sessions in WML/WAP
Is there such a thing as a session in WML? I am trying to reference 'session.getAttribute(...)' in a JSP page that produces WML and is viewed in a WAP browser. Is this even a possibility? I am trying to use Tomcat's security framework (j_security_check) to protect a URL pattern and authenticate users. I have made similar method calls within normal JSP pages, served up via Tomcat, but have not been able to do the same in a JSP page that produces WML viewed in a WAP browser. Thanks in advance, Bob
Tomcat - Sessions and WAP Browsers
The real problem I am running into is that most WAP browsers don't support cookies and thus the storing of session data in the cookie. I use Tomcat as my servlet engine, and I have a secured part of my site. How Tomcat works in a web environment is this. When you request a page that is secured, Tomcat places the session variable 'tomcat.auth.originalLocation' into the session. This variable holds onto the requested URL. After placing the variable into the session, it forwards you to your specified login page, i.e. '/secure/login.jsp'. Upon successful login/authentication it will forward you to the page referenced in the 'tomcat.auth.originalLocation' session variable, along with placing a few more variables in the session. This becomes a problem in the WAP browser environment because none of the WAP browsers support cookies, thus cannot get access to the session variable 'tomcat.auth.originalLocation'. Hope this makes more sense? Thanks for your thoughts, Bob
Server Side Includes (SSI) and Tomcat
Is there a way for pages served up by Tomcat to interpret SSIs? For example, I have an entire directory structure that I secure via FORM based security, thus must be served up by Tomcat. Some files in this directory contain SSIs '<!--#include virtual="/includes/header.htm"-->', however Tomcat doesn't recognize the SSI include tags. Is there a way around this other than making each page a JSP page with JSP include tags? Thanks in advance, Bob
RE: error-page ignored under Tomcat-3.2.1
Were you ever able to get an answer to this question? I am running into the same problem using Tomcat 3.2.1. Thanks in advance, Bob

-----Original Message-----
From: Mueller, Franz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 17, 2001 12:22 AM
To: '[EMAIL PROTECTED]'
Subject: error-page ignored under Tomcat-3.2.1

Hi, the following entry in the web.xml file is ignored under tomcat3.2.1 but works as expected with 4.0b1.

    <error-page>
      <error-code>404</error-code>
      <location>404.html</location>
    </error-page>

Under tomcat3.2.1 I've got an OutOfMemory-Exception when entering <location>/404.html</location>. Any suggestions? Regards, fm
Server Side Includes(SSI) and Tomcat vs JSP Include Directive
Does Tomcat have the ability to parse a common SSI like the following on an '.shtm' page?

    <!-- BEGIN HEADER TABLE-->
    <!--#include virtual="/includes/header.htm"-->
    <!-- END HEADER TABLE-->

My setup is Tomcat 3.2.1 and IIS 4.0. I have '.shtm' files in a Tomcat url-protected directory. I want Tomcat to be able to serve up the '.shtm' correctly, which requires it to parse through the '.shtm' files and acknowledge the SSI include syntax. I don't want to convert all the '.shtm' pages into '.jsp' files just to use the JSP include directive. Any ideas? Thanks in advance, Bob
RE: how to enable ssi in tomcat. Urgent plssssssss
I agree with you, however if I set a url-protected directory all the files in that url-protected directory must be under Tomcat, and thus if some of the files are shtm's and use SSI, the headers and footers will no longer show up because the page is now being served up by Tomcat rather than IIS. When protecting a directory via url-pattern in web.xml it is my understanding that anything with that url pattern is served up by Tomcat regardless of the file type. See example below...

My Protected Directory - <url-pattern>/sales/*</url-pattern>

My Tomcat Directory Structure -

    tomcat/
      webapps/
        mysite/
          sales/
            index.shtm
            test.jsp
            figures.shtm
            salespeople.jsp

Any thoughts, Bob

-----Original Message-----
From: Jan Labanowski [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 31, 2001 9:15 AM
To: [EMAIL PROTECTED]; Jan Labanowski; [EMAIL PROTECTED]
Subject: Re: how to enable ssi in tomcat. Urgent pl

SSI (Server Side Includes) work only in Apache. They do not work in Tomcat. You have to choose... Either you do SSI or JSP, you cannot have both. If you have:

    JkMount /*.jsp ajp13
    JkMount /servlet/* ajp13

in your mod_jk.conf and

    AddType text/html .shtml
    AddHandler server-parsed .shtml

in your httpd.conf, you should be OK, i.e., the *.jsp files will go to Tomcat, and *.shtml will be processed by Apache. In Apache 2.0, there may be a possibility of chaining the output from JSP to the handler in Apache, but for Apache 1.3 it is just not possible, and you have to choose in which way you will serve your dynamic content.

Jan
http://www.ccl.net/cca/software/UNIX/apache/index.shtml

On Wed, 31 Jan 2001, Suresh.S.V wrote:

Hi, I am using tomcat 3.2.1 + apache 1.3.14. In this, servlets and jsp are working fine. When I stop tomcat, server side includes are working fine in html. But when I start tomcat, html includes are also not working. It's urgent. Pls help me. Thanx regds Suresh

Jan K. Labanowski | phone: 614-292-9279, FAX: 614-292-7168
Ohio Supercomputer Center | Internet: [EMAIL PROTECTED]
1224 Kinnear Rd, | http://www.ccl.net/chemistry.html
Columbus, OH 43212-1163 | http://www.osc.edu/
RE: How to prevent a .jsp from being accessed directly?
You may want to try setting the url pattern relative to the root, i.e. <url-pattern>/dir1/subdir1/selectroster.jsp</url-pattern> Bob

-----Original Message-----
From: Michael Molloy [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 29, 2001 7:41 PM
To: Tomcat
Subject: How to prevent a .jsp from being accessed directly?

I'm using the following web.xml file inside a servlet context (/opt/tomcat/webapps/staging/WEB-INF/web.xml). However, it's not preventing direct access to the jsp file, which is what I'm hoping to achieve. I got this from the O'Reilly Javaserver Pages book, but it's not working. Any suggestions? Thanks --Michael

    <web-app>
      <servlet>
        <servlet-name>RosterServlet</servlet-name>
        <servlet-class>RosterServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
        <servlet-name>RosterServlet</servlet-name>
        <url-pattern>/process</url-pattern>
      </servlet-mapping>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>no-access</web-resource-name>
          <url-pattern>selectroster.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>nobody</role-name>
        </auth-constraint>
      </security-constraint>
    </web-app>
RE: How to prevent a .jsp from being accessed directly?
You may also want to try setting the url pattern relative to the root going only down to the directory in which it exists to see if that at least works, rather than specifying the complete path to the file, i.e. <url-pattern>/dir1/subdir1/*</url-pattern> Bob

-----Original Message-----
From: Michael Molloy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 30, 2001 4:09 PM
To: Tomcat
Subject: How to prevent a .jsp from being accessed directly?

Since no one responded, does that mean there's nothing wrong with the xml below? It's still not working. Any suggestions would be welcome. --Michael
RE: How to prevent a .jsp from being accessed directly?
Don't include the www in your url-pattern; rather, if your directory structure is

    Tomcat
     |-- webapps
          |-- mywebapp
               |-- jsps
                    selectroster.jsp
                    another.jsp
                    another2.jsp

you would include <url-pattern>/jsps/selectroster.jsp</url-pattern>

What version of tomcat are you using? What is your environment? Bob

-----Original Message-----
From: Michael Molloy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 30, 2001 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: How to prevent a .jsp from being accessed directly?

I've tried several variations, from your suggestion below to including the entire url (www. . . .). I'll take another look at it. Thanks --Michael
RE: Form Authentication works on standalone no with IIS ? - 405 Error
I found the root of the HTTP 405 Error. I had my 'login.jsp' page in a directory called '/security', however I did not have an entry in the 'uriworkermap.properties' file for the '/security' directory as such: '/security/*=ajp12'. The result I was getting was a 'HTTP Error 405 405 Method Not Allowed'. Just thought I would let you know, Bob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 25, 2001 6:46 PM
To: [EMAIL PROTECTED]
Subject: Form Authentication works on standalone no with IIS ?

Tomcat v 3.2.1 and IIS 4.0

I am using form based authentication for url-pattern "/sales/*". Whenever I try to access files under this protected URL I am prompted with the login page "/security/login.jsp". However, when I try to login I get the following 405 error, and the resulting URL in the location bar is: http://localhost/security/j_security_check. If I run this in standalone Tomcat everything works fine. Why doesn't it work correctly when integrated with IIS?

    HTTP Error 405
    405 Method Not Allowed
    The method specified in the Request Line is not allowed for the resource identified by the request. Please ensure that you have the proper MIME type set up for the resource you are requesting. Please contact the server's administrator if this problem persists.

What do I need to do to get it to work correctly with IIS? Thanks in advance, Bob
configuring 1 webapp with multiple form logon pages
Using 3.2.1, has anyone configured a webapp that has multiple form-based logon pages? Basically I need a different logon page for each corporate unit. It appears to me that by default, tomcat allows only 1 login page per webapp. Any ideas?
RE: configuring 1 webapp with multiple form logon pages
The logon page is determined by which section of the site the users are trying to access. For example, if the user is trying to get to the Marketing section they will be prompted with the Marketing logon page, that represents the Marketing's UI look/feel. However, if the user wanted to go to the Sales section they would be prompted with the Sales logon page that is consistent with the Sales look/feel. Is this more clear? Thanks Bob

-----Original Message-----
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 25, 2001 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: configuring 1 webapp with multiple form logon pages

My question is, how do you know which logon page to use? Is there something special about the machine they are requesting from? Do they try and go to a special (corporate unit specific) URL? Or is it supposed to guess somehow? One thing to remember is that the form-based logins are jsp pages. You can look at the HTTP request headers or whatever you want to make the decision about which login page to show, but in my experience this is usually very difficult to do - everyone wants to go to the same URL and use any computer, but receive their customized login page. Randy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 25, 2001 10:29 AM
To: [EMAIL PROTECTED]
Subject: configuring 1 webapp with multiple form logon pages

Using 3.2.1, has anyone configured a webapp that has multiple form-based logon pages? Basically I need a different logon page for each corporate unit. It appears to me that by default, tomcat allows only 1 login page per webapp. Any ideas?
Form Base Auth - 1 webapp; multiple url patterns
Here is my setup... Tomcat v3.2.1

Within our Intranet webapp, I have set up a separate security 'url-pattern' for both SALES and MARKETING. I have assigned each 'url-pattern' an associated 'auth-constraint' (role). When I access a SALES URL, I am taken to the 'form-login-page' to login, which works fine. I am able to login correctly and then redirect to my originally requested secure SALES URL. However, once I am logged in to the SALES section, I try to access a secure MARKETING URL, and am given the 'form-error-page' as a result. What I wanted to happen is to be prompted with the 'form-login-page' again so that I can login using a valid username/password associated with the 'marketing' role, not the 'form-error-page'.

To work around this, I made a small change to the FormAuthHandler class, to bring me back to the 'form-login-page', re-setting the parameter 'tomcat.auth.originalLocation' as well. Let me know if you want to know the modifications.

What I really need is to be able to remain authenticated in the SALES section as well as the MARKETING section. Is it inherently possible for 1 session to be authenticated to multiple url-patterns, using different username/password? For example, referencing the config snippets below, would it be possible for me to login to the secure SALES section using username=sales password=sales01, and then once authenticated to the SALES section, select a MARKETING URL and then login simultaneously to the MARKETING secure section using username=market password=market01? What I have found with this scenario is that I can only be authenticated to one of the url-patterns at a time. Is there an easy way around this other than creating a new user that has both roles? I can't really have one common userid/password combination that has both roles because the two groups don't want the other group accessing their private info. The only person that should be able to access both sites with one login is the admin.

*** Snippet from web.xml ***

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SALES</web-resource-name>
        <url-pattern>/secure/sales/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>sales</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>MARKETING</web-resource-name>
        <url-pattern>/secure/marketing/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>marketing</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Secure</realm-name>
      <form-login-config>
        <form-login-page>/login/login.jsp</form-login-page>
        <form-error-page>/login/login.jsp?login=false</form-error-page>
      </form-login-config>
    </login-config>

*** End Snippet ***

*** Snippet from tomcat-users.xml ***

    <!-- Users/Roles -->
    <user name="sales" password="sales01" roles="sales" />
    <user name="market" password="market01" roles="marketing" />
    <user name="admin" password="password" roles="sales,marketing" />

*** End Snippet ***

Sorry this is so long, but just tried to be very descriptive... Any ideas would be appreciated, we are planning on moving to LDAP in the future but we need an interim fix. Thanks in advance, Bob
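An added example, not part of any message above and not Tomcat source code: a small Python model of the servlet-spec url-pattern rules as they apply to security constraints. It covers both the "How to prevent a .jsp from being accessed directly?" thread (the posted pattern with no leading slash versus the root-relative patterns suggested in the replies) and the SALES/MARKETING configuration in the message above. Function names and the request path `/secure/marketing/plan.jsp` are constructed for illustration; patterns, roles and users are the ones quoted in the messages.

```python
# Added illustration, not Tomcat source: a model of the servlet-spec
# url-pattern rules as they apply to <security-constraint> entries.
# Function names and the sample request paths are constructed.

def match_rank(pattern, path):
    """Return a sort key if pattern covers path, else None.

    path is relative to the context root and always starts with "/".
    Precedence: exact match > longest path prefix > extension.
    """
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]              # "/secure/sales/*" -> "/secure/sales"
        if path == prefix or path.startswith(prefix + "/"):
            return (1, len(prefix))
        return None
    if pattern.startswith("*."):
        filename = path.rsplit("/", 1)[-1]
        return (0, 0) if filename.endswith(pattern[1:]) else None
    # Every other string is an exact match only. A pattern with no leading
    # slash therefore never equals a request path and guards nothing.
    return (2, len(pattern)) if pattern == path else None


def decide(constraints, user_roles, path):
    """Return "public", "login", "allow" or "deny" for one request.

    constraints: list of (url_pattern, set_of_required_roles)
    user_roles:  None when nobody is logged in, else the user's role set
    """
    hits = [(match_rank(p, path), roles) for p, roles in constraints]
    hits = [(rank, roles) for rank, roles in hits if rank is not None]
    if not hits:
        return "public"                    # no constraint applies
    _, roles = max(hits, key=lambda hit: hit[0])
    if user_roles is None:
        return "login"                     # container would show the login page
    return "allow" if user_roles & roles else "deny"


# Patterns from the "direct .jsp access" thread.
AS_POSTED = [("selectroster.jsp", {"nobody"})]
ROOT_RELATIVE = [("/jsps/selectroster.jsp", {"nobody"})]
WHOLE_DIR = [("/jsps/*", {"nobody"})]

# Constraints and users from the SALES / MARKETING message.
SECURE = [("/secure/sales/*", {"sales"}),
          ("/secure/marketing/*", {"marketing"})]
USERS = {"sales": {"sales"}, "market": {"marketing"},
         "admin": {"sales", "marketing"}}


def demo():
    jsp = "/jsps/selectroster.jsp"
    mkt = "/secure/marketing/plan.jsp"     # constructed request path
    return [
        ("as posted", decide(AS_POSTED, None, jsp)),
        ("root relative", decide(ROOT_RELATIVE, None, jsp)),
        ("whole directory", decide(WHOLE_DIR, {"sales"}, jsp)),
        ("sales user on marketing", decide(SECURE, USERS["sales"], mkt)),
        ("admin on marketing", decide(SECURE, USERS["admin"], mkt)),
    ]


if __name__ == "__main__":
    for label, outcome in demo():
        print(f"{label:26} -> {outcome}")
```

In this model an authenticated user whose roles do not include the one required is denied outright rather than offered the login form again, which corresponds to the 'form-error-page' behaviour described in the message; the session holds one identity at a time.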
org.apache.tomcat.request.SecurityCheck???
Does anyone know why there is no functionality inside the method SecurityCheck.errorPage( Request req, Response response)?
RE: IIS and Basic Authentication
Has anyone successfully set up form-based security authentication? Have you gotten the error page to display when the wrong username/password was entered? What do you recommend for implementing form-based security? Thanks in advance, Bob

-----Original Message-----
From: McAllister, Andrew [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 2:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: IIS and Basic Authentication

Yes, that was it. I removed all authentication methods (except anonymous) and it started passing the headers correctly. I did this by selecting "Properties" on my "Default Web Site". Then I chose "Directory Security" then "Edit" in the "Anonymous access and authentication control." Then I unchecked the Basic and Integrated windows checkboxes. Then restarted IIS. Worked great. Thank you very much.

Andrew McAllister
University of Missouri

-----Original Message-----
From: Ignacio J. Ortega [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 11:17 AM
To: '[EMAIL PROTECTED]'
Subject: RE: IIS and Basic Authentication

Problem: I'm trying to get IIS (with the isapi redirector) and Tomcat to cooperate on basic authentication. I've written a servlet that handles the basic authentication correctly using the req.getHeader("Authorization"); method and it works well when I connect directly to Tomcat on port 8080. But when I connect via IIS using the redirector, it never passes the authorization header to the servlet.

Perhaps you need to completely disable IIS Basic auth. I did run into a problem that looks like yours, but I did see the headers from tomcat, but this was after disabling the basic auth from IIS. I don't remember, but now it's working for me without problems, so I see auth headers from tomcat.

FYI, TC3.3 has a new option for the AJP12Interceptor to use with IIS that does not try to read the authenticated user through AJP12, leaving this task to Tomcat, thus doing all basic auth through tomcat without problems...

Saludos,
Ignacio J. Ortega
FORM BASED AUTHENTICATION...
Has anyone successfully setup form-based security authentication? Have you gotten the error page to display when the wrong username/password was entered? What do you recommend for implementing form-based security? Thanks in advance, Bob
Security Authentication Problem - examples
Tomcat 3.2.1 standalone

I am trying to test out the security authentication example. I type in the following URL (http://localhost:8080/examples/jsp/security/protected/index.jsp) and then I am prompted for Basic Authentication. I type in (tomcat, tomcat) and then I am authenticated. However, I am not in turn given access to the 'index.jsp' page. I actually get a 404 error. However, after I am authenticated and I get the 404 error, I manually type in the following URL 'http://localhost:8080/examples/jsp/security/protected/jsp/security/protected/index.jsp' and I am able to access the secured page.

Another thing, when I type in the following URL to browse the directory: 'http://localhost:8080/examples/jsp/security/protected/' I'm actually given the contents of 'http://localhost:8080/examples/' to browse. Why is it directing me there? I have set up the authentication with my other webapps and the same type of behavior takes place. Does anyone have any ideas as to why this is happening? Thanks in advance, Bob
RE: FORM BASED AUTHENTICATION...
I was using 3.1 and then I found the following post http://mikal.org/interests/java/tomcat_users/msg02828.html in which they were having the same types of problems I was experiencing. So I installed ver 3.2.1 and everything works as originally anticipated. All the form based logins work. Bob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 3:00 PM
To: [EMAIL PROTECTED]
Subject: FORM BASED AUTHENTICATION...

Has anyone successfully setup form-based security authentication? Have you gotten the error page to display when the wrong username/password was entered? What do you recommend for implementing form-based security? Thanks in advance, Bob