How to use JTA support in Tomcat 6 for Hibernate?

If you want JTA support in Tomcat you’ll need to use a standalone transaction manager like Atomikos, JOTM, Bitronix, SimpleJTA, JBossTS or GeronimoTM/Jencks. But honestly, if you’re not going to handle transactions across multiple resources, then you can live without JTA (and if you really need JTA, use a full-blown application server).

Confused about how to handle CORS OPTIONS preflight requests

I sat down and debugged through the org.apache.catalina.filters.CorsFilter to figure out why the request was being forbidden. Hopefully this can help someone out in the future. According to the W3 CORS Spec Section 6.2 Preflight Requests, the preflight must reject the request if any header submitted does not match the allowed headers. The default configuration …

Disable all default HTTP error response content in Tomcat

If you do not want Tomcat to show an error page, then do not use sendError(…). Instead use setStatus(…). E.g., if you want to give a 405 response, then you do:

    response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    response.getWriter().println("The method " + request.getMethod() + " is not supported by this service.");

Also remember not to throw any Exceptions from your servlet. …

Is it possible to invalidate a spring security session?

You can’t usually invalidate a user session(s) immediately you change their account information without resorting to a container-specific API, since the only way to access the HttpSession is through the HttpServletRequest object. Instead you can cache the username in an in-memory store and consult it either in a filter or a custom AccessDecisionVoter. Using …

Using Apache httpclient for https

I put together this test app to reproduce the issue using the HTTP testing framework from the Apache HttpClient package:

    ClassLoader cl = HCTest.class.getClassLoader();
    URL url = cl.getResource("test.keystore");
    KeyStore keystore = KeyStore.getInstance("jks");
    char[] pwd = "nopassword".toCharArray();
    keystore.load(url.openStream(), pwd);
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(keystore);
    TrustManager[] tm = tmf.getTrustManagers();
    KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(
            KeyManagerFactory.getDefaultAlgorithm());
    kmfactory.init(keystore, pwd);
    …

How to avoid storing passwords in the clear for tomcat’s server.xml Resource definition of a DataSource?

As said before, encrypting passwords is just moving the problem somewhere else. Anyway, it’s quite simple. Just write a class with static fields for your secret key and so on, and static methods to encrypt, decrypt your passwords. Encrypt your password in Tomcat’s configuration file (server.xml or yourapp.xml…) using this class. And to decrypt the …

Tomcat: Cache-Control

Since Tomcat 7 there is a container provided expires filter that may help. See:

Tomcat 10: https://tomcat.apache.org/tomcat-10.0-doc/config/filter.html#Expires_Filter
Tomcat 9: https://tomcat.apache.org/tomcat-9.0-doc/config/filter.html#Expires_Filter
Tomcat 8: https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#Expires_Filter
Tomcat 7: https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Expires_Filter
Tomcat 6 (unofficial backport): https://github.com/bnegrao/ExpiresFilter

ExpiresFilter is a Java Servlet API port of Apache mod_expires. This filter controls the setting of the Expires HTTP header and the max-age directive …

Tomcat – CATALINA_BASE and CATALINA_HOME variables

If you are running multiple instances of Tomcat on a single host you should set CATALINA_BASE to be equal to the …/tomcat_instance1 or …/tomcat_instance2 directory as appropriate for each instance and the CATALINA_HOME environment variable to the common Tomcat installation whose files will be shared between the two instances. The CATALINA_BASE environment is optional if …