Re: ISAPI-Problem
On 27.10.2010 15:24, Jost Richstein wrote:
Hi, I have the following problem on a Windows Server 2003 64Bit (AMD). Configuration: IIS 6, isapi_redirect.dll AMD64 Version 1.2.30, Tomcat 5.5.27, JDK 1.6.0_12 64Bit. I am using the following small worker.properties:
    ps=\
    worker.list=ajp13
    worker.ajp13.port=8010
    worker.ajp13.host=localhost
    worker.ajp13.type=ajp13
    worker.ajp13.connection_pool_size=500
My isapi_redirect.properties contains only (no other parameters set)
    extension_uri
    log_file
    log_level (error)
    worker_file
    worker_mount_file
My Tomcat site works fine in general, there are up to 1.400 users active and the site answers requests very fast. However I have the following log entries every few minutes (sometimes every few seconds) in jk.log. Every time that pair of entries:
    [Wed Oct 27 12:15:37.764 2010] [3156:3284] [error] ajp_service::jk_ajp_common.c (2559): (ajp13) connecting to tomcat failed.
    [Wed Oct 27 12:15:37.811 2010] [3156:3284] [error] HttpExtensionProc::jk_isapi_plugin.c (2195): service() failed with http error 500
Increase your log_level to info. This will provide additional log lines directly before the ones you cited which contain more detailed information about the root cause.
Regards, Rainer
Rainer, that is the log output with log level info:
    [Fri Oct 29 09:04:15.312 2010] [3076:4308] [info] ajp_service::jk_ajp_common.c (2540): (ajp13_internet) sending request to tomcat failed (recoverable), because of server error (attempt=1)
    [Fri Oct 29 09:04:15.483 2010] [3076:4308] [info] ajp_send_request::jk_ajp_common.c (1490): (ajp13_internet) did not receive END_RESPONSE, closing socket 1628
    [Fri Oct 29 09:04:15.546 2010] [3076:4308] [info] ajp_service::jk_ajp_common.c (2540): (ajp13_internet) sending request to tomcat failed (recoverable), because of server error (attempt=2)
    [Fri Oct 29 09:04:15.593 2010] [3076:4308] [error] ajp_service::jk_ajp_common.c (2559): (ajp13_internet) connecting to tomcat failed.
    [Fri Oct 29 09:04:15.655 2010] [3076:4308] [error] HttpExtensionProc::jk_isapi_plugin.c (2195): service() failed with http error 500
I still have no other info, in particular no log entry in Tomcat or my applications indicating an error in Tomcat or my apps. The problem came in after we switched from Version 1.2.14 to 1.2.30 of the redirector dll.
Regards, Jost
- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Maven and Axis 1.5.1 problem
Thanks for the contribution. I have posted on the axis list but no response and I'm running out of time :/ If you can take a look at a list of the .jar files my webservice has: activation-1.1.jar ant-1.7.0.jar ant-launcher-1.7.0.jar antlr-2.7.6.jar apache-maven-2.0.9.jar asm-3.1.jar asm-attrs-1.5.3.jar axiom-api-1.2.8.jar axiom-dom-1.2.8.jar axiom-impl-1.2.8.jar axis-wsdl4j-1.5.1.jar axis2-1.5.1.jar axis2-adb-1.5.1.jar axis2-adb-codegen-1.5.1.jar axis2-codegen-1.5.1.jar axis2-kernel-1.5.1.jar axis2-wsdl2code-maven-plugin-1.5.1.jar axis2-xmlbeans-1.5.1.jar cglib-nodep-2.2.jar classworlds-1.1-alpha-2.jar commons-cli-1.0.jar commons-codec-1.2.jar commons-collections-3.2.1.jar commons-fileupload-1.2.jar commons-httpclient-3.1.jar commons-io-1.4.jar commons-logging-1.1.1.jar dom4j-1.6.1.jar doxia-sink-api-1.0-alpha-10.jar ehcache-1.2.3.jar geronimo-activation_1.1_spec-1.0.1.jar geronimo-javamail_1.4_spec-1.2.jar geronimo-javamail_1.4_spec-1.6.jar geronimo-jta_1.1_spec-1.1.jar geronimo-stax-api_1.0_spec-1.0.1.jar geronimo-ws-metadata_2.0_spec-1.1.2.jar hibernate-3.2.7.ga.jar jaxb-api-2.2.1.jar jaxb-impl-2.2.1.1.jar jaxen-1.1.1.jar jdom-1.0.jar jersey-bundle-1.3.jar jersey-client-1.3.jar jersey-core-1.3.jar jersey-multipart-1.3.jar jsch-0.1.27.jar jsr311-api-1.1.1.jar jtidy-4aug2000r7-dev.jar log4j-1.2.14.jar mail-1.4.jar maven-artifact-2.0.8.jar maven-artifact-manager-2.0.7.jar maven-core-2.0.9.jar maven-error-diagnostics-2.0.9.jar maven-model-2.0.7.jar maven-monitor-2.0.9.jar maven-plugin-api-2.0.7.jar maven-plugin-descriptor-2.0.9.jar maven-plugin-parameter-documenter-2.0.9.jar maven-plugin-registry-2.0.7.jar maven-profile-2.0.7.jar maven-project-2.0.7.jar maven-reporting-api-2.0.9.jar maven-repository-metadata-2.0.7.jar maven-settings-2.0.7.jar maven-toolchain-2.0.9.jar maven-wadl-plugin-1.3.jar mimepull-1.4.jar neethi-2.0.4.jar plexus-container-default-1.0-alpha-9-stable-1.jar plexus-interactivity-api-1.0-alpha-4.jar plexus-utils-1.4.9.jar servlet-api-2.3.jar 
slf4j-api-1.5.11.jar slf4j-log4j12-1.5.11.jar slide-webdavlib-2.1.jar stax-api-1.0-2.jar wagon-file-1.0-beta-2.jar wagon-http-lightweight-1.0-beta-2.jar wagon-http-shared-1.0-beta-2.jar wagon-provider-api-1.0-beta-2.jar wagon-ssh-1.0-beta-2.jar wagon-ssh-common-1.0-beta-2.jar wagon-ssh-external-1.0-beta-2.jar wagon-webdav-1.0-beta-2.jar woden-api-1.0M8.jar woden-impl-dom-1.0M8.jar wsdl4j-1.6.2.jar wstx-asl-3.2.4.jar xalan-2.7.0.jar xercesImpl-2.6.1.jar xml-apis-1.0.b2.jar xml-apis-1.3.04.jar xml-im-exporter-1.1.jar xmlbeans-2.3.0.jar xmlParserAPIs-2.6.0.jar XmlSchema-1.4.3.jar
And this is my pom.xml file:
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
      <modelVersion>4.0.0</modelVersion>
      <groupId>com.mywebapp</groupId>
      <artifactId>WebApp</artifactId>
      <packaging>war</packaging>
      <name>WebApplication for Axis 2</name>
      <version>0.1</version>
      <dependencies>
        <dependency>
          <groupId>org.apache.tomcat</groupId>
          <artifactId>catalina</artifactId>
          <version>6.0.29</version>
          <scope>test</scope>
        </dependency>
        <dependency>
          <groupId>org.apache.tomcat</groupId>
          <artifactId>coyote</artifactId>
          <version>6.0.29</version>
          <scope>test</scope>
        </dependency>
        <dependency>
          <groupId>org.apache.tomcat</groupId>
          <artifactId>jasper</artifactId>
          <version>6.0.29</version>
          <scope>test</scope>
        </dependency>
        <dependency>
          <groupId>org.apache.axis2</groupId>
          <artifactId>axis2-adb-codegen</artifactId>
          <version>1.5.1</version>
        </dependency>
        <dependency>
          <groupId>org.apache.axis2</groupId>
          <artifactId>axis2-wsdl2code-maven-plugin</artifactId>
          <version>1.5.1</version>
        </dependency>
        <dependency>
          <groupId>com.sun.jersey.contribs</groupId>
          <artifactId>jersey-multipart</artifactId>
          <version>1.3</version>
          <!--<version>1.0.1</version>-->
        </dependency>
        <dependency>
          <groupId>com.sun.jersey</groupId>
          <artifactId>jersey-client</artifactId>
          <version>1.3</version>
          <!--<version>1.0.1</version>-->
        </dependency>
        <dependency>
          <groupId>com.sun.jersey</groupId>
          <artifactId>jersey-bundle</artifactId>
          <version>1.3</version>
          <!--<version>1.0.1</version>-->
        </dependency>
        <dependency>
          <groupId>commons-logging</groupId>
          <artifactId>commons-logging</artifactId>
          <version>1.1.1</version>
          <!--<version>1.0.4</version>-->
        </dependency>
        <dependency>
          <groupId>commons-collections</groupId>
Re: ISAPI-Problem
On 29.10.2010 09:18, Jost Richstein wrote:
On 27.10.2010 15:24, Jost Richstein wrote:
that is the log output with log level info:
Double check: no other message between about 09:00 and the following line which is marked with 3076:4308]?
    [Fri Oct 29 09:04:15.312 2010] [3076:4308] [info] ajp_service::jk_ajp_common.c (2540): (ajp13_internet) sending request to tomcat failed (recoverable), because of server error (attempt=1)
    [Fri Oct 29 09:04:15.483 2010] [3076:4308] [info] ajp_send_request::jk_ajp_common.c (1490): (ajp13_internet) did not receive END_RESPONSE, closing socket 1628
    [Fri Oct 29 09:04:15.546 2010] [3076:4308] [info] ajp_service::jk_ajp_common.c (2540): (ajp13_internet) sending request to tomcat failed (recoverable), because of server error (attempt=2)
    [Fri Oct 29 09:04:15.593 2010] [3076:4308] [error] ajp_service::jk_ajp_common.c (2559): (ajp13_internet) connecting to tomcat failed.
    [Fri Oct 29 09:04:15.655 2010] [3076:4308] [error] HttpExtensionProc::jk_isapi_plugin.c (2195): service() failed with http error 500
I still have no other info, in particular no log entry in Tomcat or my applications indicating an error in Tomcat or my apps. The problem came in after we switched from Version 1.2.14 to 1.2.30 of the redirector dll.
Regards, Rainer
Re: Tomcat 6.0.18 JNDIRealm ConnectException: Connection timed out
Hi,
On Thu, 28 Oct 2010 21:50:15 +0200, S.V. svku...@googlemail.com wrote:
Hi, I have tomcat 6.0.18 and configured it to use JNDIRealm for a specific
That version is quite old. In newer versions you could try to add 'adCompat=true' as documented on http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html. I don't know if my tip is going to work in your version though.
path:
    <Realm className="org.apache.catalina.realm.JNDIRealm" test="89"
I believe that this attribute test is useless. It is not documented at least.
bye Felix
        connectionName="CN=tomcat,CN= Users,DC=host,DC=de"
        connectionPassword="***"
        connectionURL="ldap://host:389/"
        referrals="follow"
        userBase="DC=host,DC=de"
        userRoleName="memberOf"
        userSearch="(&amp;(sAMAccountName={0})(objectClass=user))"
        userSubtree="true" />
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JNDIRealm</realm-name>
    </login-config>
The problem is that sometimes it is working fine, but sometimes Tomcat got an exception and users can not be authenticated, because the connections to ldap (AD) timed out.
    2010-10-28 15:53:08,592 ContainerBase.[Catalina] ERROR [ttp-8443-1] - Exception performing authentication
    javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: host.de:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
Does someone have an idea or a hint to find out why these connections are timing out sometimes? Thanks in advance
Re: ISAPI-Problem
On 29.10.2010 09:18, Jost Richstein wrote:
On 27.10.2010 15:24, Jost Richstein wrote:
that is the log output with log level info:
Double check: no other message between about 09:00 and the following line which is marked with 3076:4308]?
No, I copied it directly from the log file. I have always these 5 lines of output grouped together. However I have the same lines in that case at 09:04:05.
    [Fri Oct 29 09:04:15.312 2010] [3076:4308] [info] ajp_service::jk_ajp_common.c (2540): (ajp13_internet) sending request to tomcat failed (recoverable), because of server error (attempt=1)
    [Fri Oct 29 09:04:15.483 2010] [3076:4308] [info] ajp_send_request::jk_ajp_common.c (1490): (ajp13_internet) did not receive END_RESPONSE, closing socket 1628
    [Fri Oct 29 09:04:15.546 2010] [3076:4308] [info] ajp_service::jk_ajp_common.c (2540): (ajp13_internet) sending request to tomcat failed (recoverable), because of server error (attempt=2)
    [Fri Oct 29 09:04:15.593 2010] [3076:4308] [error] ajp_service::jk_ajp_common.c (2559): (ajp13_internet) connecting to tomcat failed.
    [Fri Oct 29 09:04:15.655 2010] [3076:4308] [error] HttpExtensionProc::jk_isapi_plugin.c (2195): service() failed with http error 500
I still have no other info, in particular no log entry in Tomcat or my applications indicating an error in Tomcat or my apps. The problem came in after we switched from Version 1.2.14 to 1.2.30 of the redirector dll.
Regards, Rainer
tomcat6.0.29 on debian lenny
I ran a tomcat 5.5 on an older debian formerly and after an upgrade to 5.0.6 (debian lenny), my tomcat installation is messed up. I'm running the tomcat behind an apache2 with some connectors. The mess must have to do something with the (braindead imho) split up between /usr/share/tomcat5.5 and /usr/share/tomcat5.5-webapps.
Anyway, to come to the point, I downloaded the tomcat 6.0.29 tar ball and installed it under /opt/tomcat, wrote a little startup script that simply invoked bin/startup.sh resp. shutdown. Didn't set any special environment variables like JAVA_HOME or CLASSPATH and I'm getting the following in catalina.out (tomcat then dies after start):
WARNING: error instantiating '1catalina.org.apache.juli.FileHandler,' referenced by handlers, class not found
java.lang.ClassNotFoundException: 1catalina/org/apache/juli/FileHandler,
    at java.lang.VMClass.forName(VMClass.java)
    at java.lang.Class.forName(Class.java:235)
    at java.util.logging.LogManager.locateClass(LogManager.java:917)
    at java.util.logging.LogManager.createInstance(LogManager.java:846)
    at java.util.logging.LogManager.readConfiguration(LogManager.java:569)
    at java.util.logging.LogManager.readConfiguration(LogManager.java:529)
    at java.util.logging.LogManager.initLogManager(LogManager.java:203)
    at java.util.logging.LogManager.getLogManager(LogManager.java:168)
    at java.util.logging.Logger.getLogger(Logger.java:276)
    at java.util.logging.Logger.getLogger(Logger.java:224)
    at java.util.logging.Logger$1.run(Logger.java:91)
    at java.security.AccessController.doPrivileged(AccessController.java:96)
    at java.util.logging.Logger.clinit(Logger.java:86)
    at gnu.java.security.jce.sig.SignatureAdapter.clinit(SignatureAdapter.java:78)
    at java.lang.VMClass.forName(VMClass.java)
    at java.lang.Class.forName(Class.java:189)
    at gnu.java.security.provider.Gnu$1.run(Gnu.java:65)
    at java.security.AccessController.doPrivileged(AccessController.java:96)
    at gnu.java.security.provider.Gnu.init(Gnu.java:55)
    at java.util.jar.JarFile.clinit(JarFile.java:117)
    at gnu.java.net.protocol.jar.Connection$JarFileCache.get(Connection.java:98)
    at gnu.java.net.protocol.jar.Connection.connect(Connection.java:140)
    at gnu.java.net.protocol.jar.Connection.getJarFile(Connection.java:169)
    at gnu.java.net.loader.JarURLLoader.initialize(JarURLLoader.java:85)
    at gnu.java.net.loader.JarURLLoader.init(JarURLLoader.java:76)
    at java.net.URLClassLoader.addURLImpl(URLClassLoader.java:387)
    at java.net.URLClassLoader.addURLs(URLClassLoader.java:418)
    at java.net.URLClassLoader.init(URLClassLoader.java:215)
    at java.lang.ClassLoader$1.init(ClassLoader.java:1099)
    at java.lang.ClassLoader.createSystemClassLoader(ClassLoader.java:1099)
    at java.lang.ClassLoader.defaultGetSystemClassLoader(ClassLoader.java:1084)
    at java.lang.VMClassLoader.getSystemClassLoader(VMClassLoader.java:404)
    at java.lang.ClassLoader$StaticData.clinit(ClassLoader.java:155)
    at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:799)
Internal error: caught an unexpected exception. Please check your CLASSPATH and your installation.
java/lang/ExceptionInInitializerError
    at java.lang.ClassLoader.getSystemClassLoader (ClassLoader.java:799)
caused by java/lang/NullPointerException:
    at java.util.logging.Logger.addHandler (Logger.java:1017)
    at java.util.logging.LogManager.readConfiguration (LogManager.java:570)
    at java.util.logging.LogManager.readConfiguration (LogManager.java:529)
    at java.util.logging.LogManager.initLogManager (LogManager.java:203)
    at java.util.logging.LogManager.getLogManager (LogManager.java:168)
    at java.util.logging.Logger.getLogger (Logger.java:276)
    at java.util.logging.Logger.getLogger (Logger.java:224)
    at java.util.logging.Logger$1.run (Logger.java:91)
    at java.security.AccessController.doPrivileged (AccessController.java:96)
    at java.util.logging.Logger.clinit (Logger.java:86)
    at gnu.java.security.jce.sig.SignatureAdapter.clinit (SignatureAdapter.java:78)
    at java.lang.VMClass.forName (VMClass.java:native)
    at java.lang.Class.forName (Class.java:189)
    at gnu.java.security.provider.Gnu$1.run (Gnu.java:65)
    at java.security.AccessController.doPrivileged (AccessController.java:96)
    at gnu.java.security.provider.Gnu.init (Gnu.java:55)
    at java.util.jar.JarFile.clinit (JarFile.java:117)
    at gnu.java.net.protocol.jar.Connection$JarFileCache.get (Connection.java:98)
    at gnu.java.net.protocol.jar.Connection.connect (Connection.java:140)
    at gnu.java.net.protocol.jar.Connection.getJarFile (Connection.java:169)
    at gnu.java.net.loader.JarURLLoader.initialize (JarURLLoader.java:85)
    at gnu.java.net.loader.JarURLLoader.init (JarURLLoader.java:76)
    at java.net.URLClassLoader.addURLImpl (URLClassLoader.java:387)
    at java.net.URLClassLoader.addURLs (URLClassLoader.java:418)
    at java.net.URLClassLoader.init (URLClassLoader.java:215)
    at
Re: tomcat6.0.29 on debian lenny
On 29/10/2010 09:51, Christoph Kukulies wrote:
Anyway, to come to the point, I downloaded the tomcat 6.0.29 tar ball and installed it under /opt/tomcat, wrote a little startup script that simply invoked bin/startup.sh resp. shutdown. Didn't set any special environment variables like JAVA_HOME or CLASSPATH and I'm getting the following in catalina.out (tomcat then dies after start):
WARNING: error instantiating '1catalina.org.apache.juli.FileHandler,' referenced by handlers, class not found
<snip/>
Could it be, that sun-java6-jre and jdk are not being recognized or found? It seems there is still kaffee java active, although I installed (sun java6).
Looks like the LogManager is not being set correctly. You need to be using
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
which the Tomcat scripts should be doing by default.
Mark
How to protect the plain text username and password in the server.xml
Dears,
We are using Tomcat 5.5.20 in a RHEL 64bit box. The application running on it is a financial system. An internal audit indicated that we should not use plain text username and password in the server.xml, as:
    <Resource name="jdbc/JiraDS" auth="Container" type="javax.sql.DataSource" username="user" password="password" ... />
Is there a way to use encrypted username and password in the server.xml file? Or, use the username and password as parameters of the startup command, instead of leaving them as plain text in the server.xml?
Thanks, Roy Qiao
Re: tomcat6.0.29 on debian lenny
On 29.10.2010 11:12, Mark Thomas wrote:
On 29/10/2010 09:51, Christoph Kukulies wrote:
Anyway, to come to the point, I downloaded the tomcat 6.0.29 tar ball and installed it under /opt/tomcat, wrote a little startup script that simply invoked bin/startup.sh resp. shutdown. Didn't set any special environment variables like JAVA_HOME or CLASSPATH and I'm getting the following in catalina.out (tomcat then dies after start):
WARNING: error instantiating '1catalina.org.apache.juli.FileHandler,' referenced by handlers, class not found
<snip/>
Could it be, that sun-java6-jre and jdk are not being recognized or found? It seems there is still kaffee java active, although I installed (sun java6).
Looks like the LogManager is not being set correctly. You need to be using
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
which the Tomcat scripts should be doing by default.
Mark
Ooops. Sorry, I noticed that I had already copied over my 5.5 system.xml into the conf directory. Using the original server.xml now works.
-- Christoph P.U. Kukulies
running tomcat6 under a different user than root (debian)
How can I run tomcat under a different user than root (debian e.g.)?
-- Christoph P.U. Kukulies
Re: How to protect the plain text username and password in the server.xml
It is possible to define the element as an entity in server.xml:
    <!ENTITY secure_resource SYSTEM "http://somewhere.com/resource.xml">
and then replace the Resource element with the entity:
    &secure_resource;
Because the entity resolves to an external source, this source can be generated dynamically, by a script for example. This script could potentially be limited in execution to the tomcat user/instance. Other users who can possibly read the script that generates the username/password, but not execute it, cannot get the username/password.
Regards, Simon
On 29/10/10 10:19, 彬 乔 wrote:
Dears,
We are using Tomcat 5.5.20 in a RHEL 64bit box. The application running on it is a financial system. An internal audit indicated that we should not use plain text username and password in the server.xml, as:
    <Resource name="jdbc/JiraDS" auth="Container" type="javax.sql.DataSource" username="user" password="password" ... />
Is there a way to use encrypted username and password in the server.xml file? Or, use the username and password as parameters of the startup command, instead of leaving them as plain text in the server.xml?
Thanks, Roy Qiao
Re: running tomcat6 under a different user than root (debian)
On 29/10/2010 10:57, Christoph Kukulies wrote:
How can I run tomcat under a different user than root (debian e.g.)?
Use a service wrapper. http://tomcat.apache.org/tomcat-6.0-doc/setup.html#Unix_daemon
p
BackupManager vs DeltaManager
Hi!
Should BackupManager work well with any number of nodes? And with large clusters it should work even better than DeltaManager?
We have large production clusters (10+) nodes and we have evaluated if we can use BackupManager. In test cluster of 6 nodes it didn't work too well: much higher request latency, with logs full of following errors:
2010-09-24 14:17:34,536 ERROR [tomcat-processor-53] (org.apache.catalina.tribes.tipis.AbstractReplicatedMap) Unable to replicate out data for a LazyReplicatedMap.get operation
org.apache.catalina.tribes.ChannelException: Operation has timed out(3000 ms.).; Faulty members:tcp://{10, 1, 8, 219}:4200;
    at org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:97)
    at org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:53)
    at org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:80)
    at org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:78)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
    at org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:73)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
    at org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:87)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
    at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:216)
    at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:175)
    at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:89)
    at org.apache.catalina.tribes.tipis.AbstractReplicatedMap.get(AbstractReplicatedMap.java:844)
    at org.apache.catalina.session.ManagerBase.findSession(ManagerBase.java:887)
    at org.apache.catalina.connector.Request.doGetSession(Request.java:2363)
    at org.apache.catalina.connector.Request.getSession(Request.java:2098)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833)
    at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
    at com.sulake.habboweb.util.TomcatSessionFixationPreventerFilter$RequestWrapper.getSession(TomcatSessionFixationPreventerFilter.java:72)
    .
Yes, I know that documentation says: Downside of the BackupManager: not quite as battle tested as the delta manager. Maybe this is it. :)
Regards, Ossi
Re: How to protect the plain text username and password in the server.xml
On 29/10/2010 10:19, 彬 乔 wrote:
Dears,
We are using Tomcat 5.5.20 in a RHEL 64bit box. The application running on it is a financial system. An internal audit indicated that we should not use plain text username and password in the server.xml, as:
    <Resource name="jdbc/JiraDS" auth="Container" type="javax.sql.DataSource" username="user" password="password" ... />
Is there a way to use encrypted username and password in the server.xml file? Or, use the username and password as parameters of the startup command, instead of leaving them as plain text in the server.xml?
Just set the permissions of the file to be read-only for the user that runs Tomcat, and restrict access to that user.
    chmod 600 server.xml
If the user (say 'tomcat') doesn't have a login shell, then only root will be able to read that file. Encrypting passwords in server.xml is largely a waste of time.
p
Re: running tomcat6 under a different user than root (debian)
2010/10/29 Christoph Kukulies k...@kukulies.org:
How can I run tomcat under a different user than root (debian e.g.)?
How do you run it now? Nobody should run Tomcat as root.
Best regards, Konstantin Kolinko
Re: Basic Question : Tomcat Clustering
Hi All,
I am working Business Objects 3.1(BOE) with tomcat being the application server. I am new to the web application part, hence I had some doubts.
We are trying to step up a BOE on 2 machines; we will have tomcat installed on both machines. We plan to use MS NLB for high availability. I am not sure how I will configure the web + web apps in such scenario with Tomcat. I will be installing tomcat 5.5 on both machines. This is shipped as default with BOE.
1. Do I need to install Apache on both machines?
2. What are the configuring steps to cluster tomcat for HA fail over?
3. Do I need to cluster Apache as well??
Regards, *Alok Kakani*
Re: BackupManager vs DeltaManager
On 29/10/2010 11:17, Ossi wrote:
Hi! Should BackupManager work well with any number of nodes?
Yes.
And with large clusters it should work even better than DeltaManager?
Yes. *Should*.
We have large production clusters (10+) nodes and we have evaluated if we can use BackupManager. In test cluster of 6 nodes it didn't work too well: much higher request latency, with logs full of following errors:
2010-09-24 14:17:34,536 ERROR [tomcat-processor-53] (org.apache.catalina.tribes.tipis.AbstractReplicatedMap) Unable to replicate out data for a LazyReplicatedMap.get operation
org.apache.catalina.tribes.ChannelException: Operation has timed out(3000 ms.).; Faulty members:tcp://{10, 1, 8, 219}:4200;
It's timing out for some reason. You could try increasing the timeout. Does this occur on all cluster members, or just a few?
p
    at org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:97)
    at org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:53)
    at org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:80)
    at org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:78)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
    at org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:73)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
    at org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:87)
    at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75)
    at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:216)
    at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:175)
    at org.apache.catalina.tribes.group.RpcChannel.send(RpcChannel.java:89)
    at org.apache.catalina.tribes.tipis.AbstractReplicatedMap.get(AbstractReplicatedMap.java:844)
    at org.apache.catalina.session.ManagerBase.findSession(ManagerBase.java:887)
    at org.apache.catalina.connector.Request.doGetSession(Request.java:2363)
    at org.apache.catalina.connector.Request.getSession(Request.java:2098)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833)
    at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
    at com.sulake.habboweb.util.TomcatSessionFixationPreventerFilter$RequestWrapper.getSession(TomcatSessionFixationPreventerFilter.java:72)
    .
Yes, I know that documentation says: Downside of the BackupManager: not quite as battle tested as the delta manager. Maybe this is it. :)
Regards, Ossi
Re: running tomcat6 under a different user than root (debian)
No one should, but I had a supplier recommend to run their application as root. All their scripts and configuration instructions were for running as root. Needless to say I didn't run it as that and rewrote their installation scripts. Now I have to try and convince them that storing the database connection username and passwords in plaintext is a bad idea...
On 29/10/10 9:42 PM, Konstantin Kolinko knst.koli...@gmail.com wrote:
2010/10/29 Christoph Kukulies k...@kukulies.org:
How can I run tomcat under a different user than root (debian e.g.)?
How do you run it now? Nobody should run Tomcat as root.
Best regards, Konstantin Kolinko
tomcat log format disable the ipv6 format
Here are three log examples:
    127.0.0.1 - - [17/Sep/2010:14:03:07 +0800] GET /docs/logging.html HTTP/1.1 200 24040 http://localhost:8000/docs/manager-howto.html; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
    0:0:0:0:0:0:0:1 - - [26/Oct/2010:09:53:30 +0800] GET /docs/images/tomcat.gif HTTP/1.1 200 1934 http://localhost:8000/docs/; Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
    0:0:0:0:0:0:0:1 - - [26/Oct/2010:09:53:30 +0800] GET /docs/images/asf-logo.gif HTTP/1.1 200 7279 http://localhost:8000/docs/; Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
The first is correct, however the ip of the second and the third is ipv6 format, how to avoid this?
Security of WEB-INF content
Hi,
I have read in various forums that there are situations where the content of WEB-INF can be accessed. Some people say that it is good practice to hide sensitive files in WEB-INF and some say it might not be... I am using Tomcat 6.0 and I am worried someone could access some of my sensitive files located inside the WEB-INF folder. Could you explain to me whether this is possible or not. Do I need to obfuscate the content of the files in WEB-INF?
With best regards, Peter Hallbeck
Re: running tomcat6 under a different user than root (debian)
On 29/10/2010 12:03, Darryl Lewis wrote:
No one should, but I had a supplier recommend to run their application as root. All their scripts and configuration instructions were for running as root. Needless to say I didn't run it as that and rewrote their installation scripts. Now I have to try and convince them that storing the database connection username and passwords in plaintext are a bad idea...
What is the alternative? If the config files containing that information are only readable by the user running Tomcat, and that user doesn't have login access - assuming you're using the service wrapper script to start up, then the information is protected, no?
p
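The setup pid describes in both replies (a config file readable only by the account that runs Tomcat, and that account without a login shell) can be checked with a short script. This is an added example, not code from the thread; the function names, the constructed passwd entry and the /opt/tomcat path are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: check a credential-bearing Tomcat config
# file against the advice above. Function names and sample values are assumed.

# Octal permission bits and numeric owner uid (GNU stat, then BSD stat).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# audit_conf FILE PASSWD_ENTRY
#   FILE          e.g. /opt/tomcat/conf/server.xml
#   PASSWD_ENTRY  passwd(5) line of the account that runs Tomcat,
#                 e.g. "$(getent passwd tomcat)"
# Prints one line per finding; the exit status is the number of findings.
audit_conf() {
    ac_file=$1
    ac_findings=0
    # passwd(5) fields: name:password:uid:gid:gecos:home:shell
    IFS=: read -r ac_name ac_skip ac_uid ac_skip ac_skip ac_skip ac_shell <<EOF
$2
EOF
    if [ -z "$ac_uid" ]; then
        echo "FAIL: no usable passwd entry for the service account"
        return 1
    fi
    # stat reports on a symlink itself, not its target, so refuse symlinks.
    if [ -L "$ac_file" ] || [ ! -f "$ac_file" ]; then
        echo "FAIL: $ac_file is not a regular file"
        return 1
    fi
    ac_mode=$(file_mode "$ac_file")
    ac_owner=$(file_owner "$ac_file")

    # The file must belong to the account Tomcat runs as.
    if [ "$ac_owner" != "$ac_uid" ]; then
        echo "FAIL: $ac_file owned by uid $ac_owner, expected $ac_name (uid $ac_uid)"
        ac_findings=$((ac_findings + 1))
    fi
    # No group or other permission bits: 600 and 400 pass, 640 and 644 fail.
    if [ $(( 0$ac_mode & 077 )) -ne 0 ]; then
        echo "FAIL: $ac_file has mode $ac_mode, group/other bits are set"
        ac_findings=$((ac_findings + 1))
    fi
    # The service account must not be able to log in interactively.
    case $ac_shell in
        */nologin|*/false) ;;
        *)  ac_shown=${ac_shell:-"(empty, system default)"}
            echo "FAIL: account $ac_name has login shell $ac_shown"
            ac_findings=$((ac_findings + 1)) ;;
    esac
    if [ "$ac_findings" -eq 0 ]; then
        echo "OK: $ac_file mode $ac_mode, owner uid $ac_owner, shell $ac_shell"
    fi
    return "$ac_findings"
}

# Constructed demo: a throwaway file and a constructed passwd entry for the
# current uid stand in for conf/server.xml and the tomcat account.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf '<Resource username="user" password="password"/>\n' > "$demo_dir/server.xml"
    demo_entry="tomcat:x:$(id -u):$(id -g)::/opt/tomcat:/usr/sbin/nologin"
    chmod 644 "$demo_dir/server.xml"
    audit_conf "$demo_dir/server.xml" "$demo_entry" || true
    chmod 600 "$demo_dir/server.xml"
    audit_conf "$demo_dir/server.xml" "$demo_entry" || true
    rm -rf "$demo_dir"
}
demo
```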
Re: how can i turn off This is very likely to create a memory leak.
grep -v memory leak On Thursday, 28 October 2010 15:44, Leon Rosenberg rosenberg.l...@gmail.com wrote: Hello, I investigated an issue (another thread) with new error messages after tomcat update: SEVERE: The web application [/moskitodemo] appears to have started a thread named [MoskitoMemoryPoolReader] but has failed to stop it. This is very likely to create a memory leak. After some research and discussions with colleagues we came to the conclusion that this message is ... well not helping us. Is there a possibility to turn it off? It's annoying to have such messages in the logs after a server shutdown. For explanation: I'm not planning to use webapp reload in my environment, hence, this message is actually just spam. regards Leon
Re: tomcat log format disable the ipv6 format
On 29/10/2010 12:24, maven apache wrote: Here are three log examples: 127.0.0.1 - - [17/Sep/2010:14:03:07 +0800] GET /docs/logging.html HTTP/1.1 200 24040 http://localhost:8000/docs/manager-howto.html; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) 0:0:0:0:0:0:0:1 - - [26/Oct/2010:09:53:30 +0800] GET /docs/images/tomcat.gif HTTP/1.1 200 1934 http://localhost:8000/docs/; Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 0:0:0:0:0:0:0:1 - - [26/Oct/2010:09:53:30 +0800] GET /docs/images/asf-logo.gif HTTP/1.1 200 7279 http://localhost:8000/docs/; Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 The first is correct; however, the IP of the second and the third is in IPv6 format. How can I avoid this? Don't connect to Tomcat using IPv6. Mark
Re: Security of WEB-INF content
On 29/10/2010 12:30, Haledor wow wrote: Hi, I have read in various forums that there are situations where the content of WEB-INF can be accessed. Some people say that it is good practice to hide sensitive files in WEB-INF and some say it might not be... I am using Tomcat 6.0 and I am worried someone could access some of my sensitive files located inside the WEB-INF folder. Could you explain to me whether this is possible or not? Nothing under WEB-INF is directly accessible to a user. Requests to http://host:port/app/WEB-INF/... will always be rejected. However, applications can forward requests to resources under /WEB-INF and can also include resources under /WEB-INF. It is up to the application to make sure it doesn't do that in a way that could compromise the security of any sensitive data placed under /WEB-INF. Do I need to obfuscate the content of the files in WEB-INF? No. And as an aside, Obfuscation != security Mark
Re: RV: Session Context variables architecture problem
Just query the database. Enable query caching in mysql. And only optimize in java if you see a bottleneck. My mysql does 15000 queries/sec. What is your expectation of number of queries? Ronald. On Thursday, 28 October 2010 19:31, falva...@geocom.com.uy wrote: Dear All, I'm currently using Tomcat 6.0.28 and having some doubt on how to solve and implement this problem: My webapp has a MySQL Database with a table named parameters, in which we have just two columns (property and value). This table is accessed many times but doesn't change often. For performance purposes I want to save these parameters in the user's tomcat session, so they are read from memory and not database. So far so good. Now the problem: how can I tell these sessions that an attribute has changed? I had suggestions of using context variables instead of session variables, but that didn't solve the problem. Any help in this matter is more than welcome. I have no problem in changing the approach, and maybe not use sessions at all. Thanks in advance. Best regards, Federico Alvarez. Info: Tomcat 6.0.28 Java 1.6 MySQL 5.5 NOT USING HIBERNATE, so 2nd Level cache is not an option
Re: running tomcat6 under a different user than root (debian)
On 29/10/2010 12:03, Darryl Lewis wrote: Now I have to try and convince them that storing the database connection username and passwords in plaintext are a bad idea... I trust that the supplier replies that there is nothing wrong with this approach. The most you'll ever be able to achieve is limiting access to the username and password to the user running the Tomcat process. Since the OS provides a fine set of file permissions for doing exactly that, why bother with anything else? 'encrypting' the username and password will never be anything more than security by obscurity and that is no security at all. Mark
Re: tomcat log format disable the ipv6 format
2010/10/29 Mark Thomas ma...@apache.org On 29/10/2010 12:24, maven apache wrote: Here are three log examples: 127.0.0.1 - - [17/Sep/2010:14:03:07 +0800] GET /docs/logging.html HTTP/1.1 200 24040 http://localhost:8000/docs/manager-howto.html; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) 0:0:0:0:0:0:0:1 - - [26/Oct/2010:09:53:30 +0800] GET /docs/images/tomcat.gif HTTP/1.1 200 1934 http://localhost:8000/docs/; Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 0:0:0:0:0:0:0:1 - - [26/Oct/2010:09:53:30 +0800] GET /docs/images/asf-logo.gif HTTP/1.1 200 7279 http://localhost:8000/docs/; Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 The first is correct; however, the IP of the second and the third is in IPv6 format. How can I avoid this? Don't connect to Tomcat using IPv6. I did not intend to. But I am using win7 now, so I do not know how to disable the ipv6, also I *can not* control the user. Mark
Memory Problem
Hi, I am developing a web application using Tomcat 6.0 server, but after running the application many times it gives a PermGen space OutOfMemoryError. Why is it so? I want to know the reason for that and a solution to overcome this error.
Re: tomcat log format disable the ipv6 format
On 29/10/2010 13:06, maven apache wrote: But I am using win7 now, so I do not know how to disable the ipv6, That would be a question for a Windows support forum if you want to disable it globally. To control which address Tomcat listens on, read the docs or search the archives. Mark also I *can not* control the user. Mark
Re: Memory Problem
On 29/10/2010 13:10, Sandip Hirwale wrote: Hi, I am developing a web application using Tomcat 6.0 server Care to be more precise about which of the 20+ Tomcat 6.0.x versions you are using? The OS and Java version you are using might be useful to know as well. but after running the application many times it gives a PermGen space OutOfMemoryError. Why is it so? Your application has one or more memory leaks. I want to know the reason for that Developer error. Also known as a bug. and a solution to overcome this error Find the root cause of the memory leak and fix the bug. Mark
Re: tomcat6.0.29 on debian lenny
On 10/29/2010 5:40 AM, Christoph Kukulies wrote: ... Ooops. Sorry, I noticed that I had already copied over my 5.5 system.xml into the conf directory. Using the original server.xml now works. Yeah, that bit me too, when I migrated from 5.5.x to 6.0.x. D
Re: tomcat log format disable the ipv6 format
http://osdir.com/ml/users-tomcat.apache.org/2010-05/msg00315.html From this thread, I want to set the connect address format to :0:0:0:0 however I can not find this attribute at: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html 2010/10/29 Mark Thomas ma...@apache.org On 29/10/2010 13:06, maven apache wrote: But I am using win7 now, so I do not know how to disable the ipv6, That would be a question for a Windows support forum if you want to disable it globally. To control which address Tomcat listens on, read the docs or search the archives. Mark also I *can not* control the user. Mark
Re: tomcat log format disable the ipv6 format
On 29/10/2010 13:49, maven apache wrote: http://osdir.com/ml/users-tomcat.apache.org/2010-05/msg00315.html From this thread, I want to set the connect address format to :0:0:0:0 Read that thread again, that is not the value you should be using. however I can not find this attribute at: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html Look harder. Mark
Re: running tomcat6 under a different user than root (debian)
Encrypt the username and passwords using Realm configuration. You should always assume there is the possibility that a user will get access to the system via a badly written program. Whilst they might get some system access, you should make it as difficult as possible for them to jump to the next box. If you give read access on server.xml only to root user, it requires that Tomcat is started with root privileges, which is really bad. If a person gets access, they automatically get root privileges. The entire idea is to make it difficult for a person to get very far quickly. If you run TC as a non-root user, even if they crack the app to get system access, they still have to go further to get root. On 29/10/10 10:42 PM, Pid p...@pidster.com wrote: On 29/10/2010 12:03, Darryl Lewis wrote: No one should, but I had a supplier recommend to run their application as root. All their scripts and configuration instructions were for running as root. Needless to say I didn't run it as that and rewrote their installation scripts. Now I have to try and convince them that storing the database connection username and passwords in plaintext are a bad idea... What is the alternative? If the config files containing that information are only readable by the user running Tomcat, and that user doesn't have login access - assuming you're using the service wrapper script to start up, then the information is protected, no? p
Re: running tomcat6 under a different user than root (debian)
Are you serious? Why do we bother with SSL then? Let's just send everything in clear text... On 29/10/10 11:03 PM, Mark Thomas ma...@apache.org wrote: On 29/10/2010 12:03, Darryl Lewis wrote: Now I have to try and convince them that storing the database connection username and passwords in plaintext are a bad idea... I trust that the supplier replies that there is nothing wrong with this approach. The most you'll ever be able to achieve is limiting access to the username and password to the user running the Tomcat process. Since the OS provides a fine set of file permissions for doing exactly that, why bother with anything else? 'encrypting' the username and password will never be anything more than security by obscurity and that is no security at all. Mark
Re: running tomcat6 under a different user than root (debian)
On 29/10/2010 14:19, Darryl Lewis wrote: Are you serious? Completely. If you have a scheme that encrypts the database username and password in server.xml and provides genuine additional security over and above limiting access to server.xml to the user running Tomcat (and root) I'd love to hear it. I'd also be amazed. Why do we bother with SSL then? Let's just send everything in clear text... Different information in a different environment with different threats. I never said passwords should never be protected. I was quite specific that trying to encrypt usernames and passwords in server.xml (or context.xml for that matter) for database resources is a complete waste of time. Mark
RE: running tomcat6 under a different user than root (debian)
From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au] Subject: Re: running tomcat6 under a different user than root (debian) Are you serious? Definitely. Think it through. Why do we bother with SSL then? Let's just send everything in clear text... Perhaps you failed to notice that traffic over the wire is available to pretty much anyone, but bits on the server hard drive are not (or at least shouldn't be, if you've taken the most basic security steps). - Chuck
Re: running tomcat6 under a different user than root (debian)
On 29/10/2010 14:18, Darryl Lewis wrote: Encrypt the username and passwords using Realm configuration. Realms have nothing to do with the usernames and passwords used to connect to databases defined via Resource tags. You should always assume there is the possibility that a user will get access to the system via a badly written program. Whilst they might get some system access, you should make it as difficult as possible for them to jump to the next box. If Tomcat has access to a database and the attacker has access to a shell prompt (or similar) with the same privileges as Tomcat then the attacker has access to the database and there is absolutely nothing you can do to prevent that. If you give read access on server.xml only to root user, No-one is suggesting that. Go read what Pid wrote again. Tomcat is started with root privileges, which is really bad. Agreed. Mark
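The scheme Pid and Mark describe in this thread (configuration files readable only by the account Tomcat runs as, that account not root and without login access) can be checked mechanically. The script below is an added example, not code from the list or from the Tomcat project; it assumes GNU stat as found on Debian, and the function names, the `tomcat6` account name and the `Catalina/*/*.xml` glob are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit the file-permission scheme discussed in the thread.
# Assumes GNU coreutils stat (Debian). All function names are illustrative.

# mode_is_private MODE: true when the octal mode grants nothing to group/other.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# shell_denies_login PATH: true when a passwd shell field blocks interactive login.
shell_denies_login() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_file PATH UID: the file must be owned by UID and closed to everyone else.
# Returns 0 when clean, 1 on a finding, 2 when the file cannot be inspected.
audit_file() {
    a_file=$1; a_uid=$2; a_rc=0
    a_owner=$(stat -L -c '%u' "$a_file" 2>/dev/null) || return 2
    a_mode=$(stat -L -c '%a' "$a_file" 2>/dev/null) || return 2
    if [ "$a_owner" != "$a_uid" ]; then
        echo "FAIL $a_file: owned by uid $a_owner, expected $a_uid"
        a_rc=1
    fi
    if ! mode_is_private "$a_mode"; then
        echo "FAIL $a_file: mode $a_mode grants access to group or other"
        a_rc=1
    fi
    if [ "$a_rc" -eq 0 ]; then
        echo "OK   $a_file: uid $a_owner, mode $a_mode"
    fi
    return "$a_rc"
}

# audit_tomcat USER CONF_DIR: account checks plus every file that can hold
# Resource credentials (server.xml, context.xml, per-host context files).
audit_tomcat() {
    t_user=$1; t_conf=$2; t_rc=0
    t_uid=$(id -u "$t_user" 2>/dev/null) || { echo "FAIL no such user: $t_user"; return 2; }
    if [ "$t_uid" -eq 0 ]; then
        echo "FAIL Tomcat account is root"
        t_rc=1
    fi
    t_shell=$(getent passwd "$t_user" | cut -d: -f7)
    if ! shell_denies_login "$t_shell"; then
        echo "FAIL $t_user can log in (shell: ${t_shell:-default})"
        t_rc=1
    fi
    for t_f in "$t_conf/server.xml" "$t_conf/context.xml" "$t_conf"/Catalina/*/*.xml; do
        [ -e "$t_f" ] || continue        # unmatched glob or absent file
        audit_file "$t_f" "$t_uid" || t_rc=1
    done
    return "$t_rc"
}

# Example invocation (account and path are assumptions):
#   sh audit.sh tomcat6 /etc/tomcat6
if [ "$#" -eq 2 ]; then
    audit_tomcat "$1" "$2"
fi
```

Group read is reported as a failure here because the scheme in the thread limits access to the Tomcat user alone.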
Re: running tomcat6 under a different user than root (debian)
On Friday 29 October 2010 15:34:29 Mark Thomas wrote: If Tomcat has access to a database and the attacker has access to a shell prompt (or similar) with the same privileges as Tomcat then the attacker has access to the database and there is absolutely nothing you can do to prevent that. In theory, there is a way Tomcat could implement. You could interactively ask for all needed passwords when starting Tomcat and keep them only in memory. httpd does that by default for encrypted SSL primary keys. But in practice the userbase that would accept the inconvenience and the impossibility to automatically start tomcat would be too small to spend time for that. And the practical security gain is small. Mark Rainer
Re: running tomcat6 under a different user than root (debian)
On 29/10/2010 14:42, Rainer Frey wrote: On Friday 29 October 2010 15:34:29 Mark Thomas wrote: If Tomcat has access to a database and the attacker has access to a shell prompt (or similar) with the same privileges as Tomcat then the attacker has access to the database and there is absolutely nothing you can do to prevent that. In theory, there is a way Tomcat could implement. You could interactively ask for all needed passwords when starting Tomcat and keep them only in memory. httpd does that by default for encrypted SSL primary keys. But in practice the userbase that would accept the inconvenience and the impossibility to automatically start tomcat would be too small to spend time for that. And the practical security gain is small. Actually it is pretty much zero. If the password is in memory it will be in a known location and an attacker will still be able to read it (reflection, heap dump, etc). With httpd the barrier is a little higher since it is likely to be harder to find the right bit of memory. Agreed that the downtime issues far outweigh any security benefits. Mark
Re: running tomcat6 under a different user than root (debian)
If you have a webapp where users log in you can use their login/password to login on the database. A little bit inconvenient for the DBA but you don't have passwords on your servers. Ronald. On Friday, 29 October 2010 15:42, Rainer Frey rainer.f...@inxmail.de wrote: On Friday 29 October 2010 15:34:29 Mark Thomas wrote: If Tomcat has access to a database and the attacker has access to a shell prompt (or similar) with the same privileges as Tomcat then the attacker has access to the database and there is absolutely nothing you can do to prevent that. In theory, there is a way Tomcat could implement. You could interactively ask for all needed passwords when starting Tomcat and keep them only in memory. httpd does that by default for encrypted SSL primary keys. But in practice the userbase that would accept the inconvenience and the impossibility to automatically start tomcat would be too small to spend time for that. And the practical security gain is small. Mark Rainer
Re: running tomcat6 under a different user than root (debian)
On 29/10/2010 14:53, Ronald Klop wrote: If you have a webapp where users log in you can use their login/password to login on the database. A little bit inconvenient for the DBA but you don't have passwords on your servers. It isn't quite that clear cut. There are some trade-offs to make with this approach (and I'm not sure I like them). 1. The user's password has to be available in plain text. That prevents you from storing digested passwords in the realm. 2. All the users' passwords are in memory and that is still vulnerable to an attacker. 3. If the username/password is held in the session: a) it could get persisted to disk b) it could get replicated in a cluster both of which may, or may not, be an issue. 1 bothers me the most. For the others, once an attacker has reached the point where they have shell access as the Tomcat user (or have some other way to extract data from the heap) then it is game over for all data that passes through that Tomcat instance. As with anything security related the right solution is going to vary from environment to environment and it is always going to involve some form of trade-off. Mark Ronald. On Friday, 29 October 2010 15:42, Rainer Frey rainer.f...@inxmail.de wrote: On Friday 29 October 2010 15:34:29 Mark Thomas wrote: If Tomcat has access to a database and the attacker has access to a shell prompt (or similar) with the same privileges as Tomcat then the attacker has access to the database and there is absolutely nothing you can do to prevent that. In theory, there is a way Tomcat could implement. You could interactively ask for all needed passwords when starting Tomcat and keep them only in memory. httpd does that by default for encrypted SSL primary keys. But in practice the userbase that would accept the inconvenience and the impossibility to automatically start tomcat would be too small to spend time for that. And the practical security gain is small. Mark Rainer
RE: How to start my application without localhost, only with virtual host?
We have this server.xml file: <Host name="cntest2.de" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="true"> <Context path="" docBase="/usr/share/tomcat6/webapps/MyNetwork" reloadable="true" allowLinking="true" /> </Host> If we have no path defined (path=""), there are two networks starting (catalina.out - part) INFO: Initializing Mojarra (1.2_12-b01-FCS) for context '' and later (catalina.out - part) INFO: Initializing Mojarra (1.2_12-b01-FCS) for context '/CompetenceNetwork' we can access the page by http://cntest2.de/ - and get redirected to http://cntest2.de/login.html. If we define the path like path="/MyNetwork": <Host name="cntest2.de" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="true"> <Context path="/MyNetwork" docBase="/usr/share/tomcat6/webapps/MyNetwork" reloadable="true" allowLinking="true" /> </Host> And starts only one network: (catalina.out - part) INFO: Initializing Mojarra (1.2_12-b01-FCS) for context '/CompetenceNetwork' The page http://cntest2.de/MyNetwork/login.html works fine. But if we go to the page http://cntest2.de/ the index.html from ROOT is showing. So now we did what you said and copied the MyNetwork content (subfolder and files) to the ROOT directory. Then we see the login page of MyNetwork as expected. But now if we try to login we get URL-redirected to: http://cntest2.de/pages/#{subUserSessionUtil.startPageAddress} There is no error shown in the catalina.out, but the #{subUserSessionUtil.startPageAddress} looks like an uninterpreted handler call. That works if we access the network with http://cntest2.de:8080/MyNetwork/login.html. The goal is to access the network by its configured URL-pattern - http://cntest2.de/login.html (and do login etc.) The question: how can we adjust the server.xml and work with url http://cntest2.de/login.html , not with http://cntest2.de/MyNetwork/login.html ?
Thank you from apache2: vhost_cn.conf # Update this path to match your conf directory location (put workers.properties next to httpd. # JkWorkersFile /etc/tomcat6/workers.properties # Where to put jk shared memory # Update this path to match your local state directory or logs directory JkShmFile /var/log/apache2/mod_jk.shm # Where to put jk logs #mmm: JkWorkersFile /usr/share/tomcat6/conf/worker.properties # # Update this path to match your logs directory location (put mod_jk.log next to access_log) JkLogFile /var/log/apache2/mod_jk.log # Set the jk log level [debug/error/info] JkLogLevel info # Select the timestamp log format JkLogStampFormat [%a %b %d %H:%M:%S %Y] NameVirtualHost * <VirtualHost *> DocumentRoot /usr/share/tomcat6/webapps/MyNetwork . JkMount /* worker1 .. # Serve html, jpg and gif using httpd JkUnMount /*.html ajp13 JkUnMount /*.jpg ajp13 JkUnMount /*.gif ajp13 ServerName cntest2.de ServerAdmin i...@cntest2.de <Directory /usr/share/tomcat6/webapps/MyNetwork> Options Indexes MultiViews AllowOverride none Allow from all </Directory> <Location /WEB-INF/> #AllowOverride None deny from all </Location> #RewriteEngine On Options +FollowSymLinks / n828cl wrote: From: M.Arkhypov [mailto:mykhaylo.arkhy...@gmx.net] Subject: How to start my application without localhost, only with virtual host? I would like to start my application without localhost, only with virtual host. All Host elements are virtual. The name localhost in the Engine and one Host element has nothing to do with 127.0.0.1, but rather it simply links the Engine to the default Host. You must always have one default Host, but it can be any of your Host elements. <Host name="mmmtest.ch" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="true"> <Alias>mmmtest.ch</Alias> You're missing the appBase attribute; the value for that should be unique for each Host. That's a pointless Alias, since it's the same as the name attribute.
<Context path="" docBase="c:/temp_mmm/apache-tomcat-6.0.29/webapps/examples" reloadable="true" allowLinking="true"> </Context> It's extremely bad practice to put Context elements in server.xml, and very dangerous to share webapps across multiple Host elements. The tomcatmanager is reachable on: http://mmmtest.ch:8080/manager/html. Only because both Host elements are sharing appBase - a really bad idea. <Host name="pcd-testcommunity.de" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="true"> <Alias>pcd-testcommunity.de</Alias> Another useless Alias. <Context path="" docBase="/var/lib/tomcat55/webapps/CompetenceNetwork" reloadable="true" allowLinking="true"
RE: Error getting Thread dump on Windows
I wanted to let everyone know that I figured this out -- sort of. Seems I was trying this logged in using Remote Desktop (MS) while logged in as a user that wasn't Administrator, though part of the admin group. Something about that configuration is causing the error. When I went to the console, I was able to do a thread dump on any of the instances on the machine. I can't test if it is RDP or user that's the problem, since this is a production system and I won't let Administrator login remotely. I might be able to use the other login on the console, but I will have to try that later. Jeff -Original Message- From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com] Sent: Tuesday, October 12, 2010 11:35 AM To: Tomcat Users List Subject: Error getting Thread dump on Windows Tomcat 5.5.17 (running as a service) Java JDK 1.5.0_06 (yes, I know, really old) Windows Server 2003 SP2 (up to date) I have a Tomcat instance (one of many) that appears to have some hung/looping threads. I tried to use the system tray to take a thread dump (right-click, pick thread dump) and I get an odd error from Windows: Window title: Application System Error Window contents: The system cannot file the file specified. Unable to open the Event Mutex. Any clues? I've seen this sometimes on login (on another system) and am completely baffled. It occurs no matter which instance I am trying to dump. Jeff
Re: How to start my application without localhost, only with virtual host?
Dear Chuck, thank you for your attention and reply, we have done a few of your advices, but without success: We have this server.xml file: <Host name="cntest2.de" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="true"> <Context path="" docBase="/usr/share/tomcat6/webapps/MyNetwork" reloadable="true" allowLinking="true" /> </Host> If we have no path defined (path=""), there are two networks starting (catalina.out - part) INFO: Initializing Mojarra (1.2_12-b01-FCS) for context '' and later (catalina.out - part) INFO: Initializing Mojarra (1.2_12-b01-FCS) for context '/MyNetwork' we can access the page by http://cntest2.de/ - and get redirected to http://cntest2.de/login.html. If we define the path like path="/MyNetwork": <Host name="cntest2.de" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="true"> <Context path="/MyNetwork" docBase="/usr/share/tomcat6/webapps/MyNetwork" reloadable="true" allowLinking="true" /> </Host> And starts only one network: (catalina.out - part) INFO: Initializing Mojarra (1.2_12-b01-FCS) for context '/CompetenceNetwork' The page http://cntest2.de/MyNetwork/login.html works fine. But if we go to the page http://cntest2.de/ the index.html from ROOT is showing. So now we did what you said and copied the MyNetwork content (subfolder and files) to the ROOT directory. Then we see the login page of MyNetwork as expected. But now if we try to login we get URL-redirected to: http://cntest2.de/pages/#{subUserSessionUtil.startPageAddress} There is no error shown in the catalina.out, but the #{subUserSessionUtil.startPageAddress} looks like an uninterpreted handler call. That works if we access the network with http://cntest2.de:8080/MyNetwork/login.html. The goal is to access the network by its configured URL-pattern - http://cntest2.de/login.html (and do login etc.) The question: how can we adjust the server.xml and work with url http://cntest2.de/login.html , not with http://cntest2.de/MyNetwork/login.html ?
Thank you conf. from apache2: vhost_cn.conf # Update this path to match your conf directory location (put workers.properties next to httpd. # JkWorkersFile /etc/tomcat6/workers.properties # Where to put jk shared memory # Update this path to match your local state directory or logs directory JkShmFile /var/log/apache2/mod_jk.shm # Where to put jk logs #mmm: JkWorkersFile /usr/share/tomcat6/conf/worker.properties # # Update this path to match your logs directory location (put mod_jk.log next to access_log) JkLogFile /var/log/apache2/mod_jk.log # Set the jk log level [debug/error/info] JkLogLevel info # Select the timestamp log format JkLogStampFormat [%a %b %d %H:%M:%S %Y] NameVirtualHost * <VirtualHost *> DocumentRoot /usr/share/tomcat6/webapps/MyNetwork . JkMount /* worker1 .. # Serve html, jpg and gif using httpd JkUnMount /*.html ajp13 JkUnMount /*.jpg ajp13 JkUnMount /*.gif ajp13 ServerName cntest2.de ServerAdmin i...@cntest2.de <Directory /usr/share/tomcat6/webapps/MyNetwork> Options Indexes MultiViews AllowOverride none Allow from all </Directory> <Location /WEB-INF/> #AllowOverride None deny from all </Location> #RewriteEngine On Options +FollowSymLinks / On 27.10.2010 at 17:44, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: M.Arkhypov [mailto:mykhaylo.arkhy...@gmx.net] Subject: How to start my application without localhost, only with virtual host? I would like to start my application without localhost, only with virtual host. All Host elements are virtual. The name localhost in the Engine and one Host element has nothing to do with 127.0.0.1, but rather it simply links the Engine to the default Host. You must always have one default Host, but it can be any of your Host elements. <Host name="mmmtest.ch" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="true"> <Alias>mmmtest.ch</Alias> You're missing the appBase attribute; the value for that should be unique for each Host.
That's a pointless Alias, since it's the same as the name attribute. <Context path="" docBase="c:/temp_mmm/apache-tomcat-6.0.29/webapps/examples" reloadable="true" allowLinking="true"> </Context> It's extremely bad practice to put Context elements in server.xml, and very dangerous to share webapps across multiple Host elements. The tomcatmanager is reachable on: http://mmmtest.ch:8080/manager/html. Only because both Host elements are sharing appBase - a really bad idea. <Host name="pcd-testcommunity.de" unpackWARs="true" autoDeploy="true" xmlValidation="false"
RE: RV: Session Context variables architecture problem
Thanks Ronald and Pid for the help.

Honestly I don't know if this parameters thing is really a performance issue, but I've been assigned to work on it so I don't have much choice, ;).

I liked the idea of a class handling the attributes in ServletContext. I'll give it a try and let you know of the outcome.

Thanks again.

Best regards,
Federico Alvarez.

Lic. Federico Alvarez
GeneXus Analyst
GEOCOM Uruguay S.A.
Dionisio Oribe 3071 // Montevideo CP 11600 // Uruguay
Tels.: (+598) 2 481 ext. 775 / Fax.: 481 ext. 718

-----Original message-----
From: Pid [mailto:p...@pidster.com]
Sent: Thursday, 28 October 2010 19:36
To: Tomcat Users List
Subject: Re: RV: Session Context variables architecture problem

On 28/10/2010 18:31, falva...@geocom.com.uy wrote:

> Dear All,
>
> I'm currently using Tomcat 6.0.28 and having some doubt on how to solve and implement this problem:
>
> My webapp has a MySQL Database with a table named parameters, in which we have just two columns (property and value). This table is accessed many times but doesn't change often. For performance purposes I want to save these parameters in the user's tomcat session, so they are read from memory and not database. So far so good.

Do you actually know that this is a performance problem, or are you guessing that it is?

> Now the problem: how can I tell these sessions that an attribute has changed?

Using the session will mean that you have duplicate copies of this information in each session.

> I had suggestions of using context variables instead of session variables, but that didn't solve the problem.

*If* you need to do this, using the Context is probably better.

I would suggest that you created a class which periodically updated all the values by selecting the data in the DB and storing the result in the Context.

Implementing a ServletContextListener will give you access to the ServletContext and two methods, for app startup and shutdown, which you can use to start the periodic process, and properly stop it (very important).

You may consider using a Timer, or something from the java.util.concurrent package.

p

> Any help in this matter is more than welcome. I have no problem in changing the approach, and maybe not use sessions at all.
>
> Thanks in advance.
>
> Best regards,
> Federico Alvarez.
>
> Info:
> Tomcat 6.0.28
> Java 1.6
> MySQL 5.5
> NOT USING HIBERNATE, so 2nd Level cache is not an option
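Pid's suggestion in the message above (a ServletContextListener that starts a periodic refresh and stops it at shutdown), as an added example that is not code from the thread. The attribute name, the JNDI DataSource name and the 60-second interval are assumptions; the table and column names are the ones given in the question, and the syntax stays within Java 1.6.

```java
import java.sql.*;
import java.util.*;
import java.util.concurrent.*;
import javax.naming.InitialContext;
import javax.servlet.*;
import javax.sql.DataSource;

// Added example: reloads the "parameters" table into one shared ServletContext attribute.
public class ParameterCacheListener implements ServletContextListener {
    public static final String ATTR = "app.parameters";            // hypothetical attribute name
    private static final String JNDI = "java:comp/env/jdbc/appDb"; // hypothetical DataSource name
    private ScheduledExecutorService scheduler;

    public void contextInitialized(ServletContextEvent sce) {
        final ServletContext ctx = sce.getServletContext();
        final DataSource ds;
        try {
            ds = (DataSource) new InitialContext().lookup(JNDI);
        } catch (Exception e) {
            throw new IllegalStateException("DataSource lookup failed", e);
        }
        // Readers always find a map, even before the first refresh has completed.
        ctx.setAttribute(ATTR, Collections.<String, String>emptyMap());
        scheduler = Executors.newSingleThreadScheduledExecutor();
        scheduler.scheduleWithFixedDelay(new Runnable() {
            public void run() {
                try { // publish a complete, read-only snapshot in a single step
                    ctx.setAttribute(ATTR, Collections.unmodifiableMap(load(ds)));
                } catch (Exception e) {
                    // Keep the last good snapshot; an escaping exception would cancel the schedule.
                    ctx.log("parameter refresh failed", e);
                }
            }
        }, 0, 60, TimeUnit.SECONDS); // assumed refresh interval
    }

    public void contextDestroyed(ServletContextEvent sce) {
        // Stop the worker thread, otherwise every reload or undeploy leaks it.
        if (scheduler != null) scheduler.shutdownNow();
        sce.getServletContext().removeAttribute(ATTR);
    }

    static Map<String, String> load(DataSource ds) throws SQLException {
        Connection con = ds.getConnection();
        try {
            Statement st = con.createStatement();
            ResultSet rs = st.executeQuery("SELECT property, value FROM parameters");
            Map<String, String> m = new HashMap<String, String>();
            while (rs.next()) m.put(rs.getString(1), rs.getString(2));
            return m;
        } finally {
            con.close(); // releases the connection together with its statement and result set
        }
    }
}
```

The class is registered with a `<listener>` element in the webapp's web.xml; servlets then read the current snapshot with `getServletContext().getAttribute(ParameterCacheListener.ATTR)`, so there is one copy per webapp instead of one per session.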
Re: RV: Session Context variables architecture problem
Nothing like wasting your time to get job satisfaction...

p

On 29 Oct 2010, at 17:39, falva...@geocom.com.uy falva...@geocom.com.uy wrote:

> Thanks Ronald and Pid for the help.
>
> Honestly I don't know if this parameters thing is really a performance issue, but I've been assigned to work on it so I don't have much choice, ;).
>
> I liked the idea of a class handling the attributes in ServletContext. I'll give it a try and let you know of the outcome.
>
> Thanks again.
>
> Best regards,
> Federico Alvarez.
Re: how can i turn off This is very likely to create a memory leak.
Simon Funnell wrote:

> ..
> Note the word 'likely' is not 'defiantly', it is possible that your implementation is 'not' creating a memory leak.

And it's definitely not defiantly either.