RE: Performance with many small requests
From: David kerber [dcker...@verizon.net] My cpu usage for tomcat has gone from bouncing between 0 and 1 in task manager, to a steady 2 since more threads are now actually doing work instead of waiting around for their turn at the code, my disk writes per sec in perfmon have also more than doubled, and the destination log file is growing much faster as well. All excellent news. The fact that you've seen the performance double means that there was, in fact, a bottleneck there. Have you taken a new thread dump to see whether the locks (almost certainly on the log write) are still a problem? If so, you might have to go to a more complex scheme such as multiple log files managed by a pool manager. Don't even try to write the pool manager yourself; they're horribly messy things to get right and shake the race conditions out*. I half-remember Jakarta Commons has one that can be adapted if you get to that stage. Thanks a ton!!! No problem. - Peter * Yes, I did implement one. I still have the scars. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
AW: AW: Permanent Redirect?
Hello, Yes it works with Tuckey.org but, what about http and https? In my urlrewrite.xml only this entry: urlrewrite rule from/(.*)$/from to type=redirecthttp://www.thenewserver.de/$1/to /rule /urlrewrite But if the user came from https he should also redirected to https://thenewserver.de/?someparameters Greetings Alexander -Ursprüngliche Nachricht- Von: Pid [mailto:p...@pidster.com] Gesendet: Donnerstag, 30. April 2009 11:51 An: Tomcat Users List Betreff: Re: AW: Permanent Redirect? Alexander Diedler wrote: Hmm.. Seems not to be work for me The target is a http://www.siteA.de/index.jsp?WERWERWERWERWER redirect to http://www.siteB.de/index.jsp?WERWERWERWERWER I download the package, unzip and put the new content to a new, empty docBase folder. I edit my ROOT.xml in SiteA point to this new folder and create an empty web.xml that contains only filter filter-nameUrlRewriteFilter/filter-name filter-classorg.tuckey.web.filters.urlrewrite.UrlRewriteFilter/filter-cla ss /filter filter-mapping filter-nameUrlRewriteFilter/filter-name url-pattern/*/url-pattern /filter-mapping But where I have to define, what is the target of the redirect? Have you read: http://tuckey.org/urlrewrite/manual/3.0/ p My Tomcat: [tomcat-base]/conf/Catalina/www.siteA.de/ROOT.xml (Context docBase point to D:\Inetpub\SiteA) [tomcat-base]/conf/Catalina/www.siteB.de/ROOT.xml (Context docBase point to D:\Inetpub\SiteA) [tomcat-base]/conf/Catalina/www.siteC.de/ROOT.xml (Context docBase point to D:\Inetpub\SiteA) Same DocBase because it is a CMS with the functionality to show different content for different domains. Server.xml: Connector protocol=org.apache.coyote.http11.Http11Protocol port=443 address=xxx.xxx.xxx.209 addressminSpareThreads=5 maxSpareThreads=75 enableLookups=true disableUploadTimeout=true acceptCount=100 maxThreads=200 scheme=https secure=true SSLEnabled=true keystoreFile=D:/Keystore/siteA.kdb keystorePass=changeit clientAuth=false sslProtocol=TLS/ Connector protocol=org.apache.coyote.http11.Http11Protocol port=443 address=xxx.xxx.xxx.210 addressminSpareThreads=5 maxSpareThreads=75 enableLookups=true disableUploadTimeout=true acceptCount=100 maxThreads=200 scheme=https secure=true SSLEnabled=true keystoreFile=D:/Keystore/siteB.kdb keystorePass=changeit clientAuth=false sslProtocol=TLS/ Connector protocol=org.apache.coyote.http11.Http11Protocol port=443 address=xxx.xxx.xxx.211 addressminSpareThreads=5 maxSpareThreads=75 enableLookups=true disableUploadTimeout=true acceptCount=100 maxThreads=200 scheme=https secure=true SSLEnabled=true keystoreFile=D:/Keystore/www_siteC.kdb keystorePass=changeit clientAuth=false sslProtocol=TLS/ If this is a very bad configuration, I am open for any better suggestions of you... Greetings Alexander Diedler -Ursprüngliche Nachricht- Von: Pid [mailto:p...@pidster.com] Gesendet: Montag, 27. April 2009 11:11 An: Tomcat Users List Betreff: Re: Permanent Redirect? Alexander Diedler wrote: Hello everybody, I have a question to implement a permanent redirect for an old domain to a new domain on the Tomcat 6.0.16 Server. It is definied in the server.xml as it own connector (for SSL) and now we want, that if we fill-in www.websiteA.de http://www.websiteA.de we will be redirected to www.websiteB.de http://www.websiteB.de automatically. A small webapp deployed in websiteA.de/ROOT that contains a servlet Filter which is coded to issue an appropriate redirect to the new URL. You could avoid rolling your own and try: tuckey.org/urlrewrite/ p Greetings Alexander - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org smime.p7s Description: S/MIME cryptographic signature
centralized server
Hi, Is there a way to log all the catalina.out files of tomcat hosted on different servers to a centralized server and view it using a web Interface? Thanks and Regards Kaushal
RE: Tomcat 5.5.27 404 for JSP's in a particular derectory
Caldarale, Charles R wrote: 1. The shuppin directory is a subdirectory which is inside a ROOT application directory, it has other sibling directories which are working correctly. They may appear to work correctly, but that's probably just an accident. Each webapp should be directly under the Host appBase (by default, that's Tomcat's webapps directory). Placing a directory under webapps/ROOT makes it part of the default webapp rather than being its own webapp. Sounds like your directory setup is incorrect, as well might be other config settings. What Context elements have you specified? Where are they located? What's in the individual webapp WEB-INF/web.xml files? OK I spoke too soon, you were right the invoker issue did not sort out my problem I have the following in my server.xml Host name=auction appBase=/var/www/auction unpackWARs=true autoDeploy=false xmlValidation=false xmlNamespaceAware=false Aliasauction.provide-cars.com/Alias /Host I have a dir called /var/www/auction/ROOT in which I have /var/www/auction/ROOT/shuppin as well as /var/www/auction/ROOT/dir and /var/www/auction/ROOT/members the dir and members dirs are working fine, have no problem accessing beans etc in /var/www/auction/ROOT/WEB-INF/Classes. I have added no other contexts and am completely lost why this shuppin dir should throw 404's unless you change its name. As I said earlier I do have a package/dir at /var/www/auction/ROOT/WEB-INF/Classes/shuppin/ which may have something to do with it? This is wierd because I had it working once? Thanks again for any help Richard -- View this message in context: http://www.nabble.com/Tomcat-5.5.27-404-for-JSP%27s-in-a-particular-derectory-tp23475510p23481918.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 5.5.27 404 for JSP's in a particular derectory
Thanks all for your help I am stupid stupid stupid I had my ftp set up so that even though ROOT houses my app I have ROOT and shuppin in the same directory aswell as shuppin inside the ROOT dir so it looked in the sibling of ROOT rather than the child of ROOT Thanks again for your help Richard -- View this message in context: http://www.nabble.com/Tomcat-5.5.27-404-for-JSP%27s-in-a-particular-derectory-tp23475510p23482270.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 5.5.27 404 for JSP's in a particular derectory
Mackstar wrote: Thanks all for your help I am stupid stupid stupid I had my ftp set up so that even though ROOT houses my app I have ROOT and shuppin in the same directory aswell as shuppin inside the ROOT dir so it looked in the sibling of ROOT rather than the child of ROOT Thanks again for your help Richard Yup... that will do it. shuppin as a sibling would have been seen as a webapp and it would have ended up with the request. --David - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Trouble parsing datetime strings
This is related to the performance issues discussed in the thread Performance with many small requests. When I reworked my servlet to synchronize only on pieces that needed to be synchronized, rather than on the entire request processing routine, I am now throwing an exception when parsing a string into a java.util.Date variable. It only happens occasionally, maybe once every few dozen to a hundred or so requests, and I can't figure out why it doesn't work all the time. Declared at the class level, I have: private static final SimpleDateFormatsdfFullDateTime = new SimpleDateFormat( -MM-dd HH:mm:ss ); Then in the request processing method, I have dateTimeStr = dateStr + + timeStr; try { dataDate = sdfFullDateTime.parse( dateTimeStr ); } catch ( Exception e ) { writeLog( Unable to parse dataTime string: ', dateTimeStr + ': + e ); } (the try/catch is there only for debugging this issue), and in the log I'm seeing: 2009-05-11 09:19:54: Unable to parse dateTime string: ': '2009-05-11 09:19:37': java.lang.NumberFormatException: For input string: ' Which I don't understand at all; dateDate (java.util.Date), dateStr (String), timeStr (String) and dateTimeStr (String) are all declared in the processing method, NOT at the class level. Maybe I should move the declaration of the SimpleDateFormat into the processing method? Or synchronize the date parse? I'm kind of lost here; any help appreciated!! Dave - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Trouble parsing datetime strings
Hello, Date formats are not synchronized. It is recommended to create separate format instances for each thread. If multiple threads access a format concurrently, it must be synchronized externally. This is from the reference of JDK API. 2009/5/11 David kerber dcker...@verizon.net This is related to the performance issues discussed in the thread Performance with many small requests. When I reworked my servlet to synchronize only on pieces that needed to be synchronized, rather than on the entire request processing routine, I am now throwing an exception when parsing a string into a java.util.Date variable. It only happens occasionally, maybe once every few dozen to a hundred or so requests, and I can't figure out why it doesn't work all the time. Declared at the class level, I have: private static final SimpleDateFormatsdfFullDateTime = new SimpleDateFormat( -MM-dd HH:mm:ss ); Then in the request processing method, I have dateTimeStr = dateStr + + timeStr; try { dataDate = sdfFullDateTime.parse( dateTimeStr ); } catch ( Exception e ) { writeLog( Unable to parse dataTime string: ', dateTimeStr + ': + e ); } (the try/catch is there only for debugging this issue), and in the log I'm seeing: 2009-05-11 09:19:54: Unable to parse dateTime string: ': '2009-05-11 09:19:37': java.lang.NumberFormatException: For input string: ' Which I don't understand at all; dateDate (java.util.Date), dateStr (String), timeStr (String) and dateTimeStr (String) are all declared in the processing method, NOT at the class level. Maybe I should move the declaration of the SimpleDateFormat into the processing method? Or synchronize the date parse? I'm kind of lost here; any help appreciated!! Dave - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Sincerely yours and Best Regards, Xie Xiaodong
RE: Trouble parsing datetime strings
From: David kerber [mailto:dcker...@verizon.net] Subject: Trouble parsing datetime strings Declared at the class level, I have: private static final SimpleDateFormatsdfFullDateTime = new SimpleDateFormat( -MM-dd HH:mm:ss ); Oops. Read the fine print for SimpleDateFormat: Date formats are not synchronized. It is recommended to create separate format instances for each thread. If multiple threads access a format concurrently, it must be synchronized externally. Rather than introducing another bottleneck by synchronizing, you may be better off keeping separate SDF objects for each request. If this is your only webapp, you could get away with storing one per thread as a ThreadLocal. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: how to enable management agent on a process
From: Anamika raj [mailto:rajnam...@gmail.com] Subject: Re: how to enable management agent on a process i am not getting how to set com.sun.management.jmxremote in the system property. The basic answer is that you set it the same way you set any other Java system property. Perhaps you need to learn Java fundamentals. It's difficult to give you specifics when you don't bother to provide basic information such as Tomcat version, JVM level, and the platform you're running on. Also, if it's Windows, are you running Tomcat via the scripts, or as a service? If Linux/UNIX, how are your starting Tomcat? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Performance with many small requests
Peter Crowther wrote: From: David kerber [dcker...@verizon.net] My cpu usage for tomcat has gone from bouncing between 0 and 1 in task manager, to a steady 2 since more threads are now actually doing work instead of waiting around for their turn at the code, my disk writes per sec in perfmon have also more than doubled, and the destination log file is growing much faster as well. All excellent news. The fact that you've seen the performance double means that there was, in fact, a bottleneck there. Have you taken a new thread dump to see whether the locks (almost certainly on the log write) are still a problem? If so, you might have to go to a more complex scheme such as multiple log files managed by a pool manager. Don't even try to write the pool manager yourself; they're horribly messy things to get right and shake the race conditions out*. I half-remember Jakarta Commons has one that can be adapted if you get to that stage. From what I can tell now, it looks like most of my wait time is on socket reads. In the thread dump I took about 20 minutes ago, I didn't see any waiting on disk writes: The line listed in this one is my inputStream.read(): [2009-05-11 08:20:09] [info] http-1024-Processor8 [2009-05-11 08:20:09] [info] daemon [2009-05-11 08:20:09] [info] prio=6 tid=0x270e83c8 [2009-05-11 08:20:09] [info] nid=0xcd4 [2009-05-11 08:20:09] [info] runnable [2009-05-11 08:20:09] [info] [0x2755f000..0x2755f9e4] [2009-05-11 08:20:09] [info] at java.net.SocketInputStream.socketRead0(Native Method) [2009-05-11 08:20:10] [info] at java.net.SocketInputStream.read(Unknown Source) [2009-05-11 08:20:10] [info] at org.apache.coyote.http11.InternalInputBuffer.fill(InternalInputBuffer.java:747) [2009-05-11 08:20:10] [info] at org.apache.coyote.http11.InternalInputBuffer$InputStreamInputBuffer.doRead(InternalInputBuffer.java:777) [2009-05-11 08:20:10] [info] at org.apache.coyote.http11.filters.IdentityInputFilter.doRead(IdentityInputFilter.java:115) [2009-05-11 08:20:10] [info] at org.apache.coyote.http11.InternalInputBuffer.doRead(InternalInputBuffer.java:712) [2009-05-11 08:20:10] [info] at org.apache.coyote.Request.doRead(Request.java:423) [2009-05-11 08:20:10] [info] at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:283) [2009-05-11 08:20:10] [info] at org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:404) [2009-05-11 08:20:10] [info] at org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:298) [2009-05-11 08:20:10] [info] at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:192) [2009-05-11 08:20:10] [info] at eddsrv.EddRcvr.processRequest(EddRcvr.java:199) [2009-05-11 08:20:10] [info] at eddsrv.EddRcvr.doPost(EddRcvr.java:94) [2009-05-11 08:20:10] [info] at javax.servlet.http.HttpServlet.service(HttpServlet.java:709) [2009-05-11 08:20:10] [info] at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) [2009-05-11 08:20:10] [info] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252) [2009-05-11 08:20:10] [info] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) [2009-05-11 08:20:10] [info] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) [2009-05-11 08:20:10] [info] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178) [2009-05-11 08:20:10] [info] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126) [2009-05-11 08:20:10] [info] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) [2009-05-11 08:20:10] [info] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107) [2009-05-11 08:20:11] [info] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) [2009-05-11 08:20:11] [info] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869) [2009-05-11 08:20:11] [info] at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667) [2009-05-11 08:20:11] [info] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527) [2009-05-11 08:20:11] [info] at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80) [2009-05-11 08:20:11] [info] at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) [2009-05-11 08:20:11] [info] at java.lang.Thread.run(Unknown Source) [2009-05-11 08:20:11] [info] This one seems to be waiting on something in tomcat itself: [2009-05-11 08:19:49] [info] http-1024-Processor45 [2009-05-11 08:19:49] [info] daemon [2009-05-11 08:19:49] [info] prio=6 tid=0x26fa6f38 [2009-05-11 08:19:49] [info] nid=0x340 [2009-05-11
Re: Trouble parsing datetime strings
2009/5/11 David kerber dcker...@verizon.net: This is related to the performance issues discussed in the thread Performance with many small requests. When I reworked my servlet to synchronize only on pieces that needed to be synchronized, rather than on the entire request processing routine, I am now throwing an exception when parsing a string into a java.util.Date variable. It only happens occasionally, maybe once every few dozen to a hundred or so requests, and I can't figure out why it doesn't work all the time. Declared at the class level, I have: private static final SimpleDateFormat sdfFullDateTime = new SimpleDateFormat( -MM-dd HH:mm:ss ); Then in the request processing method, I have dateTimeStr = dateStr + + timeStr; try { dataDate = sdfFullDateTime.parse( dateTimeStr ); } catch ( Exception e ) { writeLog( Unable to parse dataTime string: ', dateTimeStr + ': + e ); } (the try/catch is there only for debugging this issue), and in the log I'm seeing: 2009-05-11 09:19:54: Unable to parse dateTime string: ': '2009-05-11 09:19:37': java.lang.NumberFormatException: For input string: ' Which I don't understand at all; dateDate (java.util.Date), dateStr (String), timeStr (String) and dateTimeStr (String) are all declared in the processing method, NOT at the class level. Maybe I should move the declaration of the SimpleDateFormat into the processing method? Or synchronize the date parse? I'm kind of lost here; any help appreciated!! Dave As the JavaDoc says http://java.sun.com/javase/6/docs/api/java/text/SimpleDateFormat.html Date formats are not synchronized. It is recommended to create separate format instances for each thread You may either create a new instance of SimpleDateFormat each time, or add a synchronization around that part of code, or use a ThreadLocal (though ThreadLocal has its own caveats as the threads belong to Tomcat and are shared among applications). Without profiling you would not know which one of the ways I am mentioning is faster. Maybe I would start with creating a new instance each time, as GC for short-living objects seems to be cheap in recent JREs. Though without profiling you will not get the numbers. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Performance with many small requests
From: David kerber [mailto:dcker...@verizon.net] Subject: Re: Performance with many small requests From what I can tell now, it looks like most of my wait time is on socket reads. In the thread dump I took about 20 minutes ago, I didn't see any waiting on disk writes: The line listed in this one is my inputStream.read(): Waiting for the body of the request to show up. This one seems to be waiting on something in tomcat itself: Waiting for the request header to show up. If that's all you're seeing in the thread dump, then it does look like the network is sluggish, as I think you mentioned before. You might try running Wireshark or equivalent to monitor the traffic and see just how long it takes for each segment of the message to be delivered to the server. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Trouble parsing datetime strings
Konstantin Kolinko wrote: ... As the JavaDoc says http://java.sun.com/javase/6/docs/api/java/text/SimpleDateFormat.html Date formats are not synchronized. It is recommended to create separate format instances for each thread You may either create a new instance of SimpleDateFormat each time, or add a synchronization around that part of code, or use a ThreadLocal (though ThreadLocal has its own caveats as the threads belong to Tomcat and are shared among applications). Without profiling you would not know which one of the ways I am mentioning is faster. Maybe I would start with creating a new instance each time, as GC for short-living objects seems to be cheap in recent JREs. Though without profiling you will not get the numbers. Thanks, guys! Obviously I missed that part when I was looking for a fix for this issue. For now, I took the simplest (from a coding standpoint) way out, and moved the declaration of the SimpleDateFormat into each method where it's used, and that has fixed the issue. From the quick reading I did, I imagine that will give me a bit of a performance hit compared to using ThreadLocal, but since I've never used the ThreadLocal pattern before, I didn't want to try implementing it on the fly, just to fix this issue. As for whether synchronization would be faster than local declaration, I'll try doing some benchmarking at some point. Dave - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to enable management agent on a process
Well, you did not mention the platform under which you are running Tomcat, nor the Tomcat version, not the Java version, so I could only give you general stuff. (And if this happened to be a Tomcat running under Windows, please also indicate how you are starting Tomcat). Anamika raj wrote: The link which you gave me i have gone through it before ...but i am not getting how to set com.sun.management.jmxremote in the system property. as it is written in the given link- To enable the JMX agent for local access, set this system property when you start the JVM or Java application: com.sun.management.jmxremote I am not getting how to do it. please help me thanx awarnier wrote: Anamika raj wrote: i am configuring a server to monitor it with jconsole locally.when i m starting the jconsole PID is showing for that server in the jconsole(for local monitoring) but it is giving me message that management agent is not enables on that process. how to enable the management agent for that process or tell me for any process in simple,step by step. i didnt do any configuration to monitor that server with Jconsole,do i need to do anything to configure any server with jconsole? I want to know if i want to monitor any server what configuration I have to do. Read : http://java.sun.com/j2se/1.5.0/docs/guide/management/agent.html Example jvm settings for starting Tomcat to allow jconsole monitoring (! with no security !) : -Dcom.sun.management.jmxremote.port=8200 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Getting the Right High Availability Architecture for Tomcat
Caldarale, Charles R wrote: Have you considered doing the SSL processing in the load balancer(s)? It would make life simpler. - Chuck From application's perspective it really does not make much of a difference where SSL is done - actually it does make now after your explanation - thanks for that - however this change would need to be run and approved by our networking and security people first. In any case I am afraid that even if they are willing to move SSL processing to the balancers this change may not happen in time for our first application, so we might end up with the setup as I described it in my original post. Our applications do not issue concurrent requests to the servers, i.e. they are classical web applications where the user activates a control on a page and then waits for a page to refresh or a new page to load. Therefore under normal usage scenarios concurrent requests should really not happen. I say normal as it is possible for a user to resubmit a request by reloading a page using browser controls. However we warn the users to use only controls on the page and gray-out submit buttons once a request is submitted so hopefully this should not be an issue. With such an application in mind would you see an issue with not implementing sticky session? Again, I was able to test that and the only issue that I am seeing is that JSESSIONID changes depending on what Tomcat instance processed it, but again, I am not sure if that is really an issue or not? Thanks Nash -- View this message in context: http://www.nabble.com/Getting-the-Right-High-Availability-Architecture-for-Tomcat-tp23452018p23485311.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Getting the Right High Availability Architecture for Tomcat
Nenad Kovacevic wrote: Caldarale, Charles R wrote: Have you considered doing the SSL processing in the load balancer(s)? It would make life simpler. - Chuck From application's perspective it really does not make much of a difference where SSL is done - actually it does make now after your explanation - thanks for that - however this change would need to be run and approved by our networking and security people first. In any case I am afraid that even if they are willing to move SSL processing to the balancers this change may not happen in time for our first application, so we might end up with the setup as I described it in my original post. Our applications do not issue concurrent requests to the servers, i.e. they are classical web applications where the user activates a control on a page and then waits for a page to refresh or a new page to load. Therefore under normal usage scenarios concurrent requests should really not happen. I say normal as it is possible for a user to resubmit a request by reloading a page using browser controls. However we warn the users to use only controls on the page and gray-out submit buttons once a request is submitted so hopefully this should not be an issue. With such an application in mind would you see an issue with not implementing sticky session? Again, I was able to test that and the only issue that I am seeing is that JSESSIONID changes depending on what Tomcat instance processed it, but again, I am not sure if that is really an issue or not? Not sure if it is relevant here : a browser will make (quasi-)concurrent requests to the server, for example when you load a html frames document. The first request will be for the frames document itself, but as soon as that one is returned, each frame in it will be the object of a new request. A similar case happens when a document merely contains img or style or script tags. To fill these slots, the browser will issue several requests (and probably establish several connections) in parallel. I know that this kind of thing can play havoc with some authentication schemes for instance. Again, I don't know if it is really a cause for concern in this situation. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Getting the Right High Availability Architecture for Tomcat
Nenad Kovacevic wrote: Caldarale, Charles R wrote: Have you considered doing the SSL processing in the load balancer(s)? It would make life simpler. - Chuck From application's perspective it really does not make much of a difference where SSL is done - actually it does make now after your explanation - thanks for that - however this change would need to be run and approved by our networking and security people first. In any case I am afraid that even if they are willing to move SSL processing to the balancers this change may not happen in time for our first application, so we might end up with the setup as I described it in my original post. Our applications do not issue concurrent requests to the servers, i.e. they are classical web applications where the user activates a control on a page and then waits for a page to refresh or a new page to load. Therefore under normal usage scenarios concurrent requests should really not happen. I say normal as it is possible for a user to resubmit a request by reloading a page using browser controls. However we warn the users to use only controls on the page and gray-out submit buttons once a request is submitted so hopefully this should not be an issue. With such an application in mind would you see an issue with not implementing sticky session? Again, I was able to test that and the only issue that I am seeing is that JSESSIONID changes depending on what Tomcat instance processed it, but again, I am not sure if that is really an issue or not? Thanks Nash Sorry, forgot to mention we are running Tomcat 6.0.18 on SunOS 5.8, our current java is 1.5 update 11. -- View this message in context: http://www.nabble.com/Getting-the-Right-High-Availability-Architecture-for-Tomcat-tp23452018p23485700.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Getting the Right High Availability Architecture for Tomcat
From: Nenad Kovacevic [mailto:micami...@yahoo.com] Subject: RE: Getting the Right High Availability Architecture for Tomcat Our applications do not issue concurrent requests to the servers, i.e. they are classical web applications where the user activates a control on a page and then waits for a page to refresh or a new page to load. Unless the pages are incredibly simplistic, there will be multiple concurrent requests. Each embedded object in the page along with any .css files will cause the browser to issue multiple requests in parallel. You also have no control over the user getting impatient and clicking more links or buttons before the prior one responds. However we warn the users to use only controls on the page and gray-out submit buttons once a request is submitted so hopefully this should not be an issue. Sorry, but that's rather naive. You cannot base the integrity of your application on trusting the user to always do the right thing. With such an application in mind would you see an issue with not implementing sticky session? Yes, I would. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AW: AW: Permanent Redirect?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Alexander, On 5/11/2009 4:56 AM, Alexander Diedler wrote: Yes it works with Tuckey.org but, what about http and https? In my urlrewrite.xml only this entry: urlrewrite rule from/(.*)$/from to type=redirecthttp://www.thenewserver.de/$1/to /rule /urlrewrite But if the user came from https he should also redirected to https://thenewserver.de/?someparameters RTFM condition type=scheme value=https / vs. condition type=scheme value=http / - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIR88ACgkQ9CaO5/Lv0PCt7ACfahPXAzDjEuKIgXZMH42aELyQ jnAAnjvMqaYsMFE2kXclOwC+B3dGovdy =8MKo -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Getting the Right High Availability Architecture for Tomcat
Actually, script tags load sequentially, I believe. (Not sure about css.) -- Robin D. Wilson On May 11, 2009, at 10:28 AM, André Warnier a...@ice-sa.com wrote: Nenad Kovacevic wrote: Caldarale, Charles R wrote: Have you considered doing the SSL processing in the load balancer(s)? It would make life simpler. - Chuck From application's perspective it really does not make much of a difference where SSL is done - actually it does make now after your explanation - thanks for that - however this change would need to be run and approved by our networking and security people first. In any case I am afraid that even if they are willing to move SSL processing to the balancers this change may not happen in time for our first application, so we might end up with the setup as I described it in my original post. Our applications do not issue concurrent requests to the servers, i.e. they are classical web applications where the user activates a control on a page and then waits for a page to refresh or a new page to load. Therefore under normal usage scenarios concurrent requests should really not happen. I say normal as it is possible for a user to resubmit a request by reloading a page using browser controls. However we warn the users to use only controls on the page and gray-out submit buttons once a request is submitted so hopefully this should not be an issue. With such an application in mind would you see an issue with not implementing sticky session? Again, I was able to test that and the only issue that I am seeing is that JSESSIONID changes depending on what Tomcat instance processed it, but again, I am not sure if that is really an issue or not? Not sure if it is relevant here : a browser will make (quasi-)concurrent requests to the server, for example when you load a html frames document. The first request will be for the frames document itself, but as soon as that one is returned, each frame in it will be the object of a new request. A similar case happens when a document merely contains img or style or script tags. To fill these slots, the browser will issue several requests (and probably establish several connections) in parallel. I know that this kind of thing can play havoc with some authentication schemes for instance. Again, I don't know if it is really a cause for concern in this situation. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based Container Security with SSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Guojun, On 5/8/2009 5:27 PM, Guojun Zhu wrote: What do you mean You want to ensure a session is created in non-secure more BEFORE the user submits their credentials.? Session id cookies are created by Tomcat in either secure mode (when the session is created during a HTTPS request) or non-secure mode (when the session is created during a HTTP request). If you get a secure cookie, the browser will no longer send it to the server when you go back to HTTP mode. So, you have to make sure you get a non-secure cookie. Your options are (as previously stated) 1. Modify the cookie to make sure it's not set to secure=true or 2. Modify your web application to ensure the session id cookie is created in non-secure mode. This may require you to expire a session id cookie that is already in secure mode, redirect to a non-secure page that creates a new (non-secure) session cookie, and then redirects to your login page so you can be authenticated in a secure environment (but still with a non-secure session id cookie). I am sorry, but I am not sure that I understand what you mean. All your solutions is to modify the login.jsp. But we have already reach there by http unsecurely whenever I try to access any restricted pages. Showing a non-secure login page isn't a problem, is it? You just need to make sure that the login form's action is HTTPS and you will get a secure login. Furthermore, in your solution, what cookie should I get? Is there any special one? You will always get a cookie with the name JSESSIONID created by Tomcat. This is the cookie you need to make sure is /not/ in secure mode. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoISRgACgkQ9CaO5/Lv0PAmIACgmgOzZlbJ0ey62HBTW7WRIKV4 MtkAnil4A/2Ra8KEMh/7D3Jy+/ETl1Xe =4RUF -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: IIS Redirect Issue
The tomcat5.exe is running away with just bringing up the redirect servlet examples. No self-written Java has been added; just running the default, full-install items from Tomcat. I don't know what else to try. Maybe since I'm running Server 2k3R2 within VMWare with VMWare tools installed, this is giving us this issue. I just need to get this up and working properly and with just a default-full install of Tomcat, I'm getting these issues. IIS Configuration: Default Website: ISAPI Filters - Added Jakarta and pointed it to the location of the isapi_redirect.dll file. I've tried versions .14 through .28 and have the same issue with each. Virtual Directory - Added jakarta virtual directory and pointed it to the folder hosting the isapi_redirect.dll file. Again, I've tried versions .14 through .28 and have the same issue with each. Web Service Extension: Added Jakarta web service extension and added the locations for all the isapi_redirect.dll files; version .14 through .28. All files are allowed as well as the Jakarta web service extension. I can bring up the Tomcat welcome page fine; http://localhost:8080. I can bring up the servlet HelloWorldExample fine; http://localhost:8080/servlets-examples/servlet/HelloWorldExample. The tomcat5.exe service is fine. When I go to test the redirect, I remove the :8080 at the end of the URL and it comes up (http://localhost/servlets-examples/servlet/HelloWorldExample), but the tomcat5.exe service maxes out the CPU; 99% I ran the Process Explorer and have the following Thread going hay-wire. TID 3488 CPU 95.38 Cswitch Delta Jumps around from as high as 50 to as low as 27 Start Address MSVCRT.dll!endthreadex+0x2f Stack: ntkrnlpa.exe+0x87b1d ntkrnlpa.exe+0x2721e ntkrnlpa.exe+0x14a3ae ntkrnlpa.exe+0x2c36e hal.dll+0x5f1f hal.dll+0x6153 hal.dll+0x62f1 ntkrnlpa.exe+0x87900 ntkrnlpa.exe+0x838cf ntdll.dll!KiFastSystemCallRet WS2_32.dll!select+0xa1 tcnative-1.dll!Java_org_apache_tomcat_jni_OS_info+0xa236 tcnative-1.dll!Java_org_apache_tomcat_jni_Poll_poll+0xc6 -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Sunday, May 10, 2009 8:41 AM To: Tomcat Users List Subject: Re: IIS Redirect Issue On 10.05.2009 12:43, Maze, Jeffrey S. wrote: It's running on IIS6 and Win2k3 Server. I downloaded version .15 through .28 and will try different versions and see if it still occurs. If it is coming from the redirector, I would expect to see heavy continuing log activity once you switch the log level of the redirector to trace. It could also be a problem with the tcnative connector on the Tomcat side in case you use it. If you use it, try removing tcnative and check again. You can also use Microsoft Process Explorer (aka Sysinternals) and check, which thread uses the cpu, and then use the stack shown there and more likely the thread in a Java thread dump via jstack, to see in which code the thread loops. Regards, Rainer Thanks.. -Jeff -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Saturday, May 09, 2009 2:52 PM To: Tomcat Users List Subject: Re: IIS Redirect Issue Maze, Jeffrey S. wrote: Hello, I'm new to the list. I'm having an issues with Tomcat. I'm using version 1.2.28 of the redirect, and I've tried Tomcat versions 6.0.18 and 5.5.27 and Java versions 1.5u18 and 1.6u13. No matter what Tomcat or Java version I use, I have the same issues; redirect is the only thing in common. If I run the Hello World! example using localhost:8080, it works fine. I have the IIS redirect setup correctly because I can remove the 8080, the page redirect correctly and I see the Hello World!. This is when something odd happens. The tomcat5.exe service goes into run-away; CPU usage showing 99% and the system slows WAY down. I can hit all the other examples using port 8080 fine, but the instant I try anything without port 8080, Tomcat goes haywire. Any ideas on where I should look to begin troubleshooting this issue? I'm guessing a bug in the isapi_redirect.dll Maybe try an older version? Also, which OS and IIS version are you using? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: IIS Redirect Issue
From: Maze, Jeffrey S. [mailto:jm...@co.geauga.oh.us] Subject: RE: IIS Redirect Issue I ran the Process Explorer and have the following Thread going hay- wire. tcnative-1.dll!Java_org_apache_tomcat_jni_OS_info+0xa236 tcnative-1.dll!Java_org_apache_tomcat_jni_Poll_poll+0xc6 It could also be a problem with the tcnative connector on the Tomcat side in case you use it. If you use it, try removing tcnative and check again. Rainer already provided the above suggestion, which seems to be highly applicable, given the thread trace. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: IIS Redirect Issue
Thanks for the reply.. Originally, I wasn't sure how to accomplish this, but after googling a found what he meant. I just ended up renaming the file and now the Tomcat server doesn't go into runaway during a IIS redirect. Thanks! But I have another question, what exactly does this tcnative-1.dll file do? What are the advantages/disadvantages/security issues with Tomcat not using this file? Thanks again.. -Jeff -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Monday, May 11, 2009 12:10 PM To: Tomcat Users List Subject: RE: IIS Redirect Issue From: Maze, Jeffrey S. [mailto:jm...@co.geauga.oh.us] Subject: RE: IIS Redirect Issue I ran the Process Explorer and have the following Thread going hay- wire. tcnative-1.dll!Java_org_apache_tomcat_jni_OS_info+0xa236 tcnative-1.dll!Java_org_apache_tomcat_jni_Poll_poll+0xc6 It could also be a problem with the tcnative connector on the Tomcat side in case you use it. If you use it, try removing tcnative and check again. Rainer already provided the above suggestion, which seems to be highly applicable, given the thread trace. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: IIS Redirect Issue
From: Maze, Jeffrey S. [mailto:jm...@co.geauga.oh.us] Subject: RE: IIS Redirect Issue what exactly does this tcnative-1.dll file do? It's the same HTTP[S] handling code that's in httpd, which is why it's called Apache Portable Runtime. What are the advantages/disadvantages/security issues with Tomcat not using this file? No security impacts (unless there's a bug in the code, but it's been around a long time). Better performance with SSL, since APR uses OpenSSL rather than doing all the number crunching in Java. You might see better performance with non-SSL, but that appears to be application dependent. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Preventing OutOfMemoryError: Java heap space
I have a Java application running under Tomcat 6.0.18 on Ubuntu. This is using Sun's 1.6.0_07 JVM. I know how to set the max heap space by setting -Xmx256m in CATALINA_OPTS. But with a lot of sessions, I still have the possibility of running out of heap space. My application uses a lot of memory per user. I know I should avoid this, but at this point I can't dramatically change the software. And most of the time we have a small number of users anyway. I would like to proactively avoid running out of heap space. I would like people get a Server Too Busy message, _before_ the heap is actually exhausted. I would rather serve 40 users well than 45 users poorly. I'm wondering if there are any Tomcat configuration options, or filters, or whatever, which might address this. My current idea, which I think is solid, is to check the available memory before populating any new Session instances. My current test uses the following formula to determine the amount of space available: Runtime.getRuntime().maxMemory() -Runtime.getRuntime().totalMemory() +Runtime.getRuntime().freeMemory(); In other words, take the amount of memory we COULD allocate, subtract the amount we HAVE allocated, and then add back the amount that is allocated but unused. To phrase it another way, add the amount of free memory to the amount of unallocated memory. In practice this formula approaches zero as I get closer and closer to running out of heap space. So it seems to be correct. I’m wondering what people think of this idea, or if there is a better / simpler way to accomplish my goal. Opinions? Ideas? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Preventing OutOfMemoryError: Java heap space
I think the results are going to be pretty erratic. The issue that I see is that the garbage collector operation is (to my knowledge) not deterministic. IOW, you're not really accounting for memory that could be garbage collected. So, I think that you'll have a systematic bias showing less memory than is actually available. I suppose you could throw in Runtime.getRuntime().runFinalization() Runtime.getRuntime().gc() However, runtime.gc() just suggests that the Java Virtual Machine expend effort toward recycling unused objects in order to make the memory they currently occupy available for quick reuse Todd Hivnor wrote: I have a Java application running under Tomcat 6.0.18 on Ubuntu. This is using Sun's 1.6.0_07 JVM. I know how to set the max heap space by setting -Xmx256m in CATALINA_OPTS. But with a lot of sessions, I still have the possibility of running out of heap space. My application uses a lot of memory per user. I know I should avoid this, but at this point I can't dramatically change the software. And most of the time we have a small number of users anyway. I would like to proactively avoid running out of heap space. I would like people get a Server Too Busy message, _before_ the heap is actually exhausted. I would rather serve 40 users well than 45 users poorly. I'm wondering if there are any Tomcat configuration options, or filters, or whatever, which might address this. My current idea, which I think is solid, is to check the available memory before populating any new Session instances. My current test uses the following formula to determine the amount of space available: Runtime.getRuntime().maxMemory() -Runtime.getRuntime().totalMemory() +Runtime.getRuntime().freeMemory(); In other words, take the amount of memory we COULD allocate, subtract the amount we HAVE allocated, and then add back the amount that is allocated but unused. To phrase it another way, add the amount of free memory to the amount of unallocated memory. In practice this formula approaches zero as I get closer and closer to running out of heap space. So it seems to be correct. I’m wondering what people think of this idea, or if there is a better / simpler way to accomplish my goal. Opinions? Ideas? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- George Sexton MH Software, Inc. Voice: +1 303 438 9585 URL: http://www.mhsoftware.com/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
How to configure Tomcat 6.0 with JAAS?
No matter what I do...I always get an 'HTTP Status 403 - Access to the requested resource has been denied error' displayed after authenticating in Tomcat with JAAS. Here is my configuration. Tomcat 6.0.x server.xml: ... Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false !-- JAAS config -- Realm className=org.apache.catalina.realm.JAASRealm appName=CDF_TestApp userClassNames=ipt.tas.security.login.TASUserPrincipal roleClassNames=ipt.tas.security.login.TASGroupPrincipal useContextClassLoader=true debug=99/ /Host /Engine /Service /Server Issues here...since TASUserPrincipal TASGroupPrincipal are not available yet (they are in my web app) hasn't started how can I delay configuration until my web app has started? (Doubt this is cause of error however). My WebApp web.xml: !--Test code to get JAAS to work-- servlet servlet-nameStartupServlet/servlet-name servlet-class com.issinc.cdf.servlet.StartupServlet /servlet-class load-on-startup1/load-on-startup /servlet security-constraint web-resource-collection web-resource-nameTest App/web-resource-name url-pattern/*/url-pattern /web-resource-collection auth-constraint role-namemembers/role-name /auth-constraint /security-constraint security-role description /description role-namemembers/role-name /security-role login-config auth-methodBASIC/auth-method realm-nameTest App Realm/realm-name /login-config !--End JAAS code-- Note that StartupServlet configures JAASConfiguration to load my custom LoginModule. When my web app starts I do get the authentication dialog and I enter my login info. I have debugged my custom LoginModule and login() and commit() both succeed/return true for the user. However when the app continues I get the 403 error stated above. What am I doing wrong? I don't understand if/how the role-name(s) specifed in the web.xml are validated at this point. Do I have to tie my Subject Principal to these roles somehow? Or are these roles just used by the JAAS logic after authenication is complete? I will say that if I remove the auth-constraint section then the login dialog is not even displayed. Can someone point me to my error? -Dave
Re: How to configure Tomcat 6.0 with JAAS?
Update. It looks like the problem is with the Tomcat Realm configuration. If I move the jar that contains these custom classes to the Tomcat lib folder then it works! However this is not a workable solution. I can't deploy jars like this. How can I delay JAAS realm configuration to my web app? After all what is the purpose of useContextClassLoader? Ideally I would like to move the configuration out of server.xml to my web app so this is self-contained. What is the right way to do this? -Dave On Mon, May 11, 2009 at 1:14 PM, David Hoffer dhoff...@gmail.com wrote: No matter what I do...I always get an 'HTTP Status 403 - Access to the requested resource has been denied error' displayed after authenticating in Tomcat with JAAS. Here is my configuration. Tomcat 6.0.x server.xml: ... Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false !-- JAAS config -- Realm className=org.apache.catalina.realm.JAASRealm appName=CDF_TestApp userClassNames=ipt.tas.security.login.TASUserPrincipal roleClassNames=ipt.tas.security.login.TASGroupPrincipal useContextClassLoader=true debug=99/ /Host /Engine /Service /Server Issues here...since TASUserPrincipal TASGroupPrincipal are not available yet (they are in my web app) hasn't started how can I delay configuration until my web app has started? (Doubt this is cause of error however). My WebApp web.xml: !--Test code to get JAAS to work-- servlet servlet-nameStartupServlet/servlet-name servlet-class com.issinc.cdf.servlet.StartupServlet /servlet-class load-on-startup1/load-on-startup /servlet security-constraint web-resource-collection web-resource-nameTest App/web-resource-name url-pattern/*/url-pattern /web-resource-collection auth-constraint role-namemembers/role-name /auth-constraint /security-constraint security-role description /description role-namemembers/role-name /security-role login-config auth-methodBASIC/auth-method realm-nameTest App Realm/realm-name /login-config !--End JAAS code-- Note that StartupServlet configures JAASConfiguration to load my custom LoginModule. When my web app starts I do get the authentication dialog and I enter my login info. I have debugged my custom LoginModule and login() and commit() both succeed/return true for the user. However when the app continues I get the 403 error stated above. What am I doing wrong? I don't understand if/how the role-name(s) specifed in the web.xml are validated at this point. Do I have to tie my Subject Principal to these roles somehow? Or are these roles just used by the JAAS logic after authenication is complete? I will say that if I remove the auth-constraint section then the login dialog is not even displayed. Can someone point me to my error? -Dave
RE: Preventing OutOfMemoryError: Java heap space
From: Todd Hivnor [spambox_98...@yahoo.com] I would like to proactively avoid running out of heap space. I would like people get a Server Too Busy message, _before_ the heap is actually exhausted. I would rather serve 40 users well than 45 users poorly. Rather than monitor memory, which is subject to GC whims as George points out, I'd suggest monitoring the number of sessions in your application - find a number of sessions you can live with, keep a (suitably synchronized) counter that's incremented and decremented as sessions are created and destroyed, and don't start new sessions if that counter is higher than your threshold. - Peter - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Getting the Right High Availability Architecture for Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Robin, On 5/11/2009 11:47 AM, Robin Wilson wrote: Actually, script tags load sequentially, I believe. (Not sure about css.) That's a pretty bold statement. The truth is, it's complicated. http://www.stevesouders.com/blog/2009/04/27/loading-scripts-without-blocking/ - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIh3MACgkQ9CaO5/Lv0PDJhACgjsNV9XMP8/rpYhn14JsS/Vky D7IAoJmqaYaK/7FAfp/ylb8TSPpaX4ld =vzs/ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Based Authentication creates user session before it is authenticated?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Umesh, On 5/8/2009 9:03 PM, umeshkavade wrote: In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session. I do not want my web application to create a session until user logs into the system. Pid is right, you can't avoid this. Tomcat stores the original request that caused authentication to be triggered in the session. Technically, it's not stored in the session attributes (so you can't manipulate it), but it's definitely tied to the session. If you want to avoid session creation, you'll have to roll your own authentication mechanism. I tried to figure out how form authenticator is working. I got source code of FormAuthenticator at: http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm You should get the source code from the actual source repository: http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Is there any way to avoid this and tell tomcat to not create session. No, you'd have to write your own authentication mechanism. Tomcat is required to store the request that triggered authentication for re-play after a successful authentication. If not the request, where else should it be stored? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIidsACgkQ9CaO5/Lv0PC2MgCgiHFPJfAotZX9ZSB89ADVt2r7 XT4AoLIq/Yo29sQOQM/DPDkDXqHARVR0 =A1z7 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Trouble parsing datetime strings
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 5/11/2009 10:22 AM, David kerber wrote: From the quick reading I did, I imagine that will give me a bit of a performance hit compared to using ThreadLocal, but since I've never used the ThreadLocal pattern before, I didn't want to try implementing it on the fly, just to fix this issue. As for whether synchronization would be faster than local declaration, I'll try doing some benchmarking at some point. I don't think that flyweighting SimpleDateFormat objects is worth it. Most of the time spent in SDF object code will be in the parse() method, not in the constructor. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIiw4ACgkQ9CaO5/Lv0PBsQQCfRi9WI2eqPQ9j0k72FxadZueD HnMAmwV/9rA9hOZVkUT01coUu4SX1czm =Qqx7 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Performance with many small requests
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Peter, On 5/8/2009 7:26 AM, Peter Crowther wrote: Decrypt: parallel. Send ack: parallel. Increment counters: synced. Write to log file: synced (or you'll have some very odd stuff happening). I'd go further and suggest that you re-factor your design so that your servlet is very simple. Something like this: public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { RequestCounter counter = ...; // get from app scope? Class-level? RequestLogger logger = ...; // same here RequestProcessor processor = ...; // same here counter.count(); processor.processRequest(request, response, false); logger.log(request, response); } Then its up to the RequestCounter to maintain its own synchonization (if necessary) instead of your servlet having to know the semantics of thread-safety, etc. Same with the logger. As someone mentioned, most logging frameworks handle synchronization for you, and most of them can buffer the output to their log files so that you are getting the best performance you can. I highly recommend using a logging framework, or developing something that meets your needs that is self-contained, can accept log entries from multiple concurrent clients (your servlets), and buffers output to the log file to keep performance up. What is it that processRequest actually does? Decryption? Hmm... is it possible for you to save the decryption for later? You could have a service that simply logs the notifications and then have a batch job that later does the decryption and throws-out all the incorrectly-encrypted data. Just another option. Finally... if you are logging all requests, is it necessary to keep a daily and total request count? You can avoid the synchronization of those counters entirely by ... not bothering to count them. Again, retrospective counting is a possibility. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIkLoACgkQ9CaO5/Lv0PAingCbBNb5ESoaIlDwoROOFrjmYySZ X94AniMh23cbmU2rodDw5fFISpRwDyhS =fB6Z -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Cluster session sync question (from documentation)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 5/6/2009 3:19 PM, André Warnier wrote: I can think of another : by using sticky sessions, you are forcing the load-balancer to keep track of which session belongs to which back-end, and to look up this table at each request. I could imagine that this could get tiresome.. Yeah, but this type of thing is what load balancers were born to do. It's only abusive if it's inappropriate. :) - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIklMACgkQ9CaO5/Lv0PAbeQCghcb+BQhopJpoKlxslhSZf21J B5UAnR2VOMjOGoCIGI1KM7vYmnpPaeJH =tJvb -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to build an multi lingual website
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andrew, On 5/7/2009 3:35 PM, Andrew Davidson wrote: My main website is in English. I want to have a landing page in Spanish that describes my website and invites the user to click through the English version of the web site. Any idea how I set this up using Tomcat? The bulk of our web site is static html pages. Some one sent me a link about how to do this using the Apache web server so that it check the Accept-Language of the http header http://developers.sun.com/dev/gadc/technicalpublications/articles/apache.html I have not been able to find a similar discussion for how to configure Tomcat to get similar behavior You can think about mod_* as a servlet in Tomcat that doesn't yet exist. You can implement any capability you need to match something that Apache httpd does with one of its modules. Do I have to replace index.html with a servlet that checks the value of Accept-Language and generates a redirect to something like index.html.en or index.html.[es] That sounds like a decent idea. Andre-John suggests using request.getLocale().getLanguage() to determine where to go. I would recommend getting the raw Accept-Language header information and checking that against the languages you support. You don't want to blindly redirect to index.html.zh when you only have index.html.en and index.html.es. You may be able to leverage urlrewrite (http://tuckey.org/urlrewrite/) to do your heavy-lifting. I think something like this would work: rule !-- Attempt to find Spanish without an English preference over it -- condition name=Accept-Language value=(en){0}?.*es(_[A-Z][A-Z])? / from/index.html/from !-- Don't try any more rules -- to last=true type=redirect/index.html.es/to /rule !-- Default rule: go to English for everyone else -- rule from/index.html/from to type=redirect/index.html.en/to /rule - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIlSMACgkQ9CaO5/Lv0PDqlwCdHP+bzdw6m4XMv05EnivZbtnk 7+gAn1Q4A4aOjCBjINhQQTUlApHUO4ND =ammP -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Confused by mpm/mod_jk
I'm trying to understand mpm_worker MaxCLients and it's relationship with mod_jk connection_pool_size. Here's what I've got at the moment: OS: Red Hat 5.2 Server httpd: 2.2.11 tomcat-connector: 1.2.28 tomcat: 6.0.18 Java: 1.6.0_13 httpd-mpm.conf: ListenBacklog 2048 IfModule mpm_worker_module StartServers 2 MaxClients 256 MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 32 MaxRequestsPerChild 0 /IfModule workers.properties: worker.tomcat1.type=ajp13 worker.tomcat1.host=127.0.0.2 worker.tomcat1.port=8009 worker.tomcat1.connection_pool_size=150 worker.tomcat1.connection_pool_timeout=600 worker.tomcat1.socket_keepalive=1 server.xml: Connector port=8009 protocol=AJP/1.3 address=127.0.0.2 redirectPort=443 maxThreads=150 / Also, I've added these to /etc/sysctl.conf # increase the maximum number of TCP connections. net.core.somaxconn = 2048 net.core.netdev_max_backlog = 1024 I've got three separate boxes running their own httpd/Tomcat, load balanced with LVS so total connections is actually 3x of what is indicated above. I'm feeling like MaxClients is a bit low, but I can't seem to satisfactorily articulate why. I'm going to be hit with a traffic storm (many thousands of simultaneous connection attempts in a few minutes) in a few days, and I'm thinking I should make sure I've got this right. I went through it maybe 8-10 months ago but that was long before I put these systems into production. I probably should have gone through it again a month ago but didn't think to. I'm also contemplating increasing connection_pool_size maxThreads (I'm pretty sure those have to be equal) since my database can handle up to 1000 simultaneous connections and as it is, I've got a maximum of 3*150=450 Tomcat threads that can access it at any given time. Any useful advice on this would be appreciated. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Changing webserver from Tomcat 5.0 to 6.0.18
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ties, On 5/8/2009 2:26 AM, Ties wrote: A website is running on server A (Tomcat 5.0) and it has to move to server B (Tomcat 6.0.18). I have configured everything which should be configured. But somehow the server is not able to locate the webapp. The apaches httpd.conf (on Server A) shows the following: IfModule mod_jk.c JkMount /mywebapp/* ajp13 /IfModule Is Tomcat 6.0.18 able to deal with ajp13, or should it be changed in the name of the Tomcat from server B? Rest assured, Tomcat 6.x can read AJP13-protocol requests. The ajp13 there is actually the name of a worker for mod_jk. If your webapp is physically moving hosts, you will need to adjust the IP address of the back-end server, most likely specified in a file called jk_workers.properties or workers.properties. There should be a directive in httpd.conf matching something like: JkWorkersFile /etc/apache/workers.properties This specifies where the workers are defined. Mark suggested posting your workers.properties file (which is definitely a good idea) and this is how you would find it. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIlhEACgkQ9CaO5/Lv0PCYsACdF+SCgNTjz9HUnVK/sEK3s1S5 gG4AoJITUm4aQ2r9Ib1qM7/D28UivSDS =nSXi -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to build an multi lingual website
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andrew, On 5/7/2009 3:35 PM, Andrew Davidson wrote: My main website is in English. I want to have a landing page in Spanish that describes my website and invites the user to click through the English version of the web site. Any idea how I set this up using Tomcat? The bulk of our web site is static html pages. Some one sent me a link about how to do this using the Apache web server so that it check the Accept-Language of the http header Another way of doing this is to use resource bundles. It's uglier in some ways, but better in other ways. Create a captions.properties file for spanish: Date=Term for Date in Spanish and a captions_en.properties Date=Date Place the file in your WEB-INF/classes directory. Now, add this code to your page: Locale lc=request.getLocale(); ResourceBundle rb=ResourceBundle.getBundle(captions,lc); Now, on your JSP page instead of Date INPUT TYPE=TEXT VALUE=05/27/2009 you have %=rb.getString(Date)% INPUT TYPE=TEXT VALUE=05/27/2009 The good part of this is that you end up with only one set of JSP pages. The bad side is that you have to code your layout so it can deal with variable size captions. Spanish captions are going to be some 20% longer on average than English. Additionally, if you're using images with text, you'll have to put handling in. -- George Sexton MH Software, Inc. Voice: +1 303 438 9585 URL: http://www.mhsoftware.com/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat logs in EST, webapp reports time in GMT
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ciarán, On 5/8/2009 8:04 AM, Rowe, Ciaran (IT) wrote: I'm not so experienced in how Java/Tomcat handle timezone matters, but I've come across a running instance of a container which claims to be in GMT for some webapps, and US/Eastern for others. What is the time zone of the running JVM? You can check the value of the user.timezone system propery, or just call java.util.TimeZone.getDefault(). The container itself appears to be logging in US/Eastern. This is most likely the default for the JVM. I've verified through a heapdump that there are various GregorianCalendar instances floating around memory with different ZoneInfo instances (some ID themselves as GMT, some as US/Eastern). With a heap dump, it will be tough to determine who is using what. You might want to turn to a debugger. Nowhere in the app code makes a clear request to have the time in GMT, everything uses the default, so they should all report in US/Eastern. I'm wondering what settings/behaviours in tomcat/the JVM could effect a default timezone change for an application? When you say the webapp is reporting times in GMT, do you mean times displayed in web pages generated by the webapp? Or do you mean web app logs or something? I'm wondering if the webapp is sniffing the time zone from the client (browser) and adjusting the time zone for that user. Or, maybe there's a user preference or something that doesn't allow you to do a simple grep through your code for GMT. Could the GregorianCalendar object itself be working some voodoo on this? Why isn't everything picking up EDT as the timezone? I couldn't guess, but I would find everywhere in your application where you use Calendar or TimeZone. I'd also look at how you render times in your pages... if you are using some kind of JSP tag library or something to display dates, it might be either misconfigured, or using information you didn't expect to determine the time zone. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoImRIACgkQ9CaO5/Lv0PBvmgCfb3TNYzYgB6fLTPSGqDwA7td9 zhsAn0hWDM/qOALYftG2uINWFUTs734u =+dhz -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: centralized server
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kaushal, On 5/11/2009 6:14 AM, Kaushal Shriyan wrote: Is there a way to log all the catalina.out files of tomcat hosted on different servers to a centralized server and view it using a web Interface? Yes. Tomcat provides none of this capability, though. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoImhIACgkQ9CaO5/Lv0PDQFQCeJWo39PeSPK0nnhw558eB6Y/e UNYAoIb1711O0SqF5SSjXGqPoRf+vUHL =ptsz -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat and Oracle connections
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Wouter, On 5/9/2009 5:46 AM, Wouter D'Haeseleer wrote: This means, no connections available anymore. And when I look at the connections itself in oracle I see that the following connection is using more then 200 sessions ! I think Chuck is right: you're leaking connections. Resource auth=Container ... I would highly recommend adding these two attributes to your Resource: logAbaodoned=true removeAbandoned=true removeAbandonedTimeout=30 (# of seconds to wait before considering a connection abandoned. Adjust to fit your needs) While you're at it, maybe you want to set: validationQuery=SELECT 1 FROM DUAL (or something else appropriate to test your connections) For me this is really strange since this connections says maxActive=10 I always recommend setting maxActive=1 in development. You'll find connection leaks REALLY quick! I'll take this opportunity to plug my own blog entry regarding proper JDBC resource management: http://blog.christopherschultz.net/?p=68 - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIm4YACgkQ9CaO5/Lv0PDFcgCeMcq1tf6zJM2LL50BvFfclJ/j /eQAoISCn7x1AoIxcLz32NY1XT1ZkrlT =4iKb -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to build an multi lingual website
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 George, On 5/11/2009 5:30 PM, George Sexton wrote: Another way of doing this is to use resource bundles. It's uglier in some ways, but better in other ways. The OP said he was using mostly static content, so I think the redirection based upon Accept-Language is a better strategy. If you are using a dynamic web site, going with resource bundles is definitely the way to go. %=rb.getString(Date)% INPUT TYPE=TEXT VALUE=05/27/2009 Heh, I hope you use a Locale-specific date format otherwise you'll confuse a lot of people. ;) - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoInA4ACgkQ9CaO5/Lv0PC25ACdEdUVVVxyFpvSx1Uc8fW9ThfO HLAAni1nVSdyv7yFByN4PPSaXIL67VWQ =fv49 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: changing location of conf/Catalina
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dmitry, On 5/7/2009 3:07 PM, Dmitry Beransky wrote: I want to lock down the core Tomcat installation by making it read-only (and updateable only through a SCM). I've figured out how to relocate temp, work, logs, webapps directories, all of which get modified as part of Tomcat's standard operation. The last directory left inside the core that gets modified at runtime is conf/Catalina and I can't find a way to relocate it elsewhere. Is this even possible? Not sure if you can re-locate this, but have you considered giving read-only access to that directory for the Tomcat euid and allowing only admins to write? That seems more straightforward than re-locating everything. Note that relocating everything means that when posting your users post questions to this mailing list we're likely to say who's the idiot that scattered all the directories all over the place? try downloading a fresh version of Tomcat and see if all your problems go away?. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoInKYACgkQ9CaO5/Lv0PB7DwCdHJoHw4+BrthF42NOGLO0Wl/D c6oAnj0ttZlH+kGxl5xaN39PQKphQMwJ =L7Uw -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Confused by mpm/mod_jk
Hi Bill, On 11.05.2009 23:15, Bill Davidson wrote: I'm trying to understand mpm_worker MaxCLients and it's relationship with mod_jk connection_pool_size. Here's what I've got at the moment: OS: Red Hat 5.2 Server httpd: 2.2.11 tomcat-connector: 1.2.28 tomcat: 6.0.18 Java: 1.6.0_13 Hey great, someone using recent version :) httpd-mpm.conf: ListenBacklog 2048 Wow. IfModule mpm_worker_module StartServers 2 MaxClients 256 MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 32 Usually MinSpaceThreads and MaxSpareThreads having a multiple of ThreadsPerChild makes it easier understandable, what the numbers mean. Scaling up and down is always done in increments of processes, each having ThreadsPerChild threads. MaxClients is the maximum number of concurrent connections allowed, which is the same as the maximum number of threads used (for the worker mpm). MaxRequestsPerChild 0 /IfModule workers.properties: worker.tomcat1.type=ajp13 worker.tomcat1.host=127.0.0.2 worker.tomcat1.port=8009 worker.tomcat1.connection_pool_size=150 Delete the connection_pool_size. Connection pools in mod_jk are local to httpd processes. Each process can only use as many connections, as it has threads to process concurrent requests. In your configuration this is 32. mod_jk asks httpd when starting about this number and automatically sets its pool size to the number of threads per process. You'll never need more. Only if you have very good reasons, that you want to lower this, you can configure a smaller number. Usually you don't want to do this. worker.tomcat1.connection_pool_timeout=600 you need to set connectionTimeout for the Tomcat connector to 60 then. You might also want to set a minimum pool size, i.e. the smallest number of connections th epool is allowed to shrink to, if it is idle. I would suggest 0. please do also have a look at the docs page on timeouts for mod_jk. worker.tomcat1.socket_keepalive=1 server.xml: Connector port=8009 protocol=AJP/1.3 address=127.0.0.2 redirectPort=443 maxThreads=150 / The 150 threads do not make a good fit to your MaxClients of 256. If your Apache is mainly forwarding requests to Tomcat, then it doesn't make much sense to allow 256 parallel connections to Apace, but only 150 on the backend. That will result in some Apache processes being fully connected (32 connections) and some other not able to grow their connection pool to the full size, because they get errors when trying to connect. Also, I've added these to /etc/sysctl.conf # increase the maximum number of TCP connections. net.core.somaxconn = 2048 net.core.netdev_max_backlog = 1024 I've got three separate boxes running their own httpd/Tomcat, load balanced with LVS so total connections is actually 3x of what is indicated above. Are the Apaches connected to each Tomcat, or only to their Tomcat? If you separate your design into 3 disjoint Apache/Tomcat pairs, then you need to educate your LVS about correct session stickyness. If you think you can't manage that, then add a load balancer worker to each Apache, let each of them connect to all Tomcats, set the distance for the local Tomcat to 0 and set it to 1 for the other two Tomcats. Finally allow min pool size 0 and add some spare threads above MaxClients to the Tomcats, because they need to handle connections from all three Apaches. I'm feeling like MaxClients is a bit low, but I can't seem to satisfactorily articulate why. Expected concurrency = LoadInRequestsPerSecond * AverageResponseTime I'm going to be hit with a traffic storm (many thousands of simultaneous connection attempts in a few minutes) in a few days, and I'm thinking I should make sure I've got this right. You need to do stress testing in order to find out, what the correct sizing is. If your application can stand the load and is very fast/lightweight, then you could manage more than 1000 requests/second with three Tomcats without ever reaching 256 MaxClients per Apache. If your application gets slow, then you might not be able to server 50 requests/second. Play around with the above formula. I went through it maybe 8-10 months ago but that was long before I put these systems into production. I probably should have gone through it again a month ago but didn't think to. I'm also contemplating increasing connection_pool_size maxThreads (I'm pretty sure those have to be equal) since my database can handle up to 1000 simultaneous connections and as it is, I've got a maximum of 3*150=450 Tomcat threads that can access it at any given time. more likely 3*256 = 768 which is close to the db max. Any useful advice on this would be appreciated. It is more likely that increasing the allowed concurrency will make things worse. Quite often the first bottleneck is not the allowed concurrency, but things like database I/O
Re: Form-based Container Security with SSL
Dear Chris, Thank you very much. What we really want is that the login username/password communicates encrypted. Everything else can be in clear-text. (We also need the log-out, so I cannot use the digest authentification.) Showing a non-secure login page isn't a problem, is it? You just need to make sure that the login form's action is HTTPS and you will get a secure login. But if this login page is reached by http, will the login username/password be sent out in clear-texted? Or should I specified the action j_security_check as https? Then after the authentication, change back to http. (By changing the secured cookie into unsecured? Where? In every pages as tomcat has redirect the link away from login?) Thank you very much? Sincerely Zhu, Guojun - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to build an multi lingual website
Christopher Schultz wrote: %=rb.getString(Date)% INPUT TYPE=TEXT VALUE=05/27/2009 Heh, I hope you use a Locale-specific date format otherwise you'll confuse a lot of people. ;) I think I have this down. You can check: http://www.mhsoftware.com/caldemo/ and let me know... -- George Sexton MH Software, Inc. Voice: +1 303 438 9585 URL: http://www.mhsoftware.com/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 5.5.27 404 for JSP's in a particular derectory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mackstar, On 5/10/2009 10:31 PM, Mackstar wrote: Konstantin Kolinko wrote: 2) Do not use the Invoker servlet. It is a hole you won't be able to patch See http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q2 http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q3 I disabled the invoker servlet and could then use the directory, I have to re-arrange a bunch of servlets now to get them working! That shouldn't be necessary. Just add servlet-mapping elements to your web.xml. You should not have to change one line of JSP or servlet code. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIoLoACgkQ9CaO5/Lv0PCWGACeJKwlsXxbhaXywlTY2qOi7p1w Dv0AoIOgVjDaMKwGYf6PtAW49VIl/G2s =lko+ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to configure Tomcat 6.0 with JAAS?
David Hoffer wrote: Update. It looks like the problem is with the Tomcat Realm configuration. If I move the jar that contains these custom classes to the Tomcat lib folder then it works! However this is not a workable solution. I can't deploy jars like this. How can I delay JAAS realm configuration to my web app? After all what is the purpose of useContextClassLoader? Ideally I would like to move the configuration out of server.xml to my web app so this is self-contained. What is the right way to do this? Configure the realm at the context level - ie in the META-INF/context.xml of your WAR, or application directory. p -Dave On Mon, May 11, 2009 at 1:14 PM, David Hoffer dhoff...@gmail.com wrote: No matter what I do...I always get an 'HTTP Status 403 - Access to the requested resource has been denied error' displayed after authenticating in Tomcat with JAAS. Here is my configuration. Tomcat 6.0.x server.xml: ... Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false !-- JAAS config -- Realm className=org.apache.catalina.realm.JAASRealm appName=CDF_TestApp userClassNames=ipt.tas.security.login.TASUserPrincipal roleClassNames=ipt.tas.security.login.TASGroupPrincipal useContextClassLoader=true debug=99/ /Host /Engine /Service /Server Issues here...since TASUserPrincipal TASGroupPrincipal are not available yet (they are in my web app) hasn't started how can I delay configuration until my web app has started? (Doubt this is cause of error however). My WebApp web.xml: !--Test code to get JAAS to work-- servlet servlet-nameStartupServlet/servlet-name servlet-class com.issinc.cdf.servlet.StartupServlet /servlet-class load-on-startup1/load-on-startup /servlet security-constraint web-resource-collection web-resource-nameTest App/web-resource-name url-pattern/*/url-pattern /web-resource-collection auth-constraint role-namemembers/role-name /auth-constraint /security-constraint security-role description /description role-namemembers/role-name /security-role login-config auth-methodBASIC/auth-method realm-nameTest App Realm/realm-name /login-config !--End JAAS code-- Note that StartupServlet configures JAASConfiguration to load my custom LoginModule. When my web app starts I do get the authentication dialog and I enter my login info. I have debugged my custom LoginModule and login() and commit() both succeed/return true for the user. However when the app continues I get the 403 error stated above. What am I doing wrong? I don't understand if/how the role-name(s) specifed in the web.xml are validated at this point. Do I have to tie my Subject Principal to these roles somehow? Or are these roles just used by the JAAS logic after authenication is complete? I will say that if I remove the auth-constraint section then the login dialog is not even displayed. Can someone point me to my error? -Dave - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based Container Security with SSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Guojun, On 5/11/2009 5:49 PM, Guojun Zhu wrote: Dear Chris, Thank you very much. What we really want is that the login username/password communicates encrypted. Everything else can be in clear-text. (We also need the log-out, so I cannot use the digest authentification.) Showing a non-secure login page isn't a problem, is it? You just need to make sure that the login form's action is HTTPS and you will get a secure login. But if this login page is reached by http, will the login username/password be sent out in clear-texted? The scheme used to access the login page is not relevant to the safety of your credentials. Only the scheme used to /submit/ those credentials from your login form is relevant. Or should I specified the action j_security_check as https? Definitely. Then after the authentication, change back to http. Correct. (By changing the secured cookie into unsecured? Where? In every pages as tomcat has redirect the link away from login?) No, all my suggestions have been to create a non-secure session id cookie /before/ authentication occurs. Then you don't have to worry about it, later. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIqKIACgkQ9CaO5/Lv0PAifgCdGOhDbM2bEmMyoZUGCKrwSQx5 Sg0AoJCaYuusBHIS98n8vKRUtalnjQkD =OlR2 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Analyzing Tomcat related VM crash?
Hi, We have recently put into production a Tomcat 5.5.27 based web site, using JDK 1.6 (JDK 1.6.0_12-b04 on RedHat Linux). We have spent months developing and testing the site, both by us and the customer, and experienced no VM crashes. Now that we are in production we find the VM is crashing from time to time. Trying to see if anyone else has experienced the same thing I simply find plenty of requests for help, but no answers. Looking at my catalina log I see: [2009-05-08 01:22:33,174] ERROR (StandardWrapperValve.java:260) - Servlet.service() for servlet action threw exception java.lang.IllegalStateException at org .apache .catalina.connector.ResponseFacade.sendError(ResponseFacade.java:405) at org .apache .struts.action.RequestProcessor.processMapping(RequestProcessor.java: 658) at org .apache.struts.action.RequestProcessor.process(RequestProcessor.java: 193) at org.apache.struts.action.ActionServlet.process(ActionServlet.java: 1164) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:397) at javax.servlet.http.HttpServlet.service(HttpServlet.java:627) at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) at org .apache .catalina .core .ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java: 269) at org .apache .catalina .core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188) at com.myco.web.filter.CharsetFilter.doFilter(CharsetFilter.java:35) I doubt this would be enough to destabilize a VM? We have a second filter that might be picky about the order that it is called, and we will look into this, but not being able to reproduce this issue in a non-producion environment is making it challenging. The 'uname -a' command gives: Linux myco-prod01 2.4.21-37.ELsmp #1 SMP Wed Sep 7 13:28:55 EDT 2005 i686 i686 i386 GNU/Linux Can anyone suggest an approach to establish the route cause? What stuff should I be checking? André-John - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Analyzing Tomcat related VM crash?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André-John, On 5/11/2009 6:48 PM, Andre-John Mas wrote: We have recently put into production a Tomcat 5.5.27 based web site, using JDK 1.6 (JDK 1.6.0_12-b04 on RedHat Linux). We have spent months developing and testing the site, both by us and the customer, and experienced no VM crashes. Now that we are in production we find the VM is crashing from time to time. JVM crashes are no good :( Looking at my catalina log I see: [2009-05-08 01:22:33,174] ERROR (StandardWrapperValve.java:260) - Servlet.service() for servlet action threw exception java.lang.IllegalStateException This is unlikely to be causing any JVM crash. I doubt this would be enough to destabilize a VM? We have a second filter that might be picky about the order that it is called, and we will look into this, but not being able to reproduce this issue in a non-production environment is making it challenging. It's pretty much impossible to crash the JVM intentionally just using Java code. You have to go JNI to do that. I would (as always) be suspicious of the physical hardware. Try taking one of the servers out of service and run a memory/cpu test on it. I'll bet it's got bad memory. You didn't give any details of the crash. I'm guessing SIG11? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIrc4ACgkQ9CaO5/Lv0PACWwCgvXa0DmHKjZMmIQyuWB93hyNk CnIAn2l1cvk0QihaxuguOmC9+LV5b5Wy =pKjQ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Analyzing Tomcat related VM crash?
On 11-May-2009, at 18:59, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André-John, On 5/11/2009 6:48 PM, Andre-John Mas wrote: We have recently put into production a Tomcat 5.5.27 based web site, using JDK 1.6 (JDK 1.6.0_12-b04 on RedHat Linux). We have spent months developing and testing the site, both by us and the customer, and experienced no VM crashes. Now that we are in production we find the VM is crashing from time to time. JVM crashes are no good :( Looking at my catalina log I see: [2009-05-08 01:22:33,174] ERROR (StandardWrapperValve.java:260) - Servlet.service() for servlet action threw exception java.lang.IllegalStateException This is unlikely to be causing any JVM crash. I doubt this would be enough to destabilize a VM? We have a second filter that might be picky about the order that it is called, and we will look into this, but not being able to reproduce this issue in a non-production environment is making it challenging. It's pretty much impossible to crash the JVM intentionally just using Java code. You have to go JNI to do that. I would (as always) be suspicious of the physical hardware. Try taking one of the servers out of service and run a memory/cpu test on it. I'll bet it's got bad memory. You didn't give any details of the crash. I'm guessing SIG11? I have added the details to the end of this e-mail. André-John catalina.out: # # An unexpected error has been detected by Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x06546578, pid=7456, tid=2349013936 # # Java VM: Java HotSpot(TM) Server VM (11.2-b01 mixed mode linux-x86) # Problematic frame: # V [libjvm.so+0x546578] # # An error report file with more information is saved as: # /home/apache/hs_err_pid7456.log # # If you would like to submit a bug report, please visit: # http://java.sun.com/webapps/bugreport/crash.jsp # /home/apache/hs_err_pid7456.log (certain names changed, for anonymity): # # An unexpected error has been detected by Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x06546578, pid=7456, tid=2349013936 # # Java VM: Java HotSpot(TM) Server VM (11.2-b01 mixed mode linux-x86) # Problematic frame: # V [libjvm.so+0x546578] # # If you would like to submit a bug report, please visit: # http://java.sun.com/webapps/bugreport/crash.jsp # --- T H R E A D --- Current thread (0x08060800): GCTaskThread [stack: 0x8bfb1000,0x8c032000] [id=7459] siginfo:si_signo=SIGSEGV: si_errno=0, si_code=1 (SEGV_MAPERR), si_addr=0x Registers: EAX=0x0001, EBX=0xa46f8520, ECX=0x, EDX=0x ESP=0x8c0318d0, EBP=0x8c0318f8, ESI=0xb42d, EDI=0x8bd56680 EIP=0x06546578, CR2=0x, EFLAGS=0x00010246 Top of Stack: (sp=0x8c0318d0) 0x8c0318d0: 0805ee88 8bd566d8 8c0318f8 0001 0x8c0318e0: 0805eec8 0100 a46f8520 8bd56680 0x8c0318f0: 08060800 0001 8c031938 0654922b 0x8c031900: 8bd56680 0001 8bd56680 8bd56680 0x8c031910: 0805eec8 8bd56680 063488bd 0x8c031920: 0805eec8 8bd56680 8a8e6cb8 0x8c031930: 08060800 0666128c 8c0319d8 0632848b 0x8c031940: 8a8e6cb8 0805ee88 0001 Instructions: (pc=0x06546578) 0x06546568: f0 89 d9 83 e1 01 84 c9 0f 85 9f 00 00 00 8b 13 0x06546578: 8b 02 83 e0 03 83 f8 03 75 7e 8b 12 80 3d cd 87 Stack: [0x8bfb1000,0x8c032000], sp=0x8c0318d0, free space=514k Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code) V [libjvm.so+0x546578] V [libjvm.so+0x54922b] V [libjvm.so+0x32848b] V [libjvm.so+0x506929] C [libpthread.so.0+0x4dec] --- P R O C E S S --- Java Threads: ( = current thread ) 0x8b1d1800 JavaThread http-8085-Monitor [_thread_blocked, id=7498, stack(0x89de3000,0x89e34000)] 0x8b1d JavaThread http-8085-Processor25 daemon [_thread_blocked, id=7497, stack(0x89e34000,0x89e85000)] 0x8b1ae800 JavaThread http-8085-Processor24 daemon [_thread_blocked, id=7496, stack(0x89e85000,0x89ed6000)] 0x8b1ad400 JavaThread http-8085-Processor23 daemon [_thread_blocked, id=7495, stack(0x89ed6000,0x89f27000)] 0x8a79fc00 JavaThread http-8085-Processor22 daemon [_thread_in_native, id=7494, stack(0x89f27000,0x89f78000)] 0x8a79e800 JavaThread http-8085-Processor21 daemon [_thread_blocked, id=7493, stack(0x89f78000,0x89fc9000)] 0x8a6b4c00 JavaThread http-8085-Processor20 daemon [_thread_blocked, id=7492, stack(0x89fc9000,0x8a01a000)] 0x8a6b3800 JavaThread http-8085-Processor19 daemon [_thread_blocked, id=7491, stack(0x8a01a000,0x8a06b000)] 0x8a842400 JavaThread http-8085-Processor18 daemon [_thread_blocked, id=7490, stack(0x8a06b000,0x8a0bc000)] 0x8a841000 JavaThread http-8085-Processor17 daemon [_thread_blocked, id=7489, stack(0x8a0bc000,0x8a10d000)] 0x8a8cd000 JavaThread http-8085-Processor16 daemon [_thread_blocked, id=7488, stack(0x8a10d000,0x8a15e000)] 0x8a8cbc00 JavaThread http-8085-Processor15 daemon [_thread_blocked, id=7487,
IIS tomcat connector plugin fail to reverse proxy.
I am trying to use the IIS tomcat connector to act like a reverse proxy If I hit the IIS at /MWGAT it will forward the tomcat with /GAT However I fail to do this In the documentation http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html they say I can do this If you are using Microsoft IIS as a web server, the ISAPI plugin provides a way of doing the first step with a builtin feature. You define a mapping file for simple prefix changes like this: # Add a context prefix to all requests ... /=/myapp/ # ... or change some prefix ... /oldapp/=/myapp/ But I don;t think it is possible.(have tried) I would need some help. I am using isapi_redirect.1.2.14.dll Thanks and regards, Eric - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Performance with many small requests
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Peter, On 5/8/2009 7:26 AM, Peter Crowther wrote: Decrypt: parallel. Send ack: parallel. Increment counters: synced. Write to log file: synced (or you'll have some very odd stuff happening). I'd go further and suggest that you re-factor your design so that your servlet is very simple. Something like this: public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { RequestCounter counter = ...; // get from app scope? Class-level? RequestLogger logger = ...; // same here RequestProcessor processor = ...; // same here counter.count(); processor.processRequest(request, response, false); logger.log(request, response); } Then its up to the RequestCounter to maintain its own synchonization (if necessary) instead of your servlet having to know the semantics of thread-safety, etc. Same with the logger. As someone mentioned, most logging frameworks handle synchronization for you, and most of them can buffer the output to their log files so that you are getting the best performance you can. I highly recommend using a logging framework, or developing something that meets your needs that is self-contained, can accept log entries from multiple concurrent clients (your servlets), and buffers output to the log file to keep performance up. I've been meaning to look into some more sophisticated logging techniques, and this exercise has given me some good incentive to do so sooner rather than later. However, it doesn't look at the moment like disk writes are a limiting factor in this app's performance. My latest thread dump indicates that the socket read is where most of the waits are at. Because the requests are so small, I imagine that network latency is a far bigger factor than gross throughput is. I definitely should hook a profiler to the app so I can be sure of what's taking the time, though. What is it that processRequest actually does? Decryption? Hmm... is it possible for you to save the decryption for later? You could have a service that simply logs the notifications and then have a batch job that later does the decryption and throws-out all the incorrectly-encrypted data. Just another option. Basically the entire job of this application (servlet) is to accept the POSTs from the clients in the field, decrypt them, do a few sanity checks on the raw data, and dump them into a file on disk (we call it a cache file). There are separate apps that then continuously read the data from the cache file and do all kinds of processing on it, stuff it into a database, and check various values and trends for near-realtime alerting purposes. Moving the decryption to a later step in the process would be possible, but would require rewriting another application, for probably very little net gain. Early on in the design, we considered doing it all in one application, but felt that this method gave us a little more overall reliability, because one piece could go down without affecting the others, and then it could catch up when it came back up. It also allowed us to profile each section separately, making it a little easier to find the bottlenecks. Finally... if you are logging all requests, is it necessary to keep a daily and total request count? You can avoid the synchronization of those counters entirely by ... not bothering to count them. Again, retrospective counting is a possibility. The counting isn't a core requirement of the application; I just put it in a a way to help me monitor its progress during the day, to be sure it hasn't locked up or lost a network connection somewhere along the way. Incrementing a counter can't be much of a synchronization bottleneck, and if I switch to an AtomicInteger, it should be even less of one. Thanks for the comments! D - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Confused by mpm/mod_jk
Rainer Jung wrote: Hey great, someone using recent version :) I've been trying to stay current with the stable releases since upgrading the app from httpd 1.3 and Tomcat 3.2.4 last year. I usually wait a couple weeks to a month and watch the mailing lists after a release to make sure nothing major snuck through QA. ListenBacklog 2048 Wow. I'm just guessing on most of these things. I suspect I copied that from the httpd 1.3 + Tomcat 3.2.4 configuration, as I did with a lot of the other numbers. I didn't create those old configs. I just came in and tried to get the app working on Tomcat 6 and httpd 2.2 (and with the help of Brittain Darwin and the people on this list, I succeeded). Delete the connection_pool_size. Connection pools in mod_jk are local to httpd processes. Each process can only use as many connections, as it has threads to process concurrent requests. In your configuration this is 32. mod_jk asks httpd when starting about this number and automatically sets its pool size to the number of threads per process. You'll never need more. Only if you have very good reasons, that you want to lower this, you can configure a smaller number. Usually you don't want to do this. please do also have a look at the docs page on timeouts for mod_jk. I will do that. The 150 threads do not make a good fit to your MaxClients of 256. If your Apache is mainly forwarding requests to Tomcat, then it doesn't make much sense to allow 256 parallel connections to Apace, but only 150 on the backend. That will result in some Apache processes being fully connected (32 connections) and some other not able to grow their connection pool to the full size, because they get errors when trying to connect. Interesting. httpd is mainly connecting to servlets but those also request images, javascript, style sheets and applets that get served directly by httpd. Are the Apaches connected to each Tomcat, or only to their Tomcat? Only to their own Tomcat. I even do the connection on the loopback for security and (I hope) performance. If you separate your design into 3 disjoint Apache/Tomcat pairs, then you need to educate your LVS about correct session stickyness. Already done. I'm pretty sure this setup wouldn't be working at all in production if we hadn't since we don't have session replication (yet). Thanks for the advice. I'm still digesting some of it and I'll be looking at that documentation again. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Analyzing Tomcat related VM crash?
From: Andre-John Mas [mailto:aj...@sympatico.ca] Subject: Re: Analyzing Tomcat related VM crash? I have added the details to the end of this e-mail. If the hardware tests don't find anything, try running the JVM in client mode rather than server. Historically, the server JIT has been slightly less stable than the client JIT - although I'm not aware of any specific codegen problems in 6u12, client or server. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat and Oracle connections
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Tomcat and Oracle connections I would highly recommend adding these two attributes to your Resource: logAbaodoned=true removeAbandoned=true removeAbandonedTimeout=30 While you're at it, maybe you want to set: validationQuery=SELECT 1 FROM DUAL Note that the OP is using type=oracle.jdbc.pool.OracleDataSource rather than Tomcat's pooling mechanism; consequently the above (slightly misspelled) attributes may not be applicable. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: changing location of conf/Catalina
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: changing location of conf/Catalina Not sure if you can re-locate this, but have you considered giving read-only access to that directory for the Tomcat euid and allowing only admins to write? Making conf/Catalina read-only will cause problems when deploying .war webapps with META-INF/context.xml files embedded in them; Tomcat must have write access to conf/Catalina/[host] in order to extract the Context element. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: How to configure Tomcat 6.0 with JAAS?
Okay that sounds good I'll try that. Next newbie question...will this be server agnostic? I need to support Tomcat/JBoss/WebLogic. -Dave On Mon, May 11, 2009 at 4:17 PM, Pid p...@pidster.com wrote: David Hoffer wrote: Update. It looks like the problem is with the Tomcat Realm configuration. If I move the jar that contains these custom classes to the Tomcat lib folder then it works! However this is not a workable solution. I can't deploy jars like this. How can I delay JAAS realm configuration to my web app? After all what is the purpose of useContextClassLoader? Ideally I would like to move the configuration out of server.xml to my web app so this is self-contained. What is the right way to do this? Configure the realm at the context level - ie in the META-INF/context.xml of your WAR, or application directory. p -Dave On Mon, May 11, 2009 at 1:14 PM, David Hoffer dhoff...@gmail.com wrote: No matter what I do...I always get an 'HTTP Status 403 - Access to the requested resource has been denied error' displayed after authenticating in Tomcat with JAAS. Here is my configuration. Tomcat 6.0.x server.xml: ... Host name=localhost appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false !-- JAAS config -- Realm className=org.apache.catalina.realm.JAASRealm appName=CDF_TestApp userClassNames=ipt.tas.security.login.TASUserPrincipal roleClassNames=ipt.tas.security.login.TASGroupPrincipal useContextClassLoader=true debug=99/ /Host /Engine /Service /Server Issues here...since TASUserPrincipal TASGroupPrincipal are not available yet (they are in my web app) hasn't started how can I delay configuration until my web app has started? (Doubt this is cause of error however). My WebApp web.xml: !--Test code to get JAAS to work-- servlet servlet-nameStartupServlet/servlet-name servlet-class com.issinc.cdf.servlet.StartupServlet /servlet-class load-on-startup1/load-on-startup /servlet security-constraint web-resource-collection web-resource-nameTest App/web-resource-name url-pattern/*/url-pattern /web-resource-collection auth-constraint role-namemembers/role-name /auth-constraint /security-constraint security-role description /description role-namemembers/role-name /security-role login-config auth-methodBASIC/auth-method realm-nameTest App Realm/realm-name /login-config !--End JAAS code-- Note that StartupServlet configures JAASConfiguration to load my custom LoginModule. When my web app starts I do get the authentication dialog and I enter my login info. I have debugged my custom LoginModule and login() and commit() both succeed/return true for the user. However when the app continues I get the 403 error stated above. What am I doing wrong? I don't understand if/how the role-name(s) specifed in the web.xml are validated at this point. Do I have to tie my Subject Principal to these roles somehow? Or are these roles just used by the JAAS logic after authenication is complete? I will say that if I remove the auth-constraint section then the login dialog is not even displayed. Can someone point me to my error? -Dave - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 6 conflict between apache JSTL libs and glassfish appserv-rt.jar
Hi, I've started using JSTL tags in my JSP. All was good until i needed to call a remote EJB from a servlet, store the object to a session, and redirect to a JSP page to display the content of the remote object. We'll just to clear things, i am able to do this properly using JSP expressions %=myVar%. And i am able to use c:out value=${myVar} / on a project which does not have appserv-rt.jar inside it's lib directory. I'm getting a java.lang.NoSuchMethodError: javax.el.ExpressionFactory.newInstance()Ljavax/el/ExpressionFactory; when i add appserv-rt.jar in my lib. I'm using Tomcat 6.0.18 as my web server and glassfish as my app server. Below is the complete stack trace from tomcat: SEVERE: Servlet.service() for servlet jsp threw exception java.lang.NoSuchMethodError: javax.el.ExpressionFactory.newInstance()Ljavax/el/ExpressionFactory; at org.apache.jasper.compiler.JspUtil.getExpressionFactory(JspUtil.java:1166) at org.apache.jasper.compiler.JspUtil.validateExpressions(JspUtil.java:628) at org.apache.jasper.compiler.Validator$ValidateVisitor.getJspAttribute(Validator.java:1341) at org.apache.jasper.compiler.Validator$ValidateVisitor.checkXmlAttributes(Validator.java:1117) at org.apache.jasper.compiler.Validator$ValidateVisitor.visit(Validator.java:834) at org.apache.jasper.compiler.Node$CustomTag.accept(Node.java:1482) at org.apache.jasper.compiler.Node$Nodes.visit(Node.java:2257) at org.apache.jasper.compiler.Node$Visitor.visitBody(Node.java:2307) at org.apache.jasper.compiler.Node$Visitor.visit(Node.java:2313) at org.apache.jasper.compiler.Node$Root.accept(Node.java:481) at org.apache.jasper.compiler.Node$Nodes.visit(Node.java:2257) at org.apache.jasper.compiler.Validator.validate(Validator.java:1837) at org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:195) at org.apache.jasper.compiler.Compiler.compile(Compiler.java:409) at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:592) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:344) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:470) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:364) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:630) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:436) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:374) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:302) at gogogo.MyServlet.doPost(MyServlet.java:88) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Thread.java:619) This has been driving me nuts for days... any help would be deeply appreciated. thanks - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How to configure Tomcat 6.0 with JAAS?
From: David Hoffer [mailto:dhoff...@gmail.com] Subject: Re: How to configure Tomcat 6.0 with JAAS? Next newbie question...will this be server agnostic? Unfortunately not. The servlet spec does not define how realms are to be configured, so each app server rolls its own mechanism. Note that the Context and Realm elements are unique to Tomcat, which is why they're not in WEB-INF/web.xml. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Tomcat 6 conflict between apache JSTL libs and glassfish appserv-rt.jar
From: Joseph dela Peña [mailto:masterkure...@gmail.com] Subject: Tomcat 6 conflict between apache JSTL libs and glassfish appserv-rt.jar I'm getting a java.lang.NoSuchMethodError: javax.el.ExpressionFactory.newInstance()Ljavax/el/ExpressionFactory; when i add appserv-rt.jar in my lib. You must not put appserv-rt.jar anywhere that can be seen by Tomcat; many of the classes therein conflict with those Tomcat supplies. You'll need to find the packages you're missing and use the jars that contain just those, rather than the extremely annoying and unfriendly all-the-eggs-in-one-basket approach that Sun used with appserv-rt.jar. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Performance with many small requests
From: David Kerber [mailto:dcker...@verizon.net] Subject: Re: Performance with many small requests Incrementing a counter can't be much of a synchronization bottleneck, and if I switch to an AtomicInteger, it should be even less of one. Actually, it won't. There's a slight performance difference between the two mechanisms, but it's usually in favor of the synchronized increment, not the AtomicInteger, at least on my dual-core AMD 64 system running JDK 6u12 in 64-bit server mode on Vista. The difference is only a few percent, so you should just code it whichever way you find more maintainable. (Test program available on request; it would be interesting to see if the same relationship exists on a modern Intel chip.) - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.