RE: Invalid no-cache http headers

2003-02-27 Thread Dennis van den Berg
Adam,

Your solution should work fine.
However, I consider this a bug, and therefore I wondered if other people agree with 
me on this point.
I used a simple Filter to work around the Tomcat bug;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * <p>Title: </p>
 * <p>Description: Reset cache-control headers set by Tomcat.
 * These headers are set by newer Tomcat versions in the case
 * the request is for a protected URL. We consider this a bug
 * in Tomcat. If we do not reset these headers nothing will be
 * cached, so the back-button will not work properly, and also
 * in the 'open/save'-dialog, open will not work.</p>
 * @author Dennis van den Berg
 * @version 1.0
 */
public class CacheControlFilter implements Filter {

  FilterConfig filterConfig = null;

  public void init(FilterConfig filterConfig) throws ServletException {
    this.filterConfig = filterConfig;
  }

  public void doFilter(ServletRequest request, ServletResponse response,
                       FilterChain chain) throws IOException, ServletException {
    // Reset headers set by the new Tomcat Connector to enable caching.
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    httpResponse.setHeader("Pragma", null);
    httpResponse.setHeader("Cache-Control", null);
    chain.doFilter(request, response);
  }

  public void destroy() {
    filterConfig = null;
  }

}

Thanks for any replies,

Dennis

-Original Message-
From: Szwajkajzer Adam [mailto:[EMAIL PROTECTED]
Sent: donderdag 27 februari 2003 8:30
To: Dennis van den Berg
Subject: RE: Invalid no-cache http headers


I've found in previous discussions that no-cache feature was added on purpose to 
avoid possible security problems.
I was told to use JBeans to maintain JSP state on the server side.
There is no way to switch the feature off.

For my current project (intranet application) I just removed setHeader instructions 
from AuthenticatorBase, recompiled and had the previous behaviour.

Hope it helps.

Adam Szwajkajzer

 -Original Message-
 From: Dennis van den Berg [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, February 26, 2003 4:30 PM
 To: [EMAIL PROTECTED]
 Subject: Invalid no-cache http headers
 
 
 Hi all,
 
 I encountered problems with the newer Tomcat 4 versions.
 There are caching-headers set on the response, in case of 
 URLs with security constraints, which are not set in older 
 Tomcat 4 versions.
 
 This results in 2 things;
 - The user is not able to use the back-button anymore (This 
 page has expired, in IE6 anyway)
 - When you send a file as an attachment to the browser the 
 user gets an open/save dialog.
   When the user presses open, the file is first put into the 
 cache and then opened (by IE6 anyway)
   So this results in a 'file not found' message, because 
 caching is disabled.
 
 In the following method in 
 org.apache.catalina.authenticator.AuthenticatorBase:
 public void invoke(Request request, Response response,
                    ValveContext context)
     throws IOException, ServletException {
 
 I found the following code-fragment:
 // Make sure that constrained resources are not cached by web proxies
 // or browsers as caching can provide a security hole
 if (disableProxyCaching &&
     !(((HttpServletRequest) hrequest.getRequest()).isSecure())) {
     HttpServletResponse sresponse =
         (HttpServletResponse) response.getResponse();
     sresponse.setHeader("Pragma", "No-cache");
     sresponse.setHeader("Cache-Control", "no-cache");
     sresponse.setDateHeader("Expires", 1);
 }
 
 I think this piece of code is the source of the problem.
 When I read the specs for HTTP, I think I can conclude there 
 are more applicable values for the Cache-Control header in 
 this case. For example private or no-store.
 
 Did anyone else encounter any problems of this kind, or did I 
 overlook something?
 
 Thanks for any replies,
 
 Dennis
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 
 




Invalid no-cache http headers

2003-02-26 Thread Dennis van den Berg
Hi all,

I encountered problems with the newer Tomcat 4 versions.
There are caching-headers set on the response, in case of URLs with security 
constraints, which are not set in older Tomcat 4 versions.

This results in 2 things;
- The user is not able to use the back-button anymore (This page has expired, in IE6 
anyway)
- When you send a file as an attachment to the browser the user gets an open/save 
dialog.
  When the user presses open, the file is first put into the cache and then opened (by 
IE6 anyway)
  So this results in a 'file not found' message, because caching is disabled.

In the following method in org.apache.catalina.authenticator.AuthenticatorBase:
public void invoke(Request request, Response response,
                   ValveContext context)
    throws IOException, ServletException {

I found the following code-fragment:
// Make sure that constrained resources are not cached by web proxies
// or browsers as caching can provide a security hole
if (disableProxyCaching &&
    !(((HttpServletRequest) hrequest.getRequest()).isSecure())) {
    HttpServletResponse sresponse =
        (HttpServletResponse) response.getResponse();
    sresponse.setHeader("Pragma", "No-cache");
    sresponse.setHeader("Cache-Control", "no-cache");
    sresponse.setDateHeader("Expires", 1);
}

I think this piece of code is the source of the problem.
When I read the specs for HTTP, I think I can conclude there are more applicable 
values for the Cache-Control header in this case. For example private or 
no-store.

Did anyone else encounter any problems of this kind, or did I overlook something?

Thanks for any replies,

Dennis
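
A variant of the workaround filter from the reply earlier on this page, added here as an illustration (not Dennis's code and not part of Tomcat): rather than clearing the headers, it replaces them with the "private" value suggested in this post, so the browser may cache the response while shared proxies still may not store it. The class name PrivateCacheControlFilter and the init-param cacheControl are hypothetical, and it assumes, as the original filter does, that the authenticator has set its headers before the filter runs.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Replaces the "no-cache" headers on constrained resources with a
 * configurable Cache-Control value instead of clearing them.
 * Hypothetical class; the init-param name "cacheControl" is an assumption.
 * Map it in web.xml to the same url-patterns as the security-constraints.
 */
public class PrivateCacheControlFilter implements Filter {

    // Default: a browser cache may store the response, a shared proxy may not.
    private String cacheControl = "private";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("cacheControl");
        if (configured == null) {
            return; // keep the default
        }
        String value = configured.trim().toLowerCase(Locale.ENGLISH);
        // Accept only directives under which a shared proxy cannot answer a
        // later request with the protected response on its own; any other
        // value (for example "public") fails at deployment time.
        if (!value.equals("private") && !value.equals("no-store")
                && !value.equals("no-cache")) {
            throw new ServletException("Unsupported cacheControl: " + configured);
        }
        cacheControl = value;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // setHeader replaces the value that was set earlier in the request.
            http.setHeader("Cache-Control", cacheControl);
            if (cacheControl.equals("private")) {
                // "private" permits the browser's own cache, so the HTTP/1.0
                // "Pragma: No-cache" header must not remain. Passing null
                // mirrors the original filter; how a container treats a null
                // value is an assumption carried over from it.
                http.setHeader("Pragma", null);
            }
            // The Expires header is left as the container set it.
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}
```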




RE: Initialisation on the first request

2002-09-11 Thread Dennis van den Berg

Or perhaps with a filter?

-Original Message-
From: Heligon Sandra [mailto:[EMAIL PROTECTED]]
Sent: woensdag 11 september 2002 13:15
To: '[EMAIL PROTECTED]'
Subject: Initialisation on the first request



I am working with a distributed system.
I chose to start Apache-Tomcat as NT service.
I want to get the ORB's request on the first request.
How do I know that it is the first request ?
How can I do this ? in the servlet controller ? or with Listener ? 

Thanks a lot. 





RE: set content type to text/pdf

2002-06-21 Thread Dennis van den Berg

Hi,

I think when you make the request go to Tiparire.pdf it should open in your browser.
It somehow also has something to do with the extension.

Dennis.

-Original Message-
From: Alex [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 21 juni 2002 9:37
To: [EMAIL PROTECTED]
Subject: set content type to text/pdf


I have a servlet that generates pdf content.
In the initData method, I use:
  httpservletresponse.setContentType("text/pdf");

When i access the servlet from the browser (i'm using win2k), it opens
a small window asking me what to do with the file (open, save,
cancel..), and then, when i choose open, it asks me which
application should i use to open that file (it is called Tiparire[1],
because my servlet is called Tiparire), and then i choose acrobat
reader.
What can i do so my browser automatically opens the pdf content generated
by the servlet ?
Thanks in advance...

Alex.







RE: AW: set content type to text/pdf

2002-06-21 Thread Dennis van den Berg

You could also map your servlet to the pattern *.pdf

Dennis.

-Original Message-
From: Liam Morley [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 21 juni 2002 9:57
To: Tomcat Users List
Subject: Re: AW: set content type to text/pdf


I'm sure there's a better way, but in case there's not, there's always 
mod_rewrite. You could rewrite the url so that /(*).pdf goes to /$1.

Liam Morley


Alex wrote:

Hello Ralph,

  I can't point my browser to a location that ends with .pdf,
  because i have to point it to my servlet, for ex:
  document.location.href="/servlet/Tiparire"
  Is there any trick to do this ?

  Alex.
  

Friday, June 21, 2002, 10:44:00 AM, you wrote:

RE MS IE has sometimes his own opinion what to open and 
RE ignores the content type.

RE The safest way to convince IE to open PDF is to set the 
RE content type to load the file from a url that has the 
RE extension .pdf.

RE Additional hint:
RE   Make sure that your servlet supports Byte range
RE   requests (HTTP 1.1). The acrobat reader sometimes 
RE   uses this. (Have a look at the source for the 
RE   servlet that implements the fileserving for tomcat)

  

-Ursprüngliche Nachricht-
Von: Alex [mailto:[EMAIL PROTECTED]]
Gesendet: Freitag, 21. Juni 2002 09:37
An: [EMAIL PROTECTED]
Betreff: set content type to text/pdf

What can i do so my browser automatically opens the pdf 
content generated
by the servlet ?
Thanks in advance...
  






RE: Way to remove index page file name from URL?

2002-06-19 Thread Dennis van den Berg

Hi,

You can make it work by mapping your default servlet to / and make this
one forward to your homepage using requestdispatcher. A disadvantage of this
solution is that this overrides the default mappings for your static image/js
files etc. You can solve this by mapping each of these files to the default
servlet provided by tomcat (which is named default) which just serves
files by using extension mapping.

I don't know if there is a better solution but this works fine for me.

Dennis.

-Original Message-
From: Chris Bailey [mailto:[EMAIL PROTECTED]]
Sent: woensdag 19 juni 2002 1:19
To: Tomcat Mailing List
Subject: Way to remove index page file name from URL?


I have a web app with a few servlets.  One of these servlets I'd like to be
the default servlet - basically it should handle any request that the
other servlets don't handle, or that isn't for an image file or other
resource.  So far, I've set this up by mapping a special index/welcome page
name to the servlet.  i.e. with <url-mapping>*.mypage</url-mapping>, and
then setting index.mypage as one of the welcome files.  This works nicely,
but the only problem is that on Tomcat (and maybe others), index.mypage
now shows up in the URL.  For example, if the original URL the user typed in
was "http://www.foo.com/", their browser will now show
"http://www.foo.com/index.mypage".

Is there any way to have Tomcat not set the location to the URL with the
index.mypage in it?

I should note, this shall be the only webapp for this instance of Tomcat, so
if I need to redo my context somehow to achieve this, that's fine.
Currently the context looks like:

  <Context path="" docBase="foo" ... >

I will need to be able to deploy it as both a WAR, and an expanded
webapp/non-WAR (for development).

Chris Bailey   mailto:[EMAIL PROTECTED]
Code Intensity   http://www.codeintensity.com






RE: Default Website -- Still not working -- Thanks!

2002-06-14 Thread Dennis van den Berg

I think what you want is this in your server.xml:

<Context path="" docBase="webapps/Test" debug="0">

Dennis

-Original Message-
From: S W [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 14 juni 2002 9:35
To: [EMAIL PROTECTED]
Subject: Default Website -- Still not working -- Thanks!


Hi Everyone,

I know I've previously asked this question, but I'm
still having issues with it, I'm still new to
Tomcat. I would really appreciate further guidance on
this issue.

I'm trying to setup Tomcat so the default directory is
something else other than Examples when I type in the
IP address.

I know where to change the welcome documents, but I
can't figure out how to change the default path.

Here are things which I have tried changing in the
server.xml file.

Changed from Examples to Test <Context path="/Test"
docBase="webapps/Test" debug="0">

I've also tried changing every reference from Examples
to Test but Tomcat wouldn't startup after that.

If someone could tell me what I'm missing I would
really appreciate it.

My environment: Windows 2000 SP2, Tomcat 4.0.3

Thank you!





RE: changing default home page

2002-06-13 Thread Dennis van den Berg



You probably have something like this:
<Context path="" docBase="ROOT" debug="0"/>

In your server.xml

This means if a user does not specify anything after /path/to/tomcat it takes ROOT 
as the default webapp.

Furthermore you can specify welcome-pages for each webapp in your web.xml's (see the 
DTD).

If you specify nothing it looks for index.html in the target webapp.

Hope this is of help,

Dennis.



-Original Message-
From: Altug B. Altintas [mailto:[EMAIL PROTECTED]]
Sent: donderdag 13 juni 2002 14:31
To: Tomcat Users List
Subject: changing default home page



How can i change Tomcat's default home page ? 

Now it looks at

/path/to/tomcat/webapps/ROOT/index.html


Regards 
Altug.








security-constraints

2002-06-11 Thread Dennis van den Berg

Hi all,

According to the servlet 2.3 specs, the longest path-prefix is used when determining 
which servlet-mapping or which security-constraint is to be used.

However when I specify the following security-constraint's:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection1</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection2</web-resource-name>
      <url-pattern>/view/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role2</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

A user who is in role2 is denied access to URLs which start with /view/*, and it 
seems that the order in which I specify the security-constraints matters?

Am I missing something?

Thanks,
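
An added illustration (not part of the original post and not Tomcat's code) of why declaration order can change the outcome for these two constraints: it compares the longest path-prefix rule described above with a first-declared-match evaluation, which is assumed here only as one possible container behaviour. The class name, the helper methods and the sample path /view/report are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

public class ConstraintMatchDemo {

    /** One security-constraint reduced to its url-pattern and role-name. */
    static final class Constraint {
        final String urlPattern;
        final String role;

        Constraint(String urlPattern, String role) {
            this.urlPattern = urlPattern;
            this.role = role;
        }

        /** Length of the matched prefix for a "/prefix/*" pattern, or -1 if no match. */
        int matchLength(String path) {
            if (!urlPattern.endsWith("/*")) {
                // Exact pattern: only the identical path matches.
                return urlPattern.equals(path) ? path.length() : -1;
            }
            String prefix = urlPattern.substring(0, urlPattern.length() - 2);
            boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
            return hit ? prefix.length() : -1;
        }
    }

    /** Longest path-prefix wins, independent of declaration order. */
    static Constraint longestPrefix(List<Constraint> declared, String path) {
        Constraint best = null;
        int bestLen = -1;
        for (Constraint c : declared) {
            int len = c.matchLength(path);
            if (len > bestLen) {
                best = c;
                bestLen = len;
            }
        }
        return best;
    }

    /**
     * First declared constraint that matches wins (order-dependent).
     * Assumed behaviour for comparison, not taken from Tomcat's source.
     */
    static Constraint firstDeclared(List<Constraint> declared, String path) {
        for (Constraint c : declared) {
            if (c.matchLength(path) >= 0) {
                return c;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        List<Constraint> declared = new ArrayList<>();
        declared.add(new Constraint("/*", "role1"));      // Collection1
        declared.add(new Constraint("/view/*", "role2")); // Collection2
        String path = "/view/report";                     // constructed sample path
        String userRole = "role2";

        Constraint byLength = longestPrefix(declared, path);
        Constraint byOrder = firstDeclared(declared, path);
        System.out.println("longest-prefix: " + byLength.urlPattern + " -> "
                + (byLength.role.equals(userRole) ? "allowed" : "denied"));
        System.out.println("first-declared: " + byOrder.urlPattern + " -> "
                + (byOrder.role.equals(userRole) ? "allowed" : "denied"));
    }
}
```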






RE: how can I close a session

2002-06-08 Thread Dennis van den Berg

Try

session.invalidate();

Dennis.

-Original Message-
From: Anibal Constante Brito [mailto:[EMAIL PROTECTED]]
Sent: zaterdag 8 juni 2002 10:06
To: Tomcat
Subject: how can I close a session


how can I close a session in JSP?

or something like this, to disconnect the user, so that the user has to log in
again.

Best Regards.
Owen.






RE: Newbie help

2002-06-08 Thread Dennis van den Berg

One important difference would be that tomcat does not implement an
EJB-container.

Dennis.

-Original Message-
From: Srinivas N. Battula [mailto:[EMAIL PROTECTED]]On Behalf Of sbattul
Sent: zaterdag 8 juni 2002 0:39
To: [EMAIL PROTECTED]
Subject: Newbie help


Hi all,

Can anyone tell me the difference between an Application server such as
IBM websphere and Tomcat? I want to know what IBM websphere can do that
Tomcat can't do and what Tomcat can do and IBM websphere can't do.

Thanks
Srinivas







RE: secure aplications with JDBCRealm

2002-06-08 Thread Dennis van den Berg

Just to be sure, probably did that already.

Did you put the MySQL driver in your classpath?
For example in the /lib dir of tomcat?

Dennis.

-Original Message-
From: Urtzi Larrazabal [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 7 juni 2002 12:41
To: Tomcat Users List (E-mail)
Subject: secure aplications with JDBCRealm



Hi !

I am trying to secure my application through JDBCRealm



# 2002-06-07 12:24:05 - Ctx(/Myaplication) : Exception in R( /Myaplication + + null) - java.lang.RuntimeException: JDBCRealm.checkConnection: java.lang.ClassNotFoundException: org.gjt.mm.mysql.Driver
    at org.apache.tomcat.modules.aaa.JDBCRealm.checkConnection(JDBCRealm.java:307)
    at org.apache.tomcat.modules.aaa.JDBCRealm.getCredentials(JDBCRealm.java:239)
    at org.apache.tomcat.modules.aaa.RealmBase.checkPassword(RealmBase.java:212)
    at org.apache.tomcat.modules.aaa.RealmBase.authenticate(RealmBase.java:193)
    at org.apache.tomcat.core.Request.getRemoteUser(Request.java:575)
    at org.apache.tomcat.modules.aaa.AccessInterceptor.authorize(AccessInterceptor.java:359)
    at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:902)
    at org.apache.tomcat.core.ContextManager.service(ContextManager.java:833)
    at org.apache.tomcat.modules.server.Ajp13Interceptor.processConnection(Ajp13Interceptor.java:341)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:494)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:516)
    at java.lang.Thread.run(Thread.java:479)



server.xml

<JDBCRealm
debug="99"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://myhost.dec.es/tomcat"
userTable="user"
userNameCol="user_name"
userCredCol="user_pass"
userRoleTable="user_roles"
roleNameCol="role_name" />






RE: Any way to tell how many sessions exist?

2002-06-03 Thread Dennis van den Berg

You can use javax.servlet.http.HttpSessionListener for this purpose.

Dennis.

-Original Message-
From: Rick Mann [mailto:[EMAIL PROTECTED]]
Sent: maandag 3 juni 2002 13:20
To: tomcat user jakarta.apache.org
Subject: Any way to tell how many sessions exist?


I wanted to write a JSP to display server stats. I was hoping to be able to
get all the sessions, show how many there were, what their ages were, etc.
But it appears that access to the collection of sessions has been deprecated
from the Servlet 2.3 API.

Is there a way to get at this info, preferably in a container-independent
manner? I will settle for a Tomcat-specific solution.

TIA,

--
Rick







Compression Filter

2002-05-30 Thread Dennis van den Berg


I have experienced a problem with the 'Compression Filter' which is part of
the 'examples'-webapplication of tomcat.

The filter mapping;

<filter-mapping>
  <filter-name>Compression Filter</filter-name>
  <url-pattern>/CompressionTest</url-pattern>
</filter-mapping>

Is commented out by default, when it is commented out and I invoke a request
for the '/CompressionTest' url-pattern I get the following result;

gzip, deflate
gzip supported -- able to compress
Compression Filter Test Servlet

When I activate the filter mapping, I get the following result;

ate
gzip supported -- able to compress
Compression Filter Test Servlet
gzip, defl

Depending on the 'compressionThreshold' I configure, I get different
results. It seems that the filter puts the first number of bytes which go in
to the buffer at the end of the response.

Does anyone know if I'm doing something wrong?






