encrypt the database password
Hi All, There is a tomcat server with some database setup. cd apache-tomcat-6.0.29/conf cat server.xml Resource auth=Container driverClassName=oracle.jdbc.driver.OracleDriver factory=oracle.jdbc.pool.OracleDataSourceFactory maxActive=20 maxIdle=10 maxWait=-1 name=jdbc/abc password=abcADMIN type=oracle.jdbc.pool.OracleDataSource url=jdbc:oracle:thin:@localhost:1521:mydb user=abc / So which the plain password, end user may get the password directly. How can create encrypted password within server.xml
Re: Tomcat user roles
Thanks to all for the explanation. I have a new question regarding the admin role. With default setup, if I login as admin, I can start,stop, undeploy and deploy the application. Now, because the admin password has been shared by team, and I can't not share it with team. So I plan to disable undeploy and deploy function from the web admin URL for the admin account. If anyone need deploy new version, they have to login the Unix box to do it manually. With that I can trace and have records easily. So I edit the file webapps/manager/WEB-INF/web.xml, and remove all the xml sessions for remove, install, undeploy, deploy and save. But after I restart the tomcat server, *I still can deploy and undeploy*. Something I missed? part of tomcat-users.xml role rolename=manager/ role rolename=tomcat/ role rolename=admin/ role rolename=role1/ role rolename=monitoring/ user username=admin password=XXX roles=admin,manager/ user username=monitoring password=XXX roles=monitoring/ Below are the lines I remove from the web.xml file. servlet-mapping servlet-nameManager/servlet-name url-pattern/install/url-pattern /servlet-mapping servlet-mapping servlet-nameManager/servlet-name url-pattern/remove/url-pattern /servlet-mapping servlet-mapping servlet-nameManager/servlet-name url-pattern/deploy/url-pattern /servlet-mapping servlet-mapping servlet-nameManager/servlet-name url-pattern/undeploy/url-pattern /servlet-mapping url-pattern/remove/url-pattern url-pattern/deploy/url-pattern url-pattern/undeploy/url-pattern url-pattern/reload/url-pattern I don't find the admin part in web.xml. Regards, Bill On Wed, Nov 30, 2011 at 5:25 AM, Mark Thomas ma...@apache.org wrote: On 29/11/2011 17:05, Christopher Schultz wrote: Mark, On 11/29/11 11:15 AM, ma...@apache.org wrote: Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bill, On 11/28/11 7:08 PM, Bill Wang wrote: Here I have the last question, what's the reload option, is it same as stop/start? According to markt (who is known to be occasionally trustworthy): reload = stop + start I'm pretty sure I didn't say that. Sorry, you said: On 11/25/11 12:47 PM, Mark Thomas wrote: There is no such command as restart. You'll need: url-pattern/html/stop/url-pattern url-pattern/html/start/url-pattern I drew my own (perhaps incorrect) conclusion from that. In short: reload != restart Fuller explanation below. There is a subtle but important difference. Mark Reload keeps the same Context object (and doesn't reread the Context config) but does re-read web.xml and allows Jars to be updated. Stop/start creates a new Context object (as well as re-reading web.xml) and is therefore is a full restart of the context. Reload is sort of half a restart. There is no single command equivalent to stop/start. Gotcha. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
Thanks for everyone who replied me. I successfully did it. Now on-call team can stop/start the tomcat instances by themselves, but with other action,such as deploy, undeploy, check server status, they will get access denied . * * That's perfect. Here I have the last question, what's the reload option, is it same as stop/start? If it is, maybe I just need assign /html/reload to on-call team Regards, Bill On Sat, Nov 26, 2011 at 5:53 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 11/25/11 12:47 PM, Mark Thomas wrote: There is no such command as restart. You'll need: url-pattern/html/stop/url-pattern url-pattern/html/start/url-pattern Whoops. Thanks for catching that. You'll probably want: url-pattern/html/list/url-pattern as well. +1 - -chrs -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEUEARECAAYFAk7P5EAACgkQ9CaO5/Lv0PANjgCgt7PvxplfvSpeR3Z7TJF8+kHN S9QAl3kZqiTIxMiGyI27YJmz7zVZ11U= =OHNN -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat user roles
Hi Mark, Thanks, with your help, I find out this link: http://onjava.com/onjava/2001/07/24/tomcat.html, seems you need me setup MemoryRealm, then setup security constraint in webapps/manager/WEB-INF/web.xml There is an exist role manager , I try to understand it and add a new role restart in this web.xml, always get permission deny. So could you please give some instruction on how to setup below URL to that role restart only? http://hostname:8181/manager/html/stop?path=/APPNAME http://hostname:8181/manager/html/start?path=/APPNAME Regards, Bill On Thu, Nov 24, 2011 at 7:06 PM, ma...@apache.org wrote: Bill Wang bw57...@gmail.com wrote: Hi Tomcat guru, I have questions for the tomcat user roles setup. On-call team (24*7 support) need permission to restart one tomcat services, if they get call. I think it is maybe possible to let them restart tomcat throught Tomcat Web Application Manager (the admin url http://server:port/manager) My request is, I can't give the admin username and password directly to on-call team, admin account can not only restart the application, it can deploy and undeploy applications, that's too dangerous. So how can I setup the tomcat-users.xml or other config file to let on-call team has only permission to restart that particular application, not else. Regards, Bill You can create a new role in web.xml called restart and limit it to the list, start and stop commands since each command is part of the URL. Then you assign that role to a new user in your Realm. I'm on my phone so can't give an exact example. If that isn't enough info, I'm sure someone else can fill in the gaps for you. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat user roles
Hi Tomcat guru, I have questions for the tomcat user roles setup. On-call team (24*7 support) need permission to restart one tomcat services, if they get call. I think it is maybe possible to let them restart tomcat throught Tomcat Web Application Manager (the admin url http://server:port/manager) My request is, I can't give the admin username and password directly to on-call team, admin account can not only restart the application, it can deploy and undeploy applications, that's too dangerous. So how can I setup the tomcat-users.xml or other config file to let on-call team has only permission to restart that particular application, not else. Regards, Bill
Re: two questions about the session timeout in tomcat
Hi Chris, Pid Geroge, Thanks to everyone who replied my mail. I try to answer your questions in one mail. 1. I access the admin interface by manager app. I'd like to have exist command to run and get the report easily, if there is no the command, I will think to use wget | crul. 2. The application with sessions under 60 normally has no issue. But when the session go up to 80 ~ 100, I start to get calls from the customer. It happens many times at random time. Sometime I have to restart it, without any changes, after restart, customer can continuous use it. This performance issue is very annoying. 3. From Chris explanation, looks to change the timeout to 30 minutes will be good idea, since I don't care of the end users to login the system more frequently, I need more stable system. The server has other heavy applications running, CPU load is always up to 10 ~ 20, available physical memory is not too much (10GB). 4. We are doing the troubleshooting on this application recently and don't find too much can be done. Check with network and DBA team, they all report me there is no issue. Contacted with Developers who maintain the tomcat app codes, they said the code running in their testing environment is fine. I am planned to do some load testing, but it is just in plan. 5. @ Pid: Can you explain me more detail on how to do with your suggestion, I am not developer, don't write codes, my role in this project is to setup the webserver, tomcat service and make it running and stable. *** The session count per application can be read via a JMX connection and a request to the appropriate MBean. *** 6. @ Geroge Sorry, I don't understand your question. We DO have Oracle Database in the backend. *** Are you storing objects on the session, in particular JDBC connections or result sets? *** Regards Bill On Sat, Oct 8, 2011 at 1:23 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Bill, On 10/6/2011 7:20 PM, Bill Wang wrote: Recently one of Tomcat application has performance issue, which get slow respond with high sessions. Can you give us some numbers? At what point do things slow down, and by how much do they slow down? One team member recommend me to adjust the session timeout from 60 minutes to 30 minutes. I will do that, but before change it, I'd like to understand how the performance related with the expire session timeout. session-timeout60/session-timeout I'm not sure performance will change at all when changing the session timeout. Tomcat runs session-expiration tasks periodically, and the performance of that has more to do with the number of total sessions than the timeout itself. If you have lots of sessions that must timeout instead of being explicitly invalidated (i.e. people close their browsers instead of logging-out), then you will have a lot of wasted memory that may prevent the garbage collector from working efficiently. It's best to destroy sessions as soon as they are not needed, so short session timeouts can help with that. On the other hand, you want to give users a reasonable amount of time to get a cup of coffee, etc. without forcing them to re-login every time. You'll have to determine what is an appropriate amount of time for your users. There is another option: selectively extend the session timeout for certain sessions, or for certain operations. If a user enters a flow that is expected to take a long time or the consequences of having the session time out are frustrating (i.e. you have to re-enter tons of data), you can change the session timeout for that one session to be longer than the default. When the flow is over, you can re-set it back to the default. We do that for a number of tasks in our webapp, for instance. Second, currently I monitor the session count by login the admin interface, Do you mean using the manager app? the manual way is not efficiency, can I run some commands to get the sessions number? With that I can set a cronjob and generate the session report easily. If you have the manager app deployed, you can use the text or XML interfaces from the command-line instead of the HTML interface. Simple use of wget, curl, etc. should allow you to do this kind of thing. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6PC2gACgkQ9CaO5/Lv0PBo3gCgvV7dAylXSz1vz3jRX2jmr1lE E9kAoMKnHUgOC5MEx31lz121tXT1aV8J =CGz3 -END PGP SIGNATURE
two questions about the session timeout in tomcat
Hi Tomcat Guru, Recently one of Tomcat application has performance issue, which get slow respond with high sessions. One team member recommend me to adjust the session timeout from 60 minutes to 30 minutes. I will do that, but before change it, I'd like to understand how the performance related with the expire session timeout. session-timeout60/session-timeout Second, currently I monitor the session count by login the admin interface, the manual way is not efficiency, can I run some commands to get the sessions number? With that I can set a cronjob and generate the session report easily. Regards, Bill
tomcat code in version control
Hi Tomcat expert, We have one tomcat application install in our tomcat server (apache-tomcat-6.0.29 + jre1.6.0_22) it is successfully deployed. Now we are thinking to source version control on it. Do I need import all below folders and files to version control, or some of them? bash-3.00$ ls META-INF WEB-INF help imagesjsp scripts src styles work For my understand, work folder is generated automatically, and no need source control. Any others can be excluded? Regards, Bill
Re: Accident: After app in one tomcat is deleted, the same app in another tomcat is disappeared.
Hi Konstantin Pid, Thank you for your reply. My tomcat is apache-tomcat-6.0.14, I start tomcat by bin/startup.sh and stop by bin/shutdown.sh There is no conf/Catalina/localhost/myapp.xml I find the folder Catalina/localhost under $CATALINE_HOME/work, but I don't find any xml file under it. There are some folders with same app name under webapp. As you recommend, I will check the log file, if I found anything, will let you know. Regards, Bill On Fri, Dec 3, 2010 at 9:38 PM, Pid p...@pidster.com wrote: On 12/3/10 5:23 AM, Konstantin Kolinko wrote: 2010/12/3 Bill Wang bw57...@gmail.com: Is it possible? I do not think that it is possible. Maybe you are running more than 2 tomcat instances (e.g. failed to stop some old one properly). Maybe one of them runs with wrong $CATALINA_HOME or wrong $CATALINA_BASE. Maybe one of them runs with root (nobody should configure their tomcats like that, but mention here for completeness). What are your exact Tomcat versions? What connectors do you use? How do you start them? (jsvc, scripts; are those versions from tomcat.apache.org, or repacked ones). Maybe you had symlinks somewhere. Maybe you deleted the xml files from ${catalina.base}/conf/Catalina/localhost. That also will cause undeployment. Anyway, when Tomcat autodeploys or undeploys a webapp, it prints relevant messages in its logs. What was the docBase in ${catalina.base}/conf/Catalina/localhost/myapp.xml? If you had a full path to the file in both, then both servers could have been loading the same .war, rather than the copy in the other location. This might cause both apps to unload, but it wouldn't delete .war files. p
Accident: After app in one tomcat is deleted, the same app in another tomcat is disappeared.
Hi All, Let me explain the situation. We got running tomcat with application ABC in /export/home/xyz/apache-tomcat/webapp/ABC, applicaiton ABC is deployed by ABC.war, and owner is xyz We plan to migrate to /opt/tomcat/apache-tomcat/webapp/ABC, so I install the second tomcat under /opt/tomcat, owner is tcadmin, Idid the adjust such as java path, catalina home path or others. account xyz and tcadmin are in different groups. Today, with the new tomcat running, I accident delete the war file under /opt/tomcat/apache-tomcat/webapp, then /opt/tomcat/apache-tomcat/webapp/ABC is disappeared. It is fine, I shouldn't clean war file when the services is running, then I'd like to copy the folder /export/home/xyz/apache-tomcat/webapp/ABC to /opt/tomcat/apache-tomcat/webapp/ABC. Then the strange thing happened. the old app: /export/home/xyz/apache-tomcat/webapp/ABC is disappeared. Is it possible? I have checked history, all commands running in both account: xyz and tcadmin. There is no any rm command running by xyz. So I need your help to give me the suggestion. Regards, Bill
Re: Any tools to detect tomcat services failure, and start it again automatically?
Thanks everyone, I simplify the problem with my own request. In our real env, only one application deployed in one apache-tomcat server. And application will always have its name under opt folder as: /opt/tomcat/APP_NAME/tomcat-VERSION/webapp/APP_NAME tomcat version: 5.5, 6.0.18, 6.0.29 Unix env:Solaris 8/10 I wrote a small script to detect the application status easily. $ cat tomcat_status instance=$1 status=$(/usr/ucb/ps -auwwwx |nawk '$1=$1' OFS=\n |nawk -F \/ -v s=$instance '/Dcatalina.home=/($4==s)') if [[ $status == ]]; then echo Application $instance is NOT running. exit 0 else echo Application $instance is running. exit 1 fi With that, I can detect the exit ID in cronjob, if find any application is not running, the cronjob will try to start it. This simple script has fixed my current problem, I will think to write another script, which will detect the application service status by error logs. Happy to share it to everyone, if you have any question regarding this script, just ask. Regards, Bill On Fri, Nov 12, 2010 at 4:17 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Pid, On 11/11/2010 3:40 AM, Pid wrote: You could set CATALINA_PID and check that the process ID* contained in the file is active. That is one way of doing things, but Tomcat might not be healthy even though the process is running. For instance, I can imagine the following scenarios where the process would be running, but not considered healthy: 1. Database connection pool is exhausted - possibly permanently 2. Request processing thread pool is exhausted - possibly permanently 3. JVM has experienced an OOME and parts of Tomcat may be unstable That last one is very difficult to detect. ;) In these cases, a Tomcat bounce might be the best action to take. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkzcJUMACgkQ9CaO5/Lv0PBwwgCgky9a2BYJuKrPLUMMSLp9vSZ/ 0bMAni/grbihuKLgPMG070pKJdBL5/Te =3jNj -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Any tools to detect tomcat services failure, and start it again automatically?
Thanks to Christopher , Rainer, and Rainer again. I will try to understand the jsvc. But for SMF, because we don't run tomcat as root, I am not sure if SMF can be set and run by normal user. I need check that first. My idea is, for most applications, normally I get three options: start, stop and status. But tomcat's catalina.sh has only two choices, startup and shutdown. I can't find exist command/script to show the tomcat status. If I can show the status, I can write the script to start the tomcat, when its status show tomcat service is down. So is it possible to ask tomcat develop team to write a general script or tool to detect tomcat status directly? Regards, Bill Christopher Schultz -BEGIN PGP SIGNE On Sat, Nov 6, 2010 at 6:59 AM, Rainer Jung rainer.j...@kippdata.de wrote: On 05.11.2010 16:17, Rainer Frey wrote: On Friday 05 November 2010 12:51:25 Bill Wang wrote: Hi All, I am searching the tool (or script) to be used for my tomcat env, that it can keep running as daemon in background, detect the tomcat services (several versions of tomcat). If it found the services don't run, or have failure, it will start it again automatically. I think I can put the script in cronjob, and run every 5 minutes, or by other way, please recommend. My env is: Solaris 10 with Apache-tomcat 6.0.29 or Jakarta-tomcat 6.0.18 Doesn't the Solaris 10 Service Management Framework provide that feature? You'd have to create an appropriate service script for tomcat though. Unforunately I only heard about the SMF from advertising, never used it myself. +1, if you primarily want to detect crashes, SMF is the way to go, at least if you like using what your platform provides. If you are looking for a more platform independent way jsvc is often used. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Any tools to detect tomcat services failure, and start it again automatically?
Hi All, I am searching the tool (or script) to be used for my tomcat env, that it can keep running as daemon in background, detect the tomcat services (several versions of tomcat). If it found the services don't run, or have failure, it will start it again automatically. I think I can put the script in cronjob, and run every 5 minutes, or by other way, please recommend. My env is: Solaris 10 with Apache-tomcat 6.0.29 or Jakarta-tomcat 6.0.18 Regards, Bill
How to stop tomcat to be run more than two times.
Hi all, I have installed apache-tomcat-6.0.29 on my solaris box, then i start the tomcat services succsfully. But my question is, when the tomcat services is running, I try to start it again, the script (startup.sh) don't stop me, and start the second tomcat services. So how can I let tomcat to check, if there are exist tomcat services, do not start? Regards, Bill