Re: tomcat-connectors mod_jk.dsp file will not load in Visual Studio 2005
Andy Wang wrote: Hi all, I was able to get mod_jk building fine using Makefile.vc, but couldn't get the .dsp file loaded into Visual Studio 2005. Anyone know if there's a trick to this, or should I just not care (it does build and seem to work fine with the Makefile). When Visual Studio 2005 tries to convert mod_jk.dsp to the newer format it complains with a Cannot load the project due to a corrupt project file Preferred method is to use the Makefile.vc, However you probably have Unix line endings (LF). Convert the .dsp to DOS line endings (CR-LF) by some editor that can do that or some unix2dos utility. IMO the .zip source files should have .dsp's with CRLF line endings. Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat-connectors mod_jk.dsp file will not load in Visual Studio 2005
Andy Wang wrote: Hi all, I was able to get mod_jk building fine using Makefile.vc, but couldn't get the .dsp file loaded into Visual Studio 2005. If you are using HTTPD binaries from ASF use the Visual Studio 6 and Platform SDK (Windows 2003 R2 inclusive) VS 2005 will force usage of MSVCRT71 while, so you'll have multiple MSVCRT versions compiled in, which might cause some nasty logging issues. BTW, what's wrong with official mod_jk binaries? Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
org.apache.tomcat.sendfile.support attribute returned via getAttribute() but name not returned via getAttributeNames()
Hi, Probably missing something simple here but I can't figure it out... I have pretty much just modified a simpel hello world servlet as I start to play around with NIO sendfile support. I am using Tomcat 6.0.20. I am trying to check for the org.apache.tomcat.sendfile.support which says I can use the sendfile mode. When I request the request atttributes in the doPut method via getAttributeNames(), I seem to get back an Enumeration with no attribute names in it. None... But when I ask for the org.apache.tomcat.sendfile.support attribute specifically via getAttribute(), I do get the attribute and it is correctly set to Boolean true/false depending on whether I've configured NIO in server.xml. Here is my code: protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { EnumerationString attrNames = request.getAttributeNames(); if (attrNames == null) { System.out.println(getAttributeNames returned null); } else { System.out.println(attrNames: + attrNames.toString()); } System.out.println(printing any attrs...); while (attrNames.hasMoreElements()) { String attrName = attrNames.nextElement(); System.out.println(attr: + attrName); } Boolean val = (Boolean) request.getAttribute(org.apache.tomcat.sendfile.support); if (val != null) { System.out.println(org.apache.tomcat.sendfile.support attr found: value: + val.toString()); } else { System.out.println(org.apache.tomcat.sendfile.support attr not found); } response.getWriter().write(Hello, world!); } Thanks in advance for any help on this... Chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 6.0.18 and APR
Hi all, I'm currently trying to get the APR working on the following system; Using CATALINA_BASE: E:/apache-tomcat-server6.0 Using CATALINA_HOME: E:/apache-tomcat-server6.0 Using CATALINA_TMPDIR: E:/apache-tomcat-server6.0\temp Using JRE_HOME:E:/jdk1.5.0_12 Server version: Apache Tomcat/6.0.18 OS Name:Windows 2000 OS Version: 5.0 Architecture: x86 JVM Version:1.5.0_12-b04 I've downloaded the binaries from http://tomcat.heanet.ie/native/1.1.12/binaries/ and have tried both win32 and win64 (just in case I was being stupid! ;)). I've been copying openssl.exe and tcnative-1.dll to e:/apache-tomcat-server6.0/bin and still keep getting the same. INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: E:\apache-tomcat-server6.0\bin;.;C:\WINNT\system32;C:\WINNT;E:\jdk1.5.0_ 12\bin;snip. I've even tried the windows system32 folder and jdk bin folder. Additionally the Tomcat server is running as a Windows service. Each time I've tried the files in a new location I've stopped and re-started the service. I've also reverted my configuration files to the defaults to rule anything out there Does anyone have any suggestions for what I might be doing wrong please? I'm sort of at the end of my tether ;) Thanks in advance for any help Dave Lush Visa Europe, Europe's leading payment systems provider, is owned and governed within Europe for the benefit of European financial institutions. This email (including attachments) is confidential and is solely intended for the addressee. Unless you are the addressee, you may not read, use or store this email in any way, or permit others to. If you have received it in error, please contact Visa Europe on +44 (0)20 7937 8111.
With APR, getRemoteHost() returns NULL for unknown clients?
Hello, After searching in all the usual places for a problem I'm having with Tomcat/APR and reverse lookups, I haven't found anything similar, so maybe someone on the list can help... My setup is a RedHat 5 server (32 bit) running Tomcat 6.0.20 with Tomcat Native 1.1.16 libraries and Sun JDK 1.6.0_14. I've built and installed Tomcat Native as described in http://tomcat.apache.org/native-doc/ The server.xml file has been modified to add enableLookups=true to the HTTP Connector entry: Connector port=8080 protocol=HTTP/1.1 connectionTimeout=2 enableLookups=true redirectPort=8443 / Now, when the client exists in the DNS, reverse lookups via HttpServletRequest.getRemoteHost() work fine whether or not I'm using APR. The problem is, when attempting a reverse lookup for a client that is not found in the naming service, the behaviour of getRemoteHost() depends on whether or not APR is being used. Specifically, without APR, the method returns the dotted-string form of the IP address (consistent with the doc http://java.sun.com/webservices/docs/1.6/api/javax/servlet/ServletRequest.html#getRemoteHost() ). However, when APR is enabled, the method returns NULL. I can reproduce the problem using a simple test servlet: # cat GetAddress.java import java.io.*; import java.util.*; import javax.servlet.*; import javax.servlet.http.*; public class GetAddress extends HttpServlet { public void doGet(HttpServletRequest request,HttpServletResponse response) throws IOException, ServletException{ response.setContentType(text/html); PrintWriter out = response.getWriter(); out.println(bfont color='red'Hostname of request : /font/b +request.getRemoteHost()+p); out.println(bfont color='blue'IP Address of request : /font/b +request.getRemoteAddr()); } } If LD_LIBRARY_PATH is set to $CATALINA_HOME/lib, catalina.out confirms APR is enabled: 05-Jun-2009 11:09:01 org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.16. 05-Jun-2009 11:09:01 org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. 05-Jun-2009 11:09:02 org.apache.coyote.http11.Http11AprProtocol init From my client unknown to the DNS, the web page shows Hostname of request: null ... IP Address of request: client IP address Now, after unsetting LD_LIBRARY_PATH and restarting Tomcat (catalina.out confirms APR is not used), a request from the same client correctly shows Hostname of request: client IP address... IP Address of request: client IP address This behaviour with APR is causing problems for a third-party application that relies on identifying the client IP/host for authentication - as the code does not expect NULL from getRemoteHost() it denies access to the client (coming from another company via LAN-to-LAN VPN). Any ideas on how to debug this further? I had a quick look in the APR source but couldn't find any reference to getRemoteHost or enableLookups so I'm not sure where this side effect is coming from. I'd be happy to collect more info and file a bug report if necessary. Thanks in advance - Paul Seed.
Re: Tomcat 6.0.18 and APR
Lush, David wrote: Hi all, I've downloaded the binaries from http://tomcat.heanet.ie/native/1.1.12/binaries/ and have tried both win32 and win64 (just in case I was being stupid! ;)). Well, on win2k you will definitely need the win32 binaries. Main Tomcat page (tomcat.apache.org) has a nice Download section, from which you should click on the 'Tomcat Native'. Use the version 1.1.16 If you cannot find it on the main page here is the link: http://tomcat.apache.org/download-native.cgi Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0.18 and APR
Lush, David wrote: I've downloaded the binaries from http://tomcat.heanet.ie/native/1.1.12/binaries/ First off, get the latest (1.1.16) binaries from here (heatnet.ie is an old location): http://tomcat.apache.org/download-native.cgi and have tried both win32 and win64 (just in case I was being stupid! ;)). You want win32. INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: E:\apache-tomcat-server6.0\bin;.;C:\WINNT\system32;C:\WINNT;E:\jdk1.5.0_ 12\bin;snip. If tcnative-1.dll is in E:\apache-tomcat-server6.0\bin, that should be all you need. Additionally the Tomcat server is running as a Windows service. Each time I've tried the files in a new location I've stopped and re-started the service. I've also reverted my configuration files to the defaults to rule anything out there If you have no joy with the latest 1.1.16, try starting Tomcat using the scripts instead. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: With APR, getRemoteHost() returns NULL for unknown clients?
Paul Seed wrote: Any ideas on how to debug this further? I had a quick look in the APR source but couldn't find any reference to getRemoteHost or enableLookups so I'm not sure where this side effect is coming from. I'd be happy to collect more info and file a bug report if necessary. Looks like you have enough info for a bug report to me. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Christopher Schultz wrote: Mark, On 6/3/2009 11:42 AM, Mark Thomas wrote: CVE-2009-0580: Tomcat information disclosure vulnerability I know I'm likely to get a vague response, but could you provide some more info about this issue? I'm sorry you have that impression. As I hope you see from this thread, the Tomcat security team is more than happy to discuss any vulnerability in detail once the vulnerability has been made public. j_username=tomcatj_password=% I'm not sure how the patch (I read the patch for TC5.5 DataSourceRealm.java) changes anything at all: it appears to be merely a performance optimization. Not quite. No changes are made to the behavior of Tomcat, since the same null is returned to the caller if the credentials do not match. If the credentials are null (eg a password via FORM auth with invalid encoding) then there is an NPE. It is as a result of lines 332/334 (5.5.x, post patch). If credentials is null then digest(credentials) is also null which results in an NPE when we try digest(credentials).equals(...) The NPE results isn't handled and results in a blank response back to the client. I don't see any information disclosure vulnerability in the first place, and I don't see how your patch would have fixed it. The patch stops this NPE from happening and ensures that users get a login failed message rather than a blank screen. You are correct that for the current DataSource and JDBC Realms that this is just a bug fix. However, for the MemoryRealm there is a test a line 150 that means the responses for a valid and invalid user when credentials are null are different. Valid users cause an NPE and a blank response. Invalid users get a login failed message. For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are vulnerable. I'll issue an update to the vulnerability notice to clarify this. If you have any further questions, please do ask. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
[SECURITY] CVE-2009-0580 UPDATED Apache Tomcat User enumeration vulnerability with FORM authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Updated to clarify affected versions as they vary for each affected Realm. CVE-2009-0580: Tomcat information disclosure vulnerability Severity: Low Vendor: The Apache Software Foundation Versions Affected: MemoryRealm: Tomcat 4.1.0 to 4.1.39 Tomcat 5.5.0 to 5.5.27 Tomcat 6.0.0 to 6.0.18 DataSourceRealm: Tomcat 4.1.17 to 4.1.31 Tomcat 5.5.0 to 5.5.5 JDBCRealm: Tomcat 4.1.0 to 4.1.31 Tomcat 5.5.0 to 5.5.5 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected. Description: Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords. The attack is possible if form based authenticiaton (j_security_check) with one of the following authentication realms is used: * MemoryRealm * DataSourceRealm * JDBCRealm Mitigation: 6.0.x users should do one of the following: - upgrade to 6.0.20 - apply this patch http://svn.apache.org/viewvc?rev=747840view=rev 5.5.x users should do one of the following: - upgrade to 5.5.28 when released - apply this patch http://svn.apache.org/viewvc?rev=781379view=rev 4.1.x users should do one of the following: - upgrade to 4.1.40 when released - apply this patch http://svn.apache.org/viewvc?rev=781382view=rev Example: The following POST request should trigger an error (500 server error or empty response, depending on the configuration) if the ROOT web application is configured to use FORM authentication: POST /j_security_check HTTP/1.1 Host: localhost j_username=tomcatj_password=% Credit: This issue was discovered by D. Matscheko and T. Hackner of SEC Consult. References: http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoo/a0ACgkQb7IeiTPGAkOwBgCgg32bOh5/3FWwmg+qnazFuJLy UGAAnjGl3psau6THn7UDBjpHfSG8LZ4a =SIJ6 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Deploying .war-file in Tomcat 5.5
Dear users, I have installed Tomcat with apt-get install tomcat5.5 tomcat5.5-admin tomcat5.5-webapps The default webapps-deirectoy is now: /usr/share/tomcat5.5-webapps/ROOT/ Tomcat is running and I copy a .war file in /usr/share/tomcat5.5-webapps/ROOT/ But how is this .war-file unpacked/deployed? I restarted Tomcat already with /etc/init.d/tomcat restart but don't get the filestructure of that war-file? -- View this message in context: http://www.nabble.com/Deploying-.war-file-in-Tomcat-5.5-tp23886971p23886971.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Deploying .war-file in Tomcat 5.5
From: Kai Behncke [mailto:kai-behn...@gmx.de] I have installed Tomcat with apt-get install tomcat5.5 tomcat5.5-admin tomcat5.5-webapps From which we can assume you're running on Debian, rather than one of the many other platforms on which Tomcat runs? The default webapps-deirectoy is now: /usr/share/tomcat5.5-webapps/ROOT/ Yes. So that is the directory for the default (ROOT) webapp. The directory for webapps is its parent directory. Tomcat is running and I copy a .war file in /usr/share/tomcat5.5-webapps/ROOT/ But how is this .war-file unpacked/deployed? It won't be. Copy/move it to /usr/share/tomcat5.5-webapps instead. I restarted Tomcat already with /etc/init.d/tomcat restart but don't get the filestructure of that war-file? That's not surprising. Put it in the right directory and try again. - Peter - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: With APR, getRemoteHost() returns NULL for unknown clients?
Thanks Mark, I've filed bug #47319. https://issues.apache.org/bugzilla/show_bug.cgi?id=47319 Cheers - Paul. From: Mark Thomas ma...@apache.org To: Tomcat Users List users@tomcat.apache.org Sent: Friday, 5 June, 2009 12:12:07 Subject: Re: With APR, getRemoteHost() returns NULL for unknown clients? Paul Seed wrote: Any ideas on how to debug this further? I had a quick look in the APR source but couldn't find any reference to getRemoteHost or enableLookups so I'm not sure where this side effect is coming from. I'd be happy to collect more info and file a bug report if necessary. Looks like you have enough info for a bug report to me. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Deploying .war-file in Tomcat 5.5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kai Behncke wrote: Tomcat is running and I copy a .war file in /usr/share/tomcat5.5-webapps/ROOT/ On Debian you should put it in /var/lib/tomcat5.5/webapps. (And if you run Debian squeeze you can install the tomcat6 package.) Cheers, Marcus -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkopFOoACgkQXjXn6TzcAQmIjQCeOnOrjj0+uO5bNe0m6gu8jrTA LzwAnRNH2GwYHHoYG0A0b865HXX8Jo+C =Dl/o -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Deploying .war-file in Tomcat 5.5
From: news [mailto:n...@ger.gmane.org] On Behalf Of Marcus Better On Debian you should put it in /var/lib/tomcat5.5/webapps. Ah - thanks, Marcus. Debian's rather odd symlinking policy strikes again! - Peter - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Deploying .war-file in Tomcat 5.5
Hi Peter, first of all thank you for your reply. Peter Crowther wrote: From: Kai Behncke [mailto:kai-behn...@gmx.de] I have installed Tomcat with apt-get install tomcat5.5 tomcat5.5-admin tomcat5.5-webapps From which we can assume you're running on Debian, rather than one of the many other platforms on which Tomcat runs? Yes, I use Debian etch. Tomcat is running and I copy a .war file in /usr/share/tomcat5.5-webapps/ROOT/ But how is this .war-file unpacked/deployed? It won't be. Copy/move it to /usr/share/tomcat5.5-webapps instead. I tried this without succes, I started Tomcat again but the .war-file is not unpacked. I made a couple of tests here. When I just did apt-get install tomcat 5.5 and I copied the .war file then to /var/lib/tomcat5.5/webapps it`s unpacked without any problems. But if I call then http://www.mysite.de:8180/my_servlet I don`t see anything in the browser?? If I install apt-get install tomcat 5.5 tomcat5.5-webapps The .war file in /usr/share/tomcat5.5-webapps/ is not unpacked. But if I copy the unpacked-sources from /var/lib/tomcat5.5/webapps/my_servlet to /usr/share/tomcat5.5-webapps/ROOT/ I get a result by doing http://www.mysite.de:8180/my_servlet Why might this be? Do I need apt-get install tomcat5.5-webapps to see a result in the browser? And what is the difference between tomcat 5.5 and tomcat5.5-webapps? Thank you very much, Kai - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://www.nabble.com/Deploying-.war-file-in-Tomcat-5.5-tp23886971p23887719.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Deploying .war-file in Tomcat 5.5
Hi Marcus, On Debian you should put it in /var/lib/tomcat5.5/webapps. Thank you very much. When I just did apt-get install tomcat 5.5 and I copied the .war file then to /var/lib/tomcat5.5/webapps it`s unpacked without any problems. But if I call then http://www.mysite.de:8180/my_servlet I don`t see anything in the browser?? That`s the thing I don`t get (well, I`m really a Tomcat newbie). But if I copy the unpacked-sources from /var/lib/tomcat5.5/webapps/my_servlet to /usr/share/tomcat5.5-webapps/ROOT/ I get a result by doing http://www.mysite.de:8180/my_servlet Why might this be? Do I need apt-get install tomcat5.5-webapps to see a result in the browser? And what is the difference between tomcat 5.5 and tomcat5.5-webapps? Best regards, Kai -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkopFOoACgkQXjXn6TzcAQmIjQCeOnOrjj0+uO5bNe0m6gu8jrTA LzwAnRNH2GwYHHoYG0A0b865HXX8Jo+C =Dl/o -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://www.nabble.com/Deploying-.war-file-in-Tomcat-5.5-tp23886971p23887798.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ISAPI incorrect function
On 04.06.2009 16:42, dljohnson69 wrote: I now have a simple workers.properties and uri file with the latest 1.2.28 redirector but no matter what I try I only get incorrect function returned to the browser. 1st error in log is [error] jk_shm_calculate_size::jk_shm.c (120): Could not get member list for lb worker from map True, because you didn't add any members to the defined load balancer worker named wlb. There's no balance_workers attribute there. After you add some member via balance_workers, remember to define the host and port for those members to. [error] validate::jk_lb_worker.c (1647): NULL parameters [error] wc_create_worker::jk_worker.c (163): validate failed for wlb workers.properties worker.list=wlb worker.wlb.type=lb worker.wlb.host=localhost worker.wlb.port=8010 host and port do not make sense for a load balancer. It doesn't send requests directly to tomcat, instead it choses one of the (missing) belance_workers and delegetes to them. uriworkermap.properties /admin/*=wlb /manager/*=wlb /jsp-examples/*=wlb /servlets-examples/*=wlb /ws/*=wlb When I change the 'type' to ajp13 I get a 502 'bad gateway' error. I've simplifed this as much as possible, tried IP instead of localhost and still cannot get this to serve up. Any ideas? I'll look at your posted log snippet for this part. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ISAPI incorrect function
On 04.06.2009 19:27, dljohnson69 wrote: The isapi.log is the only one I know of (maybe the same)let me know if the name of any other logs you think would help. Here is the error part of the isapi.log [Thu Jun 04 10:32:59.985 2009] [4272:4316] [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1143): (wlb) can't receive the response header message from tomcat, tomcat (127.0.0.1:8010) has forced a connection close for socket 592 wildGuessWrong port? Default AJP port is 8009, you are using 8010 here. Make sure you use the AJP port of tomcat not the HTTP port./wildGuess [Thu Jun 04 10:32:59.985 2009] [4272:4316] [error] ajp_get_reply::jk_ajp_common.c (1962): (wlb) Tomcat is down or refused connection. No response has been sent to the client (yet) [Thu Jun 04 10:32:59.985 2009] [4272:4316] [info] ajp_service::jk_ajp_common.c (2447): (wlb) sending request to tomcat failed (recoverable), (attempt=2) [Thu Jun 04 10:32:59.985 2009] [4272:4316] [error] ajp_service::jk_ajp_common.c (2466): (wlb) connecting to tomcat failed. [Thu Jun 04 10:32:59.985 2009] [4272:4316] [error] HttpExtensionProc::jk_isapi_plugin.c (2200): service() failed with http error 502 [Thu Jun 04 10:32:59.985 2009] [4272:4316] [debug] ajp_reset_endpoint::jk_ajp_common.c (743): (wlb) resetting endpoint with sd = 4294967295 (socket shutdown) [Thu Jun 04 10:32:59.985 2009] [4272:4316] [debug] ajp_done::jk_ajp_common.c (2905): recycling connection pool slot=0 for worker wlb [Thu Jun 04 10:53:08.555 2009] [4272:4736] [info] TerminateFilter::jk_isapi_plugin.c (2250): Jakarta/ISAPI/isapi_redirector/1.2.28 stopping [Thu Jun 04 10:53:08.555 2009] [4272:4736] [debug] close_workers::jk_worker.c (218): close_workers will destroy worker wlb [Thu Jun 04 10:53:08.555 2009] [4272:4736] [debug] ajp_destroy::jk_ajp_common.c (2846): up to 250 endpoints to close Christopher Schultz-2 wrote: dl, On 6/4/2009 10:42 AM, dljohnson69 wrote: I now have a simple workers.properties and uri file with the latest 1.2.28 redirector but no matter what I try I only get incorrect function returned to the browser. 1st error in log is [error] jk_shm_calculate_size::jk_shm.c (120): Could not get member list for lb worker from map [error] validate::jk_lb_worker.c (1647): NULL parameters [error] wc_create_worker::jk_worker.c (163): validate failed for wlb workers.properties worker.list=wlb worker.wlb.type=lb worker.wlb.host=localhost worker.wlb.port=8010 'port' is inappropriate for the lb worker. Instead, you need to define 'balance_workers' for the lb balancer, instead. http://tomcat.apache.org/connectors-doc/reference/workers.html#Load%20Balancing%20Directives When I change the 'type' to ajp13 I get a 502 'bad gateway' error. Do you get any errors in the mod_jk log file when this error occurs? If so, please post them. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ISAPI incorrect function
On 04.06.2009 23:59, dljohnson69 wrote: Yes, tomcat is running. The IIS was shutdown by me on that log reference. Latest log, server.xml and worker.properties here. workers.properties worker.list=wlb worker.wlb.type=ajp13 worker.wlb.host=localhost worker.wlb.port=8010 server.xml Server port=8006 shutdown=SHUTDOWN debug=0 Connector port=8010 maxThreads=150 minSpareThreads=25 maxSpareThreads=75 enableLookups=false redirectPort=8443 acceptCount=100 debug=0 connectionTimeout=2 disableUploadTimeout=true / Thsi connector uses the defaukt protocol, which is http. You can't talk via the redirector to it. The redirector uses the AJP protocol. The default Tomcat server.xml configuration file contains an additional Connector entry for an AJP connector, which you deleted. It's the Connector using port 8009. Add it back and switch your redirector workers.properties to port 8009. Listener className=org.apache.catalina.mbeans.ServerLifecycleListener debug=0/ Listener className=org.apache.catalina.mbeans.GlobalResourcesLifecycleListener debug=0/ !-- Global JNDI resources -- GlobalNamingResources !-- Test entry for demonstration purposes -- Environment name=simpleValue type=java.lang.Integer value=30/ !-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -- Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved /Resource ResourceParams name=UserDatabase parameter namefactory/name valueorg.apache.catalina.users.MemoryUserDatabaseFactory/value /parameter parameter namepathname/name valueconf/tomcat-users.xml/value /parameter /ResourceParams /GlobalNamingResources Host name=localhost debug=0 appBase=webapps unpackWARs=true autoDeploy=true xmlValidation=false xmlNamespaceAware=false Context displayName=Sungard WealthStation docBase=e:/wealthstation/appserver2/webapps/wealthstation path=/wealthstation / [Thu Jun 04 16:53:10.292 2009] [4872:800] [error] ajp_get_reply::jk_ajp_common.c (1962): (wlb) Tomcat is down or refused connection. No response has been sent to the client (yet) [Thu Jun 04 16:53:10.292 2009] [4872:800] [info] ajp_service::jk_ajp_common.c (2447): (wlb) sending request to tomcat failed (recoverable), (attempt=2) [Thu Jun 04 16:53:10.292 2009] [4872:800] [error] ajp_service::jk_ajp_common.c (2466): (wlb) connecting to tomcat failed. [Thu Jun 04 16:53:10.292 2009] [4872:800] [error] HttpExtensionProc::jk_isapi_plugin.c (2200): service() failed with http error 502 [Thu Jun 04 16:53:10.292 2009] [4872:800] [debug] ajp_reset_endpoint::jk_ajp_common.c (743): (wlb) resetting endpoint with sd = 4294967295 (socket shutdown) [Thu Jun 04 16:53:10.292 2009] [4872:800] [debug] ajp_done::jk_ajp_common.c (2905): recycling connection pool slot=0 for worker wlb dljohnson69 wrote: I now have a simple workers.properties and uri file with the latest 1.2.28 redirector but no matter what I try I only get incorrect function returned to the browser. 1st error in log is [error] jk_shm_calculate_size::jk_shm.c (120): Could not get member list for lb worker from map [error] validate::jk_lb_worker.c (1647): NULL parameters [error] wc_create_worker::jk_worker.c (163): validate failed for wlb workers.properties worker.list=wlb worker.wlb.type=lb worker.wlb.host=localhost worker.wlb.port=8010 uriworkermap.properties /admin/*=wlb /manager/*=wlb /jsp-examples/*=wlb /servlets-examples/*=wlb /ws/*=wlb When I change the 'type' to ajp13 I get a 502 'bad gateway' error. I've simplifed this as much as possible, tried IP instead of localhost and still cannot get this to serve up. Any ideas? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Service Specific Error 0
From: aditya darbha [mailto:adityadar...@gmail.com] Subject: Re: Service Specific Error 0 However for a 64 bit wrapper of Tomcat, an error pops up saying Loading Error Cannot Find the File specified [prunsrv.c] You must use the 64-bit wrapper with a 64-bit JVM, and the 32-bit wrapper with a 32-bit JVM. Any mismatch will result in the above error. When posting log messages, post more than a single line; the file name of interest is in the *next* line. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat-connectors mod_jk.dsp file will not load in Visual Studio 2005
On 04.06.2009 01:33, Andy Wang wrote: Hi all, I was able to get mod_jk building fine using Makefile.vc, but couldn't get the .dsp file loaded into Visual Studio 2005. Anyone know if there's a trick to this, or should I just not care (it does build and seem to work fine with the Makefile). When Visual Studio 2005 tries to convert mod_jk.dsp to the newer format it complains with a Cannot load the project due to a corrupt project file popup. Does anyone really care about this or should I just ignore it? Mladen is right :) - should work when converted to DOS line endings I just now tested it again. - have a look at the provided binaries Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
APR is not working
Dear everybody, I am trying to install APR for tomcat 6.0.18 on debian I did the following: apt-get install libapr1-dev libssl-dev cd tomcat-native-1.1.16-src/jni/native ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/lib/jvm/java-1.5.0-sun --prefix=/usr/lib/catalina make make install and created the file $CATALINA_HOME/bin/setenv.sh which has the following lines LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib export LD_LIBRARY_PATH Then when I started tomcat the log shows the following lines and then nothing (It hangs) 05.06.2009 14:15:46 org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.16. 05.06.2009 14:15:46 org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. I have tryed to stop and run it again manytimes and the same result. Please help Thanks a lot, Mohamedin - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
ADMINISTRATOR: PLEASE READ
The unsubscribe feature for this list appears to be broken. Kindly unsubscribe me. Thank you. ~Alex Alex Ryan's Facebook profile -Original Message- From: Mohamedin [mailto:mohame...@easy-dialog.info] Sent: Friday, June 05, 2009 9:40 AM To: Tomcat Users List Subject: APR is not working Dear everybody, I am trying to install APR for tomcat 6.0.18 on debian I did the following: apt-get install libapr1-dev libssl-dev cd tomcat-native-1.1.16-src/jni/native ./configure --with-apr=/usr/bin/apr-1-config --with-java- home=/usr/lib/jvm/java-1.5.0-sun --prefix=/usr/lib/catalina make make install and created the file $CATALINA_HOME/bin/setenv.sh which has the following lines LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib export LD_LIBRARY_PATH Then when I started tomcat the log shows the following lines and then nothing (It hangs) 05.06.2009 14:15:46 org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.16. 05.06.2009 14:15:46 org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. I have tryed to stop and run it again manytimes and the same result. Please help Thanks a lot, Mohamedin - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: APR is not working
On 05.06.2009 15:40, Mohamedin wrote: Dear everybody, I am trying to install APR for tomcat 6.0.18 on debian I did the following: apt-get install libapr1-dev libssl-dev cd tomcat-native-1.1.16-src/jni/native ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/lib/jvm/java-1.5.0-sun --prefix=/usr/lib/catalina make make install and created the file $CATALINA_HOME/bin/setenv.sh which has the following lines LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib export LD_LIBRARY_PATH Then when I started tomcat the log shows the following lines and then nothing (It hangs) 05.06.2009 14:15:46 org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.16. 05.06.2009 14:15:46 org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. I have tryed to stop and run it again manytimes and the same result. speculation If it looks hanging during startup, it might initialize randomness and use /dev/random (blocking good quality randomness) instead of /dev/urandom (non-blocking pseudo-randomness). You can try to get a stack during the hang using gstack. Do you have a /dev/urandom device? Can you read from it, e.g. if you do a dd if=/dev/urandom of=/dev/null count=100 (reading 100 blocks of 512 bytes of randomness), does it return fast? What happens if you do the same again during the hang? /speculation Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Deploying .war-file in Tomcat 5.5
From: Kai Behncke [mailto:kai-behn...@gmx.de] Subject: Re: Deploying .war-file in Tomcat 5.5 it`s unpacked without any problems. But if I call then http://www.mysite.de:8180/my_servlet I don`t see anything in the browser?? You need to include the name of your webapp in the URL; the webapp name is the name of your .war file. But if I copy the unpacked-sources from /var/lib/tomcat5.5/webapps/my_servlet to /usr/share/tomcat5.5-webapps/ROOT/ I get a result by doing http://www.mysite.de:8180/my_servlet That's because you just made your webapp an extension of Tomcat's default webapp - probably not a good thing to do. If you want your webapp to be the default, delete Tomcat's default (/usr/share/tomcat5.5-webapps/ROOT), rename your .war file to ROOT.war, and place it in /usr/share/tomcat5.5-webapps/ROOT. You will also want to clean out Tomcat's work directory; I have no idea where the dismal Debian repackaging of Tomcat would have put that. And what is the difference between tomcat 5.5 and tomcat5.5-webapps? The Debian repackaging of Tomcat is a mess - files are scattered all over, and then symlinked back together to try to get things to run. There's no end of issues with that scheme, which is why many of us recommend throwing away that junk and installing a real Tomcat from tomcat.apache.org. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: APR is not working
Mohamedin wrote: Then when I started tomcat the log shows the following lines and then nothing (It hangs) 05.06.2009 14:15:46 org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.16. 05.06.2009 14:15:46 org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. I have tryed to stop and run it again manytimes and the same result. Have you tried to be more patient? On some systems the random number generator if having low entropy can hang for few minutes. Try setting SSLEngine to off in server.xml and see if it'll start faster. Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ISAPI incorrect function
That was the problem, I had edited the http instead of the AJP connector section in the server.xml. It now does a redirect. I'll play with the load balancer and other connector info. Christopher Schultz-2 wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 dl, On 6/4/2009 10:42 AM, dljohnson69 wrote: I now have a simple workers.properties and uri file with the latest 1.2.28 redirector but no matter what I try I only get incorrect function returned to the browser. 1st error in log is [error] jk_shm_calculate_size::jk_shm.c (120): Could not get member list for lb worker from map [error] validate::jk_lb_worker.c (1647): NULL parameters [error] wc_create_worker::jk_worker.c (163): validate failed for wlb workers.properties worker.list=wlb worker.wlb.type=lb worker.wlb.host=localhost worker.wlb.port=8010 'port' is inappropriate for the lb worker. Instead, you need to define 'balance_workers' for the lb balancer, instead. http://tomcat.apache.org/connectors-doc/reference/workers.html#Load%20Balancing%20Directives When I change the 'type' to ajp13 I get a 502 'bad gateway' error. Do you get any errors in the mod_jk log file when this error occurs? If so, please post them. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkooAKgACgkQ9CaO5/Lv0PAUpwCdGq/7vlKLBIeS0m5Ha/RQwGQF uX0An1Xi2ow0Ftlp8gS3xo5pHmhaqbKz =mZen -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://www.nabble.com/ISAPI-incorrect-function-tp23871342p23888951.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat-connectors mod_jk.dsp file will not load in Visual Studio 2005
Mladen, Rainer, Thanks for pointing out the crlf thing, I discovered that myself last night and was going to update this thread this morning but you beat me to it. :) I just automatically, use the tarballs since I'm normally a Unix guy. I figure this out when I inadvertently used the Apache tarball instead of win zip and wondered why I got the same error trying to load the .dsps. Mladen, I am not anywhere near remotely a Windows guy. This is my first experience compiling stuff in a Microsoft world since using Turbo C++ back in college, and that was DOS :). With that in mind, can you elaborate on what the VS2005 MSVCRT71 issues might be? The problem is, Visual Studio 6 is not available from MSDN, and we don't have it readily available here. It appears to be a product circa 1998, so I thought a newer compiler might not be a bad idea. I don't know if you recall an e-mail from Jess Holle regarding a quieter logging patch that he asked for comments on. Until we have time to look into Rainer's idea of stopping the nodes via the mod_jk status worker, we're using our patch for now, thus the need to build our own mod_jk. Thanks, Andy Mladen Turk wrote: Andy Wang wrote: Hi all, I was able to get mod_jk building fine using Makefile.vc, but couldn't get the .dsp file loaded into Visual Studio 2005. If you are using HTTPD binaries from ASF use the Visual Studio 6 and Platform SDK (Windows 2003 R2 inclusive) VS 2005 will force usage of MSVCRT71 while, so you'll have multiple MSVCRT versions compiled in, which might cause some nasty logging issues. BTW, what's wrong with official mod_jk binaries? Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat-connectors mod_jk.dsp file will not load in Visual Studio 2005
On 05.06.2009 16:43, Andy Wang wrote: Mladen, Rainer, Thanks for pointing out the crlf thing, I discovered that myself last night and was going to update this thread this morning but you beat me to it. :) I just automatically, use the tarballs since I'm normally a Unix guy. I figure this out when I inadvertently used the Apache tarball instead of win zip and wondered why I got the same error trying to load the .dsps. Mladen, I am not anywhere near remotely a Windows guy. This is my first experience compiling stuff in a Microsoft world since using Turbo C++ back in college, and that was DOS :). With that in mind, can you elaborate on what the VS2005 MSVCRT71 issues might be? The problem is, Visual Studio 6 is not available from MSDN, and we don't have it readily available here. It appears to be a product circa 1998, so I thought a newer compiler might not be a bad idea. I don't know if you recall an e-mail from Jess Holle regarding a quieter logging patch that he asked for comments on. Until we have time to look into Rainer's idea of stopping the nodes via the mod_jk status worker, we're using our patch for now, thus the need to build our own mod_jk. Mladen might like to elaborate more, but in short: MS binaries need a Microsoft Visual C++ Runtime library to run with. Those are called msvcrt. The library version used is determined during the dynamic linking done with visual studio. Now if you use an extensible application like Apache, and the web server and the modules you want to load are compiled with different Visual Studio versions, multiple and possibly incompatible version of the msvcrt libs will be loaded during runtime. Until now, the official downloads of the Apache web server are compiled with VS6, so our mod_jk Windows binaries are also compiled with VS6 in order to circumvent possible havoc. I did see mod_jk compiled with newer VS version running in the standard Windows Apache from the web server download page, but you *might* run into trouble. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SECURITY] CVE-2009-0580 UPDATED Apache Tomcat User enumeration vulnerability with FORM authentication
Mark Thomas wrote: ... 5.5.x users should do one of the following: - upgrade to 5.5.28 when released - apply this patch http://svn.apache.org/viewvc?rev=781379view=rev 4.1.x users should do one of the following: - upgrade to 4.1.40 when released - apply this patch http://svn.apache.org/viewvc?rev=781382view=rev Any idea when these two releases will be available? D - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat-connectors mod_jk.dsp file will not load in Visual Studio 2005
Rainer Jung wrote: Mladen might like to elaborate more, but in short: MS binaries need a Microsoft Visual C++ Runtime library to run with. Those are called msvcrt. The library version used is determined during the dynamic linking done with visual studio. Now if you use an extensible application like Apache, and the web server and the modules you want to load are compiled with different Visual Studio versions, multiple and possibly incompatible version of the msvcrt libs will be loaded during runtime. Until now, the official downloads of the Apache web server are compiled with VS6, so our mod_jk Windows binaries are also compiled with VS6 in order to circumvent possible havoc. I did see mod_jk compiled with newer VS version running in the standard Windows Apache from the web server download page, but you *might* run into trouble. Regards, Rainer Ahh. I see, I think maybe I was misunderstanding Mladen then. I thought that just building with VS2005 would result in some level of multiple msvcrt library confusion. If, we build our own Apache, and our own mod_jk, and our own everything else up the toolchain (zlib, openssl, etc etc), we shouldn't have problems with multiple msvcrt dependencies right? But, that brings up a really interesting point, considering that our customers may have their own modules and who knows how they build them. I'll have to consider that. Thanks, Andy - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: APR is not working
Thanks a lot for your fast reply (Both of you) It was the random number generator Setting SSLEngine to off fixed the problem And I don't need the SSL since it is handled by apache using mod_jk Thanks again, Mohamedin - Original Message - From: Mladen Turk mt...@apache.org To: Tomcat Users List users@tomcat.apache.org Sent: Friday, June 05, 2009 4:54 PM Subject: Re: APR is not working Mohamedin wrote: Then when I started tomcat the log shows the following lines and then nothing (It hangs) 05.06.2009 14:15:46 org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.16. 05.06.2009 14:15:46 org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. I have tryed to stop and run it again manytimes and the same result. Have you tried to be more patient? On some systems the random number generator if having low entropy can hang for few minutes. Try setting SSLEngine to off in server.xml and see if it'll start faster. Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org __ Information from ESET NOD32 Antivirus, version of virus signature database 4132 (20090604) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SECURITY] CVE-2009-0580 UPDATED Apache Tomcat User enumeration vulnerability with FORM authentication
David kerber wrote: Mark Thomas wrote: ... 5.5.x users should do one of the following: - upgrade to 5.5.28 when released - apply this patch http://svn.apache.org/viewvc?rev=781379view=rev 4.1.x users should do one of the following: - upgrade to 4.1.40 when released - apply this patch http://svn.apache.org/viewvc?rev=781382view=rev Any idea when these two releases will be available? I hope to start the 4.1.x release process early next week - time permitting. I can't speak for Filip and 5.5.x. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 6/5/2009 7:03 AM, Mark Thomas wrote: Christopher Schultz wrote: Mark, On 6/3/2009 11:42 AM, Mark Thomas wrote: CVE-2009-0580: Tomcat information disclosure vulnerability I know I'm likely to get a vague response, but could you provide some more info about this issue? I'm sorry you have that impression. As I hope you see from this thread, the Tomcat security team is more than happy to discuss any vulnerability in detail once the vulnerability has been made public. I'm sorry my comment came-off as annoyed or something like that. The reason I made this vague response statement is because the last time I asked about specifics of a particular security bugfix, you (I think) said that the vulnerability was theoretical, the bugfix was basically to prevent the possibility for exploitation, and that the vulnerability wasn't directly demonstrable in the first place (which makes me question the veracity of the claim in the first place). I wasn't trying to be a troll. Thanks for the response(s). You are correct that for the current DataSource and JDBC Realms that this is just a bug fix. However, for the MemoryRealm there is a test a line 150 that means the responses for a valid and invalid user when credentials are null are different. Valid users cause an NPE and a blank response. Invalid users get a login failed message. Aah, I hadn't looked at MemoryRealm, specifically. I made the (foolish) assumption that the changes in all the realms would be comparable. For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are vulnerable. I'm afraid I still don't understand the vulnerability in 5.5's DataSourceRealm (the one I actually look at in detail): the NPE occurs (in the unpatched code) regardless of the presence of a valid user(name). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkopQG0ACgkQ9CaO5/Lv0PAiqwCbBS0d+QZ2rpRqE6ls0GrzgT74 CiQAoJVvXVC25ioMpzU/ZyP0EjcJ45rq =w9Iy -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: custom header
Anthony J. Biacco wrote: Is there a way to set a custom HTTP header from tomcat/mod_jk for the AJP connector? Short of changing the tomcat/mod_jk source code, that is. I have requests go from apache - mod_jk - tomcat, multiple servers, and I want to see in a Response header what tomcat my request is getting processed by. I am not sure that this is the quickest/easiest solution, but you should be able to do that with a servlet filter at the Tomcat level. Maybe have a look at the usual toolbox for this kind of thing : urlrewritefilter at tuckey.org ? It should allow you to add a custom response header without any reprogramming. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: custom header
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 6/5/2009 11:59 AM, André Warnier wrote: you should be able to do that with a servlet filter at the Tomcat level. +1 At first read, it sounded like the OP was trying to set a header in mod_jk so that Tomcat could read it. But it looks like exactly the opposite is true: Tomcat should be setting the header in the response before it goes back to httpd (and, ultimately, the client). Maybe have a look at the usual toolbox for this kind of thing : urlrewritefilter at tuckey.org ? It should allow you to add a custom response header without any reprogramming. Cool! André, you're quickly becoming our resident expert on url-rewrite. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkopQx4ACgkQ9CaO5/Lv0PDifACgrq3NZA0taKGnMUwFj6IU/Llv +ukAoLEmLwf4PCkHR7xgYUkfQ63ZIGQ9 =uzOK -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
Christopher Schultz wrote: For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are vulnerable. I'm afraid I still don't understand the vulnerability in 5.5's DataSourceRealm (the one I actually look at in detail): the NPE occurs (in the unpatched code) regardless of the presence of a valid user(name). You need to go back to what the code looked like between 5.5.0 and 5.5.5. It was very different back then. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Deploying .war-file in Tomcat 5.5
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kai, On 6/5/2009 9:04 AM, Kai Behncke wrote: Thank you very much. When I just did apt-get install tomcat 5.5 and I copied the .war file then to /var/lib/tomcat5.5/webapps it`s unpacked without any problems. So, the webapps directory is really /var/lig/tomcat5.5/webapps. You were trying /usr/lib/tomcat5.5/webapps before, which is why it didn't work. But if I call then http://www.mysite.de:8180/my_servlet I don`t see anything in the browser?? See Chuck's response: you aren't using the right URL. Give us some specifics (like the name of the WAR file and the url mapping for the servlet you're trying to invoke) and we'll try to help you make contact. But if I copy the unpacked-sources from /var/lib/tomcat5.5/webapps/my_servlet to /usr/share/tomcat5.5-webapps/ROOT/ I get a result by doing http://www.mysite.de:8180/my_servlet That's because you're re-naming your own webapp to ROOT, essentially. Do I need apt-get install tomcat5.5-webapps to see a result in the browser? No. And what is the difference between tomcat 5.5 and tomcat5.5-webapps? tomcat5.5-webapps just includes the sample webapps that come with Tomcat, probably including the default ROOT webapp. I disagree with Chuck's complaint about this packaging: it actually looks quite sane to me: system-installed stuff goes into /usr/share/tomcat5.5/webapps and probably has XML context files in an appropriate location (don't ask me where!) to load those. /var/lib/tomcat5.5/webapps is the auto-deploy directory that mere mortals get to use (though usually /var is read-only for non-root users, so... wtf?). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkopRMsACgkQ9CaO5/Lv0PDnNQCfWWqdfJ5MHG/9ljiiMSVusRtW dOcAnRsDkdQ6vbpaL344923rboSj1Ars =Kr6M -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 6/5/2009 12:14 PM, Mark Thomas wrote: Christopher Schultz wrote: For the JDBC and DataSource Realms, earlier versions (5.5.0 to 5.5.5 and 4.1.0 to 4.1.31 with the DataSource Realm introduced in 4.1.17) are vulnerable. I'm afraid I still don't understand the vulnerability in 5.5's DataSourceRealm (the one I actually look at in detail): the NPE occurs (in the unpatched code) regardless of the presence of a valid user(name). You need to go back to what the code looked like between 5.5.0 and 5.5.5. It was very different back then. Apologies: it's noon and I'm still bleary-eyed. I was reading 5.5.0 - 5.5.5 as 5.0 - 5.5. The actual fix then truly occurred between 5.5.0 and 5.5.5 in the 5.5.x branch, and the most recent commit amounts to both a performance optimization and triple-check that this type of bug won't bite again anytime soon. Thanks for clarifying (again). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkopRXAACgkQ9CaO5/Lv0PBnGgCeOaKePvSB7Xm05aFqt0cPO6sR sGkAn19hZSb02h8jGnLtugt/3bIyZn0b =tJvn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat connector manipulation
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 5/27/2009 6:14 PM, Caldarale, Charles R wrote: From: xalia...@freemail.gr [mailto:xalia...@freemail.gr] Subject: tomcat connector manipulation Is there a way to be able to handle at first the one connector ( (high prior.) and then the other one? Nothing I can think of currently in Tomcat or the servlet spec would help here. You could write a Valve for the Engine or Host that gets called early in the processing chain to invoke Thread.setPriority() with a value appropriate to the request; how much effect this will have is hard to say. Not necessary: use an executor with threadPriority set. http://tomcat.apache.org/tomcat-6.0-doc/config/executor.html My advice would be to set up two connectors (as the OP suggested) and use two different executors: one with priority set higher and the other, lower. I would also give the high-priority connector more connections in its pool, while the lower-priority one gets fewer. You might even want to go further and use two different database connection pools, with the higher-priority clients having a larger pool than the lower-priority ones. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkopRncACgkQ9CaO5/Lv0PByrQCgwxboJ92co6RsfcsNsSDXCrQD STUAniExal0b6+A2Sfh6nEZRciAMCgiK =ci2J -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Deploying .war-file in Tomcat 5.5
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Deploying .war-file in Tomcat 5.5 I disagree with Chuck's complaint about this packaging: it actually looks quite sane to me: system-installed stuff goes into /usr/share/tomcat5.5/webapps and probably has XML context files in an appropriate location (don't ask me where!) to load those. /var/lib/tomcat5.5/webapps is the auto-deploy directory that mere mortals get to use (though usually /var is read-only for non-root users, so... wtf?). Your don't ask me where and wtf comments seem to conflict with your looks quite sane to me statement... The Debian file scattering approach makes it extremely difficult for anyone not running that Debian level and that specific Debian repackaged version of Tomcat to provide anything other than general advice. When the repackagers start to muck around in server.xml changing defaults (some of them do), it gets even worse. Ergo, if you want advice from the Tomcat users mailing list, it's best to use a standard Tomcat; otherwise, you will likely need help from a platform-specific forum. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: tomcat-connectors mod_jk.dsp file will not load in Visual Studio 2005
Andy try Unix2Dos TextFile http://www.softpedia.com/get/System/File-Management/Unix2Dos.shtml --attempt at building mod_jk (libhttpd.dll first) i cannot get libhttpd.dll to build (dependency to apache2/mod_jk) Configuration: libhttpd - Win32 Release Creating include/os.h Generating test_char.h from gen_test_char.exe '.\server\gen_test_char.exe' is not recognized as an internal or external command, operable program or batch file. Error executing c:\windows\system32\cmd.exe. libhttpd.dll - 1 error(s), 0 warning(s) gen_test_char.exe location? Martin __ Verzicht und Vertraulichkeitanmerkung Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. Date: Fri, 5 Jun 2009 15:36:52 +0200 From: rainer.j...@kippdata.de To: users@tomcat.apache.org Subject: Re: tomcat-connectors mod_jk.dsp file will not load in Visual Studio 2005 On 04.06.2009 01:33, Andy Wang wrote: Hi all, I was able to get mod_jk building fine using Makefile.vc, but couldn't get the .dsp file loaded into Visual Studio 2005. Anyone know if there's a trick to this, or should I just not care (it does build and seem to work fine with the Makefile). When Visual Studio 2005 tries to convert mod_jk.dsp to the newer format it complains with a Cannot load the project due to a corrupt project file popup. Does anyone really care about this or should I just ignore it? Mladen is right :) - should work when converted to DOS line endings I just now tested it again. - have a look at the provided binaries Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org _ Windows Live™ SkyDrive™: Get 25 GB of free online storage. http://windowslive.com/online/skydrive?ocid=TXT_TAGLM_WL_SD_25GB_062009
Re: concurrent connections with mod_jk/apache/tomcat
Jason Joseph wrote: Christopher Schultz wrote: .. lots of things .. I can't imagine that MaxRequestsPerChild would contribute to this problem. Maybe if you had MaxRequestPerChild set to 1 I might believe it, but you have it set to 0 which means children never die. Wouldn't MaxRequestPerChild set to 1 force the server to start a new process for every new HTTP request it got? Yes, and that would be a terrible idea, performance-wise. Just adding my grain of salt here, the way I understand how it works. The KeepAlive feature is something that was added to HTTP, so that the client and server would not need to create and tear down a new TCP connection for each request, and thus improve performance. The basic idea is that the same TCP connection can be re-used for several /successive/ requests/responses between the same client and server. (It also means that, on the server side, a child or thread of the server will be kept busy, tied on this TCP connection waiting for more requests, as long as the KeepAlive timeout has not been reached). But this does not mean that the basic nature of HTTP is changed : on that same TCP connection, individual request/response cycles are still consecutive, not simultaneous. The only time when a browser would fire off simultaneous requests, is if there were several windows or frames open, each making its own connection, and requests on it. There is no way the same browser window can make several requests at the same time, receive several answers maybe in a different order (depending on how long it takes to fulfill each request), and discriminate between these answers to know which one corresponds to which request. In other words, if I remember correctly the initial question, if the browser fires off a series of consecutive requests (each time waiting for the corresponding response), and one of these requests takes 30 seconds to fulfill, then the browser will wait these 30 seconds for that particular response, before sending the next request. That is the normal behaviour. If you want to avoid that, you could for instance organise your pages so that the long-duration request is made from within an iframe (which should be considered as a separate window, and thus maybe will create its own server TCP connection). Just to be perfectly clear, let me give an example : The first browser request is for an html page. It creates the TCP connection to the server and sends the request. The response comes back, in the form of the requested html page, and the browser starts interpreting it and rendering it. Now it just so happens that this html page contains 5 img tags pointing to the same server. Then, while it is rendering the initial page, the client browser can keep using the existing TCP connection to send the first img request, and receive the response (an image). Then it finds the next img tag, and sends the next request, etc.. When it has finished rendering the page (and all its embedded images), the browser does not send any request anymore for a while, and the KeepAlive timeout expires, and the server can now close this connection and release the child/thread. Now if instead of a simple static image, the third of these img tags happens to require a call to a back-end Tomcat, and generating that image takes 30 seconds, then the browser will never continue to the 4th img tag before it has this particular response. But if this img tag happened to be inside a separate iframe, then this iframe /may/ open another TCP connection to the server, get a different child/thread, and be loading separately while the server continues with the original window and page. May. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Having trouble with Tomcat 6.0.20 embedded in Red5
Mondain wrote: The fix didn't work, I still see the same error. I set the same name on the Service and the Engine now, previously the Service (Embedded) did not have a name set. Here is the relevant portion of the code: embedded = new Embedded(); embedded.createLoader(originalClassLoader); embedded.setCatalinaBase(serverRoot); embedded.setCatalinaHome(serverRoot); embedded.setName(serviceEngineName); engine = embedded.createEngine(); engine.setDefaultHost(host.getName()); engine.setName(serviceEngineName); The string serviceEngineName is set to red5Engine. Do I need some other form of registration prior to calling embedded.start()? I might have a patch for this. How happy are you building from source to try it out? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: concurrent connections with mod_jk/apache/tomcat
From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: concurrent connections with mod_jk/apache/tomcat The only time when a browser would fire off simultaneous requests, is if there were several windows or frames open, each making its own connection, and requests on it. Not true; a browser will normally open extra connections for any objects associated with a page, including style sheets, embedded images, applets, etc. For a given connection, there can be only one request outstanding at a time, but it's perfectly normal for a simple page to result in multiple connections being established. Most browsers adhere to the HTTP RFC recommendation of no more than two simultaneous connections to one host, but that appears to be increasingly ignored (or at least configurable) in newer browsers. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Having trouble with Tomcat 6.0.20 embedded in Red5
Mark,I'm perfectly ok with building the source and would be glad to test your patch. Paul On Fri, Jun 5, 2009 at 10:08 AM, Mark Thomas ma...@apache.org wrote: Mondain wrote: The fix didn't work, I still see the same error. I set the same name on the Service and the Engine now, previously the Service (Embedded) did not have a name set. Here is the relevant portion of the code: embedded = new Embedded(); embedded.createLoader(originalClassLoader); embedded.setCatalinaBase(serverRoot); embedded.setCatalinaHome(serverRoot); embedded.setName(serviceEngineName); engine = embedded.createEngine(); engine.setDefaultHost(host.getName()); engine.setName(serviceEngineName); The string serviceEngineName is set to red5Engine. Do I need some other form of registration prior to calling embedded.start()? I might have a patch for this. How happy are you building from source to try it out? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- http://gregoire.org/ http://code.google.com/p/red5/ http://code.google.com/p/blue5/
Hibernate
I am learning Hibernate and doing examples from a book. I have all of the jars the book has, but can't import perstistence.*. It will HSQL too. Which jar ha S this? Thanks Chris Lenart
Re: Having trouble with Tomcat 6.0.20 embedded in Red5
Mondain wrote: Mark,I'm perfectly ok with building the source and would be glad to test your patch. Great! Here it is: https://issues.apache.org/bugzilla/show_bug.cgi?id=47316#c3 Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Hibernate
Mail the hibernate users list, and I will help there. https://lists.jboss.org/mailman/listinfo/hibernate-users -Original Message- From: Chris Lenart [mailto:clen...@comcast.net] Sent: Friday, June 05, 2009 14:13 To: users@tomcat.apache.org Subject: Hibernate I am learning Hibernate and doing examples from a book. I have all of the jars the book has, but can't import perstistence.*. It will HSQL too. Which jar ha S this? Thanks Chris Lenart - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Hibernate
THANKS -Original Message- From: Jason Pyeron [mailto:jpye...@pdinc.us] Sent: Friday, June 05, 2009 1:29 PM To: 'Tomcat Users List' Subject: RE: Hibernate Mail the hibernate users list, and I will help there. https://lists.jboss.org/mailman/listinfo/hibernate-users -Original Message- From: Chris Lenart [mailto:clen...@comcast.net] Sent: Friday, June 05, 2009 14:13 To: users@tomcat.apache.org Subject: Hibernate I am learning Hibernate and doing examples from a book. I have all of the jars the book has, but can't import perstistence.*. It will HSQL too. Which jar ha S this? Thanks Chris Lenart - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Hibernate
one of n number Databases to choose from in $HIBERNATE_HOME/etc/hibernate.properties you can enable the properties for the DB entry by removing # in 1st column or disable the properties of the DB by placing a # in 1st column as in this example ## HypersonicSQL is enabled by default hibernate.dialect org.hibernate.dialect.HSQLDialect hibernate.connection.driver_class org.hsqldb.jdbcDriver hibernate.connection.username sa hibernate.connection.password hibernate.connection.url jdbc:hsqldb:./build/db/hsqldb/hibernate #hibernate.connection.url jdbc:hsqldb:hsql://localhost #hibernate.connection.url jdbc:hsqldb:test ## H2 (www.h2database.com) #hibernate.dialect org.hibernate.dialect.H2Dialect #hibernate.connection.driver_class org.h2.Driver #hibernate.connection.username sa #hibernate.connection.password #hibernate.connection.url jdbc:h2:mem:./build/db/h2/hibernate #hibernate.connection.url jdbc:h2:testdb/h2test #hibernate.connection.url jdbc:h2:mem:imdb1 #hibernate.connection.url jdbc:h2:tcp://dbserv:8084/sample; #hibernate.connection.url jdbc:h2:ssl://secureserv:8085/sample; #hibernate.connection.url jdbc:h2:ssl://secureserv/testdb;cipher=AES ## MySQL (important ones are driver_class, url, username and password #hibernate.dialect org.hibernate.dialect.MySQLDialect #hibernate.dialect org.hibernate.dialect.MySQLInnoDBDialect #hibernate.dialect org.hibernate.dialect.MySQLMyISAMDialect #hibernate.connection.driver_class com.mysql.jdbc.Driver #hibernate.connection.url jdbc:mysql:///test #hibernate.connection.username gavin #hibernate.connection.password HTH Martin Gainty __ Jogi és Bizalmassági kinyilatkoztatás/Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité Ez az üzenet bizalmas. Ha nem ön az akinek szánva volt, akkor kérjük, hogy jelentse azt nekünk vissza. Semmiféle továbbítása vagy másolatának készítése nem megengedett. Ez az üzenet csak ismeret cserét szolgál és semmiféle jogi alkalmazhatósága sincs. Mivel az electronikus üzenetek könnyen megváltoztathatóak, ezért minket semmi felelöség nem terhelhet ezen üzenet tartalma miatt. Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. From: jpye...@pdinc.us To: users@tomcat.apache.org Subject: RE: Hibernate Date: Fri, 5 Jun 2009 14:28:59 -0400 Mail the hibernate users list, and I will help there. https://lists.jboss.org/mailman/listinfo/hibernate-users -Original Message- From: Chris Lenart [mailto:clen...@comcast.net] Sent: Friday, June 05, 2009 14:13 To: users@tomcat.apache.org Subject: Hibernate I am learning Hibernate and doing examples from a book. I have all of the jars the book has, but can't import perstistence.*. It will HSQL too. Which jar ha S this? Thanks Chris Lenart - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org _ Lauren found her dream laptop. Find the PC that’s right for you. http://www.microsoft.com/windows/choosepc/?ocid=ftp_val_wl_290
Re: Having trouble with Tomcat 6.0.20 embedded in Red5
Mark,Thanks for the patch; it works like a champ! Now how can I use this with future releases of Tomcat? Will I have to reapply it each time? Paul On Fri, Jun 5, 2009 at 11:25 AM, Mark Thomas ma...@apache.org wrote: Mondain wrote: Mark,I'm perfectly ok with building the source and would be glad to test your patch. Great! Here it is: https://issues.apache.org/bugzilla/show_bug.cgi?id=47316#c3 Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- http://gregoire.org/ http://code.google.com/p/red5/ http://code.google.com/p/blue5/
Re: concurrent connections with mod_jk/apache/tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 6/5/2009 1:17 PM, Caldarale, Charles R wrote: From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: concurrent connections with mod_jk/apache/tomcat The only time when a browser would fire off simultaneous requests, is if there were several windows or frames open, each making its own connection, and requests on it. Not true; a browser will normally open extra connections for any objects associated with a page, including style sheets, embedded images, applets, etc. Yes, and this appears to be the case that the OP gave: firebug in fact shows that some resources are fetched /before/ the last byte of the parent request is received. But, of course, only for Tomcat standalone. I am unclear as to why these two servers could be behaving differently. It seems that the requests are partially serialized when httpd is in the mix. I wonder if mod_jk is buffering the response in httpd so most of the 3.2 seconds the response takes to come back is spent in httpd just waiting for the final byte to flush back to the client. When contacting Tomcat directly, the bytes (maybe) come back sooner, and so the browser can start making requests for dependent files earlier. 4KiB (the size of the primary response) sounds like it might just small enough to fit into a default buffer for mod_jk. Try some of these options, individually and/or together: JkOptions +FlushHeader +FlushPackets Setting +FlushPackets will make mod_jk send the bytes it receives from Tomcat /immediately/ with no further buffering (other than the size of an AJP packet, which is allegedly limited to 8KiB). Another option would be to use mox_proxy_http instead of mod_jk, which may have other buffering options to play with. Hope that helps, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkopelgACgkQ9CaO5/Lv0PBMHACffr4twpz0jzle7foYFVME+/Qf MogAoMONTyAwf2dXi+w3+JhkfRo3ZCgT =i5Xv -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Centos 5 OS not releasing memory Tomcat6
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Marc, You haven't yet provided any proof that any memory (at all) is allocated to Tomcat 6. Could you maybe show us some output of top or ps or something like that? If you're convinced that it's an OS problem, why not ask someone at CentOS? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkopfA0ACgkQ9CaO5/Lv0PBHNACdHV/SNYQ2YBeapS6SrQYPlZ/I YDEAnReJZ3t+zUguIlzypkXnrVS2pYWK =qGdc -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: concurrent connections with mod_jk/apache/tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 All, I just noticed something else: the two firebug examples provided in the OP have wildly differing primary response sizes: the direct-to-Tomcat one has a 16KiB response while the via-httpd response is a mere 4KiB. Jason, can you provide two sample runs of identical requests? Let's make sure we're comparing apples to oranges. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkopfQkACgkQ9CaO5/Lv0PAabgCfaqD1QrCf8Lj+WT8UEDeitxbO Y7QAn3APkhp7wNIY/GZYqbBTZxGkpdS6 =t4hv -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: concurrent connections with mod_jk/apache/tomcat
On 05.06.2009 22:04, Christopher Schultz wrote: Chuck, On 6/5/2009 1:17 PM, Caldarale, Charles R wrote: From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: concurrent connections with mod_jk/apache/tomcat The only time when a browser would fire off simultaneous requests, is if there were several windows or frames open, each making its own connection, and requests on it. Not true; a browser will normally open extra connections for any objects associated with a page, including style sheets, embedded images, applets, etc. Yes, and this appears to be the case that the OP gave: firebug in fact shows that some resources are fetched /before/ the last byte of the parent request is received. But, of course, only for Tomcat standalone. I am unclear as to why these two servers could be behaving differently. It seems that the requests are partially serialized when httpd is in the mix. I wonder if mod_jk is buffering the response in httpd so most of the 3.2 seconds the response takes to come back is spent in httpd just waiting for the final byte to flush back to the client. When contacting Tomcat directly, the bytes (maybe) come back sooner, and so the browser can start making requests for dependent files earlier. Buffering inside httpd could be, but ... 4KiB (the size of the primary response) sounds like it might just small enough to fit into a default buffer for mod_jk. Try some of these options, individually and/or together: for 4KB I would expect, that the full response comes from Tomcat in one single AJP body packet (plus one header packet) and the buffering would then happen inside Tomcat. The OP could switch to JkLogLevel trace, so he would notice each AJP packet coming in from Tomcat with its hex dump and verify, that there is one header packet and then only one packet with the full body. If so, the only possibility would be to already try to flush inside Tomcat, possibly combined with ... JkOptions +FlushHeader +FlushPackets in order to make the flush also effective for httpd. Setting +FlushPackets will make mod_jk send the bytes it receives from Tomcat /immediately/ with no further buffering (other than the size of an AJP packet, which is allegedly limited to 8KiB). Another option would be to use mox_proxy_http instead of mod_jk, which may have other buffering options to play with. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat relative path
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 5/28/2009 9:25 PM, Caldarale, Charles R wrote: From: tcwarrior [mailto:sr_s...@yahoo.com] Subject: Tomcat relative path We had a consultant tell us since we have 49 images loading on our homepage we should change this so parallel downloads occur. I hope you didn't pay that consultant very much. All web browsers make concurrent requests for images, style sheets, applets, etc., that are embedded in web pages. However, unless tweaked, most browsers limit the concurrency to two - as recommended by the HTTP RFC. Nothing you do on the server can change that. There are actually some things you can do on the server-side that will affect the parallelism of requests (okay, technically, it's the response content that controls it, not that the server is controlling the browser). See these resources for an interesting read: http://www.stevesouders.com/blog/2009/04/09/dont-use-import/ http://www.stevesouders.com/blog/2009/04/27/loading-scripts-without-blocking/ http://www.stevesouders.com/blog/2009/05/12/sharding-dominant-domains/ http://www.stevesouders.com/blog/2009/05/18/flushing-the-document-early/ I'm sure there are other tricks that can be done, too. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkopgIYACgkQ9CaO5/Lv0PAUhwCcCXaN5Dssbkh+XVnFJpeZ9nY1 TZgAni+gyWRtOjA2eRd52xXdNJ8DXVd0 =Gy95 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Context failed to load due to previous error
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Arvind, On 5/29/2009 7:38 AM, S Arvind wrote: Recently in our Tomcat 6 , when we restart the tomcat we are getting the problem such as *Context[/] failed to load due to previous error. * listenerstart cannot be loaded , something like that. So did you check to see what that previous error was? It might be in youapp.log instead of catalina.out. after many restarts its finally loading all the context. We are having around 100 differnt context in confCatalinadomain.com folder. What it will be the problem. How to find that previous errors. You can definitely narrow-down the problem to a single webapp by looking at the X in your above error message. Many of lifes failure are people who did not realize how close they were to success when they gave up. I sure hope Thomas Edison said Many of life's failures are people who did not realize how close they were to success when they gave up. instead of what you have up there. :( - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkopgYwACgkQ9CaO5/Lv0PDuhgCfZhh+Tny1vo9utg1S815T2b9e g84Ani4g7yy8E2n4V5bxO2wlG2qT3J2i =VH3T -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat relative path
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: Tomcat relative path See these resources for an interesting read: http://www.stevesouders.com/blog/2009/05/12/sharding-dominant-domains/ Yes, it was the sharding one that the OP was trying to use, but that wasn't at all clear from the original message. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Having trouble with Tomcat 6.0.20 embedded in Red5
Mondain wrote: Mark,Thanks for the patch; it works like a champ! Now how can I use this with future releases of Tomcat? Will I have to reapply it each time? Thanks for testing. Assuming it gets the necessary 3 +1s, it will be in 6.0.21 onwards. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Re: concurrent connections with mod_jk/apache/tomcat
Rainer Jung wrote: On 05.06.2009 22:04, Christopher Schultz wrote: Chuck, On 6/5/2009 1:17 PM, Caldarale, Charles R wrote: From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: concurrent connections with mod_jk/apache/tomcat The only time when a browser would fire off simultaneous requests, is if there were several windows or frames open, each making its own connection, and requests on it. Not true; a browser will normally open extra connections for any objects associated with a page, including style sheets, embedded images, applets, etc. Yes, and this appears to be the case that the OP gave: firebug in fact shows that some resources are fetched /before/ the last byte of the parent request is received. But, of course, only for Tomcat standalone. I remember when Mozilla used to have a plugin that allowed you to speed up browsing by increasing the amount of simultaneous open connections you had but they suggested against numbers higher than 2 because it was against the HTTP1.1 spec :) for 4KB I would expect, that the full response comes from Tomcat in one single AJP body packet (plus one header packet) and the buffering would then happen inside Tomcat. The OP could switch to JkLogLevel trace, so he would notice each AJP packet coming in from Tomcat with its hex dump and verify, that there is one header packet and then only one packet with the full body. http://www.myownbriefcase.com/apache_mod_jk.log Here is my mod_jk log with LogLevel trace on. This was cleared prior to running this so it is for a single request. As far as I can tell there is only one header packet... [debug] ajp_unmarshal_response::jk_ajp_common.c (615): Number of headers is = 1 I assume that means only one body packet was sent as well? I am having a little trouble deciphering all of the log but I believe its all one body packet after that? If so, the only possibility would be to already try to flush inside Tomcat, possibly combined with ... JkOptions +FlushHeader +FlushPackets in order to make the flush also effective for httpd. This definitely fixed the issue! +FlushHeader did not seem to have any effect but +FlushPackets definitely changed the behavior so it was acting like Tomcat direct. Here are the results... http://207.7.102.90/~thecorp/apache-ajp-withflush.jpg http://www.myownbriefcase.com/apache_mod_jk-withflush.log Just reading through the documentation for FlushPackets it states, This option can have a strong performance penalty for Apache and Tomcat as writes are performed more often than would normally be required (ie: at the end of each response). Is this something I should be concerned about? I am most likely not going to be going with the AJP solution considering your comments regarding Tomcat's performance until I see some more compelling reason to start using Apache. Setting +FlushPackets will make mod_jk send the bytes it receives from Tomcat /immediately/ with no further buffering (other than the size of an AJP packet, which is allegedly limited to 8KiB). Another option would be to use mox_proxy_http instead of mod_jk, which may have other buffering options to play with. Regards, Rainer As a side note to Chris, no matter what I did, the size of the employerBriefcase.action through Tomcat was 16kB and 4kB through AJP. Although as you can see in the last picture with flush enabled the action is now 5kB. I think I have figured it out though, I just realized I have mod_deflate enabled for Apache. Would that apply to data coming back from the AJP connector as well? Thats my best guess as to the discrepancy you noticed. Thanks again for helping me figure this out, definitely an interesting issue, I think I am beginning to understand the whole connection/HTTP process a little better now :) Jason - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Re: concurrent connections with mod_jk/apache/tomcat
Rainer Jung wrote: JkOptions +FlushHeader +FlushPackets in order to make the flush also effective for httpd. Just realized I didn't disable caching before I did that last test, heres the image with caching disabled. http://207.7.102.90/~thecorp/apache-ajp-withflush-nocache.jpg Its 2 seconds slower than tomcat but its definitely loading files concurrently as it should. Any ideas why the static files are taking so much longer than with tomcat? Jason - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: concurrent connections with mod_jk/apache/tomcat
So it seems I put my foot (feet ?) in my mouth about the single browser connection. The rest of what I wrote is generally true though, just consider two connnections instead of one then (per window I suppose, although I'm not sure of that either). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: concurrent connections with mod_jk/apache/tomcat
On 05.06.2009 23:34, Jason Joseph wrote: Rainer Jung wrote: On 05.06.2009 22:04, Christopher Schultz wrote: Chuck, On 6/5/2009 1:17 PM, Caldarale, Charles R wrote: From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: concurrent connections with mod_jk/apache/tomcat The only time when a browser would fire off simultaneous requests, is if there were several windows or frames open, each making its own connection, and requests on it. Not true; a browser will normally open extra connections for any objects associated with a page, including style sheets, embedded images, applets, etc. Yes, and this appears to be the case that the OP gave: firebug in fact shows that some resources are fetched /before/ the last byte of the parent request is received. But, of course, only for Tomcat standalone. I remember when Mozilla used to have a plugin that allowed you to speed up browsing by increasing the amount of simultaneous open connections you had but they suggested against numbers higher than 2 because it was against the HTTP1.1 spec :) for 4KB I would expect, that the full response comes from Tomcat in one single AJP body packet (plus one header packet) and the buffering would then happen inside Tomcat. The OP could switch to JkLogLevel trace, so he would notice each AJP packet coming in from Tomcat with its hex dump and verify, that there is one header packet and then only one packet with the full body. http://www.myownbriefcase.com/apache_mod_jk.log Here is my mod_jk log with LogLevel trace on. This was cleared prior to running this so it is for a single request. As far as I can tell there is only one header packet... [debug] ajp_unmarshal_response::jk_ajp_common.c (615): Number of headers is = 1 No this is the number of HTTP headers contained in the response. but nevertheless its only one header packet received from ajp13 pos=0 len=51 max=8192 but the following body packets are the more interesting: received from ajp13 pos=0 len=2281 max=8192 !DOCTYPE html ... a href=/WebApp_ID/public/logout.action.class=thf_line followed by received from ajp13 pos=0 len=14 max=8192 logout/a and then many more packets: received from ajp13 pos=0 len=2746 max=8192 received from ajp13 pos=0 len=149 max=8192 received from ajp13 pos=0 len=979 max=8192 received from ajp13 pos=0 len=6532 max=8192 received from ajp13 pos=0 len=303 max=8192 received from ajp13 pos=0 len=362 max=8192 received from ajp13 pos=0 len=2302 max=8192 received from ajp13 pos=0 len=15 max=8192 received from ajp13 pos=0 len=177 max=8192 in sum about 16KB in a total of 11 body packets. So it might well be, that they were buffered by Apache and recombined in different chunks to be sent out. I assume that means only one body packet was sent as well? I am having a little trouble deciphering all of the log but I believe its all one body packet after that? See above. If so, the only possibility would be to already try to flush inside Tomcat, possibly combined with ... JkOptions +FlushHeader +FlushPackets in order to make the flush also effective for httpd. This definitely fixed the issue! +FlushHeader did not seem to have any effect but +FlushPackets definitely changed the behavior so it was acting like Tomcat direct. Here are the results... http://207.7.102.90/~thecorp/apache-ajp-withflush.jpg http://www.myownbriefcase.com/apache_mod_jk-withflush.log Yes, in this log we can see, that shortly after the first body packet comes back from Tomcat, the browser already starts to retrieve embedded page objects, so Apache must have send out the first body packet immediately. Just reading through the documentation for FlushPackets it states, This option can have a strong performance penalty for Apache and Tomcat as writes are performed more often than would normally be required (ie: at the end of each response). Is this something I should be concerned about? I am most likely not going to be going with the AJP solution considering your comments regarding Tomcat's performance until I see some more compelling reason to start using Apache. It depends :) But what will be the resources used additionally by the overhead of sending more packets: - a bit more cpu - packets per second thoughput on TCP - bandwidth due to more TCP packet headers I would expect all those to be very minor relative to the amount of resources available on modern systems. So in general you don't want to always flush just because of general rules of careful resource usage. In your case, if you want to drive latency down as much as possible, it could be a viable decision to add the flush option. Setting +FlushPackets will make mod_jk send the bytes it receives from Tomcat /immediately/ with no further buffering (other than the size of an AJP packet, which is allegedly limited to 8KiB). Another option would be to use mox_proxy_http instead of mod_jk, which may have other
Re: concurrent connections with mod_jk/apache/tomcat
On 06.06.2009 01:35, Jason Joseph wrote: Rainer Jung wrote: JkOptions +FlushHeader +FlushPackets in order to make the flush also effective for httpd. Just realized I didn't disable caching before I did that last test, heres the image with caching disabled. http://207.7.102.90/~thecorp/apache-ajp-withflush-nocache.jpg Its 2 seconds slower than tomcat but its definitely loading files concurrently as it should. Any ideas why the static files are taking so much longer than with tomcat? The difference is obviously how the bunch of pictures is handled, that were retrieved close to the end. Those images - I suppose - are static content. They are very small. So needing 2 seconds to serve such an image is much to long. - Check retrieving the images without the rest of the page and confirm, that as single requests they need much less than a second in both scenarios. If yes, recheck, whether the bad behavour for retrieving the full page is stable (always bad, turn trace logging off!). If so, retrieve again with trace on, so that you can check where the long response times are happening from the point of view of Apache (between browser and Apache, Apache and Tomcat, sending data back, ...). Note: You added a time stamp format configuration for mod_jk to your httpd configuration. Remove it. Without it you would get millisecond time resolution in the JK log file, with your hard coded time format you only get seconds resolution. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: concurrent connections with mod_jk/apache/tomcat
On 06.06.2009 02:05, Rainer Jung wrote: On 06.06.2009 01:35, Jason Joseph wrote: Rainer Jung wrote: JkOptions +FlushHeader +FlushPackets in order to make the flush also effective for httpd. Just realized I didn't disable caching before I did that last test, heres the image with caching disabled. http://207.7.102.90/~thecorp/apache-ajp-withflush-nocache.jpg Its 2 seconds slower than tomcat but its definitely loading files concurrently as it should. Any ideas why the static files are taking so much longer than with tomcat? The difference is obviously how the bunch of pictures is handled, that were retrieved close to the end. Those images - I suppose - are static content. They are very small. So needing 2 seconds to serve such an image is much to long. The previously send log files show, that those .png requests are not forwarded to Tomcat. So what is actually answering them? Apache web server directly? Did you put them into the DocumentRoot? That should be much faster, than what you see. I hope you don't still have MaxRequestsPerChild set to 1? That would be very very bad. Start a couple of more servers with StartServers and increase the difference between MinSpareServers and MaxSpareServers. Anything special in the httpd error log? Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Application monitoring
All, What are you using for production monitoring and alerting for JVM apache based applications? I am referring to proactively monitoring and alerting of apache utilization(workers, requests etc), tomcat utilization(threads, heap, etc) , tracking Java methods, JSPs , servlets and also transaction tracking. We are currently evaluating a number of tools like CA( Wily Introscope CEM) , Opnet (Panorama ACE Live) HP (Diagnostics, SiteScope and BAC). Do you have any opinions/experiences about these tools? Is there any other tool out there that you are using which is worth investigating? If you are using these tools, are you running them continuously in production or only during project implementation? THanks, Chetan
Re: Application monitoring
Hyperic and zabbix -Original Message- From: Chetan Chheda chetan_chh...@yahoo.com Date: Fri, 5 Jun 2009 19:19:21 To: users@tomcat.apache.org Subject: Application monitoring All, What are you using for production monitoring and alerting for JVM apache based applications? I am referring to proactively monitoring and alerting of apache utilization(workers, requests etc), tomcat utilization(threads, heap, etc) , tracking Java methods, JSPs , servlets and also transaction tracking. We are currently evaluating a number of tools like CA( Wily Introscope CEM) , Opnet (Panorama ACE Live) HP (Diagnostics, SiteScope and BAC). Do you have any opinions/experiences about these tools? Is there any other tool out there that you are using which is worth investigating? If you are using these tools, are you running them continuously in production or only during project implementation? THanks, Chetan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org