RE: tomcat 6 database pooling, DataSource returning NULL connection
> From: Lucas Vickers [mailto:lucasvick...@gmail.com]
> Subject: Re: tomcat 6 database pooling, DataSource returning NULL
> connection
>
> I refreshed the config file and I am still getting NULL connections
> to my database.

Just for completeness, check the security policy in the JRE/JDK you're using. If someone has modified this in a restrictive fashion, your changes to catalina.policy may have overridden them and allowed normal operation. The default policy is located in jre/lib/security/java.policy; there may be an additional policy file in ${user.home}/.java.policy. These locations are specified in jre/lib/security/java.security; check that that file has not been modified.

If you do find anything odd in the above files, you might want to reinstall the JRE/JDK, just to make sure something else hasn't been fiddled with.

 - Chuck

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
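One way to run the check described in the reply above, added here as an example and not part of the original message, Tomcat or the JDK. The function names are hypothetical, the sample files are constructed, and the stock `policy.url` pair is the one an unmodified Sun JRE 6 `java.security` ships with.

```shell
#!/bin/sh
# Audit which policy files a JRE loads, using the locations named in the reply.
# STOCK_1 and STOCK_2 are the policy.url entries of an unmodified Sun JRE 6
# java.security; function names and the sample files are illustrative.

STOCK_1='file:${java.home}/lib/security/java.policy'
STOCK_2='file:${user.home}/.java.policy'

# Print each active (uncommented) policy.url.N value of a java.security file.
policy_urls() {
    sed -n 's/^[[:space:]]*policy\.url\.[0-9][0-9]*[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//'
}

# Print policy.url values other than the stock pair; exit status 0 if any.
unexpected_policy_urls() {
    policy_urls "$1" | grep -v -x -F -e "$STOCK_1" -e "$STOCK_2"
}

# One line per grant block: its header and how many permissions it holds, for
# comparison with a known-good copy. Expects "grant ... {" on a single line.
grant_summary() {
    awk '
        /^[ \t]*\/\// { next }                      # skip // comment lines
        /^[ \t]*grant/ {
            hdr = $0
            sub(/[ \t]*[{][ \t]*$/, "", hdr)        # drop the trailing "{"
            sub(/^[ \t]*/, "", hdr)
            n = 0; in_grant = 1; next
        }
        in_grant && /^[ \t]*permission[ \t]/ { n++ }
        in_grant && /^[ \t]*[}][ \t]*;/ {
            print hdr ": " n " permission(s)"; in_grant = 0
        }
    ' "$1"
}

# Audit one JRE home (the directory holding lib/security). The optional second
# argument is the user home to look in; it defaults to $HOME.
# Returns 0 when only stock policy locations are configured, 1 otherwise.
audit_jre() {
    sec="$1/lib/security/java.security"
    home=${2:-$HOME}
    [ -r "$sec" ] || { echo "cannot read $sec"; return 2; }
    extra=$(unexpected_policy_urls "$sec" || true)
    if [ -n "$extra" ]; then
        echo "$extra" | sed 's/^/non-stock policy.url: /'
    fi
    for f in "$1/lib/security/java.policy" "$home/.java.policy"; do
        if [ -f "$f" ]; then
            echo "== $f"
            grant_summary "$f"
        fi
    done
    [ -z "$extra" ]
}

# Constructed sample: a java.security with one extra policy location and a
# small java.policy. Neither is copied from a real JRE.
make_policy_sample() {
    mkdir -p "$1/lib/security"
    cat > "$1/lib/security/java.security" <<'EOF'
# constructed sample
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
policy.url.3=file:/tmp/extra.policy
#policy.url.4=file:/ignored
EOF
    cat > "$1/lib/security/java.policy" <<'EOF'
// constructed sample
grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.security.AllPermission;
};
grant {
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
};
EOF
}

# With an argument, audit that JRE home; without one, audit the sample.
if [ $# -gt 0 ]; then
    audit_jre "$1" || echo "review the entries above"
else
    demo=$(mktemp -d) && make_policy_sample "$demo" &&
        { audit_jre "$demo" "$demo/home" || true; }
    rm -rf "$demo"
fi
```

For a JDK install, pass the `jre` directory inside it, since that is where `lib/security` lives.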
Re: Converting to container based security.
On 19/7/09 18:52, Bill Davidson wrote:
> Mark Thomas wrote:
>> Alternatively, you could use a database view to present the two sets of
>> users as a single table.
>
> What about duplicated user names between the two sides?

That might not be an issue if admin users don't use the public site, and vice versa. Be better to avoid that if possible though. Can you reassign admin user names?

> There's also the need to make sure that the admin side servlets are not
> accessible to the public side and vice versa and that the public side
> servlets are accessible without authentication but the admin side
> servlets are not.

Container auth uses configurable roles to set authorization, which would handle this eventuality. Just set up two different security-constraint's.

p
RE: [OT] Apache httpd prefork versus worker MPM
James Abley wrote:
> mgainty wrote:
>> the inherent problem with multi-threaded model vs prefork n processes
>>
>> http://blog.zakame.net/tips/apache2-worker-lowmem
>>
>> http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Apache/Q_24192924.html
>>
>> rule seems to be more than 1 CPU go with worker
>> 1 CPU go with MPM
>>
>> once you set your path on Worker all modules and all binaries under
>> Apache have to be multi-threaded
>>
>> YMMV
>>
>> Martin
>>
>>> Date: Fri, 17 Jul 2009 21:17:51 -0400
>>> From: ch...@christopherschultz.net
>>> To: users@tomcat.apache.org
>>> Subject: [OT] Apache httpd prefork versus worker MPM
>>>
>>> All,
>>>
>>> I've been working with Apache httpd and Tomcat together with mod_jk for
>>> about 10 years, and I've always been using the prefork MPM. I'm setting
>>> up a new development server with Debian Lenny and apt-get prefers to
>>> install the worker MPM. I can definitely install the prefork MPM if I
>>> want, but I figured I'd take this opportunity to ask about the worker
>>> MPM.
>>>
>>> Has anyone had any configuration problems when using the worker MPM? Any
>>> performance problems? The worker MPM is advertised as "high-performance"
>>> and I was wondering if it would be a PITA to use or anything like that.
>>>
>>> If the worker MPM really is higher performance, I'd prefer to use that,
>>> but only if there are no big gotchas that anyone can think of.
>>>
>>> I'd appreciate some feedback from folks that have used both the prefork
>>> and worker MPMs at one point, and might be able to comment on their
>>> different experiences.
>>>
>>> Thanks,
>>> -chris
>
> My reading of it, which someone else on this list might be able to
> confirm, is that using mod_jk with worker MPM can potentially give lower
> memory usage on the machine.
>
> e.g.
>
> with
>
> StartServers 8
> MinSpareServers 5
> MaxSpareServers 20
> ServerLimit 256
> MaxClients 256
> MaxRequestsPerChild 4000
>
> That will potentially create 256 httpd processes, each consuming 10MB or
> so.
>
> Alternatively,
>
> StartServers 2
> MaxClients 250
> MinSpareThreads 25
> MaxSpareThreads 75
> ThreadsPerChild 25
> MaxRequestsPerChild 0
>
> That will potentially create 10 httpd processes, each capable of handling
> 25 requests. Assume that each process needs 30MB (I don't think it would,
> but I haven't measured it recently). The reduced memory requirement for
> this configuration might be a very attractive option for some
> environments.
>
> This assumes that mod_jk is thread-safe and doesn't suffer from the known
> problems with non-thread-safe modules in worker MPM. Can anyone confirm
> that's true?
>
> Cheers,
>
> James

Answering my own question; from the docs, it looks like mod_jk is built by default to be thread-safe, and you need to switch that off using the --enable-prefork option at build time. [1]

[1] http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html#configure%20arguments
RE: [OT] Apache httpd prefork versus worker MPM
mgainty wrote:
> the inherent problem with multi-threaded model vs prefork n processes
>
> http://blog.zakame.net/tips/apache2-worker-lowmem
>
> http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Apache/Q_24192924.html
>
> rule seems to be more than 1 CPU go with worker
> 1 CPU go with MPM
>
> once you set your path on Worker all modules and all binaries under Apache
> have to be multi-threaded
>
> YMMV
>
> Martin
>
>> Date: Fri, 17 Jul 2009 21:17:51 -0400
>> From: ch...@christopherschultz.net
>> To: users@tomcat.apache.org
>> Subject: [OT] Apache httpd prefork versus worker MPM
>>
>> All,
>>
>> I've been working with Apache httpd and Tomcat together with mod_jk for
>> about 10 years, and I've always been using the prefork MPM. I'm setting
>> up a new development server with Debian Lenny and apt-get prefers to
>> install the worker MPM. I can definitely install the prefork MPM if I
>> want, but I figured I'd take this opportunity to ask about the worker
>> MPM.
>>
>> Has anyone had any configuration problems when using the worker MPM? Any
>> performance problems? The worker MPM is advertised as "high-performance"
>> and I was wondering if it would be a PITA to use or anything like that.
>>
>> If the worker MPM really is higher performance, I'd prefer to use that,
>> but only if there are no big gotchas that anyone can think of.
>>
>> I'd appreciate some feedback from folks that have used both the prefork
>> and worker MPMs at one point, and might be able to comment on their
>> different experiences.
>>
>> Thanks,
>> -chris

My reading of it, which someone else on this list might be able to confirm, is that using mod_jk with worker MPM can potentially give lower memory usage on the machine.

e.g.

with

StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000

That will potentially create 256 httpd processes, each consuming 10MB or so.

Alternatively,

StartServers 2
MaxClients 250
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0

That will potentially create 10 httpd processes, each capable of handling 25 requests. Assume that each process needs 30MB (I don't think it would, but I haven't measured it recently). The reduced memory requirement for this configuration might be a very attractive option for some environments.

This assumes that mod_jk is thread-safe and doesn't suffer from the known problems with non-thread-safe modules in worker MPM. Can anyone confirm that's true?

Cheers,

James
--
View this message in context: http://www.nabble.com/-OT--Apache-httpd-prefork-versus-worker-MPM-tp24543852p24559610.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: Converting to container based security.
Mark Thomas wrote:
> Alternatively, you could use a database view to present the two sets of
> users as a single table.

What about duplicated user names between the two sides?

There's also the need to make sure that the admin side servlets are not accessible to the public side and vice versa and that the public side servlets are accessible without authentication but the admin side servlets are not.
Re: Converting to container based security.
Pid wrote:
> There is/was a multi realm, but I think it's intended for use with an
> SSL cert & Form auth combination.

No. Realms do not care about the authentication mechanism.

The new (in 6.0.20) CombinedRealm [1] could be used to merge two DataSourceRealms. A combined Realm will work with *any* authentication mechanism.

Alternatively, you could use a database view to present the two sets of users as a single table.

[1] http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html

Mark
Re: tomcat 6 database pooling, DataSource returning NULL connection
Lucas Vickers wrote:
> I see now. thanks
>
> I refreshed the config file and I am still getting NULL connections to my
> database.
>
> Does anyone on this list have any interest in being hired as a consultant?
> At this point I have a strange catalina.policy security issue (which may or
> may not be a problem) and this database issue.

http://wiki.apache.org/tomcat/SupportAndTraining

Both of those companies employ Tomcat committers.
(full disclosure - I work for SpringSource)

Mark

> Lucas
>
> On Sat, Jul 18, 2009 at 9:24 PM, Caldarale, Charles R <
> chuck.caldar...@unisys.com> wrote:
>
>>> From: Lucas Vickers [mailto:lucasvick...@gmail.com]
>>> Subject: Re: tomcat 6 database pooling, DataSource returning NULL
>>> connection
>>>
>>> I am doing a static install and restarting my tomcat each time I
>>> make a file change, so I do not think this is the issue.
>>
>> Actually, that's exactly the procedure that can cause the problem. When
>> the webapp is first loaded, Tomcat copies the webapp's META-INF/context.xml
>> file to conf/Catalina/[host]/[appName].xml. As long as the
>> conf/Catalina/[host]/[appName].xml file exists, it will override the one in
>> META-INF/context.xml. Proper undeployment will remove the copied
>> element; just copying over a new version of the webapp will not.
>>
>> - Chuck
Re: tomcat 6 - setting classpath
We ran into an exact same problem. Our workaround hack classpath.bat and classpath.sh works perfectly. I also considered running down the ClassLoader route. That also works but it felt more wrong.

I was just going to ask what the accepted way of doing this was but I think I've got my answer.

Regards,

Wesley Acheson

On Wed, Jun 17, 2009 at 8:38 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Tom,
>
> On 6/17/2009 7:43 AM, Tom Brown wrote:
> > it is only configuration files - no jar changes.
>
> If your code uses getResourceAsStream(), then the classpath will be
> checked. The webapp's classpath will essentially be
> WEB-INF/classes:WEB-INF/lib:CATALINA_BASE/lib:JAVA_HOME/rt.jar
>
> So, putting your configuration files in CATALINA_BASE/lib should do it,
> unless you have those same configuration files in WEB-INF/classes (or a
> JAR in WEB-INF/lib) already, which it sounds like you /do/.
>
> Mikolaj's suggestion of using a custom classloader might be your only
> option, unless you can change your code to load the configuration files
> from a pre-defined location (or, even better, from a location specified
> in web.xml!).
>
> Note that your first solution was to modify web.xml which would, in
> turn, modify the WAR file. So, how was that one going to work?
>
> -chris
Re: tomcat 6 database pooling, DataSource returning NULL connection
I see now. thanks

I refreshed the config file and I am still getting NULL connections to my database.

Does anyone on this list have any interest in being hired as a consultant? At this point I have a strange catalina.policy security issue (which may or may not be a problem) and this database issue.

Lucas

On Sat, Jul 18, 2009 at 9:24 PM, Caldarale, Charles R <
chuck.caldar...@unisys.com> wrote:

> > From: Lucas Vickers [mailto:lucasvick...@gmail.com]
> > Subject: Re: tomcat 6 database pooling, DataSource returning NULL
> > connection
> >
> > I am doing a static install and restarting my tomcat each time I
> > make a file change, so I do not think this is the issue.
>
> Actually, that's exactly the procedure that can cause the problem. When
> the webapp is first loaded, Tomcat copies the webapp's META-INF/context.xml
> file to conf/Catalina/[host]/[appName].xml. As long as the
> conf/Catalina/[host]/[appName].xml file exists, it will override the one in
> META-INF/context.xml. Proper undeployment will remove the copied
> element; just copying over a new version of the webapp will not.
>
> - Chuck
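The override described in the quoted reply above can be checked mechanically. The following is an added example, not part of the thread or of Tomcat: it assumes expanded webapps under `$CATALINA_BASE/webapps`, the function names are hypothetical, and the sample tree (webapp `shop`, host `localhost`, the JDBC URLs) is constructed.

```shell
#!/bin/sh
# Find webapps whose META-INF/context.xml no longer matches the copy Tomcat
# keeps under conf/Catalina/<host>/<app>.xml (the copy is the one in effect).
# Assumes the default layout: expanded webapps under $CATALINA_BASE/webapps.

# Print "<app> <copy>" for each webapp whose deployed copy differs.
stale_contexts() {
    base=$1
    for src in "$base"/webapps/*/META-INF/context.xml; do
        [ -f "$src" ] || continue
        app=$(basename "${src%/META-INF/context.xml}")
        for copy in "$base"/conf/Catalina/*/"$app".xml; do
            [ -f "$copy" ] || continue
            cmp -s "$src" "$copy" || echo "$app $copy"
        done
    done
}

# Show what differs, so the settings really in effect are visible:
# "<" lines come from the copy in use, ">" lines from the webapp's own file.
report_drift() {
    stale_contexts "$1" | while read -r app copy; do
        echo "== $app: $copy overrides webapps/$app/META-INF/context.xml"
        diff "$copy" "$1/webapps/$app/META-INF/context.xml" || true
    done
}

# Constructed sample: webapp "shop" was updated in place, old copy left behind.
make_tomcat_sample() {
    mkdir -p "$1/webapps/shop/META-INF" "$1/conf/Catalina/localhost"
    cat > "$1/conf/Catalina/localhost/shop.xml" <<'EOF'
<Context>
  <Resource name="jdbc/shop" type="javax.sql.DataSource"
            url="jdbc:mysql://olddb.example.invalid/shop"/>
</Context>
EOF
    sed 's/olddb/newdb/' "$1/conf/Catalina/localhost/shop.xml" \
        > "$1/webapps/shop/META-INF/context.xml"
}

# With an argument, check that CATALINA_BASE; without one, check the sample.
if [ $# -gt 0 ]; then
    report_drift "$1"
else
    demo=$(mktemp -d) && make_tomcat_sample "$demo" && report_drift "$demo"
    rm -rf "$demo"
fi
```

Any copy it lists is the configuration Tomcat is applying, whatever the webapp's own `META-INF/context.xml` now says.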
Re: Tomcat 6 database pooling causes HttpServlet class not found exception
I am starting using:
catalina.sh start

stopping with
catalina.sh stop

I don't even have a lib directory in my WEB-INF, just my class file :(

Does anyone on this list have any interest in being hired as a consultant? At this point I have this security issue (which may or may not be a problem) and a database memory leak that I can not figure out. Database pooling may be a fix for that but I can not get that working either.

Lucas

On Sun, Jul 19, 2009 at 7:02 AM, Pid wrote:

> On 19/7/09 05:13, Lucas Vickers wrote:
>
>> For what it's worth.
>>
>> Every now and then tomcat throws that exception again.
>> I then shut down tomcat, touch the .policy file, start tomcat, and it
>> works.
>
> Are you using a repackaged Tomcat or have you downloaded and installed it
> yourself?
>
> How, exactly, are you starting and stopping it?
>
> The permissions below shouldn't need setting, even if you're running a
> SecurityManager. Not my area of expertise, but if this is the fix,
> something else, somewhere, is horribly wrong.
>
> Don't forget to check that you're not ending up with a servlet-api.jar (or
> something similar, with the contained classes) in your webapp/WEB-INF/lib.
>
> Ending up with javax.servlet.* classes actually inside your webapp will
> cause all manner of fail conditions.
>
> p
>
> On Sat, Jul 18, 2009 at 9:29 PM, Lucas Vickers wrote:
>
>>> // == WEB APPLICATION PERMISSIONS =
>>>
>>> // These permissions are granted by default to all web applications
>>> // In addition, a web application will be given a read FilePermission
>>> // and JndiPermission for all files and directories in its document root.
>>> grant {
>>> ...
>>>
>>> // Needed for TABS
>>> permission java.util.PropertyPermission "org.apache.tomcat.dbcp.*", "read";
>>> permission java.util.PropertyPermission "javax.servlet.*", "read";
>>> permission java.util.PropertyPermission "javax.servlet.http.*", "read";
>>>
>>> was added. I tested by commenting out and then uncommenting. Works when
>>> it's not commented out.
>>>
>>> I run using "catalina.sh start"
>>>
>>> if commented out, I get:
>>>
>>> HTTP Status 500 -
>>>
>>> *type* Exception report
>>>
>>> *message*
>>>
>>> *description* *The server encountered an internal error () that prevented
>>> it from fulfilling this request.*
>>>
>>> *exception*
>>>
>>> javax.servlet.ServletException: Error allocating a servlet instance
>>>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>>>     org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
>>>     org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>     org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
>>>     java.lang.Thread.run(Thread.java:619)
>>>
>>> *root cause*
>>>
>>> java.lang.NoClassDefFoundError: javax/servlet/http/HttpServlet
>>>     java.lang.ClassLoader.defineClass1(Native Method)
>>>     java.lang.ClassLoader.defineClass(ClassLoader.java:621)
>>>     java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
>>>     java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
>>>     java.net.URLClassLoader.access$000(URLClassLoader.java:56)
>>>     java.net.URLClassLoader$1.run(URLClassLoader.java:195)
>>>     java.security.AccessController.doPrivileged(Native Method)
>>>     java.net.URLClassLoader.findClass(URLClassLoader.java:188)
>>>     java.lang.ClassLoader.loadClass(ClassLoader.java:307)
>>>     sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
>>>     java.lang.ClassLoader.loadClass(ClassLoader.java:252)
>>>     org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1302)
>>>     org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
>>>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>>>     org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
>>>     org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>     org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
>>>     java.lang.Thread.run(Thread.java:619)
>>>
>>> *root cause*
>>>
>>> java.lang.ClassNotFoundException: javax.servlet.http.HttpServlet
>>>     java.net.URLClassLoader$1.run(URLClassLoader.java:200)
>>>     java.security.AccessController.doPrivileged(Native Method)
>>>     java.net.URLClassLoader.findClass(URLClassLoader.java:188)
>>>     java.lang.ClassLoader.loadClass(ClassLoader.java:307)
>>>     sun.misc.Launcher$App
osgi plugin for tomcat 6.0.18
Hi,

An osgi plugin for tomcat-6.0.18 is now available to use.

Key Features:
- Full compatibility with tomcat
- No more complex configuration for osgi environment
- No more huge war packages as it supports deploying osgi applications from repository by a deployment description file

Reference guide online: http://extwind.googlecode.com/svn/doc/extwind/reference/reference.htm
Google group: http://groups.google.com/group/extwind

--
Regards,
Donf Yang
--
To be surprised, to wonder, is to begin to understand.
Re: Tomcat 6 database pooling causes HttpServlet class not found exception
On 19/7/09 05:13, Lucas Vickers wrote:
> For what it's worth.
>
> Every now and then tomcat throws that exception again.
> I then shut down tomcat, touch the .policy file, start tomcat, and it works.

Are you using a repackaged Tomcat or have you downloaded and installed it yourself?

How, exactly, are you starting and stopping it?

The permissions below shouldn't need setting, even if you're running a SecurityManager. Not my area of expertise, but if this is the fix, something else, somewhere, is horribly wrong.

Don't forget to check that you're not ending up with a servlet-api.jar (or something similar, with the contained classes) in your webapp/WEB-INF/lib.

Ending up with javax.servlet.* classes actually inside your webapp will cause all manner of fail conditions.

p

> On Sat, Jul 18, 2009 at 9:29 PM, Lucas Vickers wrote:
>
>> // == WEB APPLICATION PERMISSIONS =
>>
>> // These permissions are granted by default to all web applications
>> // In addition, a web application will be given a read FilePermission
>> // and JndiPermission for all files and directories in its document root.
>> grant {
>> ...
>>
>> // Needed for TABS
>> permission java.util.PropertyPermission "org.apache.tomcat.dbcp.*", "read";
>> permission java.util.PropertyPermission "javax.servlet.*", "read";
>> permission java.util.PropertyPermission "javax.servlet.http.*", "read";
>>
>> was added. I tested by commenting out and then uncommenting. Works when
>> it's not commented out.
>>
>> I run using "catalina.sh start"
>>
>> if commented out, I get:
>>
>> HTTP Status 500 -
>>
>> *type* Exception report
>>
>> *message*
>>
>> *description* *The server encountered an internal error () that prevented
>> it from fulfilling this request.*
>>
>> *exception*
>>
>> javax.servlet.ServletException: Error allocating a servlet instance
>>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>>     org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
>>     org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>     org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
>>     java.lang.Thread.run(Thread.java:619)
>>
>> *root cause*
>>
>> java.lang.NoClassDefFoundError: javax/servlet/http/HttpServlet
>>     java.lang.ClassLoader.defineClass1(Native Method)
>>     java.lang.ClassLoader.defineClass(ClassLoader.java:621)
>>     java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
>>     java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
>>     java.net.URLClassLoader.access$000(URLClassLoader.java:56)
>>     java.net.URLClassLoader$1.run(URLClassLoader.java:195)
>>     java.security.AccessController.doPrivileged(Native Method)
>>     java.net.URLClassLoader.findClass(URLClassLoader.java:188)
>>     java.lang.ClassLoader.loadClass(ClassLoader.java:307)
>>     sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
>>     java.lang.ClassLoader.loadClass(ClassLoader.java:252)
>>     org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1302)
>>     org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
>>     org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>     org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
>>     org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
>>     org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>     org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
>>     java.lang.Thread.run(Thread.java:619)
>>
>> *root cause*
>>
>> java.lang.ClassNotFoundException: javax.servlet.http.HttpServlet
>>     java.net.URLClassLoader$1.run(URLClassLoader.java:200)
>>     java.security.AccessController.doPrivileged(Native Method)
>>     java.net.URLClassLoader.findClass(URLClassLoader.java:188)
>>     java.lang.ClassLoader.loadClass(ClassLoader.java:307)
>>     sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
>>     java.lang.ClassLoader.loadClass(ClassLoader.java:252)
>>     java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
>>     java.lang.ClassLoader.defineClass1(Native Method)
>>     java.lang.ClassLoader.defineClass(ClassLoader.java:621)
>>     java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
>>     java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
>>     java.net.URLClassLoader.access$000(URLClassLoader.java:56)
>>     java.net.URLClassLoader$1.run(URLClassLoader.java:195)
>>     java.security.AccessController.doPrivileged(Native Method)
>>     java.net.URLClassLoader.findClass(URLClassLoader.java:188)
>>     java.lang.ClassLoader.loadClass(ClassLoader.java:307)
>>     sun.misc.Launcher$AppClass
Re: Converting to container based security.
On 19/7/09 04:56, Bill Davidson wrote:
> Tomcat 6.0.18
> Java 1.6.0_14
> RedHat 5.2 Server
> Oracle 10g
>
> I've got an old web app that was originally spec'd in 1999. Last year,
> I got it migrated from Tomcat 3.2.4 to 6.0.16 and more recently from
> Java 1.4.2 to 1.6. I'm gradually trying to modernize it. I just
> converted from using an old database connection pool library from that
> period to using a DataSource managed by Tomcat/DBCP (which was
> surprisingly easy).
>
> Now I want to tackle container based security. The app currently manages
> its own security. It's all servlets which do a little session magic on
> their own. The login servlet hits the database where the user names and
> password are. I want to start using JSP and/or maybe JSF, which is part
> of the reason I want to go to container based security.
>
> I'm thinking that the login.jsp can be set up with a bean to massage the
> session so that old servlets will still be satisfied that the session is
> legit.
> Newer servlets can dispense with that security and older ones can have it
> taken out gradually over time (over 200 of them).

A servlet Filter that checks for the presence of the bean, (loads it if missing by checking the contents of the UserPrincipal), would be less intrusive and you can just remove it when all Servlets are updated.

> While it's actually just one web app, conceptually, it's two. There's
> one side which is an administrative side, and another for the general
> public. Some servlets are used by one side, other servlets are used by
> the other. They all use the same database, and share a lot of the same
> objects and data, however the user names and passwords are in different
> database tables. Also, the public side can be used anonymously (no need
> to log in). Login mainly gives the public side the ability to store
> preferences so that it doesn't need to be re-entered and keep track of
> history.

Two Filters, if necessary, as they can be applied by selecting different classes. Hopefully your sub-apps operate on different paths.

> I've been going over the realm documentation, and it's a little
> confusing. I think that I'm actually going to need two realms, one for
> each side (remember that they use different tables). I'm not exactly
> sure how to set that up.

There is/was a multi realm, but I think it's intended for use with an SSL cert & Form auth combination.

Check the source of the latest release:

http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/java/org/apache/catalina/realm/CombinedRealm.java

You may be able to exploit this to do what you need.

> I'd like to use a DataSourceRealm, using the DataSource I've already set
> up, however I've also got the problem that the programmers who set this
> up stored the passwords UNIX/Linux style with a Java implementation of
> crypt(3), which doesn't seem to be one of the options for MessageDigest.
> I hope I'm wrong about that. Given how common it is in the UNIX/Linux
> world, I'd think that would be a good one to have (and please don't tell
> me that it's not that secure -- that's not the point -- this is a
> compatibility issue). Does this mean I'm going to need to write my own
> custom realm? That looks fairly confusing too.

(Hopefully you've got a dev environment.)

Start with a repackaged version of DataSourceRealm and make minimal changes to encrypt the password before sending it to the DB for matching.

Modifying the realm a bit shouldn't be too tricky, find the method that sends the password to the DB to do the auth. If you've got code for the crypt implementation it may just be worth bunging it into a static utility & encrypting the password manually, inside the realm - just to get it working initially, so you can prove that it will work.

> Can someone please point me at a good overall strategy for how to tackle
> all of this, given these constraints? I've only spent a few hours trying
> to go through the docs but I'm feeling a bit overwhelmed and really need
> some perspective.

Configure container based security.
Get one Realm working for 1 part of the app.
Add a Filter to handle the unmodified servlets.
Add the Combined realm.

p