Re: Tomcat 6 - How to make an application available at www.mydomain.com
Hi,

the best way is to deploy your application to run inside tomcat without a context path - e.g. to be available at http://localhost:8080/ instead of http://localhost:8080/myApplication - and use your apache reverse proxying / virtual host as it is. Trying to strip the application context in the virtual host configuration has, in my experience, sometimes been troublesome, and now I always try to avoid it.

What do you mean exactly by "without deploying it as ROOT.war"? You can set the context path of your Tomcat deployed applications to whatever you want - the context path doesn't have to be the same as the .war archive name. Just stop using deployment through the webapps directory and start using context files inside the tomcat-x.x.x/conf directory to define your applications (all explained here: http://tomcat.apache.org/tomcat-6.0-doc/config/context.html ), for example:

1. Make a file called ${catalina.base}/conf/Catalina/localhost.ROOT.xml that contains:

    <?xml version='1.0' encoding='utf-8'?>
    <Context docBase="${catalina.base}/war/myApplication.war" path="">
      <Manager pathname="" />
    </Context>

2. Copy your myApplication.war to ${catalina.base}/war - or some other directory if you want to arrange things differently.

3. Remove myApplication.war from ${catalina.base}/webapps

Where ${catalina.base} is your current tomcat installation (or base instance) where you are currently deploying your app.

On 1/29/12, Thomas Rohde t...@ordix.de wrote:
> > I'm running tomcat 6 behind apache. I currently have an application deployed as myApplication and it is available at http://www.mydomain.com/myApplication.
> >
> > How can I make this application available at http://www.mydomain.com without deploying it as ROOT.war?
> >
> > My server is running Ubuntu 10.04.
> >
> > Thanks!
> > Dean Del Ponte
>
> You could use a rewrite rule to achieve that:
>
>     RewriteEngine On
>     RewriteRule ^/$ /myApplication/ [PT]
>     JkMount /myApplication* tomcat
>
> Works for me very well.
>
> Thomas

--
Why? Because YES!
Re: Tomcat 6 - How to make an application available at www.mydomain.com
Just a small correction:

1. Make a file called ${catalina.base}/conf/Catalina/localhost/ROOT.xml that contains:

instead of

1. Make a file called ${catalina.base}/conf/Catalina/localhost.ROOT.xml that contains:

--
Why? Because YES!
Re: Simple Tomcat monitoring ?
I'm gonna try to make a guess here :)

>     top - 08:20:02 up 72 days, 9:39, 4 users, load average: 6.83, 5.63, 3.16
>     Tasks: 265 total, 1 running, 264 sleeping, 0 stopped, 0 zombie
>     Cpu(s): 0.2%us, 0.1%sy, 0.0%ni, 99.2%id, 0.5%wa, 0.0%hi, 0.0%si, 0.0%st
>     Mem: 12328624k total, 11382976k used, 945648k free, 123400k buffers
>     Swap: 4882424k total, 860k used, 4881564k free, 7565012k cached

- somewhat large load average (6.83)
- but no io waiting (0.5%wa),
- app is heavily used - tomcat requests take long time (sometimes takes few seconds to produce the answer).

Could it be a lack of threads at apache or tomcat?

On Tue, Apr 12, 2011 at 12:20 PM, André Warnier a...@ice-sa.com wrote:
> Hi.
>
> I have a Linux application server running Apache + mod_jk + tomcat 5.5 (I know that it is relatively old; and to compound the heresy, it is installed from a Debian package). The hardware is quite OK (quad-core fast CPU, 12 GB RAM).
>
> Apache is serving most of the static content, and passing some requests to Tomcat via AJP. Tomcat runs basically a single application, but this webapp, although itself quite small, can be heavily used : it is an interface to a text retrieval system (a kind of database specialised for textual data), and some of the searches made by users can take several seconds to come back with results, which may themselves be several pages of data.
>
> I can access the host remotely via SSH and via HTTP, and have full control of it. But it is a productive customer server, so there are limits to what I can do.
>
> I am having performance issues with that system : users at times complain that they cannot access the application, and I see things like this in a top display :
>
>     top - 08:20:02 up 72 days, 9:39, 4 users, load average: 6.83, 5.63, 3.16
>     Tasks: 265 total, 1 running, 264 sleeping, 0 stopped, 0 zombie
>     Cpu(s): 0.2%us, 0.1%sy, 0.0%ni, 99.2%id, 0.5%wa, 0.0%hi, 0.0%si, 0.0%st
>     Mem: 12328624k total, 11382976k used, 945648k free, 123400k buffers
>     Swap: 4882424k total, 860k used, 4881564k free, 7565012k cached
>
>      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>     2023 tomcat55  20   0  627m 184m 9344 S  333  1.5  32:00.47 jsvc
>     5396 root      20   0  832m 610m 9224 S  100  5.1  12:32.43 java
>        1 root      20   0 10316  760  624 S    0  0.0   0:33.14 init
>
> (where I presume that if tomcat is showing 333% CPU usage, it is because it is running on multiple cores; the second task visible above is the interface to the search engine).
>
> Anyway, my question is : Considering all the above, which would be the easiest/quickest way of starting to figure out what this tomcat is doing, and where the system/application bottleneck might be ?
>
> My preference would be in an easy tool to install and run, to first get a rough idea, and then maybe select more specific tools to examine one or the other area more in-depth. Or maybe I can just first add some command-line switches to the JVM running tomcat, to give me more information in the logs ?
>
> (My workstation is Windows XP, and I can install anything I want on it.)
>
> Additional details :
>
> Platform : (Linux 64-bit)
>
>     # uname -a
>     Linux vogon2 2.6.26-2-amd64 #1 SMP Thu Nov 25 04:30:55 UTC 2010 x86_64 GNU/Linux
>
> Tomcat and Java :
>
>     Using CATALINA_BASE: /usr/share/tomcat5.5
>     Using CATALINA_HOME: /usr/share/tomcat5.5
>     Using CATALINA_TMPDIR: /usr/share/tomcat5.5/temp
>     Using JRE_HOME: /usr/lib/jvm/java-6-sun
>     Server version: Apache Tomcat/5.5
>     Server built: Oct 15 2008 12:57:44
>     Server number: 5.5.26.0
>     OS Name: Linux
>     OS Version: 2.6.26-2-amd64
>     Architecture: amd64
>     JVM Version: 1.6.0_22-b04
>     JVM Vendor: Sun Microsystems Inc.
>     vogon2:/usr/share/tomcat5.5/bin#
>
> Tomcat is started as :
>
>     tomcat55 2023 2021 6 Apr11 ? 00:31:58 /usr/bin/jsvc -user tomcat55
>       -cp /usr/share/java/commons-daemon.jar:/usr/share/tomcat5.5/bin/bootstrap.jar
>       -outfile SYSLOG -errfile SYSLOG -pidfile /var/run/tomcat5.5.pid
>       -Djava.awt.headless=true -Xms128M -Xmx128M
>       -Djava.endorsed.dirs=/usr/share/tomcat5.5/common/endorsed
>       -Dcatalina.base=/var/lib/tomcat5.5 -Dcatalina.home=/usr/share/tomcat5.5
>       -Djava.io.tmpdir=/var/lib/tomcat5.5/temp
>       -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>       -Djava.util.logging.config.file=/var/lib/tomcat5.5/conf/logging.properties
>       org.apache.catalina.startup.Bootstrap
>
> (which I don't think is a lot of heap space, which may be a problem here. But before I change it, I'd like to know why I change it; the server.xml settings are pretty much the standard issue, all defaults for threads etc..).
>
> Apache and mod_jk :
>
>     Apache/2.2.9 (Debian) DAV/2 mod_jk/1.2.26 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 configured
>
> Thanks in advance for any recommendation
Re: Simple Tomcat monitoring ?
You could check if apache threads are the problem by using something like:

    ps -feH | grep httpd | wc

(or something else instead of httpd to hit only apache processes)

If the line number gets close to 150 (Apache (prefork) MaxClients) then that is the problem.

On Tue, Apr 12, 2011 at 2:18 PM, André Warnier a...@ice-sa.com wrote:
> Borut Hadžialić wrote:
> > I'm gonna try to make a guess here :)
> >
> > >     top - 08:20:02 up 72 days, 9:39, 4 users, load average: 6.83, 5.63, 3.16
> > >     Tasks: 265 total, 1 running, 264 sleeping, 0 stopped, 0 zombie
> > >     Cpu(s): 0.2%us, 0.1%sy, 0.0%ni, 99.2%id, 0.5%wa, 0.0%hi, 0.0%si, 0.0%st
> > >     Mem: 12328624k total, 11382976k used, 945648k free, 123400k buffers
> > >     Swap: 4882424k total, 860k used, 4881564k free, 7565012k cached
> >
> > - somewhat large load average (6.83)
> > - but no io waiting (0.5%wa),
> > - app is heavily used - tomcat requests take long time (sometimes takes few seconds to produce the answer).
> >
> > Could it be a lack of threads at apache or tomcat?
>
> Spot on for the observation. That is one of the things that puzzle me : overall CPU usage is very low, and there is no i/o wait. Yet the load average is high (which should mean that a number of processes are constantly waiting for something), and Tomcat is using 333% of CPU time (which may be very little time in an absolute sense, but is puzzling anyway). And the clients are waiting. So where are the time/resources being spent ?
>
> About threads :
> - Apache (prefork) MaxClients is set to 150
> - Tomcat AJP Connector does not specify any thread parameters, so defaults apply, which should be :
>     maxThreads : 200
>     maxSpareThreads : 50
>     minSpareThreads : 4
>
> Considering that Apache handles most requests for static contents, I think that the numbers should be about right. But not having so far done any real monitoring, that may be wrong. Which is one of the things I'd like to check.
>
> I think I'll start by making the Tomcat AJP Connector parameters explicit, and raise the minSpareThreads a bit. And also its Heap size.
>
> But I don't like to start changing things left and right, without knowing exactly why I'm doing it. Is there for example any parameter or command-line switch that I can use for the JVM or Tomcat, which would tell me a bit more (in the logs) about when Tomcat is starting a new thread, how many are alive on average etc.. ?

--
Why? Because YES!
Re: Windows Authentication: Issue 49318 vs 47679
Would adding support for client credential delegation be out of scope for this implementation or not?

Client credential delegation is when you use the spnego token to construct a javax.security.auth.Subject instance that represents the client - which the server side application can use to impersonate the client (e.g. connect to some Kerberized database as the client that sent the request, or consume some other kerberized service as the client).

The code for creating such a Subject would be something like this:

    GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
    context.acceptSecContext(...);
    //check if the credentials can be delegated
    if (!context.getCredDelegState()) {
        //get the delegated credentials from the calling peer...
        GSSCredential clientCred = context.getDelegCred();
        //Create a Subject out of the delegated credentials.
        //With this Subject the application server can impersonate the client that sent the request.
        Subject clientSubject = com.sun.security.jgss.GSSUtil.createSubject(context.getSrcName(), clientCred);
    }
    //Store the clientSubject somewhere - maybe to the HttpServletRequest?

I am sure this would be useful for some applications - for example the one that we are currently developing needs functionality like this.

On Tue, Mar 29, 2011 at 9:09 PM, Mark Thomas ma...@apache.org wrote:
> On 29/03/2011 15:20, Mark Thomas wrote:
> > On 28/03/2011 22:31, Stefan Mayr wrote:
> > > Native SPNEGO in Tomcat sounds great. Waiting a little while depends on your scale of "little". Is there already some development we can follow? Will this use Java GSS? I never figured out how to configure this with Tomcat.
> >
> > "little" hopefully means the next week or so in a 7.0.12 release. I have a handful of things I need/want to get into 7.0.12 and SPNEGO is one of them.
> >
> > Having spent more time than I want to think about and having lost count of the number of times I re-installed Windows 2k8 server to test this, I finally got this working a few minutes ago. The current code is *very* rough and ready and it only does authentication, not authorisation so I still have some work to do.
> >
> > The solution is based on ideas from Spring Security's Kerberos extension and the most recent patches attached to bug 48685.
> >
> > I'll be committing an initial implementation once I have cleaned up the code a bit and then I'll build on that to add authorisation, more configuration etc.
>
> The first part just got committed [1]. More to follow over the next day or so.
>
> Mark
>
> [1] http://svn.apache.org/viewvc?rev=1086683&view=rev

--
Why? Because YES!
Re: Windows Authentication: Issue 49318 vs 47679
Whoops, I reversed the condition of the if statement, it should be:

    //check if the credentials can be delegated
    if (context.getCredDelegState()) {
        ...
    }

--
Why? Because YES!
Re: Windows Authentication: Issue 49318 vs 47679
On Tue, Mar 29, 2011 at 9:57 PM, Mark Thomas ma...@apache.org wrote:
> It is in scope with the caveat - as always - that it depends on what the final implementation looks like. I do know (from debug logging) that right now tokens do not allow delegation. I suspect the hardest part of implementing this will be figuring out what config needs tweaking to allow that.

I think that credential delegation is configured at the domain controller and client side, as this nice article describes: http://spnego.sourceforge.net/credential_delegation.html

> > I am sure this would be useful for some applications - for example the one that we are currently developing needs functionality like this.
>
> Testing help always appreciated if you are happy running the latest 7.0.x release (this should be in 7.0.12 which I plan to start releasing just as soon as I finish everything on my todo list).

We already have some hand written custom code for this. We will not be switching to 7.0.x (we will be deploying to tcServer in production, and it will probably take lots of time for 7.0.12 changes to appear in some version of tcServer, so we need the custom code we have at the moment).

I might however try to deploy our app to 7.0.12 when it is out - and see how much of our custom code will get removed by this spnego support that you are writing now.

--
Why? Because YES!
Re: Windows Authentication: Issue 49318 vs 47679
Hello Stefan,

if you can't fix your problem with configuration and decide that you want to solve the problem by programming, then this might help you: http://blog.springsource.com/2009/09/28/spring-security-kerberos/

After understanding that article a developer should be able to add a SPNEGO implementation (probably not the whole protocol, just as much as is needed for your app) to your Tomcat application by adding some filters.

What the implementation needs to do is basically:

1. If there is a 'Negotiate ..' http header or other authentication, read it and process it.

2. Otherwise if there is no authentication, send a spnego challenge

    //HttpServletResponse response
    response.addHeader("WWW-Authenticate", "Negotiate");
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.flushBuffer();

On Sun, Mar 27, 2011 at 8:26 PM, Stefan Mayr ste...@mayr-stefan.de wrote:
> Hello everybody,
>
> as many others before we wanted to do single-sign-on for intranet web applications using integrated windows authentication (negotiate because IE sometimes tries NTLM instead of using plain kerberos - breaking all our kerberos-only experiments).
>
> We thought that IIS would be the best choice for integrated windows authentication and we could pass the user via AJP (using mod_jk) to our tomcat instances.
>
> Our setup:
> - Windows 2008 R2 using IIS 7.5 (64bit)
> - mod_jk 1.2.31
> - Oracle Java 1.6 U24
> - Tomcat 6.0.32
>
> At first glance using tomcatAuthentication=false worked as expected. We got the remote user and started deploying an application. End of happiness - the application complained about a missing user-agent. That header was not passed to tomcat when authentication was enabled on IIS.
>
> Some research revealed Bug 47679 - Not all headers get passed to Tomcat server from isapi_redirect.dll (https://issues.apache.org/bugzilla/show_bug.cgi?id=47679)
>
> Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) authenticator / integrate Waffle (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318). The last comment links a new Windows Authentication How-To from Mark Thomas.
>
> Looks like we have already tried almost all proposed solutions:
> - IIS + mod_jk: tried but stuck in Bug 47679. Also tried ARR to pass the user name as a request header from IIS to Tomcat without success
> - Apache mod_ntlm: used it and we replaced it by the much more stable mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
> - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit platform - we couldn't get stability problems solved on Apache 2.2 and 64bit Linux. No ongoing development.
> - Apache mod_auth_sspi: till now in internal use for a very small project (works just fine), not sure about the future. Although there seems to be some new activity on 1.0.5 beta
> - Waffle: found it on Thursday and it is on our todo-list for testing it next week
>
> Any chances to get Bug 47679 solved? How can we help (we are admins, no devs)?
>
> What solutions have you deployed? Recommendations?
>
> Thank you,
>
> Stefan Mayr

--
Why? Because YES!
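The two steps listed in the message above, combined with the delegated-credential check from the earlier message in this thread (with its corrected `if (context.getCredDelegState())` condition), as an added example that is not code from the thread, from Tomcat or from Spring Security. The class name, the JAAS entry name `spnego-server` and the request attribute names are hypothetical; it assumes Java 8+, the Servlet 3.0 `javax.servlet` API and a JAAS Krb5LoginModule entry for the service keytab.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.*;
import com.sun.security.jgss.GSSUtil;

public class SpnegoDelegationFilter implements Filter {
    static final String JAAS_ENTRY = "spnego-server"; // hypothetical names, chosen for this example
    static final String CLIENT_NAME_ATTR = "example.spnego.clientName";
    static final String CLIENT_SUBJECT_ATTR = "example.spnego.clientSubject";
    private static final String SCHEME = "Negotiate";
    private Subject serviceSubject;

    @Override
    public void init(FilterConfig config) throws ServletException {
        try {
            // Assumption: JAAS_ENTRY is a Krb5LoginModule entry (useKeyTab, storeKey, isInitiator=false).
            LoginContext login = new LoginContext(JAAS_ENTRY);
            login.login();
            serviceSubject = login.getSubject();
        } catch (LoginException e) {
            throw new ServletException("Kerberos service login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        final byte[] token = tokenFrom(request.getHeader("Authorization"));
        boolean established = false;
        if (token != null) {
            try {
                // Step 1: process the Negotiate token with the service's own Kerberos keys.
                established = Subject.doAs(serviceSubject,
                        (PrivilegedExceptionAction<Boolean>) () -> accept(token, request, response));
            } catch (PrivilegedActionException e) {
                // Invalid or non-Kerberos (e.g. NTLM) token: fail closed, detail stays in the log.
                request.getServletContext().log("SPNEGO token rejected", e.getException());
            }
        }
        if (!established) {
            // Step 2: no valid authentication. Challenge, unless accept() set a continuation token.
            if (!response.containsHeader("WWW-Authenticate")) {
                response.addHeader("WWW-Authenticate", SCHEME);
            }
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.flushBuffer();
            return;
        }
        chain.doFilter(request, response);
    }

    private static boolean accept(byte[] token, HttpServletRequest request,
            HttpServletResponse response) throws GSSException {
        GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
        try {
            byte[] reply = context.acceptSecContext(token, 0, token.length);
            if (reply != null && reply.length > 0) {
                response.setHeader("WWW-Authenticate",
                        SCHEME + " " + Base64.getEncoder().encodeToString(reply));
            }
            if (!context.isEstablished()) {
                return false; // multi-leg negotiation is not carried across requests here
            }
            request.setAttribute(CLIENT_NAME_ATTR, context.getSrcName().toString());
            // Corrected condition from the thread: read delegated credentials only if present.
            if (context.getCredDelegState()) {
                GSSCredential clientCred = context.getDelegCred();
                // Request scope only: the Subject carries the client's forwarded ticket, keep it out of the session.
                request.setAttribute(CLIENT_SUBJECT_ATTR,
                        GSSUtil.createSubject(context.getSrcName(), clientCred));
            }
            return true;
        } finally {
            context.dispose();
        }
    }

    static byte[] tokenFrom(String header) {
        if (header == null || !header.regionMatches(true, 0, SCHEME + " ", 0, SCHEME.length() + 1)) {
            return null;
        }
        try {
            return Base64.getDecoder().decode(header.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated as "no authentication"
        }
    }

    @Override
    public void destroy() { }
}
```

Downstream code would read the Subject from the request attribute and run its outbound Kerberos call inside `Subject.doAs(clientSubject, ...)`; when the attribute is absent the client did not delegate and the call should be refused rather than made as the service account.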
Re: Tomcat 5.5.30 and Spring Framework
> The docBase for my app is /usr/local/jsp/
> I've placed my spring test JSP in /usr/local/jsp/testSpring/testSpring.jsp

You probably want your app's docBase to be something like /usr/local/myapp, and then have your JSPs in a directory /usr/local/myapp/WEB-INF/jsp/ - e.g. /usr/local/myapp/WEB-INF/jsp/testSpring/testSpring.jsp

On Sat, Mar 12, 2011 at 5:42 AM, Aureliusz R. aremp...@gmail.com wrote:
> Borut,
>
> thanks again. You were correct, it was lazy initialization. Pretty much at this point I got the spring part working. I've encountered yet another issue with mapping requests from apache2 web server to tomcat. It seems to have something to do with SSL, as I don't have this issue for http. The situation looks as follows:
>
> apache2/httpd.conf has the following mod_jk mappings:
>
>     JkMount /servlet/* worker1
>     JkMount /*.jsp worker1
>     JkMount /jsp/* worker1
>
> When I invoke this JSP directly through tomcat, or through apache httpd server but over http, it works fine:
>
>     http://server.domain.com:8080/jsp/testSpring/testSpring.htm
>     http://server.domain.com/jsp/testSpring/testSpring.htm
>
> When I invoke this JSP through apache httpd over https, it's actually looking for the static htm file. It doesn't go through tomcat at all.
>
>     https://server.domain.com/jsp/testSpring/testSpring.htm
>
>     Not Found
>     The requested URL /jsp/testSpring/testSpring.htm was not found on this server.
>
> Would you be able to point me in the right direction? I searched through some of the ssl config files, but I didn't find anything that would prevent /jsp/**/*.htm requests from being sent to tomcat.
>
> Thanks,
> aurir_
Re: Tomcat 5.5.30 and Spring Framework
Do not put anything in $TOMCAT_HOME/conf/web.xml - leave that file as it is when you unpack a fresh Tomcat distribution.

Why is the servlet not being loaded? - not 100% sure about this, but I would first check if it is maybe being lazy loaded/initialized. After your tomcat starts up, try to browse http://localhost:8080/test.htm - that http request will be mapped to your spring servlet, and it will trigger the initialization of your spring servlet (if that was the problem in the first place, but I think it is).

The exception you were getting meant that your DispatcherServlet couldn't find and load its configuration file at startup. A DispatcherServlet's configuration file is by default '/WEB-INF/<servlet-name>-servlet.xml'. <servlet-name> is 'spring' in your case - that is how you named it inside web.xml:

    <servlet>
      <servlet-name>spring</servlet-name>
    </servlet>

So your DispatcherServlet instance that you named 'spring' tried to load the file /WEB-INF/spring-servlet.xml, which wasn't there and you got the exception:

    java.io.FileNotFoundException: Could not open ServletContext resource [/WEB-INF/spring-servlet.xml]

Make sure you have the 'spring' DispatcherServlet's configuration in a file /WEB-INF/spring-servlet.xml, or use some other file with configuration like this:

    <servlet>
      <servlet-name>spring</servlet-name>
      <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
      <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/foo/bar-servlet.xml</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>

On Fri, Mar 11, 2011 at 4:08 PM, Aureliusz R. aremp...@gmail.com wrote:
> Borut,
>
> your instructions were spot on. I was able to track down my docBase folder (it was specified in $TOMCAT_HOME/conf/servlet.xml context), and I verified that it's the correct location by adding some context parameters to the web.xml in my docBase, and then retrieving them from a JSP.
>
> Now I have another problem though. For some reason, my DispatcherServlet (for the spring framework) is not being loaded at all. I tried placing the piece of XML below in the $TOMCAT_HOME/conf/web.xml and my docBase/WEB-INF/web.xml. I also specified invalid fully qualified name for my DispatcherServlet to get some kind of exception, but I don't get anything. Is there anything that would prevent this servlet from being loaded?
>
>     <servlet-mapping>
>       <servlet-name>spring</servlet-name>
>       <url-pattern>*.htm</url-pattern>
>     </servlet-mapping>
>
> It's ridiculous because some time ago when I placed it in $TOMCAT_HOME/conf/web.xml I was getting the exception below, and that's the reason why I wanted to know where my docBase is in the first place. Now that I know where it is, the DispatcherServlet doesn't seem to be loaded at all. Is there anything that would prevent this servlet from being loaded?
>
>     org.springframework.beans.factory.BeanDefinitionStoreException: IOException parsing XML document from ServletContext resource [/WEB-INF/spring-servlet.xml]; nested exception is java.io.FileNotFoundException: Could not open ServletContext resource [/WEB-INF/spring-servlet.xml]
>
> Thanks,
> Aurir_
Re: Tomcat 5.5.30 and Spring Framework
The piece of xml you posted looks like something from $TOMCAT_HOME/conf/web.xml file. This file contains some default configuration that is applied to all web applications and you usually don't change it. What you need to find is the /WEB-INF directory of your web application. /WEB-INF directory resides in the root directory of your web application. This directory is also called Context Root / Document Base - it's the directory that contains all files of your app. You usually put spring config files in the /WEB-INF directory of your web application. It doesn't matter where individual applications are on the disk (where their Context Root / Document Base directories are). Applications can be in $TOMCAT_HOME/webapps, or in some other directories anywhere on the filesystem.

To figure out where your application's Context Root / Document Base is you can do this:

1. use find to search for WEB-INF directories on your filesystem
2. find your Tomcat's instance conf directory ($TOMCAT_HOME/conf) and go through the config files there: first look at server.xml - look for Host elements and see if it has an appBase attribute defined. Then check if the Host element has any Context child elements. If it does, their docBase attribute points to document base of an application. If you don't find it there, look for subdirectories in conf directory - for example there might be subdirectories Catalina/localhost that contain individual application xml config files. Those files also contain Context elements - look for their docBase attribute.

On Tue, Mar 8, 2011 at 4:47 AM, Aureliusz R. aremp...@gmail.com wrote:

I know this is not a typical tomcat question but please bear with me. All Spring integrations call for placing configuration xmls in /WEB-INF/ of an application. The tomcat that I'm forced to work with has a weird configuration where there are no applications under $TOMCAT_HOME/webapps folder. There is one folder where all of the servlets go, and the invoker servlet is mapped to it:

<servlet-mapping>
  <servlet-name>invoker</servlet-name>
  <url-pattern>/servlets/*</url-pattern>
</servlet-mapping>

My question is, how do I know where the context (default context?) in such a situation is, so that I could place my spring configuration files in there? Is spring usage even possible with such configuration?

Thanks
Aurir_

-- Why? Because YES!
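Step 2 of the procedure in the reply above can be scripted. The following is an added example, not code from the thread or from the Tomcat project: it reads server.xml and the per-application files under conf/<Engine>/<Host>/ and reports each context's docBase and whether a WEB-INF directory exists there. The sample layout built by `build_sample` is constructed, and only `${catalina.base}` is expanded.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def resolve(value, relative_to, catalina_base):
    """Expand ${catalina.base}; resolve a relative path against relative_to."""
    value = value.replace("${catalina.base}", catalina_base)
    if not os.path.isabs(value):
        value = os.path.join(relative_to, value)
    return os.path.normpath(value)


def path_from_filename(fname):
    """Tomcat's naming rule: ROOT.xml -> "", shop.xml -> /shop, a#b.xml -> /a/b."""
    stem = fname[:-len(".xml")]
    return "" if stem == "ROOT" else "/" + stem.replace("#", "/")


def describe(host, path, doc_base, source):
    web_inf = os.path.join(doc_base, "WEB-INF")
    # For a .war docBase, WEB-INF is inside the archive, so web_inf is None.
    return {"host": host, "path": path, "docBase": doc_base, "source": source,
            "web_inf": web_inf if os.path.isdir(web_inf) else None}


def find_doc_bases(catalina_base):
    """List every Context declared under conf/, with its resolved docBase."""
    conf = os.path.join(catalina_base, "conf")
    rows = []
    server = ET.parse(os.path.join(conf, "server.xml")).getroot()
    for engine in server.iter("Engine"):
        engine_name = engine.get("name", "Catalina")
        for host in engine.findall("Host"):
            name = host.get("name", "localhost")
            # A relative appBase is resolved against CATALINA_BASE.
            app_base = resolve(host.get("appBase", "webapps"),
                               catalina_base, catalina_base)
            # Context children of the Host element in server.xml.
            for ctx in host.findall("Context"):
                if ctx.get("docBase") is None:
                    continue
                rows.append(describe(
                    name, ctx.get("path", ""),
                    resolve(ctx.get("docBase"), app_base, catalina_base),
                    "server.xml"))
            # Per-application files, e.g. conf/Catalina/localhost/*.xml.
            ctx_dir = os.path.join(conf, engine_name, name)
            if not os.path.isdir(ctx_dir):
                continue
            for fname in sorted(os.listdir(ctx_dir)):
                if not fname.endswith(".xml"):
                    continue
                ctx = ET.parse(os.path.join(ctx_dir, fname)).getroot()
                if ctx.tag != "Context":
                    continue
                # Without docBase, the app is looked up by name under appBase.
                raw = ctx.get("docBase", fname[:-len(".xml")])
                rows.append(describe(
                    name, path_from_filename(fname),
                    resolve(raw, app_base, catalina_base),
                    os.path.join(engine_name, name, fname)))
    return rows


def build_sample(tmp):
    """Create a constructed Tomcat layout under tmp; return its CATALINA_BASE."""
    base = os.path.join(tmp, "tomcat")
    legacy = os.path.join(tmp, "apps", "legacy")
    ctx_dir = os.path.join(base, "conf", "Catalina", "localhost")
    os.makedirs(ctx_dir)
    os.makedirs(os.path.join(legacy, "WEB-INF"))
    os.makedirs(os.path.join(base, "webapps", "reports", "WEB-INF"))
    with open(os.path.join(base, "conf", "server.xml"), "w") as f:
        f.write('<Server><Service name="Catalina">'
                '<Engine name="Catalina" defaultHost="localhost">'
                '<Host name="localhost" appBase="webapps">'
                '<Context path="/servlets" docBase="%s"/>'
                '</Host></Engine></Service></Server>' % legacy)
    with open(os.path.join(ctx_dir, "ROOT.xml"), "w") as f:
        f.write('<Context docBase="${catalina.base}/war/myApplication.war"/>')
    with open(os.path.join(ctx_dir, "reports.xml"), "w") as f:
        f.write('<Context/>')
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in find_doc_bases(build_sample(tmp)):
            print(row)
```

Point it at a real CATALINA_BASE instead of the sample to see which directories Tomcat will actually serve, including ones outside webapps.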
Re: Is it possible to configure 2 SSL connectors on one Tomcat instance?
Hi Nikko, I assume that you really want 2 connectors with 2 different key stores, not 2 different trust stores. If you have 2 ip addresses then it's easy - define 2 connectors and use their address attribute to assign each connector one ip address. If you have only 1 ip address then you might have a problem. The problem with name based virtual hosts under https/ssl is that ssl handshake (which involves server sending a certificate for some domain) happens after tcp/ip connection is established - before the HOST part of the http request can be read. So if you would have 2 different https virtual domains on same ip:port, the server wouldn't know which certificate to send just after a tcp/ip connection was established, because it must decide what certificate to send based on information which is inside the HTTP request, which can be read only after establishing a ssl connection. This is a general problem, not just Tomcat specific.

Maybe if your domains are really similar to host1.myhost.com and host2.myhost.com you could use a wildcard certificate (*.myhost.com) or if you are using a self-signed certificate and want just https encryption and not server verification - then you could use 1 Tomcat connector.

And btw if you are defining a https connector in tomcat you are using a key store - a trust store is used when you verify client certificates when you set clientAuth=true which is rare.

On Tue, Mar 8, 2011 at 1:57 PM, Nikko Nikko nikk@gmail.com wrote:

Hi, Is it possible to define 2 SSL connectors for 2 different virtual domains? For example I want to define 2 virtual hosts: “host1.myhost.com” and “host2.myhost.com” and want to have different trust store for each of them. I want to run them in one and the same Tomcat instance. Best regards, Nikko.

-- Why? Because YES!
Re: Tomcat NTLM Authentication
Hi Hila, I have a similar requirement in my current project. End users (using browsers and java desktop apps) which work on windows workstations which are in a domain, must be able to log in the application without needing to type in username and password (using their windows credentials). Additionaly, the connection to the underlying database must also be done using those user credentials. My steps while implementing this were: 1. Implement authentication (browser-server, desktop app - server) which uses kerberos 2. Enable credential delegation so your app server can impersonate client when connecting to the database 3. Connect to the database as the client from within app server code/process (this is database-specific) This is how I solved it: I use SPNEGO for browser/webapp scenario authentication. These materials helped me come up with a working server side SPNEGO implementation: This is what I ended up using for reading a SPNEGO token: http://blog.springsource.com/2009/09/28/spring-security-kerberos/ Some general information about kerberos from msdn: http://msdn.microsoft.com/en-us/library/ms995329.aspx http://msdn.microsoft.com/en-us/library/ms995330.aspx Very nice articles about credentials delegation (you need that so your app server can impersonate clients when it connects to the database) http://s2.diffuse.it/blog/show/6602-SPNEGO_authentication_and_credential_delegation_with_Java http://spnego.sourceforge.net/credential_delegation.html I also had some java desktop apps which needed to authenticate in a similar way, which use Spring HttpInvoker as a remoting protocol, so I decided to make HttpInvoker pass some SPNEGO headers as well, and it seems to work: https://jira.springsource.org/browse/SES-11 We use Oracle as the database and some materials that were helpfull were these: Oracle Jdbc connection with kerberos http://download.oracle.com/docs/cd/E11882_01/java.112/e10589/clntsec.htm#insertedID7 
http://download.oracle.com/javase/6/docs/api/javax/security/auth/Subject.html Some general info on Oracle Advanced Security http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir001.htm#CHDDFFGG If you also use Oracle I can send you a complete code example for this - I have the whole thing working for simple tests..I should have a more complete implementation in few weeks. Cheers. 2011/3/7 הילה hilavalen...@gmail.com: Hey, The tomcat is running on windows server 2008 R2 STD I don't now if using windows authentication is less secure and affects all network's security, since this user have permissions only on the DB. you can't even perform login to servers with this user. anyway, I appreciate your comments and discussion of why it's less secure or not, but I need to perform this (task I've been given from guys in high above positions), so please help with what I'm trying to do :] If I can't use spnego and other stuff of the list i've found, what can I do? Thanks Hila 2011/3/6 André Warnier a...@ice-sa.com wrote: Hey, I want to change the way that tomcat authenticates to the DB of our application, from SQL authentication to Windows authentication. We use Tomcat 6.0.29 , and the user and password to connect to the DB is specified in clear text in the xml configuration file under the folder conf/catalina/localhost. My goal is to remove the user and password from the xml file, and letting the tomcat windows service run with a domain user that has permissions to the DB. when I searched for a solutions for what i'm trying to do, i got to this page- http://wiki.apache.org/tomcat/FAQ/Windows#Q4 Which suggest these methods: -Waffle/JNA -Tomcat SPNEGO -SPNEGO SF -Jespa (commercial) -Tomcat IIS Connector -Samba JCIFs (obsolete, no NTLMv2) Are one of these methods suit for what I'm trying to do? 
When reading about Tomcat SPNEGO, it says that users working on a windows client OS and IE or Firefox, can be silently authenticated (SSO) to a Tomcat running on a windows server via NTLM or kerberos. It doesn't seem to be what I aim for, since tomcat users are not interest me, only the tomcat windows service and how it connects to the DB Exactly. Now you have the issue correctly framed. And you are right above : all these methods indeed identify/authenticate the client of the Tomcat application to Tomcat, not Tomcat itself to something else. (**) The one thing missing in your description above, is that your Tomcat server is running on a Windows machine. And also that your back-end database system is able itself to perform user authentication either in clear-text (user-id + password), or via Windows NTLM authentication. (And, if the back-end database server is set to do NTLM authentication, then it can only do so for Domain user-id's; NTLM authentication will not work with a server-local user-id). So now you have to make one additional effort of thinking rationally, and answer the following fundamental question
Re: Tomcat NTLM Authentication
One of the links I sent you was broken, the right link is: Oracle Jdbc connection with kerberos http://download.oracle.com/docs/cd/B28359_01/java.111/b31224/clntsec.htm#CIHCIDHF Or just google for 'oracle jdbc kerberos' if they move the content again. On Mon, Mar 7, 2011 at 10:55 AM, Borut Hadžialić borut.hadzia...@gmail.com wrote: Hi Hila, I have a similar requirement in my current project. End users (using browsers and java desktop apps) which work on windows workstations which are in a domain, must be able to log in the application without needing to type in username and password (using their windows credentials). Additionaly, the connection to the underlying database must also be done using those user credentials. My steps while implementing this were: 1. Implement authentication (browser-server, desktop app - server) which uses kerberos 2. Enable credential delegation so your app server can impersonate client when connecting to the database 3. Connect to the database as the client from within app server code/process (this is database-specific) This is how I solved it: I use SPNEGO for browser/webapp scenario authentication. 
These materials helped me come up with a working server side SPNEGO implementation: This is what I ended up using for reading a SPNEGO token: http://blog.springsource.com/2009/09/28/spring-security-kerberos/ Some general information about kerberos from msdn: http://msdn.microsoft.com/en-us/library/ms995329.aspx http://msdn.microsoft.com/en-us/library/ms995330.aspx Very nice articles about credentials delegation (you need that so your app server can impersonate clients when it connects to the database) http://s2.diffuse.it/blog/show/6602-SPNEGO_authentication_and_credential_delegation_with_Java http://spnego.sourceforge.net/credential_delegation.html I also had some java desktop apps which needed to authenticate in a similar way, which use Spring HttpInvoker as a remoting protocol, so I decided to make HttpInvoker pass some SPNEGO headers as well, and it seems to work: https://jira.springsource.org/browse/SES-11 We use Oracle as the database and some materials that were helpfull were these: Oracle Jdbc connection with kerberos http://download.oracle.com/docs/cd/E11882_01/java.112/e10589/clntsec.htm#insertedID7 http://download.oracle.com/javase/6/docs/api/javax/security/auth/Subject.html Some general info on Oracle Advanced Security http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir001.htm#CHDDFFGG If you also use Oracle I can send you a complete code example for this - I have the whole thing working for simple tests..I should have a more complete implementation in few weeks. Cheers. 2011/3/7 הילה hilavalen...@gmail.com: Hey, The tomcat is running on windows server 2008 R2 STD I don't now if using windows authentication is less secure and affects all network's security, since this user have permissions only on the DB. you can't even perform login to servers with this user. 
anyway, I appreciate your comments and discussion of why it's less secure or not, but I need to perform this (task I've been given from guys in high above positions), so please help with what I'm trying to do :] If I can't use spnego and other stuff of the list i've found, what can I do? Thanks Hila 2011/3/6 André Warnier a...@ice-sa.com wrote: Hey, I want to change the way that tomcat authenticates to the DB of our application, from SQL authentication to Windows authentication. We use Tomcat 6.0.29 , and the user and password to connect to the DB is specified in clear text in the xml configuration file under the folder conf/catalina/localhost. My goal is to remove the user and password from the xml file, and letting the tomcat windows service run with a domain user that has permissions to the DB. when I searched for a solutions for what i'm trying to do, i got to this page- http://wiki.apache.org/tomcat/FAQ/Windows#Q4 Which suggest these methods: -Waffle/JNA -Tomcat SPNEGO -SPNEGO SF -Jespa (commercial) -Tomcat IIS Connector -Samba JCIFs (obsolete, no NTLMv2) Are one of these methods suit for what I'm trying to do? When reading about Tomcat SPNEGO, it says that users working on a windows client OS and IE or Firefox, can be silently authenticated (SSO) to a Tomcat running on a windows server via NTLM or kerberos. It doesn't seem to be what I aim for, since tomcat users are not interest me, only the tomcat windows service and how it connects to the DB Exactly. Now you have the issue correctly framed. And you are right above : all these methods indeed identify/authenticate the client of the Tomcat application to Tomcat, not Tomcat itself to something else. (**) The one thing missing in your description above, is that your Tomcat server is running on a Windows machine. And also that your back-end database system is able itself to perform user authentication
Re: Tomcat NTLM Authentication
Yes Andre you are right, I misunderstood the OP - Hila wants to access the database as a single domain user. How to implement this is probably database specific. For example Oracle jdbc driver requires you to either:

A) be running the process which makes the database connections as the domain user which can access the database.
B) somehow get an instance of javax.security.auth.Subject representing such a user, for example by using a kerberos keytab file.

There are code examples for A) (connectWithDefaultUser()) and B) (connectWithSpecificUser()) on the page I linked in the last mail. The problem after that is how to get connection pooling (you might need to implement your own). Hila, what database are you using?

On Mon, Mar 7, 2011 at 11:59 AM, André Warnier a...@ice-sa.com wrote:

Borut, thanks. I think that this is very helpful. It does not do what the OP wanted to do, but it does what he /should/ be doing (in my view).

הילה, if the users connect to Tomcat, and the connections to the database are all done under the Tomcat user-id, then basically you are putting all the users into one big pot, and the database does not know who is really connecting to it. That means that now any of the users can do in the database anything that this Tomcat user-id can do, and you can never find out afterwards who did it. And because this Tomcat user needs to be able to do in the database anything that any user could do, it needs to have very broad rights to the database (the sum of all the users' rights). In the scheme below, that is not true : each user connects to the database under his own user-id, so the database can decide who is allowed to do what, and can also keep track of who did what.

Borut Hadžialić wrote:

Hi Hila, I have a similar requirement in my current project.
End users (using browsers and java desktop apps) which work on windows workstations which are in a domain, must be able to log in the application without needing to type in username and password (using their windows credentials). Additionaly, the connection to the underlying database must also be done using those user credentials. My steps while implementing this were: 1. Implement authentication (browser-server, desktop app - server) which uses kerberos 2. Enable credential delegation so your app server can impersonate client when connecting to the database 3. Connect to the database as the client from within app server code/process (this is database-specific) This is how I solved it: I use SPNEGO for browser/webapp scenario authentication. These materials helped me come up with a working server side SPNEGO implementation: This is what I ended up using for reading a SPNEGO token: http://blog.springsource.com/2009/09/28/spring-security-kerberos/ Some general information about kerberos from msdn: http://msdn.microsoft.com/en-us/library/ms995329.aspx http://msdn.microsoft.com/en-us/library/ms995330.aspx Very nice articles about credentials delegation (you need that so your app server can impersonate clients when it connects to the database) http://s2.diffuse.it/blog/show/6602-SPNEGO_authentication_and_credential_delegation_with_Java http://spnego.sourceforge.net/credential_delegation.html I also had some java desktop apps which needed to authenticate in a similar way, which use Spring HttpInvoker as a remoting protocol, so I decided to make HttpInvoker pass some SPNEGO headers as well, and it seems to work: https://jira.springsource.org/browse/SES-11 We use Oracle as the database and some materials that were helpfull were these: Oracle Jdbc connection with kerberos http://download.oracle.com/docs/cd/E11882_01/java.112/e10589/clntsec.htm#insertedID7 http://download.oracle.com/javase/6/docs/api/javax/security/auth/Subject.html Some general info on Oracle Advanced 
Security http://download-west.oracle.com/docs/cd/B14099_19/idmanage.1012/b14085/odip_actdir001.htm#CHDDFFGG If you also use Oracle I can send you a complete code example for this - I have the whole thing working for simple tests..I should have a more complete implementation in few weeks. Cheers. 2011/3/7 הילה hilavalen...@gmail.com: Hey, The tomcat is running on windows server 2008 R2 STD I don't now if using windows authentication is less secure and affects all network's security, since this user have permissions only on the DB. you can't even perform login to servers with this user. anyway, I appreciate your comments and discussion of why it's less secure or not, but I need to perform this (task I've been given from guys in high above positions), so please help with what I'm trying to do :] If I can't use spnego and other stuff of the list i've found, what can I do? Thanks Hila 2011/3/6 André Warnier a...@ice-sa.com wrote: Hey, I want to change the way that tomcat authenticates to the DB of our application, from SQL authentication to Windows authentication. We use
Re: Can we use Tomcat web server?
Hi, what would stop you from using Tomcat to host your application in production? Apache Tomcat is licensed under Apache 2.0 license meaning you can (practically) do whatever you want with it. And it's being successfully used in production for many years in large number of installations. Take a look at this link for more information http://tomcat.apache.org/legal.html

On Tue, Oct 26, 2010 at 10:28 AM, Chandra Shekar Bairi chandra.ba...@gmail.com wrote:

Dear friends, I have developed a small web application using the Tomcat web server for my company. We are planning to purchase a web server very soon. Can we host this web application in our company before we purchase a different web server. This does not serve any business purpose. The web application is completely internal to our company. Kindly clarify. Thanks

-- Why? Because YES!
Re: apache 2 + tomcat 6 virtualhost question
Hi Patricio, try this:

1. Redeploy your app in tomcat so it shows at http://mydomain:8080/ instead of http://mydomain:8080/myapp
How you do this depends on how you deployed the app in the first place -
a) if you deployed a myapp.war and use autodeploy, then rename it to ROOT.war and redeploy it
b) if you are using a Context element, set its path attribute to ""

2. Add an AJP connector to your tomcat's conf/server.xml eg:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="utf8"/>

and restart tomcat

3. Define an apache mod_jk worker eg: /usr/local/apache2/conf/workers.properties:

worker.list=myapp
worker.myapp.type=ajp13
worker.myapp.host=localhost
worker.myapp.port=8109

4. Add a virtual host in apache configuration:

NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin y...@gmail.com
    # DocumentRoot is irrelevant because of JkMount /*
    DocumentRoot /usr/local/apache2/htdocs
    ServerName www.mydomain.com
    #ServerAlias www.somethingelse.com
    ErrorLog logs/www.mydomain.com-error_log
    CustomLog logs/www.mydomain.com-access_log common
    #
    JkMount /* myapp
</VirtualHost>

5. Make sure mod_jk config is in apache conf:

<IfModule jk_module>
    JkWorkersFile /usr/local/apache2/conf/workers.properties
    JkShmFile /usr/local/apache2/logs/mod_jk.shm
    JkLogFile /usr/local/apache2/logs/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
</IfModule>

Restart apache. In that case files in /home/mydomain/htdocs are no longer relevant.

On Wed, May 26, 2010 at 11:32 PM, Bithost Ltda. bithost.ch...@gmail.com wrote:

Hello I'm new to tomcat and i have some experience with apache, i have a debian server with apache 2.2 + mod_jk and tomcat 6 server. My doc root for my site is /home/mydomain/htdocs and i have a site which is using a WAR which i deployed it via the tomcat manager. So far if i go to http://mydomain:8080/myapp it shows fine, but now what i need is that if i type www.mydomain.com it has to show the app directly. I've managed to create an htaccess with a 301 redirect to the url http://mydomain:8080/myapp as a temporal fix, but what i need is that when i type www.mydomain.com it goes to my app and stays with the mydomain.com url. How can i do that? do you need any config file? any help is appreciated. Thanks in advance.

-- Patricio López Salgado Jefe de Operaciones 2-697 9216 http://www.bithost.cl

-- Why? Because YES!
Re: apache 2 + tomcat 6 virtualhost question
Small mistake - put worker.myapp.port=8009 instead of worker.myapp.port=8109 (port needs to be the same as the one in tomcat's conf/server.xml Connector port=8009 protocol=AJP/1.3 .. ) On Thu, May 27, 2010 at 12:31 AM, Borut Hadžialić borut.hadzia...@gmail.com wrote: Hi Patricio, try this: 1. Redeploy your app in tomcat so it shows at http://mydomain:8080/instead of http://mydomain:8080/myapp How you do this depends on how you deployed the app in the first place - a) if you deployed a myapp.war and use autodeploy, then rename it to ROOT.war and redeploy it b) if you are using a Context element, set its path attribute to 2. Add an AJP connector to your tomcat's conf/server.xml eg: Connector port=8009 protocol=AJP/1.3 redirectPort=8443 URIEncoding=utf8/ and restart tomcat 3. Define an apache mod_jk worker eg: /usr/local/apache2/conf/workers.properties: worker.list=myapp worker.myapp.type=ajp13 worker.myapp.host=localhost worker.myapp.port=8109 4. Add a virtual host in apache configuration: NameVirtualHost *:80 VirtualHost *:80 ServerAdmin y...@gmail.com DocumentRoot /usr/local/apache2/htdocs --- this is irrelevant because of JkMount /* ServerName www.mydomain.com #ServerAlias www.somethingelse.com ErrorLog logs/www.mydomain.com-error_log CustomLog logs/www.mydomain.com-access_log common# JkMount /* myapp /VirtualHost 5. Make sure mod_jk config is in apache conf: IfModule jk_module JkWorkersFile /usr/local/apache2/conf/workers.properties JkShmFile /usr/local/apache2/logs/mod_jk.shm JkLogFile /usr/local/apache2/logs/mod_jk.log JkLogLevel info JkLogStampFormat [%a %b %d %H:%M:%S %Y] /IfModule Restart apache. In that case files in /home/mydomain/htdocs are no longer relevant. On Wed, May 26, 2010 at 11:32 PM, Bithost Ltda. bithost.ch...@gmail.comwrote: Hello I'm new to tomcat and i have some experience with apache, i have a debian server with apache 2.2 + mod_jk and tomcat 6 server. 
My doc root for my site is /home/mydomain/htdocs and i have a site which is using a WAR which i deployed it via the tomcat manager. So far if i go to http://mydomain:8080/myapp it shows fine, but now what i need is that if i type www.mydomain.com it has to show the app directly. I've managed to create an htaccess with a 301 redirect to the url http://mydomain:8080/myapp as a temporal fix, but what i need is that when i type www.mydomain.com it goes to my app and stays with the mydomain.com url. How can i do that? do you need any config file? any help is appreciated. Thanks in advance. -- Patricio López Salgado Jefe de Operaciones 2-697 9216 http://www.bithost.cl -- Why? Because YES! -- Why? Because YES!
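The port mismatch corrected in this message (worker port 8109 against an AJP connector on 8009) is easy to catch before restarting anything. The following is an added example, not code from the thread: it cross-checks workers.properties, server.xml and the JkMount directives. The sample texts are constructed from the configuration posted in the thread, and the defaults assumed for an ajp13 worker are host localhost and port 8009.

```python
import re
import xml.etree.ElementTree as ET


def ajp_ports(server_xml):
    """Ports of all AJP connectors declared in a server.xml text."""
    root = ET.fromstring(server_xml)
    return sorted(int(c.get("port")) for c in root.iter("Connector")
                  if "ajp" in c.get("protocol", "HTTP/1.1").lower())


def parse_workers(text):
    """Map each ajp13 worker named in worker.list to its (host, port)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    workers = {}
    for name in props.get("worker.list", "").split(","):
        name = name.strip()
        if not name or props.get("worker.%s.type" % name, "ajp13") != "ajp13":
            continue
        workers[name] = (props.get("worker.%s.host" % name, "localhost"),
                         int(props.get("worker.%s.port" % name, "8009")))
    return workers


def jk_mounts(httpd_conf):
    """(url pattern, worker name) for every active JkMount directive."""
    return re.findall(r"^\s*JkMount\s+(\S+)\s+(\S+)", httpd_conf, re.MULTILINE)


def check(workers_text, server_xml, httpd_conf):
    """Return a list of human-readable inconsistencies (empty if none)."""
    problems = []
    workers = parse_workers(workers_text)
    listening = ajp_ports(server_xml)
    for name, (host, port) in sorted(workers.items()):
        # Only workers pointing at this machine can be compared with server.xml.
        if host in ("localhost", "127.0.0.1") and port not in listening:
            problems.append("worker %s targets %s:%d but the AJP connector "
                            "ports in server.xml are %s"
                            % (name, host, port, listening))
    for url, name in jk_mounts(httpd_conf):
        if name not in workers:
            problems.append("JkMount %s refers to worker %s, which is not an "
                            "ajp13 worker in worker.list" % (url, name))
    return problems


# Constructed samples based on the configuration in the thread.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="utf8"/>
</Service></Server>"""

WORKERS_AS_POSTED = """worker.list=myapp
worker.myapp.type=ajp13
worker.myapp.host=localhost
worker.myapp.port=8109
"""

WORKERS_CORRECTED = WORKERS_AS_POSTED.replace("8109", "8009")

HTTPD_CONF = """<VirtualHost *:80>
    ServerName www.mydomain.com
    # DocumentRoot is irrelevant because of JkMount /*
    JkMount /* myapp
</VirtualHost>"""

if __name__ == "__main__":
    for label, text in (("as posted", WORKERS_AS_POSTED),
                        ("corrected", WORKERS_CORRECTED)):
        print(label, check(text, SERVER_XML, HTTPD_CONF))
```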
Re: apache 2 + tomcat 6 virtualhost question
In that case you can have one tomcat instance per application. Each application can run inside its own tomcat process and have different ajp port, mod_jk worker and apache virtual host. On Thu, May 27, 2010 at 1:29 AM, Bithost Ltda. bithost.ch...@gmail.com wrote: El 26-05-10 18:31, Borut Hadžialić escribió: Hi Patricio, try this: 1. Redeploy your app in tomcat so it shows at http://mydomain:8080/ instead of http://mydomain:8080/myapp How you do this depends on how you deployed the app in the first place - a) if you deployed a myapp.war and use autodeploy, then rename it to ROOT.war and redeploy it b) if you are using a Context element, set its path attribute to 2. Add an AJP connector to your tomcat's conf/server.xml eg: Connector port=8009 protocol=AJP/1.3 redirectPort=8443 URIEncoding=utf8/ and restart tomcat 3. Define an apache mod_jk worker eg: /usr/local/apache2/conf/workers.properties: worker.list=myapp worker.myapp.type=ajp13 worker.myapp.host=localhost worker.myapp.port=8109 4. Add a virtual host in apache configuration: NameVirtualHost *:80 VirtualHost *:80 ServerAdmin y...@gmail.com mailto:y...@gmail.com DocumentRoot /usr/local/apache2/htdocs --- this is irrelevant because of JkMount /* ServerName www.mydomain.com http://www.mydomain.com # ServerAlias www.somethingelse.com http://www.somethingelse.com ErrorLog logs/www.mydomain.com-error_log CustomLog logs/www.mydomain.com-access_log common# JkMount /* myapp /VirtualHost 5. Make sure mod_jk config is in apache conf: IfModule jk_module JkWorkersFile /usr/local/apache2/conf/workers.properties JkShmFile /usr/local/apache2/logs/mod_jk.shm JkLogFile /usr/local/apache2/logs/mod_jk.log JkLogLevel info JkLogStampFormat [%a %b %d %H:%M:%S %Y] /IfModule Restart apache. In that case files in /home/mydomain/htdocs are no longer relevant. On Wed, May 26, 2010 at 11:32 PM, Bithost Ltda. 
bithost.ch...@gmail.com mailto:bithost.ch...@gmail.com wrote: Hello I'm new to tomcat and i have some experience with apache, i have a debian server with apache 2.2 + mod_jk and tomcat 6 server. My doc root for my site is /home/mydomain/htdocs and i have a site which is using a WAR which i deployed it via the tomcat manager. So far if i go to http://mydomain:8080/myapp it shows fine, but now what i need is that if i type www.mydomain.com http://www.mydomain.com it has to show the app directly. I've managed to create an htaccess with a 301 redirect to the url http://mydomain:8080/myapp as a temporal fix, but what i need is that when i type www.mydomain.com http://www.mydomain.com it goes to my app and stays with the mydomain.com http://mydomain.com url. How can i do that? do you need any config file? any help is appreciated. Thanks in advance. -- Patricio López Salgado Jefe de Operaciones 2-697 9216 http://www.bithost.cl -- Why? Because YES! Hello I appreciate this very helpful guide, i have some of these configs already in motion (got the ajp connector port, workers.properties and mod_jk included in apache), but what if i have more than 2 sites which need the same way of deploy (virtualhosting), in that case i can't deploy it under mydomain.com:8080, it has to be under mydomain.com:8080/myapp Thanks for your time. -- Why? Because YES! - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Putting APACHE in front of a stand-alone Tomcat Server
Take a look at http://tomcat.apache.org/connectors-doc/ I think you can also use apache mod_proxy.

On Mon, May 17, 2010 at 1:36 PM, Stephen . marr...@hotmail.com wrote:

Hi all, just a quick question. I am currently using a stand-alone Tomcat Server to run an application. However, I plan to expand this application (which is web-based) to enable Authentication processes from external IDPs (Identity Providers). Unfortunately, to be able to implement this, the IDPs require that Tomcat must not be a stand-alone server. It requires Apache (apparently, all authentication requests will need to be routed via the Apache) My question is : is it possible to make this change (somehow install, or place Apache in front of my current Tomcat server)? Or does this require a whole new installation of Apache Tomcat? I am using : Apache Tomcat 6.0.18 (Funny thing : I always thought that the name Apache Tomcat automatically meant that my server already had Apache in front of it. But, it seems I was wrong)

-- Why? Because YES!
Re: Putting APACHE in front of a stand-alone Tomcat Server
On Mon, May 17, 2010 at 1:58 PM, Stephen . marr...@hotmail.com wrote:

Hi, thanks for your response. However, I would need some more explanation. Exactly where and how would I implement those Tomcat Connectors? Apparently, all I have is the Tomcat engine itself. So, what I need is an actual Apache server. (Am I right?)

A simplified explanation - Tomcat connectors - mod_jk is an Apache HTTPD module that can be used to implement a reverse proxy and load balancing. You need to install Apache HTTPD (which runs on Windows too), add module mod_jk to it and configure it. You can find more detailed tutorials and explanations how to do it on google - this is the first one that google returned to me http://www3.ntu.edu.sg/home/ehchua/programming/howto/apache_tomcat_howto.html

Another thing: I've had my Tomcat running for a while now. The application which is running on the server is Sun's Identity Manager (IDM). If I now place an Apache in front of it, would that, in any way, damage the web application itself?

What kind of authentication does the application use?

Thanks

Date: Mon, 17 May 2010 13:44:12 +0200
Subject: Re: Putting APACHE in front of a stand-alone Tomcat Server
From: borut.hadzia...@gmail.com
To: users@tomcat.apache.org

Take a look at http://tomcat.apache.org/connectors-doc/ I think you can also use apache mod_proxy.

On Mon, May 17, 2010 at 1:36 PM, Stephen . marr...@hotmail.com wrote:

Hi all, just a quick question. I am currently using a stand-alone Tomcat Server to run an application. However, I plan to expand this application (which is web-based) to enable Authentication processes from external IDPs (Identity Providers). Unfortunately, to be able to implement this, the IDPs require that Tomcat must not be a stand-alone server. It requires Apache (apparently, all authentication requests will need to be routed via the Apache)

My question is: is it possible to make this change (somehow install, or place Apache in front of my current Tomcat server)? Or does this require a whole new installation of Apache Tomcat?

I am using: Apache Tomcat 6.0.18

(Funny thing: I always thought that the name Apache Tomcat automatically meant that my server already had Apache in front of it. But, it seems I was wrong)

-- Why? Because YES!
Re: IP-based virtual hosting with Tomcat(6)
Maybe this will be helpful to you? http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

I am not sure how well that extension is supported in browsers and other ssl clients, or whether you can get a CA to sign a certificate that contains these extensions. But, I wouldn't be surprised if there were no problems with any of that because there are scenarios in which it's useful to have the same certificate be valid for a url that contains a host name or ip address.

What I do know is that I used a single self signed certificate (with subject alt names for:

    IP Address=10.0.100.11
    IP Address=10.0.100.12
    IP Address=10.0.100.13
    IP Address=10.0.100.14

) locally for testing on 4 app servers that ran a load balanced app. We tested the app with urls like https://10.0.100.11/ https://10.0.100.12/ and so on.

On Wed, Jul 29, 2009 at 10:44 PM, uma...@comcast.net wrote:

My second issue is perhaps more serious: is there an underlying assumption with virtual hosts that they are bound by distinct security constraints? I mean, is there an implicit assumption, for instance, that distinct virtual hosts would use distinct SSL certificates? I plan to (rather, need to) use the same SSL certificate for all vHosts.

Thanx again! /U

-- Why? Because YES!
Re: Did anyone had problems with JspWriter in Tomcat 5.5.17?
I found the cause of the problem. Tomcat's implementation of javax.servlet.http.HttpServlet implements the doGet method like this:

    protected void doHead(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        NoBodyResponse response = new NoBodyResponse(resp);
        doGet(req, response);
        response.setContentLength();
    }

The problem occurs when an HTTP HEAD request arrives for a page that isn't in the page cache.

When an HTTP HEAD request is received for a page that is not in the cache, the caching filter prepares a response wrapper that will capture the request (content generated by the application's servlets), puts that wrapper in the place of the real response, for the filters and servlets next in the chain, and gives the execution to the next filter/servlet in chain.

But, for HTTP HEAD requests, the caching wrapper never gets to the servlets that generate content, because the above method wraps it in NoBodyResponse, a response wrapper that throws away everything that is written to it, like /dev/null does... servlets write content to NoBodyResponse, and the content is lost.

On the way back, the caching filter inspects the response wrapper it created, sees 200 response code, and decides that the page was generated well, and caches it... (the content doesn't get cached because NoBodyResponse didn't forward it to the response it wrapped - caching filter's response wrapper)

I will fix my caching filter to watch for this special case, and that will solve the problem in our applications... but I wonder if it is okay that Tomcat (silently) wraps the response inside a wrapper like NoBodyResponse that eats content.. or was it my fault that I didn't explicitly make difference between GET and HEAD requests when thinking about caching, probably because of lack of experience..

-- Why? Because YES!
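The special case described in the message above, sketched as an added example; this is not the poster's filter and not Ehcache's CachingFilter. The names HeadAwareCachingFilter and Capture are hypothetical, a plain in-memory map stands in for the BlockingCache, and the code assumes the Servlet 2.4/2.5 API that Tomcat 5.5 and 6 provide (under Servlet 3.1 and later, ServletOutputStream has further abstract methods to implement).

```java
import java.io.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical page-cache filter (Servlet 2.4/2.5 API). Simplification: only
// body bytes are cached; a production filter also stores headers and type.
public class HeadAwareCachingFilter implements Filter {
    private final ConcurrentHashMap<String, byte[]> cache = new ConcurrentHashMap<String, byte[]>();

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        // HttpServlet.doHead() puts NoBodyResponse in front of our capture
        // wrapper, so only GET is captured; HEAD and the rest pass through.
        if (!"GET".equals(req.getMethod())) {
            chain.doFilter(req, resp);
            return;
        }
        String key = req.getRequestURI() + '?' + req.getQueryString();
        byte[] page = cache.get(key);
        if (page == null) {
            Capture capture = new Capture(resp);
            chain.doFilter(req, capture);
            if (resp.isCommitted()) return;   // sendError/sendRedirect already answered
            page = capture.body();
            // Second guard: a 200 with an empty body is served but never stored.
            if (capture.status == HttpServletResponse.SC_OK && page.length > 0) {
                cache.put(key, page);
            }
        }
        resp.setContentLength(page.length);
        resp.getOutputStream().write(page);
    }

    // Buffers the body and tracks the status (no getStatus() before Servlet 3.0).
    static class Capture extends HttpServletResponseWrapper {
        private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        private PrintWriter writer;
        int status = HttpServletResponse.SC_OK;

        Capture(HttpServletResponse resp) { super(resp); }
        public void setStatus(int sc) { status = sc; super.setStatus(sc); }
        public ServletOutputStream getOutputStream() {
            return new ServletOutputStream() { public void write(int b) { buf.write(b); } };
        }
        public PrintWriter getWriter() throws IOException {
            if (writer == null) writer = new PrintWriter(new OutputStreamWriter(buf, getCharacterEncoding()));
            return writer;
        }
        byte[] body() { if (writer != null) writer.flush(); return buf.toByteArray(); }
    }
}
```

The method check keeps HEAD requests out of the capture path altogether, and the empty-body guard stops any other route to a blank 200 from being stored for the full time-to-live.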
Did anyone had problems with JspWriter in Tomcat 5.5.17?
Hi list,

I have spent last 15 working hours trying to figure out the cause of a strange bug. Home page on one of our web sites sometimes gets generated with no content - as a blank page, the response buffer having size 0.

We use caching filter (modified CachingFilter from Ehcache 1.3.0) which uses a response wrapper to capture responses to make caching possible. The response wrapper internally uses standard classes ByteArrayOutputStream and PrintWriter from the Java API. The page cache time-to-live is set to 1 day. When the page is generated first time by jsps and tiles it is put into cache, and served for next 24 hours from the cache. After 24 hours it gets generated again.

The manifestation of the bug is that randomly, the homepage gets generated as a blank page, about once in every 3 cache refreshes. When it occurs, the ByteArrayOutputStream has size 0, after the generation of the page has completed.

Generating the homepage involves pulling some data from the database, which changes rarely, about once every week. I put cache time to live 300 seconds to eliminate the possibility that corrupt data from database causes errors in page generation. With 300 second time to live the problem was still there. The data in database does not change between good and faulty page generations. Home page is relatively simple - it does not involve pulling data from other data sources. It just reads some data from the database and uses that data to make some html, using jsp.

After turning on logging on database calls, all filters, and using a PrintWriter decorator inside our response wrapper that echoes all print statements to the log, I found out something strange - A correct page generation logs some database calls (by the database logger), then a chunk of html (by the logging PrintWriter decorator, as a result of flushing JspWriter after enough out.write calls have been made), then some more database calls, then some more html.. and the page gets generated.

** A faulty generation (the one that produces a blank page) logs exactly same database calls as a correct page generation, but the log entries produced by the echoing PrintWriter are missing! **, as if jsps are executing normally, but something is wrong with the JspWriter out object.

I am suspecting that somehow JspWriter writes somewhere else, not where it should. It should write into response wrapper's buffer, through the echoing/logging PrintWriter. But there is no PrintWriter echo and no bytes in response wrapper buffer... more exactly, *sometimes* there is no PrintWriter echo and no bytes in response wrapper buffer.

I have read all the code that makes up the life cycle of PageContext and JspWriter on the docjar site (not sure for what version of Tomcat), and couldn't find anything that would help me solve this.

http://www.docjar.com/html/api/org/apache/jasper/runtime/JspWriterImpl.java.html
http://www.docjar.com/html/api/org/apache/jasper/runtime/PageContextImpl.java.html
http://www.docjar.com/html/api/org/apache/jasper/runtime/JspFactoryImpl.java.html

After adding some more logging statements I found out that 1 instance of JspWriter and 1 instance of PageContext are used shared across all page generations (site has low traffic and rarely 2 requests in same time). Same JspWriter and PageContext instances sometimes participate in good page and faulty page generations.

I was hoping that someone on this list might know something that could help me find out why is this happening. Please help.

-- Why? Because YES!
Re: Did anyone had problems with JspWriter in Tomcat 5.5.17?
I forgot to write information about our environment:

Os: Red Hat 4.1 (Linux 2.6.9-42.EL) on i386
Jvm: Sun's Java HotSpot(TM) Client VM version 1.5.0_07-b03
Tomcat 5.5.17

We also use Spring, Informix db, iBatis, Jsp (tiles) and Ehcache 1.3.0

We have made 5 sites for now with these same technologies. The bug only occurs on the home page on the least visited site.. Other sites are visited very often (we have to use load balancing on 4 servers)

And 1 more important thing - when the caching filter is turned off, pages always get generated fine. But.. the code that creates the wrapper is same for all apps/pages, and works fine in other apps.

-- Why? Because YES!
Re: Did anyone had problems with JspWriter in Tomcat 5.5.17?
The caching filter uses a BlockingCache. A miss (get that returns null) locks that entry/key, and other threads that try to get the page from the cache using the same key, must wait until the thread that locked the entry puts something into the cache and releases the lock. Locks are released implicitly when cache put method is called, by the thread that locked it. All this is implemented inside Ehcache. We haven't observed any thread deadlock problems (using JMX to monitor servers)

Lock implementation is net.sf.ehcache.constructs.concurrent.Mutex which is a copy of Doug Lea's mutex class from standard Java API, copied and imported into Ehcache.

On 7/16/07, rpr_listas [EMAIL PROTECTED] wrote:

Hello, Borut. Are you sure that there are no other thread writing in the cache at this moment? How do you prevent this case? Best regards. Ricardo

-- Why? Because YES!
Re: Did anyone had problems with JspWriter in Tomcat 5.5.17?
The problem seems to happen before writing to the cache. Jsps write to response wrapper's buffer.. well, when they do page gets generated fine, when they don't we get a blank home page served and put in the cache.

On 7/16/07, rpr_listas [EMAIL PROTECTED] wrote:

Hello, Borut. Are you sure that there are no other thread writing in the cache at this moment? How do you prevent this case? Best regards. Ricardo

-- Why? Because YES!
Re: Tomcat as a Standalone server
Buy the domain 'application.com'. After you buy it you will be able to specify the ip address of the name server responsible for resolving host names ending with 'application.com'. Install a name server on your server, and register its ip address as responsible for 'application.com' (you do that at the place where you bought your domain). In your name server, map the ip address of your web server to 'www.application.com'.

On 2/13/07, matthedude [EMAIL PROTECTED] wrote:

Hi, I am creating a simple web application that will consist of a few servlets and a MySQL database. I have installed tomcat and am using it in development with the normal 'localhost' address but have not been able to find any good tutorials on deploying the application to a web address such as 'www.application.com' so that anyone on the internet can enter their information. The website will not get very many hits and is only harvesting small amounts of data so my intention is to use a cheap PC with MySQL and tomcat to run the website. Any help would be greatly appreciated.

Thanks, Matthew

-- Why? Because YES!
Re: Tomcat 5.5 class loader question.
Why would Catalina classloader need to see application specific jar files?

On 8/23/06, Mark Thomas [EMAIL PROTECTED] wrote:

Borut Hadžialić wrote:

However, when we move those Jira dependencies from $CATALINA_HOME/common/lib/ to $CATALINA_BASE/shared/lib/ Jira startup fails - it throws several ClassDefNotFoundException (for org.postgresql.Driver and other classes) Does anyone know why is this happening?

Probably because the Catalina classloader also needs to be able to see those classes. If they are in shared, they are not visible to the core Tomcat code.

Mark

-- Why? Because YES!