RE: standalone production?
What I think you need to consider is the risk of running TC in this manner, dependent on where and what the TC instance is being deployed for. The risk MAY be acceptable if you are intending on running a TC instance internally on an intranet or something similar, as then you only have to worry about internal threats to its operation. (Considering that your external defenses [if you have an external access point] are up to the task of keeping attackers out from the outside.) But let's not forget that a large proportion of attacks do come internally.

If you are running this TC in an internet-facing environment it is generally considered good practice to have a proxy of some sort for the TC instance in a DMZ and have the TC running behind the DMZ protected (hopefully) from most attacks. Putting an application server into the DMZ is generally considered a bad practice due to the impact that can be had should an attacker compromise it (of course dependent on the relative risk of having it there).

Also you need to consider what exactly this TC is doing, and what risk is posed by its operation being modified/destroyed by an attacker and what the impact of such an event could be. Once you know your risk on running it this way then you can decide whether this configuration is "safe" for you or not. Of course you should always aim to reduce your risk (and the exposure caused by the risk) but balanced against the costs of implementing and maintaining a highly secure system.

If you have system admins and whatnot for your production server then they should know a lot about this already and can help you out deciding what to do.

Regards,
Shane.

-Original Message-
From: Justin Jaynes [mailto:[EMAIL PROTECTED]
Sent: Thursday, 27 May 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: standalone production?

Is it considered safe to run tomcat as a stand-alone production server on ports 80 and 443? This requires tomcat to run as root (or so I have read) and it is therefore "not recommended". Using apache forks child processes that run as nobody. But I don't want to use apache.

Again, is it safe to run tomcat as a stand-alone production server on port 80 and 443 as root? Or is there some way to deny root permissions and still use these ports?

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Frames vs Tables, I think Tables are the future! HTML examples please !
I wholeheartedly agree! Frames are bad! I don't expect everyone to agree but they have been nothing but trouble for me... I know we are off topic but frames make me RANT!

My last project forced me to use frames (because that's what the web designers liked) and it was nothing but pain... and dobs of javascript were needed all over the place to make the site work the way that they wanted. And since I was using struts it's not as if a wholly non-frame approach was going to make things harder. Harder for the web designers, most probably but who cares about those people! :)

Regards,
Shane.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 26 May 2004 4:19 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Frames vs Tables, I think Tables are the future! HTML examples please !

Don't use frames, frames are bad! ;-)

> -Original Message-
> From: Ben Bookey [mailto:[EMAIL PROTECTED]
> Sent: 26 May 2004 08:26
> To: Tomcat User List
> Subject: Frames vs Tables, I think Tables are the future!
> HTML examples please !
>
> Dear list,
>
> I think most of us need to have a mechanism where we can have
> multiple elements, "or jsp pages" in our jsp solutions.
>
> We have a web solution based on frames, (and tomcat) and
> have realised that on a normal session time-out, we get 404 on
> some of the frames, and could lead to major confusion (&
> jscript errors) for the user [to be more precise we have a
> data entry tool with a series of buttons in a left frame
> which then load the various jsp pages into the center frame].
>
> Could anyone give me a sample table solution? which runs on
> all browsers. I have read around a little and still not sure
> what the simplest/best/most effective cross-browser solution is.
>
> i.e. Netscape prefers layers, and IE prefers DIV.
>
> Would appreciate any help, and some HTML samples would be great
>
> regards
>
> Ben

RE: session data in Tomcat 5
I am a ZoneAlarm Pro user and when I first ran Tomcat on my desktop (with ZapPro) it sabotaged the cookies that TC was using, and from memory TC started to encode the session id in the URL.

I would recommend looking at the privacy settings in zonelabs to see what it is doing with user identifiable information and particularly cookies. I haven't used Integrity before but it does have the forever troublesome "Privacy and Productivity Features" found in ZapPro. Start with downgrading the level of security for cookies (or set up your local PC to be trusted when it comes to cookies) and things might just get better for you.

Regards,
Shane.

-Original Message-
From: M.Hockings [mailto:[EMAIL PROTECTED]
Sent: Monday, 24 May 2004 11:40 AM
To: Tomcat Users List
Subject: Re: session data in Tomcat 5

Ben Souther wrote:

>>Ah Ben, I don't know if you have kids or not. But y'know how a kid can
>>kinda look at the floor and shuffle their feet when caught doing
>>something stupid. Well, keep that in mind as you read what I figured
>>out...
>>
>
>Believe me, you've nothing to feel stupid about. We've all been there.
>
>One thing to bear in mind, and I've had to tell myself this at least a dozen
>times over the last year, is that there are thousands of people developing
>commercial applications with Tomcat right now. If something fundamental,
>like session handling, were ever to stop working, there would be hundreds of
>posts to this list, all of them complaining about the same thing. Within a
>day, there would be a fix for it. Over the next few days, you would see
>hundreds more complaining about the same bug accompanied by hundreds of posts
>from the likes of Yoav Shapira, Tim Funk, Philip Hanik, (and several others)
>answering the same question over and over again, telling people exactly what
>version to download to fix it. If you don't see that scenario on this list,
>keep looking at your own setup.
>
>I'm glad it's working for you.
>
>-Ben
>
>PS: Did the put the Zone Labs product on the server, or just on your desktop?
>

Thanks Ben. I kept telling myself that it should work just fine, particularly since Tomcat has been one of those things that for me "just works" with little or no tinkering (I like that kinda thing).

The Zone Labs thing is installed on the desktop, when I open its config window it's called "Zone Labs Integrity Desktop". When I click on the help/about link it sends me here http://www.zonelabs.com/store/content/company/corpsales/zapidOverview.jsp

Mike

RE: install4iis.js error
Once upon a time I once wrote:

>Well to tell the complete truth, at my site here we used this open source JK2 IIS installer to do all the nitty gritty for us!
>
> http://www.shiftomat.com/opensource/
>
>It doesn't use the latest version of JK2, but I don't see why a simple dll upgrade shouldn't fix
>that :)
>

Regards,
Shane.

-Original Message-
From: Sasha Borodin [mailto:[EMAIL PROTECTED]
Sent: Thursday, 20 May 2004 11:15 PM
To: Tomcat Users List
Subject: install4iis.js error

I'm getting the following error when running the JavaScript installer for the JK2 ISAPI filter on my W2K box:

"Unable to find Web Server ROOT Directory"

Looking inside the JavaScript, this error is reported here:

    if ((IIsROOT = findADSIObject(IIsWebServer, _IIS_WEBDIR, "ROOT")) == null) {
        ERROR(args, "Unable to find Web Server ROOT direcrory.");
    }

Since I know nothing about windows scripting, I'm at a loss - has anyone encountered this error before when trying to install the JK2 filter?

Thanks,

-Sasha

RE: Disabling Browser Cache of UID / PW
At least in IE, almost anything is possible with the correct ActiveX Control, some bad security settings, or click happy users :)

Regards,
Shane... (happy Mozilla user)

-Original Message-
From: Steven J.Owens [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 19 May 2004 1:32 PM
To: Tomcat Users List
Subject: Re: Disabling Browser Cache of UID / PW

On Fri, May 14, 2004 at 04:13:03PM -0400, Ben Souther wrote:
> > I am under a mandate to disable this caching on a global basis, but I have
> > no idea how. Any ideas out there?
>
> It's interesting that someone would mandate functionality before finding out
> if it's possible. While they were at it they should mandate that Outlook be
> made secure.

Hm... no problem, just do a servlet filter that detects IE and redirects it to a "you must install a secure browser to use this website" page :-).

--
Steven J. Owens
[EMAIL PROTECTED]

"I'm going to make broad, sweeping generalizations and strong, declarative statements, because otherwise I'll be here all night and this document will be four times longer and much less fun to read. Take it all with a grain of salt." - Me at http://darksleep.com

RE: Problem using JMS with Tomcat
Well, seeing your exception stack trace would help and perhaps a manifest of your j2ee.jar file. Otherwise if you included it into your WEB-INF/lib for your webapp that may help, but considering the name of the JAR file, I would be hesitant to use it at all, where did it come from?

If you just need the JMS API Jar file then why not download it as a separate Jar file from java.sun.com, you can find the link to it from here:

http://java.sun.com/products/jms/docs.html

Hopefully your JMS provider isn't in that j2ee.jar file either... not that I know anything about JMS providers...

Regards,
Shane.

-Original Message-
From: Kawthar Bt M Sulaiman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 18 May 2004 4:47 PM
To: [EMAIL PROTECTED]
Subject: Problem using JMS with Tomcat

Hello,

I'm trying to use Sun Messaging Queue. I use javax.jms package in my code. I got the j2ee.jar file and put under tomcat common\lib but this causes a conflict.. my tomcat won't start. If I don't put the jar file there, tomcat starts without any problem. However, my code won't run because cannot find javax.jms classes.

Please advise how I can use javax.jms packages with tomcat.

Thanks,
--Kawthar

RE: I need help: Configure log4j in Tomcat/Windows 2000
The honorable Yoav Shapira once wrote:

>I've added it to the misc page of the tomcat FAQ:
>http://jakarta.apache.org/tomcat/faq/misc.html#commonsLoggingLog4j.
>
>Jake, if you have another explanation of this issue/solutions on a web
>page somewhere, let me know and I'll link that from the above location
>as well.
>
>Yoav Shapira

Regards,
Shane.

-Original Message-
From: Dotterweich Juergen [mailto:[EMAIL PROTECTED]
Sent: Monday, 17 May 2004 5:54 PM
To: '[EMAIL PROTECTED]'
Subject: I need help: Configure log4j in Tomcat/Windows 2000

Hello,

I need to know how to configure the log4j from Tomcat in Windows 2000. What is log4j? I am new with Tomcat.

I have installed "jakarta-slide-2.0-tomcat-4.1.30" with "Axis1_1" under the operating system Windows 2000 and it runs. But I get a WARNING if I start and stop the Tomcat. The WARNING is:

LOG4j:No appender could be found for logger org.apache.common.digester.Digester.sax. Please initialize the log4j system properly.

What should I do that this WARNING never appears and HOW to do this action.

Thanks in advance.

Kind Regards
Jürgen

RE: Tomcat 4: How to get RoleName from LDAP
The way that the JNDIRealm works is dependent on its implementation. Unless there is a configuration item for Tomcat 4.1.27 that allows the comparison to be done on the role name attribute (CN in this case) then you will have to put the full distinguished name into the configuration. I had a quick look at the JNDIRealm doco and I didn't see anything in there that would allow this.

It is strange however that the 4.1.27 implementation takes the roleName attribute that would be used in such a comparison and doesn't use it in the way that might be expected. Because otherwise there is no point in specifying the roleName attribute as it's not required to determine membership of a user to a group through an LDAP search. Of course the doco says it's used as a flag as to whether the userRoleName is used instead.

I would imagine that the rationale of this implementation to use the DN is that the DN is unambiguous and would cater for a strongly hierarchical LDAP tree that may have groups of the same name under different branches, from the starting point of the LDAP search.

Another option of course is to compile your own Tomcat with the required change to the code or implement your own realm security manager. But that's a bit more work :)

But without looking at the source, which I don't have time!, I can only speculate!

Regards,
Shane.

-Original Message-
From: Goerlich, Michael [mailto:[EMAIL PROTECTED]
Sent: Monday, 17 May 2004 3:17 PM
To: [EMAIL PROTECTED]
Subject: Tomcat 4: How to get RoleName from LDAP

Hi,

In my environment I want to authenticate the users against MS Active Directory by JNDI LDAP. The user authentication is ok and also the roles found by getRoles() are the right ones. But the returned roles are given in their complete distinguished name (DN).

In catalina.out:

2004-05-13 11:33:44 JNDIRealm[Standalone]: Found role CN=ERKUSAAdmin,CN=Users,DC=local,DC=bremereb,DC=de

instead of

2004-05-13 11:59:31 JNDIRealm[Catalina]: Found role ERKUSAAdmin

So I have to configure the full DN in web.xml for a security-constraint instead of the pure role name, which is highly undesirable.

I run this on tomcat 4.1.27. The funny thing is that the same configuration on tomcat 5 works.

For completion, here is my realm config (user- and rolebase are the same):

Can anybody tell me how to get the pure assigned role names for an authenticated user?

Thanks

RE: JK2 still broken even in new version 2.0.4 with upload Stream ended unexpectedly error
Oh, far too many bells!

This problem is hellish to diagnose properly because uploads work flawlessly for some and not for others. There isn't a clear reason why. I was one of the unlucky ones. The only solution that worked for my site was to install the JK1.2 connector instead, which worked flawlessly for all the uploads.

Regards,
Shane.

-Original Message-
From: Allistair Crossley [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 May 2004 11:39 PM
To: [EMAIL PROTECTED]
Subject: JK2 still broken even in new version 2.0.4 with upload Stream ended unexpectedly error

Well, since using 2.0.4 this error has been unheard of until today. A user has been trying to upload a document and tried 4 times and constantly got the Stream ended unexpectedly error from JK2 connector.

The document is Word and 140K. I have tested with other users trying to upload this item and there has not been a problem, it seems restricted to this particular user!?

Does this ring any bells for anyone?

Cheers,
Allistair

RE: tomcat, SSL and multiple urls
The SSL protocol demands that the domain recorded within the SSL certificate is the same as the domain thru which the SSL connection is obtained. Otherwise the SSL connection negotiation will fail. This is to avoid the nastiness of hijacking and whatnot.

To use the 2 different domains that you have you will need 2 different SSL certificates, taking into account the limitations in the web server et al to handle multiple SSL certificates for different domains etc. My memory is a little fuzzy on this area as it's been a while since I've had to think about it so take some salt with this :)

Alternatively if you had a redirector or load balancer of some kind sitting in front of your web server you could have an SSL certificate bound to a more generic domain like www.myserver.net, and have the redirector/balancer dish out the requests to www.myserver1.net and www.myserver2.net while still supporting the SSL. I don't know how Tomcat's load balancing works with SSL... But then I'm not a network architect either... so more salt..

Regards,
Shane.

-Original Message-
From: ian [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 May 2004 2:41 PM
To: 'Tomcat Users List'
Subject: tomcat, SSL and multiple urls

Hi.

Is it possible for tomcat to have multiple domain names connecting thru SSL? For example, my tomcat-5.0.19 is hosted on a server with 202.10.11.12 as its public IP. This IP can be accessed thru either www.myserver1.net or www.myserver2.net. All connections can only go thru SSL (https). Is this possible? If so, how do I configure tomcat's keystore?

Thanks in advance.

- ian

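The name check discussed in this thread is performed by the client against the DNS names carried inside the certificate. As an added example (not part of the original thread), the following Python applies that check to certificate dictionaries in the layout returned by `ssl.SSLSocket.getpeercert()`; the three certificates are constructed for illustration and the function names are assumptions made here.

```python
# Added example: hostname-to-certificate matching for the two host names
# asked about in the thread. Certificates below are constructed test data in
# the dict layout that ssl.SSLSocket.getpeercert() returns.

HOSTS = ["www.myserver1.net", "www.myserver2.net"]

# One certificate naming a single host in its subject common name only.
SINGLE_NAME = {"subject": ((("commonName", "www.myserver1.net"),),)}

# One certificate listing both hosts as subjectAltName dNSName entries.
MULTI_NAME = {
    "subject": ((("commonName", "www.myserver1.net"),),),
    "subjectAltName": (("DNS", "www.myserver1.net"), ("DNS", "www.myserver2.net")),
}

# One certificate with a wildcard for a single domain.
WILDCARD = {"subjectAltName": (("DNS", "*.myserver1.net"),)}


def label_match(pattern, hostname):
    """Compare a certificate name with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not h[0]:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and is not
        # accepted directly under a top-level domain ("*.net").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def names_in_cert(cert):
    """Return the DNS names a client would check for this certificate."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        # When dNSName entries exist, the common name is ignored.
        return sans
    # Older clients fall back to the subject common name; current browsers
    # ignore it and require subjectAltName.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_covers(cert, hostname):
    return any(label_match(name, hostname) for name in names_in_cert(cert))


def coverage(cert, hostnames):
    """Map each host name to whether the certificate would be accepted for it."""
    return {host: cert_covers(cert, host) for host in hostnames}


if __name__ == "__main__":
    for label, cert in (("single", SINGLE_NAME), ("multi", MULTI_NAME), ("wildcard", WILDCARD)):
        print(label, coverage(cert, HOSTS))
```
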
RE: JNDIRealm strangeness
Well you have prompted me to respond once more!

Tomcat should not have to do anything to establish an encrypted SSL connection to your LDAP server except pass on the correct parameters to the chosen LDAP driver, and instantiate it. It is the LDAP driver's job to handle all the nasty details of doing the SSL connection, and talking LDAP. That said, some LDAP driver factories do offer extra parameters for configuring SSL parameters beyond the SECURITY_PROTOCOL parameter. (Of course, Tomcat will be issuing the appropriate LDAP queries to do the Realm authentication, etc).

I took a quick look at the Tomcat JNDI Realm configuration document, and it does specify that you can put in your own "contextFactory" so if you have another LDAP driver, other than Sun's reference driver then you could try that out to see if it fixes your problem. I don't know if OpenLDAP provides their own Java LDAP Driver but it's worth a look! Have a hunt around and see what you can find. Technically speaking any driver that implements the LDAP RFCs should be able to talk to any LDAP server that implements the RFCs, but cruel reality often imposes itself :)

But yes, someone should get around to putting in a bug report about that "ldaps" matter :) If it has not already been done that is.

Regards,
Shane.

-Original Message-
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]
Sent: Monday, 10 May 2004 11:53 AM
To: Tomcat Users List
Subject: Re: JNDIRealm strangeness

Hi Shane !

Thanks for your help! After experimenting over the weekend, I think that this is probably a bug in the Tomcat code. I checked and corrected some problems in my OpenLDAP setup, and verified that SSL/TLS connections can be made successfully to it using ldapsearch. When I tried starting up Tomcat again, it gave me the same error. I think Tomcat may not be able to establish an encrypted connection to OpenLDAP. Unencrypted connections on port 389 seem to be ok.

Incidentally, I'm also anal retentive (that, I am told, is a national characteristic of my country), and I tried "ldaps://", but Tomcat will throw a parse error and will not accept the JNDI Realm parameters. They may have fixed it in the just-released 5.0.24, though.

Thanks for your help, again ! I'm not on any specific timetable, so I don't need to fix this soon. I'll direct my question to the Tomcat developers and see if they are aware of the issue.

Regards,
pascal chong

Shane Linley wrote:

>Hi,
>
>What happens on failed connections IS driver specific, but it should NOT BY
>DEFAULT switch to using a non SSL connection, for the sake of security if
>nothing else. The connection should tried to be established, if it fails
>then it should send back the appropriate naming exception. That said drivers
>do accept configuration properties to modify their behaviour, so technically
>anything is possible, based on your drivers documentation.
>
>I have never used OpenLDAP so its error logs don't really mean all that much
>to me, but having done similar things in the past you should look up your
>error codes in the OpenLDAP documentation (but its probably the OpenSSL
>doco) as to what the error codes really mean to work out what the problem
>is. I'm referring specifically to this line (as id does match up to the
>"Request: 1 cancelled") message that the LDAP client driver reports.
>
> May 7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept
>error error=-1 id=0, closing
>
>Thats all I have! Good luck.
>
>Regards,
>Shane.
>
>P.S. The anal retentive part of me still wants you to specify the ldap
>connection as ldaps://server:636 but that is completely besides the point!
>:)
>

RE: JNDIRealm strangeness
Hi,

What happens on failed connections IS driver specific, but it should NOT BY DEFAULT switch to using a non SSL connection, for the sake of security if nothing else. The connection should be tried to be established, if it fails then it should send back the appropriate naming exception. That said drivers do accept configuration properties to modify their behaviour, so technically anything is possible, based on your driver's documentation.

I have never used OpenLDAP so its error logs don't really mean all that much to me, but having done similar things in the past you should look up your error codes in the OpenLDAP documentation (but it's probably the OpenSSL doco) as to what the error codes really mean to work out what the problem is. I'm referring specifically to this line (as it does match up to the "Request: 1 cancelled") message that the LDAP client driver reports.

May 7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing

That's all I have! Good luck.

Regards,
Shane.

P.S. The anal retentive part of me still wants you to specify the ldap connection as ldaps://server:636 but that is completely besides the point! :)

-Original Message-
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]
Sent: Friday, 7 May 2004 8:17 PM
To: Tomcat Users List
Subject: Re: JNDIRealm strangeness

Hi Shane !

Thanks for the description and advice! I managed to finally turn on OpenLDAP logging (a pain in Fedora Core 1), and set the loglevel to 256. Here's what I get. When the Tomcat server starts up, the connection errors seem to be related to port 636 :

May 7 19:51:50 localhost slapd[6049]: conn=4 fd=11 ACCEPT from IP=127.0.0.1:32892 (IP=0.0.0.0:636)
May 7 19:51:50 localhost slapd[6049]: conn=4 fd=11 closed
May 7 19:51:50 localhost slapd[6049]: conn=5 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
May 7 19:51:50 localhost slapd[6049]: conn=5 op=0 BIND dn="" method=128
May 7 19:51:50 localhost slapd[6049]: conn=5 op=0 RESULT tag=97 err=0 text=
May 7 19:52:02 localhost slapd[6049]: conn=6 fd=12 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:636)
May 7 19:52:02 localhost slapd[6049]: conn=6 fd=12 closed
May 7 19:52:02 localhost slapd[6049]: conn=7 fd=12 ACCEPT from IP=127.0.0.1:32897 (IP=0.0.0.0:389)
May 7 19:52:02 localhost slapd[6049]: conn=7 op=0 BIND dn="" method=128
May 7 19:52:02 localhost slapd[6049]: conn=7 op=0 RESULT tag=97 err=0 text=

Bumping up loglevel to 4095, I get these details for the errors on port 636:

May 7 20:03:56 localhost slapd[6346]: connection_read(11): TLS accept error error=-1 id=0, closing
May 7 20:03:56 localhost slapd[6346]: connection_closing: readying conn=0 sd=11 for close
May 7 20:03:56 localhost slapd[6346]: connection_close: conn=0 sd=11

Seems to indicate that there is something wrong with my SSL/TLS connection. But my JNDIRealm still works ! Users can still authenticate successfully. Does the connection fallback to port 389 if a connection on 636 is not possible?

Thanks for the help, Shane ! If you have any further suggestions, I would really appreciate it !

Regards,
pascal chong

Shane Linley wrote:

>Hi,
>
>Knowledge on configuring JNDIRealms security: zip!
>Knowledge on the JNDI LDAP interface: guru!
>
>The root cause: javax.naming.CommunicationException, refers to there being
>an underlying network problem with communicating between the LDAP client,
>and the LDAP server. The message received from the ldap driver: "Request: 1
>cancelled" is the reason as to why this error occured. As can be seen its
>not very helpful. (I've been spoilt on receiving error codes from servers
>and detailed messages and such).
>
>You appear to be using the Sun JNDI LDAP reference implementation, which I
>found to not always offer the best error messages. I cant remember if it has
>any extra logging capabilities (from memory it doesn't) to try and wring
>more information out of the driver, however the key to solving the problem
>may lie elsewhere.
>
>I would recommended turning on the detailed debugging in your LDAP server to
>determine what error it is trying to communicate back to the LDAP driver
>(and if the server is successfully contacted in this first instance), by of
>course inspecting its logs. This approach I have had to use a number of
>times on less than helpful LDAP drivers that don't seem to think good error
>messages are needed. You are trying to use a secure SSL connection to the
>LDAP server, but it does not appear to be SSL related as you normally get a
>specific SSL error back when it is SSL related, usually ugly and unhelpful.
>
>Regards,
>Shane.
>

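The pattern in the slapd log quoted in this thread (a connection on the ldaps port 636 that is closed before any LDAP operation, followed at once by a bind on port 389 from the same client) can be detected mechanically. The following Python is an added example, not part of the original thread; the first ten sample lines are copied from the log excerpt above, while the last three lines, the function names and the 5-second pairing window are assumptions made here.

```python
# Added example: flag clients whose LDAPS attempt is followed by a
# cleartext bind, using slapd "stats" (loglevel 256) log lines.
import re
from datetime import datetime, timedelta

# Lines copied from the log excerpt in the thread.
PAGE_LINES = """\
May 7 19:51:50 localhost slapd[6049]: conn=4 fd=11 ACCEPT from IP=127.0.0.1:32892 (IP=0.0.0.0:636)
May 7 19:51:50 localhost slapd[6049]: conn=4 fd=11 closed
May 7 19:51:50 localhost slapd[6049]: conn=5 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
May 7 19:51:50 localhost slapd[6049]: conn=5 op=0 BIND dn="" method=128
May 7 19:51:50 localhost slapd[6049]: conn=5 op=0 RESULT tag=97 err=0 text=
May 7 19:52:02 localhost slapd[6049]: conn=6 fd=12 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:636)
May 7 19:52:02 localhost slapd[6049]: conn=6 fd=12 closed
May 7 19:52:02 localhost slapd[6049]: conn=7 fd=12 ACCEPT from IP=127.0.0.1:32897 (IP=0.0.0.0:389)
May 7 19:52:02 localhost slapd[6049]: conn=7 op=0 BIND dn="" method=128
May 7 19:52:02 localhost slapd[6049]: conn=7 op=0 RESULT tag=97 err=0 text=
"""

# Constructed control case: an LDAPS connection that does carry an operation.
CONSTRUCTED_LINES = """\
May 7 19:53:00 localhost slapd[6049]: conn=8 fd=12 ACCEPT from IP=127.0.0.1:32899 (IP=0.0.0.0:636)
May 7 19:53:00 localhost slapd[6049]: conn=8 op=0 BIND dn="cn=app,dc=example,dc=com" method=128
May 7 19:53:00 localhost slapd[6049]: conn=8 fd=12 closed
"""

SAMPLE_LOG = PAGE_LINES + CONSTRUCTED_LINES

LINE = re.compile(r'^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+slapd\[(\d+)\]:\s+conn=(\d+)\s+(.*)$')
ACCEPT = re.compile(r'fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)')
BIND = re.compile(r'op=\d+ BIND dn="([^"]*)" method=(\d+)')
CLOSED = re.compile(r'fd=\d+ closed')


def parse_connections(log_text, year=2004):
    """Build one record per (slapd pid, conn id). Syslog omits the year."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        key = (m.group(2), int(m.group(3)))
        rest = m.group(4)
        accepted = ACCEPT.match(rest)
        if accepted:
            conns[key] = {"conn": key[1], "client": accepted.group(1),
                          "port": int(accepted.group(2)), "accepted": stamp,
                          "saw_op": False, "bind_dn": None, "closed": False}
            continue
        record = conns.get(key)
        if record is None:
            continue  # line for a connection whose ACCEPT we never saw
        if rest.startswith("op="):
            record["saw_op"] = True
            bind = BIND.match(rest)
            if bind:
                record["bind_dn"] = bind.group(1)
        elif CLOSED.match(rest):
            record["closed"] = True
    return conns


def find_cleartext_fallbacks(conns, window=timedelta(seconds=5)):
    """Pair each op-less LDAPS connection with a later cleartext bind."""
    findings = []
    records = list(conns.values())
    for tls in records:
        # Closed on 636 with no operation: consistent with a failed handshake.
        if tls["port"] != 636 or not tls["closed"] or tls["saw_op"]:
            continue
        for plain in records:
            delay = plain["accepted"] - tls["accepted"]
            if (plain["port"] == 389 and plain["client"] == tls["client"]
                    and plain["bind_dn"] is not None
                    and timedelta(0) <= delay <= window):
                findings.append({"client": tls["client"],
                                 "ldaps_conn": tls["conn"],
                                 "plain_conn": plain["conn"],
                                 "anonymous": plain["bind_dn"] == ""})
                break
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_fallbacks(parse_connections(SAMPLE_LOG)):
        print(finding)
```
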
RE: Tomcat 5 JK2 and IIS 5
Well to tell the complete truth, at my site here we used this open source JK2 IIS installer to do all the nitty gritty for us!

http://www.shiftomat.com/opensource/

It doesn't use the latest version of JK2, but I don't see why a simple dll upgrade shouldn't fix that :)

This is the easiest way I've seen to install JK2... Otherwise I know of no other way to help you at the moment...

shane..

-Original Message-
From: Raymond Blum [mailto:[EMAIL PROTECTED]
Sent: Friday, 7 May 2004 8:23 PM
To: Tomcat Users List
Subject: Re: Tomcat 5 JK2 and IIS 5

Yes, I am running the ajp connectors at 8009, the 8018 is where Tomcat is listening for HTTP requests instead of the default of 8080

I do have the entry you describe below

---Raymond

On May 7, 2004, at 3:59 AM, Shane Linley wrote:

> From memory, Tomcat runs the default ajp13 connector off of port 8009
> not
> 8080 which is the default HTTP connector port. Your worker2.properties
> file
> should specify to use port 8009 for your ajp13 connector and not 8018.
>
> In your server.xml file look for an entry similar to:
>
>
> enableLookups="false" redirectPort="8443" debug="0"
> protocol="AJP/1.3" />
>
> to see what port your ajp13 connector is listening on.
>
> Regards,
> Shane.
>
> -Original Message-
> From: Raymond Blum [mailto:[EMAIL PROTECTED]
> Sent: Friday, 7 May 2004 12:00 PM
> To: Tomcat Users List
> Subject: Tomcat 5 JK2 and IIS 5
>
>
> Hi
> I am struggling to get IIS 5.0 to pass off JSP and servlet context
> requests to tomcat 5.0.19 under Windows 2000. I have downloaded and
> installed what I believe to be a usable copy of isapi_redirector2.dll
> and have configured the virtual directory Jakarta under one of the web
> servers in my IIS server.
>
> Tomcat is running at 8018, not 8080
>
> I can get to XXX.XXX.XXX.XXX:8018/servlet-examples/ just fine
> I map /servlet-examples/* to tomcat in workers2.properties and then I
> try the following
> XXX.XXX.XXX.XXX/servlet-examples
>
> which yields the response
> The servlet container is temporary unavailable or being upgraded
>
> (I have found that this message seems to come from mod_jk and it only
> is received in response to one of my mapped server paths, so I assume
> that the URI mapping is being successfully interpreted and that the
> problem is in my Tomcat and/or workers configuration)
>
> I portscan the machine at XXX.XXX.XXX.XXX and port 8009 is open so I
> assume that tomcat is there and listening.
>
> Any tips greatly appreciated! I have searched the archives and googled
> this a dozen ways.
> ---Raymond
>

RE: JNDIRealm strangeness
Hi,

Knowledge on configuring JNDIRealms security: zip!
Knowledge on the JNDI LDAP interface: guru!

The root cause: javax.naming.CommunicationException, refers to there being an underlying network problem with communicating between the LDAP client, and the LDAP server. The message received from the ldap driver: "Request: 1 cancelled" is the reason as to why this error occurred. As can be seen it's not very helpful. (I've been spoilt on receiving error codes from servers and detailed messages and such).

You appear to be using the Sun JNDI LDAP reference implementation, which I found to not always offer the best error messages. I can't remember if it has any extra logging capabilities (from memory it doesn't) to try and wring more information out of the driver, however the key to solving the problem may lie elsewhere.

I would recommend turning on the detailed debugging in your LDAP server to determine what error it is trying to communicate back to the LDAP driver (and if the server is successfully contacted in this first instance), by of course inspecting its logs. This approach I have had to use a number of times on less than helpful LDAP drivers that don't seem to think good error messages are needed. You are trying to use a secure SSL connection to the LDAP server, but it does not appear to be SSL related as you normally get a specific SSL error back when it is SSL related, usually ugly and unhelpful.

Regards,
Shane.

-----Original Message-----
From: Chong Yu Meng [mailto:[EMAIL PROTECTED]
Sent: Friday, 7 May 2004 4:32 PM
To: Tomcat Users List
Subject: JNDIRealm strangeness

Hi All !

I wonder if anyone has seen this anomaly, when following my instructions on setting up a JNDIRealm, on my website (http://cymulacrum.net/writings/adv_tomcat/c487.html). I wrote these instructions after version 5.0.19 of Tomcat came out and fixed the character encoding issue in the JNDIRealm. In my document I described how to :

1. Setup OpenLDAP so it runs with SSL/TLS enabled
2. Setup Tomcat's JNDIRealm so that it communicates with ldap://localhost:636, the secure port instead of 389.

I never noticed anything strange, because my JNDIRealm setup seemed to work fine, but when I tried to put SecurityFilter on, I found an error. Thinking that it was probably SecurityFilter, I looked at the logfiles, and I was surprised to find that, even before I had installed SecurityFilter, there was that same error being logged inside catalina.out. I just never bothered to look before because everything seemed to be running fine.

Here's what the error looks like. It only occurs on startup, all LDAP operations work fine with no errors:

JNDIRealm[Catalina]: Connecting to URL ldap://localhost:636
JNDIRealm[Catalina]: Exception performing authentication
javax.naming.CommunicationException: Request: 1 cancelled
    at com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:76)
    at com.sun.jndi.ldap.Connection.readReply(Connection.java:433)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:356)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:187)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2615)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:208)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:674)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:256)
    at javax.naming.InitialContext.init(InitialContext.java:232)
    at javax.naming.InitialContext.<init>(InitialContext.java:208)

I'm not really sure where to begin, or even if it is significant (since LDAP authentication still works). If you want to repeat this error for yourself, you can follow the instructions on my web page.

Any help would be greatly appreciated !

Regards,
pascal chong
RE: Tomcat 5 JK2 and IIS 5
From memory, Tomcat runs the default ajp13 connector off of port 8009 not 8080 which is the default HTTP connector port. Your workers2.properties file should specify to use port 8009 for your ajp13 connector and not 8018.

In your server.xml file look for an entry similar to: to see what port your ajp13 connector is listening on.

Regards,
Shane.

-----Original Message-----
From: Raymond Blum [mailto:[EMAIL PROTECTED]
Sent: Friday, 7 May 2004 12:00 PM
To: Tomcat Users List
Subject: Tomcat 5 JK2 and IIS 5

Hi

I am struggling to get IIS 5.0 to pass off JSP and servlet context requests to tomcat 5.0.19 under Windows 2000. I have downloaded and installed what I believe to be a usable copy of isapi_redirector2.dll and have configured the virtual directory Jakarta under one of the web servers in my IIS server.

Tomcat is running at 8018, not 8080

I can get to XXX.XXX.XXX.XXX:8018/servlet-examples/ just fine
I map /servlet-examples/* to tomcat in workers2.properties and then I try the following
XXX.XXX.XXX.XXX/servlet-examples

which yields the response
The servlet container is temporary unavailable or being upgraded

(I have found that this message seems to come from mod_jk and it only is received in response to one of my mapped server paths, so I assume that the URI mapping is being successfully interpreted and that the problem is in my Tomcat and/or workers configuration)

I portscan the machine at XXX.XXX.XXX.XXX and port 8009 is open so I assume that tomcat is there and listening.

Any tips greatly appreciated! I have searched the archives and googled this a dozen ways.
---Raymond
RE: Help with manager app
I am by no means a network configuration specialist, so take what I say with a grain of salt :)

You haven't mentioned how Tomcat is accessed from the internet, such as do you have an Apache or IIS server acting as a proxy/redirector to tomcat, or whether tomcat itself is internet facing.

If you have a separate web server in front of tomcat, then the web server only needs to be configured with the URIs to pass through to tomcat for your web application AND NOT specify those URIs for the manager app. That way you can access the manager app from the internal network by directly going to tomcat, but the external internet users will never be able to access it, because no path exists to it for them.

If however your tomcat is internet facing (not an option I would recommend) then I wouldn't know how you should properly deal with that. At least have a good password :)

Regards,
Shane

-----Original Message-----
From: Richard S. Huntrods [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 4 May 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: Help with manager app

I have a rather urgent problem. I have been using tomcat for several years now, and normally weather the upgrades with some few problems, but nothing serious - until now.

My problem - in the old Tomcat, I used the manager application to monitor the number of users accessing the system. In the old version, I had it set up so that external requests could NOT see the manager, ever.

Now, under the new Tomcat, the manager app has changed. Today I also noticed that it is also available to the internet.

How do I restrict access to the manager application to the local network - i.e. how do I turn off internet access to the manager app?

Thanks in advance,
-Richard
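The reply above suggests that the front web server should forward only the web application's URIs, so that no path to the manager app exists for outside users. The following Python audit of a JK2 workers2.properties file checks that property; it is an added example, not code from the thread or from the Tomcat project, and the sample file contents, the function names, the /admin entry and the glob-based approximation of JK2's URI matching are assumptions made for illustration.

```python
import fnmatch
import re

# Context paths that must not be reachable through the front web server.
# Assumption: /manager is the app from the thread; /admin is added for illustration.
PROTECTED = ("/manager", "/admin")
URI_SECTION = re.compile(r"^\[uri:([^\]]+)\]\s*$")

def uri_mappings(text):
    """Return the patterns of all [uri:...] sections in a workers2.properties text."""
    found = []
    for line in text.splitlines():
        m = URI_SECTION.match(line.strip())
        if m:
            found.append(m.group(1))
    return found

def exposed_mappings(text, protected=PROTECTED):
    """List (pattern, prefix) pairs where a mapping forwards a protected path.

    JK2's matching is approximated with shell-style globbing (an assumption),
    which errs on the side of flagging.
    """
    findings = []
    for pattern in uri_mappings(text):
        # Drop a virtual-host prefix such as "www.example.com" before the path.
        path = pattern[pattern.find("/"):] if "/" in pattern else pattern
        for prefix in protected:
            probes = (prefix, prefix + "/", prefix + "/html/list", prefix + "/index.jsp")
            inside = path == prefix or path.startswith(prefix + "/")
            if inside or any(fnmatch.fnmatchcase(p, path) for p in probes):
                findings.append((pattern, prefix))
    return findings

# Constructed samples, not taken from the thread.
COMMON = """\
[channel.socket:localhost:8009]
port=8009
host=127.0.0.1

[ajp13:localhost:8009]
channel=channel.socket:localhost:8009
"""
WEAK = COMMON + "\n[uri:/*]\nworker=ajp13:localhost:8009\n"
STRICT = COMMON + "\n[uri:/servlet-examples/*]\nworker=ajp13:localhost:8009\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("strict", STRICT)):
        print(name, exposed_mappings(conf) or "no protected path is forwarded")
```

A catch-all or extension mapping is flagged because it forwards manager requests along with everything else; only mappings confined to the application's own context pass.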
RE: EL Configuration problem
I had a similar problem which I overcame with lots of reading and some guesswork. BTW I'm using the Sun supplied JSTL... I'm running on Tomcat 5.0.19

In your JSP directives you will need to declare:

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

Your web.xml for your web-app declaration will need to reference the correct version of the J2EE schemas. Here is mine:

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee web-app_2_4.xsd"
    version="2.4">

Of course I wanted to make sure EL was enabled as did you:

Property group for common configuration for all the JSP's *.jsp false false

Don't forget to throw in your JSTL jar files, um jstl.jar and standard.jar from what I remember, into the WEB-INF/lib directory.

Regards,
Shane.

-----Original Message-----
From: Chanan Braunstein [mailto:[EMAIL PROTECTED]
Sent: Thursday, 22 April 2004 4:11 AM
To: 'Tomcat Users List'
Subject: EL Configuration problem

Hello,

Using Tomcat 5.0.19 I cannot get EL to work in my webapp (It works fine in jsp-examples). I checked the version of web.xml to make sure it is 2.4 and I added to be safe:

*.jsp false

But, all I get is the EL text back at me.
RE: windows service vs. startup.bat
Hi,

I place my log4j.properties file for my webapp in the WEB-INF/classes directory where it will be picked up in the classpath by log4j. My Tomcat runs as a service and the logging works as expected for my Webapp.

Regards,
Shane.

-----Original Message-----
From: John MccLain [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 March 2004 8:36 AM
To: Tomcat user list
Subject: windows service vs. startup.bat

I am using Log4J in my webapp. I have modified setclasspath.bat so that I include the path to log4j.properties in my classpath. When I run startup.bat, all is well and I get logging. HOWEVER, when I run tomcat from my service manager (the way I wish to run it), I get no logging, and I get an error message indicating tomcat could not find my log4j.properties file. I then said 'OK, just put it in my systems classpath variable. It still did not work. How do I setup Tomcat so that when I run it as a service, it includes my classpath