Re: Using the Apache Tomcat 6.0 SSL Configuration HOW-TO guide, but it is not working
On 19 Oct 2011, at 16:15, ML Harmon wrote:

> I don't see any log file? what would be the log files name?

Please don't top post (see below).

> On Fri, Oct 14, 2011 at 9:55 AM, Konstantin Kolinko wrote:
>
>> 2011/10/14 ML Harmon:
>>>
>>> I don't even know enough about Tomcat to know how to troubleshoot this,
>>> am very new to this.
>>>
>>
>> 1) If you know where your server.xml is, you should know where your
>> log files are as well.
>>
>> There is logs folder that is sibling to conf.

Did you find the logs folder as indicated above? What is in it?

p

>>
>> 2) There are two different implementations of SSL connector
>> (Java-based and OpenSSL-based), that are configured rather
>> differently.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: how to apply fixes for various identified vulnerabilities
> From: Barrera, Maribel [mailto:maribel.barr...@travelport.com]
> Subject: FW: how to apply fixes for various identified vulnerabilities

> We are using Tomcat 4.1.24

Which is over 8.5 years old...

> McAfee has identified several vulnerabilities.

I bet it has.

> How do I build these source codes and replace the classes in the
> tomcat files that are currently installed in the system ?

First off, Tomcat 4 hasn't been supported in years, so there are likely dozens of additional vulnerabilities that will _never_ be fixed in that version. Trying to stay safe on Tomcat 4 is a pointless exercise. You really, really, really need to upgrade to a supported level; since you really, really, really need to upgrade, you might as well move to the current 7.0.x version. There are a few configuration differences between Tomcat 4 and Tomcat 7, so you must read the docs for 7 when setting it up.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
FW: how to apply fixes for various identified vulnerabilities
Hi,

I want to apply the fixes to various identified vulnerabilities. We are using Tomcat 4.1.24, McAfee has identified several vulnerabilities.

When I went to your http://tomcat.apache.org/security-4.html site, I can see the CVE numbers and the fix, however, when I click the fixes, it lets me download the source code.

How do I build these source codes and replace the classes in the tomcat files that are currently installed in the system ?

Maribel W. Barrera
Travelport
Mobile: 1-424-477-4362
Email: maribel.barr...@travelport.com
Re: Fwd: Re: question about inter-webapp communication
Garey Mills wrote:
...

Need some time to think about this, but I agree with Christopher that there should be a simpler way than what you first outlined.

For a start, have you looked at the urlrewrite filter ?
http://urlrewritefilter.googlecode.com/svn/trunk/src/doc/manual/3.2/index.html

(not thinking of it on its own, but it may already provide part of the needed functionality, and since it is a filter, you can stack it with other filters. For one thing, it can match URL patterns with regexp'es, and it can set request attributes in function of such matches. That makes conditional code in another filter easier to write.)
Fwd: Re: question about inter-webapp communication
Christopher -

Thanks for your reply. I am just going to respond to your first question here, because it may be that I need to rethink the whole thing.

/webapp_two is Geoserver, a complex web app that receives requests for geolocated content and returns it in a number of different formats. One of the ways to distinguish content in Geoserver is to create and add content to different 'workspaces', each with its own name. When you request content from Geoserver, the workspace name appears in the query string.

Geoserver only has basic authentication on an object by object level. We are deploying it in a university that has a Centralized Authentication Server, or CAS. CAS has an implementation that can be used in tomcat, and that is realized as a set of filters.

The first problem is that filters have the severe limitation of only allowing one asterisk, making it impossible (as far as I can see) to distinguish URLs on the basis of recognizing a pattern in the query string. So this seems to necessitate recognizing the pattern in code, modifying the URI in some recognizable way (or setting an attribute on the request) and redirecting so that it gets intercepted by the CAS filter(s).

This makes it very difficult to work with Geoserver directly. While the code is available, this is a massive project. On the other hand, I got my scheme to work more or less, but there are problems. I got it to work by instantiating a RequestDispatcher by getNamedDispatcher and finding the servlet name ("dispatcher") in Geoserver's web.xml. However, I find that the content that Geoserver returns embeds a number of URLs that point back to itself. I would have to somehow intercept Geoserver's return in my fronting webapp and rewrite those URLs.

If I bite the bullet and attempt to change Geoserver, there is another difficulty. I am attaching Geoserver's web.xml.

Here also are the CAS filters from my fronting webapp:

    CAS Single Sign Out Filter
    org.jasig.cas.client.session.SingleSignOutFilter

    CAS Authentication Filter
    org.jasig.cas.client.authentication.AuthenticationFilter
    casServerLoginUrl https://auth.berkeley.edu/cas/login
    serverName https://linuxdev.lib.berkeley.edu:8443

    Ticket Validation Filter
    org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
    casServerUrlPrefix https://auth.berkeley.edu/cas
    serverName https://linuxdev.lib.berkeley.edu:8443

    Http Servlet Request Wrapper Filter
    org.jasig.cas.client.util.HttpServletRequestWrapperFilter

    Assertion Thread Local Filter
    org.jasig.cas.client.util.AssertionThreadLocalFilter

    CAS Authentication Filter /PROTECTED/*
    Ticket Validation Filter /PROTECTED/*
    Http Servlet Request Wrapper Filter /PROTECTED/*
    Assertion Thread Local Filter /PROTECTED/*
    CAS Single Sign Out Filter /PROTECTED/*

    org.jasig.cas.client.session.SingleSignOutHttpSessionListener

A major problem is how to integrate these two. If you can tell me, maybe I can attempt to introduce the necessary changes to the Geoserver servlet.

Garey Mills

On 10/19/2011 12:33 PM, Christopher Schultz wrote:
> Garey,
>
> On 10/19/2011 1:56 PM, Garey Mills wrote:
>> I want to use /webapp_one as an authentication front end for
>> /webapp_two, since /webapp_two is a large, complex web app and I
>> want to do authentication filtering on patterns in the query
>> string. My scheme is to analyze the request URL in the body of
>> /webapp_one. If it should be protected, rewrite it by adding a flag
>> into the URI, so that it can be caught by my authentication filter
>> in the web.xml, and redirect it back to /webapp_one. If it does not
>> have to be protected, or if it has been protected by my filter,
>> wrap the request so that it looks like a request to /webapp_two,
>> get a RequestDispatcher from /webapp_two's context, and 'include'
>> the output from /webapp_two in the response from /webapp_one.
>
> That sounds absolutely insane. Can you explain why all this is necessary?
>
>> The problem is that this is not working, and I believe that the
>> problem is in how I am getting /webapp_two's ServletContext, or in
>> how I am referring to the servlet in /webapp_two's context, since I
>> am not seeing any activity from /webapp_two in the logs.
>>
>> Here are the particulars:
>>
>> * I have 'crossContext=true' set in /webapp_one's context
>> * Here is my request wrapper
>>
>> public class MyRequestWrapper extends HttpServletRequestWrapper {
>>     String queryString = null;
>>     String uri = null;
>>     String contextPath = null;
>>     String pathTranslated = null;
>>
>>     public MyRequestWrapper(HttpServletRequest req) { super(req); }
>>
>>     public void setRequestURI(String newUri) { uri = newUri; }
>>     public String getRequestURI() { return uri; }
>
> Since this is a specialized filter, maybe this isn't a big deal, but
> you probably want to call super.getRequestURI() when none has been set.
> Similarly with the other methods.
>
>> public StringBuffer getRequestURL() { StringBuffer
RE: [sidebar] Tomcat configuration under webApp
n828cl wrote:
>
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Subject: Re: [sidebar] Tomcat configuration under webApp
>
>> On 19/10/2011 19:01, Tim Watts wrote:
>> > Don't know how this happens but your replies are coming across as
>> > quoted (i.e. having a "> " line prefix). Makes it very difficult to
>> > follow the thread.
>
>> That is a *good* thing. Unquoted replies make it very difficult to
>> differentiate between who wrote what.
>
> It would be if used properly; unfortunately, Ettore is using it
> improperly, so he's prefixing not only the text being responded to, but
> also his own - the message is largely indecipherable, so I ignore anything
> from him.
>
> - Chuck
>

My fault guys, I apologize! Thanks for your replies.
RE: Force 32-bit installation on 64-bit windows?
> From: David kerber [mailto:dcker...@verizon.net]
> Subject: Re: Force 32-bit installation on 64-bit windows?

> So if I select the 32-bit JRE, it should install the 32-bit service?

Not sure if the installer will ask, but if you make the 32-bit JRE the default, it will use that and select the 32-bit service.

 - Chuck
Re: Force 32-bit installation on 64-bit windows?
On 10/19/2011 3:54 PM, Caldarale, Charles R wrote:
>> From: David kerber [mailto:dcker...@verizon.net]
>> Subject: Force 32-bit installation on 64-bit windows?
>
>> If I use the "32-bit/64-bit bit windows service installer", is there
>> a way of forcing it to do a 32-bit installation when it's installing
>> on 64-bit windows server 2008?
>
> The current Tomcat Windows installers will auto-detect the mode of the
> JRE and install the corresponding service. Note that this affects only
> the service and the APR library; Tomcat itself is pure Java and is
> platform-agnostic.
>
> - Chuck

So if I select the 32-bit JRE, it should install the 32-bit service?

Thanks!
D
RE: Force 32-bit installation on 64-bit windows?
> From: David kerber [mailto:dcker...@verizon.net]
> Subject: Force 32-bit installation on 64-bit windows?

> If I use the "32-bit/64-bit bit windows service installer", is there
> a way of forcing it to do a 32-bit installation when it's installing
> on 64-bit windows server 2008?

The current Tomcat Windows installers will auto-detect the mode of the JRE and install the corresponding service. Note that this affects only the service and the APR library; Tomcat itself is pure Java and is platform-agnostic.

 - Chuck
Force 32-bit installation on 64-bit windows?
If I use the "32-bit/64-bit bit windows service installer", is there a way of forcing it to do a 32-bit installation when it's installing on 64-bit windows server 2008? Or do I need to get the 32-bit windows zip and do it myself?

I've got issues with database connectivity that appear to be related to the 64-bit db drivers, and want to try a 32-bit installation. I am aware that I'll need a 32-bit JRE as well.

Dave
Re: question about inter-webapp communication
Garey,

On 10/19/2011 1:56 PM, Garey Mills wrote:
> I want to use /webapp_one as an authentication front end for
> /webapp_two, since /webapp_two is a large, complex web app and I
> want to do authentication filtering on patterns in the query
> string. My scheme is to analyze the request URL in the body of
> /webapp_one. If it should be protected, rewrite it by adding a flag
> into the URI, so that it can be caught by my authentication filter
> in the web.xml, and redirect it back to /webapp_one. If it does not
> have to be protected, or if it has been protected by my filter,
> wrap the request so that it looks like a request to /webapp_two,
> get a RequestDispatcher from /webapp_two's context, and 'include'
> the output from /webapp_two in the response from /webapp_one.

That sounds absolutely insane. Can you explain why all this is necessary?

> The problem is that this is not working, and I believe that the
> problem is in how I am getting /webapp_two's ServletContext, or in
> how I am referring to the servlet in /webapp_two's context, since I
> am not seeing any activity from /webapp_two in the logs.
>
> Here are the particulars:
>
> * I have 'crossContext=true' set in /webapp_one's context
> * Here is my request wrapper
>
> public class MyRequestWrapper extends HttpServletRequestWrapper {
>     String queryString = null;
>     String uri = null;
>     String contextPath = null;
>     String pathTranslated = null;
>
>     public MyRequestWrapper(HttpServletRequest req) { super(req); }
>
>     public void setRequestURI(String newUri) { uri = newUri; }
>     public String getRequestURI() { return uri; }

Since this is a specialized filter, maybe this isn't a big deal, but you probably want to call super.getRequestURI() when none has been set. Similarly with the other methods.

>     public StringBuffer getRequestURL() {
>
>         StringBuffer sb = new StringBuffer();
>         sb.append(uri + "?" + queryString);

Really?

> * Here is the code I use to create the wrapper
>
> MyRequestWrapper myReq = new MyRequestWrapper(req);
>
> myReq.setRequestURI(req.getRequestURI().replaceFirst("webapp_one", "webapp_two"));
>
> myReq.setContextPath(req.getContextPath().replaceFirst("webapp_one", "webapp_two"));
>
> myReq.setPathTranslated(req.getPathTranslated().replaceFirst("webapp_one", "webapp_two"));
>
> ServletContext twoContext = sc.getContext("/webapp_two");

What do you do with twoContext after this point?

> * In /webapp_two, the url-pattern intercepted is '/*', so this is
> how I am trying to create the RequestDispatcher
>
> RequestDispatcher rd = twoContext.getRequestDispatcher("/");

You want to use getRequestDispatcher() with a real path: I would recommend using the path that you are really trying to reach -- either the modified one (except that you don't want to have the context-path in the path because the RequestDispatcher will already know it's bound to a certain ServletContext) instead of just asking for "/".

Also, I'm not entirely sure what happens to the HttpServletRequest when you get a request dispatcher using a path and then forward an existing request. I suspect that the filters and servlets on the other end see the path you used to fetch the dispatcher, otherwise you could never forward or include content that didn't match the original URI.

> Trying all this out, I see that the RequestDispatcher I am
> creating is not null, but I am not seeing any activity in
> /webapp_two, and the page returned is blank.

Any error messages in the logs?

> Am I making a mistake in referring to the context of /webapp_two,
> or in how I am creating my request wrapper, or in how I am
> referring to the servlet in /webapp_two?

I think things in general are okay (notwithstanding the very strange requirements, here) -- there must be some small detail that is out-of-place. I would try using the desired path when you fetch a RequestDispatcher instead of just using "/".

-chris
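The two suggestions in the reply above (getters that fall back to the wrapped request, and a dispatcher fetched with the context-relative path instead of "/") look like this as an added example. It is not code from the thread or from Tomcat: the class and method names are hypothetical, and it assumes the javax.servlet API is on the classpath and that cross-context access is enabled for the calling webapp.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Added example; CrossContextInclude and RetargetedRequest are hypothetical names. */
public final class CrossContextInclude {

    /** Wrapper whose getters fall back to the wrapped request when no override was set. */
    static final class RetargetedRequest extends HttpServletRequestWrapper {
        private String uri;
        private String contextPath;

        RetargetedRequest(HttpServletRequest req) { super(req); }

        void setRequestURI(String newUri) { uri = newUri; }
        void setContextPath(String cp) { contextPath = cp; }

        @Override
        public String getRequestURI() {
            return uri != null ? uri : super.getRequestURI();
        }

        @Override
        public String getContextPath() {
            return contextPath != null ? contextPath : super.getContextPath();
        }
    }

    /**
     * Includes the output the target context produces for the same context-relative path.
     * sc is the calling webapp's ServletContext; targetContextPath is e.g. "/webapp_two".
     */
    static void include(ServletContext sc, String targetContextPath,
                        HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getContext() returns null when the context does not exist or the
        // container does not permit cross-context access.
        ServletContext target = sc.getContext(targetContextPath);
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "target context unavailable");
            return;
        }

        // Path relative to the context root: the caller's context path is stripped
        // because the dispatcher is already bound to the target context.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (path.isEmpty()) {
            path = "/";
        }

        RequestDispatcher rd = target.getRequestDispatcher(path);
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        RetargetedRequest wrapped = new RetargetedRequest(req);
        wrapped.setContextPath(targetContextPath);
        wrapped.setRequestURI(targetContextPath + path);
        rd.include(wrapped, resp);
    }
}
```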
Re: Tomcat configuration under webApp
Ettore,

On 10/19/2011 1:21 PM, ettoregia wrote:
>> So... why can't you use the manager webapp to deploy your WAR?
>
> Well because I've no permission to access the manager webApp since
> there are other applications under the container that I don't own.
>

So, your IT department will give you access to neither the deployment directory, nor the conf/ directory for deployment, nor will they give you access to the manager app to deploy webapps?

Sounds like your IT department doesn't want you to deploy webapps. Maybe you should discuss this with them.

> Btw do you understand why I have server.xml and the others
> mentioned before under Tomcat/webApps/myWebApp/conf/, aren't they
> files that should just be stored under Tomcat/conf ??

Your layout seems ... non-standard. Perhaps /Tomcat/webApps/myWebApp is supposed to be a CATALINA_BASE for multi-instance Tomcat use. This is what Tim suggested, yesterday.

You said you were going to ask your IT dept... did you do that, yet? Only they can tell you what's going on.

-chris
Re: [sidebar] Tomcat configuration under webApp
On 19/10/2011 19:06, Caldarale, Charles R wrote:
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Subject: Re: [sidebar] Tomcat configuration under webApp
>
>> On 19/10/2011 19:01, Tim Watts wrote:
>>> Don't know how this happens but your replies are coming across
>>> as quoted (i.e. having a "> " line prefix). Makes it very
>>> difficult to follow the thread.
>
>> That is a *good* thing. Unquoted replies make it very difficult to
>> differentiate between who wrote what.
>
> It would be if used properly; unfortunately, Ettore is using it
> improperly, so he's prefixing not only the text being responded to,
> but also his own - the message is largely indecipherable, so I ignore
> anything from him.

Ah. That makes sense. Sorry for the noise.

Mark
Re: combination of RemoteAddrValve und basic authentication
Remon,

On 10/19/2011 12:23 PM, Remon Sadikni wrote:
> Hi Chris,
>>
>> If you overrode the process() method (and I'm sure you changed
>> other things, too, since the variable "allows" is not part of
>> RequestFilterValve), then you really aren't getting anything by
>> extending RequestFilterValve.
>
> but "allows" is part of RequestFilterValve.

Not in the current trunk. Your code expects the "allows" variable to be of type String[], and no such variable exists in RequestFilterValve.

> I only extended this class. I took the same invoke() method as
> RequestAddrValve, so that I get the IP-address of the user:
>
> public void invoke(Request request, Response response) throws
>         IOException, ServletException {
>     process(request.getRequest().getRemoteAddr(), request, response);
> }
>
> and overwrote the process method to react on this IP address.

Right: the point of the RequestFilterValve is that you don't have to override the process() method. Overriding it kind of defeats the purpose of the class, because it really doesn't have any other methods other than the accessors and mutators for the 'deny' and 'allow' properties.

-chris
RE: [sidebar] Tomcat configuration under webApp
> From: Mark Thomas [mailto:ma...@apache.org]
> Subject: Re: [sidebar] Tomcat configuration under webApp

> On 19/10/2011 19:01, Tim Watts wrote:
> > Don't know how this happens but your replies are coming across as
> > quoted (i.e. having a "> " line prefix). Makes it very difficult to
> > follow the thread.

> That is a *good* thing. Unquoted replies make it very difficult to
> differentiate between who wrote what.

It would be if used properly; unfortunately, Ettore is using it improperly, so he's prefixing not only the text being responded to, but also his own - the message is largely indecipherable, so I ignore anything from him.

 - Chuck
Re: [sidebar] Tomcat configuration under webApp
On 19/10/2011 19:01, Tim Watts wrote:
> Don't know how this happens but your replies are coming across as
> quoted (i.e. having a "> " line prefix). Makes it very difficult to
> follow the thread.

That is a *good* thing. Unquoted replies make it very difficult to differentiate between who wrote what.

Mark
Re: [sidebar] Tomcat configuration under webApp
Don't know how this happens but your replies are coming across as quoted (i.e. having a "> " line prefix). Makes it very difficult to follow the thread. On Wed, 2011-10-19 at 10:21 -0700, ettoregia wrote: > > > Christopher Schultz-2 wrote: > > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA1 > > > > Ettore, > > > > On 10/19/2011 3:38 AM, ettoregia wrote: > >> SERVER.XML-- >> version='1.0' encoding='utf-8'?> >> port="1${tomcat.server.port}" shutdown="SHUTDOWN"> > > > > Just to let you know, I'm trying to figure out something out of what has > > been done by someone else, that is, sometimes I don't know why those > > things are there. > > > > You might want to consider using two different properties for the > > shutdown and connector ports: port 1xxx might not be available all the > > time, and you might want to configure it explicitly and independently > > of tomcat.server.port. > > > > OK > > > >> >> auth="Container" type="org.apache.catalina.UserDatabase" > >> description="User database that can be updated and saved" > >> > >> factory="org.apache.catalina.users.MemoryUserDatabaseFactory" > >> pathname="conf/tomcat-users.xml" /> > > > > You should remove that if you're not using it. > > > > > > > >> >> protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" > >> /> > >> > >> > >> > >> >> connectionURL="ldap://pinot-nero.energiaspa.it:389"; > >> alternateURL="ldap://pinot-grigio.energiaspa.it:389"; > >> connectionName="ENERGIASPA\ldapbrowser" > >> connectionPassword="drc4Fv9CGqIzWewX9nO3" > > > > Whoops. Time to change your password. 
> > You're def right, even if those tools are inside the intranet and the pwd > > are old ones, but still...thanks > > > >> >> autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"> > >> > >> >> docBase="${catalina.home}/webapps/probe" privileged="true" > >> antiResourceLocking="false" antiJARLocking="false"> > > > > A Host with appBase="webapps" and a with a docBase in > > "webapps" will result in Lambda Probe (time to upgrade to Psi Probe!) > > being deployed twice. (Unless you are using CATALINA_HOME and > > CATALINA_BASE, in which case, you should be okay with this). > > > > Okay, I don't see any reason why you couldn't have everything > > contained in your webapp: either you use the specified at the > > level and don't need to specify it in your > > META-INF/context.xml or you use a different Realm and *do* need to > > specify it in your META-INF/context.xml. > > > > So... why can't you use the manager webapp to deploy your WAR? > > > > Well because I've no permission to access the manager webApp since there > > are other applications under the container that I don't own. > > > > Btw dou you understand why I have server.xml and the others mentioned > > before under Tomcat/webApps/myWebApp/conf/, aren't they files that should > > just be stored under Tomcat/conf ?? > > > > Thanks a lot for your time, really apprecciate! > > > > - -chris > > -BEGIN PGP SIGNATURE- > > Version: GnuPG v1.4.10 (MingW32) > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > > > iEYEARECAAYFAk6e3+oACgkQ9CaO5/Lv0PAxNwCgn6tBSZDtt8Bu04dXNOZL+2eN > > pZQAn289rvJm5fkETltiDMfsfY80KmvQ > > =9Mkp > > -END PGP SIGNATURE- > > > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
question about inter-webapp communication
Hello -

Tomcat 7.0.8 on RHEL6. I have two webapps, one accessed at /webapp_one and one at /webapp_two. My question has to do with how to include output from /webapp_two in the output of /webapp_one.

I want to use /webapp_one as an authentication front end for /webapp_two, since /webapp_two is a large, complex web app and I want to do authentication filtering on patterns in the query string.

My scheme is to analyze the request URL in the body of /webapp_one. If it should be protected, rewrite it by adding a flag into the URI, so that it can be caught by my authentication filter in the web.xml, and redirect it back to /webapp_one. If it does not have to be protected, or if it has been protected by my filter, wrap the request so that it looks like a request to /webapp_two, get a RequestDispatcher from /webapp_two's context, and 'include' the output from /webapp_two in the response from /webapp_one.

The problem is that this is not working, and I believe that the problem is in how I am getting /webapp_two's ServletContext, or in how I am referring to the servlet in /webapp_two's context, since I am not seeing any activity from /webapp_two in the logs.

Here are the particulars:

* I have 'crossContext=true' set in /webapp_one's context

* Here is my request wrapper

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;

    public class MyRequestWrapper extends HttpServletRequestWrapper {
        // Overrides; each stays null until its setter is called.
        String queryString = null;
        String uri = null;
        String contextPath = null;
        String pathTranslated = null;

        public MyRequestWrapper(HttpServletRequest req) {
            super(req);
        }

        public void setRequestURI(String newUri) {
            uri = newUri;
        }

        public String getRequestURI() {
            return uri;
        }

        public void setContextPath(String cp) {
            contextPath = cp;
        }

        public String getContextPath() {
            return contextPath;
        }

        public void setPathTranslated(String pt) {
            pathTranslated = pt;
        }

        public String getPathTranslated() {
            return pathTranslated;
        }

        public StringBuffer getRequestURL() {
            StringBuffer sb = new StringBuffer();
            sb.append(uri + "?" + queryString);
            return sb;
        }
    }

* Here is the code I use to create the wrapper

    MyRequestWrapper myReq = new MyRequestWrapper(req);
    myReq.setRequestURI(req.getRequestURI().replaceFirst("webapp_one", "webapp_two"));
    myReq.setContextPath(req.getContextPath().replaceFirst("webapp_one", "webapp_two"));
    myReq.setPathTranslated(req.getPathTranslated().replaceFirst("webapp_one", "webapp_two"));
    ServletContext twoContext = sc.getContext("/webapp_two");

* In /webapp_two, the url-pattern intercepted is '/*', so this is how I am trying to create the RequestDispatcher

    RequestDispatcher rd = twoContext.getRequestDispatcher("/");

Trying all this out, I see that the RequestDispatcher I am creating is not null, but I am not seeing any activity in /webapp_two, and the page returned is blank.

Am I making a mistake in referring to the context of /webapp_two, or in how I am creating my request wrapper, or in how I am referring to the servlet in /webapp_two?

Garey Mills
Library Systems Office
UC Berkeley
Re: WebApp access to a LAN share
Hello again.

@awarnier and others. It worked! Thanks.

I just want to add that I had to install the "smbfs" package to be able to mount Windows shares:

> apt-get install smbfs

Best regards,
-- Léa
Re: Tomcat configuration under webApp
Christopher Schultz-2 wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Ettore, > > On 10/19/2011 3:38 AM, ettoregia wrote: >> SERVER.XML-- > version='1.0' encoding='utf-8'?> > port="1${tomcat.server.port}" shutdown="SHUTDOWN"> > > Just to let you know, I'm trying to figure out something out of what has > been done by someone else, that is, sometimes I don't know why those > things are there. > > You might want to consider using two different properties for the > shutdown and connector ports: port 1xxx might not be available all the > time, and you might want to configure it explicitly and independently > of tomcat.server.port. > > OK > >> > auth="Container" type="org.apache.catalina.UserDatabase" >> description="User database that can be updated and saved" >> >> factory="org.apache.catalina.users.MemoryUserDatabaseFactory" >> pathname="conf/tomcat-users.xml" /> > > You should remove that if you're not using it. > > > >> > protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" >> /> >> >> >> >> > connectionURL="ldap://pinot-nero.energiaspa.it:389"; >> alternateURL="ldap://pinot-grigio.energiaspa.it:389"; >> connectionName="ENERGIASPA\ldapbrowser" >> connectionPassword="drc4Fv9CGqIzWewX9nO3" > > Whoops. Time to change your password. > You're def right, even if those tools are inside the intranet and the pwd > are old ones, but still...thanks > >> > autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"> >> >> > docBase="${catalina.home}/webapps/probe" privileged="true" >> antiResourceLocking="false" antiJARLocking="false"> > > A Host with appBase="webapps" and a with a docBase in > "webapps" will result in Lambda Probe (time to upgrade to Psi Probe!) > being deployed twice. (Unless you are using CATALINA_HOME and > CATALINA_BASE, in which case, you should be okay with this). 
>
> Okay, I don't see any reason why you couldn't have everything
> contained in your webapp: either you use the specified at the
> level and don't need to specify it in your
> META-INF/context.xml or you use a different Realm and *do* need to
> specify it in your META-INF/context.xml.
>
> So... why can't you use the manager webapp to deploy your WAR?
>
> Well because I've no permission to access the manager webApp since there
> are other applications under the container that I don't own.
>
> Btw do you understand why I have server.xml and the others mentioned
> before under Tomcat/webApps/myWebApp/conf/, aren't they files that should
> just be stored under Tomcat/conf ??
>
> Thanks a lot for your time, really appreciate!
>
> -chris

View this message in context: http://old.nabble.com/Tomcat-configuration-under-webApp-tp32675490p32683725.html
Re: combination of RemoteAddrValve und basic authentication
Hi Chris,

> If you overrode the process() method (and I'm sure you changed other
> things, too, since the variable "allows" is not part of
> RequestFilterValve), then you really aren't getting anything by
> extending RequestFilterValve.

but "allows" is part of RequestFilterValve. I only extended this class. I took the same invoke() method as RequestAddrValve, so that I get the IP-address of the user:

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        process(request.getRequest().getRemoteAddr(), request, response);
    }

and overwrote the process method to react on this IP address.

> Note that there has been some grumbling on the list about the use of
> Matcher.matches() instead of Matcher.lookingAt(): you might want to
> consider your requirements before choosing one over the other: most
> regular expression folks will expect the behavior of lookingAt and not
> matches().

I will look at it.

> Hey, that's an idea: I didn't think of just shoving the principal into
> the request. Just be aware that you will do this on every request,
> because Tomcat isn't storing the Principal anywhere to maintain the
> "login".

That's ok for me.

Regards,
Remon
Re: Using the Apache Tomcat 6.0 SSL Configuration HOW-TO guide, but it is not working
I don't see any log file? what would be the log files name? On Fri, Oct 14, 2011 at 9:55 AM, Konstantin Kolinko wrote: > 2011/10/14 ML Harmon : > > > > I don't even know enough about Tomcat to know how to troubleshoot this, > am > > very new to this. > > > > 1) If you know where your server.xml is, you should know where your > log files are as well. > > There is logs folder that is sibling to conf. > > 2) There are two different implementations of SSL connector > (Java-based and OpenSSL-based), that are configured rather > differently. > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
RE: TOMCAT_BASE and TOMCAT_HOME
> There was a change in 6.0.21 (6.0.24 - released 2010-01-21) that now a > Tomcat instance looks both into $CATALINA_BASE\lib and > $CATALINA_HOME\lib for libraries. > Ahh! This makes it clear. So, for 5.5 and early 6.0, if you wanted to add anything to these lib directories, and you didn't want that addition to affect all of the tomcat instances running off of the same CATALINA_HOME, then you were obliged to copy the entire set of lib directories to your CATALINA_HOME. Then, the instance would use, and only use, the CATALINA_HOME lib directories. This all or nothing approach requires wholesale copying. In fact, then, I was misreading the section of the book. And after the later 6.0.x revisions, you can override at a finer granularity and, thus, avoid having to copy the entire things over. Thanks so much! - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: can't set tomcat to use log4j for its internal logging
On Wed, Oct 19, 2011 at 4:46 PM, Konstantin Kolinko wrote: > 2011/10/19 Silvia Righini : > > Hi everyone, > > > > I'm trying to tell tomcat to use log4j for its internal logging, but it > just > > ignores me.. > > I have Tomcat 6.0.33 running on a Mac OS X 10.5.8 (with java openjdk > version > > "1.6.0-internal"). > > > > I followed to the letter the docs at > > http://tomcat.apache.org/tomcat-6.0-doc/logging.html#Using_Log4j > > I put log4j.properties (copy and paste right from the docs) in > > /usr/local/tomcat/lib, got log4j-1.2.16.jar in /usr/local/tomcat/lib, and > > put tomcat-juli-adapters.jar and (new) tomcat-juli.jar in > > /usr/local/tomcat/bin. > > IIRC, adapters should go into lib. They wouldn't be found if they are in > bin. > > You are SO right! I read the docs over and over and didn't notice tomcat-juli.jar had to be in bin, while the adapter had to be in lib! Thank you so much, you saved my day!
Re: can't set tomcat to use log4j for its internal logging
2011/10/19 Silvia Righini : > Hi everyone, > > I'm trying to tell tomcat to use log4j for its internal logging, but it just > ignores me.. > I have Tomcat 6.0.33 running on a Mac OS X 10.5.8 (with java openjdk version > "1.6.0-internal"). > > I followed to the letter the docs at > http://tomcat.apache.org/tomcat-6.0-doc/logging.html#Using_Log4j > I put log4j.properties (copy and paste right from the docs) in > /usr/local/tomcat/lib, got log4j-1.2.16.jar in /usr/local/tomcat/lib, and > put tomcat-juli-adapters.jar and (new) tomcat-juli.jar in > /usr/local/tomcat/bin. IIRC, adapters should go into lib. They wouldn't be found if they are in bin. > I deleted logging.properties. As I start tomcat (through startup.sh) it > tells me $CATALINA_HOME and $CATALINA_BASE are both set to > /usr/local/tomcat, so I just skipped point 5 of the docs. > > At this point, Tomcat just logs to catalina.out. > Whatever i put in log4j.properties just gets ignored (i changed the > conversion pattern, and the file name of the log files and restarted tomcat, > but no change.. tomcat logs as it always did.. and to catalina.out alone > now). > > I added -Dlog4j.debug to $JAVA_OPTS in catalina.sh, but i don't get any > output from it. I have a project on Tomcat that gets correctly deployed and > uses log4j (with its own log4j.properties in its war/classes), and for this > project i can see the result of -Dlog4j.debug, but nothing regarding Tomcat > itself. > > This issue is driving me crazy, any hint is appreciated! :) > Thanks > > Silvia > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
can't set tomcat to use log4j for its internal logging
Hi everyone, I'm trying to tell tomcat to use log4j for its internal logging, but it just ignores me.. I have Tomcat 6.0.33 running on a Mac OS X 10.5.8 (with java openjdk version "1.6.0-internal"). I followed to the letter the docs at http://tomcat.apache.org/tomcat-6.0-doc/logging.html#Using_Log4j I put log4j.properties (copy and paste right from the docs) in /usr/local/tomcat/lib, got log4j-1.2.16.jar in /usr/local/tomcat/lib, and put tomcat-juli-adapters.jar and (new) tomcat-juli.jar in /usr/local/tomcat/bin. I deleted logging.properties. As I start tomcat (through startup.sh) it tells me $CATALINA_HOME and $CATALINA_BASE are both set to /usr/local/tomcat, so I just skipped point 5 of the docs. At this point, Tomcat just logs to catalina.out. Whatever i put in log4j.properties just gets ignored (i changed the conversion pattern, and the file name of the log files and restarted tomcat, but no change.. tomcat logs as it always did.. and to catalina.out alone now). I added -Dlog4j.debug to $JAVA_OPTS in catalina.sh, but i don't get any output from it. I have a project on Tomcat that gets correctly deployed and uses log4j (with its own log4j.properties in its war/classes), and for this project i can see the result of -Dlog4j.debug, but nothing regarding Tomcat itself. This issue is driving me crazy, any hint is appreciated! :) Thanks Silvia
Re: Tomcat configuration under webApp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Ettore, On 10/19/2011 3:38 AM, ettoregia wrote: > SERVER.XML-- version='1.0' encoding='utf-8'?> port="1${tomcat.server.port}" shutdown="SHUTDOWN"> You might want to consider using two different properties for the shutdown and connector ports: port 1xxx might not be available all the time, and you might want to configure it explicitly and independently of tomcat.server.port. > auth="Container" type="org.apache.catalina.UserDatabase" > description="User database that can be updated and saved" > > factory="org.apache.catalina.users.MemoryUserDatabaseFactory" > pathname="conf/tomcat-users.xml" /> You should remove that if you're not using it. > protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" > /> > > > > connectionURL="ldap://pinot-nero.energiaspa.it:389"; > alternateURL="ldap://pinot-grigio.energiaspa.it:389"; > connectionName="ENERGIASPA\ldapbrowser" > connectionPassword="drc4Fv9CGqIzWewX9nO3" Whoops. Time to change your password. > autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"> > > docBase="${catalina.home}/webapps/probe" privileged="true" > antiResourceLocking="false" antiJARLocking="false"> A Host with appBase="webapps" and a with a docBase in "webapps" will result in Lambda Probe (time to upgrade to Psi Probe!) being deployed twice. (Unless you are using CATALINA_HOME and CATALINA_BASE, in which case, you should be okay with this). Okay, I don't see any reason why you couldn't have everything contained in your webapp: either you use the specified at the level and don't need to specify it in your META-INF/context.xml or you use a different Realm and *do* need to specify it in your META-INF/context.xml. So... why can't you use the manager webapp to deploy your WAR? 
-chris
Re: Reuse mod ajp proxy connections
André,

On 10/19/2011 3:21 AM, André Warnier wrote:
> Next question :
>
>> ProxyPassMatch ^/(.*) ajp://localhost:8009/$1
>
> If you are forwarding *everything* to Tomcat anyway, then why do
> you have an Apache httpd in front ? why not just set up Tomcat to
> listen on port 80 and avoid the complication ?

This could just be in a single , etc. But I agree: don't use https unless you really need it.

-chris
Re: Reuse mod ajp proxy connections
Dimitar,

On 10/18/2011 10:50 PM, Dimitar Georgievski wrote:
>> SetEnv force-proxy-request-1.0 1
>> SetEnv proxy-nokeepalive 1
> This setting should control the mod_http_proxy connections. I
> forgot to mention this Apache server does that.

My reading suggests that it controls mod_proxy, which should be the same for all mod_proxy_*. The documentation for mod_proxy_ajp is woefully slim. Sure, you can learn all about the AJP protocol, just not how to configure the proxy in httpd.conf :(

> I'll definitely take out these settings, because the http proxy
> connections should also be persistent.

Okay. Did it work? Seems like a simple test to make.

> Regarding the upgrade of the Tomcat server we might not be able to
> do that. The application hosted by Tomcat has dependency on the
> Tomcat 5.5.x version which limits our options. I'll need to
> determine yet which version would be compliant with our
> application.

If you have dependencies on Tomcat code, it's best to replace those with standards-compliant code. Maybe we could help with that kind of thing.

As for 5.5 -> 6.0 -> 7.0 upgrades, I have recently done that exact thing and have had no problems whatsoever. Tomcat *should* be backward-compatible with previous releases, but there are some gotchas to be found when the TC code has become more spec-compliant or more cranky about certain bad configurations that it used to allow. As with any upgrade, always read the release notes / changelog carefully.

> I am also considering to install Apache Portable Runtime to
> improve connectors performance and determine its effects on the
> persistence of the proxy connections. What do you think?

If you expect high concurrency, try using the NIO connector(s): they should scale better and have the advantage of being all Java, so you have less risk of crashing your JVM if something goes wrong (though the APR AJP connector /is/ pretty rock-solid).
-chris
Re: combination of RemoteAddrValve und basic authentication
Remon,

On 10/19/2011 7:57 AM, Remon Sadikni wrote:
> I managed to get it working. If you are interested in my solution
> for Tomcat 6: I extended the Valve RequestFilterValve and overwrote
> the method process with this content:
>
> // Check the allow patterns
> for (int i = 0; i < allows.length; i++) {
>     if (allows[i].matcher(property).matches()) {
>         // create a principal for an existing fake user
>         final List roles = new ArrayList();
>         roles.add("ROLE");
>         final Principal principal = new GenericPrincipal(null, "USER", "PASS", roles);
>         // set the principal in this request
>         request.setUserPrincipal(principal);
>     }
> }
> // pass this request to the next valve (basic authentication)
> getNext().invoke(request, response);
> return;

If you overrode the process() method (and I'm sure you changed other things, too, since the variable "allows" is not part of RequestFilterValve), then you really aren't getting anything by extending RequestFilterValve.

Note that there has been some grumbling on the list about the use of Matcher.matches() instead of Matcher.lookingAt(): you might want to consider your requirements before choosing one over the other: most regular expression folks will expect the behavior of lookingAt and not matches().

> If the User has an allowed IP address, the UserPrincipal will be
> set in this request, so that the next valve (the Basic
> Authentication) will not show the login window. If the User has
> another IP address, the request will be forwarded to the next valve
> without any changes, so that you need to log in.

Hey, that's an idea: I didn't think of just shoving the principal into the request. Just be aware that you will do this on every request, because Tomcat isn't storing the Principal anywhere to maintain the "login".

> At first I tried solving it with RequestWrappers and changing
> Headers, but that failed, because the Basic Authentication Method
> tests for the UserPrincipal.
It should be doing both, but the Principal is more efficient because you don't have to use a "real" user that can be authenticated using the webapp's Realm.

-chris
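Added example (not code from this thread or from Tomcat): the valve discussed above sets a principal whenever an allow pattern matches the client address, so the choice between Matcher.matches() and Matcher.lookingAt() decides which addresses skip the login window. The class name, the two patterns and the addresses are constructed for illustration.

```java
import java.util.regex.Pattern;

/**
 * Compares Matcher.matches() with Matcher.lookingAt() over the same
 * address allow list. Patterns and addresses are constructed samples,
 * not values taken from the thread.
 */
public class AllowPatternCheck {

    // Constructed allow list: one single host and one /24-style range.
    static final Pattern[] ALLOWS = {
        Pattern.compile("192\\.168\\.1\\.1"),
        Pattern.compile("10\\.0\\.0\\.\\d{1,3}"),
    };

    /** Whole-string match: the address must be exactly what a pattern describes. */
    static boolean allowedByMatches(String addr) {
        for (Pattern p : ALLOWS) {
            if (p.matcher(addr).matches()) {
                return true;
            }
        }
        return false;
    }

    /** Prefix match: anchored at the start only, trailing characters are ignored. */
    static boolean allowedByLookingAt(String addr) {
        for (Pattern p : ALLOWS) {
            if (p.matcher(addr).lookingAt()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed client addresses, as request.getRemoteAddr() would return them.
        String[] addrs = {
            "192.168.1.1",   // the single host the first pattern is meant for
            "192.168.1.10",  // a different host that shares the same prefix
            "192.168.1.199", // another host that shares the same prefix
            "10.0.0.7",      // inside the range the second pattern is meant for
            "110.0.0.7",     // differs at the first character
            "192.168.11.1",  // differs in the third octet
        };

        System.out.printf("%-16s %-9s %-11s%n", "address", "matches", "lookingAt");
        for (String addr : addrs) {
            boolean full = allowedByMatches(addr);
            boolean prefix = allowedByLookingAt(addr);
            // Flag every address that only the prefix match lets through.
            String note = (prefix && !full) ? "  <- admitted only by the prefix match" : "";
            System.out.printf("%-16s %-9b %-11b%s%n", addr, full, prefix, note);
        }
    }
}
```

With lookingAt(), a pattern meant for a single address needs an explicit end anchor (`$`) to stay limited to that address; with matches() the whole-string requirement is implicit.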
Re: tomcat not starting after certificate installation
Noura Shaaban wrote:
> Hi
> we have tomcat 5.5 on solaris 5.10
> since Verisign certificate has expired,we ordered a new certificate and added the new one in cacerts
> when restarting tomcat,it gives the response "started successfully"
> but in browser(all browsers),we have "Page can not be displayed"

Surely, there is a bit more information, such as a HTTP status code 4xx or 5xx. What is it exactly ?
(Note: if the browser is IE, disable the "friendly error messages").

> what could be the problem?I don't know which log file to check,there are so many...

There may be many, but they are probably time-stamped. Just check the latest modified ones.

> Could it be that the new certificate is 128-bit encryption?

I'm not an SSL specialist, but do I not remember a very recent issue on this list, about the ordering of certificates in the file ? Browse the list of the last two weeks, I'm quite sure it's there.
tomcat not starting after certificate installation
Hi
we have tomcat 5.5 on solaris 5.10
since Verisign certificate has expired,we ordered a new certificate and added the new one in cacerts
when restarting tomcat,it gives the response "started successfully"
but in browser(all browsers),we have "Page can not be displayed"

what could be the problem?I don't know which log file to check,there are so many...
Could it be that the new certificate is 128-bit encryption?

thanks
Re: combination of RemoteAddrValve und basic authentication
Hi André, hi Christopher,

The use of HTTP BASIC authentication confuses things here because of the credential transfer mechanism (HTTP headers). I suppose you could write a Valve that sniffs the user's IP address and then adds HTTP headers to the request for the "Authentication" header to essentially force a login. You'll have to decide what the user's Principal will need to look like (because Tomcat will actually try to /verify/ the fake-user's credentials and maintain a "login" for them, running proper authorization checks, etc.) in order to actually work.

I managed to get it working. If you are interested in my solution for Tomcat 6: I extended the Valve RequestFilterValve and overwrote the method process with this content:

    // Check the allow patterns
    for (int i = 0; i < allows.length; i++) {
        if (allows[i].matcher(property).matches()) {
            // create a principal for an existing fake user
            final List roles = new ArrayList();
            roles.add("ROLE");
            final Principal principal = new GenericPrincipal(null, "USER", "PASS", roles);
            // set the principal in this request
            request.setUserPrincipal(principal);
        }
    }
    // pass this request to the next valve (basic authentication)
    getNext().invoke(request, response);
    return;

If the User has an allowed IP address, the UserPrincipal will be set in this request, so that the next valve (the Basic Authentication) will not show the login window. If the User has another IP address, the request will be forwarded to the next valve without any changes, so that you need to log in.

At first I tried solving it with RequestWrappers and changing Headers, but that failed, because the Basic Authentication Method tests for the UserPrincipal.

Thanks for your help,
Remon
Re: AJP Errors. Apache + Tomcat
Francis GALIEGUE wrote:
> On Wed, Oct 19, 2011 at 11:56, Mikolaj Rydzewski wrote:
>> On Wed, 19 Oct 2011 11:42:36 +0200, Francis GALIEGUE wrote:
>>
>>> Extract from the script (note that the server port is not randomized,
>>> it should probably be):
>>
>> Hi all,
>>
>> Why do you want to go into such deep details, like checking for particular
>> ports to be opened?
>>
>> I have httpd, mod_proxy_ajp and tomcat. mod_proxy will catch running tomcat
>> after some time. It's a matter of proper configuration how long will it
>> take.
>>
>> I guess that we all know tools like Nagios. I prefer to use them to detect
>> problems instead of hacking startup scripts.
>
> Well, this is not an option for me since my sites display a static
> page as long as the webapp is not ready. As the apps I manage take 10
> seconds to start in the best of scenarios, I need to know that tomcat
> is _really_ ready to serve requests.

I think that the point which Mikolaj is making, is that there must be "retry" options in mod_proxy_ajp, which could avoid the kind of issue which the OP mentioned in the first place. I just don't know these options, and they may have additional side effects. That's why I originally suggested a simple wait, and Francis suggested a better way, for the specific issue of the OP.
Re: AJP Errors. Apache + Tomcat
On Wed, Oct 19, 2011 at 11:56, Mikolaj Rydzewski wrote:
> On Wed, 19 Oct 2011 11:42:36 +0200, Francis GALIEGUE wrote:
>
>> Extract from the script (note that the server port is not randomized,
>> it should probably be):
>
> Hi all,
>
> Why do you want to go into such deep details, like checking for particular
> ports to be opened?
>
> I have httpd, mod_proxy_ajp and tomcat. mod_proxy will catch running tomcat
> after some time. It's a matter of proper configuration how long will it
> take.
>
> I guess that we all know tools like Nagios. I prefer to use them to detect
> problems instead of hacking startup scripts.
>

Well, this is not an option for me since my sites display a static page as long as the webapp is not ready. As the apps I manage take 10 seconds to start in the best of scenarios, I need to know that tomcat is _really_ ready to serve requests.

--
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
f...@one2team.com
40 avenue Raymond Poincaré
75116 Paris
Re: AJP Errors. Apache + Tomcat
On Wed, 19 Oct 2011 11:42:36 +0200, Francis GALIEGUE wrote: Extract from the script (note that the server port is not randomized, it should probably be): Hi all, Why do you want to go into such deep details, like checking for particular ports to be opened? I have httpd, mod_proxy_ajp and tomcat. mod_proxy will catch running tomcat after some time. It's a matter of proper configuration how long will it take. I guess that we all know tools like Nagios. I prefer to use them to detect problems instead of hacking startup scripts. -- Mikolaj Rydzewski - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP Errors. Apache + Tomcat
On Wed, Oct 19, 2011 at 11:47, André Warnier wrote: > Francis GALIEGUE wrote: >> >> On Wed, Oct 19, 2011 at 11:42, Francis GALIEGUE wrote: >> [...] >>> >>> lsof -u $TOMCAT_USER -i tcp:8005 &>/dev/null >>> >> >> Sorry, that's a non working version: forget the -u option. But with >> only the -i, it works. >> > > Thanks, very useful. I'll try that. > Actually, I've discovered that there's a -a option... You can do lsof -u $TOMCAT_USER -a -i tcp:8005. -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP Errors. Apache + Tomcat
Francis GALIEGUE wrote: On Wed, Oct 19, 2011 at 11:42, Francis GALIEGUE wrote: [...] lsof -u $TOMCAT_USER -i tcp:8005 &>/dev/null Sorry, that's a non working version: forget the -u option. But with only the -i, it works. Thanks, very useful. I'll try that. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP Errors. Apache + Tomcat
On Wed, Oct 19, 2011 at 11:42, Francis GALIEGUE wrote: [...] > > lsof -u $TOMCAT_USER -i tcp:8005 &>/dev/null > Sorry, that's a non working version: forget the -u option. But with only the -i, it works. -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP Errors. Apache + Tomcat
On Wed, Oct 19, 2011 at 11:27, André Warnier wrote:
> Francis GALIEGUE wrote:
[...]
>
> Yes, that would be more reliable than my 2 seconds above.
> Although if one really wanted to split hairs in 4 parts (lengthwise), one
> could argue that the fact that the port mentioned in is open and
> listening, does not necessarily mean that the port in the AJP Connector is
> open and listening.
>

Actually yes, it does mean that, I have double checked: connectors start to listen before the Server port starts to listen.

> Now just by curiosity, what mechanism do you use exactly to check that the
> port is listening ? (yes, the script lines..)
>

Extract from the script (note that the server port is not randomized, it should probably be):

MAXITERS=120
ITERS=0

while true; do
    ITERS=$((ITERS+1))
    if [ $ITERS -gt $MAXITERS ]; then
        echo
        echo >&2 "BUG: Tomcat not started after $MAXITERS seconds!"
        exit 1
    fi
    lsof -u $TOMCAT_USER -i tcp:8005 &>/dev/null
    if [ "$?" = "0" ]; then
        break
    fi
    echo -n .
    sleep 1
done

echo " Done (in $ITERS seconds)"

--
Francis Galiegue
ONE2TEAM
Ingénieur système
Mob : +33 (0) 683 877 875
Tel : +33 (0) 178 945 552
f...@one2team.com
40 avenue Raymond Poincaré
75116 Paris
Re: AJP Errors. Apache + Tomcat
Francis GALIEGUE wrote:
> On Wed, Oct 19, 2011 at 10:48, André Warnier wrote:
>> Hi.
>>
>> The problem can also be due just to the difference in startup time between
>> Apache httpd and Tomcat. At the time Apache httpd (and its embedded
>> mod_proxy_ajp module) try to contact Tomcat, Tomcat has possibly not yet
>> "opened" its Connector on port 8009, which causes the host to refuse a
>> connection to that port.
>>
>> In my experience anything involving Java tends to take a while to "start the
>> machinery" (it is after all a "java virtual machine").
>> In the practice thus, what we always do in such configurations, is to start
>> Tomcat first (which really means mostly "start the java virtual machine
>> which runs Tomcat")
>> , wait a couple of seconds, and then start the Apache httpd part.
>
> Actually, there is a reliable way of waiting for Tomcat to be fully
> started: wait to see the port specified in open for listening.
> Then you are sure Tomcat is fully loaded. This is what I use and it's
> very reliable.

Yes, that would be more reliable than my 2 seconds above.
Although if one really wanted to split hairs in 4 parts (lengthwise), one could argue that the fact that the port mentioned in is open and listening, does not necessarily mean that the port in the AJP Connector is open and listening.

Now just by curiosity, what mechanism do you use exactly to check that the port is listening ? (yes, the script lines..)
Re: AJP Errors. Apache + Tomcat
On Wed, Oct 19, 2011 at 10:48, André Warnier wrote: > Hi. > > The problem can also be due just to the difference in startup time between > Apache httpd and Tomcat. At the time Apache httpd (and its embedded > mod_proxy_ajp module) try to contact Tomcat, Tomcat has possibly not yet > "opened" its Connector on port 8009, which causes the host to refuse a > connection to that port. > > In my experience anything involving Java tends to take a while to "start the > machinery" (it is after all a "java virtual machine"). > In the practice thus, what we always do in such configurations, is to start > Tomcat first (which really means mostly "start the java virtual machine > which runs Tomcat") > , wait a couple of seconds, and then start the Apache httpd part. > Actually, there is a reliable way of waiting for Tomcat to be fully started: wait to see the port specified in open for listening. Then you are sure Tomcat is fully loaded. This is what I use and it's very reliable. -- Francis Galiegue ONE2TEAM Ingénieur système Mob : +33 (0) 683 877 875 Tel : +33 (0) 178 945 552 f...@one2team.com 40 avenue Raymond Poincaré 75116 Paris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AJP Errors. Apache + Tomcat
Hi.

The problem can also be due just to the difference in startup time between Apache httpd and Tomcat. At the time Apache httpd (and its embedded mod_proxy_ajp module) try to contact Tomcat, Tomcat has possibly not yet "opened" its Connector on port 8009, which causes the host to refuse a connection to that port.

In my experience anything involving Java tends to take a while to "start the machinery" (it is after all a "java virtual machine").
In the practice thus, what we always do in such configurations, is to start Tomcat first (which really means mostly "start the java virtual machine which runs Tomcat"), wait a couple of seconds, and then start the Apache httpd part.

Joe Hansen wrote:
> I uninstalled Tomcat and installed a newer version (6.0.33) and the problem
> disappeared. It is strange because the config files are the same.
>
> On Wed, Oct 19, 2011 at 2:16 AM, wrote:
>
>>> Hi
>>>
>>> I get the following AJP errors when I try to access a webpage after starting
>>> Apache and Tomcat. Both Apache web server and Tomcat start up fine
>>> but I get these errors in Apache logs and I get a 503 Service
>>> Temporarily Unavailable message in the browser. Apparently Tomcat
>>> isn't seeing the request.
>>>
>>> [error] (OS 10061) No connection could be made because the target machine
>>> actively refused it. : proxy: AJP: attempt to connect to
>>> 127.0.0.1:8009(localhost) failed
>>> [error] ap_proxy_connect_backend disabling worker for (localhost)
>>> [error] proxy: AJP: failed to make connection to backend: localhost
>>>
>>> Can you please help me find out where the problem lies.
>>
>> Have you checked the port is listening? (netstat -an) and the firewall
>> permits the connection (telnet localhost 8009)
>>
>> John
>>
>> --
>> /(bb|[^b]{2})/
Re: AJP Errors. Apache + Tomcat
I uninstalled Tomcat and installed a newer version (6.0.33) and the problem disappeared. It is strange because the config files are the same.

On Wed, Oct 19, 2011 at 2:16 AM, wrote:
> > Hi
> >
> > I get the following AJP errors when I try to access a webpage after starting
> > Apache and Tomcat. Both Apache web server and Tomcat start up fine
> > but I get these errors in Apache logs and I get a 503 Service
> > Temporarily Unavailable message in the browser. Apparently Tomcat
> > isn't seeing the request.
> >
> > [error] (OS 10061) No connection could be made because the target machine
> > actively refused it. : proxy: AJP: attempt to connect to
> > 127.0.0.1:8009(localhost) failed
> > [error] ap_proxy_connect_backend disabling worker for (localhost)
> > [error] proxy: AJP: failed to make connection to backend: localhost
> >
> > Can you please help me find out where the problem lies.
> >
>
> Have you checked the port is listening? (netstat -an) and the firewall
> permits the connection (telnet localhost 8009)
>
> John
>
> --
> /(bb|[^b]{2})/
Re: Error while starting tomcat. Failed creating jvm.dll
Thanks for pointing that out, Konstantin. I have now uninstalled Tomcat 6.0.29 and installed 6.0.33 instead and it works flawlessly with the 32-bit JRE. If it weren't for you, I wouldn't have known about it. Thank you very much! :)

Regards,
Joe

On Wed, Oct 19, 2011 at 2:03 AM, Konstantin Kolinko wrote:
> 2011/10/19 Joe Hansen :
> > Thanks for the quick reply, Konstantin!
> >
> > I uninstalled Tomcat, then installed JDK 6 64-bit version and I do not get
> > that error anymore. The problem happened because I was pointing Tomcat to a
> > 32-bit JDK rather than 64-bit one.
>
> Latest versions of 6.0.x installer (6.0.30+) can autoselect 32-bit
> service wrapper if they encounter a 32-bit JRE, but your old 6.0.29
> one cannot.
>
> > I have installed Tomcat 6.0.29 on a machine running Windows 7 Professional
> > (64bit) and JDK 1.5.0_22.
> >
> > When I start Tomcat, I see the following error message in the log file:
> > [206 javajni.c] [error] %1 is not a valid Win32 application.
> > [985 prunsrv.c] [error] Failed creating java C:\Program Files (x86)\Java\jdk1.5.0_22\jre\bin\server\jvm.dll
>
> Best regards,
> Konstantin Kolinko
Re: AJP Errors. Apache + Tomcat
Hi

> I get the following AJP errors when I try to access a webpage after starting
> Apache and Tomcat. Both Apache web server and Tomcat start up fine
> but I get these errors in Apache logs and I get a 503 Service
> Temporarily Unavailable message in the browser. Apparently Tomcat
> isn't seeing the request.
>
> [error] (OS 10061) No connection could be made because the target machine actively refused it. : proxy: AJP: attempt to connect to 127.0.0.1:8009(localhost) failed
> [error] ap_proxy_connect_backend disabling worker for (localhost)
> [error] proxy: AJP: failed to make connection to backend: localhost
>
> Can you please help me find out where the problem lies.

Have you checked the port is listening? (netstat -an) and the firewall permits the connection (telnet localhost 8009)

John

--
/(bb|[^b]{2})/
AJP Errors. Apache + Tomcat
Hi,

I get the following AJP errors when I try to access a webpage after starting Apache and Tomcat. Both Apache web server and Tomcat start up fine but I get these errors in Apache logs and I get a 503 Service Temporarily Unavailable message in the browser. Apparently Tomcat isn't seeing the request.

[error] (OS 10061) No connection could be made because the target machine actively refused it. : proxy: AJP: attempt to connect to 127.0.0.1:8009(localhost) failed
[error] ap_proxy_connect_backend disabling worker for (localhost)
[error] proxy: AJP: failed to make connection to backend: localhost

Can you please help me find out where the problem lies.

Thanks,
Joe

Environment: Apache 2.2, Tomcat 6.0.29, JDK 6, Windows 7 64-bit

/* excerpt from httpd.conf */
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
NameVirtualHost *:80
ServerAdmin a...@gmail.com
ServerName abc.local
ServerAlias www.abc.local
ErrorLog "logs/ajp.error.log"
RewriteEngine on
RewriteCond %{HTTP_HOST} ^abc.local [nc]
RewriteRule ^(.*)$ http://www.abclocal$1 [r=301,L]
AddDefaultCharset Off
Order deny,allow
Allow from all
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/

/* excerpt from tomcat/conf/server.xml */
Re: Error while starting tomcat. Failed creating jvm.dll
2011/10/19 Joe Hansen :
> Thanks for the quick reply, Konstantin!
>
> I uninstalled Tomcat, then installed JDK 6 64-bit version and I do not get
> that error anymore. The problem happened because I was pointing Tomcat to a
> 32-bit JDK rather than 64-bit one.

Latest versions of 6.0.x installer (6.0.30+) can autoselect 32-bit service wrapper if they encounter a 32-bit JRE, but your old 6.0.29 one cannot.

> I have installed Tomcat 6.0.29 on a machine running Windows 7 Professional
> (64bit) and JDK 1.5.0_22.
>
> When I start Tomcat, I see the following error message in the log file:
> [206 javajni.c] [error] %1 is not a valid Win32 application.
> [985 prunsrv.c] [error] Failed creating java C:\Program Files (x86)\Java\jdk1.5.0_22\jre\bin\server\jvm.dll

Best regards,
Konstantin Kolinko
Re: Error while starting tomcat. Failed creating jvm.dll
Thanks for the quick reply, Konstantin!

I uninstalled Tomcat, then installed JDK 6 64-bit version and I do not get that error anymore. The problem happened because I was pointing Tomcat to a 32-bit JDK rather than 64-bit one.

On Wed, Oct 19, 2011 at 12:59 AM, Konstantin Kolinko wrote:
> 2011/10/19 Joe Hansen :
> > Hi,
> >
> > I have installed Tomcat 6.0.29 on a machine running Windows 7 Professional
> > (64bit) and JDK 1.5.0_22.
>
> Why not 6.0.33?
>
> > When I start Tomcat, I see the following error message in the log file:
> > [206 javajni.c] [error] %1 is not a valid Win32 application.
> > [985 prunsrv.c] [error] Failed creating java C:\Program Files (x86)\Java\jdk1.5.0_22\jre\bin\server\jvm.dll
>
> 64-bit service and 32-bit dll?
Re: Tomcat configuration under webApp
Pid * wrote:
>
> On 18/10/2011 23:29, Tim Watts wrote:
>>> Sorry I meant /tomcat/apps/myAppName/conf/ and under conf all the files
>>> mentioned above
>> That is a strange layout. Is it possible that the IT people are running
>> each webapp in a separate JVM and pointing CATALINA_BASE
>> to /tomcat/apps/appName ?
>
> That makes sense actually, I'll ask the IT if that's what they do.
>
> What is in the server.xml file?
>
> Question still stands...
>
> p
>

SERVER.XML--

>SSLEngine="on" />
>/>
>className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>type="org.apache.catalina.UserDatabase"
> description="User database that can be updated and saved"
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> pathname="conf/tomcat-users.xml" />
> connectionTimeout="2"
>redirectPort="8443" />
> connectionURL="ldap://pinot-nero.energiaspa.it:389";
> alternateURL="ldap://pinot-grigio.energiaspa.it:389";
> connectionName="ENERGIASPA\ldapbrowser"
> connectionPassword="drc4Fv9CGqIzWewX9nO3"
> userBase="DC=ENERGIASPA,DC=IT"
> referrals="follow"
> userSubtree="true"
> userSubtree="true"
> userSearch="(&(sAMAccountName={0})(objectClass=user))"
> roleBase="OU=linux-group,OU=Linux,DC=ENERGIASPA,DC=IT"
> roleName="cn"
> roleSearch="(member={0})"
> />
>unpackWARs="true" autoDeploy="true"
> xmlValidation="false" xmlNamespaceAware="false">
>docBase="${catalina.home}/webapps/probe" privileged="true"
> antiResourceLocking="false" antiJARLocking="false">

---
Re: Reuse mod ajp proxy connections
Dimitar Georgievski wrote:
...
> Mod proxy settings in Apache
>
> ProxyStatus On
> ProxyRequests Off
> ProxyTimeout 1800
> ProxyPassMatch ^/(.*) ajp://localhost:8009/$1
> SetEnv force-proxy-request-1.0 1
> SetEnv proxy-nokeepalive 1

What happens if you just comment out the previous 2 lines ?

Unless I totally misunderstand the httpd documentation and HTTP, the above 2 lines tell the Apache mod_proxy module to issue all requests to Tomcat using HTTP 1.0, which does not support persistent connections. No wonder then that each request causes a separate connection setup and tear-down.

Next question :

> ProxyPassMatch ^/(.*) ajp://localhost:8009/$1

If you are forwarding *everything* to Tomcat anyway, then why do you have an Apache httpd in front ? Why not just set up Tomcat to listen on port 80 and avoid the complication ?
Re: Error while starting tomcat. Failed creating jvm.dll
2011/10/19 Joe Hansen :
> Hi,
>
> I have installed Tomcat 6.0.29 on a machine running Windows 7 Professional
> (64bit) and JDK 1.5.0_22.

Why not 6.0.33?

> When I start Tomcat, I see the following error message in the log file:
> [206 javajni.c] [error] %1 is not a valid Win32 application.
> [985 prunsrv.c] [error] Failed creating java C:\Program Files (x86)\Java\jdk1.5.0_22\jre\bin\server\jvm.dll

64-bit service and 32-bit dll?