Re: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-11 Thread danch



Greg Wilkins wrote:

> 
> Jetty used to have some JNI code to call setuid on *nix so that it
> could start as root and then become another user after listening on
> port 80.
> 
> The problem here is that different JVMs use different threading models.
> Sometimes setuid only changes it for the current thread rather than the
> whole JVM.


That was my concern with that approach.


> 
> As the idea is to be secure - i.e. to know who is running as root and
> who is not, a security mechanism that is hard to understand and platform
> dependent was just not good enough.
> 
> The port mapping stuff works fine.


As long as your *NIX variant supports it, or you have a firewall 
elsewhere that does.


> 
> If that's not for you, run as root and set up a permissions file so that
> the JVM sandbox does not let servlets call native code or exec files etc.
> 


This had occurred to me, but I'm not sure that that would be sufficient 
for corp. security departments - of course, commercial servers have the 
exact same problem.

thanks,
danch




___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user



Re: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread Greg Wilkins


Jetty used to have some JNI code to call setuid on *nix so that it
could start as root and then become another user after listening on
port 80.

The problem here is that different JVMs use different threading models.
Sometimes setuid only changes it for the current thread rather than the
whole JVM.

As the idea is to be secure - i.e. to know who is running as root and
who is not, a security mechanism that is hard to understand and platform
dependent was just not good enough.

The port mapping stuff works fine.

If that's not for you, run as root and set up a permissions file so that
the JVM sandbox does not let servlets call native code or exec files etc.

cheers




-- 
Greg Wilkins<[EMAIL PROTECTED]>  GB  Phone: +44-(0)7092063462
Mort Bay Consulting Australia and UK.Mbl Phone: +61-(0)4 17786631
http://www.mortbay.com   AU  Phone: +61-(0)2 98107029





[JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread Kemp Randy-W18971

I used to follow the Orion server many months ago, before the support got super bad 
(no such problem with JBoss).  But I do remember a discussion on this, and here is a 
web site that answers this specific question:
http://www.orionsupport.com/articles/unixprocess.html


Cc: "Jason Dillon" <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>
Subject: RE: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache
Date: Mon, 10 Dec 2001 12:20:34 -0500

|How do I run jetty as non-root listening on port 80? If you can do this,
|how did you accomplish it?
|
|-danch




Re: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread danch



David Ward wrote:

> 
> 
> Sorry for another post, but this is an example of kicking off a java proc 
> from root but having the process running as a different user (in this 
> case, "foouser").
> 
> 
> /bin/su -c "cd /usr/local/jboss/bin ; nohup ./run_with_tomcat.sh 1> 
> /var/log/jboss.log 2>%1 &" - foouser
> 


But that process (the java process) is running as foouser from the 
get-go: it won't be able to listen on port 80.


-danch








Re: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread David Ward


> /bin/su -c "cd /usr/local/jboss/bin ; nohup ./run_with_tomcat.sh 1> 
> /var/log/jboss.log 2>%1 &" - foouser


oops - my bad: %1 should be &1

David





Re: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread David Ward


David Ward wrote:

> 
> I'm not talking about "in" Java, I'm talking about the JVM process 
> itself, which is (obviously) OS specific.
> 
> 


Sorry for another post, but this is an example of kicking off a java proc 
from root but having the process running as a different user (in this 
case, "foouser").


/bin/su -c "cd /usr/local/jboss/bin ; nohup ./run_with_tomcat.sh 1> 
/var/log/jboss.log 2>%1 &" - foouser






Re: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread danch



David Ward wrote:

> 
> I'm not talking about "in" Java, I'm talking about the JVM process 
> itself, which is (obviously) OS specific.
> 


Right, but if there isn't a Java API for it, what do you do? You _could_ 
write JNI code, but I don't know if you can return a ServerSocket (or 
ServerSocketChannel) from JNI - I'm just not a JNI guy.

-danch








Re: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread David Ward



danch wrote:

> 
> 
> David Ward wrote:
> 
>> Doesn't apache start up as root, bind to the [80 < 1024] port, but 
>> then re-assign the process to whatever user you have in httpd.conf?  
> 
> 
> 
> yes.
> 
>> I bet you could do something similar...
> 
> 
> 
> Not in Java (to my knowledge, although I haven't looked real closely at 
> the 1.4 API)
> 
> -danch
> 
> 
> 

I'm not talking about "in" Java, I'm talking about the JVM process 
itself, which is (obviously) OS specific.






Re: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread danch



David Ward wrote:

> Doesn't apache start up as root, bind to the [80 < 1024] port, but then 
> re-assign the process to whatever user you have in httpd.conf?  


yes.

> I bet 
> you could do something similar...


Not in Java (to my knowledge, although I haven't looked real closely at 
the 1.4 API)

-danch







Re: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread David Ward

Doesn't apache start up as root, bind to the [80 < 1024] port, but then 
re-assign the process to whatever user you have in httpd.conf?  I bet 
you could do something similar...

--

danch wrote:

> 
> 
> Greg Wilkins wrote:
> 
>> Jason,
>>
>> As Jetty (and tomcat4) is a full featured HTTP/1.1 server, there is 
>> little need to put apache up front.  
> 
> 
> 
> How do I run jetty as non-root listening on port 80? If you can do this, 
> how did you accomplish it?
> 
> -danch
> 
> 
> 
> 
> 







RE: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread marc fleury


|How do I run jetty as non-root listening on port 80? If you can do this,
|how did you accomplish it?
|
|-danch

something similar,

jboss.org runs jetty on port 8080 with redirect from 80 -> 8080 on linux
jboss runs as user jboss, yet 'listens' on port 80

marcf





Re: [JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-10 Thread danch



Greg Wilkins wrote:

> Jason,
> 
> As Jetty (and tomcat4) is a full featured HTTP/1.1 server, there is 
> little need to put apache up front.  


How do I run jetty as non-root listening on port 80? If you can do this, 
how did you accomplish it?

-danch

 






[JBoss-user] RE: [jetty-discuss] Re: jetty integration with apache

2001-12-09 Thread Kevin Seguin

one of the reasons one might want the ability to put
apache/iis/netscape/etc. in front of jetty (or tomcat for that matter) is
simply fitting into an existing infrastructure.  for example, suppose i have
this application that is servlet based.  i sell this application to a
customer that has standardized on iis.  for one reason or another, web
traffic can only be exposed to the "outside world" by way of iis.  in this
situation, it's nice to have connectors from iis to my servlet engine of
choice.

it's more a matter of sales/deployment friction than anything else.

> 
> Jason,
> 
> As Jetty (and tomcat4) is a full featured HTTP/1.1 server, there is 
> little need to put apache up front.   
> 
> If you feel a technical need - ask us for what you think is missing from
> Jetty and we will try to support it.
> 
> If you feel an administration/management/de facto standards need, try to
> educate :-)
> 
> If the education fails and you really do need to put apache out front,
> it is a trivial thing to do.
> 
> Again as Jetty fully supports HTTP/1.1, there is no need to waste
> cycles using mod_webapp to translate the protocol to that used by
> tomcat3.
> 
> Instead, use Apache's transparent proxy mechanism to delegate the HTTP
> requests to Jetty running within JBoss.  I think it is
> something like the following in your apache config:
> 
> ProxyPass /mywebapp/  http://jbosshost:8080/mywebapp/
> 
> The feedback I have had on this is that it is rather efficient
> and only slightly reduces the throughput you can get with direct
> access to the server within JBoss.
> 
> cheers
> 
> PS. Jetty's doco site is in transit at the moment, so the page about
> this is not linked in (nor exactly up to date).  But you can still
> see it at:  http://jetty.mortbay.org/jetty/doc/JettyWithApache.html
> 
> 
>  --- Julian Gosnell <[EMAIL PROTECTED]> wrote:
> > Jason,
> > 
> > As far as i know - YES
> > 
> > You should post on [EMAIL PROTECTED] where i am sure Greg will be
> > able to point you to the relevant doc and summarise various pros and cons.
> > 
> > Jetty supports virtual hosts, but this has not been integrated with JBoss as
> > AFAIK, the Deployer does not yet support this (since J2EE doesn't???).
> > 
> > Ask Greg re URL rewriting.
> > 
> > Please let the list know of any other 'advanced features' that you feel Jetty
> > (or JBoss/J2EE) is lacking, so they can be considered.
> > 
> > I'm crossposting you to jetty-discuss, and jboss-user, as the points this
> > thread raises may be of value to other participants.
> > 
> > 
> > Jules
> > 
> > 
> > 
> > Jason Dillon wrote:
> > 
> > > Hey, do you know if any integration support between jetty and apache?  Like
> > > tomcat does with mod_webapp?
> > >
> > > I think it would be a good idea if it was easy to integrate jboss with
> > > apache as easily as possible.  This would allow users to make use of the
> > > advanced web support it provides (virtual hosts, url re-writing...).
> > >
> > 
> > snip...
> > 
> > 
> > > Anyways, I don't really care if it is jetty or tomcat that is shipped
> > > default with JBoss, just that which ever it is can be easily plugged into
> > > apache.
> > >
> > > Perhaps jetty can support mod_webapp, if not perhaps there is another
> > > alternative which could be used for tighter integration.
> > >
> > > Just want to see if you might have more information on the subject. :)
> > >
> > > --jason
> > 
-- 
Greg Wilkins <[EMAIL PROTECTED]>
Mort Bay Consulting Australia and UK.GB Phone: +44-(0)7775534369
http://www.mortbay.com   AU Phone: +61-(0)299772395




[JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-09 Thread Greg Wilkins


Jason,

Mod_proxy does the job as the Host header should be used by all webapps
as the basis of generating URLs in responses (and thus hiding the 
existence of the secondary server and/or port).  Jetty uses this header
for all the data and URL rewriting that it does, so almost all
servlets should work fine behind mod_proxy.

If the host header is not used, then those servlets will not work
if the client has their own non-transparent proxies or port forwarders.


> I don't think that Jetty should try to incorporate all of the features and 
> functionality of Apache.  Instead, allow for JBoss/Jetty to be hooked up to

Jetty is first and foremost a full featured HTTP/1.1 implementation in 
Java.  Servlets are just a handler within the Jetty architecture.
There is value in a 100% java solution: efficiency, simplicity,
portability.

While apache is a great server it should not be the end of the story
when it comes to serving HTTP.  While Jetty lacks some bells and whistles
it can well support the requirements of almost all HTTP based applications.

cheers

 --- Jason Dillon <[EMAIL PROTECTED]> wrote:
> I was avoiding posting to jetty-discuss right away, as I didn't really do
> that much research (short of a few websearches) on the matter.
> 
> Let me clarify though.  I was hoping to make use of apache's facilities for
> these advanced configurations and simply proxy other requests over to JBoss.
> 
> The trick would be to make sure that the url mappings look consistent from
> the Apache standpoint.  So if there was a virtual host foo.mydomain.com, and
> jboss was running on mydomain.com:8080, then apache could proxy requests to
> a j2ee app deployed, but appear to be foo.mydomain.com.  The webuser would
> never know about mydomain.com:8080.
> 
> I know that some of this is possible with mod_proxy, but I am not so sure
> about the rest.
> 
> I don't think that Jetty should try to incorporate all of the features and
> functionality of Apache.  Instead, allow for JBoss/Jetty to be hooked up to
> Apache seamlessly and get the best of both worlds.
> 
> --jason
> 
> 
> On Mon, 10 Dec 2001, Julian Gosnell wrote:
> 
> > Jason,
> > 
> > As far as i know - YES
> > 
> > You should post on [EMAIL PROTECTED] where i am sure Greg will be
> > able to point you to the relevant doc and summarise various pros and cons.
> > 
> > Jetty supports virtual hosts, but this has not been integrated with JBoss as
> > AFAIK, the Deployer does not yet support this (since J2EE doesn't???).
> > 
> > Ask Greg re URL rewriting.
> > 
> > Please let the list know of any other 'advanced features' that you feel Jetty
> > (or JBoss/J2EE) is lacking, so they can be considered.
> > 
> > I'm crossposting you to jetty-discuss, and jboss-user, as the points this
> > thread raises may be of value to other participants.
> > 
> > 
> > Jules
> > 
> > 
> > 
> > Jason Dillon wrote:
> > 
> > > Hey, do you know if any integration support between jetty and apache?  Like
> > > tomcat does with mod_webapp?
> > >
> > > I think it would be a good idea if it was easy to integrate jboss with
> > > apache as easily as possible.  This would allow users to make use of the
> > > advanced web support it provides (virtual hosts, url re-writing...).
> > >
> > 
> > snip...
> > 
> > 
> > > Anyways, I don't really care if it is jetty or tomcat that is shipped
> > > default with JBoss, just that which ever it is can be easily plugged into
> > > apache.
> > >
> > > Perhaps jetty can support mod_webapp, if not perhaps there is another
> > > alternative which could be used for tighter integration.
> > >
> > > Just want to see if you might have more information on the subject. :)
> > >
> > > --jason
> > 
-- 
Greg Wilkins <[EMAIL PROTECTED]>
Mort Bay Consulting Australia and UK.GB Phone: +44-(0)7775534369
http://www.mortbay.com   AU Phone: +61-(0)299772395




[JBoss-user] Re: [jetty-discuss] Re: jetty integration with apache

2001-12-09 Thread Greg Wilkins

Jason,

As Jetty (and tomcat4) is a full featured HTTP/1.1 server, there is 
little need to put apache up front.   

If you feel a technical need - ask us for what you think is missing from
Jetty and we will try to support it.  

If you feel an administration/management/de facto standards need, try to 
educate :-)

If the education fails and you really do need to put apache out front,
it is a trivial thing to do.

Again as Jetty fully supports HTTP/1.1, there is no need to waste
cycles using mod_webapp to translate the protocol to that used by
tomcat3.  

Instead, use Apache's transparent proxy mechanism to delegate the HTTP
requests to Jetty running within JBoss.  I think it is
something like the following in your apache config:

ProxyPass /mywebapp/  http://jbosshost:8080/mywebapp/

The feedback I have had on this is that it is rather efficient
and only slightly reduces the throughput you can get with direct
access to the server within JBoss.

cheers

PS. Jetty's doco site is in transit at the moment, so the page about
this is not linked in (nor exactly up to date).  But you can still 
see it at:  http://jetty.mortbay.org/jetty/doc/JettyWithApache.html


 --- Julian Gosnell <[EMAIL PROTECTED]> wrote:
> Jason,
> 
> As far as i know - YES
> 
> You should post on [EMAIL PROTECTED] where i am sure Greg will be
> able to point you to the relevant doc and summarise various pros and cons.
> 
> Jetty supports virtual hosts, but this has not been integrated with JBoss as
> AFAIK, the Deployer does not yet support this (since J2EE doesn't???).
> 
> Ask Greg re URL rewriting.
> 
> Please let the list know of any other 'advanced features' that you feel Jetty
> (or JBoss/J2EE) is lacking, so they can be considered.
> 
> I'm crossposting you to jetty-discuss, and jboss-user, as the points this
> thread raises may be of value to other participants.
> 
> 
> Jules
> 
> 
> 
> Jason Dillon wrote:
> 
> > Hey, do you know if any integration support between jetty and apache?  Like
> > tomcat does with mod_webapp?
> >
> > I think it would be a good idea if it was easy to integrate jboss with
> > apache as easily as possible.  This would allow users to make use of the
> > advanced web support it provides (virtual hosts, url re-writing...).
> >
> 
> snip...
> 
> 
> > Anyways, I don't really care if it is jetty or tomcat that is shipped
> > default with JBoss, just that which ever it is can be easily plugged into
> > apache.
> >
> > Perhaps jetty can support mod_webapp, if not perhaps there is another
> > alternative which could be used for tighter integration.
> >
> > Just want to see if you might have more information on the subject. :)
> >
> > --jason
> 
> 
-- 
Greg Wilkins <[EMAIL PROTECTED]>
Mort Bay Consulting Australia and UK.GB Phone: +44-(0)7775534369
http://www.mortbay.com   AU Phone: +61-(0)299772395
