Re: need mod_jk for apache http server 2.0.63 - urgent
At 04:57 PM 10/3/2008, you wrote:

Hi, I need mod_jk or the Tomcat connector. I don't know where to get it from. I searched on google but could not find it. Basically I would like to connect from tomcat 5.5.9 to apache http server 2.0.63 installed on a solaris 10 machine. Could somebody tell me where to get it?

Thanks,
srinivas jonnalagadda

http://tomcat.apache.org/download-connectors.cgi

or DIRECT Download (sorry, I'd never do this)

http://apache.osuosl.org/tomcat/tomcat-connectors/jk/source/jk-1.2.26/tomcat-connectors-1.2.26-src.tar.gz

Cheers,
Glenn

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Data source realm, using primary keys (not varchar)?
Hi

I'm trying to learn authentication and authorization within a web application, and I think I know the basic stuff and maybe a bit more. I just read the Tomcat howto guide on realm, and especially data source realm. But I think their database example is a bit strange. They have a table user_roles that consists of a user_name and a role_name. The odd thing is, these fields are not foreign keys, but varchars! This is really not good database design. What if I for some reason want to change a username? I should only have to change the username field in the users table. The same thing goes with the rolename, although a changed rolename would demand a change in the authorization code within the web application, but as far as the database is concerned I should only have to make the change in a single table.

I would like something like this:

    create table users (
      user_id int not null primary key,
      user_name varchar(15) not null,
      user_pass varchar(15) not null
    );

    create table roles (
      role_id int not null primary key,
      role_name varchar(15) not null
    );

    create table user_roles (
      user_roles_id int not null primary key,
      user_id int not null,
      role_id int not null
    );

Is this possible? I still want to use the built in authentication and authorization. If it is possible, how do I configure it in tomcat?

http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html#DataSourceRealm

Regards
/Jimi
tomcat-apache ajp13 connection problem (answer time)
hello there,

i have two servers inside the dmz, one with redhat 9 the other with fedora core 4. the box running with fedora core has tomcat 5.5.9 and apache 2.0.54. the connection is made with ajp13. the redhat 9 has an older apache and java version. these two servers run separated, so each one has all it needs on its system. there are multiple virtual hosts and web applications on each server. accessing such a web application from localhost works well, the same when being inside the dmz and using a testclient.

now the problem, requests from outside the dmz work still well for the redhat 9 installation, fedora core 4 however has answer times between page and image loads that are from multiple seconds to minutes! i have looked at all known log files, but got no errors at all, there is simply a wait time between multiple requests and i don't see why.

running tomcat on port 80 as standalone however works correctly from outside the dmz. apache as standalone too. however as soon as the ajp13 connector connects the two, from outside the dmz requests slow down.

has anybody an idea where i might have a closer look to get this problem solved ?

thanks a lot,
stephan
Re: tomcat-apache ajp13 connection problem (answer time)
no, none at all. there is the network switch followed by the firewall.

Quoting Prasad [EMAIL PROTECTED]:

Any load balancers exist in your environment ??

[EMAIL PROTECTED] wrote:

hello there,

i have two servers inside the dmz, one with redhat 9 the other with fedora core 4. the box running with fedora core has tomcat 5.5.9 and apache 2.0.54. the connection is made with ajp13. the redhat 9 has an older apache and java version. these two servers run separated, so each one has all it needs on its system. there are multiple virtual hosts and web applications on each server. accessing such a web application from localhost works well, the same when being inside the dmz and using a testclient.

now the problem, requests from outside the dmz work still well for the redhat 9 installation, fedora core 4 however has answer times between page and image loads that are from multiple seconds to minutes! i have looked at all known log files, but got no errors at all, there is simply a wait time between multiple requests and i don't see why.

running tomcat on port 80 as standalone however works correctly from outside the dmz. apache as standalone too. however as soon as the ajp13 connector connects the two, from outside the dmz requests slow down.

has anybody an idea where i might have a closer look to get this problem solved ?

thanks a lot,
stephan
Re: pls unsubscribe my name from tomcat users group
Please use a mail client that you can read email headers in. The unsubscribe address is in your email header from the listgroup.

List-Unsubscribe: mailto:[EMAIL PROTECTED]

Cheers!

At 12:19 PM 3/7/2008, you wrote:

pls unsubscribe [EMAIL PROTECTED] from tomcat users group
Re: How do I unsubscribe ?
My old account was unsubscribed and deleted in a few minutes. Then I created a new account and resubscribed the new account. It took all of 1 hour from start to finish. The old account was getting spammed to DETH! Now I use it to harvest my block list!

Get yourself an email client that will let you read your mail headers! You have no idea what you are missing!

At 02:30 PM 7/12/2007, you wrote:

Hi, can you unsubscribe me too.
-Siraj

Sunitha Kumar (sunithak) wrote:

Hi Mark., could you also unsubscribe me?
thnx
-sunitha

-Original Message-
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 11, 2007 5:25 AM
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: Re: How do I unsubscribe ?

[EMAIL PROTECTED] wrote:

Hi, Is there an alternative way to unsubscribe from this user group ? I have sent numerous blank emails to [EMAIL PROTECTED], but it seems to have no effect,

An e-mail to [EMAIL PROTECTED] will do the trick and one of us will manually unsubscribe you. I have just done this for your address.

Mark
RE: Legal Risk of Using Tomcat
At 01:19 PM 9/7/2007, you wrote:

My guess was different: that they were concerned about using software that might later be claimed to be covered by somebody else's patent, like M$ has been threatening with Linux. If my guess is correct, then I seriously doubt there's anything to worry about there, because Tomcat has been written as open source from the beginning, and nobody has ever claimed patent rights over it.

You are right - I think this is the primary concern.

Yes, most likely the M$ vs. Linux and the whole SCO vs Linux and Novell deal. It is rather dicey. Tomcat on Windows would pretty much CYA. However, Tomcat on Linux is quite nice and IMHO, more secure (or rather secure-able!). More tunable as far as performance too!

Cheers!
Re: Sending Mail from a Java WebApplication does not work
At 01:30 PM 10/4/2007, you wrote:

Gabe, That is great. yes, It is sending mails to junk folder. Thanks a lot lol. How can I avoid it ? why does gmail treat this mail as spam? We were planning to move our application to a new server. I had written a build script using perl. Everything went fine and build was successful. We were trying to test it for user registration and no mails for ever. My PM will eat my head if it moves to junk folder. HELP!

We send through the localhost sendmail to the mail server that serves mail for the host's domain. Sendmail is already set to only relay localhost on later 8.12 versions and up, making this setup easy. The mail server for the domain needs to be modified to accept mail from your application server.

Your mail may be getting flagged for lack of RDNS (PTR record for the MX server). A lot of ISPs will flag or refuse your mail if you do not have MX and PTR records for your server. AOL immediately comes to mind.
Re: Spam Score
At 02:38 PM 7/22/2008, you wrote:

What is the tomcat mailing list spam score, and why am I unable to send my email to post a question?

Patrick

Well, your first message that made it in looked like this:

X-ASF-Spam-Status: No, hits=4.1 required=10.0 tests=DNS_FROM_RFC_BOGUSMX,HTML_MESSAGE,SPF_PASS
X-Spam-Check-By: apache.org

So, apparently your mail server has a defective MX record, you don't use SPF and your first message was in HTML. Your second message, that made it to the group was not HTML.

Go fix that DNS! That's a BIG strike against your getting any mail anywhere! I probably would have scored you higher for that!

Cheers!

Received-SPF: pass (athena.apache.org: local policy)
Received: from [67.91.25.34] (HELO barracuda.sim-gtech.com) (67.91.25.34) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 22 Jul 2008 18:29:27 +
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=_=_NextPart_001_01C8EC2A.25F5E661
Context files disappearing
Hello,

I am using Tomcat 5.5.16 and every now and then, my context.xml files get deleted from the $TOMCAT_HOME/conf/Catalina/localhost directory. This seems to be random and it is becoming very frustrating. Does anyone know what's causing this to happen? and how the problem can be fixed?

Thanks.
Aladin
Re: Context files disappearing
Thanks for the response. I've never seen it happen randomly either... but what can I say? I shutdown my server yesterday (as in powered it off) and when I restarted it, all the context files were gone including the manager.xml.

Any thoughts??

Aladin

[EMAIL PROTECTED] wrote:

I am using Tomcat 5.5.16 and every now and then, my context.xml files get deleted from the $TOMCAT_HOME/conf/Catalina/localhost directory. This seems to be random and it is becoming very frustrating. Does anyone know what's causing this to happen? and how the problem can be fixed?

I've never seen this happen randomly. I only see this happen upon undeploy of the correspondent webapp - and that's the way things are designed (AFAICT).

Regards
mks
Re: Context files disappearing
I'm running tomcat on Linux machine (FC2) and it is installed in: /usr/local/jakarta/tomcat

Aladin

Sounds to me like some other process is responsible for this. Out of curiosity, what platform are you on (Windows, Linux, etc., ...) and where is tomcat installed?

--David

[EMAIL PROTECTED] wrote:

Thanks for the response. I've never seen it happen randomly either... but what can I say? I shutdown my server yesterday (as in powered it off) and when I restarted it, all the context files were gone including the manager.xml.

Any thoughts??

Aladin

[EMAIL PROTECTED] wrote:

I am using Tomcat 5.5.16 and every now and then, my context.xml files get deleted from the $TOMCAT_HOME/conf/Catalina/localhost directory. This seems to be random and it is becoming very frustrating. Does anyone know what's causing this to happen? and how the problem can be fixed?

I've never seen this happen randomly. I only see this happen upon undeploy of the correspondent webapp - and that's the way things are designed (AFAICT).

Regards
mks
crossContext breaking class hierarchy?
Hello,

I am experiencing a problem with Tomcat and class hierarchies. In particular when an object (which implements interface X) is shared among several contexts I am unable to cast the object back into interface X.

Here is the setup (for simplicity I'll illustrate this with 2 contexts):

* Interface ClassInterface is distributed across all applications in a .jar.

Application A in context a
--
- Implements ClassInterface and adds an instance of the class in its context:

    ClassInterface i = new ClassInterfaceImplementation();
    getServletContext().setAttribute("some.key", i);

Application B in context b
--
- Tries to cast the object in the context back into a ClassInterface but fails with a ClassCastException: ClassInterfaceImplementation

    ServletContext context = (ServletContext) getServletContext().getContext("/a");
    ClassInterface i = (ClassInterface) context.getAttribute("some.key");

-- EXCEPTION IS THROWN -- java.lang.ClassCastException: ClassInterfaceImplementation

Has anybody experienced this before? Does setting an attribute in the context mess things up with the class hierarchy?

Thanks.
RE: crossContext breaking class hierarchy?
My interface is only in the 2 context specific locations:

Application A context a: /WEB-INF/lib/interface.jar
Application B context b: /WEB-INF/lib/interface.jar

It is not in the Tomcat common or shared lib folders; I've verified this just in case I had a brain cramp.

I've seen this with Oracle jdbc objects. If you have classes12.jar in your WEB-INF/lib directory, and a copy in common/lib (for the Tomcat Datasource) then you will have TWO oracle.jdbc.XX classes loaded, one in the common classloader and one in your web app's classloader and although they are both oracle.jdbc.XX, they are not the SAME class object (instance). So, be certain your interface X is not in two visible places. Or if it is, you cannot cast objects from one classloader to the other.

Tim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 10:10 AM
To: users@tomcat.apache.org
Subject: crossContext breaking class hierarchy?

Hello,

I am experiencing a problem with Tomcat and class hierarchies. In particular when an object (which implements interface X) is shared among several contexts I am unable to cast the object back into interface X.

Here is the setup (for simplicity I'll illustrate this with 2 contexts):

* Interface ClassInterface is distributed across all applications in a .jar.

Application A in context a
--
- Implements ClassInterface and adds an instance of the class in its context:

    ClassInterface i = new ClassInterfaceImplementation();
    getServletContext().setAttribute("some.key", i);

Application B in context b
--
- Tries to cast the object in the context back into a ClassInterface but fails with a ClassCastException: ClassInterfaceImplementation

    ServletContext context = (ServletContext) getServletContext().getContext("/a");
    ClassInterface i = (ClassInterface) context.getAttribute("some.key");

-- EXCEPTION IS THROWN -- java.lang.ClassCastException: ClassInterfaceImplementation

Has anybody experienced this before? Does setting an attribute in the context mess things up with the class hierarchy?

Thanks.
RE: crossContext breaking class hierarchy?
Problem solved. Thanks Tim you got me thinking on the right path.

I put the interface.jar in the tomcat shared/lib rather than in the individual context's lib folder. This worked because the jar in the shared/lib folder is common to each of the context's classloader. Putting the interface.jar in each context reflects having two different interfaces (because of the different classloaders).

My interface is only in the 2 context specific locations:

Application A context a: /WEB-INF/lib/interface.jar
Application B context b: /WEB-INF/lib/interface.jar

It is not in the Tomcat common or shared lib folders; I've verified this just in case I had a brain cramp.

I've seen this with Oracle jdbc objects. If you have classes12.jar in your WEB-INF/lib directory, and a copy in common/lib (for the Tomcat Datasource) then you will have TWO oracle.jdbc.XX classes loaded, one in the common classloader and one in your web app's classloader and although they are both oracle.jdbc.XX, they are not the SAME class object (instance). So, be certain your interface X is not in two visible places. Or if it is, you cannot cast objects from one classloader to the other.

Tim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 10:10 AM
To: users@tomcat.apache.org
Subject: crossContext breaking class hierarchy?

Hello,

I am experiencing a problem with Tomcat and class hierarchies. In particular when an object (which implements interface X) is shared among several contexts I am unable to cast the object back into interface X.

Here is the setup (for simplicity I'll illustrate this with 2 contexts):

* Interface ClassInterface is distributed across all applications in a .jar.

Application A in context a
--
- Implements ClassInterface and adds an instance of the class in its context:

    ClassInterface i = new ClassInterfaceImplementation();
    getServletContext().setAttribute("some.key", i);

Application B in context b
--
- Tries to cast the object in the context back into a ClassInterface but fails with a ClassCastException: ClassInterfaceImplementation

    ServletContext context = (ServletContext) getServletContext().getContext("/a");
    ClassInterface i = (ClassInterface) context.getAttribute("some.key");

-- EXCEPTION IS THROWN -- java.lang.ClassCastException: ClassInterfaceImplementation

Has anybody experienced this before? Does setting an attribute in the context mess things up with the class hierarchy?

Thanks.
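
The classloader behaviour this thread arrives at, as an added example that is not part of the original posts or of Tomcat: the same class bytes defined by two sibling loaders give two unrelated types, while a definition in a common parent gives one. `CrossContextCastDemo` and `WebappLoader` are hypothetical names, the nested types borrow the names used in the thread, and it assumes Java 9+ compiled with `javac CrossContextCastDemo.java` and run with `java CrossContextCastDemo`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Set;

// Added illustration. WebappLoader is a hypothetical stand-in for a
// per-context classloader; it is not Tomcat's own webapp classloader.
public class CrossContextCastDemo {

    /** Stands in for the interface shipped in interface.jar. */
    public interface ClassInterface { String hello(); }

    /** Stands in for application A's implementation class. */
    public static class ClassInterfaceImplementation implements ClassInterface {
        public String hello() { return "hello from context a"; }
    }

    static final String IFACE = ClassInterface.class.getName();
    static final String IMPL = ClassInterfaceImplementation.class.getName();

    /** Defines its own copy of the classes in ownCopies (as if found in
     *  WEB-INF/lib) and delegates every other name to the parent loader. */
    static final class WebappLoader extends ClassLoader {
        private final Set<String> ownCopies;

        WebappLoader(ClassLoader parent, Set<String> ownCopies) {
            super(parent);
            this.ownCopies = ownCopies;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve)
                throws ClassNotFoundException {
            synchronized (getClassLoadingLock(name)) {
                if (!ownCopies.contains(name)) {
                    return super.loadClass(name, resolve);
                }
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] bytes = readClassBytes(name);
                    c = defineClass(name, bytes, 0, bytes.length);
                }
                if (resolve) { resolveClass(c); }
                return c;
            }
        }

        // Reuse the class file already on the JVM classpath, so identical
        // bytes are defined once per loader, like one jar copied twice.
        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) { throw new ClassNotFoundException(name); }
                return in.readAllBytes();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Context a builds the object; context b tries to cast it to the
     *  interface as context b's loader sees it. */
    static boolean castSucceeds(ClassLoader contextA, ClassLoader contextB)
            throws Exception {
        Object stored = contextA.loadClass(IMPL).getDeclaredConstructor().newInstance();
        Class<?> ifaceInB = contextB.loadClass(IFACE);
        try {
            ifaceInB.cast(stored);
            return true;
        } catch (ClassCastException e) {
            System.out.println("  ClassCastException: " + e.getMessage());
            return false;
        }
    }

    /** interface.jar copied into each context's WEB-INF/lib. */
    static boolean jarInEachContext() throws Exception {
        ClassLoader parent = CrossContextCastDemo.class.getClassLoader();
        return castSucceeds(new WebappLoader(parent, Set.of(IFACE, IMPL)),
                            new WebappLoader(parent, Set.of(IFACE)));
    }

    /** interface.jar only in a loader that is parent to both contexts. */
    static boolean jarInSharedLib() throws Exception {
        ClassLoader parent = CrossContextCastDemo.class.getClassLoader();
        return castSucceeds(new WebappLoader(parent, Set.of(IMPL)),
                            new WebappLoader(parent, Set.of()));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jar in each WEB-INF/lib: cast succeeds = " + jarInEachContext());
        System.out.println("jar in shared parent:    cast succeeds = " + jarInSharedLib());
    }
}
```

The first case reports the cast failing and the second reports it succeeding. The per-context copy is also what keeps one webapp's types separate from another's, so moving a jar to a shared loader makes those classes and their static state common to every context.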
requested resource not available
I am running Tomcat 5.5.26, Java 1.6.0_13, and Centos 5.2 64 bit.

I am really stumped, getting The requested resource not available. I Googled and found quite a few items on this topic and everything points to an incorrect path. I have checked all the paths I can find, and am not finding the problem. I have another box with this successfully installed and as far as I can tell the 2 installations are identical, except one works and one does not.

Any ideas? Please let me know, thanks for your help,
Brad
RE: requested resource not available
Thank you for your help, Chuck.

I get the message when trying to access the application through a browser. I did try with and without the firewall enabled on the server, and nothing changed. I am not sure I have Tomcat logging set up correctly, so I have not learned anything there. I am brand new to Tomcat, as you can probably tell.

Brad

On Tue, 12 May 2009 14:34:10 -0500 Caldarale, Charles R chuck.caldar...@unisys.com wrote:

From: tom...@nym.hush.com [mailto:tom...@nym.hush.com]
Subject: requested resource not available

I am running Tomcat 5.5.26, Java 1.6.0_13, and Centos 5.2 64 bit.

Thanks for telling us that; an amazing number of people fail to do so.

I am really stumped, getting The requested resource not available.

When you do what? Where is that message displayed? Have you looked in the Tomcat logs? If the message is being displayed by a browser, is there a firewall blocking the access?

- Chuck
RE: requested resource not available
Ok, I did that and here is what I got:

[r...@li54-122 bin]# less ../logs/localhost_access_log.2009-05-12.txt
70.249.74.9 - - [12/May/2009:16:17:00 -0400] GET / HTTP/1.1 200 347
70.249.74.9 - - [12/May/2009:16:17:00 -0400] GET /pentaho/ HTTP/1.1 404 979

On Tue, 12 May 2009 15:11:15 -0500 Caldarale, Charles R chuck.caldar...@unisys.com wrote:

From: tom...@nym.hush.com [mailto:tom...@nym.hush.com]
Subject: RE: requested resource not available

I am not sure I have Tomcat logging set up correctly, so I have not learned anything there.

For a standard Tomcat installation (downloaded from tomcat.apache.org), there's really nothing to set up; the log files will be in Tomcat's logs directory. If you're using a 3rd-party repackaged version of Tomcat, there's no telling where the log files might be.

Assuming you can find the logs, try updating conf/server.xml to remove the comment markers around the AccessLogValve and restart Tomcat. The logs will then show whether or not the request is even reaching Tomcat.

- Chuck
RE: requested resource not available
Those are the requests I expected to see, they do correspond to the URLs I entered in the browser.

I am deploying a preconfigured version of Pentaho that I found here:

http://sourceforge.net/project/showfiles.php?group_id=140317package _id=160028release_id=648414

I deployed this exact same package on my development box with no problems. The preconfigured installation of Tomcat does appear (to me at least) to follow the deployment guidelines on the link you sent.

On Tue, 12 May 2009 15:28:50 -0500 Caldarale, Charles R chuck.caldar...@unisys.com wrote:

From: tom...@nym.hush.com [mailto:tom...@nym.hush.com]
Subject: RE: requested resource not available

[r...@li54-122 bin]# less ../logs/localhost_access_log.2009-05-12.txt
70.249.74.9 - - [12/May/2009:16:17:00 -0400] GET / HTTP/1.1 200 347
70.249.74.9 - - [12/May/2009:16:17:00 -0400] GET /pentaho/ HTTP/1.1 404 979

Are those the requests you expected to see? Do they correspond to the URLs you submitted from the browser?

Do you have a webapp named pentaho deployed? If so, does it have a welcome page under its first-level directory? If not, do you have a servlet mapping for it that should have handled all requests?

Have you followed the guidelines for webapp deployment described in the doc?

http://tomcat.apache.org/tomcat-5.5-doc/appdev/index.html

- Chuck
which apache
Hello

I have installed Tomcat and Apache, and both of them work fine. However, tomcat has been installed as standalone and just listens to the Apache that came with Tomcat. How can I change it, so Tomcat works with my desired Apache?

Thanks for your help
decompile java class
Hello

I am trying to decompile the java class file with the javap command but it returns

my-class-name.class contains some-other-package

so I am unable to decompile it. Does anyone have experience with the javap command? How can I decompile a class that contains other packages or classes? I am aware of other decompilers, but I can not use them.

thanks for help
Re: decompile java class
Thanks Mohsen for your reply, but I can not download and use jad or other decompilers. Please let me know if you know how to decompile the java class that contains another class.

Thanks

Mohsen Saboorian wrote:

Use JAD instead. It is quite simple and fast.
http://www.kpdus.com/jad.html

On 7/26/06, Tomcat [EMAIL PROTECTED] wrote:

Hello

I am trying to decompile the java class file with the javap command but it returns

my-class-name.class contains some-other-package

so I am unable to decompile it. Does anyone have experience with the javap command? How can I decompile a class that contains other packages or classes? I am aware of other decompilers, but I can not use them.

thanks for help
decompile java class
Hello

Would you please help me with this: when I am trying to decompile a class file with

javap -c myclass.class

I am receiving the following error:

Error: Binary file myclass contains com.cnsw.reveiw.conf

How can I decompile the class file that contains another class? Also, I want to use it with javap and not other tools.

Thanks for help
difference between thread and session
Hello

what is the difference between thread and session in tomcat ? I was thinking that they are the same, but in server setting of tomcat manager it shows different thread number to session number in application list.

Thanks for help
Multiple apache web servers single Tomcat, how many Connectors are needed?
Hello,

Hopefully someone can clarify a setup query I have as after lots of searching I cannot find a definitive answer. Although I'm configuring a much more complex system the problem I have boils down to this.

I want to configure two Apache instances running on separate servers to talk to a single Tomcat instance (on its own server) but need clarification on the number of Connectors I need to define on the Tomcat side (server.xml). Is it a Connector listening on individual ports for each web server or one Connector for all web servers?

Apache 2.0.59
mod_jk 1.2.18
Tomcat 5.5.17

Thanks in advance
J
Applet not initiated
Hello

When I am trying to open a very simple applet on my browser it returns applet not initiated or failed to load applet. class file is located in tomcat WEB_INF/classes and I am calling it from ROOT directory and through index.html file.

thanks for help
Adam
Re: Applet not initiated
Hello Rashmi,

Thanks for response. I put the class file in ROOT directory, the same place that my html file exists, but still the same problem. Is it possible that the classpath should include that class location so the computer's jvm recognizes the place where the class exists? Also, I found some document that says the codebase tag should contain the directory where the classes are located and the code tag should contain the class name but without class.

your help will be highly appreciated.

Rashmi Rubdi wrote:

Place your Applet's class file anywhere but the WEB-INF folder, because WEB-INF folder is protected from client/browser's access, applet classes can't be accessed if they are under WEB-INF.

Also use jsp:plugin tag , if you are accessing the Applet from a JSP file.

-Rashmi

On 3/25/07, Tomcat [EMAIL PROTECTED] wrote:

class file is located in tomcat WEB_INF/classes and I am calling it from ROOT directory and through index.html file.
session time out
Hello, Does the application's WEB-INF/web.xml override the default conf/web.xml setting? Specifically session time out, but I want to know if other settings are overridden. And can we disable this through server.xml? Thanks, Adam
Re: session time out
Hello Martin, my main question was: Does the application's WEB-INF/web.xml override the default conf/web.xml setting? I mean, in a container containing several applications, can each of them set the session time out in their /WEB-INF/web.xml, and does that override the default setting which is set in /conf/web.xml? Cheers, Adam Martin Gainty wrote: On the Connector you can set connectionTimeout = 0 for indefinite timeout also a keepAliveTimeout on the Sender which I believe defaults to 60 sec http://tomcat.apache.org/tomcat-5.5-doc/cluster-howto.html also a tcpSelectorTimeout on the Receiver which I believe defaults to 100 sec web.xml (webapp) specific <session-config> <session-timeout>30</session-timeout> </session-config> HTH M - Original Message - From: Tomcat [EMAIL PROTECTED] To: Tomcat Users List users@tomcat.apache.org Sent: Monday, April 30, 2007 10:27 AM Subject: session time out Hello Does application WEB-INF/web.xml override default conf/web.xml setting? specifically session time out , but want to know if other setting is overridden. and can we disable this through server.xml ? Thanks Adam
Suspected mod_jk connection problems
Hello All, I have a server that is not too heavily trafficked (yet!) that, to the user appears to hang on pages. This appears to be happening most often to users outside my network, as it has not been encountered by our developers unless they are working from home. I am not seeing any network issues, internally, but I do see these errors in my jk.log quite a lot: [error] ajp_service::jk_ajp_common.c (1659): Client connection aborted or network problems I've looked this error up in my search engines with no hits. Any suggestions on what to look for or how to clear this up? Configuration: CentOS 4.4 Apache 2.0.52 Jakarta-Tomcat 5.5.7 mod_jk-1.2.8 Thanks, Glenn
Re: Suspected mod_jk connection problems
Hello All, I have a server that is not too heavily trafficked (yet!) that, to the user appears to hang on pages. This appears to be happening most often to users outside my network, as it has not been encountered by our developers unless they are working from home. I am not seeing any network issues, internally, but I do see these errors in my jk.log quite a lot: [error] ajp_service::jk_ajp_common.c (1659): Client connection aborted or network problems I've looked this error up in my search engines with no hits. Any suggestions on what to look for or how to clear this up? Configuration: CentOS 4.4 Apache 2.0.52 Jakarta-Tomcat 5.5.7 mod_jk-1.2.8 Thanks, Glenn At 05:41 PM 5/17/2007, you wrote: I used to work with a Sys Admin whose expertise was changing the sys admin password when asked about issues such as interconnecting thru Pix he would say let me get back to you..it sounds like this sys admin is working for you now Anyway here is a quick tutorial on configuring pix http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch02_:_Introduction_to_Networking You'll have to do some fun things like setting up arp tables and such This will guarantee that IP x.x.x.x:PortX will be forwarded to y.y.y.y:PortY the other thing that you can do is open up your subnet mask which is probably set to something massively restrictive like 255.255.255.254 HTH/ I am the systems administrator. I generally build/install maintain the systems that my developers deploy on. Since this looks more like a network problem (to management), I've been tasked to solve the problem. However, it looks more like a Tomcat connector problem since I have not found any obvious network errors. One important note: I am using multiple virtual ethernet ports to support multiple SSL certs on this machine and I think that this could be part of the problem. This is a single Apache/mod_jk/Tomcat server with Apache handling port 80 and Tomcat on port 8009.
I am also seeing: mod_jk: Error flushing \n errors in my Apache error log. I have read that updating the mod_jk may solve this problem, but I have not tied the two problems as a cause/effect of the other. Any further comments or suggestions would be kindly appreciated. Thanks, Glenn
Re: I've been trying to unsubscribe from this list for years.
At 11:48 PM 5/17/2007, you wrote: When you send an email to [EMAIL PROTECTED] add the word Unsubscribe to the email's subject and body, that worked for me when I was trying to switch my e-mails. I think it sends you an additional e-mail to confirm unsubscription, reply to that one as well. Then you should receive a final email with something like good bye in the subject. -Rashmi On 5/17/07, Keith Adams [EMAIL PROTECTED] wrote: No matter how many times I send a blank email to: [EMAIL PROTECTED], like the one I sent at 11.19 Eastern this morning, nothing happens. I use a rule to delete them permanently when I'm in Outlook, but when I use my company's web outlook, it can only move them to the deleted-items folder, which rapidly fills up, making it very hard for me to find things in there if I need to. Please help. Thanks, Keith I had a broken mail account that was subscribed to this list and that I could not reply from. I successfully unsubscribed yesterday by sending to: [EMAIL PROTECTED] I replied from a different account and it worked! Cheers!
war file name
Hello, There is a directive in server.xml or the context file which forces the war file name to be the same as the context file, or the same as the name of the directory into which the war file is unpacked. Would you please let me know which directive it is? Thanks, Adam
ajp advantages over http connector
Hello, Is there any advantage in using the ajp connector over the http connector? What are those advantages? Cheers, Adam
Tomcat 6.0.20 unable to create new native thread
Hi all, we have a problem with our tomcat 6.0.20 which throws occasionally the following exception: java.lang.OutOfMemoryError: unable to create new native thread
Information about the system:
- Win2003 Server Standard Edition 32 bit
- 2GB RAM
- Apache 2.2.13 with open SSL and mod_jk 1.2.28 for the communication with tomcat
- 2 instances of tomcat 6.0.20 on different ports. No redundancy / clustering. Each tomcat serves different webapps.
- JDK 1.6.0_06
Only one tomcat throws the above noted exception.
Configuration-Details:
- Tomcat 1 (with the problem)
  - MaxPermSize=256m
  - JvmMs 128
  - JvmMx 768
  - maxThreads for HTTP: 450
  - maxThreads for jk: 3000
- Tomcat 2 (no problem yet)
  - MaxPermSize=256m
  - JvmMs 128
  - JvmMx 512
  - MaxThreads for HTTP: 800
  - MaxThreads for jk: 450
When Tomcat 1 was throwing the exception the server status was showing the following:
- mem Free 116 MB
- mem Total 242 MB
- mem Max 739 MB
- current Thread jk 355
- busy Thread jk 333
- current Thread HTTP 5
- busy Thread HTTP 3
- all connections shown by netstat -an (not filtered): 4595
- connections in state close_wait: 3152
The tomcat was not totally stuck. Already connected sessions seemed to have no problem, but new sessions (new login) threw the exception and could not be created. The Taskmanager shows that all in all 1.39 GB of RAM are used - much below the 2GB Limit. On the other hand: Shouldn't windows start to swap if the ram is full? In which memory-area does windows handle the memory which is used for the threads? Is it shown in the taskmanager? Can the OS take the mem which is still unused by the JVM (memMax-memTotal) for handling threads or is it reserved for the JVM after starting tomcat?
Due to problems with one of our webapps which sometimes does not close the threads completely (they are stuck in close_wait-state) we increased the max threads of windows: http://publib.boulder.ibm.com/infocenter/pvcvoice/51x/index.jsp?topic=/com.ibm.websphere.wvs.doc/wvs/tun_conwin.html maxUserPorts have been set to about 30k if I remember correctly. Does anyone have an idea to get rid of the exception? kind regards, Andreas
Tomcat latency
Hello: I have a problem where a simple wget call to docs/config/valve.html can sometimes take up to 15 seconds to process. I have a script that does a wget call to valve.html every 5 seconds. Most of the time it's fast. However, today in the past 6 hours I had 13 cases where it took over 3 seconds for wget to return valve.html. This is happening across 7 servers pretty consistently and I can't figure out why. Any suggestions to help me narrow down the problem? I'm going to modify the script to check disk i/o and load when the problem happens. Normally these numbers are sane with upwards of ~60% disk utilization load of ~2. Dual processor Intel(R) Xeon(R) CPU X5680 @ 3.33GHz. The stats right now.
top - 22:42:34 up 26 days, 7:17, 1 user, load average: 1.64, 1.31, 1.03
Tasks: 115 total, 1 running, 114 sleeping, 0 stopped, 0 zombie
Cpu(s): 11.7%us, 1.1%sy, 0.0%ni, 56.3%id, 30.7%wa, 0.0%hi, 0.2%si, 0.0%st
Mem: 8197432k total, 8146536k used, 50896k free, 3212k buffers
Swap: 18723708k total, 397296k used, 18326412k free, 683448k cached
iostat -xd
Device:  rrqm/s  wrqm/s    r/s    w/s   rsec/s   wsec/s  avgrq-sz  avgqu-sz  await  svctm  %util
sda        4.22   29.23  77.11   1.75  1833.10   247.79     26.39      1.04  13.16   5.60  44.20
sdb        0.00    0.00   0.00   0.00     0.00     0.00     39.37      0.00   2.83   2.39   0.00
Ubuntu 9.10
/opt/tomcat6/bin/version.sh
Using CATALINA_BASE: /opt/tomcat6
Using CATALINA_HOME: /opt/tomcat6
Using CATALINA_TMPDIR: /opt/tomcat6/temp
Using JRE_HOME: /usr/lib/jvm/java-6-sun/jre
Server version: Apache Tomcat/6.0.20
Server built: May 14 2009 01:13:50
Server number: 6.0.20.0
OS Name: Linux
OS Version: 2.6.31-14-server
Architecture: amd64
JVM Version: 1.6.0_22-b04
JVM Vendor: Sun Microsystems Inc.
Re: starting tomcat
Check whether this file C:\Users\francesco\.keystore exists or not. On June 11, 2014, at 9:30 PM, Francesco Viscomi fvisc...@gmail.com wrote: C:\Users\francesco\.keystore
Re: httpd 2.2 +mod-jk1.2.37+ tomcat 7.0.28 (debian package)
On 20.10.2015 00:13, J Lopez wrote: Hi all, is it possible to filter 404 application errors taking into account content-type beside http return code in jk configuration. I need to differentiate between application is not deployed/executing (http 404 content-type html) and application running and returning a 404 json response (content-type json) I have put mod-jk in debug mode and content-type is shown in logs. I have not seen in documentation if a fail_on_status can be combined with content-type returned. [...] I have not seen this in the documentation either, and it does not look like this feature is available. But if I understand correctly, you have 2 cases of 404 : 1) if the application is for Tomcat "not there" (meaning for example it is not deployed at that particular moment), then Tomcat itself returns a 404. 2) if the application is there and working, in some cases it returns a 404 itself. And for some reason, you want to distinguish these 2 cases. (It would help to know why, and at what level you want to distinguish this) But let's suppose that the application is normally installed at (tomcat)/webapps/app1, and responds to URLs like "/app1/*". If the "/webapps/app1" application is not there, then Tomcat will try to map this to the default application, "/webapps/ROOT/app1/*". Then it will probably not find it there either, and return a 404 response. If the application is there, then Tomcat will (successfully) map the call to "/webapps/app1/*", and the application will respond. And, maybe, it will sometimes respond with a 404. So two possible solutions : 1) change the application, so that in such a case, it responds with something else than 404. 2) install something in /ROOT, which will catch everything that gets there, and respond with something else than 404. That supposes of course that you do not previously have a default application under /webapps/ROOT.
Re: httpd 2.2 +mod-jk1.2.37+ tomcat 7.0.28 (debian package)
On 21.10.2015 19:47, André Warnier (tomcat) wrote: On 20.10.2015 00:13, J Lopez wrote: Hi all, is it possible to filter 404 application errors taking into account content-type beside http return code in jk configuration. I need to differentiate between application is not deployed/executing (http 404 content-type html) and application running and returning a 404 json response (content-type json) I have put mod-jk in debug mode and content-type is shown in logs. I have not seen in documentation if a fail_on_status can be combined with content-type returned. [...] I have not seen this in the documentation either, and it does not look like this feature is available. But if I understand correctly, you have 2 cases of 404 : 1) if the application is for Tomcat "not there" (meaning for example it is not deployed at that particular moment), then Tomcat itself returns a 404. 2) if the application is there and working, in some cases it returns a 404 itself. And for some reason, you want to distinguish these 2 cases. (It would help to know why, and at what level you want to distinguish this) But let's suppose that the application is normally installed at (tomcat)/webapps/app1, and responds to URLs like "/app1/*". If the "/webapps/app1" application is not there, then Tomcat will try to map this to the default application, "/webapps/ROOT/app1/*". Then it will probably not find it there either, and return a 404 response. If the application is there, then Tomcat will (successfully) map the call to "/webapps/app1/*", and the application will respond. And, maybe, it will sometimes respond with a 404. So two possible solutions : 1) change the application, so that in such a case, it responds with something else than 404. 2) install something in /ROOT, which will catch everything that gets there, and respond with something else than 404. That supposes of course that you do not previously have a default application under /webapps/ROOT.
Addendum : The above suggests a (possible) way to do this at the Tomcat level. But you also mention "mod_jk", which implies that you have Apache httpd acting as a front-end to Tomcat and this application. You could also do this at the Apache httpd level. For Apache httpd, mod_jk (and all that is behind it, but that Apache httpd does not know or care about) is seen as the "application", which generates the HTTP response. To filter such a response and possibly modify it before it goes back to the client, you would have to use an "output filter" at the Apache httpd level. Start from here : http://httpd.apache.org/docs/2.2/filter.html But again, you did not really indicate the level at which you need this, or for what ultimate purpose, so it is not easy to recommend a "better" solution.
Re: [ANN] New committer: Ognjen Blagojevic
On 24.10.2015 15:58, Mark Thomas wrote: On behalf of the Tomcat committers I am pleased to announce that Ognjen Blagojevic (ognjen) has been voted in as a new Tomcat committer. Welcome, Ognjen.
Re: ClientAbortException: java.io.IOException: Failed to send AJP message
On 27.10.2015 10:46, Yogesh Patel wrote: Ok Thanks, My Tomcat version is : 7.0.47 Error stack trace is below: " org.apache.catalina.core.StandardWrapperValve.invoke:Line 211 - ClientAbortException: java.io.IOException: Failed to send AJP message at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:406) at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:342) at org.apache.catalina.connector.OutputBuffer.writeBytes(OutputBuffer.java:431) at org.apache.catalina.connector.OutputBuffer.write(OutputBuffer.java:419) at org.apache.catalina.connector.CoyoteOutputStream.write(CoyoteOutputStream.java:91) at " Thanks, much more readable. Previously, you wrote : "In our case user is downloading the document and got message like "document is deleted or moved" and tomcat has log like "ClientAbortException: java.io.IOException: Failed to send AJP message"" But, the error message above still means, at the bottom, that Tomcat is trying to still send some bytes to the client, but the connection with the client is not there anymore, so it cannot send this.. The connection is as follows : browser <-- (1) HTTP(S) --> Apache httpd + proxy module <-- (2) AJP --> Connector> + + . where "proxy module" is either mod_jk or mod_proxy_ajp. So we have to assume that : - when Tomcat + application writes to the client "document has moved..", the whole connection (1+2) is still there (because the client sees the message) - but by the time Tomcat writes this error to its logfile, the AJP connection (2) between Tomcat and Apache httpd has been dropped; It is dropped by the proxy module within Apache; and this is probably because the corresponding HTTP connection (1) between the browser and Apache httpd has been dropped. And this is probably - as someone else already mentioned - because in the meantime, the human at the browser side has decided to click away onto another page. Humans are relatively slow in computer terms. 
So if they manage to click somewhere else between the moment at which they receive the part about the document having been moved, and whatever else the Tomcat application is still trying to send to them afterward, there must be a considerable delay somewhere at the application level, between the moment it sends the "document moved" response part, and the moment it tries to send some additional response part. That is probably what you should be looking at here : what is it that it cannot send anymore, and why is it that there is such a delay between the "document moved" part and this second part. What is the application doing in the meantime ? Of course, the problem, if it is occasional, could also be due to a bad network connection somewhere.. On 27 October 2015 at 14:59, André Warnier (tomcat) <a...@ice-sa.com> wrote: Yogesh, 1) please follow the rules of this list, and don't "top-post" : http://tomcat.apache.org/lists.html#tomcat-users #6 2) please follow the rules of this list, and post your messages as plain text : http://tomcat.apache.org/lists.html#tomcat-users #7 As you can see below, what you are sending comes here as an unreadable blob, and that makes it all the more difficult and demotivating for anyone wanting to help you. On 27.10.2015 06:47, Yogesh Patel wrote: Tomcat 7: INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cms][ ajp-apr-10161-exec-282][2015-10-20 10:02:59,673]- org.apache.catalina.core. StandardWrapperValve.invoke:Line 211 - ClientAbortException: java.io. IOException: Failed to send AJP message at org.apache.catalina.connector.. OutputBuffer.realWriteBytes(OutputBuffer.java:406) at org.apache.tomcat.util .buf.ByteChunk.append(ByteChunk.java:342) at org.apache.catalina.connector. OutputBuffer.writeBytes(OutputBuffer.java:431) at org.apache.catalina. connector.OutputBuffer.write(OutputBuffer.java:419) at org.apache.catalina. connector.CoyoteOutputStream.write(CoyoteOutputStream.java:91) at com.os.. 
gfnactions.contentmanager.document.documentDownload. finalDocumentDownloadProcess(documentDownload.java:140) at sun.reflect. GeneratedMethodAccessor8388.invoke(Unknown Source) at sun.reflect. DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.opensymphony.xwork2. DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:450) at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly( DefaultActionInvocation.java:289) at com.opensymphony.xwork2. DefaultActionInvocation.invoke(DefaultActionInvocation.java:252) at com. opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept( ExceptionMappingInterceptor.java:189) at com.opensymphony.xwork2. DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) at org. apache.s
Re: ClientAbortException: java.io.IOException: Failed to send AJP message
Yogesh, 1) please follow the rules of this list, and don't "top-post" : http://tomcat.apache.org/lists.html#tomcat-users #6 2) please follow the rules of this list, and post your messages as plain text : http://tomcat.apache.org/lists.html#tomcat-users #7 As you can see below, what you are sending comes here as an unreadable blob, and that makes it all the more difficult and demotivating for anyone wanting to help you. On 27.10.2015 06:47, Yogesh Patel wrote: Tomcat 7: INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cms][ ajp-apr-10161-exec-282][2015-10-20 10:02:59,673]- org.apache.catalina.core. StandardWrapperValve.invoke:Line 211 - ClientAbortException: java.io. IOException: Failed to send AJP message at org.apache.catalina.connector. OutputBuffer.realWriteBytes(OutputBuffer.java:406) at org.apache.tomcat.util .buf.ByteChunk.append(ByteChunk.java:342) at org.apache.catalina.connector. OutputBuffer.writeBytes(OutputBuffer.java:431) at org.apache.catalina. connector.OutputBuffer.write(OutputBuffer.java:419) at org.apache.catalina. connector.CoyoteOutputStream.write(CoyoteOutputStream.java:91) at com.os. gfnactions.contentmanager.document.documentDownload. finalDocumentDownloadProcess(documentDownload.java:140) at sun.reflect. GeneratedMethodAccessor8388.invoke(Unknown Source) at sun.reflect. DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.opensymphony.xwork2. DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:450) at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly( DefaultActionInvocation.java:289) at com.opensymphony.xwork2. DefaultActionInvocation.invoke(DefaultActionInvocation.java:252) at com. opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept( ExceptionMappingInterceptor.java:189) at com.opensymphony.xwork2. DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) at org. 
Re: AW: Suppress or replace WWW-Authorization header
Hi. on this list, as per http://tomcat.apache.org/lists.html#tomcat-users #6 , it is preferred if you respond below the question being asked (or the previous response) rather than on top. (The main reason being that it is easier that way to follow the normal gist of the conversation, rather than having to scroll back and forth to figure out what you are responding to.) On 28.10.2015 13:19, Torsten Rieger wrote: I have a legacy java-SOAP-client that only supports BASIC authentication (send the Authorization: Basic... header) and a AngularJS application that consumes a REST-service (also sending the Authorization: Basic header). The server supports two kinds of deployment: Standalone with an embedded Jetty-server and as war-file for app-servers (most of them are tomcat-server). I try to suppress the browser BASIC-login-dialog for the REST-service-calls from AngularJS. On Jetty I modify the 401-responses and replace the "WWW-Authenticate" header by anything else than "BASIC" and that works, now I try to find a solution for the deployment on tomcat servers. Can you copy and paste here the WEB-INF/web.xml of that server application ? (remove any sensitive data). There is probably a way to do this via configuration in Tomcat (I haven't looked it up), but you could also have a look at a standard workhorse for this kind of thing : the UrlRewriteFilter (http://tuckey.org/urlrewrite/). It might provide a way to do this. (I have not really checked it either, but this looks promising : http://cdn.rawgit.com/paultuckey/urlrewritefilter/master/src/doc/manual/4.0/index.html#outbound-rule See the response-header part. ) Rewrite (unset header in responses) with an apache proxy in front of the tomcat is unfortunately not a solution I can implement. So I'm looking for a solution to remove or modify the headers in 401 responses on application server level. 
One thing which is still not clear : do you really want to remove/replace that header, or do you just want that this application would not request authentication at all ? (Then there would be no need to play with the 401 header, because there would never be one). -Original Message- From: André Warnier (tomcat) [mailto:a...@ice-sa.com] Sent: Wednesday, 28 October 2015 10:26 To: users@tomcat.apache.org Subject: Re: Suppress or replace WWW-Authorization header Hi. On 28.10.2015 09:36, Torsten Rieger wrote: Hi, I try to suppress the browser login-dialog on basic authentication (basic is a legacy requirement), how can I do that? Filters are called after login on the container, right? I am not sure that I understand exactly what you mean here, and I certainly do not understand the purpose of what you are trying to do, but here is some information that may help : The general authentication logic in HTTP works (roughly) as follows :
1) the browser sends a request to the server, for some resource (HTML page or else)
2) the server checks if access to the requested resource requires authentication/authorization. If not, go to 8
3) (if yes) : the server checks if the request already contains an authentication of the required type, and if yes, if it is valid. If yes, go to 8
4) (if not) : the server returns a status code 401 (authorization required) to the browser, along with *the kind of authentication* required (this is defined in the server configuration for that resource)
5) the browser obtains the required authentication credentials (in a way which depends on the type of AAA required)
6) the browser repeats the request to the server, this time providing the required credentials, in the form corresponding to what the server indicated in (4).
7) back to (2) above.
8) the server returns the requested resource.
Now your case is apparently so that at step (4) above, the 401 response that the server sends back to the browser, specifies "HTTP Basic" as the requested form of authentication/credentials. In such a case, the browser (all browsers), at step (5), *will* popup a Basic authentication dialog, and there is nothing that you can do about it. It is a behaviour that is built-in in all browsers, and it is what is expected of them. (In other words also, this dialog is not something that is sent by the server, so you cannot "filter it out"). The only way to avoid such a dialog in the browser, is at the level of the server, ensuring that the 401 responses do not specify "Basic" as the requested authentication method. If the above does not answer your question, please provide more details about what you are trying to do, and the purpose of it.
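The rule stated in the message above (the dialog appears only when the 401 names Basic) together with the header replacement Torsten describes doing on Jetty, as an added example that is not code from any poster or from Tomcat. It is plain JavaScript working on header maps; the X-Requested-With marker, the xBasic scheme name and the sample header values are assumptions, and browserWouldPrompt is a simplified model that only knows about Basic.

```javascript
// Added example: models step (4)/(5) of the flow and a server-side header rewrite.
// Assumptions (not from the thread): the AJAX marker header, the "xBasic" scheme
// name and the constructed sample headers used in demo().
const AJAX_MARKER_HEADER = 'X-Requested-With';
const AJAX_MARKER_VALUE = 'XMLHttpRequest';
const REPLACEMENT_SCHEME = 'xBasic';

// HTTP "token" characters; a challenge starts with a scheme token, a parameter
// is "token = value".
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const PARAM_RE = new RegExp('^' + TOKEN + '\\s*=');
const CHALLENGE_RE = new RegExp('^(' + TOKEN + ')(?:\\s+(.+))?$');

// Split on commas that are not inside a double-quoted string (realm="a,b").
function splitOutsideQuotes(value) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === '\\' && i + 1 < value.length) {
      current += ch + value[++i]; // keep an escaped character verbatim
    } else if (ch === '"') {
      inQuotes = !inQuotes;
      current += ch;
    } else if (ch === ',' && !inQuotes) {
      parts.push(current.trim());
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current.trim());
  return parts.filter((p) => p.length > 0);
}

// Parse a WWW-Authenticate value into [{ scheme, params: [raw "k=v" strings] }].
function parseChallenges(headerValue) {
  const challenges = [];
  for (const item of splitOutsideQuotes(headerValue)) {
    if (PARAM_RE.test(item) && challenges.length > 0) {
      challenges[challenges.length - 1].params.push(item); // continues previous challenge
      continue;
    }
    const m = CHALLENGE_RE.exec(item);
    if (m) challenges.push({ scheme: m[1], params: m[2] ? [m[2]] : [] });
  }
  return challenges;
}

function formatChallenges(challenges) {
  return challenges
    .map((c) => (c.params.length ? c.scheme + ' ' + c.params.join(', ') : c.scheme))
    .join(', ');
}

// Simplified model of step (5): the native dialog is tied to a Basic challenge on a 401.
function browserWouldPrompt(status, wwwAuthenticate) {
  if (status !== 401 || !wwwAuthenticate) return false;
  return parseChallenges(wwwAuthenticate).some((c) => c.scheme.toLowerCase() === 'basic');
}

// Header names are case-insensitive; find the key as the caller spelled it.
function findHeaderKey(headers, name) {
  return Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
}

// Server-side rewrite: only for 401 responses to requests carrying the AJAX marker,
// rename the Basic scheme. Other clients (the legacy SOAP client) still see Basic.
function suppressBasicPrompt(requestHeaders, status, responseHeaders) {
  const out = Object.assign({}, responseHeaders);
  const reqKey = findHeaderKey(requestHeaders, AJAX_MARKER_HEADER);
  const isAjax = reqKey !== undefined && requestHeaders[reqKey] === AJAX_MARKER_VALUE;
  const authKey = findHeaderKey(out, 'WWW-Authenticate');
  if (status !== 401 || !isAjax || authKey === undefined) return out;
  const rewritten = parseChallenges(out[authKey]).map((c) =>
    c.scheme.toLowerCase() === 'basic' ? { scheme: REPLACEMENT_SCHEME, params: c.params } : c);
  out[authKey] = formatChallenges(rewritten);
  return out;
}

// Constructed sample: the same 401 as seen by the AngularJS client and the SOAP client.
function demo() {
  const response = { 'WWW-Authenticate': 'Basic realm="cms", charset="UTF-8"' };
  const forAjax = suppressBasicPrompt({ 'X-Requested-With': 'XMLHttpRequest' }, 401, response);
  const forSoap = suppressBasicPrompt({ SOAPAction: '""' }, 401, response);
  return {
    ajaxHeader: forAjax['WWW-Authenticate'],
    ajaxPrompts: browserWouldPrompt(401, forAjax['WWW-Authenticate']),
    soapHeader: forSoap['WWW-Authenticate'],
    soapPrompts: browserWouldPrompt(401, forSoap['WWW-Authenticate']),
  };
}

console.log(demo());
```

Where such a rewrite can run depends on which component issues the 401; as a later reply in this thread points out, application code does not get a chance to act when Tomcat itself performs the authentication.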
Re: AW: Suppress or replace WWW-Authorization header
On 29.10.2015 10:12, chris derham wrote: Torsten, Add an interceptor to AngularJS to detect the 401 and do whatever you want, e.g. redirect to a login page. Then when you have the credentials, submit to login rest api, get a token, and then make all other calls passing this token. There are loads of examples on how to do this on the internet. This isn't tomcat specific.
    function globalInterceptorResponse($injector, $q) {
        return {
            'response': function (response) {
                return response;
            },
            'responseError': function (rejection) {
                switch (rejection.status) {
                    // ...
                    case 401:
                        console.warn("Hit 401 - redirecting to login");
                        window.location = '/login';
                        break;
                    // ...
                    default:
                        console.warn(rejection);
                }
                return $q.reject(rejection);
            }
        };
    }
    globalInterceptorResponse.$inject = ['$injector', '$q'];
then in request config,
    $httpProvider.interceptors.push(globalInterceptorResponse);
This won't work because the application doesn't get a chance to do anything until Tomcat completes its authentication/authorization work. If the application were handling the authentication/authorization, then the original Filter would have worked. -chris
Chris, I think that you thought the above was server-side java code. The above was javascript code that runs in the browser. It does work - I copied it from a project I am working on now.
Hi. I will not dispute the fact that this solution works for you, and that it could also work for Torsten. And I must say that it looks elegant, from a javascript point of view. I will just submit a personal opinion, based on long experience, that says that any solution (for this kind of interacting-with-servers issue) which is browser-based, is always more fragile and inherently more unstable, than a solution based on normal HTTP interactions and implemented at the server side. (*) There are always little differences among browsers and browser versions, as to how they handle javascript code.
And there are many things that a user can do with his browser, that can interfere with such things. And problems on that side will always be very time-consuming to identify and debug. A server-side, protocol-compliant solution on the other hand, will work with any HTTP-compliant browser (which does not necessarily include all versions of Internet Explorer), and be a lot easier to maintain. End of opinion. (*) with an exception for all the marvelous things which you can do with tools like jQuery, when used judiciously at the level of the browser-side presentation and user interaction. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AW: Suppress or replace WWW-Authorization header
On 28.10.2015 15:39, Christopher Schultz wrote:

Torsten,

On 10/28/15 8:19 AM, Torsten Rieger wrote:

I have a legacy java-SOAP-client that only supports BASIC authentication (send the Authorization: Basic... header) and an AngularJS application that consumes a REST-service (also sending the Authorization: Basic header). The server supports two kinds of deployment: Standalone with an embedded Jetty-server and as war-file for app-servers (most of them are tomcat-server). I try to suppress the browser BASIC-login-dialog for the REST-service-calls from AngularJS. On Jetty I modify the 401-responses and replace the "WWW-Authenticate" header by anything else than "BASIC" and that works, now I try to find a solution for the deployment on tomcat servers. Rewrite (unset header in responses) with an apache proxy in front of the tomcat is unfortunately not a solution I can implement. So I'm looking for a solution to remove or modify the headers in 401 responses on application server level.

So you just want to disable HTTP BASIC authentication? Why not just remove the from web.xml and disable authentication entirely? Are you saying that when you connect using a REST client, the client shows a login dialog in a web browser? That sounds ... weird. The REST client should see the WWW-Authenticate header and either (a) fail or (b) re-try with credentials you have provided to it.

Yes, but if the SOAP-client is an applet in the browser, chances are that in order to collect the user credentials that it needs, it uses the internal browser mechanism, which pops up the dialog to obtain these user credentials. So not so weird necessarily.
Re: servlet filter not working over virtual directories in tomcat
On 24.10.2015 05:11, Pradyut Bhattacharya wrote:

The URL pattern therefore needs to be "/*"

Could not do anything with the above statement. May be an example could suffice.

Then maybe try this :

Instead of : dir_filter /web/*
try : dir_filter /*

Explanation : in and , the is *relative to the webapp context*. In your case, because of the way you have configured this, the webapp has a context of "/TestApp/web". Therefore, if you want the filter to apply to everything under "/TestApp/web", you have to map it to "/*". So that, in URL-space, it will apply to "/TestApp/web/*".

The way you originally mapped it above, it would apply to "/TestApp/web/web/*", which is why it seemed not to be working. The filter was there, but never invoked, because there was never any request URL matching "/TestApp/web/web/*".

Clearer ?

Note that this is the same as what Mark was saying, only in many more words.
Re: Java 7 and 8 features
On 27.10.2015 17:01, Vinicius Corrêa de Almeida wrote:

I analyzed some releases and I noticed that not using java 7 features like multi catch and in java 8 do not use lambda expressions and others features, so I came by this email to know why the developers not using this features?

I believe that you are asking the wrong question. As per this page : http://tomcat.apache.org/whichversion.html

"Apache Tomcat™ is an open source software implementation of the Java Servlet and JavaServer Pages technologies."

In other words, Tomcat is not an implementation of any specific Java version. If, to fulfill its target of implementing some specific version of the Java Servlet and JavaServer Pages technologies, it was necessary for running Tomcat code to use a certain minimum version of the Java JVM, then so be it, and the page above would mention that (and it does). But that does not mean that every feature available in such a version of the Java JVM /must/ necessarily be used by Tomcat.
Re: AW: Suppress or replace WWW-Authorization header
On 28.10.2015 16:55, chris derham wrote:

No, container BASIC authentication should be enabled, the container should handle the authentication, but the browser should not show his ugly default login dialog when I request resources from the REST-service with wrong credentials. When the REST-client (web-application in the browser) receives a failed login with a WWW-Authenticate header, the default dialog of the browser will be shown... that’s what I want to suppress. When I remove the (a) or (b) sending requests with credentials will not work anymore (a: 403 forbidden; b: deployment fails). But that's not a solution because the rest-service should be still protected and I need to authenticate via "Authentication: Basic ." header send credentials, but I don't want to show the ugly browser-dialog to the users. Using an AngularJS Client with REST-services based on tomcat should be a common use-case, it could not be that I'm the first one who wants a custom login-screen. :-/ -torsten

Torsten, Add an interceptor to AngularJS to detect the 401 and do whatever you want, e.g. redirect to a login page. Then when you have the credentials, submit to login rest api, get a token, and then make all other calls passing this token. There are loads of examples on how to do this on the internet. This isn't tomcat specific.

    function globalInterceptorResponse($injector, $q) {
        return {
            'response': function (response) {
                return response;
            },
            'responseError': function (rejection) {
                switch (rejection.status) {
                    // ...
                    case 401:
                        console.warn("Hit 401 - redirecting to login");
                        window.location = '/login';
                        break;
                    // ...
                    default:
                        console.warn(rejection);
                }
                return $q.reject(rejection);
            }
        };
    }
    globalInterceptorResponse.$inject = ['$injector', '$q'];

then in request config,

    $httpProvider.interceptors.push(globalInterceptorResponse);

Chris

What is maybe not totally clear for the OP above, is that the above is done at the level of the client (browser). Not at the tomcat level. (Which is maybe also why Torsten did not find anything when he previously searched the web : he was searching with the wrong keywords).
Re: AW: AW: Suppress or replace WWW-Authorization header
On 28.10.2015 17:42, Torsten Rieger wrote:

-Original Message- From: Aurélien Terrestris [mailto:aterrest...@gmail.com] Sent: Wednesday, 28 October 2015 16:45 To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: AW: Suppress or replace WWW-Authorization header

You can choose between a pop-up or an HTML FORM This one looks like this in web.xml : FORM webapp global realm /login.jsp /error_login.jsp

2015-10-28 16:28 GMT+01:00 Torsten Rieger <torsten.rie...@promatis.de>:

-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, 28 October 2015 15:39 To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: AW: Suppress or replace WWW-Authorization header

Torsten,

On 10/28/15 8:19 AM, Torsten Rieger wrote:

I have a legacy java-SOAP-client that only supports BASIC authentication (send the Authorization: Basic... header) and an AngularJS application that consumes a REST-service (also sending the Authorization: Basic header). The server supports two kinds of deployment: Standalone with an embedded Jetty-server and as war-file for app-servers (most of them are tomcat-server). I try to suppress the browser BASIC-login-dialog for the REST-service-calls from AngularJS. On Jetty I modify the 401-responses and replace the "WWW-Authenticate" header by anything else than "BASIC" and that works, now I try to find a solution for the deployment on tomcat servers. Rewrite (unset header in responses) with an apache proxy in front of the tomcat is unfortunately not a solution I can implement. So I'm looking for a solution to remove or modify the headers in 401 responses on application server level.

So you just want to disable HTTP BASIC authentication? Why not just remove the from web.xml and disable authentication entirely? Are you saying that when you connect using a REST client, the client shows a login dialog in a web browser? That sounds ... weird. The REST client should see the WWW-Authenticate header and either (a) fail or (b) re-try with credentials you have provided to it. -chris

No, container BASIC authentication should be enabled, the container should handle the authentication, but the browser should not show his ugly default login dialog when I request resources from the REST-service with wrong credentials. When the REST-client (web-application in the browser) receives a failed login with a WWW-Authenticate header, the default dialog of the browser will be shown... that’s what I want to suppress. When I remove the (a) or (b) sending requests with credentials will not work anymore (a: 403 forbidden; b: deployment fails). But that's not a solution because the rest-service should be still protected and I need to authenticate via "Authentication: Basic ." header send credentials, but I don't want to show the ugly browser-dialog to the users. Using an AngularJS Client with REST-services based on tomcat should be a common use-case, it could not be that I'm the first one who wants a custom login-screen. :-/

Torsten, the people answering on this list are generally competent and helpful. But they are not magicians. You seem (so far) to be asking something impossible.

1) if the server sends to the client an authentication header saying HTTP Basic, then the client will popup a builtin HTTP Basic dialog (which you do not want)
2) if the server sends to the client an authentication header saying something else, then the client cannot handle it

1 + 2 = solution impossible

You mentioned before that with another server than Tomcat, you solved this apparently impossible problem. Can you tell us how ? Or else, can you tell us which authentication methods, /apart/ from HTTP Basic, the client does support ?
Re: AW: AW: Suppress or replace WWW-Authorization header
On 28.10.2015 17:42, Torsten Rieger wrote:

-Original Message- From: Aurélien Terrestris [mailto:aterrest...@gmail.com] Sent: Wednesday, 28 October 2015 16:45 To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: AW: Suppress or replace WWW-Authorization header

You can choose between a pop-up or an HTML FORM This one looks like this in web.xml : FORM webapp global realm /login.jsp /error_login.jsp

2015-10-28 16:28 GMT+01:00 Torsten Rieger <torsten.rie...@promatis.de>:

-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, 28 October 2015 15:39 To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: AW: Suppress or replace WWW-Authorization header

Torsten,

On 10/28/15 8:19 AM, Torsten Rieger wrote:

I have a legacy java-SOAP-client that only supports BASIC authentication (send the Authorization: Basic... header) and an AngularJS application that consumes a REST-service (also sending the Authorization: Basic header). The server supports two kinds of deployment: Standalone with an embedded Jetty-server and as war-file for app-servers (most of them are tomcat-server). I try to suppress the browser BASIC-login-dialog for the REST-service-calls from AngularJS. On Jetty I modify the 401-responses and replace the "WWW-Authenticate" header by anything else than "BASIC" and that works, now I try to find a solution for the deployment on tomcat servers. Rewrite (unset header in responses) with an apache proxy in front of the tomcat is unfortunately not a solution I can implement. So I'm looking for a solution to remove or modify the headers in 401 responses on application server level.

So you just want to disable HTTP BASIC authentication? Why not just remove the from web.xml and disable authentication entirely? Are you saying that when you connect using a REST client, the client shows a login dialog in a web browser? That sounds ... weird. The REST client should see the WWW-Authenticate header and either (a) fail or (b) re-try with credentials you have provided to it. -chris

No, container BASIC authentication should be enabled, the container should handle the authentication, but the browser should not show his ugly default login dialog when I request resources from the REST-service with wrong credentials. When the REST-client (web-application in the browser) receives a failed login with a WWW-Authenticate header, the default dialog of the browser will be shown... that’s what I want to suppress. When I remove the (a) or (b) sending requests with credentials will not work anymore (a: 403 forbidden; b: deployment fails). But that's not a solution because the rest-service should be still protected and I need to authenticate via "Authentication: Basic ." header send credentials, but I don't want to show the ugly browser-dialog to the users. Using an AngularJS Client with REST-services based on tomcat should be a common use-case, it could not be that I'm the first one who wants a custom login-screen. :-/ -torsten

The Problem is then, that login via "Authorization: BASIC xyz==" will not work anymore... the legacy client is not able to handle FORM based login :-/

Torsten, let me try again another way :

1)
>> Using an AngularJS Client with REST-services based on tomcat should be
>> a common use-case, it could not be that I'm the first one who wants a
>> custom login-screen. :-/

No, you probably are not. But *this has nothing to do with Tomcat per se*. Any other webserver, in the same circumstances, would send a 401 back, with a request for HTTP Basic authentication. If, at the server level, you configure that for this application, you want HTTP Basic authentication, then that is what you will get. It is not a choice of the server, it is something *imposed* by the HTTP protocol. If you want something else to happen, but still have the client be authenticated for that application, then you have to change the authentication method required, at the server level. No way around it.

2) If the browser receives a 401 response header which indicates that the requested authentication method should be HTTP Basic, then it will popup its builtin HTTP Basic authentication popup dialog. There is no easy way around this either, because this behaviour is built-in into the code of all major browsers. (Also because the HTTP protocol says that this is what the browser should do). If you want this to be different, then you have to find a way to modify the browser-side logic, so that it does not do that. Doing this is possible, but not easy (see some of the other responses), and if not
Re: AW: AW: Tomcat 6, DB2 Driver Problems
On 29.10.2015 09:09, simone.rodenbach@devk.de wrote:

Hi Christopher, I attached some pictures of the threads. Thx, Simone

Hi Simone. Christopher is in the USA, so it will take some time before he responds. For the sake of gaining some time however : your attachments did not make it to the list, which strips most attachments. Better : use a text editor to cut and paste the stack trace right here :

-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, 28 October 2015 15:30 To: Tomcat Users List Subject: Re: AW: Tomcat 6, DB2 Driver Problems

Simone,

On 10/28/15 4:02 AM, simone.rodenbach@devk.de wrote:

I tried to google for the driver and classloader and found nothing that helped me :-( I can only provide you with this information: I configured the datasource in the context.xml

Why are you overriding Tomcat's default DataSourceFactory with another one?

    maxActive="10" minIdle="2" maxIdle="10" maxWait="1"
    minEvictableIdleTimeMillis="12" timeBetweenEvictionRunsMillis="6"
    username="xxx" password="xxx"
    driverClassName="com.ibm.db2.jcc.DB2Driver" url="xxx;"
    validationQuery="select 1 from sysibm.sysdummy1" />

The spring bean

I created a test project. Because of that I'm sure that I don't start a thread.

It doesn't have to be *your code* starting the thread directly. JDBC drivers have a habit of launching their own cleanup threads and then not offering any interface to stop them.

But the log says:

    Okt 28, 2015 8:41:15 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SCHWERWIEGEND: The web application [/test] appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.

I think this thread is started from org.apache.commons.dbcp.BasicDataSourceFactory.

Nope, BasicDataSourceFactory doesn't have the word "thread" anywhere in its code: http://svn.apache.org/viewvc/commons/proper/dbcp/tags/DBCP_1_4/src/java/org/apache/commons/dbcp/BasicDataSourceFactory.java?view=markup

I removed the db2cc4.jar to get an exception to inspect from where the driver is loaded and got:

    Caused by: java.lang.ClassNotFoundException: com.ibm.db2.jcc.DB2Driver
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1858)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1709)
        at org.apache.commons.dbcp.BasicDataSource.createConnectionFactory(BasicDataSource.java:1420)

That only tells you where the driver is loaded. It doesn't tell you when the thread was launched. After shutting-down your web application (and getting the warning about the Timer-0 thread), can you take a thread dump and show us the stack trace for the Timer-0 thread? -chris
Re: Tomcat answers on port 80, not on 443
On 23.10.2015 16:53, Beyer, Gregory L wrote:

...

    ##
    # Inbound SSL Settings
    ##
    org.apache.felix.https.enable=true
    org.osgi.service.http.port.secure=443
    org.apache.felix.https.keystore=E:\\Program Files\\Connector\\.keystore
    org.apache.felix.https.keystore.password=REDACTED
    org.apache.felix.https.keystore.key.password= REDACTED
    org.apache.felix.https.truststore=C:\\Program Files\\Java\\jre1.8.0_60\\lib\\security\\cacerts
    org.apache.felix.https.truststore.password= REDACTED

Question -- Does anyone think " Program Files" (space) above is contributing to the problem?

Maybe, maybe not. It would depend on how "Felix" parses its configuration files. But in any case, admitting spaces in file names is certainly one of the stupidest and most costly ideas in the history of computing. A close second would be making this a standard program installation directory in some widely-distributed operating systems. A close third would be using the same thing in the standard installation path of some popular open-source software. oh well..

Getting back on-topic however : I do not know anything about Felix, and I have not really followed this thread. But assuming that this Felix is a web application running under Tomcat, the fact that it has the above in its own configuration file, rather than in some Tomcat configuration file, would tend to make one suspect that Felix is opening its own listening socket, of which Tomcat knows nothing. No ? And in such a case, there would be some conflict if one simultaneously to deploying this web application, would try to open a Tomcat Connector on the same port. One of them is bound to fail.

[...]
Re: Suppress or replace WWW-Authorization header
Hi.

On 28.10.2015 09:36, Torsten Rieger wrote:

Hi, I try to suppress the browser login-dialog on basic authentication (basic is a legacy requirement), how can I do that? Filters are called after login on the container, right?

I am not sure that I understand exactly what you mean here, and I certainly do not understand the purpose of what you are trying to do, but here is some information that may help :

The general authentication logic in HTTP works (roughly) as follows :

1) the browser sends a request to the server, for some resource (HTML page or else)
2) the server checks if access to the requested resource requires authentication/authorization. If not, go to 8
3) (if yes) : the server checks if the request already contains an authentication of the required type, and if yes, if it is valid. If yes, go to 8
4) (if not) : the server returns a status code 401 (authorization required) to the browser, along with *the kind of authentication* required (this is defined in the server configuration for that resource)
5) the browser obtains the required authentication credentials (in a way which depends on the type of AAA required)
6) the browser repeats the request to the server, this time providing the required credentials, in the form corresponding to what the server indicated in (4).
7) back to (2) above.
8) the server returns the requested resource.

Now your case is apparently so that at step (4) above, the 401 response that the server sends back to the browser, specifies "HTTP Basic" as the requested form of authentication/credentials. In such a case, the browser (all browsers), at step (5), *will* popup a Basic authentication dialog, and there is nothing that you can do about it. It is a behaviour that is built-in in all browsers, and it is what is expected of them. (In other words also, this dialog is not something that is sent by the server, so you cannot "filter it out").

The only way to avoid such a dialog in the browser, is at the level of the server, ensuring that the 401 responses do not specify "Basic" as the requested authentication method.

If the above does not answer your question, please provide more details about what you are trying to do, and the purpose of it.
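The server-side decision at steps (2) to (4) and (8) of the flow described above, as an added example that is not part of the original thread and is not Tomcat code. The `xBasic` scheme name, the `X-Requested-With` marker, the `USERS` store and the simplified browser model are assumptions made for this sketch; it shows that the challenge label can change while `Authorization: Basic` credentials are still checked the same way.

```javascript
// Added example (not from the thread, not Tomcat code).
// Assumptions: the "xBasic" scheme name, the X-Requested-With marker and the
// USERS store are constructed for this sketch.
const REALM = 'rest-service';                                    // constructed
const USERS = new Map([['legacy-soap', 'constructed:secret']]);  // constructed

// Case-insensitive header lookup (HTTP field names are case-insensitive).
function header(req, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(req.headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Value a client sends at step (6): "Basic " + base64(user:password).
function basicCredentials(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

// Parse an Authorization header; returns null unless it is well-formed Basic.
function parseBasicAuthorization(value) {
  if (typeof value !== 'string') return null;
  const match = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(value.trim());
  if (!match) return null;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const colon = decoded.indexOf(':'); // only the first ':' separates user and password
  if (colon < 0) return null;
  return { user: decoded.slice(0, colon), password: decoded.slice(colon + 1) };
}

// Compare two strings without stopping at the first differing byte.
function constantTimeEqual(a, b) {
  const x = Buffer.from(String(a), 'utf8');
  const y = Buffer.from(String(b), 'utf8');
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) diff |= (x[i] || 0) ^ (y[i] || 0);
  return diff === 0;
}

// Steps (2)-(4) and (8): check credentials, otherwise answer 401 with a challenge.
function handle(req, options = {}) {
  const creds = parseBasicAuthorization(header(req, 'Authorization'));
  if (creds) {
    const expected = USERS.get(creds.user);
    const known = expected !== undefined;
    // Always run the comparison so unknown users take the same code path.
    const matches = constantTimeEqual(creds.password, known ? expected : '');
    if (known && matches) return { status: 200, headers: {}, user: creds.user };
  }
  // The marker is client-controlled; it only changes how the challenge is
  // labelled, never whether credentials are required or how they are checked.
  const isXhr = header(req, 'X-Requested-With') === 'XMLHttpRequest';
  const scheme = options.suppressDialogForXhr && isXhr ? 'xBasic' : 'Basic';
  return { status: 401, headers: { 'WWW-Authenticate': `${scheme} realm="${REALM}"` } };
}

// Simplified model of step (5): the built-in dialog appears for a Basic challenge.
function browserShowsNativeDialog(res) {
  if (res.status !== 401) return false;
  return /^basic(\s|$)/i.test(res.headers['WWW-Authenticate'] || '');
}
```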
Re: Fwd:
On 12.11.2015 10:17, Yuval Schwartz wrote:

On Wed, Nov 11, 2015 at 7:14 PM, Mark Eggers <its_toas...@yahoo.com.invalid> wrote:

Yuval,

On 11/11/2015 8:34 AM, Yuval Schwartz wrote:

Hello Mark, Thanks for the reply. I am interested in finding where the Document Root is for my application ("applicationName"). As I understand, since my Catalina_Home = "c:\tomcat" and the "" tag in the server.xml specifies "appbase='webapps'", it should be under c:\tomcat\webapps...but it is not. Thanks again.

And it will only be there if you actually deploy the WAR file to Tomcat (and unpackWARs is set to true). It may be in a different directory if you use a context file. This is how NetBeans operates. It may not even exist (if unpackWARs is set to false). What are you doing that requires knowledge of Document Root? BTW, document root is really an Apache HTTPD concept, and not an Apache Tomcat concept.

I just want to place a favicon in the document root. How can I do this? Again, the default tomcat favicon was shown up until (I think) when I changed one of my projects' context path from "applicationName" to "/". Since then, the favicon has disappeared and I would like to see it again (and to have a better understanding of these things since I hope to deploy to a web server in the coming months).

Maybe this will help your basic understanding : http://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F

And maybe additionally, a comparison with Apache httpd :

Under Apache httpd, there isn't really a "default application", but the top of the URL space (what you get when you request a URL such as "http://hostname/") is defined by the DocumentRoot directive in the webserver configuration file. (And by default, it is something on disk like : ../Apache2/htdocs/).

Under Tomcat, things are a bit different : there is not really a "DocumentRoot"; instead, there are multiple "web applications", all equal and at the same logical level, each one of them defined separately in its own sub-directory of (tomcat_directory)/webapps/. Among those equal webapps, one is a little bit more equal than the others however, and acts as the "default webapp" (what a client gets when it requests the URL "http://tomcat_hostname/") (*) : that is the application located at "(tomcat_directory)/webapps/ROOT/" (capitals important).

(*) or any other URL which Tomcat cannot clearly map to another webapp

Also, it is the convention of this mailing list to either reply inline or (preferably) at the end of the message. See the following for the mailing list guidelines: http://tomcat.apache.org/lists.html (item 6 of the tomcat-users mailing list)

. . . just my two cents /mde/

On Wed, Nov 11, 2015 at 6:13 PM, Mark Eggers <its_toas...@yahoo.com.invalid> wrote:

Yuval,

On 11/11/2015 7:06 AM, Yuval Schwartz wrote:

Hello, I am using tomcat 8.0.22.0. My Catalina_Home is set to "C:\tomcat". IDE: Netbeans. Language: Java.

For some reason, when I deploy a web application in Netbeans that has the name "applicationName" and context path: "/applicationName" I do not see the application in the c:\tomcat\webapps folder. Can someone help me figure out what is not configured correctly? All I see is 4 folders "docs, examples, host-manager, manager."

Interestingly, if I undeploy one of these 4 folders in netbeans, then this change is reflected immediately in path c:\tomcat\webapps (ie: I see 3 folders). However, as I said, deploying "applicationName" does not result in the folder being available in c:\tomcat\webapps (as it should).

The whole reason I got into this was because I stopped seeing the tomcat favicon in my application all of a sudden (I suspect because I changed the context path from "/applicationName" to "/"). Now I would like to see the favicon and would like to understand why I am not seeing the deployed application where I should. My application is deployed successfully and runs fine (I just don't see it in c:\tomcat\webapps). Thank you.

This is due to how NetBeans deploys to Tomcat. NetBeans creates a config.xml file and copies it to %CATALINA_BASE%\conf\Catalina\localhost\appname.xml

Inside the appname.xml, there's a docBase that points to where you built your application (for me it's ProjectName\target\artifact-id). This then makes use of Tomcat's default configuration to trigger reloads of your web application when certain resources are changed.

Here's a link on how that deployment works: http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html Look for Deploy using a Context configuration ".xml" file.

. . . just my two cents /mde/
Re: Tomcat simple tcp cluster doesn't work on switching browser
On 16.11.2015 11:36, Amit Rawat wrote:

Hi, I'm observing some strange behaviour between two instances of apache-tomcat-7.0.41 running on the same server. Sessions are shared between the servers on multiple logins/logouts on the same browser , but when i switch browsers , the session sharing stops . I have posted a question on stack overflow where you can find more details on what I have tried & my observations : http://stackoverflow.com/questions/33546555/tomcat-simple-tcp-cluster-doesnt-work-on-switching-browser Any help would be appreciated.

Off the top of my head, I would say

- a "session" saved on the server, is identified by a "session-id" (some kind of large alphanumeric string, unique)
- to allow a browser to re-connect to the same session during several interactions, this session-id is initially sent to the browser, contained in a cookie
- whenever the browser interacts with the same server/cluster, it resends this cookie, and this is what allows the server to re-connect this browser to the saved session
- of course, if you switch browsers, the new browser does not have that cookie. So it does not send it to the server/cluster, and it gets a new session, with a different session-id.

Or did I misunderstand your explanation of what happens ?
Re: 80ms delay switching between worker threads
On 30.10.2015 01:03, Farzad Panahi wrote:

Hi, I am using tomcat 8.0.23 to terminate my websocket connections. I was looking at my trace logs and noticed that when tomcat worker thread responsible for processing websocket messages switches to a different thread, there is about 80ms delay. In my OnMessage implementation I let the work done for each message by thread from the executor service thread pool. So onMsg method supposed to return immediately. Here is the OnMessage implementation and trace log messages. Any ideas what is causing that delay?

Come on, let's be a bit humane here. According to : https://en.wikipedia.org/wiki/Time_%28Orders_of_magnitude%29 tomcat here thus switches threads in less than the blink of an eye. Considering that most tomcats out there already process dozens of requests per second, day in, day out, without any holidays ever, with end-user clients that they barely know, don't you think that they can be allowed this slight pause between conversations ?

Also, for the method supposed to return "immediately" : the (Google) definition of "immediately" says "here and now, this very minute". Surely 80 ms is well within the specs then ? After all, websocket is an /asynchronous/ protocol.
Re: [OT] RE: 80ms delay switching between worker threads
On 02.11.2015 21:23, David kerber wrote: On 11/2/2015 3:09 PM, Farzad Panahi wrote: Quoting from David Holme's blog: The nanoTime method uses the highest resolution clock available on the platform, and while its return value is in nanoseconds, the update resolution is typically only microseconds. https://blogs.oracle.com/dholmes/entry/inside_the_hotspot_vm_clocks I think we can rely on nanoTime as a clock with microsecond resolution. Having said that can't we say printing out nanoTime in websocket message handler will give us a fair number (with microsecond accuracy) to measure how quickly the message handler is being called? All I am saying is that I see an obvious hiccup in order of milliseconds when threads are switching which I have no explanation for. Please advise if you think the way I am measuring is wrong. I'm with Chris on this one: I think it's due to running on a VM rather than on real hardware. I am no specialist in the matter, but I believe that what the OP is saying, is that there is a clear and systematic difference between 2 cases : - when the threads are switching - versus when they are not switching If so, and assuming that his measurements use the same method and instruments in each case, statistically-speaking there would still be an as yet unexplained difference, no ? (even if it is only a blink of an eye, repeated blinks can amount to something significant) Cheers Farzad On Mon, Nov 2, 2015 at 4:56 AM, David kerber <dcker...@verizon.net> wrote: On 10/31/2015 10:51 AM, David Balažic wrote: Just a note: When most of you say "resolution" what you think about is actually called "accuracy". (also see "precision" , here is a good roundup: http://www.tutelman.com/golf/measure/precision.php ) I'm not sure about the others, but as an Electrical Engineer, I know the difference between resolution, precision, and accuracy. In the post I made earlier, I said and meant "resolution". 
David Balažic Software Engineer www.comtrade.com

-Original Message- From: Konstantin Preißer [mailto:kpreis...@apache.org] Sent: 31. October 2015 10:27 To: Tomcat Users List Subject: [OT] RE: 80ms delay switching between worker threads Importance: Low

Hi Christopher,

-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Saturday, October 31, 2015 3:43 AM

What OS are you using? IIRC, the Windows timer has horrible resolution. you can call System.currentTimeNanos all you want, but you won't get anything meaningful lower than some threshold regardless of the actual least significant digits coming back from those calls.

While that may have been true in ancient versions like XP and Vista, at least starting with Win7 QueryPerformanceCounter() uses the processor's TSC [1] (where Vista used the HPET if available) so you should have a very high resolution here. E.g. running the following Java program:

    public class TimerResolution {
        public static void main(String[] args) {
            // Number of Math.pow() calls timed in each measurement
            int[] iterations = { 100, 120, 150, 250 };
            for (int i = 0; i < iterations.length; i++) {
                // Repeat each measurement three times
                for (int j = 0; j < 3; j++) {
                    long currentTime = System.nanoTime();
                    double startValue = 1000;
                    for (int z = 0; z < iterations[i]; z++) {
                        startValue = Math.pow(startValue, 0.99);
                    }
                    long difference = System.nanoTime() - currentTime;
                    System.out.println(iterations[i] + " pow iterations ms took " + (difference / 1000L) + " µs");
                }
            }
        }
    }

prints on my system something like:

    100 pow iterations ms took 25 µs
    100 pow iterations ms took 7 µs
    100 pow iterations ms took 7 µs
    120 pow iterations ms took 8 µs
    120 pow iterations ms took 9 µs
    120 pow iterations ms took 8 µs
    150 pow iterations ms took 11 µs
    150 pow iterations ms took 10 µs
    150 pow iterations ms took 13 µs
    250 pow iterations ms took 18 µs
    250 pow iterations ms took 17 µs
    250 pow iterations ms took 17 µs

So there should at least be a microsecond resolution. On a C# program using Stopwatch I get similar results in the range from 5 to 12 µs.
Note, QueryPerformanceFrequency() [2] can be used to get the frequency of the timer which is exposed in .Net through static System.Diagnostics.Stopwatch.Frequency field as ticks per second. On my system it prints "3323580" so the resolution should be around ~0.3 microseconds.

Regards, Konstantin Preißer

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/dn553408%28v=vs.85%29.aspx
[2] https://msdn.microsoft.com/de-de/library/windows/desktop/ms644905%28v=vs.85%29.aspx
Re: [PROPOSAL] Tomcat Webinar series
On 12.11.2015 23:29, Mark Thomas wrote:

All, I've been wondering if there would be any interest in a Tomcat Webinar series. I'm thinking ~10 minutes of presentation followed by Q&A on topics of interest to this community with the webinars taking place every 1/2/4 weeks depending on interest. The webinars would also be recorded and uploaded somewhere - probably youtube - and linked from tomcat.apache.org. My initial thoughts on possible topics are:
- Intro to Tomcat 9 (the first milestone release is in progress as I type this)
- TLS virtual hosting with Tomcat 9
- Generating TLS keys for Tomcat
- HTTP/2 and Tomcat 9
- Connector selection: BIO vs NIO vs NIO2 vs APR
- Proxy protocol choice HTTP vs AJP

Other topics as requested by the users@ community. Presenters would be one of the Tomcat committers. Obviously, I'm happy to do these but I hope some of my fellow committers will agree to do some presentations as well. Thoughts, feedback, topic suggestions welcome.

I think it's a great idea, but like someone else mentioned, I believe that 10 minutes may be a bit short for any of the above themes. Additional suggestions for sessions :
- how to set up Tomcat so as to make upgrades easier
- the relationship between Tomcat and the Java Servlet Specification
- for sysadmins : how to set up Tomcat logging
- tools and formulas for tuning Tomcat for specific load scenarios
- when and how to generate heap dumps, and how to (roughly) interpret them
Re: HTTP 400 with Form based authentication
Hi. I have not really followed this thread from the beginning, but maybe I can contribute something here..

On 07.09.2015 15:56, Sreyan Chakravarty wrote: .. Also can a webapp have different realms ? If so how do you distinguish them ? I was looking at the RealmBase source and I haven't noticed a place for realmName. If not then what is the use of the element in web.xml ?

One webapp can only have one realm, but several webapps (or let's say more generically several areas in "URL space" on the server) can share the same realm. The "realm" is something that the server sends back to the browser in the "401 Authorization required response". It is just a "label", which in terms of AAA, identifies a certain collection of resources on the server, covered by the same authentication/authorization requirements. In the server configuration, you can choose yourself which resources are covered by the same realm (label).

It is easier to explain this by example, in the general context of the HTTP protocol. The basic way in which AAA works in a webserver is this :

1) the client/browser sends a request to the server, with a specific URL, which resolves on the server to some resource

2) the server evaluates the request, and resolves the resource to which it applies (e.g. a static html page, a servlet, ..). The server then checks in its configuration, if this resource is protected. If not, it returns the requested resources to the client, and that's it.

3) if the request is protected, the server checks if the request contains some form of authentication. If yes, the server checks if this authentication is valid, and applicable to this resource. If yes, the server returns the requested resource, and that's it. If not, the server returns a "forbidden" response.

4) If the request did not contain an authentication, the server returns a response to the client : "401 Authorization required", along with a realm (the "label" applicable to this resource, as per the server configuration), *and* the required authentication method (e.g. "Basic" or "Digest").

5) the client sees this response, and interacts with the user to obtain the required user-id/password. Once obtained, the client/browser repeats the same request to the server, but this time with some additional HTTP header(s) containing the requested authentication. At the same time, the client/browser "remembers" this authentication, and remembers to which "realm" it applies. Then go back to (1) above.

If the client/browser (within the same browser session), later accesses the same or another resource, and it receives from the server another 401 "auth required" response with a realm in it, and the browser knows that *for this same realm* it already had a remembered authentication, then it can send the same one again to the server, without needing to ask the user again to fill-in a login dialog. This is a pure HTTP-level mechanism, which works independently of any "session" that one may have on the server (as long as the authentication method is "Basic" or "Digest").
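The 401/realm exchange described in this message, as an added Python simulation that is not part of the original post. The URL prefixes, realm labels, accounts and the names server, Browser and decode_basic are constructed for illustration, and the in-process server function stands in for a real HTTP server.

```python
import base64
import hmac
import re

# Constructed server configuration: URL prefix -> realm label.
# /app1/ and /app2/ are two areas of URL space sharing one realm.
REALM_FOR_PREFIX = {"/app1/": "Staff", "/app2/": "Staff", "/admin/": "Admin"}
# Constructed accounts, per realm.
ACCOUNTS = {"Staff": {"alice": "wonderland"}, "Admin": {"bob": "builder"}}


def decode_basic(header_value):
    """Return (user, password) from a 'Basic ...' header, or None if malformed.

    Base64 is an encoding, not encryption: anyone who sees the header
    recovers the password, so Basic must only travel over TLS.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, sep, password = base64.b64decode(blob).decode().partition(":")
    except ValueError:
        return None
    return (user, password) if sep else None


def server(path, headers):
    """Steps 2-4 of the flow: returns (status, response_headers, body)."""
    realm = next((r for p, r in REALM_FOR_PREFIX.items() if path.startswith(p)), None)
    if realm is None:                       # resource is not protected
        return 200, {}, "public " + path
    auth = headers.get("Authorization")
    if auth is None:                        # step 4: ask for credentials
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}, ""
    creds = decode_basic(auth)
    if creds is not None:
        expected = ACCOUNTS[realm].get(creds[0])
        if expected is not None and hmac.compare_digest(
                expected.encode(), creds[1].encode()):
            return 200, {}, "protected " + path
    return 403, {}, ""                      # step 3: present but not valid


class Browser:
    """Step 5: prompts the user once per realm and remembers the answer."""

    def __init__(self, ask_user):
        self.ask_user = ask_user            # callback: realm -> (user, password)
        self.remembered = {}                # realm -> Authorization header value
        self.prompted = []                  # realms the user was asked about

    def get(self, path):
        status, headers, body = server(path, {})
        if status != 401:
            return status, body
        match = re.fullmatch(r'Basic realm="([^"]*)"', headers["WWW-Authenticate"])
        realm = match.group(1)
        if realm not in self.remembered:
            user, password = self.ask_user(realm)
            self.prompted.append(realm)
            blob = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
            self.remembered[realm] = "Basic " + blob
        status, _, body = server(path, {"Authorization": self.remembered[realm]})
        return status, body


def demo():
    """Three protected requests; only two login prompts because two share a realm."""
    logins = {"Staff": ("alice", "wonderland"), "Admin": ("bob", "builder")}
    browser = Browser(lambda realm: logins[realm])
    results = [browser.get(p) for p in ("/app1/a", "/app2/b", "/admin/c")]
    return results, browser.prompted


if __name__ == "__main__":
    print(demo())
```

The remembered value is keyed on the realm label alone, which is why two areas that share a label also share a login prompt.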
Re: Dynamically Create Subdomains - Tomcat 7x
On 04.09.2015 05:31, Kiran Badi wrote:

Hi, I need some help, I need to create subdomains dynamically, Is this possible ? I have a site, www.mymainsite.com on this main site, I drop the zipcode and city cookie and then I forward it to front controller, and it's this front controller which will point it to city subdomain. Can we create subdomains on the fly in tomcat ?

Kiran, Can you try to re-phrase your question in terms which people without a crystal ball would understand ?

What is well conceived is clearly stated - And the words to say it come easily. L'Art poétique (1674) Nicolas Boileau-Despréaux
Re: seeking help with stabilizing the persistence of a JSESSIONID
On 03.09.2015 23:31, Christopher Schultz wrote:

Hardy,

On 9/3/15 2:32 PM, Pottinger, Hardy J. wrote:

Are you actually using HTTP Basic authentication? You may be configuring the wrong authenticator. (I know nothing about Shibboleth)

I'm using Apache HTTPD as a front-end (via mod_proxy) for Tomcat, since Shibboleth works (mostly) with Apache HTTPD. So, the authentication happens on the HTTPD side.

Are you using AJP or HTTP as your proxy protocol? If AJP, are you using tomcatAuthentication="false" on your ? I'm not exactly sure what happens when you do that... you might get a NonLoginAuthenticator. You could cause any error to occur in your application and then look at the stack trace to find out what kind of authenticator you got (the Valve will be in the stack trace).

I believe there may be some confusion here. The things to find out would be :

1) if *all* accesses to the application, go through httpd first. And if yes, by what mechanism does httpd proxy them to Tomcat ? (choices : mod_proxy_http / mod_proxy_ajp / mod_jk)

2) if yes to the above, then : does httpd do the authentication before proxying these calls to Tomcat ? (because if yes to both above, then the issue looks to be more at the httpd level, than at the Tomcat level)

In other words, it may be helpful to paste a copy of the httpd configuration here. (Do not attach it, paste it in (after removing anything irrelevant or confidential); the list strips most attachments).
Re: [somewhat OT] Undefined behaviour with Credential Handler
Hi. I have been following this thread loosely, and I have nothing about Tomcat authentication per se, but maybe now may be the moment to suggest another approach : why not use an Apache httpd as a front-end to Apache Tomcat, do the user authentication/authorization at the Apache httpd level (in almost whatever flavor known to man, and generally dictated by the customer circumstances more than by anything else), and pass to Tomcat requests which are already authenticated/authorized ? Apache httpd having been on the market a bit longer than Tomcat, and having a comparatively higher "market share" in terms of number of webserver installations, it has already acquired over time a very wide range of user authentication mechanisms, which Tomcat doesn't match yet, and will probably never match unless a lot of developer time is spent at just that aspect (never mind the developer time that has already been spent at it). Developer time which could probably be fruitfully spent at other more Tomcat- and Java-servlet-centric issues, rather than at duplicating what is already solved and heavily tested elsewhere. Installing and configuring Apache httpd as a front-end to Tomcat is fairly easy, fairly efficient in operation, and fairly frequent for real-world Tomcat sites, even if not always for authentication purposes per se. Adding user authentication/authorization to such a setup is almost trivial from an httpd point of view, and totally trivial from the Tomcat point of view (well, at least with AJP). And, it would stay in the big Apache free and open-source family. Re: https://en.wikipedia.org/wiki/Law_of_the_instrument and https://en.wikipedia.org/wiki/Overengineering I mean, from a human point of view, I understand the temptation for a Java developer, and for a Tomcat Java developer, to do everything in Java and in Tomcat rather than somewhere/somehow else. And I do recognise that in some use cases, one can not do otherwise. 
But at some point, the more bells and whistles you add to something, the heavier it becomes and the more resources are needed to develop, debug, document and maintain all that stuff. Isn't it so ?

On 10.09.2015 21:49, Sreyan Chakravarty wrote:

"Feel free to do that. You'll have to implement a lot of plumbing code yourself to use Apache Shiro. (It seems like Tomcat ought to support Shiro, eh? Maybe we should get together with them to build an out-of-the-box configurable component in Tomcat)."

Well I don't know that but you people could try making Tomcat Container managed security easier to use.

On Thu, Sep 10, 2015 at 9:16 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

Sreyan,

On 9/10/15 8:10 AM, Sreyan Chakravarty wrote:

Yes but that requires implementing your own credential handler.

Sorry, I thought you had implemented your own credential handler.

But the default one will still have the bug.

Oh, I was just suggesting that fix as something temporary until an updated version of Tomcat is released where this bug is fixed. The fix is trivial, so I have no doubt it will be in the next release.

Right now I am thinking of using an authentication framework like Apache Shiro.

Feel free to do that. You'll have to implement a lot of plumbing code yourself to use Apache Shiro. (It seems like Tomcat ought to support Shiro, eh? Maybe we should get together with them to build an out-of-the-box configurable component in Tomcat). -chris

On 9/9/15 12:50 PM, Sreyan Chakravarty wrote:

Well I guess now it's confirmed that it is a bug. Do you still need the code ?

No, I don't think I will. However, since you wrote your own CredentialHandler, you could merely patch it to check in the matches() method for null.
Something like this:

    @Override
    public boolean matches(String inputCredentials, String storedCredentials) {
        // No stored credentials for this user: nothing can match
        if (null == storedCredentials) return false;
        return matchesSaltIterationsEncoded(inputCredentials, storedCredentials);
    }

Then you can resume your testing. -chris

On Wed, Sep 9, 2015 at 8:55 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

Sreyan,

On 9/8/15 6:31 AM, Sreyan Chakravarty wrote:

Okay is if I have stored my password in my DB with SHA256 encryption, can the credential handler declared in the realm work if it is declared with SHA512 ?

No. SHA256 and SHA512 produce hashes of different sizes, so with the same input, they will always produce different outputs. https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions

As far as I know it must be same algorithm, salt and iterations for the hash to be matched perfectly.

Correct.

Now take my case-: Okay this my credential handler that I am using. In my DB the password is stored using PBEWITHHMACSHA384ANDAES_256. A completely different algorithm than the one specified before. So how come when I put in my user-id and password on my form-login page I
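The matching rule discussed in this message (same algorithm, salt and iterations, plus the null guard for a missing stored value), as an added Python model that is not Tomcat's code. It uses PBKDF2 from hashlib as a stand-in for the handler's algorithm and assumes a stored layout of hex salt, iteration count and hex hash separated by `$`; the function names mutate and matches are chosen here.

```python
import hashlib
import hmac
import os


def mutate(password, algorithm, iterations, salt=None):
    """Derive the stored form 'salt$iterations$hash' (hex fields) for a password."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac(algorithm, password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, derived.hex())


def matches(input_credentials, stored_credentials, algorithm):
    """Check a login attempt against the stored form, using the handler's algorithm."""
    # Unknown user: the lookup found no row, so there is nothing to compare with.
    if stored_credentials is None or input_credentials is None:
        return False
    parts = stored_credentials.split("$")
    if len(parts) != 3:
        return False
    try:
        salt = bytes.fromhex(parts[0])
        iterations = int(parts[1])
        expected = bytes.fromhex(parts[2])
    except ValueError:
        return False
    if iterations < 1:
        return False
    # Salt and iteration count come from the stored value. In this assumed
    # layout the algorithm is NOT recorded there: it comes from configuration,
    # so a handler configured differently from the one that wrote the row
    # derives a different value and every login fails.
    derived = hashlib.pbkdf2_hmac(algorithm, input_credentials.encode(), salt, iterations)
    # Constant-time comparison; inputs of different length simply do not match.
    return hmac.compare_digest(derived, expected)


def demo():
    salt = bytes(range(16))  # constructed fixed salt, so the demo is repeatable
    stored = mutate("tiger", "sha256", 1000, salt)
    return {
        "same_settings": matches("tiger", stored, "sha256"),
        "handler_on_sha512": matches("tiger", stored, "sha512"),
        "wrong_password": matches("lion", stored, "sha256"),
        "no_stored_value": matches("tiger", None, "sha256"),
        "malformed_row": matches("tiger", "not-a-valid-row", "sha256"),
        "hash_hex_lengths": (
            len(stored.split("$")[2]),
            len(mutate("tiger", "sha512", 1000, salt).split("$")[2]),
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```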
Re: heap thrashing
On 11.09.2015 16:43, Leo Donahue wrote:

On Fri, Sep 11, 2015 at 9:36 AM, Leo Donahue wrote:

Good day, I see this topic come up from time to time on the list. Can someone point me to what heap thrashing looks like? Googled java heap thrashing and looked at the images, but there isn't much to look at. I also tried googling for ventricular tachycardia to see if I could find a similar graph - it's close to what I'm seeing in VisualVM, but not quite. Is heap thrashing a very "closely spaced" saw tooth pattern? Leo

This is about as close as I can find that is similar to what I'm seeing. On the left side of the graph, imagine the spacing so close together that it looks like a solid blue read out in the monitor. When I stop the webapp, the jvm adjusts itself back to normal. It's only during servicing requests that I see the very closely spaced pattern. http://i.stack.imgur.com/B9oPL.png

What about a GC log with timestamps ?
Re: TC Connector IIS .41 build not running on windows 2012
Thanks for providing the solution, as well as the question. Is this something that should be added to some documentation on the Tomcat website ? Or is it already there and you just overlooked it ?

On 15.09.2015 19:30, Thomas, Stuart wrote:

The server simply needs to the C++ Redistributable for VS - answer is to install this on the server: http://www.microsoft.com/en-us/download/details.aspx?id=48145 Now it makes sense why it worked locally and not on the server.

-Original Message- Sent: Saturday, September 12, 2015 10:38 AM To: users@tomcat.apache.org Subject: TC Connector IIS .41 build not running on windows 2012

I did a build from source using MS Blend for VS. I copied x86 settings to x64 and my .41 build runs like a charm on Win7 64bit IIS 7.5 - but does not run on windows 2012 IIS 8.5. Is there anything I should be doing differently to build for IIS 8.5?
Re: Question on autoDeploy=true + editing conf/context.xml
On 15.09.2015 20:11, Felipe Jaekel wrote:

Hi, I use parallel deployment, so I set *autoDeploy=true* to enable newer versions of webapps as soon as they are deployed, but if I edit *conf/context.xml*, I'd like that Tomcat 7.0.62 did not restart automatically. Is it possible?

Just a comment from a not-Tomcat-developer : According to a comment in the file (tomcat_dir)/conf/context.xml : and it seems that this very file, is telling Tomcat which webapp resource to watch for changes, in relation to the applications that may need to be reloaded/restarted : WEB-INF/web.xml

So to me, it does make sense, if someone changes conf/context.xml, to restart the whole Tomcat, to take into account such a possible change to the very thing that controls the detection of a change in all applications. Which is probably the basic reason why it is so. No ?

A further question would be : what is the "use case" for modifying the global conf/context.xml while Tomcat is running ?
Re: heap thrashing
On 11.09.2015 18:24, Caldarale, Charles R wrote:

From: Leo Donahue [mailto:donahu...@gmail.com] Subject: Re: heap thrashing

I see this topic come up from time to time on the list. Can someone point me to what heap thrashing looks like? Is heap thrashing a very "closely spaced" saw tooth pattern?

Should have mentioned that "heap thrashing" does not have a strict definition. Often, it's used to describe the heap itself expanding and contracting in a cyclic manner. This is most easily avoided by setting the min and max heap size limits to the same value. What you have appears to be just very rapid object creation and garbage collection. Using a larger heap (if you have the RAM for it) could help to reduce the frequency of collections. Fixing the webapp to not consume so much space would be better, of course. - Chuck

In terms of looking at the webapp code which may generate that kind of behaviour, while searching for an example on the www, I came across this blog post : http://steve-yegge.blogspot.de/2006/03/execution-in-kingdom-of-nouns.html Independently of what one may think about the author's opinions and treatment of the matter, I find the prose beautiful and witty. The pseudo-java code example is of course tongue-in-cheek and contrived, but I have seen similar code in the real world, and it would probably produce the kind of phenomenon which Leo is seeing.
Re: Tomcat 8 reliability/performance on Windows 2008 R2 Server vs. RHEL/CentOS
On 30.09.2015 22:23, Jason Britton wrote:

Hello Good People - We currently have multiple Tomcat instances deployed on RHEL in production with no issues but I am getting asked why we shouldn't migrate everything to run on Windows 2008 R2 Server instead. My stomach churns at the thought but I am looking for more concrete information about why this could be problematic vs. running Tomcat on RHEL/CentOS. My gut says far more Tomcat deployments in production are done on top of Linux based OS's vs. Windows. Any thoughts on making an argument for one OS vs another in deploying Tomcat 8? Thanks for your thoughts,

This looks like the ideal start for some holy war. Maybe you (not me) could argue that Tomcat being an Open-Source, free software, would undoubtedly feel more comfortable and cushy living inside a platform that is like him, open-source and free ? (Whilst being perfectly able to run under Windows and other platforms, for being a versatile multi-platform Java application, it may nevertheless always feel a bit like a not-so-well integrated immigrant there).

More seriously (and considering that you seem to express a slight personal preference for the one vs the other) : The main difference for Tomcat itself is probably going to be in
- what kind of hardware would Tomcat be running on in either case ?
- how stable is the Java JVM which actually runs the Tomcat java code, in either case ?

But you may also want to give a thought to everything else, apart from Tomcat and around it, which is currently installed and running on your current platform, and whether the equivalent exists on the other platform. It may well be for example, that some auxiliary product of which you are currently using the open-source and free version, is not available on the other platform, or available only in a different and/or non-free version.

You may also want to consider how you are currently supporting/maintaining your Tomcat and its applications.
If you are using Linux/shell-based tools, that may be more difficult under Windows, and/or require other tools. If that system is remote with reference to the people supporting/maintaining it, you may also want to investigate what kind of access tools you would have to a Windows platform. In my experience for instance, accessing these platforms via SSH/SCP/SFTP requires some serious non-standard setup. Also an access via Remote Desktop (almost the standard when talking about a Windows server), will require a VPN for working correctly, and even then any file transfers are likely to be much more of a hassle than with a Linux platform. For example, the file drag-and-drop feature via Remote Desktop, is kind of neat graphically, but in the principle often turns out to be abysmally slow. (And of course that works only if your own station is Windows).

You may also want to give a thought to who else (apart from yourself presumably) is going to provide the support for the platform in question and its OS, and its integration in the big scheme of things. Quite often in my experience, the teams in charge of each kind of platform are different. Quite often also, they have a different focus and different sets of skills.

You may also be interested in finding out what kind of global security and other policies apply to this other platform. Who for example enjoys admin rights to it, and/or how easy it is to obtain such rights when needed for installation-support-maintenance purposes ? There may also be global policies regarding allowed and/or mandatory software updates and patches, different per platform type. And there might be policies regarding mandatory usage of auxiliary things, such as virus scanners and the like.

Enough yet ?

P.S. In my line of business, we install and support our applications remotely on both kinds of platforms, and occasionally we move ditto applications from the one to the other at the customer's request.
(In the IT world, there are also fashions, which come and go). Such moves are never to be considered lightly, even when you might think at first that being purely Tomcat and purely Java, it should not be an issue. It usually is an issue, for the simple fact that over time, you have probably gotten used to the one platform and its tools and quirks, and you have probably accumulated a lot of peripheral stuff that is not really multi-platform hanging around, which you initially forget about because you have gotten so used to it. So whatever you end up having to do (many times you don't get to choose), make sure that you and whoever else is concerned, at least have realistic expectations about the time and effort it takes to move. It is not that the one platform is necessarily better or worse than the other. It is the fact that they are *different*, and because of that a lot of things around them are different too.
Re: [OT] loading images through a Servlet
On 02.10.2015 12:44, Bill Ross wrote: Whether or not I have masked the file name in the header properly, which I can't verify easily Oh yes you can. Mozilla Firefox, plugins, Web Developer, HttpFox. click and open in its own window. click start then get your page (in the main window) then go back to the HttpFox window, click on a line and use the various views available to see exactly what the browser has sent, and what the server returned (headers and all). but believe is working, I have definitely masked the name in the URL and protected myself against later downloads: HTTP ERROR 404 Problem accessing /images/_ewjMC3. Reason: Not Found While on the server side: ...TagResourceServlet - DANGER OLD HASH ATTACK ... Will the fame and money just arrive? I'll settle for 6 month's salary (that's how long I've been working on my own unpaid :-) You may want to refine your scheme a tad, thinking of the robots (Google etc) which will be exploring your site. You don't want to be swamped by DANGER messages above for trivial cases (nor communicate their IP to the XXX sites). Other than that, your scheme looks nice to me so far. Original message From: "André Warnier (tomcat)" <a...@ice-sa.com> Date:10/02/2015 2:46 AM (GMT-08:00) To: users@tomcat.apache.org Subject: Re:[OT] loading images through a Servlet On 02.10.2015 11:39, Bill Ross wrote: And if I find anyone hitting me with unknown or aged-out hashes I will report their IP addresses to porn sites so they can be blocked there as well. This honeypot activity could be an alternate source of income, if I hadn't just disclosed the method :-) Never mind that. If you have actually found an innovative solution to the "browser-knows-all-anyway" conundrum, much bigger fame (and income) awaits you. Bill Original message From: Bill Ross <r...@cgl.ucsf.edu> Date:10/02/2015 2:04 AM (GMT-08:00) To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: loading images through a Servlet Thanks Andre for the well-considered reply. 
To Thad - thanks, I also asked on stackoverflow after here. I believe I have solved the obfuscation problem independent of the javascript issue. What I just got working is logically: img.src = "/images/" + /servlet/getnext(params) Where I now have a Servlet at /images that serves the file, thanks to a generous coder at stackoverflow. I'll post the nicely designed code here if anyone wants. I am adding a table to map random hashes to file names. I'll insert there and have getnext() return the hash instead of the file name. The new Servlet I just added will look up the hash, check the age of the record and refuse it if older than a second, and then serve up the mapped file from the filesystem with current date and some flippant random file name in the headers. So as far as I can see, the only thing not obfuscated is the image itself and my ego, which is harmless here. I can think of even more hare-brained schemes where for instance some Ajax function of yours could open a websocket connection to the server, and receive a stream of image objects from the server over that single connection and "plug" them into the page as appropriate. But any kind of thing like that would start to deviate seriously from standard practices, and need a serious effort of development and debugging before it could be considered as "production-level". This is exactly what I was fishing for, and I thought maybe it had been solved in some javascript library. P.S. and if you really want to know how to display tons of images fast, I suggest that you have a look (in a manner of speaking of course) at some of those many XXX websites. They /must/ have ways to do this efficiently.. Maybe I will be selling to them :-) Thinking of my slideshow app overall. Bill On 10/2/2015 1:16 AM, André Warnier (tomcat) wrote: On 01.10.2015 23:52, Bill Ross wrote: Please let me know if there is a better place to ask Servlet/javascript interface questions. For the javascript part, there are probably better places. 
But the people here are awesome, so it's worth giving it a try. For the servlet side of it, this /is/ probably one of the best places. But let's start with javascript : First a general principle : if you are thinking about security or any form of obfuscation in the face of a determined and competent client, basically forget it. To get an image or anything else from a server, the browser (or else), has to know how to get it, so you need to send it that information. And once the server sends any information to the client, it is no longer under your control, because the browser (or other program, such as curl and the like) is under total control of the client (user). So, as long as /that/ is not your ultimate purpose, I have a slide show web page that does the logical equivalent of: var img = ne
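The hash-to-file-name table described in this message, as an added Python example that is not the poster's servlet code. An in-memory dict stands in for the database table; the single-use rule, the retention period, the status names and the file names are assumptions made here. Separate statuses let the server log tell an aged-out link (as a crawler would produce) from a token that was never issued.

```python
import secrets
import time


class ImageTokenTable:
    """In-memory stand-in for the table that maps random hashes to file names."""

    def __init__(self, max_age=1.0, retention=60.0, clock=time.monotonic):
        self.max_age = max_age        # seconds a token stays valid (one second in the post)
        self.retention = retention    # assumed: how long old rows are kept for classification
        self.clock = clock
        self.rows = {}                # token -> [file_name, issued_at, used]

    def issue(self, file_name):
        """The 'getnext' side: hand out an unguessable token instead of the name."""
        token = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self.rows[token] = [file_name, self.clock(), False]
        return token

    def redeem(self, token):
        """The /images side. Returns (status, file_name or None)."""
        row = self.rows.get(token)
        if row is None:
            return "unknown", None          # never issued, or already purged
        file_name, issued_at, used = row
        if self.clock() - issued_at > self.max_age:
            return "expired", None          # aged out: typical of crawlers and reloads
        if used:
            return "replayed", None         # second fetch inside the window
        row[2] = True
        return "ok", file_name

    def purge(self):
        """Drop rows older than the retention period; returns how many were removed."""
        cutoff = self.clock() - self.retention
        stale = [t for t, row in self.rows.items() if row[1] < cutoff]
        for t in stale:
            del self.rows[t]
        return len(stale)


class FakeClock:
    """Deterministic clock so the demo does not depend on real time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    table = ImageTokenTable(clock=clock)
    t1 = table.issue("beach_0042.jpg")      # constructed file names
    first = table.redeem(t1)
    second = table.redeem(t1)
    t2 = table.issue("hills_0007.jpg")
    clock.advance(1.5)
    late = table.redeem(t2)
    guess = table.redeem("not-an-issued-token")
    clock.advance(120)
    purged = table.purge()
    return first, second, late, guess, purged


if __name__ == "__main__":
    print(demo())
```

The token hides the file name and limits link reuse; the image bytes still reach the client, which is the basic principle stated in the thread.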
Re: loading images through a Servlet
On 01.10.2015 23:52, Bill Ross wrote: Please let me know if there is a better place to ask Servlet/javascript interface questions. For the javascript part, there are probably better places. But the people here are awesome, so it's worth giving it a try. For the servlet side of it, this /is/ probably one of the best places. Since you are asking nicely, let's start with javascript : First a general principle : if you are thinking about security or any form of obfuscation in the face of a determined and competent client, basically forget it. To get an image or anything else from a server, the browser (or else), has to know how to get it, so you need to send it that information. And once the server sends any information to the client, it is no longer under your control, because the browser (or other program, such as curl and the like) is under total control of the client (user). So, as long as /that/ is not your ultimate purpose, I have a slide show web page that does the logical equivalent of: var img = new Image(); img.src = "/images/" + /servlet/getnextfile(params) img.[onload]: document["image"].src = img.src; resizeImage(); Rather than using the 'getnextfile' servlet to get a file name and then load it, I would like to have getnextfile return a stream of bytes from the database which seems feasible (streaming a BLOB I assume), but I don't know how to receive that into an Image (which wouldn't have 'src' set - ?). Have a look here : http://www.w3schools.com/jsref/dom_obj_image.asp The javascript DOM "img" object does not seem to have any callable method by which it can retrieve its own image content. The only way to have it retrieve that content, is by changing its "src" property. This you can do, and it will apparently refresh its own image by itself when you do. But the "src" property has to be set to a URL, so it "retrieves itself" by making a HTTP call to the server.. chicken and egg kind of thing. 
In a form of obfuscation, you could try to set the "src" property to something like 'javascript: retrieve_image("some id")' (Note: I haven't tried this), and then have this "retrieve_image()" function be something in one of your javascript libraries, which would in turn retrieve the image from the server, in a way less visible to the casual script kiddie. (So in a way, you would be creating your own little internal HTTP forward proxy server). But do not forget that the browser first has to receive that javascript library from the server, so it has it, and the person controlling the browser can see it, and turn it off at will or modify it to do anything he wants; see basic principle above. In a more sophisticated way, you can probably add a custom method to the img objects on the page (see jquery for that kind of thing), so that you can have them change their own src property and retrieve their content in a less-immediately visible way. But again, basic principle above. One motivation is to reduce the round trips to the server for faster response time. You still have to retrieve each image from the server, which in HTTP 1.1, means one request/response per image. So I do not believe that you can gain much on that side. Also, over quite a long period by now, as well browsers as webservers have been both well-debugged and optimised to death, to respectively retrieve and serve "things" using the "normal" HTTP methods (think of caching on both sides, and content compression), and avoid introducing security holes in the process (*). Anything that you would do yourself is likely in the end to be even less optimised and secure. (This is not to discourage innovation of course. You might after all still invent a better mousetrap). Maybe also read this : https://en.wikipedia.org/wiki/HTTP/2 (*) yes, I know, successive IE versions are kind of a counter-example to that statement. Another motivation is to keep the filename from the user. Basic principle again. 
Anyone who installs the "Web Developer" plugin into his Mozilla browser, can ultimately find out anything about anything that is part of the page shown in the browser. I can think of even more hare-brained schemes where for instance some Ajax function of yours could open a websocket connection to the server, and receive a stream of image objects from the server over that single connection and "plug" them into the page as appropriate. But any kind of thing like that would start to deviate seriously from standard practices, and need a serious effort of development and debugging before it could be considered as "production-level". So the question would be : is it worth it ? (but then again, HTTP 2 ?) P.S. and if you really want to know how to display tons of images fast, I suggest that you have a look (in a manner of speaking of course) at some of those many XXX websites. They /must/ have ways to do this efficiently.. ;-)
Re:[OT] loading images through a Servlet
On 02.10.2015 11:39, Bill Ross wrote: And if I find anyone hitting me with unknown or aged-out hashes I will report their IP addresses to porn sites so they can be blocked there as well. This honeypot activity could be an alternate source of income, if I hadn't just disclosed the method :-) Never mind that. If you have actually found an innovative solution to the "browser-knows-all-anyway" conundrum, much bigger fame (and income) awaits you. Bill Original message From: Bill Ross <r...@cgl.ucsf.edu> Date:10/02/2015 2:04 AM (GMT-08:00) To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: loading images through a Servlet Thanks Andre for the well-considered reply. To Thad - thanks, I also asked on stackoverflow after here. I believe I have solved the obfuscation problem independent of the javascript issue. What I just got working is logically: img.src = "/images/" + /servlet/getnext(params) Where I now have a Servlet at /images that serves the file, thanks to a generous coder at stackoverflow. I'll post the nicely designed code here if anyone wants. I am adding a table to map random hashes to file names. I'll insert there and have getnext() return the hash instead of the file name. The new Servlet I just added will look up the hash, check the age of the record and refuse it if older than a second, and then serve up the mapped file from the filesystem with current date and some flippant random file name in the headers. So as far as I can see, the only thing not obfuscated is the image itself and my ego, which is harmless here. I can think of even more hare-brained schemes where for instance some Ajax function of yours could open a websocket connection to the server, and receive a stream of image objects from the server over that single connection and "plug" them into the page as appropriate. 
But any kind of thing like that would start to deviate seriously from standard practices, and need a serious effort of development and debugging before it could be considered as "production-level". This is exactly what I was fishing for, and I thought maybe it had been solved in some javascript library. P.S. and if you really want to know how to display tons of images fast, I suggest that you have a look (in a manner of speaking of course) at some of those many XXX websites. They /must/ have ways to do this efficiently.. Maybe I will be selling to them :-) Thinking of my slideshow app overall. Bill On 10/2/2015 1:16 AM, André Warnier (tomcat) wrote: On 01.10.2015 23:52, Bill Ross wrote: Please let me know if there is a better place to ask Servlet/javascript interface questions. For the javascript part, there are probably better places. But the people here are awesome, so it's worth giving it a try. For the servlet side of it, this /is/ probably one of the best places. But let's start with javascript : First a general principle : if you are thinking about security or any form of obfuscation in the face of a determined and competent client, basically forget it. To get an image or anything else from a server, the browser (or else), has to know how to get it, so you need to send it that information. And once the server sends any information to the client, it is no longer under your control, because the browser (or other program, such as curl and the like) is under total control of the client (user). 
So, as long as /that/ is not your ultimate purpose, I have a slide show web page that does the logical equivalent of: var img = new Image(); img.src = "/images/" + /servlet/getnextfile(params) img.[onload]: document["image"].src = img.src; resizeImage(); Rather than using the 'getnextfile' servlet to get a file name and then load it, I would like to have getnextfile return a stream of bytes from the database which seems feasible (streaming a BLOB I assume), but I don't know how to receive that into an Image (which wouldn't have 'src' set - ?). Have a look here : http://www.w3schools.com/jsref/dom_obj_image.asp The javascript DOM "img" object does not seem to have any callable method by which it can retrieve its own image content. The only way to have it retrieve that content, is by changing its "src" property. This you can do, and it will apparently refresh its own image by itself when you do. But the "src" property has to be set to a URL, so it "retrieves itself" by making a HTTP call to the server.. chicken and egg kind of thing. In a form of obfuscation, you could try to set the "src" property to something like 'javascript: retrieve_image("some id")' (Note: I haven't tried this), and then have this "retrieve_image()" function be something in one of your javascript libraries, which would in turn retrieve the image from the server, in a way less visible to the casual script kidd
Re: loading images through a Servlet
Chris, you're kind of breaking down an open door here. Bill was already at the stage of congratulating himself and dreaming of his retirement plan, following his discovery of a brilliant and innovative solution. Better to start from the beginning of the thread.. On 02.10.2015 16:30, Christopher Schultz wrote: Bill, On 10/2/15 5:04 AM, Bill Ross wrote: Thanks Andre for the well-considered reply. To Thad - thanks, I also asked on stackoverflow after here. I believe I have solved the obfuscation problem independent of the javascript issue. What I just got working is logically: img.src = "/images/" + /servlet/getnext(params) Where I now have a Servlet at /images that serves the file, thanks to a generous coder at stackoverflow. I'll post the nicely designed code here if anyone wants. Why not just use the DefaultServlet... that's what its job already is. Or, do you need an image from a database or whatever? I am adding a table to map random hashes to file names. I'll insert there and have getnext() return the hash instead of the file name. The new Servlet I just added will look up the hash, check the age of the record and refuse it if older than a second, and then serve up the mapped file from the filesystem with current date and some flippant random file name in the headers. You could do your security-checking, and then simply forward() to the resource, then let the DefaultServlet actually serve the bytes. That allows you to use range-requests, etags, if-modified-since, and all that other good stuff. So as far as I can see, the only thing not obfuscated is the image itself and my ego, which is harmless here. What do you need to obfuscate? I can think of even more hare-brained schemes where for instance some Ajax function of yours could open a websocket connection to the server, and receive a stream of image objects from the server over that single connection and "plug" them into the page as appropriate. 
But any kind of thing like that would start to deviate seriously from standard practices, and need a serious effort of development and debugging before it could be considered as "production-level". This is exactly what I was fishing for, and I thought maybe it had been solved in some javascript library. Do you need the image to be in an Image object, or do you want to put it into an <img> on the screen? If the latter, just change the value of the 'src' of the <img> and the browser will re-load the image from the server. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: loading images through a Servlet
On 01.10.2015 23:52, Bill Ross wrote: Please let me know if there is a better place to ask Servlet/javascript interface questions. For the javascript part, there are probably better places. But the people here are awesome, so it's worth giving it a try. For the servlet side of it, this /is/ probably one of the best places. But let's start with javascript : First a general principle : if you are thinking about security or any form of obfuscation in the face of a determined and competent client, basically forget it. To get an image or anything else from a server, the browser (or else), has to know how to get it, so you need to send it that information. And once the server sends any information to the client, it is no longer under your control, because the browser (or other program, such as curl and the like) is under total control of the client (user). So, as long as /that/ is not your ultimate purpose, I have a slide show web page that does the logical equivalent of: var img = new Image(); img.src = "/images/" + /servlet/getnextfile(params) img.[onload]: document["image"].src = img.src; resizeImage(); Rather than using the 'getnextfile' servlet to get a file name and then load it, I would like to have getnextfile return a stream of bytes from the database which seems feasible (streaming a BLOB I assume), but I don't know how to receive that into an Image (which wouldn't have 'src' set - ?). Have a look here : http://www.w3schools.com/jsref/dom_obj_image.asp The javascript DOM "img" object does not seem to have any callable method by which it can retrieve its own image content. The only way to have it retrieve that content, is by changing its "src" property. This you can do, and it will apparently refresh its own image by itself when you do. But the "src" property has to be set to a URL, so it "retrieves itself" by making a HTTP call to the server.. chicken and egg kind of thing. 
In a form of obfuscation, you could try to set the "src" property to something like 'javascript: retrieve_image("some id")' (Note: I haven't tried this), and then have this "retrieve_image()" function be something in one of your javascript libraries, which would in turn retrieve the image from the server, in a way less visible to the casual script kiddie. But do not forget that the browser first has to receive that javascript library from the server, so it has it, and the person controlling the browser can see it, and turn it off at will or modify it to do anything he wants; see basic principle above. In a more sophisticated way, you can probably add a custom method to the img objects on the page (see jquery for that kind of thing), so that you can have them change their own src property and retrieve their content in a less-immediately visible way. But again, refer to basic principle above. One motivation is to reduce the round trips to the server for faster response time. Basically, you still have to retrieve the image from the server, so I do not believe that you will gain much on that side. Also, over quite a long period by now, as well browsers as webservers have been both well-debugged and optimised to death, to respectively retrieve and serve "things" using the "normal" HTTP methods (think of caching e.g., on both sides, and content compression), and avoid introducing security holes in the process (*). Anything that you would do yourself is likely in the end to be even less optimised and secure. (This is not to discourage innovation of course. You might after all still invent a better mousetrap). (*) yes, I know, successive IE versions are kind of a counter-example to that statement. Another motivation is to keep the filename from the user. See basic principle. Anyone who installs the "web developer" plugin into his Mozilla browser, can ultimately find out anything about anything that is part of the page shown in the browser. 
I can think of even more hare-brained schemes where for instance some Ajax function of yours could open a websocket connection to the server, and receive a stream of image objects from the server over that single connection and "plug" them into the page as appropriate. But any kind of thing like that would start to deviate seriously from standard practices, and need a serious effort of development and debugging before it could be considered as "production-level". So the question would be : is it worth it ? P.S. and if you really want to know how to display tons of images fast, I suggest that you have a look (in a manner of speaking of course) at some of those many XXX websites. They /must/ have ways to do this efficiently..
Re: loading images through a Servlet
On 02.10.2015 17:04, Christopher Schultz wrote: André, On 10/2/15 10:38 AM, André Warnier (tomcat) wrote: Chris, you're kind of breaking down an open door here. Bill was already at the stage of congratulating himself and dreaming of his retirement plan, following his discovery of a brilliant and innovative solution. Better to start from the beginning of the thread.. Yep, I read the whole thread. I don't think this is a million-dollar idea. If it was, I would never have gone to college, having written one of these for a client while I was in high school. In my case, it was a CGI that counted hits to an image whilst simultaneously serving that image. No security or anything like that, but the "security" in Bill's case is just a proxy for "do something first, then serve an image". It is a bit more than that, though : a user cannot, for example, save the html page containing the images, and then reload it later, and still get the images with the same image links, because they will have "expired". Neither can one of these image links simply be copied to a friend in an email, and still work for the friend. He also gets a specific action triggered when someone attempts this. It is not something infinitely scalable (the server-side hashtable would get quite large), but it is a relatively simple scheme, usable in quite a number of scenarios. I'm suggesting that Bill can focus on his "do something first" task and delegate the serving of bytes to a tool more appropriate for the task: the DefaultServlet. I would agree with you, except that at some point Bill mentioned serving the image content out of a database blob. That's something the Default Servlet couldn't do.
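The scheme discussed in this thread (a random token mapped to a file name and refused once older than a second), sketched as an added example that is not Bill's servlet or any poster's code. The class and method names are hypothetical, and single-use redemption, the purge step and the header choices are assumptions added to bound the server-side table André mentions and to keep the file name out of the response headers.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Added example (hypothetical names): short-lived, single-use tokens that replace file names in image URLs. */
public class ImageTokenStore {

    /** What the server remembers for each token it has handed out. */
    private static final class Entry {
        final String fileName;
        final Instant issuedAt;

        Entry(String fileName, Instant issuedAt) {
            this.fileName = fileName;
            this.issuedAt = issuedAt;
        }
    }

    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration maxAge;

    public ImageTokenStore(Duration maxAge) {
        this.maxAge = maxAge;
    }

    /** getnext() side: map a fresh 128-bit random token to the file and return the token. */
    public String issue(String fileName, Instant now) {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        entries.put(token, new Entry(fileName, now));
        return token;
    }

    /**
     * /images side: resolve a token to its file name.
     * remove() is atomic, so a token works at most once (an assumption; the thread only asks for the age check).
     * Unknown, reused and expired tokens all yield empty, which a servlet would answer with a 404.
     */
    public Optional<String> redeem(String token, Instant now) {
        Entry entry = entries.remove(token);
        if (entry == null) {
            return Optional.empty();
        }
        if (Duration.between(entry.issuedAt, now).compareTo(maxAge) > 0) {
            return Optional.empty();
        }
        return Optional.of(entry.fileName);
    }

    /** Periodic cleanup of tokens that were never redeemed; returns how many were dropped. */
    public int purgeExpired(Instant now) {
        Instant cutoff = now.minus(maxAge);
        int before = entries.size();
        entries.values().removeIf(e -> e.issuedAt.isBefore(cutoff));
        return before - entries.size();
    }

    /** Response headers that name the token, never the stored file (no ETag or filename built from it). */
    public static Map<String, String> headersFor(String token, String fileName, long length) {
        String lower = fileName.toLowerCase(Locale.ROOT);
        String type = lower.endsWith(".png") ? "image/png"
                : lower.endsWith(".gif") ? "image/gif"
                : "image/jpeg";
        String ext = type.substring(type.indexOf('/') + 1); // png, gif or jpeg
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Type", type);
        headers.put("Content-Length", Long.toString(length));
        headers.put("Content-Disposition", "inline; filename=\"" + token + "." + ext + "\"");
        headers.put("Cache-Control", "no-store");
        return headers;
    }

    public static void main(String[] args) {
        ImageTokenStore store = new ImageTokenStore(Duration.ofSeconds(1));
        Instant t0 = Instant.parse("2015-10-02T09:04:00Z"); // constructed timestamp

        String fresh = store.issue("resized_2_33068.jpg", t0);
        System.out.println("fresh:   " + store.redeem(fresh, t0.plusMillis(200)));
        System.out.println("replay:  " + store.redeem(fresh, t0.plusMillis(300)));

        String stale = store.issue("resized_2_33068.jpg", t0);
        System.out.println("stale:   " + store.redeem(stale, t0.plusSeconds(5)));
        System.out.println("unknown: " + store.redeem("_ewjMC3", t0));

        store.issue("resized_2_33068.jpg", t0); // issued but never fetched
        System.out.println("purged:  " + store.purgeExpired(t0.plusSeconds(60)));
        System.out.println(headersFor(fresh, "resized_2_33068.jpg", 157896L));
    }
}
```

After a successful redeem the servlet can stream the bytes itself or forward() to the DefaultServlet as suggested in the thread; the image content remains fully visible to the client either way.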
Re: AW: Problems to configure tomcat as windows service
On 02.10.2015 17:12, Arno Schäfer wrote: Thanks for the hint Aurélien, there *maybe is* documentation about this, see question & comments from Konstantin Kolinko in http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html but I asked this question, because I recognize, that it didn't work like it is described, but in version 6 the description was the same and it has worked. Maybe it is not only the version of Tomcat that has changed, but also the machine/OS on which you do this ? Maybe the user under which you execute this command does not have the required privileges, at OS level on this machine, to do this ? Maybe the user-id *to* which you are trying to set the Tomcat service, does not have enough privileges to "run as a Service" ? (In the services.msc applet, it would ask you interactively to grant these privileges first, but maybe the command-line tool cannot do that). (I am not really a Windows OS specialist, but I have seen variations of the above kind of issues previously)
Re: Problems to configure tomcat as windows service
On 02.10.2015 16:36, Arno Schäfer wrote: Hi all, using tomcat 7.0.54 on Windows 8.1 64 Bit system, I encounter the problem, that I can not configure a user/password with the tomcat7.exe utility. I run this as a local administrator in a DOS box with a valid user and password it returned with errorlevel 0, but the user was not set in the service settings. What can be the reason for this? The same solution run before in a tomcat 6 environment with no problems and I recognize no changes in the documentation in this area. Hi. What exactly /is/ the problem ? - that you cannot change the user-id under which it runs (which by default should be something like LocalService) ? - or that you can change it, but then it crashes when you run it ? If the last, then one more question : does your Tomcat or any of its applications need access to any network shared directory ?
Re: [OT] loading images through a Servlet
On 02.10.2015 21:18, Bill Ross wrote: Installed FF, HttpFox wasn't installed, installed it but it doesn't show up under developer tools, but I found something and here are my headers:

HTTP/1.1 200 OK
Etag: W/"resized_2_33068.jpg-1443146350159"
Last-Modified: Fri, 25 Sep 2015 01:59:10 GMT [random time in past 22.32455 days]
Expires: Sun, 01 Nov 2015 19:12:45 GMT
Content-Type: image/jpeg
Content-Disposition: inline;filename="resized_2_33068.jpg"; filename*=UTF-8''resized_2_33068.jpg

isn't that a giveaway still ?

Content-Length: 157896
Server: Jetty(9.3.4-SNAPSHOT)

Bill On 10/2/2015 7:17 AM, André Warnier (tomcat) wrote: On 02.10.2015 12:44, Bill Ross wrote: Whether or not I have masked the file name in the header properly, which I can't verify easily Oh yes you can. Mozilla Firefox, plugins, Web Developer, HttpFox. click and open in its own window. click start then get your page (in the main window) then go back to the HttpFox window, click on a line and use the various views available to see exactly what the browser has sent, and what the server returned (headers and all). but believe is working, I have definitely masked the name in the URL and protected myself against later downloads: HTTP ERROR 404 Problem accessing /images/_ewjMC3. Reason: Not Found While on the server side: ...TagResourceServlet - DANGER OLD HASH ATTACK ... Will the fame and money just arrive? I'll settle for 6 months' salary (that's how long I've been working on my own unpaid :-) You may want to refine your scheme a tad, thinking of the robots (Google etc) which will be exploring your site. You don't want to be swamped by DANGER messages above for trivial cases (nor communicate their IP to the XXX sites). Other than that, your scheme looks nice to me so far. 
Original message From: "André Warnier (tomcat)" <a...@ice-sa.com> Date:10/02/2015 2:46 AM (GMT-08:00) To: users@tomcat.apache.org Subject: Re:[OT] loading images through a Servlet On 02.10.2015 11:39, Bill Ross wrote: And if I find anyone hitting me with unknown or aged-out hashes I will report their IP addresses to porn sites so they can be blocked there as well. This honeypot activity could be an alternate source of income, if I hadn't just disclosed the method :-) Never mind that. If you have actually found an innovative solution to the "browser-knows-all-anyway" conundrum, much bigger fame (and income) awaits you. Bill Original message From: Bill Ross <r...@cgl.ucsf.edu> Date:10/02/2015 2:04 AM (GMT-08:00) To: Tomcat Users List <users@tomcat.apache.org> Subject: Re: loading images through a Servlet Thanks Andre for the well-considered reply. To Thad - thanks, I also asked on stackoverflow after here. I believe I have solved the obfuscation problem independent of the javascript issue. What I just got working is logically: img.src = "/images/" + /servlet/getnext(params) Where I now have a Servlet at /images that serves the file, thanks to a generous coder at stackoverflow. I'll post the nicely designed code here if anyone wants. I am adding a table to map random hashes to file names. I'll insert there and have getnext() return the hash instead of the file name. The new Servlet I just added will look up the hash, check the age of the record and refuse it if older than a second, and then serve up the mapped file from the filesystem with current date and some flippant random file name in the headers. So as far as I can see, the only thing not obfuscated is the image itself and my ego, which is harmless here. 
I can think of even more hare-brained schemes where for instance some Ajax function of yours could open a websocket connection to the server, and receive a stream of image objects from the server over that single connection and "plug" them into the page as appropriate. But any kind of thing like that would start to deviate seriously from standard practices, and need a serious effort of development and debugging before it could be considered as "production-level". This is exactly what I was fishing for, and I thought maybe it had been solved in some javascript library. P.S. and if you really want to know how to display tons of images fast, I suggest that you have a look (in a manner of speaking of course) at some of those many XXX websites. They /must/ have ways to do this efficiently.. Maybe I will be selling to them :-) Thinking of my slideshow app overall. Bill On 10/2/2015 1:16 AM, André Warnier (tomcat) wrote: On 01.10.2015 23:52, Bill Ross wrote: Please let me know if there is a better place to ask Servlet/javascript interface questions. For the javascript part, there are probably better places. But the people here are awesome, so it's worth giving it a try. For the servlet side of it, this /is/ probably one of the best places. But let's start
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
On 28.09.2015 18:09, Christopher Schultz wrote: ... Not sure on this, as AJP is quite handy. Especially load balancing java webapps and I find mod_jk quite good at this. Remember, it's not mod_jk doing the load-balancing, it's Apache httpd. mod_jk is simply providing the channel over which the proxying is being done. I don't think that's true. In the case of mod_proxy_ajp, it is mod_proxy and mod_proxy_balancer who do the load-balancing. But mod_proxy* are not used with mod_jk; it does its own balancing. In a thread on the dev list, I'm a little more defensive of AJP because of its ability to pass data out-of-band with respect to the tunneled HTTP message. There definitely is utility there. +1. Passing Apache httpd's "environment variables" for instance, becoming "request attributes" in Tomcat. ...
Re: Log message - APR Error -70014
On 23.09.2015 17:51, DB wrote: Hello, For Tomcat 8.0.24 and jre 1.8.0_60. I have seen this stack trace in catalina.out and I have not found anything using google search to discover the cause. The error is intermittent and only shows up after pretty significant load:

17-Sep-2015 13:04:54.941 INFO [http-apr-8443-exec-3082] org.apache.coyote.AbstractProcessor.setErrorState An error occurred in processing while on a non-container thread. The connection will be closed immediately
java.io.IOException: APR error: -70014
    at org.apache.coyote.http11.InternalAprOutputBuffer.writeToSocket(InternalAprOutputBuffer.java:291)
    at org.apache.coyote.http11.InternalAprOutputBuffer.writeToSocket(InternalAprOutputBuffer.java:244)
    at org.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalAprOutputBuffer.java:213)
    at org.apache.coyote.http11.AbstractOutputBuffer.flush(AbstractOutputBuffer.java:305)
    at org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:765)
    at org.apache.coyote.Response.action(Response.java:179)
    at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:349)
    at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:317)
    at org.apache.catalina.connector.CoyoteWriter.flush(CoyoteWriter.java:94)
    at MyServlet.doGet(MyServlet.java:55)

The code at this line is: response.getWriter().flush(); What does this error mean? Hi. This is way beyond my depth in Tomcat or Java, but searching Google for "non-container thread" brought back one item which might be of interest : https://bz.apache.org/bugzilla/show_bug.cgi?id=57683 Such as : maybe running Tomcat in a console could bring more light on the matter ? P.S. This should not be construed as even a suggestion that the eminent Tomcat committers involved in the mentioned bug report may have missed something. As mentioned above, this is way beyond my depth, and I do not even really know what non-container threads are (that's why I was looking in Google). It's just that some of the lines in the stack-traces look eerily similar. P.S.2 : A better search in Google seems to be : tomcat "non-container threads"
Re: Which version of Tomcat supports Java 8
On 25.09.2015 01:03, gloria.zh...@wellsfargo.com wrote: Hi, We are currently using Tomcat 7.0.62. Does this version officially support Java 8? If not, which version of Tomcat supports it. All you wish to know is here : http://tomcat.apache.org/whichversion.html
[OT] Re: Parallel Deployment: Can I request a specific webapp version?
On 24.09.2015 23:59, George Sexton wrote: ... Couldn't you have your load balancer send x% to one instance, and 1-x% to the other instance? Wait, I didn't get this. Say that x = 20. So we send 20% to instance A. Then we send (1 - 20)% = -19%, to instance B. So together, instance A and instance B handle (20 + -19)% = 1% of the clients. What happens to the other 99% ?
Re: soap web service (axis based) on tomcat 8
On 19.09.2015 02:20, jennifer zhou wrote: Hi, Our app was running well on Tomcat 7 on linux. Recently we migrated to Tomcat 8 on linux. However we found the system CPU usage is higher than normal. When there is no any user interaction, we still see about 25% of the system CPU usage. After deep dive, we found the tomcat keeps scanning our app's class path under WEB-INF folder. Actually all our artifacts are packed within WEB-INF/lib folder, there is nothing within WEB-INF/classes folder. Is there any way to look for WEB-INF/lib folder first before looking for artifacts within WEB-INF/classes folder? Also why does Tomcat keeps scanning our app classpath during app idle time? Is there anyway to turn this off? Quick pointer : http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Standard_Implementation See "autoDeploy" (default is true) If you set this to "false", does the same still happen ? The detailed information is shown as below for your references.
Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
srini_ On 23.09.2015 19:03, Srinivasan Raman wrote: Hi Graham, Unfortunately, the data needs to be encrypted if the communication is over TCP, even if it is to a process in the same VM. Any alternatives that you can suggest for getting Unix domain sockets to work with Tomcat? I did come across mention of a connector, JK, that mentions Unix Domain sockets - that's what got me interested in this. Thanks, srini_ You already got a response from Christopher, one of the Tomcat Committers. Re-read it. It basically boils down to this : either - you write this yourself from scratch, both at the Apache httpd (mod_jk/mod_proxy_ajp) and at the Tomcat level (AJP Connector) or - you convince whoever wrote that requirement, that an internal TCP connection within the same host, is no less secure than a Unix Domain socket Your choice. (Otherwise, look at "socat" : http://www.dest-unreach.org/socat/) (I am just kidding; you would end up with two local TCP connections instead of one. But it /would/ use a UDS in-between. And internally, it must be doing the kind of things needed to "adapt" TCP to UDS and vice-versa. So maybe looking at the source code may give you an idea of what would be involved). Subject: Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x From: minf...@sharp.fm Date: Wed, 23 Sep 2015 18:11:06 +0200 To: users@tomcat.apache.org On 23 Sep 2015, at 5:55 PM, Srinivasan Raman <srini_b...@hotmail.com> wrote: Sorry, I should have provided more details while posting the query. Due to a security policy that mandates that a certain type of sensitive data flowing over a communication channel must be encrypted, we are using SSL. If the communication channel were to be Unix Domain sockets, we do not need to encrypt the data, based on the data classification for this use-case. Would it be possible to confirm the need for encrypting traffic over localhost? 
Regards, Graham
Re: Tomcat, Apache web-server : Simultaneously running both servers and Virtual Hosting.
On 07.12.2015 11:26, Kernel freak wrote: Hello friends, I am working on some server side changes in which I have the webapps or website hosted by Apache server is called by the URL. So if url is www.domain-one.com, then the specific webapp or website must be served. I have partial success in these regards as I have already configured Apache Tomcat to host multiple webapps, and call them based on URL. It is working. Now on to the 2nd stage of problem, where I have hosted a CMS on Apache server, and would like to call it with a URL, *but also keep Apache tomcat running in parallel*, and this is the main problem I am dealing with. This may seem like a Apache server issue, but it's both, as I want to run Apache web-server and Apache tomcat simultaneously with Virtual hosting. I just hope there might be people here who know both servers. I tried mod_jk without any luck. Here are the changes I made to tomcat and apache server. Tomcat changes : server.xml : www.domain-first.com www.domain-second.com Installed mod_jk with following command : apt-get install libapache2-mod-jk Created file workers.properties in /etc/apache2/ # Define 1 real worker using ajp13 worker.list=worker # Set properties for worker (ajp13) worker.worker.type=ajp13 worker.worker.host=localhost worker.worker.port=8010 Instructed jk.conf to load this file : JkWorkersFile /etc/apache2/workers.properties Finally edited 000-default in sites-enabled to add : JkMount /home/user/tomcat_directory/* worker1 Then restarted Apache2, and I got this error : [] Restarting web server: apache2(98)Address already in use: make_sock: could not bind to address [::]:80 (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80 no listening sockets available, shutting down Unable to open logs Action 'start' failed. The Apache error log may have more information. failed! I understand that Tomcat is running on 80, but how do I then configure the servers so they can run simultaneously. Kindly let me know.. Hi. 
You may have a lot of reading to do, specially on the Apache httpd side. It will be worth it in the end, to be able to think "globally" about the issues, and to be able to decide where best to do what. 1) Virtual Hosts : http://httpd.apache.org/docs/2.2/vhosts/ --> name-based virtual hosts 2) Proxying from Apache to Tomcat : http://httpd.apache.org/docs/2.2/mod/mod_proxy.html http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html (an alternative to mod_jk) .. and mod_jk you already know 3) URL Rewriting : http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html (allows you to do a lot of things, in combination with mod_proxy, but at a much finer level) Also, a tip if you want to use mod_jk in combination with all the Apache-httpd modules above : look at an alternative way to configure proxying from httpd to Tomcat, here : http://tomcat.apache.org/connectors-doc/reference/apache.html section : Using SetHandler and Environment Variables This method replaces the JkMount/JkUnMount, and fits nicely in Apache httpd's scheme, together with mod_rewrite, mod_proxy etc..
Re: Creating another Tomcat copy in hot stand-by when original goes down.
On 08.12.2015 14:07, Kernel freak wrote: Hello friends, I am working on a Debian server in which I would like to setup 2 instances of Apache tomcat which will be load balanced by an Apache HTTP server(Do I require a http server? ). In-case one copy of Apache tomcat goes down, the other one will automatically comes online. While I was creating a configuration for one of our server, I know how to relay requests based upon URL to Apache Tomcat, these are the 2 things I don't know. 1) Will this work with https? Reason I ask is, there are many pages which are served under https and the configuration which I have and shown below seems to be calling with http instead of https. 2) How to trigger the 2nd copy of tomcat. [snip] Hi. To answer this "top-down" : 1) to do "load-balance" 2 tomcats, there are many ways, and you do not necessarily have to use Apache httpd as a front-end, there are other solutions. But the Apache httpd solution is probably the easiest to set up, and it's free. 2) picture the following setup : user browser <-- HTTP or HTTPS --> Apache httpd <-- HTTP/HTTPS/AJP --> tomcat1 + Connector <-- HTTP/HTTPS/AJP --> tomcat2 tomcat1 and tomcat2 are always active, both. You do not start one when the other fails. They are normally both active, and they share the load (the httpd Connector does that for you). If one tomcat fails, the Connector under Apache httpd will notice that, and will start forwarding the requests only to the still-working tomcat. When the failed tomcat comes back on-line, the Connector notices again, and starts balancing the requests again to both tomcats. If both tomcats fail, you get an error at the httpd level. 3) for the httpd-level "Connector" between httpd and tomcat, you have 3 choices : a) mod_proxy + mod_proxy_http b) mod_proxy + mod_proxy_ajp c) mod_jk Each one of those can do load-balancing, but their configuration is different. 
4) If Apache httpd and the tomcats communicate through a network that is considered as secure, then the most efficient configuration would be : Connection A Connection B user browser <-- HTTP or HTTPS --> Apache httpd <-- HTTP/AJP --> tomcat1 + Connector <-- HTTP/AJP --> tomcat2 The usual way of describing this is "terminating HTTPS at the httpd level". In other words, do not use HTTPS between httpd and tomcat (connection B), because it would unnecessarily force an additional encryption/decryption. All the additional HTTPS information that may be needed at the tomcat level, to know that the original user connection with httpd (connection A) was under HTTPS, will be anyway forwarded by the Connector, to Tomcat (as HTTP request headers). (So tomcat can always know if the original browser to httpd connection A was secure or not.) 5) - The (mod_proxy + mod_proxy_http) Connector, forwards the original (HTTP/HTTPS) client requests to Tomcat, using the HTTP protocol (and format). So at the receiving end, in Tomcat, you need a matching HTTP Connector. - the (mod_proxy + mod_proxy_ajp) Connector, and the mod_jk Connector, forward the original (HTTP/HTTPS) client requests to Tomcat, using a protocol/format that is not HTTP, but which essentially carries the same information (it is the AJP protocol/format). So at the receiving end you need a matching AJP Connector. - when the request is received by Tomcat using either one of the Tomcat Connectors, it is the job of the Tomcat-side Connector to "translate" this request into an internal Tomcat "request object", which is always the same. So from the point of view of your tomcat webapps, it does not matter through which Connector the request was received, it always looks the same. - one difference between proxying through HTTP and proxying through AJP, is that the AJP protocol does not have a corresponding "AJPS" encrypted version. 
In other words, you should probably not use either (mod_proxy + mod_proxy_ajp) or mod_jk, if your httpd and tomcats communicate over a non-secure channel (such as over an Internet connection). (You could still do that over an SSH tunnel, but that complicates things). - another difference is that the AJP protocol can carry to tomcat, a user-id that has been authenticated at the httpd level. The HTTP protocol does not do that by itself. (In short, if you authenticate users at the httpd level, and want Tomcat to use this and avoid authenticating the user again, then use the AJP protocol). Does this give you enough material to figure out the rest of your questions ?
Re: Detecting Expired Session via JavaScript?
On 02.12.2015 16:55, Christopher Schultz wrote: Jerry, On 12/1/15 2:39 PM, Jerry Malcolm wrote: On 12/1/2015 12:17 PM, Jose María Zaragoza wrote: ts automatically resets the session timer. Only if the request goes to the same application. You can create a HttpSessionListener who saves some info on a shared store when session is expired. Another REST service could check the status of the session when is requested by your page Jose, I understand the listener and storing the state in common storage. But I'm confused on your statement above about the same application. I have several web apps running on the same host instance. They all share a common login using SingleSignOn. Each application has a distinct HttpSession object. The SingleSignOn cookie allows each application to re-authenticate using the SSO information, so you get a new HttpSession if your old one times out. If I hit any of the apps it resets the timer. I don't think hitting app A will reset the session timeout of app B's session. (Or maybe it does, but I didn't think that's how SSO worked in Tomcat. Unfortunately, the SSO documentation[1] doesn't actually say exactly how all this works.) Do they all have separate sessions but share a common login state? Yes. What is the relationship between "logged in" and separate webapp sessions that come and go independently. What I really care about is whether the authenticator is going to bounce the request to a login page or not. It still seems like calling any app is going to reset the logged-in timer if I'm using single sign-on (?). The authenticator is not going to send you to a login page for any application unless either of these events occurs: (a) You explicitly log-out from one of the applications. This will terminate the SSO cookie and revoke your logins on all associated applications. (b) Your SSO cookie (or server-based info) expires. Then you will be asked to authenticate again.
If you are using SSO, this adds a bit of mystery to the situation, since what you really want to find out is whether the /SSO token/ is still valid. The validity of any of the various individual-application session identifiers is irrelevant, since if the SSO token is valid, you will be automatically re-authenticated to the individual applications. I think you may have to re-think how you detect the expiration of your users' logins. Hi. I am sorry to barge in this discussion, which I have been loosely following over several days, but I have to say that at least based on the documentation at http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Single_Sign_On_Valve and http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Single_Sign_On , I still do not understand what the problem is, that Jerry is trying to solve. In his original post, Jerry said "But basically, I want to know that the session is no longer valid and force the user back to the login page." And he later mentioned that he was using the SSO Valve, and container-based Form authentication for the webapps. But as far as I understand, that is the way in which this works : - as soon as the user (initially) accesses any of the protected applications, he/she gets a login page and has to login. Thereafter, he/she gets access to the requested application, which creates an "application session", in which the logged-in state is recorded. - because of the SSO Valve, some information is also stored separately, regarding the user authentication - now if the user accesses another protected application, the container - which would normally send back a login form - notices that there is stored SSO authentication information, and automatically authenticates the user for this second application. Which also creates a separate "application session" stored on the server. - and so on... 
- at some point in the future, any one of these stored application sessions becomes invalid (either by something actively invalidating the session, or by a session timeout). At this point - if I believe the documentation - the container immediately invalidates all the other application sessions and whatever SSO authentication had been saved, so that if the user subsequently accesses any other (or the same) application, they get a login page again. And is that not precisely what Jerry wanted to achieve in the first place ? Or am I missing/misunderstanding something ?
Re: Fwd: curl and geoserver not working
On 06.12.2015 20:25, pablo zader wrote: Hello list. Something strange is happening when I load a file to Geoserver by curl. I observed in the tomcat manager that the process never leaves the state (s) of service: *Sent Time Stage B B Recv Client (Forwarded) Client (Current) VHost Request* *S 1968673 ms 0 KB 59442 KB 172.xx.xx.xx 172.xx.xx.xx 172.xx.xx.xx /geoserver/rest/workspaces//coveragestores//file.geotiff PUT HTTP / 1.1* The curl command is nailed to the command line: $> Curl -v -u user: pass -XPUT -H 'Content-type: image / tiff' --data-binary @ / mytif.tif http: // myip: myport / geoserver / rest / workspaces / / coveragestores //file.geotiff * About to connect () to 172.19.12.24 port 8080 (# 0) * Trying 172.19.12.24 ... Connected * Server using basic with auth user 'admin' /geoserver/rest/workspaces//coveragestores//file.geotiff PUT HTTP / 1.1 Authorization: Basic YWRtaW46cHJveWVjdG9VREVHRTIwMTU = User-Agent: curl / 7.22.0 (x86_64-pc-linux-gnu) libcurl / 7.22.0 OpenSSL / zlib 1.0.1 / 1.2.3.4 libidn / librtmp 1.23 / 2.3 Host: myip: myport Accept: * / * Content-type: image / tiff Content-Length: 125009107 Expect: 100-continue And in the file /usr/share/tomcat7-admin/manager/WEB-INF/web.xml 400428800 400428800 0 I think this must be a problem of Tomcat, but maybe the problem is Geoserver. Hello Pablo. Nothing to do (maybe) with your problem itself, but in your message to the list, above, there are a lot of spaces that do not look like they should be there. For example, in > $> Curl -v -u user: pass -XPUT -H 'Content-type: image / tiff' > --data-binary @ / mytif.tif http: // myip: myport / geoserver / rest / > workspaces / / coveragestores //file.geotiff and in >> Host: myip: myport >> Accept: * / * >> Content-type: image / tiff and in > 400428800 Since any of these spaces could in principle cause something to malfunction, could you repost your question with all the not-original spaces removed ?
Re: Today's Apache Tomcat: TLS Virtual Hosting webinar is now available on YouTube
On 09.12.2015 01:13, Yu, Yujin wrote: Hi, Please kindly remove myself in this e-mail group. Please see instructions for that at the bottom of *each message* on this list. ...
Re: Custom Connector class
On 09.12.2015 14:03, Roel Storms wrote: The real requirement is being able to process the body of a request in a Valve without restricting the servlet to call request.getInputStream, getReader and getStream. I have tried by wrapping the request but some behavior can't be masked. It is also much more simple to implement by just extending the Request class and using this in Connector.createRequest(). So the actual requirement is a Valve wanting to process the body but still allowing the target application to call whatever processing method they chose. When the Valve would chose to process the body by calling Request.getInputStream(). The servlet wouldn't be able to call getReader or getParam anymore. I would like my Valve to be transparent in that sense. I am no java nor Tomcat guru, so take this with caution : Looking at http://tomcat.apache.org/tomcat-8.0-doc/config/http.html#Common_Attributes --> maxSavePostSize makes me think that there is a case where tomcat saves an incoming request body, and restores it afterward (after the authentication). Since the authentication takes place before the webapp is called, it cannot know the way in which the webapp is going to consume the request body. So the saved body must be saved in such a way, that the webapp can afterward consume it in the way it chooses. Doesn't that provide some clue on how to solve your problem ? 2015-12-09 13:07 GMT+01:00 Konstantin Kolinko <knst.koli...@gmail.com>: 2015-12-09 14:13 GMT+03:00 Roel Storms <roel.sto...@gmail.com>: Hello, In Tomcat 4.1 it used to be possible to specify a custom class for the Connector: https://tomcat.apache.org/tomcat-4.1-doc/config/coyote.html In the newest versions it's only possible to provide a custom Protocol. However I would like to modify the Request that is created by the Connector.createRequest() method. Is this no longer possible via configuration? 
As a note: If such a feature ever going to be implemented, the place to fix is org.apache.catalina.startup.ConnectorCreateRule class. Instances of Connector are created via that rule, instead of a standard class creation rule, and so (unlike other elements processed by digester) className attribute does not work here. Best regards, Konstantin Kolinko
Re: Failover not working even after configuration.
On 09.12.2015 15:56, Kernel freak wrote: I am working on Apache and tomcat to setup Load-balancing and fail-over. Initially I thought that load-balancing would include fail-over, but I was wrong. I thought that if one instance is not active, then consuming other instance also becomes a part of load-management. It should : quote : http://tomcat.apache.org/connectors-doc/reference/workers.html Load balancer management includes: Instantiating the workers in the web server. Using the worker's load-balancing factor, perform weighed-round-robin load balancing where high lbfactor means stronger machine (that is going to handle more requests) Keeping requests belonging to the same session executing on the same Tomcat worker. Identifying failed Tomcat workers, suspending requests to them and instead fall-backing on other workers managed by the lb worker. The overall result is that workers managed by the same lb worker are load-balanced (based on their lbfactor and current user session) and also fall-backed so a single Tomcat process death will not "kill" the entire site. Enough with the terminologies, I setup fail-over, but the ironical part is fail-over itself is failing. As soon as I shut down one instance of tomcat, the entire setup is dead and I am getting 503. Can someone help me understand what is the problem. Maybe the first step would be to remove the irrelevant parts of the configuration below. Also, please make an effort at formatting your email, in plain text. What comes below is almost unreadable as it is. (Even in the original mail to the list, see by yourself) I have reformatted what I could..
Added this in apache2.conf : JkWorkersFile /etc/apache2/workers.properties JkMount /* loadbalancer workers.properties : worker.list=loadbalancer worker.server1.port=8010 worker.server1.host=localhost worker.server1.type=ajp13 worker.server2.port=8011 worker.server2.host=localhost worker.server2.type=ajp13 worker.server1.lbfactor=1 worker.server2.lbfactor=1 worker.loadbalancer.type=lb worker.loadbalancer.balance_workers=server1,server2 worker.loadbalancer.method=B worker.balancer.sticky_session=True 000-default in sites-enabled : JkMountCopy On BalancerMember ajp://localhost:8010 route=server1 connectiontimeout=10 BalancerMember ajp://localhost:8011 route=server2 connectiontimeout=10 ProxySet stickysession=JSESSIONID|jsessionid Order Deny,Allow Deny from none Allow from all ProxyRequests off ProxyPass /balancer-manager ! ProxyPass / balancer://mycluster/ ProxyPassReverse / balancer://mycluster/ SetHandler balancer-manager Order Deny,Allow Deny from none Allow from all First tomcat's server.xml : On your front-end, you are re-directing everything to the tomcats, via AJP. So this Connector is superfluous, and only makes the discussion more confusing : Same for this one. You are using AJP, so you are never accessing tomcat directly via HTTPS. Useless : This one is being used : // No modifications inside Second Tomcat's server.xml : useless, see above : useless, see above : Used: // No modifications here Note : your HTTP(S) Connectors are useless, since nothing should in principle ever reach tomcat via HTTP(S). But if you are going to use the redirectPort="8443" attribute, you may at least ensure that the corresponding port is attended to. So, I suggest that you clean up your configuration, and repost it in a more readable format. Then maybe we'll see something. I am working on Apache and tomcat to setup Load-balancing and fail-over. Initially I thought that load-balancing would include fail-over, but I was wrong. 
I thought that if one instance is not active, then consuming other instance also becomes a part of load-management. Enough with the terminologies, I setup fail-over, but the ironical part is fail-over itself is failing. As soon as I shut down one instance of tomcat, the entire setup is dead and I am getting 503. Can someone help me understand what is the problem. Added this in apache2.conf : JkWorkersFile /etc/apache2/workers.properties JkMount /* loadbalancer workers.properties : GNU nano 2.2.6 File: workers.properties worker.list=loadbalancer worker.server1.port=8010 worker.server1.host=localhost worker.server1.type=ajp13 worker.server2.port=8011 worker.server2.host=localhost worker.server2.type=ajp13 worker.server1.lbfactor=1 worker.server2.lbfactor=1 worker.loadbalancer.type=lb worker.loadbalancer.balance_workers=server1,server2 worker.loadbalancer.method=B worker.balancer.sticky_session=True 000-default in sites-enabled : JkMountCopy On BalancerMember ajp://localhost:8010 route=server1 connectiontimeout=10 BalancerMember ajp://localhost:8011 route=server2 connectiontimeout=10 ProxySet stickysession=JSESSIONID|jsessionid Order
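A name-consistency lint for the two mod_jk configurations posted in the virtual-hosting thread and in this one, as an added example (not code from the posters or from mod_jk). The configurations are the posted ones laid out one directive per line, the function names are hypothetical, and the lint reports only mismatched worker names; it makes no claim about the cause of the 503.

```python
"""Consistency lint for mod_jk worker names (added example, not mod_jk code)."""

# Configurations as posted in the two threads, one directive per line.
VHOST_WORKERS = """\
# Define 1 real worker using ajp13
worker.list=worker
# Set properties for worker (ajp13)
worker.worker.type=ajp13
worker.worker.host=localhost
worker.worker.port=8010
"""
VHOST_HTTPD = ["JkMount /home/user/tomcat_directory/* worker1"]

FAILOVER_WORKERS = """\
worker.list=loadbalancer
worker.server1.port=8010
worker.server1.host=localhost
worker.server1.type=ajp13
worker.server2.port=8011
worker.server2.host=localhost
worker.server2.type=ajp13
worker.server1.lbfactor=1
worker.server2.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=server1,server2
worker.loadbalancer.method=B
worker.balancer.sticky_session=True
"""
FAILOVER_HTTPD = ["JkMount /* loadbalancer"]


def split_csv(value):
    """Split a comma-separated directive value into clean names."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_workers(text):
    """Return (names in worker.list, {worker name: {directive: value}})."""
    exposed, props = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".", 2)                # worker.<name>.<directive>
        if parts[0] != "worker":
            continue
        if key == "worker.list":
            exposed += split_csv(value)
        elif len(parts) == 3:
            props.setdefault(parts[1], {})[parts[2]] = value
    return exposed, props


def lint(workers_text, httpd_lines=()):
    """Return (code, worker name) findings for names that do not line up."""
    exposed, props = parse_workers(workers_text)

    # A worker is in use if httpd can see it (worker.list), if a balancer
    # lists it as a member, or if another worker uses it as a template.
    referenced = set(exposed)
    for directives in props.values():
        referenced.update(split_csv(directives.get("balance_workers", "")))
        template = directives.get("reference", "")
        if template.startswith("worker."):
            referenced.add(template[len("worker."):])

    findings = []
    for name in props:
        if name not in referenced:               # directives nobody reads
            findings.append(("ORPHAN_PROPERTIES", name))
    for directives in props.values():
        for member in split_csv(directives.get("balance_workers", "")):
            if member not in props:              # member never configured
                findings.append(("UNDEFINED_MEMBER", member))
    for line in httpd_lines:
        tokens = line.split()
        if (len(tokens) == 3 and tokens[0].lower() == "jkmount"
                and tokens[2] not in exposed):   # mount target not exposed
            findings.append(("JKMOUNT_UNKNOWN_WORKER", tokens[2]))
    return findings


if __name__ == "__main__":
    for label, workers, httpd in (
        ("virtual hosting thread", VHOST_WORKERS, VHOST_HTTPD),
        ("failover thread", FAILOVER_WORKERS, FAILOVER_HTTPD),
    ):
        for code, name in lint(workers, httpd):
            print(f"{label}: {code} {name}")
```
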
Apache httpd / mod_proxy_ajp logging
Hi. Although the above module is a httpd-level, this might still be the right place to ask : I am usually using mod_jk as an Apache httpd / Tomcat connector. With mod_jk, there is a separate JkLogLevel directive to set the log level, and also a separate logfile. Would anyone here know what is available in that respect with mod_proxy_ajp ? Can I trace at the httpd level what is actually being proxied to Tomcat ? Thanks.
Re: Detecting Expired Session via JavaScript?
On 01.12.2015 18:30, Jerry Malcolm wrote: I'm looking for a way to detect that the current session has expired (or logged out via another tab on the browser). I know I could just issue dummy requests to the server and see if a login page comes back. But issuing requests automatically resets the session timer. I need a benign way to query that doesn't keep the session alive forever. I'm sure this problem has been solved before. But basically, I want to know that the session is no longer valid and force the user back to the login page. Isn't that what the standard authentication code does ? (or could do ?) I know one possibility is to set the Tomcat timer to 30 min expiration, and then keep a '29 minute' timer running in the browser. But my clients can change the tomcat session timer length. And also this doesn't account for a logoff using the same session on a different browser tab. I'd really like a pro-active query method if anything like that exists. Suggestion? Thanks. Jerry
Re: Failover not working even after configuration.
On 09.12.2015 17:02, Kernel freak wrote: Hi, Thank you for finding out that mistake with port-number. What I fail to understand is, where to redirect the AJP request then? Why would you need to ? Again : Your AJP (in Tomcat) will *never* receive requests that are HTTPS. It expects (and in your configuration, receives) only requests in the AJP protocol format (from the Apache-httpd-side mod_jk or mod_proxy_ajp module). (And if it received anything else, it would bitterly complain). Also again: Your configuration is : User browser <-- HTTP(S) --> Apache httpd + mod_jk <- AJP -> Tomcat AJP Connector <-->Tomcat webapp The user's browser talks to Apache httpd using either HTTP or HTTPS. If it is HTTPS, Apache unencrypts it. The request is then (partially) processed in Apache httpd (parsing the headers etc.), and then it is forwarded to (one of the) Tomcat by the mod_jk module, in AJP format (which has no encrypted version). It is received by the AJP Connector in Tomcat (which understands AJP, but not HTTP/HTTPS). The AJP Connector in Tomcat makes this into a Tomcat/java HTTP Request object, that object is passed to the webapp, and that is what the webapp is dealing with. The webapp Response object goes the opposite way. Tomcat outputs this response through the AJP connector, which encodes it as an "AJP message". This message goes to the Apache mod_jk connector. The mod_jk connector decodes this back for Apache-httpd, into an "Apache httpd response". Apache httpd then sends this response back to the browser, in HTTP or HTTPS, depending on how the browser originally connected to httpd to send that request. 
The thing to understand here, is that along with the request in AJP format that mod_jk sends to the Tomcat AJP Connector, there will be (optionally) a number of "SSL attributes", which allow the recipient webapp to know that the original browser-to-httpd connection was HTTPS (or not), even though Tomcat received that request through the AJP Connector, in non-SSL AJP format. See here : http://tomcat.apache.org/connectors-doc/reference/apache.html --> JkExtractSSL I do not know Spring, and I do not know under what conditions it would send back https:// links or not. But this should not be a problem, if the configuration on both Apache-httpd and Tomcat is correct. Now, all that I am saying above, and also all your load-balancing setup, is only valid assuming that *all* browser-to-Tomcat communications always goes through Apache httpd. If you allow browsers to access Tomcat directly, then all this is moot. A browser cannot talk directly to the Tomcat AJP Connector, they would not understand each other. But if your Tomcats have active HTTP/HTTPS Connectors, and the browser is able to connect to them, then forget all the above, it will not work as you expect. (Such connections would also bypass the load-balancing that you want). Can you tell me that. I am as of now creating additional mail, as I changed the config and added a Cluster in tomcat. I just need to know what's the deal with those connectors, as the webapp requires https.. Should I remove that redirectPort in ajp? Kindly let me know. Thank you. On Wed, Dec 9, 2015 at 4:46 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote: On 09.12.2015 15:56, Kernel freak wrote: I am working on Apache and tomcat to setup Load-balancing and fail-over. Initially I thought that load-balancing would include fail-over, but I was wrong. I thought that if one instance is not active, then consuming other instance also becomes a part of load-management.
It should : quote : http://tomcat.apache.org/connectors-doc/reference/workers.html Load balancer management includes: Instantiating the workers in the web server. Using the worker's load-balancing factor, perform weighed-round-robin load balancing where high lbfactor means stronger machine (that is going to handle more requests) Keeping requests belonging to the same session executing on the same Tomcat worker. Identifying failed Tomcat workers, suspending requests to them and instead fall-backing on other workers managed by the lb worker. The overall result is that workers managed by the same lb worker are load-balanced (based on their lbfactor and current user session) and also fall-backed so a single Tomcat process death will not "kill" the entire site. Enough with the terminologies, I setup fail-over, but the ironical part is fail-over itself is failing. As soon as I shut down one instance of tomcat, the entire setup is dead and I am getting 503. Can someone help me understand what is the problem. Maybe the first step would be to remove the irrelevant parts of the configuration below. Also, please make an effort at formatting your email, in plain text. What comes below is almost unreadable as it is. (Even in the original mail to the list, see by yourse
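The points made in this reply and in the earlier hot stand-by reply (AJP has no encrypted version, an HTTP Connector that browsers can reach bypasses httpd, and a redirectPort should be attended to) can be checked against a Tomcat server.xml. The following is an added example, not code from the thread or from the Tomcat project: the sample server.xml is constructed, `audit_connectors` is a hypothetical name, and a Connector without an `address` attribute is assumed to listen on all interfaces.

```python
"""Audit Tomcat <Connector> elements behind an httpd front end (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; the server.xml posted to the list did not survive.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

FINDING_TEXT = {
    "AJP_NON_LOOPBACK": "unencrypted AJP reachable beyond this host; "
                        "acceptable only on a trusted network",
    "HTTP_BYPASSES_FRONTEND": "clients can reach Tomcat directly, "
                              "skipping httpd and its load balancing",
    "REDIRECTPORT_UNATTENDED": "redirectPort names a port no Connector serves",
}


def is_loopback(address):
    """True when the Connector is bound to the local host only."""
    if address is None:
        return False          # assumption: no address means all interfaces
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False          # other host names: treat as reachable


def is_ajp(connector):
    """AJP Connectors use protocol="AJP/1.3" or an ...ajp... class name."""
    return "ajp" in connector.get("protocol", "HTTP/1.1").lower()


def audit_connectors(server_xml):
    """Return (port, finding code) pairs for every Connector in server.xml."""
    root = ET.fromstring(server_xml)
    connectors = root.findall("./Service/Connector")
    served_ports = {c.get("port") for c in connectors}
    fronted_by_httpd = any(is_ajp(c) for c in connectors)

    findings = []
    for connector in connectors:
        port = connector.get("port")
        exposed = not is_loopback(connector.get("address"))
        if is_ajp(connector) and exposed:
            findings.append((port, "AJP_NON_LOOPBACK"))
        if not is_ajp(connector) and exposed and fronted_by_httpd:
            findings.append((port, "HTTP_BYPASSES_FRONTEND"))
        redirect = connector.get("redirectPort")
        if redirect and redirect not in served_ports:
            findings.append((port, "REDIRECTPORT_UNATTENDED"))
    return findings


if __name__ == "__main__":
    for port, code in audit_connectors(SAMPLE_SERVER_XML):
        print(f"Connector port {port}: {code}: {FINDING_TEXT[code]}")
```
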
Re: Tomcat available memory
On 11.12.2015 11:17, Yogesh Patel wrote: In Tomcat's JVM settings following parameters are configured : -verbose:gc -XX:+PrintGCDateStamps -XX:+PrintGC -Xloggc:logs/gc.log which prints log in file like below: 2015-12-11T15:42:06.779+0530: 5.662: [GC [PSYoungGen: 115711K->26741K(218624K)] 159969K->71550K(283136K), 0.0305672 secs] [Times: user=0.02 sys=0.02, real=0.03 secs] I want to print like below in log file: Free memory: 244.47 MB Total memory: 512.00 MB Max memory: 910.50 MB What parameters need to set in JVM option of Tomcat to achieve this? You need to look at the options for the JVM that you are using. That is not within the scope of Tomcat. It is not Tomcat writing this, it is the JVM. And it is not "Tomcat's JVM", it is the "JVM vendor's JVM" (Oracle, IBM or whatever).
Re: maxConnection and keepAliveTimeout
On 11.12.2015 07:56, Yogesh Patel wrote: Hi All, *If we do not configure "maxConnections" then it will take default value as maxThread (which is 200) and "keepAliveTimeout" will take default value of connectionTimeout (which is 60 seconds) then what is the impact of configuring these parameters?* *What value for "keepAliveTimeout" will be considered the best?* hi. This must already have been answered a million times on this list and others, but anyway : 1) https://en.wikipedia.org/wiki/HTTP_persistent_connection ... "Disadvantages If the client does not close the connection when all of the data it needs has been received, the resources needed to keep the connection open on the server will be unavailable for other clients. How much this affects the server's availability and how long the resources are unavailable depend on the server's architecture and configuration. " Imagine the case of a browser requesting a html page from a server, and receiving back a page which contains 30 further links to other resources on the server, all needed to represent the initial page correctly (css,javascript,images,..). The keep-alive setting is meant to allow the browser to fetch these additional resources, using the same initial TCP connection, instead of having to re-build a separate connection for each of these additional resource calls. The keep-alive timeout kicks in each time the server has finished serving one resource to the browser. The server then waits (with the connection still open) for another "timeout seconds", to see if the browser sends any other request on the same connection. If the timeout is reached without the server receiving any additional request, the server closes the connection, /and can free the resources that were waiting on that connection/. In modern infrastructures, if the server does not receive any more requests on a connection after a few seconds, it is likely that the browser is not going to send any additional requests there.
So it is better to free such a connection relatively quickly (like, 5 s), to allow the server resources to process other requests instead. And by the way, I would also lower the connectionTimeout, if I was you. Just to reduce the possibility of one form of DOS attack.
Re: Tomcat Conflicting with Group Policy Client
On 19.11.2015 05:19, Nick Childs wrote: Tomcat Version: 6.0.39 Operating System: Server 2012 R2 Standard Configuration: We are utilizing Tomcat as part of a Pentaho deployment - Tomcat is utilized for Pentaho's Data Integration and Business Analytics services. Description: We have a custom Deployment of Pentaho using PostgreSQL and Tomcat Apache running within the current version of our proprietary Medical Imaging software. The integration works well, but we have spent months struggling to identify the cause of a major conflict between the PostgreSQL/Tomcat integration and group policy client in windows domain environments. Whenever the PostgreSQL and Tomcat Apache (Pentaho Data Integration) services are running, we begin to see 1 hour + reboot times and gpupdate failures due to the group policy client just hanging for long periods of time with no explanation. If only Pentaho is running, no problem is experienced. If only Tomcat is running, no problem is experienced - it is only when we have both running/communicating the Group Policy updates begin to fail. We have enabled all known debugging in Group Policy, PostgreSQL, Pentaho, and Tomcat, performed xBootMgr traces, performed Process Monitor analysis, and Packet Captures, but have been unable to determine the cause of the conflict. We are also working with Microsoft, Pentaho, and PostgreSQL independently to try and flush out the culprit. After spending weeks analyzing and reviewing our development team's internal notes, I have become fairly confident that the root cause of this problem is related to the way that we deployed Tomcat, and the way that Tomcat/PostgreSQL communicate with each other, but I have not found solid proof that actually indicates this yet. I have learned a lot about how PostgreSQL/Tomcat are functioning in this environment over the last week, but I am not part of the team that deployed this, and am certainly not an expert on Pentaho, PostgreSQL, or Tomcat. 
I have been collecting a list of debug error/warnings from the Tomcat logs over the last few days (attached), and I am hoping someone who is an expert on this stuff can possibly review this list of errors, provide an explanation/priority for each, and answer the following questions: 1. Are there any known conflicts with Tomcat and GroupPolicy in Windows domain environments? Required Configurations? Workarounds? 3. Are there any special debugging options or monitoring tools that we could use to get more information about what Tomcat is doing during the time periods that Group Policy Client is hung? The built-in logging is not helping us. 4. Do you have any suggestions or options that we can try to see if our behavior changes? Please let me know if there is any additional information I can provide to help. Hi. I don't know anything about the various non-Tomcat softwares you are mentioning, and just a little bit about Tomcat. But the one thing I see in your Tomcat logfile, is that there seem to be a lot of TCP connection errors of the kind "(Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.)" These seem to be related mostly to PostgreSQL. Maybe there is a limit (in the PostgreSQL configuration) to how many connections it accepts at the same time ? or maybe the PostgreSQL server is just overloaded ? Anyway, I would check this first, because there is a chance that many of the other errors which you are seeing are cascading down from there.
Re: Source IP filtering on some URLs before Container-managed authentication
On 20.11.2015 17:00, Ognjen Blagojevic wrote: Andre, Chris, On 20.11.2015 9:30, André Warnier (tomcat) wrote: On 19.11.2015 21:26, Christopher Schultz wrote: I think that may be the only way to do it. IIRC, someone did some work to allow Filters to be used in the valve chain, but I don't think there is any facility for specifying s for those. Or, you could switch from container-based AAA, to application-based AAA. You can create a servlet filter which "wraps" your application(s), and in it apply any rules you want. This is totally portable, not Tomcat-specific, and doesn't require any change to server.xml for instance (nor to your application). Thank you both for looking into this. Ok, so it is a choice, either - move RemoteAddrFilter to become a Realm in front of Authenticator Valve, or - move Authenticator valve to become a Filter behind RemoteAddrFilter. To avoid having to redo what others have already done, you may also want to have a look at : http://tuckey.org/urlrewrite/manual/3.0/#filterparams see : element --> remote-addr (for instance) (I'm not saying that urlrewrite fills /all/ your needs, but you could combine urlrewrite with some simple code of your own, to fill all your needs. (snip)). This part I don't get. What is the added value of using urlrewrite compared to RemoteAddrFilter? It is basically the same functionality? Well, you can use a lot more conditions in urlrewrite filter, such as a client IP + URL patterns + lots more. And you can combine them using the type="next". Your original post said "My webapp has a set of resources, let's call that set R. Some of those resources need to be accessed only from certain source IP addresses, let's call that subset R'. And some subset of R' (let's call it R'') needs authentication." 
So if I get this correctly, for R'' you have 3 requirements : - a URL matching R'' (check with "request-url" or "request-uri") - a remote IP (check with "remote_addr") - an authenticated user (check with "remote_user" not blank) and if it does not match the last 2, return "not found" or "forbidden" or a login page (or anything else that strikes your fancy) then, (with "next"="or") for R' you have 2 requirements : - a URL matching R' (check with "request-url" or "request-uri") - a remote IP (check with "remote_addr") and if it does not match the last, return "not found" or "forbidden" or a login page (or anything else that strikes your fancy) and for the rest, nothing, which is what urlrewrite will do by default : let the request through. Note that I haven't really tried the above. It just looks as if it might fill your needs. If you do not know urlrewrite yet, it is worth investigating anyway; it is a nice piece of work, useful in many circumstances. The above is just an expression of my general view of things. I interpret 12.2 and 12.3 of the servlet spec as saying that container-based authentication is meant to match general cases, and if you want more specific things, you should probably move to application-level authentication (which can be part of your application, and if based on servlet filters, should be portable to other containers)(which Valves are not). And if you are anyway going in that direction, re-using already-developed and tested stuff like urlrewrite (if possible), is probably less expensive overall, than starting from scratch. Note also that urlrewrite is open-source, under a BSD license. So you can also re-use parts of the code (or just get inspiration from it), if you want to turn your own more specific filter.
Re: Source IP filtering on some URLs before Container-managed authentication
On 19.11.2015 21:26, Christopher Schultz wrote: Ognjen, On 11/19/15 10:14 AM, Ognjen Blagojevic wrote: My webapp has a set of resources, let's call that set R. Some of those resources need to be accessed only from certain source IP addresses, let's call that subset R'. And some subset of R' (let's call it R'') needs authentication. I have a requirement to check source IP address before authentication. Right now, R' is specified in web.xml RemoteAddrFilter s, and R'' is specified in web.xml s. The problem is, filters are executed after container-managed authentication, so login form is presented to the user before RemoteAddrFilter kicks in, and checks source IP address. That is not what I need. Users outside trusted IP ranges should not be able to even know about the protected resources, let alone to guess passwords. RemoteAddrValve, on the other hand, is called before container-managed authentication, but it does not allow specifying s. What would be a good solution for the above requirement? Extend RemoteAddrValve with the ability to specify s? I think that may be the only way to do it. IIRC, someone did some work to allow Filters to be used in the valve chain, but I don't think there is any facility for specifying s for those. -chris Or, you could switch from container-based AAA, to application-based AAA. You can create a servlet filter which "wraps" your application(s), and in it apply any rules you want. This is totally portable, not Tomcat-specific, and doesn't require any change to server.xml for instance (nor to your application). Servlet Spec 3.0 has this to say : 13.3 Programmatic Security Programmatic security is used by security aware applications when declarative security alone is not sufficient to express the security model of the application. 
To avoid having to redo what others have already done, you may also want to have a look at : http://tuckey.org/urlrewrite/manual/3.0/#filterparams see : element --> remote-addr (for instance) (I'm not saying that urlrewrite fills /all/ your needs, but you could combine urlrewrite with some simple code of your own, to fill all your needs. Servlet filters are "stackable").
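The ordering asked for in this thread (source IP first, login only afterwards), written as a servlet filter using the programmatic security the Servlet 3.0 spec describes; this is an added example, not code from any poster or from Tomcat. It assumes the `<security-constraint>` for R'' is removed from web.xml while `<login-config>` stays in place; the path prefixes, CIDR ranges and role name are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: source-IP check first (R'), authentication second (R''). */
public class IpThenAuthFilter implements Filter {
    // Hypothetical values; adjust to the application.
    private static final String RESTRICTED = "/internal/";        // R'
    private static final String AUTH_ONLY = "/internal/admin/";   // R'', a subset of R'
    private static final String ROLE = "admin";
    private static final List<String> TRUSTED = Arrays.asList("10.0.0.0/8", "192.168.10.0/24");

    /** True when ip lies inside cidr; both are literals, so no DNS lookup happens. */
    static boolean inCidr(String ip, String cidr) throws IOException {
        String[] parts = cidr.split("/");
        byte[] addr = InetAddress.getByName(ip).getAddress();
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        if (addr.length != net.length) return false;   // IPv4 address against IPv6 range, or reverse
        int bits = Integer.parseInt(parts[1]);
        for (int i = 0; i < addr.length && bits > 0; i++, bits -= 8) {
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
            if ((addr[i] & mask) != (net[i] & mask)) return false;
        }
        return true;
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // getServletPath()/getPathInfo() are the decoded path the container dispatches on;
        // getRequestURI() would be the raw request line and is unsafe for prefix tests.
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());

        if (path.startsWith(RESTRICTED)) {
            boolean trusted = false;
            for (String cidr : TRUSTED) {
                if (inCidr(req.getRemoteAddr(), cidr)) { trusted = true; break; }
            }
            if (!trusted) {
                // Same answer as for a resource that does not exist: no login form, no hint.
                res.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            if (path.startsWith(AUTH_ONLY)) {
                // Servlet 3.0 programmatic security: runs the <login-config> mechanism.
                if (!req.authenticate(res)) return;    // challenge or login page already sent
                if (!req.isUserInRole(ROLE)) {
                    res.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Behind a reverse proxy, `getRemoteAddr()` returns the proxy's address, so the allow-list only means something once the container is set up to report the real client address.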
Re: Modsecurity - REQBODY ERROR
On 23.11.2015 10:52, Yogesh Patel wrote: In modsecurity we have a rule below: "SecRule REQBODY_ERROR "!@eq 0" \ "id:'21', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" in mod security log following error message is detected: "Message: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "D:/tools/Apache2.4.x/conf/extra/highq/modsec/modsecurity.conf"] [line "132"] [id "21"] [msg "Failed to parse request body."] [data "Error reading request body: Client went away."] [severity "CRITICAL"] Action: Intercepted (phase 2)" What could be the possible reason for this error? I don't know, but I believe that you may have posted this to the wrong list. Should you not be sending this to the *Apache httpd* user list, instead of the *Apache Tomcat* user list ? See : http://httpd.apache.org/ versus http://tomcat.apache.org (They both belong to the Apache organisation, but they are different software products) And modsecurity is yet another separate thing, at http://www.modsecurity.org, but it seems more related to Apache httpd than to Tomcat.
Re: ServletRequest.getInputStream, getReader, getParameter.
On 23.11.2015 21:14, Roel Storms wrote: Ok, thank you for the clear response. I see the problem with file type elements. If you really have an overwhelming need to pre-check whole POST bodies before passing them to a Tomcat application, you may want to think about fronting your Tomcat server with an Apache httpd server. You could then do the checking at the Apache httpd level, before forwarding the request to Tomcat. And of course not forward it at all if the check fails. Doing this at the front-end level would not "consume" the request body, as it does when you do this under Tomcat. All in all, you would still end up reading the request body twice. But depending on your use case, it may be worth it. In your initial post below, you wrote "..some integrity checking on HTTP requests (the details aren't important)..". But if you want further help or recommendations, I believe that more details about what exactly you are trying to achieve and/or check, would be important. After all, Tomcat is already making a fair amount of checking by default, on any received HTTP request, before it will forward it to any application. So it would be interesting to have an idea of which extra checks you want to make. 2015-11-23 17:18 GMT+01:00 André Warnier (tomcat) <a...@ice-sa.com>: On 23.11.2015 16:31, Mark Thomas wrote: On 23/11/2015 14:30, Roel Storms wrote: Hello, I am working on a Valve that does some integrity checking on HTTP requests (the details aren't important) where I need this valve to have access to the HTTP request body as well. I used request.getInputStream to fetch the data. However when a web application makes use of my valve, the getParameter method does not return the parameters submitted via POST anymore. This is documented behavior according to the spec of ServletRequest ( https://tomcat.apache.org/tomcat-8.0-doc/servletapi/javax/servlet/ServletRequest.html#getInputStream() ). 
I was wondering why it was designed this way, Given the potential size of a request body, streaming is the only viable option. since numerous complaints have arisen from this behavior and some ugly workarounds have been devised which unfortunately stop working from Tomcat 7 (servlet 3.0): https://stackoverflow.com/questions/10210645/http-servlet-request-lose-params-from-post-body-after-read-it-once This shows how easily code like this could break. What that shows is the folks haven't thought through what they are trying to do. Consider the following: Tomcat provides request R. Filter reads request body using R.getInputStream(). Filter caches request body. Filter wraps request R to provide R', over-riding getInputStream() to provide the cached body. Filter passes R' to the application. Application calls R'.getParameter() R'.getParameter() calls R.getParameter() Keep in mind at this point R has zero knowledge of R'. R calls getInputStream() to read request body but that InputStream has already been read. The problem is the wrapper, R'. Over-riding getInputStream() is not enough. It needs to over-ride every method that may access that InputStream. Which is non-trivial because it means re-implementing a lot of functionality the container would normally provide for you out of the box. Overwriting getInputStream to return a cached version doesn't work anymore Nope. That never worked. See my explanation above. since the parameter attribute isn't populated by using getInputStream. How exactly it is populated remains a mystery to me. Any advice on how to solve this properly? Write a better wrapper. Performing an integrity check without getInputStream or getReader but with getParameters, will not work if the data submitted is not in the expected format. See above. Mark To emphasize a point made by Mark above : a POST body can potentially contain one or more elements. So imagine a POST which contains a 50 MB uploaded file. 
You'd need to read it once (for your Valve) and cache it, then re-read the cached version to parse it for parameters. That would have a serious impact on performance. (That's what Mark means by "streaming.."). And because it is a Valve, it would run before the request has been mapped to any application, so the hit would be for all applications in the server. (Of course, in some authentication scenarios, this already happens behind the scenes. But you can avoid it by designing the application accordingly. See : https://tomcat.apache.org/tomcat-8.0-doc/config/http.html --> Common Attributes --> maxSavePostSize)
Re: ServletRequest.getInputStream, getReader, getParameter.
On 23.11.2015 16:31, Mark Thomas wrote: On 23/11/2015 14:30, Roel Storms wrote: Hello, I am working on a Valve that does some integrity checking on HTTP requests (the details aren't important) where I need this valve to have access to the HTTP request body as well. I used request.getInputStream to fetch the data. However when a web application makes use of my valve, the getParameter method does not return the parameters submitted via POST anymore. This is documented behavior according to the spec of ServletRequest ( https://tomcat.apache.org/tomcat-8.0-doc/servletapi/javax/servlet/ServletRequest.html#getInputStream() ). I was wondering why it was designed this way, Given the potential size of a request body, streaming is the only viable option. since numerous complaints have arisen from this behavior and some ugly workarounds have been devised which unfortunately stop working from Tomcat 7 (servlet 3.0): https://stackoverflow.com/questions/10210645/http-servlet-request-lose-params-from-post-body-after-read-it-once This shows how easily code like this could break. What that shows is the folks haven't thought through what they are trying to do. Consider the following: Tomcat provides request R. Filter reads request body using R.getInputStream(). Filter caches request body. Filter wraps request R to provide R', over-riding getInputStream() to provide the cached body. Filter passes R' to the application. Application calls R'.getParameter() R'.getParameter() calls R.getParameter() Keep in mind at this point R has zero knowledge of R'. R calls getInputStream() to read request body but that InputStream has already been read. The problem is the wrapper, R'. Over-riding getInputStream() is not enough. It needs to over-ride every method that may access that InputStream. Which is non-trivial because it means re-implementing a lot of functionality the container would normally provide for you out of the box. 
Overwriting getInputStream to return a cached version doesn't work anymore Nope. That never worked. See my explanation above. since the parameter attribute isn't populated by using getInputStream. How exactly it is populated remains a mystery to me. Any advice on how to solve this properly? Write a better wrapper. Performing an integrity check without getInputStream or getReader but with getParameters, will not work if the data submitted is not in the expected format. See above. Mark To emphasize a point made by Mark above : a POST body can potentially contain one or more elements. So imagine a POST which contains a 50 MB uploaded file. You'd need to read it once (for your Valve) and cache it, then re-read the cached version to parse it for parameters. That would have a serious impact on performance. (That's what Mark means by "streaming.."). And because it is a Valve, it would run before the request has been mapped to any application, so the hit would be for all applications in the server. (Of course, in some authentication scenarios, this already happens behind the scenes. But you can avoid it by designing the application accordingly. See : https://tomcat.apache.org/tomcat-8.0-doc/config/http.html --> Common Attributes --> maxSavePostSize)
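Mark's point in this thread, that the wrapper R' has to answer every body-dependent call itself rather than only getInputStream(), shown as an added example (not code from the thread or from Tomcat). It assumes the Servlet 3.1 `javax.servlet` API of Tomcat 8.0 and use from a filter, handles only `application/x-www-form-urlencoded` bodies (multipart and `getParts()` are not covered), and the class name and 64 KB cap are hypothetical.

```java
import java.io.*;
import java.net.URLDecoder;
import java.util.*;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Added example of R': caches the body and answers every body-dependent call itself. */
public class CachedBodyRequest extends HttpServletRequestWrapper {
    private static final int MAX_BODY = 64 * 1024;   // assumed cap: reject big bodies, never buffer them
    private final byte[] body;
    private final String charset;
    private final Map<String, String[]> params = new LinkedHashMap<>();

    public CachedBodyRequest(HttpServletRequest r) throws IOException {
        super(r);
        charset = r.getCharacterEncoding() != null ? r.getCharacterEncoding() : "UTF-8";
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        InputStream in = r.getInputStream();          // the one and only read of R's stream
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) != -1; ) {
            if (buf.size() + n > MAX_BODY) throw new IOException("request body over " + MAX_BODY + " bytes");
            buf.write(chunk, 0, n);
        }
        body = buf.toByteArray();
        parse(r.getQueryString());                    // query-string values come before body values
        String type = r.getContentType();
        if (type != null && type.toLowerCase(Locale.ROOT).startsWith("application/x-www-form-urlencoded")) {
            parse(new String(body, "ISO-8859-1"));    // percent-encoded form data is plain ASCII
        }
    }

    private void parse(String encoded) throws IOException {
        if (encoded == null) return;
        for (String pair : encoded.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            try {
                String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), charset);
                String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), charset);
                String[] old = params.get(name);
                String[] all = old == null ? new String[1] : Arrays.copyOf(old, old.length + 1);
                all[all.length - 1] = value;
                params.put(name, all);
            } catch (IllegalArgumentException e) {    // malformed %xx: fail closed
                throw new IOException("malformed percent-encoding", e);
            }
        }
    }

    @Override public ServletInputStream getInputStream() {
        final ByteArrayInputStream src = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override public int read() { return src.read(); }
            @Override public boolean isFinished() { return src.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener l) { throw new UnsupportedOperationException(); }
        };
    }
    @Override public BufferedReader getReader() throws IOException {
        return new BufferedReader(new InputStreamReader(new ByteArrayInputStream(body), charset));
    }
    @Override public String getParameter(String n) { String[] v = params.get(n); return v == null ? null : v[0]; }
    @Override public String[] getParameterValues(String n) { String[] v = params.get(n); return v == null ? null : v.clone(); }
    @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(params); }
    @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
    public byte[] getCachedBody() { return body.clone(); }
}
```

A filter would construct the wrapper once, run its integrity check on `getCachedBody()`, and pass the wrapper down the chain. Nothing may call `getParameter()` on the original request beforehand, or the container will already have consumed the stream.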