Re: instructions for setting up jaas over db in tomcat
I used the following link:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

It took some research, but I finally got it to work.

/robert

Ittay Dror wrote:
> Hi,
>
> I haven't found anywhere step-by-step instructions or reference code on how to set up jaas. Please help me with this as I'm very much lost.
>
> What I need:
> - authentication vs a DB
> - a ROOT webapp
> - tomcat 5.5
> - where to put the 'Realm' element (can it be in conf/Catalina/localhost/ROOT.xml?)
> - what to put inside jaas.config
> - where to get an implementation of a login module. tagish isn't good for me since they require a specific db schema (i'm porting an existing application). Is there a standalone package with jboss's implementations?
>
> Thanx,
> Ittay
Re: instructions for setting up jaas over db in tomcat
Have you read anything here?
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html

/robert

Ittay Dror wrote:
> Robert Taylor wrote:
>> I used the following link:
>> http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm
>
> doesn't contain whether i can put 'Realm' in ROOT.xml
> doesn't say anything about where to get a LoginModule implementation, or how to config jaas.config.
>
>> It took some research, but I finally got it to work.
>
> my point exactly. i believe every person setting up tomcat does this research and i wondered if anyone created a guide.
Re: Undeploy leaves residual files
I had the same issues and it looks like we are using similar technologies: Struts1.2.7, Hibernate 3.0.5, Spring 1.2.3.

The struts issue (I think) is caused by validator accessing the validator.dtd resource and not releasing it. Under WEB-INF/classes/org/apache/commons/validator/resources I added both validator_1_1_3.dtd and validator-rules_1_0.dtd. For struts, I moved (added) struts-config_1_2.dtd, tiles-config_1_1.dtd, and web-app_2_3.dtd to WEB-INF/classes/org/apache/struts/resources.

For ehcache.jar, I ended up moving it to the CATALINA_HOME/common/lib directory. After that, everything seems to be working okay. I only just moved the ehcache out of WEB-INF/lib yesterday so I'm still testing those waters, but for now, it appears to have solved the problem.

I posted a question concerning the same issue earlier on this list but it was never answered (see "ehacache prevents web app reload"). I checked the Hibernate forum and found some postings but none that seemed to resolve this issue.

Please let me know if you figure a way to leave ehcache under WEB-INF/lib. It really rubs me the wrong way to have to treat it special during deployment.

HTH

/robert

Allistair Crossley wrote:
> Hi,
>
> I've noticed on undeploy of my web applications that the ROOT folder is left behind as follows:
>
> ROOT
>   WEB-INF
>     classes
>       log4j.properties
>     lib
>       ehcache.jar
>       struts.jar
>
> The web application has a ContextListener that calls LogManager shutdowns and Introspector.flushCaches and so forth to attempt to release resources.
>
> Is this part of that kind of problem?
>
> Regards, Allistair.
ehacache prevents web app reload
Greetings,

I'm using Tomcat 5.9 and Spring1.2.3, and Hibernate3.

I have to stop and start Tomcat each time I need to reload my web app, otherwise, ehcache is holding onto a resource which prevents the old web app from being deleted so it can be replaced by the reloaded one.

I searched the Hibernate forum and found some discussions which indicate a memory leak. Gavin finally chimed in with "Guys, there is a method called SessionFactory.close() that you MUST call to release resources."

I'm using HibernateInterceptor so I assume this should be handled under the covers.

Any ideas?

/robert
Tomcat 5.5.9: [JSTL] The absolute uri: http://java.sun.com/jstl/c cannot be resolved in either web.xml or the jar files deployed with this application
Greetings,

I'm running Tomcat 5.5.9 on Win2K, JDK1.5 and have observed that there is a problem resolving the JSTL taglibs when using their specified absolute uri.

I believe I have everything installed correctly because if I use the relative location to the .tld instead of the uri it works fine.

I had the same problem with Tomcat 5.5.7 and found others had similar issues when pre-compiling.
http://marc.theaimsgroup.com/?l=tomcat-user&m=110857231722295&w=2

Which pointed to this bug:
http://issues.apache.org/bugzilla/show_bug.cgi?id=33373

So I downloaded 5.5.9 in the hopes that it may have been fixed, but it doesn't appear so.

Is this still an issue in 5.5.9, or do I have to configure something else. Have I missed any documentation notes about this problem?

/robert
Re: Tomcat 5.5.9: [JSTL] The absolute uri: http://java.sun.com/jstl/c cannot be resolved in either web.xml or the jar files deployed with this application
Digby, thanks. That was it. Next time I'll think instead of cutting and pasting.

/robert

Digby wrote:
> I think this is what you need now:
>
>     <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
>
> Note the extra /jsp/
>
> Digby
Tomcat5.5.7 and Log4j
Greetings,

I'm trying to use Log4j in my web app and I'm having some difficulty. I'm running Tomcat5.5.7 and JDK 1.5.0.

I've followed the instructions here:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/logging.html

- placed log4j.jar and commons-logging.jar in commons/lib
- placed log4j.xml in commons/classes
- Added the following to the Tomcat startup:
  -Dlog4j.configuration=file:///D:/j2ee_containers/servlet/tomcat/5.5.7/Tomcat%205.5/common/classes/log4j.xml

It looks like Tomcat is finding and recognizing log4j.xml but is failing with the following error in the log file:

log4j:ERROR A org.apache.log4j.xml.DOMConfigurator object is not assignable to a org.apache.log4j.spi.Configurator variable.
log4j:ERROR The class org.apache.log4j.spi.Configurator was loaded by
log4j:ERROR [EMAIL PROTECTED] whereas object of type
log4j:ERROR org.apache.log4j.xml.DOMConfigurator was loaded by [WebappClassLoader delegate: false repositories: -- Parent Classloader: [EMAIL PROTECTED] ].
log4j:ERROR Could not instantiate configurator [org.apache.log4j.xml.DOMConfigurator].

I googled for this and didn't find anything relevant.
http://www.google.com/search?biw=1266&hl=en&q=A+%22org.apache.log4j.xml.DOMConfigurator%22+object+is+not+assignable+to+a+%22org.apache.log4j.spi.Configurator%22+variable.&btnG=Google+Search

Any hints (even if it's RTFM with a link) would be great.

/robert
RE: security-constraint to limit jsp access
Jay,

There was just a fairly exhaustive thread on this topic. Here is the outcome:
http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED]msgNo=163858

/robert

-----Original Message-----
From: Jay Wright [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 18, 2004 7:55 PM
To: [EMAIL PROTECTED]
Subject: security-constraint to limit jsp access

I have a struts 1.2.4 webapp in which I'm trying to hide my jsp's from being accessed directly. Instead of throwing them in the WEB-INF folder, I'd rather just restrict access to them through the security-constraint in the web.xml.

I recently read that adding:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>JSPs</web-resource-name>
        <url-pattern>/struts/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
    </security-constraint>

to the web.xml file will restrict access to files in the directory from direct URL access, but not from redirection or jsp forwarding, so they can still be accessed through struts action mappings.

But this doesn't work. It seems to be ignoring the constraint altogether, as if I am missing an additional configuration. Is there something I need to add?

I know my mapping is correct because if I throw:

    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

into the constraint, it does try to connect to the pages through a secure channel.

I've scanned the web, now I'm on the mailing list: will this work and/or what is the best way to prevent direct access to the JSPs?

Thanks,
Jay
RE: cannot connect a sqlserver
When you restore a backup using SQLServer, you must delete and re-add the database users for that database. It's deceiving, because when you restore the database, and look at the users in Enterprise Manager, they are still there and you have no problem querying the database using Query Analyzer.

Try deleting the users, then adding them back and don't forget to re-run your permissions once you've added the users back.

/robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 16, 2004 8:56 AM
To: [EMAIL PROTECTED]
Subject: cannot connect a sqlserver

I have a problem building a testserver with a webapp using sqlserver2000. We got a productionserver running, so I installed java SDK (j2sdk-1_4_2_04-windows-i586-p.exe), tomcat (jakarta-tomcat-4.1.30.exe) and SQLserver2000 (restored a backup) and took the .war file from the productionserver and placed it under the webapps directory. I changed the .properties file and started Tomcat again. Are there more changes to do???

This is the SQLException I get:

java.sql.SQLException: [Microsoft][SQLServer 2000 Driver for JDBC][SQLServer]Invalid object name 'LogonUser'.
RE: [OT] cannot connect a sqlserver
David,

Thanks for the clarification. Can you elaborate on how you can use SQL Enterprise Manager to generate necessary SQL script to create the users and roles specific to that database, and to apply the object-level permissions or point me to the docs?

I have a script which I use for permissions, but I had to create it and maintain it manually. I have been using Enterprise Manager UI to manage users when restoring from a backup. It would be great to place all of this into a single script for execution.

/robert

-----Original Message-----
From: David Boyer [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 16, 2004 10:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [OT] cannot connect a sqlserver

For the sake of clarification, this is only necessary when restoring to an instance of SQL server that is different from the one on which the backup was created.

On your production server, you can use SQL Enterprise Manager to generate the necessary SQL script to create the users and roles specific to that database, and to apply the object-level permissions. That way, you just restore the database to the test server, run the SQL script, and you should be ready to go.
RE: [OT] cannot connect a sqlserver
Thanks David.

/robert

-----Original Message-----
From: David Boyer [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 16, 2004 11:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [OT] cannot connect a sqlserver

In Enterprise Manager: Right-click on the database, select All Tasks, and Generate SQL Script.

This will let you script various portions of the database for later recreation. It may take a couple tries until you find the combination of objects and options for the specific situation.
RE: [newbie] Container Managed Security - preventing direct access to .jsp
That is exactly how I want to do it. In fact, if you look at my original message I describe what you recommend almost exactly.

Anyhow, I finally created a VERY simple security example web app with the following web.xml:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
             version="2.4">

      <description>Simple Security Example</description>
      <display-name>Simple Security Example</display-name>

      <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
      </welcome-file-list>

      <error-page>
        <error-code>403</error-code>
        <location>/403.jsp</location>
      </error-page>

      <security-constraint>
        <display-name>Example Security Constraint</display-name>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
      </security-constraint>

    </web-app>

And it works! Yeeeha!

Thanks for the help and discussion Ben.

/robert

-----Original Message-----
From: Ben Souther [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 10:35 PM
To: Tomcat Users List
Subject: RE: [newbie] Container Managed Security - preventing direct access to .jsp

It appears that there is no standard way to do this even though it's implied in the spec. I don't know how standard this is but it works.

The trick is in the auth-constraint node (note the commented out role-name). Since it is exclusive. Not declaring a role-name for the protected resource denies access to everyone. You then catch the 403 error with an error page mapping and you're good to go. The JSPs can still be accessed from the request dispatcher so you can reach them through the MVC pattern.

I suppose a simpler solution would be simply to create a servlet-mapping with a url pattern of *.jsp and map it to an error servlet.

If you want to test this out quickly grab the SimpleMVC.war from http://simple.souther.us and replace the web.xml file with this one. You'd have to create your own no-jsp-4-u.html page.

Hope it helps
-Ben

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
             version="2.4">

      <servlet>
        <servlet-name>ControllerServlet</servlet-name>
        <servlet-class>us.souther.simple.mvc.ControllerServlet</servlet-class>
      </servlet>

      <servlet-mapping>
        <servlet-name>ControllerServlet</servlet-name>
        <url-pattern>/simple-mvc</url-pattern>
      </servlet-mapping>

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>off-limits</web-resource-name>
          <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <!--<role-name>manager</role-name>-->
        </auth-constraint>
      </security-constraint>

      <error-page>
        <error-code>403</error-code>
        <location>/no-jsp-4-u.html</location>
      </error-page>

    </web-app>
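A small audit of the constraint shapes posted in this thread, added here as an example (not code from any poster or from Tomcat): it classifies each security-constraint by the Servlet 2.4 Section 12.8 rule quoted in the thread, under which an auth-constraint naming no roles denies all access, while a constraint with no auth-constraint at all performs no authorization check. The function name `audit_constraints` and the merged sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three constraint shapes posted in this thread,
# merged into one descriptor for illustration (not a file from the thread).
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs</web-resource-name>
      <url-pattern>/struts/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>off-limits</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!--<role-name>manager</role-name>-->
    </auth-constraint>
  </security-constraint>
  <error-page>
    <error-code>403</error-code>
    <location>/403.jsp</location>
  </error-page>
</web-app>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Direct child elements with the given local name (comments are dropped by the parser)."""
    return [c for c in elem if local_name(c.tag) == name]


def texts(elem, name):
    """Trimmed text of each direct child with the given local name."""
    return [(c.text or "").strip() for c in children(elem, name)]


def audit_constraints(web_xml_text):
    """Return one finding per web-resource-collection in the descriptor."""
    root = ET.fromstring(web_xml_text)
    has_403_page = any(
        "403" in texts(ep, "error-code") for ep in children(root, "error-page")
    )
    findings = []
    for sc in children(root, "security-constraint"):
        auth = children(sc, "auth-constraint")
        roles = [r for a in auth for r in texts(a, "role-name") if r]
        if not auth:
            access = "no-authorization-check"   # only transport rules can apply
        elif not roles:
            access = "deny-all"                 # Section 12.8: names no roles
        else:
            access = "roles:" + ",".join(roles)
        for wrc in children(sc, "web-resource-collection"):
            methods = [m.upper() for m in texts(wrc, "http-method")]
            notes = []
            if access == "no-authorization-check":
                notes.append("no <auth-constraint>: direct requests are still served")
            if methods:
                notes.append("only " + "/".join(methods)
                             + " covered; other HTTP methods are unconstrained")
            if access == "deny-all" and not has_403_page:
                notes.append("no <error-page> for 403: container default page is shown")
            findings.append({
                "patterns": texts(wrc, "url-pattern"),
                "methods": methods,
                "access": access,
                "notes": notes,
            })
    return findings


if __name__ == "__main__":
    for f in audit_constraints(SAMPLE_WEB_XML):
        print(f["patterns"], f["access"], f["notes"])
```
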
RE: [newbie] Container Managed Security - preventing direct access to .jsp
Ping...

Please let me know if this question is just too obvious and I'll gladly RTFM...even more. And yes, I know this list is not here just to serve _my_ interests.

It just seems like a common idiom to provide a portable mechanism for protecting direct access to .jsp so as to enforce access through some controller. I have in the past placed .jsp files behind WEB-INF, but I don't believe that is portable and would like to use CMS to achieve this.

Thanks again.

/robert

-----Original Message-----
From: Robert Taylor [mailto:[EMAIL PROTECTED]
Sent: Monday, December 13, 2004 8:59 PM
To: [EMAIL PROTECTED]
Subject: [newbie] Container Managed Security - preventing direct access to .jsp

Greetings,

I'm new to Tomcat and this mailing list, and have a question regarding configuring Tomcat to simply disallow access to .jsp pages which I have protected via the <security-constraint/> in my web app web.xml file.

From what I understand, the following should do the trick and cause a 403 error to be sent to the browser by the container. I would like to trap that error code and display a user friendly page (I chose any page so I would know it's working).

I've simply modified the Tomcat jsp-examples web app. Here's a snippet of the necessary artifacts in the web.xml file.

    <error-page>
      <error-code>403</error-code>
      <location>/dates/date.jsp</location>
    </error-page>

    <security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/security/protected/*</url-pattern>
      </web-resource-collection>
    </security-constraint>

I believe the constraint is working, but I don't think the <error-page/> is catching the 403 status code. This is probably because a 403 status code is not returned, but rather a 200 (I verified this by looking at the response headers).

Anyhow, the content of the returned page is below within the <content/>:

    <content>
    You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86
    No user principal could be identified.
    To check whether your username has been granted a particular role, enter it here:
    If you have configured this app for form-based authentication, you can log off by clicking here. This should cause you to be returned to the logon page after the redirect that is performed.
    </content>

I'm sure this has happened to someone else, I just cannot find where. I googled and didn't come up with much. I searched the archives using "You are logged in as remote user null in session" and no matches were found.

Any help would be greatly appreciated.

/robert
RE: [newbie] Container Managed Security - preventing direct access to .jsp
Yes. That would be an alternative approach. However, I want to use CMS (Container Managed Security) to protect direct access to .jsp pages. This should be possible as per the Servlet specification.

/robert

-----Original Message-----
From: Ben Souther [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 1:16 PM
To: Tomcat Users List
Subject: RE: [newbie] Container Managed Security - preventing direct access to .jsp

Filters are portable.
RE: [newbie] Container Managed Security - preventing direct access to .jsp
Thanks Hassan. I didn't realize that was added to the 2.4 spec. Thanks for pointing that out.

Even so, it would be nice to know how to use CMS to achieve this. Maybe a better way to form the question would be how do I use CMS to protect .jsp pages from direct access and return a user friendly page/message when a .jsp page is requested without going through the controller?

/robert

-----Original Message-----
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 2:21 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct access to .jsp

Robert Taylor wrote:

> Please let me know if this question is just too obvious and I'll gladly RTFM...

See below :-)

> It just seems like a common idiom to provide a portable mechanism for protecting direct access to .jsp so as to enforce access through some controller. I have in the past placed .jsp files behind WEB-INF, but I don't believe that is portable and would like to use CMS to achieve this.

Given that the Java Servlet Specification Version 2.4, page 70 sez:

    A special directory exists within the application hierarchy named WEB-INF. This directory contains all things related to the application that aren't in the document root of the application. The WEB-INF node is not part of the public document tree of the application. No file contained in the WEB-INF directory may be served directly to a client by the container.

I don't know how much more portable you want it to be :-)

HTH!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com

dream. code.
RE: [newbie] Container Managed Security - preventing direct access to .jsp
Fair enough. When I mention Container Managed Security, I am referring to using security constraints defined in web.xml to prevent direct access to resources. More specifically in Section 12.8 of the 2.4 specification:

    Security constraints are a declarative way of defining the protection of web content. A security constraint associates authorization and or user data constraints with HTTP operations on web resources. A security constraint, which is represented by security-constraint in deployment descriptor, consists of the following elements:

    - web resource collection (web-resource-collection in deployment descriptor)
    - authorization constraint (auth-constraint in deployment descriptor)
    - user data constraint (user-data-constraint in deployment descriptor)

    The HTTP operations and web resources to which a security constraint applies (i.e. the constrained requests) are identified by one or more web resource collections. A web resource collection consists of the following elements:

    - URL patterns (url-pattern in deployment descriptor)
    - HTTP methods (http-method in deployment descriptor)

    An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests. A user must be a member of at least one of the named roles to be permitted to perform the constrained requests. The special role name * is a shorthand for all role names defined in the deployment descriptor. An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances.

Does this not imply that I can do what I am trying to do?

/robert

-----Original Message-----
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 5:07 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct access to .jsp

Robert Taylor wrote:

> I didn't realize that was added to the 2.4 spec.

It was in 2.3, too. I'd guess it was in the spec from the get-go, but don't have an older copy to hand to confirm.

> Even so, it would be nice to know how to use CMS to achieve this.

What is your definition of Container Managed Security, then, if not this? The container prevents direct access to the resources placed within WEB-INF, without you having to do anything else.

> Maybe a better way to form the question would be how do I use CMS to protect .jsp pages from direct access

as above.

> and return a user friendly page/message when a .jsp page is requested without going through the controller?

A custom 404 page should take care of it. And you can get as fancy with that as you like :-)

FWIW!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com

dream. code.
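The distinction the quoted Section 12.8 text turns on, as an added example that is not part of the original thread: a security-constraint with no auth-constraint element imposes no authorization requirement, while one whose auth-constraint names no roles denies every request. The sketch below classifies each constraint in a web.xml; both descriptors are constructed samples (the first mirrors the snippet posted in the thread), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: mirrors the constraint posted in the thread (no auth-constraint).
POSTED = """<web-app>
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/security/protected/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Constructed sample: same collection plus an auth-constraint that names no roles.
DENY_ALL = POSTED.replace("</web-resource-collection>",
                          "</web-resource-collection>\n    <auth-constraint/>")


def _local(tag):
    """Strip an XML namespace so DTD-based and schema-based descriptors both parse."""
    return tag.rsplit("}", 1)[-1]


def classify_constraints(web_xml):
    """Return [(url_patterns, http_methods, effect)] for each security-constraint."""
    results = []
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        patterns, methods, auth, roles = [], [], None, []
        for el in sc.iter():
            name = _local(el.tag)
            text = (el.text or "").strip()
            if name == "url-pattern":
                patterns.append(text)
            elif name == "http-method":
                methods.append(text)
            elif name == "auth-constraint":
                auth = el
            elif name == "role-name" and text:
                roles.append(text)
        if auth is None:
            effect = "no authorization required"  # requests are served normally
        elif not roles:
            effect = "deny all"  # names no roles: never permitted
        else:
            effect = "roles: " + ",".join(sorted(roles))
        results.append((patterns, methods or ["ALL"], effect))
    return results


if __name__ == "__main__":
    for label, doc in (("posted", POSTED), ("deny-all", DENY_ALL)):
        for patterns, methods, effect in classify_constraints(doc):
            print(f"{label}: {patterns} {methods} -> {effect}")
```

For the posted descriptor the result is "no authorization required", which is consistent with the 200 response described in the thread.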
RE: [newbie] Container Managed Security - preventing direct access to .jsp
I'm not trying to re-invent anything. I'm just trying to leverage the specification to secure resources. Personally I prefer WEB-INF to contain web application configuration and information resources instead of content and other non-configuration resources. IMHO, it's intuitive that way.

For anyone else that may even be remotely interested in this topic, some further googling produced some interesting results. I searched using the string:

    preventing direct access to .jsp files

It appears that there is no standard way to do this even though it's implied in the spec. Here's a good example: http://forums.bea.com/bea/message.jspa?messageID=202433201

Oh well...

/robert

-----Original Message-----
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 5:55 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct access to .jsp

Robert Taylor wrote:

> Does this not imply that I can do what I am trying to do?

I suppose; I'm just baffled why you want to reinvent this particular built-in wheel, but don't let that stop you :-)

--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com

dream. code.
[newbie] Container Managed Security - preventing direct access to .jsp
Greetings, I'm new to Tomcat and this mailing list, and have a question regarding configuring Tomcat to simply disallow access to .jsp pages which I have protected via the <security-constraint/> in my web app web.xml file.

From what I understand, the following should do the trick and cause a 403 error to be sent to the browser by the container. I would like to trap that error code and display a user friendly page (I chose any page so I would know it's working).

I've simply modified the Tomcat jsp-examples web app. Here's a snippet of the necessary artifacts in the web.xml file.

    <error-page>
        <error-code>403</error-code>
        <location>/dates/date.jsp</location>
    </error-page>

    <security-constraint>
        <display-name>Example Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/security/protected/*</url-pattern>
        </web-resource-collection>
    </security-constraint>

I believe the constraint is working, but I don't think the <error-page/> is catching the 403 status code. This is probably because a 403 status code is not returned, but rather a 200 (I verified this by looking at the response headers).

Anyhow, the content of the returned page is below within the <content/>:

<content>
You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86

No user principal could be identified.

To check whether your username has been granted a particular role, enter it here:

If you have configured this app for form-based authentication, you can log off by clicking here. This should cause you to be returned to the logon page after the redirect that is performed.
</content>

I'm sure this has happened to someone else, I just cannot find where. I googled and didn't come up with much. I searched the archives using "You are logged in as remote user null in session" and no matches were found.

Any help would be greatly appreciated.

/robert
RE: [newbie] Container Managed Security - preventing direct access to .jsp
Sorry. I left off some info:

Tomcat 5.0.25
Win2k
JDK1.4.2

/robert

-----Original Message-----
From: Robert Taylor [mailto:[EMAIL PROTECTED]
Sent: Monday, December 13, 2004 8:59 PM
To: [EMAIL PROTECTED]
Subject: [newbie] Container Managed Security - preventing direct access to .jsp

Greetings, I'm new to Tomcat and this mailing list, and have a question regarding configuring Tomcat to simply disallow access to .jsp pages which I have protected via the <security-constraint/> in my web app web.xml file.

From what I understand, the following should do the trick and cause a 403 error to be sent to the browser by the container. I would like to trap that error code and display a user friendly page (I chose any page so I would know it's working).

I've simply modified the Tomcat jsp-examples web app. Here's a snippet of the necessary artifacts in the web.xml file.

    <error-page>
        <error-code>403</error-code>
        <location>/dates/date.jsp</location>
    </error-page>

    <security-constraint>
        <display-name>Example Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/security/protected/*</url-pattern>
        </web-resource-collection>
    </security-constraint>

I believe the constraint is working, but I don't think the <error-page/> is catching the 403 status code. This is probably because a 403 status code is not returned, but rather a 200 (I verified this by looking at the response headers).

Anyhow, the content of the returned page is below within the <content/>:

<content>
You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86

No user principal could be identified.

To check whether your username has been granted a particular role, enter it here:

If you have configured this app for form-based authentication, you can log off by clicking here. This should cause you to be returned to the logon page after the redirect that is performed.
</content>

I'm sure this has happened to someone else, I just cannot find where. I googled and didn't come up with much. I searched the archives using "You are logged in as remote user null in session" and no matches were found.

Any help would be greatly appreciated.

/robert
RE: Help!
Hi Desiree,

I have Tomcat3.2.1 installed on Win98. All I did was download and unzip binaries to my hard drive c:\apache.org\. It created the appropriate directory structure. I then edited the tomcat.bat file and set TOMCAT_HOME=c:\apache.org\tomcat and JAVA_HOME=c:\jdk1.3. I then ran the tomcat.bat file with an argument of 'start' (without the quotes). Tomcat cranked right up.

You should be able to find necessary documentation under TOMCAT_HOME\doc\uguide\tomcat_ug.html

HTH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 25, 2001 7:23 PM
To: [EMAIL PROTECTED]
Subject: Help!

hi! I've downloaded the binary version of tomcat 3.1.1 build in my computer (Win 98) and I can't seem to run it. I've followed the instructions from a book and from jakarta.apache.com. I've installed the jdk, and edited the tomcat.bat file. The book told me though that the default installation for Tomcat will run under Unix, Windows NT and Windows 2000 and that users with Windows 9X should consult the Tomcat website for configuration information. I explored in the internet the whole afternoon for the configuration but I had no luck. My last resort is you. Pls. tell me how to configure this computer so that I'll be able to run the Tomcat Server.
RE: Run tomcat with windows 98
Hi Manuel,

You might try tweaking some of the memory options under the MS-DOS window properties. I'm not sure if this will help, but it may be worth a try.

Robert

-----Original Message-----
From: manuel riche [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 24, 2001 5:46 PM
To: [EMAIL PROTECTED]
Subject: Run tomcat with windows 98

When I launch tomcat with windows 98, after the start the MS-DOS command window crashes (it's the same with the Jstart utility). I don't understand why.
Cocoon and Tomcat
Greetings,

I want to use Cocoon for XSL transforms with Tomcat. I'm fairly new to Tomcat and have read all available documentation (including the archives) on installing Cocoon using Tomcat.

Configuration: Win98, Tomcat3.2.1, Cocoon1.7.4

- I have added all necessary Cocoon components to the Tomcat classpath (in tomcat.bat).
- I have created a context in which to test Cocoon and added its definition to the server.xml.
- I have defined the Cocoon servlet and its mapping of *.xml extensions in my context's respective web.xml.
- I have defined init parameters which initialize Cocoon using its cocoon.properties file.
- I have added a copy of the cocoon.properties to the web-inf directory.

Directory hierarchy and contents:

    c:\work\web\test\names.xml
    c:\work\web\test\names.xsl
    c:\work\web\test\web-inf\lib
    c:\work\web\test\web-inf\classes
    c:\work\web\test\web-inf\web.xml
    c:\work\web\test\web-inf\cocoon.properties

web.xml excerpt with cocoon definition:

    <servlet>
        <servlet-name>org.apache.cocoon.Cocoon</servlet-name>
        <servlet-class>org.apache.cocoon.Cocoon</servlet-class>
        <init-param>
            <param-name>properties</param-name>
            <param-value>
                /test/cocoon.properties
            </param-value>
        </init-param>
    </servlet>

    <servlet-mapping>
        <servlet-name>org.apache.cocoon.Cocoon</servlet-name>
        <url-pattern>*.xml</url-pattern>
    </servlet-mapping>

server.xml excerpt with context definition:

    <Context path="/test"
             docBase="c:/work/web/test"
             debug="0"
             reloadable="true"
             trusted="false" >
    </Context>

Each time I try to access names.xml ( http://localhost:8080/test/names.xml ), I get a 404 error. I checked the log files, but nothing indicates that Cocoon generated an error. There is actually nothing to indicate Cocoon was even invoked.

I can access other files in the same directory without any problems. I have defined and configured other servlets and they work as expected. My *.jsp files are served up as expected.

If anyone can offer some advice on configuring and using Cocoon with Tomcat in a Win98 environment, it would be greatly appreciated.

Robert Taylor - Senior Developer
MuleWork Technologies, L.L.C.
[EMAIL PROTECTED]
770.891.9858
http://www.mulework.com