date:20111006

On 07.10.2011 03:12, Ilya Kazakevich wrote:
> Hello,
> 
> My app uses log4j. I have several apps running in my tomcat 6 in different
> contexts. I want to log them to different files but filenames (as well as
> levels and even appenders) should be configurable by admin.
> 
> Something like this:
> 
> ./config/ENGINE_NAME/HOST_NAME/ContextName/log4j.properties
> 
> I can't put log4j directly in tomcat so all apps would use one config (and
> it is not what I want).
> I can't put a copy to the each .war file too because admin would not be able
> to reconfigure them.
> 
> Does there is a nice solution (with out of custom code)?

You can use the VirtualWebappLoader, at least if Log4J in your webapps
is configured as usual using the class loader search. If it is
configured programmatically, then there is little you can do.

The VirtualWebappLoader allows to extend the search path for the class
loader of a web application by external directories and jars. So you can
e.g. add ${catalina.base}/ENGINE_NAME/HOST_NAME/CONTEXT_NAME/ the the
path for the context named CONTEXT_NAME.

The VirtualWebappLoader exists since quite some time in TC 6, but only
in TC 7 it gained non-experimental status. Nevertheless it does work in
TC 6 too. The configuration is done in a Loader element nested in the
Context element in the context deployment descriptor (aka context.xml or
myapp.xml).

For TC 6 the docs are somewhat hidden:

http://tomcat.apache.org/tomcat-6.0-doc/api/index.html

for TC 7 it is a first class citizen documented at

http://tomcat.apache.org/tomcat-7.0-doc/config/loader.html#VirtualWebappLoader_Implementation

Important note: old versions of the VirtualWebappLoader appended the
additional search path components, so anything found inside the webapp
won. Of course here you want to overwrite something in the war, so you
want the path components to get prepended. The attribute
searchVirtualFirst="true" configures that. This is only available in TC
6.0.33 (and TC 7 since 7.0.0).

Example:

There is also another option: if you only want to make the path to the
log files configurable and you can agree on a solution with the webapp
developers, you can convince them to use a system property for the log
path, that you can set during TC startup. Since system properties are
global, you would need a different system property for each webapp if
you want to configure different directories.

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Log4j per context admin managable configs?

2011-10-06 Thread Ilya Kazakevich

Hello,

My app uses log4j. I have several apps running in my tomcat 6 in different
contexts. I want to log them to different files but filenames (as well as
levels and even appenders) should be configurable by admin.

Something like this:

./config/ENGINE_NAME/HOST_NAME/ContextName/log4j.properties

I can't put log4j directly in tomcat so all apps would use one config (and
it is not what I want).
I can't put a copy to the each .war file too because admin would not be able
to reconfigure them.

Does there is a nice solution (with out of custom code)?

Thank you.

Ilya Kazakevich,
Developer
JetBrains Inc
http://www.jetbrains.com
"Develop with pleasure!"


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: JSP page that will not update

2011-10-06 Thread Konstantin Kolinko

2011/10/7 Stephen Caine :
> List users,
>
> I recently updated to Tomcat 5.5.34 from 5.5.7.  Keeping all the 
> configuration files the same, I now notice that a jsp page that opens cached 
> data whereas before the page always loaded updated data.  The call to the 
> page is via a javascript using window.open.
>

Your description is too high-level.

You need to find what actually happens. Either
a) the page generates stale data
b) the page is not requested by browser (a stale copy is used)

a) happens on server,
b) happens in the browser, but depends on what HTTP headers are
returned with your response.

You need to perform some investigation, what really happens, and
whether it is a) or b).
At least, configure an AccessLogValve in Tomcat.

> Some questions…
>
> 1.  Has Tomcat 5.5.34 introduced some change that might account for what I am 
> experiencing?

:/

> 2.  Is there a setting in Tomcat that can be tweaked to address my issue?

See above.

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

two questions about the session timeout in tomcat

2011-10-06 Thread Bill Wang

Hi Tomcat Guru,

Recently one of Tomcat application has performance issue, which get slow
respond with high sessions.

One team member recommend me to adjust the  session timeout from 60 minutes
to 30 minutes.  I will do that, but before change it, I'd like to understand
how the performance related with the expire session timeout.

 60

Second, currently I monitor the session count by login the admin interface,
the manual way is not efficiency, can I run some commands to get the
sessions number? With that I can set a cronjob and generate the session
report easily.

Regards,
Bill

Re: Should Form Authentication Valve restore request body on a PUT?

2011-10-06 Thread Nicholas Sushkin

I found out that in Tomcat 6.0 trunk, if user is not authentication and app is 
configured for FORM authentication, POST and GET requests return 200 and the 
login form, but PUT returns 403 and error page. What might explain the 
difference in handling PUT? 

I tried to run in debugger, but it wasn't immediately obvious. 
forwardToLoginPage is called in all cases, but there is some difference in the 
way dispatcher processes the forward.

Thanks.

On Thursday, September 29, 2011 17:04:27 Christopher Schultz wrote:
> Nicholas,
> 
> On 9/29/2011 3:37 PM, Nicholas Sushkin wrote:
> > In Tomcat 6, Form Authentication valve restores the original
> > request after a POST with successful authentication and redirect is
> > followed by the client's GET. In case of the POST, the valve also
> > restores the original request's body. However, it doesn't do that
> > for a PUT.
> 
> That's not entirely surprising.
> 
> > If I am not mistaken, it should restore the body on PUT as well. Do
> > I misunderstand something?
> 
> The servlet spec (v3.0, SRV 13.6.3.1) has this to say:
> "
> If the form based login is invoked because of an HTTP request, the
> original request parameters must be preserved by the container for use
> if, on successful authentication, it redirects the call to the
> requested resource.
> "
> 
> It doesn't say what kinds of HTTP verbs should or should not be
> supported, but GET and PUT seem entirely obvious. It doesn't say that
> the request body needs to be maintained, only the "request
> parameters". Since the servlet specification doesn't have any
> provisions for fetching request parameters from PUT operations, I
> suppose the spec therefore doesn't directly recommend that PUT bodies
> be stored for later use like when POST is used.
> 
> > The patch would be in FormAuthenticator.restoreRequest(Request,
> > Session) [1], to change from
> > 
> > if ("POST".equalsIgnoreCase(saved.getMethod())) {
> > 
> > to
> > 
> > if ("POST".equalsIgnoreCase(saved.getMethod()) ||
> > "PUT".equalsIgnoreCase(saved.getMethod())) {
> 
> On the face of it, that seems reasonable. I haven't read-through the
> code that then replays the saved-request so I'm not sure if there's
> more to be done.
> 
> I do have one question: why are you using Form-based authentication
> with PUT requests? It seems like HTTP Digest or something like that
> would make more sense when clients can expect to send data without
> being challenged a-priori for credentials.
> 
> Another workaround would just be to use POST.
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
-- 
Nicholas Sushkin
Senior Software Engineer, Manager of IT Operations

OpenFinance
62 Chelsea Piers, Suite 316
New York, NY 10011
+1 646 723 2790 (o)

nsush...@openfinance.com 

CONFIDENTIALITY NOTICE: This e-mail message and any attachments are only for 
the use of the intended recipient and may contain information that is 
privileged, confidential or exempt from disclosure under applicable law. If 
you are not the intended recipient, any disclosure, distribution or other use 
of this e-mail message or attachments is prohibited. If you have received this 
e-mail message in error, please delete and notify the sender immediately. 
Thank you.


smime.p7s
Description: S/MIME cryptographic signature

JSP page that will not update

2011-10-06 Thread Stephen Caine

List users,

I recently updated to Tomcat 5.5.34 from 5.5.7.  Keeping all the configuration 
files the same, I now notice that a jsp page that opens cached data whereas 
before the page always loaded updated data.  The call to the page is via a 
javascript using window.open.

Some questions…

1.  Has Tomcat 5.5.34 introduced some change that might account for what I am 
experiencing?
2.  Is there a setting in Tomcat that can be tweaked to address my issue?

Thank you,

Stephen Caine
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: How to get Tomcat HTTP port during startup of the server

2011-10-06 Thread Lahiru Gunathilake

HI Christopher,

That is what I have already done ! I thought its not nice users to put the
same configuration in to another properties file !

Somehow currently I have a solution but I am trying to find a better
solution.

I appreciate your responses ! Tomcat user list seems awesome !

Lahiru

On Thu, Oct 6, 2011 at 2:57 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Lahiru,
>
> On 10/6/2011 2:21 PM, Lahiru Gunathilake wrote:
> > This is my usecase, I want to register my application URL to a
> > repository and there is another remote application who reads that
> > URL somewhere and invoke my application. So during the startup I
> > need to register them before I get any request.
>
> Can you solve this with configuration? It seems like simply adding
> something like "URLBackToMe" could be configured in a properties file,
> web.xml init-param, or even in the JNDI context for the webapp. That
> will almost certainly be easier and less error-prone than trying to
> sniff the HTTP port from one of Tomcat's connectors.
>
> In production, we have two connectors: one HTTP and one AJP. The AJP
> connector accepts connections from the load-balancer for "regular"
> traffic. The HTTP connector accepts localhost-only loopback
> connections for operations that do not need to be encrypted. We have
> both the "public" and "private" URLs to our webapp in configuration
> files so that they can be used as appropriate depending upon the
> situation.
>
> If you had a setup like the above (particularly if you were using two
> HTTP connectors instead of one AJP and one HTTP), you might not be
> able to tell which connector was the "right" one. Also, you might have
> connectors bound to different interfaces to support multi-hostname
> SSL, etc. In those cases, how do you determine what the "right" port is?
>
> I think it's better to solve this with configuration instead of trying
> to determine the environment from the inside.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk6N+h4ACgkQ9CaO5/Lv0PAitACggQjcKsO2YUO4ZCeVoVQfLavH
> aE4AniuyPfiQ9/tx3dN9a0wZsExA12Wz
> =Gd3G
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


-- 
System Analyst Programmer
PTI Lab
Indiana University

Re: AW: Preferred configuration with Hardware Loadbalancer

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Alexander,

On 10/6/2011 6:43 AM, Alexander Diedler wrote:
> I mean a frontend Apache httpd and backend Tomcat server. 
> Loadbalancing would be done by a hardware load balancer fronted to
> the Apache Webserver, so we should not balance the request two
> times. It should be only a Failovercluster.

I agree with Ronald: drop the Apache httpd and figure out how to get
your Cisco load balancer to detect failure and perform failover.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6N+pYACgkQ9CaO5/Lv0PCqcwCfeWQqDopt2un5xYuxEQezKuz3
MJIAnA/A2IERGEk8J0yRijVm4o05ZNdV
=9Ifd
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: How to get Tomcat HTTP port during startup of the server

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Lahiru,

On 10/6/2011 2:21 PM, Lahiru Gunathilake wrote:
> This is my usecase, I want to register my application URL to a
> repository and there is another remote application who reads that
> URL somewhere and invoke my application. So during the startup I
> need to register them before I get any request.

Can you solve this with configuration? It seems like simply adding
something like "URLBackToMe" could be configured in a properties file,
web.xml init-param, or even in the JNDI context for the webapp. That
will almost certainly be easier and less error-prone than trying to
sniff the HTTP port from one of Tomcat's connectors.

In production, we have two connectors: one HTTP and one AJP. The AJP
connector accepts connections from the load-balancer for "regular"
traffic. The HTTP connector accepts localhost-only loopback
connections for operations that do not need to be encrypted. We have
both the "public" and "private" URLs to our webapp in configuration
files so that they can be used as appropriate depending upon the
situation.

If you had a setup like the above (particularly if you were using two
HTTP connectors instead of one AJP and one HTTP), you might not be
able to tell which connector was the "right" one. Also, you might have
connectors bound to different interfaces to support multi-hostname
SSL, etc. In those cases, how do you determine what the "right" port is?

I think it's better to solve this with configuration instead of trying
to determine the environment from the inside.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6N+h4ACgkQ9CaO5/Lv0PAitACggQjcKsO2YUO4ZCeVoVQfLavH
aE4AniuyPfiQ9/tx3dN9a0wZsExA12Wz
=Gd3G
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Securing Tomcat cluster communication

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Azeez,

On 10/6/2011 10:17 AM, Afkham Azeez wrote:
> Is there a way to do authentication in Tribes when new members try
> to join a cluster so that unauthorized nodes cannot join in? Also,
> when clustering messages are sent back & forth, how do we ensure
> security?

You could always use stunnel. I'm currently piloting that for a
multi-node cluster with a pair of httpd instances for load-balancing.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6N+MoACgkQ9CaO5/Lv0PA4ggCfRxzweAyWHtEzLOE30nv//wtD
zQUAn3gxOpc9WRDpnRTkNXecGtqKKHG4
=fOAu
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Detecting a login or logoff event

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Chema,

On 10/6/2011 10:23 AM, Chema wrote:
> 2011/10/6 Martin O'Shea 
> 
>> 
>> Detecting a logoff is easier using the sessionDestroyed method.
>> 
> 
> How do you detect that an user is closing his browser ?

You cannot. The best you can hope for is to wait for the session to
time out.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6N+GsACgkQ9CaO5/Lv0PDfmQCghNSHJlYONAtzclzrx5uD4Q82
bokAmwV9SW5+xVatuumoI5VlJFOtfw+N
=CIbe
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Detecting a login or logoff event

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Martin,

On 10/6/2011 9:29 AM, Martin O'Shea wrote:
> I need to be able to intercept a successful authentication of a
> login / logout request which can then be used to make a series of
> system updates to record the fact.
> 
> So, if John Doe has just logged in successfully, an update is made
> to his session like:
> 
> session.setAttribute("loggedIntoSession", true);
> 
> Or an update made to the database?
> 
> Conversely, upon logout:
> 
> session.setAttribute("loggedIntoSession", false);
> 
> At the moment, I am thinking about scriptlets in the pages served 
> testing the request's servlet path after login is successful

That sounds like a fragile way to do it: you have to make sure that
all JSPs have the same scriptlet, use it properly, have error
recovery, etc.

> but is a filter better?

Absolutely: this is the kind of thing that Filters were created for.

> But if so, what might a filter check for?

That depends. If you are using FORM authentication, then this stuff is
possible. If you use HTTP BASIC/DIGEST or CLIENT-CERT, things get
complicated.

Let's assume FORM. It's simple: in your Filter, check to see if the
user is logged-in (request.getPrincipal) but there is no
"loggedIntoSession" token in the session. If that's the case, perform
your login procedure and then write your "loggedIntoSession" token
into the session.

As others have suggested, for logout you'll have to use a
HttpSessionListener. If the user was logged-in, you can get their
loggedIntoSession token (which ought to include some identifier for
them) and do whatever you want. No need to remove the
"loggedInotSession" token, since the session will be destroyed anyway.

We use this exact same technique to do things like update the
last-logged-in date of the user, as well as loading user-specific
preferences from the database into the session. The entire Filter
class, including blank lines, imports, comments, and specialized
methods to build the preferences objects to store in the session is a
mere 336 lines of code. This is something that is not terribly complex
to handle.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6N+FIACgkQ9CaO5/Lv0PB+nwCfR3AMFmDy3vejPIBT0IREapjA
wb4AmwZ7GOJ51pVDBrnG1m7E7x2xZhit
=NXi/
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: How to get Tomcat HTTP port during startup of the server

2011-10-06 Thread Lahiru Gunathilake

Hi Charles,

This is my usecase, I want to register my application URL to a repository
and there is another remote application who reads that URL somewhere and
invoke my application. So during the startup I need to register them before
I get any request.

Lahiru

On Thu, Oct 6, 2011 at 1:38 PM, Caldarale, Charles R <
chuck.caldar...@unisys.com> wrote:

> > From: Lahiru Gunathilake [mailto:glah...@gmail.com]
> > Subject: How to get Tomcat HTTP port during startup of the server
>
> > I have a requirement of getting the Tomcat HTTP port during
> > startup of my application.
>
> The obvious first question is: why?  Also, you must know that Tomcat may be
> listening on multiple ports, not just one.
>
> > before getting any HttpRequest I need to talk tomcat
> > HTTP port.
>
> What do you think you are going to say when you talk to one of the Tomcat
> ports?
>
> > Can someone please tell me how to access the http port
>
> You can use JMX to query nearly all of the Tomcat configuration settings.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


-- 
System Analyst Programmer
PTI Lab
Indiana University

RE: How to get Tomcat HTTP port during startup of the server

2011-10-06 Thread Caldarale, Charles R

> From: Lahiru Gunathilake [mailto:glah...@gmail.com] 
> Subject: How to get Tomcat HTTP port during startup of the server

> I have a requirement of getting the Tomcat HTTP port during 
> startup of my application.

The obvious first question is: why?  Also, you must know that Tomcat may be 
listening on multiple ports, not just one.

> before getting any HttpRequest I need to talk tomcat 
> HTTP port.

What do you think you are going to say when you talk to one of the Tomcat ports?

> Can someone please tell me how to access the http port

You can use JMX to query nearly all of the Tomcat configuration settings.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

How to get Tomcat HTTP port during startup of the server

2011-10-06 Thread Lahiru Gunathilake

Hi all,

I have a requirement of getting the Tomcat HTTP port during startup of my
application. I have the ServletContext object in me during startup, before
getting any HttpRequest I need to talk tomcat HTTP port. I write a
reflection code to access that even it doesn't work always I don't know why,
sometimes those parameters are empty.

Can someone please tell me how to access the http port or else how can I
know server.xml location from servletContext so that I can directly read
from server.xml but thats not in my application classpath so I cannot load
it from the classpath files.

Appreciate your response !

Lahiru

-- 
System Analyst Programmer
PTI Lab
Indiana University

Re: AW: Securing Tomcat cluster communication

Correct. What we have between nodes in a cluster is a channel. My questions
are related to securing this channel.


On Thu, Oct 6, 2011 at 8:17 PM, Ronald Klop (Mailing List) <
ronald-mailingl...@base.nl> wrote:

> A 'connector' is used between for example Apache httpd and Tomcat. It is
> not used between Tomcat nodes in a cluster.
>
> Ronald.
>
>
> Op donderdag, 6 oktober 2011 16:22 schreef Alexander Diedler <
> adied...@tecracer.de>:
>
>
>>Hello,
>>  Please search for "secret" in
>>  
>> http://tomcat.apache.org/**connectors-doc/reference/**workers.html
>>   Only requests from members with the same secret word will be acceped.
>>  Greetings
>>  Alexander
>>   -Ursprüngliche Nachricht-
>>  Von: Afkham Azeez [mailto:afk...@gmail.com]
>>  Gesendet: Donnerstag, 6. Oktober 2011 16:18
>>  An: Tomcat Users List
>>  Betreff: Securing Tomcat cluster communication
>>  Hi folks,
>>  Is there a way to do authentication in Tribes when new members try to
>> join a
>>  cluster so that unauthorized nodes cannot join in? Also, when clustering
>>  messages are sent back & forth, how do we ensure security?
>>  Thanks
>>  Azeez
>>
>>
>>

Re: AW: Securing Tomcat cluster communication

2011-10-06 Thread Ronald Klop (Mailing List)


A 'connector' is used between for example Apache httpd and Tomcat. It is not 
used between Tomcat nodes in a cluster.

Ronald.


Op donderdag, 6 oktober 2011 16:22 schreef Alexander Diedler 
:


  
 
 Hello,

 Please search for "secret" in
 http://tomcat.apache.org/connectors-doc/reference/workers.html  
 Only requests from members with the same secret word will be acceped.
 
 Greetings

 Alexander
 
 
 -Ursprüngliche Nachricht-

 Von: Afkham Azeez [mailto:afk...@gmail.com]
 Gesendet: Donnerstag, 6. Oktober 2011 16:18
 An: Tomcat Users List
 Betreff: Securing Tomcat cluster communication
 
 Hi folks,

 Is there a way to do authentication in Tribes when new members try to join a
 cluster so that unauthorized nodes cannot join in? Also, when clustering
 messages are sent back & forth, how do we ensure security?
 
 Thanks

 Azeez

Re: Securing Tomcat cluster communication

Thanks Alexander. That would work for authentication. But how could we
achieve confidentiality when it comes to the clustering messages (state
replication etc)?

On Thu, Oct 6, 2011 at 7:52 PM, Alexander Diedler wrote:

> Hello,
> Please search for "secret" in
> http://tomcat.apache.org/connectors-doc/reference/workers.html
> Only requests from members with the same secret word will be acceped.
>
> Greetings
> Alexander
>
>
> -Ursprüngliche Nachricht-
> Von: Afkham Azeez [mailto:afk...@gmail.com]
> Gesendet: Donnerstag, 6. Oktober 2011 16:18
> An: Tomcat Users List
> Betreff: Securing Tomcat cluster communication
>
> Hi folks,
> Is there a way to do authentication in Tribes when new members try to join
> a
> cluster so that unauthorized nodes cannot join in? Also, when clustering
> messages are sent back & forth, how do we ensure security?
>
> Thanks
> Azeez
>

Re: Securing Tomcat cluster communication

I had a look at the Tribes code. Can somebody please explain how
Channel.SEND_OPTIONS_SECURE works?

>From the JavaDoc: SEND_OPTIONS_SECURE - Message is sent over an encrypted
channel

How is this encrypted channel setup? How do we define the keys/keystores
etc?


On Thu, Oct 6, 2011 at 7:47 PM, Afkham Azeez  wrote:

> Hi folks,
> Is there a way to do authentication in Tribes when new members try to join
> a cluster so that unauthorized nodes cannot join in? Also, when clustering
> messages are sent back & forth, how do we ensure security?
>
> Thanks
> Azeez
>
>


-- 
*Afkham Azeez*
Director of Architecture; WSO2, Inc.; http://wso2.com,
*Member; Apache Software Foundation;
**http://www.apache.org/*
*
*
*email: **az...@wso2.com* * cell: +94 77 3320919
blog: **http://blog.afkham.org* *
twitter: **http://twitter.com/afkham_azeez*
*
linked-in: **http://lk.linkedin.com/in/afkhamazeez*
*
*
*Lean . Enterprise . Middleware*
*
*

Re: Detecting a login or logoff event

2011-10-06 Thread Chema

2011/10/6 Martin O'Shea 

>
> Detecting a logoff is easier using the sessionDestroyed method.
>

How do you detect that an user is closing his browser ?

AW: Securing Tomcat cluster communication

Hello,
Please search for "secret" in
http://tomcat.apache.org/connectors-doc/reference/workers.html  
Only requests from members with the same secret word will be acceped.

Greetings
Alexander


-Ursprüngliche Nachricht-
Von: Afkham Azeez [mailto:afk...@gmail.com] 
Gesendet: Donnerstag, 6. Oktober 2011 16:18
An: Tomcat Users List
Betreff: Securing Tomcat cluster communication

Hi folks,
Is there a way to do authentication in Tribes when new members try to join a
cluster so that unauthorized nodes cannot join in? Also, when clustering
messages are sent back & forth, how do we ensure security?

Thanks
Azeez


smime.p7s
Description: S/MIME cryptographic signature

RE: Detecting a login or logoff event

I had thought to use scriptlets.

But I've rigged a filter on the server which tests for the mappings of the few 
protected pages which require logins. It seems to work and update session 
variables which is what I'm after. My issue is that a session may well have 
been created prior to login so using a listener here via sessionCreated may not 
be useful.

Detecting a logoff is easier using the sessionDestroyed method.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 06 Oct 2011 15 05
To: Tomcat Users List
Subject: RE: Detecting a login or logoff event

> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: Detecting a login or logoff event

> I need to be able to intercept a successful authentication of a login 
> / logout request which can then be used to make a series of system 
> updates to record the fact.

> I am thinking about scriptlets in the pages served testing the 
> request's servlet path after login is successful

If the integrity of your information is dependent on actions of the client, you 
have no data integrity.  There's nothing stopping a client from disabling 
scripts, running their own scripts, or doing anything else by accident or 
intent - you cannot control that.  Anything you do for tracking must be done on 
the server side.

You probably can use a filter, but a Listener might be more appropriate.  See 
section 10 of the servlet spec.  (Make sure you're looking at the current spec 
for the Tomcat version you're using; the 2.2 spec you referenced earlier is 
badly out of date.)

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Securing Tomcat cluster communication

Hi folks,
Is there a way to do authentication in Tribes when new members try to join a
cluster so that unauthorized nodes cannot join in? Also, when clustering
messages are sent back & forth, how do we ensure security?

Thanks
Azeez

RE: Detecting a login or logoff event

2011-10-06 Thread Caldarale, Charles R

> From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
> Subject: Detecting a login or logoff event

> I need to be able to intercept a successful authentication of a 
> login / logout request which can then be used to make a series
> of system updates to record the fact.

> I am thinking about scriptlets in the pages served testing the 
> request's servlet path after login is successful

If the integrity of your information is dependent on actions of the client, you 
have no data integrity.  There's nothing stopping a client from disabling 
scripts, running their own scripts, or doing anything else by accident or 
intent - you cannot control that.  Anything you do for tracking must be done on 
the server side.

You probably can use a filter, but a Listener might be more appropriate.  See 
section 10 of the servlet spec.  (Make sure you're looking at the current spec 
for the Tomcat version you're using; the 2.2 spec you referenced earlier is 
badly out of date.)

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

RE: Detecting a login or logoff event

Unfortunately I'm not using spring in my application but thanks anyway.

-Original Message-
From: Chema [mailto:demablo...@gmail.com] 
Sent: 06 Oct 2011 15 02
To: Tomcat Users List
Subject: Re: Detecting a login or logoff event

For logout, you can implement a HttpSessionListener .
It has got a method:

public void sessionDestroyed(HttpSessionEvent se)

It's invoked when http session is invalidated. ( session.invalidated() )

So, you have to invalidate http session when user makes logout ( i.e, user
clicks a logout button and calls a servlet ) To capture when user is closing
the browser , you need use javascript events and throw a call to the server.
Maybe, a filter can be use to capture this event

For login, you can use Spring Security
Maybe for logout too, but I don't know it Or your use your own filters




2011/10/6 Martin O'Shea 

> I need to be able to intercept a successful authentication of a login 
> / logout request which can then be used to make a series of system 
> updates to record the fact.
>
> So, if John Doe has just logged in successfully, an update is made to 
> his session like:
>
> session.setAttribute("loggedIntoSession", true);
>
> Or an update made to the database?
>
> Conversely, upon logout:
>
> session.setAttribute("loggedIntoSession", false);
>
> At the moment, I am thinking about scriptlets in the pages served 
> testing the request's servlet path after login is successful but is a
filter better?
> But if so, what might a filter check for?
>
> -Original Message-
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Sent: 05 Oct 2011 23 06
> To: 'Tomcat Users List'
> Subject: RE: Using multiple login pages
>
> Thanks for this Chris. It is food for thought.
>
> I was under the impression that  was static, because 
> that's how I seen it used in apps I've worked on.
>
> But I am curious to try a filter as well, something like this mapped 
> to the
> login:
>
> public void doFilter(ServletRequest request, ServletResponse response, 
> FilterChain chain) throws java.io.IOException, ServletException {
>
>
>  HttpServletRequest req = (HttpServletRequest)request;
>  HttpServletResponse res = (HttpServletResponse)response;
>
>  // pre login action
>
>  // get username
>  String username = req.getParameter("j_username");
>
>  // if user is in revoked list send error
>  if ( revokeList.contains(username) ) {
>
res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
>  return;
>  }
>
>  // call next filter in the chain : let j_security_check authenticate
>  // user
>  chain.doFilter(request, response);
>
>  // post login action
>
>   }
>
> I wouldn't mind seeing a servlet specified as  if you 
> know of an example.
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 05 Oct 2011 22 08
> To: Tomcat Users List
> Subject: Re: Using multiple login pages
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Martin,
>
> On 10/5/2011 1:59 PM, Martin O'Shea wrote:
> > I have it now. There was a redirection going on in a method called 
> > from a scriptlet in the login page. It now seems to be OK.
>
> Glad you got it going.
>
> > But one thing bugs me still: you said that you can have 'different 
> > login pages for different types of resources you're trying to 
> > reach.' Can you give any pointers about this?
>
> A "page" is defined as whatever the server responds when you request a 
> resource. The  you configure in your web.xml can be
> dynamic: you can do whatever you want in that page. It doesn't have to 
> be a static  that always looks the same. You can 
> include/forward/etc from that page. It doesn't even have to be a JSP.
> You can configure the  to be a servlet that makes 
> decisions and forwards to some other .jsp file.
>
> Use your imagination.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk6MxyEACgkQ9CaO5/Lv0PByHACfZL9ykx3wPGApX1yyzjxYwkQR
> Rf4AoJG5DnnBtbIFYzZsKSLzPJOjJq2j
> =A5GW
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Detecting a login or logoff event

2011-10-06 Thread Chema

For logout, you can implement a HttpSessionListener .
It has got a method:

public void sessionDestroyed(HttpSessionEvent se)

It's invoked when http session is invalidated. ( session.invalidated() )

So, you have to invalidate http session when user makes logout ( i.e, user
clicks a logout button and calls a servlet )
To capture when user is closing the browser , you need use javascript events
and throw a call to the server. Maybe, a filter can be use to capture this
event

For login, you can use Spring Security
Maybe for logout too, but I don't know it
Or your use your own filters




2011/10/6 Martin O'Shea 

> I need to be able to intercept a successful authentication of a login /
> logout request which can then be used to make a series of system updates to
> record the fact.
>
> So, if John Doe has just logged in successfully, an update is made to his
> session like:
>
> session.setAttribute("loggedIntoSession", true);
>
> Or an update made to the database?
>
> Conversely, upon logout:
>
> session.setAttribute("loggedIntoSession", false);
>
> At the moment, I am thinking about scriptlets in the pages served testing
> the request's servlet path after login is successful but is a filter better?
> But if so, what might a filter check for?
>
> -Original Message-
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Sent: 05 Oct 2011 23 06
> To: 'Tomcat Users List'
> Subject: RE: Using multiple login pages
>
> Thanks for this Chris. It is food for thought.
>
> I was under the impression that  was static, because
> that's how I seen it used in apps I've worked on.
>
> But I am curious to try a filter as well, something like this mapped to the
> login:
>
> public void doFilter(ServletRequest request, ServletResponse response,
> FilterChain chain) throws java.io.IOException, ServletException {
>
>
>  HttpServletRequest req = (HttpServletRequest)request;
>  HttpServletResponse res = (HttpServletResponse)response;
>
>  // pre login action
>
>  // get username
>  String username = req.getParameter("j_username");
>
>  // if user is in revoked list send error
>  if ( revokeList.contains(username) ) {
>  res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
>  return;
>  }
>
>  // call next filter in the chain : let j_security_check authenticate
>  // user
>  chain.doFilter(request, response);
>
>  // post login action
>
>   }
>
> I wouldn't mind seeing a servlet specified as  if you know
> of an example.
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 05 Oct 2011 22 08
> To: Tomcat Users List
> Subject: Re: Using multiple login pages
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Martin,
>
> On 10/5/2011 1:59 PM, Martin O'Shea wrote:
> > I have it now. There was a redirection going on in a method called
> > from a scriptlet in the login page. It now seems to be OK.
>
> Glad you got it going.
>
> > But one thing bugs me still: you said that you can have 'different
> > login pages for different types of resources you're trying to
> > reach.' Can you give any pointers about this?
>
> A "page" is defined as whatever the server responds when you request a
> resource. The  you configure in your web.xml can be
> dynamic: you can do whatever you want in that page. It doesn't have to
> be a static  that always looks the same. You can
> include/forward/etc from that page. It doesn't even have to be a JSP.
> You can configure the  to be a servlet that makes
> decisions and forwards to some other .jsp file.
>
> Use your imagination.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk6MxyEACgkQ9CaO5/Lv0PByHACfZL9ykx3wPGApX1yyzjxYwkQR
> Rf4AoJG5DnnBtbIFYzZsKSLzPJOjJq2j
> =A5GW
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: AW: Preferred configuration with Hardware Loadbalancer

2011-10-06 Thread Ronald Klop (Mailing List)


I don't have a crystal ball to look into your setup, but I would remove httpd 
and set up the LB and Tomcat. Less moving parts, so it is easier to think about.

And read this: http://tomcat.apache.org/tomcat-7.0-doc/cluster-howto.html

Ronald.


Op donderdag, 6 oktober 2011 12:43 schreef Alexander Diedler 
:


  
 
 Hello,

 I mean a frontend Apache httpd and backend Tomcat server.
 Loadbalancing would be done by a hardware load balancer fronted to the
 Apache Webserver, so we should not balance the request two times. It should
 be only a Failovercluster.
 
 
 
 Best regards

 Alexander
 
 
 -Ursprüngliche Nachricht-

 Von: Ronald Klop (Mailing List) [mailto:ronald-mailingl...@base.nl]
 Gesendet: Donnerstag, 6. Oktober 2011 10:44
 An: Tomcat Users List
 Betreff: Re: Preferred configuration with Hardware Loadbalancer
 
 What do you mean by Apache Webserver? Do you mean Apache Tomcat or Apache

 httpd?
 
  And do you want Failover (active-passive) or Loadbalancing (active-active)?
 
  Ronald.
 
 
 Op donderdag, 6 oktober 2011 10:36 schreef Alexander Diedler

 :
 >
 >   
 >  
 >  
 >  
 > Hello,  
 >  
 > I am just planning a Application cluster for Tomcat. We have a big

 hardware loadbalancer (Cisco) and three virtual servers. We talked about
 several configurations, but it is not clear for us, how to build a Tomcat
 cluster, with Failover and Session-Replication, but without Loadbalancing?  
 >  
 > E.g. the LB redirect the request to node 1. The Apache Webserver redirects

 the request to node2. So we have a double load-balancing, what ne would
 avoid.  
 >  
 >
 >  
 > Best regards  
 >  
 > Alexander  
 >  
 >
 >  
 >  
 >  
 >  
 >  
 >  
 >

Detecting a login or logoff event

I need to be able to intercept a successful authentication of a login / logout 
request which can then be used to make a series of system updates to record the 
fact.

So, if John Doe has just logged in successfully, an update is made to his 
session like:

session.setAttribute("loggedIntoSession", true);

Or an update made to the database?

Conversely, upon logout:

session.setAttribute("loggedIntoSession", false);

At the moment, I am thinking about scriptlets in the pages served testing the 
request's servlet path after login is successful but is a filter better? But if 
so, what might a filter check for?

-Original Message-
From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
Sent: 05 Oct 2011 23 06
To: 'Tomcat Users List'
Subject: RE: Using multiple login pages

Thanks for this Chris. It is food for thought.

I was under the impression that  was static, because that's 
how I seen it used in apps I've worked on.

But I am curious to try a filter as well, something like this mapped to the 
login:

public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain chain) throws java.io.IOException, ServletException {

  HttpServletRequest req = (HttpServletRequest)request;
  HttpServletResponse res = (HttpServletResponse)response;

  // pre login action

  // get username 
  String username = req.getParameter("j_username");

  // if user is in revoked list send error
  if ( revokeList.contains(username) ) {
  res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
  return;
  }

  // call next filter in the chain : let j_security_check authenticate 
  // user
  chain.doFilter(request, response);

  // post login action

   }

I wouldn't mind seeing a servlet specified as  if you know of 
an example.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 05 Oct 2011 22 08
To: Tomcat Users List
Subject: Re: Using multiple login pages

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Martin,

On 10/5/2011 1:59 PM, Martin O'Shea wrote:
> I have it now. There was a redirection going on in a method called 
> from a scriptlet in the login page. It now seems to be OK.

Glad you got it going.

> But one thing bugs me still: you said that you can have 'different 
> login pages for different types of resources you're trying to
> reach.' Can you give any pointers about this?

A "page" is defined as whatever the server responds when you request a
resource. The  you configure in your web.xml can be
dynamic: you can do whatever you want in that page. It doesn't have to
be a static  that always looks the same. You can
include/forward/etc from that page. It doesn't even have to be a JSP.
You can configure the  to be a servlet that makes
decisions and forwards to some other .jsp file.

Use your imagination.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6MxyEACgkQ9CaO5/Lv0PByHACfZL9ykx3wPGApX1yyzjxYwkQR
Rf4AoJG5DnnBtbIFYzZsKSLzPJOjJq2j
=A5GW
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: ISAPI Redicect - Request Entitiy too large

2011-10-06 Thread André Warnier

Rainer Jung wrote:

On 06.10.2011 10:17, Alexander Diedler wrote:

Yes, that´s it. We changed the size to 12k and everything works fine.
It is a lot tricky, that the default value is not fitting in a default
environment.

Increasing the max_packet_size beyond what is normally needed in most cases, probably
causes some additional memory overhead, which is why the default size is what it is.

Yours is not really a "default environment". I have many servers running within a similar
environment (large company, Windows Domain authentication, IIS/Apache + AJP + Tomcat,
default mod_jk/isapi_redirect settings) which do not experience that problem.

(And some of your clients do not experience it either).
In this particular case, some of your clients experience the problem because (as Chris
pointed out) their particular user-id triggers a very large "Authorization:" header.

This being said, Chris's comment was very informative, because I also did not know that
the user's group membership may be a factor in that header size. That is the kind of
information that may save a lot of time some day. Thanks, Chris.

Thanks to all for your help.

I improved logging in this situation a bit for the next release, e.g.
giving size and name of the failing header and adding a hint for
max_packet_size.

That's a very good idea, because right now, what heppens is that prcisely the header which
causes the problem does not appear in the log, even at the highest log setting.

;-)

The problem is not unusual, so a hint about the likely

cause is appropriate.

See: http://svn.apache.org/viewvc?view=revision&revision=1179533

Will be in 1.2.33.

Thanks.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Using multiple login pages

2011-10-06 Thread Pid

On 05/10/2011 18:51, Martin O'Shea wrote:
> 
> /jsp/index/newjsp.jsp
> 

This is incorrect, it should contain a list of welcome-file elements
which indicated which files can be used as index files, when found in a
directory.

It shouldn't give a full path to a specific file:

 index.jsp
 index.html
 newjsp.jsp

p

signature.asc
Description: OpenPGP digital signature

AW: Preferred configuration with Hardware Loadbalancer

Hello,
I mean a frontend Apache httpd and backend Tomcat server. 
Loadbalancing would be done by a hardware load balancer fronted to the
Apache Webserver, so we should not balance the request two times. It should
be only a Failovercluster.



Best regards
Alexander


-Ursprüngliche Nachricht-
Von: Ronald Klop (Mailing List) [mailto:ronald-mailingl...@base.nl] 
Gesendet: Donnerstag, 6. Oktober 2011 10:44
An: Tomcat Users List
Betreff: Re: Preferred configuration with Hardware Loadbalancer

What do you mean by Apache Webserver? Do you mean Apache Tomcat or Apache
httpd?

 And do you want Failover (active-passive) or Loadbalancing (active-active)?

 Ronald.


Op donderdag, 6 oktober 2011 10:36 schreef Alexander Diedler
:
> 
>   
>  
>  
>  
> Hello,  
>  
> I am just planning a Application cluster for Tomcat. We have a big
hardware loadbalancer (Cisco) and three virtual servers. We talked about
several configurations, but it is not clear for us, how to build a Tomcat
cluster, with Failover and Session-Replication, but without Loadbalancing?  
>  
> E.g. the LB redirect the request to node 1. The Apache Webserver redirects
the request to node2. So we have a double load-balancing, what ne would
avoid.  
>  
>
>  
> Best regards  
>  
> Alexander  
>  
>
>  
>  
>  
>  
>  
>  
> 


smime.p7s
Description: S/MIME cryptographic signature

Re: ISAPI Redicect - Request Entitiy too large

On 06.10.2011 10:17, Alexander Diedler wrote:
> Yes, that´s it. We changed the size to 12k and everything works fine.
> It is a lot tricky, that the default value is not fitting in a default
> environment.
> Thanks to all for your help.

I improved logging in this situation a bit for the next release, e.g.
giving size and name of the failing header and adding a hint for
max_packet_size. The problem is not unusual, so a hint about the likely
cause is appropriate.

See: http://svn.apache.org/viewvc?view=revision&revision=1179533

Will be in 1.2.33.

Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Preferred configuration with Hardware Loadbalancer

2011-10-06 Thread Ronald Klop (Mailing List)


What do you mean by Apache Webserver? Do you mean Apache Tomcat or Apache httpd?

And do you want Failover (active-passive) or Loadbalancing (active-active)?

Ronald.


Op donderdag, 6 oktober 2011 10:36 schreef Alexander Diedler 
:


  
 
 
 
Hello,  
 
I am just planning a Application cluster for Tomcat. We have a big hardware loadbalancer (Cisco) and three virtual servers. We talked about several configurations, but it is not clear for us, how to build a Tomcat cluster, with Failover and Session-Replication, but without Loadbalancing?  
 
E.g. the LB redirect the request to node 1. The Apache Webserver redirects the request to node2. So we have a double load-balancing, what ne would avoid.  
 
   
 
Best regards  
 
Alexander

Preferred configuration with Hardware Loadbalancer

Hello,

I am just planning a Application cluster for Tomcat. We have a big hardware
loadbalancer (Cisco) and three virtual servers. We talked about several
configurations, but it is not clear for us, how to build a Tomcat cluster,
with Failover and Session-Replication, but without Loadbalancing?

E.g. the LB redirect the request to node 1. The Apache Webserver redirects
the request to node2. So we have a double load-balancing, what ne would
avoid.

 

Best regards

Alexander

 



smime.p7s
Description: S/MIME cryptographic signature

RE: Using multiple login pages

Ok. I think, I think I have it now to my satisfaction although much work 
remains.

Thanks Chris and Charles.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 06 Oct 2011 01 45
To: Tomcat Users List
Subject: Re: Using multiple login pages

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Martin,

On 10/5/2011 6:50 PM, Martin O'Shea wrote:
> If I understand you correctly, I think I should have this:
> 
>  FORM 
> Form-Based Authentication Area 
>  /login 
> /jsp/security/protected/error.jsp
>
> 

> 
> 
> But when called I receive a page not found exception. /login maps
> to a servlet I've been using to test my own logging in outside of 
> j_security_check

It's important to understand that the  is the
resource returned when the user tries to access a protected resource
but is not yet authenticated. The  does *not* perform
any authentication itself. It merely requests credentials from the
user (i.e. it contains a  with j_username and j_password fields).

> Should the servlet mapped to /login receive j_username and
> j_password?

No. It should produce a page which contains a login form.

Tomcat will handle the actual processing of j_username/j_password for
you, and then send the user onto the originally-requested page.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6M+fwACgkQ9CaO5/Lv0PCf7QCgiEzUtizqst/nDb0F9qrLeeb8
sbAAn0R85xOID9LtrPCSwIk54uZgssT3
=ssS3
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

AW: AW: ISAPI Redicect - Request Entitiy too large

Yes, that´s it. We changed the size to 12k and everything works fine.
It is a lot tricky, that the default value is not fitting in a default
environment.
Thanks to all for your help.

BR
Alex



-Ursprüngliche Nachricht-
Von: cjder...@gmail.com [mailto:cjder...@gmail.com] Im Auftrag von chris
derham
Gesendet: Mittwoch, 5. Oktober 2011 12:53
An: Tomcat Users List
Betreff: Re: AW: ISAPI Redicect - Request Entitiy too large

Alexander,

If you are using authorisation header, then you are using SPNGEO. This
header encodes the users group membership in the authorisation header. By
default tomcat has an 8k maximum header, whilst users belonging to many
groups can have an authorisation token that can swell to larger than this
size. This explains why you see some people can login and others can't.

Just change the maxHttpHeaderSize to something larger than the default 8k
and you should be set. We used 32k

Chris


smime.p7s
Description: S/MIME cryptographic signature

Web hosting suggestions for Tomcat

2011-10-06 Thread Murat Birben

Hi everyone,

I want to hear your suggestions about web hosts that provide Tomcat and
MySQL. Which one do you prefer to use? Your experiences are more valuable
than the sites offers to me.

Thank you in advance for your answers.

Best,

-- 
Murat BIRBEN

Re: Problem with Tomcat 6.0.33 Session replication

On 05.10.2011 16:41, Tobias Quosigk wrote:
> I'm running 2 servers with Tomcat 6.0.33 and session replication.
>  Tomcat session replication only works with Tomcat starting the first time 
> the server (Windows Server 2008 R2 64-bit) boots.
> 
> When I stop and then start the Tomcat service via Windows Services, session 
> replication will no longer work until the next reboot of that server (the 
> Tomcat service is automatically started on startup).
> 
> Has anybody experienced this before or have any pointers on where to start 
> looking for issues? In the catalina logs, the only indicator I get is:
> 
> INFO: Manager [/cas]: skipping state transfer. No members active in cluster 
> group.

Never used clustering on Windows, but your description sounds like
Windows might do something wrong with multicast registrations.

You could increase the cluster log levels to debug so you will see the
multicast packets between the cluster nodes.

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: ISAPI Redicect - Request Entitiy too large