Java Mailing List Archive

http://www.junlu.com/

users Digest 19 Mar 2013 19:49:50 -0000 Issue 11302

2013-03-19



Topics (messages 240505 through 240528)

Re: Procrun and Tomcat service/OS shutdown on Windows
 240505 by: Harris, Jeffrey E.
 240506 by: André Warnier

Re: SSL Best Practices
 240507 by: Martin Gainty
 240508 by: Harris, Jeffrey E.
 240509 by: chris derham
 240511 by: Harris, Jeffrey E.
 240512 by: Martin Gainty
 240514 by: Harris, Jeffrey E.
 240515 by: Jeffrey D. Fisher
 240517 by: Harris, Jeffrey E.
 240518 by: Christopher Schultz
 240519 by: Christopher Schultz
 240521 by: Jeffrey D. Fisher
 240522 by: Harris, Jeffrey E.
 240524 by: Mark Thomas

Re: Starting tomcat7w from batch file
 240510 by: Mladen Turk
 240513 by: David kerber
 240516 by: Christopher Schultz

problems faced in deploying servlet
 240520 by: Satya Priya Das
 240523 by: Muralidhar Yaragalla
 240525 by: Leo Donahue - RDSA IT

Re: Deadlock when using jetty 8 JDBCSessionManager and Tomcat 7 JDBC Connector
 240526 by: Colin Ingarfield

Upgrading Tomcat in the customer base
 240527 by: Patrick Flaherty

Tomcat jdbc-pool not closing statements
 240528 by: Bertrand Guay-Paquet

Administrivia:

---------------------------------------------------------------------
To post to the list, e-mail: users@(protected)
To unsubscribe, e-mail: users-digest-unsubscribe@(protected)
For additional commands, e-mail: users-digest-help@(protected)

----------------------------------------------------------------------


Attachment: users_240505.eml (zipped)


> -----Original Message-----
> From: Jeffrey Janner [mailto:Jeffrey.Janner@(protected)]
> Sent: Monday, March 18, 2013 12:27 PM
> To: 'Tomcat Users List'
> Subject: RE: Procrun and Tomcat service/OS shutdown on Windows
>
> > -----Original Message-----
> > From: Harris, Jeffrey E. [mailto:Jeffrey.Harris@(protected)]
> > Sent: Thursday, March 14, 2013 11:52 AM
> > To: Tomcat Users List
> > Subject: RE: Procrun and Tomcat service/OS shutdown on Windows
> >
> > Edit the registry so Tomcat depends on the HSQLDB shutdown. This
> only
> > works if HSQLDB is also started as a service.
> >
> > Edit the service entry in the registry (under
> > HKEY_Local_Machine\system\currentcontrolset\services\<Tomcat Service
> > Name>) so Tomcat depends on HSQLDB. This only works if HSQLDB is
> also
> > started as a service. If HSQLDB is started some other way (i.e., by
> > the Tomcat web app), you can try and install it as a service using
> the
> > srvany utility (or possibly the sc utility).
> >
> > If you can configure Tomcat to be dependent on HSQLDB, this will also
> > force HSQLDB to start before Tomcat.
> >
>
> I just wanted to post a word of warning on depending on this last
> "feature".
> While Windows will start the HSQLDB server before the Tomcat server, it
> doesn't necessarily imply that the DB will be ready for service. As
> soon as the HSQLDB service reports "started", Windows will start the
> next service that's dependent on it. You will want to verify the
> behavior of your database before relying on this feature.
> Spoken as one bitten by trying to do this with Oracle some years back.
> The Oracle DB will report started looong before the recovery process is
> complete and the DB is open for connections.
> Jeff
>
>

Good point!

Jeffrey Harris

This e-mail and any attachments are intended only for the use of the addressee(s) named herein and may contain proprietary information. If you are not the intended recipient of this e-mail or believe that you received this email in error, please take immediate action to notify the sender of the apparent error by reply e-mail; permanently delete the e-mail and any attachments from your computer; and do not disseminate, distribute, use, or copy this message and any attachments.


Attachment: users_240506.eml (zipped)
Harris, Jeffrey E. wrote:
>
>> -----Original Message-----
>> From: Jeffrey Janner [mailto:Jeffrey.Janner@(protected)]
>> Sent: Monday, March 18, 2013 12:27 PM
>> To: 'Tomcat Users List'
>> Subject: RE: Procrun and Tomcat service/OS shutdown on Windows
>>
>>> -----Original Message-----
>>> From: Harris, Jeffrey E. [mailto:Jeffrey.Harris@(protected)]
>>> Sent: Thursday, March 14, 2013 11:52 AM
>>> To: Tomcat Users List
>>> Subject: RE: Procrun and Tomcat service/OS shutdown on Windows
>>>
>>> Edit the registry so Tomcat depends on the HSQLDB shutdown. This
>> only
>>> works if HSQLDB is also started as a service.
>>>
>>> Edit the service entry in the registry (under
>>> HKEY_Local_Machine\system\currentcontrolset\services\<Tomcat Service
>>> Name>) so Tomcat depends on HSQLDB. This only works if HSQLDB is
>> also
>>> started as a service. If HSQLDB is started some other way (i.e., by
>>> the Tomcat web app), you can try and install it as a service using
>> the
>>> srvany utility (or possibly the sc utility).
>>>
>>> If you can configure Tomcat to be dependent on HSQLDB, this will also
>>> force HSQLDB to start before Tomcat.
>>>
>> I just wanted to post a word of warning on depending on this last
>> "feature".
>> While Windows will start the HSQLDB server before the Tomcat server, it
>> doesn't necessarily imply that the DB will be ready for service. As
>> soon as the HSQLDB service reports "started", Windows will start the
>> next service that's dependent on it. You will want to verify the
>> behavior of your database before relying on this feature.
>> Spoken as one bitten by trying to do this with Oracle some years back.
>> The Oracle DB will report started looong before the recovery process is
>> complete and the DB is open for connections.
>> Jeff
>>
>
> Good point!
>

An additional note, maybe:
This may or may not be applicable to Tomcat running as a Service through procrun, but
having written programs in Perl which act as Windows Services, I know that the "service
program" itself can indicate to Windows how long it will take to start it as a service or
stop it as a service. This then conditions Windows (probably the "Windows Service
Manager") to wait that long, before it declares the Service as non-responsive (and, in the
case of a "stop service" signal, starts taking more drastic action).
For example, this impacts the "progress bar" which you see during a "start service" or
"stop service" action in the GUI interaction with Services. If the Service tells Windows
that it needs one full minute to start, then that progress bar will take a minute to reach
100%.
I do not know if procrun currently allows the setting of this kind of parameter. But if
it doesn't, and if this would help you, you could always file an enhancement request.

Note that I do use this in the programs mentioned above, without really understanding how
it works deep down. It is all a bit weird, because it doesn't seem to be 100%
deterministic, and involves a Windows "Event loop" with "messages" between the program and
the Service Manager. But in my case it does work for where I wanted it to work, and I
never dug deeper.




Attachment: users_240507.eml (zipped)
Jeff

do you have a keystore and certificate? If not, go to Verisign and get a CA-trusted PFX...
the cost is worth it and anything you create with a self-signed cert will be broken in less than 5 min

Feel free to Pingback if you have any questions.

Martin




> From: Jeffrey.Janner@(protected)
> To: users@(protected)
> Subject: RE: SSL Best Practices
> Date: Mon, 18 Mar 2013 13:34:44 +0000
>
> > -----Original Message-----
> > From: Jeffrey D. Fisher [mailto:jeff.fisher12237@(protected)]
> > Sent: Friday, March 15, 2013 3:03 PM
> > To: users@(protected)
> > Subject: SSL Best Practices
> >
> > Gentlemen (Ladies):
> >
> >
> >
> > I am looking for a published "best practice" on editing the SERVER.XML
> > configuration file to use SSL/HTTPS. The key are imported into the
> > keystore.
> >
> >
> >
> > Any input is appreciated.
> >
> >
> >
> > Jeff Fisher
> >
> > Omaha, NE
>
> I would start by reading the Tomcat Documentation on the subject.
> It's pretty straightforward.
> Jeff
>
>
>
           

Attachment: users_240508.eml (zipped)


> -----Original Message-----
> From: Martin Gainty [mailto:mgainty@(protected)]
> Sent: Monday, March 18, 2013 6:22 PM
> To: Tomcat Users List
> Subject: RE: SSL Best Practices
>
> Jeff
>
> do you have keystore and certificate..if not go to verisign and get a
> CATrusted pfx...
> the cost is worth it and anything you create with a self-signed cert
> will be broken in less than 5 min
>
> Feel free to Pingback if you have any questions.
>
> Martin
>
>
>
>
> > From: Jeffrey.Janner@(protected)
> > To: users@(protected)
> > Subject: RE: SSL Best Practices
> > Date: Mon, 18 Mar 2013 13:34:44 +0000
> >
> > > -----Original Message-----
> > > From: Jeffrey D. Fisher [mailto:jeff.fisher12237@(protected)]
> > > Sent: Friday, March 15, 2013 3:03 PM
> > > To: users@(protected)
> > > Subject: SSL Best Practices
> > >
> > > Gentlemen (Ladies):
> > >
> > >
> > >
> > > I am looking for a published "best practice" on editing the
> > > SERVER.XML configuration file to use SSL/HTTPS. The key are
> imported
> > > into the keystore.
> > >
> > >
> > >
> > > Any input is appreciated.
> > >
> > >
> > >
> > > Jeff Fisher
> > >
> > > Omaha, NE
> >
> > I would start by reading the Tomcat Documentation on the subject.
> > It's pretty straightforward.
> > Jeff
> >
> >
> >
>

I am not sure what you mean by "anything you create with a self-signed cert
will be broken in less than 5 min". It depends on the purpose and certificate use in his
organization. If his organization already has its own CA and issues its own certificates,
and this will be used only as an internal system, then self-signed certificates issued
by an internal CA are fine.

If the system is only for testing, or communicates with a limited number of systems (i.e.,
it is a firewalled backend system that only communicates with a front-end system), then again,
a self-signed certificate would be fine.

If his organization already uses PKI certificates, then he should follow the rules
established in his organization's Certificate Practice Statement, if it has issued
one.

I do agree that if this is a public facing system, or one in an organization with a large
number of users that does not have its own CA infrastructure, then a commercial certificate
would be the best choice.

Jeffrey Harris



Attachment: users_240509.eml (zipped)
> If the system is only for testing, or communicates with a limited number of systems (i.e.,
> it is a firewalled backend system that only communicates with a front-end system), then again,
> a self-signed certificate would be fine.

+1

> If his organization already uses PKI certificates, then he should follow the rules
> established in his organization's Certificate Practice Statement, if it has issued
> one.
>
> I do agree that if this is a public facing system, or one in an organization with a large
> number of users that does not have its own CA infrastructure, then a commercial certificate
> would be the best choice.

Commercial certificate authorities are actively targeted by hackers,
and when they are broken into, the trust each OS has configured for
such certificates can cause issues. The recent Google SSL certificate
issue shows what happens when things go wrong. If users will access
the site via a browser, then the browser warning will confuse
them/make them used to ignoring security warnings. For applications
communicating with each other, a self-signed certificate will actually
be more secure than a certificate authority issued certificate -
assuming you trust your internal security more than you trust that of
a commercial certificate authority. It all depends on what the
certificate will be used for.

Chris


Attachment: users_240511.eml (zipped)


> -----Original Message-----
> From: cjderham@(protected)
> derham
> Sent: Tuesday, March 19, 2013 1:58 AM
> To: Tomcat Users List
> Subject: Re: SSL Best Practices
>
> > If the system is only for testing, or communicates with a limited
> > number of systems (i.e., it is a firewalled backend system that only
> > communicates with a front-end system), then again, a self-signed
> certificate would be fine.
>
> +1
>
> > I do agree that if this is a public facing system, or one in an
> > organization with a large number of users that does not have its own
> > CA infrastructure, then a commercial certificate would be the best
> choice.
>
> Commercial certificate authorities are actively targeted by hackers,
> and when they are broken into, the trust each os has configured of such
> certificates can cause issues. The recent google ssl certificate issue
> shows what happens when things go wrong. If users will access the site
> via a browser, then the browser warning will confuse them/make them
> used to ignoring security warnings. For applications communicating with
> each other, a self signed certificate will actually be more secure than
> a certificate authority issued certificate - assuming you trust your
> internal security more than you trust that of a commercial certificate
> authority. It all depends on what the certificate will be used for.
>
> Chris
>

What you say is all true, but if the public is accessing the site,
there is no real alternative to a commercial certificate, because there will
be no way to ascertain the trust of the site at all, and as you say users will be
confused by the browser warnings.

Unfortunately, the security of the Internet is dependent on a relative handful
of commercial certificate authorities, several of whom have either been hacked,
or who have not properly vetted requesters for certificates.

Jeffrey Harris



Attachment: users_240512.eml (zipped)

1) Have you ever tried to coerce IE to accept a self-signed cert?
2) If you purchase a PFX with a self-signed certificate sold to you by chris_is_a_hacker.com for 1.00, then who do you think can break it?

The cert allows the browser to contact the site's SSL connector by presenting credentials, usually from a name server such as ADS or LDAP.

The real work involves breaking the algorithm implemented by the key

in order to establish key exchange on an SSLv2 transport.

I sincerely doubt even chris_is_a-hacker can break any of the RSA algorithms implemented by the key inside a verisign.pfx.

'Nuf Said
Martin
Martin
______________________________________________
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorized forwarding or copying is not permitted. This message serves only the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we accept no liability for their content.
This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to inform the sender. Any unauthorized distribution or copying of it is prohibited. This message is for information only and has no legally binding effect. Since e-mails can easily be subject to manipulation, we cannot accept any responsibility for the content provided.




> From: Jeffrey.Harris@(protected)
> To: users@(protected)
> Date: Tue, 19 Mar 2013 06:04:52 -0400
> Subject: RE: SSL Best Practices
>
>
>
> > -----Original Message-----
> > From: cjderham@(protected)
> > derham
> > Sent: Tuesday, March 19, 2013 1:58 AM
> > To: Tomcat Users List
> > Subject: Re: SSL Best Practices
> >
> > > If the system is only for testing, or communicates with a limited
> > > number of systems (i.e., it is a firewalled backend system that only
> > > communicates with a front-end system), then again, a self-signed
> > certificate would be fine.
> >
> > +1
> >
> > > I do agree that if this is a public facing system, or one in an
> > > organization with a large number of users that does not have its own
> > > CA infrastructure, then a commercial certificate would be the best
> > choice.
> >
> > Commercial certificate authorities are actively targeted by hackers,
> > and when they are broken into, the trust each os has configured of such
> > certificates can cause issues. The recent google ssl certificate issue
> > shows what happens when things go wrong. If users will access the site
> > via a browser, then the browser warning will confuse them/make them
> > used to ignoring security warnings. For applications communicating with
> > each other, a self signed certificate will actually be more secure than
> > a certificate authority issued certificate - assuming you trust your
> > internal security more than you trust that of a commercial certificate
> > authority. It all depends on what the certificate will be used for.
> >
> > Chris
> >
>
> What you say is all true, but if the public is accessing the site,
> there is no real alternative to a commercial certificate, because there will
> be no way to ascertain the trust of the site at all, and as you say users will be
> confused by the browser warnings.
>
> Unfortunately, the security of the Internet is dependent on a relatively handful
> of commercial certificate authorities, several of whom have either been hacked,
> or who have not properly vetted requesters for certificates.
>
> Jeffrey Harris
>
>
>
           

Attachment: users_240514.eml (zipped)


> -----Original Message-----
> From: Martin Gainty [mailto:mgainty@(protected)]
> Sent: Tuesday, March 19, 2013 7:35 AM
> To: Tomcat Users List
> Subject: RE: SSL Best Practices
>
>
> 1)Have you ever tried to coerce IE to accept a self-signed cert 2)if
> you purchase a pfx with a self-signed certificate sold to you by
> chris_is_a_hacker.com for 1.00 then who do you think can break it

I use self-signed certificates from my own CA for testing.

>
> The cert allows browser to contact the sites SSL connector..by
> presenting credentials usually from a Name Server such as ADS or LDAP
>

Most certificates are not backed by a name server. The existence of the certificate
is deemed sufficient to provide proof of identity (if issued by a trusted 3rd party,
such as Verisign).

> the real work involves breaking the algorithm implemented by the key
>
> in order to establish Key exchange on a SSLv2 transport
>

The SSLv2 transport is sufficiently broken (or weak) that most SSL-reliant applications
disable it (or recommend in sufficiently strong terms that users disable it).

> I sincerely doubt even chris_is_a-hacker can break any of the RSA
> algorithms implemented by the key inside a versign.pfx

If I am chris_is_a-hacker, I do not need to break anything, because by
providing a PFX file (rather than by submitting a certificate request
and having a certificate issued directly to me), I have a copy of the private
key, and I can impersonate the user or website at will, depending on the kind
of certificate(s) included in the pfx file.

And as for breaking the key algorithm, I do not have to do that at all (even if I did
the right steps in having a certificate properly issued). There are a number of
weaknesses in the SSL protocol itself, and I can attack any of those to mount
a man-in-the-middle attack.

(In any case, I believe we have moved significantly off topic in this discussion.)



Attachment: users_240515.eml (zipped)
Yes, I do have a CA-issued certificate with a chain to a trusted CA. I've
imported it to the keystore. I am close to a solution. When I attempt to
open the default Apache web page using "https:" I get an error page that
says that the server cannot open the page. It opens with "http:" just fine.
I have configured the normal ports i.e. "80" and "443" to redirect to
"8443". The reason for this is that the users having to include the port
numbers (8080 or 8443) would not be acceptable. They need only enter the
DNS name into the browser and DNS does the rest.

I am missing something in the configuration of SERVER.XML, WEB.XML or both
to get the server to answer to an https connection. I cannot find what it
is that I have not done or I have missed!

Any input would be appreciated.

Best...

Jeffrey D. Fisher
Omaha, NE USA

-----Original Message-----
From: Martin Gainty [mailto:mgainty@(protected)]
Sent: Monday, March 18, 2013 5:22 PM
To: Tomcat Users List
Subject: RE: SSL Best Practices

Jeff

do you have keystore and certificate..if not go to verisign and get a
CATrusted pfx...
the cost is worth it and anything you create with a self-signed cert will be
broken in less than 5 min

Feel free to Pingback if you have any questions.

Martin




> From: Jeffrey.Janner@(protected)
> To: users@(protected)
> Subject: RE: SSL Best Practices
> Date: Mon, 18 Mar 2013 13:34:44 +0000
>
> > -----Original Message-----
> > From: Jeffrey D. Fisher [mailto:jeff.fisher12237@(protected)]
> > Sent: Friday, March 15, 2013 3:03 PM
> > To: users@(protected)
> > Subject: SSL Best Practices
> >
> > Gentlemen (Ladies):
> >
> >
> >
> > I am looking for a published "best practice" on editing the
> > SERVER.XML configuration file to use SSL/HTTPS. The key are imported
> > into the keystore.
> >
> >
> >
> > Any input is appreciated.
> >
> >
> >
> > Jeff Fisher
> >
> > Omaha, NE
>
> I would start by reading the Tomcat Documentation on the subject.
> It's pretty straightforward.
> Jeff
>
>
>
           



Attachment: users_240517.eml (zipped)


> -----Original Message-----
> From: Jeffrey D. Fisher [mailto:jeff.fisher12237@(protected)]
> Sent: Tuesday, March 19, 2013 10:34 AM
> To: 'Tomcat Users List'; mgainty@(protected)
> Subject: RE: SSL Best Practices
>
> Yes, I do have a CA-issued certificate with a chain to a trusted CA.
> I've imported it to the keystore. I am close to a solution. When I
> attempt to open the default Apache web page using "https:" I get an
> error page that says that the server cannot open the page. It opens
> with "http:" just fine.
> I have configured the normal ports i.e. "80" and "443" to redirect to
> "8443". The reason for this is that the users having to include the
> port numbers (8080 or 8443) would not be acceptable. They need only
> enter the DNS name into the browser and DNS does the rest.
>
> I am missing something in the configuration of SERVER.XML, WEB.XML or
> both to get the server to answer to an https connection. I cannot find
> what it is that I have not done or I have missed!
>
> Any input would be appreciated.
>
> Best...
>
> Jeffrey D. Fisher
> Omaha, NE USA
>

I ran into this same issue; make sure you have 'secure="true"' in the connector:

<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="7443" SSLEnabled="true"
         maxThreads="150" scheme="https" secure="true" keystorePass="mypassword"
         clientAuth="want" sslProtocol="TLS" keystoreFile=".\conf\myks.jks"
         truststoreFile=".\conf\myts.jks" />

Jeffrey Harris


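The setup Jeff describes (users type only the DNS name, 80 and 443 are forwarded to Tomcat, and the server must answer on HTTPS) needs the HTTPS connector Jeffrey shows plus a matching redirectPort on the plain HTTP connector and a transport guarantee in the web application's web.xml; without the last two, a request that arrives on the plain port is served in the clear instead of being sent to the TLS port. The following is an added example written for this thread, not configuration from the thread or from the Tomcat distribution. The keystore path, password, key alias and port numbers are placeholders, and the forwarding of 80/443 to 8080/8443 is assumed to happen outside Tomcat, as in the thread.

```xml
<!-- File 1: conf/server.xml (Tomcat 7, JSSE connectors). Only the Service
     element is shown; the rest of server.xml stays as shipped. -->
<Service name="Catalina">

  <!-- Plain HTTP. Any request that a security-constraint marks CONFIDENTIAL is
       redirected to redirectPort, so this value must equal the TLS connector's
       port below. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- HTTPS. SSLEnabled turns TLS on for this connector; scheme="https" and
       secure="true" tell Tomcat the connection is already protected, so
       request.isSecure() returns true and the CONFIDENTIAL constraint does not
       redirect again (the redirect loop / "cannot open the page" symptom). -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             maxThreads="150"
             keystoreFile="${catalina.base}/conf/keystore.jks"
             keystorePass="CHANGE_ME_placeholder"
             keyAlias="tomcat"
             clientAuth="false"
             sslProtocol="TLS"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  <!-- keystorePass is stored in clear text here: restrict read access to
       server.xml and the keystore to the account Tomcat runs as. -->

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>

<!-- File 2: WEB-INF/web.xml fragment of the application. CONFIDENTIAL makes
     Tomcat answer every plain-HTTP request for this application with a
     redirect to the HTTPS connector named by redirectPort. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After a restart, a quick check is to request http://host:8080/ and confirm a 302 to https://host:8443/, then request the HTTPS URL directly; if the second step fails while the first works, the keystore path, password or alias is the usual cause, and catalina.out will show the JSSE exception at connector start.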


Attachment: users_240518.eml (zipped)

Martin,

On 3/18/13 6:21 PM, Martin Gainty wrote:
> do you have keystore and certificate..if not go to verisign and get
> a CATrusted pfx...
>
> the cost is worth it and anything you create with a self-signed
> cert will be broken in less than 5 min

Using a "trusted" CA gains you absolutely nothing when it comes to
security through encryption. The only reason to ever use a "trusted"
CA is so that your clients can have some level of trust that your site
is who you say it is. That's why they are called trusted 3rd-parties.

Realistically, even getting a "trusted" CA to sign your certificate
doesn't help: most CAs blindly sign any request they get as long as
you have a couple hundred dollars. At least with "EV" certificates,
the CAs are supposed to verify that you are who you say you are, but
personal experience with a few well-known CAs lets me know that it's
not true research. If you have the cash to pay for the certificate,
you can get an EV certificate *by self-assertion* that you are who you
say you are, which is, of course, contrary to the whole EV scheme.

But, the encryption will work regardless of whether the certificate
has been self-signed. You will not be hacked in 5 minutes (or if you
do, it has nothing to do with whether you signed your own certificate
or not).

Stop spreading FUD.

-chris


Attachment: users_240519.eml (zipped)

Martin,

On 3/19/13 7:34 AM, Martin Gainty wrote:
> 1)Have you ever tried to coerce IE to accept a self-signed cert

This is a trust issue, not a security issue. They are related, but not
equivalent.

> 2)if you purchase a pfx with a self-signed certificate sold to you
> by chris_is_a_hacker.com for 1.00 then who do you think can break
> it

I'm not sure what a PFX is, but the certificate itself is as strong as
the key used to create it. If you generate a 1-bit key, you'll be
hacked in 0 minutes. But nobody does that: we all create 4096-bit keys
which, theoretically, can't be broken even by a well-funded adversary
with unreasonably-limited computing power before the sun gets tired of
shining.

> The cert allows browser to contact the sites SSL connector..by
> presenting credentials usually from a Name Server such as ADS or
> LDAP

Woah, your algorithm has started to bring-in random bits of search
results from the Internet. Time to re-set your learning tree and start
again.

> the real work involves breaking the algorithm implemented by the
> key

Yup. Good luck with RSA and friends.

> in order to establish Key exchange on a SSLv2 transport

Anyone using SSLv2 is vulnerable, which is why it's no longer used.
For a long time, now.

> I sincerely doubt even chris_is_a-hacker can break any of the RSA
> algorithms implemented by the key inside a versign.pfx

While true, it's also true of your own self-signature. Verisign uses a
2048-bit key to sign everything. Most sites these days use 4096-bit
keys (at least those I configure, apache.org, etc.). (Oddly enough,
Facebook uses a 1024-bit key.) If you create a server cert with a
4096-bit key, you are creating a fairly secure certificate no matter
who signs it. And, if you sign it yourself and keep the key secure
(which is kind of impossible unless you are using a different key for
signing than you do for the server's key) then you are doing better
than any CA out there.

Again, the CA is only there to provide a trusted 3rd-party: they have
nothing to do with the security of the connection, the hackability of
the server, etc.

-chris


Attachment: users_240521.eml (zipped)
Could we dispense with the ego-clanking, please? Really? Keep in mind that EVERYONE has the same problem regardless of your IQ level: for everything you know there are three to five things you do not know and at least one that you do not know you do not know. Accept that fact and life gets somewhat clearer. If I had known that this was the normal board-of-faire I would not have subscribed to this.

Jeff Fisher
Omaha, NE

-----Original Message-----
From: Christopher Schultz [mailto:chris@(protected)]
Sent: Tuesday, March 19, 2013 9:52 AM
To: Tomcat Users List
Subject: Re: SSL Best Practices


Martin,

On 3/19/13 7:34 AM, Martin Gainty wrote:
> 1)Have you ever tried to coerce IE to accept a self-signed cert

This is a trust issue, not a security issue. They are related, but not equivalent.

> 2)if you purchase a pfx with a self-signed certificate sold to you by
> chris_is_a_hacker.com for 1.00 then who do you think can break it

I'm not sure what a PFX is, but the certificate itself is as strong as the key used to create it. If you generate a 1-bit key, you'll be hacked in 0 minutes. But nobody does that: we all create 4096-bit keys which, theoretically, can't be broken even by a well-funded adversary with unreasonably-limited computing power before the sun gets tired of shining.

> The cert allows browser to contact the sites SSL connector..by
> presenting credentials usually from a Name Server such as ADS or LDAP

Woah, your algorithm has started to bring-in random bits of search results from the Internet. Time to re-set your learning tree and start again.

> the real work involves breaking the algorithm implemented by the key

Yup. Good luck with RSA and friends.

> in order to establish Key exchange on a SSLv2 transport

Anyone using SSLv2 is vulnerable, which is why it's no longer used.
For a long time, now.

> I sincerely doubt even chris_is_a-hacker can break any of the RSA
> algorithms implemented by the key inside a versign.pfx

While true, it's also true of your own self-signature. Verisign uses a 2048-bit key to sign everything. Most sites these days use 4096-bit keys (at least those I configure, apache.org, etc.). (Oddly enough, Facebook uses a 1024-bit key.) If you create a server cert with a 4096-bit key, you are creating a fairly secure certificate no matter who signs it. And, if you sign it yourself and keep the key secure (which is kind of impossible unless you are using a different key for signing than you do for the server's key) then you are doing better than any CA out there.

Again, the CA is only there to provide a trusted 3rd-party: they have nothing to do with the security of the connection, the hackability of the server, etc.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlFIe4cACgkQ9CaO5/Lv0PBlOQCbBMGVp6wcP9aBJUunxWXNzmNz
YRAAnjrY4vSZSX8KlE7mER287II6l6w9
=ADG9
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)



Attachment: users_240522.eml (zipped)


> -----Original Message-----
> From: Jeffrey D. Fisher [mailto:jeff.fisher12237@(protected)]
> Sent: Tuesday, March 19, 2013 11:28 AM
> To: 'Tomcat Users List'
> Subject: RE: SSL Best Practices
>
> Could we dispense with the ego-clanking, please? Really? Keep in mind
> that EVERYONE has the same problem regardless of your IQ level: for
> everything you know there are three to five things you do not know and
> at least one that you do not know you do not know. Accept that fact
> and life gets somewhat clearer. If I had known that this was the
> normal board-of-faire I would not have subscribed to this.
>
> Jeff Fisher
> Omaha, NE
>
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@(protected)]
> Sent: Tuesday, March 19, 2013 9:52 AM
> To: Tomcat Users List
> Subject: Re: SSL Best Practices
>

I have been a member of this mailing list for a few weeks, and I am
actually surprised by how respectful the posters tend to be, compared
to some technical mailing lists I have subscribed to.

Jeffrey Harris

Attachment: users_240524.eml (zipped)
On 19/03/2013 15:28, Jeffrey D. Fisher wrote:
> Could we dispense with the ego-clanking, please? Really? Keep in
> mind that EVERYONE has the same problem regardless of your IQ level:
> for everything you know there are three to five things you do not
> know and at least one that you do not know you do not know. Accept
> that fact and life gets somewhat clearer. If I had known that this
> was the normal board-of-faire I would not have subscribed to this.

Posts from Martin are somewhat of a special case. If you check the
archives you'll find he has a long history of responding with something
that looks reasonable if you don't know the subject matter but is often
complete and utter nonsense.

To be fair, he does - occasionally - produce a valid, useful response.

Many of us have tried to offer suggestions to Martin as to how he might
improve the quality of his responses. When I tried, I used his answers
from a thread where he was particularly wide of the mark to offer
examples of how he could improve. I was met with hostility and an
insistence that he was right and I was wrong. While I don't always get
things right (and there is plenty of evidence of that in the archives) I
am happy to admit when I get things wrong. This wasn't one of those times.

While most of us simply ignore posts from Martin, someone does sometimes
find it necessary to step in and point out the various errors in his
posts. This is primarily to protect folks searching the archives at some
point in the future wasting their time following some of the more off
the wall suggestions put forward.

If I thought it would actually achieve anything, I'd unsubscribe him
from the mailing list and ban him from re-joining but that is very
likely to turn into a rather pointless game of whack-a-mole as all he'd
have to do is get another gmail address and sign up again.

Mark


Attachment: users_240510.eml (zipped)
On 03/18/2013 03:59 PM, David kerber wrote:
> start "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\bin\tomcat7w.exe" //MS//Small-55009
>

You can also copy/rename tomcat7w.exe to small-55009w.exe and you won't need any params.


Regards
--
^TM


Attachment: users_240513.eml (zipped)
On 3/19/2013 2:04 AM, Mladen Turk wrote:
> On 03/18/2013 03:59 PM, David kerber wrote:
>> start "C:\Program Files (x86)\Apache Software Foundation\Tomcat
>> 7.0\bin\tomcat7w.exe" //MS//Small-55009
>>
>
> You can also copy/rename tomcat7w.exe to small-55009w.exe and you won't
> need any params.

Hmmm. I had forgotten about that option. That would be easy to fit
into my initial configuration script too...

Thanks for the suggestion!



Attachment: users_240516.eml (zipped)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

André,

On 3/18/13 12:03 PM, André Warnier wrote:
> Harris, Jeffrey E. wrote:
>>
>> start "" "D:\Tomcat 7.0\bin\tomcat7w.exe" //MS//Tomcat7
>>
>> See
>> http://stackoverflow.com/questions/154075/using-the-dos-start-command-with-parameters-passed-to-the-started-program
>
>>
> Judging by that thread though, there appears to be as many
> different suggestions as people.. ;-) Windows's CMD shell has so
> many quirks in general, that it is really hard to figure out how it
> will handle a command-line.

Windows CMD.EXE basically does not handle the command-line: each
program handles it by itself, which is why quotes don't always work, etc.

I remember long ago trying to find out how to process wildcards on the
command-line from a C program, and the Borland C compiler actually
came with a library that you would just link-in and it would handle
the wildcard expansion in command-line parameters. It's colossally
stupid to have all client programs handle their own command-line
expansion, but that's what CMD.EXE and its predecessor COMMAND.COM
required. I believe it's a relic of having to operate in a very small
amount of RAM: not every program needs complicated wildcard expansion,
command-line parsing, etc. so the shell was made to be as slim as
possible.

> It`s almost worth installing a Windows bash port just to avoid it.
> Not that I've ever tried it though.

It wouldn't help in this case, because you'd probably still want to
use the "start" program to launch your stuff. Using cygwin and &'ing a
process just means that you have to leave the shell sitting around to
avoid killing it. I'm not sure how a program like "nohup" actually
works on Windows, so I'm not convinced there's a good way to solve
David's problem -- using the "" trick is as good as any hack.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlFId44ACgkQ9CaO5/Lv0PDPFwCeOms0gD2zfzfes+c2KTEtjWpM
rZIAoLjWPCm+M/ByS6saCdcQUfao06qe
=tZzP
-----END PGP SIGNATURE-----


Attachment: users_240520.eml (zipped)
I am a retired software person who worked with Autocoder, COBOL, assembler, and C, and am now trying to learn Java.
I am using Java for the Web with Servlets, JSP, and EJB by Budi Kurniawan, but unfortunately Tomcat v4 has been used in the book for the examples.
Downloading Tomcat 6.0.36 and installing Tomcat has been done successfully. The example in chapter one has been compiled and tested OK. The servlet context example compiled and deployed successfully.
Now the example for RequestDemoServlet has been compiled OK, but when I want to deploy the example
with an index.html file using the action element, the "resource not found" message is displayed. I have used the alias name, the class name, and even a url-mapping, but the result is the same.
A directory myapp has been created, under which the subdirs are build, doc, and web, plus the files build.xml and build.properties. The web.xml file was created as per the book with //DTD Web Application 2.3//EN.
Please guide me on how I can trace the causes of the "resource not found" message.
Thanks
s.p.das

Attachment: users_240523.eml (zipped)
What exactly are you trying to do? What book you are studying and what
examples you are using is not that relevant here. You have written an HTML
file and in the form tag you have configured the "action" attribute, and
still you are facing a problem. Is that it? Or what exactly is your problem? If
possible, paste the log.


On Tue, Mar 19, 2013 at 8:49 PM, Satya Priya Das <am_spdas@(protected):

> I am a retired software person who worked with Autocoder, COBOL, assembler, and C, and
> am now trying to learn Java.
> I am using Java for the Web with Servlets, JSP, and EJB by Budi Kurniawan,
> but unfortunately Tomcat v4 has been used in the book for the examples.
> Downloading Tomcat 6.0.36 and installing Tomcat has been done
> successfully. The example in chapter one has been compiled and tested
> OK. The servlet context example compiled and deployed successfully.
> Now the example for RequestDemoServlet has been compiled OK, but when I
> want to deploy the example
> with an index.html file using the action element, the "resource not found" message is
> displayed. I have used the alias name, the class name, and even a url-mapping, but the result
> is the same.
> A directory myapp has been created, under which the subdirs are build, doc, and web,
> plus the files build.xml and build.properties. The web.xml file was created as per the book
> with //DTD Web Application 2.3//EN.
> Please guide me on how I can trace the causes of the "resource not found" message.
> Thanks
> s.p.das




--
Thanks And Regards,
*Muralidhar Yaragalla.
*

Attachment: users_240525.eml (zipped)
>-----Original Message-----
>From: Satya Priya Das [mailto:am_spdas@(protected)]
>Subject: problems faced in deploying servlet
>
>I am a retired software person who worked with Autocoder, COBOL, assembler, and C, and
>am now trying to learn Java. I am using Java for the Web with Servlets, JSP, and EJB
>by Budi Kurniawan, but unfortunately Tomcat v4 has been used in the
>book for the examples.
>Downloading Tomcat 6.0.36 and installing Tomcat has been done
>successfully. The example in chapter one has been compiled and tested OK. The
>servlet context example compiled and deployed successfully.
>Now the example for RequestDemoServlet has been compiled OK, but when
>I want to deploy the example with an index.html file using the action element, the
>"resource not found" message is displayed. I have used the alias name, the class name,
>and even a url-mapping, but the result is the same.
>A directory myapp has been created, under which the subdirs are build, doc, and web,
>plus the files build.xml and build.properties. The web.xml file was created as per the book with
>//DTD Web Application 2.3//EN. Please guide me on how I can trace the causes of the
>"resource not found" message.
>Thanks
>s.p.das

I looked up your book online using Google Books. I can see on page 31 where your project starts, but it skips the rest of the pages to page 34. I'm guessing this line is your problem:

<FORM ACTION=servlet/ResponseDemoServlet METHOD="POST">

Tomcat 4 had something called the invoker servlet turned on by default, which meant requests were passed through the mapping of: servlet/someservletname.
Tomcat 6 doesn't have that on by default anymore, and you should leave it that way.

All you need to do is update the url-mapping for your form's action to the correct url pattern, based on how you deployed your "myapp" and how you referenced this servlet in your web.xml.

You are likely going to be confused throughout this book if all the examples are based on Tomcat 4. I don't know anyone still putting HTML code in out.println statements. Can you afford to get a newer book on JSP/Servlets? There are also semi-decent websites that have some newer content.

Leo


Attachment: users_240526.eml (zipped)
First of all, thank you for this detailed analysis of the situation.
Based on the bug report I suspected the driver, but it now seems clear
it was (at least part of) the problem.

re: Why was it necessary for the abandoned connection thread to act?
I'm not sure.. I looked into the JDBC Session manager class and it
appeared to be simply reading/deserializing a session from the
database when the deadlock occurred. I would expect that to be a very
fast query -- this is a production system but under very light load.

I looked into the pool configuration and 'removed abandoned timeout'
was 60 seconds. That timeout seems a bit short, but if it takes > 60
sec to load a session from the database then there is a serious
performance issue. I've never observed delays like that in the
application.

My guess at this point is perhaps the db (Amazon RDS/MySql) was
unavailable/very slow/down in some way, causing this connection to be
held beyond the timeout. I don't have great visibility into
performance or outage information for RDS, though I may reach out to DBAs
and try to get it.

Thanks again for your help.

Regards,
Colin

On Mon, Mar 18, 2013 at 6:39 AM, Mark Thomas <markt@(protected):
> On 15/03/2013 21:36, Colin Ingarfield wrote:
>
> Short version:
> Your upgrade to the latest Connector/J will have fixed this particular
> problem.
>
>
> Long version:
>
> <snip/>
>
>>>>> Found one Java-level deadlock: =============================
>
> <snip>
>
> Thread 1:
>
>>>>> Here are the stack traces: Thread 12820: (state = BLOCKED) -
>>>>> com.mysql.jdbc.ConnectionImpl.getCharacterSetMetadata() @bci=0,
>>>>> line=2851 (Compiled frame) -
>>>>> com.mysql.jdbc.Field.getStringFromBytes(int, int) @bci=37,
>>>>> line=717 (Compiled frame) - com.mysql.jdbc.Field.getName() @bci=17,
>>>>> line=631 (Interpreted frame) -
>>>>> com.mysql.jdbc.ResultSetImpl.buildIndexMapping() @bci=78, line=752
>>>>> (Compiled frame) -
>>>>> com.mysql.jdbc.ResultSetImpl.findColumn(java.lang.String) @bci=12,
>>>>> line=1110 (Interpreted frame) -
>>>>> com.mysql.jdbc.ResultSetImpl.getString(java.lang.String) @bci=3,
>>>>> line=5609 (Interpreted frame) -
>>>>> org.eclipse.jetty.server.session.JDBCSessionManager$1.run()
>>>>> @bci=111, line=844 (Interpreted frame) -
>
> <snip/>
>
> Thread 2:
>
>>>>> Thread 890: (state = BLOCKED) -
>>>>> com.mysql.jdbc.ResultSetImpl.realClose(boolean) @bci=0, line=7195
>>>>> (Interpreted frame) - com.mysql.jdbc.ResultSetImpl.close() @bci=2,
>>>>> line=909 (Interpreted frame) -
>>>>> com.mysql.jdbc.StatementImpl.realClose(boolean, boolean) @bci=126,
>>>>> line=2478 (Interpreted frame) -
>>>>> com.mysql.jdbc.PreparedStatement.realClose(boolean, boolean)
>>>>> @bci=71, line=3098 (Interpreted frame) -
>>>>> com.mysql.jdbc.ConnectionImpl.closeAllOpenStatements() @bci=90,
>>>>> line=1628 (Interpreted frame) -
>>>>> com.mysql.jdbc.ConnectionImpl.realClose(boolean, boolean, boolean,
>>>>> java.lang.Throwable) @bci=176, line=4388 (Interpreted frame) -
>>>>> com.mysql.jdbc.ConnectionImpl.close() @bci=32, line=1601
>>>>> (Interpreted frame) -
>>>>> org.apache.tomcat.jdbc.pool.PooledConnection.disconnect(boolean)
>>>>> @bci=47, line=330 (Interpreted frame) -
>
> <snip/>
>
>>>>> Once I dug up these stack traces I started to wonder if the mysql
>>>>> driver was the problem (or contributing to the problem.) I was
>>>>> using Connector/J version 5.1.19 when the deadlock occurred. I
>>>>> found this bug: http://bugs.mysql.com/bug.php?id=61247 which
>>>>> sounds a lot like what appears to have happened. I'm interested in
>>>>> your thoughts on this.
>
> The problem is related to two threads accessing the same connection.
> Given the scenario - the pool spots a potentially abandoned connection
> and tries to close it - I don't view this as unreasonable behaviour by
> the pool since there are no other options available.
>
> The problem is that Thread 1 (above) results in this call order:
> ResultSetImpl.findColumn(java.lang.String) - Syncs on ResultSetImpl
> ...
> ConnectionImpl.getCharacterSetMetadata()   - Syncs on ConnectionImpl
>
> while Thread 2 results in this call order:
> ConnectionImpl.close()        - Syncs on ConnectionImpl
> ...
> ResultSetImpl.realClose(boolean) - Syncs on ResultSetImpl
>
> Two threads obtaining the same locks in a different order will result in
> a deadlock.
>
> I'd view that as a bug in the JDBC driver since - to my mind - "thread
> safe" includes "doesn't deadlock". However, I can see a counter argument
> that goes along the lines of:
> - The deadlock is triggered when the cleaner thread tries to close an
> active connection
> - The cleaner thread is closing abandoned connections
> - The only cause of an abandoned connection is buggy client code
> - Therefore the real root cause is buggy client code
>
>
>>>>> In the meantime I have upgraded to latest Connector/J which
>>>>> includes a fix for this bug. I was running the old driver for
>>>>> months before this deadlock, though, so it will be difficult to
>>>>> know if it fixes the issue or not.
>
> A review of the Connector/J code indicates that this particular deadlock
> has been fixed (all the syncs above now sync on a new connectionMutex
> object). This a) fixes this particular deadlock and b) ensures that
> external code that syncs on a Connection/ResultSet/whatever can't
> interfere and trigger a deadlock.
>
> <snip/>
>
>> My database access code is built on Spring 3's JDBC APIs, so I do not
>> do any explicit connection management in my code. Its Spring's job to
>> get connections and release them, and I assume its JDBC APIs is
>> well-tested. So I don't think my code is the problem here.
>
> I agree but see the counter argument above. If the code accessing the
> database is perfect it shouldn't need to worry about abandoned connections.
>
>> The Jetty session manager is storing HTTP session data in the
>> database, and it does acquire connections directly from the pool. I
>> haven't dug through the Jetty source to see if they are doing anything
>> questionable, tho I did email their user list about this issue.
>
> I don't see anything that jumps out at me but there is the "Why does it
> need to managed abandoned connections?" question.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@(protected)
> For additional commands, e-mail: users-help@(protected)
>


Attachment: users_240527.eml (zipped)
Hi,

We deploy Tomcat in our own folder (c:\rsi_tc\tomcat) on a Windows
machine as a service. We use service.bat to install it
as a service. Historically, to update Tomcat we would remove the
current version and install the new version. There is a rub in all
this, which is that we have to change the service login to an account
that can access files from a network share. Therefore, when
we upgrade Tomcat, we remove the current version and install the new
version, and then someone (the customer :-( ) has to
go into the service and change the service login back to the account
that will give them access to the network share.

I'm looking for a way (if possible) to avoid having the customer
change the service login. I'm looking for suggestions
to make this easier and have the following questions about whether
some of my thoughts to make it easier are safe.

1. Can I *not* uninstall the service and just replace the folder
structure on the file system with the new version? I have tried it
and it seems to work, but I question whether or not it is safe. I
know if a major version changes I cannot do this, as the service
calls tomcat6.exe vs tomcat7.exe, for instance, and therefore I would
have to do the complete uninstall/install.

2. If I do the above, does calling "service.bat install" again
using the *newer* service.bat version make a difference? We are
calling it (the newer service.bat)
and it seems to be harmless, and I thought that it might help in
case something in the batch install changed: we would get the changes.

Bottom line: has anyone faced this dilemma and found a successful way
to upgrade a Tomcat instance that uses a unique service login?

Thanks for any input.
Pat




 


Attachment: users_240528.eml (zipped)
Hello,

I'm using Tomcat 7.0.34 via TomEE 1.5.1 with MySQL. I noticed a memory
leak in my web application which uses jdbc connection pooling with
Tomcat's jdbc-pool.

The com.mysql.jdbc.JDBC4Connection class has a field named
"openStatements" which holds, as you can imagine, open sql statements.
This structure grows continuously over time and no statements are ever
released. I stepped into my code to verify that I closed opened
statements and it is the case.

Digging some more, I downloaded Tomcat's source and it seems that
jdbc-pool discards all calls to java.sql.Statement.close() in
StatementDecoratorInterceptor#invoke(Object proxy, Method method,
Object[] args)

I see what could be a bug in StatementCache#closeInvoked() which is
called by the above method. Here is the code with my own comments added:
@Override
public void closeInvoked() {
  boolean shouldClose = true;
  if (cacheSize.get() < maxCacheSize) {
     // omitted for brevity
  }
  closed = true;
  // [1] I think "delegate = null" is done too soon
  delegate = null;
  if (shouldClose) {
     // check its body below
     super.closeInvoked();
  }
}

// This is super.closeInvoked()
public void closeInvoked() {
  if (getDelegate()!=null) {
     // never true when coming from
     // StatementCache#closeInvoked()
     // because of [1]
     try {
        getDelegate().close();
     }catch (SQLException ignore) {
     }
  }
  closed = true;
  delegate = null;
}

Regards,
Bertrand
