You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Shanti Suresh <sh...@umich.edu> on 2012/09/04 21:18:31 UTC
Tomcat HeapMemoryUsage MBean question
Greetings,
I would like to graph Tomcat's HeapMemoryUsage -> used mbean value for
trending. I have installed Tomcat's manager application with a user
belonging only to the "manager-jmx" role. I would like to use curl to get
the data. I have a couple of questions:
(1) I don't seem to be able to assign an empty password or otherwise no
password to a user in "tomcat-users.xml". Or could I?
(2) How do I get just the "used" value from the composite HeapMemoryUsage
mbean? I guess I could subsequently search for pattern "used=". But just
curious if I could get the value directly. None of the following queries
worked:
https://localhost:8453/manager/jmxproxy?qry=java.lang:type=Memory/HeapMemoryUsage
https://localhost:8453/manager/jmxproxy?qry=java.lang:type=Memory/HeapMemoryUsage:used
https://localhost:8453/manager/jmxproxy?qry=java.lang:type=Memory/HeapMemoryUsage.used
Thanks!
-Shanti
Re: Tomcat HeapMemoryUsage MBean question
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Shanti,
On 9/7/12 11:32 AM, Shanti Suresh wrote:
> Also, what I would like to achieve is to have a secure jmxproxy
> servlet for "set" operations. But have no authentication and
> authorization for get operations.
I personally think that's a bad idea: just set some simple username
and password and have your client use it: any decent command-line HTTP
client should support HTTP BASIC authentication.
> I tried might to "tighten" only the "set" operations of the
> "jmxproxy" servlet by modifying manager/WEB-INF/web.xml as
> follows, and it didn't work. I actually tried the url-pattern
> below with "/jmxproxy/?get*", but I was still able to query
> successfully without a "401 Unauthorized" failure. So I figured
> that I may not be using the right pattern. A url-pattern of
> "/jmxproxy/*" does return a 401 Unauthorized error message on
> "get".
>
> -------snippet from manager/web.xml:----- <security-constraint>
> <web-resource-collection> <web-resource-name>JMX Proxy
> interface</web-resource-name>
> <url-pattern>/jmxproxy/?set*</url-pattern>
> </web-resource-collection> <auth-constraint>
> <role-name>manager-jmx</role-name> </auth-constraint>
> </security-constraint>
>
> -----end of snippet----
You can't do that: the servlet spec's url-pattern matching only
matches the path of the URL and does not include the query string.
> I am further restricting who may access the manager application in
> "conf/Catalina/localhost/manager.xml" to localhost:
>
> ----manager.xml:---- <Context path="/manager" privileged="true"
> docBase="/opt/tomcat/mgmt/apache/webapps/manager"> <Valve
> className="org.apache.catalina.valves.RemoteAddrValve"
> allow="127\.0\.0\.1"/> </Context> -------------
That's good.
> So I can somehow secure the "set" but open up the "get" and "qry",
> I will be in happy curl-land.
Log it as an enhancement request in Bugzilla. I proposed this kind of
thing a few months ago though I can't seem to find the thread at the
moment. It was mildly rejected due to lack of interest, but but it
seems we have a real use-case where a user wants this capability.
Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBKNMwACgkQ9CaO5/Lv0PDVNgCfRIUWq2gs1W0OUa8Qkpzl1fx6
4CMAoIk7z8cTYFm+14WBjVVyFavzbNVY
=ymJa
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat HeapMemoryUsage MBean question
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/9/8 Shanti Suresh <sh...@umich.edu>:
> Hi Konstantin,
>
> True. JMX data can be sensitive.
>
> I am not a JSP expert. I created the following "test.jsp" page and have it
> sitting in webapps/manager/. It doesn't work. I have the error message
> below the JSP text. Would you have a suggestion for what I might have in
> this page?
>
1) All HTML text around is unnecessary.
It will be thrown away when forward is performed.
> <jsp:forward page="/jmxproxy/">
> <jsp:param name="get" value="java.lang%3Atype%3DMemory" />
2) You do not need to url-encode the parameter value. Those %3A and
%3D are actually ":" and "=".
> <jsp:param name="att" value="HeapMemoryUsage" />
> <jsp:param name="key" value="used" />
> </jsp:forward>
The following works for me:
1. In web.xml in configuration for CsrfPreventionFilter, add the
following to the value of "entryPoints" parameter:
[[[
,/test.jsp
]]]
2. The following is test.jsp
[[[
<%@page session="false"%>
<jsp:forward page="/jmxproxy/">
<jsp:param name="get" value="java.lang:type=Memory" />
<jsp:param name="att" value="HeapMemoryUsage" />
<jsp:param name="key" value="used" />
</jsp:forward>
]]]
If I navigate to
http://localhost:8080/manager/test.jsp
it displays
OK - Attribute get 'java.lang:type=Memory' - HeapMemoryUsage - key
'used' = 9081352
By default this new page is not secured, so it does not ask for password.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat HeapMemoryUsage MBean question
Posted by Shanti Suresh <sh...@umich.edu>.
Greetings, all,
Thank you for this wonderful mailing list.
Hi Konstantin,
That JSP worked like a charm :-) Thank you.
Hi Pid,
Good suggestion on using Groovy. I would like to stick with what's readily
available with Tomcat, if I can help it. I know security with unsecured
JMX is an issue. But if JMX is secured properly, I believe it is nothing
to shy away from for scripting.
Hi Christopher,
When you say, "You can use JMX internally for convenience, but not expose
the JMXProxyServlet at all.", what do you mean by that? This is what I
would like to achieve. Konstantin's JSP page retrieves the composite Heap
metrics (Tomcat 7.0.23) even with membership in "manager-jmx" role mandated
inside "manager/WEB-INF/web.xml". I do have to permit access though to
localhost inside the "Catalina/localhost/manager.xml" context file for the
JSP to work unauthenticated:
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.0\.0\.1"/>
I have a feeling that's not what you mean. Could you please elaborate on
how not to expose the JMXProxyServlet externally? I was surprised that I
do have to permit localhost access inside "manager.xml" because I thought
all JSPs inside "webapps/manager/" should be automatically trusted and
permitted by the "manager" webapp by default.
Also, I plan to have the JSP page get me a bunch of JMX metrics.
Thanks!
-Shanti
On Sat, Sep 8, 2012 at 7:44 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pid,
>
> On 9/8/12 4:57 AM, Pid * wrote:
> > On 7 Sep 2012, at 22:00, Shanti Suresh <sh...@umich.edu> wrote:
> >
> >> Hi Konstantin,
> >>
> >> True. JMX data can be sensitive.
> >
> >
> > If you're concerned about security do not use the JMXProxy Servlet
> > at all. Configure security on an exposed JMX port and then interact
> > with the JVM by connecting to the port. Scripts written in Groovy,
> > for example, make this pretty easy to do.
>
> Or just expose the exact data you want by providing a JSP or servlet
> that fetches that one piece of data and returns it. You can use JMX
> internally for convenience, but not expose the JMXProxyServlet at all.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBL2F0ACgkQ9CaO5/Lv0PAb0QCfeHhny/xTv4RlPdahzlXXlXs2
> Q+IAnAxFP8Ge0XRBk+aU0HFdYT+a1oCA
> =B9bC
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Tomcat HeapMemoryUsage MBean question
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Pid,
On 9/8/12 4:57 AM, Pid * wrote:
> On 7 Sep 2012, at 22:00, Shanti Suresh <sh...@umich.edu> wrote:
>
>> Hi Konstantin,
>>
>> True. JMX data can be sensitive.
>
>
> If you're concerned about security do not use the JMXProxy Servlet
> at all. Configure security on an exposed JMX port and then interact
> with the JVM by connecting to the port. Scripts written in Groovy,
> for example, make this pretty easy to do.
Or just expose the exact data you want by providing a JSP or servlet
that fetches that one piece of data and returns it. You can use JMX
internally for convenience, but not expose the JMXProxyServlet at all.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBL2F0ACgkQ9CaO5/Lv0PAb0QCfeHhny/xTv4RlPdahzlXXlXs2
Q+IAnAxFP8Ge0XRBk+aU0HFdYT+a1oCA
=B9bC
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat HeapMemoryUsage MBean question
Posted by Pid * <pi...@pidster.com>.
On 7 Sep 2012, at 22:00, Shanti Suresh <sh...@umich.edu> wrote:
> Hi Konstantin,
>
> True. JMX data can be sensitive.
If you're concerned about security do not use the JMXProxy Servlet at all.
Configure security on an exposed JMX port and then interact with the
JVM by connecting to the port. Scripts written in Groovy, for example,
make this pretty easy to do.
p
>
> I am not a JSP expert. I created the following "test.jsp" page and have it
> sitting in webapps/manager/. It doesn't work. I have the error message
> below the JSP text. Would you have a suggestion for what I might have in
> this page?
>
> ---------- Start of test.jsp:-----
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "
> http://www.w3.org/TR/html4/strict.dtd">
> <html>
> <head>
> <title>Test JSP</title>
> <style type="text/css">
> <!--
> BODY
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
> H1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> PRE, TT {border: 1px dotted #525D76}
> A {color : black;}A.name {color : black;}
> -->
> </style>
> </head>
> <body>
> <h1>Test JSP</h1>
> <p>
> Welcome to Test JSP page.
> </p>
>
> <jsp:forward page="/jmxproxy/">
> <jsp:param name="get" value="java.lang%3Atype%3DMemory" />
> <jsp:param name="att" value="HeapMemoryUsage" />
> <jsp:param name="key" value="used" />
> </jsp:forward>
>
> </body>
>
> </html>
>
> --------------End of test.jsp---------
>
> On invoking the above JSP page, I get:
>
> -------------Start of HTTP connection output:---
> * About to connect() to localhost port 8090
> * Trying 127.0.0.1... connected
> * Connected to localhost (127.0.0.1) port 8090
>> GET /manager/test.jsp HTTP/1.1
>> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5
> OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
>> Host: localhost:8090
>> Accept: */*
>>
> < HTTP/1.1 200 OK
> < Server: Apache-Coyote/1.1
> < Set-Cookie: JSESSIONID=3FC31B7F279B68E4417186B5DC702D68; Path=/manager/;
> HttpOnly
> < Content-Type: text/plain;charset=ISO-8859-1
> < Content-Length: 86
> < Date: Fri, 07 Sep 2012 20:47:51 GMT
> Error - javax.management.MalformedObjectNameException: Key properties
> cannot be empty
> * Connection #0 to host localhost left intact
> * Closing connection #0
>
> -------------End of HTTP Connection output-----
>
> Thanks.
>
> -Shanti
>
> On Fri, Sep 7, 2012 at 4:29 PM, Konstantin Kolinko
> <kn...@gmail.com>wrote:
>
>> 2012/9/7 Shanti Suresh <sh...@umich.edu>:
>>> Hi Christopher, Hi Konstantin,
>>>
>>> On Fri, Sep 7, 2012 at 1:54 PM, Christopher Schultz <
>>> chris@christopherschultz.net> wrote:
>>>
>>>>
>>>> I personally think that's a bad idea: just set some simple username
>>>> and password and have your client use it: any decent command-line HTTP
>>>> client should support HTTP BASIC authentication.
>>>>
>>>
>>> Sure. I can do that. It just leaves the set operations vulnerable too
>>> though. I can use digested passwords too, but still my scripts will need
>>> to be hard-coded with the password.
>>>
>>>
>>>>
>>>> That's good.
>>>>
>>>> Sure :-) Thanks.
>>>
>>>
>>>>
>>>> Log it as an enhancement request in Bugzilla. I proposed this kind of
>>>> thing a few months ago though I can't seem to find the thread at the
>>>> moment. It was mildly rejected due to lack of interest, but but it
>>>> seems we have a real use-case where a user wants this capability.
>>>>
>>>
>>> Oh, most certainly, there is a definite use-case for this feature. And
>>> others will use it heavily once you have the capability. It just doesn't
>>> seem like a good plan to have the get and set secured the same way.
>>>
>>
>> With "get" you can view someone's password.
>> With "set" you can change it, or change assigned roles.
>>
>> (with certain Realm implementations).
>>
>> There is not much difference. I think allowing generic "get" or
>> generic "set" is a bad idea.
>>
>> Best regards,
>> Konstantin Kolinko
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat HeapMemoryUsage MBean question
Posted by Shanti Suresh <sh...@umich.edu>.
Hi Konstantin,
True. JMX data can be sensitive.
I am not a JSP expert. I created the following "test.jsp" page and have it
sitting in webapps/manager/. It doesn't work. I have the error message
below the JSP text. Would you have a suggestion for what I might have in
this page?
---------- Start of test.jsp:-----
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "
http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Test JSP</title>
<style type="text/css">
<!--
BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;font-size:12px;}
H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
PRE, TT {border: 1px dotted #525D76}
A {color : black;}A.name {color : black;}
-->
</style>
</head>
<body>
<h1>Test JSP</h1>
<p>
Welcome to Test JSP page.
</p>
<jsp:forward page="/jmxproxy/">
<jsp:param name="get" value="java.lang%3Atype%3DMemory" />
<jsp:param name="att" value="HeapMemoryUsage" />
<jsp:param name="key" value="used" />
</jsp:forward>
</body>
</html>
--------------End of test.jsp---------
On invoking the above JSP page, I get:
-------------Start of HTTP connection output:---
* About to connect() to localhost port 8090
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8090
> GET /manager/test.jsp HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5
OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: localhost:8090
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=3FC31B7F279B68E4417186B5DC702D68; Path=/manager/;
HttpOnly
< Content-Type: text/plain;charset=ISO-8859-1
< Content-Length: 86
< Date: Fri, 07 Sep 2012 20:47:51 GMT
Error - javax.management.MalformedObjectNameException: Key properties
cannot be empty
* Connection #0 to host localhost left intact
* Closing connection #0
-------------End of HTTP Connection output-----
Thanks.
-Shanti
On Fri, Sep 7, 2012 at 4:29 PM, Konstantin Kolinko
<kn...@gmail.com>wrote:
> 2012/9/7 Shanti Suresh <sh...@umich.edu>:
> > Hi Christopher, Hi Konstantin,
> >
> > On Fri, Sep 7, 2012 at 1:54 PM, Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> >>
> >> I personally think that's a bad idea: just set some simple username
> >> and password and have your client use it: any decent command-line HTTP
> >> client should support HTTP BASIC authentication.
> >>
> >
> > Sure. I can do that. It just leaves the set operations vulnerable too
> > though. I can use digested passwords too, but still my scripts will need
> > to be hard-coded with the password.
> >
> >
> >>
> >> That's good.
> >>
> >> Sure :-) Thanks.
> >
> >
> >>
> >> Log it as an enhancement request in Bugzilla. I proposed this kind of
> >> thing a few months ago though I can't seem to find the thread at the
> >> moment. It was mildly rejected due to lack of interest, but but it
> >> seems we have a real use-case where a user wants this capability.
> >>
> >
> > Oh, most certainly, there is a definite use-case for this feature. And
> > others will use it heavily once you have the capability. It just doesn't
> > seem like a good plan to have the get and set secured the same way.
> >
>
> With "get" you can view someone's password.
> With "set" you can change it, or change assigned roles.
>
> (with certain Realm implementations).
>
> There is not much difference. I think allowing generic "get" or
> generic "set" is a bad idea.
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Tomcat HeapMemoryUsage MBean question
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/9/7 Shanti Suresh <sh...@umich.edu>:
> Hi Christopher, Hi Konstantin,
>
> On Fri, Sep 7, 2012 at 1:54 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
>>
>> I personally think that's a bad idea: just set some simple username
>> and password and have your client use it: any decent command-line HTTP
>> client should support HTTP BASIC authentication.
>>
>
> Sure. I can do that. It just leaves the set operations vulnerable too
> though. I can use digested passwords too, but still my scripts will need
> to be hard-coded with the password.
>
>
>>
>> That's good.
>>
>> Sure :-) Thanks.
>
>
>>
>> Log it as an enhancement request in Bugzilla. I proposed this kind of
>> thing a few months ago though I can't seem to find the thread at the
>> moment. It was mildly rejected due to lack of interest, but but it
>> seems we have a real use-case where a user wants this capability.
>>
>
> Oh, most certainly, there is a definite use-case for this feature. And
> others will use it heavily once you have the capability. It just doesn't
> seem like a good plan to have the get and set secured the same way.
>
With "get" you can view someone's password.
With "set" you can change it, or change assigned roles.
(with certain Realm implementations).
There is not much difference. I think allowing generic "get" or
generic "set" is a bad idea.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat HeapMemoryUsage MBean question
Posted by Shanti Suresh <sh...@umich.edu>.
Hi Christopher, Hi Konstantin,
On Fri, Sep 7, 2012 at 1:54 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Shanti,
>
> I personally think that's a bad idea: just set some simple username
> and password and have your client use it: any decent command-line HTTP
> client should support HTTP BASIC authentication.
>
Sure. I can do that. It just leaves the set operations vulnerable too
though. I can use digested passwords too, but still my scripts will need
to be hard-coded with the password.
>
> That's good.
>
> Sure :-) Thanks.
>
> Log it as an enhancement request in Bugzilla. I proposed this kind of
> thing a few months ago though I can't seem to find the thread at the
> moment. It was mildly rejected due to lack of interest, but but it
> seems we have a real use-case where a user wants this capability.
>
Oh, most certainly, there is a definite use-case for this feature. And
others will use it heavily once you have the capability. It just doesn't
seem like a good plan to have the get and set secured the same way.
On Fri, Sep 7, 2012 at 2:35 PM, Konstantin Kolinko
<kn...@gmail.com>wrote:
> 2012/9/7 Shanti Suresh <sh...@umich.edu>:
> >
> > So I can somehow secure the "set" but open up the "get" and "qry", I will
> > be in happy curl-land.
> >
>
> My suggestion would be to write a custom jsp page that will collect
> parameters, validate them and then will do a forward to jmxproxy.
>
> It is easy to secure a single page. It is much better than allowing
> access to the whole jmxproxy.
>
> <jsp:forward page="/jmxproxy/">
> <jsp:param name="set" value="..." />
> ...
> </jsp:forward>
>
I see. I can look at that option.
Thanks.
-Shanti
Re: Tomcat HeapMemoryUsage MBean question
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/9/7 Shanti Suresh <sh...@umich.edu>:
>
> So I can somehow secure the "set" but open up the "get" and "qry", I will
> be in happy curl-land.
>
My suggestion would be to write a custom jsp page that will collect
parameters, validate them and then will do a forward to jmxproxy.
It is easy to secure a single page. It is much better than allowing
access to the whole jmxproxy.
<jsp:forward page="/jmxproxy/">
<jsp:param name="set" value="..." />
...
</jsp:forward>
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat HeapMemoryUsage MBean question
Posted by Shanti Suresh <sh...@umich.edu>.
Ah, okay. Thank you!
Also, what I would like to achieve is to have a secure jmxproxy servlet for
"set" operations. But have no authentication and authorization for get
operations.
I tried might to "tighten" only the "set" operations of the "jmxproxy"
servlet by modifying manager/WEB-INF/web.xml as follows, and it didn't
work. I actually tried the url-pattern below with "/jmxproxy/?get*", but I
was still able to query successfully without a "401 Unauthorized" failure.
So I figured that I may not be using the right pattern. A url-pattern of
"/jmxproxy/*" does return a 401 Unauthorized error message on "get".
-------snippet from manager/web.xml:-----
<security-constraint>
<web-resource-collection>
<web-resource-name>JMX Proxy interface</web-resource-name>
<url-pattern>/jmxproxy/?set*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager-jmx</role-name>
</auth-constraint>
</security-constraint>
-----end of snippet----
I am further restricting who may access the manager application in
"conf/Catalina/localhost/manager.xml" to localhost:
----manager.xml:----
<Context path="/manager" privileged="true"
docBase="/opt/tomcat/mgmt/apache/webapps/manager">
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.0\.0\.1"/>
</Context>
-------------
So I can somehow secure the "set" but open up the "get" and "qry", I will
be in happy curl-land.
Thanks.
-Shanti
On Fri, Sep 7, 2012 at 11:06 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Shanti,
>
> On 9/7/12 10:07 AM, Shanti Suresh wrote:
> > We are running v7.0.23. So "key" I hope should do the trick. But
> > it doesn't seem to be.
>
> Well, that feature was added in 7.0.27 and you are running 7.0.23. So
> you don't have a version that supports that feature. So upgrade if you
> want to use that new feature.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBKDX4ACgkQ9CaO5/Lv0PAqeQCgnKsti+7GM6TPXn6PuQcR1p11
> lgoAni83lEMf51nmyOKo2mXipUuxt0D2
> =6wCM
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Tomcat HeapMemoryUsage MBean question
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Shanti,
On 9/7/12 10:07 AM, Shanti Suresh wrote:
> We are running v7.0.23. So "key" I hope should do the trick. But
> it doesn't seem to be.
Well, that feature was added in 7.0.27 and you are running 7.0.23. So
you don't have a version that supports that feature. So upgrade if you
want to use that new feature.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBKDX4ACgkQ9CaO5/Lv0PAqeQCgnKsti+7GM6TPXn6PuQcR1p11
lgoAni83lEMf51nmyOKo2mXipUuxt0D2
=6wCM
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat HeapMemoryUsage MBean question
Posted by Shanti Suresh <sh...@umich.edu>.
Hi Christopher,
We are running v7.0.23. So "key" I hope should do the trick. But it
doesn't seem to be.
Thanks!
-Shanti
On Thu, Sep 6, 2012 at 7:48 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> ...
> Shanti,
>
> The "key" parameter was added in 7.0.27 and I don't believe it was
> back-ported to Tomcat 6.0.x. What version are you running?
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBJNkwACgkQ9CaO5/Lv0PBr/QCgru/OI/DxTEbHGXgiaVXHwFuM
> 9UkAoIYWd9oH+Hm0j+IaDtE+cDOWtr0s
> =/mh1
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Tomcat HeapMemoryUsage MBean question
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Shanti,
On 9/6/12 10:15 AM, Shanti Suresh wrote:
> Oh my! Thank you! I remember reading that a while back but just
> missed it when in need. However, the syntax didn't produce the
> desired results.
>
> "
> https://hostname_fqdn:8453/manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used"
>
>
==> gives me the composite result back:
>
> OK - Attribute get 'java.lang:type=Memory' - HeapMemoryUsage=
> javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=java.lang.management.MemoryUsage,items=((itemName=committed,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)),(itemName=init,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)),(itemName=max,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)),(itemName=used,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)))),contents={committed=422940672,
>
>
init=0, max=3087007744, used=116903640})
>
>
> I will try some more. But I may be doing something wrong,
> perhaps?
The "key" parameter was added in 7.0.27 and I don't believe it was
back-ported to Tomcat 6.0.x. What version are you running?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBJNkwACgkQ9CaO5/Lv0PBr/QCgru/OI/DxTEbHGXgiaVXHwFuM
9UkAoIYWd9oH+Hm0j+IaDtE+cDOWtr0s
=/mh1
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat HeapMemoryUsage MBean question
Posted by Shanti Suresh <sh...@umich.edu>.
Hi Christopher,
On Wed, Sep 5, 2012 at 9:46 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Shanti,
>
> On 9/4/12 3:18 PM, Shanti Suresh wrote:
> > I would like to graph Tomcat's HeapMemoryUsage -> used mbean value
> > for trending. I have installed Tomcat's manager application with a
> > user belonging only to the "manager-jmx" role. I would like to use
> > curl to get the data. I have a couple of questions:
> >
> > (1) I don't seem to be able to assign an empty password or
> > otherwise no password to a user in "tomcat-users.xml". Or could
> > I?
>
> What did you try? What happened when you tried that?
>
I still get the basic authentication dialog box. And typing an empty
password, gives me an Unauthorized exception.
>
> > (2) How do I get just the "used" value from the composite
> > HeapMemoryUsage mbean? I guess I could subsequently search for
> > pattern "used=". But just curious if I could get the value
> > directly. None of the following queries worked:
> >
> https://localhost:8453/manager/jmxproxy?qry=java.lang:type=Memory/HeapMemoryUsage
> >
> >
>
> https://localhost:8453/manager/jmxproxy?qry=java.lang:type=Memory/HeapMemoryUsage:used
> >
> https://localhost:8453/manager/jmxproxy?qry=java.lang:type=Memory/HeapMemoryUsage.used
>
> The
> >
> exact question you are asking is answered in an example of the
> JMXProxy's "get" operation usage:
>
> http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#JMX_Get_command
>
Oh my! Thank you! I remember reading that a while back but just missed it
when in need. However, the syntax didn't produce the desired results.
"
https://hostname_fqdn:8453/manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used"
==> gives me the composite result back:
OK - Attribute get 'java.lang:type=Memory' - HeapMemoryUsage=
javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=java.lang.management.MemoryUsage,items=((itemName=committed,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)),(itemName=init,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)),(itemName=max,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)),(itemName=used,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)))),contents={committed=422940672,
init=0, max=3087007744, used=116903640})
I will try some more. But I may be doing something wrong, perhaps?
Thanks.
-Shanti
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBHV6EACgkQ9CaO5/Lv0PBvawCfS0UPId5r3QHubKNI81p+0Uo9
> oigAnA6SZdrc7uli5looMShWeHv1NuoH
> =TdSs
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Tomcat HeapMemoryUsage MBean question
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Shanti,
On 9/4/12 3:18 PM, Shanti Suresh wrote:
> I would like to graph Tomcat's HeapMemoryUsage -> used mbean value
> for trending. I have installed Tomcat's manager application with a
> user belonging only to the "manager-jmx" role. I would like to use
> curl to get the data. I have a couple of questions:
>
> (1) I don't seem to be able to assign an empty password or
> otherwise no password to a user in "tomcat-users.xml". Or could
> I?
What did you try? What happened when you tried that?
> (2) How do I get just the "used" value from the composite
> HeapMemoryUsage mbean? I guess I could subsequently search for
> pattern "used=". But just curious if I could get the value
> directly. None of the following queries worked:
> https://localhost:8453/manager/jmxproxy?qry=java.lang:type=Memory/HeapMemoryUsage
>
>
https://localhost:8453/manager/jmxproxy?qry=java.lang:type=Memory/HeapMemoryUsage:used
> https://localhost:8453/manager/jmxproxy?qry=java.lang:type=Memory/HeapMemoryUsage.used
The
>
exact question you are asking is answered in an example of the
JMXProxy's "get" operation usage:
http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#JMX_Get_command
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBHV6EACgkQ9CaO5/Lv0PBvawCfS0UPId5r3QHubKNI81p+0Uo9
oigAnA6SZdrc7uli5looMShWeHv1NuoH
=TdSs
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org