RE: [ANNOUNCE] Tomcat 4.0 Beta 2
Bonza job guys, thank you :-)

Kevin Jones
DevelopMentor
www.develop.com

-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: 31 March 2001 08:27
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ANNOUNCE] Tomcat 4.0 Beta 2

I'm pleased to announce the availability of the Beta 2 release of the next generation of the Tomcat servlet container, at:

http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0-b2/

Tomcat 4.0 beta 2 has many new features, including:

* Tomcat 4.0 can now run web applications out of an unpacked directory or directly from a WAR file.
* Web applications are now run under the control of a Java SecurityManager that can support fine-grained control over each web-app's access to system resources.
* You can now specify a DefaultContext element in the server configuration file (server.xml) that defines default configuration information for contexts that are automatically configured.
* An example Filter implementation that supports on-the-fly GZIP compression for clients that support it.
* A servlet that implements all of the NCSA documented functionality for server side includes (*.shtml) except for the "exec" capability.
* Standard resource factories for JavaMail related resources accessible via a JNDI InitialContext, compatible with J2EE Specification requirements.
* Reflects the most up-to-date changes in the Servlet 2.3 and JSP 1.2 APIs that have been approved by the JSR-053 expert group, and will appear in the next published version of the corresponding specifications.

In addition, the following major bug fixes are included:

* Fixes for two reported security vulnerabilities (a "cross site scripting vulnerability" plus a "URL decoding vulnerability")
* The JSP servlet (Jasper) that compiles and executes JSP pages now uses its own classloader its associated XML parser, which avoids potential conflicts with parsers included with a web application.
* Bug fix updates for directory listings, the WebDAV support, binding to a single IP address (if requested), incorrectly named access log files, URL decoding improvements, form-based authentication, HTTP/1.1 chunking, isUserInRole(), JSP page parsing problems, and many other patches.

See the Tomcat 4.0 Beta 2 Release Notes (RELEASE-NOTES-4.0-B2.txt) that are included in the top-level directory of the release for more detailed information.

Craig McClanahan
Response.sendError in TC4
Can I configure the way that TC interprets this API? I was thinking I'd like to fully format the output of the error, but TC4 builds an HTML response and includes whatever I write as part of that string. Is there a way to override this?

Kevin Jones
DevelopMentor
www.develop.com
RE: Bugs or what ???
If you don't want this behaviour you need to run Tomcat under a security manager and disallow web-apps the authority to do this,

Kevin Jones
DevelopMentor
www.develop.com

-Original Message-
From: Daniel K [mailto:[EMAIL PROTECTED]]
Sent: 29 March 2001 04:37
To: [EMAIL PROTECTED]
Subject: Bugs or what ???

Hi,

I put "<% System.exit(0); %>" in my jsp file and my tomcat stopped working ( I have to start it again ). Is this bugs or ??

spec :
- Tomcat 3.2.1
- RH 7
- jdk 1.3 (Sun)
Tomcat 4 service
I have tomcat 3.2 running as a service under W2K. I seem to remember that this wasn't available for Tomcat 4 (running it as a service that is), or is the code now available?

Thanks,

Kevin Jones
DevelopMentor
www.develop.com
Login
I have a web-app that I want people to logon to. If the web-app is called foo, I put a constraint in web.xml stopping GET access to /foo/*. I then specify /foo/login.jsp and /foo/error.jsp as the login/error pages.

Under TC4 this all works, I browse to http://localhost/foo, get re-directed to the login page and off we go. However, this configuration causes TC 3.2 to go into an infinite loop. The browser asks for login.jsp and keeps getting re-directed to login.jsp because everything under /foo is protected.

Kevin Jones
DevelopMentor
www.develop.com

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
RE: Login
> And your question would be

- patronising already.

> I am assuming that you are wanting a work-around. Well, if you get

No I don't want a workaround - I've already got it working. I was pointing this out because

a) it is conflicting behaviour in the two current versions of Tomcat (3.2.1 and TC 4) and
b) the spec is silent on the behaviour and I was wondering if Craig or any of the other Tomcat authors would comment

> Your problem stems from the fact that when users type in URLs the request is made as a get, which you have disallowed. (This part you probably knew) This is then sent to the error page, as a get, which generates an error, which sends it to the error page as a get, and so on.

Yes, and TC4 doesn't show this behaviour!

Kevin Jones
DevelopMentor
www.develop.com

-Original Message-
From: Randy Layman [mailto:[EMAIL PROTECTED]]
Sent: 19 February 2001 14:21
To: [EMAIL PROTECTED]
Subject: RE: Login

And your question would be

I am assuming that you are wanting a work-around. Well, if you get Tomcat 3.2.2 (I think you still have to get it from CVS, but it should be released shortly) you will start getting 404 errors instead of infinite loops, I believe.

Two work arounds:

1. What you probably want to do is to move everything in /foo to /foo/protected, except for login and error. Then disallow GET on /foo/protected/*.
2. What you probably don't want to do (but might) is to allow GET on /foo/login.jsp and /foo/error.jsp and disallow everything else (a hassle because you have to explicitly disallow everything else and you must maintain the list in order to keep your site secure).

Randy

-Original Message-
From: Kevin Jones [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 19, 2001 9:42 AM
To: Tomcat-User
Subject: Login

I have a web-app that I want people to logon to. If the web-app is called foo, I put a constraint in web.xml stopping GET access to /foo/*. I then specify /foo/login.jsp and /foo/error.jsp as the login/error pages.

Under TC4 this all works, I browse to http://localhost/foo, get re-directed to the login page and off we go. However, this configuration causes TC 3.2 to go into an infinite loop. The browser asks for login.jsp and keeps getting re-directed to login.jsp because everything under /foo is protected.

Kevin Jones
DevelopMentor
www.develop.com
RE: Login
Thanks Craig, I've e-mailed the JSR53 group

> One note on your original example, however -- if "/foo" is the context path to your application, and you wish to protect the entire webapp, you would use "/*" as the URL pattern inside your security constraint.

My example was wrong, my logic right. bar is the application, foo a sub-directory, I disallow access to /foo/*

Kevin Jones
DevelopMentor
www.develop.com

-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: 19 February 2001 20:56
To: [EMAIL PROTECTED]
Subject: Re: Login

Kevin Jones wrote:

> No I don't want a workaround - I've already got it working. I was pointing this out because
>
> a) it is conflicting behaviour in the two current versions of Tomcat (3.2.1 and TC 4) and
> b) the spec is silent on the behaviour and I was wondering if Craig or any of the other Tomcat authors would comment

It is a bug in 3.2.1. There is a bunch of special case logic in Tomcat 4.0 to let you see the form login (and error) page, even if it is within the set of URLs protected by a security constraint. This is likely to get clarified in the next round of the 2.3 specification.

One note on your original example, however -- if "/foo" is the context path to your application, and you wish to protect the entire webapp, you would use "/*" as the URL pattern inside your security constraint.

Craig
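
The two layouts discussed in this thread, as an added web.xml example that is not part of the original messages: the constraint from the original post (kept as a comment) beside Randy Layman's first work-around. The role name "user" and the web-resource-name values are assumptions; the corrected constraint leaves out http-method because a constraint that lists only GET does not apply to other HTTP methods.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Layout from the original post, kept as a comment for comparison.
       login.jsp and error.jsp sit under the protected pattern, which is
       what sent Tomcat 3.2.1 into the redirect loop.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foo</web-resource-name>
      <url-pattern>/foo/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  -->

  <!-- Work-around 1 from the thread: protected content moves to
       /foo/protected/ while login.jsp and error.jsp stay in /foo/.
       No http-method element, so the constraint applies to every HTTP
       method. "foo-protected" and "user" are assumed names. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foo-protected</web-resource-name>
      <url-pattern>/foo/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form login pages named in the original post; both are outside the
       protected pattern, so the container can always serve them. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/foo/login.jsp</form-login-page>
      <form-error-page>/foo/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```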
RE: problem with init-param
You have two instances of the servlet executing. One with the name (/servlet/Init-Test) and one without (/servlet/Test) (this is expected). The first one gets initialised and the init-params get set. The container has no info. about the second, apart from the fact that you are calling it through /servlet.

Try browsing to http://localhost:8080/mytest/servlet/Init-Test, you should get the first instance, init-params and all

Kevin Jones
DevelopMentor
www.develop.com

-Original Message-
From: ms [mailto:ms]On Behalf Of Martin Schmidt
Sent: 02 February 2001 13:31
To: [EMAIL PROTECTED]
Subject: problem with init-param

Hi,

my init-params were set if i enable load-on-startup (got some System.outs in the init()). But if i invoke a request, first the init is called again (hm?) and second the init-params are null!!!

Here's my web.xml (taken from WEB-INF):

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
      <servlet>
        <servlet-name>Init-Test</servlet-name>
        <servlet-class>test</servlet-class>
        <load-on-startup>10</load-on-startup>
        <init-param>
          <param-name>configFile</param-name>
          <param-value>/usr/local/myapps/test/test.conf</param-value>
        </init-param>
      </servlet>
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
    </web-app>

My system consists of 2 linux-pcs (suse 7.0) one with apache and mod_jk, the other without apache but with tomcat. This shouldn't matter (a direct request to tomcat, like http://tcworker:8080/mytest/servlet/test, doesn't get the init-params too) but who knows

Any suggestions, hints or other helpful statements?

Thanks in advance.

Martin
RE: include jsp:forward
The problem is not using forward and include on the same page. The problem is the way forward works. The logic of forward is "I'm done processing, and I haven't written any output back to the client, let somebody else do that". This means you cannot forward AFTER you've written anything to the output stream. Your include does a flush=true (it has to in the current spec.).

What you really want to do here (I would guess), is a <%@ include file="header.html" %>, i.e. a static include not a dynamic include,

Kevin Jones
DevelopMentor
www.develop.com

-Original Message-
From: Doremieux, Olivier [mailto:[EMAIL PROTECTED]]
Sent: 30 January 2001 23:20
To: '[EMAIL PROTECTED]'
Subject: jsp:include jsp:forward

Hello,

Is there some way to have a jsp:include jsp:forward on the same page? I am trying to write some code like that :

    <HTML>
    <HEAD>
    <TITLE>foo</TITLE>
    </HEAD>
    <BODY bgcolor="#CE">
    <jsp:include page="header.html" flush="true"/>
    <BR><BR>
    <CENTER><b>Updating the Database... Please WaitDone.</b></CENTER>
    <%
    // Database Update here
    }
    %>
    <jsp:forward page="/NextPage.jsp"/>
    </BODY>
    </HTML>

But I am getting the following error :

    Error: 500
    Location: /processTask0.jsp
    Internal Servlet Error:
    java.io.IOException: Error: Attempt to clear a buffer that's already been flushed
        at org.apache.jasper.runtime.JspWriterImpl.clear(JspWriterImpl.java:180)
        at _0002fprocessTask_00030_0002ejspprocessTask0_jsp_2._jspService(_0002fprocessTask_00030_0002ejspprocessTask0_jsp_2.java:90)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:177)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:318)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:391)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
        at org.apache.tomcat.core.Handler.service(Handler.java:286)
        at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
        at java.lang.Thread.run(Thread.java:484)

Any idea how to fix that?

Thank you,

Olivier Doremieux
Senior Staff Engineer
Celera Applied Genomics
384 Foster City Blvd., Foster City, CA 94404
Tel: 650-554-2243
FAX: 650-638-6222
e-mail: [EMAIL PROTECTED]
RE: session variables in a server farm
The spec allows for web servers to exchange session state. To do this you need to mark your app as distributable, and make sure everything in the session is serializable. In all honesty (and I stand to be corrected) I'm not sure how many servers will implement this for load balancing. It just strikes me as being too expensive.

One solution is to store the data in another server (usually a database) and keep a cached local copy on each server in the farm. Along with the cookie pass a timestamp so that you know if the cache is still valid. On each initial hit to a server you retrieve the state from the DB and so incur a roundtrip, on subsequent hits you may incur a roundtrip depending on the state of the cache.

Using the cache may or may not be a good idea depending on your usage profile. If the session is usually read, then the cache is a good idea. If you do lots of writes then the cache will just slow things down.

Kevin Jones
DevelopMentor
www.develop.com

-Original Message-
From: Ferguson, Doug [mailto:[EMAIL PROTECTED]]
Sent: 31 January 2001 15:35
To: '[EMAIL PROTECTED]'
Subject: session variables in a server farm

Is there an elegant way to implement session variables in a load balancing scenario?

If I understand correctly everything is stored on the server and a sessionID is stored in the user's browser so that the server can look it up. But what happens when the user gets routed to another server which doesn't have their info stored in the session, we wouldn't want them to log in again.

We thought about placing this info in our ejb layer. But we'd like to not have to do a remote call just for authentication purposes.

d.
Writing Filters
Is there an easy way to create a ServletOutputStream in a Filter? What I want to do is get the result of a resource call getOutputStream.write(...). To do this I need to supply my own ServletOutputStream, but SOS is abstract, so it seems I must subclass and provide my own class. There must be a better way, is there?

Kevin Jones
DevelopMentor
www.develop.com
RE: Tomcat on Linux
Thanks Marcus,

I wanted to use it standalone, but I've come to the conclusion that the connector is the best way to go,

Kevin Jones
DevelopMentor
www.develop.com

-Original Message-
From: Marcus Crafter [mailto:[EMAIL PROTECTED]]
Sent: 07 December 2000 09:52
To: Tomcat-User
Subject: Re: Tomcat on Linux

Hi Kevin,

Are you using the apache connector ? If so, then set up apache to run as nobody, or httpd (it probably is already) and set the connector port above 1024. Then you'll be able to run tomcat under a normal user account, and the connector will provide your link to port 80.

Hope that helps.

Cheers,

Marcus

On Wed, 6 Dec 2000, Kevin Jones wrote:

> From a Linux newbie!
>
> What's the best way of getting Tomcat to run on port 80 on Linux (without running it as root)? I've re-configured Apache to run on 8080, I can start Tomcat as su on 80, but I'd like it to run on my account on 80.
>
> Anyone?
>
> Kevin Jones
> DevelopMentor
> www.develop.com

--
Marcus Crafter
Computer Systems Engineer
Open Software Associates GmbH
82-84 Mainzer Landstrasse
60327 Frankfurt Germany
Email : [EMAIL PROTECTED]
Business Hours : +49 69 9757 200
After Hours: +49 69 49086750
Tomcat on Linux
From a Linux newbie!

What's the best way of getting Tomcat to run on port 80 on Linux (without running it as root)? I've re-configured Apache to run on 8080, I can start Tomcat as su on 80, but I'd like it to run on my account on 80.

Anyone?

Kevin Jones
DevelopMentor
www.develop.com