Re: restrict per user public_html to serve static files only...
Kim wrote: Hi, Dear all I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11. I need to enable public_html for my user but for security reason, I would like restrict the functions to serve static files only. Can anyone tell me how to do that ? Actually I can build tomcat from src and don't mind modify the code base for this specific feature. Can anyone help me to point out which source file I should modify ... Regards, Kim Modifying the Tomcat code base for this seems to me a heavy, non-portable, non-maintainable, non-upgradable solution. You could this with a very simple (*) Servlet Filter. One may already exist which does that. I'd be surprised if you couldn't do that with, for example, the URLRewrite filter. http://www.tuckey.org/urlrewrite/ Rewrite URLs that do not point to static pages, to some error page URL, et voila. (better : rewrite all /public_html/* URLs to the error page, /except/ if they end in \.(xxx|yyy|zzz)) (*) and light and portable and maintainable and upgradable - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: restrict per user public_html to serve static files only...
Hi,Andre Thanks for the advice. I do implement a Valve class to capture all the request before forwarding to actual web app. However, I can not know in advance the actual url for the servlet or JSP .. i.e. I can not know from the URI in the Valve class that the resources is static files or servlet ... Regards, Kim 2012/6/27 André Warnier a...@ice-sa.com: Kim wrote: Hi, Dear all I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11. I need to enable public_html for my user but for security reason, I would like restrict the functions to serve static files only. Can anyone tell me how to do that ? Actually I can build tomcat from src and don't mind modify the code base for this specific feature. Can anyone help me to point out which source file I should modify ... Regards, Kim Modifying the Tomcat code base for this seems to me a heavy, non-portable, non-maintainable, non-upgradable solution. You could this with a very simple (*) Servlet Filter. One may already exist which does that. I'd be surprised if you couldn't do that with, for example, the URLRewrite filter. http://www.tuckey.org/urlrewrite/ Rewrite URLs that do not point to static pages, to some error page URL, et voila. (better : rewrite all /public_html/* URLs to the error page, /except/ if they end in \.(xxx|yyy|zzz)) (*) and light and portable and maintainable and upgradable - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
how to configure Tomcat for leveraging browser caching?
Hi , I ran Google's Page Speed( https://developers.google.com/speed/pagespeed/ ) on our web app to analyze and optimize our web site . One of the many items under Web Performance Best Practices ( https://developers.google.com/speed/docs/best-practices/caching#LeverageBrowserCaching ) as listed in Page Speed says To take advantage of the full benefits of caching consistently across all browsers, we recommend that you configure your web server to explicitly set caching headers and apply them to all cacheable static resources, not just a small subset (such as images). Cacheable resources include JS and CSS files, image files, and other binary object files (media files, PDFs, Flash files, etc.). In general, HTML is not static, and shouldn't be considered cacheable. How do I configure tomcat to achieve the same ? I know it can be done via Filters by putting some HTTP headers but can we do it without touching code just by configuration ? Regards, Subhrajyoti Mobile: +919830079545 Mail: choudh...@labware.com Web: www.labware.com LabWare LIMS Solutions - Results Count
Re: restrict per user public_html to serve static files only...
On 27.06.2012 06:58, Kim wrote: I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11. I need to enable public_html for my user but for security reason, I would like restrict the functions to serve static files only. Can anyone tell me how to do that ? IMO apache httpd suits better in this situation. There's built in support for public_html directories. Since all you need is to serve static files I see no point in using tomcat. -- Mikolaj Rydzewski m...@ceti.pl - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: restrict per user public_html to serve static files only...
Hi,Mikolaj Actually I would like to get rid of apache httpd Regards, Kim 2012/6/27 Mikolaj Rydzewski m...@ceti.pl: On 27.06.2012 06:58, Kim wrote: I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11. I need to enable public_html for my user but for security reason, I would like restrict the functions to serve static files only. Can anyone tell me how to do that ? IMO apache httpd suits better in this situation. There's built in support for public_html directories. Since all you need is to serve static files I see no point in using tomcat. -- Mikolaj Rydzewski m...@ceti.pl - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: restrict per user public_html to serve static files only...
Regarding the style of communications : on this list, it is preferred if posters answer *below* the respective text to which they refer, not on top of the message. It makes it so much easier to follow the flow of the conversation (rather than having to scroll up and down to find the appropriate paragraph). Kim wrote: Hi,Andre Thanks for the advice. I do implement a Valve class to capture all the request before forwarding to actual web app. However, I can not know in advance the actual url for the servlet or JSP .. i.e. I can not know from the URI in the Valve class that the resources is static files or servlet ... How so ? can you explain ? After all, Tomcat itself has to know if the resource being served is a servlet or jsp page or something else, in order to serve it properly. So how come you cannot do the same ? Another question : where is this public_html directory (?) actually located, and what does/can it contain, other than static pages ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: restrict per user public_html to serve static files only...
Hi, Andre How so ? can you explain ? After all, Tomcat itself has to know if the resource being served is a servlet or jsp page or something else, in order to serve it properly. So how come you cannot do the same ? ans : each user can have his/her own web.xml and can do whatever URL mapping in web.xml to serve his/her serlvet ... That's why I can not know in advance unless I go into the user WEB-INF to do the parsing ... Another question : where is this public_html directory (?) actually located, and what does/can it contain, other than static pages ? ans : I configure tomcat to enable per-user web as follows: Listener className=org.apache.catalina.startup.UserConfig directoryName=public_html homeBase=/share/home userClass=org.apache.catalina.startup.HomesUserDatabase/ Regards, Kim 2012/6/27 André Warnier a...@ice-sa.com: Regarding the style of communications : on this list, it is preferred if posters answer *below* the respective text to which they refer, not on top of the message. It makes it so much easier to follow the flow of the conversation (rather than having to scroll up and down to find the appropriate paragraph). Kim wrote: Hi,Andre Thanks for the advice. I do implement a Valve class to capture all the request before forwarding to actual web app. However, I can not know in advance the actual url for the servlet or JSP .. i.e. I can not know from the URI in the Valve class that the resources is static files or servlet ... How so ? can you explain ? After all, Tomcat itself has to know if the resource being served is a servlet or jsp page or something else, in order to serve it properly. So how come you cannot do the same ? Another question : where is this public_html directory (?) actually located, and what does/can it contain, other than static pages ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: using clearReferencesStopTimerThreads value for context
On 27/06/2012 03:04, Supun Malinga wrote: Hi all, Say I have a webapp that don't stop all the timer threads it started upon the webapp undeploy/stop. So tomcat prints an error, The web application [/NewStratosDBAccessServlet] appears to have started a thread named [MySQL Statement Cancellation Timer] but has failed to stop it. This is very likely to create a memory leak. The error says severe and we need to take some action against it. Therefore I set clearReferencesStopTimerThreads property to webapp context. Now tomcat prints, *SEVERE*: The web application [/NewStratosDBAccessServlet] appears to have started a TimerThread named [Timer-8] via the java.util.Timer API but has failed to stop it. To prevent a memory leak, the timer (and hence the associated thread) has been *forcibly canceled*. Thought it indicates the timer threads are cleared the log is still SEVERE. May I know the intention of keeping it as SEVERE ? Because the web application still has a bug. Whether or not Tomcat is working around it is irrelevant to the severity of the bug in the web application. All memory leaks of this nature are reported as errors. Wouldn't it be of WARN or perhaps INFO ? Nope. Any help is highly appreciated.. Getting rid of that message is simple. Fix the bug in the web application. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: restrict per user public_html to serve static files only...
Kim wrote: Hi, Andre How so ? can you explain ? After all, Tomcat itself has to know if the resource being served is a servlet or jsp page or something else, in order to serve it properly. So how come you cannot do the same ? ans : each user can have his/her own web.xml and can do whatever URL mapping in web.xml to serve his/her serlvet ... That's why I can not know in advance unless I go into the user WEB-INF to do the parsing Right, so you /are/ trying to implement something like the ~userdir of Apache httpd. I tend to agree with Mikolaj then, you may be better off keeping Apache httpd for that. Or else, this is the kind of situation for which the security manager of Tomcat (actually of Java) may be the way to go. If individual users can upload stuff and have it served by Tomcat, at least restrict whatever these things can actually do. Have a look first at the file (catalina_home)/conf/catalina.policy, section WEB APPLICATION PERMISSIONS. It seems to me that by not granting those permissions (other than to your own webapps), you can greatly restrict what users can do. As long as the users don't have access to (catalina_base)/conf of course. It also means of course that you /must/ grant these permissions to your own webapps, which tends to be a p.i.t.a. But then, you have an open system, so it belongs to you to close the holes. ... Another question : where is this public_html directory (?) actually located, and what does/can it contain, other than static pages ? ans : I configure tomcat to enable per-user web as follows: Listener className=org.apache.catalina.startup.UserConfig directoryName=public_html homeBase=/share/home userClass=org.apache.catalina.startup.HomesUserDatabase/ Regards, Kim 2012/6/27 André Warnier a...@ice-sa.com: Regarding the style of communications : on this list, it is preferred if posters answer *below* the respective text to which they refer, not on top of the message. It makes it so much easier to follow the flow of the conversation (rather than having to scroll up and down to find the appropriate paragraph). Kim wrote: Hi,Andre Thanks for the advice. I do implement a Valve class to capture all the request before forwarding to actual web app. However, I can not know in advance the actual url for the servlet or JSP .. i.e. I can not know from the URI in the Valve class that the resources is static files or servlet ... How so ? can you explain ? After all, Tomcat itself has to know if the resource being served is a servlet or jsp page or something else, in order to serve it properly. So how come you cannot do the same ? Another question : where is this public_html directory (?) actually located, and what does/can it contain, other than static pages ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: using clearReferencesStopTimerThreads value for context
Hi, On Wed, Jun 27, 2012 at 1:42 PM, Mark Thomas ma...@apache.org wrote: On 27/06/2012 03:04, Supun Malinga wrote: Hi all, Say I have a webapp that don't stop all the timer threads it started upon the webapp undeploy/stop. So tomcat prints an error, The web application [/NewStratosDBAccessServlet] appears to have started a thread named [MySQL Statement Cancellation Timer] but has failed to stop it. This is very likely to create a memory leak. The error says severe and we need to take some action against it. Therefore I set clearReferencesStopTimerThreads property to webapp context. Now tomcat prints, *SEVERE*: The web application [/NewStratosDBAccessServlet] appears to have started a TimerThread named [Timer-8] via the java.util.Timer API but has failed to stop it. To prevent a memory leak, the timer (and hence the associated thread) has been *forcibly canceled*. Thought it indicates the timer threads are cleared the log is still SEVERE. May I know the intention of keeping it as SEVERE ? Because the web application still has a bug. Whether or not Tomcat is working around it is irrelevant to the severity of the bug in the web application. All memory leaks of this nature are reported as errors. I see.. thanks for the clarification! Wouldn't it be of WARN or perhaps INFO ? Nope. Any help is highly appreciated.. Getting rid of that message is simple. Fix the bug in the web application. thanks, Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Supun Malinga
Re: restrict per user public_html to serve static files only...
2012/6/27 Kim k...@aerodrive.com: Hi, Dear all I'm using tomcat 6.0.35 on linux CentOS 5.7 using sun jdk jdk1.5.0_11. I need to enable public_html for my user but for security reason, I would like restrict the functions to serve static files only. Can anyone tell me how to do that ? Actually I can build tomcat from src and don't mind modify the code base for this specific feature. Can anyone help me to point out which source file I should modify ... For reference, User Web Applications feature is implemented via a Listener, o.a.catalina.startup.UserConfig which enumerates users and deploys their web applications. Documentation is in config/listeners.html and config/host.html. Currently it creates web application for each user when Tomcat starts. Probably it could be improved to perform such deployment once in a while on Lifecycle.PERIODIC_EVENT. First, you need to prevent not only jsps, but servlets as well. I think I would create my own UserConfig listener so that it would skip directories that have WEB-INF and META-INF directories in them. Things to beware are WEB-INF/web.xml, WEB-INF/lib (because of web fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just to be sure; maybe it could be used to reconfigure logging). There should not be META-INF/context.xml file. (Though as far as I remember when an application is deployed via UserConfig the context.xml file is ignored). Second, Processing of Jsp files can be enabled though two constructs a) explicit mapping of JspServlet, like it is done in conf/web.xml b) implicitly by using jsp-property-group with url pattern that patches the file. I think that removing JspServlet mappings from global conf/web.xml will disable JSP processing for you. 2012/6/27 André Warnier a...@ice-sa.com: Have a look first at the file (catalina_home)/conf/catalina.policy, section WEB APPLICATION PERMISSIONS. It seems to me that by not granting those permissions (other than to your own webapps), you can greatly restrict what users can do. Note that regardless of contents of conf/catalina.policy every web application is granted permission to load its own classes and write to its own temporary directory. The servlet spec requires it. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
multiple tomcat on same server ajp stops working
I have a situation where i have several tomcats installed on the same server (windows) Each tomcat has its own ports the first listens to 8080 ajp 8009 the second listens to 8081 ajp 8010 I have this problem running 7 tomcats from port 8080 to 8086 work fine but ajp of the first 3 (8009,8010,8011) stop working (while they work if each tomcat is run in isolation). It seems like no more than 4 ajp listeners can run...how this can be? Anyone can help? Pierluigi Santin * Tel. 0432 421000 Cell. 3939013490 Fintel Engineering S.r.l. Sede Friuli: Via del Cotonificio, 129/b 33100 Udine UD Sede Veneto: Via Friuli, 10 31020 San Vendemiano TV p.san...@fintelengineering.itmailto:p.san...@fintelengineering.it www.fintelengineering.ithttp://www.fintelengineering.it/ Rispetta l'ambiente. Non stampare questa mail se non è necessario. Ai fini del rispetto del D.Lgs. 196/2003 (Codice della privacy) sulla tutela dei dati personali, questo messaggio ed i suoi eventuali allegati, sono rivolti unicamente al/i destinatario/i indicato/i e potrebbero contenere informazioni riservate o confidenziali. Se lo ha ricevuto per errore, ci scusiamo per l'inconveniente e lo segnali cortesemente al mittente e allo scrivente distruggendo subito l'originale. Ogni altro utilizzo sarà considerato illegale. La distribuzione, modifica, copia o divulgazione dello stesso assolutamente proibita, e gli abusi tanto del messaggio che dei suoi allegati saranno immediatamente perseguiti ai sensi della normativa vigente ed in ogni sede prevista. Fintel Engineering Srl - Fiscalità Innovazione Territorio Enti Locali non si assume alcuna responsabilità per usi impropri di questo messaggio o di sue parti. This message is for the designated recipient only and may contain privileged or confidential information. If you are received it in error, we apologize for this. Please notify the sender immediately and delete the original. Any other use of the message is illegal. Fintel Engineering Srl - Fiscalità Innovazione Territorio Enti Locali does not accept any liability for corruption, interception or damages, if any, caused by unauthorized use of this message or parts.
RE: restrict per user public_html to serve static files only...
From: Kim [mailto:k...@aerodrive.com] Subject: Re: restrict per user public_html to serve static files only... Please do not top-post; it's rude and annoying. each user can have his/her own web.xml and can do whatever URL mapping in web.xml to serve his/her servlet ??? You first say users cannot have dynamic content, then state that users can have their own servlets. Both can't be true at the same time. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: restrict per user public_html to serve static files only...
Hi, Charles Really sorry as I'm new here. ok. here is the ans to your question - You first say users cannot have dynamic content, then state that users can have their own servlets. Both can't be true at the same time. ans : I would like to restrict the per user web application to only serve static files only. But the current implementation of Tomcat would enable web application on a per user basic, i.e. they can deploy a web.xml in WEB-INF and execute servlet or JSP in tomcat. Regards, Kim 2012/6/27 Caldarale, Charles R chuck.caldar...@unisys.com: From: Kim [mailto:k...@aerodrive.com] Subject: Re: restrict per user public_html to serve static files only... Please do not top-post; it's rude and annoying. each user can have his/her own web.xml and can do whatever URL mapping in web.xml to serve his/her servlet ??? You first say users cannot have dynamic content, then state that users can have their own servlets. Both can't be true at the same time. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: restrict per user public_html to serve static files only...
Kim, when we ask to not top-post, here is what we mean. This is a correctly formatted version of your last message : -- start Hi, Charles Really sorry as I'm new here. 2012/6/27 Caldarale, Charles R chuck.caldar...@unisys.com: From: Kim [mailto:k...@aerodrive.com] Subject: Re: restrict per user public_html to serve static files only... Please do not top-post; it's rude and annoying. each user can have his/her own web.xml and can do whatever URL mapping in web.xml to serve his/her servlet ??? You first say users cannot have dynamic content, then state that users can have their own servlets. Both can't be true at the same time. I would like to restrict the per user web application to only serve static files only. But the current implementation of Tomcat would enable web application on a per user basic, i.e. they can deploy a web.xml in WEB-INF and execute servlet or JSP in tomcat. Regards, Kim -- end You see, it's easy to read, in a logical order, thus easy to know which answer relates to which question/remark. And it saves you retyping the question. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: restrict per user public_html to serve static files only...
Hi, Kolinko Really thanks. Yes, I have hunt down to UserConfig in the source tree on Tomcat and can modify UserConfig.java to skip those user context if there exists a /WEB-INF/web.xml in their public_html directory. And I can also insert a Valve filter to skip those URL with jsp extension ... But I do think it's very clumsy solution and I'm looking for a more elegant solution in that for a per-user web application the only serlvet that can be invoked is the DefaultServlet that serve static files only.. Regards, Kim For reference, User Web Applications feature is implemented via a Listener, o.a.catalina.startup.UserConfig which enumerates users and deploys their web applications. Documentation is in config/listeners.html and config/host.html. Currently it creates web application for each user when Tomcat starts. Probably it could be improved to perform such deployment once in a while on Lifecycle.PERIODIC_EVENT. First, you need to prevent not only jsps, but servlets as well. I think I would create my own UserConfig listener so that it would skip directories that have WEB-INF and META-INF directories in them. Things to beware are WEB-INF/web.xml, WEB-INF/lib (because of web fragments feature of Servlet 3.0), WEB-INF/classes (unlikely, but just to be sure; maybe it could be used to reconfigure logging). There should not be META-INF/context.xml file. (Though as far as I remember when an application is deployed via UserConfig the context.xml file is ignored). Second, Processing of Jsp files can be enabled though two constructs a) explicit mapping of JspServlet, like it is done in conf/web.xml b) implicitly by using jsp-property-group with url pattern that patches the file. I think that removing JspServlet mappings from global conf/web.xml will disable JSP processing for you. 2012/6/27 André Warnier a...@ice-sa.com: Have a look first at the file (catalina_home)/conf/catalina.policy, section WEB APPLICATION PERMISSIONS. It seems to me that by not granting those permissions (other than to your own webapps), you can greatly restrict what users can do. Note that regardless of contents of conf/catalina.policy every web application is granted permission to load its own classes and write to its own temporary directory. The servlet spec requires it. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: multiple tomcat on same server ajp stops working
2012/6/27 Pierluigi Santin Fintel p.san...@fintelengineering.it: I have a situation where i have several tomcats installed on the same server (windows) Each tomcat has its own ports the first listens to 8080 ajp 8009 the second listens to 8081 ajp 8010 I have this problem running 7 tomcats from port 8080 to 8086 work fine but ajp of the first 3 (8009,8010,8011) stop working (while they work if each tomcat is run in isolation). It seems like no more than 4 ajp listeners can run...how this can be? 1. What are their shutdown port numbers? 8005 + 4 = 8009. 2. What is in the logs? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: restrict per user public_html to serve static files only...
Hi, Warnier 2012/6/27 André Warnier a...@ice-sa.com: Kim, when we ask to not top-post, here is what we mean. This is a correctly formatted version of your last message : -- start Hi, Charles Really sorry as I'm new here. 2012/6/27 Caldarale, Charles R chuck.caldar...@unisys.com: From: Kim [mailto:k...@aerodrive.com] Subject: Re: restrict per user public_html to serve static files only... Please do not top-post; it's rude and annoying. each user can have his/her own web.xml and can do whatever URL mapping in web.xml to serve his/her servlet ??? You first say users cannot have dynamic content, then state that users can have their own servlets. Both can't be true at the same time. I would like to restrict the per user web application to only serve static files only. But the current implementation of Tomcat would enable web application on a per user basic, i.e. they can deploy a web.xml in WEB-INF and execute servlet or JSP in tomcat. Regards, Kim -- end You see, it's easy to read, in a logical order, thus easy to know which answer relates to which question/remark. And it saves you retyping the question. I got it now. Thanks for the help and really sorry for my mistake. Regards, Kim - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
R: multiple tomcat on same server ajp stops working
THAT'S THE ANSWER!the shutdown port of the 4th tomcat was colliding with the ajp port of the 1st tomcat and so on. Changed the ajp port to avoid this solved the problem. There was nothing in the logs . Thanks again Kostantin -Messaggio originale- Da: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Inviato: mercoledì 27 giugno 2012 16:24 A: Tomcat Users List Oggetto: Re: multiple tomcat on same server ajp stops working 2012/6/27 Pierluigi Santin Fintel p.san...@fintelengineering.it: I have a situation where i have several tomcats installed on the same server (windows) Each tomcat has its own ports the first listens to 8080 ajp 8009 the second listens to 8081 ajp 8010 I have this problem running 7 tomcats from port 8080 to 8086 work fine but ajp of the first 3 (8009,8010,8011) stop working (while they work if each tomcat is run in isolation). It seems like no more than 4 ajp listeners can run...how this can be? 1. What are their shutdown port numbers? 8005 + 4 = 8009. 2. What is in the logs? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat DBCP Connection pool issue
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Kiran, On 6/26/12 7:24 PM, Kiran Badi wrote: Resource name=jdbc/mysitedb auth=Container type=javax.sql.DataSource maxActive=100 maxIdle=30 maxWait=1 100 active db connections sounds like a lot. Do you really need to support 100 simultaneous connections to your database? Can your database support that many connections with active queries from each? Do you have a cluster? Remember that each member in the cluster will therefore open a maximum of 100 connections to your database. 10 cluster members means 1000 simultaneous connections. I had a bug in my code and I was not closing connection, I fixed it and now this is working fine. You should enable abandoned detection and logging. an architectural comment: it's probably not a great idea to obtain a database connection directly from your Servlet. Doing so likely ties your business logic directly to both the servlet API *and* the JDBC API. If you want to switch to some other data source (e.g. a non-JDBC-supported data source like MongoDB, Cassandra, etc.), then you have to re-write your whole app. If you want to support Websocket, then you have to completely re-write your webapp. If you want to create an Android or Swing-based version, you have to completely re-write your app. See the pattern here? I know existing design is somewhat a kind of limitation,but again at this point ,its just to hard to implement this change. Let me think over this.It will take sometime. There's no time like the present: this problem will only get worse over time. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/rISAACgkQ9CaO5/Lv0PC8MwCeMVv+gx6x4ItxZspgJwI0e2km 458An0CPoRxJQBmh/AKRQFo4o64ByJZE =eQp9 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to configure Tomcat for leveraging browser caching?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Subhrajyoti, On 6/27/12 3:16 AM, choudh...@labware.com wrote: Hi , I ran Google's Page Speed( https://developers.google.com/speed/pagespeed/ ) on our web app to analyze and optimize our web site . One of the many items under Web Performance Best Practices ( https://developers.google.com/speed/docs/best-practices/caching#LeverageBrowserCaching ) as listed in Page Speed says To take advantage of the full benefits of caching consistently across all browsers, we recommend that you configure your web server to explicitly set caching headers and apply them to all cacheable static resources, not just a small subset (such as images). Cacheable resources include JS and CSS files, image files, and other binary object files (media files, PDFs, Flash files, etc.). In general, HTML is not static, and shouldn't be considered cacheable. How do I configure tomcat to achieve the same ? I know it can be done via Filters by putting some HTTP headers but can we do it without touching code just by configuration ? It looks like you can use urlrewrite [1] with a set configuration to set headers for specific URL patterns. So, technically, you need code to do it, but you can use existing code instead of writing your own. url-rewrite might be a bit heavy for your needs, and you may decide to write your own simple filter. - -chris [1] http://www.tuckey.org/urlrewrite/ -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/rIgUACgkQ9CaO5/Lv0PDSSwCcCn69rXiHBI3RJtjXWDbrfni+ gcQAn13BawxoC5RzD4Ot7tJBVX4ZNqnR =/w3Y -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: using clearReferencesStopTimerThreads value for context
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 6/27/12 4:12 AM, Mark Thomas wrote: Getting rid of that message is simple. Fix the bug in the web application. +1 FWIW, Oracle/MySQL says that this bug has been fixed in Connector/J 5.1.11 (http://bugs.mysql.com/bug.php?id=36565). If you can't upgrade, you might have some success with a ServletContextListener with the following contextDestroyed method: public void contextDestroyed(ServletContextEvent e) { try { ClassLoader myClassLoader = this.getClass().getClassLoader(); Class clazz = Class.forName(com.mysql.jdbc.ConnectionImpl, false, myClassLoader); if(!(clazz.getClassLoader() == myClassLoader)) { log.info(MySQL ConnectionImpl was loaded with another ClassLoader: ( + clazz.getClassLoader() + ): cancelling anyway); } else { log.info(MySQL ConnectionImpl was loaded with the WebappClassLoader: cancelling the Timer); } Field f = clazz.getDeclaredField(cancelTimer); f.setAccessible(true); Timer timer = (Timer) f.get(null); timer.cancel(); log.info(completed timer cancellation); } catch (ClassNotFoundException cnfe) { // Ignore log.error(Cannot cancel, cnfe); } catch (NoSuchFieldException nsfe) { // Ignore log.error(Cannot cancel, nsfe); } catch (SecurityException se) { log.info(Failed to shut-down MySQL Statement Cancellation Timer due to a SecurityException, se); } catch (IllegalAccessException iae) { log.info(Failed to shut-down MySQL Statement Cancellation Timer due to an IllegalAccessException, iae); } } -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/rI+4ACgkQ9CaO5/Lv0PBu5gCgw6GPz8gGEgS+yjeJDK20krPA ugMAnRtm4r3ehNIG/cZhGeU/yS1pIhBY =eHCR -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Failed allocating AJP message buffer
Hi everyone, Just to let you know that installing the latest release of mod_jk resolved our issue with http crashing with errors Failed allocating AJP message buffer in mod_jk.log. So we pass from 1.2.35 to 1.2.37. Regards, 2012/6/22 Pierre Ayotte pi.r.ayo...@gmail.com Hello Christopher, Yes we saw on wednesday taht the 1.2.37 has been release sot we just put the it in production yesterday night. All keep you inform. We also make thoses changes to httpd.conf base on recommendation from a collegue: - ThreadsPerChild down to 1000 instead of 3000 - Remove ThreadLimit 9000 because apparently this does not serve on Windows Do you think this could help? 2012/6/21 Christopher Schultz ch...@christopherschultz.net -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Pierre, On 6/20/12 6:26 PM, Pierre Ayotte wrote: Our Configuration = Apache Apache/2.2.22 on Windows 2008 R2 x64 mod_ssl/2.2.22 OpenSSL/0.9.8t with certificates in place mod_jk/1.2.35 with a load balancer to 5 workers There were a bunch of fixes in mod_jk 1.2.36 and 1.2.37. Is it possible to test with the latest version? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/jkUwACgkQ9CaO5/Lv0PD7ewCcCMNw8g2O5Ejv9CDYhIcWmAPK PzUAnA8RIWsETMPD9yTIVl9BQaqEo6Yu =chWd -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Failed allocating AJP message buffer
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Pierre, On 6/27/12 11:36 AM, Pierre Ayotte wrote: Just to let you know that installing the latest release of mod_jk resolved our issue with http crashing with errors Failed allocating AJP message buffer in mod_jk.log. So we pass from 1.2.35 to 1.2.37. Good to know. There were a lot of changes to the win32 code around 1.2.35 and some of them caused all sorts of problems. I believe most of them have been worked out and 1.2.37 should be much more stable for you. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/rTD4ACgkQ9CaO5/Lv0PAF3gCeJKopRyticr0nah2OQ91svdrh erwAnAoiFbupvuWaDLDJMw9kAjQAM9nU =QBCI -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: High CPU usage in Tomcat 7
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 James, On 6/20/12 12:27 PM, James Lampert wrote: We just had a report of extremely high CPU usage from the Tomcat job on one of our customer installations. A WRKACTJOB screen shot from before we forcibly shut Tomcat down and restarted it shows: Subsystem/Job Type CPU % FunctionStatus CATALINA BCH .0 CMD-QSH TIMW QP0ZSPWT BCI 112.2 JVM-org.apache TIMW (QP0ZSPWT being the system-generated job that's doing the actual work for the CATALINA job.) Of particular interest is that, at least at the moment the screen shot was taken, the QP0ZSPWT job was taking up what appears to be more than an entire processor, even though it's in a time-wait state. Based on a Google search on tomcat 7 high cpu usage, I'm suspecting a previously unknown tightloop in our application (which was what I suspected even before I did the Google search). The pages I looked at also said something about profiling and thread dumps, to find the offending thread, but since the job has been terminated and restarted, and is not currently malfunctioning, I wouldn't be able to do so even if I knew how (which at present I don't). I've passed on the log files generated by our application itself to someone better equipped to deal with them than I, and I've asked the Java-400 List at Midrange.com about AS/400-specific steps to track down the offending thread if the problem is observed again, but I would also value any insights this list might offer. The advice you got about thread dumps was spot-on: get yourself a thread dump [1] whenever you think your process is using too much CPU time. Better yet, take a few of them and compare. If you do have a tight loop, you'll probably be able to see it because one thread will be stuck in the same method for a while. Taking a thread dump *should* be easy (not sure on AS/400) and it doesn't take a long time to get one. That means you don't disturb current users like taking a heap dump would (heap dumps in my experience tend to pause the entire JVM). I suppose you're about to take-down the JVM so user inconvenience isn't a huge deal. You might also consider that high CPU usage isn't necessarily bad, unless it's impacting the operation of one or more services. Assuming that your suspected-tight-loop finally completes, it might be better to just let it finish rather than taking-down the JVM entirely. - -chris [1] http://wiki.apache.org/tomcat/HowTo#How_do_I_obtain_a_thread_dump_of_my_running_webapp_.3F -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/rTZEACgkQ9CaO5/Lv0PDL5wCgu683MJwUBQzgn2HKPcDinUEF PyYAnAvPWYtbSB8PiKF4OfFchPKbMTcL =ETGk -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
How to initiate session id change from application code?
Hi, can I force Tomcat to change session id from my application code? I know that in Tomcat7 there is a changeSessionIdOnAuthentication attribute that can be used with container managed security, but how can I protect my application from session fixation attacks if I don't use container managed security? Invalidating session, creating new session and copying session attributes is expensive and does't work with some libraries, e.g. OpenWebBeans store session objects to HttpSession only before passivation for performance reasons. Regards, Pavel - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How to initiate session id change from application code?
Good Evening Pavel Implementing a SSL Connector on Tomcat will prevent Session Fixation attack http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.htmlEz az üzenet bizalmas. Ha nem ön az akinek szánva volt, akkor kérjük, hogy jelentse azt nekünk vissza. Semmiféle továbbítása vagy másolatának készítése nem megengedett. Ez az üzenet csak ismeret cserét szolgál és semmiféle jogi alkalmazhatósága sincs. Mivel az electronikus üzenetek könnyen megváltoztathatóak, ezért minket semmi felelöség nem terhelhet ezen üzenet tartalma miatt. Date: Thu, 28 Jun 2012 00:11:32 +0200 Subject: How to initiate session id change from application code? From: pavel.arn...@loutka.cz To: users@tomcat.apache.org Hi, can I force Tomcat to change session id from my application code? I know that in Tomcat7 there is a changeSessionIdOnAuthentication attribute that can be used with container managed security, but how can I protect my application from session fixation attacks if I don't use container managed security? Invalidating session, creating new session and copying session attributes is expensive and does't work with some libraries, e.g. OpenWebBeans store session objects to HttpSession only before passivation for performance reasons. Regards, Pavel - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Wish to use an independent class module in Tomcat
On 1:59 PM, Cotton, Joseph B wrote: My question may be covered by the Tomcat documentation and I am just confused by all the new terminology. I have spent hours in reading and still I am looking to an answer. We wish to have a class running on Tomcat that contains system wide info and multiple database connections into DB2 on the mainframe. All other apps runing on Tomcat will open an instance of this class to access the static info and one of five open connections. Opening and closing database connections is very slow and we wish to leave open the connections and just reuse them as needed. We wrote the class and it runs ok. Yet to get it to run with an app, we need to load the class jar file into the app and references in context.xml and web.xml as listed in the documentation. But that defeats the purpose of the global app because then there are multiple instances of the class. We tried to insert a reference inGlobalNamingResources of server.xml. It doesn't seem to work for us. Or are we off base with this design? Is app to app communication allowed? Can I call a class from one app to another without first loading the called class into the calling class? I am using NetBeans IDE 7.1.1, Apache Tomcat 7.0.22 and Java 6.23 (build 1.6.0_23-b05). Java 7 is not an option in our shop yet because we are supporting a commercial package that breaks when run under Java 7. I would appreciate if the group could point me to the correct documentation to do what we are looking for, and perhaps a translation of the Tomcat specific terminology and jargon. Thanks Joe Hi, Joe- You might consider placing your connection manager in the Tomcat lib directory and implementing it a singleton. -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Wish to use an independent class module in Tomcat
On 1:59 PM, Cotton, Joseph B wrote: My question may be covered by the Tomcat documentation and I am just confused by all the new terminology. I have spent hours in reading and still I am looking to an answer. We wish to have a class running on Tomcat that contains system wide info and multiple database connections into DB2 on the mainframe. All other apps runing on Tomcat will open an instance of this class to access the static info and one of five open connections. Opening and closing database connections is very slow and we wish to leave open the connections and just reuse them as needed. We wrote the class and it runs ok. Yet to get it to run with an app, we need to load the class jar file into the app and references in context.xml and web.xml as listed in the documentation. But that defeats the purpose of the global app because then there are multiple instances of the class. We tried to insert a reference inGlobalNamingResources of server.xml. It doesn't seem to work for us. Or are we off base with this design? Is app to app communication allowed? Can I call a class from one app to another without first loading the called class into the calling class? I am using NetBeans IDE 7.1.1, Apache Tomcat 7.0.22 and Java 6.23 (build 1.6.0_23-b05). Java 7 is not an option in our shop yet because we are supporting a commercial package that breaks when run under Java 7. I would appreciate if the group could point me to the correct documentation to do what we are looking for, and perhaps a translation of the Tomcat specific terminology and jargon. Thanks Joe A link to the Tomcat documentation: http://tomcat.apache.org/tomcat-7.0-doc/appdev/deployment.html#Shared_Library_Files -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org