Re: Unexpanded WAR and FileNotFoundException: META-INF/MANIFEST.MF

2014-07-23 Thread Арсений Зинченко
Hi, Chris. Thanks for the reply.

Biggest problem is that I'm not our application developer >.<


2014-07-23 17:26 GMT+03:00 Christopher Schultz :

> Арсений,
>
> On 7/23/14, 10:14 AM, Арсений Зинченко wrote:
> > We have Tomcat with:
> >
> >  > autoDeploy="false" deployOnStartup="true" >
> >
> > While startup I got ERROR in log:
> >
> > 14-07-22 15:13:01,551+0100 > 289   INFO
> > [com.***.listener.PropertiesConfigListener] (main:) Adapter is a
> > log4j adapter ?org.slf4j.impl.Log4jLoggerAdapter 14-07-22
> > 15:13:01,552+0100 > 290   ERROR
> > [com.***.listener.PropertiesConfigListener] (main:) Exception
> > getting codebase versionjava.io.FileNotFoundException:
> > META-INF/MANIFEST.MF (No such file or directory)
> >
> > I understood, that PropertiesConfigListener can't find path to this
> > file, but - it can't get MANIFEST.MF from inside WAR-file?
> >
> > Any tips - how it can be fixed?
>
> Your com.***.listener.PropertiesConfigListener needs to know how to
> load files from inside WAR files if you don't want to expand the WAR file.
>
> How does your code currently attempt to load the file? You are
> probably using a FileInputStream or something like that, which can't
> operate within a JAR/WAR file.
>
> - -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
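
The point made in the reply above, as an added example (not code from the thread or from the poster's application): a listener that asks the servlet container for the manifest instead of opening a file-system path, so it works whether or not the WAR is expanded. The class name, the `codebase.version` attribute key and the choice of `Implementation-Version` as the version field are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.jar.Attributes;
import java.util.jar.Manifest;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

// Hypothetical listener: name and attribute key are assumptions for this example.
public class ManifestVersionListener implements ServletContextListener {

    // Context-relative path, resolved by the container rather than the file system.
    private static final String MANIFEST_PATH = "/META-INF/MANIFEST.MF";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        String version = readImplementationVersion(ctx);
        ctx.setAttribute("codebase.version", version);
        ctx.log("Codebase version: " + version);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }

    static String readImplementationVersion(ServletContext ctx) {
        // new FileInputStream("META-INF/MANIFEST.MF") resolves the relative path
        // against the JVM's working directory, so it fails when the WAR is not
        // expanded. getResourceAsStream() lets the container read the entry from
        // the expanded directory or directly out of the packed WAR.
        InputStream in = ctx.getResourceAsStream(MANIFEST_PATH);
        if (in == null) {
            return "unknown"; // WAR was built without a manifest
        }
        try {
            Manifest mf = new Manifest(in);
            String v = mf.getMainAttributes()
                         .getValue(Attributes.Name.IMPLEMENTATION_VERSION);
            return v != null ? v : "unknown";
        } catch (IOException e) {
            ctx.log("Cannot parse " + MANIFEST_PATH, e);
            return "unknown";
        } finally {
            try {
                in.close();
            } catch (IOException ignored) {
                // Closing a read-only stream; nothing useful to do here.
            }
        }
    }
}
```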


Unexpanded WAR and FileNotFoundException: META-INF/MANIFEST.MF

2014-07-23 Thread Арсений Зинченко
Hi.

We have Tomcat with:



While startup I got ERROR in log:

14-07-22 15:13:01,551+0100 > 289   INFO
 [com.***.listener.PropertiesConfigListener] (main:) Adapter is a log4j
adapter ?org.slf4j.impl.Log4jLoggerAdapter
14-07-22 15:13:01,552+0100 > 290   ERROR
[com.***.listener.PropertiesConfigListener] (main:) Exception getting
codebase versionjava.io.FileNotFoundException: META-INF/MANIFEST.MF (No
such file or directory)

I understood, that PropertiesConfigListener can't find path to this file,
but - it can't get MANIFEST.MF from inside WAR-file?

Any tips - how it can be fixed?

Thanks.


Tomcat autodeploy doesn't return actual files via HTTP

2014-06-03 Thread Арсений Зинченко
 Hi. Faced with little bit odd behavior of Tomcat 7 && Java 1.6.

Old file is:

$ curl http://localhost:8084
First file

I mean - *war-file* contains only one index.jsp page with text "First page":

$ jar tf ../app-application/APP.war
META-INF/
META-INF/MANIFEST.MF
index.jsp

Tomcat's server.xml has next components config:



  

Then - I copied new *war-file*:

$ cat ../tmp/1/index.jsp
Second file

$ cd ../tmp/1/ && jar cf APP.war index.jsp

$ cp APP.war ../../app-application/
cp: overwrite `../../app-application/APP.war'? y

And see in log:

 INFO: Undeploying context [/APP]
 Jun 3, 2014 1:16:40 PM org.apache.catalina.startup.HostConfig deployWAR
 INFO: Deploying web application archive /home/user/APP/app-application/APP.war

But - when I'm trying open it with browser - I got old file again:

$ curl http://localhost:8084/
First file

And only after full Tomcat's reboot - I see new file;

$ curl http://localhost:8084
Second file

Why? Am I missed something? Tomcat keep it in some cache?
Thanks.


Tomcat 5.5 vs 7.0 SSL

2014-06-02 Thread Арсений Зинченко
Hi.

Faced with very odd behavior of Tomcat 7...

Have two instances on same box - Tomcat 5.5 and Tomcat 7.

Both have same configuration - first from 5.5:



Next - from 7.0:



Also - both configured for CLIENT-CERT authentication (same application
with same web.xml).

In browser installed cert, but - when I'm trying open connection to 7
Tomcat - I got 401 - Cannot authenticate with the provided credentials and
no authentication attempt in log:

10.***.***.15 - - [02/Jun/2014:17:10:31 +0300] "GET /service/ HTTP/1.1" 401
1049

But connection to 5.5 - successful with same browser && certificate.

Also, in ssldump I see that browser can't make "handshake" with 7.0 server:

1 2  0.0317 (0.0308)  S>C  Handshake
  ServerHello
Version 3.1
session_id[32]=
  53 8c 85 d7 cf 17 a1 45 8a 4e 64 e6 95 7f 2b f3
  cb 74 0a f3 13 40 71 e8 74 50 53 1a 00 24 a0 76
cipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA
compressionMethod   NULL
  Certificate
  ServerKeyExchange
  CertificateRequest
certificate_types   rsa_sign
certificate_types   dss_sign
certificate_authority
  30 62 31 0b 30 09 06 03 55 04 06 13 02 55 41 31
  10 30 0e 06 03 55 04 08 13 07 55 6e 6b 6e 6f 77
  6e 31 0d 30 0b 06 03 55 04 07 13 04 4b 69 65 76
  31 0f 30 0d 06 03 55 04 0a 13 06 4c 75 78 6f 66
  74 31 0c 30 0a 06 03 55 04 0b 13 03 4c 4d 53 31
  13 30 11 06 03 55 04 03 13 0a 61 7a 69 6e 63 68
  65 6e 6b 6f
certificate_authority
  30 60 31 0b 30 09 06 03 55 04 06 13 02 55 41 31
// and that's all

But on 5.5 - everything OK:

1 2  0.0213 (0.0195)  S>C  Handshake
  ServerHello
Version 3.1
session_id[32]=
  53 8c 85 89 be 1f c5 63 e2 16 a0 a0 dc 5b aa 68
  0d 1c 8d b7 24 c5 13 0a 24 0a 66 9b 54 f4 b0 0f
cipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA
compressionMethod   NULL
  Certificate
  ServerKeyExchange
  ServerHelloDone
1 3  0.0256 (0.0042)  C>S  Handshake
  ClientKeyExchange
DiffieHellmanClientPublicValue[96]=
  4a 39 5e f5 2a c1 58 13 6b 7c 98 0b 44 d7 9a 42
  bf 48 c2 6e a4 c6 6d 50 a7 89 8f 53 a4 54 92 a5
  81 18 1b 22 63 cf c1 63 8f 36 9f d2 59 c3 3e 67
  1f 4e 18 01 db f2 9d 07 0b 81 12 39 64 62 83 84
  78 dc 36 9b 00 34 f5 34 44 2d 92 eb d9 f6 b0 7e
  c4 66 d9 ad f2 bf 7f fb 07 56 eb 58 5d 58 41 2e

What I'm doing wrong?

Thanks.


Re: CATALINA_PID != real PID

2014-05-23 Thread Арсений Зинченко
Hi, Leon.

Thanks for the reply.

Don't know why - but now it works good :-)


CATALINA_PID != real PID

2014-05-23 Thread Арсений Зинченко
Hi, guys.

I set:

$ export CATALINA_PID="$CATALINA_HOME/conf/catalina.pid"

Started *Tomcat*:

$ ./bin/startup.sh
Using CATALINA_BASE: /home/tomcats/apache-tomcat-7.0.53
Using CATALINA_HOME: /home/tomcats/apache-tomcat-7.0.53
Using CATALINA_TMPDIR: /home/tomcats/apache-tomcat-7.0.53/temp
Using JRE_HOME: /usr/java/jdk1.6.0_45/jre/
Using CLASSPATH: /home/tomcats/apache-tomcat-7.0.53/bin/bootstrap.jar:/home/tomcats/apache-tomcat-7.0.53/bin/tomcat-juli.jar
Using CATALINA_PID: /home/tomcats/apache-tomcat-7.0.53/conf/catalina.pid
Tomcat started.

Checked pid-file:

$ cat /home/tomcats/apache-tomcat-7.0.53/conf/catalina.pid
28461

But - there is no process 28461:

$ ps aux | grep 28461
tomcats  28599  0.0  0.0 103240   872 pts/0    S+   12:50   0:00 grep 28461

$ ps -p 28461
  PID TTY  TIME CMD

And Tomcat's JVM runs with other PID:

$ ps u | grep tomcat | grep java | grep -v grep | cut -d" " -f 3
30133

So - for what exactly CATALINA_PID variable needs or - why it's return
wrong number?

From "*Tomcat the Definitive Guide*" of *Jason Brittain* book we know that:

CATALINA_PID This variable may optionally hold the path to the process ID
file that Tomcat should use when starting up and shutting down. None

Use:

$ cat /etc/redhat-release
CentOS release 6.4 (Final)

Thanks for advice.


Re: where find documentation

2014-05-16 Thread Арсений Зинченко
I used this one:

http://wiki.metawerx.net/wiki/Web.xml


2014-05-15 16:05 GMT+03:00 Francesco Viscomi :

> Hi all,
> i'm try to find a documentation that describe every tag inside the web.xml
> file, but i wasn't able to find anything about that on
> http://tomcat.apache.org/tomcat-5.5-doc/config/context.html
>
>
> someone can help me?
> thanks in advance;
> Francesco
> Italy
>


Re: How to monitor performance of tomcat

2014-04-08 Thread Арсений Зинченко
Hi.

We use JavaMelody for "moment performance checks" on test box and Zabbix
monitoring system to have whole history. Zabbix can use JMX connection to
Tomcat instance and have set of included templates, for example - number
of threads, current memory usage, gzip usage and so on. Main virtue of
Zabbix ++ JMX is that it store all data in database + can draw graphs.


2014-04-08 18:00 GMT+03:00 Jeffrey Janner :

> > -Original Message-
> > From: Randhir Singh [mailto:randhir.si...@sterlite.com]
> > Sent: Tuesday, April 08, 2014 6:05 AM
> > To: users@tomcat.apache.org
> > Subject: How to monitor performance of tomcat
> >
> > We have an application which has JBoss as the application server with
> > Tomcat as the web server, our application has Oracle 11g as the
> > database. I would give some further background to the issue we are
> > facing, since the last 1 1/2 months, the application slows down.
> > Sometimes it comes back to normal, specially on week-ends. But other
> > times we restart JBoss & Tomcat to bring back the application to
> > normal.
> >
> >
> >
> > We have been using jconsole to monitor tomcat like
> >
> >
> >
> > jconsole 10.101.17.79:8891
> >
> >
> >
> > which monitors our tomcat for a work order system. If the memory usage
> > does not show spike and shows constant reading, the GC button is
> > clicked to invoke the garbage collector.
> >
> >
> >
> > I checked out on the net and got some clue as below:
> >
> >
> >
> > 1)  Javamelody - It seems to be a 3rd party tool which is not
> > recommended.
> >
> > 2)  There is a command mentioned to see the admin console,
> > http:/// but it is not displaying the required page.
> >
> >
> >
> > Please give your inputs whether jconsole should be a help in the right
> > direction or some other way to monitor the performance of Tomcat.
> >
> Jconsole and JVisualVm are quite useful tools for basic monitoring, if you
> understand how to use them and their limitations.
> Why did you get the impression that JavaMelody is not recommended?  It
> does offer an awful lot of monitoring/debugging information, but you need
> to careful in setting it up.  Under Tomcat 7, it will autodeploy with no
> security by default and expose a lot of potentially confidential
> information to whomever connects using the well-known "context" for it
> (which can't be changed).  If you want to use it, I suggest limiting it to
> your development environment only, or reading up on how to secure it as
> best as possible.
> Jeff
>
>
>


Tomcat && log4j vs MySQL

2014-04-07 Thread Арсений Зинченко
Hi.

Question is not exactly about Tomcat - but I hope somebody can help with
it.

So - we have Tomcat running. Application in it uses log4j to write logs.

log4j configured to use syslogd daemon and syslogd uses MySQL to store logs.

Problem is that when we have any error in log - it writes it with newlines
when "at" in trace added.

For example:

14-03-24 13:49:59,574+0200 > 1641034 ERROR [com***l]
(http-8443-Processor25:CN=setevoy, OU=Unknown, O=Unknown, L=Unknown,
ST=Unknown, C=Unknown:10.***.***.15) Error in finding user: 'CN=setevoy,
OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown'
org.s***.EmptyResultDataAccessException: Incorrect result size: expected 1,
actual 0
at org.***(***.java:1520)
at com.***(***.java:288)
at sun.***0(Native Method)

Then - in database table it's added again with "newlines" for every "at"
element and, as it's a new line, it's added as a new entry for every line.

So tables looks like (this other error trace, not from example above):

mysql> select ID,Message from SystemEvents order by ID desc limit 60;
...
| 258433 | at java.lang.Thread.run(Thread.java:662) |
| 258432 | at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689) |
| 258431 | at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81) |
| 258430 | at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:541) |

Instead of add error entirely in one cell of table.

Could it be reconfigured someway?

Thanks.


Add certificate without Tomcat restart

2014-03-03 Thread Арсений Зинченко
Hi.

We have two-side authentication on our Tomcat:


keystoreFile="/home/someuser/apache-tomcat-5.5.23/conf/.ssl/somealias.jks"
   keyAlias="somealias"
   keystorePass="somepass"

truststoreFile="/home/someuser/apache-tomcat-5.5.23/conf/.ssl/trustcacerts.jks"
   truststorePass="somepass" />

Is there any way to add certificate to truststore and get Tomcat load it
without restart it?

I mean - after:

$ keytool -import -v -trustcacerts -alias somealias -file some.cer
-keystore ../trustcacerts.jks

Thanks.


Re: Using different SSL-connector settings for various Context

2014-02-04 Thread Арсений Зинченко
> Please don't top post here. Respond below the text to which you are
> responding.
> It's easier to read that way. See below.

Sorry - it's Google formatting if press "Answer".

> That should be solvable just by the  of each Context.

I tried google it - but nothing... Can you please give link to something
about it?

Plus some additional info.

Now - we use configuration via web.xml:

  

  *
  /sourcename/*


  cert


  CONFIDENTIAL

  
  
CLIENT-CERT
  
  
cert
  

And for ROOT - configuration described in server.xml:

   
 https://some"; />
  

So task is - create second context for <url-pattern>/sourcename/* with
CLIENT-CERT but in Context "terminology".


2014-02-04 André Warnier :

> Hi.
>
> Please don't top post here. Respond below the text to which you are
> responding.
> It's easier to read that way. See below.
>
>
>
>> 2014-02-04 André Warnier :
>>
>>  Арсений Зинченко wrote:
>>>
>>>  Hi.
>>>>
>>>> Task is - have ability to use HTTP/HTTPS without clientAuth for ROOT,
>>>> but
>>>> enable two-factor auth (clientAuth="true" and using trustedstore.jks)
>>>> for
>>>> other Context.
>>>>
>>>> Can somebody please any tips?
>>>>
>>>>
>>>>  I don't know much about SSL, but isn't the answer right here ?
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>>>
>>> clientAuth
>>>
>>> Set to true if you want the SSL stack to require a valid certificate
>>> chain
>>> from the client before accepting a connection. Set to want if you want
>>> the
>>> SSL stack to request a client Certificate, but not fail if one isn't
>>> presented. A false value (which is the default) will not require a
>>> certificate chain unless the client requests a resource protected by a
>>> security constraint that uses CLIENT-CERT authentication.
>>>
>>> If I understand the above correctly, then setting clientAuth="false" in
>>> the Connector, and then requesting a CLIENT-CERT authentication only in
>>> your "other Context", should do the trick, no ?
>>>
>>>
>>>
> Арсений Зинченко wrote:
> > Yes, this is exactly what I want and I see this manual too.
> > But - how to specify different clientAuth= for different Context's ? I
> > found "SSL Authenticator
> > Valve<http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>"
> > - but there is nothing about how to do it... And I don't see any
> > possibility to make with any other Context
> > options<http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...
> >
> >
> Sorry, as I mentioned earlier, I do not know much about SSL and cannot
> help you with the details.
>
> One thing though : the setup of an SSL connection happens *before* Tomcat
> even knows to which application the browser wants to talk.  Some properties
> of that connection may not be changeable anymore, at the level of a Context.
> You can just tell the Context to make use or not of some of these
> properties, not really change them.
>
> In your case though, it seems that you want the following :
> - clients connect via SSL
> - some Context's then (later) require clientAuth
> - and some other Context's (later) do not require clientAuth
> That should be solvable just by the  of each Context.
>
> If you want some Context's to be accessible via HTTP/HTTPS, and others
> only via HTTPS, that also is a parameter that you can specify in each
> context's web.xml.
> ( or something like that)
>
>
>
>


Re: Using different SSL-connector settings for various Context

2014-02-04 Thread Арсений Зинченко
Yes, this is exactly what I want and I see this manual too.
But - how to specify different clientAuth= for different Context's ? I
found "SSL Authenticator
Valve<http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>"
- but there is nothing about how to do it... And I don't see any
possibility to make with any other Context
options<http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...



2014-02-04 André Warnier :

> Арсений Зинченко wrote:
>
>> Hi.
>>
>> Task is - have ability to use HTTP/HTTPS without clientAuth for ROOT, but
>> enable two-factor auth (clientAuth="true" and using trustedstore.jks) for
>> other Context.
>>
>> Can somebody please any tips?
>>
>>
> I don't know much about SSL, but isn't the answer right here ?
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>
> clientAuth
>
> Set to true if you want the SSL stack to require a valid certificate chain
> from the client before accepting a connection. Set to want if you want the
> SSL stack to request a client Certificate, but not fail if one isn't
> presented. A false value (which is the default) will not require a
> certificate chain unless the client requests a resource protected by a
> security constraint that uses CLIENT-CERT authentication.
>
> If I understand the above correctly, then setting clientAuth="false" in
> the Connector, and then requesting a CLIENT-CERT authentication only in
> your "other Context", should do the trick, no ?
>
>


Using different SSL-connector settings for various Context

2014-02-04 Thread Арсений Зинченко
Hi.

Task is - have ability to use HTTP/HTTPS without clientAuth for ROOT, but
enable two-factor auth (clientAuth="true" and using trustedstore.jks) for
other Context.

Can somebody please any tips?


Re: Tomcat && SSL: two issues

2014-01-31 Thread Арсений Зинченко
Hi, Chris.

So - 5.5 yes, very old - but we still use it. I hope - will update some
day...

> I can see that you have clientAuth="want"... what happens if the client
> declines to send a certificate?
// if it's connection not to restricted area - Tomcat will open it, if to
/some/page - will decline with "handshake_error" or something like it, I
don't remember all errors from last few days :D

> top-level certificate that is used to sign the individual client
> certificates. That way, you don't have to bother storing all of the
> individual client certificates

Yes, thanks - I know, and we have one "top-level cert" for server. But here
some difficulties in our... "organisation" - so we decided for users to use
self-signed cert.

> That looks like a LDAP username. Does LDAP have anything to do with this?

No - this is just usual "username" which taken from user's cert and
compared with entry in database.

And at least - about Firefox issue. The problem was due to different
(yes... I don't know it till today) keystore types. Only my own cert was
created as PKCS12. Other used .JKS then convert it .p12 and something like
this...
After we re-generate cert exactly in .p12 - problem was solved.

So for now only with Chrome browser.

P.S. Sorry for errors\typos and thanks for tips :-)



2014-01-31 Christopher Schultz :

> Арсений,
>
> On 1/31/14, 5:15 AM, Арсений Зинченко wrote:
> > We have Tomcat with two factor authentication when access to
> > /some/page requested.
> >
> > Auth configured with JDBCRealm & Oracle database:
> >
> >  > driverName="oracle.jdbc.driver.OracleDriver" ...
> >
> > SSL-connector:
> >
> >  > minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
> > disableUploadTimeout="true" acceptCount="100" scheme="https"
> > secure="true" clientAuth="want" sslProtocol="TLS"
> > keystoreFile="/home/keystore.jks" keyAlias="keystore"
> > keystorePass="password" truststoreFile="/home/trustcacerts.jks"
> > truststorePass="password" />
>
> It's nice when people say "two-factor authentication" and actually use
> two different factors. Yay, you!
>
> (I can see that you have clientAuth="want"... what happens if the
> client declines to send a certificate?)
>
> > Auth requiring via web.xml:
> >
> >  
> > *
> > /some/* 
> >  cert 
> > 
> > CONFIDENTIAL
> >   
> > CLIENT-CERT 
> >  cert 
>
> Aah, okay: Tomcat will refuse the request if it is for a protected
> web-resource-collection.
>
> > Client's cert created with keytool:
> >
> > $ keytool -genkey -alias somealias -keystore somekey.p12 -storetype
> > PKCS12 $ keytool -export -alias somealias -file somefile.cer
> > -keystore somekey.p12 -storetype PKCS12
> >
> > somefile.cer - imported to Tomcat's trustcacerts.jks and
> > somekey.p12 - to client's browsers.
>
> Ok. Note that if you want to do 2-factor properly, you should have
> everyone sharing the second factor (the client certificate).
>
> Also, this is typically done by generating a top-level certificate
> that is used to sign the individual client certificates. That way, you
> don't have to bother storing all of the individual client
> certificates... you just store the parent cert and validate all
> clients against that one. It makes management much easier.
>
> > User's present in trustcacerts.jks like:
> >
> > somealias, 30-Jan-2014, trustedCertEntry, Certificate fingerprint
> > (MD5): 60:A1:CE:35:2D:5E:01:22:65:A7:26:19:9E:D6:F3:74
> >
> > And present in Oracle database, like:
> >
> > USER_NAME: CN=someuser, OU=Unknown, O=Unknown, L=Unknown, ST=Kiev,
> > C=UA
> >
> > ROLE_NAME: cert
>
> That looks like a LDAP username. Does LDAP have anything to do with this?
>
> > (not exactly same - but about it)
> >
> > Tomcat 5.5.23, running on SuSE 10. Users - on Windows7, Firefox
> > 26.0 and Chrome 32.0.1700.76 m.
>
> You need to upgrade. Tomcat 5.5 is no longer supported.
>
> > So - we have two issues.
> >
> > 1) Some (!) of users when connecting with Chrome got error:
> >
> > Error code: ERR_SSL_PROTOCOL_ERROR
> >
> > In Catalina-' log:
> >
> > WARNING: Exception getting SSL attributes
> > javax.net.ssl.SSLHandshakeException: renegotiation is not allowed
> >
> > Attempts add lines allowUnsafeLegacyRenegotiatio

Tomcat && SSL: two issues

2014-01-31 Thread Арсений Зинченко
Hi, people.

We have Tomcat with two factor authentication when access to
/some/page requested.

Auth configured with JDBCRealm & Oracle database:

  

Auth requiring via web.xml:

  *
  /some/*

  cert

  CONFIDENTIAL

CLIENT-CERT

cert

 Client's cert created with keytool:

$ keytool -genkey -alias somealias -keystore somekey.p12 -storetype PKCS12
$ keytool -export -alias somealias -file somefile.cer -keystore
somekey.p12 -storetype PKCS12

somefile.cer - imported to Tomcat's trustcacerts.jks and somekey.p12 -
to client's browsers.

User's present in trustcacerts.jks like:

somealias, 30-Jan-2014, trustedCertEntry,
Certificate fingerprint (MD5):
60:A1:CE:35:2D:5E:01:22:65:A7:26:19:9E:D6:F3:74

And present in Oracle database, like:

USER_NAME: CN=someuser, OU=Unknown, O=Unknown, L=Unknown, ST=Kiev, C=UA

ROLE_NAME: cert

(not exactly same - but about it)

Tomcat 5.5.23, running on SuSE 10. Users - on Windows7, Firefox 26.0
and Chrome 32.0.1700.76 m.

So - we have two issues.

1) Some (!) of users when connecting with Chrome got error:

Error code: ERR_SSL_PROTOCOL_ERROR

In Catalina-' log:

WARNING: Exception getting SSL attributes
javax.net.ssl.SSLHandshakeException: renegotiation is not allowed

Attempts add lines allowUnsafeLegacyRenegotiation="true" and
allowLegacyHelloMessages="true" doesn't give results (was added to
Connector or -D(option) to CATALINA_OPTS).

What else can be done? All googled tips say only about these two parameters.

2) Using Firefox - from some machines give error 403, from others -
normal auth. It's look like (from Tomcat auth-log):

10.***.**.132 - CN=someuser, OU=**, O=company, L=Kiev, ST=Ukraine,
C=UA [30/Jan/2014:16:50:29 +] "GET /some/page HTTP/1.1" 403 1108
// Got auth failed;
10.***.***.132 - CN=someanotheruser, OU=**, O=company, L=Kiev,
ST=Unknown, C=UA [30/Jan/2014:16:17:29 +] "GET /some/page
HTTP/1.1" 200 81 // Normal result.

I only think about may be some difference in browser's configs... But
which exactly? Or - something another?

Unfortunately - we haven't access to tcpdump and ssldump now, so I
can't check for details.

Thanks for any tips/links.

 


Re: ssl without keystorePass in open text in server.xml

2014-01-30 Thread Арсений Зинченко
Why are plain text passwords in the config files? Because there is no good
way to "secure" them. When Tomcat needs to connect to a database, it needs
the original password. While the password could be encoded, there still
needs to be a mechanism to decode it. And since the source to Tomcat is
freely available, the attacker would know the decoding method. So at best,
the password is obscured - but not really protected.

http://wiki.apache.org/tomcat/FAQ/Password


2014/1/30 Mark Thomas 

> On 30/01/2014 09:46, Ja kub wrote:
> > is it possible not to write keystorePass in open text server.xml, and
> make
> > tomcat to ask for it at startup ?
> > or specify only some hash of it (rather not possible) ?
>
> http://wiki.apache.org/tomcat/FAQ/Password
>
> Mark
>


Re: JAVA_OPTS vs CATALINA_OPTS

2014-01-28 Thread Арсений Зинченко
Thanks for your reply, Neven.
Eventually - I decided to heed advices and remove JAVA_OPTS at all. So -
now using only CATALINA_OPTS in /bin/setenv.bat.


2014/1/28 Neven Cvetkovic 

> On Tue, Jan 28, 2014 at 4:00 AM, Арсений Зинченко wrote:
> >
> >  About point 4 - this is main goal: as we have few Java-applications
> > running
> > in this very system - they must use "global" memory options, that's why I
> > suggested set System variable JAVA_OPTS. But namely Tomcat - must use
> > another memory parameters.
> >
>
> Arsenije,
>
> That's one way of doing it, yes.  My personal preference is to keep
> system-wide settings empty, and then size each Java process separately (in
> their corresponding startup script). Having said that, it really depends on
> type of applications you are running on you system. Are they same type of
> applications, or are they significantly different? If different, I probably
> want to size them differently, and customize each one of them. Yes, it is
> easy to set default values in the JAVA_OPTS globally, but that's rarely
> what I want for my applications.
>
> Also, others pointed out - it is confusing to see both JAVA_OPTS and
> CATALINA_OPTS both setting up -Xmx and -Xms values. Ultimately, everything
> boils down to a single line:
>
> java.exe %JAVA_OPTS% %CATALINA_OPTS% ...
> java.exe -Xmx1G -Xms512M -Xmx4G -Xms2G ...
>
> Yes, the later will override former parameter, but I wouldn't count on it
> :)
>
> Think if you need to add another Java process that requires 4G, how would
> you set the size of memory of that process?
>
> So, unless all Java applications on that box (you said you had only few) -
> are of similar type and require same sizing, I wouldn't use JAVA_OPTS
> system-wide setting.
>
>
> >
> > So, if I correctly understood - for me better solution will be:
> >
> > 1) set CATALINA_OPTS with Xmx4G etc - in /bin/setenv.bat;
> > 2) set JAVA_OPTS with Xmx1G etc - as system variable.
> >
> > Yep?
> >
>
> It is TOMCAT_HOME/bin/setenv.bat (wherever you installed Tomcat).
>
> Yes, that is one possible solution, if all your Java apps need to be sized
> the same.
>
> I prefer sizing each Java application separately in a script that starts
> it.
>
> Hope that helps!
> n.
>


Re: JAVA_OPTS vs CATALINA_OPTS

2014-01-28 Thread Арсений Зинченко
A lot of thanks, Neven! This is perfect explanation - considering my
English :-)

About point 4 - this is main goal: as we have few Java-applications running
in this very system - they must use "global" memory options, that's why I
suggested set System variable JAVA_OPTS. But namely Tomcat - must use
another memory parameters.

So, if I correctly understood - for me better solution will be:

1) set CATALINA_OPTS with Xmx4G etc - in /bin/setenv.bat;
2) set JAVA_OPTS with Xmx1G etc - as system variable.

Yep?



2014/1/28 André Warnier 

> Арсений Зинченко wrote:
>
>> OK, thanks - I'll do it from now (really - never used this file before,
>> just now found reference to it in catalina.bat) . But - last question,
>> please: in setenv.bat - must be used CATALINA_OPTS or JAVA_OPTS?
>>
>>
> Ok, let us be really clear here.
>
> 1) The command to *stop* Tomcat starts *another* instance of Java JVM (and
> Tomcat), *just* to send a stop signal to the running Tomcat. And after
> that, this second instance of Java and Tomcat exits.
>
> 2) Options given in JAVA_OPTS are used in *both* the command to start and
> to stop Tomcat.
> Options given in CATALINA_OPTS are used *only* in the command that starts
> Tomcat, and not in the command that stops Tomcat.
> In other words :
> - startup.(bat|sh) : java %JAVA_OPTS% %CATALINA_OPTS% tomcat-stuff
> - shutdown.(bat|sh) : java %JAVA_OPTS% tomcat-stuff
>
> That is just the way that these command files are written.
>
> 3) So,
> - if you use JAVA_OPTS to indicate a Heap of 4 GB, then this Heap of 4 GB
> will be allocated :
>   - for the JVM instance that starts and runs Tomcat (which is what you
> want)
>   - but *also* for the JVM instance that stops Tomcat (which you probably
> do not want, just to send a stop signal)(because then, just for a short
> moment, you need 4 + 4 = 8 GB of Heap)
>
> - if you use CATALINA_OPTS to indicate a Heap of 4 GB, then this Heap will
> be allocated
> - *only* for the JVM instance which starts and runs Tomcat
> - and *not* for JVM instance that stops Tomcat (that one will use a
> minimal Heap, so the total would be only 4 + 0.1 GB)
>
> 4) and if you make either one of the above be a general "system variable",
> then they will be used by *any* Java JVM that you start on that system.
>  This is probably not what you want either, so don't do that.
>
>
>
>
>


Re: JAVA_OPTS vs CATALINA_OPTS

2014-01-27 Thread Арсений Зинченко
OK, thanks - I'll do it from now (really - never used this file before,
just now found reference to it in catalina.bat) . But - last question,
please: in setenv.bat - must be used CATALINA_OPTS or JAVA_OPTS?


2014/1/27 Christopher Schultz 

> Арсений,
>
> On 1/27/14, 10:58 AM, Арсений Зинченко wrote:
> > Thanks, Christopher.
> >
> > OK, what about next:
> >
> > Set JAVA_OPTS as system variable (for all other applications); and
> > create setenv.bat in /bin/ directory with CATALINA_OPTS with
> > Xmx/Xms for Tomcat?
> >
> > Will it be more correct than setting CATALINA_OPTS as a System
> > variable? Or - by the way, in setenv.bat must JAVA_OPTS be used
> > too?
> >
> >
> > 2014/1/27 Christopher Schultz 
> >
> > Арсений,
> >
> > On 1/27/14, 9:21 AM, Арсений Зинченко wrote:
> >>>> We have a little dispute with my colleague about using these
> >>>> variables.
> >>>>
> >>>> So: have Windows-box machine. On it - running few different
> >>>> Java-application, including Tomcat.
> >>>>
> >>>> Needs to set memory for Tomcat other, than for all other
> >>>> Java-applications.
> >>>>
> >>>> My proposal is set to System variables:
> >>>>
> >>>> JAVA_OPTS "-Xmx1024M -Xms512M -XX:MaxPermSize512M"
> >>>> CATALINA_OPTS "-Xmx4096M -Xms2048M -XX:MaxPermSize=1024M"
> >>>>
> >>>> But, as he asserts - this is not correct way:
> >>>>
> >>>>
> >>>> - CATALINA_OPTS must NOT contain memory limits like "Xmx",
> >>>>   "Xms" etc;
> >>>> - Java Garbage collector will work differently because
> >>>>   JAVA_OPTS have another opts for memory than CATALINA_OPTS,
> >>>>   so - this will worsen Tomcat performance;
> >>>> - and so on
> >
> > Tomcat runs Java roughly in this way:
> >
> > $JAVA_HOME/bin/java $JAVA_OPTS $CATALINA_OPTS  \
> > org.apache.catalina.startup.Bootstrap
> >
> > If you have these options configured using both environment
> > variables, then CATALINA_OPTS (the later one) will win because
> > that's how the JVM parses arguments: the last one on the
> > command-line wins. So, it's perfectly safe to do what you have
> > described above.
> >
> > On the other hand, note that since JAVA_OPTS specifies 0.5GiB of
> > heap space for when you are /not/ launching Tomcat, then running
> > "bin\shutdown.bat" will pre-allocate 0.5GiB of heap space just to
> > send the "shutdown" command to a running Tomcat instance, and then
> > terminate. It's kind of a waste.
> >
> > I totally agree with Dan's comments about how using "system
> > variables": just use bin/setenv.bat and keep everything locally.
> >
> >>>> His suggestion is to set JAVA_OPTS with memory limits exactly
> >>>> to Tomcat startup script (not as system variable at all).
> >
> > +1
> >
> >>>> So, my question is: is it correct to set memory limits for
> >>>> Tomcat via CATALINA_OPTS variable? If in system also present
> >>>> JAVA_OPTS - will it have influence on to Tomcat's
> >>>> performance?
> >
> > See above.
> >
> > -chris
>
> I would always recommend that you use bin/setenv.sh (or
> bin\setenv.bat) because you can then set the value differently for
> each Tomcat instance that you have. This becomes an issue if you have
> many different Tomcat instances, which I tend to do.
>
> -chris


Re: JAVA_OPTS vs CATALINA_OPTS

2014-01-27 Thread Арсений Зинченко
Thanks, Christopher.

OK, what about next:

Set JAVA_OPTS as system variable (for all other applications); and create
setenv.bat in /bin/ directory with CATALINA_OPTS with Xmx/Xms for Tomcat?

Will it be more correct than setting CATALINA_OPTS as a System variable? Or -
by the way, in setenv.bat must JAVA_OPTS be used too?


2014/1/27 Christopher Schultz 

> Арсений,
>
> On 1/27/14, 9:21 AM, Арсений Зинченко wrote:
> > We have a little dispute with my colleague about using these
> > variables.
> >
> > So: have Windows-box machine. On it - running few different
> > Java-application, including Tomcat.
> >
> > Needs to set memory for Tomcat other, than for all other
> > Java-applications.
> >
> > My proposal is set to System variables:
> >
> > JAVA_OPTS "-Xmx1024M -Xms512M -XX:MaxPermSize512M"
> > CATALINA_OPTS "-Xmx4096M -Xms2048M -XX:MaxPermSize=1024M"
> >
> > But, as he asserts - this is not correct way:
> >
> >
> > - CATALINA_OPTS must NOT contain memory limits like "Xmx", "Xms"
> >   etc;
> > - Java Garbage collector will work differently because
> >   JAVA_OPTS have another opts for memory than CATALINA_OPTS, so -
> >   this will worsen Tomcat performance;
> > - and so on
>
> Tomcat runs Java roughly in this way:
>
> $JAVA_HOME/bin/java $JAVA_OPTS $CATALINA_OPTS  \
>  org.apache.catalina.startup.Bootstrap
>
> If you have these options configured using both environment variables,
> then CATALINA_OPTS (the later one) will win because that's how the JVM
> parses arguments: the last one on the command-line wins. So, it's
> perfectly safe to do what you have described above.
>
> On the other hand, note that since JAVA_OPTS specifies 0.5GiB of heap
> space for when you are /not/ launching Tomcat, then running
> "bin\shutdown.bat" will pre-allocate 0.5GiB of heap space just to send
> the "shutdown" command to a running Tomcat instance, and then
> terminate. It's kind of a waste.
>
> I totally agree with Dan's comments about how using "system
> variables": just use bin/setenv.bat and keep everything locally.
>
> > His suggestion is to set JAVA_OPTS with memory limits exactly to
> > Tomcat startup script (not as system variable at all).
>
> +1
>
> > So, my question is: is it correct to set memory limits for Tomcat
> > via CATALINA_OPTS variable? If in system also present JAVA_OPTS -
> > will it have influence on to Tomcat's performance?
>
> See above.
>
> -chris
>
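The behaviour described in this thread, as an added sketch (not code from the thread or from Tomcat's own scripts): the start command receives JAVA_OPTS followed by CATALINA_OPTS, the stop command receives JAVA_OPTS only, and the last occurrence of a flag wins. The heap values are the ones proposed in the thread; the function names are made up for this example.

```shell
#!/bin/sh
# Sample values taken from the proposal in the thread (heap flags only).
JAVA_OPTS="-Xmx1024M -Xms512M"
CATALINA_OPTS="-Xmx4096M -Xms2048M"

# Options passed to java for a given action, following the thread's
# description: start gets JAVA_OPTS then CATALINA_OPTS, stop gets
# JAVA_OPTS only. (Hypothetical helper, not part of Tomcat.)
jvm_args() {
    case "$1" in
        start) printf '%s %s\n' "$JAVA_OPTS" "$CATALINA_OPTS" ;;
        stop)  printf '%s\n' "$JAVA_OPTS" ;;
        *)     return 2 ;;
    esac
}

# Value of the LAST occurrence of a flag prefix (e.g. -Xmx) in an option
# string, since the last one on the command line wins. Prints an empty
# line when the flag is absent, meaning the JVM default applies.
effective() {
    prefix=$1; shift
    value=
    for arg in $*; do    # deliberate word splitting, as a launcher would do
        case "$arg" in
            "$prefix"*) value=${arg#"$prefix"} ;;
        esac
    done
    printf '%s\n' "$value"
}

# Heap ceiling of the JVM launched for "start" or "stop".
heap_for() {
    effective -Xmx "$(jvm_args "$1")"
}

# Report what each JVM would get with the current variables.
for action in start stop; do
    printf '%-5s -Xmx=%s\n' "$action" "$(heap_for "$action")"
done
```

Moving the heap flags out of JAVA_OPTS and into CATALINA_OPTS (for example in bin/setenv.sh or bin\setenv.bat) leaves the stop JVM with no explicit -Xmx.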


Re: JAVA_OPTS vs CATALINA_OPTS

2014-01-27 Thread Арсений Зинченко
Hi, Dan. Thanks for the reply.

> The JVM is only going to accept one value for Xmx and Xms.  Specifying the
> same options in JAVA_OPTS and CATALINA_OPTS would just be confusing.

As I said before - we have a few Java applications on the same machine. So - for
them needs to set Xmx 1G, but for Tomcat - 4G.

> Don’t set these as system variables.  You’d want to define them in
> setenv.bat
> Again, don’t set system variables for these.  There’s no reason to set
> them system wide.

Same reason - a few Java applications which all need the same Java_opts (excluding
Tomcat).

> Since you’re on Windows, you’re probably running as a service and that’s
> going to be a bit different

No, Tomcat is started via command line (rather - from a .bat script which calls
%catalina_home%/bin/startup.bat).


2014/1/27 Daniel Mikusa 

> On Jan 27, 2014, at 9:21 AM, Арсений Зинченко  wrote:
>
> > Hi.
> >
> > I'm sorry for so kindly question - but needs experts advice...
> >
> > We have a little dispute with my colleague about using these variables.
> >
> > So: have Windows-box machine. On it - running few different
> > Java-application, including Tomcat.
> >
> > Needs to set memory for Tomcat other, than for all other
> > Java-applications.
> >
> > My proposal is set to System variables:
> >
> > JAVA_OPTS "-Xmx1024M -Xms512M -XX:MaxPermSize512M"
> > CATALINA_OPTS "-Xmx4096M -Xms2048M -XX:MaxPermSize=1024M"
>
> Don’t set these as system variables.  You’d want to define them in
> setenv.bat if you’re running from the command prompt or with the Windows
> Service utility (either [1] or [2]), if you’re running as a service.
>
> >
> > But, as he asserts - this is not correct way:
> >
> >
> >   - CATALINA_OPTS must NOT contain memory limits like "Xmx", "Xms" etc;
>
> There are no restrictions to what you can set in CATALINA_OPTS.  You could
> put your memory setting there if you wanted.  Having said that, if you’re
> running as a Windows service then you wouldn’t.  You'd set your heap memory
> settings through the service wrapper (either [1] or [2]).
>
> If you’re running from the console (not likely) or on Linux / Unix then
> you’d set your heap settings in the setenv.sh|bat script.  Again, you could
> put memory settings in CATALINA_OPTS or in JAVA_OPTS.  Setting them in
> CATALINA_OPTS is generally a better choice though because settings in
> CATALINA_OPTS are only applied when Tomcat is started.  If you set them in
> JAVA_OPTS then they’ll be applied when you start and stop the instance,
> something you probably don’t want for your heap settings.
>
> >   - Java Garbage collector will work differently because JAVA_OPTS have
> >   another opts for memory than CATALINA_OPTS, so - this will worsen Tomcat
> >   performance;
>
> I’m not sure I follow your logic here.  The JVM is only going to accept
> one value for Xmx and Xms.  Specifying the same options in JAVA_OPTS and
> CATALINA_OPTS would just be confusing.
>
> >   - and so on
> >
> > His suggestion is to set JAVA_OPTS with memory limits exactly to Tomcat
> > startup script (not as system variable at all).
>
> Again, don’t set system variables for these.  There’s no reason to set
> them system wide.
>
> >
> > So, my question is: is it correct to set memory limits for Tomcat via
> > CATALINA_OPTS variable?
>
> Generally, but it depends on how you are starting Tomcat.  Since you’re on
> Windows, you’re probably running as a service and that’s going to be a bit
> different.  See above comments.
>
> > If in system also present JAVA_OPTS - will it have influence on to
> > Tomcat's performance?
>
> I think I answered this above.  If it’s not clear, let me know.
>
> >
> > Thanks.
>
> Dan
>
> [1] -
> http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html#Command_line_parameters
> [2] -
> http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html#Tomcat7w_monitor_application
>


JAVA_OPTS vs CATALINA_OPTS

2014-01-27 Thread Арсений Зинченко
Hi.

I'm sorry for so kindly question - but needs experts advice...

We have a little dispute with my colleague about using these variables.

So: have Windows-box machine. On it - running few different
Java-application, including Tomcat.

Needs to set memory for Tomcat other, than for all other Java-applications.

My proposal is set to System variables:

JAVA_OPTS "-Xmx1024M -Xms512M -XX:MaxPermSize512M"
CATALINA_OPTS "-Xmx4096M -Xms2048M -XX:MaxPermSize=1024M"

But, as he asserts - this is not correct way:


   - CATALINA_OPTS must NOT contain memory limits like "Xmx", "Xms" etc;
   - Java Garbage collector will work differently because JAVA_OPTS have
   another opts for memory than CATALINA_OPTS, so - this will worsen Tomcat
   performance;
   - and so on

His suggestion is to set JAVA_OPTS with memory limits exactly to Tomcat
startup script (not as system variable at all).

So, my question is: is it correct to set memory limits for Tomcat via
CATALINA_OPTS variable? If in system also present JAVA_OPTS - will it
have influence on to Tomcat's performance?

Thanks.


Re: Tomcat JBDCRealm with Oracle DB

2013-12-16 Thread Арсений Зинченко
No errors, but I already found the cause of the problem - I forgot to run `commit` in
SQLPLUS after adding rows with username&role. :-( Thanks for the reply.


2013/12/16 André Warnier 

> Арсений Зинченко wrote:
>
>> Hi.
>>
>> I configured two JDBCRealm's - for MySQL and Oracle databases.
>>
>> Both DB have same tables with same content:
>>
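>> mysql> show tables;
>> +----------------------+
>> | Tables_in_tmc_access |
>> +----------------------+
>> | user_roles           |
>> | users                |
>> +----------------------+
>>
>> mysql> desc user_roles;
>> +-----------+--------------+------+-----+---------+-------+
>> | Field     | Type         | Null | Key | Default | Extra |
>> +-----------+--------------+------+-----+---------+-------+
>> | user_name | varchar(100) | NO   | PRI | NULL    |       |
>> | role_name | varchar(100) | NO   | PRI | NULL    |       |
>> +-----------+--------------+------+-----+---------+-------+
>> 2 rows in set (0.00 sec)
>>
>> mysql> desc users;
>> +-----------+--------------+------+-----+---------+-------+
>> | Field     | Type         | Null | Key | Default | Extra |
>> +-----------+--------------+------+-----+---------+-------+
>> | user_name | varchar(100) | NO   | PRI | NULL    |       |
>> | user_pass | varchar(100) | NO   |     | NULL    |       |
>> +-----------+--------------+------+-----+---------+-------+
>> 2 rows in set (0.00 sec)
>>
>> mysql> select * from users,user_roles;
>> +------------+-----------+------------+------------+
>> | user_name  | user_pass | user_name  | role_name  |
>> +------------+-----------+------------+------------+
>> | indexadmin | password  | indexadmin | indexadmin |
>> +------------+-----------+------------+------------+
>> 1 row in set (0.00 sec)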
>>
>> Oracle:
>>
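>> SQL> SELECT table_name FROM user_tables;
>>
>> TABLE_NAME
>> ------------------------------
>> TMC_USERS_SET
>> USER_ROLES_SET
>>
>> SQL> desc USER_ROLES_SET;
>>  Name                                      Null?    Type
>>  ----------------------------------------- -------- ----------------------------
>>  USER_NAME                                 NOT NULL VARCHAR2(100)
>>  ROLE_NAME                                 NOT NULL VARCHAR2(100)
>>
>> SQL> desc TMC_USERS_SET;
>>  Name                                      Null?    Type
>>  ----------------------------------------- -------- ----------------------------
>>  USER_NAME                                 NOT NULL VARCHAR2(100)
>>  USER_PASS                                 NOT NULL VARCHAR2(100)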
>>
>>
>> SQL> select * from TMC_USERS_SET,USER_ROLES_SET;
>>
>> USER_NAME
>> 
>> 
>> USER_PASS
>> 
>> 
>> USER_NAME
>> 
>> 
>> ROLE_NAME
>> 
>> 
>> indexadmin
>> password
>> indexadmin
>> indexadmin
>>
>> server.xml config:
>>
>> 
>>
>>
>>
>>   >  driverName="oracle.jdbc.driver.OracleDriver"
>>   connectionURL="jdbc:oracle:thin:@oraclehost:1521:correctscheme"
>>  connectionName="tmc" connectionPassword="tmc"
>>   userTable="tmc_users_set" userNameCol="user_name"
>> userCredCol="user_pass"
>>   userRoleTable="user_roles_set" roleNameCol="role_name" />
>>
>> web.xml:
>>
>>
>> 
>>
>>   
>> Restricted Area
>> /index.jsp
>>   
>>
>>   
>> indexadmin
>>   
>>
>> 
>>
>> 
>>   BASIC
>> 
>>
>> 
>>   indexadmin
>> 
>>
>>
>> So, when I switch config to Oracle Realm - it is not working (just return
>> again login-window)... With MySQL - working perfect.
>>
>> What am I doing wrong?
>>
>>
> Not looking at the Tomcat logfiles ?
>


Tomcat JBDCRealm with Oracle DB

2013-12-16 Thread Арсений Зинченко
Hi.

I configured two JDBCRealm's - for MySQL and Oracle databases.

Both DB have same tables with same content:

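mysql> show tables;
+----------------------+
| Tables_in_tmc_access |
+----------------------+
| user_roles           |
| users                |
+----------------------+

mysql> desc user_roles;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| user_name | varchar(100) | NO   | PRI | NULL    |       |
| role_name | varchar(100) | NO   | PRI | NULL    |       |
+-----------+--------------+------+-----+---------+-------+
2 rows in set (0.00 sec)

mysql> desc users;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| user_name | varchar(100) | NO   | PRI | NULL    |       |
| user_pass | varchar(100) | NO   |     | NULL    |       |
+-----------+--------------+------+-----+---------+-------+
2 rows in set (0.00 sec)

mysql> select * from users,user_roles;
+------------+-----------+------------+------------+
| user_name  | user_pass | user_name  | role_name  |
+------------+-----------+------------+------------+
| indexadmin | password  | indexadmin | indexadmin |
+------------+-----------+------------+------------+
1 row in set (0.00 sec)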

Oracle:

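SQL> SELECT table_name FROM user_tables;

TABLE_NAME
------------------------------
TMC_USERS_SET
USER_ROLES_SET

SQL> desc USER_ROLES_SET;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 USER_NAME                                 NOT NULL VARCHAR2(100)
 ROLE_NAME                                 NOT NULL VARCHAR2(100)

SQL> desc TMC_USERS_SET;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 USER_NAME                                 NOT NULL VARCHAR2(100)
 USER_PASS                                 NOT NULL VARCHAR2(100)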


SQL> select * from TMC_USERS_SET,USER_ROLES_SET;

USER_NAME

USER_PASS

USER_NAME

ROLE_NAME

indexadmin
password
indexadmin
indexadmin

server.xml config:





  

web.xml:




  
Restricted Area
/index.jsp
  

  
indexadmin
  




  BASIC



  indexadmin



So, when I switch config to Oracle Realm - it is not working (just return
again login-window)... With MySQL - working perfect.

What am I doing wrong?