Re: Tomcat 8 classloading
> Hi There,
>
> We are about to upgrade from tomcat-7.0.65 to tomcat-8.0.XX. and this is
> regarding the loading of same JARs within the different application. to
> understand the scenario, consider below case
>
> Tomcat 8 ---
>   webapps
>     a.war--> lib--> spring.jar
>     b.war--> lib--> spring.jar
>
> here b.war is just a copy of a.war and renamed just to differentiate hence
> spring.jar is same for both the applications.
>
> My question is
>
> 1) will spring.jar loaded twice

Yes, it will be loaded twice.

> 2) how to i make sure to load it only once ( if loaded twice)

This question comes up frequently. Search the mailing list for "shared class loader" to see the details.

The upshot is that this can be done using the shared class loader; however, there are real technical issues if you do this: class cast exceptions, difficulty performing upgrades to individual wars without taking down all of Tomcat. The only positive is that you might save a few MB of memory cost by having the same jar loaded twice in memory.

I've been on this mailing list for ~8 years, and every time this issue comes up (about 5 times a year?), the Tomcat developers suggest that the proposed memory saving isn't worth the problems that it causes.

HTH

Chris

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
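The "class cast exceptions" point above rests on one JVM rule: a runtime type is identified by (defining class loader, class name), not by the bytes. The following is an added example written for this page, not code from the thread; it stands in for Tomcat's per-webapp child-first loader with a small custom loader, and "Bean" plays the role of a class from spring.jar. Both loaders define Bean from the very same .class bytes, yet an object from one cannot be cast to the other, which is exactly what happens when a copy in a shared loader meets a copy inside a war.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Same bytes, two loaders, two types. Mirrors two wars each carrying
 * spring.jar (or a shared copy colliding with a webapp copy).
 */
public class TwoLoadersDemo {

    /** Stand-in for a class that lives in spring.jar (demo assumption). */
    public static class Bean {
        public String hello() { return "hello from " + getClass().getClassLoader(); }
    }

    /**
     * Child-first loader, like Tomcat's WebappClassLoader: it defines Bean
     * itself from the bytes on the parent's classpath instead of delegating.
     */
    static final class WebappLoader extends ClassLoader {
        WebappLoader() { super(TwoLoadersDemo.class.getClassLoader()); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null && name.equals(Bean.class.getName())) {
                    c = defineFromBytes(name);          // child-first for the "webapp" class
                }
                if (c == null) {
                    c = super.loadClass(name, false);   // everything else: delegate to parent
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }

        private Class<?> defineFromBytes(String name) throws ClassNotFoundException {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                byte[] chunk = new byte[4096];
                for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
                byte[] bytes = buf.toByteArray();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** true when the two loaders produced distinct types and the cross-cast failed. */
    public static boolean sameBytesDifferentTypes() throws Exception {
        Class<?> beanInA = new WebappLoader().loadClass(Bean.class.getName());
        Class<?> beanInB = new WebappLoader().loadClass(Bean.class.getName());
        Object fromB = beanInB.getDeclaredConstructor().newInstance();
        boolean distinct = beanInA != beanInB && !beanInA.isInstance(fromB);
        try {
            beanInA.cast(fromB);          // would succeed only if both were the same runtime type
            return false;
        } catch (ClassCastException expected) {
            return distinct;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("two loaders, two types, cast fails: " + sameBytesDifferentTypes());
    }
}
```

Run it with `javac TwoLoadersDemo.java && java TwoLoadersDemo`; it prints `true`. The same mechanism is also why a shared loader does not remove the problem but moves it: whichever copy a class was defined by is the only one it can be cast to.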
Re: AW: AW: Suppress or replace WWW-Authorization header
> I want to say thank you all for your help and many different ways to solve
> my problem. I think the most -maybe all- will work in an ideal world without
> hard requirements through legacy client-applications. I don't want to hold
> on BASIC as auth-method because I like it so much, I prefer to kick that
> legacy application. ^^

Torsten,

If you have fixed it, then perhaps I should stop trying to help you. However, I reviewed the previous posts, and think that there was a key aspect that I didn't mention before. So for the benefit of the email archive, I'll give it another go.

Set up your landing/index page to be public, i.e. no authentication. The AngularJS html/js/css/pngs all load freely. I assume that this isn't too much of an issue, e.g. you want to prevent people accessing the app unless they have logged in.

Then make all REST API calls to a sub-directory called, say, /api/. Add security restrictions to this sub-directory.

As the app starts up, any call to any REST API will return a 401. As all calls are ajax, there is no browser login popup. The global AngularJS ajax error handler I posted previously captures the response. So when the server detects no (or expired) session, it returns a 401, and the AngularJS global error handler detects this and redirects to the login page.

The login page captures credentials, posts to the login API (which obviously needs to be unprotected as well), and then upon success, sends a cookie (or auth token of some sort). Then AngularJS can send this cookie (or auth token) in each subsequent REST API call, et voilà.

I just tested the app I am developing that does this, in Edge, IE, Chrome & Firefox. All working perfectly. No "ugly" login dialog in sight.

The key point I neglected to mention in my earlier post is that you need to make sure that the host page is not behind the security. If you are unwilling to do this, then they will have to login before accessing the app. In which case you can't really do anything about it.

HTH

Chris
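The server side of the arrangement described above, as an added example written for this page rather than code from the thread. It assumes the Servlet 3.0 API that ships with Tomcat 7/8, a login handler at /login kept outside the protected /api/ prefix, and a constructed single-user credential table (a real deployment would use the container Realm or a salted, slow password hash). The point it makes concrete: an unauthenticated /api call answers 401 with a JSON body and no WWW-Authenticate header, so XHR sees the status but the browser has nothing to build a Basic-auth dialog from.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Public landing page, protected /api/*, application-managed login. */
public final class SpaLogin {
    static final String USER_ATTR = "authenticatedUser";

    /** Guards the REST API only, so index.html/js/css stay public. */
    @WebFilter(urlPatterns = "/api/*")
    public static class ApiSessionFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            HttpSession session = request.getSession(false);   // never create one here
            if (session == null || session.getAttribute(USER_ATTR) == null) {
                reject(response, "login required");            // no session, or it expired
                return;
            }
            chain.doFilter(req, res);
        }
    }

    /** Deliberately mapped outside /api/ so the filter does not block it. */
    @WebServlet(urlPatterns = "/login")
    public static class LoginServlet extends HttpServlet {
        // Constructed demo credential store (assumption): SHA-256 of the password, by user name.
        private static final Map<String, byte[]> USERS = new HashMap<String, byte[]>();
        static { USERS.put("alice", sha256("correct horse battery staple")); }

        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
            String user = request.getParameter("username");
            String pass = request.getParameter("password");
            byte[] expected = (user == null) ? null : USERS.get(user);
            // Run the constant-time compare even for unknown users, so timing
            // does not reveal which user names exist.
            byte[] reference = (expected != null) ? expected : sha256("");
            boolean ok = MessageDigest.isEqual(reference, sha256(pass == null ? "" : pass)) && expected != null;
            if (!ok) {
                reject(response, "bad credentials");
                return;
            }
            HttpSession old = request.getSession(false);
            if (old != null) old.invalidate();        // fresh session id after login: no fixation
            HttpSession session = request.getSession(true);
            session.setAttribute(USER_ATTR, user);
            session.setMaxInactiveInterval(30 * 60);
            response.setContentType("application/json");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().write("{\"user\":\"" + user + "\"}");
        }
    }

    /** 401 with a JSON body and NO WWW-Authenticate header: visible to XHR, invisible to the browser chrome. */
    static void reject(HttpServletResponse response, String message) throws IOException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("{\"error\":\"" + message + "\"}");
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The session cookie Tomcat issues after the login is the "cookie (or auth token)" the browser then sends on every /api call; mark it HttpOnly and Secure in web.xml with `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>` so script cannot read it and it never travels over plain HTTP.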
Re: AW: Suppress or replace WWW-Authorization header
>> Torsten,
>>
>> Add an interceptor to AngularJS to detect the 401 and do whatever you
>> want, e.g. redirect to a login page. Then when you have the
>> credentials, submit to login rest api, get a token, and then make all
>> other calls passing this token.
>>
>> There are loads of examples on how to do this on the internet. This
>> isn't tomcat specific.
>>
>> function globalInterceptorResponse($injector, $q) {
>>     return {
>>         'response': function (response) {
>>             return response;
>>         },
>>         'responseError': function (rejection) {
>>             switch (rejection.status) {
>>                 ...
>>                 case 401:
>>                     console.warn("Hit 401 - redirecting to login");
>>                     window.location = '/login';
>>                     break;
>>                 ...
>>                 default:
>>                     console.warn(rejection);
>>             }
>>             return $q.reject(rejection);
>>         }
>>     };
>> }
>> globalInterceptorResponse.$inject = ['$injector', '$q'];
>>
>> then in request config,
>>
>> $httpProvider.interceptors.push(globalInterceptorResponse);
>
> This won't work because the application doesn't get a chance to do
> anything until Tomcat completes its authentication/authorization work.
> If the application were handling the authentication/authorization, then
> the original Filter would have worked.
>
> -chris

Chris,

I think that you thought the above was server-side Java code. The above was JavaScript code that runs in the browser. It does work - I copied it from a project I am working on now.

Chris
Re: AW: Suppress or replace WWW-Authorization header
> No, container BASIC authentication should be enabled, the container should
> handle the authentication, but the browser should not show his ugly default
> login dialog when I request resources from the REST-service with wrong
> credentials.
> When the REST-client (web-application in the browser) receives a failed
> login with a WWW-Authenticate header, the default dialog of the browser will
> be shown... that's what I want to suppress.
>
> When I remove the (a) or (b) sending requests
> with credentials will not work anymore (a: 403 forbidden; b: deployment
> fails). But that's not a solution because the rest-service should be still
> protected and I need to authenticate via "Authentication: Basic ."
> header send credentials, but I don't want to show the ugly browser-dialog to
> the users.
>
> Using a AngularJS Client with REST-services based on tomcat should be a
> common use-case, it could not be that I'm the first one who wants a custom
> login-screen. :-/
>
> -torsten

Torsten,

Add an interceptor to AngularJS to detect the 401 and do whatever you want, e.g. redirect to a login page. Then when you have the credentials, submit to the login REST API, get a token, and then make all other calls passing this token.

There are loads of examples on how to do this on the internet. This isn't Tomcat specific.

function globalInterceptorResponse($injector, $q) {
    return {
        'response': function (response) {
            return response;
        },
        'responseError': function (rejection) {
            switch (rejection.status) {
                ...
                case 401:
                    console.warn("Hit 401 - redirecting to login");
                    window.location = '/login';
                    break;
                ...
                default:
                    console.warn(rejection);
            }
            return $q.reject(rejection);
        }
    };
}
globalInterceptorResponse.$inject = ['$injector', '$q'];

then in request config,

$httpProvider.interceptors.push(globalInterceptorResponse);

Chris
Re: Dynamically Create Subdomains - Tomcat 7x
> I need something like,
>
> My main landing page www.mysite.com
>
> Subdomains I am looking for
>
> myfeature1.mysite.com
> myfeature2.mysite.com
> myfeature3.mysite.com
> etc
>
> myfeature is a cookie value which comes from www.mysite.com (this is
> landing page which drops myfeature cookie)..
>
> - Kiran

So if you map the *.mysite.com DNS name to a single server, it can do all of that.

You are asking a very generic high-level question, without providing details of what you have tried, and what isn't working. Hence you really need to open up more and explain. Can a single site handle all of these "features" or do you need isolation between them? Is this a "how can I set up DNS?" or a "how can I set up webservers against host names?" kind of question. It really is worded very openly, so people will be hard pushed to help.

Chris
Re: [ANN] Apache Tomcat Connectors 1.2.41 released
All,

I still don't quite understand how I ended up in this position, but when Stephen from the Apache Lounge builds a new Tomcat native build of something, he asks me to inform the Tomcat mailing list. I consider it the very least I can do for the community, but struggle to see how I am adding value. Anyway, his notification is below. His original subject was "mod_jk-1.2.41 VC11" but it seemed prudent to send on this thread.

Chris

> Hi Chris,
>
> Just built it for VC11, see https://www.apachelounge.com/viewtopic.php?p=31471
>
> Maybe you can inform the list.
Re: Parallel Deployment: Can I request a specific webapp version?
>> BTW: The reason I'm asking is because that transparent shift from one app release to the next doesn't play along well with any caches (browser, caching proxies, CDNs etc.): When a shift to the next app release occurs, I generally need the client browsers to fetch a fresh copy of all files belonging to that release. And the only way to force them to do that is by having them use a different URL than for the old app release files..
>
> Or, you could use proper proxy-friendly cache-control response headers for those resources. Why aren't you doing that?

The OP's main thread here is asking about logical deployment. However, as a sub-thread he is asking about caching. As Christopher replied in this thread, I will attempt to clarify what I think the OP is asking.

If you have v1.0.0 of the app deployed, and it has sent "cache for 1 day" replies for javascript/image/css files, then this works fine. However, as soon as you release the next version, the browsers won't send requests as they have a local cache.

Christopher's reply was "use proper proxy-friendly cache-control response headers". IMO having the browser only query for such static resources as these daily is something that would be required to reduce calls. However, this comes at the expense of causing this issue.

My first thought was to suggest that the OP somehow use the ETag header combined with a version number. However, if the browser is told to cache for 1 day, this won't work. Having said that, if your app did send an ETag which was a hash of the file's contents, then it would auto-download a new version if it had changed between v1.0.0 and v1.0.1.

I think that this leaves 3 solutions:

1) Gauge what your site can support in terms of many calls to static resources vs when a new version is rolled out. Perhaps a 5 minute browser cache is ok. Or 60 mins. Or 180 etc. It is a balancing act between reducing server calls for static content that hasn't changed and the time for an upgrade to appear in the browser.

2) Adjust the source of the website such that each script/css/img tag contains a version number parameter. You could do this via pre-processing the source rather than manually. Then cache that for 365 days. If you release a new version, just update the number.

3) Set a cookie with the version number, and then redirect server-side to different version-specific URLs.

2) seems to be the most robust to me.

Christopher, can you clarify what you meant?

HTH

Chris
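Option 2 above, carried one step further: instead of a hand-maintained version number, the URL embeds a hash of the file's bytes, which also gives the content-hash ETag mentioned earlier for free. This is an added example written for this page, not code from the thread. It assumes the Servlet 3.0 API of Tomcat 7/8 and keeps the real files under /WEB-INF/assets/ (an assumed location, chosen because the default servlet cannot serve it, so the unhashed paths are never cached by accident).

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Publishes /WEB-INF/assets/app.js as /static/app.<sha256-prefix>.js.
 * A hashed URL changes whenever the bytes change, so it is cached for a
 * year and marked immutable; any other URL must revalidate via the ETag.
 * The HTML referencing these URLs is served with no-cache, so a release
 * is picked up on the next page load.
 */
@WebServlet(urlPatterns = "/static/*")
public class HashedAssetServlet extends HttpServlet {
    private static final String ASSET_ROOT = "/WEB-INF/assets";   // assumed location
    private static final int HASH_CHARS = 16;
    /** "/app.1a2b3c4d5e6f7a8b.js" -> groups "/app", "1a2b3c4d5e6f7a8b", ".js" */
    private static final Pattern HASHED =
            Pattern.compile("^(.+)\\.([0-9a-f]{" + HASH_CHARS + "})(\\.[A-Za-z0-9]+)$");
    private final Map<String, String> hashedNames = new ConcurrentHashMap<String, String>();

    /** Pure naming rule, so a build step or JSP tag can emit the same URL: ("/app.js", bytes) -> "/app.<hash>.js". */
    public static String hashedName(String assetPath, byte[] contents) {
        int dot = assetPath.lastIndexOf('.');
        String stem = dot < 0 ? assetPath : assetPath.substring(0, dot);
        String ext = dot < 0 ? "" : assetPath.substring(dot);
        return stem + "." + shortHash(contents) + ext;
    }

    /** URL to put in the page, e.g. versionedUrl("/app.js") -> "/ctx/static/app.<hash>.js". */
    public String versionedUrl(String assetPath) throws IOException {
        String name = hashedNames.get(assetPath);
        if (name == null) {
            byte[] bytes = read(assetPath);
            if (bytes == null) throw new IOException("no such asset: " + assetPath);
            name = hashedName(assetPath, bytes);
            hashedNames.put(assetPath, name);   // a redeploy gives a new ServletContext and a new servlet instance
        }
        return getServletContext().getContextPath() + "/static" + name;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String path = req.getPathInfo();
        if (path == null || path.contains("..") || path.indexOf('\\') >= 0) {   // never leave ASSET_ROOT
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        Matcher m = HASHED.matcher(path);
        boolean hashedUrl = m.matches();
        String assetPath = hashedUrl ? m.group(1) + m.group(3) : path;
        byte[] bytes = read(assetPath);
        if (bytes == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String hash = shortHash(bytes);
        if (hashedUrl && m.group(2).equals(hash)) {
            resp.setHeader("Cache-Control", "public, max-age=31536000, immutable"); // URL == these bytes
        } else {
            resp.setHeader("Cache-Control", "no-cache");   // unversioned or stale URL: always revalidate
        }
        String etag = "\"" + hash + "\"";
        resp.setHeader("ETag", etag);
        if (etag.equals(req.getHeader("If-None-Match"))) {
            resp.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
            return;
        }
        String mime = getServletContext().getMimeType(assetPath);
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setContentLength(bytes.length);
        resp.getOutputStream().write(bytes);
    }

    private byte[] read(String assetPath) throws IOException {
        InputStream in = getServletContext().getResourceAsStream(ASSET_ROOT + assetPath);
        if (in == null) return null;
        try {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
            return buf.toByteArray();
        } finally {
            in.close();
        }
    }

    /** First HASH_CHARS hex digits of SHA-256(contents). */
    static String shortHash(byte[] contents) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(contents);
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < HASH_CHARS / 2; i++) hex.append(String.format("%02x", digest[i]));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Two caches interact here: the hashed asset URL is the one that may live for 365 days, and the page that names it must not, or browsers keep using the old URL after a release, which is the 1 day problem described above in a different coat.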
Re: Check if a URL exists programatically
> I already have a custom error page. When I detect that a URL returned by google would return a 404, I exclude it from the search results so that the user never sees it.
>
> Mitch

Mitch,

Ok, I see now what you mean. Sorry, your original email was quite clear.

Hmm, interesting challenge. In big-picture terms, I guess the two obvious choices seem to be to not use google for searching, or parse the google results and determine the URL validity as you are doing. Depending on the URLs you use, that could be horrible. Guess that's where you are.

Is not using google an option?

Please let us know how you resolve it.

Chris
Re: Check if a URL exists programatically
> Short question: How can I, from within code running under Tomcat, determine if a given URL request to that tomcat instance would result in a 404 or not, without calling back to the Tomcat using an HTTP HEAD or GET?
>
> Background: We use google custom search by calling the google server and then formatting the results on our search page. Our range of products is fairly fluid, and there is occasionally a gap between when a product goes away and the google search index is updated, which would result in a 404 if a user clicked that link in the search results. (I know that I can ask google to re-index, but I still need to solve this problem.)
>
> Rather than write a ton of code for the various types of pages that we have (product, category, etc) I'd like to just be able to call some Tomcat method to determine if the URL that I get back from google would result in a 404 or not.
>
> I'm currently calling back to the Tomcat instance using an HTTP HEAD call, but that is a waste of resources and during periods of high volume uses up processing threads that I want to reserve for actual customers.
>
> We are using Tomcat 7 with Struts.

Mitch,

What will you do when you detect a 404? Couldn't you just implement a custom 404 error page that does whatever it is?

Chris
Re: redirect to website not working
> ... how can I share the result of fiddler to you if the system doesn't allow attachments?

Ankur,

Copy/pasting the text of the raw response into an email should do it.

Chris
Re: Slow HTTP Request via Tomcat
On 13 January 2015 at 11:38, Thone Soungpanya thone.soungpa...@higherone.com wrote:
> Hello,
>
> Can anyone give some advice on what the issue may be?
>
> We have a web application folder in Tomcat that has been slowing the http request's connection to another third party system when there is high traffic. It seems to be halting in the Tomcat server for about 20 - 50 seconds before attempting to connect to the third party system. Once it tries to connect to the third party system, the response time is only about 6 - 10 seconds which is normal. It does not seem to be an issue at the third party's end as the response time is quick once we get connected.
>
> Here are the specs that we have and additional information...
>
> 1) Apache Tomcat 7.0.56
> 2) JVM version 1.7
> 3) Running on Linux OS Version 2.6.32
>
> Connection Flow:
>
> 1) User submits a HTTP request from web application to Tomcat
> 2) Tomcat calls Java's servlet code along with HTTP request parameters
> 3) Java servlet code connects to third party system via application server and jolt port
> 4) Third party system returns requested information
>
> We thought it would be a session issue, which we lowered the session timeout (just for that folder) in WEB-INF folder to 5 minutes from the default 30 minutes, but it is still doing the same thing.
>
> Any advice on what it may be? Let me know if you need additional information.

How does your code connect to the 3rd party? There are libraries that do this; please elaborate which you use. I recall using one, and it had a limit on the number of concurrent connections to a 3rd party. Perhaps you hit this limit? How many connections are you talking about when the problem occurs - 10s, 100s, 1000s or more?

Chris

> Thank you in advance!
>
> Thone
Re: Spurious Problem starting Tomcat7 (garbled class names)
> example with two garbled classes: (3.class being the first, which must come from SomeClass$3.class and the second one being something awfully beautiful:
>
> ConfigEdiAtourtAhpepnltiiccaattiioonn$SAtpaptlei$cIadteinotniCfo^@^@iigeLro.acdlLaissstener.class

To prevent decompilation, you can run your classes through a code obfuscator. That replaces all field/method/class names with garbage, to make it harder to see what is going on. The garbage you see might actually be the names in the jar files. Unzip the war/jars and see what is actually in there. Could it be correct?

HTH

Chris
Re: Tomcat JDBC pool - too many connections in TIME_WAIT state
On 6 November 2014 05:36, Vasily Kukhta v.b.kuk...@gmail.com wrote:
> I have received additional details - the application starts getting java.sql.SQLException: Listener refused the connection with the following error: ORA-12519, TNS:no appropriate service handler found, although the amount of listeners in the DB is large enough.
>
> I have some concerns about the removeAbandonedTimeout property, it is set to 5 seconds now. Maybe the pool abandons every connection after 5 seconds, opens a new connection, and the previous connection goes to TIME_WAIT status consuming server resources?

We hit a similar problem 5-6 years ago with Oracle. We found that the pool would close connections from the client end successfully. However, Oracle has a background thread that marks server-end connections, and this was a little slow. Until this had closed the connection, and told TNSListener, TNSListener wouldn't allow new connections. Our fix was to increase the number of connections allowed, and the problem went away.

HTH

Chris
Re: How to access Sessions outside of class
On 28 October 2014 11:06, Jason Ricles jgr...@alum.lehigh.edu wrote:
> Ok so here is the problem I have been spinning my wheels on for days, let me just lay it out.
>
> I have a daemon written in java running, let's call it foo for simplicity, on a linux machine that has the tomcat server running. On the tomcat server is a WAR file for a webapp called bar. In that webapp is a webpage with JavaScript websocket communication that connects to a websocket server that is also a part of the WAR file. So I have a webpage and a websocket server communicating with each other.
>
> I want the foo daemon and the websocket server on bar (web application) to be able to communicate with each other. Is there any way outside of sockets to have foo and the websocket server on bar do this?

Define "communicate" - what kind? One way, two way, what kind of data, frequency, size, type?

Chris
Re: How to access Sessions outside of class
Couldn't you have the daemon write to a database, and have the web app read from the database? Then you could pass whatever message you wanted as a string?

Chris
Re: How to protect a Tomcat server/Webapp from (D)DOS attacks
Léa,

> Below is what I would like to ask you:
>
> How do you usually protect your Tomcat servers and Webapps from (D)DOS ((Distributed) Denial-of-service) attacks?

If you allow the DOS traffic to make it all the way up to the application layer before you detect it, then the DOS will still have an effect. The best way of stopping such traffic is to detect it at a lower level, and then block at a firewall. Typically this can be done by counting the number of calls coming from an IP address and automatically blocking if they exceed a threshold.

Apache ships with mod_evasive that allows you to do this. I have used this in the past with some success. The other alternative I am aware of is to use mod_security. I am not aware of anything that will run directly in front of Tomcat however - does anyone else have any suggestions? I think there was some talk of a port of mod_security that was implemented in Java (well, Java calling the mod_security C library via JNI). That might be mature enough for you to try.

HTH

Chris
Fwd: mod_jk release
All,

I had an email thread going a while back - http://tomcat.10.x6.nabble.com/64bit-windows-mod-jk-connector-download-for-apache-httpd-2-4-td4893904.html. The thread ended with Christopher Schultz and Mladen suggesting that I ask the maintainer of Apache Lounge to include builds of mod_jk on his site. He did this at the time and all was good.

He just sent me an email, saying that he just put up a new build of mod_jk, and asking me to forward to the list.

==
Updated to 1.2.39 in all flavors:
VC11: 2.4 Win32/64
VC10: 2.2/2.4 Win32/Win64.
==

My question is how should I do this? Which list should I email? Not sure if this belongs on the Tomcat users mailing list or some other.

Suggestions welcome

Thanks

Chris
Re: Tomcat 7 : Configure redirect url for session timeout
> It is not feasible to determine the difference between a timed-out session and a user who had no session to begin with.

Couldn't you use the presence/absence of a session id cookie?

Chris
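The presence/absence test suggested above, done through the Servlet API rather than by parsing the Cookie header by hand. This is an added example written for this page, not code from the thread; it assumes the Servlet 3.0 API of Tomcat 7 and an assumed /session-expired.html page. getRequestedSessionId() is the id the client presented (cookie or URL rewrite), isRequestedSessionIdValid() is whether Tomcat still has a session for it; "presented an id but it is not valid" is the timed-out case, "presented none" is the first-time visitor.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Sends visitors whose session expired to a dedicated page; new visitors pass through. */
@WebFilter(urlPatterns = "/*")
public class SessionExpiredFilter implements Filter {
    public enum Visitor { NEW, ACTIVE, EXPIRED }

    /** Assumed page. It (and the login page) must be excluded below or an expired visitor loops on the redirect. */
    static final String EXPIRED_PAGE = "/session-expired.html";
    static final String LOGIN_PAGE = "/login";

    /** Pure classification of what the client sent versus what the container knows. */
    public static Visitor classify(String requestedSessionId, boolean requestedIdValid) {
        if (requestedSessionId == null) return Visitor.NEW;        // no JSESSIONID at all
        return requestedIdValid ? Visitor.ACTIVE : Visitor.EXPIRED; // id presented, but unknown to Tomcat
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath();
        Visitor visitor = classify(request.getRequestedSessionId(), request.isRequestedSessionIdValid());

        if (visitor == Visitor.EXPIRED && !EXPIRED_PAGE.equals(path) && !LOGIN_PAGE.equals(path)) {
            // Timed out, invalidated at logout, or a made-up id: all look the same from here,
            // so the expired page must not reveal anything about the old session.
            // Clear the stale cookie so the next visit classifies as NEW instead of looping here.
            Cookie gone = new Cookie("JSESSIONID", "");
            gone.setMaxAge(0);
            gone.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
            gone.setHttpOnly(true);
            response.addCookie(gone);
            response.sendRedirect(request.getContextPath() + EXPIRED_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The cookie name and path must match what the container issues (JSESSIONID and the context path by default; adjust if `<cookie-config>` renames them), and the same clean-up belongs in the logout handler, otherwise the browser keeps presenting the dead id and every visit after logout reads as "expired".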
Re: how to best launch a jnlp from and then return to a different jsp
Aryeh,

I suggest that you take a step back from implementations, and define what you want a little more clearly.

You have a webpage that is served and loads a java app via jnlp. That java app uploads some files to the server. At a later point in time, you want the server to know that the client has uploaded the files to the server, and hence change what is shown in the web pages? Is that right?

Surely if the files are uploaded, can you just use the presence of the file on the server to drive that logic? i.e. have the server check for the file, and if present show x, else show the jnlp page?

Chris
Re: Problem starting Tomcat 6.0.39 (64) service under Windows 7/64
Christopher

> On 2/7/14, 4:01 AM, Christoph P.U. Kukulies wrote:
>> I downloaded tomcat 6.0.39 (64) from tomcat.apache.org, put it into c:\program files\Apache_Group\Tomcat_6.0.39 and ran the service.bat which established the service.
>>
>> As system environment variables I have set:
>>
>> CATALINA_HOME=c:\Program Files\Apache_Group\Tomcat_6.0.3
>> JAVA_HOME=c:\Program Files\java\jdk1.7.0_51
>> JRE_HOME=c:\program files\java\jre7
>
> Note that, when using the Windows Service, the above environment variables are completely irrelevant.

For the benefit of the mailing archive, when using the Windows service the variables are not relevant. However, when I read Christoph's post, I think that it is more along the lines of "I set these variables when I ran service.bat", in which case the values at that time are critical. True, they don't have to be system environment variables - plain environment variables in the console will do. However, it is wrong to say environment variables are completely irrelevant.

Chris
Re: unable to start Tomcat through the Windows Services panel
On 5 February 2014 16:34, javier_esp...@hna.honda.com wrote:
> How do I get to the Windows Event Viewer in Windows 7?

http://lmgtfy.com/?q=How+do+I+get+to+the+Windows+Event+Viewer+in+Windows+7

> Thanks

You're welcome. Anytime you want something from google, please ask here first.

Chris
Re: [OT] Out of memory exception - top posting
> There are probably lots of reasons for top-posting, and I don't think we can lay the blame on the MS Outlook world. The people I work with use a mixture of Thunderbird, web-based interfaces, and Outlook. Every one of them top-posts :-(.

When you click reply in these email clients, they insert the caret at the top of the email with the original email indented below. This is the out-of-the-box default. It can be changed, but most people won't know how/care to/prefer it this way.

> I think top-posting says a lot about the thought process of the poster. To me it says, "my issue, problem, answer, concern is of paramount importance. You should remember everything about my issue. After all, I remember everything about my issue." The attitude is probably not malicious, but more along the lines of a lack of perspective.

As long as you can visually distinguish the reply from the original, does it really matter if that reply is above or below the original? When people reply to a thread, as long as their email client indents, you have that clear visual indication.

As a programmer, I have seen arguments about indentation and brace position. This smacks to me as one of those. Personally I think that life really is too short to get hung up about this. People want help. I joined this mailing list to help them, to kind of pay back for the people that had helped me with previous problems. Let's help them.

> Save your own time and the time of everyone else on the list (and the archives, where useless messages can't be removed) and just skip that step.

+1

Personally I find replies to threads that are more conversational far more offensive than top posting. This isn't facebook. If the reply doesn't provide help to the issue at hand, don't send.

2C

Chris
Re: Tomcat strips CRLFs from the generated page
Asok,

> As I said before, I have no control over the input text. In the test servlet I am simply reading text from a file and sending it out to the browser. No other processing has been done to the text by the servlet. The browser, however, receives a page with CRLF stripped starting from a certain point in the text. If I View source in the browser, I can see that happening. This is consistent over most operating systems (Windows and Linux) and most browsers (IE, Firefox and Chrome) and the stripping happens exactly at the same point onward, in all combinations of OS and browser.
>
> My question is: who is stripping the CRLF from the text? Is it Tomcat or the browser? Is Tomcat doing any validation of the text before sending it out to the client?

I believe that all of this has been understood by the people that replied to you. Their suggestions are trying to help tidy things up, so that it is easier to see the wood for the trees. In other words, if you take their suggestions and fix the issues as they have suggested, then

a) the problems might go away
b) it will be easier, once the confusion is removed, to see the real cause of the problems
c) you leave a better set of files for the next person (or even yourself 6 months plus) who has to maintain them

So please apply all the fixes as suggested, then repost new links to the updated files.

Chris

P.S. also the custom on this mailing list is to reply below the post to which you are replying. You can see how I have quoted the relevant portion of your email, and then added my reply below.
Re: Packet misses in Tomcat
> Issue: Few packets do not reach the application servlet but tomcat receives them. The missing packets reach the HTTP layer and thereafter they disappear. This issue is not frequent but occasionally consistent. For the POSTs of missing packet I am not able to find the entry in localhost_access_log.

How do you know that the packet reaches Tomcat if there is no matching entry in localhost_access.log? Does all other access appear in this file?

Chris
Re: [OT] [Fwd: TomEE Professional Support]
> This email does not have any relation with my activities in ASF and its projects. Its solely related with my marketing team in which how you get emails. If I thought that it will be a spam, would I put my email address to sender? I think no! We thought that you can benefit from this email. Anyway, I closed the discussion from my side! If you are really feeling bad now because of receiving such email from me, please unsubscribe the list.

So to sum up: you created a mailing list somehow, and then sent an unsolicited email to a list of people. Now you demand that they unsubscribe from your mailing list. You also feign that you can't understand why people are complaining.

To turn this on its head, how about this. Each person on this list decides that you might be interested in something (I don't know, a site selling a little blue pill, let's say for example), and adds your email address to a mailing service. Then when you complain about all the unsolicited email, we can tell you "well, we thought that you might be interested" and "Anyway, I closed the discussion from my side! If you are really feeling bad now because of receiving such email from me, please unsubscribe the list."

How would that make you feel?

Just because you are bored of this topic doesn't mean other people are. We are upset that somebody has spammed us. We want satisfaction. Some kind of apology would be a start. Owning up to how you created the mailing list with emails might help. That way maybe we can try to prevent it from happening again.

Chris
Re: Restrict the use of JDK classes Tomcat 7 or 6
2013/10/22 ANALIA DE PEDRO SANTAMARIA 100074...@alumnos.uc3m.es:
> Hello,
>
> I would like to know if is it possible to restrict the use of JDK classes in Tomcat according to a list given in another file. ¿Is it possible by creating a new Add-on? If it is possible, where can I find documentation about creating Add-ons? I have looked up and I haven't found any information about it (I only have found AddOns in Tomcat 3.3 but there is nothing about creating new ones).

This sounds like a homework question. My Spanish is bad, but "alumnos" is surely "student" in Spanish. Hence the OP has had the cheek to send from the student account of his university.

Do the mailing list rules state homework questions are in or out of scope?

Chris
Re: overriden context root
> hi All,
>
> I have added below entry in server.xml to override the context root of my application i.e from /dummy to /market.

You can add entries to server.xml, but people on this forum generally advise against it. Please remove that.

> The problem is now the application is accessible via both context roots i.e via /dummy /market context roots but I want the application to be accessible only via overridden context root i.e via /market only.

Tomcat auto-deploys war files in webapps. If you do not want this, do not place the war file there. In similar situations I create a directory "notWebapps" at the same level, and place the war file there. Then point your context.xml file at it and you will have what you require.

Chris
Re: MaxClients and maxThreads
> To add to what Daniel is saying, here is a little graphic representation, for one single client browser :
>
> (browser) -- HTTP -- (httpd + mod_jk) -- AJP -- (tomcat) -- (webapp) (1)
>                             |
>                             |- (local resources) (2)
>
> When the browser sends a request to httpd, one httpd child/thread is allocated to process that request and return a response to the client. That child/thread is busy with this one request, from the time the request is received to the time when the response has been sent.
>
> 2 cases are possible :
>
> a) the request is for something that can be served directly by httpd, without need to involve Tomcat. That is the (2) above. For example, in some configurations, static HTML pages, images, stylesheets etc. are served directly by httpd, and only requests for webapps are forwarded to Tomcat.
>
> b) the request is for something that has to be processed and served by Tomcat (the (1) above). In that case, httpd + mod_jk will forward the request to Tomcat, and wait for Tomcat's response. When Tomcat responds, httpd + mod_jk will return that response to the browser client. While Tomcat is processing that request, you have one Tomcat thread busy processing that request, and one httpd child/thread waiting for Tomcat to respond.
>
> So let's say that at the level of httpd, there are 1000 browser requests coming in every minute. The number of httpd children/threads needed to handle this depends on how long it takes httpd, on average, to process each request. If it takes on average 1 second to process a request, then each httpd child/thread can on average process 60 requests per minute, and to handle 1000 requests per minute, you need 1000/60 = 16.66 children/threads in httpd.
>
> Now estimate (or better, measure) how many of these requests are being forwarded to Tomcat, and how long Tomcat needs on average to process such a request and send a response. With the same kind of calculation, this will tell you how many threads you need in Tomcat.
>
> Now to be on the safe side, double these numbers (if your servers support that), and try it out, /with your application/, measure what happens, and rectify the configuration accordingly.
>
> The main point is : nobody except yourself knows exactly how your application works, how many requests are really served by httpd and tomcat, or how long it takes to process one request. So nobody can tell you in advance how many threads/children you need in httpd or Tomcat, to serve your volume of requests. The best that the Apache httpd developers, and the Tomcat developers can do, is to provide some best guess defaults, for some configuration that will, in their considered opinion, be adequate for serving some average needs and not be very unbalanced. And that's what they do, and that is why you should generally start with this default configuration. And then, if you can see and *measure* that there is something wrong, start amending this configuration item by item carefully, and measure again after each change to see if it improves or worsens the situation.
>
> There is no one size fits all. (If there was, then the developers would just set it as the default, and they would not need to provide any adjustable parameters).

This type of question seems to come up once every 3 months on the mailing list. Given that this is a beautiful explanation, perhaps we could add this as a new section to the Tomcat documentation - a new "Performance Tuning" section?

Chris
Re: Why does JDBC application logging SQL instructions in Apache Tomcat lists 545 repeatedly
On Tue, Aug 6, 2013 at 7:52 AM, Martin O'Shea app...@dsl.pipex.com wrote:

> This is now resolved. Thanks anyway.

For the benefit of anybody else that hits this issue, care to explain how it was resolved?

Thanks

Chris
Re: [Tomcat 7.x] Tuning the connector for large requests / response
Stefan,

> but I'm not sure which values to tune. Probably the buffers, right? Any pointers would be great.

If you want to tune an application, first you need to create a repeatable test load using any tool you like. Then measure the application under load, and identify where there are problems. Once you have done this, come back to the list and explain specifically where the problems lie. Then the people on the list will be able to help point out settings that might improve load.

Right now with the information provided, there is no way to know where the problem would lie. Also if you did change something, you would have no way of knowing if the change had made a positive or negative effect.

HTH

Chris
Re: [Tomcat 7.x] Tuning the connector for large requests / response
On Thu, Jul 11, 2013 at 11:35 AM, Stefan Magnus Landrø stefan.lan...@gmail.com wrote:

> On 11 July 2013 at 15:44, chris derham ch...@derham.me.uk wrote:
>
>> Stefan,
>>
>>> but I'm not sure which values to tune. Probably the buffers, right? Any pointers would be great.
>>
>> If you want to tune an application, first you need to create a repeatable test load using any tool you like.
>
> Agreed. That's exactly what I'm doing (using Gatling actually)

Ok never heard of it - will have a look.

>> Then measure the application under load, and identify where there are problems.
>
> Performing a thread dump I see most threads are doing io stuff reading from the socket and consuming lots of CPU.

Can you post the thread dumps? That might help people on the list get a feel for where the problem lies. Do you hit this problem when you target a specific url, or only when you have a broad range of request types hitting the server?

Chris
Re: Class cast exception when starting tomcat 7.0.1
> Who says I was using a 3 year old unreleased level?

You did when you set the subject line to "Class cast exception when starting tomcat 7.0.1". Charles was hinting that 7.0.1 wasn't released.

Chris
Re: SSL Issue- Support required.
> Please help to trouble shoot this issue. More information on this would be provided as per the request.
>
> Thanks
>
> Regards
> Veena B S

The mailing list strips attachments. Please try again, sending a plain text email without any attachments.

Thanks

Chris
Re: Best practices for shared classloader use?
> I am considering using the Tomcat 7 shared classloader to reduce the memory footprint of my web apps.

Can you provide some approximate numbers as to what the current memory footprint is? Also some details of how many tomcat instances you have running and/or how many versions of the application you have running? So for example if your war file has 10mb of class files, and you have five concurrent versions of the war running, your reasoning is that by using a shared class loader, you can reduce the memory footprint from 50mb to 10mb?

Thanks

Chris
Re: WebSockets Thread Safety question
> When I use the syntax from the samples in the onTextMessage() method, I get ConcurrentModificationException if I have more than one client sending data to the server at the same time:
>
>     for (MyMessageInbound mmib : mmiList) {
>         CharBuffer buffer = CharBuffer.wrap(cb);
>         mmib.myoutbound.writeTextMessage(buffer);
>         mmib.myoutbound.flush();
>     }
>
> Changing it to the following works fine:
>
>     for (int i = 0; i < mmiList.size(); i++) {
>         MyMessageInbound mmib = mmiList.get(i);
>         CharBuffer buffer = CharBuffer.wrap(cb);
>         mmib.myoutbound.writeTextMessage(buffer);
>         mmib.myoutbound.flush();
>     }
>
> However, this approach is not as efficient as to use an Iterator, unless I clone the mmiList Collection to iterate over it...

Can you explain where the inefficiency is?

Thanks

Chris
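The race behind the ConcurrentModificationException above, as an added example that is not the poster's code or Tomcat's: a connection list shared between a broadcasting thread and a thread registering a new client, walked with an Iterator first as a plain ArrayList and then as a CopyOnWriteArrayList. Connection and SharedListDemo are hypothetical stand-ins for the MyMessageInbound/myoutbound objects in the post.

```java
import java.util.ArrayList;
import java.util.ConcurrentModificationException;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

/**
 * Constructed demonstration, not code from the post. A list of connection
 * objects is shared between a thread broadcasting a message and a thread that
 * registers a new connection part way through the broadcast.
 */
public class SharedListDemo {

    /** Hypothetical stand-in for a WebSocket outbound: it only counts messages. */
    static final class Connection {
        private int received;
        synchronized void writeTextMessage(String msg) { received++; }
        synchronized int received() { return received; }
    }

    /**
     * Broadcast with an Iterator, as the for-each loop in the post does, while a
     * second thread adds a connection after the first element has been served.
     * Returns "CME" if the iterator failed fast, otherwise how many connections
     * received the message.
     */
    static String broadcastWhileRegistering(List<Connection> conns, String msg)
            throws InterruptedException {
        Iterator<Connection> it = conns.iterator();
        it.next().writeTextMessage(msg);   // first connection served
        int delivered = 1;

        // Another client connects mid-broadcast: the structural modification
        // from a second thread that the original poster ran into.
        Thread registrar = new Thread(() -> conns.add(new Connection()));
        registrar.start();
        registrar.join();                   // add() has completed and is visible here

        try {
            while (it.hasNext()) {
                it.next().writeTextMessage(msg);
                delivered++;
            }
        } catch (ConcurrentModificationException e) {
            // ArrayList iterators are fail-fast: the change made by the other
            // thread is detected on the next call to next().
            return "CME";
        }
        // CopyOnWriteArrayList iterators walk a snapshot taken when iterator()
        // was called, so the broadcast completes; the late registrant is simply
        // not part of this broadcast.
        return "delivered to " + delivered;
    }

    public static void main(String[] args) throws InterruptedException {
        List<Connection> plain = new ArrayList<>();
        plain.add(new Connection());
        plain.add(new Connection());
        System.out.println("ArrayList:            " + broadcastWhileRegistering(plain, "hello"));

        // Copy-on-write pays an array copy on each add/remove (connect and
        // disconnect, rare) and iterates without locking (broadcast, frequent).
        // Cloning mmiList per broadcast, as the post considers, pays that copy
        // on every message instead. The indexed loop in the post has its own
        // race: size() and get(i) are separate calls, so a removal between them
        // throws IndexOutOfBoundsException and shifting indexes can skip or
        // double-serve a connection.
        List<Connection> cow = new CopyOnWriteArrayList<>();
        cow.add(new Connection());
        cow.add(new Connection());
        System.out.println("CopyOnWriteArrayList: " + broadcastWhileRegistering(cow, "hello"));
    }
}
```

The join() makes the modification deterministic for the demonstration; in a real server the timing is arbitrary, which is why the failure in the post only showed up with several clients sending at once.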
Re: Catalina.policy java.security.AllPermission
> Maybe the first question should be : why do you want to run this with the Security Manager ? As far as I understand this, the SM only really helps, if otherwise unsecure applications can be deployed within your JVM. Is that the case, or do you know and control all the applications from the start ?

Isn't it more like a dog and a muzzle? In theory if you know the dog and it is always friendly, there is no need to use one. However if all dogs wore muzzles, there would be fewer dog attacks. IMHO security in depth is about making things harder for the bad guys. Adding a security manager should do this, if it is configured correctly. BTW I am not saying that I actually do this, just that I think that everyone should, to make it harder for when the bad guys break into your app.

Chris
Re: Multiple tomcat containers or instance on same servers
> If anyone else wants to chip in with any relevant additions, let me know. I might be able to have a look at updating the documentation page later, but being as I'm a developer my linguistic skills have never really been approved of so not sure any changes will be approved :-)
>
> HTH
>
> Chris

I've added some comments to http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html - is there a better way to get an addition made to that page?

Chris
Re: Multiple tomcat containers or instance on same servers
> Thanks for all your feedbacks. Is multiple versions supported or all instances have to be the same build.

You can have it any which way you wish, e.g. single tomcat in single catalina_home with multiple instances each with own catalina_base, or multiple versions of tomcat each in own catalina_home each with one or more instance each with own catalina_base. You can set up a right mess if you wish...

> I thought sure that the Tomcat Windows Service page of the users' guide, but it is /not/ there: http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html
>
> I wonder if there are any heavy Microsoft Windows users that could offer to write a section on Multiple Tomcat Instances specifically with Microsoft Windows Services. The file RUNNING.txt only explains how to set up Tomcat itself (CATALINA_HOME versus CATALINA_BASE) but says nothing about how to configure Tomcat's service runner to point to one (other than inferring that one ought to set CATALINA_HOME and CATALINA_BASE appropriately). For instance, it's probably important to give the services distinct names ;)

The only things that seem to be missing are

a) set CATALINA_HOME and CATALINA_BASE before running service.bat
b) when you run service.bat, specify a unique service name
c) you need to copy some files around to allow the CATALINA_BASEs to be different from each other, e.g. port config

e.g.

    set CATALINA_HOME=c:\tomcat
    set CATALINA_BASE=c:\tomcat\instances\instance1
    service install tomcat1

Then to install instance two, just run

    set CATALINA_BASE=c:\tomcat\instances\instance2
    service install tomcat2

If anyone else wants to chip in with any relevant additions, let me know. I might be able to have a look at updating the documentation page later, but being as I'm a developer my linguistic skills have never really been approved of so not sure any changes will be approved :-)

HTH

Chris
Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
> But honestly, I am also a bit at a loss now as to how to continue. There is of course no way for me to prove the validity of the scheme by installing it on 31 million (20%) of webservers on the Internet and looking at the resulting bot activity patterns to confirm my suspicions.

Try to enter into contact with Fyodor (http://insecure.org/fyodor/). He wrote nmap - an open source scanner. It isn't a botnet, but he might have some interesting thoughts on your proposal. I'd be interested to hear what he has to say.

HTH

Chris
Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
> Let me just summarise my arguments then :
>
> 1) These scans are a burden for all webservers, not just for the vulnerable ones. Whether we want to or not, we currently all have to invest resources into countering (or simply responding to) these scans. Obviously, just ignoring them doesn't stop them, and just protecting one's own servers against them doesn't stop them in a general sense.
>
> 2) there is a fundamental asymmetry between how bots access a server (and most of the responses that they get), and how normal clients access a server : normal clients receive mostly non-404 responses, while bots - by the very nature of what they are looking for - receive many 404 responses. So anything that would in some way penalise 404 responses with respect to other ones, should impact bots much more than normal clients
>
> 3) setting up a bot to perform such a scanning operation has a cost; if the expected benefit does not cover the cost, it makes no sense to do it. Assuming that botmasters are rational, they should stop doing it then. It is debatable what proportion of servers would need to implement this proposal in order for this kind of bot-scanning to become uneconomical in a general sense. What is certain is that, if none do and no better general scheme is found, the scans will continue. It is also fairly certain that if all servers did, this particular type of scan would stop.
>
> 4) it is not obvious right now which method bots could use to circumvent this in order to continue scanning HTTP servers for these known potentially vulnerable URLs. I do not discount that these people are smart, and that they could find a way. But so far it would seem that any scheme thought of by people commenting on this idea, have their own costs in some way and do not invalidate the basic idea.
>
> 5) if the scheme works, and it has the effect of making this type of server-scanning uneconomical, bot developers will look for other ways to find vulnerable targets. It is just not obvious to me where they would move their focus, HTTP-wise. If their aim is to find vulnerable URLs on webservers, what else can they do but try them ?
>
> 6) intuitively, it seems that implementing this would not be very complicated, and that the foreseeable cost per server, in terms of complexity and performance, would be quite low. The burden imposed on normal clients would also seem to be small. Maybe this should be evaluated in terms of a comparison with any other method that could provide some similar benefit at lower costs.
>
> 7) once implemented, it would be something which does not require any special skills or any special effort on the part of the vast majority of people that download and install tomcat. Which means that it has a real chance to automatically spread over time to a large proportion of servers. This is quite unlike any other bot-fighting measure that I have seen mentioned so far in this thread.
>
> 8) an obvious drawback to this scheme, is that if it works, it would take a long time to show its effects, because
>    a) it would take a long time before a significant proportion of active servers implement the scheme
>    b) even then, it would probably take an even longer time for the bots to adapt their behaviour (the time for the current generation to die out)
>
> So in politics, this would be a no-no, and I will probably never get a Nobel prize for it either. Damn. I would welcome any idea to spread this faster and allow me to gain a just recognition for my insights however.

So a miscreant decides that they want to hack into a computer. Like most things in computing, they break the task down into smaller more manageable tasks.

Step 1: find targets. Easiest step would seem to be to enumerate every ip4 address possible, and send a tcp/ip packet to some known ports. If you get a response, it's a live IP address. You don't need to map every port, just establish if the host is listening to the internet. This will allow you to build up a list of live IP addresses and feed into step 2.

Step 2: fingerprint those IP addresses. To do this, use a scanning tool. These send packets to ports of a given IP address, looking at the responses. They don't just look for positive responses, they also send badly formed/invalid packets. They use many techniques to do this. My favorite is the xmas tree packet. The low level TCP protocol defines several fields as control fields - the xmas tree packet flags all control fields as true. The packet is completely invalid at a TCP level, but different OSes will respond differently. The results of all of these responses provide a fingerprint, which should provide an identification of what os the server is running. Using similar techniques it is generally possible to identify the software stack running on each port. Sometimes there will be 100% confidence in the results, sometimes less. Sometimes the software can't tell what the software stack on the server is. However the aim of the game is to
Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
> Yes. But someone *does* own the botted computers, and their own operations are slightly affected. I have wondered if there is some way to make a bot so intrusive that many more owners will ask themselves, why is my computer so slow/weird/whatever? I'd better get it looked at. Maybe I should install a virus scanner.

Somebody said earlier in the thread (sorry but I can't be bothered to find the exact quote and attribute it) something along the lines of this is an arms race. The current bot software may not be there yet, but it is easy to see how the bot-net developers would like to have the job of probing IPs distributed over the botnet, so each target only receives a single call from each distinct IP, but together the 10,000 members of the bot-net each send one probe creating a full probe of known weak points in the server. The net result would be

a) very hard to detect/defend against
b) the proposal would not have a negative effect - you only add 1 second (or whatever value is agreed) to the async call time for each botnet member.

I agree that currently if an attacker compromises a server, and then runs probes against the whole internet from that one host, your idea would slow the assault. However it will just encourage the next evolutionary step described above. However the bad guys are quite clever. The scanning software already has rate limiting switches to stop network intrusion detection systems from detecting probes. They would just use these to slow the attack and the computer user would not notice. As long as you have many bots in the whole net, it isn't a problem.

I used to work in agrochemical research. They tried 1,000,000 different pseudo-random chemicals a year against plants, watching for a reaction. If something reacted in a positive manner, then they investigated what was going on. This is the same as the bad-guys are doing globally - probe every IP, and look for interesting responses. Yes the approach to slowing down these responses should in theory work, but if the clever guys distribute the load over a bot-net, and the bot-net is large enough, then it is just a numbers game. Enough bots sending probes, and then get a new target each day, that will be enough for them to abuse that target to send out that day's mailshot of spam.

The key security recommendation is to not have anything running unless required. The manager app has no users defined by default - perhaps the default install for tomcat could be such that it is a bare bones install? I do not know of any weaknesses in the manager app, but if it isn't even there, their presence/absence doesn't really matter. Same with the other default parts, e.g. help etc. As long as they can be installed easily if required, shouldn't be a problem. The OWASP recommendations for securing tomcat suggest removing all items under catalina_home/webapps as a first step. Just a thought.

The first step an attacker performs when conducting a focused attack, is to map out the server. The presence of a response to http://server:8080/manager/html/ would seem to indicate a default install of tomcat. Once they have this initial reconnaissance performed, they will move onto using known exploits against it. By removing the manager app from the default install, this would be made one step harder. You can't really prevent a dedicated attacker, but making it one step harder to attack your server, might make the not-bothered-which-server-I-attack guy move on to easier pickings.

Also one thing worth mentioning. There is an attack called a blind sql injection attack. The crux of it is that by timing the response from a sql injection, you can detect if your query was a success or a failure. Typically some processing occurs upon success, hence the response takes longer. During testing (obviously not against a real db :-)), I have managed to download the whole contents of a db after a little scripting of a sql injection and some perusal of the results. If you deliberately delay 404 by a known amount of time, it will still stick out, and they can use this just as much as a positive indication.

HTH somebody

Chris
Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
> Hi. Long and thoughtful post. Thanks.

Just hope it helps move the discussion forward.

> Say you have a botnet composed of 100 bots, and you want (collectively) to have them scan 100,000 hosts in total, each one for 30 known buggy URLs. These 30 URLs are unrelated to each other; each one of them probes for some known vulnerability, but it is not so that if one URL results in a 404, any of the others would, or vice-versa. So this is 3,000,000 URLs to try, no matter what. And say that by a stroke of bad luck, all of these 100,000 hosts have been well-configured, and that none of these buggy URLs corresponds to a real resource on any of these servers. Then no matter how you distribute this by bot or in time, collectively and in elapsed time, it is going to cost the botnet :
>
> - 3,000,000 X 10 ms (~ 8.3 hours) if each of these URLs responds by a 404 within 10 ms
> - 3,000,000 X 1000 ms (~ 833 hours) if each of these URLs responds by a 404 delayed by 1 s

So if a bot sends a request for http://server/, it will presumably get a 302 response back redirecting to say http://server/index.html, and to use your figures let's say this takes 10 ms - call this goodResponseTime. Now the bot sends a request to the server for http://server/manager/html. If the server has implemented delay 404 (as it seems to have been christened), the server will delay the response for say 1s. The scanner writers can just abort the connection after say 2*goodResponseTime or 3 if they want to reduce false positives. Perhaps spider the links in the good page returned initially and get a feel for average response times for say 10 valid calls, then start making probing calls to reduce false positives. Simply abort any that take too long and carry on to the next host and/or the next url on the same host.

Incidentally someone suggested that the work to delay the response could be farmed off to a side-kick thread. It is true that this would minimize CPU overhead server end. However at the low os level, you are still keeping a socket open for a second (or whatever the 404 delay is configured to be). If scanners use the above technique, they will end up creating say 30 connections to the server each of which then has to stay open for 1 second. 30 additional connections won't bring the server down, but it is still consuming more resources than normal. Enough concurrent scanners and the server will suffer DOS. A few pages with bad links that return 404 - maybe due to misconfiguration - and google bots and their friends querying the site could kick off the DOS.

> As for the other points in your post : you are right of course, in everything that you say about how to better configure your server to avoid vulnerabilities. And I am sure that everyone following this thread is now busy scanning his own servers and implementing these tips.

I guess the point I was trying to make is that the whole idea is to make the default install as secure as possible. So the sensible steps included in http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html would not be necessary, if they were already present in the default install. Then if people want to open the server up, that's their problem. I know that this potentially means that it may be harder for noobs to get started with tomcat. It is a fine line to walk.

> But my point is that, over the WWW at large (*), I am willing to bet that less than 20% are, and will ever be, so carefully configured and verified. And that is not going to change.

Agreed. What we really need is a big carrot and a big stick to encourage people to Do The Right Thing™.

Chris
Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404
> Or, another way of looking at this would be that for every 40 servers scanned without a 404 delay, the same bot infrastructure within the same time would only be able to scan 1 server if a 1 s 404 delay was implemented by 50% of the webservers.

This assumes that the scanning software makes sequential requests. Assuming your suggestion was rolled out (which I think is a good idea in principle), wouldn't the scanners be updated to make concurrent async requests? At which point, you only end up adding 1 second to the total original time? Which kind of defeats it.

Again I'd like to state that I think you are onto a good idea, but the other important point is that some (most?) of these scans are run from botnets. These have zero cost (well for the bot farmers anyway). My point is even if the proposal worked, they don't care if their herd is held up a little longer - they are abusing other people's computers/connections so it doesn't cost them anything directly.

Sorry but those are my thoughts

Chris
Re: Analyzing Connection Pool Errors/Leaks
> OK, I'll have to investigate the DB setting more thoroughly. The maximum sessions and processes in Oracle are higher than we were using for the test though (several hundred).

We hit a similar situation a year ago. Essentially Oracle has a TNS listener process that accepts connections. This is responsible for counting connections and preventing any new ones when the limit is hit. The counting only occurs on a background thread every x minutes, hence if you have a high turnover of connections, you can exceed the limit. Even if your app correctly returns all connections, the TNS listener will not see the returned connections, and hence hit the error above. For our situation we were able to just bump up the connections allowed to the db. This may or may not help in your case.

HTH

Chris
Re: runtime.exec cmd.exe /C net use
This thread has been going on for some time now, but why are you using drive letters? Can't you just use UNC paths and remove all of these issues you are having? I searched the thread for UNC and can't see that this was asked, but seems like a sensible question.

HTH

Chris
Re: I need help in configuring windows authentication in tomcat 7.0
>     <Context>
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>              adCompat="true"
>              allRolesMode="authOnly"
>              referrals="follow"
>              connectionURL="ldap://dc01.mydom.local:389"
>              connectionName="mydom\tcuser"
>              connectionPassword="Pa55w0rd"
>              userBase="dc=mydom,dc=local"
>              userSubtree="true"
>              userSearch="(sAMAccountName={0})"
>              roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
>              roleName="cn"
>              roleSearch="(member={0})"
>              roleSubtree="true" />
>     </Context>

This has come up multiple times on the mailing list - essentially it can not/should not be done. Please see http://wiki.apache.org/tomcat/FAQ/Password for details.

Chris
Re: SSL Best Practices
> If the system is only for testing, or communicates with a limited number of systems (i.e., it is a firewalled backend system that only communicates with a front-end system), then again, a self-signed certificate would be fine.

+1

> If his organization already uses PKI certificates, then he should follow the rules established in his organization's Certificate Practice Statement, if it has issued one. I do agree that if this is a public facing system, or one in an organization with a large number of users that does not have its own CA infrastructure, then a commercial certificate would be the best choice.

Commercial certificate authorities are actively targeted by hackers, and when they are broken into, the trust each os has configured of such certificates can cause issues. The recent google ssl certificate issue shows what happens when things go wrong. If users will access the site via a browser, then the browser warning will confuse them/make them used to ignoring security warnings. For applications communicating with each other, a self signed certificate will actually be more secure than a certificate authority issued certificate - assuming you trust your internal security more than you trust that of a commercial certificate authority. It all depends on what the certificate will be used for.

Chris
Re: Tomcat 6 access Network drive and interact with desktop
> I mean I need a tomcat service which can interact with desktop and can access network resources

Top hit when googling for 'windows service interact with desktop':

http://lostechies.com/keithdahlby/2011/08/13/allowing-a-windows-service-to-interact-with-desktop-without-localsystem/

> The basic answer to your question is : The fact that under Windows you cannot do what you seem to want, has to do with Windows and how it handles Windows Services. It does not depend on Tomcat in any way, and there is nothing that you can do in Tomcat to change this.

You can flag a service as being allowed to interact with the desktop. This is turned off by default.

> Apart from that, there seems to be something illogical in your request.

I think it is very strange that the server needs to open windows - surely on the server nobody is going to be there to look at them?

HTH

Chris
Re: Tomcat 6 access Network drive and interact with desktop
> The first part (running programs which require a Window) usually doesn't, because those programs are usually such that they do not work as a service. It is not usually only the fact that they need a console, but they need a whole bunch of other environment which a Service does not provide. It will only work when the other program is specifically designed to work that way. For example, OpenOffice in headless mode works fine. But MS-Office programs do not, and this mode of operation is explicitly indicated by Microsoft as not recommended and not supported.

So summarising discussion so far

1) services generally run headless with no interaction with desktop
2) you can run a service with interaction with desktop enabled
3) this doesn't work under Windows Server 2008 and later.

So questions to OP

a) did the link I sent help?
b) what programs are you trying to run that open windows on desktop?
c) what version of os are you running under?

Chris
Re: Tomcat 6 access Network drive and interact with desktop
> I mean I need a tomcat service which can interact with desktop and can access network resources

'access network resources' is clear, but please define 'interact with the desktop' - what do you want the app to do exactly?

Chris
Re: Sharing session attributes across multiple webapps
> <snip>
> I simply need a temporary string that is set during the session in one app to still be able to be displayed when the user goes to another app.
> </snip>
>
> <snip>
> Am I missing something obvious here?
> </snip>

Couldn't you try a cookie?

Chris
Re: Help in diagnosing server unresponsiveness
> In the Java world, most people would only call it a cluster if the app servers actually know about each other -- for instance, if you are using session replication. IMO session replication is a dog, and there are better ways to achieve similar goals that yield much higher performance.

I am curious to hear your thoughts - care to elaborate?

Thanks

Chris
Re: Different webapp paths on different hosts
To my mind if you deploy the app as ROOT.war, as long as DNS is configured correctly, that single context will serve responses to http://app1.com/ and http://app2.com/. This appears to solve the explicit requirement stated above. But the OP refuses to supply any information about why that's not sufficient. in this case http://app1.com/ and http://app2.com/ will serve the same content. i need different content on different domains. You asked how can I serve content from one domain to one host, and a different set of content for another domain. You were told that the easiest way is to deploy two separate apps. You said that isn't what you want, but did not explain why. What technical reason is this not a suitable solution? If you really want a single app deployed that sends different content depending on the host used, then you will need to code that inside your app. This isn't really an application/web server issue, it's something that needs to be handled inside the web app Something actually made a little pop in my brain when I read that. I gotta go... I think I smell toast burning... i take it as you don't know the correct answer. You asked an incredibly badly worded question, and didn't provide a clear explanation of what you wanted people to help you with. Free advice from people donated in their own time, and now 22 emails in and you are getting snarky? Do you think that this is really going to encourage people to help you? Chris
Re: How do I deploy a war file to a context path not matching the war file name
The documentation for the docBase (a.k.a context root) attribute states that the docBase attribute should be used to point to the war or exploded war file. My server's appBase is the default of 'webapps' and my WAR and exploded WAR are under webapps so I have specified a relative path of 'MYAPP' to point to the exploded war folder (i.e. webapps/MYAPP). move the exploded war to a folder outside of webapps. Personally I create a folder called notWebapps. For clarity, here is the content of the context.xml file: <?xml version="1.0" encoding="utf-8"?> <Context docBase="MYAPP"></Context> Then alter the docBase to be <Context docBase="../notWebapps/MYAPP"></Context> HTH Chris
Re: LDAP on TOMCAT 7.0.30
We have 2 Apps on tomcat with each having independent DB the credentials in both apps are in synch with the list of authorized users as per LDAP. What does that mean? Where is the source of the credentials? When a user changes a password, where do they change it? You say in synch, so do the databases just copy the credentials from LDAP? How is the sync working? *for the 1st app any valid user should be able to log in (using any Browser) only once to validate the LDAP verification , What does that mean validate the LDAP verification - do you mean validate their credentials against LDAP right? On validating the request should continue to AAA of the Application as per the Local DB credentials Do you mean that another round of authentication should occur in the application? Surely the app could just pick up the SSO credentials? Why do it again? and allow to successful logon ...probably log out later.* *Later If the 2nd apps is requested for the authorization should not ask for re-validation.* The process on any apps requires to validate credentials only once in a day. So you want to configure the login process to work once per day, e.g. the users are prompted once per day for either app, but once prompted, they won't be prompted again for either app for the rest of the day. Presumably if the login is without a prompt, then this requirement disappears, e.g. if the browser can send current credentials to server without any prompt, then it doesn't really matter how many times this happens per day right? How can this be achievable [ Either at TOMCAT (if possible) or at Apache httpd since we use reverse Proxy conf ] Subject to some confirmation from you about exactly what you want, the previous suggestions should allow you to do all of the above Chris
Re: LDAP on TOMCAT 7.0.30
Is this possible, Is there any material available for me The links already provided cover all that you request I have read some where that Apache HTTPD ( ) can do this SSO process, then the same could be at Httpd instead of Tomcat end . If so yes plz let me know the process. I have never setup SSO for httpd. Others on this Apache tomcat mailing list might know, but I suggest that if you have questions relating to Apache httpd, then you ask on the Apache httpd mailing list. HTH Chris
Re: LDAP on TOMCAT 7.0.30
Does that mean that Tomcat treats WIA similar to HTTP BASIC (or maybe DIGEST) unless you've approved a particular domain/host? That's interesting. Can you just enter anything you'd like? For instance, can I authenticate to a server that is expecting WIA from a Linux workstation just by entering my domain credentials into the dialog? That certainly sounds nice: the Microsoft Windows crowd doesn't have to authenticate (explicitly, that is... their credentials are that they are currently logged-into a machine on the network) but everyone else can also get in. If tomcat is setup to work with SPNEGO authentication, then when a new session requires authentication, the server asks the client for a kerberos token. Under IE this will be passed silently. Under FF if you have configured the network.automatic-ntlm-auth.trusted-uris to the url of the server, this will be passed silently. If you setup your *nix machines to login to active directory they will have a kerberos token. If you also make the FF setting change, they too will then be able to silently login by sending through the kerberos token. I think as you configure the server, you can specify what to do if SPNEGO fails. I guess one option would be to fall back to http basic. If you didn't want to get the *nix machines to login to active directory, then I guess that would be a way to go. Guess that it all depends on the security requirements HTH Chris
Re: LDAP on TOMCAT 7.0.30
1) All 3 applications are browser compatible and users may use other than IE hence IE alone can be ruled out Do you mean multiple browsers access these web applications, so we can't use anything that is IE specific? Assuming that you do, I don't believe that anybody suggested anything that is IE specific, e.g. the SSO solutions so far posted will work in other browsers as well. Can you elaborate on what you mean exactly please? Thanks Chris
Re: LDAP on TOMCAT 7.0.30
Do you need a plug-in or anything like that? Does it need to be specifically enabled? No, we use it all the time with IE, Firefox, and I believe Chrome as well. Last time I was working in this area a few years ago, it worked by default in IE and had to be turned on in FF. A rogue website would request the token and do malicious things if it is handed out by the browser whenever asked. The link explains the settings required. Perhaps this has changed recently and works auto-magically now? http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_configweb_new.html Thanks Chris
Re: Different webapp paths on different hosts
it's not. maybe it will make things clear if i change the names of the paths, say: * when user goes to http://app1.com/ - {thesamewebapp}/app1 path is served as root path of the domain app1.com * when user goes to http://app2.com/ - {thesamewebapp}/app2 path is served as root path of the domain app2.com From this I conclude that the explicit requirement is to have a single running version of the war, that responds to different domains. You seem to think that you have an additional implicit requirement that this must be done within tomcat by having different contexts. This seems to me to be the source of confusion in all the replies to your thread. What you are trying to do is make the same webapp answer both domain1.com/ and domain2.com/ right? If so you can simply deploy the webapp as ROOT. The webapp will then answer on all domains pointing to the server. If this is not what you want, you can set up a virtual host in server.xml with an appbase outside the webapps folder (eg. $CATALINA_BASE (or is it HOME?)$\domain1 and then use the Alias element to specify the second domain as an alias for the first (which you set as an attribute in the Host element). i know these tricks, but they don't work for my case. To my mind if you deploy the app as ROOT.war, as long as DNS is configured correctly, that single context will serve responses to http://app1.com/ and http://app2.com/. This appears to solve the explicit requirement stated above. However you state they don't work for my case - please explain why this doesn't work for your case Thanks Chris
Re: Trying to install tomcat 7.0.35 but after installation it shows me as Apache Tomcat 7.0.2
Kiran I want to run it as service. I installed this by running service bat file from cmd prompt. Once installation was successful I checked localhost:8080. Over there I see version 7.0.2. in a cmd prompt run netstat -ano. The output will list all processes and the TCP port they have open. Find the row that ends with :8080 in the second column. My machine runs tomcat on port 8084, and the row looks like this TCP 0.0.0.0:8082 0.0.0.0:0 LISTENING 596 The last column lists the process id. Start task manager (right click on task bar and click start task manager). Under view, click select columns, then add the PID column. Then look through the lists of processes on the process tab. Find the one matching the process above - so for my machine it was 596. When you have the row, click open file location. All this will show you the location of the tomcat running on port 8080. From what you have said it is very clear that it is tomcat 7.0.2. I cannot remove all tomcats since it will be a large effort for me. But I know there is nothing wrong with those. They sit in different directories. If you really want to run 7.0.35 instead of 7.0.2, then remove the service for 7.0.2, and then install the 7.0.35 service. To uninstall the service, go to cmd prompt and from CATALINA_HOME\bin run service uninstall. The alternative is to run 7.0.35 on a different port, e.g. 8081. Would this work better for you? HTH Chris
Re: Single Tomcat instance scalability
We have a web server hosted on Apache Tomcat Version 7.0.32. It is a single Tomcat instance on 64 bit windows. Server.xml has two connectors: The ssl connector is HTTP NIO and the non-ssl connector is HTTP BIO. We are trying to achieve vertical scalability and would like to increase the concurrent users (~1) based on the given hardware. Is there any recommendation for maxThreads for single Tomcat instance? Any other recommendations for scaling single Tomcat instance? The recommendations are to take an out of the box installation of tomcat, and run a load test. Through monitoring establish where the performance bottleneck is. Then make a single fix, and run the load test again. If there is an improvement, repeat until you achieve desired performance or you can't improve things anymore. If you hit this, post to tomcat forum and maybe somebody can help. There is no magical setting that will enable your app to run with 10,000 users. Each app is different. Each app will have different performance characteristics. The only solution is to load test as above Good luck Chris
Re: Mod_jk - loadbalancer
I use mod_jk loadbalancing. (JkMount /WebApp/* loadbalancer ) I want to use only one loadbalancer. Why are you using load balancing? Why do you want to use only one loadbalancer? Can I set specific url after balancing ? For example, firstly every request will go to loadbalancer. Then if request is /WebApp/A*.com, it will go to node1. If request /WebApp/B*.com, it will go to node2 Why do you not just proxy these requests and skip the load balancing? Confused Chris
Re: Handling requests when under load - ACCEPT and RST vs non-ACCEPT
Having finally received the actual details of what the OP actually is doing in email #37 of this thread, I was struck by a simple thought. I have re-read the whole thread, and don't think/hope that I am about to say anything completely stupid. We develop software that routes millions of requests to dozens of Tomcat instances. So you have your own software in front of many tomcats that is responsible for distributing the load between multiple tomcat instances Yes, we can and do support connection throttling at a slight cost to safeguard a single Tomcat from receiving more connections than it can, but if Tomcat was able to not reset connections at the TCP level - we can perform our task much better, and I do not think this will cause any problem to any other use cases of Tomcat - if we can just enable this behavior with a configuration parameter My simple thought was that it sounds like your code isn't working. You have more load than one tomcat instance can handle, which overloads that instance. You are trying to write code to handle this situation, and seem convinced that the only solution is to alter tomcat such that you can detect/handle this occurrence in a way that is easier for your software. You also state that when this happens, you will simply route to other tomcat instances - the implicit assumption being that there is spare capacity on the other instances. If this is the case, why didn't your code route to these other instances in the first place? Surely this would obviate the need for any changes to tomcat? What algorithm do you use to determine where to send the load? I do not understand the negativity here.. After writing comments such as If you can, try to understand what I said better.. Its ok to not accept this proposal and/or not understand it.. you really can't understand the negativity? Really? Are you sure? Chris
Re: tomcat 7 PermGen
After upgrading to 7, deploying a new war file often results in PermGen error, much more often than in 6.(with identical JVM settings) I have tried all those JVM settings for perm memory but no help. All those JVM settings for perm memory - could you share which settings you have tried, and what values you set? Ideally tell us exactly how you made the changes. Also knowing a little about your system might help. You know the basics. Like which tomcat v7 - there are 32 of them. Which version of java? Which os? Little things like that help Thanks Chris
Re: insfrastructure set list
Today we're about to deploy a simple app that is basically a charts solution that will run over Tomcat 7.X. Well till there everything is all right. But since I'm not a heavy user of Tomcat I'm not so sure what could be the best setup for my app so as not to have problems at first sight from a misconfiguration. This app will have 100 concurrent users and in terms of hardware I'm not sure what they will give us. Is it possible that you guys share some experience and minimal setup for the above scenario? Thanks!!! Daniel, I think that you are trying to use this list incorrectly. If everyone that wanted to use tomcat emailed the list, none of the people who answer questions on the list would be able to get any work done. They are only answering the questions posted on this list in their own free time. Nobody is paid to answer questions on this list. The suggested approach to using tomcat (and open source software in general) is 1) download, install, try it out 2) if you get an error, google for the error message. 99.99% of the time, somebody else will have hit the problem and commented about it somewhere 3) if you can't fix it by yourself, ask the list You seem to be asking for this piece of software (that I won't tell you anything about), how should I configure tomcat? Nobody can answer that question. We don't know the software - you haven't told us. We don't know the hardware. We don't know the load. Even if people did know the above, the answer is always to try your suggested load using your hardware, and see what happens. The defaults generally work very well in a broad range of situations. That's why they are the defaults. Perhaps you will need to tweak some settings, but you need to have a baseline, and a method to test what effect each change actually has. HTH Chris
Re: Setting JVM Parameters in Windows Service for Tomcat7
The documentation tells, that this could be done by calling tomcat7 //US//Tomcat7 ... This method works, but it is not practicable for our production environment, because these settings are stored in the registry. Matthias - can you please elaborate on exactly what it is not practicable for our production environment means? Thanks Chris
Re: exploting tomcat vulnerability with example
On Wed, Sep 19, 2012 at 10:02 AM, Ragini raginippa...@gmail.com wrote: For my research work I want to have different attacking scenarios which exploit vulnerabilities of JAVA based applications. These java applications can be just any web application, desktop application or any other. For this, I was thinking to exploit vulnerabilities of tomcat itself (because it is in java). I went through different vulnerabilities of different versions of tomcat on apache tomcat's official site. They have provided information about what the vulnerability is and what its consequences are. But I am looking for some real time example by which I can exhibit the exploitation of tomcat's vulnerability. The version of the tomcat can be just any. I would like to try vulnerabilities like authentication bypass, information disclosure or some other which really compromises the security. Could anybody please suggest some source where I can get step by step information about exploiting tomcat's vulnerability with example? It would be nice if the example web application used for exploitation is also in java. I would really appreciate any kind of help regarding this. Thanks. Richa. Have you tried webgoat? Chris
Re: Root context switching
I am new to Tomcat. What I like to do is to deploy different versions of my application, for example: hostname\myappv1 hostname\myappv2 Now I want the ROOT context to be set dynamically to one of the available deployed versions. Is this possible? Is there a way to implement this? Dennie, This question is asked regularly. The regularly posted answer is that you must call the root war ROOT.war, such that it is unpacked as CATALINA_HOME\webapps\ROOT. There may be ways around this, but it really is much, much simpler to do this in all cases I have seen discussed. Having said that, you say that you wish to change the ROOT dynamically. Why? What is your use case? If you explain, perhaps we might be able to describe a suitable alternative Chris
Re: Root context switching
Basically what I want is the same functionality which google apps provides. So I want to be able to have multiple versions of my application online, let people try the new environment and eventually switch the root context to the new running version. This enables my clients to try out the new version and options before they switch over to the new environment and enables me to fix bugs found in the new release. Two options spring to mind. First is to have multiple tomcat instances running. One is production with accepted versions of wars. Then a second instance could run on a different port allowing you to test the new wars. When they are accepted, you deploy on the production instance. Second option is a slight variation - you could run a single instance, but have two hosts specified. In one host you specify your production wars, and in the second you specify your UAT wars. Every company that I have worked in always runs separate production and UAT machines. If you don't want multiple machines, then I'd go for option 1. HTH Chris
Re: tomcat and DB oracle problem - only in higher versions
I found following problem when java application is trying save xml data into xml column to database. I found a problem with tomcat which is happening in the version 6.0.32 and 6.0.35 (maybe also in other version), but working really fine with version 6.0.26. My configuration: OS: windows 7 enterprise IDE: Eclipse EE 3.7.1 Java: 1.6.0_33 Tomcat: 6.0.26, 6.0.32, 6.0.35 DB: Oracle Database 11g Enterprise Edition 11.2.0.3.0 Other technologies: Spring 3.1.1 + Hibernate 3 + Struts 1.1 Can you provide details of how you create your connection to the database? Config file or code? This should shed some light on the issue. I recall that I hit this in the past, and it is to do with how the connection pool is setup. Perhaps with the details, it might ring some bells for me or somebody else. Thanks Chris
Re: ClassCastException org.apache.jasper.runtime.ELContextImpl cannot be cast to org.apache.jasper.el.ELContextImpl
| I am 95% certain of what is happening but haven't tested this. It will help your understanding if you read the EL specification, specifically the section in the Javadoc regarding how implementations are discovered. | Tomcat implements these rules. It is possible for an EL implementation to be loaded from an application. Everything will be fine EL-wise for the application that shipped with the EL implementation but things will | fall apart for any other application that tries to use EL since the implementation classes will not be visible. Mark, I don't understand one key component of your response. I don't pretend to understand the internals of tomcat, but I thought that I had a good grasp on how things were supposed to work. Please forgive me if I ask something stupid. You seem to say that the EL implementation will be loaded from app2, as it has an implementation present in its lib. You then say that this won't be visible to app 1, presumably because this class is loaded into app2's class loader. That bit matches up with my understanding of app class loaders in web containers - each app has its own, and they are separate preventing leakage from one app to another. The bit I don't really understand is when app 1 tries to run some EL code, surely the same mechanism should kick in and load an EL implementation. I get that app 1 doesn't have an impl in its lib folder, but I would expect the call to be passed to the tomcat shared class loader, whereby tomcat's EL impl is loaded from CATALINA_BASE/lib. You seem to imply that once tomcat has loaded an EL impl into app2's classloader, that this somehow breaks or dirties the tomcat shared classloader so that it can no longer work the way I describe above. Could you spare a minute to explain where my understanding falters? Thanks Chris
Re: TOMCAT with multiple sites (one on https, others on http)
I have configured the server.xml to run a few sites with HTTP and HTTPS, HTTP sites work correctly, but HTTPS is not responding, can not display the page Massimo Chirivì Massimo, Pid's reply was asking you to answer some specific questions. You appear to have answered only the first of them, and by irony only. The people on the list will need all of these specific questions answered in order to help you any further. Here is the list once again in case you have lost the previous email Chris Are you just repeating the same question over and over? Have you read the documents provided previously? What version of Tomcat are you using? What *exactly* does 'not ok' mean? Are there any errors in the log files? Can you describe the symptoms of the error? Have you ever read and comprehended: http://www.catb.org/esr/faqs/smart-questions.html
Re: Location of Tomcat 7 jvm defualt settings...
On Fri, Jul 20, 2012 at 6:31 PM, Tony Anecito adanec...@yahoo.com wrote: Thanks for the quick reply Mark. Yes I saw your comments in one of your presentations about profilers and I am a fan of visualvm and have profiled Tomcat in the past but when down to 1-2msec not sure how much the profiler can pick up. I did notice that as the hotspot engine warms up the response times start to see improvement. I did adjust the -Xss256k from the default of 1M and I am looking forward to when I get home to see the results since the response times quickly went to 3msec after that was set and hope to see 1msec or below after running for 1 day if that change really helps. I did start out profiling the SQL and that helped and switching to the jtds jdbc driver which seemed to help even more and of course eliminating the interprocess communication (Tomcat - JBoss). I made sure my data types in SQL server were unicode so the jdbc driver did not do extra conversion work to unicode. I am slowly moving to the front (JAX-WS to JAX-RS) and then a deep dive into OS tuning. After that I will stop tuning for another 6 months I guess. Tony, With all due respect, you sound like you are fiddling with settings to learn rather than tuning. What I understand by tuning a webapp is that you 1. Create an automated test script to simulate some load 2. You increase the load until you bring the webapp to its knees - either 80% CPU or responses taking 1/2 sec to return 3. Critical step - you tell your bosses the maximum level that the app can currently support, e.g. X concurrent users performing A and B and C routes through the app. 4. If they say that's all they need, then stop 5. Otherwise use a profiler to establish where the bottleneck is 6. Fix it 7. Repeat from step 2 Using this technique you make sure that you don't waste time fixing issues that aren't really issues. As a programmer, it kind of hurts to admit it, but programmers are wrong when they guess where the performance issues are. Always. 
This isn't my idea - read the performance tuning books. You'll just make code more complicated, and less maintainable. IMO there is nothing wrong with fiddling with settings to see what they do. However unless you have a repeatable (read automated) test script that allows you to test after each individual change, you're just whistling in the wind. Now it is possible that I have all this wrong. Perhaps you have an automated script, and you are doing all the above. It doesn't sound from your description that this is the case, but if it is then I apologise HTH Chris
Re: How to initiate session id change from application code?
Good Evening Pavel Implementing a SSL Connector on Tomcat will prevent Session Fixation attack Martin, This is not correct. Using SSL will not stop session fixation attacks Chris
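Chris's reply above says that TLS is not a defence against session fixation; what closes the hole is issuing a fresh session id at the moment of login, so that an id an attacker planted in the victim's browser beforehand is no longer valid once the victim has authenticated. The servlet below is an added example written for this page, not code from the thread or from Tomcat. It assumes a login form with fields named username and password and a checkCredentials() stand-in for the application's real credential check (LDAP, database, or whatever is in use). The invalidate-and-copy approach works on Servlet 2.5 and 3.0 (Tomcat 6 and 7); on Servlet 3.1 (Tomcat 8 and later) HttpServletRequest.changeSessionId() does the same in one call and keeps the session object. If the login is container-managed rather than application code, Tomcat's authenticator valves do this themselves through their changeSessionIdOnAuthentication attribute.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the mailing-list thread): a login servlet that
 * rotates the session id after the credentials have been verified.
 *
 * Why TLS does not help: the attacker never needs to sniff anything. They
 * obtain a valid-but-unauthenticated JSESSIONID, plant it in the victim's
 * browser (link, cookie injection on a sibling host, ...), and wait for the
 * victim to log in on that id. If the id survives login, the attacker now
 * holds an authenticated session. Issuing a new id at login breaks that.
 *
 * Assumptions: form fields "username" and "password"; checkCredentials()
 * stands in for the real credential check.
 */
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (user == null || password == null || !checkCredentials(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Rotate the id BEFORE anything that marks the session as authenticated
        // is stored in it, so the pre-login id never carries authenticated state.
        HttpSession session = rotateSessionId(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/");
    }

    /**
     * Pre-Servlet-3.1 way to change the session id: invalidate the old
     * session (Tomcat will refuse that id from now on) and create a new one,
     * carrying over the attributes and the inactivity timeout. On Servlet 3.1+
     * the body of this method can be replaced by req.changeSessionId().
     */
    static HttpSession rotateSessionId(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old == null) {
            return req.getSession(true);      // nothing to carry over
        }

        Map<String, Object> attrs = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }
        int timeout = old.getMaxInactiveInterval();

        old.invalidate();                         // the attacker's id dies here
        HttpSession fresh = req.getSession(true); // Tomcat sends a new JSESSIONID cookie
        fresh.setMaxInactiveInterval(timeout);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Stand-in for the application's real credential check (assumed). */
    private boolean checkCredentials(String user, String password) {
        throw new UnsupportedOperationException("wire this to your LDAP/DB check");
    }
}
```

Two things to keep alongside the rotation: the session cookie should carry the Secure flag when the site is served over HTTPS (otherwise a plain-HTTP request to the same host leaks it), and the application should never accept a session id from a URL parameter once cookies are in use, since URL ids are the easiest ones for an attacker to plant.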
Re: Tomcat 7.0.28 connection pool issue
On Thu, Jun 28, 2012 at 12:38 PM, Yasser yarafa...@gmail.com wrote: Yes. It does show that maxactive has reached 100. I also use splunk to get the connection status at the oracle side. What I dont understand is that Resin needs just 50 connections to handle the same load. I am in the process of increasing the count to 300 and see if that makes a difference. Oracle has the capacity to handle that many connections. We hit an odd oracle exception that may be related. Can't explain it really well, but the essence of the bug in Oracle was that the tnslistener's connection count wasn't updated regularly enough when connections closed, so it could believe that the connection limit had exceeded when the db instance was still happy to accept more connections. As I recall this was a known Oracle issue, and was fixed by increasing the acceptable connection count in Oracle. Can you provide the exact exception from the logs that you hit? Also have you tried turning on connection pool logging to diagnose when actual physical connections are created? Chris
Re: Wish to use an independent class module in Tomcat
On Tue, Jun 26, 2012 at 12:46 PM, Cotton, Joseph B bcot...@dpscs.state.md.us wrote: I looked at the Realm documentation for a few minutes, but it appears to be intended for User ID and Password verification. Joseph, Ignore Martin's JDBCRealm suggestion - his responses don't seem to relate to your concern We wish to have a class running on Tomcat that contains system wide info and multiple database connections into DB2 on the mainframe. All other apps running on Tomcat will open an instance of this class to access the static info and one of five open connections. Opening and closing database connections is very slow and we wish to leave open the connections and just reuse them as needed. Each webapp exists in isolation - they are all inside the same JVM, so in theory you could allow them to talk to a single instance. Perhaps it would be clearer/cleaner to have the common code in a separate JVM, and then use some kind of RMI to communicate to it? Or perhaps you could have a background component that performs requests that are queued to disk/memory/database/message queue? Perhaps a dumb question - if the connections are slow to open, that's fine but just allow each app to have one open and then they can co-exist and you don't need to worry about all of this? HTH Chris We wrote the class and it runs ok. Yet to get it to run with an app, we need to load the class jar file into the app and references in context.xml and web.xml as listed in the documentation. But that defeats the purpose of the global app because then there are multiple instances of the class. We tried to insert a reference in GlobalNamingResources of server.xml. It doesn't seem to work for us. Or are we off base with this design? Is app to app communication allowed? Can I call a class from one app to another without first loading the called class into the calling class? I am using NetBeans IDE 7.1.1, Apache Tomcat 7.0.22 and Java 6.23 (build 1.6.0_23-b05). 
Java 7 is not an option in our shop yet because we are supporting a commercial package that breaks when run under Java 7. I would appreciate if the group could point me to the correct documentation to do what we are looking for, and perhaps a translation of the Tomcat specific terminology and jargon. Thanks Joe
Re: Request timeout option in HTTP or AJP Connector
Using tomcat 6.0.29. i want to know is there any parameter in HTTP\AJP connector to set request time out (i.e. if a particular request is taking a long time to complete it should time out after the configured timeout value)? My web application is communicating with some external system where response is very slow for particular queries so i want tomcat to timeout those requests. How do you communicate with the external system? You say particular queries so is it jdbc? Can't you set a timeout on whatever communication mechanism you use to connect to the external system? Then detect the timeout in your webapp and respond appropriately Chris
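Chris's suggestion is to bound the outbound call rather than ask the connector to abort requests: the connector's connectionTimeout governs how long Tomcat waits for a client to send its request line and headers, not how long a servlet is allowed to run. The servlet below is an added example written for this page, not code from the thread; it assumes a JNDI DataSource bound at java:comp/env/jdbc/external and a table named lookup_table with columns id and payload, all hypothetical. Statement.setQueryTimeout() is only effective if the JDBC driver honours it (check the driver's documentation), and JDBC 4 drivers report the timeout as SQLTimeoutException while older drivers raise a plain SQLException, so both are handled.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.SQLTimeoutException;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/**
 * Added example: put the time limit on the slow external query itself, and
 * turn a timeout into a clean 504 instead of a request thread that hangs
 * until the client gives up. JNDI name and table are hypothetical.
 */
public class SlowBackendServlet extends HttpServlet {

    /** Seconds the JDBC driver may wait for the statement before cancelling it. */
    private static final int QUERY_TIMEOUT_SECONDS = 10;

    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            InitialContext ctx = new InitialContext();
            // Assumed: a <resource-ref> in web.xml and a matching <Resource> in context.xml.
            dataSource = (DataSource) ctx.lookup("java:comp/env/jdbc/external");
        } catch (NamingException e) {
            throw new ServletException("jdbc/external is not bound in JNDI", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String id = req.getParameter("id");
        if (id == null || id.length() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            String payload = lookup(id);
            if (payload == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            resp.setContentType("text/plain;charset=UTF-8");
            resp.getWriter().print(payload);
        } catch (SQLTimeoutException e) {
            // JDBC 4 drivers: the statement exceeded QUERY_TIMEOUT_SECONDS and was cancelled.
            resp.sendError(HttpServletResponse.SC_GATEWAY_TIMEOUT, "backend query timed out");
        } catch (SQLException e) {
            // Older drivers signal a timeout as a plain SQLException. Log the detail
            // server-side; never echo e.getMessage() (table names, SQL) to the client.
            log("backend query failed for id=" + id, e);
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "backend unavailable");
        }
    }

    /** One parameterised query with a hard bound on how long the driver waits. */
    String lookup(String id) throws SQLException {
        Connection conn = dataSource.getConnection();
        try {
            PreparedStatement ps = conn.prepareStatement(
                    "SELECT payload FROM lookup_table WHERE id = ?");
            try {
                ps.setQueryTimeout(QUERY_TIMEOUT_SECONDS); // driver cancels the statement after this
                ps.setString(1, id);                       // bound parameter, not concatenated
                ResultSet rs = ps.executeQuery();
                try {
                    return rs.next() ? rs.getString(1) : null;
                } finally {
                    rs.close();
                }
            } finally {
                ps.close();
            }
        } finally {
            conn.close(); // hands the connection back to the pool
        }
    }
}
```

If the external system is reached over HTTP instead, the equivalent knobs are HttpURLConnection.setConnectTimeout() and setReadTimeout(), with java.net.SocketTimeoutException in place of SQLTimeoutException. Either way the point is the same: a request that is stuck on a backend should release its Tomcat thread and its pooled connection on a schedule you chose, not whenever the client disconnects.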
Re: user switching or application interacting with container based authentication
> any hint on fast-user-switching or applications-interacting-with-container-based-authentication are very welcome.

Dirk,

We had an app where support staff can login, and then on a special form enter the username of the person to impersonate and their own password (to prevent abuse), and the system then allows them to impersonate the user. Worked well for viewing exactly what the user was seeing when reporting issues. To do this we used acegi security - it has built in support for impersonation.

HTH

Chris
Fwd: mod_jk binary
Steffen from apache lounge asked me to forward this to the tomcat mailing list.

Chris

-- Forwarded message --
From: Steffen i...@apachelounge.com
Date: Wed, May 16, 2012 at 12:10 PM
Subject: Re: mod_jk binary

Chris,

Made 1.2.36 Apache 2.4 Win32/Win64 available. Maybe you can say it on the Tomcat user list.

Steffen
Re: IE caching problem-
> never had this problem when i deployed to Solaris
> I'll try again tomorrow when i have a REAL Operating System to deploy my webapp

So you have a web app, serving up web pages, that are being cached in a browser. The browser is not refreshing, for reasons unknown. You say that the clock was incorrect, but now I assume the problem is still occurring. Yet you think that moving the webapp to a real OS will help?

Browsers cache pages only if they are told to. Have you used some kind of technique to check the headers? Fiddler or Live HTTP Headers? Why are the pages being cached? Once you know that, perhaps you can resolve the issue.

If I had a car that wouldn't start, I know nothing about cars but I'm reasonably confident that changing the garage won't help the issue that much.

Chris
Re: 64bit windows mod_jk connector download for apache httpd 2.4
>> Wow, that was fast. Far better than commercial support IMO
>
> I am grateful too for the above, but since you appear to have a good connection, and for the sake of symmetry, should not one ask them also for the 32-bit version?

I sent one email, and he went for it. I don't really call that a good connection.

I also thought about the symmetry thing yesterday and asked for a 32 bit one. He replied last night saying it was bed time, and would do it tomorrow. He emailed again today saying it was there now, and when I checked today it was there.

So I think we owe Steffen from apache lounge some thanks/donations.

Chris
Re: 64bit windows mod_jk connector download for apache httpd 2.4
>> Exactly. Might be better to come from userland
>
> +1
>
> I have emailed the apache lounge contact email asking if they would consider including a build of mod_jk - lets see what happens
>
> Thanks
>
> Chris

And we have a winner - 64 bit mod_jk now present on http://www.apachelounge.com/download/win64/

Thanks for all your help, and apache lounge for doing the work.

Chris
Re: 64bit windows mod_jk connector download for apache httpd 2.4
> Exactly. Might be better to come from userland

+1

I have emailed the apache lounge contact email asking if they would consider including a build of mod_jk - lets see what happens.

Thanks

Chris
Re: 64bit windows mod_jk connector download for apache httpd 2.4
On Wed, Apr 18, 2012 at 5:07 PM, Mladen Turk mt...@apache.org wrote:

> On 04/18/2012 02:00 PM, chris derham wrote:
>> All,
>>
>> Our setup has apache tomcat running behind apache httpd using mod_jk. I would like to upgrade to apache 2.4, but for this I need to find a 64bit mod_jk release for httpd 2.4. The binaries contained at http://tomcat.apache.org/download-connectors.cgi are 32 bit httpd connectors, or a 64bit iis one.
>
> Why would you need a 64-bit httpd at the first place especially on windows.

Can't help feel that I am falling into a trap here, but if we have a windows 64 bit OS, using a 64 bit JVM and 64 bit tomcat, are you suggesting that it would be better to use a 32 bit httpd and mod_jk?

> Anyhow, building should be easy if you have 64-bit windows dev httpd.
> Open Vstudio command prompt for 64-bit development (You should have a shortcut for that)
>
>     cd where-ever-you-unzip\tomcat-connectors-1.2.35-src\native\apache-2.0
>     nmake -f Makefile.vc ARCH=AMD64 APACHE24_HOME=C:\httpd-2.4.2

Worked perfectly. Thank you.

Would you think that it is a good idea to add this text to a new section in building.txt? I can supply the patch to the documentation if you concur, just not sure if this should go into a new file or an addendum to the existing one.

I see that the binary releases that are available are signed by you. So perhaps I could ask why there isn't a 64 bit mod_jk included? I assume the answer will relate to your response to the above question.

Thanks for your help

Chris
64bit windows mod_jk connector download for apache httpd 2.4
All,

Our setup has apache tomcat running behind apache httpd using mod_jk. I would like to upgrade to apache 2.4, but for this I need to find a 64bit mod_jk release for httpd 2.4. The binaries contained at http://tomcat.apache.org/download-connectors.cgi are 32 bit httpd connectors, or a 64bit iis one.

Can somebody help point me to where suitable binaries are? Alternatively could somebody point to some documentation showing how to build them myself? I know for unix you can just download the source and follow the build scripts, but for windows I believe that the build process will be considerably more complicated than configure; make.

Thanks for any help

Chris
Re: Tomcat with mod_jk becomes irresponsive after working for awhile
Ofer,

Look at the articles in the link already given - http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F - find the bit about sendsignal. Download this program, and run it. This provides the windows equivalent of sending -3 to a *nix java process, i.e. encourages it to provide a thread dump. I have used it in the past on windows with great success. Requires no changes to get it to run, i.e. you do not have to restart a process or configure it.

HTH

Chris
Re: Tomcat with mod_jk becomes irresponsive after working for awhile
>> http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F for more info, to get a thread dump of tomcat.
>
> I have seen that page but actually can't use the //MS// option as Tomcat is already running and in this bad state that I want to catch without restarting the service. Is there some way to gather this information without a restart?

If you look at that article, the paragraph above where it mentions the //MS// option mentions using sendSignal to generate a thread dump. We've used that in the past and it allows generation of a thread dump on an already running process with no restart.

Chris
Re: JNDI Access in Lifecycle Listener
> i load a spring xml with my own lifecycle listener. Which works pretty well actually. In my spring xml i try to get a datasource from the JNDI context. I put the definition in the server.xml under GlobalNamingResources. My lifecycle listener is loaded after the GlobalResourcesLifecycleListener.
>
> During the startup catalina.out tells me:
>
>     javax.naming.NameNotFoundException: Name java:comp is not bound in this Context
>
> My first idea was, that the JNDI context is not published when loading the spring xml file, so i tried to add a specific environment to the spring lookup
>
>     <jee:environment>
>         java.naming.factory.initial=org.apache.naming.java.javaURLContextFactory
>         java.naming.provider.url=file:${catalina.base}/conf/server.xml
>         java.naming.factory.url.pkgs=org.apache.naming
>     </jee:environment>
>
> That doesn't help. Can someone tell me how to access the context in this early state of loading.

Please provide the configuration of the jndi lookup in spring.xml and the tomcat jndi configuration. Version details of java/tomcat/spring may also help.

Thanks

Chris
Re: Tomcat memory requirements
> Hi Celso, your signature is in Portuguese, because of that I will talk in Portuguese...
>
> I have 12 years of experience with Linux and two published books, and I have never seen a Tomcat run without consuming a huge pile of megabytes of memory. I think Java is a bad platform, but one that everyone defends and wants to use. Maybe it is easier to develop in Java, which I find hard to believe is true; maybe portability is easier, but I find it unlikely that PHP is not portable and that there are no other portable things such as Ruby. What I do know is that in every company I went to in order to solve some server problem, the Tomcat that was eating memory was on the list. For example, in the company I am at now, Tomcat consumes 2 GB of memory, on a system that processes 2 million records; although that seems explainable, it would never happen if we were using PHP. I have never been to a company and had them complain to me that a PHP application was slow or eating memory; that is a myth. But a real myth is to say that Linux will solve Java's problem, which is eating memory to infinity. Maybe it is the developers that are really bad, but I have yet to find a good one, since every company I went to had the same problem. I hope I am not expelled from this list for saying this. But unfortunately everyone here, deep in their heart, must know that it is true. Now, if your system is locking up, start by increasing the memory of the Java virtual machine.

For the benefit of the non-portuguese speaking list members, Luciano basically has a rant about

1) how in his experience java always consumes lots of memory
2) how php is much better
3) how php doesn't randomly consume memory

He also wishes that he is not expelled from the mailing list for making these comments.

Rather than having a php vs java discussion, I would just reply that the java process is configured to have a maximum amount of memory. The java process will never exceed this. If you have gone into an environment where the server is using 2gb of memory, then it was explicitly configured to do so. It is not true to say that java just kept on consuming memory infinitely.

> 2012/1/25, Celso Magalhães Dantas Neto ce...@reconcavo.org.br:
>> Hey everyone!
>>
>> Does anyone know where I can find any information about Tomcat memory requirements?

Couldn't you just run tomcat without any webapps installed? Surely that would provide the information that you require? Presumably it would be different on each platform, so doing this on your target platform would be easiest.

>> Here's the problem: I got a client who's running a Tomcat process in his machine and it is taking around 150MB of RAM and he is complaining about it. It's a webapp and for me it's normal for a webapp to take that amount of memory, but I want to argue with him with some data.

If in his server the tomcat process takes 150MB of memory, what is the issue? The box has more than 150MB of memory free right, so what's wrong?

>> So I'm looking for some Tomcat memory requirements info, even if it's the memory requirements to run Tomcat only, with no deployed webapp. It will help me to argue with him.

Good luck

Chris
Re: Strategy to prohibit concurrent users authenticated through Tomcat
> I am using Tomcat 7.0.11 and use Form Authentication (via j_security_check) to authenticate through the Tomcat server. Currently, two users with the same username can log into my application from two different computers and concurrently access the app. Is there a way to prohibit a user from authenticating if a user with the same username has previously authenticated and still has an active session?

We use spring security in a web app that is deployed in tomcat. It has built in support for this - you can configure it to either disallow subsequent sessions, or kill the first session and allow subsequent sessions. This should explain it better than I can: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html. Don't know how big a task it would be for you to move to this, but it works really well for us.

> If you provide a bit more information about what you are trying/need to do, someone may come up with a better idea. For example, what is the real problem - in your application - when two people at different computers login with the same user-id?

+1

Chris
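For readers who cannot move to Spring Security, the same two policies the reply describes (refuse a second login, or expire the first session) can be enforced with plain Servlet API. The code below is an added example, not from the thread or from Tomcat; it assumes container FORM authentication so that `getRemoteUser()` is populated, a filter mapped to `/*`, and the listener and filter registered in web.xml (all names are mine).

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Tracks the one live session per username. The static map lives in the webapp's
// class loader, so each deployed context keeps its own registry.
public class SingleSessionRegistry implements HttpSessionListener {

    public enum Policy { REJECT_NEW, EXPIRE_OLD }

    static final String USER_ATTR = "SingleSessionRegistry.username";
    private static final Map<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<String, HttpSession>();

    // Returns false when the login must be refused under REJECT_NEW.
    public static synchronized boolean register(String username, HttpSession session, Policy policy) {
        HttpSession existing = ACTIVE.get(username);
        if (existing != null && !existing.getId().equals(session.getId())) {
            if (policy == Policy.REJECT_NEW) {
                return false;
            }
            try {
                existing.invalidate();      // fires sessionDestroyed, which unregisters it
            } catch (IllegalStateException alreadyInvalid) {
                // the old session expired between lookup and invalidate; nothing to do
            }
        }
        ACTIVE.put(username, session);
        session.setAttribute(USER_ATTR, username);
        return true;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { }

    // Sessions also end by timeout, so unregister here rather than only on logout.
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object user = s.getAttribute(USER_ATTR);
        if (user != null) {
            ACTIVE.remove(user, s);     // remove only if this session is still the registered one
        }
    }
}

// Runs after the container's FORM login: the first request that carries a remote
// user but an unregistered session is the moment to enforce the policy.
class SingleSessionFilter implements Filter {
    private SingleSessionRegistry.Policy policy = SingleSessionRegistry.Policy.EXPIRE_OLD;

    @Override
    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("policy");   // "REJECT_NEW" or "EXPIRE_OLD" (assumed name)
        if (p != null) {
            policy = SingleSessionRegistry.Policy.valueOf(p);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String user = r.getRemoteUser();
        HttpSession session = r.getSession(false);
        if (user != null && session != null
                && session.getAttribute(SingleSessionRegistry.USER_ATTR) == null) {
            if (!SingleSessionRegistry.register(user, session, policy)) {
                session.invalidate();   // drop the authenticated state of the duplicate login
                ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_CONFLICT,
                        "This account already has an active session");
                return;
            }
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }
}
```

With REJECT_NEW a user who simply closes the browser cannot log in again until the old session times out, which is the trade-off the Spring documentation linked above also describes; EXPIRE_OLD avoids that but lets a second login push the first one out. Registration is keyed on the session object rather than its id because Tomcat changes the id on authentication (session fixation protection), and the filter only registers once `getRemoteUser()` is set, i.e. after that change.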
Re: Single war file - multiple hosts - can't get log4j to log to different files
>> We thought this would allow us to monitor all contexts with a single probe install, but it only seems to show a single localhost context. I assume that the hosts are separated, and that the context=privileged setting can allow a web app to access other webapps in the same context, but not across hosts.
>
> So... what setting is that?

I meant the crossContext=true setting. I have searched around, and can see that both tomcat's manager and probe are not able to monitor virtual hosts other than the one that they reside in. So I will just have to deploy manager and/or probe for each virtual host. I just wanted to see everything in a single place - from what I have read this can't be done.

> 1. Move your .war files from out of the webapps directory (and subdirs)
> 2. Update the paths in ROOT.xml and probe.xml to point to the new location
> 3. Remove the local and demos directories

Thanks for the pointer. What I ended up doing was moving all wars to CATALINA_BASE/notWebapps. Then I unpacked them, and set the relevant context.xml's docBase to point to the exploded directory. Seems to work well now.

>> The only idea I have left if nobody can see an obvious flaw in our logic is to write some custom code to initialise log4j. We would just need to pick up the context, or a jndi variable and then prefix the log file name with this. Guess it can't be that hard - just figured that somebody would have hit this before.
>
> I think that's your best bet.

Yes it was surprisingly easy. We created a subclass of spring's Log4jConfigListener, and then prefix the file parameter of any file appenders. We set the web.xml value to blank, which is ignored, and then when required we can override it in context.xml. Thanks for the pointer.

>> I recall that Mark Thomas mentioned something in a recent response about looking for some code in tomcat source where it allowed different contexts to register with JMX using different ports. I looked and can't find it - always hard to google for something if you don't know the term. Can anyone provide a pointer to if there is an existing variable containing a context id, or path, or name or something unique that we could use to prefix the log file - or is it just easier to setup our own context parameter?
>
> I'm not sure that using JMX is going to make your life any easier.

I thought that via some internal to tomcat mechanism, I would be able to detect which context I was in, and thus be able to use that to drive the prefix for the log file, rather than having to have a specific web.xml setting that each context overrides.

Thanks for your quick and detailed reply

Chris
Re: Babysitting ThreadLocals
> A silly question: why do you use a ThreadLocal to store a constant value for the entire application? why not a static variable or store into web application context, for example?

The string of the date format is constant. However the SimpleDateFormat class is not threadsafe, so you will hit intermittent issues when sharing across threads.

> So, my question is whether or not there is a good way to clean-out the ThreadLocals from our webapp?

It would be much simpler code to read/write/maintain if you just create new ones each time - as Charles says. Then profile the app, and only if the creation of SimpleDateFormat objects is slowing the app, then try to optimise. If you do this, and find that creating these objects is taking more time, then perhaps one method would be to use a weak object reference to the thread local. That way you would get the best of both worlds - no memory leak and reduced creation of SimpleDateFormat. However most people coding probably won't know what a ThreadLocal class is/does, let alone a weak memory reference. IMO it would be easier just to code the easy way.

Chris
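The two options discussed in this reply side by side, as an added example that is not code from the thread: a fresh SimpleDateFormat per call (nothing to clean up), and a ThreadLocal-cached one whose value is removed by a filter at the end of every request, so that Tomcat's pooled worker threads carry nothing from the webapp once it is undeployed. Class names, the date pattern and the filter mapping (`/*`) are my assumptions.

```java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Date;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// The pattern is a constant; the formatter object is not thread-safe, so one
// shared instance across request threads corrupts output intermittently.
public final class DateFormats {
    private static final String PATTERN = "yyyy-MM-dd HH:mm:ss";   // assumed pattern

    private static final ThreadLocal<SimpleDateFormat> FORMAT =
            new ThreadLocal<SimpleDateFormat>() {
                @Override
                protected SimpleDateFormat initialValue() {
                    return new SimpleDateFormat(PATTERN);
                }
            };

    private DateFormats() { }

    // The "easy way" from the thread: a fresh formatter per call, nothing to clean up.
    public static String formatSimple(Date d) {
        return new SimpleDateFormat(PATTERN).format(d);
    }

    // The ThreadLocal way: cheaper under load, but the value must be removed
    // before the request thread goes back to the container's pool.
    public static String formatCached(Date d) {
        return FORMAT.get().format(d);
    }

    public static void clear() {
        FORMAT.remove();
    }
}

// Mapped to /*. The finally block runs even when the request throws, so the
// worker thread never keeps per-webapp state after the request, which is the
// condition Tomcat's ThreadLocal leak detection warns about when a context stops.
class ThreadLocalCleanupFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(request, response);
        } finally {
            DateFormats.clear();
        }
    }

    @Override
    public void destroy() { }
}
```

Putting the `remove()` in a filter rather than in each place that formats a date keeps the clean-up in one spot; if the cached variant is later dropped in favour of `formatSimple`, the filter becomes a no-op and can be deleted.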
Single war file - multiple hosts - can't get log4j to log to different files
All,

Java running on windows 2008 r2 against tomcat 7.0.19

    java version 1.6.0_24
    Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
    Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)

I have a single war file, and would like to host multiple demo sites of our app. So ideally users access demo1.company.com and demo2.company.com. Completely isolated, but all running the same war. Please correct me wherever my logic is wrong, but I figured that I would

1) have a tomcat instance, containing config directory. This would have catalina/demo1.company.com/ROOT.xml containing pertinent jndi config.

2) in server.xml add this

    <Host name="demo1.company.com" appBase="webapps\demos" unpackWARs="false" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="demo_access_log." suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/>
    </Host>

When I start the app, it works and the app works. However all contexts' apps log to the same log file. What I want to know is how to make the different contexts under different hosts log to different files. Our log4j file contains

    <appender name="FILE" class="org.apache.log4j.rolling.RollingFileAppender">
        <param name="Threshold" value="INFO" />
        <param name="File" value="${catalina.base}/logs/demo.log" />
        <param name="Append" value="true" />
        <rollingPolicy class="org.apache.log4j.rolling.TimeBasedRollingPolicy">
            <param name="FileNamePattern" value="${catalina.base}/logs/demo.%d{-MM-dd}.log" />
        </rollingPolicy>
        <layout class="org.apache.log4j.PatternLayout">
            <param name="ConversionPattern" value="%d %t %X{user} %-5p [%c] %m%n" />
        </layout>
    </appender>

I have searched around, and found some references to JNDI context selectors for log4j, but I believe that this is to allow log4j separation - not directly related to what I am trying to do.

I have tried to add a suitable web.xml environment entry, and then add it to the log file name, e.g. ${catalina.base}/logs/${tomcatInstancePrefix}demo.log. Then in ROOT.xml for each host I add

    <Environment name="tomcatInstancePrefix" value="demo2-" type="java.lang.String" override="false"/>

and in web.xml I add

    <resource-env-ref>
        <resource-env-ref-name>tomcatInstancePrefix</resource-env-ref-name>
        <resource-env-ref-type>java.lang.String</resource-env-ref-type>
    </resource-env-ref>

but that didn't work.

Has anyone else done this? I can't believe that we are unique. Perhaps I am just ignorant of the correct term to search for. Any help greatly appreciated.

Thanks

Chris
Re: Single war file - multiple hosts - can't get log4j to log to different files
>> <Host name="demo1.company.com" appBase="webapps\demos" unpackWARs="false" autoDeploy="false">
>
> The appBase I find a little concerning... You don't have any apps directly placed in webapps do you?

So I wasn't 100% sure exactly what to do here. I setup a folder under webapps called demos. We put our app there, named ROOT.war. Then in another subfolder of webapps called local, we put probe.war. We thought this would allow us to monitor all contexts with a single probe install, but it only seems to show a single localhost context. I assume that the hosts are separated, and that the context=privileged setting can allow a web app to access other webapps in the same context, but not across hosts. Does that explanation make sense, and does that remove your concern?

The only idea I have left if nobody can see an obvious flaw in our logic is to write some custom code to initialise log4j. We would just need to pick up the context, or a jndi variable and then prefix the log file name with this. Guess it can't be that hard - just figured that somebody would have hit this before.

I recall that Mark Thomas mentioned something in a recent response about looking for some code in tomcat source where it allowed different contexts to register with JMX using different ports. I looked and can't find it - always hard to google for something if you don't know the term. Can anyone provide a pointer to if there is an existing variable containing a context id, or path, or name or something unique that we could use to prefix the log file - or is it just easier to setup our own context parameter?

Thanks

Chris
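The reason the `${tomcatInstancePrefix}` approach in log4j.xml cannot work is that log4j 1.x resolves `${...}` in its configuration from system properties, which are JVM-wide, so one value cannot differ per virtual host; the per-host `<Environment>` entry is only reachable through JNDI. The listener below, an added example that is not the thread's Spring Log4jConfigListener subclass or any Tomcat code, does what the later replies in this thread describe: it reads `java:comp/env/tomcatInstancePrefix` at context start and programmatically attaches a file appender with that prefix. It assumes the `<Environment>` entry from the original post's ROOT.xml, plain log4j 1.2 (a simple FileAppender in place of the rolling one shown above), and registration as a `<listener>` in web.xml; class and method names are mine.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

import org.apache.log4j.FileAppender;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.PatternLayout;

// One instance per deployed context, so each demo host gets its own appender
// and its own file under ${catalina.base}/logs.
public class PrefixedLog4jListener implements ServletContextListener {

    // Name of the <Environment> entry from the thread's ROOT.xml, as seen by the webapp
    static final String JNDI_NAME = "java:comp/env/tomcatInstancePrefix";

    private FileAppender appender;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        String prefix = sanitize(lookupPrefix());
        String base = System.getProperty("catalina.base", ".");
        String file = base + "/logs/" + prefix + "demo.log";

        appender = new FileAppender();
        appender.setName("FILE");
        appender.setFile(file);
        appender.setAppend(true);
        appender.setThreshold(Level.INFO);
        appender.setLayout(new PatternLayout("%d %t %X{user} %-5p [%c] %m%n"));
        appender.activateOptions();      // opens the file; log4j reports an error if it cannot

        Logger root = Logger.getRootLogger();
        root.addAppender(appender);
        root.info("log4j writing to " + file);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        if (appender != null) {
            Logger.getRootLogger().removeAppender(appender);
            appender.close();            // release the file handle on undeploy
        }
    }

    // Reads the per-host entry; an empty prefix is used when it is not bound
    // (for example a plain localhost deployment with no ROOT.xml override).
    static String lookupPrefix() {
        try {
            Object value = new InitialContext().lookup(JNDI_NAME);
            return value == null ? "" : value.toString();
        } catch (NamingException notBound) {
            return "";
        }
    }

    // The prefix becomes part of a file system path, so allow only a safe character
    // set: a mistyped value such as "../" must not move the log file out of logs/.
    static String sanitize(String prefix) {
        return prefix.replaceAll("[^A-Za-z0-9_-]", "");
    }
}
```

Because the appender is created in code, the log4j.xml shipped inside the war no longer needs a FILE appender at all; the console or other appenders it declares keep working alongside the one added here. The `sanitize` step is worth keeping even though the value comes from the administrator's own ROOT.xml, since it is the only thing between a configuration typo and a log file written to an arbitrary path.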
Re: Grabbing the user's info
> But for _transparent_ authentication IIS is required as Christopher mentioned.

That is not true. You can use SPNEGO to setup transparent authentication directly to tomcat. You do not need IIS. This means that a browser accesses a protected url on the server, the server and browser discuss who the user is, and then the application is presented with that information. This discussion is transparent and involves no user interaction. This can be done by default in IE and I believe Chrome, but Firefox is more secure so needs to have this authentication explicitly enabled - by default it is turned off to stop hackers falsely requesting the details from a malicious server.

HTH

Chris
Re: Include NEtwork path into Tomcat - urgent
On Tue, Nov 15, 2011 at 11:39 AM, Alexander Diedler adied...@tecracer.de wrote:

> Hello,
> This is no option, this solution means that the windows session must still remain opened with a logged in user.

Not true. You can setup tomcat to run under a service account, and have the service account map that drive.

Chris
Re: SSL for modjk and tomcat
>> Simple I have setup httpd, modjk, tomcat. I want to enable SSL (i.e. I can handle everything on https).
>
> If you have httpd sending traffic via mod_jk to tomcat, you are nearly there. Just configure httpd to listen over ssl.
>
> If (instead) you want to encrypt the AJP connection between HTTPD and Tomcat, you'll have to use an SSH tunnel because the AJP protocol is not encrypted.

> Now AJP not support SSL fine. i.e. AJP protocol is not encrypted. I dont want SSH tunnel.

That's fine if you don't want/need a tunnel.

> What other approach I can follow now. I mean other way? I am not sure where to configure those mod jk directives and what configurations at tomcat side?

I don't think you quite understand how this list works. You need to ask a specific question, and people will generally try to provide a specific answer. In your email you say you have httpd/mod_jk/tomcat communicating. You keep saying that you want to turn on ssl. As 3 people have already pointed out, you can have ssl between browser and httpd. You can have ssl between httpd and tomcat, but you said you don't want that. If you configure httpd for ssl, then you're probably there. IMO you only need to worry about those mod_jk directives if you need tomcat to know that it is being handed a connection that has come from an ssl connection. Perhaps explain why you need this ssl information in your app? Perhaps supply a copy of web.xml with the security constraints? In short help us help you - http://www.catb.org/~esr/faqs/smart-questions.html

Chris
Re: Session time out never takes place with ajax
> So to recap, and verify my understanding... Perhaps I am missing some valve overview. I understand it is invoked before the filters, but after completion it would arrive to the filter/servlet container anyway. So what you're saying is that if I build a valve and read information from IO file or/db or any other cached data which doesn't trigger a request.getSession, that will work? And if so, I will still need to break the chain and prevent it from continuing deeper into tomcat or else it will update the session access time.

Instead of mapping all requests e.g. /* through security*, you could split your app. So say /public folder contains static resources and requires no security*. You could put dynamic resources under /dynamic and map to security*. That way anybody requesting a dynamic resource would need a session, and this would be touched on every request to /dynamic/*. If you had this kind of setup, then you could create another top level folder called say /ajaxPing and not map that to security*. Then as long as the filter/servlet/jsp page that fulfills that request does not call request.getSession, you will fulfill your aim to respond without affecting session expiration.

Alternatively you could put a valve in the front of the whole web app, and have that respond to a given url, and then stop the request, e.g. not pass the request to tomcat. I believe that is what Mr Schultz was suggesting.

* when I keep saying security, I'm not sure of the correct collective term. I don't just mean container security, but also any filter/servlet/jsp that calls request.getSession

HTH

Chris
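The "valve in front of the whole web app" alternative, written out as an added example (not code from the thread or from Tomcat). It assumes the Tomcat 7 Catalina API (`org.apache.catalina.valves.ValveBase`, `org.apache.catalina.connector.Request`/`Response`), that the valve is declared in the context's context.xml so it runs before the authenticator, and a `pingPath` attribute name of my choosing.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

// Answers a keep-alive ping without ever resolving the HttpSession, so the
// session's last-accessed time is left alone and the idle timeout still fires.
public class AjaxPingValve extends ValveBase {

    // Path below the context root that the page's JavaScript polls.
    // Settable from the <Valve> element as pingPath="..." (assumed attribute name).
    private String pingPath = "/ajaxPing";

    public void setPingPath(String pingPath) {
        this.pingPath = pingPath;
    }

    public String getPingPath() {
        return pingPath;
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String uri = request.getRequestURI();
        String ctx = request.getContextPath();   // "" for the ROOT context

        if (uri != null && "GET".equals(request.getMethod()) && uri.equals(ctx + pingPath)) {
            // Nothing here calls getSession()/getSessionInternal(). The JSESSIONID
            // cookie is still on the request but is never looked up, so the session
            // manager never refreshes the access time.
            response.setStatus(200);
            response.setContentType("text/plain");
            response.setHeader("Cache-Control", "no-store");
            PrintWriter out = response.getWriter();
            out.print("pong");
            out.flush();
            return;    // stop here; the rest of the pipeline never sees this request
        }
        getNext().invoke(request, response);
    }
}
```

Two things follow from where this valve sits. It runs before the authenticator and before any security constraint, so the ping response must stay a constant with no user or application data in it, as here. And it must never consult the session for any reason (not even to decide whether to answer): any `getSession` call, including Tomcat's own on the way to a protected resource, updates the access time, which is exactly what the thread is trying to avoid.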
Re: how to connect to datasource
> may I know, how to connect to datasource automatically if my DB machine is restarted?? Is it having any specific parameter to connect datasource automatically??

How does the existing app connect to the database? Can you show the code please - remove any sensitive passwords.

Thanks

Chris