www.archive-ie-2012.com » IE » C » CALIBER

Choose link from "Titles, links and description words view":

Or switch to "Titles and links view".

    Archived pages: 164 . Archive date: 2012-07.

  • Title: Apache Tomcat
    Descriptive info: .. Apache Tomcat.. Administration.. Status.. Tomcat Manager.. Documentation.. Release Notes.. Change Log.. Tomcat Documentation.. Tomcat Online.. Home Page.. FAQ.. Bug Database.. Open Bugs.. Users Mailing List.. Developers Mailing List.. IRC.. Miscellaneous.. Servlets Examples.. JSP Examples.. Sun's Java Server Pages Site.. Sun's Servlet Site.. If you're seeing this page via a web browser, it means you've setup Tomcat successfully.. Congratulations!.. As you may have guessed by now, this is the default Tomcat home page.. It can be found on the local filesystem at:.. $CATALINA_HOME/webapps/ROOT/index.. html.. where "$CATALINA_HOME" is the root of the Tomcat installation directory.. If you're seeing this page, and you don't think you should be, then you're  ...   and administration information than is found in the INSTALL file.. NOTE: For security reasons, using the administration webapp is restricted to users with role "admin".. The manager webapp is restricted to users with role "manager".. Users are defined in.. $CATALINA_HOME/conf/tomcat-users.. xml.. Included with this release are a host of sample Servlets and JSPs (with associated source code), extensive documentation, and an introductory guide to developing web applications.. Tomcat mailing lists are available at the Tomcat project web site:.. users@tomcat.. apache.. org.. for general questions related to configuring and using Tomcat.. dev@tomcat.. for developers working on Tomcat.. Thanks for using Tomcat!.. Copyright 1999-2007 Apache Software Foundation.. All Rights Reserved..

    Original link path: /
    Open archive

  • Title:
    Descriptive info: ================================================================================ Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.. See the NOTICE file distributed with this work for additional information regarding copyright ownership.. The ASF licenses this file to You under the Apache License, Version 2.. 0 (the "License"); you may not use this file except in compliance with the License.. You may obtain a copy of the License at http://www.. org/licenses/LICENSE-2.. 0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. See the License for the specific language governing permissions and limitations under the License.. ================================================================================ $Id: RELEASE-NOTES 612940 2008-01-17 19:22:26Z markt $ Apache Tomcat Version 6.. 0.. 16 Release Notes ============================= KNOWN ISSUES IN THIS RELEASE: ============================= * Dependency Changes * JNI Based Applications * Bundled APIs * Web application reloading and static fields in shared libraries * Tomcat on Linux * Enabling SSI and CGI Support * Security manager URLs * Symlinking static resources * Enabling invoker servlet * Viewing the Tomcat Change Log * When all else fails =================== Dependency Changes: =================== Tomcat 6.. 0 is designed to run on JSE 5.. 0 and later.. In addition, Tomcat 6.. 0 uses the Eclipse JDT Java compiler for compiling JSP pages.. This means you no longer need to have the complete Java Development Kit (JDK) to run Tomcat, but a Java Runtime Environment (JRE) is sufficient.. The Eclipse JDT Java compiler is bundled with the binary Tomcat distributions.. Tomcat can also be configured to use the compiler from the JDK to compile JSPs, or any other Java compiler supported by Apache Ant.. ======================= JNI Based Applications: ======================= Applications that require native libraries must ensure that the libraries have been loaded prior to use.. Typically, this is done with a call like: static { System.. loadLibrary("path-to-library-file"); } in some class.. However, the application must also ensure that the library is not loaded more than once.. If the above code were placed in a class inside the web application (i.. e.. under /WEB-INF/classes or /WEB-INF/lib), and the application were reloaded, the loadLibrary() call would be attempted a second time.. To avoid this problem, place classes that load native libraries outside of the web application, and ensure that the loadLibrary() call is executed only once during the lifetime of a particular JVM.. ============= Bundled APIs:  ...   objects instantiated by the web application.. To avoid class loading related problems (ClassCastExceptions, messages indicating that the classloader is stopped, etc.. ), the shared libraries state should be reinitialized.. Something which might help is to avoid putting classes which would be referenced by a shared static field in the web application classloader, and putting them in the shared classloader instead (JARs should be put in the "lib" folder, and classes should be put in the "classes" folder).. ================ Tomcat on Linux: ================ GLIBC 2.. 2 / Linux 2.. 4 users should define an environment variable: export LD_ASSUME_KERNEL=2.. 2.. 5 Redhat Linux 9.. 0 users should use the following setting to avoid stability problems: export LD_ASSUME_KERNEL=2.. 4.. 1 There are some Linux bugs reported against the NIO sendfile behavior, make sure you have a JDK that is up to date, or disable sendfile behavior in the Connector.. 6427312: (fc) FileChannel.. transferTo() throws IOException "system call interrupted".. 5103988: (fc) FileChannel.. transferTo should return -1 for EAGAIN instead throws IOException.. 6253145: (fc) FileChannel.. transferTo on Linux fails when going beyond 2GB boundary.. 6470086: (fc) FileChannel.. transferTo(2147483647, 1, channel) cause "Value too large" exception.. ============================= Enabling SSI and CGI Support: ============================= Because of the security risks associated with CGI and SSI available to web applications, these features are disabled by default.. To enable and configure CGI support, please see the cgi-howto.. html page.. To enable and configue SSI support, please see the ssi-howto.. ====================== Security manager URLs: ====================== In order to grant security permissions to JARs located inside the web application repository, use URLs of of the following format in your policy file: file:${catalina.. home}/webapps/examples/WEB-INF/lib/driver.. jar ============================ Symlinking static resources: ============================ By default, Unix symlinks will not work when used in a web application to link resources located outside the web application root directory.. This behavior is optional, and the "allowLinking" flag may be used to disable the check.. ========================= Enabling invoker servlet: ========================= Starting with Tomcat 4.. 1.. 12, the invoker servlet is no longer available by default in all webapps.. Enabling it for all webapps is possible by editing $CATALINA_HOME/conf/web.. xml to uncomment the "/servlet/*" servlet-mapping definition.. Using the invoker servlet in a production environment is not recommended and is unsupported.. More details are available on the Tomcat FAQ at http://tomcat.. org/faq/misc.. html#invoker.. ============================== Viewing the Tomcat Change Log: ============================== See changelog.. html in this directory.. ==================== When all else fails: ==================== See the FAQ http://tomcat.. org/faq/..

    Original link path: /RELEASE-NOTES.txt
    Open archive

  • Title: Apache Tomcat 6.0 - Changelog
    Descriptive info: Apache Tomcat 6.. Links.. Docs Home.. User Guide.. 1) Introduction.. 2) Setup.. 3) First webapp.. 4) Deployer.. 5) Manager.. 6) Realms and AAA.. 7) Security Manager.. 8) JNDI Resources.. 9) JDBC DataSources.. 10) Classloading.. 11) JSPs.. 12) SSL.. 13) SSI.. 14) CGI.. 15) Proxy Support.. 16) MBean Descriptor.. 17) Default Servlet.. 18) Clustering.. 19) Load Balancer.. 20) Connectors.. 21) Monitoring and Management.. 22) Logging.. 23) APR/Native.. 24) Virtual Hosting.. 25) Advanced IO.. 26) Additional Components.. 27) Mavenized.. Reference.. Configuration.. Javadocs.. JK 1.. 2 Documentation.. Apache Tomcat Development.. Building.. Changelog.. Developers.. Architecture.. Functional Specs.. print-friendly.. version.. Tomcat 6.. 16 (remm).. General.. Update commons-logging to version 1.. 1 and the NSIS installer to 2.. 34.. (markt).. Update to commons-pool version 1.. 4, native version 1.. 12 and update the download location for the commons libraries.. Change chunked input parsing, always parse CRLF directly after a chunk has been received, except if data is not available.. If data is not available for CRLF parsing, we run into BZ 11117, and must defer the parsing of CRLF to the next read event.. This fixes the incorrect blocking when using CometProcessor and the draining data during the READ event where it before would block incorrectly waiting for the next chunk (fhanik).. The CometProcessor interface now extends the javax.. servlet.. Servlet interface(fhanik).. Fix CVE-2007-5342 by limiting permissions granted to JULI.. Fix handling of CometEvent.. close when called during BEGIN event (fhanik).. 43594.. : Use setenv from CATALINA_BASE (if set) in preference to the one in CATALINA_HOME.. Patch provided by Shaddy Baddah.. (markt/jim).. 43692.. : Clean up unused entires from build scripts.. Patch provided by Paul Shemansky.. 43775.. : Don't try to change line endings of binary files in the source distribution.. 43846.. : Fix block simulated read and writes causing timeouts.. Add non blocking parsing of HTTP request headers.. Perf improvements(fhanik).. 43957.. : Service.. bat doesn't configure logging correctly.. Patch provided by Richard Fearn.. Cookie handling/parsing changes! The following behavior has been changed with regards to Tomcat's cookie handling a) Cookies containing control characters, except 0x09(HT), are rejected using an InvalidArgumentException.. b) If cookies are not quoted, they will be quoted if they contain tspecials(ver0), tspecials2(ver1) characters.. c) Escape character '\\' is allowed and respected as a escape character, will be unescaped during parsing.. Cookie parsing of $Version regression from 6.. 15 has been fixed.. The script that builds the windows installer was including additional files due to the way it processes recurrsive file selectors.. The selectors have been modified to only include the intended files.. Catalina.. Fix ManagerServlet.. expireSessions throws Exceptions as iterate longer session lists at production servers.. (pero).. 38131.. : WatchedResource doesn't work if app is outside host appbase webapps.. Patch provided by Peter Lynch (pero).. Add -Dorg.. catalina.. tribes.. dns_lookups=false as default.. The ability to turn off reverse DNS lookups for membership.. (fhanik).. Set correct StandardManager.. sessionCounter after reload/restart.. 42503.. : ServletContext.. getResourceAsStream() could return stale data.. Patch provided by Arvind Srinivasan.. (funkman/jim).. 43236.. : When resetting the response, also reset the flags associated with using a writer or an output stream to allow the user to change character set after the reset.. 43241.. : Make ServletContext.. getResourceAsStream() conform to the specification.. Patch provided by John Kew.. 43530.. : doc link fixes provided by Paul Shemansky (funkman).. 43675.. : Fix a possible logging related classloader leak.. 43687.. Remove conditional headers on Form Auth replay, since the UA (esp.. FireFox) isn't expecting it.. 43706.. : WebDAV copy/move now returns 201 on success.. Based on a patch by Panagiotis Astithas.. 43840.. : Include user principal if possible when serializing / de-serializing sessions.. 43868.. : MBean methods getInvoke and getSetter were broken.. 43887.. : Make error messages much more helpful when illegal Servlet names are used.. Based on a patch provided by Mike Baranczak.. Fix a bug that causes CGI Servlet to fail when it is included.. Improve the webDAV Servlet Javadocs to make clear that the WebDAV Servlet can not be used as the default servlet.. 43993.. : mime mapping for WS-Policy.. Patch by Fabian Ritzmann (funkman).. 44041.. : Fix duplicate class definition under load.. 44084.. : JASSRealm was broken for application provided Principals.. Patch provided by Noah Levitt.. Coyote.. 43622.. : Don't overwrite the min compression size set by the compression attribute with the default.. 43839.. : URL based session tracking failed when a session cookie from a parent context was present.. Based on a patch by Yuan Qingyun.. 43914.. : URLs in location headers should be encoded.. Patch provided by Ivan Todoroski.. Jasper.. 43285.. : Missing EL Coercion causes argument type mismatch.. Patch provided by Bernhard Huemer.. 43702.. : Inner class files have unnecessarily long names.. 43743.. : Fix NPE when compiling nest tag files packaged in a JAR.. 43757.. : Rather than use string matching to work out the line in the JSP with the error, use the SMAP info and the knowledge that for a scriptlet there is a one to one line mapping.. 43758.. : Fix NPE when scripting elements are empty.. 43909.. : Make sure locale maps to wrapped ELContext.. Patch provided by Tuomas Kiviaho.. 43944.. : Fix a missing resource exception.. Improve docs for Jasper configuration.. Put options in alphabetcial order, add some missing options, deprecate an unused one and address feedback about the page provided on the users list.. Webapps.. 43173.. : Fix typo in logging documentation regarding location of logging.. properties.. 43344.. : Fix typo in if.. jsp example.. Patch provided by Tim Nowaczyk.. 43468.. : Fix possible NPE when listing contexts in the Manager application.. 43515.. : Fix bug in Manager application that may have caused problems when listing contexts.. Patch provided by Lucas Galfaso.. 43611.. : Provide an error message if user tries to upload a war for a context defined in server.. xml rather than failing silently.. 43800.. : Make relationship between APR and the native connector clearer.. 44088.. : Fix expire session button in manager.. 44094.. : Add a note about the side effects of configuring a context as privileged.. Cluster.. Fix FarmWarDeployer can be only configured as host subelement (pero).. Fix wrong at ReplicationValve (pero).. Add get/set methods for properties in the Tcp Failure detector.. (fhanik/jim).. 15 (remm).. Fix the MD5 file contents in distribution.. Add ANT script to be able to publish signed Tomcat JAR's to ASF Maven repo (fhanik).. Use Eclipse JDT 3.. 3.. Guess java location from the PATH environment and improve fix for 37284.. Add NIO connector to server.. xml parsing warning, remove Connector as exception case.. 43653.. : Fix SSL buffer mixup when response is unable to write more than socket buffer can handle.. 43643.. : If connector doesn't support external executor, display warning.. 43641.. : Property bind multicast address for cluster membership.. 42693.. : Fix JSP compiler bug.. Add mbean descriptor for virtual webapp loader.. 43487.. : Fix request processing stats.. 43435.. : Don't iterate and relocate sessions if they are not part of the map.. 43356.. : Keystore parameter is relative to CATALINA_BASE, Truststore is either defined as parameter, javax.. net.. ssl.. trustStore or if empty defaults to the keystore.. SSL Client cert authentication changed from boolean to "true|false|want" (fhanik).. 30949.. : Improve previous fix.. Ensure requests are re-cycled on cross-context includes and forwards when an exception occurs in the target page.. 42944.. : Correctly handle servlet mappings that use a '+' character as part of the url pattern.. 42951.. : Don't use CATALINA_OPTS when stopping Tomcat.. This allows options for starting and stopping to be set on JAVA_OPTS and options for starting only to be set on CATALINA_OPTS.. Without this fix, some startup options (eg the port for remote JMX) would cause stop to fail.. Based on a fix suggested by Michael Vorburger.. Port of r454193 (.. 36976.. ) from Tomcat 5.. 5.. x.. (markt,rjung).. Validation of attributes and elements used in server.. (remm).. 43175.. : Fix typos in servlet XSD files.. Patch provided by Takayuki Kaneko.. 43216.. : Set correct StandardSession#accessCount as StandardSession.. ACTIVITY_CHECK is true.. Patch provided by Takayuki Kaneko (pero).. Made session createTime accessible for all SessionManager via JMX (pero).. 43129.. : Support logging of all response header values at AccessLogValve (ex.. add %{Set-Cookie}o to your pattern).. Support logging of all response header values at ExtendedAccessLogValve (ex.. add x-O(Set-Cookie) to your pattern).. Support logging of current thread name at AccessLogValve (ex.. add %I to your pattern).. Usefull to compare access logging entry later with a stacktraces.. Improve large-file support (more then 4 Gb) at all AccessLogValves, backport from 5.. 25.. Optimized JDBCAccessLogValve combined pattern request attribute access.. o.. a.. juli.. ClassLoaderLogManager handle more then one system property replacement at file logging.. 43338.. : Support '*' servlet-name mapping at filter-mapping.. Patch provided by Keiichi Fujino.. 41797.. : CNFE/NPE thrown from function mapper when externalizing Patch by Tuomas Kiviaho- tuomas.. kiviahos at ikis fi (funkman).. 43453.. : ClassCastException at org.. core.. StandardContext.. findStatusPage(int) (funkman).. Fix important vulnerability when webdav is enabled for write.. Call stopAwait in StandardServer.. stop if  ...   Tweak startup time display.. Adjustments to handling exceptions with Comet.. If the event is closed asynchronously, generate an end event for cleanup on the next event.. Cleanup hello webapp from the docs and fix a XSS issue in the JSP.. Examples webapp cleanup.. Submitted by Takayuki Kaneko and Markus Schönhaber.. 41289.. : Create configBase, since it is no longer created elsewhere.. Submitted by Shiva Kumar H R.. Fixed NIO memory leak caused by the NioChannel cache not working properly.. Added flag to enable/disable the usage of the pollers selector instead of a Selector pool when the serviet is reading/writing from the input/output streams The flag is.. -Dorg.. tomcat.. util.. NioSelectorShared=true.. Requests with multiple content-length headers are now rejected.. 41675.. Add a couple of DEBUG-level logging statements to Http11Processors when sending error responses.. Patch by Ralf Hauser.. Reuse digester used by the modeler.. When the platform does not support deferred accept, put accepted sockets in the poller.. Fix problem with blocking reads for keepalive when using an executor (the number of busy threads is always 0).. The poller now has good performance, so remove firstReadTimeout.. Fix previous update to servlet 2.. 5 xsd to use correct declaration.. Update host configuration document for new behaviour for directories in appBase.. 39540.. Add link to httpd 2.. 2 mod_proxy_ajp docs in AJP connector doc.. 41227.. Add a bit of DEBUG-level logging to JspC so users know which file is being compiled.. Remove some dead utility code, and refactor stream capture as part of the Ant compiler.. Support the trim directive of JSP 2.. 1 as an equivalent of Jasper's own parameter.. 41790.. : Close file stream used to read the Java source.. Fix reporting of errors which do not correspond to a portion of the JSP source.. Remove try/catch usage for annotation processing in classic tags.. The usage of the log method might have been questionable as well.. Cleanup of the message that is displayed for compilation errors.. Skip BOM when reading a JSP file.. 10 (remm).. Unify usage of security manager flag, submitted by Arvind Srinivasan.. Fix formatting of CGI variable SCRIPT_NAME.. 41521.. : Support * for servlet-name, submitted by Paul McMahan.. Cache getServletContext value, submitted by Arvind Srinivasan.. Add options for handling special URL characters in paths, and disallow '\' and encoded '/' due to possible differences in behavior between Tomcat and a front end webserver.. Fix bad comparison for FORM processing, submitted by Anil Saldhana.. 41608.. Make log levels consistent when Servlet.. service() throws an exception.. Reduce usage of MessageBytes.. getLength(), submitted by Arvind Srinivasan.. 41558.. : Don't call synced method on every request, submitted by Arvind Srinivasan.. Switch to a thread local page context pool.. 9 (remm).. Use 2.. 5 xsd in Tomcat webapps.. Compression filter improvements, submitted by Eric Hedström.. Properly return connector names.. Remove logging of the XML validation flag.. Correct error messages for context.. 41217.. : Set secure flag correctly on SSO cookie, submitted by Chris Halstead.. 40524.. : request.. getAuthType() now returns CLIENT_CERT rather than CLIENT-CERT.. 40526.. : Return support for JPDA_OPTS to catalina.. bat and add a new option JPDA_SUSPEND, submitted by by Kurt Roy.. 41265.. : In embedded, remove the code that resets checkInterval values of zero to 300.. 37869.. : Fix getting client certificate, submitted by Christophe Pierret.. 40960.. : Throw a timeout exception when getting a timeout rather than a generic IOE, submitted by Christophe Pierret.. EL validation fixes for attributes.. 41327.. : Show full URI for a 404.. JspException now uses getCause() as the result for getRootCause().. 41466.. : When using the NioChannel and SecureNioChannel its important to use the channels buffers.. 8 (remm).. Make provided instances of RequestDispatcher thread safe.. Optional development oriented loader implementation.. (funkman).. Optimized access log valve, submitted by Takayuki Kaneko.. Fix error messages when parsing context.. xml that incorrectly referred to web.. : Set secure attribute on SSO cookie when cookie is created during a secure request.. Patch provided by Chris Halstead.. : HttpServletRequest.. getAuthType() now returns CLIENT_CERT rather than CLIENT-CERT for certificate authentication as per the spec.. Note that web.. xml continues to use CLIENT-CERT to specify the certificate authentication should be used.. 41401.. : Add support for JPDA_OPTS to catalina.. bat and add a JPDA_SUSPEND environment variable to both startup scripts.. Patch provided by Kurt Roy.. Use the tomcat-native-1.. 10 as recommended version.. OpenSSL detection on some platforms was broken 1.. 8 will continue to work, although on some platforms there can be JVM crash if IPV6 is enabled and platform doesn't support IPV4 mapped addresses on IPV6 sockets.. When displaying JSP source after an exception, handle included files.. Display the JSP source when a compilation error occurs and display the correct line number rather than start of a scriptlet block.. Fix NPE when processing dynamic attributes.. More accurate EL usage validation.. Fix regression for implicit taglib and page data version numbers.. : Allow JspServlet checkInterval init parameter to be explicitly set to the stated default value of zero by removing the code that resets it to 300 if explicitly specified as zero.. Patch provided by Vijay.. Add a virtual hosting how-to contributed by Hassan Schroeder.. Update all webapps to use the servlet 2.. 5 xsd.. 39572.. : Improvements to CompressionFilter example provided by Eric Hedström.. 7 (remm).. Fix installer's bitmap (mturk).. Refactor logging of errors which may occur when reading a post body (remm).. : Also use the SSL_INFO_CLIENT_CERT field if the chain is empty, submitted by Grzegorz Grzybek (remm).. 6 (remm).. Fix tagging which did not include 6.. 5's changelog (remm).. 5 (remm).. 40585.. : Fix parameterised constructor for o.. FileHandler so parameters have an effect.. Escape invalid characters from request.. getLocale.. (markt, remm).. Update required version for native to 1.. 8.. Do not log broken pipe errors which can occur when flushing the content of an error page.. Fix firstReadTimeout behavior for the AJP connector.. 41057.. : Make jsp:plugin output XHTML compliant.. Cluster interface cleanup.. Refactoring to allow usage of executors.. 4 (remm).. Update to NSIS 2.. 22 (remm).. Fix regression in 6.. 3 with Windows wrapper (mturk).. 3 (remm).. 37509.. : Do not remove whitespace from the end of values defined in logging.. properties files.. 38198.. : Add reference to Context documentation from Host documentation that explains how Context name is obtained from the Context filename.. 40844.. Missing syncs in JDBCRealm.. 40901.. : Encode directory listing output.. Based on a patch provided by Chris Halstead.. 40929.. : Correct JavaDoc for StandardClassLoader.. 41008.. : Allow POST to be used for indexed queries with CGI Servlet.. Fix usage of print on the servlet output stream if the processor never used a writer (fhanik).. Fix logic of sameSameObjects used to determine correct wrapping of request and response objects (fhanik).. Update TLD scan lists, and disable caching for now (remm).. Add system property to WebappClassLoader to allow disabling setting references to null when stopping it (remm).. Add clustered SSO code, submitted by Fabien Carrion (remm).. 40860.. : Log exceptions and other problems during parameter processing.. Enable JMX for trust store attributes for SSL connector.. Port memory usage reduction changes to the java.. io HTTP connector.. MessageBytes.. setString(null) will remove the String value.. : Caching large strings is not useful and takes too much memory, so don't cache these (remm).. Add keepAliveTimeout attribute to most connectors (mturk, remm).. Relax EL type validation for litterals.. Update some version numbers to 2.. (funkman, remm).. Add xsds for JSP 2.. 1 (remm).. 41106.. : Update validation checks for EL to also include legacy 1.. 2 tags (remm).. 40677.. : Update SSL documentation to indicate that PKCS11 keystores may be used.. 2 (remm).. Various tweaks to distribution (remm, funkman).. Update Tomcat native to 1.. 7 (mturk).. Update to JDT 3.. Fix EJB annotation interface (remm).. Fix passing of the keystore password for the NIO connector (fhanik).. 1 (remm).. 37439.. ,.. 40823.. : Documentation cleanup (markt).. Refactor exception processing using Throwable.. getCause to improve exception chaining (remm).. Remove dead code involving the Logger (funkman).. 37458.. : Fix some exceptions which could happen during classloading (markt).. 40817.. : Fix CGI path (markt).. 34956.. : Add the possibility to enforce usage of request and response wrapper objects (markt).. Many fixes for JSP 2.. 1 compliance, invloving tag files handling, deferred expressions validation, bom encoding support (remm).. Many HTTP NIO connector fixes and refactorings (fhanik).. HTTP NIO connector performance improvements (fhanik).. Add packetSize option for the classic AJP connector (jfclere).. Implement explicit flushing in AJP (mturk).. 0 (remm).. SSLEngine attribute added to the AprLifecycleListener(fhanik).. Add API for Comet IO handling (remm, fhanik).. Servlet 2.. 5 support (remm).. JSP 2.. 1 support (jhook, remm).. Unifed EL 2.. 1 support (jhook).. SSLEnabled attribute required for SSL to be turned on, on all HTTP connectors (fhanik).. Memory usage reduction for the HTTP connectors, except java.. io (remm).. Modeler update to use dynamic mbeans rather than model mbeans, which consume more resources (costin).. New cluster configuration and new documentation (fhanik).. Copyright 1999-2006, Apache Software Foundation..

    Original link path: /docs/changelog.html
    Open archive

  • Title: Apache Tomcat 6.0 - Documentation Index
    Descriptive info: Documentation Index.. Introduction.. This is the top-level entry point of the documentation bundle for the.. Servlet/JSP container.. Apache Tomcat version 6.. 0 implements the Servlet 2.. 5 and JavaServer Pages 2.. 1 specifications from the.. Java Community Process.. , and includes many additional features that make it a useful platform for developing and deploying web applications and web services.. Select one of the links from the navigation menu (to the left) to drill down to the more detailed documentation that is available.. Each available manual is described in more detail below.. Apache Tomcat User Guide.. The following documents will assist you in downloading, installing Apache Tomcat 6, and using many of the Apache Tomcat features.. - A brief, high level, overview of Apache Tomcat.. Setup.. - How to install and run Apache Tomcat on a variety of platforms.. First web application.. - An introduction to the concepts of a.. web application.. as defined in the.. 4 Specification.. Covers basic organization of your web application source tree, the structure of a web application archive, and an introduction to the web application deployment descriptor (.. /WEB-INF/web.. ).. Deployer.. - Operating the Apache Tomcat Deployer to deploy, precompile, and validate web applications.. Manager.. - Operating the.. web app to deploy, undeploy, and redeploy applications while Apache Tomcat is running.. Realms and Access Control.. - Description of how to configure.. Realms.. (databases of users, passwords, and their associated roles) for use in web applications that utilize.. Container Managed Security.. Security Manager.. - Configuring and using a Java Security Manager to support fine-grained control over the behavior of your web applications.. JNDI Resources.. - Configuring standard and custom resources in the JNDI naming context that is provided to each web application.. JDBC DataSource.. - Configuring a  ...   load balancer application.. Connectors.. - Connectors available in Apache Tomcat, and native web server integration.. Monitoring and Management.. - Enabling JMX Remote support, and using tools to monitor and manage Apache Tomcat.. Logging.. - Configuring logging in Apache Tomcat.. Apache Portable Runtime.. - Using APR to provide superior performance, scalability and better integration with native server technologies.. Virtual Hosting.. - Configuring vitual hosting in Apache Tomcat.. Advanced IO.. - Extensions available over regular, blocking IO.. Additional Components.. - Obtaining additional, optional components.. The following documents are aimed at.. System Administrators.. who are responsible for installing, configuring, and operating a Apache Tomcat 6 server.. Release notes.. - Known issues in this Apache Tomcat release.. Apache Tomcat Server Configuration Reference.. - Reference manual that documents all available elements and attributes that may be placed into a Apache Tomcat 6.. conf/server.. file.. JK Documentation.. - Complete documentation and HOWTOs on the JK native webserver connector, used to interface Apache Tomcat with servers like Apache HTTPd, IIS and others.. Servlet API Javadocs.. - The Servlet 2.. 5 API Javadocs.. JSP API Javadocs.. - The JSP 2.. 1 API Javadocs.. Apache Tomcat Developers.. The following documents are for Java developers who wish to contribute to the development of the.. project.. Building from Source.. - Details the steps necessary to download Apache Tomcat 6 source code (and the other packages that it depends on), and build a binary distribution from those sources.. - Details the changes made to Apache Tomcat.. - Apache Tomcat development status.. - List of active Apache Tomcat contributors.. Functional Specifications.. - Requirements specifications for features of the.. servlet container portion of Apache Tomcat 6.. - Javadoc API documentation for Apache Tomcat's internals.. Apache Tomcat Architecture.. - Documentation of the Apache Tomcat Server Architecture..

    Original link path: /docs/index.html
    Open archive

  • Title: Apache Tomcat 6.0 - Introduction
    Descriptive info: For administrators and web developers alike, there are some important bits of information you should familiarize yourself with before starting out.. This document serves as a brief introduction to some of the concepts and terminology behind the Tomcat container.. As well, where to go when you need help.. Terminology.. In the course of reading these documents, you'll run across a number of terms; some specific to Tomcat, and others defined by the.. Servlet.. or.. JSP.. specifications.. Context.. - In a nutshell, a Context is a web application.. Term2.. - This is it.. Term3.. - This is it!.. Directories and Files.. Throughout the docs, you'll notice there are numerous references to.. $CATALINA_HOME.. This represents the root of your Tomcat installation.. When we say, "This information can be found in your $CATALINA_HOME/README.. txt file" we mean to look at the README.. txt file at the root of your Tomcat install.. These are some of the key tomcat directories, all relative to.. :.. /bin.. - Startup, shutdown, and other scripts.. The.. *.. sh.. files (for Unix systems) are functional duplicates of the.. bat.. files (for Windows systems).. Since the Win32 command-line lacks certain functionality, there are some additional files in here.. /conf.. - Configuration files and related DTDs.. The most important file in here is server.. It is the main configuration file for the container.. /logs.. - Log files are here by default.. /webapps.. - This is where your webapps go.. Configuring Tomcat.. This section will acquaint you with  ...   Tomcat 6, but 3.. x, 4.. x and 5.. Doing 3.. x or 4.. x things to 6 will probably not work in most cases as the server.. xml files are very different.. Current document - most documents will list potential hangups.. Be sure to fully read the relevant documentation as it will save you much time and effort.. There's nothing like scouring the web only to find out that the answer was right in front of you all along!.. Tomcat FAQ.. as maintained by the developers.. Tomcat WIKI.. Tomcat FAQ at.. jGuru.. Tomcat mailing list archives - numerous sites archive the Tomcat mailing lists.. Since the links change over time, clicking here will search.. Google.. The TOMCAT-USER mailing list, which you can subscribe to.. here.. If you don't get a reply, then there's a good chance that your question was probably answered in the list archives or one of the FAQs.. Although questions about web application development in general are sometimes asked and answered, please focus your questions on Tomcat-specific issues.. The TOMCAT-DEV mailing list, which you can subscribe to.. This list is.. reserved.. for discussions about the development of Tomcat itself.. Questions about Tomcat configuration, and the problems you run into while developing and running applications, will normally be more appropriate on the TOMCAT-USER list instead.. And, if you think something should be in the docs, by all means let us know on the TOMCAT-DEV list, or send one of the doc authors email..

    Original link path: /docs/introduction.html
    Open archive

  • Title: Apache Tomcat 6.0 - Tomcat Setup
    Descriptive info: Tomcat Setup.. This document introduces several ways to set up Tomcat for running on different platforms.. Please note that some advanced setup issues are not covered here: the full distribution (ZIP file or tarball) includes a file called RUNNING.. txt which discusses these issues.. We encourage you to refer to it if the information below does not answer some of your questions.. Windows.. Installing Tomcat on Windows can be done easily using the Windows installer.. Its interface and functionality is similar to other wizard based installers, with only a few items of interest.. Installation as a service.. : Tomcat will be installed as a Windows NT/2k/XP service no matter what setting is selected.. Using the checkbox on the component page sets the service as "auto" startup, so that Tomcat is automatically started when Windows starts.. For optimal security, the service should be run as a separate user, with reduced permissions (see the Windows Services administration tool and its documentation).. Java location.. : The installer will use the registry or the JAVA_HOME environment variable to determine the base path of a J2SE 5 JRE.. Tray icon.. : When Tomcat is run as a service, there will not be any tray icon present when Tomcat is running.. Note that when choosing to run Tomcat at the end of installation, the tray icon will be used even if Tomcat was installed as a service.. Refer to the.. Windows Service HOW-TO.. for information on how to manage Tomcat as Windows NT service.. The installer will create shortcuts allowing starting and configuring Tomcat.. It  ...   and that.. CATALINA_HOME.. is an environment variable pointing to the base path of the Tomcat installation.. Please note that you should use the GNU make (gmake) instead of the native BSD make on FreeBSD systems.. Download a commons-daemon binary from the Jakarta Commons download page, and place jsvc.. tar.. gz and commons-daemon.. jar in the.. cd $CATALINA_HOME/bin tar xvfz jsvc.. gz cd jsvc-src autoconf.. /configure make cp jsvc.. cd.. Tomcat can then be run as a daemon using the following commands.. cd $CATALINA_HOME.. /bin/jsvc -cp.. /bin/bootstrap.. jar \ -outfile.. /logs/catalina.. out -errfile.. err \ org.. startup.. Bootstrap.. jsvc has other useful parameters, such as.. -user.. which causes it to switch to another user after the daemon initialization is complete.. This allows, for example, running Tomcat as a non privileged user while still being able to use privileged ports.. jsvc --help.. will return the full jsvc usage information.. In particular, the.. -debug.. option is useful to debug issues running jsvc.. The file.. $CATALINA_HOME/bin/jsvc/native/tomcat.. can be used as a template for starting Tomcat automatically at boot time from.. /etc/init.. d.. The file is currently setup for running Tomcat 4.. x, so it is necessary to edit it and change the classname from.. BootstrapService.. to.. Bootstrap.. Note that the Commons-Daemon JAR file must be on your runtime classpath to run Tomcat in this manner.. The Commons-Daemon JAR file is in the Class-Path entry of the bootstrap.. jar manifest, but if you get a ClassNotFoundException or a NoClassDefFoundError for a Commons-Daemon class, add the Commons-Daemon JAR to the -cp argument when launching jsvc..

    Original link path: /docs/setup.html
    Open archive

  • Title: Application Developer's Guide - Table of Contents
    Descriptive info: Contents.. Installation.. Deployment.. Source Code.. Processes.. Example App.. Application Developer's Guide.. Table of Contents.. Preface.. This manual includes contributions from many members of the Tomcat Project developer community.. The following authors have provided significant content:.. Craig R.. McClanahan (.. craigmcc@apache.. The information presented is divided into the following sections:.. - Briefly describes the information covered here, with links and references to other sources of information.. - Covers acquiring and installing the required software components to use Tomcat for web application development.. Deployment Organization.. - Discusses the standard  ...   options for integration with Tomcat in your development environment.. Source Organization.. - Describes a useful approach to organizing the source code directories for your project, and introduces the.. build.. used by Ant to manage compilation.. Development Processes.. - Provides brief descriptions of typical development processes utilizing the recommended deployment and source organizations.. Example Application.. - This directory contains a very simple, but functionally complete, "Hello, World" application built according to the principles described in this manual.. You can use this application to practice using the described techniques..

    Original link path: /docs/appdev/index.html
    Open archive

  • Title: Apache Tomcat 6.0 - Tomcat Web Application Deployment
    Descriptive info: Tomcat Web Application Deployment.. A word on Contexts.. Deployment on Tomcat startup.. Deploying on a running Tomcat server.. Deploying using the Tomcat Manager.. Deploying using the Tomcat Client Deployer.. Deployment is the term used for the process of installing a web application (either a 3rd party WAR or your own custom web application) into the Tomcat server.. Web application deployment may be accomplished in a number of ways within the Tomcat server.. Statically; the web application is setup before Tomcat is started.. Dynamically; in conjunction with the Tomcat Manager web application or manipulating already deployed web applications.. The Tomcat Manager is a tool that allows URL-based web application deployment features.. There is also a tool called the Client Deployer, which is a command shell based script that interacts with the Tomcat Manager but provides additional functionality such as compiling and validating web applications as well as packaging web application into web application resource (WAR) files.. There is no installation required for static deployment of web applications as this is provided out of the box by Tomcat.. Nor is any installation required for deployment functions with the Tomcat Manager, although some configuration is required as detailed in the Tomcat Manager manual.. An installation is however required if you wish to use the Tomcat Client Deployer (TCD).. The TCD is not packaged with the Tomcat core distribution, and must therefore be downloaded separately from the Downloads area.. The download is usually labelled.. apache-tomcat-6.. x-deployer.. TCD has prerequisites of Apache Ant 1.. 6.. 2+ and a Java installation.. Your environment should define an ANT_HOME environment value pointing to the root of your Ant installation, and a JAVA_HOME value pointing to your Java installation.. Additionally, you should ensure Ant's ant command, and the Java javac compiler command run from the command shell that your operating system provides.. Download the TCD distribution.. The TCD package need not be extracted into any existing Tomcat installation, it can be extracted to any location.. Read Using the.. Tomcat Client Deployer.. In talking about deployment of web applications, the concept of a.. is required to be understood.. A Context is what Tomcat calls a web application.. In order to configure a Context within Tomcat a.. Context Descriptor.. is required.. A Context Descriptor is simply an XML file that contains Tomcat related configuration for a Context, e.. g naming resources or session manager configuration.. In earlier versions of Tomcat the content of a Context Descriptor configuration was often stored within Tomcat's primary configuration file.. server.. but this is now discouraged (although it currently still works).. Context Descriptors not only help Tomcat to know how to configure Contexts but other tools such as the Tomcat Manager and TCD often use these Context Descriptors to perform their roles properly.. The locations for Context Descriptors are;.. $CATALINA_HOME/conf/[enginename]/[hostname]/context.. $CATALINA_HOME/webapps/[webappname]/META-INF/context.. Files in (1) are named [webappname].. xml but files in (2) are named context.. If a Context Descriptor is not provided for a Context, Tomcat configures the Context using default values.. If you are not interested in using the Tomcat Manager, or TCD, then you'll need to deploy your web applications statically to Tomcat, followed by a Tomcat startup.. The location you deploy web applications to for this type of deployment is called the.. appBase.. which is specified per Host.. You either copy a so-called.. exploded web application.. , i.. e non-compressed, to this location, or a compressed web application resource.. WAR file.. The web applications present in the location specified by the Host's (default Host is "localhost").. attribute (default appBase is "$CATALINA_HOME/webapps") will be deployed on Tomcat startup only if the Host's.. deployOnStartup.. attribute is "true".. The following deployment sequence will  ...   of the previously deployed web application) is added to the.. $CATALINA_HOME/conf/[enginename]/[hostname]/.. directory.. Undeployment of a web application if its document base (docBase) is deleted.. Note that on Windows, this assumes that anti-locking features (see Context configuration) are enabled, otherwise it is not possible to delete the resources of a running web application.. Note that web application reloading can also be configured in the loader, in which case loaded classes will be tracked for changes.. The Tomcat Manager is covered in its.. own manual page.. Deploying using the Client Deployer Package.. Finally, deployment of web application may be achieved using the Tomcat Client Deployer.. This is a package which can be used to validate, compile, compress to.. WAR, and deploy web applications to production or development Tomcat servers.. It should be noted that this feature uses the Tomcat Manager and as such the target Tomcat server should be running.. It is assumed the user will be familar with Apache Ant for using the TCD.. Apache Ant is a scripted build tool.. The TCD comes pre-packaged with a build script to use.. Only a modest understanding of Apache Ant is required (installation as listed earlier in this page, and familiarity with using the operating system command shell and configuring environment variables).. The TCD includes Ant tasks, the Jasper page compiler for JSP compilation before deployment, as well as a task which validates the web application Context Descriptor.. The validator task (class.. org.. ant.. ValidatorTask.. ) allows only one parameter: the base path of an exploded web application.. The TCD uses an exploded web application as input (see the list of the properties used below).. A web application that is programatically deployed with the deployer may include a Context Desciptor in.. /META-INF/context.. The TCD includes a ready-to-use Ant script, with the following targets:.. compile.. (default): Compile and validate the web application.. This can be used standalone, and does not need a running Tomcat server.. The compiled application will only run on the associated Tomcat 5.. x server release, and is not guaranteed to work on another Tomcat release, as the code generated by Jasper depends on its runtime component.. It should also be noted that this target will also compile automatically any Java source file located in the.. /WEB-INF/classes.. folder of the web application.. deploy.. : Deploy a web application (compiled or not) to a Tomcat server.. undeploy.. : Undeploy a web application.. start.. : Start web application.. reload.. : Reload web application.. stop.. : Stop web application.. In order for the deployment to be configured, create a file called.. deployer.. in the TCD installation directory root.. In this file, add the following name=value pairs per line:.. Additionally, you will need to ensure that a user has been setup for the target Tomcat Manager (which TCD uses) otherwise the TCD will not authenticate with the Tomcat Manager and the deployment will fail.. To do this, see the Tomcat Manager page.. : The build folder used will be, by default,.. ${build}/webapp/${path}.. After the end of the execution of the.. target, the web application.. WAR will be located at.. war.. webapp.. : The directory containing the exploded web application which will be compiled and validated.. By default, the folder is.. myapp.. path.. : Deployed context path of the web application, by default.. /myapp.. url.. : Absolute URL to the Tomcat Manager web application of a running Tomcat server, which will be used to deploy and undeploy the web application.. By default, the deployer will attempt to access a Tomcat instance running on localhost, at.. http://localhost:8080/manager.. username.. : Tomcat Manager username (user should have a role of manager).. password.. : Tomcat Manager password..

    Original link path: /docs/deployer-howto.html
    Open archive

  • Title: Apache Tomcat 6.0 - Manager App HOW-TO
    Descriptive info: Manager App HOW-TO.. Configuring Manager Application Access.. Supported Manager Commands.. Deploy A New Application Remotely.. Deploy A New Application from a Local Path.. List Currently Deployed Applications.. Reload An Existing Application.. List OS and JVM Properties.. List Available Global JNDI Resources.. List Available Security Roles.. Session Statistics.. Start an Existing Application.. Stop an Existing Application.. Undeploy an Existing Application.. Executing Manager Commands With Ant.. Using the JMX Proxy Servlet.. What is JMX Proxy Servlet?.. Query command.. Set command.. In many production environments, it is very useful to have the capability to deploy a new web application, or undeploy an existing one, without having to shut down and restart the entire container.. In addition, you can request an existing application to reload itself, even if you have not declared it to be.. reloadable.. in the Tomcat 6 server configuration file.. To support these capabilities, Tomcat 6 includes a web application (installed by default on context path.. /manager.. ) that supports the following functions:.. Deploy a new web application from the uploaded contents of a WAR file.. Deploy a new web application, on a specified context path, from the server file system.. List the currently deployed web applications, as well as the sessions that are currently active for those web apps.. Reload an existing web application, to reflect changes in the contents of.. /WEB-INF/lib.. List the OS and JVM property values.. List the available global JNDI resources, for use in deployment tools that are preparing.. ResourceLink.. elements nested in a.. Context.. deployment description.. List the available security roles defined in the user database.. Start a stopped application (thus making it available again).. Stop an existing application (so that it becomes unavailable), but do not undeploy it.. Undeploy a deployed web application and delete its document base directory (unless it was deployed from file system).. A default Tomcat installation includes the manager.. To add an instance of the Manager web application.. to a new host install the.. manager.. context configuration file in the.. $CATALINA_HOME/conf/[enginename]/[hostname].. Here is an example:.. Context path="/manager" debug="0" privileged="true" docBase="/usr/local/kinetic/tomcat6/server/webapps/manager" /Context.. If you have Tomcat configured to support multiple virtual hosts (websites) you would need to configure a Manager for each.. There are three ways to use the.. As an application with a user interface you use in your browser.. Here is an example URL where you can replace.. localhost.. with your website host name:.. http://localhost/manager/html/.. A minimal version using HTTP requests only which is suitable for use by scripts setup by system administrators.. Commands are given as part of the request URI, and responses are in the form of simple text that can be easily parsed and processed.. See.. for more information.. A convenient set of task definitions for the.. Ant.. (version 1.. 4 or later) build tool.. The description below uses the variable name $CATALINA_HOME to refer to the directory into which you have installed Tomcat 6, and is the base directory against which most relative paths are resolved.. However, if you have configured Tomcat 6 for multiple instances by setting a CATALINA_BASE directory, you should use $CATALINA_BASE instead of $CATALINA_HOME for each of these references.. It would be quite unsafe to ship Tomcat with default settings that allowed anyone on the Internet to execute the Manager application on your server.. Therefore, the Manager application is shipped with the requirement that anyone who attempts to use it must authenticate themselves, using a username and password that have the role.. associated with them.. Further, there is no username in the default users file (.. ) that is assigned this role.. Therefore, access to the Manager application is completely disabled by default.. To enable access to the Manager web application, you must either create a new username/password combination and associate the role name.. with it, or add the.. role to some existing username/password combination.. Exactly where this is done depends on which.. Realm.. implementation you are using:.. MemoryRealm.. - If you have not customized your.. $CATALINA_HOME/conf/server.. to select a different one, Tomcat 6 defaults to an XML-format file stored at.. , which can be edited with any text editor.. This file contains an XML.. user.. for each individual user, which might look something like this:.. user name="craigmcc" password="secret" roles="standard,manager" /.. which defines the username and password used by this individual to log on, and the role names he or she is associated with.. You can add the.. role to the comma-delimited.. roles.. attribute for one or more existing users, and/or create new users with that assigned role.. JDBCRealm.. - Your user and role information is stored in a database accessed via JDBC.. Add the.. role to one or more existing users, and/or create one or more new users with this role assigned, following the standard procedures for your environment.. JNDIRealm.. - Your user and role information is stored in a directory server accessed via LDAP.. The first time you attempt to issue one of the Manager commands described in the next section, you will be challenged to log on using BASIC authentication.. The username and password you enter do not matter, as long as they identify a valid user in the users database who possesses the role.. In addition to the password restrictions the manager web application could be restricted by the remote IP address or host by adding a.. RemoteAddrValve.. RemoteHostValve.. Here is an example of restricting access to the localhost by IP address:.. Context path="/manager" privileged="true" docBase="/usr/local/kinetic/tomcat6/server/webapps/manager" Valve className="org.. valves.. RemoteAddrValve" allow="127\.. 0\.. 1"/ /Context.. All commands that the Manager application knows how to process are specified in a single request URI like this:.. http://{host}:{port}/manager/{command}?{parameters}.. where.. {host}.. and.. {port}.. represent the hostname and port number on which Tomcat is running,.. {command}.. represents the Manager command you wish to execute, and.. {parameters}.. represents the query parameters that are specific to that command.. In the illustrations below, customize the host and port appropriately for your installation.. Most commands accept one or more of the following query parameters:.. - The context path (including the leading slash) of the web application you are dealing with.. To select the ROOT web application, specify "/".. NOTE.. - It is not possible to perform administrative commands on the Manager application itself.. war.. - URL of a web application archive (WAR) file, pathname of a directory which contains the web application, or a Context configuration ".. xml" file.. You can use URLs in any of the following formats:.. file:/absolute/path/to/a/directory.. - The absolute path of a directory that contains the unpacked version of a web application.. This directory will be attached to the context path you specify without any changes.. file:/absolute/path/to/a/webapp.. - The absolute path of a web application archive (WAR) file.. This is valid.. only.. for the.. /deploy.. command, and is the only acceptable format to that command.. jar:file:/absolute/path/to/a/warfile.. war!/.. - The URL to a local web application archive (WAR) file.. You can use any syntax that is valid for the.. JarURLConnection.. class for reference to an entire JAR file.. file:/absolute/path/to/a/context.. - The absolute path of a web application Context configuration ".. xml" file which contains the Context configuration element.. - The directory name for the web applciation context in the Host's application base directory.. - The name of a web application war file located in the Host's application base directory.. Each command will return a response in.. text/plain.. format (i.. plain ASCII with no HTML markup), making it easy for both humans and programs to read).. The first line of the response wil begin with either.. OK.. FAIL.. , indicating whether the requested command was successful or not.. In the case of failure, the rest of the first line will contain a description of the problem that was encountered.. Some commands include additional lines of information as described below.. Internationalization Note.. - The Manager application looks up its message strings in resource bundles, so it is possible that the strings have been translated for your platform.. The examples below show the English version of the messages.. WARNING:.. the legacy commands.. /install.. /remove.. are deprecated.. They are presently equivalent to.. /undeploy.. , but could be removed in a future release.. http://localhost:8080/manager/deploy?path=/foo.. Upload the web application archive (WAR) file that is specified as the request data in this HTTP PUT request, install it into the.. directory of our corresponding virtual host, and start , using the directory name or the war file name without the.. war extension as the path.. The application can later be undeployed (and the corresponding application directory removed) by use of the.. command.. WAR file may include Tomcat specific deployment configuration, by including a Context configuration XML file in.. URL parameters include:.. update.. : When set to true, any existing update will be undeployed first.. The default value is set to false.. tag.. : Specifying a tag name, this allows associating the deployed webapp with a version number.. The application version can be later redeployed when needed using only the tag.. - This command is the logical opposite of the.. If installation and startup is successful, you will receive a response like this:.. OK - Deployed application at context path /foo.. Otherwise, the response will start with.. and include an error message.. Possible causes for problems include:.. Application already exists at path /foo.. The context paths for all currently running web applications must be unique.. Therefore, you must undeploy the existing web application using this context path, or choose a different context path for the new one.. parameter may be specified as a parameter on the URL, with a value of.. true.. to avoid this error.. In that case, an undeploy will be performed on an existing application before performing the deployment.. Encountered exception.. An exception was encountered trying to start the new web application.. Check the Tomcat 6 logs for the details, but likely explanations include problems parsing your.. file, or missing classes encountered when initializing application event listeners and filters.. Deploy and start a new web application, attached to the specified context.. (which must not be in use by any other web application).. This command is the logical opposite of the.. There are a number of different ways the deploy command can be used.. Deploy a version of a previously deployed webapp.. This can be used to deploy a previous version of a web application, which has been deployed  ...   resource.. http://localhost:8080/manager/sessions?path=/examples.. Display the default session timeout for a web application, and the number of currently active sessions that fall within ten-minute ranges of their actual timeout times.. For example, after restarting Tomcat and then executing one of the JSP samples in the.. /examples.. web app, you might get something like this:.. OK - Session information for application at context path /examples Default maximum session inactive interval 30 minutes 30 - 40 minutes:1 sessions.. http://localhost:8080/manager/start?path=/examples.. Signal a stopped application to restart, and make itself available again.. Stopping and starting is useful, for example, if the database required by your application becomes temporarily unavailable.. It is usually better to stop the web application that relies on this database rather than letting users continuously encounter database exceptions.. OK - Started application at context path /examples.. An exception was encountered trying to start the web application.. http://localhost:8080/manager/stop?path=/examples.. Signal an existing application to make itself unavailable, but leave it deployed.. Any request that comes in while an application is stopped will see an HTTP error 404, and this application will show as "stopped" on a list applications command.. OK - Stopped application at context path /examples.. An exception was encountered trying to stop the web application.. http://localhost:8080/manager/undeploy?path=/examples.. WARNING.. - This command will delete any web application artifacts that exist within.. directory (typically "webapps") for this virtual host.. This will delete the the application.. WAR, if present, the application directory resulting either from a deploy in unpacked form or from.. WAR expansion as well as the XML Context definition from.. If you simply want to take an application out of service, you should use the.. /stop.. command instead.. Signal an existing application to gracefully shut itself down, and remove it from Tomcat (which also makes this context path available for reuse later).. In addition, the document root directory is removed, if it exists in the.. OK - Undeployed application at context path /examples.. An exception was encountered trying to undeploy the web application.. In addition to the ability to execute Manager commands via HTTP requests, as documented above, Tomcat 6 includes a convenient set of Task definitions for the.. In order to use these commands, you must perform the following setup operations:.. Download the binary distribution of Ant from.. http://ant.. You must use version.. 1.. or later.. Install the Ant distribution in a convenient directory (called ANT_HOME in the remainder of these instructions).. Copy the file.. server/lib/catalina-ant.. jar.. from your Tomcat 6 installation into Ant's library directory (.. $ANT_HOME/lib.. $ANT_HOME/bin.. directory to your.. PATH.. environment variable.. Configure at least one username/password combination in your Tomcat user database that includes the.. role.. To use custom tasks within Ant, you must declare them first with a.. taskdef.. Therefore, your.. file might look something like this:.. project name="My Application" default="compile" basedir=".. " !-- Configure the directory into which the web application is built -- property name="build" value="${basedir}/build"/ !-- Configure the context path for this application -- property name="path" value="/myapp"/ !-- Configure properties to access the Manager application -- property name="url" value="http://localhost:8080/manager"/ property name="username" value="myusername"/ property name="password" value="mypassword"/ !-- Configure the custom Ant tasks for the Manager application -- taskdef name="deploy" classname="org.. DeployTask"/ taskdef name="list" classname="org.. ListTask"/ taskdef name="reload" classname="org.. ReloadTask"/ taskdef name="resources" classname="org.. ResourcesTask"/ taskdef name="roles" classname="org.. RolesTask"/ taskdef name="start" classname="org.. StartTask"/ taskdef name="stop" classname="org.. StopTask"/ taskdef name="undeploy" classname="org.. UndeployTask"/ !-- Executable Targets -- target name="compile" description="Compile web application" !--.. construct web application in ${build} subdirectory, and generated a ${path}.. -- /target target name="deploy" description="Install web application" depends="compile" deploy url="${url}" username="${username}" password="${password}" path="${path}" war="file:${build}${path}.. war"/ /target target name="reload" description="Reload web application" depends="compile" reload url="${url}" username="${username}" password="${password}" path="${path}"/ /target target name="undeploy" description="Remove web application" undeploy url="${url}" username="${username}" password="${password}" path="${path}"/ /target /project.. Now, you can execute commands like.. ant deploy.. to deploy the application to a running instance of Tomcat, or.. ant reload.. to tell Tomcat to reload it.. Note also that most of the interesting values in this.. file are defined as replaceable properties, so you can override their values from the command line.. For example, you might consider it a security risk to include the real manager password in your.. file's source code.. To avoid this, omit the password property, and specify it from the command line:.. ant -Dpassword=secret deploy.. Tasks output capture.. Using.. or later, the Catalina tasks offer the option to capture their output in properties or external files.. They support directly the following subset of the.. redirector.. type attributes:.. Attribute.. Required.. output.. Name of a file to which to write the output.. If the error stream is not also redirected to a file or property, it will appear in this output.. No.. error.. The file to which the standard error of the command should be redirected.. logError.. This attribute is used when you wish to see error output in Ant's log and you are redirecting output to a file/property.. The error output will not be included in the output file/property.. If you redirect error with the.. errorProperty.. attributes, this will have no effect.. append.. Whether output and error files should be appended to or overwritten.. Defaults to.. false.. createemptyfiles.. Whether output and error files should be created even when empty.. outputproperty.. The name of a property in which the output of the command should be stored.. Unless the error stream is redirected to a separate file or stream, this property will include the error output.. errorproperty.. The name of a property in which the standard error of the command should be stored.. A couple of additional attributes can also be specified:.. alwaysLog.. This attribute is used when you wish to see the output you are capturing, appearing also in the Ant's log.. It must not be used unless you are capturing task output.. This attribute will be supported directly by.. in Ant 1.. failonerror.. This attribute is used when you wish to avoid that any manager command processing error terminates the ant execution.. It must be set to.. , if you want to capture error output, otherwise execution will terminate before anything can be captured.. This attribute acts only on manager command execution, any wrong or missing command attribute will still cause Ant execution termination.. They also support the embedded.. element in which you can specify its full set of attributes, but.. input.. inputstring.. inputencoding.. that, even if accepted, are not used because they have no meaning in this context.. Refer to.. ant manual.. for details on.. element attributes.. Here is a sample build file extract that shows how this output redirection support can be used:.. target name="manager.. deploy" depends="context.. status" if="context.. notInstalled" deploy url="${mgr.. url}" username="${mgr.. username}" password="${mgr.. password}" path="${mgr.. context.. path}" config="${mgr.. descriptor}"/ /target target name="manager.. deploy.. war" depends="context.. deployable" deploy url="${mgr.. password}" update="${mgr.. update}" path="${mgr.. path}" war="${mgr.. file}"/ /target target name="context.. status" property name="running" value="${mgr.. path}:running"/ property name="stopped" value="${mgr.. path}:stopped"/ list url="${mgr.. url}" outputproperty="ctx.. status" username="${mgr.. password}" /list condition property="context.. running" contains string="${ctx.. status}" substring="${running}"/ /condition condition property="context.. stopped" contains string="${ctx.. status}" substring="${stopped}"/ /condition condition property="context.. notInstalled" and isfalse value="${context.. running}"/ isfalse value="${context.. stopped}"/ /and /condition condition property="context.. deployable" or istrue value="${context.. notInstalled}"/ and istrue value="${context.. running}"/ istrue value="${mgr.. update}"/ /and and istrue value="${context.. stopped}"/ istrue value="${mgr.. update}"/ /and /or /condition condition property="context.. undeployable" or istrue value="${context.. running}"/ istrue value="${context.. stopped}"/ /or /condition /target.. even if it doesn't make many sense, and is always a bad idea, calling a Catalina task more than once, badly set Ant tasks depends chains may cause that a task be called more than once in the same Ant run, even if not intended to.. A bit of caution should be exercised when you are capturing output from that task, because this could lead to something unexpected:.. when capturing in a property you will find in it only the output from the.. first.. call, because Ant properties are immutable and once set they cannot be changed,.. when capturing in a file, each run will overwrite it and you will find in it only the.. last.. call output, unless you are using the.. append="true".. attribute, in which case you will see the output of each task call appended to the file.. What is JMX Proxy Servlet.. The JMX Proxy Servlet is a lightweight proxy to get and set the tomcat internals.. (Or any class that has been exposed via an MBean) Its usage is not very user friendly but the UI is extremely help for integrating command line scripts for monitoring and changing the internals of tomcat.. You can do two things with the proxy: get information and set information.. For you to really understand the JMX Proxy Servlet, you should have a general understanding of JMX.. If you don't know what JMX is, then prepare to be confused.. JMX Query command.. This takes the form:.. http://webserver/manager/jmxproxy/?qry=STUFF.. Where.. STUFF.. is the JMX query you wish to perform.. For example, here are some queries you might wish to run:.. qry=*%3Atype%3DRequestProcessor%2C* -- type=RequestProcessor.. which will locate all workers which can process requests and report their state.. qry=*%3Aj2eeType=Servlet%2c* -- j2eeType=Servlet.. which return all loaded servlets.. qry=Catalina%3Atype%3DEnvironment%2Cresourcetype%3DGlobal%2Cname%3DsimpleValue -- Catalina:type=Environment,resourcetype=Global,name=simpleValue.. which look for a specific MBean by the given name.. You'll need to experiment with this to really understand its capabilites.. If you provide no.. qry.. parameter, then all of the MBeans will be displayed.. We really recommend looking at the tomcat source code and understand the JMX spec to get a better understanding of all the queries you may run.. JMX Set command.. Now that you can query an MBean, its time to muck with Tomcat's internals! The general form of the set command is :.. http://webserver/manager/jmxproxy/?set=BEANNAME att=MYATTRIBUTE val=NEWVALUE.. So you need to provide 3 request parameters:.. set.. : The full bean name.. att.. : The attribute you wish to alter.. val.. : The new value.. If all goes ok, then it will say OK, otherwise an error message will be shown.. For example, lets say we wish to turn up debugging on the fly for the.. ErrorReportValve.. The following will set debugging to 10.. http://localhost:8080/manager/jmxproxy/ ?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost att=debug val=10.. and my result is (YMMV):.. Result: ok.. Here is what I see if I pass in a bad value.. Here is the URL I used, I try set debugging equal to 'cowbell':.. http://localhost:8080/manager/jmxproxy/ ?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost att=debug val=cowbell.. When I try that, my result is.. Error: java.. lang.. NumberFormatException: For input string: "cowbell"..

    Original link path: /docs/manager-howto.html
    Open archive

  • Title: Apache Tomcat 6.0 - Realm Configuration HOW-TO
    Descriptive info: Realm Configuration HOW-TO.. Quick Start.. What is a Realm?.. Configuring a Realm.. Common Features.. Digested Passwords.. Manager Application.. Logging Within Realms.. Standard Realm Implementations.. DataSourceRealm.. JAASRealm.. This document describes how to configure Tomcat to support.. container managed security.. , by connecting to an existing "database" of usernames, passwords, and user roles.. You only need to care about this if you are using a web application that includes one or more.. security-constraint.. elements, and a.. login-config.. element defining how users are required to authenticate themselves.. If you are not utilizing these features, you can safely skip this document.. For fundamental background information about container managed security, see the.. Servlet Specification (Version 2.. 4).. , Section 12.. For information about utilizing the.. Single Sign On.. feature of Tomcat 6 (allowing a user to authenticate themselves once across the entire set of web applications associated with a virtual host), see.. Overview.. A.. is a "database" of usernames and passwords that identify valid users of a web application (or set of web applications), plus an enumeration of the list of.. associated with each valid user.. You can think of roles as similar to.. groups.. in Unix-like operating systems, because access to specific web application resources is granted to all users possessing a particular role (rather than enumerating the list of associated usernames).. A particular user can have any number of roles associated with their username.. Although the Servlet Specification describes a portable mechanism for applications to.. declare.. their security requirements (in the.. deployment descriptor), there is no portable API defining the interface between a servlet container and the associated user and role information.. In many cases, however, it is desireable to "connect" a servlet container to some existing authentication database or mechanism that already exists in the production environment.. Therefore, Tomcat 6 defines a Java interface (.. Realm.. ) that can be implemented by "plug in" components to establish this connection.. Five standard plug-ins are provided, supporting connections to various sources of authentication information:.. - Accesses authentication information stored in a relational database, accessed via a JDBC driver.. - Accesses authentication information stored in a relational database, accessed via a named JNDI JDBC DataSource.. - Accesses authentication information stored in an LDAP based directory server, accessed via a JNDI provider.. - Accesses authentication information stored in an in-memory object collection, which is initialized from an XML document (.. conf/tomcat-users.. - Accesses authentication information through the Java Authentication Authorization Service (JAAS) framework.. It is also possible to write your own.. implementation, and integrate it with Tomcat 6.. To do so, you need to:.. Implement.. ,.. Place your compiled realm in $CATALINA_HOME/server/lib,.. Declare your realm as described in the "Configuring a Realm" section below,.. Declare your realm to the.. MBeans Descriptor.. Before getting into the details of the standard Realm implementations, it is important to understand, in general terms, how a Realm is configured.. In general, you will be adding an XML element to your.. configuration file, that looks something like this:.. Realm className=".. class name for this implementation".. other attributes for this implementation.. /.. Realm.. element can be nested inside any one of of the following.. Container.. elements.. The location of the Realm element has a direct impact on the "scope" of that Realm (i.. which web applications will share the same authentication information):.. Inside an Engine element.. - This Realm will be shared across ALL web applications on ALL virtual hosts, UNLESS it is overridden by a Realm element nested inside a subordinate.. Host.. Inside a Host element.. - This Realm will be shared across ALL web applications for THIS virtual host, UNLESS it is overridden by a Realm element nested inside a subordinate.. Inside a Context element.. - This Realm will be used ONLY for THIS web application.. For each of the standard.. implementations, the user's password (by default) is stored in clear text.. In many environments, this is undesireable because casual observers of the authentication data can collect enough information to log on successfully, and impersonate other users.. To avoid this problem, the standard implementations support the concept of.. digesting.. user passwords.. This allows the stored version of the passwords to be encoded (in a form that is not easily reversible), but that the.. implementation can still utilize for authentication.. When a standard realm authenticates by retrieving the stored password and comparing it with the value presented by the user, you can select digested passwords by specifying the.. digest.. attribute on your.. The value for this attribute must be one of the digest algorithms supported by the.. security.. MessageDigest.. class (SHA, MD2, or MD5).. When you select this option, the contents of the password that is stored in the.. must be the cleartext version of the password, as digested by the specified algorithm.. When the.. authenticate().. method of the Realm is called, the (cleartext) password specified by the user is itself digested by the same algorithm, and the result is compared with the value returned by the.. An equal match implies that the cleartext version of the original password is the same as the one presented by the user, so that this user should be authorized.. To calculate the digested value of a cleartext password, two convenience techniques are supported:.. If you are writing an application that needs to calculate digested passwords dynamically, call the static.. Digest().. method of the.. realm.. RealmBase.. class, passing the cleartext password and the digest algorithm name as arguments.. This method will return the digested password.. If you want to execute a command line utility to calculate the digested password, simply execute.. java org.. RealmBase \ -a {algorithm} {cleartext-password}.. and the digested version of this cleartext password will be returned to standard output.. If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different.. In the examples above.. {cleartext-password}.. must be replaced with.. {username}:{realm}:{cleartext-password}.. For example, in a development environment this might take the form.. testUser:localhost:8080:testPassword.. To use either of the above techniques, the.. $CATALINA_HOME/lib/catalina.. $CATALINA_HOME/bin/tomcat-juli.. files will need to be on your class path to make the.. RealmBase.. class available.. Non-ASCII usernames and/or passwords are supported using.. RealmBase \ -a {algorithm} -e {encoding} {input}.. but care is required to ensure that the non-ASCII input is correctly passed to the digester.. The digester returns.. {input}:{digest}.. If the input appears corrupted in the return, the digest will be invalid.. The example application shipped with Tomcat 6 includes an area that is protected by a security constraint, utilizing form-based login.. To access it, point your browser at.. http://localhost:8080/examples/jsp/security/protected/.. and log on with one of the usernames and passwords described for the default.. If you wish to use the.. to deploy and undeploy applications in a running Tomcat 6 installation, you MUST add the "manager" role to at least one username in your selected Realm implementation.. This is because the manager web application itself uses a security constraint that requires role "manager" to access ANY request URI within that application.. For security reasons, no username in the default Realm (i.. using.. is assigned the "manager" role.. Therfore, no one will be able to utilize the features of this application until the Tomcat administrator specifically assigns this role to one or more users.. Realm Logging.. Debugging and exception messages logged by a.. will be recorded by the logging configuration associated with the container for the realm: its surrounding.. Host.. , or.. Engine.. is an implementation of the Tomcat 6.. interface that looks up users in a relational database accessed via a JDBC driver.. There is substantial configuration flexibility that lets you adapt to existing table and column names, as long as your database structure conforms to the following requirements:.. There must be a table, referenced below as the.. table, that contains one row for every valid user that this.. should recognize.. table must contain at least two columns (it may contain more if your existing applications required it):.. Username to be recognized by Tomcat when the user logs in.. Password to be recognized by Tomcat when the user logs in.. This value may in cleartext or digested - see below for more information.. user roles.. table, that contains one row for every valid role that is assigned to a particular user.. It is legal for a user to have zero, one, or more than one valid role.. Username to be recognized by Tomcat (same value as is specified in the.. table).. Role name of a valid role associated with this user.. To set up Tomcat to use JDBCRealm, you will need to follow these steps:.. If you have not yet done so, create tables and columns in your database that conform to the requirements described above.. Configure a database username and password for use by Tomcat, that has at least read only access to the tables described above.. (Tomcat will never attempt to write to these tables.. ).. Place a copy of the JDBC driver you will be using inside the.. $CATALINA_HOME/lib.. Note that.. JAR files are recognized!.. Set up a.. element, as described below, in your.. Restart Tomcat 6 if it is already running.. Realm Element Attributes.. To configure JDBCRealm, you will create a.. element and nest it in your.. file, as described.. above.. The following attributes are supported by this implementation:.. className.. The fully qualified Java class name of this Realm implementation.. You.. MUST.. specify the value ".. JDBCRealm.. " here.. connectionName.. The database username used to establish a JDBC connection.. connectionPassword.. The database password used to establish a JDBC connection.. connectionURL.. The database URL used to establish a JDBC connection.. The digest algorithm used to store passwords in non-plaintext formats.. Valid values are those accepted for the algorithm name by the.. If not specified, passwords are stored in clear text.. driverName.. The fully qualified Java class name of the JDBC driver to be used.. Consult the documentation for your JDBC driver for the appropriate value.. roleNameCol.. The name of the column, in the.. table, that contains the name of a role assigned to this user.. userCredCol.. table, that contains the password for this user (either in clear text, or digested if the.. attribute is set).. userNameCol.. tables, that contains the username of this user.. userRoleTable.. The name of the table that contains one row for each.. assigned to a particular.. This table must include at least the columns named by the.. attributes.. userTable.. to be recognized by Tomcat.. Example.. An example SQL script to create the needed tables might look something like this (adapt the syntax as required for your particular database):.. create table users ( user_name varchar(15) not null primary key, user_pass varchar(15) not null ); create table user_roles ( user_name varchar(15) not null, role_name varchar(15) not null, primary key (user_name, role_name) );.. Example.. elements are included (commented out) in the default.. Here's an example for using a MySQL database called "authority", configured with the tables described above, and accessed with username "dbuser" and password "dbpass":.. Realm className="org.. JDBCRealm" debug="99" driverName="org.. gjt.. mm.. mysql.. Driver" connectionURL="jdbc:mysql://localhost/authority?user=dbuser amp;password=dbpass" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name"/.. Additional Notes.. JDBCRealm operates according to the following rules:.. When a  ...   using the.. expression.. Not used if you are using the.. Name of the attribute in the user's entry containing the user's password.. If you specify this value, JNDIRealm will bind to the directory using the values specified by.. properties, and retrieve the corresponding attribute for comparison to the value specified by the user being authenticated.. If the.. attribute is set, the specified digest algorithm is applied to the password offered by the user before comparing it with the value retrieved from the directory.. If you do.. specify this value, JNDIRealm will attempt a simple bind to the directory using the DN of the user's entry and password specified by the user, with a successful bind being interpreted as an authenticated user.. A pattern for the distinguished name (DN) of the user's directory entry, following the syntax supported by the.. class with.. marking where the actual username should be inserted.. You can use this property instead of.. when the distinguished name contains the username and is otherwise the same for all users.. The name of an attribute in the user's directory entry containing zero or more values for the names of roles assigned to this user.. property to specify the name of an attribute to be retrieved from individual role entries found by searching the directory.. is not specified all the roles for a user derive from the role search.. The LDAP filter expression to use when searching for a user's directory entry, with.. Use this property (along with the.. properties) instead of.. to search the directory for the user's entry.. property for the user's entry.. Creation of the appropriate schema in your directory server is beyond the scope of this document, because it is unique to each directory server implementation.. In the examples below, we will assume that you are using a distribution of the OpenLDAP directory server (version 2.. 11 or later), which can be downloaded from.. http://www.. openldap.. Assume that your.. slapd.. conf.. file contains the following settings (among others):.. database ldbm suffix dc="mycompany",dc="com" rootdn "cn=Manager,dc=mycompany,dc=com" rootpw secret.. We will assume for.. that the directory server runs on the same machine as Tomcat.. http://java.. com/products/jndi/docs.. for more information about configuring and using the JNDI LDAP provider.. Next, assume that this directory server has been populated with elements as shown below (in LDIF format):.. # Define top-level entry dn: dc=mycompany,dc=com objectClass: dcObject dc:mycompany # Define an entry to contain people # searches for users are based on this entry dn: ou=people,dc=mycompany,dc=com objectClass: organizationalUnit ou: people # Define a user entry for Janet Jones dn: uid=jjones,ou=people,dc=mycompany,dc=com objectClass: inetOrgPerson uid: jjones sn: jones cn: janet jones mail: j.. jones@mycompany.. com userPassword: janet # Define a user entry for Fred Bloggs dn: uid=fbloggs,ou=people,dc=mycompany,dc=com objectClass: inetOrgPerson uid: fbloggs sn: bloggs cn: fred bloggs mail: f.. bloggs@mycompany.. com userPassword: fred # Define an entry to contain LDAP groups # searches for roles are based on this entry dn: ou=groups,dc=mycompany,dc=com objectClass: organizationalUnit ou: groups # Define an entry for the "tomcat" role dn: cn=tomcat,ou=groups,dc=mycompany,dc=com objectClass: groupOfUniqueNames cn: tomcat uniqueMember: uid=jjones,ou=people,dc=mycompany,dc=com uniqueMember: uid=fbloggs,ou=people,dc=mycompany,dc=com # Define an entry for the "role1" role dn: cn=role1,ou=groups,dc=mycompany,dc=com objectClass: groupOfUniqueNames cn: role1 uniqueMember: uid=fbloggs,ou=people,dc=mycompany,dc=com.. An example.. element for the OpenLDAP directory server configured as described above might look like this, assuming that users use their uid (e.. g.. jjones) to login to the application and that an anonymous connection is sufficient to search the directory and retrieve role information:.. JNDIRealm" debug="99" connectionURL="ldap://localhost:389" userPattern="uid={0},ou=people,dc=mycompany,dc=com" roleBase="ou=groups,dc=mycompany,dc=com" roleName="cn" roleSearch="(uniqueMember={0})" /.. With this configuration, the realm will determine the user's distinguished name by substituting the username into the.. , authenticate by binding to the directory with this DN and the password received from the user, and search the directory to find the user's roles.. Now suppose that users are expected to enter their email address rather than their userid when logging in.. In this case the realm must search the directory for the user's entry.. (A search is also necessary when user entries are held in multiple subtrees corresponding perhaps to different organizational units or company locations).. Further, suppose that in addition to the group entries you want to use an attribute of the user's entry to hold roles.. Now the entry for Janet Jones might read as follows:.. dn: uid=jjones,ou=people,dc=mycompany,dc=com objectClass: inetOrgPerson uid: jjones sn: jones cn: janet jones mail: j.. com memberOf: role2 memberOf: role3 userPassword: janet.. This realm configuration would satisfy the new requirements:.. JNDIRealm" debug="99" connectionURL="ldap://localhost:389" userBase="ou=people,dc=mycompany,dc=com" userSearch="(mail={0})" userRoleName="memberOf" roleBase="ou=groups,dc=mycompany,dc=com" roleName="cn" roleSearch="(uniqueMember={0})" /.. Now when Janet Jones logs in as "j.. com", the realm searches the directory for a unique entry with that value as its mail attribute and attempts to bind to the directory as.. uid=jjones,ou=people,dc=mycompany,dc=com.. with the given password.. If authentication succeeds, she is assigned three roles: "role2" and "role3", the values of the "memberOf" attribute in her directory entry, and "tomcat", the value of the "cn" attribute in the only group entry of which she is a member.. Finally, to authenticate the user by retrieving the password from the directory and making a local comparison in the realm, you might use a realm configuration like this:.. JNDIRealm" debug="99" connectionName="cn=Manager,dc=mycompany,dc=com" connectionPassword="secret" connectionURL="ldap://localhost:389" userPassword="userPassword" userPattern="uid={0},ou=people,dc=mycompany,dc=com" roleBase="ou=groups,dc=mycompany,dc=com" roleName="cn" roleSearch="(uniqueMember={0})" /.. However, as discussed above, the default bind mode for authentication is usually to be preferred.. JNDIRealm operates according to the following rules:.. Thus, any changes you have made to the directory (new users, changed passwords or roles, etc.. Any changes to the directory information for an already authenticated user will.. Administering the information in the directory server is the responsibility of your own applications.. is a simple demonstration implementation of the Tomcat 6.. interface.. It is not designed for production use.. At startup time, MemoryRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from.. Changes to the data in this file are not recognized until Tomcat is restarted.. To configure MemoryRealm, you will create a.. MemoryRealm.. pathname.. Absolute or relative (to $CATALINA_HOME) pathname of the XML document containing our valid usernames, passwords, and roles.. See below for more information on the format of this file.. If not specified, the value.. is used.. User File Format.. The users file (by default,.. must be an XML document, with a root element.. tomcat-users.. Nested inside the root element will be a.. element for each valid user, consisting of the following attributes:.. name.. - Username this user must log on with.. - Password this user must log on with (in clear text if the.. attribute was not set on the.. element, or digested appropriately as described.. otherwise).. - Comma-delimited list of the role names associated with this user.. The default installation of Tomcat 6 is configured with a MemoryRealm nested inside the.. Engine.. element, so that it applies to all virtual hosts and web applications.. The default contents of the.. file is:.. tomcat-users user name="tomcat" password="tomcat" roles="tomcat" / user name="role1" password="tomcat" roles="role1" / user name="both" password="tomcat" roles="tomcat,role1" / /tomcat-users.. MemoryRealm operates according to the following rules:.. When Tomcat first starts up, it loads all defined users and their associated information from the users file.. Changes to the data in this file will.. be recognized until Tomcat is restarted.. Administering the information in the users file is the responsibility of your application.. is an implementation of the Tomcat 4.. interface that authenticates users through the Java Authentication Authorization Service (JAAS) framework, a Java package that is available as an optional package in Java 2 SDK 1.. 3 and is fully integrated as of SDK 1.. 4.. Using JAASRealm gives the developer the ability to combine practically any conceivable security realm with Tomcat's CMA.. JAASRealm is prototype for Tomcat of the proposed JAAS-based J2EE authentication framework for J2EE v1.. 4, based on the.. JCP Specification Request 196.. to enhance container-managed security and promote 'pluggable' authentication mechanisms whose implementations would be container-independent.. Based on the JAAS login module and principal (see.. auth.. spi.. LoginModule.. Principal.. ), you can develop your own security mechanism or wrap another third-party mechanism for integration with the CMA as implemented by Tomcat.. To set up Tomcat to use JAASRealm with your own JAAS login module, you will need to follow these steps:.. Write your own LoginModule, User and Role classes based on JAAS (see.. the JAAS Authentication Tutorial.. the JAAS Login Module Developer's Guide.. ) to be managed by the JAAS Login Context (.. login.. LoginContext.. ) When developing your LoginModule, note that JAASRealm's built-in.. CallbackHandler.. +only recognizes the.. NameCallback.. PasswordCallback.. at present.. Although not specified in JAAS, you should create seperate classes to distinguish between users and roles, extending.. , so that Tomcat can tell which Principals returned from your login module are users and which are roles (see.. JAASRealm.. Regardless, the first Principal returned is.. always.. treated as the user Principal.. Place the compiled classes on Tomcat's classpath.. Set up a login.. config file for Java (see.. JAAS LoginConfig file.. ) and tell Tomcat where to find it by specifying its location to the JVM, for instance by setting the environment variable:.. JAVA_OPTS=-DJAVA_OPTS=-Djava.. config==$CATALINA_HOME/conf/jaas.. config.. Configure your security-constraints in your web.. xml for the resources you want to protect.. Configure the JAASRealm module in your server.. To configure JAASRealm as for step 6 above, you create a.. file within your.. node.. appName.. The name of the application as configured in your login configuration file (.. JAAS LoginConfig.. userClassNames.. A comma-seperated list of the names of the classes that you have made for your user.. Principals.. roleClassNames.. A comma-seperated list of the names of the classes that you have made for your role.. useContextClassLoader.. Instructs JAASRealm to use the context class loader for loading the user-specified.. LoginModule.. class and associated.. Principal.. classes.. The default value is.. , which is backwards-compatible with the way Tomcat 4 works.. To load classes using the container's classloader, specify.. Here is an example of how your server.. xml snippet should look.. JAASRealm" appName="MyFooRealm" userClassNames="org.. foobar.. FooUser" roleClassNames="org.. FooRole" debug="99"/.. It is the responsibility of your login module to create and save User and Role objects representing Principals for the user (.. Subject.. If your login module doesn't create a user object but also doesn't throw a login exception, then the Tomcat CMA will break and you will be left at the http://localhost:8080/myapp/j_security_check URI or at some other unspecified location.. The flexibility of the JAAS approach is two-fold:.. you can carry out whatever processing you require behind the scenes in your own login module.. you can plug in a completely different LoginModule by changing the configuration and restarting the server, without any code changes to your application.. Thus, any changes you have made in the security mechanism directly (new users, changed passwords or roles, etc.. For FORM-based authentication, that means until the session times out or is invalidated; for BASIC authentication, that means until the user closes their browser.. Any changes to the security information for an already authenticated user will.. As with other.. implementations, digested passwords are supported if the.. element in.. contains a.. attribute; JAASRealm's.. will digest the password prior to passing it back to the..

    Original link path: /docs/realm-howto.html
    Open archive

  • Title: Apache Tomcat 6.0 - Security Manager HOW-TO
    Descriptive info: Security Manager HOW-TO.. Background.. The Java.. SecurityManager.. is what allows a web browser to run an applet in its own sandbox to prevent untrusted code from accessing files on the local file system, connecting to a host other than the one the applet was loaded from, and so on.. In the same way the SecurityManager protects you from an untrusted applet running in your browser, use of a SecurityManager while running Tomcat can protect your server from trojan servlets, JSPs, JSP beans, and tag libraries.. Or even inadvertent mistakes.. Imagine if someone who is authorized to publish JSPs on your site inadvertently included the following in their JSP:.. % System.. exit(1); %.. Every time this JSP was executed by Tomcat, Tomcat would exit.. Using the Java SecurityManager is just one more line of defense a system administrator can use to keep the server secure and reliable.. - A security audit have been conducted using the Tomcat 5 codebase.. Most of the critical package have been protected and a new security package protection mechanism has been implemented.. Still, make sure that you are satisfied with your SecurityManager configuration before allowing untrusted users to publish web applications, JSPs, servlets, beans, or tag libraries.. However, running with a SecurityManager is definitely better than running without one.. Permissions.. Permission classes are used to define what Permissions a class loaded by Tomcat will have.. There are a number of Permission classes that are a standard part of the JDK, and you can create your own Permission class for use in your own web applications.. Both techniques are used in Tomcat 6.. Standard Permissions.. This is just a short summary of the standard system SecurityManager Permission classes applicable to Tomcat.. com/security/.. PropertyPermission.. - Controls read/write access to JVM properties such as.. home.. RuntimePermission.. - Controls use of some System/Runtime functions like.. exit().. exec().. Also control the package access/definition.. io.. FilePermission.. - Controls read/write/execute access to files and directories.. SocketPermission.. - Controls use of network sockets.. NetPermission.. - Controls use of multicast network connections.. reflect.. ReflectPermission.. - Controls use of reflection to do class introspection.. SecurityPermission.. - Controls access to Security methods.. AllPermission.. - Allows access to all permissions, just as if you were running Tomcat without a SecurityManager.. Tomcat Custom Permissions.. Tomcat utilizes a custom permission class called.. naming.. JndiPermission.. This permission controls read access to JNDI named file based resources.. The permission name is the JNDI name and there are no actions.. A trailing "*" can be used to do wild card matching for a JNDI named file resource when granting permission.. For example, you might include the following in your policy file:.. permission org.. JndiPermission "jndi://localhost/examples/*";.. A Permission entry like this is generated dynamically for each web application that is deployed, to allow it to read its own static resources but disallow it from using file access to read any other files (unless permissions for those files are explicitly granted).. Also, Tomcat always dynamically creates the following file permission:.. permission java.. FilePermission "** your application context**", "read";.. Where **your application context** equals the folder(or WAR file) under which your application has been deployed.. Configuring Tomcat With A SecurityManager.. Policy File Format.. The security policies implemented by the Java SecurityManager are configured in the.. $CATALINA_HOME/conf/catalina.. policy.. This file completely replaces the.. file present in your JDK system directories.. catalina.. file can be edited by hand, or you can use the.. policytool.. application that comes with Java 1.. 2 or later.. Entries in the.. file use the standard.. file format, as follows:.. // Example policy file entry grant [signedBy signer ,] [codeBase code source ] { permission class [ name [, action list ]]; };.. signedBy.. codeBase.. entries are optional when granting permissions.. Comment lines begin with "//" and end at the end of the current line.. is in the form of a URL, and for a file URL can use the.. ${java.. home}.. ${catalina.. properties (which are expanded out to the directory paths defined for them by  ...   "java.. home", "read"; permission java.. *", "read"; permission java.. PropertyPermission "javax.. *", "read"; // OS Specific properties to allow read access permission java.. PropertyPermission "os.. name", "read"; permission java.. version", "read"; permission java.. arch", "read"; permission java.. PropertyPermission "file.. separator", "read"; permission java.. PropertyPermission "path.. PropertyPermission "line.. separator", "read"; // JVM properties to allow read access permission java.. vendor", "read"; permission java.. vendor.. url", "read"; permission java.. class.. specification.. vm.. name", "read"; // Required for OpenJMX permission java.. RuntimePermission "getAttribute"; // Allow read of JAXP compliant XML parser debug permission java.. PropertyPermission "jaxp.. debug", "read"; // Precompiled JSPs need access to this package.. RuntimePermission "accessClassInPackage.. jasper.. runtime"; permission java.. runtime.. *"; }; // You can assign additional permissions to particular web applications by // adding additional "grant" entries here, based on the code base for that // application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.. // // Different permissions can be granted to JSP pages, classes loaded from // the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ // directory, or even to individual jar files in the /WEB-INF/lib/ directory.. // // For instance, assume that the standard "examples" application // included a JDBC driver that needed to establish a network connection to the // corresponding database and used the scrape taglib to get the weather from // the NOAA web server.. You might create a "grant" entries like this: // // The permissions granted to the context root directory apply to JSP pages.. // grant codeBase "file:${catalina.. home}/webapps/examples/-" { // permission java.. SocketPermission "dbhost.. mycompany.. com:5432", "connect"; // permission java.. SocketPermission "*.. noaa.. gov:80", "connect"; // }; // // The permissions granted to the context WEB-INF/classes directory // grant codeBase "file:${catalina.. home}/webapps/examples/WEB-INF/classes/-" { // }; // // The permission granted to your JDBC driver // grant codeBase "jar:file:${catalina.. jar!/-" { // permission java.. com:5432", "connect"; // }; // The permission granted to the scrape taglib // grant codeBase "jar:file:${catalina.. home}/webapps/examples/WEB-INF/lib/scrape.. gov:80", "connect"; // };.. Starting Tomcat With A SecurityManager.. Once you have configured the.. file for use with a SecurityManager, Tomcat can be started with a SecurityManager in place by using the "-security" option:.. $CATALINA_HOME/bin/catalina.. sh start -security (Unix) %CATALINA_HOME%\bin\catalina start -security (Windows).. Configuring Package Protection in Tomcat.. Starting with Tomcat 5, it is now possible to configure which Tomcat internal package are protected againts package definition and access.. com/security/seccodeguide.. : Be aware that removing the default package protection could possibly open a security hole.. The Default Properties File.. # # List of comma-separated packages that start with or equal this string # will cause a security exception to be thrown when # passed to checkPackageAccess unless the # corresponding RuntimePermission ("accessClassInPackage.. "+package) has # been granted.. package.. access=sun.. ,org.. coyote.. , org.. # # List of comma-separated packages that start with or equal this string # will cause a security exception to be thrown when # passed to checkPackageDefinition unless the # corresponding RuntimePermission ("defineClassInPackage.. # # by default, no packages are restricted for definition, and none of # the class loaders supplied with the JDK call checkPackageDefinition.. # package.. definition=sun.. ,java.. file for use with a SecurityManager, remember to re-start Tomcat.. Troubleshooting.. If your web application attempts to execute an operation that is prohibited by lack of a required Permission, it will throw an.. AccessControLException.. or a.. SecurityException.. when the SecurityManager detects the violation.. Debugging the permission that is missing can be challenging, and one option is to turn on debug output of all security decisions that are made during execution.. This is done by setting a system property before starting Tomcat.. The easiest way to do this is via the.. CATALINA_OPTS.. Execute this command:.. export CATALINA_OPTS=-Djava.. debug=all (Unix) set CATALINA_OPTS=-Djava.. debug=all (Windows).. before starting Tomcat.. - This will generate.. many megabytes.. of output! However, it can help you track down problems by searching for the word "FAILED" and determining which permission was being checked for.. See the Java security documentation for more options that you can specify here as well..

    Original link path: /docs/security-manager-howto.html
    Open archive

  • Archived pages: 164