Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2007/10/21 05:04:57 UTC

[Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Please note that an additional patch has been developed as a result of
further investigation.

A vulnerability in the Apache Tomcat webdav servlet was publicly
disclosed on full-disclosure on 14-Oct-2007.[1]

The Tomcat security team has evaluated this vulnerability and
determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x
are not affected.

In order to be affected systems must have:
- one or more contexts configured for webdav using Tomcat's built-in
  webdav implementation
- enabled write capability via webdav

Note:
- Tomcat 6.0.x has no webdav enabled contexts by default
- Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context
  (/webdav) by default

Systems with write-enabled webdav contexts that use Tomcat's built-in
webdav servlet are exposed to this vulnerability which, for such
systems, is important.

The mitigations available are:
- Disable write access until a fixed version is released
- Limit write access to trusted users
- Apply the following patch which will be included in the next
  releases of 6.0.x, 5.5.x and 4.1.x

Index: src/share/org/apache/catalina/servlets/WebdavServlet.java
===================================================================
- --- src/share/org/apache/catalina/servlets/WebdavServlet.java
(revision 584648)
+++ src/share/org/apache/catalina/servlets/WebdavServlet.java	(working
copy)
@@ -252,6 +252,7 @@
         try {
             documentBuilderFactory =
DocumentBuilderFactory.newInstance();
             documentBuilderFactory.setNamespaceAware(true);
+            documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder =
documentBuilderFactory.newDocumentBuilder();
         } catch(ParserConfigurationException e) {
             throw new ServletException
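
Review bot: the added setExpandEntityReferences(false) line has no comment saying it is there to keep entity references in request bodies from being expanded, so it reads like an incidental parser setting and is easy to drop in a later cleanup. Add a one-line comment above it, and do not treat the flag as sufficient on its own: the WebdavResolver Javadoc later in this message states that some XML parsers do not fully respect it.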



** Additional Patch **
Index: org/apache/catalina/servlets/LocalStrings.properties
===================================================================
- --- org/apache/catalina/servlets/LocalStrings.properties	(revision
586817)
+++ org/apache/catalina/servlets/LocalStrings.properties	(working copy)
@@ -25,6 +25,7 @@
 invokerServlet.notNamed=Cannot call invoker servlet with a named
dispatcher
 invokerServlet.noWrapper=Container has not called setWrapper() for
this servlet
 webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference
to an external entity with PublicID {0} and SystemID {1} which was ignored
 directory.filename=Filename
 directory.lastModified=Last Modified
 directory.parent=Up To {0}
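
Review bot: the key on the added line is spelled webdavservlet.enternalEntityIgnored and should be webdavservlet.externalEntityIgnored. The lookup only works because the sm.getString call in WebdavServlet.java repeats the same misspelling, so rename the key and the call together before this ships.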
Index: org/apache/catalina/servlets/WebdavServlet.java
===================================================================
- --- org/apache/catalina/servlets/WebdavServlet.java	(revision 586817)
+++ org/apache/catalina/servlets/WebdavServlet.java	(working copy)
@@ -20,6 +20,7 @@


 import java.io.IOException;
+import java.io.StringReader;
 import java.io.StringWriter;
 import java.io.Writer;
 import java.security.MessageDigest;
@@ -36,6 +37,7 @@
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.UnavailableException;
 import javax.servlet.http.HttpServletRequest;
@@ -57,6 +59,7 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;

@@ -245,6 +248,8 @@
             documentBuilderFactory.setNamespaceAware(true);
             documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder =
documentBuilderFactory.newDocumentBuilder();
+            documentBuilder.setEntityResolver(
+                    new WebdavResolver(this.getServletContext()));
         } catch(ParserConfigurationException e) {
             throw new ServletException
                 (sm.getString("webdavservlet.jaxpfailed"));
@@ -2779,6 +2784,26 @@
     }


+    // --------------------------------------------- WebdavResolver
Inner Class
+    /**
+     * Work around for XML parsers that don't fully respect
+     * {@link
DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+     * references are filtered out for security reasons. See
CVE-2007-5461.
+     */
+    private class WebdavResolver implements EntityResolver {
+        private ServletContext context;
+
+        public WebdavResolver(ServletContext theContext) {
+            context = theContext;
+        }
+
+        public InputSource resolveEntity (String publicId, String
systemId) {
+
context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+                    publicId, systemId));
+            return new InputSource(
+                    new StringReader("Ignored external entity"));
+        }
+    }
 };
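
Review bot: resolveEntity logs publicId and systemId, both taken from the request body, once per external entity with no limit and no sanitising, so a client decides how much is written to the log and what it contains. Cap the number of messages, or strip control characters and truncate the two values before logging them. The returned "Ignored external entity" string also becomes the entity's replacement text and so ends up in the parsed document; an empty StringReader avoids passing placeholder content to the code that reads the DOM.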

[1]
http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0371.html

- ---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org




Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by Costin Manolache <co...@gmail.com>.
What is apache doing ? Better be consistent, both sides (log or no log) have
value.

( log - good to know it's happening, no-log - don't want to fill the logs
with garbage if they do it from  lots of machines / drones )

Costin
What is

On 10/21/07, Rémy Maucherat <re...@apache.org> wrote:
>
> On Sat, 2007-10-20 at 23:04 -0400, Mark Thomas wrote:
> > The mitigations available are:
> > - Disable write access until a fixed version is released
> > - Limit write access to trusted users
> > - Apply the following patch which will be included in the next
> >   releases of 6.0.x, 5.5.x and 4.1.x
>
> Since it's an obvious hacking attempt, I chose to use this method
> instead:
>             documentBuilder.setEntityResolver
>                 (new EntityResolver() {
>                     public InputSource resolveEntity(String publicId, String systemId)
>                         throws SAXException, IOException {
>                         return new InputSource(new StringReader(""));
>                     }
>                 });
>
> -> no logging, replace with blank text (I was using an ISE right before
> instead of an input source, but there's no real justification)
>
> Rémy
>
>
>
>
>
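
The two resolver variants discussed in this thread (placeholder text with logging, as in the patch, and blank text without logging, as in the quoted reply), plus a capped-logging middle ground for the concern about filling the logs, shown as an added example that is not Tomcat's code. The class names, the log cap and the sample document are assumptions made for illustration.

```java
import java.io.StringReader;
import java.util.concurrent.atomic.AtomicInteger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

public class WebdavEntityResolverDemo {

    /**
     * Never dereferences an external identifier. The replacement text and the
     * logging budget are parameters so the variants from the thread can be
     * compared side by side. (Hypothetical class, not part of Tomcat.)
     */
    static final class IgnoringResolver implements EntityResolver {
        private final String replacement;
        private final int logBudget;                  // 0 = never log
        private final AtomicInteger ignored = new AtomicInteger();

        IgnoringResolver(String replacement, int logBudget) {
            this.replacement = replacement;
            this.logBudget = logBudget;
        }

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            int n = ignored.incrementAndGet();
            if (n <= logBudget) {
                // Both identifiers come from the request body: strip control
                // characters and cap the length before they reach a log.
                System.out.println("ignored external entity publicId="
                        + clean(publicId) + " systemId=" + clean(systemId));
            } else if (logBudget > 0 && n == logBudget + 1) {
                System.out.println("further external entity messages suppressed");
            }
            // A fresh in-memory source: the parser reads this instead of
            // opening the system identifier.
            return new InputSource(new StringReader(replacement));
        }

        int ignoredCount() {
            return ignored.get();
        }

        private static String clean(String s) {
            if (s == null) {
                return "null";
            }
            String t = s.replaceAll("\\p{Cntrl}", "?");
            return t.length() > 80 ? t.substring(0, 80) + "..." : t;
        }
    }

    /** Configures the parser as the patch does and returns the root element's text. */
    static String parse(String xml, EntityResolver resolver) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setEntityResolver(resolver);
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document; the system identifier is a placeholder.
        String body =
              "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE request [\n"
            + "  <!ENTITY ext SYSTEM \"file:///constructed/placeholder.txt\">\n"
            + "]>\n"
            + "<request><comment>before &ext; after</comment></request>";

        IgnoringResolver logged = new IgnoringResolver("Ignored external entity", Integer.MAX_VALUE);
        IgnoringResolver silent = new IgnoringResolver("", 0);
        IgnoringResolver capped = new IgnoringResolver("", 2);

        System.out.println("placeholder text -> [" + parse(body, logged) + "]");
        System.out.println("blank text       -> [" + parse(body, silent) + "]");
        for (int i = 0; i < 5; i++) {
            parse(body, capped);
        }
        System.out.println("capped resolver ignored " + capped.ignoredCount() + " references");
    }
}
```

The first two output lines show what the code reading the DOM receives under each variant, which is the practical difference between returning placeholder text and returning nothing.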

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by "William L. Thomson Jr." <wl...@gentoo.org>.
On Tue, 2007-10-23 at 00:39 +0100, Mark Thomas wrote:
> William L. Thomson Jr. wrote:
> 
> > Mostly because
> > to my understanding one must be authorized in webdav or etc to be able
> > to exploit the vulnerability.
> 
> To be clear, authorisation is not required for this vulnerability. Of
> course, if you open up write access without authorisation then you are
> taking on a whole bunch of other risks.

Thanks for the clarification.

This was misleading
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5461

This one is not as clear, but implies via remote authenticated users
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461

Could be all are assuming no one in their right educated mind would open
write access up to the world. But ya never know :)

-- 
William L. Thomson Jr.
Gentoo/Java

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by Mark Thomas <ma...@apache.org>.
William L. Thomson Jr. wrote:

> Mostly because
> to my understanding one must be authorized in webdav or etc to be able
> to exploit the vulnerability.

To be clear, authorisation is not required for this vulnerability. Of
course, if you open up write access without authorisation then you are
taking on a whole bunch of other risks.

Mark




RE: Measuring bytes sent and received from and to Tomcat

Posted by Dave Rathnow <Da...@umsltd.com>.
For our application, it's not that complicated.  All we need to know is
the number of bytes sent and received over the wire. We aren't using
SSL, redirects, etc.  
 

-----Original Message-----
From: Johnny Kewl [mailto:john@kewlstuff.co.za] 
Sent: October 22, 2007 11:26 PM
To: Tomcat Developers List
Subject: Re: Measuring bytes sent and received from and to Tomcat


------------------------------------------------------------------------
---
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool application server
------------------------------------------------------------------------
---
----- Original Message -----
From: "Dave Rathnow" <Da...@umsltd.com>
To: "Tomcat Developers List" <de...@tomcat.apache.org>
Sent: Monday, October 22, 2007 10:00 PM
Subject: Measuring bytes sent and received from and to Tomcat

=====================================================
Hi there, interesting question, more I think about it, more complicated
it gets ;)

Dont think its easy from TC, its too sophisticated, compression, SSL,
redirects, dispatches, clustering... think its hard to get a true
network measurement.

I would plunder something like TCPMon
https://tcpmon.dev.java.net/source/browse/tcpmon/
Its a NB plugin so can play with it first....

Its really just a (bind - client) ie port 8080 to 8081 type idea - so
its easy to install, and easy to setup across multiple sites, clusters
etc etc.

Steal this (relay or tunnel) code and just mod it... I think you will be
able to modify it for client IP's cookies, special headers... anything
and then call it from a browser and get client billing breakdowns.... 
maybe...

==============================================
We have an application that collects data from, and sends data to,
remote embedded devices.  Traditionally we have used TCP and UDP to send
and receive data over satellite.  The latest release of our product will
be using other communication medium with our devices making HTTP request
to our application that is running under JBoss/Tomcat.

The way we bill our clients is by charging them a usage fee based on the
number of bytes being sent over the air/wire.  Because of this, we need
to have an accurate count of the number of bytes sent and received from
each site, which is uniquely identified by its IP address.  Using
either UDP or TCP this is simple as we are in control of the end
socket.

Is there a way we can do the same thing with Tomcat?  It's simple for us
to measure the number of bytes in the payload of the HTTP
request/response, however that isn't enough.  We need to know the total
number of bytes being sent and received for each HTTP request.

Can someone suggest a way I could get an accurate count of these bytes?

Thanks,
Dave.



Re: Measuring bytes sent and received from and to Tomcat

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
---------------------------------------------------------------------------
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool application server
---------------------------------------------------------------------------
----- Original Message ----- 
From: "Dave Rathnow" <Da...@umsltd.com>
To: "Tomcat Developers List" <de...@tomcat.apache.org>
Sent: Monday, October 22, 2007 10:00 PM
Subject: Measuring bytes sent and received from and to Tomcat

=====================================================
Hi there, interesting question, more I think about it, more complicated it 
gets ;)

Dont think its easy from TC, its too sophisticated, compression, SSL, 
redirects, dispatches, clustering... think its hard to get a true network 
measurement.

I would plunder something like TCPMon 
https://tcpmon.dev.java.net/source/browse/tcpmon/
Its a NB plugin so can play with it first....

Its really just a (bind - client) ie port 8080 to 8081 type idea - so its 
easy to install, and easy to setup across multiple sites, clusters etc etc.

Steal this (relay or tunnel) code and just mod it... I think you will be 
able to modify it for client IP's cookies, special headers... anything
and then call it from a browser and get client billing breakdowns.... 
maybe...

==============================================
We have an application that collects data from, and sends data to,
remote embedded devices.  Traditionally we have used TCP and UDP to send
and receive data over satellite.  The latest release of our product will
be using other communication medium with our devices making HTTP request
to our application that is running under JBoss/Tomcat.

The way we bill our clients is by charging them a usage fee based on the
number of bytes being sent over the air/wire.  Because of this, we need
to have an accurate count of the number of bytes sent and received from
each site, which is uniquely identified by its IP address.  Using
either UDP or TCP this is simple as we are in control of the end
socket.

Is there a way we can do the same thing with Tomcat?  It's simple for us
to measure the number of bytes in the payload of the HTTP
request/response, however that isn't enough.  We need to know the total
number of bytes being sent and received for each HTTP request.

Can someone suggest a way I could get an accurate count of these bytes?

Thanks,
Dave.



Re: Measuring bytes sent and received from and to Tomcat

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
it's very easy, take a look at
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/InternalOutputBuffer.java?view=markup

then look for (case sensitive search)
outputStream.write(

and that is where we write bytes to the socket, just modify this class 
for your own purposes

Filip

Dave Rathnow wrote:
> I took a look at lamdaprobe but it only counts the payload and not the
> HTTP request.
>
> Back to my original question.....can anyone help?
>
>
> -----Original Message-----
> From: Henri Gomez [mailto:henri.gomez@gmail.com] 
> Sent: October 26, 2007 05:31 AM
> To: Tomcat Developers List
> Subject: Re: Measuring bytes sent and received from and to Tomcat
>
> Well it should works since the Lamba Probe, got these numbers for HTTP
> and AJP.
>
> ie :
>
> http://www.lambdaprobe.org/d/screenshots/full/charts.png
>
> Regards
>
> 2007/10/25, Dave Rathnow <Da...@umsltd.com>:
>   
>> Hello Again,
>>
>> I was wondering if someone could give me some help with this.  I think
>>     
>
>   
>> using a connector is probably the way to go to solve this problem; 
>> however, I'm not sure where to start.  How do I create my own 
>> connector and the plumb it into Tomcat so it will be used. I will be 
>> using a separate port other than 8080 for the devices that will be 
>> sending and receiveing data so, if possible, I would like to leave the
>>     
>
>   
>> default connector on port 8080.
>>
>> Again, I don't want to reimplement the code that parses the HTTP.  All
>>     
>
>   
>> I need to do is count the number of bytes arriving and being sent so 
>> if I can reuse code from an existing connector, that would be great.
>>
>> Thanks,
>> Dave.
>>
>> -----Original Message-----
>> From: costin@gmail.com [mailto:costin@gmail.com] On Behalf Of Costin 
>> Manolache
>> Sent: October 22, 2007 04:50 PM
>> To: Dave Rathnow
>> Cc: Tomcat Developers List
>> Subject: Re: Measuring bytes sent and received from and to Tomcat
>>
>> Well, if you want absolute byte - connector seems the only place, 
>> there are space and tabs beeing skipped when parsing headers, etc.
>>
>> If you are ok with an estimate - the AccessLogValve is ok, add all the
>>     
>
>   
>> header lengths + method + http/1.1. You'll miss bytes for encodings, 
>> spaces.
>>
>> Re. where to add - each connector is different on how it reads/parse 
>> the message, you probably want to do it close to the 'read()' call, 
>> save it somewhere associated with the request ( a note or attribute ) 
>> and read it in a valve or filter.
>>
>> Costin
>>
>>
>> On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
>>     
>>> I looked at connectors but wasn't sure if this was what I wanted.  
>>> To avoid anther wild goose chase I decided to ask.  Can you point me
>>>       
>
>   
>>> in the direction of some documentation where I might be able to get
>>>       
>> started?
>>     
>>> Dave.
>>>
>>> -----Original Message-----
>>> From: Costin Manolache [mailto:costin@gmail.com]
>>> Sent: October 22, 2007 04:28 PM
>>> To: Tomcat Developers List
>>> Subject: Re: Measuring bytes sent and received from and to Tomcat
>>>
>>> 'bytes' should be counted at a lower level, in connector. I'm not 
>>> sure
>>>       
>>> this is something generic enough - but you can make some changes to 
>>> your tomcat, where read() is done from socket.
>>>
>>> I guess it would be nice to have a JMX graph with bytes/sec in/out.
>>>
>>> Costin
>>> 'bytes'
>>>
>>> On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
>>>       
>>>> We looked at using a valve but we weren't sure if it would work.
>>>> Correct me if I'm wrong, but it appears as though valves are 
>>>> chained
>>>>         
>>>> together in a calling sequence and that some valves could change 
>>>> the
>>>>         
>>>> content of the request or response.  This means we may not get an 
>>>> accurate measure of the number of total number bytes that make up 
>>>> the request.
>>>>
>>>> Also, the AccessLogValve has a pattern code to get the number of 
>>>> bytes
>>>>         
>>>> sent, excluding the HTTP headers, but does not have a pattern code
>>>>         
>
>   
>>>> to get the number of bytes sent, including the HTTP headers, which
>>>>         
>
>   
>>>> is what we really need.
>>>>
>>>> Have I missed something?
>>>>
>>>> Dave.
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On 
>>>> Behalf
>>>>         
>>>> Of Yoav Shapira
>>>> Sent: October 22, 2007 02:36 PM
>>>> To: Tomcat Developers List
>>>> Subject: Re: Measuring bytes sent and received from and to Tomcat
>>>>
>>>> Hey,
>>>>
>>>> On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
>>>>         
>>>>> Is there a way we can do the same thing with Tomcat?  It's 
>>>>> simple for us to measure the number of byte in the payload of 
>>>>> the HTTP request/response, however that isn't enough.  We need 
>>>>> to know the total number of bytes being sent and received for 
>>>>> each HTTP
>>>>>           
>> request.
>>     
>>>>> Can someone suggest a way I could get an accurate count of these
>>>>>           
>>>> bytes?
>>>>
>>>> You can probably start with the AccessLogValve that ships with
>>>>         
>> Tomcat:
>>     
>>>> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
>>>>
>>>> Out of the box it will get you the complete bytes in the response.
>>>> See the above docs on how to configure that.  If you want to log 
>>>> the
>>>>         
>>>> complete bytes on the request, I think you'll have to extend the 
>>>> Valve, but it should be pretty easy to do.
>>>>
>>>> Yoav
>>>>




Re: Measuring bytes sent and received from and to Tomcat

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
---------------------------------------------------------------------------
HARBOR: http://coolharbor.100free.com/index.htm
Now Tomcat is also a cool pojo application server
---------------------------------------------------------------------------

David, have you looked at this... 
https://tcpmon.dev.java.net/source/browse/tcpmon/

Its going to be easy... because it almost does what you want already.

It does mean that in TC you will change the connector port to say 8081
But the clients will still see 8080

ie [Client whether that be Browser or Apache] --- 8080[Billing 
System]8081 ----- [TC]

So you dont mess with TC's internal stable code (what are you going to do 
with the data if you do that?).... keep it outside.
If you start writing reports to disk from TC's buffer socket.... I think you 
going to kill TC's performance, so then you going to want to sneak the data 
into a filter or create a special header.... oh boy!

Now... if you build your tunnel (Billing System) in a servlet....

From your admin port say (8085) you from a browser, simple start/stop 
Billing System.

As soon as that happens clients can see TC, and if the billing system is 
off.... clients are off.
Then you also have a way to get data.... you can ask the Billing System... 
how many bytes for Client IP xyz (its a servlet), etc.

When you business get huge with load sharing and remote offices.... the 
billing system is just a servlet, so its easy.

I would keep it outside of TC.... but put it in a servlet.

If you CVS that software down I think you going to find the relay socket 
logic is probably 30 lines of code... it listens and forwards, cant be too 
bad...

And then... if you want (unlikely) you embed your special servlet in TC, and 
add some xml configuration...
My 1/2 cent worth ;)


----- Original Message ----- 
From: "Dave Rathnow" <Da...@umsltd.com>
To: "Tomcat Developers List" <de...@tomcat.apache.org>
Sent: Friday, October 26, 2007 11:58 PM
Subject: RE: Measuring bytes sent and received from and to Tomcat



I took a look at lamdaprobe but it only counts the payload and not the
HTTP request.

Back to my original question.....can anyone help?


-----Original Message-----
From: Henri Gomez [mailto:henri.gomez@gmail.com]
Sent: October 26, 2007 05:31 AM
To: Tomcat Developers List
Subject: Re: Measuring bytes sent and received from and to Tomcat

Well it should works since the Lamba Probe, got these numbers for HTTP
and AJP.

ie :

http://www.lambdaprobe.org/d/screenshots/full/charts.png

Regards

2007/10/25, Dave Rathnow <Da...@umsltd.com>:
>
> Hello Again,
>
> I was wondering if someone could give me some help with this.  I think

> using a connector is probably the way to go to solve this problem;
> however, I'm not sure where to start.  How do I create my own
> connector and the plumb it into Tomcat so it will be used. I will be
> using a separate port other than 8080 for the devices that will be
> sending and receiveing data so, if possible, I would like to leave the

> default connector on port 8080.
>
> Again, I don't want to reimplement the code that parses the HTTP.  All

> I need to do is count the number of bytes arriving and being sent so
> if I can reuse code from an existing connector, that would be great.
>
> Thanks,
> Dave.
>
> -----Original Message-----
> From: costin@gmail.com [mailto:costin@gmail.com] On Behalf Of Costin
> Manolache
> Sent: October 22, 2007 04:50 PM
> To: Dave Rathnow
> Cc: Tomcat Developers List
> Subject: Re: Measuring bytes sent and received from and to Tomcat
>
> Well, if you want absolute byte - connector seems the only place,
> there are space and tabs beeing skipped when parsing headers, etc.
>
> If you are ok with an estimate - the AccessLogValve is ok, add all the

> header lengths + method + http/1.1. You'll miss bytes for encodings,
> spaces.
>
> Re. where to add - each connector is different on how it reads/parse
> the message, you probably want to do it close to the 'read()' call,
> save it somewhere associated with the request ( a note or attribute )
> and read it in a valve or filter.
>
> Costin
>
>
> On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> >
> >
> > I looked at connectors but wasn't sure if this was what I wanted.
> > To avoid anther wild goose chase I decided to ask.  Can you point me

> > in the direction of some documentation where I might be able to get
> started?
> >
> > Dave.
> >
> > -----Original Message-----
> > From: Costin Manolache [mailto:costin@gmail.com]
> > Sent: October 22, 2007 04:28 PM
> > To: Tomcat Developers List
> > Subject: Re: Measuring bytes sent and received from and to Tomcat
> >
> > 'bytes' should be counted at a lower level, in connector. I'm not
> > sure
>
> > this is something generic enough - but you can make some changes to
> > your tomcat, where read() is done from socket.
> >
> > I guess it would be nice to have a JMX graph with bytes/sec in/out.
> >
> > Costin
> > 'bytes'
> >
> > On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> > >
> > >
> > > We looked at using a valve but we weren't sure if it would work.
> > > Correct me if I'm wrong, but it appears as though valves are
> > > chained
>
> > > together in a calling sequence and that some valves could change
> > > the
>
> > > content of the request or response.  This means we may not get an
> > > accurate measure of the number of total number bytes that make up
> > > the request.
> > >
> > > Also, the AccessLogValve has a pattern code to get the number of
> > > bytes
> >
> > > sent, excluding the HTTP headers, but does not have a pattern code

> > > to get the number of bytes sent, including the HTTP headers, which

> > > is what we really need.
> > >
> > > Have I missed something?
> > >
> > > Dave.
> > >
> > >
> > > -----Original Message-----
> > > From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On
> > > Behalf
>
> > > Of Yoav Shapira
> > > Sent: October 22, 2007 02:36 PM
> > > To: Tomcat Developers List
> > > Subject: Re: Measuring bytes sent and received from and to Tomcat
> > >
> > > Hey,
> > >
> > > On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> > > > Is there a way we can do the same thing with Tomcat?  It's
> > > > simple for us to measure the number of byte in the payload of
> > > > the HTTP request/response, however that isn't enough.  We need
> > > > to know the total number of bytes being sent and received for
> > > > each HTTP
> request.
> > > >
> > > > Can someone suggest a way I could get an accurate count of these
> > > bytes?
> > >
> > > You can probably start with the AccessLogValve that ships with
> Tomcat:
> > > http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
> > >
> > > Out of the box it will get you the complete bytes in the response.
> > > See the above docs on how to configure that.  If you want to log
> > > the
>
> > > complete bytes on the request, I think you'll have to extend the
> > > Valve, but it should be pretty easy to do.
> > >
> > > Yoav
> > >
> > > ------------------------------------------------------------------
> > > --
> > > - To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For
> > > additional commands, e-mail: dev-help@tomcat.apache.org
> > >
> > >
> > > ------------------------------------------------------------------
> > > --
> > > - To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For
> > > additional commands, e-mail: dev-help@tomcat.apache.org
> > >
> > >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For
> additional commands, e-mail: dev-help@tomcat.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional
commands, e-mail: dev-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


RE: Measuring bytes sent and received from and to Tomcat

Posted by Dave Rathnow <Da...@umsltd.com>.
I took a look at lamdaprobe but it only counts the payload and not the
HTTP request.

Back to my original question.....can anyone help?


-----Original Message-----
From: Henri Gomez [mailto:henri.gomez@gmail.com] 
Sent: October 26, 2007 05:31 AM
To: Tomcat Developers List
Subject: Re: Measuring bytes sent and received from and to Tomcat

Well it should works since the Lamba Probe, got these numbers for HTTP
and AJP.

ie :

http://www.lambdaprobe.org/d/screenshots/full/charts.png

Regards

2007/10/25, Dave Rathnow <Da...@umsltd.com>:
>
> Hello Again,
>
> I was wondering if someone could give me some help with this.  I think
> using a connector is probably the way to go to solve this problem;
> however, I'm not sure where to start.  How do I create my own
> connector and then plumb it into Tomcat so it will be used? I will be
> using a separate port other than 8080 for the devices that will be
> sending and receiving data so, if possible, I would like to leave the
> default connector on port 8080.
>
> Again, I don't want to reimplement the code that parses the HTTP.  All
> I need to do is count the number of bytes arriving and being sent so
> if I can reuse code from an existing connector, that would be great.
>
> Thanks,
> Dave.
>
> -----Original Message-----
> From: costin@gmail.com [mailto:costin@gmail.com] On Behalf Of Costin
> Manolache
> Sent: October 22, 2007 04:50 PM
> To: Dave Rathnow
> Cc: Tomcat Developers List
> Subject: Re: Measuring bytes sent and received from and to Tomcat
>
> Well, if you want absolute byte - connector seems the only place,
> there are spaces and tabs being skipped when parsing headers, etc.
>
> If you are ok with an estimate - the AccessLogValve is ok, add all the
> header lengths + method + http/1.1. You'll miss bytes for encodings,
> spaces.
>
> Re. where to add - each connector is different on how it reads/parses
> the message, you probably want to do it close to the 'read()' call,
> save it somewhere associated with the request ( a note or attribute )
> and read it in a valve or filter.
>
> Costin
>
>
> On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> >
> >
> > I looked at connectors but wasn't sure if this was what I wanted.
> > To avoid another wild goose chase I decided to ask.  Can you point me
> > in the direction of some documentation where I might be able to get
> > started?
> >
> > Dave.
> >
> > -----Original Message-----
> > From: Costin Manolache [mailto:costin@gmail.com]
> > Sent: October 22, 2007 04:28 PM
> > To: Tomcat Developers List
> > Subject: Re: Measuring bytes sent and received from and to Tomcat
> >
> > 'bytes' should be counted at a lower level, in connector. I'm not
> > sure this is something generic enough - but you can make some changes
> > to your tomcat, where read() is done from socket.
> >
> > I guess it would be nice to have a JMX graph with bytes/sec in/out.
> >
> > Costin
> > 'bytes'
> >
> > On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> > >
> > >
> > > We looked at using a valve but we weren't sure if it would work.
> > > Correct me if I'm wrong, but it appears as though valves are
> > > chained together in a calling sequence and that some valves could
> > > change the content of the request or response.  This means we may
> > > not get an accurate measure of the total number of bytes that make
> > > up the request.
> > >
> > > Also, the AccessLogValve has a pattern code to get the number of
> > > bytes sent, excluding the HTTP headers, but does not have a pattern
> > > code to get the number of bytes sent, including the HTTP headers,
> > > which is what we really need.
> > >
> > > Have I missed something?
> > >
> > > Dave.
> > >
> > >
> > > -----Original Message-----
> > > From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On
> > > Behalf Of Yoav Shapira
> > > Sent: October 22, 2007 02:36 PM
> > > To: Tomcat Developers List
> > > Subject: Re: Measuring bytes sent and received from and to Tomcat
> > >
> > > Hey,
> > >
> > > On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> > > > Is there a way we can do the same thing with Tomcat?  It's
> > > > simple for us to measure the number of bytes in the payload of
> > > > the HTTP request/response, however that isn't enough.  We need
> > > > to know the total number of bytes being sent and received for
> > > > each HTTP request.
> > > >
> > > > Can someone suggest a way I could get an accurate count of these
> > > > bytes?
> > >
> > > You can probably start with the AccessLogValve that ships with
> > > Tomcat:
> > > http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
> > >
> > > Out of the box it will get you the complete bytes in the response.
> > > See the above docs on how to configure that.  If you want to log
> > > the complete bytes on the request, I think you'll have to extend
> > > the Valve, but it should be pretty easy to do.
> > >
> > > Yoav



Re: Measuring bytes sent and received from and to Tomcat

Posted by Henri Gomez <he...@gmail.com>.
Well, it should work, since Lambda Probe got these numbers for HTTP and AJP.

i.e.:

http://www.lambdaprobe.org/d/screenshots/full/charts.png

Regards

2007/10/25, Dave Rathnow <Da...@umsltd.com>:
>
> Hello Again,
>
> I was wondering if someone could give me some help with this.  I think
> using a connector is probably the way to go to solve this problem;
> however, I'm not sure where to start.  How do I create my own connector
> and then plumb it into Tomcat so it will be used? I will be using a
> separate port other than 8080 for the devices that will be sending and
> receiving data so, if possible, I would like to leave the default
> connector on port 8080.
>
> Again, I don't want to reimplement the code that parses the HTTP.  All I
> need to do is count the number of bytes arriving and being sent so if I
> can reuse code from an existing connector, that would be great.
>
> Thanks,
> Dave.
>
> -----Original Message-----
> From: costin@gmail.com [mailto:costin@gmail.com] On Behalf Of Costin
> Manolache
> Sent: October 22, 2007 04:50 PM
> To: Dave Rathnow
> Cc: Tomcat Developers List
> Subject: Re: Measuring bytes sent and received from and to Tomcat
>
> Well, if you want absolute byte - connector seems the only place, there
> are spaces and tabs being skipped when parsing headers, etc.
>
> If you are ok with an estimate - the AccessLogValve is ok, add all the
> header lengths + method + http/1.1. You'll miss bytes for encodings,
> spaces.
>
> Re. where to add - each connector is different on how it reads/parses the
> message, you probably want to do it close to the 'read()' call, save it
> somewhere associated with the request ( a note or attribute ) and read
> it in a valve or filter.
>
> Costin
>
>
> On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> >
> >
> > I looked at connectors but wasn't sure if this was what I wanted.  To
> > avoid another wild goose chase I decided to ask.  Can you point me in
> > the direction of some documentation where I might be able to get
> > started?
> >
> > Dave.
> >
> > -----Original Message-----
> > From: Costin Manolache [mailto:costin@gmail.com]
> > Sent: October 22, 2007 04:28 PM
> > To: Tomcat Developers List
> > Subject: Re: Measuring bytes sent and received from and to Tomcat
> >
> > 'bytes' should be counted at a lower level, in connector. I'm not sure
> > this is something generic enough - but you can make some changes to
> > your tomcat, where read() is done from socket.
> >
> > I guess it would be nice to have a JMX graph with bytes/sec in/out.
> >
> > Costin
> > 'bytes'
> >
> > On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> > >
> > >
> > > We looked at using a valve but we weren't sure if it would work.
> > > Correct me if I'm wrong, but it appears as though valves are chained
> > > together in a calling sequence and that some valves could change the
> > > content of the request or response.  This means we may not get an
> > > accurate measure of the total number of bytes that make up
> > > the request.
> > >
> > > Also, the AccessLogValve has a pattern code to get the number of
> > > bytes sent, excluding the HTTP headers, but does not have a pattern
> > > code to get the number of bytes sent, including the HTTP headers,
> > > which is what we really need.
> > >
> > > Have I missed something?
> > >
> > > Dave.
> > >
> > >
> > > -----Original Message-----
> > > From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On Behalf
> > > Of Yoav Shapira
> > > Sent: October 22, 2007 02:36 PM
> > > To: Tomcat Developers List
> > > Subject: Re: Measuring bytes sent and received from and to Tomcat
> > >
> > > Hey,
> > >
> > > On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> > > > Is there a way we can do the same thing with Tomcat?  It's simple
> > > > for us to measure the number of bytes in the payload of the HTTP
> > > > request/response, however that isn't enough.  We need to know the
> > > > total number of bytes being sent and received for each HTTP
> > > > request.
> > > >
> > > > Can someone suggest a way I could get an accurate count of these
> > > > bytes?
> > >
> > > You can probably start with the AccessLogValve that ships with
> > > Tomcat:
> > > http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
> > >
> > > Out of the box it will get you the complete bytes in the response.
> > > See the above docs on how to configure that.  If you want to log the
> > > complete bytes on the request, I think you'll have to extend the
> > > Valve, but it should be pretty easy to do.
> > >
> > > Yoav



RE: Measuring bytes sent and received from and to Tomcat

Posted by Dave Rathnow <Da...@umsltd.com>.
Hello Again,

I was wondering if someone could give me some help with this.  I think
using a connector is probably the way to go to solve this problem;
however, I'm not sure where to start.  How do I create my own connector
and then plumb it into Tomcat so it will be used? I will be using a
separate port other than 8080 for the devices that will be sending and
receiving data so, if possible, I would like to leave the default
connector on port 8080.

Again, I don't want to reimplement the code that parses the HTTP.  All I
need to do is count the number of bytes arriving and being sent so if I
can reuse code from an existing connector, that would be great.

Thanks,
Dave. 

-----Original Message-----
From: costin@gmail.com [mailto:costin@gmail.com] On Behalf Of Costin
Manolache
Sent: October 22, 2007 04:50 PM
To: Dave Rathnow
Cc: Tomcat Developers List
Subject: Re: Measuring bytes sent and received from and to Tomcat

Well, if you want absolute byte - connector seems the only place, there
are spaces and tabs being skipped when parsing headers, etc.

If you are ok with an estimate - the AccessLogValve is ok, add all the
header lengths + method + http/1.1. You'll miss bytes for encodings,
spaces.

Re. where to add - each connector is different on how it reads/parses the
message, you probably want to do it close to the 'read()' call, save it
somewhere associated with the request ( a note or attribute ) and read
it in a valve or filter.

Costin


On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
>
>
> I looked at connectors but wasn't sure if this was what I wanted.  To
> avoid another wild goose chase I decided to ask.  Can you point me in
> the direction of some documentation where I might be able to get
> started?
>
> Dave.
>
> -----Original Message-----
> From: Costin Manolache [mailto:costin@gmail.com]
> Sent: October 22, 2007 04:28 PM
> To: Tomcat Developers List
> Subject: Re: Measuring bytes sent and received from and to Tomcat
>
> 'bytes' should be counted at a lower level, in connector. I'm not sure
> this is something generic enough - but you can make some changes to
> your tomcat, where read() is done from socket.
>
> I guess it would be nice to have a JMX graph with bytes/sec in/out.
>
> Costin
> 'bytes'
>
> On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> >
> >
> > We looked at using a valve but we weren't sure if it would work.
> > Correct me if I'm wrong, but it appears as though valves are chained
> > together in a calling sequence and that some valves could change the
> > content of the request or response.  This means we may not get an
> > accurate measure of the total number of bytes that make up
> > the request.
> >
> > Also, the AccessLogValve has a pattern code to get the number of
> > bytes sent, excluding the HTTP headers, but does not have a pattern
> > code to get the number of bytes sent, including the HTTP headers,
> > which is what we really need.
> >
> > Have I missed something?
> >
> > Dave.
> >
> >
> > -----Original Message-----
> > From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On Behalf
> > Of Yoav Shapira
> > Sent: October 22, 2007 02:36 PM
> > To: Tomcat Developers List
> > Subject: Re: Measuring bytes sent and received from and to Tomcat
> >
> > Hey,
> >
> > On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> > > Is there a way we can do the same thing with Tomcat?  It's simple
> > > for us to measure the number of bytes in the payload of the HTTP
> > > request/response, however that isn't enough.  We need to know the
> > > total number of bytes being sent and received for each HTTP
> > > request.
> > >
> > > Can someone suggest a way I could get an accurate count of these
> > > bytes?
> >
> > You can probably start with the AccessLogValve that ships with
> > Tomcat:
> > http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
> >
> > Out of the box it will get you the complete bytes in the response.
> > See the above docs on how to configure that.  If you want to log the
> > complete bytes on the request, I think you'll have to extend the
> > Valve, but it should be pretty easy to do.
> >
> > Yoav



Re: Measuring bytes sent and received from and to Tomcat

Posted by Costin Manolache <co...@apache.org>.
Well, if you want absolute byte - connector seems the only place, there are
spaces and tabs being skipped when parsing headers, etc.

If you are ok with an estimate - the AccessLogValve is ok, add all the
header lengths + method + http/1.1. You'll miss bytes for encodings, spaces.

Re. where to add - each connector is different on how it reads/parses the
message, you probably want to do it close to the 'read()' call, save it
somewhere associated with the request ( a note or attribute ) and read it in
a valve or filter.

Costin


On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
>
>
> I looked at connectors but wasn't sure if this was what I wanted.  To
> avoid another wild goose chase I decided to ask.  Can you point me in the
> direction of some documentation where I might be able to get started?
>
> Dave.
>
> -----Original Message-----
> From: Costin Manolache [mailto:costin@gmail.com]
> Sent: October 22, 2007 04:28 PM
> To: Tomcat Developers List
> Subject: Re: Measuring bytes sent and received from and to Tomcat
>
> 'bytes' should be counted at a lower level, in connector. I'm not sure
> this is something generic enough - but you can make some changes to your
> tomcat, where read() is done from socket.
>
> I guess it would be nice to have a JMX graph with bytes/sec in/out.
>
> Costin
> 'bytes'
>
> On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> >
> >
> > We looked at using a valve but we weren't sure if it would work.
> > Correct me if I'm wrong, but it appears as though valves are chained
> > together in a calling sequence and that some valves could change the
> > content of the request or response.  This means we may not get an
> > accurate measure of the total number of bytes that make up the
> > request.
> >
> > Also, the AccessLogValve has a pattern code to get the number of bytes
> > sent, excluding the HTTP headers, but does not have a pattern code to
> > get the number of bytes sent, including the HTTP headers, which is
> > what we really need.
> >
> > Have I missed something?
> >
> > Dave.
> >
> >
> > -----Original Message-----
> > From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On Behalf
> > Of Yoav Shapira
> > Sent: October 22, 2007 02:36 PM
> > To: Tomcat Developers List
> > Subject: Re: Measuring bytes sent and received from and to Tomcat
> >
> > Hey,
> >
> > On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> > > Is there a way we can do the same thing with Tomcat?  It's simple
> > > for us to measure the number of bytes in the payload of the HTTP
> > > request/response, however that isn't enough.  We need to know the
> > > total number of bytes being sent and received for each HTTP request.
> > >
> > > Can someone suggest a way I could get an accurate count of these
> > > bytes?
> >
> > You can probably start with the AccessLogValve that ships with Tomcat:
> > http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
> >
> > Out of the box it will get you the complete bytes in the response.
> > See the above docs on how to configure that.  If you want to log the
> > complete bytes on the request, I think you'll have to extend the
> > Valve, but it should be pretty easy to do.
> >
> > Yoav
> >
>
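
The difference between counting next to read() and estimating from parsed
headers, as discussed in the message above, shown as an added example that is
not part of the thread and is not Tomcat code. It uses only the JDK; the class
and method names are hypothetical and the sample request is constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added illustration; class and method names are hypothetical and nothing
// here is Tomcat API.
public class RequestByteCount {

    /** Counts bytes as they are read, i.e. "close to the read() call". */
    static final class CountingInputStream extends FilterInputStream {
        private long count;

        CountingInputStream(InputStream in) { super(in); }

        @Override
        public int read() throws IOException {
            int b = super.read();
            if (b >= 0) count++;
            return b;
        }

        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) count += n;
            return n;
        }

        long getCount() { return count; }
    }

    /** Returns {bytes actually read, estimate rebuilt from parsed fields}. */
    static long[] measure(byte[] wire) throws IOException {
        CountingInputStream in = new CountingInputStream(new ByteArrayInputStream(wire));

        // Read the request head up to and including the blank line.
        StringBuilder head = new StringBuilder();
        int b;
        while ((b = in.read()) >= 0) {
            head.append((char) b);
            int n = head.length();
            if (n >= 4 && head.substring(n - 4).equals("\r\n\r\n")) break;
        }

        // Parse the way a container does: optional whitespace is dropped.
        String[] lines = head.toString().split("\r\n");
        String[] requestLine = lines[0].trim().split("\\s+");
        Map<String, String> headers = new LinkedHashMap<>();
        for (int i = 1; i < lines.length; i++) {
            int colon = lines[i].indexOf(':');
            if (colon < 0) continue;
            headers.put(lines[i].substring(0, colon).trim().toLowerCase(Locale.ROOT),
                        lines[i].substring(colon + 1).trim());
        }

        // Read the body so the counter sees the whole request.
        int length = Integer.parseInt(headers.getOrDefault("content-length", "0"));
        byte[] body = new byte[length];
        int got = 0;
        while (got < length) {
            int n = in.read(body, got, length - got);
            if (n < 0) break;
            got += n;
        }

        // Estimate: method + URI + protocol + header names and values,
        // assuming single separators ("Name: value\r\n").
        long estimate = requestLine[0].length() + 1 + requestLine[1].length() + 1
                + requestLine[2].length() + 2;
        for (Map.Entry<String, String> h : headers.entrySet()) {
            estimate += h.getKey().length() + 2 + h.getValue().length() + 2;
        }
        estimate += 2 + got; // blank line + body
        return new long[] { in.getCount(), estimate };
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample request with extra spaces and a tab after the colons.
        String raw = "POST /telemetry HTTP/1.1\r\n"
                + "Host:   collector.example\r\n"
                + "Content-Type:\ttext/plain \r\n"
                + "Content-Length: 5\r\n"
                + "\r\n"
                + "hello";
        long[] r = measure(raw.getBytes(StandardCharsets.ISO_8859_1));
        System.out.println("bytes read at the stream: " + r[0]);
        System.out.println("estimate from parsed fields: " + r[1]);
        System.out.println("undercount: " + (r[0] - r[1]));
    }
}
```

The estimate falls short by exactly the whitespace the parser discarded; a
chunked body would widen the gap further.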

RE: Measuring bytes sent and received from and to Tomcat

Posted by Dave Rathnow <Da...@umsltd.com>.
I looked at connectors but wasn't sure if this was what I wanted.  To
avoid another wild goose chase I decided to ask.  Can you point me in the
direction of some documentation where I might be able to get started?

Dave. 

-----Original Message-----
From: Costin Manolache [mailto:costin@gmail.com] 
Sent: October 22, 2007 04:28 PM
To: Tomcat Developers List
Subject: Re: Measuring bytes sent and received from and to Tomcat

'bytes' should be counted at a lower level, in connector. I'm not sure
this is something generic enough - but you can make some changes to your
tomcat, where read() is done from socket.

I guess it would be nice to have a JMX graph with bytes/sec in/out.

Costin
'bytes'

On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
>
>
> We looked at using a valve but we weren't sure if it would work.
> Correct me if I'm wrong, but it appears as though valves are chained 
> together in a calling sequence and that some valves could change the 
> content of the request or response.  This means we may not get an
> accurate measure of the total number of bytes that make up the
> request.
>
> Also, the AccessLogValve has a pattern code to get the number of bytes
> sent, excluding the HTTP headers, but does not have a pattern code to
> get the number of bytes sent, including the HTTP headers, which is
> what we really need.
>
> Have I missed something?
>
> Dave.
>
>
> -----Original Message-----
> From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On Behalf 
> Of Yoav Shapira
> Sent: October 22, 2007 02:36 PM
> To: Tomcat Developers List
> Subject: Re: Measuring bytes sent and received from and to Tomcat
>
> Hey,
>
> On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> > Is there a way we can do the same thing with Tomcat?  It's simple
> > for us to measure the number of bytes in the payload of the HTTP
> > request/response, however that isn't enough.  We need to know the
> > total number of bytes being sent and received for each HTTP request.
> >
> > Can someone suggest a way I could get an accurate count of these
> > bytes?
>
> You can probably start with the AccessLogValve that ships with Tomcat:
> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
>
> Out of the box it will get you the complete bytes in the response.
> See the above docs on how to configure that.  If you want to log the 
> complete bytes on the request, I think you'll have to extend the 
> Valve, but it should be pretty easy to do.
>
> Yoav
>


Re: Measuring bytes sent and received from and to Tomcat

Posted by Costin Manolache <co...@gmail.com>.
'bytes' should be counted at a lower level, in connector. I'm not sure this
is something generic enough - but you can make some changes to your tomcat,
where read() is done from socket.

I guess it would be nice to have a JMX graph with bytes/sec in/out.

Costin
'bytes'

On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
>
>
> We looked at using a valve but we weren't sure if it would work.
> Correct me if I'm wrong, but it appears as though valves are chained
> together in a calling sequence and that some valves could change the
> content of the request or response.  This means we may not get an
> accurate measure of the total number of bytes that make up the
> request.
>
> Also, the AccessLogValve has a pattern code to get the number of bytes
> sent, excluding the HTTP headers, but does not have a pattern code to
> get the number of bytes sent, including the HTTP headers, which is what
> we really need.
>
> Have I missed something?
>
> Dave.
>
>
> -----Original Message-----
> From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On Behalf Of
> Yoav Shapira
> Sent: October 22, 2007 02:36 PM
> To: Tomcat Developers List
> Subject: Re: Measuring bytes sent and received from and to Tomcat
>
> Hey,
>
> On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> > Is there a way we can do the same thing with Tomcat?  It's simple for
> > us to measure the number of bytes in the payload of the HTTP
> > request/response, however that isn't enough.  We need to know the
> > total number of bytes being sent and received for each HTTP request.
> >
> > Can someone suggest a way I could get an accurate count of these
> > bytes?
>
> You can probably start with the AccessLogValve that ships with Tomcat:
> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
>
> Out of the box it will get you the complete bytes in the response.
> See the above docs on how to configure that.  If you want to log the
> complete bytes on the request, I think you'll have to extend the Valve,
> but it should be pretty easy to do.
>
> Yoav
>

RE: Measuring bytes sent and received from and to Tomcat

Posted by Dave Rathnow <Da...@umsltd.com>.
We looked at using a valve but we weren't sure if it would work.
Correct me if I'm wrong, but it appears as though valves are chained
together in a calling sequence and that some valves could change the
content of the request or response.  This means we may not get an
accurate measure of the total number of bytes that make up the
request.

Also, the AccessLogValve has a pattern code to get the number of bytes
sent, excluding the HTTP headers, but does not have a pattern code to
get the number of bytes sent, including the HTTP headers, which is what
we really need.

Have I missed something?

Dave.
   

-----Original Message-----
From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On Behalf Of
Yoav Shapira
Sent: October 22, 2007 02:36 PM
To: Tomcat Developers List
Subject: Re: Measuring bytes sent and received from and to Tomcat

Hey,

On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> Is there a way we can do the same thing with Tomcat?  It's simple for
> us to measure the number of bytes in the payload of the HTTP
> request/response, however that isn't enough.  We need to know the
> total number of bytes being sent and received for each HTTP request.
>
> Can someone suggest a way I could get an accurate count of these
> bytes?

You can probably start with the AccessLogValve that ships with Tomcat:
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

Out of the box it will get you the complete bytes in the response.
See the above docs on how to configure that.  If you want to log the
complete bytes on the request, I think you'll have to extend the Valve,
but it should be pretty easy to do.

Yoav



Re: Measuring bytes sent and received from and to Tomcat

Posted by Yoav Shapira <yo...@apache.org>.
Hey,

On 10/22/07, Dave Rathnow <Da...@umsltd.com> wrote:
> Is there a way we can do the same thing with Tomcat?  It's simple for us
> to measure the number of bytes in the payload of the HTTP
> request/response, however that isn't enough.  We need to know the total
> number of bytes being sent and received for each HTTP request.
>
> Can someone suggest a way I could get an accurate count of these bytes?

You can probably start with the AccessLogValve that ships with Tomcat:
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

Out of the box it will get you the complete bytes in the response.
See the above docs on how to configure that.  If you want to log the
complete bytes on the request, I think you'll have to extend the
Valve, but it should be pretty easy to do.

Yoav



Measuring bytes sent and received from and to Tomcat

Posted by Dave Rathnow <Da...@umsltd.com>.
We have an application that collects data from, and sends data to,
remote embedded devices.  Traditionally we have used TCP and UDP to send
and receive data over satellite.  The latest release of our product will
be using other communication medium with our devices making HTTP requests
to our application that is running under JBoss/Tomcat.

The way we bill our clients is by charging them a usage fee based on the
number of bytes being sent over the air/wire.  Because of this, we need
to have an accurate count of the number of bytes sent and received from
each site, which is uniquely identified by its IP address.  Using
either UDP or TCP this is simple as we are in control of the end
socket.

Is there a way we can do the same thing with Tomcat?  It's simple for us
to measure the number of bytes in the payload of the HTTP
request/response, however that isn't enough.  We need to know the total
number of bytes being sent and received for each HTTP request.

Can someone suggest a way I could get an accurate count of these bytes?
 
Thanks,
Dave.



Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by "William L. Thomson Jr." <wl...@gentoo.org>.
On Sun, 2007-10-21 at 14:03 -0400, William L. Thomson Jr. wrote:
> On Sun, 2007-10-21 at 17:41 +0100, Mark Thomas wrote:
> > William L. Thomson Jr. wrote:
> > > I take it down streams should run with the first patches to work around
> > > this vulnerability till next release. I already applied the one liner,
> > > kinda glad I did not apply the other last night ;) Please advise,
> > > thanks.
> > 
> > You need a version of the second patch for a complete fix. If you want
> > logging - apply my version, if you don't - apply Remy's. Both fix the
> > problem, just in slightly different ways.
> > 
> > We'll have to wait and see which way the voting goes for which patch
> > gets incorporated into the code base.
> 
> That's what I am interested in, and willing to wait a bit for. Don't
> want to appear to be taking sides or adding in my own opinion based on
> which one to apply/go with or not. Prefer to stick with whatever
> direction upstream goes in and/or recommends.
> 

For what it's worth, I am thinking logging might be best. Mostly because
to my understanding one must be authorized in webdav or etc to be able
to exploit the vulnerability. So it's more of an attack from within, and
IMHO it's even more important to log those. It's one thing to be
attacked from the outside world, but being attacked from within can be
worse. Since in theory they are trusted to a point.

Either way I do agree with the other post on being consistent with other
projects.

-- 
William L. Thomson Jr.
Gentoo/Java

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by "William L. Thomson Jr." <wl...@gentoo.org>.
On Sun, 2007-10-21 at 17:41 +0100, Mark Thomas wrote:
> William L. Thomson Jr. wrote:
> > I take it down streams should run with the first patches to work around
> > this vulnerability till next release. I already applied the one liner,
> > kinda glad I did not apply the other last night ;) Please advise,
> > thanks.
> 
> You need a version of the second patch for a complete fix. If you want
> logging - apply my version, if you don't - apply Remy's. Both fix the
> problem, just in slightly different ways.
> 
> We'll have to wait and see which way the voting goes for which patch
> gets incorporated into the code base.

That's what I am interested in, and willing to wait a bit for. Don't
want to appear to be taking sides or adding in my own opinion based on
which one to apply/go with or not. Prefer to stick with whatever
direction upstream goes in and/or recommends.

Thanks much :)

-- 
William L. Thomson Jr.
Gentoo/Java

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by jean-frederic clere <jf...@gmail.com>.
jkew wrote:
> Mark Thomas wrote:
>> William L. Thomson Jr. wrote:
>>  
>>> I take it downstreams should run with the first patches to work around
>>> this vulnerability till next release. I already applied the one liner,
>>> kinda glad I did not apply the other last night ;) Please advise,
>>> thanks.
>>>     
>>
>> You need a version of the second patch for a complete fix. If you want
>> logging - apply my version, if you don't - apply Remy's. Both fix the
>> problem, just in slightly different ways.
>>
>>   
> 
> I've been using Mark's patch, which I personally prefer right now. I'll
> experiment with Remy's patch on Monday, but I have a slightly tangential
> question:
> 
> Q. Where should I put, and how should I build a unit test for the webdav
> issue? I noticed that Jean-Frederic created a great unit test within
> /test for the cookie issue, but I don't believe his patch was ever
> committed. Is there a formal unit test framework for these issues?

Not yet but I think we should have tests for nearly everything.

Cheers

Jean-Frederic

> 
> My existing test for the webdav issue is just a war file, but I'd like
> something semi-permanent and manageable. I'm a little ignorant of the
> history here, so forgive me if I'm a little lost.
>> We'll have to wait and see which way the voting goes for which patch
>> gets incorporated into the code base.
>>
>> Mark


Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by jkew <jo...@sourcelabs.com>.
Mark Thomas wrote:
> William L. Thomson Jr. wrote:
>   
>> I take it downstreams should run with the first patches to work around
>> this vulnerability till next release. I already applied the one liner,
>> kinda glad I did not apply the other last night ;) Please advise,
>> thanks.
>>     
>
> You need a version of the second patch for a complete fix. If you want
> logging - apply my version, if you don't - apply Remy's. Both fix the
> problem, just in slightly different ways.
>
>   

I've been using Mark's patch, which I personally prefer right now. I'll 
experiment with Remy's patch on Monday, but I have a slightly tangential 
question:

Q. Where should I put, and how should I build a unit test for the webdav 
issue? I noticed that Jean-Frederic created a great unit test within 
/test for the cookie issue, but I don't believe his patch was ever 
committed. Is there a formal unit test framework for these issues?

My existing test for the webdav issue is just a war file, but I'd like 
something semi-permanent and manageable. I'm a little ignorant of the
history here, so forgive me if I'm a little lost.
> We'll have to wait and see which way the voting goes for which patch
> gets incorporated into the code base.
>
> Mark


Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by Mark Thomas <ma...@apache.org>.
William L. Thomson Jr. wrote:
> I take it downstreams should run with the first patches to work around
> this vulnerability till next release. I already applied the one liner,
> kinda glad I did not apply the other last night ;) Please advise,
> thanks.

You need a version of the second patch for a complete fix. If you want
logging - apply my version, if you don't - apply Remy's. Both fix the
problem, just in slightly different ways.

We'll have to wait and see which way the voting goes for which patch
gets incorporated into the code base.

Mark



Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by "William L. Thomson Jr." <wl...@gentoo.org>.
On Sun, 2007-10-21 at 09:09 -0400, Mark Thomas wrote:
> Rémy Maucherat wrote:
> > Since it's an obvious hacking attempt, I chose to use this method
> > instead:
> >             documentBuilder.setEntityResolver
> >                 (new EntityResolver() {
> >                     public InputSource resolveEntity(String publicId, String systemId)
> >                         throws SAXException, IOException {
> >                         return new InputSource(new StringReader(""));
> >                     }
> >                 });
> > 
> > -> no logging, replace with blank text (I was using an ISE right before
> > instead of an input source, but there's no real justification)
> 
> I don't think no logging for an obvious hacking attempt is a good idea.
> 
> I also think that there is a slim chance of a legitimate use of an
> entity and in this case the logging gives the administrator a chance
> of working out why something isn't working.

I take it downstreams should run with the first patches to work around
this vulnerability till next release. I already applied the one liner,
kinda glad I did not apply the other last night ;) Please advise,
thanks.

-- 
William L. Thomson Jr.
Gentoo/Java

Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by Mark Thomas <ma...@apache.org>.
Rémy Maucherat wrote:
> Since it's an obvious hacking attempt, I chose to use this method
> instead:
>             documentBuilder.setEntityResolver
>                 (new EntityResolver() {
>                     public InputSource resolveEntity(String publicId, String systemId)
>                         throws SAXException, IOException {
>                         return new InputSource(new StringReader(""));
>                     }
>                 });
> 
> -> no logging, replace with blank text (I was using an ISE right before
> instead of an input source, but there's no real justification)

I don't think no logging for an obvious hacking attempt is a good idea.

I also think that there is a slim chance of a legitimate use of an
entity and in this case the logging gives the administrator a chance
of working out why something isn't working.

Mark



Re: [Fwd: [Security] - **Updated** Important vulnerability disclosed in Apache Tomcat webdav servlet]

Posted by Rémy Maucherat <re...@apache.org>.
On Sat, 2007-10-20 at 23:04 -0400, Mark Thomas wrote:
> The mitigations available are:
> - - Disable write access until a fixed version is released
> - - Limit write access to trusted users
> - - Apply the following patch which will be included in the next
> releases of 6.0.x, 5.5.x and 4.1.x

Since it's an obvious hacking attempt, I chose to use this method
instead:
            documentBuilder.setEntityResolver
                (new EntityResolver() {
                    public InputSource resolveEntity(String publicId, String systemId)
                        throws SAXException, IOException {
                        return new InputSource(new StringReader(""));
                    }
                });

-> no logging, replace with blank text (I was using an ISE right before
instead of an input source, but there's no real justification)

Rémy
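
The two positions in this thread (blank out the entity silently, or blank it out and log the attempt) can be exercised with a small stand-alone regression check. This is an added example, not the patch from either author and not Tomcat code: the class name, logger name, temp-file fixture and WebDAV-style request body are all constructed assumptions, and it needs Java 11 or later.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Added example: class name, logger name and sample body are assumptions, not Tomcat code.
public class WebdavEntityResolverCheck {
    private static final Logger LOG = Logger.getLogger("webdav.entity");

    /** Parses a request body with both mitigations applied and records every entity lookup. */
    static String parse(String body, List<String> seen) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setExpandEntityReferences(false);          // the one-line first patch
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setEntityResolver((publicId, systemId) -> {
            // Logging variant: record the attempt, then hand back empty content.
            LOG.warning("Blocked external entity: publicId=" + publicId + " systemId=" + systemId);
            seen.add(systemId);
            return new InputSource(new StringReader(""));
        });
        Document doc = db.parse(new InputSource(new StringReader(body)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a local file whose content must never reach the parsed document.
        Path secret = Files.createTempFile("entity-check", ".txt");
        Files.writeString(secret, "MARKER-MUST-NOT-LEAK");
        String body = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE propfind [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<D:propfind xmlns:D=\"DAV:\"><D:prop>&ext;</D:prop></D:propfind>";
        List<String> seen = new ArrayList<>();
        try {
            String text = parse(body, seen);
            if (text.contains("MARKER-MUST-NOT-LEAK")) throw new AssertionError("entity content leaked");
            if (seen.isEmpty()) throw new AssertionError("resolver was never consulted");
            System.out.println("OK: " + seen.size() + " entity lookup(s) blocked and logged");
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Removing the `LOG.warning` call gives the silent behaviour; the leak assertion passes either way, so the choice between the two is about what the administrator gets to see, not about whether the entity content is blocked.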


