Inhaltsverzeichnis
Apache Tomcat 5
Apache Tomcat ist eine Implementierung der Java Servlet und der JavaServer Pages Technologie. Die Java Servlet und die JavaServer Pages Spezifikationen sind hier Java Community Process beschrieben.
Installation
Für einen erfolgreichen Betrieb eines Apache Tomcat Applications Servers sind folgende Komponenten erforderlich:
- Java Development Kit Sun's JDK.
Eine Beschreibung zur Installation von von Sun's JDK ist ebenfalls in diesem dokuwiki unter installation_von_sun_s_jdk beschrieben.
tomcat5.i386
(tomcat5) - Apache Servlet/JSP Engine, RI for Servlet 2.4/JSP 2.0 APItomcat5-admin-webapps.i386
(tomcat5-admin-webapps) - The administrative web applications for Jakarta Tomcattomcat5-common-lib.i386
(tomcat5-common-lib) - Libraries needed to run the Tomcat Web container (part)tomcat5-jasper.i386
(tomcat5-jasper) - Compiler JARs and associated scripts for tomcat5tomcat5-jsp-2.0-api.i386
(tomcat5-jsp-2.0-api) - Jakarta Tomcat Servlet and JSP implementation classestomcat5-server-lib.i386
(tomcat5-server-lib) - Libraries needed to run the Tomcat Web container (part)tomcat5-servlet-2.4-api.i386
(tomcat5-servlet-2.4-api) - Jakarta Tomcat Servlet implementation classestomcat5-webapps.i386
(tomcat5-webapps) - Web applications for Jakarta Tomcat
Nach einer erfolgreichen Installation der genannten Pakete, kann mit folgendem Befehl die aktuelle Version der Apache Tomcat Installation überprüft werden und sollte in etwa wie nachfolgend dargestellt aussehen:
# service tomcat5 version Server version: Apache Tomcat/5.5.23 Server built: Aug 27 2008 07:11:38 Server number: 5.5.23.0 OS Name: Linux OS Version: 2.6.18-92.1.13.el5 Architecture: i386 JVM Version: 1.6.0_06-b02 JVM Vendor: Sun Microsystems Inc.
Konfiguration
Folgende Konfigurationsdateien sollten mindestens angepasst werden:
/etc/init.d/tomcat5
- Start/Stop usw. -Script für Apache Tomcat/etc/tomcat5/tomcat5.conf
- Haupt-Konfigurationsdatei/etc/tomcat5/server.xml
- Server-Konfiguration (Ports usw.)/etc/tomcat5/tomcat-users.xml
- Benutzerverwaltung
Ab hier werden root
-Rechte zur Ausführung der nachfolgenden Befehle benötigt. Um root
zu werden geben Sie bitte folgenden Befehl ein:
$ su - Password:
/etc/init.d/tomcat5
Die Änderungen betreffen das Start/Stop usw. -Script und dienen der Stabilität.
Falls diese Änderungen nicht vorgenommen werden und die Log-Datei /var/log/tomcat5/catalina.out
nicht mit den entsprechenden Rechten existiert, ist ein Start unmöglich!
Der Standard-Port 8080
wurde auf 8000
abgeändert. Dies hat keine tiefere Bedeutung und soll nur die Möglichkeit einer solchen Änderung demonstrieren!
Es gibt auch noch einige kosmetische Anpassungen (welche vernachlässigt werden könnten).
Die relevanten Änderungen diesbezüglich sind mit einem Kommentar
# Tachtler
versehen.
#!/bin/bash # # tomcat5 This shell script takes care of starting and stopping Tomcat # # chkconfig: - 80 20 # ### BEGIN INIT INFO # Provides: tomcat5 # Required-Start: $network $syslog # Required-Stop: $network $syslog # Default-Start: # Default-Stop: # Description: Release implementation for Servlet 2.4 and JSP 2.0 # Short-Description: start and stop tomcat ### END INIT INFO # # - originally written by Henri Gomez, Keith Irwin, and Nicolas Mailhot # - heavily rewritten by Deepak Bhole and Jason Corley # ############################################################################## # Script-Name : tomcat5 # # Description : This script is normaly placed in /etc/init.d and is the # # standard script for using the standard CentOS tomcat5 # # installation. Modified, because if /var/log/tomcat5/ # # catalina.out doesn't exist, /usr/bin/dtomcat5 failed. # # Modifications see "Tachtler"-Tags. # # Last update : 19.06.2008 # # Version : 1.00 # ############################################################################## ############################################################################## # H I S T O R Y # ############################################################################## # Version : x.xx # # Description : <Description> # # -------------------------------------------------------------------------- # # Version : x.xx # # Description : <Description> # # -------------------------------------------------------------------------- # ############################################################################## # commented out until the RHEL and FC daemon functions converge # Source the function library if [ -r "/etc/rc.d/init.d/functions" ]; then . /etc/rc.d/init.d/functions fi NAME="$(basename $0)" unset ISBOOT if [ "${NAME:0:1}" = "S" -o "${NAME:0:1}" = "K" ]; then NAME="${NAME:3}" ISBOOT="1" fi # For SELinux we need to use 'runuser' not 'su' if [ -x "/sbin/runuser" ]; then SU="/sbin/runuser" else SU="su" fi # Get the tomcat config (use this for environment specific settings) TOMCAT_CFG="/etc/tomcat5/tomcat5.conf" if [ -r "$TOMCAT_CFG" ]; then . ${TOMCAT_CFG} fi # Get instance specific config file if [ -r "/etc/sysconfig/${NAME}" ]; then . /etc/sysconfig/${NAME} fi # Define which connector port to use # Tachtler # default: CONNECTOR_PORT="${CONNECTOR_PORT:-8080}" CONNECTOR_PORT="${CONNECTOR_PORT:-8000}" # Path to the tomcat launch script TOMCAT_SCRIPT="/usr/bin/dtomcat5" # Path to the script that will refresh jar symlinks on startup TOMCAT_RELINK_SCRIPT="${CATALINA_HOME}/bin/relink" # Tomcat program name TOMCAT_PROG="$NAME" # Define the tomcat username TOMCAT_USER="${TOMCAT_USER:-tomcat}" # Define the tomcat log file TOMCAT_LOG="${TOMCAT_LOG:-/var/log/tomcat5/catalina.out}" RETVAL="0" # remove when the RHEL and FC daemon functions converge # (pulled from /etc/rc.d/init.d/functions) # function checkpid() { # local i # for i in $* ; do # if [ -d "/proc/${i}" ]; then # return 0 # fi # done # return 1 # } # remove when the RHEL and FC daemon functions converge # (pulled from /etc/rc.d/init.d/functions) # function echo_failure() { # echo -en "\\033[60G" # echo -n "[ " # echo -n $"FAILED" # echo -n " ]" # echo -ne "\r" # return 1 # } # remove when the RHEL and FC daemon functions converge # (pulled from /etc/rc.d/init.d/functions) # function echo_success() { # echo -en "\\033[60G" # echo -n "[ " # echo -n $"OK" # echo -n " ]" # echo -ne "\r" # return 0 # } # Look for open ports, as the function name might imply function findFreePorts() { local isSet1="false" local isSet2="false" local isSet3="false" local lower="8000" randomPort1="0" randomPort2="0" randomPort3="0" local -a listeners="( $( netstat -ntl | \ awk '/^tcp/ {gsub("(.)*:", "", $4); print $4}' ) )" while [ "$isSet1" = "false" ] || \ [ "$isSet2" = "false" ] || \ [ "$isSet3" = "false" ]; do let port="${lower}+${RANDOM:0:4}" if [ -z `expr " ${listeners[*]} " : ".*\( $port \).*"` ]; then if [ "$isSet1" = "false" ]; then export randomPort1="$port" isSet1="true" elif [ "$isSet2" = "false" ]; then export randomPort2="$port" isSet2="true" elif [ "$isSet3" = "false" ]; then export randomPort3="$port" isSet3="true" fi fi done } function makeHomeDir() { if [ ! -d "$CATALINA_HOME" ]; then echo "$CATALINA_HOME does not exist, creating" if [ ! -d "/var/lib/${NAME}" ]; then mkdir -p /var/lib/${NAME} cp -pLR /var/lib/tomcat5/* /var/lib/${NAME} fi mkdir -p $CATALINA_HOME ${CATALINA_HOME}/conf /var/cache/${NAME}/temp \ /var/cache/${NAME}/work /var/log/${NAME} for i in temp work; do ln -fs /var/cache/${NAME}/${i} ${CATALINA_HOME}/${i} done for i in common server shared webapps; do ln -fs /var/lib/${NAME}/${i} ${CATALINA_HOME}/${i} done ln -fs /var/log/${NAME} ${CATALINA_HOME}/logs cp -pLR /etc/tomcat5/* ${CATALINA_HOME}/conf/ cp -pLR /usr/share/tomcat5/bin $CATALINA_HOME cp -pLR /var/cache/tomcat5/work/* ${CATALINA_HOME}/work/ chown ${TOMCAT_USER}:${TOMCAT_USER} /var/log/${NAME} fi } # Tachtler function makeLogFile() { if [ ! -e "${TOMCAT_LOG}" ]; then echo "${TOMCAT_LOG} does not exist, creating" touch ${TOMCAT_LOG} chown ${TOMCAT_USER}:${TOMCAT_USER} ${TOMCAT_LOG} fi } function parseOptions() { options="" options="$options $( awk '!/^#/ && !/^$/ { ORS=" "; print "export ", $0, ";" }' \ $TOMCAT_CFG )" if [ -r "/etc/sysconfig/${NAME}" ]; then options="$options $( awk '!/^#/ && !/^$/ { ORS=" "; print "export ", $0, ";" }' \ /etc/sysconfig/${NAME} )" fi TOMCAT_SCRIPT="$options $TOMCAT_SCRIPT" } # See how we were called. function start() { echo -n "Starting ${TOMCAT_PROG}: " if [ -f "/var/lock/subsys/${NAME}" ] ; then if [ -f "/var/run/${NAME}.pid" ]; then read kpid < /var/run/${NAME}.pid if checkpid $kpid 2>&1; then echo "$NAME process already running" return -1 else echo "lock file found but no process running for" echo "pid $kpid, continuing" fi fi fi export CATALINA_PID="/var/run/${NAME}.pid" touch $CATALINA_PID chown ${TOMCAT_USER}:${TOMCAT_USER} $CATALINA_PID # Tachtler - run # Create a log file catalina.log if it doesn't exist makeLogFile # Tachtler - end if [ "$CATALINA_HOME" != "/usr/share/tomcat5" ]; then # Create a tomcat directory if it doesn't exist makeHomeDir # If CATALINA_HOME doesn't exist modify port number so that # multiple instances don't interfere with each other findFreePorts # Tachtler # default: sed -i -e "s/8005/${randomPort1}/g" -e "s/8080/${CONNECTOR_PORT}/g" \ sed -i -e "s/8005/${randomPort1}/g" -e "s/8000/${CONNECTOR_PORT}/g" \ -e "s/8009/${randomPort2}/g" -e "s/8443/${randomPort3}/g" \ ${CATALINA_HOME}/conf/server.xml fi $TOMCAT_RELINK_SCRIPT $SU - $TOMCAT_USER -c "$TOMCAT_SCRIPT start" >> $TOMCAT_LOG 2>&1 RETVAL="$?" if [ "$RETVAL" -eq 0 ]; then echo_success touch /var/lock/subsys/${NAME} else echo_failure fi echo return $RETVAL } function status() { RETVAL="1" if [ -f "/var/run/${NAME}.pid" ]; then read kpid < /var/run/${NAME}.pid if checkpid $kpid 2>&1; then echo "$0 is already running (${kpid})" RETVAL="0" else echo "lock file found but no process running for pid $kpid" fi else pid="$(pgrep -u tomcat java)" if [ -n "$pid" ]; then echo "$0 running (${pid}) but no PID file exists" RETVAL="0" else echo "$0 is stopped" fi fi return $RETVAL } function stop() { local STOP_VERBOSE="false" echo -n "Stopping $TOMCAT_PROG: " if [ -f "/var/lock/subsys/${NAME}" ]; then $SU - $TOMCAT_USER -c "$TOMCAT_SCRIPT stop" >> $TOMCAT_LOG 2>&1 RETVAL="$?" if [ "$RETVAL" -eq "0" ]; then count="0" if [ -f "/var/run/${NAME}.pid" ]; then read kpid < /var/run/${NAME}.pid until [ "$(ps --pid $kpid | grep -c $kpid)" -eq "0" ] || \ [ "$count" -gt "$SHUTDOWN_WAIT" ]; do if [ "$STOP_VERBOSE" = "true" ]; then echo -n -e "\nwaiting for processes $kpid to exit" fi sleep 1 let count="${count}+1" done if [ "$count" -gt "$SHUTDOWN_WAIT" ]; then if [ "$STOP_VERBOSE" = "true" ]; then echo -n -e "\nkilling processes which didn't stop" echo -n -e "after " echo -n "$SHUTDOWN_WAIT seconds" fi kill -9 $kpid fi echo_success if [ "$count" -gt "0" ]; then echo -n -e "\n" fi fi rm -f /var/lock/subsys/$NAME /var/run/$NAME.pid else echo_failure fi fi } # See how we were called. case "$1" in start) parseOptions start ;; stop) parseOptions stop ;; restart) parseOptions stop sleep 2 start ;; condrestart) if [ -f "/var/run/${NAME}.pid" ]; then parseOptions stop start fi ;; status) status ;; version) parseOptions "${JAVA_HOME}/bin/java" \ -classpath "${CATALINA_HOME}/server/lib/catalina.jar" \ org.apache.catalina.util.ServerInfo ;; *) echo "Usage: $TOMCAT_PROG {start|stop|restart|condrestart|status|version}" exit 1 esac exit $RETVAL
/etc/tomcat5/tomcat5.conf
Die Änderungen betreffen den Standard-Port 8080
welcher auf 8000
abgeändert wurde. Dies hat wie schon erwähnt keine tiefere Bedeutung und soll nur die Möglichkeit einer solchen Änderung demonstrieren!
Es gibt auch noch einige kosmetische Anpassungen (welche vernachlässigt werden könnten).
Die relevanten Änderungen diesbezüglich sind mit einem Kommentar
# Tachtler
versehen.
# tomcat5 service configuration file # you could also override JAVA_HOME here # Where your java installation lives JAVA_HOME="/usr/lib/jvm/java" # Where your tomcat installation lives # That change from previous RPM where TOMCAT_HOME # used to be /var/tomcat. # Now /var/tomcat will be the base for webapps only CATALINA_HOME="/usr/share/tomcat5" JASPER_HOME="/usr/share/tomcat5" CATALINA_TMPDIR="/usr/share/tomcat5/temp" JAVA_ENDORSED_DIRS="/usr/share/tomcat5/common/endorsed" # You can pass some parameters to java # here if you wish to #JAVA_OPTS="-Xminf0.1 -Xmaxf0.3" # Use JAVA_OPTS to set java.library.path for libtcnative.so # Tachtler # default: #JAVA_OPTS="-Djava.library.path=/usr/lib" JAVA_OPTS="-Djava.library.path=/usr/lib" # Bug 190: # https://www.jpackage.org/bugzilla/show_bug.cgi?id=190 # System property catalina.ext.dirs should be set to its default value # for ExtensionValidator to be functional. JAVA_OPTS="$JAVA_OPTS -Dcatalina.ext.dirs=$CATALINA_HOME/shared/lib:$CATALINA_HOME/common/lib" # What user should run tomcat TOMCAT_USER="tomcat" # You can change your tomcat locale here #LANG=en_US # Time to wait in seconds, before killing process SHUTDOWN_WAIT=30 # Set the TOMCAT_PID location CATALINA_PID=/var/run/tomcat5.pid # Connector port is 8080 for this tomcat5 instance # Tachtler # default: CONNECTOR_PORT=8080 CONNECTOR_PORT=8000 # If you wish to further customize your tomcat environment, # put your own definitions here # (i.e. LD_LIBRARY_PATH for some jdbc drivers) # Just do not forget to export them :)
/etc/tomcat5/server.xml
Die Änderungen betreffen den Standard-Port 8080
welcher auf 8000
abgeändert wurde. Dies hat wie schon erwähnt keine tiefere Bedeutung und soll nur die Möglichkeit einer solchen Änderung demonstrieren!
WICHTIG Der Apache Tomcat horcht nur auf die IP-Adress 127.0.0.1
.
Die relevanten Änderungen diesbezüglich sind mit einem Kommentar
<!-- Tachtler -->
versehen.
<!-- Example Server Configuration File --> <!-- Note that component elements are nested corresponding to their parent-child relationships with each other --> <!-- A "Server" is a singleton element that represents the entire JVM, which may contain one or more "Service" instances. The Server listens for a shutdown command on the indicated port. Note: A "Server" is not itself a "Container", so you may not define subcomponents such as "Valves" or "Loggers" at this level. --> <!-- Tachtler --> <!-- default: <Server port="8005" shutdown="SHUTDOWN"> --> <Server port="8005" shutdown="SHUTDOWN" address="127.0.0.1"> <!-- Comment these entries out to disable JMX MBeans support used for the administration web application --> <Listener className="org.apache.catalina.core.AprLifecycleListener" /> <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" /> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/> <!-- Global JNDI resources --> <GlobalNamingResources> <!-- Test entry for demonstration purposes --> <Environment name="simpleValue" type="java.lang.Integer" value="30"/> <!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users --> <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" /> </GlobalNamingResources> <!-- A "Service" is a collection of one or more "Connectors" that share a single "Container" (and therefore the web applications visible within that Container). Normally, that Container is an "Engine", but this is not required. Note: A "Service" is not itself a "Container", so you may not define subcomponents such as "Valves" or "Loggers" at this level. --> <!-- Define the Tomcat Stand-Alone Service --> <Service name="Catalina"> <!-- A "Connector" represents an endpoint by which requests are received and responses are returned. Each Connector passes requests on to the associated "Container" (normally an Engine) for processing. By default, a non-SSL HTTP/1.1 Connector is established on port 8080. You can also enable an SSL HTTP/1.1 Connector on port 8443 by following the instructions below and uncommenting the second Connector entry. SSL support requires the following steps (see the SSL Config HOWTO in the Tomcat 5 documentation bundle for more detailed instructions): * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or later, and put the JAR files into "$JAVA_HOME/jre/lib/ext". * Execute: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows) $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix) with a password value of "changeit" for both the certificate and the keystore itself. By default, DNS lookups are enabled when a web application calls request.getRemoteHost(). This can have an adverse impact on performance, so you can disable it by setting the "enableLookups" attribute to "false". When DNS lookups are disabled, request.getRemoteHost() will return the String version of the IP address of the remote client. --> <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> <!-- Tachtler --> <!-- default: <Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" /> --> <Connector port="8000" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" antiJARLocking="true" address="127.0.0.1" /> <!-- Note : To disable connection timeouts, set connectionTimeout value to 0 --> <!-- Note : To use gzip compression you could set the following properties : compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml" --> <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> <!-- <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> --> <!-- Define an AJP 1.3 Connector on port 8009 --> <!-- Tachtler --> <!-- default: <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" /> --> <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" address="127.0.0.1" /> <!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> <!-- See proxy documentation for more information about using this. --> <!-- <Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" acceptCount="100" connectionTimeout="20000" proxyPort="80" disableUploadTimeout="true" /> --> <!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them on to the appropriate Host (virtual host). --> <!-- You should set jvmRoute to support load-balancing via AJP ie : <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1"> --> <!-- Define the top level container in our container hierarchy --> <Engine name="Catalina" defaultHost="localhost"> <!-- The request dumper valve dumps useful debugging information about the request headers and cookies that were received, and the response headers and cookies that were sent, for all requests received by this instance of Tomcat. If you care only about requests to a particular virtual host, or a particular application, nest this element inside the corresponding <Host> or <Context> entry instead. For a similar mechanism that is portable to all Servlet 2.4 containers, check out the "RequestDumperFilter" Filter in the example application (the source for this filter may be found in "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters"). Note that this Valve uses the platform's default character encoding. This may cause problems for developers in another encoding, e.g. UTF-8. Use the RequestDumperFilter instead. Also note that enabling this Valve will write a ton of stuff to your logs. They are likely to grow quite large. This extensive log writing will definitely slow down your server. Request dumping is disabled by default. Uncomment the following element to enable it. --> <!-- <Valve className="org.apache.catalina.valves.RequestDumperValve"/> --> <!-- Because this Realm is here, an instance will be shared globally --> <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. --> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> <!-- Comment out the old realm but leave here for now in case we need to go back quickly --> <!-- <Realm className="org.apache.catalina.realm.MemoryRealm" /> --> <!-- Replace the above Realm with one of the following to get a Realm stored in a database and accessed via JDBC --> <!-- <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://localhost/authority" connectionName="test" connectionPassword="test" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" /> --> <!-- <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="oracle.jdbc.driver.OracleDriver" connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL" connectionName="scott" connectionPassword="tiger" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" /> --> <!-- <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="sun.jdbc.odbc.JdbcOdbcDriver" connectionURL="jdbc:odbc:CATALINA" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" /> --> <!-- Define the default virtual host Note: XML Schema validation will not work with Xerces 2.2. --> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"> <!-- Defines a cluster for this node, By defining this element, means that every manager will be changed. So when running a cluster, only make sure that you have webapps in there that need to be clustered and remove the other ones. A cluster has the following parameters: className = the fully qualified name of the cluster class clusterName = a descriptive name for your cluster, can be anything mcastAddr = the multicast address, has to be the same for all the nodes mcastPort = the multicast port, has to be the same for all the nodes mcastBindAddress = bind the multicast socket to a specific address mcastTTL = the multicast TTL if you want to limit your broadcast mcastSoTimeout = the multicast readtimeout mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes tcpListenAddress = the listen address (bind address) for TCP cluster request on this host, in case of multiple ethernet cards. auto means that address becomes InetAddress.getLocalHost().getHostAddress() tcpListenPort = the tcp listen port tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS has a wakup bug in java.nio. Set to 0 for no timeout printToScreen = true means that managers will also print to std.out expireSessionsOnShutdown = true means that useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called. false means to replicate the session after each request. false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager) <% HashMap map = (HashMap)session.getAttribute("map"); map.put("key","value"); %> replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'. * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication. * Synchronous means that the thread that executes the request, is also the thread the replicates the data to the other nodes, and will not return until all nodes have received the information. * Asynchronous means that there is a specific 'sender' thread for each cluster node, so the request thread will queue the replication request into a "smart" queue, and then return to the client. The "smart" queue is a queue where when a session is added to the queue, and the same session already exists in the queue from a previous request, that session will be replaced in the queue instead of replicating two requests. This almost never happens, unless there is a large network delay. --> <!-- When configuring for clustering, you also add in a valve to catch all the requests coming in, at the end of the request, the session may or may not be replicated. A session is replicated if and only if all the conditions are met: 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND 2. a session exists (has been created) 3. the request is not trapped by the "filter" attribute The filter attribute is to filter out requests that could not modify the session, hence we don't replicate the session after the end of this request. The filter is negative, ie, anything you put in the filter, you mean to filter out, ie, no replication will be done on requests that match one of the filters. The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to. filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI ending with .gif and .js are intercepted. The deployer element can be used to deploy apps cluster wide. Currently the deployment only deploys/undeploys to working members in the cluster so no WARs are copied upons startup of a broken node. The deployer watches a directory (watchDir) for WAR files when watchEnabled="true" When a new war file is added the war gets deployed to the local instance, and then deployed to the other instances in the cluster. When a war file is deleted from the watchDir the war is undeployed locally and cluster wide --> <!-- <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster" managerClassName="org.apache.catalina.cluster.session.DeltaManager" expireSessionsOnShutdown="false" useDirtyFlag="true" notifyListenersOnReplication="true"> <Membership className="org.apache.catalina.cluster.mcast.McastService" mcastAddr="228.0.0.4" mcastPort="45564" mcastFrequency="500" mcastDropTime="3000"/> <Receiver className="org.apache.catalina.cluster.tcp.ReplicationListener" tcpListenAddress="auto" tcpListenPort="4001" tcpSelectorTimeout="100" tcpThreadCount="6"/> <Sender className="org.apache.catalina.cluster.tcp.ReplicationTransmitter" replicationMode="pooled" ackTimeout="15000" waitForAck="true"/> <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve" filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/> <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer" tempDir="/tmp/war-temp/" deployDir="/tmp/war-deploy/" watchDir="/tmp/war-listen/" watchEnabled="false"/> <ClusterListener className="org.apache.catalina.cluster.session.ClusterSessionListener"/> </Cluster> --> <!-- Normally, users must authenticate themselves to each web app individually. Uncomment the following entry if you would like a user to be authenticated the first time they encounter a resource protected by a security constraint, and then have that user identity maintained across *all* web applications contained in this virtual host. --> <!-- <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> --> <!-- Access log processes all requests for this virtual host. By default, log files are created in the "logs" directory relative to $CATALINA_HOME. If you wish, you can specify a different directory with the "directory" attribute. Specify either a relative (to $CATALINA_HOME) or absolute path to the desired directory. --> <!-- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> --> <!-- Access log processes all requests for this virtual host. By default, log files are created in the "logs" directory relative to $CATALINA_HOME. If you wish, you can specify a different directory with the "directory" attribute. Specify either a relative (to $CATALINA_HOME) or absolute path to the desired directory. This access log implementation is optimized for maximum performance, but is hardcoded to support only the "common" and "combined" patterns. --> <!-- <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> --> </Host> </Engine> </Service> </Server>
Zugriffs-Log aktivieren
Um ein Zugriffs-Log zu aktivieren sind nachfolgende Zeilen in der /usr/share/tomcat5/conf/server.xml
notwendig (nur relevanter Ausschnitt):
... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> --> <!-- Tachtler --> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="${catalina.base}/logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u "%t" "%r" %s %b %D %S" resolveHost="false" /> ...
Die Ausgabe erfolgt hier in der LOG-Datei /var/log/tomcat/localhost_access_log.2010-07-14.txt
und sieht in etwa wie folgt aus:
79.228.208.100 - - [14/Jul/2010:10:16:40 +0200] "GET /index.jsp HTTP/1.1" 200 574 79.228.208.100 - - [14/Jul/2010:10:16:40 +0200] "GET /start.do HTTP/1.1" 200 21787
/etc/tomcat5/tomcat-users.xml
Um die tomcat5-admin-webapps.i386
erfolgreich betreiben zu können, ist die Anmeldung als admin
bzw. und manager
erforderlich. Da in der Konfiguratiosndatei /etc/tomcat5/tomcat-users.xml
aber weder eine Rolle admin
noch eine Rolle manager
enthalten ist, muss die Originalkonfiguration wie nachfolgend dargestellt:
<?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="tomcat"/> <role rolename="role1"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="role1" password="tomcat" roles="role1"/> <user username="both" password="tomcat" roles="tomcat,role1"/> </tomcat-users>
folgendermaßen angepasst werden:
<?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager"/> <role rolename="tomcat"/> <role rolename="admin"/> <role rolename="role1"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="admin" password="geheim" roles="admin,manager"/> <user username="role1" password="tomcat" roles="role1"/> </tomcat-users>
Mit nachfolgendem Befehl, kann ein password=
auch verschlüsselt werden. Das dazu benötigte Script bringt der Apache Tomcat leider erst ab Version 6 mit und befindet sich im bin
-Verzeichnis des Apache Tomcat.
Der Aufruf des Befehls ist wie folgt zu realisieren:
# <Pfad zu Tomcat-Installation>/bin/digest.sh -a SHA geheim geheim:906072001efddf3e11e6d2b5782f4777fe038739
Anschließend könnte die Konfigurationsdatei /etc/tomcat5/tomcat-users.xml
auch wie nachfolgend dargestellt aussehen:
<?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager"/> <role rolename="tomcat"/> <role rolename="admin"/> <role rolename="role1"/> <user username="tomcat" password="536c0b339345616c1b33caf454454d8b8a190d6c" roles="tomcat"/> <user username="both" password="536c0b339345616c1b33caf454454d8b8a190d6c" roles="tomcat,role1"/> <user username="admin" password="906072001efddf3e11e6d2b5782f4777fe038739" roles="admin,manager"/> <user username="role1" password="536c0b339345616c1b33caf454454d8b8a190d6c" roles="role1"/> </tomcat-users>
Starten des Apache Tomcat
Um den Apache Tomcat zu starten kann folgender Befehl angewandt werden:
# service tomcat5 start Starting tomcat5: [ OK ]
Um den Apache Tomcat zu stoppen kann folgender Befehl angewandt werden:
# service tomcat5 stop Stopping tomcat5: [ OK ]
Eine Überprüfung ob der Start des Apache Tomcat erfolgreich war kann mit folgendem Befehl durchgeführt werden, welcher nachfolgende Ausgabe erzeugen sollte:
# netstat -tulpen Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN 91 196641 13651/java tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 91 196650 13651/java tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 91 196646 13651/java
Die Ausgabe in der Log-Datei, hier /var/log/tomcat5/catalina.log
sollte folgendermaßen aussehen:
Using CATALINA_BASE: /usr/share/tomcat5 Using CATALINA_HOME: /usr/share/tomcat5 Using CATALINA_TMPDIR: /usr/share/tomcat5/temp Using JRE_HOME: Oct 20, 2008 11:42:24 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/jdk1.6.0_06/jre/lib/i386/client:/usr/java/jdk1.6.0_06/jre/lib /i386:/usr/java/jdk1.6.0_06/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib Oct 20, 2008 11:42:25 PM org.apache.coyote.http11.Http11BaseProtocol init INFO: Initializing Coyote HTTP/1.1 on http-127.0.0.1-8000 Oct 20, 2008 11:42:25 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 1994 ms Oct 20, 2008 11:42:25 PM org.apache.catalina.core.StandardService start INFO: Starting service Catalina Oct 20, 2008 11:42:25 PM org.apache.catalina.core.StandardEngine start INFO: Starting Servlet Engine: Apache Tomcat/5.5.23 Oct 20, 2008 11:42:25 PM org.apache.catalina.core.StandardHost start INFO: XML validation disabled Oct 20, 2008 11:42:27 PM org.apache.catalina.core.ApplicationContext log INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cn n.com], [org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com], [org.apache.webapp.balancer.rules.AcceptEvery thingRule: Redirect URL: http://jakarta.apache.org]] Oct 20, 2008 11:42:27 PM org.apache.catalina.core.ApplicationContext log INFO: ContextListener: contextInitialized() Oct 20, 2008 11:42:27 PM org.apache.catalina.core.ApplicationContext log INFO: SessionListener: contextInitialized() Oct 20, 2008 11:42:27 PM org.apache.catalina.core.ApplicationContext log INFO: ContextListener: contextInitialized() Oct 20, 2008 11:42:27 PM org.apache.catalina.core.ApplicationContext log INFO: SessionListener: contextInitialized() Oct 20, 2008 11:42:28 PM org.apache.coyote.http11.Http11BaseProtocol start INFO: Starting Coyote HTTP/1.1 on http-127.0.0.1-8000 Oct 20, 2008 11:42:28 PM org.apache.jk.common.ChannelSocket init INFO: JK: ajp13 listening on /0.0.0.0:8009 Oct 20, 2008 11:42:28 PM org.apache.jk.server.JkMain start INFO: Jk running ID=0 time=0/56 config=null Oct 20, 2008 11:42:28 PM org.apache.catalina.storeconfig.StoreLoader load INFO: Find registry server-registry.xml at classpath resource Oct 20, 2008 11:42:29 PM org.apache.catalina.startup.Catalina start INFO: Server startup in 3886 ms
Um den Apache Tomcat dauerhaft bei jedem Neustart des Rechners automatisch zu starten geben Sie bitte als root
folgenden Befehl ein, um zu überprüfen wie die aktuelle Konfiguration des Startverhaltens des aktuellen tomcat5
-Daemons aussieht:
chkconfig --list | grep tomcat5 squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Falls die Ausgabe wie oben gezeigt erscheinen sollte, wird der tomcat5
-Daemon nicht bei jedem Neustart des Rechners gestartet. Um dies zu ändern geben Sie bitte folgende Befehle ein:
# chkconfig tomcat5 on
* Aktivieren des automatischen Startens des tomcat5
-Daemons.
Das erneute Eingeben des Befehls zur Überprüfung, wie die aktuelle Konfiguration des Startverhaltens des tomcat5
-Daemons aussieht, sollte dann wie folgt erscheinen:
# chkconfig --list | grep tomcat5 squid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Ergänzung: JRE_HOME
Beim aktuellen Starten des Apache Tomcat und genauerer Betrachtung der /var/log/tomcat5/catalina.out
fällt auf, dass die Umgebungsvariable JRE_HOME
nicht gesetzt wurde. (Auszug aus der Log-Datei /var/log/tomcat5/catalina.out
):
Using CATALINA_BASE: /usr/share/tomcat5 Using CATALINA_HOME: /usr/share/tomcat5 Using CATALINA_TMPDIR: /usr/share/tomcat5/temp Using JRE_HOME: ...
Ab hier werden root
-Rechte zur Ausführung der nachfolgenden Befehle benötigt. Um root
zu werden geben Sie bitte folgenden Befehl ein:
$ su - Password:
Um die Umgebungsvariable JRE_HOME
zu ergänzen, müssen zwei neue Konfigurationsdateien im Verzeichnis /etc/profile.d
erstellt werden. Um in das Verzeichnis /etc/profile.d
zu wechseln wird folgender Befehl ausgeführt:
# cd /etc/profile.d
Die beiden neuen Konfigurationsdateien heißen:
/etc/profile.d/java.csh
/etc/profile.d/java.sh
Um die Konfigurationsdatei /etc/profiles.d/java.csh
anzulegen, wird folgender Befehl ausgeführt:
# touch /etc/profile.d/java.csh
Der Inhalt sollte wie folgt aussehen:
# Make JAVA_HOME and JRE_HOME be defined for everyone setenv JAVA_HOME /usr/java/default setenv JRE_HOME $JAVA_HOME/jre setenv PATH $JAVA_HOME/bin:$JRE_HOME/bin:$PATH
Ebenso um die Konfigurationsdatei /etc/profiles.d/java.sh
anzulegen, wird folgender Befehl ausgeführt:
# touch /etc/profile.d/java.sh
Der Inhalt sollte wie folgt aussehen:
# Make JAVA_HOME and JRE_HOME be defined for everyone export JAVA_HOME=/usr/java/default export JRE_HOME=$JAVA_HOME/jre export PATH=$JAVA_HOME/bin:$JRE_HOME/bin:$PATH
Abschließend müssen beide Konfigurationsdateien noch das Dateirecht „ausführbar“ erhalten, was mit folgendem Befehl durchgeführt werden kann:
# chmod 755 /etc/profile.d/java*
Ein Neustart ist nun erforderlich!
Ein Neustart kann mit folgendem Befehl durchgeführt werden:
# service tomcat5 restart Stopping tomcat5: [ OK ] Starting tomcat5: [ OK ]
Um zu sehen ob alles ordnungsgemäß ausgeführt wurde, können folgende Befehle genutzt werden, welche eine Ausgabe wie folgende erzeugen sollten:
# set | grep _HOME JAVA_HOME=/usr/java/default JRE_HOME=/usr/java/default/jre
und
# set | grep PATH PATH=/usr/java/default/bin:/usr/java/default/jre/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
Beim erneuten Starten des Apache Tomcat und erneuter Betrachtung der /var/log/tomcat5/catalina.out
fällt auf, dass die Umgebungsvariable JRE_HOME
jetzt gesetzt wurde. (Auszug aus der Log-Datei /var/log/tomcat5/catalina.out
):
Using CATALINA_BASE: /usr/share/tomcat5 Using CATALINA_HOME: /usr/share/tomcat5 Using CATALINA_TMPDIR: /usr/share/tomcat5/temp Using JRE_HOME: /usr/java/default/jre ...
Ergänzung: tomcat-native-lib
Beim aktuellen Starten des Apache Tomcat und erneuter genauerer Betrachtung der /var/log/tomcat5/catalina.out
fällt auf, dass folgender Hinweis
The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: …
angezeigt wurde. (Auszug aus der Log-Datei /var/log/tomcat5/catalina.out
):
Using CATALINA_BASE: /usr/share/tomcat5 Using CATALINA_HOME: /usr/share/tomcat5 Using CATALINA_TMPDIR: /usr/share/tomcat5/temp Using JRE_HOME: /usr/java/jdk1.6.0_06/jre Oct 21, 2008 12:41:58 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/jdk1.6.0_06/jre/lib/i386/client:/usr/java/jdk1.6.0_06/jre/lib /i386:/usr/java/jdk1.6.0_06/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib ...
Um die Performance zu verbessern wäre das Vorhandensein der „The Apache Tomcat Native library“ sehr wünschenswert.
Herunterladen tomcat-native-lib
Es gibt ein RPM-Paket welches unter folgender Adresse heruntergeladen werden kann:
Installation tomcat-native-lib
Eine mögliche Installation wäre das RPM-Paket mit folgendem Befehl zu installieren, ausgehend davon, das das RPM-Paket sich im Verzeichnis /tmp
befindet:
# yum localinstall --nogpgcheck /tmp/tomcat-native-1.1.15-1.el5.i386.rpm
Neustart Apache Tomcat
Durch einen Neustart des Apache Tomcat mit folgendem Befehl:
# service tomcat5 restart Stopping tomcat5: [ OK ] Starting tomcat5: [ OK ]
und wiederum genauerer Betrachtung der /var/log/tomcat5/catalina.out
fällt auf, dass der Hinweis
The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: …
verschwunden ist. (Komplette Log-Datei /var/log/tomcat5/catalina.out
):
Using CATALINA_BASE: /usr/share/tomcat5 Using CATALINA_HOME: /usr/share/tomcat5 Using CATALINA_TMPDIR: /usr/share/tomcat5/temp Using JRE_HOME: /usr/java/jdk1.6.0_06/jre Oct 21, 2008 12:59:02 AM org.apache.coyote.http11.Http11AprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-127.0.0.1-8000 Oct 21, 2008 12:59:02 AM org.apache.coyote.ajp.AjpAprProtocol init INFO: Initializing Coyote AJP/1.3 on ajp-8009 Oct 21, 2008 12:59:02 AM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 2020 ms Oct 21, 2008 12:59:02 AM org.apache.catalina.core.StandardService start INFO: Starting service Catalina Oct 21, 2008 12:59:02 AM org.apache.catalina.core.StandardEngine start INFO: Starting Servlet Engine: Apache Tomcat/5.5.23 Oct 21, 2008 12:59:03 AM org.apache.catalina.core.StandardHost start INFO: XML validation disabled Oct 21, 2008 12:59:04 AM org.apache.catalina.core.ApplicationContext log INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cn n.com], [org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com], [org.apache.webapp.balancer.rules.AcceptEvery thingRule: Redirect URL: http://jakarta.apache.org]] Oct 21, 2008 12:59:05 AM org.apache.catalina.core.ApplicationContext log INFO: ContextListener: contextInitialized() Oct 21, 2008 12:59:05 AM org.apache.catalina.core.ApplicationContext log INFO: SessionListener: contextInitialized() Oct 21, 2008 12:59:05 AM org.apache.catalina.core.ApplicationContext log INFO: ContextListener: contextInitialized() Oct 21, 2008 12:59:05 AM org.apache.catalina.core.ApplicationContext log INFO: SessionListener: contextInitialized() Oct 21, 2008 12:59:05 AM org.apache.coyote.http11.Http11AprProtocol start INFO: Starting Coyote HTTP/1.1 on http-127.0.0.1-8000 Oct 21, 2008 12:59:05 AM org.apache.coyote.ajp.AjpAprProtocol start INFO: Starting Coyote AJP/1.3 on ajp-8009 Oct 21, 2008 12:59:05 AM org.apache.catalina.storeconfig.StoreLoader load INFO: Find registry server-registry.xml at classpath resource Oct 21, 2008 12:59:06 AM org.apache.catalina.startup.Catalina start INFO: Server startup in 3527 ms
Ebenfalls ist zu beobachten, das das Starten des Apache Tomcat nun deutlich schneller von statten geht, hier zum Vergleich:
vorher
INFO: Server startup in 8194 ms
nachher
INFO: Server startup in 3527 ms
Ergänzung: log4j
Das Apache Logging Services Project erstellt und verwaltet „Open-Source Software“ zur Generierung von LOG-Dateien für Applikationen und stellt diese unentgeltlich jedermann zur Verfügung.
Installation log4j
Ab hier werden root
-Rechte zur Ausführung der nachfolgenden Befehle benötigt. Um root
zu werden geben Sie bitte folgenden Befehl ein:
$ su - Password:
Folgende Schritte sind zur Installation von log4j notwendig.
Schritt 1
Es muss ein „Symbolischen Link“ im Verzeichnis /var/lib/tomcat5/commons/lib
auf den bereits vorhandenen „Symblischen Link“ /usr/share/java/log4j.jar
, welcher auf die Datei /usr/share/java/log4j-1.2.13.jar
zeigt, mit folgendem Befehl erstellt werden:
# ln -s /usr/share/java/log4j.jar /var/lib/tomcat5/common/lib/log4j.jar
Zur Überprüfung ob die ordnungsgemäß funktioniert hat, geben Sie folgende beiden Befehle ein, welche nachfolgende Ausgaben erzeugen sollten:
# ll /var/lib/tomcat5/common/lib ... lrwxrwxrwx 1 root root 25 Oct 22 09:04 log4j.jar -> /usr/share/java/log4j.jar ... # ll /var/lib/tomcat5/common/lib/log4j.jar lrwxrwxrwx 1 root root 25 Oct 22 09:04 /var/lib/tomcat5/common/lib/log4j.jar -> /usr/share/java/log4j.jar
Schritt 2
Es muss ein weiterer „Symbolischen Link“ im Verzeichnis /var/lib/tomcat5/commons/lib
auf den bereits vorhandenen „Symblischen Link“ /usr/share/java/commons-logging.jar
, welcher auf die Datei /usr/share/java/commons-logging-1.0.4.jar
zeigt, mit folgendem Befehl erstellt werden:
# ln -s /usr/share/java/commons-logging.jar /var/lib/tomcat5/common/lib/commons-logging.jar
Zur Überprüfung ob auch dies ordnungsgemäß funktioniert hat, geben Sie folgende beiden Befehle ein, welche nachfolgende Ausgaben erzeugen sollten:
# ll /var/lib/tomcat5/common/lib ... lrwxrwxrwx 1 root root 35 Oct 22 09:12 commons-logging.jar -> /usr/share/java/commons-logging.jar ... # ll /var/lib/tomcat5/common/lib/commons-logging.jar lrwxrwxrwx 1 root root 35 Oct 22 09:12 /var/lib/tomcat5/common/lib/commons-logging.jar -> /usr/share/java/commons-logging.jar
Schritt 3
Es muss eine Konfiguration für im Verzeichnis /var/lib/tomcat5/common/classes
mit dem Namen log4j.properties
mit folgendem Befehl anagelegt werden:
# touch /var/lib/tomcat5/common/classes/log4j.properties
Der Inhalt der Konfigurationsdatei könnte evtl. wie folgt aussehen:
log4j.rootLogger=INFO, Catalina log4j.appender.Catalina=org.apache.log4j.RollingFileAppender log4j.appender.Catalina.File=${catalina.home}/logs/catalina.out log4j.appender.Catalina.layout=org.apache.log4j.PatternLayout log4j.appender.Catalina.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} [%-5p] [%-20C{1}] [%-20M] - %m%n
Schritt 4
Ein Neustart ist nun erfordelich!
Ein Neustart kann mit folgendem Befehl durchgeführt werden:
# service tomcat5 restart Stopping tomcat5: [ OK ] Starting tomcat5: [ OK ]
Die Log-Datei des Apache Tomcat sollte nach einem Neustart dann wie folgt aussehen:
Using CATALINA_BASE: /usr/share/tomcat5 Using CATALINA_HOME: /usr/share/tomcat5 Using CATALINA_TMPDIR: /usr/share/tomcat5/temp Using JRE_HOME: /usr/java/jdk1.6.0_06/jre 2008-10-22 14:59:13 [INFO ] [Http11AprProtocol ] [pause ] - Pausing Coyote HTTP/1.1 on http-127.0.0.1-8000 2008-10-22 14:59:13 [INFO ] [AjpAprProtocol ] [pause ] - Pausing Coyote AJP/1.3 on ajp-8009 2008-10-22 14:59:14 [INFO ] [StandardService ] [stop ] - Stopping service Catalina 2008-10-22 14:59:15 [INFO ] [ApplicationContext ] [log ] - SessionListener: contextDestroyed() 2008-10-22 14:59:15 [INFO ] [ApplicationContext ] [log ] - ContextListener: contextDestroyed() 2008-10-22 14:59:15 [INFO ] [ApplicationContext ] [log ] - SessionListener: contextDestroyed() 2008-10-22 14:59:15 [INFO ] [ApplicationContext ] [log ] - ContextListener: contextDestroyed() 2008-10-22 14:59:15 [INFO ] [Http11AprProtocol ] [destroy ] - Stopping Coyote HTTP/1.1 on http-127.0.0.1-8000 2008-10-22 14:59:15 [INFO ] [AjpAprProtocol ] [destroy ] - Stopping Coyote AJP/1.3 on ajp-8009 Using CATALINA_BASE: /usr/share/tomcat5 Using CATALINA_HOME: /usr/share/tomcat5 Using CATALINA_TMPDIR: /usr/share/tomcat5/temp Using JRE_HOME: /usr/java/jdk1.6.0_06/jre 2008-10-22 14:59:24 [INFO ] [Http11AprProtocol ] [init ] - Initializing Coyote HTTP/1.1 on http-127.0.0.1-8000 2008-10-22 14:59:24 [INFO ] [AjpAprProtocol ] [init ] - Initializing Coyote AJP/1.3 on ajp-8009 2008-10-22 14:59:24 [INFO ] [Catalina ] [load ] - Initialization processed in 2001 ms 2008-10-22 14:59:24 [INFO ] [StandardService ] [start ] - Starting service Catalina 2008-10-22 14:59:24 [INFO ] [StandardEngine ] [start ] - Starting Servlet Engine: Apache Tomcat/5.5.23 2008-10-22 14:59:24 [INFO ] [StandardHost ] [start ] - XML validation disabled 2008-10-22 14:59:26 [INFO ] [ApplicationContext ] [log ] - org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cnn.com], [org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com], [org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL: http://jakarta.apache.org]] 2008-10-22 14:59:26 [INFO ] [ApplicationContext ] [log ] - ContextListener: contextInitialized() 2008-10-22 14:59:26 [INFO ] [ApplicationContext ] [log ] - SessionListener: contextInitialized() 2008-10-22 14:59:26 [INFO ] [ApplicationContext ] [log ] - ContextListener: contextInitialized() 2008-10-22 14:59:26 [INFO ] [ApplicationContext ] [log ] - SessionListener: contextInitialized() 2008-10-22 14:59:27 [INFO ] [Http11AprProtocol ] [start ] - Starting Coyote HTTP/1.1 on http-127.0.0.1-8000 2008-10-22 14:59:27 [INFO ] [AjpAprProtocol ] [start ] - Starting Coyote AJP/1.3 on ajp-8009 2008-10-22 14:59:27 [INFO ] [StoreLoader ] [load ] - Find registry server-registry.xml at classpath resource 2008-10-22 14:59:27 [INFO ] [Catalina ] [start ] - Server startup in 3536 ms
Apache HTTP Webserver einbinden
Ein sehr häufige Kombination besteht aus dem Apache HTTP Webserver und dem Apache Tomcat.
Zwei der Möglichkeiten, wie so eine Verbindung zustande kommen kann, sollen im folgenden beschrieben werden. Die Möglichkeiten sind
- mod_jk
- mod_proxy_ajp
mod_jk
Ich persönlich bevorzuge die Möglichkeit über mod_jk. Die Gründe dafür sind historisch bedingt, da diese Art der Verbindung der beiden Server bereits vor der Möglichkeit der Nutzung des mod_proxy_ajp bestanden hat. Zum anderen sind meiner Ansicht folgende Vorteile gegeben:
- Senden von spezifischen Anfragen an den Apache Tomcat z.B. (nur *.jsp-Seiten)
- Logging Möglichkeiten (mod_jk.log)
Nachteile sind jedoch:
- Aufwendigere Konfiguration
- Keine verzeichnisspezifische Weiterleitung
Im folgenden soll die Vorschaltung des Apache HTTP Webserver vor den Apache Tomcat gezeigt werden:
Herunterladen mod_jk
Um das mod_jk nutzen zu können muss dieses nach der Installation erste einmal heruntergeladen werden. Dies kann unter folgendem Link erfolgen. Die aktuelle stabile Version ist 1.2.13
Einbinden mod_jk
Ab hier werden root
-Rechte zur Ausführung der nachfolgenden Befehle benötigt. Um root
zu werden geben Sie bitte folgenden Befehl ein:
$ su - Password:
Nach dem erfolgreichen herunterladen der Datei mit z.B. dem Namen mod_jk-1.2.23-apache-2.2.x-linux-i686.so
, sollte diese noch umbenannt werden und in das Verzeichnis /etc/httpd/modules
mit folgendem Befehl verschoben werden:
# mv /tmp/mod_jk-1.2.23-apache-2.2.x-linux-i686.so /etc/httpd/modules/mod_jk.so
Folgende Modifikationen sind an der Konfigurationsdatei /etc/httpd/conf/httpd.conf
durchzuführen:
Schritt 1
Laden des Modules:
LoadModule jk_module modules/mod_jk.so
Schritt 2
Konfiguration des Modules:
<IfModule mod_jk.c> # Apache httpd and Apache Tomcat Connector Configuration. # JkRequestLogFormat: %r %q - not used, because form-field e.g. password # are shown. JkShmSize 64k JkShmFile "/var/cache/tomcat5/temp/mod_jk.shm" JkLogFile "/var/log/httpd/mod_jk.log" JkLogLevel error JkLogStampFormat "[%a, %d.%m.%Y %H:%M:%S] " JkRequestLogFormat "%w %R %V %v %s %b %B %U %p %T %H %m" JkWorkerProperty workers.tomcat_home="/usr/share/tomcat5" JkWorkerProperty workers.java_home="$JAVA_HOME" JkWorkerProperty worker.list=worker1 JkWorkerProperty worker.worker1.type=ajp13 JkWorkerProperty worker.worker1.host=127.0.0.1 JkWorkerProperty worker.worker1.port=8009 </IfModule>
* Dies ist nur eine Beispielkonfiguration. Die Bedeutung der einzelnen Befehle kann in der Dokumentation The Apache Tomcat Connector - Reference Guide detailliert nachgelesen werden
- JkShmSize 64k
nur erforderlich für balancer- und status.worker - Zusätzlicher Cache-Speicher auf der Festplatte (Shared Memeory)
- JkShmFile „/var/cache/tomcat5/temp/mod_jk.shm“
nur erforderlich für balancer- und status.worker - Datei für den zusätzlichen Cache-Speicher auf der Festplatte (Shared Memeory)
- JkLogFile „/var/log/httpd/mod_jk.log“
Log-Datei des Modules mod_jk
- JkLogLevel error
Loglevel der Log-Datei des Modules mod_jk - Standard ist info
- JkLogStampFormat „[%a, %d.%m.%Y %H:%M:%S] „
Format des verwendeten Zeitstempels - siehe auch The Apache Tomcat Connector - Reference Guide
- JkRequestLogFormat “%w %R %V %v %s %b %B %U %p %T %H %m“
Format des Log-Eintrags - siehe auch The Apache Tomcat Connector - Reference Guide
- JkWorkerProperty workers.tomcat_home=„/usr/share/tomcat5“
Heimatverzeichnis des Apache Tomcat
- JkWorkerProperty workers.java_home=„$JAVA_HOME“
Heimatverzeichnis der installierten Java-Version (hier global definierte Variable - z.B. /usr/java/jdk1.6.0_06
)
- JkWorkerProperty worker.worker1.type=ajp13
Protokoll-Typ des AJP-Protokolls (1.2 oder 1.3 - wobei 1.3 zu verwenden ist!)
- JkWorkerProperty worker.worker1.host=127.0.0.1
IP-Adresse des Apache Tomcat-Servers
- JkWorkerProperty worker.worker1.port=8009
AJP-Port des Apache Tomcat-Servers
Schritt 3
Falls kein virtueller Host definiert ist, können folgende Konfigurationsangaben ebenfalls in der Datei /etc/httpd/conf/httpd.conf
definiert werden. Falls ein virtuellen Host definiert wurde, könnte dieser wie folgt aussehen:
# # tachtler.net # <VirtualHost *:80> ServerAdmin webmaster@tachtler.net ServerName tachtler.net ServerAlias www.tachtler.net ServerPath / DocumentRoot "/usr/share/tomcat5/webapps/ROOT" <Directory "/usr/share/tomcat5/webapps/ROOT"> Options FollowSymLinks AllowOverride None Order allow,deny Allow from all </Directory> JkMount /*.do worker1 JkMount /*.jsp worker1 DirectoryIndex index.htm ErrorLog logs/homepage_error.log CustomLog logs/homepage_access.log combined </VirtualHost>
WICHTIG sind hier die beiden Zeilen:
JkMount /*.jsp worker1 JkMount /*.do worker1
Die erste Zeile, weist den Apache HTTP Webserver alle angeforderten Seiten mit der Endung .jsp
an den Apache Tomcat zur Erstellung weiterzuleiten.
Die zweite Zeile, weist den Apache HTTP Webserver alle angeforderten Seiten mit der Endung .do
an den Apache Tomcat zur Erstellung weiterzuleiten. Die ist z.B. bei Nutzung des Apache Struts Frameworks der Fall.
Ein Neustart ist nun erforderlich!
Ein Neustart kann mit folgendem Befehl durchgeführt werden:
# service tomcat5 restart Stopping tomcat5: [ OK ] Starting tomcat5: [ OK ]
Beispiel
Falls Sie nun folgende einfache *.jsp-Datei in den hier angegebenen DocumentRoot „/usr/share/tomcat5/webapps/ROOT“
legen,
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>JSP-Testseite</title> </head> <body> <font style="font-family: arial; font-size: 0.8em"><%=new java.util.Date()%></font> </body> </html>
und diese wie folgt wie hier z.B. wie folgt aufrufen:
sollte das aktuelle Datum und die aktuelle Uhrzeit wie folgt dargestellt erscheinen
Mon Oct 27 16:56:34 CET 2008
mod_proxy_ajp
Die Konfiguration des mod_proxy_ajp ist im Vergleich zum mod_jk viel einfacher und bietet auch andere Möglichkeiten. Jedoch ist ein grosser Nachteil aus meiner Sicht, dass alle Anfragen (auch *.html-Seiten) so an den Apache Tomcat weitergeleitet werden.
WICHTIG Ab Version Apache HTTP Webserver 2.2.5 kann dies mit dem Befehl
ProxyPassMatch
jedoch ebenfalls erfolgen, wurde aber von mir noch nicht getestet!
Die Konfiguration ist im Gegensatz zum mod_jk einfacher und sieht wie folgt aus:
Einbinden mod_proxy_ajp
Ab hier werden root
-Rechte zur Ausführung der nachfolgenden Befehle benötigt. Um root
zu werden geben Sie bitte folgenden Befehl ein:
$ su - Password:
Folgende Modifikationen sind an der Konfigurationsdatei /etc/httpd/conf/httpd.conf
durchzuführen:
Schritt 1
Laden der Module:
LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
Schritt 2
Konfiguration des Modules:
Falls kein virtueller Host definiert ist, können folgende Konfigurationsangaben ebenfalls in der Datei /etc/httpd/conf/httpd.conf
definiert werden. Falls ein virtuellen Host definiert wurde, könnte dieser wie folgt aussehen:
# # tomcat.tachtler.net # <VirtualHost *:80> ServerAdmin webmaster@tachtler.net ServerName tomcat.tachtler.net ServerAlias www.tomcat.tachtler.net ServerPath / DocumentRoot "/var/www/html/tomcat" <Directory "/var/www/html/tomcat"> Options None AllowOverride AuthConfig Order allow,deny Allow from all </Directory> ProxyRequests Off ProxyPass /default ajp://127.0.0.1:8009/default ProxyPassReverse /default ajp://127.0.0.1:8009/default ProxyPass /admin ajp://127.0.0.1:8009/admin ProxyPassReverse /admin ajp://127.0.0.1:8009/admin ProxyPass /balancer ajp://127.0.0.1:8009/balancer ProxyPassReverse /balancer ajp://127.0.0.1:8009/balancer ProxyPass /host-manager ajp://127.0.0.1:8009/host-manager ProxyPassReverse /host-manager ajp://127.0.0.1:8009/host-manager ProxyPass /jsp-examples ajp://127.0.0.1:8009/jsp-examples ProxyPassReverse /jsp-examples ajp://127.0.0.1:8009/jsp-examples ProxyPass /manager ajp://127.0.0.1:8009/manager ProxyPassReverse /manager ajp://127.0.0.1:8009/manager ProxyPass /servlets-examples ajp://127.0.0.1:8009/servlets-examples ProxyPassReverse /servlets-examples ajp://127.0.0.1:8009/servlets-examples ProxyPass /tomcat-docs ajp://127.0.0.1:8009/tomcat-docs ProxyPassReverse /tomcat-docs ajp://127.0.0.1:8009/tomcat-docs ProxyPass /webdav ajp://127.0.0.1:8009/webdav ProxyPassReverse /webdav ajp://127.0.0.1:8009/webdav DirectoryIndex index.htm ErrorLog logs/tomcat_error.log CustomLog logs/tomcat_access.log combined </VirtualHost>
* Dies ist nur eine Beispielkonfiguration. Die Bedeutung der einzelnen Befehle kann in der Dokumentation Apache Module mod_proxy detailliert nachgelesen werden
- ProxyRequests Off
Deaktivieren der Eigenschaft als Standard Proxy zu fungieren!
- ProxyPass
Alles was an die Anwendung im Verzeichnis und in der URL default
gerichtet wird soll an den Apache Tomcat weitergeleitet erden, gleichzeitig wird das Verzeichnis default
zum Wurzelverzeichnis ROOT
bei diesem Aufruf!
- ProxyPassReverse
Dies dient der „Rückwertsauflösung“ (reverse) der gestellten Anfragen.
- DirectoryIndex index.htm
WICHTIG - Dies ist nicht unbedingt erforderlich - hier wird folgende Datei mit dem Namen index.htm
zum laden des virtuellen Hosts und der Anwendung die sich hinter dem Verzeichnis default
befindet benutzt!
Die Datei index.htm
sieht in diesem Beispiel wie folgt aus:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <meta http-equiv="refresh" content="0; URL=http://www.tomcat.tachtler.net/default"> <title>Welcome to Tomcat</title> </head> <body> </body> </html>
LDAP Authentifizierung
Um die Benutzer, wie z.B. admin
, oder manager
des Apache Tomcat gegen eine LDAP-Server, hier z.B. OpenLDAP zu authentifizieren, bedarf es nachfolgende Änderungen in folgenden Konfigurationsdateien:
tomcat-users.xml
server.xml
Ab hier werden root
-Rechte zur Ausführung der nachfolgenden Befehle benötigt. Um root
zu werden geben Sie bitte folgenden Befehl ein:
$ su - Password:
tomcat-users.xml
Falls die aktuelle /etc/tomcat5/tomcat-users.xml
wie folgt aussehen sollte:
<?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="manager"/> <role rolename="tomcat"/> <role rolename="admin"/> <role rolename="role1"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="both" password="tomcat" roles="tomcat,role1"/> <user username="admin" password="geheim" roles="admin,manager"/> <user username="role1" password="tomcat" roles="role1"/> </tomcat-users>
sollte diese wieder auf die Standard-Konfiguration zurückgesetzte werden, wie nachstehend gezeigt:
<?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="tomcat"/> <role rolename="role1"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="role1" password="tomcat" roles="role1"/> <user username="both" password="tomcat" roles="tomcat,role1"/> </tomcat-users>
Alle hier noch enthaltenen Benutzer und Passwörter sind nicht mehr relevant, da die Konfigurationsdatei /etc/tomcat5/tomcat-users.xml
nicht mehr benötigt wird!
server.xml
In der Konfigurationsdatei /etc/tomcat5/server.xml
wird die Datenbasis von der eben wieder auf die Standard-Konfiguration zurückgesetzten Konfigurationsdatei /etc/tomcat5/tomcat-users.xml
auf LDAP umgestellt.
Dazu wird eine org.apache.catalina.realm.JNDIRealm
Klasse verwendet und nicht mehr org.apache.catalina.UserDatabase
.
Die relevanten Änderungen diesbezüglich sind mit einem Kommentar
<!-- Tachtler -->
versehen.
<!-- Example Server Configuration File --> <!-- Note that component elements are nested corresponding to their parent-child relationships with each other --> <!-- A "Server" is a singleton element that represents the entire JVM, which may contain one or more "Service" instances. The Server listens for a shutdown command on the indicated port. Note: A "Server" is not itself a "Container", so you may not define subcomponents such as "Valves" or "Loggers" at this level. --> <!-- Tachtler --> <!-- default: <Server port="8005" shutdown="SHUTDOWN"> --> <Server port="8005" shutdown="SHUTDOWN" address="127.0.0.1"> <!-- Comment these entries out to disable JMX MBeans support used for the administration web application --> <Listener className="org.apache.catalina.core.AprLifecycleListener" /> <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" /> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/> <!-- Global JNDI resources --> <GlobalNamingResources> <!-- Test entry for demonstration purposes --> <Environment name="simpleValue" type="java.lang.Integer" value="30"/> <!-- Tachtler --> <!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" /> --> </GlobalNamingResources> <!-- A "Service" is a collection of one or more "Connectors" that share a single "Container" (and therefore the web applications visible within that Container). Normally, that Container is an "Engine", but this is not required. Note: A "Service" is not itself a "Container", so you may not define subcomponents such as "Valves" or "Loggers" at this level. --> <!-- Define the Tomcat Stand-Alone Service --> <Service name="Catalina"> <!-- A "Connector" represents an endpoint by which requests are received and responses are returned. Each Connector passes requests on to the associated "Container" (normally an Engine) for processing. By default, a non-SSL HTTP/1.1 Connector is established on port 8080. You can also enable an SSL HTTP/1.1 Connector on port 8443 by following the instructions below and uncommenting the second Connector entry. SSL support requires the following steps (see the SSL Config HOWTO in the Tomcat 5 documentation bundle for more detailed instructions): * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or later, and put the JAR files into "$JAVA_HOME/jre/lib/ext". * Execute: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows) $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix) with a password value of "changeit" for both the certificate and the keystore itself. By default, DNS lookups are enabled when a web application calls request.getRemoteHost(). This can have an adverse impact on performance, so you can disable it by setting the "enableLookups" attribute to "false". When DNS lookups are disabled, request.getRemoteHost() will return the String version of the IP address of the remote client. --> <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> <!-- Tachtler --> <!-- default: <Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" /> --> <Connector port="8000" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" antiJARLocking="true" address="127.0.0.1" /> <!-- Note : To disable connection timeouts, set connectionTimeout value to 0 --> <!-- Note : To use gzip compression you could set the following properties : compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml" --> <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> <!-- <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> --> <!-- Define an AJP 1.3 Connector on port 8009 --> <!-- Tachtler --> <!-- default: <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" /> --> <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" address="127.0.0.1" /> <!-- Define a Proxied HTTP/1.1 Connector on port 8082 --> <!-- See proxy documentation for more information about using this. --> <!-- <Connector port="8082" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" acceptCount="100" connectionTimeout="20000" proxyPort="80" disableUploadTimeout="true" /> --> <!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them on to the appropriate Host (virtual host). --> <!-- You should set jvmRoute to support load-balancing via AJP ie : <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1"> --> <!-- Define the top level container in our container hierarchy --> <Engine name="Catalina" defaultHost="localhost"> <!-- The request dumper valve dumps useful debugging information about the request headers and cookies that were received, and the response headers and cookies that were sent, for all requests received by this instance of Tomcat. If you care only about requests to a particular virtual host, or a particular application, nest this element inside the corresponding <Host> or <Context> entry instead. For a similar mechanism that is portable to all Servlet 2.4 containers, check out the "RequestDumperFilter" Filter in the example application (the source for this filter may be found in "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters"). Note that this Valve uses the platform's default character encoding. This may cause problems for developers in another encoding, e.g. UTF-8. Use the RequestDumperFilter instead. Also note that enabling this Valve will write a ton of stuff to your logs. They are likely to grow quite large. This extensive log writing will definitely slow down your server. Request dumping is disabled by default. Uncomment the following element to enable it. --> <!-- <Valve className="org.apache.catalina.valves.RequestDumperValve"/> --> <!-- Because this Realm is here, an instance will be shared globally --> <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. --> <!-- Tachtler --> <!-- default: <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> --> <!-- Tachtler --> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionName="cn=Ersatzbenutzer,dc=tachtler,dc=net" connectionPassword="geheim" connectionURL="ldap://ldap.tachtler.net:389" userPattern="uid={0},ou=People,dc=tachtler,dc=net" roleBase="ou=TomcatRoles,dc=tachtler,dc=net" roleName="cn" roleSearch="(uniqueMember={0})" /> <!-- Comment out the old realm but leave here for now in case we need to go back quickly --> <!-- <Realm className="org.apache.catalina.realm.MemoryRealm" /> --> <!-- Replace the above Realm with one of the following to get a Realm stored in a database and accessed via JDBC --> <!-- <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://localhost/authority" connectionName="test" connectionPassword="test" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" /> --> <!-- <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="oracle.jdbc.driver.OracleDriver" connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL" connectionName="scott" connectionPassword="tiger" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" /> --> <!-- <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="sun.jdbc.odbc.JdbcOdbcDriver" connectionURL="jdbc:odbc:CATALINA" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" /> --> <!-- Define the default virtual host Note: XML Schema validation will not work with Xerces 2.2. --> <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"> <!-- Defines a cluster for this node, By defining this element, means that every manager will be changed. So when running a cluster, only make sure that you have webapps in there that need to be clustered and remove the other ones. A cluster has the following parameters: className = the fully qualified name of the cluster class clusterName = a descriptive name for your cluster, can be anything mcastAddr = the multicast address, has to be the same for all the nodes mcastPort = the multicast port, has to be the same for all the nodes mcastBindAddress = bind the multicast socket to a specific address mcastTTL = the multicast TTL if you want to limit your broadcast mcastSoTimeout = the multicast readtimeout mcastFrequency = the number of milliseconds in between sending a "I'm alive" heartbeat mcastDropTime = the number a milliseconds before a node is considered "dead" if no heartbeat is received tcpThreadCount = the number of threads to handle incoming replication requests, optimal would be the same amount of threads as nodes tcpListenAddress = the listen address (bind address) for TCP cluster request on this host, in case of multiple ethernet cards. auto means that address becomes InetAddress.getLocalHost().getHostAddress() tcpListenPort = the tcp listen port tcpSelectorTimeout = the timeout (ms) for the Selector.select() method in case the OS has a wakup bug in java.nio. Set to 0 for no timeout printToScreen = true means that managers will also print to std.out expireSessionsOnShutdown = true means that useDirtyFlag = true means that we only replicate a session after setAttribute,removeAttribute has been called. false means to replicate the session after each request. false means that replication would work for the following piece of code: (only for SimpleTcpReplicationManager) <% HashMap map = (HashMap)session.getAttribute("map"); map.put("key","value"); %> replicationMode = can be either 'pooled', 'synchronous' or 'asynchronous'. * Pooled means that the replication happens using several sockets in a synchronous way. Ie, the data gets replicated, then the request return. This is the same as the 'synchronous' setting except it uses a pool of sockets, hence it is multithreaded. This is the fastest and safest configuration. To use this, also increase the nr of tcp threads that you have dealing with replication. * Synchronous means that the thread that executes the request, is also the thread the replicates the data to the other nodes, and will not return until all nodes have received the information. * Asynchronous means that there is a specific 'sender' thread for each cluster node, so the request thread will queue the replication request into a "smart" queue, and then return to the client. The "smart" queue is a queue where when a session is added to the queue, and the same session already exists in the queue from a previous request, that session will be replaced in the queue instead of replicating two requests. This almost never happens, unless there is a large network delay. --> <!-- When configuring for clustering, you also add in a valve to catch all the requests coming in, at the end of the request, the session may or may not be replicated. A session is replicated if and only if all the conditions are met: 1. useDirtyFlag is true or setAttribute or removeAttribute has been called AND 2. a session exists (has been created) 3. the request is not trapped by the "filter" attribute The filter attribute is to filter out requests that could not modify the session, hence we don't replicate the session after the end of this request. The filter is negative, ie, anything you put in the filter, you mean to filter out, ie, no replication will be done on requests that match one of the filters. The filter attribute is delimited by ;, so you can't escape out ; even if you wanted to. filter=".*\.gif;.*\.js;" means that we will not replicate the session after requests with the URI ending with .gif and .js are intercepted. The deployer element can be used to deploy apps cluster wide. Currently the deployment only deploys/undeploys to working members in the cluster so no WARs are copied upons startup of a broken node. The deployer watches a directory (watchDir) for WAR files when watchEnabled="true" When a new war file is added the war gets deployed to the local instance, and then deployed to the other instances in the cluster. When a war file is deleted from the watchDir the war is undeployed locally and cluster wide --> <!-- <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster" managerClassName="org.apache.catalina.cluster.session.DeltaManager" expireSessionsOnShutdown="false" useDirtyFlag="true" notifyListenersOnReplication="true"> <Membership className="org.apache.catalina.cluster.mcast.McastService" mcastAddr="228.0.0.4" mcastPort="45564" mcastFrequency="500" mcastDropTime="3000"/> <Receiver className="org.apache.catalina.cluster.tcp.ReplicationListener" tcpListenAddress="auto" tcpListenPort="4001" tcpSelectorTimeout="100" tcpThreadCount="6"/> <Sender className="org.apache.catalina.cluster.tcp.ReplicationTransmitter" replicationMode="pooled" ackTimeout="15000" waitForAck="true"/> <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve" filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/> <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer" tempDir="/tmp/war-temp/" deployDir="/tmp/war-deploy/" watchDir="/tmp/war-listen/" watchEnabled="false"/> <ClusterListener className="org.apache.catalina.cluster.session.ClusterSessionListener"/> </Cluster> --> <!-- Normally, users must authenticate themselves to each web app individually. Uncomment the following entry if you would like a user to be authenticated the first time they encounter a resource protected by a security constraint, and then have that user identity maintained across *all* web applications contained in this virtual host. --> <!-- <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> --> <!-- Access log processes all requests for this virtual host. By default, log files are created in the "logs" directory relative to $CATALINA_HOME. If you wish, you can specify a different directory with the "directory" attribute. Specify either a relative (to $CATALINA_HOME) or absolute path to the desired directory. --> <!-- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> --> <!-- Access log processes all requests for this virtual host. By default, log files are created in the "logs" directory relative to $CATALINA_HOME. If you wish, you can specify a different directory with the "directory" attribute. Specify either a relative (to $CATALINA_HOME) or absolute path to the desired directory. This access log implementation is optimized for maximum performance, but is hardcoded to support only the "common" and "combined" patterns. --> <!-- <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/> --> </Host> </Engine> </Service> </Server>
Die wichtigesten Änderungen sind hier folgende:
- Auskommentieren, oder löschen der alten Datenbasis (
org.apache.catalina.UserDatabase
)
<!-- Tachtler --> <!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" /> -->
und auch hier
<!-- Tachtler --> <!-- default: <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> -->
- Einsetzen der LDAP-Abfrage, gegen einen LDAP-Server, welcher keine anonymouse binds erlaubt! (
org.apache.catalina.realm.JNDIRealm
)
<!-- Tachtler --> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionName="cn=Ersatzbenutzer,dc=tachtler,dc=net" connectionPassword="geheim" connectionURL="ldap://ldap.tachtler.net:389" userPattern="uid={0},ou=People,dc=tachtler,dc=net" roleBase="ou=TomcatRoles,dc=tachtler,dc=net" roleName="cn" roleSearch="(uniqueMember={0})" />
Falls ein LDAP-Server zum Einsatz kommt, der anonymouse binds erlaubt, reichen auch folgende Zeilen aus:
<!-- Tachtler --> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" connectionURL="ldap://ldap.tachtler.net:389" userPattern="uid={0},ou=People,dc=tachtler,dc=net" roleBase="ou=TomcatRoles,dc=tachtler,dc=net" roleName="cn" roleSearch="(uniqueMember={0})"
Abschließend ist ein Neustart des Apache Tomcat mit folgendem Befehl erforderlich:
# service tomcat5 restart Stopping tomcat5: [ OK ] Starting tomcat5: [ OK ]
Anlage eines entsprechenden LDAP-Baumes
Als erstes wird eine
organizationalUnit
mit dem Namen
- TomcatRoles
unterhalb des Wurzelverzeichnisses, hier „dc=tachtler, dc=net
“ benötigt.
Anschließend werden folgende Objekte vom Typ
groupOfUniqueNames
dem Pfad „ou=TomcatRoles,dc=tachtler,dc=net
“ hinzugefügt:
- admin
- manager
Abschließend werden den jeweiligen „groupOfUniqueNames
“ folgende Benutzer der Objekt-Eigenschaft
uniqueMember
hinzugefügt:
- admin
- uid=klaus,ou=people,dc=tachtler,dc=net
- manager
- uid=klaus,ou=people,dc=tachtler,dc=net
- uid=werauchimmer,ou=people,dc=tachtler,dc=net
Somit wären für die Anwendung admin
der Benutzer klaus
zugelassen und für die für die Anwendung manager
der Benutzer klaus
und werauchimmer
!
Auslösen der Authentifizierung
Dies ist nach der Standard-Installation des Apache Tomcat bereits erledigt, jedoch soll hier zur Vervollständigung kurz erwähnt sein, wie es zur Authentifizierung kommt.
Innerhalb des jeweiligen WEB-Verzeichnisses, hier z.B. der Anwendung manager
welcher ausnahmsweise in
/usr/share/tomcat5/server/webapps
und NICHT in
/usr/share/tomcat5/webapps
installiert ist, gibt es ein Verzeichnis mit dem Namen
- WEB-INF
Innerhalb diese Verzeichnisses befindet sich die Konfigurationsdatei dieser Anwendung mit dem Namen
web.xml
Der Inhalt dieser Konfigurationsdatei
/usr/share/tomcat5/server/webapps/manager/WEB-INF/web.xml
sieht wie folgt aus (Ausschnitt relevanter Teil):
... <!-- Define a Security Constraint on this Application --> <security-constraint> <web-resource-collection> <web-resource-name>HTMLManger and Manager command</web-resource-name> <url-pattern>/jmxproxy/*</url-pattern> <url-pattern>/html/*</url-pattern> <url-pattern>/list</url-pattern> <url-pattern>/sessions</url-pattern> <url-pattern>/start</url-pattern> <url-pattern>/stop</url-pattern> <url-pattern>/install</url-pattern> <url-pattern>/remove</url-pattern> <url-pattern>/deploy</url-pattern> <url-pattern>/undeploy</url-pattern> <url-pattern>/reload</url-pattern> <url-pattern>/save</url-pattern> <url-pattern>/serverinfo</url-pattern> <url-pattern>/status/*</url-pattern> <url-pattern>/roles</url-pattern> <url-pattern>/resources</url-pattern> </web-resource-collection> <auth-constraint> <!-- NOTE: This role is not present in the default users file --> <role-name>manager</role-name> </auth-constraint> </security-constraint> <!-- Define the Login Configuration for this Application --> <login-config> <auth-method>BASIC</auth-method> <realm-name>Tomcat Manager Application</realm-name> </login-config> <!-- Security roles referenced by this web application --> <security-role> <description> The role that is required to log in to the Manager Application </description> <role-name>manager</role-name> </security-role> </web-app>
Dieser Ausschnitt bewirkt die Abfrage nach dem Benutzer, welcher die Rolle manager
haben muss!