DO NOT REPLY [Bug 48373] New: Can not get clients from TomcatBayeux
https://issues.apache.org/bugzilla/show_bug.cgi?id=48373

Summary: Can not get clients from TomcatBayeux
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Modules: bayeux
AssignedTo: dev@tomcat.apache.org
ReportedBy: wujunc...@gmail.com

When calling the getClients method, there will be an Exception:

java.lang.ArrayStoreException: java.util.HashMap$Entry

Maybe this method should be:

    public List<Client> getClients() {
        return java.util.Arrays.asList(clients.values().toArray(new Client[0]));
    }

instead of this:

    public List<Client> getClients() {
        return java.util.Arrays.asList(clients.entrySet().toArray(new Client[0]));
    }

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r889585 - /tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java
Author: markt Date: Fri Dec 11 12:14:05 2009 New Revision: 889585 URL: http://svn.apache.org/viewvc?rev=889585view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48370 Remove some unused imports Modified: tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java Modified: tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java URL: http://svn.apache.org/viewvc/tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java?rev=889585r1=889584r2=889585view=diff == --- tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java (original) +++ tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java Fri Dec 11 12:14:05 2009 @@ -23,18 +23,16 @@ import org.apache.catalina.comet.CometEvent; import org.apache.tomcat.bayeux.HttpError; import org.apache.tomcat.bayeux.BayeuxException; -import org.apache.tomcat.bayeux.BayeuxRequest; import org.apache.tomcat.bayeux.ChannelImpl; import org.apache.tomcat.bayeux.ClientImpl; import org.apache.tomcat.bayeux.MessageImpl; +import org.apache.tomcat.bayeux.RequestBase; import org.apache.tomcat.bayeux.TomcatBayeux; import org.json.JSONException; import org.json.JSONObject; import org.apache.cometd.bayeux.Bayeux; -import java.util.List; -import org.apache.cometd.bayeux.Message; -import java.util.Iterator; -import org.apache.tomcat.bayeux.*; +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; /** * Handshake request Bayeux message. @@ -44,10 +42,10 @@ * @version 1.0 * */ -public class PublishRequest extends RequestBase implements BayeuxRequest { - -JSONObject msgData = null; +public class PublishRequest extends RequestBase { +private static final Log log = LogFactory.getLog(RequestBase.class); + protected static HashMapString,Object responseTemplate = new HashMapString,Object(); static { 
@@ -55,6 +53,8 @@ responseTemplate.put(Bayeux.ADVICE_FIELD, new HashMapString, Object()); } +JSONObject msgData = null; + public PublishRequest(TomcatBayeux tb, CometEvent event, JSONObject jsReq) throws JSONException { super(tb, event, jsReq); } @@ -69,6 +69,7 @@ * * @return HttpError This method returns null if no errors were found */ +@Override public HttpError validate() { if(channel==null|| (!this.getTomcatBayeux().hasChannel(channel))) return new HttpError(400,Channel Id not valid., null); @@ -87,6 +88,7 @@ /** * Send the event message to all registered subscribers. */ +@Override public int process(int prevops) throws BayeuxException { super.process(prevops); response = (HashMapString, Object)responseTemplate.clone(); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
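Review bot: the new logger in PublishRequest is created with LogFactory.getLog(RequestBase.class), so everything this class logs is filed under the RequestBase category and cannot be filtered or traced per class; it should be LogFactory.getLog(PublishRequest.class). Separately, the log message mentions only the compile fix and the unused imports, while the diff also drops "implements BayeuxRequest", moves msgData and adds @Override to validate() and process(); list those in the message or split them out so the history matches the change.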
DO NOT REPLY [Bug 48370] PublishRequest.java can not be compiled
https://issues.apache.org/bugzilla/show_bug.cgi?id=48370

Mark Thomas ma...@apache.org changed:

What|Removed|Added
Status|NEW|RESOLVED
Resolution||FIXED

--- Comment #1 from Mark Thomas ma...@apache.org 2009-12-11 04:15:08 GMT ---
Thanks for the report. I suspect the recent exercise making logs final and private broke this since RequestBase does have a log. I've added a log to PublishRequest and cleaned up the imports as well.
svn commit: r889587 - /tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/TomcatBayeux.java
Author: markt Date: Fri Dec 11 12:17:27 2009 New Revision: 889587 URL: http://svn.apache.org/viewvc?rev=889587view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48373 Patch suggested by wujunchen Modified: tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/TomcatBayeux.java Modified: tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/TomcatBayeux.java URL: http://svn.apache.org/viewvc/tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/TomcatBayeux.java?rev=889587r1=889586r2=889587view=diff == --- tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/TomcatBayeux.java (original) +++ tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/TomcatBayeux.java Fri Dec 11 12:17:27 2009 @@ -105,7 +105,7 @@ } public ListClient getClients() { -return java.util.Arrays.asList(clients.entrySet().toArray(new Client[0])); +return java.util.Arrays.asList(clients.values().toArray(new Client[0])); } public SecurityPolicy getSecurityPolicy() { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
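Review bot: getClients() now copies clients.values(), which fixes the ArrayStoreException, but the commit changes only TomcatBayeux.java and adds no test; the original entrySet() call compiled cleanly and failed only at run time, so a unit test that registers one client and calls getClients() is worth adding alongside. It would also help to say in a Javadoc comment that the returned list is a fixed-size snapshot from Arrays.asList, not a live view of the client map.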
DO NOT REPLY [Bug 48373] Can not get clients from TomcatBayeux
https://issues.apache.org/bugzilla/show_bug.cgi?id=48373

Mark Thomas ma...@apache.org changed:

What|Removed|Added
Status|NEW|RESOLVED
Resolution||FIXED

--- Comment #1 from Mark Thomas ma...@apache.org 2009-12-11 04:18:05 GMT ---
Thanks for the report and your suggested fix. Your fix makes sense to me so I have applied it to trunk. Many thanks.
Re: svn commit: r889585 - /tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java
Did you mean PublishRequest.class?

+private static final Log log = LogFactory.getLog(RequestBase.class);

-Tim

ma...@apache.org wrote:
Author: markt
Date: Fri Dec 11 12:14:05 2009
New Revision: 889585
URL: http://svn.apache.org/viewvc?rev=889585view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48370
Remove some unused imports
Modified: tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java
Re: svn commit: r889585 - /tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java
On 11/12/2009 12:37, Tim Funk wrote:
Did you mean PublishRequest.class?

+private static final Log log = LogFactory.getLog(RequestBase.class);

I did. I was too quick with the copy and paste.

Mark

-Tim

ma...@apache.org wrote:
Author: markt
Date: Fri Dec 11 12:14:05 2009
New Revision: 889585
URL: http://svn.apache.org/viewvc?rev=889585view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48370
Remove some unused imports
Modified: tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java
svn commit: r889596 - /tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java
Author: markt Date: Fri Dec 11 12:47:13 2009 New Revision: 889596 URL: http://svn.apache.org/viewvc?rev=889596view=rev Log: Use the right class for the logger Modified: tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java Modified: tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java URL: http://svn.apache.org/viewvc/tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java?rev=889596r1=889595r2=889596view=diff == --- tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java (original) +++ tomcat/trunk/modules/bayeux/java/org/apache/tomcat/bayeux/request/PublishRequest.java Fri Dec 11 12:47:13 2009 @@ -44,7 +44,7 @@ */ public class PublishRequest extends RequestBase { -private static final Log log = LogFactory.getLog(RequestBase.class); +private static final Log log = LogFactory.getLog(PublishRequest.class); protected static HashMapString,Object responseTemplate = new HashMapString,Object(); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r889606 - in /tomcat/trunk/java/org/apache/catalina/authenticator: FormAuthenticator.java LocalStrings.properties
Author: markt Date: Fri Dec 11 13:12:57 2009 New Revision: 889606 URL: http://svn.apache.org/viewvc?rev=889606view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47537 Return an error page if a forward during form auth fails rather than a zero length 200 response. Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=889606r1=889605r2=889606view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Fri Dec 11 13:12:57 2009 @@ -30,6 +30,7 @@ import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletResponse; +import org.apache.catalina.Globals; import org.apache.catalina.Realm; import org.apache.catalina.Session; import org.apache.catalina.connector.Request; 
@@ -307,16 +308,24 @@ * @param response Response we are populating * @param configLogin configuration describing how authentication * should be performed + * @throws IOException If the forward to the login page fails and the call + * to {...@link HttpServletResponse#sendError(int, String) + * throws an {...@link IOException} */ protected void forwardToLoginPage(Request request, -HttpServletResponse response, LoginConfig config) { +HttpServletResponse response, LoginConfig config) +throws IOException { RequestDispatcher disp = context.getServletContext().getRequestDispatcher (config.getLoginPage()); try { disp.forward(request.getRequest(), response); } catch (Throwable t) { -log.warn(Unexpected error forwarding to login page, t); +String msg = sm.getString(formAuthenticator.forwardLoginFail); +log.warn(msg, t); +request.setAttribute(Globals.EXCEPTION_ATTR, t); +response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, +msg); } } 
@@ -328,16 +337,24 @@ * @param response Response we are populating * @param configLogin configuration describing how authentication * should be performed + * @throws IOException If the forward to the error page fails and the call + * to {...@link HttpServletResponse#sendError(int, String) + * throws an {...@link IOException} */ protected void forwardToErrorPage(Request request, -HttpServletResponse response, LoginConfig config) { +HttpServletResponse response, LoginConfig config) +throws IOException { RequestDispatcher disp = context.getServletContext().getRequestDispatcher (config.getErrorPage()); try { disp.forward(request.getRequest(), response); } catch (Throwable t) { -log.warn(Unexpected error forwarding to error page, t); +String msg = sm.getString(formAuthenticator.forwardErrorFail); +log.warn(msg, t); +request.setAttribute(Globals.EXCEPTION_ATTR, t); +response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, +msg); } } Modified: tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties?rev=889606r1=889605r2=889606view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties Fri Dec 11 13:12:57 2009 
@@ -27,3 +27,6 @@ authenticator.sessionExpired=The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser authenticator.unauthorized=Cannot authenticate with the provided credentials authenticator.userDataConstraint=This request violates a User Data constraint for this application + +formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page +formAuthenticator.forwardLoginFail=Unexpected error forwarding to login page - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
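Review bot: in the catch blocks of forwardToLoginPage and forwardToErrorPage, response.sendError(...) is called without checking response.isCommitted(); if the forward failed after output was committed, sendError throws IllegalStateException, which the new throws clause and Javadoc do not cover, so guard the call or document the case. The added @link to HttpServletResponse#sendError(int, String) is missing its closing brace in both methods, and since the two catch bodies differ only in the message key they could share one private helper. Setting Globals.EXCEPTION_ATTR hands the Throwable to the error page at a point where the user is not yet authenticated, so it is worth confirming that the error report shown here does not print the stack trace.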
svn commit: r889609 - /tomcat/tc5.5.x/trunk/STATUS.txt
Author: markt Date: Fri Dec 11 13:20:28 2009 New Revision: 889609 URL: http://svn.apache.org/viewvc?rev=889609view=rev Log: Proposal Modified: tomcat/tc5.5.x/trunk/STATUS.txt Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=889609r1=889608r2=889609view=diff == --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Dec 11 13:20:28 2009 @@ -234,3 +234,10 @@ http://people.apache.org/~markt/patches/2009-11-27-bug48300-tc5.patch +1: markt -1: + +* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47537 + Return an error page rather than a zero length 200 reposne if the forward to + the login or error page fails during FORM authentication + http://svn.apache.org/viewvc?rev=889606view=rev + +1: markt + -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
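Review bot: typo in the added tc5.5.x STATUS.txt entry, "reposne" should read "response" in "zero length 200 reposne".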
svn commit: r889611 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: markt Date: Fri Dec 11 13:21:07 2009 New Revision: 889611 URL: http://svn.apache.org/viewvc?rev=889611view=rev Log: Proposal Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=889611r1=889610r2=889611view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Dec 11 13:21:07 2009 @@ -480,3 +480,10 @@ http://svn.apache.org/viewvc?rev=888072view=rev +1: markt -1: + +* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47537 + Return an error page rather than a zero length 200 reposne if the forward to + the login or error page fails during FORM authentication + http://svn.apache.org/viewvc?rev=889606view=rev + +1: markt + -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
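Review bot: the added tc6.0.x STATUS.txt entry carries the same misspelling as the 5.5.x proposal, "reposne" for "response"; fix it before the entry is voted on.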
DO NOT REPLY [Bug 47537] Empty response when forward to login page fails
https://issues.apache.org/bugzilla/show_bug.cgi?id=47537

--- Comment #1 from Mark Thomas ma...@apache.org 2009-12-11 05:21:55 GMT ---
Thanks for the report. This has been fixed in trunk (for Tomcat 7) and proposed for back port to 6.0.x and 5.5.x
DO NOT REPLY [Bug 47544] Ant DeployTask silently ignores config when war is set.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47544

Mark Thomas ma...@apache.org changed:

What|Removed|Added
Status|NEW|RESOLVED
Resolution||DUPLICATE

--- Comment #1 from Mark Thomas ma...@apache.org 2009-12-11 05:31:28 GMT ---
This issue is a subset of the issues described in 47467. Fixing 47467 will fix this.

*** This bug has been marked as a duplicate of bug 47467 ***
DO NOT REPLY [Bug 47467] Deployment of the war file by URL when contextpath is not specified in Manager Application.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47467

Mark Thomas ma...@apache.org changed:

What|Removed|Added
CC||bku...@martellotech.com

--- Comment #14 from Mark Thomas ma...@apache.org 2009-12-11 05:31:28 GMT ---
*** Bug 47544 has been marked as a duplicate of this bug. ***
svn commit: r889615 - in /tomcat: tc5.5.x/trunk/container/webapps/docs/config/index.xml tc6.0.x/trunk/webapps/docs/config/index.xml trunk/webapps/docs/config/index.xml
Author: markt Date: Fri Dec 11 13:47:10 2009 New Revision: 889615 URL: http://svn.apache.org/viewvc?rev=889615view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47656 Add information on system property replacement in config files. Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/config/index.xml tomcat/tc6.0.x/trunk/webapps/docs/config/index.xml tomcat/trunk/webapps/docs/config/index.xml Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/config/index.xml URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/config/index.xml?rev=889615r1=889614r2=889615view=diff == --- tomcat/tc5.5.x/trunk/container/webapps/docs/config/index.xml (original) +++ tomcat/tc5.5.x/trunk/container/webapps/docs/config/index.xml Fri Dec 11 13:47:10 2009 @@ -39,6 +39,14 @@ specific tasks - for that, see the various emHOW-TO/em documents on the main index page./p +pThe Tomcat configuration files support Apache Ant style variable +substitution. A system property with the name codepropname/code may be +used in a configuration file using the syntax code${propname}/code. All +system properties are available including those set using the code-D/code +syntax, those automatically made available by the JVM and those configured in +the code$CATALINA_BASE/conf/catalina.properties/code file. +/p + pThe configuration element descriptions are organized into the following major categories:/p ul Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/index.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/index.xml?rev=889615r1=889614r2=889615view=diff == --- tomcat/tc6.0.x/trunk/webapps/docs/config/index.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/index.xml Fri Dec 11 13:47:10 2009 
@@ -39,6 +39,14 @@ specific tasks - for that, see the various emHOW-TO/em documents on the main index page./p +pThe Tomcat configuration files support Apache Ant style variable +substitution. A system property with the name codepropname/code may be +used in a configuration file using the syntax code${propname}/code. All +system properties are available including those set using the code-D/code +syntax, those automatically made available by the JVM and those configured in +the code$CATALINA_BASE/conf/catalina.properties/code file. +/p + pThe configuration element descriptions are organized into the following major categories:/p ul Modified: tomcat/trunk/webapps/docs/config/index.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/index.xml?rev=889615r1=889614r2=889615view=diff == --- tomcat/trunk/webapps/docs/config/index.xml (original) +++ tomcat/trunk/webapps/docs/config/index.xml Fri Dec 11 13:47:10 2009 @@ -39,6 +39,14 @@ specific tasks - for that, see the various emHOW-TO/em documents on the main index page./p +pThe Tomcat configuration files support Apache Ant style variable +substitution. A system property with the name codepropname/code may be +used in a configuration file using the syntax code${propname}/code. All +system properties are available including those set using the code-D/code +syntax, those automatically made available by the JVM and those configured in +the code$CATALINA_BASE/conf/catalina.properties/code file. +/p + pThe configuration element descriptions are organized into the following major categories:/p ul - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
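Review bot: the added paragraph, repeated in all three index.xml files, does not say what happens when ${propname} names a property that is not defined, nor which source wins when the same property is set both with -D and in catalina.properties; state both, and a one-line example of an attribute value using ${propname} would make the syntax concrete.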
DO NOT REPLY [Bug 47656] Documentation on server configuration should include note about ant-style variable substitution
https://issues.apache.org/bugzilla/show_bug.cgi?id=47656

Mark Thomas ma...@apache.org changed:

What|Removed|Added
Status|NEW|RESOLVED
Resolution||FIXED

--- Comment #1 from Mark Thomas ma...@apache.org 2009-12-11 05:48:23 GMT ---
Thanks for the report. I have added some text to the docs for trunk, 6.0.x and 5.5.x which will be included in 7.0.0 onwards, 6.0.21 onwards and 5.5.29 onwards.
svn commit: r889617 - in /tomcat: tc5.5.x/trunk/container/webapps/docs/changelog.xml tc6.0.x/trunk/webapps/docs/changelog.xml
Author: markt Date: Fri Dec 11 13:51:12 2009 New Revision: 889617 URL: http://svn.apache.org/viewvc?rev=889617view=rev Log: Chnagelog updates Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=889617r1=889616r2=889617view=diff == --- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original) +++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Fri Dec 11 13:51:12 2009 @@ -147,6 +147,10 @@ bug41564/bug: Add some information on installing Tomcat as a service on operating systems with User Account Control, e.g. Vista. (markt) /fix + fix +bug47656/bug: Add information to documentation on system property +replacement in configuration files. (markt) + /fix /changelog /subsection /section Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=889617r1=889616r2=889617view=diff == --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri Dec 11 13:51:12 2009 @@ -469,6 +469,10 @@ (markt) /fix fix +bug47656/bug: Add information to documentation on system property +replacement in configuration files. (markt) + /fix + fix bug47705/bug: Fix division by zero error in the manager when trying to expire sessions when the session timeout is set to infinite. (funkman) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 43656] ELSupport.coerceToType modifies BigDecimal Values
https://issues.apache.org/bugzilla/show_bug.cgi?id=43656

--- Comment #26 from Adam Hardy adam.ha...@cyberspaceroad.com 2009-12-11 07:09:30 UTC ---
Created an attachment (id=24692) -- (https://issues.apache.org/bugzilla/attachment.cgi?id=24692)
zip containing JSP, TLD and java file

I came across this bug today - at least it looks a lot like it. If I try to pass in a null to the function, it falls over giving me the following:

java.lang.IllegalArgumentException: Cannot convert 0 of type class java.lang.Long to class java.lang.Number
    org.apache.el.lang.ELSupport.coerceToNumber(ELSupport.java:250)

Which is at best misleading and at worst, just the wrong way to handle nulls. Hopefully this is reproducible everywhere.
DO NOT REPLY [Bug 43656] ELSupport.coerceToType modifies BigDecimal Values
https://issues.apache.org/bugzilla/show_bug.cgi?id=43656

Adam Hardy adam.ha...@cyberspaceroad.com changed:

What|Removed|Added
Status|RESOLVED|REOPENED
Resolution|WORKSFORME|

--- Comment #27 from Adam Hardy adam.ha...@cyberspaceroad.com 2009-12-11 07:11:44 UTC ---
The attached zip causes the stack trace in 6.0.20
DO NOT REPLY [Bug 43656] ELSupport.coerceToType won't handle null for java.lang.Number
https://issues.apache.org/bugzilla/show_bug.cgi?id=43656

Adam Hardy adam.ha...@cyberspaceroad.com changed:

What|Removed|Added
CC||adam.ha...@cyberspaceroad.com
Summary|ELSupport.coerceToType modifies BigDecimal Values|ELSupport.coerceToType won't handle null for java.lang.Number
[PATCH]: Session cookie domain/path support
Hello :) This patch adds support for configuring session cookie domain and path parameter on per-context basis. Configuration is done by editing META-INF/context.xml Context sessionCookiePath=/something sessionCookieDomain=.domain.tld / Applies to 6.0.20. Best regards, Brane Index: java/org/apache/catalina/core/StandardContext.java === --- java/org/apache/catalina/core/StandardContext.java (revision 832150) +++ java/org/apache/catalina/core/StandardContext.java (working copy) @@ -289,8 +289,22 @@ */ private boolean cookies = true; +/** + * Cookie domain for session cookies +`*/ +private String sessionCookieDomain = null; /** + * Forced path for session cookies + */ +private String sessionCookiePath = null; + +/** + * Forced session cookie name + */ +private String sessionCookieName = null; + +/** * Should we allow the codeServletContext.getContext()/code method * to access the context of other web applications in this server? */ 
@@ -1149,9 +1163,65 @@ } +/** + * Returns cookie domain for session (JSESSIONID) cookies + */ +public String getSessionCookieDomain() { +return sessionCookieDomain; +} +/** + * Sets cookie domain for session (JSESSIONID) cookies + * @param domain session cookie domain name + */ +public void setSessionCookieDomain(String domain) { +if (domain == null || domain.length() 1) { +throw new IllegalArgumentException(Session cookie domain name cannot be zero-length string.); +} +sessionCookieDomain = domain.trim(); +} /** + * Returns forced session cookie path + */ +public String getSessionCookiePath() { +return sessionCookiePath; +} + +/** + * Returns session cookie name for application context. + */ +public String getSessionCookieName() { +if (sessionCookieName != null) { +return sessionCookieName; +} +return Globals.SESSION_COOKIE_NAME; +} + +/** + * Sets session cookie name for application context + * + * @param name Session cookie name + */ +public void setSessionCookieName(String name) { +if (name == null || name.length() 1) { +throw new IllegalArgumentException(Session cookie name cannot be zero-length string.); +} +sessionCookieName = name; +} + +/** + * Sets forced session cookie path; + * @param String forced session cookie path. + */ +public void setSessionCookiePath(String forcedPath) { +if (forcedPath == null || forcedPath.length() 1 || forcedPath.charAt(0) != '/') { +throw new IllegalArgumentException(Session cookie path must be non-zero string starting with / character.); +} +sessionCookiePath = forcedPath; +} + +/** * Return the allow crossing servlet contexts flag. */ public boolean getCrossContext() { Index: java/org/apache/catalina/connector/Request.java === --- java/org/apache/catalina/connector/Request.java (revision 832150) +++ java/org/apache/catalina/connector/Request.java (working copy) @@ -1663,7 +1663,6 @@ * @param id The new session id */ public void setRequestedSessionId(String id) { - this.requestedSessionId = id; } 
@@ -2290,6 +2289,24 @@ manager = context.getManager(); if (manager == null) return (null); // Sessions are not supported + +// get context session cookie name and possibly override +// currently set requestedSessionId +String scn = context.getSessionCookieName(); +if (scn != null ! scn.equals(Globals.SESSION_COOKIE_NAME)) { +// try to fetch cookie scn +Cookie cs[] = getCookies(); +if (cs != null) { +for (Cookie c: cs) { +if (c != null scn.equals(c.getName())) { +// override requested session id value +requestedSessionId = c.getValue(); +break; +} +} +} +} + if (requestedSessionId != null) { try { session = manager.findSession(requestedSessionId); @@ -2327,7 +2344,7 @@ // Creating a new session cookie based on that session if ((session != null) (getContext() != null) getContext().getCookies()) { -Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, +Cookie cookie = new Cookie(getContext().getSessionCookieName(), session.getIdInternal()); configureSessionCookie(cookie); response.addCookieInternal(cookie, context.getUseHttpOnly());
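Review bot: setSessionCookieDomain() in StandardContext checks domain.length() before calling trim(), so a whitespace-only value passes validation and is stored as an empty string; trim first and validate the result, and give setSessionCookieName() and setSessionCookiePath() the same handling, since they do not trim at all. The Javadoc block above sessionCookieDomain ends with a stray backquote before the closing */, and the patch description covers domain and path only while the hunk also introduces sessionCookieName, which should be mentioned and documented for context.xml.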
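Review bot: in the Request.java hunks shown, only getSessionCookieName() is consumed (the cookie lookup in the @@ -2290 hunk and the new Cookie(...) call); nothing visible reads getSessionCookieDomain() or getSessionCookiePath(), so either the change that applies them to the cookie is missing from the patch or the two attributes have no effect. When that part is added, the documentation should state that a value such as .domain.tld, or a path above the context root, sends the session ID to every host or application in that scope. The @@ -1663 hunk only deletes a blank line in setRequestedSessionId() and should be dropped from the patch.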
[PATCH]: X-Forwarded-For support
Hello :) This patch adds support for X-Forwarded-For (or any other) http request header holding ip address of real client so that request.getRemoteAddr() return correct address if tomcat is running behind apache or any other reverse http proxy. Best regards, Brane Index: java/org/apache/catalina/connector/RequestFacade.java === --- java/org/apache/catalina/connector/RequestFacade.java (revision 832150) +++ java/org/apache/catalina/connector/RequestFacade.java (working copy) @@ -477,6 +477,20 @@ throw new IllegalStateException( sm.getString(requestFacade.nullRequest)); } + +// is this forwarded request? +if (request.getConnector().getForwarded()) { +String header = request.getConnector().getForwardedForHeader(); +if (header != null) { +// check for header header in request +String v = request.getHeader(header); +// if header is found, return its value, +// otherwise fallback to original behaviour +if (v != null v.length() 0) { +return v; +} +} +} return request.getRemoteAddr(); } @@ -489,6 +503,20 @@ sm.getString(requestFacade.nullRequest)); } +// is this forwarded request? +if (request.getConnector().getForwarded()) { +String header = request.getConnector().getForwardedForHeader(); +if (header != null) { +// check for header header in request +String v = request.getHeader(header); +// if header is found, return its value, +// otherwise fallback to original behaviour +if (v != null v.length() 0) { +return v; +} +} +} + return request.getRemoteHost(); } @@ -929,6 +957,12 @@ sm.getString(requestFacade.nullRequest)); } +// is this forwarded request? +if (request.getConnector().getForwarded()) { +// it's impossible to identify remote port... +return -1; +} + return request.getRemotePort(); } Index: java/org/apache/catalina/connector/Connector.java === --- java/org/apache/catalina/connector/Connector.java (revision 832150) +++ java/org/apache/catalina/connector/Connector.java (working copy) 
@@ -184,8 +184,21 @@ */ protected boolean secure = false; +/** + * If true use hostHeader or else check the headers for retrieving information + * from the original request to control what is returned by + * ServletRequest#getServerName() and ServletRequest#getServerPort() + * and ServletRequest#getRemoteAddr() (see Configuring mod_proxy). Default is false. + */ +protected boolean forwarded = false; /** + * The forwarded for header to use. Default is X-Forwarded-For. + * This value is only used if forwarded is true. + */ +protected String forwardedForHeader = X-Forwarded-For; + +/** * The string manager for this package. */ protected StringManager sm = 
@@ -848,6 +861,48 @@ setProperty(secure, Boolean.toString(secure)); } +/** + * Returns forwarded status for this connector + */ +public boolean getForwarded() { +return this.forwarded; +} + +/** + * Sets forwarded flag. + * If true use hostHeader or else check the headers for retrieving information from the original + * request to control what is returned by ServletRequest#getServerName() and ServletRequest#getServerPort() + * and ServletRequest#getRemoteAddr() (see Configuring mod_proxy). Default is false. + * + * @param forwarded Forwarded flag + */ +public void setForwarded(boolean forwarded) { +this.forwarded = forwarded; +} + +/** + * Returns forwarded-for header name. This header is then + * used for HttpServletRequest#getRemoteAddr to determine + * IP address of final client. + */ +public String getForwardedForHeader() { +return this.forwardedForHeader; +} + +/** + * Sets forwarded-for http request header name. This header is used to + * to determine client's IP address by HttpServletRequest#getRemoteAddr + * if forwarded flag is true. + * + * @param name forwarded-for header name + */ +public void setForwardedForHeader(String name) { +if (name == null || name.length() 1) { +throw new IllegalStateException(forwardedForHeader cannot be null or zero-length string.); +} +this.forwardedForHeader = name; +} + /** * Return the character encoding to be used for the URI.
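Review bot: in the getRemoteAddr() and getRemoteHost() hunks of RequestFacade.java the header value is returned verbatim whenever the connector's forwarded flag is set, with no check that the connection actually came from the reverse proxy. Any client that can reach the connector directly then decides which address access logs and address-based access checks will see. The value also needs parsing before use: X-Forwarded-For commonly carries a comma-separated list when proxies are chained, and here the whole string would be handed back as the remote address. Suggest honouring the header only when request.getRemoteAddr() matches a configured set of proxy addresses, and checking that the selected element is an IP address. The -1 returned by the getRemotePort() hunk should be documented for callers that expect a valid port.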
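Review bot: the Javadoc on the new forwarded field and on setForwarded() in Connector.java says the flag controls ServletRequest#getServerName() and ServletRequest#getServerPort(), but the RequestFacade hunks of this patch only change getRemoteAddr(), getRemoteHost() and getRemotePort(); the comment should describe what the flag does in this patch. In setForwardedForHeader() a bad argument is reported with IllegalStateException, where IllegalArgumentException is the conventional choice for rejecting a parameter value.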
DO NOT REPLY [Bug 48378] New: X-Forwarded-For request header support
https://issues.apache.org/bugzilla/show_bug.cgi?id=48378

Summary: X-Forwarded-For request header support
Product: Tomcat 6
Version: 6.0.20
Platform: PC
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Connectors
AssignedTo: dev@tomcat.apache.org
ReportedBy: b...@najdi.si

Created an attachment (id=24697)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24697)
X-Forwarded-For tomcat support

This patch adds support for X-Forwarded-For (configurable) http request header if Tomcat is running behind Apache or any other http reverse proxy. Documentation is included in standard tomcat docs.
Re: [PATCH]: X-Forwarded-For support
On 11/12/2009 16:36, Brane F. Gračnar wrote:
> Hello :)
>
> This patch adds support for X-Forwarded-For (or any other) http request
> header holding ip address of real client so that request.getRemoteAddr()
> return correct address if tomcat is running behind apache or any other
> reverse http proxy.

Brane,

Patches are best attached to bugzilla entries so they don't get lost.

That said, the new (in 6.0.21) RemoteIp valve provides the same (and more) functionality so I am sorry to say that I don't think this patch would be accepted.

Mark
DO NOT REPLY [Bug 48378] X-Forwarded-For request header support
https://issues.apache.org/bugzilla/show_bug.cgi?id=48378

Mark Thomas ma...@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #1 from Mark Thomas ma...@apache.org 2009-12-11 08:46:28 GMT ---
This functionality has already been added to trunk and 6.0.x

*** This bug has been marked as a duplicate of bug 47330 ***
DO NOT REPLY [Bug 47330] proposal : port of mod_remoteip in Tomcat as RemoteIpValve
https://issues.apache.org/bugzilla/show_bug.cgi?id=47330

Mark Thomas ma...@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |b...@najdi.si

--- Comment #13 from Mark Thomas ma...@apache.org 2009-12-11 08:46:28 GMT ---
*** Bug 48378 has been marked as a duplicate of this bug. ***
DO NOT REPLY [Bug 46976] tomcat 6 doesn't support configuration of domain parameter of generated session cookies
https://issues.apache.org/bugzilla/show_bug.cgi?id=46976

Mark Thomas ma...@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

--- Comment #1 from Mark Thomas ma...@apache.org 2009-12-11 08:48:58 GMT ---
Bug 48379 has a better patch for this.

*** This bug has been marked as a duplicate of bug 48379 ***
DO NOT REPLY [Bug 48379] Session cookie domain and path configuration support
https://issues.apache.org/bugzilla/show_bug.cgi?id=48379

--- Comment #1 from Mark Thomas ma...@apache.org 2009-12-11 08:48:58 GMT ---
*** Bug 46976 has been marked as a duplicate of this bug. ***
DO NOT REPLY [Bug 48379] Session cookie domain and path configuration support
https://issues.apache.org/bugzilla/show_bug.cgi?id=48379

--- Comment #2 from Mark Thomas ma...@apache.org 2009-12-11 08:49:59 GMT ---
Created an attachment (id=24698)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24698)
Updated patch for this issue

Add the patch from the dev list that the OP forgot to attach
svn commit: r889701 - /tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
Author: markt Date: Fri Dec 11 17:04:36 2009 New Revision: 889701 URL: http://svn.apache.org/viewvc?rev=889701view=rev Log: JARs without any web.xml fragments should not impact the status of distributable Modified: tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java Modified: tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java?rev=889701r1=889700r2=889701view=diff == --- tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java (original) +++ tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java Fri Dec 11 17:04:36 2009 @@ -1866,7 +1866,11 @@ jarFile = urlConn.getJarFile(); JarEntry fragmentEntry = jarFile.getJarEntry(FRAGMENT_LOCATION); -if (fragmentEntry != null) { +if (fragmentEntry == null) { +// If there is no web.xml, normal JAR no impact on +// distributable +fragment.setDistributable(true); +} else { stream = jarFile.getInputStream(fragmentEntry); InputSource source = new InputSource( urlConn.getJarFileURL().toString() + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
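Review bot: the new fragmentEntry == null branch in ContextConfig.java calls fragment.setDistributable(true) without saying why true is the neutral value, and its comment ("If there is no web.xml, normal JAR no impact on distributable") is hard to parse. Suggest rewording it to something like "No fragment at FRAGMENT_LOCATION in this JAR, so it must not stop the merged result from being distributable", which also avoids calling the fragment file web.xml.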
svn commit: r889707 - /tomcat/trunk/webapps/docs/config/valve.xml
Author: markt Date: Fri Dec 11 17:14:26 2009 New Revision: 889707 URL: http://svn.apache.org/viewvc?rev=889707view=rev Log: Remove docs for valve that was replaced with filter Modified: tomcat/trunk/webapps/docs/config/valve.xml Modified: tomcat/trunk/webapps/docs/config/valve.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=889707r1=889706r2=889707view=diff == --- tomcat/trunk/webapps/docs/config/valve.xml (original) +++ tomcat/trunk/webapps/docs/config/valve.xml Fri Dec 11 17:14:26 2009 
@@ -583,47 +583,6 @@ /section -section name=Add Default Character Set Valve - - subsection name=Introduction - -pThe HTTP specification is clear that if no character set is specified for -media sub-types of the text media type, the ISO-8859-1 character set must -be used. However, browsers may attempt to auto-detect the character set. -This may be exploited by an attacker to perform an XSS attack. Internet -Explorer has this behaviour by default. Other browsers have an option to -enable it./p - -pThis valve prevents the attack by explicitly setting a character set. -Unless the provided character set is explicitly overridden by the user the -browser will adhere to the explicitly set character set, thus preventing the -XSS attack./p - -pThis Valve may be used at the codeEngine/code, codeHost/code or -codeContext/code level as required. Normally, this Valve would be used -at the codeEngine/code level./p - - /subsection - - subsection name=Attributes - -pThe strongAdd Default Character Set Valve/strong supports the -following configuration attributes:/p - -attributes - - attribute name=className required=true -pJava class name of the implementation to use. This MUST be set to -strongorg.apache.catalina.valves.AddDefaultCharsetValve/strong./p - /attribute - -/attributes - - /subsection - -/section - - section name=Remote IP Valve subsection name=Introduction - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
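Review bot: readers who configured org.apache.catalina.valves.AddDefaultCharsetValve get no pointer to its replacement once the section removed at @@ -583 is gone, and the explanation of the charset auto-detection XSS risk disappears from valve.xml with it. Since the log says the valve was replaced with a filter, suggest leaving a one-line cross-reference to the filter's documentation at this position so that the mitigation stays discoverable.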
svn commit: r889716 - in /tomcat/trunk: java/org/apache/catalina/ java/org/apache/catalina/authenticator/ java/org/apache/catalina/connector/ java/org/apache/catalina/ha/session/ java/org/apache/catal
Author: markt Date: Fri Dec 11 17:30:59 2009 New Revision: 889716 URL: http://svn.apache.org/viewvc?rev=889716view=rev Log: Address session fixation by changing the session ID on authentication. This is enabled by default. This should be safe since this also happens when sessions migrate between nodes in a cluster. If an app can't handle a changing ID, then the feature can be disabled in the authenticator. Modified: tomcat/trunk/java/org/apache/catalina/Manager.java tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java tomcat/trunk/java/org/apache/catalina/connector/Request.java tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java tomcat/trunk/java/org/apache/catalina/session/ManagerBase.java tomcat/trunk/webapps/docs/config/valve.xml Modified: tomcat/trunk/java/org/apache/catalina/Manager.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Manager.java?rev=889716r1=889715r2=889716view=diff == --- tomcat/trunk/java/org/apache/catalina/Manager.java (original) +++ tomcat/trunk/java/org/apache/catalina/Manager.java Fri Dec 11 17:30:59 2009 @@ -260,6 +260,15 @@ /** + * Change the session ID of the current session to a new randomly generated + * session ID. + * + * @param session The session to change the session ID for + */ +public void changeSessionId(Session session); + + +/** * Get a session from the recycled ones or create a new empty one. * The PersistentManager manager does not need to create session data * because it reads it from the Store. Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=889716r1=889715r2=889716view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Fri Dec 11 17:30:59 2009 
@@ -38,6 +38,7 @@ import org.apache.catalina.Lifecycle; import org.apache.catalina.LifecycleException; import org.apache.catalina.LifecycleListener; +import org.apache.catalina.Manager; import org.apache.catalina.Pipeline; import org.apache.catalina.Realm; import org.apache.catalina.Session; @@ -123,6 +124,12 @@ /** + * Should the session ID, if any, be changed upon a successful + * authentication to prevent a session fixation attack? + */ +protected boolean changeSessionIdOnAuthentication = true; + +/** * The Context to which this Valve is attached. */ protected Context context = null; @@ -513,6 +520,7 @@ */ return; } + } if (log.isDebugEnabled()) { @@ -726,6 +734,13 @@ request.setUserPrincipal(principal); Session session = request.getSessionInternal(false); + +if (session != null changeSessionIdOnAuthentication) { +Manager manager = request.getContext().getManager(); +manager.changeSessionId(session); +request.changeSessionId(session.getId()); +} + // Cache the authentication information in our session, if any if (cache) { if (session != null) { Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=889716r1=889715r2=889716view=diff == --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original) +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Fri Dec 11 17:30:59 2009 
@@ -2252,6 +2252,40 @@ /** + * Change the ID of the session that this request is associated with. There + * are several things that may trigger an ID change. These include mmoving + * between nodes in a cluster and session fixation prevention during the + * authentication process. + * + * @param session The session to change the session ID for + */ +public void changeSessionId(String newSessionId) { +// This should only ever be called if there was an old session ID but +// double check to be sure +if (requestedSessionId != null requestedSessionId.length() 0) { +requestedSessionId = newSessionId; +} + +if (context != null !context.getServletContext() +.getEffectiveSessionTrackingModes().contains( +SessionTrackingMode.COOKIE)) +return; + +if (response != null) { +Cookie newCookie = +
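Review bot: the Javadoc on the new Request.changeSessionId(String newSessionId) in the @@ -2252 hunk documents "@param session The session to change the session ID for", which does not match the method's only parameter; it should describe newSessionId instead. The same comment has the typo "mmoving".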
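Review bot: adding changeSessionId(Session session) to the Manager interface (Manager.java, @@ -260) breaks any Manager implementation that is not updated along with it, and of the files listed in this commit only ManagerBase is a manager implementation. That deserves a changelog entry on trunk and should be weighed in the 6.0.x and 5.5.x proposals, where third-party managers that implement the interface directly would stop compiling.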
svn commit: r889719 - /tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
Author: markt Date: Fri Dec 11 17:33:27 2009 New Revision: 889719 URL: http://svn.apache.org/viewvc?rev=889719view=rev Log: Cleanup of unused method and parameter Modified: tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java Modified: tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java?rev=889719r1=889718r2=889719view=diff == --- tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java (original) +++ tomcat/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java Fri Dec 11 17:33:27 2009 @@ -19,8 +19,6 @@ import java.io.IOException; import javax.servlet.ServletException; -import javax.servlet.SessionTrackingMode; -import javax.servlet.http.Cookie; import org.apache.catalina.Container; import org.apache.catalina.Context; @@ -38,7 +36,6 @@ import org.apache.catalina.ha.session.DeltaSession; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; -import org.apache.catalina.core.ApplicationSessionCookieConfig; import org.apache.catalina.session.ManagerBase; import org.apache.catalina.session.PersistentManager; import org.apache.catalina.util.LifecycleSupport; @@ -229,7 +226,7 @@ getCluster().getManager(((ClusterManager)manager).getName()) != null) || (manager instanceof PersistentManager))) - handlePossibleTurnover(request, response); + handlePossibleTurnover(request); } // Pass this request on to the next valve in our pipeline getNext().invoke(request, response); 
@@ -238,11 +235,10 @@ /** * handle possible session turn over. * - * @see JvmRouteBinderValve#handleJvmRoute(Request, Response, String, String) + * @see JvmRouteBinderValve#handleJvmRoute(Request, String, String) * @param request current request - * @param response current response */ -protected void handlePossibleTurnover(Request request, Response response) { +protected void handlePossibleTurnover(Request request) { String sessionID = request.getRequestedSessionId() ; if (sessionID != null) { long t1 = System.currentTimeMillis(); @@ -252,7 +248,7 @@ log.debug(sm.getString(jvmRoute.missingJvmRouteAttribute)); return; } -handleJvmRoute( request, response, sessionID, jvmRoute); +handleJvmRoute( request, sessionID, jvmRoute); if (log.isDebugEnabled()) { long t2 = System.currentTimeMillis(); long time = t2 - t1; @@ -311,15 +307,13 @@ * SessionID change propagate to the other cluster nodes. * * @param request current request - * @param response - *Tomcat Response * @param sessionId *request SessionID from Cookie * @param localJvmRoute *local jvmRoute */ protected void handleJvmRoute( -Request request, Response response,String sessionId, String localJvmRoute) { +Request request, String sessionId, String localJvmRoute) { // get requested jvmRoute. String requestJvmRoute = null; int index = sessionId.indexOf(.); @@ -342,7 +336,7 @@ String newSessionID = id + . + localJvmRoute; // OK - turnover the session and inform other cluster nodes if (catalinaSession != null) { -changeSessionID(request, response, sessionId, newSessionID, +changeSessionID(request, sessionId, newSessionID, catalinaSession); numberOfSessions++; } else { @@ -353,7 +347,7 @@ } if (catalinaSession != null) { // session is rewrite at other request, rewrite this also -changeRequestSessionID(request, response, sessionId, newSessionID); +changeRequestSessionID(request, sessionId, newSessionID); } else { if (log.isDebugEnabled()) { log.debug(sm.getString(jvmRoute.cannotFindSession,sessionId)); 
@@ -367,7 +361,6 @@ * change session id and send to all cluster nodes * * @param request current request - * @param response current response * @param sessionId *original session id * @param newSessionID @@ -375,8 +368,8 @@ * @param catalinaSession *current session with original session id */ -protected void changeSessionID(Request request, -Response response, String sessionId, String newSessionID, Session catalinaSession) { +protected
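Review bot: handlePossibleTurnover, handleJvmRoute, changeSessionID and changeRequestSessionID are protected, so dropping the Response parameter changes signatures that subclasses of JvmRouteBinderValve may override or call, and an existing override with the old signature would silently stop being invoked. If the valve is meant to be extensible, keep deprecated overloads with the old signatures for a release or record the change in the changelog.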
svn commit: r889722 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: markt Date: Fri Dec 11 17:44:35 2009 New Revision: 889722 URL: http://svn.apache.org/viewvc?rev=889722view=rev Log: Proposal Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=889722r1=889721r2=889722view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Dec 11 17:44:35 2009 @@ -487,3 +487,13 @@ http://svn.apache.org/viewvc?rev=889606view=rev +1: markt -1: + +* Address https://issues.apache.org/bugzilla/show_bug.cgi?id=45255 + Prevent session fixation by changing session ID on authentication by default + If you don't like the session ID changing by default, feel free to caveat your + vote. If there is suggicient support for the patch but insufficient support + for changing the ID by default I'll apply the patch with the default set to + not change the session ID + http://svn.apache.org/viewvc?rev=889716view=rev + +1: markt + -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
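Review bot: typo in the added proposal text, "suggicient" should be "sufficient". The entry would also be easier to vote on if it named the authenticator setting that switches the behaviour off, since the vote hinges on its default.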
svn commit: r889723 - /tomcat/tc5.5.x/trunk/STATUS.txt
Author: markt Date: Fri Dec 11 17:44:42 2009 New Revision: 889723 URL: http://svn.apache.org/viewvc?rev=889723view=rev Log: Proposal Modified: tomcat/tc5.5.x/trunk/STATUS.txt Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=889723r1=889722r2=889723view=diff == --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Dec 11 17:44:42 2009 @@ -241,3 +241,13 @@ http://svn.apache.org/viewvc?rev=889606view=rev +1: markt -1: + +* Address https://issues.apache.org/bugzilla/show_bug.cgi?id=45255 + Prevent session fixation by changing session ID on authentication by default + If you don't like the session ID changing by default, feel free to caveat your + vote. If there is suggicient support for the patch but insufficient support + for changing the ID by default I'll apply the patch with the default set to + not change the session ID + http://svn.apache.org/viewvc?rev=889716view=rev + +1: markt + -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 45255] support disable jsessionid from url against session fixation attacks
https://issues.apache.org/bugzilla/show_bug.cgi?id=45255

--- Comment #21 from Mark Thomas ma...@apache.org 2009-12-11 09:45:21 GMT ---
I have patched Tomcat 7 to change the session ID on authentication by default. The same patch has been proposed for 6.0.x and 5.5.x although the default may be not to change the session ID.

With this patch applied the situation is:

Tomcat 7
- Not vulnerable by default since session ID changes on authentication
- If this default is changed by the user (eg because the application can't handle a changing session ID) then the risks may be minimised by disabling session tracking via URL (a new feature in Servlet 3)

Tomcat 5 & 6
- Can be prevented by enabling changing the session ID on authentication (if there is insufficient support for this to be enabled by default)
- If the application can't handle a changing session ID then the risks may be minimised by writing a custom filter that checks request.isRequestedSessionIdFromURL() and responds accordingly (eg rejecting the request)

With these changes in place, although there will not be an option to disable URL re-writing, I believe that there will be sufficient options to prevent session fixation which is, after all, the reason behind the request to be able to disable URL rewriting.
DO NOT REPLY [Bug 48381] New: Hostnames in the Host section are converted to lower case
https://issues.apache.org/bugzilla/show_bug.cgi?id=48381

Summary: Hostnames in the Host section are converted to lower case
Product: Tomcat 6
Version: 6.0.20
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: jens.a...@web.de

Created an attachment (id=24700)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24700)
Webapp for demonstrating the bug

Overview:

If the attribute name in the Host configuration contains upper case letters and you use a case-sensitive file system then the configuration files are looked up in the wrong directory (hostname converted to lower case)

RFC 1035 (DNS) says in section 2.3.1.:

    Note that while upper and lower case letters are allowed in domain names, no significance is attached to the case. That is, two names with the same spelling but different case are to be treated as if identical.

Let us suppose we have this configuration in the server.xml:

    <Engine name="Catalina" defaultHost="Tux">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Host name="Tux" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
      </Host>
    </Engine>

The expected behavior is, that the configuration files are searched under

    $CATALINA_BASE/conf/[engine_name]/[host_name]

which is in our case

    $CATALINA_BASE/conf/Catalina/Tux

Instead Tomcat converts silently Tux to tux and searches under

    $CATALINA_BASE/conf/Catalina/tux

Steps to reproduce:

1. Configure the server.xml with a hostname which contains upper case letters. See above.

2. Deploy the webapp tomcatbug

    cd webapps
    unzip tomcatbug.zip
    cd tomcatbug
    ant all

3. Create a file $CATALINA_BASE/conf/Catalina/Tux/tomcatbug.xml with this content

    <Context>
      <Resource name="bean/MyBeanFactory" auth="Container"
                type="MyBean"
                factory="org.apache.naming.factory.BeanFactory"
                bar="23"/>
    </Context>

4. Start tomcat and browse to http://Tux:8080/tomcatbug/TomcatBug

Actual result:

    <html>
    <head>
    <title>Tomcat Bug</title>
    </head>
    <body>
    <h1>Tomcat Bug</h1>
    javax.naming.NamingException: Cannot create resource instance
        at org.apache.naming.factory.ResourceEnvFactory.getObjectInstance(ResourceEnvFactory.java:114)
        at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:793)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:140)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:781)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:153)
        at TomcatBug.doGet(TomcatBug.java:29)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
        at java.lang.Thread.run(Thread.java:619)
    </body>
    </html>

Expected result:

    <html>
    <head>
    <title>Tomcat Bug</title>
    </head>
    <body>
    <h1>Tomcat Bug</h1>
    foo = Default Foo, bar = 23
    </body>
    </html>

As a workaround you should not use upper case letters in hostnames. This should be written in the documentation.
DO NOT REPLY [Bug 48381] Hostnames in the Host section are converted to lower case
https://issues.apache.org/bugzilla/show_bug.cgi?id=48381

--- Comment #1 from japel jens.a...@web.de 2009-12-11 12:52:16 UTC ---
Created an attachment (id=24701)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24701)
This patch is for the documentation (use lower case hostnames)
DO NOT REPLY [Bug 48381] Hostnames in the Host section are converted to lower case
https://issues.apache.org/bugzilla/show_bug.cgi?id=48381

--- Comment #2 from japel jens.a...@web.de 2009-12-11 12:56:17 UTC ---
Created an attachment (id=24702)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24702)
Hostnames are no longer lower case internally

This patch might have several side effects and the core developers most likely had their reasons for converting hostnames to lower case internally.
[Tomcat Wiki] Update of Tomcat_and_IIS_Howto by Tony.Britton
Dear Wiki user, You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification. The Tomcat_and_IIS_Howto page has been changed by Tony.Britton. The comment on this change is: added text for programmatic Web Service Extension entry into IIS 6.0. http://wiki.apache.org/tomcat/Tomcat_and_IIS_Howto?action=diffrev1=11rev2=12 -- 'Taken from http://msdn.microsoft.com/library/en-us/iissdk/html/8fcd5343-07cb-49e9-a206-0c65a988dcca.asp?frame=true and ' http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/425ff52d-9998-44a9-95dd-b46b2e390db8.asp ' or Google the Microsoft web site for Creating Sites and Virtual Directories Using ADSI and Enabling ISAPI Filters Using ADSI - ' with http://www.google.com/search?q=%22Creating+Sites+and+Virtual+Directories+Using+ADSI%22+site%3Amsdn.microsoft.com + ' with http://www.google.com/search?q=%22Creating+Sites+and+Virtual+Directories+Using+ADSI%22+site%3Amsdn.microsoft.com ' and http://www.google.com/search?q=%22Enabling+ISAPI+Filters+Using+ADSI%22+site%3Amsdn.microsoft.com Option Explicit Dim IIsPath Dim ConnectorPath - Dim FiltersObj + Dim FiltersObj - Dim FilterObj + Dim FilterObj - Dim LoadOrder + Dim LoadOrder Dim Name 'of the filter and the virtual directory Dim DLLName 'Double-check this path ConnectorPath = C:\Program Files\Apache Software Foundation\Jakarta Isapi Redirector\bin\ - + 'Configure the first (default) web site on a machine. Change to 2 for the second web site, etc. IIsPath = IIS://LocalHost/W3SVC/1/ @@ -37, +37 @@ If LoadOrder Then LoadOrder = LoadOrder , End If - LoadOrder = LoadOrder Name + LoadOrder = LoadOrder Name - FiltersObj.FilterLoadOrder = LoadOrder + FiltersObj.FilterLoadOrder = LoadOrder - FiltersObj.SetInfo + FiltersObj.SetInfo 'Actually create the filter 'ToDo: set priority. This might be possible with the FilterFlags property, but the IIS doc says: ' Because this property is internally configured by IIS, you should consider it to be read-only. 
Do not configure this property. - Set FilterObj = FiltersObj.Create(IIsFilter, Name) + Set FilterObj = FiltersObj.Create(IIsFilter, Name) - FilterObj.FilterPath = ConnectorPath DLLName + FilterObj.FilterPath = ConnectorPath DLLName FilterObj.SetInfo - - }}} - - Save this script to a file with a VBS extension. Open it in Notepad and verify that the Connector``Path variable is correct for your connector installation. Then open a command prompt and run it with the cscript interpreter: `cscript filename.vbs` . Restart IIS, and test the connector as mentioned in the Howto (go to http://localhost/servlets-examples/ ). + Save this script to a file with a VBS extension. Open it in Notepad and verify that the ConnectorPath variable is correct for your connector installation. Then open a command prompt and run it with the cscript interpreter: `cscript filename.vbs` . Restart IIS, and test the connector as mentioned in the Howto (go to http://localhost/servlets-examples/ ). Corrections on the above script and suggestions on how to get it into the Setup program are welcome. You still need to do the other steps on the [[http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html|IIS Howto page]], such as adding your contexts, etc. - -- + -- + Added by SkyBristol on 4/11/2006 The setup file included here and the script to add the ISAPI filter work just fine in IIS6, but there is one additional step needed. You must also allow access to the filter through the Web Service Extensions part of IIS. 
To do this graphically, do the following: + 1) open the IIS Manager and go to the Web Service Extensions item under the appropriate server 2) Click the Add a new Web service extension item under Tasks 3) Give it a name like jakarta 4) Browse to the isapi_redirect.dll file you installed above as a Required File 5) Check the box to enable this extension - 1) open the IIS Manager and go to the Web Service Extensions item under the appropriate server - 2) Click the Add a new Web service extension item under Tasks - 3) Give it a name like jakarta - 4) Browse to the isapi_redirect.dll file you installed above as a Required File - 5) Check the box to enable this extension - -- + Added by Tony.Britton on 12/11/2009: + + To add the Jakarta WSE programmatically, run the following line at a command prompt: + (Change the File Path/File Name as appropriate) + {{{ + cscript.exe //NOLOGO iisext.vbs /AddFile C:\Program Files\Apache Software Foundation\Jakarta Isapi Redirector\bin\isapi_redirect.dll 1 jakarta 1 jakarta + }}} + -- + Added by MaiPiu on 12 May 2006 - IIS and Tomcat: you found also in Other links see here UsefulLinks. - Little notice: Using the present help, I made working IIS 6.0 , Jk, Tomcat 5.0 on Windows2003
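Review bot: in the added `cscript.exe //NOLOGO iisext.vbs /AddFile ...` line, the DLL path contains spaces and is shown without surrounding double quotes, so as written the command interpreter splits it at each space and iisext.vbs does not receive the intended file name; wrap the path in double quotes. The trailing positional arguments `1 jakarta 1 jakarta` are also left unexplained: since this is the step that permits the DLL to execute under IIS 6.0, a short sentence saying what each argument sets would let readers confirm they are allowing only the isapi_redirect.dll they installed. Separately, the script section shows the closing `}}}` as removed with no added counterpart in view; confirm the code block still closes so the instructions after it do not render as part of the script.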
Storing Tomcat Sessions to MySQL (and Memcached) Round-Robin without sticky sessions
Hello,

Thanks in advance for your help.

I would like to know if anyone is currently modifying, has modified, or plans to modify Tomcat 6.0.20 to store/read sessions directly in Memcached + MySQL to enable session persistence with round-robin and without sticky sessions? If so would you be so kind as to point me in the right direction?

Our top level design requirement is 'no sticky sessions' + 'round robin' + 'MySQL or Amazon SimpleDB'

After getting this solution working I would like to donate the code to the Tomcat project. It will be useful for those wishing to deploy Tomcat + Amazon EC2 + Amazon Elastic Load Balancer.

Thank you,
Anthony
925-456-4343