Tomcat 5 standalone, SSL, IE problem...
Howdy,

I'm running tomcat 5.0.16, jdk 1.4.1_02-b06 on Solaris 8 and am running into an issue with IE. It seems that when I use IE without SSL things work fine, but when I use IE with SSL the form posts I'm sending don't always submit properly. I know it sounds crazy, but I'm wondering if there are any known incompatibilities between IE and tomcat ssl? Or any special configuration settings I need to do in order to make IE and Tomcat happy together?

Thanks,
-gabe

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Off-topic - Java and X11 Window Server
If you are running java 1.4 you might be better off setting it up to run in a headless environment. I add this to my JAVA_OPTS when running startup.sh for tomcat to do this:

JAVA_OPTS=-Djava.awt.headless=true

Cheers,
-gabe

-----Original Message-----
From: Patrick Willart [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 11:26 AM
To: Jose Euclides da Silva Junior - DATAPREVRJ; 'Tomcat Users List'
Subject: RE: Off-topic - Java and X11 Window Server

Dear Jose,

This is the document that put me on the right track. Set the DISPLAY variable as an environment variable for the user that starts Tomcat. The variable has to be set before Tomcat is started.

<snippet of document>
To run Xvfb in a manner that pleases Java, try:

/usr/X11R6/bin/Xvfb :1 -screen 0 800x600x24

This will create a virtual display at :1.0 with a size of 800 by 600 pixels and a color depth of 24 bits. To ensure that Java draws to this display, you must set the DISPLAY environment variable to :1.0 before invoking Java. If Java throws any X11Environment exceptions, try changing the color depth or screen size. In my experience 16 or 24 bits has always worked.
</snippet of document>

grts,
Patrick

-----Original Message-----
From: Jose Euclides da Silva Junior - DATAPREVRJ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 11:51 AM
To: 'Tomcat Users List'; '[EMAIL PROTECTED]'
Subject: RES: Off-topic - Java and X11 Window Server

Dear Patrick,

Where (and HOW) should I set it?

Thanks in advance,
José Euclides Junior
Project DOP201
J2EE infrastructure for the corporate applications of Previdência Social

-----Original Message-----
From: Patrick Willart [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 7 January 2004 16:51
To: Tomcat Users List
Subject: RE: Off-topic - Java and X11 Window Server

I am not an expert on any *nix system, but faced the same problem once. I had to set the DISPLAY variable to :1.0 (export DISPLAY=:1.0). It is important that this is set for the same user that is running Tomcat.

grts,
Patrick

-----Original Message-----
From: Jose Euclides da Silva Junior - DATAPREVRJ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 10:55 AM
To: '[EMAIL PROTECTED]'
Subject: Off-topic - Java and X11 Window Server

Hi guys,

Has anybody ever seen this error before? The X11 seems to be alive at my environment -- Conectiva Linux. The target Java app, GraficoBig, works with a free package, called org.jfree.char and org.jfree.gui.

500 Internal Server Error
java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
	at sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
	at sun.awt.X11GraphicsEnvironment.<clinit>(X11GraphicsEnvironment.java:54)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:115)
	at java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvironment.java:53)
	at java.awt.Window.<init>(Window.java:183)
	at java.awt.Frame.<init>(Frame.java:310)
	at java.awt.Frame.<init>(Frame.java:289)
	at javax.swing.JFrame.<init>(JFrame.java:167)
	at org.jfree.ui.ApplicationFrame.<init>(Unknown Source)
	at mypackage2.GraficoBig.<init>(GraficoBig.java:26)
	at _Jspbig._jspService(_Jspbig.java:128) [SRC:Jspbig.jsp:118]

regards,
José Euclides Junior
Project DOP201
J2EE infrastructure for the corporate applications of Previdência Social
RE: How do you generate a unique number for each request across multiple tomcat instances?
The hibernate project has a uuid class, you could look at how they do it... Here's the docs:

http://www.hibernate.org/hib_docs/reference/html/or-mapping.html#or-mapping-s1-4-uuid

-gabe

-----Original Message-----
From: Tom Ly [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 16, 2003 12:10 PM
To: Tomcat Users List
Subject: Re: How do you generate a unique number for each request across multiple tomcat instances?

bump

Tom Ly [EMAIL PROTECTED] wrote:

That works great in a windows environment. But on Linux machines, the line will always return 127.0.0.1

Tim Funk wrote:

Ideally use a string for uniqueness, not an int. For an int is too small across a cluster. To get a unique string, concatenate your IP address with java.rmi.server.UID(), for example:

String guid = InetAddress.getLocalHost().getHostAddress() + (new java.rmi.server.UID()).toString();

See the javadocs on UID for more info.

-Tim

Tom Ly wrote:

I have an application where I need to generate a unique int for each request that comes in. I've got about 8 Tomcat instances running spread across four machines (two tomcats each machine). It's pretty simple with one Tomcat, but with multiple Tomcats it gets tricky. I tried using InetAddress to get the ip address of the current machine and use that to set the range for each tomcat (since the ip address will always be unique), but since I'm using Linux, it'll always return 127.0.0.1 as the ip address, so I can use class InetAddress. Any advice on what to do?
RE: CGI not working on Tomcat 5.0.16?
I've noticed that on tomcat 5 the working directory that it execs the cgi script in is different than it was on tomcat 4. I haven't solved my problem yet, but I have isolated that to be my problem.

-gabe

-----Original Message-----
From: Jonathan Eric Miller [mailto:[EMAIL PROTECTED]
Sent: Monday, December 15, 2003 2:42 PM
To: Tomcat User List
Subject: CGI not working on Tomcat 5.0.16?

I've been having problems getting CGI to work with Tomcat 5.0.16. I have it working with Tomcat 4.1. Has anyone else been able to get it to work? I'm receiving the following error in my localhost_log*.txt log even though the file listed is there. Has anyone else had this problem?

2003-12-12 16:46:14 StandardContext[]cgi: runCGI (stderr):Can't open perl script /opt/jakarta-tomcat-5.0.16/webapps/ROOT/WEB-INF/cgi/awstats.pl: No such file or directory
2003-12-12 16:46:14 StandardContext[]cgi: runCGI: 1 lines received on stderr

Jon
RE: SSL/Verisign Confusion
I'm working on a tool to pull out the private key. It should be done by the end of the day. I will send something to the list when I have it finished. Kind of funny how just as I'm getting around to a project that has been on my plate all week someone else needs it too ;-)

-gabe

-----Original Message-----
From: Dave Wood [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 8:07 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

I realize you can't do this with keytool. Is there no way to do it at all? I'm beginning to think I might be totally hosed here.

Thanks,
Dave

-----Original Message-----
From: Jay Garala [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 8:37 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion

NOTE: You cannot export private key from keystore.

-----Original Message-----
From: Dave Wood [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 10:32 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks. With the exception of the openssl doc, I've been over these quite a bit. The result is the problem I've mentioned where keytool says it can't import my certificate because the alias already exists.

After some help I got last night, I think the question boils down to this:

* once I have extracted my private key from keytool (haven't done this yet), how do I take that key, the VeriSign intermediate certificate and my public key certificate and get them to play together.

I'm hoping the openssl stuff will take care of this, because keytool doesn't really seem to recognize private keys as things that you can work with directly.

Thanks again,
Dave

-----Original Message-----
From: Jay Garala [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 7:12 AM
To: 'Tomcat Users List'
Subject: RE: SSL/Verisign Confusion

Try the Java keytool help:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

Tomcat how-to:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

If you have OpenSSL:
http://forum.java.sun.com/thread.jsp?forum=2&thread=4240

Jay

-----Original Message-----
From: Dave Wood [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2003 1:04 AM
To: Tomcat Users List
Subject: RE: SSL/Verisign Confusion

Thanks Bill. I think this highlights something I'm really not understanding... Didn't I generate an important private key somewhere along the line that I can't just regenerate if I blow away my keystore? I assumed the certificate I got back from verisign would only work if I still had the original private key I generated before sending them my request. Is that wrong?

(I'll take a look at the link you sent... at first glance, it looks a little hard to follow, but hopefully not).

Thanks again.
Dave

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] Behalf Of Bill Barker
Sent: Thursday, September 04, 2003 11:06 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL/Verisign Confusion

Firstly, it looks like you should wipe your keystore and start again. To use a VS cert with Tomcat, the two options I know are:

1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and use that as your keystore (remember to set 'keystoreType=pkcs12' on the Factory in server.xml).

Dave Wood [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

I'm having a problem getting an SSL certificate from Verisign working correctly. I'm going to include everything I can think of that MIGHT be a problem. Unfortunately, there are a couple things I can't quite remember for certain. Here's the situation:

1. I generated the initial key using an alias other than tomcat (we'll call it company)
2. I generated the CSR and sent it to verisign. I still have this file.
3. Verisign changed the company name during the verification process (from an acronym to the full spelling of the name)
4. I now have the certificate that they sent back after the validation process.
5. One thing I can't account for is why when I see this:

$ keytool -list
Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries:
(...others removed...)
company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
(the numbers aren't really 0's)

...I think I must have self-signed or something (I was doing a couple of these things and don't recall exactly), but I'm surprised to see trustedCertEntry here.

The problem I'm having is this:

$ keytool -import -trustcacerts -alias company -file public.crt
Enter keystore password: xxx
keytool error: java.lang.Exception: Certificate not imported, alias company already exists

(but I'm thinking it should be REPLACING this entry, so the fact that it exists shouldn't be a problem???)

So, I have several questions:

1. Am I hosed completely because I didn't use tomcat as the alias?
2. How does the
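As an added example that is not part of this thread (my own script, not the tool Gabe mentions and not anything from the Tomcat project): a POSIX shell script that assumes openssl is installed and that the private key, the CA-issued certificate and the intermediate certificate are available as PEM files, and packages them into the single PKCS12 keystore that Bill Barker's option 2 describes, refusing to package a key that does not belong to the certificate.

```shell
#!/bin/sh
# Added example (not from the thread): assemble a private key, the CA-issued
# certificate and the intermediate certificate into one PKCS12 file that
# Tomcat can load directly with keystoreType="pkcs12". Requires openssl;
# file names, password and alias are assumptions passed in by the caller.

# build_tomcat_p12 KEY.pem CERT.pem CHAIN.pem OUT.p12 [PASSWORD] [ALIAS]
#   KEY.pem   - the private key generated before the CSR was sent off
#   CERT.pem  - the certificate the CA returned for that key
#   CHAIN.pem - the intermediate certificate(s) that chain up to the root
# Return codes: 0 ok, 2 unreadable key/cert, 3 key/cert mismatch, 4 export failed
build_tomcat_p12() {
    key=$1; cert=$2; chain=$3; out=$4
    pass=${5:-changeit}; alias=${6:-tomcat}

    # A certificate only works with the key its CSR was made from; comparing
    # the RSA modulus on both sides catches a regenerated keystore before the
    # bad pair is handed to Tomcat.
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 2
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || return 2
    [ "$key_mod" = "$cert_mod" ] || return 3

    # -certfile adds the intermediate so the server presents the whole chain;
    # -name sets the alias Tomcat will look up.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
        -name "$alias" -passout "pass:$pass" -out "$out" || return 4
    chmod 600 "$out"    # the file now holds the private key
}

# p12_cert_count FILE.p12 PASSWORD
#   prints how many certificates the file carries (leaf + intermediates);
#   a quick sanity check that the chain made it in.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Usage: sh tomcat_p12.sh key.pem cert.pem intermediate.pem tomcat.p12 [password]
if [ $# -ge 4 ]; then
    build_tomcat_p12 "$@" \
        && echo "wrote $4 with $(p12_cert_count "$4" "${5:-changeit}") certificate(s)"
fi
```

Getting the key out of an existing JKS keystore, which the JDK 1.4 keytool discussed here could not do, is possible with JDK 6 and later: `keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12` followed by `openssl pkcs12 -in keystore.p12 -nocerts -nodes` yields the PEM key this script consumes.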
RE: Help! heavy traffic is crapping out our site every 5 min! DBCP exceptions
Try running netstat on the linux box to see how many connections are out there. This might give you some more visibility into what network connections are actually being used and where they are going.

-gabe

-----Original Message-----
From: Barclay A. Dunn [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 10:43 AM
To: Tomcat Users List
Subject: RE: Help! heavy traffic is crapping out our site every 5 min! DBCP exceptions

your logic seems on target to me. my sysadmin (who's just as stymied as i am) says that according to his sources, sockets on linux are open files so if the open file limit is exceeded, it would affect sockets as well. any thoughts on this?

barclay

-----Original Message-----
From: Eric J. Pinnell [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:38 PM
To: Tomcat Users List
Subject: RE: Help! heavy traffic is crapping out our site every 5 min! DBCP exceptions

I'm pretty sure can't create socket means it can't connect to the DB for some reason. I would wager the DB (or something) is refusing the connection. The fact that it said can't create socket means that tomcat is trying to do so. So that part of it seems alright.

-e

On Fri, 8 Aug 2003, Barclay A. Dunn wrote:

well, i followed the dbcp comment that says set to 0 for unlimited and that turns out to be wrong. i also tried -1 and that is equally unuseful in terms of setting it to unlimited. so i tried setting maxActive to 10 and so far it is generating no errors. no, i'm wrong. connecs shot up to around 600 or maybe more, then we started getting the java.sql.SQLException: [Microsoft][SQLServer 2000 Driver for JDBC]Error establishing socket. the db has an insanely huge connection limit of 99,999 we think.

barclay

-----Original Message-----
From: Eric J. Pinnell [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:27 PM
To: Tomcat Users List
Subject: RE: Help! heavy traffic is crapping out our site every 5 min! DBCP exceptions

Is it also unlimited (or insanely huge) on the database?

-e

On Fri, 8 Aug 2003, Barclay A. Dunn wrote:

i adjusted the pool to unlimited and am still getting these errors. something else seems to be fekachte.

barclay

-----Original Message-----
From: Eric J. Pinnell [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:11 PM
To: Tomcat Users List
Subject: Re: Help! heavy traffic is crapping out our site every 5 min! DBCP exceptions

Hi,

Your pool of connections to your database is exhausted. Try upping the number.

-e

On Fri, 8 Aug 2003, Barclay A. Dunn wrote:

we are getting a ton of these errors in our catalina.out and i could use help in fixing it. i know they are related to our connection pooling, but not what to do to fix. my understanding of the underlying mechanics of connection pooling is somewhat limited. i have put two different but related error messages in here:

java.sql.SQLException: DBCP could not obtain an idle db connection, pool exhausted
	at org.apache.commons.dbcp.AbandonedObjectPool.borrowObject(AbandonedObjectPool.java:123)
	at org.apache.commons.dbcp.PoolingDataSource.getConnection(PoolingDataSource.java:110)
	at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:312)
	at com.happypuppy.util.HPSql.getConnection(HPSql.java:21)
	at org.apache.jsp.index_jsp._jspService(index_jsp.java:222)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:137)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:204)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:295)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:684)
	at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:575)
	at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:498)
	at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:822)
	at org.apache.jsp._404_jsp._jspService(_404_jsp.java:373)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:137)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:204)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:295)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
	at
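An added example, not from the thread: a shell script that reads Linux `netstat -an` output (the check Gabe suggests above) and tallies the sockets held toward the database by state, then compares the live ESTABLISHED count with the DBCP maxActive the pool was configured with. The netstat lines and the 10.0.0.5:1433 database address are constructed for the example; a count well above maxActive means connections are being opened outside the pool or leaked from it, and a large TIME_WAIT tally means connections are being torn down per request rather than pooled.

```shell
#!/bin/sh
# Added example (not from the thread): tally sockets toward the database
# host from Linux `netstat -an` output. Column layout assumed:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State
# The sample below is constructed; 10.0.0.5:1433 stands in for SQL Server.

sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.7:45012          10.0.0.5:1433           ESTABLISHED
tcp        0      0 10.0.0.7:45013          10.0.0.5:1433           ESTABLISHED
tcp        0      0 10.0.0.7:45014          10.0.0.5:1433           ESTABLISHED
tcp        0      0 10.0.0.7:45015          10.0.0.5:1433           TIME_WAIT
tcp        0      0 10.0.0.7:45016          10.0.0.5:1433           TIME_WAIT
tcp        0      0 10.0.0.7:8080           192.0.2.10:51234        ESTABLISHED
EOF
}

# conn_states REMOTE_ADDR:PORT  (netstat output on stdin)
#   prints "STATE count" for every TCP socket whose foreign address matches,
#   sorted by state, e.g. "ESTABLISHED 3" / "TIME_WAIT 2"
conn_states() {
    awk -v peer="$1" '$1 ~ /^tcp/ && $5 == peer { n[$6]++ }
                      END { for (s in n) print s, n[s] }' | sort
}

# established_to REMOTE_ADDR:PORT  (netstat output on stdin)
#   prints the number of ESTABLISHED sockets to that peer, 0 if none
established_to() {
    conn_states "$1" \
        | awk '$1 == "ESTABLISHED" { print $2; seen = 1 }
               END { if (!seen) print 0 }'
}

# pool_check REMOTE_ADDR:PORT MAX_ACTIVE  (netstat output on stdin)
#   returns 0 when the live socket count fits inside the pool's maxActive,
#   1 when it exceeds it, i.e. something other than the pool is opening
#   connections or the pool is not getting them back.
pool_check() {
    n=$(established_to "$1")
    [ "$n" -le "$2" ]
}

# Usage on a live box: netstat -an | sh dbconns.sh 10.0.0.5:1433 10
if [ $# -ge 2 ]; then
    conn_states "$1"
    if pool_check "$1" "$2"; then echo "within maxActive=$2"; else echo "EXCEEDS maxActive=$2"; fi
fi
```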
RE: Tomcat not working behind a NAT?
Does setting the proxyName help? See docs at:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/coyote.html

-----Original Message-----
From: Erin Dalzell [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2003 4:31 PM
To: 'Tomcat Users List'
Subject: RE: Tomcat not working behind a NAT?

OK, I have a question for all the Tomcat gurus out there. Here is my scenario:

* tomcat machine is behind NAT
* internal ip address is 2.2.2.2 (ip changed to protect the innocent!)
* external ip is 3.3.3.3
* client accesses servlet with ip 3.3.3.3.
* inside servlet we call RequestDispatcher rd = getServletContext().getRequestDispatcher( "/another_page.jsp" );
* then we call rd.forward( orig_request, response );

My question is, is that forward call a full http request? If so, what ip address will it use? I think that it is trying to use the 3.3.3.3 address and the NAT doesn't like it.

Thoughts?

Thanks
emd

Erin Dalzell
eXpresso Product Specialist
Epic Data
604.207.7699

-----Original Message-----
From: Eric J. Pinnell [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2003 10:05 AM
To: Tomcat Users List
Subject: RE: Tomcat not working behind a NAT?

I still think you are barking up the wrong tree here. If I had to guess I would say that 95% of all internet facing Tomcat servers are behind some kind of NAT device.

One thing to consider. NAT only translates the IP in the IP header and doesn't change the data payload. So if you are, for whatever reason, using an IP address that is getting sent along in the payload and trying to redirect to it or whatever, NAT won't change that. Kinda how SQLNet doesn't like NAT devices. Because the user's IP is embedded in the payload as part of the protocol. So it goofs up when the IP header and the IP in the payload don't match.

But what you are thinking below is the first thing I would do. Make sure the machine on the outside sees the correct hostname/IP number and the machine on the inside sees that same hostname as the inside IP address. You can do that via the hosts file if you like.

-e

On Fri, 25 Jul 2003, Erin Dalzell wrote:

For this particular Servlet call we are not accessing any databases. DTDs? Not really familiar with those... I will check. I don't think we are trying to resolve hosts.

Here is something we got from our client:

--
The sniffer log showed the NATed address in one of the http requests ... following along the line of tomcat not using a localhost for addressing requests even if they're local to the system ... What options are there to specify the address for tomcat under which to start? It must perform a lookup on DNS to translate the address, can we use the /etc/hosts file to create a 'fixed' address that won't be affected by DNS? This may not resolve it either ... as which one would you actually put in to allow both 'local' access vs 'outside' access ...
--

Erin Dalzell
eXpresso Product Specialist
Epic Data
604.207.7699

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 5:46 PM
To: Tomcat Users List
Subject: Re: Tomcat not working behind a NAT?

It shouldn't use high ports. Are you running any database services or other services? Are your dtd's not correct and it's actually trying to pull foreign assets via http? Are you trying to resolve hosts in your access log? (or similar)

Use your sniffer to see the type of request being performed on the high port.

-Tim

Erin Dalzell wrote:

Hi there,

We have just discovered that our tomcat web app is not working correctly behind a NAT. Our actual web app works fine, but when we try to access our management pages via http, it doesn't work. Any static pages are served up correctly through our defined tomcat port (6300), but any dynamic content (to several different servlets) doesn't work.

When we run a sniffer, it looks like tomcat tries to communicate with itself on a very high (and random) port. For example, if our tomcat is accessible locally as 10.10.10.10 and externally as 204.1.1.1 and we access from within our network (10.10.x.x) everything works fine and tomcat is able to talk to itself on port 45000. But if I access it from an external site, tomcat tries to communicate with itself on the 204.1.1.1 address and the NAT doesn't like it.

So, I have a few questions:

1) why doesn't tomcat (we are using version 4) use localhost to communicate with itself?
2) anyone else seen this problem?
3) can the high port be configured?

Thoughts?
Internet Explorer SSL issues and tomcat running ssl?
Howdy,

The mod_ssl faq says to do the following:

The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction between SSL and HTTP/1.1 features are problematic with some MSIE versions, too. You've to work-around these problems by forcing Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or sending the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section:

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

from http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie

Do I need to set something similar in Tomcat? Is it already part of the coyote connector?

Thanks,
-gabe
RE: Running Tomcat as Non-Root
Has anyone submitted a request to get dropping privs into the JDK? Or escalating privs to grab one of these ports and then dropping them again? As I see this request over and over again on this list I think there is a large number of people who would like to see it or would vote for it in the java bug parade. It also seems rather important for running a secure service to manage the privs. I know I could use a security manager/policy to restrict what can happen, but this doesn't restrict native libraries loaded into the process and requires more work on our part than just allowing the JDK to lose its privs...

-gabe

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 12:58 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root

Howdy,

Are you running on a unix OS? If so, root is normally required if you want to run on a port < 1024. There are workarounds, but they vary in complexity and portability, and none are that good at this point.

If you're running on a port higher than 1024, then you don't need to run as root at all.

Yoav Shapira
Millennium ChemInformatics

-----Original Message-----
From: Latesha Williams [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 3:55 PM
To: Tomcat Users List
Subject: Running Tomcat as Non-Root

Is it possible to run Tomcat as a non-root user, with root as the owner of the entire Tomcat directory structure and grant file/directory permissions to the non-root account? Please advise.

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
RE: Running Tomcat as Non-Root
Right. I'm saying has anyone looked into submitting something to sun asking them to make it possible to start up a process as root and then drop down to another user like most native services do? I want that bridge between native user credentials and capabilities, and the ability to switch which native user I'm running on (assuming the user I'm running with has that capability.) This is missing in Java.

-gabe

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 1:21 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root

Howdy,

Huh??? Have you looked at java.security.AccessController#doPrivileged()?

The issue is that port binding is a native operation and there's no bridge between the JDK java.security.Principal and the native user credentials needed to open the port.

Yoav Shapira
Millennium ChemInformatics
RE: Running Tomcat as Non-Root
So I'm going to take that as a no. No one has bothered to pester sun about this.

And yes, the way things tend to work today is that people run these things with extra JVMs, although if it's running on port 25 they'd all have to be running as root. So I realize that it's possible that you could only drop privs down to a single user in the vm, but gee wouldn't that be hugely better than what we have today, where if I want to run < 1024 I have to run as superuser? Surely you can see the benefit.

-gabe

-----Original Message-----
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 1:35 PM
To: Tomcat Users List
Subject: Re: Running Tomcat as Non-Root

So every Java-based service would need its own JVM instance? Would you want your Java-based MTA on port 25 running as your Tomcat user or vice versa? Isn't that how it would work if you configured the user account in the JVM... all services would run as the same user? Seems like that would end up being pretty messy to manage.

John

On Fri, 18 Jul 2003 13:24:42 -0700, Lawrence, Gabriel [EMAIL PROTECTED] wrote:

Right. I'm saying has anyone looked into submitting something to sun asking them to make it possible to start up a process as root and then drop down to another user like most native services do? I want that bridge between native user credentials and capabilities, and the ability to switch which native user I'm running on (assuming the user I'm running with has that capability.) This is missing in Java.

-gabe
RE: Running Tomcat as Non-Root
It's a Java problem, as the OSes that block access to ports below 1024 give native code APIs to open these ports and then lose the root privs. Java should allow those of us who are interested in running Java services to have the option to take advantage of this. I've filed a bug. When I get a bug number I'll post it. If you want to comment on how you think it's a good idea or a bad idea, you can feel free to do it there. Let's take the rest of this discussion off the Tomcat list.

-gabe

-Original Message-
From: Lukas Bradley [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 2:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Running Tomcat as Non-Root

Yes, but is this a Java problem, or is this an OS-related problem/feature? IMHO, since UNIX/LINUX is doing the restricting of port traffic, the problem resides with the OS, not with Java. Adding an API to shift the native security model is out of scope. Why don't particular flavors of the OS allow for ports below 1024 to be non-root?

Lukas

Lawrence, Gabriel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

So I'm going to take that as a no. No one has bothered to pester Sun about this. And yes, the way things tend to work today is that people run these things with extra JVMs, although if it's running on port 25 they'd all have to be running as root. So I realize that it's possible that you could only drop privs down to a single user in the VM, but gee, wouldn't that be hugely better than what we have today, where if I want to run below 1024 I have to run as superuser? Surely you can see the benefit.

-gabe
RE: Running Tomcat as Non-Root
Hey, that looks really useful. Thanks for pointing it out. Exactly what I'd like to see drawn into the platform, but I guess since it's here already no need to wait :-)

-gabe

-Original Message-
From: Bill Barker [mailto:[EMAIL PROTECTED]
Sent: Fri 7/18/2003 7:40 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: Running Tomcat as Non-Root

While this is flaming out of control ;-): Let me point out that there is jakarta-commons-sandbox/daemon that allows you to do this right now (i.e. launch as root, Tomcat binds to port 80, and then setuid to a non-privileged user before Tomcat actually handles any request). It also allows you to stop (gracefully) by sending a SIGTERM signal, or to restart by sending a SIGHUP. I'm pretty happy with it on the Linux box that I'm using it on.

Lawrence, Gabriel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Right. I'm saying has anyone looked into submitting something to Sun asking them to make it possible to start up a process as root and then drop down to another user like most native services do? I want that bridge between native user credentials and capabilities, and the ability to switch which native user I'm running as (assuming the user I'm running with has that capability). This is missing in Java.

-gabe

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 1:21 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root

Howdy,

Huh??? Have you looked at java.security.AccessController#doPrivileged()? The issue is that port binding is a native operation and there's no bridge between the JDK java.security.Principal and the native user credentials needed to open the port.

Yoav Shapira
Millennium ChemInformatics

-Original Message-
From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 4:06 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root

Has anyone submitted a request to get dropping privs into the JDK? Or escalating privs to grab one of these ports and then dropping them again? As I see this request over and over again on this list, I think there is a large number of people who would like to see it or would vote for it in the Java bug parade. It also seems rather important for running a secure service to manage the privs. I know I could use a security manager/policy to restrict what can happen, but this doesn't restrict native libraries loaded into the process and requires more work on our part than just allowing the JDK to lose its privs...

-gabe

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 12:58 PM
To: Tomcat Users List
Subject: RE: Running Tomcat as Non-Root

Howdy,

Are you running on a Unix OS? If so, root is normally required if you want to run on a port below 1024. There are workarounds, but they vary in complexity and portability, and none are that good at this point. If you're running on a port higher than 1024, then you don't need to run as root at all.

Yoav Shapira
Millennium ChemInformatics

-Original Message-
From: Latesha Williams [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 3:55 PM
To: Tomcat Users List
Subject: Running Tomcat as Non-Root

Is it possible to run Tomcat as a non-root user, with root as the owner of the entire Tomcat directory structure, and grant file/directory permissions to the non-root account? Please advise.
Trouble with clustering ending tomcat process on 4.1.24
Howdy,

I've noticed that sporadically my Tomcat process dies with the following error in catalina.out. Anyone have any ideas on what's going on? Obviously an exception of some sort, but why the exception?

Thanks,
-gabe

[InMemoryReplicationManager] storing attribute 'artifactbinding' with value 'e [EMAIL PROTECTED]'
[InMemoryReplicationManager] Session queued for replication ReplicatedSession id=C54825CD094CEB71F3E891B19D34BA0E ref=StandardSession[C54825CD094CEB71F3E891B19D34BA0E] name=userID; [EMAIL PROTECTED] name=authResult; value=edu.ucsd.security.ldapauth.LDAPAuthenticationResu [EMAIL PROTECTED] name=artifactbinding; value=edu.ucsd.security.saml.server.SamlArtifactBi [EMAIL PROTECTED] LastAccess=1058226313531
file sync interval: 60091
file sync: 1
ServerLifecycleListener: destroyMBeans: Throwable
javax.management.InstanceNotFoundException: MBeanServer cannot find MBean with ObjectName Catalina:type=Valve,sequence=18528421,path=/a4,host=asdfasdf.ucsd.edu,service=Tomcat-Standalone
        at mx4j.server.MBeanServerImpl.findMBeanMetaData(MBeanServerImpl.java:528)
        at mx4j.server.MBeanServerImpl.unregisterMBean(MBeanServerImpl.java:1165)
        at org.apache.catalina.mbeans.MBeanUtils.destroyMBean(MBeanUtils.java:2289)
        at org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(ServerLifecycleListener.java:930)
        at org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(ServerLifecycleListener.java:1165)
        at org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(ServerLifecycleListener.java:1114)
        at org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(ServerLifecycleListener.java:1296)
        at org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(ServerLifecycleListener.java:1268)
        at org.apache.catalina.mbeans.ServerLifecycleListener.destroyMBeans(ServerLifecycleListener.java:873)
        at org.apache.catalina.mbeans.ServerLifecycleListener.lifecycleEvent(ServerLifecycleListener.java:254)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
        at org.apache.catalina.core.StandardServer.stop(StandardServer.java:2219)
        at org.apache.catalina.startup.Catalina$CatalinaShutdownHook.run(Catalina.java:624)
Stopping service Tomcat-Standalone
[InMemoryReplicationManager] Stopping
RE: In memory session replication and session listeners?
Filip,

Got it. That's an easy, crafty way to do it. Will try it out and let you know how it works.

-gabe

-Original Message-
From: Filip Hanik [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 12, 2003 9:19 PM
To: Tomcat Users List
Subject: RE: In memory session replication and session listeners?

The session listener is only notified on the machine where the value actually gets set. Session data doesn't get replicated using the setAttribute/removeAttribute methods, but by pure serialization. And for now, the clustering doesn't have a public API to send your own data through it.

One way you can do it is to implement the java.io.Externalizable interface, and when the data gets deserialized, then set the stuff in your global variable; just remember to only set it once. Do you see where I am going with this?

Filip

-Original Message-
From: Lawrence, Gabriel [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 12, 2003 4:18 PM
To: Tomcat Users List
Subject: In memory session replication and session listeners?

I'm using the Tomcat 4 clustering stuff found at: http://cvs.apache.org/~fhanik/index.html

And I have one issue. I have a service that tracks some information that is reported outside the user's session. This is examined by a different client than the user's client. I want to keep this global information in sync across my load-balanced servers, as I can't necessarily predict which server this different client is going to hit.

The way it works without clustering is that I have a session listener set up that gets notified whenever data is added to a user's session. This then triggers an update to my global store as well. What I think I'm seeing is that when session information is replicated to my other server, the fact that something was set isn't triggering a session listener call on the other server. Does that mesh with people's understanding? Is there a way I can get it to?

Thanks!
-gabe
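Filip's Externalizable trick, written out as an added example that is not code from the thread, from Tomcat, or from the poster's application: the session attribute value publishes itself into a node-local global store when it is created on the originating node and again when a replica deserializes it, so the replica needs no listener call. GlobalArtifactStore and ReplicatedArtifactBinding are hypothetical names, and the in-JVM byte round trip stands in for the cluster transport.

```java
import java.io.*;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical node-local store that the out-of-session client reads (stand-in for the poster's "global store"). */
final class GlobalArtifactStore {
    private static final Map<String, String> BY_USER = new ConcurrentHashMap<>();
    static void put(String userId, String artifact) { BY_USER.put(userId, artifact); }
    static String get(String userId) { return BY_USER.get(userId); }
}

/** Hypothetical session attribute value: publishes to the global store on both the origin and the replica. */
final class ReplicatedArtifactBinding implements Externalizable {
    private static final long serialVersionUID = 1L;
    private String userId;
    private String artifact;
    // transient: the "already published on this JVM" guard must not travel with the replicated bytes
    private transient boolean published;

    public ReplicatedArtifactBinding() { }           // Externalizable requires a public no-arg constructor

    public ReplicatedArtifactBinding(String userId, String artifact) {
        this.userId = userId;
        this.artifact = artifact;
        publishOnce();                                // originating node: same effect the session listener had
    }

    private void publishOnce() {
        if (published) return;                        // "only set it once", as Filip advises
        GlobalArtifactStore.put(userId, artifact);
        published = true;
    }

    @Override public void writeExternal(ObjectOutput out) throws IOException {
        out.writeUTF(userId);
        out.writeUTF(artifact);
    }

    @Override public void readExternal(ObjectInput in) throws IOException {
        userId = in.readUTF();
        artifact = in.readUTF();
        if (userId.isEmpty() || artifact.length() > 4096) {   // replicated bytes are untrusted input: validate before acting
            throw new IOException("rejected artifact binding");
        }
        publishOnce();                                // replica node: setAttribute never ran here, so hook deserialization
    }

    /** Stand-in for the cluster transport: serialize on node A, deserialize a fresh copy as node B would. */
    static ReplicatedArtifactBinding replicate(ReplicatedArtifactBinding b) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(b); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (ReplicatedArtifactBinding) ois.readObject();
        }
    }
}
```

The guard is per instance: every replication deserializes a fresh object on the replica, so the store is updated once per arriving copy, which is exactly what the listener would have done on setAttribute.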
In memory session replication and session listeners?
I'm using the Tomcat 4 clustering stuff found at: http://cvs.apache.org/~fhanik/index.html

And I have one issue. I have a service that tracks some information that is reported outside the user's session. This is examined by a different client than the user's client. I want to keep this global information in sync across my load-balanced servers, as I can't necessarily predict which server this different client is going to hit.

The way it works without clustering is that I have a session listener set up that gets notified whenever data is added to a user's session. This then triggers an update to my global store as well. What I think I'm seeing is that when session information is replicated to my other server, the fact that something was set isn't triggering a session listener call on the other server. Does that mesh with people's understanding? Is there a way I can get it to?

Thanks!
-gabe
RE: Why does Oracle in JSP use multiple ports.
There was a config option to stop this and make Oracle just use 1521 that I used a couple of years back for this very purpose... Here's a discussion about the problem and how to get Oracle to just use a single port: http://www.stunnel.org/examples/oracle.html

-gabe

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2003 8:01 AM
To: Tomcat Users List
Subject: Re: Why does Oracle in JSP use multiple ports.

I have just learned that the thin driver uses 1521 to begin the conversation. But that is just a handshake. The handshake then says: let's finish the rest of our work on another higher port, where the higher port is a range of ports. So you need a whole range of ports open. :(

-Tim

Brad Rhoads wrote:

My client had to open port 1521 between the web server and Oracle DB server. This makes sense. But he also had to open port 33047 for our application pointing to the test SID and 40147 for the copy of the app pointing to the prod SID. Both ProdApp and TestApp are exactly the same except for the Oracle SID.

Here's part of the log from their Check Point firewall (before they opened up these other ports):

service sqlnet2-1521 is port 1521
service WebServer is port 40147

Number  Date      Time     Action  Service       Source     Destination        Protocol
45488   5Jun2003  8:30:17  Accept  sqlnet2-1521  WebServer  synapse.berlinind  tcp
45489   5Jun2003  8:30:17  Drop    SynapseWeb    WebServer  synapse.berlinind  tcp
45708   5Jun2003  8:31:50  Drop    SynapseWeb    WebServer  synapse.berlinind  tcp

Every SQL request sent through one 1521, which was accepted, and two 40147s, which were dropped. Can anyone explain this?