Re: Where do I store Images in tomcat structure so that I can retrieve it properly in all browsers
After playing around for a day, this is another solution which worked for me, with Tomcat 7.0.11 in context.xml. I think now I understand how aliases work: /UploadedImages is the alias path and c:/UploadedImages is the docBase to which it refers. Is this understanding correct? In the manager app I see something called /files, not sure what this is?

On 6/2/2012 4:45 AM, Kiran Badi wrote:
> On 6/1/2012 9:27 PM, Christopher Schultz wrote:
>> Kiran,
>> On 5/31/12 10:37 PM, Kiran Badi wrote:
>>> Ok I did it this way in TC 7.0.27 as I decided not to touch the Netbeans setup with 7.0.11 (I had messed up TC 7.0.11 after doing several trial and error stuff, felt real pain). I have TC 7.0.27 running as a Windows service which I use to deploy my latest build every day. In server.xml, I added the below context between the host tags
>> You shouldn't put <Context> elements in server.xml. Also, using a docBase that has files appear at random can be problematic when it comes to caching, etc. and users often have problems.
> Kiran: I had never thought about caching, and caching is one of the key features which I am planning to implement. So I did not use aliases at all; is this a good solution or am I missing something again?
>> Presumably you have an existing webapp that does the upload part: make C:\UploadedImages into an "alias" for that webapp instead of creating a second webapp for it.
> Ok I will give it a try to create an alias and see how it goes. Thanks.
>> -chris
Re: transport CONFIDENTIAL based on remote ip/host filter?
Comments inline below.

On 6/4/2012 4:18 PM, Konstantin Kolinko wrote:
> 2012/6/5 Timothy J Schumacher:
>> We make a piece of IT equipment with tomcat running inside serving an application that acts as the administration console for the device. There is also a firefox browser running inside the equipment that exposes the web application in question on the front panel touchscreen of the device. The device also can be plugged into a network to facilitate remote management via the web application. (...)
>
> Why do you need transport CONFIDENTIAL in your web.xml? Do you have some pages that are accessed via HTTP and some that are only HTTPS on the same Tomcat? That is when you need HTTP -> HTTPS redirection when user comes to the protected part.

I think you are right, I do not really need that. I guess I was really just using CONFIDENTIAL to automatically do the redirect to the https port for me. If I want to have http on port 80 still open to remote users, what is the best way to automatically respond to all requests on http port 80 with a redirect to port 443 without using transport CONFIDENTIAL in my web.xml? This is just a convenience to users who forget to put https (like me) when they open up a browser and type in a url. Should I implement a servlet filter that responds to all requests on port 80 with the redirect?

> If your tomcat serves only administrative console webapp, I think it could be a more simple configuration:
> 1) remove transport-guarantee CONFIDENTIAL
> 2) configure HTTPS connector that is accessible from outside (either do not specify address - to bind on all of them, or specify device's public IP)
> 3) configure HTTP connector with address="127.0.0.1" (no need for secure="true")
>
> This way the HTTP connector binds on the loopback address only and is not accessible from outside, regardless of your web.xml.

Yes, this is way better - Thanks! I guess I wasn't realizing that forcing clients to use https implies "transport confidential" without actually configuring transport confidential in the web.xml.

> If things are more complicated, you could implement a Filter that does the same job as transport-guarantee. The Connector that the client connects to could be distinguished by ServletRequest.getLocalAddr(), getLocalPort(), getScheme().
>
> Best regards,
> Konstantin Kolinko
Re: looking for help with getting tomcat 7 to authenticate aginst windows domain controller from aix 6.1 and 5.3
Mead, Jen L wrote:
> Hi, I am brand new to tomcat 7 and am hoping to get realms set-up for users to use my CGI scripts

You are aware that to run CGI scripts, tomcat may not be the best choice? What is the programming language of your CGI scripts?

> using their windows password. So far I have put a request into the windows group to create a user for this verification.

Well, if your workstations are running Windows in a Windows domain, then you should not need a special user for that; it should work with yours (or whomever is logged in). The point is to have the server authenticate the logged-in user automatically and transparently, no?

> I followed the example in the tomcat manual as follows:

Which Tomcat manual? If you are talking about this: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html then it seems to me that this mechanism implies that your Tomcat server is a Windows host. Did you not mention AIX?

> * Create a domain user that will be mapped to the service name used by the Tomcat server. In this how-to, this user is called tc01 and has a password of tc01pass.
> * Map the service principal name (SPN) to the user account. SPNs take the form /:/. The SPN used in this how-to is HTTP/win-tc01.dev.local. To map the user to the SPN, run the following:

If you determine that you do need Tomcat for this, and you are not under Windows, then I suggest that you have a look at Jespa, at http://www.ioplex.com. It is neither open-source nor free, but it works (on any Java platform) and it is really not expensive. (I have no commercial interest in it, I just use it.)
Re: transport CONFIDENTIAL based on remote ip/host filter?
2012/6/5 Timothy J Schumacher :
> We make a piece of IT equipment with tomcat running inside serving an application that acts as the administration console for the device. There is also a firefox browser running inside the equipment that exposes the web application in question on the front panel touchscreen of the device. The device also can be plugged into a network to facilitate remote management via the web application. (...)

Why do you need transport CONFIDENTIAL in your web.xml? Do you have some pages that are accessed via HTTP and some that are only HTTPS on the same Tomcat? That is when you need HTTP -> HTTPS redirection when user comes to the protected part.

If your tomcat serves only administrative console webapp, I think it could be a more simple configuration:
1) remove transport-guarantee CONFIDENTIAL
2) configure HTTPS connector that is accessible from outside (either do not specify address - to bind on all of them, or specify device's public IP)
3) configure HTTP connector with address="127.0.0.1" (no need for secure="true")

This way the HTTP connector binds on the loopback address only and is not accessible from outside, regardless of your web.xml.

If things are more complicated, you could implement a Filter that does the same job as transport-guarantee. The Connector that the client connects to could be distinguished by ServletRequest.getLocalAddr(), getLocalPort(), getScheme().

Best regards,
Konstantin Kolinko
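The Filter that Konstantin sketches in the last paragraph, written out as an added example; it is not code from this thread or from Tomcat. It does what transport-guarantee CONFIDENTIAL does (bounce plain-HTTP requests to HTTPS) but exempts requests that arrived on a connector bound to a loopback address, which is the kiosk case described above. Assumptions: the Servlet 2.5 API that Tomcat 6 provides, and two hypothetical init-params, httpsPort (default 443) and canonicalHost, whose names are mine.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the mailing-list thread, not Tomcat code).
 * Enforces HTTPS for every request except those that arrived on a
 * loopback-bound connector, so a local kiosk browser may use HTTP while
 * all remote clients are redirected to TLS.
 *
 * Init-params (hypothetical names, assumed for this example):
 *   httpsPort      port of the HTTPS connector, default 443
 *   canonicalHost  host name to redirect to; if absent the Host header is used
 */
public class LoopbackExemptConfidentialFilter implements Filter {

    private int httpsPort = 443;
    private String canonicalHost = null;

    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("httpsPort");
        if (p != null) {
            httpsPort = Integer.parseInt(p.trim());
        }
        canonicalHost = cfg.getInitParameter("canonicalHost");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Already TLS (or a connector marked secure="true"), or accepted on the
        // loopback connector: nothing to enforce, pass the request through.
        if (request.isSecure() || isLoopback(request.getLocalAddr())) {
            chain.doFilter(req, res);
            return;
        }

        // Only idempotent requests are bounced. A POST sent in the clear has
        // already leaked its body, and a redirect would silently drop it.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // Prefer a configured host name: the Host header is client-supplied and
        // would otherwise let a caller steer the redirect to a site of its choice.
        String host = (canonicalHost != null) ? canonicalHost : request.getServerName();
        StringBuilder target = new StringBuilder("https://").append(host);
        if (httpsPort != 443) {
            target.append(':').append(httpsPort);
        }
        target.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.sendRedirect(target.toString());
    }

    public void destroy() {
    }

    // getLocalAddr() is the textual IP the connector accepted on, e.g.
    // "127.0.0.1" or "0:0:0:0:0:0:0:1"; InetAddress parses a literal without DNS.
    private static boolean isLoopback(String localAddr) {
        if (localAddr == null) {
            return false;
        }
        try {
            return InetAddress.getByName(localAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }
}
```

Map it in web.xml with a filter-mapping on /* and drop the transport-guarantee element, since the filter now does that job. The loopback exemption is only as safe as the connector configuration: it relies on the HTTP connector that is meant for the kiosk being bound with address="127.0.0.1", exactly as in Konstantin's step 3, and on nothing on the device proxying external traffic to that port. If the loopback-only connector is all you need, the simpler three-step configuration above makes this filter unnecessary.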
RE: looking for help with getting tomcat 7 to authenticate aginst windows domain controller from aix 6.1 and 5.3
Correct. The critical requirement from the client would be to supply the user's password, which is hashed by the AS to a secret key, which encrypts into the generated TGS secret key, which is later encrypted into the TGT with the secret key.
http://en.wikipedia.org/wiki/Kerberos_(protocol)#Client_Authentication

Martin..
Re: transport CONFIDENTIAL based on remote ip/host filter?
See inline comments below. Thanks again for your time!
Tim

On 6/4/2012 2:35 PM, Konstantin Kolinko wrote:
> 2012/6/4 Timothy J Schumacher:
>> On 5/31/2012 1:30 PM, Konstantin Kolinko wrote:
>>> 2012/5/31 Timothy J Schumacher:
>>>> Hi,
>>>> We are using Apache Tomcat 6.0.35
>>>> with
>>>> # java -version
>>>> java version "1.6.0_30"
>>>> Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
>>>> Java HotSpot(TM) Client VM (build 20.5-b03, mixed mode, sharing)
>>>> in redhat linux.
>>>> I am wondering if there is a way to use transport CONFIDENTIAL for all hosts that are not localhost? I am guessing the servlet spec does not allow this, it seems to be all or none in the web.xml config. Perhaps there is a way configure transport NONE in web.xml and then manually configure a valve/filter in context.xml that would enforce CONFIDENTIAL to all remote hosts but let localhost pass without redirects to port 443?
>>>> Any ideas are appreciated!
>>>
>>> It will
>>> 1. Listen on localhost only.
>>> 2. Be treated by Tomcat as if it were an HTTPS connection.
>>
>> Hi Konstantine, thanks this works! I have one more question. I assume that setting secure="true" means that the cookie JSESSIONID has "Secure" set. This causes my browser (an old version of FF) to not send the cookie which I assume is due to the fact that the communication is over a plain http connection. Since we have not diligently coded encodeURLs everywhere the application loses the session on occasion. Is there a way to tell the component that sets the cookie to not set "Secure" only for this particular connector?
>
> Why do you want to avoid HTTPS so much?

We make a piece of IT equipment with tomcat running inside serving an application that acts as the administration console for the device. There is also a firefox browser running inside the equipment that exposes the web application in question on the front panel touchscreen of the device. The device also can be plugged into a network to facilitate remote management via the web application.

We run the local firefox in kiosk mode, and when the device is powered on, firefox prompts the user about security certificate warnings and alerts the user when you are about to view encrypted pages and when you are about to leave encrypted pages. On top of that, if the user isn't there to accept the warnings/prompts the local browser seems to timeout and become unresponsive which requires a restart of firefox. I have tried to get the certificates loaded and setting preferences inside our local firefox, but so far have not had success. We just want the local front panel to show the login screen and not prompt/warn the user and I suppose the real fix is to learn the proper way to set up the local firefox but all attempts at getting this correct have been unsuccessful so far. Since I am more familiar with tomcat and the tomcat documentation is easier to follow than the old firefox docs, I thought it could be easier to accomplish this by just configuring something that makes tomcat treat the local firefox differently.

> The recipe that I gave you is usually used in the scenario when Tomcat is behind a proxy that uses HTTP protocol (instead of AJP one). That is: a proxy (e.g. Apache HTTPD) does HTTPS, decodes the connection and forwards request through HTTP. The "secure" attribute that I mentioned is similar to "proxyHost" and "proxyPort" connector attributes. It is not there to fool the picture, but to provide some information to Tomcat that it does not know by itself. In that scenario the browser will not have any problems with secure cookies, because from its side it sees the site through HTTPS.
>
> I think that in your case you can turn off cookies support in browser and to rely on sessionid being encoded in URLs. URLs are not a subject to "secure cookies" limitation.

I was afraid this could be the answer... Unfortunately we have not been very good about using url encoding in our app and there are lots of jsps with lots of links that need to be wrapped with encodeURL calls but that is our problem :) I was just hoping for "a big hammer" to get it fixed in the short term.

> I do not remember any option to turn off "secure" bit in cookies. If there were one, I think it would be on Context. If you want to implement a trick, I think a Valve can affect create session cookie or "set-cookie" header, clearing the flag.

I will give the valve idea a try. That seems promising.

> You can look into the code for more details. If you want to try running Tomcat with a debugger, there are tips in the FAQ, or ask here. YMMV.
>
> Best regards,
> Konstantin Kolinko
Re: daemon thread causing tomcat process to live on
Chad,

On 6/4/12 5:29 PM, chad.da...@emc.com wrote:
> I've got a daemon thread that seems to run after the tomcat has received the shutdown signal. It's a TimerTask and it appears to fire again after the webapp itself has been shutdown. This then seems to cause the whole jvm to live on, sometimes for a couple of minutes, sometimes much longer.
>
> The timertask blows up with classnotfounds because the webapp classloader is gone. Shouldn't it be killed when the webapp is killed?

Tomcat won't stop threads created by your webapp: that's up to you.

> How do I troubleshoot this?

First, you'll have to find out where the thread is being created. Ideally, it will be created in a ServletContextListener's or a Servlet's init method. Just add appropriate code to the destroy() method to shut down the thread. Depending on what the thread does, you may need to modify the task being executed so that it can be gracefully cancelled when your webapp stops.

-chris
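An added example of the pattern Chris describes, written for this page and not taken from the thread or from Tomcat: a ServletContextListener that owns the periodic task and stops it in contextDestroyed(), so the thread never outlives the webapp's class loader. A ScheduledExecutorService stands in for java.util.Timer because it can be shut down and waited on; note that new Timer() creates a non-daemon thread that keeps the JVM alive until cancel() is called, and even a daemon Timer keeps firing into a dead class loader until the JVM exits. The task body (purging stale files from the webapp's temp directory), the period and the timeout are assumptions chosen for the example.

```java
import java.io.File;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

/**
 * Added example (not from the mailing-list thread, not Tomcat code).
 * Starts the webapp's housekeeping thread on context start and stops it,
 * with a bounded wait, on context stop. Register it in web.xml with a
 * <listener> element (or @WebListener on Servlet 3.0).
 */
public class HousekeepingListener implements ServletContextListener {

    // Assumed values; pick what the real task needs.
    private static final long PERIOD_SECONDS = 60;
    private static final long STOP_TIMEOUT_SECONDS = 10;
    private static final long MAX_AGE_MILLIS = 24L * 60 * 60 * 1000;

    private ScheduledExecutorService scheduler;

    public void contextInitialized(ServletContextEvent sce) {
        final ServletContext ctx = sce.getServletContext();
        scheduler = Executors.newSingleThreadScheduledExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                // Named so it stands out in a thread dump; daemon so that it can
                // never by itself keep the JVM alive if shutdown is ever missed.
                Thread t = new Thread(r, "housekeeping-" + ctx.getContextPath());
                t.setDaemon(true);
                return t;
            }
        });
        scheduler.scheduleWithFixedDelay(new Runnable() {
            public void run() {
                try {
                    purgeStaleTempFiles(ctx);
                } catch (RuntimeException e) {
                    // An exception escaping run() silently cancels all future runs.
                    ctx.log("housekeeping failed", e);
                }
            }
        }, PERIOD_SECONDS, PERIOD_SECONDS, TimeUnit.SECONDS);
    }

    public void contextDestroyed(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        if (scheduler == null) {
            return;
        }
        // shutdownNow() drops queued runs and interrupts a run in progress;
        // awaitTermination() makes the webapp stop block until the thread is gone.
        scheduler.shutdownNow();
        try {
            if (!scheduler.awaitTermination(STOP_TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                ctx.log("housekeeping thread did not stop within " + STOP_TIMEOUT_SECONDS
                        + "s; look for blocking calls in the task that ignore interrupt");
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        scheduler = null;
    }

    /**
     * Hypothetical task body: deletes files older than MAX_AGE_MILLIS from the
     * container-provided temp directory. It checks the interrupt flag between
     * units of work so that shutdownNow() can actually stop it mid-run.
     */
    static int purgeStaleTempFiles(ServletContext ctx) {
        File tmp = (File) ctx.getAttribute("javax.servlet.context.tempdir");
        File[] files = (tmp == null) ? null : tmp.listFiles();
        if (files == null) {
            return 0;
        }
        long cutoff = System.currentTimeMillis() - MAX_AGE_MILLIS;
        int removed = 0;
        for (File f : files) {
            if (Thread.currentThread().isInterrupted()) {
                break;
            }
            if (f.isFile() && f.lastModified() < cutoff && f.delete()) {
                removed++;
            }
        }
        return removed;
    }
}
```

If the existing code really must stay on java.util.Timer, the same shape applies: keep the Timer in a field, call timer.cancel() in contextDestroyed(), and make the TimerTask's run() return promptly when it is cancelled, because cancel() does not interrupt a run already in progress.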
daemon thread causing tomcat process to live on
I've got a daemon thread that seems to run after the tomcat has received the shutdown signal. It's a TimerTask and it appears to fire again after the webapp itself has been shutdown. This then seems to cause the whole jvm to live on, sometimes for a couple of minutes, sometimes much longer. The timertask blows up with classnotfounds because the webapp classloader is gone. Shouldn't it be killed when the webapp is killed? How do I troubleshoot this?
RE: looking for help with getting tomcat 7 to authenticate aginst windows domain controller from aix 6.1 and 5.3
Now that I am looking further into this, I am almost convinced that I don't need Kerberos on the AIX webserver but only in the client (PC that is accessing the pages that are going to authenticate). I don't get the feeling that many people are doing this (just using a keytab file with an AD account and tweaking the conf files on the UNIX box where tomcat is installed). This is the only response so far.

Jen
Re: transport CONFIDENTIAL based on remote ip/host filter?
2012/6/4 Timothy J Schumacher :
> On 5/31/2012 1:30 PM, Konstantin Kolinko wrote:
>> 2012/5/31 Timothy J Schumacher:
>>> Hi,
>>> We are using Apache Tomcat 6.0.35
>>> with
>>> # java -version
>>> java version "1.6.0_30"
>>> Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
>>> Java HotSpot(TM) Client VM (build 20.5-b03, mixed mode, sharing)
>>> in redhat linux.
>>> I am wondering if there is a way to use transport CONFIDENTIAL for all hosts that are not localhost? I am guessing the servlet spec does not allow this, it seems to be all or none in the web.xml config. Perhaps there is a way configure transport NONE in web.xml and then manually configure a valve/filter in context.xml that would enforce CONFIDENTIAL to all remote hosts but let localhost pass without redirects to port 443?
>>> Any ideas are appreciated!
>>
>> It will
>> 1. Listen on localhost only.
>> 2. Be treated by Tomcat as if it were an HTTPS connection.
>
> Hi Konstantine, thanks this works! I have one more question. I assume that setting secure="true" means that the cookie JSESSIONID has "Secure" set. This causes my browser (an old version of FF) to not send the cookie which I assume is due to the fact that the communication is over a plain http connection. Since we have not diligently coded encodeURLs everywhere the application loses the session on occasion. Is there a way to tell the component that sets the cookie to not set "Secure" only for this particular connector?

Why do you want to avoid HTTPS so much?

The recipe that I gave you is usually used in the scenario when Tomcat is behind a proxy that uses HTTP protocol (instead of AJP one). That is: a proxy (e.g. Apache HTTPD) does HTTPS, decodes the connection and forwards request through HTTP. The "secure" attribute that I mentioned is similar to "proxyHost" and "proxyPort" connector attributes. It is not there to fool the picture, but to provide some information to Tomcat that it does not know by itself. In that scenario the browser will not have any problems with secure cookies, because from its side it sees the site through HTTPS.

I think that in your case you can turn off cookies support in browser and to rely on sessionid being encoded in URLs. URLs are not a subject to "secure cookies" limitation.

I do not remember any option to turn off "secure" bit in cookies. If there were one, I think it would be on Context. If you want to implement a trick, I think a Valve can affect create session cookie or "set-cookie" header, clearing the flag. You can look into the code for more details. If you want to try running Tomcat with a debugger, there are tips in the FAQ, or ask here. YMMV.

Best regards,
Konstantin Kolinko
RE: looking for help with getting tomcat 7 to authenticate aginst windows domain controller from aix 6.1 and 5.3
Assuming you're auth'ing against ADS then your Servlet will have to load an ADS Authentication library and then extract auth creds to validate against ADS.. By the way ADS is native windows code so the only option to make ADS run on AIX is thru a Windows Emulator such as WINE http://www.winehq.org/download And yes if your ADS library forces Kerberos Authentication thru TC NegotiateAuthenticator valve (such as waffle).. then the answer is yes you will need to accommodate Kerberos Authentication Tokens http://code.dblock.org/single-sign-on-tomcat-negotiate-authenticator-kerberos-ntlm-w-waffle

Keep in mind that the majority of ADS Libraries are written for native windows so turn your radar on for
1) 32bit vs 64bit ADS Deployments
2) Specific .NET Framework implementations (v1 or v2 or v3) for ADS
3) Threaded vs non-threaded singleton library dependencies for ADS (keep the other library off the path)

    // somewhere in your code you have a javax.net.ssl.SSLSessionContext concrete class ..
    // then get the SSLSession with your JSessionID
    javax.net.ssl.SSLSession ssl_session = SSLSessionContext.getSession(JSessionID.getBytes());
    // extract PeerPrincipal from your SSLSession
    java.security.Principal principal = (java.security.Principal) ssl_session.getPeerPrincipal();
    // test Principal for Kerberos
    if (principal instanceof KerberosPrincipal) {
        serverName = sun.security.util.HostnameChecker.getServerName((KerberosPrincipal) principal);
    }

http://www.docjar.com/html/api/sun/security/util/HostnameChecker.java.html

I would not deploy on AIX and deploy on a windows box.. far easier to load ADS Server and ADS client code windows code to test on guys.. any suggestions?

Martin

From: mead@con-way.com
To: users@tomcat.apache.org
Date: Mon, 4 Jun 2012 11:42:38 -0700
Subject: looking for help with getting tomcat 7 to authenticate aginst windows domain controller from aix 6.1 and 5.3

Hi, I am brand new to tomcat 7 and am hoping to get realms set-up for users to use my CGI scripts using their windows password. So far I have put a request into the windows group to create a user for this verification. I followed the example in the tomcat manual as follows:

Create a domain user that will be mapped to the service name used by the Tomcat server. In this how-to, this user is called tc01 and has a password of tc01pass.

Map the service principal name (SPN) to the user account. SPNs take the form /:/. The SPN used in this how-to is HTTP/win-tc01.dev.local. To map the user to the SPN, run the following: setspn -A HTTP/win-tc01.dev.local tc01

Generate the keytab file that the Tomcat server will use to authenticate itself to the domain controller. This file contains the Tomcat private key for the service provider account and should be protected accordingly. To generate the file, run the following command (all on a single line): ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL /princ HTTP/win-tc01.dev.local@DEV.LOCAL /pass tc01pass /kvno 0

Create a domain user to be used on the client. In this how-to the domain user is test with a password of testpass.

I then went into the next section and started to do some configuration on the tomcat server, which right now is a prototype and is an AIX box running 5300-12-04-1119. My question is: does the box need to be configured for Kerberos? If so how does the Kerberos authentication work with tomcat? The above code sent to the windows group creates a tomcat user, should there also be a Kerberos user? How would they work together? Or do they need to? Should they be the same user? The documentation does not address this situation in any way at all except to specify that Kerberos is required on the unix box, it doesn't address AIX specifically ever. I work at a place where the admin team is half way around the world. So each and every request and test is painstakingly long and obscure for the most part. So any and all information I come armed with is the only way to fly. Has anyone succeeded with this on unix or better yet AIX? Any and all information is greatly appreciated.

Regards, Jen in Oregon
Re: Mapping a servlet to the application's context root results in IAE
Here it is: https://issues.apache.org/bugzilla/show_bug.cgi?id=53356

Thanks
Violeta

2012/6/4 Mark Thomas
> On 04/06/2012 19:25, Violeta Georgieva wrote:
> > Hi,
> >
> > I'm using Tomcat 7.0.27.
> >
> > I have an application and I want to map my servlet to the application's
> > context root, but I do not want to override the "/" mapping for the
> > "default" servlet.
> >
> > It is specified in the Servlet spec that there is a "special" url mapping
> > that can be used for such purposes and it is an empty string ("").
>
> That feature is not implemented in Tomcat. I don't see it in the spec's
> change log which is why I suspect it is so little used that no-one else
> has noticed it doesn't work until now.
>
> Please file a BZ issue and this should get fixed for the next release.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Mapping a servlet to the application's context root results in IAE
On 04/06/2012 19:25, Violeta Georgieva wrote:
> Hi,
>
> I'm using Tomcat 7.0.27.
>
> I have an application and I want to map my servlet to the application's
> context root, but I do not want to override the "/" mapping for the
> "default" servlet.
>
> It is specified in the Servlet spec that there is a "special" url mapping
> that can be used for such purposes and it is an empty string ("").

That feature is not implemented in Tomcat. I don't see it in the spec's change log which is why I suspect it is so little used that no-one else has noticed it doesn't work until now.

Please file a BZ issue and this should get fixed for the next release.

Mark
Re: Request for or as element inside
Esmond,

On 6/3/12 9:23 PM, Esmond Pitt wrote:
> I have a large and growing number of requirements for aliases, and
> the existing (new for Tomcat 7) aliases= attribute is unwieldy for
> me. The line is already 289 characters long ;-(
>
> It would be a lot more convenient if aliases could be specified
> individually via a repeatable nested entry, something
> like:
>
> ...

Please file an enhancement request in bugzilla:
https://issues.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%207

-chris
Re: ROOT.xml problem
Stefan,

On 6/3/12 9:20 AM, Stefan Mayr wrote:
> Steps:
> 1. remove everything you did to make it work as ROOT; back
> to the working /corda version

+1

> 2. Create a redirect in your ROOT context
>
> Options to make no. 2 work: create webapps/ROOT/index.jsp with
> content
>
> <% response.sendRedirect("http://yourhostname:8080/corda/"); %>
>
> or a simple html-only version index.html:

Another option would be to redirect even earlier using a filter like url-rewrite.

-chris
Re: ROOT.xml problem
Kevin,

On 6/3/12 3:17 AM, Kevin Marx wrote:
> in the browser I am entering http://localhost:8080
>
> the URL it comes up with is thus:
>
> http://localhost:8080/dashboards/welcome/main.dashxml
>
> However it should be:
>
> http://localhost:8080/corda/dashboards/welcome/main.dashxml
>
> This URL will work when entered. The /corda is necessary
>
> Why is the /corda missing from the URL? What needs to be in the
> ROOT.xml file to make it show up?

I just felt a searing pain in my brain.

Haven't you been trying to make your "corda" into the ROOT webapp?

You keep using that word (ROOT). I do not think it means what you think it means.

-chris
looking for help with getting tomcat 7 to authenticate against windows domain controller from aix 6.1 and 5.3
Hi,

I am brand new to tomcat 7 and am hoping to get realms set-up for users to use my CGI scripts using their windows password. So far I have put a request into the windows group to create a user for this verification. I followed the example in the tomcat manual as follows:

* Create a domain user that will be mapped to the service name used by the Tomcat server. In this how-to, this user is called tc01 and has a password of tc01pass.
* Map the service principal name (SPN) to the user account. SPNs take the form /:/. The SPN used in this how-to is HTTP/win-tc01.dev.local. To map the user to the SPN, run the following:
      setspn -A HTTP/win-tc01.dev.local tc01
* Generate the keytab file that the Tomcat server will use to authenticate itself to the domain controller. This file contains the Tomcat private key for the service provider account and should be protected accordingly. To generate the file, run the following command (all on a single line):
      ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL /princ HTTP/win-tc01.dev.local@DEV.LOCAL /pass tc01pass /kvno 0
* Create a domain user to be used on the client. In this how-to the domain user is test with a password of testpass.

I then went into the next section and started to do some configuration on the tomcat server, which right now is a prototype and is an AIX box running 5300-12-04-1119.

My question is: does the box need to be configured for Kerberos? If so, how does the Kerberos authentication work with tomcat? The above code sent to the windows group creates a tomcat user; should there also be a Kerberos user? How would they work together? Or do they need to? Should they be the same user?

The documentation does not address this situation in any way at all except to specify that Kerberos is required on the unix box; it doesn't address AIX specifically ever. I work at a place where the admin team is half way around the world, so each and every request and test is painstakingly long and obscure for the most part. So any and all information I come armed with is the only way to fly. Has anyone succeeded with this on unix or, better yet, AIX? Any and all information is greatly appreciated.

Regards,
Jen in Oregon
Mapping a servlet to the application's context root results in IAE
Hi,

I'm using Tomcat 7.0.27.

I have an application and I want to map my servlet to the application's context root, but I do not want to override the "/" mapping for the "default" servlet.

It is specified in the Servlet spec that there is a "special" url mapping that can be used for such purposes and it is an empty string ("").

I tried several approaches to specify this via web.xml and annotation:

1) Approach one
   TestServlet ""

2) Approach two
   TestServlet2

3) Approach three
   @WebServlet(urlPatterns={""})

In all three cases I'm receiving:

Caused by: java.lang.IllegalArgumentException: Invalid in servlet mapping
    at org.apache.catalina.core.StandardContext.addServletMapping(StandardContext.java:3208)
    at org.apache.catalina.core.StandardContext.addServletMapping(StandardContext.java:3183)
    at org.apache.catalina.deploy.WebXml.configureContext(WebXml.java:1302)
    at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1305)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:855)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:346)

What should I do in order to have this running?

Thanks in advance
Regards
Violeta

pp: Extract from the spec

12.2 Specification of Mappings

In the Web application deployment descriptor, the following syntax is used to define mappings:

■ A string beginning with a '/' character and ending with a '/*' suffix is used for path mapping.
■ A string beginning with a '*.' prefix is used as an extension mapping.
■ The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form http://host:port//. In this case the path info is '/' and the servlet path and context path is empty string ("").
■ A string containing only the '/' character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
■ All other strings are used for exact matches only.
Re: tomcat full GC every 2 minutes for first 6 hours after war reload
On 29.05.2012 17:03, Kevin wrote:
> Hi
>
> We have a cluster of tomcat servers being used on a very high volume website. We've noticed that for the first 5-6 hours after an application re-load that Full GC will run every 2 minutes pausing the application for anywhere between 5 and 20 seconds. After 5-6 hours the full GC will no longer run until tomcat is reloaded. This behavior is repeatable.
>
> We discounted our EhCache settings as potential issue because tomcat can be killed without this issue showing up. It's not until we actually reload the WAR with changes (clearing the work directory) and restart tomcat that this issue shows up. Traffic level isn't a factor; we'll go through our peak hours with no problem.
>
> The servers are all dual quad core with 32GB of RAM running Centos 5 and tomcat 6.0.18. We've attempted every suggested GC setting change suggested on the net and by developers and system administrators. Our java opts are being played with on a daily basis, however here are the settings that correspond to the sample GC log below:
>
> -server -Xmx27g -Xms27g -XX:+DisableExplicitGC -XX:+UseConcMarkSweepGC -XX:+PrintTenuringDistribution -Dsun.rmi.dgc.client.gcInterval=90 -Dsun.rmi.dgc.server.gcInterval=90 -XX:NewSize=8g -XX:SurvivorRatio=16 -verbose:gc -XX:+PrintGCTimeStamps -XX:+PrintGCDetails
>
> 343.376: [Full GC 343.378: [CMS: 1158107K->1312570K(19922944K), 3.4129290 secs] 2884580K->1312570K(27845568K), [CMS Perm : 83964K->47203K(83968K)], 3.4168600 secs] [Times: user=3.87 sys=0.02, real=3.41 secs]
> 20526.469: [Full GC 20526.475: [CMS: 9175755K->9210800K(19922944K), 33.1161300 secs] 13632232K->9210800K(27845568K), [CMS Perm : 83967K->53332K(83968K)], 33.1254170 secs] [Times: user=33.12 sys=0.02, real=33.12 secs]

Looks to me as if the perm gen fills up and triggers the Full GC. Then perm gen is back to only being used by about 60%, but rapidly fills up again. So it seems you are using a lot of classes that are only used for a short period of time.

Add -XX:+TraceClassUnloading, which adds the names of the classes which are unloaded to the GC output. Then check whether the names of the classes give you an idea why you load and unload that many classes for a long time (and why it finally gets stable).

Regards,

Rainer
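As an added example that is not part of the thread: a small Python script that parses Full GC lines in the JDK 6 CMS log format Kevin posted, works out how full the perm gen and the old gen were before each collection (which is how Rainer reads the two lines), and counts the "[Unloading class ...]" lines that -XX:+TraceClassUnloading adds, grouped by package. The two Full GC lines are the ones from the thread; the unloading lines and the 98% threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: the two Full GC lines are copied from the thread; the three
# "[Unloading class ...]" lines mimic what -XX:+TraceClassUnloading adds on JDK 6.
SAMPLE_GC_LOG = """\
343.376: [Full GC 343.378: [CMS: 1158107K->1312570K(19922944K), 3.4129290 secs] 2884580K->1312570K(27845568K), [CMS Perm : 83964K->47203K(83968K)], 3.4168600 secs] [Times: user=3.87 sys=0.02, real=3.41 secs]
[Unloading class sun.reflect.GeneratedMethodAccessor42]
[Unloading class sun.reflect.GeneratedSerializationConstructorAccessor7]
[Unloading class org.apache.jsp.index_jsp]
20526.469: [Full GC 20526.475: [CMS: 9175755K->9210800K(19922944K), 33.1161300 secs] 13632232K->9210800K(27845568K), [CMS Perm : 83967K->53332K(83968K)], 33.1254170 secs] [Times: user=33.12 sys=0.02, real=33.12 secs]
"""

# One Full GC line as -XX:+PrintGCDetails writes it for the CMS collector on JDK 6.
FULL_GC_RE = re.compile(
    r"^(?P<ts>\d+\.\d+): \[Full GC .*?"
    r"\[CMS: (?P<old_before>\d+)K->(?P<old_after>\d+)K\((?P<old_cap>\d+)K\).*?"
    r"\[CMS Perm : (?P<perm_before>\d+)K->(?P<perm_after>\d+)K\((?P<perm_cap>\d+)K\)\], "
    r"(?P<pause>\d+\.\d+) secs\]"
)
UNLOAD_RE = re.compile(r"^\[Unloading class (?P<cls>\S+)\]")

def parse_full_gcs(log_text, fill_threshold=0.98):
    """One dict per Full GC line; the trigger is guessed from how full perm and old gen were."""
    events = []
    for line in log_text.splitlines():
        m = FULL_GC_RE.match(line)
        if not m:
            continue
        ev = {k: (float(v) if k in ("ts", "pause") else int(v))
              for k, v in m.groupdict().items()}
        ev["perm_fill_before"] = ev["perm_before"] / ev["perm_cap"]
        ev["old_fill_before"] = ev["old_before"] / ev["old_cap"]
        # A perm gen at the threshold while the old gen has headroom points at
        # class churn (as in the thread), not at heap pressure.
        if ev["perm_fill_before"] >= fill_threshold:
            ev["trigger"] = "perm-gen-full"
        elif ev["old_fill_before"] >= fill_threshold:
            ev["trigger"] = "old-gen-full"
        else:
            ev["trigger"] = "other"
        events.append(ev)
    return events

def unloaded_classes_by_package(log_text):
    """Count [Unloading class ...] lines by their first two package segments."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UNLOAD_RE.match(line)
        if m:
            counts[".".join(m.group("cls").split(".")[:2])] += 1
    return counts
```

On the two lines from the thread both Full GCs are classified as perm-gen-full (the perm gen was within a few KB of its 83968K capacity) while the old gen was only 6% and 46% full, which matches Rainer's reading.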
Re: transport CONFIDENTIAL based on remote ip/host filter?
On 5/31/2012 1:30 PM, Konstantin Kolinko wrote:
> 2012/5/31 Timothy J Schumacher:
> > Hi,
> >
> > We are using Apache Tomcat 6.0.35 with
> >
> > # java -version
> > java version "1.6.0_30"
> > Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
> > Java HotSpot(TM) Client VM (build 20.5-b03, mixed mode, sharing)
> >
> > in redhat linux.
> >
> > I am wondering if there is a way to use transport CONFIDENTIAL for all hosts that are not localhost? I am guessing the servlet spec does not allow this, it seems to be all or none in the web.xml config. Perhaps there is a way configure transport NONE in web.xml and then manually configure a valve/filter in context.xml that would enforce CONFIDENTIAL to all remote hosts but let localhost pass without redirects to port 443?
> >
> > Any ideas are appreciated!
>
> It will
> 1. Listen on localhost only.
> 2. Be treated by Tomcat as if it were an HTTPS connection.

Hi Konstantine, thanks this works!

I have one more question. I assume that setting secure="true" means that the cookie JSESSIONID has "Secure" set. This causes my browser (an old version of FF) to not send the cookie, which I assume is due to the fact that the communication is over a plain http connection. Since we have not diligently coded encodeURLs everywhere the application loses the session on occasion. Is there a way to tell the component that sets the cookie to not set "Secure" only for this particular connector?

Thanks again!
Tim