Happy Birthday, Chuck!
Hi Chuck,

thanks again for your valuable comments on this list, and keep it up!

Cheers!
Gregor

--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 3DB13F197F8A0360814885D1F1F1E2EFAD509AFD
skype:rc46fi
gplus.to/gregor
twitter.com/#/2smart4u

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problems w/ TLS (record-splitting)
Hi Chris,

first, thanks for your answer.

Since this is a *sic* "managed server", I don't have root-access, so I can only guess regarding the version of the APR (it's the one from the packages, but AFAIK the APR has been stable for quite a while, so I assume it should be the latest one).

As for the connector, I'm using the http-connector with OpenSSL-extension as described here: http://tomcat.apache.org/tomcat-6.0-doc/apr.html

I'm using mainly the defaults apart from the SSL-cert-filenames. Unfortunately I can post the complete connector-def tomorrow earliest since I'm not in the office any more, but will do as soon as I'm on my desk.

Thanks
Gregor
Problems w/ TLS (record-splitting)
Hi guys,

I know, it's actually not a Tomcat-problem, but I was wondering if one of those gurus hanging around in this mailing-list could give me a hint on how to handle this problem.

As some of you might be aware, Firefox (from version 9.x on) cannot handle TLS-records which are served from a server if they are split into multiple parts. This behaviour is documented here: https://bugzilla.mozilla.org/show_bug.cgi?id=702111

Since some of our clients are using Firefox, I just can't lean back and tell them "well, that's a Firefox-bug, get a decent browser" - unfortunately.

We are using Apache Tomcat 6.0.24 on Scientific Linux release 6.2 (Carbon), Tomcat is running as a daemon via jsvc, and Tomcat is using the Apache Portable Runtime (APR).

I went through all docs I could find on the net, hoping there was some screw I could turn to switch off TLS record splitting on the server side, but I couldn't find anything.

Our scenario is as follows:
- SSL connection
- user is prompted for ID / password via FormLogin (j_security_check)

And then we get the message "The connection was reset" / "The connection to the server was reset while the page was loading."

Does any of you guys have an idea if there is any Tomcat configuration-parameter I could try to overcome this behaviour? IE and Chrome (both, all versions) are working like a charm.

Thanks in advance!
Gregor
Re: is there any default username for tomcat?
On Fri, Jan 6, 2012 at 3:59 PM, Caldarale, Charles R wrote:
>> From: charan raj [mailto:charanraj...@gmail.com]
>> Subject: Re: is there any default username for tomcat?
>
> Is it a full moon?
>

Over there: Definitely YES.

Cheers
Gregor
Re: Can't get APR running w/ Tomcat 6.0.33 (Debian)
Chris,

On Tue, Dec 20, 2011 at 9:25 PM, Christopher Schultz wrote:
>
> That's an interesting academic question: would "the stock market"
> provide enough entropy?

when looking at my small portfolio becoming smaller and smaller and converging towards zero and postulating that entropy ~ coincidence, there's only one answer to that question: DEFINITELY!

*grumble*

Gregor
Re: Can't get APR running w/ Tomcat 6.0.33 (Debian)
Hi Chris,

On Tue, Dec 20, 2011 at 7:43 PM, Christopher Schultz wrote:
> Yeah, it's a question of faster startup or "better" entropy.
> Everything is PRNGs, anyway. If you want real entropy, you have to
> listen to cosmic background radiation or something.

Now *that* sounds interesting: How do I configure Tomcat to generate entropy by listening to cosmic radiation? Couldn't find anything about this in the docs... ;)

> Do you have an OpenSSL crypto provider that you'd like to use
> *besides* the software-based one? If so, that's where you'd specify it.

Nope, we're just using plain OpenSSL here. I was just a bit afraid that the entropy generated by /dev/urandom might be a bit weak. JFC also told me that builtin == OpenSSL when the APR is linked against OpenSSL.

So all my questions have been answered, my installation is working, and I have to give some big KUDOS to everybody involved here - thank you, guys!

Gregor
Re: Can't get APR running w/ Tomcat 6.0.33 (Debian)
This time, it's great some of the guys are on Google+. Thanks to +Jean-Frederic Clere, I changed the listener-definition to and it's working now.

Ok, it's not the best solution since AFAIK /dev/urandom is not the most secure implementation, but at least it's working now.

When reading the docs, I noticed that I also can specify the SSLEngine to be used. The default one is the built-in engine when specifying SSLEngine="on". Now I'm wondering: When I compiled the APR against OpenSSL, is OpenSSL the one being used when I specify "SSLEngine="on""? Or do I have to specify something like "SSLEngine=/usr/bin/openssl""? Couldn't find anything on this topic in the docs.

My hopes are that OpenSSL is NOT the built-in engine and, if I can specify OpenSSL as the engine to be used, I don't have to tweak Tomcat into using /dev/urandom. But I'm afraid OpenSSL in my case equals the built-in engine.

Comments on this anyone?

Cheers
Gregor
Re: Can't get APR running w/ Tomcat 6.0.33 (Debian)
Ok, here's some news:

When using the APR without SSL by changing the attribute of AprLifecycleListener to it's working.

My SSL-version is:

OpenSSL> version
OpenSSL 0.9.8c 05 Sep 2006

According to the docs (http://tomcat.apache.org/tomcat-6.0-doc/apr.html) this should be fine.

Anybody got any idea how to proceed? Jean-Frederic suggested to use "urandom" - how can I configure this?

TIA
Gregor
Re: Can't get APR running w/ Tomcat 6.0.33 (Debian)
Hi André,

that's a good idea trying the APR w/o SSL, I'll give it a try pretty soon. Still, we do need SSL (personal data, we're obliged by law), but that might give me a clue at what to look at.

Updating Java and the OS unfortunately (big, big sigh) is not an option, at least for the next few months (kudos for that go, as always, to our management).

I'll post the results in here.

Cheers!
Gregor
Can't get APR running w/ Tomcat 6.0.33 (Debian)
Hi guys,

I'm a bit desperate: I'm trying to re-organize our "pet" Tomcat within the following environment:

Using CATALINA_BASE:   /home/tomcat/local/apache-tomcat-6.0.33
Using CATALINA_HOME:   /home/tomcat/local/apache-tomcat-6.0.33
Using CATALINA_TMPDIR: /home/tomcat/local/apache-tomcat-6.0.33/temp
Using JRE_HOME:        /home/tomcat/local/jdk15/
Using CLASSPATH:       /home/tomcat/local/apache-tomcat-6.0.33/bin/bootstrap.jar
Server version: Apache Tomcat/6.0.33
Server built:   Aug 16 2011 02:16:34
Server number:  6.0.33.0
OS Name:        Linux
OS Version:     2.6.18-6-amd64 (Debian 4.0 Etch)
Architecture:   amd64
JVM Version:    1.5.0_10-b03
JVM Vendor:     Sun Microsystems Inc.

I know it's a very outdated version of Debian, still, we do not have any option yet to upgrade it. However, we need to get Tomcat6 there up & running, and since it's not within the Debian repositories for this version, I downloaded a vanilla Tomcat 6.0.33. We also need to run Tomcat with the APR (Apache Portable Runtime).

I compiled tomcat-native-1.1.20 (configure, make, make install), and everything looked great so far: No error-messages.

When I run Tomcat WITHOUT the APR-listener, Tomcat starts up. Still, when using the APR-listener, Tomcat just doesn't initialize the HTTP-connector. When I run Tomcat using the jsvc-daemon, it simply fails w/o giving me any reason. Only when shutting down Tomcat, the jsvc daemon will shut Tomcat down, but will exit with an error 143.

When I'm running Tomcat w/o the daemon, the same thing happens, still, with slightly different information. It just tells me that the APR is loaded and then hangs. This is the info from catalina.out when running w/o the jsvc-daemon:

Listening for transport dt_socket at address: 7002
Dec 20, 2011 4:26:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
Dec 20, 2011 4:26:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].

As you can see, the message that the HTTP-connector is initialized is missing.

My connector in $CATALINA_HOME/conf/server.xml looks like (removed some valves to improve readability):

=
[ ... ]
www.someDomain
www1.someDomain
www.someOtherDomain
www1.someOtherDomain
=

The Tomcat-native-libs (APR) are looking good from my point of view:

tomcat@www1:~/local/apache-tomcat-6.0.33/lib$ file libtcnative-1.so.0.1.20
libtcnative-1.so.0.1.20: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), not stripped

Does anyone on this list have an idea what I could do to figure out why Tomcat simply doesn't initialize the HTTP-connectors when switching to the APR? On a different box, running a later version of Debian, but 32Bit, everything's running like a charm.

Maybe of some help, here's some debugging-output of jsvc, but I can't see any hints in it. Would really, really appreciate if somebody could give me a hint. This is the catalina.out of the jsvc-daemon:

Switching umask back to 022 from 077
user changed to 'tomcat'
Using default JVM in /home/tomcat/local/jdk1.5.0_10-amd64/jre/lib/amd64/server/libjvm.so
Attemtping to load library /home/tomcat/local/jdk1.5.0_10-amd64/jre/lib/amd64/server/libjvm.so
JVM library /home/tomcat/local/jdk1.5.0_10-amd64/jre/lib/amd64/server/libjvm.so loaded
JVM library entry point found (0x4153EFC0)
+-- DUMPING JAVA VM CREATION ARGUMENTS -
| Version: 0x010004
| Ignore Unrecognized Arguments: False
| Extra options: 9
| "-Dcatalina.home=/home/tomcat/local/apache-tomcat-6.0.33" (0x)
| "-Dcatalina.base=/home/tomcat/local/apache-tomcat-6.0.33" (0x)
| "-Djava.io.tmpdir=/tmp" (0x)
| "-Dlog4j.configuration=log4j.xml" (0x)
| "-XX:MaxPermSize=384m" (0x)
| "-Xmx2048m" (0x)
| "-Xms2048m" (0x)
| "-Djava.library.path=/home/tomcat/local/apache-tomcat-6.0.33/lib" (0x)
| "-Djava.class.path=/home/tomcat/local/jdk1.5.0_10-amd64/lib/tools.jar:/home/tomcat/local/apache-tomcat-6.0.33/bin/commons-daemon.jar:/home/tomcat/local/apache-tomcat-6.0.33/bin/bootstrap.jar:/usr/lib/" (0x)
+---
| Internal options: 4
| "-Dcommons.daemon.process.id=11761" (0x)
| "-Dcommons.daemon.process.parent=11760" (0x)
| "-Dcommons.daemon.version=1.0.7" (0x)
| "abort" (0x004072bd)
+---
Java VM created successfully
Class org/apache/commons/daemon/support/DaemonLoader found
Native methods registered
java_init done
Daemon
Re: path used for tc-native
Guys,

I feel you're seeing things way too complicated.

Chris:
> IIRC, Tomcat loads tcnative without a version number in it's name even
> when it prefers a version that is of a certain level.

I don't believe you're right, since when I upgraded Tomcat5.5 having an old version of tcnative installed, Tomcat 6 refused to start requiring a more recent version of tcnative.

André:
As I wrote on top, you can tell Catalina where to look for libtcnative. The LD_LIBRARY_PATH should do the trick, but I wouldn't set it system-wide since this variable is also requested from other processes. A change here might have impacts. Therefore, just pass it as a Java-property to Catalina and let Catalina know where to look for it: Just adapt the CATALINA_OPTS in Tomcat's startup-script:

CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=[path to where libtcnative is located]"

Doing so, you can run as many different versions of Tomcat referring to different versions of libtcnative.

Cheers!
Gregor
Re: path used for tc-native
Hi Chuck!

On Thu, Dec 15, 2011 at 5:36 PM, Caldarale, Charles R wrote:
>> From: Gregor S. [mailto:rc4...@googlemail.com]
>> Subject: Re: path used for tc-native
>
>> I guess it's a bad idea to run two different versions
>> of Tomcat on the same box.
>
> ??? Clearly that's not true - it's done all the time. Much easier when not
> using these 3rd-party repackaged corruptions...

Hm, maybe my view is too limited, but I really can't see any good reason running two different versions on the same box. What's the user-story behind this configuration? Actually, I can only think of three:

- shared hosting, where each customer gets his own Tomcat instance
  Well, I guess shared hosting is dead anyways, since if you're running a serious business: Go and get your own server - they don't cost that much

- Using 3rd party software which is bound to a certain version of a certain servlet-container
  Well, in this case, you've bought the wrong software. When we are evaluating software, and a provider tells us that he needs a certain version of Tomcat / Java / Windows / IE / ... , he can grab his stuff, and we wish him well.

- upgrading Tomcat and keeping the old version - just in case...
  Again: In times of virtualization, I have the production-machine as a VM on my laptop. I'm testing and developing there, and once it's ready, just put the image on a "real" test-server. After successful testing, the image is propagated to the production-server, meaning the old Tomcat is gone.

Still, I can see no serious reason why somebody should ask for trouble & run two different Tomcat-versions on one box - sorry. Still, you're invited to enlighten me ;)

Cheers
Gregor
Re: path used for tc-native
...and sorry for my typos, I'm kind of in a rush...
Re: path used for tc-native
Hi Chris,

On Thu, Dec 15, 2011 at 4:34 PM, Christopher Schultz wrote:
>
> I think that's a bad idea because then you have built your libtcnative
> (which can be considered Tomcat-version-specific, or at least
> Tomcat-version-sensitive) for the whole system to use and that
> essentially locks you into that version regardless of Tomcat version
> being run at the time.

True. However, I guess it's a bad idea to run two different versions of Tomcat on the same box. I don't know Andre's motivation for installing TC6, but I assumed (maybe wrongly) that he wanted to replace the old version.

However, there's a pretty solution even when running two different versions on the same box: When compiling, libtcnative goes to $CATALINA_HOME//bin/tomcat-native-1.1.20-src/jni/native/.lib (depending on the tomcat-native-version). So instead of putting it into /usr/lib, leave it at the original place and just change the CATALINA_OPTS accordingly.

Cheers!
Gregor
Re: path used for tc-native
Hi André,

On Thu, Dec 15, 2011 at 3:45 PM, André Warnier wrote:
>
> Indeed. Where have you been ?
>

either in the office or changing Junior's nappies ;)

> I am not using HTTPS, and my problem is not at the /running/ stage.
> But from the README, I got the impression that I needed OpenSSL in order to
> /compile/ tc-native. I took "OpenSSL" to mean "the OpenSSL sources" or "the
> OpenSSL headers" or something of the kind, and that's when I gave up.
> I didn't really read any further, I must admit.

Well, you don't have to use OpenSSL unless you're running https. Still, if you have OpenSSL installed, compiling is a walk in the park, and installing OpenSSL is merely a call of apt-get. Then, just enter

./configure --with-apr=/usr/bin/apr-1-config --with-ssl=/usr/lib/ --with-java-home=$JAVA_HOME

After that, make && make install, and you're all set.

Since I'm running the same configs here (Debian, Tomcat6, APR & jsvc), feel free to drop me a line, maybe I can be of some help ;)

Cheers!
Gregor
Re: path used for tc-native
Hi André,

long time no see ;)

Ok, let's try to free you from your worries: You'll only need OpenSSL if you are running a https-connector. If you don't use https, you don't need OpenSSL. And even if you want to run https, it's no big deal: apt-get install OpenSSL and you're all set.

One question still, for which I couldn't find an answer within this thread: You did compile tcnative for Tomcat6, right?

And as mentioned in the thread here, you'll have to change your LD_LIBRARY_PATH, so that it contains tcnative. In my environment here, I just adapted the CATALINA_OPTS inside the startup-script:

CATALINA_OPTS="$JPDA_OPTS -XX:MaxPermSize=384m -Xmx2048m -Xms2048m -Djava.library.path=/usr/lib"

And /usr/lib is where you put libtcnative after using libtool as recommended in the BUILDING.TXT:

dekolxrd13:/opt/apache-tomcat-6.0.33/bin# ls -l /usr/lib/libtcn*
-rw-r--r-- 1 root root 1116156  1. Dez 19:05 /usr/lib/libtcnative-1.a
-rwxr-xr-x 1 root root     928  1. Dez 19:05 /usr/lib/libtcnative-1.la
lrwxrwxrwx 1 root root      23  1. Dez 19:05 /usr/lib/libtcnative-1.so -> libtcnative-1.so.0.1.20
lrwxrwxrwx 1 root root      23  1. Dez 19:05 /usr/lib/libtcnative-1.so.0 -> libtcnative-1.so.0.1.20
-rwxr-xr-x 1 root root  790332  1. Dez 19:05 /usr/lib/libtcnative-1.so.0.1.20

HTH
Gregor

On Wed, Dec 14, 2011 at 8:57 AM, André Warnier wrote:
> Christopher Schultz wrote:
>>
>> Chuck,
>>
>> On 12/12/11 8:27 PM, Caldarale, Charles R wrote:
>>>> From: André Warnier [mailto:a...@ice-sa.com]
>>>> Subject: Re: path used for tc-native
>>>>
>>>> And if I do this, where do I put the result, in such a way that it
>>>> doesn't overwrite the existing one used by tomcat5.5 ?
>>>
>>> One would normally place it in Tomcat's bin directory, and set
>>> LD_LIBRARY_PATH or -Djava.library.path to point there. It's a bit
>>> scary (and rude) to put it in a public place.
>>
>> +1
>>
>> I think Andre's original problem wasn't with tcnative, but with
>> libapr. If you build the new tcnative dynamically-linked, then you're
>> going to have the same problem.
>>
>> Other possibilities include building everything (libapr and
>> libtcnative) and putting them into, say, CATALINA_HOME/bin. I recently
>> had a fun (read: miserable) time doing this with 2 versions of each
>> (total of 4 possibilities) along with 2 libssl versions at the same
>> time. Trying to trump the system-level libraries requires that you
>> cover all your bases, otherwise some library name (like
>> libapr.1.4.2.so) will not override /usr/lib/libapr.1.so. Make sure
>> you've got all your symlinks right :)
>>
>
> Well, yes. And that's exactly why, for the time being, I have decided to do
> without tc-native. The first line I saw in the tc-native source README was
> something like "to build, you may need OpenSSL xx .." and then I started
> getting cold feet, remembering my previous experiences going along the
> dependencies-from-hell route umpteen times before.
> And in this case, we're talking indeed about a system which already has all
> those nice symlinks all over the place..
> What is it he said ? "once you give in to the dark side of the Force,
> forever dominate you it will.."
> If apt-get is the dark side, then I guess I'm already on Darth's side.
Re: Problems with forwarding HTTP to HTTPS
Mark,

thanks for your comment and thanks for pointing me in the right direction. I guess this one is the matching excerpt from the specs:

= [snip ]
The combination of user-data-constraints that apply to a common url-pattern and http-method shall yield the union of connection types accepted by the individual constraints as acceptable connection types. A security constraint that does not contain a user-data-constraint shall combine with other user-data-constraints to cause the unprotected connection type to be an accepted connection type.
= [snap ]

As Jeffrey mentioned, I guess I'll have to bite the bullet, but before doing that, I'll try my luck writing a valve forwarding all http to https.

Still, I guess the specs do have some room for improvement here, meaning, it would be more than helpful if default settings could be specified inside the global deployment descriptor. Wondering if I'm the first person missing such a feature.

Thanks!
Gregor

On Thu, Dec 1, 2011 at 3:43 PM, Mark Thomas wrote:
> On 30/11/2011 18:32, Gregor S. wrote:
>> My understanding was, that in the global web.xml
>> ($catalina.home/conf/web.xml) the defaults are specified and promoted
>> to all webapps. But it seems as the webapp doesn't inherit the element
>> from the global web.xml if it specifies it's
>> own - my expectation was, that it inherits
>> those elements not specified inside the webapp's
>> deployment-descriptor.
>
> Your understanding is wrong.
>
> You need to read the 2.5 servlet specification, particularly section
> SRV.12.7.1.
>
> Mark
Problems with forwarding HTTP to HTTPS
Hi list,

I'm a bit puzzled. I want to forward all incoming HTTP-traffic to HTTPS. Within my $catalina.home/conf/server.xml I've specified the following connectors:

Then I specified in $catalina.home/conf/web.xml the following transport-guarantee:

Protected Context
/*
CONFIDENTIAL

In my webapp, additionally I also specified some additional security-constraints as follows:

Protected Area
/*
someuser

However, when I call the webapp using http://mywebapp.something, it is not redirected to HTTPS but the HTTP-scheme is used. However, when I remove the security-constraints from $catalina.base/conf/web.xml and change the webapp's deployment-descriptor to

Protected Area
/*
CONFIDENTIAL
domuser

it's working.

My understanding was, that in the global web.xml ($catalina.home/conf/web.xml) the defaults are specified and promoted to all webapps. But it seems as the webapp doesn't inherit the element from the global web.xml if it specifies its own - my expectation was, that it inherits those elements not specified inside the webapp's deployment-descriptor.

Is it such, that if I specify in my local webapp, the global settings in $catalina.home/conf/web.xml are always overwritten? If not - where does the inheritance start and where does it end?

My business-case is, that I do have a whole bunch of webapps which have to be re-directed to HTTPS, each of them having their own since you'll have to login to access them, and additionally multiple domains, so that changing each deployment-descriptor is giving me a major headache.

I couldn't find anything in the documentation - or let me re-phrase it: I understood it that way that each element is inherited from the global deployment-descriptor if not specified in the webapp's own deployment-descriptor.

If somebody could shed some light here or point me to the right docs, that would be great.

My configuration:

Using CATALINA_BASE:   /home/tomcat/local/apache-tomcat-6.0.33
Using CATALINA_HOME:   /home/tomcat/local/apache-tomcat-6.0.33
Using CATALINA_TMPDIR: /home/tomcat/local/apache-tomcat-6.0.33/temp
Using JRE_HOME:        /usr/lib/jvm/java-6-sun
Using CLASSPATH:       /home/tomcat/local/apache-tomcat-6.0.33/bin/bootstrap.jar
Server version: Apache Tomcat/6.0.33
Server built:   Aug 16 2011 02:16:34
Server number:  6.0.33.0
OS Name:        Linux
OS Version:     2.6.26-2-686
Architecture:   i386
JVM Version:    1.6.0_26-b03
JVM Vendor:     Sun Microsystems Inc.

I'm also using the APR, thus using OpenSSL as SSL-implementation.

TIA
Gregor
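An added illustration of the SRV.12.7.1 combination rule quoted in the reply above (this is not code from the list thread or from Tomcat): the constructed web.xml below carries both constraints from this post, the CONFIDENTIAL one for /* and the auth-only one with no user-data-constraint, and the combination over /* yields the union {CONFIDENTIAL, NONE}, so plain HTTP stays acceptable and no redirect happens. It assumes both constraints are in effect for the same url-pattern and method; the url-pattern precedence (exact, longest path prefix, extension, default) is a simplified model of the Servlet spec's matching.

```python
# Added example: models the Servlet 2.5 SRV.12.7.1 rule on constructed web.xml
# constraints. Not from the list thread or from Tomcat's own code.
import xml.etree.ElementTree as ET

# Constructed sample web.xml mirroring the post: a CONFIDENTIAL constraint for /*
# (what was put in conf/web.xml) plus the webapp's auth-only constraint, which
# carries no user-data-constraint at all.
WEBAPP_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>someuser</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

NS = {"j": "http://java.sun.com/xml/ns/javaee"}


def parse_constraints(xml_text):
    """Return [(url_patterns, http_methods, transport_guarantee)] per constraint.
    No user-data-constraint means the unprotected type, modelled here as 'NONE'."""
    out = []
    for sc in ET.fromstring(xml_text).findall("j:security-constraint", NS):
        patterns, methods = [], []
        for wrc in sc.findall("j:web-resource-collection", NS):
            patterns += [p.text.strip() for p in wrc.findall("j:url-pattern", NS)]
            methods += [m.text.strip().upper() for m in wrc.findall("j:http-method", NS)]
        tg = sc.find("j:user-data-constraint/j:transport-guarantee", NS)
        out.append((patterns, methods, tg.text.strip().upper() if tg is not None else "NONE"))
    return out


def best_pattern(constraints, path):
    """Servlet url-pattern precedence: exact, longest '/x/*' prefix, '*.ext', then '/'."""
    pats = {p for patterns, _, _ in constraints for p in patterns}
    if path in pats:
        return path
    prefixes = [p for p in pats if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-2] + "/"))]
    if prefixes:
        return max(prefixes, key=len)
    exts = [p for p in pats if p.startswith("*.") and path.endswith(p[1:])]
    if exts:
        return exts[0]
    return "/" if "/" in pats else None


def accepted_transports(constraints, path, method="GET"):
    """SRV.12.7.1: all constraints on the same url-pattern and method combine to
    the UNION of their accepted connection types, so one constraint without a
    user-data-constraint adds NONE and makes the unprotected connection acceptable."""
    pattern = best_pattern(constraints, path)
    accepted = set()
    for patterns, methods, tg in constraints:
        if pattern in patterns and (not methods or method.upper() in methods):
            accepted.add(tg)
    return accepted


def plain_http_allowed(constraints, path, method="GET"):
    """True when a plain-HTTP request is acceptable, i.e. no redirect to HTTPS happens."""
    accepted = accepted_transports(constraints, path, method)
    return not accepted or "NONE" in accepted


if __name__ == "__main__":
    cons = parse_constraints(WEBAPP_XML)
    print(accepted_transports(cons, "/index.jsp"))   # {'CONFIDENTIAL', 'NONE'}
    print(plain_http_allowed(cons, "/index.jsp"))    # True: the auth-only constraint re-opens HTTP
    fixed = [(pats, meths, "CONFIDENTIAL") for pats, meths, _ in cons]
    print(plain_http_allowed(fixed, "/index.jsp"))   # False: every constraint now demands HTTPS
```

The `fixed` list is the post's working variant, where CONFIDENTIAL is repeated inside the webapp's own constraint, so the union no longer contains the unprotected type.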