Re: need mod_jk for apache http server 2.0.63 - urgent

2008-10-03 Thread tomcat

At 04:57 PM 10/3/2008, you wrote:

Hi,

I need mod_jk or the tomcat connector. I don't know where to get it 
from. I searched on google but could not find. Basically I would 
like to connect from tomcat 5.5.9 to apache http server 2.0.63 
installed on solaris 10 machine. Could somebody tell me where to get it.


Thanks,
srinivas jonnalagadda


http://tomcat.apache.org/download-connectors.cgi
or DIRECT Download
(sorry, I'd never do this)
http://apache.osuosl.org/tomcat/tomcat-connectors/jk/source/jk-1.2.26/tomcat-connectors-1.2.26-src.tar.gz

Cheers,
Glenn


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Data source realm, using primary keys (not varchar)?

2005-11-13 Thread tomcat
Hi

I'm trying to learn authentication and authorization within a web application,
and I think I know the basic stuff and maybe a bit more.
I just read the Tomcat howto guide on realm, and especially data source realm.

But I think their data base example is a bit strange. They have a table
user_roles that consists of a user_name and a role_name. The odd thing is,
these fields are not foreign keys, but varchars! This is really not good
database design. What if I for some reason want to change a username? I should
only have to change the username field in the users table.
The same thing goes with the rolename, although a changed rolename would
demand a change in the authorization code within the web application, but as
far as the database is concerned I should only have to make the change in a
single table.

I would like something like this:

create table users (
  user_id   int not null primary key,
  user_name varchar(15) not null,
  user_pass varchar(15) not null
);

create table roles (
  role_id   int not null primary key,
  role_name varchar(15) not null
);

create table user_roles (
  user_roles_id int not null primary key,
  user_id   int not null,
  role_id   int not null
);

Is this possible? I still want to use the built in authentication and
authorization.
If it is possible, how do I configure it in tomcat?

http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html#DataSourceRealm

Regards
/Jimi




tomcat-apache ajp13 connection problem (answer time)

2005-12-21 Thread tomcat
hello there,

i have two servers inside the dmz, one with redhat 9 the other with
fedora core 4. the box running with fedora core has tomcat 5.5.9
and apache 2.0.54. the connection is made with ajp13.
the redhat 9 has an older apache and java version.
these two servers run separated, so each one has all it
needs on its system.

there are multiple virtual hosts and web applications on each server.
accessing such a web application from localhost works well, the
same when being inside the dmz and using a testclient.
now the problem, requests from outside the dmz work still well
for the redhat 9 installation, fedora core 4 however has answer
times between page and image loads that are from multiple seconds
to minutes!

i have looked at all known log files, but got no errors at all, there
is simply a wait time between multiple requests and i don't see why.

running tomcat on port 80 as standalone however works correctly from
outside the dmz. apache as standalone too. however as soon as the
ajp13 connector connects the two, from outside the dmz requests slow
down.

has anybody an idea where i might have a closer look too to get this
problem solved ?

thanks a lot,

stephan









Re: tomcat-apache ajp13 connection problem (answer time)

2005-12-26 Thread tomcat
no, none at all. there is the network switch followed by the firewall.


Quoting Prasad [EMAIL PROTECTED]:

 Any load balancers exist in your environment ??



Re: pls unsubscribe my name from tomcat users group

2008-03-07 Thread tomcat
Please use a mail client that you can read email headers in. The 
unsubscribe address is in your email header from the listgroup.


List-Unsubscribe: mailto:[EMAIL PROTECTED]

Cheers!

At 12:19 PM 3/7/2008, you wrote:


pls unsubscribe [EMAIL PROTECTED] from tomcat users group




Re: How do I unsubscribe ?

2007-07-12 Thread tomcat
My old account was unsubscribed and deleted in a few minutes. Then I 
created a new account and resubscribed the new account. It took all 
of 1 hour from start to finish. The old account was getting spammed 
to DETH! Now I use it to harvest my block list!


Get yourself an email client that will let you read your mail 
headers! You have no idea what you are missing!


At 02:30 PM 7/12/2007, you wrote:


Hi, can you unsubscribe me too.

-Siraj

Sunitha Kumar (sunithak) wrote:
  Hi Mark.,
 could you also unsubscribe me?
 thnx
 -sunitha

 -Original Message-
 From: Mark Thomas [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, July 11, 2007 5:25 AM
 To: Tomcat Users List; [EMAIL PROTECTED]
 Subject: Re: How do I unsubscribe ?

 [EMAIL PROTECTED] wrote:

 Hi,

 Is there an alternative way to unsubscribe from this user group ? I
 have sent numerous blank emails to
 [EMAIL PROTECTED], but it seems to have no effect,


 An e-mail to [EMAIL PROTECTED] will do the trick and one of us will
 manually unsubscribe you.

 I have just done this for your address.

 Mark




RE: Legal Risk of Using Tomcat

2007-09-07 Thread tomcat

At 01:19 PM 9/7/2007, you wrote:


 My guess was different:  that they were concerned about using software
 that might later be claimed to be covered by somebody else's patent,
 like M$ has been threatening with Linux.  If my guess is correct, then I
 seriously doubt there's anything to worry about there, because Tomcat
 has been written as open source from the beginning, and nobody has ever
 claimed patent rights over it.


You are right - I think this is the primary concern.


Yes, most likely the M$ vs. Linux and the whole SCO vs Linux and 
Novell deal. It is rather dicey.


Tomcat on Windows would pretty much CYA. However, Tomcat on Linux is 
quite nice and IMHO, more secure (or rather secure-able!). More 
tunable as far as performance too!


Cheers!





Re: Sending Mail from a Java WebApplication does not work

2007-10-04 Thread tomcat

At 01:30 PM 10/4/2007, you wrote:


Gabe,
That is great.
yes, It is sending mails to junk folder.
Thanks a lot lol.
How can I avoid it? Why does gmail treat this mail as spam?

We were planning to move our application to a new server.
I had written a build script using perl. Everything went fine and build was
successful.
We were trying to test it for user registration and no mails for ever. My PM
will eat my head if it moves to junk folder. HELP!





We send through the localhost sendmail to the mail server that serves 
mail for the host's domain. Sendmail is already set to only relay 
localhost on later 8.12 versions and up, making this setup easy. The 
mail server for the domain needs to be modified to accept mail from 
your application server.


Your mail may be getting flagged for lack of RDNS (PTR record for the 
MX server). A lot of ISPs will flag or refuse your mail if you do not 
have MX and PTR records for your server. AOL immediately comes to mind.






Re: Spam Score

2008-07-22 Thread tomcat

At 02:38 PM 7/22/2008, you wrote:

What is the tomcat mailing list spam score, and why am I unable to send
my email to post a question?



Patrick


Well, your first message that made it in looked like this:

X-ASF-Spam-Status: No, hits=4.1 required=10.0
tests=DNS_FROM_RFC_BOGUSMX,HTML_MESSAGE,SPF_PASS
X-Spam-Check-By: apache.org

So, apparently your mail server has a defective MX record, you don't 
use SPF and your first message was in HTML. Your second message, that 
made it to the group was not HTML.


Go fix that DNS! That's a BIG strike against your getting any mail 
anywhere! I probably would have scored you higher for that!


Cheers!
Received-SPF: pass (athena.apache.org: local policy)
Received: from [67.91.25.34] (HELO barracuda.sim-gtech.com) (67.91.25.34)
by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 22 Jul 2008 18:29:27 +
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=_=_NextPart_001_01C8EC2A.25F5E661





Context files disappearing

2006-04-03 Thread tomcat
Hello,

I am using Tomcat 5.5.16 and every now and then, my context.xml files get
deleted from the $TOMCAT_HOME/conf/Catalina/localhost directory.  This
seems to be random and it is becoming very frustrating.

Does anyone know what's causing this to happen? and how the problem can be
fixed?

Thanks.
Aladin




Re: Context files disappearing

2006-04-03 Thread tomcat
Thanks for the response.  I've never seen it happen randomly either... but
what can I say?

I shutdown my server yesterday (as in powered it off) and when I restarted
it, all the context files were gone including the manager.xml.

Any thoughts??

Aladin



 [EMAIL PROTECTED] wrote:
 I am using Tomcat 5.5.16 and every now and then, my context.xml files get
 deleted from the $TOMCAT_HOME/conf/Catalina/localhost directory.  This
 seems to be random and it is becoming very frustrating.

 Does anyone know what's causing this to happen? and how the problem can be
 fixed?

 I've never seen this happen randomly. I only see this happen upon undeploy of
 the correspondent webapp - and that's the way things are designed (AFAICT).

 Regards
   mks




Re: Context files disappearing

2006-04-03 Thread tomcat
I'm running tomcat on Linux machine (FC2) and it is installed in:
/usr/local/jakarta/tomcat

Aladin


 Sounds to me like some other process is responsible for this.  Out of
 curiosity, what platform are you on (Windows, Linux, etc., ...) and
 where is tomcat installed?

 --David




crossContext breaking class hierarchy?

2006-04-06 Thread tomcat
Hello,

I am experiencing a problem with Tomcat and class hierarchies.  In
particular when an object (which implements interface X) is shared among
several contexts I am unable to cast the object back into interface X.

Here is the setup (for simplicity I'll illustrate this with 2 contexts):

* Interface ClassInterface is distributed across all applications in a
.jar.

Application A in context a
--
- Implements ClassInterface and adds an instance of the class in its
context:

  ClassInterface i = new ClassInterfaceImplementation();
  getServletContext().setAttribute("some.key", i);

Application B in context b
--
- Tries to cast the object in the context back into a ClassInterface but
fails with a ClassCastException: ClassInterfaceImplementation

  ServletContext context = (ServletContext)
      getServletContext().getContext("/a");
  ClassInterface i = (ClassInterface) context.getAttribute("some.key");
  -- EXCEPTION IS THROWN --
  java.lang.ClassCastException: ClassInterfaceImplementation


Has anybody experienced this before?  Does setting an attribute in the
context mess things up with the class hierarchy?

Thanks.




RE: crossContext breaking class hierarchy?

2006-04-06 Thread tomcat
My interface is only in the 2 context specific locations:

Application A context a: /WEB-INF/lib/interface.jar
Application B context b: /WEB-INF/lib/interface.jar

It is not in the Tomcat common or shared lib folders; I've verified this
just in case I had a brain cramp.



 I've seen this with Oracle jdbc objects.  If you have classes12.jar in your
 WEB-INF/lib directory, and a copy in common/lib (for the Tomcat Datasource)
 then you will have TWO oracle.jdbc.XX classes loaded, one in the common
 classloader and one in your web app's classloader and although they are both
 oracle.jdbc.XX, they are not the SAME class object (instance).

 So, be certain your interface X is not in two visible places.  Or if it is,
 you cannot cast objects from one classloader to the other.

 Tim




RE: crossContext breaking class hierarchy?

2006-04-06 Thread tomcat
Problem solved.  Thanks Tim, you got me thinking on the right path.

I put the interface.jar in the tomcat shared/lib rather than in the
individual context's lib folder.

This worked because the jar in the shared/lib folder is common to each of
the contexts' classloaders.  Putting the interface.jar in each context
reflects having two different interfaces (because of the different
classloaders).


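The classloader behaviour worked out in this thread, as an added example that is not code from the original posts: the same interface bytes defined by two separate loaders give two unrelated types, so an object published by one context fails the type check in the other, while an interface defined once in a common parent passes it. WebappLoader is a hypothetical, simplified stand-in for Tomcat's per-context classloader, and the nested ClassInterface and ClassInterfaceImplementation types stand in for the contents of interface.jar and application A's class.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Set;

public class CrossContextCastDemo {

    /** Stands in for the interface shipped in interface.jar (assumption for this demo). */
    public interface ClassInterface {
        String name();
    }

    /** Stands in for application A's implementation class. */
    public static class ClassInterfaceImplementation implements ClassInterface {
        public ClassInterfaceImplementation() { }

        @Override
        public String name() {
            return "instance created in context a";
        }
    }

    /**
     * Hypothetical, simplified webapp-style loader. Class names listed in
     * localClasses are defined by this loader itself (like jars placed in
     * WEB-INF/lib); every other class is delegated to the parent (like shared/lib).
     */
    static final class WebappLoader extends ClassLoader {
        private final Set<String> localClasses;

        WebappLoader(ClassLoader parent, Set<String> localClasses) {
            super(parent);
            this.localClasses = localClasses;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null && localClasses.contains(name)) {
                    c = defineLocally(name);
                }
                if (c == null) {
                    return super.loadClass(name, resolve);
                }
                if (resolve) {
                    resolveClass(c);
                }
                return c;
            }
        }

        /** Reads the compiled class bytes from the classpath and defines them in this loader. */
        private Class<?> defineLocally(String name) throws ClassNotFoundException {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) {
                    throw new ClassNotFoundException(name);
                }
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /**
     * Context a creates the object; context b asks whether it is an instance of
     * the interface as context b sees it. This is the check a cast performs.
     */
    static boolean castWorks(boolean interfaceInSharedLoader) throws Exception {
        ClassLoader shared = CrossContextCastDemo.class.getClassLoader();
        String iface = ClassInterface.class.getName();
        String impl = ClassInterfaceImplementation.class.getName();

        // Per-context copies of the interface versus a single copy in the parent.
        Set<String> inA = interfaceInSharedLoader ? Set.of(impl) : Set.of(iface, impl);
        Set<String> inB = interfaceInSharedLoader ? Set.<String>of() : Set.of(iface);
        ClassLoader contextA = new WebappLoader(shared, inA);
        ClassLoader contextB = new WebappLoader(shared, inB);

        Object attribute = contextA.loadClass(impl).getDeclaredConstructor().newInstance();
        Class<?> ifaceSeenByB = contextB.loadClass(iface);
        return ifaceSeenByB.isInstance(attribute);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("interface defined in each context: cast works = " + castWorks(false));
        System.out.println("interface defined in shared parent: cast works = " + castWorks(true));
    }
}
```

Compile with javac and run the class from the output directory so the loader can read the .class files from the classpath; Java 9 or later is assumed for readAllBytes and Set.of.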



requested resource not available

2009-05-12 Thread tomcat
I am running Tomcat 5.5.26, Java 1.6.0_13, and Centos 5.2 64 bit.

I am really stumped, getting The requested resource not 
available. I Googled and found quite a few items on this topic and 
everything points to an incorrect path. I have checked all the 
paths I can find, and am not finding the problem. 

I have another box with this successfully installed and as far as I 
can tell the 2 installations are identical, except one works and 
one does not.

Any ideas? Please let me know, thanks for your help,

Brad





RE: requested resource not available

2009-05-12 Thread tomcat
Thank you for your help, Chuck.

I get the message when trying to access the application through a 
browser. I did try with and without the firewall enabled on the 
server, and nothing changed. I am not sure I have Tomcat logging 
set up correctly, so I have not learned anything there.

I am brand new to Tomcat, as you can probably tell.

Brad

On Tue, 12 May 2009 14:34:10 -0500 Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:
 From: tom...@nym.hush.com [mailto:tom...@nym.hush.com]
 Subject: requested resource not available
 
 I am running Tomcat 5.5.26, Java 1.6.0_13, and Centos 5.2 64 
bit.

Thanks for telling us that; an amazing number of people fail to do 
so.

 I am really stumped, getting The requested resource not
 available.

When you do what?  Where is that message displayed?  Have you 
looked in the Tomcat logs?

If the message is being displayed by a browser, is there a 
firewall blocking the access?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE 
PROPRIETARY MATERIAL and is thus for use only by the intended 
recipient. If you received this in error, please contact the 
sender and delete the e-mail and its attachments from all 
computers.





RE: requested resource not available

2009-05-12 Thread tomcat
Ok, I did that and here is what I got:

[r...@li54-122 bin]# less ../logs/localhost_access_log.2009-05-12.txt
70.249.74.9 - - [12/May/2009:16:17:00 -0400] GET / HTTP/1.1 200 347
70.249.74.9 - - [12/May/2009:16:17:00 -0400] GET /pentaho/ HTTP/1.1 404 979



On Tue, 12 May 2009 15:11:15 -0500 Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:
 From: tom...@nym.hush.com [mailto:tom...@nym.hush.com]
 Subject: RE: requested resource not available
 
 I am not sure I have Tomcat logging set up correctly,
 so I have not learned anything there.

For a standard Tomcat installation (downloaded from 
tomcat.apache.org), there's really nothing to set up; the log 
files will be in Tomcat's logs directory.  If you're using a 
3rd-party repackaged version of Tomcat, there's no telling where the 
log files might be.

Assuming you can find the logs, try updating conf/server.xml to 
remove the comment markers around the AccessLogValve and restart 
Tomcat.  The logs will then show whether or not the request is 
even reaching Tomcat.

 - Chuck





RE: requested resource not available

2009-05-12 Thread tomcat
Those are the requests I expected to see, they do correspond to the 
URLs I entered in the browser.

I am deploying a preconfigured version of Pentaho that I found 
here: 
http://sourceforge.net/project/showfiles.php?group_id=140317package_id=160028release_id=648414

I deployed this exact same package on my development box with no 
problems. The preconfigured installation of Tomcat does appear (to 
me at least) to follow the deployment guidelines on the link you 
sent.

On Tue, 12 May 2009 15:28:50 -0500 Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:
 From: tom...@nym.hush.com [mailto:tom...@nym.hush.com]
 Subject: RE: requested resource not available
 
 [r...@li54-122 bin]# less ../logs/localhost_access_log.2009-05-12.txt
 70.249.74.9 - - [12/May/2009:16:17:00 -0400] GET / HTTP/1.1 200 347
 70.249.74.9 - - [12/May/2009:16:17:00 -0400] GET /pentaho/ HTTP/1.1 404 979

Are those the requests you expected to see?  Do they correspond to 
the URLs you submitted from the browser?

Do you have a webapp named pentaho deployed?  If so, does it have 
a welcome page under its first-level directory?  If not, do you 
have a servlet mapping for it that should have handled all 
requests?

Have you followed the guidelines for webapp deployment described 
in the doc?
http://tomcat.apache.org/tomcat-5.5-doc/appdev/index.html

 - Chuck





which apache

2006-07-03 Thread Tomcat

Hello

I have installed Tomcat and Apache, and both of them work fine,
however, tomcat has been installed as standalone and just listens
to Apache that came with Tomcat, how can I change it, so Tomcat works
with my desired Apache.

Thanks for your help





decompile java class

2006-07-26 Thread Tomcat

Hello

I am trying to decompile the java class file with javap command but it  
returns

my-class-name.class  contains some-other-package

so I am unable to decompile it .

does anyone have experience with javap command ?
how can I decompile a class that contains other package or classes.
I am aware of other decompilers, but I can not use them.

thanks for help





Re: decompile java class

2006-07-26 Thread Tomcat

Thanks Mohsen for your reply, but I can not download and use jad or
other decompilers, please let me know if you know how to decompile
the java class that contains another class.

Thanks


Mohsen Saboorian wrote:

Use JAD instead. It is quite simple and fast.
http://www.kpdus.com/jad.html




decompile java class

2006-08-07 Thread Tomcat

Hello

would you please help me with this,

when I am trying to decompile a class file with javap -c myclass.class I 
am receiving the following error:

Error: Binary file myclass contains com.cnsw.reveiw.conf

how can I decompile the class file that contains another class, also I 
want to use it with javap and not other tools.

Thanks for help





difference between thread and session

2006-08-14 Thread Tomcat

Hello

what is the difference between thread and session in tomcat ?
I was thinking that they are the same, but in server setting of tomcat 
manager it shows different thread number to session number in application list.

Thanks for help






Multiple apache web servers single Tomcat, how many Connectors are needed?

2006-08-25 Thread tomcat
Hello,

Hopefully someone can clarify a setup query I have as after lots of searching I
cannot find a definitive answer.

Although I'm configuring a much more complex system the problem I have boils
down to this.

I want to configure two Apache instances running on separate servers to talk to
a single Tomcat instance (on its own server) but need clarification on the
number of Connectors I need to define on the Tomcat side (server.xml). Is it a
Connector listening on individual ports for each web server or one Connector
for all web servers?

Apache 2.0.59
mod_jk 1.2.18
Tomcat 5.5.17

Thanks in advance

J





Applet not initiated

2007-03-24 Thread Tomcat

Hello

When I am trying to open a very simple applet on my browser
it returns applet not initiated or failed to load applet.

class file is located in tomcat WEB_INF/classes and I am calling it from
ROOT directory and through index.html file.

thanks for help

Adam





Re: Applet not initiated

2007-03-26 Thread Tomcat

Hello Rashmi,

Thanks for response,

I put the class file in the ROOT directory, the same place where my html file exists, but still have the same problem.

Is it possible that the classpath should include that class location so that the computer's JVM recognizes the place where the class exists?
Also, I found a document that says the codebase tag should contain the directory where the classes are located and the code tag should contain the class name but without class.

your help will be highly appreciated.


Rashmi Rubdi wrote:

Place your Applet's class file anywhere but the WEB-INF folder,
because WEB-INF folder is protected from client/browser's access,
applet classes can't be accessed if they are under WEB-INF.

Also use jsp:plugin tag , if you are accessing the Applet from a JSP 
file.


-Rashmi

On 3/25/07, Tomcat [EMAIL PROTECTED] wrote:

class file is located in tomcat WEB_INF/classes and I am calling it from
ROOT directory and through index.html file.






session time out

2007-04-30 Thread Tomcat

Hello

Does the application's WEB-INF/web.xml override the default conf/web.xml setting?
Specifically session time out, but I want to know if other settings are overridden.

and can we disable this through server.xml ?

Thanks
Adam




Re: session time out

2007-04-30 Thread Tomcat

Hello Martin,

my main question was :
Does application WEB-INF/web.xml override default conf/web.xml setting?

I mean, in a container containing several applications, can each of them set the session time out in their /WEB-INF/web.xml, and does that override the default setting which is set in /conf/web.xml?


Cheers
Adam


Martin Gainty wrote:

On the Connector you can set
connectionTimeout = 0 for indefinite timeout

also a keepAliveTimeout on the Sender which I believe defaults to 60 sec
http://tomcat.apache.org/tomcat-5.5-doc/cluster-howto.html

also a tcpSelectorTimeout on the Receiver which I believe defaults to 
100 sec


web.xml (webapp) specific
   <session-config>
      <session-timeout>30</session-timeout>
   </session-config>

HTH
M

- Original Message - From: Tomcat [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, April 30, 2007 10:27 AM
Subject: session time out



Hello

Does the application's WEB-INF/web.xml override the default conf/web.xml setting?
Specifically session time out, but I want to know if other settings are overridden.

and can we disable this through server.xml ?

Thanks
Adam




Suspected mod_jk connection problems

2007-05-17 Thread tomcat

Hello All,

I have a server that is not too heavily trafficked (yet!) that, to the user, appears to hang on pages. This appears to be happening most often to users outside my network, as it has not been encountered by our developers unless they are working from home.


I am not seeing any network issues, internally, but I do see these 
errors in my jk.log quite a lot:


[error] ajp_service::jk_ajp_common.c (1659): Client connection 
aborted or network problems


I've looked this error up in my search engines with no hits. Any 
suggestions on what to look for or how to clear this up?


Configuration:
CentOS 4.4
Apache 2.0.52
Jakarta-Tomcat 5.5.7
mod_jk-1.2.8

Thanks,
Glenn





Re: Suspected mod_jk connection problems

2007-05-18 Thread tomcat





Hello All,

I have a server that is not too heavily trafficked (yet!) that, to the user, appears to hang on pages. This appears to be happening most often to users outside my network, as it has not been encountered by our developers unless they are working from home.


I am not seeing any network issues, internally, but I do see these 
errors in my jk.log quite a lot:


[error] ajp_service::jk_ajp_common.c (1659): Client connection 
aborted or network problems


I've looked this error up in my search engines with no hits. Any 
suggestions on what to look for or how to clear this up?


Configuration:
CentOS 4.4
Apache 2.0.52
Jakarta-Tomcat 5.5.7
mod_jk-1.2.8

Thanks,
Glenn

At 05:41 PM 5/17/2007, you wrote:

I used to work with a Sys Admin whose expertise was changing the sys admin password; when asked about issues such as interconnecting thru Pix he would say let me get back to you.. it sounds like this sys admin is working for you now

Anyway here is a quick tutorial on configuring pix
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch02_:_Introduction_to_Networking
You'll have to do some fun things like setting up arp tables and such
This will guarantee that IP x.x.x.x:PortX will be forwarded to y.y.y.y:PortY
the other thing that you can do is open up your subnet mask which is 
probably set to something massively restrictive like 255.255.255.254

HTH/


I am the systems administrator. I generally build/install maintain 
the systems that my developers deploy on. Since this looks more like 
a network problem (to management), I've been tasked to solve the 
problem. However, it looks more like a Tomcat connector problem since 
I have not found any obvious network errors.


One important note: I am using multiple virtual ethernet ports to 
support multiple SSL certs on this machine and I think that this 
could be part of the problem.


This is a single Apache/mod_jk/Tomcat server with Apache handling 
port 80 and Tomcat on port 8009. I am also seeing:


mod_jk: Error flushing \n

errors in my Apache error log. I have read that updating the mod_jk 
may solve this problem, but I have not tied the two problems as a 
cause/effect of the other.


Any further comments or suggestions would be kindly appreciated.

Thanks,
Glenn  






Re: I've been trying to unsubscribe from this list for years.

2007-05-18 Thread tomcat

At 11:48 PM 5/17/2007, you wrote:


When you send an email to [EMAIL PROTECTED] add the word
Unsubscribe to the email's subject and body, that worked for me when I
was trying to switch my e-mails.

I think it sends you an additional e-mail to confirm unsubscription,
reply to that one as well.

Then you should receive a final email with something like good bye
in the subject.

-Rashmi

On 5/17/07, Keith Adams [EMAIL PROTECTED] wrote:
No matter how many times I send a blank email to: 
[EMAIL PROTECTED], like the one I sent at 11.19 
Eastern this morning, nothing happens. I use a rule to delete them 
permanently when I'm in Outlook, but when I use my company's web 
outlook, it can only move them to the deleted-items folder, which 
rapidly fills up, making it very hard for me to find things in 
there if I need to.


Please help. Thanks,

Keith


I had a broken mail account that was subscribed to this list and that 
I could not reply from.


I successfully unsubscribed yesterday by sending to:
[EMAIL PROTECTED]

I replied from a different account and it worked!

Cheers! 






war file name

2007-05-29 Thread Tomcat

Hello

There is a directive in server.xml or the context file which forces us to have the war file name be the same as the context file or the same as the name of the directory into which the war file is unpacked. Would you please let me know which directive it is?

Thanks
Adam





ajp advantages over http connector

2007-06-09 Thread Tomcat

Hello

is there any advantage using ajp over http connector ?
what are those advantages?

Cheers
Adam





Tomcat 6.0.20 unable to create new native thread

2010-05-19 Thread tomcat
Hi all,

we have a problem with our tomcat 6.0.20 which throws occasionally the 
following exception:
java.lang.OutOfMemoryError: unable to create new native thread
 
Information about the system:
- Win2003 Server Standard Edition 32 bit
- 2GB RAM
- Apache 2.2.13 with open SSL and mod_jk 1.2.28 for the communication with 
tomcat
- 2 instances of tomcat 6.0.20 on different ports. No redundancy / clustering. 
Each tomcat serves different webapps.
- JDK 1.6.0_06

Only one tomcat throws the above noted exception.

Configuration-Details:
- Tomcat 1 (with the problem)
   - MaxPermSize=256m
   - JvmMs 128 
   - JvmMx 768
   - maxThreads for HTTP: 450
   - maxThreads for jk: 3000

- Tomcat 2 (no problem yet)
   - MaxPermSize=256m
   - JvmMs 128 
   - JvmMx 512
   - MaxThreads for HTTP: 800
   - MaxThreads for jk: 450

When Tomcat 1 was throwing the exception the server status was showing the 
following:
   - mem Free  116 MB
   - mem Total 242 MB
   - mem Max   739 MB
   - current Thread jk    355
   - busy Thread jk       333
   - current Thread HTTP  5
   - busy Thread HTTP     3

   - all connections shown by netstat -an (not filtered): 4595
   - connections in state close_wait: 3152

The tomcat was not totally stuck. Already connected sessions seemed to have no problem, but new sessions (new login) threw the exception and could not be created. The Taskmanager shows that all in all 1.39 GB of RAM are used - much below the 2GB limit.

On the other hand: Shouldn't  windows start to swap if the ram is full?

In which memory-area does windows handle the memory which is used for the 
threads? Is it shown in the taskmanager?

Can the OS take the mem which is still unused by the JVM (memMax-memTotal) for 
handling threads or is it reserved for the JVM after starting tomcat?


Due to problems with one of our webapps which sometimes does not close the 
threads completely (they stuck in close_wait-state) we increased the max 
threads of windows:

http://publib.boulder.ibm.com/infocenter/pvcvoice/51x/index.jsp?topic=/com.ibm.websphere.wvs.doc/wvs/tun_conwin.html

maxUserPorts has been set to about 30k if I remember correctly.

Does anyone have an idea to get rid of the exception?

kind regards,
Andreas



Tomcat latency

2011-05-23 Thread tomcat

Hello:

I have a problem where a simple wget call to docs/config/valve.html can 
sometimes take up to 15 seconds to process.


I have a script that does a wget call to valve.html every 5 seconds. 
Most of the time it's fast. However, today in the past 6 hours I had 13 
cases where it took over 3 seconds for wget to return valve.html. This 
is happening across 7 servers pretty consistently and I can't figure out 
why. Any suggestions to help me narrow down the problem?


I'm going to modify the script to check disk i/o and load when the 
problem happens. Normally these numbers are sane with upwards of ~60% 
disk utilization load of ~2.


Dual processor Intel(R) Xeon(R) CPU X5680  @ 3.33GHz.

The stats right now.

top - 22:42:34 up 26 days,  7:17,  1 user,  load average: 1.64, 1.31, 1.03
Tasks: 115 total,   1 running, 114 sleeping,   0 stopped,   0 zombie
Cpu(s): 11.7%us,  1.1%sy,  0.0%ni, 56.3%id, 30.7%wa,  0.0%hi,  0.2%si,  0.0%st
Mem:   8197432k total,  8146536k used,    50896k free,     3212k buffers
Swap: 18723708k total,   397296k used, 18326412k free,   683448k cached

iostat -xd
Device:  rrqm/s  wrqm/s    r/s   w/s   rsec/s  wsec/s avgrq-sz avgqu-sz  await  svctm  %util
sda        4.22   29.23  77.11  1.75  1833.10  247.79    26.39     1.04  13.16   5.60  44.20
sdb        0.00    0.00   0.00  0.00     0.00    0.00    39.37     0.00   2.83   2.39   0.00



Ubuntu 9.10

/opt/tomcat6/bin/version.sh
Using CATALINA_BASE:   /opt/tomcat6
Using CATALINA_HOME:   /opt/tomcat6
Using CATALINA_TMPDIR: /opt/tomcat6/temp
Using JRE_HOME:        /usr/lib/jvm/java-6-sun/jre
Server version: Apache Tomcat/6.0.20
Server built:   May 14 2009 01:13:50
Server number:  6.0.20.0
OS Name:        Linux
OS Version:     2.6.31-14-server
Architecture:   amd64
JVM Version:    1.6.0_22-b04
JVM Vendor:     Sun Microsystems Inc.






Re: starting tomcat

2014-06-11 Thread tomcat

Check whether this file C:\Users\francesco\.keystore exists or not.

On 11 June 2014, at 9:30 PM, Francesco Viscomi fvisc...@gmail.com wrote:

 C:\Users\francesco\.keystore 



Re: httpd 2.2 +mod-jk1.2.37+ tomcat 7.0.28 (debian package)

2015-10-21 Thread tomcat

On 20.10.2015 00:13, J Lopez wrote:

Hi all,

   is it possible to filter 404 application errors taking into account
content-type besides the http return code in the jk configuration?
   I need to differentiate between the application not being deployed/executing (http
404 content-type html) and the application running and returning a 404 json
response (content-type json)

   I have put mod-jk in debug mode and content-type is shown in the logs. I
have not seen in the documentation whether a fail_on_status can be combined with
the content-type returned.


[...]

I have not seen this in the documentation either, and it does not look like this feature 
is available.


But if I understand correctly, you have 2 cases of 404 :

1) if the application is for Tomcat "not there" (meaning for example it is not deployed at 
that particular moment), then Tomcat itself returns a 404.

2) if the application is there and working, in some cases it returns a 404 
itself.

And for some reason, you want to distinguish these 2 cases.

(It would help to know why, and at what level you want to distinguish this)

But let's suppose that the application is normally installed at (tomcat)/webapps/app1, and 
responds to URLs like "/app1/*".


If the "/webapps/app1" application is not there, then Tomcat will try to map this to the 
default application, "/webapps/ROOT/app1/*".  Then it will probably not find it there 
either, and return a 404 response.


If the application is there, then Tomcat will (successfully) map the call to 
"/webapps/app1/*", and the application will respond. And, maybe, it will sometimes respond 
with a 404.


So two possible solutions :
1) change the application, so that in such a case, it responds with something 
else than 404.
2) install something in /ROOT, which will catch everything that gets there, and respond 
with something else than 404.
That supposes of course that you do not previously have a default application under 
/webapps/ROOT.








Re: httpd 2.2 +mod-jk1.2.37+ tomcat 7.0.28 (debian package)

2015-10-22 Thread tomcat

On 21.10.2015 19:47, André Warnier (tomcat) wrote:

On 20.10.2015 00:13, J Lopez wrote:

Hi all,

   is it possible to filter 404 application errors taking into account
content-type besides the http return code in the jk configuration?
   I need to differentiate between the application not being deployed/executing (http
404 content-type html) and the application running and returning a 404 json
response (content-type json)

   I have put mod-jk in debug mode and content-type is shown in the logs. I
have not seen in the documentation whether a fail_on_status can be combined with
the content-type returned.


[...]

I have not seen this in the documentation either, and it does not look like 
this feature
is available.

But if I understand correctly, you have 2 cases of 404 :

1) if the application is for Tomcat "not there" (meaning for example it is not 
deployed at
that particular moment), then Tomcat itself returns a 404.
2) if the application is there and working, in some cases it returns a 404 
itself.

And for some reason, you want to distinguish these 2 cases.

(It would help to know why, and at what level you want to distinguish this)

But let's suppose that the application is normally installed at 
(tomcat)/webapps/app1, and
responds to URLs like "/app1/*".

If the "/webapps/app1" application is not there, then Tomcat will try to map 
this to the
default application, "/webapps/ROOT/app1/*".  Then it will probably not find it 
there
either, and return a 404 response.

If the application is there, then Tomcat will (successfully) map the call to
"/webapps/app1/*", and the application will respond. And, maybe, it will sometimes respond
with a 404.

So two possible solutions :
1) change the application, so that in such a case, it responds with something 
else than 404.
2) install something in /ROOT, which will catch everything that gets there, and 
respond
with something else than 404.
That supposes of course that you do not previously have a default application 
under
/webapps/ROOT.




Addendum :
The above suggests a (possible) way to do this at the Tomcat level.
But you also mention "mod_jk", which implies that you have Apache httpd acting as a 
front-end to Tomcat and this application.


You could also do this at the Apache httpd level.
For Apache httpd, mod_jk (and all that is behind it, but that Apache httpd does not know 
or care about) is seen as the "application", which generates the HTTP response.
To filter such a response and possibly modify it before it goes back to the client, you 
would have to use an "output filter" at the Apache httpd level.

Start from here : http://httpd.apache.org/docs/2.2/filter.html

But again, you did not really indicate the level at which you need this, or for what 
ultimate purpose, so it is not easy to recommend a "better" solution.
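
The "install something in /ROOT" suggestion from this thread, as an added example that is not code from the thread or from the Tomcat project: a catch-all servlet for the ROOT webapp that answers every request reaching it with a status other than 404. The class and package names, the choice of 503, and the headers are assumptions; the thread only says "something else than 404".

```java
package example.root; // hypothetical package name

import java.io.IOException;

import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Catch-all for webapps/ROOT. Tomcat maps a request for "/app1/..." to ROOT
 * when no webapp is deployed at /app1, so anything arriving here means
 * "application not deployed", and it gets a 503 instead of Tomcat's own 404.
 * A 404 produced by the running application is left untouched, which lets
 * the front end tell the two cases apart by status code alone.
 *
 * Assumptions:
 *  - Servlet 3.0 annotations are scanned (Tomcat 7, ROOT not metadata-complete).
 *  - ROOT holds nothing else: the "/*" mapping shadows static files and JSPs.
 *  - On the mod_jk side the worker can then use the fail_on_status directive
 *    mentioned in the thread, e.g. worker.<name>.fail_on_status=503
 *    (<name> is a placeholder for the worker's name).
 */
@WebServlet(name = "NotDeployedServlet", urlPatterns = "/*")
public class NotDeployedServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /** Assumed status for "no such webapp"; any non-404 value would work. */
    static final int NOT_DEPLOYED_STATUS = HttpServletResponse.SC_SERVICE_UNAVAILABLE;

    /** Upper bound on how much of the request URI is written to the log. */
    static final int MAX_LOGGED_URI = 200;

    /** Overriding service() handles GET, POST, PUT, DELETE, ... alike. */
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Log the path for troubleshooting, but never echo it to the client:
        // the URI is attacker-controlled input.
        log("no webapp deployed for " + sanitize(req.getRequestURI()));

        resp.setStatus(NOT_DEPLOYED_STATUS);
        resp.setHeader("Retry-After", "30");        // hint for well-behaved clients
        resp.setHeader("Cache-Control", "no-store"); // keep proxies from caching the outage
        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");
        // Fixed body: no version banner, no stack trace, no reflected input.
        resp.getWriter().println("Application not available");
    }

    /** Replaces control characters and truncates, so a crafted URI cannot forge log lines. */
    static String sanitize(String uri) {
        if (uri == null) {
            return "";
        }
        int limit = Math.min(uri.length(), MAX_LOGGED_URI);
        StringBuilder sb = new StringBuilder(limit);
        for (int i = 0; i < limit; i++) {
            char c = uri.charAt(i);
            sb.append(c < 0x20 || c == 0x7f ? '?' : c);
        }
        return sb.toString();
    }
}
```

Compiled against the Servlet 3.0 API, the class goes under webapps/ROOT/WEB-INF/classes/example/root/.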







Re: [ANN] New committer: Ognjen Blagojevic

2015-10-26 Thread tomcat

On 24.10.2015 15:58, Mark Thomas wrote:

On behalf of the Tomcat committers I am pleased to announce that
Ognjen Blagojevic (ognjen) has been voted in as a new Tomcat committer.



Welcome, Ognjen.






Re: ClientAbortException: java.io.IOException: Failed to send AJP message

2015-10-27 Thread tomcat

On 27.10.2015 10:46, Yogesh Patel wrote:

Ok Thanks,

My Tomcat version is : 7.0.47

Error stack trace is below:

"

org.apache.catalina.core.StandardWrapperValve.invoke:Line 211 -
ClientAbortException:  java.io.IOException: Failed to send AJP message
at 
org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:406)
at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:342)
at 
org.apache.catalina.connector.OutputBuffer.writeBytes(OutputBuffer.java:431)
at 
org.apache.catalina.connector.OutputBuffer.write(OutputBuffer.java:419)
at 
org.apache.catalina.connector.CoyoteOutputStream.write(CoyoteOutputStream.java:91)
at

"


Thanks, much more readable.

Previously, you wrote :
"In our case user is downloading the document and got message like "document
is deleted or moved" and tomcat has log like "ClientAbortException:
java.io.IOException: Failed to send AJP message""

But, the error message above still means, at the bottom, that Tomcat is trying to still 
send some bytes to the client, but the connection with the client is not there anymore, so 
it cannot send this..


The connection is as follows :

browser <-- (1) HTTP(S) --> Apache httpd + proxy module <-- (2) AJP --> Connector> +  + .


where "proxy module" is either mod_jk or mod_proxy_ajp.

So we have to assume that :
- when Tomcat + application writes to the client "document has moved..", the whole 
connection (1+2) is still there (because the client sees the message)
- but by the time Tomcat writes this error to its logfile, the AJP connection (2) between 
Tomcat and Apache httpd has been dropped;
It is dropped by the proxy module within Apache; and this is probably because the 
corresponding HTTP connection (1) between the browser and Apache httpd has been dropped. 
And this is probably - as someone else already mentioned - because in the meantime, the 
human at the browser side has decided to click away onto another page.


Humans are relatively slow in computer terms. So if they manage to click somewhere else 
between the moment at which they receive the part about the document having been moved, 
and whatever else the Tomcat application is still trying to send to them afterward, there 
must be a considerable delay somewhere at the application level, between the moment it 
sends the "document moved" response part, and the moment it tries to send some additional 
response part.
That is probably what you should be looking at here : what is it that it cannot send 
anymore, and why is it that there is such a delay between the "document moved" part and 
this second part. What is the application doing in the meantime ?


Of course, the problem, if it is occasional, could also be due to a bad network connection 
somewhere..















On 27 October 2015 at 14:59, André Warnier (tomcat) <a...@ice-sa.com> wrote:


Yogesh,

1) please follow the rules of this list, and don't "top-post" :
http://tomcat.apache.org/lists.html#tomcat-users  #6
2) please follow the rules of this list, and post your messages as plain
text :
http://tomcat.apache.org/lists.html#tomcat-users #7

As you can see below, what you are sending comes here as an unreadable
blob, and that makes it all the more difficult and demotivating for anyone
wanting to help you.



On 27.10.2015 06:47, Yogesh Patel wrote:


Tomcat 7:

INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cms][
ajp-apr-10161-exec-282][2015-10-20 10:02:59,673]-
org.apache.catalina.core.
StandardWrapperValve.invoke:Line 211 - ClientAbortException: java.io.
IOException: Failed to send AJP message at org.apache.catalina.connector..
OutputBuffer.realWriteBytes(OutputBuffer.java:406) at
org.apache.tomcat.util
.buf.ByteChunk.append(ByteChunk.java:342) at
org.apache.catalina.connector.
OutputBuffer.writeBytes(OutputBuffer.java:431) at org.apache.catalina.
connector.OutputBuffer.write(OutputBuffer.java:419) at
org.apache.catalina.
connector.CoyoteOutputStream.write(CoyoteOutputStream.java:91) at com.os..
gfnactions.contentmanager.document.documentDownload.
finalDocumentDownloadProcess(documentDownload.java:140) at sun.reflect.
GeneratedMethodAccessor8388.invoke(Unknown Source) at sun.reflect.
DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at
java.lang.reflect.Method.invoke(Method.java:606) at
com.opensymphony.xwork2.
DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:450) at
com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(
DefaultActionInvocation.java:289) at com.opensymphony.xwork2.
DefaultActionInvocation.invoke(DefaultActionInvocation.java:252) at com.
opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(
ExceptionMappingInterceptor.java:189) at com.opensymphony.xwork2.
DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) at org.
apache.s

Re: ClientAbortException: java.io.IOException: Failed to send AJP message

2015-10-27 Thread tomcat

Yogesh,

1) please follow the rules of this list, and don't "top-post" :
http://tomcat.apache.org/lists.html#tomcat-users  #6
2) please follow the rules of this list, and post your messages as plain text :
http://tomcat.apache.org/lists.html#tomcat-users #7

As you can see below, what you are sending comes here as an unreadable blob, and that 
makes it all the more difficult and demotivating for anyone wanting to help you.



On 27.10.2015 06:47, Yogesh Patel wrote:

Tomcat 7:

INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cms][
ajp-apr-10161-exec-282][2015-10-20 10:02:59,673]- org.apache.catalina.core.
StandardWrapperValve.invoke:Line 211 - ClientAbortException: java.io.
IOException: Failed to send AJP message at org.apache.catalina.connector.
OutputBuffer.realWriteBytes(OutputBuffer.java:406) at org.apache.tomcat.util
.buf.ByteChunk.append(ByteChunk.java:342) at org.apache.catalina.connector.
OutputBuffer.writeBytes(OutputBuffer.java:431) at org.apache.catalina.
connector.OutputBuffer.write(OutputBuffer.java:419) at org.apache.catalina.
connector.CoyoteOutputStream.write(CoyoteOutputStream.java:91) at com.os.
gfnactions.contentmanager.document.documentDownload.
finalDocumentDownloadProcess(documentDownload.java:140) at sun.reflect.
GeneratedMethodAccessor8388.invoke(Unknown Source) at sun.reflect.
DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at
java.lang.reflect.Method.invoke(Method.java:606) at com.opensymphony.xwork2.
DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:450) at
com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(
DefaultActionInvocation.java:289) at com.opensymphony.xwork2.
DefaultActionInvocation.invoke(DefaultActionInvocation.java:252) at com.
opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(
ExceptionMappingInterceptor.java:189) at com.opensymphony.xwork2.
DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) at org.
apache.struts2.interceptor.DeprecationInterceptor.intercept(
DeprecationInterceptor.java:41) at com.opensymphony.xwork2.
DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) at org.
apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(
DebuggingInterceptor.java:256) at com.opensymphony.xwork2.
DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) at com.
opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(
DefaultWorkflowInterceptor.java:167) at com.opensymphony.xwork2.interceptor.
MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98) at com.
opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.
java:246) at com.opensymphony.xwork2.validator.ValidationInterceptor.
doIntercept(ValidationInterceptor.java:265) at org.apache.struts2.
interceptor.validation.AnnotationValidationInterceptor.doIntercept(
AnnotationValidationInterceptor.java:68) at com.opensymphony.xwork2.
interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:
98) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(
DefaultActionInvocation.java:246) at com.opensymphony.xwork2.interceptor.
ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:138) at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(
DefaultActionInvocation.java:246) at com.opensymphony.xwork2.interceptor.
ParametersInterceptor.doIntercept(ParametersInterceptor.java:249) at com.
opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(
MethodFilterInterceptor.java:98) at com.opensymphony.xwork2.
DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) at com.
opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(
ParametersInterceptor.java:249) at com.opensymphony.xwork2.interceptor.
MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98) at com.
opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.
java:246) at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor
.intercept(StaticParametersInterceptor.java:191) at com.opensymphony.xwork2.
DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) at org.
apache.struts2.interceptor.MultiselectInterceptor.intercept(
MultiselectInterceptor.java:73) at com.opensymphony.xwork2.
DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) at org.
apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor
.java:91) at com.opensymphony.xwork2.DefaultActionInvocation.invoke(
DefaultActionInvocation.java:246) at org.apache.struts2.interceptor.
FileUploadInterceptor.intercept(FileUploadInterceptor.java:252) at com.
opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.
java:246) at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.
intercept(ModelDrivenInterceptor.java:100) at com.opensymphony.xwork2.
DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) at com.
opensymph

Re: AW: Suppress or replace WWW-Authorization header

2015-10-28 Thread tomcat

Hi.

on this list, as per http://tomcat.apache.org/lists.html#tomcat-users  #6 ,
it is preferred if you respond below the question being asked (or the previous response) 
rather than on top.
(The main reason being that it is easier that way to follow the normal gist of the 
conversation, rather than having to scroll back and forth to figure out what you are 
responding to.)


On 28.10.2015 13:19, Torsten Rieger wrote:

I have a legacy java-SOAP-client that only supports BASIC authentication
(send the Authorization: Basic... header) and an AngularJS application that
consumes a REST-service (also sending the Authorization: Basic header).

The server supports two kinds of deployment: Standalone with an embedded
Jetty-server and as war-file for app-servers (most of them are
tomcat-server). I try to suppress the browser BASIC-login-dialog for the
REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to find a
solution for the deployment on tomcat servers.



Can you copy and paste here the WEB-INF/web.xml of that server application ?
(remove any sensitive data).

There is probably a way to do this via configuration in Tomcat (I haven't looked it up), 
but you could also have a look at a standard workhorse for this kind of thing : the 
UrlRewriteFilter (http://tuckey.org/urlrewrite/). It might provide a way to do this.

(I have not really checked it either, but this looks promising :
http://cdn.rawgit.com/paultuckey/urlrewritefilter/master/src/doc/manual/4.0/index.html#outbound-rule
See the  response-header part.
)


Rewrite (unset header in responses) with an apache proxy in front of the
tomcat is unfortunately not a solution I can implement.

So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.


One thing which is still not clear : do you really want to remove/replace that header, or 
do you just want that this application would not request authentication at all ?

(Then there would be no need to play with the 401 header, because there would 
never be one).



-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, 28 October 2015 10:26
To: users@tomcat.apache.org
Subject: Re: Suppress or replace WWW-Authorization header

Hi.

On 28.10.2015 09:36, Torsten Rieger wrote:

Hi,



I try to suppress the browser login-dialog on basic authentication
(basic is a legacy requirement), how can I do that? Filters are called
after login on the container, right?



I am not sure that I understand exactly what you mean here, and I certainly
do not understand the purpose of what you are trying to do, but here is some
information that may help :

The general authentication logic in HTTP works (roughly) as follows :

1) the browser sends a request to the server, for some resource (HTML page
or else)
2) the server checks if access to the requested resource requires
authentication/authorization.
If not, go to 8
3) (if yes) : the server checks if the request already contains an
authentication of the required type, and if yes, if it is valid.
If yes, go to 8
4) (if not) : the server returns a status code 401 (authorization required)
to the browser, along with *the kind of authentication* required (this is
defined in the server configuration for that resource)
5) the browser obtains the required authentication credentials (in a way
which depends on the type of AAA required)
6) the browser repeats the request to the server, this time providing the
required credentials, in the form corresponding to what the server indicated
in (4).
7) back to (2) above.

8) the server returns the requested resource.

Now your case is apparently so that at step (4) above, the 401 response that
the server sends back to the browser, specifies "HTTP Basic" as the
requested form of authentication/credentials.
In such a case, the browser (all browsers), at step (5), *will* popup a
Basic authentication dialog, and there is nothing that you can do about it.
It is a behaviour that is built-in in all browsers, and it is what is
expected of them.
(In other words also, this dialog is not something that is sent by the
server, so you cannot "filter it out").

The only way to avoid such a dialog in the browser, is at the level of the
server, ensuring that the 401 responses do not specify "Basic" as the
requested authentication method.

If the above does not answer your question, please provide more details
about what you are trying to do, and the purpose of it.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


Re: AW: Suppress or replace WWW-Authorization header

2015-10-29 Thread tomcat

On 29.10.2015 10:12, chris derham wrote:

Torsten,

Add an interceptor to AngularJS to detect the 401 and do whatever you
want, e.g. redirect to a login page. Then when you have the
credentials, submit to login rest api, get a token, and then make all
other calls passing this token.

There are loads of examples on how to do this on the internet. This
isn't tomcat specific.

function globalInterceptorResponse($injector, $q) {
    return {
        'response': function (response) {
            return response;
        },
        'responseError': function (rejection) {
            switch (rejection.status) {
                // ...
                case 401:
                    console.warn("Hit 401 - redirecting to login");
                    window.location = '/login';
                    break;
                // ...
                default:
                    console.warn(rejection);
            }
            return $q.reject(rejection);
        }
    };
}
globalInterceptorResponse.$inject = ['$injector', '$q'];

then in request config,

$httpProvider.interceptors.push(globalInterceptorResponse);


This won't work because the application doesn't get a chance to do
anything until Tomcat completes its authentication/authorization work.
If the application were handling the authentication/authorization, then
the original Filter would have worked.

-chris


Chris,

I think that you thought the above was server-side java code. The
above was javascript code that runs in the browser. It does work - I
copied it from a project I am working on now.



Hi.

I will not dispute the fact that this solution works for you, and that it could also work 
for Torsten. And I must say that it looks elegant, from a javascript point of view.


I will just submit a personal opinion, based on long experience, that says that any 
solution (for this kind of interacting-with-servers issue) which is browser-based, is 
always more fragile and inherently more unstable, than a solution based on normal HTTP 
interactions and implemented at the server side. (*)
There are always little differences among browsers and browser versions, as to how they 
handle javascript code. And there are many things that a user can do with his browser, 
that can interfere with such things.

And problems on that side will always be very time-consuming to identify and 
debug.
A server-side, protocol-compliant solution on the other hand, will work with any 
HTTP-compliant browser (which does not necessarily include all versions of Internet 
Explorer), and be a lot easier to maintain.


End of opinion.

(*) with an exception for all the marvelous things which you can do with tools like 
jQuery, when used judiciously at the level of the browser-side presentation and user 
interaction.








Re: AW: Suppress or replace WWW-Authorization header

2015-10-28 Thread tomcat

On 28.10.2015 15:39, Christopher Schultz wrote:

Torsten,

On 10/28/15 8:19 AM, Torsten Rieger wrote:

I have a legacy java-SOAP-client that only supports BASIC authentication
(send the Authorization: Basic... header) and a AngularJS application that
consumes a REST-service (also sending the Authorization: Basic header).

The server supports two kinds of deployment: Standalone with an embedded
Jetty-server and as war-file for app-servers (most of them are
tomcat-server). I try to suppress the browser BASIC-login-dialog for the
REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to find a
solution for the deployment on tomcat servers.

Rewrite (unset header in responses) with an apache proxy in front of the
tomcat is unfortunately not a solution I can implement.

So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.


So you just want to disable HTTP BASIC authentication? Why not just
remove the  from web.xml and disable authentication entirely?

Are you saying that when you connect using a REST client, the client
shows a login dialog in a web browser? That sounds ... weird. The REST
client should see the WWW-Authenticate header and either (a) fail or (b)
re-try with credentials you have provided to it.



Yes, but if the SOAP-client is an applet in the browser, chances are that in order to 
collect the user credentials that it needs, it uses the internal browser mechanism, which 
pops up the dialog to obtain these user credentials.

So not so weird necessarily.






Re: servlet filter not working over virtual directories in tomcat

2015-10-24 Thread tomcat

On 24.10.2015 05:11, Pradyut Bhattacharya wrote:


The URL pattern therefore needs to be "/*"


Could not do anything with the above statement. Maybe an example could suffice.


Then maybe try this :

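Instead of :

 <filter-mapping>
   <filter-name>dir_filter</filter-name>
   <url-pattern>/web/*</url-pattern>
 </filter-mapping>

try :

 <filter-mapping>
   <filter-name>dir_filter</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>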

Explanation : in  and , the  is *relative to 
the webapp context*. In your case, because of the way you have configured this, the webapp 
has a context of "/TestApp/web". Therefore, if you want the filter to apply to everything 
under "/TestApp/web", you have to map it to "/*".

So that, in URL-space, it will apply to "/TestApp/web/*".

The way you originally mapped it above, it would apply to "/TestApp/web/web/*", which is 
why it seemed not to be working.  The filter was there, but never invoked, because there 
was never any request URL matching "/TestApp/web/web/*".


Clearer ?

Note that this is the same as what Mark was saying, only in many more words.







Re: Java 7 and 8 features

2015-10-27 Thread tomcat

On 27.10.2015 17:01, Vinicius Corrêa de Almeida wrote:

I analyzed some releases and I noticed that they are not using Java 7 features like
multi catch, and in Java 8 do not use lambda expressions and other
features, so I came by this email to know why the developers are not using these
features?



I believe that you are asking the wrong question.

As per this page : http://tomcat.apache.org/whichversion.html

"Apache Tomcat™ is an open source software implementation of the Java Servlet and 
JavaServer Pages technologies."


In other words, Tomcat is not an implementation of any specific Java version.
If, to fulfill its target of implementing some specific version of the Java Servlet and 
JavaServer Pages technologies, it was necessary for running Tomcat code to use a certain 
minimum version of the Java JVM, then so be it, and the page above would mention that (and 
it does).
But that does not mean that every feature available in such a version of the Java JVM 
/must/ necessarily be used by Tomcat.







Re: AW: Suppress or replace WWW-Authorization header

2015-10-28 Thread tomcat

On 28.10.2015 16:55, chris derham wrote:

No, container BASIC authentication should be enabled, the container should
handle the authentication, but the browser should not show his ugly default
login dialog when I request resources from the REST-service with wrong
credentials.
When the REST-client (web-application in the browser) receives a failed
login with a WWW-Authenticate header, the default dialog of the browser will
be shown... that’s what I want to suppress.

When I remove the (a)  or (b)   sending requests
with credentials will not work anymore (a: 403 forbidden; b: deployment
fails). But that's not a solution because the rest-service should be still
protected and I need to authenticate via "Authentication: Basic ."
header send credentials, but I don't want to show the ugly browser-dialog to
the users.

Using a AngularJS Client with REST-services based on tomcat should be a
common use-case, it could not be that I'm the first one who wants a custom
login-screen. :-/

-torsten


Torsten,

Add an interceptor to AngularJS to detect the 401 and do whatever you
want, e.g. redirect to a login page. Then when you have the
credentials, submit to login rest api, get a token, and then make all
other calls passing this token.

There are loads of examples on how to do this on the internet. This
isn't tomcat specific.

function globalInterceptorResponse($injector, $q) {
    return {
        'response': function (response) {
            return response;
        },
        'responseError': function (rejection) {
            switch (rejection.status) {
                // ...
                case 401:
                    console.warn("Hit 401 - redirecting to login");
                    window.location = '/login';
                    break;
                // ...
                default:
                    console.warn(rejection);
            }
            return $q.reject(rejection);
        }
    };
}
globalInterceptorResponse.$inject = ['$injector', '$q'];

then in request config,

$httpProvider.interceptors.push(globalInterceptorResponse);


Chris



What is maybe not totally clear for the OP above, is that the above is done at the level 
of the client (browser).  Not at the tomcat level.


(Which is maybe also why Torsten did not find anything when he previously searched the web 
: he was searching with the wrong keywords).







Re: AW: AW: Suppress or replace WWW-Authorization header

2015-10-28 Thread tomcat

On 28.10.2015 17:42, Torsten Rieger wrote:

-Original Message-
From: Aurélien Terrestris [mailto:aterrest...@gmail.com]
Sent: Wednesday, 28 October 2015 16:45
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: AW: Suppress or replace WWW-Authorization header

You can choose between a pop-up or an HTML FORM

This one looks like this in web.xml :

   <login-config>
     <auth-method>FORM</auth-method>
     <realm-name>webapp global realm</realm-name>
     <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/error_login.jsp</form-error-page>
     </form-login-config>
   </login-config>




2015-10-28 16:28 GMT+01:00 Torsten Rieger <torsten.rie...@promatis.de>:


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, 28 October 2015 15:39
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: AW: Suppress or replace WWW-Authorization header

Torsten,

On 10/28/15 8:19 AM, Torsten Rieger wrote:

I have a legacy java-SOAP-client that only supports BASIC
authentication (send the Authorization: Basic... header) and a
AngularJS application that consumes a REST-service (also sending the
Authorization: Basic header).

The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to
find a solution for the deployment on tomcat servers.

Rewrite (unset header in responses) with an apache proxy in front of
the tomcat is unfortunately not a solution I can implement.

So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.


So you just want to disable HTTP BASIC authentication? Why not just
remove the  from web.xml and disable authentication entirely?

Are you saying that when you connect using a REST client, the client
shows a login dialog in a web browser? That sounds ... weird. The REST
client should see the WWW-Authenticate header and either (a) fail or
(b) re-try with credentials you have provided to it.

-chris


No, container BASIC authentication should be enabled, the container
should handle the authentication, but the browser should not show his
ugly default login dialog when I request resources from the
REST-service with wrong credentials.
When the REST-client (web-application in the browser) receives a
failed login with a WWW-Authenticate header, the default dialog of the
browser will be shown... that’s what I want to suppress.

When I remove the (a)  or (b)   sending
requests with credentials will not work anymore (a: 403 forbidden; b:
deployment fails). But that's not a solution because the rest-service
should be still protected and I need to authenticate via "Authentication:
Basic ."
header send credentials, but I don't want to show the ugly
browser-dialog to the users.

Using a AngularJS Client with REST-services based on tomcat should be
a common use-case, it could not be that I'm the first one who wants a
custom login-screen. :-/



Torsten,
the people answering on this list are generally competent and helpful.
But they are not magicians.  You seem (so far) to be asking something 
impossible.
1) if the server sends to the client an authentication header saying HTTP Basic, then the 
client will popup a builtin HTTP Basic dialog (which you do not want)
2) if the server sends to the client an authentication header saying something else, then 
the client cannot handle it


1 + 2 = solution impossible

You mentioned before that with another server than Tomcat, you solved this apparently 
impossible problem.  Can you tell us how ?


Or else, can you tell us which authentication methods, /apart/ from HTTP Basic, the client 
does support ?







Re: AW: AW: Suppress or replace WWW-Authorization header

2015-10-28 Thread tomcat

On 28.10.2015 17:42, Torsten Rieger wrote:

-Original Message-
From: Aurélien Terrestris [mailto:aterrest...@gmail.com]
Sent: Wednesday, 28 October 2015 16:45
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: AW: Suppress or replace WWW-Authorization header

You can choose between a pop-up or an HTML FORM

This one looks like this in web.xml :

   <login-config>
     <auth-method>FORM</auth-method>
     <realm-name>webapp global realm</realm-name>
     <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/error_login.jsp</form-error-page>
     </form-login-config>
   </login-config>




2015-10-28 16:28 GMT+01:00 Torsten Rieger <torsten.rie...@promatis.de>:


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, 28 October 2015 15:39
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: AW: Suppress or replace WWW-Authorization header

Torsten,

On 10/28/15 8:19 AM, Torsten Rieger wrote:

I have a legacy java-SOAP-client that only supports BASIC
authentication (send the Authorization: Basic... header) and a
AngularJS application that consumes a REST-service (also sending the
Authorization: Basic header).

The server supports two kinds of deployment: Standalone with an
embedded Jetty-server and as war-file for app-servers (most of them
are tomcat-server). I try to suppress the browser BASIC-login-dialog
for the REST-service-calls from AngularJS.
On Jetty I modify the 401-responses and replace the "WWW-Authenticate"
header by anything else than "BASIC" and that works, now I try to
find a solution for the deployment on tomcat servers.

Rewrite (unset header in responses) with an apache proxy in front of
the tomcat is unfortunately not a solution I can implement.

So I'm looking for a solution to remove or modify the headers in 401
responses on application server level.


So you just want to disable HTTP BASIC authentication? Why not just
remove the  from web.xml and disable authentication entirely?

Are you saying that when you connect using a REST client, the client
shows a login dialog in a web browser? That sounds ... weird. The REST
client should see the WWW-Authenticate header and either (a) fail or
(b) re-try with credentials you have provided to it.

-chris


No, container BASIC authentication should be enabled, the container
should handle the authentication, but the browser should not show his
ugly default login dialog when I request resources from the
REST-service with wrong credentials.
When the REST-client (web-application in the browser) receives a
failed login with a WWW-Authenticate header, the default dialog of the
browser will be shown... that’s what I want to suppress.

When I remove the (a)  or (b)   sending
requests with credentials will not work anymore (a: 403 forbidden; b:
deployment fails). But that's not a solution because the rest-service
should be still protected and I need to authenticate via "Authentication:
Basic ."
header send credentials, but I don't want to show the ugly
browser-dialog to the users.

Using a AngularJS Client with REST-services based on tomcat should be
a common use-case, it could not be that I'm the first one who wants a
custom login-screen. :-/

-torsten




The Problem is then, that login via "Authorization: BASIC xyz==" will not
work anymore... the legacy client is not able to handle FORM based login :-/



Torsten, let me try again another way :

1)
>> Using a AngularJS Client with REST-services based on tomcat should be
>> a common use-case, it could not be that I'm the first one who wants a
>> custom login-screen. :-/

No, you probably are not.  But *this has nothing to do with Tomcat per se*.
Any other webserver, in the same circumstances, would send a 401 back, with a request for 
HTTP Basic authentication.
If, at the server level, you configure that for this application, you want HTTP Basic 
authentication, then that is what you will get.  It is not a choice of the server, it is 
something *imposed* by the HTTP protocol.


If you want something else to happen, but still have the client be authenticated for that 
application, then you have to change the authentication method required, at the server 
level.  No way around it.


2) If the browser receives a 401 response header which indicates that the requested 
authentication method should be HTTP Basic, then it will popup its built-in HTTP Basic 
authentication popup dialog.  There is no easy way around this either, because this 
behaviour is built-in into the code of all major browsers.

(Also because the HTTP protocol says that this is what the browser should do).
If you want this to be different, then you have to find a way to modify the browser-side 
logic, so that it does not do that.  Doing this is possible, but not easy (see some of the 
other responses), and if not 

Re: AW: AW: Tomcat 6, DB2 Driver Problems

2015-10-29 Thread tomcat

On 29.10.2015 09:09, simone.rodenbach@devk.de wrote:

Hi Christopher,

I attachted some pictures of the threads.

Thx,
  Simone



Hi Simone.
Christopher is in the USA, so it will take some time before he responds.
For the sake of gaining some time however : your attachments did not make it to the list, 
which strips most attachments.

Better : use a text editor to cut and paste the stack trace right here :






-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, 28 October 2015 15:30
To: Tomcat Users List
Subject: Re: AW: Tomcat 6, DB2 Driver Problems

Simone,

On 10/28/15 4:02 AM, simone.rodenbach@devk.de wrote:

I tried to google for the driver and classloader and found nothing that helped 
me :-(



I can only provide you with this information:

I configured the datasource in the context.xml



Why are you overriding Tomcat's default DataSourceFactory with another one?


maxActive="10" minIdle="2" maxIdle="10" maxWait="1"
minEvictableIdleTimeMillis="12" timeBetweenEvictionRunsMillis="6"
username="xxx"
 password="xxx"
driverClassName="com.ibm.db2.jcc.DB2Driver"
url="xxx;"
validationQuery="select 1 from sysibm.sysdummy1" />


The spring bean



I created a test project. Because of that I'm sure that I don't start a thread.


It doesn't have to be *your code* starting the thread directly. JDBC
drivers have a habit of launching their own cleanup threads and then not
offering any interface to stop them.


But the log says:

Okt 28, 2015 8:41:15 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SCHWERWIEGEND: The web application [/test] appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.

I think this thread is started from 
org.apache.commons.dbcp.BasicDataSourceFactory.


Nope, BasicDataSourceFactory doesn't have the word "thread" anywhere in
its code:
http://svn.apache.org/viewvc/commons/proper/dbcp/tags/DBCP_1_4/src/java/org/apache/commons/dbcp/BasicDataSourceFactory.java?view=markup


I removed the db2cc4.jar to get an exception to inspect from where the driver 
is loaded and got:

  Caused by: java.lang.ClassNotFoundException: com.ibm.db2.jcc.DB2Driver
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1858)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1709)
    at org.apache.commons.dbcp.BasicDataSource.createConnectionFactory(BasicDataSource.java:1420)


That only tells you where the driver is loaded. It doesn't tell you when
the thread was launched.

After shutting-down your web application (and getting the warning about
the Timer-0 thread), can you take a thread dump and show us the stack
trace for the Timer-0 thread?

-chris







Re: Tomcat answers on port 80, not on 443

2015-10-23 Thread tomcat

On 23.10.2015 16:53, Beyer, Gregory L wrote:
...
##
# Inbound SSL Settings
##

org.apache.felix.https.enable=true
org.osgi.service.http.port.secure=443
org.apache.felix.https.keystore=E:\\Program Files\\Connector\\.keystore
org.apache.felix.https.keystore.password=REDACTED
org.apache.felix.https.keystore.key.password= REDACTED
org.apache.felix.https.truststore=C:\\Program Files\\Java\\jre1.8.0_60\\lib\\security\\cacerts

org.apache.felix.https.truststore.password= REDACTED


Question  -- Does anyone think " Program Files"  (space) above is contributing 
to the problem?



Maybe, maybe not.  It would depend on how "Felix" parses its configuration 
files.


But in any case, admitting spaces in file names is certainly one of the stupidest and most 
costly ideas in the history of computing.
A close second would be making this a standard program installation directory in some 
widely-distributed operating systems.
A close third would be using the same thing in the standard installation path of some 
popular open-source software.

oh well..


Getting back on-topic however : I do not know anything about Felix, and I have not really 
followed this thread.  But assuming that this Felix is a web application running under 
Tomcat, the fact that it has the above in its own configuration file, rather than in some 
Tomcat configuration file, would tend to make one suspect that Felix is opening its own 
listening socket, of which Tomcat knows nothing. No ?


And in such a case, there would be some conflict if one simultaneously to deploying this 
web application, would try to open a Tomcat Connector on the same port.

One of them is bound to fail.

[...]





Re: Suppress or replace WWW-Authorization header

2015-10-28 Thread tomcat

Hi.

On 28.10.2015 09:36, Torsten Rieger wrote:

Hi,



I try to suppress the browser login-dialog on basic authentication (basic
is a legacy requirement), how can I do that? Filters are called after login
on the container, right?



I am not sure that I understand exactly what you mean here, and I certainly do 
not understand the purpose of what you are trying to do, but here is some 
information that may help :

The general authentication logic in HTTP works (roughly) as follows :

1) the browser sends a request to the server, for some resource (HTML page or 
else)
2) the server checks if access to the requested resource requires 
authentication/authorization.
If not, go to 8
3) (if yes) : the server checks if the request already contains an authentication of the 
required type, and if yes, if it is valid.
If yes, go to 8
4) (if not) : the server returns a status code 401 (authorization required) to the 
browser, along with *the kind of authentication* required (this is defined in the server 
configuration for that resource)
5) the browser obtains the required authentication credentials (in a way which depends on 
the type of AAA required)
6) the browser repeats the request to the server, this time providing the required 
credentials, in the form corresponding to what the server indicated in (4).

7) back to (2) above.

8) the server returns the requested resource.

Now your case is apparently so that at step (4) above, the 401 response that the server 
sends back to the browser, specifies "HTTP Basic" as the requested form of 
authentication/credentials.
In such a case, the browser (all browsers), at step (5), *will* popup a Basic 
authentication dialog, and there is nothing that you can do about it.  It is a behaviour 
that is built-in in all browsers, and it is what is expected of them.
(In other words also, this dialog is not something that is sent by the server, so you 
cannot "filter it out").


The only way to avoid such a dialog in the browser, is at the level of the server, 
ensuring that the 401 responses do not specify "Basic" as the requested authentication method.


If the above does not answer your question, please provide more details about what you 
are trying to do, and the purpose of it.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
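
The exchange described in steps 1 to 8 of the message above, as an added example (not code from the thread, Tomcat or Jetty): a Node.js model of both sides, showing how the scheme named in the 401's WWW-Authenticate header decides whether the native dialog appears while the server goes on accepting "Authorization: Basic". The account, realm, the "xBasic" scheme name and all function names are constructed for illustration, and `browserWouldPrompt` encodes the browser behaviour as the message states it.

```javascript
// Constructed sample data for this example; none of it comes from the thread.
const USERS = { alice: 's3cret:with:colons' };
const REALM = 'rest-api';

// Compare two strings without stopping at the first differing byte.
function constantTimeEqual(a, b) {
  const x = Buffer.from(a, 'utf8');
  const y = Buffer.from(b, 'utf8');
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ (y.length ? y[i % y.length] : 0);
  return diff === 0;
}

// Step 6: the header a client sends. Base64 is an encoding, not encryption.
function basicHeader(user, pass) {
  return 'Basic ' + Buffer.from(user + ':' + pass, 'utf8').toString('base64');
}

// Step 3: validate "Authorization: Basic <base64(user:pass)>"; returns the user or null.
function checkBasic(authorization) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(authorization || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // only the first colon separates user and password
  if (sep < 0) return null;
  const user = decoded.slice(0, sep);
  const known = Object.prototype.hasOwnProperty.call(USERS, user);
  const match = constantTimeEqual(decoded.slice(sep + 1), known ? USERS[user] : '');
  return known && match ? user : null;
}

// Steps 2 to 4 and 8: the server either serves the resource or sends a 401
// that names the challenge scheme (the part the thread wants to change).
function serverHandle(request, challengeScheme) {
  const user = checkBasic(request.headers.authorization);
  if (user) return { status: 200, headers: {}, body: 'hello ' + user };
  return {
    status: 401,
    headers: { 'www-authenticate': challengeScheme + ' realm="' + REALM + '"' },
    body: ''
  };
}

// List the scheme names (lower-cased) in a WWW-Authenticate value.
// Commas inside quoted strings do not separate challenges or parameters.
function challengeSchemes(headerValue) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < headerValue.length; i++) {
    const ch = headerValue[i];
    if (inQuotes && ch === '\\') { current += ch + (headerValue[i + 1] || ''); i++; continue; }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ',' && !inQuotes) { parts.push(current); current = ''; continue; }
    current += ch;
  }
  parts.push(current);
  const schemes = [];
  for (const raw of parts) {
    const part = raw.trim();
    // "name=value" continues the previous challenge; anything else starts a new one.
    if (part === '' || /^[^\s=]+\s*=/.test(part)) continue;
    schemes.push(part.split(/\s+/)[0].toLowerCase());
  }
  return schemes;
}

// Step 5, as the message describes it: the native dialog appears only when
// a 401 carries a Basic challenge (scheme names are case-insensitive).
function browserWouldPrompt(response) {
  if (response.status !== 401) return false;
  return challengeSchemes(response.headers['www-authenticate'] || '').includes('basic');
}

// Walk the exchange: unauthenticated request, 401, then the retry with credentials.
function runExchange(challengeScheme, user, pass) {
  const first = serverHandle({ path: '/api/items', headers: {} }, challengeScheme);
  const retry = serverHandle(
    { path: '/api/items', headers: { authorization: basicHeader(user, pass) } },
    challengeScheme
  );
  return {
    firstStatus: first.status,
    challenge: first.headers['www-authenticate'],
    nativeDialog: browserWouldPrompt(first),
    retryStatus: retry.status
  };
}
```

In this model a client that sends the Authorization header without waiting for a challenge is unaffected by the renamed scheme, and the credentials are only Base64-encoded, so the exchange needs TLS in either variant.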



Re: Fwd:

2015-11-13 Thread tomcat

On 12.11.2015 10:17, Yuval Schwartz wrote:

On Wed, Nov 11, 2015 at 7:14 PM, Mark Eggers <its_toas...@yahoo.com.invalid>
wrote:



Yuval,

On 11/11/2015 8:34 AM, Yuval Schwartz wrote:

Hello Mark,

Thanks for the reply. I am interested in finding where the
Document Root is for my application ("applicationName"). As I
understand, since my Catalina_Home = "c:\tomcat" and the ""
tag in the server.xml specifies "appbase='webapps'", it should be
under c:\tomcat\webapps...but it is not.

Thanks again.



And it will only be there if you actually deploy the WAR file to
Tomcat (and unpackWARs is set to true).

It may be in a different directory if you use a context file. This is
how NetBeans operates. It may not even exist (if unpackWARs is set to
false).

What are you doing that requires knowledge of Document Root? BTW,
document root is really an Apache HTTPD concept, and not an Apache
Tomcat concept.



I just want to place a favicon in the document root.
How can I do this?
Again, the default tomcat favicon was shown up until (I think) when I
changed one of my projects' context path from "applicationName" to "/".
Since then, the favicon has disappeared and I would like to see it again
(and to have a better understanding of these things since I hope to deploy
to a web server in the coming months).



Maybe this will help your basic understanding :
http://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F

And maybe additionally, a comparison with Apache httpd :
Under Apache httpd, there isn't really a "default application", but the top of the URL 
space (what you get when you request a URL such as "http://hostname/") is defined by the 
DocumentRoot directive in the webserver configuration file.

(And by default, it is something on disk like : ../Apache2/htdocs/).

Under Tomcat, things are a bit different : there is not really a "DocumentRoot"; instead, 
there are multiple "web applications", all equal and at the same logical level, each one 
of them defined separately in its own sub-directory of (tomcat_directory)/webapps/.


Among those equal webapps, one is a little bit more equal than the others however, and 
acts as the "default webapp" (what a client gets when it requests the URL 
"http://tomcat_hostname/") (*) : that is the application located at 
"(tomcat_directory)/webapps/ROOT/" (capitals important).


(*) or any other URL which Tomcat cannot clearly map to another webapp




Also, it is the convention of this mailing list to either reply inline
or (preferably) at the end of the message. See the following for the
mailing list guidelines:

http://tomcat.apache.org/lists.html

(item 6 of the tomcat-users mailing list)

. . . just my two cents
/mde/


On Wed, Nov 11, 2015 at 6:13 PM, Mark Eggers
<its_toas...@yahoo.com.invalid> wrote:

Yuval,

On 11/11/2015 7:06 AM, Yuval Schwartz wrote:

Hello,

I am using tomcat 8.0.22.0. My Catalina_Home is set to
"C:\tomcat". IDE: Netbeans. Language: Java.

For some reason, when I deploy a web application in Netbeans
that has the name "applicationName" and context path:
"/applicationName" I do not see the application in the
c:\tomcat\webapps folder. Can someone help me figure out
what is not configured correctly? All I see is 4 folders
"docs, examples, host-manager, manager." Interestingly, if I
undeploy one of these 4 folders in netbeans, then this change
is reflected immediately in path c:\tomcat\webapps (ie: I see
3 folders). However, as I said, deploying "applicationName"
does not result in the folder being available in
c:\tomcat\webapps (as it should).

The whole reason I got into this was because I stopped
seeing the tomcat favicon in my application all of a sudden
(I suspect because I changed the context path from
"/applicationName" to "/"). Now I would like to see the
favicon and would like to understand why I am not seeing the
deployed application where I should.

My application is deployed successfully and runs fine (I just
  don't see it in c:\tomcat\webapps).

Thank you.



This is due to how NetBeans deploys to Tomcat. NetBeans creates a
config.xml file and copies it to
%CATALINA_BASE%\conf\Catalina\localhost\appname.xml

Inside the appname.xml, there's a docBase that points to where you
  built your application (for me it's
ProjectName\target\artifact-id).

This then makes use of Tomcat's default configuration to trigger
reloads of your web application when certain resources are
changed.

Here's a link on how that deployment works:

http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html

Look for Deploy using a Context configuration ".xml" file.

. . . just my two cents /mde/


--

Re: Tomcat simple tcp cluster doesn't work on switching browser

2015-11-16 Thread tomcat

On 16.11.2015 11:36, Amit Rawat wrote:

Hi,



I'm observing some strange behaviour between two instances of 
apache-tomcat-7.0.41 running on the same server. Sessions are shared between 
the servers on multiple logins/logouts on the same browser, but when I switch 
browsers, the session sharing stops.

I have posted a question on stack overflow where you can find more details on what 
I have tried & my observations :

http://stackoverflow.com/questions/33546555/tomcat-simple-tcp-cluster-doesnt-work-on-switching-browser

  Any help would be appreciated.



Off the top of my head, I would say
- a "session" saved on the server, is identified by a "session-id" (some kind of large 
alphanumeric string, unique)
- to allow a browser to re-connect to the same session during several interactions, this 
session-id is initially sent to the browser, contained in a cookie
- whenever the browser interacts with the same server/cluster, it resends this cookie, and 
this is what allows the server to re-connect this browser to the saved session


- of course, if you switch browsers, the new browser does not have that cookie. So it does 
not send it to the server/cluster, and it gets a new session, with a different session-id.


Or did I misunderstand your explanation of what happens ?




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: 80ms delay switching between worker threads

2015-10-30 Thread tomcat

On 30.10.2015 01:03, Farzad Panahi wrote:

Hi,

I am using tomcat 8.0.23 to terminate my websocket connections. I was
looking at my trace logs and noticed that when tomcat worker thread
responsible for processing websocket messages switches to a different
thread, there is about 80ms delay. In my OnMessage implementation I
let the work done for each message by thread from the executor service
thread pool. So onMsg method supposed to return immediately.
Here is the OnMessage implementation and trace log messages. Any ideas
what is causing that delay?



Come on, let's be a bit humane here.

According to : https://en.wikipedia.org/wiki/Time_%28Orders_of_magnitude%29
tomcat here thus switches threads in less than the blink of an eye.
Considering that most tomcats out there already process dozens of requests per second, day 
in, day out, without any holidays ever, with end-user clients that they barely know, don't 
you think that they can be allowed this slight pause between conversations ?


Also, for the method supposed to return "immediately" : the (Google) definition of 
"immediately" says "here and now, this very minute". Surely 80 ms is well within the specs 
then ?


After all, websocket is an /asynchronous/ protocol.






Re: [OT] RE: 80ms delay switching between worker threads

2015-11-03 Thread tomcat

On 02.11.2015 21:23, David kerber wrote:

On 11/2/2015 3:09 PM, Farzad Panahi wrote:

Quoting from David Holmes' blog:


The nanoTime method uses the highest resolution clock available on the platform, and
while its return value is in nanoseconds, the update resolution is typically only
microseconds.

https://blogs.oracle.com/dholmes/entry/inside_the_hotspot_vm_clocks

I think we can rely on nanoTime as a clock with microsecond
resolution. Having said that can't we say printing out nanoTime in
websocket message handler will give us a fair number (with microsecond
accuracy) to measure how quickly the message handler is being called?

All I am saying is that I see an obvious hiccup in order of
milliseconds when threads are switching which I have no explanation
for.

Please advise if you think the way I am measuring is wrong.


I'm with Chris on this one:  I think it's due to running on a VM rather than on real
hardware.


I am no specialist in the matter, but I believe that what the OP is saying, is that there 
is a clear and systematic difference between 2 cases :

- when the threads are switching
- versus when they are not switching
If so, and assuming that his measurements use the same method and instruments in each 
case, statistically-speaking there would still be an as yet unexplained difference, no ?

(even if it is only a blink of an eye, repeated blinks can amount to something 
significant)








Cheers

Farzad

On Mon, Nov 2, 2015 at 4:56 AM, David kerber <dcker...@verizon.net> wrote:

On 10/31/2015 10:51 AM, David Balažic wrote:


Just a note: When most of you say "resolution" what you think about is
actually called "accuracy".
(also see "precision" , here is a good roundup:
http://www.tutelman.com/golf/measure/precision.php )



I'm not sure about the others, but as an Electrical Engineer, I know the
difference between resolution, precision, and accuracy.  In the post I made
earlier, I said and meant "resolution".






David Balažic
Software Engineer
www.comtrade.com


-Original Message-
From: Konstantin Preißer [mailto:kpreis...@apache.org]
Sent: 31. October 2015 10:27
To: Tomcat Users List
Subject: [OT] RE: 80ms delay switching between worker threads
Importance: Low

Hi Christopher,


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Saturday, October 31, 2015 3:43 AM

What OS are you using? IIRC, the Windows timer has horrible resolution.
you can call System.currentTimeNanos all you want, but you won't get
anything meaningful lower than some threshold regardless of the actual
least significant digits coming back from those calls.



While that may have been true in ancient versions like XP and Vista, at least
starting with Win7 QueryPerformanceCounter() uses the processor's TSC [1]
(where Vista used the HPET if available) so you should have a very high
resolution here. E.g. running the following Java program:

  int[] iterations = { 100, 120, 150, 250 };

  for (int i = 0; i < iterations.length; i++) {
      for (int j = 0; j < 3; j++) {
          long currentTime = System.nanoTime();
          double startValue = 1000;
          for (int z = 0; z < iterations[i]; z++) {
              startValue = Math.pow(startValue, 0.99);
          }
          long difference = System.nanoTime() - currentTime;
          System.out.println(iterations[i] + " pow iterations ms took " +
                  (difference / 1000L) + " µs");
      }
  }

prints on my system something like:

100 pow iterations ms took 25 µs
100 pow iterations ms took 7 µs
100 pow iterations ms took 7 µs
120 pow iterations ms took 8 µs
120 pow iterations ms took 9 µs
120 pow iterations ms took 8 µs
150 pow iterations ms took 11 µs
150 pow iterations ms took 10 µs
150 pow iterations ms took 13 µs
250 pow iterations ms took 18 µs
250 pow iterations ms took 17 µs
250 pow iterations ms took 17 µs


So there should at least be a microsecond resolution. On a C# program using
Stopwatch I get similar results in the range from 5 to 12 µs.

Note, QueryPerformanceFrequency() [2] can be used to get the frequency
of the timer which is exposed in .Net through static
System.Diagnostics.Stopwatch.Frequency field as ticks per second. On my
system it prints "3323580" so the resolution should be around ~0.3
microseconds.


Regards,
Konstantin Preißer

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/dn553408%28v=vs.85%29.aspx
[2] https://msdn.microsoft.com/de-de/library/windows/desktop/ms644905%28v=vs.85%29.aspx











Re: [PROPOSAL] Tomcat Webinar series

2015-11-13 Thread tomcat

On 12.11.2015 23:29, Mark Thomas wrote:

All,

I've been wondering if there would be any interest in a Tomcat Webinar
series. I'm thinking ~10 minutes of presentation followed by Q&A on
topics of interest to this community with the webinars taking place
every 1/2/4 weeks depending on interest. The webinars would also be
recorded and uploaded somewhere - probably youtube - and linked from
tomcat.apache.org.

My initial thoughts on possible topics are:

- Intro to Tomcat 9 (the first milestone release is in progress as
   I type this)

- TLS virtual hosting with Tomcat 9

- Generating TLS keys for Tomcat

- HTTP/2 and Tomcat 9

- Connector selection: BIO vs NIO vs NIO2 vs APR

- Proxy protocol choice HTTP vs AJP

Other topics as requested by the users@ community.

Presenters would be one of the Tomcat committers. Obviously, I'm happy
to do these but I hope some of my fellow committers will agree to do
some presentations as well.

Thoughts, feedback, topic suggestions welcome.


I think it's a great idea, but like someone else mentioned, I believe that 10 minutes may 
be a bit short for any of the above themes.


Additional suggestions for sessions :

- how to set up Tomcat so as to make upgrades easier

- the relationship between Tomcat and the Java Servlet Specification

- for sysadmins : how to set up Tomcat logging

- tools and formulas for tuning Tomcat for specific load scenarios

- when and how to generate heap dumps, and how to (roughly) interpret them






Re: HTTP 400 with Form based authentication

2015-09-07 Thread tomcat

Hi.

I have not really followed this thread from the beginning, but maybe I can contribute 
something here..


On 07.09.2015 15:56, Sreyan Chakravarty wrote:
..


Also can a webapp have different realms ? If so how do you distinguish them
? I was looking at the RealmBase source and I haven't noticed a place for
realmName. If not then what is the use of the  element in
web.xml ?



One webapp can only have one realm, but several webapps (or let's say more generically 
several areas in "URL space" on the server) can share the same realm.


The "realm" is something that the server sends back to the browser in the "401 
Authorization required response".  It is just a "label", which in terms of AAA, identifies 
a certain collection of resources on the server, covered by the same 
authentication/authorization requirements.
In the server configuration, you can choose yourself which resources are covered by the 
same realm (label).


It is easier to explain this by example, in the general context of the HTTP 
protocol.
The basic way in which AAA works in a webserver is this :

1) the client/browser sends a request to the server, with a specific URL, which resolves 
on the server to some resource
2) the server evaluates the request, and resolves the resource to which it applies (e.g. a 
static html page, a servlet, ..).  The server then checks in its configuration, if this 
resource is protected.  If not, it returns the requested resources to the client, and 
that's it.
3) if the request is protected, the server checks if the request contains some form of 
authentication. If yes, the server checks if this authentication is valid, and applicable 
to this resource. If yes, the server returns the requested resource, and that's it.

If not, the server returns a "forbidden" response.
4) If the request did not contain an authentication, the server returns a response to the 
client : "401 Authorization required", along with a realm (the "label" applicable to this 
resource, as per the server configuration), *and* the required authentication method (e.g. 
"Basic" or "Digest").
5) the client sees this response, and interacts with the user to obtain the required 
user-id/password.  Once obtained, the client/browser repeats the same request to the 
server, but this time with some additional HTTP header(s) containing the requested 
authentication.  At the same time, the client/browser "remembers" this authentication, and 
remembers to which "realm" it applies.


Then go back to (1) above.

If the client/browser (within the same browser session), later accesses the same or 
another resource, and it receives from the server another 401 "auth required" response 
with a realm in it, and the browser knows that *for this same realm* it already had a 
remembered authentication, then it can send the same one again to the server, without 
needing to ask the user again to fill-in a login dialog.


This is a pure HTTP-level mechanism, which works independently of any "session" that one 
may have on the server (as long as the authentication method is "Basic" or "Digest").
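
The five steps above, sketched as an added example (not part of the original message): a toy server and client in Python. The paths, realm names and accounts are constructed, and the server answers bad credentials with "forbidden" as step 3 describes.

```python
import base64
import hmac
import re

# Constructed server configuration: URL prefix -> realm label.
PROTECTED = {"/hr/": "Intranet", "/payroll/": "Intranet", "/admin/": "Operations"}
# Constructed accounts per realm (plain text only to keep the sketch short).
ACCOUNTS = {"Intranet": {"alice": "s3cret"}, "Operations": {"root": "hunter2"}}


def realm_for(path):
    """Step 2: resolve the resource and look up whether it is protected."""
    for prefix, realm in PROTECTED.items():
        if path.startswith(prefix):
            return realm
    return None


def credentials_valid(header_value, realm):
    """Decode an 'Authorization: Basic ...' value and check it for this realm."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic":
        return False
    try:
        # Basic is base64, not encryption: anyone who sees the header can
        # decode it, so the exchange needs TLS underneath.
        decoded = base64.b64decode(blob, validate=True).decode()
    except ValueError:
        return False
    user, _, password = decoded.partition(":")
    expected = ACCOUNTS.get(realm, {}).get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def server(path, headers):
    """Steps 2 to 4: return (status, response headers) for one request."""
    realm = realm_for(path)
    if realm is None:
        return 200, {}                      # unprotected resource
    auth = headers.get("Authorization")
    if auth is None:                        # step 4: challenge with the realm
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    if credentials_valid(auth, realm):      # step 3: valid for this resource
        return 200, {}
    return 403, {}                          # step 3: "forbidden"


class Client:
    """Step 5: a browser-like client that remembers credentials per realm."""

    def __init__(self, prompt):
        self.prompt = prompt    # callable(realm) -> (user, password): the login dialog
        self.cache = {}         # realm -> Authorization header value
        self.prompts = 0        # how many times the user was asked

    def get(self, path):
        status, headers = server(path, {})
        if status != 401:
            return status
        realm = re.search(r'realm="([^"]*)"', headers["WWW-Authenticate"]).group(1)
        if realm not in self.cache:
            user, password = self.prompt(realm)
            self.prompts += 1
            token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
            self.cache[realm] = "Basic " + token
        # Same realm as before: resend the remembered header, no new dialog.
        status, _ = server(path, {"Authorization": self.cache[realm]})
        return status


if __name__ == "__main__":
    answers = {"Intranet": ("alice", "s3cret"), "Operations": ("root", "hunter2")}
    browser = Client(lambda realm: answers[realm])
    for url in ("/index.html", "/hr/leave.html", "/payroll/2015.html", "/admin/status"):
        print(url, browser.get(url), "prompts so far:", browser.prompts)
```

The second "Intranet" URL is served without a second prompt because the client keys its remembered header on the realm label, not on the URL.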









Re: Dynamically Create Subdomains - Tomcat 7x

2015-09-04 Thread tomcat

On 04.09.2015 05:31, Kiran Badi wrote:

Hi,

I need some help, I need to create subdomains dynamically, Is this possible
?

I have a site, www.mymainsite.com

on this main site, I drop the zipcode and city cookie and then I forward it
to front controller, and it's this front controller  which will point it to
city subdomain.

Can we create subdomains on the fly in tomcat ?



Kiran,
Can you try to re-phrase your question in terms which people without a crystal ball would 
understand ?




Ce qui se conçoit bien s'énonce clairement - Et les mots pour le dire arrivent 
aisément.
L'Art poétique (1674)
Nicolas Boileau-Despréaux






Re: seeking help with stabilizing the persistence of a JSESSIONID

2015-09-04 Thread tomcat

On 03.09.2015 23:31, Christopher Schultz wrote:


Hardy,

On 9/3/15 2:32 PM, Pottinger, Hardy J. wrote:

Are you actually using HTTP Basic authentication? You may be
configuring the wrong authenticator. (I know nothing about
Shibboleth)


I'm using Apache HTTPD as a front-end (via mod_proxy) for Tomcat,
since Shibboleth works (mostly) with Apache HTTPD. So, the
authentication happens on the HTTPD side.


Are you using AJP or HTTP as your proxy protocol? If AJP, are you
using tomcatAuthentication="false" on your ? I'm not
exactly sure what happens when you do that... you might get a
NonLoginAuthenticator.

You could cause any error to occur in your application and then look
at the stack trace to find out what kind of authenticator you got (the
Valve will be in the stack trace).



I believe there may be some confusion here.
The things to find out would be :

1) if *all* accesses to the application, go through httpd first. And if yes, by what 
mechanism does httpd proxy them to Tomcat ? (choices : mod_proxy_http / mod_proxy_ajp / 
mod_jk)
2) if yes to the above, then : does httpd do the authentication before proxying these 
calls to Tomcat ?


(because if yes to both above, then the issue looks to be more at the httpd level, than at 
the Tomcat level)


In other words, it may be helpful to paste a copy of the httpd configuration 
here.
(Do not attach it, paste it in (after removing anything irrelevant or confidential); the 
list strips most attachments).







Re: [somewhat OT] Undefined behaviour with Credential Handler

2015-09-10 Thread tomcat

Hi.

I have been following this thread loosely, and I have nothing about Tomcat authentication 
per se, but maybe now may be the moment to suggest another approach : why not use an 
Apache httpd as a front-end to Apache Tomcat, do the user authentication/authorization at 
the Apache httpd level (in almost whatever flavor known to man, and generally dictated by 
the customer circumstances more than by anything else), and pass to Tomcat requests which 
are already authenticated/authorized ?


Apache httpd having been on the market a bit longer than Tomcat, and having a 
comparatively higher "market share" in terms of number of webserver installations, it has 
already acquired over time a very wide range of user authentication mechanisms, which 
Tomcat doesn't match yet, and will probably never match unless a lot of developer time is 
spent at just that aspect (never mind the developer time that has already been spent at 
it).  Developer time which could probably be fruitfully spent at other more Tomcat- and 
Java-servlet-centric issues, rather than at duplicating what is already solved and heavily 
tested elsewhere.


Installing and configuring Apache httpd as a front-end to Tomcat is fairly easy, fairly 
efficient in operation, and fairly frequent for real-world Tomcat sites, even if not 
always for authentication purposes per se.
Adding user authentication/authorization to such a setup is almost trivial from an httpd 
point of view, and totally trivial from the Tomcat point of view (well, at least with AJP).


And, it would stay in the big Apache free and open-source family.

Re: https://en.wikipedia.org/wiki/Law_of_the_instrument
and https://en.wikipedia.org/wiki/Overengineering

I mean, from a human point of view, I understand the temptation for a Java developer, and 
for a Tomcat Java developer, to do everything in Java and in Tomcat rather than 
somewhere/somehow else.  And I do recognise that in some use cases, one can not do 
otherwise.  But at some point, the more bells and whistles you add to something, the 
heavier it becomes and the more resources are needed to develop, debug, document and 
maintain all that stuff. Isn't it so ?




On 10.09.2015 21:49, Sreyan Chakravarty wrote:

"Feel free to do that. You'll have to implement a lot of plumbing code
yourself to use Apache Shiro. (It seems like Tomcat ought to support
Shiro, eh? Maybe we should get together with them to build an
out-of-the-box configurable component in Tomcat)."

Well I don't know that but you people could try making Tomcat Container
managed security easier to use.

On Thu, Sep 10, 2015 at 9:16 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:



Sreyan,

On 9/10/15 8:10 AM, Sreyan Chakravarty wrote:

Yes but that requires implementing your own credential handler.


Sorry, I thought you had implemented your own credential handler.


But the default one will still have the bug.


Oh, I was just suggesting that fix as something temporary until an
updated version of Tomcat is released where this bug is fixed. The fix
is trivial, so I have no doubt it will be in the next release.


Right now I am thinking of using an authentication framework like
Apache Shiro.


Feel free to do that. You'll have to implement a lot of plumbing code
yourself to use Apache Shiro. (It seems like Tomcat ought to support
Shiro, eh? Maybe we should get together with them to build an
out-of-the-box configurable component in Tomcat).

-chris


On 9/9/15 12:50 PM, Sreyan Chakravarty wrote:

Well I guess now it's confirmed that it is a bug. Do you still
need the code ?


No, I don't think I will.

However, since you wrote your own CredentialHandler, you could
merely patch it to check in the matches() method for null.
Something like this:

    @Override
    public boolean matches(String inputCredentials, String storedCredentials) {
        if (null == storedCredentials) return false;

        return matchesSaltIterationsEncoded(inputCredentials, storedCredentials);
    }

Then you can resume your testing.

-chris


On Wed, Sep 9, 2015 at 8:55 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

Sreyan,

On 9/8/15 6:31 AM, Sreyan Chakravarty wrote:

Okay is if I have stored my password in my DB with
SHA256 encryption, can the credential handler declared
in the realm work if it is declared with SHA512 ?


No. SHA256 and SHA512 produce hashes of different sizes, so
with the same input, they will always produce different
outputs.

https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions






As far as I know it must be same algorithm, salt and

iterations for the hash to be matched perfectly.


Correct.


Now take my case-:



Okay this my credential handler that I am using. In my
DB the password is stored using
PBEWITHHMACSHA384ANDAES_256. A completely different
algorithm than the one specified before. So how come
when I put in my user-id and password on my form-login
page I 
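
Added example, not part of the thread and not Tomcat's code: a Python sketch of the two points discussed above, returning false when no stored credential exists and requiring the same algorithm, salt and iterations for a match. The `salt$iterations$digest` layout, the function names and the use of PBKDF2 are assumptions made for this example.

```python
import hashlib
import hmac
import os


def store_credentials(password, algorithm="sha256", iterations=20000, salt=None):
    """Derive the value to keep in the user table: hex salt, count, hex digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(algorithm, password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def matches(input_credentials, stored_credentials, algorithm="sha256"):
    """Return True only if the input re-derives exactly the stored digest."""
    # An unknown user has no stored value. Answer "no match" instead of
    # failing with an exception on the missing value.
    if input_credentials is None or stored_credentials is None:
        return False

    parts = stored_credentials.split("$")
    if len(parts) != 3:
        return False
    try:
        salt = bytes.fromhex(parts[0])
        iterations = int(parts[1])
        expected = bytes.fromhex(parts[2])
    except ValueError:
        return False
    if iterations < 1:
        return False

    # Salt and iteration count come from the stored value; the algorithm comes
    # from the handler configuration. All three must equal what was used when
    # the password was stored, or the digests differ.
    candidate = hashlib.pbkdf2_hmac(
        algorithm, input_credentials.encode(), salt, iterations
    )
    # Constant-time comparison; inputs of different length compare unequal.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: stored with SHA-256, 1000 iterations, fixed salt.
    stored = store_credentials("correct horse", "sha256", 1000, bytes(range(16)))
    print("same settings     :", matches("correct horse", stored, "sha256"))
    print("handler on sha512 :", matches("correct horse", stored, "sha512"))
    print("wrong password    :", matches("wrong", stored, "sha256"))
    print("unknown user      :", matches("correct horse", None))
```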

Re: heap thrashing

2015-09-12 Thread tomcat

On 11.09.2015 16:43, Leo Donahue wrote:

On Fri, Sep 11, 2015 at 9:36 AM, Leo Donahue  wrote:


Good day,

I see this topic come up from time to time on the list.  Can someone point
me to what heap thrashing looks like?

Googled java heap thrashing and looked at the images, but there isn't much
to look at.

I also tried googling for ventricular tachycardia to see if I could find a
similar graph - it's close to what I'm seeing in VisualVM, but not quite.

Is heap thrashing a very "closely spaced" saw tooth pattern?

Leo



This is about as close as I can find that is similar to what I'm seeing.
On the left side of the graph, imagine the spacing so close together that
it looks like a solid blue read out in the monitor.  When I stop the
webapp, the jvm adjusts itself back to normal.  It's only during servicing
requests that I see the very closely spaced pattern.

http://i.stack.imgur.com/B9oPL.png



What about a GC log with timestamps ?





Re: TC Connector IIS .41 build not running on windows 2012

2015-09-15 Thread tomcat

Thanks for providing the solution, as well as the question.
Is this something that should be added to some documentation on the Tomcat website ? Or is 
it already there and you just overlooked it ?


On 15.09.2015 19:30, Thomas, Stuart wrote:

The server simply needs the C++ Redistributable for VS - answer is to 
install this on the server:
http://www.microsoft.com/en-us/download/details.aspx?id=48145

Now it makes sense why it worked locally and not on the server.



-Original Message-
Sent: Saturday, September 12, 2015 10:38 AM
To: users@tomcat.apache.org
Subject: TC Connector IIS .41 build not running on windows 2012


I did a build from source using MS Blend for VS.  I copied x86 settings to x64 
and my .41 build runs like a charm on Win7 64bit IIS 7.5 - but does not run on 
windows 2012 IIS 8.5.  Is there anything I should be doing differently to build 
for IIS 8.5?








Re: Question on autoDeploy=true + editing conf/context.xml

2015-09-15 Thread tomcat

On 15.09.2015 20:11, Felipe Jaekel wrote:

Hi,

I use parallel deployment, so I set *autoDeploy=true* to enable newer
versions of webapps as soon as they are deployed, but if I edit
*conf/context.xml*, I'd like that Tomcat 7.0.62 did not restart
automatically.

Is it possible?




Just a comment from a not-Tomcat-developer :

According to a comment in the file (tomcat_dir)/conf/context.xml :



and it seems that this very file, is telling Tomcat which webapp resource to watch for 
changes, in relation to the applications that may need to be reloaded/restarted :


WEB-INF/web.xml

So to me, it does make sense, if someone changes conf/context.xml, to restart the whole 
Tomcat, to take into account such a possible change to the very thing that controls the 
detection of a change in all applications.


Which is probably the basic reason why it is so. No ?

A further question would be : what is the "use case" for modifying the global 
conf/context.xml while Tomcat is running ?









Re: heap thrashing

2015-09-12 Thread tomcat

On 11.09.2015 18:24, Caldarale, Charles R wrote:

From: Leo Donahue [mailto:donahu...@gmail.com]
Subject: Re: heap thrashing



I see this topic come up from time to time on the list.  Can someone point
me to what heap thrashing looks like?



Is heap thrashing a very "closely spaced" saw tooth pattern?


Should have mentioned that "heap thrashing" does not have a strict definition.  
Often, it's used to describe the heap itself expanding and contracting in a cyclic 
manner.  This is most easily avoided by setting the min and max heap size limits to the 
same value.

What you have appears to be just very rapid object creation and garbage 
collection.  Using a larger heap (if you have the RAM for it) could help to 
reduce the frequency of collections.  Fixing the webapp to not consume so much 
space would be better, of course.

  - Chuck


In terms of looking at the webapp code which may generate that kind of behaviour, while 
searching for an example on the www, I came across this blog post :


http://steve-yegge.blogspot.de/2006/03/execution-in-kingdom-of-nouns.html

Independently of what one may think about the author's opinions and treatment of the 
matter, I find the prose beautiful and witty.
The pseudo-java code example is of course tongue-in-cheek and contrived, but I have seen 
similar code in the real world, and it would probably produce the kind of phenomenon which 
Leo is seeing.







Re: Tomcat 8 reliability/performance on Windows 2008 R2 Server vs. RHEL/CentOS

2015-09-30 Thread tomcat

On 30.09.2015 22:23, Jason Britton wrote:

Hello Good People -
We currently have multiple Tomcat instances deployed on RHEL in production
with no issues but I am getting asked why we shouldn't migrate everything
to run on Windows 2008 R2 Server instead.  My stomach churns at the thought
but I am looking for more concrete information about why this could be
problematic vs. running Tomcat on RHEL/CentOS.  My gut says far more Tomcat
deployments in production are done on top of Linux based OS's vs. Windows.
Any thoughts on making an argument for one OS vs another in deploying
Tomcat 8?  Thanks for your thoughts,



This looks like the ideal start for some holy war.

Maybe you (not me) could argue that Tomcat being an Open-Source, free software, would 
undoubtedly feel more comfortable and cushy living inside a platform that is like him, 
open-source and free ?
(Whilst being perfectly able to run under Windows and other platforms, for being a 
versatile multi-platform Java application, it may nevertheless always feel a bit like a 
not-so-well integrated immigrant there).


More seriously (and considering that you seem to express a slight personal preference for 
the one vs the other) :

The main difference for Tomcat itself is probably going to be in
- what kind of hardware would Tomcat be running on in either case ?
- how stable is the Java JVM which actually runs the Tomcat java code, in 
either case ?

But you may also want to give a thought to everything else, apart from Tomcat and around 
it, which is currently installed and running on your current platform, and whether the 
equivalent exists on the other platform. It may well be for example, that some auxiliary 
product of which you are currently using the open-source and free version, is not 
available on the other platform, or available only in a different and/or non-free version.


You may also want to consider how you are currently supporting/maintaining your Tomcat and 
its applications.  If you are using Linux/shell-based tools, that may be more difficult 
under Windows, and/or require other tools.


If that system is remote with reference to the people supporting/maintaining it, you may 
also want to investigate what kind of access tools you would have to a Windows platform.
In my experience for instance, accessing these platforms via SSH/SCP/SFTP requires some 
serious non-standard setup.  Also an access via Remote Desktop (almost the standard when 
talking about a Windows server), will require a VPN for working correctly, and even then 
any file transfers are likely to be much more of a hassle than with a Linux platform.
For example, the file drag-and-drop feature via Remote Desktop, is kind of neat 
graphically, but in the principle often turns out to be abysmally slow.

(And of course that works only if your own station is Windows).

You may also want to give a thought to who else (apart from yourself presumably) is going 
to provide the support for the platform in question and its OS, and its integration in the 
big scheme of things. Quite often in my experience, the teams in charge of each kind of 
platform are different.  Quite often also, they have a different focus and different sets 
of skills.


You may also be interested in finding out what kind of global security and other policies 
apply to this other platform.  Who for example enjoys admin rights to it, and/or how easy 
it is to obtain such rights when needed for installation-support-maintenance purposes ?
There may also be global policies regarding allowed and/or mandatory software updates and 
patches, different per platform type.  And there might be policies regarding mandatory 
usage of auxiliary things, such as virus scanners and the like.


Enough yet ?

P.S. In my line of business, we install and support our applications remotely on both 
kinds of platforms, and occasionally we move ditto applications from the one to the other 
at the customer's request.

(In the IT world, there are also fashions, which come and go).
Such moves are never to be considered lightly, even when you might think at first that 
being purely Tomcat and purely Java, it should not be an issue.  It usually is an issue, 
for the simple fact that over time, you have probably gotten used to the one platform and 
its tools and quirks, and you have probably accumulated a lot of peripheral stuff that is 
not really multi-platform hanging around, which you initially forget about because you 
have gotten so used to it.
So whatever you end up having to do (many times you don't get to choose), make sure that 
you and whoever else is concerned, at least have realistic expectations about the time and 
effort it takes to move.
It is not that the one platform is necessarily better or worse than the other.  It is the 
fact that they are *different*, and because of that a lot of things around them are 
different too.





Re: [OT] loading images through a Servlet

2015-10-02 Thread tomcat

On 02.10.2015 12:44, Bill Ross wrote:

Whether or not I have masked the file name in the header properly, which I 
can't verify easily


Oh yes you can.
Mozilla Firefox, plugins, Web Developer, HttpFox.
click and open in its own window.
click start

then get your page (in the main window)

then go back to the HttpFox window, click on a line and use the various views available to 
see exactly what the browser has sent, and what the server returned (headers and all).



 but believe is working, I have definitely masked the name in the URL and protected 
myself against later downloads:


HTTP ERROR 404

Problem accessing /images/_ewjMC3. Reason:

 Not Found

While on the server side:

...TagResourceServlet - DANGER OLD HASH ATTACK ...

Will the fame and money just arrive? I'll settle for 6 months' salary (that's 
how long I've been working on my own unpaid :-)



You may want to refine your scheme a tad, thinking of the robots (Google etc) which will 
be exploring your site.  You don't want to be swamped by DANGER messages above for trivial 
cases (nor communicate their IP to the XXX sites).


Other than that, your scheme looks nice to me so far.





 Original message From: "André Warnier (tomcat)" <a...@ice-sa.com> 
Date:10/02/2015  2:46 AM  (GMT-08:00) To: users@tomcat.apache.org Subject: Re:[OT] loading 
images through a Servlet 
On 02.10.2015 11:39, Bill Ross wrote:

And if I find anyone hitting me with unknown or aged-out hashes I will report 
their IP addresses to porn sites so they can be blocked there as well. This 
honeypot activity could be an alternate source of income, if I hadn't just 
disclosed the method :-)



Never mind that. If you have actually found an innovative solution to the
"browser-knows-all-anyway" conundrum, much bigger fame (and income) awaits you.


Bill

 Original message From: Bill Ross <r...@cgl.ucsf.edu> Date:10/02/2015  2:04 AM 
 (GMT-08:00) To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: loading images through a 
Servlet 
Thanks Andre for the well-considered reply. To Thad - thanks, I also
asked on stackoverflow after here.

I believe I have solved the obfuscation problem independent of the
javascript issue. What I just got working is logically:

   img.src = "/images/" + /servlet/getnext(params)

Where I now have a Servlet at /images that serves the file, thanks to a
generous coder at stackoverflow. I'll post the nicely designed code here
if anyone wants.

I am adding a table to map random hashes to file names. I'll insert
there and have getnext() return the hash instead of the file name. The
new Servlet I just added will look up the hash, check the age of the
record and refuse it if older than a second, and then serve up the
mapped file from the filesystem with current date and some flippant
random file name in the headers.

So as far as I can see, the only thing not obfuscated is the image
itself and my ego, which is harmless here.


I can think of even more hare-brained schemes where for instance some
Ajax function of yours could open a websocket connection to the server,
and receive a stream of image objects from the server over that single
connection and "plug" them into the page as appropriate.  But any kind
of thing like that would start to deviate seriously from standard
practices, and need a serious effort of development and debugging before
it could be considered as "production-level".

This is exactly what I was fishing for, and I thought maybe it had been
solved in some javascript library.


P.S. and if you really want to know how to display tons of images
fast, I suggest that you have a look (in a manner of speaking of course)
at some of those many XXX websites.  They /must/ have ways to do this
efficiently..

Maybe I will be selling to them :-) Thinking of my slideshow app overall.

Bill



On 10/2/2015 1:16 AM, André Warnier (tomcat) wrote:

On 01.10.2015 23:52, Bill Ross wrote:

Please let me know if there is a better place to ask
Servlet/javascript interface questions.


For the javascript part, there are probably better places.  But the
people here are awesome, so it's worth giving it a try.
For the servlet side of it, this /is/ probably one of the best places.
But let's start with javascript :

First a general principle : if you are thinking about security or any
form of obfuscation in the face of a determined and competent client,
basically forget it. To get an image or anything else from a server,
the browser (or else), has to know how to get it, so you need to send
it that information. And once the server sends any information to the
client, it is no longer under your control, because the browser (or
other program, such as curl and the like) is under total control of
the client (user).

So, as long as /that/ is not your ultimate purpose,



I have a slide show web page that does the logical equivalent of:

   var img = ne

Re: loading images through a Servlet

2015-10-02 Thread tomcat

On 01.10.2015 23:52, Bill Ross wrote:

Please let me know if there is a better place to ask Servlet/javascript 
interface questions.


For the javascript part, there are probably better places.  But the people here are 
awesome, so it's worth giving it a try.

For the servlet side of it, this /is/ probably one of the best places.

Since you are asking nicely, let's start with javascript :

First a general principle : if you are thinking about security or any form of obfuscation 
in the face of a determined and competent client, basically forget it. To get an image or 
anything else from a server, the browser (or else), has to know how to get it, so you need 
to send it that information. And once the server sends any information to the client, it 
is no longer under your control, because the browser (or other program, such as curl and 
the like) is under total control of the client (user).


So, as long as /that/ is not your ultimate purpose,



I have a slide show web page that does the logical equivalent of:

 var img = new Image();
 img.src = "/images/" + /servlet/getnextfile(params)
 img.[onload]: document["image"].src = img.src; resizeImage();

Rather than using the 'getnextfile' servlet to get a file name and then load it, I would
like to have getnextfile return a stream of bytes from the database which seems feasible
(streaming a BLOB I assume), but I don't know how to receive that into an Image (which
wouldn't have 'src' set - ?).


Have a look here : http://www.w3schools.com/jsref/dom_obj_image.asp

The javascript DOM "img" object does not seem to have any callable method by which it can 
retrieve its own image content.  The only way to have it retrieve that content, is by 
changing its "src" property.  This you can do, and it will apparently refresh its own 
image by itself when you do.
But the "src" property has to be set to a URL, so it "retrieves itself" by making a HTTP 
call to the server.. chicken and egg kind of thing.


In a form of obfuscation, you could try to set the "src" property to something like 
'javascript: retrieve_image("some id")' (Note: I haven't tried this), and then have this 
"retrieve_image()" function be something in one of your javascript libraries, which would 
in turn retrieve the image from the server, in a way less visible to the casual script 
kiddie.  (So in a way, you would be creating your own little internal HTTP forward proxy 
server).


But do not forget that the browser first has to receive that javascript library from the 
server, so it has it, and the person controlling the browser can see it, and turn it off 
at will or modify it to do anything he wants; see basic principle above.


In a more sophisticated way, you can probably add a custom method to the img objects on 
the page (see jquery for that kind of thing), so that you can have them change their own 
src property and retrieve their content in a less-immediately visible way.  But again, 
basic principle above.




One motivation is to reduce the round trips to the server for faster response 
time.


You still have to retrieve each image from the server, which in HTTP 1.1, means one 
request/response per image.  So I do not believe that you can gain much on that side.


Also, over quite a long period by now, as well browsers as webservers have been both 
well-debugged and optimised to death, to respectively retrieve and serve "things" using 
the "normal" HTTP methods (think of caching on both sides, and content compression), and 
avoid introducing security holes in the process (*).

Anything that you would do yourself is likely in the end to be even less 
optimised and secure.
(This is not to discourage innovation of course.  You might after all still invent a 
better mousetrap).


Maybe also read this : https://en.wikipedia.org/wiki/HTTP/2

(*) yes, I know, successive IE versions are kind of a counter-example to that 
statement.


Another motivation is to keep the filename from the user.


Basic principle again.  Anyone who installs the "Web Developer" plugin into his Mozilla 
browser, can ultimately find out anything about anything that is part of the page shown in 
the browser.


I can think of even more hare-brained schemes where for instance some Ajax function of 
yours could open a websocket connection to the server, and receive a stream of image 
objects from the server over that single connection and "plug" them into the page as 
appropriate.  But any kind of thing like that would start to deviate seriously from 
standard practices, and need a serious effort of development and debugging before it could 
be considered as "production-level".

So the question would be : is it worth it ?
(but then again, HTTP 2 ?)

P.S. and if you really want to know how to display tons of images fast, I suggest that you 
have a look (in a manner of speaking of course) at some of those many XXX websites.  They 
/must/ have ways to do this efficiently.. ;-)




Re:[OT] loading images through a Servlet

2015-10-02 Thread tomcat

On 02.10.2015 11:39, Bill Ross wrote:

And if I find anyone hitting me with unknown or aged-out hashes I will report 
their IP addresses to porn sites so they can be blocked there as well. This 
honeypot activity could be an alternate source of income, if I hadn't just 
disclosed the method :-)



Never mind that. If you have actually found an innovative solution to the 
"browser-knows-all-anyway" conundrum, much bigger fame (and income) awaits you.



Bill

 Original message From: Bill Ross <r...@cgl.ucsf.edu> Date:10/02/2015  2:04 AM 
 (GMT-08:00) To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: loading images through a 
Servlet 
Thanks Andre for the well-considered reply. To Thad - thanks, I also
asked on stackoverflow after here.

I believe I have solved the obfuscation problem independent of the
javascript issue. What I just got working is logically:

  img.src = "/images/" + /servlet/getnext(params)

Where I now have a Servlet at /images that serves the file, thanks to a
generous coder at stackoverflow. I'll post the nicely designed code here
if anyone wants.

I am adding a table to map random hashes to file names. I'll insert
there and have getnext() return the hash instead of the file name. The
new Servlet I just added will look up the hash, check the age of the
record and refuse it if older than a second, and then serve up the
mapped file from the filesystem with current date and some flippant
random file name in the headers.

So as far as I can see, the only thing not obfuscated is the image
itself and my ego, which is harmless here.


I can think of even more hare-brained schemes where for instance some
Ajax function of yours could open a websocket connection to the server,
and receive a stream of image objects from the server over that single
connection and "plug" them into the page as appropriate.  But any kind
of thing like that would start to deviate seriously from standard
practices, and need a serious effort of development and debugging before
it could be considered as "production-level".

This is exactly what I was fishing for, and I thought maybe it had been
solved in some javascript library.


P.S. and if you really want to know how to display tons of images
fast, I suggest that you have a look (in a manner of speaking of course)
at some of those many XXX websites.  They /must/ have ways to do this
efficiently..

Maybe I will be selling to them :-) Thinking of my slideshow app overall.

Bill



On 10/2/2015 1:16 AM, André Warnier (tomcat) wrote:

On 01.10.2015 23:52, Bill Ross wrote:

Please let me know if there is a better place to ask
Servlet/javascript interface questions.


For the javascript part, there are probably better places.  But the
people here are awesome, so it's worth giving it a try.
For the servlet side of it, this /is/ probably one of the best places.
But let's start with javascript :

First a general principle : if you are thinking about security or any
form of obfuscation in the face of a determined and competent client,
basically forget it. To get an image or anything else from a server,
the browser (or else), has to know how to get it, so you need to send
it that information. And once the server sends any information to the
client, it is no longer under your control, because the browser (or
other program, such as curl and the like) is under total control of
the client (user).

So, as long as /that/ is not your ultimate purpose,



I have a slide show web page that does the logical equivalent of:

  var img = new Image();
  img.src = "/images/" + /servlet/getnextfile(params)
  img.[onload]: document["image"].src = img.src; resizeImage();

Rather than using the 'getnextfile' servlet to get a file name and then load it, I would
like to have getnextfile return a stream of bytes from the database which seems feasible
(streaming a BLOB I assume), but I don't know how to receive that into an Image (which
wouldn't have 'src' set - ?).


Have a look here : http://www.w3schools.com/jsref/dom_obj_image.asp

The javascript DOM "img" object does not seem to have any callable
method by which it can retrieve its own image content.  The only way
to have it retrieve that content, is by changing its "src" property.
This you can do, and it will apparently refresh its own image by
itself when you do.
But the "src" property has to be set to a URL, so it "retrieves
itself" by making a HTTP call to the server.. chicken and egg kind of
thing.

In a form of obfuscation, you could try to set the "src" property to
something like 'javascript: retrieve_image("some id")' (Note: I
haven't tried this), and then have this "retrieve_image()" function be
something in one of your javascript libraries, which would in turn
retrieve the image from the server, in a way less visible to the
casual script kidd

Re: loading images through a Servlet

2015-10-02 Thread tomcat

Chris, you're kind of breaking down an open door here.
Bill was already at the stage of congratulating himself and dreaming of his retirement 
plan, following his discovery of a brilliant and innovative solution.

Better to start from the beginning of the thread..

On 02.10.2015 16:30, Christopher Schultz wrote:


Bill,

On 10/2/15 5:04 AM, Bill Ross wrote:

Thanks Andre for the well-considered reply. To Thad - thanks, I
also asked on stackoverflow after here.

I believe I have solved the obfuscation problem independent of the
javascript issue. What I just got working is logically:

img.src = "/images/" + /servlet/getnext(params)

Where I now have a Servlet at /images that serves the file, thanks
to a generous coder at stackoverflow. I'll post the nicely designed
code here if anyone wants.


Why not just use the DefaultServlet... that's what its job already
is. Or, do you need an image from a database or whatever?


I am adding a table to map random hashes to file names. I'll
insert there and have getnext() return the hash instead of the file
name. The new Servlet I just added will look up the hash, check the
age of the record and refuse it if older than a second, and then
serve up the mapped file from the filesystem with current date and
some flippant random file name in the headers.


You could do your security-checking, and then simply forward() to the
resource, then let the DefaultServlet actually serve the bytes. That
allows you to use range-requests, etags, if-modified-since, and all
that other good stuff.


So as far as I can see, the only thing not obfuscated is the image
itself and my ego, which is harmless here.


What do you need to obfuscate?


I can think of even more hare-brained schemes where for instance
some Ajax function of yours could open a websocket connection to
the server, and receive a stream of image objects from the server
over that single connection and "plug" them into the page as
appropriate.  But any kind of thing like that would start to
deviate seriously from standard practices, and need a serious
effort of development and debugging before it could be considered
as "production-level".


This is exactly what I was fishing for, and I thought maybe it had
been solved in some javascript library.


Do you need the image to be in an Image object, or do you want to put
it into an <img> on the screen? If the latter, just change the value
of the 'src' of the <img> and the browser will re-load the image from
the server.

-chris




Re: loading images through a Servlet

2015-10-02 Thread tomcat

On 01.10.2015 23:52, Bill Ross wrote:

Please let me know if there is a better place to ask Servlet/javascript 
interface questions.


For the javascript part, there are probably better places.  But the people here are 
awesome, so it's worth giving it a try.

For the servlet side of it, this /is/ probably one of the best places.
But let's start with javascript :

First a general principle : if you are thinking about security or any form of obfuscation 
in the face of a determined and competent client, basically forget it. To get an image or 
anything else from a server, the browser (or else), has to know how to get it, so you need 
to send it that information. And once the server sends any information to the client, it 
is no longer under your control, because the browser (or other program, such as curl and 
the like) is under total control of the client (user).


So, as long as /that/ is not your ultimate purpose,



I have a slide show web page that does the logical equivalent of:

 var img = new Image();
 img.src = "/images/" + /servlet/getnextfile(params)
 img.[onload]: document["image"].src = img.src; resizeImage();

Rather than using the 'getnextfile' servlet to get a file name and then load it, I would
like to have getnextfile return a stream of bytes from the database which seems feasible
(streaming a BLOB I assume), but I don't know how to receive that into an Image (which
wouldn't have 'src' set - ?).


Have a look here : http://www.w3schools.com/jsref/dom_obj_image.asp

The javascript DOM "img" object does not seem to have any callable method by which it can 
retrieve its own image content.  The only way to have it retrieve that content, is by 
changing its "src" property.  This you can do, and it will apparently refresh its own 
image by itself when you do.
But the "src" property has to be set to a URL, so it "retrieves itself" by making a HTTP 
call to the server.. chicken and egg kind of thing.


In a form of obfuscation, you could try to set the "src" property to something like 
'javascript: retrieve_image("some id")' (Note: I haven't tried this), and then have this 
"retrieve_image()" function be something in one of your javascript libraries, which would 
in turn retrieve the image from the server, in a way less visible to the casual script kiddie.


But do not forget that the browser first has to receive that javascript library from the 
server, so it has it, and the person controlling the browser can see it, and turn it off 
at will or modify it to do anything he wants; see basic principle above.
In a more sophisticated way, you can probably add a custom method to the img objects on 
the page (see jquery for that kind of thing), so that you can have them change their own 
src property and retrieve their content in a less-immediately visible way.  But again, 
refer to basic principle above.




One motivation is to reduce the round trips to the server for faster response 
time.


Basically, you still have to retrieve the image from the server, so I do not believe that 
you will gain much on that side.


Also, over quite a long period by now, as well browsers as webservers have been both 
well-debugged and optimised to death, to respectively retrieve and serve "things" using 
the "normal" HTTP methods (think of caching e.g., on both sides, and content compression), 
and avoid introducing security holes in the process (*).

Anything that you would do yourself is likely in the end to be even less 
optimised and secure.
(This is not to discourage innovation of course.  You might after all still invent a 
better mousetrap).


(*) yes, I know, successive IE versions are kind of a counter-example to that 
statement.


Another motivation is to keep the filename from the user.


See basic principle.  Anyone who installs the "web developer" plugin into his Mozilla 
browser, can ultimately find out anything about anything that is part of the page shown in 
the browser.


I can think of even more hare-brained schemes where for instance some Ajax function of 
yours could open a websocket connection to the server, and receive a stream of image 
objects from the server over that single connection and "plug" them into the page as 
appropriate.  But any kind of thing like that would start to deviate seriously from 
standard practices, and need a serious effort of development and debugging before it could 
be considered as "production-level".

So the question would be : is it worth it ?


P.S. and if you really want to know how to display tons of images fast, I suggest that you 
have a look (in a manner of speaking of course) at some of those many XXX websites.  They 
/must/ have ways to do this efficiently..






Re: loading images through a Servlet

2015-10-02 Thread tomcat

On 02.10.2015 17:04, Christopher Schultz wrote:


André,

On 10/2/15 10:38 AM, André Warnier (tomcat) wrote:

Chris, you're kind of breaking down an open door here. Bill was
already at the stage of congratulating himself and dreaming of his
retirement plan, following his discovery of a brilliant and
innovative solution. Better to start from the beginning of the
thread..


Yep, I read the whole thread.

I don't think this is a million-dollar idea. If it was, I would never
have gone to college, having written one of these for a client while I
was in high school. In my case, it was a CGI that counted hits to an
image whilst simultaneously serving that image. No security or
anything like that, but the "security" in Bill's case is just a proxy
for "do something first, then serve an image".



It is a bit more than that, though : a user cannot, for example, save the html page 
containing the images, and then reload it later, and still get the images with the 
same image links, because they will have "expired". Neither can one of these image links 
simply be copied to a friend in an email, and still work for the friend.


He also gets a specific action triggered when someone attempts this.

It is not something infinitely scaleable (the server-side hashtable would get quite 
large), but it is a relatively simple scheme, usable in quite a number of scenarios.



I'm suggesting that Bill can focus on his "do something first" task
and delegate the serving of bytes to a tool more appropriate for the
task: the DefaultServlet.



I would agree with you, except that at some point Bill mentioned serving the image content 
out of a database blob.

That's something the Default Servlet couldn't do.
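
The scheme discussed in this thread (a random token mapped to a file name, refused once it is older than a second, with a throwaway name in the headers), as an added example that is not code from any of the posters. The class and method names, the injectable clock and the sample file name are assumptions; expired and unknown tokens are reported separately so that a saved page or a crawler re-fetch need not be logged like a guessed token, and a purge keeps the server-side table from growing without bound.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

// Added example (Java 16+ for records). All names are hypothetical.
public class ExpiringImageTokens {

    public enum Status { OK, EXPIRED, UNKNOWN }

    /** Outcome of a lookup; fileName is null unless status is OK. */
    public record Redemption(Status status, String fileName) {}

    private record Entry(String fileName, Instant issuedAt) {}

    private final Map<String, Entry> table = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration maxAge;
    private final Supplier<Instant> now;   // injectable clock so expiry can be exercised

    public ExpiringImageTokens(Duration maxAge, Supplier<Instant> now) {
        this.maxAge = maxAge;
        this.now = now;
    }

    private String randomId(int bytes) {
        byte[] raw = new byte[bytes];
        random.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** What getnext() would return instead of the file name: 128 unguessable bits. */
    public String issue(String fileName) {
        String token = randomId(16);
        table.put(token, new Entry(fileName, now.get()));
        return token;
    }

    /** What the /images servlet would call before serving any bytes. */
    public Redemption redeem(String token) {
        Entry e = table.get(token);
        if (e == null) {
            return new Redemption(Status.UNKNOWN, null);   // never issued, or already purged
        }
        if (Duration.between(e.issuedAt(), now.get()).compareTo(maxAge) > 0) {
            return new Redemption(Status.EXPIRED, null);   // saved page, shared link, crawler
        }
        return new Redemption(Status.OK, e.fileName());
    }

    /** Run periodically; without it the table grows with every image ever offered. */
    public int purgeExpired() {
        Instant cutoff = now.get().minus(maxAge);
        int removed = 0;
        for (Iterator<Entry> it = table.values().iterator(); it.hasNext();) {
            if (it.next().issuedAt().isBefore(cutoff)) {
                it.remove();
                removed++;
            }
        }
        return removed;
    }

    /** Header value carrying a throwaway name, so the stored file name never leaves the server. */
    public String contentDisposition() {
        return "inline; filename=\"img-" + randomId(6) + ".jpg\"";
    }

    public static void main(String[] args) {
        Instant[] clock = { Instant.parse("2015-10-02T12:00:00Z") };   // constructed time
        ExpiringImageTokens store = new ExpiringImageTokens(Duration.ofSeconds(1), () -> clock[0]);

        String token = store.issue("photo-0001.jpg");                 // constructed file name
        System.out.println("fresh   : " + store.redeem(token));
        System.out.println("header  : " + store.contentDisposition());

        clock[0] = clock[0].plusSeconds(2);                            // link is now stale
        System.out.println("stale   : " + store.redeem(token));
        System.out.println("purged  : " + store.purgeExpired());
        System.out.println("after   : " + store.redeem(token));
        System.out.println("guessed : " + store.redeem("AAAAAAAAAAAAAAAAAAAAAA"));
    }
}
```

Once an entry has been purged, its token can no longer be told apart from one that was never issued, so the purge interval also decides how long a stale link is still reported as EXPIRED rather than UNKNOWN.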






Re: AW: Problems to configure tomcat as windows service

2015-10-02 Thread tomcat

On 02.10.2015 17:12, Arno Schäfer wrote:

Thanks for the hint Aurélien,


there *maybe is* documentation about this, see question & comments from 
Konstantin Kolinko in 
http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html


but I asked this question, because I recognize, that it didn't work like it 
is described, but in version 6 the description was the same and it has worked.



Maybe it is not only the version of Tomcat that has changed, but also the machine/OS on which 
you do this ? Maybe the user under which you execute this command does not have the required 
privileges, at OS level on this machine, to do this ?

Maybe the user-id *to* which you are trying to set the Tomcat service, does not have 
enough privileges to "run as a Service" ?
(In the services.msc applet, it would ask you interactively to grant these privileges 
first, but maybe the command-line tool cannot do that).


(I am not really a Windows OS specialist, but I have seen variations of the above kind of 
issues previously)







Re: Problems to configure tomcat as windows service

2015-10-02 Thread tomcat

On 02.10.2015 16:36, Arno Schäfer wrote:

Hi all,

using tomcat 7.0.54 on Windows 8.1 64 Bit system, I encounter the problem, that I can not
configure a user/password with the tomcat7.exe utility. I run this as a local administrator
in a DOS box with a valid user and password it returned with errorlevel 0, but the user was
not set in the service settings.

What can be the reason for this? The same solution run before in a tomcat 6 environment with
no problems and I recognize no changes in the documentation in this area.



Hi.
What exactly /is/ the problem ?
- that you cannot change the user-id under which it runs (which by default should be 
something like LocalService) ?

- or that you can change it, but then it crashes when you run it ?

If the last, then one more question : does your Tomcat or any of its applications need 
access to any network shared directory ?







Re: [OT] loading images through a Servlet

2015-10-02 Thread tomcat

On 02.10.2015 21:18, Bill Ross wrote:

Installed FF, HttpFox wasn't installed, installed it but it doesn't show up under
developer tools, but I found something and here are my headers:

HTTP/1.1 200 OK
Etag: W/"resized_2_33068.jpg-1443146350159"
Last-Modified: Fri, 25 Sep 2015 01:59:10 GMT [random time in past 22.32455 days]
Expires: Sun, 01 Nov 2015 19:12:45 GMT
Content-Type: image/jpeg



Content-Disposition: inline;filename="resized_2_33068.jpg";
filename*=UTF-8''resized_2_33068.jpg


isn't that a giveaway still ?


Content-Length: 157896
Server: Jetty(9.3.4-SNAPSHOT)

Bill

On 10/2/2015 7:17 AM, André Warnier (tomcat) wrote:

On 02.10.2015 12:44, Bill Ross wrote:

Whether or not I have masked the file name in the header properly, which I can't verify
easily


Oh yes you can.
Mozilla Firefox, plugins, Web Developer, HttpFox.
click and open in its own window.
click start

then get your page (in the main window)

then go back to the HttpFox window, click on a line and use the various views available
to see exactly what the browser has sent, and what the server returned (headers and all).


 but believe is working, I have definitely masked the name in the URL and protected
myself against later downloads:


HTTP ERROR 404

Problem accessing /images/_ewjMC3. Reason:

 Not Found

While on the server side:

...TagResourceServlet - DANGER OLD HASH ATTACK ...

Will the fame and money just arrive? I'll settle for 6 months' salary (that's how long
I've been working on my own unpaid :-)



You may want to refine your scheme a tad, thinking of the robots (Google etc) which will
be exploring your site.  You don't want to be swamped by DANGER messages above for
trivial cases (nor communicate their IP to the XXX sites).

Other than that, your scheme looks nice to me so far.





 Original message From: "André Warnier (tomcat)"
<a...@ice-sa.com> Date:10/02/2015 2:46 AM (GMT-08:00) To:
users@tomcat.apache.org Subject: Re:[OT] loading images through a 
Servlet

On 02.10.2015 11:39, Bill Ross wrote:

And if I find anyone hitting me with unknown or aged-out hashes I will report their IP
addresses to porn sites so they can be blocked there as well. This honeypot activity
could be an alternate source of income, if I hadn't just disclosed the method :-)



Never mind that. If you have actually found an innovative solution to the
"browser-knows-all-anyway" conundrum, much bigger fame (and income) awaits you.


Bill

 Original message From: Bill Ross <r...@cgl.ucsf.edu>
Date:10/02/2015  2:04 AM  (GMT-08:00) To: Tomcat Users List
<users@tomcat.apache.org> Subject: Re: loading images through a Servlet

Thanks Andre for the well-considered reply. To Thad - thanks, I also
asked on stackoverflow after here.

I believe I have solved the obfuscation problem independent of the
javascript issue. What I just got working is logically:

   img.src = "/images/" + /servlet/getnext(params)

Where I now have a Servlet at /images that serves the file, thanks to a
generous coder at stackoverflow. I'll post the nicely designed code here
if anyone wants.

I am adding a table to map random hashes to file names. I'll insert
there and have getnext() return the hash instead of the file name. The
new Servlet I just added will look up the hash, check the age of the
record and refuse it if older than a second, and then serve up the
mapped file from the filesystem with current date and some flippant
random file name in the headers.

So as far as I can see, the only thing not obfuscated is the image
itself and my ego, which is harmless here.


I can think of even more hare-brained schemes where for instance some
Ajax function of yours could open a websocket connection to the server,
and receive a stream of image objects from the server over that single
connection and "plug" them into the page as appropriate.  But any kind
of thing like that would start to deviate seriously from standard
practices, and need a serious effort of development and debugging before
it could be considered as "production-level".

This is exactly what I was fishing for, and I thought maybe it had been
solved in some javascript library.


P.S. and if you really want to know how to display tons of images
fast, I suggest that you have a look (in a manner of speaking of course)
at some of those many XXX websites.  They /must/ have ways to do this
efficiently..

Maybe I will be selling to them :-) Thinking of my slideshow app overall.

Bill



On 10/2/2015 1:16 AM, André Warnier (tomcat) wrote:

On 01.10.2015 23:52, Bill Ross wrote:

Please let me know if there is a better place to ask
Servlet/javascript interface questions.


For the javascript part, there are probably better places. But the
people here are awesome, so it's worth giving it a try.
For the servlet side of it, this /is/ probably one of the best places.
But let's start 
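
The token table Bill describes in the message above (random tokens mapped to file names, refused once older than a second), as an added example that is not code from the thread or from the Stack Overflow answer he mentions. The class name, the /srv/images root, the injectable clock, and making each token single-use are assumptions of this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

/** Short-lived, single-use tokens that stand in for image file names (hypothetical class). */
public class ImageTokenStore {

    private static final class Entry {
        final String fileName;
        final long issuedAtMillis;

        Entry(String fileName, long issuedAtMillis) {
            this.fileName = fileName;
            this.issuedAtMillis = issuedAtMillis;
        }
    }

    private final ConcurrentHashMap<String, Entry> tokens = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Path imageRoot;
    private final long maxAgeMillis;
    private final LongSupplier clock;

    public ImageTokenStore(Path imageRoot, long maxAgeMillis, LongSupplier clock) {
        this.imageRoot = imageRoot.toAbsolutePath().normalize();
        this.maxAgeMillis = maxAgeMillis;
        this.clock = clock;
    }

    /** Called by the "getnext" side: hands out an opaque token instead of the file name. */
    public String issue(String fileName) {
        byte[] raw = new byte[16];               // 128 bits from a CSPRNG, not a counter or hash of the name
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new Entry(fileName, clock.getAsLong()));
        return token;
    }

    /** Called by the image servlet: resolves a token once, only while fresh, only under imageRoot. */
    public Optional<Path> redeem(String token) {
        if (token == null) {
            return Optional.empty();
        }
        Entry entry = tokens.remove(token);      // atomic remove: a replayed token finds nothing
        if (entry == null) {
            return Optional.empty();
        }
        if (clock.getAsLong() - entry.issuedAtMillis > maxAgeMillis) {
            return Optional.empty();             // older than the allowed age
        }
        Path resolved = imageRoot.resolve(entry.fileName).normalize();
        if (!resolved.startsWith(imageRoot)) {
            return Optional.empty();             // stored name would leave the image directory
        }
        return Optional.of(resolved);
    }

    /** Drops tokens that were issued but never fetched, so the table cannot grow without bound. */
    public int purgeExpired() {
        long now = clock.getAsLong();
        int before = tokens.size();
        tokens.values().removeIf(e -> now - e.issuedAtMillis > maxAgeMillis);
        return before - tokens.size();
    }

    public static void main(String[] args) {
        long[] now = {0L};                       // constructed clock, so the run is deterministic
        ImageTokenStore store =
                new ImageTokenStore(Paths.get("/srv/images"), 1000, () -> now[0]);

        String fresh = store.issue("cat-0042.jpg");          // constructed file names
        System.out.println("fresh:  " + store.redeem(fresh));
        System.out.println("replay: " + store.redeem(fresh));

        String stale = store.issue("cat-0043.jpg");
        now[0] = 1500;                           // 1.5 s later, past the 1 s limit
        System.out.println("stale:  " + store.redeem(stale));

        String outside = store.issue("../../etc/passwd");    // bad row in the mapping table
        System.out.println("escape: " + store.redeem(outside));

        store.issue("never-fetched.jpg");
        now[0] = 5000;
        System.out.println("purged: " + store.purgeExpired());
    }
}
```

A servlet built on this would answer a failed `redeem` with the same 404 in every case, so a client cannot tell an expired token from one that never existed.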

Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-28 Thread tomcat

On 28.09.2015 18:09, Christopher Schultz wrote:
...




Not sure on this, as AJP is quite handy. Especially load balancing
java webapps and I find mod_jk quite good at this.


Remember, it's not mod_jk doing the load-balancing, it's Apache httpd.
mod_jk is simply providing the channel over which the proxying is
being done.


I don't think that's true.

In the case of mod_proxy_ajp, it is mod_proxy and mod_proxy_balancer who do the load-balancing.


But mod_proxy* are not used with mod_jk; it does its own balancing.

In a thread on the dev list, I'm a little more defensive
of AJP because of its ability to pass data out-of-band with respect to
the tunneled HTTP message. There definitely is utility there.

+1.  Passing Apache httpd's "environment variables" for instance, becoming "request attributes" in Tomcat.


...



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Log message - APR Error -70014

2015-09-23 Thread tomcat

On 23.09.2015 17:51, DB wrote:

Hello,

For Tomcat 8.0.24 and jre 1.8.0_60.

I have seen this stack trace in catalina.out and I have not found
anything using google search to discover the cause. The error is
intermittent and only shows up after pretty significant load:

17-Sep-2015 13:04:54.941 INFO [http-apr-8443-exec-3082]
org.apache.coyote.AbstractProcessor.setErrorState An error occurred in
processing while on a non-container thread. The connection will be
closed immediately
  java.io.IOException: APR error: -70014
 at org.apache.coyote.http11.InternalAprOutputBuffer.writeToSocket(InternalAprOutputBuffer.java:291)
 at org.apache.coyote.http11.InternalAprOutputBuffer.writeToSocket(InternalAprOutputBuffer.java:244)
 at org.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalAprOutputBuffer.java:213)
 at org.apache.coyote.http11.AbstractOutputBuffer.flush(AbstractOutputBuffer.java:305)
 at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:765)
 at org.apache.coyote.Response.action(Response.java:179)
 at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:349)
 at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:317)
 at org.apache.catalina.connector.CoyoteWriter.flush(CoyoteWriter.java:94)
 at MyServlet.doGet(MyServlet.java:55)

The code at this line is:  response.getWriter().flush();

What does this error mean?



Hi.
This is way beyond my depth in Tomcat or Java, but searching Google for "non-container thread" brought back one item which might be of interest :

https://bz.apache.org/bugzilla/show_bug.cgi?id=57683

Such as : maybe running Tomcat in a console could bring more light on the matter ?

P.S.
This should not be construed as even a suggestion that the eminent Tomcat committers involved in the mentioned bug report may have missed something.
As mentioned above, this is way beyond my depth, and I do not even really know what non-container threads are (that's why I was looking in Google).

It's just that some of the lines in the stack-traces look eerily similar.

P.S.2 :
A better search in Google seems to be : tomcat "non-container threads"





Re: Which version of Tomcat supports Java 8

2015-09-24 Thread tomcat

On 25.09.2015 01:03, gloria.zh...@wellsfargo.com wrote:

Hi,

We are currently using Tomcat 7.0.62. Does this version officially support Java 8? If not, which version of Tomcat supports it.



All you wish to know is here : http://tomcat.apache.org/whichversion.html







[OT] Re: Parallel Deployment: Can I request a specific webapp version?

2015-09-24 Thread tomcat

On 24.09.2015 23:59, George Sexton wrote:
...



Couldn't you have your load balancer send x% to one instance, and 1-x% to the other instance?


Wait, I didn't get this.
Say that x = 20.
So we send 20% to instance A.
Then we send (1 - 20)% = -19%, to instance B.
So together, instance A and instance B handle (20 + -19)% = 1% of the clients.
What happens to the other 99% ?






Re: soap web service (axis based) on tomcat 8

2015-09-19 Thread tomcat

On 19.09.2015 02:20, jennifer zhou wrote:

Hi,

   Our app was running well on Tomcat 7 on linux. Recently we migrated to
Tomcat 8 on linux. However we found the system CPU usage is higher than
normal. When there is no any user interaction, we still see about 25% of
the system CPU usage. After deep dive, we found the tomcat keeps scanning
our app's class path under WEB-INF folder. Actually all our artifacts are
packed within WEB-INF/lib folder, there is nothing within WEB-INF/classes
folder. Is there any way to look for WEB-INF/lib folder first before
looking for artifacts within WEB-INF/classes folder?

Also why does Tomcat keep scanning our app classpath during app idle time?
Is there any way to turn this off?


Quick pointer :
http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Standard_Implementation
See "autoDeploy" (default is true)

If you set this to "false", does the same still happen ?



The detailed information is shown as below for your references.

7196  lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
7196  lstat("/home/jgu-admin", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
7196  lstat("/home/jgu-admin/apache-tomcat-8.0.24", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
7196  lstat("/home/jgu-admin/apache-tomcat-8.0.24/webapps", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
7196  lstat("/home/jgu-admin/apache-tomcat-8.0.24/webapps/IDManager", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
7196  lstat("/home/jgu-admin/apache-tomcat-8.0.24/webapps/IDManager/WEB-INF", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
7196  lstat("/home/jgu-admin/apache-tomcat-8.0.24/webapps/IDManager/WEB-INF/classes", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
7196  lstat("/home/jgu-admin/apache-tomcat-8.0.24/webapps/IDManager/WEB-INF/classes/org", 0x2b9a564eb2b0) = -1 ENOENT (No such file or directory)

Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x

2015-09-23 Thread tomcat

srini_

On 23.09.2015 19:03, Srinivasan Raman wrote:

Hi Graham,
Unfortunately, the data needs to be encrypted if the communication is over TCP, even if it is to a process in the same VM.
Any alternatives that you can suggest for getting Unix domain sockets to work with Tomcat? I did come across mention of a connector, JK, that mentions Unix Domain sockets - that's what got me interested in this.
Thanks,
srini_



You already got a response from Christopher, one of the Tomcat Committers.
Re-read it.

It basically boils down to this :
either
- you write this yourself from scratch, both at the Apache httpd (mod_jk/mod_proxy_ajp) and at the Tomcat level (AJP Connector)

or
- you convince whoever wrote that requirement, that an internal TCP connection within the same host, is no less secure than a Unix Domain socket


Your choice.

(Otherwise, look at "socat" : http://www.dest-unreach.org/socat/)
(I am just kidding; you would end up with two local TCP connections instead of one. But it /would/ use a UDS in-between. And internally, it must be doing the kind of things needed to "adapt" TCP to UDS and vice-versa. So maybe looking at the source code may give you an idea of what would be involved).




Subject: Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
From: minf...@sharp.fm
Date: Wed, 23 Sep 2015 18:11:06 +0200
To: users@tomcat.apache.org

On 23 Sep 2015, at 5:55 PM, Srinivasan Raman <srini_b...@hotmail.com> wrote:


Sorry, I should have provided more details while posting the query.
Due to a security policy that mandates that a certain type of sensitive data flowing over a communication channel must be encrypted, we are using SSL. If the communication channel were to be Unix Domain sockets, we do not need to encrypt the data, based on the data classification for this use-case.


Would it be possible to confirm the need for encrypting traffic over localhost?

Regards,
Graham
—












Re: Tomcat, Apache web-server : Simultaneously running both servers and Virtual Hosting.

2015-12-07 Thread tomcat

On 07.12.2015 11:26, Kernel freak wrote:

Hello friends,

I am working on some server side changes in which I have the webapps or
website hosted by Apache server is called by the URL. So if url is
www.domain-one.com, then the specific webapp or website must be served.

I have partial success in these regards as I have already configured Apache
Tomcat to host multiple webapps, and call them based on URL. It is working.

Now on to the 2nd stage of problem, where I have hosted a CMS on Apache
server, and would like to call it with a URL, *but also keep Apache tomcat
running in parallel*, and this is the main problem I am dealing with.

This may seem like a Apache server issue, but it's both, as I want to run
Apache web-server and Apache tomcat simultaneously with Virtual hosting. I
just hope there might be people here who know both servers.

I tried mod_jk without any luck. Here are the changes I made to tomcat and
apache server.

Tomcat changes : server.xml :








  
 
 www.domain-first.com
 
 

 
 www.domain-second.com
 


 
 



Installed mod_jk with following command :


   apt-get install libapache2-mod-jk

Created file workers.properties in /etc/apache2/


# Define 1 real worker using ajp13
  worker.list=worker
  # Set properties for worker (ajp13)
  worker.worker.type=ajp13
  worker.worker.host=localhost
  worker.worker.port=8010

Instructed jk.conf to load this file :


JkWorkersFile /etc/apache2/workers.properties


Finally edited 000-default in sites-enabled to add :


 JkMount /home/user/tomcat_directory/* worker1

Then restarted Apache2, and I got this error :


[] Restarting web server: apache2(98)Address already in use:
make_sock: could not bind to address [::]:80
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
Action 'start' failed.
The Apache error log may have more information.
  failed!


I understand that Tomcat is running on 80, but how do I then configure
the servers so they can run simultaneously.

Kindly let me know..



Hi. You may have a lot of reading to do, specially on the Apache httpd side.
It will be worth it in the end, to be able to think "globally" about the issues, and to be able to decide where best to do what.


1) Virtual Hosts :
   http://httpd.apache.org/docs/2.2/vhosts/  --> name-based virtual hosts
2) Proxying from Apache to Tomcat :
   http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
   http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html (an alternative to mod_jk)
   .. and mod_jk you already know
3) URL Rewriting :
   http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
   (allows you to do a lot of things, in combination with mod_proxy, but at a much finer level)


Also, a tip if you want to use mod_jk in combination with all the Apache-httpd modules above : look at an alternative way to configure proxying from httpd to Tomcat, here :

http://tomcat.apache.org/connectors-doc/reference/apache.html
section : Using SetHandler and Environment Variables
This method replaces the JkMount/JkUnMount, and fits nicely in Apache httpd's  
scheme, together with mod_rewrite, mod_proxy etc..







Re: Creating another Tomcat copy in hot stand-by when original goes down.

2015-12-08 Thread tomcat

On 08.12.2015 14:07, Kernel freak wrote:

Hello friends,

I am working on a Debian server in which I would like to setup 2 instances
of Apache tomcat which will be load balanced by an Apache HTTP server(Do I
require a http server? ). In-case one copy of Apache tomcat goes down, the
other one will automatically comes online.

While I was creating a configuration for one of our server, I know how to
relay requests based upon URL to Apache Tomcat, these are the 2 things I
don't know.

1) Will this work with https? Reason I ask is, there are many pages which
are served under https and the configuration which I have and shown below
seems to be calling with http instead of https.

2) How to trigger the 2nd copy of tomcat.


[snip]

Hi. To answer this "top-down" :

1) to "load-balance" 2 tomcats, there are many ways, and you do not necessarily have to use Apache httpd as a front-end, there are other solutions.

But the Apache httpd solution is probably the easiest to set up, and it's free.

2) picture the following setup :

user browser <-- HTTP or HTTPS --> Apache httpd <-- HTTP/HTTPS/AJP --> tomcat1
                                   + Connector  <-- HTTP/HTTPS/AJP --> tomcat2

tomcat1 and tomcat2 are always active, both.  You do not start one when the other fails.
They are normally both active, and they share the load (the httpd Connector does that for you).
If one tomcat fails, the Connector under Apache httpd will notice that, and will start forwarding the requests only to the still-working tomcat.
When the failed tomcat comes back on-line, the Connector notices again, and starts balancing the requests again to both tomcats.

If both tomcats fail, you get an error at the httpd level.

3) for the httpd-level "Connector" between httpd and tomcat, you have 3 choices :
   a) mod_proxy + mod_proxy_http
   b) mod_proxy + mod_proxy_ajp
   c) mod_jk
Each one of those can do load-balancing, but their configuration is different.

4) If Apache httpd and the tomcats communicate through a network that is considered as secure, then the most efficient configuration would be :

                 Connection A                     Connection B
user browser <-- HTTP or HTTPS --> Apache httpd <-- HTTP/AJP --> tomcat1
                                   + Connector  <-- HTTP/AJP --> tomcat2

The usual way of describing this is "terminating HTTPS at the httpd level".
In other words, do not use HTTPS between httpd and tomcat (connection B), because it would unnecessarily force an additional encryption/decryption.
All the additional HTTPS information that may be needed at the tomcat level, to know that the original user connection with httpd (connection A) was under HTTPS, will be anyway forwarded by the Connector, to Tomcat (as HTTP request headers).

(So tomcat can always know if the original browser to httpd connection A was secure or not.)

5)
- The (mod_proxy + mod_proxy_http) Connector, forwards the original (HTTP/HTTPS) client requests to Tomcat, using the HTTP protocol (and format).

So at the receiving end, in Tomcat, you need a matching HTTP Connector.

- the (mod_proxy + mod_proxy_ajp) Connector, and the mod_jk Connector, forward the original (HTTP/HTTPS) client requests to Tomcat, using a protocol/format that is not HTTP, but which essentially carries the same information (it is the AJP protocol/format).

So at the receiving end you need a matching AJP Connector.

- when the request is received by Tomcat using either one of the Tomcat Connectors, it is the job of the Tomcat-side Connector to "translate" this request into an internal Tomcat "request object", which is always the same.  So from the point of view of your tomcat webapps, it does not matter through which Connector the request was received, it always looks the same.

- one difference between proxying through HTTP and proxying through AJP, is that the AJP protocol does not have a corresponding "AJPS" encrypted version.
In other words, you should probably not use either (mod_proxy + mod_proxy_ajp) or mod_jk, if your httpd and tomcats communicate over a non-secure channel (such as over an Internet connection). (You could still do that over an SSH tunnel, but that complicates things).

- another difference is that the AJP protocol can carry to tomcat, a user-id that has been authenticated at the httpd level.  The HTTP protocol does not do that by itself.
(In short, if you authenticate users at the httpd level, and want Tomcat to use this and avoid authenticating the user again, then use the AJP protocol).


Does this give you enough material to figure out the rest of your questions ?







Re: Detecting Expired Session via JavaScript?

2015-12-02 Thread tomcat

On 02.12.2015 16:55, Christopher Schultz wrote:

Jerry,

On 12/1/15 2:39 PM, Jerry Malcolm wrote:

On 12/1/2015 12:17 PM, Jose María Zaragoza wrote:


ts automatically resets the session timer.
Only if the request goes to the same application.
You can create a HttpSessionListener who saves some info on a shared
store when session is expired.
Another REST service could check the status of the session when is
requested by your page

Jose,

I understand the listener and storing the state in common storage. But
I'm confused on your statement above about the same application.  I have
several web apps running on the same host instance.  They all share a
common login using SingleSignOn.


Each application has a distinct HttpSession object. The SingleSignOn
cookie allows each application to re-authenticate using the SSO
information, so you get a new HttpSession if your old one times out.


If I hit any of the apps it resets the timer.


I don't think hitting app A will reset the session timeout of app B's
session. (Or maybe it does, but I didn't think that's how SSO worked in
Tomcat. Unfortunately, the SSO documentation[1] doesn't actually say
exactly how all this works.)


Do they all have separate sessions but share a common login state?


Yes.


What is the relationship between "logged in" and separate webapp
sessions that come and go independently. What I really care about is
whether the authenticator is going to bounce the request to a login page
or not.  It still seems like calling any app is going to reset the
logged-in timer if I'm using single sign-on (?).


The authenticator is not going to send you to a login page for any
application unless either of these events occurs:

(a) You explicitly log-out from one of the applications. This will
 terminate the SSO cookie and revoke your logins on all associated
 applications.

(b) Your SSO cookie (or server-based info) expires. Then you will be
 asked to authenticate again.

If you are using SSO, this adds a bit of mystery to the situation, since
what you really want to find out is whether the /SSO token/ is still
valid. The validity of any of the various individual-application session
identifiers is irrelevant, since if the SSO token is valid, you will be
automatically re-authenticated to the individual applications.

I think you may have to re-think how you detect the expiration of your
users' logins.



Hi.
I am sorry to barge in this discussion, which I have been loosely following over several days, but I have to say that at least based on the documentation at

http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Single_Sign_On_Valve
and
http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Single_Sign_On

, I still do not understand what the problem is, that Jerry is trying to solve.

In his original post, Jerry said
"But basically, I want to know that the session is no longer valid and force the user back to the login page."
And he later mentioned that he was using the SSO Valve, and container-based Form authentication for the webapps.


But as far as I understand, that is the way in which this works :
- as soon as the user (initially) accesses any of the protected applications, he/she gets a login page and has to login.  Thereafter, he/she gets access to the requested application, which creates an "application session", in which the logged-in state is recorded.
- because of the SSO Valve, some information is also stored separately, regarding the user authentication
- now if the user accesses another protected application, the container - which would normally send back a login form - notices that there is stored SSO authentication information, and automatically authenticates the user for this second application.
Which also creates a separate "application session" stored on the server.
- and so on...
- at some point in the future, any one of these stored application sessions becomes invalid (either by something actively invalidating the session, or by a session timeout).
At this point - if I believe the documentation - the container immediately invalidates all the other application sessions and whatever SSO authentication had been saved, so that if the user subsequently accesses any other (or the same) application, they get a login page again.


And is that not precisely what Jerry wanted to achieve in the first place ?

Or am I missing/misunderstanding something ?








Re: Fwd: curl and geoserver not working

2015-12-06 Thread tomcat

On 06.12.2015 20:25, pablo zader wrote:

Hello list.

Something strange is happening when I load a file to Geoserver by curl. I
observed in the tomcat manager that the process never leaves the state (s)
of service:

*Sent Time Stage B B Recv Client (Forwarded) Client (Current) VHost Request*
*S 1968673 ms 0 KB 59442 KB 172.xx.xx.xx 172.xx.xx.xx 172.xx.xx.xx
/geoserver/rest/workspaces//coveragestores//file.geotiff PUT HTTP /
1.1*

​
The curl command is nailed to the command line:

$> Curl -v -u user: pass -XPUT -H 'Content-type: image / tiff'
--data-binary @ / mytif.tif http: // myip: myport / geoserver / rest /
workspaces /  / coveragestores //file.geotiff

* About to connect () to 172.19.12.24 port 8080 (# 0)
* Trying 172.19.12.24 ... Connected
* Server using basic with auth user 'admin'

/geoserver/rest/workspaces//coveragestores//file.geotiff PUT HTTP

/ 1.1

Authorization: Basic YWRtaW46cHJveWVjdG9VREVHRTIwMTU =
User-Agent: curl / 7.22.0 (x86_64-pc-linux-gnu) libcurl / 7.22.0 OpenSSL

/ zlib 1.0.1 / 1.2.3.4 libidn / librtmp 1.23 / 2.3

Host: myip: myport
Accept: * / *
Content-type: image / tiff
Content-Length: 125009107
Expect: 100-continue




And in the file /usr/share/tomcat7-admin/manager/WEB-INF/web.xml


   
400428800 
400428800 
0 
 

I think this must be a problem of Tomcat, but maybe the problem is
Geoserver.



Hello Pablo.
Nothing to do (maybe) with your problem itself, but in your message to the list, above, there are a lot of spaces that do not look like they should be there.


For example, in

> $> Curl -v -u user: pass -XPUT -H 'Content-type: image / tiff'
> --data-binary @ / mytif.tif http: // myip: myport / geoserver / rest /
> workspaces /  / coveragestores //file.geotiff

and in

>> Host: myip: myport
>> Accept: * / *
>> Content-type: image / tiff

and in

> 400428800 


Since any of these spaces could in principle cause something to malfunction, could you repost your question with all the not-original spaces removed ?







Re: Today's Apache Tomcat: TLS Virtual Hosting webinar is now available on YouTube

2015-12-09 Thread tomcat

On 09.12.2015 01:13, Yu, Yujin wrote:

Hi,
Please kindly remove myself in this e-mail group.


Please see instructions for that at the bottom of *each message* on this list.
...



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







Re: Custom Connector class

2015-12-09 Thread tomcat

On 09.12.2015 14:03, Roel Storms wrote:

The real requirement is being able to process the body of a request in a
Valve without restricting the servlet to call request.getInputStream,
getReader and getStream. I have tried by wrapping the request but some
behavior can't be masked. It is also much more simple to implement by just
extending the Request class and using this in Connector.createRequest().

So the actual requirement is a Valve wanting to process the body but still
allowing the target application to call whatever processing method they
chose. When the Valve would chose to process the body by calling
Request.getInputStream(). The servlet wouldn't be able to call getReader or
getParam anymore. I would like my Valve to be transparent in that sense.


I am no java nor Tomcat guru, so take this with caution :
Looking at

http://tomcat.apache.org/tomcat-8.0-doc/config/http.html#Common_Attributes
--> maxSavePostSize

makes me think that there is a case where tomcat saves an incoming request body, and restores it afterward (after the authentication).  Since the authentication takes place before the webapp is called, it cannot know the way in which the webapp is going to consume the request body. So the saved body must be saved in such a way, that the webapp can afterward consume it in the way it chooses.

Doesn't that provide some clue on how to solve your problem ?





2015-12-09 13:07 GMT+01:00 Konstantin Kolinko <knst.koli...@gmail.com>:


2015-12-09 14:13 GMT+03:00 Roel Storms <roel.sto...@gmail.com>:

Hello,

In Tomcat 4.1 it used to be possible to specify a custom class for the
Connector: https://tomcat.apache.org/tomcat-4.1-doc/config/coyote.html

In the newest versions it's only possible to provide a custom Protocol.
However I would like to modify the Request that is created by the
Connector.createRequest() method. Is this no longer possible via
configuration?




As a note:
If such a feature is ever going to be implemented, the place to fix is
org.apache.catalina.startup.ConnectorCreateRule class.

Instances of Connector are created via that rule, instead of a
standard class creation rule, and so (unlike other elements processed
by digester) className attribute does not work here.

Best regards,
Konstantin Kolinko











Re: Failover not working even after configuration.

2015-12-09 Thread tomcat


On 09.12.2015 15:56, Kernel freak wrote:

I am working on Apache and tomcat to setup Load-balancing and fail-over.
Initially I thought that load-balancing would include fail-over, but I was
wrong. I thought that if one instance is not active, then consuming other
instance also becomes a part of load-management.


It should :
quote : http://tomcat.apache.org/connectors-doc/reference/workers.html

 Load balancer management includes:

- Instantiating the workers in the web server.
- Using the worker's load-balancing factor, perform weighed-round-robin load balancing where high lbfactor means stronger machine (that is going to handle more requests)
- Keeping requests belonging to the same session executing on the same Tomcat worker.
- Identifying failed Tomcat workers, suspending requests to them and instead fall-backing on other workers managed by the lb worker.

The overall result is that workers managed by the same lb worker are load-balanced (based on their lbfactor and current user session) and also fall-backed so a single Tomcat process death will not "kill" the entire site.



Enough with the terminologies, I setup fail-over, but the ironical part is fail-over itself
is failing.

As soon as I shut down one instance of tomcat, the entire setup is dead and
I am getting 503. Can someone help me understand what is the problem.



Maybe the first step would be to remove the irrelevant parts of the configuration below.
Also, please make an effort at formatting your email, in plain text.
What comes below is almost unreadable as it is.
(Even in the original mail to the list, see by yourself)

I have reformatted what I could..


Added this in apache2.conf :

JkWorkersFile /etc/apache2/workers.properties
JkMount /* loadbalancer

workers.properties :

worker.list=loadbalancer
worker.server1.port=8010
worker.server1.host=localhost
worker.server1.type=ajp13

worker.server2.port=8011
worker.server2.host=localhost
worker.server2.type=ajp13

worker.server1.lbfactor=1
worker.server2.lbfactor=1

worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=server1,server2
worker.loadbalancer.method=B
worker.balancer.sticky_session=True

000-default in sites-enabled :


JkMountCopy On




 BalancerMember ajp://localhost:8010 route=server1 connectiontimeout=10
 BalancerMember ajp://localhost:8011 route=server2 connectiontimeout=10

ProxySet stickysession=JSESSIONID|jsessionid
Order Deny,Allow
Deny from none
Allow from all

ProxyRequests off
ProxyPass /balancer-manager !


ProxyPass /  balancer://mycluster/
ProxyPassReverse / balancer://mycluster/

SetHandler balancer-manager
Order Deny,Allow
Deny from none
Allow from all




First tomcat's server.xml :



On your front-end, you are re-directing everything to the tomcats, via AJP.
So this Connector is superfluous, and only makes the discussion more confusing :






Same for this one. You are using AJP, so you are never accessing tomcat directly via 
HTTPS. Useless :






This one is being used :



 
 // No modifications inside

Second Tomcat's server.xml :



useless, see above :





useless, see above :




Used:

  
 
 // No modifications here
 




Note : your HTTP(S) Connectors are useless, since nothing should in principle ever reach
tomcat via HTTP(S). But if you are going to use the redirectPort="8443" attribute, you may
at least ensure that the corresponding port is attended to.

So, I suggest that you clean up your configuration, and repost it in a more readable 
format. Then maybe we'll see something.















Apache httpd / mod_proxy_ajp logging

2015-12-03 Thread tomcat

Hi.

Although the above module is a httpd-level, this might still be the right place 
to ask :

I am usually using mod_jk as an Apache httpd / Tomcat connector.
With mod_jk, there is a separate JkLogLevel directive to set the log level, and also a 
separate logfile.


Would anyone here know what is available in that respect with mod_proxy_ajp ?
Can I trace at the httpd level what is actually being proxied to Tomcat ?

Thanks.




Re: Detecting Expired Session via JavaScript?

2015-12-01 Thread tomcat

On 01.12.2015 18:30, Jerry Malcolm wrote:

I'm looking for a way to detect that the current session has expired (or logged out via
another tab on the browser).  I know I could just issue dummy requests to the server and
see if a login page comes back.  But issuing requests automatically resets the session
timer. I need a benign way to query that doesn't keep the session alive forever.

I'm sure this problem has been solved before.  But basically, I want to know that the
session is no longer valid and force the user back to the login page.


Isn't that what the standard authentication code does ? (or could do ?)

I know one possibility is to set the Tomcat timer to 30 min expiration, and then keep a
'29 minute' timer running in the browser. But my clients can change the tomcat session
timer length. And also this doesn't account for a logoff using the same session on a
different browser tab.  I'd really like a pro-active query method if anything like that
exists.

Suggestion?

Thanks.

Jerry




Re: Failover not working even after configuration.

2015-12-09 Thread tomcat

On 09.12.2015 17:02, Kernel freak wrote:

Hi,

Thank you for finding out that mistake with port-number. What I fail to
understand is, where to redirect the AJP request then?


Why would you need to ?

Again :

Your AJP  (in Tomcat) will *never* receive requests that are HTTPS.  It expects 
(and in your configuration, receives) only requests in the AJP protocol format (from the 
Apache-httpd-side mod_jk or mod_proxy_ajp module).

(And if it received anything else, it would bitterly complain).

Also again:
Your configuration is :

User browser <-- HTTP(S) --> Apache httpd + mod_jk <- AJP -> Tomcat AJP Connector <--> Tomcat webapp


The user's browser talks to Apache httpd using either HTTP or HTTPS.
If it is HTTPS, Apache unencrypts it.
The request is then (partially) processed in Apache httpd (parsing the headers etc.), and 
then it is forwarded to (one of the) Tomcat by the mod_jk module, in AJP format (which has 
no encrypted version). It is received by the AJP Connector in Tomcat (which understands 
AJP, but not HTTP/HTTPS). The AJP Connector in Tomcat makes this into a Tomcat/java HTTP 
Request object, that object is passed to the webapp, and that is what the webapp is 
dealing with.


The webapp Response object goes the opposite way.
Tomcat outputs this response through the AJP connector, which encodes it as an "AJP 
message". This message goes to the Apache mod_jk connector. The mod_jk connector decodes 
this back for Apache-httpd, into an "Apache httpd response".  Apache httpd then sends this 
response back to the browser, in HTTP or HTTPS, depending on how the browser originally 
connected to httpd to send that request.


The thing to understand here, is that along with the request in AJP format that mod_jk 
sends to the Tomcat AJP Connector, there will be (optionally) a number of "SSL 
attributes", which allow the recipient webapp to know that the original browser-to-httpd 
connection was HTTPS (or not), even though Tomcat received that request through the AJP 
Connector, in non-SSL AJP format.


See here :
http://tomcat.apache.org/connectors-doc/reference/apache.html
--> JkExtractSSL

I do not know Spring, and I do not know under what conditions it would send back https:// 
links or not. But this should not be a problem, if the configuration on both Apache-httpd 
and Tomcat is correct.


Now, all that I am saying above, and also all your load-balancing setup, is only valid 
assuming that *all* browser-to-Tomcat communications always goes through Apache httpd.

If you allow browsers to access Tomcat directly, then all this is moot.

A browser cannot talk directly to the Tomcat AJP Connector, they would not understand
each other. But if your Tomcats have active HTTP/HTTPS Connectors, and the browser is able
to connect to them, then forget all the above, it will not work as you expect.

(Such connections would also bypass the load-balancing that you want).





Can you tell me that. I am as of now creating additional mail, as I changed the config and
added a Cluster in tomcat. I just need to know what's the deal with those
connectors, as the webapp requires https..

Should I remove that redirectPort in ajp? Kindly let me know. Thank you.


Re: Tomcat available memory

2015-12-11 Thread tomcat

On 11.12.2015 11:17, Yogesh Patel wrote:

In Tomcat's JVM settings following parameters are configured :

-verbose:gc -XX:+PrintGCDateStamps -XX:+PrintGC -Xloggc:logs/gc.log

which prints log in file like below:

2015-12-11T15:42:06.779+0530: 5.662: [GC [PSYoungGen:
115711K->26741K(218624K)] 159969K->71550K(283136K), 0.0305672 secs] [Times:
user=0.02 sys=0.02, real=0.03 secs]


I want to print like below in log file:

Free memory: 244.47 MB Total memory: 512.00 MB Max memory: 910.50 MB

What parameters need to set in JVM option of Tomcat to achieve this?



You need to look at the options for the JVM that you are using.
That is not within the scope of Tomcat.
It is not Tomcat writing this, it is the JVM. And it is not "Tomcat's JVM", it is the "JVM 
vendor's JVM" (Oracle, IBM or whatever).









Re: maxConnection and keepAliveTimeout

2015-12-11 Thread tomcat

On 11.12.2015 07:56, Yogesh Patel wrote:

Hi All,

*If we do not configure "maxConnections" then it will take default value as
maxThread (which is 200) and "keepAliveTimeout" will take default value of
connectionTimeout (which is 60 seconds) then what is an impact of
configuring these parameters?*

*What value for "keepAliveTimeout" will be considered as the best?*


hi.

This must already have been answered a million times on this list and others, 
but anyway :

1) https://en.wikipedia.org/wiki/HTTP_persistent_connection

...

"Disadvantages

If the client does not close the connection when all of the data it needs has been 
received, the resources needed to keep the connection open on the server will be 
unavailable for other clients. How much this affects the server's availability and how 
long the resources are unavailable depend on the server's architecture and configuration.

"

Imagine the case of a browser requesting a html page from a server, and receiving back a 
page which contains 30 further links to other resources on the server, all needed to 
represent the initial page correctly (css,javascript,images,..).
The keep-alive setting is meant to allow the browser to fetch these additional resources,
using the same initial TCP connection, instead of having to re-build a separate connection
for each of these additional resource calls.


The keep-alive timeout kicks in each time the server has finished serving one resource to 
the browser.  The server then waits (with the connection still open) for another "timeout 
seconds", to see if the browser sends any other request on the same connection.  If the 
timeout is reached without the server receiving any additional request, the server closes 
the connection, /and can free the resources that were waiting on that connection/.


In modern infrastructures, if the server does not receive any more requests on a
connection after a few seconds, it is likely that the browser is not going to send any
additional requests there.  So it is better to free such a connection relatively quickly
(like, 5 s), to allow the server resources to process other requests instead.


And by the way, I would also lower the connectionTimeout, if I was you.
Just to reduce the possibility of one form of DOS attack.






Re: Tomcat Conflicting with Group Policy Client

2015-11-19 Thread tomcat

On 19.11.2015 05:19, Nick Childs wrote:

Tomcat Version: 6.0.39

Operating System: Server 2012 R2 Standard

Configuration: We are utilizing Tomcat as part of a Pentaho deployment - Tomcat 
is utilized for Pentaho's Data Integration and Business Analytics services.
Description: We have a custom Deployment of Pentaho using PostgreSQL and Tomcat 
Apache running within the current version of our proprietary Medical Imaging 
software. The integration works well, but we have spent months struggling to 
identify the cause of a major conflict between the PostgreSQL/Tomcat 
integration and group policy client in windows domain environments. Whenever 
the PostgreSQL and Tomcat Apache (Pentaho Data Integration) services are 
running, we begin to see 1 hour + reboot times and gpupdate failures due to the 
group policy client just hanging for long periods of time with no explanation. 
If only Pentaho is running, no problem is experienced. If only Tomcat is 
running, no problem is experienced - it is only when we have both 
running/communicating the Group Policy updates begin to fail.

We have enabled all known debugging in Group Policy, PostgreSQL, Pentaho, and 
Tomcat, performed xBootMgr traces, performed Process Monitor analysis, and 
Packet Captures, but have been unable to determine the cause of the conflict. 
We are also working with Microsoft, Pentaho, and PostgreSQL independently to 
try and flush out the culprit. After spending weeks analyzing and reviewing our 
development team's internal notes, I have become fairly confident that the root 
cause of this problem is related to the way that we deployed Tomcat, and the 
way that Tomcat/PostgreSQL communicate with each other, but I have not found 
solid proof that actually indicates this yet.

I have learned a lot about how PostgreSQL/Tomcat are functioning in this 
environment over the last week, but I am not part of the team that deployed 
this, and am certainly not an expert on Pentaho, PostgreSQL, or Tomcat. I have 
been collecting a list of debug error/warnings from the Tomcat logs over the 
last few days (attached), and I am hoping someone who is an expert on this 
stuff can possibly review this list of errors, provide an explanation/priority 
for each, and answer the following questions:

1. Are there any known conflicts with Tomcat and GroupPolicy in Windows domain 
environments? Required Configurations? Workarounds?
3. Are there any special debugging options or monitoring tools that we could 
use to get more information about what Tomcat is doing during the time periods 
that Group Policy Client is hung? The built-in logging is not helping us.
4. Do you have any suggestions or options that we can try to see if our 
behavior changes?

Please let me know if there is any additional information I can provide to help.



Hi.
I don't know anything about the various non-Tomcat softwares you are mentioning, and just 
a little bit about Tomcat.
But the one thing I see in your Tomcat logfile, is that there seem to be a lot of TCP 
connection errors of the kind "(Connection refused. Check that the hostname and port are 
correct and that the postmaster is accepting TCP/IP connections.)"

These seem to be related mostly to PostgreSQL.
Maybe there is a limit (in the PostgreSQL configuration) to how many connections it 
accepts at the same time ? or maybe the PostgreSQL server is just overloaded ?
Anyway, I would check this first, because there is a chance that many of the other errors 
which you are seeing are cascading down from there.







Re: Source IP filtering on some URLs before Container-managed authentication

2015-11-20 Thread tomcat

On 20.11.2015 17:00, Ognjen Blagojevic wrote:

Andre,
Chris,

On 20.11.2015 9:30, André Warnier (tomcat) wrote:

On 19.11.2015 21:26, Christopher Schultz wrote:

I think that may be the only way to do it. IIRC, someone did some work
to allow Filters to be used in the valve chain, but I don't think there
is any facility for specifying s for those.


Or, you could switch from container-based AAA, to application-based AAA.
You can create a servlet filter which "wraps" your application(s), and
in it apply any rules you want.  This is totally portable, not
Tomcat-specific, and doesn't require any change to server.xml for
instance (nor to your application).


Thank you both for looking into this.

Ok, so it is a choice, either
- move RemoteAddrFilter to become a Realm in front of Authenticator Valve, or
- move Authenticator valve to become a Filter behind RemoteAddrFilter.



To avoid having to redo what others have already done, you may also want
to have a look at : http://tuckey.org/urlrewrite/manual/3.0/#filterparams
  see :  element
--> remote-addr  (for instance)

(I'm not saying that urlrewrite fills /all/ your needs, but you could
combine urlrewrite with some simple code of your own, to fill all your
needs. (snip)).


This part I don't get. What is the added value of using urlrewrite compared to
RemoteAddrFilter? It is basically the same functionality?



Well, you can use a lot more conditions in urlrewrite filter, such as a client IP + URL 
patterns + lots more. And you can combine them using the type="next".


Your original post said "My webapp have a set of resources, let's call that set R. Some of 
those resources need to be accessed only from certain source IP addresses, let's call that 
subset R'. And some subset of R' (let's call it R'') needs authentication."


So if I get this correctly,
for R'' you have 3 requirements :
- a URL matching R'' (check with "request-url" or "request-uri")
- a remote IP (check with "remote_addr")
- an authenticated user (check with "remote_user" not blank)
 and if it does not match the last 2, return "not found" or "forbidden" or a 
login page
 (or anything else that strikes your fancy)

then, (with "next"="or")

for R' you have 2 requirements :
- a URL matching R' (check with "request-url" or "request-uri")
- a remote IP (check with "remote_addr")
and if it does not match the last, return "not found" or "forbidden" or a login 
page
 (or anything else that strikes your fancy)

and for the rest, nothing, which is what urlrewrite will do by default : let the request 
through.


Note that I haven't really tried the above.  It just looks as if it might fill your needs. 
If you do not know urlrewrite yet, it is worth investigating anyway; it is a nice piece of 
work, useful in many circumstances.


The above is just an expression of my general view of things.
I interpret 12.2 and 12.3 of the servlet spec as saying that container-based 
authentication is meant to match general cases, and if you want more specific things, you 
should probably move to application-level authentication (which can be part of your 
application, and if based on servlet filters, should be portable to other 
containers)(which Valves are not).
And if you are anyway going in that direction, re-using already-developed and tested stuff 
like urlrewrite (if possible), is probably less expensive overall, than starting from scratch.
Note also that urlrewrite is open-source, under a BSD license. So you can also re-use 
parts of the code (or just get inspiration from it), if you want to turn your own more 
specific filter.
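
An added example (not code from any poster in this thread, and not taken from urlrewrite) of the application-level approach discussed above: one servlet filter that checks the source address for R' first and only then asks for a login on R''. The class name, the init-param names and the `authUser` session attribute are assumptions made for the illustration; the application's own login code is assumed to set that attribute.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: the source-address check for R' runs before any login is
// offered for R''. Map it to /* and remove the container-managed constraint on R''.
public class AddrThenAuthFilter implements Filter {
    static final String USER_ATTR = "authUser"; // assumed name, set by the app's own login code

    private String restrictedPrefix; // R',  e.g. "/internal/"
    private String authPrefix;       // R'', e.g. "/internal/admin/", must lie inside R'
    private String loginPath;        // e.g. "/internal/login.jsp", inside R' but outside R''
    private Pattern allow;           // regex matched against the whole client address

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        restrictedPrefix = required(cfg, "restrictedPrefix");
        authPrefix = required(cfg, "authPrefix");
        loginPath = required(cfg, "loginPath");
        allow = Pattern.compile(required(cfg, "allow"));
        if (!authPrefix.startsWith(restrictedPrefix)) {
            throw new ServletException("authPrefix must be a subset of restrictedPrefix");
        }
        if (!loginPath.startsWith(restrictedPrefix) || loginPath.startsWith(authPrefix)) {
            // Outside R' the form would be visible to everyone; inside R'' it would loop.
            throw new ServletException("loginPath must be inside restrictedPrefix, outside authPrefix");
        }
    }

    private static String required(FilterConfig cfg, String name) throws ServletException {
        String value = cfg.getInitParameter(name);
        if (value == null || value.isEmpty()) {
            throw new ServletException("missing init-param " + name);
        }
        return value;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Use the container-decoded path, not getRequestURI(), so encoded characters
        // or ";param" segments cannot slip past the prefix comparison.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);

        if (!path.startsWith(restrictedPrefix)) {
            chain.doFilter(request, response); // rest of R: no restriction
            return;
        }
        // getRemoteAddr() is the connecting peer as the container sees it; behind an
        // HTTP reverse proxy that is the proxy's address, not the browser's.
        if (!allow.matcher(req.getRemoteAddr()).matches()) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND); // do not reveal that R' exists
            return;
        }
        if (path.startsWith(authPrefix)) {
            HttpSession session = req.getSession(false); // never create a session here
            if (session == null || session.getAttribute(USER_ATTR) == null) {
                res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + loginPath));
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```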






Re: Source IP filtering on some URLs before Container-managed authentication

2015-11-20 Thread tomcat

On 19.11.2015 21:26, Christopher Schultz wrote:

Ognjen,

On 11/19/15 10:14 AM, Ognjen Blagojevic wrote:

My webapp have a set of resources, let's call that set R. Some of those
resources need to be accessed only from certain source IP addresses,
let's call that subset R'. And some subset of R' (let's call it R'')
needs authentication.

I have a requirement to check source IP address before authentication.

Right now, R' is specified in web.xml RemoteAddrFilter s,
and R'' is specified in web.xml  s.

The problem is, filters are executed after container-managed
authentication, so login form is presented to the user before
RemoteAddrFilter kicks in, and check source IP address. That is not what
I need. Users outside trusted IP ranges should not be able to even know
about the protected resources, let alone to guess passwords.

RemoteAddrValve, on the other hand, is called before container-managed
authentication, but it does not allow specifying s.

What would be a good solution for the above requirement? Extend
RemoteAddrValve with the ability to specify s?


I think that may be the only way to do it. IIRC, someone did some work
to allow Filters to be used in the valve chain, but I don't think there
is any facility for specifying s for those.

-chris



Or, you could switch from container-based AAA, to application-based AAA.
You can create a servlet filter which "wraps" your application(s), and in it apply any 
rules you want.  This is totally portable, not Tomcat-specific, and doesn't require any 
change to server.xml for instance (nor to your application).


Servlet Spec 3.0 has this to say :
13.3 Programmatic Security
Programmatic security is used by security aware applications when declarative
security alone is not sufficient to express the security model of the 
application.

To avoid having to redo what others have already done, you may also want to have a look at :
http://tuckey.org/urlrewrite/manual/3.0/#filterparams

 see :  element
   --> remote-addr  (for instance)

(I'm not saying that urlrewrite fills /all/ your needs, but you could combine urlrewrite 
with some simple code of your own, to fill all your needs. Servlet filters are "stackable").







Re: Modsecurity - REQBODY ERROR

2015-11-23 Thread tomcat

On 23.11.2015 10:52, Yogesh Patel wrote:

In modsecurity we have a rule below:

"SecRule REQBODY_ERROR "!@eq 0" \
"id:'21', phase:2,t:none,log,deny,status:400,msg:'Failed to parse
request body.',logdata:'%{reqbody_error_msg}',severity:2"


in mod security log following error message is detected:

"Message: Access denied with code 400 (phase 2). Match of "eq 0"
against "REQBODY_ERROR" required. [file
"D:/tools/Apache2.4.x/conf/extra/highq/modsec/modsecurity.conf"] [line
"132"] [id "21"] [msg "Failed to parse request body."] [data
"Error reading request body: Client went away."] [severity "CRITICAL"]
Action: Intercepted (phase 2)"


What could be the possible reason for this error?



I don't know, but I believe that you may have posted this to the wrong list.
Should you not be sending this to the *Apache httpd* user list, instead of the *Apache 
Tomcat* user list ?

See : http://httpd.apache.org/ versus http://tomcat.apache.org
(They both belong to the Apache organisation, but they are different software 
products)
And modsecurity is yet another separate thing, at http://www.modsecurity.org, but it seems 
more related to Apache httpd than to Tomcat.






Re: ServletRequest.getInputStream, getReader, getParameter.

2015-11-23 Thread tomcat

On 23.11.2015 21:14, Roel Storms wrote:

Ok, thank you for the clear response. I see the problem with file type
elements.


If you really have an overwhelming need to pre-check whole POST bodies before passing them 
to a Tomcat application, you may want to think about fronting your Tomcat server with an 
Apache httpd server.  You could then do the checking at the Apache httpd level, before 
forwarding the request to Tomcat. And of course not forward it at all if the check fails.
Doing this at the front-end level would not "consume" the request body, as it does when 
you do this under Tomcat.
All in all, you would still end up reading the request body twice.  But depending on your 
use case, it may be worth it.


In your initial post below, you wrote "..some integrity checking on HTTP
requests (the details aren't important)..".
But if you want further help or recommendations, I believe that more details about what 
exactly you are trying to achieve and/or check, would be important.
After all, Tomcat is already making a fair amount of checking by default, on any received 
HTTP request, before it will forward it to any application.  So it would be interesting to 
have an idea of which extra checks you want to make.











Re: ServletRequest.getInputStream, getReader, getParameter.

2015-11-23 Thread tomcat

On 23.11.2015 16:31, Mark Thomas wrote:

On 23/11/2015 14:30, Roel Storms wrote:

Hello,

I am working on a Valve that does some integrity checking on HTTP requests
(the details aren't important) where I need this valve to have access to
the HTTP request body as well. I used request.getInputStream to fetch the
data. However when a web application makes use of my valve, the
getParameter method does not return the parameters submitted via POST
anymore. This is documented behavior according to the spec of
ServletRequest (
https://tomcat.apache.org/tomcat-8.0-doc/servletapi/javax/servlet/ServletRequest.html#getInputStream()
).

I was wondering why it was designed this way,


Given the potential size of a request body, streaming is the only viable
option.


since numerous complaints
have arisen from this behavior and some ugly workarounds have been devised
which unfortunately stop working from Tomcat 7 (servlet 3.0):

https://stackoverflow.com/questions/10210645/http-servlet-request-lose-params-from-post-body-after-read-it-once

This shows how easily code like this could break.


What that shows is the folks haven't thought through what they are
trying to do. Consider the following:

Tomcat provides request R.
Filter reads request body using R.getInputStream().
Filter caches request body.
Filter wraps request R to provide R', over-riding getInputStream() to
provide the cached body.
Filter passes R' to the application.
Application calls R'.getParameter()
R'.getParameter() calls R.getParameter()

Keep in mind at this point R has zero knowledge of R'.

R calls getInputStream() to read request body but that InputStream has
already been read.

The problem is the wrapper, R'. Over-riding getInputStream() is not
enough. It needs to over-ride every method that may access that
InputStream. Which is non-trivial because it means re-implementing a lot
of functionality the container would normally provide for you out of the
box.


Overwriting getInputStream to return a cached version doesn't work anymore


Nope. That never worked. See my explanation above.


since the parameter attribute isn't populated by using getInputStream. How
exactly it is populated remains a mystery to me. Any advice on how to solve
this properly?


Write a better wrapper.


Performing an integrity check without getInputStream or getReader but with
getParameters, will not work if the data submitted is not in the expected
format.


See above.

Mark



To emphasize a point made by Mark above : a POST body can potentially contain one or more 
 elements.  So imagine a POST which contains a 50 MB uploaded file.
You'd need to read it once (for your Valve) and cache it, then re-read the cached version 
to parse it for parameters.  That would have a serious impact on performance.

(That's what Mark means by "streaming..").
And because it is a Valve, it would run before the request has been mapped to any 
application, so the hit would be for all applications in the server.


(Of course, in some authentication scenarios, this already happens behind the scenes.  But 
you can avoid it by designing the application accordingly.
See : https://tomcat.apache.org/tomcat-8.0-doc/config/http.html --> Common Attributes --> 
maxSavePostSize)
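
An added example, not code from Mark, André or the Tomcat project, of a wrapper R' that overrides the parameter methods as well as getInputStream(), so that nothing body-derived is delegated back to R. It assumes Servlet 3.1 (Tomcat 8) and handles only application/x-www-form-urlencoded POST bodies (getParts() for multipart is not covered); the class name and the 64 KB cap are illustrative choices.

```java
import java.io.*;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper R': reads the body of R once, then serves every body-derived
// call from its own cache. In a Filter: chain.doFilter(new CachedBodyRequest(req), res);
public class CachedBodyRequest extends HttpServletRequestWrapper {
    private static final int MAX_BODY_BYTES = 64 * 1024; // assumed cap, tune per application
    private final byte[] body;
    private final String encoding;
    private Map<String, String[]> params; // built on first parameter access

    public CachedBodyRequest(HttpServletRequest request) throws IOException {
        super(request);
        String enc = request.getCharacterEncoding();
        encoding = (enc != null) ? enc : "ISO-8859-1"; // servlet default for request bodies
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        InputStream in = request.getInputStream(); // the one and only read of R's stream
        byte[] chunk = new byte[8192];
        for (int n; (n = in.read(chunk)) != -1; ) {
            if (buf.size() + n > MAX_BODY_BYTES) { // refuse to buffer a 50 MB upload
                throw new IOException("request body larger than cache limit");
            }
            buf.write(chunk, 0, n);
        }
        body = buf.toByteArray();
    }

    /** Raw bytes for the integrity check itself. */
    public byte[] getCachedBody() { return body.clone(); }

    @Override
    public ServletInputStream getInputStream() {
        final ByteArrayInputStream src = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override public int read() { return src.read(); }
            @Override public boolean isFinished() { return src.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener listener) {
                throw new UnsupportedOperationException("cached body is read synchronously");
            }
        };
    }

    @Override
    public BufferedReader getReader() throws IOException {
        return new BufferedReader(new InputStreamReader(getInputStream(), encoding));
    }

    // The parameter methods must not reach R.getParameter(): R would go back to its
    // own, already consumed, stream and find no POST parameters.
    @Override
    public String getParameter(String name) {
        String[] values = getParameterMap().get(name);
        return (values == null) ? null : values[0];
    }

    @Override
    public String[] getParameterValues(String name) { return getParameterMap().get(name); }

    @Override
    public Enumeration<String> getParameterNames() {
        return Collections.enumeration(getParameterMap().keySet());
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        if (params == null) {
            Map<String, String[]> found = new LinkedHashMap<>();
            addPairs(found, getQueryString()); // query string first, then body
            String type = getContentType();
            if ("POST".equalsIgnoreCase(getMethod()) && type != null
                    && type.toLowerCase(Locale.ROOT).startsWith("application/x-www-form-urlencoded")) {
                addPairs(found, new String(body, StandardCharsets.ISO_8859_1));
            }
            params = Collections.unmodifiableMap(found);
        }
        return params;
    }

    // Splits name=value pairs; a malformed %-escape raises IllegalArgumentException,
    // so a body that is not in the expected format fails loudly.
    private void addPairs(Map<String, String[]> into, String encoded) {
        if (encoded == null || encoded.isEmpty()) return;
        try {
            for (String pair : encoded.split("&")) {
                if (pair.isEmpty()) continue;
                int eq = pair.indexOf('=');
                String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), encoding);
                String value = (eq < 0) ? "" : URLDecoder.decode(pair.substring(eq + 1), encoding);
                String[] old = into.get(name);
                String[] merged = (old == null) ? new String[1] : Arrays.copyOf(old, old.length + 1);
                merged[merged.length - 1] = value;
                into.put(name, merged);
            }
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("unsupported request encoding " + encoding, e);
        }
    }
}
```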






