Re: Setting up Eclipse for remote debug struts action classes in tomcat?

2003-08-25 Thread Paul Sundling
The most basic way is probably to use log4j or commons logging and then 
use the eclipse logwatcher plugin to keep watch over your log files.

Paul Sundling

Quasar wrote:

I know I have read that you can use eclipse to remote debug tomcat, but is it possible 
to have eclipse debug struts action classes that are being executed by Tomcat?  And is 
there anywhere that documents how that would work?  I'd love to know what the values of 
some variables are at runtime etc. when I'm having problems with it.  Thanks in advance!
-D
 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: CVS with tomcat

2003-08-21 Thread Paul Sundling
I've attached my build.xml (with changes to IPs and passwords :))

The kind of setup I'd recommend is this:
local developer machines (windows, linux, bsd, whatever) running 
local copies of tomcat, eclipse for an IDE attached to your CVS 
repository and ant either run from command line, or launched from within 
eclipse itself with the appropriate client.  Now the deploy to 
staging needs to be done, but I'm sure you can research that part.  Get 
the files from CVS for your local copy and then push those to 
production or staging.  You'll need an ant target that uses ftp or 
something; rsync or scp would work too.

Paul Sundling

SuniX wrote:

Thank you
Can you give an example of ant source which reloads and deploys to a 
tomcat server? It can help me.
Thanks

Paul Sundling wrote:

I'm not sure why you'd want to have it deployed automatically.  You 
can probably do it with ant and cruise control?
With ant, you can create targets that reload your app or deploy it to 
a tomcat server.  That's what I do currently and it even integrates 
well with eclipse!
If you really want to do it automatically I heard cruise control does 
that sort of functionality, but I'm not sure about having it look for 
changes in CVS.

SuniX wrote:

Hi
Is there a way to use CVS with tomcat ?
i want my tomcat server to check a cvs project and deploy it 
automatically. (cvs server and tomcat server in the same machine 
running on a debian testing)




<!-- A project describes a set of targets that may be requested
 when Ant is executed.  The default attribute defines the
 target which is executed if no specific target is requested,
 and the basedir attribute defines the current working directory
 from which Ant executes the requested task.  This is normally
 set to the current working directory.
-->
<project name="Gladiator" default="compile" basedir=".">



<!-- ================= Property Definitions ================= -->

<!--
  Each of the following properties is used in the build script.
  Values for these properties are set by the first place they are
  defined, from the following list:
  * Definitions on the ant command line (ant -Dcatalina.home=xyz compile)
  * Definitions from a build.properties file in the top level
    source directory
  * Definitions from a build.properties file in the developer's
    home directory
  * Default definitions in this build.xml file

  You will note below that property values can be composed based on the
  contents of previously defined properties.  This is a powerful technique
  that helps you minimize the number of changes required when your development
  environment is modified.  Note that property composition is allowed within
  build.properties files as well as in the build.xml script.
-->
<!-- The only property we need is TOMCAT_HOME, so we get it from the environment
  <property file="build.properties"/>
  <property file="${user.home}/build.properties"/>
-->
<property environment="env"/>


<!-- ================= File and Directory Names ================= -->

<!--

  These properties generally define file and directory names (or paths) that
  affect where the build process stores its outputs.

  app.name        Base name of this application, used to
                  construct filenames and directories.
                  Defaults to "myapp".

  app.version     Version identifier for this application.

  build.home      The directory into which the "prepare" and
                  "compile" targets will generate their output.
                  Defaults to "build".

  catalina.home   The directory in which you have installed
                  a binary distribution of Tomcat 4.  This will
                  be used by the "deploy" target.

  deploy.home     The name of the directory into which the
                  deployment hierarchy will be created, and into
                  which the build directory will be copied.
                  Defaults to "${catalina.home}/webapps/${app.name}".

  dist.home       The name of the base directory in which
                  distribution files are created.
                  Defaults to "dist".

-->

  <property name="app.name"      value="gladiator"/>
  <property name="app.version"   value="1.0"/>
  <property name="build.home"    value="build"/>
  <property name="catalina.home" value="${env.TOMCAT_HOME}"/>
  <property name="deploy.home"   value="${catalina.home}/webapps/${app.name}"/>
  <property name="dist.home"     value="dist"/>
  <property name="webapp.libs"   value="web/WEB-INF/lib"/>
  <property name="local.tomcat.username" value="admin"/>
  <property name

Re: changing class file and reloading question

2003-08-20 Thread Paul Sundling
You can reload using the manager app (the link is on the start page when 
you first start tomcat).  You can also use an ant target.  You can 
reload a single webapp, which is probably the better way of doing it.  
Here's an example target from a build.xml that takes an argument:

 <target name="reload" depends="deploy" description="Reloads Tomcat Application (Local)">
   <get src="http://127.0.0.1:8080/manager/reload?path=/${app.name}"
        dest="status.txt"
        username="yourtomcataccount"
        password="yourtomcatpassword" />
   <loadfile property="catalina.reload" srcFile="status.txt" />
   <echo>${catalina.reload}</echo>
   <delete file="status.txt"/>
 </target>

Luke Vanderfluit wrote:

Hi,

I'm running tomcat 4.1.27 standalone on Redhat 9

I have a class that I'm changing (development) and don't want to have to
restart tomcat each time I make a change.
It wouldn't be so bad to do that if it wasn't for the fact that
tomcat takes ages to read my servlet every time it's restarted.
I have got the following entry in my server.xml file

#
<DefaultContext reloadable="true"/>
   <!-- Tomcat Root Context -->

   <Context path="" docBase="ROOT" debug="0" reloadable="true">
   </Context>
#
The class I'm changing is in the ROOT/WEB-INF/classes directory

the console message when I hit 'reload' on the browser is:

WebappClassLoader:   Resource '/WEB-INF/classes/Topic3x4.class' was
modified; Date is now: Wed Aug 20 05:53:59 CST 2003 Was: Wed Aug 20
05:44:04 CST 2003
How do I get tomcat to indeed reload the classes without having to
restart each time?
Thanks,
kind regards,
 





Re: CVS with tomcat

2003-08-19 Thread Paul Sundling
I'm not sure why you'd want to have it deployed automatically.  You can 
probably do it with ant and cruise control? 

With ant, you can create targets that reload your app or deploy it to a 
tomcat server.  That's what I do currently and it even integrates well 
with eclipse! 

If you really want to do it automatically I heard cruise control does 
that sort of functionality, but I'm not sure about having it look for 
changes in CVS.

SuniX wrote:

Hi
Is there a way to use CVS with tomcat ?
i want my tomcat server to check a cvs project and deploy it 
automatically. (cvs server and tomcat server in the same machine 
running on a debian testing)





Re: security hole on windows tomcat?

2003-08-14 Thread Paul Sundling
yep, you're correct that the JDK was important in solving this.  In case 
you didn't get the message below, the guys tracked it down to being a 
problem in JDK 1.4.2.  I'll remember to include that information next time.

Paul Sundling

Ralph Einfeldt wrote:

I think you should also include the JDK (vendor and version).

It's not impossible that this might be a JDK problem.

 

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 6:41 PM
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?
OS version
Directly to Tomcat (8080) or through Apache - JK or JK2?  
(If you've seen the problem, please include your workers or
workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen

   

Yes, adding
-Dsun.io.useCanonCaches=false

to the tomcat seemed to fix the security hole I discovered on my 4.1.24 
tomcat on Windows XP using JDK 1.4.2.  Great job finding a solution.  
It's a testament to open source and cooperation.  Fortunately it's JSP 
source it's showing and people should have anything worth seeing in 
their servlets or EJBs anyway.  
Paul Sundling

Jeff Tulley wrote:

I just wanted to make sure you saw this -- Jeanfrancois made the
connection that this issue has a known workaround, so you don't have to
backrev your JVM if you don't want to.
I tried this on Windows XP and NetWare and it worked in both places...

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com
 

[EMAIL PROTECTED] 8/12/03 7:08:50 PM 
  

Sorry I've just realized this thread may be related to bugtraq #4895132
(thanks to Jeff for the wake up mail on tomcat-dev ). The
workaround is to add the following property when starting Tomcat:
-Dsun.io.useCanonCaches=false

Can someone try it and let me know if it changes something. If this is 
not working, then point me to a very simple test case and I will file a
new bugtraq bug.

-- Jeanfrancois

Eric J. Pinnell wrote:

I think at this point this might be a worthwhile candidate for Sun's
bugparade.  At least get it on their radars (if they don't know about it
already).  It's interesting that the bug doesn't show up in Tomcat 4.1.27.

When 1.4.2 was released 4.1.24 was the latest stable build.

Regardless the JDK/appserver/whatever should never puke its guts and spit
out the source code when it gets a request it doesn't know how to deal
with.  Upon failure it should result in some kind of error.  Sun might
care about this...

-e

On Tue, 12 Aug 2003, Jeff Tulley wrote:

It is highly possible that this is dependent on the JVM you have
installed.  I actually finally WAS able to see this on Windows XP, but
only if Tomcat was running on JVM 1.4.2.  The problem did NOT happen
with 1.4.1.  Of course, JVM version is the one item I left off of my
poll in my email below. 

I'm trying to verify this on other OS's and track down what the actual
problem is.

But, if you run Tomcat on JVM 1.4.2, verify if you have this problem.

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com


[EMAIL PROTECTED] 8/12/03 4:10:53 PM 

Tomcat 4.0.6 on Win2K via direct connection to Tomcat on localhost via
either port 8080 or port 80 - pages return fine without the %20 suffix,
always return http 404 with the suffix.
Murray

-Original Message-
From: Jeff Tulley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 August 2003 02:41
To: [EMAIL PROTECTED]
Subject: RE: security hole on windows tomcat?

So this issue is confusing.  It seems that indeed there IS an issue,
though most cannot see a problem.
Talking to some people off-list, it seems that some think it is a JK2 /
workers2.properties issue.  But I'm pretty sure that others have seen
this going directly to port 8080.
We probably need to take a quick poll:
If you have seen this security problem of being able to view JSP
source, in what scenario(s)?
Tomcat version
OS version
Directly to Tomcat (8080) or through Apache - JK or JK2?
(If you've seen the problem, please include your workers or
workers2.properties file, with a .txt extension)
Browser version(s)
url's where this was seen or not seen
If you have seen this in multiple scenarios, and not in others, please
list each separately.

I have NOT seen it in the following scenarios:

Tomcat 4.1.18, 4.1.24, 4.1.26, 4.1.27
Windows 2000 5.00.2195 Service Pack 4
Directly to port 8080
Internet Explorer 6.0.2800.1106 with all security patches up to date
I tried  http://(url):8080/index.jsp

Re: security hole on windows tomcat?

2003-08-14 Thread Paul Sundling
It's a default tomcat 4.1.24 install on windows XP with no apache.  
You'll note I used port 8080 in my sample, so I'm going directly to 
tomcat.  I went through the web.xml and there is a mapping for *.jsp and 
there is no space.  Even if there were, there's no space in the file itself.

So be sure to mention operating system.  I was only able to recreate it 
on windows, not on linux.

Paul Sundling

Cox, Charlie wrote:

do you have apache on the front end and are you only mapping *.jsp where
*.jsp%20 is not a match and apache would then serve the file as text?
Charlie

 

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?


Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. 
I'm not sure how widespread it is, but my linux server is safe, yet my 
windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code 
instead of displaying the page:

http://192.168.1.54:8080/index.jsp  shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling


Re: security hole on windows Apache - Tomcat?

2003-08-14 Thread Paul Sundling
You actually can do that if you have a servlet on the outside that 
forwards the request to the appropriate JSPs.  A simple example is if 
you use the struts framework; the following is an example of how you 
could use that approach.  I just tested it and it worked fine:

[snip from struts-config.xml]
  <action
   path="/Welcome"
   type="org.apache.struts.actions.ForwardAction"
   parameter="/WEB-INF/inside.jsp"/>
[end snip]
Angus Mezick wrote:

Not at the current late stage of development we are currently in.  I
know, it bites.  I am going to try a trick with RedirectMatch.  Maybe
just redirect them into limbo, I don't know.
 

-Original Message-
From: Ralph Einfeldt [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 13, 2003 11:45 AM
To: Tomcat Users List
Subject: RE: security hole on windows Apache - Tomcat?

Can you arrange your file layout in a way, that the jsp's aren't 
under the document root for apache ? (I guess they are, otherwise
apache couldn't show them)

   

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 5:34 PM
To: Tomcat Users List
Subject: RE: security hole on windows Apache - Tomcat?
I ONLY see the problem in apache.  So I think it is a config problem.

Will the jk2 URI :
[uri:www.SITENAME.org/*.jsp]  catch www.SITENAME.org/index.jsp%20 ?
When I turn on the accessvalve tomcat doesn't see this request.



Re: hardware recommendation, Tomcat with Apache web server

2003-08-14 Thread Paul Sundling
I forgot to point out that in the test where opteron was beating xeon 2 
to 1, it was a 2.8 GHz Xeon losing to a 1.6 GHz Opteron!!!  So with 
almost half the clock speed it was twice as good as a Xeon.  That's 
impressive.

I found some benchmarks that used another app server, but it's the 
same kind of software as tomcat, so it's a good comparison. The clear 
answer is that a new opteron is what you should get and it's LITERALLY 
twice as good in the role of an application server(like tomcat):

http://www.extremetech.com/article2/0,3973,1149817,00.asp

Our most important server test for comparing the Opteron to the Xeon 
in an application server scenario is our 32-bit Nile application 
server benchmark. The test is both CPU and disk-intensive, and it 
emulates a book-ordering transaction-processing environment modeled on 
Amazon.com. The test uses Oracle 9i as the back-end, running on a Xeon 
4P server, and uses BEA WebLogic Server 7.0.2 application server 
software. The BEA application server software runs on the test 
equipment; in this case we loaded it on both the 2P Opteron and 2P 
Xeon systems, with Windows 2000 with SP3 as the OS. 

Results on the Nile benchmark showed the dual Opteron system 
outperforming the dual Xeon by a fairly wide margin. Across a 300 to 
500 virtual user load, where transaction processing stabilized with 
both high disk and CPU utilization, the Xeon averaged 7.6 Pages 
Received per second, and the Opteron averaged 15.2 Pages Received per 
second, double the Xeon. In the response time measurements, at the 200 
user load, average transaction time (start to finish) was 
approximately 34 seconds on the Xeon and 30 seconds on Opteron, but 
moving to 300 users, Opteron stayed at 30 seconds, and Xeon moved to 
50 seconds. At 400 users, Opteron was 35 seconds, and Xeon was near 80 
seconds. And at 500 users Opteron was about 50 seconds, and Xeon was 
near 100 seconds. See Nile Benchmark charts below.

20-30 simultaneous users doesn't sound like much. Personally, I'd love 
to get one of those new Opteron servers! 64 bit processor and when the 
real 64 bit windows becomes available in a couple months it could 
really scream and it'd scale up to huge levels of ram if you ever 
needed it. Or it'd be 64 bit already with linux/bsd/solaris/

[you know you've been programming too long when you almost do Ctrl-s 
(like in eclipse) when you're finished with something instead of 
clicking on send]

Paul wrote:





Re: hardware recommendation, Tomcat with Apache web server

2003-08-14 Thread Paul Sundling
I found some benchmarks that used another app server, but it's the same 
kind of software as tomcat, so it's a good comparison. The clear answer 
is that a new opteron is what you should get and it's LITERALLY twice as 
good in the role of an application server(like tomcat):

http://www.extremetech.com/article2/0,3973,1149817,00.asp

Our most important server test for comparing the Opteron to the Xeon in 
an application server scenario is our 32-bit Nile application server 
benchmark. The test is both CPU and disk-intensive, and it emulates a 
book-ordering transaction-processing environment modeled on Amazon.com. 
The test uses Oracle 9i as the back-end, running on a Xeon 4P server, 
and uses BEA WebLogic Server 7.0.2 application server software. The BEA 
application server software runs on the test equipment; in this case we 
loaded it on both the 2P Opteron and 2P Xeon systems, with Windows 2000 
with SP3 as the OS. 

Results on the Nile benchmark showed the dual Opteron system 
outperforming the dual Xeon by a fairly wide margin. Across a 300 to 500 
virtual user load, where transaction processing stabilized with both 
high disk and CPU utilization, the Xeon averaged 7.6 Pages Received per 
second, and the Opteron averaged 15.2 Pages Received per second, double 
the Xeon. In the response time measurements, at the 200 user load, 
average transaction time (start to finish) was approximately 34 seconds 
on the Xeon and 30 seconds on Opteron, but moving to 300 users, Opteron 
stayed at 30 seconds, and Xeon moved to 50 seconds. At 400 users, 
Opteron was 35 seconds, and Xeon was near 80 seconds. And at 500 users 
Opteron was about 50 seconds, and Xeon was near 100 seconds. See Nile 
Benchmark charts below.

20-30 simultaneous users doesn't sound like much. Personally, I'd love 
to get one of those new Opteron servers! 64 bit processor and when the 
real 64 bit windows becomes available in a couple months it could really 
scream and it'd scale up to huge levels of ram if you ever needed it. Or 
it'd be 64 bit already with linux/bsd/solaris/

[you know you've been programming too long when you almost do Ctrl-s 
(like in eclipse) when you're finished with something instead of 
clicking on send]

Paul wrote:

not sure what the load is going to be ... would be nice to be able to
adequately handle aprox. 20-30 simultaneous users.  Not sure if that answers
your question properly.
-pl
- Original Message - 
From: Cristopher Daniluk [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 4:46 PM
Subject: RE: hardware recommendation, Tomcat with Apache web server

 

What kind of load? Tomcat and Apache don't use anything but a few mb of
ram when you're not doing anything :)
-Original Message-
From: Paul [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 4:35 PM
To: Tomcat Users List
Subject: hardware recommendation, Tomcat with Apache web server
what would be appropriate hardware for a Tomcat with Apache web server
running on Win2k server (for a public OLTP-type web service with
database backend running on its own dedicated machine)?
probably use striped (raid-0) scsi drive system, but not sure if dual
cpu's required, P3, P4 or Xeon system would be appropriate?
-paul lomack







Re: security hole on windows tomcat?

2003-08-14 Thread Paul Sundling
which operating system?

Paul

John Turner wrote:

Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. 
I'm not sure how widespread it is, but my linux server is safe, yet 
my windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code 
instead of displaying the page:

http://192.168.1.54:8080/index.jsp  shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp
So how widespread is this?

Paul Sundling



Re: security hole on windows tomcat?

2003-08-14 Thread Paul Sundling
I never changed the mime-mapping when I installed it.  I run tomcat 
manually or as a manual service.  When I tried running tomcat as an 
automatic service, it had trouble.  The only changes I made were in 
configs specific to webapps.  The problem is present on the unmodified 
examples webapp.  The only two jars I added in the SDK were the JDBC 
drivers for postgres and mysql.

Paul Sundling

Cox, Charlie wrote:

did you change any mime-mappings in conf/web.xml? could you have a jsp in
there somewhere defining it as text?

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:15 PM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?
Ok guys,
What could I have turned on that would have allowed this bug to happen?
I can make it happen in both tomcat and tomcat through apache.  (Most
recent of both)  I can provide a site where it DOES happen so you guys
can see what is happening.

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 12:07 PM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

sorry, I don't know - I don't use Apache. This was just a thought that I
had.

I do not have this problem 4.1.24 on Win2k

Charlie

-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:49 AM
To: Tomcat Users List
Subject: RE: security hole on windows tomcat?
Charlie,  
How do you fix this within apache?

-Original Message-
From: Cox, Charlie [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 10:15 AM
To: 'Tomcat Users List'
Subject: RE: security hole on windows tomcat?

do you have apache on the front end and are you only mapping *.jsp where
*.jsp%20 is not a match and apache would then serve the file as text?

Charlie

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:22 AM
To: Tomcat Users List
Subject: Re: security hole on windows tomcat?


Appending %20 to my Tomcat 4.1.1x URLs generates a 404.

John

Paul Sundling(Webdaddy) wrote:

I came across what appears to be a security hole when running tomcat. 
I'm not sure how widespread it is, but my linux server is safe, yet my 
windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code 
instead of displaying the page:

http://192.168.1.54:8080/index.jsp  shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp

So how widespread is this?

Paul Sundling


security hole on windows tomcat?

2003-08-12 Thread Paul Sundling (Webdaddy)
I came across what appears to be a security hole when running tomcat. 
I'm not sure how widespread it is, but my linux server is safe, yet my 
windows XP, tomcat 4.1.24 is vulnerable.

I found that if you append %20 to a jsp page it shows the source code 
instead of displaying the page:

http://192.168.1.54:8080/index.jsp  shows page as expected
http://192.168.1.54:8080/index.jsp%20 shows source code of index.jsp
So how widespread is this?

Paul Sundling
