Re: help in setup ssl in tomcat
This is another link from verisign. SSL Certificates support. http://www.verisign.com/support/ssl-certificates-support/page_dev020184.html --- Richard S <[EMAIL PROTECTED]> wrote: > hi all > > I would like to establish public key > private key ssl setup in > tomcat. I dont know how to proceed please help me > regarding this. > > > regards > Richard > > > - > To unsubscribe, e-mail: > [EMAIL PROTECTED] > For additional commands, e-mail: > [EMAIL PROTECTED] > > __ Yahoo! DSL Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Question about tomcat bugzilla which is resolved but not fixed.
Hi, We've come across a problem in Tomcat 5.5.17 not completely dissimilar to the following issue: http://issues.apache.org/bugzilla/show_bug.cgi?id=33374 I notice that this issue has been marked fixed, but the comments on there indicate that the bug isnt actually fixed, and that the problem remains. Indeed, looking in the source of 5.5.25 it does not seem to contain the code in the patch in this issue. Can anyone answer why not? I wonder if i should attempt to patch the current 5.5.25 and try this fix to see if it solves our problem? Any other suggestions? ( The problem we have is threads in tomcat stuck in socketRead up to the maxThreads, yet no similar connections on apache webserver. (modjk)) Thanks, Dan Message sent using UebiMiau 2.7.10 - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Can you call an MBean programatically from the command line?
Hi, I use JProfiler amongst other tools and this has some useful MBeans which i'd like to activate at a given point from a scheduled job. All sounds very simple. However I cannot find a command line tool, perhaps similar to JConsole which allows me to execute a given MBean. Surely such a tool is available? If not then how hard would it be to write one? Thanks! Dan Message sent using UebiMiau 2.7.10 - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Windows Migration 5.5.23 to 6.0.18 - java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
I am migrating from 5.5.23 on Windows to 6.0.18. I have installed the Windows Service binary download and can start up the server fine with the installation defaults. I then point CATALINA_BASE to my actual tomcat base directory that I use for my project with 5.5.23 and I get the following: java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina at java.net.URLClassLoader$1.run(URLClassLoader.java:200) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:188) at java.lang.ClassLoader.loadClass(ClassLoader.java:306) at java.lang.ClassLoader.loadClass(ClassLoader.java:251) at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:215) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:390) What other changes should I make after installation? With 5.5.23 that was all that was necessary, is there another step to use a custom catalina base with 6.x? Are they not backwards-compatible in this sense? Thanks, Dan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Windows Migration 5.5.23 to 6.0.18 - java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
CATALINA_HOME is pointing there, that is the default from the installtion. Here is the view of the tomcat service params: -Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 6.0.18 -Dcatalina.base=c:\dev\tomcat -Djava.endorsed.dirs=C:\Program Files\Apache Software Foundation\Tomcat 6.0.18\endorsed -Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 6.0.18\temp -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Tomcat 6.0.18\conf\logging.properties Thanks, Dan -Original Message- From: Flavio Crispim [mailto:flavio.cris...@sulamerica.com.br] Sent: January-21-09 11:46 AM To: Tomcat Users List Subject: Re: Windows Migration 5.5.23 to 6.0.18 - java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina Hi Dan You need to set CATALINA_HOME variable pointingo to your installation directory. Flavio regards "Dan" gravou em 21/01/2009 14:27:27: > I am migrating from 5.5.23 on Windows to 6.0.18. I have installed the > Windows Service binary download and can start up the server fine with > the installation defaults. > > I then point CATALINA_BASE to my actual tomcat base directory that I > use for > my project with 5.5.23 and I get the following: > > java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina > at java.net.URLClassLoader$1.run(URLClassLoader.java:200) > at java.security.AccessController.doPrivileged(Native Method) > at java.net.URLClassLoader.findClass(URLClassLoader.java:188) > at java.lang.ClassLoader.loadClass(ClassLoader.java:306) > at java.lang.ClassLoader.loadClass(ClassLoader.java:251) > at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:215) > at > org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:390) > > What other changes should I make after installation? With 5.5.23 that > was all that was necessary, is there another step to use a custom > catalina base > with 6.x? Are they not backwards-compatible in this sense? > > Thanks, > > Dan > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Windows Migration 5.5.23 to 6.0.18 - java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
I haven't changed anything from the default installation. I did the following: 1. Installed 6.0.18 as windows service 2. Launch the service after a successful installation, no problems it starts. Tried the tomcat6.exe directly, no problems. 3. Click the service tray icon to change the -Dcatalina.base directory to c:\dev\tomcat 4. Restart the service, it fails with the classnotfound exception as noted, same if I use tomcat6.exe. The c:\dev\tomcat contains my webapps etc. so it has a bin/conf/logs/shared/webapps/ directories. I'm really stumped on this one as I've used tomcat for years with no problems. Is there a CLASSPATH environment variable that needs to exist? Thanks, Dan -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: January-21-09 12:16 PM To: Tomcat Users List Subject: RE: Windows Migration 5.5.23 to 6.0.18 - java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina > From: Dan [mailto:d...@tipjarawards.com] > Subject: RE: Windows Migration 5.5.23 to 6.0.18 - > java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina > > -Dcatalina.base=c:\dev\tomcat And what's under c:\dev\tomcat? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Windows Migration 5.5.23 to 6.0.18 - java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
I did read that but it didn't explicitly mention the change in the properties files etc. for classloader. I did expect the server to at least boot up with errors or something. Thanks for the help, will simply copy the installation default properties files to my base and should be good. Best, Dan -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: January-21-09 1:24 PM To: Caldarale, Charles R; Tomcat Users List Subject: RE: Windows Migration 5.5.23 to 6.0.18 - java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina > From: Caldarale, Charles R > Subject: RE: Windows Migration 5.5.23 to 6.0.18 - > java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina > > If you simply expect your 5.5 conf/server.xml and conf/*.properties > files to work in Tomcat 6, you're sadly mistaken. You might want to read this: http://tomcat.apache.org/migration.html - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: SSL Vulnerability in Tomcat and/or JVM?
I experienced this exact same issue with McAfee secure scan. If you are you using JSSE as your provider you should be okay. You can submit this as a false positive scan and let them know you are using JSSE instead of OpenSSL. You can check to see which provider you are using by looking at your connector. JSSE APR/OpenSSL Dan -Original Message- From: Brian Braun [mailto:brianbr...@gmail.com] Sent: Friday, September 14, 2012 1:06 AM To: Tomcat Users List Subject: SSL Vulnerability in Tomcat and/or JVM? Hi, In my site I'm using a certificate from www.securitymetrics.com. Today they disabled my certificate. This is supposed to be the main reason: Description: SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability Synoposis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services. Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data. If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized. Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via the registry key H KEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders \\SCHANNEL\\SendExtraRecord . Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while others may not, depending on whether or not a countermeasure has been enabled. Note that this script detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet browser). The detection at server-side does not necessarily mean your server is vulnerable to the BEAST attack because the attack exploits the vulnerability at client-side, and both SSL/TLS clients and servers can independently employ the split record countermeasure. See also : http://www.openssl.org/~bodo/tls-cbc.txt http://vnhacker.blogspot.com/2011/09/beast.html http://technet.microsoft.com/en-us/security/bulletin/ms12-006 http://support.microsoft.com/kb/2643584 http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-beast.aspxData Received: Negotiated cipher suite: EDH-RSA-DES- CBC3-SHA|SSLv3|Kx=DH|Au=RSA|Enc=3DES(168)|Mac=SHA1 Resolution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure. See http://support.microsoft.com/kb/2643584 for details. Risk Factor: Medium/ CVSS2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVE: CVE-2011-3389 This is supposed to explain it further: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389 What should I do? Should I modify the parameters in my Tomcat Connector? Should I upgrade my JVM? Should I upgrade Tomcat to a most recent version? Should I use Windows instead of Linux? (I'm joking with the last one!) Some information you may need to answer this: - Linux Centos 5.8 - I'm using an SSL certificate from geotrust, a very current one (as far as I know). - JVM: 1.6.0_11-b03 - Tomcat 7.0.10 (Even though I disguised it as 7.0.25, actually so securitymetrics don't bother me with some very obscure vulnerabilities that would force me to update it otherwise) - This is the relevant entry in my server.xml file: Thanks in advance! Brian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Populating Oracle v$session.program from Tomcat Context.xml
Hello all... We have some working tomcat 6 instances that we'd like to identify by querying the v$session.program field the oracle database they connect to. While there are no errors on startup for the tomcat instance, and we can connect to the database, nothing gets populated in v$session. This functionality seems to work for the oracle thin driver, but when I try using OCI nothing happens. The original field values persist. I've also tried the module and client_info fields, also with no luck. Here’s a sample from my resource block minus the extra stuff. I’ve posted this question to the oracle support forums with no luck, but I’m assuming more people here are running oracle than people there running tomcat. Any help would be greatly appreciated. Thanks, Dan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Populating Oracle v$session.program from Tomcat Context.xml
On Mon, Mar 14, 2011 at 10:57 AM, chris derham wrote: >> We have some working tomcat 6 instances that we'd like to identify > > > Can you use the combination of machine and schema name to identify the > instance? You didn't detail your environment, but if you have a cluster, > then the machine name would uniquely identify the instance. If you have > multiple different instances on the same machine, then surely the schema > name would allow you to identify which user it is? This covers all > possibilities unless you have different apps on the same machine in > different tomcat instances talking to the same schema. > > Chris > We are running all of our web-applications from two machines, and they all use the same schema/username, so unfortunately I need the program, client_info, module, etc field to identify them. We are running a RAC, and I'm querying gv$session which should get me all cluster member connections. As David said, this does work with the thin driver, but I need the service/load balancing functionality from OCI. Any more suggestions are welcome! - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Populating Oracle v$session.program from Tomcat Context.xml
On Mon, Mar 14, 2011 at 11:25 AM, Dan wrote: > On Mon, Mar 14, 2011 at 10:57 AM, chris derham wrote: >>> We have some working tomcat 6 instances that we'd like to identify >> >> >> Can you use the combination of machine and schema name to identify the >> instance? You didn't detail your environment, but if you have a cluster, >> then the machine name would uniquely identify the instance. If you have >> multiple different instances on the same machine, then surely the schema >> name would allow you to identify which user it is? This covers all >> possibilities unless you have different apps on the same machine in >> different tomcat instances talking to the same schema. >> >> Chris >> > > We are running all of our web-applications from two machines, and they > all use the same schema/username, so unfortunately I need the program, > client_info, module, etc field to identify them. > > We are running a RAC, and I'm querying gv$session which should get me > all cluster member connections. > > As David said, this does work with the thin driver, but I need the > service/load balancing functionality from OCI. Any more suggestions > are welcome! > Does anyone else have any additional thoughts on this? I'd sure appreciate more input. TIA, Dan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Populating Oracle v$session.program from Tomcat Context.xml
We'd like to be able to tell apart database sessions from the 15 or so tomcat applications we have running on our web-servers. Most of them use similar logins, so we can't query the username from gv$session. We were hoping to instead query to program field to tell them apart. We were able to make this functionality work with the thin client, but we'd rather use the OCI client because it allows our web-apps to reconnect to the database service after a loss of connectivity (say during a cluster node reboot). So far though we've had no luck in getting it to work with OCI. Most of the suggestions and info out on the web imply that the best way to do it with OCI is programmatically from the java app. That's the dilemma. Do we have to take the time to change our apps to populate the program field, or can we do it from the context.xml file from our app? On Tue, Mar 15, 2011 at 8:23 PM, Jorge Medina wrote: > What is the problem that you are trying to solve? > > On Mon, Mar 14, 2011 at 4:25 PM, Dan wrote: >> On Mon, Mar 14, 2011 at 11:25 AM, Dan wrote: >>> On Mon, Mar 14, 2011 at 10:57 AM, chris derham wrote: >>>>> We have some working tomcat 6 instances that we'd like to identify >>>> >>>> >>>> Can you use the combination of machine and schema name to identify the >>>> instance? You didn't detail your environment, but if you have a cluster, >>>> then the machine name would uniquely identify the instance. If you have >>>> multiple different instances on the same machine, then surely the schema >>>> name would allow you to identify which user it is? This covers all >>>> possibilities unless you have different apps on the same machine in >>>> different tomcat instances talking to the same schema. >>>> >>>> Chris >>>> >>> >>> We are running all of our web-applications from two machines, and they >>> all use the same schema/username, so unfortunately I need the program, >>> client_info, module, etc field to identify them. >>> >>> We are running a RAC, and I'm querying gv$session which should get me >>> all cluster member connections. >>> >>> As David said, this does work with the thin driver, but I need the >>> service/load balancing functionality from OCI. Any more suggestions >>> are welcome! >>> >> >> Does anyone else have any additional thoughts on this? I'd sure >> appreciate more input. >> >> TIA, >> >> Dan >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 11 & Request Attributes
We use Shibboleth SP, which passes request attributes from Apache over AJP to Tomcat; after upgrading from Tomcat 10.1 to Tomcat 11, the request attributes aren't coming over. Does anyone know of anything that changed in Tomcat 11 that might affect request attributes being passed over AJP? -- Thanks, Dan -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Is the HTTP/2 Rapid Reset Exploit still possible on 2.4.58?
2] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:50:49.170250 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:51:49.172490 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:52:49.175332 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:53:49.177549 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:54:49.180415 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:55:49.183590 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:56:49.186589 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:57:49.188894 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:58:49.191320 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:59:49.193887 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 14:00:49.197064 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 14:01:49.199302 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 Thanks! Dan -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: Is the HTTP/2 Rapid Reset Exploit still possible on 2.4.58?
Yep, wrong list. Sorry. On Mon, Nov 13, 2023 at 4:37 PM Chuck Caldarale wrote: > You may have the wrong mailing list - this one is for Tomcat, but your > query seems to be solely about Apache httpd. > > - Chuck > > > > > On Nov 13, 2023, at 16:03, Dan McLaughlin > wrote: > > > > In the past several weeks, we've been dealing with what seems to be a > > denial of service attack against our site. We were seeing similar > messages > > in our logs before Apache became unresponsive. I contributed it to > > the HTTP/2 Rapid Reset Exploit because we ran 2.4.57 then. Last week, I > > upgraded to 2.4.58, but we were hit again today. In this case, these > > messages started about 48 hours ago until the httpd process finally > became > > unresponsive. There wasn't a single request in the access logs from this > > source IP, just these repeated messages in the error log. Besides > > blocking the IP, can I change any settings to protect against this? > Maybe > > a mod_qos configuration? > > > > [Mon Nov 13 13:25:49.099207 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:26:49.102423 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:27:49.105261 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:28:49.108454 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:29:49.110794 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:30:49.113728 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:31:49.116023 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:32:49.119196 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:33:49.122450 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:34:49.124970 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:35:49.127724 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:36:49.130275 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:37:49.133470 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:38:49.136233 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:39:49.138935 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:40:49.141993 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:41:49.144710 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:42:49.147057 2023] [http2:warn] [pid 124004:tid 492] > [client > > 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, > > scheduled=1, ready=0, out_buffer=0 > > [Mon Nov 13 13:43:49.150223 2023] [http2
Session Cookie Logging
Does anyone know what class we would crank the log level up to see why Tomcat would ignore cookie-config in our web.xml? We are using Tomcat 10.1.18. Our app WAR is named secure#Foo.war. We've always depended on the name of the WAR to name the Context Path/Name. The only reason I'm messing with this is because we can't get the cookie path to be anything other than /. We gave up trying to use the cookie settings in the context.xml since we couldn't get the sessionCookiePath to use our cookie path /secure/Foo. No matter what we tried, the cookie path was always /. This is what our context.xml looked like before we moved to trying to use the web.xml cookie-config. Since setting the cookie path wasn't working using the context.xml, we removed all the cookie settings except for the CookieProcessor so we could set sameSite, and we moved to trying to use the cookie-config in web.xml. In our web.xml, we have default-context-path at the top, and we have session-config at the bottom. Everything is in the order defined in the xsd. /secure/Foo 30 __Host-JSESSIONID /secure/Foo Session Cookie true true -1 COOKIE When we try to use the web.xml to set the cookie it's even worse than with the context.xml, with the context.xml we at least got a cookie, now we don't get a cookie set at all. I've tried with autodeploy off/on and deployonstartup off/on. Now I just want to crank up log levels to see what's going on. -- Thanks, Dan -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: Session Cookie Logging
Which one wins the catalina-base/conf/web.xml or the Webapp/WEB-INF/web.xml. I just noticed that the one under catalina base contains: 30 Or do they get merged? Thanks, Dan On Thu, Jan 25, 2024 at 7:00 PM Dan McLaughlin wrote: > Does anyone know what class we would crank the log level up to see why > Tomcat would ignore cookie-config in our web.xml? > > We are using Tomcat 10.1.18. Our app WAR is named secure#Foo.war. We've > always depended on the name of the WAR to name the Context Path/Name. > > The only reason I'm messing with this is because we can't get the cookie > path to be anything other than /. We gave up trying to use the cookie > settings in the context.xml since we couldn't get the sessionCookiePath to > use our cookie path /secure/Foo. No matter what we tried, the cookie path > was always /. > > This is what our context.xml looked like before we moved to trying to use > the web.xml cookie-config. > > privileged="false" > unpackWAR="true" > swallowOutput="true" > clearReferencesHttpClientKeepAliveThread="true" > clearReferencesStopThreads="false" > clearReferencesStopTimerThreads="true" > clearReferencesObjectStreamClassCaches="true" > clearReferencesRmiTargets="true" > clearReferencesThreadLocals="true" > renewThreadsWhenStoppingContext="true" > antiResourceLocking="false" > skipMemoryLeakChecksOnJvmShutdown="false" > copyXML="false" > unloadDelay="1" > useNaming="false" > sessionCookieName="__Host-JSESSIONID" > sessionCookiePath="/secure/Foo" > useHttpOnly="true" > cookies="true" > logEffectiveWebXml="false"> > > > > Since setting the cookie path wasn't working using the context.xml, we > removed all the cookie settings except for the CookieProcessor so we could > set sameSite, and we moved to trying to use the cookie-config in web.xml. > > In our web.xml, we have default-context-path at the top, and we have > session-config at the bottom. Everything is in the order defined in the xsd. > > /secure/Foo > > > 30 > > __Host-JSESSIONID > /secure/Foo > Session Cookie > true > true > -1 > > COOKIE > > > When we try to use the web.xml to set the cookie it's even worse than with > the context.xml, with the context.xml we at least got a cookie, now we > don't get a cookie set at all. > > I've tried with autodeploy off/on and deployonstartup off/on. > > Now I just want to crank up log levels to see what's going on. > > > -- > > Thanks, > > Dan > -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: Session Cookie Logging
I think I just figured it out. __Host- doesn't allow for setting a path to anything other than /. It would have been nice if Tomcat would have logged an error instead of silently failing, or forcing the path to / and not saying anything. That would have saved me a ton of time. -- Thanks, Dan On Thu, Jan 25, 2024 at 7:27 PM Dan McLaughlin wrote: > Which one wins the catalina-base/conf/web.xml or the > Webapp/WEB-INF/web.xml. > > I just noticed that the one under catalina base contains: > > > 30 > > > Or do they get merged? > > Thanks, > > Dan > > On Thu, Jan 25, 2024 at 7:00 PM Dan McLaughlin wrote: > >> Does anyone know what class we would crank the log level up to see why >> Tomcat would ignore cookie-config in our web.xml? >> >> We are using Tomcat 10.1.18. Our app WAR is named secure#Foo.war. We've >> always depended on the name of the WAR to name the Context Path/Name. >> >> The only reason I'm messing with this is because we can't get the cookie >> path to be anything other than /. We gave up trying to use the cookie >> settings in the context.xml since we couldn't get the sessionCookiePath to >> use our cookie path /secure/Foo. No matter what we tried, the cookie path >> was always /. >> >> This is what our context.xml looked like before we moved to trying to use >> the web.xml cookie-config. >> >> > privileged="false" >> unpackWAR="true" >> swallowOutput="true" >> clearReferencesHttpClientKeepAliveThread="true" >> clearReferencesStopThreads="false" >> clearReferencesStopTimerThreads="true" >> clearReferencesObjectStreamClassCaches="true" >> clearReferencesRmiTargets="true" >> clearReferencesThreadLocals="true" >> renewThreadsWhenStoppingContext="true" >> antiResourceLocking="false" >> skipMemoryLeakChecksOnJvmShutdown="false" >> copyXML="false" >> unloadDelay="1" >> useNaming="false" >> sessionCookieName="__Host-JSESSIONID" >> sessionCookiePath="/secure/Foo" >> useHttpOnly="true" >> cookies="true" >> logEffectiveWebXml="false"> >> >> >> >> Since setting the cookie path wasn't working using the context.xml, we >> removed all the cookie settings except for the CookieProcessor so we could >> set sameSite, and we moved to trying to use the cookie-config in web.xml. >> >> In our web.xml, we have default-context-path at the top, and we have >> session-config at the bottom. Everything is in the order defined in the xsd. >> >> /secure/Foo >> >> >> 30 >> >> __Host-JSESSIONID >> /secure/Foo >> Session Cookie >> true >> true >> -1 >> >> COOKIE >> >> >> When we try to use the web.xml to set the cookie it's even worse than >> with the context.xml, with the context.xml we at least got a cookie, now we >> don't get a cookie set at all. >> >> I've tried with autodeploy off/on and deployonstartup off/on. >> >> Now I just want to crank up log levels to see what's going on. >> >> >> -- >> >> Thanks, >> >> Dan >> > -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: Session Cookie Logging
To give more context we originally moved to use __Host-JSESSIONID but were seeing issues with the cookie getting overwritten when switching between application contexts on the same host. I thought the routeid would play a part in keeping the session cookies separate, but the browsers apparently don't care. So we are moving to using __Secure- instead. -- Thanks, Dan On Thu, Jan 25, 2024 at 9:29 PM Dan McLaughlin wrote: > I think I just figured it out. __Host- doesn't allow for setting a path to > anything other than /. > > It would have been nice if Tomcat would have logged an error instead of > silently failing, or forcing the path to / and not saying anything. That > would have saved me a ton of time. > > -- > > Thanks, > > Dan > > On Thu, Jan 25, 2024 at 7:27 PM Dan McLaughlin wrote: > >> Which one wins the catalina-base/conf/web.xml or the >> Webapp/WEB-INF/web.xml. >> >> I just noticed that the one under catalina base contains: >> >> >> 30 >> >> >> Or do they get merged? >> >> Thanks, >> >> Dan >> >> On Thu, Jan 25, 2024 at 7:00 PM Dan McLaughlin wrote: >> >>> Does anyone know what class we would crank the log level up to see why >>> Tomcat would ignore cookie-config in our web.xml? >>> >>> We are using Tomcat 10.1.18. Our app WAR is named secure#Foo.war. We've >>> always depended on the name of the WAR to name the Context Path/Name. >>> >>> The only reason I'm messing with this is because we can't get the cookie >>> path to be anything other than /. We gave up trying to use the cookie >>> settings in the context.xml since we couldn't get the sessionCookiePath to >>> use our cookie path /secure/Foo. No matter what we tried, the cookie path >>> was always /. >>> >>> This is what our context.xml looked like before we moved to trying to >>> use the web.xml cookie-config. >>> >>> >> privileged="false" >>> unpackWAR="true" >>> swallowOutput="true" >>> clearReferencesHttpClientKeepAliveThread="true" >>> clearReferencesStopThreads="false" >>> clearReferencesStopTimerThreads="true" >>> clearReferencesObjectStreamClassCaches="true" >>> clearReferencesRmiTargets="true" >>> clearReferencesThreadLocals="true" >>> renewThreadsWhenStoppingContext="true" >>> antiResourceLocking="false" >>> skipMemoryLeakChecksOnJvmShutdown="false" >>> copyXML="false" >>> unloadDelay="1" >>> useNaming="false" >>> sessionCookieName="__Host-JSESSIONID" >>> sessionCookiePath="/secure/Foo" >>> useHttpOnly="true" >>> cookies="true" >>> logEffectiveWebXml="false"> >>> >>> >>> >>> Since setting the cookie path wasn't working using the context.xml, we >>> removed all the cookie settings except for the CookieProcessor so we could >>> set sameSite, and we moved to trying to use the cookie-config in web.xml. >>> >>> In our web.xml, we have default-context-path at the top, and we have >>> session-config at the bottom. Everything is in the order defined in the xsd. >>> >>> /secure/Foo >>> >>> >>> 30 >>> >>> __Host-JSESSIONID >>> /secure/Foo >>> Session Cookie >>> true >>> true >>> -1 >>> >>> COOKIE >>> >>> >>> When we try to use the web.xml to set the cookie it's even worse than >>> with the context.xml, with the context.xml we at least got a cookie, now we >>> don't get a cookie set at all. >>> >>> I've tried with autodeploy off/on and deployonstartup off/on. >>> >>> Now I just want to crank up log levels to see what's going on. >>> >>> >>> -- >>> >>> Thanks, >>> >>> Dan >>> >> -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: Session Cookie Logging
Well, so much for that theory. __Secure-JSESSIONID still sets the sessionCookiePath to /. I even removed the entire session-config from the web.xml and turned on copyXML to extract the secure#Foo.xml out to the conf/Catalina/localhost folder. Based on the documentation, if I don't set sessionCookiePath in the context.xml and it's not set by the webapp, which I've confirmed it's not, then the cookie path should be set to the context path. I know the contact path is correct because I can load the application at /secure/Foo just fine. Not sure what's changed in the latest release of Tomcat 10.1, but this has never been an issue in the past that I'm aware of. What seems to work is not to try to set any cookie-config settings in the web.xml or any of the session cookie settings in the context.xml, and leave the OOB CookieProcessor. I'm pretty sure that works fine, and it configures the default JSESSIONID using the context path as the cookie path. At least it does in my local Docker environment. Anyway, I'd appreciate any pointers if anyone else has any ideas. My next step is to try rolling back the Tomcat versions to find when the behavior changed. -- Thanks, Dan On Thu, Jan 25, 2024 at 9:42 PM Dan McLaughlin wrote: > To give more context we originally moved to use __Host-JSESSIONID but were > seeing issues with the cookie getting overwritten when switching between > application contexts on the same host. I thought the routeid would play a > part in keeping the session cookies separate, but the browsers apparently > don't care. So we are moving to using __Secure- instead. > > -- > > Thanks, > > Dan > > > On Thu, Jan 25, 2024 at 9:29 PM Dan McLaughlin wrote: > >> I think I just figured it out. __Host- doesn't allow for setting a path >> to anything other than /. >> >> It would have been nice if Tomcat would have logged an error instead of >> silently failing, or forcing the path to / and not saying anything. That >> would have saved me a ton of time. >> >> -- >> >> Thanks, >> >> Dan >> >> On Thu, Jan 25, 2024 at 7:27 PM Dan McLaughlin wrote: >> >>> Which one wins the catalina-base/conf/web.xml or the >>> Webapp/WEB-INF/web.xml. >>> >>> I just noticed that the one under catalina base contains: >>> >>> >>> 30 >>> >>> >>> Or do they get merged? >>> >>> Thanks, >>> >>> Dan >>> >>> On Thu, Jan 25, 2024 at 7:00 PM Dan McLaughlin wrote: >>> >>>> Does anyone know what class we would crank the log level up to see why >>>> Tomcat would ignore cookie-config in our web.xml? >>>> >>>> We are using Tomcat 10.1.18. Our app WAR is named secure#Foo.war. >>>> We've always depended on the name of the WAR to name the Context Path/Name. >>>> >>>> The only reason I'm messing with this is because we can't get the >>>> cookie path to be anything other than /. We gave up trying to use the >>>> cookie settings in the context.xml since we couldn't get the >>>> sessionCookiePath to use our cookie path /secure/Foo. No matter what we >>>> tried, the cookie path was always /. >>>> >>>> This is what our context.xml looked like before we moved to trying to >>>> use the web.xml cookie-config. >>>> >>>> >>> privileged="false" >>>> unpackWAR="true" >>>> swallowOutput="true" >>>> clearReferencesHttpClientKeepAliveThread="true" >>>> clearReferencesStopThreads="false" >>>> clearReferencesStopTimerThreads="true" >>>> clearReferencesObjectStreamClassCaches="true" >>>> clearReferencesRmiTargets="true" >>>> clearReferencesThreadLocals="true" >>>> renewThreadsWhenStoppingContext="true" >>>> antiResourceLocking="false" >>>> skipMemoryLeakChecksOnJvmShutdown="false" >>>> copyXML="false" >>>> unloadDelay="1" >>>> useNaming="false" >>>> sessionCookieName="__Host-JSESSIONID" >>>> sessionCookiePath="/secure/Foo" >>>> useHttpOnly="true" >>>> cookies="true" >>>> logEffectiveWebXml="false"> >>>> >>>> >>>> >>>> Since setting the cookie path wasn't working using the cont
Re: Session Cookie Logging
Hey Konstantin, Thanks for the reply. I synced the source last night. I haven't had a chance to step through with a debugger yet. But the only way I could get the Cookie Path set was to modify the context.xml and add sessionCookiePath to every application. I'm pretty sure this wasn't how things worked in the past. And the documentation even states (or how I interpret it) that the cookie path should default to the context path if cookie path isn't set by the app or in the context.xml. We don't set it anywhere in our code that I could find, and it's not in our web.xml either. I also checked the server.xml and context.xml in catalina base, and nothing sets anything related to the session cookie. Locally in docker, I could confirm that if you don't set anything except the cookie processor, then you end up with a JSESSIONID with a cookie path that is the same as the context if it's not the root context. But if you try to set sessionCookie in the context.xml for the app to _Secure-JSESSIONID and you don't set the sessionCookiePath, then your cookie path will be / regardless of what the context path is. Seems like a bug to me. If I have time to try some more tests and can confirm the same using the examples web app, then I'll open a bug. We do set privileged="false" in our context.xml so the only thing I can think of is that the cookie processor or whatever code is managing the cookies is blocked from calling the api's needed to check the context path and so it defaults to /. Anyway, I'd have to do quite a bit more testing before I'd feel comfortable opening a bug, but there looks to be changes in the areas related to Sessions and Cookies lately, so I'm guessing at this point that one of those changes introduced a behavior change. -- Thanks, Dan On Fri, Jan 26, 2024 at 2:36 AM Konstantin Kolinko wrote: > пт, 26 янв. 2024 г. в 04:01, Dan McLaughlin : > > > > Does anyone know what class we would crank the log level up to see why > > Tomcat would ignore cookie-config in our web.xml? > > > > We are using Tomcat 10.1.18. Our app WAR is named secure#Foo.war. We've > > always depended on the name of the WAR to name the Context Path/Name. > > > > The only reason I'm messing with this is because we can't get the cookie > > path to be anything other than /. We gave up trying to use the cookie > > settings in the context.xml since we couldn't get the sessionCookiePath > to > > use our cookie path /secure/Foo. No matter what we tried, the cookie path > > was always /. > > > > This is what our context.xml looked like before we moved to trying to use > > the web.xml cookie-config. > > > > > privileged="false" > > unpackWAR="true" > > swallowOutput="true" > > clearReferencesHttpClientKeepAliveThread="true" > > clearReferencesStopThreads="false" > > clearReferencesStopTimerThreads="true" > > clearReferencesObjectStreamClassCaches="true" > > clearReferencesRmiTargets="true" > > clearReferencesThreadLocals="true" > > renewThreadsWhenStoppingContext="true" > > antiResourceLocking="false" > > skipMemoryLeakChecksOnJvmShutdown="false" > > copyXML="false" > > unloadDelay="1" > > useNaming="false" > > sessionCookieName="__Host-JSESSIONID" > > sessionCookiePath="/secure/Foo" > > useHttpOnly="true" > > cookies="true" > > logEffectiveWebXml="false"> > > > > > > > > Since setting the cookie path wasn't working using the context.xml, we > > removed all the cookie settings except for the CookieProcessor so we > could > > set sameSite, and we moved to trying to use the cookie-config in web.xml. > > > > In our web.xml, we have default-context-path at the top, and we have > > session-config at the bottom. Everything is in the order defined in the > xsd. > > > > /secure/Foo > > > > > > 30 > > > > __Host-JSESSIONID > > /secure/Foo > > Session Cookie > > true > > true > > -1 > > > > COOKIE > > > > > > When we try to use the web.xml to set the cookie it's even worse than > with > > the context.xml, with the context.xml we at least got a cookie, now we > > don't get a cookie set at all. > > > > I've tried with autodeploy off/on and deployonstartup off/on. > > > > Now I just want to crank up l
Re: Session Cookie Logging
Hey Mark,
If you see a bug report, then that will mean I was able to reproduce it. I
see different behaviors in our local docker environment. Still, it's
nowhere as complex as our production environment--where everything is
clustered and behind load balancers, etc... It probably would be easier
for me to reproduce in our pre-prod environment and attach a debugger to
see where the / is coming from.
I glanced at the code, and SessionConfig is the only place setting the
CookiePath to / might happen. Would you agree?
} else {
// Only handle special case of ROOT context where cookies require a
// path of '/' but the servlet spec uses an empty string
if (contextPath.length() == 0) {
contextPath = "/";
}
}
--
Thanks,
Dan
On Sat, Jan 27, 2024 at 12:12 AM Mark Thomas wrote:
> On 26/01/2024 22:22, Dan McLaughlin wrote:
> > Hey Konstantin,
> >
> > Thanks for the reply.
> >
> > I synced the source last night. I haven't had a chance to step through
> with
> > a debugger yet. But the only way I could get the Cookie Path set was to
> > modify the context.xml and add sessionCookiePath to every application.
> I'm
> > pretty sure this wasn't how things worked in the past. And the
> > documentation even states (or how I interpret it) that the cookie path
> > should default to the context path if cookie path isn't set by the app or
> > in the context.xml. We don't set it anywhere in our code that I could
> find,
> > and it's not in our web.xml either. I also checked the server.xml and
> > context.xml in catalina base, and nothing sets anything related to the
> > session cookie.
> >
> > Locally in docker, I could confirm that if you don't set anything except
> > the cookie processor, then you end up with a JSESSIONID with a cookie
> path
> > that is the same as the context if it's not the root context. But if you
> > try to set sessionCookie in the context.xml for the app to
> > _Secure-JSESSIONID and you don't set the sessionCookiePath, then your
> > cookie path will be / regardless of what the context path is.
>
> I have tested this with a clean build of both 10.1.x and 11.0.x and both
> correctly set the path to "/examples" when I open the Servlet session
> example in the examples app with sessionCookieName="_Secure-JSESSIONID".
>
> > Seems like a
> > bug to me. If I have time to try some more tests and can confirm the same
> > using the examples web app, then I'll open a bug. We do
> > set privileged="false" in our context.xml so the only thing I can think
> of
> > is that the cookie processor or whatever code is managing the cookies is
> > blocked from calling the api's needed to check the context path and so it
> > defaults to /.
>
> Nope. Cookie processing doesn't require privileged.
>
> > Anyway, I'd have to do quite a bit more testing before I'd feel
> comfortable
> > opening a bug, but there looks to be changes in the areas related to
> > Sessions and Cookies lately, so I'm guessing at this point that one of
> > those changes introduced a behavior change.
>
> There have been a few changes but nothing that is likely to affect this.
> I don't recall any changes that touched cookie paths in a long time.
>
> This looks like an app issue (or an issue in a library the app uses) to
> me at the moment.
>
> If you are able to reproduce this on a clean install of the latest
> 10.1.x release (or any other currently supported version) I'd be happy
> to take another look. All we'd need would be the steps to recreate the
> issue from the clean install.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
--
*NOTICE:* This e-mail message and all attachments transmitted with
it are for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure, or distribution is strictly prohibited. The contents of this
e-mail are confidential and may be subject to work product privileges. If
you are not the intended recipient, please contact the sender by reply
e-mail and destroy all copies of the original message.
Re: Session Cookie Logging
Hey Mark,
I was able to identify the problem - there was a session configuration with
cookie configuration in the catalina-base/web.xml file.
I just wanted to suggest that it would be great if logging could be enabled
to show not only what the parameters were set to, but also where the
values came from. It seems like the sessionCookiePath could be resolved in
many ways, such as from the filename of the war, context.xml file name, the
sessionCookiePath, the cookie-config under the web.xml file in the
catalina-base/conf directory or from the web.xml packaged in the WAR. I
haven't had a chance to look at the logic in the Apache code, but this
would be a helpful addition and would have saved a lot of time trying to
debug where the value came from.
--
Thanks,
Dan
On Thu, Feb 1, 2024 at 10:31 AM Mark Thomas wrote:
>
>
> On 27/01/2024 14:38, Dan McLaughlin wrote:
> > Hey Mark,
> >
> > If you see a bug report, then that will mean I was able to reproduce
> it. I
> > see different behaviors in our local docker environment. Still, it's
> > nowhere as complex as our production environment--where everything is
> > clustered and behind load balancers, etc... It probably would be easier
> > for me to reproduce in our pre-prod environment and attach a debugger to
> > see where the / is coming from.
> >
> > I glanced at the code, and SessionConfig is the only place setting the
> > CookiePath to / might happen. Would you agree?
> >
> > } else {
> > // Only handle special case of ROOT context where cookies require a
> > // path of '/' but the servlet spec uses an empty string
> > if (contextPath.length() == 0) {
> > contextPath = "/";
> > }
>
> There are other places such as the RewriteValve. I think debugging is
> your best option here.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
--
*NOTICE:* This e-mail message and all attachments transmitted with
it are for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure, or distribution is strictly prohibited. The contents of this
e-mail are confidential and may be subject to work product privileges. If
you are not the intended recipient, please contact the sender by reply
e-mail and destroy all copies of the original message.
Tomcat Manager 403's with LDAP Realm
We've had the same LDAP realm configured for probably 10 years, and the same roles in our LDAP for probably the same. We have 4 roles configured in LDAP manager-gui, manager-jmx, manager-script, and manager-status. My user only has the manager-gui role. Everything has worked fine up until about the time we moved to Tomcat 10.1. Now, I can log in just fine, but if I try to click stop, start, reload, or undeploy, I always get a 403. I don't see any errors in the logs telling me why. Does anyone have pointers on debugging this? My user only has the manager-gui role; the only users with the JMX or script roles are the users I use for Nagios monitoring of JMX parameters. FYI... I can't reproduce it using Tomcat 10.1 running in docker using the same LDAP realm configuration, so that tells me it has nothing to do with the roles not being correct...and they should be correct since they haven't changed since I set things up probably 10 years ago. The only change has been the upgrade of Tomcat. Could CSRF somehow be involved? It might be about when CSRF was introduced that I started having issues. I haven't tried removing the filter yet, only because it really doesn't seem related based on my understanding of how the filter works. If someone knows the specific packages, I might want to bump up the logging on; that would probably be most helpful at this point. Cheers! Dan -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
9.0.70 / 9.0.71 regression?
Are there any known regressions / open issues with 9.0.70 or 9.0.71 that could cause something like the below? We encountered a very odd issue today, where after upgrading the version of spring-boot for one of our rest microservices (and getting a newer tomcat) it stopped processing our calls properly. But only when it was deployed in an env where the requests were going thru a SSO authentication layer first, and having a number of extra headers added to the request. When we tested locally, in an env without the SSO filtering, we didn't see the issue. It was a very odd problem, it presented to the end user as simply getting 404 errors back from the service. Tomcat was indeed sending 404 errors - but our integrated monitoring (datadog) was not even showing us the proper requests coming in - instead, each request that arrived came across with some partial (random) URL, which then didn't match any of our services, and was sent back as a 404. We haven't yet done any further debugging about where in the tomcat stack the request was being completely corrupted. I also haven't isolated if it was 9.0.71 or 9.0.70 - 9.0.69 works, and 9.0.71 fails. Thanks, Dan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 9.0.70 / 9.0.71 regression?
Thanks for updating - sorry I didn't get a chance to run it down more. I should be able to do a test in our SSO enabled env this next week with 9.0.73. Dan On 2/27/23 4:06 AM, Mark Thomas wrote: Looks like this is the issue: https://bz.apache.org/bugzilla/show_bug.cgi?id=66488 That you only see the problem when using the SSO layer is consistent with our understanding of that bug. Mark On 16/02/2023 08:37, Mark Thomas wrote: On 16/02/2023 00:42, Dan Armbrust wrote: Are there any known regressions / open issues with 9.0.70 or 9.0.71 that could cause something like the below? The closest I can think of is this: https://bz.apache.org/bugzilla/show_bug.cgi?id=66388 but it is fixed in 9.0.71 and I'd expect it to impact resource lookup (i.e.finding files on disk) but not the request URI since the URL class isn't used got processing the request URI. It would be good to track this down ASAP as we are about to start the next round of releases. Mark We encountered a very odd issue today, where after upgrading the version of spring-boot for one of our rest microservices (and getting a newer tomcat) it stopped processing our calls properly. But only when it was deployed in an env where the requests were going thru a SSO authentication layer first, and having a number of extra headers added to the request. When we tested locally, in an env without the SSO filtering, we didn't see the issue. It was a very odd problem, it presented to the end user as simply getting 404 errors back from the service. Tomcat was indeed sending 404 errors - but our integrated monitoring (datadog) was not even showing us the proper requests coming in - instead, each request that arrived came across with some partial (random) URL, which then didn't match any of our services, and was sent back as a 404. We haven't yet done any further debugging about where in the tomcat stack the request was being completely corrupted. I also haven't isolated if it was 9.0.71 or 9.0.70 - 9.0.69 works, and 9.0.71 fails. Thanks, Dan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application
Hello, This is probably a question that would be better suited for the dev list, but I thought I'd start here first. Does anyone understand the reasoning behind why Tomcat, when clustered, throws an HTTP status 404 and not a 503 when you have an application deployed but stopped or paused? What's confusing to me is why the Tomcat developers felt a 404 was an appropriate response even when Tomcat is clustered. It seems to me that a 503 would be more appropriate when Tomcat is clustered for several reasons. 1) When Tomcat is clustered, and you only have an application stopped or paused on one of the clustered nodes, it doesn't mean the request is truly unavailable; it just needs to be retried on a node where the application is running. 2) Since it's throwing a 404, that means if you don't want a stopped or paused app to cause the clustered application to become unavailable, you have to configure mod_jk fail_on_status to failover for 404s. 3) Lastly, configuring mod_jk to failover for 404s means you will never throw a 404 even when all apps are started, but a page really doesn't exist. 4) It seems to fail over for every 404 would make it very easy to create a DOS attack causing mod_jk to thrash by simply making lots of requests for pages you know don't exist. Anyways, just wondering if anyone out there understands why the decision was made that a 404 was still the appropriate status code to throw even when Tomcat is clustered. I think I understand that my only option is to failover for 404s considering the current implementation. I've looked to see if there was a configuration setting related to clustering that would allow me to change the behavior, and I couldn't find one; the only solution seems to be to write a custom listener that detects that an application is deployed but stopped or paused, and then throw a 503 instead. I asked ChatPGT what it thought about all this, and here is what it had to say... *"Your points are absolutely valid and they highlight some of the challenges with using a 404 status for situations where a web application is stopped or paused in a clustered environment. A 503 status would indeed be more semantically appropriate in these situations as it more accurately indicates that the service is temporarily unavailable rather than the resource being not found.* *1) As you correctly pointed out, in a clustered environment, a stopped or paused application on one node does not necessarily mean that the requested resource is not available. It could simply be that the resource needs to be requested from a different node where the application is running.2) Configuring `mod_jk` to failover on 404 errors can help in these situations, but it comes with the drawback of treating all 404 errors as potential failover triggers, which may not always be appropriate or efficient.3) If `mod_jk` is configured to failover on 404 errors, then, as you mentioned, a true 404 error (where a page really does not exist across all nodes) would not be surfaced to the client. Instead, `mod_jk` would keep trying to find a node that can handle the request, potentially wasting resources.4) Lastly, you're right that this setup could potentially be exploited for a denial of service (DoS) attack. An attacker could generate a large number of requests for non-existent pages, causing `mod_jk` to constantly attempt failovers and use up system resources.In an ideal world, Tomcat would provide a more nuanced way to differentiate between these scenarios and return a 503 status when an application is stopped or paused, especially in a clustered environment. However, as of my knowledge cutoff in September 2021, this is not the case. I'm not aware of the specific reasons why the Tomcat developers chose to use a 404 status for these situations, but it's possible that it was a simpler option to implement and it met the needs of most users at the time.The custom Valve solution discussed earlier could potentially help address these challenges by allowing you to control the error status that Tomcat returns based on the specific state of the application and server. But this does require additional custom development and testing.This is certainly an interesting topic, and I appreciate your insights. Let me know if you have any further questions or thoughts!"* -- Thanks, Dan -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application
Hey Mark, Thanks for the information and quick response! The typical use case is either during a hot redeployment of an application; we don't use the application context versions only because we had issues with it in the past, but the last time I tried it was years ago. If I remember correctly, the problems might have been classloader issues or related to JMX conflicts. For that reason, we redeploy using the same context and version. When the redeployment happens using the same context version, there is a small window where the app is stopped during the redeployment. The other case is on rare occasions, we will need to stop just one application deployed on a Tomcat node to troubleshoot something where clustering is making it more difficult to debug. We don't want to take down all the apps or the entire Tomcat node because we need it to handle the load. We don't hot deploy often, so it's not a huge issue, and even more rarely do we run into issues in production where we need to stop just one app, but it has happened. It would just be nice not to have to go tell mod_jk that a node was down for an application or have to stop Tomcat to get it to not send requests to a stopped app, if it was stopped and threw a 503 it would just happen. The only reason I even looked at this is that I've been tasked with implementing a comprehensive solution for handling all the different error conditions properly and displaying the proper error pages. We are also implementing a way to put all our applications in a "Down for Maintenance Mode" without having to stop them and that can be scheduled at the individual application level. I'll look at using a valve if we decide it's a big enough issue. Thanks again for the explanation! Dan On Wed, Jun 14, 2023 at 2:32 PM Mark Thomas wrote: > On 14/06/2023 19:49, Dan McLaughlin wrote: > > Hello, > > > > This is probably a question that would be better suited for the dev list, > > but I thought I'd start here first. > > That depends. It is generally better to start on the users list. > > > Does anyone understand the reasoning behind why Tomcat, when clustered, > > throws an HTTP status 404 and not a 503 when you have an application > > deployed but stopped or paused? > > The issue you describe only affects stopped applications. If an > application is paused then any requests to that application should be > held until the application is unpaused (or the client timeouts out). > > The current Tomcat Mapper dates back to at least Tomcat 4. It might be > earlier but I don't know the Tomcat 3 code well enough to find the > Tomcat 3 mapping code in the web interface and I'm not curious enough to > check the code out so I can use grep. > > The clustering implementation dates back to Tomcat 5. > > You'll need to dig through the archives to see if this topic was ever > raised and, if it was, the result of that discussion. Probably around > the time clustering was added. > > > I think I understand that my only option is to > > failover for 404s considering the current implementation. > > That might cause problems. If the node returning 404 is marked as down > you'll have a DoS vulnerability that is trivial to exploit. > > > I've looked to > > see if there was a configuration setting related to clustering that would > > allow me to change the behavior, and I couldn't find one; the only > solution > > seems to be to write a custom listener that detects that an application > is > > deployed but stopped or paused, and then throw a 503 instead. > > That would be a better short-term solution and fairly simple to write. > I'd probably do it as a Valve as you'll get access to Tomcat's internals > that way. > > The clustering implementation generally assumes that all applications > are available on all nodes. If that isn't the case I wouldn't be > surprised to see log messages indicating issues with replication. > > What is the use case for stopping one (or more) web applications on a node? > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Words of Wisdom re: Context Versioning - Parallel Deployment
Does anyone have any advice on implementing Context Versioning (parallel deployment) in Tomcat? It seems to have been a feature for quite some time. Is it stable? What are the typical issues people run into? JMX issues? Classloader issues? I've tried to do a parallel deployment with our applications as they exist today, and I can already see a few problems we'd have to address. 1) We have a concept of a workdir where we will extract configuration-related properties files, XML, etc... on initial start-up; the workdir also contains working files related to things like XA transaction logs and application-specific logging. We'd probably need to append the context version to our workdir path so that each version can have separate application logs, configuration settings, etc... 2) We use JMX MBeans throughout our apps to allow real-time configuration of our applications. Since our apps weren't originally developed with parallel deployment in mind, so a parallel deployment results in two app versions trying to use the same JMX MBeans. I can see in our app logs when I try to deploy two versions, the second version will either throw an exception and fail to start because the MBean exists, or it will try to destroy and recreate the MBean--which could cause issues if it changes a setting that the first version of the app depended on. I assume we will need to fix all our code to somehow version the MBeans so there aren't conflicts. 3) Do third-party dependencies that use JMX pose any issues? We use jgroups and log4j2. Both create their own mbeans, but it seems we have control over the names they use. Do you know if there are any other issues we need to consider? Words of wisdom? Thanks! Dan -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application
So I tried to create a Valve to check to see if the application is stopped
and convert the 404 response to a 503, but I haven't had any luck getting
it to work. Is there another internal API that I should be using?
context.getState().isAvailable
ways seems to report the app is available even though it's stopped.
import org.apache.catalina.*;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import jakarta.servlet.ServletException;
import java.io.IOException;
import java.util.logging.Logger;
import java.util.logging.Level;
public class DownForMaintenanceValve extends ValveBase {
// Create a Logger
private static final Logger log = Logger.getLogger(DownForMaintenanceValve.
class.getName());
public DownForMaintenanceValve() {
log.info("DownForMaintenanceValve started");
}
@Override
public void invoke(Request request, Response response) throws
IOException, ServletException
{
Context context = request.getContext();
if (!context.getState().isAvailable()) {
log.info("Application is not available, sending 503");
response.sendError(503);
} else {
log.fine("Application is available, passing to next valve");
getNext().invoke(request, response);
}
}
}
--
Thanks,
Dan
On Wed, Jun 14, 2023 at 2:32 PM Mark Thomas wrote:
> On 14/06/2023 19:49, Dan McLaughlin wrote:
> > Hello,
> >
> > This is probably a question that would be better suited for the dev list,
> > but I thought I'd start here first.
>
> That depends. It is generally better to start on the users list.
>
> > Does anyone understand the reasoning behind why Tomcat, when clustered,
> > throws an HTTP status 404 and not a 503 when you have an application
> > deployed but stopped or paused?
>
> The issue you describe only affects stopped applications. If an
> application is paused then any requests to that application should be
> held until the application is unpaused (or the client timeouts out).
>
> The current Tomcat Mapper dates back to at least Tomcat 4. It might be
> earlier but I don't know the Tomcat 3 code well enough to find the
> Tomcat 3 mapping code in the web interface and I'm not curious enough to
> check the code out so I can use grep.
>
> The clustering implementation dates back to Tomcat 5.
>
> You'll need to dig through the archives to see if this topic was ever
> raised and, if it was, the result of that discussion. Probably around
> the time clustering was added.
>
> > I think I understand that my only option is to
> > failover for 404s considering the current implementation.
>
> That might cause problems. If the node returning 404 is marked as down
> you'll have a DoS vulnerability that is trivial to exploit.
>
> > I've looked to
> > see if there was a configuration setting related to clustering that would
> > allow me to change the behavior, and I couldn't find one; the only
> solution
> > seems to be to write a custom listener that detects that an application
> is
> > deployed but stopped or paused, and then throw a 503 instead.
>
> That would be a better short-term solution and fairly simple to write.
> I'd probably do it as a Valve as you'll get access to Tomcat's internals
> that way.
>
> The clustering implementation generally assumes that all applications
> are available on all nodes. If that isn't the case I wouldn't be
> surprised to see log messages indicating issues with replication.
>
> What is the use case for stopping one (or more) web applications on a node?
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
--
*NOTICE:* This e-mail message and all attachments transmitted with
it are for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure, or distribution is strictly prohibited. The contents of this
e-mail are confidential and may be subject to work product privileges. If
you are not the intended recipient, please contact the sender by reply
e-mail and destroy all copies of the original message.
Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application
When I attach with a debugger, I can see what's causing it not to
work. When the Web Application is started, then
request.getContext(); returns the correct Web Application context, but
when the application is stopped, request.getContext(); returns the
ROOT context, which is up, so the 404 is passed on. Why would
request.getContext(); return ROOT if that wasn't the requested
context? Is this a bug?
--
Thanks,
Dan
--
Thanks,
Dan McLaughlin
DJAB Enterprises, LLC
d...@djabenterprises.com
mobile: 512.633.8086
NOTICE: This e-mail message and all attachments transmitted with it
are for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is strictly prohibited. The contents of
this e-mail are confidential and may be subject to work product
privileges. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.
On Tue, Jun 20, 2023 at 9:41 AM Dan McLaughlin wrote:
>
> So I tried to create a Valve to check to see if the application is stopped
> and convert the 404 response to a 503, but I haven't had any luck getting it
> to work. Is there another internal API that I should be using?
> context.getState().isAvailable ways seems to report the app is available even
> though it's stopped.
> import org.apache.catalina.*;
> import org.apache.catalina.connector.Request;
> import org.apache.catalina.connector.Response;
> import org.apache.catalina.valves.ValveBase;
>
> import jakarta.servlet.ServletException;
> import java.io.IOException;
> import java.util.logging.Logger;
> import java.util.logging.Level;
>
> public class DownForMaintenanceValve extends ValveBase {
>
> // Create a Logger
> private static final Logger log =
> Logger.getLogger(DownForMaintenanceValve.class.getName());
>
> public DownForMaintenanceValve() {
> log.info("DownForMaintenanceValve started");
> }
>
> @Override
> public void invoke(Request request, Response response) throws IOException,
> ServletException {
> Context context = request.getContext();
> if (!context.getState().isAvailable()) {
> log.info("Application is not available, sending 503");
> response.sendError(503);
> } else {
> log.fine("Application is available, passing to next valve");
> getNext().invoke(request, response);
> }
> }
> }
>
>
> --
>
> Thanks,
> Dan
>
> On Wed, Jun 14, 2023 at 2:32 PM Mark Thomas wrote:
>>
>> On 14/06/2023 19:49, Dan McLaughlin wrote:
>> > Hello,
>> >
>> > This is probably a question that would be better suited for the dev list,
>> > but I thought I'd start here first.
>>
>> That depends. It is generally better to start on the users list.
>>
>> > Does anyone understand the reasoning behind why Tomcat, when clustered,
>> > throws an HTTP status 404 and not a 503 when you have an application
>> > deployed but stopped or paused?
>>
>> The issue you describe only affects stopped applications. If an
>> application is paused then any requests to that application should be
>> held until the application is unpaused (or the client timeouts out).
>>
>> The current Tomcat Mapper dates back to at least Tomcat 4. It might be
>> earlier but I don't know the Tomcat 3 code well enough to find the
>> Tomcat 3 mapping code in the web interface and I'm not curious enough to
>> check the code out so I can use grep.
>>
>> The clustering implementation dates back to Tomcat 5.
>>
>> You'll need to dig through the archives to see if this topic was ever
>> raised and, if it was, the result of that discussion. Probably around
>> the time clustering was added.
>>
>> > I think I understand that my only option is to
>> > failover for 404s considering the current implementation.
>>
>> That might cause problems. If the node returning 404 is marked as down
>> you'll have a DoS vulnerability that is trivial to exploit.
>>
>> > I've looked to
>> > see if there was a configuration setting related to clustering that would
>> > allow me to change the behavior, and I couldn't find one; the only solution
>> > seems to be to write a custom listener that detects that an application is
>> > deployed but stopped or paused, and then throw a 503 instead.
>>
>> That would be a better short-term solution and fairly simple to write.
>> I'd probably do it as a Valve as you'll get access to Tomcat's internals
>> that way.
>>
>> The clustering implementation generally assumes t
Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application
We typically don't deploy a ROOT context in our production
environments--for no other reason than making it more difficult to poke
around. I'll look at that as an option. Thanks for the tips.
--
Thanks,
Dan
On Tue, Jun 20, 2023 at 10:28 AM Mark Thomas wrote:
> On 20/06/2023 15:41, Dan McLaughlin wrote:
> > So I tried to create a Valve to check to see if the application is
> stopped
> > and convert the 404 response to a 503, but I haven't had any luck getting
> > it to work. Is there another internal API that I should be using?
> > context.getState().isAvailable
> > ways seems to report the app is available even though it's stopped.
>
> The code is looking at the wrong Context. Since the web application has
> been stopped the request won't be mapped to it. I'm guessing the request
> has been mapped to the root context which is available.
>
> You'll need to do something like:
>
> Container[] containers = request.getHost().findChildren();
> for (Container container : containers) {
> if (container.getState().isAvailable()) {
> continue;
> }
> Context context = (Context) container;
> if (request.getDecodedRequestURI().equals(context.getPath()) ||
> request.getDecodedRequestURI().startsWith(
> context.getPath() + '/')) {
> response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
> }
> }
>
> I haven't optimised this at all. It isn't particularly efficient. It is
> just to give you an idea.
>
> Actually. I have just had a much better idea. It works by taking
> advantage of the Servlet specification mapping rules which require the
> longest context path match.
>
> Lets assume you have /app1 /app2 and /app3
>
> In your ROOT web application create a maintenance Servlet that just
> returns a 503 and map it to "/app1/*" "/app2/*" and /app3/*".
>
> If app1 is running, the longest context path match rule means it will be
> mapped to /app1 and the application will handle it. If the web
> application is stopped, the request will be mapped to ROOT where it will
> match the maintenance Servlet and return a 503.
>
> The only thing that this won't work for is if you want to take the RROT
> web application out of service.
>
> Mark
>
>
> > import org.apache.catalina.*;
> > import org.apache.catalina.connector.Request;
> > import org.apache.catalina.connector.Response;
> > import org.apache.catalina.valves.ValveBase;
> >
> > import jakarta.servlet.ServletException;
> > import java.io.IOException;
> > import java.util.logging.Logger;
> > import java.util.logging.Level;
> >
> > public class DownForMaintenanceValve extends ValveBase {
> >
> > // Create a Logger
> > private static final Logger log =
> Logger.getLogger(DownForMaintenanceValve.
> > class.getName());
> >
> > public DownForMaintenanceValve() {
> > log.info("DownForMaintenanceValve started");
> > }
> >
> > @Override
> > public void invoke(Request request, Response response) throws
> > IOException, ServletException
> > {
> > Context context = request.getContext();
> > if (!context.getState().isAvailable()) {
> > log.info("Application is not available, sending 503");
> > response.sendError(503);
> > } else {
> > log.fine("Application is available, passing to next valve");
> > getNext().invoke(request, response);
> > }
> > }
> > }
> >
> >
> > --
> >
> > Thanks,
> > Dan
> >
> > On Wed, Jun 14, 2023 at 2:32 PM Mark Thomas wrote:
> >
> >> On 14/06/2023 19:49, Dan McLaughlin wrote:
> >>> Hello,
> >>>
> >>> This is probably a question that would be better suited for the dev
> list,
> >>> but I thought I'd start here first.
> >>
> >> That depends. It is generally better to start on the users list.
> >>
> >>> Does anyone understand the reasoning behind why Tomcat, when clustered,
> >>> throws an HTTP status 404 and not a 503 when you have an application
> >>> deployed but stopped or paused?
> >>
> >> The issue you describe only affects stopped applications. If an
> >> application is paused then any requests to that application should be
> >> held until the application is unpaused (or the client timeouts out).
> >>
> >> The current Tomcat Mapper dates back to at least Tomcat 4. It might be
> >> earlier but I don't know the Tomcat 3 code well enough to find the
> &
Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application
Mark,
What are your thoughts on changing the Tomcat codebase to return a 503
instead of a 404 if a context is marked as distributable or if
clustering is enabled and deployed but stopped? When I did searches
years ago on this issue, most people at the time would recommend
adding 404 to the fail_on_status, which is what we did...until I
realized that we were causing our own internal DOS attack when we had
a 404 mistakenly left in our apps; that got me thinking how easy it
would be to make mod_jk thrash by just requesting pages that didn't
exist. It's not a huge issue for us since most of our apps are
authenticated using SAML, so all requests are intercepted before the
request is ever sent to Tomcat, but for our apps that don't require
authentication, it would be easy to exploit any app that had 404 in
the fail_on_status.
--
Thanks,
Dan
On Tue, Jun 20, 2023 at 10:41 AM Dan McLaughlin
wrote:
>
> We typically don't deploy a ROOT context in our production environments--for
> no other reason than making it more difficult to poke around. I'll look at
> that as an option. Thanks for the tips.
>
> --
>
> Thanks,
> Dan
>
>
> On Tue, Jun 20, 2023 at 10:28 AM Mark Thomas wrote:
>>
>> On 20/06/2023 15:41, Dan McLaughlin wrote:
>> > So I tried to create a Valve to check to see if the application is stopped
>> > and convert the 404 response to a 503, but I haven't had any luck getting
>> > it to work. Is there another internal API that I should be using?
>> > context.getState().isAvailable
>> > ways seems to report the app is available even though it's stopped.
>>
>> The code is looking at the wrong Context. Since the web application has
>> been stopped the request won't be mapped to it. I'm guessing the request
>> has been mapped to the root context which is available.
>>
>> You'll need to do something like:
>>
>> Container[] containers = request.getHost().findChildren();
>> for (Container container : containers) {
>> if (container.getState().isAvailable()) {
>> continue;
>> }
>> Context context = (Context) container;
>> if (request.getDecodedRequestURI().equals(context.getPath()) ||
>> request.getDecodedRequestURI().startsWith(
>> context.getPath() + '/')) {
>> response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
>> }
>> }
>>
>> I haven't optimised this at all. It isn't particularly efficient. It is
>> just to give you an idea.
>>
>> Actually. I have just had a much better idea. It works by taking
>> advantage of the Servlet specification mapping rules which require the
>> longest context path match.
>>
>> Lets assume you have /app1 /app2 and /app3
>>
>> In your ROOT web application create a maintenance Servlet that just
>> returns a 503 and map it to "/app1/*" "/app2/*" and /app3/*".
>>
>> If app1 is running, the longest context path match rule means it will be
>> mapped to /app1 and the application will handle it. If the web
>> application is stopped, the request will be mapped to ROOT where it will
>> match the maintenance Servlet and return a 503.
>>
>> The only thing that this won't work for is if you want to take the RROT
>> web application out of service.
>>
>> Mark
>>
>>
>> > import org.apache.catalina.*;
>> > import org.apache.catalina.connector.Request;
>> > import org.apache.catalina.connector.Response;
>> > import org.apache.catalina.valves.ValveBase;
>> >
>> > import jakarta.servlet.ServletException;
>> > import java.io.IOException;
>> > import java.util.logging.Logger;
>> > import java.util.logging.Level;
>> >
>> > public class DownForMaintenanceValve extends ValveBase {
>> >
>> > // Create a Logger
>> > private static final Logger log = Logger.getLogger(DownForMaintenanceValve.
>> > class.getName());
>> >
>> > public DownForMaintenanceValve() {
>> > log.info("DownForMaintenanceValve started");
>> > }
>> >
>> > @Override
>> > public void invoke(Request request, Response response) throws
>> > IOException, ServletException
>> > {
>> > Context context = request.getContext();
>> > if (!context.getState().isAvailable()) {
>> > log.info("Application is not available, sending 503");
>> > response.sendError(503);
>> > } else {
>> > log.fine("Application is available,
Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application
One thing I just tested was to undeploy the ROOT context, which is how
we run anyways, and this causes request.getContext() to return null,
which with the code, as is, results in a null pointer and a 500 being
thrown--which inadvertently would cause mod_jk to retry on another
node. I don't like letting code knowingly throw null pointers, so I
was thinking of just checking if the context is null and throwing a
503. The only problem is that the valve would only work when the ROOT
context wasn't deployed, so your two other suggestions would be the
only options.
Mark,
I've been considering opening an official enhancement request to the
clustering implementation in Tomcat that would state the following...
Currently, when an application within a clustered environment is
unavailable or stopped, Tomcat returns an HTTP 404 (Not Found) status
code. While this behavior is generally acceptable in a non-clustered
environment, it can lead to less than optimal routing decisions by
load balancers within a clustered setup.
Most load balancers, including mod_jk, do not interpret a 404 status
code as an indication of application unavailability warranting a
failover. Moreover, reconfiguring load balancers to treat 404 codes as
triggers for failover could potentially expose systems to DOS attacks,
as malicious users could generate unnecessary failovers by requesting
non-existent resources.
While there are workarounds to this issue, such as creating a custom
valve to check the application status and modifying the 404 to a 503,
or using root context and servlet mappings to return a 503, these
solutions require custom implementations by the end user. This adds
complexity and is not an ideal solution.
In light of this, I propose that Tomcat should return an HTTP 503
(Service Unavailable) status code when an application is not available
in a clustered environment. The 503 code, which signifies temporary
unavailability of the application, would align more accurately with
the circumstances and could enable load balancers to make more
informed and effective routing decisions.
Thoughts?
--
Thanks,
Dan
--
Thanks,
Dan McLaughlin
Robert Clay Vineyards
Proprietor/Vigneron
d...@robertclayvineyards.com
mobile: 512.633.8086
main: 325.261.0075
https://robertclayvineyards.com
Facebook | Instagram
On Tue, Jun 20, 2023 at 10:28 AM Mark Thomas wrote:
>
> On 20/06/2023 15:41, Dan McLaughlin wrote:
> > So I tried to create a Valve to check to see if the application is stopped
> > and convert the 404 response to a 503, but I haven't had any luck getting
> > it to work. Is there another internal API that I should be using?
> > context.getState().isAvailable
> > ways seems to report the app is available even though it's stopped.
>
> The code is looking at the wrong Context. Since the web application has
> been stopped the request won't be mapped to it. I'm guessing the request
> has been mapped to the root context which is available.
>
> You'll need to do something like:
>
> Container[] containers = request.getHost().findChildren();
> for (Container container : containers) {
> if (container.getState().isAvailable()) {
> continue;
> }
> Context context = (Context) container;
> if (request.getDecodedRequestURI().equals(context.getPath()) ||
> request.getDecodedRequestURI().startsWith(
> context.getPath() + '/')) {
> response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
> }
> }
>
> I haven't optimised this at all. It isn't particularly efficient. It is
> just to give you an idea.
>
> Actually. I have just had a much better idea. It works by taking
> advantage of the Servlet specification mapping rules which require the
> longest context path match.
>
> Lets assume you have /app1 /app2 and /app3
>
> In your ROOT web application create a maintenance Servlet that just
> returns a 503 and map it to "/app1/*" "/app2/*" and /app3/*".
>
> If app1 is running, the longest context path match rule means it will be
> mapped to /app1 and the application will handle it. If the web
> application is stopped, the request will be mapped to ROOT where it will
> match the maintenance Servlet and return a 503.
>
> The only thing that this won't work for is if you want to take the RROT
> web application out of service.
>
> Mark
>
>
> > import org.apache.catalina.*;
> > import org.apache.catalina.connector.Request;
> > import org.apache.catalina.connector.Response;
> > import org.apache.catalina.valves.ValveBase;
> >
> > import jakarta.servlet.ServletException;
> > import java.io.IOException;
> > import java.uti
Re: Tomcat Clustering, Mod_JK, Fail_on_Status, Stopped Application
FYI... Here is the valve I finally came up with that seems to work.
import org.apache.catalina.*;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import jakarta.servlet.ServletException;
import java.io.IOException;
import java.util.logging.Logger;
import java.util.logging.Level;
import jakarta.servlet.http.HttpServletResponse;
public class DownForMaintenanceValve extends ValveBase {
// Create a Logger instance to log activity
private static final Logger log =
Logger.getLogger(DownForMaintenanceValve.class.getName());
// Constructor logs that the valve has been instantiated
public DownForMaintenanceValve() {
log.info("DownForMaintenanceValve started");
}
// Main method of the Valve, where the logic is implemented
@Override
public void invoke(Request request, Response response) throws
IOException, ServletException {
// Get the Context of the request
Context context = request.getContext();
// If the context is null, log an info message and send a 503 error
if (context == null) {
log.info("Context is null, sending 503");
response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
return; // Stop further execution
}
// If the context is not available, log an info message and send a 503 error
if (!context.getState().isAvailable()) {
log.info("Application is not available, sending 503");
response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
} else {
// If the context is available, get all contexts (children of the host)
Container[] containers = request.getHost().findChildren();
// Iterate over all contexts
for (Container container : containers) {
// If the current context is available, skip the rest of the loop
if (container.getState().isAvailable()) {
continue;
}
// Cast the container to Context to be able to call Context methods
context = (Context) container;
// If the request URI matches the path of the context or is a subpath
of the context,
// log an info message and send a 503 error
if (request.getDecodedRequestURI().equals(context.getPath()) ||
request.getDecodedRequestURI().startsWith(context.getPath() + '/')) {
log.info("Application is not available, sending 503");
response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
return; // Stop further execution
}
}
// If no unavailable context matching the request URI was found, log a
fine message
// and pass the request to the next Valve
log.info("Application is available, passing to next valve");
getNext().invoke(request, response);
}
}
}
--
Thanks,
Dan
On Tue, Jun 20, 2023 at 12:15 PM Dan McLaughlin
wrote:
>
> One thing I just tested was to undeploy the ROOT context, which is how
> we run anyways, and this causes request.getContext() to return null,
> which with the code, as is, results in a null pointer and a 500 being
> thrown--which inadvertently would cause mod_jk to retry on another
> node. I don't like letting code knowingly throw null pointers, so I
> was thinking of just checking if the context is null and throwing a
> 503. The only problem is that the valve would only work when the ROOT
> context wasn't deployed, so your two other suggestions would be the
> only options.
>
> Mark,
>
> I've been considering opening an official enhancement request to the
> clustering implementation in Tomcat that would state the following...
>
> Currently, when an application within a clustered environment is
> unavailable or stopped, Tomcat returns an HTTP 404 (Not Found) status
> code. While this behavior is generally acceptable in a non-clustered
> environment, it can lead to less than optimal routing decisions by
> load balancers within a clustered setup.
>
> Most load balancers, including mod_jk, do not interpret a 404 status
> code as an indication of application unavailability warranting a
> failover. Moreover, reconfiguring load balancers to treat 404 codes as
> triggers for failover could potentially expose systems to DOS attacks,
> as malicious users could generate unnecessary failovers by requesting
> non-existent resources.
>
> While there are workarounds to this issue, such as creating a custom
> valve to check the application status and modifying the 404 to a 503,
> or using root context and servlet mappings to return a 503, these
> solutions require custom implementations by the end user. This adds
> complexity and is not an ideal solution.
>
> In light of this, I propose that Tomcat should return an HTTP 503
> (Service Unavailable) status code when an application is not available
> in a clustered environment. The 503 code, which signifies temporary
> unavailability of the application, would align more accurately with
> the circumstances and could enable load balancers to make more
> informed and effective routing decisions.
&
Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
3 08:27:51.174 FINE [https-openssl-nio-x.x.x.x-18443-exec-6] org.apache.coyote.http2.Http2UpgradeHandler.startRequestBodyFrame Connection [b], Stream [23] startRequestBodyFrame returned [java.nio.HeapByteBuffer[pos=0 lim=65535 cap=65535]] 11-Jul-2023 08:27:51.174 FINE [https-openssl-nio-x.x.x.x-18443-exec-6] org.apache.coyote.http2.Stream$StandardStreamInputBuffer.onDataAvailable Data added to inBuffer when read thread is waiting. Signalling that thread to continue 11-Jul-2023 08:27:51.174 FINE [https-openssl-nio-x.x.x.x-18443-exec-8] org.apache.coyote.http2.WindowAllocationManager.notify Connection [b], Stream [23], Waiting type [0], Notify type [3] 11-Jul-2023 08:27:51.174 FINE [https-openssl-nio-x.x.x.x-18443-exec-6] org.apache.coyote.http2.Http2UpgradeHandler.upgradeDispatch Entry, Connection [b], SocketStatus [OPEN_READ] 11-Jul-2023 08:27:51.174 FINE [https-openssl-nio-x.x.x.x-18443-exec-6] org.apache.coyote.http2.Http2UpgradeHandler.init Connection [b], State [CONNECTED] 11-Jul-2023 08:27:51.174 FINE [https-openssl-nio-x.x.x.x-18443-exec-8] org.apache.coyote.http2.Stream$StandardStreamInputBuffer.swallowUnread Swallowing [13,878] bytes previously read into input stream buffer 11-Jul-2023 08:27:51.175 FINE [https-openssl-nio-x.x.x.x-18443-exec-8] org.apache.coyote.http2.Http2AsyncUpgradeHandler.writeWindowUpdate Connection [b], Sent window update to client increasing window by [13,878] bytes 11-Jul-2023 08:27:51.175 FINE [https-openssl-nio-x.x.x.x-18443-exec-6] org.apache.coyote.http2.Http2UpgradeHandler.upgradeDispatch Exit, Connection [b], SocketState [ASYNC_IO] 11-Jul-2023 08:27:51.175 FINE [https-openssl-nio-x.x.x.x-18443-exec-8] org.apache.coyote.http2.Stream.recycle Connection [b], Stream [23] has been recycled What do you think? Is there a bug here somewhere, or do we need to tweak an H2 config setting in Apache or Tomcat? -- Thanks, Dan -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
@markt I was looking over the latest release notes for 10.1.11. Any chance either of these changes could be related... - [image: Fix:] Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed resuting in a timeout rather than the expected read or write. (markt) - [image: Fix:] Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait. (markt) -- Thanks, Dan On Tue, Jul 11, 2023 at 9:43 AM Dan McLaughlin wrote: > We have many Angular applications, and we currently use Angular 15. I'm > using Apache 2.4.57 and Tomcat 10.1.10/JDK20 on Windows 2019 (don't ask). > > For several years now, I've used the following configuration without > issues. > > Angular <-H2-> Apache <-MOD_JK/AJP 1.3--> Tomcat > > This week I've been working on replacing mod_jk with mod_http2, and for > the most part, things are working, but I'm running into issues where we do > HTTP POSTs of JSON to Rest APIs. We are using Spring Framework 6.0.10. The > only things I have yet to try are upgrading to Tomcat 10.1.11 and > updating to the latest JDK20 release. We are using Amazon Corretto. > > Angular <-H2-> Apache <-MOD_HTTP2/H2--> Tomcat > > Everything seems to be working fine except for places in our apps where we > do things like a POST of JSON to a Rest API. To debug what's going on, > I've enabled dumpio on Apache, and I can see the entire JSON getting > posted. I've installed Wireshark on the backend where Tomcat is running, > and I've captured the TCP packets containing the JSON, and I can see that > the entire JSON is making it to Tomcat. When I compare the JSON in a diff > tool, the JSON is the same, so I know it's making it intact. So I enabled > FINE logging for HTTP2 on Tomcat, and I see everything looks to come > through to Tomcat fine until it hits... > > org.apache.coyote.http2.Stream$StandardStreamInputBuffer.doRead The Stream > input buffer is empty. Waiting for more data > > At this point, things hang for 20 seconds until a timeout occurs, and > Tomcat closes the connection. > > Here's the odd thing, the same post doesn't always fail. In about 1 out of > 10 attempts, the POST will succeed. When it does succeed and I compare the > HTTP2 logs in Tomcat, everything looks the same until the end of the > connection. Here are the logs showing a POST that succeeds vs. one that > fails. Is there something we should be doing in our Angular apps > differently when HTTP2 is used in place of AJP, or is this potentially a > bug? > > Success... > > 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] > org.apache.coyote.http2.Http2UpgradeHandler.updateOverheadCount Connection > [18], Stream [0], Frame type [HEADERS] resulted in new overhead count of > [-260] > 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] > org.apache.coyote.http2.Http2Parser.validateFrame Connection [18], Stream > [0], Frame type [PING], Flags [1], Payload size [8] > 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] > org.apache.coyote.http2.Http2UpgradeHandler$PingManager.receivePing > Connection [18] Round trip time measured as [11,769,300]ns > 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] > org.apache.coyote.http2.Http2Parser.validateFrame Connection [18], Stream > [13], Frame type [DATA], Flags [0], Payload size [8000] > 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] > org.apache.coyote.http2.Http2Parser.readDataFrame Connection [18], Stream > [13], Data length [8000], Padding length [none] > 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] > org.apache.coyote.http2.Http2UpgradeHandler.updateOverheadCount Connection > [18], Stream [0], Frame type [DATA] resulted in new overhead count of [-280] > 11-Jul-2023 08:51:45.428 FINE [https-openssl-nio-exec-15] > org.apache.coyote.http2.Http2UpgradeHandler.startRequestBodyFrame > Connection [18], Stream [13] startRequestBodyFrame returned > [java.nio.HeapByteBuffer[pos=0 lim=65535 cap=65535]] > 11-Jul-2023 08:51:45.428 FINE [https-openssl-nio-exec-15] > org.apache.coyote.http2.Stream$StandardStreamInputBuffer.onDataAvailable > Data added to inBuffer when read thread is waiting. Signalling that thread > to continue > 11-Jul-2023 08:51:45.428 FINE [https-openssl-nio-exec-15] > org.apache.coyote.http2.Http2Parser.validateFrame Connection [18], Stream > [13], Frame type [DATA], Flags [1], Payload size [5878] > 11-Jul-2023 08:51:45.428 FINE [https-openssl-nio-exec-15] > org.apache.coyote.http2.Http2Parser.readDataFrame Connection [18], Stream > [13], Data length [5878], Padding length
Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
I just upgraded to Tomcat 10.1.11, and it still fails. A comparison of the logs between a failed POST on 10.1.10 and 10.1.11 look slightly different, but it still fails for the same reason. I'm going to try updating the JDK and see if that helps. -- Thanks, Dan On Tue, Jul 11, 2023 at 10:32 AM Dan McLaughlin wrote: > @markt > > I was looking over the latest release notes for 10.1.11. Any chance either > of these changes could be related... > > >- [image: Fix:] Refactor blocking reads and writes for the NIO >connector to remove code paths that could allow a notification from the >Poller to be missed resuting in a timeout rather than the expected read or >write. (markt) >- [image: Fix:] Refactor waiting for an HTTP/2 stream or connection >window update to handle spurious wake-ups during the wait. (markt) > > > -- > > Thanks, > > Dan > > On Tue, Jul 11, 2023 at 9:43 AM Dan McLaughlin wrote: > >> We have many Angular applications, and we currently use Angular 15. I'm >> using Apache 2.4.57 and Tomcat 10.1.10/JDK20 on Windows 2019 (don't ask). >> >> For several years now, I've used the following configuration without >> issues. >> >> Angular <-H2-> Apache <-MOD_JK/AJP 1.3--> Tomcat >> >> This week I've been working on replacing mod_jk with mod_http2, and for >> the most part, things are working, but I'm running into issues where we do >> HTTP POSTs of JSON to Rest APIs. We are using Spring Framework 6.0.10. The >> only things I have yet to try are upgrading to Tomcat 10.1.11 and >> updating to the latest JDK20 release. We are using Amazon Corretto. >> >> Angular <-H2-> Apache <-MOD_HTTP2/H2--> Tomcat >> >> Everything seems to be working fine except for places in our apps where >> we do things like a POST of JSON to a Rest API. To debug what's going on, >> I've enabled dumpio on Apache, and I can see the entire JSON getting >> posted. I've installed Wireshark on the backend where Tomcat is running, >> and I've captured the TCP packets containing the JSON, and I can see that >> the entire JSON is making it to Tomcat. When I compare the JSON in a diff >> tool, the JSON is the same, so I know it's making it intact. So I enabled >> FINE logging for HTTP2 on Tomcat, and I see everything looks to come >> through to Tomcat fine until it hits... >> >> org.apache.coyote.http2.Stream$StandardStreamInputBuffer.doRead The >> Stream input buffer is empty. Waiting for more data >> >> At this point, things hang for 20 seconds until a timeout occurs, and >> Tomcat closes the connection. >> >> Here's the odd thing, the same post doesn't always fail. In about 1 out >> of 10 attempts, the POST will succeed. When it does succeed and I compare >> the HTTP2 logs in Tomcat, everything looks the same until the end of the >> connection. Here are the logs showing a POST that succeeds vs. one that >> fails. Is there something we should be doing in our Angular apps >> differently when HTTP2 is used in place of AJP, or is this potentially a >> bug? >> >> Success... >> >> 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] >> org.apache.coyote.http2.Http2UpgradeHandler.updateOverheadCount Connection >> [18], Stream [0], Frame type [HEADERS] resulted in new overhead count of >> [-260] >> 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] >> org.apache.coyote.http2.Http2Parser.validateFrame Connection [18], Stream >> [0], Frame type [PING], Flags [1], Payload size [8] >> 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] >> org.apache.coyote.http2.Http2UpgradeHandler$PingManager.receivePing >> Connection [18] Round trip time measured as [11,769,300]ns >> 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] >> org.apache.coyote.http2.Http2Parser.validateFrame Connection [18], Stream >> [13], Frame type [DATA], Flags [0], Payload size [8000] >> 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] >> org.apache.coyote.http2.Http2Parser.readDataFrame Connection [18], Stream >> [13], Data length [8000], Padding length [none] >> 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] >> org.apache.coyote.http2.Http2UpgradeHandler.updateOverheadCount Connection >> [18], Stream [0], Frame type [DATA] resulted in new overhead count of [-280] >> 11-Jul-2023 08:51:45.428 FINE [https-openssl-nio-exec-15] >> org.apache.coyote.http2.Http2UpgradeHandler.startRequestBodyFrame >> Connection [18], Stream [13] startRequestBodyFrame returned >
Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
[proxy_http2:trace1] [pid 14776:tid 5676] h2_proxy_session.c(1010): [remote x.x.x.x:18443] h2_proxy_session(499): fed 13 bytes of input to session [Tue Jul 11 08:27:51.184357 2023] [proxy_http2:debug] [pid 14776:tid 5676] h2_proxy_session.c(1201): [remote x.x.x.x:18443] AH03345: h2_proxy_session(499): transit [WAIT] -- data read --> [BUSY] [Tue Jul 11 08:27:51.184357 2023] [proxy:debug] [pid 14776:tid 5676] proxy_util.c(2584): AH00943: H2: has released connection for (as01:18443) [Tue Jul 11 08:27:51.184357 2023] [proxy_http2:debug] [pid 14776:tid 5676] mod_proxy_http2.c(458): [remote x.x.x.x:63451] AH03377: leaving handler -- Thanks, Dan On Tue, Jul 11, 2023 at 11:00 AM Dan McLaughlin wrote: > I just upgraded to Tomcat 10.1.11, and it still fails. A comparison of > the logs between a failed POST on 10.1.10 and 10.1.11 look slightly > different, but it still fails for the same reason. I'm going to try > updating the JDK and see if that helps. > > -- > > Thanks, > > Dan > > On Tue, Jul 11, 2023 at 10:32 AM Dan McLaughlin wrote: > >> @markt >> >> I was looking over the latest release notes for 10.1.11. Any chance >> either of these changes could be related... >> >> >>- [image: Fix:] Refactor blocking reads and writes for the NIO >>connector to remove code paths that could allow a notification from the >>Poller to be missed resuting in a timeout rather than the expected read or >>write. (markt) >>- [image: Fix:] Refactor waiting for an HTTP/2 stream or connection >>window update to handle spurious wake-ups during the wait. (markt) >> >> >> -- >> >> Thanks, >> >> Dan >> >> On Tue, Jul 11, 2023 at 9:43 AM Dan McLaughlin wrote: >> >>> We have many Angular applications, and we currently use Angular 15. I'm >>> using Apache 2.4.57 and Tomcat 10.1.10/JDK20 on Windows 2019 (don't ask). >>> >>> For several years now, I've used the following configuration without >>> issues. >>> >>> Angular <-H2-> Apache <-MOD_JK/AJP 1.3--> Tomcat >>> >>> This week I've been working on replacing mod_jk with mod_http2, and for >>> the most part, things are working, but I'm running into issues where we do >>> HTTP POSTs of JSON to Rest APIs. We are using Spring Framework 6.0.10. The >>> only things I have yet to try are upgrading to Tomcat 10.1.11 and >>> updating to the latest JDK20 release. We are using Amazon Corretto. >>> >>> Angular <-H2-> Apache <-MOD_HTTP2/H2--> Tomcat >>> >>> Everything seems to be working fine except for places in our apps where >>> we do things like a POST of JSON to a Rest API. To debug what's going on, >>> I've enabled dumpio on Apache, and I can see the entire JSON getting >>> posted. I've installed Wireshark on the backend where Tomcat is running, >>> and I've captured the TCP packets containing the JSON, and I can see that >>> the entire JSON is making it to Tomcat. When I compare the JSON in a diff >>> tool, the JSON is the same, so I know it's making it intact. So I enabled >>> FINE logging for HTTP2 on Tomcat, and I see everything looks to come >>> through to Tomcat fine until it hits... >>> >>> org.apache.coyote.http2.Stream$StandardStreamInputBuffer.doRead The >>> Stream input buffer is empty. Waiting for more data >>> >>> At this point, things hang for 20 seconds until a timeout occurs, and >>> Tomcat closes the connection. >>> >>> Here's the odd thing, the same post doesn't always fail. In about 1 out >>> of 10 attempts, the POST will succeed. When it does succeed and I compare >>> the HTTP2 logs in Tomcat, everything looks the same until the end of the >>> connection. Here are the logs showing a POST that succeeds vs. one that >>> fails. Is there something we should be doing in our Angular apps >>> differently when HTTP2 is used in place of AJP, or is this potentially a >>> bug? >>> >>> Success... >>> >>> 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] >>> org.apache.coyote.http2.Http2UpgradeHandler.updateOverheadCount Connection >>> [18], Stream [0], Frame type [HEADERS] resulted in new overhead count of >>> [-260] >>> 11-Jul-2023 08:51:45.427 FINE [https-openssl-nio-exec-15] >>> org.apache.coyote.http2.Http2Parser.validateFrame Connection [18], Stream >>> [0], Frame type [PING], Flags [1], Payload size [8] >>> 11-Jul-2023 08:51:45.427
Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
One other note, is I can switch to h2c, and it still fails, and a packet capture shows the entire JSON is delivered to Tomcat, and when I put the JSON from the packet inspection together (Packets 10199 --> 10208) and compare it to what the browser says was sent, they are identical. There are no signs of TCP retransmissions or other things you might expect to see if there was a networking related issue. 1048 2.473101 sourceip destinationip TCP 71 58116 → 18443 [PSH, ACK] Seq=1 Ack=1 Win=8212 Len=17 1049 2.473232 sourceip destinationip TCP 1514 58116 → 18443 [ACK] Seq=18 Ack=1 Win=8212 Len=1460 1050 2.473232 sourceip destinationip TCP 1155 58116 → 18443 [PSH, ACK] Seq=1478 Ack=1 Win=8212 Len=1101 1053 2.484659 sourceip destinationip TCP 60 58116 → 18443 [ACK] Seq=2579 Ack=18 Win=8212 Len=0 1055 2.487967 sourceip destinationip TCP 71 58116 → 18443 [PSH, ACK] Seq=2579 Ack=35 Win=8212 Len=17 10199 22.689703 sourceip destinationip TCP 1514 58116 → 18443 [ACK] Seq=2596 Ack=147 Win=8211 Len=1460 10200 22.689703 sourceip destinationip TCP 1514 58116 → 18443 [ACK] Seq=4056 Ack=147 Win=8211 Len=1460 10201 22.689703 sourceip destinationip TCP 1514 58116 → 18443 [ACK] Seq=5516 Ack=147 Win=8211 Len=1460 10202 22.689703 sourceip destinationip TCP 1514 58116 → 18443 [ACK] Seq=6976 Ack=147 Win=8211 Len=1460 10203 22.689703 sourceip destinationip TCP 1514 58116 → 18443 [ACK] Seq=8436 Ack=147 Win=8211 Len=1460 10204 22.689703 sourceip destinationip TCP 1514 58116 → 18443 [ACK] Seq=9896 Ack=147 Win=8211 Len=1460 10205 22.689703 sourceip destinationip TCP 1514 58116 → 18443 [ACK] Seq=11356 Ack=147 Win=8211 Len=1460 10206 22.689703 sourceip destinationip TCP 1514 58116 → 18443 [ACK] Seq=12816 Ack=147 Win=8211 Len=1460 10207 22.689703 sourceip destinationip TCP 1514 58116 → 18443 [ACK] Seq=14276 Ack=147 Win=8211 Len=1460 10208 22.689703 sourceip destinationip TCP 873 58116 → 18443 [PSH, ACK] Seq=15736 Ack=147 Win=8211 Len=819 10212 22.691800 sourceip destinationip TCP 60 58116 → 18443 [ACK] Seq=16555 Ack=177 Win=8211 Len=0 10216 22.701706 sourceip destinationip TCP 60 58116 → 18443 [ACK] Seq=16555 Ack=190 Win=8211 Len=0 1. There is a significant time gap between the packets indexed at 1055 and 10199. The timestamp jumps from 2.487967 to 22.689703, a difference of about 20 seconds, which matches up with the timeout of 20 seconds. 2. The acknowledgement number (Ack) remains constant at 147 from packet 10199 to 10208, which may suggest that the recipient has not yet acknowledged receipt of these packets. Then it increases to 177 at packet 10212, and to 190 at 10216, suggesting acknowledgements were received for those packets. 3. Packets 10199 --> 10208 contain the full contents of the JSON. Thanks, Dan On Tue, Jul 11, 2023 at 11:43 AM Dan McLaughlin wrote: > I was already using the latest Amazon Corretto 20, so I tried moving to > the latest OpenJDK 20, which made no difference. So I'm now using the > latest Apache HTTPD 2.4, Tomcat 10.1, and JDK20. > > So it's either some configuration in Apache or Tomcat that needs to be > tweaked, an issue with our app (but moving back to mod_jk over AJP works), > or it's a bug in either mod_http2 or Tomcat 10.1. > > If someone at Apache thinks this might be a bug let me know and I'll open > a bug report, I just need to know if you think the issue might be with > mod_http2 or Tomcat, and I honestly don't know how to tell at this point. > So some guidance from someone that knows the code might be of some help at > this point. > > In case it helps any, here are the logs from mod_http2 that match with the > failed POST that match the tomcat logs that I posted earlier in this thread > if it helps point in at Apache or Tomcat as the source of the problem... > > One thing to point out is that at the time Tomcat says: > > "11-Jul-2023 08:27:31.166 FINE [https-openssl-nio-x.x.x.x-18443-exec-8] > org.apache.coyote.http2.Stream$StandardStreamInputBuffer.doRead The Stream > input buffer is empty. Waiting for more data" > > Apache repeatedly logs: > > [Tue Jul 11 08:27:31.061803 2023] [proxy_http2:trace3] [pid 14776:tid > 5676] h2_proxy_session.c(1047): (11)Resource temporarily unavailable: > [remote x.x.x.x:18443] h2_proxy_session(499): read from conn > [Tue Jul 11 08:27:31.061803 2023] [proxy_http2:debug] [pid 14776:tid 5676] > h2_proxy_session.c(1201): [remote x.x.x.x:18443] AH03345: > h2_proxy_session(499): transit [BUSY] -- no io --> [WAIT] > > Here is the full log from Apache... > > [Tue Jul 11 08:27:31.048120 2023] [proxy:trace2] [pid 14776:tid 5676] > mod_proxy.c(884): [remote x.x.x.x:63451] AH03461: attempting to match URI > path '/MyApp/rest/savejson' against prefix '/MyApp' for proxying, referer: > https://myapp.mydomain.com/MyApp/app/reporting/report/424243 > [Tue Jul 11 08:27:31.048793 2023] [prox
Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
Hi Mark, I already provided the output from org.apache.coyote.http2.level = FINE in the very first post to this thread. I didn't include everything because all the header information includes things I don't necessarily want to post publicly and because it would take a while for me to obfuscate. I will see if it's reproducible with a curl command and if I can reproduce it in a standalone docker image. I will also try with mod_proxy_http, as suggested by Chris. Let me know if there is more logging I truncated that you need to see that might tell you where the problem is; if I can provide it, I will. -- Thanks, Dan On Wed, Jul 12, 2023 at 3:34 AM Mark Thomas wrote: > > On 11/07/2023 19:10, Dan McLaughlin wrote: > > One other note, is I can switch to h2c, and it still fails, and a packet > > capture shows the entire JSON is delivered to Tomcat, and when I put the > > JSON from the packet inspection together (Packets 10199 --> 10208) and > > compare it to what the browser says was sent, they are identical. There are > > no signs of TCP retransmissions or other things you might expect to see if > > there was a networking related issue. > > Hi Dan, > > This looks like a possible Tomcat bug to me. > > To debug futher I'd suggest the following: > > Enable http2 debug logging by adding the following to > $CATALINA_BASE/conf/logging.properties > > org.apache.coyote.http2.level = FINE > > (that line should already be there, it just needs to be uncommented). > > If you can provide a curl command or similar that triggers this issue > then please feel free to open a Bugzilla issue and attached the script > and any relevant configuration snippets for httpd etc and we can try and > reproduce it. > > Thanks, > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
I can confirm that if I switch h2 to http, everything works as expected, change it back to h2 or h2c, and it breaks. Mark, Please let me know if the http2 logs weren't enough to tell you what's happening; if not, I'll work on creating a simple standalone reproduction using docker. -- Thanks, Dan On Wed, Jul 12, 2023 at 6:00 AM Dan McLaughlin wrote: > > Hi Mark, > > I already provided the output from org.apache.coyote.http2.level = > FINE in the very first post to this thread. I didn't include > everything because all the header information includes things I don't > necessarily want to post publicly and because it would take a while > for me to obfuscate. I will see if it's reproducible with a curl > command and if I can reproduce it in a standalone docker image. > > I will also try with mod_proxy_http, as suggested by Chris. > > Let me know if there is more logging I truncated that you need to see > that might tell you where the problem is; if I can provide it, I will. > > -- > > Thanks, > > Dan > > > > On Wed, Jul 12, 2023 at 3:34 AM Mark Thomas wrote: > > > > On 11/07/2023 19:10, Dan McLaughlin wrote: > > > One other note, is I can switch to h2c, and it still fails, and a packet > > > capture shows the entire JSON is delivered to Tomcat, and when I put the > > > JSON from the packet inspection together (Packets 10199 --> 10208) and > > > compare it to what the browser says was sent, they are identical. There > > > are > > > no signs of TCP retransmissions or other things you might expect to see if > > > there was a networking related issue. > > > > Hi Dan, > > > > This looks like a possible Tomcat bug to me. > > > > To debug futher I'd suggest the following: > > > > Enable http2 debug logging by adding the following to > > $CATALINA_BASE/conf/logging.properties > > > > org.apache.coyote.http2.level = FINE > > > > (that line should already be there, it just needs to be uncommented). > > > > If you can provide a curl command or similar that triggers this issue > > then please feel free to open a Bugzilla issue and attached the script > > and any relevant configuration snippets for httpd etc and we can try and > > reproduce it. > > > > Thanks, > > > > Mark > > > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
Mark,
I'm working on a test case. I've built a simple spring boot war with a rest
API "jsonInput" that accepts any JSON and responds with {"message":"OK"}.
What I've determined so far is that it only happens when you are proxying
the request through Apache using mod_proxy_http2, and the size of the JSON
that you are sending has something to do with the problem. I can send a
large JSON or a small one directly to Tomcat, which works. If I send a
small JSON through mod_proxy_http2, it also works, but if I send the JSON
that our client apps are sending, which is quite large, it fails.
Before I spend more time on this test case, can you think of any setting in
Tomcat or mod_proxy_http2 that might cause the POST of the larger JSON to
fail?
--
Thanks,
Dan
On Wed, Jul 12, 2023 at 2:36 PM Mark Thomas wrote:
>
> 12 Jul 2023 13:40:18 Dan McLaughlin :
>
> > I can confirm that if I switch h2 to http, everything works as
> > expected, change it back to h2 or h2c, and it breaks.
>
> That makes me think it is an h2 bug in Tomcat.
>
> > Mark, Please let me know if the http2 logs weren't enough to tell you
> > what's happening; if not, I'll work on creating a simple standalone
> > reproduction using docker.
>
> I've looked through those logs and don't see anything. Enabling debug
> logs for org.apache.tomcat.util.net might help but a reproducible test
> case is probably the easiest for us to work with.
>
> If you can avoid using docker that helps as it is one less thing for us
> to unpick when digging for the root cause but we can work with a docker
> based reproducible test case if needed.
>
> Mark
>
> >
> > --
> >
> > Thanks,
> >
> > Dan
> >
> > On Wed, Jul 12, 2023 at 6:00 AM Dan McLaughlin
> > wrote:
> >>
> >> Hi Mark,
> >>
> >> I already provided the output from org.apache.coyote.http2.level =
> >> FINE in the very first post to this thread. I didn't include
> >> everything because all the header information includes things I don't
> >> necessarily want to post publicly and because it would take a while
> >> for me to obfuscate. I will see if it's reproducible with a curl
> >> command and if I can reproduce it in a standalone docker image.
> >>
> >> I will also try with mod_proxy_http, as suggested by Chris.
> >>
> >> Let me know if there is more logging I truncated that you need to see
> >> that might tell you where the problem is; if I can provide it, I will.
> >>
> >> --
> >>
> >> Thanks,
> >>
> >> Dan
> >>
> >>
> >>
> >> On Wed, Jul 12, 2023 at 3:34 AM Mark Thomas wrote:
> >>>
> >>> On 11/07/2023 19:10, Dan McLaughlin wrote:
> >>>> One other note, is I can switch to h2c, and it still fails, and a
> >>>> packet
> >>>> capture shows the entire JSON is delivered to Tomcat, and when I put
> >>>> the
> >>>> JSON from the packet inspection together (Packets 10199 --> 10208)
> >>>> and
> >>>> compare it to what the browser says was sent, they are identical.
> >>>> There are
> >>>> no signs of TCP retransmissions or other things you might expect to
> >>>> see if
> >>>> there was a networking related issue.
> >>>
> >>> Hi Dan,
> >>>
> >>> This looks like a possible Tomcat bug to me.
> >>>
> >>> To debug futher I'd suggest the following:
> >>>
> >>> Enable http2 debug logging by adding the following to
> >>> $CATALINA_BASE/conf/logging.properties
> >>>
> >>> org.apache.coyote.http2.level = FINE
> >>>
> >>> (that line should already be there, it just needs to be uncommented).
> >>>
> >>> If you can provide a curl command or similar that triggers this issue
> >>> then please feel free to open a Bugzilla issue and attached the
> >>> script
> >>> and any relevant configuration snippets for httpd etc and we can try
> >>> and
> >>> reproduce it.
> >>>
> >>> Thanks,
> >>>
> >>> Mark
> >>>
> >>> -
> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>
> >
> > --
> >
> >
> >
Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
Well, the deeper I get into the problem, the more complicated it gets. I
thought I was onto something, thinking the size of the JSON might have
something to do with it, so I created a Python script to call curl POSTs
with increasingly larger JSON thinking I would eventually hit some size
limit, but what I'm seeing is that it seems to fail less with smaller JSON
files, although it will fail on just about any size. I even changed the
Python script to retry failed POSTs, which will work on over half the
second or third attempt.
So I decided to try to create a maven project to build the test war, then
start a Tomcat and Apache docker image..and I can't reproduce the issue.
My worst fear was that I was dealing with something potentially
Windows-specific, back to the drawing board.
--
Thanks,
Dan
On Wed, Jul 12, 2023 at 4:05 PM Dan McLaughlin wrote:
> Mark,
>
> I'm working on a test case. I've built a simple spring boot war with a
> rest API "jsonInput" that accepts any JSON and responds
> with {"message":"OK"}. What I've determined so far is that it only happens
> when you are proxying the request through Apache using mod_proxy_http2, and
> the size of the JSON that you are sending has something to do with the
> problem. I can send a large JSON or a small one directly to Tomcat, which
> works. If I send a small JSON through mod_proxy_http2, it also works, but
> if I send the JSON that our client apps are sending, which is quite large,
> it fails.
>
> Before I spend more time on this test case, can you think of any setting
> in Tomcat or mod_proxy_http2 that might cause the POST of the larger JSON
> to fail?
>
> --
>
> Thanks,
>
> Dan
>
> On Wed, Jul 12, 2023 at 2:36 PM Mark Thomas wrote:
>
>>
>> 12 Jul 2023 13:40:18 Dan McLaughlin :
>>
>> > I can confirm that if I switch h2 to http, everything works as
>> > expected, change it back to h2 or h2c, and it breaks.
>>
>> That makes me think it is an h2 bug in Tomcat.
>>
>> > Mark, Please let me know if the http2 logs weren't enough to tell you
>> > what's happening; if not, I'll work on creating a simple standalone
>> > reproduction using docker.
>>
>> I've looked through those logs and don't see anything. Enabling debug
>> logs for org.apache.tomcat.util.net might help but a reproducible test
>> case is probably the easiest for us to work with.
>>
>> If you can avoid using docker that helps as it is one less thing for us
>> to unpick when digging for the root cause but we can work with a docker
>> based reproducible test case if needed.
>>
>> Mark
>>
>> >
>> > --
>> >
>> > Thanks,
>> >
>> > Dan
>> >
>> > On Wed, Jul 12, 2023 at 6:00 AM Dan McLaughlin
>> > wrote:
>> >>
>> >> Hi Mark,
>> >>
>> >> I already provided the output from org.apache.coyote.http2.level =
>> >> FINE in the very first post to this thread. I didn't include
>> >> everything because all the header information includes things I don't
>> >> necessarily want to post publicly and because it would take a while
>> >> for me to obfuscate. I will see if it's reproducible with a curl
>> >> command and if I can reproduce it in a standalone docker image.
>> >>
>> >> I will also try with mod_proxy_http, as suggested by Chris.
>> >>
>> >> Let me know if there is more logging I truncated that you need to see
>> >> that might tell you where the problem is; if I can provide it, I will.
>> >>
>> >> --
>> >>
>> >> Thanks,
>> >>
>> >> Dan
>> >>
>> >>
>> >>
>> >> On Wed, Jul 12, 2023 at 3:34 AM Mark Thomas wrote:
>> >>>
>> >>> On 11/07/2023 19:10, Dan McLaughlin wrote:
>> >>>> One other note, is I can switch to h2c, and it still fails, and a
>> >>>> packet
>> >>>> capture shows the entire JSON is delivered to Tomcat, and when I put
>> >>>> the
>> >>>> JSON from the packet inspection together (Packets 10199 --> 10208)
>> >>>> and
>> >>>> compare it to what the browser says was sent, they are identical.
>> >>>> There are
>> >>>> no signs of TCP retransmissions or other things you might expect to
>> >>>> see if
>> >>>> there was a networking related issue.
>> &
Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
Hey Mark,
I found a workaround/fix. On the Tomcat Connector, instead of using
protocol=HTTP/1.1, I changed it to
protocol="org.apache.coyote.http11.Http11Nio2Protocol," I haven't had
a single failure since. Not only that, but our application response
times are noticeably faster.
--
Thanks,
Dan
On Wed, Jul 12, 2023 at 9:58 PM Dan McLaughlin wrote:
>
> Well, the deeper I get into the problem, the more complicated it gets. I
> thought I was onto something, thinking the size of the JSON might have
> something to do with it, so I created a Python script to call curl POSTs with
> increasingly larger JSON thinking I would eventually hit some size limit, but
> what I'm seeing is that it seems to fail less with smaller JSON files,
> although it will fail on just about any size. I even changed the Python
> script to retry failed POSTs, which will work on over half the second or
> third attempt.
>
> So I decided to try to create a maven project to build the test war, then
> start a Tomcat and Apache docker image..and I can't reproduce the issue.
>
> My worst fear was that I was dealing with something potentially
> Windows-specific, back to the drawing board.
>
> --
>
> Thanks,
>
> Dan
>
> On Wed, Jul 12, 2023 at 4:05 PM Dan McLaughlin wrote:
>>
>> Mark,
>>
>> I'm working on a test case. I've built a simple spring boot war with a rest
>> API "jsonInput" that accepts any JSON and responds with {"message":"OK"}.
>> What I've determined so far is that it only happens when you are proxying
>> the request through Apache using mod_proxy_http2, and the size of the JSON
>> that you are sending has something to do with the problem. I can send a
>> large JSON or a small one directly to Tomcat, which works. If I send a small
>> JSON through mod_proxy_http2, it also works, but if I send the JSON that our
>> client apps are sending, which is quite large, it fails.
>>
>> Before I spend more time on this test case, can you think of any setting in
>> Tomcat or mod_proxy_http2 that might cause the POST of the larger JSON to
>> fail?
>>
>> --
>>
>> Thanks,
>>
>> Dan
>>
>> On Wed, Jul 12, 2023 at 2:36 PM Mark Thomas wrote:
>>>
>>>
>>> 12 Jul 2023 13:40:18 Dan McLaughlin :
>>>
>>> > I can confirm that if I switch h2 to http, everything works as
>>> > expected, change it back to h2 or h2c, and it breaks.
>>>
>>> That makes me think it is an h2 bug in Tomcat.
>>>
>>> > Mark, Please let me know if the http2 logs weren't enough to tell you
>>> > what's happening; if not, I'll work on creating a simple standalone
>>> > reproduction using docker.
>>>
>>> I've looked through those logs and don't see anything. Enabling debug
>>> logs for org.apache.tomcat.util.net might help but a reproducible test
>>> case is probably the easiest for us to work with.
>>>
>>> If you can avoid using docker that helps as it is one less thing for us
>>> to unpick when digging for the root cause but we can work with a docker
>>> based reproducible test case if needed.
>>>
>>> Mark
>>>
>>> >
>>> > --
>>> >
>>> > Thanks,
>>> >
>>> > Dan
>>> >
>>> > On Wed, Jul 12, 2023 at 6:00 AM Dan McLaughlin
>>> > wrote:
>>> >>
>>> >> Hi Mark,
>>> >>
>>> >> I already provided the output from org.apache.coyote.http2.level =
>>> >> FINE in the very first post to this thread. I didn't include
>>> >> everything because all the header information includes things I don't
>>> >> necessarily want to post publicly and because it would take a while
>>> >> for me to obfuscate. I will see if it's reproducible with a curl
>>> >> command and if I can reproduce it in a standalone docker image.
>>> >>
>>> >> I will also try with mod_proxy_http, as suggested by Chris.
>>> >>
>>> >> Let me know if there is more logging I truncated that you need to see
>>> >> that might tell you where the problem is; if I can provide it, I will.
>>> >>
>>> >> --
>>> >>
>>> >> Thanks,
>>> >>
>>> >> Dan
>>> >>
>>> >>
>>> >>
>>> >> On Wed, Jul 12, 2023 at 3:34 AM Mark Thomas wrote:
>>> >
Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2
Mark,
Never mind the last message, I thought it was working, but I had
looked at my test balancer config and forgot I had left the
application config using http instead of h2. So it's still busted. I
am running out of time on my end to spend on this at the moment.
Since it seems to be a Windows-specific issue, it will take me a lot
longer to set up a way to reproduce it since I don't have the
flexibility of spinning up docker images. I will be moving back to
mod_jk for now since I know that works. If I can provide you anything
else as far as logs from our environment that might point to what's
going on without me having to create a way to reproduce it for a bug
report I'd be happy to do so, but for now, I have to get back to
working on other things on my plate.
--
Thanks,
Dan
On Wed, Jul 12, 2023 at 10:56 PM Dan McLaughlin wrote:
>
> Hey Mark,
>
> I found a workaround/fix. On the Tomcat Connector, instead of using
> protocol=HTTP/1.1, I changed it to
> protocol="org.apache.coyote.http11.Http11Nio2Protocol," I haven't had
> a single failure since. Not only that, but our application response
> times are noticeably faster.
>
> --
>
> Thanks,
>
> Dan
> On Wed, Jul 12, 2023 at 9:58 PM Dan McLaughlin wrote:
> >
> > Well, the deeper I get into the problem, the more complicated it gets. I
> > thought I was onto something, thinking the size of the JSON might have
> > something to do with it, so I created a Python script to call curl POSTs
> > with increasingly larger JSON thinking I would eventually hit some size
> > limit, but what I'm seeing is that it seems to fail less with smaller JSON
> > files, although it will fail on just about any size. I even changed the
> > Python script to retry failed POSTs, which will work on over half the
> > second or third attempt.
> >
> > So I decided to try to create a maven project to build the test war, then
> > start a Tomcat and Apache docker image..and I can't reproduce the issue.
> >
> > My worst fear was that I was dealing with something potentially
> > Windows-specific, back to the drawing board.
> >
> > --
> >
> > Thanks,
> >
> > Dan
> >
> > On Wed, Jul 12, 2023 at 4:05 PM Dan McLaughlin wrote:
> >>
> >> Mark,
> >>
> >> I'm working on a test case. I've built a simple spring boot war with a
> >> rest API "jsonInput" that accepts any JSON and responds with
> >> {"message":"OK"}. What I've determined so far is that it only happens when
> >> you are proxying the request through Apache using mod_proxy_http2, and the
> >> size of the JSON that you are sending has something to do with the
> >> problem. I can send a large JSON or a small one directly to Tomcat, which
> >> works. If I send a small JSON through mod_proxy_http2, it also works, but
> >> if I send the JSON that our client apps are sending, which is quite large,
> >> it fails.
> >>
> >> Before I spend more time on this test case, can you think of any setting
> >> in Tomcat or mod_proxy_http2 that might cause the POST of the larger JSON
> >> to fail?
> >>
> >> --
> >>
> >> Thanks,
> >>
> >> Dan
> >>
> >> On Wed, Jul 12, 2023 at 2:36 PM Mark Thomas wrote:
> >>>
> >>>
> >>> 12 Jul 2023 13:40:18 Dan McLaughlin :
> >>>
> >>> > I can confirm that if I switch h2 to http, everything works as
> >>> > expected, change it back to h2 or h2c, and it breaks.
> >>>
> >>> That makes me think it is an h2 bug in Tomcat.
> >>>
> >>> > Mark, Please let me know if the http2 logs weren't enough to tell you
> >>> > what's happening; if not, I'll work on creating a simple standalone
> >>> > reproduction using docker.
> >>>
> >>> I've looked through those logs and don't see anything. Enabling debug
> >>> logs for org.apache.tomcat.util.net might help but a reproducible test
> >>> case is probably the easiest for us to work with.
> >>>
> >>> If you can avoid using docker that helps as it is one less thing for us
> >>> to unpick when digging for the root cause but we can work with a docker
> >>> based reproducible test case if needed.
> >>>
> >>> Mark
> >>>
> >>> >
> >>> > --
> >>> >
> >>> > Thanks,
> >>> >
> >>
Status Code 500 on /manager/status after upgrade to 9.0.45
I just upgraded from 9.0.39 to 9.0.45 and experiencing something odd. When I go to http:///manager/status<http://%3ctomcat_server%3e/manager/status> the page fully renders but is delivered with HTTP Status 500. This isn't a problem when viewing in a browser, but my automated monitoring tool isn't working because it thinks there is no data. Any suggestions ? Thanks. Dan Schreck | Director of IT Operations | Foundation Source Phone & Fax: +1 203-319-3727 | dschr...@foundationsource.com 55 Walls Drive, 3rd Floor, Fairfield CT 06824 www.foundationsource.com The finest compliment we can receive is an introduction to friends, family, and colleagues from an appreciative client. Foundation Source is the nation's leading provider of support services for private foundations. The contents of this email are provided for informational purposes only and should not be construed as tax, legal or financial advice.
Re: war filename in url. I want this to be different
This should work (in server.xml): assuming that /webapps/companyName/warfilename.war is a valid filepath. Dan Dean Hiller wrote: I am trying to make a hosted service(with a few small apps) that companies can purchase. I want the default tomcat app(my app as I took default over) to be run when a url like this is used http://xsoftware.biz/ and I want the req.war app to be run when this url is used http://xsoftware.biz//req I basically want to store the companyName in the request so the app knows which company is being accessed, but want the correct web app to be executed as well. How can I do this? Any good documentation on this? I don't want a war file per companyName obviously, but it is like I want to change out the default tomcat behavior where normally that would be mapped to the war file name. Is this even possible? thanks, dean - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat 4.1 with MS SQL2005
Currently my Tomcat 4.1 application works with MS SQL2000. I have not been able to connect with MS SQL2005 by copying sqljdbc.jar to the lib folder & setting JDBC Driver Class to com.microsoft.sqlserver.jdbc.SQLServerDriver. How can I get Tomcat4.1 to connect to MS SQL2005? Dan Decker - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Using MX4J's HTTP Connector with Tomcat 5.5 and JDK 1.5
Hi, I'd like to get Tomcat 5.5 on JDK 1.5 to use MX4J's HTTP Connector in order to avoid firewall issues. Could someone please provide me with a quick rundown? Thanks Dan - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Response already committed
I'm getting a problem that appears to occur randomly. If I request the
same page in my webapp over and over most of the time it will come up
fine but sometimes tomcat won't return anything and I'll get a blank
page and this error in the log:
Oct 3, 2006 4:20:22 PM org.apache.jk.core.MsgContext action
INFO: Response already committed
It also happens for static files like stylesheets so sometimes you will
request a page and then the styles won't get loaded. Anyone have any
clues as to what this could be? I'm googling around and looking through
my tomcat book but haven't found an answer yet. I'm using tomcat 5.5
with the mod_jk connector and apache 2. Here is my server.xml:
--
Dan Adams
Senior Software Engineer
Interactive Factory
617.235.5857
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Response already committed
Hmm, I don't think that is the culprit. I think all of our stuff is thread safe. We're using a framework (Tapestry) which shields us from threading issues like that and prevents us from storing request stuff in the session. Also, if that were the case would that cause problems when loading static files? I don't think so. Also, we are using a filter which when it tries to do a redirect will throw an error complaining about this so this happens way before our app ever gets to do anything: ERROR: response is comitted cannot forward (this is a very strange problem!, check you haven't done anything to the response (ie, written to it) before here On Tue, 2006-10-03 at 15:39 -0500, Caldarale, Charles R wrote: > > From: Dan Adams [mailto:[EMAIL PROTECTED] > > Subject: Response already committed > > > > I'm getting a problem that appears to occur randomly. If I request the > > same page in my webapp over and over most of the time it will come up > > fine but sometimes tomcat won't return anything and I'll get a blank > > page and this error in the log: > > > > Oct 3, 2006 4:20:22 PM org.apache.jk.core.MsgContext action > > INFO: Response already committed > > Any chance that the logic in your servlet is not thread-safe? > Repeatedly submitting requests could get more than one going at the same > time, causing improperly scoped variables to be overwritten. For > example, is request-specific data being stored in the session? > > - Chuck > > > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY > MATERIAL and is thus for use only by the intended recipient. If you > received this in error, please contact the sender and delete the e-mail > and its attachments from all computers. > > - > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > -- Dan Adams Senior Software Engineer Interactive Factory 617.235.5857 - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
change in versions?
I had a tomcat 5.5.17 install with a bunch of webapps that was running great. Then I had to set up a new tomcat install on another server so I grabbed 5.5.20 and all of a sudden the urlrewritefilter in my apps stopped working completely. So after like a day of frustration and trying to figure out the cause I copied the old tomcat install from the other machine and everything worked perfect. Anyone have any clues as to what this could be? -- Dan Adams Senior Software Engineer Interactive Factory 617.235.5857 - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
tomcat not passing resources to my filters
Okay, I just set up a new tomcat with the latest version (5.5.20). My webapp is using urlrewritefilter. Whenever I request a url the filter will output what it's doing to the log even if it doesn't end up doing anything with a url. I've got this down to a base test case and what's happening is that if I request a url that does not end in .html then urlrewritefilter is called during the request and can do it's thing. But if the file ends .html then tomcat serves up the file as-is and the filter never even gets called. Is this something new? This seems to be something that has changed since 5.5.17 because it didn't do this then. Anyone have any ideas? -- Dan Adams Senior Software Engineer Interactive Factory 617.235.5857 - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Response committed before getting to the filters
So every once in a while when you make a request to the server you won't get anything back and the log will show that one of the filters complained that response is already committed. So I restarted tomcat with the jpda debugger on, fired up my debugger in eclipse, and set a breakpoint at the place in the filter where this message is printed. My app has 2 filters right now and the breakpoint is in the second filter. So when I hit the breakpoint I went down in the stack trace to the point at which tomcat calls doFilter on the first filter in the filter chain. At that point is the stack, response.isCommitted() evaluates to 'true'(!?). Exploring the objects the response shows that the headers written so far are: Transfer-Encoding = chunked Date = Fri, 06 Oct 2006 14:33:33 GMT and contentLength == -1. Why would the response be committed before even getting to any of the code in my application? Even suggestions on what to investigate further would be help at this point. Thanks in advance. -- Dan Adams Senior Software Engineer Interactive Factory 617.235.5857 - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Response committed before getting to the filters
The source code for both is below (this code is actually from the spring
library if that makes any difference).
I really don't think the filters have anything to do with it. I just set
a conditional breakpoint in the first line of doFilter() in the first
filter that gets called by tomcat for when response.isCommitted()
evaluates to true. As soon as it happened again that breakpoint got hit
and response.isCommitted() was, in fact, true. But in every other normal
request the breakpoint never gets hit.
This is what the first filter does (sorry looks ugly in email):
public final void doFilter(ServletRequest request, ServletResponse
response, FilterChain filterChain)
throws ServletException, IOException {
if (!(request instanceof HttpServletRequest) || !(response
instanceof HttpServletResponse)) {
throw new ServletException("OncePerRequestFilter just supports
HTTP requests");
}
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
String alreadyFilteredAttributeName =
getAlreadyFilteredAttributeName();
if (request.getAttribute(alreadyFilteredAttributeName) != null ||
shouldNotFilter(httpRequest)) {
// proceed without invoking this filter
filterChain.doFilter(request, response);
}
else {
// invoke this filter
request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE);
doFilterInternal(httpRequest, httpResponse, filterChain);
}
}
and doFilterInternal() is:
protected void doFilterInternal(
HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain)
throws ServletException, IOException {
SessionFactory sessionFactory = lookupSessionFactory(request);
Session session = null;
boolean participate = false;
if (isSingleSession()) {
// single session mode
if (TransactionSynchronizationManager.hasResource(sessionFactory))
{
// Do not modify the Session: just set the participate flag.
participate = true;
}
else {
logger.debug("Opening single Hibernate Session in
OpenSessionInViewFilter");
session = getSession(sessionFactory);
TransactionSynchronizationManager.bindResource(sessionFactory,
new SessionHolder(session));
}
}
else {
// deferred close mode
if (SessionFactoryUtils.isDeferredCloseActive(sessionFactory)) {
// Do not modify deferred close: just set the participate flag.
participate = true;
}
else {
SessionFactoryUtils.initDeferredClose(sessionFactory);
}
}
try {
filterChain.doFilter(request, response);
}
finally {
if (!participate) {
if (isSingleSession()) {
// single session mode
TransactionSynchronizationManager.unbindResource(sessionFactory);
logger.debug("Closing single Hibernate Session in
OpenSessionInViewFilter");
try {
closeSession(session, sessionFactory);
}
catch (RuntimeException ex) {
logger.error("Unexpected exception on closing Hibernate
Session", ex);
}
}
else {
// deferred close mode
SessionFactoryUtils.processDeferredClose(sessionFactory);
}
}
}
}
On Fri, 2006-10-06 at 11:00 -0400, David Smith wrote:
> So what does the first filter do? Does it do anything with the response
> before chaining to the second one?
>
> --David
>
> Dan Adams wrote:
> > So every once in a while when you make a request to the server you won't
> > get anything back and the log will show that one of the filters
> > complained that response is already committed. So I restarted tomcat
> > with the jpda debugger on, fired up my debugger in eclipse, and set a
> > breakpoint at the place in the filter where this message is printed.
> >
> > My app has 2 filters right now and the breakpoint is in the second
> > filter. So when I hit the breakpoint I went down in the stack trace to
> > the point at which tomcat calls doFilter on the first filter in the
> > filter chain. At that point is the stack, response.isCommitted()
> > evaluates to 'true'(!?). Exploring the objects the response shows that
> > the headers written so far are:
> >
> > Transfer-Encoding = chunked
> > Date = Fri, 06 Oct 2006 14:33:33 GMT
> >
> > and contentLength == -1.
> >
> > Why would the response be committed before even getting to any of the
> > code in my application? Even suggestions on what to investigate further
> > would be help at this point. Thanks in advance.
> >
> >
>
>
> -----
&g
Re: Response committed before getting to the filters
So I set a conditional breakpoint for response.isCommitted() all the way
down in CoyoteAdapter.service() (called by Http11Processor.process())
and the response was committed at that point when this happened. Here is
the source where the breakpoint was:
// Parse and set Catalina and configuration specific
// request parameters
if ( postParseRequest(req, request, res, response) ) {
// Calling the container
// BREAKPOINT IS HERE
connector.getContainer().getPipeline().getFirst().invoke(request,
response);
}
I'm going to try to go ever further down and see if there is a point at
which it isn't committed.
On Fri, 2006-10-06 at 10:51 -0400, Dan Adams wrote:
> So every once in a while when you make a request to the server you won't
> get anything back and the log will show that one of the filters
> complained that response is already committed. So I restarted tomcat
> with the jpda debugger on, fired up my debugger in eclipse, and set a
> breakpoint at the place in the filter where this message is printed.
>
> My app has 2 filters right now and the breakpoint is in the second
> filter. So when I hit the breakpoint I went down in the stack trace to
> the point at which tomcat calls doFilter on the first filter in the
> filter chain. At that point is the stack, response.isCommitted()
> evaluates to 'true'(!?). Exploring the objects the response shows that
> the headers written so far are:
>
> Transfer-Encoding = chunked
> Date = Fri, 06 Oct 2006 14:33:33 GMT
>
> and contentLength == -1.
>
> Why would the response be committed before even getting to any of the
> code in my application? Even suggestions on what to investigate further
> would be help at this point. Thanks in advance.
>
--
Dan Adams
Senior Software Engineer
Interactive Factory
617.235.5857
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Resolved: Response committed before getting to the filters
Thankfully (and shamefully) it did in fact turn out to be something on
our end. Basically there was object that had a reference to the response
output stream that would close the stream when it was getting garbage
collected which had as a side effect that tomcat would set the response
that owned the stream as being committed already. Thanks for the help.
Lesson learned: double check that streams are closed correctly.
On Fri, 2006-10-06 at 12:33 -0400, Dan Adams wrote:
> So I set a conditional breakpoint for response.isCommitted() all the way
> down in CoyoteAdapter.service() (called by Http11Processor.process())
> and the response was committed at that point when this happened. Here is
> the source where the breakpoint was:
>
> // Parse and set Catalina and configuration specific
> // request parameters
> if ( postParseRequest(req, request, res, response) ) {
> // Calling the container
>
> // BREAKPOINT IS HERE
> connector.getContainer().getPipeline().getFirst().invoke(request,
> response);
> }
>
> I'm going to try to go ever further down and see if there is a point at
> which it isn't committed.
>
> On Fri, 2006-10-06 at 10:51 -0400, Dan Adams wrote:
> > So every once in a while when you make a request to the server you won't
> > get anything back and the log will show that one of the filters
> > complained that response is already committed. So I restarted tomcat
> > with the jpda debugger on, fired up my debugger in eclipse, and set a
> > breakpoint at the place in the filter where this message is printed.
> >
> > My app has 2 filters right now and the breakpoint is in the second
> > filter. So when I hit the breakpoint I went down in the stack trace to
> > the point at which tomcat calls doFilter on the first filter in the
> > filter chain. At that point is the stack, response.isCommitted()
> > evaluates to 'true'(!?). Exploring the objects the response shows that
> > the headers written so far are:
> >
> > Transfer-Encoding = chunked
> > Date = Fri, 06 Oct 2006 14:33:33 GMT
> >
> > and contentLength == -1.
> >
> > Why would the response be committed before even getting to any of the
> > code in my application? Even suggestions on what to investigate further
> > would be help at this point. Thanks in advance.
> >
--
Dan Adams
Senior Software Engineer
Interactive Factory
617.235.5857
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: need to unsubscribe
Did you try? To unsubscribe, e-mail: [EMAIL PROTECTED] Dan Decker Microsoft Dynamics GP Developer www.Business-Computers.com (303)499-2039 -Original Message- From: khozaima shakir [mailto:[EMAIL PROTECTED] Sent: Monday, October 09, 2006 11:53 AM To: users@tomcat.apache.org Subject: need to unsubscribe Hello All, I have been trying to unsubscribe to this mailing list , and save many emails for that , haven't been able to un-subscribe myself... can anyone adivse how to ?? Thanks khozaima - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: need to unsubscribe
Have you been able to un-subscribe? Dan Decker Microsoft Dynamics GP Developer www.Business-Computers.com (303)499-2039 -Original Message- From: khozaima shakir [mailto:[EMAIL PROTECTED] Sent: Monday, October 09, 2006 11:53 AM To: users@tomcat.apache.org Subject: need to unsubscribe Hello All, I have been trying to unsubscribe to this mailing list , and save many emails for that , haven't been able to un-subscribe myself... can anyone adivse how to ?? Thanks khozaima - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat using MS SQL2000 Named Instance
I am trying to get Tomcat to connect to a MS SQL2000 Named instance rather than the default instance. Using the following it connects to the database TWO on the default server KEYSTONE with no problems. jdbc:sqlserver://KEYSTONE;databaseName=TWO When I try to access the MS SQL2000 named instance KEYSTONE\GP90 it still connects to the default jdbc:sqlserver://KEYSTONE;instanceName=GP90;databaseName=TWO Dan Decker
RE: Tomcat using MS SQL2000 Named Instance
It does not work when I use \\GP90. I tried the following and it works on the default instance. jdbc:sqlserver://KEYSTONE:1433;databaseName=TWO To determine if it is using the port #, I changed the port to 1430 and it no longer worked for the default instance. This tells me it is looking at the port #. Does the 2nd SQL2000 instance use a different port#? If so could I change the port # to the one the 2nd instance uses and would it work? How do you determine what port the 2nd instance is using? Thanks Dan Decker Microsoft Dynamics GP Developer www.Business-Computers.com (303)499-2039 -Original Message- From: Karen Koch [mailto:[EMAIL PROTECTED] Sent: Thursday, October 12, 2006 8:29 AM To: 'Tomcat Users List' Cc: [EMAIL PROTECTED] Subject: RE: Tomcat using MS SQL2000 Named Instance Try this: jdbc:microsoft:sqlserver://KEYSTONE\\GP90:1433;SelectMethod=cursor;Datab aseN ame=TWO Note the double backslash before the instance name. Struggled with this briefly myself recently -- the answer was in the PDF help file for the JDBC driver. Karen Koch -Original Message----- From: Dan Decker [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 11, 2006 6:28 PM To: users@tomcat.apache.org Subject: Tomcat using MS SQL2000 Named Instance I am trying to get Tomcat to connect to a MS SQL2000 Named instance rather than the default instance. Using the following it connects to the database TWO on the default server KEYSTONE with no problems. jdbc:sqlserver://KEYSTONE;databaseName=TWO When I try to access the MS SQL2000 named instance KEYSTONE\GP90 it still connects to the default jdbc:sqlserver://KEYSTONE;instanceName=GP90;databaseName=TWO Dan Decker - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat using MS SQL2000 Named Instance
Peter - Thanks. I want to try it. I do not know how to find the port number the named instance is listening on. Do you know how to find what its number is? Dan Decker Microsoft Dynamics GP Developer www.Business-Computers.com (303)499-2039 -Original Message- From: Peter Ries [mailto:[EMAIL PROTECTED] Sent: Thursday, October 12, 2006 9:44 AM To: users@tomcat.apache.org Subject: RE: Tomcat using MS SQL2000 Named Instance Dan, Have you tried using the server name of Keystone and specifying the unique port number the named instance is listening on? I believe that should work. I think that would be something like this: jdbc:sqlserver://KEYSTONE:;databaseName=TWO ...where you replace with the port number. ~Peter -Original Message- From: Dan Decker [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 11, 2006 4:28 PM To: users@tomcat.apache.org Subject: Tomcat using MS SQL2000 Named Instance I am trying to get Tomcat to connect to a MS SQL2000 Named instance rather than the default instance. Using the following it connects to the database TWO on the default server KEYSTONE with no problems. jdbc:sqlserver://KEYSTONE;databaseName=TWO When I try to access the MS SQL2000 named instance KEYSTONE\GP90 it still connects to the default jdbc:sqlserver://KEYSTONE;instanceName=GP90;databaseName=TWO Dan Decker - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat using MS SQL2000 Named Instance
Karen - Thanks for your help. The double backslash is now working. I had to upgrade the SQL 2000 named instance to SP4. Dan Decker Microsoft Dynamics GP Developer www.Business-Computers.com (303)499-2039 -Original Message- From: Karen Koch [mailto:[EMAIL PROTECTED] Sent: Thursday, October 12, 2006 11:58 AM To: 'Tomcat Users List' Cc: [EMAIL PROTECTED] Subject: RE: Tomcat using MS SQL2000 Named Instance Odd -- works for me using the double backslash just fine... You do seem to missing "microsoft:" in the beginning of the connection string, not sure if that's a typo or not. Mine began "jdbc:microsoft:sqlserver:" etc. Did not have to mess with the port numbers (this was one of the things that I tried along the way). -Original Message- From: Dan Decker [mailto:[EMAIL PROTECTED] Sent: Thursday, October 12, 2006 11:50 AM To: 'Karen Koch'; 'Tomcat Users List' Subject: RE: Tomcat using MS SQL2000 Named Instance It does not work when I use \\GP90. I tried the following and it works on the default instance. jdbc:sqlserver://KEYSTONE:1433;databaseName=TWO To determine if it is using the port #, I changed the port to 1430 and it no longer worked for the default instance. This tells me it is looking at the port #. Does the 2nd SQL2000 instance use a different port#? If so could I change the port # to the one the 2nd instance uses and would it work? How do you determine what port the 2nd instance is using? Thanks Dan Decker Microsoft Dynamics GP Developer www.Business-Computers.com (303)499-2039 -Original Message- From: Karen Koch [mailto:[EMAIL PROTECTED] Sent: Thursday, October 12, 2006 8:29 AM To: 'Tomcat Users List' Cc: [EMAIL PROTECTED] Subject: RE: Tomcat using MS SQL2000 Named Instance Try this: jdbc:microsoft:sqlserver://KEYSTONE\\GP90:1433;SelectMethod=cursor;Datab aseN ame=TWO Note the double backslash before the instance name. Struggled with this briefly myself recently -- the answer was in the PDF help file for the JDBC driver. Karen Koch -Original Message- From: Dan Decker [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 11, 2006 6:28 PM To: users@tomcat.apache.org Subject: Tomcat using MS SQL2000 Named Instance I am trying to get Tomcat to connect to a MS SQL2000 Named instance rather than the default instance. Using the following it connects to the database TWO on the default server KEYSTONE with no problems. jdbc:sqlserver://KEYSTONE;databaseName=TWO When I try to access the MS SQL2000 named instance KEYSTONE\GP90 it still connects to the default jdbc:sqlserver://KEYSTONE;instanceName=GP90;databaseName=TWO Dan Decker - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
mod_jk and url encoding
Okay, i'm using tomcat 5.5 and mod_jk with apache 2. It looks like I've got jk set up okay for the most part. I'm able to use the site as I did before switching to mod_jk except for one thing. When I try to access the following url I got a 404 from apache and tomcat never gets a chance to touch the url (I have a request dump valve in there dumping all requests): /sdirect/_sp=Shome&sp=Sadmin%2FHome/admin/Home, $AdminBorder.$Nav.link.html now the problem is the %2F. If I replace that with a / like this it works fine: /sdirect/_sp=Shome&sp=Sadmin/Home/admin/Home,$AdminBorder.$Nav.link.html I even tried adding JkOptions +ForwardUIREscaped to my httpd.conf with no luck. Any ideas on why this is not making it to tomcat when %2F is used?? I am really befuddled with this one. -- Dan Adams Software Engineer Interactive Factory - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_jk and url encoding
got it. needed AllowEncodedSlashes On. On Tue, 2005-11-15 at 14:35 -0500, Dan Adams wrote: > Okay, i'm using tomcat 5.5 and mod_jk with apache 2. It looks like I've > got jk set up okay for the most part. I'm able to use the site as I did > before switching to mod_jk except for one thing. When I try to access > the following url I got a 404 from apache and tomcat never gets a chance > to touch the url (I have a request dump valve in there dumping all > requests): > > /sdirect/_sp=Shome&sp=Sadmin%2FHome/admin/Home, > $AdminBorder.$Nav.link.html > > now the problem is the %2F. If I replace that with a / like this it > works fine: > > /sdirect/_sp=Shome&sp=Sadmin/Home/admin/Home,$AdminBorder.$Nav.link.html > > I even tried adding JkOptions +ForwardUIREscaped to my httpd.conf with > no luck. Any ideas on why this is not making it to tomcat when %2F is > used?? I am really befuddled with this one. > -- Dan Adams Software Engineer Interactive Factory - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
tomcat catalina.out and log4j
need some help with log4j... I have implemented it on our Tomcat 5 server, everything is fine as well. I can see my messages writting to the catalina.out. However I'm running on Solaris 8, so when I go to search the catalina.out with grep. I receive the following. Binary file catalina.out matches This only started after the log4j implementation. So, I can provided my properties file if need be, and whatever else. I've also looked at the API and don't see that it's doign a binary write or that it changes the file descriptor of catalina.out. I could be missing it, but anyway, any help is appreciated. _ Express yourself instantly with MSN Messenger! Download today - it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat Connection Pool config
Has anyone else tried to use the connection pool in Tomcat with the below parameters.. removeAbandonedTRUE removeAbandonedTimeout10 logAbandonedTRUE I can see that when I first issue a connect I get below, and I can use that datasource. But according to the commons-dbcp api, for a fail safe I can set removeAbandoned and removeAbandonedTimeout to clean up any abandoned connections.. But this does not seem to work and is causing me problems. I can throw a page together that gets 4 connections, then do nothing with them and they are never removed. I then tried getting the 4 connections and then setting them immediately to null and closing the browser, thinking there was some sort of reference here. But still they will not get removed. Any one else ever seen this? AbandonedObjectPool is used ([EMAIL PROTECTED]) LogAbandoned: true RemoveAbandoned: true RemoveAbandonedTimeout: 10 _ FREE pop-up blocking with the new MSN Toolbar get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
duplicate deploy with virtual hosts
Okay, I have a working configuration with 2 virtual hosts but I would like to have tomcat extract the wars automatically without auto-deploying them to their own webapps because this causes my applications to get launched twice each. I tried setting unpackWARs="true" and deployOnStartup="false" but then my apps don't get extracted. Any help would really be appreciated. -- Dan Adams Software Engineer Interactive Factory - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat Shutdown Unexpectedly
Hello Vasily, Thanks for the information, but in all honesty I don't think that this is the solution. The links you provided point to several errors that occur, which aren't present on our machines. On our machines the tomcat logs are completely devoid of any reason for the crash, and the Windows Event Manager simply states that the process "Shutdown Unexpectedly". Is there someplace where we can look to research this problem further? My lack of knowledge about Tomcat is probably starting to show. One more piece of information, Tomcat is running in standalone mode ... meaning, without the aide of Apache Server. May this be the problem? Thanks again Dan -Original Message- From: Vasily Ivanov [mailto:[EMAIL PROTECTED] Sent: Thursday, May 11, 2006 9:20 AM To: Tomcat Users List Subject: Re: Tomcat Shutdown Unexpectedly Hi, We've recently had something very similar with Tomcat and Apache Web Server. Have a look here (read all in threads): http://www.mail-archive.com/users@tomcat.apache.org/msg09335.html http://marc.theaimsgroup.com/?l=tomcat-user&m=106193808515738&w=2 We changed configuration of Tomcat and Apache Web Server to be in sync. Few days passed after fix's been placed, but it looks ok now. Hope it'll help you. Cheers, Vasily On 5/11/06, zhann <[EMAIL PROTECTED]> wrote: > Hello. > > > We are having a strange Tomcat issue on one of our client's machines. > The problem is that it shuts down randomly. There is nothing in the > Tomcat Log to indicate why this is occuring, and the Windows Event > Manager simply states that the process "shut down unexpectedly". We > have tried recreating this problem in-house, but have absolutely no > luck. > > > > We are running tomcat 5.x and Java 1.4.x. The machine that this is > installed on is Windows 2003 with all the latest updates. One other > thing to note, this installation of tomcat is using Load ballancing. > > > > If anyone can point me in a direction of where to look, it would be > very helpful. I have scoured the internet and the newsgroups but can't > find a similar problem anywhere. > > > > Thanks in advance > Dan > > > > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat Shutdown Unexpectedly
Hello ... No, I have not. I honestly don't even know where to look. Since I don't want it to get worse, we are simply restarting tomcat immediately after it goes down. Dan -Original Message- From: Sean2006 [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 16, 2006 10:00 PM To: users@tomcat.apache.org Subject: RE: Tomcat Shutdown Unexpectedly Dan, Have you found a solution to this problem? Thanks, Sep. -- View this message in context: http://www.nabble.com/Tomcat-Shutdown-Unexpectedly-t1598450.html#a4416594 Sent from the Tomcat - User forum at Nabble.com. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Problem with Tomcat Unexpectedly Shutting Down
Hello Everyone, This is a repost of a prior error which was never solved. We are having a strange Tomcat issue on one of our client's machines. The problem is that it shuts down randomly. There is nothing in the Tomcat Log to indicate why this is occurring, and the Windows Event Manager simply states that the process "shut down unexpectedly". We have tried recreating this problem in-house, but have absolutely no luck. We are running tomcat 5.0.27 and Java 1.4.2_06. The machine that this is installed on is Windows 2003 with all the latest updates. Tomcat is running in standalone mode, meaning without Apache. One other thing to note, this installation of tomcat is using Load balancing. If anyone can point me in a direction of where to look, it would be very helpful. I have scoured the internet and newsgroups but can't find a similar problem anywhere. Recently, another installation of ours shut down with the exact same problem. We have avoided reinstalling everything because we weren't convinced that this would solve anything. During our research we came up with a great number of leads, but none of them seemed to work. Please, if you have any information as to how to solve this problem, or even where to look for more information it would be most helpful. We are primarily developers with very little knowledge of Tomcat as a whole, so we are struggling to find a solution. Thanks in advance Dan - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with Tomcat Unexpectedly Shutting Down
Hello Martin, The fact is our application is the only one running under tomcat. However, again, it runs fine absolutely everywhere else. As for the load balancer, the problem is that the client specifically paid for this feature and by shutting it off we will have to admit failure and refund the money. So, this is kind of an option that the administration will not agree with, as you can probably imagine. To be honest, I too think that this is a problem with the load balancer, but I have no way to prove it. Is there something we need to do for the load balancer to work properly? More importantly, is there a way to determine if in fact the load balancer is causing the problem? My lack of knowledge of Tomcat is one thing, but I have absolutely no knowledge of how a load balancer works at all. The most interesting bit, the load balancer is active, but only on one machine ... meaning, it isn't actually balancing anything. However, the second installation that also went down does not have load balancing running on it. This doesn't help my argument with the administration that this is truly a load balancing issue. Please keep in mind that we have dozens of other installations running without any problems. Thanks for the response, it is greatly appreciated. Dan -Original Message- From: Martin Gainty [mailto:[EMAIL PROTECTED] Sent: Sunday, May 21, 2006 3:09 PM To: Tomcat Users List Subject: Re: Problem with Tomcat Unexpectedly Shutting Down If you Start each webapp independently and note behaviour of the Tomcat engine can you determine which webapp is causing this malady? Specifically if you unload your balancer / restart Tomcat /does Tomcat Engine shutdown unexpectedly? Thanks, Martin -- This email message and any files transmitted with it contain confidential information intended only for the person(s) to whom this email message is addressed. If you have received this email message in error, please notify the sender immediately by telephone or email and destroy the original message without making a copy. Thank you. - Original Message - From: "Dan Golob" <[EMAIL PROTECTED]> To: "'Tomcat Users List'" Sent: Sunday, May 21, 2006 7:03 AM Subject: Problem with Tomcat Unexpectedly Shutting Down > Hello Everyone, > > This is a repost of a prior error which was never solved. > > We are having a strange Tomcat issue on one of our client's machines. The > problem is that it shuts down randomly. There is nothing in the Tomcat > Log > to indicate why this is occurring, and the Windows Event Manager simply > states that the process "shut down unexpectedly". We have tried > recreating > this problem in-house, but have absolutely no luck. > > We are running tomcat 5.0.27 and Java 1.4.2_06. The machine that this is > installed on is Windows 2003 with all the latest updates. Tomcat is > running > in standalone mode, meaning without Apache. One other thing to note, this > installation of tomcat is using Load balancing. > > If anyone can point me in a direction of where to look, it would be very > helpful. I have scoured the internet and newsgroups but can't find a > similar problem anywhere. > > Recently, another installation of ours shut down with the exact same > problem. We have avoided reinstalling everything because we weren't > convinced that this would solve anything. During our research we came up > with a great number of leads, but none of them seemed to work. Please, if > you have any information as to how to solve this problem, or even where to > look for more information it would be most helpful. We are primarily > developers with very little knowledge of Tomcat as a whole, so we are > struggling to find a solution. > > Thanks in advance > Dan > > > > > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
JNDI datasource failing
I hope someone can help me with this problem. I have a webapp that used
an JNDI datasource that runs fine on my local test environment. When I
put it on my server it fails with the following error:
javax.servlet.jsp.JspException: Unable to get connection, DataSource invalid:
"org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create JDBC driver of class
'' for connect URL 'null'"
JDBC drivers for postgreSQL are in /common/lib.
I wrote a java app that uses straight JDBC with the same connection URL and
other parameters and it worked just fine.
My local test environment is tomcat 5.5 running through eclipse with the web
tools plugins.
In production I'm using tomcat 5.5 also, exporting my project as a WAR file.
I'm at a loss as to what could be wrong. Can anyone help me?
Dan
Here are my configuration files:
server.xml
--
META-INF/context.xml
WEB-INF/web.xml
---
http://java.sun.com/xml/ns/j2ee";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";>
Website
index.jsp
Database Connection
jdbc/DB
javax.sql.DataSource
Container
index.jsp
---
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/sql"; prefix="sql" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core"; prefix="c" %>
<%-- here we test to see if an email address has been submitted or not --%>
select
address from email_store where address='${param.email}'
${emailCheck.rowCount}
insert into email_store
(address) values ('${param.email}')
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: JNDI datasource failing
I have tried to put the resource in the server.xml file, and found that
the same problem occurred.
Also the exact same configuration works flawlessly in my test
environment, so I don't know. I'd rather keep the details in my webapp's
context if possible.
Dan
Martin Grogan wrote:
Hi Dan,
I had the exact problem with my hosting company. The problem was the
resource was not being read from our context.xml file on Tomcat
startup. The guys at the hosting company had to put the entry for the
resource inside our context in the Tomcat common config.
Maybe you are experiencing something like this?
Martin
Dan Simmonds wrote:
I hope someone can help me with this problem. I have a webapp that
used an JNDI datasource that runs fine on my local test environment.
When I put it on my server it fails with the following error:
javax.servlet.jsp.JspException: Unable to get connection, DataSource
invalid: "org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot
create JDBC driver of class '' for connect URL 'null'"
JDBC drivers for postgreSQL are in /common/lib.
I wrote a java app that uses straight JDBC with the same connection
URL and other parameters and it worked just fine.
My local test environment is tomcat 5.5 running through eclipse with
the web tools plugins.
In production I'm using tomcat 5.5 also, exporting my project as a
WAR file.
I'm at a loss as to what could be wrong. Can anyone help me?
Dan
Here are my configuration files:
server.xml
--
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
/>
className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
enableLookups="false" redirectPort="8443"
protocol="AJP/1.3" />
directory="logs" prefix="localhost_access_log."
suffix=".txt"
pattern="common" resolveHosts="false"/>
reloadable="true"/>
directory="logs" prefix="trinket_access_log."
suffix=".txt"
pattern="common" resolveHosts="false"/>
META-INF/context.xml
WEB-INF/web.xml
---
http://java.sun.com/xml/ns/j2ee";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";>
Website
index.jsp
Database Connection
jdbc/DB
javax.sql.DataSource
Container
index.jsp
---
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/sql"; prefix="sql" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core"; prefix="c" %>
<%-- here we test to see if an email address has been submitted or
not --%>
select
address from email_store where address='${param.email}'
${emailCheck.rowCount}
insert into
email_store (address) values ('${param.email}')
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Allocate exception : NoClassDefFoundError
Hi everyone. I am running tomcat 5.5 I have a webapp which has been running fine for weeks. I uploaded some changes to some of the classes that are in the WEB-INF/classes directory and suddenly whenever I try to call my servlet I get the following error: 21:31:38,328 ERROR [User]:145 - Allocate exception for servlet User java.lang.NoClassDefFoundError: javax/servlet/Servlet at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(Unknown Source) at java.security.SecureClassLoader.defineClass(Unknown Source) at java.net.URLClassLoader.defineClass(Unknown Source) at java.net.URLClassLoader.access$100(Unknown Source) at java.net.URLClassLoader$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1267) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1198) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1034) at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:757) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:130) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) at org.apache.catalina.valves.FastCommonAccessLogValve.invoke(FastCommonAccessLogValve.java:495) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199) at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282) at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:754) at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:684) at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:876) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) at java.lang.Thread.run(Unknown Source) JSPs still run fine. But this servlet wont run. It is the only servlet on the webapp, and was working fine 10 minutes ago. The only action I performed was to copy over the class files and restart tomcat. Does anyone have any clues as to what might have caused this? Regards, Dan - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [SPAM:] - RE: Restricting access to localhost for an HTTP connector - Email has different SMTP TO: and MIME TO: fields in the email addresses
How do I get this tomcat email to stop? I have sent messages to unsubscribe to no avail. -Original Message- From: Leo Donahue - PLANDEVX [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 2:13 PM To: Tomcat Users List Subject: RE: [SPAM:] - RE: Restricting access to localhost for an HTTP connector - Email has different SMTP TO: and MIME TO: fields in the email addresses In your server.xml you will add an address element and specify it as: 127.0.0.1 Leo From: Mark Claassen [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 10:51 AM To: 'Tomcat Users List' Subject: [SPAM:] - RE: Restricting access to localhost for an HTTP connector - Email has different SMTP TO: and MIME TO: fields in the email addresses Thanks. I thought I heard that it was possible though the address, but was not sure. I read this in the docs, but I guess I didn't / don't understand the short explanation of "address". From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 1:24 PM To: Tomcat Users List Subject: Re: Restricting access to localhost for an HTTP connector yes, you can bind the connector the 127.0.0.1, meaning it will only listen on that address use the "address" attribute in the connector http://tomcat.apache.org/tomcat-5.5-doc/config/http.html Mark Claassen wrote: Is there to configure an HTTP Connector to only allow connections from localhost? We have a server that has an HTTPS port that handles all public access. However, we would like to leave a non SSL port open for a monitoring program we have running on the same machine. We would like to not allow anyone else to be able to access the non-SSL port. I know that the apache webserver has mechanism to do this, but I was wondering if a standalone tomcat could also do what we need. Thanks, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Filip Hanik - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[OT] Looking for engineers in boston
Hey guys. Sorry for the spam. My company is looking for good engineers in boston. You can find the job posting details here: http://www.ifactory.com/about/jobs.php To be honest that job description is only half the picture. We also do a lot of: - Testing using TDD - Tapestry - Hibernate - Agile/iterative development including peer programming and code reviews It's a great, small company that really great to work at (we have a game room and a dedicated beer fridge). So send your resumes over to either me or [EMAIL PROTECTED] -- Dan Adams Senior Software Engineer Interactive Factory 617.235.5857 - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Jmx-console for Tomcat
On 23.10.2006, at 10:07, Mikolaj Rydzewski wrote: Hi, I hope you will not find it a spam ;-) I wrote small application to work with Mbeans, and day after day it evolved in something bigger. I'd like to present you a web enabled jmx console. If you know what mbeans and jmx are you can give it a try. This is alpha version, I'll appreciate your opinions. http://www.ceti.pl/~miki/komputery/jmx/ Interesting. How does your webapp compare to MX4J's http adapter (mx4j.sf.net)? Best regards Dan - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Jmx-console for Tomcat
On 23.10.2006, at 23:09, Mikolaj Rydzewski wrote: Dan Baumann wrote: Interesting. How does your webapp compare to MX4J's http adapter (mx4j.sf.net)? I didn't try hard, but I was unable to run mx4j and its http adapter. So it's hard to compare with it. http://mx4j.sourceforge.net/docs/ch05.html It seems that this adapter runs its own, very simple, http server. One has to write a code to start it. Am I right? That's correct, and it's the one thing I don't like about MX4J, since it requires an additional port to be opened in the firewall. The rest is pretty slick though: MX4J defines a set of commands that can be invoked via http, and results are served as XML. The HTML frontend is actually just a XSLT stylesheet that post-processes the XML result, and you can register custom XSLT stylesheets easily. Insofar, MX4J's http adapter is not only a HTML frontend, but can also be used for integration very well (where other apps consume the XML, e.g. for monitoring). So comparing to above, my app is much easier to run. Just deploy war file. It is 'just' a presentation (struts/jsp) layer over plain javax.management API. But sure, I could consider using mx4j to enhance it. Granted, deploying a war file is dead simple. Personally, I'm using a simple spring-based webapp just to start up the MX4J http adapter (on a different port). My preferred solution would be MX4J behind a servlet, so I could get rid of using the extra port. I've looked at the MX4J sources shortly, but it seems quite a bit of work. Another option would be a proxy servlet which talks to MX4J's web server internally, but could be accessed through the standard Tomcat port. Cheers, Dan - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Monitor Tomcat
On 30.10.2006, at 11:21, Thomas Nowotny wrote: I use a lot of tomcat in differnt systems with different jobs. Now I like to monitor them. I'm realy intressted in values like hit per s/ m/h or something like that. I can not parse the logfiles and I don't want to use jmeter so I need another way of monitoring / graphing it. One of the best ways would be to get the data via snmp but also any other output (script, xml whatever) would be great. Has anyone an idea? If you want to access the data provided by Tomcat via JMX, have a look at these links (going from simplest to most advanced): Tomcat JMX Proxy Servlet http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html#What%20is% 20JMX%20Proxy%20Servlet Jmx-console webapp for Tomcat http://marc.theaimsgroup.com/?l=tomcat-user&m=116162965621141&w=2 Tomcat Probe http://www.lambdaprobe.org/ MX4J HttpAdaptor http://mx4j.sf.net/ JManage http://www.jmanage.org/ Hyperic http://www.hyperic.com/ The first 3 projects are Tomcat-specific, the latter 3 are generic JMX clients. Cheers, Dan - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
mod_jk affinity for a lamed tomcat instance
I have a load-balanced cluster of application servers configured via mod_jk. If one of the application servers has a "soft" JVM error (for instance OOME: PermGen), mod_jk seems to develop an unfortunate affinity for this lamed instance (probably because this server is no longer processing requests and looks fairly idle). How can I alert the AJP connector on the tomcat side that this app server is dead so that mod_jk no longer routes requests to it? Thanks in advance, Dan -- Dan Ackerson conject AG, Auenstraße 100, 80469 München Fon:+49 (89)95414.120 Fax:+49 (89)95414.555 mobil: +49 (172) 81 39 549 [EMAIL PROTECTED] www.conject.com konsequent conject.
reply_timeout
Is reply_timeout designed to be set... 1. only for the loadbalancing worker. 2. for every worker except the loadbalancer. 3. for every worker including the loadbalancer. Thanks, Dan Carwin - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_jk affinity for a lamed tomcat instance
Sorry if I wasn't clear - I wanted to know if their was a way I could
programmatically alert mod_jk from Tomcat that this worker should be
disabled. This way, the worker could automatically signal to mod_jk that it
was "lamed" and I wouldn't have to run over to the jk-status page to
manually disable it.
For example : MyOutOfMemoryListener.class { setAJPErrorState(true); }
--
View this message in context:
http://www.nabble.com/mod_jk-affinity-for-a-lamed-tomcat-instance-tf2581047.html#a7221335
Sent from the Tomcat - User mailing list archive at Nabble.com.
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_jk affinity for a lamed tomcat instance
> What's possible though is making an http request to the status worker to > disable or stop a worker. Unfortunately this change is not persistant > concerning apache restarts. This is an excellent solution - especially as the application servers are restarted more often than Apache! :) Thanks everyone for your input - I will let you know the results. -- View this message in context: http://www.nabble.com/mod_jk-affinity-for-a-lamed-tomcat-instance-tf2581047.html#a7228699 Sent from the Tomcat - User mailing list archive at Nabble.com. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session replication/tomcat 5.5
On 14.11.2006, at 22:44, Tim Lucia wrote: Let me now ask my own question about this -- Lambda Probe is a great tool for inspecting your app's current state (and Tomcat's overall state.) Is it possible to get, using /probe or any other app (including tomcat's own manager) the current state of the connection pools in a machine- readable form (XML, one per line, CSV, etc.)? One that could easily be parsed with perl for consumption by MRTG? Lambda Probe's generated HTML isn't too easily parsed, at least for my novice perl skills. You might want to have a look at Tomcat's JMX Proxy Servlet (part of the manager webapp, IIRC): http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html#What%20is% 20JMX%20Proxy%20Servlet The JMX Proxy Servlet is a lightweight proxy to get and set the tomcat internals. (Or any class that has been exposed via an MBean) Its usage is not very user friendly but the UI is extremely help for integrating command line scripts for monitoring and changing the internals of tomcat. If that's not enough, MX4J's HTTP adaptor serves XML, and lets you register custom XSLT stylesheets to transform the output. The default stylesheet transforms the XML to HTML. Regards, Dan -Original Message- From: Tim Lucia [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 14, 2006 4:29 PM To: 'Tomcat Users List' Subject: RE: session replication/tomcat 5.5 I forgot to mention that we peak at about 6000 sessions on the average day. The all-time max for 2006 is 6810 sessions. For monitoring, we do several things. 1) We use lambda probe 2) We use MRTG and some scripts to graph things that the manager will readily disclose, like requests, threads, sessions, etc. 3) We use MRTG and some built-in application statistics for application-specific statistics At some point, I will probably use lamdaprobe to populate MRTG graphs of the connection pools. Right now we don't really monitor them per se When you say "sessions per instance" keep in mind that sessions are shared across the cluster (or domain if so partitioned), otherwise it wouldn't be fault-tolerant. There is no pro-active alert if something is bad, other then the customers call the support line ;-) But we do have a large monitor in the engineering department visible to most of us with the vital MRTG graphs on display. Tim -Original Message- From: David O'Dell [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 14, 2006 3:03 PM To: Tomcat Users List Subject: Re: session replication/tomcat 5.5 Good to hear that someone is using this. I want to try this out in my environment with 8 instances of tomcat each with around 2,500 sessions per instance. Does this sound feasible? Also how do you monitor the cluster status? Tim Lucia wrote: As a case study, I have, in production, 4 Dell 2850 servers (running Red Hat Enterprise V4.) Apache httpd on one, using JK for load balancing. The other three are running Tomcat in a 3-way multicast cluster, multicasting with replication on a private VLAN (192.168.x) The application accesses several DB servers running Oracle and MySQL, depending on the DB requested. Over time, this handles 2 requests per second average, with peaks at about 5-6 requests per second (Per Tomcat, so times 3). This does not begin to tax the Tomcat servers for memory or CPU. The bulk of the time is database latency. Our usage profile is extremely regular and predictable -- we service school districts and they mainly use it from 8 to 3 (local time.) This configuration has been very reliable and far-surpasses the system it replaced - based on IIS and JRun. HTH, Tim -Original Message- From: David O'Dell [mailto:[EMAIL PROTECTED] Sent: Monday, November 13, 2006 2:27 PM To: Tomcat Users List Subject: session replication/tomcat 5.5 Is anyone using session replication in production? Is there an alternative to using multicasting? In the doc http://tomcat.apache.org/tomcat-5.5-doc/cluster-howto.html It states "This is an algorithm that is only efficient when the clusters are small." I have 6 tomcat instances behind a load balancer, is this still considered small? - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] ---
Re: Restart TC with cron/sh
On Mon, Jul 7, 2008 at 8:43 AM, Piller Sébastien <[EMAIL PROTECTED]> wrote: > Hello, > > I have my application in production for a month now. I've some problem of > memory leak that force me to restart TC each few days. Or, you know, you could fix the actual problem - the memory leak. Go get yourself a profiler, and fix the problem :) This one is pretty good, and has a free demo: http://www.ej-technologies.com/products/jprofiler/overview.html - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Coyote connector and documentation..
Hi, I'm a bit confused about the documentation on the http connector. The tomcat documentation talks about parameters such as maxProcessors rather than maxThreads which seems to be the term used everywhere else. Are these the same or not? Also; The documentation on the http connector is linked in with the tomcat 4.1 docs. Is it the same as with Tomcat 5.5? Thanks! Dan
Tricks for enabling manager & host-manager via IIS
Are there tricks to getting IIS 6 to properly pass the auth check for manager and host_manager to the browser? - We have enabled the manager and host-manager apps, and they work through the http connector. - We have other apps working via isapi redirector. The difference between the working apps and the manager/host-manager is the auth mechanism, that is the use of the tomcat-user.xml file. Only manager and host-manager use this. It seems like IIS is blocking the auth check, and so Tomcat returns a 403 when we try to talk to the manager app. ___ HTTP Status 403 - Access to the requested resource has been denied type Status report message Access to the requested resource has been denied description Access to the specified resource (Access to the requested resource has been denied) has been forbidden. Apache Tomcat/5.5.17 ___ As a workaround we also tried doing the auth through IIS and setting tomcatAuthentication="false" in the connector, but this did not work. Tomcat 5.5.17 JVM 1.5.0_11 Isapi redirect 1.2.18 IIS 6.0 Thanks, Dan Carwin - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tricks for enabling manager & host-manager via IIS
Resending... Are there tricks/gotchas to getting IIS 6 to properly pass the auth check for manager and host_manager to the browser? - We have enabled the manager and host-manager apps, and they work through the http connector. - We have other apps working via isapi redirector. The difference between the working apps and the manager/host-manager is the auth mechanism, that is the use of the tomcat-user.xml file. Only manager and host-manager use this. It seems like IIS is blocking the auth check, and so Tomcat returns a 403 when we try to talk to the manager app. ___ HTTP Status 403 - Access to the requested resource has been denied type Status report message Access to the requested resource has been denied description Access to the specified resource (Access to the requested resource has been denied) has been forbidden. Apache Tomcat/5.5.17 ___ As a workaround we also tried doing the auth through IIS and setting tomcatAuthentication="false" in the connector, but this did not work. Tomcat 5.5.17 JVM 1.5.0_11 Isapi redirect 1.2.18 IIS 6.0 Thanks, Dan Carwin - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Diagnosing Tomcat memory usage
Actually, you have no idea how much your code actually increased it. You just think it increased 50%, because that is what the OS sees. If you were using 190 MB of memory before, the JVM may have left your system usage at 200 MB. Then, when your app bumps the memory up to 201 MB, the JVM needs to get more memory from the system. So it typically doubles what it currently has allocated. Thats why you jumped from 200 to 400. So, while your usage may have only gone up by a few MB, due to a higher concurrent load, whatever, it looks like it doubled, because that is how the JVM behaves. And the JVM will never release that memory back to the system - it will stay at 400 MB until the next time you restart it. If you have a leak, and a few weeks from now, you use up all of the 400 MB, the next jump will probably be 800 MB. If you want to find out how much memory you are actually using, you need to look inside the VM, with a tool like "jstat" (part of java). On 10/10/07, Andrew Hole <[EMAIL PROTECTED]> wrote: > I've an java application running under tomcat and in the last week > memory usage increase 50%, from 200M to 400M. I want to know exactly > why this happens. Some suggestion? > > Thanks a lot > > - > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Custom Log Formatter
Hello, it is my understanding that if I specify the fully qualified name of a class that implements java.util.logging.Formatter like so in conf/logging.properties: 2localhost.org.apache.juli.FileHandler.formatter = CustomFormat Then juli should use that class to format log messages that go into my localhost log. I've built CustomFormat into a jar, and placed it in Tomcat 6.0/lib. When I do this, nothing is logged into my localhost log, but the file is created. What am I doing wrong? This is Tomcat 6.0 on Windows XP, java 1.6.
Service on Windows Server 2003
I have a difficult but severe problem with the tomcat service launcher on windows server 2003. Our application installs itself, tomcat, and a jvm, and then runs a bat file which registers the tomcat server, using our provided jvm. I _know_ this code works fine almost everywhere - it has been in use for years, on dozens of systems. However, we have a new customer, a 1/2 a world away, who has installed our application on a Windows Server 2003 box with 4 GB of ram that is using a Spanish Locale. The server is brand new - so its an almost perfectly clean install on windows. After we register the tomcat service - the service refuses to start tomcat. There are no useful error messages - just something along the lines of the service failed to start. I'm not sure exactly, because it's in Spanish. It looks rather similar to this bug: http://issues.apache.org/bugzilla/show_bug.cgi?id=41538 which if you ask me, has been closed completely prematurely by someone who didn't understand the real problem. When I run the tomcat5w.exe command - all of the parameters are set correctly. I cannot find any reason why this service refuses to start on this particular configuration, yet - it won't run. And it also happens on another one of their machines (which is identical). I also cannot reproduce the problem locally on my test systems - so I still haven't been able to pinpoint what is different about their configuration that is triggering this. Suggestions? I have very limited ability to do debugging on the system that is showing the problem. Thanks, Dan - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Service on Windows Server 2003
I am using this version of java: C:\NetProvision\jre\bin>java -version java version "1.5.0_07" Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-b03) Java HotSpot(TM) Client VM (build 1.5.0_07-b03, mixed mode) The jvm.dll version that I am using reports File version: 5.0.70.3 Full version: 1.5.0_07-b03 Description: Java HotSpot(TM) Server VM The way I register the service is with the following script: setlocal set TOMCAT_HOME=%1\tomcat set CATALINA_HOME=%TOMCAT_HOME% set CATALINA_BASE=%CATALINA_HOME% set JAVA_HOME=%1\jre set SERVICE_NAME=Tomcat5 set PR_DISPLAYNAME=Apache Tomcat set PR_DESCRIPTION=Apache Tomcat Server set PR_LOGPATH=%CATALINA_HOME%\logs set PR_CLASSPATH=%CATALINA_HOME%\bin\bootstrap.jar set PR_JVM=%JAVA_HOME%\bin\server\jvm.dll set PR_STDOUTPUT=auto set PR_STDERROR=auto cd %TOMCAT_HOME%\bin %TOMCAT_HOME%\bin\tomcat5.exe //IS//Tomcat5 --StartClass org.apache.catalina.startup.Bootstrap --StopClass org.apache.catalina.startup.Bootstrap --StartParams start --StopParams stop --Startup=auto --StartMode jvm --StopMode jvm --JvmOptions "-Dcatalina.base=%CATALINA_BASE%;-Dcatalina.home=%CATALINA_HOME%;-Djava.rmi.server.hostname=%COMPUTERNAME%;-Djava.endorsed.dirs=%CATALINA_HOME%\common\endorsed;-Djava.io.tmpdir=%CATALINA_BASE%\temp;-Djava.net.preferIPv4Stack=true" --JvmSs 250 --JvmMs 512 --JvmMx 512 The version of Tomcat is (I know, its old, can't help it right now): C:\NetProvision\tomcat\bin>version.bat Using CATALINA_BASE: C:\NetProvision\tomcat Using CATALINA_HOME: C:\NetProvision\tomcat Using CATALINA_TMPDIR: C:\NetProvision\tomcat\temp Using JAVA_HOME: C:\NetProvision\jre\ Server version: Apache Tomcat/5.5.9 Server built: Mar 26 2005 02:21:04 Server number: 5.5.9.0 OS Name:Windows 2003 OS Version: 5.2 Architecture: x86 JVM Version:1.5.0_07-b03 JVM Vendor: Sun Microsystems Inc. I still can't recreate the problem locally - I'm hoping to get access to the problematic system again later today, and I'll try to capture some more detailed error logs. I don't think that LD_LIBRARY_PATH is set - but I'll verify that on the problem machine. Likewise, none of my test machines have this key: HKLM\System\CurrentControlSet\Control\SessionManager\SafeDllSearchMode - but I'll check that on the problem machine as well when I get a chance. Thanks for any advice... Dan - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Service on Windows Server 2003
jvm.cfg contains the following: -client KNOWN -server KNOWN -hotspot ALIASED_TO -client -classic WARN -native ERROR -green ERROR I don't think that there is a JAVA_OPTS variable set, but I will verify that on the problem machine. Thanks, Dan On 10/26/00, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Dan- > > do you have any alternative JVMs that are supported such as this entry in > environment var JAVA_OPTS > -XXaltjvm= > > Also -- > which types are supported in %JRE_HOME%/lib/i386/jvm.cfg (and more > importantly which order) > server= > client= > > Thanks > M-- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Service on Windows Server 2003
Finally - I understand most of what is wrong! I finally got access to the system again, and after pulling off the debug log from the service launcher, things became clear. It turns out that on this system, the command that was actually being run to register the service was: %TOMCAT_HOME%\bin\tomcat5.exe //IS//Tomcat5 --StartClass org.apache.catalina.startup.Bootstrap --StopClass org.apache.catalina.startup.Bootstrap --StartParams start --StopParams stop --Startup=auto --StartMode jvm --StopMode jvm --JvmOptions "-Dcatalina.base=%CATALINA_BASE%;-Dcatalina.home=%CATALINA_HOME%;-Djava.rmi.server.hostname=%COMPUTERNAME%;-Djava.endorsed.dirs=%CATALINA_HOME%\common\endorsed;-Djava.io.tmpdir=%CATALINA_BASE%\temp; -XX:+UseConcMarkSweepGC; -XX:+UseParNewGC;-Djava.net.preferIPv4Stack=true" --JvmSs 250 --JvmMs 512 --JvmMx 512 Most notably, there was a space in front of the two -XX parameters here: -Djava.io.tmpdir=%CATALINA_BASE%\temp; -XX:+UseConcMarkSweepGC; -XX:+UseParNewGC; Those spaces were causing the tomcat launch to fail - but this is the really strange part I still don't quite understand - it only fails Windows Server 2003. On Windows XP, the register service command appears to strip out those extra spaces - they aren't there when I look at the result with tomcat5w.exe. But, on Windows Server 2003, those spaces get put in verbatim. Why would this work on XP, and fail on server 2003? Thanks, Dan - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
apxs problem
I am putting together RPMs for apache and tomcat and I want to include the mod_jk connector with the apache RPM but I get an error that apxs cannot be found even though I give the full path to apxs. The commands that I do are (in apache) ./configure --enable-ssl=shared --enable-so --with-ldap --enable-ldap --enable-auth-ldap make make DESTDIR=/var/tmp/httpd-2.0.55-1-root install (in jakarta-tomcat-connectors-1.2.15-src/jk/native) ./configure --with-apxs=/var/tmp/httpd-2.0.55-1-root/usr/local/apache2/bin/apxs The configure fails with: checking for perl... /usr/bin/perl could not find /var/tmp/httpd-2.0.55-1-root/usr/local/apache2/bin/apxs configure: error: You must specify a valid --with-apxs path Note that since I'm building for purposes of packaging, I'm not installing apache in its intended location but in a temporary location. This is obviously the problem since if I do actually install apache, the connector configure script works fine. Thing is, I don't want to have install apache just to build the connector. Is there any way to do this? Thanks, Dan. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: apxs problem
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Dan, Dan Ciarniello wrote: I am putting together RPMs for apache and tomcat and I want to include the mod_jk connector with the apache RPM :( Don't do that; instead, have a separate RPM that just contains mod_jk and maybe a script to install it on top of an existing Apache httpd RPM install. Forgive my skepticism, but are you building RPMs for a particular distro or will there be yet another set of packaged versions of Tomcat-related software out there that does not work properly. No, I'm not building for a particular distribution. I'm building for a specific configuration based on the way that we run things on my company's servers. I have considered a separate RPM for the connector but it seemed a bit silly for a single file especially when all our servers run both Apache and Tomcat and the connector will be required on all of them. but I get an error that apxs cannot be found even though I give the full path to apxs. Stupid question: is that full path correct? Absolutely. bash command line completion is a wonderful thing :-) Note that since I'm building for purposes of packaging, I'm not installing apache in its intended location but in a temporary location. This is obviously the problem since if I do actually install apache, the connector configure script works fine. Thing is, I don't want to have install apache just to build the connector. Is there any way to do this? Ideally, the connector should be built on the machine that will be running it. Is it acceptable to create an RPM that actually builds the module instead of installing a previously-built binary? It takes only a few seconds to build mod_jk from source. Since mod_jk requires Apache httpd to be installed, installing such an RPM would require that apxs be available in a known location, right? I hadn't considered that. You're right that mod_jk doesn't take long to build so building as part of the installation should not be a problem. Thanks, Dan. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: apxs problem
Rainer Jung wrote: If you put the jk modules into your apache rpm, you couple the lifecycle of those two together. So you need to build and deliver a new rpm whenever at least one of apache httpd and of jk have a new version, you want to deploy. The release cycles of httpd and jk are very different from each other, so you might want to consider unbundling and maybe not even installing jk into the httpd directory, but in a different tree. That will make your updates and rollbacks easier. This isn't really an issue since we are very conservative when it comes to deploying servers - we are, after all, still using Apache 2.0.55 and mod_jk 1.2.15. Having said that, it doesn't look like I will be able to do what I was hoping to do so separate RPMs it is. Thanks for the help, Dan. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
directory listings per webapp
I want to create a webapp that just lists the content of a directory - but I don't want to turn on directory listing globally. I've seen lots of people say it can be done, just do but I've yet to find a working example. Can someone tell me what I'm missing here? I have a file: tomcat/conf/Catalina/localhost/foo.xml The contents are: Now this, all by itself works for creating the webapp, and it will get a directory listing if I enable global directory listing in the web.xml file, but I don't want that. So, I created: tomcat/server/webapps/billing/WEB-INF/web.xml The contents are: http://java.sun.com/dtd/web-app_2_3.dtd";> foo org.apache.catalina.servlets.DefaultServlet debug 0 listings true 1 foo /foo/* But this doesn't work. What do I need to do to make this happen? Thanks, Dan - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
