Re: cross context info

2005-09-14 Thread Edmund Urbani

Alain Gaeremynck wrote:

I have 2 webapps living on the same server and they are linked to the 
same user experience.  Now both apps require login but i don't want 
my users to have to login on both apps.  Also while they are browsing 
in one context i don't want the session to expire for the other context.
so the question is  Is there a way to do session.setAttribute in one 
context and retrieve it from another and also to link the 2 sessions so 
that they don't expire or expire at the same time?

i'd like not to have to use hidden iframe and stuff like that

thanks!

with tomcat there's also a different approach to this problem using the 
SSOValve (org.liland.tomcat.valve.sso.SingleSignOn). however, in order 
to use this valve, the webapps need to let tomcat handle the 
authentication (see 
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html or 
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html).
depending on your webapps this kind of setup may be anything from 
simply a matter of configuration to impossible.


Edmund


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: getRealPath() returns real path plus context path

2005-09-06 Thread Edmund Urbani

Franz-Josef Herpers wrote:


Hi,

I've a problem when using ServletContext#getRealPath() with Tomcat 5.5.9.

My web application resides under the name tool in the webapps 
directory. When I call 
servletContext.getRealPath(request.getContextPath()) I get the real 
path but always with the context path added at the end. That means a 
path like C:\path\to\tomcat\webapps\tool\tool.


Is there any explanation for this behaviour? Or am I doing something 
wrong?


Thanks for any hints in advance

Regards
Franz

the getRealPath method simply returns a path inside the webapp's 
directory. eg. you can do getRealPath(images/someimg.jpg) and get the 
actual filesystem path for that file, so you can access it using 
java.io.File and do something with it. getRealPath(/) should give you 
the webapp directory itself.
note that you probably should not use this method, if you ever want to 
be able to run your webapp directly from a .war file.


Edmund
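An added example, not code from this thread or from Tomcat, that shows the point Edmund makes: getRealPath resolves its argument relative to the webapp root (so passing the context path doubles it), it can return null when the webapp is not expanded on disk, and a caller that builds the argument from request data has to make sure the result stays inside the webapp directory. The class and method names are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.ServletContext;

/**
 * Helpers around ServletContext#getRealPath, written for this thread as an
 * illustration (not Tomcat code). Class and method names are assumptions.
 */
public final class WebappPaths {

    private WebappPaths() {
    }

    /**
     * getRealPath treats its argument as a path relative to the webapp root, so
     * getRealPath(request.getContextPath()) for a webapp named "tool" yields
     * ".../webapps/tool/tool". Pass a path inside the webapp instead, and refuse
     * anything that would resolve outside it. Returns null when the container
     * cannot map the webapp to the filesystem (for example an unexpanded .war).
     */
    public static File resolveInsideWebapp(ServletContext ctx, String relativePath) throws IOException {
        if (relativePath == null || relativePath.indexOf('\0') >= 0) {
            return null;
        }
        String root = ctx.getRealPath("/");
        if (root == null) {
            return null; // not file-backed: use openResource below instead
        }
        String mapped = ctx.getRealPath(relativePath.startsWith("/") ? relativePath : "/" + relativePath);
        if (mapped == null) {
            return null;
        }
        File rootDir = new File(root).getCanonicalFile();
        File target = new File(mapped).getCanonicalFile();
        // compare canonical paths, so neither "../" segments nor symlinks escape the webapp directory
        if (!target.equals(rootDir) && !target.getPath().startsWith(rootDir.getPath() + File.separator)) {
            throw new IOException("path escapes the webapp directory: " + relativePath);
        }
        return target;
    }

    /**
     * Portable alternative that also works when the webapp runs from a .war:
     * stream the resource through the container instead of touching the file.
     * The caller closes the stream; null means there is no such resource.
     */
    public static InputStream openResource(ServletContext ctx, String relativePath) {
        return ctx.getResourceAsStream(relativePath.startsWith("/") ? relativePath : "/" + relativePath);
    }
}
```

In Franz's case the call would be resolveInsideWebapp(getServletContext(), "/images/someimg.jpg"), which maps to C:\path\to\tomcat\webapps\tool\images\someimg.jpg; openResource is the variant to prefer wherever the code only needs to read the file.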





Re: Making a Database Image Show Up on a Jsp Page

2005-08-24 Thread Edmund Urbani

Philip Cote wrote:

I'm trying to write to binary data from a MySQL database into a jpeg 
file so I can show it on a jsp page but I'm not having much luck.  My 
bean can create files outside the servlet / jsp context using the 
usual java.io classes.  As I understand it, java.io classes aren't 
allowed for EJBs.  Does this apply to plain java beans as well?  If 
so, what are the alternatives for doing what I'm trying to do?


your java classes can do anything the VM process is permitted to do, 
unless you have restricted using a security manager and the 
catalina.policy file (i think eg. debian tomcat packages do that by 
default). i'm not sure just how exactly you are trying to serve those 
images to the client and why you want to write them (temporarily) to the 
file system. i would probably want to send them back directly from 
memory after reading them from the DB as a blob (much like Larry Meadors 
just suggested while i was writing this ...).


Edmund
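An added example of the approach Edmund and Larry suggest, not code from this thread: a servlet that reads the BLOB with a bound JDBC parameter and streams it straight to the response, so nothing is written to the filesystem and the id parameter never becomes part of the SQL text. The JNDI data source name and the images table with its id, mime_type and data columns are assumptions; try-with-resources needs Java 7 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/**
 * Streams an image straight from a database BLOB to the client, written for
 * this thread as an illustration. The JNDI name, the table and its columns
 * (images.id, images.mime_type, images.data) are assumptions.
 */
public class ImageServlet extends HttpServlet {

    private static final String DATASOURCE = "java:comp/env/jdbc/ImageDB"; // assumed JNDI name
    private static final String QUERY = "SELECT mime_type, data FROM images WHERE id = ?";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        long id;
        try {
            id = Long.parseLong(req.getParameter("id")); // only a number ever reaches the query
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DATASOURCE);
            try (Connection con = ds.getConnection();
                 PreparedStatement ps = con.prepareStatement(QUERY)) { // bound parameter, no string building
                ps.setLong(1, id);
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next()) {
                        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                        return;
                    }
                    String mime = rs.getString(1);
                    InputStream in = rs.getBinaryStream(2);
                    // serve only the types this servlet is meant for, never a type copied from the row blindly
                    if (in == null || !isImageType(mime)) {
                        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                        return;
                    }
                    resp.setContentType(mime);
                    resp.setHeader("X-Content-Type-Options", "nosniff"); // stop browsers second-guessing the type
                    resp.setHeader("Content-Disposition", "inline");
                    copy(in, resp.getOutputStream());
                }
            }
        } catch (NamingException | SQLException e) {
            throw new ServletException("image lookup failed", e);
        }
    }

    static boolean isImageType(String mime) {
        return "image/jpeg".equals(mime) || "image/png".equals(mime) || "image/gif".equals(mime);
    }

    private static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        out.flush();
    }
}
```

With the servlet mapped to /image in web.xml, the JSP page just references it as an ordinary image (img src="image?id=42"); the browser fetches the bytes from the servlet, and no temporary file is involved.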




howto configure JAAS+SSO

2005-08-16 Thread Edmund Urbani


hello!

I'm trying to configure two webapps (slide and jetspeed2) for 
single-sign-on in the same tomcat instance. Both apps use JAAS and come 
with their own JAAS login modules. Is it possible to configure these 
(any?) two apps to share login info with JAAS. I started reading the 
JAAS docs recently and I tried putting the two login modules into one 
JAAS login context, but that does not seem to work, because the login 
module classes won't instantiate properly due to dependencies to their 
respective webapps.


Can SSO be achieved without having the apps share one login context?
Will I have to write my own login module(s)?
Should I use a (completely) different approach to get SSO?

Thanks for any help/advice.

Edmund





Re: howto configure JAAS+SSO

2005-08-16 Thread Edmund Urbani

Mark Benussi wrote:


Hi Edmund.

I am sorry but I don't know much about SSO.

However I can tell you about JAAS in Tomcat. In 5 certainly there are
issues. Essentially when you call the LoginModule to invoke your JAAS config
it works but it does not authenticate the proper session Subject. What you
end up doing (Or what I did) was place a request filter in the app that
wraps the request with an overridden RequestWrapper and you write your own
inUserInRole against the Subject that the LoginModule returns (By placing it
in the session)

If you want some code, taken from Wendy Smoak and others I can provide.



thanks.

I'm currently considering to write my own login module in order to share 
authentication data across login contexts. i would need to access 
session cookies from the module and i'm not sure how/if this can be done 
yet.


i've never written a requestwrapper myself, so i can't really tell how 
hard/complicated that would be. i'd be glad, if you could provide me 
with some code to look at. that could certainly help me decide on how to 
go on about that SSO requirement.


Edmund





Re: howto configure JAAS+SSO [Apologies code attached]

2005-08-16 Thread Edmund Urbani

Mark Benussi wrote:


1. Filter to go in web.xml

package com.ibt.framework.security.tomcat;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * {@link javax.servlet.Filter Filter} to override the HttpServletRequest and
 * override isUserInRole() using the
 * {@link com.ibt.framework.security.tomcat.HttpServletRequestWrapper HttpServletRequestWrapper}
 * (the wrapper class from the same package, shown below, not the javax one)
 *
 * @author Mark Benussi
 */
public class HttpServletRequestFilter implements Filter {

    /**
     * @see javax.servlet.Filter#destroy()
     */
    public void destroy() {
    }

    /**
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
     *      javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletRequestWrapper wrappedRequest = new HttpServletRequestWrapper(
                httpServletRequest);
        chain.doFilter(wrappedRequest, response);
    }

    /**
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    public void init(FilterConfig config) throws ServletException {
    }
}

2. Request wrapper

package com.ibt.framework.security.tomcat;

import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;

/**
 * Wraps the {@link javax.servlet.http.HttpServletRequest HttpServletRequest}
 *
 * @author Mark Benussi
 */
public class HttpServletRequestWrapper extends
        javax.servlet.http.HttpServletRequestWrapper {

    /**
     * The original {@link javax.servlet.http.HttpServletRequest HttpServletRequest}
     */
    private HttpServletRequest request = null;

    /**
     * Helper to manage any common security methods
     * (SecurityHelper is a separate class of Mark's; its source is not part of this post)
     */
    private static SecurityHelper jaasHelper = null;

    /**
     * Default constructor
     *
     * @param request
     *            The original {@link javax.servlet.http.HttpServletRequest HttpServletRequest}
     */
    public HttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        if (jaasHelper == null) {
            jaasHelper = new SecurityHelper();
        }
        this.request = request;
    }

    /**
     * @see javax.servlet.http.HttpServletRequestWrapper#isUserInRole(java.lang.String)
     */
    public boolean isUserInRole(String role) {
        Subject subject = jaasHelper.getSessionSubject(request, false);
        return jaasHelper.isSubjectInRole(subject, role);
    }
}

3. When you call your LoginModule get the Subject and place in the session
and then write your own code to validate the Subject has the role required.

4. As for passing the session to your LoginModule, which I wouldn't do in a
puristic way as the LoginModule should be able to be used by a Swing app just
as much as a web app.

well. my login module would be for the very special purpose of making 
SSO of webapps possible, so i wouldn't have much of a problem with this.



Construct a CallBackHandler with the username and password but also with
the session or request. Then in your loginmodule you will have access to the
request/session when you invoke handle callback




wow. thanks a lot!
the code looks much simpler than i would have expected.

i think this will do nicely. :)

Edmund
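An added example, not code from Mark, Edmund or any of the projects named in the thread, that fills in the parts the posted filter and wrapper rely on: Mark's step 3 (run the LoginModule, keep the Subject in the session, check roles against it), his step 4 (a CallbackHandler that carries the request as well as the name and password, so a web-aware module such as the SSO module Edmund is planning can reach the session), and stand-ins for the two SecurityHelper methods the wrapper calls. Every class, attribute and principal name here is an assumption, as is the convention that a module expresses granted roles as RolePrincipal entries on the Subject.

```java
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Glue between a JAAS LoginContext and the servlet session, written for this
 * thread as an illustration. Class, attribute and principal names are assumptions.
 */
public final class WebJaasSupport {

    /** Session attribute under which the authenticated Subject is kept (assumed name). */
    public static final String SUBJECT_ATTR = WebJaasSupport.class.getName() + ".SUBJECT";

    private WebJaasSupport() {
    }

    /** Marker principal a LoginModule adds to the Subject for each granted role (hypothetical). */
    public static final class RolePrincipal implements Principal {
        private final String name;

        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
    }

    /** Callback a web-aware LoginModule can include in its array to receive the current request. */
    public static final class RequestCallback implements Callback {
        private HttpServletRequest request;

        public HttpServletRequest getRequest() { return request; }
    }

    /** Answers name and password callbacks and, for modules that ask, hands over the request. */
    public static final class WebCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;
        private final HttpServletRequest request;

        public WebCallbackHandler(String username, char[] password, HttpServletRequest request) {
            this.username = username;
            this.password = password;
            this.request = request;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(username);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof RequestCallback) {
                    ((RequestCallback) cb).request = request;
                } else {
                    throw new UnsupportedCallbackException(cb, "callback type not supported");
                }
            }
        }
    }

    /**
     * Runs the named entry of the JAAS login configuration and parks the resulting
     * Subject in the session. The session id is rotated before login so an id the
     * browser already had before authenticating cannot be reused afterwards.
     */
    public static Subject login(HttpServletRequest request, String loginConfigName,
            String username, char[] password) throws LoginException {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        LoginContext lc = new LoginContext(loginConfigName,
                new WebCallbackHandler(username, password, request));
        try {
            lc.login();
        } finally {
            Arrays.fill(password, '\0'); // do not keep the clear-text password around
        }
        fresh.setAttribute(SUBJECT_ATTR, lc.getSubject());
        return lc.getSubject();
    }

    /** Stand-in for the SecurityHelper.getSessionSubject(request, create) call in Mark's wrapper. */
    public static Subject getSessionSubject(HttpServletRequest request, boolean create) {
        HttpSession session = request.getSession(create);
        return session == null ? null : (Subject) session.getAttribute(SUBJECT_ATTR);
    }

    /** Stand-in for isSubjectInRole: true only if the Subject carries a matching RolePrincipal. */
    public static boolean isSubjectInRole(Subject subject, String role) {
        return subject != null && role != null
                && subject.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role));
    }
}
```

A login form handler calls WebJaasSupport.login(request, "AppLogin", user, passwordChars) once, and from then on the wrapper's isUserInRole works off the Subject in the session. The role check deliberately looks only at RolePrincipal entries rather than at every Principal name on the Subject, so a user principal whose name happens to equal a role name does not pass the check.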





Re: can I prevent DoS (Denial of Service) Attacks in JSP?

2005-08-02 Thread Edmund Urbani

Larry Meadors wrote:


Hmm, that is like asking how to avoid automobile accidents.

Larry


On 8/2/05, Ben Bookey [EMAIL PROTECTED] wrote:


Dear List,

I have been asked if its possible to prevent DoS attacks inside Java
(JSP/Servlet).

I guess it is ... is this something however that TC would be configured to
deal with, or
must I do something myself. Whats normal ?

Many thanks in advance!
Best wishes
Ben Bookey


i guess one could attempt to write a filter that rejects requests that 
*look like* they are part of a DoS attack, but there's always the risk 
of eliminating legitimate traffic with this. and it probably won't help 
at all if the attacker found a weak spot specific to your web application.


Edmund

BTW don't forget to fasten your seatbelt.
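An added example of the kind of filter Edmund describes, not code from this thread or from Tomcat: a per-client request budget that answers 429 once a client exceeds its share of a window. It illustrates both halves of his point, since it blunts a flood of ordinary requests but does nothing against a request that is expensive because of a flaw in the application itself, and it can shut out legitimate users who share an address. Class name, limits and window size are assumptions; ConcurrentHashMap.compute needs Java 8 or later.

```java
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Per-client request budget, written for this thread as an illustration (not
 * Tomcat code). Limits and names are assumptions; tune them to real traffic.
 */
public class RequestBudgetFilter implements Filter {

    /** Requests allowed per client per window (assumed value). */
    static final int LIMIT_PER_WINDOW = 120;
    static final long WINDOW_MILLIS = 60_000L;
    /** Above this many tracked clients, drop expired windows on the next request. */
    static final int EVICT_THRESHOLD = 10_000;

    static final class Window {
        final long start;
        final AtomicInteger count = new AtomicInteger();
        Window(long start) { this.start = start; }
    }

    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    public void init(FilterConfig config) {
    }

    public void destroy() {
        windows.clear();
    }

    /** Counts one request for the client; false once the client has used up its budget. */
    boolean allow(String clientKey, long now) {
        Window w = windows.compute(clientKey, (k, old) ->
                (old == null || now - old.start >= WINDOW_MILLIS) ? new Window(now) : old);
        boolean ok = w.count.incrementAndGet() <= LIMIT_PER_WINDOW;
        if (windows.size() > EVICT_THRESHOLD) {
            evictExpired(now);
        }
        return ok;
    }

    private void evictExpired(long now) {
        for (Iterator<Window> it = windows.values().iterator(); it.hasNext();) {
            if (now - it.next().start >= WINDOW_MILLIS) {
                it.remove();
            }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Key on the TCP peer. Read X-Forwarded-For only when a proxy you control sets it,
        // otherwise the client picks its own key. Clients behind one NAT share a budget,
        // which is exactly the "eliminating legitimate traffic" risk Edmund mentions.
        String clientKey = request.getRemoteAddr();
        if (!allow(clientKey, System.currentTimeMillis())) {
            HttpServletResponse resp = (HttpServletResponse) response;
            resp.setHeader("Retry-After", String.valueOf(WINDOW_MILLIS / 1000));
            resp.sendError(429, "Too Many Requests"); // 429 has no SC_ constant in older servlet APIs
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Declare it in web.xml in front of the application's own filters so rejected requests never reach servlet code. Because the map is keyed by address, a flood from many spoofed or distinct addresses still costs memory, which is why the eviction threshold exists; a limit like this belongs in front of the container (a reverse proxy or firewall) wherever one is available.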




Re: Tomcat SSL Cipher Configuration

2005-07-18 Thread Edmund Urbani
Jojo Paderes wrote:

Hi,

I'm looking for some decent documentation and technical reference on
how to configure Tomcat's SSL cipher. Say for example I want Tomcat to
support a specific SSL cipher suite like Triple DES. Hope someone has done
something like this already.

I'm using Tomcat 5.5 btw.

Thanks, Jojo

I may be mistaken here, but I don't think Tomcat does provide config
options for the actual ciphers used - at least not in server.xml. It
relies on the ciphers provided by the JDK. I think those can be
configured in the policy file. This might be useful for you:
http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html

 Edmund
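An added example, not from this thread or from Tomcat, that makes Edmund's point concrete: the suites a Tomcat instance can negotiate are whatever the JDK's SSLContext offers, and this program lists that set, marks which of them the JDK enables by default, and applies a simple rule for suites a deployment should refuse (no encryption, no authentication, export grade, RC4, DES, 3DES or MD5). The rule is this example's own, and the class and method names are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Lists which cipher suites the running JDK offers and which of them a
 * deployment should refuse. Written for this thread as an illustration;
 * the weak-suite rule below is this example's own choice, not Tomcat's.
 */
public final class CipherSuiteAudit {

    private CipherSuiteAudit() {
    }

    /** Everything the JDK's default SSLContext can negotiate at all. */
    public static List<String> supported() throws NoSuchAlgorithmException {
        return Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites());
    }

    /** The subset the JDK enables when the application does not choose itself. */
    public static List<String> enabledByDefault() throws NoSuchAlgorithmException {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites());
    }

    /** Suites without encryption, without authentication, export-grade, or built on RC4/DES/3DES/MD5. */
    public static boolean isWeak(String suite) {
        return suite.contains("_NULL_") || suite.contains("_anon_") || suite.contains("_EXPORT")
                || suite.contains("_RC4_") || suite.contains("_DES_") || suite.contains("3DES")
                || suite.endsWith("_MD5");
    }

    /** The suites one would actually hand to a connector, in the JDK's own order. */
    public static List<String> withoutWeak(List<String> suites) {
        List<String> keep = new ArrayList<>();
        for (String s : suites) {
            if (!isWeak(s)) {
                keep.add(s);
            }
        }
        return keep;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        List<String> defaults = enabledByDefault();
        for (String s : supported()) {
            System.out.println((isWeak(s) ? "REJECT  " : "allow   ")
                    + (defaults.contains(s) ? "[default] " : "          ") + s);
        }
    }
}
```

Running it with the JDK that Tomcat uses shows at a glance whether a suite like the Triple DES one Jojo asks about is even available there, and whether it is on by default; by the rule above it is in the REJECT column, so a deployment that wants it has to opt in deliberately.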





Re: how do i prevent tomcat5 from adding trailing slash?

2005-07-04 Thread Edmund Urbani
Bill Barker wrote:

Edmund Urbani [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

hi!

i ran into some trouble with tomcat5 and its slash adding behaviour.
there's this MS WebFolder client (M$ for WebDAV), that does not seem to
be able to cope with status 302 redirects in some situations. in order
to work around this problem i modified the class
org.apache.tomcat.util.http.mapper.Mapper, so it would not add a
trailing slash for an URL like http://host:8080/slide. But since I
really don't want to (and usually don't need to) change anything about
tomcat, I'd rather have a configuration option for this. I know that the
old tomcat4 did not do redirects for this either, so I thought maybe
someone would add a config option to revert to that old behaviour.

if not, is there any way to prevent this redirect without modifying
tomcat5's source?




I'm too lazy to look at the commit log to see what TC 5 version it was 
changed in, but if you use <url-pattern>/*</url-pattern> for your webdav 
servlet instead of <url-pattern>/</url-pattern>, Tomcat will not send the 
302 response for a directory request.

thank you, thank you, thank you, thank you!!

it works. that's the kind of mail i like to see in my inbox when
i get into the office monday morning :)

i also had to change slide's default-servlet parameter to false to
make it work.

 Edmund




how do i prevent tomcat5 from adding trailing slash?

2005-07-01 Thread Edmund Urbani

hi!

i ran into some trouble with tomcat5 and its slash adding behaviour.
there's this MS WebFolder client (M$ for WebDAV), that does not seem to
be able to cope with status 302 redirects in some situations. in order
to work around this problem i modified the class
org.apache.tomcat.util.http.mapper.Mapper, so it would not add a
trailing slash for an URL like http://host:8080/slide. But since I
really don't want to (and usually don't need to) change anything about
tomcat, I'd rather have a configuration option for this. I know that the
old tomcat4 did not do redirects for this either, so I thought maybe
someone would add a config option to revert to that old behaviour.

if not, is there any way to prevent this redirect without modifying
tomcat5's source?

Cheers,
 Edmund





Re: how do i prevent tomcat5 from adding trailing slash?

2005-07-01 Thread Edmund Urbani

actually i'm currently using a standalone tomcat with its own http
connector. working around the problem by using the apache httpd would be
helpful in some production environments, but it's at least as important
to get this to work with a standalone configuration for
development/testing and other httpd-less configurations.

besides. are you sure this would work? I mean, it looks like apache
would pass the request to tomcat nicely, but i don't see why tomcat
would change it's behaviour and NOT send back a status 302 redirect
response.

Sheets, Jerald wrote:

Greetings...

In your mod_jk.conf, you have JkMount directives like so:

JkMount /servlet/* ajp13
JkMount /jsp-examples/* ajp13
JkMount /servlets-examples/* ajp13

I find that in your mounts that if you simply remove the trailing slash
in these, you can then call those URIs without the slash:

JkMount /servlet* ajp13
JkMount /jsp-examples* ajp13
JkMount /servlets-examples* ajp13

So, you can call

http://your.server.com:8080/servlet
http://your.server.com:8080/jsp-examples
http://your.server.com:8080/servlets-examples

Or, if you've mapped those guys through a connector to the parent web
server:

http://your.server.com/servlet
http://your.server.com/jsp-examples
http://your.server.com/servlets-examples

I hope that helps.

Jerald Sheets
Systems Administrator
The Weather Channel Interactive


-Original Message-
From: Edmund Urbani [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 01, 2005 9:43 AM
To: tomcat-user@jakarta.apache.org
Subject: how do i prevent tomcat5 from adding trailing slash?


hi!

i ran into some trouble with tomcat5 and its slash adding behaviour.
there's this MS WebFolder client (M$ for WebDAV), that does not seem to
be able to cope with status 302 redirects in some situations. in order
to work around this problem i modified the class
org.apache.tomcat.util.http.mapper.Mapper, so it would not add a
trailing slash for an URL like http://host:8080/slide. But since I
really don't want to (and usually don't need to) change anything about
tomcat, I'd rather have a configuration option for this. I know that the
old tomcat4 did not do redirects for this either, so I thought maybe
someone would add a config option to revert to that old behaviour.

if not, is there any way to prevent this redirect without modifying
tomcat5's source?

Cheers,
 Edmund



sharing objects between webapps

2002-06-05 Thread Edmund Urbani


Hi!

I'm currently working on two webapps that run in the same Tomcat (4.0.1)
and share some common data. To do so efficiently, I would need them to
actually access the same java objects in memory (really the instances,
not just same classes).

So, is it possible for one webapp to make an object accessible to
another? If so, how?

 Edmund

