svn commit: r1076586 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ java/org/apache/catalina/core/ java/org/apache/catalina/startup/ test/org/apache/catalina/core/
Author: markt Date: Thu Mar 3 11:16:51 2011 New Revision: 1076586 URL: http://svn.apache.org/viewvc?rev=1076586view=rev Log: [SECURITY] Start of fix for issue reported on users list that @ServletSecurity annotations were ignored. This fix is not yet complete. This first part: - Triggers the loading of the Wrapper before the constraints are processed to ensure that any @ServletSecurity annotations are taken account of - Makes sure the constraints collection is thread-safe given new usage - Adds scanning for @ServletSecurity when a Servlet is loaded - Ensure there is always an authenticator when using the embedded Tomcat class so that @ServletSecurity will have an effect - Adds a simple unit test to check @ServletSecurity annotations are processed Further commits will add additional test cases and any changes required for those test cases to pass Added: tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java (with props) Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java tomcat/trunk/java/org/apache/catalina/core/StandardContext.java tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java tomcat/trunk/java/org/apache/catalina/startup/Tomcat.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1076586r1=1076585r2=1076586view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Thu Mar 3 11:16:51 2011 @@ -37,6 +37,7 @@ import org.apache.catalina.Manager; import org.apache.catalina.Realm; import org.apache.catalina.Session; import org.apache.catalina.Valve; +import org.apache.catalina.Wrapper; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.catalina.deploy.LoginConfig; 
@@ -478,6 +479,13 @@ public abstract class AuthenticatorBase } } +// The Servlet may specify security constraints through annotations. +// Ensure that they have been processed before constraints are checked +Wrapper wrapper = (Wrapper) request.getMappingData().wrapper; +if (wrapper.getServlet() != null) { +wrapper.load(); +} + Realm realm = this.context.getRealm(); // Is this request URI subject to a security constraint? SecurityConstraint [] constraints Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1076586r1=1076585r2=1076586view=diff == --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Thu Mar 3 11:16:51 2011 @@ -298,7 +298,8 @@ public class StandardContext extends Con /** * The security constraints for this web application. */ -private SecurityConstraint constraints[] = new SecurityConstraint[0]; +private volatile SecurityConstraint constraints[] = +new SecurityConstraint[0]; private final Object constraintsLock = new Object(); Modified: tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java?rev=1076586r1=1076585r2=1076586view=diff == --- tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java Thu Mar 3 11:16:51 2011 
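Review bot: The guard around `wrapper.load()` in the added block is inverted. With `wrapper.getServlet() != null` the load only runs for a servlet that is already loaded, so on the first request to a not-yet-loaded servlet its @ServletSecurity constraints are still unregistered when the constraint lookup just below runs. That first request is then checked against an incomplete constraint set, which is the problem the log message sets out to fix. The condition should read `if (wrapper.getServlet() == null) {`. The enclosing method starts and ends outside the hunk.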
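Review bot: `volatile` on `constraints` publishes only the array reference, not writes to its elements. The field is therefore thread-safe only if every writer builds a new array and assigns it while holding `constraintsLock`, and nothing modifies the published array in place. The add and remove methods are outside this hunk, so that needs confirming there; readers should also copy the field to a local once per scan rather than re-reading it. I would record the rule next to the field, e.g. `// Copy-on-write: replace the array under constraintsLock, never modify it in place.`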
@@ -42,9 +42,11 @@ import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; +import javax.servlet.ServletSecurityElement; import javax.servlet.SingleThreadModel; import javax.servlet.UnavailableException; import javax.servlet.annotation.MultipartConfig; +import javax.servlet.annotation.ServletSecurity; import org.apache.catalina.Container; import org.apache.catalina.ContainerServlet; @@ -1075,10 +1077,20 @@ public class StandardWrapper extends Con } } +ServletSecurity secAnnotation = +servlet.getClass().getAnnotation(ServletSecurity.class); +Context ctxt = (Context) getParent(); +if (secAnnotation != null) { +ctxt.addServletSecurity( +new ApplicationServletRegistration(this, ctxt), +new ServletSecurityElement(secAnnotation)); +} + +
svn commit: r1076587 - /tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Author: markt Date: Thu Mar 3 11:24:35 2011 New Revision: 1076587 URL: http://svn.apache.org/viewvc?rev=1076587view=rev Log: Fix typo Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1076587r1=1076586r2=1076587view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Thu Mar 3 11:24:35 2011 @@ -482,7 +482,7 @@ public abstract class AuthenticatorBase // The Servlet may specify security constraints through annotations. // Ensure that they have been processed before constraints are checked Wrapper wrapper = (Wrapper) request.getMappingData().wrapper; -if (wrapper.getServlet() != null) { +if (wrapper.getServlet() == null) { wrapper.load(); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
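Review bot: `request.getMappingData().wrapper` is dereferenced in the guard without a null check, so a request that reaches this valve with no mapped wrapper would end in a NullPointerException rather than a constraint decision. Whether that can happen is not visible in this hunk, but the guard is cheap: `if (wrapper != null && wrapper.getServlet() == null) {`. With the condition now correct, `wrapper.load()` runs before any constraint is evaluated, so a request that is later denied can still be the one that instantiates and initialises the servlet. A comment stating that this is intended, e.g. `// Loads the servlet even if the request is subsequently denied`, would help the next reader. The enclosing method starts and ends outside the hunk.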
svn commit: r1076589 - /tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java
Author: markt Date: Thu Mar 3 11:31:56 2011 New Revision: 1076589 URL: http://svn.apache.org/viewvc?rev=1076589view=rev Log: @ServletSecurity support Add tests for subclasses Modified: tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java Modified: tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java?rev=1076589r1=1076588r2=1076589view=diff == --- tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java (original) +++ tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java Thu Mar 3 11:31:56 2011 @@ -35,7 +35,19 @@ import org.apache.tomcat.util.buf.ByteCh public class TestStandardWrapper extends TomcatBaseTest { -public void testSecurityAnnotations1() throws Exception { +public void testSecurityAnnotationsSimple() throws Exception { +doDenyTest(DenyServlet.class.getName()); +} + +public void testSecurityAnnotationsSubclass1() throws Exception { +doDenyTest(SubclassDenyServlet.class.getName()); +} + +public void testSecurityAnnotationsSubclass2() throws Exception { +doAllowTest(SubclassAllowServlet.class.getName()); +} + +private void doDenyTest(String servletClassName) throws Exception { // Setup Tomcat instance Tomcat tomcat = getTomcatInstance(); @@ -43,8 +55,7 @@ public class TestStandardWrapper extends Context ctx = tomcat.addContext(, System.getProperty(java.io.tmpdir)); -Wrapper wrapper = Tomcat.addServlet(ctx, servlet, -org.apache.catalina.core.TestStandardWrapper$DenyServlet); +Wrapper wrapper = Tomcat.addServlet(ctx, servlet, servletClassName); wrapper.setAsyncSupported(true); ctx.addServletMapping(/, servlet); 
@@ -56,6 +67,30 @@ public class TestStandardWrapper extends assertNull(bc.toString()); assertEquals(403, rc); + +} + +private void doAllowTest(String servletClassName) throws Exception { +// Setup Tomcat instance +Tomcat tomcat = getTomcatInstance(); + +// Must have a real docBase - just use temp +Context ctx = +tomcat.addContext(, System.getProperty(java.io.tmpdir)); + +Wrapper wrapper = Tomcat.addServlet(ctx, servlet, servletClassName); +wrapper.setAsyncSupported(true); +ctx.addServletMapping(/, servlet); + +tomcat.start(); + +// Call the servlet once +ByteChunk bc = new ByteChunk(); +int rc = getUrl(http://localhost:; + getPort() + /, bc, null); + +assertEquals(OK, bc.toString()); +assertEquals(200, rc); + } @ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY)) @@ -67,7 +102,16 @@ public class TestStandardWrapper extends throws ServletException, IOException { resp.setContentType(text/plain); -resp.getWriter().print(FAIL); +resp.getWriter().print(OK); } } + +public static class SubclassDenyServlet extends DenyServlet { +private static final long serialVersionUID = 1L; +} + +@ServletSecurity(@HttpConstraint(EmptyRoleSemantic.PERMIT)) +public static class SubclassAllowServlet extends DenyServlet { +private static final long serialVersionUID = 1L; +} } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
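Review bot: `SubclassDenyServlet` in the last hunk carries no annotation of its own, so `testSecurityAnnotationsSubclass1` passes only because the DENY constraint is found through the superclass. A short comment on the class would stop someone "fixing" it later, e.g. `// Deliberately unannotated: must inherit DENY from DenyServlet`. `SubclassAllowServlet` deserves the matching comment that its PERMIT is meant to override the inherited DENY, e.g. `// Own annotation must take precedence over the one on DenyServlet`.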
DO NOT REPLY [Bug 50860] New: In case of invalid or empty slqQuery connection are always invalidated without usefull information
https://issues.apache.org/bugzilla/show_bug.cgi?id=50860 Summary: In case of invalid or empty slqQuery connection are always invalidated without usefull information Product: Tomcat Modules Version: unspecified Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: jdbc-pool AssignedTo: dev@tomcat.apache.org ReportedBy: ol...@apache.org The code is (in PooledConnection.java#validate(int validateAction,String sql) ) Statement stmt = null; try { stmt = connection.createStatement(); stmt.execute(query); stmt.close(); this.lastValidated = now; return true; } catch (Exception ignore) { if (log.isDebugEnabled()) log.debug(Unable to validate object:,ignore); if (stmt!=null) try { stmt.close();} catch (Exception ignore2){/*NOOP*/} } return false; So in the case of null or invalid query (connection is always invalidated : seems normal :-) ). But without any usefull message (except if you use debug : but seems complicated in a production env). So IMHO adding a log.warning in case of null query could be usefull. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 43497] Add ability to escape rendered output of JSP expressions
https://issues.apache.org/bugzilla/show_bug.cgi?id=43497 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution||WONTFIX --- Comment #5 from Mark Thomas ma...@apache.org 2011-03-03 07:14:32 EST --- It is not as simple as this patch suggests. The necessary escaping to prevent XSS varies by context [1]. The necessary context information is not available to Tomcat so Tomcat is unable to ensure that the correct escaping is applied. There are several possible approaches to solve this issue but none of them can be currently applied to Tomcat: 1. Provide methods to do this in the framework being used and expect/require developers to set the context appropriately. 2. Use a framework that is sufficiently strict that the context is always known and the necessary escaping can be applied automatically. 3. Modify the EL spec to allow the context to be supplied. At this point the escaping may as well be automatically applied as well. Option 3 could be implemented in Tomcat if the EL spec was changed. That would be Tomcat 8 at the earliest. [1] http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 43497] Add ability to escape rendered output of JSP expressions
https://issues.apache.org/bugzilla/show_bug.cgi?id=43497 --- Comment #6 from Nacho Coloma icol...@gmail.com 2011-03-03 07:46:15 EST --- I disagree. 99% of the XSS injection cases are described in the mentioned link as RULE #1: escape HTML. Even worse, 99% of these cases could be implemented by simply escaping < or any UTF-8 equivalent (some of the escaped characters proposed in the link, like >, do not have any known exploits in modern browsers). We are talking about any use of ${user.name}, ${post.contents}, ${comment}. These are by far the most common use cases. Other cases: * Cases where sanitizing is NOT desired: you can always fall back to <c:out * A command-line flag can be used to disable sanitizing altogether. * Cases where extra processing is desired (like attribute escaping): for these cases the programmer can invoke extra functions. I have to say, I have not found a single case where attribute escaping (or javascript for that matter) was required. I don't mind sanitizing these by hand, but this patch would make 99% of Tomcat applications safer by default. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1076606 - in /tomcat/trunk/test/org/apache/catalina: core/TestStandardWrapper.java startup/TomcatBaseTest.java
Author: markt Date: Thu Mar 3 12:56:07 2011 New Revision: 1076606 URL: http://svn.apache.org/viewvc?rev=1076606view=rev Log: @ServletSecurity Refactor to reduce duplication in test code Add tests for method constraints Modified: tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java tomcat/trunk/test/org/apache/catalina/startup/TomcatBaseTest.java Modified: tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java?rev=1076606r1=1076605r2=1076606view=diff == --- tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java (original) +++ tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java Thu Mar 3 12:56:07 2011 @@ -21,6 +21,7 @@ import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.annotation.HttpConstraint; +import javax.servlet.annotation.HttpMethodConstraint; import javax.servlet.annotation.ServletSecurity; import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic; import javax.servlet.http.HttpServlet; 
@@ -36,41 +37,28 @@ import org.apache.tomcat.util.buf.ByteCh public class TestStandardWrapper extends TomcatBaseTest { public void testSecurityAnnotationsSimple() throws Exception { -doDenyTest(DenyServlet.class.getName()); +doTest(DenyAllServlet.class.getName(), false, false); } public void testSecurityAnnotationsSubclass1() throws Exception { -doDenyTest(SubclassDenyServlet.class.getName()); +doTest(SubclassDenyAllServlet.class.getName(), false, false); } public void testSecurityAnnotationsSubclass2() throws Exception { -doAllowTest(SubclassAllowServlet.class.getName()); +doTest(SubclassAllowAllServlet.class.getName(), false, true); } -private void doDenyTest(String servletClassName) throws Exception { -// Setup Tomcat instance -Tomcat tomcat = getTomcatInstance(); - -// Must have a real docBase - just use temp -Context ctx = -tomcat.addContext(, System.getProperty(java.io.tmpdir)); - -Wrapper wrapper = Tomcat.addServlet(ctx, servlet, servletClassName); -wrapper.setAsyncSupported(true); -ctx.addServletMapping(/, servlet); - -tomcat.start(); - -// Call the servlet once -ByteChunk bc = new ByteChunk(); -int rc = getUrl(http://localhost:; + getPort() + /, bc, null); - -assertNull(bc.toString()); -assertEquals(403, rc); - +public void testSecurityAnnotationsMethods1() throws Exception { +doTest(MethodConstraintServlet.class.getName(), false, false); +} + +public void testSecurityAnnotationsMethods2() throws Exception { +doTest(MethodConstraintServlet.class.getName(), true, true); } -private void doAllowTest(String servletClassName) throws Exception { +private void doTest(String servletClassName, boolean usePost, +boolean expect200) throws Exception { + // Setup Tomcat instance Tomcat tomcat = getTomcatInstance(); 
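Review bot: Call sites such as `doTest(MethodConstraintServlet.class.getName(), true, true)` do not show which flag selects the HTTP method and which is the expected outcome. In a security test a transposed pair can turn a deny case into one that asserts the wrong thing without anyone noticing. Named constants at the call sites would make the intent readable, e.g. `private static final boolean USE_POST = true;` and `private static final boolean EXPECT_200 = true;`. This gets harder to read in r1076731, where a third boolean, `useRole`, is inserted between the two.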
@@ -86,15 +74,23 @@ public class TestStandardWrapper extends // Call the servlet once ByteChunk bc = new ByteChunk(); -int rc = getUrl(http://localhost:; + getPort() + /, bc, null); - -assertEquals(OK, bc.toString()); -assertEquals(200, rc); +int rc; +if (usePost) { +rc = postUrl(null, http://localhost:; + getPort() + /, bc, null); +} else { +rc = getUrl(http://localhost:; + getPort() + /, bc, null); +} +if (expect200) { +assertEquals(OK, bc.toString()); +assertEquals(200, rc); +} else { +assertNull(bc.toString()); +assertEquals(403, rc); +} } -@ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY)) -public static class DenyServlet extends HttpServlet { +public static class TestServlet extends HttpServlet { private static final long serialVersionUID = 1L; @Override @@ -104,14 +100,35 @@ public class TestStandardWrapper extends resp.setContentType(text/plain); resp.getWriter().print(OK); } + +@Override +protected void doPost(HttpServletRequest req, HttpServletResponse resp) +throws ServletException, IOException { +doGet(req, resp); +} +} + +@ServletSecurity(@HttpConstraint(EmptyRoleSemantic.DENY)) +public static class DenyAllServlet extends TestServlet { +private static final long serialVersionUID = 1L; } -public static class SubclassDenyServlet extends DenyServlet { +public static class SubclassDenyAllServlet
Re: Connection draining when upload to large
On 17.02.2011 11:58, Mark Thomas wrote: Given this, I am leaning even more towards just fixing the original issue that the connection is not dropped when the request exceeds the upload limit and leaving the rest of the behaviour unchanged. Getting back to this (and sorry for the pause): What's the exact situation in which we want to skip swallowing the rest of the request and close the connection? - only if Servlet 3 Uploads reach their max POST size? - also if other uploads or more generally reading the request input is aborted? In the latter case: how do we detect abort? Possibilities: - if the app called close() on the servlet input stream or the reader. This doesn't necessarily indicate an abort. - if the app sets status 413 (request entity too large). Should be possible since it is unlikely that the response was already committed when the app detected that the request data is too big. - any other reliable mechanism? It's easy to make it configurable (e.g. connector attribute swallowAbortedUploads or swallowInput passed down to the processor the same way as disableUploadTimeout). Regards, Rainer - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 50863] New: Memory usage increase after JSP compilation
https://issues.apache.org/bugzilla/show_bug.cgi?id=50863 Summary: Memory usage increase after JSP compilation Product: Tomcat 6 Version: 6.0.32 Platform: PC Status: NEW Severity: normal Priority: P2 Component: Jasper AssignedTo: dev@tomcat.apache.org ReportedBy: sebastien.mur...@gmail.com Created an attachment (id=26726) -- (https://issues.apache.org/bugzilla/attachment.cgi?id=26726) PrintScreen of YourKit. I run Tomcat 6.0.32 in a memory profiler (Yourkit) and I discover after every jsp compilation the memory usage increase. I put the parameter fork=true, but still, every time the JspServlet is call, the JDTCompiler is not release and JspServlet too. When you have a lots a jsp pages to compile, tomcat will generate a OutOfMemory exception very fast. Any tips? Thanks -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release jdbc-pool 1.1.0.0
Thanks, I will get this taken care of, and reroll. Filip On 3/2/2011 8:21 PM, sebb wrote: On 2 March 2011 22:09, Filip Hanik - Dev Listsdevli...@hanik.com wrote: Source and Binary Packages http://people.apache.org/~fhanik/jdbc-pool/v1.1.0.0/ tomcat-juli.jar has NOTICE and LICENSE files, but none of the pool jars do. apache-tomcat-jdbc-1.1.0.0-src.zip contains the file test/org/apache/tomcat/jdbc/test/Bug50571.java which is not in the SVN TAG. Tag http://svn.apache.org/repos/asf/tomcat/tags/JDBC_POOL_1_1_0_0/ JDBC_POOL_1_1_0_0/test/org/apache/tomcat/jdbc/test/Bug50805.java has no AL header Documentation http://people.apache.org/~fhanik/jdbc-pool/jdbc-pool.html The proposed 1.1.0.0 release is: [ ] Broken - do not release [ ] Alpha - go ahead and release as 1.1.0.0 Alpha [ ] Beta - go ahead and release as 1.1.0.0 Beta [ ] Stable - go ahead and release as 1.1.0.0 Stable best Filip - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1204 / Virus Database: 1435/3478 - Release Date: 03/02/11 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 50864] New: Reconfigure pool on the fly using JMX
https://issues.apache.org/bugzilla/show_bug.cgi?id=50864 Summary: Reconfigure pool on the fly using JMX Product: Tomcat Modules Version: unspecified Platform: PC Status: NEW Severity: normal Priority: P2 Component: jdbc-pool AssignedTo: dev@tomcat.apache.org ReportedBy: fha...@apache.org Provide a way to reconfigure the jdbc-pool using JMX and have it take effect when changes are submitted. http://markmail.org/message/x6wem3zkxl4ps7ki -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[RESULT] [VOTE] Release jdbc-pool 1.1.0.0
I'll cancel this vote, get all the NOTICE and LICENSE files correct, as well as the tag matching the jars. best Filip On 3/2/2011 3:09 PM, Filip Hanik - Dev Lists wrote: Source and Binary Packages http://people.apache.org/~fhanik/jdbc-pool/v1.1.0.0/ Tag http://svn.apache.org/repos/asf/tomcat/tags/JDBC_POOL_1_1_0_0/ Documentation http://people.apache.org/~fhanik/jdbc-pool/jdbc-pool.html The proposed 1.1.0.0 release is: [ ] Broken - do not release [ ] Alpha - go ahead and release as 1.1.0.0 Alpha [ ] Beta - go ahead and release as 1.1.0.0 Beta [ ] Stable - go ahead and release as 1.1.0.0 Stable best Filip - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1204 / Virus Database: 1435/3477 - Release Date: 03/02/11 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 50863] Memory usage increase after JSP compilation
https://issues.apache.org/bugzilla/show_bug.cgi?id=50863 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution||INVALID OS/Version||All --- Comment #1 from Mark Thomas ma...@apache.org 2011-03-03 13:50:10 EST --- This question belongs on the users mailing list. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1076731 - in /tomcat/trunk/test/org/apache/catalina: core/TestStandardWrapper.java startup/TomcatBaseTest.java
Author: markt Date: Thu Mar 3 19:13:52 2011 New Revision: 1076731 URL: http://svn.apache.org/viewvc?rev=1076731view=rev Log: Test that individual roles are correctly handled Modified: tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java tomcat/trunk/test/org/apache/catalina/startup/TomcatBaseTest.java Modified: tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java?rev=1076731r1=1076730r2=1076731view=diff == --- tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java (original) +++ tomcat/trunk/test/org/apache/catalina/core/TestStandardWrapper.java Thu Mar 3 19:13:52 2011 @@ -18,6 +18,10 @@ package org.apache.catalina.core; import java.io.IOException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; import javax.servlet.ServletException; import javax.servlet.annotation.HttpConstraint; @@ -30,6 +34,9 @@ import javax.servlet.http.HttpServletRes import org.apache.catalina.Context; import org.apache.catalina.Wrapper; +import org.apache.catalina.authenticator.BasicAuthenticator; +import org.apache.catalina.deploy.LoginConfig; +import org.apache.catalina.startup.TestTomcat.MapRealm; import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; import org.apache.tomcat.util.buf.ByteChunk; 
@@ -37,27 +44,35 @@ import org.apache.tomcat.util.buf.ByteCh public class TestStandardWrapper extends TomcatBaseTest { public void testSecurityAnnotationsSimple() throws Exception { -doTest(DenyAllServlet.class.getName(), false, false); +doTest(DenyAllServlet.class.getName(), false, false, false); } public void testSecurityAnnotationsSubclass1() throws Exception { -doTest(SubclassDenyAllServlet.class.getName(), false, false); +doTest(SubclassDenyAllServlet.class.getName(), false, false, false); } public void testSecurityAnnotationsSubclass2() throws Exception { -doTest(SubclassAllowAllServlet.class.getName(), false, true); +doTest(SubclassAllowAllServlet.class.getName(), false, false, true); } public void testSecurityAnnotationsMethods1() throws Exception { -doTest(MethodConstraintServlet.class.getName(), false, false); +doTest(MethodConstraintServlet.class.getName(), false, false, false); } public void testSecurityAnnotationsMethods2() throws Exception { -doTest(MethodConstraintServlet.class.getName(), true, true); +doTest(MethodConstraintServlet.class.getName(), true, false, true); +} + +public void testSecurityAnnotationsRole1() throws Exception { +doTest(RoleAllowServlet.class.getName(), false, true, true); +} + +public void testSecurityAnnotationsRole2() throws Exception { +doTest(RoleDenyServlet.class.getName(), false, true, false); } private void doTest(String servletClassName, boolean usePost, -boolean expect200) throws Exception { +boolean useRole, boolean expect200) throws Exception { // Setup Tomcat instance Tomcat tomcat = getTomcatInstance(); 
@@ -70,15 +85,35 @@ public class TestStandardWrapper extends wrapper.setAsyncSupported(true); ctx.addServletMapping(/, servlet); +if (useRole) { +MapRealm realm = new MapRealm(); +realm.addUser(testUser, testPwd); +realm.addUserRole(testUser, testRole); +ctx.setRealm(realm); + +ctx.setLoginConfig(new LoginConfig(BASIC, null, null, null)); +ctx.getPipeline().addValve(new BasicAuthenticator()); +} + tomcat.start(); -// Call the servlet once ByteChunk bc = new ByteChunk(); +MapString,ListString reqHeaders = null; +if (useRole) { +reqHeaders = new HashMapString,ListString(); +ListString authHeaders = new ArrayListString(); +// testUser, testPwd +authHeaders.add(Basic dGVzdFVzZXI6dGVzdFB3ZA==); +reqHeaders.put(Authorization, authHeaders); +} + int rc; if (usePost) { -rc = postUrl(null, http://localhost:; + getPort() + /, bc, null); +rc = postUrl(null, http://localhost:; + getPort() + /, bc, +reqHeaders, null); } else { -rc = getUrl(http://localhost:; + getPort() + /, bc, null); +rc = getUrl(http://localhost:; + getPort() + /, bc, reqHeaders, +null); } if (expect200) { @@ -131,4 +166,14 @@ public class TestStandardWrapper extends public static class MethodConstraintServlet extends TestServlet { private static final long serialVersionUID
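Review bot: The role tests only ever send valid credentials for `testUser`, so nothing in the `useRole` branch checks that a role-protected servlet rejects a request with no `Authorization` header or with a wrong password. `doTest` can only assert 200 or 403, so the authentication-challenge path is untested; replacing `expect200` with an expected status code would allow those cases. The literal `Basic dGVzdFVzZXI6dGVzdFB3ZA==` also duplicates the user and password passed to `realm.addUser`. Building the header from the same two constants would stop the two from drifting apart. The final hunk of this file is cut off in the message, so the annotations on the role servlets are not visible here.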
svn commit: r1076736 - in /tomcat/trunk/modules/jdbc-pool: build.properties.default build.xml sign.sh test/org/apache/tomcat/jdbc/test/Bug50571.java test/org/apache/tomcat/jdbc/test/Bug50805.java
Author: fhanik Date: Thu Mar 3 19:20:38 2011 New Revision: 1076736 URL: http://svn.apache.org/viewvc?rev=1076736view=rev Log: Add missing files and license header Add NOTICE/LICENSE to all JAR files Added: tomcat/trunk/modules/jdbc-pool/test/org/apache/tomcat/jdbc/test/Bug50571.java Modified: tomcat/trunk/modules/jdbc-pool/build.properties.default tomcat/trunk/modules/jdbc-pool/build.xml tomcat/trunk/modules/jdbc-pool/sign.sh tomcat/trunk/modules/jdbc-pool/test/org/apache/tomcat/jdbc/test/Bug50805.java Modified: tomcat/trunk/modules/jdbc-pool/build.properties.default URL: http://svn.apache.org/viewvc/tomcat/trunk/modules/jdbc-pool/build.properties.default?rev=1076736r1=1076735r2=1076736view=diff == --- tomcat/trunk/modules/jdbc-pool/build.properties.default (original) +++ tomcat/trunk/modules/jdbc-pool/build.properties.default Thu Mar 3 19:20:38 2011 @@ -28,7 +28,7 @@ version.major=1 version.minor=1 version.build=0 -version.patch=0 +version.patch=1 version.suffix= # - Default Base Path for Dependent Packages - Modified: tomcat/trunk/modules/jdbc-pool/build.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/modules/jdbc-pool/build.xml?rev=1076736r1=1076735r2=1076736view=diff == --- tomcat/trunk/modules/jdbc-pool/build.xml (original) +++ tomcat/trunk/modules/jdbc-pool/build.xml Thu Mar 3 19:20:38 2011 @@ -76,6 +76,11 @@ pathelement location=${h2.jar}/ /path + fileset id=license.notice dir=${basedir} +include name=NOTICE/ +include name=LICENSE/ + /fileset + !-- Version info filter set -- tstamp format property=TODAY pattern=MMM d locale=en/ @@ -126,6 +131,7 @@ !-- connection pool API file-- jar jarfile=${tomcat-jdbc-api.jar} update=true fileset dir=${tomcat.api}/ + fileset refid=license.notice/ /jar delete file=${basedir}/java/org/apache/tomcat/jdbc/pool/package.html/ /target @@ -152,6 +158,7 @@ fileset dir=${basedir}/java include name=org/apache/tomcat/jdbc/**/*.xml / /fileset + fileset refid=license.notice/ /jar !-- connection pool source file-- 
@@ -159,6 +166,7 @@ fileset dir=${basedir}/java include name=org/apache/tomcat/jdbc/** / /fileset + fileset refid=license.notice/ /jar /target @@ -184,11 +192,13 @@ fileset dir=${basedir}/test include name=org/apache/tomcat/jdbc/**/*.xml / /fileset + fileset refid=license.notice/ /jar jar jarfile=${tomcat-jdbc-test-src.jar} update=true fileset dir=${basedir}/test include name=org/apache/tomcat/jdbc/** / /fileset + fileset refid=license.notice/ /jar /target Modified: tomcat/trunk/modules/jdbc-pool/sign.sh URL: http://svn.apache.org/viewvc/tomcat/trunk/modules/jdbc-pool/sign.sh?rev=1076736r1=1076735r2=1076736view=diff == --- tomcat/trunk/modules/jdbc-pool/sign.sh (original) +++ tomcat/trunk/modules/jdbc-pool/sign.sh Thu Mar 3 19:20:38 2011 @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -VERSION=v1.1.0.0 +VERSION=v1.1.0.1 for i in $(find output/release/$VERSION -name *.zip -o -name *.tar.gz); do echo Signing $i echo $1|gpg --passphrase-fd 0 -a -b $i Added: tomcat/trunk/modules/jdbc-pool/test/org/apache/tomcat/jdbc/test/Bug50571.java URL: http://svn.apache.org/viewvc/tomcat/trunk/modules/jdbc-pool/test/org/apache/tomcat/jdbc/test/Bug50571.java?rev=1076736view=auto == --- tomcat/trunk/modules/jdbc-pool/test/org/apache/tomcat/jdbc/test/Bug50571.java (added) +++ tomcat/trunk/modules/jdbc-pool/test/org/apache/tomcat/jdbc/test/Bug50571.java Thu Mar 3 19:20:38 2011 
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the License); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an AS IS BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.jdbc.test;
+
+import org.apache.tomcat.jdbc.pool.interceptor.ConnectionState;
+
+public class Bug50571
svn commit: r1076740 - /tomcat/tags/JDBC_POOL_1_1_0_1/
Author: fhanik Date: Thu Mar 3 19:22:19 2011 New Revision: 1076740 URL: http://svn.apache.org/viewvc?rev=1076740view=rev Log: New tag with same code as 1.1.0.0 but corrected license files and added missing test Added: tomcat/tags/JDBC_POOL_1_1_0_1/ (props changed) - copied from r1076739, tomcat/trunk/modules/jdbc-pool/ Propchange: tomcat/tags/JDBC_POOL_1_1_0_1/ -- --- svn:ignore (added) +++ svn:ignore Thu Mar 3 19:22:19 2011 @@ -0,0 +1,7 @@ +build.properties +includes +output +.settings +.classpath +bin + Propchange: tomcat/tags/JDBC_POOL_1_1_0_1/ -- svn:mergeinfo = /tomcat/tc6.0.x/trunk/modules/jdbc-pool:742915 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[VOTE] Release jdbc-pool 1.1.0.1
Source and Binary Packages http://people.apache.org/~fhanik/jdbc-pool/v1.1.0.1/ Tag http://svn.apache.org/repos/asf/tomcat/tags/JDBC_POOL_1_1_0_1/ Documentation http://people.apache.org/~fhanik/jdbc-pool/jdbc-pool.html The proposed 1.1.0.1 release is: [ ] Broken - do not release [ ] Alpha - go ahead and release as 1.1.0.1 Alpha [ ] Beta - go ahead and release as 1.1.0.1 Beta [ ] Stable - go ahead and release as 1.1.0.1 Stable best Filip - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1076736 - in /tomcat/trunk/modules/jdbc-pool: build.properties.default build.xml sign.sh test/org/apache/tomcat/jdbc/test/Bug50571.java test/org/apache/tomcat/jdbc/test/Bug50805.java
2011/3/3 fha...@apache.org: Author: fhanik Date: Thu Mar 3 19:20:38 2011 New Revision: 1076736 URL: http://svn.apache.org/viewvc?rev=1076736view=rev Log: Add missing files and license header Add NOTICE/LICENSE to all JAR files Added: tomcat/trunk/modules/jdbc-pool/test/org/apache/tomcat/jdbc/test/Bug50571.java svn:eol-style is missing for the new file. Just saying. I do not think it is a show-stopper. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release jdbc-pool 1.1.0.1
On 3 March 2011 19:24, Filip Hanik - Dev Lists devli...@hanik.com wrote: Source and Binary Packages http://people.apache.org/~fhanik/jdbc-pool/v1.1.0.1/ Tag http://svn.apache.org/repos/asf/tomcat/tags/JDBC_POOL_1_1_0_1/ Documentation http://people.apache.org/~fhanik/jdbc-pool/jdbc-pool.html Top of the page says: Version 7.0.x, MMM d Bottom says Copyright © 1999-, Apache Software Foundation Similarly, the changelog.html file in the binary archive says: Version 7.0.x, MMM d Tomcat JDBC Connection Pool 1.1.0.0 ... Copyright © 1999-, Apache Software Foundation Note the incorrect version number. Builds OK with Java 1.5; tests compile OK with Java 1.6. Ant warning: build.xml:182: warning: 'includeantruntime' was not set, defaulting to build.sysclasspath=last; set to false for repeatable builds There were a lot of errors generated when I first ran the test: [junit] Testcase: testHalfway(org.apache.tomcat.jdbc.test.AbandonPercentageTest): Caused an ERROR [junit] Unsupported database file version or invalid file header in file Old database: C:\Documents and Settings\User\.h2\test.data.db - please convert the database to a SQL script and re-create it. [90048-129] They went away when I deleted the directory and re-ran the test. It would be better to create the test database in the current working directory if possible - that should avoid the problem, as well as making it easier to tidy up afterward. If not possible, then the test that normally creates the database could check for this error and recreate the database. The proposed 1.1.0.1 release is: [ ] Broken - do not release [ ] Alpha - go ahead and release as 1.1.0.1 Alpha [ ] Beta - go ahead and release as 1.1.0.1 Beta [ ] Stable - go ahead and release as 1.1.0.1 Stable best Filip - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Where do we stand with maven publishing?
Where do we stand with publishing Tomcat jars/artifacts to a Maven repository? I see that the mvn-pub.xml has been updated, but I don't see where the source JARs are generated from. best Filip - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1076736 - in /tomcat/trunk/modules/jdbc-pool: build.properties.default build.xml sign.sh test/org/apache/tomcat/jdbc/test/Bug50571.java test/org/apache/tomcat/jdbc/test/Bug50805.java
On 3/3/2011 1:25 PM, Konstantin Kolinko wrote: 2011/3/3fha...@apache.org: Author: fhanik Date: Thu Mar 3 19:20:38 2011 New Revision: 1076736 URL: http://svn.apache.org/viewvc?rev=1076736view=rev Log: Add missing files and license header Add NOTICE/LICENSE to all JAR files Added: tomcat/trunk/modules/jdbc-pool/test/org/apache/tomcat/jdbc/test/Bug50571.java svn:eol-style is missing for the new file. Just saying. I do not think it is a show-stopper. thanks, my home dir got wiped, and along with that, the svn settings Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1204 / Virus Database: 1435/3479 - Release Date: 03/03/11 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Where do we stand with maven publishing?
2011/3/4 Filip Hanik - Dev Lists devli...@hanik.com: Where do we stand with publishing Tomcat jars/artifacts to a Maven repository. I see that the mvn-pub.xml has been updated, but I don't see where the source JARs are generated from. Are you talking about Tomcat 7? res/maven/mvn.properties.default has: #Where do we load the libraries from tomcat.lib.path=../../output/build/lib tomcat.bin.path=../../output/build/bin tomcat.src.path=../../output/src-jars tomcat.embed.path=../../output/embed tomcat.embed.src.path=../../output/embed-src-jars tomcat.extras.path=../../output/extras tomcat.extras.src.path=../../output/extras-src-jars The files in those *-src-jars folders are generated when you do `ant release`. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Where do we stand with maven publishing?
On 3/3/2011 5:25 PM, Konstantin Kolinko wrote: 2011/3/4 Filip Hanik - Dev Lists devli...@hanik.com: Where do we stand with publishing Tomcat jars/artifacts to a Maven repository. I see that the mvn-pub.xml has been updated, but I don't see where the source JARs are generated from. Are you talking about Tomcat 7? res/maven/mvn.properties.default has: #Where do we load the libraries from tomcat.lib.path=../../output/build/lib tomcat.bin.path=../../output/build/bin tomcat.src.path=../../output/src-jars tomcat.embed.path=../../output/embed tomcat.embed.src.path=../../output/embed-src-jars tomcat.extras.path=../../output/extras tomcat.extras.src.path=../../output/extras-src-jars The files in those *-src-jars folders are generated when you do `ant release`. Got it. It doesn't seem to be published to https://repository.apache.org/ nor to ibiblio http://mirrors.ibiblio.org/pub/mirrors/maven2/org/apache/tomcat/catalina/ Does it mean we're not running it anymore? Filip Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1204 / Virus Database: 1435/3480 - Release Date: 03/03/11 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org