headers
Allen Reese | 9 Feb 21:07
Picon
Favicon

RE: Cores with FlushableGzipOutputStream

Try again now that I'm subscribed.

> -----Original Message-----
> From: Allen Reese
> Sent: Thursday, February 09, 2012 12:03 PM
> To: 'users <at> tomcat.apache.org'
> Cc: Lars Anderson
> Subject: Cores with FlushableGzipOutputStream
> 
> We've just upgraded from tomcat 6.0.33 to 6.0.35 and started having the
> JVM core on our production boxes.
> 
> I'm trying to determine what the next course of action should be here.
> I have an Oracle Support contract, but they don't seem to see this as a
> JVM issue, and blame it on a native lib.
> 
> 
> Thanks.
> 
> Allen Reese
> Core Platforms
> Yahoo!, Inc.
> 
> Running on linux x86-64, jdk 6u27, 6u29, 6u30, 7u2
> 
> We run several tests and the output is:
> 
> Jdk 	| Version	| flags
> 	|
> 6u30	| 6.0.33	| compression enabled
(Continue reading)

Permalink | Reply | 5 comments |
headers
C C | 9 Feb 20:40
Picon
Favicon
Gravatar

ServletException logging changes between 5.5 and 6.0/7.0?

Hello,

I'm seeing a difference in the way Tomcat handles logging exceptions thrown by a servlet, and I wonder if
it's a configuration change or if this is simply how Tomcat is expected to behave.

Tomcat versions tested: 5.5.26, 6.0.35, 7.0.25
OS: Windows 7
Java: 1.5.0_22 for Tomcat 5.5.26 and 6.0.35, 1.6.0_24 for Tomcat 7.0.25

To test, I created a webapp with a single servlet, ExceptionServlet, that simply throw a ServletException
in its service() method, e.g.:

public class ExceptionServlet extends HttpServlet {
        protected void service(HttpServletRequest arg0, HttpServletResponse arg1)

                        throws ServletException, IOException {
                throw new ServletException("HEY SERVLET EXCEPTION");
        }
}

Further, the webapp uses log4j (1.2.16) and commons-logging (1.1.1). The log4j.properties for the
webapp looks like this:

log4j.rootLogger=INFO,A
log4j.appender.A=org.apache.log4j.RollingFileAppender

log4j.appender.A.file=/opt/personal/logs/ex/ex.info.log
log4j.appender.A.layout=org.apache.log4j.PatternLayout
log4j.appender.A.layout.conversionPattern=%m%n
log4j.appender.A.maxFileSize=10MB
(Continue reading)

Permalink | Reply | 10 comments |
headers
Casper Wandahl Schmidt | 9 Feb 19:07
Picon
Gravatar

mod_jk and URL rewriting/proxying?

Hi List

I have a quick question (I hope).

I'm using mod_jk to forward from Apache httpd 2.2.8 to tomcat 7.0.20 
(Ubuntu 8.04). I think I saw something on this list some time ago but 
can't remember what it was really about (the real issue was not want I 
want to do).

So I want users to access my webapp from xxx.yyy.zz and then have 
apache/mod_jk to change it to xxx.yyy.zz/myapp

According to 
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html I have 
to manipulate headers but as far as I remember there was something about 
ProxyPass and ProxyPassReverse. Are they only available to mod_proxy or 
mod_ajp?

I don't want the app to become ROOT since I have another app that should 
be running as ROOT. I thought about making seperat host's in server.xml 
but I dont like the fact that I need to restart tomcat each time I need 
to add a new host so I thought I might achieve want I want by letting 
apache httpd take care of that part.

Kind regards
Casper
Permalink | Reply | 8 comments |
headers
Sanjeev Sharma | 9 Feb 17:17
Favicon
Gravatar

controlling Server Authentication only vs Mutual authentication

Hi,

I work on an java web-app running on Tomcat 7.  The entire application is required be doing SSL on port 443
(everything is accessed via https://).  Two different login options are given to the user :
username/password or client certificate authentication.  We employ application-managed security as
opposed to contain-manage (i.e. we don't use realms).  I have the following connector in my server.xml :

<Connector port="443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="d:\certs\server_cert.jks"
           keystorePass="changeit"
           truststoreFile="d:\certs\truststore.jks"
           truststorePass="changeit"
           clientAuth="true"
           sslProtocol="TLS" />


This forces mutual authentication on anything I try to access using https.  How can I configure tomcat so
that only specific links (a specific struts action for example) would require mutual authentication or
how can I exclude from the mutual authentication.

Thanks,
Sanjeev.
Permalink | Reply | 0 comments |
headers
Jesse Farinacci | 9 Feb 16:35
Picon
Gravatar

JmxRemoteLifecycleListener binding to all IP addresses

Greetings,

I am using Apache Tomcat 7.0.25 using IBM J9 VM (build 2.4, JRE 1.6.0
IBM J9 2.4 Linux s390x-64 jvmxz6460sr8ifx-20100609_59383).

Inspired by the flurry of JMX related questions on this list, I
attempted to follow the official documentation[1] to enable remote JMX
access. My sanitized conf/server.xml:

<?xml version="1.0" encoding="utf-8"?>
<Server address="a.b.c.d" port="8081">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
          rmiRegistryPortPlatform="8181" rmiServerPortPlatform="8182" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
      readonly="true"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
      pathname="${catalina.home}/conf/tomcat-users.xml"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector scheme="http" address="a.b.c.d" port="8080"
      compression="on" enableLookups="false" URIEncoding="UTF-8"/>
    <Connector scheme="https" address="a.b.c.d" port="8443" secure="true"
      compression="on" enableLookups="false" URIEncoding="UTF-8"
      SSLEnabled="true"
SSLCertificateFile="${catalina.home}/conf/cacert.pem"
(Continue reading)

Permalink | Reply | 2 comments |
headers
Josh Gooding | 9 Feb 14:52
Picon

JMX enabled - not able to monitor connection pooling

Using: Toncat 6.0.35 AND 7.0.<latest> in a Win32 Environment.  My JMX
params are as follows:  -Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=6969
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false

This is only on my dev box, so I am no so much worried about security at
this point, I just want to get it working for now, I'll work on the
security as the next piece, where I move it over to SSL and having
authentication for a production box.

In TC7, I have enabled JMX, and in Hyperic I'm able to monitor the extras
except the one thing I need to.  I also checked in JConsole, just to make
sure it wasn't an initial id10t error.  I want to be able to monitor the
connection pool. Is there an option that I have to enable to be able to
monitor connection pooling in Tomcat via JMX and Hyperic?  I checked the
Hyp. forums to no real avail.  This user group seems to be better with
information so I just wanted to see if anyone else out there is using
Hyperic, monitoring CP's, and what they did to get it working.  As always
thanks in advance.

Warmest Regards,

Josh
Permalink | Reply | 1 comment |
headers
Andres Aguado | 9 Feb 13:51
Picon
Gravatar

Enabling JMX Remote Ports to connect Tomcat server remotelly with jconsole tool

Hi Guys!

    First of all, I want to be grateful for help. I'm (very) newbie
with apache-tomcat world, level 1 (I've installed Tomcat sucessfully
once ;-) )

    Well, I've a Tomcat 5.5.27 version with an application in
production environment and i've installed the same version for windows
on a VM-WiXP to test configuration before applying changes to
production server
    And I want to monitorize the application remotelly through
jconsole. So, I've added this lines to catalina startup script:

set CATALINA_OPTS=-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=8999
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false (When all works I'll
add authentication, but now i need to run jconsole.)

   Now I'm accesible to 8999 port (RMI Registry?) telneting, but
jconsole outputs a connection error. I've executed netstat -an command
and I've seen that 8999 port connextion is STABLISHED, but there is
another port (48657) to the tomcat ip in SYN_WAIT.

    Well, I've been reading documentation and it seems that i must
configure manually an additional port to connect through jconsole
because this port is a random port (RMIServer and RMIConnection?) and
it's a problem to gain access through firewalls

    I've been reading more information and I've arrived to this document
(Continue reading)

Permalink | Reply | 11 comments |
headers
Lev A KARATUN | 9 Feb 06:25
Picon
Favicon

Problems with LDAP authentication

Hi again.

So, my boss told me that it's insecure to give anyone the password to view 
tomcat's logs and that should be an authentication based on Active 
Directory.

I've been reading the manuals for some time, and configured my Tomcat the 
following way:

$CATALINA_BASE/conf/Catalina/localhost/myapp.xml

<Context antiResourceLocking="false" privileged="true" 
docBase="$CATALINA_BASE/logs" reloadable="true">

        <Realm className="org.apache.catalina.realm.JNDIRealm" 
        connectionURL="ldap://raiffeisen.ru:389"
         connectionName="myaccount <at> raiffeisen.ru"  (I also tried the 
format connectionName="cn=myaccount,dc=raiffeisen,dc=ru" - does it matter 
what format do I use?)
        connectionPassword="mypassword"
        referrals="follow"
        userBase="OU=_Users,DC=raiffeisen,DC=ru"
        userSearch="(sAMAccountName={0})"
        userSubtree="true"
        roleBase="OU=_Groups,DC=raiffeisen,DC=ru"
        roleName="cn"
        roleSubtree="true"
        roleSearch="(member={0})"
  />
</Context>
(Continue reading)

Permalink | Reply | 0 comments |
headers
Mari Masuda | 9 Feb 01:51
Picon
Favicon
Gravatar

choosing an httpd connector

Hello,

I am very new to Tomcat and am trying to determine which connector to use when using Tomcat with Apache.  Here
is my situation:

1.  I am setting up a Drupal site that will be publicly accessible to anyone on the internet.  I intend to use
Apache Solr as the search mechanism for said site, hence my need for Tomcat.

2.  Although most of the information on the site is public, some of it is only allowed to be seen by people
logged in with a specific Drupal role.

3.  The restricted data should not appear in the search results when a search is performed by a user without
the proper role.  However, all of the data -- even the restricted stuff -- needs to be indexed by Solr so that
it is findable by those logged in with the specific role.

4.  Drupal and Solr will be running on the same machine.

5.  Solr should only be accessible by Drupal.

6.  Access to Drupal should be over https to prevent the disclosure of the restricted data when search
results are returned over the internet to an authorized user.

Given these constraints I am not sure which connector would be the best choice.  I came across this article
from 2010 as a result of my (mostly unsuccessful) Googling:
http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp
but since I am just the de facto programmer at my work I am not well-versed in system administration so it is
highly likely that there is something obvious that I am missing.  I have searched the list archives as well,
but I think my search was too broad or otherwise used the wrong terminology so I apologize if this question
has been answered multiple times already.  If so, I am happy to RTFM and would appreciate any and all
pointers to existing threads.
(Continue reading)

Permalink | Reply | 2 comments |
headers
Caldarale, Charles R | 9 Feb 00:10
Picon
Favicon

RE: Why am I Getting org.apache.catalina.realm.JDBCRealm getPassword SEVERE: Exception performing authentication?

> From: shmoldie <at> gmail.com [mailto:shmoldie <at> gmail.com] 
> On Behalf Of Jonathan Rosenberg
> Subject: Re: Why am I Getting org.apache.catalina.realm.JDBCRealm 
> getPassword SEVERE: Exception performing authentication?

> there is no effective web.xml output in any of the log files.

So what are your logging levels set to?  The logEffectiveWebXml tag should be logging at INFO, so you're
going to need at least that set in your conf/logging.properties file, assuming you haven't switched to log4j.

Might want to post your conf/context.xml for us, just to see if there might be a typo in it.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use
only by the intended recipient. If you received this in error, please contact the sender and delete the
e-mail and its attachments from all computers.
Permalink | Reply | 3 comments |
headers
Mark Potts | 8 Feb 22:55
Gravatar

newbie having trouble with manager-gui sign in

Hi,
    I'm a newbie with an inherited apache-tomcat-6.0.33 installation.
    The host server is a 64 bit Centos 5 (2.6.18-274.3.1.el5) install.
    I'm having trouble accessing the tomcat manager-gui from an
    internet-based browser access.  As near as I can determine this was
    a standard/default installation of tomcat.  I have root access but
    lack the knowledge of how to use it to advantage here.

    I've added the following lines:
       <role rolename="manager-gui"/>
       <user username="Myadmin" password="HereOmitted" roles="standard,manager-gui" />
    between the
    <tomcat-users>  and  </tomcat-users>   lines of the appBase/conf/tomcat-user.xml
    file.

    When attempting to access the manager on my server from the web as:
        http://xx.yy.co:8080/manager/list  (where xx and yy are legitimate
        parts of my server's domain)
    I am prompted with a login popup requesting user name and password under the
    label of:
       A username and password are being requested by http://xx.yy.co:8080.
       The site says: "Tomcat Manager Application"
    I (carefully) enter the username (Myadmin in my example above) and password
    (HereOmitted in my example above) but am repeatedly rejected.
    I find nothing in the tomcat 6.0 manager-gui documentation to indicate
    that I need to restart tomcat to get the new username/password configuration
    info to take effect.  Since this is a production system, a restart can only
    be accomplished at certain times, if that is needed.
    I do not see nor do I know if there should be evidence of a tomcat
    manager thread/process.
(Continue reading)

Permalink | Reply | 3 comments |

Gmane