Re: Tomcat 8 classloading

2016-07-13 Thread chris derham
> Hi There,
>
> We are about to upgrade from tomcat-7.0.65 to tomcat-8.0.XX, and this is
> regarding the loading of the same JARs within different applications. To
> understand the scenario, consider the case below:
>
> Tomcat 8 ---
> webapps
> a.war--> lib--> spring.jar
> b.war--> lib--> spring.jar
>
> Here b.war is just a copy of a.war, renamed only to differentiate; hence
> spring.jar is the same for both applications.
>
> My question is
>
> 1) Will spring.jar be loaded twice?

Yes, it will be loaded twice.

> 2) How do I make sure to load it only once (if loaded twice)?

This question comes up frequently. Search the mailing list for shared
class loader to see the details. The upshot is that this can be done
using shared class loader, however there are real technical issues if
you do this - class cast exceptions, difficulty performing upgrades to
individual wars without taking down all of tomcat. The only positive
is that you might save a few MB of memory cost by having the same jar
loaded twice in memory.

I've been on this mailing list for ~8 years, and every time this
issue comes up (about 5 times a year?), the tomcat developers suggest
that the proposed memory saving isn't worth the problems that it
causes.

HTH

Chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: AW: AW: Suppress or replace WWW-Authorization header

2015-10-30 Thread chris derham
> I want to say thank you all for your help and the many different ways to solve
> my problem. I think most, maybe all, will work in an ideal world without
> hard requirements from legacy client applications. I don't want to hold
> on to BASIC as the auth method because I like it so much; I'd prefer to kick that
> legacy application. ^^

Torsten,

If you have fixed it, then perhaps I should stop trying to help you.
However I reviewed the previous posts, and think that there was a key
aspect that I didn't mention before. So for the benefit of the email
archive, I'll give it another go.

Set up your landing/index page to be public, i.e. no authentication. The
AngularJS html/js/css/pngs all load freely. I assume that this isn't
too much of an issue, e.g. you want to prevent people accessing the app
unless they have logged in. Then make all RestAPI calls to a
sub-directory called, say, /api/. Add security restrictions to this
sub-directory. As the app starts up, any call to any rest api will
return a 401. As all calls are ajax, no browser login popup. The
global AngularJS ajax error handler I posted previously captures the
response. So when the server detects no (or expired) session, it
returns a 401, & the AngularJS global error handler detects this &
redirects to the login page. The login page captures credentials, posts to
the login api (which obviously needs to be not protected as well), and
then upon success, sends a cookie (or auth token of some sort). Then
AngularJS can send this cookie (or auth token) in each subsequent
RestApi call, et voilà.

I just tested the app I am developing that does this, in Edge, IE,
Chrome & Firefox. All working perfectly. No "ugly" login dialog in
sight. The key point I neglected to mention in my earlier post is that
you need to make sure that the host page is not behind the security.
If you are unwilling to do this, then they will have to log in before
accessing the app, in which case you can't really do anything about
it.

HTH

Chris




Re: AW: Suppress or replace WWW-Authorization header

2015-10-29 Thread chris derham
>> Torsten,
>>
>> Add an interceptor to AngularJS to detect the 401 and do whatever you
>> want, e.g. redirect to a login page. Then when you have the
>> credentials, submit to login rest api, get a token, and then make all
>> other calls passing this token.
>>
>> There are loads of examples on how to do this on the internet. This
>> isn't tomcat specific.
>>
>> function globalInterceptorResponse($injector, $q) {
>>   return {
>>     'response': function (response) {
>>       return response;
>>     },
>>     'responseError': function (rejection) {
>>       switch (rejection.status) {
>>         // ...
>>         case 401:
>>           console.warn("Hit 401 - redirecting to login");
>>           window.location = '/login';
>>           break;
>>         // ...
>>         default:
>>           console.warn(rejection);
>>       }
>>       return $q.reject(rejection);
>>     }
>>   };
>> }
>> globalInterceptorResponse.$inject = ['$injector', '$q'];
>>
>> then in request config,
>>
>> $httpProvider.interceptors.push(globalInterceptorResponse);
>
> This won't work because the application doesn't get a chance to do
> anything until Tomcat completes its authentication/authorization work.
> If the application were handling the authentication/authorization, then
> the original Filter would have worked.
>
> -chris

Chris,

I think that you thought the above was server-side java code. The
above was javascript code that runs in the browser. It does work - I
copied it from a project I am working on now.

Chris




Re: AW: Suppress or replace WWW-Authorization header

2015-10-28 Thread chris derham
> No, container BASIC authentication should be enabled, the container should
> handle the authentication, but the browser should not show its ugly default
> login dialog when I request resources from the REST-service with wrong
> credentials.
> When the REST-client (web-application in the browser) receives a failed
> login with a WWW-Authenticate header, the default dialog of the browser will
> be shown... that's what I want to suppress.
>
> When I remove the (a)  or (b)   sending requests
> with credentials will not work anymore (a: 403 forbidden; b: deployment
> fails). But that's not a solution because the rest-service should still be
> protected and I need to authenticate via the "Authentication: Basic ."
> header to send credentials, but I don't want to show the ugly browser-dialog to
> the users.
>
> Using an AngularJS client with REST-services based on tomcat should be a
> common use-case; it can't be that I'm the first one who wants a custom
> login-screen. :-/
>
> -torsten

Torsten,

Add an interceptor to AngularJS to detect the 401 and do whatever you
want, e.g. redirect to a login page. Then when you have the
credentials, submit to login rest api, get a token, and then make all
other calls passing this token.

There are loads of examples on how to do this on the internet. This
isn't tomcat specific.

function globalInterceptorResponse($injector, $q) {
  return {
    'response': function (response) {
      return response;
    },
    'responseError': function (rejection) {
      switch (rejection.status) {
        // ...
        case 401:
          console.warn("Hit 401 - redirecting to login");
          window.location = '/login';
          break;
        // ...
        default:
          console.warn(rejection);
      }
      return $q.reject(rejection);
    }
  };
}
globalInterceptorResponse.$inject = ['$injector', '$q'];

then in request config,

$httpProvider.interceptors.push(globalInterceptorResponse);


Chris
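The pattern from this post and from the 2015-10-30 follow-up (public landing page, everything under /api/ protected, an unprotected login API, a token sent on every later call) as an added example in plain JavaScript. This is not code from the thread or from Chris's project: the fake server is a constructed in-memory stand-in for Tomcat plus the REST app, and the endpoint names /api/login and /api/orders, the user record and the token format are assumptions.

```javascript
// Added example, not code from the thread or from the author's project.
// Framework-free version of the 401 interceptor pattern: the client attaches a
// token to every API call, treats a 401 as "send the user to the login page",
// and obtains the token from an unprotected login endpoint. The server side is
// a constructed in-memory stand-in for Tomcat + the REST app; /api/login,
// /api/orders, the user record and the token format are all assumptions.

// --- constructed fake server ---------------------------------------------
const VALID_USER = { name: "alice", password: "correct horse" }; // constructed
const SESSIONS = new Set(); // tokens the fake server has issued

function reply(status, body) {
  return Promise.resolve({ status, json: async () => body });
}

function fakeFetch(url, options = {}) {
  const headers = options.headers || {};
  const path = url.split("?")[0];
  // (1) the landing page sits outside the security constraint
  if (path === "/index.html") return reply(200, { page: "landing" });
  // (2) so does the login API; it issues a token for valid credentials
  if (path === "/api/login" && options.method === "POST") {
    const body = JSON.parse(options.body || "{}");
    if (body.user === VALID_USER.name && body.password === VALID_USER.password) {
      const token = "tok-" + SESSIONS.size + "-" + Date.now(); // constructed, not a real session id
      SESSIONS.add(token);
      return reply(200, { token });
    }
    return reply(401, { error: "bad credentials" });
  }
  // (3) everything else under /api/ answers 401 unless a known token is sent
  if (path.startsWith("/api/")) {
    const auth = headers["Authorization"] || "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
    if (!SESSIONS.has(token)) return reply(401, { error: "unauthenticated" });
    return reply(200, { path, data: "secret" });
  }
  return reply(404, {});
}

// --- client: the interceptor pattern -------------------------------------
function createApiClient({ fetchImpl, navigate }) {
  let token = null; // held in memory only, for the life of the page
  const events = []; // what the interceptor did, for inspection

  // the 'response'/'responseError' pair from the AngularJS snippet, as one wrapper
  async function request(path, options = {}) {
    const headers = Object.assign({}, options.headers);
    if (token) headers["Authorization"] = "Bearer " + token;
    const res = await fetchImpl(path, Object.assign({}, options, { headers }));
    if (res.status === 401) {
      token = null; // whatever we had is no longer accepted
      events.push("401 on " + path + " -> redirect to /login");
      navigate("/login"); // window.location = '/login' in a browser
      throw new Error("unauthenticated: " + path);
    }
    return res.json();
  }

  // login goes straight to fetch: a 401 here is a failed login, not a redirect
  async function login(user, password) {
    const res = await fetchImpl("/api/login", {
      method: "POST",
      body: JSON.stringify({ user, password }),
    });
    if (res.status !== 200) throw new Error("login failed");
    token = (await res.json()).token;
    events.push("login ok");
    return true;
  }

  return { request, login, events, hasToken: () => token !== null };
}

// Walks through the flow described in the post and returns what happened at each step.
async function runScenario() {
  const visited = [];
  const client = createApiClient({ fetchImpl: fakeFetch, navigate: (p) => visited.push(p) });
  const steps = {};
  // app boots with no token: first API call gets a 401 and the client redirects
  steps.firstCallRejected = await client.request("/api/orders").then(() => false, () => true);
  steps.redirectedToLogin = visited[0] === "/login";
  // wrong password: the login API itself says 401, handled as a failed login
  steps.badLoginRejected = await client.login("alice", "wrong").then(() => false, () => true);
  // correct password: token issued, subsequent API calls succeed
  await client.login("alice", "correct horse");
  steps.dataAfterLogin = (await client.request("/api/orders")).data;
  steps.redirects = visited.length;
  return steps;
}

if (typeof require !== "undefined" && require.main === module) {
  runScenario().then((s) => console.log(s));
}
```

Run with node and it prints the recorded steps. The token lives in a closure rather than in localStorage so it does not outlive the page, and the login call deliberately bypasses the interceptor so that a wrong password is reported as a failed login instead of bouncing the user back to the login page they are already on.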




Re: Dynamically Create Subdomains - Tomcat 7x

2015-09-04 Thread chris derham
> I need something like,
>
> My main landing page  www.mysite.com
>
> Subdomains I am looking for
>
> myfeature1.mysite.com
>
> myfeature2.mysite.com
>
> myfeature3.mysite.com
>
> etc
>
> myfeature is a cookie value which comes from www.mysite.com (this is the
> landing page which drops the myfeature cookie).
>
> - Kiran

So if you map the *.mysite.com DNS name to a single server, it can do all of that.

You are asking a very generic high level question, without providing
details of what you have tried, and what isn't working. Hence you
really need to open up more and explain. Can a single site handle all
of these "features" or do you need isolation between them? Is this a
"how can I setup DNS?" or a "how can I setup webservers against host
names?" kind of question. It really is worded very openly so people
will be hard pushed to help.

Chris




Re: [ANN] Apache Tomcat Connectors 1.2.41 released

2015-08-25 Thread chris derham
All,

I still don't quite understand how I ended up in this position, but
when Stephen from the Apache Lounge builds a new tomcat native build
of something, he asks me to inform the tomcat mailing list. I consider
it the very least I can do for the community, but struggle to see how
I am adding value. Anyway, his notification is below. His original subject
was mod_jk-1.2.41 VC11 but it seemed prudent to send on this thread.

Chris

Hi Chris,

Just built it for VC11, see https://www.apachelounge.com/viewtopic.php?p=31471

Maybe you can inform the list.




Re: Parallel Deployment: Can I request a specific webapp version?

2015-07-21 Thread chris derham
 BTW: The reason I'm asking is because that transparent shift from
 one app release to the next doesn't play along well with any caches
 (browser, caching proxies, CDNs etc.): When a shift to the next app
 release occurs, I generally need the client browsers to fetch a
 fresh copy of all files belonging to that release. And the only way
 to force them to do that is by having them use a different URL than
 for the old app release files..

 Or, you could use proper proxy-friendly cache-control response headers
 for those resources. Why aren't you doing that?

The OP's main thread here is asking about logical deployment. However
as a sub-thread he is asking about caching. As Christopher replied in
this thread, I will attempt to clarify what I think the OP is asking.

If you have v1.0.0 of the app deployed, and it has sent "cache for 1
day" replies for javascript/image/css files, then this works fine.
However as soon as you release the next version, the browsers won't
send requests as they have a local cache. Christopher's reply was "use
proper proxy-friendly cache-control response headers". IMO having the
browser only query for such static resources daily is
something that would be required to reduce calls. However this comes
at the expense of causing this issue.

My first thought was to suggest that the OP somehow use ETag header
combined with a version number. However if the browser is told to
cache for 1 day, this won't work. Having said that, if your app did
send an ETag which was a hash of the files contents, then it would
auto download a new version if it had changed between v1.0.0 and
v1.0.1.

I think that this leaves 3 solutions:

1) Gauge what your site can support in terms of many calls to static
resources vs when a new version is rolled out. Perhaps a 5 minute
browser cache is ok. Or 60 mins, or 180, etc. It is a balancing act
between reducing server calls for static content that hasn't changed
and the time for an upgrade to appear in the browser.
2) Adjust the source of the website such that each script/css/img tag
contains a version number parameter. You could do this via
pre-processing the source rather than manually. Then cache that for
365 days. If you release a new version, just update the number.
3) Set a cookie with the version number, and then redirect server side
to different version specific urls.

2) seems to be the most robust to me. Christopher can you clarify what
you meant?

HTH

Chris




Re: Check if a URL exists programatically

2015-07-16 Thread chris derham
 I already have a custom error page.  When I detect that a URL returned by
 google would return a 404, I exclude it from the search results so that the
 user never sees it.

 Mitch

Mitch,

Ok, I see now what you mean. Sorry, your original email was quite clear.

Hmm, interesting challenge. In big picture terms, I guess the two obvious
choices seem to be to not use google for searching, or to parse the
google results and determine the url validity as you are doing.
Depending on the urls you use, that could be horrible. Guess that's
where you are. Is not using google an option?

Please let us know how you resolve it.

Chris




Re: Check if a URL exists programatically

2015-07-16 Thread chris derham
 Short question: How can I, from within code running under Tomcat, determine
 if a given URL request to that tomcat instance would result in a 404 or not,
 without calling back to the Tomcat using an HTTP HEAD or GET?

 Background: We use google custom search by calling the google server and
 then formatting the results on our search page.  Our range of products is
 fairly fluid, and there is occasionally a gap between when a product goes
 away and the google search index is updated, which would result in a 404 if
 user clicked that link in the search results.  (I know that I can ask google
 to re-index, but I still need to solve this problem.)

 Rather than write a ton of code for the various types of pages that we have
 (product, category, etc) I'd like to just be able to call some Tomcat method
 to determine if the URL that I get back from google would result in a 404 or
 not.  I'm currently calling back to the Tomcat instance using an HTTP HEAD
 call, but that is a waste of resources and during periods of high volume
 uses up processing threads that I want to reserve for actual customers.

 We are using Tomcat 7 with Struts.

Mitch,

What will you do when you detect a 404? Couldn't you just implement a
custom 404 error page, that does what ever it is?

Chris




Re: redirect to website not working

2015-06-17 Thread chris derham
 ... how can I share
 the result of fiddler to you if the system doesn't allow attachments?

Ankur,

Copy/pasting the text of the raw response into an email should do it.

Chris




Re: Slow HTTP Rquest via Tomcat

2015-01-12 Thread chris derham
On 13 January 2015 at 11:38, Thone Soungpanya
thone.soungpa...@higherone.com wrote:
 Hello,

 Can anyone give some advice on what the issue may be? We have a web 
 application folder in Tomcat that has been slowing the http request's 
 connection to another third party system when there is high traffic. It 
 seems to be halting in the Tomcat server for about 20 - 50 seconds before 
 attempting to connect to the third party system. Once it tries to connect to 
 the third party system, the response time is only about 6 - 10 seconds which 
 is normal. It does not seem to be an issue at the third party's end as the 
 response time is quick once we get connected.

 Here are the specs that we have and additional information...

 1) Apache Tomcat 7.0.56
 2) JVM version 1.7
 3) Running on Linux OS Version 2.6.32

 Connection Flow:
 1) User submits a HTTP request from web application to Tomcat
 2) Tomcat calls Java's servlet code along with HTTP request parameters
 3) Java servlet code connects to third party system via application server 
 and jolt port
 4) Third party system returns requested information

 We thought it would be a session issue, so we lowered the session timeout 
 (just for that folder) in the WEB-INF folder to 5 minutes from the default 30 
 minutes, but it is still doing the same thing.

 Any advice on what it may be? Let me know if you need additional information.

How does your code connect to the 3rd party? There are libraries that
do this, please elaborate which you use. I recall using one, and it
had a limit on the number of concurrent connections to a 3rd party.
Perhaps you hit this limit? How many connections are you talking about
when the problem occurs - 10s, 100s, 1000s or more?

Chris

 Thank you in advance!

 Thone




Re: Spurious Problem starting Tomcat7 (garbled class names)

2014-11-07 Thread chris derham
 example with two garbled classes: (3.class being the first, which
 must come from SomeClass$3.class and the second one being something
 awfully beautiful:
 ConfigEdiAtourtAhpepnltiiccaattiioonn$SAtpaptlei$cIadteinotniCfo^@^@iigeLro.acdlLaissstener.class

To prevent decompilation, you can run your classes through a code
obfuscator. That replaces all field/method/class names with garbage,
to make it harder to see what is going on. The garbage you see might
actually be the names in the jar files. Unzip the war/jars and see
what is actually in there. Could it be correct?

HTH

Chris




Re: Tomcat JDBC pool - too many connections in TIME_WAIT state

2014-11-06 Thread chris derham
On 6 November 2014 05:36, Vasily Kukhta v.b.kuk...@gmail.com wrote:
 I have received additional details - the application starts getting
 java.sql.SQLException: Listener refused the connection with the following
 error: ORA-12519, TNS:no appropriate service handler found, although the
 amount of listeners in the DB is large enough. I have some concerns about
 the removeAbandonedTimeout property, it is set to 5 seconds now. Maybe
 the pool abandons every connection after 5 seconds, opens a new
 connection, and the previous connection goes to TIME_WAIT status consuming
 server resources?

We hit a similar problem 5-6 years ago with Oracle. We found that the
pool would close connections from client end successfully. However
Oracle has a background thread that marks server end
connections, and this was a little slow. Until this had closed the
connection, and told TNSListener, TNSListener wouldn't allow new
connections.

Our fix was to increase the number of connections allowed, and the
problem went away.

HTH

Chris




Re: How to access Sessions outside of class

2014-10-28 Thread chris derham
On 28 October 2014 11:06, Jason Ricles jgr...@alum.lehigh.edu wrote:
 Ok, so here is the problem I have been spinning my wheels on for days; let me
 just lay it out.

 I have a daemon written in java running, let's call it foo for simplicity, on
 a linux machine that has the tomcat server running. On the tomcat server is
 a WAR file for a webapp called bar. In that webapp is a webpage with
 JavaScript websocket communication that connects to a websocket server that
 is also a part of the WAR file. So I have a webpage and a websocket server
 communicating with each other.

 I want the foo daemon and the websocket server on bar (web application) to
 be able to communicate with each other. Is there any way outside of sockets
 to have foo and the websocket server on bar do this?

Define communicate - what kind? One way, two way, what kind of data,
frequency, size, type?

Chris




Re: How to access Sessions outside of class

2014-10-28 Thread chris derham
Couldn't you have the daemon write to a database, and have the web app
read from the database?

Then you could pass whatever message you wanted as a string?

Chris




Re: How to protect a Tomcat server/Webapp from (D)DOS attacks

2014-06-17 Thread chris derham
Léa,

 Below is what I would like to ask you:
 How do you usually protect your Tomcat servers and Webapps from (D)DOS
 ((Distributed) Denial-of-service) attacks?

If you allow the DOS traffic to make it all the way up to the
application layer before you detect it, then the DOS will still have
an effect. The best way of stopping such traffic is to detect it at a
lower level, and then block at a firewall. Typically this can be done
by counting the number of calls coming from an IP address and automatically
blocking if they exceed a threshold.

Apache ships with mod_evasive that allows you to do this. I have used
this in the past with some success. The other alternative I am aware
of is to use mod_security. I am not aware of anything that will run
directly in front of tomcat however - does anyone else have any
suggestions? I think there was some talk of a port of mod_security that
was implemented in java (well, java calling the mod_security c library
via jni). That might be mature enough for you to try.

HTH

Chris
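The counting rule described above, as an added JavaScript example that is not code from the thread or from mod_evasive: it runs over constructed access-log lines laid out like Tomcat's default AccessLogValve "common" pattern, keeps a per-address sliding window, and returns the addresses whose peak request rate exceeds the threshold, which is the list a firewall block rule would then consume. The addresses, paths, window length and threshold are all constructed values.

```javascript
// Added example, not code from the thread or from mod_evasive. The counting
// rule described above, run over constructed access-log lines laid out like
// Tomcat's default AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b).
// Addresses, paths, window and threshold are all constructed.

const SAMPLE_LOG = [
  '198.51.100.4 - - [17/Jun/2014:10:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 2048',
  '203.0.113.7 - - [17/Jun/2014:10:00:02 +0000] "GET /app/search?q=a HTTP/1.1" 200 4096',
  '203.0.113.7 - - [17/Jun/2014:10:00:02 +0000] "GET /app/search?q=b HTTP/1.1" 200 4096',
  '203.0.113.7 - - [17/Jun/2014:10:00:03 +0000] "GET /app/search?q=c HTTP/1.1" 200 4096',
  '203.0.113.7 - - [17/Jun/2014:10:00:04 +0000] "GET /app/search?q=d HTTP/1.1" 200 4096',
  '203.0.113.7 - - [17/Jun/2014:10:00:05 +0000] "GET /app/search?q=e HTTP/1.1" 200 4096',
  '203.0.113.7 - - [17/Jun/2014:10:00:06 +0000] "GET /app/search?q=f HTTP/1.1" 200 4096',
  '198.51.100.4 - - [17/Jun/2014:10:00:20 +0000] "GET /app/css/site.css HTTP/1.1" 200 512',
  '198.51.100.4 - - [17/Jun/2014:10:00:55 +0000] "POST /app/login HTTP/1.1" 302 -',
  'not an access-log line; the parser must skip it',
];

const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-]\d{4})\] "([^"]*)" (\d{3}) (\S+)$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// One line -> { ip, time (unix seconds, UTC), request, status }, or null if it
// does not parse. Malformed lines are dropped rather than trusted.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m || !(m[3] in MONTHS)) return null;
  const [, ip, day, mon, year, hh, mm, ss, tz, request, status] = m;
  const tzMinutes = (tz[0] === "-" ? -1 : 1) * (Number(tz.slice(1, 3)) * 60 + Number(tz.slice(3, 5)));
  const utcMs = Date.UTC(Number(year), MONTHS[mon], Number(day), Number(hh), Number(mm), Number(ss)) - tzMinutes * 60000;
  return { ip, time: utcMs / 1000, request, status: Number(status) };
}

// Sliding window per source address: the peak number of requests seen inside
// any windowSeconds-long interval. Addresses whose peak exceeds threshold are
// returned, busiest first; that list is what a firewall block rule would consume.
function findFloodingIps(lines, { windowSeconds, threshold }) {
  const timesByIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (!timesByIp.has(e.ip)) timesByIp.set(e.ip, []);
    timesByIp.get(e.ip).push(e.time);
  }
  const flagged = [];
  for (const [ip, times] of timesByIp) {
    times.sort((a, b) => a - b); // log order is not guaranteed to be time order
    let start = 0;
    let peak = 0;
    for (let i = 0; i < times.length; i++) {
      while (times[i] - times[start] >= windowSeconds) start++; // drop events older than the window
      peak = Math.max(peak, i - start + 1);
    }
    if (peak > threshold) flagged.push({ ip, peak });
  }
  return flagged.sort((a, b) => b.peak - a.peak);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findFloodingIps(SAMPLE_LOG, { windowSeconds: 10, threshold: 5 }));
}
```

With the constructed lines, 203.0.113.7 makes six requests inside four seconds and is reported with a peak of 6 for a 10-second window and a threshold of 5, while 198.51.100.4 (three requests spread over a minute) is not. As the post says, this counting is cheaper done below the application layer; the point of running it over the access log is to confirm the rule and the threshold before handing them to a firewall.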




Fwd: mod_jk release

2014-03-24 Thread chris derham
All,

I had an email thread going a while back -
http://tomcat.10.x6.nabble.com/64bit-windows-mod-jk-connector-download-for-apache-httpd-2-4-td4893904.html.
The thread ended with Christopher Schultz and mladen suggesting that I
ask the maintainer of apache lounge to include builds of mod_jk on his
site. He did this at the time and all was good.

He just sent me an email, saying that he just put up a new build of
mod_jk, and asking me to forward to the list.

==
Updated to 1.2.39 in all flavors:

VC11: 2.4 Win32/64
VC10: 2.2/2.4 Win32/Win64.
==

My question is how should I do this? Which list should I email? Not
sure if this belongs on the tomcat users mailing list or some other.

Suggestions welcome

Thanks

Chris




Re: Tomcat 7 : Configure redirect url for session timeout

2014-03-18 Thread chris derham
 It is not feasible to determine the difference between a timed-out
 session and a user who had no session to begin with.

Couldn't you use the presence/absence of a session id cookie?

Chris




Re: how to best launch a jnlp from and then return to a different jsp

2014-02-25 Thread chris derham
Aryeh,

I suggest that you take a step back from implementations, and define what
you want a little more clearly.

You have a webpage, that is served and loads a java app via jnlp. That
java app uploads some files to the server. At a later point in time,
you want the server to know that the client has uploaded the files to
the server, and hence change what is shown in the web pages? Is that
right?

Surely if the files are uploaded, can you just use the presence of the
file on the server to drive that logic? i.e. have the server check for
the file, and if present show x, else show the jnlp page?

Chris




Re: Problem starting Tomcat 6.0.39 (64) service under Windows 7/64

2014-02-07 Thread chris derham
Christopher

 On 2/7/14, 4:01 AM, Christoph P.U. Kukulies wrote:
 I downloaded tomcat 6.0.39 (64) from tomcat.apache.org, put it
 into c:\program files\Apache_Group\Tomcat_6.0.39 and ran the
 service.bat which established the service.

 As system environment variables I have set:

 CATALINA_HOME=c:\Program Files\Apache_Group\Tomcat_6.0.3
 JAVA_HOME=c:\Program Files\java\jdk1.7.0_51 JRE_HOME=c:\program
 files\java\jre7

 Note that, when using the Windows Service, the above environment
 variables are completely irrelevant.

For the benefit of the mailing archive, when using the windows
service the variables are not relevant. However when I read
Christoph's post, I think that it is more along the lines of I set
these variables when I ran service.bat, in which case the values at
that time are critical. True they don't have to be system environment
variables - plain environment variables in the console will do.
However it is wrong to say environment variables are completely
irrelevant.

Chris




Re: unable to start Tomcat through the Windows Services panel

2014-02-05 Thread chris derham
On 5 February 2014 16:34,  javier_esp...@hna.honda.com wrote:
 How do I get to the Windows Event Viewer in Windows 7?

http://lmgtfy.com/?q=How+do+I+get+to+the+Windows+Event+Viewer+in+Windows+7

 Thanks

You're welcome. Anytime you want something from google, please ask here first.

Chris




Re: [OT] Out of memory exception - top posting

2014-01-24 Thread chris derham
 There are probably lots of reasons for top-posting, and I don't think we can
 lay the blame on the MS Outlook world. The people I work with use a mixture
 of Thunderbird, web-based interfaces, and Outlook.

 Every one of them top-posts :-(.

When you click reply in these email clients, they insert the caret at
the top of the email with the original email indented below. This is
the out of the box default. It can be changed, but most people won't
know how/care to/prefer it this way.

 I think top-posting says a lot about the thought process of the poster. To
 me it says, my issue, problem, answer, concern is of paramount importance.
 You should remember everything about my issue. After all, I remember
 everything about my issue.

 The attitude is probably not malicious, but more along the lines of a lack
 of perspective.

As long as you can visually distinguish the reply from the original,
does it really matter if that reply is above or below the original?
When people reply to a thread, as long as their email client indents,
you have that clear visual indication. As a programmer, I have seen
arguments about indentation and brace position. This smacks to me as
one of those.

Personally I think that life really is too short to get hung up about
this. People want help. I joined this mailing list to help them, to
kind of pay back for people that had helped me with previous problems.
Let's help them.

 Save your own time and the time of everyone else on the list
(and the archives, where useless messages can't be removed) and just
skip that step.

+1 Personally I find replies to threads that are more conversational,
far more offensive than top posting. This isn't facebook. If the reply
doesn't provide help to the issue at hand, don't send

2C

Chris




Re: Tomcat strips CRLFs from the generated page

2014-01-14 Thread chris derham
Asok,

 As I said before, I have no control over the input text. In the test
 servlet I am simply reading text from a file and sending it out to the
 browser. No other processing has been done to the text by the servlet. The
 browser, however, receives a page with CRLF stripped starting from a
 certain point in the text.
 If I View source in the browser, I can see that happening.

 This is consistent over most operating systems (Windows and Linux) and most
 browsers (IE, Firefox and Chrome) and the stripping happens exactly at the
 same point onward, in all combinations of OS and browser.

 My question is: who is stripping the CRLF from the text? Is it Tomcat or
 the browser? Is Tomcat doing any validation of the text before sending it
 out to the client?

I believe that all of this has been understood by the people that
replied to you. Their suggestions are trying to help tidy things up,
so that it is easier to see the wood for the trees. In other words, if you
take their suggestions and fix the issues as they have suggested, then
the problems

a) might go away
b) it will be easier once the confusion is removed to see the real
cause of the problems
c) you leave a better set of files for the next person (or even
yourself 6 months plus) who has to maintain them

So please apply all the fixes as suggested, then repost new links to
the updated files.

Chris

P.S. Also, the custom on this mailing list is to reply below the post
to which you are replying. You can see how I have quoted the relevant
portion of your email, and then added my reply below.




Re: Packet misses in Tomcat

2014-01-06 Thread chris derham
 Issue: Few packets do not reach the application servlet but tomcat receives 
 them. The missing packets reach the HTTP layer and thereafter they disappear.

 This issue is not frequent but occasionally consistent. For the POSTs of 
 missing packet I am not able to find the entry in localhost_access_log.

How do you know that the packet reaches tomcat if there is no matching
entry in localhost_access.log? Does all other access appear in this
file?

Chris




Re: [OT] [Fwd: TomEE Professional Support]

2013-11-13 Thread chris derham
 This email does not have any relation with my activities in ASF and its 
 projects. It's solely related to my marketing team, which is how you got 
 emails. If I thought that it would be spam, would I put my email address as 
 sender? I think not! We thought that you could benefit from this email.

 Anyway, I closed the discussion from my side! If you are really feeling bad 
 now because of receiving such email from me, please unsubscribe the list.

So to sum up you created a mailing list somehow, and then sent an
unsolicited email to a list of people. Now you demand that they
unsubscribe from your mailing list. You also feign that you can't
understand why people are complaining. To turn this on its head, how
about this. If each person on this list decides that you might be
interested in something (I don't know, a site selling a little blue
pill, let's say for example), and adds your email address to a mailing
service. Then when you complain about all the unsolicited email, we
can tell you "well, we thought that you might be interested" and
"Anyway, I closed the discussion from my side! If you are really
feeling bad now because of receiving such email from me, please
unsubscribe the list." How would that make you feel?

Just because you are bored of this topic, doesn't mean other people
are. We are upset that somebody has spammed us. We want satisfaction.
Some kind of apology would be a start. Owning up to how you created the
mailing list with emails might help. That way maybe we can try to
prevent it from happening again.

Chris




Re: Restrict the use of JDK classes Tomcat 7 or 6

2013-10-22 Thread chris derham
 2013/10/22 ANALIA DE PEDRO SANTAMARIA 100074...@alumnos.uc3m.es:
 Hello,

 I would like to know if it is possible to restrict the use of JDK classes
 in Tomcat according to a list given in another file. Is it possible by
 creating a new Add-on? If it is possible, where can I find documentation
 about creating Add-ons? I have looked up and I haven't found any
 information about it (I only have found AddOns in Tomcat 3.3 but there is
 nothing about creating new ones).

This sounds like a homework question. My Spanish is bad, but alumnos
is surely student in Spanish. Hence the OP has had the cheek to send
from the student account of his university. Do the mailing list rules
state homework questions are in or out of scope?

Chris




Re: overriden context root

2013-10-16 Thread chris derham
 hi All,
 I have added below entry in server.xml  to override the context root of my 
 application i.e from /dummy  to /market.

You can add entries to server.xml, but people on this forum generally
advise against it. Please remove that

 The problem is now the application is accessible via both context roots i.e 
 via /dummy  /market context roots but I want the application to be 
 accessible only via overridden context root i.e via /market only.

Tomcat auto deploys war files in webapps. If you do not want this, do
not place the war file there. In similar situations I create a
directory notWebapps at the same level, and place the war file there.
Then point your context.xml file at it and you will have what you
require.

Chris




Re: MaxClients and maxThreads

2013-09-21 Thread chris derham

 To add to what Daniel is saying, here is a little graphic representation,
 for one single client browser :

 (browser) -- HTTP -- (httpd + mod_jk) -- AJP -- (tomcat) -- (webapp)
 (1)
  |
  |- (local resources) (2)

 When the browser sends a request to httpd, one httpd child/thread is
 allocated to process that request and return a response to the client.  That
 child/thread is busy with this one request, from the time the request is
 received to the time when the response has been sent.
 2 cases are possible :
 a) the request is for something that can be served directly by httpd,
 without need to involve Tomcat.  That is the (2) above.  For example, in
 some configurations, static HTML pages, images, stylesheets etc. are served
 directly by httpd, and only requests for webapps are forwarded to Tomcat.
 b) the request is for something that has to be processed and served by
 Tomcat (the (1) above).  In that case, httpd + mod_jk will forward the
 request to Tomcat, and wait for Tomcat's response.
 When Tomcat responds, httpd + mod_jk will return that response to the
 browser client.
 While Tomcat is processing that request, you have one Tomcat thread busy
 processing that request, and one httpd child/thread waiting for Tomcat to
 respond.

 So let's say that at the level of httpd, there are 1000 browser requests
 coming in every minute.  The number of httpd children/threads needed to
 handle this, depends on how long it takes httpd, on average, to process each
 request.  If it takes on average 1 second to process a request, then each
 httpd child/thread can on average process 60 requests per minute, and to
 handle 1000 requests per minute, you need 1000/60 = 16.66 children/threads
 in httpd.
 Now estimate (or better, measure) how many of these requests are being
 forwarded to Tomcat, and how long Tomcat needs on average to process such a
 request and send a response.
 With the same kind of calculation, this will tell you how many threads you
 need in Tomcat.

 Now to be on the safe side, double these numbers (if your servers support
 that), and try it out, /with your application/, measure what happens, and
 rectify the configuration accordingly.

 The main point is : nobody except yourself knows exactly how your
 application works, how many requests are really served by httpd and tomcat,
 or how long it takes to process one request.  So nobody can tell you in
 advance how many threads/children you need in httpd or Tomcat, to serve your
 volume of requests.

 The best that the Apache httpd developers, and the Tomcat developers can do,
 is to provide some best guess defaults, for some configuration that will,
 in their considerate opinion, be adequate for serving some average needs and
 not be very unbalanced.
 And that's what they do, and that is why you should generally start with
 this default configuration.  And then, if you can see and *measure* that
 there is something wrong, start amending this configuration item by item
 carefully, and measure again after each change to see if it improves or
 worsens the situation.
 There is no one size fits all.
 (If there was, then the developers would just set it as the default, and
 they would not need to provide any adjustable parameters).


This type of question seems to come up once every 3 months on the
mailing list. Given that this is a beautiful explanation, perhaps we
could add this as a new section to the tomcat documentation - a new
Performance Tuning section?

Chris
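As an added worked example (not code from the thread or from the Tomcat or httpd projects), here is the sizing arithmetic above written as a small Python model. It carries the calculation one step further than the post: because an httpd child blocks while it waits for Tomcat's reply, the httpd tier has to be sized for its locally served requests plus the forwarded ones. The 30% forwarded share and the per-tier timings used below are constructed figures, not measurements.

```python
"""Worker sizing for a browser -> httpd + mod_jk -> Tomcat chain.

Little's law: average busy workers = arrival rate x time each request
holds a worker.  Added example, not Tomcat or httpd code; every input
value is a constructed figure to be replaced by measurements.
"""

from dataclasses import dataclass
import math


@dataclass
class Workload:
    requests_per_minute: float   # total arrivals at httpd
    httpd_local_seconds: float   # avg time httpd spends on a request it serves itself
    forwarded_fraction: float    # share of requests handed to Tomcat via mod_jk
    tomcat_seconds: float        # avg time Tomcat needs to answer a forwarded request
    headroom: float = 2.0        # the "double these numbers" safety factor


def concurrent_workers(rate_per_minute: float, seconds_each: float) -> float:
    """Average number of workers busy at once (Little's law), unrounded.

    The post's own figure: 1000 req/min at 1 s each -> 16.66 workers.
    """
    return rate_per_minute / 60.0 * seconds_each


def size(w: Workload) -> dict:
    """Average busy workers per tier, plus rounded-up, headroom-adjusted
    starting points for httpd MaxClients and Tomcat maxThreads."""
    forwarded_rate = w.requests_per_minute * w.forwarded_fraction
    local_rate = w.requests_per_minute - forwarded_rate

    # Tomcat threads: only forwarded requests, for the time Tomcat works on them.
    tomcat_busy = concurrent_workers(forwarded_rate, w.tomcat_seconds)

    # httpd children: locally served requests for their own time, PLUS the
    # forwarded ones, since each httpd child sits waiting for Tomcat's reply.
    httpd_busy = (concurrent_workers(local_rate, w.httpd_local_seconds)
                  + concurrent_workers(forwarded_rate, w.tomcat_seconds))

    return {
        "httpd_busy_avg": httpd_busy,
        "tomcat_busy_avg": tomcat_busy,
        "httpd_MaxClients": math.ceil(httpd_busy * w.headroom),
        "tomcat_maxThreads": math.ceil(tomcat_busy * w.headroom),
    }


if __name__ == "__main__":
    # Constructed workload: 1000 req/min, 30% forwarded to Tomcat.
    demo = Workload(requests_per_minute=1000, httpd_local_seconds=0.2,
                    forwarded_fraction=0.3, tomcat_seconds=1.0)
    for key, value in size(demo).items():
        print(f"{key}: {value}")
```

The numbers that come out are only as good as the measured timings that go in, which is the post's real point: measure under your own application, set these as a starting configuration, then re-measure after each change. Sizing the httpd tier without the blocked-on-Tomcat term is the usual mistake, and it shows up as httpd running out of children while Tomcat still has idle threads.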




Re: Why does JDBC application logging SQL instructions in Apache Tomcat lists 545 repeatedly

2013-08-06 Thread chris derham
On Tue, Aug 6, 2013 at 7:52 AM, Martin O'Shea app...@dsl.pipex.com wrote:
 This is now resolved. Thanks anyway.

For the benefit of anybody else that hits this issue, care to explain
how it was resolved?

Thanks

Chris




Re: [Tomcat 7.x] Tuning the connector for large requests / response

2013-07-11 Thread chris derham
Stefan,

 but I'm not sure which values to tune. Probably the buffers, right?

 Any pointers would be great.

If you want to tune an application, first you need to create a
repeatable test load using any tool you like. Then measure the
application under load, and identify where there are problems. Once
you have done this, come back to the list and explain specifically
where the problems lie. Then the people on the list will be able to
help point out settings that might improve load. Right now with the
information provided, there is no way to know where the problem would
lie. Also if you did change something, you would have no way of
knowing if the change had a positive or negative effect.

HTH

Chris




Re: [Tomcat 7.x] Tuning the connector for large requests / response

2013-07-11 Thread chris derham
On Thu, Jul 11, 2013 at 11:35 AM, Stefan Magnus Landrø
stefan.lan...@gmail.com wrote:


 Den 11. juli 2013 kl. 15:44 skrev chris derham ch...@derham.me.uk:

 Stefan,

 but I'm not sure which values to tune. Probably the buffers, right?

 Any pointers would be great.

 If you want to tune an application, first you need to create a
 repeatable test load using any tool you like.

 Agreed. That's exactly what I'm doing (using Gatling actually)

Ok never heard of it - will have a look

 Then measure the
 application under load, and identify where there are problems.

 Performing a thread dump I see most threads are doing io stuff reading from 
 the socket and consuming lots of CPU.

Can you post the thread dumps? That might help people on the list get
a feel for where the problem lies. Do you hit this problem when you
target a specific url, or only when you have a broad range of request
types hitting the server?

Chris




Re: Class cast exception when starting tomcat 7.0.1

2013-06-13 Thread chris derham
 Who says I was using a 3 year old unreleased level?

You did when you set the subject line to "Class cast exception when
starting tomcat 7.0.1". Charles was hinting that 7.0.1 wasn't released.

Chris




Re: SSL Issue- Support required.

2013-06-11 Thread chris derham

 Please help to trouble shoot this issue.

 More information on this would be provided as per the request.

 Thanks

 Regards

 Veena B S

The mailing list strips attachments. Please try again, sending a plain text
email without any attachments

Thanks

Chris


Re: Best practices for shared classloader use?

2013-06-04 Thread chris derham
 I am considering using the Tomcat 7 shared classloader to reduce the memory 
 footprint of my web apps.

Can you provide some approximate numbers as to what the current memory
footprint is? Also some details of how many tomcat instances you have
running and/or how many versions of the application you have running?

So for example if your war file has 10mb of class files, and you have
five concurrent versions of the war running, your reasoning is that by
using a shared class loader, you can reduce the memory foot print from
50mb to 10mb?

Thanks

Chris




Re: WebSockets Thread Safety question

2013-06-03 Thread chris derham
 When I use the syntax from the samples in the onTextMessage() method, I get
 ConcurrentModificationException if I have more than one client sending data
 to the server at the same time:

 for (MyMessageInbound mmib : mmiList) {
 CharBuffer buffer = CharBuffer.wrap(cb);
 mmib.myoutbound.writeTextMessage(buffer);
 mmib.myoutbound.flush();
 }


 Changing it to the following works fine:

 for (int i = 0; i < mmiList.size(); i++) {
 MyMessageInbound mmib = mmiList.get(i);
 CharBuffer buffer = CharBuffer.wrap(cb);
 mmib.myoutbound.writeTextMessage(buffer);
 mmib.myoutbound.flush();
 }

 However, this approach is not as efficient as to use an Iterator, unless I
 clone the mmiList Collection to iterate over it...

Can you explain where the inefficiency is?

Thanks

Chris




Re: Catalina.policy java.security.AllPermission

2013-05-09 Thread chris derham
 Maybe the first question should be : why do you want to run this with the
 Security Manager ?
 As far as I understand this, the SM only really helps, if otherwise unsecure
 applications can be deployed within your JVM.  Is that the case, or do you
 know and control all the applications from the start ?

Isn't it more like a dog and a muzzle? In theory if you know the dog
and it is always friendly, there is no need to use one. However if all
dogs wore muzzles, there would be fewer dog attacks.

IMHO security in depth is about making things harder for the bad guys.
Adding a security manager should do this, if it is configured
correctly. BTW I am not saying that I actually do this, just that I
think that everyone should to make it harder for when the bad guys
break into your app

Chris
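To make "if it is configured correctly" concrete, here is an added catalina.policy fragment (not from the thread, and not the policy shipped with Tomcat) showing the weak grant beside a narrow one. The web application name "myapp", the database host "db.internal.example" and its port are placeholders; the permission classes and the `${catalina.base}` / `${file.separator}` expansions are standard Java policy syntax.

```text
// Weak: every codebase gets everything, so the muzzle is off.
grant {
    permission java.security.AllPermission;
};

// Narrow: one webapp, only the permissions it actually needs.
// "myapp" and "db.internal.example:1521" are placeholder names.
grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    // read system properties, but not change them
    permission java.util.PropertyPermission "*", "read";
    // outbound connections only to the database host
    permission java.net.SocketPermission "db.internal.example:1521", "connect,resolve";
    // its own deployed files, read-only
    permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}myapp${file.separator}-", "read";
    // its log directory, read and write
    permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}-", "read,write";
};
```

The security manager only takes effect when Tomcat is started with the `-security` switch to catalina.sh/catalina.bat. The practical way to arrive at the narrow grant is to start with nothing, run the application's test suite under the manager, and add a permission for each AccessControlException in the log; the resulting list doubles as an inventory of what the application is allowed to reach if it is compromised.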




Re: Multiple tomcat containers or instance on same servers

2013-05-01 Thread chris derham
 If anyone else wants to chip in with any relevant additions, let me
 know. I might be able to have a look at updating the documentation
 page later, but being as I'm a developer my linguistic skills have
 never really been approved of so not sure any changes will be
 approved :-)

 HTH

 Chris

I've added some comments to
http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html -
is there a better way to get an addition made to that page?

Chris




Re: Multiple tomcat containers or instance on same servers

2013-04-30 Thread chris derham
 Thanks for all your feedbacks.

 Is multiple versions supported or all instances have to be the same build.

You can have it any which way you wish, e.g. single tomcat in single
catalina_home with multiple instances each with own catalina_base, or
multiple versions of tomcat each in own catalina_home each with one or
more instance each with own catalina_base. You can setup a right mess
if you wish...

 I thought sure that the Tomcat Windows Service page of the users' guide,
 but it is /not/ there:
 http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

 I wonder if there are any heavy Microsoft Windows users that could
 offer to write a section on Multiple Tomcat Instances specifically
 with Microsoft Windows Services. The file RUNNING.txt only explains
 how to set up Tomcat itself (CATALINA_HOME versus CATALINA_BASE) but
 says nothing about how to configure Tomcat's service runner to point
 to one (other than inferring that one ought to set CATALINA_HOME and
 CATALINA_BASE appropriately).

 For instance, it's probably important to give the services distinct
 names ;)

The only things that seem to be missing are

a) set CATALINA_HOME and CATALINA_BASE before running service.bat
b) when running service.bat, specify a unique service name
c) you need to copy some files around to allow each CATALINA_BASE to
differ from the others, e.g. port config

e.g.

set CATALINA_HOME=c:\tomcat
set CATALINA_BASE=c:\tomcat\instances\instance1
service install tomcat1

Then to install instance two, just run

set CATALINA_BASE=c:\tomcat\instances\instance2
service install tomcat2

If anyone else wants to chip in with any relevant additions, let me
know. I might be able to have a look at updating the documentation
page later, but being as I'm a developer my linguistic skills have
never really been approved of so not sure any changes will be
approved :-)

HTH

Chris




Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-22 Thread chris derham
 But honestly, I am also a bit at a loss now as to how to continue.  There is
 of course no way for me to prove the validity of the scheme by installing it
 on 31 million (20%) of webservers on the Internet and looking at the
 resulting bot activity patterns to confirm my suspicions.

Try to enter into contact with Fyodor (http://insecure.org/fyodor/).
He wrote nmap - an open source scanner. It isn't a botnet, but he
might have some interesting thoughts on your proposal. I'd be
interested to hear what he has to say

HTH

Chris




Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-20 Thread chris derham
 Let me just summarise my arguments then :
 1) These scans are a burden for all webservers, not just for the vulnerable
 ones.  Whether we want to or not, we currently all have to invest resources
 into countering (or simply responding to) these scans.  Obviously, just
 ignoring them doesn't stop them, and just protecting one's own servers
 against them doesn't stop them in a general sense.
 2) there is a fundamental asymmetry between how bots access a server (and
 most of the responses that they get), and how normal clients access a
 server : normal clients receive mostly non-404 responses, while bots - by
 the very nature of what they are looking for - receive many 404 responses.
 So anything that would in some way penalise 404 responses with respect to
 other ones, should impact bots much more than normal clients
 3) setting up a bot to perform such a scanning operation has a cost; if the
 expected benefit does not cover the cost, it makes no sense to do it.
 Assuming that botmasters are rational, they should stop doing it then. It is
 debatable what proportion of servers would need to implement this proposal
 in order for this kind of bot-scanning to become uneconomical in a general
 sense.  What is certain is that, if none do and no better general scheme is
 found, the scans will continue.  It is also fairly certain that if all
 servers did, this particular type of scan would stop.
 4) it is not obvious right now which method bots could use to circumvent
 this in order to continue scanning HTTP servers for these known potentially
 vulnerable URLs. I do not discount that these people are smart, and that
 they could find a way.
 But so far it would seem that any scheme thought of by people commenting on
 this idea, have their own costs in some way and do not invalidate the basic
 idea.
 5) if the scheme works, and it does the effect of making this type of
 server-scanning uneconomical, bot developers will look for other ways to
 find vulnerable targets.
 It is just not obvious to me where they would move their focus, HTTP-wise.
 If their aim is to find vulnerable URLs on webservers, what else can they do
 but try them ?
 6) intuitively, it seems that implementing this would not be very
 complicated, and that the foreseeable cost per server, in terms of
 complexity and performance, would be quite low.  The burden imposed on
 normal clients would also seem to be small.
 Maybe this should be evaluated in terms of a comparison with any other
 method that could provide some similar benefit at lower costs.
 7) once implemented, it would be something which does not require any
 special skills or and special effort on the part of the vast majority of
 people that download and install tomcat.  Which means that it has a real
 chance to automatically spread over time to a large proportion of servers.
 This is quite unlike any other bot-fighting measure that I have seen
 mentioned so far in this thread.
 8) an obvious drawback to this scheme, is that if it works, it would take a
 long time to show its effects, because
 a) it would take a long time before a significant proportion of active
 servers implement the scheme
 b) even then, it would probably take an even longer time for the bots to
 adapt their behaviour (the time for the current generation to die out)
 So in politics, this would be a no-no, and I will probably never get a Nobel
 prize for it either.  Damn. I would welcome any idea to spread this faster
 and allow me to gain a just recognition for my insights however.

So a miscreant decides that they want to hack into a computer. Like
most things in computing, they break the task down into smaller, more
manageable tasks. Step 1 is to find targets. The easiest step would seem to
be to enumerate every IPv4 address possible, and send a TCP/IP packet
to some known ports. If you get a response, it's a live IP address. You
don't need to map every port, just establish if the host is listening
to the internet. This will allow you to build up a list of live IP
addresses and feed it into step 2.

Step 2 is to fingerprint those IP addresses. To do this, use a scanning
tool. These send packets to ports of a given IP address, looking at
the responses. They don't just look for positive responses, they also
send badly formed/invalid packets. They use many techniques to do
this. My favorite is the xmas tree packet. The low level TCP protocol
defines several fields as control fields - the xmas tree packet flags
all control fields as true. The packet is completely invalid at a TCP
level, but different OSes will respond differently. The results of
all of these responses provide a fingerprint, which should provide an
identification of what OS the server is running. Using similar
techniques it is generally possible to identify the software stack
running on each port. Sometimes there will be 100% confidence in the
results, sometimes less. Sometimes the software can't tell what the
software stack on the server is. However the aim of the game is to

Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread chris derham
 Yes.  But someone *does* own the botted computers, and their own
 operations are slightly affected.  I have wondered if there is some
 way to make a bot so intrusive that many more owners will ask
 themselves, why is my computer so slow/weird/whatever?  I'd better
 get it looked at.  Maybe I should install a virus scanner.

Somebody said earlier in the thread (sorry but I can't be bothered to
find the exact quote and attribute it) something along the lines of
this is an arms race. The current bot software may not be there yet,
but it is easy to see how the bot-net developers would like to have
the job of probing IPs distributed over the botnet, so each target
only receives a single call from each distinct IP, but together the
10,000 members of the bot-net each send one probe creating a full
probe of known weak points in the server. The net result would be a)
very hard to detect/defend against b) the proposal would not have a
negative effect - you only add 1 second (or whatever value is agreed)
to the async call time for each botnet member.

I agree that currently if an attacker compromises a server, and then
runs probes against the whole internet from that one host, your idea
would slow the assault. However it will just encourage the next
evolutionary step described above. However the bad guys are quite
clever. The scanning software already has rate limiting switches to
stop network intrusion detection systems from detecting probes. They
would just use these to slow the attack and the computer user would
not notice. As long as you have many bots in the whole net, it isn't a
problem.

I used to work in agrochemical research. They tried 1,000,000
different pseudo-random chemicals a year against plants, watching for
a reaction. If something reacted in a positive manner, then they
investigated what was going on. This is the same as the bad-guys are
doing globally - probe every IP, and look for interesting responses.
Yes the approach to slowing down these responses should in theory
work, but if the clever guys distribute the load over a bot-net, and
the bot-net is large enough, then it is just a numbers game. Enough
bots sending probes, and then get a new target each day, that will be
enough for them to abuse that target to send out that days mailshot of
spam.

The key security recommendation is to not have anything running unless
required. The manager app has no users defined by default - perhaps
the default install for tomcat could be such that it is a bare bones
install? I do not know of any weaknesses in the manager app, but if it
isn't even there, their presence/absence doesn't really matter. Same
with the other default parts, e.g. help etc. As long as they can be
installed easily if required, shouldn't be a problem. The OWASP
recommendations for securing tomcat suggest removing all items under
catalina_home/webapps as a first step. Just a thought.

The first step an attacker performs when conducting a focused attack
is to map out the server. The presence of a response to
http://server:8080/manager/html/ would seem to indicate a default
install of tomcat. Once they have this initial reconnaissance
performed, they will move on to using known exploits against it. By
removing the manager app from the default install, this would be made one
step harder. You can't really prevent a dedicated attacker, but making
it one step harder to attack your server might make the
not-bothered-which-server-I-attack guy move on to easier pickings.

Also one thing worth mentioning. There is an attack called a blind sql
injection attack. The crux of it is that by timing the response from a
sql injection, you can detect if your query was a success or a
failure. Typically some processing occurs upon success, hence the
response takes longer. During testing (obviously not against a real db
:-)), I have managed to download the whole contents of a db after
a little scripting of a sql injection and some perusal of the results.
If you deliberately delay 404 by a known amount of time, it will still
stick out, and they can use this just as much as a positive
indication.

HTH somebody

Chris




Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-17 Thread chris derham
 Hi.
 Long and thoughtful post. Thanks.

just hope it helps move the discussion forward

 Say you have a botnet composed of 100 bots, and you want (collectively) to
 have them scan 100,000 hosts in total, each one for 30 known buggy URLs.
 These 30 URLs are unrelated to eachother; each one of them probes for some
 known vulnerability, but it is not so that if one URL results in a 404, any
 of the others would, or vice-versa.
 So this is 3,000,000 URLs to try, no matter what.
 And say that by a stroke of bad luck, all of these 100,000 hosts have been
 well-configured, and that none of these buggy URLs corresponds to a real
 resource on any of these servers.
 Then no matter how you distribute this by bot or in time, collectively and
 in elapsed time, it is going to cost the botnet :
 - 3,000,000 X 10 ms (~ 8.3 hours) if each of these URLs responds by a 404
 within 10 ms
 - 3,000,000 X 1000 ms (~ 833 hours) if each of these URLs responds by a 404
 delayed by 1 s

So if a bot sends a request for http://server/, it will presumably get
a 302 response back redirecting to say http://server/index.html, and
to use your figures lets say this takes 10 ms - call this
goodResponseTime. Now the bot sends a request to the server for
http://server/manager/html. If the server has implemented delay 404
(as it seems to have been christened), the server will delay response
for say 1s. The scanner writers can just abort the connection after
say 2*goodResponseTime or 3 if they want to reduce false positives.
Perhaps spider the links in the good page returned initially and get a
feel for average response times for say 10 valid calls, then start
making probing calls to reduce false positives. Simply abort any that
take too long and carry on to the next host and/or the next url on
the same host.

Incidentally someone suggested that the work to delay the response
could be farmed off to a side-kick thread. It is true that this would
minimize CPU overhead server end. However at the low OS level, you
are still keeping a socket open for a second (or whatever the 404
delay is configured to be). If scanners use the above technique, they
will end up creating say 30 connections to the server each of which
then has to stay open for 1 second. 30 additional connections won't
bring the server down, but it is still consuming more resources than
normal. Enough concurrent scanners and the server will suffer DOS. A
few pages with bad links that return 404 - maybe due to
misconfiguration - and google bots and their friends querying the
site could kick off the DOS.

 As for the other points in your post : you are right of course, in
 everything that you say about how to better configure your server to avoid
 vulnerabilities.
 And I am sure that everyone following this thread is now busy scanning his
 own servers and implementing these tips.

I guess the point I was trying to make is that the whole idea is to
make the default install as secure as possible. So the sensible steps
included in http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
would not be necessary, if they were already present in the default
install. Then if people want to open the server up, that's their
problem. I know that this potentially means that it may be harder for
noobs to get started with tomcat. It is a fine line to walk.

 But my point is that, over the WWW at large (*), I am willing to bet that
 less than 20% are, and will ever be, so carefully configured and verified.
 And that is not going to change.

agreed. What we really need is a big carrot and a big stick to
encourage people to Do The Right Thing™.

Chris
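The asymmetry argued earlier in this thread (normal clients mostly get non-404 responses, probing bots mostly get 404s) is something a defender can act on without delaying anything server-side. The following is an added Python example, not Tomcat code, that scores clients in AccessLogValve "common"-format output by their share of 404 responses spread over distinct paths. The log lines are constructed, and the thresholds are assumptions to be tuned against a site's own traffic.

```python
"""Score clients in Tomcat AccessLogValve lines by their 404 ratio.

Added example (not Tomcat code).  Log lines below are constructed;
min_404 and min_ratio are assumed thresholds to tune per site.
"""

import re
from collections import defaultdict

# AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: one client probing default webapp locations, one
# ordinary visitor with a single 404 (a missing favicon).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2013:09:01:02 +0000] "HEAD /manager/html HTTP/1.0" 404 -
203.0.113.5 - - [17/Apr/2013:09:01:02 +0000] "HEAD /host-manager/html HTTP/1.0" 404 -
203.0.113.5 - - [17/Apr/2013:09:01:03 +0000] "GET /examples/ HTTP/1.0" 404 -
203.0.113.5 - - [17/Apr/2013:09:01:03 +0000] "GET / HTTP/1.0" 200 1043
198.51.100.7 - - [17/Apr/2013:09:02:10 +0000] "GET / HTTP/1.1" 200 1043
198.51.100.7 - - [17/Apr/2013:09:02:11 +0000] "GET /css/site.css HTTP/1.1" 200 512
198.51.100.7 - - [17/Apr/2013:09:02:11 +0000] "GET /img/logo.png HTTP/1.1" 200 2048
198.51.100.7 - - [17/Apr/2013:09:02:15 +0000] "GET /favicon.ico HTTP/1.1" 404 -
"""


def parse(lines):
    """Yield one dict per line that matches the access log pattern."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def client_stats(lines):
    """Per client IP: total responses, 404 count, distinct paths that 404'd."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths_404": set()})
    for rec in parse(lines):
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
            s["paths_404"].add(rec["path"])
    return stats


def suspected_scanners(lines, min_404=3, min_ratio=0.5):
    """IPs whose 404 share is high AND spread over several distinct paths.

    Returns sorted (ip, not_found, total) tuples.  The distinct-path
    condition keeps one broken link hit repeatedly from qualifying.
    """
    out = []
    for ip, s in client_stats(lines).items():
        ratio = s["not_found"] / s["total"]
        if (s["not_found"] >= min_404 and ratio >= min_ratio
                and len(s["paths_404"]) >= min_404):
            out.append((ip, s["not_found"], s["total"]))
    return sorted(out)


if __name__ == "__main__":
    for ip, nf, total in suspected_scanners(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {nf}/{total} responses were 404")
```

Run it over a real access log and the flagged IPs become input to whatever reactive control the site already has (a firewall block list, a rate limit at the front-end proxy), which is cheaper than holding a socket open per 404 as the delay proposal would. The caveat from this thread applies: a site with broken internal links will push search-engine crawlers over the threshold too, which is why the rule insists on several distinct 404 paths and a minimum count rather than a ratio alone.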




Re: Tomcat access log reveals hack attempt: HEAD /manager/html HTTP/1.0 404

2013-04-16 Thread chris derham
 Or, another way of looking at this would be that for every 40 servers
 scanned without a 404 delay, the same bot infrastructure within the same
 time would only be able to scan 1 server if a 1 s 404 delay was implemented
 by 50% of the webservers.

This assumes that the scanning software makes sequential requests.
Assuming your suggestion was rolled out (which I think is a good idea
in principle), wouldn't the scanners be updated to make concurrent
async requests? At which point, you only end up adding 1 second to the
total original time? Which kind of defeats it.

Again I'd like to state that I think you are onto a good idea, but the
other important point is that some (most?) of these scans are run from
botnets. These have zero cost (well for the bot farmers anyway). My
point is even if the proposal worked, they don't care if their herd is
held up a little longer - they are abusing other people's
computers/connections so it doesn't cost them anything directly.

Sorry but those are my thoughts

Chris




Re: Analyzing Connection Pool Errors/Leaks

2013-04-02 Thread chris derham
 OK, I'll have to investigate the DB setting more thoroughly. The maximum
 sessions and processes in Oracle are higher than we were using for the test
 though (several hundred).

We hit a similar situation a year ago. Essentially Oracle has a TNS
listener process that accepts connections. This is responsible for
counting connections and preventing any new ones when the limit is
hit. The counting only occurs on a background thread every x minutes,
hence if you have a high turnover of connections, you can exceed the
limit. Even if your app correctly returns all connections, the TNS
listener will not see the returned connections, and hence hit the
error above. For our situation we were able to just bump up the
connections allowed to the db. This may or may not help in your case.

HTH

Chris




Re: runtime.exec cmd.exe /C net use

2013-03-26 Thread chris derham
This thread has been going on for some time now, but why are you using
drive letters? Can't you just use unc paths and remove all of these
issues you are having? I searched the thread for UNC and can't see
that this was asked, but seems like a sensible question.

HTH

Chris




Re: I need help in configuring windows authentication in tomcat 7.0

2013-03-21 Thread chris derham
 <Context>
   <Realm className="org.apache.catalina.realm.JNDIRealm"
          adCompat="true"
          allRolesMode="authOnly"
          referrals="follow"
          connectionURL="ldap://dc01.mydom.local:389"
          connectionName="mydom\tcuser"
          connectionPassword="Pa55w0rd"
          userBase="dc=mydom,dc=local"
          userSubtree="true"
          userSearch="(sAMAccountName={0})"
          roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
          roleName="cn"
          roleSearch="(member={0})"
          roleSubtree="true"
          />
 </Context>

This has come up multiple times on the mailing list - essentially it
can not/should not be done. Please see
http://wiki.apache.org/tomcat/FAQ/Password for details

Chris




Re: SSL Best Practices

2013-03-18 Thread chris derham
 If the system is only for testing, or communicates with a limited number of 
 systems (i.e.,
 it is a firewalled backend system that only communicates with a front-end 
 system), then again,
 a self-signed certificate would be fine.

+1

 If his organization already uses PKI certificates, then he should follow the 
 rules
 established in his organization's Certificate Practice Statement, if it has 
 issued
 one.

 I do agree that if this is a public facing system, or one in an organization 
 with a large
 number of users that does not have its own CA infrastructure, then a 
 commercial certificate
 would be the best choice.

Commercial certificate authorities are actively targeted by hackers,
and when they are broken into, the trust each OS has configured of
such certificates can cause issues. The recent google ssl certificate
issue shows what happens when things go wrong. If users will access
the site via a browser, then the browser warning will confuse
them/make them used to ignoring security warnings. For applications
communicating with each other, a self-signed certificate will actually
be more secure than a certificate authority issued certificate -
assuming you trust your internal security more than you trust that of
a commercial certificate authority. It all depends on what the
certificate will be used for.

Chris




Re: Tomcat 6 access Network drive and interact with desktop

2013-02-22 Thread chris derham
 I mean I need a tomcat service which can interact with desktop and can
 access network resources

Top hit when googling for 'windows service interact with desktop'

http://lostechies.com/keithdahlby/2011/08/13/allowing-a-windows-service-to-interact-with-desktop-without-localsystem/

 The basic answer to your question is :
 The fact that under Windows you cannot do what you seem to want, has to do
 with Windows and how it handles Windows Services. It does not depend on
 Tomcat in any way, and there is nothing that you can do in Tomcat to change
 this.

You can flag a service as being allowed to interact with the desktop.
This is turned off by default

 Apart from that, there seems to be something illogical in your request.

I think it is very strange that the server needs to open windows -
surely on the server nobody is going to be there to look at them?

HTH

Chris




Re: Tomcat 6 access Network drive and interact with desktop

2013-02-22 Thread chris derham
 The first part (running programs which require a Window) usually doesn't,
 because those programs are usually such that they do not work as a
 service.  It is not usually only the fact that they need a console, but
 they need a whole bunch of other environment which a Service does not
 provide.
 It will only work when the other program is specifically designed to work
 that way.
 For example, OpenOffice in headless mode works fine.  But MS-Office
 programs do not, and this mode of operation is explicitly indicated by
 Microsoft as not recommended and not supported.

So, summarising the discussion so far:

1) services generally run headless with no interaction with desktop
2) you can run a service with interaction with desktop enabled
3) this doesn't work under Windows Server 2008 and later.

So, questions to the OP:

a) did the link I sent help?
b) what programs are you trying to run that open windows on desktop?
c) what version of os are you running under?

Chris




Re: Tomcat 6 access Network drive and interact with desktop

2013-02-21 Thread chris derham
 I mean I need a tomcat service which can interact with desktop and can
 access network resources

'access network resources' is clear, but please define 'interact with
the desktop' - what do you want the app to do exactly?

Chris




Re: Sharing session attributes across multiple webapps

2013-02-09 Thread chris derham
<snip>
 I simply need a temporary string that is set during the session in
 one app to still be able to be displayed when the user goes to another
 app.
</snip>

<snip>
 Am I missing something obvious here?
</snip>

Couldn't you try a cookie?

Chris




Re: Help in diagnosing server unresponsiveness

2013-02-02 Thread chris derham
 In the Java world, most people would only consider it a
 cluster if the app servers actually know about each other -- for
 instance, if you are using session replication. IMO session
 replication is a dog, and there are better ways to achieve similar
 goals that yield much higher performance.

I am curious to hear your thoughts - care to elaborate?

Thanks

Chris




Re: Different webapp paths on different hosts

2013-02-02 Thread chris derham
 To my mind if you deploy the app as ROOT.war, as long as DNS
 is configured correctly, that single context will serve
 responses to http://app1.com/ and http://app2.com/. This
 appears to solve the explicit requirement stated above.

 But the OP refuses to supply any information about why that's
 not sufficient.

 in this case http://app1.com/ and http://app2.com/ will serve the
 same content. i need different content on different domains.

You asked how you can serve one set of content for one domain, and a
different set of content for another domain. You were told that the
easiest way is to deploy two separate apps. You said that isn't what
you want, but did not explain why. For what technical reason is this
not a suitable solution?

If you really want a single app deployed that sends different content
depending on the host used, then you will need to code that inside
your app. This isn't really an application/web server issue, it's
something that needs to be handled inside the web app.

 Something actually made a little pop in my brain when I read that. I
 gotta go... I think I smell toast burning...

 i take it as you don't know the correct answer.

You asked an incredibly badly worded question, and didn't provide a
clear explanation of what you wanted people to help you with. Free
advice from people donated in their own time, and now 22 emails in and
you are getting snarky? Do you think that this is really going to
encourage people to help you?

Chris


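As an added example (not code from the thread or from Tomcat itself), here is the kind of in-app logic Chris refers to: a servlet Filter in a single ROOT webapp that maps the request's Host name to a folder inside the webapp and forwards there. The host names, folder names and package are assumptions; the filter has to be registered in web.xml with a filter-mapping on /*.

```java
// Added example: per-host content selection inside one deployed webapp.
// Not from the thread; host/folder mapping and package are assumptions.
package example; // hypothetical package

import java.io.IOException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HostDispatchFilter implements Filter {

    // Host name -> content folder inside the webapp (constructed sample mapping).
    // An explicit allow-list matters: the Host header is client supplied, so any
    // name that happens to resolve to this server must not fall through to
    // "some" folder by accident.
    private static final Map<String, String> HOST_TO_FOLDER = new HashMap<>();
    static {
        HOST_TO_FOLDER.put("app1.com", "/app1");
        HOST_TO_FOLDER.put("app2.com", "/app2");
    }

    /** Folder for this server name, or null when the host is not one we serve. */
    static String folderFor(String serverName) {
        if (serverName == null) {
            return null;
        }
        return HOST_TO_FOLDER.get(serverName.toLowerCase(Locale.ROOT));
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String folder = folderFor(request.getServerName());
        if (folder == null) {
            // Unknown host: refuse instead of serving another host's content.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Servlet path plus path info covers both the default servlet and
        // explicitly mapped servlets; Tomcat has already decoded and normalised it.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        if (path.isEmpty()) {
            path = "/";
        }

        // A request that already names a content folder directly: allow it only
        // for the host that owns that folder, otherwise 404.
        for (String known : HOST_TO_FOLDER.values()) {
            if (path.equals(known) || path.startsWith(known + "/")) {
                if (known.equals(folder)) {
                    chain.doFilter(req, res);
                } else {
                    response.sendError(HttpServletResponse.SC_NOT_FOUND);
                }
                return;
            }
        }

        // app1.com/index.html is served from /app1/index.html inside the webapp.
        // The forward stays within this context, so no redirect is visible to the client.
        request.getRequestDispatcher(folder + path).forward(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

With the default filter-mapping (dispatcher REQUEST only) the forwarded request does not re-enter this filter, which is why the direct-folder check above is needed as a guard rather than for loop prevention.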


Re: How do I deploy a war file to a context path not matching the war file name

2013-02-01 Thread chris derham
 The documentation for the docBase (a.k.a context root) attribute
 states that the docBase attribute should be used to point to the war
 or exploded war file. My server's appBase is the default of 'webapps'
 and my WAR and exploded WAR are under webapps so I have specified a
 relative path of 'MYAPP' to point to the exploded war folder (i.e.
 webapps/MYAPP).

Move the exploded war to a folder outside of webapps. Personally I
create a folder called notWebapps.


 For clarity, here is the content of the context.xml file:

 <?xml version="1.0" encoding="utf-8"?>
 <Context docBase="MYAPP">
 </Context>


Then alter the docBase to be <Context docBase="../notWebapps/MYAPP">

HTH

Chris




Re: LDAP on TOMCAT 7.0.30

2013-01-31 Thread chris derham
 We have 2 Apps on tomcat with each having independent DB
 the credentials in both apps are in synch with the list of authorized users
 as per LDAP.

What does that mean? Where is the source of the credentials? When a
user changes a password, where do they change it? You say in synch,
so do the databases just copy the credentials from LDAP? How is the
sync working?

 *for the 1st app any valid user should be able to log in (using any Browser)
 only once to validate the LDAP verification ,

What does "validate the LDAP verification" mean - do you mean
validate their credentials against LDAP, right?

 On validating the request should continue to AAA of the Application as per
 the Local DB credentials

Do you mean that another round of authentication should occur in the
application? Surely the app could just pick up the SSO credentials?
Why do it again?

 and allow to successful logon ...probably log out later.*

 *Later If the 2nd apps is requested for the  authorization should not ask for 
 re-validation.*

  The process on any apps requires to validate credentials only once in a day.

So you want to configure the login process to work once per day, e.g.
the users are prompted once per day for either app, but once prompted,
they won't be prompted again for either app for the rest of the day.
Presumably if the login is without a prompt, then this requirement
disappears, e.g. if the browser can send current credentials to server
without any prompt, then it doesn't really matter how many times this
happens per day right?


  How can this be achievable [ Either at TOMCAT (if possible) or at Apache
 httpd since we use reverse Proxy conf ]

Subject to some confirmation from you about exactly what you want, the
previous suggestions should allow you to do all of the above

Chris




Re: LDAP on TOMCAT 7.0.30

2013-01-31 Thread chris derham
 Is this possible, Is there any material available for me

The links already provided cover all that you request

 I have read some where that Apache HTTPD  ( )  can do this SSO process,
 then the same could be at Httpd instead of Tomcat end .

 If so yes plz  let me know the process.

I have never setup SSO for httpd. Others on this Apache tomcat mailing
list might know, but I suggest that if you have questions relating to
Apache httpd, then you ask on the Apache httpd mailing list.

HTH

Chris




Re: LDAP on TOMCAT 7.0.30

2013-01-29 Thread chris derham
 Does that mean that Tomcat treats WIA similar to HTTP BASIC (or maybe
 DIGEST) unless you've approved a particular domain/host? That's
 interesting. Can you just enter anything you'd like? For instance, can
 I authenticate to a server that is expecting WIA from a Linux
 workstation just by entering my domain credentials into the dialog?
 That certainly sounds nice: the Microsoft Windows crowd doesn't have
 to authenticate (explicitly, that is... their credentials are that
 they are currently logged-into a machine on the network) but everyone
 else can also get in.


If tomcat is set up to work with SPNEGO authentication, then when a new
session requires authentication, the server asks the client for a
Kerberos token. Under IE this will be passed silently. Under FF, if you
have configured network.automatic-ntlm-auth.trusted-uris to the
URL of the server, this will be passed silently. If you set up your
*nix machines to log in to Active Directory they will have a Kerberos
token. If you also make the FF setting change, they too will then be
able to silently log in by sending through the Kerberos token.

I think as you configure the server, you can specify what to do if
SPNEGO fails. I guess one option would be to fall back to HTTP Basic.
If you didn't want to get the *nix machines to log in to Active
Directory, then I guess that would be a way to go. Guess that it all
depends on the security requirements.

HTH

Chris




Re: LDAP on TOMCAT 7.0.30

2013-01-28 Thread chris derham
 1) All 3 applications  are browser compatible  and users may use other then
 IE
 hence IE alone can be ruled out

Do you mean multiple browsers access these web applications, so we
can't use anything that is IE specific? Assuming that you do, I don't
believe that anybody suggested anything that is IE specific, e.g. the
SSO solutions so far posted will work in other browsers as well. Can
you elaborate on what you mean exactly please?

Thanks

Chris




Re: LDAP on TOMCAT 7.0.30

2013-01-28 Thread chris derham
 Do you need a plug-in or anything like that? Does it need to be
 specifically enabled?

 No, we use it all the time with IE, Firefox, and I believe Chrome
 as well.

Last time I was working in this area a few years ago, it worked by
default in IE and had to be turned on in FF. A rogue website would
request the token and do malicious things if it is handed out by the
browser whenever asked. The link explains the settings required.
Perhaps this has changed recently and works auto-magically now?

http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_configweb_new.html

Thanks

Chris




Re: Different webapp paths on different hosts

2013-01-26 Thread chris derham

 it's not. maybe it will make things clear if i change the names of the
 paths, say:

 * when user goes to http://app1.com/ - {thesamewebapp}/app1 path is served
 as root path of the domain app1.com
 * when user goes to http://app2.com/ - {thesamewebapp}/app2 path is served
 as root path of the domain app2.com


From this I conclude that the explicit requirement is to have a single
running version of the war, that responds to different domains. You
seem to think that you have an additional implicit requirement that
this must be done within tomcat by having different contexts. This
seems to me to be the source of confusion in all the replies to your
thread.


 What you are trying to do is make the same webapp answer both
 domain1.com/ and domain2.com/ right? If so you can simply
 deploy the webapp as ROOT. The webapp will then answer on all domains
 pointing to the server. If this is not what you want, you
 can set up a virtual host in server.xml with an appbase outside the
 webapps folder (eg. $CATALINA_BASE (or is it HOME?)$\domain1
 and then use the Alias element to specify the second domain as an alias
 for the first (which you set as an attribute in the
 Host element).


 i know these tricks, but they don't work for my case.

To my mind if you deploy the app as ROOT.war, as long as DNS is
configured correctly, that single context will serve responses to
http://app1.com/ and http://app2.com/. This appears to solve the
explicit requirement stated above. However you state "they don't work
for my case" - please explain why this doesn't work for your case.

Thanks

Chris




Re: Trying to install tomcat 7.0.35 but after installation it shows me as Apache Tomcat 7.0.2

2013-01-23 Thread chris derham
Kiran

 I want to run it as service. I installed this by running service bat file
 from cmd prompt. Once installation was successful, I checked
 localhost:8080. Over there I see version 7.0.2.

In a cmd prompt run netstat -ano. The output will list all processes
and the TCP port they have open. Find the row that ends with :8080 in
the second column. My machine runs tomcat on port 8084, and the row
looks like this

  TCP    0.0.0.0:8082    0.0.0.0:0    LISTENING    596

The last columns lists the process id. Start task manager (right click
on task bar and click start task manager). Under view, click select
columns, then add the PID column. Then look through the lists of
processes on the process tab. Find the one matching the process above
- so for my machine it was 596. When you have the row, click open file
location.

All this will show you the location of the tomcat running on port
8080. From what you have said it is very clear that it is tomcat
7.0.2.

 I cannot remove all tomcats since
 it will be a large effort for me. But I know there is nothing wrong with
 those. They sit in different directories.

If you really want to run 7.0.35 instead of 7.0.2, then remove the
service for 7.0.2, and then install the 7.0.35 service. To uninstall
the service, go to cmd prompt and from CATALINA_HOME\bin run service
uninstall.

The alternative is to run 7.0.35 on a different port, e.g. 8081. Would
this work better for you?

HTH

Chris




Re: Single Tomcat instance scalability

2013-01-18 Thread chris derham
 We have a web server hosted on Apache Tomcat Version 7.0.32.

 It is a single Tomcat instance on 64 bit windows.  Server.xml has two
 connectors: The ssl connector is HTTP NIO and the non-ssl connector is HTTP
 BIO.

 We are trying to achieve vertical scalability and would like to increase
 the concurrent users (~1) based on the given hardware.

 Is there any recommendation for maxThreads for single Tomcat instance?

 Any other recommendations for scaling single Tomcat instance?

The recommendations are to take an out of the box installation of
tomcat, and run a load test. Through monitoring establish where the
performance bottleneck is. Then make a single fix, and run the load
test again. If there is an improvement, repeat until you achieve the
desired performance or you can't improve things any more. If you hit
this, post to the tomcat forum and maybe somebody can help.

There is no magical setting that will enable your app to run with
10,000 users. Each app is different. Each app will have different
performance characteristics. The only solution is to load test as
above.

Good luck

Chris




Re: Mod_jk - loadbalancer

2012-12-03 Thread chris derham
 I use mod_jk loadbalancing. (JkMount /WebApp/* loadbalancer )
 I want to use only one loadbalancer.


Why are you using load balancing? Why do you want to use only one
loadbalancer?


 Can I set specific url after balancing
 ?

 For example, firstly every request will go to loadbalancer.
 Then if request is  /WebApp/A*.com, it will go to node1. If request
 /WebApp/B*.com, it will go to node2


Why do you not just proxy these requests and skip the load balancing?

Confused

Chris


Re: Handling requests when under load - ACCEPT and RST vs non-ACCEPT

2012-11-14 Thread chris derham
Having finally received the actual details of what the OP actually is doing
in email #37 of this thread, I was struck by a simple thought. I have
re-read the whole thread, and don't think/hope that I am about to say
anything completely stupid.

 We develop software that routes millions of requests to dozens of Tomcat
instances. 

So you have your own software in front of many tomcats that is responsible
for distributing the load between multiple tomcat instances

 Yes, we can and do support connection throttling at a slight cost to
 safeguard a single Tomcat from receiving more connections than it can, but
 if Tomcat was able to not reset connections at the TCP level - we can
 perform our task much better, and I do not think this will cause any
 problem to any other use cases of Tomcat - if we can just enable this
 behavior with a configuration parameter

My simple thought was that it sounds like your code isn't working. You have
more load than one tomcat instance can handle, which overloads that
instance. You are trying to write code to handle this situation, and seem
convinced that the only solution is to alter tomcat such that you can
detect/handle this occurrence in a way that is easier for your software.
You also state that when this happens, you will simply route to other
tomcat instances - the implicit assumption being that there is spare capacity on
the other instances. If this is the case, why didn't your code route to
these other instances in the first place? Surely this would obviate the
need for any changes to tomcat? What algorithm do you use to determine
where to send the load?

 I do not understand the negativity here..

After writing comments such as "If you can, try to understand what I said
better.. Its ok to not accept this proposal and/or not understand it.." you
really can't understand the negativity? Really? Are you sure?

Chris


Re: tomcat 7 PermGen

2012-10-25 Thread chris derham
 After upgrading to 7, deploying a new war file often results
 in PermGen error, much more often than in 6.(with identical JVM settings)
 I have tried all those JVM settings for perm memory but no help.

"All those JVM settings for perm memory" - could you share which
settings you have tried, and what values you set? Ideally tell us
exactly how you made the changes. Also knowing a little about your
system might help. You know the basics. Like which tomcat v7 - there
are 32 of them. Which version of Java? Which OS? Little things like
that help.

Thanks

Chris




Re: insfrastructure set list

2012-10-23 Thread chris derham
 Today we're about to deploy a simple app that is basically a charts
 solution that will run over Tomcat 7.X. Well, till there everything is all
 right. But since I'm not a heavy user of Tomcat I'm not so sure what could
 be the best setup for my app so as not to have problems at first sight
 from a misconfiguration.

 This app will have 100 concurrent users and in terms of hardware I'm not
 sure what they will give us.

 Is it possible that you guys share some experience and minimal setup for
 the above scenario?

 Thanks!!!

Daniel,

I think that you are trying to use this list incorrectly. If everyone
that wanted to use tomcat emailed the list, none of the people who
answer questions on the list would be able to get any work done. They
are only answering the questions posted on this list in their own free
time. Nobody is paid to answer questions on this list.

The suggested approach to using tomcat (and open source software in general) is

1) download, install, try it out
2) if you get an error, google for the error message. 99.99% of the
time, somebody else will have hit the problem and commented about it
somewhere
3) if you can't fix it by yourself, ask the list

You seem to be asking "for this piece of software (that I won't tell
you anything about), how should I configure tomcat?" Nobody can answer
that question. We don't know the software - you haven't told us. We
don't know the hardware. We don't know the load.

Even if people did know the above, the answer is always to try your
suggested load using your hardware, and see what happens. The defaults
generally work very well in a broad range of situations. That's why
they are the defaults. Perhaps you will need to tweak some settings,
but you need to have a baseline, and method to test what effect each
change actually has.

HTH

Chris




Re: Setting JVM Parameters in Windows Service for Tomcat7

2012-09-20 Thread chris derham

 The documentation tells, that this could be done by calling tomcat7
 //US//Tomcat7 ...
 This method works, but it is not practicable for our production
 environment, because these settings are stored in the registry.

Matthias - can you please elaborate on exactly what "it is not practicable
for our production environment" means?

Thanks

Chris


Re: exploting tomcat vulnerability with example

2012-09-19 Thread chris derham
On Wed, Sep 19, 2012 at 10:02 AM, Ragini raginippa...@gmail.com wrote:

 For my research work I want to have different attacking scenarios which
 exploit vulnerabilities of JAVA based applications. These java applications
 can be just any web-application, desktop application or any other. For this,
 I was thinking to exploit vulnerabilities of tomcat itself (because it is
 in java). I went through different vulnerabilities of different versions of
 tomcat on apache tomcat's official site. They have provided information
 about what the vulnerability is and what its consequences are.

 But I am looking for some real time example by which I can exhibit the
 exploitation of tomcat’s vulnerability. The version of the tomcat can be
 just any. I would like to try vulnerabilities like authentication bypass,
 information disclosure or some other which really compromises the security.

 Could anybody please suggest some source where I can get step by step
 information about exploiting tomcat’s vulnerability with example ? It would
 be nice if the example web application used for exploitation is also in
 java.

 I would really appreciate your any kind of help regarding this.

 Thanks.

 Richa.


Have you tried webgoat?

Chris


Re: Root context switching

2012-09-04 Thread chris derham
 I am new to Tomcat. What I like to do is to deploy different versions of my
 application, for example:
 hostname\myappv1
 hostname\myappv2

 Now I want the ROOT context to be set dynamically to one of the available
 deployed versions. Is this possible? Is there a way to implement this?

Dennie,

This question is asked regularly. The regularly posted answer is that you
must call the root war ROOT.war, such that it is unpacked as
CATALINA_HOME\webapps\ROOT. There may be ways around this, but it really is
much, much simpler to do this in all cases I have seen discussed.

Having said that, you say that you wish to change the ROOT dynamically.
Why? What is your use case? If you explain, perhaps we might be able to
describe a suitable alternative

Chris


Re: Root context switching

2012-09-04 Thread chris derham

 Basic what I want is the same functionality which google apps provides. So
 I want to be able to have multiple versions of my application online, let
 people try the new environment and eventually switch the root context to
 the new running version. This enables my clients to try out the new version
 and options before they switch over to the new environment and enables me
 to fix bugs found in the new release.

Two options spring to mind. First is to have multiple tomcat instances
running. One is production with accepted versions of wars. Then a second
instance could run on a different port allowing you to test the new wars.
When they are accepted, you deploy on the production instance. Second
option is a slight variation - you could run a single instance, but have
two hosts specified. In one host you specify your production wars, and in
the second you specify your UAT wars.

Every company that I have worked in always runs separate production and
UAT machines. If you don't want multiple machines, then I'd go for option
1.

HTH

Chris


Re: tomcat and DB oracle problem - only in higher versions

2012-08-16 Thread chris derham

 I found the following problem when a java application is trying to save xml data
 into an xml column in the database.

 I found a problem with tomcat which is happening in the version 6.0.32 and
 6.0.35 (maybe also in other version), but working really fine with version
 6.0.26.


 My configuration:


 OS: windows 7 enterprise

 IDE: Eclipse EE 3.7.1

 Java: 1.6.0_33

 Tomcat: 6.0.26, 6.0.32, 6.0.35

 DB: Oracle Database 11g Enterprise Edition 11.2.0.3.0

 Other technologies: Spring 3.1.1 + Hibernate 3 + Struts 1.1



Can you provide details of how you create your connection to the database?
Config file or code? This should shed some light on the issue. I recall
that I hit this in the past, and it is to do with how the connection pool
is setup. Perhaps with the details, it might ring some bells for me or
somebody else.

Thanks

Chris


Re: ClassCastException org.apache.jasper.runtime.ELContextImpl cannot be cast to org.apache.jasper.el.ELContextImpl

2012-08-09 Thread chris derham
 I am 95% certain of what is happenning but haven't tested this. It will
 help your understanding if you read the EL specification, specifically the
 section in the Javadoc regarding how implementations are discovered.
 Tomcat implements these rules. It is possible for an EL implementation to
 be loaded from an application. Everything will be fine EL-wise for the
 application that shipped with the EL implementation but things will
 fall apart for any other application that tries to use EL since the
 implementation classes will not be visible.

Mark,

I don't understand one key component of your response. I don't pretend to
understand the internals of tomcat, but I thought that I had a good grasp
on how things were supposed to work. Please forgive me if I ask something
stupid.

You seem to say that the EL implementation will be loaded from the app2, as
it has an implementation present in its lib. You then say that this won't
be visible to app 1, presumably because this class is loaded into the
app2's class loader. That bit matches up with my understanding on app class
loaders in web containers - each app has its own, and they are separate
preventing leakage from one app to another. The bit I don't really
understand is when app 1 tries to run some EL code, surely the same
mechanism should kick in and load an EL implementation. I get that app 1
doesn't have an impl in its lib folder, but I would expect the call to be
passed to the tomcat shared class loader, whereby tomcat's EL impl is
loaded from CATALINA_BASE/lib. You seem to imply that once tomcat has
loaded a EL impl into the app2's classloader, that this some how breaks or
dirties the tomcat shared classloader so that it can no longer work the way
I describe above. Could you spare a minute to explain where my
understanding falters?

Thanks

Chris


Re: TOMCAT with multiple sites (one on https, others on http)

2012-08-07 Thread chris derham

 I have configured the server.xml to run a few sites with HTTP and HTTPS,
 HTTP sites work correctly, that HTTPS is not responding, can not display
 the page

 Massimo Chirivì

Massimo,

Pid's reply was asking you to answer some specific questions. You appear to
have only answered the first one of them by irony only.

The people on the list will need all of these specific questions answered
in order to help you any further. Here is the list once again in case you
have lost the previous email

Chris

 Are you just repeating the same question over & over?

 Have you read the documents provided previously?

 What version of Tomcat are you using?

 What *exactly* does 'not ok' mean?

 Are there any errors in the log files?

 Can you describe the symptoms of the error?

 Have you ever read & comprehended:

  http://www.catb.org/esr/faqs/smart-questions.html


Re: Location of Tomcat 7 jvm defualt settings...

2012-07-21 Thread chris derham
On Fri, Jul 20, 2012 at 6:31 PM, Tony Anecito adanec...@yahoo.com wrote:

 Thanks for the quick reply Mark.
 Yes I saw your comments in one of your presentations about profilers and I
 am a fan of visualvm and have profiled Tomcat in the past but when down to
 1-2msec not sure how much the profiler can pick up. I did notice that as
 the hotspot engine warms up the response times start to see improvement.
 I did adjust the -Xss256k from the default of 1M and I am looking forward
 to when I get home to see the results since the response times quickly went
 to 3msec after that was set and hope to see 1msec or below after running
 for 1 day if that change really helps. I did start out profiling the SQL
 and that helped and switching to the jtds jdbc driver which seem to help
 even more and of course eliminating the interprocess communication (Tomcat
 - JBoss). I made sure my data types in SQL server were unicode so the jdbc
 drive did not do extra conversion work to unicode. I am slowly moving to
 the front (JAX-WS to JAX-RS) and then a deep dive into OS tuning. After that
  I will stop tuning for another 6 months I guess.


Tony,

With all due respect, you sound like you are fiddling with settings to
learn rather than tuning. What I understand by tuning a webapp is that you

1. Create an automated test script to simulate some load
2. Increase the load until you bring the webapp to its knees -
   either 80% CPU or responses taking 1/2 sec to return
3. Critical step - you tell your bosses the maximum level that the app
   can currently support, e.g. X concurrent users performing A and B and C
   routes through the app.
4. If they say that's all they need, then stop
5. Otherwise use a profiler to establish where the bottleneck is
6. Fix it
7. Repeat from step 2

Using this technique you make sure that you don't waste time fixing issues
that aren't really issues. As a programmer, it kind of hurts to admit it,
but programmers are wrong when they guess where the performance issues are.
Always. This isn't my idea - read the performance tuning books. You'll just
make code more complicated, and less maintainable.

IMO there is nothing wrong with fiddling with settings to see what they do.
However unless you have a repeatable (read automated) test script that
allows you to test after each individual change, you're just whistling in
the wind.

Now it is possible that I have all this wrong. Perhaps you have an
automated script, and you are doing all the above. It doesn't sound from
your description that this is the case, but if it is then I apologise

HTH

Chris


Re: How to initiate session id change from application code?

2012-06-28 Thread chris derham


 Good evening Pavel. Implementing an SSL Connector on Tomcat will prevent
 Session Fixation attacks


Martin,

This is not correct. Using SSL will not stop session fixation attacks

Chris
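
The application-level defence the thread title asks about is to replace the session id at the moment of login; TLS only protects the cookie in transit and does nothing about an id that was planted before authentication. The helper below is an added example, not code from the original thread: it uses only the Servlet 3.0 API that Tomcat 7 ships (Servlet 3.1 / Tomcat 8 add HttpServletRequest.changeSessionId() for the same purpose), and the attribute name "authenticatedUser" is an assumption.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session fixation defence for application-managed login (added example).
 *
 * An attacker who got a known JSESSIONID into the victim's browser before
 * login owns that session after login, regardless of SSL, unless the id is
 * replaced when authentication succeeds. This helper discards the pre-login
 * session and moves its attributes into a freshly created one.
 */
public final class SessionRotation {

    private SessionRotation() {
    }

    /**
     * Replaces the current session with a new one, carrying over attributes,
     * and returns the new session. Call this right after credentials have
     * been verified and before any user-specific state is stored.
     */
    public static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            // Only carry over what the application itself put there; an
            // attacker controls the id of a fixed session, not normally its
            // contents, but be deliberate about what survives the rotation.
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            // Invalidate first so Tomcat issues a brand-new id; the id the
            // attacker fixed on the client is no longer a valid session.
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Example login step: verify elsewhere, rotate, then record the principal. */
    public static void onSuccessfulLogin(HttpServletRequest request, String username) {
        HttpSession session = rotateSession(request);
        // "authenticatedUser" is an assumed attribute name for this example.
        session.setAttribute("authenticatedUser", username);
    }
}
```

Tomcat's own FORM authenticator does the equivalent for container-managed login (changeSessionIdOnAuthentication); this helper is for the case in the thread, where the application handles the login itself.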


Re: Tomcat 7.0.28 connection pool issue

2012-06-28 Thread chris derham
On Thu, Jun 28, 2012 at 12:38 PM, Yasser yarafa...@gmail.com wrote:

 Yes. It does show that maxactive has reached 100. I also use splunk to get
 the connection status at the oracle side.
 What I don't understand is that Resin needs just 50 connections to handle
 the same load. I am in the process of increasing the count to 300 and see
 if that makes a difference. Oracle has the capacity to handle that many
 connections.

We hit an odd oracle exception that may be related. Can't explain it
really well, but the essence of the bug in Oracle was that the
tnslistener's connection count wasn't updated regularly enough when
connections closed, so it could believe that the connection limit had been
exceeded when the db instance was still happy to accept more connections.
As I recall this was a known Oracle issue, and was fixed by increasing the
acceptable connection count in Oracle. Can you provide the exact exception
from the logs that you hit?

Also have you tried turning on connection pool logging to diagnose when
actual physical connections are created?

Chris


Re: Wish to use an independent class module in Tomcat

2012-06-26 Thread chris derham
On Tue, Jun 26, 2012 at 12:46 PM, Cotton, Joseph B bcot...@dpscs.state.md.us wrote:

 I looked at the Realm documentation for a few minutes, but it appears to
 be intended for User ID and Password verification.

Joseph,

Ignore Martin's JDBCRealm suggestion - his responses don't seem to relate
to your concern

 We wish to have a class running on Tomcat that contains system wide info
 and multiple database connections into DB2 on the mainframe. All other
 apps running on Tomcat will open an instance of this class to access
 the static info and one of five open connections. Opening and closing
 database connections is very slow and we wish to leave open the
 connections and just reuse them as needed.

Each webapp exists in isolation - they are all inside the same JVM, so in
theory you could allow them to talk to a single instance. Perhaps it would
be clearer/cleaner to have the common code in a separate JVM, and then use
some kind of RMI to communicate to it? Or perhaps you could have a
background component that performs requests that are queued to
disk/memory/database/message queue?

Perhaps a dumb question - if the connections are slow to open, that's fine,
but just allow each app to have one open and then they can co-exist and you
don't need to worry about all of this?

HTH

Chris

 We wrote the class and it runs ok. Yet to get it to run with an app,
 we need to load the class jar file into the app and references in
 context.xml and web.xml as listed in the documentation. But that
 defeats the purpose of the global app because then there are multiple
 instances of the class.

 We tried to insert a reference in GlobalNamingResources of server.xml.
 It doesn't seem to work for us.

 Or are we off base with this design? Is app to app communication
 allowed? Can I call a class from one app to another without first
 loading the called class into the calling class?

 I am using NetBeans IDE 7.1.1, Apache Tomcat 7.0.22 and Java 6.23
 (build 1.6.0_23-b05). Java 7 is not an option in our shop yet because
 we are supporting a commercial package that breaks when run under Java
 7.

 I would appreciate if the group could point me to the correct
 documentation to do what we are looking for, and perhaps a translation
 of the Tomcat specific terminology and jargon.

 Thanks

 Joe






Re: Request timeout option in HTTP or AJP Connector

2012-06-22 Thread chris derham


 Using tomcat 6.0.29.

 I want to know if there is any parameter in the HTTP\AJP connector to set a
 request timeout (i.e. if a particular request is taking a long time to complete
 it should time out after the configured timeout value).

 My web application is communicating with some external system where the response
 is very slow for particular queries, so I want tomcat to time out those requests.

How do you communicate with the external system? You say particular
queries so is it jdbc? Can't you set a timeout whatever communication
mechanism you use to connect to the external system? Then detect the
timeout in your webapp and respond appropriately

Chris


Re: user switching or application interacting with container based authentication

2012-05-23 Thread chris derham


 any hint on fast-user-switching or
 applications-interacting-with-container-based-authentication are very
 welcome.


Dirk,

We had an app where support staff can login, and then on a special form
enter the username of the person to impersonate and their own password (to
prevent abuse), and the system then allows them to impersonate the user.
Worked well for viewing exactly what the user was seeing when reporting
issues. To do this we used acegi security - has built in support for
impersonation.

HTH

Chris


Fwd: mod_jk binary

2012-05-16 Thread chris derham
Steffen from apache lounge asked me to forward this to tomcat mailing list

Chris

-- Forwarded message --
From: Steffen i...@apachelounge.com
Date: Wed, May 16, 2012 at 12:10 PM
Subject: Re: mod_jk binary

  Chris,

Made 1.2.36 Apache 2.4 Win32/Win64 available.
Maybe you can say it on the Tomcat user list.

Steffen


Re: IE caching problem-

2012-05-13 Thread chris derham

 never had this problem when I deployed to Solaris. I'll try again
 tomorrow when I have a REAL Operating System to deploy my webapp


So you have a web app, serving up web pages, that are being cached in a
browser. The browser is not refreshing, for reasons unknown. You say that
the clock was incorrect, but now I assume the problem is still occurring.
Yet you think that moving the webapp to a real os will help?

Browsers cache pages only if they are told to. Have you used some kind of
technique to check the headers? Fiddler or live http headers? Why are the
pages being cached?

Once you know that, perhaps you can resolve the issue. If I had a car that
wouldn't start, I know nothing about cars but I'm reasonably confident that
changing the garage won't help the issue that much

Chris


Re: 64bit windows mod_jk connector download for apache httpd 2.4

2012-04-25 Thread chris derham
 Wow, that was fast.

 Far better than commercial support IMO


  I am grateful too for the above, but since you appear to have a good
 connection, and for the sake of symmetry, should not one ask them also for
 the 32-bit version ?


I sent one email, and he went for it. I don't really call that a good
connection. I also thought about the symmetry thing yesterday and asked
for a 32 bit one. He replied last night saying it was bed time, and would
do it tomorrow. He emailed again today saying it was there now, and when I
checked today it was there. So I think we owe Steffen from apache
lounge some thanks/donations

Chris


Re: 64bit windows mod_jk connector download for apache httpd 2.4

2012-04-24 Thread chris derham

   Exactly. Might be better to come from userland

 +1


 I have emailed the apache lounge contact email asking if they would
 consider including a build of mod_jk - lets see what happens

 Thanks

 Chris


And we have a winner - 64 bit mod_jk now present on
http://www.apachelounge.com/download/win64/

Thanks for all your help, and apache lounge for doing the work

Chris


Re: 64bit windows mod_jk connector download for apache httpd 2.4

2012-04-23 Thread chris derham

  Exactly. Might be better to come from userland

 +1


I have emailed the apache lounge contact email asking if they would
consider including a build of mod_jk - lets see what happens

Thanks

Chris


Re: 64bit windows mod_jk connector download for apache httpd 2.4

2012-04-19 Thread chris derham
On Wed, Apr 18, 2012 at 5:07 PM, Mladen Turk mt...@apache.org wrote:

 On 04/18/2012 02:00 PM, chris derham wrote:

 All,

 Our setup has apache tomcat running behind apache httpd using mod_jk. I
 would like to upgrade to apache 2.4, but for this I need to find a 64bit
 mod_jk release for httpd 2.4. The binaries contained at
 http://tomcat.apache.org/download-connectors.cgi are 32 bit httpd connectors,
 or a 64bit iis one.


 Why would you need a 64-bit httpd at the first place
 especially on windows.


Can't help feel that I am falling into a trap here, but if we have a
windows 64 bit os, using 64 bit jvm and 64 bit tomcat, are you suggesting
that it would be better to use a 32 bit httpd and mod_jk?


 Anyhow, building should be easy if you have 64-bit windows dev httpd.

 Open Vstudio command prompt for 64-bit development
 (You should have a shortcut for that)

  cd where-ever-you-unzip\tomcat-connectors-1.2.35-src\native\apache-2.0
  nmake -f Makefile.vc ARCH=AMD64 APACHE24_HOME=C:\httpd-2.4.2

Worked perfectly. Thank you. Would you think that it is a good idea to add
this text to a new section in building.txt? I can supply the patch to the
documentation if you concur, just not sure if this should go into a new
file or an addendum to the existing one

I see that the binary releases that are available are signed by you. So
perhaps I could ask why there isn't a 64 bit mod_jk included? I assume the
answer will relate to your response to the above question

Thanks for your help

Chris


64bit windows mod_jk connector download for apache httpd 2.4

2012-04-18 Thread chris derham
All,

Our setup has apache tomcat running behind apache httpd using mod_jk. I
would like to upgrade to apache 2.4, but for this I need to find a 64bit
mod_jk release for httpd 2.4. The binaries contained at
http://tomcat.apache.org/download-connectors.cgi are 32 bit httpd connectors,
or a 64bit iis one.

Can somebody help point me to where suitable binaries are? Alternatively
could somebody point to some documentation showing how to build them
myself? I know for unix you can just download the source and follow the
build scripts, but for windows I believe that the build process will be
considerably more complicated than configure; make

Thanks for any help

Chris


Re: Tomcat with mod_jk becomes irresponsive after working for awhile

2012-02-26 Thread chris derham
Ofer,

Look at the articles in the link already given -
http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
- find the bit about sendsignal. Download this program, and run it. This
provides the windows equivalent of sending -3 to a *nix java process, e.g.
encourages it to provide a thread dump. I have used it in the past on windows
with great success. Requires no changes to get it to run, e.g. you do not
have to restart a process or configure it

HTH

Chris


Re: Tomcat with mod_jk becomes irresponsive after working for awhile

2012-02-24 Thread chris derham

  http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F
 for more info, to get a thread dump of tomcat.

 I have seen that page but actually can't use the //MS// option as
 Tomcat is already running and in this bad state that I want to catch
 without restarting the service.  Is there some way to gather this
 information without a restart?

If you look at that article, the paragraph above where it mentions the //MS//
option mentions using sendSignal to generate a thread dump. We've used
that in the past and it allows generation of a thread dump on an already
running process with no restart

Chris


Re: JNDI Access in Lifecycle Listener

2012-02-14 Thread chris derham

 i load a spring xml with my own lifecycle listener. Which works pretty
 well actually.
 In my spring xml i try to get a datasource from the JNDI context. I
 put the definition in the server.xml under GlobalNamingResources.
 My lifecycle listener is loaded after the GlobalResourcesLifecycleListener

 During the startup catalina.out tells me:
  javax.naming.NameNotFoundException: Name java:comp is not bound
 in this Context

 My first idea was, that the JNDI context is not published when loading
 the spring xml file, so i tried to add a specific environment to the
 spring lookup
 <jee:environment>
   java.naming.factory.initial=org.apache.naming.java.javaURLContextFactory
   java.naming.provider.url=file:${catalina.base}/conf/server.xml
   java.naming.factory.url.pkgs=org.apache.naming
 </jee:environment>

 That doesn't help.

 Can someone tell me how to access the context in this early state of
 loading.

Please provide the configuration of the jndi lookup in spring.xml and the
tomcat jndi configuration. Version details of java/tomcat/spring may also
help

Thanks

Chris


Re: Tomcat memory requirements

2012-01-25 Thread chris derham

 Hi Celso, your signature is in Portuguese, so I will talk in
 Portuguese...

 I have 12 years of experience with Linux and two published books, and I have
 never seen a Tomcat run without consuming a huge pile of megabytes of memory.
 I think Java is a bad platform, but one that everybody defends and wants to
 use; maybe it is easier to develop in Java, which I find hard to believe,
 maybe portability is easier, but I find it unlikely that PHP is not portable
 and that there are no other portable things such as Ruby.

 What I do know is that at every company I went to in order to solve some
 server problem, Tomcat consuming memory was on the list. For example, at the
 company I am currently at, Tomcat consumes 2 GB of memory on a system that
 processes 2 million records; although it seems explainable, this would never
 happen if we were using PHP. I have never been to a company where they
 complained to me that a PHP application was slow or eating memory; that is
 a myth.

 But a real myth is to say that Linux will solve Java's problem, which is
 eating memory without limit; maybe it is the developers who are very bad,
 but then I have yet to find a good one, because every company I went to had
 the same problem. I hope I am not expelled from this list for saying this.
 But unfortunately everyone here must know in their heart that it is true.

 Now, if your system is freezing, start by increasing the memory of the
 Java virtual machine.

For the benefit of the non-portuguese speaking list members, Luciano
basically has a rant about

1) how in his experience java always consumes lots of memory
2) how php is much better
3) how php doesn't randomly consume memory

He also wishes that he is not expelled from the mailing list for making
these comments. Rather than having a php vs java discussion, I would just
reply that the java process is configured to have a maximum amount of
memory. The java process will never exceed this. If you have gone into an
environment where the server is using 2gb of memory, then it was explicitly
configured to do so. It is not true to say that java just kept on
consuming memory infinitely


 2012/1/25, Celso Magalhães Dantas Neto ce...@reconcavo.org.br:
  Hey everyone!
 
  Does anyone knows where I can find any information about Tomcat memory
  requirements?
 

Couldn't you just run tomcat without any webapps installed? Surely that
would provide the information that you require? Presumably it would be
different on each platform, so doing this on your target platform would be
easiest


  Here's the problem: I got a client who's running a Tomcat process in his
  machine and it is taking around 150MB of RAM and he is complaining about
  it. It's a webapp and for me it's normal to a webapp to take that amount
 of
  memory, but I want to argue with him with some data.
 

If in his server tomcat process takes 150MB of memory, what is the issue?
The box has more than 150MB of memory free right, so what's wrong?

  So I'm looking for some Tomcat memory requirements info, even if it's a
  memory requirements to run Tomcat only, with no deployed webapp. It will
  help me to argue with him.
 

Good luck

Chris


Re: Strategy to prohibit concurrent users authenticated through Tomcat

2012-01-13 Thread chris derham

 I am using Tomcat 7.0.11 and use Form Authentication (via
 j_security_check) to authenticate through the Tomcat server.
 Currently, two users with the same username can log into my application
 from two different computers and concurrently access the app.
 Is there a way to prohibit a user from authenticating if a user with the
 same username has previously authenticated and still has an active session?

We use spring security in a web app that is deployed in tomcat. It has
built in support for this - you can configure it to either disallow subsequent
sessions, or kill the first session and allow subsequent sessions. This
should explain it better than I can
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html.
Don't know how big a task it would be for you to move to this, but it works
really well for us

 If you provide a bit more information about what you are trying/need to do,
 someone may come up with a better idea.
 For example, what is the real problem - in your application - when two
 people at different computers login with the same user-id ?

+1

Chris


Re: Single war file - multiple hosts - can't get log4j to log to different files

2011-11-23 Thread chris derham
  We thought this would allow us to monitor all contexts with a
  single probe install, but it only seems to show a single localhost
  context. I assume that the hosts are separated, and that the
  context=privileged setting can allow a web app to access other
  webapps in the same context, but not across hosts.

 So... what setting is that?

I meant the crossContext=true setting. I have searched around, and can
see that both tomcat's manager and probe are not able to monitor virtual
hosts other than the one that they reside in. So I will just have to deploy
manager and/or probe for each virtual host. I just wanted to see everything
in a single place - from what I have read this can't be done


 1. Move your .war files from out of the webapps directory (and subdirs)
 2. Update the paths in ROOT.xml and probe.xml to point to the new
   location
 3. Remove the local and demos directories

Thanks for the pointer. What I ended up doing was moving all wars to
CATALINA_BASE/notWebapps. Then I unpacked them, and set the relevant
context.xml's docbase to point to the exploded directory. Seems to work
well now

 The only idea I have left if nobody can see an obvious flaw in our
  logic is to write some custom code to initialise log4j. We would
  just need to pick up the context, or a jndi variable and then
  prefix the log file name with this. Guess it can't be that hard -
  just figured that somebody would have hit this before.

 I think that's your best bet.

Yes it was surprisingly easy. We created a subclass of Spring's
Log4jConfigListener, and then prefix the file parameter of any file
appenders. We set the web.xml value to blank, which is ignored, and then
when required we can override it in context.xml. Thanks for the pointer

 I recall that Mark Thomas mentioned something in a recent response
  about looking for some code in tomcat source where it allowed
  different contexts to register with JMX using different ports. I
  looked and can't find it - always hard to google for something if
  you don't know the term. Can anyone provide a pointer to if there
  is an existing variable containing a context id, or path, or name
  or something unique that we could use to prefix the log file - or
  is it just easier to setup our own context parameter?

 I'm not sure that using JMX is going to make your life any easier.


I thought that via some internal to tomcat mechanism, I would be able to
detect which context I was in, and thus be able to use that to drive the
prefix for the log file, rather than having to have a specific web.xml
setting that each context overrides.

Thanks for your quick and detailed reply

Chris


Re: Babysitting ThreadLocals

2011-11-23 Thread chris derham

 A silly question:

 why do you use a ThreadLocal to store a constant value for entire
 application? why not a static variable or store into web application
 context , by example ?

The string of the date format is constant. However the SimpleDateFormat
class is not threadsafe, so you will hit intermittent issues when sharing
across threads.

  So, my question is whether or not there is a good way to clean-out the
  ThreadLocals from our webapp?

It would be much simpler code to read/write/maintain if you just create
new ones each time - as Charles says. Then profile the app, and only if the
creation of SimpleDateFormat objects is slowing the app, then try to
optimise.

If you do this, and find that creating these objects is taking more time,
then perhaps one method would be to use a weak object reference to the
thread local. That way you would get the best of both worlds - no memory
leak and reduced creation of SimpleDateFormat. However most people coding
probably won't know what a ThreadLocal class is/does, let alone a Weak
memory reference. IMO it would be easier just to code the easy way

Chris


Single war file - multiple hosts - can't get log4j to log to different files

2011-11-22 Thread chris derham
All,

Java running on windows 2008 r2 against tomcat 7.0.19

java version 1.6.0_24
Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)

I have a single war file, and would like to host multiple demo sites of our
app. So ideally users access demo1.company.com and demo2.company.com.
Completely isolated, but all running the same war. Please correct me where
ever my logic is wrong, but I figured that I would

1) have a tomcat instance, containing config directory. This would have
catalina/demo1.company.com/ROOT.xml containing pertinent jndi config.
2) in server.xml add this

  <Host name="demo1.company.com" appBase="webapps\demos"
        unpackWARs="false" autoDeploy="false">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs"
           prefix="demo_access_log." suffix=".log"
           pattern="%h %l %u %t &quot;%r&quot; %s %b"
           resolveHosts="false"/>
  </Host>

When I start the app, it works and the app works. However all contexts'
apps log to the same log file. What I want to know is how to make the
different contexts under different hosts log to different files. Our log4j
file contains

  <appender name="FILE" class="org.apache.log4j.rolling.RollingFileAppender">
    <param name="Threshold" value="INFO" />
    <param name="File" value="${catalina.base}/logs/demo.log" />
    <param name="Append" value="true" />
    <rollingPolicy class="org.apache.log4j.rolling.TimeBasedRollingPolicy">
      <param name="FileNamePattern"
             value="${catalina.base}/logs/demo.%d{-MM-dd}.log" />
    </rollingPolicy>
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %t %X{user} %-5p [%c] %m%n" />
    </layout>
  </appender>

I have searched around, and found some references to JNDI context selectors
for log4j, but I believe that this is to allow log4j separation - not
directly related to what I am trying to do.

I have tried to add a suitable web.xml environment entry, and then add it
to the log file name, e.g.
${catalina.base}/logs/${tomcatInstancePrefix}demo.log. Then in ROOT.xml for
each host I add

  <Environment name="tomcatInstancePrefix" value="demo2-"
               type="java.lang.String" override="false"/>

and in web.xml I add

  <resource-env-ref>
    <resource-env-ref-name>tomcatInstancePrefix</resource-env-ref-name>
    <resource-env-ref-type>java.lang.String</resource-env-ref-type>
  </resource-env-ref>

but that didn't work

Has anyone else done this? I can't believe that we are unique. Perhaps I am
just ignorant of the correct term to search for. Any help greatly
appreciated

Thanks

Chris


Re: Single war file - multiple hosts - can't get log4j to log to different files

2011-11-22 Thread chris derham
   <Host name="demo1.company.com" appBase="webapps\demos"
         unpackWARs="false" autoDeploy="false">

 The appBase I find a little concerning... You don't have any apps
 directly placed in webapps do you?

So I wasn't 100% sure exactly what to do here. I setup a folder under
webapps called demos. We put our app there, named ROOT.war. Then in another
subfolder of webapps called local, we put probe.war. We thought this would
allow us to monitor all contexts with a single probe install, but it only
seems to show a single localhost context. I assume that the hosts are
separated, and that the context=privileged setting can allow a web app to
access other webapps in the same context, but not across hosts.

Does that explanation make sense, and does that remove your concern?

The only idea I have left if nobody can see an obvious flaw in our logic is
to write some custom code to initialise log4j. We would just need to pick
up the context, or a jndi variable and then prefix the log file name with
this. Guess it can't be that hard - just figured that somebody would have
hit this before.

I recall that Mark Thomas mentioned something in a recent response about
looking for some code in tomcat source where it allowed different contexts
to register with JMX using different ports. I looked and can't find it -
always hard to google for something if you don't know the term. Can anyone
provide a pointer to if there is an existing variable containing a context
id, or path, or name or something unique that we could use to prefix the
log file - or is it just easier to setup our own context parameter?

Thanks

Chris


Re: Grabbing the user's info

2011-11-16 Thread chris derham

 But for _transparent_ authentication IIS is required as Christopher
 mentioned.

That is not true. You can use SPNEGO to setup transparent authentication
directly to tomcat. You do not need IIS. This means that a browser accesses
a protected url on the server, and the server and browser discuss who the
user is, and then the application is presented with that information. This
discussion is transparent and involves no user interaction. This can be
done by default in IE and I believe chrome, but firefox is more secure so
needs to have this authentication explicitly enabled - by
default it is turned off to stop hackers falsely requesting the details
from a malicious server

HTH

Chris


Re: Include Network path into Tomcat - urgent

2011-11-15 Thread chris derham
On Tue, Nov 15, 2011 at 11:39 AM, Alexander Diedler adied...@tecracer.de wrote:

 Hello,
 This is no option, this solution means, that the windows session must still
 remain opened with a logged in user.

Not true. You can setup tomcat to run under a service account, and have
the service account map that drive.

Chris


Re: SSL for modjk and tomcat

2011-11-10 Thread chris derham

 Simple: I have setup httpd, modjk, tomcat. I want to enable SSL (i.e. I can
 handle everything on https).


If you have httpd sending traffic via mod_jk to tomcat, you are nearly
there. Just configure httpd to listen over ssl.


  If (instead) you want to encrypt the AJP connection between HTTPD and
 Tomcat, you'll have to use an SSH tunnel because the AJP protocol is not
 encrypted.

 Now AJP does not support SSL, fine. i.e. AJP protocol is not
 encrypted.
 I don't want an SSH tunnel.


That's fine if you don't want/need a tunnel


 What other approach can I follow now? I mean, another way?

 I am not sure where to configure those mod jk directives and what
 configurations at tomcat side?


I don't think you quite understand how this list works. You need to ask a
specific question, and people will generally try to provide a specific
answer. In your email you say you have httpd/mod_jk/tomcat communicating.
You keep saying that you want to turn on ssl. As 3 people have already
pointed out, you can have ssl between browser and httpd. You can have ssl
between httpd and tomcat, but you said you don't want that. If you
configure httpd for ssl, then you're probably there. IMO you only need to worry
about those mod_jk directives if you need tomcat to know that it is being
handed a connection that has come from an ssl connection. Perhaps explain
why you need this ssl information in your app? Perhaps supply a copy of
web.xml with the security constraints?

In short help us help you -
http://www.catb.org/~esr/faqs/smart-questions.html

Chris


Re: Session time out never takes place with ajax

2011-11-10 Thread chris derham

 So to recap, and verify my understanding...
 Perhaps I am missing some valve overview.

 I understand it is invoked before the filters, but after completion it
 would arrive at the filter/servlet container anyway.
 So what you're saying is that if I build a valve and read information from
 an IO file or db or any other cached data which doesn't trigger a
 request.getSession
 that will work?
 And if so, I will still need to break the chain and prevent it from
 continuing deeper into tomcat or else it will update the session access time

Instead of mapping all requests e.g. /* through security*, you could split
your app. So say /public folder contains static resources and requires no
security*. You could put dynamic resources under /dynamic and map to
security*. That way anybody requesting a dynamic resource would need a
session, and this would be touched on every request to /dynamic/*. If you
had this kind of setup, then you could create another top level folder
called say /ajaxPing and not map that to security*. Then as long as the
filter/servlet/jsp page that fulfills that request does not call
request.getSession, you will fulfill your aim to respond without affecting
session expiration

Alternatively you could put a valve in the front of the whole web app, and
have that respond to a given url, and then stop the request, e.g. not pass
the request to tomcat. I believe that is what Mr Schultz was suggesting

* when I keep saying security, I'm not sure the correct collective term. I
don't just mean container security, but also any filter/servlet/jsp that
calls request.getSession

HTH

Chris
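
The /ajaxPing idea above, as an added example that is not code from the original thread: a servlet Filter answers the ping itself and never calls getSession(), so Tomcat's idle timer for the session keeps running and an unattended browser still times out. It assumes the filter is mapped to /ajaxPing/* in web.xml and that this path sits outside any security-constraint (otherwise the container authenticator touches the session before the filter runs); the path name is the one from the reply above.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Answers the periodic Ajax ping without touching the HttpSession (added example).
 *
 * Tomcat refreshes a session's last-accessed time when request code asks for
 * the session via getSession(); a ping handler that never does so leaves the
 * idle timeout in force, which is the point of having a timeout at all.
 */
public class AjaxPingFilter implements Filter {

    /** Path assumed for this example; map the filter to /ajaxPing/* in web.xml. */
    static final String PING_PATH = "/ajaxPing";

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isPing(request)) {
            // Short-circuit: do NOT call chain.doFilter(). A downstream filter,
            // servlet or JSP might call getSession() and reset the idle timer.
            // Nothing here reads the session, so the timer is untouched.
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            response.setHeader("Cache-Control", "no-store");
            return;
        }
        chain.doFilter(req, res);
    }

    /** True for /ajaxPing and anything under it, relative to the context path. */
    static boolean isPing(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }
        return path.equals(PING_PATH) || path.startsWith(PING_PATH + "/");
    }

    @Override
    public void destroy() {
    }
}
```

Keep the filter mapping as narrow as the ping path itself; mapping it to /* would make the startsWith check the only thing standing between every request and the early return.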


Re: how to connect to datasource

2011-11-09 Thread chris derham
 may I know how to connect to the datasource automatically if my DB machine
 is restarted?? Is there any specific parameter to connect to the datasource
 automatically??


How does the existing app connect to the database? Can you show the code
please - remove any sensitive passwords

Thanks

Chris

