web.xml and schema location
Back in Tomcat 5, we had the problem with tomcat trying to access java.sun.com. Lots of our servers are behind firewalls, so this caused an error in the log. We realized one way to fix this was just to remove the schemaLocation attribute from the web.xml files. Below is the top of the main web.xml in Tomcat 7. I did a snoop, and it didn't seem to try to access java.sun.com this time. Has this been changed at some point? Or did I just have some error in my snoop? Thanks, Mark web-app xmlns=http://java.sun.com/xml/ns/javaee; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd; version=3.0 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: web.xml and schema location
1. Do you have validation enabled? E.g. with org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true I don't think so (but that was a long time ago). Anyway, I am glad to know that the default config does not try to contact anything and I can leave by web.xml as is. Thanks! -Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Wednesday, April 18, 2012 11:50 AM To: Tomcat Users List Subject: Re: web.xml and schema location 2012/4/18 Mark Claassen ma...@donnell.com: Back in Tomcat 5, we had the problem with tomcat trying to access java.sun.com. Lots of our servers are behind firewalls, so this caused an error in the log. We realized one way to fix this was just to remove the schemaLocation attribute from the web.xml files. Below is the top of the main web.xml in Tomcat 7. I did a snoop, and it didn't seem to try to access java.sun.com this time. Has this been changed at some point? Or did I just have some error in my snoop? 1. Do you have validation enabled? E.g. with org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true 2. Tomcat has all the necessary schemas bundled (servlet-api.jar). I do not know why it was contacting external resource in your case. web-app xmlns=http://java.sun.com/xml/ns/javaee; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd; version=3.0 Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: how to populate userPrincipal in request object
I am not sure what your exact situation here is, but the user certificate stuff is only available if Tomcat requests it. And Tomcat only does this if Tomcat is using certificate based SSL authentication. I don't believe this will work if an Apache webserver is handling the SSL negotiation. Mark -Original Message- From: shahab [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 13, 2007 9:42 AM To: users@tomcat.apache.org Subject: how to populate userPrincipal in request object Hi: Would you please let me know how can I set the userPrincipal in request Object. I am setting the Principal and roles in Subject (2 Principal object according to JAAS implementation). When i run the code in debugger, I see the Subject in reuqest null, also userPrincipal is null. Also, instead of role map in request, its updating security map. Thanx -- View this message in context: http://www.nabble.com/how-to-populate-userPrincipal-in-request-object-tf3914 736.html#a11099625 Sent from the Tomcat - User mailing list archive at Nabble.com. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Using log4J and getting rid of default logs in Tomcat 6
I would like to have all my logging go through log4J and not have the default XXX.date.log files created. Is there a way to do this? I got log4j working, as it says in the docs, but the localhost.date.log is still created and written to. From what I understand, I will need to put a log4j.properties in the admin and manager webapps to get these to go away, but I am not sure what to put in them. Has anyone done this? Is there a good on-line resource I can check? The logs I would like to get rid of, and replace with log4J managed logs are: 0 Jun 12 11:19 admin.2007-06-12.log 1585 Jun 12 11:20 catalina.2007-06-12.log 0 Jun 12 11:19 host-manager.2007-06-12.log 736 Jun 12 11:20 localhost.2007-06-12.log 0 Jun 12 11:19 manager.2007-06-12.log Thanks, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Using log4J and getting rid of default logs in Tomcat 6
As it turns out, getting rid of the old logging.properties file I had solved the problem. However, how I am not sure I am getting all the information used to be. Looking at some other examples, this seems to be the list of loggers to define. Is this correct? log4j.rootLogger=INFO, ROOT log4j.logger.org.apache.catalina=INFO, CATALINA log4j.logger.org.apache.catalina.core=INFO, CORE log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=I NFO, LOCALHOST log4j.logger.org.apache.catalina.session=INFO, SESSION Can syntax like in the logging.properties be used as well: [/host-manager] = like: log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=I NFO, MANAGER Thanks, Mark -Original Message- From: Mark Claassen [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 12, 2007 11:31 AM To: 'Tomcat Users List' Subject: Using log4J and getting rid of default logs in Tomcat 6 I would like to have all my logging go through log4J and not have the default XXX.date.log files created. Is there a way to do this? I got log4j working, as it says in the docs, but the localhost.date.log is still created and written to. From what I understand, I will need to put a log4j.properties in the admin and manager webapps to get these to go away, but I am not sure what to put in them. Has anyone done this? Is there a good on-line resource I can check? The logs I would like to get rid of, and replace with log4J managed logs are: 0 Jun 12 11:19 admin.2007-06-12.log 1585 Jun 12 11:20 catalina.2007-06-12.log 0 Jun 12 11:19 host-manager.2007-06-12.log 736 Jun 12 11:20 localhost.2007-06-12.log 0 Jun 12 11:19 manager.2007-06-12.log Thanks, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Using log4J and getting rid of default logs in Tomcat 6
Thanks for the reply. I did get some logging to work already, so I am assuming that I have it configured correctly. I did the compile of the extras and log4j 1.2. By removing the logging.properties, I got rid of the default logs, but I am not getting all the same output. I interpreted the documentation as saying that I can use log4J as long as I compile the extras. Are you saying that this still gives an incomplete picture? Mark -Original Message- From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker Sent: Tuesday, June 12, 2007 9:42 PM To: users@tomcat.apache.org Subject: Re: Using log4J and getting rid of default logs in Tomcat 6 See the note at the top of http://tomcat.apache.org/tomcat-6.0-doc/logging.html. By default, TC 6 only uses Juli for it's internal logging. Mark Claassen [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] As it turns out, getting rid of the old logging.properties file I had solved the problem. However, how I am not sure I am getting all the information used to be. Looking at some other examples, this seems to be the list of loggers to define. Is this correct? log4j.rootLogger=INFO, ROOT log4j.logger.org.apache.catalina=INFO, CATALINA log4j.logger.org.apache.catalina.core=INFO, CORE log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localh ost]=I NFO, LOCALHOST log4j.logger.org.apache.catalina.session=INFO, SESSION Can syntax like in the logging.properties be used as well: [/host-manager] = like: log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localh ost]=I NFO, MANAGER Thanks, Mark -Original Message- From: Mark Claassen [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 12, 2007 11:31 AM To: 'Tomcat Users List' Subject: Using log4J and getting rid of default logs in Tomcat 6 I would like to have all my logging go through log4J and not have the default XXX.date.log files created. Is there a way to do this? I got log4j working, as it says in the docs, but the localhost.date.log is still created and written to. From what I understand, I will need to put a log4j.properties in the admin and manager webapps to get these to go away, but I am not sure what to put in them. Has anyone done this? Is there a good on-line resource I can check? The logs I would like to get rid of, and replace with log4J managed logs are: 0 Jun 12 11:19 admin.2007-06-12.log 1585 Jun 12 11:20 catalina.2007-06-12.log 0 Jun 12 11:19 host-manager.2007-06-12.log 736 Jun 12 11:20 localhost.2007-06-12.log 0 Jun 12 11:19 manager.2007-06-12.log Thanks, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Using log4J and getting rid of default logs in Tomcat 6
Yep. And, as I said, it is working to some degree. I just want to get info from the other canned webapps in there. As well as have some certainty that I am getting what I am supposed to. -Original Message- From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker Sent: Tuesday, June 12, 2007 10:47 PM To: users@tomcat.apache.org Subject: Re: Using log4J and getting rid of default logs in Tomcat 6 Mark Claassen [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Thanks for the reply. I did get some logging to work already, so I am assuming that I have it configured correctly. I did the compile of the extras and log4j 1.2. By removing the logging.properties, I got rid of the default logs, but I am not getting all the same output. I interpreted the documentation as saying that I can use log4J as long as I compile the extras. Are you saying that this still gives an incomplete picture? I agree that the instructions are a bit sparse. Did you actually replace $CATALINA_HOME/bin/tomcat-juli.jar with the one built in extras? Mark -Original Message- From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker Sent: Tuesday, June 12, 2007 9:42 PM To: users@tomcat.apache.org Subject: Re: Using log4J and getting rid of default logs in Tomcat 6 See the note at the top of http://tomcat.apache.org/tomcat-6.0-doc/logging.html. By default, TC 6 only uses Juli for it's internal logging. Mark Claassen [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] As it turns out, getting rid of the old logging.properties file I had solved the problem. However, how I am not sure I am getting all the information used to be. Looking at some other examples, this seems to be the list of loggers to define. Is this correct? log4j.rootLogger=INFO, ROOT log4j.logger.org.apache.catalina=INFO, CATALINA log4j.logger.org.apache.catalina.core=INFO, CORE log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[local h ost]=I NFO, LOCALHOST log4j.logger.org.apache.catalina.session=INFO, SESSION Can syntax like in the logging.properties be used as well: [/host-manager] = like: log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[local h ost]=I NFO, MANAGER Thanks, Mark -Original Message- From: Mark Claassen [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 12, 2007 11:31 AM To: 'Tomcat Users List' Subject: Using log4J and getting rid of default logs in Tomcat 6 I would like to have all my logging go through log4J and not have the default XXX.date.log files created. Is there a way to do this? I got log4j working, as it says in the docs, but the localhost.date.log is still created and written to. From what I understand, I will need to put a log4j.properties in the admin and manager webapps to get these to go away, but I am not sure what to put in them. Has anyone done this? Is there a good on-line resource I can check? The logs I would like to get rid of, and replace with log4J managed logs are: 0 Jun 12 11:19 admin.2007-06-12.log 1585 Jun 12 11:20 catalina.2007-06-12.log 0 Jun 12 11:19 host-manager.2007-06-12.log 736 Jun 12 11:20 localhost.2007-06-12.log 0 Jun 12 11:19 manager.2007-06-12.log Thanks, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Reloading keystore - how to register a new TrusStore Manager for Tomcat?
Humm. I don't think this is how the certificate system is supposed to be used. The intention is that the truststore handles certificates authorities you trust. For an example, let's switch to the browser. Browsers generally trust Verisgn and Thwart out of the box. You can see these certificates in your browser's options pages. So, let's say you go to amazon.com. Amazon will have a certificate that was created for them by, say, Verisign. Your browser will get the amazon certificate and see that it was created by verisign. Since your browser already trusts verisign, it will trust that amazon is who it says it is. (Verifying identity is the certificate's primary function.) Tomcat works the same way. So, in your case, maybe you want to create your own certificate and put it into your truststore. Then, as you create certificates for other's, you create them based on the certificate you loaded into your truststore. Since Tomcat already trusts this one, all the certificates you create and give to others will also be trusted...no reconfiguration necessary. Mark Some helpful links: http://www.tc.umn.edu/~brams006/selfsign.html http://www.openssl.org/docs/apps/x509.html http://www.openssl.org/docs/apps/pkcs12.html -Original Message- From: Ronald Spiers [mailto:[EMAIL PROTECTED] Sent: Monday, June 11, 2007 10:21 AM To: users@tomcat.apache.org Subject: Reloading keystore - how to register a new TrusStore Manager for Tomcat? Hi, I am preparing a self enrollment webapp for generating client certificates and adding them to the server keystore. I know that Tomcat won't reload keystore unless the server is restarted, so I did look for alternatives, and the JSSE guide explains an approach to this in the section Creating Your Own X509TrustManager. My question is: Does anybody in this list have some experience solving this problem?, providing tomcat a custom trust manager to dynamically add a client certificate to the verification path when client credentials are presented? Can self-enrollment be done using Tomcat and JSSE? maybe it can't be done I am just wasting my time ;) I have searched a lot in the last 3 days, tomcat list archives and other materials, I have not found a single solution to this problem, except for the JSSE guide and this article, that explains how to create a trustManager and a SSLContext for implementing S/MIME with JavaMail: * http://www.javaworld.com/javatips/jw-javatip115.html Thanks a lot for any feedback you can provide. Regards, Martin - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Reloading keystore - how to register a new TrusStore Manager for Tomcat?
I would have thought that the Java APIs would have allowed you to do this. As far as openssl in concerned, it is just command line stuff, so you can always use the Runtime.exec() to run openssl. I think there is a -dname option for openssl so you can just put the cert request answers on the command-line as well, and not have to answer these through standardin/standardout. Good luck. -Original Message- From: Ronald Spiers [mailto:[EMAIL PROTECTED] Sent: Monday, June 11, 2007 11:15 AM To: Tomcat Users List Subject: Re: Reloading keystore - how to register a new TrusStore Manager for Tomcat? Hi Mark, thans a lot for your comments. The problem is that I found a way to generate via API a PKCS12 keystore for my client, but it won't be based on my server's certificate. I could not find a way to auto-enroll users using openssl and Java, I mean control openssl commands from Java to create PKCS12 keystores they can import, already signed by my server certificate, so that my server will trust in them without having to reload the Truststore (if I understood well you last paragraph). That's why I was looking into this problem, once I was able to create these clients certificates via API ( CertAndKeyGen.getSelfCertificate() ) and store the client certificates into my truststore, I thought the natural next step was to reload the truststore in some way, because these certificates are not linked to my server-certificate and the server must verify them. It seems I have to resort to openssl to sign them with my server's certificate, but I don't know how to do that programatically with Java. I searched the tomcat archives and found that others comfronted this problem and probably shared my misconception of the certificate system, but no one reported it as solved, either by doing it the right way via openssl or finally implementing a trustManager, or something like that using JSSE APIs (which is what I would prefer). Thanks for the links anyway, if you have some resource about controlling the process via openssl with Java, please share it with me. Regards. On 6/11/07, Mark Claassen [EMAIL PROTECTED] wrote: Humm. I don't think this is how the certificate system is supposed to be used. The intention is that the truststore handles certificates authorities you trust. For an example, let's switch to the browser. Browsers generally trust Verisgn and Thwart out of the box. You can see these certificates in your browser's options pages. So, let's say you go to amazon.com. Amazon will have a certificate that was created for them by, say, Verisign. Your browser will get the amazon certificate and see that it was created by verisign. Since your browser already trusts verisign, it will trust that amazon is who it says it is. (Verifying identity is the certificate's primary function.) Tomcat works the same way. So, in your case, maybe you want to create your own certificate and put it into your truststore. Then, as you create certificates for other's, you create them based on the certificate you loaded into your truststore. Since Tomcat already trusts this one, all the certificates you create and give to others will also be trusted...no reconfiguration necessary. Mark Some helpful links: http://www.tc.umn.edu/~brams006/selfsign.html http://www.openssl.org/docs/apps/x509.html http://www.openssl.org/docs/apps/pkcs12.html -Original Message- From: Ronald Spiers [mailto:[EMAIL PROTECTED] Sent: Monday, June 11, 2007 10:21 AM To: users@tomcat.apache.org Subject: Reloading keystore - how to register a new TrusStore Manager for Tomcat? Hi, I am preparing a self enrollment webapp for generating client certificates and adding them to the server keystore. I know that Tomcat won't reload keystore unless the server is restarted, so I did look for alternatives, and the JSSE guide explains an approach to this in the section Creating Your Own X509TrustManager. My question is: Does anybody in this list have some experience solving this problem?, providing tomcat a custom trust manager to dynamically add a client certificate to the verification path when client credentials are presented? Can self-enrollment be done using Tomcat and JSSE? maybe it can't be done I am just wasting my time ;) I have searched a lot in the last 3 days, tomcat list archives and other materials, I have not found a single solution to this problem, except for the JSSE guide and this article, that explains how to create a trustManager and a SSLContext for implementing S/MIME with JavaMail: * http://www.javaworld.com/javatips/jw-javatip115.html Thanks a lot for any feedback you can provide. Regards, Martin - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED
RE: Using Javac instead of JDT to compile JSPs
Thanks, that seems to have work! -Original Message- From: Lakshmi Venkataraman [mailto:[EMAIL PROTECTED] Sent: Friday, June 08, 2007 7:41 PM To: Tomcat Users List Subject: RE: Using Javac instead of JDT to compile JSPs I have been successfully using something other than Jasper in my development enviroment. This is what I did: 1) Remove jasper-compiler-jdt.jar from CATALINA_HOME/common/lib 2) Add JDK_HOME/lib/tools.jar in CATALINA_HOME/common/lib 3) Add ant.jar also to CATALINA_HOME/common/lib. The ant.jat that was compatible with Tomcat5.5.23 was apache-ant-1.6/lib/ant.jar 4) Make sure the application specific web.xml does NOT have any servlet and servlet-name MAPPINGS for the JSPs that need to be compiled on the fly. If these mappings exist, Tomcat 5.5.23 tries to look for precompiled classes. 5) In my CATALINA_HOME/conf/web.xml which is the global web.xml, I have the following to enable compilation. servlet servlet-namejsp/servlet-name servlet-classorg.apache.jasper.servlet.JspServlet/servlet-class init-param param-namefork/param-name param-valuefalse/param-value /init-param init-param param-namexpoweredBy/param-name param-valuefalse/param-value /init-param init-param param-namecompilerTargetVM/param-name param-value1.5/param-value /init-param init-param param-namecompilerSourceVM/param-name param-value1.5/param-value /init-param load-on-startup3/load-on-startup /servlet Hope that helps Lakshmi -Original Message- From: Mark Claassen [mailto:[EMAIL PROTECTED] Sent: Friday, June 08, 2007 9:29 AM To: 'Tomcat Users List' Subject: Using Javac instead of JDT to compile JSPs Has anyone tried to get the jasper compiler to be something other than the JDT? I tried several things, each of them not working. The docs say an alternative compiler can be specified, but makes no mention of how to specify it. This seems to be controlled by settings in the web.xml. Below is a part of my web.xml from my latest try (which failed). Thanks, Mark web.xml section --- servlet servlet-namejsp/servlet-name servlet-classorg.apache.jasper.servlet.JspServlet/servlet-class init-param param-namecompiler/param-name param-valuecom.sun.tools.javac.main.JavaCompiler/param-value /init-param init-param param-namefork/param-name param-valuetrue/param-value /init-param init-param param-namexpoweredBy/param-name param-valuefalse/param-value /init-param load-on-startup3/load-on-startup /servlet - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Using Javac instead of JDT to compile JSPs
Has anyone tried to get the jasper compiler to be something other than the JDT? I tried several things, each of them not working. The docs say an alternative compiler can be specified, but makes no mention of how to specify it. This seems to be controlled by settings in the web.xml. Below is a part of my web.xml from my latest try (which failed). Thanks, Mark web.xml section --- servlet servlet-namejsp/servlet-name servlet-classorg.apache.jasper.servlet.JspServlet/servlet-class init-param param-namecompiler/param-name param-valuecom.sun.tools.javac.main.JavaCompiler/param-value /init-param init-param param-namefork/param-name param-valuetrue/param-value /init-param init-param param-namexpoweredBy/param-name param-valuefalse/param-value /init-param load-on-startup3/load-on-startup /servlet - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Using Javac instead of JDT to compile JSPs
Thanks for your help, and I didn't mean to raise anyone's ire. I did read the docs, but started to loose confidence when it was not working. The part of the documentation that is missing is the specification of the param-value. Is this param-value supposed to be a java class, an executable, or something else? I had: param-valuecom.sun.tools.javac.main.JavaCompiler/param-value You didn't seems to have an issue with this parameter being a class, so I am going on the assumption that this is correct. So, now maybe my problem is my setup of the classpath. I was thinking that just putting the tools.jar in the lib directory would be sufficient for a test. This did not work. I then added it manually to the CLASSPATH variable in the setclasspath.sh to ensure it is set. Yet, I still get a: java.lang.IllegalStateException: No Java compiler available org.apache.jasper.JspCompilationContext.createCompiler(JspCompilationContext .java:229) One of my servlets prints out the classpath, and it shows : java.class.path=/opt/OCIEsys/tomcat/DEV_04_07/bin/java/lib/tools/jar::/ocie/ tests/OCIEsys/to mcat/DEV_04_07/bin/bootstrap.jar:/ocie/tests/OCIEsys/tomcat/DEV_04_07/bin/co mmons-logging-api.jar Thanks again, Mark -Original Message- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: Friday, June 08, 2007 1:10 PM To: Tomcat Users List Subject: RE: Using Javac instead of JDT to compile JSPs From: Mark Claassen [mailto:[EMAIL PROTECTED] Subject: Using Javac instead of JDT to compile JSPs The docs say an alternative compiler can be specified, but makes no mention of how to specify it. Actually, the docs say this: The servlet which implements Jasper is configured using init parameters in your global $CATALINA_BASE/conf/web.xml. * compiler - Which compiler Ant should use to compile JSP pages. See the Ant documentation for more information. If the value is not set, then the default Eclipse JDT Java compiler will be used instead of using Ant. No default value. This seems to be controlled by settings in the web.xml. As explicitly stated in the doc. param-valuecom.sun.tools.javac.main.JavaCompiler/param-value [Note for Mark T:] If you're running on Windows, there's a bug in the Tomcat 6.0.13 setclasspath.bat script which checks for tools.jar in the wrong place. You'll need to include the tools.jar location explicitly in your CLASSPATH environment variable. (The problem does not exist in the .sh version.) - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Using Javac instead of JDT to compile JSPs
I noted the capitalization before, but not the missing part of the package. Here it is now. init-param param-namecompiler/param-name param-valuecom.sun.tools.javac.Main/param-value /init-param It still doesn't work. I removed the jasper-jdt.jar again as well. If I leave it, it doesn't matter what value I state...it always works. Because of this, I was wondering if it is even reading the compiler parameter at all. Mark -Original Message- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: Friday, June 08, 2007 2:59 PM To: Tomcat Users List Subject: RE: Using Javac instead of JDT to compile JSPs From: Mark Claassen [mailto:[EMAIL PROTECTED] Subject: RE: Using Javac instead of JDT to compile JSPs Even with this fix, neither of the values below worked. param-valuecom.sun.tools.javac.main.Main/param-value Again, that's not the right class; from the previous message: Try just com.sun.tools.javac.Main instead (note capitalization). - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Using Javac instead of JDT to compile JSPs
When using Main. This is in the localhost.log -- SEVERE: Servlet.service() for servlet jsp threw exception java.lang.ClassCastException: com.sun.tools.javac.Main at org.apache.jasper.JspCompilationContext.createCompiler(JspCompilationContext .java:238) at org.apache.jasper.JspCompilationContext.createCompiler(JspCompilationContext .java:214) at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:5 61) When using main.JavaCompiler. This is in catalina.out -- WARNING: No Java compiler available java.lang.InstantiationException: com.sun.tools.javac.main.JavaCompiler When using main.Main . This is in catalina.out -- WARNING: No Java compiler available java.lang.InstantiationException: com.sun.tools.javac.main.Main Looking at the source, the Compiler needs to be a: org.apache.jasper.compiler.Compiler, which, clearly, javac is not. So maybe I need to use the AntCompiler (I have no idea what this is currently), and have it call javac. This is all looking like it may not be worth it. Still, I may investigate it further this weekend. -Original Message- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: Friday, June 08, 2007 4:23 PM To: Tomcat Users List Subject: RE: Using Javac instead of JDT to compile JSPs From: Mark Claassen [mailto:[EMAIL PROTECTED] Subject: RE: Using Javac instead of JDT to compile JSPs param-namecompiler/param-name Looking at the code in org.apache.jasper.EmbeddedServletOptions, it appears the parameter name should be compilerClassName rather than compiler. If compilerClassName is null, the following somewhat odd code in org.apache.jasper.JspCompilationContext is executed: if (options.getCompiler() == null) { jspCompiler = createCompiler(org.apache.jasper.compiler.JDTCompiler); if (jspCompiler == null) { jspCompiler = createCompiler(org.apache.jasper.compiler.AntCompiler); } } else { jspCompiler = createCompiler(org.apache.jasper.compiler.AntCompiler); if (jspCompiler == null) { jspCompiler = createCompiler(org.apache.jasper.compiler.JDTCompiler); } } It appears the value of compiler is ignored, which explains why the JDT compiler keeps getting used. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat and OCSP
Now that I see Tomcat 6.0 is on it's way, I was wondering if OCSP is going to be included? This is being required by more and more people these days (like the US government). If there are no plans to include it yet, how can this issue be escalated? I see that OCSP support is bundled into the new JDKs, does this mean that it would not be too difficult for an enterprising (and desperate) developer to tackle? Mark -Original Message- From: Velpi [mailto:[EMAIL PROTECTED] Sent: Monday, July 31, 2006 4:33 AM To: Tomcat Users List Subject: Re: Tomcat and OCSP Does the new support for OCSP in Java 5.0 have any impact on how certificates are handled in Tomcat? http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html It looks like it might just work if it is set up right in the java property files. I checked the mailing list archives and found a few old references to OCSP, but nothing definitive. Any guidance would be greatly appreciated. I'm trying to set this up too. Did you get it up and running properly yet? (any hints?) -- Velpi - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Random HTTP 502 errors
I was wondering if this is just caused by Tomcat closing the socket before the proxy finished reading the message. Is there a way to set the LINGER on these sockets? It still seems a big strange to me that the LINGER could be a problem, since there are no problems when not using the proxy. If it was the LINGER I would expect that our Java client would have problems too. Still, it is something I can look in to, as I am currently at a loss for any other theories. Lastly, setting the debug level in a connector does not seem to do anything for me. What is the secret to getting debug output on the connectors? Mark -Original Message- From: Mark Claassen [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 18, 2006 5:04 PM To: 'Tomcat Users List' Subject: Random HTTP 502 errors I was wondering if anyone could shed some light on some strange 502 errors I am having when going through a proxy. We are using a relatively new proxy server Sun-Java-System-Web-Proxy-Server/4.0 The error seems to be originating between Tomcat and the proxy. When the error occurs, the proxy logs say: Error reading response header. Server closed connection. On a thousand rapid requests from a client thread, I will get this only 0 - 3 times. If I send the response header Connection: close on every request from my servlet, I do not get the error. However, I do not want to disable persistent connections. I did a snoop, and I noticed that the responses I get (on the same socket) a bunch of replies with this header: HTTP/1.1 200 OK Transfer-Encoding: chunked Date: Tue, 18 Jul 2006 19:35:12 GMT Server: Apache-Coyote/1.1 On the last one for a given socket, HTTP/1.1 200 OK Date: Tue, 18 Jul 2006 19:35:12 GMT Server: Apache-Coyote/1.1 Connection: close Any guidance or insight would be greatly appreciated. Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat and OCSP
Does anyone have any experience with this? -Original Message- From: Mark Claassen [mailto:[EMAIL PROTECTED] Sent: Thursday, July 13, 2006 12:26 PM To: users@tomcat.apache.org Subject: Tomcat and OCSP Does the new support for OCSP in Java 5.0 have any impact on how certificates are handled in Tomcat? http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html It looks like it might just work if it is set up right in the java property files. I checked the mailing list archives and found a few old references to OCSP, but nothing definitive. Any guidance would be greatly appreciated. Thanks, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat and OCSP
Does the new support for OCSP in Java 5.0 have any impact on how certificates are handled in Tomcat? http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html It looks like it might just work if it is set up right in the java property files. I checked the mailing list archives and found a few old references to OCSP, but nothing definitive. Any guidance would be greatly appreciated. Thanks, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Restricting access to localhost for an HTTP connector - Email has different SMTP TO: and MIME TO: fields in the email addresses
Thanks for all your help and I have gotten it to work. It seems to be, however, dependant on the name it is being access by. I was hoping that I could just put 127.0.0.1 in there and then it would only accept connections from the local machine. It turns out that doing this only accepts connections that come in with this name. To clarify what I mean, here is an example: Say Tomcat is on a machine called TestMachine. If I put 127.0.0.1 in the address field, it accepts connections of the form http: //127.0.0.1/... only It does not accept connections from http: //TestMachine/..., even though the server is this same machine. I was hoping that it would accept all connections from the local machine, regardless of what the connection was called. Is there a way to do this? Is this be design? Can IP spoofing get around this protection? Mark -Original Message- From: Leo Donahue - PLANDEVX [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 2:13 PM To: Tomcat Users List Subject: RE: [SPAM:] - RE: Restricting access to localhost for an HTTP connector - Email has different SMTP TO: and MIME TO: fields in the email addresses In your server.xml you will add an address element and specify it as: 127.0.0.1 !-- Define a non-SSL Coyote HTTP/1.1 Connector on the port specified during installation -- Connector address=127.0.0.1 port=8080 maxThreads=150 minSpareThreads=25 maxSpareThreads=75 enableLookups=false redirectPort=8443 acceptCount=100 debug=0 connectionTimeout=2 disableUploadTimeout=true / Leo From: Mark Claassen [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 10:51 AM To: 'Tomcat Users List' Subject: [SPAM:] - RE: Restricting access to localhost for an HTTP connector - Email has different SMTP TO: and MIME TO: fields in the email addresses Thanks. I thought I heard that it was possible though the address, but was not sure. I read this in the docs, but I guess I didn't / don't understand the short explanation of address. From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 1:24 PM To: Tomcat Users List Subject: Re: Restricting access to localhost for an HTTP connector yes, you can bind the connector the 127.0.0.1, meaning it will only listen on that address use the address attribute in the connector http://tomcat.apache.org/tomcat-5.5-doc/config/http.html Mark Claassen wrote: Is there to configure an HTTP Connector to only allow connections from localhost? We have a server that has an HTTPS port that handles all public access. However, we would like to leave a non SSL port open for a monitoring program we have running on the same machine. We would like to not allow anyone else to be able to access the non-SSL port. I know that the apache webserver has mechanism to do this, but I was wondering if a standalone tomcat could also do what we need. Thanks, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Filip Hanik - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Restricting access to localhost for an HTTP connector - Email has different SMTP TO: and MIME TO: fields in the email addresses
We do have something similar to your first example. 127.0.0.1 localhost 192.168.0.2 testmachine.domain.com testmachine So we can probably move testmachine like you did. But does this mean that accesses by testmachine.domain.com will not comply? I was just hoping that the restriction would be based on some intrinsic information and not just on the name that was used. Providing I don't let anyone hack into my /etc/hosts file, can this be spoofed? Mark -Original Message- From: Andrew Miehs [mailto:[EMAIL PROTECTED] Sent: Monday, June 12, 2006 9:17 AM To: Tomcat Users List Subject: Re: Restricting access to localhost for an HTTP connector - Email has different SMTP TO: and MIME TO: fields in the email addresses @Mark, as Peter wrote, have a look in /etc/hosts. It probably looks like 127.0.0.1 localhost 192.168.0.2 testmachine.domain.com testmachine You should change this to 127.0.0.1 localhost testmachine 192.168.0.2 testmachine.domain.com Just be careful if you are using Solaris - you may end up configuring your ethernet to 127.0.0.1 if you have not used a fully qualified domain name in / etc/hostname.interfacename Regards Andrew On 12/06/2006, at 3:08 PM, Peter Crowther wrote: From: Mark Claassen [mailto:[EMAIL PROTECTED] Say Tomcat is on a machine called TestMachine. If I put 127.0.0.1 in the address field, it accepts connections of the form http: //127.0.0.1/... only It does not accept connections from http: //TestMachine/..., even though the server is this same machine. I was hoping that it would accept all connections from the local machine, regardless of what the connection was called. Is there a way to do this? Yes. Add '127.0.0.1 TestMachine' into testmachine's /etc/hosts file. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Restricting access to localhost for an HTTP connector - Email has different SMTP TO: and MIME TO: fields in the email addresses
Thanks, I think this answers my questions -Original Message- From: Peter Crowther [mailto:[EMAIL PROTECTED] Sent: Monday, June 12, 2006 9:08 AM To: Tomcat Users List Subject: RE: Restricting access to localhost for an HTTP connector - Email has different SMTP TO: and MIME TO: fields in the email addresses From: Mark Claassen [mailto:[EMAIL PROTECTED] Say Tomcat is on a machine called TestMachine. If I put 127.0.0.1 in the address field, it accepts connections of the form http: //127.0.0.1/... only It does not accept connections from http: //TestMachine/..., even though the server is this same machine. I was hoping that it would accept all connections from the local machine, regardless of what the connection was called. Is there a way to do this? Yes. Add '127.0.0.1 TestMachine' into testmachine's /etc/hosts file. Is this be design? Yes - IP design. If you make a connection to an IP address, the receiving socket must be bound to that IP address. If the name TestMachine maps to (say) 10.0.0.1, the IP stack will make the outbound connection to 10.0.0.1:80. But here you've elected not to bind the socket to 10.0.0.1:80, so the inbound connection will fail. Can IP spoofing get around this protection? Not trivially, as you have to spoof the destination IP address, not the source. I wouldn't like to spoof it over the Internet - you'd have to compromise each router by some means. Yes on the same subnet, by obtaining the MAC address for one of TestMachine's network adapters and crafting an IP datagram with a forged destination address. This could be protected against by the input policy on the adapter blocking datagrams with a 127.0.0.1 destination address - or, in fact, any address other than one of the legitimate IP addresses bound to that adapter (plus any multicasts you use). - Peter - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Restricting access to localhost for an HTTP connector
Is there to configure an HTTP Connector to only allow connections from localhost? We have a server that has an HTTPS port that handles all public access. However, we would like to leave a non SSL port open for a monitoring program we have running on the same machine. We would like to not allow anyone else to be able to access the non-SSL port. I know that the apache webserver has mechanism to do this, but I was wondering if a standalone tomcat could also do what we need. Thanks, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Restricting access to localhost for an HTTP connector
Thanks. I thought I heard that it was possible though the address, but was not sure. I read this in the docs, but I guess I didn't / don't understand the short explanation of "address". From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 1:24 PMTo: Tomcat Users ListSubject: Re: Restricting access to localhost for an HTTP connector yes, you can bind the connector the 127.0.0.1, meaning it will only listen on that addressuse the "address" attribute in the connector http://tomcat.apache.org/tomcat-5.5-doc/config/http.htmlMark Claassen wrote: Is there to configure an HTTP Connector to only allow connections from localhost? We have a server that has an HTTPS port that handles all public access. However, we would like to leave a non SSL port open for a monitoring program we have running on the same machine. We would like to not allow anyone else to be able to access the non-SSL port. I know that the apache webserver has mechanism to do this, but I was wondering if a standalone tomcat could also do what we need. Thanks, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Filip Hanik