cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityClassLoad.java

2005-08-04 Thread billbarker
billbarker    2005/08/03 23:07:46

  Modified:catalina/src/share/org/apache/catalina/security
SecurityClassLoad.java
  Log:
  Fix CNFE when starting in a sandbox.
  
  After the last refactoring, the Jk-Java Connector no longer has need of PAs.  
If this changes, the method can always be added back.
  
  Revision  Changes  Path
  1.18      +1 -12   jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java
  
  Index: SecurityClassLoad.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- SecurityClassLoad.java24 Jul 2004 07:07:37 -  1.17
  +++ SecurityClassLoad.java4 Aug 2005 06:07:46 -   1.18
  @@ -43,7 +43,6 @@
   loadJavaxPackage(loader);
   loadCoyotePackage(loader);
   loadHttp11Package(loader);
  -loadJkPackage(loader);
   }
   
   
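Review bot: the one thing to check in this hunk is that it lands together with the method removal below, since dropping the `loadJkPackage(loader)` call alone leaves an unused private method and dropping the method alone does not compile; both hunks are in this commit, so that is fine. The commit log could also record which org.apache.jk classes were preloaded and why they are no longer needed (the refactoring removed the PrivilegedAction inner classes), because the preload list exists to load container classes before any webapp frame is on the stack, and a reader of this one-line change cannot otherwise tell a correctly pruned list from an incomplete one.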
  @@ -198,15 +197,5 @@
Response$3);
   }
   
  -private final static void loadJkPackage(ClassLoader loader)
  -throws Exception {
  -String basePackage = org.apache.jk.;
  -loader.loadClass
  -(basePackage +
  - server.JkCoyoteHandler$1);
  -loader.loadClass
  -(basePackage +
  - server.JkCoyoteHandler$StatusLinePrivilegedAction);
  -}
   }
   
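Review bot: the deleted method hard-coded anonymous inner-class names (`JkCoyoteHandler$1`, `JkCoyoteHandler$StatusLinePrivilegedAction`) and called `loader.loadClass` on each without catching ClassNotFoundException, which is exactly how a refactoring that removed those inner classes became the startup failure reported in Bug 35894; `$1`-style names in particular change whenever an anonymous class is added or removed in the enclosing source. Removing the method is the right fix now, but if a Jk preload is ever added back, as the log message allows, it should either catch and log the CNFE per class so that one stale entry cannot prevent Tomcat from starting, or be exercised by a startup run with `-security` so a stale entry is caught before release. The missing quotes around the string literals in this rendering are extraction damage, not the committed source.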
  
  
  

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



DO NOT REPLY [Bug 35894] - Tomcat does not start with security enabled

2005-08-04 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://issues.apache.org/bugzilla/show_bug.cgi?id=35894.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35894


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED




--- Additional Comments From [EMAIL PROTECTED]  2005-08-04 08:08 ---
This is fixed now in the CVS and will appear in 5.5.11.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityClassLoad.java

2005-08-04 Thread Remy Maucherat

[EMAIL PROTECTED] wrote:

billbarker    2005/08/03 23:07:46

  Modified:catalina/src/share/org/apache/catalina/security
SecurityClassLoad.java
  Log:
  Fix CNFE when starting in a sandbox.
  
  After the last refactoring, the Jk-Java Connector no longer has need of PAs.  If this changes, the method can always be added back.


This reminds me I need to test security more often.

I look in the preload list for HTTP, and I see a few PAs there. One of 
them is:


// End the response status line
if (System.getSecurityManager() != null) {
    // buf and pos are fields of the enclosing output buffer class
    AccessController.doPrivileged(
        new PrivilegedAction() {
            public Object run() {
                buf[pos++] = Constants.CR;
                buf[pos++] = Constants.LF;
                return null;
            }
        }
    );
} else {
    buf[pos++] = Constants.CR;
    buf[pos++] = Constants.LF;
}

I think this is fairly funny code. The contents of the PA were a bit 
different originally, but I don't see why a PA was ever needed. 
Similarly, the other PA is needed because the HttpMessages is a bundle 
which will need to be loaded, while the loading should be done during 
the init of the connector (like HttpMessages.getMessage(200)).


Rémy




DO NOT REPLY [Bug 35894] New: - Tomcat does not start with security enabled

2005-07-27 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=35894

   Summary: Tomcat does not start with security enabled
   Product: Tomcat 5
   Version: 5.0.10
  Platform: Other
OS/Version: Linux
Status: NEW
  Severity: blocker
  Priority: P2
 Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]


I've downloaded the current release 5.5.10 alpha and extracts the archive. Now
I've tried to start with security enabled:
 ./catalina.sh run -security

Now I'm getting the following messages:

Using CATALINA_BASE:   /opt/dev-tools/tomcat/5.5.10/jakarta-tomcat-5.5.10
Using CATALINA_HOME:   /opt/dev-tools/tomcat/5.5.10/jakarta-tomcat-5.5.10
Using CATALINA_TMPDIR: /opt/dev-tools/tomcat/5.5.10/jakarta-tomcat-5.5.10/temp
Using JRE_HOME:   /usr/lib/jvm/java/jre
Using Security Manager
java.lang.ClassNotFoundException: org.apache.jk.server.JkCoyoteHandler$1
        at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
        at org.apache.catalina.security.SecurityClassLoad.loadJkPackage(SecurityClassLoad.java:204)
        at org.apache.catalina.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:46)
        at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:193)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:386)

Without security all works fine.

Thorsten




DO NOT REPLY [Bug 34396] - security exception using datasource in servlet-instance.init()

2005-07-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34396


[EMAIL PROTECTED] changed:

   What|Removed |Added

   Severity|minor   |trivial
   Priority|P3  |P5




--- Additional Comments From [EMAIL PROTECTED]  2005-07-25 11:13 ---
OK. My application in not important.

Other J2EE application servers usually throws SecurityException for directory
access from asynch Threads started into init() or service() method call.
Threre is no difference between servlet.init() and servlet.service(...)
permission. 

I don't see difference in J2EE specification for servlet.service(...) and
servlet.init() permission.
@see http://java.sun.com/j2ee/j2ee-1_4-fr-spec.pdf
Page 87: J2EE.6.2 Java 2 Platform, Standard Edition (J2SE) Requirements

It's a trivial problem. 
Thanks for your effort into developing Tomcat.




DO NOT REPLY [Bug 34396] - security exception using datasource in servlet-instance.init()

2005-07-22 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34396





--- Additional Comments From [EMAIL PROTECTED]  2005-07-22 16:22 ---
Dario, I understand that you need additional permissions for your application
becasue you're doing a DataSource creation in the initialization.  But I wonder
if, instead of changing the policy file that comes with Tomcat, we should simply
document this.  I'm very hesitant to put DBCP-specific permissions in the
default Tomcat policy file.




DO NOT REPLY [Bug 34396] - security exception using datasource in servlet-instance.init()

2005-07-22 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34396


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |NEEDINFO







DO NOT REPLY [Bug 34805] - warn about invalid security contraint url patterns

2005-07-21 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34805


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED




--- Additional Comments From [EMAIL PROTECTED]  2005-07-21 22:15 ---
Warning added to SecurityCollection.  Thanks for this useful suggestion.




Re: PayPal Account Security Measures

2005-06-09 Thread Marie Aloisi
I did not make any transactions on my Paypal account.  Please cancel...
 
marie

[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
You have recieve this email because you or someone had tried to used 
your paypal account at http://www.springbok-computers.co.uk Below is the 
details about the transaction made:

Transaction site : http://www.springbok-computers.co.uk
Order ID : FMO17436466
Amount : $263
Date : Wednesday, Jun 08



To confirm or decline this transaction, please follow the link provide 
below. Please save the fraud alert id for your reference.

http://www.paypal-confirmation%2Did-0746795.com

If we do not get the confirmation within 5 business days, your account 
will be suspended until further notice.


Sincerely,
The PayPal Security Team

PROTECT YOUR PASSWORD

NEVER give your password to anyone and ONLY log in at
https://www.paypal.com/. Protect yourself against fraudulent websites 
by
opening a new web browser (e.g. Internet Explorer or Netscape) and 
typing
in the PayPal URL every time you log in to your account.

 


Please do not reply to this email. This mailbox is not monitored and 
you
will not receive a response. For assistance, log in to your PayPal 
account
and click the Help link located in the top right corner of any PayPal 
page.
PayPal Alert ID : 0746795





PayPal Account Security Measures

2005-06-08 Thread [EMAIL PROTECTED]
You have recieve this email because you or someone had tried to used 
your paypal account at http://www.springbok-computers.co.uk Below is the 
details about the transaction made:

Transaction site : http://www.springbok-computers.co.uk
Order ID : FMO17436466
Amount : $263
Date : Wednesday, Jun 08



To confirm or decline this transaction, please follow the link provide 
below. Please save the fraud alert id for your reference.

http://www.paypal-confirmation%2Did-0746795.com

If we do not get the confirmation within 5 business days, your account 
will be suspended until further notice.


Sincerely,
The PayPal Security Team

PROTECT YOUR PASSWORD

NEVER give your password to anyone and ONLY log in at
https://www.paypal.com/. Protect yourself against fraudulent websites 
by
opening a new web browser (e.g. Internet Explorer or Netscape) and 
typing
in the PayPal URL every time you log in to your account.

 


Please do not reply to this email. This mailbox is not monitored and 
you
will not receive a response. For assistance, log in to your PayPal 
account
and click the Help link located in the top right corner of any PayPal 
page.
PayPal Alert ID : 0746795








DO NOT REPLY [Bug 33911] - Request for security role mapping (role-to-group/user)

2005-06-03 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33911


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|ASSIGNED|NEW




--- Additional Comments From [EMAIL PROTECTED]  2005-06-03 15:19 ---
Please use tomcat-dev for communicating rather than bug reports. We started a
thread on possible summer of code projects.

I do not think it is a good idea to change how security is done in Tomcat 5.5.x,
and that any change in any upcoming Tomcat should be done once we know a little
bit more about the upcoming specification. Conclusion: this is likely not a good
summer of code project, due to timing issues.




DO NOT REPLY [Bug 33911] - Request for security role mapping (role-to-group/user)

2005-05-31 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33911





--- Additional Comments From [EMAIL PROTECTED]  2005-06-01 07:22 ---
Hi I saw this thread from google's summer of codes site. I've been using Tomcat
for 5-6 years and am new to JAAS. I would like to learn more about this issue
and maybe I can contribute some codes. Could anyone point me to some
documentations?  Thanks

-Lou




DO NOT REPLY [Bug 35034] - jndi datasources security manager

2005-05-24 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=35034


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||INVALID




--- Additional Comments From [EMAIL PROTECTED]  2005-05-24 09:58 ---
The commons-dbcp library would need to be written with the security manager in
mind (ie, it needs to have PAs). Not a Tomcat bug, and you should be able to use
alternate datasource providers.




DO NOT REPLY [Bug 35034] New: - jndi datasources security manager

2005-05-23 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=35034

   Summary: jndi datasources  security manager
   Product: Tomcat 5
   Version: 5.5.9
  Platform: All
OS/Version: All
Status: NEW
  Severity: normal
  Priority: P2
 Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]


Running tomcat with security manager: To get a datasource (with jndi) and to use
statements you have to grant several accessClassInPackage Permissions to tomcat
internal packages to the webapp:
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.collections";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool.impl";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool";

Additionally dbcp needs a permission java.lang.RuntimePermission "getClassLoader";
permission to load the jdbc driver.

And in most cases you need some socket permissions.

Datasources will be made available by the container (with JNDI). So the app
doesn't matter where the database resides nor how the container makes the
connection. The app is not interested in the details how the container will get
the connection - it is only interested to have a connection. 
There is no need to give the whole app a permission to connect to some server
only because the container wants to make some connection to this server. The
permission if a app should be able to make a connection is given by a
resource-link entry in context.xml.
The permission to connect to the database server should be given at the
container level and only there.
Why should the whole app have permission to access tomcat internal packages
(org.apache.tomcat.*)?




5.5.9 security manager

2005-05-20 Thread Pfingstl Gernot
I'm trying to run my apps with security manager and I noticed some (in my 
opinion) strange things:

(1)
The simple JSP
<HTML>
<BODY>
<%=response.encodeURL("http://jakarta.apache.org")%>
</BODY>
</HTML>
causes an access denied (java.lang.RuntimePermission 
accessClassInPackage.org.apache.tomcat.util.net) exception. Of course putting 
accessClassInPackage.org.apache.tomcat.util.net in my policy file causes that 
my JSP works well. But isn't this an implementation detail of tomcat that 
should be hidden to a developer/admin? No non trivial web app will work without 
this permission - why do you put org.apache.tomcat into package.access in 
file catalina.properties by default? This does not make sense, because when 
running without security manager, this entry will be ignored, when running with 
security manager, no web app will work!?
So there following possibilities:
1) change default catalina.properties file (package.access)
2) change default catalina.policy file to add this permission to all code bases
3) respose methods (and all other similar) must use doPrivileged()

(2)
Obtaining a datasource with JNDI has similar problems:
Getting a sql connection requires following permissions for the whole app 
(correctly spoken for this pieces which uses sql, but practically this is the 
whole app):
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.collections";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool.impl";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool";
  permission java.net.SocketPermission "<host>:<port>", "connect,resolve";

Datasources will be made available by the container (with JNDI). So the app 
doesn't matter where the database resides nor how the container makes the 
connection. I'm not interested in the details how the container will get the 
connection - I'm only interested to have a connection. 
I don't want to give the whole app a permission to connect to some server only 
because the container wants to make some connection to this server. The 
permission if a app should be able to make a connection is given by a 
resource-link entry in context.xml.
The permission to connect to the database server should be given at the 
container level and only there.
Why should the whole app have permission to access tomcat internal packages 
(org.apache.tomcat.*)?
So a doPrivileged() blocks will be neccessary.


Is this a general rule when working with tomcat with security manager to expose 
internal classes to the web apps or is there a better solution I havn't found?

Gernot



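As an added illustration of the doPrivileged() fix Gernot asks for in point 3 above (and of the PrivilegedAction pattern Remy's reply earlier in this archive discusses), the following is example code written for this page, not Tomcat's own Response implementation. `ContainerResponse` and `InternalEncoder` are hypothetical stand-ins for the container's Response class and the org.apache.tomcat.util.net helper it reaches; the scenario assumes catalina.jar has the needed grant in catalina.policy and the webapp's codeBase does not.

```java
// Added example (not Tomcat code): how a container-side method shields webapp
// callers from needing the container's own permissions, using
// AccessController.doPrivileged as discussed in the thread.
//
// Assumptions (not from the page): ContainerResponse and InternalEncoder are
// hypothetical stand-ins for Tomcat's Response and for the
// org.apache.tomcat.util.net helper it reaches; the webapp's grant in
// catalina.policy lacks accessClassInPackage.org.apache.tomcat.util.net while
// the container's grant has it.
import java.security.AccessController;
import java.security.PrivilegedAction;

public final class ContainerResponse {

    // Stand-in for a class in an internal package that package.access in
    // catalina.properties makes off-limits to webapp code. Loading it from a
    // stack that contains a webapp frame triggers checkPackageAccess, which
    // consults every protection domain on the stack.
    static final class InternalEncoder {
        static String encode(String url, String sessionId) {
            return url + ";jsessionid=" + sessionId;
        }
    }

    private final String sessionId;

    ContainerResponse(String sessionId) {
        this.sessionId = sessionId;
    }

    // "Before": the permission check walks the whole call stack, so when a JSP
    // (webapp protection domain) calls this, the JSP's grant is consulted too
    // and the result is the AccessControlException Gernot reports:
    // access denied (java.lang.RuntimePermission accessClassInPackage....)
    public String encodeURLUnprivileged(String url) {
        return InternalEncoder.encode(url, sessionId);
    }

    // "After": doPrivileged stops the stack walk at this frame, so only the
    // container's protection domain (catalina.jar) is checked. The privileged
    // region is kept as small as possible and treats the caller-supplied url
    // as untrusted input: it is only concatenated, never used to select a
    // class, file or host inside the privileged block.
    public String encodeURL(final String url) {
        if (System.getSecurityManager() == null) {
            return InternalEncoder.encode(url, sessionId);
        }
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return InternalEncoder.encode(url, sessionId);
            }
        });
    }

    public static void main(String[] args) {
        // Constructed input for a stand-alone run; without a security manager
        // both paths behave identically, the difference only shows under
        // -Djava.security.manager with a restrictive policy for the caller.
        ContainerResponse resp = new ContainerResponse("ABC123");
        System.out.println(resp.encodeURL("http://jakarta.apache.org"));
    }
}
```

Two caveats a practitioner would want. First, a privileged block should wrap only the operation that actually triggers a permission check; wrapping plain array writes, as in the status-line snippet Remy quotes, adds no protection and merely adds one more anonymous class that SecurityClassLoad has to preload. Second, because doPrivileged makes the container's grant the only one consulted, the container method becomes the trust boundary and must validate whatever the webapp passes in. Note also that the Java SecurityManager this whole mechanism depends on has been deprecated for removal since Java 17 (JEP 411) and can no longer be enabled at all as of Java 24 (JEP 486), so the example runs as described only on older JDKs.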


DO NOT REPLY [Bug 34805] New: - warn about invalid security contraint url patterns

2005-05-08 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34805

   Summary: warn about invalid security contraint url patterns
   Product: Tomcat 5
   Version: Nightly Build
  Platform: Other
OS/Version: All
Status: NEW
  Severity: enhancement
  Priority: P2
 Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]


since that is by far not anything like regular expressions or anything known
e.g. from ant's build.xml




DO NOT REPLY [Bug 34805] - warn about invalid security contraint url patterns

2005-05-08 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34805





--- Additional Comments From [EMAIL PROTECTED]  2005-05-08 20:30 ---
Created an attachment (id=14967)
 -- (http://issues.apache.org/bugzilla/attachment.cgi?id=14967action=view)
RealmBase.java.patch

for example /login.do will not be matched by 
  <url-pattern>/login*</url-pattern>
as per section 11.2 of the Servlet API
Specification
(http://java.sun.com/aboutJava/communityprocess/first/jsr053/servlet23_PFD.pdf)
see also http://java.sun.com/dtd/web-app_2_3.dtd




DO NOT REPLY [Bug 34805] - warn about invalid security contraint url patterns

2005-05-08 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34805





--- Additional Comments From [EMAIL PROTECTED]  2005-05-09 01:46 ---
I'm -1 to the patch, as is.  A <url-pattern>/login*</url-pattern> is a 
perfectly valid (if somewhat strange :) exact-match pattern, so Tomcat can't 
fault it.

I'm +1 to adding a log.warn to SecurityCollection.addPattern for questionable 
patterns like this, since it could only reduce the questions on tomcat-user.



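To make the exact-match versus wildcard distinction in this bug concrete, here is an added example (not Tomcat's SecurityCollection code; the class and method names are hypothetical) that classifies url-pattern strings the way Servlet 2.3 section 11.2 does, matches request paths against them, and produces the kind of deployment-time warning the comment above proposes for a pattern such as "/login*".

```java
// Added example, not Tomcat's SecurityCollection.addPattern: classifies
// <url-pattern> strings per Servlet 2.3 section 11.2, matches request paths
// against them, and returns the warning text a container could log when a
// pattern parses as an exact match but looks like it was meant as a wildcard.
// Class and method names are hypothetical.
public final class UrlPatternCheck {

    enum Kind { PATH_PREFIX, EXTENSION, DEFAULT, EXACT }

    // Section 11.2: "/.../*" is a path mapping, "*.ext" an extension mapping,
    // "/" the default servlet, and every other string is an exact match in
    // which '*' has no special meaning.
    static Kind classify(String pattern) {
        if (pattern.startsWith("/") && pattern.endsWith("/*")) return Kind.PATH_PREFIX;
        if (pattern.startsWith("*.")) return Kind.EXTENSION;
        if (pattern.equals("/")) return Kind.DEFAULT;
        return Kind.EXACT;
    }

    static boolean matches(String pattern, String path) {
        switch (classify(pattern)) {
            case PATH_PREFIX: {
                String prefix = pattern.substring(0, pattern.length() - 2); // drop "/*"
                return path.equals(prefix) || path.startsWith(prefix + "/");
            }
            case EXTENSION:
                return path.endsWith(pattern.substring(1)); // keep ".ext"
            case DEFAULT:
                return true;
            default:
                return path.equals(pattern); // '*' is a literal character here
        }
    }

    // Returns null when the pattern raises no concern, otherwise the warning a
    // container could log at deployment time. The pattern is still accepted,
    // because the specification says it is valid.
    static String questionable(String pattern) {
        if (classify(pattern) == Kind.EXACT && pattern.indexOf('*') >= 0) {
            return "Security constraint url-pattern '" + pattern
                + "' is an exact-match pattern: '*' is only a wildcard in"
                + " '/path/*' and '*.ext' patterns, so a request such as '"
                + pattern.replace("*", "") + ".do' is not covered by it.";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: the pattern from Bug 34805 and the request it
        // silently fails to protect, next to the path mapping that does.
        System.out.println(classify("/login*"));
        System.out.println(matches("/login*", "/login.do"));
        System.out.println(matches("/login/*", "/login/do"));
        System.out.println(matches("*.do", "/login.do"));
        System.out.println(questionable("/login*"));
        System.out.println(questionable("/login/*"));
    }
}
```

The defensive point is the one Bill makes: a constraint that never matches fails open, because the resource it was meant to cover simply stays unprotected with no error at runtime, so the only place to catch it is at deployment time, and a warning rather than a rejection keeps the container spec-compliant.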


DO NOT REPLY [Bug 34396] New: - security exception using datasource in servlet-instance.init()

2005-04-11 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34396

   Summary: security exception using datasource in servlet-
instance.init()
   Product: Tomcat 5
   Version: 5.5.7
  Platform: All
OS/Version: Windows XP
Status: NEW
  Severity: minor
  Priority: P3
 Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]



Startup Java Option added:
-Djava.security.manager
-Djava.security.policy=TOMCAT_HOME/conf/catalina.policy



java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.tomcat.dbcp.collections)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
        at java.security.AccessController.checkPermission(AccessController.java:427)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
        at org.apache.tomcat.dbcp.pool.impl.GenericObjectPool.init(GenericObjectPool.java:392)
        at org.apache.tomcat.dbcp.pool.impl.GenericObjectPool.init(GenericObjectPool.java:258)
        at org.apache.tomcat.dbcp.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:795)
        at org.apache.tomcat.dbcp.dbcp.BasicDataSource.getConnection(BasicDataSource.java:540)
        at it.rgi.webapp.dbms.jdbc.DataSourcePool.get(DataSourcePool.java:123)
        at it.rgi.webapp.dbms.jdbc.JdbcConnettoreRetry.acquisisciConnessione(JdbcConnettoreRetry.java:901)
        at it.rgi.webapp.dbms.jdbc.JdbcConnettoreRetry.getDatabaseInfo(JdbcConnettoreRetry.java:754)
        at it.rgi.webapp.dbms.jdbc.JdbcConnettoreRetry.getDatabaseInfo(JdbcConnettoreRetry.java:752)
        at it.rgi.webapp.admin.StartUpProcess.database(StartUpProcess.java:534)
        at it.rgi.webapp.admin.StartUpProcess.execStartUpProcess(StartUpProcess.java:399)
        at it.rgi.webapp.admin.StartUpProcess.startup(StartUpProcess.java:282)
        at it.rgi.webapp.admin.StartUpProcess.startup(StartUpProcess.java:254)
        at it.rgi.webapp.admin.ServletAdmin.single_init(ServletAdmin.java:88)
        at it.rgi.webapp.admin.ServletAdmin.init(ServletAdmin.java:80)
        at javax.servlet.GenericServlet.init(GenericServlet.java:211)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:243)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:275)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:161)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:114)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1062)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:900)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3823)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4087)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:121)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:737)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:590)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470

DO NOT REPLY [Bug 34396] - security exception using datasource in servlet-instance.init()

2005-04-11 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34396





--- Additional Comments From [EMAIL PROTECTED]  2005-04-11 11:19 ---
Created an attachment (id=14677)
 -- (http://issues.apache.org/bugzilla/attachment.cgi?id=14677action=view)
catalina.policy





DO NOT REPLY [Bug 34396] - security exception using datasource in servlet-instance.init()

2005-04-11 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34396





--- Additional Comments From [EMAIL PROTECTED]  2005-04-11 11:21 ---
(From update of attachment 14677)
// 
// catalina.corepolicy - Security Policy Permissions for Tomcat 5
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option.  In addition
// to the permissions granted here, the following additional permissions are
// granted to the codebase specific to each web application:
//
// * Read access to the document root directory
//
// $Id: catalina.policy,v 1.12 2004/09/15 18:57:41 jfarcand Exp $
// 


// == SYSTEM CODE PERMISSIONS =


// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};


// == CATALINA CODE PERMISSIONS ===


// These permissions apply to the launcher code
grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the commons-logging API
grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the JMX server
grant codeBase "file:${catalina.home}/bin/jmx.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the common directory
grant codeBase "file:${catalina.home}/common/-" {
        permission java.security.AllPermission;
};

// These permissions apply to the container's core code, plus any additional
// libraries installed in the server directory
grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
};

// The permissions granted to the balancer WEB-INF/classes directory
grant codeBase "file:${catalina.home}/webapps/balancer/WEB-INF/classes/-" {
        permission java.lang.RuntimePermission
         "accessClassInPackage.org.apache.tomcat.util.digester";
        permission java.lang.RuntimePermission
         "accessClassInPackage.org.apache.tomcat.util.digester.*";
};
// == WEB APPLICATION PERMISSIONS =


// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant { 
        // Required for JNDI lookup of named JDBC DataSource's and
        // javamail named MimePart DataSource used to send mail
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "java.naming.*", "read";
        permission java.util.PropertyPermission "javax.sql.*", "read";

        // OS Specific properties to allow read access
        permission java.util.PropertyPermission "os.name", "read";
        permission java.util.PropertyPermission "os.version", "read";
        permission java.util.PropertyPermission "os.arch", "read";
        permission java.util.PropertyPermission "file.separator", "read";
        permission java.util.PropertyPermission "path.separator", "read";
        permission java.util.PropertyPermission "line.separator", "read";

        // JVM properties to allow read access
        permission java.util.PropertyPermission "java.version", "read";
        permission java.util.PropertyPermission "java.vendor", "read";
        permission java.util.PropertyPermission "java.vendor.url", "read";
        permission java.util.PropertyPermission "java.class.version", "read";
        permission java.util.PropertyPermission "java.specification.version", "read";
        permission

DO NOT REPLY [Bug 34396] - security exception using datasource in servlet-instance.init()

2005-04-11 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=34396





--- Additional Comments From [EMAIL PROTECTED]  2005-04-11 11:25 ---
Created an attachment (id=14678)
 -- (http://issues.apache.org/bugzilla/attachment.cgi?id=14678&action=view)
catalina.policy

catalina.policy (correct version)
line 195 must be:
// permission java.security.AllPermission;


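The two attachments above differ only in whether the AllPermission line inside the unqualified `grant {` block (the "line 195" fix) is commented out; with it live, every web application runs with full privileges and the -security sandbox is moot. The following policy check is an added example, not code from the bug report or from Tomcat: it parses grant blocks the way the policy syntax above is laid out and flags a live java.security.AllPermission in the unqualified grant or in any grant scoped under /webapps/. The policy excerpts in it are constructed.

```python
"""Lint a catalina.policy for the Bug 34396 mistake: a live
java.security.AllPermission inside the unqualified `grant { ... }` block,
which gives every web application full privileges and makes -security moot."""
import re

ALL_PERMISSION = "java.security.AllPermission"

# Constructed excerpt in the style of catalina.policy (not the attached file):
# the web-application block ends with a live AllPermission line.
WEAK_POLICY = """\
// These permissions apply to the container's core code
grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
};

// These permissions are granted by default to all web applications
grant {
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "java.naming.*", "read";
        permission java.security.AllPermission;
};
"""

# Same excerpt with the "line 195" fix applied: the line is commented out.
FIXED_POLICY = WEAK_POLICY.replace(
    'read";\n        permission java.security.AllPermission;',
    'read";\n        // permission java.security.AllPermission;')

# A grant header runs from `grant` to the first `{` outside a string literal
# (codeBase values such as "file:${catalina.home}/server/-" contain braces).
GRANT_RE = re.compile(
    r'\bgrant\b(?P<head>(?:[^{"]|"[^"]*")*)\{(?P<body>(?:[^}"]|"[^"]*")*)\}',
    re.S)
PERM_RE = re.compile(
    r'\bpermission\s+(?P<cls>[\w.$]+)'
    r'(?:\s+"(?P<target>[^"]*)")?(?:\s*,\s*"(?P<actions>[^"]*)")?\s*;')


def strip_comments(text):
    """Drop // and /* */ comments, but never inside "..." (a codeBase URL may
    contain //). Newlines are kept so the line layout is preserved."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                      # copy a whole string literal
            j = text.find('"', i + 1)
            j = n if j < 0 else j + 1
            out.append(text[i:j])
            i = j
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j         # keep the newline itself
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_grants(text):
    """Return [(scope, [(class, target, actions), ...]), ...]. scope is the
    normalised text between `grant` and `{`; "" means the unqualified block
    that applies to every codebase, web applications included."""
    grants = []
    for g in GRANT_RE.finditer(strip_comments(text)):
        scope = " ".join(g.group("head").split())
        perms = [(p.group("cls"), p.group("target"), p.group("actions"))
                 for p in PERM_RE.finditer(g.group("body"))]
        grants.append((scope, perms))
    return grants


def lint_policy(text):
    """Flag AllPermission wherever untrusted code would receive it: the
    unqualified grant, or a grant scoped to something under /webapps/."""
    findings = []
    for scope, perms in parse_grants(text):
        untrusted = scope == "" or "/webapps/" in scope
        if untrusted and any(cls == ALL_PERMISSION for cls, _t, _a in perms):
            findings.append((scope or "<every codebase>", ALL_PERMISSION))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_policy(policy) or "clean")
```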



DO NOT REPLY [Bug 33633] - Tomcat 5.5.6 does not run with security on

2005-03-10 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33633


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution||WORKSFORME




--- Additional Comments From [EMAIL PROTECTED]  2005-03-11 04:06 ---
My attempt WAS with JDK 5.0.




DO NOT REPLY [Bug 33911] New: - Request for security role mapping (role-to-group/user)

2005-03-08 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33911

   Summary: Request for security role mapping (role-to-group/user)
   Product: Tomcat 5
   Version: Unknown
  Platform: All
OS/Version: All
Status: NEW
  Severity: enhancement
  Priority: P2
 Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]


It would be nice if Tomcat had a way to map J2EE security-role's to one or
more groups, users, etc.  This is a feature offered by many app servers like
WebLogic,  Oracle 9iAS and SunONE.  

This would make it easier for  several apps with unique roles to share the same
set of groups.




DO NOT REPLY [Bug 33633] - Tomcat 5.5.6 does not run with security on

2005-03-05 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33633


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|INVALID |




--- Additional Comments From [EMAIL PROTECTED]  2005-03-05 16:02 ---
I forgot to mention that this happens with JDK 1.5.0_01, could you try with 
that jdk? Thanks




DO NOT REPLY [Bug 33633] - Tomcat 5.5.6 does not run with security on

2005-03-04 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33633


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||INVALID




--- Additional Comments From [EMAIL PROTECTED]  2005-03-04 13:11 ---
Also works OK for me with the default policy.




[SECURITY ISSUE] Using allowLinking with deprecated HTTP 1.1 connector

2005-02-21 Thread Mark Thomas
All,
A security issue has come to light where a malformed request may result 
in JSP source code disclosure.

This issue only applies if all of the following are true:
1. You are using any Tomcat 4 version = 4.1.15
2. You are using the deprecated HTTP 1.1 connector 
(org.apache.catalina.connector.http.HttpConnector)
3. You have configured 1 or more contexts served by the connector with a 
resources element that uses the allowLinking parameter and this 
parameter is set to true.

The fix is to use the Coyote HTTP connector 
(org.apache.coyote.tomcat4.CoyoteConnector).

The on-line Tomcat 4 docs have been updated to include a warning about 
this configuration combination. The next Tomcat 4 release will include 
the updated documentation.

If you are using Tomcat 4 with the standard Coyote HTTP connector this 
issue does not apply.

Tomcat 5.0.x and 5.5.x are unaffected by this issue.
Thanks are due to Glenn Choat who reported this issue to the Tomcat team 
last week.

As a reminder, if you have a verified security bug to report please do 
not post it to email lists or submit a bug report. Security bugs should 
be reported privately by email to [EMAIL PROTECTED]

Regards,
Mark
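A defender's check for the three conditions listed in the advisory, added here as an example and not part of the advisory or of Tomcat: it parses a server.xml (element and attribute names as in Tomcat 4; the values are constructed) and reports each Service that uses the deprecated HttpConnector and serves a Context whose Resources element sets allowLinking to true, then shows the same file reporting clean once the Coyote connector is substituted.

```python
"""Audit a Tomcat 4 server.xml for the combination the advisory describes:
the deprecated HTTP 1.1 connector serving a Context whose Resources element
sets allowLinking="true"."""
import xml.etree.ElementTree as ET

DEPRECATED_CONNECTOR = "org.apache.catalina.connector.http.HttpConnector"
COYOTE_CONNECTOR = "org.apache.coyote.tomcat4.CoyoteConnector"

# Constructed server.xml fragment (names as in Tomcat 4, values made up):
# one Service on the old connector, one linked and one plain context.
VULNERABLE_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8080" minProcessors="5" maxProcessors="75"/>
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/linked" docBase="linked">
          <Resources className="org.apache.naming.resources.FileDirContext"
                     allowLinking="true"/>
        </Context>
        <Context path="/plain" docBase="plain">
          <Resources allowLinking="false"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# The advisory's fix: the same layout served by the Coyote connector.
FIXED_XML = VULNERABLE_XML.replace(DEPRECATED_CONNECTOR, COYOTE_CONNECTOR)


def contexts_with_linking(service):
    """Paths of Contexts under this Service whose Resources allow linking."""
    paths = []
    for ctx in service.iter("Context"):
        for res in ctx.findall("Resources"):
            if res.get("allowLinking", "false").strip().lower() == "true":
                paths.append(ctx.get("path", ""))
    return paths


def audit_server_xml(xml_text):
    """Return [(service name, [context paths])] for every Service that both
    uses the deprecated connector and serves an allowLinking context."""
    root = ET.fromstring(xml_text)
    findings = []
    for service in root.iter("Service"):
        classes = {c.get("className", "") for c in service.findall("Connector")}
        if DEPRECATED_CONNECTOR not in classes:
            continue          # Coyote (or any other) connector: not affected
        linked = contexts_with_linking(service)
        if linked:
            findings.append((service.get("name", ""), linked))
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit_server_xml(VULNERABLE_XML))
    print("fixed:     ", audit_server_xml(FIXED_XML) or "clean")
```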


DO NOT REPLY [Bug 33633] New: - Tomcat 5.5.6 does not run with security on

2005-02-18 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33633

   Summary: Tomcat 5.5.6 does not run with security on
   Product: Tomcat 5
   Version: 5.5.6
  Platform: PC
OS/Version: Windows 2000
Status: NEW
  Severity: critical
  Priority: P2
 Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]


I try to run the Tomcat startup script with security on right after I install 
Tomcat, i.e., the command:
 startup.bat -security

I get the following exceptions; the same problem occurs with Tomcat 5.5.7 (the exception 
below is from 5.5.7):

Feb 18, 2005 8:31:07 AM org.apache.catalina.core.ApplicationContext log
SEVERE: Exception starting filter BalancerFilter
javax.servlet.ServletException: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.tomcat.util.digester)
        at org.apache.webapp.balancer.BalancerFilter.init(BalancerFilter.java:84)
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:225)
        at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:308)
        at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:79)
        at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3508)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4079)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:121)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:737)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:909)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:872)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:474)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1106)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1019)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1011)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:440)
        at org.apache.catalina.core.StandardService.start(StandardService.java:450)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:683)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
Feb 18, 2005 8:31:07 AM org.apache.catalina.core.StandardContext start
SEVERE: Error filterStart
Feb 18, 2005 8:31:07 AM org.apache.catalina.core.StandardContext start
SEVERE: Context startup failed due to previous errors
Feb 18, 2005 8:31:10 AM org.apache.catalina.core.ApplicationContext log
INFO: Marking servlet Controller as unavailable




DO NOT REPLY [Bug 33633] - Tomcat 5.5.6 does not run with security on

2005-02-18 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33633


[EMAIL PROTECTED] changed:

   What|Removed |Added

   Severity|critical|minor
Version|5.5.6   |5.5.7




--- Additional Comments From [EMAIL PROTECTED]  2005-02-18 14:45 ---
I don't know about the problem (and I don't really care), but if the accessory
balancer webapp doesn't work, why not simply remove it? Besides, the rest of
the server will work ok anyway, so try to file more accurate bug reports.

Note: this works ok for me with the default policy provided in Tomcat, so I
believe the cause of the problem is the policy file you are using.




DO NOT REPLY [Bug 33226] - TTL DNS cache security setting in java.net.InetAddress is not honored when set within Servlet on Sun 1.4.2 VM on linux, but is honored in stand-alone java app

2005-01-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33226





--- Additional Comments From [EMAIL PROTECTED]  2005-01-25 09:03 ---
There is no replacement of any component of the Java network stack in Tomcat.
If you want to see this resolved, you'll have to look into it (otherwise, the
bug will be resolved as WONTFIX).




DO NOT REPLY [Bug 33226] - TTL DNS cache security setting in java.net.InetAddress is not honored when set within Servlet on Sun 1.4.2 VM on linux, but is honored in stand-alone java app

2005-01-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33226





--- Additional Comments From [EMAIL PROTECTED]  2005-01-25 12:45 ---
Try setting networkaddress.cache.ttl on startup via JAVA_OPTS. 

export JAVA_OPTS=-Dnetworkaddress.cache.ttl=0






DO NOT REPLY [Bug 33226] - TTL DNS cache security setting in java.net.InetAddress is not honored when set within Servlet on Sun 1.4.2 VM on linux, but is honored in stand-alone java app

2005-01-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33226


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |ASSIGNED




--- Additional Comments From [EMAIL PROTECTED]  2005-01-25 18:04 ---
(In reply to comment #3)
> There is no replacement of any component of the Java network stack in Tomcat.
> If you want to see this resolved, you'll have to look into it (otherwise, the
> bug will be resolved as WONTFIX).

Thanks for the info!  I'll look into it. =)




DO NOT REPLY [Bug 33226] - TTL DNS cache security setting in java.net.InetAddress is not honored when set within Servlet on Sun 1.4.2 VM on linux, but is honored in stand-alone java app

2005-01-25 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33226


[EMAIL PROTECTED] changed:

   What|Removed |Added

 AssignedTo|tomcat- |[EMAIL PROTECTED]
   |[EMAIL PROTECTED]  |
 Status|ASSIGNED|NEW




--- Additional Comments From [EMAIL PROTECTED]  2005-01-25 18:10 ---
(In reply to comment #4)
> Try setting networkaddress.cache.ttl on startup via JAVA_OPTS. 
> 
> export JAVA_OPTS=-Dnetworkaddress.cache.ttl=0

I tried this, but it also doesn't work.  I think it has something to do with the
interaction of tomcat's several Class loaders and (java.security.Security)'s
reloading of dns provider properties cache.  Thanks!  I'm looking at jvm source
code and also tomcat's source.  Any input would be appreciated, since this is a
new code base for me.




DO NOT REPLY [Bug 33226] New: - TTL DNS cache security setting in java.net.InetAddress is not honored when set within Servlet on Sun 1.4.2 VM on linux, but is honored in stand-alone java app

2005-01-24 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33226

   Summary: TTL DNS cache security setting in java.net.InetAddress
is not honored when set within Servlet on Sun 1.4.2 VM
on linux, but is honored in stand-alone java app
   Product: Tomcat 4
   Version: 4.1.18
  Platform: PC
OS/Version: Linux
Status: NEW
  Severity: normal
  Priority: P2
 Component: Unknown
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]


1.  From within a stand-alone JDK 1.4.2 app (like in static void main(String[]
arg)), do a:
java.security.Security.setProperty( "networkaddress.cache.ttl", "0" );

This successfully changes the TTL DNS cache setting, because 
java.security.Security.getProperty( "networkaddress.cache.ttl" );
returns 0.

Now, 
System.out.println( java.net.InetAddress.getByName( "earthlink.net" ) ) 
will result in a particular IP resolution like:
earthlink.net/207.217.121.217

However, earthlink.net, for example, has multiple IP addresses that it 
round-robins through.  This can be seen from printing out the InetAddress[] 
returned from:
java.net.InetAddress.getAllByName( "earthlink.net" );

Now, subsequent java.net.InetAddress.getByName( "earthlink.net" ) calls  
will show IP addresses cycled in a round-robin manner.

This all works as expected according to:
http://java.sun.com/j2se/1.4.2/docs/api/java/net/InetAddress.html


2.  Now, do essentially the same thing in a servlet deployed on Tomcat 4.1.18:

In a browser hit this url to execute the servlet code below:
http://myHost/servletPath?host=earthlink.net

import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestDnsServlet extends HttpServlet
{
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        // Disable the positive DNS lookup cache for the rest of the JVM's life
        Security.setProperty( "networkaddress.cache.ttl", "0" );

        try
        {
            PrintWriter out = response.getWriter();
            String hostname = request.getParameter( "host" );

            out.println("<html><body>\n");

            out.println("networkaddress.cache.ttl = " +
                Security.getProperty("networkaddress.cache.ttl") + "<br>\n");

            // Every address the resolver knows for the host
            InetAddress[] IP = InetAddress.getAllByName( hostname );
            out.println( hostname + ":<BR>\n" );
            for (int j=0; j<IP.length; j++)
            {
                out.println("" + IP[j] + "<BR>\n");
            }

            out.println();
            // Repeated single lookups: with caching off these should rotate
            for (int j=0; j<20; j++)
            {
                out.println( "IP lookup: " + InetAddress.getByName( hostname
                    ) + "<BR>\n" );
            }

            out.println("</body></html>\n");
        }
        catch (UnknownHostException e)
        {
            System.err.println( "  unknown host " );
        }
        catch (IOException e)
        {
            e.printStackTrace();
        }
    }
}


RESULTS of (2):
The multiple InetAddress.getByName() calls in the above for-loop all return
the first IP returned from InetAddress.getAllByName() as though it is cached,
even though the networkaddress.cache.ttl setting is clearly changed to 0.
This makes it seem like Tomcat is somehow intercepting the call and
providing its own implementation??  Perhaps the pluggable DNS Providers made
available by JDK 1.4.2 are being used?


EXPECTATION:
(2) should work the same as (1).




DO NOT REPLY [Bug 33226] - TTL DNS cache security setting in java.net.InetAddress is not honored when set within Servlet on Sun 1.4.2 VM on linux, but is honored in stand-alone java app

2005-01-24 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33226





--- Additional Comments From [EMAIL PROTECTED]  2005-01-25 00:16 ---
Filing bugs against Tomcat 4.x is mostly a waste of time at the moment.  Is 
the behavior the same for 5.5.7?




DO NOT REPLY [Bug 33226] - TTL DNS cache security setting in java.net.InetAddress is not honored when set within Servlet on Sun 1.4.2 VM on linux, but is honored in stand-alone java app

2005-01-24 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33226





--- Additional Comments From [EMAIL PROTECTED]  2005-01-25 02:24 ---
(In reply to comment #1)
> Filing bugs against Tomcat 4.x is mostly a waste of time at the moment.  Is 
> the behavior the same for 5.5.7?

5.5.7 alpha exhibits the same behavior.
Just curious, why is filing bugs against Tomcat 4.x a waste of time right now?





DO NOT REPLY [Bug 33138] - starting tomcat (catalina) with -security not possible

2005-01-18 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33138


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||INVALID




--- Additional Comments From [EMAIL PROTECTED]  2005-01-18 17:05 ---
OK, I took a closer look at what you are trying to do, and you can't set the
Security Manager the way you are doing it, since Tomcat already configures a
security manager and the VM doesn't allow this operation. Once the security
manager is set, you can't change it.

Also, if you turn security on, the following will never be invoked:

  if (System.getSecurityManager() == null) 
     System.setSecurityManager(new RMISecurityManager());

If you want to achieve what you want, you will need to change the current
codebase and replace the current security manager. I will see if we can make the
SecurityManager pluggable easily for Tomcat.next. 





DO NOT REPLY [Bug 33138] New: - starting tomcat (catalina) with -security not possible

2005-01-17 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33138

   Summary: starting tomcat (catalina) with -security not possible
   Product: Tomcat 5
   Version: 5.5.4
  Platform: PC
OS/Version: Linux
Status: NEW
  Severity: major
  Priority: P2
 Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]


Problem to solve:
=
We want to set/use RMIClassLoader to make stub classes from the application server
available to JSP; so before the JNDI lookup we call
  if (System.getSecurityManager() == null) 
     System.setSecurityManager(new RMISecurityManager());
To allow this, the application must be started with a security manager;
therefore we want to call catalina.sh start -security
(which does not perform correctly) 

Environment:

[EMAIL PROTECTED]:/opt/jakarta tomcat/bin/catalina.sh version
Using CATALINA_BASE:   /opt/jakarta/tomcat
Using CATALINA_HOME:   /opt/jakarta/tomcat
Using CATALINA_TMPDIR: /opt/jakarta/tomcat/temp
Using JAVA_HOME:   /usr/java/jdk1.5.0_01
Server version: Apache Tomcat/5.5.4
Server built:   Oct 29 2004 03:09:54
Server number:  5.5.4.0
OS Name:Linux
OS Version: 2.6.8-24-default
Architecture:   i386
JVM Version:1.5.0_01-b08
JVM Vendor: Sun Microsystems Inc.

starting tomcat without security: OK

[EMAIL PROTECTED]:/opt/jakarta/jakarta-tomcat-5.5.4 bin/catalina.sh start
Using CATALINA_BASE:   /opt/jakarta/jakarta-tomcat-5.5.4
Using CATALINA_HOME:   /opt/jakarta/jakarta-tomcat-5.5.4
Using CATALINA_TMPDIR: /opt/jakarta/jakarta-tomcat-5.5.4/temp
Using JAVA_HOME:   /usr/java/jdk1.5.0_01

catalina.log contains:
17.01.2005 17:12:56 org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
17.01.2005 17:12:56 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2899 ms
17.01.2005 17:12:56 org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
17.01.2005 17:12:56 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.4
17.01.2005 17:12:56 org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
17.01.2005 17:12:58 org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
17.01.2005 17:12:58 org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
17.01.2005 17:12:58 org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
17.01.2005 17:12:58 org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
17.01.2005 17:12:59 org.apache.catalina.core.ApplicationContext log
INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain:
[org.apache.webapp.balancer.RuleChain:
[org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News /
Redirect URL: http://www.cnn.com],
[org.apache.webapp.balancer.rules.RequestParameterRule: Target param name:
paramName / Target param value: paramValue / Redirect URL:
http://www.yahoo.com], [org.apache.webapp.balancer.rules.AcceptEverythingRule:
Redirect URL: http://jakarta.apache.org]]
17.01.2005 17:12:59 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
17.01.2005 17:13:00 org.apache.jk.common.ChannelSocket init
INFO: JK2: ajp13 listening on /0.0.0.0:8009
17.01.2005 17:13:00 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/55  config=null
17.01.2005 17:13:00 org.apache.catalina.startup.Catalina start
INFO: Server startup in 3857 ms

starting tomcat with security: multiple errors
=
[EMAIL PROTECTED]:/opt/jakarta/jakarta-tomcat-5.5.4 bin/catalina.sh start 
-security
Using CATALINA_BASE:   /opt/jakarta/jakarta-tomcat-5.5.4
Using CATALINA_HOME:   /opt/jakarta/jakarta-tomcat-5.5.4
Using CATALINA_TMPDIR: /opt/jakarta/jakarta-tomcat-5.5.4/temp
Using JAVA_HOME:   /usr/java/jdk1.5.0_01
Using Security Manager


catalina.log contains:
[EMAIL PROTECTED]:/opt/jakarta/tomcat cat logs/catalina.out
17.01.2005 17:15:20 org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
17.01.2005 17:15:20 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3244 ms
17.01.2005 17:15:21 org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
17.01.2005 17:15:21 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.4
17.01.2005 17:15:21 org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
17.01.2005 17:15:22

DO NOT REPLY [Bug 33138] - starting tomcat (catalina) with -security not possible

2005-01-17 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=33138





--- Additional Comments From [EMAIL PROTECTED]  2005-01-17 17:39 ---
As a workaround for now, you can edit file:

${catalina.home}/conf/catalina.properties and make the following properties 
empty

package.access=
package.definition=

Some doPrivileged code is missing in the current TC 5.5.x

-- Jeanfrancois


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

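The workaround above trades the Security Manager's package restrictions for a working start-up. An added example, not from the bug thread or from Tomcat, that audits a catalina.properties for exactly that change: Tomcat hands the package.access and package.definition keys to the JDK as the security properties of the same names, so a blank value means sandboxed web application code is no longer refused access to, or definition of classes in, sun.*, org.apache.catalina.* and the other listed packages. The reader below follows the java.util.Properties rules that matter here ('#' or '!' comments, '=' or ':' separators, a trailing backslash continuing a line, last definition of a key wins); the two sample files are constructed and only resemble the shipped defaults, and the requirement that org.apache.catalina. stay listed is this example's own assumption.

```python
"""Audit catalina.properties for blanked package.access / package.definition.

Added example, not Tomcat code.  Sample inputs are constructed.
"""
import re

RESTRICTION_KEYS = ("package.access", "package.definition")

# Constructed sample resembling the shipped file, with the bug 33138
# workaround appended: the later definitions win, so both end up empty.
WORKAROUND = """\
# catalina.properties (constructed sample)
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.

# bug 33138 workaround
package.access=
package.definition=
"""

# Constructed sample with the restrictions intact, one of them line-continued.
RESTRICTED = """\
package.access=sun.,org.apache.catalina.,\\
               org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
package.definition : sun.,java.,org.apache.catalina.,org.apache.coyote.
"""

# key, optional '=' or ':' separator (or just whitespace), value
_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal java.util.Properties reader: returns {key: value}."""
    props = {}
    pending = ""
    continuing = False
    for raw in text.splitlines():
        # leading whitespace of a continuation line is dropped, as in Java
        line = raw.lstrip() if continuing else raw
        if line.endswith("\\"):
            pending += line[:-1]
            continuing = True
            continue
        logical = (pending + line).strip()
        pending, continuing = "", False
        if not logical or logical[0] in "#!":
            continue
        match = _KV.match(logical)
        if match is None:
            continue
        key, value = match.groups()
        props[key] = value.strip()      # last definition wins
    return props


def check_package_restrictions(props):
    """Return a list of findings; an empty list means both restrictions hold."""
    findings = []
    for key in RESTRICTION_KEYS:
        entries = [e.strip() for e in props.get(key, "").split(",") if e.strip()]
        if not entries:
            findings.append("%s is empty or missing: package restriction disabled" % key)
        elif "org.apache.catalina." not in entries:
            # assumption: the container's own packages must stay listed
            findings.append("%s does not list org.apache.catalina." % key)
    return findings


def audit(text):
    """Parse a catalina.properties body and return its findings."""
    return check_package_restrictions(parse_properties(text))


if __name__ == "__main__":
    for name, body in (("workaround", WORKAROUND), ("restricted", RESTRICTED)):
        findings = audit(body)
        print("%s: %s" % (name, "OK" if not findings else "; ".join(findings)))
```

Run it against the real file with `audit(open("/opt/jakarta/tomcat/conf/catalina.properties").read())`; anything it reports means the server is running under a Security Manager that no longer fences off the container's internals from web applications.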



DO NOT REPLY [Bug 28857] - SSLServerSocketFactory needs earlier security provider setup

2005-01-15 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28857


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||WONTFIX




--- Additional Comments From [EMAIL PROTECTED]  2005-01-15 14:47 ---
This class is part of the deprecated HTTP/1.1 connectors. Therefore, this patch
will not be applied.




Re: IP security constraint

2004-12-03 Thread Tim Funk
No, this breaks the spec. There are many other simple alternatives. Please 
follow up to the tomcat-user list for more information.

-Tim
Svante Olofsson wrote:
Hi!
First off, I think Tomcat is a great product. Thanks! 

Secondly, do you have any plans on adding something like to web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>My Webapp</web-resource-name>
        <url-pattern>cust1.html</url-pattern>
    </web-resource-collection>
    <ip-constraint>
        <allow>192.168.1.13-192.168.1.55,192.168.10.</allow>
    </ip-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>My Webapp</web-resource-name>
        <url-pattern>cust2.html</url-pattern>
    </web-resource-collection>
    <ip-constraint>
        <deny>192.168.</deny>
    </ip-constraint>
</security-constraint>
I have looked at the documentation and web, but could not find any other
information than a commercial package from Cafesoft. I think this kind of
access control would be very useful since webapps can have static pages that
should be denied for everyone but a certain ip-range. Example: Customer 1
has access to a service with a certain look-and-feel and some customer
specific mods. The name of the page that Customer 1 uses to access the
webapp is cust1.html and that passes on some parameters. Customer 2 uses the
same webapp but has a different look-and-feel and accesses the SAME webapp
through cust2.html. Now it would be nice to limit access to cust1.html and
cust2.html so that only the respective customer ip-ranges could access them.
I can do this by installing apache and hooking up Tomcat to it, but I would
like to use a standalone solution. The Valve functionality is good but it is
only on webapp level.
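As an added illustration, not Tomcat code and not part of either message above: the allow/deny semantics of the proposed ip-constraint element, written out as a small reference evaluator so the rules can be checked against sample addresses before they go into whatever actually enforces them in a standalone Tomcat (a Filter mapped to the same url-patterns, or Tomcat's RemoteAddrValve, which matches the address string against regular expressions). Rule layout, function names and sample requests are this example's own. Prefixes such as 192.168.10. are widened to the network they name and compared with the ipaddress module, so a prefix written without its trailing dot cannot also match 192.168.100.x the way string prefix matching would.

```python
"""Reference evaluator for the proposed <ip-constraint> allow/deny rules.

Added example, not from the thread or from Tomcat.  Rules and requests are
constructed to mirror the two proposed <security-constraint> elements.
"""
import ipaddress


def parse_ip_spec(spec):
    """Turn '192.168.1.13-192.168.1.55,192.168.10.' into [(low, high)] pairs.

    Three item forms are accepted, as in the proposal: a single address, an
    inclusive 'low-high' range, and a dotted prefix ending in '.', which is
    widened to the /8, /16 or /24 network it names.
    """
    items = []
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        if "-" in part:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in part.split("-", 1))
            if hi < lo:
                raise ValueError("inverted range: %s" % part)
            items.append((lo, hi))
        elif part.endswith("."):
            octets = part[:-1].split(".")
            if not 1 <= len(octets) <= 3:
                raise ValueError("bad prefix: %s" % part)
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            net = ipaddress.IPv4Network("%s/%d" % (padded, 8 * len(octets)))
            items.append((net.network_address, net.broadcast_address))
        else:
            addr = ipaddress.IPv4Address(part)
            items.append((addr, addr))
    return items


# Constructed constraints mirroring the two proposed <security-constraint>s.
CONSTRAINTS = (
    {"url-pattern": "/cust1.html",
     "allow": parse_ip_spec("192.168.1.13-192.168.1.55,192.168.10.")},
    {"url-pattern": "/cust2.html",
     "deny": parse_ip_spec("192.168.")},
)


def address_in(items, remote_addr):
    """True when remote_addr falls inside any (low, high) pair."""
    addr = ipaddress.IPv4Address(remote_addr)
    return any(lo <= addr <= hi for lo, hi in items)


def pattern_matches(pattern, path):
    """Servlet-style url-pattern matching: exact, '/prefix/*', or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_permitted(path, remote_addr, constraints=CONSTRAINTS):
    """Every constraint whose pattern matches must pass: an allow list is
    closed (the address has to be listed), a deny list is open (it must not
    be listed).  Paths no constraint covers are permitted."""
    for c in constraints:
        if not pattern_matches(c["url-pattern"], path):
            continue
        if "allow" in c and not address_in(c["allow"], remote_addr):
            return False
        if "deny" in c and address_in(c["deny"], remote_addr):
            return False
    return True


if __name__ == "__main__":
    for path, addr in (("/cust1.html", "192.168.1.20"), ("/cust1.html", "192.168.100.5"),
                       ("/cust2.html", "192.168.5.5"), ("/cust2.html", "10.0.0.1")):
        print("%s from %s: %s" % (path, addr, "allow" if is_permitted(path, addr) else "deny"))
```

Note that a request for /cust1.html from 192.168.100.5 is refused: 192.168.10. names 192.168.10.0/24, not every address whose text starts with "192.168.10". Whatever enforces these rules in production should also be placed so that it sees the real client address; behind a reverse proxy, getRemoteAddr() is the proxy.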


IP security constraint

2004-12-02 Thread Svante Olofsson
Hi!

First off, I think Tomcat is a great product. Thanks! 

Secondly, do you have any plans on adding something like to web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>My Webapp</web-resource-name>
        <url-pattern>cust1.html</url-pattern>
    </web-resource-collection>
    <ip-constraint>
        <allow>192.168.1.13-192.168.1.55,192.168.10.</allow>
    </ip-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>My Webapp</web-resource-name>
        <url-pattern>cust2.html</url-pattern>
    </web-resource-collection>
    <ip-constraint>
        <deny>192.168.</deny>
    </ip-constraint>
</security-constraint>

I have looked at the documentation and web, but could not find any other
information than a commercial package from Cafesoft. I think this kind of
access control would be very useful since webapps can have static pages that
should be denied for everyone but a certain ip-range. Example: Customer 1
has access to a service with a certain look-and-feel and some customer
specific mods. The name of the page that Customer 1 uses to access the
webapp is cust1.html and that passes on some parameters. Customer 2 uses the
same webapp but has a different look-and-feel and accesses the SAME webapp
through cust2.html. Now it would be nice to limit access to cust1.html and
cust2.html so that only the respective customer ip-ranges could access them.
I can do this by installing apache and hooking up Tomcat to it, but I would
like to use a standalone solution. The Valve functionality is good but it is
only on webapp level.

Best regards,
  --Svante
--
Svante Olofsson, CEO
Agentum Technologies Inc.
[EMAIL PROTECTED]
Tel. +358 2 232 6200
Mob. +358 40 501 6061
Fax. +358 2 215 3307





DO NOT REPLY [Bug 30539] - possible security hole: mod_jk2 bypassed when client issues Host: header with an invalid port number

2004-11-29 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=30539


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||WONTFIX




--- Additional Comments From [EMAIL PROTECTED]  2004-11-29 19:50 ---
As of November 15, 2004, JK2 is no longer supported. All bugs related to JK2 
will be marked as WONTFIX. In its place, some of its features have been 
backported to jk1. Most of those features will be seen in 1.2.7, which is 
slated for release on November 30th, 2004.

Another alternative is the ajp addition to mod_proxy which will be part of 
apache 2.

For more information, see the Tomcat connectors docs at
http://jakarta.apache.org/tomcat/connectors-doc/





DO NOT REPLY [Bug 30539] - possible security hole: mod_jk2 bypassed when client issues Host: header with an invalid port number

2004-11-17 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=30539





--- Additional Comments From [EMAIL PROTECTED]  2004-11-17 22:03 ---
Shouldn't this then be an httpd bug?




DO NOT REPLY [Bug 32112] - SSL configuration attributes / security issue

2004-11-17 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=32112


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||WONTFIX




--- Additional Comments From [EMAIL PROTECTED]  2004-11-17 23:14 ---
We assume, and the server admin is responsible for ensuring, that server.xml is 
secure: there are other sensitive parameters there.  We don't want to ask for 
any information input as part of the startup script, as these are usually 
executed unattended.

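The resolution above leaves the protection of the clear-text store passwords to the administrator and to the permissions on server.xml. An added example, not from the bug report or from Tomcat, of the check that implies: it lists every attribute in a server.xml that carries a credential in clear (the SSL keystore and truststore passwords the report is about, but also the shutdown command and a JDBC realm's database password, which are the "other sensitive parameters" in the same file) and verifies that the file mode grants nothing to group or others. The sample document and the attribute table are this example's own; extend SECRET_ATTRS for the Realm and Resource types you actually deploy.

```python
"""Find clear-text secrets in server.xml and check the file is private.

Added example, not Tomcat code.  SECRET_ATTRS is an assumed table for a
Tomcat 5.x server.xml; SAMPLE_SERVER_XML is constructed.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# element tag -> attributes on it that hold a credential in clear
SECRET_ATTRS = {
    "Server": ("shutdown",),
    "Connector": ("keystorePass", "truststorePass"),
    "Realm": ("connectionPassword",),
}

SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" />
    <Connector port="8443" scheme="https" secure="true" clientAuth="false"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               truststoreFile="conf/truststore.jks" truststorePass="changeit" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             connectionURL="jdbc:postgresql://db/users"
             connectionName="tomcat" connectionPassword="s3cret" />
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def find_plaintext_secrets(xml_text):
    """Return [(tag, identifier, attribute)] for every clear-text secret,
    in document order.  The identifier is the port or className, whichever
    the element carries, so a finding can be located in the file."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        for attr in SECRET_ATTRS.get(elem.tag, ()):
            if elem.get(attr):
                ident = elem.get("port") or elem.get("className") or elem.tag
                found.append((elem.tag, ident, attr))
    return found


def mode_is_private(st_mode):
    """True when no permission bit at all is set for group or others."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit(xml_text, st_mode):
    """Pure check: secrets found, whether the file is private, and a verdict.
    A file with no clear-text secrets passes whatever its mode."""
    secrets = find_plaintext_secrets(xml_text)
    private = mode_is_private(st_mode)
    return {"secrets": secrets, "private": private, "ok": private or not secrets}


def audit_server_xml(path):
    """Audit a server.xml on disk."""
    with open(path) as fh:
        return audit(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    # Write the sample to a temp file, first world-readable, then 0600.
    fd, path = tempfile.mkstemp(suffix="-server.xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_SERVER_XML)
    for mode in (0o644, 0o600):
        os.chmod(path, mode)
        result = audit_server_xml(path)
        print("mode %o: %s, %d clear-text secret(s): %s" % (
            mode, "ok" if result["ok"] else "WEAK", len(result["secrets"]),
            ", ".join("%s[%s].%s" % s for s in result["secrets"])))
    os.remove(path)
```

Point it at the real file with `audit_server_xml("/opt/jakarta/tomcat/conf/server.xml")`. A "WEAK" verdict means the passwords are readable by other local accounts; the usual fix is `chmod 600` on the file and running Tomcat under its own unprivileged user, since the process itself must still read it.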



DO NOT REPLY [Bug 32112] New: - SSL configuration attributes / security issue

2004-11-08 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=32112

SSL configuration attributes / security issue

   Summary: SSL configuration attributes / security issue
   Product: Tomcat 5
   Version: Unknown
  Platform: All
OS/Version: All
Status: NEW
  Severity: Enhancement
  Priority: Other
 Component: Connector:Coyote
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


Hello,

The SSL configuration attribute 'truststorePass' exposes the keystore password
in server.xml in clear text.

For a more secure environment, it would be good to provide a mode in which the
keystore password is asked for during Tomcat startup.




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityUtil.java

2004-10-25 Thread luehe
luehe   2004/10/25 14:18:49

  Modified:catalina/src/share/org/apache/catalina/security
SecurityUtil.java
  Log:
  Call session.setAttribute(Globals.SUBJECT_ATTR, subject) only if
  necessary, i.e, only if the session does not already contain such an
  attribute, allowing for session persistence optimizations by
  persisting only those sessions that have actually changed (i.e., whose
  setAttribute() or removeAttribute() have been called) since the
  sessions were last persisted.
  
  Revision  ChangesPath
  1.13  +8 -9  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityUtil.java
  
  Index: SecurityUtil.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityUtil.java,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- SecurityUtil.java 20 Aug 2004 14:43:17 -  1.12
  +++ SecurityUtil.java 25 Oct 2004 21:18:49 -  1.13
  @@ -224,7 +224,7 @@
* @param targetArguments codeObject/code array contains the 
* runtime parameters instance.
* @param principal the codePrincipal/code to which the security 
  - * privilege apply..
  + * privilege applies
*/
   private static void execute(final Method method,
   final Object targetObject, 
  @@ -251,18 +251,17 @@
   if (session != null){
   subject = 
   (Subject)session.getAttribute(Globals.SUBJECT_ATTR);
  -}
   
  -if (subject == null){
  -subject = new Subject();
  +if (subject == null){
  +subject = new Subject();
   
  -if (principal != null){
  -subject.getPrincipals().add(principal);
  +if (principal != null){
  +subject.getPrincipals().add(principal);
  +}
  + 
  +session.setAttribute(Globals.SUBJECT_ATTR, subject);
   }
   }
  -
  -if (session != null)
  -session.setAttribute(Globals.SUBJECT_ATTR, subject);
   }
   
   Subject.doAsPrivileged(subject, pea, null);   
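Review bot: moving the `if (subject == null)` block inside `if (session != null)` drops the case the previous revision handled: when `request.getSession(false)` returns null no Subject is created at all, so `Subject.doAsPrivileged(subject, pea, null)` at the end of the hunk is reached with `subject == null` and the servlet runs without its principal. Create the Subject whenever the lookup left it null, and guard only the `session.setAttribute(Globals.SUBJECT_ATTR, subject)` on the session existing and not already holding one.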
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityUtil.java

2004-10-25 Thread Bill Barker

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 25, 2004 2:18 PM
Subject: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security
SecurityUtil.java


   @@ -251,18 +251,17 @@
if (session != null){
subject =

(Subject)session.getAttribute(Globals.SUBJECT_ATTR);
   -}

   -if (subject == null){
   -subject = new Subject();
   +if (subject == null){
   +subject = new Subject();

   -if (principal != null){
   -subject.getPrincipals().add(principal);
   +if (principal != null){
   +subject.getPrincipals().add(principal);
   +}
   +
   +session.setAttribute(Globals.SUBJECT_ATTR,
subject);
}
}
   -
   -if (session != null)
   -session.setAttribute(Globals.SUBJECT_ATTR,
subject);
}

Subject.doAsPrivileged(subject, pea, null);

With this patch, if there is no session defined, then 'subject' will be null
when I get to doAsPrivileged.







cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityUtil.java

2004-10-25 Thread luehe
luehe   2004/10/25 19:02:37

  Modified:catalina/src/share/org/apache/catalina/security
SecurityUtil.java
  Log:
  Create Subject if one was not already associated with the session, and add
  it to the session *only* in that case
  
  Revision  ChangesPath
  1.14  +11 -7 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityUtil.java
  
  Index: SecurityUtil.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityUtil.java,v
  retrieving revision 1.13
  retrieving revision 1.14
  diff -u -r1.13 -r1.14
  --- SecurityUtil.java 25 Oct 2004 21:18:49 -  1.13
  +++ SecurityUtil.java 26 Oct 2004 02:02:37 -  1.14
  @@ -247,20 +247,24 @@
   HttpServletRequest request = 
   (HttpServletRequest)targetArguments[0];
   
  +boolean hasSubject = false;
   HttpSession session = request.getSession(false);
   if (session != null){
   subject = 
   (Subject)session.getAttribute(Globals.SUBJECT_ATTR);
  +hasSubject = (subject != null);
  +}
   
  -if (subject == null){
  -subject = new Subject();
  +if (subject == null){
  +subject = new Subject();
   
  -if (principal != null){
  -subject.getPrincipals().add(principal);
  -}
  - 
  -session.setAttribute(Globals.SUBJECT_ATTR, subject);
  +if (principal != null){
  +subject.getPrincipals().add(principal);
   }
  +}
  +
  +if (session != null  !hasSubject) {
  +session.setAttribute(Globals.SUBJECT_ATTR, subject);
   }
   }
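Review bot: the `hasSubject` flag fixes the unconditional write, but a Subject read back from the session is used as-is even when `principal` is non-null and is not among its principals; if the session existed before the caller established the principal, the empty Subject cached on the first request is what every later request runs under, and the `principal != null` branch is never reached again for that session. Consider checking that the cached Subject's principals contain `principal` and replacing the attribute when they do not.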
   
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityUtil.java

2004-10-25 Thread Jan Luehe
Bill Barker wrote:
 - Original Message -
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Monday, October 25, 2004 2:18 PM
 Subject: cvs commit:
 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security
 SecurityUtil.java
 
 
 
  @@ -251,18 +251,17 @@
   if (session != null){
   subject =

 
 (Subject)session.getAttribute(Globals.SUBJECT_ATTR);
 
  -}

  -if (subject == null){
  -subject = new Subject();
  +if (subject == null){
  +subject = new Subject();

  -if (principal != null){
  -subject.getPrincipals().add(principal);
  +if (principal != null){
  +subject.getPrincipals().add(principal);
  +}
  +
  +session.setAttribute(Globals.SUBJECT_ATTR,
 
 subject);
 
   }
   }
  -
  -if (session != null)
  -session.setAttribute(Globals.SUBJECT_ATTR,
 
 subject);
 
   }

   Subject.doAsPrivileged(subject, pea, null);
 
 
With this patch, if there is no session defined, then 'subject' will be null
when I get to doAsPrivileged.

Good catch! Fixed so that Subject is created regardless of whether
session exists, but it is added to the session only if the session
did not already contain any.


Jan






DO NOT REPLY [Bug 31362] - Start Catalina under JPDA debugger with -security option fails

2004-09-23 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=31362

Start Catalina under JPDA debugger with -security option fails

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED



--- Additional Comments From [EMAIL PROTECTED]  2004-09-23 20:21 ---
OK, fixed.  Thanks for pointing it out ;)




DO NOT REPLY [Bug 31362] New: - Start Catalina under JPDA debugger with -security option fails

2004-09-22 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=31362

Start Catalina under JPDA debugger with -security option fails

   Summary: Start Catalina under JPDA debugger with -security
option fails
   Product: Tomcat 5
   Version: 5.0.28
  Platform: Other
OS/Version: Windows XP
Status: NEW
  Severity: Normal
  Priority: Other
 Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


Starting Catalina under JPDA debugger with -security option fails. You will
get following error message:

Error occurred during initialization of VM
-Xrun library failed to init: jdwp
JDWP unable to access JVMDI Version 1.
Maybe you need to start the VM with the -Xdebug option

This is a windows jdk1.4 specific bug. It can be fixed by modifying the
bin/catalina.bat startup script like this:

- %_EXECJAVA% %JAVA_OPTS% %CATALINA_OPTS%
-Xrunjdwp:transport=%JPDA_TRANSPORT%,address=%JPDA_ADDRESS%,server=y,suspend=n
%DEBUG_OPTS%
+ %_EXECJAVA% %JAVA_OPTS% %CATALINA_OPTS% -Xdebug
-Xrunjdwp:transport=%JPDA_TRANSPORT%,address=%JPDA_ADDRESS%,server=y,suspend=n
%DEBUG_OPTS%




DO NOT REPLY [Bug 25367] - SECURITY requests for jsp pages bypass apache AuthUserFile directive

2004-09-09 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=25367

SECURITY requests for jsp pages bypass apache AuthUserFile directive





--- Additional Comments From [EMAIL PROTECTED]  2004-09-09 17:24 ---
I posted this one in the Apache 2.0 bug database.
I think I found the problem but no solution to it.
I agree, this is a security issue.

___

There seems to be a difference between Apache 1.3 and 2.0 : they don't handle
htaccess files the same way. 

Let's say I have a site protected with an authentication module (e.g.
mod_auth_pgsql).
The site is open to everyone, but some directories are dynamically group protected.

In this case, we have a httpd.conf with :

<Directory /var/www/html/mysite>
    AuthName "My Realm"
    AuthType basic
    Auth_PG_host myhost.mydomain.org
    Auth_PG_port 5432
    Auth_PG_database users
    Auth_PG_encrypted off
    Auth_PG_user admin
    Auth_PG_pwd admin
    Auth_PG_pwd_table users
    Auth_PG_uid_field iduser
    Auth_PG_pwd_field passwd
    Auth_PG_grp_table group
    Auth_PG_grp_user_field iduser
    Auth_PG_grp_group_field group
    AllowOverride All
</Directory>

and a .htaccess file in /var/www/html/mysite/secretdir that requires a
particular group

 Require group secret

This works perfectly in both versions (1.3 and 2.0) with both mod_auth_pgsql
adapted modules. All files within secretdir are protected.

The problem appears when you ask Apache to serve JSP files, which are handled
by Tomcat through a mod_jk or mod_jk2 connector (same behavior, I tried both):

- in Apache 1.3, the jsp files are protected like htm files: the .htaccess
directives are taken into account BEFORE Tomcat handles jsp files
- in Apache 2.0, the jsp is handled by Tomcat WITHOUT looking at .htaccess (they
are visible to everyone and I can't getRemoteUser - it returns null)

I tried to change the modules loading order without success.
I have the same difference with mod_jk and mod_jk2, and with several
Basic Authentication Modules.

Apache 2.0 works if the REQUIRE directive is set in httpd.conf, but this is not
dynamic and therefore doesn't fit my needs.

I wonder if there is a magic trick to force Apache 2.0 to handle mod_jk like
Apache 1.3 does.

Configuration : (Apache 2.0.49 / Apache 1.3.27 + mod_jk / mod jk2 and tomcat 4.1.29)

Thanks for reading

Alexis




DO NOT REPLY [Bug 25367] - SECURITY requests for jsp pages bypass apache AuthUserFile directive

2004-09-09 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=25367

SECURITY requests for jsp pages bypass apache AuthUserFile directive

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||DUPLICATE



--- Additional Comments From [EMAIL PROTECTED]  2004-09-09 18:36 ---


*** This bug has been marked as a duplicate of 25055 ***




DO NOT REPLY [Bug 30618] - pdf problems with security

2004-09-06 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=30618

pdf problems with security

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|DUPLICATE   |



--- Additional Comments From [EMAIL PROTECTED]  2004-09-06 11:22 ---
Is this bug solved in Tomcat 5.5.0 or must I use your patch for the connector?

Best regards
W. Hoheisel




DO NOT REPLY [Bug 30618] - pdf problems with security

2004-09-06 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=30618

pdf problems with security

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution||DUPLICATE



--- Additional Comments From [EMAIL PROTECTED]  2004-09-06 12:09 ---
Tomcat 4.1, 5, and 5.5 use the same code base for the connectors.

*** This bug has been marked as a duplicate of 27122 ***




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityUtil.java

2004-08-20 Thread jfarcand
jfarcand2004/08/20 07:28:38

  Modified:catalina/src/share/org/apache/catalina/security Tag:
TOMCAT_5_0 SecurityUtil.java
  Log:
  Fix for Bugzilla 30602: Subject is not available during the first call to the 
servlet which use the basic authentication.
  
  All Servlet TCKs passed with Security enabled
  
  Submitted by: Josip Jureta at videotron.ca
  
  Revision  ChangesPath
  No   revision
  No   revision
  1.11.2.1  +9 -7  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityUtil.java
  
  Index: SecurityUtil.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityUtil.java,v
  retrieving revision 1.11
  retrieving revision 1.11.2.1
  diff -u -r1.11 -r1.11.2.1
  --- SecurityUtil.java 26 May 2004 15:53:20 -  1.11
  +++ SecurityUtil.java 20 Aug 2004 14:28:38 -  1.11.2.1
  @@ -251,16 +251,18 @@
   if (session != null){
   subject = 
   (Subject)session.getAttribute(Globals.SUBJECT_ATTR);
  +}
   
  -if (subject == null){
  -subject = new Subject();
  -
  -if (principal != null){
  -subject.getPrincipals().add(principal);
  -}
  -session.setAttribute(Globals.SUBJECT_ATTR, subject);
  +if (subject == null){
  +subject = new Subject();
  +
  +if (principal != null){
  +subject.getPrincipals().add(principal);
   }
   }
  +
  +if (session != null)
  +session.setAttribute(Globals.SUBJECT_ATTR, subject);
   }
   
   Subject.doAsPrivileged(subject, pea, null);   
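Review bot: closing the `if (session != null)` block before the Subject is created is what makes `Subject.doAsPrivileged(subject, pea, null)` always see a non-null Subject, which is the bug 30602 fix; two follow-ups on the same hunk. The trailing `if (session != null)` is a brace-less single-statement `if` where every other conditional in this method uses braces, so give it braces. And because `subject` may have been read out of that very session a few lines earlier, the `session.setAttribute(Globals.SUBJECT_ATTR, subject)` that follows should be conditional on the lookup having returned null, not just on the session existing.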
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityUtil.java

2004-08-20 Thread jfarcand
jfarcand2004/08/20 07:43:17

  Modified:catalina/src/share/org/apache/catalina/security
SecurityUtil.java
  Log:
  Port fix for bug 30602
  
  Revision  ChangesPath
  1.12  +9 -7  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityUtil.java
  
  Index: SecurityUtil.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityUtil.java,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -r1.11 -r1.12
  --- SecurityUtil.java 26 May 2004 15:53:20 -  1.11
  +++ SecurityUtil.java 20 Aug 2004 14:43:17 -  1.12
  @@ -251,16 +251,18 @@
   if (session != null){
   subject = 
   (Subject)session.getAttribute(Globals.SUBJECT_ATTR);
  +}
   
  -if (subject == null){
  -subject = new Subject();
  -
  -if (principal != null){
  -subject.getPrincipals().add(principal);
  -}
  -session.setAttribute(Globals.SUBJECT_ATTR, subject);
  +if (subject == null){
  +subject = new Subject();
  +
  +if (principal != null){
  +subject.getPrincipals().add(principal);
   }
   }
  +
  +if (session != null)
  +session.setAttribute(Globals.SUBJECT_ATTR, subject);
   }
   
   Subject.doAsPrivileged(subject, pea, null);   
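Review bot: as ported, the final `session.setAttribute(Globals.SUBJECT_ATTR, subject)` fires on every request that has a session, including the ones where `subject` was just fetched from that session via `getAttribute`; besides the redundant call, a session manager that persists or replicates only sessions whose attributes changed will treat every such request as a modification. Set the attribute only when the lookup came back null.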
  
  
  





DO NOT REPLY [Bug 30618] New: - pdf problems with security

2004-08-12 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=30618

pdf problems with security

   Summary: pdf problems with security
   Product: Tomcat 5
   Version: 5.0.27
  Platform: PC
OS/Version: Windows XP
Status: NEW
  Severity: Normal
  Priority: Other
 Component: Unknown
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


Hello,
You have Tomcat as a standalone webserver with security. You have two static
PDF pages with a link in the first page to the second page. The first page you
can call, but when you want to go via the link to the second PDF page you get
the Internet Explorer dialog to open or save the page. When you open the page
you get the error that the page can't be opened. When you try to save the page
you get the same error. The error is reproducible. You can call the pages
individually over Tomcat, no problem. Without security, Tomcat handles this
behavior correctly.

Thanks in advance
W. Hoheisel




DO NOT REPLY [Bug 30618] - pdf problems with security

2004-08-12 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=30618

pdf problems with security

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||DUPLICATE



--- Additional Comments From [EMAIL PROTECTED]  2004-08-12 15:13 ---


*** This bug has been marked as a duplicate of 27122 ***




DO NOT REPLY [Bug 30539] New: - possible security hole: mod_jk2 bypassed when client issues Host: header with an invalid port number

2004-08-09 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=30539

possible security hole: mod_jk2 bypassed when client issues Host: header with an 
invalid port number

   Summary: possible security hole: mod_jk2 bypassed when client
issues Host: header with an invalid port number
   Product: Tomcat 5
   Version: 5.0.24
  Platform: Other
OS/Version: Linux
Status: NEW
  Severity: Major
  Priority: Other
 Component: Connector:AJP
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


I have a specific mod_jk2 2.0.4 configuration which maps 2 different port
numbers (running different Apache 2.0.49 virtual hosts) to 2 different Tomcat
5.0.24 services.

I managed to do this by using the following workers2.properties configuration (I
provide relevant directives only):

--- BEGIN SNIP ---

[ajp13:localhost:8009]
channel=channel.socket:localhost:8009
group=ajp13:localhost:8009

[ajp13:localhost:8010]
channel=channel.socket:localhost:8010
group=ajp13:localhost:8010

[channel.socket:localhost:8009]
port=8009
host=localhost
group=ajp13:localhost:8009
 
[channel.socket:localhost:8010]
port=8010
host=localhost
group=ajp13:localhost:8010

# URI mappings
[uri:*:80/*.jsp]
group=ajp13:localhost:8009

[uri:*:443/*.jsp]
group=ajp13:localhost:8009

# mapping from the second Apache virtual host (running on secret port )
# to the second Tomcat service:

[uri:*:/*.jsp]
group=ajp13:localhost:8010

--- END SNIP ---

This configuration works fine, but there's a security problem we've recently
discovered that I suspect to be mod_jk2's fault:

If an HTTP client requests a JSP page and supplies a Host: HTTP header, and
provides a port there, and the port is not valid (that is, it's not 80, 443, or
), then Apache spills out the JSP file's source instead of putting it
through mod_jk2 to be serviced by Tomcat!

This can be easily reproduced with livehttpheaders extension for Mozilla.

Steps to reproduce:
1) install the livehttpheaders extension in Mozilla:
http://livehttpheaders.mozdev.org/
2) open the livehttpheaders window (Tools > Web Development > Live HTTP Headers)
3) load a JSP page from Apache, it should display normally
4) select the URL line over GET .jsp line in the livehttpheaders window
5) click Replay...
6) change the Host: header to use an invalid port number, e.g. Host:
www.example.com:1234
7) click Replay - In my case, I received the source of JSP page (as text/plain).


I've tried remedying the problem by supplying additional catch-all URI
mappings at the end of workers2.properties, using various patterns:
[uri:*.jsp], or [uri:*:*.jsp], but none of them has helped - it seemed that
Apache was just bypassing mod_jk2 and _ANY_ URI mappings when the Host header
contained an invalid port.

So as a temporary workaround I've prepared the following access control
mechanism in Apache:

--- BEGIN SNIP ---
# If the Host: header specifies a port, deny access to JSP files by setting a
custom env variable:
SetEnvIfNoCase Host \: HOST_PORT_DENIED=yes
# The ports 80, 443 and  are valid, unset the custom env variable for them:
SetEnvIfNoCase Host \:80$ !HOST_PORT_DENIED
SetEnvIfNoCase Host \:443$ !HOST_PORT_DENIED
SetEnvIfNoCase Host \:$ !HOST_PORT_DENIED

# deny access to JSP based on custom env variable presence:
<Files *.jsp>
  Order Allow,Deny
  Allow from all
  Deny from env=HOST_PORT_DENIED
</Files>
--- END SNIP ---

This, however, is only a workaround. Ideally, requests with a Host: header
specifying a port on which Apache doesn't listen should be denied (IMHO), or at
least passed through mod_jk2 and its URI mappings.

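The bypass and the SetEnvIf workaround described in the report above, as an added example that is not part of the bug report, mod_jk2 or Tomcat: a Python script that (1) models the report's Host:-header regex chain so you can check which Host values the workaround actually blocks, (2) builds the raw request that livehttpheaders "Replay" sends with a bogus port, and (3) classifies a response as a source leak when a .jsp URL comes back as text/plain containing JSP markup. The allowed-port list, the hostnames and the three sample responses are constructed for the example; the report's third port is not preserved in the archive, so 8443 is assumed in its place.

```python
"""Added example, not from the bug report, mod_jk2 or Tomcat.

Models the report's SetEnvIf workaround, builds the raw probe request that
livehttpheaders "Replay" sends with a bogus Host: port, and flags a response
as a JSP source leak. Hostnames, ports and responses are constructed here.
"""
import re

# Assumption: the third port in the report is lost from the archive; 8443
# stands in for it.
ALLOWED_PORTS = (80, 443, 8443)


def host_port_denied(host_header, allowed_ports=ALLOWED_PORTS):
    """Emulate the report's SetEnvIfNoCase chain on one Host header value:

        SetEnvIfNoCase Host \\:     HOST_PORT_DENIED=yes   # any colon
        SetEnvIfNoCase Host \\:80$  !HOST_PORT_DENIED      # one per port

    Returns True when HOST_PORT_DENIED would still be set, i.e. when the
    <Files *.jsp> block would deny the request.
    """
    denied = re.search(r":", host_header, re.IGNORECASE) is not None
    for port in allowed_ports:
        # The trailing $ matters: ":80$" must not be satisfied by ":8080".
        if re.search(r":%d$" % port, host_header, re.IGNORECASE):
            denied = False
    return denied


def build_probe(host, port, path="/index.jsp"):
    """Raw HTTP/1.1 request carrying an explicit Host: port, as bytes ready
    for socket.sendall(). This is the request the report replays by hand."""
    lines = ["GET %s HTTP/1.1" % path,
             "Host: %s:%d" % (host, port),
             "Connection: close",
             "", ""]
    return "\r\n".join(lines).encode("ascii")


JSP_MARKERS = (b"<%@", b"<%=", b"<%", b"<jsp:")


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw_response):
    """'LEAK' if a .jsp URL came back as text/plain with JSP markup in it
    (Apache served the file itself instead of handing it to mod_jk2),
    'DENIED' for a 403, otherwise 'OK'."""
    status, headers, body = parse_response(raw_response)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == "text/plain" and any(m in body for m in JSP_MARKERS):
        return "LEAK"
    if status == 403:
        return "DENIED"
    return "OK"


# Constructed sample responses, not captured from a real server.
SAMPLE_LEAK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               b'<%@ page language="java" %>\n'
               b"<html><%= request.getRemoteUser() %></html>\n")
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=ISO-8859-1\r\n\r\n"
             b"<html>alice</html>\n")
SAMPLE_DENIED = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                 b"<html>Forbidden</html>\n")


if __name__ == "__main__":
    for value in ("www.example.com", "www.example.com:80",
                  "www.example.com:1234", "[::1]"):
        print("%-22s denied=%s" % (value, host_port_denied(value)))
    print(build_probe("www.example.com", 1234).decode("ascii"), end="")
    for raw in (SAMPLE_LEAK, SAMPLE_OK, SAMPLE_DENIED):
        print(classify(raw))
```

Note that the first SetEnvIf rule keys on any colon, so a bracketed IPv6 literal with no port at all (`[::1]`) is denied as well; the model reproduces that, which is one reason the reporter calls it a workaround rather than a fix.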



DO NOT REPLY [Bug 30539] - possible security hole: mod_jk2 bypassed when client issues Host: header with an invalid port number

2004-08-09 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=30539

possible security hole: mod_jk2 bypassed when client issues Host: header with an 
invalid port number





--- Additional Comments From [EMAIL PROTECTED]  2004-08-09 13:46 ---
For the record, the issue was discovered by Paweł Sawicki
([EMAIL PROTECTED]).




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityClassLoad.java

2004-07-24 Thread billbarker
billbarker2004/07/24 00:07:38

  Modified:catalina/src/share/org/apache/catalina/security
SecurityClassLoad.java
  Log:
  Load the Connector classes from their new package, with their new names.
  
  Revision  ChangesPath
  1.17  +21 -21
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java
  
  Index: SecurityClassLoad.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- SecurityClassLoad.java27 Feb 2004 14:58:46 -  1.16
  +++ SecurityClassLoad.java24 Jul 2004 07:07:37 -  1.17
  @@ -117,55 +117,55 @@
   
   private final static void loadCoyotePackage(ClassLoader loader)
   throws Exception {
  -String basePackage = org.apache.coyote.tomcat5.;
  +String basePackage = org.apache.catalina.connector.;
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetAttributePrivilegedAction);
  + RequestFacade$GetAttributePrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetParameterMapPrivilegedAction);
  + RequestFacade$GetParameterMapPrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetRequestDispatcherPrivilegedAction);
  + RequestFacade$GetRequestDispatcherPrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetParameterPrivilegedAction);
  + RequestFacade$GetParameterPrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetParameterNamesPrivilegedAction);
  + RequestFacade$GetParameterNamesPrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetParameterValuePrivilegedAction);
  + RequestFacade$GetParameterValuePrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetCharacterEncodingPrivilegedAction);
  + RequestFacade$GetCharacterEncodingPrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetHeadersPrivilegedAction);
  + RequestFacade$GetHeadersPrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetHeaderNamesPrivilegedAction);  
  + RequestFacade$GetHeaderNamesPrivilegedAction);  
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetCookiesPrivilegedAction);
  + RequestFacade$GetCookiesPrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetLocalePrivilegedAction);
  + RequestFacade$GetLocalePrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetLocalesPrivilegedAction);
  + RequestFacade$GetLocalesPrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteResponseFacade$SetContentTypePrivilegedAction);
  + ResponseFacade$SetContentTypePrivilegedAction);
   loader.loadClass
   (basePackage + 
  - CoyoteResponseFacade$DateHeaderPrivilegedAction);
  + ResponseFacade$DateHeaderPrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteRequestFacade$GetSessionPrivilegedAction);
  + RequestFacade$GetSessionPrivilegedAction);
   loader.loadClass
   (basePackage +
  - CoyoteResponseFacade$1);
  + ResponseFacade$1);
   loader.loadClass
   (basePackage +
OutputBuffer$1);
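Review bot: every entry in loadCoyotePackage is a string built from basePackage, so a single stale name after this rename (a class that did not move into org.apache.catalina.connector, or an anonymous class whose number changed when the source was reorganized) throws ClassNotFoundException out of loadClass and, because the method is declared `throws Exception`, aborts the whole preload rather than skipping one class. Worth a post-rename check that each renamed RequestFacade/ResponseFacade name exists in the compiled connector package, plus a comment beside the numbered entries such as `ResponseFacade$1` recording which anonymous class they refer to, since those numbers are assigned by the compiler and silently change when an earlier anonymous class is added or removed.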
  @@ -189,13 +189,13 @@
InputBuffer$1);
   loader.loadClass
   (basePackage +
  - CoyoteResponse$1);
  + Response$1);
   loader.loadClass
   (basePackage +
  - CoyoteResponse$2);
  + Response$2);
   loader.loadClass
   (basePackage +
  - CoyoteResponse$3);
  + Response$3);
   }
   
   private final static void loadJkPackage(ClassLoader loader)
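Review bot: Response$1, Response$2 and Response$3 are referenced purely by compiler-assigned anonymous-class number, and the hunk gives no way to tell whether the move from CoyoteResponse to Response kept the same three anonymous classes in the same order. Suggest listing Response$*.class in the build output to confirm the count before committing, and documenting in a comment what each of the three is, so the next refactoring does not preload the wrong class.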
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityUtil.java

2004-05-26 Thread yoavs
yoavs   2004/05/26 08:53:20

  Modified:catalina/src/share/org/apache/catalina/security
SecurityUtil.java
  Log:
  Minor JavaDoc fixes (Bugzilla 28335)
  
  Revision  ChangesPath
  1.11  +6 -6  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityUtil.java
  
  Index: SecurityUtil.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityUtil.java,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- SecurityUtil.java 17 May 2004 17:59:39 -  1.10
  +++ SecurityUtil.java 26 May 2004 15:53:20 -  1.11
  @@ -98,7 +98,7 @@
* be called.
* @param targetType codeClass/code array used to instanciate a i
* codeMethod/code object.
  - * @param targetObject codeObject/code array contains the runtime 
  + * @param targetArguments codeObject/code array contains the runtime 
* parameters instance.
*/
   public static void doAsPrivilege(final String methodName, 
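Review bot: the @param rename is right, but the unchanged context two lines above still reads "instanciate" (for "instantiate"), and "array contains the runtime parameters instance" should read "array containing the runtime parameter instances"; since this commit is a JavaDoc cleanup (Bugzilla 28335), it is the place to fix those as well. The same wording recurs in the -124, -183 and -221 hunks.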
  @@ -124,7 +124,7 @@
* be called.
* @param targetType codeClass/code array used to instanciate a 
* codeMethod/code object.
  - * @param targetArgumentst codeObject/code array contains the 
  + * @param targetArguments codeObject/code array contains the 
* runtime parameters instance.
* @param principal the codePrincipal/code to which the security 
* privilege apply..
  @@ -183,7 +183,7 @@
* be called.
* @param targetType codeClass/code array used to instanciate a
* codeMethod/code object.
  - * @param targetArgumentst codeObject/code array contains the 
  + * @param targetArguments codeObject/code array contains the 
* runtime parameters instance.
*/
   public static void doAsPrivilege(final String methodName, 
  @@ -221,9 +221,7 @@
* @param methodName the method to apply the security restriction
* @param targetObject the codeServlet/code on which the method will
* be called.
  - * @param targetType codeClass/code array used to instanciate a 
  - * codeMethod/code object.
  - * @param targetArgumentst codeObject/code array contains the 
  + * @param targetArguments codeObject/code array contains the 
* runtime parameters instance.
* @param principal the codePrincipal/code to which the security 
* privilege apply..
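Review bot: this hunk deletes the @param targetType entry, which is correct only if this doAsPrivilege overload really takes no Class[] argument; the signature is outside the diff context, so please confirm it against the method declaration, otherwise javadoc will flag a missing @param. Also, "privilege apply.." in the trailing context has a double period and should read "privilege applies."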
  @@ -354,6 +352,8 @@
   
   /**
* Remove the object from the cache.
  + *
  + * @param cachedObject The object to remove
*/
   public static void remove(Object cachedObject){
   objectCache.remove(cachedObject);
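Review bot: the new @param line names the argument but not the contract. State that cachedObject is used as the cache key and whether calling remove for an object that was never cached is a no-op (it is if objectCache is a Map, whose remove() ignores absent keys, but the field's type is not in this hunk), since callers in the security path will want to know whether a missed remove can leave a stale entry behind.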
  
  
  




DO NOT REPLY [Bug 28857] New: - SSLServerSocketFactory needs earlier security provider setup

2004-05-09 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28857

SSLServerSocketFactory needs earlier security provider setup

   Summary: SSLServerSocketFactory needs earlier security provider
setup
   Product: Tomcat 4
   Version: Unknown
  Platform: All
OS/Version: All
Status: NEW
  Severity: Minor
  Priority: Other
 Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]


I found org.apache.catalina.net.SSLServerSocketFactory useful for another
project of mine. However, my keystore is in PKCS12 format, and
KeyStore.getInstance("PKCS12") fails unless the security provider is loaded first.

I am using java 1.3.1 and JSSE 1.0.3_03.
Here's a patch to look at.
-broc


Index: SSLServerSocketFactory.java
===
RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalin
a/net/SSLServerSocketFactory.java,v
retrieving revision 1.10
diff -u -r1.10 SSLServerSocketFactory.java
--- SSLServerSocketFactory.java 30 Nov 2001 23:00:45 -  1.10
+++ SSLServerSocketFactory.java 7 May 2004 17:06:54 -
@@ -381,6 +381,7 @@
KeyManagementException
 {
 
+   initSecurityProvider();
 initHandler();
 initKeyStore();
 initProxy();
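Review bot: the ordering is the actual fix here (initKeyStore() is where KeyStore.getInstance("PKCS12") runs, and that keystore type is supplied by the JSSE provider being registered), so say so in a comment next to the initSecurityProvider() call; otherwise a later cleanup can reorder these four calls and reintroduce the failure with no compile-time signal. A test that constructs the factory with keystore type PKCS12 on a JVM where the provider is not pre-installed would pin the behaviour.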
@@ -388,6 +389,20 @@
 }
 
 
+   /**
+ * Register JSSE security provider.
+ */
+private void initSecurityProvider() {
+   // Register the JSSE security Provider (if it is not
already there)
+try {
+Security.addProvider((java.security.Provider)
+
Class.forName(com.sun.net.ssl.internal.ssl.Provider).newInstance());
+} catch (Throwable t) {
+;
+}
+}
+
+
 /**
  * Register our URLStreamHandler for the https: protocol.
  */
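Review bot: `catch (Throwable t) { ; }` swallows every failure of the provider registration, including ClassNotFoundException when com.sun.net.ssl.internal.ssl.Provider is absent (any non-Sun JVM) and errors such as NoClassDefFoundError, so the PKCS12 failure the report describes would just resurface later in a less obvious place. Catch only the exceptions Class.forName/newInstance declare and log the failure, and consider checking Security.getProvider(...) first so the hard-coded Sun class name is only loaded when no JSSE provider is already installed.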
@@ -456,15 +471,6 @@
 throws KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException, KeyManagementException
 {
-
-// Register the JSSE security Provider (if it is not already
there)
-try {
-Security.addProvider((java.security.Provider)
- Class.forName(com.sun.net.ssl.internal.ssl.Provider).newInstance());
-} catch (Throwable t) {
-;
-}
-
 // Create an SSL context used to create an SSL socket factory
 SSLContext context = SSLContext.getInstance(protocol);
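Review bot: the block removed here is the one added in initSecurityProvider(), which is fine, but after the move the SSLContext.getInstance(protocol) that follows relies on an earlier call in the same init() sequence having registered the provider. The context shows this is a separate method with its own throws clause, so if it is ever invoked on its own it will now fail where it previously self-registered; either keep a cheap idempotent registration here or document that the init() ordering is mandatory.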




DO NOT REPLY [Bug 19202] - Security checks normally run for IIS causing NullPointerException in Tomcat

2004-04-13 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=19202

Security checks normally run for IIS causing NullPointerException in Tomcat

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||WORKSFORME



--- Additional Comments From [EMAIL PROTECTED]  2004-04-13 21:21 ---
I have just tried the URLs you suggested (and various variations on a similar 
theme) and I do not see any NPEs. Please re-open if you still see this error 
with the latest version of tomcat.




DO NOT REPLY [Bug 28129] - Classloading for the security-constraint / Realm

2004-04-06 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28129

Classloading for the security-constraint / Realm





--- Additional Comments From [EMAIL PROTECTED]  2004-04-06 08:32 ---
I tested some more, and I'm somehow a little bit stupid.
The problem is that I try to load the XML as a URL (http://...), which doesn't 
work because the URL is secured via the security-constraint and the parser has 
no access to the XML, and tries to parse the login2.jsp, which in this case 
isn't valid XML and throws the Fatal Error. So it's not a real bug, but now 
the question is, how can I give the parser a role to get access to the XML 
via URL?




DO NOT REPLY [Bug 28129] - Classloading for the security-constraint / Realm

2004-04-05 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28129

Classloading for the security-constraint / Realm





--- Additional Comments From [EMAIL PROTECTED]  2004-04-05 09:52 ---
Hmmm, I just tested everything on a clean WinXP machine. Installed j2sdk1.4.
2_04, Tomcat 5.0.19, MySQL 4.0.17, removed the Xerces.jar from the webapp, 
removed the two IBM files, copied mysql-connector-java-3.0.10-stable-bin.jar and 
tools.jar (Tomcat said it needs it for compilation, but it was not installed in 
Java 1.4.2_04?) into common/lib, and I still get this [Fatal Error] bAVTree.xml:
9:63: The element type "input" must be terminated by the matching end-tag 
"</input>".

So you have tested my application and you've got the 
"Alles OK. Everything perfect." message after the Security Login from Tomcat and 
the additional submit???

When I remove the security-constraint from the web.xml, everything works. So for 
me it's still a Tomcat problem, because this security thing is a Tomcat feature, 
and it's not compatible with my app.




DO NOT REPLY [Bug 28129] - Classloading for the security-constraint / Realm

2004-04-05 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28129

Classloading for the security-constraint / Realm





--- Additional Comments From [EMAIL PROTECTED]  2004-04-05 10:25 ---
Eh, forget my note about the tools.jar; in a hurry I just clicked when Tomcat 
asked me about the Java path, and by default it uses C:\Program..\j2re, not 
the path to the SDK.




DO NOT REPLY [Bug 28129] - Classloading for the security-constraint / Realm

2004-04-05 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28129

Classloading for the security-constraint / Realm





--- Additional Comments From [EMAIL PROTECTED]  2004-04-05 14:49 ---
When do you get the exception? When you deploy the application or when you
execute it? I've tried under Red Hat 8.0, and everything works fine (no exception
trace). Can you try to do a minimal test case that shows the failure? I can try
to find a Win2k machine.

Thanks

-- Jeanfrancois




DO NOT REPLY [Bug 28129] - Classloading for the security-constraint / Realm

2004-04-05 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28129

Classloading for the security-constraint / Realm





--- Additional Comments From [EMAIL PROTECTED]  2004-04-05 15:48 ---
I get the message when I execute the webapp. Deployment works fine. Tomorrow 
I'll try to build a smaller test case directly in one JSP without the whole 
Struts stuff. Unfortunately I don't have any working Linux machine to test on.




DO NOT REPLY [Bug 28129] - Classloading for the security-constraint / Realm

2004-04-02 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28129

Classloading for the security-constraint / Realm





--- Additional Comments From [EMAIL PROTECTED]  2004-04-02 10:19 ---
Well, I tried to upload (attach) a simple test case, but it seems it doesn't work. 
So here is a link (http://www.gehmtec.de/bugzilla/securitytest.zip) to a zip 
file (~2 MB) with a securitytest.war and the server.xml.
I don't get any ClassNotFound exceptions, that would be easy; I think the 
problem is that a wrong/old class is loaded for the security. But I haven't 
found it yet.




DO NOT REPLY [Bug 28129] - Classloading for the security-constraint / Realm

2004-04-02 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28129

Classloading for the security-constraint / Realm

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||INVALID



--- Additional Comments From [EMAIL PROTECTED]  2004-04-02 15:38 ---
I've just deployed your app and it works fine for me using J2SE 1.4.2_02. Your
war also deploys fine in SJS AS 8 PE, and it works fine :-). 

INFO: Installing web application at context path /securitytest from URL
file:/src/jakarta-tomcat-5/build/webapps/securitytest
Apr 2, 2004 10:36:28 AM org.apache.commons.beanutils.MethodUtils
getMatchingAccessibleMethod
WARNING: Cannot use JVM pre-1.4 access bug workaround due to restrictive
security manager.

BTW, you should not bundle the Xerces jar file under /lib. Those will be ignored
by the Tomcat classloader.

Maybe that's because you are using an IBM product ;-) Try to use another VM to
see if it fixes the problem. But this is clearly not a Tomcat bug.

-- Jeanfrancois




DO NOT REPLY [Bug 28129] New: - Classloading for the security-constraint / Realm

2004-04-01 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28129

Classloading for the security-constraint / Realm

   Summary: Classloading for the security-constraint / Realm
   Product: Tomcat 5
   Version: 5.0.19
  Platform: PC
OS/Version: Windows NT/2K
Status: NEW
  Severity: Blocker
  Priority: Other
 Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


I have the following problem with the built-in security.
When I use the security I get the following error when I try to parse an XML:

[Fatal Error] bAVTree.xml:9:64: The element type "input" must be terminated by 
the matching end-tag "</input>".

Well, first this error message is completely mistaken, because I don't have any 
element input at all. And I only get this message when I use the security; when 
I don't use it the BAVTree.xml is parsed without problems. I use the following 
classes to parse:

xercesImpl.jar, xmlParserAPIs.jar (2.6.1, the XML jars from tomcat\common\endorsed)
import org.apache.xerces.parsers.DOMParser; 
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

I assume the security manager somehow uses a different version of one of these 
classes, so when I try to parse my XML, Java doesn't load the correct classes 
above. BTW I use j2re1.4.1_01.




DO NOT REPLY [Bug 28129] - Classloading for the security-constraint / Realm

2004-04-01 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=28129

Classloading for the security-constraint / Realm





--- Additional Comments From [EMAIL PROTECTED]  2004-04-01 15:25 ---
Can you check your logs to see if you are getting some ClassNotFound exceptions?
You should try to attach a test case, because it works fine for me right now. I
will leave the bug open for now, but if you can't reproduce it with a simple test
case, I will unfortunately close it as invalid.

-- Jeanfrancois




Re: container managed security

2004-03-30 Thread Adam Hardy
I searched for some time in various archives, bug databases, mailing 
lists etc trying to find this information but my searching basically 
always brings me back to here.

All I want to do is set up container managed security to allow 
unencrypted sessions on protected resources, along with an SSL-based 
non-clear text form-based login.

I discussed this partly with different people at different times but was 
not involved (or paying attention would be a better way to put it) when 
the servlet spec gurus and followers discussed the issue, and 
subsequently I have unanswered questions about the implementation of 
changes (in tomcat) that leave my requirement unattainable (almost).

I have scoured the mailing list archives, google and sun for relevant 
info, but haven't found anything, even though that is the place to which 
people constantly refer me.

I know this is old ground but I need to get the low-down on it. Thanks 
in advance for any tips, links, pointers or explanations!

Adam





On 03/12/2004 06:46 PM Adam Hardy wrote:
In tomcat 4 I was able to protect my app with non-SSL 
security-constraints while using SSL form-based authentication so that 
the passwords were not sent in clear text. This has been a specification 
of the last 3 projects I have worked on.

In tomcat 5 this is impossible without coding a work-around.

I logged this as a bug in tomcat but it was closed as 'invalid'. 
http://issues.apache.org/bugzilla/show_bug.cgi?id=23970

I remember 6 months ago someone saying that the tomcat developers had 
decided that due to the danger of session-hijacking, if it was worth 
encrypting the login, it was worth encrypting the whole session traffic.

Due to the charges that the extra hardware brings when doing all 
logged-in sessions in SSL, amongst other reasons, I disagreed and 
developed a work-around to let me carry on using the Struts & Tomcat 
security features.

This took me a few days back then, and then this week something else 
cropped up which caused me to revisit the work-around code and spend 2 
days adding to it (and documenting it - it's pretty arcane).

It occurred to me that this will always happen. The work-around is 
vulnerable to any changes in the servlet spec of course, but also in 
tomcat and in struts.

I would appreciate finding out the whole story on this - last time I 
just let it go through lack of time. If I'm in the wrong place - perhaps 
the JCP Servlet working group would be better - can someone point me in 
the right direction?

Adam



--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian


Re: [Fwd: container managed security]

2004-03-19 Thread Adam Hardy
Is there any way of seeing how the servlet spec team reached their 
decisions, apart from sending an email to the address mentioned in the 
spec? (I've done that before without any result).

Is there a mailing list for it? Looking around at java.sun.com doesn't 
bring much to light.

Thanks
Adam
On 03/18/2004 09:38 PM Mark Thomas wrote:
Adam,

I thought that this was a spec issue and a quick review of the bugzilla postings
confirms this. The best place to follow this up is with the servlet spec team.
Mark 


-Original Message-
From: Adam Hardy [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 18, 2004 10:46 AM
To: [EMAIL PROTECTED]
Subject: [Fwd: container managed security]

Nobody responded to my previous message, but I am still searching for 
information on the subject. Any references to docs would be 
welcome. I 
have searched for threads on this list in the archives but had no joy 
either.

Thanks
Adam
 Original Message 
From: - Fri Mar 12 18:50:10 2004
To: [EMAIL PROTECTED]
Subject: container managed security
In tomcat 4 I was able to protect my app with non-SSL
security-constraints while using SSL form-based authentication so that
the passwords were not sent in clear text. This has been a 
specification
of the last 3 projects I have worked on.

In tomcat 5 this is impossible without coding a work-around.

I logged this as a bug in tomcat but it was closed as 'invalid'.

http://issues.apache.org/bugzilla/show_bug.cgi?id=23970

I remember 6 months ago someone saying that the tomcat developers had
decided that due to the danger of session-hijacking, if it was worth
encrypting the login, it was worth encrypting the whole 
session traffic.

Due to the charges that the extra hardware brings when doing all
logged-in sessions in SSL, amongst other reasons, I disagreed and
developed a work-around to let me carry on using the Struts & Tomcat
security features.
This took me a few days back then, and then this week something else
cropped up which caused me to revisit the work-around code and spend 2
days adding to it (and documenting it - it's pretty arcane).
It occurred to me that this will always happen. The work-around is
vulnerable to any changes in the servlet spec of course, but also in
tomcat and in struts.
I would appreciate finding out the whole story on this - last time I
just let it go through lack of time. If I'm in the wrong 
place - perhaps
the JCP Servlet working group would be better - can someone 
point me in
the right direction?

Adam











--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian


[Fwd: container managed security]

2004-03-18 Thread Adam Hardy
Nobody responded to my previous message, but I am still searching for 
information on the subject. Any references to docs would be welcome. I 
have searched for threads on this list in the archives but had no joy 
either.

Thanks
Adam
 Original Message 
From: - Fri Mar 12 18:50:10 2004
To: [EMAIL PROTECTED]
Subject: container managed security
In tomcat 4 I was able to protect my app with non-SSL
security-constraints while using SSL form-based authentication so that
the passwords were not sent in clear text. This has been a specification
of the last 3 projects I have worked on.
In tomcat 5 this is impossible without coding a work-around.

I logged this as a bug in tomcat but it was closed as 'invalid'.

http://issues.apache.org/bugzilla/show_bug.cgi?id=23970

I remember 6 months ago someone saying that the tomcat developers had
decided that due to the danger of session-hijacking, if it was worth
encrypting the login, it was worth encrypting the whole session traffic.
Due to the charges that the extra hardware brings when doing all
logged-in sessions in SSL, amongst other reasons, I disagreed and
developed a work-around to let me carry on using the Struts & Tomcat
security features.
This took me a few days back then, and then this week something else
cropped up which caused me to revisit the work-around code and spend 2
days adding to it (and documenting it - it's pretty arcane).
It occurred to me that this will always happen. The work-around is
vulnerable to any changes in the servlet spec of course, but also in
tomcat and in struts.
I would appreciate finding out the whole story on this - last time I
just let it go through lack of time. If I'm in the wrong place - perhaps
the JCP Servlet working group would be better - can someone point me in
the right direction?
Adam





RE: [Fwd: container managed security]

2004-03-18 Thread Mark Thomas
Adam,

I thought that this was a spec issue and a quick review of the bugzilla postings
confirms this. The best place to follow this up is with the servlet spec team.

Mark 

 -Original Message-
 From: Adam Hardy [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, March 18, 2004 10:46 AM
 To: [EMAIL PROTECTED]
 Subject: [Fwd: container managed security]
 
 Nobody responded to my previous message, but I am still searching for
 information on the subject. Any references to docs would be welcome. I
 have searched for threads on this list in the archives but had no joy
 either.
 
 Thanks
 Adam
 
  Original Message 
 From: - Fri Mar 12 18:50:10 2004
 To: [EMAIL PROTECTED]
 Subject: container managed security
 
 In tomcat 4 I was able to protect my app with non-SSL
 security-constraints while using SSL form-based authentication so that
 the passwords were not sent in clear text. This has been a specification
 of the last 3 projects I have worked on.
 
 In tomcat 5 this is impossible without coding a work-around.
 
 I logged this as a bug in tomcat but it was closed as 'invalid'.
 
 http://issues.apache.org/bugzilla/show_bug.cgi?id=23970
 
 I remember 6 months ago someone saying that the tomcat developers had
 decided that due to the danger of session-hijacking, if it was worth
 encrypting the login, it was worth encrypting the whole session traffic.
 
 Due to the charges that the extra hardware brings when doing all
 logged-in sessions in SSL, amongst other reasons, I disagreed and
 developed a work-around to let me carry on using the Struts & Tomcat
 security features.
 
 This took me a few days back then, and then this week something else
 cropped up which caused me to revisit the work-around code and spend 2
 days adding to it (and documenting it - it's pretty arcane).
 
 It occurred to me that this will always happen. The work-around is
 vulnerable to any changes in the servlet spec of course, but also in
 tomcat and in struts.
 
 I would appreciate finding out the whole story on this - last time I
 just let it go through lack of time. If I'm in the wrong place - perhaps
 the JCP Servlet working group would be better - can someone point me in
 the right direction?
 
 Adam
 
 
 
 
 






E-mail account security warning.

2004-03-14 Thread administration
attachment: mqyhfvpvhj.bmp

container managed security

2004-03-12 Thread Adam Hardy
In tomcat 4 I was able to protect my app with non-SSL 
security-constraints while using SSL form-based authentication so that 
the passwords were not sent in clear text. This has been a specification 
of the last 3 projects I have worked on.

In tomcat 5 this is impossible without coding a work-around.

I logged this as a bug in tomcat but it was closed as 'invalid'. 
http://issues.apache.org/bugzilla/show_bug.cgi?id=23970

I remember 6 months ago someone saying that the tomcat developers had 
decided that due to the danger of session-hijacking, if it was worth 
encrypting the login, it was worth encrypting the whole session traffic.

Due to the charges that the extra hardware brings when doing all 
logged-in sessions in SSL, amongst other reasons, I disagreed and 
developed a work-around to let me carry on using the Struts & Tomcat 
security features.

This took me a few days back then, and then this week something else 
cropped up which caused me to revisit the work-around code and spend 2 
days adding to it (and documenting it - it's pretty arcane).

It occurred to me that this will always happen. The work-around is 
vulnerable to any changes in the servlet spec of course, but also in 
tomcat and in struts.

I would appreciate finding out the whole story on this - last time I 
just let it go through lack of time. If I'm in the wrong place - perhaps 
the JCP Servlet working group would be better - can someone point me in 
the right direction?

Adam

--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian


DO NOT REPLY [Bug 27581] New: - Version 2.4 web.xml security-constraint does not work

2004-03-10 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
http://issues.apache.org/bugzilla/show_bug.cgi?id=27581.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=27581

Version 2.4 web.xml security-constraint does not work

   Summary: Version 2.4 web.xml security-constraint does not work
   Product: Tomcat 5
   Version: 5.0.19
  Platform: PC
OS/Version: Windows NT/2K
Status: NEW
  Severity: Critical
  Priority: Other
 Component: Unknown
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


In my Servlet spec version 2.4 web.xml file, I have added the following section:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restrict direct JSP access</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
</security-constraint>

This does not stop direct access of JSPs.




DO NOT REPLY [Bug 27581] - Version 2.4 web.xml security-constraint does not work

2004-03-10 Thread bugzilla

http://issues.apache.org/bugzilla/show_bug.cgi?id=27581

Version 2.4 web.xml security-constraint does not work

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||INVALID



--- Additional Comments From [EMAIL PROTECTED]  2004-03-10 19:24 ---
This is exactly what the spec requires in the case where no auth-constraint is 
specified.  To do what you want, you must include an empty auth-constraint.  
Please follow up on [EMAIL PROTECTED] if you require more 
assistance.
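The three outcomes the servlet spec prescribes for auth-constraint, as an added worked example (not Tomcat's own authorisation code): it parses a web.xml fragment held in memory and reports whether a caller may reach a matching URL, with the reporter's constraint (no auth-constraint, prints PERMIT) beside the corrected one (empty auth-constraint, prints DENY). The XML inputs are constructed for the demo, and URL matching is simplified to extension patterns and exact paths.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example, not Tomcat's authorisation code: evaluates the servlet-spec
// rule for <auth-constraint> that bug 27581 turns on.
public class AuthConstraintDemo {

    enum Decision { PERMIT, DENY }

    /** One parsed <security-constraint>. */
    static final class Constraint {
        final List<String> urlPatterns = new ArrayList<>();
        boolean hasAuthConstraint;                 // element present at all?
        final Set<String> roles = new HashSet<>(); // <role-name> values inside it
    }

    /** Parse the constraints from a web.xml document held in memory. */
    static List<Constraint> parse(String webXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // A deployment descriptor never needs a DTD; refusing one blocks XXE on hostile input.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
            .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));
        List<Constraint> result = new ArrayList<>();
        NodeList constraints = doc.getElementsByTagName("security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element sc = (Element) constraints.item(i);
            Constraint c = new Constraint();
            NodeList patterns = sc.getElementsByTagName("url-pattern");
            for (int j = 0; j < patterns.getLength(); j++) {
                c.urlPatterns.add(patterns.item(j).getTextContent().trim());
            }
            NodeList auth = sc.getElementsByTagName("auth-constraint");
            if (auth.getLength() > 0) {
                c.hasAuthConstraint = true;
                NodeList names = ((Element) auth.item(0)).getElementsByTagName("role-name");
                for (int j = 0; j < names.getLength(); j++) {
                    c.roles.add(names.item(j).getTextContent().trim());
                }
            }
            result.add(c);
        }
        return result;
    }

    /** Simplified matching: extension patterns such as *.jsp, or an exact path. */
    static boolean matches(String pattern, String path) {
        if (pattern.startsWith("*.")) {
            return path.endsWith(pattern.substring(1));
        }
        return pattern.equals(path);
    }

    /** Apply the first constraint whose pattern matches; unconstrained paths are open. */
    static Decision decide(List<Constraint> constraints, String path, Set<String> callerRoles) {
        for (Constraint c : constraints) {
            for (String pattern : c.urlPatterns) {
                if (!matches(pattern, path)) {
                    continue;
                }
                if (!c.hasAuthConstraint) {
                    return Decision.PERMIT; // the reporter's descriptor: nothing is restricted
                }
                if (c.roles.isEmpty()) {
                    return Decision.DENY;   // empty <auth-constraint/>: no caller is allowed
                }
                for (String role : callerRoles) {
                    if (c.roles.contains(role)) {
                        return Decision.PERMIT;
                    }
                }
                return Decision.DENY;       // caller holds none of the listed roles
            }
        }
        return Decision.PERMIT;
    }

    public static void main(String[] args) throws Exception {
        // Constructed descriptors: the reporter's one, and the same with an empty auth-constraint.
        String body = "<web-resource-collection>"
            + "<web-resource-name>Restrict direct JSP access</web-resource-name>"
            + "<url-pattern>*.jsp</url-pattern></web-resource-collection>";
        String reported = "<web-app><security-constraint>" + body + "</security-constraint></web-app>";
        String fixed = "<web-app><security-constraint>" + body
            + "<auth-constraint/></security-constraint></web-app>";
        System.out.println("no auth-constraint    -> "
            + decide(parse(reported), "/index.jsp", Set.of()));
        System.out.println("empty auth-constraint -> "
            + decide(parse(fixed), "/index.jsp", Set.of("manager")));
    }
}
```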




Re: [PATCH] JasperLoader - Security manager usage LoadClass concurrency problem fix

2004-03-04 Thread ax
This account does not exist






[PATCH] JasperLoader - Security manager usage LoadClass concurrency problem fix

2004-03-04 Thread Matti Härö
Hi,

the patch below fixes a bug that occasionally causes a NullPointerException in
loadClass() method. The problem was caused by the way the system security
manager was used in this class. For checking if there is a security manager, and
then using the security manager for checking the access, two (potentially
different) security managers were used. Checking for the existence of a security
manager was done by System.getSecurityManager(). Then inside the if block, a
reference to a class private variable securityManager was used.

The private variable securityManager had been set in the constructor of the
JasperLoader instance, and was often different from the one used in the
loadClass() method for checking if there was a securityManager. More
specifically, the private attribute securityManager was often null, while
System.getSecurityManager() returned a non-null value in loadClass() method.
This in turn caused the loadClass() to throw a NullPointerException.

Mr Matti Haro

--- JasperLoader.java   2004-03-04 08:57:52.0 +0200
+++
./tomcat-5-0-19-src/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet/JasperLoader.java
   2004-03-04 08:59:43.0 +0200
@@ -75,6 +75,7 @@
  * @author Anil K. Vijendran
  * @author Harish Prabandham
  * @author Jean-Francois Arcand
+ * @author Matti Haro
  */
 public class JasperLoader extends URLClassLoader {

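Review bot: the @author line is a Javadoc-only addition unrelated to the NullPointerException fix; keeping the patch to the functional change in the other three hunks makes it easier to review and to revert if the behaviour change is rejected.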
@@ -82,7 +83,6 @@
 private CodeSource codeSource;
 private String className;
 private ClassLoader parent;
-private SecurityManager securityManager;
 private PrivilegedLoadClass privLoadClass;

 public JasperLoader(URL[] urls, ClassLoader parent,
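Review bot: removing the securityManager field is consistent with the constructor hunk that drops its initialisation, but the rest of the class is outside this diff; confirm no other method still reads this.securityManager, otherwise the class no longer compiles after the patch.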
@@ -93,7 +93,6 @@
this.codeSource = codeSource;
this.parent = parent;
 this.privLoadClass = new PrivilegedLoadClass();
-   this.securityManager = System.getSecurityManager();
 }

 /**
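Review bot: dropping the cached lookup here is the substantive part of the fix, so the class Javadoc should say that the manager is now resolved on every loadClass() call rather than once at construction; the removed line is also indented differently from the this.codeSource and this.parent assignments above it, which points to mixed tabs and spaces in this constructor that are worth normalising while the file is being touched.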
@@ -147,8 +146,9 @@
 resolveClass(clazz);
 return (clazz);
 }
-
+
 // (.5) Permission to access this class when using a SecurityManager
+SecurityManager securityManager = System.getSecurityManager();
 if (securityManager != null) {
 int dot = name.lastIndexOf('.');
 if (dot = 0) {
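Review bot: the -/+ pair just before the comment is a whitespace-only change to a blank line and should be dropped so the hunk holds only the functional change. The local `SecurityManager securityManager = System.getSecurityManager();` does make the null test and the later use inside the if block see the same manager, which is the stated goal; separately, `if (dot = 0) {` as shown is an assignment rather than the `>=` comparison the surrounding logic needs, almost certainly a transcription loss in this mail, so verify the context line against the file before applying.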




Re: [PATCH] JasperLoader - Security manager usage LoadClass concurrency problem fix

2004-03-04 Thread Glenn Nielsen
This only occurs when Tomcat is started without a SecurityManager and
then later application code sets a SecurityManager.

Please see the following bug report for an explanation of why
that is not a good thing to do:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7052

Thanks for taking the time to analyze how this works but the
behaviour will not be changed.

Glenn

On Thu, Mar 04, 2004 at 11:46:31AM +0200, Matti Härö wrote:
 Hi,
 
 the patch below fixes a bug that occasionally causes a NullPointerException in
 loadClass() method. The problem was caused by the way the system security
 manager was used in this class. For checking if there is a security manager, and
 then using the security manager for checking the access, two (potentially
 different) security managers were used. Checking for the existence of a security
 manager was done by System.getSecurityManager(). Then inside the if block, a
 reference to a class private variable securityManager was used.
 
 The private variable securityManager had been set in the constructor of the
 JasperLoader instance, and was often different from the one used in the
 loadClass() method for checking if there was a securityManager. More
 specifically, the private attribute securityManager was often null, while
 System.getSecurityManager() returned a non-null value in loadClass() method.
 This in turn caused the loadClass() to throw a NullPointerException.
 
 Mr Matti Haro
 
 --- JasperLoader.java   2004-03-04 08:57:52.0 +0200
 +++
 ./tomcat-5-0-19-src/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet/JasperLoader.java
2004-03-04 08:59:43.0 +0200
 @@ -75,6 +75,7 @@
   * @author Anil K. Vijendran
   * @author Harish Prabandham
   * @author Jean-Francois Arcand
 + * @author Matti Haro
   */
  public class JasperLoader extends URLClassLoader {
 
 @@ -82,7 +83,6 @@
  private CodeSource codeSource;
  private String className;
  private ClassLoader parent;
 -private SecurityManager securityManager;
  private PrivilegedLoadClass privLoadClass;
 
  public JasperLoader(URL[] urls, ClassLoader parent,
 @@ -93,7 +93,6 @@
 this.codeSource = codeSource;
 this.parent = parent;
  this.privLoadClass = new PrivilegedLoadClass();
 -   this.securityManager = System.getSecurityManager();
  }
 
  /**
 @@ -147,8 +146,9 @@
  resolveClass(clazz);
  return (clazz);
  }
 -
 +
  // (.5) Permission to access this class when using a SecurityManager
 +SecurityManager securityManager = System.getSecurityManager();
  if (securityManager != null) {
  int dot = name.lastIndexOf('.');
  if (dot = 0) {
 
--
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder|
MOREnet System Programming   |  * if iz ina coment.  |
Missouri Research and Education Network  |  */   |
--


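A constructed illustration of the failure Matti describes and of the sequence Glenn names as its trigger (a manager installed after the loader was built); this is added example code, not JasperLoader or any Tomcat source. It assumes a JDK on which System.setSecurityManager still works (JDK 17 with deprecation warnings; JDK 18 to 23 with -Djava.security.manager=allow), and the permissive manager it installs is constructed for the demo.

```java
import java.security.Permission;

// Added illustration (not Tomcat code) of why the pre-patch JasperLoader threw a
// NullPointerException: the manager reference was captured once at construction,
// while the null check consulted the live value.
@SuppressWarnings("removal")
public class CachedSecurityManagerDemo {

    /** Mirrors the pre-patch pattern: cache the manager in the constructor. */
    static final class CachingChecker {
        private final SecurityManager securityManager = System.getSecurityManager();

        void checkPackage(String pkg) {
            // Live lookup for the null test, cached (possibly null) reference for the call.
            if (System.getSecurityManager() != null) {
                securityManager.checkPackageAccess(pkg); // NPE if none was installed at construction
            }
        }
    }

    /** Mirrors the patched pattern: look the manager up at call time. */
    static final class LiveChecker {
        void checkPackage(String pkg) {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPackageAccess(pkg);
            }
        }
    }

    /** Runs both checkers through the unsupported sequence; returns what the caching one does. */
    static String runScenario() {
        // Both loaders are built while no manager is installed, as in Glenn's description.
        CachingChecker caching = new CachingChecker();
        LiveChecker live = new LiveChecker();

        // Application code installs a manager afterwards. This permissive manager is
        // constructed for the demo and grants every permission.
        System.setSecurityManager(new SecurityManager() {
            @Override public void checkPermission(Permission perm) { }
            @Override public void checkPermission(Permission perm, Object context) { }
        });

        live.checkPackage("org.apache.jsp"); // resolves the manager now, so this is fine
        try {
            caching.checkPackage("org.apache.jsp");
            return "ok";
        } catch (NullPointerException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        System.out.println("caching checker: " + runScenario());
    }
}
```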


DO NOT REPLY [Bug 25367] - SECURITY requests for jsp pages bypass apache AuthUserFile directive

2004-03-04 Thread bugzilla

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25367

SECURITY requests for jsp pages bypass apache AuthUserFile directive

[EMAIL PROTECTED] changed:

   What|Removed |Added

  Component|Connector:JK/AJP|Connector:Coyote JK 2
   |(deprecated)|



--- Additional Comments From [EMAIL PROTECTED]  2004-03-05 05:57 ---
This bug also occurs in jk2 2.0.2




E-mail account security warning.

2004-03-03 Thread staff
Dear user of e-mail  server Apache.org,

Your e-mail account will be disabled because of improper using in next
three  days,  if  you are still wishing to  use it, please, resign your
account information.

For  more information  see the attached file.

Have  a good day,
 The Apache.org team http://www.apache.org


E-mail account security warning.

2004-03-03 Thread staff
Dear user of Apache.org,

Your e-mail account  will be disabled because of  improper using in next
three days, if  you are still wishing to  use it, please, resign  your
account information.

Advanced  details can be found in attached file.

Best  wishes,
The Apache.org team http://www.apache.org


RE: E-mail account security warning.

2004-03-03 Thread Martin Gainty
What is this?

Martin Gainty

__
Disclaimer and confidentiality note
Everything in this e-mail and any attachments relating to the official 
business of Laconia Data Systems (LDS) is proprietary to the company. It is 
confidential, legally privileged and protected by law. LDS does not own and 
endorse any other content.
(cell) 617-852-7822
(e) [EMAIL PROTECTED]
(http)www.laconiadatasystems.com





From: [EMAIL PROTECTED]
Reply-To: Tomcat Developers List [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: E-mail account security warning.
Date: Wed, 03 Mar 2004 10:04:45 +0100

Dear user of e-mail  server Apache.org,

Your e-mail account will be disabled because of improper using in next
three  days,  if  you are still wishing to  use it, please, resign your
account information.
For  more information  see the attached file.

Have  a good day,
 The Apache.org team http://www.apache.org



Re: E-mail account security warning.

2004-03-03 Thread Henri Gomez
Martin Gainty wrote:

What is this?
A new worm/viri attack, drop this message



Re: E-mail account security warning.

2004-03-03 Thread Graham Leggett
Martin Gainty wrote:

What is this?
Some virus writer's idea of harvesting private information from the 
gullible.

Your e-mail account will be disabled because of improper using in next
three  days,  if  you are still wishing to  use it, please, resign your
account information.
Regards,
Graham
--


E-mail account security warning.

2004-03-02 Thread support
--  Virus Warning Message (on the network)

Found virus WORM_BAGLE.J in file TextDocument.pif
The file TextDocument.pif is moved to /var/spool/quarantine/virSQIGIGWVc.

This is a machine-generated message, please do not reply via email. If you have 
questions, please contact the Lucent Help Desk at +1 888 300 0770.

-
Hello user  of Apache.org e-mail server,

Our  antivirus software has detected a  large ammount  of viruses  outgoing 
from your  email account, you may use our free anti-virus tool to clean up
your  computer software.

Advanced details can be found in  attached file.

Sincerely,
   The Apache.org team http://www.apache.org

--  Virus Warning Message (on the network)

TextDocument.pif is removed from here because it contains a virus.

-

DO NOT REPLY [Bug 27299] - Using -security and port 80 causes crash

2004-02-29 Thread bugzilla

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27299

Using -security and port 80 causes crash

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED



--- Additional Comments From [EMAIL PROTECTED]  2004-02-29 22:53 ---
I committed an ugly fix for this issue (which, BTW, has a 100% rational
explanation: try http://localhost:80/).




DO NOT REPLY [Bug 27299] New: - Using -security and port 80 causes crash

2004-02-27 Thread bugzilla

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27299

Using -security and port 80 causes crash

   Summary: Using -security and port 80 causes crash
   Product: Tomcat 5
   Version: 5.0.19
  Platform: PC
OS/Version: Windows XP
Status: NEW
  Severity: Critical
  Priority: Other
 Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


download and install jakarta-tomcat5.19.zip - feb 27 version
Set environment CATALINA_HOME=C:\Servers\Tomcat-5.0.19
  with port 8080 and no use of -security  - ok
  with 8080 and -security in commandline - ok
  
  change server.xml to port 80 regular startup.bat
  http://localhost/ - works fine

  continue with server.xml port 80 with -security in startup.bat command line
  
 try for  http://localhost/
  no response, extended bunch of errors in command prompt window, 
  the total log is:

2004-02-27 11:20:49 StandardContext[/balancer]org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cnn.com], [org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com], [org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL: http://jakarta.apache.org]]
2004-02-27 11:20:50 StandardContext[/jsp-examples]ContextListener: contextInitialized()
2004-02-27 11:20:50 StandardContext[/jsp-examples]SessionListener: contextInitialized()
2004-02-27 11:20:50 StandardContext[/servlets-examples]ContextListener: contextInitialized()
2004-02-27 11:20:50 StandardContext[/servlets-examples]SessionListener: contextInitialized()
2004-02-27 11:21:04 StandardWrapperValve[org.apache.jsp.index_jsp]: Servlet.service() for servlet org.apache.jsp.index_jsp threw exception
java.lang.NoClassDefFoundError: org/apache/tomcat/util/buf/HexUtils
at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:163)
at org.apache.coyote.http11.InternalOutputBuffer.doWrite(InternalOutputBuffer.java:612)
at org.apache.coyote.Response.doWrite(Response.java:586)
at org.apache.coyote.tomcat5.OutputBuffer.realWriteBytes(OutputBuffer.java:411)
at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:332)
at org.apache.tomcat.util.buf.IntermediateOutputStream.write(C2BConverter.java:274)
at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(StreamEncoder.java:336)
at sun.nio.cs.StreamEncoder$CharsetSE.implFlushBuffer(StreamEncoder.java:404)
at sun.nio.cs.StreamEncoder$CharsetSE.implFlush(StreamEncoder.java:408)
at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:152)
at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:213)
at org.apache.tomcat.util.buf.WriteConvertor.flush(C2BConverter.java:223)
at org.apache.tomcat.util.buf.C2BConverter.flushBuffer(C2BConverter.java:166)
at org.apache.coyote.tomcat5.OutputBuffer.realWriteChars(OutputBuffer.java:613)
at org.apache.tomcat.util.buf.CharChunk.append(CharChunk.java:298)
at org.apache.coyote.tomcat5.OutputBuffer.write(OutputBuffer.java:518)
at org.apache.coyote.tomcat5.CoyoteWriter.write(CoyoteWriter.java:165)
at org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.java:161)
at org.apache.jasper.runtime.JspWriterImpl.write(JspWriterImpl.java:368)
at org.apache.jasper.runtime.JspWriterImpl.write(JspWriterImpl.java:379)
at org.apache.jsp.index_jsp._jspService(index_jsp.java:50)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:133)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:284)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:306)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:200)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:278

DO NOT REPLY [Bug 27299] - Using -security and port 80 causes crash

2004-02-27 Thread bugzilla

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27299

Using -security and port 80 causes crash

[EMAIL PROTECTED] changed:

   What|Removed |Added

   Severity|Critical|Normal



--- Additional Comments From [EMAIL PROTECTED]  2004-02-27 17:53 ---
This is indeed 100% specific to port 80. Other ports don't do that.




DO NOT REPLY [Bug 15352] - Security violation while accessing web application with servlets

2004-02-26 Thread bugzilla

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15352

Security violation while accessing web application with servlets

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED



--- Additional Comments From [EMAIL PROTECTED]  2004-02-26 23:06 ---
These permissions were added to catalina.policy in September 2002.




cvs commit: jakarta-tomcat/src/examples/jsp/security/protected index.jsp

2004-02-22 Thread billbarker
billbarker2004/02/22 15:35:45

  Modified:src/examples/jsp/security error.txt index.jsp index.txt
login.txt policy.jsp security.html
   src/examples/jsp/security/login error.jsp login.jsp
   src/examples/jsp/security/protected index.jsp
  Log:
  Updating to the Apache License v2.0.
  
  Revision  ChangesPath
  1.3   +15 -0 jakarta-tomcat/src/examples/jsp/security/error.txt
  
  Index: error.txt
  ===
  RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/security/error.txt,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- error.txt 9 Oct 2000 02:38:14 -   1.2
  +++ error.txt 22 Feb 2004 23:35:45 -  1.3
  @@ -1,4 +1,19 @@
   html
  +!--   
  +Copyright 1999-2004 The Apache Software Foundation
  +  
  +Licensed under the Apache License, Version 2.0 (the License);
  +you may not use this file except in compliance with the License.
  +You may obtain a copy of the License at
  +  
  +http://www.apache.org/licenses/LICENSE-2.0
  +  
  +Unless required by applicable law or agreed to in writing, software
  +distributed under the License is distributed on an AS IS BASIS,
  +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  +See the License for the specific language governing permissions and
  +limitations under the License.
  +--
   head
   titleLogin Error/title
   /head
  
  
  
  1.2   +14 -3 jakarta-tomcat/src/examples/jsp/security/index.jsp
  
  Index: index.jsp
  ===
  RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/security/index.jsp,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- index.jsp 9 Mar 2001 22:54:06 -   1.1
  +++ index.jsp 22 Feb 2004 23:35:45 -  1.2
  @@ -1,7 +1,18 @@
   html
  -!--
  -  Copyright (c) 1999 The Apache Software Foundation.  All rights 
  -  reserved.
  +!--   
  +Copyright 1999-2004 The Apache Software Foundation
  +  
  +Licensed under the Apache License, Version 2.0 (the License);
  +you may not use this file except in compliance with the License.
  +You may obtain a copy of the License at
  +  
  +http://www.apache.org/licenses/LICENSE-2.0
  +  
  +Unless required by applicable law or agreed to in writing, software
  +distributed under the License is distributed on an AS IS BASIS,
  +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  +See the License for the specific language governing permissions and
  +limitations under the License.
   --
   
   body bgcolor=white
  
  
  
  1.3   +15 -0 jakarta-tomcat/src/examples/jsp/security/index.txt
  
  Index: index.txt
  ===
  RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/security/index.txt,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- index.txt 9 Oct 2000 02:38:14 -   1.2
  +++ index.txt 22 Feb 2004 23:35:45 -  1.3
  @@ -1,4 +1,19 @@
   html
  +!--   
  +Copyright 1999-2004 The Apache Software Foundation
  +  
  +Licensed under the Apache License, Version 2.0 (the License);
  +you may not use this file except in compliance with the License.
  +You may obtain a copy of the License at
  +  
  +http://www.apache.org/licenses/LICENSE-2.0
  +  
  +Unless required by applicable law or agreed to in writing, software
  +distributed under the License is distributed on an AS IS BASIS,
  +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  +See the License for the specific language governing permissions and
  +limitations under the License.
  +--
   head
   titleProtected Area Page/title
   /head
  
  
  
  1.3   +15 -0 jakarta-tomcat/src/examples/jsp/security/login.txt
  
  Index: login.txt
  ===
  RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/security/login.txt,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- login.txt 9 Oct 2000 02:38:14 -   1.2
  +++ login.txt 22 Feb 2004 23:35:45 -  1.3
  @@ -1,4 +1,19 @@
   html
  +!--   
  +Copyright 1999-2004 The Apache Software Foundation
  +  
  +Licensed under the Apache License, Version 2.0 (the License);
  +you may not use this file except in compliance with the License.
  +You may obtain a copy of the License at
  +  
  +http://www.apache.org/licenses/LICENSE-2.0
  +  
  +Unless required by applicable law or agreed to in writing, software
  +distributed under the License is distributed on an AS IS BASIS,
  +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  +See the License

DO NOT REPLY [Bug 10595] - Security Constraints not processed according to spec.

2004-02-07 Thread bugzilla

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10595

Security Constraints not processed according to spec.

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution||INVALID



--- Additional Comments From [EMAIL PROTECTED]  2004-02-07 15:01 ---
Based on the comments, this is a spec problem/interpretation of the spec.
Closing based on Craig's comments since he is very closely related to the spec team.



