Re: Container Managed Security?
Use LDAP Based authentication ... I have this working very nicely only our servers Read JNDI Realm topic of tomcat Gurus - Original Message - From: Bjørn T Johansen [EMAIL PROTECTED] To: 'Tomcat Users List' tomcat-user@jakarta.apache.org Sent: Thursday, April 07, 2005 7:05 AM Subject: Container Managed Security? I have a small question... I am used to providing my own authentication system when developing web systems, but I am now looking into providing container based security instead. But when writing authentication myself, I have full control and can put differenf information that I need into the session scope. How do I do this using Tomcat's FORM-based authentication? Is there some listener I can hook onto or similar? Regards, BTJ -- -- - Bjørn T Johansen [EMAIL PROTECTED] -- - Someone wrote: I understand that if you play a Windows CD backwards you hear strange Satanic messages To which someone replied: It's even worse than that; play it forwards and it installs Windows -- - - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: RES: JVM' sperm size always increase after hot deploy to tomcat 5.0.28
Paulo Alvim wrote: Thank you all It's good to know that we're not alone...but since we used to have workable 'hot deploy' others pre-J2EE App Servers our customers will insist with that - maybe we'll have to reconsider other App Server as our main Open-Source production environment option. Does anyone know if JBoss 4 makes improvement in this area? I really can't believe that it's so hard... Guess that won't help, because JBoss uses Tomcat as web container. Check: http://issues.apache.org/bugzilla/show_bug.cgi?id=26135 and try Tomcat 5.5x Generally these undeploy memory leakage issues are mainly coded into the webapp or in libraries. Some references won't be garbage collected when undeploying. There seem to be problems with commons-logging and beanutils, but could also be self-made, of course. Cheers, Michael - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Realm instance within webapp
Hello, Can I put my Realm subclass within my webapp instead of inside Tomcat's lib directories somehow? My custom Realm subclass uses other classes within my webapp, so I'm finding I have to include more and more of my webapp within the Tomcat lib directories - not very nice at all :-( Or am I missing something? My passwords are in an XML file, so none of the existing Realm classes work for me. Is there a better way? Thanks, Graeme -- Graeme Pyle Raspberry Solutions Email: [EMAIL PROTECTED] Cell: 083 415 1642 Office: (011) 447 5396 Web: www.raspberry.co.za - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Realm instance within webapp
Graeme Pyle wrote: Hello, Can I put my Realm subclass within my webapp instead of inside Tomcat's lib directories somehow? No. Realms require access to Tomcat internals in order to work. My custom Realm subclass uses other classes within my webapp, so I'm finding I have to include more and more of my webapp within the Tomcat lib directories - not very nice at all :-( Indeed. Or am I missing something? My passwords are in an XML file, so none of the existing Realm classes work for me. Is there a better way? Realms should be independent of webapp. Any Realm should work with any webapp. Mark - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Max URL length for 5.0.28
I guess it's the standard (of HTTP?) that imposes the 255 max length limit on the size of URLs and not Tomcat. -Behi On Apr 9, 2005 1:08 AM, Jimmy Ray [EMAIL PROTECTED] wrote: Tomcat 5.0.28, HPUX Trying to use a URL that is 266 chars long and it seems to be truncated. Is there a max length setting for Tomcat? Regards, Jimmy Ray __ Yahoo! Messenger Show us what our next emoticon should look like. Join the fun. http://www.advision.webevents.yahoo.com/emoticontest - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Behrang Saeedzadeh http://www.jroller.com/page/behrangsa
Re: Max URL length for 5.0.28
Sorry, I was wrong :p http://lists.evolt.org/archive/Week-of-Mon-20010528/033585.html http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2 Regards, Behi. On Apr 9, 2005 4:12 PM, Behrang Saeedzadeh [EMAIL PROTECTED] wrote: I guess it's the standard (of HTTP?) that imposes the 255 max length limit on the size of URLs and not Tomcat. -Behi On Apr 9, 2005 1:08 AM, Jimmy Ray [EMAIL PROTECTED] wrote: Tomcat 5.0.28, HPUX Trying to use a URL that is 266 chars long and it seems to be truncated. Is there a max length setting for Tomcat? Regards, Jimmy Ray __ Yahoo! Messenger Show us what our next emoticon should look like. Join the fun. http://www.advision.webevents.yahoo.com/emoticontest - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Behrang Saeedzadeh http://www.jroller.com/page/behrangsa -- Behrang Saeedzadeh http://www.jroller.com/page/behrangsa
Re: Max URL length for 5.0.28
According to the spec, maybe your client or proxy is problematic. I was googling around and i guess I found a result that was saying that IE supports URL lengths of about 2000 chars long. So if your client is IE, maybe the problem roots in somewhere else (possibly Tomcat.) -Behi On Apr 9, 2005 4:15 PM, Behrang Saeedzadeh [EMAIL PROTECTED] wrote: Sorry, I was wrong :p http://lists.evolt.org/archive/Week-of-Mon-20010528/033585.html http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2 Regards, Behi. On Apr 9, 2005 4:12 PM, Behrang Saeedzadeh [EMAIL PROTECTED] wrote: I guess it's the standard (of HTTP?) that imposes the 255 max length limit on the size of URLs and not Tomcat. -Behi On Apr 9, 2005 1:08 AM, Jimmy Ray [EMAIL PROTECTED] wrote: Tomcat 5.0.28, HPUX Trying to use a URL that is 266 chars long and it seems to be truncated. Is there a max length setting for Tomcat? Regards, Jimmy Ray __ Yahoo! Messenger Show us what our next emoticon should look like. Join the fun. http://www.advision.webevents.yahoo.com/emoticontest - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Behrang Saeedzadeh http://www.jroller.com/page/behrangsa -- Behrang Saeedzadeh http://www.jroller.com/page/behrangsa -- Behrang Saeedzadeh http://www.jroller.com/page/behrangsa
Major Install Problems
Been trying to install on Ubuntu for ages, this is the latest error: dpkg -i tomcat4_4.1.31-2_all.deb (Reading database ... 82691 files and directories currently installed.) Preparing to replace tomcat4 4.1.31-2 (using tomcat4_4.1.31-2_all.deb) ... Stopping Tomcat 4.1 servlet engine: (not running). Unpacking replacement tomcat4 ... Setting up tomcat4 (4.1.31-2) ... Starting Tomcat 4.1 servlet engine using Java from /usr/lib/j2se/1.4: invoke-rc.d: initscript tomcat4, action start failed. -- Whatever you Wanadoo: http://www.wanadoo.co.uk/time/ This email has been checked for most known viruses - find out more at: http://www.wanadoo.co.uk/help/id/7098.htm - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Container Managed Security?
That doesn't help with my problem, does it? I need to create a session object when a user logs in, is this possible? BTJ Gurumoorthy wrote: Use LDAP Based authentication ... I have this working very nicely only our servers Read JNDI Realm topic of tomcat Gurus - Original Message - From: Bjørn T Johansen [EMAIL PROTECTED] To: 'Tomcat Users List' tomcat-user@jakarta.apache.org Sent: Thursday, April 07, 2005 7:05 AM Subject: Container Managed Security? I have a small question... I am used to providing my own authentication system when developing web systems, but I am now looking into providing container based security instead. But when writing authentication myself, I have full control and can put differenf information that I need into the session scope. How do I do this using Tomcat's FORM-based authentication? Is there some listener I can hook onto or similar? Regards, BTJ -- -- - Bjørn T Johansen [EMAIL PROTECTED] -- - Someone wrote: I understand that if you play a Windows CD backwards you hear strange Satanic messages To which someone replied: It's even worse than that; play it forwards and it installs Windows -- - - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Container Managed Security?
javax.servlet.http.SessionListener For a summary, read the javadocs. For full details read the spec. Mark Bjørn T Johansen wrote: I have a small question... I am used to providing my own authentication system when developing web systems, but I am now looking into providing container based security instead. But when writing authentication myself, I have full control and can put differenf information that I need into the session scope. How do I do this using Tomcat's FORM-based authentication? Is there some listener I can hook onto or similar? Regards, BTJ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Container Managed Security?
Opps. Typo. That should be: javax.servlet.http.HttpSessionListener Mark Thomas wrote: javax.servlet.http.SessionListener For a summary, read the javadocs. For full details read the spec. Mark Bjørn T Johansen wrote: I have a small question... I am used to providing my own authentication system when developing web systems, but I am now looking into providing container based security instead. But when writing authentication myself, I have full control and can put differenf information that I need into the session scope. How do I do this using Tomcat's FORM-based authentication? Is there some listener I can hook onto or similar? Regards, BTJ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Application-level control of web-resources
What are the possibilites for application-level control of resources like JSP-resources? This would open up for e.g. creating a wiki-like application, where each wiki-page is a valid JSP-page, which is created dynamically and stored elsewhere than within the deployed WAR-file. If anyone fancy this type of functionality - or have tried to implement it by whatever means possible - please make a statement! Morten Sabroe Mortensen - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
images/static content in jar
I have a war that has folder like /images and /content, is there a way to config tomcat so that I can package these in jar, I know I can write a custom servlet todo this but I would like this to be handled by the servers servlet container. The reason this is my concern is that I think that the servlet container has a better model for handling request rather than a servlet that has to invoke a openStream, seems this would cause some contention and perf issues. Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: images/static content in jar
Don Hill wrote: I have a war that has folder like /images and /content, is there a way to config tomcat so that I can package these in jar, I know I can write a custom servlet todo this but I would like this to be handled by the servers servlet container. The reason this is my concern is that I think that the servlet container has a better model for handling request rather than a servlet that has to invoke a openStream, seems this would cause some contention and perf issues. Just to clarify (not really offering a solution, sorry). The reason why you want to do that is to have some ability like skins in Mozilla and other products, right? I mean, all static content can be a packaged into a WAR file, if packaging is what you need. If you'd like to have skins for your application, even dynamic skins, I'd sugest a servlet that would unpack/remove all static content from a set of JARs. A skin change would: - unpack a new JAR to a temp dir - stop or pause the application - mv static dir to some other name - mv temp dir to static - un-pause application - cleanup Access to static content would still be better off being handled through a servlet, how would you expire the old data otehrwise? Imagine half of your skin being new and the other half old... Nix. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RES: RES: JVM' sperm size always increase after hot deploy to tomcat 5.0.28
Thanks Michael... But we had already tried to put both the PropertyUtils.clearDescriptors(); and the Introspector.flushCaches(); in the ServletContextListener - contextDestroyed and it didn't help so much (...) I'll try also with the logging LogManager.shutdown();. But try Tomcat 5.5x - do you recommend that because it has improvements in this area? -Mensagem original- De: Michael Echerer [mailto:[EMAIL PROTECTED] Enviada em: sábado, 9 de abril de 2005 07:23 Para: Tomcat Users List Assunto: Re: RES: JVM' sperm size always increase after hot deploy to tomcat 5.0.28 Paulo Alvim wrote: Thank you all It's good to know that we're not alone...but since we used to have workable 'hot deploy' others pre-J2EE App Servers our customers will insist with that - maybe we'll have to reconsider other App Server as our main Open-Source production environment option. Does anyone know if JBoss 4 makes improvement in this area? I really can't believe that it's so hard... Guess that won't help, because JBoss uses Tomcat as web container. Check: http://issues.apache.org/bugzilla/show_bug.cgi?id=26135 and try Tomcat 5.5x Generally these undeploy memory leakage issues are mainly coded into the webapp or in libraries. Some references won't be garbage collected when undeploying. There seem to be problems with commons-logging and beanutils, but could also be self-made, of course. Cheers, Michael - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Changing from BASIC authentication to FORM-based
I have Tomcat 5.5.4 running on WindowsXP with BASIC authentication working via the Memory Realm and it works fine. I want to change to FORM-based authentication. I've 'BASIC' to 'FORM' in web.xml and have a logon.html page with a form action=j_security_check (but it gives a HTTP 408 timeout error immediately... any ideas? Are there any online tutorials to help configure this? Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Container Managed Security?
That seems to be what I am looking for I will look into this... Thx... :) BTJ Mark Thomas wrote: Opps. Typo. That should be: javax.servlet.http.HttpSessionListener Mark Thomas wrote: javax.servlet.http.SessionListener For a summary, read the javadocs. For full details read the spec. Mark Bjørn T Johansen wrote: I have a small question... I am used to providing my own authentication system when developing web systems, but I am now looking into providing container based security instead. But when writing authentication myself, I have full control and can put differenf information that I need into the session scope. How do I do this using Tomcat's FORM-based authentication? Is there some listener I can hook onto or similar? Regards, BTJ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat user 'roles' question
From: Bill Barker [EMAIL PROTECTED] Custom Realms really aren't all that hard. You typically create a class that extends RealmBase (http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/RealmBase.html, changing the '5.5' to the TC version you care about, unless it's 3.3 where the package is different). Then you override the 'getPassword(String)' (returns the db-password of the user), the 'getPrincipal(String)' (returns the userPrincipal for the user), and the 'getName()' (returns the name of the realm -- any identifying string). If you return anything but a o.a.c.realm.GenericPrincipal from getPrincipal, then you'll have to override the 'hasRole(Principal, String)' method as well. Thank you, that gives me a place to start. But I don't want to _authenticate_ the user at all... that's done elsewhere (one of two different places, actually,) and handled by a Filter. And yet I realize that somehow Tomcat has to know who the user is. :/ If I create a realm and configure it, will I be able to circumvent the user getting prompted for a userID and password? Can I (in the Filter) place a GenericPrincipal object in the session under some key? I'm really only after the programmatic security of isUserInRole(...) here, but would like to stick to the standard way of doing things as much as possible. -- Wendy Smoak - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat user 'roles' question
Wendy Smoak [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] From: Bill Barker [EMAIL PROTECTED] Custom Realms really aren't all that hard. You typically create a class that extends RealmBase (http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/RealmBase.html, changing the '5.5' to the TC version you care about, unless it's 3.3 where the package is different). Then you override the 'getPassword(String)' (returns the db-password of the user), the 'getPrincipal(String)' (returns the userPrincipal for the user), and the 'getName()' (returns the name of the realm -- any identifying string). If you return anything but a o.a.c.realm.GenericPrincipal from getPrincipal, then you'll have to override the 'hasRole(Principal, String)' method as well. Thank you, that gives me a place to start. But I don't want to _authenticate_ the user at all... that's done elsewhere (one of two different places, actually,) and handled by a Filter. And yet I realize that somehow Tomcat has to know who the user is. :/ If I create a realm and configure it, will I be able to circumvent the user getting prompted for a userID and password? Can I (in the Filter) place a GenericPrincipal object in the session under some key? I'm really only after the programmatic security of isUserInRole(...) here, but would like to stick to the standard way of doing things as much as possible. The Realm will populate the 'userRoles' only if they are accessing a protected page (one that is under a security-contraint), so it doesn't change prompting. And, no, a normal Filter can't set the userPrincipal, since that requires access to Tomcat internals. You could use a Valve, but it sounds like for what you want, you could simply wrap the HttpServletRequest in your Filter with a wrapper that overrides isUserInRole. If anything, this would be more 'the standard way', since then your app would also be portable to another Servlet Container. -- Wendy Smoak - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: still not clear with connection pooling in tomcat
thanks a lot doug, if I have any problem I will trouble again. just a couple of questions. there were two parameters in the email you sent the other day. I did not get the meaning of those parameters stating that active connections should be 100 and the other with 30 as the value. what is the difference between max active and inactive connections? and just a curious question, is tomcat really used on heavy duty commertial websites? thanks Krishnakant. Send instant messages to your online friends http://uk.messenger.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Major Install Problems
From: asdasd sdfsdfsd [mailto:[EMAIL PROTECTED] Subject: Major Install Problems Been trying to install on Ubuntu for ages, this is the latest error: What happens if you try the tar or zip file from the real Tomcat download area (http://archive.apache.org/dist/jakarta/tomcat-4/v4.1.31/bin/jakarta-tom cat-4.1.31.zip)? While you're at it, why not use the current level (5.5.7)? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Application-level control of web-resources
On Sat, Apr 09, 2005 at 06:35:51PM +0200, Morten Sabroe Mortensen wrote: : This would open up for e.g. creating a wiki-like application, where each : wiki-page is a valid JSP-page, which is created dynamically and stored : elsewhere than within the deployed WAR-file. Why use real pages? Those are a pain to manage, especially in Java webapps (which are supposed to be sealed applications). Many such systems (think blogs) stash the content in a database (or some other data store) and map URIs to those entries. In turn, accessing a URL merges the content and a static template at runtime. The end-user doesn't know they're hitting a virtual resource and, quite frankly, they shouldn't care. Read up on the Front Controller, Page Controller, and Decorator design patterns for insight. -QM -- software -- http://www.brandxdev.net/ tech news -- http://www.RoarNetworX.com/ code scan -- http://www.JxRef.org/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Application-level control of web-resources
QM wrote: On Sat, Apr 09, 2005 at 06:35:51PM +0200, Morten Sabroe Mortensen wrote: : This would open up for e.g. creating a wiki-like application, where each : wiki-page is a valid JSP-page, which is created dynamically and stored : elsewhere than within the deployed WAR-file. Why use real pages? Those are a pain to manage, especially in Java webapps (which are supposed to be sealed applications). Hi QM, I know what you say is the prevailing wisdom. But, I would be interested to know your thoughts regarding pregenerating JSP or velocity templates such that the decoration (and content inclusion) happens prior to runtime. For example, we use XSLT to pregenerate the pages (managed through our CMS) so that as much as possible exists in the page/template. This leaves only what is *required* to be dynamic for runtime. Thoughts? (I can take it :) best, -Rob Many such systems (think blogs) stash the content in a database (or some other data store) and map URIs to those entries. In turn, accessing a URL merges the content and a static template at runtime. The end-user doesn't know they're hitting a virtual resource and, quite frankly, they shouldn't care. Read up on the Front Controller, Page Controller, and Decorator design patterns for insight. -QM - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Application-level control of web-resources
Hi QM, -Because real pages has more power over them than, say, a more simple wiki-page parsed to an XML-format and XSLT'et to HTML/XHTML/WML/XHTML-MP -whatever. I want to be free to stash the content in a database, the file-system or some other WAR-external resource. I want to be free to have my hieracial wiki-like system deliver content by different means of processing - dynamic JSP's being the missing link. If the application is in control, it can pre-validate or restrict the pages to exclude, say, scripting and to enforce, say, a valid XML form of JSP's, in any way it wants to. It is a matter of technical freedom. Up until now, no filter or front-controller can control the origin or WAR-resources. Morten Sabroe Morten -Original Message- From: QM [mailto:[EMAIL PROTECTED] Sent: 9. april 2005 23:32 To: Tomcat Users List Subject: Re: Application-level control of web-resources On Sat, Apr 09, 2005 at 06:35:51PM +0200, Morten Sabroe Mortensen wrote: : This would open up for e.g. creating a wiki-like application, where each : wiki-page is a valid JSP-page, which is created dynamically and stored : elsewhere than within the deployed WAR-file. Why use real pages? Those are a pain to manage, especially in Java webapps (which are supposed to be sealed applications). Many such systems (think blogs) stash the content in a database (or some other data store) and map URIs to those entries. In turn, accessing a URL merges the content and a static template at runtime. The end-user doesn't know they're hitting a virtual resource and, quite frankly, they shouldn't care. Read up on the Front Controller, Page Controller, and Decorator design patterns for insight. -QM -- software -- http://www.brandxdev.net/ tech news -- http://www.RoarNetworX.com/ code scan -- http://www.JxRef.org/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Changing from BASIC authentication to FORM-based
Did you restart Tomcat after making the web.xml change? It's been my experience that authentication method changes like this actually get handled from deeper within Tomcat's internal code, not just the application, and the only way to register the change is by a full restart. Brent Sims Systems Analyst 2 KC Human Services - Road rage, air rage. Why should I be forced to divide my rage into separate categories? To me, it's just one big, all-round, everyday rage. I don't have time for fine distinctions. I'm too busy screaming at people. - George Carlin [EMAIL PROTECTED] 04/09/05 11:00 AM I have Tomcat 5.5.4 running on WindowsXP with BASIC authentication working via the Memory Realm and it works fine. I want to change to FORM-based authentication. I've 'BASIC' to 'FORM' in web.xml and have a logon.html page with a form action=j_security_check (but it gives a HTTP 408 timeout error immediately... any ideas? Are there any online tutorials to help configure this? Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Application-level control of web-resources
...To be more specific, I consider creating my own custom-modification
of Tomcat including functionality for application-level control of
resources - see the below sketch. I kind of think upon a modified
'JspServlet' hidden behind a nice interface so as to avoid fiddling
directly with JSP-compilation and so on.
Is this possible?
How hard is it to implement?
Are there alternatives (like hacking class-loaders or
file-system-access)?
I believe, that it can be done by direct JSPC-invocation or abuse of the
file-system containing unpacked WAR's - both compromises the integrity
of WAR's - I do not consider any of these a clean of pure way of doing
it. I want programmatic control.
Dynamic JSP's/resources are (sadly) not part of Sun's specifications.
As far as I can tell from a short look at the source-code for Tomcat, it
should not be too hard to create this functionality. It would be a nice
experiment.
If you care to comment, I would like to here some opinions from people
with insight into the internals of Tomcat.
Morten Sabroe Mortensen
- BEGIN: Idea for application-level control of resources: -
The idea is this:
A web-resource like e.g. a JSP-page is to be obtained by the
servlet-engine from the web-application through an interface like this:
/**
* Description of a resource within the context of a servlet-engine. */
public interface Resource {
/**
*
*/
long getTimeModification()
throws
IOException;
/**
*
*/
InputStream getInputStream(String path)
throws
IOException;
}
When a user-agent addresses e.g. a JSP-page, a 'ResourceManager' set by
the application is requested by the servlet-engine with the purpose of
delivering the resource:
ServletContext (modified - Tomcat-specific):
void setResourceManager(ResourceManager resourceManager) ...
ResourceManager getResourceManager() ...
Resource getResourceAsResource(String path)
{
Resource res=null;
{
ResourceManager resourceManager=getResourceManager();
if (resourceManager!=null)
{
res=resourceManager.getResource(path);
}
}
return res;
}
void addResourceListener(ResourceListener l)
void removeResourceListener(ResourceListener l)
void fireResourceUpdate(ResourceEvent ev)
interface ResourceManager:
Resource getResource(String path) ...
interface ResourceListener:
void onResourceUpdate(ResourceEvent ev) ... //event-object must
contain path-information
There could be two strategies for accessing a resource:
1) Each time a resource like e.g. a JSP-page is requested, the
servlet-engine performs a lookup for the 'Resource' object and uses
'getTimeModification()' to determine, if the JSP-page has changed and
therefore should be re-compiled and re-loaded. The resource could also
have been removed completely, which would result in no 'Resource' object
being found and 'null' returned - in which case the page no longer
exists.
2) The application always notifies the servlet-engine about changes to
resources. If a resource like e.g. a JSP-page is changed or removed, the
application calls 'fireResourceUpdate()' which again trickers all
'ResourceListener' instances, where the servlet-engine itself per
default has a specific listener added and this listener makes the
servlet-engine perform a lookup for the 'Resource' as in 1).
The 'ResourceManager' could implement a chain-of-responsibility, but
this can be left to the specific application and does not need to be
part of the interface between the servlet-engine and the
web-application.
Interesting types of resources include JSP-pages/-fragments and
tag-libraries.
As I see it, the 'Resource'-type of interface could also be in play,
when Tomcat differs between obtaining resources from an unpacked
WAR-file to when the WAR-file is actually unpacked within the
file-system and JSP-pages are added or changed directly within the
file-system. Tomcat must have something like my 'Resource'-functionality
already, but possibly not expressed as an interface between Tomcat and
web-applications. When moving to a live repository like a file-system,
the 'Resource.getTimeModification()' comes into play. There is a
possibility for a unification here.
- END: Idea for application-level control of resources. -
-Original Message-
From: Morten Sabroe Mortensen [mailto:[EMAIL PROTECTED]
Sent: 9. april 2005 18:36
To: tomcat-user@jakarta.apache.org
Subject: Application-level control of web-resources
What are the possibilites for application-level control of resources
like JSP-resources?
This would open up for e.g. creating a wiki-like application, where each
wiki-page is a valid JSP-page, which is created dynamically and stored
elsewhere than within the deployed WAR-file.
If anyone fancy this type of functionality - or have tried to implement
it by whatever means possible - please make a statement!
Morten Sabroe Mortensen
