Posted to users@tomcat.apache.org by "epicwinter@hotmail.com" <ep...@hotmail.com> on 2009/02/05 06:51:46 UTC
WEB-INF/classes vs WEB-INF/lib/classes.jar file
Is there any advantage why I should not just jar all my class files and put them in WEB-INF/lib rather than exploding the jar file to the classes directory?
I like developing with the classes and I understand it is nice to let Tomcat deploy a .war file but it also creates some problems for me because I deploy to multiple production servers with different settings that get overwritten every time my war file is expanded.
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
epicwinter@hotmail.com wrote:
> Is there any advantage why I should not just jar all my class files and put them in WEB-INF/lib rather than exploding the jar file to the classes directory?
>
>
> I like developing with the classes and I understand it is nice to let Tomcat deploy a .war file but it also creates some problems for me because I deploy to multiple production servers with different settings that get overwritten every time my war file is expanded.
>
Use ant/maven and build preconfigured war files. It's much, much easier
to distribute/deploy single war file instead of expanded directory (not
to mention single .class files for updates).
You can keep site-specific configuration files outside of
webapplication, so they will not get overwritten with deploys.
--
Mikolaj Rydzewski <mi...@ceti.pl>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by Rusty Wright <ru...@gmail.com>.
Of course it will; no doubts about it! Any self-respecting maven fanatic can assure you of that!!
;-)
epicwinter@hotmail.com wrote:
> Thanks for all the replies. Nice to know I can do this without any side effects.
> I think I will have to look into maven and see if that fits my deployment needs.
RE: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by "epicwinter@hotmail.com" <ep...@hotmail.com>.
Thanks for all the replies. Nice to know I can do this without any side effects. I think I will have to look into maven and see if that fits my deployment needs.
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by David Smith <dn...@cornell.edu>.
epicwinter@hotmail.com wrote:
> Is there any advantage why I should not just jar all my class files and put them in WEB-INF/lib rather than exploding the jar file to the classes directory?
>
>
> I like developing with the classes and I understand it is nice to let Tomcat deploy a .war file but it also creates some problems for me because I deploy to multiple production servers with different settings that get overwritten every time my war file is expanded.
>
>
Functionally I don't think there is a difference between jars and classes.
From a management perspective however, the jar solution implies that
collection of classes has a separate development life cycle from the
webapp. If you fix some problem in the classes, just rebuild and
distribute the jar file. Provided you didn't make a breaking change,
customers should just be able to drop in the updated jar and restart the
webapp. A collection of classes splayed out in the classes folder
creates a more challenging update scenario.
In the case you describe above, the jar solution makes it easy to update
a number of webapps with different configs.
--David
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
André Warnier wrote:
> In addition, it would avoid having to put some potentially sensible
> values in a web-xml file which has to be readable by the Tomcat user.
Also some other, than web.xml, file with sensible values has to be readable
by Tomcat user ;-)
--
Mikolaj Rydzewski <mi...@ceti.pl>
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by André Warnier <aw...@ice-sa.com>.
Bill Barker wrote:
> "André Warnier" <aw...@ice-sa.com> wrote in message
> news:498AD66A.4080601@ice-sa.com...
>> Mikolaj Rydzewski wrote:
>>> André Warnier wrote:
>>>> if I have a webapp consisting of just a couple of classes and a
>>>> WEB-INF/web.xml config file, but this web.xml file contains some
>>>> parameters that are "each-client-dependent", and some customers are
>>>> insisting to receive the updates as a war file, how can I achieve that ?
>>>>
>>>> Someone earlier here mentioned that you could put the settings in a file
>>>> outside the application, but that is not possible in this case, or is it
>>>> ?
>>> You can have web.xml parameter, e.g.
>>>
>>> <context-param>
>>> <param-name>config-file-location</param-name>
>>> <param-value>/filesystem/path or URL or
>>> some-other-location</param-value>
>>> </context-param>
>>>
>>> And then you can retrieve parameter value, thus, read config file.
>>> Idea is, that param-value is the same for every client/build. E.g. points
>>> to configuration file in $CATALINA_HOME/conf. So you can have one war
>>> file and client dependent configurations.
>>>
>>>
>> Ok, that would work if you wrote the webapp yourself, and all the filters
>> that go with it. It would however not work if there are some
>> customer-specific parameters in web.xml, that are outside of your control.
>> (I'm thinking for example of a UrlRewrite or jCIFS filter)
>>
>> Would there be a way to create a war file that does not contain a
>> WEB-INF/web.xml file, but maybe contains a "soft link" to a whole web.xml
>> file located somewhere else ?
>>
>> The basic idea is : I could still give my customer a war-file that he can
>> deploy containing my updated classes of jars or whatever, but it would not
>> overwrite his customer-specific web.xml when he deploys it.
>>
>> I think this issue is so general/generic that there must exist some way,
>> no ?
>
> This is totally Tomcat specific, so won't necessarily port if you decide to
> change containers (but without looking probably still works for GlassFish
> and JBoss). Tomcat does Ant style variable replacement when parsing web.xml
> (both the one in conf and the one in WEB-INF). So something like
>
> <context-param>
> <param-name>config-file-location</param-name>
> <param-value>${my.config.file.location}</param-value>
> </context-param>
>
> will work if the System property my.config.file.location is set by the
> startup script/Windows service manager.
>
That sounds like a good idea !
Usually, there are only a few parameters that change per customer, like
the IP address of some external server, or some login id/pw for a remote
service. That would really do the trick in most cases.
In addition, it would avoid having to put some potentially sensible
values in a web-xml file which has to be readable by the Tomcat user.
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by Gregor Schneider <rc...@googlemail.com>.
How about md5sum?
Rgds
Gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by André Warnier <aw...@ice-sa.com>.
Mikolaj Rydzewski wrote:
> André Warnier wrote:
>> chown root/root /bin/ps
>> chmod 700 /bin/ps
> User can build his own ps binary.
>
> Security by obscurity is not a good way to go.
>
I was just kidding. ;-)
I'd still like to make it work though.
It looks like such a nice way to solve the problem, apart from the fact
that the -D command-line options do show up on the ps display.
I've been trying to twist it with things like
/usr/lib/jvm/java "`cat hidden-file`" ...
and stuff like that, but of course it doesn't help either.
Another thought :
Isn't there a way to have Java read a properties file when it starts up ?
Answering my own question : probably, but then it has again to be
readable by the userid starting the JVM.
Ok, so it does not work for things that one wants to keep hidden, but it
still works for normal settings that might be different between
customers, like the IP address of some external host.
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
André Warnier wrote:
> chown root/root /bin/ps
> chmod 700 /bin/ps
User can build his own ps binary.
Security by obscurity is not a good way to go.
--
Mikolaj Rydzewski <mi...@ceti.pl>
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by André Warnier <aw...@ice-sa.com>.
Mikolaj Rydzewski wrote:
> André Warnier wrote:
>> start)
>> su - tomcatuser -c "/var/lib/jvm/java $CONFIDENTIAL_SETTINGS -jar
>> ...."
> All of your 'confidential settings' will be visible to all users with
> one command:
>
> ps aux
>
Ooops.
chown root/root /bin/ps
chmod 700 /bin/ps
Damn! it sounded so nice.
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
André Warnier wrote:
> start)
> su - tomcatuser -c "/var/lib/jvm/java $CONFIDENTIAL_SETTINGS -jar
> ...."
All of your 'confidential settings' will be visible to all users with
one command:
ps aux
There're ways to restrict such listing to only your processes. But
anyway, command line arguments are not a good place to specify
confidential values.
In my opinion there're mostly two cases:
1. Customer doesn't know anything, or knows very little about passwords,
architecture, etc. So you usually embed such information in some kind of
configuration file (web.xml or some other properties file), etc. In
short words: you know all the details, but you will not break/steal
customer's service/data.
2. Customer is security-aware. So either he isn't your customer anymore
;-) Or you do not have any access to his infrastructure. You're forced
to use JNDI resources so you usually do not need any
usernames/passwords. Even if, username is useless without access to
customer's infrastructure. Finally, his team will review war file before
deploy anyway.
In my opinion it is much simpler, more secure to have just another
tomcat installation, dedicated for one special-and-important
application, run by dedicated user, than to mess with some strange JVM
startup options.
--
Mikolaj Rydzewski <mi...@ceti.pl>
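
The exposure Mikolaj describes above can be checked for on a host. The following shell audit is an added example, not code from the thread: it lists the names (never the values) of -D system properties on process command lines that look like credentials. The name patterns, the sample properties path and app.jar are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report JVM -D system properties whose
# names look like credentials, because process arguments are readable by
# other local users through ps or /proc/<pid>/cmdline.

# flag_secret_props: one argument per line on stdin; prints the NAME (never
# the value) of each -Dname=value whose name suggests a secret.
# The name patterns are an assumption; extend them for your environment.
flag_secret_props() {
    while IFS= read -r arg; do
        case $arg in
            -D*=*) ;;            # a system property with a value
            *) continue ;;       # anything else is ignored
        esac
        key=${arg#-D}            # strip the -D prefix
        key=${key%%=*}           # strip the value, keep only the name
        if printf '%s\n' "$key" |
            grep -Eiq '(passw|secret|token|credential|(^|[._-])(pw|pwd)($|[._-]))'
        then
            printf '%s\n' "$key"
        fi
    done
}

# audit_cmdline_file: FILE holds NUL-separated arguments, the format of
# /proc/<pid>/cmdline on Linux. Arguments containing newlines are not handled.
audit_cmdline_file() {
    tr '\0' '\n' < "$1" | flag_secret_props
}

# audit_all_processes: print "pid property-name" for every readable process.
audit_all_processes() {
    for dir in /proc/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        audit_cmdline_file "$dir/cmdline" 2>/dev/null |
            while IFS= read -r key; do
                printf '%s %s\n' "${dir#/proc/}" "$key"
            done
    done
}

# Constructed sample: the JVM command line from the init script in this thread,
# plus a non-secret property like the one the web.xml substitution example reads.
# The properties path and app.jar are made up for the example.
sample_cmdline() {
    printf '%s\0' /var/lib/jvm/java \
        -Dmyfilter.auth.pw=secretpw \
        -Dmy.config.file.location=/opt/tomcat/conf/myapp.properties \
        -jar app.jar
}

tmp=$(mktemp)
sample_cmdline > "$tmp"
audit_cmdline_file "$tmp"    # prints: myfilter.auth.pw
rm -f "$tmp"
```

Run audit_all_processes as root to cover every process on the host; an unprivileged run shows what any other local account can already see.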
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by André Warnier <aw...@ice-sa.com>.
Bill Barker wrote:
>
> This is totally Tomcat specific, so won't necessarily port if you decide to
> change containers (but without looking probably still works for GlassFish
> and JBoss). Tomcat does Ant style variable replacement when parsing web.xml
> (both the one in conf and the one in WEB-INF). So something like
>
> <context-param>
> <param-name>config-file-location</param-name>
> <param-value>${my.config.file.location}</param-value>
> </context-param>
>
> will work if the System property my.config.file.location is set by the
> startup script/Windows service manager.
>
That sounds like a good idea !
Usually, there are only a few parameters that change per customer, like
the IP address of some external server, or some login id/pw for a remote
service. That would really do the trick in most cases.
In addition, it would avoid having to put some potentially sensible
values in a web-xml file which has to be readable by the Tomcat user.
(And even by me, come to think of it).
And we don't even have to change the applications.
I'll expand that a bit for later reference by dummies like me :
Under Unix/Linux, the /etc/init.d/tomcat script is run by root, so such
settings could be set as some variable which would be expanded in the line
calling up the JVM, no matter which user the JVM starts under, like :
file : /etc/confidential/tomcat_settings.sh (only readable by root)
# sourced by the init script below; must set the variable that script expands
CONFIDENTIAL_SETTINGS="-Dmyfilter.auth.pw=secretpw"
...
file : /etc/init.d/tomcat
CONFIDENTIAL_SETTINGS=""
if [ -f "/etc/confidential/tomcat_settings.sh" ]; then
    . "/etc/confidential/tomcat_settings.sh"
fi
...
start)
    su - tomcatuser -c "/var/lib/jvm/java $CONFIDENTIAL_SETTINGS -jar ...."
file : (tomcat_home)/webapps/myapp/WEB-INF/web.xml
...
<init-param>
    <param-name>secretpw</param-name>
    <param-value>${myfilter.auth.pw}</param-value>
</init-param>
...
So now we can give the customer a new war file, with an update of his
application, including a WEB-INF/web.xml file, and he can just install
it and overwrite his existing web.xml, without even us having to know
the secret password.
Great !
Please feel free to comment, particularly if there is a mistake above.
Also, I believe the above - if correct - could be a useful addition to
the Tomcat FAQ, but I can't figure out if (or how) to add something
there. It seems to display "immutable page" everywhere and I can't find
an option to add something.
I guess this could better be another post.
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by Bill Barker <wb...@wilshire.com>.
"André Warnier" <aw...@ice-sa.com> wrote in message
news:498AD66A.4080601@ice-sa.com...
> Mikolaj Rydzewski wrote:
>> André Warnier wrote:
>>> if I have a webapp consisting of just a couple of classes and a
>>> WEB-INF/web.xml config file, but this web.xml file contains some
>>> parameters that are "each-client-dependent", and some customers are
>>> insisting to receive the updates as a war file, how can I achieve that ?
>>>
>>> Someone earlier here mentioned that you could put the settings in a file
>>> outside the application, but that is not possible in this case, or is it
>>> ?
>> You can have web.xml parameter, e.g.
>>
>> <context-param>
>> <param-name>config-file-location</param-name>
>> <param-value>/filesystem/path or URL or
>> some-other-location</param-value>
>> </context-param>
>>
>> And then you can retrieve parameter value, thus, read config file.
>> Idea is, that param-value is the same for every client/build. E.g. points
>> to configuration file in $CATALINA_HOME/conf. So you can have one war
>> file and client dependent configurations.
>>
>>
> Ok, that would work if you wrote the webapp yourself, and all the filters
> that go with it. It would however not work if there are some
> customer-specific parameters in web.xml, that are outside of your control.
> (I'm thinking for example of a UrlRewrite or jCIFS filter)
>
> Would there be a way to create a war file that does not contain a
> WEB-INF/web.xml file, but maybe contains a "soft link" to a whole web.xml
> file located somewhere else ?
>
> The basic idea is : I could still give my customer a war-file that he can
> deploy containing my updated classes of jars or whatever, but it would not
> overwrite his customer-specific web.xml when he deploys it.
>
> I think this issue is so general/generic that there must exist some way,
> no ?
This is totally Tomcat specific, so won't necessarily port if you decide to
change containers (but without looking probably still works for GlassFish
and JBoss). Tomcat does Ant style variable replacement when parsing web.xml
(both the one in conf and the one in WEB-INF). So something like
<context-param>
<param-name>config-file-location</param-name>
<param-value>${my.config.file.location}</param-value>
</context-param>
will work if the System property my.config.file.location is set by the
startup script/Windows service manager.
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by André Warnier <aw...@ice-sa.com>.
Mikolaj Rydzewski wrote:
> André Warnier wrote:
>> if I have a webapp consisting of just a couple of classes and a
>> WEB-INF/web.xml config file, but this web.xml file contains some
>> parameters that are "each-client-dependent", and some customers are
>> insisting to receive the updates as a war file, how can I achieve that ?
>>
>> Someone earlier here mentioned that you could put the settings in a
>> file outside the application, but that is not possible in this case,
>> or is it ?
> You can have web.xml parameter, e.g.
>
> <context-param>
> <param-name>config-file-location</param-name>
> <param-value>/filesystem/path or URL or
> some-other-location</param-value>
> </context-param>
>
> And then you can retrieve parameter value, thus, read config file.
> Idea is, that param-value is the same for every client/build. E.g.
> points to configuration file in $CATALINA_HOME/conf. So you can have one
> war file and client dependent configurations.
>
>
Ok, that would work if you wrote the webapp yourself, and all the
filters that go with it. It would however not work if there are some
customer-specific parameters in web.xml, that are outside of your
control. (I'm thinking for example of a UrlRewrite or jCIFS filter)
Would there be a way to create a war file that does not contain a
WEB-INF/web.xml file, but maybe contains a "soft link" to a whole
web.xml file located somewhere else ?
The basic idea is : I could still give my customer a war-file that he
can deploy containing my updated classes of jars or whatever, but it
would not overwrite his customer-specific web.xml when he deploys it.
I think this issue is so general/generic that there must exist some way,
no ?
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
André Warnier wrote:
> if I have a webapp consisting of just a couple of classes and a
> WEB-INF/web.xml config file, but this web.xml file contains some
> parameters that are "each-client-dependent", and some customers are
> insisting to receive the updates as a war file, how can I achieve that ?
>
> Someone earlier here mentioned that you could put the settings in a
> file outside the application, but that is not possible in this case,
> or is it ?
You can have web.xml parameter, e.g.
<context-param>
<param-name>config-file-location</param-name>
<param-value>/filesystem/path or URL or
some-other-location</param-value>
</context-param>
And then you can retrieve parameter value, thus, read config file.
Idea is, that param-value is the same for every client/build. E.g.
points to configuration file in $CATALINA_HOME/conf. So you can have one
war file and client dependent configurations.
--
Mikolaj Rydzewski <mi...@ceti.pl>
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by André Warnier <aw...@ice-sa.com>.
Bill Barker wrote:
> ignoring the maven fanatics, Tomcat's classloader searches the
> WEB-INF/classes directory before the WEB-INF/lib/*.jar. This means that it
> is sometimes nice to use WEB-INF/classes for a development server. But for
> a production server you won't see much difference.
>
Sorry to butt in, but with I believe a question related to what the OP
was asking, and to the above :
Also ignoring the Maven and Ant fanatics (just quoting Bill's words), if
I have a webapp consisting of just a couple of classes and a
WEB-INF/web.xml config file, but this web.xml file contains some
parameters that are "each-client-dependent", and some customers are
insisting to receive the updates as a war file, how can I achieve that ?
Someone earlier here mentioned that you could put the settings in a file
outside the application, but that is not possible in this case, or is it ?
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by Bill Barker <wb...@wilshire.com>.
ignoring the maven fanatics, Tomcat's classloader searches the
WEB-INF/classes directory before the WEB-INF/lib/*.jar. This means that it
is sometimes nice to use WEB-INF/classes for a development server. But for
a production server you won't see much difference.
<ep...@hotmail.com> wrote in message
news:BLU145-W4482E2DB3F2697C2CF7C5DC3C00@phx.gbl...
Is there any advantage why I should not just jar all my class files and put
them in WEB-INF/lib rather than exploding the jar file to the classes
directory?
I like developing with the classes and I understand it is nice to let Tomcat
deploy a .war file but it also creates some problems for me because I deploy
to multiple production servers with different settings that get overwritten
every time my war file is expanded.
Re: WEB-INF/classes vs WEB-INF/lib/classes.jar file
Posted by Rusty Wright <ru...@gmail.com>.
If you build your war files with maven you can use maven's profiles and have it build war files that contain settings tailored for each server.
http://www.sonatype.com/books/maven-book/
http://www.exist.com/better-build-maven
epicwinter@hotmail.com wrote:
> Is there any advantage why I should not just jar all my class files and put them in WEB-INF/lib rather than exploding the jar file to the classes directory?
>
>
> I like developing with the classes and I understand it is nice to let Tomcat deploy a .war file but it also creates some problems for me because I deploy to multiple production servers with different settings that get overwritten every time my war file is expanded.