Archive for February, 2009

Chapter 5: Basic Tomcat Configuration // Precompiled

Saturday, February 28th, 2009

    // Precompiled JSPs need access to this package.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
    };

These minimal permissions are granted by default to Web applications. A typical secured production configuration will require opening up additional access to the Web applications, such as socket access to a JDBC server or network access to an external authentication system.

catalina.properties: Finer-Grained Control over Access Checks

Last but not least, the $CATALINA_HOME/conf/catalina.properties file is read during a secured Tomcat 6 server startup, and allows administrators to configure access control at the Java package level. This restriction causes a SecurityException to be reported should an errant or malicious Web application attempt to access these Tomcat 6 internal classes directly, or attempt to define a new class under these highly privileged packages. The following lines in the catalina.properties file name the internal packages that should be restricted. Where partial package names are specified, any subpackages are protected as well:

    package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
    package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.

Other lines in catalina.properties include path definitions for the common, server, and shared class loaders (see Chapter 9 on Tomcat class loading):

    common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar
    server.loader=
    shared.loader=

The last line of catalina.properties enables the use of the String cache. This cache is used internally by the conversion methods ByteChunk.toString() and CharChunk.toString():

    tomcat.util.buf.StringCache.byte.enabled=true

Bootstrapping Configuration

Before concluding this chapter, it is important to reiterate that any Web-based administration tool (such as the admin tool discussed in the last section of this chapter) is itself a Tomcat 6 hosted Web application. This means that Tomcat 6 must be running and operating for you to be able to access it. Tomcat 6 includes a default bootstrap configuration to ensure that these tools can start under most circumstances. However, in the unlikely event that you have made manual modifications and the Tomcat 6 instance will not start up, your only remaining recourse is to edit the XML configuration files with a text editor. This is the primary reason why this chapter has devoted considerable coverage to Tomcat administration from the perspective of manually editing the XML configuration files.
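The prefix semantics of package.access and package.definition described above, worked through as an added example that is not from the book: the script reads the catalina.properties lines quoted in the chapter (constructed here as an inline string, including a backslash line continuation) and reports whether a given class name would be blocked from access or from definition.

```python
# Added example (not from the book): evaluate catalina.properties
# package.access / package.definition lists the way the security manager
# does, by package-name prefix, so subpackages are covered as well.
# The properties text below is constructed from the values shown above.

CATALINA_PROPERTIES = """\
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,\\
org.apache.jasper.,sun.beans.
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,\\
org.apache.tomcat.,org.apache.jasper.
common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, a trailing
    backslash continues the value on the next line, '#' starts a comment."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def restricted_prefixes(props, key):
    """Split a package.access / package.definition value into its prefixes."""
    return [p for p in props.get(key, "").split(",") if p]


def package_of(class_name):
    return class_name.rsplit(".", 1)[0] if "." in class_name else ""


def is_blocked(class_name, prefixes):
    """True if the class's package (with a trailing dot) starts with any
    restricted prefix: 'org.apache.catalina.' therefore also covers
    'org.apache.catalina.core' and every deeper subpackage."""
    pkg = package_of(class_name) + "."
    return any(pkg.startswith(prefix) for prefix in prefixes)


def check_access(class_name, props):
    """Return (blocked_from_access, blocked_from_definition) for a class."""
    return (is_blocked(class_name, restricted_prefixes(props, "package.access")),
            is_blocked(class_name, restricted_prefixes(props, "package.definition")))


if __name__ == "__main__":
    p = parse_properties(CATALINA_PROPERTIES)
    for cls in ("org.apache.catalina.core.StandardContext",
                "java.lang.Runtime", "com.example.app.Shop"):
        print(cls, check_access(cls, p))
```

Note that java.lang.Runtime is readable (it is not in package.access) but a Web application may not define new classes in java.* because of package.definition.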


Chapter 5: Basic Tomcat Configuration The first

Saturday, February 28th, 2009

The first section enables access to system properties that enable JNDI and JDBC access:

    grant {
        // Required for JNDI lookup of named JDBC DataSource's and
        // javamail named MimePart DataSource used to send mail
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "java.naming.*", "read";
        permission java.util.PropertyPermission "javax.sql.*", "read";

The next section enables read-only access to some operating system description properties (the type of operating system that is running, and what it uses to separate file extensions in a file name):

        // OS Specific properties to allow read access
        permission java.util.PropertyPermission "os.name", "read";
        permission java.util.PropertyPermission "os.version", "read";
        permission java.util.PropertyPermission "os.arch", "read";
        permission java.util.PropertyPermission "file.separator", "read";
        permission java.util.PropertyPermission "path.separator", "read";
        permission java.util.PropertyPermission "line.separator", "read";

The third section enables read-only access to some JVM-specific properties that are often used in application programming:

        // JVM properties to allow read access
        permission java.util.PropertyPermission "java.version", "read";
        permission java.util.PropertyPermission "java.vendor", "read";
        permission java.util.PropertyPermission "java.vendor.url", "read";
        permission java.util.PropertyPermission "java.class.version", "read";
        permission java.util.PropertyPermission "java.specification.version", "read";
        permission java.util.PropertyPermission "java.specification.vendor", "read";
        permission java.util.PropertyPermission "java.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.specification.version", "read";
        permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
        permission java.util.PropertyPermission "java.vm.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.version", "read";
        permission java.util.PropertyPermission "java.vm.vendor", "read";
        permission java.util.PropertyPermission "java.vm.name", "read";

The next section is required for the use of MX4J (formerly called OpenJMX), which provides JMX support for Tomcat 6 (see Chapter 16 for more information on JMX):

        // Required for OpenJMX
        permission java.lang.RuntimePermission "getAttribute";

The last two sections provide access to XML parser debugging and to precompiled JSPs, both of which are frequently required during code development (see the JavaBean and JAXP specifications for more details on these properties):

        // Allow read of JAXP compliant XML parser debug
        permission java.util.PropertyPermission "jaxp.debug", "read";


Chapter 5: Basic Tomcat Configuration If you

Friday, February 27th, 2009

If you look at the catalina.policy file, you see that the first set of permissions grants code from the Java compiler directories access to all resources (this is essentially the Java compiler and runtime system code):

    // These permissions apply to javac
    grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
    };

    // These permissions apply to all shared system extensions
    grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
    };

    // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
    grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
    };

    // These permissions apply to all shared system extensions when
    // ${java.home} points at $JAVA_HOME/jre
    grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
    };

One clear message here is that you must protect these directories using your operating system's file-protection features (that is, via file ownership and permission settings).

The next section grants Catalina server code, logging code, and API libraries access to all resources:

    // These permissions apply to the daemon code
    grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
    };

    // These permissions apply to the logging API
    grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.security.AllPermission;
    };

    // These permissions apply to the server startup code
    grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
    };

    // These permissions apply to the servlet API classes
    // and those that are shared across all class loaders
    // located in the lib directory
    grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
    };

Again, in a secure configuration, you must be careful to lock down the preceding directories, thus preventing an attacker from adding malicious code to them: any class files introduced into these directories will automatically be granted access to all system resources. The final set contains the permissions given to Web applications by default. They are significantly more restrictive (that is, they are never granted the all-powerful java.security.AllPermission).


Chapter 5: Basic Tomcat Configuration zip application/zip

Thursday, February 26th, 2009

    zip application/zip

Simulating Apache Web Server: Welcome File Handling

The last section in the web.xml file pertains only to Tomcat's standalone mode of operation. To be compatible with the default behavior of the Apache Web server, the default servlet will display a welcome file if the incoming URI is terminated with a trailing slash, as shown in the following example:

    http://www.wrox.com/

The default servlet examines the root directory of the named virtual host (www.wrox.com) and looks for index.html, index.htm, or index.jsp, in turn, to be displayed. Each Web application may override this list in its own deployment descriptor (web.xml) file:

    index.html
    index.htm
    index.jsp

In the following section, another file in the $CATALINA_HOME/conf directory, catalina.policy, is examined.

Fine-Grained Access Control: catalina.policy

Chapter 14 provides complete coverage of the role of the Tomcat security manager and its use of this policy file. For now, it is adequate to take a quick browse through the file to understand how it provides access control for a Tomcat 6 server administrator. Tomcat 6 leverages the built-in fine-grained security model of Java 2. When enabled, the basis of the security system is as follows: any access to system resources that is not explicitly allowed is prohibited. This means that you must anticipate all the resources that the Tomcat 6 server will access, and explicitly grant permission for it to do so. By default, Catalina starts up without security. You need to start Tomcat 6 with the following option for it to run with a security manager:

    > startup -security

It is only in this secured mode that the catalina.policy file will be read, processed, and enforced. Some of the more important sections of the catalina.policy file are discussed later in the chapter, but details of the file are not covered at this time.

The general policy entry is in the following form, where the code it applies to is typically a body of trusted code:

    grant {
        permission list…
    };
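The grant entries shown above, and the AllPermission grants to the JDK and Tomcat directories discussed in the previous post, lend themselves to a configuration audit. The following is an added example, not code from the book or from Tomcat: it parses grant blocks from a catalina.policy fragment (constructed inline from the chapter's entries, plus one hypothetical grant for a Web application directory) and reports every codeBase that receives java.security.AllPermission outside the trusted java.home and catalina.home roots. The TRUSTED_ROOTS list is an assumption of this example, not a Tomcat setting.

```python
# Added example (not from the book): list AllPermission grants in a
# catalina.policy fragment and flag those outside the trusted roots.
import re

# Constructed policy text: two entries from the chapter plus one
# hypothetical entry for a Web application directory.
POLICY_TEXT = """\
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};
// Hypothetical entry: an administrator opened up one Web application
grant codeBase "file:${catalina.home}/webapps/shop/-" {
        permission java.security.AllPermission;
};
grant {
        permission java.util.PropertyPermission "os.name", "read";
        permission java.lang.RuntimePermission "getAttribute";
};
"""

GRANT_RE = re.compile(
    r'grant(?:\s+codeBase\s+"(?P<code>[^"]*)")?\s*\{(?P<body>.*?)\};', re.DOTALL)
PERM_RE = re.compile(
    r'permission\s+([\w.]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

# Assumed trusted roots for this audit (the chapter's JDK/Tomcat directories).
TRUSTED_ROOTS = ("file:${java.home}/", "file:${catalina.home}/bin/",
                 "file:${catalina.home}/lib/")


def strip_comments(text):
    return re.sub(r"//[^\n]*", "", text)


def parse_policy(text):
    """Return a list of (codeBase or None, [(class, target, actions), ...])."""
    entries = []
    for m in GRANT_RE.finditer(strip_comments(text)):
        entries.append((m.group("code"), PERM_RE.findall(m.group("body"))))
    return entries


def all_permission_grants(entries):
    return [code for code, perms in entries
            if any(cls == "java.security.AllPermission" for cls, _, _ in perms)]


def untrusted_all_permission(entries):
    """AllPermission granted to code outside the trusted roots, including a
    bare 'grant {' block, which would apply to every Web application."""
    return [code for code in all_permission_grants(entries)
            if code is None or not code.startswith(TRUSTED_ROOTS)]


if __name__ == "__main__":
    for code in untrusted_all_permission(parse_policy(POLICY_TEXT)):
        print("AllPermission outside trusted roots:", code)
```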


Chapter 5: Basic Tomcat Configuration cgi /cgi-bin/*

Thursday, February 26th, 2009

    cgi /cgi-bin/* -->

Session Timeout Configuration

The session timeout element configures the amount of time during which Tomcat 6 will maintain a session on the server side on behalf of a client. For example, the client may be in the middle of an online shopping transaction and still have products in the shopping cart. In this case, if the client does not return to the cart for 30 minutes, and no session persistence is used (see Chapter 6 for a description of the session persistence manager), all the client's cart information is lost. As an administrator, it is important to balance the timeout value carefully against the potential of overloading the server with too many stale sessions:

    30

Handling Client-Side Helper Activation: Mime Mappings

The next set of elements contains the default MIME mappings. Tomcat 6 uses these mappings to serve static files with specific extensions to the client. It generates an HTTP Content-Type header when transmitting the file to the client (typically a browser). Most browsers use a helper application to process the file being transmitted if they recognize the content type specified. For example, Microsoft Internet Explorer may start Microsoft MediaPlayer when it detects the video/x-mpeg content type. Note that these are only the default mappings; a Web application's own deployment descriptor (web.xml file) can override or add to this list:

    abs  audio/x-mpeg
    ai   application/postscript
    aif  audio/x-aiff
    aifc audio/x-aiff
    … more mime mappings…
    Z    application/x-compress
    z    application/x-compress


Chapter 5: Basic Tomcat Configuration https://www.wrox.com/bookstore/BuyBook/proTomcat5 1.

Wednesday, February 25th, 2009

Figure 5-3: How server.xml and web.xml are involved in URL parsing

    https://www.wrox.com/bookstore/BuyBook/proTomcat5

1. Coyote connector with SSL support (/conf/server.xml)
2. Virtual host name (/conf/server.xml)
3. Context path (in Context Descriptor XML file)
4. Servlet mapping using URL pattern "/BuyBook/" (application's web.xml)
5. Processed by servlet

In the figure, the URL https://www.wrox.com/bookstore/BuyBook/proTomcat5 is parsed through the nested components that make up a Tomcat server. First, the protocol portion (https://) is parsed by the Service, the Coyote Connector with SSL support is selected, and the request is passed to the Engine. Next, the host name (www.wrox.com) is parsed by the Engine and one of its Host components is selected (the one that matches the www.wrox.com host name). The Host then attempts to match the URL against the Contexts of its deployed Web applications; the match in this case is /bookstore, and the bookstore Web application is selected to handle the request (the Context information itself is stored in a Context descriptor file). Last but not least, the Context hosting the Web application performs a match against the servlet mappings defined in the deployment descriptor (the web.xml file of the Web application), and the URL pattern /BuyBook/* matches the BookPurchase servlet. This servlet is finally handed the URL request to process. It is easy to see how the component hierarchy forwards the request to a single servlet in a Web application for processing.

SSI and CGI Mappings

Now it's time to take a look at the next section of the default web.xml file. The next two default servlet mappings are commented out. They support SSI and CGI when Tomcat 6 is configured to work in standalone mode:

    ssi *.shtml -->


Chapter 5: Basic Tomcat Configuration For example,

Tuesday, February 24th, 2009

For example, if the host is www.wrox.com, and a standalone version of the Tomcat 6 server is running, then the following URL will map to the servlet named default:

    http://www.wrox.com//

The context path portion defaults to the name of the application's WAR file if it is not explicitly specified. If you look back at the servlet definition earlier in this file, you see that the org.apache.catalina.servlets.DefaultServlet will be handling this request. The second mapping is commented out because it is for the security-sensitive invoker servlet. You may uncomment this to enable the invoker servlet in test configurations:

    invoker /servlet/* -->

The rule here specifies the following: when you see a URL request fitting the pattern /servlet/*, route it to the invoker servlet. Therefore, the following URL request is sent to a servlet called invoker:

    http://www.wrox.com//servlet/

If you refer back in the file, org.apache.catalina.servlets.InvokerServlet is specified to process the request. This invoker servlet in turn invokes the servlet that is named by examining the incoming URL. The next two elements specify that all URLs matching *.jsp and *.jspx should be passed to the servlet named jsp for processing. In the earlier servlet definition, the jsp servlet is declared to be the org.apache.jasper.servlet.JspServlet class:

    jsp *.jsp
    jsp *.jspx

How server.xml, Context Descriptors, and web.xml Work Together

Figure 5-3 illustrates how an incoming URL is parsed by the various components of a Tomcat 6 server, and how a servlet mapping with a URL pattern controls the final mapping of the request to a specific servlet in a Web application.


Chapter 5: Basic Tomcat Configuration debug 0

Tuesday, February 24th, 2009

    debug 0
    expires 666
    isVirtualWebappRelative 0
    4 -->

The next servlet definition is also used exclusively for configuring the Tomcat 6 server to mimic an Apache Web server. If you would like the standalone Tomcat 6 server to process CGI, you need to uncomment the following section:

    cgi org.apache.catalina.servlets.CGIServlet
    clientInputTimeout 100
    debug 6
    cgiPathPrefix WEB-INF/cgi
    5 -->

Matching URLs: Servlet Mappings

A servlet mapping element specifies how incoming requests containing a specific URL pattern are to be handled:

    default /

The rule set up here specifies: when you see a URL request fitting the pattern, route it to the default servlet.
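The mapping rules described in this post and in the previous one (the default servlet on "/", the invoker on "/servlet/*", the jsp servlet on "*.jsp" and "*.jspx", and the commented-out SSI and CGI mappings) can be worked through in code. This is an added example, not code from the book or from Tomcat: it resolves a context-relative request path to a servlet name in the order the servlet specification prescribes (exact match, longest path prefix, extension, then the default servlet), and includes a small check that reports whether any mapping routes to the invoker servlet. The mapping table is constructed from the entries quoted in the chapter.

```python
# Added example (not from the book): resolve request paths against the
# servlet mappings quoted from Tomcat 6's default web.xml.

# Mappings enabled in the default web.xml, and the ones that are commented
# out there (constructed from the chapter's entries).
DEFAULT_MAPPINGS = [("default", "/"), ("jsp", "*.jsp"), ("jsp", "*.jspx")]
OPTIONAL_MAPPINGS = [("invoker", "/servlet/*"), ("ssi", "*.shtml"),
                     ("cgi", "/cgi-bin/*")]


def match_servlet(path, mappings):
    """Return the servlet name for a context-relative path such as
    '/servlet/Foo' or '/index.jsp', or None when nothing matches."""
    # 1. Exact match: a pattern that is neither '/', '/x/*' nor '*.ext'.
    for name, pattern in mappings:
        if pattern == path and pattern != "/" and not pattern.startswith("*."):
            return name
    # 2. Longest path-prefix match, dropping one path segment per step.
    prefix_map = {p[:-2]: n for n, p in mappings if p.endswith("/*")}
    candidate = path
    while True:
        if candidate in prefix_map:
            return prefix_map[candidate]
        if "/" not in candidate:
            break
        candidate = candidate.rsplit("/", 1)[0]
    # 3. Extension match on the last path segment.
    last = path.rsplit("/", 1)[-1]
    if "." in last:
        ext = "*." + last.rsplit(".", 1)[-1]
        for name, pattern in mappings:
            if pattern == ext:
                return name
    # 4. The default servlet, if one is mapped to '/'.
    for name, pattern in mappings:
        if pattern == "/":
            return name
    return None


def routes_to_invoker(mappings):
    """Configuration check: which URL patterns, if any, route to the invoker
    servlet that the chapter describes as a production security risk."""
    return [pattern for name, pattern in mappings if name == "invoker"]


if __name__ == "__main__":
    both = DEFAULT_MAPPINGS + OPTIONAL_MAPPINGS
    for req in ("/index.jsp", "/servlet/com.example.Admin",
                "/cgi-bin/test.sh", "/images/logo.png"):
        print(req, "->", match_servlet(req, DEFAULT_MAPPINGS),
              "| with optional mappings:", match_servlet(req, both))
    print("invoker patterns:", routes_to_invoker(both))
```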


Chapter 5: Basic Tomcat Configuration Parameter Description

Monday, February 23rd, 2009

Parameter: Description

development: Default is true. Indicates that the JSP is under development and that Jasper should honor the modificationTestInterval parameter to update/recompile JSPs if they are modified.

fork: Default is true. Indicates that a separate JVM should be forked to compile JSPs. This eliminates resource contention and potential class loader conflicts during JSP or Web application development.

checkInterval: The time interval, specified in seconds, between Jasper's checks of whether a JSP needs to be recompiled. Default is 0, indicating that checks are performed with background processing. Used mainly with development set to true.

modificationTestInterval: The threshold value, specified in seconds since the last compile, after which a JSP is eligible for a modification check again. Default is 4.

(parameter name missing in the source): The buffer size used when reading resources. By default, it is set to 2048 (2KB).

(parameter name missing in the source): The buffer size used when writing resources. By default, it is set to 2048 (2KB).

keepgenerated: Default is true. This causes Jasper to retain the compiled JSPs (servlets) between invocations, which can significantly speed up application startup time.

compiler, classdebuginfo, mappedfile, genStrAsCharArray, dumpSmap, trimSpaces, supressSmap: These are optimization and debugging options for JSP developers. Your development team may request specific settings during the debugging phases of their projects.

scratchdir: Temporary directory required during JSP compilation. Default is a temporary directory under the $CATALINA_HOME/work directory.

xpoweredBy: Generates the X-Powered-By special header. Default is false.

compilerTargetVM: The target VM for the compiled servlets. Default is 1.4 on JDK 1.4 and 1.5 for higher versions of the JDK.

compilerSourceVM: The source VM for the generated servlets. Default is 1.4 on JDK 1.4 and 1.5 for higher versions of the JDK.

SSI and CGI Servlets Configuration

The next set of servlets is commented out. You should uncomment them if you plan to add Apache-style server-side include (SSI) processing features to the standalone Tomcat 6 server:

    ssi org.apache.catalina.ssi.SSIServlet
    buffered 1


Chapter 5: Basic Tomcat Configuration Configuring the

Sunday, February 22nd, 2009

Configuring the Invoker Servlet

The invoker servlet can be used to load and execute any servlet directly, using a URL similar to the following:

    http:////servlet/

Because of its capability to invoke any servlet directly (with or without prior configuration within a Web application), the invoker servlet is considered a major security risk in production systems. Therefore, this servlet should be used only in test configurations. Tomcat 6's default web.xml file has the invoker servlet configuration commented out for this security-related reason. You can uncomment it and enable the servlet on test configurations. The invoker servlet is configured as follows:

    invoker org.apache.catalina.servlets.InvokerServlet
    debug 0
    2 -->

Configuring the Jsp Servlet

The JspServlet converts JSP pages to servlets and executes them. This servlet has the development code name Jasper, and is frequently referred to simply as Jasper. Jasper is used to process JSP pages. The following web.xml segment shows the configuration of this servlet:

    jsp org.apache.jasper.servlet.JspServlet
    fork false
    xpoweredBy false
    3

Other initialization parameters for Jasper that are used frequently are explained in the following table.
