Re: Client authentication for specific path
2014-10-03 17:42 GMT+02:00 Nathan Quirynen <nat...@pensionarchitects.be>:
> On 02/10/14 19:00, Christopher Schultz wrote:
>> Nathan,
>>
>> On 10/1/14 12:16 PM, Nathan Quirynen wrote:
>>> On 01/10/14 18:08, Christopher Schultz wrote:
>>>> Nathan,
>>>>
>>>> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>>>>> Hi Tomcat users,
>>>>>
>>>>> A current application has client authentication configured in the SSL Connector (server.xml):
>>>>>
>>>>> <Connector port="8443" ... clientAuth="true" keystoreFile=".keystore" keystorePass="..." truststoreFile=".truststore" truststorePass="..." />
>>>>>
>>>>> And the CA root certificates have been added to the truststore. This way it asks for a client certificate in any case, which works and is fine for this application.
>>>>>
>>>>> For a new application the use case is a bit different. I only need client authentication for a specific defined path (for example: /secured/*). After some research I found this was possible by defining this at application level in the web.xml file. So I changed my configuration to:
>>>>>
>>>>> server.xml:
>>>>>
>>>>> <Connector port="8443" ... clientAuth="false" keystoreFile=".keystore" keystorePass="..." truststoreFile=".truststore" truststorePass="..." />
>>>>>
>>>>> web.xml:
>>>>>
>>>>> <security-constraint>
>>>>>   <web-resource-collection>
>>>>>     <web-resource-name>Secureconn</web-resource-name>
>>>>>     <url-pattern>/secured/*</url-pattern>
>>>>>     <http-method>GET</http-method>
>>>>>   </web-resource-collection>
>>>>>   <auth-constraint>
>>>>>     <role-name>secureconn</role-name>
>>>>>   </auth-constraint>
>>>>> </security-constraint>
>>>>> <login-config>
>>>>>   <auth-method>CLIENT-CERT</auth-method>
>>>>>   <realm-name>Secureconn</realm-name>
>>>>> </login-config>
>>>>> <security-role>
>>>>>   <role-name>secureconn</role-name>
>>>>> </security-role>
>>>>>
>>>>> In this case it actually only asks for client authentication when going to, for example, the secured/home page. But I'm getting a 401 message code. What am I missing to get people authenticated based on the CA root certificates that are in the configured truststore? Is what I am trying even possible?
>>>>
>>>> What happens if you change clientAuth="false" to clientAuth="want"?
>>>>
>>>> -chris
>>>>
>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>> Hey Chris,
>>>
>>> If I change it to want I still get the same error: HTTP Status 401 - Cannot authenticate with the provided credentials
>>
>> So just to be sure, the only difference between the application you have that is working and the one that is not working is that you have a different url-pattern in your web.xml?
>>
>> Generally speaking, Tomcat will authenticate the client certificate just using the configuration at the Connector level. Using CLIENT-CERT in the application is used for application credentials -- such as establishing roles to be used with role-based permissions.
>>
>> Do you intend to use role-based permissions and all that other stuff, or do you just want to make sure that the client has a valid certificate?
>>
>> If you just want to make sure that the certificate is valid, then you want to use clientAuth="want" and remove the configuration you have from web.xml. Next, you will need to write a Filter that grabs the X509 certificate from the request and does manual checking.
>>
>> You might be able to get some help from a series of posts I wrote a few years ago about manually handling X509 certificates: http://markmail.org/message/kzxsamuiu6bldjmv
>>
>> Hope that helps,
>> -chris
>
> Yes, that's what I want. But when I set clientAuth to want it asks for the client certificate on every path, which I don't want... I only want client authentication on the specified path. I'm wondering if I can solve what I need with Tomcat alone. Maybe I should put Apache in front?

One way you could do it would be to:
- set clientAuth="false" in your connector
- add the security-constraint as you did except for the security-role: security-role
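As an added example (not code from this thread or from Tomcat), here is a servlet Filter along the lines Christopher Schultz describes: the Connector runs with clientAuth="want", the CLIENT-CERT constraint is removed from web.xml, and the application itself decides, for /secured/* only, whether the presented certificate is acceptable. The package name, the class name and the issuer DN in the allow-list are assumptions; the attribute name javax.servlet.request.X509Certificate is the one the Servlet specification defines.

```java
// Added example: enforce a client certificate for /secured/* inside the application,
// with the Connector set to clientAuth="want" and no CLIENT-CERT constraint in web.xml.
// Servlet 3.0 API (Tomcat 7). Package, class and issuer DN are assumed values.
package example;

import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/secured/*")
public class ClientCertFilter implements Filter {

    // Attribute under which the container exposes the client chain (Servlet spec).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Issuer DNs this application accepts (constructed placeholder value; in practice
    // these mirror the CA certificates loaded into the Connector's truststore).
    private static final Set<String> TRUSTED_ISSUERS = new HashSet<String>(Arrays.asList(
            "CN=Example Root CA,O=Example Corp,C=BE"));

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String reason = checkClientCertificate(
                (X509Certificate[]) request.getAttribute(CERT_ATTR));
        if (reason != null) {
            // With clientAuth="want" the TLS handshake succeeds even when no client
            // certificate was sent, so the application has to refuse the request itself.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns null when the chain is acceptable, otherwise a short rejection reason. */
    static String checkClientCertificate(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return "client certificate required";
        }
        X509Certificate leaf = chain[0];   // the end-entity certificate comes first
        try {
            leaf.checkValidity();
        } catch (CertificateExpiredException e) {
            return "client certificate expired";
        } catch (CertificateNotYetValidException e) {
            return "client certificate not yet valid";
        }
        // The Connector already verified the chain against the truststore during the
        // handshake; this is an application-level allow-list on top of that check.
        String issuer = leaf.getIssuerX500Principal().getName();
        if (!TRUSTED_ISSUERS.contains(issuer)) {
            return "client certificate issuer not accepted";
        }
        return null;
    }
}
```

One caveat this does not remove: with clientAuth="want" the Connector still requests a certificate during the TLS handshake of every connection, which is the browser prompt Nathan observes on every path. The Filter only decides what happens to the request afterwards; limiting the prompt itself to one path needs a separate Connector (or a front end such as Apache httpd) for that path.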
Re: Client authentication for specific path
2014-10-01 18:16 GMT+02:00 Nathan Quirynen <nat...@pensionarchitects.be>:
> On 01/10/14 18:08, Christopher Schultz wrote:
>> Nathan,
>>
>> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>>> Hi Tomcat users,
>>>
>>> A current application has client authentication configured in the SSL Connector (server.xml):
>>>
>>> <Connector port="8443" ... clientAuth="true" keystoreFile=".keystore" keystorePass="..." truststoreFile=".truststore" truststorePass="..." />
>>>
>>> And the CA root certificates have been added to the truststore. This way it asks for a client certificate in any case, which works and is fine for this application.
>>>
>>> For a new application the use case is a bit different. I only need client authentication for a specific defined path (for example: /secured/*). After some research I found this was possible by defining this at application level in the web.xml file. So I changed my configuration to:
>>>
>>> server.xml:
>>>
>>> <Connector port="8443" ... clientAuth="false" keystoreFile=".keystore" keystorePass="..." truststoreFile=".truststore" truststorePass="..." />
>>>
>>> web.xml:
>>>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>Secureconn</web-resource-name>
>>>     <url-pattern>/secured/*</url-pattern>
>>>     <http-method>GET</http-method>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>secureconn</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>> <login-config>
>>>   <auth-method>CLIENT-CERT</auth-method>
>>>   <realm-name>Secureconn</realm-name>
>>> </login-config>
>>> <security-role>
>>>   <role-name>secureconn</role-name>
>>> </security-role>
>>>
>>> In this case it actually only asks for client authentication when going to, for example, the secured/home page. But I'm getting a 401 message code. What am I missing to get people authenticated based on the CA root certificates that are in the configured truststore? Is what I am trying even possible?
>>
>> What happens if you change clientAuth="false" to clientAuth="want"?
>
> Hey Chris,
>
> If I change it to want I still get the same error: HTTP Status 401 - Cannot authenticate with the provided credentials

This is because when you use the CLIENT-CERT auth-method, Tomcat adds the SSLAuthenticator to the context (your app), which validates the cert against the realm. By default, that realm is the UserDatabaseRealm, which stores credentials in tomcat-users.xml. So several choices for you: add all the certificate DNs in that file with the right roles, or change the realm for something more suited to your needs.

Aside, you can also define which certificate attribute will be resolved to search for the principal, in X509UsernameRetrieverClassName (http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html)

Cédric
Re: SAML 2.0 with container managed authentication in Tomcat
Hello,

2014-09-11 14:26 GMT+02:00 Maarten van Hulsentop <maar...@vanhulsentop.nl>:
> Dear Tomcat-users,
>
> We are investigating the best way to support SAML 2.0 (SP) authentication with our application. Our application is using container managed authentication provided by Tomcat, and works very well with basic authentication, form authentication, SPNEGO and others. My expectation would be that it should be possible to add a Valve and a Realm and have a 3rd party tool supply the SAML2 Relying Party implementation. So far, we have identified a couple of possible candidates.
> - Apache CXF Fediz. This project still seems young, but the integration would be as I expect.
> - Spring security might be possible to wrap into a Valve and Realm?
> - Picketlink? As stated on https://docs.jboss.org/author/display/PLINK/SAML+Authenticators+(Tomcat,JBossAS)
> - Very own Tomcat support not there yet? https://issues.apache.org/bugzilla/show_bug.cgi?id=54503
> - Shibboleth (on HTTPD, remote user passed through AJP)
>
> Until now we have been using the Shibboleth/HTTPd implementation, but from a Tomcat perspective this is not very 'pure'. We would like to configure it all in one place, Tomcat.

At work, with exactly the same requirement, we used OIOSAML [1], which has been transformed into a custom tomcat authenticator (from the filter). It works quite well within our organisation with the Shibboleth IDP.

There is also an enhancement request on bugzilla on that topic [2], which seems to prefer adding JASPI(C) to tomcat to add SAML.

[1] http://digitaliser.dk/resource/2582561
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=54503

Cédric
Re: ISAPI Redirect - Request Entity too large
2014-07-21 6:42 GMT+02:00 Mikey <mikey7...@gmail.com>:
> Alexander Diedler <adiedler at tecracer.de> writes:
>> Hello all,
>>
>> I have installed a new Windows 2008 R2 x64 Server with IIS7 and Tomcat 6.0.32 x64 Edition. We use SSO Authentication from IIS to the Tomcat. Suddenly, we got on some clients, but not on every client (that´s stupid!) the following error:
>>
>> Request Entity Too large! The HTTP method does not allow the data transmitted, or the data volume exceeds the capacity limit. Jakarata/ISAPI/isapi_redirector/1.2.32 ()
>>
>> The isapi.log contains the following messages in debug mode:
>>
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] find_match::jk_uri_worker_map.c (863): Found a wildchar match '/jci/*=worker1'
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] HttpFilterProc::jk_isapi_plugin.c (1978): check if [/jci/] points to the web-inf directory
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] HttpFilterProc::jk_isapi_plugin.c (1994): [/jci/] is a servlet url - should redirect to worker1
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] HttpFilterProc::jk_isapi_plugin.c (2034): fowarding escaped URI [/jci/]
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] wc_maintain::jk_worker.c (339): Maintaining worker worker1
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3022): Reading extension header HTTP_TOMCATWORKER00018000: worker1
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3023): Reading extension header HTTP_TOMCATWORKERIDX00018000: 3
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3024): Reading extension header HTTP_TOMCATURI00018000: /jci/
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3025): Reading extension header HTTP_TOMCATQUERY00018000: (null)
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3085): Applying service extensions
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3309): Forwarding request header Connection : Keep-Alive
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3309): Forwarding request header Content-Length : 0
>> [Fri Sep 30 15:06:08.445 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3309): Forwarding request header Accept : */*
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3309): Forwarding request header Accept-Encoding : gzip, deflate
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3309): Forwarding request header Accept-Language : de-DE
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3309):
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3309): Forwarding request header Host : b0621s008
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3309): Forwarding request header User-Agent : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3344): Service protocol=HTTP/1.1 method=GET host=fe80::3d83:4ce1:6ac:83dd%11 addr=fe80::3d83:4ce1:6ac:83dd%11 name=b0621s008 port=80 auth=Negotiate user=DOMAIN\USERNAME uri=/jci/
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] init_ws_service::jk_isapi_plugin.c (3356): Service request headers=8 attributes=0 chunked=no content-length=0 available=0
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] wc_get_worker_for_name::jk_worker.c (116): found a worker worker1
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] HttpExtensionProc::jk_isapi_plugin.c (2228): got a worker for name worker1
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] ajp_get_endpoint::jk_ajp_common.c (3161): acquired connection pool slot=0 after 0 retries
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [error] ajp_marshal_into_msgb::jk_ajp_common.c (469): failed appending the header value
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [info] ajp_service::jk_ajp_common.c (2431): Creating AJP message failed, without recovery
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [error] HttpExtensionProc::jk_isapi_plugin.c (2261): service() failed with http error 413
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] ajp_reset_endpoint::jk_ajp_common.c (807): (worker1) resetting endpoint with socket -1 (socket shutdown)
>> [Fri Sep 30 15:06:08.460 2011] [3456:1540] [debug] ajp_done::jk_ajp_common.c (3078): recycling connection pool slot=0 for worker worker1
>
> After 18+ months of dealing with this issue - with IIS6, IIS7, IIS7.5 - I fixed it by removing 'Negotiate' from the Windows Authentication
Re: Regarding I think an intrusion
2014-04-30 19:07 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:
> Leonardo,
>
> On 4/30/14, 12:48 PM, Leonardo Santagostini wrote:
>> I'm uploading my logfiles so they will be available when finished uploading.
>
> Remember to get a thread dump while Runtime.exec() is running.
>
> You should copy the script /tmp/4.sh somewhere else so you have a copy in case the attacker tries to clean up after themselves. That's certainly what's doing the evil work.
>
> You could probably set up iptables or something to restrict outgoing requests so that the attack can't progress across your network.
>
>> Regarding the configuration, it's working in two other sites without problem, and there is no problem putting L4 balancing with haproxy. I have asked developers about that exploit, still without answer.
>
> You appear to be using struts2 2.1.8, which is in the range of versions vulnerable to this bug. There is a workaround that you can probably apply: http://struts.apache.org/release/2.3.x/docs/s2-021.html (see the last section on this page).
>
> Of course, the vulnerability doesn't allow you to simply inject code or anything like that: you can certainly mess around with code that is already available on the site, though.

I think S2-021 can be used to inject code. There is a POC circulating proving it. That said, this struts version (2.1.8) is also vulnerable to http://struts.apache.org/release/2.3.x/docs/s2-016.html which permits code execution very easily.

> -chris
Re: AJP and attributes versus headers
2014-02-11 10:41 GMT+01:00 André Warnier <a...@ice-sa.com>:
> Cédric Couralet wrote:
>> 2014-02-11 1:20 GMT+01:00 Elliot Kendall <elliot.kend...@ucsf.edu>:
>>> We have a Java application running on Tomcat with an Apache HTTP proxy in front. Our SSO system (Shibboleth) runs as an Apache module and sets an HTTP header with the logged-in username, which gets passed through to Tomcat and which the app uses Spring's RequestHeaderAuthenticationFilter to read.
>>>
>>> We would like to switch from HTTP to AJP for the proxy, as recommended by our SSO vendor. When we do, though, the logged-in username ends up in an environment variable and gets passed to Tomcat as a request attribute rather than a header. The Spring filter is using javax.servlet.http.HttpServletRequest.getHeader to read the value, which fails. For things to work, it would need to use javax.servlet.ServletRequest.getAttribute. As far as I can tell, no filter exists in Spring that uses requests instead of headers.
>>>
>>> Is there a way to make Tomcat expose the values of AJP request attributes as headers so that the Spring filter can see them? Or maybe a way to make one the user principal, accessible through javax.servlet.http.HttpServletRequest.getUserPrincipal? Then I could use a different Spring filter, J2eePreAuthenticatedProcessingFilter. And if there is a way to do one or both of these, do you think I would be better off trying to fix this on the Spring side?
>>
>> You could try setting tomcatAuthentication="false" on your AJP connector in server.xml. If Shibboleth puts the value in REMOTE_USER as it should, then tomcat should pick it up as the principal. Be aware that you should protect your ajp connector so that no other machine than your Apache can connect to it.
>
> Cedric, I think that the essence of the above is correct, but that strictly speaking the details are not. I do not think that the authenticated user-id from Apache is passed via (or taken from) the REMOTE_USER header.
>
> The mod_jk and mod_proxy_ajp modules most probably take the Apache authenticated user-id directly from the Apache request record (r->user), no matter how it has been set, and pass it on to Tomcat through AJP as a request attribute. The setting of the REMOTE_USER http header is just a side-effect, and may be happening or not.
>
> The AJP connector at the Tomcat level, if tomcatAuthentication="false", then uses the value of the received AJP request attribute to set Tomcat's request userPrincipal value. There is no need then for anything else in Tomcat to grab the REMOTE_USER header of the request.

Yes, I did not mean REMOTE_USER as a header but as the environment variable in apache httpd (I don't know what to call it). I picked it up from this page: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall

"Setting the tomcatAuthentication="false" attribute on the AJP Connector element allows for passing REMOTE_USER from Apache httpd. See Tomcat's AJP Connector documentation for more."

> I do not know Shibboleth, but I would presume that when it authenticates a user, it sets the Apache r->user first. And then maybe, accessorily and/or optionally, Shibboleth may add a REMOTE_USER header to the request. And at the Tomcat level, one /may/ have some authentication module that picks up the user-id from the REMOTE_USER header of the request, and sets it as the Tomcat userPrincipal.
>
> But what I mean to say is that both these things with the REMOTE_USER http header are not mandatory. If Apache httpd authenticates a user, by whatever well-written method, the httpd r->user will be set, and the proxied AJP request will contain the corresponding user-id. And if the Tomcat AJP Connector says tomcatAuthentication="false", then the Connector will pick up this user-id from the AJP request attribute, and set the Tomcat user to that value. Independently of any REMOTE_USER header being set or not.
>
> Of course you can always override this, and force the usage of the REMOTE_USER header on both sides. But why would you do that, if a standard mechanism is already built into AJP? (It would be different if you were using mod_proxy_http as a connector).
Re: AJP and attributes versus headers
2014-02-11 1:20 GMT+01:00 Elliot Kendall <elliot.kend...@ucsf.edu>:
> We have a Java application running on Tomcat with an Apache HTTP proxy in front. Our SSO system (Shibboleth) runs as an Apache module and sets an HTTP header with the logged-in username, which gets passed through to Tomcat and which the app uses Spring's RequestHeaderAuthenticationFilter to read.
>
> We would like to switch from HTTP to AJP for the proxy, as recommended by our SSO vendor. When we do, though, the logged-in username ends up in an environment variable and gets passed to Tomcat as a request attribute rather than a header. The Spring filter is using javax.servlet.http.HttpServletRequest.getHeader to read the value, which fails. For things to work, it would need to use javax.servlet.ServletRequest.getAttribute. As far as I can tell, no filter exists in Spring that uses requests instead of headers.
>
> Is there a way to make Tomcat expose the values of AJP request attributes as headers so that the Spring filter can see them? Or maybe a way to make one the user principal, accessible through javax.servlet.http.HttpServletRequest.getUserPrincipal? Then I could use a different Spring filter, J2eePreAuthenticatedProcessingFilter. And if there is a way to do one or both of these, do you think I would be better off trying to fix this on the Spring side?

You could try setting tomcatAuthentication="false" on your AJP connector in server.xml. If Shibboleth puts the value in REMOTE_USER as it should, then tomcat should pick it up as the principal. Be aware that you should protect your ajp connector so that no other machine than your Apache can connect to it.

> Thanks for any suggestions.
>
> --
> Elliot Kendall
> IAM Support Engineer - Single Sign On
> Information Technology Services
> University of California, San Francisco
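If the application has to keep Spring's header-based filter rather than switch to tomcatAuthentication="false", one option, added here as an example and not code from this thread, Tomcat or Spring, is a Filter that wraps the request so the AJP request attribute is readable through getHeader. The attribute name REMOTE_USER is an assumption (with mod_jk the attribute name is whatever JkEnvVar exports; mod_proxy_ajp forwards environment variables prefixed AJP_ with the prefix removed), and the header name X-Remote-User is a constructed name that the Spring filter would be configured with. The package name is hypothetical.

```java
// Added example: expose the Apache-authenticated user, which reaches Tomcat as an AJP
// request attribute, to code that only reads headers (e.g. Spring's
// RequestHeaderAuthenticationFilter). Attribute and header names are assumed values.
package example;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class AttributeToHeaderFilter implements Filter {

    static final String ATTRIBUTE = "REMOTE_USER";   // assumed AJP request attribute name
    static final String HEADER = "X-Remote-User";    // constructed header name

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new AttributeHeaderRequest((HttpServletRequest) req), res);
    }

    static class AttributeHeaderRequest extends HttpServletRequestWrapper {

        AttributeHeaderRequest(HttpServletRequest request) {
            super(request);
        }

        /** The user as set by httpd; null when httpd did not authenticate anyone. */
        private String userFromAttribute() {
            Object value = getAttribute(ATTRIBUTE);
            return value == null ? null : value.toString();
        }

        @Override
        public String getHeader(String name) {
            if (HEADER.equalsIgnoreCase(name)) {
                // Answer only from the attribute: an inbound header with the same name
                // could have been supplied by the client and must never be trusted.
                return userFromAttribute();
            }
            return super.getHeader(name);
        }

        @Override
        public Enumeration<String> getHeaders(String name) {
            if (HEADER.equalsIgnoreCase(name)) {
                String user = userFromAttribute();
                List<String> values = user == null
                        ? Collections.<String>emptyList()
                        : Collections.singletonList(user);
                return Collections.enumeration(values);
            }
            return super.getHeaders(name);
        }

        @Override
        public Enumeration<String> getHeaderNames() {
            // Hide any client-supplied copy of the header and add ours when present.
            List<String> names = new ArrayList<String>();
            Enumeration<String> original = super.getHeaderNames();
            while (original.hasMoreElements()) {
                String n = original.nextElement();
                if (!HEADER.equalsIgnoreCase(n)) {
                    names.add(n);
                }
            }
            if (userFromAttribute() != null) {
                names.add(HEADER);
            }
            return Collections.enumeration(names);
        }
    }
}
```

The wrapper deliberately never falls back to the inbound header of the same name, so a client cannot log in by sending X-Remote-User itself. That guarantee only holds as long as the AJP connector is reachable from the httpd host alone, as Cédric notes above: anything that can open an AJP connection to Tomcat can set request attributes directly.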
Re: What is the best connector configuration for thousands of mostly idle users?
2014-02-10 22:34 GMT+01:00 André Warnier <a...@ice-sa.com>:
> Jesse Barnum wrote:
>> On Feb 10, 2014, at 11:14 AM, Filip Hanik <fi...@hanik.com> wrote:
>>> Jesse, mostly idle users and you wish to conserve resources. Use the JkOptions +DisableReuse on the mod_jk module. This will close connections after the request has been completed. Many will tell you this will slow down your system since new connections have to be created for each request. Usually, the overhead of this connection creation on a LAN is worth it. Measure for yourself. Then you can go back to the regular blocking AJP connector, that will perform a bit better as it doesn't have to do polling.
>>
>> If I do this, can I keep a long keep-alive time on Apache? I need to preserve that, because renegotiating SSL connections for every request grinds the web server to a halt.
>>
>> Also, I thought mod_jk and mod_ajp were two different things - how can I use them both together?
>
> Reply to the last phrase above: mod_jk and mod_proxy_ajp are indeed two different things, but with a similar purpose:
> - each of them is a different add-on module to Apache httpd
> - each one of them can be used as a connector between Apache httpd and Apache Tomcat
> - you generally use one or the other, not both at the same time
> - they both connect to the same AJP Connector at the Tomcat level
> - between Apache httpd and Tomcat, they both speak the same language (the AJP protocol)
>
> One difference is that mod_jk has quite a few more tunable options than the mod_proxy_ajp module. The JkOptions mentioned above by Filip is one of these mod_jk options.

I don't know what that JkOptions option does exactly, but from the name, isn't it the same as the disableReuse option on mod_proxy? http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypass
Then the OP could try that. But I don't remember (and did not check earlier in the thread) if you indicated that you are using mod_proxy_ajp.

> And to answer the previous question: yes, I believe that you can keep a long keep-alive in Apache httpd, independently of how httpd connects to Tomcat.
Re: unable to start Tomcat through the Windows Services panel
2014-02-04 <javier_esp...@hna.honda.com>:
> Thank you Mark, but it did not make a difference. Any other idea?

Do you have anything in the log directory of your tomcat installation? There should be logs for commons-daemon (used to launch the service) and maybe for tomcat.
Re: SEVERE: Servlet.service() for servlet [action] in context with path [/portal] threw exception
Hi,

2014/1/30 Randeep <randeep...@gmail.com>:
> Hi, I'm getting the following exception. I'm running it in Netbeans IDE with tomcat 7.50.0. Am I missing some libraries here? Jar files? Developers say it's not their code problem, it's a server problem. But I'm not able to get it. Struts core jar is present and in web.xml I have the following lines.

Which version of Struts are you using?

> <servlet>
>   <servlet-name>action</servlet-name>
>   <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
>   <init-param>
>     <param-name>config</param-name>
>     <param-value>/WEB-INF/struts-config.xml</param-value>
>   </init-param>
>   <init-param>
>     <param-name>debug</param-name>
>     <param-value>2</param-value>
>   </init-param>
>   <init-param>
>     <param-name>detail</param-name>
>     <param-value>2</param-value>
>   </init-param>
>   <load-on-startup>1</load-on-startup>
> </servlet>
> <servlet-mapping>
>   <servlet-name>action</servlet-name>
>   <url-pattern>*.do</url-pattern>
> </servlet-mapping>
>
> Jan 30, 2014 12:22:39 PM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet [action] in context with path [/portal] threw exception
> java.lang.NullPointerException
>         at java.lang.Class.isAssignableFrom(Native Method)
>         at org.apache.struts.util.RequestUtils.rationalizeMultipleFileProperty(RequestUtils.java:506)
>         at org.apache.struts.util.RequestUtils.populate(RequestUtils.java:459)
>         at org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:823)
>         at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:194)

It looks like an issue known with struts 1.3.10, did you check on struts jira? https://issues.apache.org/jira/browse/STR-3173 (there is a snapshot of struts 1.3.11 available on that ticket).

That said, struts1 is EOL (http://struts.apache.org/struts1eol-announcement.html); you really should change the framework.

--
Cédric
Re: Tomcat as Windows service under technical user
2014/1/27 Strobel, Stefan (TS IC) <stefan.stro...@hp.com>:
> Hi everybody,
>
> I would like to run a Tomcat 7.0.47 as a Windows service. But that service shall not be executed as Administrator but as a local technical user. That user exists; let's call it A. The account is secured with password B. The question is, how do I install Tomcat as a service (that starts at Windows startup) as the technical user A? I tried various commands, but didn't get it working. Any ideas, solutions?

Once the service is installed, you can change the user with the sc utility:

sc.exe config serviceName obj= domain\username password= password

> Thanks
> Stefan
Re: LDAP Authentication Failure
2013/12/13 Phill Perryman <ph...@alstonelane.com>:
> I have set up the following authentication to the ldap server. I can log into this server using the LdapAdmin browser ok. Running 7.0.34 (I think it's 34 but I can't bring the server up at the moment). I am getting a stack trace:
>
> Dec 13, 2013 1:56:35 PM org.apache.catalina.realm.JNDIRealm open
> WARNING: Exception performing authentication
> javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused: connect]
>         at com.sun.jndi.ldap.Connection.<init>(Unknown Source)

Does the authentication fail at the time of this warning? It may happen that the connection is finished on the ldap server when tomcat tries to authenticate the user, but tomcat should retry anyway after this message (which has an INFO level in recent versions).

> I am not connecting to localhost so I don't understand the message. None of the other files in conf have been touched. I tried searching and found lots of references but no real solutions.
>
> <Engine name="Catalina" defaultHost="localhost">
> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
> <Realm>
>   className="org.apache.catalina.realm.JNDIRealm" debug="99"
>   connectionName="cn=xxx,o=mitelinternet" connectionPassword="xxx"
>   connectionURL="ldap://ottedev02.mitel.com:389" alternateURL="ldap://ottedev02.mitel.com:389"
>   userPattern="uid={0},o=mitelinternet"
>   roleBase="o=mitelinternet" roleSubtree="true" roleSearch="(member={0})" roleName="cn"
> </Realm>

Is it really the definition that you have in server.xml or is it a typo? As it is written, the Realm has no attribute, which may explain the localhost in the message (default in JNDI). Maybe you meant:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionName="cn=xxx,o=mitelinternet" connectionPassword="xxx"
       connectionURL="ldap://ottedev02.mitel.com:389" alternateURL="ldap://ottedev02.mitel.com:389"
       userPattern="uid={0},o=mitelinternet"
       roleBase="o=mitelinternet" roleSubtree="true" roleSearch="(member={0})" roleName="cn">
</Realm>
Re: Help needed with SpnegoAuthenticator authentication
2013/11/15 chris <ch...@ottmountainbike.co.uk>:
> Any help with this would be very much appreciated. We are trying to proof of concept this to return the remote user's domain login name to use it in a Web application. Attempting to use a keytab method to hopefully negate any requirement for exposing the kerberos principal delegate in any server configuration files.
>
> We have a test configuration for SpnegoAuthenticator authentication using Apache Tomcat/7.0.47 in a sandbox environment. From a remote client workstation we are seeing an HTTP 500 error when testing and looking for some insight as to what is wrong or missing in our test environment.
>
> Environment:
> Apache Tomcat/7.0.47
> Java JDK/JRE 1.7.0_45
> Test Workstation: Windows 7 x64 (domain joined)
> Test Server: Windows Server 2008 R2
>
> When testing see Log dump
> ---
> Nov 14, 2013 10:04:50 PM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Unable to obtain password from user
>         at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown
> [..]
>
> SPN is delegated to the domain account with UPN: svctomca...@mydom.int
> (Setspn –a http/tomcatsvr.mydom.int:8080 svctomcatdv)

No need for the port when defining a SPN.

> * Domain Controller DC1 is Server 2008 R2
> * Windows server hosting Tomcat is Server 2008 R2
> * PC is Windows 7 and configured to automatically login in Intranet zone identified by *.mydom.int
>
> Keytab generated using the ktpass.exe utility with command:
> ktpass /crypto AES256-SHA1 /princ svctomca...@mydom.int /pass * /kvno 0 /ptype KRB5_NT_SRV_INST /out C:\temp\tc.keytab

I have found that an error like this indicates a bad keytab.
I generate the keytab with the /princ option set to the SPN of the user (as indicated in the tomcat documentation: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Domain_Controller)

Could you try it this way?

ktpass /crypto AES256-SHA1 /princ http/tomcatsvr.mydom@mydom.int /pass * /kvno 0 /out C:\temp\tc.keytab

Cédric
Re: Override logging
2013/10/8 André Warnier a...@ice-sa.com: Geoff Meakin wrote: I've been asked to host a couple of tomcat thirdparty webapps which all have either logging.properties or log4j configurations (internally). My question is, as a sysadmin who only gets to run the tomcat container, can I override all the logging configurations of my apps. For example, I don't use disks to log, I use syslog, and want to force all tomcat logs to go over syslog. I've read all the docs on JULI and log4j, and my head has exploded, and I appreciate there are ways to do this in the properties file of the app itself. However, I can't change the apps, and want to override all at the container level. Is this possible? I can't imagine that it wouldn't be.

+1

Hope this isn't too much of a n00b question.

No, it isn't. It is a very good question, very relevant to people such as you (and I) who mostly have to manage tomcats rather than developing apps for tomcat.

Did you happen to try something with slf4j? That would be my first try: get all application logging to slf4j and then manage it as I want. I don't even know if it is possible at all, and you will probably have to touch the web app to replace the libraries used by the slf4j bridge. I'm also greatly interested if you find something usable.
Re: Apache HTTP + Tomcat + SSL
Hi, 2013/9/30 André Warnier a...@ice-sa.com: Hi. [...] The question is now: why does that application require HTTPS? An application usually doesn't care how it is accessed, except if some configuration of the application requires it to get some information from the SSL protocol (like a user certificate or so). What does this application need?

I don't agree, the application should know how it is accessed, if only because some pages may require SSL (all pages under an auth-constraint) and others not, and it should not be delegated to apache but required at the tomcat level. I really think that saying to an application "do not care about SSL, it is our problem" will lead to all sorts of security incomprehension in the future. Especially when it is as easy as adding a valve in server.xml to do so (as said by Daniel Mikusa), or if it is an option, configuring AJP between tomcat and httpd, which then requires nothing on the tomcat side.

Cédric
Re: Apache HTTP + Tomcat + SSL
2013/9/30 Christopher Schultz ch...@christopherschultz.net: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Cédric, On 9/30/13 10:06 AM, Cédric Couralet wrote: Hi, 2013/9/30 André Warnier a...@ice-sa.com: Hi. [...] The question is now: why does that application require HTTPS? An application usually doesn't care how it is accessed, except if some configuration of the application requires it to get some information from the SSL protocol (like a user certificate or so). What does this application need?

I don't agree, the application should know how it is accessed, if only because some pages may require SSL (all pages under an auth-constraint) and others not, and it should not be delegated to apache but required at the tomcat level. I really think that saying to an application "do not care about SSL, it is our problem" will lead to all sorts of security incomprehension in the future. Especially when it is as easy as adding a valve in server.xml to do so (as said by Daniel Mikusa), or if it is an option, configuring AJP between tomcat and httpd, which then requires nothing on the tomcat side.

Some solutions require nothing on the Tomcat side (hint: mod_jk does all this auto-magically).

I didn't say otherwise ("configuring AJP between tomcat and httpd, which then requires nothing on the tomcat side"). I just reacted to the saying that an application could not care whether it was accessed with SSL or not. I think the choice of https over http is an application choice and it could be dangerous to say that it is not important for an application to think about it. I agree with all the rest, just that sentence which made me uneasy (in lack of a better term).

Cédric
Re: Apache HTTP + Tomcat + SSL
I said "An application *usually* doesn't care how it is accessed". Most applications do not. Some do. But I would argue that this would not be such a good design, because it removes flexibility in the application. It would mean that the application then cannot work in a context where there is no need for strong security, and that you always pay the SSL penalty, even when you do not really need it. The configuration around the webapp allows to put whatever level of security you need, without having to change the application code. Except in some cases, and that is why we were asking what *this* application really needs. Tout est dans la nuance...

..., I will take some more english lessons :) The confusion was that when I say application, I mean the code and the configuration (web.xml, context.xml). I already got in an argument with someone saying that httpd should be the one to force a request over https and the developer should not have to think about it, so I am a little quick to react on this. Thank you for the clarification.
Re: Filtering HTTP OPTIONS request method from logs?
Hi, I'm also interested in a method to filter those OPTIONS. With the same setup, I basically created my own AccessLogValve which does the filtering, something like:

    import java.util.Arrays;
    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;
    import org.apache.catalina.valves.AccessLogValve;

    // Class name is a placeholder; the posted snippet only showed the log() override.
    public class FilteringAccessLogValve extends AccessLogValve {
        // Comma-separated HTTP methods not to log, set as exclude="..." in server.xml
        private String exclude = "";
        public void setExclude(String exclude) { this.exclude = exclude; }

        /** Don't log request when HTTP Method is one of the exclude List */
        @Override
        public void log(Request request, Response response, long time) {
            if (Arrays.asList(exclude.split(",")).contains(request.getMethod())) {
                return;
            }
            super.log(request, response, time);
        }
    }

But there must be something better.

2013/9/16 Jim Barber jim.bar...@ddihealth.com: Hi all. I'm hoping someone on this list can help me since I've been reading docs, mailing lists, FAQs, and so on for hours now, and I'm not having much luck finding an answer to my question. I am using Tomcat version 7.0.42 as packaged in Debian Linux. In front of my Tomcat servers, I am using haproxy for load balancing. The haproxy load balancers are using the HTTP OPTIONS request method to check if the Tomcat servers are alive and healthy. This results in log entries like the following in the Tomcat accesslog file:

10.122.32.4 - - [16/Sep/2013:17:12:49 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:12:51 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:12:53 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:12:55 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:12:57 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:12:59 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:13:01 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:13:03 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:13:05 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:13:07 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:13:09 +1000] "OPTIONS / HTTP/1.0" 200 -
10.122.32.4 - - [16/Sep/2013:17:13:11 +1000] "OPTIONS / HTTP/1.0" 200 -

At the moment I'm getting one of these every 2 seconds, but I haven't enabled the second load balancer for HA purposes yet. When I do that, I'll be getting twice as many hits of this type. This is going to result in rather large log files full of noise that I'm not interested in. I've been trying to work out how to filter these out. Basically I don't want to log anything that is using the HTTP OPTIONS Request Method, but still want to log anything else that Tomcat usually logs. I have a feeling it will come down to modifying the following entry in the /etc/tomcat7/server.xml file:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />

Specifically adding the condition="VALUE" attribute, but I have no idea what to set VALUE to. The docs say that if ServletRequest.getAttribute(VALUE) returns null for the attribute defined in condition, then the item will be logged. Is there a ServletRequest attribute that is null when the http request method is not using OPTIONS? Or am I completely off track and there is a different way to filter these access log messages? Regards, -- Jim Barber
Re: Filtering HTTP OPTIONS request method from logs?
2013/9/16 André Warnier a...@ice-sa.com: Apologies for top posting, just following the trend. OPTIONS are used quite a bit by e.g. DAV clients. Won't you want also to add an IP filter then, to be able to block selectively only the requests from the proxies themselves?

Sorry for the top-post, I have got to find a better client... If you are talking about my message, I agree, I didn't do it because in my case, there cannot be any other OPTION than for the proxy itself (we don't use all those new technologies like DAV :) ). And again, I'm really looking for a better way to handle that.
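One "better way" that uses the condition attribute Jim found in the docs, and adds the IP restriction André asks for, as an added example that is not code from the thread: a small Valve marks health-check requests with a request attribute, and the stock AccessLogValve then skips them because condition="..." names that attribute (Tomcat 7 spelling; later releases call it conditionUnless). The package and class names, the setter names and the attribute name skipAccessLog are my choices, and the addresses in the server.xml comment are taken from Jim's log plus one assumed second balancer.

```java
package example; // hypothetical package, not from the thread

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Marks health-check requests so the access log skips them. Pairs with:
 *
 *   <Valve className="example.HealthCheckMarkerValve"
 *          methods="OPTIONS" remoteAddrs="10.122.32.4,10.122.32.5"/>
 *   <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
 *          prefix="localhost_access_log." suffix=".txt"
 *          pattern="%h %l %u %t &quot;%r&quot; %s %b" condition="skipAccessLog"/>
 *
 * Both valves go in the same Host (or Engine). AccessLogValve writes its entry after
 * the request has completed, so this valve may sit before or after it.
 */
public class HealthCheckMarkerValve extends ValveBase {

    /** Request attribute name; must equal the AccessLogValve condition value. */
    public static final String SKIP_ATTRIBUTE = "skipAccessLog";

    private final Set<String> methods = new HashSet<String>();
    private final Set<String> remoteAddrs = new HashSet<String>();

    /** Comma-separated HTTP methods to suppress, e.g. "OPTIONS". */
    public void setMethods(String csv) {
        fill(methods, csv, true);
    }

    /**
     * Comma-separated client addresses whose requests may be suppressed (the load
     * balancers). If left unset, the method is suppressed from any address, which
     * would also hide real OPTIONS traffic such as WebDAV clients or probes.
     */
    public void setRemoteAddrs(String csv) {
        fill(remoteAddrs, csv, false);
    }

    private static void fill(Set<String> target, String csv, boolean upper) {
        target.clear();
        for (String item : csv.split(",")) {
            String v = item.trim();
            if (v.length() > 0) {
                target.add(upper ? v.toUpperCase() : v);
            }
        }
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        if (isHealthCheck(request.getMethod(), request.getRemoteAddr())) {
            // AccessLogValve only tests the attribute for non-null, any value works.
            request.setAttribute(SKIP_ATTRIBUTE, Boolean.TRUE);
        }
        getNext().invoke(request, response);
    }

    /** The decision on its own, so it can be unit tested without a container. */
    boolean isHealthCheck(String method, String remoteAddr) {
        if (method == null || !methods.contains(method.toUpperCase())) {
            return false;
        }
        // Fail closed: suppress only from listed addresses when a list is configured.
        return remoteAddrs.isEmpty() || remoteAddrs.contains(remoteAddr);
    }
}
```

Compile it against catalina.jar and drop the resulting jar in Tomcat's lib directory. getRemoteAddr() is the TCP peer address, which is exactly the balancer here; if a RemoteIpValve is configured earlier in the pipeline it would rewrite that address from X-Forwarded-For, so list whatever address the health check actually arrives with. Everything not matched by both the method and the address list is logged as before, so an OPTIONS request from any other client still leaves a trace.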
Re: Deploying war from dependency with tomcat7-maven-plugin
2013/9/9 Greg Amerson gregory.amer...@liferay.com: Hello all, I'm trying to use the tomcat7-maven-plugin, specifically running the *mvn tomcat7:run* command. However, in my case I have two requirements that are different than the documentation provides for and I'm wondering if it is possible with the current tomcat7-maven-plugin. 1. need to deploy several jars to the global tomcat classpath (i.e. same as copying them into tomcat.home/lib/ext/ folder in a standalone install). 2. need to deploy a war to the ROOT context but instead of packaging the current project from source, I just need to point to an existing WAR as a dependency. So in my project there will be no webapp source. I simply want to run a tomcat with some extra jars in /lib/ext/ directory and also deploy a war that is obtained via a dependency with war type instead of packaged from source. Thanks in advance for any help!

Hi, I don't know if it could answer your question but I think I do something similar for integration testing. First, to add jars to the embedded tomcat used by the plugin, I declare those jars as dependencies for the plugin.

Then to add a different war I use the dependency plugin to unzip the war in the current project build directory and then use the tomcat plugin to launch it:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-dependency-plugin</artifactId>
  <version>2.4</version>
  <executions>
    <execution>
      <id>unzip-webapp</id>
      <phase>pre-integration-test</phase>
      <goals>
        <goal>unpack</goal>
      </goals>
      <configuration>
        <artifactItems>
          <artifactItem>
            <groupId>${project.groupId}</groupId>
            <artifactId>${artifact-to-import}</artifactId>
            <version>${project.version}</version>
            <type>war</type>
          </artifactItem>
        </artifactItems>
        <outputDirectory>${project.build.directory}/webapp</outputDirectory>
        <overWriteSnapshots>true</overWriteSnapshots>
      </configuration>
    </execution>
  </executions>
</plugin>
<plugin>
  <groupId>org.apache.tomcat.maven</groupId>
  <artifactId>tomcat7-maven-plugin</artifactId>
  <executions>
    <execution>
      <id>tomcat-run</id>
      <goals>
        <goal>run-war-only</goal>
      </goals>
      <phase>pre-integration-test</phase>
      <configuration>
        <path>/</path>
        <port>8080</port>
        <uriEncoding>UTF-8</uriEncoding>
        <warDirectory>${project.build.directory}/webapp/</warDirectory>
        <fork>true</fork>
        <ignorePackaging>true</ignorePackaging>
        <contextFile>${project.build.directory}/webapp/META-INF/context.xml</contextFile>
      </configuration>
    </execution>
    <execution>
      <id>tomcat-shutdown</id>
      <goals>
        <goal>shutdown</goal>
      </goals>
      <phase>post-integration-test</phase>
    </execution>
  </executions>
</plugin>

Cédric
Re: tomcat 7 ldap error
2013/8/7 Christopher Schultz ch...@christopherschultz.net: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Vicky, On 8/6/13 10:46 PM, vicky007aggar...@yahoo.co.in wrote: Hi All, Can somebody pls share the steps required to setup active directory with tomcat. Is it valid to simply define a user in the active directory ldap without assigning any role to it?? Will we still be able to authenticate the user when logged in from the application? If yes then kindly share the configuration which I need to do in web.xml and server.xml. I need this because in our application we have ldap users defined without any role mapped to them, so I want to know how to configure this in server.xml and web.xml, so that the user gets authenticated successfully.

I'm not sure about your LDAP configuration exactly (I've never used Tomcat with LDAP authentication myself) but Tomcat's security is entirely based upon roles. Thus, if you have (LDAP) users that are not in any group, those users are not going to be able to successfully access any resources unless you have <role-name>*</role-name> in your auth-constraint.

And, at least for tomcat 6 and 7, you will need to set the JNDIRealm attribute allRolesMode to authOnly if your users don't have any role in the LDAP. http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm
Re: JMX monitoring of tomcat service
2013/7/23 honyk j.tosov...@email.cz: Dear All, I run tomcat as a service on Windows Server 2008 R2. I am not able to monitor it locally yet (discussed in another thread) so in the meantime I am trying to establish a JMX connection to it acc. to this guide: http://tomcat.apache.org/tomcat-7.0-doc/monitoring.html All params are changed using tomcat7w.exe (in the Java options text field) and then the service is restarted. I am experiencing several weird issues:

1) Basic settings (single line): -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9090 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false

If these properties are on the same line in the java options tab, it won't work; they need to be on different lines.

[...]

b) When credentials files were specified, there were still 'FileNotFound' errors in the log (even when absolute paths were used):

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=9090
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=../conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=../conf/jmxremote.access
-Dcom.sun.management.jmxremote.ssl=false

When launching tomcat as a service, without changing the default configuration, it will start in the system32 folder (or something else on Win 2008) and not in the tomcat folder. So the path for the password file and access file should be absolute.
Re: Different behaviour when start inside Eclipse
2013/6/20 Demetrio Carvalho demetri...@hotmail.com: When I start Tomcat 7 by invoking startup.sh via gnome-terminal I can reach the administration console while browsing localhost:8080. But when I start the same Tomcat inside Eclipse, although my web application is working properly when I browse localhost:8080/my_application/index.html, I get error 404 when I try to browse localhost:8080. What is the difference about the start process between Eclipse and startup.sh?

Hello, The default webapps are not included when launching via eclipse. When adding a tomcat server in eclipse, it creates a catalina_base folder (most often under $eclipse_workspace/.metadata/wst.server.core/tmp$number) with no applications by default.

Cédric
Dynamic auth-constraint in web.xml ?
Hello, More of a servlet spec question than a tomcat one, and, from what I read, a rather long shot, but is there a way to define an auth-constraint dynamically in web.xml? For instance I'd like to have the following:

<security-constraint>
  <display-name></display-name>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <url-pattern>/something/(.*)/someotherthing</url-pattern>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>\1_something</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>*_something</role-name>
</security-role>

with \1 being the (.*) in url-pattern? I know I can do it programmatically with something like request.isUserInRole(). But I would like to define all the webapp security in another place than in code (if only not to forget anything :) ). I don't know if it is relevant but I'm using tomcat 6.0.36 at the moment on Windows 2003 with jdk 1.6_0.37.
Re: Dynamic auth-constraint in web.xml ?
2013/5/3 Christopher Schultz ch...@christopherschultz.net: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Cédric, On 5/3/13 3:09 AM, Cédric Couralet wrote: More of a servlet spec question than a tomcat one, and, from what I read, a rather long shot, but is there a way to define an auth-constraint dynamically in web.xml? For instance I'd like to have the following:

<security-constraint>
  <display-name></display-name>
  <web-resource-collection>
    <web-resource-name></web-resource-name>
    <url-pattern>/something/(.*)/someotherthing</url-pattern>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>\1_something</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>*_something</role-name>
</security-role>

with \1 being the (.*) in url-pattern?

Nope. You'll have to resort to using a Filter.

Yes, that is what I thought.

I know I can do it programmatically with something like request.isUserInRole(). But I would like to define all the webapp security in another place than in code (if only not to forget anything :) ).

If you wanted things to be a bit more explicit in web.xml, you could write a Filter that checks for a *specific* user role, and then configure it all in web.xml.

This is a good idea, I'll try and see where it goes. Thank you
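The Filter Chris suggests, written out as an added example (not code from the thread, and not Cédric's eventual implementation): it derives the required role from the path segment that the url-pattern's (.*) was meant to capture, and configures the suffix from web.xml so the policy stays visible there. The class and package names, the init-param name roleSuffix and the identifier charset accepted for the segment are my assumptions; it targets the Servlet 2.5 API that Tomcat 6.0.36 provides.

```java
package example; // hypothetical package, not from the thread

import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Requires role "<id>_something" for PUT/POST/DELETE on /something/<id>/someotherthing.
 *
 * web.xml (hypothetical):
 *   <filter>
 *     <filter-name>PathRoleFilter</filter-name>
 *     <filter-class>example.PathRoleFilter</filter-class>
 *     <init-param>
 *       <param-name>roleSuffix</param-name>
 *       <param-value>_something</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>PathRoleFilter</filter-name>
 *     <url-pattern>/something/*</url-pattern>
 *   </filter-mapping>
 *
 * A Filter only checks roles; it never makes the container authenticate anybody.
 * Keep a security-constraint on /something/* whose auth-constraint is
 * <role-name>*</role-name>, so the user is already logged in when this runs.
 */
public class PathRoleFilter implements Filter {

    // Only a conservative identifier charset becomes part of a role name; anything
    // else (dots, slashes, percent sequences) is simply not matched and is denied.
    private static final Pattern PATH =
        Pattern.compile("^/something/([A-Za-z0-9_-]{1,64})/someotherthing(?:/.*)?$");

    private String roleSuffix = "_something";

    public void init(FilterConfig config) {
        String configured = config.getInitParameter("roleSuffix");
        if (configured != null) {
            roleSuffix = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decoded, context-relative path (servletPath + pathInfo), not the raw URI.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        String required = requiredRole(request.getMethod(), path, roleSuffix);
        if (required == null) {
            chain.doFilter(req, res);              // unconstrained method or path
        } else if (request.getUserPrincipal() == null) {
            // The auth-constraint should have forced a login; if not, fail closed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else if (!request.isUserInRole(required)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            chain.doFilter(req, res);
        }
    }

    public void destroy() {
    }

    /** Role the request must hold, or null when neither method nor path is constrained. */
    static String requiredRole(String method, String path, String suffix) {
        if (!"PUT".equals(method) && !"POST".equals(method) && !"DELETE".equals(method)) {
            return null;
        }
        Matcher m = PATH.matcher(path);
        return m.matches() ? m.group(1) + suffix : null;
    }
}
```

Because the role names are built at request time they cannot be listed under security-role; Tomcat resolves isUserInRole() against the Realm, so that works there, but other containers may insist on a declared role reference. Constraining the segment charset matters: with an unrestricted (.*) a request for /something/admin/../x/someotherthing would, after normalisation, be evaluated against a different segment than the one the client typed.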
Re: SSLAuthenticator question
Hi, 2013/4/26 Jeffrey Janner jeffrey.jan...@polydyne.com: Ok, I know I've been doing this for a while and should probably know better, but... Since long ago (4.x?), at the guidance of some long-gone developers, I've been adding the following to our app_context.xml file for instances where we are expecting to use SSL protocol for communications. Note we are not using SSL-Client-Authentication, which is what I've recently discovered this valve actually implements. I actually use a security-constraint to force the conversation to the SSL port. So with that background, am I getting any beneficial side-effects from this, and, if so, is there a better way to get the same results?

<Valve className="org.apache.catalina.authenticator.SSLAuthenticator" securePagesWithPragma="false" />

If I'm not wrong, the authenticators are not called if the request is not constrained to an auth-constraint. If it was, you would need a client certificate to access your web app (ensured by that authenticator). So no in your case.

From the definition of the parameter, I am at least turning off some IE-incompatible headers that control proxy-caching.

Not even that, if you really have no auth-constraint then there is no justification to keep this authenticator in the context.

FYI: Currently deployed on Tomcat 6.0.27 and higher, and starting the transition to Tomcat 7.0.latest. Jeff
Re: Form Authentication
Hello, Without knowing what your security-constraints are, and where the css files are, I don't think anyone could help you. Did you try as a last measure to force css files to pass through the authentication, something as:

<security-constraint>
  <web-resource-collection>
    <url-pattern>*.css</url-pattern>
  </web-resource-collection>
</security-constraint>

(probably not a valid security-constraint, just to give the idea)

I did this kind of thing for the favicon. We had a webapp entirely protected by form authentication and on firefox after authentication we were directed to the favicon.ico (when one existed). Firefox seems to get the favicon after the first request even when the status is 401... So we had to add a special security-constraint for the favicon for our application to work correctly and correct that firefox behavior (I want to say bug, but I'm sure there is a very good explanation for this :).

2013/4/18 Barbara Newton barbara.new...@gmail.com: This is driving me crazy! I have configured form authentication in my web.xml with a number of security constraints. None of the constraints map to any CSS files. However, when I bring up the application the CSS files are hitting the authentication. Since my form has styling this is a problem of the chicken-and-egg sort since the CSS files are not authenticated yet. On top of that, when I do successfully authenticate, the CSS file is the one that has been saved by the authenticator and is the one that is returned so the browser just brings up the raw CSS file. Any thoughts? Ideas?

"The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair" --- Douglas Adams
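The constraint pair that makes the approach above work, as an added example that is not from the thread. A security-constraint with no auth-constraint means "no authentication required", and the container picks the single best-matching url-pattern per request: exact match first, then the longest path prefix, then extension patterns (Servlet 3.0 spec, 13.8.3, reusing the servlet-mapping rules). So a protected /* beats an exempting *.css, which is why an extension pattern alone does not rescue the stylesheets, while /css/* and an exact /favicon.ico both win against /*. The directory name /css, the role name "user" and the login page names are assumptions.

```xml
<!-- Everything needs a logged-in user holding role "user"... -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- ...except what the login page itself needs. No auth-constraint = unrestricted.
     /css/* is a longer prefix than /* and /favicon.ico is an exact match, so both
     override the protected /*. A pattern like *.css here would be ignored for any
     request that /* also matches, because prefix matches are preferred to
     extension matches. Keep this list to static files only: anything under it is
     served to anonymous clients. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public static resources</web-resource-name>
    <url-pattern>/css/*</url-pattern>
    <url-pattern>/favicon.ico</url-pattern>
  </web-resource-collection>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

The login and error pages need no exemption because the FormAuthenticator forwards to them internally rather than serving them as a separately constrained request; the stylesheet the login page links to is a separate browser request and does need one. After moving the CSS under /css/, a quick check is to fetch /css/site.css with no cookie and confirm a 200 rather than the login page.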
Re: IWA username using JSP for Already authenticated Window system
2013/3/25 N.s.Karthik nskarthi...@gmail.com: Hi Hello https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html I have already tried this and found the same to work only on Windows Environment but my Tomcat servers are on Oracle Linux Systems... Will this configuration work with Tomcat 7.0.30 on Linux with Clients using IE8 from Windows???

I will assume you talk about the SPNEGO Authenticator from tomcat. If that is the case, then I can confirm it works on Linux (Debian SID here). One thing to watch for is that the client must use Kerberos and not NTLM (it's a guess but it seems logical). For this, you must have AD knowing your tomcat server, i.e. nslookup your.url must return your IP address. For the rest, the documentation on the tomcat website is basically all I needed.
Re: IWA username using JSP for Already authenticated Window system
One thing to watch for is that the client must use Kerberos and not NTLM (it's a guess but it seems logical).

Sorry to burst in, but can you elaborate on that? Why does it seem logical? To my own (admittedly limited) knowledge, Kerberos is not the most widely implemented solution in Windows networks, NTLMv2 is. Does the SPNEGO implementation in Tomcat not work with NTLMv2 then?

Only on a linux box. In my mind, NTLM being a Microsoft protocol, the chance of it working on a linux box was small. That is what I observed. When the tomcat on my linux was configured with the SPNEGO valve, at first my browser was talking NTLM (apparently, you can see that when the first response to the negotiate challenge begins with NTRLM...), and I got an error in the tomcat log saying "can't validate client ticket". Once I declared the box in the active directory dns, my browser stopped using NTLM for Kerberos and everything works as expected. It should be apparent I'm really not an expert on that, so all that is just some guesses. I'm still studying all that.
Re: Tomcat 6.0.20/Windows 2008 R2/SSL Configuration
2013/3/20 Harris, Jeffrey E. jeffrey.har...@mantech.com: -Original Message- From: my business mail [mailto:mv.ma...@gmail.com] Sent: Wednesday, March 20, 2013 2:39 PM To: Tomcat Users List Subject: Re: Tomcat 6.0.20/Windows 2008 R2/SSL Configuration I only added the keystore property not truststore. I was just following what I'd done for tomcat4.1 on w2k3. Here is the log file. The keystore file is DEF in the path indicated, but I see the error below in the catalina file.

Mar 20, 2013 2:35:21 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'false' did not find a matching property.
Mar 20, 2013 2:35:21 PM org.apache.catalina.startup.SetAllPropertiesRule begin

One problem is that Tomcat is not finding your keystore file or loading your certificates. This can be because you entered the wrong path or file name, specified the wrong password, or there is a problem with the actual content of your keystore file.

Or maybe you are using APR with respect to SSL? The configuration is a little different. Can you try by replacing protocol="HTTP/1.1" with protocol="org.apache.coyote.http11.Http11Protocol" in your SSL connector?
Re: Question regarding JNDIRealm - tomcat 6.0.35
2013/2/19 Tanmoy Chatterjee tanmoy.chatter...@nxp.com: Hello, Technical Stack: Apache Tomcat v 6.0.35, OS: RHEL 5.3 64 bits, java version 1.6.0_18 32 bits. I am using Realm className=org.apache.catalina.realm.JNDIRealm for connecting to LDAP. Is there any configuration to prevent the default connection to LDAP happening on Tomcat start? If I have to write my own code for doing this, which method should I be overriding?

Hello, By pure curiosity, why would you want that? The validation happens in the start method of JNDIRealm:

    // Validate that we can open our connection
    try {
        open();
    } catch (NamingException e) {
        throw new LifecycleException(sm.getString("jndiRealm.open"), e);
    }

My first attempt was to override this method in a custom Class which inherits from JNDIRealm. This obviously can't work short of rewriting the complete call to super.start(). Or, but I didn't test nor do I know if it is good (or even valid) java, you could try by overriding this method like that:

    @Override
    public void start() throws LifecycleException {
        ((RealmBase) this).start();
    }
Re: Question regarding JNDIRealm - tomcat 6.0.35
2013/2/20 Tanmoy Chatterjee tanmoy.chatter...@nxp.com: Hello Cédric, The reason I want to do this is as follows: I am facing the problem already expressed in https://issues.apache.org/bugzilla/show_bug.cgi?id=33774 I see that the bug status shows as Fixed, however I still get the same issue on the stack mentioned earlier. Hence what I have done is that I have already extended the JNDIRealm class (CustomJNDIRealm) to disconnect as soon as authentication is successful. (ref: http://stackoverflow.com/questions/10911897/tomcat-7-0-14-ldap-authentication)

    import java.security.Principal;
    import org.apache.catalina.realm.JNDIRealm;

    public class CustomJNDIRealm extends JNDIRealm {
        @Override
        public Principal authenticate(String username, String credentials) {
            Principal principal = super.authenticate(username, credentials);
            // context is the DirContext JNDIRealm keeps open between requests
            if (context != null) {
                close(context);
            }
            return principal;
        }
    }

Have tested this and I see it to be working great except for a small problem. After tomcat starts successfully and remains idle, i.e. let's say there is no user who logs in (gets authenticated) for 5-10 mins... I face the same issue as mentioned in the above bug. This is because the initial connection to the LDAP exists and the above overridden authenticate() doesn't get called. Hence I want to prevent the initial connection started by tomcat to LDAP as well. I am looking for some good way of doing this only on tomcat start-up and not all the other times. What I am not able to understand is why Tomcat doesn't allow configurable parameters to either select / deselect the Realm connections on startup.

So you don't mind the initial connection but want to close it as soon as possible. Then what about writing a custom start method in your CustomJNDIRealm based on your overriding of the authenticate method:

    @Override
    public void start() throws LifecycleException {
        super.start();
        if (context != null) {
            close(context);
        }
    }

To come back to the root of the problem. In tomcat6, there is a chance an exception is thrown with JNDIRealm when no user has tried to log in in a certain time. That exception is logged at a WARNING level and I tend to ignore them because tomcat retries anyway. I don't think you should do anything just to avoid those.

Hope this helps, Cédric
Re: Tomcat Client Authentication
2013/2/20 maximilian-schm...@telekom.de: Hello Mark, thank you for the quick answer! Could you explain how I can change how to derive the user name from the cert? I don't have a DN in my certificate (only E, CN, OU, O, L, S, C). This would be very great.

Hello, The different E, CN, ... are elements which compose the DN. You can retrieve it with the keytool program:

keytool -printcert -file path/to/certificatePem

And look at the first line which could be "Owner" or "Subject" (I only have a french version at the moment which says "Propriétaire:").
Re: Tomcat Client Authentication
2013/2/20 maximilian-schm...@telekom.de: Hello Cedric, And look at the first line which could be "Owner" or "Subject" (I only have a french version at the moment which says "Propriétaire:") (I created another Client-Cert) I did it and it shows me: CN=User03, OU=Any, O=Company, L=City, ST=Something, C=DE So I wrote:

<user username="CN=User03, OU=Any, O=Company, L=City, ST=Something, C=DE" password="" roles="secureconn, admin"/>

But still I get a 403 Error when I try to connect. Maybe this is helpful: I used a PKCS12 Certificate to install it into my Browser (within Private Public Key). Does anyone have an idea why this doesn't work?

A 403 error usually means the user does not have the right role for this resource. You can see what is going on by putting these lines at the end of your logging.properties file:

org.apache.catalina.realm.level=DEBUG
org.apache.catalina.authenticator.level=DEBUG

And check the log file.
Re: Question regarding JNDIRealm - tomcat 6.0.35
2013/2/20 Tanmoy Chatterjee tanmoy.chatter...@nxp.com: Thanks Cédric, I will try this and let you know. Once Ldap closes the connection from its end, tomcat indeed keeps on trying and finally establishes a new connection, but the time spent in retrying is too high (more than 4-5 minutes) and in that time the user cannot login, the login page just sort of hangs in the browser.

I'd say this is more a problem with openldap. Do you know why tomcat hangs to recreate the connection when openldap closes it? Do you have anything in the openldap configuration which could explain this? We are at the moment migrating our old ldap server to openldap and this could be a real issue for us.

Just a note, from what I see, Tomcat does not keep on trying. A first attempt is made on the context, then if an exception is thrown, it is caught and tomcat calls the open method again (which tries first the connectionURL and then the alternateURL if there is a problem). So only two attempts if I'm not wrong.
Re: Reporting a revoked certificate
> Thanks Dan - which access log should I look at? All of the Tomcat logs don't show anything. I've got it configured with APR TCNATIVE.

Hello,

I'm not sure you could get an error page. The SSL dialog takes place before any HTTP communication, so I don't think Tomcat can send an HTTP response if the certificate is revoked. You could use openssl s_client to try and connect to your server to see what is returned from Tomcat exactly.

Cédric
Re: Reporting a revoked certificate
> Hello,
>
> I'm not sure you could get an error page. The SSL dialog takes place before any HTTP communication, so I don't think Tomcat can send an HTTP response if the certificate is revoked. You could use openssl s_client to try and connect to your server to see what is returned from Tomcat exactly.

And as a quick test, you could try with Firefox. I've found it gives almost meaningful error dialogs when dealing with SSL.
Re: Tomcat 7.0.33 just stops without any errors...
2012/12/20 Tony Anecito adanec...@yahoo.com:
> Hi All,
> I have noticed since switching to Tomcat 7.0.33 64-bit that sometimes it just stops functioning with no errors and no events in Windows to give me a reason why. It seems to do it once every couple of weeks. Has anyone experienced that? I am thinking next time to hook up visualvm to see what I can see.

Hello,

If there is really nothing in all the logs generated by Tomcat then it could be a JVM crash. Some explanation could be found in a file named hs_err_pid.log. By default it is in the working directory. For Tomcat as a service in Windows, I noticed it is in %WIN_DIR%/system32/

http://www.oracle.com/technetwork/java/javase/felog-138657.html#gbwcy
Re: JMX with Listener
2012/12/11 André Warnier a...@ice-sa.com:
> Cédric Couralet wrote:
> > ...
> > One question, though: in the Tomcat doc (for 6.0.x) for the JMXRemoteListener, the configuration is:
> > -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
> > -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
> > while mine is
> > -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
> > (notice the {}). Is it my mistake?
>
> No, it is not a mistake. The above are lines extracted from a shell script, I presume. In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent. The {} form helps to clarify things for the shell when the character which *follows* the name of the variable could be considered by the shell as part of the variable name. For example in:
> echo something $my_file_conf
> it is not clear whether the name of the variable is my or my_file or my_file_conf (or anything in-between), and by default the shell will use the longer possibility. Writing this as
> echo something ${my_file}_conf
> leaves only one possible interpretation. In $CATALINA_BASE/conf/jmxremote.password there is really no ambiguity (because / cannot be part of a variable name), but the form ${CATALINA_BASE}/conf/jmxremote.password is anyway clearer and less prone to oversights. (But it is slightly more work to type, and as programmers are a notoriously lazy and hubristic bunch, they rarely go through the trouble.)
> I suppose that - just to kid Christopher - I could go on like this, talking about interpolation and stuff, but I'll leave it at that because it's already late here.

I finally had some time to do some testing.

First, even with useLocalPorts=true, the JmxConnectorServer listens on all interfaces but won't accept connections from remote hosts. From the Tomcat code, only the RMI client socket is forced to localhost, at least on Tomcat 6.0.x. An RMI server socket could be created to force listening on a specified interface, but I am not sure of any side effect.

Second, for my password problem, there was a problem with my configuration. In the Tomcat service, for JavaOptions, I had -Dcom.sun.management.jmxremote.authenticate=true (with a space after true), so when parsing the system properties in the Listener, the lines (in the init() method):

String authenticateValue = System.getProperty("com.sun.management.jmxremote.authenticate", "true");
authenticate = Boolean.parseBoolean(authenticateValue);

returned false. This is only a problem with Tomcat as a service (on Windows); in command line I'm guessing the double space won't be taken into account by the shell.

And now, another problem with this is that I can't reference catalina.base in those options. I tried: %CATALINA_BASE%, $CATALINA_BASE, ${catalina.base} and none of these values are expanded. Is it possible at all? It is not so much of a problem, I can write the path by hand, but it would be nice to have.

Cédric
Re: JMX with Listener
> Where do you /set/ CATALINA_BASE?

Hum, nowhere. OK, my mistake, but I set catalina.base as a JVM option and I would like to reference it in another. As I said, I don't think Java can do it so I may be out of luck.
Re: JMX with Listener
2012/12/17 André Warnier a...@ice-sa.com:
> Cédric Couralet wrote:
> > > Where do you /set/ CATALINA_BASE?
> >
> > Hum, nowhere. OK, my mistake, but I set catalina.base as a JVM option and I would like to reference it in another. As I said, I don't think Java can do it so I may be out of luck.
>
> [snip great explanation on Tomcat as a Windows service]
>
> Later if you want to change it, you can probably do this by running tomcat7.exe with the //US (update service) switch (see the doc).

Thank you for all this :)
I know I can probably do it by updating (or uninstalling/installing) the service, but I was wondering if one could set a JVM option like -Dtest=true and then reference it in another Java option like -Dtest2=${test}, but it is far from being a question on topic.

My initial problem is resolved:
- JMXRemoteLifecycleListener listens on all interfaces - seems normal as any connection from remote hosts seems to be rejected.
- the authenticate=true was not taken into account by Tomcat - it was due to a space after the true in the java_options for the service. That space causes the line authenticate=Boolean.parseBoolean(authenticateValue) to return false. It can't happen when running in command line, as the spaces will be considered as one by the shell.

Thanks everyone for the big help.
Cédric
JMX with Listener
Hello,

In our Tomcat, we use at the moment the JMXRemoteLifecycleListener configured as:

<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" useLocalPorts="true" />

The configuration for the Windows service is:

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=${CATALINA_BASE}/conf/jmxremote.access
-Dcom.sun.management.jmxremote.ssl=false

with jmxremote.access being a text file with:
nagios readonly
and jmxremote.password:
nagios nagios

Version and OS information:
- Tomcat 6.0.35
- Windows Server 2003 32bit
- JDK 1.6.36

Now for my problems or questions:
- Apparently, the JMX listener listens on 0.0.0.0 (confirmed by a netstat) on the two ports configured for the listener, is it normal? I thought that useLocalPorts would restrain the listening only to 127.0.0.1. As I can't seem to connect on those ports with a remote host, I think it is normal but I would like some clarifications if possible.
- With jvisualvm I am able to connect through JMX with the URL service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi without entering the credentials (nagios:nagios). I thought that by entering com.sun.management.jmxremote.authenticate=true, even read access would be restricted.

Thank you for any answers.
Cédric Couralet
Re: JMX with Listener
> Okay.
>
> > Now for my problems or questions:
> > - Apparently, the JMX listener listens on 0.0.0.0 (confirmed by a netstat) on the two ports configured for the listener, is it normal? I thought that useLocalPorts would restrain the listening only to 127.0.0.1.
>
> useLocalPorts /should/ force 127.0.0.1 (actually localhost... whatever that resolves to on your server). Can you confirm that you are editing the correct server.xml? If you edit it in one place and then deploy it, please make sure you have the latest version installed under CATALINA_BASE/conf.

So it should force 127.0.0.1, ok!

> > - With jvisualvm I am able to connect through JMX with the URL service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi without entering the credentials (nagios:nagios). I thought that by entering com.sun.management.jmxremote.authenticate=true, even read access would be restricted.
>
> I think you need to double-check that you are actually using the configuration you think you are.

I think so too now :) I'll double check it. Is there a way to dump the JMX configuration in the JVM? It happens on all the Tomcats in use (a lot) and I'm quite sure I am not mistaken in the server.xml for every one of them.

One question, though: in the Tomcat doc (for 6.0.x) for the JMXRemoteListener, the configuration is:
-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
while mine is
-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
(notice the {}). Is it my mistake?

> Another note: using traditional JMX with Nagios is going to suck. You are probably going to make, say, 5 connections to your server every minute to check on things like heap size, request-time, etc. Each of those connections requires a complete JMX connection which is not cheap to make -- especially if the client is running on the same server. That's 5 JVMs, 5 JMX connections, etc. every minute (or 5 or whatever).

We don't really use Nagios as is. We use check_MK, an agent installed on the host, for which I developed a plugin to get only the information I want, with one connection to JMX (thus my need to restrict to localhost).

> If you just want to make some quick checks, consider looking at the JMXProxyServlet which is provided by the manager webapp. I believe it will be a much lighter-weight solution (and does not require all of this crazy setup to configure JMX authentication, etc.).

Some ancient rules force us to deactivate the manager webapp (those rules originated from some vulnerabilities with the manager webapp I believe), but I'm trying to get it back with the appropriate security, even if only to ease deployments :).

Thanks for the help!

> -chris
Re: JMX with Listener
> > > Okay.
> > >
> > > > Now for my problems or questions:
> > > > - Apparently, the JMX listener listens on 0.0.0.0 (confirmed by a netstat) on the two ports configured for the listener, is it normal? I thought that useLocalPorts would restrain the listening only to 127.0.0.1.
> > >
> > > useLocalPorts /should/ force 127.0.0.1 (actually localhost... whatever that resolves to on your server). Can you confirm that you are editing the correct server.xml? If you edit it in one place and then deploy it, please make sure you have the latest version installed under CATALINA_BASE/conf.
> >
> > So it should force 127.0.0.1, ok!
>
> No, it forces the hostname localhost. That might mean 10.0.0.1 on your system. Try "host localhost" and see what happens.

Yes, I should have thought of that sooner, I saw a couple of times a Windows server without any localhost in its hosts file. Thanks for the help.
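An added example, not code from the thread or from Tomcat: a small linter for the JavaOptions block of a Tomcat Windows service that flags the two pitfalls worked out above (a trailing space after "true" that Boolean.parseBoolean turns into false, and ${CATALINA_BASE}-style variables that the JVM never expands in service options). The sample options are constructed to mirror the configuration discussed in this thread.

```python
import re

# Added example, not code from the thread: a linter for the JavaOptions block of
# a Tomcat Windows service, covering the pitfalls discussed above.
def java_parse_boolean(value):
    """Mirror java.lang.Boolean.parseBoolean: only the exact string "true"
    (case-insensitive) is true, so "true " with a trailing space is false."""
    return value is not None and value.lower() == "true"

def parse_java_options(text):
    """Split one -D option per line into {key: value}. Whitespace is kept
    exactly as found, because the JVM does not trim property values."""
    opts = {}
    for line in text.splitlines():
        if line.startswith("-D"):
            key, sep, value = line[2:].partition("=")
            opts[key] = value if sep else None
    return opts

# ${VAR}, %VAR% and $VAR are not expanded inside service JavaOptions.
UNEXPANDED = re.compile(r"\$\{[^}]*\}|%[^%\s]+%|\$[A-Za-z_]\w*")

def check_jmx_options(opts):
    """Return findings for the com.sun.management.jmxremote.* settings."""
    p = "com.sun.management.jmxremote."
    findings = []
    auth = opts.get(p + "authenticate")
    if not java_parse_boolean(auth):
        note = "JMX authentication is off"
        if auth is not None and auth.strip().lower() == "true":
            note += " (value %r has whitespace, so parseBoolean gives false)" % auth
        findings.append(note)
    if not java_parse_boolean(opts.get(p + "ssl")):
        findings.append("JMX connector runs without SSL; keep it bound to localhost")
    for name in ("password.file", "access.file"):
        val = opts.get(p + name)
        if val is not None and UNEXPANDED.search(val):
            findings.append("%s path %r holds a variable the JVM will not expand" % (name, val))
    return findings

# Constructed sample mirroring the service configuration from the thread,
# including the trailing space after "true" that caused the problem.
BROKEN_OPTIONS = (
    "-Dcom.sun.management.jmxremote\n"
    "-Dcom.sun.management.jmxremote.authenticate=true \n"
    "-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password\n"
    "-Dcom.sun.management.jmxremote.access.file=${CATALINA_BASE}/conf/jmxremote.access\n"
    "-Dcom.sun.management.jmxremote.ssl=false\n"
)

if __name__ == "__main__":
    for finding in check_jmx_options(parse_java_options(BROKEN_OPTIONS)):
        print("-", finding)
```

Run against the constructed sample it reports four findings; with the space removed and an absolute path in place of ${CATALINA_BASE} only the ssl=false note remains.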
Re: Windows Service Security
> Bill,
>
> - create a local user, e.g. tomcat
> - stop Tomcat
> - use whatever path the Microsoft geniuses have invented this week to reach the Services applet
> - search for the Apache Tomcat service
> - right click on it and select Settings or Properties (ditto)
> - in the tab Login as (or ditto), change the account to the one you just created
> - before you restart Tomcat, make sure that all its files/directories can be read/written by this user
> - then restart Tomcat
>
> As long as the Tomcat process (and any of its webapps) does not need any Windows network resources (network shares or printers or the like), you'll be fine. If you need any of these, then you'll have to use a Domain user instead of a local one. (Note that Tomcat probably does not need any of those, since it was running fine as LocalSystem and that user does not have access to Windows network resources either).

Or you can use one of the two built-in accounts in Windows 2008 (and possibly Windows 2003): Local Service and Network Service. From what I have seen, these two accounts are simple users on the computer (with some extended rights for accessing network shares for Network Service). They have no administrative rights on the system, so you have to allow them read or write access on the different folders where Tomcat might read or write. Documentation for these accounts can be found here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686005(v=vs.85).aspx
Re: Windows Service Security
> Maybe as a suggestion for the people who make the installers for Tomcat/Windows?

I'm not sure I understand (you'll have to excuse my poor understanding of English nuance :) ). My reply was not a suggestion, but it would be great if the installer could provide the option. I never looked at how the installer was made, so I do not know if it is possible.

--
Cédric Couralet