Re: Tomcat sessions issue?
On 19/08/2010 04:50, Christopher Schultz wrote:
> Robin,
>
> On 8/18/2010 5:57 PM, Robin Diederen wrote:
>> That's interesting to say the least.
>
> I agree with André's assessment: you have a cookie collision. See below for hints for removing the conflict.
>
>> Without cookies enabled, I can't login to either of both applications.
>
> You probably haven't been properly encoding your URLs. Or the app designers haven't. Tut.
>
>> So I designed another test: using two browsers I visited both applications. And guess what: it works like a charm! So I guess you are right on the cookies :-). The only one thing I do not understand: I've done this a few times before and I never ran into these issues. The only difference is that I'm using a newer version of LifeRay for the first time, but AFAIK the other LifeRay version I used uses JSESSION too..
>
> The difference is probably that in other installations you haven't deployed both applications to the root (/) context path. You never did tell us how you deployed the two, so I suspect that both webapps are deployed as ROOT. In that case, you get cookies from both webapps that look like this:
>
> host=myserver.com, path=/, name=JSESSIONID, value=12345...

Two Tomcats can't both exist in the same domain name space, unless there's a mapping error in mod_jk.

After a cursory look through the server.xml, (cursory because of the trauma of wading through comments), I note:

  <Listener className="org.apache.jk.config.ApacheConfig" modJk="/opt/zimbra/httpd/modules/mod_jk.so" />

The OP made reference to the jvmRoute="jvmAlfresco1", so I think we need to understand what's going on there to find a resolution.

p

> There's no difference between the identifying portions of the cookie (host, path, and name) so one overwrites the other. Simply deploying LifeRay to, say, /liferay and Alfresco to, say, /alfresco, you should be good to go.
>
> Note that if you deploy them in this way, you ought to be able to deploy them into a single Tomcat instance and save yourself some RAM and some administration.
>
> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can i tell how much of allocated heap is being used?
On 18.08.2010 20:41, laredotornado wrote:
> Hi,
>
> I'm using Tomcat 6.0.26, Java 1.6 on Linux kernel 2.6.18-164.11.1.el5. I'm trying to figure out if we can figure out how much of our allocated heap memory is actually being used.
>
> Grateful for any thoughts you might have,
> - Dave

Caution 1: "used" does include garbage. Dead object size is never known. If you want to know "used" without garbage, you need to wait for a GC (or trigger one).

Caution 2: There are different GCs cleaning up the young generation, the tenured generation and perm gen. It might even be very different when using JVMs like JRockit, or the IBM or HP JVM or Apache Harmony (the latter is not certified for legal reasons).

Regards,

Rainer
Re: Tomcat sessions issue?
To add the obvious: Use your browser to have a look at your JSESSIONID cookies (and any other cookies of the same name used by both apps) after logging in to LifeRay and after logging in to Alfresco. Write down domain and path properties and see whether they conflict (whether one of the cookies from Liferay would also apply to Alfresco or vice versa). You might need to read a bit about how cookies work (domain and path).

Regards,

Rainer
Re: JNDI: LDAPv3 with StartTLS
On 18.08.2010 22:45, Igor Galić wrote:
>> org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1269)
>>
>> This means that you specified userPattern='...' in your realm configuration. And since your pattern looks like '(uid={0})(...)' it is probably wrong. You have specified userSearch='uid={0}', too. So I believe you want to read the fine documentation http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html especially about JNDIRealm and settle on using userSearch.
>
> Great! That fixed it, and it now works! Thank you very much, Felix.
>
> I would very much like to document this. I am thus asking you for permission to use, host, reference or whatever is your liking, the code you have provided.

Igor: It would be nice if you could add it to the Tomcat Wiki.

Felix: would you like to contribute your code? I didn't read it in detail but I guess it is very generic and would be a nice addon to the standard JNDIRealm?

Regards,

Rainer
Re: Installation problem [newbie]
On 18/08/2010 21:51, Ron Wheeler wrote:
> C:\Program Files\apache-tomcat-6.0.29\bin>echo %JAVA_HOME%
> C:\Program Files\Java\jdk1.6.0_17\bin
>
> and
>
> C:\Documents and Settings\Jon>java -version
> java version "1.6.0_21"

Spot the difference between these two things.

Then, uninstall Tomcat and /then/, join the HTTPD users mailing list to ask about configuring Apache HTTPD with PHP.

p
Re: loaderClass for jsps
On 18/08/2010 16:38, Konstantin Kolinko wrote:
> 2010/8/18 Pid p...@pidster.com:
>> On 18/08/2010 16:09, Amir Wasim wrote:
>>> org.eclipse.jdt.internal.compiler.classfmt.ClassFormatException
>>>   at org.eclipse.jdt.internal.compiler.classfmt.ClassFileReader.<init>(ClassFileReader.java:342)
>>>   at org.apache.jasper.compiler.JDTCompiler$1.findType(JDTCompiler.java:206)
>>>   at org.apache.jasper.compiler.JDTCompiler$1.findType(JDTCompiler.java:178)
>>>
>>> Which basically means that the classes referenced in the jsp are not being loaded through this custom class loader. Can someone please let me know how to configure it so that the classes in JSPs are also loaded through this class loader
>>
>> That seems like an Eclipse specific question, rather than a Tomcat one. The Eclipse IDE uses a custom config when launching apps in Tomcat, you'll have to track down where that config is and adjust it if possible.
>
> It is not Eclipse IDE, but Eclipse JDT compiler called by Jasper (see jasper-jdt.jar in TC distribution).
>
> Back to the question: Jsp classes are loaded by org.apache.jasper.servlet.JasperLoader. You can start digging from there.

Oh, yes. Doh.

(more coffee, Pid, more coffee).

p

> Best regards,
> Konstantin Kolinko
Re: Tomcat sessions issue?
On 19.08.2010 09:25, Pid wrote:
> On 19/08/2010 04:50, Christopher Schultz wrote:
>> Robin,
>>
>> On 8/18/2010 5:57 PM, Robin Diederen wrote:
>>> That's interesting to say the least.
>>
>> I agree with André's assessment: you have a cookie collision. See below for hints for removing the conflict.
>>
>>> Without cookies enabled, I can't login to either of both applications.
>>
>> You probably haven't been properly encoding your URLs. Or the app designers haven't. Tut.
>>
>>> So I designed another test: using two browsers I visited both applications. And guess what: it works like a charm! So I guess you are right on the cookies :-). The only one thing I do not understand: I've done this a few times before and I never ran into these issues. The only difference is that I'm using a newer version of LifeRay for the first time, but AFAIK the other LifeRay version I used uses JSESSION too..
>>
>> The difference is probably that in other installations you haven't deployed both applications to the root (/) context path. You never did tell us how you deployed the two, so I suspect that both webapps are deployed as ROOT. In that case, you get cookies from both webapps that look like this:
>>
>> host=myserver.com, path=/, name=JSESSIONID, value=12345...
>
> Two Tomcats can't both exist in the same domain name space, unless there's a mapping error in mod_jk.
>
> After a cursory look through the server.xml, (cursory because of the trauma of wading through comments), I note:
>
>   <Listener className="org.apache.jk.config.ApacheConfig" modJk="/opt/zimbra/httpd/modules/mod_jk.so" />
>
> The OP made reference to the jvmRoute="jvmAlfresco1", so I think we need to understand what's going on there to find a resolution.

Good point, so adding to the "look at the cookies" recommendation: if you are using load-balancing with mod_jk, you need to configure a unique jvmRoute for each Tomcat in server.xml. Tomcat will then add a dot "." and the value of jvmRoute to the end of the session id used in the JSESSIONID cookies. You can see it when looking at the value of the cookie in the browser. mod_jk reads this suffix from the cookie when it is sent together with each request by the browser and looks up the right Tomcat, assuming that the names of the member workers in the load-balancers are the same as the jvmRoute of the Tomcat they are pointing to. If for some reason you get that wrong (worker names do not fit the jvmRoutes of the respective Tomcats), requests will eventually be sent to the wrong Tomcat which does not know about the user session (except when using session clustering, an advanced topic).

Regards,

Rainer
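Rainer's description of the jvmRoute suffix and the worker-name match can be turned into a configuration check. The following is an added example, not mod_jk or Tomcat code: it reads a constructed workers.properties and constructed server.xml snippets (jvmAlfresco1 is the route named in the thread, the other names and hosts are made up), derives the route from a session id the way the text describes (the part after the dot), and reports load-balancer members whose route does not match the jvmRoute of the Tomcat they point at.

```python
"""Added example (not mod_jk or Tomcat code): a model of mod_jk's sticky
routing, used to check that each load-balancer member in workers.properties
is named after the jvmRoute of the Tomcat it points at.  The configuration
snippets are constructed; only jvmAlfresco1 comes from the thread."""

import xml.etree.ElementTree as ET

WORKERS_PROPERTIES = """
worker.list=loadbalancer
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=jvmAlfresco1,jvmAlfresco2
worker.jvmAlfresco1.type=ajp13
worker.jvmAlfresco1.host=node1.example.test
worker.jvmAlfresco1.port=8009
worker.jvmAlfresco2.type=ajp13
worker.jvmAlfresco2.host=node2.example.test
worker.jvmAlfresco2.port=8009
"""

# Constructed server.xml of each Tomcat; node2's jvmRoute is misspelled
SERVER_XML = {
    "node1.example.test": '<Server><Service name="Catalina">'
        '<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvmAlfresco1"/>'
        '</Service></Server>',
    "node2.example.test": '<Server><Service name="Catalina">'
        '<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvmAlfresco02"/>'
        '</Service></Server>',
}


def parse_workers(text):
    """Return {member_worker_name: (host, route)} for every lb member.
    mod_jk uses the worker name as its route unless worker.<n>.route is set."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    members = {}
    for key, value in props.items():
        if key.endswith(".balance_workers"):
            for w in value.split(","):
                w = w.strip()
                members[w] = (props.get(f"worker.{w}.host"),
                              props.get(f"worker.{w}.route", w))
    return members


def jvm_route_of(server_xml):
    """Extract the Engine's jvmRoute attribute from a server.xml document."""
    engine = ET.fromstring(server_xml).find(".//Engine")
    return engine.get("jvmRoute") if engine is not None else None


def session_route(session_id):
    """The suffix Tomcat appends after '.', which mod_jk uses to pick a worker."""
    _, dot, route = session_id.partition(".")
    return route if dot else None


def route_request(session_id, members):
    """Worker chosen for a sticky request, or None when no member's route
    matches (mod_jk then falls back to ordinary load balancing, and the
    request may land on a Tomcat that does not know the session)."""
    route = session_route(session_id)
    for name, (_, worker_route) in members.items():
        if worker_route == route:
            return name
    return None


def check_routes(members, server_xml_by_host):
    """List (member, member_route, actual_jvmRoute) for every member whose
    route differs from the jvmRoute of the Tomcat it points at."""
    problems = []
    for name, (host, worker_route) in members.items():
        actual = jvm_route_of(server_xml_by_host[host])
        if actual != worker_route:
            problems.append((name, worker_route, actual))
    return problems


if __name__ == "__main__":
    members = parse_workers(WORKERS_PROPERTIES)
    print(route_request("A1B2C3D4.jvmAlfresco1", members))
    print(route_request("E5F6A7B8.jvmAlfresco02", members))
    print(check_routes(members, SERVER_XML))
```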
Re: 501 Method not implemented with successive POST requests
Christopher Schultz wrote:
> You'd be amazed how fast a reproducible bug can be fixed ;)

Particularly if it can also be repeated or duplicated. ;-)
Re: Is there a better way to disable JSESSIONID in the URLs?
I was going to write this off list because it's off topic, but maybe the information is useful.

On Thu, Aug 19, 2010 at 5:19 AM, Christopher Schultz ch...@christopherschultz.net wrote:
> Wesley,
>
> On 8/17/2010 6:05 PM, Wesley Acheson wrote:
>> I know of no better way to fix this. This is what we *had* to do to pass PCI too so it's no small deal.
>
> Wow, who made you disable jsessionids in URLs to achieve PCI compliance? Whoever did that doesn't understand Java webapp security. Or Internet security for that matter. :(
>
> Of course, there might just be some heavy-handed PCI requirements that the working group pulled out of their asses in a few minutes and then got on with a great deal of self-congratulations for making the Internet safe.
>
> -chris

It was a third party ethical hacker, whose report we needed to be clean for PCI.

In general though I have to say I agree and the ;jsessionid thing is pretty insecure. Yes you can regenerate sessionIds after a client logs in. (Though not in our case). Yes it only appears on the first page if the user doesn't have cookies enabled. We disabled both accepting of URL sessionIds and the session encoding of URLs. Our application has worked well since with no problems. In fact better as we can cache certain pages in their entirety without being concerned with url rewriting. If we use relative URLs to static content served by Apache Httpd this now works too as otherwise Apache httpd gives a 404 (correctly) if there is a jsessionId in the URL.

In my honest opinion the URL jsessionid thing is a bad idea. It's not even added as a parameter to the URL but rather part of the request URL itself. So many websites don't function without cookies anyway. It would be just better to use session cookies or at least leave an option in server.xml or context.xml to disable it.

Imagine the following scenario. Someone goes to malicious-site.com which has some javascript running in the background that posts to one of your forms. Card withdrawal for instance. This javascript can post all the details to your site, however it cannot write cookies for your domain. However if it was either able to guess a jsessionid or one could have been used from somewhere else and jsessionid is a parameter in the url there's nothing stopping them posting to http://yoursite/withdrawMoney;jsessionid=xxx. Yes I know you need more security measures than that in place for this type of attack but I still believe that it's valuable being able to disable it. Resin does allow you; I wish Tomcat would.

Regards,

Wesley Acheson
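As a defender-side check on the URL-rewriting behaviour discussed above, the following added example (not Tomcat code and not from the thread) scans Tomcat access-log lines for requests that carry a ;jsessionid path parameter, masks the id, and summarises which clients and paths are affected, so an operator can see who still gets rewritten URLs before switching the feature off. The log lines, client addresses and session ids are constructed.

```python
"""Added example (not Tomcat code): find requests whose URL carries the
session id as a ;jsessionid path parameter.  Log lines below are
constructed in Tomcat's default common log format."""

import re
from collections import Counter

ACCESS_LOG = """\
10.0.0.5 - - [19/Aug/2010:10:01:12 +0200] "GET /shop/cart HTTP/1.1" 200 1842
10.0.0.5 - - [19/Aug/2010:10:01:15 +0200] "GET /shop/cart;jsessionid=0A1B2C3D4E5F60718293A4B5C6D7E8F9 HTTP/1.1" 200 1842
10.0.0.9 - - [19/Aug/2010:10:02:40 +0200] "POST /account/withdrawMoney;jsessionid=FFEEDDCCBBAA99887766554433221100.jvmAlfresco1 HTTP/1.1" 302 0
10.0.0.7 - - [19/Aug/2010:10:03:01 +0200] "GET /static/logo.png;jsessionid=0A1B2C3D4E5F60718293A4B5C6D7E8F9 HTTP/1.1" 404 312
"""

# client, timestamp, method, request target and status of a common-log line
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# the path parameter Tomcat appends when it rewrites a URL
SID_RE = re.compile(r';jsessionid=([^;?/]+)', re.IGNORECASE)


def mask(session_id):
    """Keep the first 4 characters and any jvmRoute suffix, so the report
    can be shared without leaking a usable session id."""
    sid, dot, route = session_id.partition(".")
    return sid[:4] + "*" + (dot + route if dot else "")


def find_url_session_ids(log_text):
    """One record per request whose URL carries a jsessionid parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a recognised log line
        s = SID_RE.search(m.group("target"))
        if not s:
            continue                      # session came from a cookie (or none)
        path = m.group("target").split(";", 1)[0]
        hits.append({"client": m.group("client"),
                     "method": m.group("method"),
                     "path": path,
                     "status": int(m.group("status")),
                     "session": mask(s.group(1))})
    return hits


def summarize(hits):
    """Counts per client and per path, plus the rewritten requests that
    failed (e.g. static content served by httpd answering 404)."""
    return {"by_client": Counter(h["client"] for h in hits),
            "by_path": Counter(h["path"] for h in hits),
            "errors": [h for h in hits if h["status"] >= 400]}


if __name__ == "__main__":
    for hit in find_url_session_ids(ACCESS_LOG):
        print(hit)
    print(summarize(find_url_session_ids(ACCESS_LOG)))
```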
Re: Tomcat sessions issue?
Pid wrote:
> ...
> After a cursory look through the server.xml, (cursory because of the trauma of wading through comments), I note:
>
>   <Listener className="org.apache.jk.config.ApacheConfig" modJk="/opt/zimbra/httpd/modules/mod_jk.so" />
>
> The OP made reference to the jvmRoute="jvmAlfresco1", so I think we need to understand what's going on there to find a resolution.

I saw that too, but I believe this is just a reference to mod_jk's auto-configuration capability. It does not necessarily mean that the OP /is/ accessing his Tomcats through Apache/mod_jk. And as far as I know, I don't think it would matter anyway.

There is another simple test of which I did not think before :
- login to instance A, verify it works
- check in the browser for any JSESSIONID cookie, note the beginning of the value
- login to instance B
- check again the cookies for JSESSIONID
If there is only one, and it has changed, then there is the collision.

I am willing to be convinced, but I am not sure by the way that the cookie path is part of what identifies a separate cookie. In other words, can the browser really hold two distinct cookies where the cookie name and hostname are the same, and only the path differs ?
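Chris's explanation earlier in the thread (same host, path and name, so the second cookie overwrites the first) and André's question here (does path alone distinguish two cookies?) can both be checked against a small model of a browser's cookie store. This is an added example in Python, not code from the thread or from Tomcat; the host name and session values are constructed, and the (name, domain, path) identity rule and path matching follow RFC 6265.

```python
"""Added example (not Tomcat code): a model of how a browser stores and
sends cookies, to illustrate the JSESSIONID collision in the thread.
Per RFC 6265 a stored cookie is identified by (name, domain, path): a
Set-Cookie with the same triple replaces the old cookie, while a different
path creates a second, independent cookie."""

from urllib.parse import urlsplit


class CookieJar:
    def __init__(self):
        # (name, domain, path) -> value
        self._store = {}

    def set_cookie(self, host, name, value, path="/"):
        """Store a cookie as the browser does on Set-Cookie; an existing
        cookie with the same (name, domain, path) is replaced."""
        self._store[(name, host, path)] = value

    @staticmethod
    def _path_matches(cookie_path, request_path):
        # RFC 6265 section 5.1.4 path-match
        if request_path == cookie_path:
            return True
        if request_path.startswith(cookie_path):
            if cookie_path.endswith("/"):
                return True
            return request_path[len(cookie_path)] == "/"
        return False

    def cookies_for(self, url):
        """(name, value) pairs the browser would send for url, longest path
        first, as they would appear in the Cookie header."""
        parts = urlsplit(url)
        host, request_path = parts.hostname, parts.path or "/"
        matches = [
            (name, path, value)
            for (name, domain, path), value in self._store.items()
            if domain == host and self._path_matches(path, request_path)
        ]
        matches.sort(key=lambda m: len(m[1]), reverse=True)
        return [(name, value) for name, _, value in matches]

    def count(self, name):
        return sum(1 for (n, _, _) in self._store if n == name)


def both_deployed_as_root():
    """Liferay and Alfresco both deployed as ROOT on myserver.com: the
    second login's Set-Cookie replaces the first session cookie."""
    jar = CookieJar()
    jar.set_cookie("myserver.com", "JSESSIONID", "LIFERAY111", path="/")
    jar.set_cookie("myserver.com", "JSESSIONID", "ALFRESCO222", path="/")
    return jar.count("JSESSIONID"), jar.cookies_for("http://myserver.com/")


def deployed_under_separate_paths():
    """Liferay at /liferay and Alfresco at /alfresco (Tomcat sets the cookie
    path to the context path): two cookies coexist and each request carries
    only the one whose path matches."""
    jar = CookieJar()
    jar.set_cookie("myserver.com", "JSESSIONID", "LIFERAY111", path="/liferay")
    jar.set_cookie("myserver.com", "JSESSIONID", "ALFRESCO222", path="/alfresco")
    return (jar.count("JSESSIONID"),
            jar.cookies_for("http://myserver.com/liferay/home"),
            jar.cookies_for("http://myserver.com/alfresco/home"))


if __name__ == "__main__":
    print(both_deployed_as_root())          # (1, [('JSESSIONID', 'ALFRESCO222')])
    print(deployed_under_separate_paths())
```

The model also shows why André's two-logins test works: with both apps at the root there is only ever one JSESSIONID cookie, and its value changes after the second login.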
Re: war not redeploying
On 18/08/2010 20:04, Sean McEligot wrote:
>> By the way, please create or edit your webapp's META-INF/context.xml, not the default one.
>
> I've reset context.xml back to default except jdbc resources and access logging.

How are you configuring access logging in conf/context.xml? And why?

p
Problem ReverseAjax.dwr on Tomcat7.0.0
System: Windows7
Tomcat: Tomcat 7.0.0 32-bit Windows zip (Simply unzip it, do nothing on configure file)
DWR: DWR2

Firstly sorry for my English. (I'm not good at it)

I'm working on a project built on Appfuse. And we add DWR reverseAjax into it. You know, it works well on Tomcat6. But when i move this project onto Tomcat7.0.0, it comes out that the reverseAjax is not working.

Screenshots [image: ss.jpg]

When i change to Tomcat6, it works again. So, if i need to do any configuration on Tomcat7 to make it support reverseAjax?

Thanks

--
weic 魏超
E-mail nnever...@gmail.com
厦门中软海晟信息技术有限公司, No. 2 Guanri Road, Xiamen Software Park Phase II, Xiamen 361008
Re: Tomcat 5.5.23 request.getAttribute(foo) returns unexpected NULL
2010/8/12 Thomas Treitlinger ttreitlin...@gmail.com:
> Hello,
>
> I have a number of JSP pages which use the JSTL core library to set a request attribute like this:
>
>   <c:set var="foo" scope="request">FOO-VALUE</c:set>
>
> The JSPs then forward to a Servlet like this:
>
>   <jsp:forward page="/request.go" />
>
> The Servlet later invokes
>
>   String s = (String) request.getAttribute("foo")

Maybe somebody calls your page directly?

The usual solution to avoid that is to move the page into WEB-INF directory. You can <jsp:forward page="/WEB-INF/_jsp/request.go" />, but nobody can call it directly.

Also there is one more possible catch: if 'c:' prefix is not associated with a taglib, <c:set> will be rendered as text, without invoking the tag library. Maybe the jsp or other file was corrupted somehow?

> The application was running in Tomcat 5.5.23 (Linux/Slackware)

I wonder if you can upgrade to a later version. I usually mention this page: http://tomcat.apache.org/security-5.html

Best regards,
Konstantin Kolinko
Re: Problem ReverseAjax.dwr on Tomcat7.0.0
魏超 wrote:
> System: Windows7
> Tomcat: Tomcat 7.0.0 32-bit Windows zip (Simply unzip it, do nothing on configure file)
> DWR: DWR2
>
> Firstly sorry for my English. (I'm not good at it)

No problem, 魏超, we're even worse in .. ?

> I'm working on a project built on Appfuse. And we add DWR reverseAjax into it. You know, it works well on Tomcat6. But when i move this project onto Tomcat7.0.0, it comes out that the reverseAjax is not working.
>
> Screenshots [image: ss.jpg]
>
> When i change to Tomcat6, it works again. So, if i need to do any configuration on Tomcat7 to make it support reverseAjax?

I know nothing about your problem, but here are a few general tips :
- this list usually strips any attachments, so we did not get the attached screenshot. If you want to attach information, you have to paste it, as text, inside the message. Please remove any comments or passwords.
- this list is for the Tomcat server itself, not for applications running inside the server. People here probably do not know much about Appfuse or DWR reverseAjax, so they may not be able to help you. You would probably receive better help on a support list dedicated to these applications.
- saying that "the reverseAjax is not working" does not help very much. Try to describe what is the problem.
- if the problem happens to be specific to Tomcat, then there must be Tomcat logfiles showing the problem (in tomcat/logs). Can you paste the relevant part of these logfiles here ?
- if the platform is Windows 7, then make sure that it is not the UAC (User Account Control) which interferes with Tomcat or with your application. If possible, disable UAC completely and try again.
FW: Problem ReverseAjax.dwr on Tomcat7.0.0
Dear Weic,

I think the issue more belongs to DWR-Users Mailing List than here.

Some relevant information that might help: Tomcat 7 uses Servlet 3.0. To avoid certain types of cross-site scripting attacks, Servlet 3.0 supports HttpOnly cookies. HttpOnly cookies are not exposed to the client-side scripting code. In case DWR reverseAjax is using cookies, this might not work with Tomcat 7.0.

P.S. Avoid using screenshots / attachments while using this community.

With best regards,
Nishant Hadole

From: 魏超 [mailto:nnever...@gmail.com]
Sent: Thursday, August 19, 2010 2:21 PM
To: users@tomcat.apache.org
Subject: Problem ReverseAjax.dwr on Tomcat7.0.0

System: Windows7
Tomcat: Tomcat 7.0.0 32-bit Windows zip (Simply unzip it, do nothing on configure file)
DWR: DWR2

Firstly sorry for my English. (I'm not good at it)

I'm working on a project built on Appfuse. And we add DWR reverseAjax into it. You know, it works well on Tomcat6. But when i move this project onto Tomcat7.0.0, it comes out that the reverseAjax is not working.

Screenshots

When i change to Tomcat6, it works again. So, if i need to do any configuration on Tomcat7 to make it support reverseAjax?

Thanks

--
weic 魏超
E-mail nnever...@gmail.com
厦门中软海晟信息技术有限公司, No. 2 Guanri Road, Xiamen Software Park Phase II, Xiamen 361008
Re: 501 Method not implemented with successive POST requests
Thanks folks, I submitted the issue as a bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=49779

Hans

2010/8/19 Christopher Schultz ch...@christopherschultz.net:
> Pid/Hans,
>
> On 8/16/2010 5:53 AM, Pid wrote:
>> On 16/08/2010 09:52, Hans Wahn wrote:
>>> I'd like to provide more information. Any suggestions what is the best way to accomplish that?
>>
>> See above, regarding trace log. Also, providing a stack trace if there is one from the error log and any access log data.
>
> You might consider *not* sending the 100 header and just proceeding as normal.
>
> Also, can you try your tests against a similarly-configured Tomcat 6.0.29 instance? It may be that some code has changed in Tomcat 7 and some regression occurred.
>
> Especially if you have a super-simple test case (and it looks like you do: you have an automated client that makes a limited and deterministic set of requests, and you can probably whip-together a skeleton webapp that behaves badly on command), you should probably file this as a bug and submit everything you've got: HTTP conversation logs, the example webapp, and the automated client.
>
> You'd be amazed how fast a reproducible bug can be fixed ;)
>
> -chris
Re: JNDI: LDAPv3 with StartTLS
On 19/08/2010 08:36, Rainer Jung wrote:
> On 18.08.2010 22:45, Igor Galić wrote:
>
> Felix: would you like to contribute your code? I didn't read it in detail but I guess it is very generic and would be a nice addon to the standard JNDIRealm?

+1

LDAP/JNDI seems tricky for a lot of people, the better support Tomcat has the easier everyone's lives will be.

p
Sessions mix-up on Tomcat 6.0.26 on Linux
Hi,

I have developed a web application using jsp and servlets with oracle database. The application is working fine on windows, but the problem arises when we deploy it on Linux(64bit), we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page. The menu options sometime show of previously logged users, sometimes currently logged user's. For example, session.getAttribute("role_id") sometime retrieves 3 and sometimes 1 depending on previous values.

please help!

Yawar S. Khan
Senior Manager - Business Applications
Information Technology Group (Karachi)
yawar.sa...@mcb.com.pk
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar Saeed Khan/ITG/Karachi wrote:
> Hi,
>
> I have developed a web application using jsp and servlets with oracle database.

and with Tomcat also ?

> The application is working fine on windows,

Windows version, JVM version, tomcat version ?

> but the problem arises when we deploy it on Linux(64bit),

Linux version, JVM version, tomcat version ?

> we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page. The menu options sometime show of previously logged users, sometimes currently logged user's. For example, session.getAttribute("role_id") sometime retrieves 3 and sometimes 1 depending on previous values.

Have you watched the JSESSIONID cookie in the browser after the different steps ?
The JSESSIONID cookie value contains (or should contain) the session-id for your current session. This value should not change during the whole user session. Does it ?

What about differences in configuration between Windows and Linux ? Are you doing any kind of load-balancing in one case and not in the other ? Is there anything (proxy, firewall, load-balancer, http server, ..) between the browser and the tomcat server ?
Re: [css-d] Floating images - understanding the details
Pardon I knew that, I must have been having an off day. Yes what I said is wrong.

On Thu, Aug 19, 2010 at 12:46 PM, Bobby Jack bobbykj...@yahoo.co.uk wrote:
> --- On Wed, 8/18/10, Wesley Acheson wesley.ache...@gmail.com wrote:
>> No-one spotted the deliberate mistake? ;)
>>
>> 4 values: are Top, bottom, left and right.
>
> should be
>
> 4 values: are top, right, bottom, left
>
> - Bobby
Re: [css-d] Floating images - understanding the details
Wesley Acheson wrote:
> Pardon I knew that, I must have been having an off day. Yes what I said is wrong.

And you are having another, it seems. Isn't this the wrong list for that ?
Oh well, there are just weeks like that..
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
On Thu, 2010-08-19 at 12:45 +0200, André Warnier wrote:
> Yawar Saeed Khan/ITG/Karachi wrote:
>> Hi,
>>
>> I have developed a web application using jsp and servlets with oracle database.
>
> and with Tomcat also ?

Look in the subject line. :)

>> The application is working fine on windows,
>
> Windows version, JVM version, tomcat version ?
>
>> but the problem arises when we deploy it on Linux(64bit),
>
> Linux version, JVM version, tomcat version ?

Look in the subject line. :)

>> we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page. The menu options sometime show of previously logged users, sometimes currently logged user's. For example, session.getAttribute("role_id") sometime retrieves 3 and sometimes 1 depending on previous values.
>
> Have you watched the JSESSIONID cookie in the browser after the different steps ?
> The JSESSIONID cookie value contains (or should contain) the session-id for your current session. This value should not change during the whole user session. Does it ?
>
> What about differences in configuration between Windows and Linux ? Are you doing any kind of load-balancing in one case and not in the other ? Is there anything (proxy, firewall, load-balancer, http server, ..) between the browser and the tomcat server ?
RE: Is there a better way to disable JSESSIONID in the URLs?
Sorry to pull the thread back to my original problem, but I have one more question here.

So far it looks like there's no way to prevent JSESSIONIDs from being injected into URLs that Tomcat might encode unless you implement a servlet filter to override that behavior. My follow-up question is this: given the increasing emphasis on security (and acknowledging that there's as much fear-mongering as there are legitimate threats involved in that business, and both cost money and time regardless of the legitimacy of the issue), does it make sense for Tomcat, and maybe even the servlet spec, to provide the option for the servlet container to disable this functionality at the container level, e.g. with a container configuration switch somewhere?
Re: war not redeploying
On Wed, Aug 18, 2010 at 3:57 PM, Mark Eggers its_toas...@yahoo.com wrote:
> Are you starting and stopping Tomcat under Cygwin? I've seen some interesting file locking problems (as well as the "terminate batch job?" question) when running Windows applications under Cygwin.
>
> How are you deploying your web application? Are you copying the new war file into $CATALINA_HOME/webapps, using the manager application, or deploying via an IDE?
>
> I'm on Linux at the moment, so I can't explore this. However, here are some things you might try.
>
> 1. Run everything under DOS.

I'll give it a try, though I can't imagine how cygwin would have locks unless you cd'd into your expanded war or opened files there.

> If you're a UNIX person, then this is not going to be as comfortable as running Cygwin, but it will remove some unintended consequences. Or as Konstantin suggested, run things on Linux.
>
> 2. Use the manager application for deployment.

I removed both ROOT and manager webapps. Only my webapp remains.

> If you are looking at a command line mechanism for deploying applications to production, you might take a look at the Ant tasks. Documentation for the Ant tasks can be found here:
>
> http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Executing_Manager_Commands_With_Ant

I would like it if it worked without the manager webapp, but I think it doesn't.

> 3. Use the IDE in a development environment
>
> Both NetBeans and Eclipse allow you to deploy to a running Tomcat (and start / stop Tomcat) from within the IDE. In a development environment I find that much more convenient than opening a shell and executing commands.

I might try Eclipse, but we have 20 webapps running on 11 tomcat servers, and one login server must always be running, so it becomes complicated.

> Some quick notes on your web application (which I don't think will affect its loading and unloading):
>
> 1. Debug is no longer a valid attribute for the Context element.

removed.

> 2. There appear to be some issues with your Resource element describing your JDBC connection.

Yes, maxIdle, maxActive. It looked harmless so I never got around to fixing it, but I'll do that.

> 3. Some of the connection pool threads issues could be due to a JDBC driver. If you're using MySQL, make sure you have the latest JDBC driver. Versions before 5.1.11 did cause problems.

oracle-9.0.2.0.0.jar over oracle. There is a home grown connection pool in front of the tomcat pool. It's been used for 11 years to prevent connection leaks. I can look at that.

> . . . . just my two cents.
> /mde/
>
> ----- Original Message -----
> From: Sean McEligot seanmc...@gmail.com
> To: Tomcat Users List users@tomcat.apache.org
> Sent: Wed, August 18, 2010 12:04:46 PM
> Subject: Re: war not redeploying
>
> On Wed, Aug 18, 2010 at 11:56 AM, Konstantin Kolinko knst.koli...@gmail.com wrote:
>>> 6.0.25
>>
>> An odd version...
>
> I'm in the middle of purchasing springsource-tc. The version is actually springsource tomcat-6.0.25.A-RELEASE, but I don't think they change anything except they have multiple catalina.base servers for one catalina.home. I had the same problem on standard tomcat 6.0.20.
>
>>> shutdown; rm -rf webapps/appname work/* temp/*; startup.
>>
>> Do you run rm -rf on Windows?
>
> Yes. I'm using cygwin.
>
>> Note, that there is also the following file: conf/Catalina/localhost/appname.xml
>> What is its modification time? Is clock set up correctly on the machine?
>
> The clock is working. There isn't anything in conf/Catalina/localhost. The directory is empty.
>
>>> antiJARLocking="true" antiResourceLocking="true"
>>
>> It would be better to test on some Linux machine. You won't be using the above options on Solaris.
>
> Well, this is important in production, but also in development. Since the problem is sporadic and fails silently. There's been a few occasions where I think my code fix isn't working, only to find out the code was never deployed. That can be very frustrating. For now I'll reset the context.xml to <Context> since none of those options are helping me.
>
>> Also different end-of-line handling, '/' vs '\', file names, filename case sensitivity may catch you.
>>
>>> <WatchedResource>build.txt</WatchedResource>
>>
>> WatchedResource is used to reload a webapp (e.g. when editing web.xml), not to redeploy it.
>
> OK. I don't need WatchedResource then. I've removed it.
>
>> By the way, please create or edit your webapp's META-INF/context.xml, not the default one.
>
> I've reset context.xml back to default except jdbc resources and access logging.
>
>> Are there any messages in the logs?
>
> No. The logs are silent when I deploy. There were some errors on the last undeploy before it stopped working. See below.
>
>> Are you using this webapps folder (e.g., Tomcat can be run with a different CATALINA_BASE).
>
> I'm sure because I've verified it when redeploy is working.
>
>> Best regards,
>> Konstantin Kolinko
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
> Yawar Saeed Khan/ITG/Karachi wrote:
> I have developed a web application using jsp and servlets with oracle database. The application is working fine on windows,

Or at least running on that platform hasn't uncovered the latent bugs in your webapp.

> but the problem arises when we deploy it on Linux(64bit), we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page.

This happens frequently for applications that misuse scope, doing such things as storing the request or response object in the session or some ThreadLocal field. It has never been shown to be an issue in a stable version of Tomcat.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Problem ReverseAjax.dwr on Tomcat7.0.0
> From: 魏超 [mailto:nnever...@gmail.com]
> Subject: Problem ReverseAjax.dwr on Tomcat7.0.0
>
> Tomcat: Tomcat 7.0.0 32-bit

Please test again on 7.0.2. Many, many bugs have been fixed between 7.0.0 and 7.0.2, so the issue you're having may have already been addressed.

- Chuck
Re: war not redeploying
On Thu, Aug 19, 2010 at 3:41 AM, Pid p...@pidster.com wrote:
> On 18/08/2010 20:04, Sean McEligot wrote:
> > > By the way, please create or edit your webapp's META-INF/context.xml, not the default one.
> >
> > I've reset context.xml back to default except jdbc resources and access logging.
>
> How are you configuring access logging in conf/context.xml?

  <Context>
    <Valve className="org.apache.catalina.valves.AccessLogValve" prefix="access" suffix=".log" pattern="common"/>

> And why?

I probably just saw another Valve commented out there (comet) and added this one in the same place. Where should it go?
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Ben Souther wrote:
> On Thu, 2010-08-19 at 12:45 +0200, André Warnier wrote:
> > Yawar Saeed Khan/ITG/Karachi wrote:
> > > Hi, I have developed a web application using jsp and servlets with oracle database.
> >
> > and with Tomcat also ?
>
> Look in the subject line. :)

Ok, I overlooked the subject line (*). Mea culpa.

However, a really long experience with problem reports tells me that when someone says "it is just the same, only the OS changes" or "I did not change anything", in the end it never turns out that way. So my questions remain, despite the subject line.

Basically, by asking these questions (and asking them over and over again), the purpose is not to bother the OP. The purpose is to try to delimit the issue properly from the start, rather than having to spend 10 back-and-forth messages to do so.

Clearly in this case, if all elements were identical except for the OS, this kind of issue would not happen. Ergo, there must be something else than the OS involved. I am just trying to find out what it is, and maybe in the process get the OP to figure it out too.

(*) Maybe it was because it did not have a "HELP!!" or "ASAP" or "tomcat does not work" in it. ;-)
RE: war not redeploying
> From: Sean McEligot [mailto:seanmc...@gmail.com]
> Subject: Re: war not redeploying
>
> I probably just saw another Valve commented out there (comet) and added this one in the same place. Where should it go?

Normally, one just uncomments the existing AccessLogValve in conf/server.xml.

- Chuck
Re: Feedback Requested: Proposed CLI Tool for Apache Tomcat; kitty.
Any interest in the code moving to the ASF incubator?

On Aug 16, 2010, at 4:06 PM, Networked wrote:

> Elevator pitch
>
> Myself and Peary Chiu have created a lightweight utility for administering Tomcat from the command line in our copious amounts of free time on the weekends. This is a very rough utility, but we wanted a command line administration utility that made it very easy and quick to debug a Tomcat server via JMX. We are looking to solicit feedback from the community on this utility. Really it could be used for any application server, but because of Tomcat's relevance and our familiarity with it, we prefer to offer it to this audience.
>
> The reason we are creating this utility is because we didn't feel that jconsole or other utilities such as jmxsh were swift enough or user friendly enough for troubleshooting Tomcat in a production environment. We have nothing against these projects, we just had a different preference for this tool.
>
> Needs to be improved
>
> We are aware that it needs some features, such as:
> - #1 Documentation
> - Easier navigation
> - Bash-style auto completion (if accomplished, could also benefit the Jython project)
> - Compile Jython code to Java classes
>
> We are working on getting these problems addressed. To our knowledge it works without issue with Jython 2.5.1+. (http://sourceforge.net/projects/jython/files/)
>
> What we'd appreciate
>
> Feel free to reply back with bugs and enhancement requests. We believe this will eventually be a useful, lightweight administration utility for Tomcat. We believe that by putting this out to the community early, we can address the needs of the community for such a utility, if at all, and have the community give some feedback on their general thoughts on the project.
>
> Fin
>
> Code is available at: http://github.com/msacks/kitty
>
> Thanks for your friendly replies,
> Matthew Sacks
Re: war not redeploying
On Thu, Aug 19, 2010 at 9:11 AM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> > From: Sean McEligot [mailto:seanmc...@gmail.com]
> > Subject: Re: war not redeploying
> >
> > I probably just saw another Valve commented out there (comet) and added this one in the same place. Where should it go?
>
> Normally, one just uncomments the existing AccessLogValve in conf/server.xml.

I didn't see that. I only RTFM. I fixed it now. Thanks.

> - Chuck
Help on Tomcat 6.0.29 and Comet
Hello everybody.

We have an application which was developed using Comet and GWT and it was built over the Tomcat 6.0.16 code. It was working very well and, according to the documentation, we are closing all the Comet events when we reach the event type ERROR and END. The application has never been tested with any other newer version of Tomcat since the version 6.0.16.

I was asked to test the application using the Tomcat version 6.0.29. I was expecting to see the app working fine and, to my surprise, the Comet part of the application started failing and throwing IllegalStateException and NullPointerException. Thus I went to the Tomcat change log and I found that in the version 6.0.19 there was a change in the Comet async close, and I am pretty sure that this is the part that is failing in my application.

During a lot of debug sessions, I realized that Tomcat was, by itself, recycling all my requests/responses and turning them into null objects, so when I was manually invoking event.close() I was getting the IllegalStateException because the request was nullified by Tomcat, and when I tried to write back to the client I was getting the NullPointerException because my response had been nullified as well.

The only way to make my application work is to avoid closing the event in the END event, only in the ERROR event (and all the other ones). I am not sure this is the best approach nor a good practice. Does anyone have any thoughts to share on this?

Thiago
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
On 19/08/2010 14:02, Caldarale, Charles R wrote:
> > Yawar Saeed Khan/ITG/Karachi wrote:
> > I have developed a web application using jsp and servlets with oracle database. The application is working fine on windows,
>
> Or at least running on that platform hasn't uncovered the latent bugs in your webapp.
>
> > but the problem arises when we deploy it on Linux(64bit), we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page.
>
> This happens frequently for applications that misuse scope, doing such things as storing the request or response object in the session or some ThreadLocal field. It has never been shown to be an issue in a stable version of Tomcat.

+1

Odds on the session or request is being stored in an instance field in a servlet somewhere.

p

> - Chuck
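A hypothetical pair of servlets, added here as an illustration of the scope bug Chuck and Pid describe; this is not the poster's application and not Tomcat code. It compiles against the javax.servlet 2.5 API that Tomcat 6 ships (servlet-api.jar). The session attribute name user_id is the one from the thread; the class names and the ThreadLocal holder are assumptions. The reason such a bug stays hidden on a developer's Windows box and surfaces on a shared Linux server is most likely load: one person clicking through the app never has two requests in flight at once, so the shared field is never overwritten mid-request.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Illustrative code, not the poster's application. The container creates ONE
// instance of each servlet and calls service() on it from many threads at once,
// so an instance field is shared by every request that is in flight.

/** BROKEN: whichever request thread wrote the field last decides whose profile is rendered. */
class BrokenProfileServlet extends HttpServlet {
    private HttpSession session;   // shared by all request threads: the bug

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        session = req.getSession(false);             // thread A stores A's session ...
        if (session == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // ... thread B arrives, executes the assignment above, and 'session' now
        // refers to B's session. Thread A carries on and shows B's data to A.
        String userId = (String) session.getAttribute("user_id");
        Html.profile(resp, userId);
    }
}

/** FIXED: request state lives in locals (one per calling thread), never in the servlet. */
public class ProfileServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);  // local variable: private to this thread
        if (session == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String userId = (String) session.getAttribute("user_id");
        // If deeper layers need the user without it being passed around, a ThreadLocal
        // is acceptable ONLY if it is cleared before the thread returns to the pool:
        // Tomcat reuses threads, so a value left behind by request A is what the next
        // request served by that thread would see.
        CurrentUser.set(userId);
        try {
            Html.profile(resp, userId);
        } finally {
            CurrentUser.clear();
        }
    }
}

/** Assumed helper: per-thread holder for the authenticated user id. */
class CurrentUser {
    private static final ThreadLocal<String> USER = new ThreadLocal<String>();
    static void set(String userId) { USER.set(userId); }
    static String get()            { return USER.get(); }
    static void clear()            { USER.remove(); }
}

/** Assumed helper: minimal HTML output with escaping, so a user id coming from the
 *  database cannot inject markup into the page. */
class Html {
    static void profile(HttpServletResponse resp, String userId) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<p>Profile of " + escape(userId) + "</p>");
    }

    static String escape(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The rule of thumb the fixed version follows: a servlet's instance fields may hold only things that are the same for every request (configuration, a DataSource, a compiled pattern). Anything derived from a request, the request, response, session, or user, lives in a local variable or is passed as a parameter.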
Re: Is there a better way to disable JSESSIONID in the URLs?
On 19/08/2010 13:32, Scott Hamilton wrote:
> Sorry to pull the thread back to my original problem, but I have one more question here. So far it looks like there's no way to prevent JSESSIONIDs from being injected into URLs that Tomcat might encode unless you implement a servlet filter to override that behavior.
>
> My follow-up question is this: given the increasing emphasis on security (and acknowledging that there's as much fear-mongering as there is legitimate threats involved in that business and both cost money and time regardless of the legitimacy of the issue), does it make sense for Tomcat, and maybe even the servlet spec, to provide the option for the servlet container to disable this functionality at the container level, e.g. with a container configuration switch somewhere?

You could always submit a patch and see what the devs think. ;)

p

> The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. This message is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited.
Re: Configure read/write-access in TomCat
My project-name is Server - but I guess that your answer still is correct. Thanks!

On 19-08-2010 05:06, Christopher Schultz wrote:
> Mr. Andersen,
>
> On 8/18/2010 7:16 AM, K A wrote:
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>user open part</web-resource-name>
> >       <url-pattern>/Server/user/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>user</role-name>
> >       <role-name>admin</role-name>
> >     </auth-constraint>
> >   </security-constraint>
>
> Your URL pattern is wrong: the URL should be relative to the context, not to the server. Presumably, your webapp's name is Server, and the context path is /Server. That means that your URL pattern ought to be:
>
>   <url-pattern>/user/*</url-pattern>
>
> I couldn't see if anyone actually answered your question, here, or just argued about how well-documented conf/web.xml was.
>
> Hope that helps.
>
> -chris
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Chuck, what you say makes sense, but I checked the behavior on Windows; the problem is in the Linux environment only. I would imagine that the Tomcat configuration might be different on both machines, but I have no clue about configuring Tomcat (maybe a session cache issue?). I just installed Tomcat 6.0.26 on both machines with default configurations.

From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Thu 19-Aug-10 7:02 PM
To: Tomcat Users List
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

> > Yawar Saeed Khan/ITG/Karachi wrote:
> > I have developed a web application using jsp and servlets with oracle database. The application is working fine on windows,
>
> Or at least running on that platform hasn't uncovered the latent bugs in your webapp.
>
> > but the problem arises when we deploy it on Linux(64bit), we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page.
>
> This happens frequently for applications that misuse scope, doing such things as storing the request or response object in the session or some ThreadLocal field. It has never been shown to be an issue in a stable version of Tomcat.
>
> - Chuck

This E-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. MCB Bank does not accept liability for any errors or omissions.
Re: Tomcat sessions issue?
Pid,

On 8/19/2010 3:25 AM, Pid wrote:
> On 19/08/2010 04:50, Christopher Schultz wrote:
> > The difference is probably that in other installations you haven't deployed both applications to the root (/) context path. You never did tell us how you deployed the two, so I suspect that both webapps are deployed as ROOT. In that case, you get cookies from both webapps that look like this:
> >
> > host=myserver.com, path=/, name=JSESSIONID, value=12345...
>
> Two Tomcats can't both exist in the same domain name space, unless there's a mapping error in mod_jk.

Different ports :(

> After a cursory look through the server.xml, (cursory because of the trauma of wading through comments), I note:
>
> <Listener className="org.apache.jk.config.ApacheConfig" modJk="/opt/zimbra/httpd/modules/mod_jk.so" />

Yuk. Don't use that, Robin!

-chris
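Chris's point, that the two Tomcats collide even though they listen on different ports, worked through with java.net.CookieManager standing in for a browser's cookie jar. This is an added example, not from the thread. A cookie's scope is host + path + name; the port is not part of it (RFC 6265 makes this explicit), so LifeRay on :8080 and Alfresco on :8081, both deployed as ROOT, keep replacing each other's JSESSIONID, while distinct context paths give distinct cookie paths and the two ids coexist. The Set-Cookie values and the port numbers are constructed for the demo; the host name myserver.com is Chris's.

```java
import java.io.IOException;
import java.net.CookieManager;
import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Map;

/** Added illustration: two ROOT webapps on one host collide on JSESSIONID even on different ports. */
public class CookieCollisionDemo {

    // Constructed Set-Cookie headers, standing in for what each Tomcat sends on login.
    static final String LIFERAY_SET_COOKIE  = "JSESSIONID=AAA111; Path=/";
    static final String ALFRESCO_SET_COOKIE = "JSESSIONID=BBB222; Path=/";

    /** Record a Set-Cookie header received from 'from' in the jar, as a browser would. */
    static void receive(CookieManager jar, URI from, String setCookie) throws IOException {
        jar.put(from, Collections.singletonMap("Set-Cookie", Collections.singletonList(setCookie)));
    }

    /** The Cookie header values the jar would attach to a request for 'to'. */
    static List<String> cookiesSentTo(CookieManager jar, URI to) throws IOException {
        Map<String, List<String>> headers = jar.get(to, Collections.<String, List<String>>emptyMap());
        List<String> cookie = headers.get("Cookie");
        return cookie == null ? Collections.<String>emptyList() : cookie;
    }

    public static void main(String[] args) throws Exception {
        URI liferay  = new URI("http://myserver.com:8080/");
        URI alfresco = new URI("http://myserver.com:8081/");

        // 1. Both apps at the root context: host, path and name are identical, port is ignored.
        CookieManager jar = new CookieManager();   // default policy: accept cookies from the origin host
        receive(jar, liferay, LIFERAY_SET_COOKIE);
        System.out.println("to Alfresco after LifeRay login : " + cookiesSentTo(jar, alfresco));
        receive(jar, alfresco, ALFRESCO_SET_COOKIE);
        System.out.println("to LifeRay after Alfresco login : " + cookiesSentTo(jar, liferay));
        // First line: LifeRay's id is sent to Alfresco's port. Second line: Alfresco's
        // Set-Cookie replaced LifeRay's id (same host, path and name), logging LifeRay out.

        // 2. Distinct context paths: same host and name, but the cookie path now differs.
        CookieManager jar2 = new CookieManager();
        receive(jar2, new URI("http://myserver.com:8080/liferay/"),  "JSESSIONID=AAA111; Path=/liferay");
        receive(jar2, new URI("http://myserver.com:8081/alfresco/"), "JSESSIONID=BBB222; Path=/alfresco");
        System.out.println("to /liferay  : " + cookiesSentTo(jar2, new URI("http://myserver.com:8080/liferay/")));
        System.out.println("to /alfresco : " + cookiesSentTo(jar2, new URI("http://myserver.com:8081/alfresco/")));
        // Each app now receives only its own id, so both sessions survive side by side.
    }
}
```

The same collision applies to any two cookie-based applications sharing a host name, not just two Tomcats: if the path is /, the last login wins. Separate context paths, separate host names, or a different cookie name per application are the available fixes; a different port is not.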
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Ok, let me share my source code with you... my index.jsp page has a html form which submits the form data to a servlet called loginmanager. this is the code inside doPost function;

  try {
      userbean user = new userbean(); // usebean is a class that has setter and getter functions for user attributes
      user.setUserId(request.getParameter("txt_userid"));
      user.setPassword(request.getParameter("txt_pass"));
      user = udac.login(user); // udac is a class that has data access functions, login function takes user object and checks its existence in db and sets isValid attribute for that user
      if (user.isValid()) {
          HttpSession session = request.getSession(true);
          session.setAttribute("user_id", user.getUserId());
          session.setAttribute("user_name", user.getName());
          session.setAttribute("role_id", user.getRole());
          session.setAttribute("role_desc", user.getRoleDesc());
          session.setAttribute("last_login", user.getLastLogin());
          response.sendRedirect("main.jsp"); //logged-in page
      } else {
          response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
      }
  } finally {
      out.close();
  }

Previously i had tried a simple way; my index.jsp file called itself on form submit, below code was in index.jsp (no servlet etc);

  //after form is submitted
  String query = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
  query = query + "AND LOWER(a.USER_ID) = LOWER('" + request.getParameter("txt_userid") + "') AND a.PASSWORD = '" + epass + "'";
  boolean hasdata = false;
  java.sql.ResultSet rs = connection.executeQuery(query);
  while (rs.next()) {
      hasdata = true;
      session.setAttribute("user_id", rs.getString("USER_ID"));
      session.setAttribute("user_name", rs.getString("NAME"));
      session.setAttribute("branch_code", rs.getString("BRANCH_CODE"));
      session.setAttribute("role_id", rs.getString("ROLE_ID"));
      session.setAttribute("role_desc", rs.getString("ROLE_DESC"));
      session.setAttribute("last_login", rs.getString("LAST_LOGIN_DATE"));
      upsql = "UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'";
      int up = connection.executeUpdate("UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'");
      int audit_insrt = InsertAuditEntry("F001", (String) session.getAttribute("user_id"), (String) session.getAttribute("branch_code"));
      response.sendRedirect("main.jsp");
      //out.println("Logged in");
  }

behaviour is same in both cases. thanks!

From: Pid [mailto:p...@pidster.com]
Sent: Thu 19-Aug-10 9:03 PM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

> On 19/08/2010 14:02, Caldarale, Charles R wrote:
> > > Yawar Saeed Khan/ITG/Karachi wrote:
> > > I have developed a web application using jsp and servlets with oracle database. The application is working fine on windows,
> >
> > Or at least running on that platform hasn't uncovered the latent bugs in your webapp.
> >
> > > but the problem arises when we deploy it on Linux(64bit), we get session issues in the application. The session variables get mixed up and we can see previously logged user's profile page.
> >
> > This happens frequently for applications that misuse scope, doing such things as storing the request or response object in the session or some ThreadLocal field. It has never been shown to be an issue in a stable version of Tomcat.
>
> +1
>
> Odds on the session or request is being stored in an instance field in a servlet somewhere.
>
> p
>
> > - Chuck
Re: JNDI: LDAPv3 with StartTLS
On Thursday, 19.08.2010, 09:36 +0200, Rainer Jung wrote:
> On 18.08.2010 22:45, Igor Galić wrote:
> > > > org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1269)
> > >
> > > This means, that you specified userPattern='...' in your realm configuration. And since your pattern looks like '(uid={0})(...)' it is probably wrong. You have specified userSearch='uid={0}', too. So I believe you want to read the fine documentation http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html especially about JNDIRealm and settle using userSearch.
> >
> > Great! That fixed it, and it now works! Thank you very much, Felix.
> >
> > I would very much like to document this. I am thus asking you for permission to use, host, reference or whatever is your liking, the code you have provided.
>
> Igor: It would be nice if you could add it to the Tomcat Wiki.
>
> Felix: would you like to contribute your code? I didn't read it in detail but I guess it is very generic and would be a nice addon to the standard JNDIRealm?

I will open a ticket with an enhancement request. Though I don't know which version of the patch would be a better fit.

Bye
Felix

> Regards,
>
> Rainer
Re: JNDI: LDAPv3 with StartTLS
> On Wednesday, 18.08.2010, 20:45, Igor Galić wrote:
> > > > org.apache.catalina.realm.JNDIRealm.getUserByPattern(JNDIRealm.java:1269)
> > >
> > > This means, that you specified userPattern='...' in your realm configuration. And since your pattern looks like '(uid={0})(...)' it is probably wrong. You have specified userSearch='uid={0}', too. So I believe you want to read the fine documentation http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html especially about JNDIRealm and settle using userSearch.
> >
> > Great! That fixed it, and it now works! Thank you very much, Felix.
> >
> > I would very much like to document this. I am thus asking you for permission to use, host, reference or whatever is your liking, the code you have provided.
>
> Use it as you like. As Rainer has hinted, the apache wiki would be a good place for documentation :)
>
> Bye
> Felix

So long,
i
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
2010/8/19 Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk:
> Ok, let me share my source code with you...
>
>   HttpSession session = request.getSession(true);
>   response.sendRedirect("main.jsp"); //logged-in page

See documentation on the HttpServletResponse.encodeRedirectURL() method. It must be used here.

Best regards,
Konstantin Kolinko
Re: Is there a better way to disable JSESSIONID in the URLs?
Wesley,

On 8/19/2010 3:57 AM, Wesley Acheson wrote:
> We disabled both accepting of URL sessionId's and the session encoding URLs. Our application has worked well since with no problems. In fact better as we can cache certain pages in their entirety without being concerned with url rewriting. If we use relative URLs to static content served by Apache Httpd this now works too as otherwise Apache httpd gives a 404 (correctly) if there is a jsessionId in the URL.

Apache httpd's behavior is a matter of opinion at this point. I believe it should /not/ give you 404s, but there are at least two workarounds for that: mod_rewrite and mod_jk's StripSession setting.

> In my honest opinion the URL jsessionid thing is a bad idea. It's not even added as a parameter to the URL but rather part of the request URL itself.

The HTTP/URL spec calls this a parameter: it's /not/ part of the path.

> So many websites don't function without cookies anyway. It would be just better to use session cookies or at least leave an option in server.xml or context xml to disable it.

The servlet specification mandates this behavior. Tomcat simply must support it. The spec says nothing of configurability, so Tomcat does not provide any. Hence the need to write a filter to achieve your desired behavior.

> Imagine the following scenario. Someone goes to malicious-site.com which has some javascript running in the background that posts to one of your forms. Card withdrawal for instance. This javascript can post all the details to your site, however it cannot write cookies for your domain. However if it was either able to guess a jsessionid or one could have been used from somewhere else and jsessionid is a parameter in the url there's nothing stopping them posting to http://yoursite/withdrawMoney;jsessionid=xxx.

What stops javascript from making a request to a site and adding headers like, for instance, the Cookie header? I haven't hacked around with javascript capabilities so I really don't know if that's legal to do. I would imagine that most web browsers have robust enough javascript support that a telnet client could be written on them.

> Yes I know you need more security measures than that in place for this type of attack but I still believe that it's valuable being able to disable it. Resin does allow you; I wish Tomcat would.

As is often said, patches are always welcome. ;)

-chris
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Konstantin, it seems that I will have to use HttpServletResponse.encodeRedirectURL() in every hyperlink? Will that solve my sessions problem?

From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Thu 19-Aug-10 10:00 PM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

> 2010/8/19 Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk:
> > Ok, let me share my source code with you...
> >
> >   HttpSession session = request.getSession(true);
> >   response.sendRedirect("main.jsp"); //logged-in page
>
> See documentation on the HttpServletResponse.encodeRedirectURL() method. It must be used here.
>
> Best regards,
> Konstantin Kolinko
Re: Is there a better way to disable JSESSIONID in the URLs?
On Thu, Aug 19, 2010 at 12:01, Christopher Schultz ch...@christopherschultz.net wrote:
> The servlet specification mandates this behavior. Tomcat simply must support it. The spec says nothing of configurability, so Tomcat does not provide any. Hence the need to write a filter to achieve your desired behavior.

That's not inviolable dogma. Tomcat does have some settings that make it operate out-of-spec, e.g. non-standard cookie parsing. I don't see why an option couldn't be added to disable JSESSIONID in URLs, if enough people would find it useful.

-- Len
Re: JNDI: LDAPv3 with StartTLS
> Use it as you like. As Rainer has hinted, the apache wiki would be a good place for documentation :)

Excellent. Thank you very much, will do that.

i
Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar,

I'm marking this as off-topic for /your/ request. I just have some comments for you. Take them or leave them.

On 8/19/2010 11:53 AM, Yawar Saeed Khan/ITG/Karachi wrote:
> Ok, let me share my source code with you... my index.jsp page has an html form which submits the form data to a servlet called loginmanager. this is the code inside the doPost function;
>
> try {
>     userbean user = new userbean(); // userbean is a class that has setter and getter functions for user attributes
>     user.setUserId(request.getParameter("txt_userid"));
>     user.setPassword(request.getParameter("txt_pass"));
>     user = udac.login(user); // udac is a class that has data access functions; login takes a user object, checks its existence in the db and sets the isValid attribute for that user

Not using Tomcat's container-managed login? Any particular reason why not? It's quite easy to configure and has the added benefit of being properly tested.

>     if (user.isValid()) {
>         HttpSession session = request.getSession(true);
>         session.setAttribute("user_id", user.getUserId());
>         session.setAttribute("user_name", user.getName());
>         session.setAttribute("role_id", user.getRole());
>         session.setAttribute("role_desc", user.getRoleDesc());
>         session.setAttribute("last_login", user.getLastLogin());

Why not session.setAttribute("user", user)?

>         response.sendRedirect("main.jsp"); // logged-in page

That should be:

response.sendRedirect(request.getContextPath() + response.encodeRedirectURL("/main.jsp"));

>     } else {
>         response.sendRedirect("index.jsp?user=" + user.isValid()); // revert back to login page

That should be:

response.sendRedirect(request.getContextPath() + response.encodeRedirectURL("/index.jsp") + "?user=" + java.net.URLEncoder.encode(String.valueOf(user.isValid()), "UTF-8"));

It always helps to format and encode things properly.

>     }
> } finally {
>     out.close();
> }

What is out?

> Previously i had tried a simple way; my index.jsp file called itself on form submit, below code was in index.jsp (no servlet etc);
>
> // after form is submitted
> String query = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
> query = query + "AND LOWER(a.USER_ID) = LOWER('" + request.getParameter("txt_userid") + "') AND a.PASSWORD = '" + epass + "'";
> boolean hasdata = false;
> java.sql.ResultSet rs = connection.executeQuery(query);

Wow: this is a SQL injection attack just waiting to happen. What happens if I submit the txt_userid request parameter as "') OR 1;" or, even better, "'); DELETE FROM LOGIN_INFORMATION;" or some other evil thing? I believe that certain JDBC drivers will not execute more than one query per executeQuery() call, but you can't really count on that. It's easy to use a PreparedStatement and just do it properly: poof! SQL injection attacks are a thing of the past (unless the driver is broken, but they test those things very well).

Also, most SQL databases perform case-insensitive string comparisons, so your LOWER(a.USER_ID) = LOWER(...) can probably be simplified. Note that it also means you likely have case-insensitive passwords (though you haven't shown us what epass is -- it could have been hashed).

> while (rs.next()) {
>     hasdata = true;
>     session.setAttribute("user_id", rs.getString("USER_ID"));
>     session.setAttribute("user_name", rs.getString("NAME"));
>     session.setAttribute("branch_code", rs.getString("BRANCH_CODE"));
>     session.setAttribute("role_id", rs.getString("ROLE_ID"));
>     session.setAttribute("role_desc", rs.getString("ROLE_DESC"));
>     session.setAttribute("last_login", rs.getString("LAST_LOGIN_DATE"));
>     upsql = "UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'";
>     int up = connection.executeUpdate("UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'");
>     int audit_insrt = InsertAuditEntry("F001", (String) session.getAttribute("user_id"), (String) session.getAttribute("branch_code"));
>     response.sendRedirect("main.jsp");

How many redirects do you end up sending? Hopefully, only one. But this code is bad, bad, bad. It makes me wonder what other nuggets can be found in your code.

-chris
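An added illustration of the point Chris makes above (example code written for this page, not code from the original posts): the concatenated query, reconstructed from the snippet quoted in the message, next to a PreparedStatement version of the same lookup. Table and column names are the ones in the quoted query; `epass` is assumed to be the already-transformed password value the JSP computed, and the `Connection` is assumed to come from a container-managed DataSource. `main` needs no database: it shows what the concatenated form turns into for one constructed hostile `txt_userid`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public final class LoginQuery {

    /**
     * The lookup as posted to the list, reconstructed: request input is pasted
     * into the SQL text, so the input decides what the statement means.
     */
    static String concatenatedQuery(String txtUserId, String epass) {
        String query = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, "
                     + "a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b "
                     + "WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
        query = query + "AND LOWER(a.USER_ID) = LOWER('" + txtUserId + "') AND a.PASSWORD = '" + epass + "'";
        return query;
    }

    /** Same lookup with bind parameters: the SQL text never changes, only the bound values do. */
    private static final String LOGIN_SQL =
          "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC "
        + "FROM LOGIN_INFORMATION a, ROLES b "
        + "WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID "
        + "AND LOWER(a.USER_ID) = LOWER(?) AND a.PASSWORD = ?";

    private static final String TOUCH_LAST_LOGIN_SQL =
        "UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = ?";

    /**
     * Returns the stored USER_ID for a matching, active account, or null when the
     * credentials do not match. The caller then decides on exactly one redirect.
     */
    static String login(Connection conn, String txtUserId, String epass) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, txtUserId);   // sent as a value: quotes, semicolons and comment markers stay data
            ps.setString(2, epass);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                String userId = rs.getString("USER_ID");
                try (PreparedStatement touch = conn.prepareStatement(TOUCH_LAST_LOGIN_SQL)) {
                    touch.setString(1, userId);
                    touch.executeUpdate();
                }
                return userId;            // first row only: no loop, so no second redirect
            }
        }
    }

    public static void main(String[] args) {
        // Constructed hostile input: closes the LOWER('...') literal, adds OR 1=1,
        // and the trailing -- turns the password check into an SQL comment.
        String hostile = "x') OR 1=1 --";
        System.out.println(concatenatedQuery(hostile, "irrelevant"));
        // In the concatenated form 1=1 is true for every active row, so any password logs in.
        // login() with the same input merely searches for a user literally named "x') OR 1=1 --".
    }
}
```

The bound form also answers the later question about redirects: it returns after the first matching row instead of looping over the result set, so the caller redirects exactly once. LOWER() is kept on both sides because whether the comparison is case-sensitive depends on the database's collation, not on the driver.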
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar,

On 8/19/2010 11:28 AM, Yawar Saeed Khan/ITG/Karachi wrote:
> Chuck, what you say makes sense but I check the behavior on windows. the problem is in Linux environment only. I would imagine that tomcat configuration might be different on both machines, but have no clue abt configuring tomcat. (maybe session cache issue?) I just installed tomcat 6.0.26 on both machines with default configurations.

You didn't mention if Windows was 32-bit or 64-bit. Are we talking about the same hardware? Equivalent hardware? What about number of cores? Sometimes, these things don't expose themselves unless true simultaneity is possible -- which requires more than one processor core. Isn't non-determinism fun?

-chris
Re: truststoreFile vs javax.net.ssl.trustStore
Estanislao,

On 8/16/2010 4:34 AM, Estanislao Gonzalez wrote:
> thanks a lot for your help! I've solved the matter but I have still some questions and some interesting findings I would like to share, so please continue reading this email :-)

Glad you found the problem and that things are working and/or making sense, now.

> My proposal to this people was to read the connector configuration and set up httpclient in a proper way. To my knowledge this could be done this way:
> ---
> Connector[] connectors = org.apache.catalina.ServerFactory.getServer().findService("Catalina").findConnectors();
> for (Connector connector : connectors) {
>     if (connector.getSecure()) {
>         String tsFile = (String) connector.getAttribute("truststoreFile");
>         String tsPass = (String) connector.getAttribute("truststorePass");
>         if (tsFile != null) {
>             // this is the connector we are looking for
>             if (tsPass == null) tsPass = "changeit"; // tomcat default
>             // file and pass are known, set up httpclient properly
>             break;
>         }
>     }
> }

This procedure has several problems:

1. You never know which connector you're going to get. If multiple connectors are configured, you might guess the wrong one.
2. This library might not have access to Tomcat code when used, so this procedure wouldn't be at all valid in those environments.
3. Even when used within Tomcat, it may not be appropriate to configure the library to share Tomcat's trustStore.

What would be better is having the library allow you to configure the trust store to be used, and then you duplicate the configuration you already have for Tomcat.

> You mentioned that setting the JVM variable with the truststoreFile and pass will do. But this will show the password to anyone making a ps... or am I missing something?

That is correct. There are other ways of setting system properties, though. You can call System.setProperty before the library is initialized and you should be okay. You can read the system properties from a file and they won't show up in a process listing.

> Do you see any problem or better solution? I think the best way is letting tomcat handle the whole configuration from servlet.xml file, and, if required, accessing the configuration from those servlet that requires to.

No, Tomcat should use its own configuration and the httpclient should use its own separate configuration. If they allow you to configure the trustStore via some mechanism, then use it. If they don't allow you to do that, you should file an enhancement request since this really is a requirement for a useful library of this kind.

Good luck,
-chris
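An added example of the arrangement Chris recommends (example code written for this page, not from the original thread or from any library): the HTTP client gets its own trust store, read from a properties file rather than from `-Djavax.net.ssl.trustStore...` on the command line, so the password is neither visible in a process listing nor shared with Tomcat's connector. Nothing here touches JVM-wide system properties. The property names, the `changeit` default (borrowed from Tomcat's connector default) and the file path in `main` are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class ClientTrustStore {

    // Assumed property names; the file is separate from Tomcat's server.xml.
    static final String TRUSTSTORE_FILE = "client.truststore.file";
    static final String TRUSTSTORE_PASS = "client.truststore.pass";
    static final String TRUSTSTORE_TYPE = "client.truststore.type";

    /** Builds an SSLContext that trusts only the CAs in the configured trust store. */
    public static SSLContext fromPropertiesFile(Path propsFile) throws IOException, GeneralSecurityException {
        refuseIfReadableByOthers(propsFile);

        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(propsFile)) {
            p.load(in);
        }
        String file = p.getProperty(TRUSTSTORE_FILE);
        if (file == null) {
            throw new IllegalStateException(TRUSTSTORE_FILE + " not set in " + propsFile);
        }
        char[] pass = p.getProperty(TRUSTSTORE_PASS, "changeit").toCharArray();
        String type = p.getProperty(TRUSTSTORE_TYPE, KeyStore.getDefaultType());

        KeyStore ts = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            ts.load(in, pass);
        } finally {
            Arrays.fill(pass, '\0');          // the password is only needed to open the store
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client certificate, default RNG
        return ctx;
    }

    /** The password sits in this file, so other accounts on the box must not be able to read it. */
    private static void refuseIfReadableByOthers(Path propsFile) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(propsFile);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IOException(propsFile + " is readable by group/others; chmod 600 it");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (Windows): the directory ACL has to do this job.
        }
    }

    /** Attaches the context to one connection instead of changing the JVM-wide default. */
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Assumed location of the client's own configuration file.
        SSLContext ctx = fromPropertiesFile(Paths.get("/opt/tomcat/conf/httpclient-trust.properties"));
        HttpsURLConnection conn = open(new URL("https://service.example/"), ctx);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the context is handed to the connection (or to whatever client library is in use) rather than installed as the default, Tomcat's connectors keep their own `truststoreFile`, and changing either side never silently changes the other.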
Re: JNDI: LDAPv3 with StartTLS
On 19.08.2010 18:55, Igor Galić wrote:
>> Use it as you like. As Rainer has hinted, the apache wiki would be a good place for documentation :)
>
> Excellent. Thank you very much, will do that.

URL: http://wiki.apache.org/tomcat/ :)
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
On 8/19/2010 11:28 AM, Yawar Saeed Khan/ITG/Karachi wrote: Chuck, what you say makes sense but I check the behavior on windows. All that says to me is that your testing environment on Windows is inadequate. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Apache reverse proxy to tomcat application server
Hi List,

I'm running mod_jk on an apache 2.2.14 connecting to a second host, running a tomcat 5 server with a third party application. This application is configured to display some company internal information when accessing the page directly without any subdirectory, like: http://servername/

A second application part is located under the address http://servername/application - please note, this is not a directory, this is a servlet-mapping made by tomcat (and we can't change the tomcat setup as we would lose support for it).

My problem is now that I only want to grant access to http://servername/application for external customers through the apache mod_jk setup. But for some reason I have trouble implementing this. The stuff only works if I configure mod_jk to JkMount /* - but with that, also the page http://servername/ is accessible. I've also tried it with Rewrite rules (to make sure everything else than http://servername/application is redirected to this address), etc. but nothing was/is working.

Please find below some information about my setup:

###
### setup information
###

mod_jk version: 1.2.30

mod_jk httpd configuration (that's how it is working, but it will allow access to any application served by the tomcat server):

# Some URL Redirecting is required
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
RewriteCond %{REQUEST_URI} !=/application
RewriteRule .* /application

# Load Module
LoadModule jk_module modules/mod_jk.so
# Worker File
JkWorkersFile /path to worker file/workers.properties
# Where to put the log
JkLogFile /path to log file/mod_jk.log
# Log level
JkLogLevel debug
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
JkMount /* worker1

mod_jk worker configuration:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=chnovmn3.lcsys.ch
worker.worker1.port=8009
worker.worker1.connection_pool_timeout=60
worker.worker1.socket_keepalive=1

mod_jk log output (if required, I can provide some more log information):

[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ws_write::mod_jk.c (507): written 8 out of 8
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): received from ajp13 pos=0 len=769 max=8192
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 0000    03 02 FD 6C 69 67 6E 3D 22 72 69 67 68 74 22 20  - ...lign="right".
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 0010    77 69 64 74 68 3D 22 33 36 30 22 20 63 6F 6C 73  - width="360".cols
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 0020    70 61 6E 3D 22 31 22 3E 3C 62 3E 50 61 73 73 77  - pan="1"><b>Passw
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 0030    6F 72 64 3A 20 3C 2F 62 3E 3C 2F 74 64 3E 3C 74  - ord:.</b></td><t
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 0040    64 20 63 6C 61 73 73 3D 22 6C 6F 67 69 6E 22 20  - d.class="login".
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 0050    61 6C 69 67 6E 3D 22 6C 65 66 74 22 20 77 69 64  - align="left".wid
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 0060    74 68 3D 22 34 34 30 22 20 63 6F 6C 73 70 61 6E  - th="440".colspan
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 0070    3D 22 31 22 3E 3C 69 6E 70 75 74 20 6F 6E 6B 65  - ="1"><input.onke
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 0080    79 70 72 65 73 73 3D 22 69 66 20 28 65 76 65 6E  - ypress="if.(even
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 0090    74 2E 6B 65 79 43 6F 64 65 21 3D 31 33 29 20 72  - t.keyCode!=13).r
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 00a0    65 74 75 72 6E 20 74 72 75 65 3B 20 73 65 74 49  - eturn.true;.setI
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 00b0    6E 70 75 74 28 64 6F 63 75 6D 65 6E 74 2E 66 6F  - nput(document.fo
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 00c0    72 6D 73 5B 30 5D 2C 20 27 44 65 73 74 69 6E 61  - rms[0],.'Destina
[Thu Aug 19 16:59:19 2010] [27595:1142135104] [debug] ajp_connection_tcp_get_message::jk_ajp_common.c (1336): 00d0    74 69 6F 6E 41 63 74 69 6F 6E 27 2C 20 27 4C 6F  -
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Okay, I've a little theory. Could you post the entire code for loginmanager? How is udac declared? If it's a class variable then *IT'S NOT THREAD SAFE*. As a basic rule don't declare class variables in a servlet (there are exceptions to this rule, but you shouldn't under normal circumstances).
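An added demonstration of the theory above (example code written for this page, not the poster's loginmanager): Tomcat builds one instance of a servlet and serves concurrent requests through it on different threads, so per-request data kept in an instance field is overwritten by whichever request wrote last, and the first request can read the second request's user back. The class and field names are hypothetical, and a thread pool stands in for the container's request threads so the effect can be reproduced without Tomcat.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public final class SharedStateDemo {

    /** Shape of a request handler, so both versions can be driven by the same harness. */
    interface Handler {
        String handle(String requestUserId) throws Exception;
    }

    /** Hypothetical: per-request data kept in a field of the (single, shared) servlet instance. */
    static final class UnsafeLoginManager implements Handler {
        private String currentUser;                 // shared by every in-flight request

        public String handle(String requestUserId) throws Exception {
            currentUser = requestUserId;            // request A stores its user here...
            Thread.sleep(2);                        // ...simulated DB round trip; B may overwrite it meanwhile...
            return currentUser;                     // ...so A can get B's user back
        }
    }

    /** Fix: per-request data lives in a local, which belongs to the calling thread alone. */
    static final class SafeLoginManager implements Handler {
        public String handle(String requestUserId) throws Exception {
            String currentUser = requestUserId;     // private to this request
            Thread.sleep(2);
            return currentUser;
        }
    }

    /** Fires {@code requests} concurrent calls and counts how many got a different user's id back. */
    static int countMixups(Handler handler, int requests) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(16);
        List<Future<Boolean>> outcomes = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            final String me = "user" + i;
            outcomes.add(pool.submit(() -> !me.equals(handler.handle(me))));
        }
        int mixups = 0;
        for (Future<Boolean> f : outcomes) {
            if (f.get()) {
                mixups++;
            }
        }
        pool.shutdown();
        return mixups;
    }

    public static void main(String[] args) throws Exception {
        // The unsafe count varies from run to run (it depends on scheduling); the safe count is always 0.
        System.out.println("unsafe (field):  mix-ups = " + countMixups(new UnsafeLoginManager(), 500));
        System.out.println("safe   (local):  mix-ups = " + countMixups(new SafeLoginManager(), 500));
    }
}
```

The same rule applies to anything reachable from a field: a data-access object is only safe to share if it holds no per-request state itself (a `DataSource` is fine; a `Connection`, `PreparedStatement` or "current user" is not).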
Re: Apache reverse proxy to tomcat application server
On 19.08.2010 20:27, li...@cgi-net.ch wrote:
> Hi List,
>
> I'm running mod_jk on an apache 2.2.14 connecting to a second host, running a tomcat 5 server with a third party application. This application is configured to display some company internal information when accessing the page directly without any subdirectory, like: http://servername/
>
> A second application part is located under the address http://servername/application - please note, this is not a directory, this is a servlet-mapping made by tomcat (and we can't change the tomcat setup as we would lose support for it).
>
> My problem is now that I only want to grant access to http://servername/application for external customers through the apache mod_jk setup. But for some reason I have trouble implementing this.

How did you try to achieve that?

JkMount /application|/* worker1

Is the application deployed on Tomcat using the same context name /application?

What was the exact result, when you tried that?

> The stuff only works if I configure mod_jk to JkMount /* - but with that, also the page http://servername/ is accessible. I've also tried it with Rewrite rules (to make sure everything else than http://servername/application is redirected to this address), etc. but nothing was/is working.

Rewriting will not be necessary as long as the context name on Tomcat is /application.

> Please find below some information about my setup:
>
> ###
> ### setup information
> ###
>
> mod_jk version: 1.2.30
>
> mod_jk httpd configuration (that's how it is working, but it will allow access to any application served by the tomcat server):
>
> # Some URL Redirecting is required
> RewriteEngine On
> RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
> RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
> RewriteCond %{REQUEST_URI} !=/application
> RewriteRule .* /application

Let's remove the rewriting as long as we are debugging your original problem.

> # Load Module
> LoadModule jk_module modules/mod_jk.so
> # Worker File
> JkWorkersFile /path to worker file/workers.properties
> # Where to put the log
> JkLogFile /path to log file/mod_jk.log
> # Log level
> JkLogLevel debug
> # Select the timestamp log format
> JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
> JkMount /* worker1
>
> mod_jk worker configuration:
>
> # Define 1 real worker using ajp13
> worker.list=worker1
> # Set properties for worker1 (ajp13)
> worker.worker1.type=ajp13
> worker.worker1.host=chnovmn3.lcsys.ch
> worker.worker1.port=8009
> worker.worker1.connection_pool_timeout=60
> worker.worker1.socket_keepalive=1

The log snippet you provided was parts of the log produced by successful requests, i.e. requests that were forwarded to tomcat and replied stuff. Please do provide the log contents for a request that does not work, i.e. which does show the problem.

Regards,

Rainer
Re: war not redeploying
I now have one war that redeploys correctly (Cavs.war) and one that does not redeploy (blview.war).

$ ls -l work/Catalina/localhost/
total 0
drwxrwx---+ 1 Administrators SYSTEM 0 2010-08-19 14:35 Cavs
drwxrwx---+ 1 Administrators SYSTEM 0 2010-08-19 14:01 blview        (today's date)

$ ls -l webapps/
total 19088
drwxrwx---+ 1 Administrators SYSTEM        0 2010-08-19 14:34 Cavs
-rwxr-x---+ 1 Sean McEligot  None   17543690 2010-08-19 14:34 Cavs.war
drwxrwx---+ 1 Administrators SYSTEM        0 2010-08-18 15:36 blview    (yesterday's date)
-rwxr-x---+ 1 Sean McEligot  None    1995771 2010-08-19 13:21 blview.war

$ ls -ltr webapps/blview/WEB-INF/classes/blview/servlets/
total 8
-rwxrwx---+ 1 Administrators SYSTEM 5557 2010-08-18 14:50 BLView.class    (yesterday's date)

$ unzip -l webapps/blview.war | grep servlets
     5558  08-19-2010 08:10   WEB-INF/classes/blview/servlets/BLView.class    (today's date)

It reaches the checkResources code that checks the timestamps:

19-Aug-2010 14:04:16.78 FINE org.apache.catalina.startup.HostConfig.checkResources Checking context[/blview] redeploy resource C:\gfm\springsource-tc\misc\webapps\blview.war
19-Aug-2010 14:04:16.78 FINE org.apache.catalina.startup.HostConfig.checkResources Checking context[/blview] redeploy resource C:\gfm\springsource-tc\misc\webapps\blview
19-Aug-2010 14:04:16.78 FINE org.apache.catalina.startup.HostConfig.checkResources Checking context[/blview] reload resource c:\gfm\springsource-tc\misc\conf\web.xml
19-Aug-2010 14:04:16.78 FINE org.apache.catalina.startup.HostConfig.checkResources Checking context[/blview] reload resource c:\gfm\springsource-tc\misc\conf\context.xml

HostConfig.java : checkResources

File resource = new File(resources[i]);
if (log.isDebugEnabled())
    log.debug("Checking context[" + app.name + "] redeploy resource " + resource);
    // logged: Checking context[/blview] redeploy resource C:\gfm\springsource-tc\misc\webapps\blview.war
if (resource.exists()) {
    long lastModified = ((Long) app.redeployResources.get(resources[i])).longValue();
    if ((!resource.isDirectory()) && resource.lastModified() > lastModified) {
        // Undeploy application
        if (log.isInfoEnabled())
            log.info(sm.getString("hostConfig.undeploy", app.name));   // <-- never gets here
Re: Apache reverse proxy to tomcat application server
On Thu, 19 Aug 2010 20:57:57 +0200, Rainer Jung <rainer.j...@kippdata.de> wrote:
> On 19.08.2010 20:27, li...@cgi-net.ch wrote:
>> Hi List,
>>
>> I'm running mod_jk on an apache 2.2.14 connecting to a second host, running a tomcat 5 server with a third party application. This application is configured to display some company internal information when accessing the page directly without any subdirectory, like: http://servername/
>>
>> A second application part is located under the address http://servername/application - please note, this is not a directory, this is a servlet-mapping made by tomcat (and we can't change the tomcat setup as we would lose support for it).
>>
>> My problem is now that I only want to grant access to http://servername/application for external customers through the apache mod_jk setup. But for some reason I have trouble implementing this.
>
> How did you try to achieve that?
>
> JkMount /application|/* worker1

I tried it with

JkMount /application worker1

and with

JkMount /application* worker1

Quick question, you've written JkMount /application|/, what does the | stand for?

> Is the application deployed on Tomcat using the same context name /application?

Yes

> What was the exact result, when you tried that?

Well it displays the login page, but the formatting of the does not work, and when I hit the submit button, nothing is happening. Do you think that it is possible that /application does require / to be accessible as well (both applications coming from the same vendor and are related to each other)?

>> The stuff only works if I configure mod_jk to JkMount /* - but with that, also the page http://servername/ is accessible. I've also tried it with Rewrite rules (to make sure everything else than http://servername/application is redirected to this address), etc. but nothing was/is working.
>
> Rewriting will not be necessary as long as the context name on Tomcat is /application.
>
>> Please find below some information about my setup:
>>
>> ###
>> ### setup information
>> ###
>>
>> mod_jk version: 1.2.30
>>
>> mod_jk httpd configuration (that's how it is working, but it will allow access to any application served by the tomcat server):
>>
>> # Some URL Redirecting is required
>> RewriteEngine On
>> RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
>> RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
>> RewriteCond %{REQUEST_URI} !=/application
>> RewriteRule .* /application
>
> Let's remove the rewriting as long as we are debugging your original problem.

OK, I've anyway disabled them already since they were not working.

>> # Load Module
>> LoadModule jk_module modules/mod_jk.so
>> # Worker File
>> JkWorkersFile /path to worker file/workers.properties
>> # Where to put the log
>> JkLogFile /path to log file/mod_jk.log
>> # Log level
>> JkLogLevel debug
>> # Select the timestamp log format
>> JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
>> JkMount /* worker1
>>
>> mod_jk worker configuration:
>>
>> # Define 1 real worker using ajp13
>> worker.list=worker1
>> # Set properties for worker1 (ajp13)
>> worker.worker1.type=ajp13
>> worker.worker1.host=chnovmn3.lcsys.ch
>> worker.worker1.port=8009
>> worker.worker1.connection_pool_timeout=60
>> worker.worker1.socket_keepalive=1
>
> The log snippet you provided was parts of the log produced by successful requests, i.e. requests that were forwarded to tomcat and replied stuff. Please do provide the log contents for a request that does not work, i.e. which does show the problem.

I can send you more log files, but I think the problem is more related with the application itself.

The error I receive from apache is 404, which means he can not find the document (which indicates that I've made some configuration mistake).

General question, is it possible to allow access to /* to make the stuff working but restrict access for customers to /application (like you can do it with a directory stanza in apache)?

Thanks and all the best,

Simon
Re: Apache reverse proxy to tomcat application server
On 19.08.2010 21:17, li...@cgi-net.ch wrote:
> On Thu, 19 Aug 2010 20:57:57 +0200, Rainer Jung <rainer.j...@kippdata.de> wrote:
>> On 19.08.2010 20:27, li...@cgi-net.ch wrote:
>>> Hi List,
>>>
>>> I'm running mod_jk on an apache 2.2.14 connecting to a second host, running a tomcat 5 server with a third party application. This application is configured to display some company internal information when accessing the page directly without any subdirectory, like: http://servername/
>>>
>>> A second application part is located under the address http://servername/application - please note, this is not a directory, this is a servlet-mapping made by tomcat (and we can't change the tomcat setup as we would lose support for it).
>>>
>>> My problem is now that I only want to grant access to http://servername/application for external customers through the apache mod_jk setup. But for some reason I have trouble implementing this.
>>
>> How did you try to achieve that?
>>
>> JkMount /application|/* worker1
>
> I tried it with
>
> JkMount /application worker1
>
> and with
>
> JkMount /application* worker1
>
> Quick question, you've written JkMount /application|/, what does the | stand for?

JkMount /application|/* worker1

is a short syntax for the two rules

JkMount /application worker1
JkMount /application/* worker1

>> Is the application deployed on Tomcat using the same context name /application?
>
> Yes

Good.

>> What was the exact result, when you tried that?
>
> Well it displays the login page, but the formatting of the does not work, and when I hit the submit button, nothing is happening. Do you think that it is possible that /application does require / to be accessible as well (both applications coming from the same vendor and are related to each other)?

Aaaah! Yes, it is quite possible that the page contains links to other content that does not reside under /application. Those could be CSS (style sheets) responsible for correct rendering and JS (JavaScript files) responsible for actions when pressing buttons.

You can look at the source code of the login page or use some browser plugin that shows you all links referenced in the page. Some browsers might show you the info out of the box.

>>> The stuff only works if I configure mod_jk to JkMount /* - but with that, also the page http://servername/ is accessible. I've also tried it with Rewrite rules (to make sure everything else than http://servername/application is redirected to this address), etc. but nothing was/is working.
>>
>> Rewriting will not be necessary as long as the context name on Tomcat is /application.
>>
>>> Please find below some information about my setup:
>>>
>>> ###
>>> ### setup information
>>> ###
>>>
>>> mod_jk version: 1.2.30
>>>
>>> mod_jk httpd configuration (that's how it is working, but it will allow access to any application served by the tomcat server):
>>>
>>> # Some URL Redirecting is required
>>> RewriteEngine On
>>> RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
>>> RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
>>> RewriteCond %{REQUEST_URI} !=/application
>>> RewriteRule .* /application
>>
>> Let's remove the rewriting as long as we are debugging your original problem.
>
> OK, I've anyway disabled them already since they were not working.
>
>>> # Load Module
>>> LoadModule jk_module modules/mod_jk.so
>>> # Worker File
>>> JkWorkersFile /path to worker file/workers.properties
>>> # Where to put the log
>>> JkLogFile /path to log file/mod_jk.log
>>> # Log level
>>> JkLogLevel debug
>>> # Select the timestamp log format
>>> JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
>>> JkMount /* worker1
>>>
>>> mod_jk worker configuration:
>>>
>>> # Define 1 real worker using ajp13
>>> worker.list=worker1
>>> # Set properties for worker1 (ajp13)
>>> worker.worker1.type=ajp13
>>> worker.worker1.host=chnovmn3.lcsys.ch
>>> worker.worker1.port=8009
>>> worker.worker1.connection_pool_timeout=60
>>> worker.worker1.socket_keepalive=1
>>
>> The log snippet you provided was parts of the log produced by successful requests, i.e. requests that were forwarded to tomcat and replied stuff. Please do provide the log contents for a request that does not work, i.e. which does show the problem.
>
> I can send you more log files, but I think the problem is more related with the application itself.

Right.

> The error I receive from apache is 404, which means he can not find the document (which indicates that I've made some configuration mistake).

You can look at the Apache access log to check what other resources the browser tries to access. Maybe they are contained in a few other folders or have a few file content suffixes you can add with a couple of additional JkMounts.

> General question, is it possible to allow access to /* to make the stuff working but restrict access for customers to /application (like you can do it with a directory stanza in apache)?

In principle it is possible. The details depend on what customers are (defined by IP or what?) and which URLs precisely need to be public vs. private.

Regards,

Rainer
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
source code is attached; suggestions are welcome.

From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
Sent: Fri 20-Aug-10 12:38 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

Okay, I've a little theory. Could you post the entire code for loginmanager? How is udac declared? If it's a class variable then *IT'S NOT THREAD SAFE*. As a basic rule don't declare class variables in a servlet (there are exceptions to this rule, but you shouldn't under normal circumstances).
Re: Apache reverse proxy to tomcat application server
li...@cgi-net.ch wrote:
> Hi List,
>
> I'm running mod_jk on an apache 2.2.14 connecting to a second host, running a tomcat 5 server with a third party application. This application is configured to display some company internal information when accessing the page directly without any subdirectory, like: http://servername/
>
> A second application part is located under the address http://servername/application - please note, this is not a directory, this is a servlet-mapping made by tomcat (and we can't change the tomcat setup as we would lose support for it).
>
> My problem is now that I only want to grant access to http://servername/application for external customers through the apache mod_jk setup. But for some reason I have trouble implementing this. The stuff only works if I configure mod_jk to JkMount /* - but with that, also the page http://servername/ is accessible. I've also tried it with Rewrite rules (to make sure everything else than http://servername/application is redirected to this address), etc. but nothing was/is working.

Apart from the help Rainer is giving you, I have a suggestion about your setup. But first a question: you seem to be proxying just about everything from Apache httpd to Tomcat. Do you need Apache httpd then? Why not just have Tomcat listen on port 80 and handle everything itself?

If you have some reason anyway to have Apache httpd in front, then here is the suggestion:

- remove all JkMount directives.
- instead, configure Apache httpd as follows:

<Location />
  # here is the stuff that you want only internal users to see.
  # Let's say that all these users have IP addresses in the 192.168.* range
  Order Allow,Deny
  Allow from 192.168.0.0/16
  Deny from all
  # the following is the same as a JkMount * for everything in this location
  SetHandler jakarta-servlet
  ... any other Apache directives ..
</Location>

<Location /application>
  # This is the stuff that everyone can see, so we override the above for this location
  Order Allow,Deny
  Allow from all
  # the following is the same as a JkMount * for everything in this location
  SetHandler jakarta-servlet
  .. any other Apache directives ..
</Location>

That's it. Instead of the allow/deny stuff above, you can use any Apache-level authentication/authorization/access control you want, inside of each Location. AAA will happen *before* the call is forwarded to Tomcat.

You can also exclude some URLs inside each location from being forwarded by mod_jk to Tomcat, by using something like

SetEnvIf REQUEST_URI \.(css|gif|jpg|js)$ no-jk

for example, to have all your images, stylesheets, javascript, .. served directly by Apache (if you want, and if it makes sense in your context).
RE: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
Thanks for your constructive comments. As I mentioned, that bad, bad, bad code is out, no longer in the application... Your comments on my current code tell me that this code is not bad, but I should check out Tomcat's container-managed logins... right? Plus I would like to mention that I have client-side form validations (JS) to stop query busters.

From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thu 19-Aug-10 11:01 PM
To: Tomcat Users List
Subject: Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

Yawar,

I'm marking this as off-topic for /your/ request. I just have some comments for you. Take them or leave them.

On 8/19/2010 11:53 AM, Yawar Saeed Khan/ITG/Karachi wrote:
Ok, let me share my source code with you... my index.jsp page has an HTML form which submits the form data to a servlet called loginmanager. This is the code inside the doPost function:

try {
    userbean user = new userbean(); // userbean is a class that has setter and getter functions for user attributes
    user.setUserId(request.getParameter("txt_userid"));
    user.setPassword(request.getParameter("txt_pass"));
    user = udac.login(user); // udac is a class that has data access functions; login takes a user object, checks its existence in the DB and sets the isValid attribute for that user

Not using Tomcat's container-managed login? Any particular reason why not? It's quite easy to configure and has the added benefit of being properly tested.

    if (user.isValid()) {
        HttpSession session = request.getSession(true);
        session.setAttribute("user_id", user.getUserId());
        session.setAttribute("user_name", user.getName());
        session.setAttribute("role_id", user.getRole());
        session.setAttribute("role_desc", user.getRoleDesc());
        session.setAttribute("last_login", user.getLastLogin());

Why not session.setAttribute("user", user)?

        response.sendRedirect("main.jsp"); //logged-in page

That should be:

        response.sendRedirect(request.getContextPath() + response.encodeRedirectURL("/main.jsp"));

    } else {
        response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page

That should be:

        response.sendRedirect(request.getContextPath() + response.encodeRedirectURL("/index.jsp") + "?user=" + java.net.URLEncoder.encode(String.valueOf(user.isValid()), "UTF-8"));

It always helps to format and encode things properly.

    }
} finally {
    out.close();
}

What is out?

Previously I had tried a simple way; my index.jsp file called itself on form submit. The code below was in index.jsp (no servlet etc.):

//after form is submitted
String query = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
query = query + " AND LOWER(a.USER_ID) = LOWER('" + request.getParameter("txt_userid") + "') AND a.PASSWORD = '" + epass + "'";
boolean hasdata = false;
java.sql.ResultSet rs = connection.executeQuery(query);

Wow: this is a SQL injection attack just waiting to happen. What happens if I submit the txt_userid request parameter as ') OR 1; or, even better, '); DELETE FROM LOGIN_INFORMATION; or some other evil thing? I believe that certain JDBC drivers will not execute more than one query per executeQuery() call, but you can't really count on that. It's easy to use a PreparedStatement and just do it properly: poof! SQL injection attacks are a thing of the past (unless the driver is broken, but they test those things very well).

Also, most SQL databases perform case-insensitive string comparisons, so your LOWER(a.USER_ID) = LOWER(...) can probably be simplified. Note that it also means you likely have case-insensitive passwords (though you haven't shown us what epass is -- it could have been hashed).

while (rs.next()) {
    hasdata = true;
    session.setAttribute("user_id", rs.getString("USER_ID"));
    session.setAttribute("user_name", rs.getString("NAME"));
    session.setAttribute("branch_code", rs.getString("BRANCH_CODE"));
    session.setAttribute("role_id", rs.getString("ROLE_ID"));
    session.setAttribute("role_desc", rs.getString("ROLE_DESC"));
    session.setAttribute("last_login", rs.getString("LAST_LOGIN_DATE"));
    upsql = "UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'";
    int up = connection.executeUpdate("UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = '" + rs.getString("USER_ID") + "'");
    int audit_insrt = InsertAuditEntry("F001",
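The PreparedStatement rewrite Chris asks for, as an added example (not the poster's or Chris's code): the same LOGIN_INFORMATION / ROLES lookup with bound parameters instead of concatenation, the LAST_LOGIN_DATE update bound the same way, and the redirect built from the context path plus encodeRedirectURL as suggested above. It assumes a JDBC Connection and that epass is already the stored form of the password; the class and method names are my own.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hardened login lookup (example code, not the thread's loginmanager / udac). */
public final class LoginLookup {

    // Placeholders (?) carry the user-supplied values as data, so quotes and
    // semicolons in txt_userid can never change the statement's structure.
    private static final String LOGIN_SQL =
        "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC"
      + " FROM LOGIN_INFORMATION a, ROLES b"
      + " WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID"
      + " AND LOWER(a.USER_ID) = LOWER(?) AND a.PASSWORD = ?";

    private static final String TOUCH_SQL =
        "UPDATE LOGIN_INFORMATION SET LAST_LOGIN_DATE = SYSDATE WHERE USER_ID = ?";

    /**
     * Returns true and fills the session when the credentials match an active user.
     * epass is assumed to be the stored (hashed) password form, computed by the caller.
     */
    public static boolean login(Connection connection, HttpSession session,
                                String userId, String epass) throws SQLException {
        if (userId == null || epass == null) {
            return false;                          // a missing parameter never matches
        }
        try (PreparedStatement ps = connection.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, userId);               // bound, never concatenated
            ps.setString(2, epass);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;
                }
                String canonicalId = rs.getString("USER_ID");
                session.setAttribute("user_id", canonicalId);
                session.setAttribute("user_name", rs.getString("NAME"));
                session.setAttribute("branch_code", rs.getString("BRANCH_CODE"));
                session.setAttribute("role_id", rs.getString("ROLE_ID"));
                session.setAttribute("role_desc", rs.getString("ROLE_DESC"));
                session.setAttribute("last_login", rs.getString("LAST_LOGIN_DATE"));
                // The id came back from the database, but it is still bound rather
                // than spliced into the UPDATE: the same discipline everywhere.
                try (PreparedStatement touch = connection.prepareStatement(TOUCH_SQL)) {
                    touch.setString(1, canonicalId);
                    touch.executeUpdate();
                }
                return true;
            }
        }
    }

    /** Redirect built the way the thread recommends: context path + encoded in-app URL. */
    public static void redirectAfterLogin(HttpServletRequest request,
                                          HttpServletResponse response,
                                          boolean valid) throws IOException {
        String target = valid
            ? "/main.jsp"
            : "/index.jsp?user=" + URLEncoder.encode(String.valueOf(valid), "UTF-8");
        response.sendRedirect(request.getContextPath() + response.encodeRedirectURL(target));
    }
}
```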
Re: Apache reverse proxy to tomcat application server
On Thu, 19 Aug 2010 21:28:25 +0200, Rainer Jung rainer.j...@kippdata.de wrote:
On 19.08.2010 21:17, li...@cgi-net.ch wrote:
On Thu, 19 Aug 2010 20:57:57 +0200, Rainer Jung rainer.j...@kippdata.de wrote:
On 19.08.2010 20:27, li...@cgi-net.ch wrote:

Hi List,

I'm running mod_jk on an Apache 2.2.14 connecting to a second host running a Tomcat 5 server with a third-party application. This application is configured to display some company-internal information when accessing the page directly without any subdirectory, like: http://servername/

A second application part is located under the address http://servername/application - please note, this is not a directory, this is a servlet mapping made by Tomcat (and we can't change the Tomcat setup as we would lose support for it).

My problem is now that I only want to grant access to http://servername/application for external customers through the Apache mod_jk setup. But for some reason I have trouble implementing this.

How did you try to achieve that?

JkMount /application|/* worker1

I tried it with JkMount /application worker1 and with JkMount /application* worker1

Quick question: you've written JkMount /application|/*, what does the | stand for?

JkMount /application|/* worker1 is a short syntax for the two rules

JkMount /application worker1
JkMount /application/* worker1

Thanks for that hint, might be useful for further work.

Is the application deployed on Tomcat using the same context name /application?

Yes

Good. What was the exact result when you tried that?

Well, it displays the login page, but the formatting of the page does not work, and when I hit the submit button, nothing is happening. Do you think that it is possible that /application requires / to be accessible as well (both applications come from the same vendor and are related to each other)?

Aaaah! Yes, it is quite possible that the page contains links to other content that does not reside under /application.

Those could be CSS (style sheets) responsible for correct rendering and JS (JavaScript files) responsible for actions when pressing buttons. You can look at the source code of the login page or use some browser plugin that shows you all links referenced in the page. Some browsers might show you the info out of the box.

OK, I'll need to check that - please note that this will require some time.

The stuff only works if I configure mod_jk to JkMount /* - but with that, also the page http://servername/ is accessible. I've also tried it with Rewrite rules (to make sure everything other than http://servername/application is redirected to this address), etc. but nothing was/is working.

Rewriting will not be necessary as long as the context name on Tomcat is /application.

Please find below some information about my setup:

###
### setup information
###

mod_jk version: 1.2.30

mod_jk httpd configuration (that's how it is working, but it will allow access to any application served by the Tomcat server):

# Some URL Redirecting is required
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
RewriteCond %{REQUEST_URI} !=/application
RewriteRule .* /application

Let's remove the rewriting as long as we are debugging your original problem.

OK, I've anyway disabled them already since they were not working.

# Load Module
LoadModule jk_module modules/mod_jk.so
# Worker File
JkWorkersFile /path to worker file/workers.properties
# Where to put the log
JkLogFile /path to log file/mod_jk.log
# Log level
JkLogLevel debug
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
JkMount /* worker1

mod_jk worker configuration:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=chnovmn3.lcsys.ch
worker.worker1.port=8009
worker.worker1.connection_pool_timeout=60
worker.worker1.socket_keepalive=1

The log snippet you provided was part of the log produced by successful requests, i.e. requests that were forwarded to Tomcat and replied stuff. Please do provide the log contents for a request that does not work, i.e. which does show the problem.

I can send you more log files, but I think the problem is more related to the application itself.

Right.

The error I receive from Apache is 404, which means it cannot find the document (which indicates that I've made some configuration mistake).

You can look at the Apache access log to check what other resources the browser tries to access. Maybe they are contained in a few other folders or have a few file content suffixes you can add with a couple of additional JkMounts.

As soon as I've checked the source code of the page, I'll try to go with this solution. Hope it works.

General question, is it possible to allow access to /* to make
Re: Is there a better way to disable JSESSIONID in the URLs?
On Thu, Aug 19, 2010 at 6:25 PM, Len Popp len.p...@gmail.com wrote: On Thu, Aug 19, 2010 at 12:01, Christopher Schultz ch...@christopherschultz.net wrote: The servlet specification mandates this behavior. Tomcat simply must support it. The spec says nothing of configurability, so Tomcat does not provide any. Hence the need to write a filter to achieve your desired behavior. That's not inviolable dogma. Tomcat does have some settings that make it operate out-of-spec, e.g. non-standard cookie parsing. I don't see why an option couldn't be added to disable JSESSIONID in URLs, if enough people would find it useful. -- Len Is there anywhere we could vote for such a feature? I know Resin has it as I've stated before.
Re: Apache reverse proxy to tomcat application server
On Thu, 19 Aug 2010 21:35:40 +0200, li...@cgi-net.ch wrote:
On Thu, 19 Aug 2010 21:28:25 +0200, Rainer Jung rainer.j...@kippdata.de wrote:
On 19.08.2010 21:17, li...@cgi-net.ch wrote:
On Thu, 19 Aug 2010 20:57:57 +0200, Rainer Jung rainer.j...@kippdata.de wrote:
On 19.08.2010 20:27, li...@cgi-net.ch wrote:

Hi List,

I'm running mod_jk on an Apache 2.2.14 connecting to a second host running a Tomcat 5 server with a third-party application. This application is configured to display some company-internal information when accessing the page directly without any subdirectory, like: http://servername/

A second application part is located under the address http://servername/application - please note, this is not a directory, this is a servlet mapping made by Tomcat (and we can't change the Tomcat setup as we would lose support for it).

My problem is now that I only want to grant access to http://servername/application for external customers through the Apache mod_jk setup. But for some reason I have trouble implementing this.

How did you try to achieve that?

JkMount /application|/* worker1

I tried it with JkMount /application worker1 and with JkMount /application* worker1

Quick question: you've written JkMount /application|/*, what does the | stand for?

JkMount /application|/* worker1 is a short syntax for the two rules

JkMount /application worker1
JkMount /application/* worker1

Thanks for that hint, might be useful for further work.

Is the application deployed on Tomcat using the same context name /application?

Yes

Good. What was the exact result when you tried that?

Well, it displays the login page, but the formatting of the page does not work, and when I hit the submit button, nothing is happening. Do you think that it is possible that /application requires / to be accessible as well (both applications come from the same vendor and are related to each other)?

Aaaah! Yes, it is quite possible that the page contains links to other content that does not reside under /application.

Those could be CSS (style sheets) responsible for correct rendering and JS (JavaScript files) responsible for actions when pressing buttons. You can look at the source code of the login page or use some browser plugin that shows you all links referenced in the page. Some browsers might show you the info out of the box.

OK, I'll need to check that - please note that this will require some time.

You were right, there were *.js files which the application is/was sharing between / and /application. With JkMount /*.js worker1 everything is working now - except some pictures, but this is fine (can do the same for them too).

The stuff only works if I configure mod_jk to JkMount /* - but with that, also the page http://servername/ is accessible. I've also tried it with Rewrite rules (to make sure everything other than http://servername/application is redirected to this address), etc. but nothing was/is working.

Rewriting will not be necessary as long as the context name on Tomcat is /application.

Please find below some information about my setup:

###
### setup information
###

mod_jk version: 1.2.30

mod_jk httpd configuration (that's how it is working, but it will allow access to any application served by the Tomcat server):

# Some URL Redirecting is required
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -d [OR]
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
RewriteCond %{REQUEST_URI} !=/application
RewriteRule .* /application

Let's remove the rewriting as long as we are debugging your original problem.

OK, I've anyway disabled them already since they were not working.

# Load Module
LoadModule jk_module modules/mod_jk.so
# Worker File
JkWorkersFile /path to worker file/workers.properties
# Where to put the log
JkLogFile /path to log file/mod_jk.log
# Log level
JkLogLevel debug
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
JkMount /* worker1

mod_jk worker configuration:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=chnovmn3.lcsys.ch
worker.worker1.port=8009
worker.worker1.connection_pool_timeout=60
worker.worker1.socket_keepalive=1

The log snippet you provided was part of the log produced by successful requests, i.e. requests that were forwarded to Tomcat and replied stuff. Please do provide the log contents for a request that does not work, i.e. which does show the problem.

I can send you more log files, but I think the problem is more related to the application itself.

Right.

The error I receive from Apache is 404, which means it cannot find the document (which indicates that I've made some configuration mistake).

You can look at the Apache access log to check what other resources the browser tries to access.
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Sorry, can't see it. Are you sure you attached it? You could use something like pastebin if the mailing list does accept attachments.

On Thu, Aug 19, 2010 at 9:27 PM, Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk wrote:
source code is attached; suggestions are welcome.

From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
Sent: Fri 20-Aug-10 12:38 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

Okay, I've a little theory. Could you post the entire code for loginmanager? How is udac declared? If it's a class variable then *IT'S NOT THREAD SAFE*. As a basic rule, don't declare class variables in a servlet (there are exceptions to this rule, but you shouldn't under normal circumstances).
Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
Client-side validation is for convenience and user feedback. Server-side validation is still required. Nothing requires a user to use a browser, or to not use extensions like Fiddler or Tamper to play with the information once it's passed your validation scripts.

. . . just my two cents.

/mde/

----- Original Message -----
From: Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk
To: Tomcat Users List users@tomcat.apache.org
Sent: Thu, August 19, 2010 12:27:08 PM
Subject: RE: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

Thanks for your constructive comments. As I mentioned, that bad, bad, bad code is out, no longer in the application... Your comments on my current code tell me that this code is not bad, but I should check out Tomcat's container-managed logins... right? Plus I would like to mention that I have client-side form validations (JS) to stop query busters.
Re: Apache reverse proxy to tomcat application server
On Thu, 19 Aug 2010 21:33:24 +0200, André Warnier a...@ice-sa.com wrote:
li...@cgi-net.ch wrote:

Hi List,

I'm running mod_jk on an Apache 2.2.14 connecting to a second host running a Tomcat 5 server with a third-party application. This application is configured to display some company-internal information when accessing the page directly without any subdirectory, like: http://servername/

A second application part is located under the address http://servername/application - please note, this is not a directory, this is a servlet mapping made by Tomcat (and we can't change the Tomcat setup as we would lose support for it).

My problem is now that I only want to grant access to http://servername/application for external customers through the Apache mod_jk setup. But for some reason I have trouble implementing this.

The stuff only works if I configure mod_jk to JkMount /* - but with that, also the page http://servername/ is accessible. I've also tried it with Rewrite rules (to make sure everything other than http://servername/application is redirected to this address), etc. but nothing was/is working.

Apart from the help Rainer is giving you, I have a suggestion about your setup. But first a question: you seem to be proxying just about everything from Apache httpd to Tomcat. Do you need Apache httpd then? Why not just have Tomcat listen on port 80 and handle everything itself?

Sharing / was only done to check if it works that way. I need the reverse proxy because the Tomcat application server is located in the intranet, and customers from outside should not access this server directly. That's why we use a reverse proxy - which of course is located in a secure DMZ.

If you have some reason anyway to have Apache httpd in front, then here is the suggestion:

- remove all JkMount directives.
- instead, configure Apache httpd as follows:

<Location />
  # here is the stuff that you want only internal users to see.
  # Let's say that all these users have IP addresses in the 192.168.* range
  Order Allow,Deny
  Allow from 192.168.0.0/16
  Deny from all
  # the following is the same as a JkMount * for everything in this location
  SetHandler jakarta-servlet
  ... any other Apache directives ..
</Location>

<Location /application>
  # This is the stuff that everyone can see, so we override the above for this location
  Order Allow,Deny
  Allow from all
  # the following is the same as a JkMount * for everything in this location
  SetHandler jakarta-servlet
  .. any other Apache directives ..
</Location>

That's it. Instead of the allow/deny stuff above, you can use any Apache-level authentication/authorization/access control you want, inside of each Location. AAA will happen *before* the call is forwarded to Tomcat.

You can also exclude some URLs inside each location from being forwarded by mod_jk to Tomcat, by using something like

SetEnvIf REQUEST_URI \.(css|gif|jpg|js)$ no-jk

for example, to have all your images, stylesheets, javascript, .. served directly by Apache (if you want, and if it makes sense in your context).

Thanks for that idea, I was already thinking about something like that. Since I have resolved the first issue now, I should be able to move forward and try this.

Thanks and all the best,
Simon
tomcat mutual authentication doesn't work
Hi All,

I am trying to set up mutual authentication for an app in the tomcat/webapps/ folder. I have done the following to create a trust store for Tomcat 6.0 to use: I created the keystore and truststore too. The keystore has a PrivateKeyEntry and the truststore has a trustedCertEntry.

Here is my server.xml config:

<Connector port="8443" enableLookups="true" acceptCount="100" connectionTimeout="2"
           useURIValidationHack="false" disableUploadTimeout="true"
           scheme="https" secure="true" SSLEnabled="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="C:/Apache Software Foundation/Tomcat 6.0/conf/tomcat.keystore" keystorePass="server"
           truststoreFile="C:/Apache Software Foundation/Tomcat 6.0/conf/tmp/tomcat.truststore" truststorePass="client"/>

Here is my /tomcat/conf/web.xml config:

<web-app>
..
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
.
</web-app>

My Tomcat HTTPS port is 8443 (https://localhost:8443/myapp). When I try to access it using Firefox, it gives me the following error:

SSL peer cannot verify your certificate (Error code: ssl_error_bad_cert_alert)

This is after I imported the server certificate and have the client certificate (the same as the one in the truststore) installed in my Firefox. If I change to clientAuth="false", it works fine, with just server authentication.. it doesn't care whether the client has a certificate or not.

Can someone please help? I have read so many articles online but this seems to be the gist of most of the articles. Do I have to create any roles and/or change tomcat-users.xml too? Please help. I need to get this working!! :-((
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Yea, I did attach a .java file; anyway, I am posting the code here:

package org.mcb.services;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 *
 * @author yawar.saeed
 */
public class loginmanager extends HttpServlet {

    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=iso-8859-1");
        PrintWriter out = response.getWriter();
        try {
            userbean user = new userbean();
            user.setUserId(request.getParameter("txt_userid"));
            user.setPassword(request.getParameter("txt_pass"));
            user = udac.login(user);
            if (user.isValid()) {
                HttpSession session = request.getSession(true);
                session.setAttribute("user_id", user.getUserId());
                session.setAttribute("user_name", user.getName());
                session.setAttribute("role_id", user.getRole());
                session.setAttribute("role_desc", user.getRoleDesc());
                session.setAttribute("last_login", user.getLastLogin());
                //response.sendRedirect("main.jsp"); //logged-in page
                response.sendRedirect(response.encodeRedirectURL("main.jsp"));
            } else {
                // response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
                response.sendRedirect(response.encodeRedirectURL("index.jsp?user=" + user.isValid())); //revert back to login page
            }
        } finally {
            out.close();
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }
}
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Maybe its just be but I still don't see where uadc is declared or even imported. On Thu, Aug 19, 2010 at 10:26 PM, Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk wrote: yea I did attach a .java file, anyways I am posting the code here; package org.mcb.services; import java.io.IOException; import java.io.PrintWriter; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; /** * * @author yawar.saeed */ public class loginmanager extends HttpServlet { protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType(text/html;charset=iso-8859-1); PrintWriter out = response.getWriter(); try { userbean user = new userbean(); user.setUserId(request.getParameter(txt_userid)); user.setPassword(request.getParameter(txt_pass)); user = udac.login(user); if (user.isValid()){ HttpSession session = request.getSession(true); session.setAttribute(user_id,user.getUserId()); session.setAttribute(user_name,user.getName()); session.setAttribute(role_id,user.getRole()); session.setAttribute(role_desc, user.getRoleDesc()); session.setAttribute(last_login, user.getLastLogin()); //response.sendRedirect(main.jsp); //logged-in page response.sendRedirect(response.encodeRedirectURL(main.jsp)); }else{ // response.sendRedirect(index.jsp?user=+user.isValid()); //revert back to login page response.sendRedirect(response.encodeRedirectURL(index.jsp?user=+user.isValid())); //revert back to login page } } finally { out.close(); } } @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { processRequest(request, response); } @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { processRequest(request, response); } } 
From: Wesley Acheson [mailto:wesley.ache...@gmail.com] Sent: Fri 20-Aug-10 1:56 AM To: Tomcat Users List Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux Sorry can't see it. Are you sure you attached it? you could use something like pastebin if the mail list does accept attachments On Thu, Aug 19, 2010 at 9:27 PM, Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk wrote: source code is attached; suggestions are welcome. From: Wesley Acheson [mailto:wesley.ache...@gmail.com] Sent: Fri 20-Aug-10 12:38 AM To: Tomcat Users List Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux Okay I've a little tehory could you post the entire code for loginmanager. How is udac declared? If its a class variable then *ITS NOT THREAD SAFE*. As a basic rule don't declare class variables in a servlet (There are exceptions to this rule but you shouldn't under normal circumstances) This E-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. MCB Bank does not accept liability for any errors or omissions. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This E-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. MCB Bank does not accept liability for any errors or omissions. 
Re: Tomcat 5.5 Trust Stores and Client Authentication
Did you finally figure out how to fix this issue? I am having the same issue today. Can you please help, if you happen to look at this? The only change is I am using Tomcat 6.0. Thanks much.

-A

Ron Perkins-2 wrote:

Hi All, I have done the following to create a Trust Store for Tomcat to use:

Created a keystore with new certificate:

    keytool -genkey -alias mycert -keyalg RSA -keypass changeit -keystore keystore.jks -storepass changeit

Exported certificate:

    keytool -export -alias mycert -file mycert.cer -keystore keystore.jks -storepass changeit

Imported certificate into trust store:

    keytool -import -v -trustcacerts -alias mycert -keypass changeit -file mycert.cer -keystore cacerts.jks -storepass changeit

Added the following Connector into server.xml to allow Client Authentication:

    <Connector port="443" scheme="https" secure="true"
               keystoreFile="C:/keystore.jks" keystorePass="changeit" keystoreType="JKS" keyAlias="mykey"
               truststoreFile="C:/cacerts.jks" truststorePass="changeit" truststoreType="JKS"
               sslProtocol="TLS" maxSpareThreads="75" maxThreads="350" uRIEncoding="UTF-8" minSpareThreads="25"
               clientAuth="true"></Connector>

After starting Tomcat up, using netstat I can see that port 443 is listening. When using IE to test the connection to the https default page I get IE's "no communication" web page displayed. If I use Firefox this gives me the following error:

    SSL peer cannot verify your certificate (Error code: ssl_error_bad_cert_alert)

I was expecting a message to say that the client needs a client certificate? I then installed the client certificate mycert.cer into the client browsers, but this has no effect and I still receive the same error messages. To check that I have SSL correctly installed, if I change clientAuth="true" to clientAuth="false" then the default Tomcat web page is displayed within the browsers. What have I done wrong? I am thinking that it is the way that I have created the Trust store that is the problem? Thanks for any help in advance...
Re: tomcat mutual authentication doesn't work
On 19.8.2010 22:35, aravidu wrote: I created the keystore and truststore too. keystore has a PrivateKeyEntry and truststore has a trustedCertEntry.

Are those self-signed certificates? Could you provide the exact commands you used to create them?

I believe you must have one key pair for the server, and one key pair for every client. In other words, at least two key pairs, in the case you are describing, where there is only one client. Let those keys be called ServerPublic, ServerPrivate, ClientPublic and ClientPrivate. You should:

1. generate ServerPublic+ServerPrivate in the tomcat.keystore file,
2. generate ClientPublic+ClientPrivate in, say, a client.keystore file,
3. import ClientPublic into tomcat.truststore, and
4. import ClientPublic+ClientPrivate (usually in the form of a pkcs12 file) into Firefox (Your certificates tab inside the certificate manager).
5. import ServerPublic into Firefox

Something like this:

1. keytool -genkeypair -keystore tomcat.keystore ...
2. keytool -genkeypair -keystore client.keystore ...
3a. keytool -exportcert -keystore client.keystore -file client.cert ...
3b. keytool -importcert -keystore server.truststore -file client.cert ...
4a. convert client.keystore to client.pkcs12 (google for that)
4b. Firefox, Tools, Options, Advanced, View Certificates, Your certificates, Import, client.pkcs12
5. Point Firefox to the webapp, add a security exception.

Regards, Ognjen
Re: JNDI: LDAPv3 with StartTLS
Rainer Jung rainer.j...@kippdata.de wrote:

On 19.08.2010 18:55, Igor Galić wrote: Use it as you like. As Rainer has hinted, the apache wiki would be a good place for documentation :)

Excellent. Thank you very much, will do that.

URL: http://wiki.apache.org/tomcat/ :)

Done: http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo

Feedback very welcome.

bye, i

-- Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
Yawar,

On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote: your comments on my current code tell me that this code is not bad, but I should check out Tomcat's container-managed logins... right?

This code seems to be doing more work than necessary. Container-managed authentication and authorization is a useful service provided by the container. I highly recommend taking a look at using it, but it may be ... disruptive to your existing workflows.

plus I would like to mention that I have client-side form validations (js) to stop query busters.

I'm sure that hackers will be sure to leave javascript enabled when they visit your site.

-chris
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Wesley,

On 8/19/2010 5:04 PM, Wesley Acheson wrote: Maybe it's just me but I still don't see where uadc is declared or even imported.

...or even used. I'm guessing that the bad code exists outside of this login servlet.

-chris
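Wesley's rule (request state kept in a servlet field is shared by every concurrent request) and Chris's guess that the offending code sits outside the servlet point at the same mechanism, so here is an added example, not code from the thread, that reproduces the mix-up with plain JDK threads: a hypothetical login handler that keeps the current user in a field, beside the same handler with a local variable. The Thread.sleep() stands in for the udac.login() database round trip; handler and method names are invented for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

/** Hypothetical reproduction of a session mix-up caused by request state in a shared field. */
public class ServletFieldRace {

    /** Broken pattern: one handler instance (like one servlet instance) serves many threads. */
    static class SharedFieldHandler {
        private String currentUser;          // shared by every concurrent request: NOT thread safe

        String handle(String userId) throws InterruptedException {
            currentUser = userId;            // request A stores its user...
            Thread.sleep(5);                 // ...waits on the database; request B overwrites the field...
            return currentUser;              // ...and request A builds its session from B's identity
        }
    }

    /** Fixed pattern: everything request-specific lives in locals (or in the request/session). */
    static class LocalStateHandler {
        String handle(String userId) throws InterruptedException {
            String currentUser = userId;     // on this thread's stack only, invisible to other requests
            Thread.sleep(5);
            return currentUser;
        }
    }

    /** Pushes N concurrent "logins" through a single handler and counts requests that got a foreign user. */
    static int countMixups(boolean useSharedField, int requests) throws Exception {
        SharedFieldHandler shared = new SharedFieldHandler();
        LocalStateHandler local = new LocalStateHandler();
        ExecutorService pool = Executors.newFixedThreadPool(requests);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            final String me = "user" + i;    // constructed sample user id
            results.add(pool.submit(() -> {
                String got = useSharedField ? shared.handle(me) : local.handle(me);
                return !me.equals(got);      // true = this request was handed someone else's identity
            }));
        }
        int mixups = 0;
        for (Future<Boolean> f : results) if (f.get()) mixups++;
        pool.shutdown();
        return mixups;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared field   mix-ups: " + countMixups(true, 50));  // nearly always > 0
        System.out.println("local variable mix-ups: " + countMixups(false, 50)); // always 0
    }
}
```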
Re: tomcat mutual authentication doesn't work
Thank you so much for your response!! To answer your questions:

1. Yes, they are self-signed certificates.
2. Yes, I am dealing with only one client. I am using Firefox.

Here is the tomcat.keystore entry: (I believe this will be my ServerPrivateKey)

    keytool -list -keystore tomcat.keystore
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    tomcat, Aug 15, 2010, PrivateKeyEntry,
    Certificate fingerprint (MD5): 56:E0:24:CC:7F:45:6F:C5:F2:07:D0:5C:27:33:04:18

Here is the tomcat.keystore entry: (I believe this will be my ClientPublicKey)

    keytool -list -keystore tomcat.truststore
    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    clientcert, Aug 19, 2010, trustedCertEntry,
    Certificate fingerprint (MD5): 11:7F:F8:FF:3B:85:CD:A0:72:5C:1B:52:D4:C4:29:E6

I have not worked with SSL before, so I am a bit new to this. See the difference in these two: keystore has PrivateKeyEntry and truststore has trustedCertEntry. I don't have a client.keystore. Commands I used for creating a truststore and adding keys to it:

    keytool -export -alias clientcert -file client-cert.cer -keystore tomcat.truststore
    keytool -import -file client-cert.cer -alias clientcert -keystore tomcat.truststore

I already had a preloaded tomcat.keystore to begin with. So, I did not change that. Before making the server request, I went to Firefox -> Options -> Advanced -> View Certificates -> Import -> client-cert.cer. Then, made a server request. First time, the server produces its certificate and I add the exception (install it into my browser). Upon completion, I see this error:

    SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert)

Let me know if this doesn't make sense.

Regards, Aravind.

Ognjen Blagojevic-5 wrote:

On 19.8.2010 22:35, aravidu wrote: I created the keystore and truststore too. keystore has a PrivateKeyEntry and truststore has a trustedCertEntry.

Are those self-signed certificates? Could you provide the exact commands you used to create them?

I believe you must have one key pair for the server, and one key pair for every client. In other words, at least two key pairs, in the case you are describing, where there is only one client. Let those keys be called ServerPublic, ServerPrivate, ClientPublic and ClientPrivate. You should:

1. generate ServerPublic+ServerPrivate in the tomcat.keystore file,
2. generate ClientPublic+ClientPrivate in, say, a client.keystore file,
3. import ClientPublic into tomcat.truststore, and
4. import ClientPublic+ClientPrivate (usually in the form of a pkcs12 file) into Firefox (Your certificates tab inside the certificate manager).
5. import ServerPublic into Firefox

Something like this:

1. keytool -genkeypair -keystore tomcat.keystore ...
2. keytool -genkeypair -keystore client.keystore ...
3a. keytool -exportcert -keystore client.keystore -file client.cert ...
3b. keytool -importcert -keystore server.truststore -file client.cert ...
4a. convert client.keystore to client.pkcs12 (google for that)
4b. Firefox, Tools, Options, Advanced, View Certificates, Your certificates, Import, client.pkcs12
5. Point Firefox to the webapp, add a security exception.

Regards, Ognjen
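Both this thread and Ron's client-authentication thread above end in Firefox's ssl_error_bad_cert_alert, and in both the browser side was given only a certificate, never a private key, which is the distinction Ognjen's steps 2 to 4 draw. The following is an added check, not code from either thread, that loads the client PKCS12 that Ognjen's step 4a produces and Tomcat's truststore with the java.security.KeyStore API and reports which half of the mutual-TLS setup is missing; the file names client.pkcs12 and tomcat.truststore come from the thread, and the password changeit is assumed from Ron's commands.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Diagnoses a single-client mutual-TLS setup: browser-side PKCS12 versus Tomcat truststore. */
public class MutualTlsCheck {

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    /** Firefox can only answer the server's CertificateRequest with an entry that carries a private key. */
    static List<Certificate> clientIdentities(KeyStore clientStore) throws Exception {
        List<Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(clientStore.aliases()))
            if (clientStore.isKeyEntry(alias)) certs.add(clientStore.getCertificate(alias));
        return certs;                        // empty when the file holds only trustedCertEntry items
    }

    /** For the self-signed client certificate in this thread, trust means the very same certificate
     *  sits in the truststore; a CA-issued client certificate would instead need its issuer there. */
    static boolean trustedBy(KeyStore trustStore, Certificate clientCert) throws Exception {
        for (String alias : Collections.list(trustStore.aliases())) {
            Certificate trusted = trustStore.getCertificate(alias);
            if (trusted != null && trusted.equals(clientCert)) return true;   // compares DER encodings
        }
        return false;
    }

    static String diagnose(KeyStore clientStore, KeyStore trustStore) throws Exception {
        List<Certificate> ids = clientIdentities(clientStore);
        if (ids.isEmpty())
            return "client store has no PrivateKeyEntry: the browser cannot present a certificate (bad_cert_alert)";
        for (Certificate c : ids)
            if (trustedBy(trustStore, c)) return "OK: the client's certificate is in the server truststore";
        return "client has a key pair, but its certificate is not in the server truststore (bad_cert_alert)";
    }

    public static void main(String[] args) throws Exception {
        // Usage: java MutualTlsCheck client.pkcs12 tomcat.truststore [password]
        String clientPath = args.length > 0 ? args[0] : "client.pkcs12";
        String trustPath = args.length > 1 ? args[1] : "tomcat.truststore";
        char[] pw = (args.length > 2 ? args[2] : "changeit").toCharArray();   // assumed default
        System.out.println(diagnose(load(clientPath, "PKCS12", pw), load(trustPath, "JKS", pw)));
    }
}
```

Run against Aravind's files it reports the first message, since client-cert.cer imported under "Import" (not "Your certificates") carries no private key; the fix is Ognjen's steps 2 and 4.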