RE: iis not looking for jsp in tomcat webapps folder
-Original Message- From: Vijaya [mailto:svij...@solutionscraft.com] Subject: iis not looking for jsp in tomcat webapps folder The current setting is In IIS 6, I have the jakarta isapi filter set and the default document only as and nothing else; Do you have a web service extension for Jarkata that is set to allowed? Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
[OT] Observer pattern?
Could someone point me in the right direction. If three different web applications all rely on knowing when a piece of data changes, how does webapp #1 who makes the update, notify webapp #2 and webapp #3 that they need to make a request to update their view? For example: User of webapp #1 updates the status of something in a database and needs to inform the users of webapp #2 and webapp #3, who are updating other data yet watching for that status to change, that they need to update their view (fetch updated data from a database, or call some other method based on the changed status value). It sounds like the Observer pattern, but I don't know. Leo
RE: org.apache.catalina.valves.RemoteHostValve does this work ???
-Original Message- From: N.s.Karthik [mailto:nskarthi...@gmail.com] Subject: org.apache.catalina.valves.RemoteHostValve does this work ??? Hi Spec JDK1.6 TC : tomcat 6.26 O/s win 7 /Linux (redhat) I have configured the valve as follows in TC /conf/Context.xml *Valve className=org.apache.catalina.valves.RemoteHostValve allow=ai-itl-107 deny=192.168.8.210 /* On restart of the TC ... I am denied access at URL *http://ai-itl-107:8080/* as HTTP 403 Error ??? Disabling this valve the URL works and application is available normally. I am confused with regards karthik The docs indicate that you need to use a regular expression pattern for the allow and deny attributes. http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Host_Filter allow=ai\-itl\-107 deny=192\.168\.8\.210 Does that work? Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Access Log Valve invalid requests
Tomcat 6.0.35 http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Access_Log_Valve Some requests may be handled by Tomcat before they are passed to a container. These include redirects from /foo to /foo/ and the rejection of invalid requests. What is an invalid request? If I have a deny set for a Remote Host Filter, is that considered an invalid request attempt? What I'm trying to do is deny a certain requestor from making a POST request to a URL that is no longer published, yet retain the attempted request in the access log. If I'm denying the request, should I even care to log the fact that there are still attempts at a non-existent webapp? The requestor makes about 200 POST requests within a few seconds everyday around the same time for the past 4 months. They all result in HTTP 500. Leo
RE: Access Log Valve invalid requests
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Access Log Valve invalid requests Leo Donahue - PLANDEVX wrote: Tomcat 6.0.35 http://tomcat.apache.org/tomcat-6.0- doc/config/valve.html#Access_Log_V alve Some requests may be handled by Tomcat before they are passed to a container. These include redirects from /foo to /foo/ and the rejection of invalid requests. What is an invalid request? If I have a deny set for a Remote Host Filter, is that considered an invalid request attempt? What I'm trying to do is deny a certain requestor from making a POST request to a URL that is no longer published, yet retain the attempted request in the access log. If I'm denying the request, should I even care to log the fact that there are still attempts at a non-existent webapp? The requestor makes about 200 POST requests within a few seconds everyday around the same time for the past 4 months. They all result in HTTP 500. Find him and shoot him. Seriously, you should be able to log its IP address. From the IP address, you should be able to find the domain (WHOIS), I log the IP and it comes from a US ISP. Email has been sent. and an email address for a domain admin or better someone responsible for spam and other nasties. If it is not in China, send them an email indicating the problem, with an excerpt of your logs. In my experience, in most cases (80%), it works, in the sense that the attempts stop. In 1% of cases, you might even get a polite thank you answer. (*) If it continues, then it is usually better to filter this before it even reaches Tomcat. A firewall or iptables (Linux) just blocking any connection from that IP will do fine, and will not force your www server to handle that load for nothing. Most of these things are nasty hacking programs which continuously scan a range of IP addresses and try to break in using a range of well-known weak URLs. Most of those are trojan programs that run on hosts that have been broken in, and are not themselves even suspecting that they have been broken in. It can also be a legitimate program which just has the wrong hostname or IP address to connect to. It may be worth 5 minutes of your time to let such normal people know that something is amiss, rather than letting them continue to host a trojan or have a badly-configured application running. (*) I would be curious to see the break-down of the other 79%. They could be nice people who realise that one of their servers is doing something it shouldn't; or they could be nasty people knowing that their server is doing something it shouldn't, and stopping because they've been found out. But there is no way to know for sure. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat advantages
-Original Message- From: Pid * [mailto:p...@pidster.com] Subject: Re: Tomcat advantages What else would you like it to do? p My list is long... ;) It can start by checking if Tomcat is not your default web server, and ask if you would like to make it so. It would also be cool if it could make skype phone calls and if it came a digital camera. A low tech camera at first but on subsequent releases the camera would get better, because all cameras at first are limited by the current technology. It always takes a few releases for them to get good. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat advantages
From: Pid * [p...@pidster.com] Subject: Re: Tomcat advantages -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, March 13, 2012 7:46 AM To: Tomcat Users List Subject: Re: Tomcat advantages On 13/03/2012 14:42, Leo Donahue - PLANDEVX wrote: -Original Message- From: Pid * [mailto:p...@pidster.com] Subject: Re: Tomcat advantages What else would you like it to do? p My list is long... ;) It can start by checking if Tomcat is not your default web server, and ask if you would like to make it so. It would also be cool if it could make skype phone calls and if it came a digital camera. A low tech camera at first but on subsequent releases the camera would get better, because all cameras at first are limited by the current technology. It always takes a few releases for them to get good. I keep trying to get it to make my coffee, but it always forgets the grounds. That's because theres no grounds for making Tomcat pretend to be a coffee machine. p I wish I had a time-'machine' to go back to before I submitted this twisted fiber. (get it? thread. best I could do. anybody want a peanut?). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Dynamic Security Constraints?
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Dynamic Security Constraints? Addenda : 1) ... You'd have to think carefully of where you place these files to download, so that Tomcat does not unwittingly provide the possibility for a user to download such a file directly (bypassing the login) by providing a URL that points to the file directly. Not to change the subject, but I hear a lot of people talking about the point you're making about where to place the file and unwittingly providing a URL to access it outside of a security constraint. Perhaps there is some design history to this that people used to do that I am just missing, so could someone please enlighten me? If I place a file in a webapp context of customerx, and restrict access to everything in the customerx url pattern to a specific login, how can that URL be accessed outside of a security check? Are people doing something else when they deploy their apps that would allow the situation you are describing? Are they creating a separate docBase? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Dynamic Security Constraints?
I'm not sure this is the right subject line, but if I wanted to use Tomcat to publish large files (several GB) for different customers to download, and each customer wanted their own secure URL (form based login over HTTPS) from which to download their data, how would I add a new security constraint url-pattern for authentication for new customers without restarting the server? Is that even the correct approach? Or would it just be easier to deploy a new pre-configured webapp for each customer? Tomcat 6.0.35 Leo
RE: Dynamic Security Constraints?
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Dynamic Security Constraints? Leo Donahue - PLANDEVX wrote: I'm not sure this is the right subject line, but if I wanted to use Tomcat to publish large files (several GB) for different customers to download, and each customer wanted their own secure URL (form based login over HTTPS) from which to download their data, how would I add a new security constraint url-pattern for authentication for new customers without restarting the server? Is that even the correct approach? Or would it just be easier to deploy a new pre-configured webapp for each customer? Your own choice of phrasing above is a bit ambiguous, but indeed your last solution seems to be the easiest to implement. Among other reasons, since you do not know who they are before they login, it would be difficult to present each one of them with their own specific login page. (That's the ambiguous part, so I'm not sure that I understand your requirement correctly). Occasionally I get requests for GIS data in the tens of gigabytes. Our ftp won't let us upload that amount of data, so I thought why not zip it and place it on Tomcat for them to download. This data was sensitive in nature and they wanted a secure login to whatever URL I provided for them to download that data. Example: http://planning.maricopa.gov/customerx when they access this URL, they are presented with a form based login over HTTPS, and once authenticated, Tomcat serves up a directory with their zip file. Essentially, I would already have a preconfigured SQL database with users/roles and just whip up a webapp and send the customer a url/username/password with which to login. I was thinking I would just have webapp template that I modify when I get a request like that, deploy and then undeploy it after they get their data. Is there a better way? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat Manager WebApp authentication
-Original Message- From: Mark Montague [mailto:m...@catseye.org] Subject: Tomcat Manager WebApp authentication Is is possible to ... or some other independent source for role information? I've read the documentation on realms and security constraints, and googled, but the solution is not obvious to me. Thanks. -- Mark Montague m...@catseye.org A sample using JNDI and active directory in the archives. http://www.mail-archive.com/users@tomcat.apache.org/msg74641.html Leo
RE: Tomcat Manager WebApp authentication
-Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Subject: RE: Tomcat Manager WebApp authentication -Original Message- From: Mark Montague [mailto:m...@catseye.org] Subject: Tomcat Manager WebApp authentication Is is possible to ... or some other independent source for role information? I've read the documentation on realms and security constraints, and googled, but the solution is not obvious to me. Thanks. -- Mark Montague m...@catseye.org A sample using JNDI and active directory in the archives. http://www.mail-archive.com/users@tomcat.apache.org/msg74641.html Leo And a SQL server DataSource Realm example also: http://www.mail-archive.com/users@tomcat.apache.org/msg75265.html Last post.
RE: Trying to get Tomcat 6 running as a Windows service
-Original Message- From: app...@dsl.pipex.com [mailto:app...@dsl.pipex.com] Subject: Trying to get Tomcat 6 running as a Windows service Hello ... but I find that although Tomcat will start / stop via the batch files in the /bin folder, when set as a Windows service, I get a message that: Windows could not start the service on the Local Computer. Have you any iseas at all? The Tomcat logs display nothing when the above happens. Martin O'Shea. I run Windows 7. I just downloaded Tomcat 6.0.26 from the archives, using this zip file: http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.26/bin/apache-tomcat-6.0.26-windows-x64.zip I have the 64 bit Java sdk installed: jdk-6u29-windows-x64.exe JAVA_HOME environment variable is set. When I issue from the command line: service install Tomcat6 ... the service is created but not started. When I start the service and view http://localhost:8080 I get the Tomcat welcome page. Perhaps you could try removing the windows service using: service remove Tomcat6 and then try the install command a second time? Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Deploying .war files
Tomcat 6.0.32 When you add a new .war file to the webapps directory (by dragging the file in there from another directory) and it automatically expands the web archive, is that any different than what the manager application does when it deploys the .war file? Likewise when you delete the .war file from the webapps directory, the expanded web archive will shortly remove itself as well. Is there some amount of time that is required if you want to redeploy the same .war file you just removed/undeployed with a newer version (same name)? I can't get a consistent response from either physically adding the .war file to the web apps directory and then deleting it/replacing it with a newer version of the .war file, or whether I use the manager application to deploy/undeploy/deploy. It seems as if I try to redeploy the newer version of the war file I just deleted too soon everything hangs and while the newer .war file will expand, it gives a 404 response when I access that web app. If I wait about 30 or 40 seconds between undeploying the old and redeploying the new it works although I didn't actually record the time in between. Leo
RE: endpoint.warn.unlockAcceptorFailed
___ From: Konstantin Kolinko [knst.koli...@gmail.com] Subject: Re: endpoint.warn.unlockAcceptorFailed 2011/9/27 Konstantin Kolinko knst.koli...@gmail.com: 2011/9/27 Konstantin Kolinko knst.koli...@gmail.com: 2011/9/27 Leo Donahue - PLANDEVX leodona...@mail.maricopa.gov: Tomcat 6.0.32 and 6.0.33 32-bit windows zip - Windows XP Pro Running the shutdown.bat script, on .32 and .33, hung at trying to stop the coyote connector, which then produces the error message in the command prompt window endpoint.warn.unlockAcceptorFailed over and over. I fixed the missing message r1176477. The rest of the issue needs investigation. Last changes in the shutdown code were http://svn.apache.org/viewvc?view=revisionrevision=1065945 Fixed in trunk and 7.0. It wouldn't be in 7.0.22 which is already tagged, but in 7.0.23. Proposed for 6.0. Bugzilla issue: https://issues.apache.org/bugzilla/show_bug.cgi?id=51905 Best regards, Konstantin Kolinko - Not sure if this info is too late, but it is for tomcat 6.0.33 Thanks for filing the bug report and for fixing the issue. So it sounds like my firewall setting afterall. Catalina log: Sep 28, 2011 7:03:11 PM org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.20. Sep 28, 2011 7:03:11 PM org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. Sep 28, 2011 7:03:11 PM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-8080 Sep 28, 2011 7:03:11 PM org.apache.coyote.ajp.AjpAprProtocol init INFO: Initializing Coyote AJP/1.3 on ajp-8009 Sep 28, 2011 7:03:11 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 1017 ms Sep 28, 2011 7:03:11 PM org.apache.catalina.core.StandardService start INFO: Starting service Catalina Sep 28, 2011 7:03:11 PM org.apache.catalina.core.StandardEngine start INFO: Starting Servlet Engine: Apache Tomcat/6.0.33 Sep 28, 2011 7:03:11 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory docs Sep 28, 2011 7:03:12 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory examples Sep 28, 2011 7:03:12 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory host-manager Sep 28, 2011 7:03:12 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory manager Sep 28, 2011 7:03:12 PM org.apache.catalina.startup.HostConfig deployDirectory INFO: Deploying web application directory ROOT Sep 28, 2011 7:03:12 PM org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-8080 Sep 28, 2011 7:03:12 PM org.apache.coyote.ajp.AjpAprProtocol start INFO: Starting Coyote AJP/1.3 on ajp-8009 Sep 28, 2011 7:03:12 PM org.apache.catalina.startup.Catalina start INFO: Server startup in 594 ms Sep 28, 2011 7:03:24 PM org.apache.coyote.http11.Http11AprProtocol pause INFO: Pausing Coyote HTTP/1.1 on http-8080 Sep 28, 2011 7:03:24 PM org.apache.coyote.ajp.AjpAprProtocol pause INFO: Pausing Coyote AJP/1.3 on ajp-8009 Sep 28, 2011 7:03:25 PM org.apache.catalina.core.StandardService stop INFO: Stopping service Catalina Sep 28, 2011 7:03:25 PM org.apache.coyote.http11.Http11AprProtocol destroy INFO: Stopping Coyote HTTP/1.1 on http-8080 Sep 28, 2011 7:03:55 PM org.apache.tomcat.util.net.AprEndpoint stop WARNING: endpoint.warn.unlockAcceptorFailed Sep 28, 2011 7:03:56 PM org.apache.tomcat.util.net.AprEndpoint stop WARNING: endpoint.warn.unlockAcceptorFailed Sep 28, 2011 7:03:57 PM org.apache.tomcat.util.net.AprEndpoint stop WARNING: endpoint.warn.unlockAcceptorFailed Sep 28, 2011 7:03:58 PM org.apache.tomcat.util.net.AprEndpoint stop WARNING: endpoint.warn.unlockAcceptorFailed Sep 28, 2011 7:03:59 PM org.apache.tomcat.util.net.AprEndpoint stop WARNING: endpoint.warn.unlockAcceptorFailed Sep 28, 2011 7:04:00 PM org.apache.tomcat.util.net.AprEndpoint stop WARNING: endpoint.warn.unlockAcceptorFailed Sep 28, 2011 7:04:01 PM org.apache.tomcat.util.net.AprEndpoint stop WARNING: endpoint.warn.unlockAcceptorFailed and outputs the same message every second until I terminate the windows process. Thread Dump: 2011-09-28 19:06:41 Full thread dump Java HotSpot(TM) Client VM (20.2-b06 mixed mode, sharing): RMI TCP Connection(2)-192.168.1.104 daemon prio=6 tid=0x02f50400 nid=0x374 runnable [0x04aff000] java.lang.Thread.State: RUNNABLE at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(SocketInputStream.java:129) at java.io.BufferedInputStream.fill(BufferedInputStream.java:218) at java.io.BufferedInputStream.read(BufferedInputStream.java:237) - locked 0x22df19d8 (a java.io.BufferedInputStream) at java.io.FilterInputStream.read
endpoint.warn.unlockAcceptorFailed
Tomcat 6.0.32 and 6.0.33 32-bit windows zip - Windows XP Pro [OT] I was experimenting with trying to profile memory on Tomcat when it is started via a Windows Service using jvisualvm.exe Profiling tomcat memory using visualvm works great when Tomcat is started as a script using the startup.bat. I've seen several articles that talk about profiling Tomcat as a windows service relating to the CATALINA_TMPDIR directory vs the windows tmp directory and other articles that talk about the account under which Tomcat is started vs the account under which the visualvm.exe is started. I have not changed anything in catalina.bat at this point, or anything else - these were fresh downloads and checksums verified. References: http://visualvm.java.net/troubleshooting.html http://blogs.oracle.com/nbprofiler/entry/monitoring_java_processes_running_as http://mballantyne.blogspot.com/2011/05/profiling-tomcat-with-visualvm-on-mac.html [/OT] Running the shutdown.bat script, on .32 and .33, hung at trying to stop the coyote connector, which then produces the error message in the command prompt window endpoint.warn.unlockAcceptorFailed over and over. Tomcat 7.0.21 32-bit windows zip starting and stopping via the startup and shutdown scripts doesn't give me this problem. Any ideas what could be wrong? Windows firewall maybe? Leo
Securing Tomcat Manager auth-method
In light of the recent announcement, is securing Tomcat Manager with org.apache.catalina.valves.RemoteAddrValve enough if we are using 127.0.0.1 or should I consider changing the manager auth-method from BASIC to FORM and enable HTTPS as well? Is running Tomcat as a Windows service considered insecure? leo
RE: [tomcat-6.0.33] META-INF/context.xml Environment not working
-Original Message- From: Tim Watts [mailto:t...@cliftonfarm.org] Subject: [tomcat-6.0.33] META-INF/context.xml Environment not working === context.xml Context unpackWAR=false privileged=false antiResourceLocking=false antiJARLocking=false Environment name=configName value=${catalina.base}/local/xbasic/config/master.properties description=Full path name of the config file. type=java.lang.String/ /Context In my context.xml, I use type=javax.sql.DataSource, and I'm using a Resource element instead of Environment Resource name=configName auth=Container type=javax.sql.DataSource username=username password=password driverClassName=whatever driver you have url=your jdbc driver connection stuff/ resource-ref descriptionDB Connection/description res-ref-nameconfigName/res-ref-name res-typejavax.sql.DataSource/res-type res-authContainer/res-auth /resource-ref === web.xml ?xml version=1.0 encoding=UTF-8? web-app xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xmlns=http://java.sun.com/xml/ns/javaee; xmlns:web=http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd; xsi:schemaLocation=http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd; id=WebApp_ID version=2.5 display-nameArchetype Created Web Application/display-name servlet servlet-nameController/servlet-name servlet-classorg.cliftonfarm.xbasic.Controller/servlet-class /servlet servlet-mapping servlet-nameController/servlet-name url-pattern/*/url-pattern /servlet-mapping env-entry env-entry-nameconfigName/env-entry-name env-entry-typejava.lang.String/env-entry-type /env-entry /web-app I don't have a env-entry in my web.xml === Servlet constructor public class Controller extends HttpServlet { private static final long serialVersionUID = 1L; private String configName; /** * @throws NamingException * @see HttpServlet#HttpServlet() */ public Controller() throws NamingException { super(); // get store JNDI info configName = InitialContext.doLookup(java:comp/env/configName); // line 28 log(getClass().getName() +: Successfully initialized. configName=[ +configName +]); } ... My version of this code, with your name: private DataSource ds; public void createDataSource(){ // Setup the DataSource Context try{ Context ctx = new InitialContext(); ds = (DataSource) ctx.lookup(java:comp/env/configName); } catch (NamingException ex){ FacesContext.getCurrentInstance().getExternalContext().log(DataSource lookup failed, ex); } }
RE:[OT][tomcat-6.0.33] META-INF/context.xml Environment not working
-Original Message- From: Tim Watts [mailto:t...@cliftonfarm.org] Subject: RE: [tomcat-6.0.33] META-INF/context.xml Environment not working I got it to work by removing the env-entry from web.xml. I believe this is a regression because it works correctly under 5.5.17. Under 5.5.17 it finds the env entry with or without having defined in web.xml. Under 6.0.33 having the env entry defined in web.xml *prevents* it from finding it. So what is the difference between having a env-entry or resource-ref in web.xml vs. a Resource or Environment elements in META-INF/context.xml?
RE: Users and authentication - how?
-Original Message- From: Pid [mailto:p...@pidster.com] Sent: Tuesday, September 20, 2011 6:29 AM To: Tomcat Users List Subject: Re: Users and authentication - how? On 18/09/2011 21:42, java4dev wrote: * Implement your own using phase listeners. WTF is a 'phase listener'? p Maybe it's related to this?... http://www.jsfcentral.com/listings/A92000?link - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Users and authentication - how?
-Original Message- From: Pid [mailto:p...@pidster.com] Subject: Re: Users and authentication - how? On 20/09/2011 15:40, Leo Donahue - PLANDEVX wrote: -Original Message- From: Pid [mailto:p...@pidster.com] Subject: Re: Users and authentication - how? On 18/09/2011 21:42, java4dev wrote: * Implement your own using phase listeners. WTF is a 'phase listener'? p Maybe it's related to this?... http://www.jsfcentral.com/listings/A92000?link So the solutions to solve a trival login problem were: a) use an enormous framework, b) read the docs and c) refer to a). Awesome. p It looks that way. And funny how option a) still requires option b) - I mean, if you choose to go with option a) as your starting point. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Turning off local access log
-Original Message- From: David kerber [mailto:dcker...@verizon.net] Subject: Re: Turning off local access log On 9/1/2011 9:32 AM, Mark Thomas wrote: On 01/09/2011 14:10, David kerber wrote: Will removing this valve from my server.xml stop access logging? Right now it's trying to log every one of the 4M hits I get per day. Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=localhost_access_log. suffix=.txt pattern=%h %l %u %tquot;%rquot; %s %b / Can I just comment it out? Yes, but it is a bad idea unless you have access logging elsewhere. Mark Logging is handled by the app; I don't need this from Tomcat. Yes, but does your app log intentionally mal-formed requests? -Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Turning off local access log
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Turning off local access log Leo, It will also not log requests that weren't directed to your app. - -chris Better said. That is what I was trying to get at.
RE: Conditional Branch from Servlet to URL
From: Donald Jolley [jolleyt...@gmail.com] Subject: Conditional Branch from Servlet to URL I'm not at all surprised about the request and response symbols as they appear to be undefined. I really expected that getRequestDispatcher would have been found in javax.servlet.* which is imported. ... doug * Shouldn't you import javax.servlet.http ? If your request and response objects are undefined - wish we could see how you declared them, how can RequestDispatcher perform the forward? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 7, isapi_redirect, IIS 7 - blank page
___ From: Douglas McGregor [d...@douglasmcgregor.co.uk] Subject: Tomcat 7, isapi_redirect, IIS 7 - blank page Hi there, I'm getting really desperate with this - I've been at it for about a couple of months now and still no further forward. The strange thing is that this works absolutely fine in IIS 7.5 with Tomcat 7 on my laptop which runs Windows 7, but is persistantly throwing a blank page on IIS 7 with Windows Server 2008 - it gives a blank page when I add the Handler Mapping in IIS, but just shows source code when I delete the Handler Mapping. I'm stumped with this. I'll outline what I've done below - please note that I've followed the documentation on the official Tomcat website to the letter - this is the HowTo documentation for connecting Tomcat to IIS. 1. Installed Tomcat 7.0.18 in E:\Tomcat 2. Created a directory named isapi in E:\Tomcat - so, E:\Tomcat\isapi 3. Created an isapi_redirect.properties file in the same directory and modified the paths 4. Created workers.properties and uriworkermap.properties in E:\Tomcat\conf 5. Added content to and edited workers.properties and uriworkermap.properties as required 6. Stop and Start the Tomcat Service In the IIS Manager: 1. Created a virtual directory called jakarta (without the quotes) pointing to E:\Tomcat\isapi 2. In IIS Home (in my case this is WEB-SERVER Home), clicked on ISAPI and CGI Restrictions, clicked add - ISAPI Or CGI Path: E:\Tomcat\isapi\isapi_redirect.dll; Description: Tomcat 3. Clicked on my website, went to ISAPI Filters, clicked add - Filter name: Tomcat; Executable: E:\Tomcat\isapi\isapi_redirect.dll 4. Handler Mappings - Add Module Mapping - Request Path = *.jsp; Module = IsapiModule; Executable = E:\Tomcat\isapi\isapi_redirect.dll; Name = Tomcat; Request Restrictions Access Execute 5. Restart IIS isapi_redirect.properties # Configuration file for the Jakarta ISAPI Redirector # The path to the ISAPI Redirector Extension, relative to the website # This must be in a virtual directory with execute privileges extension_uri=/jakarta/isapi_redirect.dll # Full path to the log file for the ISAPI Redirector log_file=E:\Tomcat\logs\isapi.log # Log level (debug, info, warn, error or trace) log_level=debug # Full path to the workers.properties file worker_file=E:\Tomcat\conf\workers.properties # Full path to the uriworkermap.properties file worker_mount_file=E:\Tomcat\conf\uriworkermap.properties workers.properties # An entry that lists all the workers defined worker.list=worker1 # Entries that define the host and port associated with each of these workers worker.worker1.host=www.douglasmcgregor.co.uk worker.worker1.port=8009 worker.worker1.type=ajp13 worker.worker1.connection_pool_timeout=600 uriworkermap.properties #example uriworkermap.properties fragment /examples/*=worker1 .jsp=worker1 The /examples/ work perfectly, but like I said .jsp pages on IIS give a blank page. I should say I've Googled for days and hours and not found anything that fixes this. I've asked on the official IIS forum, but they don't seem to be able to help. I really hope someone here can help me with this, I'm close to giving up. Thanks Douglas ** Don't you have to set and allow a web service extension in IIS for the Jakarta? Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 7, isapi_redirect, IIS 7 - blank page
From: André Warnier [a...@ice-sa.com] Subject: Re: Tomcat 7, isapi_redirect, IIS 7 - blank page Leo Donahue - PLANDEVX wrote: ... Don't you have to set and allow a web service extension in IIS for the Jakarta? But the OP says 'The /examples/ work perfectly', ... * Yes, but I don't think we've seen any proof of that. Servlets work but JSP's don't in his situation? Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Running Tomcat on a webserver that is on a workgroup
I've been informed that our web server is going to be disjoined from the domain and placed on a workgroup. Is this a trend? I don't understand how Tomcat will be able to access resources from our domain, and vice versa, unless I'm running Tomcat as a local account, and that same local account is created on the other servers on the domain. It seems like I'm exploiting one security issue for another. Leo Donahue
RE: Running Tomcat on a webserver that is on a workgroup
André, -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Running Tomcat on a webserver that is on a workgroup There is probably more to it than that. All they are going to do is join it to a workgroup. I don't understand how Tomcat will be able to access resources from our domain, and vice versa, unless I'm running Tomcat as a local account, and that same local account is created on the other servers on the domain. It all depends what you mean by resources. It will still be able to access other hosts via TCP (through the firewall, if the firewall allows it). But it will no longer be able to access shares or windows network printers e.g. What kind of network resources does your webserver need ? Windows shares. Otherwise the size of the vm that is my current web server needs to grow in order to support access to certain files, mostly images (over 500 GB), or I add the local account from the workgroup to the domain server containing the file share. It seems like I'm exploiting one security issue for another. (trading). Yes, trading is a better word. What is the security issue that this change is supposed to cure ? Other than making administration more difficult, I was hoping someone could tell me. Tomcat runs with a least privilege account anyway. Is this a feel good thing? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: About JAVA_HOME!
-Original Message- From: Nash [mailto:iamlegen...@163.com] Subject: About JAVA_HOME! Hello! I am using tomcat under RHEL5.4 and I haven't build JAVA_HOME environment variable. However, the tomcat 6.0.32 can run normally. Why? Thank you for your attention. Best wishes! 2011-06-06 Nash Look at the RUNNING.txt file in the root of your Tomcat 6.0.32 directory. Your installation of Tomcat is utilizing whatever Java Runtime you have installed, not the JDK. Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: storing images
-Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Subject: RE: storing images From: alexis [mailto:alz...@gmail.com] Subject: storing images You have a couple of options: 1) Create a dummy webapp whose sole purpose is to provide a location for the dynamically generated images. Create some directory outside of Tomcat's file structure to hold the images, and place a Context element in conf/Catalina/[host]/[dummyAppName].xml with a docBase attribute (and nothing else) that points to that directory. The img tags should refer to [dummyAppName] as the URL for retrieving the images. - Chuck That is exactly what we did for our web app that generates images. http://planning.maricopa.gov/agsoutput/_ags_mapad578dbb026f4429aa755f471b259bd3.jpg our 2011 images were not so great... regarding the mosaic. Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Working of Tomcat with MS Access
-Original Message- From: RAHUL RAJ [mailto:omrahulraj...@gmail.com] Sent: Friday, April 15, 2011 10:35 AM To: Tomcat Users List Subject: Re: Working of Tomcat with MS Access Since I am a beginner, I have to start with some trial projects, right? I know this is nothing! and help me...pls answer to the question.. Mikolaj gave you a hint already. If your Tomcat runs as a service, under what account does that service run? Does that account have access to your mdb? Did you create a user or system datasource on your computer with the name: rahul - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Working of Tomcat with MS Access
-Original Message- From: RAHUL RAJ [mailto:omrahulraj...@gmail.com] Subject: Re: Working of Tomcat with MS Access Yes, it runs as a service. But how to know under what account does that service run? does it mean 'admin' or 'normal user' or 'system'? I made a system DSN for this...not the user DSN(Data Source Name) and I launched tomcat service by right click 'run as admin' I'm really surprised you have had as many responses to this thread as you've had. Assuming you have Tomcat installed as a Windows service, usually the default account that runs Tomcat as a Windows service is Local System Account. You need to change that account to one that has access to your mdb. You can do that through the Services console. Or try starting Tomcat via the startup.bat file, that should launch Tomcat with the same account you've logged into your system with, which hopefully is the same account you need to for Access. The code you posted should work, although I can't understand what the purpose of your assignment is. Don't get in the habit of using this code for anything related to logging in, or anything else. If you must stay in the MS world, use SQL Express. try { Class.forName( sun.jdbc.odbc.JdbcOdbcDriver); Connection con = DriverManager.getConnection(jdbc:odbc:rahul,,); Statement stmt = con.createStatement(ResultSet.TYPE_FORWARD_ONLY,ResultSet.CONCUR_READ_ONLY); String query = Select whatever; ResultSet rs = stmt.executeQuery(query); while(rs.next()){ // do stuff } rs.close(); stmt.close(); con.close(); } catch(SQLException ex) { } catch(java.lang.ClassNotFoundException jdbce) { }
RE: Working of Tomcat with MS Access
-Original Message- From: RAHUL RAJ [mailto:omrahulraj...@gmail.com] Subject: Re: Working of Tomcat with MS Access you said: You need to change that account to one that has access to your mdb. You can do that through the Services console. Or try starting Tomcat via the startup.bat file, that should launch Tomcat with the same account you've logged into your system with, which hopefully is the same account you need to for Access. I don't know how to do these...Can you explain for me? On Vista Home Basic... ? Uh... Start/Control Panel Switch to Classic View Find Administrative Tools/Services You're on your own after this, but in a nutshell.. you need to check the properties of the Tomcat Service and see if you can change the way the service Logs On What happens when you reboot your computer? Do you have to restart Tomcat each time or is it still running after you reboot? Also startup.bat is not there in the specified directory. Fine. By the way, I never specified a directory because no one here knows how you've installed Tomcat 5.5.x I'm very fond of version x myself. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Working of Tomcat with MS Access
From: RAHUL RAJ [omrahulraj...@gmail.com] Subject: Re: Working of Tomcat with MS Access vista home basic. No, I can restart tomcat each time, by clicking the start/stop button. Did you try any of the suggestions André or I offered? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Logging request parameters - Filter vs Servlet
Chris, -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Logging request parameters - Filter vs Servlet I don't know what I don't know... Log4j I guess. That is what everyone recommends. Hmm... ServletContext logging then? There is an AccessLogValve that you can use if you know which request parameters you want to log. There is also a RequestDumperValve (and RequestDumperFilter in 7.0) that you can use to dump everything from the request. See the docs for details. Would those work for you? The AccessLog pattern I'm using: pattern=%h %l %u %t %r %q %s %b The results: 2.3.4.5 - - [29/Mar/2011:16:02:39 -0700] POST /oppositioncase/oppositioncase.faces HTTP/1.1 200 38621 My web app uses the JSF framework, forgot to mention that. http://planning.maricopa.gov/oppositioncase samples: 211-52-002A 211-74-016 211-53-005C Those are the parameters I'm trying to capture, along with the map image url. A. We'd like to know how many requests actually generated a map image. B. We'd like to know whether this app is searching for parcels primarily in the unincorporated areas of the County, or parcels located within a city jurisdiction. That part I can figure out once I know which parcels people are searching. Note that reading request parameters in a Filter may trigger parsing of a POST request body which may not be something you want to happen on every request. I guess my only option then is to log them from the web app. But somewhere I've read that is the wrong/lazy way to do logging.
RE: Logging request parameters - Filter vs Servlet
Chris, Thanks for the feedback.. very much appreciated! -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Logging request parameters - Filter vs Servlet So you need to log the txtAPN parameter, right? Yes. Actually, the contents of the listbox... as you'll see below. Those are the parameters I'm trying to capture, along with the map image url. A. We'd like to know how many requests actually generated a map image. Can you tell that, just from a parameter value? I would think that the URL itself would more likely tell you if a map was generated. No, I couldn't tell that from a parameter value, which is why I knew I had to log from within the webapp somewhere, but I didn't know whether logging should happen in a filter or at a specific place in the model. Or should I log in the fascade (pattern)? I wanted the logs to capture the url so that I knew the model reached a point where it generated an image. http://planning.maricopa.gov/agsoutput/_ags_mapdee1a8d3a28f49a48f44aaf4dc4cc316.jpg Those images are only there for 20 min, so that url is already dead. B. We'd like to know whether this app is searching for parcels primarily in the unincorporated areas of the County, or parcels located within a city jurisdiction. That part I can figure out once I know which parcels people are searching. Simply logging the parcels used in searches would allow you to do that, as you've said. The RequestDumperValve logs a /ton/ of information, and probably wouldn't get you what you want. I'm not sure where you read it, but that sounds like a platitude applied as a blanket admonition not to log in your webapp. If it's appropriate for your situation, then feel free to do it. Back to the original filter question: logging using a filter is perfectly acceptable if it's the right solution (see below for questions that might lead you to other options). Writing the filter is trivial: just implement the javax.servlet.Filter interface and be sure to read the javadoc for it before you try: you'll thank yourself, later. You can even use ServletContext.log() to write to the context log if you want. Otherwise, feel free to use your webapp's log4j or other logging facility (you'll have to configure this yourself). Just don't use System.out :) One might argue that blindly logging request parameters is not particularly useful. For instance, a quick look at your interface indicates that you can add several plots of land before performing the search. Those initial add operations may be of little use to you. You are right. Instead, you may wish to log them only at a certain point in your workflow. Since most requests go to oppositioncase.faces, you may not be able to map your Filter to a URL pattern that is fine-grained enough. Instead, it might make more sense to log this data when you know there's a reason to log it. Since you're expecting to perform statistical analysis on the data, you might even consider writing it directly to a database instead of to a plain-old log file. I'm going this route for now: FacesContext.getCurrentInstance().getExternalContext().log(the string buffer of the parcel listbox); FacesContext.getCurrentInstance().getExternalContext().log(the map URL); Produces: Mar 30, 2011 12:02:35 PM org.apache.catalina.core.ApplicationContext log INFO: PARCEL = '125-27-089' Mar 30, 2011 12:02:45 PM org.apache.catalina.core.ApplicationContext log INFO: http://planning.maricopa.gov/agsoutput/_ags_map08eb57df58224e1884e17a3e8a59b555.jpg Mar 30, 2011 12:03:16 PM org.apache.catalina.core.ApplicationContext log INFO: PARCEL = '125-27-089' OR PARCEL = '125-27-090' OR PARCEL = '125-27-091' Mar 30, 2011 12:03:27 PM org.apache.catalina.core.ApplicationContext log INFO: http://planning.maricopa.gov/agsoutput/_ags_map1a6e940afbd1494794c8d22b36f3a11a.jpg Cool webapp, by the way! Thanks! NB: The ctrl key isn't always the modifier key to use to de-select items from a multi-select list. I think that's a Microsoft Windows convention, but it's CMD-click on Mac and probably something like META-click on *NIX. Sadly, my department wanted that blurb on there. They forget stuff. Leo
Logging request parameters - Filter vs Servlet
Where do you initialize the Logger (Filter or Servlet)? The servlet 2.5 spec says you can use filters for logging, but since I'm not modifying the request or response, is logging from within a filter the right approach to logging request parameters? Using CATALINA_BASE: C:\ApacheTomcat\apache-tomcat-6.0.32 Using CATALINA_HOME: C:\ApacheTomcat\apache-tomcat-6.0.32 Using CATALINA_TMPDIR: C:\ApacheTomcat\apache-tomcat-6.0.32\temp Using JRE_HOME:C:\jdk1.6.0_24 Using CLASSPATH: C:\ApacheTomcat\apache-tomcat-6.0.32\bin\bootstrap.jar Server version: Apache Tomcat/6.0.32 Server built: February 2 2011 2003 Server number: 6.0.32.0 OS Name:Windows XP OS Version: 5.1 Architecture: x86 JVM Version:1.6.0_24-b07 JVM Vendor: Sun Microsystems Inc. Leo
RE: Logging request parameters - Filter vs Servlet
Chris, -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Logging request parameters - Filter vs Servlet Leo, On 3/29/2011 12:57 PM, Leo Donahue - PLANDEVX wrote: Where do you initialize the Logger (Filter or Servlet)? Which logger? I don't know what I don't know... Log4j I guess. That is what everyone recommends. The servlet 2.5 spec says you can use filters for logging, but since I'm not modifying the request or response, is logging from within a filter the right approach to logging request parameters? That depends upon your requirements. What are they? I just want to capture the request parameters on a certain web app and log them (time and what they were) in a separate log file from the standard logs, so that I don't have to hunt them down in the standard Tomcat logs. The security tool that our telecom office uses for auditing our sites makes quite a mess of my standard logs periodically. Note that reading request parameters in a Filter may trigger parsing of a POST request body which may not be something you want to happen on every request. An example of things I don't know that I don't know... Leo
Context - useHttpOnly
A security audit of my site indicated a Missing HttpOnly attribute in Session Cookie problem. If this is a security problem, then why does the useHttpOnly attribute in Context default to false? I'm not specifically setting any cookies... http://tomcat.apache.org/tomcat-6.0-doc/config/context.html Using CATALINA_BASE: C:\apache-tomcat-6.0.29 Using CATALINA_HOME: C:\apache-tomcat-6.0.29 Using CATALINA_TMPDIR: C:\apache-tomcat-6.0.29\temp Using JRE_HOME:C:\Program Files\Java\jdk1.6.0_20 Using CLASSPATH: C:\apache-tomcat-6.0.29\bin\bootstrap.jar Server version: Apache Tomcat/6.0.29 Server built: July 19 2010 1458 Server number: 6.0.0.29 OS Name:Windows 2003 OS Version: 5.2 Architecture: x86 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc Leo
memory question - heap size and windows process
Is there a correlation between the heap size Tomcat is using and the memory allocated to the Tomcat process running as a windows service - depicted in task manager, or are these not related to one another? Tomcat 6.0.29 - windows service - 512MB initial and max memory Tomcat as listed in windows task manager: 312,664k Tomcat as listed in jvisualvm: Heap Size: 518,979,584 B Used: 175,853,040 B Max: 518,979,584 B PermGen Size: 33,816,576 B Used: 33,771,424 B Max: 67,108,864 B Leo
RE: memory question - heap size and windows process
Chris, Sorry about the long delay, Exchange took a break this morning. -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: memory question - heap size and windows process Leo, On 1/24/2011 10:30 AM, Leo Donahue - PLANDEVX wrote: Is there a correlation between the heap size Tomcat is using and the memory allocated to the Tomcat process running as a windows service - depicted in task manager, or are these not related to one another? Well, one would expect that as heap size increases, so does the total amount of memory allocated to the process, but I'm guessing you were hoping for something more helpful :) Tomcat 6.0.29 - windows service - 512MB initial and max memory So you are trying to get a fixed heap size: okay. Tomcat as listed in windows task manager: 312,664k That seems strange: I would expect the JVM to pre-allocate the entire heap (512MiB) plus allocate everything else it might need (PermGen, stack space, native heap, etc.) so you should exceed 512MiB as soon as the process launches. Which number are you observing in the Windows Task Manager? It can show you a lot of different memory numbers. Memory Usage, not Memory Usage Delta. Tomcat as listed in jvisualvm: Heap Size: 518,979,584 B Used: 175,853,040 B Max: 518,979,584 B That looks right. PermGen Size: 33,816,576 B Used: 33,771,424 B Max: 67,108,864 B Okay, so you have 512MiB of Java heap and 30MiB of PermGen so your process should take at minimum 542MiB of space. I'd be shocked if you had less than a 300MiB virtual size, though the memory might not actually be used at this point, so Microsoft Windows might not report it. I don't know much about Microsoft Windows, but I know that Linux doesn't even allocate memory to you until you actually write to it, so the actual amount of memory allocated to a JVM can be quite modest compared to the amount you expected to use upon JVM launch. Perhaps Microsoft Windows does something similar... though that would have to be a relatively new improvement (Vista/7?). Using Windows Server 2003 Standard R2 Were you hoping to get an answer to a specific question? Yes, but asking the right question is the hardest part.
Filter questions
Servlet Spec 2.5 SRV.6.2.1 The container provides the filter config as declared in the filter's deployment descriptor, the reference to the ServletContext for the Web application, and the set of initialization parameters.' 1. How does Tomcat get a reference to a ServletContext before any servlet is created? 2. If a filter can be mapped to a static resource, what is the servlet context? Leo Donahue
RE: Filter questions
-Original Message- From: Pid * [mailto:p...@pidster.com] Subject: Re: Filter questions On 1 Dec 2010, at 14:35, Leo Donahue - PLANDEVX leodona...@mail.maricopa.gov wrote: Servlet Spec 2.5 SRV.6.2.1 The container provides the filter config as declared in the filter's deployment descriptor, the reference to the ServletContext for the Web application, and the set of initialization parameters.' 1. How does Tomcat get a reference to a ServletContext before any servlet is created? Servlets exist inside the context, not the other way round. 2. If a filter can be mapped to a static resource, what is the servlet context? The app is the context. p Thanks, I realized the context part about 20 seconds after I posted and totally forgot about the default servlet. I'll read the spec front to back, as suggested. In the meantime I was trying to understand how/when servletness occurs. http://localhost:8080 will load index.html, because of the welcome file, in ROOT but that's not a servlet. Are you saying that the servletcontext here is the Default Servlet mapped to / ?
RE: Tomcat Consultant
-Original Message- From: Pid [mailto:p...@pidster.com] Subject: Re: Tomcat Consultant On 18/11/2010 19:35, Pid wrote: On 24/09/2010 18:25, tdelesio wrote: My fortune 500 company is testing a pilot for switching over a J2EE web app over from Web Sphere application server to Tomcat and we are looking for a consultant to setup a crusted production instance of tomcat. Does anyone have any recommendations for a top notch consulting firm that could provide these services? http://wiki.apache.org/tomcat/SupportAndTraining Doh. Doh and double doh. p Um, can anyone translate this? Am I really seeing that? http://training.mulesoft.com/about/index.html - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Release COM Objects
http://j-integra.intrinsyc.com/support/com/doc/gc/index.html #4 com.linar.jintegra.Cleaner.releaseAll(); Can Tomcat call this method prior to shutting down as a windows service? If so where would I configure this? JSF 1.2 (Sun RI) mojarra-1.2 Tomcat running as a windows service Using CATALINA_BASE: C:\apache-tomcat-6.0.29 Using CATALINA_HOME: C:\apache-tomcat-6.0.29 Using CATALINA_TMPDIR: C:\apache-tomcat-6.0.29\temp Using JRE_HOME:C:\Program Files\Java\jdk1.6.0_20 Using CLASSPATH: C:\apache-tomcat-6.0.29\bin\bootstrap.jar Server version: Apache Tomcat/6.0.29 Server built: July 19 2010 1458 Server number: 6.0.0.29 OS Name:Windows 2003 OS Version: 5.2 Architecture: x86 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. Leo Donahue
RE: Release COM Objects
-Original Message- From: Len Popp [mailto:len.p...@gmail.com] Subject: Re: Release COM Objects I would use a ServletContextListener. It gets notified when the webapp is initialized and destroyed. -- Len Filter vs ServletContextListener. When does Tomcat tell me in the logs that I might have a memory leak due to some threads not being released upon shutdown? In a Filter or in a ServletContextListener? SRV.9.12 When a web app is deployed, it does the following steps in order... • Instantiate an instance of each event listener identified by a listener element in the deployment descriptor. • For instantiated listener instances that implement ServletContextListener, call the contextInitialized() method. • Instantiate an instance of each filter identified by a filter element in the deployment descriptor and call each filter instance’s init() method. • Instantiate an instance of each servlet identified by a servlet element that includes a load-on-startup element in the order defined by the load-onstartup element values, and call each servlet instance’s init() method. When a web app is shutdown, does it do those same four steps in reverse order? I'm guessing yes according to contextDestroyed() method. (..All servlets and filters have been destroy()ed before any ServletContextListeners are notified of context destruction ...)
RE: Tomcat 6.0.18 JNDIRealm ConnectException: Connection timed out
-Original Message- From: S.V. [mailto:svku...@googlemail.com] Subject: Tomcat 6.0.18 JNDIRealm ConnectException: Connection timed out userBase=DC=host,DC=de I had this same problem. It depends on where your users are located in AD and how large the tree is. This is probably not the right way to do it, but I limited the roleBase and userBase to specific nodes. Realm className=org.apache.catalina.realm.JNDIRealm connectionURL=ldap://url:389; connectionName=CN=ad_user_account,OU=Service Accounts,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov connectionPassword=*** roleBase=OU=Groups,OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov roleSubtree=true roleName=cn roleSearch=(member={0}) userBase=OU=PLANDEV Dept,DC=plandev,DC=maricopa,DC=gov userSearch=(amp;(objectCategory=person)(sAMAccountName={0})) userSubtree=true userRoleName=memberOf / - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 6.0.29 - Windows Service - JMX
http://tomcat.apache.org/tomcat-6.0-doc/monitoring.html Adding JMX to Tomcat 6.0.29 and starting with the startup.bat will add a Tomcat icon and show the process ID, under the Local connection, when launching jvisualvm.exe Adding JMX to Tomcat via the tomcat6w.exe doesn't display the Tomcat icon or the process id in jvisualvm.exe, and I have to add the JXM connection myself. What is the difference? How do I configure the tomcat6w.exe to show the icon and process id in jvisualvm.exe? Java tab in tomcat6w.exe -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=1092 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false Leo Donahue
Access Log Valve - Query String
I am currently using the common pattern to log all requests using the Access Log Valve. Valve className=org.apache.catalina.valves.AccessLogValve directory=c:/apache-tomcat-logs/webappname prefix=webappname_access_log. suffix=.txt pattern=common resolveHosts=false/ Question: I'd like to start logging the Query String - I think. The webapp is a JSF webapp, using Sun RI 1.2 of JSF. I'm not interested in logging the javax.faces.ViewState parameter, but if I use the query string option, will the ViewState parameter show up in the log? At this point, all I want is the textfield and the datetime. Should I write my own log for this? Reason: I want to log what the user enters into the search field. I'd like to find out if the value entered into the search field is causing a problem. The reason: java.lang.NullPointerException caused by some line in my code that should never execute if the what the user entered in the search field is not found in the database. Working with GIS data, it could be that what the user searched for is found, but that I have some kind of geometry problem associated with that record that is causing a null pointer on a feature cursor. I can provide more detail if needed. Using CATALINA_BASE: C:\apache-tomcat-6.0.29 Using CATALINA_HOME: C:\apache-tomcat-6.0.29 Using CATALINA_TMPDIR: C:\apache-tomcat-6.0.29\temp Using JRE_HOME:C:\Program Files\Java\jdk1.6.0_20 Using CLASSPATH: C:\apache-tomcat-6.0.29\bin\bootstrap.jar Server version: Apache Tomcat/6.0.29 Server built: July 19 2010 1458 Server number: 6.0.0.29 OS Name:Windows 2003 OS Version: 5.2 Architecture: x86 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. Leo Donahue
RE: Access Log Valve - Query String
-Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Subject: Access Log Valve - Query String I am currently using the common pattern to log all requests using the Access Log Valve. Valve className=org.apache.catalina.valves.AccessLogValve directory=c:/apache-tomcat-logs/webappname prefix=webappname_access_log. suffix=.txt pattern=common resolveHosts=false/ Question: I'd like to start logging the Query String - I think. The webapp is a JSF webapp, using Sun RI 1.2 of JSF. I'm not interested in logging the javax.faces.ViewState parameter, but if I use the query string option, will the ViewState parameter show up in the log? At this point, all I want is the textfield and the datetime. Should I write my own log for this? Reason: I want to log what the user enters into the search field. I'd like to find out if the value entered into the search field is causing a problem. The reason: java.lang.NullPointerException caused by some line in my code that should never execute if the what the user entered in the search field is not found in the database. Working with GIS data, it could be that what the user searched for is found, but that I have some kind of geometry problem associated with that record that is causing a null pointer on a feature cursor. I can provide more detail if needed. Using CATALINA_BASE: C:\apache-tomcat-6.0.29 Using CATALINA_HOME: C:\apache-tomcat-6.0.29 Using CATALINA_TMPDIR: C:\apache-tomcat-6.0.29\temp Using JRE_HOME:C:\Program Files\Java\jdk1.6.0_20 Using CLASSPATH: C:\apache-tomcat-6.0.29\bin\bootstrap.jar Server version: Apache Tomcat/6.0.29 Server built: July 19 2010 1458 Server number: 6.0.0.29 OS Name:Windows 2003 OS Version: 5.2 Architecture: x86 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. Leo Donahue Looks like Request Dumper Valve does what I want. Satisfied for now. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Howto: call a Servlet from another Servlet (Example)?!
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Howto: call a Servlet from another Servlet (Example)?! -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ronald, On 9/20/2010 11:07 AM, Ronald Klop wrote: You can use the RequestDispatcher. RequestDispatcher dispatcher = request.getRequestDispatcher(/userlist); dispatcher.forward(request, response); Of course, you can also issue a redirect to the client: response.sendRedirect(...) The advantage of issuing a redirect is that the client will not have to re-authenticate if the user then RELOADs the resulting page. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyXf3gACgkQ9CaO5/Lv0PDRmQCfSKPGx2EbXA8dA0WlcbNee8M9 /YYAoJ6iHtoM5pYzteMy3DMHzH07OCno =bBF7 -END PGP SIGNATURE- I thought that if you were making a request to a UserListServlet and it was restricted to authentication, assuming you use Form Authentication and structure your login form correctly, you don't have to worry about calling LoginServlet or using the requestDispatcher? Doesn't Tomcat handle this for you? What am I missing here? In the OP question, to what does the LoginServlet authenticate you? The LoginServlet?
RE: Howto: call a Servlet from another Servlet (Example)?!
Chris, -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Howto: call a Servlet from another Servlet (Example)?! -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - From my reading, the OP is doing his own authentication rather than using container-managed authentication. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyXpakACgkQ9CaO5/Lv0PCQ1QCginz5lDgSDCX/U6ek3oEQXvgg pdwAoKP12wnSztLoujxoj7rvNY8N4u/3 =r7fJ -END PGP SIGNATURE- I thought rolling your own authentication, rather than using container-managed security for authentication, is a bad idea? Is that just rhetoric?
WEB-INF
I've read that you can secure direct access to a JSP by placing it in the WEB-INF directory. I know you can also secure direct access to a JSP by creating a security constraint using URL patterns and assigning role names that do not exist. I've also heard that when you secure a URL using a security constraint, that you are not securing the resource. Most of the time I struggle with the semantics of the words people choose to use when discussing certain points. Is there a difference between securing the URL and securing the resource? Leo Donahue
directory listing using context.xml
I see this question a lot. If you want to create a web app that shows nothing more than a directory listing, you use the docBase attribute of context.xml in META-INF for your web app? You would also need a default servlet and mapping in web.xml that enables directory listing. Is that all? Sorry for the two questions in one day. Leo Donahue
RE: WEB-INF
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Subject: RE: WEB-INF From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Subject: WEB-INF Is there a difference between securing the URL and securing the resource? Quick quiz: what does the acronym URL stand for? - Chuck Well put. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: WEB-INF
From: michel [mailto:compu...@videotron.ca] Subject: Re: WEB-INF - Original Message - From: Leo Donahue - PLANDEVX leodona...@mail.maricopa.gov To: 'Tomcat Users List' users@tomcat.apache.org Sent: Friday, September 10, 2010 10:13 AM Subject: WEB-INF I've read that you can secure direct access to a JSP by placing it in the WEB-INF directory. I know you can also secure direct access to a JSP by creating a security constraint using URL patterns and assigning role names that do not exist. I've also heard that when you secure a URL using a security constraint, that you are not securing the resource. Most of the time I struggle with the semantics of the words people choose to use when discussing certain points. Is there a difference between securing the URL and securing the resource? Leo Donahue Leo, what do you mean direct access to a JSP? You get direct access to any JSP if you specify the URL. Michel Michel, I don't know. I'm trying to understand why there are so many of these kinds of questions. http://www.google.com/search?hl=enq=prevent+direct+access+to+jspaq=0maqi=g-m1aql=oq=direct+access+to+jgs_rfai= - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: WEB-INF
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Subject: RE: WEB-INF I'm trying to understand why there are so many of these kinds of questions. I think mostly because people often do not read the actual specs. - Chuck This one? http://jcp.org/aboutJava/communityprocess/final/jsr315/index.html - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: WEB-INF
From: Wesley Acheson [mailto:wesley.ache...@gmail.com] Subject: Re: WEB-INF Leo judging from the answers you've got. I think it may be better to state what you want to achieve. I'm not clear if you want to prevent access or allow access at the moment. Especially with the security role and no access. Is it that you want to protect your source code. Prevent access, prevent access under certain circumnstances. Or is it just you want the best way of not having something accessible through the outside world? Sorry If my questions don't make most sense. Regards, Wes I want to understand why it is a good practice to place them in WEB-INF Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: WEB-INF
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Subject: RE: WEB-INF I want to understand why it is a good practice to place them in WEB-INF To avoid uncontrolled access to your code. For example, if the resources were in a client-accessible area, the resource would have to protect itself against ill-formatted or antagonistic input; if the resource is only accessible to trusted callers (e.g., filters or servlets), the burden of validation can be on the visible component, and the logic in the non-visible resource can be simpler. - Chuck I could only come up with page navigation out of order as a reason to restrict direct access. You said it better. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: WEB-INF
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: WEB-INF -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leo, I'll chime in. :) On 9/10/2010 10:13 AM, Leo Donahue - PLANDEVX wrote: I've read that you can secure direct access to a JSP by placing it in the WEB-INF directory. I know you can also secure direct access to a JSP by creating a security constraint using URL patterns and assigning role names that do not exist. I've also heard that when you secure a URL using a security constraint, that you are not securing the resource. That depends on what you think the resource is. If it's a file on a disk, than it is only secure if you secure all ways to retrieve it. If you have multiple URLs that reference the same file on a disk, then yes, you can secure one URL and not another and therefore your file is not entirely secure. Chuck doesn't come right out and say this, but I believe he's hinting at the fact that files on a disk are largely irrelevant: they are an implementation detail where HTTP is concerned: the URL is a request for a resource. Securing that URL is securing the resource. The fact that multiple resources might result in the same response (from the same file on the disk) is just a coincidence. - -chris The heard part I mentioned in my original post, was actually a comment from another forum. The comment: The URL mapping, as its name implies, works on submitted URLs and doesn't protect resources The comment was in reference to using a URL pattern in a security constraint, and I didn't understand the use of that phrase ...works on submitted URLs and doesn't protect resources. The Tomcat list cleared this up, thanks everyone. Leo
RE: Configure read/write-access in TomCat
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Configure read/write-access in TomCat Comments at end. Caldarale, Charles R wrote: Do you know anyone who actually likes to write documentation? André Warnier wrote: Well actually I do. But it this case, I have a number of impediments : - I do not know enough of Tomcat and even Java to write something coherent and correct - I find the process of contributing Tomcat documentation changes rather overwhelming, technically speaking. (Which I guess explains also why not many other people feel like correcting the docs.) But let's suppose that I would try to write a summary of this process. Where would it fit in the documentation ? And whereabout would I find the original Tomcat code which does this, on the off-chance I might actually understand it enough to write something not totally wrong? Or, might the process better be described as : As Tomcat deploys each web application, it first installs the default servlet and its associated web.xml descriptor CATALINA_BASE/conf/web.xml for this web application, then it overrides this setup by any servlets and descriptor (application/WEB- INF/web.xml) provided by the application itself (if any). In case of overlapping or conflicting settings, the web application specific settings have precedence. http://tomcat.apache.org/tomcat-6.0-doc/architecture/startup/serverStartup.txt Sequence 2. c) c)3 - the last sentence. Obviously, this is supposedly for Tomcat 6, but the doc reads Tomcat 5 Startup Sequence. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Configuring Tomcat 6.0.28 with SSL
-Original Message- From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 [mailto:jason.t.hansel@navy.mil] Subject: RE: Configuring Tomcat 6.0.28 with SSL Well, IIS is listening on 443. Our users authenticate via PKI, through IIS (which is set-up for SSL/Single-Sign On). Ideally, I'd like this to be the same for the web app I'm trying to make available on the web server, however, the isapi_redirect loads the page very very very slow. I know that I'd have to establish a different port (according to the SysAdmin) if I'd want to authenticate through Tomcat, can this be done on 8443? Sorry for the questions, I'm a GIS guy learning Web. Jason, Sorry I'm late chiming in, but I had to go back and read the archives to see the history. Are you trying to secure something ArcGIS Server related? (or, ArcIMS?) I am able to avoid needing IIS/ISAPI for any of our GIS web apps, so far. Even when I had IIS/ISAPI configured, I didn't experience the same issues you have had with performance. can this be done on 8443? That is how I have to develop and test our GIS web apps that use SSL. Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
WebappClassLoader clearReferencesThreads
This is really a two part question. The first question has to do with the error in the log file and the second question has to do with making connections to other app servers in Tomcat. Part 1: I have a webapp (http://planning.maricopa.gov/apnxy) running under Tomcat 6.0.26 that makes a connection to a different app server that hosts the GIS part of the webapp. That app server is always running, even when I shutdown Tomcat. I looked at the source for WebappClassLoader: http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/java/org/apache/catalina/loader/ and I see that Tomcat is trying to terminate the thread that the apnxy web app started. I could stop the GIS service on the app server prior to restarting Tomcat, then start the app server. Part 2: What is the correct way to make connections to things that are not data sources in Tomcat? Can Tomcat manage the connection information (machine name, domain, user, password)? How? Making a server connection to an ArcGIS Server app server: http://resources.esri.com/help/9.3/arcgisserver/adf/java/help/api/arcobjects/com/esri/arcgis/server/ServerConnection.html PDUManagerImpl: http://edndoc.esri.com/arcobjects/9.2/Java/api/arcobjects/com/esri/arcgis/interop/PDUManagerImpl.html WebappClassLoader: http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/loader/WebappClassLoader.html Catalina logs: Jul 5, 2010 9:42:45 AM org.apache.coyote.http11.Http11AprProtocol pause INFO: Pausing Coyote HTTP/1.1 on http-80 Jul 5, 2010 9:42:45 AM org.apache.coyote.ajp.AjpAprProtocol pause INFO: Pausing Coyote AJP/1.3 on ajp-8009 Jul 5, 2010 9:42:46 AM org.apache.catalina.core.StandardService stop INFO: Stopping service Catalina Jul 5, 2010 9:42:47 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [PDUManagerImpl-openConnection] but has failed to stop it. This is very likely to create a memory leak. Jul 5, 2010 9:42:47 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [PDUManagerImpl-openConnection] but has failed to stop it. This is very likely to create a memory leak. Jul 5, 2010 9:42:47 AM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: A web application appears to have started a thread named [PDUManagerImpl-openConnection] but has failed to stop it. This is very likely to create a memory leak. Jul 5, 2010 9:42:47 AM org.apache.coyote.http11.Http11AprProtocol destroy INFO: Stopping Coyote HTTP/1.1 on http-80 Using CATALINA_BASE: C:\apache-tomcat-6.0.26 Using CATALINA_HOME: C:\apache-tomcat-6.0.26 Using CATALINA_TMPDIR: C:\apache-tomcat-6.0.26\temp Using JRE_HOME:C:\Program Files\Java\jdk1.6.0_20 Using CLASSPATH: C:\apache-tomcat-6.0.26\bin\bootstrap.jar Server version: Apache Tomcat/6.0.26 Server built: March 9 2010 1805 Server number: 6.0.26.0 OS Name:Windows 2003 OS Version: 5.2 Architecture: x86 JVM Version:1.6.0_20-b02 JVM Vendor: Sun Microsystems Inc. Leo Donahue
Question on ClientAbortException
http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/connector/ClientAbortException.html What does this mean exactly? A user makes a request for a resource and closes the browser before they get the response? Jul 2, 2010 10:04:27 AM com.sun.faces.lifecycle.LifecycleImpl phase WARNING: executePhase(RENDER_RESPONSE 6,com.sun.faces.context.facescontexti...@1efe4ac) threw exception javax.faces.FacesException at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:135) at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251) at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:646) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302) at org.apache.jasper.runtime.PageContextImpl.doForward(PageContextImpl.java:706) at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:677) at org.apache.jsp.index_jsp._jspService(index_jsp.java:58) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859) at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579) at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555) at java.lang.Thread.run(Thread.java:619) Caused by: ClientAbortException: java.io.IOException at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:358) at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:434) at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:309) at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:288) at org.apache.catalina.connector.Response.flushBuffer(Response.java:548) at org.apache.catalina.connector.ResponseFacade.flushBuffer(ResponseFacade.java:279) at com.sun.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:203) at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:106) ... 32 more Caused by: java.io.IOException at org.apache.coyote.http11.InternalAprOutputBuffer.flushBuffer(InternalAprOutputBuffer.java:696) at org.apache.coyote.http11.InternalAprOutputBuffer$SocketOutputBuffer.doWrite(InternalAprOutputBuffer.java:726) at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:124) at org.apache.coyote.http11.InternalAprOutputBuffer.doWrite(InternalAprOutputBuffer.java:532) at org.apache.coyote.Response.doWrite(Response.java:560) at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:353) ... 39 more Using CATALINA_BASE: C:\apache-tomcat-6.0.26 Using CATALINA_HOME: C:\apache-tomcat-6.0.26 Using CATALINA_TMPDIR: C:\apache-tomcat-6.0.26\temp Using JRE_HOME:C:\Program
RE: Still having problem retrieving user value from ISAPI Filter for authentication
From: Savoy, Melinda [mailto:melindasa...@texashealth.org] Subject: RE: Still having problem retrieving user value from ISAPI Filter for authentication What I did was comment out the filter from the web.xml and I went straight from the IE browser (http://localhost/index.jsp) to the index.jsp page that was comprised of only the following: %...@page language=java contentType=text/html; charset=ISO- 8859-1 pageEncoding=ISO-8859-1% Here is my USERID using getRemoteUser, %=request.getRemoteUser()% , in my index.jsp page. My browser window then showed: Here is my USERID using getRemoteUser, null, in my index.jsp page. That was it. So I wasn't even going through my application at all but only from the browser to Tomcat and it returned my page without issue but with NO user value as is indicated below in the log. Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security-role to your web.xml to test getRemoteUser(); in just Tomcat. Look at the manager webapp web.xml example: !-- Define a Security Constraint on this Application -- security-constraint web-resource-collection web-resource-nameHTMLManger and Manager command/web-resource-name url-pattern/jmxproxy/*/url-pattern url-pattern/html/*/url-pattern url-pattern/list/url-pattern url-pattern/expire/url-pattern url-pattern/sessions/url-pattern url-pattern/start/url-pattern url-pattern/stop/url-pattern url-pattern/install/url-pattern url-pattern/remove/url-pattern url-pattern/deploy/url-pattern url-pattern/undeploy/url-pattern url-pattern/reload/url-pattern url-pattern/save/url-pattern url-pattern/serverinfo/url-pattern url-pattern/status/*/url-pattern url-pattern/roles/url-pattern url-pattern/resources/url-pattern url-pattern/findleaks/url-pattern /web-resource-collection auth-constraint !-- NOTE: This role is not present in the default users file -- role-namemanager/role-name /auth-constraint /security-constraint !-- Define the Login Configuration for this Application -- login-config auth-methodBASIC/auth-method realm-nameTomcat Manager Application/realm-name /login-config !-- Security roles referenced by this web application -- security-role description The role that is required to log in to the Manager Application /description role-namemanager/role-name /security-role - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
OT RE: Still having problem retrieving user value from ISAPI Filter for authentication
From: Marc Boorshtein [mailto:mboorsht...@gmail.com] Subject: Re: Still having problem retrieving user value from ISAPI Filter for authentication Unless you are going to authenticate via one of Tomcat's authentication methods; BASIC, FORM, etc, then getRemoteUser() is going to return null. You'll need to add a security constraint, login-config and security- role to your web.xml to test getRemoteUser(); in just Tomcat. This shouldn't be the case since she put tomcatAuthentication=false tomcat should be taking the username from the JK_REMOTE_USER attribute. Marc Doesn't the url mapping in the uriworkermap.properties file interrupt IIS from passing authentication to Tomcat? If you restrict access to a virtual directory in IIS, mapped to a servlet or webapp in Tomcat, and there is a URL for that servlet/webapp in uriworkermap.properties, wouldn't Tomcat allow access even though IIS attempts to say no? I still have a server with IIS and the isapi_redirect.dll Jakarta filter running internally. I created a new website in IIS, called test, using IIS port 8088, mapped to the examples directory in Tomcat 6.0.26 (Tomcat's HTTP port is still 8080) I added the Jakarta virtual directory to test. I removed anonymous access and checked integrated windows security for test. http://localhost:8088 supply credentials of user not allowed to this directory - yields no access. http://localhost:8088/examples I get right through, no challenge from IIS. http://localhost:8088 supply credentials of user allowed, snoop JSP works, but Remote User is null. Everything else in snoop output had a value. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication
From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Subject: OT RE: Still having problem retrieving user value from ISAPI Filter for authentication Doesn't the url mapping in the uriworkermap.properties file interrupt IIS from passing authentication to Tomcat? If you restrict access to a virtual directory in IIS, mapped to a servlet or webapp in Tomcat, and there is a URL for that servlet/webapp in uriworkermap.properties, wouldn't Tomcat allow access even though IIS attempts to say no? I still have a server with IIS and the isapi_redirect.dll Jakarta filter running internally. I created a new website in IIS, called test, using IIS port 8088, mapped to the examples directory in Tomcat 6.0.26 (Tomcat's HTTP port is still 8080) I added the Jakarta virtual directory to test. I removed anonymous access and checked integrated windows security for test. http://localhost:8088 supply credentials of user not allowed to this directory - yields no access. http://localhost:8088/examples I get right through, no challenge from IIS. http://localhost:8088 supply credentials of user allowed, snoop JSP works, but Remote User is null. Everything else in snoop output had a value. I stand corrected, as usual. Snoop JSP does display my login info. However, my browser is now set to supply credentials for internal sites. Automatic login only in Intranet zone. IE 7 Internet Options Security Custom Level Scroll all the way down to User Authentication. isapi_redirect.dll version 1.2.27 IIS 6.0 Windows Server 2003 http://localhost:8088/examples/jsp/snp/snoop.jsp Request Information JSP Request Method: GET Request URI: /examples/jsp/snp/snoop.jsp Request Protocol: HTTP/1.1 Servlet path: /jsp/snp/snoop.jsp Path info: null Query string: null Content length: 0 Content type: null Server name: server name Server port: 8088 Remote user: PLANDEV\donahuel Remote address: my ip Remote host: my ip Authorization scheme: Negotiate Locale: en_US - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Multiple Tomcat Instances
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Subject: RE: Multiple Tomcat Instances Read the rest of that section of RUNNING.txt as well: When you use $CATALINA_BASE, Tomcat will calculate all relative references for files in the following directories based on the value of $CATALINA_BASE instead of $CATALINA_HOME: * bin - Only setenv.sh (*nix), setenv.bat (windows) and tomcat-juli.jar * conf - Server configuration files (including server.xml) * logs - Log and output files * webapps - Automatically loaded web applications * work - Temporary working directories for web applications * temp - Directory used by the JVM for temporary files (java.io.tmpdir) I saw this part but was confused about the word relative and thought it meant that somehow Tomcat would still be using a relative reference to the original directories based on where the $CATALINA_BASE directory was created. You seem to be confusing installation directories with running processes; I am. Tomcat uses whatever CATALINA_BASE is active when Tomcat is run via the startup.bat or catalina.bat scripts. Since each user has complete control over his/her environment variables, he or she can set the variable to any value desired. And that is the part that clears it up. The users are starting and stopping Tomcat via the scripts, not the windows process. The other part that is confusing me is that what if all users are running a process of Tomcat at the same time, I'm assuming they all have to use a separate HTTP port and shutdown port? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Multiple Tomcat Instances
From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Multiple Tomcat Instances The other part that is confusing me is that what if all users are running a process of Tomcat at the same time, I'm assuming they all have to use a separate HTTP port and shutdown port? You are not confused here. That is correct. If you have several Tomcat /instances/ (actually, they will be instances of java, running Tomcat), not two of them can open the same server port at the same time. If you are running one single instance of Tomcat (of java running Tomcat) with several virtual hosts defined in it, then there is only a single shutdown port, and there /can/ be a single HTTP port shared by all virtual hosts (or, just to add some confusion, there can also be several ports :-)). RUNNING.txt says: ... Note that by default Tomcat will first try to load classes and JARs from $CATALINA_BASE/lib and then $CATALINA_HOME/lib. You can place instance specific JARs and classes (e.g. JDBC drivers) in $CATALINA_BASE/lib whilst keeping the standard Tomcat JARs in $CATALINA_HOME/lib ... The doc didn't mention that Tomcat will calculate a relative reference for files in /lib, a few lines above this quote. I'm assuming I also need a /lib directory in $CATALINA_BASE then. If I place copies(?) of bin, conf, logs, webapps, work and temp in my $CATALINA_BASE directory, then how is that different from just downloading multiple Tomcat zip files and naming them separately, changing the startup/shutdown ports on each? The only thing I'm gaining is only needing the two files in my $CATALINA_BASE/bin instead of all the other files? What else? What was the deciding factor to be able to run multiple Tomcat instances? Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Multiple Tomcat Instances
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Multiple Tomcat Instances Leo, No, you don't have to have one, but if it's there, Tomcat will prefer the more-specific library(ies) found in CATALINA_BASE/lib to those found in CATALINA_HOME/lib. If I place copies(?) of bin, conf, logs, webapps, work and temp in my $CATALINA_BASE directory, then how is that different from just downloading multiple Tomcat zip files and naming them separately, changing the startup/shutdown ports on each? If you copy everything, then there is no difference. It's more typical to only create conf/server.xml and a separate webapps directory for the separate instance. The 'work' and 'temp' directories (and logs? I haven't checked) will automatically be created for you. Run the scripts from CATALINA_HOME and they will use CATALINA_BASE to figure everything out. Something not yet mentioned that can be done when using CATALINA_BASE is that you can have separate versions of the JVM running the same version of Tomcat, if that's useful to you. For instance, in production, we run 4 separate JVMs - one for each of our primary web applications. Some of those applications haven't yet been tested extensively under Java 6, yet, so we run them on Java 5 instead. The only thing I'm gaining is only needing the two files in my $CATALINA_BASE/bin instead of all the other files? What else? What was the deciding factor to be able to run multiple Tomcat instances? If you use a minimal set of files in CATALINA_BASE, then upgrading multiple (separate) installations of Tomcat is easily done by simply installing a new version of Tomcat into a new directory and running the new startup script. You can even switch-back to the old version fairly easily: run the startup script from the old version instead. ;) - -chris This is very helpful everyone. This kind of stuff needs to be in a newsletter or something, the part about using multiple jvms, and typical setups etc. Tomcat zip dir: C:\ApacheTomcat\apache-tomcat-6.0.26\bin In here I created a setenv.bat that has the following: set CATALINA_BASE=%C:\Catalina_Base1% C:\Catalina_Base1\ ** \conf ** \logs(automatically added when I ran C:\ApacheTomcat\apache-tomcat-6.0.26\bin\startup.bat) ** \webapps ** \work(automatically added when I ran C:\ApacheTomcat\apache-tomcat-6.0.26\bin\startup.bat) C:\Catalina_Base1\conf ** I copied the contents of \conf from C:\ApacheTomcat\apache-tomcat-6.0.26\conf ** I changed the shutdown port to 8006, HTTP port to 8081, and AJP Port to 8010 in server.xml C:\Catalina_Base1\webapps\ROOT ** I edited the index.html to indicate I'm using the html file from Catalina_Base1 http://localhost:8081 produces the edited index.html file from C:\Catalina_Base1\webapps\ROOT Very cool by the way. Ok, so how do I get specify multiple CATALINA_BASE options in the setenv.bat in C:\ApacheTomcat\apache-tomcat-6.0.26\bin ? This doesn't work: set CATALINA_BASE=%C:\Catalina_Base1%;%C:\Catalina_Base2%;%C:\Catalina_Base3%
RE: Multiple Tomcat Instances
From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: Multiple Tomcat Instances No wonder. I am starting to think that you do this on purpose.. Unfortunately, I'm not. Everyone always says read the docs. There are a lot of things I don’t understand, and other than the docs mentioning there is a CATALINA_BASE variable, they don't speak to where it can/should be defined (startup.bat or catalina.bat or setenv.bat), or setting it up the way you mentioned, or that you can even do it that way. http://tomcat.apache.org/tomcat-6.0-doc/introduction.html ( If read the docs literally, there is no README.txt in my CATALINA_HOME ) This is where people get lost/confused. Much of Tomcat config is like learning the secret handshake to me at this point. Maybe having a good look at the startup.bat and catalina.bat files would help. I was looking in both of those, which is where I saw the call to setenv.bat and assumed that must be where you define it, otherwise what is that call for?
RE: Multiple Tomcat Instances
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Multiple Tomcat Instances -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leo, On 6/16/2010 1:31 PM, Leo Donahue - PLANDEVX wrote: Tomcat zip dir: C:\ApacheTomcat\apache-tomcat-6.0.26\bin In here I created a setenv.bat that has the following: set CATALINA_BASE=%C:\Catalina_Base1% That is going to be counter-productive, since any instance of Tomcat using CATALINA_HOME=C:\ApacheTomcat\apache-tomcat-6.0.26\bin will end up using CATALINA_BASE=%C:\Catalina_Base1% (BTW, %C:\Catalina_Base1% will give you the value of an environment variable, instead of the path C:\Catalina_Base1, right?) Instead, I might suggest using a script like C:\Catalina_Base1\startup.bat: @set CATALINA_BASE=C:\Catalina_Base1 C:\ApacheTomcat\apache-tomcat-6.0.26\bin\startup.bat C:\Catalina_Base1\conf ** I copied the contents of \conf from C:\ApacheTomcat\apache-tomcat- 6.0.26\conf ** I changed the shutdown port to 8006, HTTP port to 8081, and AJP Port to 8010 in server.xml You can probably leave context.xml and web.xml in the original install without copying them. I would recommend your own server.xml (required), logging.properties (if you want something other than the default) and, if necessary, catalina.policy. Let the base Tomcat install take care of the other files. Ok, so how do I get specify multiple CATALINA_BASE options in the setenv.bat in C:\ApacheTomcat\apache-tomcat-6.0.26\bin? You don't :) See above. Hope that helps, - -chris Yes. After this exercise, I feel like I'm learning disabled.
Multiple Tomcat Instances
In RUNNING.txt it says you can have a single copy of Tomcat binary shared among multiple users on the same server by setting the environment variable $CATALINA_BASE to the directory that contains the files for each personal Tomcat instance. As simple as that reads, I don't understand it. I don't understand how this is different than a virtual host with different appBase's. Is it saying that whoever has a user login on the server can have their own Tomcat playground even though there is just one Tomcat installed? So, if on Windows, you set a User environment variable of CATALINA_BASE to something like C:\TomcatDevUser1 ... that's it? Tomcat figures out the CATALINA_BASE variable depending on who is logged in? Does C:\TomcatDevUser1 need a ROOT directory for their default webapp? Leo
RE: Allowing only specific users LDAP access
-Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Tuesday, June 08, 2010 9:12 AM To: Tomcat Users List Subject: RE: Allowing only specific users LDAP access I am trying to allow only specific users access. If you can't use Chris' suggestion and you're on a current version of Tomcat, you can combine your existing Realm with an additional authenticator, possibly using a file where you specify the subset of users you're willing to allow in. http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm - Chuck Does Tomcat allow you to specify separate userBase's? Or can you only have one per Realm? userBase=CN=User1,OU=somegroup,DC=yourdomain,DC=com userSearch=(amp;(objectCategory=person)(sAMAccountName={0})) userSubtree=true userRoleName=memberOf userBase=CN=User2,OU=somegroup,DC=yourdomain,DC=com userSearch=(amp;(objectCategory=person)(sAMAccountName={0})) userSubtree=true userRoleName=memberOf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How can I get the user value in the request forwarded to my Tomcat in my Java app?
I can't remember if anyone has already mentioned this. If so, my apologies. In IIS, do you have a Web Service Extension that is mapped to the isapi_redirect.dll, and that is set to allowed? -Original Message- From: Savoy, Melinda [mailto:melindasa...@texashealth.org] Sent: Thursday, June 03, 2010 1:53 PM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? I think I was finally able to TEST that my tomcat connector and its respective config files have been setup correctly. I think I have narrowed my problem to an IIS Directory Security ISSUE on jakarta. If anyone has run into this issue can you please respond to the following problem: In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access (checked only) In IIS I have the jakarta virtual directory setup with: Where the local path is: C:\Server\Tomcat 6.0\bin And the Directory Security is: Integrated Windows authentication (checked only) The result I get in my IE browser is: You are not authorized to view this page You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. Please try the following: Contact the Web site administrator if you believe you should be able to view this directory or page. Click the Refresh button to try again with different credentials. HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS) But when I change the jakarta Directory Security to the following I am able to get to the ERROR.jsp page in my application on Tomcat: Directory Security changed to Anonymous access (checked only) The ERROR.jsp page comes up because I do not have a USER value in the request. It is empty as depicted from the isapi log: [Thu Jun 03 15:27:24.665 2010] [948:3148] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=167.99.60.10 addr=167.99.60.10 name=scmisdev port=80 auth= user= uri=/pics/plus.jpg Any suggestions or direction on how I can remedy this issue would be appreciated. Thank you. -Original Message- From: Savoy, Melinda Sent: Thursday, June 03, 2010 12:53 PM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Let me try to answer Andre's questions below as well as communicate the results I got given the settings I have in the Windows 2003 server and ANY HELP or DIRECTION would be GREATLY APPRECIATED : I spoke to the guy who had setup our Tomcat server and he said that the SECOND HOST in our server.xml file was there to define the virtual host that is in our enterprise DNS (see settings below). The baseapp=scmisapp which is a directory in our tomcat server: C:\Server\Tomcat 6.0\scmisapp I removed the SECOND virtual directory as you instructed and now I'm getting Windows login dialog boxes when trying to go the URL: http://scmisdev. If we could start from the following settings and if someone could let me know what I'm doing wrong to get the error (see below) I'm getting it would be greatly appreciated: Workers.properties file: worker.scmisWorker.type=ajp13 worker.scmisWorker.host=localhost (I'm not sure if this should match the host name=scmis in my server.xml file or not) worker.scmisWorker.port=8009 uriworkermap.properties file: /scmisdev/*=scmisWorker (this matches the virtual host that we have defined in the enterprise DNS and what we use to get to this server via the URL in our browsers (IE) http://scmisdev ). Server.xml: Host name=localhost appBase=webapps unpackWARs=false autoDeploy=false xmlValidation=false xmlNamespaceAware=false !-- SingleSignOn valve, share authentication between web applications Documentation at: /docs/config/valve.html -- !-- Valve className=org.apache.catalina.authenticator.SingleSignOn / -- !-- Access log processes all example. Documentation at: /docs/config/valve.html -- !-- Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=localhost_access_log. suffix=.txt pattern=common resolveHosts=false/ -- /Host Host name=scmis appBase=scmisapp unpackWARs=true autoDeploy=false xmlValidation=false xmlNamespaceAware=false Aliasscmisdev/Alias Aliasscmisdev.texashealth.org/Alias /Host In IIS I have the Default Web Site setup with: ISAPI Filters: jakarta and it points to C:\Server\Tomcat 6.0\bin\isapi_redirect.dll And the Directory Security is: Enable anonymous access
RE: Way to record what URL an error originated from in my localhost file?
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Thursday, May 20, 2010 3:34 PM To: Tomcat Users List Subject: Re: Way to record what URL an error originated from in my localhost file? Valve className=org.apache.catalina.valves.AccessLogValve ... [file and path parameters] ... condition=javax.servlet.error.request_uri pattern=[%t] %a %{javax.servlet.error.request_uri}r (no CRLF) %{my.session.attribute}s (no CRLF here, either) %{my.other.session.attribute}s / If you want to look at ExtendedAccessLogValve, it can do some more exciting things, though I think you have to know the parameter names beforehand: it can't simply dump the entire set of request parameters. Hope that helps, - -chris Very nice example, thanks Chris. Where is ExtendedAccessLogValve? http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
RE: Way to record what URL an error originated from in my localhost file?
-Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Thursday, May 20, 2010 3:57 PM To: 'Tomcat Users List' Subject: RE: Way to record what URL an error originated from in my localhost file? Very nice example, thanks Chris. Where is ExtendedAccessLogValve? http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html Found it. Haven't looked in here before, sorry. http://tomcat.apache.org/tomcat-6.0-doc/api/index.html
clearThreadLocalMap
These show up in my Catalina logs, not very often - maybe half a dozen per day. Does this mean I didn't clean up my variables correctly in my webapp? May 18, 2010 7:51:01 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap SEVERE: A web application created a ThreadLocal with key of type [null] (value [javax.faces.context.facescontex...@724356]) and a value of type [null] (value [null]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed. Using CATALINA_BASE: C:\apache-tomcat-6.0.24 Using CATALINA_HOME: C:\apache-tomcat-6.0.24 Using CATALINA_TMPDIR: C:\apache-tomcat-6.0.24\temp Using JRE_HOME:C:\Program Files\Java\jdk1.6.0_14 Using CLASSPATH: C:\apache-tomcat-6.0.24\bin\bootstrap.jar Server version: Apache Tomcat/6.0.24 Server built: January 19 2010 1439 Server number: 6.0.0.0 OS Name:Windows 2003 OS Version: 5.2 Architecture: x86 JVM Version:1.6.0_14-b08 JVM Vendor: Sun Microsystems Inc. Leo
RE: Restrict http methods
-Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Friday, May 14, 2010 5:07 AM To: Tomcat Users List Subject: Re: Restrict http methods Mark Thomas wrote: On 14/05/2010 09:06, André Warnier wrote: Mark Thomas wrote: On 14/05/2010 00:28, André Warnier wrote: Leo, normally in the default config of a webserver, these methods are by default disabled, for the simple reason that there is no handler defined for them. That is the case for Apache httpd, and I suppose for Tomcat. Nope. The default servlet supports both PUT and DELETE but they are blocked by default. I suppose that Tomcat could return a 405 Method Not Allowed or a 501 Not Implemented error code, but I am not sure what it does really. It returns a 403. Mark Thanks. Just for further information really : If there is a webapp context say at /abc, with a servlet url-mapping of /*, and this servlet does not have a doPut() method, does a PUT request to /abc get remapped to the default servlet ? No. All requests, regardless of HTTP method, get passed to a Servlet's service() method. From the reference to doPut(), I assume that the servlet in question is extending javax.servlet.http.HttpServlet Rather than me describe what that code does: http://svn.apache.org/viewvc/tomcat/trunk/java/javax/servlet/http/Http Servlet.java?view=annotate Allright, I think I get it now. My mindset is just not Java- or object-enough oriented for me to think of that right away. So a servlet subclasses (or implements) HttpServlet, and if it does not itself override the doPut and doDelete methods, the ones from the base class (or interface) apply. And these return 403. Thanks for enlightening me. Leo, are you still with us ? ;-) Yes. I wasn't implementing doPUT or doDELETE and was scratching my head trying to figure out how the security scan was able to indicate those methods were available. Pid - see, I told you I have a lot to learn Btw, I had no idea that the code is published on the web. Very cool. Now you've got me on a diversion... So many questions - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
clientaccesspolicy and crossdomain xml files
In order for Silverlight to access a cross-domain webservice, it needs a clientaccesspolicy.xml and crossdomain.xml in the root directory of the webapp? I don't see anthing in the Servlet 2.5 spec that talks about these, or whether they impact security-constraints or remote address valves. Anyone using these? Leo
Restrict http methods
What do most people use to restrict PUT and DELETE http methods? 1. Using a security-constraint with no roles specified in a auth-constraint, with a url-pattern of /* (or appropriate URI) and list the http methods to restrict OR 2. Set the attribute readonly to true in the default servlet in web.xml Leo
RE: Restrict http methods
Thanks. Security audit day. Spent 3 hours making changes - waiting for results, when the tool ended up reporting a false-positive for DELETE. Now I know I could have done nothing. Great. I still don't have warm fuzzies about this. I think they used IBM Rational App Scan, not sure though. Leo -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Thursday, May 13, 2010 3:13 PM To: Tomcat Users List Subject: RE: Restrict http methods From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Subject: Restrict http methods What do most people use to restrict PUT and DELETE http methods? 2. Set the attribute readonly to true in the default servlet in web.xml The readonly attribute defaults to true, so most people do ... nothing. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Almost figured out how to satisfy container and managed bean login.
anyone know why? Without seeing your web.xml, I have no idea. it never reaches the j_security check servlet However, are you trying to do FORM based authentication? Then read this: http://java.sun.com/javaee/5/docs/tutorial/doc/bncbe.html#bncbq And here is an example: http://java.sun.com/javaee/5/docs/tutorial/doc/bncbx.html#bncca I have a double login requirement... If you are using container managed security, you can use isUserInRole, no? Leo -Original Message- From: Yucca Nel [mailto:yucca...@live.co.za] Sent: Sunday, May 09, 2010 1:22 PM To: Tomcat Users List Subject: Almost figured out how to satisfy container and managed bean login. I have a double login requirement because I need some finer detals that tomcst's container authentication does not seem to provide. I need a way to atore username in business logic scope when logged in (mainly just the username) my current solution is not working as follows: I submit action to backing method which is coded in the jsf as follows in the login page: f:view body style=background-color:#7b68ee;margin:auto div align=center id=headerjsp:include page=/header.jsp//div div align=center div align=center id=centred-contentstyle=border-width:3px; border-style: solid; border-color: #7fffd4;width:800px div id=h1 align=center h:outputText value=#{loginMsg.h1}... style=color:white; font-family:fantasy;font-size:large;/br h:outputText value=#{loginMsg.h2}... style=color:white; font-family:fantasy;font-size:large;//div div align=center h:form h:panelGrid columns=2 h:outputText value=#{registerMsg.userName}: style=color:yellow;/ h:inputText id=j_username value=#{loginForm.username} title=#{registerMsg.userNameTitle}required=true f:validateLength maximum=20 minimum=6/ h:outputText value=#{registerMsg.password}: style=color:yellow;/ h:inputSecret id=j_passwword value=#{loginForm.password} title=#{registerMsg.passwordTitle}required=true /h:inputSecret /h:panelGrid h:commandButton action=#{loginForm.confirmCredentials} value=#{loginMsg.login}style=color:#20b2aa; / br /h:form then in loginForm.java I have the method coded as follows to set my managed bean and hopefuly dispatch on continer needed login credentials. public String confirmCredentials() throws IOException, ServletException { UserSession userSession = (UserSession)FacesContext.getCurrentInstance().getExternalContext().getSessionMap().get(userSession); if (UserManagerBean.confirmLogin(username, password)) { UsersEntity user = UserManagerBean.findUser(username); userSession.setCurrentUser(user); return home; } FacesMessage message = new FacesMessage(); message.setSummary(Login Error); message.setDetail(Unable to log you in - + username and password combination not found.); message.setSeverity(FacesMessage.SEVERITY_WARN); FacesContext.getCurrentInstance().addMessage(null,message); ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext(); HttpServletRequest request = (HttpServletRequest)ectx.getRequest(); HttpServletResponse response = (HttpServletResponse)ectx.getResponse(); RequestDispatcher dispatcher = request.getRequestDispatcher(j_security_check); dispatcher.forward(request,response); return null; } it never reaches the j_security check servlet anyone know why? The method works fine when called from outside containers security context defined around the page request. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context in conf/Catalina/localhost question
NetBeans 6.8 won't even run the webapp within the IDE unless the path attribute is set in META-INF/context.xml I understand why the IDE needs the path to run the webapp from the the NetBeans work directory, but do the NetBeans people talk to the Tomcat people? :) Maybe, the clean and build tool in NetBeans could strip that out when it creates the war file? I'm just saying. People forget. -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Sunday, May 09, 2010 6:27 PM To: 'Tomcat Users List' Subject: RE: Context in conf/Catalina/localhost question This always happens. Once I send a question I find the answer. Normally I've been copying expanded webapp directories to the webapps folder when I have Tomcat stopped for other server maintenance. I forgot that I experimented with deploying a war file for the apnxy servlet. I'm going to point the finger at NetBeans for adding the path attribute to my context. Tomcat was just doing what it is supposed to under automatic deployment: http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Automatic%20Application%20Deployment -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Sunday, May 09, 2010 6:17 PM To: 'Tomcat Users List' Subject: Context in conf/Catalina/localhost question I've noticed that sometimes when I make a change to an existing webapp or deploy a new one, that the file contents created in conf/Catalina/localhost do not match the contents of the context file in META-INF/context.xml of the webapp dir. Tomcat 6.0.24 - still. Upgrade is coming. Example, I added a valve to each of my webapps context.xml to turn on the access logs. The valve was the same for each webap, I only changed the name of the access log file name. Three of four webapps produced a log file, but one webapp would not produce an access log file, no matter how many times I restarted Tomcat - deleted the cache in the work directory and removed previous entries in conf/Catalina/localhost. http://tomcat.apache.org/tomcat-6.0-doc/config/context.html ... You may define as many Context elements as you wish. Each such Context MUST have a unique context path. In addition, a Context must be present with a context path equal to a zero-length string. This Context becomes the default web application for this virtual host, and is used to process all requests that do not match any other Context's context path ... Contents of the apnxy servlet META-INF/context.xml that keep appearing in conf/Catalina/localhost, and I didn't even have the path attribute set in that file: ?xml version=1.0 encoding=UTF-8? Context antiJARLocking=true path=/apnxy /Context I finally just stopped Tomcat, deleted the cache in work dir, renamed and manually copied the apnxy.xml file from META-INF/context.xml to conf/Catalina/localhost and started Tomcat. Access log for apnxy_... appeared. What did I miss? Contents of each access log valve: ?xml version=1.0 encoding=UTF-8? Context antiJARLocking=true !-- Log all requests to Tomcat root -- Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=apnxy_access_log. suffix=.txt pattern=common resolveHosts=false/ /Context Contents of context.xml in conf directory: ?xml version='1.0' encoding='utf-8'? !-- The contents of this file will be loaded for each web application -- Context !-- Default set of monitored resources -- WatchedResourceWEB-INF/web.xml/WatchedResource !-- Uncomment this to disable session persistence across Tomcat restarts -- !-- Manager pathname= / -- !-- Uncomment this to enable Comet connection tacking (provides events on session expiration as well as webapp lifecycle) -- !-- Valve className=org.apache.catalina.valves.CometConnectionManagerValve / -- /Context Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Context in conf/Catalina/localhost question
NetBeans 6.8 Output window: In-place deployment at C:\NetBeans_Projects\webappname\build\web Cannot deploy the module. The context.xml file seems to be broken. Check whether it is well-formed and valid. C:\NetBeans_Projects\webappname\nbproject\build-impl.xml:584: The module has not been deployed. -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Monday, May 10, 2010 2:51 PM To: 'Tomcat Users List' Subject: RE: Context in conf/Catalina/localhost question NetBeans 6.8 won't even run the webapp within the IDE unless the path attribute is set in META-INF/context.xml I understand why the IDE needs the path to run the webapp from the the NetBeans work directory, but do the NetBeans people talk to the Tomcat people? :) Maybe, the clean and build tool in NetBeans could strip that out when it creates the war file? I'm just saying. People forget. -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Sunday, May 09, 2010 6:27 PM To: 'Tomcat Users List' Subject: RE: Context in conf/Catalina/localhost question This always happens. Once I send a question I find the answer. Normally I've been copying expanded webapp directories to the webapps folder when I have Tomcat stopped for other server maintenance. I forgot that I experimented with deploying a war file for the apnxy servlet. I'm going to point the finger at NetBeans for adding the path attribute to my context. Tomcat was just doing what it is supposed to under automatic deployment: http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Automatic%20Application%20Deployment -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Sunday, May 09, 2010 6:17 PM To: 'Tomcat Users List' Subject: Context in conf/Catalina/localhost question I've noticed that sometimes when I make a change to an existing webapp or deploy a new one, that the file contents created in conf/Catalina/localhost do not match the contents of the context file in META-INF/context.xml of the webapp dir. Tomcat 6.0.24 - still. Upgrade is coming. Example, I added a valve to each of my webapps context.xml to turn on the access logs. The valve was the same for each webap, I only changed the name of the access log file name. Three of four webapps produced a log file, but one webapp would not produce an access log file, no matter how many times I restarted Tomcat - deleted the cache in the work directory and removed previous entries in conf/Catalina/localhost. http://tomcat.apache.org/tomcat-6.0-doc/config/context.html ... You may define as many Context elements as you wish. Each such Context MUST have a unique context path. In addition, a Context must be present with a context path equal to a zero-length string. This Context becomes the default web application for this virtual host, and is used to process all requests that do not match any other Context's context path ... Contents of the apnxy servlet META-INF/context.xml that keep appearing in conf/Catalina/localhost, and I didn't even have the path attribute set in that file: ?xml version=1.0 encoding=UTF-8? Context antiJARLocking=true path=/apnxy /Context I finally just stopped Tomcat, deleted the cache in work dir, renamed and manually copied the apnxy.xml file from META-INF/context.xml to conf/Catalina/localhost and started Tomcat. Access log for apnxy_... appeared. What did I miss? Contents of each access log valve: ?xml version=1.0 encoding=UTF-8? Context antiJARLocking=true !-- Log all requests to Tomcat root -- Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=apnxy_access_log. suffix=.txt pattern=common resolveHosts=false/ /Context Contents of context.xml in conf directory: ?xml version='1.0' encoding='utf-8'? !-- The contents of this file will be loaded for each web application -- Context !-- Default set of monitored resources -- WatchedResourceWEB-INF/web.xml/WatchedResource !-- Uncomment this to disable session persistence across Tomcat restarts -- !-- Manager pathname= / -- !-- Uncomment this to enable Comet connection tacking (provides events on session expiration as well as webapp lifecycle) -- !-- Valve className=org.apache.catalina.valves.CometConnectionManagerValve / -- /Context Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands
Context in conf/Catalina/localhost question
I've noticed that sometimes when I make a change to an existing webapp or deploy a new one, that the file contents created in conf/Catalina/localhost do not match the contents of the context file in META-INF/context.xml of the webapp dir. Tomcat 6.0.24 - still. Upgrade is coming. Example, I added a valve to each of my webapps context.xml to turn on the access logs. The valve was the same for each webap, I only changed the name of the access log file name. Three of four webapps produced a log file, but one webapp would not produce an access log file, no matter how many times I restarted Tomcat - deleted the cache in the work directory and removed previous entries in conf/Catalina/localhost. http://tomcat.apache.org/tomcat-6.0-doc/config/context.html ... You may define as many Context elements as you wish. Each such Context MUST have a unique context path. In addition, a Context must be present with a context path equal to a zero-length string. This Context becomes the default web application for this virtual host, and is used to process all requests that do not match any other Context's context path ... Contents of the apnxy servlet META-INF/context.xml that keep appearing in conf/Catalina/localhost, and I didn't even have the path attribute set in that file: ?xml version=1.0 encoding=UTF-8? Context antiJARLocking=true path=/apnxy /Context I finally just stopped Tomcat, deleted the cache in work dir, renamed and manually copied the apnxy.xml file from META-INF/context.xml to conf/Catalina/localhost and started Tomcat. Access log for apnxy_... appeared. What did I miss? Contents of each access log valve: ?xml version=1.0 encoding=UTF-8? Context antiJARLocking=true !-- Log all requests to Tomcat root -- Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=apnxy_access_log. suffix=.txt pattern=common resolveHosts=false/ /Context Contents of context.xml in conf directory: ?xml version='1.0' encoding='utf-8'? !-- The contents of this file will be loaded for each web application -- Context !-- Default set of monitored resources -- WatchedResourceWEB-INF/web.xml/WatchedResource !-- Uncomment this to disable session persistence across Tomcat restarts -- !-- Manager pathname= / -- !-- Uncomment this to enable Comet connection tacking (provides events on session expiration as well as webapp lifecycle) -- !-- Valve className=org.apache.catalina.valves.CometConnectionManagerValve / -- /Context Leo
RE: Context in conf/Catalina/localhost question
This always happens. Once I send a question I find the answer. Normally I've been copying expanded webapp directories to the webapps folder when I have Tomcat stopped for other server maintenance. I forgot that I experimented with deploying a war file for the apnxy servlet. I'm going to point the finger at NetBeans for adding the path attribute to my context. Tomcat was just doing what it is supposed to under automatic deployment: http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Automatic%20Application%20Deployment -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Sunday, May 09, 2010 6:17 PM To: 'Tomcat Users List' Subject: Context in conf/Catalina/localhost question I've noticed that sometimes when I make a change to an existing webapp or deploy a new one, that the file contents created in conf/Catalina/localhost do not match the contents of the context file in META-INF/context.xml of the webapp dir. Tomcat 6.0.24 - still. Upgrade is coming. Example, I added a valve to each of my webapps context.xml to turn on the access logs. The valve was the same for each webap, I only changed the name of the access log file name. Three of four webapps produced a log file, but one webapp would not produce an access log file, no matter how many times I restarted Tomcat - deleted the cache in the work directory and removed previous entries in conf/Catalina/localhost. http://tomcat.apache.org/tomcat-6.0-doc/config/context.html ... You may define as many Context elements as you wish. Each such Context MUST have a unique context path. In addition, a Context must be present with a context path equal to a zero-length string. This Context becomes the default web application for this virtual host, and is used to process all requests that do not match any other Context's context path ... Contents of the apnxy servlet META-INF/context.xml that keep appearing in conf/Catalina/localhost, and I didn't even have the path attribute set in that file: ?xml version=1.0 encoding=UTF-8? Context antiJARLocking=true path=/apnxy /Context I finally just stopped Tomcat, deleted the cache in work dir, renamed and manually copied the apnxy.xml file from META-INF/context.xml to conf/Catalina/localhost and started Tomcat. Access log for apnxy_... appeared. What did I miss? Contents of each access log valve: ?xml version=1.0 encoding=UTF-8? Context antiJARLocking=true !-- Log all requests to Tomcat root -- Valve className=org.apache.catalina.valves.AccessLogValve directory=logs prefix=apnxy_access_log. suffix=.txt pattern=common resolveHosts=false/ /Context Contents of context.xml in conf directory: ?xml version='1.0' encoding='utf-8'? !-- The contents of this file will be loaded for each web application -- Context !-- Default set of monitored resources -- WatchedResourceWEB-INF/web.xml/WatchedResource !-- Uncomment this to disable session persistence across Tomcat restarts -- !-- Manager pathname= / -- !-- Uncomment this to enable Comet connection tacking (provides events on session expiration as well as webapp lifecycle) -- !-- Valve className=org.apache.catalina.valves.CometConnectionManagerValve / -- /Context Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Isapi_redirect.dll
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html A pre-built version of the ISAPI redirector server plugin, isapi_redirect.dll, is available under the win32/i386 directory of tomcat-connectors distribution I'm blind. I downloaded the zip and I don't see it in there anywhere. http://tomcat.apache.org/download-connectors.cgi Leo
RE: Isapi_redirect.dll
Found it. http://www.gossipcheck.com/mirrors/apache/tomcat/tomcat-connectors/jk/binaries/win32/jk-1.2.30/ -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Friday, May 07, 2010 9:48 AM To: 'Tomcat Users List' Subject: Isapi_redirect.dll http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html A pre-built version of the ISAPI redirector server plugin, isapi_redirect.dll, is available under the win32/i386 directory of tomcat-connectors distribution I'm blind. I downloaded the zip and I don't see it in there anywhere. http://tomcat.apache.org/download-connectors.cgi Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Isapi_redirect.dll
Martin, You caught me on an interesting day. I have an interesting/jaded response. Short answer: They work nice together when the configuration is correct, and you know what you're doing, and nobody messes with anything. Although, I don't think I really need IIS + Tomcat for what we are doing. Long answer: For several years, we have had a GIS website running under IIS + Tomcat, using the isapi_redirect.dll, and that is because we followed the vendor's recommendations. IIS = port 80, Tomcat = port 8080. Try deviating from their specs and you lose tech support, that is unless you can get someone to assist you in their user forums. Their user forums are not the best place to ask Tomcat related questions - *simply my opinion. IIS + Tomcat makes my head spin. The reason being is that when something is wrong with my servlet or the vendor's webapp, I waste time figuring out whether the isapi_redirect.dll is not working or whether I have some other issue. Case in point, today. My site was down for about 5 hours this morning. I finally tracked it back to: I implemented Tomcat, someone else implements IIS. I upgraded Tomcat, but IIS still had hold of the isapi_redirect.dll in my old tomcat_6.0.20 bin and that tomcat was not running. Ok, tried to fix that. Edit the registry for the isapi dll point to new tomcat bin, restart the server, no luck. Ok, then maybe isapi dll I had is not compatible with newer Tomcat? Chase that question down This whole process wastes time when I don't have it to waste. I ended up turning IIS off and now run my site using Tomcat only. Everything seems to be working fine with just Tomcat serving up static HTTP. I don't even notice a difference. I still have a lot to learn about using Tomcat. http://planning.maricopa.gov Leo -Original Message- From: Martin Gainty [mailto:mgai...@hotmail.com] Sent: Friday, May 07, 2010 10:37 AM To: Tomcat Users List Subject: RE: Isapi_redirect.dll no problem..you're the 3rd person on the list (in as many weeks) that has requested operational details for IIS-Tomcat configuration would appreciate hearing how these 2 technology stacks work together, Martin __ Please do not modify or alter this transmission. Thank You From: leodona...@mail.maricopa.gov To: users@tomcat.apache.org Date: Fri, 7 May 2010 09:49:41 -0700 Subject: RE: Isapi_redirect.dll Found it. http://www.gossipcheck.com/mirrors/apache/tomcat/tomcat-connectors/jk/ binaries/win32/jk-1.2.30/ -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Friday, May 07, 2010 9:48 AM To: 'Tomcat Users List' Subject: Isapi_redirect.dll http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html A pre-built version of the ISAPI redirector server plugin, isapi_redirect.dll, is available under the win32/i386 directory of tomcat-connectors distribution I'm blind. I downloaded the zip and I don't see it in there anywhere. http://tomcat.apache.org/download-connectors.cgi Leo - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org _ The New Busy think 9 to 5 is a cute idea. Combine multiple calendars with Hotmail. http://www.windowslive.com/campaign/thenewbusy?tile=multicalendarocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_5 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Isapi_redirect.dll
That happened here once. The building we lease lost AC two summers ago. We rented a cooling unit and the dust that blew out of the cooling unit tripped the fire alarm. Still employed. -Original Message- From: Martin Gainty [mailto:mgai...@hotmail.com] Sent: Friday, May 07, 2010 12:19 PM To: Tomcat Users List Subject: RE: Isapi_redirect.dll i used to work at a site where the owner wanted to save a few pennies and turn the AC off at nite.. one day in july it got over 90 degrees and all the apps went into 'super-fried' mode my beeper went off at 8pm ..when i finally arrived at the server room the temp was over 100f opened the windows.. got some fans blowing..downed all the servers and the apps returned to operational I see alot of GIS apps going ESRI these days..(mostly Postgres/PostGIS or Oracle Spatial) would like to hear your esri preference (offline) when you get the chance good stuff! Martin Gainty __ Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. From: leodona...@mail.maricopa.gov To: users@tomcat.apache.org Date: Fri, 7 May 2010 12:02:53 -0700 Subject: RE: Isapi_redirect.dll Martin, You caught me on an interesting day. I have an interesting/jaded response. Short answer: They work nice together when the configuration is correct, and you know what you're doing, and nobody messes with anything. Although, I don't think I really need IIS + Tomcat for what we are doing. Long answer: For several years, we have had a GIS website running under IIS + Tomcat, using the isapi_redirect.dll, and that is because we followed the vendor's recommendations. IIS = port 80, Tomcat = port 8080. Try deviating from their specs and you lose tech support, that is unless you can get someone to assist you in their user forums. Their user forums are not the best place to ask Tomcat related questions - *simply my opinion. IIS + Tomcat makes my head spin. The reason being is that when something is wrong with my servlet or the vendor's webapp, I waste time figuring out whether the isapi_redirect.dll is not working or whether I have some other issue. Case in point, today. My site was down for about 5 hours this morning. I finally tracked it back to: I implemented Tomcat, someone else implements IIS. I upgraded Tomcat, but IIS still had hold of the isapi_redirect.dll in my old tomcat_6.0.20 bin and that tomcat was not running. Ok, tried to fix that. Edit the registry for the isapi dll point to new tomcat bin, restart the server, no luck. Ok, then maybe isapi dll I had is not compatible with newer Tomcat? Chase that question down This whole process wastes time when I don't have it to waste. I ended up turning IIS off and now run my site using Tomcat only. Everything seems to be working fine with just Tomcat serving up static HTTP. I don't even notice a difference. I still have a lot to learn about using Tomcat. http://planning.maricopa.gov Leo -Original Message- From: Martin Gainty [mailto:mgai...@hotmail.com] Sent: Friday, May 07, 2010 10:37 AM To: Tomcat Users List Subject: RE: Isapi_redirect.dll no problem..you're the 3rd person on the list (in as many weeks) that has requested operational details for IIS-Tomcat configuration would appreciate hearing how these 2 technology stacks work together, Martin __ Please do not modify or alter this transmission. Thank You From: leodona...@mail.maricopa.gov To: users@tomcat.apache.org Date: Fri, 7 May 2010 09:49:41 -0700 Subject: RE: Isapi_redirect.dll Found it. http://www.gossipcheck.com/mirrors/apache/tomcat/tomcat-connectors/j k/ binaries/win32/jk-1.2.30/ -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Friday, May 07, 2010 9:48 AM To: 'Tomcat Users List' Subject: Isapi_redirect.dll http://tomcat.apache.org/connectors-doc
Access Log Valve
Using CATALINA_BASE: C:\apache-tomcat-6.0.24 Using CATALINA_HOME: C:\apache-tomcat-6.0.24 Using CATALINA_TMPDIR: C:\apache-tomcat-6.0.24\temp Using JRE_HOME:C:\Program Files\Java\jdk1.6.0_14 Using CLASSPATH: C:\apache-tomcat-6.0.24\bin\bootstrap.jar Server version: Apache Tomcat/6.0.24 Server built: January 19 2010 1439 Server number: 6.0.0.0 OS Name:Windows 2003 OS Version: 5.2 Architecture: x86 JVM Version:1.6.0_14-b08 JVM Vendor: Sun Microsystems Inc. I know, I need to update a few items. Why is the access log valve in server.xml commented out initially? ... and will record ALL requests... - is this a hint? http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Access%20Log%20Valve Leo Donahue
RE: Windows Local user Login
What database are you using? SQL Server 2005 and later allows you to use windows password policy and password expiration. You can enable that when you create your sql login. You create your windows password policy outside of Tomcat in active directory. However, as David pointed out to you in your other thread, you have write your own code to catch sql exceptions when user logs in with expired, inactive, etc. passwords. Leo -Original Message- From: Stéphanie Cettou [mailto:s.cet...@gmail.com] Sent: Wednesday, March 31, 2010 8:25 AM To: Tomcat Users List Subject: Re: Windows Local user Login I am confusing... I have a JSP application and tomcat 5.5. my goal it to implement a login for this application with this mandatory rules: - Check type of password (more that 8 char, special char,...) - Ask new password every month (from the web site) - Block the user after 3 failed login - Block inactive user (ex after 90 days) and not Mandatory: - Single-Sing-On for some users - Add/modify/delete user from web site - Get more roles at an user (my Java code is ready for a JDBCRealm login) * read/modify pages and objects The user must can connect from more pc, the finally application is in a Windows 2003 server. I don't know if I can use active directory (create a new active directory only for this application = install a new server), or others things... I don't know if I need to implement this in java, or a existing solution is ready... I don't have a lot of knowledge in active directory, tomcat, NTLM or Kerberos, I need to be sure to choise the good solution for all point of my goal while I can't spent a lot of time, and I can't change my solution later... can you give me more informations, please? I don't have enough knowledge to choise the the simplest and best solution now... thank you Stéphanie 2010/3/31 Christopher Schultz ch...@christopherschultz.net: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Stéphanie, On 3/31/2010 10:08 AM, Stéphanie Cettou wrote: it is possible to do a windows authentication using local window xp users and Tomcat? Do you happen to be using ActiveDirectory? Realm className=org.apache.catalina.realm.JNDIRealm for Active directory users. It is possible to use the local windows users? If yes, how? Try googling for tomcat windows authentication: there's some stuff out there. A couple of things I found before I decided I was getting-in over my head (are you using NTLM or Kerberos, etc.?), I found these: http://spnego.sourceforge.net/ http://wiki.apache.org/tomcat/FAQ/Windows#Q4 I'm sure there are others. Another possibility (I suspect, though I don't know) is to use IIS out in front of Tomcat, and have IIS perform the local authentication for you, then pass that information through to Tomcat using AJP. This might be an easier path for you to follow. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkuzW74ACgkQ9CaO5/Lv0PCWjgCghZXSFIO8/W/vrYJRdJ8JFJ9n O/cAnjZaOXhzbp/06cHf6NReLYW/9VOB =NQ3t -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Connecting to a Database
I only added that valve because I did not want just anyone to be able to type http://mydomain.com/manager/html and get the Tomcat manager login challenge. That valve should not have any effect on your DataSourceRealm. You should probably post the data Chuck asked for. Where is the Realm for the manager app defined? Where is the Realm for your webapp defined? Post your server.xml so we can see it. Did you remove the Realm in server.xml? Have you made any changes to the global conf/context.xml? -Original Message- From: Propes, Barry L [mailto:barry.l.pro...@citi.com] Sent: Tuesday, March 30, 2010 9:20 AM To: 'Tomcat Users List' Subject: RE: Connecting to a Database Oh ok, I see. You've added a valve to the manager app. I probably need to do that, and have not. Thanks. -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Monday, March 29, 2010 5:38 PM To: 'Tomcat Users List' Subject: RE: Connecting to a Database If I set the DataSourceRealm in my context.xml file of my webapps/webappfldr/META-INF/ will it not allow for a later reference separately in the Tomcat manager app? Barry, I thought having a context.xml in META-INF/ was the most specific place to define a context for a webapp, in the heirarchy of Context element locations. http://tomcat.apache.org/tomcat-6.0-doc/config/context.html I have the manager webapp running. In various places in server.xml, other than adding digest, this is the standard tomcat config: GlobalNamingResources !-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -- Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources !-- This Realm uses the UserDatabase configured in the global JNDI resources under the key UserDatabase. Any edits that are performed against this UserDatabase are immediately available for use by the Realm. -- Realm className=org.apache.catalina.realm.UserDatabaseRealm digest=md5 resourceName=UserDatabase/ In webapps/manager/META-INF/context.xml: !-- Valve added to prevent access to this webapp from public computers -- Context antiResourceLocking=false debug=0 privileged=true Valve className=org.apache.catalina.valves.RemoteAddrValve allow=specific ip / /Context -Original Message- From: Propes, Barry L [mailto:barry.l.pro...@citi.com] Sent: Monday, March 29, 2010 2:41 PM To: 'Tomcat Users List' Subject: RE: Connecting to a Database And after doing this, and getting my DataSourceRealm to work properly, now I can't get the Tomcat manager app to work properly now...it references my JNDI realm reference (DataSourceRealm actually) and throws an exception. Even if I delete it out of my context.xml file (the reference) and delete the one created in the conf folder, it still tries to reference the DataSourceRealm credentials and throws an error. If I set the DataSourceRealm in my context.xml file of my webapps/webappfldr/META-INF/ will it not allow for a later reference separately in the Tomcat manager app? Reference to the tomcat-users.xml file? I'll dump out the work folder, too, but it'd be nice to have both working concurrently. I would have thought they would, but am likely mistaken. -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Friday, March 26, 2010 6:09 PM To: 'Tomcat Users List' Subject: RE: Connecting to a Database You are correct. I stumbled across that info while reading the Realm config in the DataSource Database Realm section but I wasn't looking for that when I saw it the first n times. I was looking for info about the userRoleTable. -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Friday, March 26, 2010 2:56 PM To: Tomcat Users List Subject: RE: Connecting to a Database From: Propes, Barry L [mailto:barry.l.pro...@citi.com] Subject: RE: Connecting to a Database Thanks, Leo! I've not seen instructions in the How-To (maybe I overlooked it) on the localDataSource=true attrib to the Realm in the context.xml file Unfortunately, it's not in the How-To, just in the configuration doc for Realm (which is linked to from the How-To): http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html The How-To is oriented towards server-wide authentication, so the examples all show use of a Realm in server.xml and a corresponding global resource declaration. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received
RE: Connecting to a Database
If I set the DataSourceRealm in my context.xml file of my webapps/webappfldr/META-INF/ will it not allow for a later reference separately in the Tomcat manager app? Barry, I thought having a context.xml in META-INF/ was the most specific place to define a context for a webapp, in the heirarchy of Context element locations. http://tomcat.apache.org/tomcat-6.0-doc/config/context.html I have the manager webapp running. In various places in server.xml, other than adding digest, this is the standard tomcat config: GlobalNamingResources !-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -- Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml / /GlobalNamingResources !-- This Realm uses the UserDatabase configured in the global JNDI resources under the key UserDatabase. Any edits that are performed against this UserDatabase are immediately available for use by the Realm. -- Realm className=org.apache.catalina.realm.UserDatabaseRealm digest=md5 resourceName=UserDatabase/ In webapps/manager/META-INF/context.xml: !-- Valve added to prevent access to this webapp from public computers -- Context antiResourceLocking=false debug=0 privileged=true Valve className=org.apache.catalina.valves.RemoteAddrValve allow=specific ip / /Context -Original Message- From: Propes, Barry L [mailto:barry.l.pro...@citi.com] Sent: Monday, March 29, 2010 2:41 PM To: 'Tomcat Users List' Subject: RE: Connecting to a Database And after doing this, and getting my DataSourceRealm to work properly, now I can't get the Tomcat manager app to work properly now...it references my JNDI realm reference (DataSourceRealm actually) and throws an exception. Even if I delete it out of my context.xml file (the reference) and delete the one created in the conf folder, it still tries to reference the DataSourceRealm credentials and throws an error. If I set the DataSourceRealm in my context.xml file of my webapps/webappfldr/META-INF/ will it not allow for a later reference separately in the Tomcat manager app? Reference to the tomcat-users.xml file? I'll dump out the work folder, too, but it'd be nice to have both working concurrently. I would have thought they would, but am likely mistaken. -Original Message- From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Sent: Friday, March 26, 2010 6:09 PM To: 'Tomcat Users List' Subject: RE: Connecting to a Database You are correct. I stumbled across that info while reading the Realm config in the DataSource Database Realm section but I wasn't looking for that when I saw it the first n times. I was looking for info about the userRoleTable. -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Friday, March 26, 2010 2:56 PM To: Tomcat Users List Subject: RE: Connecting to a Database From: Propes, Barry L [mailto:barry.l.pro...@citi.com] Subject: RE: Connecting to a Database Thanks, Leo! I've not seen instructions in the How-To (maybe I overlooked it) on the localDataSource=true attrib to the Realm in the context.xml file Unfortunately, it's not in the How-To, just in the configuration doc for Realm (which is linked to from the How-To): http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html The How-To is oriented towards server-wide authentication, so the examples all show use of a Realm in server.xml and a corresponding global resource declaration. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Connecting to a Database
You are correct. I stumbled across that info while reading the Realm config in the DataSource Database Realm section but I wasn't looking for that when I saw it the first n times. I was looking for info about the userRoleTable. -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Friday, March 26, 2010 2:56 PM To: Tomcat Users List Subject: RE: Connecting to a Database From: Propes, Barry L [mailto:barry.l.pro...@citi.com] Subject: RE: Connecting to a Database Thanks, Leo! I've not seen instructions in the How-To (maybe I overlooked it) on the localDataSource=true attrib to the Realm in the context.xml file Unfortunately, it's not in the How-To, just in the configuration doc for Realm (which is linked to from the How-To): http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html The How-To is oriented towards server-wide authentication, so the examples all show use of a Realm in server.xml and a corresponding global resource declaration. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Connecting to a Database
Chris, I meant to reply to this yesterday. I can digest a password and use that digested password in the tomcat-users.xml I added an md5 attribute to the user database realm in server.xml and storing the digested password in tomcat-users.xml is working. Is it not supposed to? Based on that I assumed I could digest other passwords as well. Leo -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, March 24, 2010 12:47 PM To: Tomcat Users List Subject: Re: Connecting to a Database -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leo, On 3/24/2010 1:28 PM, Leo Donahue - PLANDEVX wrote: I know you can specify digest for a Realm, but I don't see where I can do that for a Resource. Note that the digest is for hashing passwords during /user/ authentication, not connecting to the database. Do I need to leave the password of javadude in the Resource in clear text, or can it be a digested version of javadude in clear text in the Resource element? You cannot hash the db password. If you could, how would Tomcat decrypt it to make the connection? The SQL table of user passwords will be in digest, but I wasn't sure if I could use a digested password as part of the configuration for the account that connects to the authstore database. Nope. Search the archives for that question being asked repeatedly, or just think about the implications of hashing a password that you want to use later. Then, think about the implications of /two-way/ encryption for a password and I think you'll see that you're just moving the problem somewhere else. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkuqbDYACgkQ9CaO5/Lv0PBhHwCgqFQcdHypen2gtOfbtqjhd0IR CNUAoLT3Joi1rTnqvWC0wQ82Hls1zoK9 =uX5k -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Connecting to a Database
No, not sure. That is what I was confused about. JDBC Realm, vs JNDI DataSourceRealm, vs JDBC DataSource I think what was throwing me off was seeing examples of the tomcat-users in both the realm-howto and in the jndi-resources-howto I'm attempting container managed security using SQL Server. It looks like I need both a DataSourceRealm and a JDBC DataSource? Assuming I have the correct tables in the database named authstore, does this look right? ** in server.xml ** Realm className=com.microsoft.sqlserver.jdbc.SQLServerDriver dataSourceName=jdbc/authority userTable=users userNameCol=user_name userCredCol=user_pass userRoleTable=user_roles roleNameCol=role_name/ ** in META-INF/context.xml of specific webapp ** resource-ref descriptionDB Connection/description res-ref-namejdbc/authority/res-ref-name res-typejavax.sql.DataSource/res-type res-authContainer/res-auth /resource-ref ** also in META-INF/context.xml file? ** Resource name=jdbc/authority auth=Container type=javax.sql.DataSource username=javauser password=javadude driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver url=jdbc:sqlserver://localhost;database=authstore/ -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Tuesday, March 23, 2010 3:22 PM To: Tomcat Users List Subject: RE: Connecting to a Database From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] Subject: Connecting to a Database Tomcat 6.0.24 Windows Server 2003 R2 SP2 SQL Server 2005 Express Microsoft SQL Server 2005 JDBC Driver 1.2 - October 2007 I know I need to configure a Realm Are you sure? A Realm is used for authentication only, not for a webapp that accesses a database. Do you perhaps mean Resource? JDBCRealm or JNDI DataSourceRealm? If you are in fact storing credentials in SQL Server, use DataSourceRealm - it's much more robust. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Connecting to a Database
Thanks everyone. I understand this better. I know you can specify digest for a Realm, but I don't see where I can do that for a Resource. Do I need to leave the password of javadude in the Resource in clear text, or can it be a digested version of javadude in clear text in the Resource element? The SQL table of user passwords will be in digest, but I wasn't sure if I could use a digested password as part of the configuration for the account that connects to the authstore database. Leo -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, March 24, 2010 8:56 AM To: Tomcat Users List Subject: Re: Connecting to a Database -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leo, On 3/24/2010 11:43 AM, Leo Donahue - PLANDEVX wrote: No, not sure. That is what I was confused about. JDBC Realm, vs JNDI DataSourceRealm, vs JDBC DataSource A Realm is something Tomcat uses for authentication. A DataSource is an object which hands out database connections. The use of JDBC vs. JNDI is really just about how the connections are obtained: JDBCRealm manages its own JDBC connection (and is heavily synchronized, as Mark mentions: don't use it). DataSourceRealm uses a DataSource obtained via JNDI and configured via a Resource element. There is no JDBCDataSource that I know of. Recommended setup (IMHO): configure everything in META-INF/context.xml and use DataSourceRealm. No need to configure anything in server.xml and no need to configure anything at the OS level (as Mark mentioned, that's ODBC). Assuming I have the correct tables in the database named authstore, does this look right? ** in server.xml ** Realm className=com.microsoft.sqlserver.jdbc.SQLServerDriver className should be org.apache.catalina.realm.DataSourceRealm dataSourceName=jdbc/authority userTable=users userNameCol=user_name userCredCol=user_pass userRoleTable=user_roles roleNameCol=role_name/ Ok. ** in META-INF/context.xml of specific webapp ** resource-ref descriptionDB Connection/description res-ref-namejdbc/authority/res-ref-name res-typejavax.sql.DataSource/res-type res-authContainer/res-auth /resource-ref This is actually stuff for web.xml, though it is not required if you have your Resource defined in META-INF/context.xml. ** also in META-INF/context.xml file? ** Resource name=jdbc/authority auth=Container type=javax.sql.DataSource username=javauser password=javadude driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver url=jdbc:sqlserver://localhost;database=authstore/ Looks good to me. Make sure your JDBC driver JAR file is in CATALINA_BASE/lib and nowhere else. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkuqNfkACgkQ9CaO5/Lv0PAgQwCgt7UySAU4hOcZzw4oGFlEqeqM l3EAoJt8ySaQRmKKwVZbS8NytPs8HfqZ =ou3q -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Connecting to a Database
Chris, In my realm, you're saying that the digest attribute is how the password is stored in the database? Not how it is entered/translated when the user logs in. I'm using this to generate a MD5 hash of the password = password: java -classpath C:\apache-tomcat-6.0.24\lib\catalina.jar;C:\apache-tomcat-6.0.24\bin\tomcat-juli.jar org.apache.catalina.realm.RealmBase -a md5 password I don't understand why I can't authenticate with what I have. When I login and supply a username and password, I get the 401 error page. This user does have the webservicereader role. And the user's password is the same value in the database as in the dos window when I create a password of password. Page 144 of the servlet 2.5 spec speaks to the login-config Element. It doesn't list the values for realm-name, is DataSourceRealm valid? I've tried using DIGEST instead of BASIC for the auth-method, but that change doesn't make a difference, so I must have something else wrong? The only thing I haven't tried is changing the names of the tables to the names listed in the Tomcat docs. Maybe I can't use different table names for users and roles? I do have SSL enabled and I have another webapp working with Active Directory authentication - BASIC over HTTPS. This experiment is an extension of the SSL question I posted a few weeks ago. That is probably why the web.xml looks very similar. ** META-INF/context.xml: Context antiJARLocking=true path=/sample2 privileged=true !-- This Realm uses a DataSourceRealm -- Realm className=org.apache.catalina.realm.DataSourceRealm dataSourceName=jdbc/SecurityStore userTable=SECURITYSTORE_USERS userNameCol=USERNAME userCredCol=MD5PASSWORD userRoleTable=SECURITYSTORE_ROLES roleNameCol=ROLENAME digest=MD5/ resource-ref descriptionDB Connection/description res-ref-namejdbc/SecurityStore/res-ref-name res-typejavax.sql.DataSource/res-type res-authContainer/res-auth /resource-ref Resource name=jdbc/SecurityStore auth=Container type=javax.sql.DataSource username=username password=password driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver url=jdbc:sqlserver://servername;database=databasename/ /Context ** web.xml: !-- SECURITY CONSTRAINT -- security-constraint web-resource-collection web-resource-namesamplewebapp2/web-resource-name url-pattern/*/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-namewebservicereader/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint !-- LOGIN CONFIGURATION-- login-config auth-methodBASIC/auth-method realm-nameDataSourceRealm/realm-name /login-config !-- Security roles referenced by this web application -- security-role role-namewebservicereader/role-name /security-role -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, March 24, 2010 12:47 PM To: Tomcat Users List Subject: Re: Connecting to a Database -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Leo, On 3/24/2010 1:28 PM, Leo Donahue - PLANDEVX wrote: I know you can specify digest for a Realm, but I don't see where I can do that for a Resource. Note that the digest is for hashing passwords during /user/ authentication, not connecting to the database. Do I need to leave the password of javadude in the Resource in clear text, or can it be a digested version of javadude in clear text in the Resource element? You cannot hash the db password. If you could, how would Tomcat decrypt it to make the connection? The SQL table of user passwords will be in digest, but I wasn't sure if I could use a digested password as part of the configuration for the account that connects to the authstore database. Nope. Search the archives for that question being asked repeatedly, or just think about the implications of hashing a password that you want to use later. Then, think about the implications of /two-way/ encryption for a password and I think you'll see that you're just moving the problem somewhere else. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkuqbDYACgkQ9CaO5/Lv0PBhHwCgqFQcdHypen2gtOfbtqjhd0IR CNUAoLT3Joi1rTnqvWC0wQ82Hls1zoK9 =uX5k -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr