Connector problem

2008-09-22 Thread Mathias P.W Nilsson

Hi!

I have this setup in my server.xml

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="c:/keystore"
           keystorePass="pass" />

<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true"
      xmlValidation="false" xmlNamespaceAware="false">
  <Alias>www.alias1.se</Alias>
  <Alias>www.alias1.com</Alias>
  <Alias>www.alias2.com</Alias>
</Host>


How can I install a connector for each site on the 443 port? My application
is running under ROOT.war. Hibernate is not glad if I run multiple instances.

Now I have an SSL certificate for each alias. How can I get this running?

-- 
View this message in context: 
http://www.nabble.com/Connector-problem-tp19603189p19603189.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: tomcat5.5 and ubuntu hardy heron

2008-09-22 Thread Marcus Better
wwuster wrote:
> In usr/share/tomcat5.5-webapps I don't see a manager subdirectory.

You need the tomcat5.5-admin package.

Cheers,

Marcus






Re: Connector problem

2008-09-22 Thread Mark Thomas
Mathias P.W Nilsson wrote:
> Hi!
>
> I have this setup in my server.xml
>
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="c:/keystore"
>            keystorePass="pass" />
>
> <Host name="localhost" appBase="webapps"
>       unpackWARs="true" autoDeploy="true"
>       xmlValidation="false" xmlNamespaceAware="false">
>   <Alias>www.alias1.se</Alias>
>   <Alias>www.alias1.com</Alias>
>   <Alias>www.alias2.com</Alias>
> </Host>
>
> How can I install a connector for each site on the 443 port? My application
> is running under ROOT.war. Hibernate is not glad if I run multiple instances.
>
> Now I have an SSL certificate for each alias. How can I get this running?

You can't. You can only have one certificate per connector. In some cases
you might be able to use a wildcard cert (*.foo.bar) but that doesn't look
like it will work for you.

Options:
 - pick one of the domains to be the main domain and then redirect all the
others to that one
 - install multiple connectors on different port/ip combinations

Mark







HTTPS and Virtual Hosts

2008-09-22 Thread André Warnier

Hi.

I'm not an expert at anything below, that's why I am asking.
I am also not looking for a very precise answer, just a rough summary.

The question :

As I remember from reading about this a while ago, there is/was a 
fundamental incompatibility between the HTTP Virtual Host mechanism, and 
HTTPS/SSL, in the sense that there is some egg-and-chicken problem 
involved, which roughly goes like this :
- the client connects to the host and requests an encrypted connection 
to a certain hostname
- the host and client negotiate the encryption (based or not on the name 
of the host)
- on subsequent requests, the client sends the request encrypted, 
including the Host: header that (according to the HTTP protocol) should 
indicate the name of the Virtual Host it wants to talk to
- the server should decode the request (including this Host: HTTP 
header) in order to determine which Host the request is addressed to, 
but it can't because it does not know which host it is yet, and thus 
cannot decode the request

- we are thus stuck

Is the above, very roughly and approximately still a valid explanation 
of what happens, or is it totally wrong, or has something changed 
in-between that I am unaware of ?


Thanks






RE: HTTPS and Virtual Hosts

2008-09-22 Thread Peter Crowther
> From: André Warnier [mailto:[EMAIL PROTECTED]
> As I remember from reading about this a while ago, there is/was a
> fundamental incompatibility between the HTTP Virtual Host mechanism, and
> HTTPS/SSL, in the sense that there is some egg-and-chicken problem
> involved, which roughly goes like this :
> - the client connects to the host and requests an encrypted connection
> to a certain hostname

Almost.  The client connects to the host on a given IP address and port, which 
requires an encrypted connection.  No hostname is transferred at this point, as 
encryption must happen first.

> - the host and client negotiate the encryption (based or not
> on the name of the host)

Based on the certificate that the host sends to the client as part of 
negotiating the encryption.  That certificate contains the common name of the 
host (or occasionally a wildcard name such as *.melandra.com).  The client 
should be suspicious if the common name in the certificate does not match the 
hostname the client thinks it sent the request to.

Therefore, the host cannot know to which virtual host the client wishes to 
connect when it sends the certificate.

Therefore, the host cannot send the right certificate unless all requests to 
a given hostname and port are designed to use the same certificate.

Therefore, virtual hosting using SSL is a problem.

> Is the above, very roughly and approximately still a valid explanation
> of what happens, or is it totally wrong, or has something changed
> in-between that I am unaware of ?

It's close, but the problem occurs at an earlier step than you outline :-).

- Peter




[OT] RE: HTTPS and Virtual Hosts

2008-09-22 Thread Peter Crowther
> From: Ognjen Blagojevic [mailto:[EMAIL PROTECTED]
> For instance, you
> could put 2 or more network cards in the server, and then
> configure one virtual host for each of these cards.

Or configure multiple IP addresses on one card - almost all operating systems 
these days allow multiple IP addresses on one adapter.  Cheaper, and you don't 
run out of card slots so fast :-).

- Peter




Re: HTTPS and Virtual Hosts

2008-09-22 Thread Ognjen Blagojevic

André Warnier wrote:
> Is the above, very roughly and approximately still a valid explanation
> of what happens, or is it totally wrong, or has something changed
> in-between that I am unaware of ?


Yes, that's about it. Here is the official explanation:

  http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

The workaround is also proposed. You can use different ports or IP 
addresses for different SSL enabled virtual hosts. For instance, you 
could put 2 or more network cards in the server, and then configure one 
virtual host for each of these cards.


-Ognjen




Re: HTTPS and Virtual Hosts

2008-09-22 Thread Mark Thomas
Ognjen Blagojevic wrote:
> André Warnier wrote:
>> Is the above, very roughly and approximately still a valid
>> explanation of what happens, or is it totally wrong, or has something
>> changed in-between that I am unaware of ?
>
> Yes, that's about it. Here is the official explanation:
>
>   http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>
> The workaround is also proposed. You can use different ports or IP
> addresses for different SSL enabled virtual hosts. For instance, you
> could put 2 or more network cards in the server, and then configure one
> virtual host for each of these cards.

You do not need multiple NICs to support multiple IP addresses. You can
quite happily configure a NIC with multiple IP addresses.

Mark






Re: [OT] RE: HTTPS and Virtual Hosts

2008-09-22 Thread Ognjen Blagojevic

Peter Crowther wrote:
> Or configure multiple IP addresses on one card - almost all operating systems
> these days allow multiple IP addresses on one adapter.  Cheaper, and you don't
> run out of card slots so fast :-).


Didn't know that. That's definitely better.

-Ognjen




RE: jstack and Tomcat 6 on Windows

2008-09-22 Thread Surendrakumar Viswanathan -X (suviswan - HCL at Cisco)
Check Eclipse Memory Analyzer Tool www.eclipse.org/mat/. This is an
alternative to JMAP, but it can parse the hprof file faster and has a
very visual GUI.

Thanks
Suren 

> -----Original Message-----
> From: Johnny Kewl [mailto:[EMAIL PROTECTED]
> Sent: Saturday, September 20, 2008 4:40 PM
> To: Tomcat Users List
> Subject: Re: jstack and Tomcat 6 on Windows
>
>> Thanks everyone for their suggestions.
>>
>> Unfortunately, that doesn't help me with my particular issue. I have
>> a memory leak in one of my apps, and when the system runs out of
>> memory, it stops responding to new requests. I have a script that
>> will detect this condition and automatically restart Tomcat. I was
>> hoping to add a jstack command to this script to give me a thread
>> dump prior to restarting Tomcat to give me better troubleshooting
>> information. Your solution would work under normal circumstances, but
>> I don't know how to script a ctrl+break. ;-)
>
> OK... I couldn't resist giving it a little go... JHat is
> exactly what you're looking for...
> http://weblogs.java.net/blog/jfarcand/archive/2006/02/using_mustangs.html
>
> Well done Sun... it's exactly what I've been looking for...
>
> Let the server run a little do a dump, run the server and
> then from the browser to the HIST option...
>
> The highest non Sun class... webapp class... is going to be
> the bad guy ;)
>
> Damn that's nice...
>
> ---
> HARBOR : http://www.kewlstuff.co.za/index.htm
> The most powerful application server on earth.
> The only real POJO Application Server.
> See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
> ---




RE: jstack and Tomcat 6 on Windows

2008-09-22 Thread Surendrakumar Viswanathan -X (suviswan - HCL at Cisco)
OOPS, it's an alternative to JHAT and not JMAP.

Suren 

> -----Original Message-----
> From: Surendrakumar Viswanathan -X (suviswan - HCL at Cisco)
> Sent: Monday, September 22, 2008 3:25 PM
> To: 'Tomcat Users List'
> Subject: RE: jstack and Tomcat 6 on Windows
>
> Check Eclipse Memory Analyzer Tool www.eclipse.org/mat/. This
> is an alternative to JMAP, but it can parse the hprof file faster
> and has a very visual GUI.
>
> Thanks
> Suren
 



Cannot see cluster MBean

2008-09-22 Thread Landry Stephane Zeng Eyindanga

Hi all,
Here I come again. Can anyone help me please? I am working on an 
application that uses Tomcat clusters (Tomcat 6).
I followed all the steps in the clustering guide 
(http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html). I see all 
the MBeans but not the cluster MBean. Is it a bug? Is this MBean still 
registered in Tomcat 6?

This is my cluster configuration:

<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
         channelSendOptions="8">

  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           expireSessionsOnShutdown="false"
           notifyListenersOnReplication="true"/>

  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                address="228.0.0.4"
                port="45564"
                frequency="500"
                dropTime="3000"/>
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="auto"
              port="4000"
              autoBind="100"
              selectorTimeout="5000"
              maxThreads="6"/>

    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
  </Channel>

  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
         filter=""/>
  <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>

  <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
            tempDir="/tmp/war-temp/"
            deployDir="/tmp/war-deploy/"
            watchDir="/tmp/war-listen/"
            watchEnabled="false"/>

  <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>


Thanks







Re: Connector problem

2008-09-22 Thread Mathias P.W Nilsson

OK!

What would that setup look like?

Let's say I want a user to access the website in this fashion

https://www.domain1.com ( SSL from thawte )
https://www.domain2.com ( SSL from thawte )
https://www.domain1.se ( SSL from thawte )

What would I have to do to make this work? I only have one server that is
running tomcat 6. 

I would like to keep the settings in server.xml if that is possible. I read
on some other thread that you could use different ports for the connector.
How does this fit in the picture of letting the user enter https://? The
user would not know the port to connect to.

// Mathias
-- 
View this message in context: 
http://www.nabble.com/Connector-problem-tp19603189p19604968.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: HTTPS and Virtual Hosts

2008-09-22 Thread Johnny Kewl


----- Original Message -----
From: André Warnier [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, September 22, 2008 10:57 AM
Subject: HTTPS and Virtual Hosts



Hi.

I'm not an expert at anything below, that's why I am asking.
I am also not looking for a very precise answer, just a rough summary.

The question :

As I remember from reading about this a while ago, there is/was a 
fundamental incompatibility between the HTTP Virtual Host mechanism, and 
HTTPS/SSL, in the sense that there is some egg-and-chicken problem 
involved, which roughly goes like this :
- the client connects to the host and requests an encrypted connection to 
a certain hostname
- the host and client negotiate the encryption (based or not on the name 
of the host)
- on subsequent requests, the client sends the request encrypted, 
including the Host: header that (according to the HTTP protocol) should 
indicate the name of the Virtual Host it wants to talk to
- the server should decode the request (including this Host: HTTP 
header) in order to determine which Host the request is addressed to, but 
it can't because it does not know which host it is yet, and thus cannot 
decode the request

- we are thus stuck

Is the above, very roughly and approximately still a valid explanation 
of what happens, or is it totally wrong, or has something changed 
in-between that I am unaware of ?


Thanks


--

Mmm yes... kinda

Andre, check out the handshake in SSL...
Keeping it very conceptual... the secure system between a browser and server 
is owned by Verisign, or GoDaddy, or whatever CA.

And it is checking a few things...
Like the domain name used and the expiry date...

So when you buy a cert and give them www.andre.com
That's it...

This is because the cert is pulled (checked) during the handshake... and 
host headers only come later...

That's the official version of the story, but I actually can't see any 
reason why the handshake couldn't be extended to look at the incoming URL... 
other than people would start doing server tricks and making extra free 
certs ;)

I conclude... it's more about biz than it is about technology... 
certificates are sold per domain... this is the real issue ;)

It's actually interesting, because when we were making the Pojo server, this 
issue came up... especially because we want to give the company using the 
system the ability to be a CA... so we dropped the domain check, and then 
the only condition on the server is that the administrator knows the private 
key...
... clearly a really crap biz model because one can use the certs on a 
million servers... but an interesting thing happens...

... virtual hosts are NOT an issue
... It's secure on any port

Ha ha... it's about the biz model I believe ;)

Hell, they got to make money and it is beeg bucks... a local 
chap made a cool 3 billion dollars out of his CA ;)

Yup... I think it's about biz ;)

---
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---








RE: Connector problem

2008-09-22 Thread Peter Crowther
> From: Mathias P.W Nilsson [mailto:[EMAIL PROTECTED]
> Let's say I want a user to access the website in this fashion
>
> https://www.domain1.com ( SSL from thawte )
> https://www.domain2.com ( SSL from thawte )
> https://www.domain1.se ( SSL from thawte )
>
> What would I have to do to make this work? I only have one
> server that is running tomcat 6.

You would have to:

- Obtain and set up 3 different IP addresses for the server;

- Set up DNS to point www.domain1.com to one of the IP addresses, 
www.domain2.com to another, and www.domain1.se to the third.

- Configure 3 different Host elements in your server.xml, each for one of the 
secure domains;

- Configure each Host to use the appropriate certificate from your 
keystore(s).  This is no harder than configuring one Host for SSL, you just 
need to do it three times :-).

- Peter




RE: HTTPS and Virtual Hosts

2008-09-22 Thread Peter Crowther
> From: Johnny Kewl [mailto:[EMAIL PROTECTED]
> I actually can't see any
> reason why the handshake couldn't be extended to look at the
> incoming URL...

Because the URL (or at least the host header) would have to be sent over the 
wire in cleartext, as it's before the encrypted connection is negotiated.  This 
is an information disclosure vulnerability.

- Peter




RE: Connector problem

2008-09-22 Thread Mathias P.W Nilsson

Ok thanks!

The problem is that I need the host to run under the same tomcat instance.

When a user accesses www.domain1.se then I read the HTTPServletRequest host
name to see what site he/she wants to access. This is because I do not want
3 hibernate accesses to the same database because that won't work. I would
get a lot of exceptions from hibernate if an entity is changed in one domain
and not the other.

So, can I set up the server in the way I have done now? If I use 3 different
hosts, how can this point to the same war file without loading the war file
twice?
-- 
View this message in context: 
http://www.nabble.com/Connector-problem-tp19603189p19605213.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: HTTPS and Virtual Hosts

2008-09-22 Thread André Warnier

Mark Thomas wrote:
> Ognjen Blagojevic wrote:
>> André Warnier wrote:
>>> Is the above, very roughly and approximately still a valid
>>> explanation of what happens, or is it totally wrong, or has something
>>> changed in-between that I am unaware of ?
>>
>> Yes, that's about it. Here is the official explanation:
>>
>>   http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>>
>> The workaround is also proposed. You can use different ports or IP
>> addresses for different SSL enabled virtual hosts. For instance, you
>> could put 2 or more network cards in the server, and then configure one
>> virtual host for each of these cards.
>
> You do not need multiple NICs to support multiple IP addresses. You can
> quite happily configure a NIC with multiple IP addresses.


All right.
Thanks to everyone for the answers and references.
This was also linked to another thread Re. Connector problem, for 
which I am also interested in the practical solution.


Now, a follow-up question :

I seem to remember that there was talk about a scheme or a protocol that 
would allow (very roughly) a client/server pair to start a session using 
HTTP (not SSL), negotiate, then in the course of the session upgrade 
this link to HTTPS.  And that this somehow could be a solution to the 
Virtual Host issue under HTTPS.

Am I dreaming this up, or does there exist something in that general area ?





RE: Connector problem

2008-09-22 Thread Peter Crowther
> From: Mathias P.W Nilsson [mailto:[EMAIL PROTECTED]
> When a user accesses www.domain1.se then I read the HTTPServletRequest host
> name to see what site he/she wants to access. This is because I do not want
> 3 hibernate accesses to the same database because that won't work. I would
> get a lot of exceptions from hibernate if an entity is changed in one domain
> and not the other.
>
> So, can I set up the server in the way I have done now? If I use 3 different
> hosts, how can this point to the same war file without
> loading the war file twice?

I am not aware of any way of doing this, unless you re-architect the 
application so that all Hibernate access is done in classes that are only 
loaded once.  However, I'm not a Tomcat expert and there may be ways round the 
problem!

- Peter




RE: HTTPS and Virtual Hosts

2008-09-22 Thread Peter Crowther
> From: André Warnier [mailto:[EMAIL PROTECTED]
> I seem to remember that there was talk about a scheme or a protocol that
> would allow (very roughly) a client/server pair to start a session using
> HTTP (not SSL), negotiate, then in the course of the session upgrade
> this link to HTTPS.  And that this somehow could be a solution to the
> Virtual Host issue under HTTPS.
> Am I dreaming this up, or does there exist something in that
> general area ?

I've no idea whether such a protocol exists today; however, the current set of 
browsers don't appear to support such a beast.  It might be a good solution 5 
years down the line, once all the old browsers that don't support it have 
fallen out of use, but even if the protocol's ready to go now the installed 
browser base isn't ready for a site that uses it.

- Peter




Apache 2.0 Authentication LDAP

2008-09-22 Thread Arun Raj Ramkumar
Hi Friends,
 
I have recently migrated my webapp from Tomcat 4.x to 6.0. Please let me
know how to set up Apache 2.0 for authentication (using LDAP) by connecting
it with Tomcat 6.0. Please let me know the steps to be followed,
like changes in httpd.conf. I am using a Linux server. Are there any settings
that need to be changed for a Linux server? Earlier I used SunOS.
 
Regards,
Arun.


Re: Connector problem

2008-09-22 Thread Jörg Fröber
On 22.09.2008 at 12:17, Peter Crowther [EMAIL PROTECTED] wrote:

>> From: Mathias P.W Nilsson [mailto:[EMAIL PROTECTED]
>> Let's say I want a user to access the website in this fashion
>>
>> https://www.domain1.com ( SSL from thawte )
>> https://www.domain2.com ( SSL from thawte )
>> https://www.domain1.se ( SSL from thawte )
>>
>> What would I have to do to make this work? I only have one
>> server that is running tomcat 6.
>
> You would have to:
>
> - Obtain and set up 3 different IP addresses for the server;
>
> - Set up DNS to point www.domain1.com to one of the IP addresses,
> www.domain2.com to another, and www.domain1.se to the third.
>
> - Configure 3 different Host elements in your server.xml, each for one
> of the secure domains;
>
> - Configure each Host to use the appropriate certificate from your
> keystore(s).  This is no harder than configuring one Host for SSL, you
> just need to do it three times :-).
>
> - Peter




Sorry to kind of hijack this thread, but would it be possible to use one  
of the certificates linked below with tomcat, when only 1 IP and 1  
SSL-Connector is used for different Host elements?


http://www.geotrusteurope.com/products/ssl_certificates/true_businessid_mdm.asp
http://www.positivessl.com/ssl-certificate-products/ssl/multi-domain-ssl-certificate.html


Jörg




Re: Apache 2.0 Authentication LDAP

2008-09-22 Thread André Warnier

Arun Raj Ramkumar wrote:
> Hi Friends,
>
> I have recently migrated my webapp from Tomcat 4.x to 6.0. Please let me
> know how to set up Apache 2.0 for authentication (using LDAP) by connecting
> it with Tomcat 6.0. Please let me know the steps to be followed,
> like changes in httpd.conf. I am using a Linux server. Are there any settings
> that need to be changed for a Linux server? Earlier I used SunOS.
 

Hi Arun.
As asked, your question is difficult to understand, and even more to 
answer I think.

What is exactly what should happen where ?
I'll give you a possible scenario, and you tell us if this scenario is 
what you want to do, or tell us your own scenario, ok ?


My scenario :
Your configuration is such that all HTTP (browser) accesses go to Apache 
first.  Apache does the authentication via LDAP (using for example 
mod_authnz_ldap) for any URLs that are protected (including the ones 
that go later to Tomcat).
Then Apache decides which calls go to Tomcat (via a mod_jk connector or 
mod_proxy_ajp).
mod_jk (and the Tomcat side of that connector) is configured so that the 
Apache authentication is passed on to Tomcat.
Tomcat itself does not do authentication, but relies on the user-id 
passed on by Apache (and the roles defined in Tomcat) to access the 
Tomcat applications.



re : http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
re : Tomcat Connector, attribute tomcatAuthentication or something 
like that.






RE: Apache 2.0 Authentication LDAP

2008-09-22 Thread Arun Raj Ramkumar
Hi,
Yes , that is my scenario. Please let me know what are the settings or
changes I need to do for Apache authentication via LDAP.

Regards,
Arun 

-Original Message-
From: André Warnier [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 22, 2008 4:19 PM
To: Tomcat Users List
Subject: Re: Apache 2.0 Authentication LDAP

Arun Raj Ramkumar wrote:
 Hi Friends,
  
 I have recently migrated my webapp from tomcat 4.x to 6.0 . Please let 
 me know how to set up Apache 2.0 for authentication(using LDAP) by 
 connecting it with tomcat 6.0 . Please let me know the steps to be 
 followed like changes in httpd.conf . I am using Linux server. Is 
 there  any settings need to be changed for linux server. Earlier i used
sunOS.
  
Hi Arun.
As asked, your question is difficult to understand, and even more to answer
I think.
What is exactly what should happen where ?
I'll give you a possible scenario, and you tell us if this scenario is what
you want to do, or tell us your own scenario, ok ?

My scenario :
Your configuration is such that all HTTP (browser) accesses go to Apache
first.  Apache does the authentication via LDAP (using for example
mod_authnz_ldap) for any URLs that are protected (including the ones that go
later to Tomcat).
Then Apache decides which calls go to Tomcat (via a mod_jk connector or
mod_proxy_ajp).
mod_jk (and the Tomcat side of that connector) is configured so that the
Apache authentication is passed on to Tomcat.
Tomcat itself does not do authentication, but relies on the user-id passed
on by Apache (and the roles defined in Tomcat) to access the Tomcat
applications.


re : http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
re : Tomcat Connector, attribute tomcatAuthentication or something like
that.





Re: Apache 2.0 Authentication LDAP

2008-09-22 Thread André Warnier

Arun Raj Ramkumar wrote:

Hi,
Yes , that is my scenario. Please let me know what are the settings or
changes I need to do for Apache authentication via LDAP.



I already did.
Just click on the link I provided in the previous answer.
This is a help forum, and we do what we can.  But people who ask for 
help are expected to at least make a little effort to read the available 
on-line documentation, which in this case is very good.

Then try to set it up following the instructions.
Then, if there is something you do not understand, you can always come 
back here with a precise question.

Ok ?

André




Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

Hi!

I have 3 different virtual hosts. Is there any way these can share the same
war file and instance?

What I mean is that tomcat does not deploy the war file 3 times but uses the
same war instance?



RE: Connector problem

2008-09-22 Thread Peter Crowther
 From: Jörg Fröber [mailto:[EMAIL PROTECTED]
 Sorry to kind of hijack this thread, but would it be possible
 to use one
 of the certificates linked below with tomcat, when only 1 IP and 1
 SSL-Connector is used for different Host elements?

 http://www.geotrusteurope.com/products/ssl_certificates/true_b
 usinessid_mdm.asp
 http://www.positivessl.com/ssl-certificate-products/ssl/multi-
 domain-ssl-certificate.html

Assuming the browser support is out there then yes, it should be possible.

- Peter




Re: HTTPS and Virtual Hosts

2008-09-22 Thread Johnny Kewl


- Original Message - 
From: Peter Crowther [EMAIL PROTECTED]

To: 'Tomcat Users List' users@tomcat.apache.org
Sent: Monday, September 22, 2008 12:19 PM
Subject: RE: HTTPS and Virtual Hosts



From: Johnny Kewl [mailto:[EMAIL PROTECTED]
I actually can't see any
reason why the handshake couldn't be extended to look at the
incoming URL...


Because the URL (or at least the host header) would have to be sent over the 
wire in cleartext, as it's before the encrypted connection is negotiated. 
This is an information disclosure vulnerability.


   - Peter


http://support.microsoft.com/kb/257591

If it sends the HOST info in step one and the server chose the correct 
cert I see no problem, the secure session hasn't even kicked in yet ;)


So what are they not allowing?
I think the only vulnerability is to the CA's biz model ;)
If not what is the vulnerability? Whatever cert is sent was put there by 
the admin dudes, and will be checked client side anyway ;)


---
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
--- 






Re: HTTPS and Virtual Hosts

2008-09-22 Thread Johnny Kewl


- Original Message - 
From: André Warnier [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, September 22, 2008 12:21 PM
Subject: Re: HTTPS and Virtual Hosts



Mark Thomas wrote:

Ognjen Blagojevic wrote:

André Warnier wrote:

Is the above, very roughly and approximatively still a valid
explanation of what happens, or is it totally wrong, or has something
changed in-between that I am unaware of ?

Yes, that's about it. Here is the official explanation:

  http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

The workaround is also proposed. You can use different ports or IP
addresses for different SSL enabled virtual hosts. For instance, you
could put 2 or more network cards in the server, and then configure one
virtual host for each of these cards.


You do not need multiple NICs to support multiple IP addresses. You can
quite happily configure a NIC with multiple IP addresses.


All right.
Thanks to everyone for the answers and references.
This was also linked to another thread Re. Connector problem, for which 
I am also interested in the practical solution.


Now, a follow-up question :

I seem to remember that there was talk about a scheme or a protocol that 
would allow (very roughly) a client/server pair to start a session using 
HTTP (not SSL), negotiate, then in the course of the session upgrade 
this link to HTTPS.  And that this somehow could be a solution to the 
Virtual Host issue under HTTPS.
Am I dreaming this up, or does there exist something in that general area?


Andre, I'm not aware of anything like it... one can actually do anything 
with crypto stuff, but the problem is that half the engine is built into the 
browser, if it doesn't want to play, it doesn't happen... there are do it 
yourself secure layers out there at javascript level, but they have 
issues... don't secure whole page etc.


... don't think so...

However as soon as you leave the browser environment... anything is 
possible.





[OT] RE: HTTPS and Virtual Hosts

2008-09-22 Thread Peter Crowther
[Marked OT as this is not even remotely about Tomcat]

 From: Johnny Kewl [mailto:[EMAIL PROTECTED]
 http://support.microsoft.com/kb/257591

... OK...

 If it sends the HOST info in step one

... which it doesn't as far as I can see...

 and the server chose the correct
 cert I see no problem, the secure session hasn't even
 kicked in yet ;)

Yes, exactly.  So anything sent across the wire (such as the host header) is 
subject to eavesdropping.

The URL, in particular, MUST NOT be sent in cleartext - consider a URL of the 
form https://www.innocentsite.com/myphotos/notsoinnocent/llamapr0n372.jpg *.  
The user would no doubt expect SSL to defend his/her access to that URL from 
eavesdropping :-).

The case for not sending the host header in cleartext is weaker, but still 
present.  Consider a blog site such as LiveJournal, for example.  It hosts a 
range of content, separated onto one hostname per blog.  Some of that content 
is pretty explicit, and some people might get rather upset if they knew that 
*even though they thought they were on a secure channel* then others could 
eavesdrop on the mere fact that they were reading *that* content, rather than 
some other innocent content that happened to be on the same IP.  So I consider 
that the ID vul is still present, even via disclosure of just the host header.

 If not what is the vulnerability? Whatever cert is sent was put there by
 the admin dudes, and will be checked client side anyway ;)

You're thinking about ID vuls from the side of the server admin.  Broaden your 
thinking - what might a *client* get upset about?

- Peter

* With thanks to User Friendly (http://www.userfriendly.org), over the years, 
for warping my mind enough to devise this URL.
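
Added example (not part of the thread and not Tomcat code): what the three-IP setup, the multi-domain certificate question and the cleartext-hostname argument above look like at the handshake level. It goes beyond the thread by using the TLS server_name extension (SNI, RFC 6066), in which the client names the host in its unencrypted ClientHello; the keystore aliases, certificate names and IP addresses are constructed, and nothing here says which Tomcat versions support SNI.

```python
import struct

# Host names come from the server.xml in this thread; keystore aliases, certificate
# names and IP addresses (RFC 5737 documentation range) are constructed.
HOSTS = ["www.alias1.se", "www.alias1.com", "www.alias2.com"]
PER_SITE_CERTS = {"alias1": ["www.alias1.se", "www.alias1.com"], "alias2": ["www.alias2.com"]}
IP_BINDINGS = {"192.0.2.10": "alias1", "192.0.2.11": "alias2"}
MULTI_DOMAIN_SANS = ["www.alias1.se", "*.alias1.com", "www.alias2.com"]


def build_client_hello(server_name=None):
    """Build a minimal single-record TLS 1.2 ClientHello, with or without SNI."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"     # version, random (zeros), empty session_id
            + b"\x00\x02\x00\x2f" + b"\x01\x00")  # one cipher suite, null compression
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni             # extension 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # msg_type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class Reader:
    """Bounds-checked cursor over bytes; reading past the end raises ValueError."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def uint(self, size):
        return int.from_bytes(self.take(size), "big")
    def vector(self, len_size):
        return self.take(self.uint(len_size))
    def remaining(self):
        return len(self.data) - self.pos


def extract_sni(record):
    """Return the host name sent in the unencrypted ClientHello, or None if there is none."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                  # record-layer version
    hs = Reader(rec.vector(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    body = Reader(hs.vector(3))
    body.take(2 + 32)                            # client_version, random
    for len_size in (1, 2, 1):                   # session_id, cipher_suites, compression
        body.vector(len_size)
    if not body.remaining():
        return None                              # client sent no extensions at all
    exts = Reader(body.vector(2))
    while exts.remaining():
        ext_type, ext_data = exts.uint(2), exts.vector(2)
        if ext_type == 0:                        # server_name
            names = Reader(Reader(ext_data).vector(2))
            while names.remaining():
                name_type, name = names.uint(1), names.vector(2)
                if name_type == 0:
                    return name.decode("ascii").lower()
    return None


def name_matches(pattern, host):
    """Certificate name match: case-insensitive, '*' only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def select_certificate(sni_host, local_ip, certs=PER_SITE_CERTS, bindings=IP_BINDINGS):
    """Keystore alias to present: by requested name if sent, otherwise by the IP reached."""
    if sni_host is not None:
        for alias, names in certs.items():
            if any(name_matches(n, sni_host) for n in names):
                return alias
    return bindings.get(local_ip)


def uncovered_hosts(san_names, hosts):
    """Hosts that one multi-domain certificate does NOT cover (empty list: safe to share)."""
    return [h for h in hosts if not any(name_matches(n, h) for n in san_names)]


if __name__ == "__main__":
    print("visible before encryption:", extract_sni(build_client_hello("www.alias2.com")))
    print("missed by the multi-domain cert:", uncovered_hosts(MULTI_DOMAIN_SANS, HOSTS))
```

A client that sends no name can only be given the certificate bound to the IP address it reached, which is why the per-IP setup needs one address per certificate.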




Re: Apache 2.0 Authentication LDAP

2008-09-22 Thread André Warnier

André Warnier wrote:
Then, if there is something you do not understand, you can always come 
back here with a precise question.


I forgot to say that if your problem is related to the Apache httpd 
setup of LDAP, then you would be better off trying the Apache httpd 
support list.
Issues related to Tomcat, and even to Apache/Tomcat connectors like 
mod_jk, will be handled here.
But for issues directly related to Apache httpd and the LDAP 
authentication at the Apache httpd level, you will get better/faster 
answers at

[EMAIL PROTECTED]







Problems upgrading from 6.0.14 to 6.0.18

2008-09-22 Thread Heiko Klein
Due to the announced security bug 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 I wanted to 
upgrade tomcat from 6.0.14 to 6.0.18.


Tomcat is running on a VPS on a Linux box with kernel 2.6.18. The 
application has been running for a while without any problems with 
tomcat 6.0.14. Load is difficult to measure due to invisible load on 
host-system.


After the upgrade, I got the following problems:

* running with the NIO http connector, tomcat crashed with a 'Too many 
open files' exception

java.io.IOException: Too many open files
    at sun.nio.ch.ServerSocketChannelImpl.accept0(Native Method)
    at sun.nio.ch.ServerSocketChannelImpl.accept(Unknown Source)
    at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1163)
    at java.lang.Thread.run(Unknown Source)


* running with the apr connector, tomcat crashed silently, even when 
shutting down it complained about threads it didn't manage to shut down.


* with apr and blocking http connector, I got problems with 
cookies-handling and the advice to use Base64 encoding for cookies.


After two months struggling to get tomcat in a stable state, I switched 
back to tomcat 6.0.14 with the original NIO connector:

<Connector port="80"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   connectionTimeout="2"
   URIEncoding="UTF-8"
   compression="on"
   enableLookups="false"
   maxThreads="100"
   maxSpareThreads="20" />
and everything worked without problems again. I made sure that I didn't 
use 'allowLinking' so I'm not in danger of the vulnerability.


I hope somebody has some ideas what has gone wrong. I would like to 
know what I should look for when upgrading the next time.


Best regards,

Heiko





Re: [OT] RE: HTTPS and Virtual Hosts

2008-09-22 Thread Johnny Kewl


- Original Message - 
From: Peter Crowther [EMAIL PROTECTED]

To: 'Tomcat Users List' users@tomcat.apache.org
Sent: Monday, September 22, 2008 2:30 PM
Subject: [OT] RE: HTTPS and Virtual Hosts


[Marked OT as this is not even remotely about Tomcat]


From: Johnny Kewl [mailto:[EMAIL PROTECTED]
http://support.microsoft.com/kb/257591


... OK...


If it sends the HOST info in step one


... which it doesn't as far as I can see...


and the server chose the correct
cert I see no problem, the secure session hasn't even
kicked in yet ;)


Yes, exactly.  So anything sent across the wire (such as the host header) is 
subject to eavesdropping.


The URL, in particular, MUST NOT be sent in cleartext - consider a URL of 
the form 
https://www.innocentsite.com/myphotos/notsoinnocent/llamapr0n372.jpg *.  The 
user would no doubt expect SSL to defend his/her access to that URL from 
eavesdropping :-).


The case for not sending the host header in cleartext is weaker, but still 
present.  Consider a blog site such as LiveJournal, for example.  It hosts a 
range of content, separated onto one hostname per blog.  Some of that 
content is pretty explicit, and some people might get rather upset if they 
knew that *even though they thought they were on a secure channel* then 
others could eavesdrop on the mere fact that they were reading *that* 
content, rather than some other innocent content that happened to be on the 
same IP.  So I consider that the ID vul is still present, even via 
disclosure of just the host header.



If not what is the vulnerability? Whatever cert is sent was put there by
the admin dudes, and will be checked client side anyway ;)


You're thinking about ID vuls from the side of the server admin.  Broaden 
your thinking - what might a *client* get upset about?


   - Peter

Ok... it's off thread, but I disagree the secure session doesn't start out 
secure... even a certificate is clear text, don't see the big deal... once 
you're in a session, different story...

I guess this means you're not going to help me with my new book ;)
   Curve Ball technology for biz sake... ha ha




Re: request for servlet filter

2008-09-22 Thread Christopher Schultz

André,

André Warnier wrote:
 <note>
 The rule means that any request including Basic authentication
 will be redirected to the indicated page.
 </note>
 <condition name="auth" type="auth-type">BASIC_AUTH</condition>
 <from>^/.*$</from>
 <to type="temporary-redirect">%{context-path}/errors/IE_settings.html</to>
 </rule>

Nice... I've never used this package; I only knew that it existed. I'm
happy to see that it supports somewhat complicated conditions, etc.

-chris



Re: Server Maintenance Across Timezones (global)

2008-09-22 Thread Christopher Schultz

Peng,

Peng Tuck Kwok wrote:
 There's a lot of good suggestions here, maybe you could also justify
 maintaining a separate instance for the American customers. That would at
 least allow at a minimum to roll out changes specific for them, conform to
 their maintenance time :P. Yes I do realize it would be a replication of
 code in terms of releases but it is something to think about.

For an application used this widely, presumably you'll need multiple
physical machines, anyway. Since you require multiple machines, this
replication of code will have to happen, anyway. You ought to be able
to configure certain servers/clusters to provide, say, US-oriented
content, while others provide content for other geographic areas.

I think that's quite an elegant solution, actually. Thanks, Paul!

-chris



Re: Tomcat 5.5, JNDI Connection Pooling, Active connections keep increasing....

2008-09-22 Thread Christopher Schultz

Sinoea,

sinoea kaabi wrote:
 Christopher Schultz wrote:
 You aren't using any class-level members in your static methods so
 you should be fine.
 
 This means that I cannot declare a:
 
 public class Data {
 
 private static DataSource datasource = null;
 
 public static DataSource getDataSource() {
   if (datasource == null) {
  // create a datasource
   }
   return datasource;
 }
 
 }

Well, you /can/, but it wouldn't be a very good idea.

 In the code above the class-level member is the datasource.
 
 Do you mean I should do like this instead:
 
 public class Data {
 
 
 public static DataSource getDataSource() {
 
   // create a new datasource for each call to this method
 
   return datasource;
 
 }
 }

Assuming that the 'datasource' object is still shared among threads,
it's still a bad idea. DataSource objects are not guaranteed to be
threadsafe, so you should not share them.

This is a bad example, because you should never cache the DataSource in
the first place: you should always get it from the JNDI tree.

-chris




Re: Tomcat 5.5, JNDI Connection Pooling, Active connections keep increasing....

2008-09-22 Thread Christopher Schultz

Johnny,

Johnny Kewl wrote:
 If a datasource in DBCP represents the pool... you cant, you'd make a
 million data pools...

No, the DataSource object does not represent the pool per se. It's just
a factory that produces Connection objects (which, in turn, come from
the pool).

-chris



Re: j_security_check Tomcat user status

2008-09-22 Thread Christopher Schultz

Tokajac,

Tokajac wrote:
 Now, i want to check another column on login: userstatus. Value of the
 column can be 0 or 1. Only users with correct username and status 1 can
 login.
 
 How can i do this with j_security_check?

Mark's suggestion of using a VIEW is IIRC the only way this will work
with Tomcat's built-in authentication mechanism. You could write your
own Authenticator or you could use securityfilter
(http://securityfilter.sourceforge.net) which lets you implement your
own Realm classes as well. In there, you can do anything you want
(such as check additional tables, issue extra queries, etc.).

-chris



RE: Problems upgrading from 6.0.14 to 6.0.18

2008-09-22 Thread Martin Gainty

Heiko-

can you use lsof to determine which processes are creating the file handles?
http://spatula.net/blog/archive/2007_10_01_spatula_archive.html

also try to bring up one webapp at a time for an hour or 2 until you determine 
where this bug occurs
running lsof?

I would also suggest disengage NIOConnector run lsof on problematic webapp and 
engage with problematic webapp and test as well

Takk
Martin 
__ 
Disclaimer and confidentiality note 
Everything in this e-mail and any attachments relates to the official business 
of Sender. This transmission is of a confidential nature and Sender does not 
endorse distribution to any party other than intended recipient. Sender does 
not necessarily endorse content contained within this transmission. 


 Date: Mon, 22 Sep 2008 15:02:23 +0200
 From: [EMAIL PROTECTED]
 To: users@tomcat.apache.org
 Subject: Problems upgrading from 6.0.14 to 6.0.18
 
 Due to the announced security bug 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 I wanted to 
 upgrade tomcat from 6.0.14 to 6.0.18.
 
 Tomcat is running on a VPS on a Linux box with kernel 2.6.18. The 
 application has been running for a while without any problems with 
 tomcat 6.0.14. Load is difficult to measure due to invisible load on 
 host-system.
 
 After the upgrade, I got the following problems:
 
 * running with the NIO http connector, tomcat crashed with a 'Too many 
 open files' exception
 java.io.IOException: Too many open files
     at sun.nio.ch.ServerSocketChannelImpl.accept0(Native Method)
     at sun.nio.ch.ServerSocketChannelImpl.accept(Unknown Source)
     at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1163)
     at java.lang.Thread.run(Unknown Source)
 
 
 * running with the apr connector, tomcat crashed silently, even when 
 shutting down it complained about threads it didn't manage to shut down.
 
 * with apr and blocking http connector, I got problems with 
 cookies-handling and the advice to use Base64 encoding for cookies.
 
 After two months struggling to get tomcat in a stable state, I switched 
 back to tomcat 6.0.14 with the original NIO connector:
  <Connector port="80"
     protocol="org.apache.coyote.http11.Http11NioProtocol"
     connectionTimeout="2"
     URIEncoding="UTF-8"
     compression="on"
     enableLookups="false"
     maxThreads="100"
     maxSpareThreads="20" />
 and everything worked without problems again. I made sure that I didn't 
 use 'allowLinking' so I'm not in danger of the vulnerability.
 
 I hope somebody has some ideas what has gone wrong. I would like to 
 know what I should look for when upgrading the next time.
 
 Best regards,
 
 Heiko
 
 

Re: jstack and Tomcat 6 on Windows

2008-09-22 Thread Johnny Kewl


- Original Message - 
From: Surendrakumar Viswanathan -X (suviswan - HCL at Cisco) 
[EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, September 22, 2008 11:55 AM
Subject: RE: jstack and Tomcat 6 on Windows


Check Eclipse Memory Analyzer Tool www.eclipse.org/mat/. This is
alternate to JMAP, but it can parse the hprof file faster and have a
very visual GUI.

Thanks
Suren



Cool, if people just chat about how they find these out of mem errors, this 
will become a very cool thread...

Up until I discovered these tools, it seems such a black hit and miss art.

... before this I actually can't think of anything that let one peek inside 
those class loaders... short of writing your own code...


In earlier threads there are also guys trying to figure out why TC won't let 
go... it holds... and I'm wondering if JHat wouldn't be able to help in those 
areas as well...

... it's this class that won't let go... etc.

... it looks really nice

... did it help you, did you find the leak?




RE: Share war file / virtual hosts

2008-09-22 Thread Caldarale, Charles R
 From: Mathias P.W Nilsson [mailto:[EMAIL PROTECTED]
 Subject: Share war file / virtual hosts

 I have 3 different virtual hosts. Is there any way these can
 share the same war file and instance?

If you are using Alias entries for a single Host, then the webapp will be 
deployed only once.

If you are using multiple Host elements, then no, the webapp will be deployed 
for each Host, even if the docBase is identical for each.  You could deploy 
dummy webapps on the secondary hosts that do nothing but redirect or forward to 
the primary, but that might be confusing to your end users.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.




Re: Tomcat 5.5, JNDI Connection Pooling, Active connections keep increasing....

2008-09-22 Thread Johnny Kewl


- Original Message - 
From: Christopher Schultz [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, September 22, 2008 3:14 PM
Subject: Re: Tomcat 5.5, JNDI Connection Pooling, Active connections keep 
increasing





Sinoea,

sinoea kaabi wrote:

Christopher Schultz wrote:

You aren't using any class-level members in your static methods so
you should be fine.


This means that I cannot declare a:

public class Data {

private static DataSource datasource = null;

public static DataSource getDataSource() {
  if (datasource == null) {
 // create a datasource
  }
  return datasource;
}

}


Well, you /can/, but it wouldn't be a very good idea.


In the code above the class-level member is the datasource.

Do you mean I should do like this instead:

public class Data {


public static DataSource getDataSource() {

  // create a new datasource for each call to this method

  return datasource;

}
}


Assuming that the 'datasource' object is still shared among threads,
it's still a bad idea. DataSource objects are not guaranteed to be
threadsafe, so you should not share them.

This is a bad example, because you should never cache the DataSource in
the first place: you should always get it from the JNDI tree.

-chris


Ah... thanks Chris being able to

   DataSource ds = (DataSource) initContext.lookup("java:/comp/env/jdbc/xmecsDB");

from anywhere in the webapp would solve a lot of problems in that code...

Thanks...




RE: Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

Can I use Connectors to Aliases?



RE: Share war file / virtual hosts

2008-09-22 Thread Caldarale, Charles R
 From: Mathias P.W Nilsson [mailto:[EMAIL PROTECTED]
 Subject: RE: Share war file / virtual hosts

 Can I use Connectors to Aliases?

A Connector operates with all Host elements in the same Engine; the 
Connector only cares about IP address and port number, not DNS names.

(Not sure if that answers your question.)

 - Chuck





How to redirect a web page from Tomcat to your browser?

2008-09-22 Thread DeanM

This question's probably been asked a hundred times but it's new to me and I
haven't found anything directly helpful in my newbieness. I have a servlet
running on Tomcat on a remote machine. The application is a web site. What I
want to do is have some links on the index page that go to a secure server
out in The Great Cloud Of The Intertubes. Now I can't just put plain html
links on the index page, because then if you click on them, naturally your
browser will go to the secure server to try and get pages from it. The way
the secure server is set up, it looks at the requesting IP address and if
you're not on the invite list, then you don't get in. The remote machine
with the Tomcat server on it has an approved IP address, so the secure
server will talk to it, just not to me here as my IP is different.

So, question is, how do I set up a mechanism so that you click on a link on
the index page for the URL you want, Tomcat takes this and sends the request
to the secure server, the secure server sends the page(s) back to Tomcat and
then Tomcat throws it at your browser?

Thanks for any help on this. 



Re: question about realm auth and digest attribute

2008-09-22 Thread Joe A
i'm talking about this part of configuration:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

On Thu, Sep 18, 2008 at 3:18 PM, Christopher Schultz 
[EMAIL PROTECTED] wrote:


 Joe,

 Joe A wrote:
  if i'm going to be using sha-1 for the encryption, do i just specify
  digest=SHA, digest=SHA1, digest=SHA-1?

 I'm not sure you have a choice... I think it's MD5 by default with no
 other options.

 http://en.wikipedia.org/wiki/Digest_access_authentication

 Note that MSIE 5.0+ apparently doesn't do things right, and will
 therefore not work (2002 report). Not sure if it has been fixed in
 later versions.

 - -chris




Re: How to redirect a web page from Tomcat to your browser?

2008-09-22 Thread Hassan Schroeder
On Mon, Sep 22, 2008 at 8:35 AM, DeanM [EMAIL PROTECTED] wrote:

 So, question is, how do I set up a mechanism so that you click on a link on
 the index page for the URL you want, Tomcat takes this and sends the request
 to the secure server, the secure server sends the page(s) back to Tomcat and
 then Tomcat throws it at your browser?

You need to write (or find) a proxy/reverse-proxy servlet.

Alternatively, you could use Apache httpd for that purpose. More moving
parts, but possibly less work. :-)

FWIW,
-- 
Hassan Schroeder  [EMAIL PROTECTED]




RE: Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

I think it does, but then I have another ;)

Can The Host element support multiple ip addresses?



Re: How to redirect a web page from Tomcat to your browser?

2008-09-22 Thread DeanM

You need to write (or find) a proxy/reverse-proxy servlet.

Alternatively, you could use Apache httpd for that purpose. More moving
parts, but possibly less work. :-)




So you mean set up Apache and have Tomcat plug in to it? In other words,
make Apache the front end my browser talks to, instead of using Tomcat on
its own.



Re: How to redirect a web page from Tomcat to your browser?

2008-09-22 Thread Jeff
On Mon, Sep 22, 2008 at 10:46 AM, DeanM [EMAIL PROTECTED] wrote:

 You need to write (or find) a proxy/reverse-proxy servlet.

 Alternatively, you could use Apache httpd for that purpose. More moving
 parts, but possibly less work. :-)




 So you mean set up Apache and have Tomcat plug in to it? In other words,
 make Apache the front end my browser talks to, instead of using Tomcat on
 its own.

Not exactly. The Apache proxy would be independent of Tomcat. Your
link in the servlet would simply link to the local, proxied address
served by Apache.

See ProxyPass and ProxyPassReverse in the Apache docs.

-- 
Jeff




RE: Share war file / virtual hosts

2008-09-22 Thread Caldarale, Charles R
 From: Mathias P.W Nilsson [mailto:[EMAIL PROTECTED]
 Subject: RE: Share war file / virtual hosts

 Can The Host element support multiple ip addresses?

A Host element doesn't care about IP addresses; only a Connector does, and 
then only if it's configured for a specific IP address.  Each Host is 
concerned only with the symbolic name on the URL, and the designated default 
Host handles all requests that don't match specific Host names or Alias 
elements.

 - Chuck





Re: How to redirect a web page from Tomcat to your browser?

2008-09-22 Thread DeanM


jlar310 wrote:
 
 Not exactly. The Apache proxy would be independent of Tomcat. Your
 link in the servlet would simply link to the local, proxied address
 served by Apache.
 
 See ProxyPass and ProxyPassReverse in the Apache docs.
 

OK thanks I'll go and have a read.




RE: Apache 2.0 Authentication LDAP

2008-09-22 Thread Arun Raj Ramkumar
Thanks a lot Andre..
Will get back to you.. After verifying the docs 

-Original Message-
From: André Warnier [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 22, 2008 5:55 PM
To: Tomcat Users List
Subject: Re: Apache 2.0 Authentication LDAP

André Warnier wrote:
 Then, if there is something you do not understand, you can always come 
 back here with a precise question.

I forgot to say that if your problem is related to the Apache httpd setup of
LDAP, then you would be better off trying the Apache httpd support list.
Issues related to Tomcat, and even to Apache/Tomcat connectors like mod_jk,
will be handled here.
But for issues directly related to Apache httpd and the LDAP authentication
at the Apache httpd level, you will get better/faster answers at
[EMAIL PROTECTED]







Re: jstack and Tomcat 6 on Windows

2008-09-22 Thread Brian Clark
Thanks again for all of our suggestions. The Eclipse Memory Analyzer Tool looks 
very interesting and helpful. It also calls out the JAVA_OPT  
-XX:+HeapDumpOnOutOfMemoryError to auto generate a heap dump for me. I was 
originally looking for a way to automatically generate a thread dump, but this 
will be extremely helpful as well. 

Another alternative to JHAT is Sun's new free tool, Visual VM. I think JHAT is 
part of its underlying technology. Visual VM now ships with Sun JDK 1.6.0_07 
and later, and is available via download separately from 
https://visualvm.dev.java.net/ 

I believe that VisualVM will eventually replace Sun's Jconsole, as it has all 
of Jconsole's functionality as well as heap dump, thread dump, and basic 
profiler functionality. It seems to have some of the functionality that is in 
Eclipse MAT. Not sure of the pro's and con's of one vs. the other though. I 
plan on looking at both. 

Thanks again,
Brian


- Original Message 
From: Surendrakumar Viswanathan -X (suviswan - HCL at Cisco) 
To: Surendrakumar Viswanathan -X (suviswan - HCL at Cisco)  Tomcat Users List 
users@tomcat.apache.org
Sent: Monday, September 22, 2008 4:56:05 AM
Subject: RE: jstack and Tomcat 6 on Windows

OOPS It's alternate to JHAT and not JMAP.

Suren 

 -Original Message-
 From: Surendrakumar Viswanathan -X (suviswan - HCL at Cisco) 
 Sent: Monday, September 22, 2008 3:25 PM
 To: 'Tomcat Users List'
 Subject: RE: jstack and Tomcat 6 on Windows
 
 Check Eclipse Memory Analyzer Tool www.eclipse.org/mat/. This 
 is alternate to JMAP, but it can parse the hprof file faster 
 and have a very visual GUI.
 
 Thanks
 Suren 
 
  -Original Message-
  From: Johnny Kewl [mailto:[EMAIL PROTECTED]
  Sent: Saturday, September 20, 2008 4:40 PM
  To: Tomcat Users List
  Subject: Re: jstack and Tomcat 6 on Windows
  
   Thanks everyone for their suggestions.
  
   Unfortunately, that doesn't help me with my particular
  issue. I have
   a memory leak in one of my apps, and when the system runs out of 
   memory, it stops responding to new requests. I have a 
 script that 
   will detect this condition and automatically restart 
 Tomcat. I was 
   hoping to add a jstack command to this script to give me 
 a thread 
   dump prior to restarting Tomcat to give me better 
 troubleshooting 
   information. Your solution would work under normal
  circumstances, but
   I don't know how to script a
   ctrl+break. ;-)
  
   
  
  OK... I couldnt resist giving it a little go... JHat is 
 exactly what 
  you looking for...
  http://weblogs.java.net/blog/jfarcand/archive/2006/02/using_mu
  stangs.html
  
  Well done Sun... its exactly what I've been looking for...
  
  Let the server run a little do a dump, run the server and then 
  from the browser to the HIST option...
  
  The highest non Sun class... webapp class... is going to be the bad 
  guy ;)
  
  Damn thats nice...
  
  --
  -
  HARBOR : http://www.kewlstuff.co.za/index.htm
  The most powerful application server on earth.
  The only real POJO Application Server.
  See it in Action : 
  http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
  --


  

RE: Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

The problem is this.

I would like to set up 3 connector that points to 3 different domains
One Host element and many aliases. Can this be done? The connectors are
https.

<Connector port="443" .. address="1"/>
<Connector port="443" .. address="2"/>
<Connector port="443" .. address="3"/>

<Host ="localhost">
  <Alias></Alias>
</Host>



Re: jstack and Tomcat 6 on Windows

2008-09-22 Thread Johnny Kewl


- Original Message - 
From: Brian Clark [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, September 22, 2008 6:11 PM
Subject: Re: jstack and Tomcat 6 on Windows


Thanks again for all of our suggestions. The Eclipse Memory Analyzer Tool 
looks very interesting and helpful. It also calls out the 
JAVA_OPT  -XX:+HeapDumpOnOutOfMemoryError to auto generate a heap dump for 
me. I was originally looking for a way to automatically generate a thread 
dump, but this will be extremely helpful as well.


Another alternative to JHAT is Sun's new free tool, Visual VM. I think 
JHAT is part of its underlying technology. Visual VM now ships with Sun 
JDK 1.6.0_07 and later, and is available via download separately from 
https://visualvm.dev.java.net/


I believe that VisualVM will eventually replace Sun's Jconsole, as it has 
all of Jconsole's functionality as well as heap dump, thread dump, and 
basic profiler functionality. It seems to have some of the functionality 
that is in Eclipse MAT. Not sure of the pro's and con's of one vs. the 
other though. I plan on looking at both.


Thanks again,
Brian


VisualVM... damn its nice...

---
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---





Re: Share war file / virtual hosts

2008-09-22 Thread Pid
Mathias P.W Nilsson wrote:
 The problem is this.
 
 I would like to set up 3 connector that points to 3 different domains
 One Host element and many aliases. Can this be done? The connectors are
 https.
 
 <Connector port="443" .. address="1"/>
 <Connector port="443" .. address="2"/>
 <Connector port="443" .. address="3"/>
 
 <Host ="localhost">
   <Alias></Alias>
 </Host>

yes it can, you just need to set your hostname to be the default host in
the Engine element.

 <Engine defaultHost="defaulthostname" ... >

 <Host name="defaulthostname" ... >

 - assuming you want to determine the application's response per domain
yourself.


p





Re: Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

Just to get this straight.

Suppose I have this Host setting in server.xml

<Engine name="Catalina" defaultHost="localhost">

  <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">

    <Alias>www.domain1.se</Alias>
    <Alias>www.domain1.com</Alias>
    <Alias>www.domain2.se</Alias>
  </Host>
</Engine>

How can I make 3 connectors to match this? They're bought from Thawte with the
www.domain1.se, www.domain1.com, www.domain2.se





Re: mod_ajp and Load-Balancing Issue

2008-09-22 Thread Stephen Nelson-Smith
On Mon, Sep 22, 2008 at 1:45 AM, Shaun Senecal [EMAIL PROTECTED] wrote:
 Are you using the ClusterSingleSignOn Valve?

I'm not, no.

I have httpd 2.2 on the front-end, with a balancer pool thus:

ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
ProxyErrorOverride On
ProxyTimeout 60

<Proxy balancer://tomcat>
   BalancerMember ajp://10.1.1.231:8009 min=10 max=50
   BalancerMember ajp://10.1.1.232:8009 min=10 max=50
   #BalancerMember ajp://10.1.1.233:8009 min=10 max=50
   Order deny,allow
   Allow from all
</Proxy>

ProxyPass /         balancer://tomcat/        lbmethod=byrequests stickysession=JSESSIONID nofailover=On
ProxyPass /servlet  balancer://tomcat/servlet lbmethod=byrequests stickysession=JSESSIONID nofailover=On
ProxyPass /piston   balancer://tomcat/piston  lbmethod=byrequests stickysession=JSESSIONID nofailover=On
ProxyPass /manager  balancer://tomcat/manager lbmethod=byrequests stickysession=JSESSIONID nofailover=On
ProxyPass /link     balancer://tomcat/link    lbmethod=byrequests stickysession=JSESSIONID nofailover=On
ProxyPass /ajax     balancer://tomcat/ajax    lbmethod=byrequests stickysession=JSESSIONID nofailover=On


When I browse to the login page, I see a jsessionid in firebug.  I
login, the jsessionid cookie stays the same.  I try to navigate within
the application, and wherever I click I end up on the login screen
again, with the message user has timed out.  The cookie doesn't
change until I login, in which case I see a new cookie.

If I comment out two of the BalancerMembers, the app works fine.  If I
add one in (as above) I get the same behaviour.

From reading the archives, it seems I should set a route in httpd.conf
snippet and a jvmroute in the engine tag for each tomcat server.xml.
I'll try this shortly, but it seems as if Richard did this, but still
experienced problems.

Thanks,

S.




RE: Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

Yes, but how should I configure those connectors? I can't add port 443 to 3
of them because 
then tomcat casts an error. 

I can only have one host otherwise hibernate will start 3 times and that is
bad.



How to make my application run outside of apache directory.

2008-09-22 Thread NetbeanUser

Hello, 

I've created a web application using servlets and jsp

My servlet and other required class files are in let's say path
~/a/b/c/d/*.class, some of these have dependencies on classes from
~/a/b/e/f/*.class

While building my back end, I get jar files with classes from the location
/a/b/c/d. After I place this jar file under
~/tomcat/webapps/myappl/WEB-INF/lib and point my browser to the servlet url,
it says of missing classes from the path a/b/e/f

It's a whole tree of dependencies I have under ~/a/b, does it mean that I've
to get all classes from that tree under my apache tree. This doesn't sound
like a good solution. Is there any other way to run my application. Please
would appreciate the help

Thanks



Re: Share war file / virtual hosts

2008-09-22 Thread Hassan Schroeder
On Mon, Sep 22, 2008 at 11:36 AM, Mathias P.W Nilsson
[EMAIL PROTECTED] wrote:

 Yes, but how should I configure those connectors? I can't add port 443 to 3
 of them because
 then tomcat casts an error.

You can if each has a separate IP address, which is what you need
to make this work.

-- 
Hassan Schroeder  [EMAIL PROTECTED]




RE: Share war file / virtual hosts

2008-09-22 Thread Caldarale, Charles R
 From: Mathias P.W Nilsson [mailto:[EMAIL PROTECTED]
 Subject: RE: Share war file / virtual hosts

 I can't add port 443 to 3 of them because
 then tomcat casts an error.

Each must have a unique IP address.  You should also have three non-SSL 
Connector elements, one for each IP address, using port 80 and redirecting to 
443.  Post your Connector config if you can't get it to work.

 I can only have one host otherwise hibernate will start 3
 times and that is bad.

Some would say even once is bad...

 - Chuck





RE: How to make my application run outside of apache directory.

2008-09-22 Thread Caldarale, Charles R
 From: NetbeanUser [mailto:[EMAIL PROTECTED]
 Subject: How to make my application run outside of apache directory.

 It's a whole tree of dependencies I have under ~/a/b, does
 it mean that I've to get all classes from that tree under my
 apache tree.

If by apache tree you mean the webapp's WEB-INF/lib directory, then yes, your 
classes should go there.  Webapps are intended to be self-contained, and 
packaging all the classes it needs together is the proper way to go.  Make 
another jar with the other classes and put it in the WEB-INF/lib directory.

 - Chuck





RE: Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

Here is the configure. Of course the IP address are real addresses.

<Server port="8005" shutdown="SHUTDOWN">

  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="443" />

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="store1"
               keystorePass="pass" address="83.xx.xx.x1"/>

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="store2"
               keystorePass="pass" address="83.xx.xx.x2"/>

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="store3"
               keystorePass="pass" address="83.xx.xx.x3"/>

    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

    <Engine name="Catalina" defaultHost="localhost">

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
        <Alias>www.domain1.se</Alias>
        <Alias>www.domain1.com</Alias>
        <Alias>domain2.com</Alias>

      </Host>

    </Engine>
  </Service>
</Server>




Re: question about realm auth and digest attribute

2008-09-22 Thread Christopher Schultz

Joe,

Joe A wrote:
 i'm talking about this part of configuration:
 http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

Sorry, I should have been more clear. Although Tomcat allows you to pick
the hashing algorithm for DIGEST auth, there is no way for the server to
communicate to the client what type of hashing function is being used. I
believe all current HTTP clients will use MD5 since they have no way to
decide to use something else.

Definitely let me know if this is not the case.

- -chris




Re: Share war file / virtual hosts

2008-09-22 Thread André Warnier

Mathias P.W Nilsson wrote:
[...]
From the questions and answers ping-pong here, I get the impression 
that you are trying to square the circle, and either bump into a Tomcat 
issue or a Hibernate one (whatever that is).


Summary :
- for some reason I don't know nor would understand, you want only one 
instance of this Hibernate to start, and that can only be the case if 
you have a single Host.
- but you also want to be able to access this through 3 distinct IP 
addresses, (not that I really understand HTTPS either but) because this 
is HTTPS and HTTPS requires 3 different IP addresses for your 3 
certificates.
- in Tomcat, different server IP addresses are handled at the Connector 
level.  But each Connector is linked to one Engine..


and there I am getting lost..
(although I believe you can have 3 Connectors for one Engine containing 
one Host, and the one Host does not give a damn which name it's called 
through as long as it is the default Host, but since I'm not on solid 
ground there, I'll skip that discussion..)


But .. I have an alternative scenario for you :

Imagine you have one Apache httpd server front-end, set up to handle 3 
different IP addresses with HTTPS.  That should work, with IP-based 
Virtual Hosts.
So these Apache Hosts handle the HTTPS part (certificates, decrypting 
and such), and now inside each of these Apache Hosts we have things back 
in clear (unencrypted).


Now each of these 3 Apache Virtual Hosts has a mod_jk Apache/Tomcat 
connector, connecting to ... a single Tomcat back-end, with a single 
Connector, a single Engine and a single Host (with no HTTPS needed), 
under which you start a single Hibernate, et voila !


The Apache/mod_jk will nicely pass all (decrypted) headers to your 
Tomcat back-end, where of course now it belongs to you to analyse the 
Host: header to figure out which alias the original Client really 
wanted to talk to.


You can also do all kinds of neat tricks with mod_rewrite, mod_headers, 
mod_setenvif, mod_proxy, mod_auth_xxx and so on on the Apache side 
before you even let Tomcat and Hibernate see anything at all of the 
request. Even change the Host: header if you are so inclined.


The above will of course all work nicely on one machine, so the 
Apache's/Tomcat connection is perfectly safe and maybe you do not need 
to be concerned about HTTPS and authentication and all that stuff at all 
on the Tomcat side.  But even if you were to need this, the Apache hosts 
can also pass on to Tomcat all the HTTPS stuff and you can still bother 
with it if you want.


This sounds way too simple, there must be a snag somewhere.
But Apache httpd being a cousin of Apache Tomcat, at least the gurus on 
this list will have to be polite when shooting down the solution.








RE: Share war file / virtual hosts

2008-09-22 Thread Caldarale, Charles R
 From: Mathias P.W Nilsson [mailto:[EMAIL PROTECTED]
 Subject: RE: Share war file / virtual hosts

 <Connector port="80" protocol="HTTP/1.1"
            connectionTimeout="2"
            redirectPort="443" />

I think you need three port 80 Connector elements, one for each IP address.  
You may also want another Connector pair for IP address 127.0.0.1, if you 
want to access this Tomcat from a local browser.

   <Host name="localhost"  appBase="webapps"
         unpackWARs="true" autoDeploy="true"
         xmlValidation="false" xmlNamespaceAware="false">
     <Alias>www.domain1.se</Alias>
     <Alias>www.domain1.com</Alias>
     <Alias>domain2.com</Alias>
   </Host>

The Alias elements aren't needed.

Try the above changes, and tell us what, if any, errors you get when Tomcat 
starts up.

 - Chuck





Re: Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

Thanks very much!

The last one about apache as a frontend would work. ( I'm very new to this
server set up, as you have probably seen. )

I am reading the headers to look at the request. I'm using a Wicket solution
with Spring and Hibernate. The Wicket handles 3 different looks with the
exact same java code and variations. 

So when a request comes from www.domain1.com I look at the host header,
determine the look and Store and then create the Session object, payments
etc. Because I handle bank payments and Visa, Mastercard solutions I need the
solution to be SSL.

Now, the customer that I'm building this for wants to separate the two
domains for the outside user but internally they use the same admin. ( They
don't sell the same articles on both sites. They can choose in the admin on
which store they want to sell the item. In some cases on all sites with
different images and so forth ) Now I don't know if this explains why I need
3 connectors and one host but I can't think of another way.

Wicket and hibernate take a lot of ram and if I should use this 3 times
then, well the server will be overloaded, not to mention the Hibernate
errors that would occur when accessing an object in two different threads
and trying to persist.

By reading your thread I guess that a tomcat solution is out of the
question?





Re: question about realm auth and digest attribute

2008-09-22 Thread Joe A
i'm talking about the part of configuration that lets you choose specify how
the passwords are stored in the users table.

On Mon, Sep 22, 2008 at 2:27 PM, Christopher Schultz 
[EMAIL PROTECTED] wrote:


 Joe,

 Joe A wrote:
  i'm talking about this part of configuration:
  http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

 Sorry, I should have been more clear. Although Tomcat allows you to pick
 the hashing algorithm for DIGEST auth, there is no way for the server to
 communicate to the client what type of hashing function is being used. I
 believe all current HTTP clients will use MD5 since they have no way to
 decide to use something else.

 Definitely let me know if this is not the case.

 - -chris





RE: Share war file / virtual hosts

2008-09-22 Thread Caldarale, Charles R
 From: Mathias P.W Nilsson [mailto:[EMAIL PROTECTED]
 Subject: Re: Share war file / virtual hosts

 The last one about apache as a frontend would work.

I wouldn't recommend adding another node and associated complexity and overhead 
to fix the problem.  Please try the suggested server.xml changes and report 
back.

 - Chuck





Re: Share war file / virtual hosts

2008-09-22 Thread André Warnier

Mathias P.W Nilsson wrote:

Thanks very much!

[...]



By reading your thread I guess that a tomcat solution is out of the
question?



No, I would not even dare to suggest that !
I don't want to be expelled from this list. ;-)
I was just proposing an alternative using things I know better than Tomcat.
But it seems from the previous answer by Chuck, that there should be no 
problem with Tomcat after all.


When Chuck says that you do not need the Alias, he is of course right, 
but he does not say why, so let me:


The default Host is the one that handles all requests for which Tomcat 
tries to find a matching Hostname, and fails.
If there is a single Host under Tomcat (your case), then that Host is 
(duh) automatically the default Host.

And since you do not have a matching Host for either
www.domain1.se or www.domain1.com, Tomcat defaults to your default 
Host to handle the requests for those (also).
And it would default to that one for any other requests that find 
physically their way to your Tomcat, no matter what Host: header they 
indicate.

CQFD.







Re: question about realm auth and digest attribute

2008-09-22 Thread Mark Thomas
Joe A wrote:
 i'm talking about the part of configuration that lets you choose specify how
 the passwords are stored in the users table.

To repeat my previous answer, any digest that is supported by the JVM you
are using is fine for this.

Mark






Redirection after Tomcat restart

2008-09-22 Thread Martin Dubuc
I am running Tomcat 6.0.18.

My application uses form based authentication.

I am not sure how to handle the case where a user navigates to one of the
secure pages after logging in and Tomcat is restarted. The problem is that
from the secured page, if the user clicks on any of the links after the
restart, Tomcat will redirect to the login page (which is expected) and
then, after the login, it will execute the code that it would normally
execute when the user clicks on the link. The problem that I am facing is
that since the application is using a new session, there might be some
session based variables that are not initialized. Ultimately, if Tomcat is
restarted, I would rather the user be redirected to a predetermined page
(some kind of home page), but it seems that instead, and I believe this is
as per the servlet spec, Tomcat displays the page information it had stored
in its container before restarting.

Any advice on how to best handle this?

Martin


Re: Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

Ok! I tested with port 8080 and 8443 as ssl port with no luck.
I only have 2 domains but tomcat complains about java.net.BindException:
Cannot assign requested address: JVM_Bind:8080. Now I guess this isn't
configured right so any pointers here would be greatly appreciated.

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener SSLEngine="on"
            className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <GlobalNamingResources>
    <Resource auth="Container"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              name="UserDatabase" pathname="conf/tomcat-users.xml"
              type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector connectionTimeout="2" port="8080" address="90.2xx.xxx.x6"
               protocol="HTTP/1.1" redirectPort="443"/>
    <Connector connectionTimeout="2" port="8080" address="90.2xx.xxx.x7"
               protocol="HTTP/1.1" redirectPort="443"/>

    <Connector SSLEnabled="true" clientAuth="false" keystoreFile="store"
               keystorePass="pass" maxThreads="150" address="90.2xx.xxx.x6" port="8443"
               redirectPort="443" protocol="HTTP/1.1" scheme="https" secure="true"
               sslProtocol="TLS"/>

    <Connector SSLEnabled="true" clientAuth="false" keystoreFile="store1"
               keystorePass="store" maxThreads="150" address="90.2xx.xxx.x7" port="8443"
               redirectPort="443" protocol="HTTP/1.1" scheme="https" secure="true"
               sslProtocol="TLS"/>

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine defaultHost="localhost" name="Catalina">

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <Host appBase="webapps" autoDeploy="true" name="localhost"
            unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false">
      </Host>
    </Engine>
  </Service>
</Server>



Re: Share war file / virtual hosts

2008-09-22 Thread André Warnier

Mathias P.W Nilsson wrote:

Ok! I tested with port 8080 and 8443 as ssl port with no luck.
I only have 2 domains but tomcat complains about java.net.BindException:
Cannot assign requested address: JVM_Bind:8080. Now I guess this isn't
configured right so any pointers here would be greatly appreciated.

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener SSLEngine="on"
            className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <GlobalNamingResources>
    <Resource auth="Container"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              name="UserDatabase" pathname="conf/tomcat-users.xml"
              type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector connectionTimeout="2" port="8080" address="90.2xx.xxx.x6"
               protocol="HTTP/1.1" redirectPort="443"/>
    <Connector connectionTimeout="2" port="8080" address="90.2xx.xxx.x7"
               protocol="HTTP/1.1" redirectPort="443"/>

    <Connector SSLEnabled="true" clientAuth="false" keystoreFile="store"
               keystorePass="pass" maxThreads="150" address="90.2xx.xxx.x6" port="8443"
               redirectPort="443" protocol="HTTP/1.1" scheme="https" secure="true"
               sslProtocol="TLS"/>

    <Connector SSLEnabled="true" clientAuth="false" keystoreFile="store1"
               keystorePass="store" maxThreads="150" address="90.2xx.xxx.x7" port="8443"
               redirectPort="443" protocol="HTTP/1.1" scheme="https" secure="true"
               sslProtocol="TLS"/>

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine defaultHost="localhost" name="Catalina">

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <Host appBase="webapps" autoDeploy="true" name="localhost"
            unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false">
      </Host>
    </Engine>
  </Service>
</Server>


I believe you confused your Port and redirectPort in the SSL 
Connectors.  The Port indicated in the SSL Connector should match the 
redirectPort of the non-SSL corresponding Connector. I am not even 
sure SSL Connectors have a redirectPort, but if they do, then you should 
probably put 8080 there.


But the error message seems to say that the JVM tries to bind one of 
your Connectors to port 8080, but that there is already something 
listening on that port.
It would say that, if it misunderstood your first Connectors, and bound 
the first one to all IP addresses instead of just the one IP address.
Then when it comes to the second Connector, it also tries to bind it to 
all IP addresses, port 8080, and it cannot because it's already taken by 
your first Connector.

Are you sure the address attribute is the correct one ?
And if it is, are you sure that your IP interface(s) really are bound to 
the different IP addresses you indicate ?






Re: Share war file / virtual hosts

2008-09-22 Thread Hassan Schroeder
On Mon, Sep 22, 2008 at 1:22 PM, Mathias P.W Nilsson
[EMAIL PROTECTED] wrote:

 Ok! I tested with port 8080 and 8443 as ssl port with no luck.
 I only have 2 domains but tomcat complains about java.net.BindException:
 Cannot assign requested address: JVM_Bind:8080. Now I guess this isn't
 configured right so any pointers here would be greatly appreciated.

 <Connector connectionTimeout="2" port="8080" address="90.2xx.xxx.x6"
            protocol="HTTP/1.1" redirectPort="443"/>
 <Connector connectionTimeout="2" port="8080" address="90.2xx.xxx.x7"
            protocol="HTTP/1.1" redirectPort="443"/>

Ignoring the redirect port confusion and the unneeded AJP connector,
do you actually have both IP addresses configured on this box?

-- 
Hassan Schroeder  [EMAIL PROTECTED]




Re: question about realm auth and digest attribute

2008-09-22 Thread Joe A
in the docs it says "The value for this attribute must be one of the digest
algorithms supported by the java.security.MessageDigest class (SHA, MD2, or
MD5)."

so if i encrypt using the sha1 algorithm, do you know if i should specify
sha1 or sha-1 or sha?

thanks,
joe

On Mon, Sep 22, 2008 at 3:06 PM, Mark Thomas [EMAIL PROTECTED] wrote:

 Joe A wrote:
  i'm talking about the part of configuration that lets you choose specify
 how
  the passwords are stored in the users table.

 To repeat my previous answer, any digest that is supported by the JVM you
 are using is fine for this.

 Mark







Re: Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

Yes thanks for pointing that out

<Connector connectionTimeout="2" port="8080" protocol="HTTP/1.1"
           redirectPort="8443"/>
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="store"
           keystorePass="store" maxThreads="150" address="IP1" port="8443"
           protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="store1"
           keystorePass="store" maxThreads="150" address="IP2" port="8443"
           protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>


Is there any way of testing this using local servers? 




RE: Share war file / virtual hosts

2008-09-22 Thread Caldarale, Charles R
 From: Mathias P.W Nilsson [mailto:[EMAIL PROTECTED]
 Subject: Re: Share war file / virtual hosts

 Yes thanks for pointing that out

Pointing what out?  Many comments have been made.

 Is there any way of testing this using local servers?

You can test it on one box, but you'll still have to configure all the IP 
addresses on that box's TCP/IP stack.

 - Chuck


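The two bind failures raised in the replies above (an address that is not configured on the host, and an address/port pair that is already taken) can be told apart before Tomcat starts. This is an added example, not code from the thread or from Tomcat; the class name and the sample targets are constructed, and 192.0.2.10 is a documentation address standing in for an IP that is not on the box.

```java
import java.io.IOException;
import java.net.BindException;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.ServerSocket;
import java.util.Collections;

/** Added example: pre-flight check for the address/port pairs used in Connector elements. */
public class ConnectorBindCheck {

    /** Attempts the same bind a Connector with this address and port would perform. */
    static String check(String address, int port) {
        InetAddress addr;
        try {
            addr = InetAddress.getByName(address);
            // No local interface carries this address: a bind would fail with
            // "Cannot assign requested address", as in the reported exception.
            if (!addr.isAnyLocalAddress() && NetworkInterface.getByInetAddress(addr) == null) {
                return "address is not configured on any local interface";
            }
        } catch (IOException e) { // UnknownHostException or SocketException
            return "cannot resolve or inspect address: " + e.getMessage();
        }
        try (ServerSocket socket = new ServerSocket(port, 1, addr)) {
            return "bind ok";
        } catch (BindException e) {
            // Typically "Address already in use", or a permission error on low ports.
            return "bind failed: " + e.getMessage();
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("Addresses configured on this host:");
        for (NetworkInterface ni : Collections.list(NetworkInterface.getNetworkInterfaces())) {
            for (InetAddress a : Collections.list(ni.getInetAddresses())) {
                System.out.println("  " + ni.getName() + "  " + a.getHostAddress());
            }
        }

        // Constructed sample targets; pass real "address:port" pairs as arguments instead.
        String[] targets = args.length > 0
                ? args
                : new String[] {"127.0.0.1:8080", "192.0.2.10:8080"};
        for (String target : targets) {
            int sep = target.lastIndexOf(':');
            String address = target.substring(0, sep);
            int port = Integer.parseInt(target.substring(sep + 1));
            System.out.println(target + " -> " + check(address, port));
        }

        // Second failure mode: the same address and port bound twice, which is
        // what happens if two Connectors end up on the same address and port.
        try (ServerSocket held = new ServerSocket(0, 1, InetAddress.getByName("127.0.0.1"))) {
            int port = held.getLocalPort();
            System.out.println("127.0.0.1:" + port + " (already held) -> "
                    + check("127.0.0.1", port));
        }
    }
}
```

Run it on the Tomcat host while Tomcat is stopped, otherwise Tomcat's own listeners show up as bind failures.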



Re: question about realm auth and digest attribute

2008-09-22 Thread Mark Thomas
Joe A wrote:
 in the docs it says "The value for this attribute must be one of the digest
 algorithms supported by the java.security.MessageDigest class (SHA, MD2, or
 MD5)."
 
 so if i encrypt using the sha1 algorithm, do you know if i should specify
 sha1 or sha-1 or sha?

Is it really too much effort for you to look this up in the API docs
yourself? It took me less than a minute to find the JavaDoc for
java.security.MessageDigest and to follow the links to the list of
supported digests.

The 1.6 docs list the following:
MD2, MD5, SHA-1, SHA-256, SHA-384, SHA512

Alternatively you could have just tried digesting a password. You should
see an exception if you try digesting a password with an invalid digest alg.

Mark

 
 thanks,
 joe
 
 On Mon, Sep 22, 2008 at 3:06 PM, Mark Thomas [EMAIL PROTECTED] wrote:
 
 Joe A wrote:
 i'm talking about the part of configuration that lets you choose specify
 how
 the passwords are stored in the users table.
 To repeat my previous answer, any digest that is supported by the JVM you
 are using is fine for this.

 Mark





 



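The "just try digesting a password" check suggested above can be run against the JVM that will host Tomcat. This is an added example, not code from the thread or from Tomcat; the class name, the candidate spellings and the sample password are constructed, and hex output with UTF-8 input is an assumption about how the users table stores the digest.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.TreeSet;

/** Added example: probes which digest algorithm names this JVM accepts. */
public class DigestNameProbe {

    /**
     * Returns the lower-case hex digest of the password, or null when no
     * installed provider recognises the algorithm name.
     */
    static String hexDigest(String algorithm, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            // This is the exception an invalid digest name produces.
            return null;
        }
    }

    public static void main(String[] args) {
        // Names the installed security providers advertise for MessageDigest.
        System.out.println("MessageDigest algorithms on this JVM: "
                + new TreeSet<String>(Security.getAlgorithms("MessageDigest")));

        // Constructed sample input: the spellings asked about in the thread,
        // plus one deliberately invalid name to show the failure case.
        String[] candidates = {"sha", "sha1", "sha-1", "SHA-256", "SHA-512",
                               "SHA512", "MD5", "no-such-digest"};
        String password = "example-password"; // constructed sample value

        for (String name : candidates) {
            String hex = hexDigest(name, password);
            System.out.println(String.format("%-15s %s", name,
                    hex == null ? "NOT SUPPORTED (NoSuchAlgorithmException)" : hex));
        }
    }
}
```

Names that print the same digest are aliases of one algorithm on that JVM, so any of them yields the same stored value.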



Re: [OT] question about realm auth and digest attribute

2008-09-22 Thread André Warnier

Mark Thomas wrote:
[...]

It took me less than a minute to find the JavaDoc for
java.security.MessageDigest


It's by saying things like that that you provoke this kind of question..
It takes us mere mortals ages to find anything there.
:-)





Re: Redirection after Tomcat restart

2008-09-22 Thread Christopher Schultz

Martin,

Martin Dubuc wrote:
 The problem that I am facing is that since the application is using a
 new session, there might be some session based variables that are not
 initialized.

If you want your application to work properly in this situation, you'll
need to add checks to your code to ensure Session integrity before
proceeding. If there's a problem, redirect to some benign location.

 Ultimately, if Tomcat is restarted, I would rather the user be
 redirected to a predetermined page (some kind of home page), but it
 seems that instead, and I believe this is as per the servlet spec,
 Tomcat displays the page information it had stored in its container
 before restarting.

Correct.

 Any advice on how to best handle this?

That depends on a few things.

You could write a filter that tests for certain session contents and, in
their absence, redirects the user to your preferred page. The problem
here is that the session is (probably) not expected to look the same in
all parts of your application, so it's hard to tell which session key to
choose. Perhaps your default page inserts something into the session
like "user is still logged-in".

Another choice (which I like the best) is to upgrade your application to
tolerate Tomcat's behavior. Honestly, I like this the best because it
makes it possible for people to resume their session rather than having
to start all over again (which really sucks for certain operations).

The last option I can think of is to use securityfilter
(http://securityfilter.sourceforge.net) and hack-up the
FormAuthenticator such that it redirects you to a specific location
instead of the original, saved request. There's a feature in the CVS
head where you can specify where to go once you are properly
authenticated (which overrides the go-to-saved-request behavior). You
could use this, too.

Hope that helps,
-chris
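The first option in the reply above, a filter that checks for a session marker and redirects when it is absent, could look like the following. This is an added example, not code from the thread, from Tomcat or from securityfilter; the class name, the marker attribute name, the `homePath` init parameter and the `/home.jsp` default are all hypothetical, and it compiles against the Servlet 2.5 API that Tomcat 6 provides.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: sends an authenticated user to the home page when the
 * session lacks the marker that the home page sets, which is the state a
 * fresh session is in after a restart and a replayed saved request.
 * Map it in web.xml to the protected URL patterns of the application.
 */
public class SessionIntegrityFilter implements Filter {

    /** Hypothetical session attribute meaning "home page has initialised this session". */
    static final String MARKER = "app.sessionInitialised";

    /** Hypothetical default; override with the init parameter "homePath". */
    private String homePath = "/home.jsp";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("homePath");
        if (configured != null && configured.startsWith("/")) {
            homePath = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Unauthenticated requests are left to the container's form login.
        if (request.getUserPrincipal() == null) {
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(true);
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);

        if (homePath.equals(path)) {
            // The home page is where session state gets initialised, so
            // reaching it marks the session as complete.
            session.setAttribute(MARKER, Boolean.TRUE);
        } else if (session.getAttribute(MARKER) == null) {
            // Fresh session on a deep link: drop the replayed request and
            // start the user at the predetermined page instead.
            response.sendRedirect(
                    response.encodeRedirectURL(request.getContextPath() + homePath));
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```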



Re: Share war file / virtual hosts

2008-09-22 Thread Mathias P.W Nilsson

I actually think I got it up and running. I have assigned 2 addresses to the
same ethernet card and added 2 ssl connectors to server.xml and tomcat did
not crash. So I guess it was my lack of knowledge that did this. 

I must have an mx record for the new ipaddress to know for a fact but thanks
all for putting up with my silly questions. 

One connector with redirect to https port
2 connectors one for each ssl assigned to an ip.

// Mathias



Script will not start Tomcat6 on restart

2008-09-22 Thread Robert Gonzales




Current environment:
RHEL 5
JDK 1.5.0
Tomcat6
Virtual Machine

Hello all,
I am looking at our existing script; we are trying to find out why our script
will not start Tomcat6. We have checked the following.

Run level is 3
Checked /etc/rc3.d for symbolic link, here is what is listed:
S80tomcat6 -> ../init.d/tomcat6
Also checked /etc/rc.d/rc3.d:
S80tomcat6 -> ../init.d/tomcat6
Checked: /etc/init.d/tomcat6

Below is the script that is not starting the service

RE: Tomcat 6 Context Configuration

2008-09-22 Thread Caldarale, Charles R
 From: mookiegp [mailto:[EMAIL PROTECTED]
 Subject: Tomcat 6 Context Configuration

 I can't seem to figure out where in the configuration
 files I can change Tomcat to change the path to my web
 apps on the E drive.

If you want Tomcat to use just the webapps on your E: drive and not any of the 
normally included ones, then change the <Host> appBase attribute to point to 
the directory under which each of your webapps is installed.

If you want to keep the webapps that are bundled with Tomcat and add yours, 
then create a file named conf/Catalina/[host]/[appName].xml for each webapp; 
each such file should contain a <Context> element with a docBase attribute 
giving the absolute path to the associated webapp.  (Do not use the path 
attribute; that is determined by the name of the XML file.)

 - Chuck





RE: Tomcat 6 Context Configuration

2008-09-22 Thread mookiegp

Ok. I changed the following in C:\Program Files\Apache Software
Foundation\Tomcat 6.0\conf\server.xml

Changed this:
<Host name="localhost"  appBase="webapps"

To this:
<Host name="localhost"  appBase="E:\Public\Files\My Docs\Web\Sites"

Inside the directory on the E: drive is a copy of the default Tomcat
index.html file for testing purposes. After restarting Tomcat nothing
happens.

Here's a link to a screenshot of Firefox and IE. One working with default
configuration and one when I make the change.
http://66.39.112.245/tmp/tomcat-screenshot.jpg

Is there other conf file I need to change?



Caldarale, Charles R wrote:
 
 From: mookiegp [mailto:[EMAIL PROTECTED]
 Subject: Tomcat 6 Context Configuration

 I can't seem to figure out where in the configuration
 files I can change Tomcat to change the path to my web
 apps on the E drive.
 
 If you want Tomcat to use just the webapps on your E: drive and not any of
 the normally included ones, then change the <Host> appBase attribute to
 point to the directory under which each of your webapps is installed.
 
 If you want to keep the webapps that are bundled with Tomcat and add
 yours, then create a file named conf/Catalina/[host]/[appName].xml for
 each webapp; each such file should contain a <Context> element with a
 docBase attribute giving the absolute path to the associated webapp.  (Do
 not use the path attribute; that is determined by the name of the XML
 file.)
 
  - Chuck
 
 
 
 
 




RE: Tomcat 6 Context Configuration

2008-09-22 Thread Caldarale, Charles R
 From: mookiegp [mailto:[EMAIL PROTECTED]
 Subject: RE: Tomcat 6 Context Configuration

 <Host name="localhost"  appBase="E:\Public\Files\My Docs\Web\Sites"
 Inside the directory on the E: drive is a copy of the
 default Tomcat index.html file for testing purposes.

That's not correct.  Each webapp must be in a directory (or .war file) 
immediately under the appBase directory.  So if you have webapps A, B, and C, 
you need these directories:
  E:\Public\Files\My Docs\Web\Sites\A
  E:\Public\Files\My Docs\Web\Sites\B
  E:\Public\Files\My Docs\Web\Sites\C
with appropriate files underneath those.  (The structure of a webapp is 
specified in the Servlet spec - JSR 154; you should use that as a reference.)

The default webapp must be named ROOT (case sensitive, even on Windows).  You 
need to put the index.html file in:
  E:\Public\Files\My Docs\Web\Sites\ROOT

 - Chuck





Re: Cannot see cluster MBean

2008-09-22 Thread Filip Hanik - Dev Lists

this is work in progress

Filip

Landry Stephane Zeng Eyindanga wrote:

Hi all,
Here I come again. Can anyone help me please ? I am working on an 
application that uses tomcat clusters (tomcat 6).
I follow all the steps on clustering guide 
(http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html). I see 
all the MBeans but not the cluster MBean. is it a bug ? Is this  MBean 
still registered in tomcat 6.

this is my cluster configuration:

<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
         channelSendOptions="8">

  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           expireSessionsOnShutdown="false"
           notifyListenersOnReplication="true"/>

  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                address="228.0.0.4"
                port="45564"
                frequency="500"
                dropTime="3000"/>
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="auto"
              port="4000"
              autoBind="100"
              selectorTimeout="5000"
              maxThreads="6"/>

    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
  </Channel>

  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
         filter=""/>
  <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>

  <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
            tempDir="/tmp/war-temp/"
            deployDir="/tmp/war-deploy/"
            watchDir="/tmp/war-listen/"
            watchEnabled="false"/>

  <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>
Thanks









