It also handles optionally normalizing the request and optionally checking the request for unsafe escape sequences. Handles response generation when a request encounters an error. Calls the appropriate error handler if specified, or generates the default error response if not specified. Note: You may specify attributes that do not appear in the list above. These attribute settings will be saved in a list and made available to the secure socket factory when secure is set true.
Supported attributes are:. You may enter the settings into the registry by double-clicking on this file in Windows Explorer. The uriworkermap. See the document mentioned in the next paragraph for details on its use. Tomcat will initialize, write the configuration files, and then shutdown. Authenticates the user if required for a request. The authentication occurs using data from "user" and "user roles" tables accessed using a JDBC connection.
Handles requests processed by Tomcat running in-process. It has no effect if Tomcat was not started in-process by the Tomcat connector. Important Note: The most stable and robust connector for connecting Tomcat 3. Instead, the configuration file is written each time Tomcat is started. Handles turning a JSP page into a loaded servlet for execution. Execution for the loaded servlet is handled the same as any other servlet.
It uses Jasper for translating the JSP to a Java file, then performs compilation to a class file directly rather than using Jasper for the class compilation. This module constructs and sets the classloader for each context. It supports the Servlet 2. The available attributes allow control over the context classloader's parent. With the default attributes, "trusted" contexts get the Server Classloader as their parent and "untrusted" contexts get the Apps Classloader as their parent.
For Tomcat 3. If additionalJars is specified as a Context property and as a LoaderInterceptor11 attribute, both lists are added. This module enables logging of when module methods are called. The log output goes to the ContextManager's log channel. Event logging is automatically enabled if the ContextManager's debug level is set greater than 5. An obj. The contents of this obj. This module has no effect if you specify a "-Djava. Setting the policy on the command line is the preferred method.
Handles some miscellaneous tasks that help implement behavior related to the Servlet 2. Creates new session IDs when needed for a request. If the randomFile is not available, the class specified by randomClass will be used.
In this case, initialization of class occurs on the first request requiring a session. Note: The initialization for the java. SecureRandom class can take a relatively long time. For development purposes, you may speed this up by specifying java. Random as the randomClass setting. This should be done only for development since the random sequence generated by java.
Random is predictable. It compares the user name and password information provided by the CredentialsInterceptor against data in memory obtained from an XML file. Since passwords are stored in text form, you should not use this module when security is important. Generates the response for requests that map to static files or directories.
The display of directory listings may be disabled. Handles an enhancement to tag libary support by managing a pool tag objects. Tag objects will be created the first time a JSP page runs.
After use the tag objects are placed in a pool. The next time the JSP page runs, the tag objects are retrieved from the pool rather than recreated. If this module is not present, tag objects can't be retrieved from the pool and tag objects are created for each use.
Provides special handling for "trusted" contexts which have a interceptors. This file can specify modules to be added to the server as if they were specified in the server.
Set the "work" directory for contexts which don't have the "work" directory specified explicitly. Base directory for tomcat installation. It is typically guessed by the startup program, but you can override it here. Directory where temporary files will be created. Base directory for the tomcat instance. While 'install' is used to find the libraries, 'home' is used to resolve almost all relative paths - webapps, work, etc.
A string describing the logfile format. The value of request. Should be the remote users name, as indicated by an identd lookup. Currently it is always "-". It should probably better be recorded while reading the headers. The value of response. Should differ between different internal requests, as Apache httpd does, but this is currently not supported.
File in which to record Ajp12 connector info and password. Such a property would normally be set using command line arguments. Enables Tomcat's authentication, ignoring any authentication from the web server sending the requests. Maximun number of spare threads. Unused threads will be terminated as needed to keep the number of spare threads under this number. Minimum number of spare threads.
Additional threads will be created as needed to keep the number of spare threads up to this number. File in which to record Ajp13 connector info and password. This setting can be overridden by a ContextManager property named "ajpid13". Such a property would normally be set using a command line argument. If true and a password has been set, password checking is performed on the first Ajp13 request of a newly opened connection. If the password doesn't match, the request is ignored and the connection closed.
If they match, the connection is "authenticated" and the current and future requests on that connection are processed normally.
If false or a password isn't set, password checking of the Ajp13 connection is disabled. The password is set using either the secret or useSecret attributes. The desired shutdown password. If set, the shutDownEnable attribute is automatically set true. The connectors supplied with Tomcat 3. Enable shutdown signal via this connector. This attribute is automatically set true if a password is set using the secret or useSecret attributes.
This means that the user returned by HttpServletRequest. If you are using Tomcat with a web server, such as Apache, and you want to use the user authenticated by the web server, set this attribute false.
Enables use of a random number as the shutdown password. Default parent directory for the following paths. Ignored whenever any of the following paths is absolute.
The desired worker. Must be set to one of the workers defined in the workers. Defaults to "ajp13" if an Ajp13Connector is in use, otherwise it defaults to "ajp12". If true , forward all requests to Tomcat. This helps ensure that all the behavior configured in the web. If false , let Apache serve static resources.
Warning: When false , some configuration in the web. If true , the root context is not mapped to Tomcat. If false and forwardAll is true , all requests to the root context are mapped to Tomcat. If false and forwardAll is false , only JSP and servlets requests to the root context are mapped to Tomcat.
When false , to correctly serve Tomcat's root context in the default host you must also modify the DocumentRoot setting in Apache's httpd. Any other characters present in the value will be ignored. Overrides the Server header for the http response.
If set, the value for this attribute overrides any Server header set by a web application. If not set, any value specified by the application is used. If the application does not specify a value then no Server header is set. If true , any Server header set by a web application will be removed. Note that if server is set, this attribute is effectively ignored.
If not set, the default value of false will be used. Use this attribute to enable SSL traffic on a connector. When turning this value true you will want to set the scheme and the secure attributes as well to pass the correct request.
This is set to true by default. The priority of the request processing threads within the JVM. JVM default used if not set. Care should be taken if explicitly setting this value.
This is equivalent to standard attribute connectionLinger. See Socket Performance Options. All three performance attributes must be set else the JVM defaults will be used for all three. When a connector is stopped, it will try to release the acceptor thread by opening a connector to itself.
The default value is and the value is in milliseconds. Default value is 1 per processor but not more than 2. When accepting a socket, the operating system holds a global lock.
So the benefit of going above 2 threads diminishes rapidly. Having more than one thread is for system that need to accept connections very rapidly. However usually just increasing acceptCount will solve that problem. Increasing this value may also be beneficial when a large amount of send file operations are going on.
This value is important, since connection clean up is done on the same thread, so do not set this value to an extremely high one. The default value is milliseconds. Note that the use of sendfile will disable any compression that Tomcat may otherwise have performed on the response.
If true then java. When you are using direct buffers, make sure you allocate the appropriate amount of memory for the direct memory space. This attribute controls the size of this buffer. By default this read buffer is sized at bytes. For lower concurrency, you can increase this to buffer more data. For an extreme amount of keep alive connections, decrease this number or increase your heap size. By default this write buffer is sized at bytes.
For low concurrency you can increase this to buffer more response data. The default value here is pretty low, you should up it if you are not dealing with tens of thousands concurrent connections.
To reduce garbage collection, the NIO connector caches these channel objects. This value specifies the size of this cache. The default value is , and represents that the cache will hold NioChannel objects. Other values are -1 for unlimited cache and 0 for no cache. The integer value specifies how many objects to keep in the cache at most.
The default is Use this option when the command line org. NioSelectorShared value is set to false. Default value is When a selector is returned to the pool, the system can decide to keep it or let it be GC'd.
Default value is -1 unlimited. Only one connector can inherit a network socket. This can option can be used to automatically start Tomcat once a connection request is made to the systemd super daemon's port. SelectorProvider class for more details. The following command line options are available for the NIO connector: -Dorg.
Set this value to false if you wish to use a selector for each thread. When you set it to false , you can control the size of the pool of selectors by using the selectorPool.
To reduce garbage collection, the NIO2 connector caches these channel objects. The default value is , and represents that the cache will hold Nio2Channel objects. If listening on an IPv6 address on a dual stack system, should the connector only listen on the IPv6 address? If not specified the default is false and the connector will listen on the IPv6 address and the equivalent IPv4 address if present. Number of threads used to poll kept alive connections.
On Windows the default is chosen so that the sockets managed by each thread is less than For Linux the default is 1. Changing the default on Windows is likely to have a negative performance impact. Duration of a poll call in microseconds. Lowering this value will slightly decrease latency of connections being kept alive in some cases, but will use more CPU as more poll calls are being made.
The default value is 2ms. Amount of sockets that the poller responsible for sending static files asynchronously can hold at a given time. Extra connections will be closed right away without any data being sent resulting in a zero length file on the client side. Note that in most cases, sendfile is a call that will return right away being taken care of "synchronously" by the kernel , and the sendfile poller will not be used, so the amount of static files which can be sent concurrently is much larger than the specified amount.
First implemented in Tomcat 9 and back-ported to 8. This allows multiple SSL configurations to be associated with a single secure connector with the configuration used for any given connection determined by the host name requested by the client. To facilitate this, the SSLHostConfig element was added which can be used to define one of these configurations.
At the same time, support was added for multiple certificates to be associated with a single SSLHostConfig. For further information, see the SSL Support section below. No special configuration is required to enable this support. See the sslImplementationName attribute of the Connector.
Additional configuration attributes are available. The proxyName and proxyPort attributes can be used when Tomcat is run behind a proxy server. These attributes modify the values returned to web applications that call the request. Without configuring these attributes, the values returned would reflect the server name and port on which the connection from the proxy server was received, rather than the server name and port to whom the client directed the original request.
You will also need to set the scheme and secure attributes to the values https and true respectively, to pass correct information to the servlets. Prior to Tomcat 8. From Tomcat 8. This is to aid simpler switching between connector implementations for SSL connectors. The types of the Certificate s must be unique. As of Tomcat 8. It is expected that Tomcat 10 will drop support for the SSL configuration attributes in the Connector. In addition to the standard TLS related request attributes defined in section 3.
Name of the file that contains the concatenated certificate revocation lists for the certificate authorities. The format is PEM-encoded. If not defined, client certificates will not be checked against a certificate revocation list unless an OpenSSL based connector is used and certificateRevocationListPath is defined.
Name of the directory that contains the certificate revocation lists for the certificate authorities. Set to required if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to optional if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Set to optionalNoCA if you want client certificates to be optional and you don't want Tomcat to check them against the list of trusted CAs.
The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 10 will be used. Name of the file that contains the concatenated certificates for the trusted certificate authorities. Name of the directory that contains the certificates for the trusted certificate authorities.
The ciphers to enable using the OpenSSL syntax. See the OpenSSL documentation for the list of ciphers supported and the syntax.
Note that, by default, the order in which ciphers are defined is treated as an order of preference. See honorCipherOrder. Configures if compression is disabled.
The default is true. Default is false. Note that when TLS session tickets are in use, the full peer certificate chain will only be available on the first connection. Subsequent connections that use a ticket to estrablish the TLS session will only have the peer certificate, not the full chain.
Set to true to enforce the server's cipher order from the ciphers setting instead of allowing the client to choose the cipher. The default is false. Use of this feature requires Java 8 or later. The name of the SSL Host. This should either be the fully qualified domain name e.
Configures if insecure renegotiation is allowed. The KeyManager algorithm to be used. This defaults to KeyManagerFactory. For other vendors, consult the JVM documentation for the default value. The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:.
A plus sign adds the protocol, a minus sign removes it form the current list. The list is built starting from an empty list. Note that TLSv1. If a single protocol is specified it will not support SSLv2Hello. Should the JSSE provider enable certificate revocation checks? If certificateRevocationListFile is set then this attribute is ignored and revocation checks are always enabled.
This attribute is intended to enable revocation checks that have been configured for the current JSSE provider via other means. Why do you need the absolute path? You can and should work with relative paths. See my update — Bozho. Thanks for your update. What you show would allow me to access application resources in code, but I'm not sure how I would translate that into something I could put in my web.
But as you will be reading this parameter in the code anyway, you can put that logic there, rather than the xml — Bozho. You can use Stefan Stefan This would allow me to get the path in the code of my application, but no from the web.
Sign up or log in Sign up using Google. Sign up using Facebook. Sign up using Email and Password. Post as a guest Name.
Email Required, but never shown. The Overflow Blog. Stack Gives Back Safety in numbers: crowdsourcing data on nefarious IP addresses. Featured on Meta.
0コメント