Re: Question about custom JSSEImplementation

2016-09-22 Thread Jacopo Cappellato 
On Thu, Sep 22, 2016 at 4:07 PM, Mark Thomas  wrote:

>
> It is only used by BIO which has been removed in 8.5.x. Even in 8.0.x I
> don't see anywhere obvious it could help unless you:
> a) set bindOnInit to false
> and
> b) start/stop the connector frequently
>
> In that case, it could speed up the connector start time.
>
> Mark
>

Thank you Mark, your feedback is of great help: we are using NIO connectors
that are started once and we do not set/use bindOnInit so we can probably
just get rid of this old legacy code.

Thank you,

Jacopo

Question about custom JSSEImplementation

2016-09-22 Thread Jacopo Cappellato 
Hi all,

I am reviewing some legacy code in Apache OFBiz [*], in the attempt to
simplify its integration with Tomcat 8.0.+ and in preparation to upgrade to
Tomcat 8.5.+.
I have noticed that OFBiz, which starts a Tomcat instance in embedded mode,
uses a legacy class that extends the Tomcat's JSSEImplementation class.
This implementation, in particular, overrides the getServerFactory(...)
method to save an instance of ServerSocketFactory and return it if already
set [**].

Unfortunately I don't know enough about Tomcat internals to understand if
the OFBiz implementation makes any sense: do you have any feedback to share
on how this code could affect the behavior of Tomcat? Maybe a difference in
performance in the setup of an encrypted connection?
As a side note, OFBiz seems to work fine even when I switch to the Tomcat
standard implementation by setting:
sslImplementationName=org.apache.tomcat.util.net.jsse.JSSEImplementation

Thanks in advance,

Jacopo

[*] http://ofbiz.apache.org/

[**] the OFBiz legacy implementation (simplified) of JSSEImplementation:

public class SSLImpl extends JSSEImplementation {
protected ServerSocketFactory ssFactory = null;

@Override
public ServerSocketFactory getServerSocketFactory(AbstractEndpoint
endpoint) {
if (this.ssFactory == null) {
this.ssFactory = (new
JSSEImplementation()).getServerSocketFactory(endpoint);
}
return ssFactory;
}
}

Re: Enabling X-XSS-Protection

2015-12-14 Thread Jacopo Cappellato 
Hi Mark,

I have created a ticket and attached a patch to it:
https://bz.apache.org/bugzilla/show_bug.cgi?id=58735

Thanks,

Jacopo

On 08/10/2015, Mark Thomas wrote:
> On 08/10/2015, Jacopo Cappellato wrote:
>>...
>> Do you think that HttpHeaderSecurityFilter should be enhanced to support
>> this (I could provide a patch for this)? Is there another way?

> A patch to add support for this header would be great.

> Mark

Enabling X-XSS-Protection

2015-10-07 Thread Jacopo Cappellato 
Hi all,

I am looking for a way to add the X-XSS-Protection header (*) to the
response from Tomcat.

I am currently using the Tomcat's HttpHeaderSecurityFilter that allows to
setup other useful security related headers but it doesn't seem to support
the X-XSS-Protection header (**).

Do you think that HttpHeaderSecurityFilter should be enhanced to support
this (I could provide a patch for this)? Is there another way?

Thanks in advance,

Jacopo

(*) https://www.owasp.org/index.php/List_of_useful_HTTP_headers
(**) https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html

Re: Issue running Websockets JSR356 with Tomcat 7.0.50 Embedded

2014-02-25 Thread Jacopo Cappellato 
Any hints? I would really appreciate if someone could provide some pointers 
(e.g. classes involved etc) about the implementation of the mechanism used to 
discover and deploy endpoints; I will then try to study the code in order to 
figure out why it doesn't work when I set jarScanner.setScanClassPath(false)

Thanks,

Jacopo

On Feb 14, 2014, at 7:58 PM, Jacopo Cappellato jacopo.cappell...@gmail.com 
wrote:

 Here is the client code that I use to recreate the problem:
 
public static void main(String[] args) throws Exception {
 
String currentDir = new File(.).getCanonicalPath();
String tomcatDir = currentDir + File.separatorChar + tomcat;
String webRoot = currentDir + File.separatorChar + examples;
 
Tomcat tomcat = new Tomcat();
tomcat.setBaseDir(tomcatDir);
tomcat.setPort(8080);
 
tomcat.addWebapp(/examples, webRoot);
 
// this code gets the JarScanner and sets scanClassPath to false:
// with this setting the websockets are not deployed
Container[] containers = 
 tomcat.getService().getContainer().findChildren();
StandardHost host = (StandardHost)containers[0];
containers = host.findChildren();
StandardContext ctx = (StandardContext)containers[0];
StandardJarScanner jarScanner = 
 (StandardJarScanner)ctx.getJarScanner();
jarScanner.setScanClassPath(false); // if this is set to true the 
 websockets are deployed successfully
 
tomcat.start();
 
while (true) {
Thread.sleep(9);
}
}
 
 I run this code from a folder containing the examples webapp and the Tomcat 
 jars.
 
 Is there a way to deploy successfully the websockets with 
 setScanClassPath(false) ?
 
 Thanks,
 
 Jacopo


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Issue running Websockets JSR356 with Tomcat 7.0.50 Embedded

2014-02-25 Thread Jacopo Cappellato 

On Feb 25, 2014, at 4:20 PM, Mark Thomas ma...@apache.org wrote:

 On 25/02/2014 15:14, Jacopo Cappellato wrote:
 Any hints? I would really appreciate if someone could provide some
 pointers (e.g. classes involved etc) about the implementation of the
 mechanism used to discover and deploy endpoints; I will then try to
 study the code in order to figure out why it doesn't work when I set
 jarScanner.setScanClassPath(false)
 
 Presumably because the Endpoints you are trying to deploy are not part
 of the web application (i.e. in WEB-INF/classes or WEB-INF/lib) and
 loaded by the web application but are on the class path.

Well, actually in my unit test (posted in this thread) I am deploying the 
examples application of Tomcat, and the websockets in it are under the WEB-INF 
folder.

Jacopo

 
 Mark
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Websocket classes in tomcat-embed-core-7.0.52.jar

2014-02-20 Thread Jacopo Cappellato 
On Feb 20, 2014, at 9:10 AM, Ralph Schaer ralphsch...@gmail.com wrote:

 Hi
 
 The embedded core jar 7.0.52 no longer contains the websocket classes.
 It only contains an empty org.apache.tomcat.websocket package
 
 Version 7.0.50 of the embedded core contains all the websocket classes.
 
 Is this a intentional change or maybe a bug in the build process?

This is true, however the embedded distribution now has a separate jar with the 
websockets implementation:

tomcat7-embed-websocket.jar

Jacopo


 
 Ralph


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Issue running Websockets JSR356 with Tomcat 7.0.50 Embedded

2014-02-14 Thread Jacopo Cappellato 
Here is the client code that I use to recreate the problem:

public static void main(String[] args) throws Exception {

String currentDir = new File(.).getCanonicalPath();
String tomcatDir = currentDir + File.separatorChar + tomcat;
String webRoot = currentDir + File.separatorChar + examples;

Tomcat tomcat = new Tomcat();
tomcat.setBaseDir(tomcatDir);
tomcat.setPort(8080);

tomcat.addWebapp(/examples, webRoot);

// this code gets the JarScanner and sets scanClassPath to false:
// with this setting the websockets are not deployed
Container[] containers = 
tomcat.getService().getContainer().findChildren();
StandardHost host = (StandardHost)containers[0];
containers = host.findChildren();
StandardContext ctx = (StandardContext)containers[0];
StandardJarScanner jarScanner = (StandardJarScanner)ctx.getJarScanner();
jarScanner.setScanClassPath(false); // if this is set to true the 
websockets are deployed successfully

tomcat.start();

while (true) {
Thread.sleep(9);
}
}

I run this code from a folder containing the examples webapp and the Tomcat 
jars.

Is there a way to deploy successfully the websockets with 
setScanClassPath(false) ?

Thanks,

Jacopo


On Feb 13, 2014, at 6:47 PM, Jacopo Cappellato jacopo.cappell...@gmail.com 
wrote:

 Hello all,
 
 I did further tests and I have now implemented a test client that executes a 
 Tomcat embedded instance that is successfully running websockets.
 The client code resembles quite closely what we are doing in OFBiz to prepare 
 the Tomcat instance... and I think I have found the settings that is causing 
 the issue in OFBiz.
 When in OFBiz we create the Context objects we set in their JarScanner (we 
 use the StandardJarScanner): setScanClassPath(false)
 
 I have noticed that if in my test client I set the same the websockets are 
 not mounted; they only work with setScanClassPath(true).
 
 Since I doubt we will be able to set it to true in OFBiz, I would really 
 appreciate if you could provide some hints about the mechanism that Tomcat 
 uses to deploy websockets.
 
 Am I completely off track?
 
 Thanks,
 
 Jacopo
 
 On Jan 29, 2014, at 4:42 PM, Jacopo Cappellato jacopo.cappell...@gmail.com 
 wrote:
 
 Hello all,
 
 I am trying to deploy and use Websockets using the Tomcat 7.0.50 *Embedded* 
 distribution [*].
 
 Some more details on my environment:
 * I have the following jars in my classpath:
 ** tomcat-7.0.50-tomcat-embed-core.jar
 ** tomcat-7.0.50-tomcat-embed-jasper.jar
 ** tomcat-7.0.50-tomcat-embed-logging-log4j.jar
 ** tomcat-7.0.50-tomcat7-websocket.jar
 ** tomcat-7.0.50-websocket-api.jar
 ** ecj-4.2.2.jar
 ** annotations-api-3.0.jar
 ** jsp-api-2.2.jar
 ** servlet-api-3.0.jar
 * I have mounted the examples webapp that comes with Tomcat (Core 
 distribution) using the Embedded Tomcat instance: all the examples work fine 
 (including the websocket-deprecated ones) except for the Websockets JSR356 
 ones
 
 When I try to run the Websockets JSR356 examples, when I try to Connect 
 (either using the programmatic API or the annotation API) I get the message: 
 Info: WebSocket connection closed.
 Nothing appears in the console.
 
 Any hints would be greatly appreciated. Thanks in advance
 
 Jacopo
 
 [*] The reason I am using the Embedded version of Tomcat is that I am trying 
 to add support for Websockets to Apache OFBiz (ofbiz.apache.org) and OFBiz 
 runs Tomcat in embedded mode.
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Issue running Websockets JSR356 with Tomcat 7.0.50 Embedded

2014-02-13 Thread Jacopo Cappellato 
Hello all,

I did further tests and I have now implemented a test client that executes a 
Tomcat embedded instance that is successfully running websockets.
The client code resembles quite closely what we are doing in OFBiz to prepare 
the Tomcat instance... and I think I have found the settings that is causing 
the issue in OFBiz.
When in OFBiz we create the Context objects we set in their JarScanner (we use 
the StandardJarScanner): setScanClassPath(false)

I have noticed that if in my test client I set the same the websockets are not 
mounted; they only work with setScanClassPath(true).

Since I doubt we will be able to set it to true in OFBiz, I would really 
appreciate if you could provide some hints about the mechanism that Tomcat uses 
to deploy websockets.

Am I completely off track?

Thanks,

Jacopo

On Jan 29, 2014, at 4:42 PM, Jacopo Cappellato jacopo.cappell...@gmail.com 
wrote:

 Hello all,
 
 I am trying to deploy and use Websockets using the Tomcat 7.0.50 *Embedded* 
 distribution [*].
 
 Some more details on my environment:
 * I have the following jars in my classpath:
 ** tomcat-7.0.50-tomcat-embed-core.jar
 ** tomcat-7.0.50-tomcat-embed-jasper.jar
 ** tomcat-7.0.50-tomcat-embed-logging-log4j.jar
 ** tomcat-7.0.50-tomcat7-websocket.jar
 ** tomcat-7.0.50-websocket-api.jar
 ** ecj-4.2.2.jar
 ** annotations-api-3.0.jar
 ** jsp-api-2.2.jar
 ** servlet-api-3.0.jar
 * I have mounted the examples webapp that comes with Tomcat (Core 
 distribution) using the Embedded Tomcat instance: all the examples work fine 
 (including the websocket-deprecated ones) except for the Websockets JSR356 
 ones
 
 When I try to run the Websockets JSR356 examples, when I try to Connect 
 (either using the programmatic API or the annotation API) I get the message: 
 Info: WebSocket connection closed.
 Nothing appears in the console.
 
 Any hints would be greatly appreciated. Thanks in advance
 
 Jacopo
 
 [*] The reason I am using the Embedded version of Tomcat is that I am trying 
 to add support for Websockets to Apache OFBiz (ofbiz.apache.org) and OFBiz 
 runs Tomcat in embedded mode.
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Issue running Websockets JSR356 with Tomcat 7.0.50 Embedded

2014-01-29 Thread Jacopo Cappellato 
Hello all,

I am trying to deploy and use Websockets using the Tomcat 7.0.50 *Embedded* 
distribution [*].

Some more details on my environment:
* I have the following jars in my classpath:
** tomcat-7.0.50-tomcat-embed-core.jar
** tomcat-7.0.50-tomcat-embed-jasper.jar
** tomcat-7.0.50-tomcat-embed-logging-log4j.jar
** tomcat-7.0.50-tomcat7-websocket.jar
** tomcat-7.0.50-websocket-api.jar
** ecj-4.2.2.jar
** annotations-api-3.0.jar
** jsp-api-2.2.jar
** servlet-api-3.0.jar
* I have mounted the examples webapp that comes with Tomcat (Core 
distribution) using the Embedded Tomcat instance: all the examples work fine 
(including the websocket-deprecated ones) except for the Websockets JSR356 ones

When I try to run the Websockets JSR356 examples, when I try to Connect 
(either using the programmatic API or the annotation API) I get the message: 
Info: WebSocket connection closed.
Nothing appears in the console.

Any hints would be greatly appreciated. Thanks in advance

Jacopo

[*] The reason I am using the Embedded version of Tomcat is that I am trying to 
add support for Websockets to Apache OFBiz (ofbiz.apache.org) and OFBiz runs 
Tomcat in embedded mode.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Issue running Websockets JSR356 with Tomcat 7.0.50 Embedded

2014-01-29 Thread Jacopo Cappellato 
Thank you Mark!

Please see inline:

On Jan 29, 2014, at 4:50 PM, Mark Thomas ma...@apache.org wrote:

 On 29/01/2014 15:42, Jacopo Cappellato wrote:
 Hello all,
 
 I am trying to deploy and use Websockets using the Tomcat 7.0.50 *Embedded* 
 distribution [*].
 
 Java version?

1.7.0_40

 
 Some more details on my environment:
 * I have the following jars in my classpath:
 ** tomcat-7.0.50-tomcat-embed-core.jar
 ** tomcat-7.0.50-tomcat-embed-jasper.jar
 ** tomcat-7.0.50-tomcat-embed-logging-log4j.jar
 ** tomcat-7.0.50-tomcat7-websocket.jar
 ** tomcat-7.0.50-websocket-api.jar
 ** ecj-4.2.2.jar
 ** annotations-api-3.0.jar
 ** jsp-api-2.2.jar
 ** servlet-api-3.0.jar
 * I have mounted the examples webapp that comes with Tomcat (Core 
 distribution) using the Embedded Tomcat instance: all the examples work fine 
 (including the websocket-deprecated ones) except for the Websockets JSR356 
 ones
 
 I think you may have duplicated some classes there. Some of those API JARs 
 may not be required.
 
 When I try to run the Websockets JSR356 examples, when I try to Connect 
 (either using the programmatic API or the annotation API) I get the message: 
 Info: WebSocket connection closed.
 Nothing appears in the console.
 
 The HTTP headers send and received would help you to debug / enable us
 to provide you with some pointers.

The error I am getting in the browser is the following:

[Error] WebSocket connection to 
'ws://localhost:8080/examples/websocket/echoAnnotation' failed: Unexpected 
response code: 404 (echo.xhtml, line 0)

It seems like the endpoint was not mounted but I amy be wrong.

Thanks,

Jacopo

 
 Mark
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Fine tune or disable JMX activity

2012-06-22 Thread Jacopo Cappellato 
Hi all,

I am a committer of the Apache OFBiz project; OFBiz uses Tomcat 7.0.28 in 
embedded mode.
While doing some profiling with Java VisualVM I have noticed that a lot of 
object (java.util.TreeMap$Entry) are created even when there is no traffic; 
they don't represent a memory leak because a garbage collection removes them 
all, but the still grow at a very high pace; they seem to be generated by JMX 
support in Tomcat.
Is it possible? Is there a way to disable JMX related activity (if not needed, 
of course)? I am worried that this could cause an unnecessary waste of server 
resources (more frequent GCs etc...).

Thanks in advance,

Jacopo
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Fine tune or disable JMX activity

2012-06-22 Thread Jacopo Cappellato 

On Jun 22, 2012, at 5:11 PM, Pid wrote:

 On 22/06/2012 16:09, Jacopo Cappellato wrote:
 Hi all,
 
 I am a committer of the Apache OFBiz project; OFBiz uses Tomcat 7.0.28 in 
 embedded mode.
 While doing some profiling with Java VisualVM I have noticed that a lot of 
 object (java.util.TreeMap$Entry) are created even when there is no traffic; 
 they don't represent a memory leak because a garbage collection removes them 
 all, but the still grow at a very high pace; they seem to be generated by 
 JMX support in Tomcat.
 
 Can you explain a little about how you concluded that Tomcat's JMX
 support is responsible?
 

I am actually not sure if Tomcat is responsible for this (it could actually be 
completely unrelated); I think it is related to JMX because I have found that 
most of the objects are created in the following stack:

https://cwiki.apache.org/confluence/download/attachments/27850262/profiler-snapshot.png

Regards,

Jacopo

 
 p
 
 
 Is it possible? Is there a way to disable JMX related activity (if not 
 needed, of course)? I am worried that this could cause an unnecessary waste 
 of server resources (more frequent GCs etc...).
 
 Thanks in advance,
 
 Jacopo
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 
 -- 
 
 [key:62590808]
 
 
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Fine tune or disable JMX activity

2012-06-22 Thread Jacopo Cappellato 

On Jun 22, 2012, at 5:45 PM, Caldarale, Charles R wrote:

 So let's see... you're using VisualVM which depends on JMX to retrieve the 
 information it reports, and you want to disable JMX?
 
 I think you're observing self-induced behavior.

ah ah, yes I think you are quite right and it was a dumb question indeed.

By the way, thank you, it helped me.

Jacopo
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: OutOfMemoryError happening in embedded instance of Tomcat 6 (Apache OFBiz project)

2008-07-08 Thread Jacopo Cappellato 

Filip,

thank you for your help.
Your suggestion actually helped to identify the root of our issues: it  
was not related to Tomcat 6 but instead it was an issue in the version  
of DBCP we were using (a snapshot of November 2007); we have upgraded  
it to the HEAD and the errors seem gone away (we are running some load  
testing sessions right now).


Thanks so much and sorry for the off-topic.

Jacopo


On Jul 7, 2008, at 6:03 PM, Filip Hanik - Dev Lists wrote:

just use the -XX:+HeapDumpOnOutOfMemoryError and see what is causing  
the OOME


Filip

Jacopo Cappellato wrote:

Hi all,

I am one of the committers and PMC member of the Apache OFBiz  
project (ofbiz.apache.org).
Our project is using an embedded instance of Tomcat to run the web  
applications that compose the OFBiz suite of ERP applications.


A few weeks ago, with rev. 659490, we have upgraded Tomcat from to  
5.5.23 to 6.0.16.
Since then, we have noticed in some production server some  
OutOfMemoryError: Java heap space exceptions that make the  
instances pretty unstable after some time they are up.
My suspect is that we are not creating the Tomcat instance in the  
right way, but I am not sure where is the error... and I'm not sure  
about the question I should ask here.

However, maybe someone of you could help with some advices or hints.

This is the code we used to create the instance of Tomcat 5.5.23  
(that was working fine):


http://svn.apache.org/viewvc/ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/CatalinaContainer.java?revision=585848view=markup

and this is the new code for 6.0.16:

http://svn.apache.org/viewvc/ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/CatalinaContainer.java?view=markup

Thanks so much,

Jacopo



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

OutOfMemoryError happening in embedded instance of Tomcat 6 (Apache OFBiz project)

2008-07-07 Thread Jacopo Cappellato 

Hi all,

I am one of the committers and PMC member of the Apache OFBiz project  
(ofbiz.apache.org).
Our project is using an embedded instance of Tomcat to run the web  
applications that compose the OFBiz suite of ERP applications.


A few weeks ago, with rev. 659490, we have upgraded Tomcat from to  
5.5.23 to 6.0.16.
Since then, we have noticed in some production server some  
OutOfMemoryError: Java heap space exceptions that make the instances  
pretty unstable after some time they are up.
My suspect is that we are not creating the Tomcat instance in the  
right way, but I am not sure where is the error... and I'm not sure  
about the question I should ask here.

However, maybe someone of you could help with some advices or hints.

This is the code we used to create the instance of Tomcat 5.5.23 (that  
was working fine):


http://svn.apache.org/viewvc/ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/CatalinaContainer.java?revision=585848view=markup

and this is the new code for 6.0.16:

http://svn.apache.org/viewvc/ofbiz/trunk/framework/catalina/src/org/ofbiz/catalina/container/CatalinaContainer.java?view=markup

Thanks so much,

Jacopo



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]