Re: Can't Connect to Apache.org Network
On 6/12/2018 3:33 PM, Olaf Kock wrote: On 12.06.2018 23:33, Igal Sapir wrote: Perhaps it to revisit the thresholds that trigger warnings/bans. The Tomcat SVN repo might be much larger today than it was when those were last examined and set. You might want to start at https://github.com/apache/tomcat instead of pulling down SVN commit by commit. If only for speed. Unless you want to commit back to svn, that is. (well - I haven't checked if that git mirror contains the SVN metadata - you'd be lucky if it does) Yes, I need to be able to commit back to SVN on the different branches (pulling only the trunk was manageable). Thanks, Igal - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Can't Connect to Apache.org Network
On 12.06.2018 23:33, Igal Sapir wrote: Perhaps it to revisit the thresholds that trigger warnings/bans. The Tomcat SVN repo might be much larger today than it was when those were last examined and set. You might want to start at https://github.com/apache/tomcat instead of pulling down SVN commit by commit. If only for speed. Unless you want to commit back to svn, that is. (well - I haven't checked if that git mirror contains the SVN metadata - you'd be lucky if it does) Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Can't Connect to Apache.org Network
Update: On 6/12/2018 11:55 AM, Igal Sapir wrote: According to Mark in that thread [1], there is a daily threshold and if you exceed it you get a warning. "If you trigger three warnings in a period" you get banned for a long term (weeks). I did not see any warnings. The process failed with "error: git-svn died of signal 11", and seeing no other messages I simply tried it again, and then again, making it "three times". @Mark - is it possible to unban the IP or do I need to find a way to get a new IP address? I should have a new IP address soon, so hopefully that part will be taken care of. Perhaps it to revisit the thresholds that trigger warnings/bans. The Tomcat SVN repo might be much larger today than it was when those were last examined and set. Also, a ban of a few days can be as effective as a few weeks, yet less intrusive in case of a false positive as happened here. Thanks, Igal [1] https://issues.apache.org/jira/browse/INFRA-10509 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Can't Connect to Apache.org Network
On 6/12/2018 11:41 AM, Igal Sapir wrote: The last thing I was trying to do was a complete SVN pull with 'git svn clone' of Tomcat, which failed mid-process with 'error: git-svn died of signal 11'. A google search shows results with the title "[INFRA-10509] Can't connect to SVN - banned? - ASF ... - Apache issues" for https://issues.apache.org/jira/browse/INFRA-10509 but ironically I can view that page due to the issue described in this post (I will look it up through my cellular device). OK, perhaps I should have checked that link above on my cell phone before sending the message (I had a typo there, should read [I can /not/ view that page]. According to Mark in that thread [1], there is a daily threshold and if you exceed it you get a warning. "If you trigger three warnings in a period" you get banned for a long term (weeks). I did not see any warnings. The process failed with "error: git-svn died of signal 11", and seeing no other messages I simply tried it again, and then again, making it "three times". @Mark - is it possible to unban the IP or do I need to find a way to get a new IP address? Thanks, Igal [1] https://issues.apache.org/jira/browse/INFRA-10509 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Can't Connect to Apache.org Network
Hi all, I am experiencing a weird network issue and as of ~48 hours ago I can not connect to the Apache.org network. I am connected via AT Fiber and spent half the day on the phone with them in vain. Unfortunately it is not simple to get a new IP from AT (even though it is supposedly a dynamic address). I have multiple machines with different operating systems and they all fail to connect (same outbound IP), so this is not an issue with my workstation. When I try to connect from a different location (via a different ISP) I can connect with no issue. The only solution I can think of ATM is to get a VPN service, but I rather find a more permanent solution. The last thing I was trying to do was a complete SVN pull with 'git svn clone' of Tomcat, which failed mid-process with 'error: git-svn died of signal 11'. A google search shows results with the title "[INFRA-10509] Can't connect to SVN - banned? - ASF ... - Apache issues" for https://issues.apache.org/jira/browse/INFRA-10509 but ironically I can view that page due to the issue described in this post (I will look it up through my cellular device). Any ideas are welcomed. I include a couple of TraceRoute samples below. In the first one, to svn.apache.org, notice that hop 12 is the destination IP. WEIRD. > tracert svn.apache.org Tracing route to svn.apache.org [209.188.14.144] over a maximum of 30 hops: 1 <1 ms <1 ms <1 ms 192.168.254.254 2 6 ms 7 ms 5 ms 107-216-140-1.lightspeed.irvnca.sbcglobal.net [107.216.140.1] 3 4 ms 3 ms 3 ms 64.148.105.186 4 * * * Request timed out. 5 12 ms 5 ms 6 ms 12.83.38.217 6 6 ms 6 ms 6 ms ggr2.la2ca.ip.att.net [12.122.128.101] 7 * * * Request timed out. 8 * * * Request timed out. 9 25 ms 25 ms 25 ms PHOENIX-NAP.bear1.Phoenix1.Level3.net [4.14.71.174] 10 25 ms 24 ms 25 ms 108.170.0.29 11 * * * Request timed out. 12 25 ms 25 ms 25 ms 209.188.14.144 13 * * * Request timed out. 14 * * * Request timed out. 15 * * * Request timed out. 16 * * * Request timed out. 17 * * * Request timed out. 18 * * * Request timed out. 19 * * * Request timed out. 20 * * * Request timed out. 21 * * * Request timed out. 22 * * * Request timed out. 23 * * * Request timed out. 24 * * * Request timed out. 25 * * * Request timed out. 26 * * * Request timed out. 27 * * * Request timed out. 28 * * * Request timed out. 29 * * * Request timed out. 30 * * * Request timed out. Trace complete. > tracert tomcat.apache.org Tracing route to tomcat.apache.org [40.79.78.1] over a maximum of 30 hops: 1 <1 ms 1 ms 1 ms 192.168.254.254 2 4 ms 4 ms 3 ms 107-216-140-1.lightspeed.irvnca.sbcglobal.net [107.216.140.1] 3 3 ms 4 ms 3 ms 64.148.105.186 4 * * * Request timed out. 5 11 ms 12 ms 9 ms 12.83.38.221 6 6 ms 5 ms 5 ms gar2.la2ca.ip.att.net [12.122.128.133] 7 6 ms 5 ms 6 ms 12.245.156.22 8 69 ms 69 ms 66 ms be-71-0.ibr02.lax03.ntwk.msn.net [104.44.8.108] 9 66 ms 66 ms 66 ms be-3-0.ibr01.sn4.ntwk.msn.net [104.44.4.5] 10 66 ms 65 ms 66 ms be-1-0.ibr02.sn4.ntwk.msn.net [104.44.4.204] 11 65 ms 65 ms 65 ms be-6-0.ibr01.atb.ntwk.msn.net [104.44.4.46] 12 65 ms 66 ms 66 ms be-1-0.ibr02.atb.ntwk.msn.net [104.44.4.39] 13 66 ms 67 ms 66 ms be-6-0.ibr01.cnr01.bn6.ntwk.msn.net [104.44.4.48] 14 66 ms 65 ms 65 ms ae103-0.icr04.bn6.ntwk.msn.net [104.44.10.8] 15 * * * Request timed out. 16 * * * Request timed out. 17 * * * Request timed out. 18 * * * Request timed out. 19 * * * Request timed out. 20 * * * Request timed out. 21 * * * Request timed out. 22 * * * Request timed out. 23 * * * Request timed out. 24 * * * Request timed out. 25 * * * Request timed out. 26 * * * Request timed out. 27 * * * Request timed out. 28 * * * Request timed out. 29 * * * Request timed out. 30 * * * Request timed out. Trace complete. Thank you, Igal
Re: Tomcat Secure WebSockets clients - hostname verification
On Tue, Jun 12, 2018 at 7:05 PM André Warnier (tomcat) wrote: > This is a bit OT, but I have a question since the beginning of this thread > : > Is Tomcat really supposed to provide a websocket *client* API ? > Yes, the client API is part of the websockets EE specification. Initially, Tomcat had just enough to implement the requirements of the specification, so it was unusable in practice (users were supposed to use another client, such as Tyrus which is now donated to Jakarta - feels nice to talk again about "Sun" donating software to Jakarta :D ). Gradually, missing items are implemented (as users didn't understand they really had to use something else and using the Tomcat client was not mandatory, it seems), but since this is not part of the specification, the config is all proprietary. Rémy
Re: creation of virtual directories
On 6/12/2018 10:48 AM, Christopher Schultz wrote: You want http://tomcat.apache.org/tomcat-9.0-doc/config/resources.html You'd add something like this: Which would make the content of W:\some\path visible at the root of the web application. Note that normally handling will apply. So, for example, anything named *.jsp will get treated as as JSP page. You'll want to edit your web application's META-INF/context.xml file. If no such file exists, create a new one with this in it: Then nest everything else inside that XML element wrapper. I thought that the XML declaration is required but testing shows that it is not, and that the above example works (further investigation revealed that in XML 1.1 the declaration is required but we're using XML 1.0 here). Good to know. Igal - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: creation of virtual directories
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jeffrey, On 6/12/18 1:21 PM, Jeffrey Beckstrom wrote: > Do I enter this information into a GUI or directly into a file. If > a file, what file? This may seem basic but have never touched > Tomcat before. Mark Thomas 6/12/18 11:39 AM >>> > On 11/06/2018 20:11, Jeffrey Beckstrom wrote: >> We would go with the latest which appears to be 9. Google found >> articles for V7 and one that said it changed in 8 but did not >> describe the change. > > You want > http://tomcat.apache.org/tomcat-9.0-doc/config/resources.html > > > You'd add something like this: > > className="org.apache.catalina.webresources.DirResourceSet" > webAppMount="/"/> > > Which would make the content of W:\some\path visible at the root of > the web application. Note that normally handling will apply. So, > for example, anything named *.jsp will get treated as as JSP page. You'll want to edit your web application's META-INF/context.xml file. If no such file exists, create a new one with this in it: Then nest everything else inside that XML element wrapper. - -chris > Mark Thomas 6/11/18 3:06 PM >>> >> On 11/06/18 19:58, Jeffrey Beckstrom wrote: >>> We are looking at migrating from Glassfish to Tomcat. In >>> Glassfish, we created alternatedocroot_N entries to map a path >>> in Glassfish to a windows drive. >>> >>> How do we perform a similar function in Tomcat? >> >> Tomcat version? (it changed between 7.0.x and 8.0.x) >> >> Mark >> >> - >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> -- >> >> This email has been scanned for spam and viruses. Visit the >> following link to report this email as spam: >> > https://attseg.cloud-protect.net/index01.php?mod_id=11_option=logi tem_id=1528744019-gV-baVzK1ou7_address=jbeckstrom%40gcrta.org ort=1 > > >> >> >> >> >> - >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -- > > This email has been scanned for spam and viruses. Visit the > following link to report this email as spam: > https://attseg.cloud-protect.net/index01.php?mod_id=11_option=logi tem_id=1528817962-Ncrr7YHBFuFg_address=jbeckstrom%40gcrta.org ort=1 > > > > > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsgB2oACgkQHPApP6U8 pFgmYA//YZpc1vRGdk8t0GGKquEmhj/9e8ok685VUHnKS2e2W8OHRb9Akwbilss9 uNCvxe+Scmd2QQvjVqaxk0FCZFqp8QuXIEoQdvZmsan+YIV7L6uh/fTfIepT/eqU XgfA5IDAQ1KtdDidNBH/nh7SppxsmTmigp6mvT56ik+E2+l89uW0K76zr9sDM/GI S96IueOsEip576xlSC27f4SypXmf7c9LZPeNy1gUBElgQx4pmLWGDDzEDQ6Vjty/ se37tjRc3B/iGbddH9rUh5YJ9d5tpirbqKzBOup8tQbfeIz814M6c40jI4OUtICV m26Ae5i+DUTHwVsH4pF0T2DEEvBbeIqA6yfruKtpcpVXBJOSCHWcvxVy73lOr0Ce SqGGGklMpD3Xc4kV8XpdAjr5s+lJniCavpP3E2HKlh5N5gGMEV+C9efqaNyC6Jwq YS5d7TWd8BbxNXDtffWuS3hzYNbeOotWLhZTNUlbiq/Xbe1ZB7j4okkCoVCvSLG7 mgYMMJtEX2JxqN2fTgPe4Mo4XU9CnTRhZnIYJFWUFbkjeprPRGbnQssVP6mCWZzu um2ANMOvZGS2l8KnY8CVxO43XLscwi5KxBtvz3hZGVPyH+h6MxeaVn/K/xCqwUJk idwNzNJXUUUl1+BW5Rosx5V4KamPvppSYPuB/0CSK9AGbZAyTSg= =MaX7 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Secure WebSockets clients - hostname verification
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 6/12/18 1:06 PM, André Warnier (tomcat) wrote: > On 12.06.2018 18:13, Mark Thomas wrote: [snip].. >> >> I'll see what I can do. The major constraint is that all this has >> to be set via Tomcat specific user properties as there is no API >> for in the Java WebSocket API. >> > > This is a bit OT, but I have a question since the beginning of > this thread : Is Tomcat really supposed to provide a websocket > *client* API ? > > From the initial post, I understood that what the OP wants to do, > is to connect, *from* a Tomcat servlet, *to* an external websocket > server (not necessarily Tomcat). If so, it is certainly nice to > help him doing so, but if it means providing functionalities that > the standard Java API websocket client doesn't, does that not make > this thing less portable ? > > Or did I get this all wrong ? IIRC, ironically, the WS server needs to be built upon a WS client, so the WS client is simply already there. The Websocket API is part of Java EE (or whatever it's called, now) so it won't be a part of the standard JRE libraries. Thus there really isn't any "standard Java API websocket client" other than those provided by vendors e.g. Tomcat. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsgBwwACgkQHPApP6U8 pFjrThAAuQgujTj9ow5ToGLo5FHETkGLfwUS3OeNwE863jv1IZBBVe6Nqp+hapf+ oVhEWURt+VxgKmrARlNNodXyCCWQKzEI9LuRAV4yStlV0JRT5WKoNsRN+8t6OdwA EDqhjHSXbW7dbYUkN4wOdwfQfPy8blmgbNHu2DoA9+WXIDqlkY/6C2iQ0spbJJQY qBHILLDL8wnxPiWalB+W1azPvtMwG+J2QiFmHUZEF91Q1RmYYTkHG6a7lDyP1bVY QcK3Len31Xh6fmDLrR8qS+PuCsCKbA6uD+aKC6PDOVCwFN/xUiT8lIIwK9Peb/5H /k/0gTUtpkxRszQ7Of5a40fF7VYqvS6uOCFDZSTgrg/YFo/mKis3aoc6iccT8wU9 AW5KdGobgv4YHk0/uGhHMGEKxs6o7/Z9FUnpwBmXtr3Xm+ObdwY7RvmqsNrGWRAZ RNjcUgvlBMKvUcD4LYWdynPWqJ2GRwDT/KDsqkNSy6bFphBQc3ctQ0w+qxzM2lSn K5aaBBzAlAXDSgeOJ0UVLYbw5AOWZELMGKe0p8dQdcRGjh1hIQ4hYQzpdU85VpAC KoYLchCMQHmmYzZknBsRfkIiMOcOF9DFzQzJ+l80k5L7R/uDaNBbAVuW6QHz9h6y OQazNr4dOy8t7m/8gn1bwdThbkG2AXBOlfVYsQArnSVCerqeijU= =bbuA -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: creation of virtual directories
Do I enter this information into a GUI or directly into a file. If a file, what file? This may seem basic but have never touched Tomcat before. >>> Mark Thomas 6/12/18 11:39 AM >>> On 11/06/2018 20:11, Jeffrey Beckstrom wrote: > We would go with the latest which appears to be 9. Google found articles > for V7 and one that said it changed in 8 but did not describe the change. You want http://tomcat.apache.org/tomcat-9.0-doc/config/resources.html You'd add something like this: Which would make the content of W:\some\path visible at the root of the web application. Note that normally handling will apply. So, for example, anything named *.jsp will get treated as as JSP page. HTH, Mark Mark Thomas 6/11/18 3:06 PM >>> > On 11/06/18 19:58, Jeffrey Beckstrom wrote: > > We are looking at migrating from Glassfish to Tomcat. In Glassfish, we > > created alternatedocroot_N entries to map a path in Glassfish to a > > windows drive. > > > > How do we perform a similar function in Tomcat? > > Tomcat version? (it changed between 7.0.x and 8.0.x) > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -- > > This email has been scanned for spam and viruses. Visit the following > link to report this email as spam: > https://attseg.cloud-protect.net/index01.php?mod_id=11_option=logitem_id=1528744019-gV-baVzK1ou7_address=jbeckstrom%40gcrta.org=1 > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- This email has been scanned for spam and viruses. Visit the following link to report this email as spam: https://attseg.cloud-protect.net/index01.php?mod_id=11_option=logitem_id=1528817962-Ncrr7YHBFuFg_address=jbeckstrom%40gcrta.org=1 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Secure WebSockets clients - hostname verification
On 12.06.2018 18:13, Mark Thomas wrote: [snip].. I'll see what I can do. The major constraint is that all this has to be set via Tomcat specific user properties as there is no API for in the Java WebSocket API. This is a bit OT, but I have a question since the beginning of this thread : Is Tomcat really supposed to provide a websocket *client* API ? From the initial post, I understood that what the OP wants to do, is to connect, *from* a Tomcat servlet, *to* an external websocket server (not necessarily Tomcat). If so, it is certainly nice to help him doing so, but if it means providing functionalities that the standard Java API websocket client doesn't, does that not make this thing less portable ? Or did I get this all wrong ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Secure WebSockets clients - hostname verification
On 12/06/2018 16:12, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 6/11/18 10:31 AM, Mark Thomas wrote: On 11/06/18 11:47, Weiner Harald wrote: What are your thoughts? I'm leaning towards adding: SSLParameters sslParams = new SSLParameters(); sslParams.setEndpointIdentificationAlgorithm("HTTPS"); sslSocket.setSSLParameters(sslParams); unconditionally to WsWebSocketContainer.createSSLEngine() I've been trying to think of a use case where you'd want to use TLS without wanting to verify the host name and I can't think of one. Testing. I'd argue that for testing to be meaningful you need to be using a real cert and an appropriate trust store. It would be very useful to be able to configure this, so if you are going to patch the code, please make this configurable by the client. > See HttpsURLConnection.setHostnameVerifier I think it's appropriate to simply match that API unless there are any objections. I'll see what I can do. The major constraint is that all this has to be set via Tomcat specific user properties as there is no API for in the Java WebSocket API. Mark - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsf1OMACgkQHPApP6U8 pFibhw/+ODRL4BZfk9fTWxLFSEyKEJQORJgfVveHaqzsW34BzRVEx7nVGBL+T8t1 m0E+mhQY+m+YyTKsWpAzNEd/752UMFV6jHhn8Nle6I+puLpZ8tEKj4MSd2JDDC2Y Te4mD4QwMgkdNIU8aacXqj1hJanyB4vvfSd+PpFiW/o0kWKHirpSdra87XvLqbMM A75lKzFdyqZWJ9JBqSoQID3vLQMyBzZ+MI8XWacuT69hMWioMpiAc2iSVw73TUXO kt9jFlP6K17QzJ3j2kmdm1TAQDupFNNs2W5M15Eo7ahj3xa137s+lZgTjI7b8rhS dekDyD++7biKJSCnyd8XIQ+FM6UjEwCIzGtdRRNvjw+ufk9S7IDnJhD7DAeGqNOc bq4ezaG8iFRI7h3lkJx+AeF23KaW36VEK8bbNK5phjyIfZ0crF43Xv8nTOyf1S0E Pqj38sr9baa0JcRnYvGLS9ZDtYpDFQaQuti7p8IJs/DJ6yr+d7KvO/ZBawU6K8e0 EttmjavdB0RfooI61LBj0bazHANvhISY5xzmJIqDIYAtwlYf1Ww9X0CrpWmrPd1y RE/M2RpXj6lcVCPqXzqSXVE/DfJXlmj5iqB4lGJBS0TrcWFvKHH5kp0reUlZNtRG l+FshDzZylsz5tqN3DtyNjQoQN9rW181O7+j2f5exa9IS9fUgek= =GeP9 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: creation of virtual directories
On 11/06/2018 20:11, Jeffrey Beckstrom wrote: We would go with the latest which appears to be 9. Google found articles for V7 and one that said it changed in 8 but did not describe the change. You want http://tomcat.apache.org/tomcat-9.0-doc/config/resources.html You'd add something like this: Which would make the content of W:\some\path visible at the root of the web application. Note that normally handling will apply. So, for example, anything named *.jsp will get treated as as JSP page. HTH, Mark Mark Thomas 6/11/18 3:06 PM >>> On 11/06/18 19:58, Jeffrey Beckstrom wrote: > We are looking at migrating from Glassfish to Tomcat. In Glassfish, we > created alternatedocroot_N entries to map a path in Glassfish to a > windows drive. > > How do we perform a similar function in Tomcat? Tomcat version? (it changed between 7.0.x and 8.0.x) Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- This email has been scanned for spam and viruses. Visit the following link to report this email as spam: https://attseg.cloud-protect.net/index01.php?mod_id=11_option=logitem_id=1528744019-gV-baVzK1ou7_address=jbeckstrom%40gcrta.org=1 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: creation of virtual directories
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jeffrey, On 6/11/18 3:11 PM, Jeffrey Beckstrom wrote: > We would go with the latest which appears to be 9. Google found > articles for V7 and one that said it changed in 8 but did not > describe the change. Mark Thomas 6/11/18 3:06 PM >>> > On 11/06/18 19:58, Jeffrey Beckstrom wrote: >> We are looking at migrating from Glassfish to Tomcat. In >> Glassfish, we created alternatedocroot_N entries to map a path in >> Glassfish to a windows drive. >> >> How do we perform a similar function in Tomcat? > > Tomcat version? (it changed between 7.0.x and 8.0.x) You are looking for "resources"[1] (not to be confused with "resources"[2] or "JNDI resources"[3]). You want to use or inside inside your element in META-INF/context.xml. In general, I'd recommend using for non-code files, because you don't want a user to be able to upload a file which then takes precedence over a file or library that comes with your application . Note that resources are *cached by default*, so if you have dynamic changes to the filesystem (e.g. file-uploads, separate processed making changes to the fs, etc.) then you'll want to disable that. Hope that helps, - -chris [1] http://tomcat.apache.org/tomcat-9.0-doc/config/resources.html [2] http://tomcat.apache.org/tomcat-9.0-doc/config/globalresources.html [3] http://tomcat.apache.org/tomcat-9.0-doc/jndi-resources-howto.html -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsf1jYACgkQHPApP6U8 pFg5EBAAxxEGTUpLisTCMJ2kOIVRwmaj+hkrzo7LbsH/M4JXqoBftKpaM43MyyXz 86Y5GbDGjhJVp1fdKAcI/gFdfI0HAJlbuUAZqYsp6Qd5YEPraw5SJfO5vbwVh7Z1 VffWNlGOd/YYa7OCYY1x1NRCon/dQI5wBdHKjeNeqd9TH65lpnLkygpnet7qWM4O L1s4OtvzUHlHY0XXYoSN4yiFco/o8jnWxMAZFCF+NncC1yU18qQLh3jOpefKmlvb i/VTkhMPaA7o9E+VdXe5dA48TlSqOVwXQJ7NNTIgIzRxF7i1TAk9Lj9NkJD3wrTd ZAUu56w5BaIaPq0E46T5IVczbmWpIdMjRx0DYQN77z2nhxULLBmmOI9aiIpa4brE jX3IH4H6e5LqK9croDbnlB38P4LzhJJGLFaF5tvoteRV0FulFcVaJblVzarjheR3 Sy7tRrnk+9MwwWw2xhEjB3CjKsJzh3LU/9eI/TD8o7fl7g9IJDJ8+eZCRQQSUqBR O11XYL0/rSwKW2pxdav+TO84o1I72oxPklyCNMyZ0Ty7/XA3hO6P3LnxdUBzt9NB mZGRsSwU2YPPNXFtSZS0gM6LBlpv3/9wK0cbAibXlraVu2P7jOQ/DPPkZX8y3Yh9 AwmIE0IpktlBG48Oy0Tq5yDDEs6srwGi7SNuN7FoQUvONz5UEls= =oqLS -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Secure WebSockets clients - hostname verification
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 6/11/18 10:31 AM, Mark Thomas wrote: > On 11/06/18 11:47, Weiner Harald wrote: > > > >> What are your thoughts? > > I'm leaning towards adding: > > SSLParameters sslParams = new SSLParameters(); > sslParams.setEndpointIdentificationAlgorithm("HTTPS"); > sslSocket.setSSLParameters(sslParams); > > unconditionally to WsWebSocketContainer.createSSLEngine() > > I've been trying to think of a use case where you'd want to use > TLS without wanting to verify the host name and I can't think of > one. Testing. It would be very useful to be able to configure this, so if you are going to patch the code, please make this configurable by the client. See HttpsURLConnection.setHostnameVerifier I think it's appropriate to simply match that API unless there are any objections. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsf1OMACgkQHPApP6U8 pFibhw/+ODRL4BZfk9fTWxLFSEyKEJQORJgfVveHaqzsW34BzRVEx7nVGBL+T8t1 m0E+mhQY+m+YyTKsWpAzNEd/752UMFV6jHhn8Nle6I+puLpZ8tEKj4MSd2JDDC2Y Te4mD4QwMgkdNIU8aacXqj1hJanyB4vvfSd+PpFiW/o0kWKHirpSdra87XvLqbMM A75lKzFdyqZWJ9JBqSoQID3vLQMyBzZ+MI8XWacuT69hMWioMpiAc2iSVw73TUXO kt9jFlP6K17QzJ3j2kmdm1TAQDupFNNs2W5M15Eo7ahj3xa137s+lZgTjI7b8rhS dekDyD++7biKJSCnyd8XIQ+FM6UjEwCIzGtdRRNvjw+ufk9S7IDnJhD7DAeGqNOc bq4ezaG8iFRI7h3lkJx+AeF23KaW36VEK8bbNK5phjyIfZ0crF43Xv8nTOyf1S0E Pqj38sr9baa0JcRnYvGLS9ZDtYpDFQaQuti7p8IJs/DJ6yr+d7KvO/ZBawU6K8e0 EttmjavdB0RfooI61LBj0bazHANvhISY5xzmJIqDIYAtwlYf1Ww9X0CrpWmrPd1y RE/M2RpXj6lcVCPqXzqSXVE/DfJXlmj5iqB4lGJBS0TrcWFvKHH5kp0reUlZNtRG l+FshDzZylsz5tqN3DtyNjQoQN9rW181O7+j2f5exa9IS9fUgek= =GeP9 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: IIS authentication applies to static but not dynamic requests (servlets, JSPs). Any way to control that?
On 12.06.2018 02:57, charlie arehart wrote: -Original Message- From: Igal @ Lucee.org Sent: Monday, June 11, 2018 04:55 PM To: users@tomcat.apache.org Subject: Re: IIS authentication applies to static but not dynamic requests (servlets, JSPs). Any way to control that? Charlie, Are you sure that the static requests are passed to Tomcat? Can you verify that in the response headers? The logical explanation that I can think of is that IIS still serves the static content, but passes the JSP stuff to Tomcat without checking the security permissions. HTH, Igal Sapir Thanks, Igal. No, I agree the static files are NOT passed to Tomcat. I wasn't saying that they were. :-) I was implying rather that they do NOT go to Tomcat, and are NOT processed by the Tomcat connector/ISAPI Filter (because they are not in the uriworkermap.properties list of processed URLs). This was to confirm that they WERE therefore being handled CORRECTLY by IIS, in that a user trying to run the request who did NOT have access to the files (per Windows on the server) would find the request rejected (per the Windows Authentication feature in IIS). The problem is that jsps and servlets, which ARE passed to Tomcat by the connector (are in the uriworkermap.properties mappings) are NOT being properly rejected by IIS (or the connector, whichever should have control). Now, I should add that I had in mind at one time a test to change the order of the modules in IIS, to put the ISAPIFilterModule below the WindowsAuthentication and FileAuthorization module, to see if that would "help'. Yes, that is probably what you should do. (This being said by a non-IIS specialist). But really, that should not be needed (even if it would help). Users of Tomcat (who want to implement web server file security like this) shouldn't (I'd think) have to know of such a low-level tweak. You are not really talking about "users of Tomcat" here. You are talking about a fairly shophisticated setup with a front-end reverse proxy webserver (which in addition takes care of user authentication/authorization), and a back-end Tomcat. That's indeed beyond a mere "Tomcat user"'s area of competence, and more of a sysadmin's area. And so it is for most user authentication scenarios in a www context. I would think that the connector (the Tomcat isapifilter.dll) could/should implement such a security for the user. Why should it ? Think of it this way : for the front-end webserver, the isapi module is just "an application", which processes certain URLs, and generates a response. Just like the other "application" which returns the local static pages served by IIS, in response to another kind of URL. In other words, as far as IIS is concerned, it doesn't even /know/ that in order to generate those response pages, isapi communicates with some back-end server. The standard builtin IIS application which returns static pages, also does not handle authentication/authorization, and it relies on the same built-in WindowsAuthentication and FileAuthorization which you mention above, to take care of that. Same thing for isapi (and any other application or "proxy module"). It would complicate things a whole lot if the isapi module would need to take care of the AAA part. It would need its own duplicate logic to handle that, its own corresponding setup parameters etc. And it would need this not only for "Windows Authentication", but for each different kind of authentication one may want to apply inside of IIS (think Kerberos, SiteMinder, OpenID, SAML, just to name a few). I suppose someone may quibble with that. Yeah, see above. I had also meant to test things out in pure asp.net, to see if an aspx page got honored this way (was protected by Windows Auth and file security, like a static file). I forgot to do these before writing. (Someone wanting me to get this to the Tomcat folks for attention pressed me about it, and I forgot these were 2 things I wanted to check before writing in.) But perhaps someone familiar with all this may have a thought based simply on what has been shared so far. As an additional note : if you do NOT want the front-end IIS webserver to take care of the user authentication for Tomcat, you can do that too : just do not authenticate these URLs at the IIS level (leave them "public", as they are now), and implement the Windows authentication inside of Tomcat, using the SPNEGO module. But I suggest that you don't, because it is much easier to let IIS do that, and just pass on the authenticated user-id to Tomcat, through isapi. /charlie - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: