svn commit: r1494915 - in /tomcat/trunk: java/org/apache/catalina/ java/org/apache/catalina/core/ java/org/apache/catalina/deploy/ java/org/apache/catalina/startup/ test/org/apache/catalina/core/

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 10:38:49 2013
New Revision: 1494915

URL: http://svn.apache.org/r1494915
Log:
Servlet 3.1 Implement the new deny-uncovered-http-methods element in server.xml

Modified:
tomcat/trunk/java/org/apache/catalina/Context.java
tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
tomcat/trunk/java/org/apache/catalina/deploy/WebXml.java
tomcat/trunk/java/org/apache/catalina/startup/ContextConfig.java
tomcat/trunk/java/org/apache/catalina/startup/FailedContext.java
tomcat/trunk/java/org/apache/catalina/startup/WebRuleSet.java
tomcat/trunk/test/org/apache/catalina/core/TesterContext.java

Modified: tomcat/trunk/java/org/apache/catalina/Context.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/Context.java?rev=1494915r1=1494914r2=1494915view=diff
==
--- tomcat/trunk/java/org/apache/catalina/Context.java (original)
+++ tomcat/trunk/java/org/apache/catalina/Context.java Thu Jun 20 10:38:49 2013
@@ -329,6 +329,20 @@ public interface Context extends Contain
 
 
 /**
+ * Return the deny-uncovered-http-methods flag for this web application.
+ */
+public boolean getDenyUncoveredHttpMethods();
+
+
+/**
+ * Set the deny-uncovered-http-methods flag for this web application.
+ *
+ * @param denyUncoveredHttpMethods The new deny-uncovered-http-methods flag
+ */
+public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods);
+
+
+/**
  * Return the display name of this web application.
  */
 public String getDisplayName();
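Review bot: The Javadoc added for `getDenyUncoveredHttpMethods()` and its setter names the flag but never says what it does, and the getter has no `@return`. Going by the log messages this commit adds to LocalStrings.properties, a true value makes the context add deny constraints for HTTP methods that no security constraint covers. The new `denyUncoveredHttpMethods` field in StandardContext has no initializer, so the default is false and uncovered methods stay accessible unless the flag is set. I would state that here, e.g. `@return {@code true} if HTTP methods not covered by any security constraint are denied for this web application; {@code false} (the default) leaves them accessible`. The StandardContext field should get the same kind of one-line comment its neighbouring fields carry.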

Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1494915r1=1494914r2=1494915view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties 
(original)
+++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Thu Jun 
20 10:38:49 2013
@@ -140,7 +140,9 @@ standardContext.startFailed=Context [{0}
 standardContext.startingContext=Exception starting Context with name [{0}]
 standardContext.stoppingContext=Exception stopping Context with name [{0}]
 standardContext.uncoveredHttpMethod=For security constraints with URL pattern 
[{0}] only the HTTP methods [{1}] are covered. All other methods are uncovered.
+standardContext.uncoveredHttpMethodFix=Adding security constraints with URL 
pattern [{0}] to deny access with the uncovered HTTP methods that are not one 
of the following [{1}]
 standardContext.uncoveredHttpOmittedMethod=For security constraints with URL 
pattern [{0}] the HTTP methods [{1}] are uncovered.
+standardContext.uncoveredHttpOmittedMethodFix=Adding security constraints with 
URL pattern [{0}] to deny access with the uncovered HTTP methods [{1}]
 standardContext.urlPattern.patternWarning=WARNING: URL pattern {0} must start 
with a ''/'' in Servlet 2.4
 standardContext.webappClassLoader.missingProperty=Unable to set the web 
application class loader property [{0}] to [{1}] as the property does not exist.
 standardContext.workPath=Exception obtaining work path for context [{0}]

Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1494915r1=1494914r2=1494915view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Thu Jun 20 
10:38:49 2013
@@ -348,6 +348,9 @@ public class StandardContext extends Con
 private boolean delegate = false;
 
 
+private boolean denyUncoveredHttpMethods;
+
+
 /**
  * The display name of this web application.
  */
@@ -1684,6 +1687,19 @@ public class StandardContext extends Con
 this.tldScanTime = tldScanTime;
 }
 
+
+@Override
+public boolean getDenyUncoveredHttpMethods() {
+return denyUncoveredHttpMethods;
+}
+
+
+@Override
+public void setDenyUncoveredHttpMethods(boolean denyUncoveredHttpMethods) {
+this.denyUncoveredHttpMethods = denyUncoveredHttpMethods;
+}
+
+
 /**
  * Return the display name of this web application.
  */
@@ -5345,7 +5361,6 @@ public class StandardContext extends Con
 private void checkConstraintsForUncoveredMethods() {
 // TODO - Add an option to lower the log level of any uncovered method
 //warnings to debug
-// TODO - Implement adding constraints to deny uncovered methods
 SetString coveredPatterns = new HashSet();
 MapString,SetString urlMethodMap = new HashMap();
 

svn commit: r1494918 - /tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 10:41:55 2013
New Revision: 1494918

URL: http://svn.apache.org/r1494918
Log:
The form needs a submit button

Modified:
tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp

Modified: tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp?rev=1494918r1=1494917r2=1494918view=diff
==
--- tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp (original)
+++ tomcat/trunk/webapps/examples/jsp/security/protected/index.jsp Thu Jun 20 
10:41:55 2013
@@ -64,17 +64,18 @@ in session b%= session.getId() %/b
   }
 %
 
-To check whether your username has been granted a particular role,
+To check whether your user name has been granted a particular role,
 enter it here:
 form method=GET action='%= response.encodeURL(index.jsp) %'
 input type=text name=role value=%= util.HTMLFilter.filter(role) %
+input type=submit 
 /form
 brbr
 
-If you have configured this app for form-based authentication, you can log
-off by clicking
+If you have configured this application for form-based authentication, you can
+log off by clicking
 a href='%= response.encodeURL(index.jsp?logoff=true) %'here/a.
-This should cause you to be returned to the logon page after the redirect
+This should cause you to be returned to the login page after the redirect
 that is performed.
 
 /body






svn commit: r1494925 - /tomcat/trunk/java/org/apache/catalina/core/StandardContext.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 11:03:22 2013
New Revision: 1494925

URL: http://svn.apache.org/r1494925
Log:
Fix some copy/paste errors

Modified:
tomcat/trunk/java/org/apache/catalina/core/StandardContext.java

Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1494925r1=1494924r2=1494925view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Thu Jun 20 
11:03:22 2013
@@ -5384,7 +5384,7 @@ public class StandardContext extends Con
 // Pre-calculate so we don't do this for every iteration of the
 // following loop
 ListString omNew = null;
-if (omittedMethods.length == 0) {
+if (omittedMethods.length != 0) {
 omNew = Arrays.asList(omittedMethods);
 }
 
@@ -5397,9 +5397,11 @@ public class StandardContext extends Con
 SetString om = urlOmittedMethodMap.get(pattern);
 if (om == null) {
 om = new HashSet();
-urlMethodMap.put(pattern, om);
+urlOmittedMethodMap.put(pattern, om);
+om.addAll(omNew);
+} else {
+om.retainAll(omNew);
 }
-om.retainAll(omNew);
 } else {
 // Build the union of methods for this pattern
 SetString m = urlMethodMap.get(pattern);
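Review bot: `om.addAll(omNew)` and `om.retainAll(omNew)` would throw a NullPointerException if `omNew` were still null, and after the first hunk it is assigned only when `omittedMethods.length != 0`. This looks safe only because the branch is presumably entered when `methods.length == 0` and collections with neither list have already been skipped. Both of those checks sit outside these hunks, in a method that starts and ends outside them. I would record the invariant at the point of use, e.g. `// omNew is non-null here: methods is empty, so omittedMethods cannot be`, so that a later edit to the early `continue` does not turn this into a startup failure.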






svn commit: r1494926 - /tomcat/trunk/webapps/examples/WEB-INF/web.xml

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 11:03:54 2013
New Revision: 1494926

URL: http://svn.apache.org/r1494926
Log:
Explicitly deny the uncovered methods in the examples

Modified:
tomcat/trunk/webapps/examples/WEB-INF/web.xml

Modified: tomcat/trunk/webapps/examples/WEB-INF/web.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/examples/WEB-INF/web.xml?rev=1494926r1=1494925r2=1494926view=diff
==
--- tomcat/trunk/webapps/examples/WEB-INF/web.xml (original)
+++ tomcat/trunk/webapps/examples/WEB-INF/web.xml Thu Jun 20 11:03:54 2013
@@ -235,12 +235,13 @@
 /jsp-config
 
security-constraint
-  display-nameExample Security Constraint/display-name
+  display-nameExample Security Constraint - part 1/display-name
   web-resource-collection
- web-resource-nameProtected Area/web-resource-name
+ web-resource-nameProtected Area - Allow methods/web-resource-name
  !-- Define the context-relative URL(s) to be protected --
  url-pattern/jsp/security/protected/*/url-pattern
- !-- If you list http methods, only those methods are protected --
+ !-- If you list http methods, only those methods are protected so --
+ !-- the constraint below ensures all other methods are denied --
  http-methodDELETE/http-method
  http-methodGET/http-method
  http-methodPOST/http-method
@@ -252,6 +253,20 @@
  role-namerole1/role-name
   /auth-constraint
 /security-constraint
+   security-constraint
+  display-nameExample Security Constraint - part 2/display-name
+  web-resource-collection
+ web-resource-nameProtected Area - Deny methods/web-resource-name
+ !-- Define the context-relative URL(s) to be protected --
+ url-pattern/jsp/security/protected/*/url-pattern
+ http-method-omissionDELETE/http-method-omission
+ http-method-omissionGET/http-method-omission
+ http-method-omissionPOST/http-method-omission
+ http-method-omissionPUT/http-method-omission
+  /web-resource-collection
+  !-- An empty auth constraint denies access --
+  auth-constraint /
+/security-constraint
 
 !-- Default login configuration uses form-based authentication --
 login-config
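Review bot: The four `http-method-omission` entries in the added "part 2" constraint have to match the `http-method` list of "part 1" exactly, and nothing enforces that. The first hunk shows only DELETE, GET and POST of that list, so PUT is assumed to follow. If a method is later added to or removed from one list only, it ends up either uncovered, and so reachable without authentication, or denied outright. Part 1 already points down to this constraint; I would add the reverse pointer here, e.g. `<!-- Keep this list identical to the http-method list in part 1 above -->`. It may also be worth a sentence that the deny-uncovered-http-methods flag introduced in r1494915 gives the same result without a duplicated list.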






svn commit: r1494930 - /tomcat/trunk/java/org/apache/catalina/core/StandardContext.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 11:17:51 2013
New Revision: 1494930

URL: http://svn.apache.org/r1494930
Log:
Another copy/paste error
Also need to protect any remaining patterns with only omitted methods.

Modified:
tomcat/trunk/java/org/apache/catalina/core/StandardContext.java

Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1494930r1=1494929r2=1494930view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Thu Jun 20 
11:17:51 2013
@@ -5473,7 +5473,44 @@ public class StandardContext extends Con
 standardContext.uncoveredHttpOmittedMethodFix,
 pattern, msg.toString().trim()));
 SecurityCollection collection = new SecurityCollection();
-for (String method : methods) {
+for (String method : omittedMethods) {
+collection.addMethod(method);
+}
+collection.addPattern(pattern);
+collection.setName(deny-uncovered-http-methods);
+SecurityConstraint constraint = new SecurityConstraint();
+constraint.setAuthConstraint(true);
+constraint.addCollection(collection);
+addConstraint(constraint);
+} else {
+log.error(sm.getString(
+standardContext.uncoveredHttpOmittedMethod,
+pattern, msg.toString().trim()));
+}
+}
+}
+for (Map.EntryString, SetString entry :
+urlOmittedMethodMap.entrySet()) {
+String pattern = entry.getKey();
+if (coveredPatterns.contains(pattern)) {
+// Fully covered. Ignore any partial coverage
+continue;
+}
+
+SetString omittedMethods = entry.getValue();
+
+if (omittedMethods.size()  0) {
+StringBuilder msg = new StringBuilder();
+for (String method : omittedMethods) {
+msg.append(method);
+msg.append(' ');
+}
+if (getDenyUncoveredHttpMethods()) {
+log.info(sm.getString(
+standardContext.uncoveredHttpOmittedMethodFix,
+pattern, msg.toString().trim()));
+SecurityCollection collection = new SecurityCollection();
+for (String method : omittedMethods) {
 collection.addMethod(method);
 }
 collection.addPattern(pattern);
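Review bot: The added loop over `urlOmittedMethodMap.entrySet()` skips only patterns in `coveredPatterns`, so a pattern that also has an entry in `urlMethodMap` and was already handled by the preceding loop looks likely to be visited again and given a second deny constraint. The preceding loop starts outside this hunk, so this is inferred. If that loop reads the entry with `urlOmittedMethodMap.get(pattern)`, changing it to `urlOmittedMethodMap.remove(pattern)` would leave only the omitted-only patterns for this loop. Separately, the block that builds the `SecurityCollection` and `SecurityConstraint` is now repeated verbatim in both loops. A private helper taking the pattern and the omitted methods would remove the duplication that the last two log messages blame for the errors.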






svn commit: r1494951 - in /tomcat/trunk/java/org/apache/catalina: core/LocalStrings.properties core/StandardContext.java deploy/LocalStrings.properties deploy/SecurityConstraint.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 12:27:08 2013
New Revision: 1494951

URL: http://svn.apache.org/r1494951
Log:
Refactor with a view to adding some unit tests

Modified:
tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
tomcat/trunk/java/org/apache/catalina/deploy/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java

Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1494951r1=1494950r2=1494951view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties 
(original)
+++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Thu Jun 
20 12:27:08 2013
@@ -139,10 +139,6 @@ standardContext.servletMap.pattern=Inval
 standardContext.startFailed=Context [{0}] startup failed due to previous errors
 standardContext.startingContext=Exception starting Context with name [{0}]
 standardContext.stoppingContext=Exception stopping Context with name [{0}]
-standardContext.uncoveredHttpMethod=For security constraints with URL pattern 
[{0}] only the HTTP methods [{1}] are covered. All other methods are uncovered.
-standardContext.uncoveredHttpMethodFix=Adding security constraints with URL 
pattern [{0}] to deny access with the uncovered HTTP methods that are not one 
of the following [{1}]
-standardContext.uncoveredHttpOmittedMethod=For security constraints with URL 
pattern [{0}] the HTTP methods [{1}] are uncovered.
-standardContext.uncoveredHttpOmittedMethodFix=Adding security constraints with 
URL pattern [{0}] to deny access with the uncovered HTTP methods [{1}]
 standardContext.urlPattern.patternWarning=WARNING: URL pattern {0} must start 
with a ''/'' in Servlet 2.4
 standardContext.webappClassLoader.missingProperty=Unable to set the web 
application class loader property [{0}] to [{1}] as the property does not exist.
 standardContext.workPath=Exception obtaining work path for context [{0}]

Modified: tomcat/trunk/java/org/apache/catalina/core/StandardContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1494951r1=1494950r2=1494951view=diff
==
--- tomcat/trunk/java/org/apache/catalina/core/StandardContext.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardContext.java Thu Jun 20 
12:27:08 2013
@@ -5359,172 +5359,11 @@ public class StandardContext extends Con
 
 
 private void checkConstraintsForUncoveredMethods() {
-// TODO - Add an option to lower the log level of any uncovered method
-//warnings to debug
-SetString coveredPatterns = new HashSet();
-MapString,SetString urlMethodMap = new HashMap();
-MapString,SetString urlOmittedMethodMap = new HashMap();
-
-// First build the lists of covered patterns and those patterns that
-// might be uncovered
-for (SecurityConstraint constraint : constraints) {
-SecurityCollection[] collections = constraint.findCollections();
-for (SecurityCollection collection : collections) {
-String[] patterns = collection.findPatterns();
-String[] methods = collection.findMethods();
-String[] omittedMethods = collection.findOmittedMethods();
-// Simple case: no methods
-if (methods.length == 0  omittedMethods.length == 0) {
-for (String pattern : patterns) {
-coveredPatterns.add(pattern);
-}
-continue;
-}
-
-// Pre-calculate so we don't do this for every iteration of the
-// following loop
-ListString omNew = null;
-if (omittedMethods.length != 0) {
-omNew = Arrays.asList(omittedMethods);
-}
-
-// Only need to process uncovered patterns
-for (String pattern : patterns) {
-if (!coveredPatterns.contains(pattern)) {
-if (methods.length == 0) {
-// Build the interset of omitted methods for this
-// pattern
-SetString om = urlOmittedMethodMap.get(pattern);
-if (om == null) {
-om = new HashSet();
-urlOmittedMethodMap.put(pattern, om);
-om.addAll(omNew);
-} else {
-om.retainAll(omNew);
-}
-} else {
-

buildbot exception in ASF Buildbot on tomcat-trunk

2013-06-20 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-trunk while building 
ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/tomcat-trunk/builds/4458

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-vm_ubuntu

Build Reason: scheduler
Build Source Stamp: [branch tomcat/trunk] 1493490
Blamelist: 

BUILD FAILED: exception svn upload_2

sincerely,
 -The Buildbot





buildbot exception in ASF Buildbot on tomcat-7-trunk

2013-06-20 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-7-trunk while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/tomcat-7-trunk/builds/1244

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-vm_ubuntu

Build Reason: scheduler
Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1493908
Blamelist: 

BUILD FAILED: exception svn upload_2

sincerely,
 -The Buildbot





buildbot failure in ASF Buildbot on tomcat-6-trunk

2013-06-20 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-6-trunk while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/tomcat-6-trunk/builds/555

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-vm_ubuntu

Build Reason: scheduler
Build Source Stamp: [branch tomcat/tc6.0.x/trunk] 1494081
Blamelist: 

BUILD FAILED: failed svn

sincerely,
 -The Buildbot





svn commit: r1494963 - /tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 12:51:45 2013
New Revision: 1494963

URL: http://svn.apache.org/r1494963
Log:
Some simple unit tests

Modified:
tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java

Modified: 
tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java?rev=1494963r1=1494962r2=1494963view=diff
==
--- tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java 
(original)
+++ tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java 
Thu Jun 20 12:51:45 2013
@@ -30,13 +30,60 @@ import static org.junit.Assert.assertFal
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+import org.junit.Assert;
 import org.junit.Test;
 
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+
 public class TestSecurityConstraint {
 
 private static final String URL_PATTERN = /test;
 private static final String ROLE1 = R1;
 
+private static final Log DUMMY_LOG = LogFactory.getLog(DUMMY);
+
+private static final SecurityConstraint GET_ONLY;
+private static final SecurityConstraint POST_ONLY;
+
+private static final SecurityConstraint GET_OMIT;
+private static final SecurityConstraint POST_OMIT;
+
+static {
+// Configure the constraints to use in the tests
+GET_ONLY = new SecurityConstraint();
+GET_ONLY.addAuthRole(ROLE1);
+SecurityCollection scGetOnly = new SecurityCollection();
+scGetOnly.addMethod(GET);
+scGetOnly.addPattern(URL_PATTERN);
+scGetOnly.setName(GET-ONLY);
+GET_ONLY.addCollection(scGetOnly);
+
+POST_ONLY = new SecurityConstraint();
+POST_ONLY.addAuthRole(ROLE1);
+SecurityCollection scPostOnly = new SecurityCollection();
+scPostOnly.addMethod(POST);
+scPostOnly.addPattern(URL_PATTERN);
+scPostOnly.setName(POST_ONLY);
+POST_ONLY.addCollection(scPostOnly);
+
+GET_OMIT = new SecurityConstraint();
+GET_OMIT.addAuthRole(ROLE1);
+SecurityCollection scGetOmit = new SecurityCollection();
+scGetOmit.addOmittedMethod(GET);
+scGetOmit.addPattern(URL_PATTERN);
+scGetOmit.setName(GET_OMIT);
+GET_OMIT.addCollection(scGetOmit);
+
+POST_OMIT = new SecurityConstraint();
+POST_OMIT.addAuthRole(ROLE1);
+SecurityCollection scPostOmit = new SecurityCollection();
+scPostOmit.addOmittedMethod(POST);
+scPostOmit.addPattern(URL_PATTERN);
+scPostOmit.setName(POST_OMIT);
+POST_OMIT.addCollection(scPostOmit);
+}
+
 /**
  * Uses the examples in SRV.13.4 as the basis for these tests
  */
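Review bot: The collection names in the static initializer are inconsistent: `scGetOnly.setName(GET-ONLY)` uses a hyphen while the other three use underscores (`POST_ONLY`, `GET_OMIT`, `POST_OMIT`). I would make the first one `scGetOnly.setName("GET_ONLY");` so the name matches its constant. The four stanzas differ only in the method and in `addMethod` versus `addOmittedMethod`. A small private static factory taking the name, the method and an omit flag would cut the block to four lines and make it cheap to add further fixtures, such as a collection with no methods listed.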
@@ -205,4 +252,115 @@ public class TestSecurityConstraint {
 // Example 13-9 is the same as 13-7
 }
 
+
+@Test
+public void testFindUncoveredHttpMethods01() {
+// No new constraints if denyUncoveredHttpMethods is false
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_ONLY}, false, DUMMY_LOG);
+Assert.assertEquals(0, result.length);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods02() {
+// No new constraints if denyUncoveredHttpMethods is false
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_OMIT}, false, DUMMY_LOG);
+Assert.assertEquals(0, result.length);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods03() {
+// No new constraints if denyUncoveredHttpMethods is false
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {POST_ONLY}, false, 
DUMMY_LOG);
+Assert.assertEquals(0, result.length);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods04() {
+// No new constraints if denyUncoveredHttpMethods is false
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {POST_OMIT}, false, 
DUMMY_LOG);
+Assert.assertEquals(0, result.length);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods05() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_ONLY}, true, DUMMY_LOG);
+Assert.assertEquals(1, result.length);
+// Should be a deny constraint
+Assert.assertTrue(result[0].getAuthConstraint());
+// Should have a single collection
+Assert.assertEquals(1, 

Re: CVE-2013-1571, VU#225657

2013-06-20 Thread Christopher Schultz
Sebb,

On 6/19/13 4:26 AM, sebb wrote:
 On 19 June 2013 09:15, Mark Thomas ma...@apache.org wrote:
 On 19/06/2013 00:42, Nick Williams wrote:

 Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
 VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
 provided a repair-in-place tool for Javadoc that cannot be easily
 regenerated, but is urging developers to regenerate whatever Javadoc
 they can using Java 7u25. For all practical purposes, the vulnerability
 really only applies to publicly-hosted Javadoc, so the Javadoc in our
 existing Maven artifacts, downloads, and archived downloads really
 doesn't have to be worried about (not that we could do anything about
 it). My thoughts on this:

 1) We should apply the repair-in-place tool ASAP to the Javadoc on
 the website for Tomcat 6 and Tomcat 7.


 And Tomcat 5 and earlier. The javadoc for those isn't linked but remains
 available.

 I'll get on to this now.


 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or
 better.


 Hmm. That will need some thought as the build needs to be run with the
 minimum Java version required for that major version. Maybe we can just run
 the Javadoc part with a different JDK. Either that, or run the fix tool over
 the result. This needs some investigation.


 There will be no fix for Java 5 or 6. Thankfully, generating
 Javadoc using a different JDK than you used to compile is quite easy
 in both Maven and Ant. In fact, I personally prefer it that way,
 because the Javadoc is much more visually attractive in Java 7.


 Hopefully it will be as simple as you suggest.

 
 I found for JMeter that the only file that needed fixing was the
 top-level index.html.
 If always true that reduces what needs to be checked-out/put back.
 
 There's also a bug in the quick-fix tool - it fails to delete the
 renamed original file (on Windows, which locks files from delete)
 because it fails to call fis.close() first.
 [The code does not check that the delete is successful either.]
 
 Should be easily possible to run the (fixed) tool on locally generated
 javadoc before committing in future.

Wow, the code for that quick-fix tool really is awful. If run in
recursive mode, it will leave every file that matches the file list
(index.html, etc.) open until the finalizers run (hah). There are also
swallowed exceptions, no finally blocks, etc.

It looks like it was written by a novice Java programmer.

The good news is that the license allows you (we) to modify the source
code and redistribute it. So, we can even publish a fixed version if we
choose to (rather than merely keeping it for ourselves).

-chris





svn commit: r1494974 - /tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 13:19:54 2013
New Revision: 1494974

URL: http://svn.apache.org/r1494974
Log:
Prevent duplicate deny constraints

Modified:
tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java

Modified: tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java?rev=1494974r1=1494973r2=1494974view=diff
==
--- tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java Thu 
Jun 20 13:19:54 2013
@@ -683,7 +683,7 @@ public class SecurityConstraint implemen
 continue;
 }
 
-SetString omittedMethods = urlOmittedMethodMap.get(pattern);
+SetString omittedMethods = urlOmittedMethodMap.remove(pattern);
 SetString methods = entry.getValue();
 
 if (omittedMethods == null) {
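Review bot: Switching `urlOmittedMethodMap.get(pattern)` to `remove(pattern)` makes this lookup mutate the map, and nothing on the line says the removal is intentional. A later reader could change it back to `get` as a harmless cleanup and reintroduce the duplicate deny constraints. I would add a comment above it, e.g. `// Remove so the later pass over urlOmittedMethodMap only sees patterns not handled here`. The enclosing loop and the later pass are both outside this hunk, so the wording should be checked against them.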






svn commit: r1494975 - /tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 13:20:08 2013
New Revision: 1494975

URL: http://svn.apache.org/r1494975
Log:
Some more unit tests

Modified:
tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java

Modified: 
tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java?rev=1494975r1=1494974r2=1494975view=diff
==
--- tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java 
(original)
+++ tomcat/trunk/test/org/apache/catalina/deploy/TestSecurityConstraint.java 
Thu Jun 20 13:20:08 2013
@@ -363,4 +363,96 @@ public class TestSecurityConstraint {
 Assert.assertEquals(1, sc.findMethods().length);
 Assert.assertEquals(POST, sc.findMethods()[0]);
 }
+
+
+@Test
+public void testFindUncoveredHttpMethods09() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_ONLY, GET_OMIT}, true,
+DUMMY_LOG);
+Assert.assertEquals(0, result.length);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods10() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {POST_ONLY, POST_OMIT}, true,
+DUMMY_LOG);
+Assert.assertEquals(0, result.length);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods11() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_ONLY, POST_ONLY}, true,
+DUMMY_LOG);
+Assert.assertEquals(1, result.length);
+// Should be a deny constraint
+Assert.assertTrue(result[0].getAuthConstraint());
+// Should have a single collection
+Assert.assertEquals(1, result[0].findCollections().length);
+SecurityCollection sc = result[0].findCollections()[0];
+// Should list GET and POST as omitted methods
+Assert.assertEquals(0, sc.findMethods().length);
+Assert.assertEquals(2, sc.findOmittedMethods().length);
+HashSetString omittedMethods = new HashSet();
+for (String omittedMethod : sc.findOmittedMethods()) {
+omittedMethods.add(omittedMethod);
+}
+Assert.assertTrue(omittedMethods.remove(GET));
+Assert.assertTrue(omittedMethods.remove(POST));
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods12() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_OMIT, POST_OMIT}, true,
+DUMMY_LOG);
+Assert.assertEquals(0, result.length);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods13() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_ONLY, POST_OMIT}, true,
+DUMMY_LOG);
+Assert.assertEquals(1, result.length);
+// Should be a deny constraint
+Assert.assertTrue(result[0].getAuthConstraint());
+// Should have a single collection
+Assert.assertEquals(1, result[0].findCollections().length);
+SecurityCollection sc = result[0].findCollections()[0];
+// Should list POST as a method
+Assert.assertEquals(1, sc.findMethods().length);
+Assert.assertEquals(0, sc.findOmittedMethods().length);
+Assert.assertEquals(POST, sc.findMethods()[0]);
+}
+
+
+@Test
+public void testFindUncoveredHttpMethods14() {
+SecurityConstraint[] result =
+SecurityConstraint.findUncoveredHttpMethods(
+new SecurityConstraint[] {GET_OMIT, POST_ONLY}, true,
+DUMMY_LOG);
+Assert.assertEquals(1, result.length);
+// Should be a deny constraint
+Assert.assertTrue(result[0].getAuthConstraint());
+// Should have a single collection
+Assert.assertEquals(1, result[0].findCollections().length);
+SecurityCollection sc = result[0].findCollections()[0];
+// Should list GET as a method
+Assert.assertEquals(1, sc.findMethods().length);
+Assert.assertEquals(0, sc.findOmittedMethods().length);
+Assert.assertEquals(GET, sc.findMethods()[0]);
+}
 }
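Review bot: None of the combinations added here (tests 09 to 14) pairs a partial constraint with one that lists no methods at all, so the "fully covered, ignore any partial coverage" path is not exercised by them. Tests 06 to 08 are not visible on this page, so they may cover it. That path matters because a wrongly added deny constraint there would block methods the application has deliberately protected with a role. I would add a fixture whose collection has only `addPattern(URL_PATTERN)` and assert that `findUncoveredHttpMethods` returns an empty array for it combined with `GET_ONLY`, in both array orders, since the first pass appears to depend on the order in which constraints are seen.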






svn commit: r1494978 - /tomcat/trunk/webapps/docs/changelog.xml

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 13:25:03 2013
New Revision: 1494978

URL: http://svn.apache.org/r1494978
Log:
Servlet 3.1 implementation is complete

Modified:
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1494978r1=1494977r2=1494978view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Jun 20 13:25:03 2013
@@ -51,6 +51,10 @@
   subsection name=Catalina
 changelog
   add
+Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes
+contributions from Nick Williams. (markt) 
+  /add
+  add
 Implement JSR 356 - WebSockets. The JSR 356 implementation includes
 contributions from Nick Williams and Rossen Stoyanchev. (markt)
   /add
@@ -116,12 +120,6 @@
 Port storeconfig functionality, which can persist to server.xml and
 context.xml runtime container configuration changes. (remm)
   /add
-  add
-bug54552/bug: Servlet 3.1. Implement
-codeHttpSessionIdListener/code and
-codeHttpServletRequest#changeSessionId()/code. Patch provided by
-Nick Williams. (markt)
-  /add
   fix
 bug54708/bug: Change the name of the working directory for the ROOT
 application (located under $CATALINA_BASE/work by default) from _ to






svn commit: r1494982 - /tomcat/trunk/webapps/docs/changelog.xml

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 13:28:16 2013
New Revision: 1494982

URL: http://svn.apache.org/r1494982
Log:
Fix whitespace

Modified:
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1494982r1=1494981r2=1494982view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Jun 20 13:28:16 2013
@@ -52,7 +52,7 @@
 changelog
   add
 Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes
-contributions from Nick Williams. (markt) 
+contributions from Nick Williams. (markt)
   /add
   add
 Implement JSR 356 - WebSockets. The JSR 356 implementation includes






Re: CVE-2013-1571, VU#225657

2013-06-20 Thread sebb
On 20 June 2013 14:16, Christopher Schultz ch...@christopherschultz.net wrote:
 Sebb,

 On 6/19/13 4:26 AM, sebb wrote:
 On 19 June 2013 09:15, Mark Thomas ma...@apache.org wrote:
 On 19/06/2013 00:42, Nick Williams wrote:

 Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
 VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
 provided a repair-in-place tool for Javadoc that cannot be easily
 regenerated, but is urging developers to regenerate whatever Javadoc
 they can using Java 7u25. For all practical purposes, the vulnerability
 really only applies to publicly-hosted Javadoc, so the Javadoc in our
 existing Maven artifacts, downloads, and archived downloads really
 doesn't have to be worried about (not that we could do anything about
 it). My thoughts on this:

 1) We should apply the repair-in-place tool ASAP to the Javadoc on
 the website for Tomcat 6 and Tomcat 7.


 And Tomcat 5 and earlier. The javadoc for those isn't linked but remains
 available.

 I'll get on to this now.


 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or
 better.


 Hmm. That will need some thought as the build needs to be run with the
 minimum Java version required for that major version. Maybe we can just run
 the Javadoc part with a different JDK. Either that, or run the fix tool over
 the result. This needs some investigation.


 There will be no fix for Java 5 or 6. Thankfully, generating
 Javadoc using a different JDK than you used to compile is quite easy
 in both Maven and Ant. In fact, I personally prefer it that way,
 because the Javadoc is much more visually attractive in Java 7.


 Hopefully it will be as simple as you suggest.


 I found for JMeter that the only file that needed fixing was the
 top-level index.html.
 If always true that reduces what needs to be checked-out/put back.

 There's also a bug in the quick-fix tool - it fails to delete the
 renamed original file (on Windows, which locks files from delete)
 because it fails to call fis.close() first.
 [The code does not check that the delete is successful either.]

 Should be easily possible to run the (fixed) tool on locally generated
 javadoc before committing in future.

 Wow, the code for that quick-fix tool really is awful. If run in
 recursive mode, it will leave every file that matches the file list
 (index.html, etc.) open until the finalizers run (hah). There are also
 swallowed exceptions, no finally blocks, etc.

I've made some fixes (resource closures); these are at:

https://svn.apache.org/repos/asf/commons/proper/commons-javadocfix-plugin/trunk/src/main/java/org/apache/commons/plugins/javadocfix/JavadocFixTool.java

Comments welcome if you spot any more.

[If you checkout [1] and mvn install the plugin, you should be able
to run it locally]

[1] 
https://svn.apache.org/repos/asf/commons/proper/commons-javadocfix-plugin/trunk/

 It looks like it was written by a novice Java programmer.

Who either did not use an IDE or ignored the warnings.

 The good news is that the license allows you (we) to modify the source
 code and redistribute it. So, we can even publish a fixed version if we
 choose to (rather than merely keeping it for ourselves).

That's how I read it too.

 -chris





svn commit: r1494999 - in /tomcat/trunk: conf/context.xml webapps/docs/changelog.xml

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 13:50:49 2013
New Revision: 1494999

URL: http://svn.apache.org/r1494999
Log:
Make changes to global web.xml trigger reloads

Modified:
tomcat/trunk/conf/context.xml
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/conf/context.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/conf/context.xml?rev=1494999r1=1494998r2=1494999view=diff
==
--- tomcat/trunk/conf/context.xml (original)
+++ tomcat/trunk/conf/context.xml Thu Jun 20 13:50:49 2013
@@ -18,8 +18,10 @@
 !-- The contents of this file will be loaded for each web application --
 Context
 
-!-- Default set of monitored resources --
+!-- Default set of monitored resources. If one of these changes, the
--
+!-- web application will be reloaded.   
--
 WatchedResourceWEB-INF/web.xml/WatchedResource
+WatchedResource${catalina.base}/conf/web.xml/WatchedResource
 
 !-- Uncomment this to disable session persistence across Tomcat restarts 
--
 !--
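Review bot: The added `WatchedResource` for `${catalina.base}/conf/web.xml` makes one shared file a reload trigger for every web application that inherits this default context, but the new comment only says "the web application will be reloaded". I would extend the comment to state the scope, e.g. `<!-- conf/web.xml is shared: a change to it reloads every web application that uses this default context. -->`. Because any modification of that file now causes a reload across all applications, the documentation should also say that write access to `conf/web.xml` belongs to the Tomcat administrator only. Whether the reload actually fires depends on the host's deployment settings, which are not visible in this hunk.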

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1494999r1=1494998r2=1494999view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Jun 20 13:50:49 2013
@@ -125,6 +125,10 @@
 application (located under $CATALINA_BASE/work by default) from _ to
 ROOT. (markt)
   /fix
+  add
+Change default configuration so that a change to the global web.xml 
file
+will trigger a reload of all web applications. (markt)
+  /add
 /changelog
   /subsection
   subsection name=Coyote






svn commit: r1495015 - /tomcat/trunk/webapps/docs/jndi-resources-howto.xml

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 14:24:34 2013
New Revision: 1495015

URL: http://svn.apache.org/r1495015
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53665
Document when a javax.mail.Authenticator is configured.

Modified:
tomcat/trunk/webapps/docs/jndi-resources-howto.xml

Modified: tomcat/trunk/webapps/docs/jndi-resources-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/jndi-resources-howto.xml?rev=1495015r1=1495014r2=1495015view=diff
==
--- tomcat/trunk/webapps/docs/jndi-resources-howto.xml (original)
+++ tomcat/trunk/webapps/docs/jndi-resources-howto.xml Thu Jun 20 14:24:34 2013
@@ -509,8 +509,13 @@ Transport.send(message);
 codejavax.mail.Session.getInstance(java.util.Properties)/code as part 
of
 the codejava.util.Properties/code collection. In addition to the
 properties defined in Annex A of the JavaMail specification, individual
-providers may also support additional properties like 
codepassword/code.
+providers may also support additional properties.
 /p
+
+pIf the resource is configured with a codepassword/code attribute and
+either a codemail.smtp.user/code or codemail.user/code attribute
+then Tomcatapos;s resource factory will configure and add a
+codejavax.mail.Authenticator/code to the mail session./p
 
 h34.  Install the JavaMail libraries/h3
 






svn commit: r1495016 - in /tomcat/tc7.0.x/trunk: ./ webapps/docs/changelog.xml webapps/docs/jndi-resources-howto.xml

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 14:26:40 2013
New Revision: 1495016

URL: http://svn.apache.org/r1495016
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53665
Document when a javax.mail.Authenticator is configured.

Modified:
tomcat/tc7.0.x/trunk/   (props changed)
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/jndi-resources-howto.xml

Propchange: tomcat/tc7.0.x/trunk/
--
  Merged /tomcat/trunk:r1495015

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495016r1=1495015r2=1495016view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jun 20 14:26:40 2013
@@ -103,6 +103,11 @@
 Complete the document for codeMessageDispatch15Interceptor/code.
 (kfujino)
   /add
+  add
+bug53655/bug: Document the circumstances under which Tomcat will 
add
+a codejavax.mail.Authenticator/code to mail sessions created via a
+JNDI resource. (markt)
+  /add
 /changelog
   /subsection
   subsection name=Other

Modified: tomcat/tc7.0.x/trunk/webapps/docs/jndi-resources-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/jndi-resources-howto.xml?rev=1495016r1=1495015r2=1495016view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/jndi-resources-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/jndi-resources-howto.xml Thu Jun 20 
14:26:40 2013
@@ -509,8 +509,13 @@ Transport.send(message);
 codejavax.mail.Session.getInstance(java.util.Properties)/code as part 
of
 the codejava.util.Properties/code collection. In addition to the
 properties defined in Annex A of the JavaMail specification, individual
-providers may also support additional properties like 
codepassword/code.
+providers may also support additional properties.
 /p
+
+pIf the resource is configured with a codepassword/code attribute and
+either a codemail.smtp.user/code or codemail.user/code attribute
+then Tomcatapos;s resource factory will configure and add a
+codejavax.mail.Authenticator/code to the mail session./p
 
 h34.  Install the JavaMail libraries/h3
 






[Bug 53665] Minor JNDI Howto document enhancement concerning mail properties

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=53665

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #2 from Mark Thomas ma...@apache.org ---
This has been fixed in trunk and 7.0.x and will be included in 7.0.42 onwards.

I based the changes on the information in the SO question rather than the
suggested patch as it provides a little more concrete information about what is
going on.




[Bug 53776] Multitenancy support for JDBCRealm

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=53776

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |WONTFIX

--- Comment #3 from Mark Thomas ma...@apache.org ---
As per previous comment.




[Bug 54499] Implementation of Extensible EL Interpreter

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54499

--- Comment #7 from Mark Thomas ma...@apache.org ---
I'm +0 to include this in trunk. What do other committers think?




[Bug 54503] SAML2 based single sign on

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54503

--- Comment #3 from Mark Thomas ma...@apache.org ---
That is a big patch.

I have one immediate concern with the proposed patch, which is the unknown
licensing of the new JAR file.

Looking more broadly, I think it would be worth (re-)considering adding JASPIC
to Tomcat. Most of the code should be available in TomEE. That would then
provide a standard mechanism to plug-in additional authentication mechanisms
such as SAML2. At the moment, I'd be happier with SAML2 as an optional extra
rather than as a core component.




svn commit: r1495043 - /tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 15:07:55 2013
New Revision: 1495043

URL: http://svn.apache.org/r1495043
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54745
Fix JarScanning when Tomcat is started via Java WebStart.
Patch provided by Nick Williams.

Modified:
tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java?rev=1495043r1=1495042r2=1495043view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java Thu 
Jun 20 15:07:55 2013
@@ -290,7 +290,8 @@ public class StandardJarScanner implemen
 callback.scan((JarURLConnection) conn, isWebapp);
 } else {
 String urlStr = url.toString();
-if (urlStr.startsWith(file:) || urlStr.startsWith(jndi:)) {
+if (urlStr.startsWith(file:) || urlStr.startsWith(jndi:) ||
+urlStr.startsWith(http:) || urlStr.startsWith(https:)) {
 if (urlStr.endsWith(Constants.JAR_EXT)) {
 URL jarURL = new URL(jar: + urlStr + !/);
 callback.scan((JarURLConnection) jarURL.openConnection(),
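Review bot: Nothing next to the widened `startsWith` condition explains why `http:` and `https:` URLs are now acceptable for `jar:` wrapping, and the branch below it opens a connection to whatever such URL it is handed. The bug discussion says these JARs are already on the class path when Tomcat is started via Java Web Start; I would record that at the condition, e.g. `// http(s): URLs occur under Java Web Start; per bug 54745 these JARs are already on the class path`. For plain `http:` the JAR is fetched again for scanning without transport integrity, so it seems worth stating in the comment (or the scanner's documentation) that only class-path URLs are expected here. The same condition is added in the tc7.0.x backport (r1495046) and re-indented in r1495047; the enclosing method begins and ends outside the hunk.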






svn commit: r1495046 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/tomcat/util/scan/StandardJarScanner.java webapps/docs/changelog.xml

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 15:10:22 2013
New Revision: 1495046

URL: http://svn.apache.org/r1495046
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54745
Fix JarScanning when Tomcat is started via Java WebStart.
Patch provided by Nick Williams.

Modified:
tomcat/tc7.0.x/trunk/   (props changed)

tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
--
  Merged /tomcat/trunk:r1495043

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java?rev=1495046r1=1495045r2=1495046view=diff
==
--- 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java 
(original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java 
Thu Jun 20 15:10:22 2013
@@ -252,7 +252,8 @@ public class StandardJarScanner implemen
 callback.scan((JarURLConnection) conn);
 } else {
 String urlStr = url.toString();
-if (urlStr.startsWith(file:) || urlStr.startsWith(jndi:)) {
+if (urlStr.startsWith(file:) || urlStr.startsWith(jndi:) ||
+urlStr.startsWith(http:) || urlStr.startsWith(https:)) 
{
 if (urlStr.endsWith(Constants.JAR_EXT)) {
 URL jarURL = new URL(jar: + urlStr + !/);
 callback.scan((JarURLConnection) jarURL.openConnection());

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495046r1=1495045r2=1495046view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jun 20 15:10:22 2013
@@ -70,6 +70,10 @@
 methods that does not include GET. (markt)
   /fix
   fix
+bug54745/bug: Fix JAR file scanning when Tomcat is deployed via 
Java
+Web Start. Patch provided by Nick Williams. (markt)
+  /fix
+  fix
 bug55073/bug, bug55108/bug, bug55109/bug amp;
 bug55110/bug: Small performance improvements. Patches provided by
 Adrian Nistor. (markt)






[Bug 54745] Tomcat JarScanning does not work when Tomcat started with Java Web Start

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54745

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #3 from Mark Thomas ma...@apache.org ---
Having looked at this more closely, the JARs must already be on the class path
so I don't see any issues.

The patch has been applied to trunk and 7.0.x and will be included in 7.0.42
onwards.




[Bug 54808] Add numberOfVersionsToKeep when undeployOldVersions is set to true

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54808

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |WONTFIX

--- Comment #3 from Mark Thomas ma...@apache.org ---
It has been a month without any further feedback so I am resolving this as
WONTFIX.




svn commit: r1495047 - /tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 15:14:02 2013
New Revision: 1495047

URL: http://svn.apache.org/r1495047
Log:
Fix indent

Modified:
tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java?rev=1495047r1=1495046r2=1495047view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java Thu 
Jun 20 15:14:02 2013
@@ -291,7 +291,7 @@ public class StandardJarScanner implemen
 } else {
 String urlStr = url.toString();
 if (urlStr.startsWith(file:) || urlStr.startsWith(jndi:) ||
-urlStr.startsWith(http:) || urlStr.startsWith(https:)) {
+urlStr.startsWith(http:) || urlStr.startsWith(https:)) 
{
 if (urlStr.endsWith(Constants.JAR_EXT)) {
 URL jarURL = new URL(jar: + urlStr + !/);
 callback.scan((JarURLConnection) jarURL.openConnection(),






[Bug 54745] Tomcat JarScanning does not work when Tomcat started with Java Web Start

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54745

--- Comment #4 from Nick Williams nicho...@nicholaswilliams.net ---
Excellent! Thanks!




Re: CVE-2013-1571, VU#225657

2013-06-20 Thread Christopher Schultz
Sebb,

On 6/20/13 9:31 AM, sebb wrote:
 On 20 June 2013 14:16, Christopher Schultz ch...@christopherschultz.net 
 wrote:
 Sebb,

 On 6/19/13 4:26 AM, sebb wrote:
 On 19 June 2013 09:15, Mark Thomas ma...@apache.org wrote:
 On 19/06/2013 00:42, Nick Williams wrote:

 Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
 VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
 provided a repair-in-place tool for Javadoc that cannot be easily
 regenerated, but is urging developers to regenerate whatever Javadoc
 they can using Java 7u25. For all practical purposes, the vulnerability
 really only applies to publicly-hosted Javadoc, so the Javadoc in our
 existing Maven artifacts, downloads, and archived downloads really
 doesn't have to be worried about (not that we could do anything about
 it). My thoughts on this:

 1) We should apply the repair-in-place tool ASAP to the Javadoc on
 the website for Tomcat 6 and Tomcat 7.


 And Tomcat 5 and earlier. The javadoc for those isn't linked but remains
 available.

 I'll get on to this now.


 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or
 better.


 Hmm. That will need some thought as the build needs to be run with the
 minimum Java version required for that major version. Maybe we can just run
 the Javadoc part with a different JDK. Either that, or run the fix tool 
 over
 the result. This needs some investigation.


 There will be no fix for Java 5 or 6. Thankfully, generating
 Javadoc using a different JDK than you used to compile is quite easy
 in both Maven and Ant. In fact, I personally prefer it that way,
 because the Javadoc is much more visually attractive in Java 7.


 Hopefully it will be as simple as you suggest.


 I found for JMeter that the only file that needed fixing was the
 top-level index.html.
 If always true that reduces what needs to be checked-out/put back.

 There's also a bug in the quick-fix tool - it fails to delete the
 renamed original file (on Windows, which locks files from delete)
 because it fails to call fis.close() first.
 [The code does not check that the delete is successful either.]

 Should be easily possible to run the (fixed) tool on locally generated
 javadoc before committing in future.

 Wow, the code for that quick-fix tool really is awful. If run in
 recursive mode, it will leave every file that matches the file list
 (index.html, etc.) open until the finalizers run (hah). There are also
 swallowed exceptions, no finally blocks, etc.
 
 I've made some fixes (resource closures); these are at:
 
 https://svn.apache.org/repos/asf/commons/proper/commons-javadocfix-plugin/trunk/src/main/java/org/apache/commons/plugins/javadocfix/JavadocFixTool.java
 
 Comments welcome if you spot any more.

I think you want to do a lot of the close() operations in finally
blocks, in case exceptions occur. While it probably won't allow the
program to function any better (that is, the old file need not be
deleted unless it is successfully-processed), it will reduce the number
of file handles kept open by the process.

-chris





Re: CVE-2013-1571, VU#225657

2013-06-20 Thread sebb
On 20 June 2013 16:33, Christopher Schultz ch...@christopherschultz.net wrote:
 Sebb,

 On 6/20/13 9:31 AM, sebb wrote:
 On 20 June 2013 14:16, Christopher Schultz ch...@christopherschultz.net 
 wrote:
 Sebb,

 On 6/19/13 4:26 AM, sebb wrote:
 On 19 June 2013 09:15, Mark Thomas ma...@apache.org wrote:
 On 19/06/2013 00:42, Nick Williams wrote:

 Oracle has announced a Javadoc vulnerability (CVE-2013-1571 [1],
 VU#225657 [2]) whereby Javadoc generated with Java 5, Java 6, or Java
 7 < 7u25 is vulnerable to a frame injection attack. Oracle has
 provided a repair-in-place tool for Javadoc that cannot be easily
 regenerated, but is urging developers to regenerate whatever Javadoc
 they can using Java 7u25. For all practical purposes, the vulnerability
 really only applies to publicly-hosted Javadoc, so the Javadoc in our
 existing Maven artifacts, downloads, and archived downloads really
 doesn't have to be worried about (not that we could do anything about
 it). My thoughts on this:

 1) We should apply the repair-in-place tool ASAP to the Javadoc on
 the website for Tomcat 6 and Tomcat 7.


 And Tomcat 5 and earlier. The javadoc for those isn't linked but remains
 available.

 I'll get on to this now.


 2) Future Tomcat 6 and 7 Javadoc should be generated with 7u25 or
 better.


 Hmm. That will need some thought as the build needs to be run with the
 minimum Java version required for that major version. Maybe we can just 
 run
 the Javadoc part with a different JDK. Either that, or run the fix tool 
 over
 the result. This needs some investigation.


 There will be no fix for Java 5 or 6. Thankfully, generating
 Javadoc using a different JDK than you used to compile is quite easy
 in both Maven and Ant. In fact, I personally prefer it that way,
 because the Javadoc is much more visually attractive in Java 7.


 Hopefully it will be as simple as you suggest.


 I found for JMeter that the only file that needed fixing was the
 top-level index.html.
 If always true that reduces what needs to be checked-out/put back.

 There's also a bug in the quick-fix tool - it fails to delete the
 renamed original file (on Windows, which locks files from delete)
 because it fails to call fis.close() first.
 [The code does not check that the delete is successful either.]

 Should be easily possible to run the (fixed) tool on locally generated
 javadoc before committing in future.

 Wow, the code for that quick-fix tool really is awful. If run in
 recursive mode, it will leave every file that matches the file list
 (index.html, etc.) open until the finalizers run (hah). There are also
 swallowed exceptions, no finally blocks, etc.

 I've made some fixes (resource closures); these are at:

 https://svn.apache.org/repos/asf/commons/proper/commons-javadocfix-plugin/trunk/src/main/java/org/apache/commons/plugins/javadocfix/JavadocFixTool.java

 Comments welcome if you spot any more.

 I think you want to do a lot of the close() operations in finally
 blocks, in case exceptions occur.

Agreed, but it was simpler to just fix the main-line code.
At least now the resources are closed if exceptions don't occur -
which was not the case previously.

 While it probably won't allow the
 program to function any better (that is, the old file need not be
 deleted unless it is successfully-processed), it will reduce the number
 of file handles kept open by the process.

Just noticed that the original file is renamed too early.
If the code generates an IOE before the temporary file is completed
and the rename attempted, the user is not informed that the file has
been renamed.

 -chris




[Bug 55017] Ability to configure RMI bind address

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55017

--- Comment #12 from Mark Thomas ma...@apache.org ---
Overall patch looks OK.

One question: Why are SSL and rmiBindAddress mutually exclusive?




[Bug 55017] Ability to configure RMI bind address

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55017

--- Comment #13 from Alexey Noskov alexey.nos...@gmail.com ---
It's because I found no way to specify bind address when using
SslRMIServerSocketFactory.




[Bug 54503] SAML2 based single sign on

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54503

--- Comment #4 from Toby Hobson toby.hob...@cloudseal.com ---
(In reply to Mark Thomas from comment #3)
 That is a big patch.
 
 I have one immediate concern with the proposed patch, which is the unknown
 licensing of the new JAR file.
 
 Looking more broadly, I think it would be worth (re-)considering adding
 JASPIC to Tomcat. Most of the code should be available in TomEE. That would
 then provide a standard mechanism to plug-in additional authentication
 mechanisms such as SAML2. At the moment, I'd be happier with SAML2 as an
 optional extra rather than as a core component.

Which jar? saml2-core is licensed under Apache 2




[Bug 55017] Ability to configure RMI bind address

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55017

--- Comment #14 from Mark Thomas ma...@apache.org ---
I see what you mean. Fair enough.




svn commit: r1495154 - /tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 20:01:07 2013
New Revision: 1495154

URL: http://svn.apache.org/r1495154
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55071
Remove unnecessary call to commit(). The rs.close() just above will commit 
anything that needs to be committed.

Modified:
tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java

Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495154r1=1495153r2=1495154view=diff
==
--- tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 20 
20:01:07 2013
@@ -557,7 +557,6 @@ public class JDBCRealm
 
containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet));
 }
 }
-dbConnection.commit();
 }
 
 } catch (SQLException e) {






svn commit: r1495155 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/realm/JDBCRealm.java webapps/docs/changelog.xml

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 20:04:03 2013
New Revision: 1495155

URL: http://svn.apache.org/r1495155
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55071
Remove unnecessary call to commit(). The rs.close() just above will commit 
anything that needs to be committed.

Modified:
tomcat/tc7.0.x/trunk/   (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
--
  Merged /tomcat/trunk:r1495154

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495155r1=1495154r2=1495155view=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java 
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 
20 20:04:03 2013
@@ -576,7 +576,6 @@ public class JDBCRealm
 
containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet));
 }
 }
-dbConnection.commit();
 }
 
 } catch (SQLException e) {

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495155r1=1495154r2=1495155view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jun 20 20:04:03 2013
@@ -74,6 +74,10 @@
 Web Start. Patch provided by Nick Williams. (markt)
   /fix
   fix
+bug55071/bug: Ensure original exception is reported if JDBC Realm
+fails to read a userapos;s credentials. (markt)
+  /fix
+  fix
 bug55073/bug, bug55108/bug, bug55109/bug amp;
 bug55110/bug: Small performance improvements. Patches provided by
 Adrian Nistor. (markt)






[Bug 55071] try finally catch structure masks original exception in JDBCRealm.getPassword()

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55071

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #5 from Mark Thomas ma...@apache.org ---
Ah, the joys of svn archeology.

The dbConnection.commit() is a result of fixing 10623. I am not convinced it
was ever necessary. The fix for 10623 also added the rs.close() which does
essentially the same thing.

This has been fixed in trunk and 7.0.x and will be included in 7.0.42 onwards.




[Bug 54756] EXCEPTION_ACCESS_VIOLATION with APR crashing Tomcat

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=54756

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|NEEDINFO|RESOLVED
 Resolution|--- |FIXED

--- Comment #10 from Mark Thomas ma...@apache.org ---
No further reports of errors in almost 2 months. I am going to assume that this
issue is fixed. Feel free to re-open it if that is not the case.




[Bug 55078] Configuring a DataSource Resource with dataSourceJNDI does not work as expected

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55078

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

  Component|Catalina|jdbc-pool
Version|trunk   |unspecified
Product|Tomcat 7|Tomcat Modules

--- Comment #4 from Mark Thomas ma...@apache.org ---
Moving to the correct project.




svn commit: r1495169 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ test/org/apache/catalina/authenticator/ webapps/docs/

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 20:36:08 2013
New Revision: 1495169

URL: http://svn.apache.org/r1495169
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55101
Make BASIC auth parsing more tolerant of whitespace.

Added:

tomcat/trunk/test/org/apache/catalina/authenticator/TestBasicAuthParser.java   
(with props)
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java

tomcat/trunk/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=1495169r1=1495168r2=1495169view=diff
==
--- tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java 
Thu Jun 20 20:36:08 2013
@@ -44,8 +44,7 @@ import org.apache.tomcat.util.codec.bina
  * @version $Id$
  */
 
-public class BasicAuthenticator
-extends AuthenticatorBase {
+public class BasicAuthenticator extends AuthenticatorBase {
 private static final Log log = LogFactory.getLog(BasicAuthenticator.class);
 
 
@@ -98,9 +97,6 @@ public class BasicAuthenticator
 }
 
 // Validate any credentials already included with this request
-String username = null;
-String password = null;
-
 MessageBytes authorization =
 request.getCoyoteRequest().getMimeHeaders()
 .getValue(authorization);
@@ -108,44 +104,27 @@ public class BasicAuthenticator
 if (authorization != null) {
 authorization.toBytes();
 ByteChunk authorizationBC = authorization.getByteChunk();
-if (authorizationBC.startsWithIgnoreCase(basic , 0)) {
-authorizationBC.setOffset(authorizationBC.getOffset() + 6);
-
-byte[] decoded = Base64.decodeBase64(
-authorizationBC.getBuffer(),
-authorizationBC.getOffset(),
-authorizationBC.getLength());
-
-// Get username and password
-int colon = -1;
-for (int i = 0; i  decoded.length; i++) {
-if (decoded[i] == ':') {
-colon = i;
-break;
-}
-}
-
-if (colon  0) {
-username = new String(decoded, B2CConverter.ISO_8859_1);
-} else {
-username = new String(
-decoded, 0, colon, B2CConverter.ISO_8859_1);
-password = new String(
-decoded, colon + 1, decoded.length - colon - 1,
-B2CConverter.ISO_8859_1);
+BasicCredentials credentials = null;
+try {
+credentials = new BasicCredentials(authorizationBC);
+String username = credentials.getUsername();
+String password = credentials.getPassword();
+
+principal = context.getRealm().authenticate(username, 
password);
+if (principal != null) {
+register(request, response, principal,
+HttpServletRequest.BASIC_AUTH, username, password);
+return (true);
 }
-
-authorizationBC.setOffset(authorizationBC.getOffset() - 6);
 }
-
-principal = context.getRealm().authenticate(username, password);
-if (principal != null) {
-register(request, response, principal,
-HttpServletRequest.BASIC_AUTH, username, password);
-return (true);
+catch (IllegalArgumentException iae) {
+if (log.isDebugEnabled()) {
+log.debug(Invalid Authorization + iae.getMessage());
+}
 }
 }
 
+// the request could not be authenticated, so reissue the challenge
 StringBuilder value = new StringBuilder(16);
 value.append(Basic realm=\);
 value.append(getRealmName(context));
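Review bot: The new `try` block covers not only `new BasicCredentials(authorizationBC)` but also `context.getRealm().authenticate(username, password)` and `register(...)`, so an `IllegalArgumentException` raised by the realm or by session registration is handled as a malformed header and is visible only at debug level. Narrowing the `try` to the constructor call, and running the realm call after the catch when `credentials != null`, keeps a realm fault from being silently turned into a fresh challenge. The debug line also appends `iae.getMessage()`, which is built while parsing a client-supplied header; the `BasicCredentials` class is cut off on this page, so it should be confirmed that its exception text never carries the raw header or the decoded user name and password. The enclosing method starts and ends outside the hunk.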
@@ -156,9 +135,139 @@ public class BasicAuthenticator
 
 }
 
-
 @Override
 protected String getAuthMethod() {
 return HttpServletRequest.BASIC_AUTH;
 }
+
+
+/**
+ * Parser for an HTTP Authorization header for BASIC authentication
+ * as per RFC 2617 section 2, and the Base64 encoded credentials as
+ * per RFC 2045 section 6.8.
+ */
+protected static class BasicCredentials {
+
+// the only authentication method supported by this parser
+// note: we include single white space as its delimiter
+private static final String 

[Bug 55101] BasicAuthenticator parser and associated unit tests

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55101

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #3 from Mark Thomas ma...@apache.org ---
Thanks for the patches. They have been applied to trunk and will be included in
Tomcat 8.0.0 onwards.




Re: svn commit: r1495155 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/realm/JDBCRealm.java webapps/docs/changelog.xml

2013-06-20 Thread Konstantin Kolinko
2013/6/21  ma...@apache.org:
 Author: markt
 Date: Thu Jun 20 20:04:03 2013
 New Revision: 1495155

 URL: http://svn.apache.org/r1495155
 Log:
 Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55071
 Remove unnecessary call to commit(). The rs.close() just above will commit 
 anything that needs to be committed.

I think you are wrong here.

The commit on rs.close() happens only when autoCommit is set to true
(looking at the java.sql.Connection javadoc linked in comment 2 of the
bugzilla issue).

JDBCRealm runs with setAutoCommit(false)  (around line 721 in its
open() method)




 Modified:
 tomcat/tc7.0.x/trunk/   (props changed)
 tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java
 tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

 Propchange: tomcat/tc7.0.x/trunk/
 --
   Merged /tomcat/trunk:r1495154

 Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java
 URL: 
 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495155r1=1495154r2=1495155view=diff
 ==
 --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java 
 (original)
 +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu 
 Jun 20 20:04:03 2013
 @@ -576,7 +576,6 @@ public class JDBCRealm
  
 containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet));
  }
  }
 -dbConnection.commit();
  }

  } catch (SQLException e) {

 Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
 URL: 
 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495155r1=1495154r2=1495155view=diff
 ==
 --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
 +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jun 20 20:04:03 2013
 @@ -74,6 +74,10 @@
  Web Start. Patch provided by Nick Williams. (markt)
/fix
fix
 +bug55071/bug: Ensure original exception is reported if JDBC Realm
 +fails to read a userapos;s credentials. (markt)
 +  /fix
 +  fix
  bug55073/bug, bug55108/bug, bug55109/bug amp;
  bug55110/bug: Small performance improvements. Patches provided by
  Adrian Nistor. (markt)






Re: svn commit: r1495155 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/realm/JDBCRealm.java webapps/docs/changelog.xml

2013-06-20 Thread Mark Thomas
On 20/06/2013 21:51, Konstantin Kolinko wrote:
 2013/6/21  ma...@apache.org:
 Author: markt
 Date: Thu Jun 20 20:04:03 2013
 New Revision: 1495155

 URL: http://svn.apache.org/r1495155
 Log:
 Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55071
 Remove unnecessary call to commit(). The rs.close() just above will commit 
 anything that needs to be committed.
 
 I think you are wrong here.

Quite possibly :)

 rs.close() will commit happens only when autoCommit is set to true
 (looking at java.sql.Connection javadoc linked in comment 2 of the
 bugzilla issue).
 
 JDBCRealm runs with setAutoCommit(false)  (around line 721 in its
 open() method)

I'll go and re-read the docs...

Yep. I mis-read it. I'll fix that now.

Mark


 Modified:
 tomcat/tc7.0.x/trunk/   (props changed)
 tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java
 tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

 Propchange: tomcat/tc7.0.x/trunk/
 --
   Merged /tomcat/trunk:r1495154

 Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java
 URL: 
 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495155r1=1495154r2=1495155view=diff
 ==
 --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java 
 (original)
 +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu 
 Jun 20 20:04:03 2013
 @@ -576,7 +576,6 @@ public class JDBCRealm
  
 containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet));
  }
  }
 -dbConnection.commit();
  }

  } catch (SQLException e) {

 Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
 URL: 
 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495155r1=1495154r2=1495155view=diff
 ==
 --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
 +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jun 20 20:04:03 2013
 @@ -74,6 +74,10 @@
  Web Start. Patch provided by Nick Williams. (markt)
/fix
fix
 +bug55071/bug: Ensure original exception is reported if JDBC 
 Realm
 +fails to read a userapos;s credentials. (markt)
 +  /fix
 +  fix
  bug55073/bug, bug55108/bug, bug55109/bug amp;
  bug55110/bug: Small performance improvements. Patches provided 
 by
  Adrian Nistor. (markt)






Re: [Bug 55102] New: Add ability to report time taken to prepare response

2013-06-20 Thread Jeremy Boynes
On Jun 15, 2013, at 10:09 AM, bugzi...@apache.org wrote:

 https://issues.apache.org/bugzilla/show_bug.cgi?id=55102
   Summary: Add ability to report time taken to prepare response
 
 Created attachment 30438
  -- https://issues.apache.org/bugzilla/attachment.cgi?id=30438action=edit
 Patch against trunk@r1493385 to record and output time to commit
 
 Tomcat's AccessLogValve is able to report the time taken to send an entire
 request using %D. This is the total processing time and may be affected by
 network conditions. It is sometimes useful to be able to record the time taken
 by the server to prepare the response and send the first content to the 
 client.
 
 Attached is a patch that records the time the response is committed and then
 allows that to be reported in the access log using a '%F' pattern (which is 
 the
 same as used by the mod-log-firstbyte module for HTTPD).

Any thoughts on this patch? Is it suitable for trunk, and if so should I commit 
it? Is this something worth back porting to 7.0?

Thanks
Jeremy





svn commit: r1495197 - /tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 21:34:09 2013
New Revision: 1495197

URL: http://svn.apache.org/r1495197
Log:
r1495154 incorrectly removed the commit
Restore the commit and clean the code up a little.

Modified:
tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java

Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495197r1=1495196r2=1495197view=diff
==
--- tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 20 
21:34:09 2013
@@ -527,47 +527,42 @@ public class JDBCRealm
 // connection may try to be opened again. On normal conditions 
(including
 // invalid login - the above is only used once.
 int numberOfTries = 2;
-while (numberOfTries0) {
+while (numberOfTries  0) {
 try {
-
 // Ensure that we have an open database connection
 open();
 
-try {
-stmt = credentials(dbConnection, username);
-rs = stmt.executeQuery();
+stmt = credentials(dbConnection, username);
+rs = stmt.executeQuery();
+dbConnection.commit();
 
-if (rs.next()) {
-dbCredentials = rs.getString(1);
-}
-rs.close();
-rs = null;
-if (dbCredentials == null) {
-return (null);
-}
+if (rs.next()) {
+dbCredentials = rs.getString(1);
+}
 
+if (dbCredentials != null) {
 dbCredentials = dbCredentials.trim();
-return dbCredentials;
-
-} finally {
-if (rs!=null) {
-try {
-rs.close();
-} catch(SQLException e) {
-
containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet));
-}
-}
 }
 
-} catch (SQLException e) {
+return dbCredentials;
 
+} catch (SQLException e) {
 // Log the problem for posterity
 containerLog.error(sm.getString(jdbcRealm.exception), e);
+} finally {
+if (rs != null) {
+try {
+rs.close();
+} catch(SQLException e) {
+containerLog.warn(sm.getString(
+jdbcRealm.abnormalCloseResultSet));
+}
+}
+}
 
-// Close the connection so that it gets reopened next time
-if (dbConnection != null)
-close(dbConnection);
-
+// Close the connection so that it gets reopened next time
+if (dbConnection != null) {
+close(dbConnection);
 }
 
 numberOfTries--;
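Review bot: `dbConnection.commit()` is restored directly after `rs = stmt.executeQuery();` and before `rs.next()`, so the transaction is committed while the result set is still unread. On a driver whose result sets are closed at commit (holdability `ResultSet.CLOSE_CURSORS_AT_COMMIT`), the following `rs.next()` would throw `SQLException` and the credential lookup would fail on both tries. Placing the commit below the read, after the `if (rs.next()) { dbCredentials = rs.getString(1); }` block, removes the dependence on driver holdability. The same ordering is in the tc7.0.x hunk of r1495202 further down. The enclosing method starts and ends outside the hunk.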






Re: [Bug 55102] New: Add ability to report time taken to prepare response

2013-06-20 Thread Mark Thomas
On 20/06/2013 22:22, Jeremy Boynes wrote:
 On Jun 15, 2013, at 10:09 AM, bugzi...@apache.org wrote:
 
 https://issues.apache.org/bugzilla/show_bug.cgi?id=55102
   Summary: Add ability to report time taken to prepare response

 Created attachment 30438
  -- https://issues.apache.org/bugzilla/attachment.cgi?id=30438action=edit
 Patch against trunk@r1493385 to record and output time to commit

 Tomcat's AccessLogValve is able to report the time taken to send an entire
 request using %D. This is the total processing time and may be affected by
 network conditions. It is sometimes useful to be able to record the time 
 taken
 by the server to prepare the response and send the first content to the 
 client.

 Attached is a patch that records the time the response is committed and then
 allows that to be reported in the access log using a '%F' pattern (which is 
 the
 same as used by the mod-log-firstbyte module for HTTPD).
 
 Any thoughts on this patch? Is it suitable for trunk, and if so should I 
 commit it? Is this something worth back porting to 7.0?

I was just starting to look at this when Konstantin pointed out an
earlier mistake of mine that needed fixing. I'll get back to this shortly.

Mark





svn commit: r1495202 - /tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 21:38:59 2013
New Revision: 1495202

URL: http://svn.apache.org/r1495202
Log:
r1495155 incorrectly removed the commit
Restore the commit and clean the code up a little.

Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495202r1=1495201r2=1495202view=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java 
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 
20 21:38:59 2013
@@ -546,47 +546,42 @@ public class JDBCRealm
 // connection may try to be opened again. On normal conditions 
(including
 // invalid login - the above is only used once.
 int numberOfTries = 2;
-while (numberOfTries0) {
+while (numberOfTries  0) {
 try {
-
 // Ensure that we have an open database connection
 open();
 
-try {
-stmt = credentials(dbConnection, username);
-rs = stmt.executeQuery();
+stmt = credentials(dbConnection, username);
+rs = stmt.executeQuery();
+dbConnection.commit();
 
-if (rs.next()) {
-dbCredentials = rs.getString(1);
-}
-rs.close();
-rs = null;
-if (dbCredentials == null) {
-return (null);
-}
+if (rs.next()) {
+dbCredentials = rs.getString(1);
+}
 
+if (dbCredentials != null) {
 dbCredentials = dbCredentials.trim();
-return dbCredentials;
-
-} finally {
-if (rs!=null) {
-try {
-rs.close();
-} catch(SQLException e) {
-
containerLog.warn(sm.getString(jdbcRealm.abnormalCloseResultSet));
-}
-}
 }
 
+return dbCredentials;
+
 } catch (SQLException e) {
-
 // Log the problem for posterity
 containerLog.error(sm.getString(jdbcRealm.exception), e);
-
-// Close the connection so that it gets reopened next time
-if (dbConnection != null)
-close(dbConnection);
-
+} finally {
+if (rs != null) {
+try {
+rs.close();
+} catch(SQLException e) {
+containerLog.warn(sm.getString(
+jdbcRealm.abnormalCloseResultSet));
+}
+}
+}
+
+// Close the connection so that it gets reopened next time
+if (dbConnection != null) {
+close(dbConnection);
 }
 
 numberOfTries--;






[Bug 55071] try finally catch structure masks original exception in JDBCRealm.getPassword()

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55071

--- Comment #6 from Mark Thomas ma...@apache.org ---
Oops. My analysis assumed autoCommit == true, which is not the case. The commit is
therefore required. I've restored it and cleaned up the code.




[Bug 55102] Add ability to report time taken to prepare response

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55102

--- Comment #2 from Mark Thomas ma...@apache.org ---
Generally the patch looks good to me.

It is missing documentation. Other than that I see no reason not to add it to
trunk and 7.0.x.




Re: svn commit: r1495197 - /tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java

2013-06-20 Thread Christopher Schultz
Mark,

On 6/20/13 5:34 PM, ma...@apache.org wrote:
 Author: markt
 Date: Thu Jun 20 21:34:09 2013
 New Revision: 1495197
 
 URL: http://svn.apache.org/r1495197
 Log:
 r1495154 incorrectly removed the commit
 Restore the commit and clean the code up a little.
 
 Modified:
 tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
 
 Modified: tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java
 URL: 
 http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java?rev=1495197r1=1495196r2=1495197view=diff
 ==
 --- tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java (original)
 +++ tomcat/trunk/java/org/apache/catalina/realm/JDBCRealm.java Thu Jun 20 
 21:34:09 2013
 @@ -527,47 +527,42 @@ public class JDBCRealm
  // connection may try to be opened again. On normal conditions 
 (including
  // invalid login - the above is only used once.
  int numberOfTries = 2;
 -while (numberOfTries0) {
 +while (numberOfTries  0) {
  try {
 -
  // Ensure that we have an open database connection
  open();
  
 -try {
 -stmt = credentials(dbConnection, username);
 -rs = stmt.executeQuery();
 +stmt = credentials(dbConnection, username);
 +rs = stmt.executeQuery();
 +dbConnection.commit();

I still don't understand the commit, here.

I read Konstantin's comment about JDBCRealm /not/ running in auto-commit
mode... why is that? I don't see any INSERT/UPDATE/DELETE statements
anywhere in the code, nor are they user-configurable. So, why bother
with conn.setAutoCommit(false) and conn.commit() in the first place?

If we are going to have commit() why not rollback()?

The use of commit() and/or rollback() implies that there is some
connection state which is useful to the thread of execution. This cannot
be the case as JDBCRealm uses a single-connection yet allows multiple
threads to use it.

Any reason not to eliminate all manipulation of the auto-commit state
/and/ remove the commit calls?

-chris





[Bug 55071] try finally catch structure masks original exception in JDBCRealm.getPassword()

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55071

--- Comment #7 from Christopher Schultz ch...@christopherschultz.net ---
I still think commit() should not be called. For the shared-connection of
JDBCRealm to ever be put into auto-commit=false would be an enormous mistake,
assuming any data modification was taking place... which it is not.




svn commit: r1495208 - /tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 21:58:25 2013
New Revision: 1495208

URL: http://svn.apache.org/r1495208
Log:
Refactor in preparation for fixing BZ 55120

Modified:
tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java

Modified: 
tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java?rev=1495208r1=1495207r2=1495208view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java 
Thu Jun 20 21:58:25 2013
@@ -95,9 +95,9 @@ public class PojoMethodMapping {
 this.onOpen = open;
 this.onClose = close;
 this.onError = error;
-onOpenParams = getPathParams(onOpen, false, false);
-onCloseParams = getPathParams(onClose, false, true);
-onErrorParams = getPathParams(onError, true, false);
+onOpenParams = getPathParams(onOpen, MethodType.ON_OPEN);
+onCloseParams = getPathParams(onClose, MethodType.ON_CLOSE);
+onErrorParams = getPathParams(onError, MethodType.ON_ERROR);
 }
 
 
@@ -176,8 +176,8 @@ public class PojoMethodMapping {
 }
 
 
-private static PojoPathParam[] getPathParams(Method m, boolean isOnError,
-boolean isClose) {
+private static PojoPathParam[] getPathParams(Method m,
+MethodType methodType) {
 if (m == null) {
 return new PojoPathParam[0];
 }
@@ -189,10 +189,12 @@ public class PojoMethodMapping {
 Class? type = types[i];
 if (type.equals(Session.class)) {
 result[i] = new PojoPathParam(type, null);
-} else if (isOnError  type.equals(Throwable.class)) {
+} else if (methodType == MethodType.ON_ERROR
+ type.equals(Throwable.class)) {
 foundThrowable = true;
 result[i] = new PojoPathParam(type, null);
-} else if (isClose  type.equals(CloseReason.class)) {
+} else if (methodType == MethodType.ON_CLOSE 
+type.equals(CloseReason.class)) {
 result[i] = new PojoPathParam(type, null);
 } else {
 Annotation[] paramAnnotations = paramsAnnotations[i];
@@ -210,7 +212,7 @@ public class PojoMethodMapping {
 }
 }
 }
-if (isOnError  !foundThrowable) {
+if (methodType == MethodType.ON_ERROR  !foundThrowable) {
 throw new IllegalArgumentException(sm.getString(
 pojoMethodMapping.onErrorNoThrowable,
 m.getName(), m.getDeclaringClass().getName()));
@@ -565,4 +567,11 @@ public class PojoMethodMapping {
 return decoder;
 }
 }
+
+
+private static enum MethodType {
+ON_OPEN,
+ON_CLOSE,
+ON_ERROR
+}
 }
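Review bot: The nested `MethodType` enum added at the end of the class is declared `private static enum`, but a nested enum is implicitly static, so the modifier is redundant; `private enum MethodType {` is the conventional form. The enum also has no comment, and a line such as `// Lifecycle callback kind; getPathParams uses it to decide which special parameter types are accepted` would record why it replaced the two boolean flags.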






Re: [Bug 55102] New: Add ability to report time taken to prepare response

2013-06-20 Thread Rainer Jung
On 20.06.2013 23:22, Jeremy Boynes wrote:
 On Jun 15, 2013, at 10:09 AM, bugzi...@apache.org wrote:
 
 https://issues.apache.org/bugzilla/show_bug.cgi?id=55102
   Summary: Add ability to report time taken to prepare response

 Created attachment 30438
  -- https://issues.apache.org/bugzilla/attachment.cgi?id=30438action=edit
 Patch against trunk@r1493385 to record and output time to commit

 Tomcat's AccessLogValve is able to report the time taken to send an entire
 request using %D. This is the total processing time and may be affected by
 network conditions. It is sometimes useful to be able to record the time 
 taken
 by the server to prepare the response and send the first content to the 
 client.

 Attached is a patch that records the time the response is committed and then
 allows that to be reported in the access log using a '%F' pattern (which is 
 the
 same as used by the mod-log-firstbyte module for HTTPD).
 
 Any thoughts on this patch? Is it suitable for trunk, and if so should I 
 commit it? Is this something worth back porting to 7.0?

I haven't looked at the concrete patch but the feature sounded useful.

Regards,

Rainer





svn commit: r1495216 - in /tomcat/trunk: java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java test/org/apache/tomcat/websocket/pojo/

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 22:24:25 2013
New Revision: 1495216

URL: http://svn.apache.org/r1495216
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55120
@OnOpen needs to support an optional EndpointConfig parameter.
Based on a patch by Niki Dokovski.

Modified:
tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java
tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java
tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java?rev=1495216r1=1495215r2=1495216view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java 
Thu Jun 20 22:24:25 2013
@@ -56,7 +56,8 @@ public abstract class PojoEndpointBase e
 if (methodMapping.getOnOpen() != null) {
 try {
 methodMapping.getOnOpen().invoke(pojo,
-methodMapping.getOnOpenArgs(pathParameters, session));
+methodMapping.getOnOpenArgs(
+pathParameters, session, config));
 
 } catch (IllegalAccessException e) {
 // Reflection related problems

Modified: 
tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java?rev=1495216r1=1495215r2=1495216view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/websocket/pojo/PojoMethodMapping.java 
Thu Jun 20 22:24:25 2013
@@ -112,8 +112,9 @@ public class PojoMethodMapping {
 
 
 public Object[] getOnOpenArgs(MapString,String pathParameters,
-Session session) throws DecodeException {
-return buildArgs(onOpenParams, pathParameters, session, null, null);
+Session session, EndpointConfig config) throws DecodeException {
+return buildArgs(onOpenParams, pathParameters, session, config, null,
+null);
 }
 
 
@@ -124,8 +125,8 @@ public class PojoMethodMapping {
 
 public Object[] getOnCloseArgs(MapString,String pathParameters,
 Session session, CloseReason closeReason) throws DecodeException {
-return buildArgs(
-onCloseParams, pathParameters, session, null, closeReason);
+return buildArgs(onCloseParams, pathParameters, session, null, null,
+closeReason);
 }
 
 
@@ -136,8 +137,8 @@ public class PojoMethodMapping {
 
 public Object[] getOnErrorArgs(MapString,String pathParameters,
 Session session, Throwable throwable) throws DecodeException {
-return buildArgs(
-onErrorParams, pathParameters, session, throwable, null);
+return buildArgs(onErrorParams, pathParameters, session, null,
+throwable, null);
 }
 
 
@@ -189,6 +190,9 @@ public class PojoMethodMapping {
 Class? type = types[i];
 if (type.equals(Session.class)) {
 result[i] = new PojoPathParam(type, null);
+} else if (methodType == MethodType.ON_OPEN 
+type.equals(EndpointConfig.class)) {
+result[i] = new PojoPathParam(type, null);
 } else if (methodType == MethodType.ON_ERROR
  type.equals(Throwable.class)) {
 foundThrowable = true;
@@ -223,13 +227,15 @@ public class PojoMethodMapping {
 
 private static Object[] buildArgs(PojoPathParam[] pathParams,
 MapString,String pathParameters, Session session,
-Throwable throwable, CloseReason closeReason)
+EndpointConfig config, Throwable throwable, CloseReason 
closeReason)
 throws DecodeException {
 Object[] result = new Object[pathParams.length];
 for (int i = 0; i  pathParams.length; i++) {
 Class? type = pathParams[i].getType();
 if (type.equals(Session.class)) {
 result[i] = session;
+} else if (type.equals(EndpointConfig.class)) {
+result[i] = config;
 } else if (type.equals(Throwable.class)) {
 result[i] = throwable;
 } else if (type.equals(CloseReason.class)) {
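Review bot: The `EndpointConfig` branch added to `buildArgs` is unconditional, while `getOnCloseArgs` and `getOnErrorArgs` pass `null` for `config`. The method therefore relies on the ON_OPEN-only check in the parameter-scanning hunk above to ensure no close or error handler ever has an `EndpointConfig` slot. If that filtering were ever relaxed, the handler would silently receive `null` and fail only when it dereferences it. The signature now also has three adjacent nullable arguments, and call sites such as `session, null, null, closeReason` are hard to read. I would add a Javadoc on `buildArgs` saying which of `config`, `throwable` and `closeReason` may be null for which callback, and `// config is non-null only when called from getOnOpenArgs` on the new branch. The loop body continues past the end of the hunk.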

Modified: 
tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java?rev=1495216r1=1495215r2=1495216view=diff

[Bug 55120] ISA exception is thrown during application start when there is annotated ServerEndpoint POJO

2013-06-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55120

Mark Thomas ma...@apache.org changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #3 from Mark Thomas ma...@apache.org ---
Thanks for the patch. It has been applied to trunk and will be included in
8.0.0 onwards. I did make a number of changes:

1. I did some refactoring in r1495208 that meant the patch needed some small
tweaks.

2. The patch always looked for an EndpointConfig parameter rather than only on
OnOpen methods.

3. We always use spaces instead of tabs.

4. I changed a few line breaks.

5. I fixed a typo in a test method name.

6. I amended the test to check that the config was actually passed.




svn commit: r1495218 - /tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java

2013-06-20 Thread markt
Author: markt
Date: Thu Jun 20 22:29:54 2013
New Revision: 1495218

URL: http://svn.apache.org/r1495218
Log:
Fix spacing

Modified:
tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java

Modified: 
tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java?rev=1495218r1=1495217r2=1495218view=diff
==
--- 
tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java 
(original)
+++ 
tomcat/trunk/test/org/apache/tomcat/websocket/pojo/TestPojoEndpointBase.java 
Thu Jun 20 22:29:54 2013
@@ -75,6 +75,7 @@ public class TestPojoEndpointBase extend
 Assert.assertTrue(Server failed to close connection, closed);
 }
 
+
 @Test
 public void testOnOpenPojoMethod() throws Exception {
 // Set up utility classes
@@ -107,7 +108,6 @@ public class TestPojoEndpointBase extend
 }
 
 
-
 @ServerEndpoint(/)
 public static class OnOpenServerEndpoint {
 






Re: svn commit: r1494915 - in /tomcat/trunk: java/org/apache/catalina/ java/org/apache/catalina/core/ java/org/apache/catalina/deploy/ java/org/apache/catalina/startup/ test/org/apache/catalina/core/

2013-06-20 Thread Violeta Georgieva
2013/6/20 ma...@apache.org

 Author: markt
 Date: Thu Jun 20 10:38:49 2013
 New Revision: 1494915

 URL: http://svn.apache.org/r1494915
 Log:
 Servlet 3.1 Implement the new deny-uncovered-http-methods element in
server.xml


That's for the xml but what about annotations?
We are processing them when loading the servlet.
Shouldn't we add a check for uncovered methods to the
o.a.catalina.core.StandardContext.addServletSecurity(...):

Index: C:/tc8.0.x/java/org/apache/catalina/core/StandardContext.java
===
--- C:/tc8.0.x/java/org/apache/catalina/core/StandardContext.java (revision
1495273)
+++ C:/tc8.0.x/java/org/apache/catalina/core/StandardContext.java (working
copy)
@@ -5828,6 +5828,7 @@
 newSecurityConstraints) {
 addConstraint(securityConstraint);
 }
+checkConstraintsForUncoveredMethods();
 }
 }