gmane.comp.jakarta.tomcat.user

Re: Shared data source (Bug 49543)

Robert Anderson — 2012-05-24T15:23:25

Exactly, I had no way of knowing because the documentation of ResourceLink
does not inform these "details". :)

Konstantin was perfect in his description in bugzilla.



On Thu, May 24, 2012 at 12:06 PM, Christopher Schultz <
chris< at >christopherschultz.net> wrote:

Re: memory leak in tomcat

Warren Bell — 2012-05-24T15:22:23

Is this the same server with the Wicket app you posted about earlier ?
If so, you have a Wicket app that is storing the
SessionFactoryObjectFactory on a page as a class member. Wicket stores
each page a user has been to in the user's session. If the page has
class members, then it serializes them and stores them too. I have seen
this kind of thing happen many times before causing big memory usage.

Remove the Wicket app and run the Eclipse Memory Analyzer.

Thanks,

Warren Bell

On 5/24/12 5:42 AM, Konstantin Kolinko wrote:

Re: user switching or application interacting with container based authentication

André Warnier — 2012-05-24T15:20:26

Upon further thinking, of course you would not necessarily need an Apache httpd front-end 
for this, and could do this all within Tomcat.
The container-level authentication comes first, before your webapp is even called.
So that is your Tomcat-level authentication, by company.
Then you could still have some servlet filter (which runs after the container-level 
authentication) to pick up this special POST parameter and do your "application-level" 
authentication.

Re: user switching or application interacting with container based authentication

André Warnier — 2012-05-24T15:15:03

So, if I understand correctly :
- the first level of authentication is, say, by company, and is meant basically to avoid 
some unauthorised people accessing the website of each customer
- the second level of authentication is within this company's dedicated website, and is 
meant to distinguish between different "actors" within that website.
- and within the website, there is an incentive for the actors to use their own id, and 
not someone else's when they do something

As far as the "within the one website" thing is concerned, the other suggestions that you 
have received seem the way to go.  How you really integrate that into each action that 
these people do, I don't know really.
But I would imagine that you could have some kind of applet within your web pages, which 
reads a barcode from a barcode reader, and adds what it has read as a POST parameter, 
before it submits the form to the server.
And then on the server, you pick up this special parameter, and switch the userPrincipal 
on-the-fly, as they say.

As far as the first-level authentication is concerned, here is maybe a bit of lateral 
thinking :
If you put an Apache httpd front-end in front of Tomcat, then you could install some form 
of standard authentication at the Apache httpd level, which protects that website "in 
general" with the "company login".  Then only if that authentication succeeds, you would 
proxy the calls to Tomcat (using mod_jk for instance).  But Tomcat would know nothing 
about this front-end authentication, and would not need to know.
Similarly, Apache httpd would never know - nor need to know - when the user at the Tomcat 
level changes.

I think such a scheme would keep things nicely separated, and simplify the whole design.

Re: memory leak in tomcat

Christopher Schultz — 2012-05-24T15:12:23

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Konstantin,

On 5/24/12 8:42 AM, Konstantin Kolinko wrote:

It may, if the ClassLoader holds references to Class objects (it does)
that contain static members with lots of data (not so sure about this
part).


+1

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk++T9YACgkQ9CaO5/Lv0PAwAQCfZSz67ALyFrRfZaVYs6Tjoee7
Q4UAnA/Q2vIjecxXPEW+BzsN7GeSJQk3
=zQcP
-----END PGP SIGNATURE-----

Re: Shared data source (Bug 49543)

Christopher Schultz — 2012-05-24T15:06:42

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert,

On 5/24/12 10:57 AM, Robert Anderson wrote:

Gotcha: you didn't know that this was an example only relevant to
tomcat-jdbc (not that you should have -- I didn't know, either). I
thought you were already using tomcat-jdbc and I believe the docs
there are accurate.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk++ToIACgkQ9CaO5/Lv0PDFHQCgrXsXmL3C/Cc3a74Lt8ul8Ton
RyQAn0WwW4ZfQVJz3s8pHHh/ulBm7vwX
=XrXd
-----END PGP SIGNATURE-----

RE: maxParameterCount with Tomcat 5.5.23

Haenni, Tia — 2012-05-24T14:59:13

For my Red Hat delivered Tomcat, changes to the connector attribute were ignored. However, I did find a fix that works.

In tomcat5.conf, after all other settings are added to JAVA_OPTS, add the value you desire for max parameter count like this:

# RH KB 100383
# Override default max parameter count of 512
JAVA_OPTS="$JAVA_OPTS -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=10000"

The Red Hat KB article references JBoss run script, but the above works fine for standalone Tomcat.

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale< at >unisys.com] 
Sent: Friday, May 11, 2012 3:51 PM
To: Tomcat Users List
Subject: RE: maxParameterCount with Tomcat 5.5.23



It would be interesting to know who's publishing such garbage.


Not on a Tomcat mangled by Red Hat - you're on your own with that.  If you use a real Tomcat, it will certainly work.

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe< at >tomcat.apache.org
For additional commands, e-mail: users-help< at >tomcat.apache.org

Re: Shared data source (Bug 49543)

Robert Anderson — 2012-05-24T14:57:58

Chris,

Basically, the ResourceLink documentation doesn't say that to enable shared
pool with different credentials:

1) You have to add tomcat-jdbc.jar in Tomcat 6.0 classpath;

2) You have to put the attributes in global resource definition:
factory="org.apache.tomcat.jdbc.pool.DataSourceFactory" and
alternateUsernameAllowed="true".


Cheers,

Robert

On Thu, May 24, 2012 at 11:46 AM, Christopher Schultz <
chris< at >christopherschultz.net> wrote:

Re: Shared data source (Bug 49543)

Christopher Schultz — 2012-05-24T14:46:35

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert,

On 5/24/12 7:50 AM, Robert Anderson wrote:

So, how does your "script" deviate from the Tomcat documentation? It
seems that you followed the docs and now it works. Right?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEUEARECAAYFAk++ScsACgkQ9CaO5/Lv0PAy4ACWNsbvFopO5tY0s0SXCDfnmXEb
7wCfTJA3lvlqkl7hXrAcVB70EREQ7EU=
=ssa2
-----END PGP SIGNATURE-----

Re: user switching or application interacting with container based authentication

Christopher Schultz — 2012-05-24T14:38:48

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris,

On 5/23/12 7:06 PM, chris derham wrote:

NB: ACEGI is now called "Spring Security".

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk++R/gACgkQ9CaO5/Lv0PAgXwCgtJy6H3IQ/zTXXAGE8NTfmYMN
nSEAnjDvGCXJBkvAyP4dTtCNgGq0Bnp/
=xMMQ
-----END PGP SIGNATURE-----

Re: user switching or application interacting with container based authentication

Christopher Schultz — 2012-05-24T14:37:44

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dirk,

On 5/23/12 7:01 PM, dirk ooms wrote:

We use securityfilter for AAA and the user is stored in the session:
you can just replace the user object and boom: you are a new user. We
support "user impersonation" in this way and allows administrators to
masquerade as another user and then go back to their original login.

Switching to securityfilter may not be a great plan for you, though
it's not terribly hard to do. But, its a possibility.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk++R7gACgkQ9CaO5/Lv0PBVSQCePHZUW/l2Ybdcqegu206zfY+g
6rIAniyLbfpW0m96AeietxvHYXysOW7r
=ROLF
-----END PGP SIGNATURE-----

Re: encrypt the database password

Filip Hanik Mailing Lists — 2012-05-24T14:19:56

yes, there is, search http://tomcat.markmail.org for the same
org.apache.tomcat.util.digester.PROPERTY_SOURCE
is a system property where you can add the code that digests properties in server.xml
This code can 'decode' your encoded properties



----- Original Message -----

Re: Shared data source (Bug 49543)

Konstantin Kolinko — 2012-05-24T14:03:20

2012/5/24 Robert Anderson <ranomail< at >gmail.com>:

I added it to Bugzilla.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53289


Thank you. It is good to have a working example.

Best regards,
Konstantin Kolinko

Re: memory leak in tomcat

Konstantin Kolinko — 2012-05-24T12:42:24

2012/5/24 Christian Kaufhold <kaufhold4j< at >googlemail.com>:

So the memory is used for something useful? That is not a "memory
leak". It is just a web application requiring a lot of memory.

WebappClassLoader is the classloader that is used to load the classes
of your webapp.  Of course, it remembers every class that it loaded
(to satisfy repeated class.forName() calls) and every class that it
loads has a reference it it (via getClass().getClassLoader()).

There may be many classes, but I do not think that the classloader
itself is responsible for 300 Mb of memory.


That would be a hibernate question. I have no clue what that class is about.

Best regards,
Konstantin Kolinko

Re: memory leak in tomcat

André Warnier — 2012-05-24T12:38:53


One giant leap in the dark and totally-uneducated guess : due to some logical or 
configuration error, this application creates a new session at each request, and they 
never time out ?

memory leak in tomcat

Christian Kaufhold — 2012-05-24T12:21:33

Hi,

I have a leaking Tomcat App
I checked the heap with the Eclipse Memory Analyser
and it says

The classloader/component *"org.apache.catalina.loader.WebappClassLoader < at >
0x94532f50"*
occupies *376.421.152 (79,51%)* bytes. The memory is accumulated in one
instance of
*"java.util.HashMap$Entry[]"* loaded by *"<system class loader>"*.

and the data that is in the entries of the gigantic Map is
org.hibernate.impl.SessionFactoryObjectFactory

Does anyone know why this?

Christian




**
  Class Name Shallow Heap Retained Heap

   - java.util.HashMap$Entry[64] < at > 0xaa9314c0 <mat://object/0xaa9314c0>

272 339.906.832 [image: \]

   - *table* java.util.HashMap < at > 0xaa931498 <mat://object/0xaa931498>

40 339.906.872 [image: .][image: \]

   - *map* org.hibernate.util.FastHashMap < at > 0x94e4bc98<mat://object/0x94e4bc98>

16 339.906.888 [image: .][image: .][image: \]

   - *INSTANCES* class org.hibernate.impl.SessionFactoryObjectFactory < at >
   0x759319f8 <mat://object/0x759319f8>

24 339.907.088 [image: .][image: .][image: .][image: \]

   - *[1788]* java.lang.Object[5120] < at > 0x95148470 <mat://object/0x95148470>

20.496 375.206.992 [image: .][image: .][image: .][image: .][image: \]

   - *elementData* java.util.Vector < at > 0x94538998 <mat://object/0x94538998>

24 375.207.016 [image: .][image: .][image: .][image: .][image: .][image: \]

   - *classes* org.apache.catalina.loader.WebappClassLoader < at >
0x94532f50<mat://object/0x94532f50>

176 376.421.152 [image: .][image: .][image: .][image: .][image:
.][image: .][image:
+]

   - *contextClassLoader* java.lang.Thread < at > 0x94e1ac60
Thread-10<mat://object/0x94e1ac60>
   *Thread*

112 7.112 [image: .][image: .][image: .][image: .][image: .][image: .][image:
+]

   - *contextClassLoader* de.bfd.tools.ConnectionPool$ConnPoolMultiCaster < at >
   0x94e1ad00 Thread-9 <mat://object/0x94e1ad00> »

136 592 [image: .][image: .][image: .][image: .][image: .][image: .][image:
+]

   - *contextClassLoader* java.lang.Thread < at > 0x9bb7b548
Keep-Alive-Timer<mat://object/0x9bb7b548>»

112 168 [image: .][image: .][image: .][image: .][image: .][image: .][image:
+]

   - *classloader* java.security.ProtectionDomain < at >
0x9453a160<mat://object/0x9453a160>»

Re: Shared data source (Bug 49543)

Robert Anderson — 2012-05-24T11:50:01

Hi,

Now it's working! Follows the script:

1) Tomcat 6.0.35: copy tomcat-jdbc.jar to CATALINA_HOME/lib. Tomcat 7.0.x
is ready.

2)  Create a global resource in CATALINA_HOME/conf/server.xml. Attributes
in bold *MUST *be present:

    <Resource name="jdbc/pgserver" auth="Container"
type="javax.sql.DataSource" removeAbandoned="true"
removeAbandonedTimeout="300"
                                   maxActive="200" maxIdle="10"
maxWait="10000"
                                   validationQuery="select 1"
                                   validationInterval="10000"
                                   testOnBorrow="true"
*
factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"*
                                   driverClassName="org.postgresql.Driver"

url="jdbc:postgresql://localhost:5432/tjse"
                                   username="globaluser"
                                   password="globalpassword"
*                                   alternateUsernameAllowed="true"*

jdbcInterceptors="org.apache.tomcat.jdbc.pool.interceptor.StatementFinalizer"
                                   />


3)  Create a context.xml for apps;

The attribute "name" need not possess the same value of the attribute
"global".

--> CATALINA_HOME/conf/Catalina/localhost/app1.xml (shared connection with
different credential)

<Context>
    <ResourceLink name="jdbc/pgserver"
    global="jdbc/pgserver"
    type="javax.sql.DataSource"
*    factory="org.apache.naming.factory.DataSourceLinkFactory"*
*    username="userapp1"
    password="passwordapp1"*
    />
</Context>

--> CATALINA_HOME/conf/Catalina/localhost/app2.xml (shared connection with
default credential)

<Context>
    <ResourceLink name="jdbc/pgserver"
    global="jdbc/pgserver"
    type="javax.sql.DataSource"
    />
</Context>


4) JSP to test this feature (in both CATALINA_HOME/webapps/app1 and
CATALINA_HOME/webapps/app2):

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<%< at > page session="false" import="javax.naming.*, java.sql.*, javax.sql.*" %>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <title>Test shared data source</title>
</head>
<body>
<%
    Context ctx = null;
    DataSource ds = null;
    Connection c = null;
    Statement stm = null;
    ResultSet rs = null;

    try {

    ctx = new InitialContext();
    ds = (DataSource)ctx.lookup("java:comp/env/jdbc/pgserver");
    c = ds.getConnection();
    stm = c.createStatement();

    rs = stm.executeQuery("select current_user");

    rs.next();

%>
    Current user: <%= rs.getString(1) %><br/>
<%
    } catch (Exception e) {
%>
    Error: <%= e.getMessage() %>
<%
    } finally {
     if (rs!=null) try  { rs.close(); } catch (Exception ignore){}
     if (stm!=null) try  { stm.close(); } catch (Exception ignore){}
     if (c!=null) try { c.close();} catch (Exception ignore){}    }
%>
</body>
</html>


5) App1 output:

Current user: userapp1

6) App2 output:

Current user: globaluser


Thanks and I hope this script can help others with the same problem.


Cheers,

Robert

On Wed, May 23, 2012 at 8:38 PM, Robert Anderson <ranomail< at >gmail.com> wrote:

Re: user switching or application interacting with container based authentication

dirk ooms — 2012-05-24T10:31:02

Andre,

thanks for your thoughts on this. i agree that this issue brings me to
'a loop of increasing contradictions'.  it's probably good to go one
step back and explain the real-life requirement:

we have an application that is used by many small companies, each
company has its own data and can have multiple users (typically 1 to 5).
within a company there is a requirement to switch users in a fast way
(e.g. using a badge or a fingerprint). think of a restaurant having 1
computer and several waiters. we want to trace what is done by which
waiter and there is also an incentive for the waiter to switch users
because his fee will be based on his logged activities.

my reasoning was: i'll keep the standard proven AAA mechanism for the
initial log in, but allow fast user switching within a company where
there is more trust between users (which is security-wise probably a
weak statement). still there is a need for some type of authentication
because the users can have different roles. but this indeed leads to
conflicts between the standard and the proprietary
authentication/authorization mechanism.

my current reasoning is: i need to keep a standard proven AAA mechanism
also for fast user switching. correct? but how do i tackle this given
that we now have form/container-based authentication. do i need a
parallel standard container-based mechanism? what mechanism exists that
allows to authenticate by scanning a barcode (i.e. a single (possibly
long) string)? any pointer/suggestion will be much appreciated.

dirk

Re: Tomcat 7. MX4J

Peter Roßbach — 2012-05-24T10:19:06

HI Vadzim,

as you like a hot HTTP-JMX access use

http://www.jolokia.org/

chili...

Peter

 
Am 23.05.2012 um 00:06 schrieb Vadzim Mikhalenak:

Re: user switching or application interacting with container based authentication

André Warnier — 2012-05-24T07:37:57

Without going into the technique itself, from your description above it looks to me as if 
this is a scenario so different from what a standard AAA mechanism is designed to achieve, 
that you are going to find yourself getting into a loop of increasing contradictions, if 
you try to fit this into the standard authentication mechanisms.
(In other words : you are going to be using code that has been carefully designed and 
perfected to do things well in one scenario, and try to do something else with it.  I 
would expect all kinds of side-effects, and an endless series of patches upon patches to 
avoid them).

Maybe the first question to ask : why do you need the user to be authenticated /to the 
servlet container/ in the first place ? when, and for what, do you use the return values 
of getUserPrincipal() and/or isUserInRole() ? (I mean really, deep down)

If you rethink the above, imagining that the user-id is just a request parameter like any 
other <form> parameter (*), and that Tomcat itself has no knowledge of an authenticated 
user, what breaks down ?



(*) which according to your own explanation above, you are going to have to do at some 
point anyway.

RE: encrypt the database password

Caldarale, Charles R — 2012-05-24T06:12:03


Only if you don't bother to protect access to your Tomcat server.  And if you don't do that, you've got much, much bigger problems than someone discovering the DB password.


It's amazing how often this inept question comes up.  If you encrypt the password in server.xml, how do you expect Tomcat to open data base connections?  Read the FAQ:

http://wiki.apache.org/tomcat/FAQ/Password

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.