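Antai Information

November 11, 2008

Fixing garbled Chinese text in Java on Red Flag Linux

Filed under: Uncategorized, Linux, java — JACKEYJ @ 8:40 AM

I recently ran a JNLP program, but the Chinese text showed up as boxes, so I searched Google and found the following:

Fixing the garbled text

On Red Flag Desktop 6 SP1, the Java Control Panel may open with garbled text. To fix it, copy the ttf files from /usr/share/fonts/zh_CN/TrueType (on other versions, try /usr/share/fonts/chinese/TrueType) into the "<Java installation directory>/jre/lib/fonts/fallback" folder (for example /usr/java/jre1.6.0_06/lib/fonts/fallback). If there is no "fallback" directory under "<Java installation directory>/jre/lib/fonts", create it by hand.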

October 24, 2008

Antai News: a jconsole usage example

Filed under: Linux, jboss, java — JACKEYJ @ 4:07 PM

Reposted from: www.dangdangwanggoushu.net

Environment:
Server: CentOS4.2 + jdk1.5 + JBoss4.2.3GA
Client: Windows xp sp3 + jdk1.5.0.6
==================================================================================
Steps to configure jconsole remote monitoring:
Server side:
1. cp $JAVA_HOME/jre/lib/management/jmxremote.password.template \
$JAVA_HOME/jmxremote.password
chmod 600 $JAVA_HOME/jmxremote.password # required; otherwise the JVM reports "Error: Password file read access must be restricted…"

2. vi jmxremote.password: uncomment the line #monitorRole RED and change RED to the password you want to set. (For safety, enable only the user with read-only access.) Because the file's permissions are read-only, save and exit with :wq!.

3. Edit $JBOSS/bin/run.conf and add three parameters to JAVA_OPTS:
-Dcom.sun.management.jmxremote.port=1010
-Dcom.sun.management.jmxremote.password.file=$JAVA_HOME/jmxremote.password
-Dcom.sun.management.jmxremote.ssl=false

Here are the startup parameters from my own JBoss configuration:
if [ "x$JAVA_OPTS" = "x" ]; then
   JAVA_OPTS="-Dcom.sun.management.jmxremote\
        -Dcom.sun.management.jmxremote.port=9010\
        -Dcom.sun.management.jmxremote.ssl=false\
        -Dcom.sun.management.jmxremote.authenticate=false\
        -server -Xms256m -Xmx512m -XX:PermSize=128m -XX:MaxPermSize=128m\
        -Djava.rmi.server.hostname=192.168.1.122"
fi

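Note: if you monitor from another machine, you must add the -Djava.rmi.server.hostname=IP option; otherwise jconsole reports that it cannot connect.

4. Run hostname -i; if it prints 127.0.0.1, you need to edit /etc/hosts.

5. vi /etc/hosts and change it as follows:
#127.0.0.1              localhost localhost.localdomain localhost www.dangdangwanggoushu.net

<real IP address of the server>        localhost localhost.localdomain localhost www.dangdangwanggoushu.net
The underlying cause is how the server resolves its own machine name; for the related issue see: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6209663
For the server-side configuration see: http://java.sun.com/j2se/1.5.0/docs/guide/management/agent.html#remote

6. Start JBoss and check that the listening port is up: netstat -na|grep 1010 shows whether port 1010 is listening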

[root@download ~]# netstat -nap|grep 9010
tcp        0      0 0.0.0.0:9010                0.0.0.0:*                   LISTEN      15216/java

========================================================================================
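Client side:
1. Go to the bin directory of your JDK installation and run jconsole

2. Specify the connection parameters
Remote host: the server's real IP address
Port: 9010 (the port given by -Dcom.sun.management.jmxremote.port in $JAVA_ARGS)
User name: monitorRole (the user name given in jmxremote.password)  # my configuration does not require authentication, so this field can be ignored
Password: your_password (the password set in jmxremote.password)    # my configuration does not require authentication, so this field can be ignored
3. Connect -> OK

For the client-side configuration see: http://java.sun.com/j2se/1.5.0/docs/guide/management/jconsole.html
jconsole documentation: http://java.sun.com/j2se/1.5.0/docs/tooldocs/share/jconsole.html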
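
The JMX settings in this post differ in what they expose: step 3 keeps password authentication but turns SSL off, while the author's own run.conf turns both off. The following Python check is an added example, not part of the original post or of any JBoss or JDK tooling; it reads a JAVA_OPTS string and reports those settings plus the password-file permission that step 1 requires. The function names and the temporary password file are constructed for the illustration.

```python
import os
import shlex
import stat
import tempfile

PREFIX = "-Dcom.sun.management.jmxremote"

# The options from the author's run.conf above, as the shell hands them to java.
AUTHOR_OPTS = (
    "-Dcom.sun.management.jmxremote "
    "-Dcom.sun.management.jmxremote.port=9010 "
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-server -Xms256m -Xmx512m -XX:PermSize=128m -XX:MaxPermSize=128m "
    "-Djava.rmi.server.hostname=192.168.1.122"
)


def parse_jmx_options(java_opts):
    """Map each -Dcom.sun.management.jmxremote[.key]=value token to {key: value}."""
    opts = {}
    for token in shlex.split(java_opts):
        if token.startswith(PREFIX):
            key, _, value = token[len(PREFIX):].partition("=")
            opts[key.lstrip(".")] = value
    return opts


def audit_jmx(java_opts):
    """Return a list of (code, detail) findings for one JAVA_OPTS string."""
    opts = parse_jmx_options(java_opts)
    if "port" not in opts:
        return []  # no remote JMX connector is opened at all
    findings = []
    # authenticate and ssl both default to true when they are not set.
    auth_on = opts.get("authenticate", "true").lower() != "false"
    if not auth_on:
        findings.append(("NO_AUTH", "port %s accepts JMX clients without "
                         "credentials" % opts["port"]))
    if opts.get("ssl", "true").lower() == "false":
        findings.append(("NO_SSL", "JMX traffic, including any password, "
                         "crosses the network unencrypted"))
    pw_file = opts.get("password.file")
    if auth_on and pw_file and os.path.isfile(pw_file):
        mode = stat.S_IMODE(os.stat(pw_file).st_mode)
        if mode & 0o077:  # any group/other bit set
            findings.append(("PW_FILE_MODE", "%s is mode %o; it must be "
                             "readable by its owner only (chmod 600)"
                             % (pw_file, mode)))
    return findings


def demo():
    """Audit the author's options and the step 3 options (constructed file)."""
    results = {"author": [code for code, _ in audit_jmx(AUTHOR_OPTS)]}
    with tempfile.TemporaryDirectory() as tmp:
        pw = os.path.join(tmp, "jmxremote.password")
        with open(pw, "w") as fh:
            fh.write("monitorRole constructed-placeholder\n")
        step3 = ("-Dcom.sun.management.jmxremote.port=1010 "
                 "-Dcom.sun.management.jmxremote.password.file=%s "
                 "-Dcom.sun.management.jmxremote.ssl=false" % pw)
        os.chmod(pw, 0o644)  # before the chmod 600 from step 1
        results["step3_loose"] = [code for code, _ in audit_jmx(step3)]
        os.chmod(pw, 0o600)  # after it
        results["step3_600"] = [code for code, _ in audit_jmx(step3)]
    return results


if __name__ == "__main__":
    for label, codes in demo().items():
        print(label, codes)
```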

September 25, 2008

Antai Information: Debian Linux Apache 2.0.63, JBoss 4.2.2, Java 1.5 cluster installation

Filed under: Linux, apache, jboss, java, ubuntu — JACKEYJ @ 11:43 AM

Apache2/JBoss/Java Cluster Guide

1 Download needed software

1.1 Jboss4.2.2 GA

Go to http://www.jboss.org/download/ and download jboss-4.2.3.GA.zip.

1.2 Java SE 5.0 Update 16

Go to
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jdk-1.5.0_16-oth-JPR@CDS-CDS_Developer

Select Linux as the platform and Multi-language as the language, then download
jdk-1_5_0_16-linux-i586.bin.

1.3 Apache httpd 2.0.63

Go to http://httpd.apache.org/download.cgi and download httpd-2.0.63.tar.gz.

1.4 Tomcat Connectors 1.2.9

Go to http://apache.deathculture.net/tomcat/tomcat-connectors/jk/source/jk-1.2.26/ and download tomcat-connectors-1.2.26-src.tar.gz.

2 Java installation

Log in to the Debian OS as root, then create a Linux user, e.g. ‘deploy’.

Log in with the ‘deploy’ account, then upload jdk-1_5_0_16-linux-i586.bin to the home directory.

chmod 755 jdk-1_5_0_16-linux-i586.bin

./jdk-1_5_0_16-linux-i586.bin

ln -s jdk1.5.0_16 jdk

Extract Java and link it to jdk as above. Then modify the environment variables in the profile.

cd /home/deploy

vi .bash_profile

#add for Jboss and jdk begin
JAVA_HOME=/home/deploy/jdk;export JAVA_HOME
CLASSPATH=./:/home/deploy/jdk/lib/dt.jar:/home/deploy/jdk/lib/tools.jar;export CLASSPATH
PATH=$PATH:/home/deploy/jdk/bin:/home/deploy/jdk/jre/bin;export PATH
alias l="/bin/ls -al"
export HOME=/home/deploy
export PS1='$PWD>'
export EDITOR=vi
set -o vi

After modifying .bash_profile, save it and log out.

3 JBoss installation

Log in with the deploy account, then upload jboss-4.2.3.GA.zip to the home directory.

3.1 Extract Jboss package

unzip jboss-4.2.3.GA.zip

mv jboss-4.2.3.GA jboss

Extract jboss-4.2.3.GA.zip to jboss-4.2.3.GA and rename the directory to jboss.

3.2 Copy the needed libraries and JARs to the default deployment

If JBoss needs to run in a cluster, copy some library and JAR files from its ‘all’ directory to the ‘default’ directory. Execute the following commands:

cd ~/jboss/server/default/lib/
cp ~/jboss/server/all/lib/jgroups.jar .
cp ~/jboss/server/all/lib/jbossha.jar .
cd ~/jboss/server/default/deploy
cp -r ~/jboss/server/all/deploy/jboss-web-cluster.sar/ .
cp ~/jboss/server/all/deploy/cluster-service.xml .
cd ~/jboss/server/default/deploy/jboss-web.deployer/META-INF/

3.3 Configure cluster parameters

vi jboss-service.xml

Then, for each JBoss Tomcat instance in the cluster, we need to tell it to add the jvmRoute value to its session cookies so that mod_jk can route incoming requests. Locate the <attribute> element with a name of UseJK (line 114 of jboss-service.xml) and set its value to true.

cd ~/jboss/server/default/deploy/jboss-web.deployer/

vi server.xml

Find the line <Engine name="jboss.web" defaultHost="localhost"> and add jvmRoute="debian01" to it. Different nodes must have different jvmRoute names. The result is as follows:

<Engine name="jboss.web" jvmRoute="debian01" defaultHost="localhost">

cd ~/jboss/server/default/deploy

vi cluster-service.xml

The cluster can use either the UDP or the TCP communication protocol. Comment out the UDP configuration node (lines 39 to 80), then uncomment the TCP configuration node.

At line 85, find bind_addr="thishost" and change thishost to the IP address of the current host.

Find start_port="7800" and change 7800 to 7820.

Find TCPPING initial_hosts="thishost[7800],otherhost[7800]", change thishost to the IP address of the current host and otherhost to the IP address of the other node, and change both "7800" to "7820".

A sample TCP configuration follows:

         <Config>
            <TCP bind_addr="10.5.6.44" start_port="7820" loopback="true"
                 tcp_nodelay="true"
                 recv_buf_size="20000000"
                 send_buf_size="640000"
                 discard_incompatible_packets="true"
                 enable_bundling="false"
                 max_bundle_size="64000"
                 max_bundle_timeout="30"
                 use_incoming_packet_handler="true"
                 use_outgoing_packet_handler="false"
                 down_thread="false" up_thread="false"
                 use_send_queues="false"
                 sock_conn_timeout="300"
                 skip_suspected_members="true"/>
            <TCPPING initial_hosts="10.5.6.44[7820],10.5.6.246[7820]" port_range="3"
                     timeout="3000"
                     down_thread="false" up_thread="false"
                     num_initial_members="3"/>
            <MERGE2 max_interval="100000"
                    down_thread="false" up_thread="false" min_interval="20000"/>
            <FD_SOCK down_thread="false" up_thread="false"/>
            <FD timeout="10000" max_tries="5" down_thread="false" up_thread="false" shun="true"/>
            <VERIFY_SUSPECT timeout="1500" down_thread="false" up_thread="false"/>
            <pbcast.NAKACK max_xmit_size="60000"
                           use_mcast_xmit="false" gc_lag="0"
                           retransmit_timeout="300,600,1200,2400,4800"
                           down_thread="false" up_thread="false"
                           discard_delivered_msgs="true"/>
            <pbcast.STABLE stability_delay="1000" desired_avg_gossip="50000"
                           down_thread="false" up_thread="false"
                           max_bytes="400000"/>
            <pbcast.GMS print_local_addr="true" join_timeout="3000"
                        down_thread="false" up_thread="false"
                        join_retry_timeout="2000" shun="true"
                        view_bundling="true"/>
            <pbcast.STATE_TRANSFER down_thread="false" up_thread="false" use_flush="false"/>
         </Config>

 

3.4 JNDI DataSource

cd ~/jboss/server/default/deploy

cp ~/jboss/docs/examples/jca/postgres-ds.xml .

vi postgres-ds.xml

Modify the server name, port, database name, user name and password in postgres-ds.xml.

3.5 Configure the other node as above.

4 Apache 2.0.x and connectors installation

It seems that Debian sarge does not support Apache 2.2.x. If you install Apache via apt-get, it might not support mod_jk, so compile and install Apache 2.0.x manually.

4.1 Upload apache package

Upload httpd-2.0.63.tar.gz to the /usr/src directory.

4.2 Compile & install Apache 2.0.x

Log in as root

cd /usr/src/
tar zxvf httpd-2.0.63.tar.gz
cd httpd-2.0.63
./configure --prefix=/usr/local/apache2 --enable-so --enable-modules=all --enable-mods-shared=all

If the Debian host has multiple CPUs, add --with-mpm=prefork to the above command line.

make clean
make
make install

4.3 Compile connectors

Upload tomcat-connectors-1.2.26-src.tar.gz to the /usr/src directory.

cd /usr/src/tomcat-connectors-1.2.26-src/native
./configure --with-apxs=/usr/local/apache2/bin/apxs

If the Debian host has multiple CPUs, add --enable-prefork to the above command line.

make
make install

You can then see mod_jk.so in the /usr/local/apache2/modules directory.

4.4 Apache & connectors configuration

cd /usr/local/apache2/conf

Add the following line to httpd.conf.

Include conf/mod_jk.conf

Create mod_jk.conf in the /usr/local/apache2/conf directory with the following content:

# Load mod_jk module
# Specify the filename of the mod_jk lib
LoadModule jk_module modules/mod_jk.so
#LoadModule jk_module modules/mod_jk-1.2.26-httpd-2.2.4.so

# Where to find workers.properties
JkWorkersFile conf/workers.properties

# Where to put jk logs
JkLogFile logs/mod_jk.log

# Set the jk log level [debug/error/info]
JkLogLevel info

# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"

# JkOptions indicates to send SSL KEY SIZE
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

# JkRequestLogFormat
JkRequestLogFormat "%w %V %T"

# Mount your applications
JkMount /application/* loadbalancer

# You can use external file for mount points.
# It will be checked for updates each 60 seconds.
# The format of the file is: /url=worker
# /examples/*=loadbalancer
#JkMountFile conf/uriworkermap.properties

# Add shared memory.
# This directive is present with 1.2.10 and
# later versions of mod_jk, and is needed
# for load balancing to work properly
JkShmFile logs/jk.shm

# Add jkstatus for managing runtime data
<Location /jkstatus/>
    JkMount status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

 

Create workers.properties in the /usr/local/apache2/conf directory with the following content:

worker.list=loadbalancer,debian01,debian02

# Define the first node…
worker.debian01.port=8009
worker.debian01.host=10.5.6.246
worker.debian01.type=ajp13

worker.debian01.lbfactor=1
#worker.debian01.local_worker=1
worker.debian01.cachesize=100

# Define the 2nd node…
worker.debian02.port=8009
worker.debian02.host=10.5.6.44
worker.debian02.type=ajp13
worker.debian02.lbfactor=1
#worker.debian02.local_worker=1
worker.debian02.cachesize=100

# Now we define the load-balancing behaviour
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=debian01,debian02

worker.loadbalancer.sticky_session=1

debian01 and debian02 are the jvmRoute aliases defined in ~/jboss/server/default/deploy/jboss-web.deployer/server.xml.

10.5.6.246 and 10.5.6.44 are the IP addresses of the two nodes.

 

4.5 Start/stop jboss and apache

Log in with the deploy account, then

cd ~/jboss/bin
./run.sh -b 0.0.0.0

To stop JBoss, press ctrl+c in the terminal.

Log in as root,

cd /usr/local/apache2/bin

Start Apache as follows:

./apachectl -k start

Stop Apache as follows:

./apachectl stop

 

5 Deploy application on Jboss

May 31, 2007

JBoss Application Server Security Vulnerability Notice

Filed under: jboss, java — JACKEYJ @ 7:38 PM

This document (3024921) is provided subject to the disclaimer at the end of this document.

environment

JBoss Application Server versions 4.0.1 SP1
JBoss Application Server versions 4.0.2 SP1
JBoss Application Server versions 4.0.3 SP1
JBoss Application Server versions 4.0.5
Novell Identity Manager UserApplication 3.0
Novell Identity Manager UserApplication 3.0.1 SP1

situation

Symantec discovered a flaw in the DeploymentFileRepository class of the JBoss Application Server. A remote attacker who is able to access the console manager could read or write to files with the permissions of the JBoss AS user. This could potentially lead to arbitrary code execution as the JBoss AS user. (CVE-2006-5750)

Please note that the JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide. By default, the JBoss AS installer gives users the ability to password protect the console manager, limiting an attack using this vulnerability to authorised users. These steps can also be performed manually.

resolution

The quickest and easiest approach to correct this security vulnerability is to:

1) Remove the offending service
2) Secure the JBoss JMX and Web Consoles
However, we strongly feel the best approach is to secure JBoss using the following optional procedures:
- secure jmx-console and web-console authentication via SSL
- secure your Web Application in JBoss Application Server
- use a one-way hash to protect the administrative password property file
- secure the invokers
To remove the offending service, use the following steps:
1) completely undeploy the web-console application by removing the directory deploy/management from the ‘default’ and ‘all’ configurations
or
2) comment out the DeploymentFileRepository service deployed by deploy/management/console-mgr.sar in the ‘default’ and ‘all’ configurations. If console-mgr.sar is packed, unpack it and edit the META-INF/jboss-service.xml descriptor, commenting out the following entry:

name="jboss.admin:service=DeploymentFileRepository">
./deploy/management

The web-console will still work, without the ability to create alerts/monitors/snapshots.


Secure the JMX and Web Consoles
1) Secure the JMX Console using a username/password file
a) Locate the jmx-console.war directory, normally found in server/default/deploy in your JBOSS_HOME directory.
b) Edit WEB-INF/web.xml and uncomment the security-constraint block.
c) Edit WEB-INF/jmx-console-users.properties or server/default/conf/props/jmx-console-users.properties (version >=4.0.2) and WEB-INF/jmx-console-roles.properties or server/default/conf/props/jmx-console-roles.properties (version >=4.0.2) and change the users and passwords to what you desire.
Please note: They will need the JBossAdmin role specified in the web.xml file to run the JMX Console.
d) Edit WEB-INF/jboss-web.xml and uncomment the security-domain block. The security-domain value of jmx-console maps to the entry declared in the login-config.xml JAAS configuration file, which defines how authentication and authorization are done.

2) Secure the JMX Console using your own JAAS domain
a) Edit WEB-INF/web.xml as above, uncommenting the security-constraint block. Change the role-name value to be the role in your domain that can access the console.
b) Edit WEB-INF/jboss-web.xml as in step 1 and set the security domain to be the name of your security domain. For example, if your login-config.xml has an application-policy whose name is MyDomain, then your JAAS domain is java:/jaas/MyDomain.
c) Redeploy the application.

3) Secure the web console
a) In the deploy directory, locate management/web-console.war and make the same changes as above to WEB-INF/web.xml, WEB-INF/jboss-web.xml and the users/groups properties file.
The default JAAS domain used by the web-console is java:/jaas/web-console and is defined in login-config.xml in the conf directory. You can use a custom JAAS domain or customize the existing domain in the same way as with the JMX console. Typically you would just use the same domain (java:/jaas/jmx-console) as the jmx-console so that you have a single user/role mapping to configure.

Update for 4.0.2
The jmx-console-roles.properties and jmx-console-users.properties files have been moved to server\default\conf\props.
The web console is already unpacked in the default server configuration as deploy/management/console-mgr.sar/web-console.war. Edit the WEB-INF/web.xml and jboss-web.xml files as per securing the JMX console.

A quicker method to secure the Web and JMX console is the following:
1) Navigate to JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml
and uncomment the security-constraint block, add a block after the end of the block
example:

BASIC
JMXConsole

2) Navigate to JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/jboss-web.xml
and uncomment the security-domain block

3) Navigate to $JBOSS_HOME/server/default/conf/props/jmx-console-users.properties
and change the password for admin

4) Navigate to JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
and uncomment the security-constraint block

5) Navigate to JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/jboss-web.xml
and uncomment the security-domain block

6) Navigate to JBOSS_HOME/server/default/conf/login-config.xml
and change the path to the web-console-users.properties and the web-console-roles.properties as follows (add props/ to the front of the path)
props/web-console-users.properties
props/web-console-roles.properties

7) Navigate to JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/classes/web-console-*.properties and JBOSS_HOME/server/default/conf/props
edit as needed

8) Navigate to JBOSS_HOME/server/default/conf/props/jmx-console-roles.properties and JBOSS_HOME/server/default/conf/props/web-console-roles.properties
and edit as needed

9) Restart jboss
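
The checks behind the quick method above, together with the DeploymentFileRepository removal step, can be automated. The following Python audit is an added example, not code from Novell or JBoss; it assumes an unpacked console-mgr.sar, its function names are hypothetical, and the sample server tree it builds is constructed and heavily trimmed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Paths and names below are the ones the steps above refer to.
CONSOLES = {
    "jmx-console": "deploy/jmx-console.war/WEB-INF",
    "web-console": "deploy/management/console-mgr.sar/web-console.war/WEB-INF",
}
USERS_FILE = "conf/props/jmx-console-users.properties"
CONSOLE_MGR = "deploy/management/console-mgr.sar/META-INF/jboss-service.xml"
REPO_MBEAN = "jboss.admin:service=DeploymentFileRepository"


def active_elements(path):
    """Yield (local tag name, element) for every element that is live XML.

    ElementTree discards comments while parsing, so a block that is still
    commented out in the descriptor never appears here.
    """
    for el in ET.parse(path).iter():
        yield el.tag.rsplit("}", 1)[-1], el


def has_active(path, tag):
    return os.path.isfile(path) and any(t == tag for t, _ in active_elements(path))


def audit_server(server_dir):
    """Return findings for one unpacked configuration, e.g. server/default."""
    findings = []
    for name, web_inf in CONSOLES.items():
        base = os.path.join(server_dir, web_inf)
        if not os.path.isdir(base):
            continue  # console not deployed in this configuration
        if not has_active(os.path.join(base, "web.xml"), "security-constraint"):
            findings.append(name + ": no active security-constraint in web.xml")
        if not has_active(os.path.join(base, "jboss-web.xml"), "security-domain"):
            findings.append(name + ": no active security-domain in jboss-web.xml")

    users = os.path.join(server_dir, USERS_FILE)
    if os.path.isfile(users):
        with open(users) as fh:
            for line in fh:
                user, _, password = line.strip().partition("=")
                if (user, password) == ("admin", "admin"):
                    findings.append("jmx-console-users.properties: admin=admin unchanged")

    mgr = os.path.join(server_dir, CONSOLE_MGR)
    if os.path.isfile(mgr) and any(
        el.get("name") == REPO_MBEAN for _, el in active_elements(mgr)
    ):
        findings.append("console-mgr.sar: DeploymentFileRepository service is active")
    return findings


def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_sample(root, secured):
    """Write a constructed, trimmed server tree: as shipped or after the steps."""
    constraint = ("<security-constraint><auth-constraint><role-name>JBossAdmin"
                  "</role-name></auth-constraint></security-constraint>")
    domain = "<security-domain>java:/jaas/jmx-console</security-domain>"
    mbean = '<mbean name="%s"/>' % REPO_MBEAN
    commented = lambda xml: "<!-- %s -->" % xml
    for web_inf in CONSOLES.values():
        write(root, web_inf + "/web.xml", "<web-app>%s</web-app>"
              % (constraint if secured else commented(constraint)))
        write(root, web_inf + "/jboss-web.xml", "<jboss-web>%s</jboss-web>"
              % (domain if secured else commented(domain)))
    write(root, USERS_FILE,
          "admin=%s\n" % ("constructed-placeholder" if secured else "admin"))
    write(root, CONSOLE_MGR,
          "<server>%s</server>" % (commented(mbean) if secured else mbean))


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, secured in (("as_shipped", False), ("hardened", True)):
            root = os.path.join(tmp, label)
            build_sample(root, secured)
            results[label] = audit_server(root)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, len(findings), findings)
```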

How to secure the JMX-console and Web-console authentication via SSL
These steps will redirect jboss admin pages to https://localhost:8443

1) You must first enable HTTP authentication as outlined in the sections above


2)Navigate to JBOSS_HOME/server/default/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml, include the following just before end of tag security-constraint


CONFIDENTIAL


3)Navigate to JBOSS_HOME/server/default/deploy/jmx-console.war/WEB-INF/web.xml,include the following just before end of tag security-constraint


CONFIDENTIAL

4) Create a keystore and supply a secure password. (for information on creating a keystore please see TID#3103136 How to install a signed certificate into Jboss for the IDM3 User Application,
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=


5)Enable SSL in JBoss
-locate jbossweb-tomcat55.sar file under \jboss\server\YourJBossServer\deploy.
-In it, find server.xml and open that file in a text editor.
-Enable SSL by uncommenting “SSL/TLS Connector” or adding the following section if it is not there:


maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
emptySessionPath="true"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/spitfire/conf/jboss.jks"
keystorePass="changeit" sslProtocol="TLS" />

**Note 1: Remember to point “keystoreFile” to the keystore you created. example: ${jboss.server.home.dir}/conf/server.keystore
**Note 2: Remember to change the keystorePass=”changeit” to your keystore password

6)Restart your JBoss Server and test
When restarting the JBoss Server you should see the server running on 2 ports, your http port and your ssl port https:8443

Securing a Web Application in JBoss AS

1) Create a simple security domain for JBoss SX
a) Open the ${jboss.dist}/server/${server.name}/conf/login-config.xml file
1) This file sets up the configuration for the security domains available to applications running in the server. The file contains a few example domains you may want to look at for reference.
2) JBoss SX uses JAAS for the infrastructure of the underlying security.
3) JAAS uses a class called a “login module” to interact with a security store for authenticating credentials.
4) This file basically hooks up a security domain to a JAAS login module.
5) JBoss Application Server comes packed with the “UsersRolesLoginModule”. The “UsersRolesLoginModule” allows you to specify user names, passwords and roles in a simple property file.

b) Copy the “jmx-console” domain policy
1) The “jmx-console” security domain policy contains the basics for configuring a UsersRolesLoginModule based security domain.

code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">

name="usersProperties">
props/jmx-console-users.properties

name="rolesProperties">
props/jmx-console-roles.properties

2) copy this section to the bottom of the file
3) edit the “name” attribute on the application-policy element to “my-web”
4) edit the “usersProperties” module-option text value to be “props/my-web-users.properties”
5) edit the “rolesProperties” module-option text value to be “props/my-web-roles.properties”
6) save the login-config.xml file.

c) In the ${jboss.dist}/server/conf/props directory,
1) copy the jmx-console-users.properties into a new file called my-web-users.properties,
2) copy the jmx-console-roles.properties into a new file called my-web-roles.properties.
3) open the “my-web-users.properties” file; you will see a single entry like “admin=admin” (the structure is “username=password”). When a user logs into the security domain, the login module will examine the properties data in this file for users.
4) Add a new user, for example “tester=security”, to the file under “admin=admin”
5) Save file
6) open the my-web-roles.properties file, notice an entry similar to the following: “admin=JBossAdmin,HttpInvoker”.
These entries define the roles a user has associated with their account at login. The structure is “username=Role1,Role2,…”: the username is the user you wish to assign roles to, and the Roles entries are a comma-separated list of roles to assign to that user.
7) Add a new entry to this file, for example “tester=WebAppUser” on a new line below the “admin=….”.
8) Save file.

2) Configure the web application for security by adding constraints to the web deployment descriptor.
a) modify the web.xml in the WEB-INF directory of the web application you are securing to add in the following:

All resources
Protects all resources
/*

WebAppUser


WebAppUser

BASIC
Test Realm

Note: “security-constraint” is used to define what resources in the web application are protected.
“url-pattern” element specifies the URL pattern to protect (example above protects _all_ resources in the web application)
“auth-constraint” element specifies which roles have access to the protected resource (example just specifies one role)
- This role name must match the name of the role you specified in “my-web-roles.properties” file.
“login-config” element specifies how authentication occurs with the web application.
“auth-method” element specifies how the browser gets credentials from the user.
- “BASIC”, “DIGEST”, “FORM”, and “CLIENT-CERT” are possible methods to retrieve data from the browser user.
The example above uses “BASIC”, but this method should not be used in a production environment unless you are using SSL/TLS.
“realm-name” element just specifies the authentication realm name that is given to the browser for authentication.

3) Configure the jboss-web.xml file to point to the “my-web” application.
a) edit the jboss-web.xml in the WEB-INF directory of the web application you are securing
- add the following in the “jboss-web” element:

java:/jaas/my-web

This instructs JBoss Application Server to connect the web application to the “my-web” security domain we defined in the login-config.xml file earlier.

4) Start the JBoss Application Server

5) In a browser navigate to your application
- you should be prompted for username and password.

6) Enter the user and password we created earlier; in our example we used “tester” for the username and “security” for the password.
If your set-up is correct, you will be allowed access to the web application.

To test,
1) close the browser

2) open it again and navigate back to your application.

3) When prompted, enter no credentials, or “admin” with password “admin”;
you should not have access to the application

Protecting the Administrator password property file

You can also use a one-way hash for protecting the admin password property file.

In the above section on “Securing a Web Application in JBoss AS” in step 1 section “b” we used the following configuration fragment:

props/jmx-console-users.properties
props/jmx-console-roles.properties

To add the hash support, you need to add the following options to it:
MD5
base64
Now in the usersProperties file, you no longer do user=pass. Instead, you do user=md5(pass).

The user is responsible for generating the md5() value, either by themselves or using the following program (please notice that it relies on org.jboss.security.Util, which is in jbosssx.jar).

import java.security.MessageDigest;
import org.jboss.security.Util;

class HashPassword
{
    // Usage: java HashPassword <password>  (needs jbosssx.jar on the classpath)
    public static void main(String[] args) throws Exception
    {
        String password = args[0];
        // MD5 is the hash algorithm configured in the options above
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] passwordBytes = password.getBytes();
        byte[] hash = md.digest(passwordBytes);
        // base64 is the encoding configured in the options above
        String passwordHash = Util.encodeBase64(hash);
        System.out.println("password hash: " + passwordHash);
    }
}

Securing the Invokers
1)Enabling authentication to the RMIAdaptor service
- in JBossAS 4.0.x, edit jmx-invoker-service.xml
- in JBossAS 3.2.x, edit jmx-invoker-adaptor-server.sar/META-INF/jboss-service.xml
and uncomment the descriptors section of the invoke operation:


The detached invoker entry point
invoke

The method invocation context
invocation
org.jboss.invocation.Invocation java.lang.Object

securityDomain="java:/jaas/jmx-console"/>

The value of the securityDomain attribute maps to the security domain name found in the conf/login-config.xml definitions the same way as the jboss.xml, jboss-web.xml security-domain elements.

2)Enabling authorization to the RMIAdaptor service
- An “AuthorizationInterceptor” is available in JBoss. Place the interceptor after the “AuthenticationInterceptor”.

configuration: * authorizingClass : fully qualified name of a class that does the authorization and contains a method with the following signature

“public void authorize( Principal caller, Subject subject, String objectname,String opname)” that can throw a java.lang.SecurityException

An example of an authorizing class is org.jboss.jmx.connector.invoker.RolesAuthorization, which looks for a hardcoded “JBossAdmin” role in the authenticated subject.

securityDomain="java:/jaas/jmx-console"/>

authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"/>

Starting with 4.0.4.GA, JBoss has an authorization delegate that looks for passwords from a properties file called “jmxinvoker-roles.properties”, which can be in a jar file or in the conf directory.

securityDomain="java:/jaas/jmx-console"/>

authorizingClass="org.jboss.jmx.connector.invoker.ExternalizableRolesAuthorization"/>

The format of the “jmxinvoker-roles.properties” file is:

#Specify the roles that are authorized to access the jmx invoker delimited by comma
roles=testRole,testRole1

If you don’t succeed in securing the RMIInvoker

1) try placing the security-service.xml in a SAR

2) create a folder named security.sar that has a subfolder named META-INF

3) move your security-service.xml to this folder and rename it to jboss-service.xml

4)Place the security.sar in the deploy-folder

status

Security Alert
Top Issue

document

Document ID: 3024921
Creation Date: 2007-02-09 15:53:34.0
Modified Date: 2007-02-09 08:52:10.0
Novell Product: Identity Manager

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

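March 21, 2007

Connecting to Tomcat through the Apache proxy

Filed under: Uncategorized, Linux, apache, jboss, java — JACKEYJ @ 2:25 AM

Until now I have always used mod_jk to run apache+tomcat.

This evening I saw that the latest Apache 2.2.4 has officially released the proxy feature, so I tested it. The results were good, and it is much easier to configure than mod_jk.

Test setup:

System: winxp sp2 apache2.2.4 tomcat 5.0

Configuration:

1. Edit Apache's httpd.conf and enable the proxy modules, as follows: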

#########################################################
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#########################################################

2. Enable the vhost configuration in httpd.conf

# Virtual hosts
Include conf/extra/httpd-vhosts.conf

3. Configure a virtual host in httpd-vhosts.conf, as follows:


ServerAdmin admin@viiving.com
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
ServerName localhost
ServerAlias test.viiving.com
ErrorLog logs/dummy-host3.www.viiving.com-error_log
CustomLog logs/dummy-host3.www.viiving.com-access_log common

4. Start tomcat and apache, then enter http://localhost/index.jsp in the browser to reach the content served by tomcat.

5. Other

Configuration on Linux (CentOS4.4 and Ubuntu6.06)
./configure --prefix=/data/apache2 --enable-so --enable-rewrite=share --enable-proxy=share --enable-proxy-ajp=share --enable-dav=share

______________________________________________________________________
reference other doc


February 27, 2007

vim syntax highlighting on ubuntu

Filed under: Uncategorized, Linux, java, php, perl, python — JACKEYJ @ 8:52 AM

In Ubuntu 6.0.6, vim syntax highlighting is disabled by default.
To enable it, uncomment the syntax on item in the /etc/vim/vimrc file,
as shown below:
[code]
" Vim5 and later versions support syntax highlighting. Uncommenting the next
" line enables syntax highlighting by default.
syntax on

[/code]

February 20, 2007

Linux web site bookmarks

Filed under: Uncategorized, Linux, apache, java, php, perl, python — JACKEYJ @ 9:10 PM

International
http://lwn.net/
http://www.tldp.org/
https://rhn.redhat.com
http://www.justlinux.com/
http://www.linuxtoday.com/
http://www.linuxquestions.org/
http://www.fokus.gmd.de/linux/
http://www.linux-tutorial.info/
http://public.www.planetmirror.com/
http://www.freebsdforums.org/forums/
http://www.netfilter.org/documentation/
http://www-106.ibm.com/developerworks/linux/
http://www.redhat.com/docs/ official Red Hat documentation; a must-read for Red Hat users
http://www.redhat.com/apps/support/errata/ Red Hat security alerts, software updates and enhancements; check at least once a week

China
http://www.fanqiang.com/
http://www.linuxsir.com/
http://www.chinaunix.net/
http://www.linuxfans.org/
http://www.linuxeden.com/
http://www.linuxforum.net/
http://www.linuxaid.com.cn/
http://freesoft.online.sh.cn/
http://www-900.ibm.com/developerWorks/cn/linux/index.shtml

Red Hat Linux download locations
ftp://ftp.redhat.com/pub/redhat/linux
http://redhat.com/download/mirror.html

Official worldwide mirror sites for Red Hat releases
http://freesoft.online.sh.cn Fast downloads within China
http://www.linuxeden.com/
http://www.freshrpms.net/
http://www.linux.cz/apt-rpm/ - Red Hat linux 7.x repositories (with all freshrpms included too!)
http://apt-rpm.tuxfamily.org/ - Red Hat linux 6.2, 7.x and 8.0 repositories
http://apt.nlc.no/apt/ - Red Hat linux 6.2, 7.x and Rawhide repositories
http://ftp.uninett.no/pub/linux/apt/ - Red Hat linux 6.2, 7.x, 8.0 and Rawhide repositories
http://redhat.usu.edu/ - Red Hat linux 7.2, 7.3 and 8.0 repositories
ftp://mirror.pa.msu.edu/apt/ - Red Hat linux 7.2, 7.3 and 8.0 repositories
http://apt-rpm.codefactory.se/ - Red Hat linux 7.2, 7.3 and 8.0 and gnomehide repositories
http://apt.42h.de/ - Red Hat Linux 7.2, 7.3 and 8.0 repositories
http://apt.toggletext.com.au/ - A few Red Hat linux 7.2 custom packages
http://people.ecsc.co.uk/~matt/repository.html - Lots of custom Red Hat Linux 8.0 GNOME 2 and related packages
http://ftp-stud.fht-esslingen.de/apt/ - Red Hat linux 7.x, 8.x and rawhide
http://apt.unl.edu/ - Red Hat linux 7.3 and 8.0
http://kde-redhat.sourceforge.net/ - KDE for Red Hat project

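Searching for common Linux software
http://bingle.pku.edu.cn Peking University Tianwang FTP search; education-network and domestic users looking for software should go here first, the selection is especially rich
http://www.linuxforum.net/ Hosts official mirrors of many foreign software packages; visit it first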
http://rpmfind.net
http://freshmeat.net
http://sourceforge.net
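Note: many projects have their main site on sourceforge, at addresses of the form http://phpmyadmin.sourceforge.net, and can be reached through addresses like http://sourceforge.net/projects/phpmyadmin; if that is unreachable, the software can also be downloaded directly from an HTTP mirror such as http://telia.dl.sourceforge.net/phpmyadmin/
http://www.gnu.org Home of GNU; source code for software such as gcc and bash is available here

Linux documentation and FAQs
http://www.tldp.org Highly recommended! The linux document project: linux HOWTO and guides
http://www.linux.org.tw/CLDP/ Highly recommended! Chinese edition of TLDP, in Traditional Chinese
http://www.linuxgazette.com/ Online Linux magazine
http://linux.tcpip.com.**/*ownload/ Chinese-language Linux documentation and software downloads
http://cosoft.org.cn/html/documents/ Many manuals in Chinese
http://www.google.com Highly recommended! The discussions on this site can also be found through Google, and for difficult problems a Google search gets an answer faster than the vast majority of forums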

Main sites of Linux desktop environments
GNOME: http://www.gnome.org
KDE: http://www.kde.org
XFce: http://www.xfce.org/
Window Maker: http://www.windowmaker.org/
BlackBox: http://sourceforge.net/projects/blackboxwm
XPde: http://www.xpde.com
ROX: http://sourceforge.net/projects/rox
5dwm: http://5dwm.org/
foXdesktop: http://sourceforge.net/projects/foxdesktop
EDE: http://sourceforge.net/projects/ede
UDE: http://sourceforge.net/projects/udeproject

Other operating systems:
Mandrake linux http://www.mandrakelinux.com
debian linux http://www.debian.org
slackware linux http://www.slackware.com
suse linux http://www.suse.com
FreeBSD http://www.freebsd.org
netbsd http://www.netbsd.org
openbsd http://www.openbsd.org
Solaris http://www.sun.com/solaris

Specialist sites for hardware and installation
Linux kernel: http://www.kernel.org
USB installation issues: http://www.linux-usb.org
Laptop installation: http://www.linux-laptop.net
Printer drivers http://www.linuxprinting.org

Main sites of major server software
1. WWW server:
Apache http://www.apache.org
Apache SSL module Mod_ssl http://www.modssl.org
aol server http://www.aolserver.com

2. Servlet/JSP engines:
Tomcat: http://jakarta.apache.org
Resin: http://www.caucho.com
Open-source application server JBoss: http://www.jboss.org

3. Server-side languages:
PHP http://www.php.net
Zend http://www.zend.com
Java http://www.javasoft.com
Python http://www.python.org
Zope http://www.zope.org
Perl http://www.perl.org
Ruby http://www.ruby-lang.org/en

4. Databases:
MySQL http://www.mysql.com
PostgreSQL http://www.postgresql.org
Oracle http://www.oracle.com
sap db http://www.sapdb.org
PHPMyAdmin — http://www.phpmyadmin.org
PHPPgAdmin: http://sourceforge.net/projects/phppgadmin

5. FTP servers
wu-ftpd http://www.wu-ftpd.org
Proftpd http://www.proftpd.org
Pure-ftpd http://www.pureftpd.org
ncftpd http://www.ncftpd.com
vsftpd http://vsftpd.beasts.org

6. SMTP servers
Sendmail http://www.sendmail.org
qmail http://www.qmail.org
Postfix http://www.postfix.org
Exim http://www.exim.org
POP3–qpopper http://www.qpopper.org

7. IMAP servers
Cyrus-IMAPD http://asg.web.cmu.edu/cyrus/imapd
UW IMAP http://www.washington.edu/imap
courierimap http://www.inter7.com/courierimap

8. Basic security tools
firewall Iptables: http://www.iptables.org
shorewall: http://www.shorewall.net
inetd Xinetd: http://www.xinetd.org
Openssl: http://www.openssl.org
OpenSSH: http://www.openssh.org
nmap: http://www.insecure.org/nmap
Tripwire: http://www.tripwire.org
snort: http://www.snort.org
nessus: http://www.nessus.org
GnuPG: http://www.gnupg.org
chkrootkit: http://www.chkrootkit.org
Security advisories: http://www.cert.org

9. Other server software
CVS–CVS http://www.cvshome.org
DNS name resolution BIND http://www.isc.org/products/BIND/
DHCP–DHCP http://www.isc.org/products/DHCP/
Newsgroups INN: http://www.isc.org/products/INN/
Proxy caching: Squid http://www.squid-cache.org
Socks proxy: http://www.socks.nec.com/
Samba Server: http://www.samba.org
Print CUPS: http://www.cups.org
LDAP OpenLDAP: http://www.openldap.org
Traffic analysis MRTG http://www.mrtg.org
Log analysis webalizer http://www.mrunix.net/webalizer/
Ipsec/VPN http://www.freeswan.org
Routing Zebra http://www.zebra.org
Clustering LVS http://www.linuxvirtualserver.org
MPICH http://www-unix.mcs.anl.gov/mpi/mpich/
PVM:http://www.netlib.org/pvm3/
Rsync: http://rsync.samba.org
linuxconf: http://www.solucorp.qc.ca/linuxconf/
Webmin: http://www.webmin.com

10. Other
Kernel upgrades for RedHat Advance Server 2.1
http://redhat.pacific.net.au/redhat/linux/updates/enterprise/2.1AS/en/os/SRPMS/

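February 6, 2007

The simplest way to redirect a URL

Filed under: Uncategorized, Linux, apache, java, php — JACKEYJ @ 9:29 AM

Just add the following code inside your head element:
<meta HTTP-EQUIV=REFRESH CONTENT="10000;URL='http://www.zjant.com'">
CONTENT=0 is the time to wait before redirecting
URL='http://www.zjant.com' is the address to redirect to

If that is not reliable enough, you can also add a JavaScript snippet to the page.
Its content is:

window.location.replace('http://www.zjant.com/');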

February 5, 2007

Three ways to connect Apache HTTP Server and Tomcat

Filed under: Uncategorized, Linux, apache, jboss, java — JACKEYJ @ 2:38 PM

Level: Introductory

Liu Dong (javayou@gmail.com), Development Engineer
January 15, 2007

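Integrating Apache HTTP Server with Tomcat improves static-file performance, lets the web server provide load balancing and fault tolerance, and allows applications to be upgraded seamlessly. This article introduces three ways to integrate Apache and Tomcat.
First, why connect Apache to Tomcat at all? Tomcat itself already provides an HTTP service, on port 8080 by default. Once Tomcat is installed, the applications it runs can be used directly through port 8080, and you can also change that port to 80.

Since Tomcat can already provide this service, why bring in Apache or some other dedicated HTTP server? There are several reasons:
1. Better performance when serving static files

2. Using the web server for load balancing and fault tolerance

3. Seamless application upgrades

These three points are very important for a web site. We want the site to be not only fast but also stable, so that users are not locked out because one Tomcat instance goes down or an application is being upgraded. The best HTTP server able to provide all of this is really only Apache's HTTP Server; its integration with Tomcat is the tightest and most reliable.

Next we introduce three ways to integrate Apache and Tomcat.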

JK

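This is the most common approach. You can find many web pages about configuring JK, though the most complete source is still the official documentation. JK has two versions, 1 and 2. The latest release of version 1 is currently 1.2.19, while version 2 was abandoned long ago and will receive no further releases, so version 1 is recommended.

JK communicates with the Tomcat server over the AJP protocol; Tomcat's default AJP Connector port is 8009. JK provides a monitoring and management page, jkstatus, through which you can monitor JK's current working state and adjust the settings of the connections to Tomcat, as shown in the figure below:

Figure 1: The jkstatus monitoring and management page
In this figure we can see that JK currently has two connections configured, to ports 8109 and 8209. The s2 connection is currently stopped, while the s1 connection has handled more than 470,000 requests since the last restart, with 6.2 G of traffic and a maximum concurrency of 13, and so on. We can also use the management functions of jkstatus to switch JK between different Tomcat instances, for example enabling s2 and disabling s1. This is very useful when updating an application, and the whole switchover is transparent to users, which achieves the goal of seamless upgrades. There are already plenty of articles online about configuring JK, so we will not walk through the whole configuration process here. I do want to explain the thinking behind the configuration, though: once you understand it, JK is a very flexible component.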

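The three most important files in a JK configuration are:

httpd.conf
The Apache server's configuration file, used to load the JK module and to specify the JK configuration files

workers.properties
The file that defines the connections to the Tomcat servers

uriworkermap.properties
The URI mapping file, which specifies which URLs are handled by Tomcat. You can also configure these URIs directly in httpd.conf, but the advantage of keeping them separate is that the JK module periodically reloads this file, so configuration changes do not require restarting the Apache server.

The names of the second and third files can be customized. Below is a typical JK configuration in httpd.conf: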

# (httpd.conf)
# Load the mod_jk module
LoadModule jk_module modules/mod_jk.so
#
# Configure mod_jk
#
JkWorkersFile conf/workers.properties
JkMountFile conf/uriworkermap.properties
JkLogFile logs/mod_jk.log
JkLogLevel warn

Next, we create two new files in Apache's conf directory: workers.properties and uriworkermap.properties. Their contents are roughly as follows:

#
# workers.properties
#

# list the workers by name
worker.list=DLOG4J, status

# localhost server 1
# ------------------------
worker.s1.port=8109
worker.s1.host=localhost
worker.s1.type=ajp13

# localhost server 2
# ------------------------
worker.s2.port=8209
worker.s2.host=localhost
worker.s2.type=ajp13
worker.s2.stopped=1

worker.DLOG4J.type=lb
worker.retries=3
worker.DLOG4J.balanced_workers=s1, s2
worker.DLOG4J.sticky_session=1

worker.status.type=status

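The workers.properties configuration above is the one behind the screenshot shown earlier. First we configure two workers of type ajp13, s1 and s2, which point to Tomcat instances running on the same server on two different ports, 8109 and 8209. Next we configure a worker of type lb (meaning load balancing) named DLOG4J. This is a logical worker that manages the two physical connections s1 and s2 configured above. Finally, we configure a worker of type status, which is the module used to monitor JK itself. Having these three workers is not enough: we also need to tell JK which workers are available, hence the line worker.list = DLOG4J, status.

Next comes the URI mapping configuration. We need to specify which URLs are handled by Tomcat and which are handled directly by Apache. The file below makes the meaning of the configuration clear: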

/*=DLOG4J
/jkstatus=status
!/*.gif=DLOG4J
!/*.jpg=DLOG4J
!/*.png=DLOG4J
!/*.css=DLOG4J
!/*.js=DLOG4J
!/*.htm=DLOG4J
!/*.html=DLOG4J

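You have probably worked out most of it already: all requests are handled by the DLOG4J worker, with a few exceptions. The /jkstatus request is handled by the status worker. And what does the exclamation mark at the start of a line mean? It means that the URI that follows is not to be handled by JK; in other words, Apache directly serves all images, CSS files, JS files and static HTML files.

By configuring workers.properties and uriworkermap.properties, many different combinations are possible to meet the requirements for a web site set out earlier. Give it a try!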
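The routing rules just described can be checked mechanically. The following Python is an added example, not code from the original article or from mod_jk: it models how the uriworkermap.properties above routes a request and lists any URI mounted on a status worker, which is the management page whose access is worth reviewing. Assumptions: the function names are hypothetical, patterns are ordered by number of '/' and then length, '!' rules exclude a URI for the named worker, and Python's fnmatch stands in for JK's wildcard matching.

```python
import fnmatch
import re

# Constructed, trimmed copies of the two JK files shown in the article.
WORKERS = """\
worker.s1.type=ajp13
worker.DLOG4J.type=lb
worker.status.type=status
"""
URIMAP = """\
/*=DLOG4J
/jkstatus=status
!/*.gif=DLOG4J
!/*.html=DLOG4J
"""

def worker_types(text):
    """Map worker name -> type from the worker.<name>.type lines."""
    return dict(re.findall(r"^worker\.(\w+)\.type\s*=\s*(\w+)", text, re.M))

def parse_map(text):
    """Split uriworkermap lines into mounts and '!' exclusions."""
    mounts, excludes = [], []
    for line in text.splitlines():
        pattern, _, worker = line.strip().partition("=")
        if not worker or pattern.startswith("#"):
            continue
        target = excludes if pattern.startswith("!") else mounts
        target.append((pattern.lstrip("!").strip(), worker.strip()))
    # Assumption: most specific first (more '/' characters, then longer).
    mounts.sort(key=lambda m: (m[0].count("/"), len(m[0])), reverse=True)
    return mounts, excludes

def route(uri, mounts, excludes):
    """Return the worker that receives uri, or None if Apache serves it."""
    for pattern, worker in mounts:
        if fnmatch.fnmatchcase(uri, pattern):
            excluded = any(w in (worker, "*") and fnmatch.fnmatchcase(uri, p)
                           for p, w in excludes)
            return None if excluded else worker
    return None

def status_mounts(mounts, types):
    """URI patterns mounted on a status (management) worker."""
    return [p for p, w in mounts if types.get(w) == "status"]

if __name__ == "__main__":
    m, x = parse_map(URIMAP)
    print({u: route(u, m, x) for u in ("/index.jsp", "/a/logo.gif", "/jkstatus")})
    print("status worker mounted at:", status_mounts(m, worker_types(WORKERS)))
```
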


  


http_proxy

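This approach uses the mod_proxy module that ships with Apache to connect to Tomcat through proxying. Before configuring it, make sure you are using a 2.2.x version of Apache, because the module was rewritten in 2.2.x, greatly improving its functionality and stability.

The http_proxy mode is a proxy based on the HTTP protocol, so it requires Tomcat to provide an HTTP service; that is, Tomcat's HTTP Connector must be enabled. The simplest configuration looks like this:

ProxyPass /images !
ProxyPass /css !
ProxyPass /js !
ProxyPass / http://localhost:8080/

In this configuration, all requests to http://localhost are proxied to http://localhost:8080/, which is Tomcat's address, except for the images, css and js directories. We can also use mod_proxy for load balancing; consider the following configuration:

ProxyPass /images !
ProxyPass /css !
ProxyPass /js !
ProxyPass / balancer://example/
<Proxy balancer://example/>
BalancerMember http://server1:8080/
BalancerMember http://server2:8080/
BalancerMember http://server3:8080/
</Proxy>

This configuration is much simpler than JK's, and it too offers a page for monitoring the state of the cluster and making some simple maintenance settings.

Figure 2: Monitoring the cluster's running state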


  


ajp_proxy

The ajp_proxy connection method is really the same as http_proxy; both are provided by mod_proxy. The configuration is the same too: just replace http:// with ajp:// and connect to the port of Tomcat's AJP Connector. The example above can be changed to:

ProxyPass /images !
ProxyPass /css !
ProxyPass /js !
ProxyPass / balancer://example/
<Proxy balancer://example/>
# 8009 is Tomcat's default AJP Connector port
BalancerMember ajp://server1:8009/
BalancerMember ajp://server2:8009/
BalancerMember ajp://server3:8009/
</Proxy>

With the proxy connection methods, the required modules must be loaded in Apache. The mod_proxy-related modules are mod_proxy.so, mod_proxy_connect.so, mod_proxy_http.so, mod_proxy_ftp.so and mod_proxy_ajp.so; mod_proxy_ajp.so exists only in Apache 2.2.x. For the http_proxy method, load mod_proxy.so and mod_proxy_http.so; for ajp_proxy, load mod_proxy.so and mod_proxy_ajp.so.


  


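Comparing the three

Compared with JK, the latter two methods are simpler to configure and no less flexible. In terms of stability, however, they are not as battle-tested as JK. After all, Apache 2.2.3 has not been out for long and few sites use these connection methods yet, so for critical Internet sites the JK connection method is still recommended.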

 


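February 2, 2007

Problems caused by accessing MySQL by domain name

Filed under: Linux, DB, java — JACKEYJ @ 8:53 AM

Recently dw rolled out a new system that maps hostnames to IP addresses in /etc/hosts and then accesses MySQL by domain name. When we ran a performance test with loadrunner, using 10 concurrent users for a sustained 10 minutes to measure the speed of PHP connecting to MySQL, we found that the database connection speed dropped markedly over time, with average connection times above 20s.
In addition, many connections like the one below appeared in MySQL's processlist.
| 1045 | unauthenticated user | 10.0.1.70:59038 | NULL | Connect | | login | NULL |
At this point, access to MySQL from PHP was very slow.
In the end we changed the MySQL configuration by adding the following to my.cnf:
[mysqld]
skip-name-resolve
back_log=500
Testing again with the same method gave an average connection time of 5.116s.

This shows that accessing MySQL by domain name affects speed far more than we expected!!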
