svn commit: r1494915 - in /tomcat/trunk: java/org/apache/catalina/ java/org/apache/catalina/core/ java/org/apache/catalina/deploy/ java/org/apache/catalina/startup/ test/org/apache/catalina/core/
Author: markt Date: Thu Jun 20 10:38:49 2013 New Revision: 1494915 URL: http://svn.apache.org/r1494915 Log: Servlet 3.1 Implement the new deny-uncovered-http-methods element in server.xml Modified: tomcat/trunk/java/org/apache/catalina/Context.java tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties tomcat/trunk/java/org/apache/catalina/core/StandardContext.java tomcat/trunk/java/org/apache/catalina/deploy/WebXml.java tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java tomcat/trunk/java/org/apache/catalina/startup/WebRuleSet.java tomcat/trunk/test/org/apache/catalina/core/TesterContext.java Modified: tomcat/trunk/java/org/apache/catalina/Context.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=1494915r1=1494914r2=1494915view=diff == --- tomcat/trunk/java/org/apache/catalina/Context.java (original) +++ tomcat/trunk/java/org/apache/catalina/Context.java Thu Jun 20 10:38:49 2013 @@ -329,6 +329,20 @@ public interface Context extends Contain /** + * Return the deny-uncovered-http-methods flag for this web application. + */ +public boolean getDenyUncoveredHttpMethods(); + + +/** + * Set the deny-uncovered-http-methods flag for this web application. + * + * @param denyUncoveredHttpMethods The new deny-uncovered-http-methods flag + */ +public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods); + + +/** * Return the display name of this web application. */ public String getDisplayName(); Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1494915r1=1494914r2=1494915view=diff == --- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Thu Jun 20 10:38:49 2013 
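Review bot: The Javadoc added for `getDenyUncoveredHttpMethods()` and `setDenyUncoveredHttpMethods(boolean)` only restates the method names, so a reader of `Context` cannot tell what the flag does. I would say it directly, e.g. `Return {@code true} if HTTP methods that no security constraint covers for a URL pattern are denied, {@code false} if they are left accessible.` The backing field `private boolean denyUncoveredHttpMethods;` added to `StandardContext` in the same commit has no comment and relies on the implicit `false`, which is the permissive setting. A one-line comment there, such as `// Defaults to false: uncovered methods are logged but not denied`, would make that choice visible.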
@@ -140,7 +140,9 @@ standardContext.startFailed=Context [{0} standardContext.startingContext=Exception starting Context with name [{0}] standardContext.stoppingContext=Exception stopping Context with name [{0}] standardContext.uncoveredHttpMethod=For security constraints with URL pattern [{0}] only the HTTP methods [{1}] are covered. All other methods are uncovered. +standardContext.uncoveredHttpMethodFix=Adding security constraints with URL pattern [{0}] to deny access with the uncovered HTTP methods that are not one of the following [{1}] standardContext.uncoveredHttpOmittedMethod=For security constraints with URL pattern [{0}] the HTTP methods [{1}] are uncovered. +standardContext.uncoveredHttpOmittedMethodFix=Adding security constraints with URL pattern [{0}] to deny access with the uncovered HTTP methods [{1}] standardContext.urlPattern.patternWarning=WARNING: URL pattern {0} must start with a ''/'' in Servlet 2.4 standardContext.webappClassLoader.missingProperty=Unable to set the web application class loader property [{0}] to [{1}] as the property does not exist. standardContext.workPath=Exception obtaining work path for context [{0}] Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1494915r1=1494914r2=1494915view=diff == --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Thu Jun 20 10:38:49 2013 @@ -348,6 +348,9 @@ public class StandardContext extends Con private boolean delegate = false; +private boolean denyUncoveredHttpMethods; + + /** * The display name of this web application. */ 
@@ -1684,6 +1687,19 @@ public class StandardContext extends Con this.tldScanTime = tldScanTime; } + +@Override +public boolean getDenyUncoveredHttpMethods() { +return denyUncoveredHttpMethods; +} + + +@Override +public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods) { +this.denyUncoveredHttpMethods = denyUncoveredHttpMethods; +} + + /** * Return the display name of this web application. */ @@ -5345,7 +5361,6 @@ public class StandardContext extends Con private void checkConstraintsForUncoveredMethods() { // TODO - Add an option to lower the log level of any uncovered method //warnings to debug -// TODO - Implement adding constraints to deny uncovered methods SetString coveredPatterns = new HashSet(); MapString,SetString urlMethodMap = new HashMap();
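Review bot: `setDenyUncoveredHttpMethods` stores the value with no indication of when it is read. In a later revision on this page the flag is consulted inside `checkConstraintsForUncoveredMethods()`, which looks like a start-time check, so a change made after the context has started would presumably not alter the constraints already in place. If that is the case it deserves a sentence on the setter, for example `Only takes effect if set before the context is started.` The class body continues outside these hunks.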
svn commit: r1494918 - /tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp
Author: markt Date: Thu Jun 20 10:41:55 2013 New Revision: 1494918 URL: http://svn.apache.org/r1494918 Log: The form needs a submit button Modified: tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp Modified: tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp?rev=1494918r1=1494917r2=1494918view=diff == --- tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp (original) +++ tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp Thu Jun 20 10:41:55 2013 @@ -64,17 +64,18 @@ in session b%= session.getId() %/b } % -To check whether your username has been granted a particular role, +To check whether your user name has been granted a particular role, enter it here: form method=GET action='%= response.encodeURL(index.jsp) %' input type=text name=role value=%= util.HTMLFilter.filter(role) % +input type=submit /form brbr -If you have configured this app for form-based authentication, you can log -off by clicking +If you have configured this application for form-based authentication, you can +log off by clicking a href='%= response.encodeURL(index.jsp?logoff=true) %'here/a. -This should cause you to be returned to the logon page after the redirect +This should cause you to be returned to the login page after the redirect that is performed. /body - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1494925 - /tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
Author: markt Date: Thu Jun 20 11:03:22 2013 New Revision: 1494925 URL: http://svn.apache.org/r1494925 Log: Fix some copy/paste errors Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1494925r1=1494924r2=1494925view=diff == --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Thu Jun 20 11:03:22 2013 @@ -5384,7 +5384,7 @@ public class StandardContext extends Con // Pre-calculate so we don't do this for every iteration of the // following loop ListString omNew = null; -if (omittedMethods.length == 0) { +if (omittedMethods.length != 0) { omNew = Arrays.asList(omittedMethods); } @@ -5397,9 +5397,11 @@ public class StandardContext extends Con SetString om = urlOmittedMethodMap.get(pattern); if (om == null) { om = new HashSet(); -urlMethodMap.put(pattern, om); +urlOmittedMethodMap.put(pattern, om); +om.addAll(omNew); +} else { +om.retainAll(omNew); } -om.retainAll(omNew); } else { // Build the union of methods for this pattern SetString m = urlMethodMap.get(pattern); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
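Review bot: `omNew` is left as `null` whenever `omittedMethods` is empty, and the new `om.addAll(omNew)` / `om.retainAll(omNew)` calls in the second hunk would throw if they were ever reached in that state. They are safe only because they sit under `methods.length == 0` and the case where both arrays are empty has already hit `continue`; that guard lies outside these hunks. Since a failure or a wrong set here changes which methods are reported as uncovered, I would state the invariant next to the assignment, e.g. `// Non-null whenever methods.length == 0: the both-empty case was skipped above`. A regression test for the inverted `length == 0` check would also be worth adding alongside the fix.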
svn commit: r1494926 - /tomcat/trunk/webapps/examples/WEB-INF/web.xml
Author: markt Date: Thu Jun 20 11:03:54 2013 New Revision: 1494926 URL: http://svn.apache.org/r1494926 Log: Explicitly deny the uncovered methods in the examples Modified: tomcat/trunk/webapps/examples/WEB-INF/web.xml Modified: tomcat/trunk/webapps/examples/WEB-INF/web.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/web.xml?rev=1494926r1=1494925r2=1494926view=diff == --- tomcat/trunk/webapps/examples/WEB-INF/web.xml (original) +++ tomcat/trunk/webapps/examples/WEB-INF/web.xml Thu Jun 20 11:03:54 2013 @@ -235,12 +235,13 @@ /jsp-config security-constraint - display-nameExample Security Constraint/display-name + display-nameExample Security Constraint - part 1/display-name web-resource-collection - web-resource-nameProtected Area/web-resource-name + web-resource-nameProtected Area - Allow methods/web-resource-name !-- Define the context-relative URL(s) to be protected -- url-pattern/jsp/security/protected/*/url-pattern - !-- If you list http methods, only those methods are protected -- + !-- If you list http methods, only those methods are protected so -- + !-- the constraint below ensures all other methods are denied -- http-methodDELETE/http-method http-methodGET/http-method http-methodPOST/http-method 
@@ -252,6 +253,20 @@ role-namerole1/role-name /auth-constraint /security-constraint + security-constraint + display-nameExample Security Constraint - part 2/display-name + web-resource-collection + web-resource-nameProtected Area - Deny methods/web-resource-name + !-- Define the context-relative URL(s) to be protected -- + url-pattern/jsp/security/protected/*/url-pattern + http-method-omissionDELETE/http-method-omission + http-method-omissionGET/http-method-omission + http-method-omissionPOST/http-method-omission + http-method-omissionPUT/http-method-omission + /web-resource-collection + !-- An empty auth constraint denies access -- + auth-constraint / +/security-constraint !-- Default login configuration uses form-based authentication -- login-config - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
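Review bot: The deny constraint in part 2 only closes the gap if its `http-method-omission` list matches the `http-method` list in part 1 exactly, and nothing in the file says so. A method that appears in the omission list but not in part 1 is covered by neither constraint and stays reachable without authentication; the part 1 list continues outside the first hunk, so I cannot confirm from here that it includes PUT. I would extend the comment in part 2 to something like `<!-- Omissions must match the http-method list in part 1 exactly; a method omitted here but not listed there is left unprotected -->`.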
svn commit: r1494930 - /tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
Author: markt Date: Thu Jun 20 11:17:51 2013 New Revision: 1494930 URL: http://svn.apache.org/r1494930 Log: Another copy/paste error Also need to protect any remaining patterns with only omitted methods. Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1494930r1=1494929r2=1494930view=diff == --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Thu Jun 20 11:17:51 2013 
@@ -5473,7 +5473,44 @@ public class StandardContext extends Con standardContext.uncoveredHttpOmittedMethodFix, pattern, msg.toString().trim())); SecurityCollection collection = new SecurityCollection(); -for (String method : methods) { +for (String method : omittedMethods) { +collection.addMethod(method); +} +collection.addPattern(pattern); +collection.setName(deny-uncovered-http-methods); +SecurityConstraint constraint = new SecurityConstraint(); +constraint.setAuthConstraint(true); +constraint.addCollection(collection); +addConstraint(constraint); +} else { +log.error(sm.getString( +standardContext.uncoveredHttpOmittedMethod, +pattern, msg.toString().trim())); +} +} +} +for (Map.EntryString, SetString entry : +urlOmittedMethodMap.entrySet()) { +String pattern = entry.getKey(); +if (coveredPatterns.contains(pattern)) { +// Fully covered. Ignore any partial coverage +continue; +} + +SetString omittedMethods = entry.getValue(); + +if (omittedMethods.size() 0) { +StringBuilder msg = new StringBuilder(); +for (String method : omittedMethods) { +msg.append(method); +msg.append(' '); +} +if (getDenyUncoveredHttpMethods()) { +log.info(sm.getString( +standardContext.uncoveredHttpOmittedMethodFix, +pattern, msg.toString().trim())); +SecurityCollection collection = new SecurityCollection(); +for (String method : omittedMethods) { collection.addMethod(method); } collection.addPattern(pattern); - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
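Review bot: The block added for patterns that only have omitted methods is a near copy of the branch above it (build `msg`, log, build a `SecurityCollection`, wrap it in a `SecurityConstraint`), and the first change in this hunk is itself a fix for a copy/paste slip (`methods` instead of `omittedMethods`) in that same code. I would move the constraint construction into one private helper so both loops call it and the deny semantics are written once. Separately, a pattern present in both `urlMethodMap` and `urlOmittedMethodMap` looks as if it would be visited by both loops; the first loop starts outside the hunk, so that is worth checking. `omittedMethods.size() > 0` would also read better as `!omittedMethods.isEmpty()`.

```java
// … unchanged: log.info(sm.getString("standardContext.uncoveredHttpOmittedMethodFix", ...)) …
addConstraint(createDenyConstraint(pattern, omittedMethods));

// … unchanged: remainder of checkConstraintsForUncoveredMethods() …

/**
 * Build a constraint that denies the given methods for the given pattern.
 */
private static SecurityConstraint createDenyConstraint(String pattern,
        Set<String> methods) {
    SecurityCollection collection = new SecurityCollection();
    for (String method : methods) {
        collection.addMethod(method);
    }
    collection.addPattern(pattern);
    collection.setName("deny-uncovered-http-methods");
    SecurityConstraint constraint = new SecurityConstraint();
    // An auth constraint with no roles authorises nobody
    constraint.setAuthConstraint(true);
    constraint.addCollection(collection);
    return constraint;
}
```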
svn commit: r1494951 - in /tomcat/trunk/java/org/apache/catalina: core/LocalStrings.properties core/StandardContext.java deploy/LocalStrings.properties deploy/SecurityConstraint.java
Author: markt Date: Thu Jun 20 12:27:08 2013 New Revision: 1494951 URL: http://svn.apache.org/r1494951 Log: Refactor with a view to adding some unit tests Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties tomcat/trunk/java/org/apache/catalina/core/StandardContext.java tomcat/trunk/java/org/apache/catalina/deploy/LocalStrings.properties tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1494951r1=1494950r2=1494951view=diff == --- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Thu Jun 20 12:27:08 2013 
@@ -139,10 +139,6 @@ standardContext.servletMap.pattern=Inval standardContext.startFailed=Context [{0}] startup failed due to previous errors standardContext.startingContext=Exception starting Context with name [{0}] standardContext.stoppingContext=Exception stopping Context with name [{0}] -standardContext.uncoveredHttpMethod=For security constraints with URL pattern [{0}] only the HTTP methods [{1}] are covered. All other methods are uncovered. -standardContext.uncoveredHttpMethodFix=Adding security constraints with URL pattern [{0}] to deny access with the uncovered HTTP methods that are not one of the following [{1}] -standardContext.uncoveredHttpOmittedMethod=For security constraints with URL pattern [{0}] the HTTP methods [{1}] are uncovered. -standardContext.uncoveredHttpOmittedMethodFix=Adding security constraints with URL pattern [{0}] to deny access with the uncovered HTTP methods [{1}] standardContext.urlPattern.patternWarning=WARNING: URL pattern {0} must start with a ''/'' in Servlet 2.4 standardContext.webappClassLoader.missingProperty=Unable to set the web application class loader property [{0}] to [{1}] as the property does not exist. standardContext.workPath=Exception obtaining work path for context [{0}] Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1494951r1=1494950r2=1494951view=diff == --- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Thu Jun 20 12:27:08 2013 
@@ -5359,172 +5359,11 @@ public class StandardContext extends Con private void checkConstraintsForUncoveredMethods() { -// TODO - Add an option to lower the log level of any uncovered method -//warnings to debug -SetString coveredPatterns = new HashSet(); -MapString,SetString urlMethodMap = new HashMap(); -MapString,SetString urlOmittedMethodMap = new HashMap(); - -// First build the lists of covered patterns and those patterns that -// might be uncovered -for (SecurityConstraint constraint : constraints) { -SecurityCollection[] collections = constraint.findCollections(); -for (SecurityCollection collection : collections) { -String[] patterns = collection.findPatterns(); -String[] methods = collection.findMethods(); -String[] omittedMethods = collection.findOmittedMethods(); -// Simple case: no methods -if (methods.length == 0 omittedMethods.length == 0) { -for (String pattern : patterns) { -coveredPatterns.add(pattern); -} -continue; -} - -// Pre-calculate so we don't do this for every iteration of the -// following loop -ListString omNew = null; -if (omittedMethods.length != 0) { -omNew = Arrays.asList(omittedMethods); -} - -// Only need to process uncovered patterns -for (String pattern : patterns) { -if (!coveredPatterns.contains(pattern)) { -if (methods.length == 0) { -// Build the interset of omitted methods for this -// pattern -SetString om = urlOmittedMethodMap.get(pattern); -if (om == null) { -om = new HashSet(); -urlOmittedMethodMap.put(pattern, om); -om.addAll(omNew); -} else { -om.retainAll(omNew); -} -} else { -
buildbot exception in ASF Buildbot on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-trunk/builds/4458 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-vm_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/trunk] 1493490 Blamelist: BUILD FAILED: exception svn upload_2 sincerely, -The Buildbot
buildbot exception in ASF Buildbot on tomcat-7-trunk
The Buildbot has detected a new failure on builder tomcat-7-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-7-trunk/builds/1244 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-vm_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1493908 Blamelist: BUILD FAILED: exception svn upload_2 sincerely, -The Buildbot
buildbot failure in ASF Buildbot on tomcat-6-trunk
The Buildbot has detected a new failure on builder tomcat-6-trunk while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/tomcat-6-trunk/builds/555 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-vm_ubuntu Build Reason: scheduler Build Source Stamp: [branch tomcat/tc6.0.x/trunk] 1494081 Blamelist: BUILD FAILED: failed svn sincerely, -The Buildbot
svn commit: r1494963 - /tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java
Author: markt Date: Thu Jun 20 12:51:45 2013 New Revision: 1494963 URL: http://svn.apache.org/r1494963 Log: Some simple unit tests Modified: tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java Modified: tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java?rev=1494963r1=1494962r2=1494963view=diff == --- tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java (original) +++ tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java Thu Jun 20 12:51:45 2013 
@@ -30,13 +30,60 @@ import static org.junit.Assert.assertFal import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; +import org.junit.Assert; import org.junit.Test; +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; + public class TestSecurityConstraint { private static final String URL_PATTERN = /test; private static final String ROLE1 = R1; +private static final Log DUMMY_LOG = LogFactory.getLog(DUMMY); + +private static final SecurityConstraint GET_ONLY; +private static final SecurityConstraint POST_ONLY; + +private static final SecurityConstraint GET_OMIT; +private static final SecurityConstraint POST_OMIT; + +static { +// Configure the constraints to use in the tests +GET_ONLY = new SecurityConstraint(); +GET_ONLY.addAuthRole(ROLE1); +SecurityCollection scGetOnly = new SecurityCollection(); +scGetOnly.addMethod(GET); +scGetOnly.addPattern(URL_PATTERN); +scGetOnly.setName(GET-ONLY); +GET_ONLY.addCollection(scGetOnly); + +POST_ONLY = new SecurityConstraint(); +POST_ONLY.addAuthRole(ROLE1); +SecurityCollection scPostOnly = new SecurityCollection(); +scPostOnly.addMethod(POST); +scPostOnly.addPattern(URL_PATTERN); +scPostOnly.setName(POST_ONLY); +POST_ONLY.addCollection(scPostOnly); + +GET_OMIT = new SecurityConstraint(); +GET_OMIT.addAuthRole(ROLE1); +SecurityCollection scGetOmit = new SecurityCollection(); +scGetOmit.addOmittedMethod(GET); +scGetOmit.addPattern(URL_PATTERN); +scGetOmit.setName(GET_OMIT); +GET_OMIT.addCollection(scGetOmit); + +POST_OMIT = new SecurityConstraint(); +POST_OMIT.addAuthRole(ROLE1); +SecurityCollection scPostOmit = new SecurityCollection(); +scPostOmit.addOmittedMethod(POST); +scPostOmit.addPattern(URL_PATTERN); +scPostOmit.setName(POST_OMIT); +POST_OMIT.addCollection(scPostOmit); +} + /** * Uses the examples in SRV.13.4 as the basis for these tests */ 
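Review bot: The names given to the fixture collections are inconsistent: `scGetOnly.setName(...)` uses `GET-ONLY` while the other three use underscores (`POST_ONLY`, `GET_OMIT`, `POST_OMIT`). Nothing visible depends on the name, but it is what appears when debugging a failing constraint, so I would settle on one form. The four `SecurityConstraint` fixtures are also mutable objects shared through static fields; a short comment such as `// Shared by all tests - must not be modified` would guard against a later test altering them. The file now mixes the existing static imports (`assertTrue`, `fail`) with `Assert.`-qualified calls, and one style would be easier to read.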
@@ -205,4 +252,115 @@ public class TestSecurityConstraint { // Example 13-9 is the same as 13-7 } + +@Test +public void testFindUncoveredHttpMethods01() { +// No new constraints if denyUncoveredHttpMethods is false +SecurityConstraint[] result = +SecurityConstraint.findUncoveredHttpMethods( +new SecurityConstraint[] {GET_ONLY}, false, DUMMY_LOG); +Assert.assertEquals(0, result.length); +} + + +@Test +public void testFindUncoveredHttpMethods02() { +// No new constraints if denyUncoveredHttpMethods is false +SecurityConstraint[] result = +SecurityConstraint.findUncoveredHttpMethods( +new SecurityConstraint[] {GET_OMIT}, false, DUMMY_LOG); +Assert.assertEquals(0, result.length); +} + + +@Test +public void testFindUncoveredHttpMethods03() { +// No new constraints if denyUncoveredHttpMethods is false +SecurityConstraint[] result = +SecurityConstraint.findUncoveredHttpMethods( +new SecurityConstraint[] {POST_ONLY}, false, DUMMY_LOG); +Assert.assertEquals(0, result.length); +} + + +@Test +public void testFindUncoveredHttpMethods04() { +// No new constraints if denyUncoveredHttpMethods is false +SecurityConstraint[] result = +SecurityConstraint.findUncoveredHttpMethods( +new SecurityConstraint[] {POST_OMIT}, false, DUMMY_LOG); +Assert.assertEquals(0, result.length); +} + + +@Test +public void testFindUncoveredHttpMethods05() { +SecurityConstraint[] result = +SecurityConstraint.findUncoveredHttpMethods( +new SecurityConstraint[] {GET_ONLY}, true, DUMMY_LOG); +Assert.assertEquals(1, result.length); +// Should be a deny constraint +Assert.assertTrue(result[0].getAuthConstraint()); +// Should have a single collection +Assert.assertEquals(1,
Re: CVE-2013-1571, VU#225657
Sebb, On 6/19/13 4:26 AM, sebb wrote: On 19 June 2013 09:15, Mark Thomas ma...@apache.org wrote: On 19/06/2013 00:42, Nick Williams wrote: Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable to a frame injection attack. Oracle has provided a repair-in-place tool for Javadoc that cannot be easily regenerated, but is urging developers to regenerate whatever Javadoc they can using Java 7u25. For all practical purposes, the vulnerability really only applies to publicly-hosted Javadoc, so the Javadoc in our existing Maven artifacts, downloads, and archived downloads really doesn't have to be worried about (not that we could do anything about it). My thoughts on this: 1) We should apply the repair-in-place tool ASAP to the Javadoc on the website for Tomcat 6 and Tomcat 7. And Tomcat 5 and earlier. The javadoc for those isn't linked but remains available. I'll get on to this now. 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or better. Hmm. That will need some thought as the build needs to be run with the minimum Java version required for that major version. Maybe we can just run the Javadoc part with a different JDK. Either that, or run the fix tool over the result. This needs some investigation. There will be no fix for Java 5 or 6. Thankfully, generating Javadoc using a different JDK than you used to compile is quite easy in both Maven and Ant. In fact, I personally prefer it that way, because the Javadoc is much more visually attractive in Java 7. Hopefully it will be as simple as you suggest. I found for JMeter that the only file that needed fixing was the top-level index.html. If always true that reduces what needs to be checked-out/put back. There's also a bug in the quick-fix tool - it fails to delete the renamed original file (on Windows, which locks files from delete) because it fails to call fis.close() first. 
[The code does not check that the delete is successful either.] Should be easily possible to run the (fixed) tool on locally generated javadoc before committing in future. Wow, the code for that quick-fix tool really is awful. If run in recursive mode, it will leave every file that matches the file list (index.html, etc.) open until the finalizers run (hah). There are also swallowed exceptions, no finally blocks, etc. It looks like it was written by a novice Java programmer. The good news is that the license allows you (we) to modify the source code and redistribute it. So, we can even publish a fixed version if we choose to (rather than merely keeping it for ourselves). -chris signature.asc Description: OpenPGP digital signature
svn commit: r1494974 - /tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java
Author: markt Date: Thu Jun 20 13:19:54 2013 New Revision: 1494974 URL: http://svn.apache.org/r1494974 Log: Prevent duplicate deny constraints Modified: tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java Modified: tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java?rev=1494974r1=1494973r2=1494974view=diff == --- tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java (original) +++ tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java Thu Jun 20 13:19:54 2013 @@ -683,7 +683,7 @@ public class SecurityConstraint implemen continue; } -SetString omittedMethods = urlOmittedMethodMap.get(pattern); +SetString omittedMethods = urlOmittedMethodMap.remove(pattern); SetString methods = entry.getValue(); if (omittedMethods == null) { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
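Review bot: Switching `get` to `remove` makes this lookup mutate `urlOmittedMethodMap` as a side effect, and nothing on the line says why. Going by the commit message, it is there so the later pass over `urlOmittedMethodMap` does not emit a second deny constraint for a pattern this loop has already handled; both loops lie outside the hunk. A why-comment would stop someone from tidying it back to `get`, e.g. `// Remove so the omitted-methods pass below does not process this pattern again`.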
svn commit: r1494975 - /tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java
Author: markt Date: Thu Jun 20 13:20:08 2013 New Revision: 1494975 URL: http://svn.apache.org/r1494975 Log: Some more unit tests Modified: tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java Modified: tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java?rev=1494975r1=1494974r2=1494975view=diff == --- tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java (original) +++ tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java Thu Jun 20 13:20:08 2013 
@@ -363,4 +363,96 @@ public class TestSecurityConstraint {
 Assert.assertEquals(1, sc.findMethods().length);
 Assert.assertEquals(POST, sc.findMethods()[0]);
 }
+
+
+@Test
+public void testFindUncoveredHttpMethods09() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_ONLY, GET_OMIT}, true,
+DUMMY_LOG);
+Assert.assertEquals(0, result.length);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods10() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {POST_ONLY, POST_OMIT}, true,
+DUMMY_LOG);
+Assert.assertEquals(0, result.length);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods11() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_ONLY, POST_ONLY}, true,
+DUMMY_LOG);
+Assert.assertEquals(1, result.length);
+// Should be a deny constraint
+Assert.assertTrue(result[0].getAuthConstraint());
+// Should have a single collection
+Assert.assertEquals(1, result[0].findCollections().length);
+SecurityCollection sc = result[0].findCollections()[0];
+// Should list GET and POST as omitted methods
+Assert.assertEquals(0, sc.findMethods().length);
+Assert.assertEquals(2, sc.findOmittedMethods().length);
+HashSetString omittedMethods = new HashSet();
+for (String omittedMethod : sc.findOmittedMethods()) {
+omittedMethods.add(omittedMethod);
+}
+Assert.assertTrue(omittedMethods.remove(GET));
+Assert.assertTrue(omittedMethods.remove(POST));
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods12() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_OMIT, POST_OMIT}, true,
+DUMMY_LOG);
+Assert.assertEquals(0, result.length);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods13() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_ONLY, POST_OMIT}, true,
+DUMMY_LOG);
+Assert.assertEquals(1, result.length);
+// Should be a deny constraint
+Assert.assertTrue(result[0].getAuthConstraint());
+// Should have a single collection
+Assert.assertEquals(1, result[0].findCollections().length);
+SecurityCollection sc = result[0].findCollections()[0];
+// Should list POST as a method
+Assert.assertEquals(1, sc.findMethods().length);
+Assert.assertEquals(0, sc.findOmittedMethods().length);
+Assert.assertEquals(POST, sc.findMethods()[0]);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods14() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_OMIT, POST_ONLY}, true,
+DUMMY_LOG);
+Assert.assertEquals(1, result.length);
+// Should be a deny constraint
+Assert.assertTrue(result[0].getAuthConstraint());
+// Should have a single collection
+Assert.assertEquals(1, result[0].findCollections().length);
+SecurityCollection sc = result[0].findCollections()[0];
+// Should list GET as a method
+Assert.assertEquals(1, sc.findMethods().length);
+Assert.assertEquals(0, sc.findOmittedMethods().length);
+Assert.assertEquals(GET, sc.findMethods()[0]);
+}
 }
- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
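Review bot: The "Should be a deny constraint" checks in testFindUncoveredHttpMethods11, 13 and 14 assert only `getAuthConstraint()`, which would also hold for a constraint that admits some role, so they do not prove that the generated constraint denies access. Adding `Assert.assertEquals(0, result[0].findAuthRoles().length);` after each of them would pin the empty role list that makes it a deny. All six new tests pass `true` as the third argument, presumably the deny flag; whether the log-only path is covered by the earlier tests is not visible in this hunk.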
svn commit: r1494978 - /tomcat/trunk/webapps/docs/changelog.xml
Author: markt Date: Thu Jun 20 13:25:03 2013 New Revision: 1494978 URL: http://svn.apache.org/r1494978 Log: Servlet 3.1 implementation is complete Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1494978r1=1494977r2=1494978view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Thu Jun 20 13:25:03 2013 @@ -51,6 +51,10 @@ subsection name=Catalina changelog add +Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes +contributions from Nick Williams. (markt) + /add + add Implement JSR 356 - WebSockets. The JSR 356 implementation includes contributions from Nick Williams and Rossen Stoyanchev. (markt) /add @@ -116,12 +120,6 @@ Port storeconfig functionality, which can persist to server.xml and context.xml runtime container configuration changes. (remm) /add - add -bug54552/bug: Servlet 3.1. Implement -codeHttpSessionIdListener/code and -codeHttpServletRequest#changeSessionId()/code. Patch provided by -Nick Williams. (markt) - /add fix bug54708/bug: Change the name of the working directory for the ROOT application (located under $CATALINA_BASE/work by default) from _ to - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1494982 - /tomcat/trunk/webapps/docs/changelog.xml
Author: markt Date: Thu Jun 20 13:28:16 2013 New Revision: 1494982 URL: http://svn.apache.org/r1494982 Log: Fix whitespace Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1494982r1=1494981r2=1494982view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Thu Jun 20 13:28:16 2013 @@ -52,7 +52,7 @@ changelog add Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes -contributions from Nick Williams. (markt) +contributions from Nick Williams. (markt) /add add Implement JSR 356 - WebSockets. The JSR 356 implementation includes - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: CVE-2013-1571, VU#225657
On 20 June 2013 14:16, Christopher Schultz ch...@christopherschultz.net wrote: Sebb, On 6/19/13 4:26 AM, sebb wrote: On 19 June 2013 09:15, Mark Thomas ma...@apache.org wrote: On 19/06/2013 00:42, Nick Williams wrote: Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable to a frame injection attack. Oracle has provided a repair-in-place tool for Javadoc that cannot be easily regenerated, but is urging developers to regenerate whatever Javadoc they can using Java 7u25. For all practical purposes, the vulnerability really only applies to publicly-hosted Javadoc, so the Javadoc in our existing Maven artifacts, downloads, and archived downloads really doesn't have to be worried about (not that we could do anything about it). My thoughts on this: 1) We should apply the repair-in-place tool ASAP to the Javadoc on the website for Tomcat 6 and Tomcat 7. And Tomcat 5 and earlier. The javadoc for those isn't linked but remains available. I'll get on to this now. 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or better. Hmm. That will need some thought as the build needs to be run with the minimum Java version required for that major version. Maybe we can just run the Javadoc part with a different JDK. Either that, or run the fix tool over the result. This needs some investigation. There will be no fix for Java 5 or 6. Thankfully, generating Javadoc using a different JDK than you used to compile is quite easy in both Maven and Ant. In fact, I personally prefer it that way, because the Javadoc is much more visually attractive in Java 7. Hopefully it will be as simple as you suggest. I found for JMeter that the only file that needed fixing was the top-level index.html. If always true that reduces what needs to be checked-out/put back. 
There's also a bug in the quick-fix tool - it fails to delete the renamed original file (on Windows, which locks files from delete) because it fails to call fis.close() first. [The code does not check that the delete is successful either.] Should be easily possible to run the (fixed) tool on locally generated javadoc before committing in future. Wow, the code for that quick-fix tool really is awful. If run in recursive mode, it will leave every file that matches the file list (index.html, etc.) open until the finalizers run (hah). There are also swallowed exceptions, no finally blocks, etc. I've made some fixes (resource closures); these are at: https://svn.apache.org/repos/asf/commons/proper/commons-javadocfix-plugin/trunk/src/main/java/org/apache/commons/plugins/javadocfix/JavadocFixTool.java Comments welcome if you spot any more. [If you checkout [1] and mvn install the plugin, you should be able to run it locally] [1] https://svn.apache.org/repos/asf/commons/proper/commons-javadocfix-plugin/trunk/ It looks like it was written by a novice Java programmer. Who either did not use an IDE or ignored the warnings. The good news is that the license allows you (we) to modify the source code and redistribute it. So, we can even publish a fixed version if we choose to (rather than merely keeping it for ourselves). That's how I read it too. -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1494999 - in /tomcat/trunk: conf/context.xml webapps/docs/changelog.xml
Author: markt Date: Thu Jun 20 13:50:49 2013 New Revision: 1494999 URL: http://svn.apache.org/r1494999 Log: Make changes to global web.xml trigger reloads Modified: tomcat/trunk/conf/context.xml tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/conf/context.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/context.xml?rev=1494999r1=1494998r2=1494999view=diff == --- tomcat/trunk/conf/context.xml (original) +++ tomcat/trunk/conf/context.xml Thu Jun 20 13:50:49 2013 @@ -18,8 +18,10 @@ !-- The contents of this file will be loaded for each web application -- Context -!-- Default set of monitored resources -- +!-- Default set of monitored resources. If one of these changes, the -- +!-- web application will be reloaded. -- WatchedResourceWEB-INF/web.xml/WatchedResource +WatchedResource${catalina.base}/conf/web.xml/WatchedResource !-- Uncomment this to disable session persistence across Tomcat restarts -- !-- Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1494999r1=1494998r2=1494999view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Thu Jun 20 13:50:49 2013 @@ -125,6 +125,10 @@ application (located under $CATALINA_BASE/work by default) from _ to ROOT. (markt) /fix + add +Change default configuration so that a change to the global web.xml file +will trigger a reload of all web applications. (markt) + /add /changelog /subsection subsection name=Coyote - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
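Review bot: The new comment in conf/context.xml says the web application "will be reloaded" without naming the condition; as far as I know watched resources are only polled when the owning Host has automatic deployment enabled, so the sentence overstates what happens on an install where that is switched off. Because `${catalina.base}/conf/web.xml` is now watched by every context, a single write to that file reloads all applications at once, which makes the file's permissions worth a mention in the docs. I would word the comment as `Default set of monitored resources. If one of these changes and the Host auto-deploys, the web application will be reloaded.`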
svn commit: r1495015 - /tomcat/trunk/webapps/docs/jndi-resources-howto.xml
Author: markt Date: Thu Jun 20 14:24:34 2013 New Revision: 1495015 URL: http://svn.apache.org/r1495015 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53665 Document when a javax.mail.Authenticator is configured. Modified: tomcat/trunk/webapps/docs/jndi-resources-howto.xml Modified: tomcat/trunk/webapps/docs/jndi-resources-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/jndi-resources-howto.xml?rev=1495015r1=1495014r2=1495015view=diff == --- tomcat/trunk/webapps/docs/jndi-resources-howto.xml (original) +++ tomcat/trunk/webapps/docs/jndi-resources-howto.xml Thu Jun 20 14:24:34 2013 @@ -509,8 +509,13 @@ Transport.send(message); codejavax.mail.Session.getInstance(java.util.Properties)/code as part of the codejava.util.Properties/code collection. In addition to the properties defined in Annex A of the JavaMail specification, individual -providers may also support additional properties like codepassword/code. +providers may also support additional properties. /p + +pIf the resource is configured with a codepassword/code attribute and +either a codemail.smtp.user/code or codemail.user/code attribute +then Tomcatapos;s resource factory will configure and add a +codejavax.mail.Authenticator/code to the mail session./p h34. Install the JavaMail libraries/h3 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495016 - in /tomcat/tc7.0.x/trunk: ./ webapps/docs/changelog.xml webapps/docs/jndi-resources-howto.xml
Author: markt Date: Thu Jun 20 14:26:40 2013 New Revision: 1495016 URL: http://svn.apache.org/r1495016 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53665 Document when a javax.mail.Authenticator is configured. Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml tomcat/tc7.0.x/trunk/webapps/docs/jndi-resources-howto.xml Propchange: tomcat/tc7.0.x/trunk/ -- Merged /tomcat/trunk:r1495015 Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495016r1=1495015r2=1495016view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jun 20 14:26:40 2013 @@ -103,6 +103,11 @@ Complete the document for codeMessageDispatch15Interceptor/code. (kfujino) /add + add +bug53655/bug: Document the circumstances under which Tomcat will add +a codejavax.mail.Authenticator/code to mail sessions created via a +JNDI resource. (markt) + /add /changelog /subsection subsection name=Other Modified: tomcat/tc7.0.x/trunk/webapps/docs/jndi-resources-howto.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/jndi-resources-howto.xml?rev=1495016r1=1495015r2=1495016view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/jndi-resources-howto.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/jndi-resources-howto.xml Thu Jun 20 14:26:40 2013 
@@ -509,8 +509,13 @@ Transport.send(message); codejavax.mail.Session.getInstance(java.util.Properties)/code as part of the codejava.util.Properties/code collection. In addition to the properties defined in Annex A of the JavaMail specification, individual -providers may also support additional properties like codepassword/code. +providers may also support additional properties. /p + +pIf the resource is configured with a codepassword/code attribute and +either a codemail.smtp.user/code or codemail.user/code attribute +then Tomcatapos;s resource factory will configure and add a +codejavax.mail.Authenticator/code to the mail session./p h34. Install the JavaMail libraries/h3 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 53665] Minor JNDI Howto document enhancement concerning mail properties
https://issues.apache.org/bugzilla/show_bug.cgi?id=53665 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #2 from Mark Thomas ma...@apache.org --- This has been fixed in trunk and 7.0.x and will be included in 7.0.42 onwards. I based the changes on the information in the SO question rather than the suggested patch as it provides a little more concrete information about what is going on. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 53776] Multitenancy support for JDBCRealm
https://issues.apache.org/bugzilla/show_bug.cgi?id=53776 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |WONTFIX --- Comment #3 from Mark Thomas ma...@apache.org --- As per previous comment. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 54499] Implementation of Extensible EL Interpreter
https://issues.apache.org/bugzilla/show_bug.cgi?id=54499 --- Comment #7 from Mark Thomas ma...@apache.org --- I'm +0 to include this in trunk. What do other committers think? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 54503] SAML2 based single sign on
https://issues.apache.org/bugzilla/show_bug.cgi?id=54503 --- Comment #3 from Mark Thomas ma...@apache.org --- That is a big patch. I have one immediate concern with the proposed patch which is the unknown licensing of the new JAR file. Looking more broadly, I think it would be worth (re-)considering adding JASPIC to Tomcat. Most of the code should be available in TomEE. That would then provide a standard mechanism to plug-in additional authentication mechanisms such as SAML2. At the moment, I'd be happier with SAML2 as an optional extra rather than as a core component. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495043 - /tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
Author: markt Date: Thu Jun 20 15:07:55 2013 New Revision: 1495043 URL: http://svn.apache.org/r1495043 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54745 Fix JarScanning when Tomcat is started via Java WebStart. Patch provided by Nick Williams. Modified: tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java Modified: tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java?rev=1495043r1=1495042r2=1495043view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java Thu Jun 20 15:07:55 2013 @@ -290,7 +290,8 @@ public class StandardJarScanner implemen callback.scan((JarURLConnection) conn, isWebapp); } else { String urlStr = url.toString(); -if (urlStr.startsWith(file:) || urlStr.startsWith(jndi:)) { +if (urlStr.startsWith(file:) || urlStr.startsWith(jndi:) || +urlStr.startsWith(http:) || urlStr.startsWith(https:)) { if (urlStr.endsWith(Constants.JAR_EXT)) { URL jarURL = new URL(jar: + urlStr + !/); callback.scan((JarURLConnection) jarURL.openConnection(), - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
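Review bot: With `http:` and `https:` accepted, the branch that builds the `jar:` URL now opens a connection to a remote host during scanning, and the condition carries no comment saying why remote schemes are acceptable here. The commit log and bug 54745 give the reason (class path entries are remote URLs when Tomcat is started via Java Web Start), so I would record it above the condition: `// http(s): class path entries when started via Java Web Start (bug 54745)`. Plain `http:` gives the fetched JAR no transport integrity, which deserves a word in that comment or in the scanner documentation. Comparing `url.getProtocol()` against the scheme names would also read better than chained `startsWith` calls on the string form. The same condition is added in the 7.0.x backport (r1495046), and the enclosing method starts outside the hunk.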
svn commit: r1495046 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/tomcat/util/scan/StandardJarScanner.java webapps/docs/changelog.xml
Author: markt Date: Thu Jun 20 15:10:22 2013 New Revision: 1495046 URL: http://svn.apache.org/r1495046 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54745 Fix JarScanning when Tomcat is started via Java WebStart. Patch provided by Nick Williams. Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc7.0.x/trunk/ -- Merged /tomcat/trunk:r1495043 Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java?rev=1495046r1=1495045r2=1495046view=diff == --- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java Thu Jun 20 15:10:22 2013 @@ -252,7 +252,8 @@ public class StandardJarScanner implemen callback.scan((JarURLConnection) conn); } else { String urlStr = url.toString(); -if (urlStr.startsWith(file:) || urlStr.startsWith(jndi:)) { +if (urlStr.startsWith(file:) || urlStr.startsWith(jndi:) || +urlStr.startsWith(http:) || urlStr.startsWith(https:)) { if (urlStr.endsWith(Constants.JAR_EXT)) { URL jarURL = new URL(jar: + urlStr + !/); callback.scan((JarURLConnection) jarURL.openConnection()); Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495046r1=1495045r2=1495046view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jun 20 15:10:22 2013 
@@ -70,6 +70,10 @@ methods that does not include GET. (markt) /fix fix +bug54745/bug: Fix JAR file scanning when Tomcat is deployed via Java +Web Start. Patch provided by Nick Williams. (markt) + /fix + fix bug55073/bug, bug55108/bug, bug55109/bug amp; bug55110/bug: Small performance improvements. Patches provided by Adrian Nistor. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 54745] Tomcat JarScanning does not work when Tomcat started with Java Web Start
https://issues.apache.org/bugzilla/show_bug.cgi?id=54745 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #3 from Mark Thomas ma...@apache.org --- Having looked at this more closely, the JARs must already be on the class path so I don't see any issues. The patch has been applied to trunk and 7.0.x and will be included in 7.0.42 onwards. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 54808] Add numberOfVersionsToKeep when undeployOldVersions is set to true
https://issues.apache.org/bugzilla/show_bug.cgi?id=54808 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |WONTFIX --- Comment #3 from Mark Thomas ma...@apache.org --- It has been a month without any further feedback so I am resolving this as WONTFIX. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495047 - /tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
Author: markt Date: Thu Jun 20 15:14:02 2013 New Revision: 1495047 URL: http://svn.apache.org/r1495047 Log: Fix indent Modified: tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java Modified: tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java?rev=1495047r1=1495046r2=1495047view=diff == --- tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java Thu Jun 20 15:14:02 2013 @@ -291,7 +291,7 @@ public class StandardJarScanner implemen } else { String urlStr = url.toString(); if (urlStr.startsWith(file:) || urlStr.startsWith(jndi:) || -urlStr.startsWith(http:) || urlStr.startsWith(https:)) { +urlStr.startsWith(http:) || urlStr.startsWith(https:)) { if (urlStr.endsWith(Constants.JAR_EXT)) { URL jarURL = new URL(jar: + urlStr + !/); callback.scan((JarURLConnection) jarURL.openConnection(), - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 54745] Tomcat JarScanning does not work when Tomcat started with Java Web Start
https://issues.apache.org/bugzilla/show_bug.cgi?id=54745 --- Comment #4 from Nick Williams nicho...@nicholaswilliams.net --- Excellent! Thanks! -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: CVE-2013-1571, VU#225657
Sebb, On 6/20/13 9:31 AM, sebb wrote: On 20 June 2013 14:16, Christopher Schultz ch...@christopherschultz.net wrote: Sebb, On 6/19/13 4:26 AM, sebb wrote: On 19 June 2013 09:15, Mark Thomas ma...@apache.org wrote: On 19/06/2013 00:42, Nick Williams wrote: Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable to a frame injection attack. Oracle has provided a repair-in-place tool for Javadoc that cannot be easily regenerated, but is urging developers to regenerate whatever Javadoc they can using Java 7u25. For all practical purposes, the vulnerability really only applies to publicly-hosted Javadoc, so the Javadoc in our existing Maven artifacts, downloads, and archived downloads really doesn't have to be worried about (not that we could do anything about it). My thoughts on this: 1) We should apply the repair-in-place tool ASAP to the Javadoc on the website for Tomcat 6 and Tomcat 7. And Tomcat 5 and earlier. The javadoc for those isn't linked but remains available. I'll get on to this now. 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or better. Hmm. That will need some thought as the build needs to be run with the minimum Java version required for that major version. Maybe we can just run the Javadoc part with a different JDK. Either that, or run the fix tool over the result. This needs some investigation. There will be no fix for Java 5 or 6. Thankfully, generating Javadoc using a different JDK than you used to compile is quite easy in both Maven and Ant. In fact, I personally prefer it that way, because the Javadoc is much more visually attractive in Java 7. Hopefully it will be as simple as you suggest. I found for JMeter that the only file that needed fixing was the top-level index.html. If always true that reduces what needs to be checked-out/put back. 
There's also a bug in the quick-fix tool - it fails to delete the renamed original file (on Windows, which locks files from delete) because it fails to call fis.close() first. [The code does not check that the delete is successful either.] Should be easily possible to run the (fixed) tool on locally generated javadoc before committing in future. Wow, the code for that quick-fix tool really is awful. If run in recursive mode, it will leave every file that matches the file list (index.html, etc.) open until the finalizers run (hah). There are also swallowed exceptions, no finally blocks, etc. I've made some fixes (resource closures); these are at: https://svn.apache.org/repos/asf/commons/proper/commons-javadocfix-plugin/trunk/src/main/java/org/apache/commons/plugins/javadocfix/JavadocFixTool.java Comments welcome if you spot any more. I think you want to do a lot of the close() operations in finally blocks, in case exceptions occur. While it probably won't allow the program to function any better (that is, the old file need not be deleted unless it is successfully-processed), it will reduce the number of file handles kept open by the process. -chris signature.asc Description: OpenPGP digital signature
Re: CVE-2013-1571, VU#225657
On 20 June 2013 16:33, Christopher Schultz ch...@christopherschultz.net wrote: Sebb, On 6/20/13 9:31 AM, sebb wrote: On 20 June 2013 14:16, Christopher Schultz ch...@christopherschultz.net wrote: Sebb, On 6/19/13 4:26 AM, sebb wrote: On 19 June 2013 09:15, Mark Thomas ma...@apache.org wrote: On 19/06/2013 00:42, Nick Williams wrote: Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java 7 < 7u25 is vulnerable to a frame injection attack. Oracle has provided a repair-in-place tool for Javadoc that cannot be easily regenerated, but is urging developers to regenerate whatever Javadoc they can using Java 7u25. For all practical purposes, the vulnerability really only applies to publicly-hosted Javadoc, so the Javadoc in our existing Maven artifacts, downloads, and archived downloads really doesn't have to be worried about (not that we could do anything about it). My thoughts on this: 1) We should apply the repair-in-place tool ASAP to the Javadoc on the website for Tomcat 6 and Tomcat 7. And Tomcat 5 and earlier. The javadoc for those isn't linked but remains available. I'll get on to this now. 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or better. Hmm. That will need some thought as the build needs to be run with the minimum Java version required for that major version. Maybe we can just run the Javadoc part with a different JDK. Either that, or run the fix tool over the result. This needs some investigation. There will be no fix for Java 5 or 6. Thankfully, generating Javadoc using a different JDK than you used to compile is quite easy in both Maven and Ant. In fact, I personally prefer it that way, because the Javadoc is much more visually attractive in Java 7. Hopefully it will be as simple as you suggest. I found for JMeter that the only file that needed fixing was the top-level index.html. If always true that reduces what needs to be checked-out/put back. 
There's also a bug in the quick-fix tool - it fails to delete the renamed original file (on Windows, which locks files from delete) because it fails to call fis.close() first. [The code does not check that the delete is successful either.] Should be easily possible to run the (fixed) tool on locally generated javadoc before committing in future. Wow, the code for that quick-fix tool really is awful. If run in recursive mode, it will leave every file that matches the file list (index.html, etc.) open until the finalizers run (hah). There are also swallowed exceptions, no finally blocks, etc. I've made some fixes (resource closures); these are at: https://svn.apache.org/repos/asf/commons/proper/commons-javadocfix-plugin/trunk/src/main/java/org/apache/commons/plugins/javadocfix/JavadocFixTool.java Comments welcome if you spot any more. I think you want to do a lot of the close() operations in finally blocks, in case exceptions occur. Agreed, but it was simpler to just fix the main-line code. At least now the resources are closed if exceptions don't occur - which was not the case previously. While it probably won't allow the program to function any better (that is, the old file need not be deleted unless it is successfully-processed), it will reduce the number of file handles kept open by the process. Just noticed that the original file is renamed too early. If the code generates an IOE before the temporary file is completed and the rename attempted, the user is not informed that the file has been renamed. -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55017] Ability to configure RMI bind address
https://issues.apache.org/bugzilla/show_bug.cgi?id=55017 --- Comment #12 from Mark Thomas ma...@apache.org --- Overall patch looks OK. One question: Why are SSL and rmiBindAddress mutually exclusive? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55017] Ability to configure RMI bind address
https://issues.apache.org/bugzilla/show_bug.cgi?id=55017 --- Comment #13 from Alexey Noskov alexey.nos...@gmail.com --- It's because I found no way to specify bind address when using SslRMIServerSocketFactory. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 54503] SAML2 based single sign on
https://issues.apache.org/bugzilla/show_bug.cgi?id=54503 --- Comment #4 from Toby Hobson toby.hob...@cloudseal.com --- (In reply to Mark Thomas from comment #3) That is a big patch. I have one immediate concern with the proposed patch which is the unknown licensing of the new JAR file. Looking more broadly, I think it would be worth (re-)considering adding JASPIC to Tomcat. Most of the code should be available in TomEE. That would then provide a standard mechanism to plug-in additional authentication mechanisms such as SAML2. At the moment, I'd be happier with SAML2 as an optional extra rather than as a core component. Which jar? saml2-core is licensed under Apache 2 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55017] Ability to configure RMI bind address
https://issues.apache.org/bugzilla/show_bug.cgi?id=55017 --- Comment #14 from Mark Thomas ma...@apache.org --- I see what you mean. Fair enough. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495154 - /tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
Author: markt Date: Thu Jun 20 20:01:07 2013 New Revision: 1495154 URL: http://svn.apache.org/r1495154 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55071 Remove unnecessary call to commit(). The rs.close() just above will commit anything that needs to be committed. Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495154r1=1495153r2=1495154view=diff == --- tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original) +++ tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 20 20:01:07 2013 @@ -557,7 +557,6 @@ public class JDBCRealm containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet)); } } -dbConnection.commit(); } } catch (SQLException e) { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495155 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/realm/JDBCRealm.java webapps/docs/changelog.xml
Author: markt Date: Thu Jun 20 20:04:03 2013 New Revision: 1495155 URL: http://svn.apache.org/r1495155 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55071 Remove unnecessary call to commit(). The rs.close() just above will commit anything that needs to be committed. Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc7.0.x/trunk/ -- Merged /tomcat/trunk:r1495154 Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495155r1=1495154r2=1495155view=diff == --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 20 20:04:03 2013 @@ -576,7 +576,6 @@ public class JDBCRealm containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet)); } } -dbConnection.commit(); } } catch (SQLException e) { Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495155r1=1495154r2=1495155view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jun 20 20:04:03 2013 @@ -74,6 +74,10 @@ Web Start. Patch provided by Nick Williams. (markt) /fix fix +bug55071/bug: Ensure original exception is reported if JDBC Realm +fails to read a userapos;s credentials. (markt) + /fix + fix bug55073/bug, bug55108/bug, bug55109/bug amp; bug55110/bug: Small performance improvements. Patches provided by Adrian Nistor. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55071] try finally catch structure masks original exception in JDBCRealm.getPassword()
https://issues.apache.org/bugzilla/show_bug.cgi?id=55071 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #5 from Mark Thomas ma...@apache.org --- Ah, the joys of svn archeology. The dbConnection.commit() is a result of fixing 10623. I am not convinced it was ever necessary. The fix for 10623 also added the rs.close() which does essentially the same thing. This has been fixed in trunk and 7.0.x and will be included in 7.0.42 onwards. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 54756] EXCEPTION_ACCESS_VIOLATION with APR crashing Tomcat
https://issues.apache.org/bugzilla/show_bug.cgi?id=54756 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEEDINFO|RESOLVED Resolution|--- |FIXED --- Comment #10 from Mark Thomas ma...@apache.org --- No further reports of errors in almost 2 months. I am going to assume that this issue is fixed. Feel free to re-open it if that is not the case. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55078] Configuring a DataSource Resource with dataSourceJNDI does not work as expected
https://issues.apache.org/bugzilla/show_bug.cgi?id=55078 Mark Thomas ma...@apache.org changed: What|Removed |Added Component|Catalina|jdbc-pool Version|trunk |unspecified Product|Tomcat 7|Tomcat Modules --- Comment #4 from Mark Thomas ma...@apache.org --- Moving to the correct project. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495169 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ test/org/apache/catalina/authenticator/ webapps/docs/
Author: markt Date: Thu Jun 20 20:36:08 2013 New Revision: 1495169 URL: http://svn.apache.org/r1495169 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55101 Make BASIC auth parsing more tolerant of whitespace. Added: tomcat/trunk/test/org/apache/catalina/authenticator/TestBasicAuthParser.java (with props) Modified: tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java tomcat/trunk/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=1495169r1=1495168r2=1495169view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java Thu Jun 20 20:36:08 2013 @@ -44,8 +44,7 @@ import org.apache.tomcat.util.codec.bina * @version $Id$ */ -public class BasicAuthenticator -extends AuthenticatorBase { +public class BasicAuthenticator extends AuthenticatorBase { private static final Log log = LogFactory.getLog(BasicAuthenticator.class); @@ -98,9 +97,6 @@ public class BasicAuthenticator } // Validate any credentials already included with this request -String username = null; -String password = null; - MessageBytes authorization = request.getCoyoteRequest().getMimeHeaders() .getValue(authorization); 
@@ -108,44 +104,27 @@ public class BasicAuthenticator if (authorization != null) { authorization.toBytes(); ByteChunk authorizationBC = authorization.getByteChunk(); -if (authorizationBC.startsWithIgnoreCase(basic , 0)) { -authorizationBC.setOffset(authorizationBC.getOffset() + 6); - -byte[] decoded = Base64.decodeBase64( -authorizationBC.getBuffer(), -authorizationBC.getOffset(), -authorizationBC.getLength()); - -// Get username and password -int colon = -1; -for (int i = 0; i decoded.length; i++) { -if (decoded[i] == ':') { -colon = i; -break; -} -} - -if (colon 0) { -username = new String(decoded, B2CConverter.ISO_8859_1); -} else { -username = new String( -decoded, 0, colon, B2CConverter.ISO_8859_1); -password = new String( -decoded, colon + 1, decoded.length - colon - 1, -B2CConverter.ISO_8859_1); +BasicCredentials credentials = null; +try { +credentials = new BasicCredentials(authorizationBC); +String username = credentials.getUsername(); +String password = credentials.getPassword(); + +principal = context.getRealm().authenticate(username, password); +if (principal != null) { +register(request, response, principal, +HttpServletRequest.BASIC_AUTH, username, password); +return (true); } - -authorizationBC.setOffset(authorizationBC.getOffset() - 6); } - -principal = context.getRealm().authenticate(username, password); -if (principal != null) { -register(request, response, principal, -HttpServletRequest.BASIC_AUTH, username, password); -return (true); +catch (IllegalArgumentException iae) { +if (log.isDebugEnabled()) { +log.debug(Invalid Authorization + iae.getMessage()); +} } } +// the request could not be authenticated, so reissue the challenge StringBuilder value = new StringBuilder(16); value.append(Basic realm=\); value.append(getRealmName(context)); 
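Review bot: The `catch (IllegalArgumentException iae)` in this hunk covers more than the header parse: `context.getRealm().authenticate(username, password)` and `register(...)` sit inside the same `try`, so an IllegalArgumentException raised by a realm implementation or by registration would be reported as an invalid Authorization header, logged at debug level only, and answered with a fresh challenge. Limiting the `try` to `new BasicCredentials(authorizationBC)` keeps malformed-header handling separate from back-end failures. The debug line also appends `iae.getMessage()`; the parser's messages are not visible here (the BasicCredentials hunk is cut off), so it is worth confirming that none of them echo decoded header content into the log. The enclosing method begins and ends outside this hunk.

```java
BasicCredentials credentials = null;
try {
    // only the header parse is expected to reject the input
    credentials = new BasicCredentials(authorizationBC);
} catch (IllegalArgumentException iae) {
    if (log.isDebugEnabled()) {
        log.debug("Invalid Authorization" + iae.getMessage());
    }
}
if (credentials != null) {
    String username = credentials.getUsername();
    String password = credentials.getPassword();
    // … unchanged: realm authenticate() and register() calls …
}
```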
@@ -156,9 +135,139 @@ public class BasicAuthenticator } - @Override protected String getAuthMethod() { return HttpServletRequest.BASIC_AUTH; } + + +/** + * Parser for an HTTP Authorization header for BASIC authentication + * as per RFC 2617 section 2, and the Base64 encoded credentials as + * per RFC 2045 section 6.8. + */ +protected static class BasicCredentials { + +// the only authentication method supported by this parser +// note: we include single white space as its delimiter +private static final String
[Bug 55101] BasicAuthenticator parser and associated unit tests
https://issues.apache.org/bugzilla/show_bug.cgi?id=55101 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #3 from Mark Thomas ma...@apache.org --- Thanks for the patches. They have been applied to trunk and will be included in Tomcat 8.0.0 onwards. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1495155 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/realm/JDBCRealm.java webapps/docs/changelog.xml
2013/6/21 ma...@apache.org: Author: markt Date: Thu Jun 20 20:04:03 2013 New Revision: 1495155 URL: http://svn.apache.org/r1495155 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55071 Remove unnecessary call to commit(). The rs.close() just above will commit anything that needs to be committed. I think you are wrong here. rs.close() will commit happens only when autoCommit is set to true (looking at java.sql.Connection javadoc linked in comment 2 of the bugzilla issue). JDBCRealm runs with setAutoCommit(false) (around line 721 in its open() method) Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc7.0.x/trunk/ -- Merged /tomcat/trunk:r1495154 Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495155r1=1495154r2=1495155view=diff == --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 20 20:04:03 2013 @@ -576,7 +576,6 @@ public class JDBCRealm containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet)); } } -dbConnection.commit(); } } catch (SQLException e) { Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495155r1=1495154r2=1495155view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jun 20 20:04:03 2013 
@@ -74,6 +74,10 @@ Web Start. Patch provided by Nick Williams. (markt) /fix fix +bug55071/bug: Ensure original exception is reported if JDBC Realm +fails to read a userapos;s credentials. (markt) + /fix + fix bug55073/bug, bug55108/bug, bug55109/bug amp; bug55110/bug: Small performance improvements. Patches provided by Adrian Nistor. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1495155 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/realm/JDBCRealm.java webapps/docs/changelog.xml
On 20/06/2013 21:51, Konstantin Kolinko wrote: 2013/6/21 ma...@apache.org: Author: markt Date: Thu Jun 20 20:04:03 2013 New Revision: 1495155 URL: http://svn.apache.org/r1495155 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55071 Remove unnecessary call to commit(). The rs.close() just above will commit anything that needs to be committed. I think you are wrong here. Quite possibly :) rs.close() will commit happens only when autoCommit is set to true (looking at java.sql.Connection javadoc linked in comment 2 of the bugzilla issue). JDBCRealm runs with setAutoCommit(false) (around line 721 in its open() method) I'll go and re-read the docs... Yep. I mis-read it. I'll fix that now. Mark Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc7.0.x/trunk/ -- Merged /tomcat/trunk:r1495154 Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495155r1=1495154r2=1495155view=diff == --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 20 20:04:03 2013 @@ -576,7 +576,6 @@ public class JDBCRealm containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet)); } } -dbConnection.commit(); } } catch (SQLException e) { Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495155r1=1495154r2=1495155view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jun 20 20:04:03 2013 
@@ -74,6 +74,10 @@ Web Start. Patch provided by Nick Williams. (markt) /fix fix +bug55071/bug: Ensure original exception is reported if JDBC Realm +fails to read a userapos;s credentials. (markt) + /fix + fix bug55073/bug, bug55108/bug, bug55109/bug amp; bug55110/bug: Small performance improvements. Patches provided by Adrian Nistor. (markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [Bug 55102] New: Add ability to report time taken to prepare response
On Jun 15, 2013, at 10:09 AM, bugzi...@apache.org wrote: https://issues.apache.org/bugzilla/show_bug.cgi?id=55102 Summary: Add ability to report time taken to prepare response Created attachment 30438 -- https://issues.apache.org/bugzilla/attachment.cgi?id=30438action=edit Patch against trunk@r1493385 to record and output time to commit Tomcat's AccessLogValve is able to report the time taken to send an entire request using %D. This is the total processing time and may be affected by network conditions. It is sometimes useful to be able to record the time taken by the server to prepare the response and send the first content to the client. Attached is a patch that records the time the response is committed and then allows that to be reported in the access log using a '%F' pattern (which is the same as used by the mod-log-firstbyte module for HTTPD). Any thoughts on this patch? Is it suitable for trunk, and if so should I commit it? Is this something worth back porting to 7.0? Thanks Jeremy - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495197 - /tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
Author: markt Date: Thu Jun 20 21:34:09 2013 New Revision: 1495197 URL: http://svn.apache.org/r1495197 Log: r1495154 incorrectly removed the commit Restore the commit and clean the code up a little. Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495197r1=1495196r2=1495197view=diff == --- tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original) +++ tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 20 21:34:09 2013 
@@ -527,47 +527,42 @@ public class JDBCRealm // connection may try to be opened again. On normal conditions (including // invalid login - the above is only used once. int numberOfTries = 2; -while (numberOfTries0) { +while (numberOfTries 0) { try { - // Ensure that we have an open database connection open(); -try { -stmt = credentials(dbConnection, username); -rs = stmt.executeQuery(); +stmt = credentials(dbConnection, username); +rs = stmt.executeQuery(); +dbConnection.commit(); -if (rs.next()) { -dbCredentials = rs.getString(1); -} -rs.close(); -rs = null; -if (dbCredentials == null) { -return (null); -} +if (rs.next()) { +dbCredentials = rs.getString(1); +} +if (dbCredentials != null) { dbCredentials = dbCredentials.trim(); -return dbCredentials; - -} finally { -if (rs!=null) { -try { -rs.close(); -} catch(SQLException e) { - containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet)); -} -} } -} catch (SQLException e) { +return dbCredentials; +} catch (SQLException e) { // Log the problem for posterity containerLog.error(sm.getString(jdbcRealm.exception), e); +} finally { +if (rs != null) { +try { +rs.close(); +} catch(SQLException e) { +containerLog.warn(sm.getString( +jdbcRealm.abnormalCloseResultSet)); +} +} +} -// Close the connection so that it gets reopened next time -if (dbConnection != null) -close(dbConnection); - +// Close the connection so that it gets reopened next time +if (dbConnection != null) { +close(dbConnection); } numberOfTries--; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
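Review bot: `dbConnection.commit();` now runs directly after `stmt.executeQuery()` and before `rs.next()`, so the commit happens while the result set is still unread. With auto-commit off (as the thread on r1495155 states for this realm), a driver that closes cursors at commit can make the following `rs.next()` throw SQLException, which this loop handles like a connection failure: it logs, closes the connection and retries, and the credential lookup presumably ends up failing. Moving the commit to after the `if (rs.next()) { ... }` block, just before `return dbCredentials;`, removes the dependence on result-set holdability. The inner `catch(SQLException e)` around `rs.close()` also drops `e`; `containerLog.warn(sm.getString("jdbcRealm.abnormalCloseResultSet"), e);` would keep the cause. The same applies to the 7.0.x hunk at -546 in r1495202; the method continues outside both hunks.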
Re: [Bug 55102] New: Add ability to report time taken to prepare response
On 20/06/2013 22:22, Jeremy Boynes wrote: On Jun 15, 2013, at 10:09 AM, bugzi...@apache.org wrote: https://issues.apache.org/bugzilla/show_bug.cgi?id=55102 Summary: Add ability to report time taken to prepare response Created attachment 30438 -- https://issues.apache.org/bugzilla/attachment.cgi?id=30438action=edit Patch against trunk@r1493385 to record and output time to commit Tomcat's AccessLogValve is able to report the time taken to send an entire request using %D. This is the total processing time and may be affected by network conditions. It is sometimes useful to be able to record the time taken by the server to prepare the response and send the first content to the client. Attached is a patch that records the time the response is committed and then allows that to be reported in the access log using a '%F' pattern (which is the same as used by the mod-log-firstbyte module for HTTPD). Any thoughts on this patch? Is it suitable for trunk, and if so should I commit it? Is this something worth back porting to 7.0? I was just starting to look at this when Konstantin pointed out an earlier mistake of mine that needed fixing. I'll get back to this shortly. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495202 - /tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java
Author: markt Date: Thu Jun 20 21:38:59 2013 New Revision: 1495202 URL: http://svn.apache.org/r1495202 Log: r1495155 incorrectly removed the commit Restore the commit and clean the code up a little. Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495202r1=1495201r2=1495202view=diff == --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 20 21:38:59 2013 
@@ -546,47 +546,42 @@ public class JDBCRealm // connection may try to be opened again. On normal conditions (including // invalid login - the above is only used once. int numberOfTries = 2; -while (numberOfTries0) { +while (numberOfTries 0) { try { - // Ensure that we have an open database connection open(); -try { -stmt = credentials(dbConnection, username); -rs = stmt.executeQuery(); +stmt = credentials(dbConnection, username); +rs = stmt.executeQuery(); +dbConnection.commit(); -if (rs.next()) { -dbCredentials = rs.getString(1); -} -rs.close(); -rs = null; -if (dbCredentials == null) { -return (null); -} +if (rs.next()) { +dbCredentials = rs.getString(1); +} +if (dbCredentials != null) { dbCredentials = dbCredentials.trim(); -return dbCredentials; - -} finally { -if (rs!=null) { -try { -rs.close(); -} catch(SQLException e) { - containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet)); -} -} } +return dbCredentials; + } catch (SQLException e) { - // Log the problem for posterity containerLog.error(sm.getString(jdbcRealm.exception), e); - -// Close the connection so that it gets reopened next time -if (dbConnection != null) -close(dbConnection); - +} finally { +if (rs != null) { +try { +rs.close(); +} catch(SQLException e) { +containerLog.warn(sm.getString( +jdbcRealm.abnormalCloseResultSet)); +} +} +} + +// Close the connection so that it gets reopened next time +if (dbConnection != null) { +close(dbConnection); } numberOfTries--; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55071] try finally catch structure masks original exception in JDBCRealm.getPassword()
https://issues.apache.org/bugzilla/show_bug.cgi?id=55071 --- Comment #6 from Mark Thomas ma...@apache.org --- Oops. My analysis assumed autoCommit == true which it doesn't. The commit is therefore required. I've restored it and cleaned up the code. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55102] Add ability to report time taken to prepare response
https://issues.apache.org/bugzilla/show_bug.cgi?id=55102 --- Comment #2 from Mark Thomas ma...@apache.org --- Generally the patch looks good to me. It is missing documentation. Other than that I see no reason not to add it to trunk and 7.0.x. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1495197 - /tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
Mark, On 6/20/13 5:34 PM, ma...@apache.org wrote: Author: markt Date: Thu Jun 20 21:34:09 2013 New Revision: 1495197 URL: http://svn.apache.org/r1495197 Log: r1495154 incorrectly removed the commit Restore the commit and clean the code up a little. Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495197r1=1495196r2=1495197view=diff == --- tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original) +++ tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 20 21:34:09 2013 @@ -527,47 +527,42 @@ public class JDBCRealm // connection may try to be opened again. On normal conditions (including // invalid login - the above is only used once. int numberOfTries = 2; -while (numberOfTries0) { +while (numberOfTries 0) { try { - // Ensure that we have an open database connection open(); -try { -stmt = credentials(dbConnection, username); -rs = stmt.executeQuery(); +stmt = credentials(dbConnection, username); +rs = stmt.executeQuery(); +dbConnection.commit(); I still don't understand the commit, here. I read Konstantin's comment about JDBCRealm /not/ running in auto-commit mode... why is that? I don't see any INSERT/UPDATE/DELETE statements anywhere in the code, nor are they user-configurable. So, why bother with conn.setAutoCommit(false) and conn.commit() in the first place? If we are going to have commit() why not rollback()? The use of commit() and/or rollback() implies that there is some connection state which is useful to the thread of execution. This cannot be the case as JDBCRealm uses a single-connection yet allows multiple threads to use it. Any reason not to eliminate all manipulation of the auto-commit state /and/ remove the commit calls? -chris signature.asc Description: OpenPGP digital signature
[Bug 55071] try finally catch structure masks original exception in JDBCRealm.getPassword()
https://issues.apache.org/bugzilla/show_bug.cgi?id=55071 --- Comment #7 from Christopher Schultz ch...@christopherschultz.net --- I still think commit() should not be called. For the shared-connection of JDBCRealm to ever be put into auto-commit=false would be an enormous mistake, assuming any data modification was taking place... which it is not. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495208 - /tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java
Author: markt Date: Thu Jun 20 21:58:25 2013 New Revision: 1495208 URL: http://svn.apache.org/r1495208 Log: Refactor in preparation for fixing BZ 55120 Modified: tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java Modified: tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java?rev=1495208r1=1495207r2=1495208view=diff == --- tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java (original) +++ tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java Thu Jun 20 21:58:25 2013 @@ -95,9 +95,9 @@ public class PojoMethodMapping { this.onOpen = open; this.onClose = close; this.onError = error; -onOpenParams = getPathParams(onOpen, false, false); -onCloseParams = getPathParams(onClose, false, true); -onErrorParams = getPathParams(onError, true, false); +onOpenParams = getPathParams(onOpen, MethodType.ON_OPEN); +onCloseParams = getPathParams(onClose, MethodType.ON_CLOSE); +onErrorParams = getPathParams(onError, MethodType.ON_ERROR); } @@ -176,8 +176,8 @@ public class PojoMethodMapping { } -private static PojoPathParam[] getPathParams(Method m, boolean isOnError, -boolean isClose) { +private static PojoPathParam[] getPathParams(Method m, +MethodType methodType) { if (m == null) { return new PojoPathParam[0]; } 
@@ -189,10 +189,12 @@ public class PojoMethodMapping { Class? type = types[i]; if (type.equals(Session.class)) { result[i] = new PojoPathParam(type, null); -} else if (isOnError type.equals(Throwable.class)) { +} else if (methodType == MethodType.ON_ERROR + type.equals(Throwable.class)) { foundThrowable = true; result[i] = new PojoPathParam(type, null); -} else if (isClose type.equals(CloseReason.class)) { +} else if (methodType == MethodType.ON_CLOSE +type.equals(CloseReason.class)) { result[i] = new PojoPathParam(type, null); } else { Annotation[] paramAnnotations = paramsAnnotations[i]; @@ -210,7 +212,7 @@ public class PojoMethodMapping { } } } -if (isOnError !foundThrowable) { +if (methodType == MethodType.ON_ERROR !foundThrowable) { throw new IllegalArgumentException(sm.getString( pojoMethodMapping.onErrorNoThrowable, m.getName(), m.getDeclaringClass().getName())); @@ -565,4 +567,11 @@ public class PojoMethodMapping { return decoder; } } + + +private static enum MethodType { +ON_OPEN, +ON_CLOSE, +ON_ERROR +} } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
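Review bot: `private static enum MethodType` in the last hunk carries a redundant `static`: a nested enum is implicitly static, so `private enum MethodType {` declares the same thing. The enum also has no comment; a one-line Javadoc saying that it identifies which handler (open, close or error) a method was registered as would explain why `getPathParams` accepts Throwable and CloseReason parameters only for some values. `ON_OPEN` is passed from the constructor hunk but never compared against in this commit, which fits the log message's "in preparation" and could be noted in that comment.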
Re: [Bug 55102] New: Add ability to report time taken to prepare response
On 20.06.2013 23:22, Jeremy Boynes wrote: On Jun 15, 2013, at 10:09 AM, bugzi...@apache.org wrote: https://issues.apache.org/bugzilla/show_bug.cgi?id=55102 Summary: Add ability to report time taken to prepare response Created attachment 30438 -- https://issues.apache.org/bugzilla/attachment.cgi?id=30438action=edit Patch against trunk@r1493385 to record and output time to commit Tomcat's AccessLogValve is able to report the time taken to send an entire request using %D. This is the total processing time and may be affected by network conditions. It is sometimes useful to be able to record the time taken by the server to prepare the response and send the first content to the client. Attached is a patch that records the time the response is committed and then allows that to be reported in the access log using a '%F' pattern (which is the same as used by the mod-log-firstbyte module for HTTPD). Any thoughts on this patch? Is it suitable for trunk, and if so should I commit it? Is this something worth back porting to 7.0? I haven't looked at the concrete patch but the feature sounded useful. Regards, Rainer - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495216 - in /tomcat/trunk: java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java test/org/apache/tomcat/websocket/pojo/
Author: markt Date: Thu Jun 20 22:24:25 2013 New Revision: 1495216 URL: http://svn.apache.org/r1495216 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55120 @OnOpen needs to support an optional EndpointConfig parameter. Based on a patch by Niki Dokovski. Modified: tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java?rev=1495216r1=1495215r2=1495216view=diff == --- tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java (original) +++ tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java Thu Jun 20 22:24:25 2013 @@ -56,7 +56,8 @@ public abstract class PojoEndpointBase e if (methodMapping.getOnOpen() != null) { try { methodMapping.getOnOpen().invoke(pojo, -methodMapping.getOnOpenArgs(pathParameters, session)); +methodMapping.getOnOpenArgs( +pathParameters, session, config)); } catch (IllegalAccessException e) { // Reflection related problems Modified: tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java?rev=1495216r1=1495215r2=1495216view=diff == --- tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java (original) +++ tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java Thu Jun 20 22:24:25 2013 
@@ -112,8 +112,9 @@ public class PojoMethodMapping { public Object[] getOnOpenArgs(MapString,String pathParameters, -Session session) throws DecodeException { -return buildArgs(onOpenParams, pathParameters, session, null, null); +Session session, EndpointConfig config) throws DecodeException { +return buildArgs(onOpenParams, pathParameters, session, config, null, +null); } @@ -124,8 +125,8 @@ public class PojoMethodMapping { public Object[] getOnCloseArgs(MapString,String pathParameters, Session session, CloseReason closeReason) throws DecodeException { -return buildArgs( -onCloseParams, pathParameters, session, null, closeReason); +return buildArgs(onCloseParams, pathParameters, session, null, null, +closeReason); } @@ -136,8 +137,8 @@ public class PojoMethodMapping { public Object[] getOnErrorArgs(MapString,String pathParameters, Session session, Throwable throwable) throws DecodeException { -return buildArgs( -onErrorParams, pathParameters, session, throwable, null); +return buildArgs(onErrorParams, pathParameters, session, null, +throwable, null); } @@ -189,6 +190,9 @@ public class PojoMethodMapping { Class? type = types[i]; if (type.equals(Session.class)) { result[i] = new PojoPathParam(type, null); +} else if (methodType == MethodType.ON_OPEN +type.equals(EndpointConfig.class)) { +result[i] = new PojoPathParam(type, null); } else if (methodType == MethodType.ON_ERROR type.equals(Throwable.class)) { foundThrowable = true; 
@@ -223,13 +227,15 @@ public class PojoMethodMapping { private static Object[] buildArgs(PojoPathParam[] pathParams, MapString,String pathParameters, Session session, -Throwable throwable, CloseReason closeReason) +EndpointConfig config, Throwable throwable, CloseReason closeReason) throws DecodeException { Object[] result = new Object[pathParams.length]; for (int i = 0; i pathParams.length; i++) { Class? type = pathParams[i].getType(); if (type.equals(Session.class)) { result[i] = session; +} else if (type.equals(EndpointConfig.class)) { +result[i] = config; } else if (type.equals(Throwable.class)) { result[i] = throwable; } else if (type.equals(CloseReason.class)) { Modified: tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java?rev=1495216r1=1495215r2=1495216view=diff
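Review bot: The new `type.equals(EndpointConfig.class)` branch in `buildArgs` fills the slot from `config` by type alone, yet getOnCloseArgs and getOnErrorArgs pass `null` for that argument. It therefore relies on the parameter scan in the `@@ -189,6 +190,9 @@` hunk never creating an `EndpointConfig` slot for those methods. That invariant deserves a comment on the branch, for example `// EndpointConfig slots are only created for @OnOpen; other callers pass config == null`. Note also that `result[i] = config;` hands the POJO the caller's instance rather than a copy, so anything a handler stores in it is visible wherever that instance is shared. Whether it is shared between connections cannot be told from this hunk and is worth stating in the method's Javadoc. The loop body continues past the end of the hunk.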
[Bug 55120] ISA exception is thrown during application start when there is annotated ServerEndpoint POJO
https://issues.apache.org/bugzilla/show_bug.cgi?id=55120 Mark Thomas ma...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #3 from Mark Thomas ma...@apache.org --- Thanks for the patch. It has been applied to trunk and will be included in 8.0.0 onwards. I did make a number of changes: 1. I did some refactoring in r1495208 that meant the patch needed some small tweaks. 2. The patch always looked for an EndpointConfig parameter rather than only on OnOpen methods. 3. We always use spaces instead of tabs. 4. I changed a few line breaks. 5. I fixed a typo in a test method name. 6. I amended the test to check that the config was actually passed. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1495218 - /tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java
Author: markt Date: Thu Jun 20 22:29:54 2013 New Revision: 1495218 URL: http://svn.apache.org/r1495218 Log: Fix spacing Modified: tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java Modified: tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java?rev=1495218r1=1495217r2=1495218view=diff == --- tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java (original) +++ tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java Thu Jun 20 22:29:54 2013 @@ -75,6 +75,7 @@ public class TestPojoEndpointBase extend Assert.assertTrue(Server failed to close connection, closed); } + @Test public void testOnOpenPojoMethod() throws Exception { // Set up utility classes @@ -107,7 +108,6 @@ public class TestPojoEndpointBase extend } - @ServerEndpoint(/) public static class OnOpenServerEndpoint { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1494915 - in /tomcat/trunk: java/org/apache/catalina/ java/org/apache/catalina/core/ java/org/apache/catalina/deploy/ java/org/apache/catalina/startup/ test/org/apache/catalina/core/
2013/6/20 ma...@apache.org Author: markt Date: Thu Jun 20 10:38:49 2013 New Revision: 1494915 URL: http://svn.apache.org/r1494915 Log: Servlet 3.1 Implement the new deny-uncovered-http-methods element in server.xml That's for the xml but what about annotations? We are processing them when loading the servlet. Shouldn't we add check for uncovered methods to the o.a.catalina.core.StandardContext.addServletSecurity(...): Index: C:/tc8.0.x/java/org/apache/catalina/core/StandardContext.java === --- C:/tc8.0.x/java/org/apache/catalina/core/StandardContext.java (revision 1495273) +++ C:/tc8.0.x/java/org/apache/catalina/core/StandardContext.java (working copy) @@ -5828,6 +5828,7 @@ newSecurityConstraints) { addConstraint(securityConstraint); } +checkConstraintsForUncoveredMethods(); } }
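Review bot: The added `checkConstraintsForUncoveredMethods();` sits after the loop that calls `addConstraint(securityConstraint)`, so it would run once for every servlet whose annotation constraints are installed through this path, not once per context. The body of `checkConstraintsForUncoveredMethods` is not shown, so it needs to be confirmed safe to repeat: a second call must not add duplicate constraints or repeat its warnings, and it must tolerate running while requests are already being served. A test that deploys a `@ServletSecurity`-annotated servlet with the deny-uncovered-http-methods flag set would pin down the intended result. The enclosing method starts before the hunk.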