Tomcat Cluster 6.0.20 & White sites
Hi everybody,
We have some issues with a Tomcat cluster. Sometimes (after a few hours without a restart of the services), the webserver doesn't deliver the complete content to the browser. That is, the header and some parts of the website appear in the browser, followed only by a blank, white page. In the source code in HTML view it is the same leak. Only after a restart of the services is the content delivered completely.
It is a Win 2003 Server with JDK 1.6 32-Bit; the Server jvm.dll is called from Tomcat. It is a 2-node cluster with Apache 2.2.14, Tomcat 6.0.20 and mod_jk 1.2.28. In front of this cluster there is a hardware load balancer, a BigIP from F5.
Does anybody have an idea why the cluster stops delivering content after a period of hours?
Greetings
Alexander
RE: multiple URI
Modify your servlet mapping in your web.xml so that you have more than one mapping to that servlet. Take the following xml snippet as an example; each of the three servlet mappings will map to a single servlet. This would allow someone to use three different URLs to access the same servlet.

<servlet>
  <servlet-name>RequestFactory</servlet-name>
  <servlet-class>com.foo.web.servlet.RequestFactory</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>RequestFactory</servlet-name>
  <url-pattern>/RequestFactory</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>RequestFactory</servlet-name>
  <url-pattern>/Request</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>RequestFactory</servlet-name>
  <url-pattern>/SomeOtherUrl</url-pattern>
</servlet-mapping>

-Original Message-
From: Vadym Chepkov [mailto:chep...@yahoo.com]
Sent: Tuesday, January 19, 2010 12:17 PM
To: users@tomcat.apache.org
Subject: multiple URI
Greetings,
I want a servlet to serve two different urls: http://server/A and http://server/B, but I don't want to install this servlet as a ROOT servlet. Is this possible in tomcat 6?
Thank you.
Sincerely yours,
Vadym Chepkov
Tomcat Cluster 6.0.18 & White sites
Hi everybody,
We have some issues with a Tomcat cluster. Sometimes (after a few hours without a restart of the services), the webserver doesn't deliver the complete content to the browser. That is, the header and some parts of the website appear in the browser, followed only by a blank, white page. In the source code in HTML view it is the same leak. Only after a restart of the services is the content delivered completely.
It is a Win 2003 Server with JDK 1.6; the Server jvm.dll is called from Tomcat. It is a 2-node cluster with Apache 2.2.14, Tomcat 6.0.20 and mod_jk 1.2.28. In front of this cluster there is a hardware load balancer, a BigIP from F5.
Does anybody have an idea why the cluster stops delivering content after a period of hours?
Greetings
Alexander
Tomcat Realm
Hi,
I'm using tomcat5.5. My question is: is it possible to implement a realm to identify valid users of a web application, where the username and password come from a central LDAP directory server and the role of the user comes from a local file such as tomcat-user.xml instead?
Thanks,
Aihong Yin.
RE: Different apps clustering on the same Tomcat?
> From: John Tangney [mailto:jo...@jdtangney.com]
> Subject: Different apps clustering on the same Tomcat?
>
> Is it possible to get two apps in the same Tomcat instance to exchange
> session info, in a cluster? If so, how?
Not sure what you're asking. If there's only one Tomcat instance, there's no cluster. Multiple apps in one Tomcat cannot share a session, since that's prohibited by the servlet spec. You can create a bean from a class in a shared library to hold data needed by both apps.
If you really do have a cluster of multiple Tomcat instances, you can choose to replicate session information across them by any of several means. Consult the documentation for details:
http://tomcat.apache.org/tomcat-6.0-doc/cluster-howto.html
- Chuck
Different apps clustering on the same Tomcat?
Is it possible to get two apps in the same Tomcat instance to exchange session info, in a cluster? If so, how?
Thanks!
--johnt
Modifying value or format of HTTPServletRequest.getRemoteUser()
I have a Jaas plugin where I'm using basic auth. It authenticates the user successfully, and in the jaas plugin I make it so request.getUserPrincipal().getName() it returns the format of the username I want shown to the app. But HttpServletRequest.getRemoteUser always returns the value of the username in the HTTP AUTHORIZATION header. How do I modify what getRemoteUser returns to always match the request.getUserPrincipal().getName()? Thanks, Christopher
RE: multiple URI
> From: Vadym Chepkov [mailto:chep...@yahoo.com]
> Subject: multiple URI
>
> I want a servlet to serve two different urls: http://server/A and
> http://server/B, but I don't want to install this servlet as a ROOT
> servlet. Is this possible in tomcat 6?
Do you mean you want the same webapp to be accessed by multiple URLs? If it's ok to have more than one instance of the webapp, just deploy it multiple times, once for each URL. If you want aliases for a single webapp, the easiest thing is to forward or redirect requests to the aliases using the tuckey rewrite filter:
http://tuckey.org/urlrewrite/
- Chuck
multiple URI
Greetings,
I want a servlet to serve two different urls: http://server/A and http://server/B, but I don't want to install this servlet as a ROOT servlet. Is this possible in tomcat 6?
Thank you.
Sincerely yours,
Vadym Chepkov
Re: TCNative installation failed
Nikolay,
On 1/19/2010 9:59 AM, Nikolay Diulgerov wrote:
> I followed this instruction (http://tomcat.apache.org/native-doc/),
> installed all the required packages for the compilation of TCNative
> (1.1.19),
>
> The configuration, compilation and installation went OK.
Great!
> Now in my $CATALINA_HOME/lib folder I have
Where does CATALINA_HOME point?
> LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib
> export LD_LIBRARY_PATH
That looks good.
> But when I start tomcat, it seems tcnative library cannot be found (so
> not loaded).
>
> Jan 19, 2010 9:54:13 AM org.apache.catalina.core.AprLifecycleListener
> lifecycleEvent
>
> INFO: The Apache Tomcat Native library which allows optimal performance
> in production environments was not found on the java.library.path:
> /appsrv/jdk1.6.0_16/jre/lib/amd64/server:/appsrv/jdk1.6.0_16/jre/lib/amd
> 64:/appsrv/jdk1.6.0_16/jre/../lib/amd64::/appsrv/tomcat/lib:/usr/java/pa
> ckages/lib/amd64:/lib:/usr/lib
Is CATALINA_HOME set to "/appsrv/tomcat"? If so, then your LD_LIBRARY_PATH appears to be set correctly, which is good.
> Now in my $CATALINA_HOME/lib folder I have
>
> drwxr-xr-x 3 niki niki4096 2010-01-19 09:05 .
> drwxr-xr-x 13 niki niki4096 2010-01-19 08:43 ..
> -rw-r--r-- 1 niki niki 1574152 2010-01-19 09:05 libtcnative-1.a
> -rwxr-xr-x 1 niki niki 911 2010-01-19 09:05 libtcnative-1.la
> lrwxrwxrwx 1 niki niki 23 2010-01-19 09:05 libtcnative-1.so ->
> libtcnative-1.so.0.1.19
> lrwxrwxrwx 1 niki niki 23 2010-01-19 09:05 libtcnative-1.so.0 ->
> libtcnative-1.so.0.1.19
> -rwxr-xr-x 1 niki niki 889278 2010-01-19 09:05 libtcnative-1.so.0.1.19
> drwxr-xr-x 2 niki niki4096 2010-01-19 09:05 pkgconfig
The file libtcnative-1.so should be all you need (well, plus the file to which it points).
Everything you have done looks correct. I have a few possibilities I can think of:
1. Your tcnative library doesn't match the architecture of the JVM (i.e. JVM is 64-bit while library is 32-bit). You can find out what type the library is by doing:
   $ file $CATALINA_HOME/lib/libtcnative-1.so.0.1.19
2. You are running under a SecurityManager which does not permit you to load that native library from that location. Are you using a SecurityManager?
3. Your file paths are incorrect. You didn't say explicitly what CATALINA_HOME was, but I suspect everything is in order.
Hope that helps,
-chris
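Added example (not part of the message above, and not Tomcat project code): a Python version of the checks suggested in the reply, reading the ELF header of the library instead of running `file`, and comparing it with the JVM word size inferred from `java.library.path`. The function names and finding labels are hypothetical, the 32/64-bit inference from `jre/lib/amd64` versus `jre/lib/i386` is an assumption about the Sun JDK 6 directory layout, and the ELF headers are constructed samples.

```python
import struct

ET_DYN = 3                           # ELF e_type for a shared object
EM_NAMES = {3: "x86", 62: "x86-64"}  # ELF e_machine values (subset)

# java.library.path from the catalina.out excerpt in this thread, with the
# mail client's line wraps joined.
PAGE_LIBRARY_PATH = (
    "/appsrv/jdk1.6.0_16/jre/lib/amd64/server:/appsrv/jdk1.6.0_16/jre/lib/amd64:"
    "/appsrv/jdk1.6.0_16/jre/../lib/amd64::/appsrv/tomcat/lib:"
    "/usr/java/packages/lib/amd64:/lib:/usr/lib"
)


def elf_arch(header):
    """Decode word size, machine and object type from the first 20 ELF bytes."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    ei_class, ei_data = header[4], header[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid ELF identification bytes")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", header, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "machine": EM_NAMES.get(e_machine, hex(e_machine)),
        "shared": e_type == ET_DYN,
    }


def jvm_bits(library_path):
    """Heuristic (assumption): the JDK's own entries name its architecture."""
    entries = library_path.split(":")
    if any("/lib/amd64" in e for e in entries):
        return 64
    if any("/lib/i386" in e for e in entries):
        return 32
    return None


def check_tcnative(header, library_path, lib_dir):
    """Return a list of finding labels for one native library."""
    findings = []
    entries = library_path.split(":")
    # "$LD_LIBRARY_PATH:$CATALINA_HOME/lib" with an unset variable leaves an
    # empty entry; in LD_LIBRARY_PATH the dynamic linker reads that as the
    # current working directory.
    if "" in entries:
        findings.append("empty-path-entry")
    if lib_dir.rstrip("/") not in [e.rstrip("/") for e in entries if e]:
        findings.append("lib-dir-not-on-path")
    try:
        info = elf_arch(header)
    except ValueError:
        return findings + ["not-elf"]
    if not info["shared"]:
        findings.append("not-shared-object")
    bits = jvm_bits(library_path)
    if bits is not None and bits != info["bits"]:
        findings.append("arch-mismatch")
    return findings


def read_header(path):
    """Read the header of a real library; open() follows the .so symlinks."""
    with open(path, "rb") as fh:
        return fh.read(20)


def make_header(ei_class, machine):
    """Constructed little-endian ELF header for the examples below."""
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HH", ET_DYN, machine)


if __name__ == "__main__":
    for label, hdr in (("64-bit build", make_header(2, 62)),
                       ("32-bit build", make_header(1, 3))):
        print(label, check_tcnative(hdr, PAGE_LIBRARY_PATH, "/appsrv/tomcat/lib"))
```

On a real host, pass `read_header("$CATALINA_HOME/lib/libtcnative-1.so")` with the path expanded; writing the assignment as `LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$CATALINA_HOME/lib` avoids the empty entry.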
RE: SSLv3/TLS man-in-middle vulnerability
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> If you have to stay with 5.5.23, you'll need to go with the APR SSL
> connector.
>
> (slap me if I'm still wrong Charles, but I checked the doc and there
> doesn't appear to be support for NIO in 5.5.x)
That is correct; NIO was introduced with Tomcat 6.0. There are noticeable performance and security improvements in 6.0.x, so that would be the preferred approach, even if APR is used. Migration to 6.0.x is pretty much painless:
http://tomcat.apache.org/migration.html
- Chuck
RE: SSLv3/TLS man-in-middle vulnerability
As Charles said, move up to 6.0.20 and switch to the NIO connector.
If you have to stay with 5.5.23, you'll need to go with the APR SSL connector.
(slap me if I'm still wrong Charles, but I checked the doc and there doesn't appear to be support for NIO in 5.5.x)
Jeff
-Original Message-
From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
Sent: Tuesday, January 19, 2010 10:24 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability
Hi Charles,
FYI: This is in my listener list:
Added the "protocol" entry and now trying to start Tomcat manager results in "page cannot be displayed". Removing entry it starts. Added as follows:
Steve
Steve Johnson
From: "Caldarale, Charles R"
To: Tomcat Users List
Date: 01/19/2010 07:33 AM
Subject: RE: SSLv3/TLS man-in-middle vulnerability
Please respond to "Tomcat Users List"
> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: Re: SSLv3/TLS man-in-middle vulnerability
>
> maxThreads="150"
> minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure
> ="true" clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
> keystorePass="xxx" keystoreType="PKCS12" />
Add the following attribute to the above:
protocol="org.apache.coyote.http11.Http11NioProtocol"
Leave the AJP alone.
- Chuck
RE: I have a lot of process in my server
> From: Guifre Bosch Fabregas [mailto:guifre.bo...@gmail.com]
> Subject: I have a lot of process in my server
>
> Normally I see 20 process of *httpd *in my server but some time I see
> 200 (ps -ef | grep httpd | wc -l) and my Apache crash.
You are aware this is the Tomcat mailing list, not the one for httpd?
- Chuck
I have a lot of process in my server
Hi guys!
I have a linux environment with an Apache Tomcat 5.5. Normally I see 20 processes of *httpd* in my server, but sometimes I see 200 (ps -ef | grep httpd | wc -l) and my Apache crashes.
What's happening??? Where can I see the origin of the problem? I use the command "lsof -p PID" but I don't see anything.
Any ideas?
Very thanks!
RE: SSLv3/TLS man-in-middle vulnerability
Ah, didn't exactly ignore it, just forgot about it. I'd already removed it from the thread.
Good point.
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Tuesday, January 19, 2010 9:56 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> In particular, he stated that switching to the NIO connector at this
> point wouldn't address it (from my reading of his post), as the fix
> will require a JDK/JRE fix from the vendor and a workaround isn't
> available yet.
You ignored Filip's post:
"NIO doesn't allow handshakes and is not vulnerable. Instead it will time out the request. So if using Tomcat 6, then NIO is a work around."
http://marc.info/?l=tomcat-user&m=126384310705143&w=2
- Chuck
RE: SSLv3/TLS man-in-middle vulnerability
> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> FYI: This is in my listener list:
>
If the tcnative library isn't found, the above listener will simply display a message stating so in the logs, so it doesn't hurt to have it in there. But do check the logs to make sure that message is being displayed.
> Added the "protocol" entry and now trying to start Tomcat manager
> results in "page cannot be displayed".
You need to move up to 6.0.20, as mentioned earlier.
- Chuck
RE: SSLv3/TLS man-in-middle vulnerability
Hi Charles,
FYI: This is in my listener list:
Added the "protocol" entry and now trying to start Tomcat manager results in "page cannot be displayed". Removing entry it starts. Added as follows:
Steve
Steve Johnson
From: "Caldarale, Charles R"
To: Tomcat Users List
Date: 01/19/2010 07:33 AM
Subject: RE: SSLv3/TLS man-in-middle vulnerability
Please respond to "Tomcat Users List"
> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: Re: SSLv3/TLS man-in-middle vulnerability
>
> maxThreads="150"
> minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure
> ="true" clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
> keystorePass="xxx" keystoreType="PKCS12" />
Add the following attribute to the above:
protocol="org.apache.coyote.http11.Http11NioProtocol"
Leave the AJP alone.
- Chuck
RE: SSLv3/TLS man-in-middle vulnerability
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> In particular, he stated that switching to the NIO connector at this
> point wouldn't address it (from my reading of his post), as the fix
> will require a JDK/JRE fix from the vendor and a workaround isn't
> available yet.
You ignored Filip's post:
"NIO doesn't allow handshakes and is not vulnerable. Instead it will time out the request. So if using Tomcat 6, then NIO is a work around."
http://marc.info/?l=tomcat-user&m=126384310705143&w=2
- Chuck
RE: SSLv3/TLS man-in-middle vulnerability
You're right. I'd completely forgotten the SSL. Odd, since I do nothing but SSL here.
As I recall, it's re-issue your certificate in OpenSSL format (or convert it) and change the SSL specific parameters as follows:
Drop the "sslProtocol" and keystore* attributes and replace with
SSLEngine="on"
SSLCertificateFile="path"
SSLCertificateKeyFile="path"
SSLPassword="password"
Yes, re-issuing the cert or converting it will be a hassle, but is well documented on the website, as are the above attributes/parameters.
I addressed this as an answer to Mark's original suggestion, and I quote:
"Right now, the quickest way to fix this is to switch to the APR/native connector and use 1.1.19"
In particular, he stated that switching to the NIO connector at this point wouldn't address it (from my reading of his post), as the fix will require a JDK/JRE fix from the vendor and a workaround isn't available yet. But the 1.1.19 APR has the workaround available now.
Jeff
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Tuesday, January 19, 2010 9:29 AM
To: Tomcat Users List
Subject: RE: SSLv3/TLS man-in-middle vulnerability
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> For Steve to switch to the APR/native connectors, all he needs to do in
> this config is download the native libraries and restart, correct?
No, the SSL config is completely different. Easier to use the NIO, as Mark suggested.
- Chuck
RE: SSLv3/TLS man-in-middle vulnerability
> From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
> Subject: Re: SSLv3/TLS man-in-middle vulnerability
>
> maxThreads="150"
> minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure
> ="true" clientAuth="false" sslProtocol="TLS" keystoreFile="xxx"
> keystorePass="xxx" keystoreType="PKCS12" />
Add the following attribute to the above:
protocol="org.apache.coyote.http11.Http11NioProtocol"
Leave the AJP alone.
- Chuck
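Added example (not part of any message in this thread, and not Tomcat project code): a small server.xml audit in Python that applies the points made in the replies above, namely that a TLS connector on the default blocking implementation needs the workaround, that the NIO `protocol` value only exists from Tomcat 6.0, and that an APR connector takes `SSLCertificateFile`/`SSLCertificateKeyFile` instead of the `sslProtocol` and `keystore*` attributes. The function names, finding labels and port 8443 are hypothetical; the sample server.xml is constructed from the attributes quoted in the thread.

```python
import xml.etree.ElementTree as ET

NIO = "org.apache.coyote.http11.Http11NioProtocol"
APR = "org.apache.coyote.http11.Http11AprProtocol"
JSSE_ATTRS = ("sslProtocol", "keystoreFile", "keystorePass", "keystoreType")
APR_CERT_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile")

# Constructed sample: the attributes quoted in the thread, plus a placeholder
# port and an AJP connector (which the replies say to leave alone).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75" enableLookups="false"
               disableUploadTimeout="true" acceptCount="100" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="xxx" keystorePass="xxx" keystoreType="PKCS12" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""


def connector_kind(conn, tcnative_loaded):
    """Classify the HTTP connector implementation a <Connector> selects."""
    proto = conn.get("protocol", "HTTP/1.1")
    if proto == NIO:
        return "nio"
    if proto == APR:
        return "apr"
    if proto == "HTTP/1.1":
        # The default value auto-selects APR when the native library loads,
        # otherwise the blocking Java connector.
        return "apr" if tcnative_loaded else "bio"
    return "bio" if proto.endswith("Http11Protocol") else "other"


def is_tls(conn):
    return (conn.get("secure") == "true" or conn.get("scheme") == "https"
            or conn.get("SSLEnabled") == "true")


def audit(server_xml, tomcat_version, tcnative_loaded=False):
    """Return (port, finding) pairs for the TLS connectors in server.xml."""
    release = tuple(int(p) for p in tomcat_version.split(".")[:2])
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" in conn.get("protocol", "").lower() or not is_tls(conn):
            continue
        port = conn.get("port", "?")
        kind = connector_kind(conn, tcnative_loaded)
        if kind == "bio":
            # Needs the thread's workaround: NIO on 6.0.x, or APR 1.1.19.
            findings.append((port, "bio-tls"))
        elif kind == "nio" and release < (6, 0):
            # NIO was introduced with Tomcat 6.0; 5.5.x cannot load it.
            findings.append((port, "nio-unsupported"))
        elif kind == "apr":
            if any(conn.get(a) is not None for a in JSSE_ATTRS):
                findings.append((port, "apr-has-jsse-attrs"))
            if any(conn.get(a) is None for a in APR_CERT_ATTRS):
                findings.append((port, "apr-missing-cert-attrs"))
    return findings


def with_protocol(server_xml, protocol):
    """Return the sample with a protocol attribute added to the 8443 connector."""
    return server_xml.replace('<Connector port="8443"',
                              '<Connector port="8443" protocol="%s"' % protocol)


if __name__ == "__main__":
    print("5.5.23 as posted:  ", audit(SAMPLE_SERVER_XML, "5.5.23"))
    print("5.5.23 plus NIO:   ", audit(with_protocol(SAMPLE_SERVER_XML, NIO), "5.5.23"))
    print("6.0.20 plus NIO:   ", audit(with_protocol(SAMPLE_SERVER_XML, NIO), "6.0.20"))
    print("5.5.23 + tcnative: ", audit(SAMPLE_SERVER_XML, "5.5.23", tcnative_loaded=True))
```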
RE: SSLv3/TLS man-in-middle vulnerability
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: RE: SSLv3/TLS man-in-middle vulnerability
>
> For Steve to switch to the APR/native connectors, all he needs to do in
> this config is download the native libraries and restart, correct?
No, the SSL config is completely different. Easier to use the NIO, as Mark suggested.
- Chuck
RE: SSLv3/TLS man-in-middle vulnerability
Mark -
For Steve to switch to the APR/native connectors, all he needs to do in this config is download the native libraries and restart, correct?
Oh and make sure the following line is in the server.xml file to start the APR lifecycle listener.
Steve, you can download the latest APR lib from the Tomcat website. Follow the "Tomcat Native" link and get the one for your environment.
Jeff
-Original Message-
From: Steve G. Johnson [mailto:johnson_stev...@solarturbines.com]
Sent: Tuesday, January 19, 2010 9:08 AM
To: Tomcat Users List
Subject: Re: SSLv3/TLS man-in-middle vulnerability
Mark,
Our JRE is 1.6.0_17. Below are server.xml entries for connectors minus security tag values. Please suggest changes. Is that all I have to do before Security runs another HP scan?
Thanks
- - - -
Steve Johnson
From: Mark Thomas
To: Tomcat Users List
Date: 01/19/2010 06:48 AM
Subject: Re: SSLv3/TLS man-in-middle vulnerability
Please respond to "Tomcat Users List"
On 19/01/2010 02:31, Steve G. Johnson wrote:
> Mark,
> Since we do not know how to "switch connectors", or install OpenSSL, and do
> not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
> is to wait until Tomcat is fixed ("coming soon").
You can replace JDK with JRE in what I previously.
Switching from BIO to NIO is a simple change to server.xml, if you are interested.
Mark
Re: SSLv3/TLS man-in-middle vulnerability
Mark,
Our JRE is 1.6.0_17. Below are server.xml entries for connectors minus security tag values. Please suggest changes. Is that all I have to do before Security runs another HP scan?
Thanks
- - - -
Steve Johnson
From: Mark Thomas
To: Tomcat Users List
Date: 01/19/2010 06:48 AM
Subject: Re: SSLv3/TLS man-in-middle vulnerability
Please respond to "Tomcat Users List"
On 19/01/2010 02:31, Steve G. Johnson wrote:
> Mark,
> Since we do not know how to "switch connectors", or install OpenSSL, and do
> not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
> is to wait until Tomcat is fixed ("coming soon").
You can replace JDK with JRE in what I previously.
Switching from BIO to NIO is a simple change to server.xml, if you are interested.
Mark
TCNative installation failed
Hello there,
I'm trying to do this setup:
1. OS debian 5.03 (AMD_64)
2. Tomcat 5.5.28 (downloaded from the official site)
3. Sun Java jdk-6u16-linux-x64
I followed this instruction (http://tomcat.apache.org/native-doc/), installed all the required packages for the compilation of TCNative (1.1.19),

./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/appsrv/jdk1.6.0_16/ --with-ssl=yes --prefix=$CATALINA_HOME
make
make install

The configuration, compilation and installation went OK.
Now in my $CATALINA_HOME/lib folder I have

drwxr-xr-x 3 niki niki4096 2010-01-19 09:05 .
drwxr-xr-x 13 niki niki4096 2010-01-19 08:43 ..
-rw-r--r-- 1 niki niki 1574152 2010-01-19 09:05 libtcnative-1.a
-rwxr-xr-x 1 niki niki 911 2010-01-19 09:05 libtcnative-1.la
lrwxrwxrwx 1 niki niki 23 2010-01-19 09:05 libtcnative-1.so -> libtcnative-1.so.0.1.19
lrwxrwxrwx 1 niki niki 23 2010-01-19 09:05 libtcnative-1.so.0 -> libtcnative-1.so.0.1.19
-rwxr-xr-x 1 niki niki 889278 2010-01-19 09:05 libtcnative-1.so.0.1.19
drwxr-xr-x 2 niki niki4096 2010-01-19 09:05 pkgconfig

According to the instructions, I created setenv.sh which contains:

JAVA_OPTS="-server -Xms128m -Xmx256m -XX:PermSize=128m -XX:MaxPermSize=128m"
#CATALINA_OPTS=""
JAVA_HOME=/appsrv/jdk1.6.0_16
JRE_HOME=/appsrv/jdk1.6.0_16/jre
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CATALINA_HOME/lib
export LD_LIBRARY_PATH

Till now everything seems OK, but when I start tomcat, it seems the tcnative library cannot be found (so not loaded). Here is my catalina.out:

Jan 19, 2010 9:54:13 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /appsrv/jdk1.6.0_16/jre/lib/amd64/server:/appsrv/jdk1.6.0_16/jre/lib/amd64:/appsrv/jdk1.6.0_16/jre/../lib/amd64::/appsrv/tomcat/lib:/usr/java/packages/lib/amd64:/lib:/usr/lib
Jan 19, 2010 9:54:13 AM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jan 19, 2010 9:54:13 AM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
Jan 19, 2010 9:54:13 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1046 ms
Jan 19, 2010 9:54:13 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 19, 2010 9:54:13 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.28
Jan 19, 2010 9:54:13 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Jan 19, 2010 9:54:15 AM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jan 19, 2010 9:54:15 AM org.apache.coyote.ajp.AjpAprProtocol start
INFO: Starting Coyote AJP/1.3 on ajp-8009
Jan 19, 2010 9:54:15 AM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Jan 19, 2010 9:54:15 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1461 ms

Any help would be appreciated.
Greetings.
Re: The code of method _jspService(...) is exceeding the 65535 byteslimit
Konstantin,
On 1/18/2010 7:08 PM, Konstantin Kolinko wrote:
> 2010/1/18 iainmac :
>>
>> Hi,
>>
>> I am moving from Tomcat 5 to 6, and jsp's that worked fine in 5 now give me
>> this length error.
>>
>> I also have moved from java j2sdk1.4.1_02 to jdk1.6.0_18.
>>
>> I know I can rewrite the code, and over time I probably will, but is there a
>> way of configuring Tomcat 6 to enable me to compile these jsp's?
>>
>
> If you add the following option
>
> <init-param>
>   <param-name>mappedfile</param-name>
>   <param-value>false</param-value>
> </init-param>
>
> to the JspServlet declaration in conf/web.xml, the JSP engine will not
> generate separate write() command for each line of your JSP.
I didn't know you could do that (though it's right there in conf/web.xml if I had cared to read it). Thanks for the tip.
-chris
Re: Comet Connection Writeable?
Hi Steffen,

At http://svn.apache.org/viewvc/tomcat/sandbox/gdev6x/ I implemented the feature you are looking for.

Where you would do

CometEvent.interestOps(CometEvent.CometOperation.OP_WRITE);

and you will receive a CometEvent.EventType.WRITE

When I tried to write sample applications against this, it turned out to be very complex programming. You can check out that branch and build it and see if it's something we should still pursue

Filip

On 01/18/2010 09:06 AM, Steffen Heil wrote:
> Hi
>
> I am using comet connections for some time now in a server push manner:
> Whenever the server needs to inform the client about some event, it sends a
> packet to the client and waits for a reply in the same connection.
> As soon, as a READ event is triggered, that reply is read and the next
> message can be sent.
>
> Now, this requires a round-trip-time between the client and the server and
> is inappropriate for larger amounts of data especially on high latency
> connections.
> I am seeking for a way to determine (from a comet servlets point of view) if
> a connection is writeable - this is, if output buffers are empty and I can
> send additional data.
> Note, that sending a huge amount of data at once is not an option, I need to
> send distinct parts...
>
> So here are my questions:
> - How can I detect if a connection is writeable?
> - That is, how can I detect if the output buffers are empty?
> - Is there a way to use comet connection for something like a selector?
>
> Regards,
> Steffen
Re: Logout mechanism on Digest Authentication
André,

On 1/19/2010 6:32 AM, André Warnier wrote:
> vpapado wrote:
>> Hello,
>>
>> I have a problem in logout mechanism for my web app. For logging in I use
>> Digest Authentication. Here is how things go:
>>
> ...
>>
>> Is there a problem in logout mechanism for Digest Authentication? Is
>> logout
>> not supported for digest authentication? How could I manage to logout?
>> I use Tomcat6.
>>
> In HTTP neither Basic nor Digest authentication provide a "logout"
> mechanism. That is not an issue specific to Tomcat, it is a generic
> characteristic of the protocol.
> The browser "memorises" the authentication entered by the user for a
> combination of host/realm, and will automatically re-submit the needed
> authentication headers whenever the server requests an authentication
> for the same realm, without user intervention.
> In other words, the only way to "logout" is to close the browser and
> re-open it.

Not necessarily. In your webapp, if you send another WWW-Authenticate header to the browser, it will generally "forget" the credentials it had been using. There is no guarantee of this, however it usually works.

-chris
Re: SSLv3/TLS man-in-middle vulnerability
On 19/01/2010 02:31, Steve G. Johnson wrote:
> Mark,
> Since we do not know how to "switch connectors", or install OpenSSL, and do
> not have JDK on the server (only JRE 1.6.0_17), then I suppose the best bet
> is to wait until Tomcat is fixed ("coming soon").

You can replace JDK with JRE in what I previously.

Switching from BIO to NIO is a simple change to server.xml, if you are interested.

Mark
Re: Logout mechanism on Digest Authentication
Thank you.

awarnier wrote:
>
> vpapado wrote:
>> Hello,
>>
>> I have a problem in logout mechanism for my web app. For logging in I use
>> Digest Authentication. Here is how things go:
>>
> ...
>>
>> Is there a problem in logout mechanism for Digest Authentication? Is
>> logout
>> not supported for digest authentication? How could I manage to logout?
>> I use Tomcat6.
>>
> In HTTP neither Basic nor Digest authentication provide a "logout"
> mechanism. That is not an issue specific to Tomcat, it is a generic
> characteristic of the protocol.
> The browser "memorises" the authentication entered by the user for a
> combination of host/realm, and will automatically re-submit the needed
> authentication headers whenever the server requests an authentication
> for the same realm, without user intervention.
> In other words, the only way to "logout" is to close the browser and
> re-open it.
>

--
View this message in context: http://old.nabble.com/Logout-mechanism-on-Digest-Authentication-tp27224384p27224953.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: Logout mechanism on Digest Authentication
vpapado wrote:
> Hello,
>
> I have a problem in logout mechanism for my web app. For logging in I use
> Digest Authentication. Here is how things go:
>
...
>
> Is there a problem in logout mechanism for Digest Authentication? Is logout
> not supported for digest authentication? How could I manage to logout?
> I use Tomcat6.
>

In HTTP neither Basic nor Digest authentication provide a "logout" mechanism. That is not an issue specific to Tomcat, it is a generic characteristic of the protocol.

The browser "memorises" the authentication entered by the user for a combination of host/realm, and will automatically re-submit the needed authentication headers whenever the server requests an authentication for the same realm, without user intervention.

In other words, the only way to "logout" is to close the browser and re-open it.
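The behaviour discussed in this thread, as an added example that is not part of the original messages: a toy Python model of RFC 2617 Digest authentication showing that invalidating the session leaves the browser's cached credentials valid until the browser itself drops them. The Server class, browser_get function, account and nonce are constructed for illustration and are not Tomcat code.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class Server:
    """Toy container: the Authorization header gates the page, not the session."""
    def __init__(self, realm, users, nonce):
        self.realm, self.users, self.nonce = realm, users, nonce
        self.sessions = set()

    def get(self, uri, auth=None):
        """auth is (user, nc, cnonce, response) or None; returns (status, session id)."""
        if auth and auth[0] in self.users:
            user, nc, cnonce, response = auth
            expected = digest_response(user, self.realm, self.users[user],
                                       "GET", uri, self.nonce, nc, cnonce)
            if hmac.compare_digest(expected, response):
                sid = f"sid-{len(self.sessions) + 1}"
                self.sessions.add(sid)      # a fresh session is created on demand
                return 200, sid
        return 401, None                    # would carry the WWW-Authenticate challenge

def browser_get(cache, server, uri, nc="00000001", cnonce="0a4f113b"):
    """Browser side: replay cached credentials for the realm without asking the user."""
    if server.realm not in cache:
        return server.get(uri)
    user, password = cache[server.realm]
    response = digest_response(user, server.realm, password, "GET", uri,
                               server.nonce, nc, cnonce)
    return server.get(uri, (user, nc, cnonce, response))

def demo():
    # Constructed account, password and nonce; the realm name is the one from the thread.
    server = Server("Authentication Area", {"alice": "constructed-pw"}, "constructed-nonce")
    cache = {server.realm: ("alice", "constructed-pw")}    # user typed it once
    first = browser_get(cache, server, "/secure/page.jsp")
    server.sessions.discard(first[1])                      # effect of session.invalidate()
    after_logout = browser_get(cache, server, "/secure/page.jsp", nc="00000002")
    cache.clear()                                          # browser dropped the credentials
    after_forget = browser_get(cache, server, "/secure/page.jsp")
    return first[0], after_logout[0], after_forget[0]
```
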
Logout mechanism on Digest Authentication
Hello,

I have a problem in logout mechanism for my web app. For logging in I use Digest Authentication. Here is how things go:

1. On the same web app I first used Form Authentication and on each jsp page I created I used, on logout, below code:

session.invalidate();
response.sendRedirect("samepage.jsp");

2. Next, again on the same web app, I only changed tag in web.xml, in order to achieve Digest Authentication, as below:

DIGEST Authentication Area

Then, login procedure worked OK, but on log out, I still could access the secured jsp pages (as defined in web.xml)

Is there a problem in logout mechanism for Digest Authentication? Is logout not supported for digest authentication? How could I manage to logout?
I use Tomcat6.

Thanks in Advance for your answer.

--
View this message in context: http://old.nabble.com/Logout-mechanism-on-Digest-Authentication-tp27224384p27224384.html
Re: Tomcat Silent Installation Options
2010/1/19 Kranti™ K K Parisa :
> Hi All,
>
> I am trying to install Tomcat thru command line ( need this to include the
> tomcat installation file thru our product installer).
>
> I am able to use up to this
>
> command prompt > tomcat5525.exe /S /D=d:\MyTomcat

Why 5.5.25 ?? That is an old release.

>
> but i want to know more options available for this

I am afraid that that is not possible.

The NSIS installer does not provide built-in support for an answer file, and we have not coded such support by ourselves. (The patches are always welcome, and the file in question is res/tomcat.nsi or build/tomcat.nsi in TC 5.5).

Also, what the installer installs is a good start for a developer, or for a system administrator that will tune it for production, but there was no intention to provide direct control of all the available configuration options. I will mention some of them below.

You would better start with a zip archive. Note, that
- in 5.5.28 there is a single zip, containing versions of tomcat5.exe for different CPU architectures.
- in 6.6.x that is expected to be released very soon (that will be 6.0.24, I suppose), there will be *-windows-x86.zip with binaries for 32-bit CPUs, and separate *-windows-x64.zip and *-windows-i64.zip for AMD/Intel x64_86 and Intel Itanium CPUs respectively. You may look at the dev@ list for the release candidate links.

> like specifying the JAVA HOME,

When using Service launcher, the value of JVM dll to be used is stored in the registry. The environment variables are not used.

The service launcher, tomcat5.exe, can configure itself if you call it with relevant command-line options. -- see service.bat for an example. The values are usually passed as environment variables.

See the daemon project in commons.apache.org for documentation:
http://commons.apache.org/daemon/procrun.html

Note, that the registry path depends on the name of the exe file. That is, rename tomcat5.exe and tomcat5w.exe to something else to have a different instance of the Service.

tomcat5.exe and tomcat6.exe in Tomcat 5.5 and in Tomcat 6 are actually the same file, but with different names.

Be sure to install tomcat(5|6).exe for the right CPU architecture. The installer determines the architecture by reading some environment variables provided by the system (see the *.nsi file).

> Port numbers, components to be installed..etc
>

Be sure to specify shutdown port that is unique. I saw one product that changed the AJP port, but still used 8005 for shutdown.

Tip: You can use properties substitution (${propname}) in the server.xml file and define the necessary properties in catalina.properties file.

Also, when running as a service the shutdown port is not needed and you should be able to set it to -1 -- see configuration reference for details.

If you do not need manager/host-manager, remove their *.xml context files from conf/Catalina/localhost/ and their code from server/webapps/. Other unnecessary applications are in the webapps/ folder. In TC 6 all of them are in webapps/.

You can also remove unneeded user names/roles from conf/tomcat-users.xml, and either remove the "UserDatabase" resource (that references tomcat-users.xml) from server.xml, or add readonly="true" attribute to it so that the file will not be overwritten on startup.

http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/users/MemoryUserDatabase.html
http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/users/MemoryUserDatabase.html

You may also want to tune conf/logging.properties to not generate unnecessary logs.

> I was browsing all over but didn't get a clear documentation on this.
>
> Can anyone help me on this.
>
> Thanks in advance.
>
> Best Regards,
> Kranti K K Parisa
>

If you have any questions, please ask.

Best regards,
Konstantin Kolinko
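One way to check an installed instance against the points in the message above (shutdown port, read-only UserDatabase, leftover manager context files), as an added example that is not part of the original message or of Tomcat. The sample server.xml is constructed, and the function name and its runs_as_service and context_files parameters are hypothetical; context_files stands for the file names found in conf/Catalina/localhost/.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml, trimmed to the elements the checks read.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>"""

def audit_server_xml(xml_text, runs_as_service=True, context_files=()):
    """Return a list of findings; an empty list means nothing to change."""
    root = ET.fromstring(xml_text)
    findings = []
    port = root.get("port", "8005")
    if port.startswith("${"):
        findings.append(f"shutdown port comes from property {port}; check catalina.properties")
    elif port != "-1" and runs_as_service:
        findings.append(f"shutdown port {port} is open; a service install can set it to -1")
    elif port == "8005":
        findings.append("shutdown port is the default 8005; choose a unique one")
    for res in root.iter("Resource"):
        if res.get("type") == "org.apache.catalina.UserDatabase" and res.get("readonly") != "true":
            findings.append(f'resource {res.get("name")}: add readonly="true" or remove it')
    for name in context_files:
        if name in ("manager.xml", "host-manager.xml"):
            findings.append(f"context file {name} present; remove it if the app is not needed")
    return findings
```
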
Re: Tomcat Silent Installation Options
The document is here:
http://tomcat.apache.org/tomcat-6.0-doc/windows-service-howto.html

Kranti™ K K Parisa wrote:
>
> Hi All,
>
> I am trying to install Tomcat thru command line ( need this to include the
> tomcat installation file thru our product installer).
>
> I am able to use up to this
>
> command prompt > tomcat5525.exe /S /D=d:\MyTomcat
>
> but i want to know more options available for this like specifying the
> JAVA
> HOME, Port numbers, components to be installed..etc
>
> I was browsing all over but didn't get a clear documentation on this.
>
> Can anyone help me on this.
>
> Thanks in advance.
>
> Best Regards,
> Kranti K K Parisa
>
>

--
View this message in context: http://old.nabble.com/Tomcat-Silent-Installation-Options-tp27222513p27223662.html
Re: Increase in rss and thread usage.
2010/1/19

> Are using Tomcat 6.0.20. We have monitored it and can see that the rss and
> thread usage increases all the time.
> Has someone else also experienced this?
>
>

Almost always, if your resource usage increases over time, your application has a resource leak. In this case, I suspect your application is starting threads. It is far more likely to be your application than Tomcat causing the problem.

Take two thread dumps some time apart and see what has changed.

- Peter
Increase in rss and thread usage.
Hi,

Are using Tomcat 6.0.20. We have monitored it and can see that the rss and thread usage increases all the time.
Has someone else also experienced this?
Tomcat Silent Installation Options
Hi All,

I am trying to install Tomcat thru command line ( need this to include the tomcat installation file thru our product installer).

I am able to use up to this

command prompt > tomcat5525.exe /S /D=d:\MyTomcat

but i want to know more options available for this like specifying the JAVA HOME, Port numbers, components to be installed..etc

I was browsing all over but didn't get a clear documentation on this.

Can anyone help me on this.

Thanks in advance.

Best Regards,
Kranti K K Parisa