Tomcat: Configuring Access Logging

This is the third in my series of posts detailing my efforts to stand up a Tomcat/ACF10 development environment next to my existing Apache/JRun/ACF9 stack. For background, see the first post in the series.

Access logging in Tomcat is fairly straightforward to set up, and the official docs are very understandable. The default configuration installed with ACF10 includes an entry for access logging in ./cfusion/runtime/conf/server.xml. Toward the bottom of the file, find the <Host> element and its child access log <Valve> element.

<Host name="localhost" ... >
   <Valve
      className="org.apache.catalina.valves.AccessLogValve"
      directory="/tmp"
      prefix="access-"
      suffix=".log"
      pattern="common"
      rotatable="true"
      fileDateFormat="yyyy-MM-dd"
   />
   ...
</Host>

Most of what’s shown there is easy to understand. A couple of items are worth touching on:

  • the pattern attribute specifies what gets logged for each request; as noted in the docs, “common” and “combined” are shortcuts for standard sequences of commonly used fields
  • the fileDateFormat attribute specifies the naming mask for the log file; if the logs are rotatable, it also determines how often they are rotated. Because this mask goes to the day level, a new access log is started each day.
  • I’ve temporarily set up the access logs to be created in the /tmp folder just for convenience as I work through configuring; I will change this to have the logs created in a more standard (and more secure) location as I get closer to wrapping this up.

Configure your logs as needed, restart the server, bounce a couple requests off it, and verify that the access logs are present and functional.

Tomcat: Disabling Directory Listings

This is the second in a series of posts detailing my efforts to stand up a Tomcat/ACF10 development environment next to my existing Apache/JRun/ACF9 stack. For background, see the first post in the series.

I will focus my initial configuration efforts on some basics for securing the Tomcat/ACF10 stack, addressing things I know the security scanning services on our network look specifically for. I will start with disabling directory listings provided by default when a browser requests a URL for a directory without a default document. In this post (and all future posts in the series, unless I specifically indicate otherwise), I will use paths based upon my installation of ACF10 in the default location on Mac OS X systems. By default ACF10 is installed in /Applications/ColdFusion10; you can translate as needed for your installation.

To disable directory listings, find the <servlet> element for the default servlet within the file ./cfusion/runtime/conf/web.xml. Within that element, find (or insert) an <init-param> element with a child <param-name> element with a value of listings. Set the <param-value> element to false.

<servlet>
   <servlet-name>default</servlet-name>
   <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
   ...
   <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
   </init-param>
   ...
</servlet>

Restart the server, and we can check this one off our list.
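
An added example, not part of the original posts: a small Python audit of the two settings covered above, the access log valve in server.xml and the listings parameter in web.xml. The sample XML is constructed, and treating /tmp and /var/tmp as shared locations to flag is this example's assumption.

```python
import posixpath
import xml.etree.ElementTree as ET

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
SHARED_TMP = ("/tmp", "/var/tmp")  # assumption: dirs this check treats as shared

def _parse(xml_text):
    """Parse XML and drop namespaces so a namespaced web.xml matches plain tag names."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        elem.tag = elem.tag.rsplit("}", 1)[-1]
    return root

def audit_server_xml(xml_text):
    """Flag each <Host> with no access log valve, or one logging to a shared temp dir."""
    findings = []
    for host in _parse(xml_text).iter("Host"):
        valves = [v for v in host.iter("Valve") if v.get("className") == ACCESS_LOG_VALVE]
        if not valves:
            findings.append(f"{host.get('name')}: no AccessLogValve")
        for valve in valves:
            path = posixpath.normpath(valve.get("directory", "logs"))  # "logs" is the default
            if any(path == t or path.startswith(t + "/") for t in SHARED_TMP):
                findings.append(f"{host.get('name')}: access logs written to {path}")
    return findings

def audit_web_xml(xml_text):
    """Flag DefaultServlet definitions whose `listings` init-param is not 'false'."""
    findings = []
    for servlet in _parse(xml_text).iter("servlet"):
        if servlet.findtext("servlet-class", "").strip() == DEFAULT_SERVLET:
            params = {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
                      for p in servlet.findall("init-param")}
            listings = params.get("listings", "unset")
            if listings.lower() != "false":
                findings.append(f"default servlet: listings is {listings}, expected false")
    return findings

# Constructed sample inputs, not the author's real files.
SERVER_XML = """<Server><Service><Engine><Host name="localhost">
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="/tmp" pattern="common"/>
</Host></Engine></Service></Server>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><servlet>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""

if __name__ == "__main__":
    print("\n".join(audit_server_xml(SERVER_XML) + audit_web_xml(WEB_XML)))
```

To run it against a real installation, read the two files from ./cfusion/runtime/conf/ and pass their contents to the two functions.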

Exploring Tomcat and ColdFusion 10

With the recent availability of a pre-release version of Adobe’s ColdFusion 10 CFML engine, I am going to be doing a bit of comparative exploring to see how this upcoming version lines up against the current 9.01 version. My intent is to install and configure ACF10 on one or more of my development systems in a manner where it can run alongside the currently-installed ACF9 so that I can get a feel, in particular, for any performance differences between these two versions and to ensure that when ACF10 is officially available, any compatibility issues with our CFML-based applications have been addressed.

My current development systems are Mac OS X and Linux boxes, running ACF 9.01 under Apache’s Web server. I will install ACF10 in a stand-alone mode in order to be able to run both servers concurrently. In this mode, ACF10 will be running with the bundled Apache Tomcat server for use as both its application server (replacing the JRun application server historically used with ACF) and as its Web server.

The first portion of this effort, then, will focus on getting ACF10 and Tomcat configured to function as needed in my development environment. With that in mind, I will be exploring the following Tomcat-related configuration needs and blogging about them (as well as anything else of interest I stumble into) in the coming days:

You can see that list is a mix of security-related settings and configuration settings related to how our application folders are structured (and the desire to run these applications through both the new Tomcat/ACF10 stack and the old Apache/JRun/ACF9 stack).

In terms of structure, all of the applications reside in a folder outside of the Apache webroot, and are found via a set of aliases. The folder structure below that top-level folder is set up as follows (with their corresponding application URLs listed in parens):

  • appGroup1
    • common
    • app1a (http://localhost/app1a/)
    • app1b (http://localhost/app1b/)
    • app1c (http://localhost/app1c/)
  • appGroup2
    • common
    • app2a (http://localhost/app2a/)
    • app2b (http://localhost/app2b/)
    • app2n (http://localhost/app2n/)
  • app3 (http://localhost/app3/)
  • shared

Within each of the application groups “appGroup1” and “appGroup2”, the “common” folder contains assets shared by the applications in the corresponding group; this folder is aliased into each of the individual applications within the group to appear as if it were nested below the application folder (e.g., http://localhost/app1a/common, http://localhost/app1b/common). All of the applications reference the “shared” folder as a root level folder “/shared” (i.e., as http://localhost/shared).

Further, most of the applications have a default document that relies on SSI to function properly as part of the applications’ respective authentication and security framework. I also do all of my testing and prototyping in a folder immediately off of my home folder; I will need to have that folder served by Tomcat/ACF10 just as it is currently under the other stack.

Finally, a caveat: I am a complete noob when it comes to Tomcat, so I will be learning as I go. I am almost certainly going to find sub-optimal ways to make portions of this work. If you see such mis-steps and have recommendations for other and/or better ways, please point them out in the comments on each post.

We have our work cut out for us. Stay tuned.

MAX Day 3 Recap

A quick recap of the final day of Adobe MAX…

  • Started the day in an excellent hands-on lab session led by Simon Slooten on building CF-powered Flex applications. He did a great job moving through an appropriate amount of material to introduce those of us who haven’t yet had a chance to play with Flex and using it as the front-end for Web-based, data-driven apps.
  • Sat in on a fairly interesting panel discussion on what might lie ahead for the next year or so within the RIA area for developers. This one could have (and probably should have) been at least half an hour longer.
  • Finished the conference with a session with Sean Corfield on event-driven programming within CF. Kind of a mind-bending concept, focused on using a similar paradigm within the server side of the Web app world as you would use on the client side with a Flex- or AJAX-based front end. Very interesting. It might have been easier to get my head around more completely had it (my head) not just plain been full at this point in the week.
  • Spent a couple hours wandering around downtown SF and Chinatown with the guys. It was good to just wander and watch people. Had a great dinner at a place called Santorini Mediterranean Cuisine: dolmos, saganaki, hummus, babbaganoush, souvlakia…

And it’s a wrap. I head for home and family this morning.

All in all, not a bad conference. I’d come hoping for a better feel for what Flex is/does/might help us with and hoping for some general nuggets as far as CF and Web app development in general. I got both of those, along with a chance to talk to fellow developers and get a read on where Adobe is taking CF. Adobe, generally speaking, did a decent job with the conference: decent broad coverage, decent venue, good end-of-day events, decent stuff in the exhibit hall. Thumbs up for those. Thumbs down for not providing a decent bag to the conference attendees, nor for even including a pen with the shopping bag full of throw-away product literature when you check in, and for not ensuring decent WiFi in the convention center (Opera Mini and Google Talk on my Blackberry were lifesavers this week). And a big “Thank you!” for Kristen Schofield of Adobe’s CF team for the CF t-shirts for me and Jeff on the last conference day!

It will be interesting to see where the new Bolt CF IDE goes, and how it compares to existing alternatives like CFEclipse, etc. Mark Drew has indicated that Bolt by no means signals the end of life for CFEclipse. Given that IDEs tend to be a religious thing with some (most?) devs, I’m sure there will be some interesting turns ahead.

MAX Day 2 Recap

A quick recap of MAX Day 2…

  • Two very good sessions by Charlie Arehart on hidden (or less well-known) stuff in CF8 and the use of Derby (the open source Java-based database from the Apache project that comes as part of CF8). Both were excellent sessions with lots of good pointers that left me with a fairly lengthy list of things to follow up on for our team at work. Charlie, as always, did a great job covering lots of ground at the right level. I’ve sat in on several of his presos at CFUnited in the past and he is a very strong presenter. So far, these two sessions were probably — in terms of valuable potential takeaways — the high point of the conference.
  • A disappointing session by Scott Stroz on “hack-proofing” your CF app. Not much new ground to plow (which I suppose could be considered a good thing, given our focus on some of this stuff in the past 18 months). He kind of let the audience hijack his session with questions, comments, and even “me too’s” and ended up spending 75% of the preso on SQL injection which left very little time for the remaining two thirds of his talk.
  • Another disappointing talk on the use of jQuery and AIR by Ed Finkler. Too much jQuery, particularly given that about 90% of the audience indicated that they were at least somewhat familiar with it, and not enough AIR. Sharp guy, obviously knows his stuff, entertaining speaker with a dry sense of humor, but the preso itself missed.
  • The keynote, hosted by Ben Forta and Tim Buntel, highlighted some pretty impressive workflow integration on the design side of Adobe’s product lines, touched on the coming IDE for CF (codenamed “Bolt” in honor of the old CF lightning bolt; an Eclipse-based environment which looks to have some pretty interesting capabilities for the coders in house but for which few if any details are really available), and some cool stuff called Alchemy that allows for existing C/C++ code to be automagically transterpolated into ActionScript for use in Flash.
  • Spent a bit of time talking with the CF designee in the Adobe “support lab” about a couple things we’ve bumped into, and posing a couple of questions about things that Ben had mentioned related to the new CF IDE. Walked away thinking “That was a waste of time…”
  • MAX hosted a customer appreciation event at the de Young Museum and California Museum of Sciences in the evening. Very cool place to spend a couple hours hanging out. Saw the show in the new Morrison Planetarium; also very cool!
  • Late dinner with Jeff and Blaine (we lost Marco somewhere at the museum, but did talk to him late after he got back) at the Pinecrest Diner. Try the hot pastrami on rye. It’s the kind of place that — had they had one on the menu — I would have ordered the chicken fried steak sandwich. The guy who runs it is a 30-year-old whose grandfather had it in this same location since the 1960s; he trained in Italy as a chef and is keeping the place going. Great basic food and an interesting menu.

So, kind of a mixed bag from a technical standpoint but I did get a couple of items of real value from Charlie’s presos.