You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Petr Sumbera <Pe...@Sun.COM> on 2008/10/24 09:49:44 UTC
relation between Tomcat and Apache Commons
Hi Tomcat gurus,
The question I have is rather philosophical and not really technical
(I'm evaluating Tomcat 6 integration into OpenSolaris).
While compiling Tomcat 6.0.16 it requires:
Apache Commons Daemon
Apache Commons Collections
Apache Commons DBCP
Apache Commons Pool
But after compilation I see just commons-daemon.jar. Where are the others?
Is there 1-1 mapping between Apache Commons module version and Tomcat
version? I mean, new version of Apache common module (e.g fixing
security issue) results in new Tomcat version?
Thanks,
Petr
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: relation between Tomcat and Apache Commons
Posted by Leon Rosenberg <ro...@googlemail.com>.
On Fri, Oct 31, 2008 at 1:09 PM, Andrew Ralph Feller, afelle1
<af...@lsu.edu> wrote:
> That is a good point.
>
> What is your preferred method of running Tomcat? JSVC? Startup / shutdown
> scripts? Front-end with Apache HTTP server? Standalone?
standalone with start/shutdown scripts as non-privileged user
regards
Leon
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: relation between Tomcat and Apache Commons
Posted by Petr Sumbera <Pe...@Sun.COM>.
I'm running jsvc as root. If you look in jsvc.c you will see some linux
ifdefs. Particularly look for set_caps() function.
Petr
Andrew Ralph Feller, afelle1 wrote:
>
> Petr,
>
> Are you executing JSVC as root or no? If you aren't, then I can
> understand
> why your non-root account cannot bind to 443. The way JSVC works is by
> starting up under the account that executed it and then spawning a child
> process that is owned by the account specified in the -user option.
>
> A-
>
> On 10/31/08 10:56 AM, "Petr Sumbera" <Pe...@Sun.COM> wrote:
>
>>
>>
>> Caldarale, Charles R wrote:
>>>
>>>> From: Andrew Ralph Feller, afelle1 [mailto:afelle1@lsu.edu]
>>>> Subject: Re: relation between Tomcat and Apache Commons
>>>>
>>>> it seems possible to run Tomcat on a non-privileged port with a
>>>> non-root account and have requests for port 443 redirected to
>>>> Tomcat's listening port.
>>>
>>> Of course - but it requires additional configuration (e.g., iptables,
>>> firewall). Using jsvc may be simpler and avoid dependencies external to
>>> Tomcat.
>>>
>>
>> What I have just found is that jsvc enables Tomcat to bind privileged
>> port
>> only on Linux (it's using capabilities).
>>
>> For example on Solaris one need to add net_privadd privilege for Tomcat
>> user. This can be done by modifying /etc/user_attr. In such case I
>> believe
>> there is no need for jsvc.
>>
>> grep tomcat /etc/user_attr
>> tomcat::::defaultpriv=basic,net_privaddr
>>
>> --
>>
>> Petr
>
> --
> Andrew R. Feller, Analyst
> Information Technology Services
> 200 Fred Frey Building
> Louisiana State University
> Baton Rouge, LA 70803
> (225) 578-3737 (Office)
> (225) 578-6400 (Fax)
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
--
View this message in context: http://www.nabble.com/relation-between-Tomcat-and-Apache-Commons-tp20145816p20270558.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: relation between Tomcat and Apache Commons
Posted by "Andrew Ralph Feller, afelle1" <af...@lsu.edu>.
Petr,
Are you executing JSVC as root or no? If you aren't, then I can understand
why your non-root account cannot bind to 443. The way JSVC works is by
starting up under the account that executed it and then spawning a child
process that is owned by the account specified in the -user option.
A-
On 10/31/08 10:56 AM, "Petr Sumbera" <Pe...@Sun.COM> wrote:
>
>
> Caldarale, Charles R wrote:
>>
>>> From: Andrew Ralph Feller, afelle1 [mailto:afelle1@lsu.edu]
>>> Subject: Re: relation between Tomcat and Apache Commons
>>>
>>> it seems possible to run Tomcat on a non-privileged port with a
>>> non-root account and have requests for port 443 redirected to
>>> Tomcat's listening port.
>>
>> Of course - but it requires additional configuration (e.g., iptables,
>> firewall). Using jsvc may be simpler and avoid dependencies external to
>> Tomcat.
>>
>
> What I have just found is that jsvc enables Tomcat to bind privileged port
> only on Linux (it's using capabilities).
>
> For example on Solaris one need to add net_privadd privilege for Tomcat
> user. This can be done by modifying /etc/user_attr. In such case I believe
> there is no need for jsvc.
>
> grep tomcat /etc/user_attr
> tomcat::::defaultpriv=basic,net_privaddr
>
> --
>
> Petr
--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: relation between Tomcat and Apache Commons
Posted by Petr Sumbera <Pe...@Sun.COM>.
Caldarale, Charles R wrote:
>
>> From: Andrew Ralph Feller, afelle1 [mailto:afelle1@lsu.edu]
>> Subject: Re: relation between Tomcat and Apache Commons
>>
>> it seems possible to run Tomcat on a non-privileged port with a
>> non-root account and have requests for port 443 redirected to
>> Tomcat's listening port.
>
> Of course - but it requires additional configuration (e.g., iptables,
> firewall). Using jsvc may be simpler and avoid dependencies external to
> Tomcat.
>
What I have just found is that jsvc enables Tomcat to bind privileged port
only on Linux (it's using capabilities).
For example on Solaris one need to add net_privadd privilege for Tomcat
user. This can be done by modifying /etc/user_attr. In such case I believe
there is no need for jsvc.
grep tomcat /etc/user_attr
tomcat::::defaultpriv=basic,net_privaddr
--
Petr
--
View this message in context: http://www.nabble.com/relation-between-Tomcat-and-Apache-Commons-tp20145816p20268834.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: relation between Tomcat and Apache Commons
Posted by "Andrew Ralph Feller, afelle1" <af...@lsu.edu>.
That is a good point.
What is your preferred method of running Tomcat? JSVC? Startup / shutdown
scripts? Front-end with Apache HTTP server? Standalone?
A-
On 10/30/08 3:49 PM, "Caldarale, Charles R" <Ch...@unisys.com>
wrote:
>> From: Andrew Ralph Feller, afelle1 [mailto:afelle1@lsu.edu]
>> Subject: Re: relation between Tomcat and Apache Commons
>>
>> it seems possible to run Tomcat on a non-privileged port with a
>> non-root account and have requests for port 443 redirected to
>> Tomcat's listening port.
>
> Of course - but it requires additional configuration (e.g., iptables,
> firewall). Using jsvc may be simpler and avoid dependencies external to
> Tomcat.
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: relation between Tomcat and Apache Commons
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Andrew Ralph Feller, afelle1 [mailto:afelle1@lsu.edu]
> Subject: Re: relation between Tomcat and Apache Commons
>
> it seems possible to run Tomcat on a non-privileged port with a
> non-root account and have requests for port 443 redirected to
> Tomcat's listening port.
Of course - but it requires additional configuration (e.g., iptables, firewall). Using jsvc may be simpler and avoid dependencies external to Tomcat.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: relation between Tomcat and Apache Commons
Posted by "Andrew Ralph Feller, afelle1" <af...@lsu.edu>.
Chuck,
I'm already following up on this on a different thread, however it seems
possible to run Tomcat on a non-privileged port with a non-root account and
have requests for port 443 redirected to Tomcat's listening port. This way
Tomcat can run as non-root and no need to compile and use JSVC. I haven't
done this yet, which is why I started the "JSVC vs startup / shutdown
scripts" thread.
Would love your $0.02,
A-
On 10/30/08 1:56 PM, "Caldarale, Charles R" <Ch...@unisys.com>
wrote:
>> From: Petr Sumbera [mailto:Petr.Sumbera@Sun.COM]
>> Subject: Re: relation between Tomcat and Apache Commons
>>
>> Btw I don't see any benefit using jsvc. Is somebody using it? Why?
>
> Judging from the comments on this list, many people are using it. The primary
> reason is to avoid running Tomcat as root (principle of least privilege) when
> using ports 80 and 443.
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: relation between Tomcat and Apache Commons
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Petr Sumbera [mailto:Petr.Sumbera@Sun.COM]
> Subject: Re: relation between Tomcat and Apache Commons
>
> Btw I don't see any benefit using jsvc. Is somebody using it? Why?
Judging from the comments on this list, many people are using it. The primary reason is to avoid running Tomcat as root (principle of least privilege) when using ports 80 and 443.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: relation between Tomcat and Apache Commons
Posted by Petr Sumbera <Pe...@Sun.COM>.
Rainer Jung-3 wrote:
>
> Commons collections seems to be a relict and not really used.
> DBCP and pool is contained in tomcat-dbcp.jar. We ranem the packages in
> order to make to dbcp and pool classes independant of any webapp bundled
> dbcp or pool versions.
>
And how about commons-daemon.jar in bin directory?
According to http://tomcat.apache.org/tomcat-6.0-doc/setup.html it is used
with jsvc only.
Btw I don't see any benefit using jsvc. Is somebody using it? Why?
Thanks,
Petr
--
View this message in context: http://www.nabble.com/relation-between-Tomcat-and-Apache-Commons-tp20145816p20251071.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: relation between Tomcat and Apache Commons
Posted by Rainer Jung <ra...@kippdata.de>.
PetrS schrieb:
>
> Rainer Jung-3 wrote:
> And what about Eclipse JDT Runtime Binary? Are these also renamed into
> jasper-jdt.jar? The same reason?
Here it's slightly different: The jar file used to include JDT is named
non-standard, but the classes contained in it still have the original
org.eclipse.jdt package names. JDT is used by Tomcat to compile JSPs.
> There are also some other dependencies which doesn't seem to be used on
> Solaris and can be removed from build.xml:
> tcnative-1.dll, nsis.exe. Are these used just on Windows?
nsis.exe: Nullsoft Installer, Windows only
tcnative-1.dll: Tomcat Native connector. For Windows we provide a
prepackaged installer which includes tcnative. For all other platforms
you have to download, compile and install tcnative yourself (if you want
to use it). So the dll in build.xml is only relevant for Windows, but
providing a tcnative-1.so could be an optional task when including
Tomcat into an OpenSolaris distribution.
Regards,
Rainer
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: relation between Tomcat and Apache Commons
Posted by PetrS <Pe...@Sun.COM>.
Rainer Jung-3 wrote:
>
> Commons collections seems to be a relict and not really used.
> DBCP and pool is contained in tomcat-dbcp.jar. We ranem the packages in
> order to make to dbcp and pool classes independant of any webapp bundled
> dbcp or pool versions.
>
And what about Eclipse JDT Runtime Binary? Are these also renamed into
jasper-jdt.jar? The same reason?
There are also some other dependencies which doesn't seem to be used on
Solaris and can be removed from build.xml:
tcnative-1.dll, nsis.exe. Are these used just on Windows?
Thanks,
Petr
--
View this message in context: http://www.nabble.com/relation-between-Tomcat-and-Apache-Commons-tp20145816p20149674.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: relation between Tomcat and Apache Commons
Posted by Rainer Jung <ra...@kippdata.de>.
Petr Sumbera schrieb:
> Hi Tomcat gurus,
>
> The question I have is rather philosophical and not really technical
> (I'm evaluating Tomcat 6 integration into OpenSolaris).
>
> While compiling Tomcat 6.0.16 it requires:
>
> Apache Commons Daemon
> Apache Commons Collections
> Apache Commons DBCP
> Apache Commons Pool
>
> But after compilation I see just commons-daemon.jar. Where are the others?
Commons collections seems to be a relict and not really used.
DBCP and pool is contained in tomcat-dbcp.jar. We ranem the packages in
order to make to dbcp and pool classes independant of any webapp bundled
dbcp or pool versions.
The renaming is done by an ant target named "build-tomcat-dbcp" in our
main build.xml.
Which version gets used for a Tomcat release is decided when doing the
release, usually it's the latest one. Technically the information is
contained in build.properties.default.
There is a very recent discussion about providing an alternative
database pool, the code was brought into our repos this week. We might
provide it as an alternative pool and some time in the future this
implementation might become the default database pool for Tomcat. But
this is far from being decided.
> Is there 1-1 mapping between Apache Commons module version and Tomcat
> version? I mean, new version of Apache common module (e.g fixing
> security issue) results in new Tomcat version?
No strict mapping. Of course if the dbcp bug is *very* serious, it's not
unlikely, that there will be Tomcat release.
Regards,
Rainer
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org