Bump: Loss of Subject/AccessControlContext in JSTL
Hi All,

Is the below issue completely and utterly uninteresting and boring, or should I just go ahead and file a bug report?

Regards,
Michiel

We've been tracking a nasty issue in our web application when using Tomcat 5.0.28 and JSTL. If we call a method from JSTL, any code that tries to access the AccessControlContext behaves differently than it would if called directly in a JSP using plain java.

e.g. If we have a utility method in our dataBean that returns the (JAAS) Subject using Subject.getSubject(AccessController.getContext()), the syntax:

    <%= dataBean.getSubjectFromContext() %>

returns the Subject whereas:

    ${dataBean.subjectFromContext}

returns null

This is quite unexpected behaviour and seems to be caused by the call to:

    org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:880)

which uses AccessController.doPrivileged(PrivilegedExceptionAction) rather than AccessController.doPrivileged(PrivilegedExceptionAction, AccessControlContext) to evaluate the EL syntax.

I think that changing:

    retValue = AccessController.doPrivileged(
        new PrivilegedExceptionAction(){ . } );

To:

    retValue = AccessController.doPrivileged(
        new PrivilegedExceptionAction(){ . },
        AccessController.getContext() );

should solve this. Can someone please have a look at this?

Cheers,
Michiel

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Loss of Subject/AccessControlContext in JSTL
We've been tracking a nasty issue in our web application when using Tomcat 5.0.28 and JSTL. If we call a method from JSTL, any code that tries to access the AccessControlContext behaves differently than it would if called directly in a JSP using plain java.

e.g. If we have a utility method in our dataBean that returns the (JAAS) Subject using Subject.getSubject(AccessController.getContext()), the syntax:

    <%= dataBean.getSubjectFromContext() %>

returns the Subject whereas:

    ${dataBean.subjectFromContext}

returns null

This is quite unexpected behaviour and seems to be caused by the call to:

    org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:880)

which uses AccessController.doPrivileged(PrivilegedExceptionAction) rather than AccessController.doPrivileged(PrivilegedExceptionAction, AccessControlContext) to evaluate the EL syntax.

I think that changing:

    retValue = AccessController.doPrivileged(
        new PrivilegedExceptionAction(){ . } );

To:

    retValue = AccessController.doPrivileged(
        new PrivilegedExceptionAction(){ . },
        AccessController.getContext() );

should solve this. Can someone please have a look at this?

Cheers,
Michiel

--
Michiel Toneman
Software Engineer
Bibit Global Payment Services
Regulierenring 10
3981 LB Bunnik
[EMAIL PROTECTED]
Tel. +31-30-6595168
Fax +31-30-6564464
http://www.bibit.com/
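The difference between the two doPrivileged overloads named in the message above, as an added example that is not part of the original post and is not Tomcat or Jasper code. It assumes a JDK on which AccessController is still functional (for instance Java 8 through 17); the class name, helper names and principal are constructed for the illustration.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

// Added illustration, not Tomcat/Jasper code. Assumes a JDK where
// AccessController still works (e.g. Java 8 to 17). All names are constructed.
@SuppressWarnings({"removal", "deprecation"})
public class SubjectContextDemo {

    static final String USER = "CN=constructed-user";

    // Same lookup as the dataBean utility method described in the post.
    static Subject subjectFromContext() {
        return Subject.getSubject(AccessController.getContext());
    }

    // One-argument form, as used for EL evaluation: the action's context is
    // built only from the frames between this call and the lookup, so the
    // SubjectDomainCombiner installed by Subject.doAs is not inherited.
    static Subject viaOneArg() {
        PrivilegedAction<Subject> lookup = SubjectContextDemo::subjectFromContext;
        return AccessController.doPrivileged(lookup);
    }

    // Two-argument form proposed in the post: the caller's context, including
    // its combiner, is handed to the privileged block.
    static Subject viaTwoArg() {
        PrivilegedAction<Subject> lookup = SubjectContextDemo::subjectFromContext;
        return AccessController.doPrivileged(lookup, AccessController.getContext());
    }

    // Fail-closed check: a missing Subject means "not authenticated",
    // never "allowed".
    static boolean hasPrincipal(Subject s, String name) {
        return s != null && s.getPrincipals().stream()
                .anyMatch(p -> p.getName().equals(name));
    }

    static String describe(String label, Subject s) {
        return label + ": subject=" + (s == null ? "null" : s.getPrincipals())
                + " allowed=" + hasPrincipal(s, USER);
    }

    public static void main(String[] args) {
        Subject user = new Subject();
        user.getPrincipals().add(new X500Principal(USER));

        // Everything below runs "as" the user, like a request handled inside
        // a Subject.doAs established by a filter.
        PrivilegedAction<String> request = () -> String.join("\n",
                describe("direct call       ", subjectFromContext()),
                describe("doPrivileged(a)   ", viaOneArg()),
                describe("doPrivileged(a, c)", viaTwoArg()));
        System.out.println(Subject.doAs(user, request));
    }
}
```

The two-argument form also intersects the action's permissions with the supplied context, so under a SecurityManager the privileged block gains nothing beyond what the calling code already had.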
Re: percent 0008 exploit
I've just been trying to confirm the vulnerability without any luck. Any place in the wild where we could find such a problem?

I've tried replacing:

    http://www.server.dom/jsp/test.jsp

with:

    http://www.server.dom/jsp/test.jsp%0008

in a number of setups without any results.

Cheers,
Michiel

Norris Shelton wrote:

A co-worker that supports a federal site just got an e-mail from their admins indicating that his site is exposing jsp source code when they append %0008 to the end of their URLs. The view source shows his exact pages. He is using Tomcat 4.1.30 and JDK 1.4.2_05

I tried it on my servers (TC 4.1.30 and JDK 1.4.2_06). Is this a JRE vulnerability?

Norris Shelton
Software Engineer
Sun Certified Java 1.1 Programmer
Appriss, Inc.
ICQ# 26487421
AIM NorrisEShelton
YIM norrisshelton
Re: tomcat 5.0.28 on iseries
Hi Wouter,

I have no idea what an iseries vr5r2 is, but if it runs a halfway-recent java (> 1.3.x) and has a relatively conventional filesystem, Tomcat should run just fine.

Cheers,
Michiel

Roux, Wouter wrote:

Hi,

Does anybody know where I can find help to run Tomcat 5.0.28 on iseries vr5r2?

Thanks
Wouter Roux
Re: tomcat 5.0.28 on iseries
halfway-recent java (> 1.3.x)

Sorry, that should read >=

Michiel
Re: euro sign tomcat 4 - 5
IIRC you need 8859-15 for the EURO symbol if you are using the 8859 family of encodings. Better would be to use UTF-8. I'm guessing you were using UTF-8 before?

Regards,
Michiel

Dale, Matt wrote:

Sounds like your character set is set to 8859-1 instead of 8859-2. I'm not sure how or where to change this though.

-----Original Message-----
From: Xavier Frisaye [mailto:[EMAIL PROTECTED]
Sent: 11 October 2004 13:50
To: Tomcat Users List
Subject: euro sign tomcat 4 - 5

Hi all,

I've upgraded from Tomcat 4.1.24 to 5.0.28 and I'm encountering a problem with the euro sign when I try to write it from a servlet: it appears as ? instead of €, certainly a charset problem.

Is there any change made to Tomcat 5 which could explain this problem? (It works perfectly with Tomcat 4.1.24)

Regards
Xavier Frisaye
Re: One urgent help needed
      <servlet-class>com.sabratec.applinx.server.runtime.servlet.GXApplinxServlet</servlet-class>
      <init-param id="InitParam_1">
        <param-name>com.sabratec.gxhome</param-name>
        <param-value>C:\Program Files\Sabratec\ApplinX</param-value>
      </init-param>
      <init-param id="InitParam_2">
        <param-name>com.sabratec.logger</param-name>
        <param-value>appserver</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet id="execmethod_servlet">
      <servlet-name>execmethod</servlet-name>
      <servlet-class>com.sabratec.applinx.server.runtime.servlet.GXExecMethodServlet</servlet-class>
    </servlet>
    <servlet id="metadata_servlet">
      <servlet-name>metadata</servlet-name>
      <servlet-class>com.sabratec.applinx.server.runtime.servlet.GXMetaDataServlet</servlet-class>
    </servlet>
    <servlet id="execmethodform_servlet">
      <servlet-name>execmethodform</servlet-name>
      <servlet-class>com.sabratec.applinx.server.runtime.servlet.GXExecMethodFormServlet</servlet-class>
    </servlet>
    <servlet id="execmethodxmlform_servlet">
      <servlet-name>execmethodxmlform</servlet-name>
      <servlet-class>com.sabratec.applinx.server.runtime.servlet.GXExecMethodXmlForm</servlet-class>
    </servlet>
    <servlet id="oldbaseobj_servlet">
      <servlet-name>oldbaseobj</servlet-name>
      <servlet-class>com.sabratec.applinx.server.runtime.servlet.GXOldBaseObjectServlet</servlet-class>
    </servlet>
    <servlet-mapping id="execmethod_servletmapping">
      <servlet-name>execmethod</servlet-name>
      <url-pattern>/host-app/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping id="metadata_servletmapping">
      <servlet-name>metadata</servlet-name>
      <url-pattern>/metadata</url-pattern>
    </servlet-mapping>
    <servlet-mapping id="execmethodform_servletmapping">
      <servlet-name>execmethodform</servlet-name>
      <url-pattern>/execmethodform</url-pattern>
    </servlet-mapping>
    <servlet-mapping id="execmethodxmlform_servletmapping">
      <servlet-name>execmethodxmlform</servlet-name>
      <url-pattern>/execmethodxmlform</url-pattern>
    </servlet-mapping>
    <servlet-mapping id="oldbaseobj_servletmapping">
      <servlet-name>oldbaseobj</servlet-name>
      <url-pattern>/applinx</url-pattern>
    </servlet-mapping>
    <servlet-mapping id="oldbaseobj_servletmapping1">
      <servlet-name>oldbaseobj</servlet-name>
      <url-pattern>/applinx-basobj</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
      <!-- <welcome-file>index.jsp</welcome-file> -->
      <welcome-file>splash.html</welcome-file>
      <welcome-file>index.htm</welcome-file>
    </welcome-file-list>
    <resource-ref>
      <description>Oracle Datasource example</description>
      <res-ref-name>S2SOra</res-ref-name>
      <res-type>javax.sql.DataSource</res-type>
      <res-auth>Container</res-auth>
    </resource-ref>
    <session-config>
      <session-timeout>60</session-timeout> <!-- 30 minutes -->
    </session-config>
    <!-- Listeners -->
    </web-app>
RE: Tomcat Question - HELP
Let me summarise this thread:

1. You hate all those open source stuff
2. You are not a big fan of tomcat
3. You think we are not educated and professional
4. You will trust your web engineer over our judgement
5. You really don't care what your personal views are
6. You seem to know exactly what this forum is for and how we should run it and behave on it
6. You won't do what you are asked (i.e. post a simple logfile)
7. You seem to think as a Unix admin that killing a process that has an obvious, documented and non-trivial shutdown sequence is a good idea (I'm sure DBA's will love you for this)
8. You publicly admitted to mailing Rick Moen directly for help (great autoreply though ;-) )

What gets me is that everyone who replied to you was civil and helpful. Really, you guys are the greatest! I'm mostly a lurker and I've totally lost control (yes I know: YHBT. YHL. HAND.)

Daniel, I just hope for your sake that no potential future employer ever finds this thread on Google (or that you are wisely using an alias).

Have a good weekend,
Michiel
Re: too many JAAS...
Hi Rene,

You can have a look at http://www.kopz.org/public/documents/tomcat/jaasintomcat.html

It contains a known-good approach so it may be of some use to you.

Michiel

Rene Paulokat wrote:

hi again,

fiddled around with JAASRealm in tomcat 5.0.28 but still did not succeed. so i`ll ask a few simple questions: (which actually seemed already answered to me while reading tons of faq/documentation - but it still does not work)

is it possible to authenticate users via servlet, when the actual page does not include action-url 'j_security_check' e.g.

    <form action="myservlet.do" method="POST">

i need to do so, because 'MyCallbackHandler' needs more specific data

if so, is it furthermore possible to do smthng like:

    LoginContext ctx = new LoginContext(logonDef, new MyCallbackHandler(user,pass,object));
    ctx.login();

if so, why do i have loads of problems when i try to retrieve MyCallbackHandler in my custom LoginModule when simple doin:

    public class MyLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map sharedState;
        private Map options;
        private Logger logger;

        public void initialize(Subject subject, CallbackHandler callbackHandler,
                               Map sharedState, Map options) {
            this.subject = subject;
            this.handler = callbackHandler;
            this.sharedState = sharedState;
            this.options = options;
            this.logger = Logger.getLogger(MyLoginModule.class);
        }

        public boolean login() {
            MyCallbackHandler myhandler = (MyCallbackHandler) this.handler;
            // do something with it..
            // but here the ClassCastException shows up
            ...
        }
        ...
    }

thanks in advance..
insanely
rene
Re: beware: stackTrace was: Re: RE : too many JAAS...
Just checking, but in your original post you described your loginmodule as:

    public class MyLoginModule implements LoginModule {

however, your ClassCastException mentions:

    com.warenform.ima_frontend.interf.DabLoginModule.login

Can you check if you really are referring to the same classes (also in login.conf)?

Michiel

On Wed, Sep 22, 2004 at 03:33:27PM -0400, Shapira, Yoav wrote:

Hi,

What's the stack trace for the ClassCastException?

here it comes:

rene

--
javax.security.auth.login.LoginException: java.lang.ClassCastException
    at com.warenform.ima_frontend.interf.DabLoginModule.login(DabLoginModule.java:56)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.warenform.ima_frontend.action.DabLoginAction.execute(DabLoginAction.java:185)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:106)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:717)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:576)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:534)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:730)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.warenform.ima_frontend.action.DabLoginAction.execute(DabLoginAction.java:185)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at
Re: jsp:useBean problem (bug?) with Jasper
Just replying to myself here, upgrading to 5.0.28 solved the problem. If anyone else is having this problem with 5.0.25, please note that the jasper that comes with that release is 'borken'.

Sing with me: happy, happy, happy, joy, joy, joy

Michiel

Michiel Toneman wrote:

We are using an ant task to precompile our JSP's. Since we have switched from 5.0.19 to 5.0.25 on our development environment, many JSP files that use the jsp:useBean tag no longer compile.

The error I'm getting is:

    BUILD FAILED: /compile/project/build.xml:209: org.apache.jasper.JasperException: file:/tmp/output/ROOT/jsp/monitor/monitor.jsp(6,0) The value for the useBean class attribute com.example.AccountingBean is invalid.

I know that this kind of error occurs when there is no no-argument constructor in the Bean. The AccountingBean does have a constructor, but it is a no-argument constructor. If I remove the constructor from the Bean, the JSP can be compiled normally. If I use the jasper-compiler.jar from 5.0.19 instead of the one that comes with 5.0.25, everything compiles normally.

Am I right to conclude that this is a bug in jasper-compiler?

Michiel

Example code:

monitor.jsp
--
    <jsp:useBean id="widget" scope="request" class="nl.bibit.internal.accounting.admin.AccountingWidgetBean" />
--

com.example.AccountingBean.java
-
    public class AccountingBean {
        public AccountingBean() {
            isTest = true;
        }
        ...
    }
-
Re: [OFFTOPIC] Removing attribute from all HttpSessions
Bad caching strategy. Try using a singleton cache backed by a HashMap. Have an invalidation method that takes a pagekey as argument. Create a simple get(pagekey) that checks for invalidation and refills the cache entry when necessary. No need to go iterating over sessions...

Just my $0.02 :-)

Michiel

Allistair Crossley wrote:

Hey,

I am putting a page caching strategy into place per user session. However, there are times when I need to refresh all the caches for all users. For example, let's say 5 users have a cached version of page 5. An external event causes page 5 to invalidate. I need an effective strategy to flush all sessions with page 5 cached.

Thoughts appreciated,
Allistair.
Re: java.lang.OutOfMemoryError
In addition to Yoav's comment, you may also want to check on the number of sessions that get created. I know that JRun3 didn't create a session when it wasn't necessary to do so, Tomcat 5 (as per servlet spec.) always creates a session. Typically webcrawlers don't 'do' cookies, so a new session gets created for each request. This can of course have a significant effect on memory.

Regards,
Michiel

Matt He wrote:

Hi,

We upgraded our Tomcat server from 3.0 to 5.1.19 about two months ago (linux machine). Since then it frequently crashed (twice a week). It seems like the crash was caused by a web crawler. This web crawler generates many threads and quickly drained server memory. The log file showed java.lang.OutOfMemoryError. When we use Tomcat 3, this crawler didn't cause this problem. Does anyone have any suggestion on how to solve this problem (we don't want to block this crawler)?

Thanks.
Matt
Re: java.lang.OutOfMemoryError
True, there is a definite memory leak when using a connector and a front-end webserver (e.g. mod_jk, mod_jk2)

You can try fixing this by putting:

    # Fix memory leak bug in tomcat 5.0.19:
    request.registerRequests=false

in $TOMCAT_HOME/conf/jk2.properties

Cheers,
Michiel

Allistair Crossley wrote:

We had memory loss with 5.0.19. We profiled a 5.0.19 web app and found that memory was not being garbage collected too well. As soon as we upgraded this went away and was proven by the profiling.

Start by trying out 5.0.27 and see how it goes. If it still happens then take Yoav's advice and profile your app using the (now freeware and excellent) JProbe (www.quest.com) and go from there.

ADC

-----Original Message-----
From: Matt He [mailto:[EMAIL PROTECTED]
Sent: 05 August 2004 15:43
To: Tomcat Users List
Subject: java.lang.OutOfMemoryError

Hi,

We upgraded our Tomcat server from 3.0 to 5.1.19 about two months ago (linux machine). Since then it frequently crashed (twice a week). It seems like the crash was caused by a web crawler. This web crawler generates many threads and quickly drained server memory. The log file showed java.lang.OutOfMemoryError. When we use Tomcat 3, this crawler didn't cause this problem. Does anyone have any suggestion on how to solve this problem (we don't want to block this crawler)?

Thanks.
Matt
Re: jspc
A good reason to precompile your JSP files is to make sure you don't accidentally have broken JSP files on production. You then know *before* deployment if any changes to your JSP files or the java classes they belong to cause breakage.

Michiel

Paul Wallace wrote:

Hi,

Yes..that is what I thought, but I learned from a 'reliable' source I could accomplish this on saving overhead. So rather than looking into the whys and whats, I looked into how to do it, and look into the performance benefits later. I will provide the list with my source's reasoning, when it becomes available!

A thought..and to answer a question with a question (Why would you precompile jsp files?), why is jspc there? If only to increase performance on the first hit?

Thanks
Paul.

It will increase speed on the first viewing of the jsp, but after that I can't see how there will be any difference. How much memory can you save if any? And how would that work?

Thanks

On Fri, 25 Jun 2004 11:12:44 +1000, Paul Wallace [EMAIL PROTECTED] wrote:

In an effort to increase speed/free up memory that otherwise might be consumed by Tomcat otherwise

Why would you precompile jsp files?

On Fri, 25 Jun 2004 09:32:38 +1000, Paul Wallace [EMAIL PROTECTED] wrote:

(sorry, wrong key!)

Hi Jason,

Thanks for that. Yes, it does make sense. A couple of things though, I just ran it with -compile - great. But my query about the work directory and was more towards what I am being 'encouraged' to do from the powers that be. I.e not WAR the app., but put it in the work directory. Is this ill-advised/poor practice? To accomplish this, is it as simple as dragging the compiled source under my work directory, and modifying my web.xml as advised?

Why does -compile work, but not appear in the usage?! Also, can I specify a path for the compilation, rather than the classes be placed in the same dirs as the source? (I tried adding a path after the -compile switch, but it constructed and compiled a file with the same name as the class directory destination). Do I make sense?!

Paul.

Paul,

I just use the -compile option and have jspc do the compilation from .java to .class for me. It seems to work fairly well. Once all the fully compiled (ie .class) files are placed in your application's WEB-INF/classes directory you just need to place the generated web.xml file in WEB-INF. There is an option to create a complete web.xml file that you can place in WEB-INF or, if you already have a web.xml file you want to keep, you can have jspc create an xml fragment that just contains the servlet definitions and mappings that you then add (in the appropriate place) to your existing web.xml. Then just war up your application directory in the normal way (you can even delete the jsps once you're certain the servlet mappings are working).

If you try to put the generated files in your working directory you won't be able to war them up and deploy them in the normal "put war file under webapps directory and tomcat will expand it when it starts" way. You'd have to ship a complete tomcat directory structure with the work directory already filled in with your compiled jsps.

Does that make sense?

Jason

--- Paul Wallace [EMAIL PROTECTED] wrote:

Hello,

I have compiled my JSPs thus:

    jspc -webapp C:\src\site -d C:\src\site\classes -s -l -uriroot C:\src\site

this builds the Java source files to the specified location, but how might I deploy them? What is a typical deployment after a JSP compilation? Compilation of Java source files, then WAR/JAR? Can I not define the JSP compile to go under my work directory? The purpose of my efforts is to try and speed up / make TC less memory consumptive.

cheers
Paul.
jsp:useBean problem (bug?) with Jasper
We are using an ant task to precompile our JSP's. Since we have switched from 5.0.19 to 5.0.25 on our development environment, many JSP files that use the jsp:useBean tag no longer compile.

The error I'm getting is:

    BUILD FAILED: /compile/project/build.xml:209: org.apache.jasper.JasperException: file:/tmp/output/ROOT/jsp/monitor/monitor.jsp(6,0) The value for the useBean class attribute com.example.AccountingBean is invalid.

I know that this kind of error occurs when there is no no-argument constructor in the Bean. The AccountingBean does have a constructor, but it is a no-argument constructor. If I remove the constructor from the Bean, the JSP can be compiled normally. If I use the jasper-compiler.jar from 5.0.19 instead of the one that comes with 5.0.25, everything compiles normally.

Am I right to conclude that this is a bug in jasper-compiler?

Michiel

Example code:

monitor.jsp
--
    <jsp:useBean id="widget" scope="request" class="nl.bibit.internal.accounting.admin.AccountingWidgetBean" />
--

com.example.AccountingBean.java
-
    public class AccountingBean {
        public AccountingBean() {
            isTest = true;
        }
        ...
    }
-
Re: Upgrading tomcat 5 on Windows
Hi Tim,

Without giving any specific advice:

Rule 1 of system administration: Always back up configuration files.

Michiel

Tim Penhey wrote:

Hi All,

I have Tomcat 5.0.18 running on one machine with a number of configured webapps. If I install the 5.0.25 over the top will all the configuration files stay or should I back them up?

Tim
Re: Programmatic Authentication?
I've done something similar and written a little tutorial about it at:

http://www.kopz.org/public/documents/tomcat/jaasintomcat.html

Maybe it helps.

Michiel

Annie Guo wrote:

Victor: I would greatly appreciate it.

-----Original Message-----
From: Victor R. Cardona [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 02, 2004 11:56 PM
To: Tomcat Users List
Subject: Re: Programmatic Authentication?

Annie Guo wrote:
| Mind sharing your code?

Not at all. I will post it tomorrow.

Victor
Re: Programmatic Authentication?
Hi Annie,

The authentication is completely separate from my example. In my example, I already assume that the user has authenticated itself successfully to Tomcat (either through a frontend webserver like Apache or in Tomcat itself). The code in the example only deals with what you can do after that (i.e. assigning Permissions based on Principals in the Java security framework). The Filter is simply used to establish a security context in which the servlets are run.

In short, you should first get your authentication set up...

Cheers,
Michiel

Annie Guo wrote:

Thank you Michiel. I did read your tutorial. I am new to JAAS and security stuff. I am still struggling with it. I have followed all your code and setup in web.xml. My problem is even though from my LoginModule debug statements that the login and LoginModule commit is successful (I just check the username equals password), my resources are still protected and I keep getting the 'Enter Network Password' popup. Would you please shed some light on that?

Thank you.

-----Original Message-----
From: Michiel Toneman [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 9:53 AM
To: Tomcat Users List
Subject: Re: Programmatic Authentication?

I've done something similar and written a little tutorial about it at:

http://www.kopz.org/public/documents/tomcat/jaasintomcat.html

Maybe it helps.

Michiel
Re: Tomcat5/mod_jk Memory Leak/mod_jk bypass
Adrian Barnett wrote:
>> Ran out of memory last night again
>> Set to 512m and ran out at 284m
>> Maybe I am missing a parameter in the tomcat setup on windows or something
>> Frustrating
>> James
>
> I was having a memory leak using mod_jk2, and it was fixed by adding request.registerRequests=false to tomcat/conf/jk2.properties. I don't know if this would work with mod_jk, but it might be worth a try.
>
> Adrian

I can confirm that this works with mod_jk too.

I'm a little surprised that fixing this rather horrible memory leak doesn't appear to be a high priority. We were almost at a point of abandoning Tomcat altogether since we couldn't keep our test environment running for more than 2 days without OutOfMemory problems while it would run for weeks on end with JRun3. Adding this line made all our problems go away, and we are now well on our way to completing our migration to Tomcat.

Michiel
Re: Memory leak with Tomcat 5.0.19
wsedio wrote:
> On 20-05-2004 11:58, wsedio wrote:
> On 19-05-2004 23:15, Michiel Toneman wrote:
>> We were having severe memory problems too with 5.0.19.
>
> Does Tomcat 5.0.24 fix this problem?

I have no idea, haven't tried it out yet. No plans as yet to test/roll-out 5.0.24, so it will be a while before I know.

>> We added this to the jk2.properties:
>>
>>     request.registerRequests=false
>>
>> and the memory usage was normal again. Somewhat non-obvious, I agree. It also gets rid of Error registering request messages in catalina.out.
>>
>> We are using mod_jk (1.2) with Apache 1.3.x on Sun Solaris and Linux.
>
> Do you have to add the setting even if you are using jk 1.2 (not jk 2)?

Apparently so. Somewhat weird that it is in jk2.properties. Any Guru care to explain?

>> Below is the memory profile of one of our servers before and after the change (old generation memory refers to the memory buckets in the garbage collector. For more information, see jvmstat. At 100% you will start getting OutOfMemory errors):
>
> How do you get the memory profile? Is it a Tomcat command?

No, it is just a bit of messing around with jvmstat in a script.

First we get the Tomcat PID with jvmps. Then we use jvmsnap $TOMCAT_PID to get (grep) hotspot.gc.generation.1.space.0.capacity and hotspot.gc.generation.1.space.0.used

The script then calculates the percentage in use and total amount in Mb.

The old generation space usage is (as far as I know) a good place to look if you are experiencing memory problems (assuming you set -Xmx and -Xms memory the same, otherwise it isn't all that meaningful!!!). In my experience, if it fills up above 70% the garbage collector (+ you) is in trouble.

Cheers,

Michiel
Re: Memory leak with Tomcat 5.0.19
Hmm, signal 11's are bad news and usually not related to OutOfMemory problems.

There is a dated, but pretty good explanation at: http://www.bitwizard.nl/sig11/

Michiel

Brian Beckham wrote:
> Sorry bout that...got a little flustered :)
>
> Some more details...tomcat non-responsive, but JVM still running
>
> ps -ef showed several java processes still running, several defunct
>
> Running with following:
>
>     LD_ASSUME_KERNEL=2.2.5
>     CATALINA_HOME=/opt/jakarta-tomcat-5.0.19
>     JAVA_HOME=/opt/j2sdk1.4.2_04
>     CATALINA_OPTS=-server -Xms256m -Xmx1024m -Djava.awt.headless=true
>
> error file created (attached):
>
>     Unexpected Signal : 11 occurred at PC=0x3FC6AC09
>     Function=(null)+0x3FC6AC09
>     Library=/opt/j2sdk1.4.2_04/jre/lib/i386/server/libjvm.so
>
>     NOTE: We are unable to locate the function name symbol for the error just occurred. Please refer to release documentation for possible reason and solutions.
>
>     Current Java thread:
>         at java.net.PlainSocketImpl.socketAccept(Native Method)
>         at java.net.PlainSocketImpl.accept(PlainSocketImpl.java:353)
>         - locked 0x7b528488 (a java.net.PlainSocketImpl)
>         at java.net.ServerSocket.implAccept(ServerSocket.java:448)
>         at java.net.ServerSocket.accept(ServerSocket.java:419)
>         at org.apache.catalina.core.StandardServer.await(StandardServer.java:551)
>         at org.apache.catalina.startup.Catalina.await(Catalina.java:657)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:617)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:324)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:297)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:398)
>
> System was at about 128 MB when crash occurred.
>
> Brian Beckham
> [EMAIL PROTECTED]
> Office: 770.924.6444 ext. 203
> Mobile: 404.406.8355
>
> -----Original Message-----
> From: Remy Maucherat [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 21, 2004 10:21 AM
> To: Tomcat Users List
> Subject: Re: Memory leak with Tomcat 5.0.19
>
> Brian Beckham wrote:
>> Ok, after adding that setting in jk2.properties I have had 2 lockups of tomcat on my production site...any help!!?!!?
>
> lockup doesn't mean anything to me. Details please :)
> Also, this property cannot possibly cause that (look in the code if in doubt).
Re: Memory leak with Tomcat 5.0.19
We were having severe memory problems too with 5.0.19.

We added this to the jk2.properties:

    request.registerRequests=false

and the memory usage was normal again. Somewhat non-obvious, I agree. It also gets rid of Error registering request messages in catalina.out.

We are using mod_jk (1.2) with Apache 1.3.x on Sun Solaris and Linux.

Below is the memory profile of one of our servers before and after the change (old generation memory refers to the memory buckets in the garbage collector. For more information, see jvmstat. At 100% you will start getting OutOfMemory errors):

before:

    20040427-01:03: Using 0% of available old generation memory (853 Mb total)
    20040427-13:03: Using 11% of available old generation memory (853 Mb total)
    20040428-01:03: Using 13% of available old generation memory (853 Mb total)
    20040428-13:03: Using 18% of available old generation memory (853 Mb total)
    20040429-01:03: Using 20% of available old generation memory (853 Mb total)
    20040429-13:03: Using 25% of available old generation memory (853 Mb total)
    20040430-01:03: Using 26% of available old generation memory (853 Mb total)
    20040430-13:03: Using 30% of available old generation memory (853 Mb total)
    20040501-01:03: Using 32% of available old generation memory (853 Mb total)
    20040501-13:03: Using 37% of available old generation memory (853 Mb total)
    20040502-01:03: Using 44% of available old generation memory (853 Mb total)
    20040502-13:03: Using 51% of available old generation memory (853 Mb total)
    20040503-01:03: Using 57% of available old generation memory (853 Mb total)
    20040503-13:03: Using 64% of available old generation memory (853 Mb total)
    20040504-01:03: Using 65% of available old generation memory (853 Mb total)
    20040504-13:03: Using 70% of available old generation memory (853 Mb total)
    20040505-01:03: Using 72% of available old generation memory (853 Mb total)
    20040505-13:03: Using 76% of available old generation memory (853 Mb total)
    20040506-01:03: Using 78% of available old generation memory (853 Mb total)

Tomcat restarted at 81%

after:

    20040506-13:03: Using 0% of available old generation memory (853 Mb total)
    20040507-01:03: Using 2% of available old generation memory (853 Mb total)
    20040507-13:03: Using 2% of available old generation memory (853 Mb total)
    20040508-01:03: Using 2% of available old generation memory (853 Mb total)
    20040508-13:03: Using 2% of available old generation memory (853 Mb total)
    20040509-01:03: Using 2% of available old generation memory (853 Mb total)
    20040509-13:03: Using 2% of available old generation memory (853 Mb total)
    20040510-01:03: Using 2% of available old generation memory (853 Mb total)
    20040510-13:03: Using 2% of available old generation memory (853 Mb total)
    20040511-01:03: Using 3% of available old generation memory (853 Mb total)
    20040511-11:03: Using 3% of available old generation memory (853 Mb total)
    20040512-01:03: Using 4% of available old generation memory (853 Mb total)

Tomcat restarted due to system upgrade.

Cheers,

Michiel

Brian Beckham wrote:
> I have a site that gets a fair amount of traffic - roughly 300,000 page views per day - a mix of servlets and JSP
>
> The site runs on 3 separate servers - one of which we upgraded to Tomcat 5.0.19. We have been running the site successfully for the past year using Tomcat 4.1.x, and 2 of the servers are still running Tomcat 4.1.x and are fine.
>
> Other differences between the two 4.1.x machines and the Tomcat 5.0.19 machine include:
>
> - Tomcat 5.0.19 machine uses jk2 / tomcat 4.1.x servers use mod_jk
> - Tomcat 5.0.19 machine using jsvc
>
> The Tomcat 5.0.19 machine is leaking memory at an alarming rate. I am using the following options on all: -Xms256 -Xmx1024
>
> The Tomcat 4.1.x machines all run the site and stay around 350MB, but the Tomcat 5.x machine grows until the JVM runs out of memory.
>
> The sites are using DBCP, and connecting to an Oracle 10g RAC cluster using the newest JDBC Thin drivers from Oracle (same on all 3).
>
> I plan on running a profiler on the system, but thought I would perform a sanity check and make sure I am not missing something obvious (to someone else).
>
> Thanks,
>
> Brian Beckham
> [EMAIL PROTECTED]
> Office: 770.924.6444 ext. 203
> Mobile: 404.406.8355
Using JAAS as for authorisation in Tomcat 5 tutorial
As promised a while back, I've written a small tutorial for getting JAAS working as an authorisation mechanism (rather than an authentication mechanism like in JAASRealm).

The initial version can be found here:

http://www.kopz.org/public/documents/tomcat/jaasintomcat.html

It does assume you can get a full JAAS implementation up and running outside of Tomcat (i.e. not for the faint-of-heart).

If you have any comments or suggestions, please let me know!

Cheers,

Michiel

P.S. This could also be interesting in regards to the thread "javax.security.auth.subject disappears"
Re: Tomcat having strange 'hickups'
Are you sure this isn't related to heavy garbage collection in the JVM? jvmstat has some good tools to monitor memory usage and garbage collection in your app.

Michiel

Wojciech Sobczuk wrote:
> Hello,
>
> I'm running Tomcat 5.0.18 on RedHat 9, started with the following commandline:
>
>     /usr/java/j2sdk1.4.2_01//bin/java -Xmx256m -server -Djava.endorsed.dirs=/usr/java/jakarta-tomcat/common/endorsed -classpath /usr/java/j2sdk1.4.2_01//lib/tools.jar:/usr/java/jakarta-tomcat/bin/bootstrap.jar:/usr/java/jakarta-tomcat/bin/commons-logging-api.jar -Dcatalina.base=/usr/java/jakarta-tomcat -Dcatalina.home=/usr/java/jakarta-tomcat -Djava.io.tmpdir=/usr/java/jakarta-tomcat/temp org.apache.catalina.startup.Bootstrap start
>
> and with development=false and fork=true in the jsp servlet configuration.
>
> This installation is serving around 20 hits per day, much of it is DB intensive. Before i set development=false and fork=true I had big hangups when I changed the JSPs and Tomcat started recompiling them - the whole engine practically stopped for a few minutes and the load went up to 16 on the server.
>
> Now development and fork variables are set correctly for deployment, but I am still having a strange problem. Every now and then (probably every few hours, I can't tell exactly) Tomcat stops for around 20 seconds. I noticed it when browsing one of my sites, everything was working fast, and then at a certain point, after I clicked on a link, the browser started connecting to the server and waited for the response for a long time. When I checked the load on the box it was 1-2 (normally it's 0.5), but didn't notice any processes hogging the CPU with 'top'.
>
> I already fixed all DB connection leaks I had so that can't be the issue here. Traffic peaks can't be it either, I have constant traffic.
>
> I know that this isn't a precise description of the error I'm encountering but I don't have any more information at this point. I'm hoping that someone encountered this already and can help me, or perhaps you can give me directions how to figure out what's wrong.
>
> Best regards,
> W. Sobczuk
Re: another problem with JAAS
Oops, missed the "How" ;-)

    // Reuse the Subject already stored in the session, or start with an empty one
    Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
    if (subject == null) {
        subject = new Subject();
    } else {
        System.out.println("According to the Filter, the subject is: " + subject);
    }

and once we have logged in our subject:

    // Store our own Subject under the same session key
    session.setAttribute("javax.security.auth.subject", subject);

I'll write this up over the weekend

Cheers,

Michiel

Alan Weissman wrote:
> Yes but how? :) What is the key that you use in the session?
>
> -----Original Message-----
> From: Michiel Toneman [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 22, 2004 12:51 PM
> To: Tomcat Users List
> Subject: Re: another problem with JAAS
>
> Hi Alan,
>
> That's correct, I overwrite the subject.
>
> Michiel
>
> Alan Weissman wrote:
>> Hey Michiel -
>>
>> How did you overwrite Tomcat's Subject in the Session with your own?
>>
>> Thanks,
>> Alan
>>
>> -----Original Message-----
>> From: Michiel Toneman [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, April 22, 2004 9:51 AM
>> To: Tomcat Users List
>> Subject: Re: another problem with JAAS
>>
>> Hi Beloglazov,
>>
>> I was running into the same problem. As far as I can tell (anyone on the list, please correct me if I'm wrong), Tomcat primarily uses JAAS for authentication, but it is pretty useless for authorisation. I have no idea why the JAASRealm goes to all the trouble of setting up a Subject etc... when you can't use them in your own policy. All you can do is use isUserInRole() to check for the *name* of your role Principal. This totally defeats the point of using JAAS IMHO.
>>
>> I am using a JAAS implementation with its custom Policy that assigns Permission(s) based on various types of Principal that I assign to the Subject. My webapps can then do proper java Permission checks (AccessController.checkPermission(perm)).
>>
>> The way to go in Tomcat is using a filter, setting up (LoginContext) your Subject and use a doAsPrivileged() to wrap the servlet call. (see my earlier post on the list).
>>
>> However, this does not work on Tomcat (works fine on JRun4) because the filter and servlet are evaluated by Tomcat in different security contexts. The solution was to overwrite Tomcat's Subject in the session by my own Subject.
>>
>> I'm writing a tutorial on this, but it isn't ready yet. If you need an implementation fast, and the above is not enough to go on, I can speed up the writing ;-)
>>
>> Cheers,
>>
>> Michiel
>>
>> Beloglazov Maksim wrote:
>>> Hello,
>>>
>>> I've written a JAAS LoginModule and my web application successfully authorizes with it. But! While the authorization is successful, Tomcat does not recognize user Principals and roles which I assign in login module and returns that I have logged as a *null* user with no roles assigned to it.
>>>
>>> server.xml:
>>>
>>>     <Realm className="org.apache.catalina.realm.JAASRealm" appName="merx" userClassNames="ru.mb.security.jaas.RdbmsPrincipal" roleClassNames="ru.mb.security.jaas.RdbmsRole" debug="99"/>
>>>
>>> ru.mb.security.jaas.RdbmsPrincipal and ru.mb.security.jaas.RdbmsRole are implementations of java.security.Principal interface.
>>>
>>> How can I force Tomcat recognize these Principals in a proper way? Can be the problem with moving javax.security.Principal of earlier JDKs to java.security.Principal in modern ones?
>>>
>>> Any help is greatly appreciated.
>>>
>>> Beloglazov Maksim.
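The mechanism this thread relies on, as an added example that is not code from any poster or from Tomcat: a principal-based Policy only sees the Subject that `Subject.doAsPrivileged()` bound to the access-control context, and that Subject is no longer visible inside a `doPrivileged()` block entered without the caller's context, while passing the captured context keeps it. `RolePrincipal`, `AppPermission`, `RolePolicy` and the "developer"/"refund" names are hypothetical, and the code assumes a Java 8 to 17 runtime with no SecurityManager installed.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;

// Added example. Assumes Java 8 to 17 with no SecurityManager installed; later
// releases deprecate or disable these APIs. All class and permission names are hypothetical.
public class SubjectContextDemo {

    /** Hypothetical role principal that a LoginModule would add to the Subject. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Hypothetical application permission checked by business code. */
    static final class AppPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        AppPermission(String name) { super(name); }
    }

    /** Grants AppPermission("refund") to the "developer" role; defers all other checks. */
    static final class RolePolicy extends Policy {
        private final Policy deferred;
        RolePolicy(Policy deferred) { this.deferred = deferred; }
        @Override public boolean implies(ProtectionDomain domain, Permission perm) {
            if (!(perm instanceof AppPermission)) {
                return deferred.implies(domain, perm);
            }
            // Principals are only present on domains built by a SubjectDomainCombiner,
            // i.e. when the check runs inside Subject.doAs()/doAsPrivileged().
            for (Principal p : domain.getPrincipals()) {
                if (p instanceof RolePrincipal && "developer".equals(p.getName())
                        && "refund".equals(perm.getName())) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Reports the Subject bound to the current context and the result of the permission check. */
    static String probe() {
        Subject s = Subject.getSubject(AccessController.getContext());
        StringBuilder who = new StringBuilder();
        if (s == null) {
            who.append("no subject");
        } else {
            for (Principal p : s.getPrincipals()) {
                who.append(p.getName()).append(' ');
            }
        }
        try {
            AccessController.checkPermission(new AppPermission("refund"));
            return who.toString().trim() + " -> permitted";
        } catch (AccessControlException e) {
            return who.toString().trim() + " -> denied";
        }
    }

    /** Runs probe() as a privileged action so it can be passed to doPrivileged(). */
    static final class Probe implements PrivilegedAction<String> {
        @Override public String run() { return probe(); }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new RolePolicy(Policy.getPolicy()));

        Subject subject = new Subject();
        subject.getPrincipals().add(new RolePrincipal("developer"));

        System.out.println("outside doAsPrivileged:     " + probe());
        Subject.doAsPrivileged(subject, new PrivilegedAction<Void>() {
            @Override public Void run() {
                System.out.println("inside doAsPrivileged:      " + probe());
                // Capture the context that carries the Subject before entering privileged blocks.
                AccessControlContext bound = AccessController.getContext();
                System.out.println("doPrivileged(action):       "
                        + AccessController.doPrivileged(new Probe()));
                System.out.println("doPrivileged(action, ctx):  "
                        + AccessController.doPrivileged(new Probe(), bound));
                return null;
            }
        }, null);
    }
}
```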
Re: another problem with JAAS
Hi Beloglazov,

I was running into the same problem. As far as I can tell (anyone on the list, please correct me if I'm wrong), Tomcat primarily uses JAAS for authentication, but it is pretty useless for authorisation. I have no idea why the JAASRealm goes to all the trouble of setting up a Subject etc... when you can't use them in your own policy. All you can do is use isUserInRole() to check for the *name* of your role Principal. This totally defeats the point of using JAAS IMHO.

I am using a JAAS implementation with its custom Policy that assigns Permission(s) based on various types of Principal that I assign to the Subject. My webapps can then do proper java Permission checks (AccessController.checkPermission(perm)).

The way to go in Tomcat is using a filter, setting up (LoginContext) your Subject and use a doAsPrivileged() to wrap the servlet call. (see my earlier post on the list).

However, this does not work on Tomcat (works fine on JRun4) because the filter and servlet are evaluated by Tomcat in different security contexts. The solution was to overwrite Tomcat's Subject in the session by my own Subject.

I'm writing a tutorial on this, but it isn't ready yet. If you need an implementation fast, and the above is not enough to go on, I can speed up the writing ;-)

Cheers,

Michiel

Beloglazov Maksim wrote:
> Hello,
>
> I've written a JAAS LoginModule and my web application successfully authorizes with it. But! While the authorization is successful, Tomcat does not recognize user Principals and roles which I assign in login module and returns that I have logged as a *null* user with no roles assigned to it.
>
> server.xml:
>
>     <Realm className="org.apache.catalina.realm.JAASRealm" appName="merx" userClassNames="ru.mb.security.jaas.RdbmsPrincipal" roleClassNames="ru.mb.security.jaas.RdbmsRole" debug="99"/>
>
> ru.mb.security.jaas.RdbmsPrincipal and ru.mb.security.jaas.RdbmsRole are implementations of java.security.Principal interface.
>
> How can I force Tomcat recognize these Principals in a proper way? Can be the problem with moving javax.security.Principal of earlier JDKs to java.security.Principal in modern ones?
>
> Any help is greatly appreciated.
>
> Beloglazov Maksim.
Re: Verification of Sun JRE1.4.2
Asif Chowdhary wrote:
> Is there a specific file which I can check to verify if the client has JRE 1.4.2 installed on its machine?
>
> Thanks

    java -version

;-)
Re: another problem with JAAS
Hi Alan,

That's correct, I overwrite the subject.

Michiel

Alan Weissman wrote:
> Hey Michiel -
>
> How did you overwrite Tomcat's Subject in the Session with your own?
>
> Thanks,
> Alan
>
> -----Original Message-----
> From: Michiel Toneman [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 22, 2004 9:51 AM
> To: Tomcat Users List
> Subject: Re: another problem with JAAS
>
> Hi Beloglazov,
>
> I was running into the same problem. As far as I can tell (anyone on the list, please correct me if I'm wrong), Tomcat primarily uses JAAS for authentication, but it is pretty useless for authorisation. I have no idea why the JAASRealm goes to all the trouble of setting up a Subject etc... when you can't use them in your own policy. All you can do is use isUserInRole() to check for the *name* of your role Principal. This totally defeats the point of using JAAS IMHO.
>
> I am using a JAAS implementation with its custom Policy that assigns Permission(s) based on various types of Principal that I assign to the Subject. My webapps can then do proper java Permission checks (AccessController.checkPermission(perm)).
>
> The way to go in Tomcat is using a filter, setting up (LoginContext) your Subject and use a doAsPrivileged() to wrap the servlet call. (see my earlier post on the list).
>
> However, this does not work on Tomcat (works fine on JRun4) because the filter and servlet are evaluated by Tomcat in different security contexts. The solution was to overwrite Tomcat's Subject in the session by my own Subject.
>
> I'm writing a tutorial on this, but it isn't ready yet. If you need an implementation fast, and the above is not enough to go on, I can speed up the writing ;-)
>
> Cheers,
>
> Michiel
>
> Beloglazov Maksim wrote:
>> Hello,
>>
>> I've written a JAAS LoginModule and my web application successfully authorizes with it. But! While the authorization is successful, Tomcat does not recognize user Principals and roles which I assign in login module and returns that I have logged as a *null* user with no roles assigned to it.
>>
>> server.xml:
>>
>>     <Realm className="org.apache.catalina.realm.JAASRealm" appName="merx" userClassNames="ru.mb.security.jaas.RdbmsPrincipal" roleClassNames="ru.mb.security.jaas.RdbmsRole" debug="99"/>
>>
>> ru.mb.security.jaas.RdbmsPrincipal and ru.mb.security.jaas.RdbmsRole are implementations of java.security.Principal interface.
>>
>> How can I force Tomcat recognize these Principals in a proper way? Can be the problem with moving javax.security.Principal of earlier JDKs to java.security.Principal in modern ones?
>>
>> Any help is greatly appreciated.
>>
>> Beloglazov Maksim.
Re: the pain of choice
Parsons Technical Services wrote:
> At this point it looks like tomcat 5 will handle your needs
>
> Look at this for cgi:
>
> http://jakarta.apache.org/tomcat/tomcat-5.0-doc/cgi-howto.html

Although it could be done like this, if you have some Apache experience, I'd recommend Apache in front of Tomcat 5.0.19.

The simplest way to deploy Tomcat from this scenario is to ProxyPass it from Apache. I doubt from your requirements that configuring a connector is necessary.

For ProxyPass documentation, see: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/proxy-howto.html

basically it comes down to this:

1. make sure the following module is uncommented in httpd.conf:

       LoadModule proxy_module {path-to-modules}/mod_proxy.so
       AddModule mod_proxy.c

2. add the following to httpd.conf

       ProxyPass /myapp http://localhost:8080/myapp
       ProxyPassReverse /myapp http://localhost:8080/myapp

(I'm using 8080 as the Tomcat port, since that is the default for Tomcat).

Good luck.

Michiel

> What JDK are you developing against? -- 1.4.2 But not crucial
> What is your platform? -- What do you mean by that?
> What is your OS?
> -- FreeBSD
> Is this for production or development? -- Production
> How many users? -- 2
> How many deployers? -- 1
> How many apps? -- 1
> How big are the apps? -- very small
> How much static? -- ?please explain
>
> CGI, servlets, jsp etc are all dynamic. HTML, HTM, etc are static. If you have a large amount of static pages some people will use Apache to serve it and Tomcat for the dynamic. Although as Tomcat evolves it is no longer a necessity as it was in the past.
>
> Do you want or need Apache? -- need cgi-scripting
>
> See above.
>
> (Virtual hosting?) -- absolutely not necessary
>
> Nothing here stands out that would suggest that you need anything other than Tomcat 5 running alone. But to qualify, I have not done any cgi and only did a quick take on the documentation. Read it carefully before proceeding. You may also want to start a new thread and ask the list about any limitations or concerns that are not addressed in the docs.
Re: the pain of choice
Great, let's use JK2

My experience:

<rant-mode>

    tar -xvzf jakarta-tomcat-connectors-jk2-src-current.tar.gz
    cd jakarta-tomcat-connectors-jk2-2.0.4-src/
    less README.txt

- gibberish, doesn't help me much

    less RELEASE-NOTES.txt

--
Tomcat Connectors Version @VERSION@ Release Notes

This version matches the version included with tomcat-5.0.2, and supports tomcat 3.3, 4.0, 4.1, 5.0. Bugs and issues will be tracked with tomcat5 - this file will list only issues related with older versions.
--

5.0.2??? my confidence is growing.

    ls doc/*
    doc/install_tomcat33.html
    doc/install_tomcat40.html
    doc/install_tomcat41.html

Hmmm, I want to install it for tomcat 5.0.19. Ok, I'll read the most current (install_tomcat41.html). Try it, it's quite amusing... Not helpful.

    ant

    Buildfile: build.xml

    build:

    BUILD FAILED
    file:/data/michiel/jakarta-tomcat-connectors-jk2-2.0.4-src/build.xml:45: Basedir /data/michiel/jakarta-tomcat-connectors-jk2-2.0.4-src/util does not exist

    Total time: 1 second

--
Ok, it can't find its own files

Great

    cd jk

See if this works.

    ant

--

    Buildfile: build.xml

    detect:
        [echo] jakarta-tomcat-connectors

    prepare:

    BUILD FAILED
    file:/data/michiel/jakarta-tomcat-connectors-jk2-2.0.4-src/jk/build.xml:142: Warning: Could not find file /data/michiel/jakarta-tomcat-connectors-jk2-2.0.4-src/coyote/build/lib/tomcat-coyote.jar to copy.

    Total time: 1 second

--
let's read the README.txt

blablabla Tomcat 4.1. No mention of Tomcat 5.x

This feels like abandoned alpha software all the way, there is NO WAY I'm putting this on a production machine.

</rant-mode>

Summary: if you package and distribute software like this, how on earth do you expect your users to build, let alone use it?

Cheers,

Michiel

P.S. Compare this to the Tomcat release on UNIX:

    tar xvzf jakarta-tomcat-xxx.tgz
    cd jakarta-tomcat-xxx
    bin/startup.sh

it works

Angus Mezick wrote:
> Jk vs jk2. JK is dead STOP USING IT. JK2 all the way!! (sorry, jk2 is the preferred way to link apache2 to tomcat[45])
>
> I would suggest using tomcat 4 for now if you are going immediately into a production environment where you have to abide by a server level agreement. Otherwise use tomcat 5. Tomcat 5 is listed as stable but seems a bit shaky right now with the bugs that keep popping up.
>
> There is no reason that I know of not to use Apache2.
>
> You will be using worker2.properties. Since I know nothing about JK I can't comment on the rest.
>
> -----Original Message-----
> From: C. Kukulies [mailto:[EMAIL PROTECTED]
> Sent: Monday, April 19, 2004 5:33 PM
> To: [EMAIL PROTECTED]
> Subject: the pain of choice
>
> Can someone give me an advice which way to go WRT to using a tomcat/apache combo on a Unix (not Linux) system?
>
> There are so many options, jk, jk2, tomcat 3-4-5, apache 1.3, apache2. worker.properties worker2.properties, jk2.properties in tomcat/conf, mod_jk.conf in etc/apache, mod_jk, mod_jk2.
>
> Then I see constructs in brackets [] in worker.properties and without these.
>
> What is workers.host=jsp-hostname? Is it an IP host? Or is it some placeholder which must be in workers.list?
>
> --
> Chris Christoph P. U. Kukulies kuku_at_physik.rwth-aachen.de
Re: quick question when getting started
Hi Stephen,

You've been tricked by the web.xml. The JSP's are pre-compiled to servlets and a mapping for the URL /index.jsp to this servlet has been inserted into web.xml.

If you delete the servlet mapping in the web.xml, everything should be as normal, and your changes will be visible.

(this caught me out the first time too... ;-) )

Michiel

Stephen Charles Huey wrote:
> I'm upgrading from Tomcat 4 to 5 and I just installed Tomcat 5 on a dev machine to play with it, and I know a couple things are organized a bit differently, but the provided index page is weirding me out. I tried to add a line of text to the index.jsp in webapps\ROOT and when I reload the page (that I browse to by going to localhost on my Win 2K Server machine), that line of text isn't appearing. I've tried adding other bits, too, and I've tried restarting Tomcat, and I found a catalina-root.jar in the WEB-INF\lib folder and deleted that in an effort to get it to recompile the index.jsp, but nothing seems to be working! Why?
>
> Here's an example of what I've modified in the HTML:
>
>     <p><center><b>If you're seeing this page via a web browser, it means Stephen has setup Tomcat successfully.
Re: Tomcat for FreeBSD
Hi Shawn,

There is nothing OS specific about a binary build of tomcat. It is all java and a few shell scripts (the shell scripts are for unix/linux and win32).

Just get the jakarta-tomcat-5.0.19.tar.gz from the nearest mirror, make sure you have a recent Java SDK installed (1.4.2), tar xvzf and you are all set to bin/startup.sh and go.

Cheers,

Michiel Toneman

On Sat, 2004-04-10 at 17:43, Shawn Zernik wrote:
> Tomcat Gurus:
>
> Is there a *current* version of Java/Tomcat that's been assembled for FreeBSD 5.0?
>
> Shawn Zernik
> Internetwork Consulting
Re: JAAS problems migrating from JRun
Adam,

I've been at this all day, and I seem to be banging my head against a really well-constructed wall.

I followed your advice by going the security-constraints/Realm route. I've built a minimal JAAS implementation which, in combination with JAASRealm, works fine for *authentication*.

However, when I want to access the Principals I've assigned in my LoginModule within my CustomPolicy for *authorization*, I get nothing.

i.e. in my CustomPolicy:

    getPermissions(ProtectionDomain domain) {
        PermissionCollection pc = deferredPolicy.getPermissions(domain);
        // get principals associated with domain
        Principal[] principals = domain.getPrincipals();
        ...
    }

domain.getPrincipals() returns no policies.

Ok, so I go to the Subject (using a PrivilegedAction):

    Subject.getSubject(AccessController.getContext()).getPrincipals();

and again no Principals. The Subject is empty.

I've confirmed this by calling a JSP which includes

    <%= Subject.getSubject(AccessController.getContext()) %>

this just prints: "Subject:", so it seems that the Subject I've worked so hard to create is lost.

How can I get this to work? I need to access the Principals in my CustomPolicy, so that I can assign custom permissions to the PermissionCollection of the domain.

Thanks,

Michiel

P.S. Just to show that the LoginModule / JAASRealm seem to be working:

catalina_log:

    2004-04-06 16:51:02 JAASRealm[Catalina]: Returning username bluppie

catalina.out:

    Assigned principal bluppie of type security.UserPrincipal to user bluppie
    Assigned principal authenticateduser of type security.RolePrincipal to user bluppie
    Assigned principal developer of type security.CustomPrincipal to user bluppie

Adam Hardy wrote:
> Michiel,
>
> you are programming your own login trigger in a filter - I don't think this will work (although I'm happy to be wrong). I think tomcat is only going to adopt your principals as authenticated if you protect whichever pages necessary via security-constraints in the deployment descriptor.
>
> You must set up a LoginModule that tomcat will find, and in this LoginModule tomcat gives you a call-back-handler which you use to do the authentication. You must then set your Subject, which is also passed to you by tomcat.
>
> Adam
>
> On 04/06/2004 01:39 AM Michiel Toneman wrote:
>> Hi All,
>>
>> The company I work for is attempting to move from JRun 3/4 to Tomcat 5.0.19. So far it has been smooth sailing, and the migration is going better than expected. However, before the migration we were about to deploy a JAAS framework on JRun 4. This framework doesn't seem to work at all well in Tomcat 5.
>>
>> I've implemented a tailored JAAS framework with various types of Principals that grant certain (custom) Permissions in my own Policy. To enforce this onto the webapp, I used a Filter to establish a LoginContext and then wrap the servlet in a Subject.doAsPrivileged call.
>>
>> To clarify: I'm not looking for authentication through JAAS (I've implemented this in a minimal way), but I'm looking to JAAS for some more elaborate authorization tricks.
>>
>> In my doFilter (simplified):
>>
>>     LoginContext lc = new LoginContext("MyJaas", new MyHttpAuthCallbackHandler(request));
>>     lc.login();
>>     Subject.doAsPrivileged(lc.getSubject(), new FilteredAction(request, response, chain), null);
>>
>> where FilteredAction is an inner class:
>>
>> ---
>>
>>     class FilteredAction implements PrivilegedAction {
>>         ServletRequest faRequest;
>>         ServletResponse faResponse;
>>         FilterChain faChain;
>>
>>         public FilteredAction(ServletRequest request, ServletResponse response, FilterChain chain) {
>>             this.faRequest = request;
>>             this.faResponse = response;
>>             this.faChain = chain;
>>         }
>>
>>         public Object run() {
>>             try {
>>                 faChain.doFilter(faRequest, faResponse);
>>             } catch (Exception e) {
>>                 e.printStackTrace();
>>             }
>>             return null;
>>         }
>>     }
>>
>> ---
>>
>> I replace the default Policy with my own policy that adds permissions based on principals assigned in the LoginContext. This is done in the Filter's init:
>>
>> ---
>>
>>     public void init(FilterConfig config) throws ServletException {
>>         Policy orgPolicy = Policy.getPolicy
JAAS problems migrating from JRun
Hi All,

The company I work for is attempting to move from JRun 3/4 to Tomcat 5.0.19. So far it has been smooth sailing, and the migration is going better than expected. However, before the migration we were about to deploy a JAAS framework on JRun 4. This framework doesn't seem to work at all well in Tomcat 5.

I've implemented a tailored JAAS framework with various types of Principals that grant certain (custom) Permissions in my own Policy. To enforce this onto the webapp, I used a Filter to establish a LoginContext and then wrap the servlet in a Subject.doAsPrivileged call.

To clarify: I'm not looking for authentication through JAAS (I've implemented this in a minimal way), but I'm looking to JAAS for some more elaborate authorization tricks.

In my doFilter (simplified):

    LoginContext lc = new LoginContext(MyJaas, new MyHttpAuthCallbackHandler(request));
    lc.login();
    Subject.doAsPrivileged(lc.getSubject(), new FilteredAction(request, response, chain), null);

where FilteredAction is an inner class:

---
class FilteredAction implements PrivilegedAction {
    ServletRequest faRequest;
    ServletResponse faResponse;
    FilterChain faChain;

    public FilteredAction(ServletRequest request, ServletResponse response, FilterChain chain) {
        this.faRequest = request;
        this.faResponse = response;
        this.faChain = chain;
    }

    public Object run() {
        try {
            faChain.doFilter(faRequest, faResponse);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}
---

I replace the default Policy with my own policy that adds permissions based on principals assigned in the LoginContext. This is done in the Filter's init:

---
public void init(FilterConfig config) throws ServletException {
    Policy orgPolicy = Policy.getPolicy();
    if (orgPolicy instanceof MyPolicy) {
        // we already did this once upon a time..
    } else {
        Policy.setPolicy(new MyPolicy(orgPolicy));
    }
}
---

This works like a charm on JRun (it's a textbook example on the web). However, it fails miserably on Tomcat 5.

It looks like the Filter is being evaluated in a different security context by Tomcat than the Servlet itself (based on evaluation of stacktraces generated in my custom Policy class). Therefore, none of the Principals assigned to the Subject in the Filter are available in the Servlet (when MyPolicy.getPermissions() is called).

Does anyone have an idea how I should go about getting (something like) this to work on Tomcat? Any help would be very much appreciated.

Cheers,
Michiel Toneman
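
The posts above read the Subject with Subject.getSubject(AccessController.getContext()). The following is an added example, not code from the thread: it shows, outside any container, when that call sees a Subject established by Subject.doAsPrivileged and when an intervening AccessController.doPrivileged hides it. It assumes Java 8 to 17, where these APIs work without a security manager; the class name SubjectContextDemo and the sample principal are constructed for the demo.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.stream.Collectors;
import javax.security.auth.Subject;

public class SubjectContextDemo {

    // Names of the principals reachable through the current AccessControlContext.
    static String visible() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) return "no Subject";
        return s.getPrincipals().stream().map(Principal::getName)
                .collect(Collectors.joining(","));
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        Principal user = () -> "bluppie";   // constructed sample principal
        subject.getPrincipals().add(user);

        System.out.println("outside doAsPrivileged:    " + visible());

        Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
            // The Subject travels in a SubjectDomainCombiner attached to the context.
            System.out.println("inside doAsPrivileged:     " + visible());

            // One-argument form: the context seen inside carries no combiner,
            // so the Subject is not reachable from it.
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                System.out.println("doPrivileged(action):      " + visible());
                return null;
            });

            // Two-argument form: passing the caller's context keeps the combiner.
            AccessControlContext acc = AccessController.getContext();
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                System.out.println("doPrivileged(action, acc): " + visible());
                return null;
            }, acc);
            return null;
        }, null);
    }
}
```

On such a JDK the first and third lines report no Subject, and the second and fourth report bluppie.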