[Win32] Tomcat 5.0.7 no longer autostart in Apache 2

2003-08-17 Thread Juergen Heckel
Hi,
Tomcat 4.1.x could be autostarted from Apache2 with these lines in
workers2.properties:
[worker.jni:onStartup]
class=org/apache/jk/apr/TomcatStarter
ARG=start
disabled=0
[worker.jni:onShutdown]
class=org/apache/jk/apr/TomcatStarter
ARG=stop
disabled=0


Tomcat 5.0.7 doesn't do this autostart:

[error] workerEnv.initWorkers() init failed for worker.jni:onStartup
[notice] jni.validate() class= org/apache/jk/apr/TomcatStarter
[error] Can't find class org/apache/jk/apr/TomcatStarter
I did not find a solution in the documents :-(
--
Juergen Heckel
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Getting mod_jk2 : Slackware FreeBSD and Tomcat

2003-08-17 Thread Decio Jr.
Has anyone built a mod_jk2.so file for FreeBSD5.1 and Linux (Slackware)?
I got the mod_jk2.so file in Slackware successfully but NOT with FreeBSD 5.1.
 
I have libtool 1.4.3 in Slackware and 1.4.2 in FreeBSD and the package
jakarta-tomcat-connectors-4.1.27.

Any idea?

Thanks!

Decio





About server.xml

2003-08-17 Thread Alexander Vavilin
Hello all,

I am new to Tomcat, so can anybody explain or advise an article about
these elements. Especially I can't understand the meaning of elements:
Logger, Ejb, Environment, Parameter, Resource,
ResourceParams, ResourceLink.

Thanks in advance.

<Context path="/examples" docBase="examples" debug="0"
         reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_examples_log." suffix=".txt"
          timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity"
       home="com.wombat.empl.EmployeeRecordHome"
       remote="com.wombat.empl.EmployeeRecord"/>
  <Environment name="maxExemptions" type="java.lang.Integer"
               value="15"/>
  <Parameter name="context.param.name" value="context.param.value"
             override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
            type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name>
      <value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name>
      <value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container"
            type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource"
                global="simpleValue"
                type="java.lang.Integer"/>
</Context>

-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]





Re: About server.xml

2003-08-17 Thread Eric J. Pinnell
Hi,

The Wrox Professional Tomcat book does a pretty good job dissecting this
file.  If you don't find your answers in the docs or on the list you might
want to look there.

-e

On Sun, 17 Aug 2003, Alexander Vavilin wrote:

 Hello all,

 I am new to Tomcat, so can anybody explain or advise an article about
 these elements. Especially I can't understand the meaning of elements:
 Logger, Ejb, Environment, Parameter, Resource,
 ResourceParams, ResourceLink.

 Thanks in advance.

 <Context path="/examples" docBase="examples" debug="0"
          reloadable="true" crossContext="true">
   <Logger className="org.apache.catalina.logger.FileLogger"
           prefix="localhost_examples_log." suffix=".txt"
           timestamp="true"/>
   <Ejb name="ejb/EmplRecord" type="Entity"
        home="com.wombat.empl.EmployeeRecordHome"
        remote="com.wombat.empl.EmployeeRecord"/>
   <Environment name="maxExemptions" type="java.lang.Integer"
                value="15"/>
   <Parameter name="context.param.name" value="context.param.value"
              override="false"/>
   <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
             type="javax.sql.DataSource"/>
   <ResourceParams name="jdbc/EmployeeAppDb">
     <parameter><name>user</name><value>sa</value></parameter>
     <parameter><name>password</name><value></value></parameter>
     <parameter><name>driverClassName</name>
       <value>org.hsql.jdbcDriver</value></parameter>
     <parameter><name>driverName</name>
       <value>jdbc:HypersonicSQL:database</value></parameter>
   </ResourceParams>
   <Resource name="mail/Session" auth="Container"
             type="javax.mail.Session"/>
   <ResourceParams name="mail/Session">
     <parameter>
       <name>mail.smtp.host</name>
       <value>localhost</value>
     </parameter>
   </ResourceParams>
   <ResourceLink name="linkToGlobalResource"
                 global="simpleValue"
                 type="java.lang.Integer"/>
 </Context>

 --
 Best regards,
  Alexander  mailto:[EMAIL PROTECTED]





Re: Getting mod_jk2 : Slackware FreeBSD and Tomcat

2003-08-17 Thread Eric J. Pinnell
Try using the 2.0.2 JK2 source:

http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk2/release/v2.0.2/src/

-e

On Sun, 17 Aug 2003, Decio Jr. wrote:

 Has anyone built a mod_jk2.so file for FreeBSD5.1 and Linux (Slackware)?
 I got the mod_jk2.so file in Slackware successfully but NOT with FreeBSD 5.1.

 I have libtool 1.4.3 in Slackware and 1.4.2 in FreeBSD and the package
 jakarta-tomcat-connectors-4.1.27.

 Any idea?

 Thanks!

 Decio





Can't find startup scripts after installing Linux RPM

2003-08-17 Thread Roy Smith
I'm running RedHat 8.0.  Following the instructions in Tomcat: The 
Definitive Guide, I downloaded and installed 
tomcat4-4.1.24-full.2jpp.noarch.rpm.

Under Starting Up and Shutting Down (page 13), the book says I should 
be able to find startup scripts in the bin subdirectory, by which I 
assume they mean /var/tomcat4/bin/.  However, in that directory, all I 
see are:

bootstrap.jar
commons-daemon.jar
tomcat-jni.jar
In fact, I don't see the catalina.sh startup script anywhere:

[EMAIL PROTECTED] tomcat4]# find / -name '*catalina*' -print
/var/tomcat4/server/lib/catalina-ant.jar
/var/tomcat4/server/lib/catalina.jar
/var/tomcat4/webapps/tomcat-docs/catalina
/var/tomcat4/webapps/tomcat-docs/catalina/docs/api/org/apache/catalina
/etc/tomcat4/catalina.policy
What am I doing wrong?



Re: How To Build mod_jk?????

2003-08-17 Thread Bongrip
Eric J. Pinnell wrote:
Hi,

I don't use ant.  I use make.  It appears that you are trying to build
JK2.
In the native2 directory:

./configure --with-apxs2=/path/to/apache/bin/apxs
make


Yes, that was exactly what I was trying. configure and make both 
complete fine, however I never get the 2 resulting .so files anywhere in 
the filesystem.

???

-CC



Re: Can't find startup scripts after installing Linux RPM

2003-08-17 Thread Richard Dunn
On Sunday 17 August 2003 10:05, Roy Smith wrote:
 I'm running RedHat 8.0.  Following the instructions in Tomcat: The
 Definitive Guide, I downloaded and installed
 tomcat4-4.1.24-full.2jpp.noarch.rpm.

 Under Starting Up and Shutting Down (page 13), the book says I should
 be able to find startup scripts in the bin subdirectory, by which I
 assume they mean /var/tomcat4/bin/.  However, in that directory, all I
 see are:

 bootstrap.jar
 commons-daemon.jar
 tomcat-jni.jar

 In fact, I don't see the catalina.sh startup script anywhere:

 [EMAIL PROTECTED] tomcat4]# find / -name '*catalina*' -print
 /var/tomcat4/server/lib/catalina-ant.jar
 /var/tomcat4/server/lib/catalina.jar
 /var/tomcat4/webapps/tomcat-docs/catalina
 /var/tomcat4/webapps/tomcat-docs/catalina/docs/api/org/apache/catalina
 /etc/tomcat4/catalina.policy


 What am I doing wrong?

Using an RPM.

I have several servers running Redhat 8.0 and Tomcat (4.1.24 and 5.07) and it
is a breeze to setup using a tarball (e.g. jakarta-tomcat-4.1.24.tar.gz).
Just copy it to /usr/local (or wherever you want) and type tar xvfz
jakarta-tomcat-4.1.24.tar.gz and you have installed it. Whenever I have
tried the RPM approach (and looking at the submitted problems in the list I
am not the only one) I have had problems. At least for tomcat (or Apache), I
recommend staying away from the RPM distributions.




Tomcat and Static Variables

2003-08-17 Thread John Blanco
I've got a book (extra credit to who can name it) 
which uses a Counter servlet as an example of how 
servlet containers handle static variables.

It claims that aliases (I may be wrong on this, it's 
hard to decipher the difference between JWS and Tomcat 
lingo) will create different instances to the target 
Servlet, but static variables are recognized.  So 
access to one servlet instance might result in:

My Counter = 5, Global Counter = 8

While access to the other counter might have given 
you:

My Counter = 4, Global Counter = 8

The global counter would be a count for the two 
instances combined (via the *static* field) and the 
my counter would be for the instance via a standard
field.

I've tried pointing to the same WebApp via two 
different Contexts, but the two apps are treated as
completely separate, and the static variable doesn't 
hold.  This is correct...two contexts should never 
interfere.

The question is how I can replicate the above behavior 
so static variables are spanned across more than one 
instance?  Can anyone point me at a Tomcat scoping 
document?

-- 
- John Blanco
- Code Guru @ Rapture In Venice
- http://members.bbnow.net/jblanco




Tomcat 5 and well-formed XHTML

2003-08-17 Thread Sjoerd van Leent
I want to run this code on tomcat 5, on port 8080 in Internet Explorer,
but something strange happens:

When I run the following code

::: CODE :::

<?xml version="1.0" encoding="ISO-8859-1" ?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">

<jsp:directive.page language="java"
contentType="text/html ; charset=ISO-8859-1"
pageEncoding="ISO-8859-1" />

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en">
<head>
<title>Test2</title>
</head>
<body>
<div>
Test2
</div>
</body>

</html>

</jsp:root>

::: END CODE :::

You will expect a nice XHTML page from it. In Netscape and Mozilla it is
exactly this, but when running in IE6, I get an XML-tree instead of a
page, which I expected.

Also when I look at the properties, I note a strange value, the Type
value of the page contains JavaServer Page, which shouldn't be filled
at all. So how can I change this, so I get IE6 working?

Thanks in advance,
Sjoerd van Leent






Re: Can't find startup scripts after installing Linux RPM

2003-08-17 Thread Roy Smith
On Sunday, August 17, 2003, at 12:50  PM, Richard Dunn wrote:

What am I doing wrong?
Using an RPM.
I should have learned by now that RPM's are evil.  I'm not sure what 
made me pick that option this time.  Anyway, I grabbed the tar file, 
installed it that way, and all is well.  Thanks!



Session Security

2003-08-17 Thread Todd O'Bryan
Is there any block against someone stealing someone else's session id 
and using it for nefarious purposes? In other words, if I write a grade 
book program, could a sharp student write down the session id from a 
web address (if cookies are off) or look in the teacher's cookie file, 
and then go to a computer in the library and use the same session id to 
connect to the grade book page before the teacher logs out?

Does the session id check itself against the issuing computer's IP 
address or anything to prevent such a thing from happening? I realize 
it's a stretch that someone might leave their computer unattended long 
enough for such a thing to happen, but I just want to be sure. Also, 
could someone listening in to the net traffic grab the session id and 
then use it?

Thanks,
Todd


RE: How to trigger events from tomcat?

2003-08-17 Thread Berry, Layton
Use the java.util.Timer class.  It has been around since Java 1.3.

-Original Message-
From: Sjoerd van Leent [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 8:04 AM
To: 'Tomcat Users List'
Subject: RE: How to trigger events from tomcat?


It seems the best way to do it is in a process or a thread, running
aside the regular web-application. This indeed uses an infinite loop to
check on times. You should be able to set this process as a low-priority
process, so it doesn't consume too much processor time.

I don't know if there is anything like a Timer in Java which you could
use, where it triggers on a timer interrupt. This should make it even
more lightweight.

Regards,
Sjoerd

-Original Message-
From: Prince [mailto:[EMAIL PROTECTED] 
Sent: donderdag 25 juli 2002 16:41
To: Tomcat Users List
Subject: How to trigger events from tomcat?

hi,

I am developing a web based appointment scheduler. The data is stored in
xml format.  i am using tomcat/jsp/servlet

for example if i added a new appointment , the program will ask for  a
reminder time. I am giving 08/08/2003 10:30
 so at 08/08/2003 10:30 an email should be sent to me saying that u have
an appointment.

how can i trigger for appointments. ie some method should be there to
check if the appointment time is due on each second. Can i put an
infinite loop some how?

thanks n  regds
Prince





Re: Session Security

2003-08-17 Thread Richard Dunn
On Sunday 17 August 2003 12:44, Todd O'Bryan wrote:
 Is there any block against someone stealing someone else's session id
 and using it for nefarious purposes? In other words, if I write a grade
 book program, could a sharp student write down the session id from a
 web address (if cookies are off) or look in the teacher's cookie file,
 and then go to a computer in the library and use the same session id to
 connect to the grade book page before the teacher logs out?

 Does the session id check itself against the issuing computer's IP
 address or anything to prevent such a thing from happening? I realize
 it's a stretch that someone might leave their computer unattended long
 enough for such a thing to happen, but I just want to be sure. Also,
 could someone listening in to the net traffic grab the session id and
 then use it?

 Thanks,
 Todd

I am not a security expert, but if someone with my limited knowledge on
security can use a tool like tcpdump and do some of what you're saying (and I
have), a nefarious type whose primary interest is doing this type of thing
certainly can.

The number of possible exploits is endless, but for a start I would suggest
using SSL to encrypt the login info and data going over the wire. There are
things you can do programmatically to check for the computer's IP, but this
can also be spoofed by someone with even a little knowledge.

I would recommend getting a good book on security. There are things you can do 
at the system admin level to decrease the chance of a security breach, but 
you also have to put the right stuff in your programs. Holes on either one 
can negate the other.




RE: Session Security

2003-08-17 Thread Sjoerd van Leent
An easy workaround is to save the client IP-address in the session, and
check on each page whether this IP-address is the address the client has. It's
not waterproof, but it makes it far more difficult (ensure that a good
router is available).

Sjoerd van Leent

-Original Message-
From: Richard Dunn [mailto:[EMAIL PROTECTED] 
Sent: zondag 17 augustus 2003 21:02
To: Tomcat Users List
Subject: Re: Session Security

On Sunday 17 August 2003 12:44, Todd O'Bryan wrote:
 Is there any block against someone stealing someone else's session id
 and using it for nefarious purposes? In other words, if I write a grade
 book program, could a sharp student write down the session id from a
 web address (if cookies are off) or look in the teacher's cookie file,
 and then go to a computer in the library and use the same session id to
 connect to the grade book page before the teacher logs out?

 Does the session id check itself against the issuing computer's IP
 address or anything to prevent such a thing from happening? I realize
 it's a stretch that someone might leave their computer unattended long
 enough for such a thing to happen, but I just want to be sure. Also,
 could someone listening in to the net traffic grab the session id and
 then use it?

 Thanks,
 Todd

I am not a security expert, but if someone with my limited knowledge on
security can use a tool like tcpdump and do some of what you're saying (and I
have), a nefarious type whose primary interest is doing this type of thing
certainly can.

The number of possible exploits is endless, but for a start I would suggest
using SSL to encrypt the login info and data going over the wire. There are
things you can do programmatically to check for the computer's IP, but this
can also be spoofed by someone with even a little knowledge.

I would recommend getting a good book on security. There are things you can do
at the system admin level to decrease the chance of a security breach, but
you also have to put the right stuff in your programs. Holes on either one
can negate the other.




How To Build mod_jk2 with JNI Support

2003-08-17 Thread Bongrip
I get this error during configure:

need to check for Perl first, apxs depends on it...
checking for perl... /usr/bin/perl
building connector for apache-2.0
configure: error: valid apr source dir location required
Here is my configure command:
./configure --with-apxs2=/usr/local/apache2/bin/apxs 
--with-tomcat41=/usr/local/jakarta-tomcat-4.1.27 
--with-java-home=/usr/local/jakarta-tomcat-4.1.27/j2sdk1.4.2 --with-jni 
--with-apache13=no --with-apr=/usr/local/src/httpd-2.0.47/srclib/apr

Any ideas?

Thx,
CC


Cannot Solve jdbc is not bound is this Context problem

2003-08-17 Thread Alan Nesbitt
We have been trying for over a week to solve this problem. It doesn't help
that we haven't used tomcat before, but our application works fine on
WebSphere. So I guess that it is some configuration that we are missing.
We are trying to configure tomcat (4.1.24) to do a jndi lookup of a
DataSource which is a db2 jdbc app driver.

The Tomcat server.xml had a sample jdbc configuration which was modified to
the following...

<Resource name="jdbc/SURESWIT" auth="Container"
          type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/SURESWIT">
  <parameter><name>user</name><value></value></parameter>
  <parameter><name>password</name><value></value></parameter>
  <parameter><name>driverClassName</name>
    <value>COM.ibm.db2.jdbc.app.DB2Driver</value></parameter>
  <parameter><name>driverName</name>
    <value>jdbc:db2:SWPPDB2</value></parameter>
</ResourceParams>

The web.xml includes

<resource-ref>
  <res-ref-name>jdbc/SURESWIT</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>

The Java code performs the following :-

if (ds == null)
{
    try {
        Context ctx = new InitialContext();
        ds = (javax.sql.DataSource) ctx.lookup("jdbc/SURESWIT");
        ctx.close();
    }
    catch (Exception e)
    {
        logger.text(IRecordType.TYPE_ERROR_EXC,
                    className,
                    "init(ServletConfig)",
                    "Naming service exception:" + e.toString());
    }
}

When the above code runs it throws the following exception
init(ServletConfig) Naming service
exception:javax.naming.NameNotFoundException:
Name jdbc is not bound in this Context

I have copied the DB2 jdbc driver file to $CATALINA_HOME/common/lib (I
copied it both as .zip and .tar as some web resources suggested tomcat would
only recognise it as .tar)

ANY and I mean ANY help would be greatly appreciated. Even if it's to say it
doesn't work with tomcat.

Many thanks Alan





Re: Cannot Solve jdbc is not bound is this Context problem

2003-08-17 Thread Alan Nesbitt
Of course I did mean .jar
 I have copied the DB2 jdbc driver file to $CATALINA_HOME/common/lib (I
 copied it both as .zip and .tar as some web resources suggested tomcat would
 only recognise it as .tar)

- Original Message -
From: Alan Nesbitt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 8:25 PM
Subject: Cannot Solve jdbc is not bound is this Context problem


 We have been trying for over a week to solve this problem. It doesn't help
 that we haven't used tomcat before, but our application works fine on
 WebSphere. So I guess that it is some configuration that we are missing.
 We are trying to configure tomcat (4.1.24) to do a jndi lookup of a
 DataSource which is a db2 jdbc app driver.

 The Tomcat server.xml had a sample jdbc configuration which was modified to
 the following...

 <Resource name="jdbc/SURESWIT" auth="Container"
           type="javax.sql.DataSource"/>
 <ResourceParams name="jdbc/SURESWIT">
   <parameter><name>user</name><value></value></parameter>
   <parameter><name>password</name><value></value></parameter>
   <parameter><name>driverClassName</name>
     <value>COM.ibm.db2.jdbc.app.DB2Driver</value></parameter>
   <parameter><name>driverName</name>
     <value>jdbc:db2:SWPPDB2</value></parameter>
 </ResourceParams>

 The web.xml includes

 <resource-ref>
   <res-ref-name>jdbc/SURESWIT</res-ref-name>
   <res-type>javax.sql.DataSource</res-type>
   <res-auth>Container</res-auth>
 </resource-ref>

 The Java code performs the following :-

 if (ds == null)
 {
     try {
         Context ctx = new InitialContext();
         ds = (javax.sql.DataSource) ctx.lookup("jdbc/SURESWIT");
         ctx.close();
     }
     catch (Exception e)
     {
         logger.text(IRecordType.TYPE_ERROR_EXC,
                     className,
                     "init(ServletConfig)",
                     "Naming service exception:" + e.toString());
     }
 }

 When the above code runs it throws the following exception
 init(ServletConfig) Naming service
 exception:javax.naming.NameNotFoundException:
 Name jdbc is not bound in this Context

 I have copied the DB2 jdbc driver file to $CATALINA_HOME/common/lib (I
 copied it both as .zip and .tar as some web resources suggested tomcat would
 only recognise it as .tar)

 ANY and I mean ANY help would be greatly appreciated. Even if it's to say it
 doesn't work with tomcat.

 Many thanks Alan





RE: Session Security

2003-08-17 Thread Mike Cherichetti (Renegade Internet)
Todd,

Putting the IP address of the user in the session won't work too well.  An
AOL user for example may have a different IP address every time they send in
a request.  And, it's obviously possible for someone to spoof an IP
address.

The best solution I've found to prevent sessions from being stolen is to use
a one time access token.  The token, which I usually create by doing MD5(ip
+ timestamp + random #), gets stored in a cookie and in the session itself.
So, say a user logs in, they get a token and when they come back with their
next request they send in that token.  Your authentication logic checks the
token in the cookie against the token in the session and handles accepting
or denying the request.  When the response is processed, you give them a new
token and continue this cycle for all requests to follow.

Now, let's say someone manages to steal the session.  That person is going to
get a different token than the legitimate user that's logged in currently
has.  So, when the legitimate user sends in their next request with a wrong
token, you should catch that the session has been compromised and invalidate
it immediately.  This will result in the malicious user being kicked out.

Still, this isn't a perfect solution because most users forget to log out.
Using a low timeout value for the session is the only way I know of to deal
with this scenario.  You could run your application under HTTPS instead of
HTTP too if that's an option :)

Hope that helps,
Mike

-Original Message-
From: Todd O'Bryan [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 2:45 PM
To: [EMAIL PROTECTED]
Subject: Session Security


Is there any block against someone stealing someone else's session id
and using it for nefarious purposes? In other words, if I write a grade
book program, could a sharp student write down the session id from a
web address (if cookies are off) or look in the teacher's cookie file,
and then go to a computer in the library and use the same session id to
connect to the grade book page before the teacher logs out?

Does the session id check itself against the issuing computer's IP
address or anything to prevent such a thing from happening? I realize
it's a stretch that someone might leave their computer unattended long
enough for such a thing to happen, but I just want to be sure. Also,
could someone listening in to the net traffic grab the session id and
then use it?

Thanks,
Todd
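
The rotating one-time token scheme described in the message above, as an added Java example that is not part of the original post or of Tomcat. Assumptions: every class and method name is hypothetical, an in-memory map stands in for per-session state in HttpSession, and the token comes from SecureRandom rather than MD5(ip + timestamp + random #).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration: all names are hypothetical; TokenStore stands in for
// per-session state that a servlet filter would keep in HttpSession.
public class RotatingTokenDemo {

    enum Result { ACCEPTED, MISMATCH_SESSION_INVALIDATED, NO_SESSION }

    static final class Outcome {
        final Result result;
        final String nextToken; // non-null only when ACCEPTED
        Outcome(Result result, String nextToken) {
            this.result = result;
            this.nextToken = nextToken;
        }
    }

    static final class TokenStore {
        private final SecureRandom rng = new SecureRandom();
        private final Map<String, String> expected = new HashMap<>();

        // 256 random bits from a CSPRNG; assumption: used here in place of
        // MD5(ip + timestamp + random #), whose inputs are partly guessable.
        private String newToken() {
            byte[] raw = new byte[32];
            rng.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        }

        // After a successful login: remember the token and hand it to the client.
        synchronized String login(String sessionId) {
            String token = newToken();
            expected.put(sessionId, token);
            return token;
        }

        // Per request: compare, then either rotate the token or kill the session.
        synchronized Outcome check(String sessionId, String presented) {
            String want = expected.get(sessionId);
            if (want == null) {
                return new Outcome(Result.NO_SESSION, null);
            }
            // Constant-time comparison of the stored and presented tokens.
            boolean match = presented != null && MessageDigest.isEqual(
                    want.getBytes(StandardCharsets.US_ASCII),
                    presented.getBytes(StandardCharsets.US_ASCII));
            if (!match) {
                // A stale or wrong token means two parties share the session id.
                expected.remove(sessionId);
                return new Outcome(Result.MISMATCH_SESSION_INVALIDATED, null);
            }
            String next = newToken();
            expected.put(sessionId, next);
            return new Outcome(Result.ACCEPTED, next);
        }
    }

    public static void main(String[] args) {
        TokenStore store = new TokenStore();
        String sid = "CONSTRUCTED-SESSION-ID"; // constructed sample value

        String t0 = store.login(sid);
        Outcome user1 = store.check(sid, t0); // the logged-in user's request
        System.out.println("user, fresh token: " + user1.result);

        // Session id and current token are copied and used from another machine.
        Outcome copy1 = store.check(sid, user1.nextToken);
        System.out.println("copy, same token:  " + copy1.result);

        // The user's browser still holds the token the copy just consumed.
        Outcome user2 = store.check(sid, user1.nextToken);
        System.out.println("user, stale token: " + user2.result);

        // The session is gone, so the token issued to the copy is worthless.
        Outcome copy2 = store.check(sid, copy1.nextToken);
        System.out.println("copy, after kill:  " + copy2.result);
    }
}
```

Parallel requests from one browser (frames, images, the back button) race on the token and look exactly like a theft, so an application using this has to serialize token-bearing requests. The cookie carrying the token still needs HTTPS, otherwise it can be read off the wire along with the session id.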





Re: Any WebObjects users?

2003-08-17 Thread peter mcgregor
Hi,

I've deployed WebObjects 5.1.

cheers

peter

On Friday, August 15, 2003, at 10:35  AM, Randall Perry wrote:

I'm trying to deploy some test WebObjects apps in Tomcat servlet containers
and am having problems. Very few people on the WO lists seem to be using
Tomcat for deployment.

If anyone here has had success deploying either WAR files or SSDD please
let me know.

--
Randall Perry
sysTame
Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales
http://www.systame.com/





RE: Session Security

2003-08-17 Thread Sjoerd van Leent
Here is a question to do the same without cookies, so storing something
in a cookie just won't work at all. I know that an IP address is not the
best solution at all, but when you're using an internal network, it will
work. I agree that using an IP address is by far not the best solution,
but the odds are low...

Sjoerd

-Original Message-
From: Mike Cherichetti (Renegade Internet)
[mailto:[EMAIL PROTECTED] 
Sent: zondag 17 augustus 2003 22:29
To: Tomcat Users List
Subject: RE: Session Security

Todd,

Putting the IP address of the user in the session won't work too well.  An
AOL user for example may have a different IP address every time they send in
a request.  And, it's obviously possible for someone to spoof an IP
address.

The best solution I've found to prevent sessions from being stolen is to use
a one time access token.  The token, which I usually create by doing MD5(ip
+ timestamp + random #), gets stored in a cookie and in the session itself.
So, say a user logs in, they get a token and when they come back with their
next request they send in that token.  Your authentication logic checks the
token in the cookie against the token in the session and handles accepting
or denying the request.  When the response is processed, you give them a new
token and continue this cycle for all requests to follow.

Now, let's say someone manages to steal the session.  That person is going to
get a different token than the legitimate user that's logged in currently
has.  So, when the legitimate user sends in their next request with a wrong
token, you should catch that the session has been compromised and invalidate
it immediately.  This will result in the malicious user being kicked out.

Still, this isn't a perfect solution because most users forget to log out.
Using a low timeout value for the session is the only way I know of to deal
with this scenario.  You could run your application under HTTPS instead of
HTTP too if that's an option :)

Hope that helps,
Mike

-Original Message-
From: Todd O'Bryan [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 2:45 PM
To: [EMAIL PROTECTED]
Subject: Session Security


Is there any block against someone stealing someone else's session id
and using it for nefarious purposes? In other words, if I write a grade
book program, could a sharp student write down the session id from a
web address (if cookies are off) or look in the teacher's cookie file,
and then go to a computer in the library and use the same session id to
connect to the grade book page before the teacher logs out?

Does the session id check itself against the issuing computer's IP
address or anything to prevent such a thing from happening? I realize
it's a stretch that someone might leave their computer unattended long
enough for such a thing to happen, but I just want to be sure. Also,
could someone listening in to the net traffic grab the session id and
then use it?

Thanks,
Todd





Re: Tomcat 5 and well-formed XHTML

2003-08-17 Thread Graham Stark
Sjoerd,

I had the selfsame problem last week. The solution (thanks to Bill
Barker) is to add:

<jsp:directive.page contentType="text/html; charset=iso-8859-1" />

to the page.

Graham

 I want to run this code on tomcat 5, on port 8080 in Internet Explorer,
 but something strange happens:
 
 When I run the following code
 
 ::: CODE :::
 
 <?xml version="1.0" encoding="ISO-8859-1" ?>
 <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">

 <jsp:directive.page language="java"
 contentType="text/html ; charset=ISO-8859-1"
 pageEncoding="ISO-8859-1" />

 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
 lang="en">
 <head>
 <title>Test2</title>
 </head>
 <body>
 <div>
 Test2
 </div>
 </body>

 </html>

 </jsp:root>
 
 ::: END CODE :::
 
 You will expect a nice XHTML page from it. In Netscape and Mozilla it is
 exactly this, but when running in IE6, I get an XML-tree instead of a
 page, which I expected.
 
 Also when I look at the properties, I note a strange value, the Type
 value of the page contains JavaServer Page, which shouldn't be filled
 at all. So how can I change this, so I get IE6 working?
 
 Thanks in advance,
 Sjoerd van Leent
 
 
 
 
-- 
Graham Stark, Virtual Worlds
phone: (+044) 01908 618239 mobile: 07952 633185
Homepage http://www.virtual-worlds.biz
Virtual Learning Arcade http://www.bized.ac.uk/virtual/vla
Virtual Economy http://www.bized.ac.uk/virtual/economy 





RE: Tomcat 5 and well-formed XHTML

2003-08-17 Thread Sjoerd van Leent
OK I'm baffled, I did use:

<jsp:directive.page language="java"
contentType="text/html ; charset=ISO-8859-1"
pageEncoding="ISO-8859-1" />

But reading the example it says that the ; sign between text/html and
charset must contain no spaces at the front, so you'll get:

<jsp:directive.page language="java"
contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1" />

Why always such a stupidity?

Sjoerd van Leent

-Original Message-
From: Graham Stark [mailto:[EMAIL PROTECTED] 
Sent: Sunday 17 August 2003 23:45
To: Tomcat Users List
Subject: Re: Tomcat 5 and well-formed XHTML

Sjoerd,

I had the selfsame problem last week. The solution (thanks to Bill
Barker) is to add:

<jsp:directive.page contentType="text/html; charset=iso-8859-1" />

to the page.

Graham



Can't post to wiki

2003-08-17 Thread Michael Slinn
I've tried editing
http://nagoya.apache.org/wiki/apachewiki.cgi?Tomcat/Jk2Connector and
also the sandbox, but the wiki just times out.  There doesn't seem to be
any way of notifying the owner of the wiki.

I tried IE 6 and Opera, every day for a week, in case the problem was
temporary.  It's not.

Any ideas?  Anyone know who to contact?

Mike






Re: Problem with Tomcat4.1.24 rpm service script in RH8.0

2003-08-17 Thread peter mcgregor
Hi John,

Found the problem.

Somehow the latest /etc/tomcat4/tomcat4.conf files have a variable
missing (SHUTDOWN_WAIT) that used to be there.

Also note that I now export my java memory variables
(export JAVA_OPTS=" -Xms64m -Xmx128m ")
as the current code no longer works in tomcat 4. (I remember that it 
used to work in Tomcat 3.3).

I just tried
JAVACMD="$JAVA_HOME/bin/java -Xms64m -Xmx128m"  {which is in the latest 
script}
and that didn't seem to work either. (Using ps axl --cols 1500 | grep 
tomcat4)

Regards

Peter

My working script follows.

# tomcat /etc/rc.d script example configuration file
# Use with version 1.07 of the scripts or later
# Use Jpackage utils if present
if [ -x /usr/bin/java-functions ]; then
    . /usr/bin/java-functions
    set_jvm
fi
# Source Java system configuration if exist
if [ -r /etc/java/java.conf ]; then
    . /etc/java/java.conf
fi
# you could also override JAVA_HOME here
# Where your java installation lives
# JAVA_HOME=/usr/java/jdk
JAVA_HOME=/opt/IBMJava2-13
# You can pass some parameters to java
# here if you wish to
#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"
# Where your tomcat installation lives
# That change from previous RPM where TOMCAT_HOME
# used to be /var/tomcat.
# Now /var/tomcat will be the base for webapps only
CATALINA_HOME=/var/tomcat4
JASPER_HOME=/var/tomcat4
CATALINA_TMPDIR=/var/tomcat4/temp
# What user should run tomcat
TOMCAT_USER=tomcat4
# You can change your tomcat locale here
#LANG=en_US
# Time to wait in seconds, before killing process
SHUTDOWN_WAIT=30
# Set the TOMCAT_PID location
CATALINA_PID=/var/run/tomcat4.pid
# If you wish to further customize your tomcat environment,
# put your own definitions here
# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
# Just do not forget to export them :)
export JAVA_OPTS=" -Xms64m -Xmx128m "


On Wednesday, August 13, 2003, at 12:08  AM, John Turner wrote:

Just debug the script.  The line numbers are given.  Patches welcome.

John

peter mcgregor wrote:

Hi,
Whenever I restart tomcat4 in RedHat 8 I get
# service tomcat4 restart
/etc/init.d/tomcat4: line 105: let: kwait=: syntax error: operand 
expected (error token is =)
/etc/init.d/tomcat4: line 107: [: 0: unary operator expected
waiting for processes to exit
/etc/init.d/tomcat4: line 107: [: 1: unary operator expected
waiting for processes to exit
The script used to work before some updates to redhat were applied.
This problem occurs on a number of our machines.
Is there a fix to this problem. Also will the 4.1.27 rpm's be out 
soon?
thank you
peter McGregor


Re: Cannot Solve jdbc is not bound is this Context problem

2003-08-17 Thread Kwok Peng Tuck
If you copy the DB2 driver into $CATALINA_HOME/common/lib , then it 
should be a jar rather than a zip or a tar file.
I think you should also change driverName to url.

Alan Nesbitt wrote:

We have been trying for over a week to solve this problem. It doesn't help
that we haven't used tomcat before, but our application works fine on
WebSphere. So I guess that it is some configuration that we are missing.
We are trying to configure tomcat (4.1.24) to do a jndi lookup of a
DataSource which is a db2 jdbc app driver.
The Tomcat server.xml had a sample jdbc configuration which was modified to
the following...
<Resource name="jdbc/SURESWIT" auth="Container"
type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/SURESWIT">
<parameter><name>user</name><value></value></parameter>
<parameter><name>password</name><value></value></parameter>
<parameter><name>driverClassName</name>
<value>COM.ibm.db2.jdbc.app.DB2Driver</value></parameter>
<parameter><name>driverName</name>
<value>jdbc:db2:SWPPDB2</value></parameter>
</ResourceParams>
The web.xml includes

<resource-ref>
 <res-ref-name>jdbc/SURESWIT</res-ref-name>
 <res-type>javax.sql.DataSource</res-type>
 <res-auth>Container</res-auth>
</resource-ref>
The Java code performs the following :-

if (ds == null)
{
  try {
    Context ctx = new InitialContext();
    ds = (javax.sql.DataSource) ctx.lookup("jdbc/SURESWIT");
    ctx.close();
  }
  catch (Exception e)
  {
    logger.text( IRecordType.TYPE_ERROR_EXC,
      className,
      "init(ServletConfig)",
      "Naming service exception: " + e.toString());
  }
}
When the above code runs it throws the following exception
init(ServletConfig) Naming service
exception:javax.naming.NameNotFoundException:
Name jdbc is not bound in this Context
I have copied the DB2 jdbc driver file to $CATALINA_HOME/common/lib (I
copied it both as .zip and .tar as some web resources suggested tomcat would
only recognise it as .tar)
ANY and I mean ANY help would be greatly appreciated. Even if it's to say it
doesn't work with tomcat.
Many thanks Alan



about restart strut, and do any one send me 'Tomcat definitive guide' pdf ?

2003-08-17 Thread MaFai
Hello, tomcat-user,

Do any command restart the strut service by specified folder?
Every time, I restart the full application to restart my strut, it would affect 
other web application in other folder, do any idea can solve this?



Best regards. 

MaFai
[EMAIL PROTECTED]
2003-08-18


port 8009 security (ajp13)

2003-08-17 Thread yo
Hi, everyone

I have a question about port 8009.
I'm using Tomcat 4.1.27, Apache 2.0.47, mod_jk2/2.0.3-dev.

When Tomcat starts, Tomcat says,
"INFO: JK2: ajp13 listening on /0.0.0.0:8009".
(This message is in catalina.out)

How do you control access to port 8009 ?
I guess I have to do something for the Tomcat security...
but can't find any configurations about that in server.xml.

Any help is highly appreciated.

thanks and regards

--
yo  
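
A check for the situation described in the message above, as an added example that is not part of the original post: it reads Tomcat startup output and reports which ajp13 listeners are bound to every interface. Only the first sample line is quoted from the post; the other log lines, the function names and the "hostname/ip:port" address format are assumptions made for this example.

```python
import ipaddress
import re

# Startup lines as they would appear in catalina.out. Only the first line is
# quoted from the post above; the rest are constructed sample input.
SAMPLE_LOG = """\
INFO: JK2: ajp13 listening on /0.0.0.0:8009
INFO: JK2: ajp13 listening on localhost/127.0.0.1:8009
INFO: JK2: ajp13 listening on /0:0:0:0:0:0:0:0:8019
INFO: JK2: ajp13 listening on /192.0.2.10:8009
INFO: Starting Coyote HTTP/1.1 on port 8080
"""

# Assumption: the address is printed as "hostname/ip:port" (hostname may be
# empty). The port is what follows the last colon, so IPv6 literals survive.
LISTEN_RE = re.compile(
    r"JK2: ajp13 listening on (?P<host>[^/\s]*)/(?P<addr>\S+):(?P<port>\d+)\s*$"
)

def classify(addr):
    """Return 'all-interfaces', 'loopback' or 'single-address' for a bind address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback"
    return "single-address"

def audit_ajp_listeners(log_text):
    """Return (line_no, address, port, exposure) for every ajp13 listener line."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = LISTEN_RE.search(line)
        if not match:
            continue
        addr, port = match.group("addr"), int(match.group("port"))
        try:
            exposure = classify(addr)
        except ValueError:
            exposure = "unparsed"  # report it rather than silently skip it
        findings.append((line_no, addr, port, exposure))
    return findings

def wildcard_listeners(findings):
    """Listeners that accept connections on every interface of the host."""
    return [f for f in findings if f[3] == "all-interfaces"]

if __name__ == "__main__":
    for line_no, addr, port, exposure in audit_ajp_listeners(SAMPLE_LOG):
        print(f"line {line_no}: ajp13 on {addr} port {port} -> {exposure}")
```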


Tomcat 4.1.24 12 minute startup

2003-08-17 Thread Loren Hall


Just recently I'm finding each time I start tomcat 4.1.24 it takes longer
and longer to start.

It starts fast, but after a few stop/starts it 'spins' with CPU usage at
99%.  First for like 90 seconds then for a couple minutes, the example below
shows it took 12 minutes to start. I have no clue what it's trying to do,
and have found no info in the logs to account for this.  I have no reason to
believe it relates to my app at all, and everything works fine when it
eventually starts.

The 'spin' happens just after printing the last servletMapping info for my
app and before the Protocol is declared started.

Any thoughts are appreciated.

-STARTUP OUTPUT---

Aug 17, 2003 7:47:19 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on port 8080
Starting service Tomcat-Standalone
Apache Tomcat/4.1.24
register('-//Apache Software Foundation//DTD Struts Configuration 1.0//EN', 'jar:file:/C:/home/insitesw/tomcat/build/webapps/insite/WEB-INF/lib/struts.jar!/org/apache/struts/resources/struts-config_1_0.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN', 'jar:file:/C:/home/insitesw/tomcat/build/webapps/insite/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_2.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN', 'jar:file:/C:/home/insitesw/tomcat/build/webapps/insite/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_3.dtd'
resolveEntity('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN', 'http://java.sun.com/j2ee/dtds/web-app_2_2.dtd')
 Resolving to alternate DTD 'jar:file:/C:/home/insitesw/tomcat/build/webapps/insite/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_2.dtd'
Call Insites.theSystem.Facilitator.addServletMapping(action/java.lang.String,*.do/java.lang.String)
register('-//Apache Software Foundation//DTD Struts Configuration 1.0//EN', 'jar:file:/C:/home/insitesw/tomcat/build/webapps/insite/WEB-INF/lib/struts.jar!/org/apache/struts/resources/struts-config_1_0.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN', 'jar:file:/C:/home/insitesw/tomcat/build/webapps/insite/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_2.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN', 'jar:file:/C:/home/insitesw/tomcat/build/webapps/insite/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_3.dtd'
resolveEntity('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN', 'http://java.sun.com/j2ee/dtds/web-app_2_2.dtd')
 Resolving to alternate DTD 'jar:file:/C:/home/insitesw/tomcat/build/webapps/insite/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_2.dtd'
Call Insites.theSystem.Facilitator.addServletMapping(action/java.lang.String,*.do/java.lang.String)


[SPINS]


Aug 17, 2003 7:59:46 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on port 8080


Loren Hall






JSP Custom tag and XML/XSL transformation

2003-08-17 Thread Thierry Thelliez
Assuming that a custom tag outputs an XML formatted data structure, do we
have to use a temporary file for an XSL transformation?

What we did so far is to:
1- define a random file name from the JSP page,
2- call the tag from the JSP page (with the random file name as parameter),
3- have the tag export the XML in a temporary file (filename defined above),
4- load the XML file and execute the XSL transformation from the JSP page,
5- delete the file after transformation in the JSP page.

Is that a good practice (using a temporary file)? Or is there a way to have
the XML directly returned in a String/Stream.

Regards,
Thierry Thelliez






Tomcat NT service hangs when using -config

2003-08-17 Thread Dan Ruthers
Hi,
I am using Tomcat 4.1.27 and have encountered the following problem.
In my configuration, server.xml is located outside the common CATALINA_BASE directory.
(Test.0) If I start the server with the following command:

C:\j2re1.4.1_01\bin\java.exe -jar -Duser.dir="C:\Program Files\Tomcat" "C:\Program Files\Tomcat\bin\bootstrap.jar" -config C:\data\server.xml start

everything works fine and I can access the webapplications regularly.

(Test.1) If I try to start it as a service, where the following values are in 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apache Tomcat 4.1\Parameters:

Start Class           org.apache.catalina.startup.BootstrapService
Start Method          main
Start Param Count     3
Start Param Number 0  -config
Start Param Number 1  C:\data\server.xml
Start Param Number 2  start

(There are others, but they are the standard)

then when I start the service tomcat start, no errors are reported in stdout.log and 
stderr.log, but the webapplication is not started. When I try to connect to the 
server, the connection hangs (i.e. is established, but the browser hangs waiting for 
the server to send back some data).

(Test.2) If I don't set a custom location for server.xml:
Start Param Count     1
Start Param Number 0  start

and leave server.xml in the conf directory, everything works fine again.

(Test.3) But if I test with server.xml in conf directory, and the following parameters:
Start Param Count     2
Start Param Number 0  -debug
Start Param Number 1  start

then the server hangs exactly like in the first case (only more info is written to 
stdout.log). This leads me thinking that it has to do with some parameter count thing, 
but I recompiled CatalinaService.java with some logging info and it appears that it 
always get passed the correct number of arguments. And indeed, the -debug is picked up 
correctly in Test.3 because the logging increases. And if, in Test.1, I specify a 
non-existing location for server.xml, I get an error in the logs.

Finally, I also tried to apply the suggested synchronization patch that solved a 
problem with the same symptoms 
(http://issues.apache.org/bugzilla/show_bug.cgi?id=15693), but it made no difference. 
And it wouldn't explain why if I use only one parameter (start) it works fine...

Note that the service, configured as I described in Test.1, was working fine with 
Tomcat 4.0.4

Ah, I tested all of this on my 2 PCs (XP and w2000), with the same results.

I pretty much exhausted my research... has anyone got an idea?

Thanks in advance
Dan







