Re: how to connect to datasource
On 09/11/2011 07:00, spike@12 wrote: > > Hi, > > I have setup my application using with tomcat and it is working fine. But > when I have restarted my DB machine, my application is not working. If I > have restart my tomcat server then it is working fine. > may I know, how to connect to datasource automatically if my DB machine is > restarted?? Is it having any specific parameter to connect datasource > automatically?? > > Please let me know. Thanks in advance. It's better to tell us precise details about your Tomcat, Java and OS version when asking a question. I'll assume 7.0. A validation query may help. Note: restarting a DB while the application server is up is often prone to problems. Read: http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html Pay attention to the paragraph which refers to the 'validationQuery' attribute. p -- [key:62590808] signature.asc Description: OpenPGP digital signature
RE: SSL connect to APR fails - "bad version"
Hi Kobe;
I can see why it looks like the server is sending the message, but I think
there's some reference that's being missed. The SSL debug should show Client
messages and Server messages.
One thing that's certain, the SSLv2 ClientHello is a client message sent by the
client. This message is never sent by the server.
On a separate note, the APR is very strict about enforcing TLSv1. When it's
configured for TLSv1, it immediately terminates the connection if it receives
any SSLv2 ClientHello or SSLv3 Client Hello. If you have a server with an
active APR that's accepting the SSLv2 (or SSLv3) ClientHello, then the value of
SSLProtocol is "all' (default), "SSLv2", "SSLv3", or "SSLv2+SSLv3".
Regards,
Steve
From: users-return-229208-STEVEN.J.ADAMUS=saic@tomcat.apache.org on behalf
of Kobe
Sent: Tue 11/8/2011 10:20 PM
To: users@tomcat.apache.org
Subject: Re: SSL connect to APR fails - "bad version"
thank you Chris. I know the server (APR) is sending SSLv2 ClientHello because
ssl debugs show it:
// from ${CATALINA_HOME}/bin/setenv.sh:
export JAVA_OPTS="... -Djavax.net.debug=ssl"
//...
# sh ${CATALINA_HOME}/bin/startup.sh
// from client
$ openssl s_client -connect server.xxx.net:443 -debug -ssl3
// from ${CATALINA_HOME}/logs/catalina.out
...
sending SSLv2 ClientHello << server issues only SSLv2
ClientHello
But same openssl version (FIPS) connects with SSLv3 on another machien.
so I am thinking there is openssl misconfig on this server.
many tahnks.
/Kobe
Christopher Schultz-2 wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Kobe,
>
> On 11/8/11 2:01 PM, Kobe wrote:
>> thank for your help. here is more info on my setup: tomcat version
>> 6.0.29. And tomcat is startin clean; no ererors while loading.
>>
>> if I use tls1, I get same error as before ("bad version").
>>
>> when i test with openssl s_client, I check line 293 of s3_pkt.c. it
>> say -->
>>
>>
>> if ((version>>8) != SSL3_VERSION_MAJOR) {
>>
>> SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); goto
>> err; }
>>
>>
>>
>> so client is wanting ssl version 3. But i have same error with
>> browser. i donot/cannot find what version browser wants - i Think
>> it is 3.
>
> Your web browser likely has SSL 2.0 disabled entirely. You should
> check which types of SSL/TLS are enabled.
>
>> So I am thinking, there is misconfigure on this server. i would
>> like to find why this server respond with SSLv2 ClientHello instead
>> of SSLv3 ClientHello.
>
> Why do you think you are getting an SSLv2 reply?
>
>> how do i find this misconfigurn?
>
> Are you using the same version of openssl as the "client" as you are
> using withing Tomcat? I wonder if the FIPS mode is tripping you up.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
how to connect to datasource
Hi, I have setup my application using with tomcat and it is working fine. But when I have restarted my DB machine, my application is not working. If I have restart my tomcat server then it is working fine. may I know, how to connect to datasource automatically if my DB machine is restarted?? Is it having any specific parameter to connect datasource automatically?? Please let me know. Thanks in advance. -- View this message in context: http://old.nabble.com/how-to-connect-to-datasource-tp32809000p32809000.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat doesnt want to start
On 09/11/11 15:46, Daniel Baktiar wrote: Probably you should instead do this: $ cat /var/log/tomcat6 (I suspect it's the log file, not a tomcat6 folder). No, it is because of permissions on the /var/log/tomcat6 directory... you cannot cd to that directory as an ordinary user. so these will work: sudo ls -l /var/log/tomcat6 sudo less /var/log/tomcat6/catalina.out etc.. --- daniel baktiar On Wed, Nov 9, 2011 at 07:08, Christian Röttger< chris.roett...@uni-muenster.de> wrote: Hello list, i updated my ubuntu server to tomcat 6.0.24. (a kernel update was also included) After a reboot tomcat doesn't want to start. The status is not running and when i want to start it, it always says: /etc/init.d/tomcat6 start * Starting Tomcat servlet engine tomcat6 [fail] the same with force-reload when i try to look at the logs in /var/log/tomcat i don't get access sudo cat /var/log$ cd tomcat6/ -bash: cd: tomcat6/: Keine Berechtigung Where should i look? Can anyone provide some help how to get it running again? thanks, christian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - "bad version"
thank you Chris. I know the server (APR) is sending SSLv2 ClientHello because
ssl debugs show it:
// from ${CATALINA_HOME}/bin/setenv.sh:
export JAVA_OPTS="... -Djavax.net.debug=ssl"
//...
# sh ${CATALINA_HOME}/bin/startup.sh
// from client
$ openssl s_client -connect server.xxx.net:443 -debug -ssl3
// from ${CATALINA_HOME}/logs/catalina.out
...
sending SSLv2 ClientHello << server issues only SSLv2
ClientHello
But same openssl version (FIPS) connects with SSLv3 on another machien.
so I am thinking there is openssl misconfig on this server.
many tahnks.
/Kobe
Christopher Schultz-2 wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Kobe,
>
> On 11/8/11 2:01 PM, Kobe wrote:
>> thank for your help. here is more info on my setup: tomcat version
>> 6.0.29. And tomcat is startin clean; no ererors while loading.
>>
>> if I use tls1, I get same error as before ("bad version").
>>
>> when i test with openssl s_client, I check line 293 of s3_pkt.c. it
>> say -->
>>
>>
>> if ((version>>8) != SSL3_VERSION_MAJOR) {
>>
>> SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); goto
>> err; }
>>
>>
>>
>> so client is wanting ssl version 3. But i have same error with
>> browser. i donot/cannot find what version browser wants - i Think
>> it is 3.
>
> Your web browser likely has SSL 2.0 disabled entirely. You should
> check which types of SSL/TLS are enabled.
>
>> So I am thinking, there is misconfigure on this server. i would
>> like to find why this server respond with SSLv2 ClientHello instead
>> of SSLv3 ClientHello.
>
> Why do you think you are getting an SSLv2 reply?
>
>> how do i find this misconfigurn?
>
> Are you using the same version of openssl as the "client" as you are
> using withing Tomcat? I wonder if the FIPS mode is tripping you up.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk65274ACgkQ9CaO5/Lv0PAcfwCeI/nP0CP5Y8Jj1q/1Im/9ef9Y
> tZQAnial2UmsG5FSBSkSclenImxf5YR+
> =vgDW
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>
--
View this message in context:
http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32808893.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat doesnt want to start
Probably you should instead do this: $ cat /var/log/tomcat6 (I suspect it's the log file, not a tomcat6 folder). --- daniel baktiar On Wed, Nov 9, 2011 at 07:08, Christian Röttger < chris.roett...@uni-muenster.de> wrote: > Hello list, > > i updated my ubuntu server to tomcat 6.0.24. (a kernel update was also > included) After a reboot tomcat doesn't want to start. > The status is not running and when i want to start it, it always says: > /etc/init.d/tomcat6 start > * Starting Tomcat servlet engine tomcat6 [fail] > the same with force-reload > > when i try to look at the logs in /var/log/tomcat i don't get access > sudo cat /var/log$ cd tomcat6/ > -bash: cd: tomcat6/: Keine Berechtigung > > Where should i look? > Can anyone provide some help how to get it running again? > > thanks, > christian > >
RE: tomcat doesnt want to start
> From: Christian Röttger [mailto:chris.roett...@uni-muenster.de] > Subject: tomcat doesnt want to start > i updated my ubuntu server to tomcat 6.0.24. (a kernel update was also > included) After a reboot tomcat doesn't want to start. > Can anyone provide some help how to get it running again? Unfortunately, what you've got is a 3rd-party repackaged version of Tomcat, with a very different file structure and component set than that of a standard Tomcat download. You really need someone familiar with Ubuntu, rather than Tomcat. If you can install a real Tomcat from tomcat.apache.org, then we can help you with that. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Trouble running TC8 trunk
2011/11/9 Christopher Schultz : \> > With current trunk HEAD and a fresh: > > $ ant clean clean-depend download-compile deploy > > When I attempt to start Tomcat, I get this error (this is 100% of my > catalina.out): > > java.lang.NoClassDefFoundError: > org/apache/catalina/startup/SetParentClassLoaderRule > at java.lang.Class.getDeclaredConstructors0(Native Method) > at java.lang.Class.privateGetDeclaredConstructors(Class.java:2389) > at java.lang.Class.getConstructor0(Class.java:2699) > at java.lang.Class.newInstance0(Class.java:326) > at java.lang.Class.newInstance(Class.java:308) > at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:239) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425) > Caused by: java.lang.ClassNotFoundException: > org.apache.catalina.startup.SetParentClassLoaderRule > at java.net.URLClassLoader$1.run(URLClassLoader.java:202) > at java.security.AccessController.doPrivileged(Native Method) > at java.net.URLClassLoader.findClass(URLClassLoader.java:190) > at java.lang.ClassLoader.loadClass(ClassLoader.java:306) > at java.lang.ClassLoader.loadClass(ClassLoader.java:247) > ... 7 more > > That line in Bootstrap.java is creating a new startup.Catalina object > which needs it's own inner class SetParentClassLoaderRule. It looks > like the JVM is attempting to load the wrong class: it should be > loading startup.Catalina$SetParentClassLoaderRule but instead it's > trying to load startup.SetParentClassLoaderRule. > > I'm at a loss, here. > > JVM info: > > $ java -version > java version "1.6.0_26" > Java(TM) SE Runtime Environment (build 1.6.0_26-b03) > Java HotSpot(TM) Server VM (build 20.1-b02, mixed mode) > > Any ideas? > How do you start it? Are you in output/build/bin when you are trying to start it? Are CATALINA_HOME and CATALINA_BASE have none or valid values when you are running the startup scripts? (catalina.sh should print their values when starting). Maybe try good old "rm -rf output" instead of Ant clean? Last time I cleanly recompiled it was yesterday (to confirm brokenness in the manager webapp - see elsethread), and all was fine. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Trouble running TC8 trunk
- Original Message - > From: Christopher Schultz > To: Tomcat Users List > Cc: > Sent: Tuesday, November 8, 2011 5:37 PM > Subject: Trouble running TC8 trunk > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > All, > > With current trunk HEAD and a fresh: > > $ ant clean clean-depend download-compile deploy > > When I attempt to start Tomcat, I get this error (this is 100% of my > catalina.out): > > java.lang.NoClassDefFoundError: > org/apache/catalina/startup/SetParentClassLoaderRule > at java.lang.Class.getDeclaredConstructors0(Native Method) > at java.lang.Class.privateGetDeclaredConstructors(Class.java:2389) > at java.lang.Class.getConstructor0(Class.java:2699) > at java.lang.Class.newInstance0(Class.java:326) > at java.lang.Class.newInstance(Class.java:308) > at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:239) > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425) > Caused by: java.lang.ClassNotFoundException: > org.apache.catalina.startup.SetParentClassLoaderRule > at java.net.URLClassLoader$1.run(URLClassLoader.java:202) > at java.security.AccessController.doPrivileged(Native Method) > at java.net.URLClassLoader.findClass(URLClassLoader.java:190) > at java.lang.ClassLoader.loadClass(ClassLoader.java:306) > at java.lang.ClassLoader.loadClass(ClassLoader.java:247) > ... 7 more > > That line in Bootstrap.java is creating a new startup.Catalina object > which needs it's own inner class SetParentClassLoaderRule. It looks > like the JVM is attempting to load the wrong class: it should be > loading startup.Catalina$SetParentClassLoaderRule but instead it's > trying to load startup.SetParentClassLoaderRule. > > I'm at a loss, here. > > JVM info: > > $ java -version > java version "1.6.0_26" > Java(TM) SE Runtime Environment (build 1.6.0_26-b03) > Java HotSpot(TM) Server VM (build 20.1-b02, mixed mode) > > Any ideas? > > Thanks, > - -chris Chris, This is likely not to be very helpful . . . Revision: 1199595 java version "1.6.0_29" Java(TM) SE Runtime Environment (build 1.6.0_29-b11) Java HotSpot(TM) Client VM (build 20.4-b02, mixed mode, sharing) Apache Ant(TM) version 1.8.2 compiled on December 20 2010 Fedora 15, latest patches Modified build.properties from build.properties.default base.path=/home/mdeggers/src/tomcat-src/trunk-repo # skipping windows installer skip.installer=true Commands: ant clean ant release Copied output/release/v8.0.0-dev/bin/apache-tomcat-8.0.0-dev.tar.gz someplace and unpacked it. It started up fine, and I was able to run a few of the test applications. I enabled the GUI manager and that worked as well. I tried ant clean ant deploy and then ran the resulting output/build/bin/startup.sh from output/build/bin. That ran as well. I also ran it successfully as output/build/bin/startup.sh. The only java-related environment variables I have are the following: JRE_HOME=/usr/jre JAVA_HOME=/usr/java ANT_HOME=/usr/local/Apache/ant M2_HOME=/usr/local/Apache/maven MAVEN_OPTS=-Xms128m -Xmx256m I know, a "works for me" post isn't very helpful. Sorry 'bout that. . . . just my two cents. /mde/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - "bad version"
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Kobe,
On 11/8/11 2:01 PM, Kobe wrote:
> thank for your help. here is more info on my setup: tomcat version
> 6.0.29. And tomcat is startin clean; no ererors while loading.
>
> if I use tls1, I get same error as before ("bad version").
>
> when i test with openssl s_client, I check line 293 of s3_pkt.c. it
> say -->
>
>
> if ((version>>8) != SSL3_VERSION_MAJOR) {
>
> SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); goto
> err; }
>
>
>
> so client is wanting ssl version 3. But i have same error with
> browser. i donot/cannot find what version browser wants - i Think
> it is 3.
Your web browser likely has SSL 2.0 disabled entirely. You should
check which types of SSL/TLS are enabled.
> So I am thinking, there is misconfigure on this server. i would
> like to find why this server respond with SSLv2 ClientHello instead
> of SSLv3 ClientHello.
Why do you think you are getting an SSLv2 reply?
> how do i find this misconfigurn?
Are you using the same version of openssl as the "client" as you are
using withing Tomcat? I wonder if the FIPS mode is tripping you up.
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk65274ACgkQ9CaO5/Lv0PAcfwCeI/nP0CP5Y8Jj1q/1Im/9ef9Y
tZQAnial2UmsG5FSBSkSclenImxf5YR+
=vgDW
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7, Servlet 3.0, and Non-Blocking
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Matthew, On 11/8/11 4:43 PM, Matthew Tyson wrote: > So if I want to use Servlet 3.0 async (eg, a call to > request.startAsync), and have it be handled without blocking IO, I > need to use the NIO connector? To repeat Mark's reply: > On Tue, Nov 8, 2011 at 12:27 PM, Mark Thomas > wrote: If you want to use Comet you'll need to use HTTP NIO or HTTP > APR/native. > > Servlet 3.0 async works with any connector. Note that last sentence. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk652ckACgkQ9CaO5/Lv0PB+9wCdGzcXsivGczZZ5Dv7GKZTb/gJ Ha8AoI3MPm/kaU9IP1v5V2VvxH2EmEsh =8tM/ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Trouble running TC8 trunk
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 All, With current trunk HEAD and a fresh: $ ant clean clean-depend download-compile deploy When I attempt to start Tomcat, I get this error (this is 100% of my catalina.out): java.lang.NoClassDefFoundError: org/apache/catalina/startup/SetParentClassLoaderRule at java.lang.Class.getDeclaredConstructors0(Native Method) at java.lang.Class.privateGetDeclaredConstructors(Class.java:2389) at java.lang.Class.getConstructor0(Class.java:2699) at java.lang.Class.newInstance0(Class.java:326) at java.lang.Class.newInstance(Class.java:308) at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:239) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425) Caused by: java.lang.ClassNotFoundException: org.apache.catalina.startup.SetParentClassLoaderRule at java.net.URLClassLoader$1.run(URLClassLoader.java:202) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:190) at java.lang.ClassLoader.loadClass(ClassLoader.java:306) at java.lang.ClassLoader.loadClass(ClassLoader.java:247) ... 7 more That line in Bootstrap.java is creating a new startup.Catalina object which needs it's own inner class SetParentClassLoaderRule. It looks like the JVM is attempting to load the wrong class: it should be loading startup.Catalina$SetParentClassLoaderRule but instead it's trying to load startup.SetParentClassLoaderRule. I'm at a loss, here. JVM info: $ java -version java version "1.6.0_26" Java(TM) SE Runtime Environment (build 1.6.0_26-b03) Java HotSpot(TM) Server VM (build 20.1-b02, mixed mode) Any ideas? Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk652TwACgkQ9CaO5/Lv0PC1LgCeOePAnmx3PjNbTaqqHSvy/ATW Ng0AmgLhQQcd4sECYLnz+4EJ8z5PEHkf =epiQ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: o Tomcat alter the page encoding for JSP file created via Netbeans 7.01
Got it Pid.Thanks. On 11/8/2011 8:53 PM, Pid wrote: On 05/11/2011 17:57, Kiran Badi wrote: Hi All, I am aware this might be offtopic but being a silent member to this list, I think this list can give me better suggestion than doing a google.So posting here. Unfortunately it was on someone else's topic. In future please don't just edit a reply's subject line& body (which is called thread-hijacking). Start an entirely new email. p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7, Servlet 3.0, and Non-Blocking
I guess what I'm asking is if I just start using the Servlet 3.0 support for suspending requests out of the box, will it be a thread blocking implementation I'm using? HTTP APR/native is blocking as well, correct? So if I want to use Servlet 3.0 async (eg, a call to request.startAsync), and have it be handled without blocking IO, I need to use the NIO connector? Thanks, Matt On Tue, Nov 8, 2011 at 12:27 PM, Mark Thomas wrote: > On 08/11/2011 20:15, Matthew Tyson wrote: > > Hey Guys, > > > > It has been my assumption that Tomcat 7's comet implementation (ie, > > asyncSupported=true), will automatically use NIO processing. > > Comet != Servlet 3.0 async > > > Is that not true? > > Yes, that is not true. > > > Do I need to set the connector to be > > org.apache.coyote.http11.Http11NioProtocol explicitly? > > If you want to use Comet you'll need to use HTTP NIO or HTTP APR/native. > > Servlet 3.0 async works with any connector. > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: HTTP Status 404 - /manager/html
On Tue, Nov 8, 2011 at 10:29 AM, Caldarale, Charles R wrote: >> From: Kaushal Shriyan [mailto:kaushalshri...@gmail.com] >> Subject: Re: HTTP Status 404 - /manager/html > >> I did downloaded it from >> http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.19/bin/ > > Good. For curiosity's sake, why didn't you use the most recent release? > >> i do have manager webapps > > So noted. > > Are you sure you're accessing that Tomcat? > > Have you changed anything in conf/server.xml (e.g., disabling > deployOnStartup)? > > Look in the Tomcat logs to see if there are any errors regarding deployment > of or access to the manager webapp. > > - Chuck > Thanks Chuck for the hint,Fixed it after peeking at catalina.out log file. INFO: Deploying configuration descriptor manager.xml from /opt/tomcat0/conf/Catalina/localhost java.lang.IllegalArgumentException: Document base /opt/tomcat0/server/webapps/manager does not exist or is not a readable directory SEVERE: Context [/manager] startup failed due to previous errors INFO: Deploying web application directory host-manager So going through the logs,if we look at /opt/tomcat0/conf/Catalina/localhost/manager.xml docBase was set to a different path I have corrected it and it worked fine. Regards, Kaushal - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
tomcat doesnt want to start
Hello list, i updated my ubuntu server to tomcat 6.0.24. (a kernel update was also included) After a reboot tomcat doesn't want to start. The status is not running and when i want to start it, it always says: /etc/init.d/tomcat6 start * Starting Tomcat servlet engine tomcat6 [fail] the same with force-reload when i try to look at the logs in /var/log/tomcat i don't get access sudo cat /var/log$ cd tomcat6/ -bash: cd: tomcat6/: Keine Berechtigung Where should i look? Can anyone provide some help how to get it running again? thanks, christian smime.p7s Description: S/MIME Cryptographic Signature
Re: SSL connect to APR fails - "bad version"
many thanks again for your time and help. Problem is: same openssl version working on another server and successfuly setup SSLv3 connections with same client. So I am thinking, there is misconfigure on this server. i would like to find why this server respond with SSLv2 ClientHello instead of SSLv3 ClientHello. how do i find this misconfigurn? /Kobe Marvin Addison wrote: > > The following works as expected on my config (6.0.26) using the > default protocols and cipher suite as in your config: > > $ openssl s_client -connect eiger:443 -debug -ssl3 > CONNECTED(0003) > ... > > Something in your SSL version jumped out at me: > > OpenSSL 0.9.8e-fips-rhel5 > > Looks like you're running OpenSSL with the FIPS compliance features > enabled, which may impose additional requirements on SSL negotiation. > I can't provide any further insight, but hopefully it might point to > an area for further investigation. > > M > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -- View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805994.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - "bad version"
thank for your help. here is more info on my setup: tomcat version 6.0.29.
And tomcat is startin clean; no ererors while loading.
if I use tls1, I get same error as before ("bad version").
when i test with openssl s_client, I check line 293 of s3_pkt.c. it say -->
if ((version>>8) != SSL3_VERSION_MAJOR)
{
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
goto err;
}
so client is wanting ssl version 3. But i have same error with browser. i
donot/cannot find what
version browser wants - i Think it is 3.
Konstantin Kolinko wrote:
>
> 2011/11/6 Kobe :
>>
>> I build tcnative and apr from src with exist ver of openssl (means
>> openssl
>> not
>> build my me). I load apr connector in tomcat as below.
>>
>> when my client connect, I cannot connect: i get "bad version".
>> please explain what I do wrong?
>>
>>
>> server# ./apr-1-config --version
>> 1.4.5
>> server#
>> server# openssl version
>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>> server#
>>
>> /// APR Connector Configuration in Tomcat6
>> > protocol="org.apache.coyote.http11.Http11AprProtocol"
>> enableLookups="false" disableUploadTimeout="true"
>> acceptCount="100" scheme="https" secure="true"
>> SSLCertificateFile="server_certificate.pem"
>> SSLCertificateChainFile="cachain.pem"
>> SSLCertificateKeyFile="server.key"
>> />
>>
>>
>> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3
>
>> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
>
> And what happens with
> $ openssl s_client -connect server.xxx.net:443 -debug -tls1
> ?
>
> What is on line 293 in s3_pkt.c in the version of openssl the client
> side of the connection is using?
>
> I quick guess that client&server cannot negotiate protocol version.
> There are some options on that might be used to configure
> protocols & ciphers that are supported.
>
> Note that
> - There were several security fixes in OpenSSL since that version that
> you are using.
> - You may try googling for your error message. It is mentioned a lot of
> times.
> - You are not mentioning what version of Tomcat x.y.z you are using.
> - There might be some messages in Tomcat log files. Does Tomcat start
> up cleanly?
>
> Re: Andre's question:
> That is openssl in command-line client mode, as a test whether it can
> connect to the server.
>
> Best regards,
> Konstantin Kolinko
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>
--
View this message in context:
http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805993.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - "bad version"
Actually, whether it be webaccess or webservice access, i not follow your confusion. pleas explain why this is wrong. /Kobe Kobe wrote: > > Tomcat is also a servlet container and may be used to host web services. > That is the case here. the web service client is hosted in a BEA weblogic > server > and attempts to connect to the web service over SSL. > > /Kobe > > > awarnier wrote: >> >> Kobe wrote: >>> I build tcnative and apr from src with exist ver of openssl (means >>> openssl >>> not >>> build my me). I load apr connector in tomcat as below. >>> >>> when my client connect, I cannot connect: i get "bad version". >>> please explain what I do wrong? >>> >>> >>> server# ./apr-1-config --version >>> 1.4.5 >>> server# >>> server# openssl version >>> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 >>> server# >>> >>> >>> >>> /// APR Connector Configuration in Tomcat6 >>> >> protocol="org.apache.coyote.http11.Http11AprProtocol" >>> enableLookups="false" disableUploadTimeout="true" >>> acceptCount="100" scheme="https" secure="true" >>> SSLCertificateFile="server_certificate.pem" >>> SSLCertificateChainFile="cachain.pem" >>> SSLCertificateKeyFile="server.key" >>> /> >>> >>> >>> >>> >>> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3 >>> CONNECTED(0003) >>> write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F)) >>> - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d >>> Z...V..N..>- >>> 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f >>> W..<...Uvu!|..7o >>> 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39 >>> .+h|e..,...9 >>> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f >>> .8.5...3.2./ >>> 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09 >>> >>> 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01 .. >>> 005f - >>> read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5)) >>> - 48 54 54 50 2fHTTP/ >>> write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7)) >>> - 15 03 00 00 02 02 28 ..( >>> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version >>> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293: >>> $ >>> >> Hi. >> I don't know if other members of this list will be as puzzled as I am, >> but it is not clear >> to me what you are trying to achieve. >> I mean that Tomcat is in principle a web server, normally answering web >> browser requests >> (via HTTP or HTTPS). What are you trying to do when you access it with >> the above type of >> client, and what are you sending to Tomcat, and why ? >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> > > -- View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805704.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7, Servlet 3.0, and Non-Blocking
On 08/11/2011 20:15, Matthew Tyson wrote: > Hey Guys, > > It has been my assumption that Tomcat 7's comet implementation (ie, > asyncSupported=true), will automatically use NIO processing. Comet != Servlet 3.0 async > Is that not true? Yes, that is not true. > Do I need to set the connector to be > org.apache.coyote.http11.Http11NioProtocol explicitly? If you want to use Comet you'll need to use HTTP NIO or HTTP APR/native. Servlet 3.0 async works with any connector. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL connect to APR fails - "bad version"
Tomcat is also a servlet container and may be used to host web services. That is the case here. the web service client is hosted in a BEA weblogic server and attempts to connect to the web service over SSL. /Kobe awarnier wrote: > > Kobe wrote: >> I build tcnative and apr from src with exist ver of openssl (means >> openssl >> not >> build my me). I load apr connector in tomcat as below. >> >> when my client connect, I cannot connect: i get "bad version". >> please explain what I do wrong? >> >> >> server# ./apr-1-config --version >> 1.4.5 >> server# >> server# openssl version >> OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 >> server# >> >> >> >> /// APR Connector Configuration in Tomcat6 >> > protocol="org.apache.coyote.http11.Http11AprProtocol" >> enableLookups="false" disableUploadTimeout="true" >> acceptCount="100" scheme="https" secure="true" >> SSLCertificateFile="server_certificate.pem" >> SSLCertificateChainFile="cachain.pem" >> SSLCertificateKeyFile="server.key" >> /> >> >> >> >> >> $ openssl s_client -connect server.xxx.net:443 -debug -ssl3 >> CONNECTED(0003) >> write to 0x100119470 [0x100815e00] (95 bytes => 95 (0x5F)) >> - 16 03 00 00 5a 01 00 00-56 03 00 4e b5 d4 3e 2d Z...V..N..>- >> 0010 - 57 eb 94 3c f8 0f a0 55-76 75 21 7c b3 f1 37 6f W..<...Uvu!|..7o >> 0020 - 99 2b 68 7c 65 b7 c9 2c-f6 1f dd 00 00 2e 00 39 .+h|e..,...9 >> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f .8.5...3.2./ >> 0040 - 00 9a 00 99 00 96 00 05-00 04 00 15 00 12 00 09 >> 0050 - 00 14 00 11 00 08 00 06-00 03 00 ff 02 01 .. >> 005f - >> read from 0x100119470 [0x100811400] (5 bytes => 5 (0x5)) >> - 48 54 54 50 2fHTTP/ >> write to 0x100119470 [0x10081b800] (7 bytes => 7 (0x7)) >> - 15 03 00 00 02 02 28 ..( >> 44414:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version >> number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293: >> $ >> > Hi. > I don't know if other members of this list will be as puzzled as I am, but > it is not clear > to me what you are trying to achieve. > I mean that Tomcat is in principle a web server, normally answering web > browser requests > (via HTTP or HTTPS). What are you trying to do when you access it with > the above type of > client, and what are you sending to Tomcat, and why ? > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -- View this message in context: http://old.nabble.com/SSL-connect-to-APR-fails---%22bad-version%22-tp32788669p32805690.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 7, Servlet 3.0, and Non-Blocking
Hey Guys, It has been my assumption that Tomcat 7's comet implementation (ie, asyncSupported=true), will automatically use NIO processing. Is that not true? Do I need to set the connector to be org.apache.coyote.http11.Http11NioProtocol explicitly? Thanks, Matt
Re: making security constraints configureable
On 1:59 PM, André Warnier wrote: Terence M. Bandoian wrote: On 1:59 PM, Konstantin Kolinko wrote: 2011/11/3 Leon Rosenberg: I have a situation where an application is accessable from outside in staging and production environment, but shouldn't be open for public in staging environment. Put it behind Apache HTTPD (or any other proxy) and let HTTPD handle authentication& authorization instead of Tomcat. I'd advise against using BASIC auth in public internet, unless the channel is protected with HTTPS. What we did so far was, that we excluded everyone via web.xml: You can automate the above. If you pack your war file using Ant, you can use task. Best regards, Konstantin Kolinko I'm not sure what "open for public" means above. What about using a system property (e.g. myorg.myapp.isStagingEnv=true) in a filter or valve to accept or reject requests? If I (belatedly) understand the requirements properly, Leon does not not want to reject /all/ requests (that, he could do by undeploying the application). It is more something like this : - requests originating from a range of IP addresses (e.g. the internal LAN) should be accepted, without authentication - requests originating from anywhere else should be submitted to authentication. Practical case : the application is in a testing state, and should not be available to the public at large, only to inside testers. The inside testers should not have to login for that. However, occasionally, someone may be sitting in an Internet Cafe and want to do a demo for a customer from there. He should be able to access the application, but only after logging in. Leon, if the above is not the right description, please correct it. In such matters, the devil is in the details. The system property that indicates whether or not the application is in a staging or test environment would be used in conjunction with a test against, for example, request.getRemoteUser() or request.isUserInRole() or request.getRemoteAddr(). -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session expiration - browser -Web application
@Terence : Thank you for your answer. Actually, I extracted the Java code from the JSP and put it in a TLD so that the code is cleaner and more manageable. Best regards, -- Léa -- View this message in context: http://old.nabble.com/Session-expiration---browser--Web-application-tp32780678p32804141.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
[SECURITY] CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.21 Description: This issue only affects environments running web applications that are not trusted (e.g. shared hosting environments). The Servlets that implement the functionality of the Manager application that ships with Apache Tomcat should only be available to Contexts (web applications) that are marked as privileged. However, this check was not being made. This allowed an untrusted web application to use the functionality of the Manager application. This could be used to obtain information on running web applications as well as deploying additional web applications. Mitigation: Users of Tomcat 7.0.x should upgrade to 7.0.22 or later Credit: This issue was identified by Ate Douma References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJOuWxPAAoJEBDAHFovYFnng3oP/jkYsplqxz9hjWi6uztQK3Gv BlS1IlbyqW5HW8rqr/pyfLWDDiJZUc+FmWRbyT96r/V4z0w4oGglGi289owLr1Lx bsGlauWQhZh7k5nWKboMVEk6CjGOXVQ9zMJJwhEkrXn6/HNV5O65F/0nnLoHgStM DNyKKpYDtc6XCI7+Pcutv3fqkk9niF3KSF3rePKlpUstVbuLx9HlX+0fbj7+X4w/ PyE5R9tVfr3Toiwn546QQR73VkOSmAGt0IEE9P06oY50ruW3/Z6wJjVHrlJUsoQ3 txupoC+FCZ5ph8DfoeVzav6Y3W9dImXz6rzxm3YnUKCDZuWnGVNzDE4IUyKdRM5t W/Smquaat8VxsxMbU34bSJHYA1m2nos4qPrQvJl2w0wKWrPFRnu4f8RImvg1BIPH gZ17raqPjdoBuE3H4ivgF0DSasVdYM/Ge977B+6nD9jzwE6FEFAFCCRpbYvD/6SA //QbqSlcULb6CKZ6D/rNbLSQ3e0QD6GYaz3HjJcCtJkqo2FoLGY88AxtoF4es5SB thYJf7r51J9W8g7nvw+b7Y0+eG3IczsBA0spIoyzIKr1RxSEFE2220idPdotpjAf aticEwF9U5przWmwNab7lKUd91bo32ZVtvIprPGL/NfHrL3KC891gjYqkQtrcJC5 SkiQ74ix/uGZTB6HHCWm =wak3 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AW: mod_jk - Browser displays HTML Sourcecode
Pid wrote: On 08/11/2011 15:54, André Warnier wrote: But obviously it isn't, so there's something wrong with this JkMount. Jumping ahead, that bit comes next when the OP's sorted their layout out... ;) Ok, had a second look at the Tomcat config, and I think you're right. there's some work to do there.. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AW: mod_jk - Browser displays HTML Sourcecode
Pid wrote: On 08/11/2011 15:54, André Warnier wrote: But obviously it isn't, so there's something wrong with this JkMount. Jumping ahead, that bit comes next when the OP's sorted their layout out... ;) Jumping back, the misdirected DocumentRoot issue should not be an immediate security problem if the JkMount /* loadbalancer worked. No ? :-) @Alexander : change the VirtualHost's DocumentRoot to point anywhere else that is not part of the Tomcat directories. Then put a simple "index.html" document there, saying "wrong place". (and make all of that readable by the user under which Apache httpd runs (like www-data probably)). Reload the Apache config. After that, apart from the top-level "/" URL, everything else should return a 404 "not found", until the JkMount works. Then, in this : ServerAdmin xxx@yyy DocumentRoot "D:/www/apps/app1/ROOT" Options Indexes FollowSymLinks AllowOverride None Order allow,deny Allow from all ... I don't see a JkMount. Where is it ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AW: mod_jk - Browser displays HTML Sourcecode
On 08/11/2011 15:54, André Warnier wrote: > > But obviously it isn't, so there's something wrong with this JkMount. Jumping ahead, that bit comes next when the OP's sorted their layout out... ;) p -- [key:62590808] signature.asc Description: OpenPGP digital signature
Re: AW: mod_jk - Browser displays HTML Sourcecode
Hi. Pid wrote: On 08/11/2011 15:12, Alexander Diedler wrote: Hello That most probably means that the URL mappings for mod_jk are not correct, and that Apache httpd is serving that content directly. Look at (or show here) the JkMount lines that should be somewhere in your Apache configuration. Was attached in the post: JkMount /* loadbalancer So everything would be served by tomcat. But obviously it isn't, so there's something wrong with this JkMount. Somewhere else you are talking of VirtualHost. Are you sure that the above line is inside the configuration ? If it is in the "main" Apache config, it is not automatically "inherited" by the VirtualHost's. Check the JkMountCopy directive for details. At a second level, it also means that you are doing something that is really not recommended : allow Apache httpd access to the Tomcat application directories. +1 I'd go further: *never* publish a Tomcat application docBase as an HTTPD DocumentRoot. That bypasses any security that you may have in Tomcat. Your current problem is a perfect example : Apache now shows the source code of your JSP pages. Hopefully there is no secret password in there. Test : (http://www.test.de/xyz)/WEB-INF/web.xml Yes you are right, I can read the web.xml from the browser. How we can avoid it? Don't publish a Tomcat application docBase as an HTTPD DocumentRoot. Simples. To say that in another way : Suppose that your Tomcat webapps directory is /var/lib/tomcatx/webapps. Then DO NOT define in Apache DocumentRoot /var/lib/tomcatx/webapps (or any other overlap between these two, or subdirectories of ditto). Apache httpd and Tomcat "don't know eachother", they are independent applications. Each one has its own security system, based on different principles. For example, Tomcat will /never/ allow a client to retrieve a file from inside a webapp's WEB-INF subdirectory. But Apache httpd doesn't know that a WEB-INF sub-directory is something special, so it will happily serve its content, if the URL maps there for Apache. Similarly, Apache doesn't know that a JSP file is something special (that must be compiled to a java servlet etc..). So if the URL which Apache handles points to something like that, Apache will happily serve it as a text file. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
AW: AW: mod_jk - Browser displays HTML Sourcecode
Ok, But would be the better way (of life) for this? HTTPD vhost.conf: ServerAdmin xxx@yyy DocumentRoot "D:/www/apps/app1/ROOT" Options Indexes FollowSymLinks AllowOverride None Order allow,deny Allow from all ... Server.xml: ROOT.xml in /conf/ Greetings Alexander -Ursprüngliche Nachricht- Von: Pid [mailto:p...@pidster.com] Gesendet: Dienstag, 8. November 2011 16:21 An: Tomcat Users List Betreff: Re: AW: mod_jk - Browser displays HTML Sourcecode On 08/11/2011 15:12, Alexander Diedler wrote: > Hello > >> That most probably means that the URL mappings for mod_jk are not >> correct, > and that Apache httpd is serving that content directly. >> Look at (or show here) the JkMount lines that should be somewhere in >> your > Apache configuration. > > Was attached in the post: > JkMount /* loadbalancer > So everything would be served by tomcat. > >> At a second level, it also means that you are doing something that is > really not recommended : allow Apache httpd access to the Tomcat > application directories. +1 I'd go further: *never* publish a Tomcat application docBase as an HTTPD DocumentRoot. >> That bypasses any security that you may have in Tomcat. >> Your current problem is a perfect example : Apache now shows the >> source > code of your JSP pages. Hopefully there is no secret password in there. > >> Test : (http://www.test.de/xyz)/WEB-INF/web.xml > Yes you are right, I can read the web.xml from the browser. How we can > avoid it? Don't publish a Tomcat application docBase as an HTTPD DocumentRoot. Simples. p > Greetings > Alexander > > > >> >> >> >> In the Apache access log: >> >> xxx.xxx.214.145 - - [08/Nov/2011:14:44:08 +0100] "GET / HTTP/1.1" 200 >> 23281 ##OK >> >> xxx.xxx.214.145 - - [08/Nov/2011:14:44:11 +0100] "GET >> /go/VV4QB69WO9F01A9KGBSYVGNVGHY6T95J HTTP/1.1" 200 88572##Not ok, >> sorcecode displayed. >> >> >> >> In the virtual-host.conf: >> >> ## Tomcatanbindung >> >> JkMount /* loadbalancer >> >> JkOptions +ForwardURICompatUnparsed >> >> AllowEncodedSlashes On >> >> >> >> >> >> Greetings >> >> Alexander >> >> >> >> > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -- [key:62590808] smime.p7s Description: S/MIME cryptographic signature
Re: o Tomcat alter the page encoding for JSP file created via Netbeans 7.01
On 05/11/2011 17:57, Kiran Badi wrote: > Hi All, > I am aware this might be offtopic but being a silent member to this > list, I think this list can give me better suggestion than doing a > google.So posting here. Unfortunately it was on someone else's topic. In future please don't just edit a reply's subject line & body (which is called thread-hijacking). Start an entirely new email. p -- [key:62590808] signature.asc Description: OpenPGP digital signature
Re: AW: mod_jk - Browser displays HTML Sourcecode
On 08/11/2011 15:12, Alexander Diedler wrote: > Hello > >> That most probably means that the URL mappings for mod_jk are not correct, > and that Apache httpd is serving that content directly. >> Look at (or show here) the JkMount lines that should be somewhere in your > Apache configuration. > > Was attached in the post: > JkMount /* loadbalancer > So everything would be served by tomcat. > >> At a second level, it also means that you are doing something that is > really not recommended : allow Apache httpd access to the Tomcat application > directories. +1 I'd go further: *never* publish a Tomcat application docBase as an HTTPD DocumentRoot. >> That bypasses any security that you may have in Tomcat. >> Your current problem is a perfect example : Apache now shows the source > code of your JSP pages. Hopefully there is no secret password in there. > >> Test : (http://www.test.de/xyz)/WEB-INF/web.xml > Yes you are right, I can read the web.xml from the browser. How we can avoid > it? Don't publish a Tomcat application docBase as an HTTPD DocumentRoot. Simples. p > Greetings > Alexander > > > >> >> >> >> In the Apache access log: >> >> xxx.xxx.214.145 - - [08/Nov/2011:14:44:08 +0100] "GET / HTTP/1.1" 200 >> 23281 ##OK >> >> xxx.xxx.214.145 - - [08/Nov/2011:14:44:11 +0100] "GET >> /go/VV4QB69WO9F01A9KGBSYVGNVGHY6T95J HTTP/1.1" 200 88572##Not ok, >> sorcecode displayed. >> >> >> >> In the virtual-host.conf: >> >> ## Tomcatanbindung >> >> JkMount /* loadbalancer >> >> JkOptions +ForwardURICompatUnparsed >> >> AllowEncodedSlashes On >> >> >> >> >> >> Greetings >> >> Alexander >> >> >> >> > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -- [key:62590808] signature.asc Description: OpenPGP digital signature
AW: mod_jk - Browser displays HTML Sourcecode
Hello >That most probably means that the URL mappings for mod_jk are not correct, and that Apache httpd is serving that content directly. >Look at (or show here) the JkMount lines that should be somewhere in your Apache configuration. Was attached in the post: JkMount /* loadbalancer So everything would be served by tomcat. >At a second level, it also means that you are doing something that is really not recommended : allow Apache httpd access to the Tomcat application directories. >That bypasses any security that you may have in Tomcat. >Your current problem is a perfect example : Apache now shows the source code of your JSP pages. Hopefully there is no secret password in there. >Test : (http://www.test.de/xyz)/WEB-INF/web.xml Yes you are right, I can read the web.xml from the browser. How we can avoid it? Greetings Alexander > > > > In the Apache access log: > > xxx.xxx.214.145 - - [08/Nov/2011:14:44:08 +0100] "GET / HTTP/1.1" 200 > 23281 ##OK > > xxx.xxx.214.145 - - [08/Nov/2011:14:44:11 +0100] "GET > /go/VV4QB69WO9F01A9KGBSYVGNVGHY6T95J HTTP/1.1" 200 88572##Not ok, > sorcecode displayed. > > > > In the virtual-host.conf: > > ## Tomcatanbindung > > JkMount /* loadbalancer > > JkOptions +ForwardURICompatUnparsed > > AllowEncodedSlashes On > > > > > > Greetings > > Alexander > > > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org smime.p7s Description: S/MIME cryptographic signature
Re: mod_jk - Browser displays HTML Sourcecode
Alexander Diedler wrote: Hello, Something goes wrong. I have a Apache 2.2.1 with mod_jk and a Tomcat 6.0.32. So if I connect to the website http://www.test.de/ everything is ok, site was displayed. If I try to access http://www.test.de/xyz i get the source code from the site it should be displayed, but it was not rendered by the browser. If I connect to the tomcat directly with port 8080, the sites will be delivered fine to the browser. That most probably means that the URL mappings for mod_jk are not correct, and that Apache httpd is serving that content directly. Look at (or show here) the JkMount lines that should be somewhere in your Apache configuration. At a second level, it also means that you are doing something that is really not recommended : allow Apache httpd access to the Tomcat application directories. That bypasses any security that you may have in Tomcat. Your current problem is a perfect example : Apache now shows the source code of your JSP pages. Hopefully there is no secret password in there. Test : (http://www.test.de/xyz)/WEB-INF/web.xml In the Apache access log: xxx.xxx.214.145 - - [08/Nov/2011:14:44:08 +0100] "GET / HTTP/1.1" 200 23281 ##OK xxx.xxx.214.145 - - [08/Nov/2011:14:44:11 +0100] "GET /go/VV4QB69WO9F01A9KGBSYVGNVGHY6T95J HTTP/1.1" 200 88572##Not ok, sorcecode displayed. In the virtual-host.conf: ## Tomcatanbindung JkMount /* loadbalancer JkOptions +ForwardURICompatUnparsed AllowEncodedSlashes On Greetings Alexander - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
mod_jk - Browser displays HTML Sourcecode
Hello, Something goes wrong. I have a Apache 2.2.1 with mod_jk and a Tomcat 6.0.32. So if I connect to the website http://www.test.de/ everything is ok, site was displayed. If I try to access http://www.test.de/xyz i get the source code from the site it should be displayed, but it was not rendered by the browser. If I connect to the tomcat directly with port 8080, the sites will be delivered fine to the browser. In the Apache access log: xxx.xxx.214.145 - - [08/Nov/2011:14:44:08 +0100] "GET / HTTP/1.1" 200 23281 ##OK xxx.xxx.214.145 - - [08/Nov/2011:14:44:11 +0100] "GET /go/VV4QB69WO9F01A9KGBSYVGNVGHY6T95J HTTP/1.1" 200 88572##Not ok, sorcecode displayed. In the virtual-host.conf: ## Tomcatanbindung JkMount /* loadbalancer JkOptions +ForwardURICompatUnparsed AllowEncodedSlashes On Greetings Alexander smime.p7s Description: S/MIME cryptographic signature
Re: Catalina.policy file for security option
When I have set CATALINA_OPTS to:
linux:/var/log/tomcat5/base # echo $CATALINA_OPTS
-Djava.security.debug=all
linux:/var/log/tomcat5/base #
in log I see:
domain 1 ProtectionDomain
CodeSource=CodeSource, url=file:/usr/share/tomcat5/bin/bootstrap.jar,
ClassLoader=sun.misc.Launcher$AppClassLoader@8e208e2
Permissions:
static: java.security.Permissions@8930893 (
(java.io.FilePermission /usr/share/tomcat5/bin/bootstrap.jar read)
(java.lang.RuntimePermission exitVM)
)
Dne 8. listopadu 2011 13:51 Petr Hracek napsal(a):
> Yes the tomcat should be run as a back-end server (AJP) with apache2-2.2.21.
> I have add to the catalina.policy following permission:
> permission javax.management.MBeanServerPermission "createMBeanServer";
> permission javax.management.MBeamPermission
> "com.javamonitor.mbeans.*","*";
> permission javax.management.MBeanTrustPermission "register";
> permission javax.management.MBeanServerPermission "findMBeanServer";
> permission java.net.SocketPermission "java-monitor.com:80", "connect";
> permission java.net.SocketPermission "java-monitor.com:80", "resolve";
>
> In the log of catalina.out I see:
> log4j:WARN No appenders could be found for logger
> (org.apache.catalina.startup.Embedded).
> log4j:WARN Please initialize the log4j system properly.
>
> But as in ps -ef | grep java and lsof -i | grep java I did not see any
> 8009 and 8005 port or even that tomcat5 is not starting.
>
> Where could be a problem?
>
> Dne 7. listopadu 2011 12:29 André Warnier napsal(a):
>> Petr Hracek wrote:
>>>
>>> Dear tomcat users,
>>>
>>> I have try to configure my really old tomcat5 configuration (for using
>>> -security).
>>> but tomcat is not running.
>>
>> Petr,
>> can you be a bit more specific ? what is not running ? does it start ? does
>> it crash after starting ? is it just not answering requests ? are there
>> error messages anywhere ?
>>
>> On my system tomcat5 is run only as servlet
>>>
>>> engine and not as web server.
>>>
>> Do you mean for example that it runs as a back-end server (through AJP
>> e.g.), with a front-end webserver serving all static content ?
>>
>>
>>
>>> Do you have any example catalina.policy file?
>>> My catalina.policy file is:
>>> // == SYSTEM CODE PERMISSIONS
>>> =
>>>
>>>
>>> // These permissions apply to javac
>>> grant codeBase "file:${java.home}/lib/-" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to all shared system extensions
>>> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to javac when ${java.home] points at
>>> $JAVA_HOME/jre
>>> grant codeBase "file:${java.home}/../lib/-" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to all shared system extensions when
>>> // ${java.home} points at $JAVA_HOME/jre
>>> grant codeBase "file:${java.home}/lib/ext/-" {
>>> permission java.security.AllPermission;
>>> };
>>> // == CATALINA CODE PERMISSIONS
>>> ===
>>>
>>>
>>> // These permissions apply to the launcher code
>>> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the daemon code
>>> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the commons-logging API
>>> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the server startup code
>>> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the JMX server
>>> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to JULI
>>> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>>> permission java.util.PropertyPermission
>>> "java.util.logging.config.class", "read";
>>> permission java.util.PropertyPermission
>>> "java.util.logging.config.file", "read";
>>> permission java.io.FilePermission
>>> "${java.home}${file.separator}lib${file.separator}logging.properties",
>>> "read";
>>> permission java.lang.RuntimePermission "shutdownHooks";
>>> permission java.io.FilePermission
>>>
>>> "${catalina.base}${file.separator}conf${file.separator}logging.properties",
>>> "read";
>>> permission java.util.PropertyPermission "catalina.base", "read";
>>> permission java.util.logging.LoggingPermission "control";
>>> permission java.io.FilePermission
>>> "${catalina.base}${file.separator}logs", "read, write"
Re: Catalina.policy file for security option
Yes the tomcat should be run as a back-end server (AJP) with apache2-2.2.21.
I have add to the catalina.policy following permission:
permission javax.management.MBeanServerPermission "createMBeanServer";
permission javax.management.MBeamPermission
"com.javamonitor.mbeans.*","*";
permission javax.management.MBeanTrustPermission "register";
permission javax.management.MBeanServerPermission "findMBeanServer";
permission java.net.SocketPermission "java-monitor.com:80", "connect";
permission java.net.SocketPermission "java-monitor.com:80", "resolve";
In the log of catalina.out I see:
log4j:WARN No appenders could be found for logger
(org.apache.catalina.startup.Embedded).
log4j:WARN Please initialize the log4j system properly.
But as in ps -ef | grep java and lsof -i | grep java I did not see any
8009 and 8005 port or even that tomcat5 is not starting.
Where could be a problem?
Dne 7. listopadu 2011 12:29 André Warnier napsal(a):
> Petr Hracek wrote:
>>
>> Dear tomcat users,
>>
>> I have try to configure my really old tomcat5 configuration (for using
>> -security).
>> but tomcat is not running.
>
> Petr,
> can you be a bit more specific ? what is not running ? does it start ? does
> it crash after starting ? is it just not answering requests ? are there
> error messages anywhere ?
>
> On my system tomcat5 is run only as servlet
>>
>> engine and not as web server.
>>
> Do you mean for example that it runs as a back-end server (through AJP
> e.g.), with a front-end webserver serving all static content ?
>
>
>
>> Do you have any example catalina.policy file?
>> My catalina.policy file is:
>> // == SYSTEM CODE PERMISSIONS
>> =
>>
>>
>> // These permissions apply to javac
>> grant codeBase "file:${java.home}/lib/-" {
>> permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to all shared system extensions
>> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>> permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to javac when ${java.home] points at
>> $JAVA_HOME/jre
>> grant codeBase "file:${java.home}/../lib/-" {
>> permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to all shared system extensions when
>> // ${java.home} points at $JAVA_HOME/jre
>> grant codeBase "file:${java.home}/lib/ext/-" {
>> permission java.security.AllPermission;
>> };
>> // == CATALINA CODE PERMISSIONS
>> ===
>>
>>
>> // These permissions apply to the launcher code
>> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>> permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the daemon code
>> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>> permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the commons-logging API
>> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>> permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the server startup code
>> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>> permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the JMX server
>> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>> permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to JULI
>> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>> permission java.util.PropertyPermission
>> "java.util.logging.config.class", "read";
>> permission java.util.PropertyPermission
>> "java.util.logging.config.file", "read";
>> permission java.io.FilePermission
>> "${java.home}${file.separator}lib${file.separator}logging.properties",
>> "read";
>> permission java.lang.RuntimePermission "shutdownHooks";
>> permission java.io.FilePermission
>>
>> "${catalina.base}${file.separator}conf${file.separator}logging.properties",
>> "read";
>> permission java.util.PropertyPermission "catalina.base", "read";
>> permission java.util.logging.LoggingPermission "control";
>> permission java.io.FilePermission
>> "${catalina.base}${file.separator}logs", "read, write";
>> permission java.io.FilePermission
>> "${catalina.base}${file.separator}logs${file.separator}*", "read,
>> write";
>> permission java.lang.RuntimePermission "getClassLoader";
>> // To enable per context logging configuration, permit read
>> access to the appropriate file.
>> // Be sure that the logging configuration is secure before
>> enabling such access
>> // eg for the examples web application:
>> // permission java.io.FilePermission
>>
>> "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
>> "read";
>> };
>>
>>
Re: problem with loading Bouncy Castle
Crypto providers need to be installed into the JRE extension directory
(e.g. $JRE_HOME/lib/ext) and an entry must be added to
$JRE_HOME/lib/security/java.security to install the provider. For
example:
security.provider.5=org.bouncycastle.jce.provider.BouncyCastleProvider
Note the 5 above; each provider needs a unique number and the ordering
determines which provider is used for a given crypto primitive
obtained by code like the following:
Cipher c1 = Cipher.getInstance("DES");
If BC is before the Sun provider, you'll use the BC DES
implementation. Put it last if in doubt. (Although it's arguably
better than Sun in many cases.)
M
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: problem with loading Bouncy Castle
On 08/11/2011 08:47, Jan Vávra wrote:
> Hello,
> I have a problem with loading bouncy castle.
> My code snippet is:
>
> int position = Security.addProvider(new BouncyCastleProvider());
> KeyStore store = KeyStore.getInstance("PKCS12", "BC");
>
> In the application log I have message that BouncyCastleProvider is
> already loaded (position== -1).
> But call of getInstance(.) failed with exception:
> java.security.KeyStoreException: PKCS12 not found
> Caused by: java.security.KeyStoreException: PKCS12 not found
> Caused by: java.security.NoSuchAlgorithmException: class configured for
> KeyStore(provider: BC)cannot be found
> Caused by: java.lang.ClassNotFoundException:
> org.bouncycastle.jce.provider.JDKPKCS12KeyStore$BCPKCS12KeyStore
>
> class JDKPKCS12KeyStore$BCPKCS12KeyStore is contained in
> webapps/appX/WEB-INF/lib/bcprov-ext-jdk16-146.jar
>
> In the catalina log there is a message:
> Nov 8, 2011 8:34:22 AM org.apache.catalina.loader.WebappClassLoader
> loadClass
> INFO: Illegal access: this web application instance has been stopped
> already. Could not load
> org.bouncycastle.jce.provider.JDKPKCS12KeyStore$BCPKCS12KeyStore. The
> eventual following stack trace is caused by an error thrown for
> debugging purposes as well as to attempt to terminate the thread which
> caused the illegal access, and has no functional impact.
> java.lang.IllegalStateException
>
> On the tomcat I have 2 more applications that use the same version of
> bcprov-ext. Each has it in own WEB-INF/lib directory.
>
> Could anybody give me an advice?
> Why tomcat does complaint about "Illegal access"?
> Is there any way how to debug work of
> org.apache.catalina.loader.WebappClassLoader?
>
> My tomcat version is:
> Apache Tomcat/6.0.29 1.6.0_22-b04 Sun Microsystems Inc.
> Linux 2.6.32.36-0.5-default amd64
Try putting the jar in tomcat/lib instead of in each webapp.
p
--
[key:62590808]
signature.asc
Description: OpenPGP digital signature
problem with loading Bouncy Castle
Hello,
I have a problem with loading bouncy castle.
My code snippet is:
int position = Security.addProvider(new BouncyCastleProvider());
KeyStore store = KeyStore.getInstance("PKCS12", "BC");
In the application log I have message that BouncyCastleProvider is
already loaded (position== -1).
But call of getInstance(.) failed with exception:
java.security.KeyStoreException: PKCS12 not found
Caused by: java.security.KeyStoreException: PKCS12 not found
Caused by: java.security.NoSuchAlgorithmException: class configured for
KeyStore(provider: BC)cannot be found
Caused by: java.lang.ClassNotFoundException:
org.bouncycastle.jce.provider.JDKPKCS12KeyStore$BCPKCS12KeyStore
class JDKPKCS12KeyStore$BCPKCS12KeyStore is contained in
webapps/appX/WEB-INF/lib/bcprov-ext-jdk16-146.jar
In the catalina log there is a message:
Nov 8, 2011 8:34:22 AM org.apache.catalina.loader.WebappClassLoader
loadClass
INFO: Illegal access: this web application instance has been stopped
already. Could not load
org.bouncycastle.jce.provider.JDKPKCS12KeyStore$BCPKCS12KeyStore. The
eventual following stack trace is caused by an error thrown for
debugging purposes as well as to attempt to terminate the thread which
caused the illegal access, and has no functional impact.
java.lang.IllegalStateException
On the tomcat I have 2 more applications that use the same version of
bcprov-ext. Each has it in own WEB-INF/lib directory.
Could anybody give me an advice?
Why tomcat does complaint about "Illegal access"?
Is there any way how to debug work of
org.apache.catalina.loader.WebappClassLoader?
My tomcat version is:
Apache Tomcat/6.0.29 1.6.0_22-b04 Sun Microsystems Inc. Linux
2.6.32.36-0.5-default amd64
Thanks.
Jan
Re: Clustering and session persistence across restarts?
On 7 Nov 2011, at 22:23, Al DiVenuti wrote: > Hello, > > I am currently configuring a sandbox development environment with two > clustered Tomcat 6.0.32 instances running on the same Windows XP SP3 > (32-bit) hosts. > > I have a question regarding whether or not the "Manager" > implementations available for a Tomcat 6 Cluster (i.e. the "Delta Manager" > or the "Backup Manager") supports "Restart Persistence" for sessions that > enables the web application's session data to be serialized prior to > shutdown or application reload and then restored when the web application > is restarted as a result of the Tomcat restart or reloading of the web > application. > > The availability of this behavior for the "Standard Manager" is documented > quite clearly at http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html > . > > This is a very useful feature. My review of the Tomcat documentation at > http://tomcat.apache.org/tomcat-6.0-doc/config/cluster-manager.html makes > no mention of that behavior being available for the "Delta Manager" or the > "Backup Manager" - but I want to be certain whether or not it is available. Serialisation to file is not available in the cluster session managers. p > I am happy to provide additional information if my question is not clear. > > Many thanks! > > -Al - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
