Re: HttpOnly
On 12/06/2012 06:57, Caldarale, Charles R wrote:

>> From: N.s.Karthik [mailto:nskarthi...@gmail.com]
>> Subject: HttpOnly
>>
>> Tomcat 6.0.10 For some specific Reason We use Tomcat 6.0.10 for Dev/Deploy in INTRANET.
>
> Sorry, but there is simply no excuse for using a version of Tomcat that's over five years old.

There may be a sound business rationale for using old versions of software. Tomcat 5.5.9, for example, works as well now as it did when it was judged ready to be a stable release. If there are no bugs or missing features in it which affect the security or functionality of an application, then there is no benefit from upgrading, but there will be costs and risks:

* downtime and manpower for the upgrade
* recommissioning/retesting: unless *all* acceptance tests are automated, this can be far more expensive than deploying the upgrade
* risk of introducing new bugs in new code

In general, older software is better understood and less risky than new software, and if it meets requirements, is preferable.

Paul Singleton

> Note that the value of the useHttpOnly attribute for the <Context> element is false in 6.0.x, but true in 7.0.x. Whether or not the attribute even exists on such an ancient level of Tomcat is something you'll have to look up yourself. Try a current version and see if the issue persists.
>
> - Chuck
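A way to confirm what the useHttpOnly setting discussed above actually produces on the wire, as an added example that is not part of the thread or of Tomcat: it inspects Set-Cookie values and reports whether the session cookie carries the HttpOnly attribute. The class name, the sample header values and the `/myapp` path are constructed for illustration; JSESSIONID is the session cookie name used elsewhere on this page.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added example. The setting under test is the Context attribute named in the
// message, e.g. in context.xml:  <Context useHttpOnly="true"> ... </Context>
public class SessionCookieCheck {

    static final String SESSION_COOKIE = "JSESSIONID";

    /** What this check needs to know about one Set-Cookie header. */
    static final class Finding {
        final String cookieName;
        final boolean httpOnly;
        Finding(String cookieName, boolean httpOnly) {
            this.cookieName = cookieName;
            this.httpOnly = httpOnly;
        }
    }

    /** Parses one Set-Cookie value; returns null if it has no name=value pair. */
    static Finding inspect(String setCookieValue) {
        String[] parts = setCookieValue.split(";");
        int eq = parts[0].indexOf('=');
        if (eq <= 0) {
            return null;
        }
        String name = parts[0].substring(0, eq).trim();
        boolean httpOnly = false;
        for (int i = 1; i < parts.length; i++) {
            // Attribute names are case-insensitive and HttpOnly carries no value.
            if (parts[i].trim().toLowerCase(Locale.ROOT).equals("httponly")) {
                httpOnly = true;
            }
        }
        return new Finding(name, httpOnly);
    }

    /** Returns the session-cookie headers that lack HttpOnly. */
    static List<String> sessionCookiesWithoutHttpOnly(List<String> setCookieValues) {
        List<String> bad = new ArrayList<String>();
        for (String value : setCookieValues) {
            Finding f = inspect(value);
            if (f != null && f.cookieName.equals(SESSION_COOKIE) && !f.httpOnly) {
                bad.add(value);
            }
        }
        return bad;
    }

    /** Collects Set-Cookie values from a live response of a server you run. */
    static List<String> fetchSetCookies(String url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setInstanceFollowRedirects(false);
        List<String> out = new ArrayList<String>();
        for (Map.Entry<String, List<String>> h : c.getHeaderFields().entrySet()) {
            // The status line is stored under a null key; header names vary in case.
            if (h.getKey() != null && h.getKey().equalsIgnoreCase("Set-Cookie")) {
                out.addAll(h.getValue());
            }
        }
        c.disconnect();
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample headers: the first has no HttpOnly attribute, the
        // second has it, the third is an unrelated cookie and is ignored.
        List<String> headers = args.length > 0 ? fetchSetCookies(args[0])
            : Arrays.asList(
                "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/myapp",
                "JSESSIONID=FEDCBA9876543210FEDCBA9876543210; Path=/myapp; HttpOnly",
                "theme=dark; Path=/");
        List<String> bad = sessionCookiesWithoutHttpOnly(headers);
        for (String value : bad) {
            System.out.println("session cookie without HttpOnly: " + value);
        }
        System.out.println(bad.size() + " of " + headers.size()
            + " Set-Cookie header(s) set " + SESSION_COOKIE + " without HttpOnly");
        if (!bad.isEmpty()) {
            System.exit(1);
        }
    }
}
```

Run with no arguments it checks the constructed headers; given the URL of a page that creates a session, it checks that response instead.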
Re: Links not resolving to their correct path in TC 7.0.27
On 15/05/2012 15:08, Christopher Schultz wrote:

> On 5/15/12 5:00 AM, André Warnier wrote:
>> Personal opinion: Base tags are evil. They create all kinds of issues when you move the app, or change your server configuration. There shouldn't be any real reason to use them, if your app is structured properly. Relative paths should work.
>
> +1
>
> I only just found out in the last few months that URIs within a CSS are /relative to the URI of the CSS/ which blew my mind and, honestly, makes total sense.

A JSP developer needs to know how (and when) references are resolved in at least these cases:

    <%@ include file="foo" ...
    <%@ include file="/foo" ...
    <%@ page errorPage="foo" ...
    <%@ page errorPage="/foo" ...
    <%@ taglib uri="foo" ...
    <%@ taglib uri="/foo" ...
    <jsp:forward page="foo" ...
    <jsp:forward page="/foo" ...
    <jsp:include page="foo" ...
    <jsp:include page="/foo" ...
    <link href="foo" ...
    <link href="/foo" ...
    <script src="foo" ...
    <script src="/foo" ...
    <img src="foo" ...
    <img src="/foo" ...
    <style type="text/css"> p { background:url(foo) } ...
    <style type="text/css"> p { background:url(/foo) } ...

[surely there are more, e.g. within in-page JavaScript?]

What *nix minds think of as an absolute path e.g. /foo is just relative to something other than what foo is relative to.

I'll try to find a small prize for whoever is first to provide links to clear, definitive documentation of how each case above resolves ;-)

> I can't see a really good reason to use a <base> tag these days unless you want fully-qualified paths for all URLs and want to save on bandwidth or something like that.

We found one, but if you are just using <base> empirically, to make things work when you don't really understand relative paths, then it's probably worth time spent figuring out how to manage without it.

Paul Singleton
distinct HTTPS sites at distinct ports within same IP?
Is it feasible, under any Tomcat version, to offer two or more apps via HTTPS (with own domains certificates) on different port numbers at a single IPv4 address?

I envisage name-based-virtual-server HTTP apps at port 80 which 302-redirect non-SSL requests to the corresponding port-specific HTTPS app, on the optimistic assumption that no-one these days actually types e.g.

    https://my-secure-app.megacorp.com

just

    my-secure-app.megacorp.com

Is this a really cheesy idea? Have I missed something obvious?

Paul Singleton
Re: Initializing webapps in a certain order
On 14/03/2012 01:37, Caldarale, Charles R wrote:

>> From: Warren Bell [mailto:warrenbe...@gmail.com]
>> Subject: Initializing webapps in a certain order
>>
>> Can you initialize webapps in a certain order ?
>
> Read the FAQ: http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q27
>
> The primary reason is that the servlet spec requires that each webapp be self-contained and independent.
>
>> I have two apps, app1 and app2. app2 needs to access app1 during app2's initialization. I need app1 to be initialized first and be done before app2 starts to initialize.
>
> Sounds like a bad plan.

Sounds reasonable to me, that one service be designed to make use of another service ;-)

We have OS services with explicit start-up dependencies, e.g. an issue tracking system which uses an RDBMS, and I'd expect to be able to do this with webapps.

> If the apps are so tightly coupled, why aren't they just one webapp?

The dependency Warren describes doesn't imply tightly coupled, and one possible reason they aren't one webapp is that they come from different vendors.

Does the servlet spec require that no web app may use the services of another web app?

Is a servlet spec implementation free to enable startup sequence to be defined?

Paul Singleton
Apache Tomcat Native library
My standalone Tomcat 6 informs me, at startup, that

    The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path:...

Does this library offer any benefit to standalone systems, or is it purely for use with Apache httpd + Tomcat?

Paul Singleton
Re: session id cookies
Bill Barker wrote:

> Paul Singleton [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> If I set <Context cookies="false" ...> will Tomcat ignore any JSESSIONID cookie which accompanies a request? Should it?
>
> With any of the released versions, it won't ignore the cookie if the browser sends one. There is a patch in the SVN that causes at least TC 6 to ignore the cookie, but it seems to be buggy. More info at http://issues.apache.org/bugzilla/show_bug.cgi?id=43839.
>
> As to should, IMHO the cookies=false should be more of a hint (like in the released versions of Tomcat), but I'm in the minority here.

Thanks for the info. We were experimenting with a wholly URL-encoding version of an app (this appeals for various reasons) but on switching between them, found that a left-over session cookie broke the no cookies version.

Given the long-established, disputed behaviour of the cookies attribute, we'd be happy with an additional cookiesIgnore attribute (and no change to cookies)

Paul S.
session id cookies
If I set <Context cookies="false" ...> will Tomcat ignore any JSESSIONID cookie which accompanies a request? Should it?

Paul Singleton
Re: Generating a 404 response
[EMAIL PROTECTED] wrote:

> See Thread at: http://www.techienuggets.com/Detail?tx=12338
> Posted on behalf of a User
>
> I have a J2EE application residing on Tomcat. The pages are dynamically generated. If a user enters an invalid request I redirect him to a generic error page (which isn't really an error page but just a jsp that displays a message and allows a redirect back to the site's main page). I would like to return a status of 404 from this page but because the page gets served properly I am returning a status of 200. The problem with this is that my error page then gets indexed by search engines. Any advice on how to tackle this?

Servlet docs suggest you can nominate your JSP as an error page for status 404 - in Tomcat you could put this in conf/web.xml (after <welcome-file-list>)

    <error-page>
      <error-code>404</error-code>
      <location>/my_error_404.jsp</location>
    </error-page>

then if you call

    response.sendError(404, "")

when your app decides the request isn't sensible, this page will be used. I haven't tried this.

Paul Singleton
Re: Generating a 404 response
[EMAIL PROTECTED] wrote:

> See Thread at: http://www.techienuggets.com/Detail?tx=12338
> Posted on behalf of a User
>
> It didn't work. I got a 500 later in my code. Here's what I did:
>
>     if (detail.size() > 0) {
>         dbutil = new DBUtil(getServletConfig().getInitParameter(Constants.JNDI_NAME));
>         dbutil.executeNoResults(updateSql);
>         dbutil.cleanup();
>         session.setAttribute("title", title);
>         session.setAttribute("desc", title);
>         session.setAttribute("keywords", keywords);
>         dispatcher = getServletContext().getRequestDispatcher("/displayArticle.jsp");
>     }
>     else
>         response.sendError(404, "");
>     // dispatcher = getServletContext().getRequestDispatcher("/404.jsp");
>
> Notice I commented out the code that would later dispatch to 404.jsp. Here's my entry from web.xml:
>
>     </error-page>
>     <error-page>
>       <error-code>404</error-code>
>       <location>/404.jsp</location>
>     </error-page>
>
> Looks like the 404 page isn't being invoked by the response.sendError(404, "");

If you request a genuinely nonexistent page in your app, e.g. http://localhost:8080/myapp/FOOBAR987654321.html, do you get your /404.jsp returned (with status 404)? That should help locate the problem...

P.

> In Response To:
>
>> [EMAIL PROTECTED] wrote:
>>> See Thread at: http://www.techienuggets.com/Detail?tx=12338
>>> Posted on behalf of a User
>>>
>>> I have a J2EE application residing on Tomcat. The pages are dynamically generated. If a user enters an invalid request I redirect him to a generic error page (which isn't really an error page but just a jsp that displays a message and allows a redirect back to the site's main page). I would like to return a status of 404 from this page but because the page gets served properly I am returning a status of 200. The problem with this is that my error page then gets indexed by search engines. Any advice on how to tackle this?
>>
>> Servlet docs suggest you can nominate your JSP as an error page for status 404 - in Tomcat you could put this in conf/web.xml (after <welcome-file-list>)
>>
>>     <error-page>
>>       <error-code>404</error-code>
>>       <location>/my_error_404.jsp</location>
>>     </error-page>
>>
>> then if you call response.sendError(404, "") when your app decides the request isn't sensible, this page will be used. I haven't tried this.
>>
>> Paul Singleton
Re: SSL and non-secure items
is_maximum wrote:

> Hi experts,
>
> I have a web application configured to be secured by ssl, the problem is at some pages the browser displays a dialog box as a warning that says, this page contains both secure and non-secure items do you want to display non-secure items? and the user has two options yes and no.
>
> actually, this page is a table like a grid contains information, and it is paged so user can navigate between pages and for each page this message is displaying.
>
> my questions are,
>
> 1- why this message appears?

Because the browser you're using is Internet Explorer 6?

> 2- how can I find which items are non-secure?

1) just say no and notice which items don't appear
2) use the View / Source feature and look for http:// urls

> 3- how to prevent this message to be displayed programmatically?
>
> thank you very much

Paul S.
Re: Does anyone have an approach to checking if Tomcat instance is UP?
Kim

Do you have reason to believe that the OutOfMemory exception is due to:

* some cumulative effect (e.g. memory leak), in which case you need to restart, preferably (just) before it happens
* the qty of active sessions, so you need to load-balance when near some threshold (offload to a less busy server iff poss else please come back later)
* the complexity of some user's request, in which case your app isn't really down at all...

Paul

Kim Albee wrote:

> Tracy,
>
> The JSP does a call to a method in our app -- which if it runs, that means the app is up and available -- the method does a simple query against the DB and then returns a status of OK if the method runs through just fine.
>
> In our example from this weekend -- the health.jsp (which is the one that does this check) ran and returned a good result, but the main index.jsp returned the 500 error with the OutOfMemory exception. So that is what is confusing here.
>
> thanks,
> Kim :-)
>
> On 8/20/07, Nelson, Tracy M. [EMAIL PROTECTED] wrote:
>> How is your JSP checking your application? Are you issuing a request to your app and checking the HTTP status? If so, why isn't it recognizing the 500? Or is the JSP in your application which is failing?
>>
>> | -----Original Message-----
>> | From: Kim Albee [mailto:[EMAIL PROTECTED]
>> | Sent: Monday, 20 August, 2007 09:48
>> |
>> | Repeatedly, that JSP will work, but the site is down because Tomcat hit an
>> | OutOfMemory exception -- but our JSP (which is very small) still runs
>> | through its process and returns that everything is happy. Our application
>> | is up, but the 500 error is an OutOfMemory exception.

--
Paul Singleton
Jambusters Ltd
Re: Does anyone have an approach to checking if Tomcat instance is UP?
Jeff Hoffmann wrote:

> Christopher Schultz wrote:
>> Dan,
>>
>> Dan Armbrust wrote:
>>> A simple cron job that points to a URL using lynx, and greps the output for what it should see will do the trick...
>>
>> I would use wget instead of Lynx, but that's just me.
>>
>> Don't forget that the OP said that his JSPs appear to run correctly even after the OOME.
>
> If what you're concerned about is an OOME, you can have a JSP that queries the runtime memory usage and outputs something easily parsable to alert you to a (pending) problem. IE:
>
>     Runtime rt = Runtime.getRuntime();
>     double used = rt.totalMemory()-rt.freeMemory();
>     double free = rt.freeMemory();
>     double available = rt.maxMemory()-rt.totalMemory();
>     double usedpercent = (used/rt.maxMemory()) * 100;
>     double freepercent = (free/rt.maxMemory()) * 100;
>     double availablepercent = (available/rt.maxMemory()) * 100;

Thanks for this - is there a similar (or any) way to anticipate out of PermGen?

Paul S.
Re: Regarding Text field editor in JSP
Girish Havaldar wrote:

> Hello
>
> are there any text editor built in that assist us in formatting input data, like Subscripting, superscripting, making bold, etc. This editor we need to embed in our jsp page.

'openWYSIWYG' and 'tinyMCE' are JavaScript rich text editors embeddable in web pages including JSPs

Paul S.
Re: Configuring Cipher Suites with Tomcat 6
Mike Gardiner wrote:

> Hello,
>
> I'm sure this is detailed somewhere but I can't find it for the life of me and it's been driving me nuts all day. How can I limit the cipher suites used by Tomcat for an SSL connection?

In Tomcat 5.5, like this:

    ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"

Empirically, you must use the long names from the various cipher suite specs, not the perhaps more commonly encountered OpenSSL names, and if one of the names in the list is incorrect or otherwise unrecognised, or if you use a TLS v1.0 name when there is a SSL v3.0 for the same cipher, then the whole list is silently ignored.

The list above restricts Tomcat 5.5 to only those 128-bit and above ciphers supported in JSSE.

To check which ciphers a public website accepts you can use a service at serversniff.de, or download a desktop tool called SSLDigger from www.foundstone.com.

Paul Singleton

> I tried setting SSLCipherSuite="SOME_CIPHER", to only allow a single cipher but when a client connects it still uses whatever is the first cipher in the client's list rather than using the cipher I specify in the server.xml file.
>
> My complete connector tag is:
>
>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="SSLv3" keystoreType="luna"
>                keyAlias="tomcat" keystore="/.keystore"
>                SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
>
> Any help would be great
>
> Mike
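Because the reply above reports that one unrecognised name makes the whole ciphers list silently ignored, it is worth validating the list against the JVM before it goes into server.xml. The following is an added example, not code from the thread or from Tomcat: it asks the running JVM's JSSE provider whether it accepts each name. The class name, the two deliberately bad entries appended to the page's list, and the "outdated" name patterns are this example's own assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example: checks a comma-separated JSSE cipher list name by name.
public class CipherListCheck {

    static final class Report {
        final List<String> accepted = new ArrayList<String>();
        final List<String> rejected = new ArrayList<String>();  // JSSE refuses the name
        final List<String> outdated = new ArrayList<String>();  // accepted, but dated
    }

    /** True if this JVM's JSSE provider accepts the suite name at all. */
    static boolean jsseAccepts(SSLEngine engine, String name) {
        try {
            // Throws IllegalArgumentException for a name JSSE does not support.
            engine.setEnabledCipherSuites(new String[] { name });
            return true;
        } catch (IllegalArgumentException unsupported) {
            return false;
        }
    }

    /** Heuristic (assumption): OpenSSL names use hyphens, JSSE names do not. */
    static boolean looksLikeOpenSslName(String name) {
        return name.indexOf('-') >= 0
            && !name.startsWith("TLS_") && !name.startsWith("SSL_");
    }

    /** Name patterns for algorithms now considered weak (this example's list). */
    static boolean isOutdated(String name) {
        return name.contains("_RC4_") || name.contains("_3DES_")
            || name.contains("_DES_") || name.endsWith("_MD5")
            || name.contains("_NULL_") || name.contains("_EXPORT_")
            || name.contains("_anon_");
    }

    static Report check(String ciphersAttribute) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        Report r = new Report();
        for (String raw : ciphersAttribute.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (jsseAccepts(engine, name)) {
                r.accepted.add(name);
                if (isOutdated(name)) {
                    r.outdated.add(name);
                }
            } else {
                r.rejected.add(looksLikeOpenSslName(name)
                    ? name + " (OpenSSL-style name?)" : name);
            }
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        // Default input: the ciphers value quoted in the message above, followed
        // by two constructed entries (an OpenSSL-style name and a misspelt name).
        String configured = args.length > 0 ? args[0]
            : "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,"
            + "SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,"
            + "SSL_RSA_WITH_3DES_EDE_CBC_SHA,"
            + "AES128-SHA,TLS_RSA_WITH_AES_128_CBC_SHAA";
        Report r = check(configured);
        System.out.println("accepted by this JVM : " + r.accepted);
        System.out.println("rejected by this JVM : " + r.rejected);
        System.out.println("accepted but outdated: " + r.outdated);
        if (!r.rejected.isEmpty()) {
            // Per the report above, a single bad name voids the whole list.
            System.out.println("do not deploy this list until every name is accepted");
            System.exit(1);
        }
    }
}
```

Results depend on the JVM the check runs on, so run it with the same Java installation that runs Tomcat. A name being accepted only means JSSE recognises it; whether the suite is actually negotiated also depends on the JVM's security settings.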
starting Tomcat from Java
I (sometimes) want to start Tomcat (5.5 onwards) from Java, but I am not embedding: I just need to get the same effect as running bin/startup.bat but getting Tomcat to run in an existing JVM (so I can debug some other stuff).

I am considering translating startup.bat into Java: has this already been done?

I really want a solution which continues to behave like startup.bat regardless of changes to the environment, Tomcat, server.xml etc. (I won't always be there to sort things out)

Paul Singleton
Re: running tomcat on a particular network interface and a particular port
David Smith wrote:

> Ahhh the joy of *nix operating systems. Way back in the distant past of unix systems, someone decided it was a bad idea to allow any user on the system to bind to the well known low ports (1 - 1024) where officially sanctioned services (POP, SMTP, FTP, etc., ...) should be. A great idea except it also required the services to be running as a privileged user to gain access. For a lot of reasons, services should run with the least privilege.

This kludge was forgiveable on multi-user systems (anyone remember them?) but makes things worse on secure servers; unfortunately you seem to have to recompile the kernel to switch it off...

> A couple of the most common solutions to this problem are:
>
> 1. Start tomcat using jsvc. You can get it from the commons-daemon project at http://jakarta.apache.org/commons/daemon
>
> 2. Run tomcat on a higher port like 8443 and attempt to use iptables to divert the traffic intended for 443 to tomcat. I'm a bit dubious on if this will work with an SSL connection. You can try it if you like.

It works as well for HTTPS as it does for HTTP (i.e. fine) but you may nevertheless prefer to avoid configuring port redirection into iptables.

> My vote is for 1. It's easy and tomcat can act as a well behaved, respectable service running with minimum privilege while still capturing a privileged port.

I opted for 2 (have used this in production a coupla years now) as it doesn't involve any software you wouldn't have to use anyway (if someone discovers a security vulnerability in jsvc tomorrow I shall be smugly smiling) but realistically there's nothing in it and the choice is yours...

Paul Singleton

> --David
>
> Faheem Mitha wrote:
>> Hi,
>>
>> I can now get tomcat to run an ssl connector at port 8443 (Debian default), but doesn't work if I try to run it at 443.
>>
>> The log says:
>>
>>     Apr 17, 2007 12:31:19 AM org.apache.catalina.startup.Catalina start
>>     SEVERE: Catalina.start:
>>     LifecycleException: service.getName(): Catalina; Protocol handler start failed: java.net.BindException: Permission denied:443
>>         at org.apache.catalina.connector.Connector.start(Connector.java:1096)
>>         at org.apache.catalina.core.StandardService.start(StandardService.java:459)
>>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>         at java.lang.reflect.Method.invoke(Method.java:585)
>>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
>>
>> My server.xml config now says
>>
>>     <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
>>     <Connector address="core.dulci.org" port="443" maxHttpHeaderSize="8192"
>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>                enableLookups="false" disableUploadTimeout="true"
>>                acceptCount="100" scheme="https" secure="true"
>>                clientAuth="false" sslProtocol="TLS" />
>>
>> Any idea what I am missing? I don't think the problem is that apache is blocking 443, because when I turn off apache, I get the same error. In any case, I have configured apache to listen only at the florence.dulci.org:443 interface.
>>
>> Is there an easy way to discover what is listening on a particular port on a particular IP address?
>>
>> Thanks. Faheem.

--
Paul Singleton
Jambusters Ltd
Re: How to change a cipher suite with jboss 3.2.5
BENTOUHAMI MB Malek (DCL) wrote:

> Hi,
>
> I meet an unsolvable problem (for me) :
>
>     14:54:27,221 ERROR [PoolTcpEndpoint] Le point de contact [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8443]] a ignoré l'exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
>     java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.

If it helps, you can discover which ciphers are enabled:

* at serversniff.de (Webserver / SSL - Info) (if your site is public)
* with a utility such as Foundstone SSLDigger (from www.foundstone.com)

Paul S.

>         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>         at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:368)
>         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:549)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
>         at java.lang.Thread.run(Thread.java:534)
>
> I change everything :
>
> - certificate is a Verisign new one
> - keystore is specified in server.xml (path and pwd)
> - policyserver.key contains intermediate ca and the same password.
>
> Thank you for your help.
>
> Regards,
>
> Malek Bentouhami
> CWIP (Pôle Architecture Technique / Technical Architecture Entity)
> DEXIA Crédit Local
Re: can a web app discover its Service?
Raghupathy, Gurumoorthy wrote:

> How about Setting up jndi variables ?

I've had a closer look at Tomcat Configuration Reference, which says you can set per-Server JNDI variables (GlobalNamingResources), and per-Context ones, but there's no mention of per-Service variables.

Any idea whether/how this could be done?

regards - Paul

> Regards
> Guru
>
> -----Original Message-----
> From: Mikolaj Rydzewski [mailto:[EMAIL PROTECTED]
> Sent: 20 March 2007 15:05
> To: Tomcat Users List
> Subject: Re: can a web app discover its Service?
>
> Paul Singleton wrote:
>> I want to deploy the same war into different (5.5) Services (e.g. test and live), and want it to discover where it is and behave differently.
>>
>> Is there a Tomcat-specific way to do this?
>
> JMX and MBeans come to mind.
>
>> Is there a container-independent way of discovering container-specific info like this?
>
> Check port server listens on?

--
Paul Singleton
Jambusters Ltd
Re: can a web app discover its Service?
Mikolaj Rydzewski wrote:

> Paul Singleton wrote:
>> I want to deploy the same war into different (5.5) Services (e.g. test and live), and want it to discover where it is and behave differently.
>>
>> Is there a Tomcat-specific way to do this?
>
> JMX and MBeans come to mind.
>
>> Is there a container-independent way of discovering container-specific info like this?
>
> Check port server listens on?

OK, since Servlet 2.4 there's

    String ServletRequest.getLocalAddr()

which returns the IP address on which the request was received; this should enable my web apps to discover whether they are deployed to our 'test' virtual server or one of the live ones.

I'd still like to know if there's anything we can set in a Service element which our web apps can read...

Paul Singleton
Re: can a web app discover its Service?
Christopher Schultz wrote:

> Paul,
>
> Paul Singleton wrote:
>> I want to deploy the same war into different (5.5) Services (e.g. test and live), and want it to discover where it is and behave differently.
>>
>> Is there a Tomcat-specific way to do this?
>>
>> Is there a container-independent way of discovering container-specific info like this?
>
> You tell us: how can /you/ tell that you are in production versus test? If you can make that determination, then you should be able to make your software do it, too.
>
> I have ant scripts that build everything for me including WAR files for deployment. In my source repo, I have different configuration directories for each of dev, demo, and prod. In fact, I can make as many of those as I'd like, since I just set release-type in my build.properties file to a string, and ant pulls the configuration and properties files that match that directory, so I could potentially create a foo release-type if I wanted.
>
> So, instead of the application detecting where it is and configuring itself appropriately, I tell the application what it /will be/ and configure it at build time.

Yeah, so do we, but like I said:

    I want to deploy the same war into different (5.5) Services (e.g. test and live), and want it to discover where it is and behave differently.

I didn't explain *why* we want to do this, because I don't want to spend time debating it with folk who prefer to do it the other way ;-)

But here are a couple of plus points for discovery and self-configuration (DSC):

1) our dev, test and demo configurations behave in convenient ways we don't *ever* want in our live apps; with DSC we are more confident that, even if deployment misteaks are made, we won't be embarrassed

2) we can implement all configuration in Java and don't need to learn or teach anything else!

regards - Paul

> Just my $0.02
>
> -chris

--
Paul Singleton
Jambusters Ltd
Re: can a web app discover its Service?
Bob Hall wrote:

> --- Paul Singleton [EMAIL PROTECTED] wrote:
>> I want to deploy the same war into different (5.5) Services (e.g. test and live), and want it to discover where it is and behave differently.
>>
>> I didn't explain *why* we want to do this, because I don't want to spend time debating it with folk who prefer to do it the other way ;-)
>>
>> But here are a couple of plus points for discovery and self-configuration (DSC):
>>
>> 1) our dev, test and demo configurations behave in convenient ways we don't *ever* want in our live apps; with DSC we are more confident that, even if deployment misteaks are made, we won't be embarrassed
>
> Paul,
>
> If your app talks to a database, have you considered using a database table to map IP's to deploy modes?

No, each app has its own database, and in our case, I'm happier building this table into our (common) application bean.

But you've given me an idea: I may label each database internally as test, live etc. and get the apps to check this too when they start...

Many thanks - Paul

> -Bob

--
Paul Singleton
Jambusters Ltd
can a web app discover its Service?
I want to deploy the same war into different (5.5) Services (e.g. test and live), and want it to discover where it is and behave differently.

Is there a Tomcat-specific way to do this?

Is there a container-independent way of discovering container-specific info like this?

Paul Singleton
Re: can a web app discover its Service?
Mikolaj Rydzewski wrote:

> Paul Singleton wrote:
>> I want to deploy the same war into different (5.5) Services (e.g. test and live), and want it to discover where it is and behave differently.
>>
>> Is there a Tomcat-specific way to do this?
>
> JMX and MBeans come to mind.
>
>> Is there a container-independent way of discovering container-specific info like this?
>
> Check port server listens on?

Well the port numbers are the same but the IP addresses differ, so if I can discover these, that's good enough for me.

But how? I can't find anything in the Servlet API...

Paul Singleton
Re: HTTP plus
Peter Kennard wrote:

Excuse the naivety but I thought you couldn't open a socket with J2EE. I was told (I think on this list) that you need to use a JCA to make the connection.

Tomcat is not a full J2EE server, just servlets+JSP, so maybe it lets you do things which are verboten in J2EE?

If this is true I want to know about this. I am so far under the impression if you needed to connect with another protocol in a servlet you could in essence (Worst case scenario) write a server inside a servlet using sockets.

Well you can certainly make an HTTP request (to an arbitrary URL, including your own) from within a servlet, wait for the response, process it as you see fit and finally return it to the original requestor. Several of our apps do this. If you want to wrap a connection-based protocol in this way, you'll have to save socket info in session state. This works with database connections (although connection pooling is better practice).

But that would require you write all the code to handle aborting startup/shutdown thread management etc etc. If I can have a tweaked protocol servlet as part of a multi-servlet application this would make a perfect model for the gateway type of application between HTTP and a non (exactly) HTTP protocol we are trying to support.

Please clarify: are you aiming to wrap non-HTTP services as HTTP services, for HTTP clients only? I got the impression from another msg that you hoped to hand off an initial HTTP request to a telnet conversation, which could be tricky or impossible. Are you reinventing HTTP tunneling? http://en.wikipedia.org/wiki/HTTP-Tunnel Paul Singleton

Can you write a server inside a servlet ?? PK

At 06:46 2/28/2007, you wrote:

On Wed, 28 Feb 2007 12:36:03 +0100 Georg Sauer-Limbach [EMAIL PROTECTED] wrote:

If you don't want to deal with HTTP, you should not use the Servlet API (which is the Java abstraction of HTTP) at all. You can do the indicated code with generic sockets, no need to mind about Servlets altogether.
Regards Wayne
Re: Certificate Installation Issues
Jeanna Geier wrote:

Hello List- After having our application running smoothly with self-signed certificates, we made the change today and purchased a Comodo InstantSSL certificate - and after following the instructions on installing it, I'm having some problems that I am hoping someone with more experience who has run across this can help me with..

I received three certificates from Comodo:
* AddTrustExternalCARoot.crt
* netrequest_biz.crt
* UTNAddTrustServerCA.crt

I followed their instructions on importing them in the order: 1) Root, 2) IntermediateCA, 3) Domain/Site Certificate

On my Server, I ran the following to install the certificates into my Java cacerts:

C:\Program Files\Java\jdk1.5.0_06\jre\lib\security>keytool -import -trustcacerts -alias root -file C:\AddTrustExternalCARoot.crt -keystore cacerts
C:\Program Files\Java\jdk1.5.0_06\jre\lib\security>keytool -import -trustcacerts -alias INTER -file C:\UTNAddTrustServerCA.crt -keystore cacerts
C:\Program Files\Java\jdk1.5.0_06\jre\lib\security>keytool -import -trustcacerts -alias netrequest -file C:\netrequest_biz.crt -keystore cacerts

Maybe you should explicitly remove the old self-signed certificate with alias 'netrequest' before replacing it? Paul Singleton

For good measure (because I wasn't sure if I had to or not) I also added them to my Java cacerts file on the pc that I'm going to use to remotely connect to the Server...

OK, so my first test was to test that the certificate got installed on the Server correctly, so I opened Internet Explorer and from the File - Open (Open as Web Folder) box typed: https://localhost:8443/slide/files - and I was prompted with a 'Security Alert' that said that: The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. The name on the security certificate is invalid or does not match the name of the site (The security date was valid).

So, when I clicked on View Certificate two things struck me: 1) the issued by is 'netrequest.biz' (shouldn't this be Comodo - isn't this why we buy the certificate? our self-signed ones had this on it...) and 2) the date Valid from 2/27/2007 to 5/28/2007 (we purchased a two-year certificate, shouldn't this be until 2009??). Even after installing the certificate, logging out, and logging back in, I still get the Security Alert message box - something we don't want our customers to have to deal with.

Second test: attempting to log into the Server where our DataBase is stored to access it and run the program. However, after putting in my Username and Password, when the program continues on to validate the sign-on, I get a pop-up with the following error message:

IO Error loading patterns: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Prior to installing these new certificates from Comodo and while using our self-signed ones, all was working OK; we're getting ready to go live in a day and a half, so we really need to get this worked out, so any thoughts, comments, or expertise that anyone could provide to help me straighten this out would be greatly appreciated!!! Thanks in advance for your time and help!! -Jeanna
Re: reload on demand?
Kent Tong wrote:

In a development environment it's desirable to reload a webapp if any of its class files has been changed.

Are you serious?! Our developers rely on Hot Code Replacement to enable them to continue debugging after changes to program logic, and only restart if they want/need to or if HCR fails (e.g. because they added/altered a public member signature etc.). They would not be happy with your policy!

I know about the reloadable flag, but it will keep reloading the webapp whenever a change is made and slows down the computer. Instead, I'd like to reload it on demand, ie, when it is accessed again.

Don't you run tests after changing your apps? ;-)

Is it a desirable feature? It shouldn't be that hard to implement (invoke the reload logic before any access to the webapp instead of from a background scheduler).

I (think I) understand your Wish, but I reckon the way you work is so unusual that you won't be able to rally much support for it. In our apps, it's initialisation of the application bean that takes time, and this happens at first request, not at reload.

Yes, I know about the reload function in the Tomcat manager. But it requires two manual steps: first, reload the webapp; second, access a page in the webapp.

Paul Singleton
Re: Get rid of 8080 port in Tomcat 3.3
Steffen Heil wrote:

Hi

That's the way You should go: http://www.linux.org.mt/article/tomcat-ports

I totally disagree. First, it would surely be best to update to 6.0 and run it using jsvc However, let's look at the solution in the link above.

1. The Apache solution. (Which should be called the httpd solution.) This will work, and might be okay, if you are already running apache on that system. BUT tomcat itself can be faster (at least newer ones, I don't know about 3.x) without httpd.

2. The IP tables solution Your webapplication will not know about the different port and encode urls incorrectly. Bad Idea and impossible if SSL is required.

Dunno whether there are flaws in the particular solution which Stefan referred to, but your assertions about iptables solutions are not generally true. Using well documented iptables port mapping techniques you can run Tomcat 5.5 as non-privileged user, with SSL on port 443 on several address-based virtual hosts, each with their own certificates. No jsvc (or any other s/ware or processes) required. URL encoding works as intended (indeed, we rely on it exclusively, configuring Tomcat to never send cookies). This solution in production 1 year. What's the basis for your claims?

3. The rinetd solution Good for development and tests. Adds a little overhead AND destroys a lot of logging and security, as tomcat will always see ONE client ip.

4. IPchains alternative see 2.

UPGRADE. Otherwise get jsvc to work for you. Regards, Steffen

Paul Singleton
Re: overlapped parameters between sessions
Caldarale, Charles R wrote:

From: WILLIAM PARRA [mailto:[EMAIL PROTECTED] Subject: overlapped parameters between sessions

When passing parameters with get method, with many users (about 200); some parameters, are overlapped between sessions.

If you're speaking of parameters taken from a URL, they are relative to a Request, not a Session. There can be many Requests associated with a single Session being processed concurrently. If your app is storing Request-specific information in a Session object, your app is in error.

If you don't *need* to process per-session requests concurrently, you may find it easier and safer overall to synchronise access to each session and continue to code your sessions without worrying about concurrent requests. Your users will never notice. Just don't serialise *all* requests :-) But this may not be what William is on about... Paul Singleton
(mis)interpretation of /webapps2/ in Context.docBase
In Tomcat 5.5.9 (JDK 1.6.0, WinXP) I have a 'webapps2' folder alongside the default 'webapps', and server.xml has

<Host name="localhost" appBase="webapps" ...>
<Context path="/myapp" docBase="../webapps2/myapp" ... />

which works as intended, but originally I used an absolute path e.g.

<Host name="localhost" appBase="webapps" ...>
<Context path="/myapp" docBase="C:/shared/apps/jakarta-tomcat-5.5.9/webapps2/myapp" ... />

and got this at Tomcat startup:

SEVERE: Error starting static Resources java.lang.IllegalArgumentException: Document base C:\shared\apps\jakarta-tomcat-5.5.9\webapps\2\CardiffCarshareWelsh2c does not exist or is not a readable directory

where /webapps2/ was being interpreted as /webapps/2/ ?!?! Paul Singleton
Re: IPTABLES
Parsons Technical Services wrote:

So, if I read correctly you have no problems running your apps as root?

??? Sorry if I gave that impression; I run Tomcat standalone as a non-privileged user, doing port forwarding with iptables. I thus depend only on iptables, a Sun JRE and Tomcat, the simplest, smallest most reliable set I can think of. Apache httpd and jsvc may be fine, but I don't ever have to worry about newly discovered vulnerabilities, patches, version compatibility etc. with them. Spurning them is not a judgement of their quality, just keeping my config as simple as possible. That's (part of) my security posture... Paul Singleton

PS if you know how to configure iptables to also forward internal requests to localhost:8080 please pass it on!

If this is true, then I say you have a very weak security posture. Might I suggest you do some additional research on the subject. And that those who run things in a chroot jail must be real paranoid freaks. And now this post is way off topic. Doug

- Original Message - From: Paul Singleton [EMAIL PROTECTED] To: Tomcat Users List users@tomcat.apache.org Sent: Thursday, October 19, 2006 7:21 PM Subject: Re: IPTABLES

Christopher Schultz wrote:

Apache httpd is configured out of the box to start up as root, bind to port 80 (or really any port), and then drop its privileges to the httpd user. Without some really nasty code, Tomcat is unable to do the same thing, so we're forced to do silly things like internal port forwarding, etc.

The root-only-access-to-low-ports policy of Linux is a legacy from the days when Unix systems were typically multi-user: it is a heavy-handed way of stopping the oiks from running unauthorised servers. In a secure server it is unnecessary, indeed counterproductive when it tempts us to run services as root, or to use tricksy workarounds. Linux should make this switch-offable (without having to recompile the kernel).

The only problem I've found with standalone Tomcat plus iptables port forwarding (apart from the need to understand iptables :-)) is that web apps can't make requests to themselves at port 80, but have to use 8080 or whatever. Paul Singleton
Re: IPTABLES
Christopher Schultz wrote:

Apache httpd is configured out of the box to start up as root, bind to port 80 (or really any port), and then drop its privileges to the httpd user. Without some really nasty code, Tomcat is unable to do the same thing, so we're forced to do silly things like internal port forwarding, etc.

The root-only-access-to-low-ports policy of Linux is a legacy from the days when Unix systems were typically multi-user: it is a heavy-handed way of stopping the oiks from running unauthorised servers. In a secure server it is unnecessary, indeed counterproductive when it tempts us to run services as root, or to use tricksy workarounds. Linux should make this switch-offable (without having to recompile the kernel).

The only problem I've found with standalone Tomcat plus iptables port forwarding (apart from the need to understand iptables :-)) is that web apps can't make requests to themselves at port 80, but have to use 8080 or whatever. Paul Singleton
Re: AOL
Daniel Blumenthal wrote:

How does the lb decide where you go for all requests after the first one? Typically, the session id is sniffed from the URL or cookie and the lb maintains a table of mappings that expires after some time.

Our two choices are evidently IP-based and cookie-based. Currently, we're using IP-based, so every IP address is treated as a separate request. I'm looking into making it cookie-based, and making cookies a requirement for the site (currently, we only use cookies to store a couple of simple preferences). Any idea how many people have cookies turned off?

Are you *sure* your load balancer isn't capable of recognising session IDs in URLs? If it can, then you have a 3rd option: forget cookies and tell Tomcat to use URL encoding exclusively. Of course, you must call response.encodeURL() anywhere you return a link back into the session, but this is probably good practice anyway, and all cookie-related problems go away (and testing becomes easier: you can have many independent sessions in Firefox tabs etc. :-) Paul Singleton
Re: AOL
Daniel Blumenthal wrote:

We just switched from a single server to a cluster, with a load balancer out front to manage incoming connections. The load balancer makes the decision to go to app server 1 (app1) or app server 2 (app2) based on IP address - once a request comes in from one source IP, all future requests (for some period of time) go to the same server. The problem is that it appears that AOL will randomly assign an IP address to every request a user sends.

They presumably run a proxy farm: the IP addresses from request.getRemoteAddr() should be those of the (last) proxy which handled the request. AOL should use the HTTP_X_FORWARDED_FOR* header to convey the originating IP address (do they?): you could get this with request.getHeader(HTTP_X_FORWARDED_FOR)

IMHO if your load balancer switches on RemoteAddr when an HTTP_X_FORWARDED_FOR address is available then it is broken, and if AOL don't set HTTP_X_FORWARDED_FOR then they are guilty of Bad Practice (only those dodgy anonymising services have a good reason to do that). Paul Singleton

* or perhaps HTTP_CLIENT_IP
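An added example (not part of the original thread): one way to derive a client address from the peer address and the forwarded-for header for sticky balancing or logging, honouring the header only when the request arrives from a proxy you operate, because the header is otherwise client-supplied text. On the wire the header is named X-Forwarded-For (HTTP_X_FORWARDED_FOR is its CGI-variable spelling); the class name, the trusted-proxy addresses and the sample requests are assumptions constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical helper: pick the client address from getRemoteAddr() plus X-Forwarded-For. */
public class ClientAddressResolver {
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final Pattern IPV4 = Pattern.compile(OCTET + "(\\." + OCTET + "){3}");
    // Plain hex-and-colon IPv6 only; zone ids and dotted suffixes are rejected.
    private static final Pattern IPV6 = Pattern.compile("[0-9A-Fa-f]*:[0-9A-Fa-f:]*");

    private final Set<InetAddress> trustedProxies = new HashSet<>();

    public ClientAddressResolver(String... proxies) {
        for (String p : proxies) {
            InetAddress a = parseLiteral(p);
            if (a == null) throw new IllegalArgumentException("not an IP literal: " + p);
            trustedProxies.add(a);
        }
    }

    /** Accepts IP literals only, so header text is never resolved as a host name. */
    static InetAddress parseLiteral(String s) {
        String t = s.trim();
        if (!IPV4.matcher(t).matches() && !IPV6.matcher(t).matches()) return null;
        try {
            return InetAddress.getByName(t);
        } catch (UnknownHostException e) {
            return null;
        }
    }

    /**
     * remoteAddr is the TCP peer (request.getRemoteAddr()); forwardedFor is the raw
     * header value or null. Entries are read right to left, because each proxy
     * appends the address it saw; anything further left was written by the client.
     */
    public String resolve(String remoteAddr, String forwardedFor) {
        InetAddress peer = parseLiteral(remoteAddr);
        if (peer == null) throw new IllegalArgumentException("bad peer address: " + remoteAddr);
        // A request that did not come through our own proxy cannot vouch for the header.
        if (forwardedFor == null || !trustedProxies.contains(peer)) return peer.getHostAddress();
        InetAddress candidate = peer;
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            InetAddress hop = parseLiteral(hops[i]);
            if (hop == null) break;                    // malformed entry: stop here
            candidate = hop;
            if (!trustedProxies.contains(hop)) break;  // first non-proxy hop is the client
        }
        return candidate.getHostAddress();
    }

    public static void main(String[] args) {
        // Constructed sample: 10.0.0.5 and 10.0.0.6 stand for the site's own proxies.
        ClientAddressResolver r = new ClientAddressResolver("10.0.0.5", "10.0.0.6");
        String[][] cases = {
            {"203.0.113.9", "10.1.1.1"},               // direct request, header ignored
            {"10.0.0.5", "198.51.100.7"},              // one proxy hop
            {"10.0.0.5", "192.0.2.1, 198.51.100.7"},   // client-written entry on the left
            {"10.0.0.5", "198.51.100.7, 10.0.0.6"},    // two of our proxies in a row
            {"10.0.0.5", "not-an-address"},            // malformed header
        };
        for (String[] c : cases) {
            System.out.println(c[0] + " + [" + c[1] + "] -> " + r.resolve(c[0], c[1]));
        }
    }
}
```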
Re: multiple virtual hosts and ssl certificates
Hassan Schroeder wrote:

On 8/25/06, teknokrat [EMAIL PROTECTED] wrote:

So let's see if i understand this correctly. I can only have multiple SSL certificates if I create different Services in server.xml pointing to different ports?

No, you don't need different Services; you need a Connector and associated keystore per IP (or IP/port) that you want to secure.

In 5.5.9 you can put all your certificates in one keystore (e.g. the default one for simplicity) under different aliases, then use the (still) undocumented attribute Connector keyAlias=mycert1 ... I suggest you don't proliferate keystores unless you really have to... Paul Singleton
Re: performance question
Lambda Probe is a free+easy way to get some instrumentation

Propes, Barry L wrote:

I'm having some problems this morning with performance. How can I easily determine if it's servlets, or Tomcat, as opposed to possibly the database (Oracle) I'm using? I've not had this problem before. Barry
Re: Creating Virtual Hosts
Jorge Isaac Martínez Hatch wrote:

Genius all around the world, Goal: Install two SSL certificates in the same server, but working for two different IP addresses and domains. I have:
- One server running Tomcat 5.5 over Windows.
- Two IP addresses.
- Two domains, one for each IP address.
- Two SSL certificates one for each domain.
- A keystore and alias for each certificate.

You can keep both/all certificates in the same keystore (e.g. the default one) and specify them with the (still undocumented) Connector attribute keyAlias=mycert1 (I reckon one keystore is slightly easier to manage than two)

I think I need to configure two hosts (or virtual hosts, what's the difference between these?)

A physical host is a hardware server, which may support many virtual hosts, either name-based (several at one IP address, Tomcat steers requests to corresponding web apps) or address-based (each app needs its own IP address). Since certificates are checked *before* Tomcat gets to attempt name-based virtual hosting, you need a dedicated IP address for each SSL-enabled app, natch. Unless things have changed since 5.5.9

Connector port=443 name=72.3.245.1

No this should be Connector port=443 address=72.3.245.1 (there is no Connector name attribute that I can find)

Host name=72.3.245.1 appBase=webapps

Hmm, I'd expect name=mysecuresite.com or similar, not an IP address.

It didn't work at all, I have the first certificate on the first IP working. But the second certificate just don't work because it gets the first certificate not the second, so the domains don't match.

If it gets the first cert, then it must be using the first Connector, which I guess is because, without address attributes, both are using all addresses? Paul Singleton

Any help on this is welcome, thank you. Isaac Martínez Hatch
Re: Creating Virtual Hosts
Jorge Isaac Martínez Hatch wrote:

SEVERE: Error starting endpoint java.net.BindException: Cannot assign requested address: JVM_Bind:443

Probably the port is already in use, perhaps by a task left over from your previous attempts. Can you reboot and try again? Or do you have another web server running, e.g. Apache? IIS? Paul S.
Re: Tomcat and Sysdeo Eclipse Plugin
Asad (I doubt that something as fundamental as this is a difference between 5.5.9 and 5.5.16) Have you checked Eclipse's Window / Preferences... / Tomcat to ensure that all references to Tomcat files refer to your new 5.5.16 installation? I get the same error if Tomcat home is set incorrectly in these preferences. cheers Paul Singleton

Asad Habib wrote:

Hello. I am experiencing a problem trying to start Tomcat from Eclipse using the Sysdeo Plugin. The error I get is as follows:

Exception in thread main java.lang.NoClassDefFoundError: org/apache/catalina/startup/Bootstrap

I am running Tomcat 5.5.16 and using Eclipse 3.1.2 with Sysdeo Eclipse Tomcat Plugin 3.1.0 on Mac OS X. I had no problems using this plugin with Tomcat 5.5.9. When I try starting Tomcat from the command line via the Terminal application, everything works. Also, I checked and the Bootstrap class does exist in the Tomcat bin directory. Any help would be appreciated. Thank you. - Asad
Re: error-page for nonexistent context
Mark Thomas wrote:

Paul Singleton wrote:

(I am required to anonymise a Tomcat 5.5 server from hackers trying to discover its version etc.) If I put this in conf/web.xml

<error-page>
<error-code>404</error-code>
<location>/anon_error.jsp</location>
</error-page>

*and* put an anon_error.jsp in every web app, then I can replace the built-in error page. But where will Tomcat look for /anon_error.jsp when a (page within a) nonexistent context is requested?

I haven't tested this... I would expect an unknown context to be mapped to the ROOT context given the mapping rules defined in section SRV.11.1 If the context isn't recognised, then the longest matching context path will be / which is the ROOT context.

Thanks for this: I think you're right, and I have now tested this in 5.5.9 (which of course is not necessarily the version I'm trying to anonymise :-) and it works. cheers - Paul S.
error-page for nonexistent context
(I am required to anonymise a Tomcat 5.5 server from hackers trying to discover its version etc.) If I put this in conf/web.xml

<error-page>
<error-code>404</error-code>
<location>/anon_error.jsp</location>
</error-page>

*and* put an anon_error.jsp in every web app, then I can replace the built-in error page. But where will Tomcat look for /anon_error.jsp when a (page within a) nonexistent context is requested? Paul Singleton

-- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.1.375 / Virus Database: 268.0.0/268 - Release Date: 23/Feb/2006
Re: SSL Certificate Beginner Question
David Wall wrote:

...if the user accesses your site with http://, the port 80 Connector (or 8080 if testing or using a non-standard port) has a redirectPort element that causes Tomcat to automatically issue a redirect using https://

Are you sure? I thought redirectPort was only useful for redirecting _https_ requests which were sent to the wrong port... Paul S.
Re: How to deploy my webapp as root context webapp without tomcat loading it twice?
Vivek Mohan wrote:

Like I mentioned in my problem statement: I don't want to move my application into ROOT folder or rename it to ROOT. And unlike as you said Mark, putting autoDeploy=false doesn't help in this case. Is this (loading a webapp twice if the context path and the docBase path is different) a feature of Tomcat? Can't this be turned off?

My hunch is that you won't get a definitive answer to this question in this group :-/ I *think* you need to do all these:
* maintain an empty appBase directory
* leave autoDeploy alone (there's nothing for it to deploy)
* set docBase in Context to an absolute path to your app

regards Paul Singleton
IncompatibleClassChangeError handling
If I update a jar file within a JSP web app while Tomcat (5.5.9) is stopped, I may get an IncompatibleClassChangeError at the first request after restart. I fix this by stopping, deleting the work stuff, and restarting. Is it possible in principle for Tomcat to automatically regard the compiled pages as out of date, and recompile them as they are encountered? Paul Singleton
Re: Could do with some guidance/help
I only use Tomcat standalone, and have no hunches about your particular problem, but sometimes IE hides the sordid details of error msgs and I find that Firefox gives them to you straight; also there's a LiveHTTPHeaders plugin which can be useful when troubleshooting? good luck :-/ Paul Singleton

Richard Tomkins wrote:

Platform: Windows 200 Pro, Service Pack 4 Pentium 4, HyperThreaded, 512MB memory. Installed software, Oracle 10g Release 2, Personal Edition. Apache 1.3.33 J2SDK 1.4.2_10 Tomcat 4.1.31 Mod_jk-1.2.14-apache-1.3.33.so

I have set up Tomcat server.xml with the requisite listeners to have it do auto configuration. I am using the ajp13 connector, and I have tried both of the configurations for this inside server.xml, the ajp13 on port 8009 and the coyote/ajp13 on port 8009. The Tomcat examples all work as well as the administration and management tools.

My problem is that I have an application that I have to install on a number of desktops for internal test purposes. The application is written in jsp and works with an earlier version of Apache and Tomcat 3.x.mumble. With the implementation I am working with, on the first page I get a message that an Internal Server Error has occurred. If I right mouse click and choose refresh, the expected page shows up on the browser. If I do this via http://localhost:8080/testsoft/index.html, the display works every time, unlike my experience with http://locahost/testsoft.html which should work. Many web pages after do work, and as I said previously, the Tomcat examples all work with both methods. Something between Apache and Tomcat is causing me some pain. If anyone has any ideas to throw my way, please do. Regards, Richard Tomkins
Re: Tomcat 5.0 : howto make a webapp the ROOT webapp the proper way
Francis Galiegue wrote:

...
<Host name="localhost" debug="0" appBase="external-webapps" autoDeploy="false" deployXML="false" deployOnStartup="true" unpackWARs="true" xmlValidation="false" xmlNamespaceAware="false">
[...]
<Context docBase="/var/lib/tomcat5/webapps/one2team" path="" id="o2t">
<Valve className="org.apache.catalina.valves.AccessLogValve" prefix="access-kitu-" suffix=".log" pattern="common"/>
<Logger className="org.apache.catalina.logger.FileLogger" prefix="kitu-" suffix=".log" verbosity="2" timestamp="true"/>
</Context>
</Host>
...

But then this is flawed: * The external-webapps directory does not exist, and tomcat doesn't seem to complain. However, future versions may.

Indeed. I recommend setting appBase to a real, empty directory. It seems a bit odd having to maintain an empty dir as part of the configuration, but you can do it if you try :-) You may want to put a README in there, saying do not interfere...

What's more, if this directory is created and a webapp exists in there we get to the same problem...

If webapps just magically come into existence on your server then it needs stricter administration :-)

* I'm no expert at all with Tomcat but this just looks like there's a far more simple, elegant way...

(before you're an expert you'll stop expecting this ;-) e.g. an attribute to retain deployment on startup from explicit contexts while suppressing implicit deployment from the appBase? Paul Singleton
replacing the error page(s)
If I want to ensure that Tomcat's built-in error page (5.5.9+) is never used (and provide a custom replacement) (for all apps in a server), is there a better way than putting this sort of stuff in conf/web.xml?

<error-page>
<error-code>404</error-code>
<location>/some/error/page.jsp</location>
</error-page>
<error-page>
<exception-type>java.io.IOException</exception-type>
<location>/some/error/page.jsp</location>
</error-page>

and what error codes must I do this for? Is there a compact way of specifying *all* codes? Is it a bad idea to define a page for java.lang.Throwable? Paul Singleton
Re: security question for this group
Prabhat Kumar (IT) wrote:

I am trying to figure out how to prevent a situation where a user has a runaway page that is a super user page (and unauthorized). The page has a text area that takes an SQL query and executes this on the applications database. My question is, how can such unauthorized tasks be prevented in general?

The only Java Server Pages available to the user are those which you deploy, so don't create such a page in the first place :-) If you need to evaluate SQL queries, set them up in advance as PreparedStatements, then just solicit parameter values from the user; if you construct SQL queries from text supplied by the user, they may be able to inject commands to do things you don't want them to be able to do

RTFM for various techniques for authorizing users

Paul Singleton
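An added example (not part of the original thread) of the advice above: queries are fixed in advance, the user picks one by name and supplies only parameter values, which are type-checked and bound through PreparedStatement. The class name, the query catalogue, the table and column names and the sample inputs are assumptions constructed for illustration, and the Connection is a recording stand-in built with java.lang.reflect.Proxy so the program runs without a database or JDBC driver.

```java
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SavedQueries {
    enum ParamType { INT, TEXT }

    static final class Saved {
        final String sql;
        final List<ParamType> params;
        Saved(String sql, ParamType... params) {
            this.sql = sql;
            this.params = Arrays.asList(params);
        }
    }

    // Constructed catalogue: the only SQL text the application will ever send.
    static final Map<String, Saved> CATALOGUE = new HashMap<>();
    static {
        CATALOGUE.put("ordersForCustomer",
            new Saved("SELECT id, total FROM orders WHERE customer_id = ?", ParamType.INT));
        CATALOGUE.put("usersByNameAndCity",
            new Saved("SELECT id, name FROM users WHERE name = ? AND city = ?",
                      ParamType.TEXT, ParamType.TEXT));
    }

    /** The user chooses a query by name and supplies values; SQL text never comes from the user. */
    static PreparedStatement prepare(Connection con, String name, List<String> raw)
            throws SQLException {
        Saved q = CATALOGUE.get(name);
        if (q == null) throw new IllegalArgumentException("unknown query name");
        if (raw.size() != q.params.size())
            throw new IllegalArgumentException("expected " + q.params.size() + " value(s)");
        // Convert every value before touching the database, so bad input opens no statement.
        Object[] typed = new Object[raw.size()];
        for (int i = 0; i < typed.length; i++) {
            typed[i] = q.params.get(i) == ParamType.INT
                    ? (Object) Integer.valueOf(raw.get(i).trim())  // NumberFormatException if not a number
                    : raw.get(i);
        }
        PreparedStatement ps = con.prepareStatement(q.sql);
        for (int i = 0; i < typed.length; i++) ps.setObject(i + 1, typed[i]);
        return ps;
    }

    /** Stand-in Connection that records what a real driver would receive. */
    static Connection recordingConnection(List<String> log) {
        ClassLoader cl = SavedQueries.class.getClassLoader();
        return (Connection) Proxy.newProxyInstance(cl, new Class<?>[] { Connection.class },
            (proxy, m, args) -> {
                if (!m.getName().equals("prepareStatement"))
                    throw new UnsupportedOperationException(m.getName());
                log.add("SQL sent to driver: " + args[0]);
                return Proxy.newProxyInstance(cl, new Class<?>[] { PreparedStatement.class },
                    (p, m2, a2) -> {
                        if (m2.getName().startsWith("set"))
                            log.add("  parameter " + a2[0] + " bound as data: " + a2[1]);
                        return null;
                    });
            });
    }

    public static void main(String[] args) throws SQLException {
        List<String> log = new ArrayList<>();
        Connection con = recordingConnection(log);

        // Constructed input containing quote characters: it is bound as a value,
        // and the SQL text sent to the driver is unchanged.
        prepare(con, "usersByNameAndCity", Arrays.asList("x' OR '1'='1", "Stoke"));

        // A non-numeric value for an INT parameter is rejected before any statement is prepared.
        try {
            prepare(con, "ordersForCustomer", Arrays.asList("42 OR 1=1"));
        } catch (IllegalArgumentException e) {
            log.add("rejected value: " + e.getMessage());
        }

        // Free-form SQL in place of a query name is not in the catalogue.
        try {
            prepare(con, "SELECT * FROM users", Collections.<String>emptyList());
        } catch (IllegalArgumentException e) {
            log.add("rejected query: " + e.getMessage());
        }
        log.forEach(System.out::println);
    }
}
```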
Re: Unable to open Tomcat Manager?
Caldarale, Charles R wrote:
> ...
> Note that you cannot manually edit tomcat-users.xml while Tomcat is running, since Tomcat rewrites it at some point (probably at termination, but I haven't verified that).

Does anyone else find that 5.5.9 rewrites it with these permissions under Linux?

    -rw-rw-r-- 1 tomcat tomcat 439 Oct 2 20:01 tomcat-users.xml

Since it contains a plaintext password this is a security risk.

Paul Singleton
Re: Detecting Session Timeout in Tomcat
Brian Blount wrote:
> I need to be able to distinguish between a session timeout vs the first time someone accesses my web application. Within a single web application, I've been able to use the following logic:
>
>     (request.isRequestedSessionIdValid() == false &&
>      (request.isRequestedSessionIdFromCookie() || request.isRequestedSessionIdFromURL()))

This assumes that any request containing an invalid session id refers to a timed-out session (although it could be something else...)

(this trick is new to me, and looks like being more use to me than it is to you - thanks! :-)

> However, I am running multiple web applications with single-sign-on enabled between them, so when I first navigate from one web application to the next, the above expression evaluates to true even though my session has not timed out.

presumably because the unrecognised session id actually refers to a (possibly valid) session in another web app?

> Is there a better way of detecting session timeouts in tomcat?

each web app could maintain a Set of issued session ids to enable it to distinguish expired ones from alien ones (at least until the app was restarted)

or your bunch of apps could share their collections of issued session ids via a database

I guess this isn't Tomcat-specific: the (next?) API could do a little more to help you in these circumstances?

Paul Singleton
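The first suggestion above (each web app remembering the session ids it issued), as an added Java example that is not part of the original post. The class and method names are hypothetical; in a web app `created` and `destroyed` would be called from an `HttpSessionListener`, and `classify` with the value of `request.getRequestedSessionId()`.

```java
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Remembers the session ids this web app issued, to tell expired ids from foreign ones. */
public final class IssuedSessionIds {
    public enum Verdict { FIRST_VISIT, LIVE, EXPIRED, FOREIGN_OR_UNKNOWN }

    private final Set<String> live = new HashSet<>();
    private final Map<String, Boolean> ended;   // bounded, oldest entries evicted first

    public IssuedSessionIds(final int maxRemembered) {
        ended = new LinkedHashMap<String, Boolean>() {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                return size() > maxRemembered;  // cap memory used for dead ids
            }
        };
    }

    // In a web app these two would be called from an HttpSessionListener.
    public synchronized void created(String id) { live.add(id); }

    // sessionDestroyed fires on timeout and on invalidate(), so EXPIRED covers both.
    public synchronized void destroyed(String id) {
        if (live.remove(id)) ended.put(id, Boolean.TRUE);
    }

    /** requestedId comes from the client, so it is only compared, never trusted. */
    public synchronized Verdict classify(String requestedId) {
        if (requestedId == null) return Verdict.FIRST_VISIT;
        if (live.contains(requestedId)) return Verdict.LIVE;
        if (ended.containsKey(requestedId)) return Verdict.EXPIRED;
        return Verdict.FOREIGN_OR_UNKNOWN;      // another app's id, forged, or pre-restart
    }

    public static void main(String[] args) {
        IssuedSessionIds ids = new IssuedSessionIds(1000);
        ids.created("A1");                      // constructed sample ids
        ids.created("B2");
        ids.destroyed("A1");
        for (String id : new String[] {null, "B2", "A1", "ZZ9"}) {
            System.out.println(id + " -> " + ids.classify(id));
        }
    }
}
```

On containers that change the session id at login (Servlet 3.1 `HttpSessionIdListener`), the new id has to be recorded as well, otherwise a live session is later reported as foreign.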
Re: Pre compilation of JSP
Santosh Asbe wrote:
> Hi, I have tried to use the code for pre compilation of JSP from the site http://www.rgagnon.com/javadetails/java-0414.html. In my Application in the JSP folder, there are around 6 sub folders and around 25-30 JSPs in each of them. When I run this JSP only few JSPs are compiled and then an error is given in the catalina.sh as follows. Can anyone help me regarding this?

You'll need to catch exceptions from RequestDispatcher#include() to get past that point, e.g. (with acknowledgements to Réal Gagnon)

    <%@ page contentType="text/html;charset=UTF-8" language="java" %>
    <%@ page import="javax.servlet.*,javax.servlet.http.*,javax.servlet.jsp.*" %>
    <%@ page import="java.util.Set,java.util.Iterator,java.io.IOException" %>
    <%!
      private int compileAllJsps(PageContext pageContext, JspWriter out,
          HttpServletRequest request, HttpServletResponse response,
          String uripath, boolean recurse) throws IOException, ServletException {
        Set set = pageContext.getServletContext().getResourcePaths(uripath);
        int n = 0;
        out.flush();
        if ( set == null ) {
          return n; // nothing under this path
        }
        for ( Iterator iter=set.iterator() ; iter.hasNext() ; ) {
          String uri = (String) iter.next();
          if ( uri.endsWith(".jsp") ) {
            RequestDispatcher rd = getServletContext().getRequestDispatcher(uri);
            try {
              if ( rd == null ) {
                throw new Error(uri + " - not found");
              } else {
                rd.include(request, response);
                n++;
              }
            } catch ( Exception e ) {
              // report the failing JSP and carry on with the rest
              out.write("<div>" + uri + " " + "<i>"+e.toString()+"</i></div>");
              out.flush();
            }
          } else if ( recurse && uri.endsWith("/") ) {
            // process subfolders, adding their count to the total
            n += compileAllJsps(pageContext, out, request, response, uri, recurse);
          }
        }
        return n;
      }
    %>
    <html>
    <head>
    <title>precompiling JSPs</title>
    </head>
    <body>
    <h4>precompiling JSPs</h4>
    <%
      HttpServletRequest req = new HttpServletRequestWrapper(request) {
        public String getQueryString() {
          return "jsp_precompile"; // can be "jsp_precompile=true"
        }
      };
      int ok = compileAllJsps(pageContext, out, req, response, "/", false);
    %>
    <h4><%= ok %> JSPs (now) appear to be compiled</h4>
    </body>
    </html>

Paul Singleton