybe a little overkill, but possible. What amount of
traffic does your application serve, that you need so detailed data?

regards
Leon



 Thanks.

   -Shanti

Re: getting the request that created the session

[Leon Rosenberg]

Hello Andre,


On Mon, Apr 29, 2013 at 10:13 AM, André Warnier a...@ice-sa.com wrote:


 Leon,
 I apologise for insisting, but your initial post said :
 Background, I want to count sessions by top level domains...



Yes, but @Runtime. Means that I want to know how many sessions from each
tld are active _now_.
Parsing http log continuously and instantly would be an overkill in my
opinion. And I don't see a way to see a session expiry in access log ;-)

kind regards
Leon

Re: getting the request that created the session

[Leon Rosenberg]

On Mon, Apr 29, 2013 at 3:49 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Leon,


 So your initial implementation was a Filter that marked each
 HttpSession with the origin IP address (so you could get the TLD of
 the user) and then a Listener to keep track of the sessions? What's
 wrong with that?


It seemed to complicated.
I now could strip it down to 1 file, that is both HttpSession and
ServletRequest- Listener:
http://svn.anotheria.net/opensource/moskito/trunk/moskito-web/java/net/anotheria/moskito/web/session/SessionByTldListener.java

The drawback is, I can count only from second request, because the session
is created later. And I don't want to create sessions on all requests.
I'm thinking about moving (duplicating) the call in requestDestroyed.



  Output for
  http://localhost:8080/moskitodemo/mui/mskShowAllProducers: Request
  1 created /moskitodemo/mui/mskShowAllProducers Session created
  4B842C774B30EE7886CC7243758C7D38 Request 2 created
  /moskitodemo/mui/mskCSS Session? true Session
  4B842C774B30EE7886CC7243758C7D38 new? true Request 3 created
  /moskitodemo/img/moskito_webui_logo.gif Session? true Session
  4B842C774B30EE7886CC7243758C7D38 new? true Request 4 created
  /moskitodemo/js/wz_tooltip.js Session? true Session
  4B842C774B30EE7886CC7243758C7D38 new? true Request 5 created
  /moskitodemo/js/jquery-1.4.min.js Session? true Session
  4B842C774B30EE7886CC7243758C7D38 new? true Request 6 created
  /moskitodemo/js/function.js Session? true Session
  4B842C774B30EE7886CC7243758C7D38 new? true Request 6 destroyed
  /moskitodemo/js/function.js Request 5 destroyed
  /moskitodemo/js/jquery-1.4.min.js Request 4 destroyed
  /moskitodemo/js/wz_tooltip.js Request 3 destroyed
  /moskitodemo/img/moskito_webui_logo.gif

 That does appear a little odd to me. Can you show an HTTP protocol
 trace of that interaction? I'd be interested to see what request was
 what and exactly what it held (and whether they were keepalives, etc.).


The request that occur simultaneously in chrome(only) are pictures and js,
replied with 304:

   1. Request URL:
   http://localhost:8080/moskitodemo/js/wz_tooltip.js
   2. Request Method:
   GET
   3. Status Code:
   304 Not Modified
   4. Request Headersview source
  1. Accept:
  */*
  2. Accept-Encoding:
  gzip,deflate,sdch
  3. Accept-Language:
  en-US,en;q=0.8
  4. Cache-Control:
  max-age=0
  5. Connection:
  keep-alive
  6. Cookie:
  JSESSIONID=71474A695869D2494E2135CBCEAF
  7. Host:
  localhost:8080
  8. If-Modified-Since:
  Sat, 27 Apr 2013 21:49:44 GMT
  9. If-None-Match:
  W/35082-1367099384000
  10. Referer:
  http://localhost:8080/moskitodemo/mui/mskShowAllProducers
  11. User-Agent:
  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36
  (KHTML, like Gecko) Chrome/27.0.1453.65 Safari/537.36
  5. Response Headersview source
  1. Date:
  Mon, 29 Apr 2013 14:24:36 GMT
  2. ETag:
  W/35082-1367099384000
  3. Server:
  Apache-Coyote/1.1


Even, the requests are keepalived they look to me as if they were executed
parallel. At least from the chrome timeline. But its hard to tell without
further investigation.

You can check yourself:
http://server04.test.anotheria.net:8080/moskitodemo/mui/mskShowAllProducers


The TestListener code:
http://svn.anotheria.net/opensource/moskito/trunk/moskito-web/java/net/anotheria/moskito/web/session/TestListener.java



regards
Leon


 - -chris
 -BEGIN PGP SIGNATURE-
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iQIcBAEBCAAGBQJRfnpjAAoJEBzwKT+lPKRYp1AP/15ijJOAxMkT8ZvVLm3r8jb8
 w30OVaIOerFINsE3DL74mngd8pcNR/d2SQoYkMLM3oT42Z/p/Qufy9sLfuti9vkR
 RAYq9Q0PUmUGTGilWL3eraEqPfXUo1ZVQrC3W9MyvzGraq1sIaJqqWb8fm/N3z9d
 n0LHenBcjmt8OfySFWSQ8uTfSjdE+KhO0Nqca0sMIUQsGjbrklVwgkyJ8F+auLaY
 CwS4gSR7I6i785ITNu2XHnGeQLQRonYPTQHiXueEniBKbvCQp4In4antwpPVihrO
 2oTUHP2eORe+WvRrUzHDkuZRFhXIHKI5NWuN7HtLsy0xLDgZVJRBys78GI0ulCrG
 M1KYEpkQFXgHFCZdV3foRkW9XNcCBKdX4ExjZcjoE1pLL2yk5sAePrWeYNS9Bfv0
 JKLwdI8J+ofnmJc2ZJazYmA+Ig7PAG74sa02j3izEuRV8B4saUc7mJvUkXusc/qC
 +qxwQY779ucf77LCY5OIvN/KZU1NOsrDrIrUYyFgjK5m8r7PIvRg8l77z1Bh74na
 n70/3dTNWmYC1w5WW1WLEUyXJXcrPeQsijWbfnoY8sBvVvLbxOvb/w5dU7WiwxdD
 3wxOYNc4TQoaAVsoMS9xs1V1+llxVZXDW/cJeBlgotCNoZNYk8MAZhsuHw1PkyqF
 FgADHu45Qxy/bKZbEN7S
 =HgoD
 -END PGP SIGNATURE-

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org