getSession() thread-safe? User A can see user B's account

[Dave]

Is the following method thread-safe?  
   
  I use my own way for authentication. After authenticated, a user info is put 
into session,  when logout, call session.invalidate();
   
Current symptom is: a user info gets into another user's session. So 
sometimes User A can see User B's info.
   

  The way to get session:  is it thread-safe?
   
public static HttpSession getHttpSession(boolean create) {
FacesContext context = FacesContext.getCurrentInstance();
return (HttpSession)context.getExternalContext().getSession(create);
  }
   
  If a user clicks two buttons at the same time(two requests belong to one same 
session), will it be thread-safe?
   
  Thanks for help.


-
Yahoo! Music Unlimited - Access over 1 million songs.Try it free. 

Re: getSession() thread-safe? User A can see user B's account

[Dave]

Hi Chris,
   
  I am using JSF (apache faces). The way to get Session or HttpServletRequest 
from a backing bean is through FacesContext. Backing beans are not servlet, so 
can not access HttpServletRequest directly.
   
  After synchronizing the method, I still got the same problem. 
   
  It is in production stage and users are starting to use it. I am very 
nerveous.
  Thanks!
   
  Dave
  

Christopher Schultz <[EMAIL PROTECTED]> wrote:
  DAve,

> Current symptom is: a user info gets into another user's session. So
> sometimes User A can see User B's info.
> 
> The way to get session: is it thread-safe?
> 
> public static HttpSession getHttpSession(boolean create) { 
> FacesContext context = FacesContext.getCurrentInstance(); return
> (HttpSession)context.getExternalContext().getSession(create); }

A static getHttpSession method is almost sure to cause problems. Why are
you not using HttpServletRequest.getSession? This method accepts no
information from the caller that identifies the user trying to get their
session. How do you identify users or sessions? Where is the session id?

-chris




-
Yahoo! Music Unlimited - Access over 1 million songs.Try it free. 

Re: getSession() thread-safe? User A can see user B's account

[Dave]

Hi Tim,
   
  It is very strange. I do not understand how a User object in Session A gets 
into Session B. It seems that after a session is expired or invalidated, that 
session is attached to another user's request. 
  Just one guess.
   
  Please share more when you find anything.
   
  Thanks,
  Dave

Timothy Collett <[EMAIL PROTECTED]> wrote:
  On Jul 20, 2006, at 8:36 PM, Dave wrote:

> Is the following method thread-safe?
>
> I use my own way for authentication. After authenticated, a user 
> info is put into session, when logout, call session.invalidate();
>
> Current symptom is: a user info gets into another user's 
> session. So sometimes User A can see User B's info.

Actually, I'm seeing something very similar, and it's a good thing my 
webapp is only in testing, or it would, indeed, be causing problems...

I've got custom User and UserSession classes for tracking users in 
general and logged-in users, respectively. For the moment, the main 
symptoms of the problem are that the username field and the test/live 
data field are getting munged between users somehow. I've tried to 
trace it, and haven't been able to determine the mechanism by which 
it happens. It's also somewhat disturbing that it's just those two 
fields, and none of the rest of them.

I'll try and take another look, recreate my last experiments with the 
problem, and come back with some more detailed information.

Timothy Collett

--

Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.
~haiku~


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
See the all-new, redesigned Yahoo.com.  Check it out.

Tomcat and Blog

[Dave]

I need to add Blog feature into my web application. Is there any blog software 
that can run inside tomcat? can tomcat support php?  Do you have to run Apache 
for blog?
   
  Thanks!


-
How low will we go? Check out Yahoo! Messenger’s low  PC-to-Phone call rates.

Re: Tomcat and Blog

[Dave]

I could not find anything related to blog from the site. Thanks!

Wendy Smoak <[EMAIL PROTECTED]> wrote:  On 7/22/06, Dave wrote:

> I need to add Blog feature into my web application. Is there any blog 
> software that can run inside tomcat? can tomcat support php? Do you have to 
> run Apache for blog?

JSPWiki comes to mind... http://www.jspwiki.org/

-- 
Wendy

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
Do you Yahoo!?
 Next-gen email? Have it all with the  all-new Yahoo! Mail Beta.

Re: Tomcat and Blog

[Dave]

Very helpful. That is what I am looking for.
   
  The installation instruction is for Tomcat. I am using JBoss. 
   
  For tomcat:
  export CATALINA_HOME=/opt/jakarta-tomcat-5.5.9
   
  For JBoss, what should it be?
   
  Hopefully I have a Roller WAR file and drop it into deploy directory. Is 
there an Roller installation instruction for JBoss?
   
  Thanks!

Nicholas Schuetz <[EMAIL PROTECTED]> wrote:
  Try

http://rollerweblogger.org

You'll like it ;)

Dave wrote:
> I could not find anything related to blog from the site. Thanks!
>
> Wendy Smoak wrote: On 7/22/06, Dave wrote:
>
> 
>> I need to add Blog feature into my web application. Is there any blog 
>> software that can run inside tomcat? can tomcat support php? Do you have to 
>> run Apache for blog?
>> 
>
> JSPWiki comes to mind... http://www.jspwiki.org/
>
> 


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
Groups are talking. We´re listening. Check out the handy changes to 
Yahoo! Groups. 

Roller deployment into JBoss, roller not available

[Dave]

http://rollerweblogger.org/wiki/Wiki.jsp?page=InstallationGuideJBoss
   
  I followed the instruction to deploy Roller into JBoss using exploded war 
file. But
   
  http://localhost:8080/roller
   
  The requested resource (/roller/) is not available.
   
  Other applications were available (the JBoss is running).  
   
  Thanks for help.


-
See the all-new, redesigned Yahoo.com.  Check it out.

Re: Tomcat and Blog

[Dave]

I downloaded roller and installed into JBoss. It is running.
  But I tried to change the language of a weblog to Chinese (locale), but the 
weblog still showed up in English.
   
  What is the way to change language of weblogs?
   
  Thanks!

Wendy Smoak <[EMAIL PROTECTED]> wrote:
  On 7/22/06, Dave wrote:

> I could not find anything related to blog from the site. Thanks!

Oops, wrong topic. Okay, try Roller instead:
http://rollerweblogger.org/page/project

Google turns up a few more: http://www.google.com/search?q=java+blog+software

-- 
Wendy

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
How low will we go? Check out Yahoo! Messenger’s low  PC-to-Phone call rates.

chat software

[Dave]

I am using JBoss and JSF.  Can anyone recommend a chat software that enables 
instant conversation between two users? It is better to be open source, support 
audio and file transfer. Thanks!

-
Yahoo! Music Unlimited - Access over 1 million songs.Try it free. 

how to allocate a domain for each user

[Dave]

I saw some website that has a domain for each user, for example
   
  user1.company.com
  user2.company.com
   
  how to implement this? Thanks!


-
Do you Yahoo!?
 Everyone is raving about the  all-new Yahoo! Mail.

Is there a way to change browser URL using response?

[Dave]

During a HTTP request-response cycle, is there a way to change Browser URL 
using response?  Redirect can that. But it cause performance/network traffic 
issue. 
   
  For JSF page navigation(non-redirect case), page has been changed but browser 
still shows the old URL. Sometimes it makes more sense to show the new page URL.
   
  Does HTTP 1.x specify a way to manipulate browser URL using a normal response?
   
  Thanks!


-
Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ 
countries) for 2¢/min or less.

Form login UTF-8 username problem

[Dave]

Web application using JBoss 4.0.3SP1 and servlets. 
I am using FORM authentication. Can username be UTF-8? 
I create an account, its username is in UTF-8 encoding, chinese characters. 
But login was not successful. Can JBoss built-in authentication handle UTF-8 
encoding for username? 

Ascii username works. 

I tried to use a filter to set request encoding to UTF-8, but the filter was 
not called for URL pattern "j_security_check". 

 
filter 
/j_security_check 
 

  
Right now I am using a filter to set request encoding to UTF-8 for all requests 
in order to support chinese characters. It works great except Form login. The 
username is created in UTF-8 and stored in database. 

The related part in login-config.xml 

 

java:/DefaultDS 
 
select password from User where username=? 
 

So I suspect the FORM login need to go through a filter to set its encoding to 
UTF-8. Otherwise, the server side would assume iso-8859-1 encoding, and it 
would not find the username in database table.  Is there a way to tell Web 
Container about the request encoding?
  
Thanks for help. Have a nice day!


-
Yahoo! Mail
Bring photos to life! New PhotoMail  makes sharing a breeze. 

Re: Form login UTF-8 username problem

[Dave]

Hi Martin,
   
  Thanks!  
  I already have the following at the beginning of all the jsp pages.
   
  <%@ page contentType="text/html; charset=UTF-8"%>
   
  

Martin Gainty <[EMAIL PROTECTED]> wrote:
  Dave-

I believe you can effect this encoding if you specify encoding="UTF-8" in the 
xml element e.g.


I am not aware of CJK implementations that use UTF-8 ..you may want to consider 
UTF-16
Scott does this look ok?
HTH,
Martin-
- Original Message - 
From: "Dave" 
To: 
Sent: Thursday, March 02, 2006 12:02 PM
Subject: Form login UTF-8 username problem


> Web application using JBoss 4.0.3SP1 and servlets. 
> I am using FORM authentication. Can username be UTF-8? 
> I create an account, its username is in UTF-8 encoding, chinese characters. 
> But login was not successful. Can JBoss built-in authentication handle UTF-8 
> encoding for username? 
> 
> Ascii username works. 
> 
> I tried to use a filter to set request encoding to UTF-8, but the filter was 
> not called for URL pattern "j_security_check". 
> 
> 
> filter 
> /j_security_check 
> 
> 
> 
> Right now I am using a filter to set request encoding to UTF-8 for all 
> requests in order to support chinese characters. It works great except Form 
> login. The username is created in UTF-8 and stored in database. 
> 
> The related part in login-config.xml 
> 
> > flag="required"> 
> 
> java:/DefaultDS 
> 
> select password from User where username=? 
> 
> 
> So I suspect the FORM login need to go through a filter to set its encoding 
> to UTF-8. Otherwise, the server side would assume iso-8859-1 encoding, and it 
> would not find the username in database table. Is there a way to tell Web 
> Container about the request encoding?
> 
> Thanks for help. Have a nice day!
> 
> 
> -
> Yahoo! Mail
> Bring photos to life! New PhotoMail makes sharing a breeze.


-
Yahoo! Mail
Bring photos to life! New PhotoMail  makes sharing a breeze. 

RE: Form login UTF-8 username problem

[Dave]

Hi Daniel,
   
  I am not quite understanding. Is it a security hole?
  User needs a username and password to login to the web application.
   
  Thanks!
Daniel Blumenthal <[EMAIL PROTECTED]> wrote:
  As a security concern, you might not want to allow full UTF-8 usernames.
There are a number of invisible characters (from the soft hyphen to various
connector characters) which people can use to spoof other users' names.

Daniel


> -Original Message-
> From: Mark Thomas [mailto:[EMAIL PROTECTED] 
> Sent: Friday, March 03, 2006 1:50 PM
> To: Tomcat Users List
> Subject: Re: Form login UTF-8 username problem
> 
> Dave wrote:
> > Web application using JBoss 4.0.3SP1 and servlets. 
> > I am using FORM authentication. Can username be UTF-8? 
> > I create an account, its username is in UTF-8 encoding, 
> chinese characters. 
> > But login was not successful. Can JBoss built-in 
> authentication handle UTF-8 encoding for username? 
> 
> This looks like 
> http://issues.apache.org/bugzilla/show_bug.cgi?id=31198
> 
> It is fixed in 5.5.7+
> 
> Mark
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
Yahoo! Mail
Bring photos to life! New PhotoMail  makes sharing a breeze. 

Re: programatic jaas authentication

[Dave]

I have the same problem to solve. I am using JSF also. In any page I allow user 
to type in username and password, after login, stay in the same page.
   
  Can anyone point a tutorial/doc ? Thanks!

Jan Zach <[EMAIL PROTECTED]> wrote:
  Hi Everybody,

I got working container JAAS authentication (area protected by url set in 
web.xml), I also know how to authenticate against JAAS. But what I cannot sort 
out is how to programatically force container to authenticate (from login 
dialog), i.e., how to get principal to the session/http request. I use JSF.
Any idea?

Thanks a lot

Jan




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
Brings words and photos together (easily) with
 PhotoMail  - it's free and works with Yahoo! Mail.

How to populate session after authenticate

[Dave]

I am using JBoss. The servlet Form authentication is nice, but I need something 
more flexible.
   
  Users are allowed to login on any unprotected page and stay in the same page 
after lgoin.  I have database table to store username and password.
   
  After verifying username and password, what information needs to put into 
session(or other data structure) so that:
  HttpServletRequest.getRemoteUser() will return the remote user.
   
  Thanks!


-
Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ 
countries) for 2¢/min or less.

undeploy then redeploy, sessionId valid?

[Dave]

Undeploy a web application, then redeploy it.
   
  Click a link in an old page(page before undeploy), making the first request 
after redeploy.
   
  In a filter:
   
  String sessionId = httpRequest.getRequestedSessionId();
boolean valid = httpRequest.isRequestedSessionIdValid();
   
  sessionId is " AD890098123763728AD80"
  valid: true.
   
  This means that the old sessionId is still valid.
   
  what is the criteria to determine whether a session id is valid or not?
  How to detect redeploy in a filter?  
   
  Thanks!
  David
   
   


-
New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.

Re: RSS help

[Dave]

Is there a way that NewsReader knows whether a page has been updated? How? the 
page is dynamic collecting data from database.
  Thanks!

Santosh Puranshettiwar <[EMAIL PROTECTED]> wrote:
  Dave wrote:
> Thanks,
> 
> It semms that it is easy to write the XML file for a Feed. But how 
> does NewsReader know the page (pointed by feed link) has been changed, 
> what are the changes, updated time?
> 
> I have not got the idea yet :)
> 
The NewsReader /polls/ the feed regularly.
As such there is no mechanism for notifying changes.
> Dave
>
>
> Michael Hencin wrote: Dave
>
> I went thru the same thing. Basically all you need to do is make an XML file
> and put it on a web server some place. Then provide the link. People can
> copy the link and paste it into any rss reader, or if their browser
> understands what to do, it will add the rss feed link to the integrated
> reader. 
>
> So you need to create the XML file, save that file to your web server. Then
> provide a link for people to use.
>
> Here are some links I came by
>
> http://searchenginewatch.com/showPage.html?page=2175271
>
>
> http://en.wikipedia.org/wiki/RSS_%28file_format%29
>
> Mike
>
>
> -Original Message-
> From: Dave [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, November 18, 2006 2:21 AM
> To: users@myfaces.apache.org; Tomcat Users List
> Subject: RSS help
>
> How to support RSS in a website so that people can subscribe? I googled and
> found lots of documents about how to subscribe and about news readers, but
> not talking about how to support RSS functionality in a website?
>
> Thanks,
> Dave
>
>
> -
> Sponsored Link
>
> Mortgage rates as low as 4.625% - $150,000 loan for $579 a month.
> Intro-*Terms
>
>
> -
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
> 
> -
> Sponsored Link
>
> Mortgage rates near 39yr lows. $420,000 Mortgage for $1,399/mo - Calculate 
> new house payment
> 

Also, I wonder how this question pertains to this mailing list?

-- 
Santosh.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



 
-
Sponsored Link

Mortgage rates near 39yr lows. $310,000 Mortgage for $999/mo -  Calculate new 
house payment

BBS

[Dave]

Any BBS software that can be integrated well with JSF application deployed on 
Tomcat?
   
  Thanks.!

 
-
Cheap Talk? Check out Yahoo! Messenger's low PC-to-Phone call rates.

domain level session tracking (cookie based)

[Dave]

Hi,
 
We are using JBoss 4.0.5GA. The web server can be accessed using a number of 
subdomains, such as:
 
a.mydomain.com
b.mydomain.com
 
In a same web browser instance, if a user visits a.mydomain.com, then click 
b.mydomain.com in the page, the new page will be a different session. 
 
For cookie based session tracking, how to configure domain-level ?  
 
that is , a.mydomain.com and b.mydomain.com share the same session id.
 
Thanks for help.
Dave
 
 


  

apache & tomcat on xserve leopard

[Dave]

Hi,
I have a new xserve and it is running both apache and tomcat But it  
doesn't seem like they are hooked together.
I am looking to deploy open bluedragon via war file with tomcat and  
still use apache to server up coldfusion 8.


If I edit the files manually it works fine but the issue is that the  
leopard server over writes all the files if you make changes.
The main thing I need to add to apache is a proxypass and  
proxypassreverse which there is an entry for in the xserve gui but it  
doesnt add them correctly and does not work.


It seems kind of odd that both come pre-installed and running but not  
together and I can't find much info on this.


Anyone have any ideas for me?

thanks 



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: apache & tomcat on xserve leopard

[Dave]

thanks Peter...
It is a shame because  the gui is so nice. I had another issue before  
where it was overwriting the files and we needed to add a jrun line in  
and we just built an include for that and all was well but not working  
for this. The gui does have proxying on it but its going to the wrong  
place for this to work.


thanks and I will try the httpd list




On Jul 21, 2008, at 2:21 AM, Peter Crowther wrote:


From: Dave [mailto:[EMAIL PROTECTED]
I have a new xserve and it is running both apache and tomcat But it
doesn't seem like they are hooked together.

[...]

If I edit the files manually it works fine but the issue is that the
leopard server over writes all the files if you make changes.
The main thing I need to add to apache is a proxypass and
proxypassreverse which there is an entry for in the xserve gui but it
doesnt add them correctly and does not work.


Typical Apple - a superb interface for the common operations,  
actively broken for the uncommon ones.  You'll probably have more  
luck on an httpd list than a Tomcat list for this one, as most  
people on this list hook httpd and Tomcat together using AJP rather  
than by proxying.  That configuration is sufficiently complex that I  
suspect Apple won't have coded for it, though you might want to check.


[...]

Anyone have any ideas for me?


The main answers you'll get on here are, I suspect, "Don't use  
xserve" or "Don't use the pre-packaged server applications".  I'm in  
the second camp.  You almost certainly won't be able to get the  
config you need using Apple's GUI; Apple's GUI is overwriting the  
correct config; you probably can't ensure that nobody ever uses  
Apple's GUI to make config changes; so the way to a system that  
works and keeps working is to install versions of the applications  
that can't have their config overwritten at whim.


   - Peter

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

image download

[Dave]

For http://domain.com/servlet/pictures/image.jpg"/>
 
in servlet get method,
 
InputStream is = new FileInputStream("/apphome/pictures/image.jpg");
OutputStream os = response.getOutputStream();
 
byte[] buffer = new byte[256*1024];  //256k
while (true) {
 int n = is.read(buffer);
     if (n < 0)
  return;
  os.write(buffer, 0, n);
}
 
is.close();
os.close();
 
 
Is this the right way? Sometimes only the half image is shown on web page. Is  
there a more efficient and robust way?  How about for audio/video files?
 
I want to take at how Tomcat does it. Could anyone tell me which class?
thanks
Dave


  

Re: image download

[Dave]

InputStream is = new FileInputStream("/apphome/pictures/image.jpg");
OutputStream os = response.getOutputStream();
 
byte[] buffer = new byte[256*1024];  //256k
while (true) {
 int n = is.read(buffer);
     if (n < 0)
  break;
  os.write(buffer, 0, n);
}
 
is.close();
os.close();


--- On Fri, 9/26/08, Dave <[EMAIL PROTECTED]> wrote:

From: Dave <[EMAIL PROTECTED]>
Subject: image download
To: "Tomcat Users List" 
Date: Friday, September 26, 2008, 6:33 PM

For http://domain.com/servlet/pictures/image.jpg"/>
 
in servlet get method,
 
InputStream is = new FileInputStream("/apphome/pictures/image.jpg");
OutputStream os = response.getOutputStream();
 
byte[] buffer = new byte[256*1024];  //256k
while (true) {
 int n = is.read(buffer);
     if (n < 0)
  return;
  os.write(buffer, 0, n);
}
 
is.close();
os.close();
 
 
Is this the right way? Sometimes only the half image is shown on web page. Is 
there a more efficient and robust way?  How about for audio/video files?
 
I want to take at how Tomcat does it. Could anyone tell me which class?
thanks
Dave


  


  

Jasper compiler version, how to configure

[Dave]

In my development environment using JDK 1.5, the jsp compilation is fine. But 
after deploy to JBoss 4.0.5(w/ tomcat 5.5), the JSP compiler complains 
templates such as 
List 

I started JBoss using jdk 1.5, configured in run.sh (JAVA_HOME). It seems that 
the JSP compiler is not using the java version 1.5. 

How to configure the JSP compiler java version, using the same version JDK 1.5 
that starts Tomcat? 

Thanks for help. 
Dave


  

video/x-flv mime-mapping does not for Tomcat 5.5

[Dave]

we are using JBoss4.0.5.  For flash video, we added 
 

  flv
  video/x-flv
 
 
in tomcat conf/web.xml.
 
Restarted jboss. When uploading a foo.flv,  uploadeFile.getContentType returns 
"application/octet-stream", not "video/x-flv".  Could you please help me?
 
Thanks,
Dave


  

AddResource: how to prevent adding session id to stylesheet URL

[Dave]

Hi,
We are using AddResource to add stylesheet dynamically, like:
 
addResource.addStyleSheet(context, AddResource.HEADER_BEGIN, "/main.css");
 
In the generated HTML, the current session id is in the URL, like:
 

 
This breaks web browser caching. Style sheet is static. We want browser to 
cache it for one month. But adding session id breaks browser caching because 
session id is dynamic and the stylesheet url will change from one session to 
another.
 
Is there a way to prevent session id being added to the URL?  we use 
cookie-based session tracking , if cookie is disabled, URL rewriting session  
tracking will be used.
 
Thanks for help.
Dave



  

open a window in a new session

[Dave]

I am using servlet.  How to open a window in a new session?
   
  I tried javascript
   
  onclick="window.open(...)"
   
  but the opened window belongs to the same servlet session (see from user 
login name).
   
  Thanks for help!
  David
   
   
   

 
-
Never miss an email again!
Yahoo! Toolbar alerts you the instant new Mail arrives. Check it out.

Re: open a window in a new session

[Dave]

Hi Chris,
  Thanks for your reply.
   
  How to configure server(Tomcat, I am using JBoss) to use URL-encoded session 
id tracking?  I did not do anything. Is cookie used for session tracking by 
default?
   
  Thanks!
  David

Christopher Schultz <[EMAIL PROTECTED]> wrote:
  -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dave,

Dave wrote:
> I am using servlet. How to open a window in a new session?
> 
> I tried javascript
> 
> onclick="window.open(...)"
> 
> but the opened window belongs to the same servlet session (see from
> user login name).

If you are using cookie-based session id tracking, you might not be able
to do this at all.

If you switch to URL-encoded session id tracking, you can simply leave
the session id out of the popup's URL and your popup will not inherit
the current session from the old one.

- -chris

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF+UX89CaO5/Lv0PARAkSIAKCb4gWA+EPb/D6FU/iPKz9rvknUywCfa6mU
OlpwtfMF+5EA6ICgWorRP04=
=rGp+
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



 
-
Food fight? Enjoy some healthy debate
in the Yahoo! Answers Food & Drink Q&A.

Re: open a window in a new session

[Dave]

If I open an IE from windows desktop, and then access the link, it will start a 
new session. Is there any control on cookie, like do not use cookie for this 
new window?
Thanks!
Christopher Schultz <[EMAIL PROTECTED]> wrote:  -BEGIN PGP SIGNED 
MESSAGE-
Hash: SHA1

Dave,

Dave wrote:
> I am using servlet. How to open a window in a new session?
> 
> I tried javascript
> 
> onclick="window.open(...)"
> 
> but the opened window belongs to the same servlet session (see from
> user login name).

If you are using cookie-based session id tracking, you might not be able
to do this at all.

If you switch to URL-encoded session id tracking, you can simply leave
the session id out of the popup's URL and your popup will not inherit
the current session from the old one.

- -chris

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF+UX89CaO5/Lv0PARAkSIAKCb4gWA+EPb/D6FU/iPKz9rvknUywCfa6mU
OlpwtfMF+5EA6ICgWorRP04=
=rGp+
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



 
-
Expecting? Get great news right away with email Auto-Check.
Try the Yahoo! Mail Beta.

FileUpload to different machine

[Dave]

Web application using JSF deployed on JBoss runing on Linux. Another server 
machine is Windows 2003. For file upload, all the file need to be stored in the 
windows machine. Questions: 
  how to access the windows' file system from Linux? 
  For file upload, can the file be uploaded directly into the windows machine 
even though the JBoss is running on the Linux machine? 
   
  Thanks
  dave
   
   

 
-
Be a PS3 game guru.
Get your game face on with the latest PS3 news and previews at Yahoo! Games.

force to start a new servlet session

[Dave]

On JSF page, click a button to open a new window. The request will join the 
existing session. Is there a way to create a new HTTP servlet session for the 
request(clicking the button)?
   
  public HttpSession getSession(boolean create) 



Create a new session only when no session already exists even if create=true.

 

What I am trying to do is to Start a brand new session so that the new session

will not have the user authentication information from the existing session.

 

Thanks for ideas.

Dave



   
-
Ahhh...imagining that irresistible "new car" smell?
 Check outnew cars at Yahoo! Autos.

Load balancer (apache or hardware)

[Dave]

I am in the process of setting up a cluster of a number of JBoss. Should I use 
Apache or hardware load balancer in the front?  Please advise. I am concerned 
about about Security and Performance.
   
  Thanks
  Dave

   
-
Don't let your dream ride pass you by.Make it a reality with Yahoo! Autos. 

How to disconnect a request from current session

[Dave]

For cookie based session tracking, on a jsp or jsf page, when a user click 
links, all requests are in the same session. Is there a way to open a new 
session when a user clicks a link and send a request?  Can Filter do that ?
   
  If I open a new IE from desktop, all requests from the new IE window are in a 
different session. Is there a way to run IE or any other application by 
clicking on a page? 
   
  Thanks for any help.
  David

   
-
Be a better pen pal. Text or chat with friends inside Yahoo! Mail. See how.

Re: SSL problem with Tomcat 5.5

[Dave]

In my case, apache is in the front as a load balancer (JK module). I read an 
instruction that says SSL is only needed between client and Apache, but SSL is 
not configured between apache and tomcat. I am using JBOSS 4.2.2.
   
  In my environment, the security between apache and tomcat is a concern. How 
to configure SSL all the way between client --> Apache --> Tomcat?
   
  Thanks!
  dave
  

Schadler Johann <[EMAIL PROTECTED]> wrote:
  To ensure you have a valid keystore with the included private key and a 
refer to an alias 'tomcat' I recommend strongly to create a new keystore as 
described in the reference (see links in other answer mails). At least you 
can create a self-signed certificate if you don't need one signed by a 
trusted CA.

To check if SSL is running you can test it from a Linux or Unix box with 
installed OpenSSL with the following command:

echo -e "GET /jsp-examples/index.jsp HTTP/1.0\r\n\r\n"|openssl 
s_client -connect localhost:8443 -ssl3 -debug -quiet

Replace URI-context and welcome file, replace hostname and port if 
neccessary, change SSL mode to ssl2 or tsl as needed

Johann


- Original Message - 
From: "Bob Grabbe" 
To: "'Tomcat Users List'" 
Sent: Monday, November 26, 2007 10:48 PM
Subject: RE: SSL problem with Tomcat 5.5


> OK, I've attached a new file with the startup. Unfortunately I'm not 
> seeing
> anything in any logs that indicate any https requests.
> Just in case, what's the command to generate a new empty keystore file ?
> I've seen the notes on the tomcat docs for creating the csr, but I didn't 
> do
> that this time. I might try it though, if I can get godaddy to go through
> the process with me again,
>
> Thanks
>
> Bob Grabbe
> University of Michigan
> [EMAIL PROTECTED]
> _
> "Research is the process of going up alleys to see if they are blind." --
> Marston Bates
>
>> -Original Message-
>> From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
>> Sent: Monday, November 26, 2007 4:09 PM
>> To: Tomcat Users List
>> Subject: Re: SSL problem with Tomcat 5.5
>> What would be best would be catalina.log at startup, showing
>> whether the SSL connector started cleanly.
>>
>> And of course, any log entry relating specifically to an HTTPS
>> request.
>>
>> > I didn't generate a new csr, I figured renewing the cert shouldn't
>> need
>> > that. Do I need to go through that or should I be able to just renew
>> it ?
>>
>> Dunno about GoDaddy, but when I "renew" a Thawte cert for one of
>> my sites, I have to generate a new cert request. So I just create a new
>> keystore file, named something like keystore-example.com-2007, and
>> use that for the new cert.
>>
>> HTH!
>> --
>> Hassan Schroeder  [EMAIL PROTECTED]
>>
>> -
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>
>





> -
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED] 


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



   
-
Get easy, one-click access to your favorites.  Make Yahoo! your homepage.

tomcat session security hole

[Dave]

Hi, I am using URL rewriting for session tracking, ie, session id is on the 
URL. After I login into a web application, if someone else knows my current 
session id, he/she can access my account using the session id. It is ok because 
it is difficult for others to guess my session id.  But right now I encounter 
an issue that will breach the security.
   
  Our web application is using a 3rd party payment system, when a user clicks 
pay button, we need to tell the payment system a return URL, a page URL to go 
after a user finishes with the payment system. The return url needs to have the 
user's session id so that he/she will not need to login again after returning 
from the payment system. In this case, the 3rd payment system will know the 
user's session id, a security hole.
   
  Is there a solution for this scenario? the same security hole for cookie 
based session tracking?  In our case, we have to use URL rewriting because 
sometimes a new session is needed when users click some links on pages.
   
  In my opinion, session id is not sufficient to identify a session, it should 
have client's ip address for more security.
   
  Thanks for any ideas.
  Dave
   
   
   
   

   
-
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

Re: tomcat session security hole

[Dave]

Hi Martin,
   
  Thanks for your help. 
  I looked at the two links you provided. But I do not understand how they can 
solve the problem. I  must be missing something.
   
  For SSL,  the URL still needs to have session id, for example,
  
https://www.xyz.com/returnPage.jsp;jsessionid=188727usdfkjaf-92098js8980?name='Foo'
   
  For session id encription that is one-way encription appending a digest code 
to the URL, the URL also needs to have session id so that Tomcat will know the 
session id of the requests.
   
  
https://www.xyz.com/returnPage.jsp;jsessionid=188727usdfkjaf-92098js8980?name='Foo'&digest='abc123'
   
  Please give me further help. Thanks,
  Dave
   
   
  

Martin Gainty <[EMAIL PROTECTED]> wrote:
  Hi Dave

http://www.securityfocus.com/infocus/1774
suggests either implementing with
SSL connector
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

-or-
Encrypt each sessionid
If you dont have the former you'll definitely want to implement the latter..
heres an example
http://www.spiration.co.uk/post/1199

Martin--
- Original Message -
From: "Dave" 
To: "Tomcat Users List" 
Sent: Tuesday, December 18, 2007 9:09 PM
Subject: tomcat session security hole


> Hi, I am using URL rewriting for session tracking, ie, session id is on
the URL. After I login into a web application, if someone else knows my
current session id, he/she can access my account using the session id. It is
ok because it is difficult for others to guess my session id. But right now
I encounter an issue that will breach the security.
>
> Our web application is using a 3rd party payment system, when a user
clicks pay button, we need to tell the payment system a return URL, a page
URL to go after a user finishes with the payment system. The return url
needs to have the user's session id so that he/she will not need to login
again after returning from the payment system. In this case, the 3rd payment
system will know the user's session id, a security hole.
>
> Is there a solution for this scenario? the same security hole for cookie
based session tracking? In our case, we have to use URL rewriting because
sometimes a new session is needed when users click some links on pages.
>
> In my opinion, session id is not sufficient to identify a session, it
should have client's ip address for more security.
>
> Thanks for any ideas.
> Dave
>
>
>
>
>
>
> -
> Looking for last minute shopping deals? Find them fast with Yahoo!
Search.


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



   
-
Never miss a thing.   Make Yahoo your homepage.

SSL client authentication

[Dave]

Hi, I need some help on SSL client authentication.
   
  If a user has digital certificate installed on his/her machine,  we like to 
authenticate the user using digital certificate, otherwise using 
username/password.
   
  When I set clientAuth="true" in server.xml,  open IE to the server URL 
(https),  IE popup a window asking for the client certificate even though there 
is no certificate found in client machine.
   
  1. how to ask client browser(IE) to ignore digital certificate if not found?
  2. on server, how to get the client certificate for verification?  java API?
   
  Thank for help.
  Dave

   
-
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

JBoss 4.2.2, http port is not working, but https is working

[Dave]

JBoss 4.2.2, cluster config, ie  JBoss/server/all,  tomcat server.xml 
configures ports as following:
   
   
   
  

  
   
  the https port 443 is working, but the port 8080 is not working. Firewall is 
disabled.
  I used filter to log all requests, but no requests for 8080 port.  I changed 
the port to 80, no luck.
   
  Thanks for any help.
Dave
   

   
-
Never miss a thing.   Make Yahoo your homepage.

Re: JBoss 4.2.2, http port is not working, but https is working

[Dave]

I have found answer from JBoss forum. JBoss 4.2 bind to localhost by default.
  Thanks.

David Smith <[EMAIL PROTECTED]> wrote:
  I don't see anything obviously wrong here. I assume jboss.bind.address 
is set somewhere else in the config. Is there anything in the logs 
indicating a problem? Have you verified via netstat that tomcat is 
listening on 8080 and the address you've specified?

--David

Dave wrote:
> JBoss 4.2.2, cluster config, ie JBoss/server/all, tomcat server.xml 
> configures ports as following:
> 
> > maxThreads="250" maxHttpHeaderSize="8192"
> emptySessionPath="true" protocol="HTTP/1.1"
> enableLookups="false" redirectPort="443" acceptCount="100"
> connectionTimeout="2" disableUploadTimeout="true" />
> 
> > maxThreads="150" scheme="https" secure="true"
> clientAuth="true" sslProtocol="TLS"
> keystoreFile="${jboss.server.home.dir}/conf/my.keystore"
> keystorePass="123456"/>
>
> > emptySessionPath="true" enableLookups="false" redirectPort="443" />
> 
> the https port 443 is working, but the port 8080 is not working. Firewall is 
> disabled.
> I used filter to log all requests, but no requests for 8080 port. I changed 
> the port to 80, no luck.
> 
> Thanks for any help.
> Dave
> 
>
> 
> -
> Never miss a thing. Make Yahoo your homepage.
> 


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



   
-
Never miss a thing.   Make Yahoo your homepage.

how to pop up a window requested by server

[Dave]

We have a JSF application running on JBoss/Tomcat, and have a requirement for 
users to send short instant messages. When user A sees user B online and wants 
to talk with him/her:
   
  1. A clicks a button, pop up a window to chat with B
  2. On B's machine, pop up a chat window.
   
  How to implement the second? We think about using Applet,  are there other 
ways ?
  Thanks for any idea on how to implement this for JSF application.
   
  Dave
   
   

   
-
Boardwalk for $500? In 2007? Ha! 
Play Monopoly Here and Now (it's updated for today's economy) at Yahoo! Games.

Re: how to pop up a window requested by server

[Dave]

Thanks for ideas. But the poll is consuming resource even when no messages. Is 
there a way for server to push something to client?
   
  Thanks!
  

David Delbecq <[EMAIL PROTECTED]> wrote:
  If you use Ajax4Jsf, you can use a4j:poll to have a part of your page
refreshed every x milliseconds using javascript. In this part you could
put your code to popup something on B if there are new messages.
En l'instant pr‰[is du 28/06/07 14:36, Dave s'exprimait en ces termes:
> We have a JSF application running on JBoss/Tomcat, and have a requirement for 
> users to send short instant messages. When user A sees user B online and 
> wants to talk with him/her:
> 
> 1. A clicks a button, pop up a window to chat with B
> 2. On B's machine, pop up a chat window.
> 
> How to implement the second? We think about using Applet, are there other 
> ways ?
> Thanks for any idea on how to implement this for JSF application.
> 
> Dave
> 
> 
>
> 
> -
> Boardwalk for $500? In 2007? Ha! 
> Play Monopoly Here and Now (it's updated for today's economy) at Yahoo! Games.
> 


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



   
-
Fussy? Opinionated? Impossible to please? Perfect.  Join Yahoo!'s user panel 
and lay it on us.

Session Tracking(URL rewriting) how to avoid session Id in URL

[Dave]

Hi, I am using JSF on JBOSS.
   
  I disabled cookies and use URL rewriting for session tracking. 
  All  URLs have session id that are added automatically.  I like 
to the link to open in a new session. How to prevent session id on the URL?
   
  Thanks,
dave

 
-
The fish are biting.
 Get more visitors on your site using Yahoo! Search Marketing.

Re: Programmic login to tomcat using username and password

[Dave]

I think this feature is very basic. Everything should have a programmatic way.

zhu quanxin <[EMAIL PROTECTED]> wrote:  hi,David,

My aim is that tomcat could authenticate users without promoting
any login form. I give out the userID and password in the servlet
code. when users navagate the servlet page, they would login to tomcat
as that userID identity.



Thanks a lot!
Zhu quanxin



2007/9/6, David Delbecq :
> Hi,
>
> Am not sure to understand what you want to do. You want to login user
> without requiring it, ever, to authenticate? That seems to me quite
> paradoxal. Maybe you should explain a bit more what you try to achieve...
>
> ÖìÈ«öÎ a ¨¦crit :
> > Hi,
> >
> > I have already enabled the SSO function in server.xml. It could be
> > promoted the challenge once when I visit the first webapp and without
> > login to all the webapps in the host. But I do not want any login form
> > promoted to users. So my point is, how do I write code in a jsp or
> > servlet to auto login to the first webapp without the login-form
> > promoted to users.
> > For example, in websphere application server, the following code
> > could be auto login to the server, If we give the right username and
> > password pair.
> >
> > code begin
> > --
> > LoginContext lc = null;
> >
> > try {
> > lc = new LoginContext("WSLogin",
> > new WSCallbackHandlerImpl("userName", "password"));
> > } catch (LoginException le) {
> > System.out.println("Cannot create LoginContext. " + le.getMessage());
> > // Insert the error processing code
> > } catch(SecurityException se) {
> > System.out.println("Cannot create LoginContext." + se.getMessage());
> > // Insert the error processing code
> > }
> >
> > try {
> > lc.login();
> > } catch (LoginException le) {
> > System.out.println("Fails to create Subject. " + le.getMessage());
> > // Insert the error processing code
> > 
> > code end
> >
> > I do not know if tomcat provide some APIs like the above, and we
> > could use the API to programmic login to the tomcat server. and where
> > to find the instruction to use the API?
> >
> >
> > Many Thanks!
> > Zhu quanxin
> >
> >
> >
> > 2007/9/5, David Delbecq :
> >
> >> http://tomcat.apache.org/tomcat-5.5-doc/config/host.html
> >>
> >> See section about single-sign. This share credential between webapps.
> >>
> >> Note: it's not a "programamtic". It just let all your application share
> >> a same authentification token. Once you authenticate using J2EE
> >> compliant method in application X, it's not necessary to login into
> >> other application Y on same host that is also using J2EE compliant
> >> authentification mecanism.
> >>
> >> En l'instant pr¨¦cis du 05/09/07 16:51, ÖìÈ«öÎ s'exprimait en ces termes:
> >>
> >>> hi, everyone
> >>>
> >>> I meet a problem about programmic login. I setup a tomcat server,
> >>> and deploy two WAR files (applications) on it. One of the application
> >>> A is protected by server authentication, and the other application B
> >>> is not. I want to setup a scenario : when user navigates the
> >>> application B, he could programmic login to tomcat using username and
> >>> password that is coded in the application of B, and then he
> >>> navigates the application A in the same browser, he never needs to
> >>> response the challenge promoted by application A.
> >>>
> >>> I would very appreciate if someone could help me.
> >>>
> >>> Thanks
> >>>
> >>> Zhu Quanxin
> >>>
> >>> -
> >>> To start a new topic, e-mail: users@tomcat.apache.org
> >>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>> For additional commands, e-mail: [EMAIL PROTECTED]
> >>>
> >>>
> >> --
> >> http://www.noooxml.org/
> >>
> >>
> >> -
> >> To start a new topic, e-mail: users@tomcat.apache.org
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >>
> >>
>
> -
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-- 
ÖÂ
Àñ£¡

ÖìÈ«öÎ


   
-
Be a better Globetrotter. Get better travel answers from someone who knows.
Yahoo! Answers - Check it out.

cookie-based session tracking, how to start a new session

[Dave]

For cookie-based session tracking,  when a user clicks a link on a jsp page, 
how to make the request belong to a new session, not existing session.
   
  Thanks!
  dave

   
-
Never miss a thing.   Make Yahoo your homepage.

How to use https together with http

[Dave]

For jsf page (myfaces), some data need to go through SSL such as bank 
information.
  For better performance, other pages(or forms) can use http.  
   
   ... 
   
   ... 
   
  if a form may contain personal data, it should be summitted using https. Also 
we need to let user know it is secure by showing a lock and https:// in 
browser address bar.
   
  How can I do this?
   
  sometimes The IE browser shows a warning: the page contains both secure and 
nonsecure data.  what is the meaning? how to avoid the warning?
   
  Thanks for ideas.
  Dave

   
-
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

Re: cookie-based session tracking, how to start a new session

[Dave]

Hi Chris,
   
  Thanks for ideas. 
   
  > Use two separate instances of the web browser.
   
  this is the best solution.  Is there a way for openning a new instance of web 
browser such as IE by clicking a link on JSP page?
   
  Dave


Christopher Schultz <[EMAIL PROTECTED]> wrote:
  -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dave,

Dave wrote:
| For cookie-based session tracking, when a user clicks a link on a
| jsp page, how to make the request belong to a new session, not
| existing session.

Since there can only be one session (JSESSIONID) cookie for any given
host/path combination (not entirely true, but Tomcat will pick one and
stick with it), the best you can do with cookies is abandon your current
session and start an entirely new one.

If you want separate windows with separate sessions you need to do one
of the following (in increasing order of difficulty):

1. Use two separate instances of the web browser.
2. Use two different web browsers (e.g. MSIE and ff)
3. Disable cookie-based session tracking (which will fall-back to
~ URL-rewriting), and remove the HttpServletResponse.encodeURL
~ call from the URL you want to act like a jumping-off point.
4. Hack Tomcat's session manager so that it uses a session cookie
~ with a name other than JSESSIONID (i.e. it will accept both),
~ and include some way to notify the session manager that the existing
~ (JSESSIONID) session should be ignored in favor of the other one
~ (maybe MYJSESSIONID).

Note that the last one is a total PITA to do in the first place, ties
you to a single version of Tomcat (unless you re-hack each one), and
breaks the servlet specification (which mandates that the session cookie
name is JSESSIONID).

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkejLl0ACgkQ9CaO5/Lv0PDiqQCeM8Y0OpEJJobq1t+YZUoooMkg
ZgcAoJQSnqLOyGU1uWJyJ0VWMVyG9U1+
=zSsj
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



   
-
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

JasperException: PermGen space

[Dave]

Hi, I am using JBoss 4.0.5GA on Federa Core 6 Linux for JSF application. After 
running for two days, got the following exception on server side. How to avoid 
it? Thanks for help. Dave
   
  Caused by: org.apache.jasper.JasperException: PermGen space
at 
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:455)
at 
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
at 
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at 
org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
at 
org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:463)
at 
org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:398)
at 
org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
at 
org.apache.myfaces.context.servlet.ServletExternalContextImpl.dispatch(ServletExternalContextImpl.java:419)

   
-
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

how to auto redirect to https from http

[Dave]

Hi,
  when user types http://www.mydomain.com, how to redirect to secure url 
https://www.mydomain.com?  I know that a servlet filter can do that. Is there 
an easier way?
   
  In server.xml,  redirectPort="8443" for port 80, it did not work as I 
expected.
   
   
  


  Thanks for help.
   
  Dave

   
-
Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.

Tomcat SSL for multiple domains

[Dave]

Hi I am running JBoss w/tomcat on a Linux machine. the machine has one IP 
address. But there are two top-level domains (not subdomains) mapping to the ip 
address.
   
  www.domain1.com
  www.domain2.com
   
  I need to setup SSL. As far as I know, SSL certificate is set up for one 
domain only. Using the different domains will get a security warning from web 
browser. (domain name does not match)
   
  Can SSL certificate be ip address based? Or Tomcat support SSL multiple 
domains(prevent warnings from browser)?
   
  Thanks,
Dave

   
-
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

Re: how to auto redirect to https from http

[Dave]

Chris,
   
  The url is not changed when I point to http://www.mydomain.com/login.html in 
browser. The .html is mapped to servlet. I expected it to change to https://
   
  So it is not secure to start as http and then switch to https to use the same 
http session because session id to visible to man-in-the-middle. Am I right? If 
not secure, why is it allowed to be working this way?
   
  Even start with https, if url-rewriting is used for session 
tracking(sessionid in url), it is not secure anymore, right?
   
  Thanks,
Dave

Christopher Schultz <[EMAIL PROTECTED]> wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dave,

Dave wrote:
| I moved the inside the
as the following:
|
| 
| 
| Automatic SLL
Forwarding
| /login.html
| 
|
CONFIDENTIAL
| 
| 
| 
|
| But http://www.mydomain.com/login.html did not redirect to secure URL.

:(

It's possible that Tomcat ignores that setting during its own
authentication process (which would suck if it were the case). What the
the URL say when you are being asked to login?

| As you mentioned, If I start as http, then redirect to https when
| login, and keep https after login. Does that mean https is using the
| http session?

Well, it's not a "http session" per-se... it's the session that was
created while you were in http mode. The answer is yes: Tomcat will
continue to use that session. If, however, you kill any sessions
(yourself) as you switch to https, then any fallback to http will lose
the session (because the browser will refuse to send a "secure" cookie
through a non-secure channel.

| Is there any security hole? If a man-in-the-middle knows the session
| id from http and the same session id is used by https?

This does not require man-in-the-middle. It's just plain-old session
hijacking. This can happen whether you are using SSL or not -- if
someone can guess your session id, you're pwned.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkerLLYACgkQ9CaO5/Lv0PBSbQCgs51ON7Uwam/6mMs+5w4e0dv4
AwgAoK//OfuOISynFSbnV+jU6kqI2N6N
=14Kp
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




   
-
Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.

Re: how to auto redirect to https from http

[Dave]

Hi Chris,
   
  I moved the  inside the  as 
the following:
   
   

Automatic SLL 
Forwarding
/login.html

   
CONFIDENTIAL




  But http://www.mydomain.com/login.html  did not redirect to secure URL.
   
  As you mentioned, If I start as http, then redirect to https when login,  and 
keep https after login. Does that mean https is using the http session? Is 
there any security hole? If a man-in-the-middle knows the session id from http 
and the same session id is used by https?
   
  Thanks for help.
  Dave

Christopher Schultz <[EMAIL PROTECTED]> wrote:
  -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Dave,

Dave wrote:
| I tried the method, it worked.
| But when I tried to protect login page only,
|
| 
| protected
pages
| /login.jsp
| 
|
| restarted tomcat, and went to http://www.mydomain.com
|
| it was redirected to secure URL. It should stay insecure until going
to login page.
|
| anything I was missing?

Is that your entire configuration? If you've
told Tomcat that /* should be CONFIDENTIAL, then all traffic will be
redirected to HTTPS.

Move the CONFIDENTIAL part into the that
represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so
you'll have to make that happen yourself. Also remember that if your
session id cookie was created in HTTPS mode, your browser will not send
it back to the server when you're in HTTP mode.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkerHyAACgkQ9CaO5/Lv0PClgACfRQm66ro0lctDvrEnA0paYC0Y
ziIAn35jRaXBkefSfaz6l1cn9fOokmfe
=0RZ/
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



   
-
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

Re: how to auto redirect to https from http

[Dave]

Hi Hazem,
  Thanks,
   
  I tried the method, it worked.
  But  when I tried to protect login page only,
   
  
protected pages
/login.jsp
 

  restarted tomcat, and went to http://www.mydomain.com
   
  it was redirected to secure URL. It should stay insecure until going to login 
page.
   
  anything I was missing?
   
  Thanks
  Dave

Hazem DAOUD <[EMAIL PROTECTED]> wrote:
  Hi Dave,

Try to add this to web.xml under tomcat_install_dir/conf:
"
/

Protected Context
/*



CONFIDENTIAL

/
"

That works for me.

Regards.

--Hazem.

Dave a écrit :
> Hi,
> when user types http://www.mydomain.com, how to redirect to secure url 
> https://www.mydomain.com? I know that a servlet filter can do that. Is there 
> an easier way?
> 
> In server.xml, redirectPort="8443" for port 80, it did not work as I expected.
> 
> > maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
> emptySessionPath="true"
> enableLookups="false" redirectPort="8443" acceptCount="100"
> connectionTimeout="2" disableUploadTimeout="true"/>
> 
> > maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
> emptySessionPath="true"
> scheme="https" secure="true" clientAuth="false"
> keystoreFile="${jboss.server.home.dir}/keystore"
> keystorePass="123456" sslProtocol = "TLS" />
>
> Thanks for help.
> 
> Dave
>
> 
> -
> Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now.
> 



   
-
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

Can Tomcat support multiple SSL certificates for multiple domains?

[Dave]

Hi,
   
  I have one JBoss instance (4.0.5GA) running on Linux. The machine has one IP 
with two domains.
  www.domain1.com
  www.domain2.com
   
  I have two SSL certificates, one for each domain, imported into keystore.
  I need to use both without any warnings from browser
  https://www.domain1.com
  https://www.domain2.com
   
  Can Tomcat pick the right certificate based on current domain name?
   
  But according to
  http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
   
  keyAlias  Add this element if your have more than one key in the 
KeyStore. If the element is not present the first key read in the KeyStore will 
be used.
   
  How to work around this?
   
  Thanks for help!
  Dave

   
-
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

how to use different session id from http to https

[Dave]

Hi,
   
  I am using JBoss 4.0.5GA.  Cookie-based session tracking is used. 
  Starting with http, when user clicks login, redirect to https, but the same 
session id is used for https. It is not safe.
   
  after calling session.invalidate(),  the sessoin id in the cookie is used for 
https.
   
  If the jsessionid cookie is set to empty string after session.invalidate()
   
  session.invalidate();
  Cookie cookie = new Cookie("jsessionid", "");
  response.addCookie(cookie);
   
  The jsessionid cookie is changed to the empty string in browser. But the 
empty string will be used to create the new https session.  I hope tomcat to 
generate a new unique session id.
   
  Is there a way to delete cookie?
  for security reason, how to set a different session id for https when 
redirecting from http to https?
   
  Thanks for help.
  Dave
   

   
-
Never miss a thing.   Make Yahoo your homepage.

Re: how to use different session id from http to https

[Dave]

session.invalidate();
session = request.getSession(true);

  The new session will have the same session id.

Bill Barker <[EMAIL PROTECTED]> wrote:
  
"Dave" wrote in message 
news:[EMAIL PROTECTED]
> Hi,
>
> I am using JBoss 4.0.5GA. Cookie-based session tracking is used.
> Starting with http, when user clicks login, redirect to https, but the 
> same session id is used for https. It is not safe.
>
> after calling session.invalidate(), the sessoin id in the cookie is used 
> for https.
>
> If the jsessionid cookie is set to empty string after 
> session.invalidate()
>
> session.invalidate();
> Cookie cookie = new Cookie("jsessionid", "");
> response.addCookie(cookie);
>

Why not simply:
session.invalidate();
session = request.getSession(true);

> The jsessionid cookie is changed to the empty string in browser. But the 
> empty string will be used to create the new https session. I hope tomcat 
> to generate a new unique session id.
>
> Is there a way to delete cookie?
> for security reason, how to set a different session id for https when 
> redirecting from http to https?
>
> Thanks for help.
> Dave
>
>
>
> -
> Never miss a thing. Make Yahoo your homepage. 




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



   
-
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.

OT: a java question - static initialization

[Dave]

class Foo {
   
   private static int;
   
  static {
 a = 100;
  }
   
  Foo() { 

  }
   
  }
   
  Class.forName("package.Foo").newInstance();
   
  The static init block of Foo is not called.
   
  I am using Java 1.5 update14.  It is a bug?
   
  Thanks
  Dave
   
   

   
-
Never miss a thing.   Make Yahoo your homepage.

OT: java memory question -Xmx2048m

[Dave]

Our Linux(FC) machine has 8G physical memory and 12G swap size.  I am using JDK 
1.5.   I tried to set the Java option -Xmx to set max heap size for best 
performance,   the allowed max heap size is 2048M .  Does that mean that the 
JVM can not use all the physical memory (8G) ?  Thanks.
  Dave

   
-
Never miss a thing.   Make Yahoo your homepage.

Re: OT: java memory question -Xmx2048m

[Dave]

I installed Linux FC6 64-bit on the machine DELL 2590(I think it is INTEL type 
CPU). But JVM 64-bit is only available for AMD and SPARC.  Is the SUN not 
support INTEL?
   
  Thanks, Dave

David Delbecq <[EMAIL PROTECTED]> wrote:
  En l'instant précis du 25/02/08 13:51, Dave s'exprimait en ces termes:
> Our Linux(FC) machine has 8G physical memory and 12G swap size. I am using 
> JDK 1.5. I tried to set the Java option -Xmx to set max heap size for best 
> performance, the allowed max heap size is 2048M . Does that mean that the JVM 
> can not use all the physical memory (8G) ? Thanks.
> Dave
>
> 
> -
> Never miss a thing. Make Yahoo your homepage.
> 
The maximum memory the JVM can use depends on the maximum size of 
continuous memory segment the OS you run on allows you to reserve.
On 32 bits linux, it's about 2G (that is 4G minus memory area reserved 
for kernel, minus memory area used by libraries minus other thingies jvm 
might use). To get more you will need a 64bits JVM + a 64 bits OS. Note 
it's a limitation of hardware architecture and OS more than a limitation 
of JVM.

PS: if you plan to swap-out 12G of datas, i hope your disks are fast :)


-- 
http://www.devlog.be (a belgian developer's logs)



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



   
-
Never miss a thing.   Make Yahoo your homepage.

how to package common lib and ear file

[Dave]

I have an ear application with entity,business and web modules.
  
  
  foo.par

  
  bar.ejb3

  

baz.war
/


  

  The .par, .ejb3 and war files use classes in common.jar.  I put the 
common.jar under /server/default/lib.
   
  In the common.jar,  
   
  String className = System.getProperty("FooClassName");
Class.forName(className).newInstance();
   
  trying to instantiate the class "package.Foo" that is defined in web module 
inside the ear file,  throws a exception:
   
   java.lang.ClassNotFoundException: No ClassLoaders found for: package.Foo
   
  the class package.Foo is application specific and  can not be put into 
common.jar that is a common library. However the common lib needs to 
instantiate the application specific class.
   
  How to solve this issue?   is classloader the answer? 
  
Thanks for any help.
Dave


   
-
Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.

response goes through load balancer?

[Dave]

Hi, I am using Apache mod JK as load balancer for tomcat instances. Tomcat 
instances are on the different machines with public IP addresses. Will the HTTP 
responses go back to the Apache load balance? If so, it will slow down the 
response. how to instruct tomcat not to send response to Apache? Thanks for 
help.
   
  Dave

   
-
Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.

Re: response goes through load balancer?

[Dave]

Hi Felix,
   
  Thank you for your help. 
  One apache in the front end as load balancer is not sufficient for heavy 
traffic. If I use two apaches in the front, how to use DNS to load balancing 
Apaches?  That is, some requests go to Apache1, and the others go to Apache2.
   
  For example, for the domain:  
www.mydomain.com
   
  there is only one IP for the domain in DNS. How to set up DNS for the purpose?
   
  For 10 tomcat instances, each Apache has the same 10 workers, or 5 
workers/each apache?
   
  Thanks in advance for further help.
   
  Dave
   
  

Felix Schumacher <[EMAIL PROTECTED]> wrote:
  On Thu, May 8, 2008 6:16 am, Dave wrote:
> Hi, I am using Apache mod JK as load balancer for tomcat instances. Tomcat
> instances are on the different machines with public IP addresses. Will the
> HTTP responses go back to the Apache load balance? If so, it will slow
> down the response. how to instruct tomcat not to send response to Apache?
> Thanks for help.
Hi Dave,

the mod_jk connection will talk to the apache server only. Tomcat and
apache are communicating with AJP, not with HTTP, so the original
web-client would not be able to understand the answers from tomcat
directly.

If your apache server will suffer a slow down by too many
connections/clients, will depend on the kind of connections. Are they
cpu/disk intensive, or will the just saturate your internet network
connection?

You could use two or more apache servers in front of the tomcat servers to
achieve a loadbalancing there. Those apache servers could be loadbalanced
itself by dns ot other means and could be talking directly and
independently with the web-clients.

Since the backend-tomcat instances are encoded in the session id's each
apache would know which request would have to go to which tomcat.

HTH
Felix
>
> Dave
>
>
> -
> Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it
> now.



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



   
-
Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.

prevent directory list

[Dave]

Hi, I am using JBoss 4.0.5. 
   
  I tried to prevent directory listing by adding the following in web.xml, but 
got error: Child name 'default' is not unique.
   

default
org.apache.catalina.servlets.DefaultServlet

  debug
  0


  listings
  false

1
   
   
  Could someone help me on how to prevent directory listing? 
  I tried to  change default to default1, it did not work.
   
  Thanks very much.
  Dave

   
-
Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.

where to put common jar lib in ear file

[Dave]

We have an ear file with one entity ejb jar, one session ebj jar, and two web 
modules that use a common library:  common.jar.
 
Where to put the common.jar in the ear file? Thanks.
Dave


  

Using addFilter and addServlet

[Dave]

I'm using Tomcat 7.0.42.  Most examples of ServletContext.addFilter() and 
ServletContext.addServlet() show it being used from a contextInitialized() 
event handler, however, the Servlet 3.0 spec doesn't limit the use of 
addServlet/addFilter to contextInitialized() (unless it is in there 
somewhere and I missed it).


I have successfully used addServlet() from the init() method of a Servlet 
(e.g. I've dynamically created several servlets from a servlet that I 
specify in a web.xml), however, I have not successfully been able to use
addFilter() from my Servlet init method (although I have done so from a 
contextInitialized event handler).


My questions are:

1) am I totally off the mark in thinking it is OK to use addServlet() from 
the the init() method of a Servlet?  Should I expect this feature to exist 
in future releases or is it a side-effect that could disappear at anytime?


2) should I be able to use addFilter() from an init() method or is that 
crazy.


Thanks,

Dave


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Using addFilter and addServlet

[Dave]

On Wed, 17 Jul 2013, Mark Thomas wrote:


No problem. The expectation of the EG (this was before I was an EG
member but I've chatted about this with Filip who was on the EG for
Servlet 3.0) was that the adding was only for use during context start.
There was some debate about adding during run-time but the conclusion
was not to support that - I think due to potential complexity vs.
benefit / minimal demand.



I can certainly understand that.  I'm speculating that using addServlet() 
from init() worked because of the Tomcat's support for lazy servlet init. 
There's no analogous notion for filters so they never had a chance.



If you have a use case, feel free to open a Jira for the Servlet EG to
consider for 3.2. Contact details should be in the 3.1 spec.



My use case is pretty simple.  I have a ``parent'' servlet that 
instantiates a number of ``child'' servlets (there's no real hierarchy 
here, once they're started they're all peers) based on the parent's 
 values (e.g. query a database, read configs from a dir, etc). 
And, I have multiple parents defined per web.xml file.


I have a reasonable work-around so it's not a big deal.  It would just be 
a little cleaner if I could do it the way I originally planned.


Dave

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Embedded Tomcat common classloader

[Dave Breeze]

on loader not finding this class?


many thanks


Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Embedded Tomcat common classloader

[Dave Breeze]

Thanks Mark
appreciate that the url was for 8.0

With regards to classpath that was my first attempt - unfortunately it
would seem that Tomcat does not support wildcards in the classpath -
for example dirpath/lib/*.jar - at least in version 9.


Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze

On Thu, 6 Jun 2024 at 17:23, Mark Thomas  wrote:
>
> On 06/06/2024 17:52, Dave Breeze wrote:
> >   I have an issue with embedded Tomcat and classloaders.
> >
> > I have a java servlet application that runs in an embedded
> > Tomcat(9.0.70) instance.
>
> 
>
> > https://tomcat.apache.org/tomcat-8.0-doc/class-loader-howto.html
>
> Those are the Tomcat 8.0.x docs. You are using Tomcat 9.0.x.
>
> Tomcat embedded does not set up the class loader structure you get with
> a standard Tomcat instance. Tomcat just uses the classpath.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Embedded Tomcat common classloader

[Dave Breeze]

hi
first thank you for the insights. I did not realise that the wildcard
was expanded by the shell. I thought this was handled by java itself.

However in my instance the jvm is not being created by a shell but by
a JNI wrapper. Originally this JNI wrapper included myDir/lib/*.jar in
the classpath setting - this caused
org.apache.tomcat.util.compat.JreCompat.jarFileNewInstance to attempt
to unzip a file of myDir/lib/*.jar - and caused a
FileNotFoundException.

in response to your update I changed the wrapper to navigate through
myDir and construct a classpath containing every jar (approx 100
files). This enabled the embedded Tomcat instance to resolve all
referenced classes

thanks again
Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze

On Fri, 7 Jun 2024 at 15:02, Chuck Caldarale  wrote:
>
>
> > On Jun 7, 2024, at 08:11, Christopher Schultz 
> >  wrote:
> >
> > On 6/7/24 01:49, Mark Thomas wrote:
> >> On 06/06/2024 18:48, Dave Breeze wrote:
> >>> Thanks Mark
> >>> appreciate that the url was for 8.0
> >>>
> >>> With regards to classpath that was my first attempt - unfortunately it
> >>> would seem that Tomcat does not support wildcards in the classpath -
> >>> for example dirpath/lib/*.jar - at least in version 9.
> >> The requirements for setting the class path are set by the JVM, not by 
> >> Tomcat. If you want all the JARs in a directory to be included in the 
> >> class path then you should add dirpath/lib/* to the class path.
> >
> > I think you'd have to specifically mention every .jar file in that 
> > directory in the classpath, right? I've never known Java to bother 
> > resolving glob patterns on its own. This is usually the responsibility of 
> > the command shell.
>
>
> As Mark stated, you can use an asterisk appended to a directory path in the 
> CLASSPATH value to add all of the jars in that directory to the classpath. 
> (It’s been that way since Java 6.) This works even without shell expansion. 
> For example,
>
> java -cp mylib/* ClassName
>
> does use shell expansion, but will fail if there is more than one file in 
> mylib, since the shell doesn’t generate path separators.
>
> These constructs:
>
> java -cp .:mylib/* ClassName[works in bash, zsh will complain]
> java -cp ‘mylib/*’ ClassName
>
> do not use shell expansion, since a Linux/UNIX shell is put off by the colon 
> or apostrophes.
>
>   - Chuck
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Farm deploy random failures

[Dave B]

I'm having intermittent failures when I deploy to a cluster. I see the 
war file sent to slave nodes but it then becomes zero size. It happens 
on different nodes and not all the time.


Upon failure, Master node .out shows

SEVERE [Catalina-utility-1] 
org.apache.catalina.ha.tcp.SimpleTcpCluster.send Unable to send message 
through cluster sender.
org.apache.catalina.tribes.ChannelException: Send failed, 
attempt:[1] max:[1]; Faulty members:tcp://{172, xx, xx, xx}:5222;
at 
org.apache.catalina.tribes.transport.nio.ParallelNioSender.doLoop(ParallelNioSender.java:217)
at 
org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:78)
at 
org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:51)
at 
org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:65)
at 
org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:83)
at 
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:89)
at 
org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor.sendMessage(ThroughputInterceptor.java:62)
at 
org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:89)
at 
org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:93)



Slave node .out shows



 WARNING [Tribes-Task-Receiver[localhost-Channel]-7] 
org.apache.catalina.tribes.group.GroupChannel.messageReceived Error 
receiving message:

java.lang.NullPointerException
at 
org.apache.catalina.ha.deploy.FileMessageFactory.writeMessage(FileMessageFactory.java:247)
at 
org.apache.catalina.ha.deploy.FarmWarDeployer.messageReceived(FarmWarDeployer.java:226)
at 
org.apache.catalina.ha.tcp.SimpleTcpCluster.messageReceived(SimpleTcpCluster.java:821)
at 
org.apache.catalina.ha.tcp.SimpleTcpCluster.messageReceived(SimpleTcpCluster.java:803)
at 
org.apache.catalina.tribes.group.GroupChannel.messageReceived(GroupChannel.java:345)
at 
org.apache.catalina.tribes.group.ChannelInterceptorBase.messageReceived(ChannelInterceptorBase.java:96)
at 
org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.messageReceived(TcpFailureDetector.java:118)
at 
org.apache.catalina.tribes.group.ChannelInterceptorBase.messageReceived(ChannelInterceptorBase.java:96)
at 
org.apache.catalina.tribes.group.ChannelInterceptorBase.messageReceived(ChannelInterceptorBase.java:96)
at 
org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor.messageReceived(ThroughputInterceptor.java:94)
at 
org.apache.catalina.tribes.group.ChannelInterceptorBase.messageReceived(ChannelInterceptorBase.java:96)
at 
org.apache.catalina.tribes.group.ChannelCoordinator.messageReceived(ChannelCoordinator.java:288)
at 
org.apache.catalina.tribes.transport.ReceiverBase.messageDataReceived(ReceiverBase.java:272)
at 
org.apache.catalina.tribes.transport.nio.NioReplicationTask.drainChannel(NioReplicationTask.java:229)
at 
org.apache.catalina.tribes.transport.nio.NioReplicationTask.run(NioReplicationTask.java:103)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

at java.lang.Thread.run(Thread.java:750)


and here is the cluster section of master node server.xml



  
  className="org.apache.catalina.tribes.group.GroupChannel">
className="org.apache.catalina.tribes.membership.McastService"

  address="xxx.xxx.xxx.xxx"
  port=""
  frequency="500"
  dropTime="5000"
  localLoopbackDisabled="false"/>
className="org.apache.catalina.tribes.transport.nio.NioReceiver"

  address="auto"
  port="5221"
  selectorTimeout="100"
  maxThreads="20"
  timeout="5000"
  autoBind="1000"/>
className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
  className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"

  timeout="5000"/>

className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"

  connectTimeout="5000"/>
className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
className="org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor"/>

  
  
  className="org.apache.catalina.ha.deploy.FarmWarDeployer"

 

Setting java.protocol.handler.pkgs for Tomcat

[Dave Breeze]

Tomcat 9.0.71

I need to use a custom protocol handler. I set JAVA_OPTS to:

 -Djava.protocol.handler.pkgs=com.ibm.crypto.provider

My JAVA_OPTS setting,however, is ignored. This is due to catalina.sh
containing

JAVA_OPTS="$JAVA_OPTS
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources"

The result of catalina.sh is that the jvm has
2  -Djava.protocol.handler.pkgs settings - first  the custom protocol
then org.apache.catalina.webresources. The net result being that Tomcat is
started with -Djava.protocol.handler.pkgs=org.apache.catalina.webresources.


   1. What is the best way of setting java.protocol.handler.pkgs other than
   modifying catalina.sh
   2. do i need to set java.protocol.handler.pkgs to just my custom handler
   or should it be set to a concatenation of
   custom + org.apache.catalina.webresources
   3. if a concatenation of handlers is required what is the syntax

thank you


Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze

Re: Setting java.protocol.handler.pkgs for Tomcat

[Dave Breeze]

Many thanks Mark for the answers - appreciated.

Just to be clear I am running 9.0.71 simply by invoking startup.sh
(currently testing). I am not running embedded. I am not too sure
therefore about the "Call
org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)"
Could you please explain further

thanks again
Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze

Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze


On Fri, 20 Jan 2023 at 11:01, Mark Thomas  wrote:
>
> On 20/01/2023 09:53, Dave Breeze wrote:
> > Tomcat 9.0.71
> >
> > I need to use a custom protocol handler. I set JAVA_OPTS to:
> >
> >   -Djava.protocol.handler.pkgs=com.ibm.crypto.provider
> >
> > My JAVA_OPTS setting,however, is ignored. This is due to catalina.sh
> > containing
> >
> > JAVA_OPTS="$JAVA_OPTS
> > -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
> >
> > The result of catalina.sh is that the jvm has
> > 2  -Djava.protocol.handler.pkgs settings - first  the custom protocol
> > then org.apache.catalina.webresources. The net result being that Tomcat is
> > started with -Djava.protocol.handler.pkgs=org.apache.catalina.webresources.
> >
> >
> > 1. What is the best way of setting java.protocol.handler.pkgs other than
> > modifying catalina.sh
>
> Call
> org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)
>
> to add your custom handler.
>
> > 2. do i need to set java.protocol.handler.pkgs to just my custom handler
> > or should it be set to a concatenation of
> > custom + org.apache.catalina.webresources
>
> If you do it that way, it needs to be both.
>
> > 3. if a concatenation of handlers is required what is the syntax
>
> | delimited
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Setting java.protocol.handler.pkgs for Tomcat

[Dave Breeze]

Thanks again Mark
I have no access to the source for the webapp.
what I was think was that if in catalina.sh the line:

JAVA_OPTS="$JAVA_OPTS
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources"

was simply re-ordered to

JAVA_OPTS="-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
$JAVA_OPTS "

then users could use JAVA_OPTS to set the value.

thanks

Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze

On Fri, 20 Jan 2023 at 12:17, Mark Thomas  wrote:
>
> On 20/01/2023 11:18, Dave Breeze wrote:
> > Many thanks Mark for the answers - appreciated.
> >
> > Just to be clear I am running 9.0.71 simply by invoking startup.sh
> > (currently testing). I am not running embedded. I am not too sure
> > therefore about the "Call
> > org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)"
> > Could you please explain further
>
> You'd need to call it from your application code (probably a
> ServletContextListener).
>
> Alternatively, you could write a Tomcat level LifecycleListener to add
> it if the JAR with the handler is in $CATALINA_BASE/lib
>
> Hmm. It looks like we can remove this in Tomcat 10 onwards and use the
> ServiceLoader mechanism. (OK, may need to deprecate this in 10 and
> remove it in Tomcat 11).
>
> Mark
>
>
> >
> > thanks again
> > Dave Breeze
> > Linkedin:https://uk.linkedin.com/in/dabreeze
> >
> > Dave Breeze
> > Linkedin:https://uk.linkedin.com/in/dabreeze
> >
> >
> > On Fri, 20 Jan 2023 at 11:01, Mark Thomas  wrote:
> >>
> >> On 20/01/2023 09:53, Dave Breeze wrote:
> >>> Tomcat 9.0.71
> >>>
> >>> I need to use a custom protocol handler. I set JAVA_OPTS to:
> >>>
> >>>-Djava.protocol.handler.pkgs=com.ibm.crypto.provider
> >>>
> >>> My JAVA_OPTS setting,however, is ignored. This is due to catalina.sh
> >>> containing
> >>>
> >>> JAVA_OPTS="$JAVA_OPTS
> >>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
> >>>
> >>> The result of catalina.sh is that the jvm has
> >>> 2  -Djava.protocol.handler.pkgs settings - first  the custom protocol
> >>> then org.apache.catalina.webresources. The net result being that Tomcat is
> >>> started with 
> >>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources.
> >>>
> >>>
> >>>  1. What is the best way of setting java.protocol.handler.pkgs other 
> >>> than
> >>>  modifying catalina.sh
> >>
> >> Call
> >> org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)
> >>
> >> to add your custom handler.
> >>
> >>>  2. do i need to set java.protocol.handler.pkgs to just my custom 
> >>> handler
> >>>  or should it be set to a concatenation of
> >>>  custom + org.apache.catalina.webresources
> >>
> >> If you do it that way, it needs to be both.
> >>
> >>>  3. if a concatenation of handlers is required what is the syntax
> >>
> >> | delimited
> >>
> >> Mark
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Setting java.protocol.handler.pkgs for Tomcat

[Dave Breeze]

thanks
i have just done a quick and dirty test - I found a tomcat launcher code I
did as an exercise - quickly modified it to set the handler to a
concatenation. Tomcat launches correctly and uses the ibm safkeyring

thanks again
Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze


On Fri, 20 Jan 2023 at 15:55, Thomas Meyer  wrote:

> The reason was class loader issues
>
> Am 20. Januar 2023 13:37:11 MEZ schrieb Mark Thomas :
> >From memory, there is a reason the Tomcat handler has to be first. I
> forget exactly why that is. I'd need to dig into this some more (and I have
> my hands full working on the RFC 9128 implementation at the moment).
> >
> >In your case, it looks like a custom LifecycleListener would work. In
> terms of changes to Tomcat, I'd lean more towards a Tomcat specific system
> property you could use instead of java.protocol.handler.pkgs
> >for Tomcat 8.5.x - 10.1x with the whole lot being replaced by a
> ServiceLoader in 11.0.x
> >
> >Mark
> >
> >
> >On 20/01/2023 12:28, Dave Breeze wrote:
> >> Thanks again Mark
> >> I have no access to the source for the webapp.
> >> what I was think was that if in catalina.sh the line:
> >>
> >> JAVA_OPTS="$JAVA_OPTS
> >> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
> >>
> >> was simply re-ordered to
> >>
> >> JAVA_OPTS="-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> >> $JAVA_OPTS "
> >>
> >> then users could use JAVA_OPTS to set the value.
> >>
> >> thanks
> >>
> >> Dave Breeze
> >> Linkedin:https://uk.linkedin.com/in/dabreeze
> >>
> >> On Fri, 20 Jan 2023 at 12:17, Mark Thomas  wrote:
> >>>
> >>> On 20/01/2023 11:18, Dave Breeze wrote:
> >>>> Many thanks Mark for the answers - appreciated.
> >>>>
> >>>> Just to be clear I am running 9.0.71 simply by invoking startup.sh
> >>>> (currently testing). I am not running embedded. I am not too sure
> >>>> therefore about the "Call
> >>>>
> org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)"
> >>>> Could you please explain further
> >>>
> >>> You'd need to call it from your application code (probably a
> >>> ServletContextListener).
> >>>
> >>> Alternatively, you could write a Tomcat level LifecycleListener to add
> >>> it if the JAR with the handler is in $CATALINA_BASE/lib
> >>>
> >>> Hmm. It looks like we can remove this in Tomcat 10 onwards and use the
> >>> ServiceLoader mechanism. (OK, may need to deprecate this in 10 and
> >>> remove it in Tomcat 11).
> >>>
> >>> Mark
> >>>
> >>>
> >>>>
> >>>> thanks again
> >>>> Dave Breeze
> >>>> Linkedin:https://uk.linkedin.com/in/dabreeze
> >>>>
> >>>> Dave Breeze
> >>>> Linkedin:https://uk.linkedin.com/in/dabreeze
> >>>>
> >>>>
> >>>> On Fri, 20 Jan 2023 at 11:01, Mark Thomas  wrote:
> >>>>>
> >>>>> On 20/01/2023 09:53, Dave Breeze wrote:
> >>>>>> Tomcat 9.0.71
> >>>>>>
> >>>>>> I need to use a custom protocol handler. I set JAVA_OPTS to:
> >>>>>>
> >>>>>> -Djava.protocol.handler.pkgs=com.ibm.crypto.provider
> >>>>>>
> >>>>>> My JAVA_OPTS setting,however, is ignored. This is due to catalina.sh
> >>>>>> containing
> >>>>>>
> >>>>>> JAVA_OPTS="$JAVA_OPTS
> >>>>>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
> >>>>>>
> >>>>>> The result of catalina.sh is that the jvm has
> >>>>>> 2  -Djava.protocol.handler.pkgs settings - first  the custom
> protocol
> >>>>>> then org.apache.catalina.webresources. The net result being that
> Tomcat is
> >>>>>> started with
> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources.
> >>>>>>
> >>>>>>
> >>>>>>   1. What is the best way of setting java.protocol.handler.pkgs
> other than
> >>>>>>   modifying catalina.sh
> >>>>>
> &

Tomcat client certicate authentication

[Dave Breeze]

hi
this is Tomcat 9.0 running embedded

I am trying to authorize access by client certificate. I want the
servlet response to be tailored to the user's role. In other words I
am not looking to deny access by role.

The connector has sslCon.setProperty("clientAuth", "required");
The context has a config file set serverAppContext.setConfigFile(contextURL);
The config file contains



  


users.xml contains



  
  
  
  



Certificates are imported into the browser and the browser prompts for
cert selection.

There are no security constraints on the apps web.xml.

In the servlet there is a test of httpReq.isUserInRole("cart-admin").
This always fails. Also a req.getUserPrincipal() call always returns
null. The request does not seem to be authenticated.

Further in the servlet a X509Certificate[] certs = (X509Certificate[])
req.getAttribute("javax.servlet.request.X509Certificate") correctly
returns both the certificate from the browser plus the Cert Auth. A
getSubjectX500Principal().getName() call on the browser certificate
returns the cn/o/ou setting that should match with users.xml.

What am I missing here?


Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat client certicate authentication

[Dave Breeze]

Thanks  Chris
the application is requesting certificate authentication - and this is
working - it is just the mapping of users to roles that is not
happening

I implemented an org.apache.catalina.realm.X509UsernameRetriever and
configured using X509UsernameRetrieverClassName but it was never
called. In my servlet, however, I can retrieve the certificates.

thanks for your help

Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze

On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
 wrote:
>
> Dave,
>
> On 1/28/23 09:28, Dave Breeze wrote:
> > this is Tomcat 9.0 running embedded
> >
> > I am trying to authorize access by client certificate. I want the
> > servlet response to be tailored to the user's role. In other words I
> > am not looking to deny access by role.
> >
> > The connector has sslCon.setProperty("clientAuth", "required");
> > The context has a config file set 
> > serverAppContext.setConfigFile(contextURL);
> > The config file contains
> >
> > 
> > 
> > >   debug="9"
> >   pathname="/var/CartS3Server/cartapp/users.xml"/>
> > 
> >
> > users.xml contains
> >
> > 
> > 
> >
> >
> >
> > > roles="cart-admin"/>
> > 
> >
> >
> > Certificates are imported into the browser and the browser prompts for
> > cert selection.
> >
> > There are no security constraints on the apps web.xml.
> >
> > In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> > This always fails. Also a req.getUserPrincipal() call always returns
> > null. The request does not seem to be authenticated.
>  >
> > Further in the servlet a X509Certificate[] certs = (X509Certificate[])
> > req.getAttribute("javax.servlet.request.X509Certificate") correctly
> > returns both the certificate from the browser plus the Cert Auth. A
> > getSubjectX500Principal().getName() call on the browser certificate
> > returns the cn/o/ou setting that should match with users.xml.
> >
> > What am I missing here?
>
> If the application does not request authentication, Tomcat will not
> perform if on behalf of the application. If you want a Principal and to
> be able to check roles, etc. then you'll need to request CLIENT-CERT
> authentication in web.xml (or the embedded equivalent).
>
> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat client certicate authentication

[Dave Breeze]

Chris
thanks for your mail
Apologies for confusion. Yes I am requesting certificates
- sslCon.setProperty("clientAuth", "required") and a user can only connect
by supplying a valid certificate.

I removed constraints from the web.xml as I did not want access to a
servlet restricted to a role - I need the servlet to respond
differently based on role. what I have decided to do in the servlet is to
retrieve the user-id from the certificate and determine their role by using
a security product native to the platform on which Tomcat is running

Thanks for your help.

Dave Breeze
Linkedin:https://uk.linkedin.com/in/dabreeze


On Mon, 30 Jan 2023 at 15:41, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Dave,
>
> On 1/30/23 04:21, Dave Breeze wrote:
> > Thanks  Chris
> > the application is requesting certificate authentication - and this is
> > working - it is just the mapping of users to roles that is not
> > happening
>
> No, the server is requesting the certificate information; the
> application is not. From your original posting:
>
>
> On 1/28/23 09:28, Dave Breeze wrote:
>  > There are no security constraints on the apps web.xml.
>
> With no security constraints, the application is not requesting
> authentication. Tomcat therefore does not provide any "authentication
> information" to the application. If the client sends a certificate
> (which is happening at the request of the /server/), then Tomcat will
> forward that certificate information to the application. But it will not
> use it for any kind of authentication or authorization.
>
> > I implemented an org.apache.catalina.realm.X509UsernameRetriever and
> > configured using X509UsernameRetrieverClassName but it was never
> > called. In my servlet, however, I can retrieve the certificates.
>
> That's consistent with your configuration IMO.
>
> You will have to tell your application to use CLIENT-CERT authentication
> if you want Tomcat to parse that cert chain for you, populate the user
> principal, etc.
>
> -chris
>
> > On Sun, 29 Jan 2023 at 22:21, Christopher Schultz
> >  wrote:
> >>
> >> Dave,
> >>
> >> On 1/28/23 09:28, Dave Breeze wrote:
> >>> this is Tomcat 9.0 running embedded
> >>>
> >>> I am trying to authorize access by client certificate. I want the
> >>> servlet response to be tailored to the user's role. In other words I
> >>> am not looking to deny access by role.
> >>>
> >>> The connector has sslCon.setProperty("clientAuth", "required");
> >>> The context has a config file set
> serverAppContext.setConfigFile(contextURL);
> >>> The config file contains
> >>>
> >>> 
> >>> 
> >>>  >>>debug="9"
> >>>pathname="/var/CartS3Server/cartapp/users.xml"/>
> >>> 
> >>>
> >>> users.xml contains
> >>>
> >>> 
> >>> 
> >>> 
> >>> 
> >>>  roles="cart-user"/>
> >>>  roles="cart-admin"/>
> >>> 
> >>>
> >>>
> >>> Certificates are imported into the browser and the browser prompts for
> >>> cert selection.
> >>>
> >>> There are no security constraints on the apps web.xml.
> >>>
> >>> In the servlet there is a test of httpReq.isUserInRole("cart-admin").
> >>> This always fails. Also a req.getUserPrincipal() call always returns
> >>> null. The request does not seem to be authenticated.
> >>   >
> >>> Further in the servlet a X509Certificate[] certs = (X509Certificate[])
> >>> req.getAttribute("javax.servlet.request.X509Certificate") correctly
> >>> returns both the certificate from the browser plus the Cert Auth. A
> >>> getSubjectX500Principal().getName() call on the browser certificate
> >>> returns the cn/o/ou setting that should match with users.xml.
> >>>
> >>> What am I missing here?
> >>
> >> If the application does not request authentication, Tomcat will not
> >> perform if on behalf of the application. If you want a Principal and to
> >> be able to check roles, etc. then you'll need to request CLIENT-CERT
> >> authentication in web.xml (or the embedded equivalent).
> >>
> >> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Microsoft Edge (Chromium based) not prompting for logons

[Dave Ford]

We've set up out Tomcat Manager to use LDAP for authentication - (note,
this is not MS AD, but linux-based LDAP server). The OS our tomcat
servers are running on is Linux and they're not intergrated with our AD
domain in any way at all.

Our users have been happily logging into the Tomcat manager app using
various web browsers for some time - they get prompted for a username
and password, they provide their credentials (which is the same user
name and password as they're currently logged onto windows with, but
with no domain\ or @domain info in the username), they're checked
against LDAP servers, and are let into the app assuming they're
allowed.

However, we've recently received reports that some of our users who
have had their Windows machines copies of Edge upgraded to the latest
version are no longer being prompted for credentials.  Instead, they're
directly immediately to a 401 unauthorised message. Other browsers,
including Chrome, still prompt.

We've changed nothing at the tomcat end, so this is clearly a problem
with the behaviour of Edge - but I'm keep to try and understand it. 

I can't find any useful information in the tomcat logs - is it possible
to turn up the logging for the manager app to see exactly what
credentials (well, username) is being passed by Edge to it?

Thanks
Dave

Re: Microsoft Edge (Chromium based) not prompting for logons

[Dave Ford]

On Mon, 2020-09-14 at 09:12 -0400, Christopher Schultz wrote:
> Are you using HTTP or HTTPS?

HTTPS.


> TLDR: visit edge://policy in Edge and look for AuthSchemes. If the
> value doesn't include "basic", add it and re-try.

Yeah, that was it - I wasn't able to change our edge settings - that's
locked down by others.  Finding out where to change the authentication
methods at the tomcat end was a bit harder than I hoped - I'd assumed
it was in the tomcat server area, rather than th eapplication itself,
which explains why I wasn't able to find much in the documentation - I
was looking at the wrong place.

Thanks very much - got a route forward throug this now 
Thanks
Dave

Monitoring Tomcat with SNMP?

[Dave Morrow]

Does anyone out there have any experience with monitoring Tomcat using the SNMP 
agent in JDK 1.5?  I am looking to use an SNMP tool to gather statistics from 
the JVM.

David A. Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodata.net
Tel: (519) 951-6079
Fax: (519) 451-6615 

< Poor planning on your part does not necessarily constitute an emergency on my 
part! >

This message has originated from Autodata Solutions. The attached material is 
the Confidential and Proprietary Information of Autodata Solutions. This email 
and any files transmitted with it are confidential and intended solely for the 
use of the individual or entity to whom they are addressed. If you have 
received this email in error please delete this message and notify the Autodata 
system administrator at [EMAIL PROTECTED] 

RE: Monitoring Tomcat with SNMP?

[Dave Morrow]

I'd like to use SNMP which is referenced here
http://java.sun.com/j2se/1.5.0/docs/guide/management/SNMP.html


David A. Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodata.net
Tel: (519) 951-6079
Fax: (519) 451-6615 

< Poor planning on your part does not necessarily constitute an
emergency on my part! >

This message has originated from Autodata Solutions. The attached
material is the Confidential and Proprietary Information of Autodata
Solutions. This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please delete
this message and notify the Autodata system administrator at
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

-Original Message-
From: Peter Lin [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 04, 2005 8:36 AM
To: Tomcat Users List
Subject: Re: Monitoring Tomcat with SNMP?

tomcat has the status servlet, so you could use that to monitor tomcat.
other than that, you'd probably have to write a servlet to return snmp
results

peter

On 11/4/05, Dave Morrow <[EMAIL PROTECTED]> wrote:
>
> Does anyone out there have any experience with monitoring Tomcat using

> the SNMP agent in JDK 1.5? I am looking to use an SNMP tool to gather 
> statistics from the JVM.
>
> David A. Morrow
> Technical Systems Lead
> Autodata Solutions Company
> [EMAIL PROTECTED]
> http://www.autodata.net
> Tel: (519) 951-6079
> Fax: (519) 451-6615
>
> < Poor planning on your part does not necessarily constitute an 
> emergency on my part! >
>
> This message has originated from Autodata Solutions. The attached 
> material is the Confidential and Proprietary Information of Autodata 
> Solutions. This email and any files transmitted with it are 
> confidential and intended solely for the use of the individual or 
> entity to whom they are addressed. If you have received this email in 
> error please delete this message and notify the Autodata system
administrator at [EMAIL PROTECTED]  [EMAIL PROTECTED]>
>
>
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: Monitoring Tomcat with SNMP?

[Dave Morrow]

It is just the SNMP stuff I am initially after...but I cannot seem
to get it to work, was hoping someone had some experience with it.
Thanks for the advice though. 


David A. Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodata.net
Tel: (519) 951-6079
Fax: (519) 451-6615 

< Poor planning on your part does not necessarily constitute an
emergency on my part! >

This message has originated from Autodata Solutions. The attached
material is the Confidential and Proprietary Information of Autodata
Solutions. This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please delete
this message and notify the Autodata system administrator at
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

-Original Message-
From: Peter Lin [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 04, 2005 1:02 PM
To: Tomcat Users List
Subject: Re: Monitoring Tomcat with SNMP?

that depends on what you want to monitor. if you just want low level JVM
stuff, SNMP is probably sufficient, though I personally haven't tried.
If you want to know the stats that Tomcat maintains in it's mbeans for
the container, I don't think SNMP is going to give you those stats.

just something to consider.

peter


On 11/4/05, Dave Morrow <[EMAIL PROTECTED]> wrote:
>
> I'd like to use SNMP which is referenced here 
> http://java.sun.com/j2se/1.5.0/docs/guide/management/SNMP.html
>
>
> David A. Morrow
> Technical Systems Lead
> Autodata Solutions Company
> [EMAIL PROTECTED]
> http://www.autodata.net
> Tel: (519) 951-6079
> Fax: (519) 451-6615
>
> < Poor planning on your part does not necessarily constitute an 
> emergency on my part! >
>
> This message has originated from Autodata Solutions. The attached 
> material is the Confidential and Proprietary Information of Autodata 
> Solutions. This email and any files transmitted with it are 
> confidential and intended solely for the use of the individual or 
> entity to whom they are addressed. If you have received this email in 
> error please delete this message and notify the Autodata system 
> administrator at [EMAIL PROTECTED] 
> <mailto:[EMAIL PROTECTED]>
>
> -Original Message-
> From: Peter Lin [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 04, 2005 8:36 AM
> To: Tomcat Users List
> Subject: Re: Monitoring Tomcat with SNMP?
>
> tomcat has the status servlet, so you could use that to monitor
tomcat.
> other than that, you'd probably have to write a servlet to return snmp

> results
>
> peter
>
> On 11/4/05, Dave Morrow <[EMAIL PROTECTED]> wrote:
> >
> > Does anyone out there have any experience with monitoring Tomcat 
> > using
>
> > the SNMP agent in JDK 1.5? I am looking to use an SNMP tool to 
> > gather statistics from the JVM.
> >
> > David A. Morrow
> > Technical Systems Lead
> > Autodata Solutions Company
> > [EMAIL PROTECTED]
> > http://www.autodata.net
> > Tel: (519) 951-6079
> > Fax: (519) 451-6615
> >
> > < Poor planning on your part does not necessarily constitute an 
> > emergency on my part! >
> >
> > This message has originated from Autodata Solutions. The attached 
> > material is the Confidential and Proprietary Information of Autodata

> > Solutions. This email and any files transmitted with it are 
> > confidential and intended solely for the use of the individual or 
> > entity to whom they are addressed. If you have received this email 
> > in error please delete this message and notify the Autodata system
> administrator at [EMAIL PROTECTED]  > [EMAIL PROTECTED]>
> >
> >
> >
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Session-timeout

[Dave Morrow]

Hi all.  I have a server with multiple applications running under Tomcat 5.5

In /conf/web.xml  is set to 30

In /webapps/myapp/WEB-INF/web.xml  is set to -1 
(infinite)

Users are being timed out of their sessions after 30 minutes as opposed to 
never being timed out.  


David A. Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodata.net

* PLEASE NOTE THAT EFFECTIVE DEC 1,2005 MY TELEPHONE NUMBER WILL CHANGE *

NEW !!! Tel: (519) 963-3020
Fax: (519) 451-6615 

< Poor planning on your part does not necessarily constitute an emergency on my 
part! >

This message has originated from Autodata Solutions. The attached material is 
the Confidential and Proprietary Information of Autodata Solutions. This email 
and any files transmitted with it are confidential and intended solely for the 
use of the individual or entity to whom they are addressed. If you have 
received this email in error please delete this message and notify the Autodata 
system administrator at [EMAIL PROTECTED] 

Help with session-timeout

[Dave Morrow]

Hi all.  I have a server with multiple applications running under Tomcat 5.5

In /conf/web.xml  is set to 30

In /webapps/myapp/WEB-INF/web.xml  is set to -1 
(infinite)

Users are being timed out of their sessions after 30 minutes as opposed to 
never being timed out.  

Can anyone assist with this?  Any help would be greatly appreciated.


David A. Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodata.net

* PLEASE NOTE THAT EFFECTIVE DEC 1,2005 MY TELEPHONE NUMBER WILL CHANGE *

NEW !!! Tel: (519) 963-3020
Fax: (519) 451-6615 

< Poor planning on your part does not necessarily constitute an emergency on my 
part! >

This message has originated from Autodata Solutions. The attached material is 
the Confidential and Proprietary Information of Autodata Solutions. This email 
and any files transmitted with it are confidential and intended solely for the 
use of the individual or entity to whom they are addressed. If you have 
received this email in error please delete this message and notify the Autodata 
system administrator at [EMAIL PROTECTED] 

RE: Help with session-timeout

[Dave Morrow]

Thanks Rob.  I'll keep this investigation open.  It's really annoying
me. 



David A. Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodata.net

* PLEASE NOTE THAT EFFECTIVE DEC 1,2005 MY TELEPHONE NUMBER WILL CHANGE
*

NEW !!! Tel: (519) 963-3020
Fax: (519) 451-6615 

< Poor planning on your part does not necessarily constitute an
emergency on my part! >

This message has originated from Autodata Solutions. The attached
material is the Confidential and Proprietary Information of Autodata
Solutions. This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please delete
this message and notify the Autodata system administrator at
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

-Original Message-
From: Rob Dickey [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 29, 2005 2:23 PM
To: Dave Morrow
Cc: 'Tomcat Users List'
Subject: RE: Help with session-timeout

Are there any other services involved (JDBC, etc.) that are referenced
by or in the session, or where the sessions are dependent? Just
wondering why TC threads are invalidating the session...

Another option to test is add a line of code in your login process
(whatever establishes the HttpSession object) and manually set the
timeout with the
HttpSession.setMaxInactiveInterval() method.  I believe this method
overrides any descriptor settings.

Of course, having said all of that, your descriptors should work as you
have specified.  Perhaps the "multiple applications" or other service
timeout descriptors are influencing the session timeouts...I've seen
stranger things happen...you might find this link useful as a test of
your TC session timeout setup...
http://www.jguru.com/faq/view.jsp?EID=127074

HTH,
Rob

-Original Message-
From: Dave Morrow [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 10:48 AM
To: Tomcat Users List
Subject: Help with session-timeout

Hi all.  I have a server with multiple applications running under Tomcat
5.5

In /conf/web.xml  is set to 30

In /webapps/myapp/WEB-INF/web.xml  is set
to
-1 (infinite)

Users are being timed out of their sessions after 30 minutes as opposed
to never being timed out.  

Can anyone assist with this?  Any help would be greatly appreciated.


David A. Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodata.net

* PLEASE NOTE THAT EFFECTIVE DEC 1,2005 MY TELEPHONE NUMBER WILL CHANGE
*

NEW !!! Tel: (519) 963-3020
Fax: (519) 451-6615 

< Poor planning on your part does not necessarily constitute an
emergency on my part! >

This message has originated from Autodata Solutions. The attached
material is the Confidential and Proprietary Information of Autodata
Solutions. This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please delete
this message and notify the Autodata system administrator at
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Mod_jk and Security

[Dave Morrow]

Hi all.  I have a website running under Tomcat 5.5.9

I would like to use mod_jk to allow Apache to serve all static content however, 
I cannot figure out how to serve this content only if the user has already 
logged into the application.  This application uses Tomcat sessions.

Anyone have experience in this?


David A. Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodata.net

NEW !!! Tel: (519) 963-3020
Fax: (519) 451-6615 

< Poor planning on your part does not necessarily constitute an emergency on my 
part! >

This message has originated from Autodata Solutions. The attached material is 
the Confidential and Proprietary Information of Autodata Solutions. This email 
and any files transmitted with it are confidential and intended solely for the 
use of the individual or entity to whom they are addressed. If you have 
received this email in error please delete this message and notify the Autodata 
system administrator at [EMAIL PROTECTED] 

Tomcat 5.5.12 custom Resource factory - javax.naming.NamingException: Cannot create resource instance

[Dave Whitla]

Calling Craig  help please.

I am trying to deploy a client web-application to a distributed app which relies
on ActiveMQ as its core async messaging medium.

I have declared the appropriate resources in the GlobalNamingResources section
of server.xml and referenced them via ResourceLinks in the context.xml.

The org.activemq.jndi.JNDIReferenceFactory and all it's dependencies are
available to the server in jars copied to ${tomcat.home}/common/lib.

When tomcat starts org.activemq.jndi.JNDIReferenceFactory methods are called to
create the resource references as expected. They are bound in the JNDI tree
afterwards as expected.  However they cannot be retrieved.  Attempts to look
them up in the deployed webapp result in NamingExceptions being thrown with the
message "Cannot create resource instance".

Interestingly, when debugging tomcat during this process it seems the
references' "factory" attributes are null, causing NamingManager to use the
tomcat default ResourceFactory instead of the ActiveMQ factory when looking up
the references - as is clear in the stack trace.

Unless I have made a simple configuration error, I think that
org.apache.catalina.core.NamingContextListener.addResource calls the wrong
ResourceRef constructor, not specifying a factory parameter.

This is real frustrating and if I dont sort it out soon I'm gonna get my arse
kicked.  Any help would be much appreciated.

server.xml:


...







context.xml under WAR META-INF:








Excerpt from java class where the resource is looked up:

private synchronized void tryToSubscribe()
throws JMSException, NamingException {
if (! subscribed) {
try {
InitialContext initCtx = getInitialContext();
Context envCtx = (Context) initCtx.lookup("java:comp/env");
ConnectionFactory connectionFactory =
lookupConnectionFactory(envCtx);
Topic destination = lookupTopic(envCtx);
connection = connectionFactory.createConnection();
session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
MessageConsumer consumer = Session.createDurableSubscriber(
destination, DURABLE_SUBSCRIPTION_NAME);
consumer.setMessageListener(this);
connection.start();
subscribed = true;
} catch (JMSException e) {
LOG.log(
Level.SEVERE, 
"Caught JMSException during agent destination subscription",
e);
throw e;
} catch (NamingException e) {
LOG.log(
Level.SEVERE,
"Caught NamingException during agent destination subscription");
throw e;
}
}
}

private ConnectionFactory lookupConnectionFactory(Context namingContext)
throws NamingException {
try {
return (ConnectionFactory)
namingContext.lookup("jms/MessageBusConnectionFactory");
} catch (NamingException e) {
LOG.log(
Level.SEVERE,
"Could not retrieve MessageBus connection factory via JNDI: ", e);
throw e;
}
}

Stack trace excerpt:

21/12/2005 18:56:20 com.wotif.jaguar.search.util.MessageBusAgent
lookupConnectionFactory
SEVERE: Could not retrieve MessageBus connection factory via JNDI: 
javax.naming.NamingException: Cannot create resource instance
at org.apache.naming.factory.ResourceFactory.
getObjectInstance(ResourceFactory.java:132)
at javax.naming.spi.NamingManager.
getObjectInstance(NamingManager.java:304)
at org.apache.naming.NamingContext.lookup(NamingContext.java:792)
at org.apache.naming.NamingContext.lookup(NamingContext.java:139)
at org.apache.naming.NamingContext.lookup(NamingContext.java:780)
at org.apache.naming.NamingContext.lookup(NamingContext.java:152)
at blah.MessageBusAgent.lookupConnectionFactory(MessageBusAgent.java:96)
at blah.MessageBusAgent.tryToSubscribe(MessageBusAgent.java:139)
at blah.MessageBusAgent.access$200(MessageBusAgent.java:35)
at blah.MessageBusAgent$Subscriber.run(MessageBusAgent.java:181)
at java.lang.Thread.run(Thread.java:595)



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Tomcat 5.5.12 - custom Resource doesn't work

[Dave Whitla]

I am trying to deploy a client web-application to a distributed app which relies
on ActiveMQ as its core async messaging medium.

I have declared the appropriate resources in the GlobalNamingResources section
of server.xml and referenced them via ResourceLinks in the context.xml.

The org.activemq.jndi.JNDIReferenceFactory and all it's dependencies are
available to the server in jars copied to ${tomcat.home}/common/lib.

When tomcat starts org.activemq.jndi.JNDIReferenceFactory methods are called to
create the resource references as expected. They are bound in the JNDI tree
afterwards as expected.  However they cannot be retrieved.  Attempts to look
them up in the deployed webapp result in NamingExceptions being thrown with the
message "Cannot create resource instance".

Interestingly, when debugging tomcat during this process it seems the
references' "factory" attributes are null, causing NamingManager to use the
tomcat default ResourceFactory instead of the ActiveMQ factory when looking up
the references - as is clear in the stack trace.

Unless I have made a simple configuration error, I think that
org.apache.catalina.core.NamingContextListener.addResource calls the wrong
ResourceRef constructor, not specifying a factory parameter.

Any help would be much appreciated.

server.xml:


...






context.xml under WAR META-INF:







Excerpt from java class where the resource is looked up:

private synchronized void tryToSubscribe()
throws JMSException, NamingException {
if (! subscribed) {
try {
InitialContext initCtx = getInitialContext();
Context envCtx = (Context) initCtx.lookup("java:comp/env");
ConnectionFactory connectionFactory =
lookupConnectionFactory(envCtx);
Topic destination = lookupTopic(envCtx);
connection = connectionFactory.createConnection();
session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
MessageConsumer consumer = Session.createDurableSubscriber(
destination, DURABLE_SUBSCRIPTION_NAME);
consumer.setMessageListener(this);
connection.start();
subscribed = true;
} catch (JMSException e) {
LOG.log(
Level.SEVERE, 
"Caught JMSException during agent destination subscription",
e);
throw e;
} catch (NamingException e) {
LOG.log(
Level.SEVERE,
"Caught NamingException during agent destination subscription");
throw e;
}
}
}

private ConnectionFactory lookupConnectionFactory(Context namingContext)
throws NamingException {
try {
return (ConnectionFactory)
namingContext.lookup("jms/MessageBusConnectionFactory");
} catch (NamingException e) {
LOG.log(
Level.SEVERE,
"Could not retrieve MessageBus connection factory via JNDI: ", e);
throw e;
}
}

Stack trace excerpt:

21/12/2005 18:56:20 com.wotif.jaguar.search.util.MessageBusAgent
lookupConnectionFactory
SEVERE: Could not retrieve MessageBus connection factory via JNDI: 
javax.naming.NamingException: Cannot create resource instance
at org.apache.naming.factory.ResourceFactory.
getObjectInstance(ResourceFactory.java:132)
at javax.naming.spi.NamingManager.
getObjectInstance(NamingManager.java:304)
at org.apache.naming.NamingContext.lookup(NamingContext.java:792)
at org.apache.naming.NamingContext.lookup(NamingContext.java:139)
at org.apache.naming.NamingContext.lookup(NamingContext.java:780)
at org.apache.naming.NamingContext.lookup(NamingContext.java:152)
at blah.MessageBusAgent.lookupConnectionFactory(MessageBusAgent.java:96)
at blah.MessageBusAgent.tryToSubscribe(MessageBusAgent.java:139)
at blah.MessageBusAgent.access$200(MessageBusAgent.java:35)
at blah.MessageBusAgent$Subscriber.run(MessageBusAgent.java:181)
at java.lang.Thread.run(Thread.java:595)



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

How to diagnose a TomCat hang?

[Dave Pullin]

Briefly: Is there anyway to figure out what TomCat is doing, or trying to
do, when it hangs and does not respond to any http or https request?

Details: I am running Tomcat 5.1.12 on Redhat9 on a 4 processor server. I
get frequent but random Tomcat hangs. It has not happened on a 1 processor
system, with either Linux or Windows. I can force the hang to happen fairly
reliably if I run tests to bombard the server with http requests (several
per second). According to logs it happens after the end of processing one
request and before the beginning the next. It is apparently not within
application code, unless it's a finalizer. I have run a higher priority
daemon thread in same JVM that just writes the time to a log file, and it
hangs at the same time, so it could be the JVM that's hanging, or whatever
does the real threading. Mostly, but not always, 'top' shows the 'java'
process using 99.9% of CPU, and 2 of the 4 processors at about 40%.  I can
kill the java process with 'kill -9', but I can't figure what it was stuck
doing.

Any suggestions?


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: How to diagnose a TomCat hang?

[Dave Pullin]

Thank you. I've now tried kill -QUIT. The java process didn't die and it
didn't write anything to catalina.out.  May be that indicates what is hung,
if it's not catching the QUIT signal?


-Original Message-
From: Tim Lucia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 1:37 PM
To: 'Tomcat Users List'
Subject: RE: How to diagnose a TomCat hang?


kill -QUIT will cause a stack dump... including any Java deadlocks.

-----Original Message-
From: Dave Pullin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 1:33 PM
To: users@tomcat.apache.org
Subject: How to diagnose a TomCat hang?


Briefly: Is there anyway to figure out what TomCat is doing, or trying to
do, when it hangs and does not respond to any http or https request?

Details: I am running Tomcat 5.1.12 on Redhat9 on a 4 processor server. I
get frequent but random Tomcat hangs. It has not happened on a 1 processor
system, with either Linux or Windows. I can force the hang to happen fairly
reliably if I run tests to bombard the server with http requests (several
per second). According to logs it happens after the end of processing one
request and before the beginning the next. It is apparently not within
application code, unless it's a finalizer. I have run a higher priority
daemon thread in same JVM that just writes the time to a log file, and it
hangs at the same time, so it could be the JVM that's hanging, or whatever
does the real threading. Mostly, but not always, 'top' shows the 'java'
process using 99.9% of CPU, and 2 of the 4 processors at about 40%.  I can
kill the java process with 'kill -9', but I can't figure what it was stuck
doing.

Any suggestions?


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: How to diagnose a TomCat hang?

[Dave Pullin]

I am using JDK 1.5, so may be not good news for you.

btw - I have not observed the hang on my 2 processor systems - only the 4
processor -- but that could just be luck -- it's obviously very time
dependent.
Dave

-Original Message-
From: tamsin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 2:03 PM
To: Tomcat Users List
Subject: RE: How to diagnose a TomCat hang?


Just out of interest, what version of java are you using?

We had to disable the second processor on our production server while
running 1.4, due to the app hanging as you describe.

We're about to update to jdk 1.5, so might try re-enabling that second
processor again...

Tamsin

w: www.anorakgirl.co.uk



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

How to diagnose a TomCat hang?

[Dave Pullin]

Thanks to Tim Lucia I found the solution to my problem. In case any one else
gets this problem here's the answer.


Problem Briefly: Is there anyway to figure out what TomCat is doing, or
trying to
do, when it hangs and does not respond to any http or https request?

Problem Details: I am running Tomcat 5.1.12 on Redhat9 on a 4 processor
server. I get frequent but random Tomcat hangs. It has not happened on a 1
processor system, with either Linux or Windows. I can force the hang to
happen fairly reliably if I run tests to bombard the server with http
requests (several
per second). According to logs it happens after the end of processing one
request and before the beginning the next. It is apparently not within
application code, unless it's a finalizer. I have run a higher priority
daemon thread in same JVM that just writes the time to a log file, and it
hangs at the same time, so it could be the JVM that's hanging, or whatever
does the real threading. Mostly, but not always, 'top' shows the 'java'
process using 99.9% of CPU, and 2 of the 4 processors at about 40%.  I can
kill the java process with 'kill -9', but I can't figure what it was stuck
doing.

Any suggestions?

Answer:
The linux command 'kill -QUIT ' dumps the state of the JVM to
catalina.out which shows, for example, where you are in your code if it is
in an infinite loop or a wait-deadlock. kill -QUIT does not actually stop
Tomcat.

(You find the pid of tomcat to use in 'kill -QUIT ' using the command
'ps -ef | grep java' which gives output like this:

root 30625 1  0 Jan22 ?00:10:00
/pgm/java/bin/java -Djava.util.logging.manager=org.apache.juli.ClassLoaderLo
gManager -Djava.util.logging.config.file=/data/tomcat/conf/logging.propertie
s -Djava.endorsed.dirs=/pgm/tomcat/common/endorsed -classpath
:/pgm/tomcat/bin/bootstrap.jar:/pgm/tomcat/bin/commons-logging-api.jar -Dcat
alina.base=/data/tomcat -Dcatalina.home=/pgm/tomcat -Djava.io.tmpdir=/data/t
omcat/temp org.apache.catalina.startup.Bootstrap start
root 11354 11056  0 08:30 pts/100:00:00 grep java

The pid is 30625 in this case - so the command is 'kill -QUIT 30625'
)


If kill -QUIT does not write stuff to catalina.out, the JVM is hung. This
was my problem, and the cause was a kernel SMP threading bug. I switched
from Redhat 9 (2.4.20 kernel) to Fedora Core 4 (2.6.11-1.1369_FC4smp kernel)
and have now run for 48 hours without a hang.

Changing LD_ASSUME_KERNEL also made a difference. See the tomcat release
notes ...
#GLIBC 2.2 / Linux 2.4 users should define an environment variable:
#export LD_ASSUME_KERNEL=2.2.5
#
#Redhat Linux 9.0 users should use the following setting to avoid
#stability problems:
#export LD_ASSUME_KERNEL=2.4.1

On Redhat 9 running on the 4-way SMP, LD_ASSUME_KERNEL=2.2.5, or nothing at
all seemed to be more stable than the recommended LD_ASSUME_KERNEL=2.4.1.

I am current running Fedora Core 4 with LD_ASSUME_KERNEL=2.2.5 and it seems
to be stable.

Dave





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Tomcat nightly builds

[Dave Colasurdo]

It seems that the Tomcat nightly build *binaries* are invalid..

I'm looking at the the page:

http://cvs.apache.org/builds/jakarta-tomcat-5/nightly/

and the two binary images each contain only 45 bytes.

Ultimately, I am looking for the most recent changes to the jsp-examples 
in *binary or war* format.  These changes did not make it into 5.5.15. 
I assume I will be able to find these changes in binary format when the 
correct nightly build binaries are created.


Any idea when a nightly binary will be available for 5.5.x?

Also, here is some additional info from Yoav (from an off list email) on 
this subject.


Yoav Shapira wrote:


The binary nightly builds do seem to be broken, and the source ones
look out of whack too (way, way too big: the source distro should be a
little less than 6MB, instead it's 173MB).  Moreover, because the name
hasn't been changed from jakarta-* to apache-*, I can tell the script
generating the nightly builds hasn't been updated in a long time.



Thanks
-Dave-

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

KeepGenerated

[Dave Morrow]

Hi all, I recently made a change to my tomcat web.xml file in an effort
to avoid having to clear the work directory in an environment where
frequent code changes are being made.  I added the setting of
KeepGenerated=false.  

It appears that this change has had the desired effect and I no longer
need to clear the work directory after every deployment of a new WAR
file..but at the same time, the same applications have seen a
dramatic improvement in performance.

It's my understand that JSP compilers read JSP source files and
generate/compile Java servlet classes (.class binary). To get the
binary, there is an intermediary file: the Java source code of the
compiled servlet. (Note: .java is not a .class is not a .jsp. It goes
.jsp --> .java --> .class). "keepgenerated" is whether to keep the
servlet java source code after the class file is compiled. A reason to
keep servlet source code is to match a runtime error from the servlet
class to the matching JSP code that created the problem.

If my thinking is correct, the change in KeepGenerated should have
decrease performance?  Am I correct in this assumption?  
Does anyonw know of any drawbacks to what I have done?
 
Any advice would be greatly appreciated.
 
David Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodatasolutions.com  
 
Tel: (519) 963-3020
Fax: (519) 451-6615
 
< Lead, follow or get out of the way! >
 
This message has originated from Autodata Solutions. The attached
material is the Confidential and Proprietary Information of Autodata
Solutions. This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please delete
this message and notify the Autodata system administrator at
[EMAIL PROTECTED]  >

 

RE: KeepGenerated

[Dave Morrow]

I have, indeed, replicated this several times on several servers. 


David Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodatasolutions.com
 
Tel: (519) 963-3020
Fax: (519) 451-6615
 
< Lead, follow or get out of the way! >
 
This message has originated from Autodata Solutions. The attached
material is the Confidential and Proprietary Information of Autodata
Solutions. This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please delete
this message and notify the Autodata system administrator at
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>


-Original Message-
From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 04, 2006 10:58 AM
To: Tomcat Users List
Subject: RE: KeepGenerated

> From: Dave Morrow [mailto:[EMAIL PROTECTED]
> Subject: KeepGenerated
> 
> If my thinking is correct, the change in KeepGenerated should have 
> decrease performance?  Am I correct in this assumption?
> Does anyonw know of any drawbacks to what I have done?

Changing keepgenerated shouldn't really have much of an effect at all,
other than the very minor difference on the first reference to a .jsp
due to deleting (or not) the generated .java source.  Once the .jsp has
been compiled into servlet form, I can't see any reason for a
performance impact one way or the other.  I suppose if the .java code is
some kind of watched resource, that might have some small effect.

Are you sure nothing else has changed?  Can you readily reproduce the
difference by changing only that attribute?  This is strange.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

scheme="https" not working?

[Dave Brondsema]

I'm using Tomcat 5.5.15 on Windows 2000.  I have this connector:


I can access
http://eaglesnest-test.cornerstone.edu:443/manager/html
but I get no response when attempting to access
https://eaglesnest-test.cornerstone.edu:443/manager/html

Somehow it's running unsecured but still on port 443.

What's happening?


Here are the logfiles:

DEBUG 2006-02-20 11:20:29,288 org.apache.catalina.startup.Embedded -
Setting naming prefix=org.apache.naming
DEBUG 2006-02-20 11:20:29,413 org.apache.catalina.startup.Catalina -
Digester for server.xml created 125
DEBUG 2006-02-20 11:20:30,600 org.apache.coyote.http11.Http11AprProtocol
- Attribute soLinger: -1
DEBUG 2006-02-20 11:20:30,600 org.apache.coyote.http11.Http11AprProtocol
- Attribute soTimeout: 6
DEBUG 2006-02-20 11:20:30,600 org.apache.coyote.http11.Http11AprProtocol
- Attribute tcpNoDelay: true
DEBUG 2006-02-20 11:20:30,632 org.apache.coyote.http11.Http11AprProtocol
- Attribute port: 443
DEBUG 2006-02-20 11:20:30,632 org.apache.coyote.http11.Http11AprProtocol
- Attribute maxHttpHeaderSize: 8192
DEBUG 2006-02-20 11:20:30,632 org.apache.coyote.http11.Http11AprProtocol
- Attribute maxThreads: 150
DEBUG 2006-02-20 11:20:30,632 org.apache.coyote.http11.Http11AprProtocol
- Attribute minSpareThreads: 25
DEBUG 2006-02-20 11:20:30,632 org.apache.coyote.http11.Http11AprProtocol
- Attribute maxSpareThreads: 75
DEBUG 2006-02-20 11:20:30,632 org.apache.coyote.http11.Http11AprProtocol
- Attribute enableLookups: false
DEBUG 2006-02-20 11:20:30,647 org.apache.coyote.http11.Http11AprProtocol
- Attribute backlog: 100
DEBUG 2006-02-20 11:20:30,647 org.apache.coyote.http11.Http11AprProtocol
- Attribute secure: true
DEBUG 2006-02-20 11:20:30,647 org.apache.coyote.http11.Http11AprProtocol
- Attribute clientauth: false
DEBUG 2006-02-20 11:20:30,647 org.apache.coyote.http11.Http11AprProtocol
- Attribute secure: true
DEBUG 2006-02-20 11:20:30,647 org.apache.coyote.http11.Http11AprProtocol
- Attribute protocol: TLS
DEBUG 2006-02-20 11:20:30,647 org.apache.coyote.http11.Http11AprProtocol
- Attribute keystore: C:\Program Files\Apache Software Foundation\Tomcat
5.5\conf\ssl_keystore
DEBUG 2006-02-20 11:20:30,647 org.apache.coyote.http11.Http11AprProtocol
- Attribute keypass: XXX
DEBUG 2006-02-20 11:20:30,647 org.apache.coyote.http11.Http11AprProtocol
- Attribute keytype: JKS
INFO 2006-02-20 11:20:30,975 org.apache.catalina.realm.JAASRealm -
Setting useContextClassLoader = false
DEBUG 2006-02-20 11:20:30,975 org.apache.catalina.core.ContainerBase -
Add child StandardContext[] StandardHost[eaglesnest-test.cornerstone.edu]
DEBUG 2006-02-20 11:20:30,991 org.apache.catalina.core.ContainerBase -
Add child StandardHost[eaglesnest-test.cornerstone.edu]
StandardEngine[Catalina]
DEBUG 2006-02-20 11:20:31,179 org.apache.catalina.connector.Connector -
Creating name for connector Catalina:type=Connector,port=443
DEBUG 2006-02-20 11:20:31,179 org.apache.coyote.http11.Http11AprProtocol
- Attribute jkHome: C:\Program Files\Apache Software Foundation\Tomcat 5.5
INFO 2006-02-20 11:20:31,194 org.apache.coyote.http11.Http11AprProtocol
- Initializing Coyote HTTP/1.1 on http-443
INFO 2006-02-20 11:20:31,194 org.apache.catalina.startup.Catalina -
Initialization processed in 1781 ms
...


-- 
Dave Brondsema
Software Developer
Cornerstone University



signature.asc
Description: OpenPGP digital signature

Re: scheme="https" not working?

[Dave Brondsema]

Markus Schönhaber wrote:
> Dave Brondsema wrote:
>> I'm using Tomcat 5.5.15 on Windows 2000.  I have this connector:
>> >maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>enableLookups="false" disableUploadTimeout="true"
>>acceptCount="100" secure="true"
>>clientAuth="false" sslProtocol="TLS"
>>keystoreFile="C:\Program Files\Apache Software
>> Foundation\Tomcat 5.5\conf\ssl_keystore" keystorePass="XXX"
>>keystoreType="JKS"/>
>>
>> I can access
>> http://eaglesnest-test.cornerstone.edu:443/manager/html
>> but I get no response when attempting to access
>> https://eaglesnest-test.cornerstone.edu:443/manager/html
>>
>> Somehow it's running unsecured but still on port 443.
>>
>> What's happening?
>>
>>
>> Here are the logfiles:
>>
>> DEBUG 2006-02-20 11:20:29,288 org.apache.catalina.startup.Embedded -
>> Setting naming prefix=org.apache.naming
>> DEBUG 2006-02-20 11:20:29,413 org.apache.catalina.startup.Catalina -
>> Digester for server.xml created 125
>> DEBUG 2006-02-20 11:20:30,600 org.apache.coyote.http11.Http11AprProtocol
>> - Attribute soLinger: -1
> 
> [...]
> 
> Since you're using APR, you have to configure your  the APR way:
> http://tomcat.apache.org/tomcat-5.5-doc/apr.html#HTTPS
> AFAIK you can't use the Java keystore with APR but have to use certificates.
> 
> As an alternative: don't use APR and keep your configuration as-is.
> 

Thanks, that worked.  But shouldn't there be errors or warnings if I'm
using Java keystore attributes (e.g. keystoreFile) with APR?

-- 
Dave Brondsema
Software Developer
Cornerstone University



signature.asc
Description: OpenPGP digital signature

Multiple Tomcat 5.5 on Windows 2003

[Dave Weitzel]

Hi,

I need to run multiple Tomcat 5.5 instances on Windows 2003 behind IIS. 

Each instance will be supporting different clients with applications
that are not able to be restarted using the tomcat 5.5 manager/admin
tools.

I have managed to get isapi.redirect to work for the different IIS sites
but can only run the Tomcat installs from their individual catalina.bat
files under a dos window.

I have established how to install these using the zip file not the exe,
but am not sure how to set them up to run as services so that they will
start on a system reboot.

Under tomcat 3 there was a jk_nt_service.exe program along with a
wrapper.properties file that was used, will this still work with 5.5 on
Windows 2003?

Any assistance welcome

 

Thanks

 

Dave

Problem with URL Format ;jessionid with mod_jk

[Dave Morrow]

Hi all.  I have somewhat of a perplexing problem.  
 
My site uses Apache 2.0 with mod_jk1.2 to connect to a Tomcat
application.  The Tomcat app uses a session ID on the URL line.  Apache
is configured to log in "combined" log format.
In the URL in the POST , I see
/myapplication/page.jsp;jsessionid=KJHDFSALKJHBFBFLKBF 
My log analysis product, Deepmetrix Livestats cannot handle the ; in
this entry and is recording each session as a unique file extension.
Anyone know how I might get around this?
 
David Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodatasolutions.com  
 
Tel: (519) 963-3020
Fax: (519) 451-6615
 
< Lead, follow or get out of the way! >
 
This message has originated from Autodata Solutions. The attached
material is the Confidential and Proprietary Information of Autodata
Solutions. This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please delete
this message and notify the Autodata system administrator at
[EMAIL PROTECTED]  >

 

Problem with URL Format ;jessionid with mod_jk

[Dave Morrow]

Hi all.  I have somewhat of a perplexing problem.  
 
My site uses Apache 2.0 with mod_jk1.2 to connect to a Tomcat
application.  The Tomcat app uses a session ID on the URL line.  Apache
is configured to log in "combined" log format.
In the URL in the POST , I see
/myapplication/page.jsp;jsessionid=KJHDFSALKJHBFBFLKBF 
My log analysis product, Deepmetrix Livestats cannot handle the ; in
this entry and is recording each session as a unique file extension.
Anyone know how I might get around this?
 
David Morrow
Technical Systems Lead
Autodata Solutions Company
[EMAIL PROTECTED]
http://www.autodatasolutions.com  
 
Tel: (519) 963-3020
Fax: (519) 451-6615
 
< Lead, follow or get out of the way! >
 
This message has originated from Autodata Solutions. The attached
material is the Confidential and Proprietary Information of Autodata
Solutions. This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please delete
this message and notify the Autodata system administrator at
[EMAIL PROTECTED]  >