tomcat stops when root ssh session ends
I'm running a tomcat server on a debian machine. I start the tomcat server through a ssh session. There has been no problems so far but just recently I became a Root on the machine. Whenever the ssh session ends tomcat stops... tomcat version 4.1.18 Morten Andersen - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Implementing Realm
Sorry if I'm being stupid, but it simply doesn't match my experiences. I'm using tomcat 4.1.30 as it is with standard MemoryRealm implementation. The username/passwords are created using the tomcat-users.xml, but If I change these without restarting tomcat the usernames and passwords are not being updated. Example: I enter a webapp with security constraints with my old password: xxx Then I change the user-role element in conf/tomcat-users.xml so that the password is now: yyy I start a new browser. In order to get a new client. Enter the new password... No entrance. Entering the old password gives a much better result though... in server.xml there is a userdatabase element, that is documented as a !-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -- In the implementation (MemoryUserDatabase.java) there is no sign what so ever that it detects an update in the tomcat-users.xml file. The first method used is findUser(...) that just returns a value from a HashMap... Regards Morten At 14:50 07-12-2004, you wrote: Hi, Yeah, I'm sure. It's easy to see using the Admin webapp. Yoav Shapira http://www.yoavshapira.com -Original Message- From: Morten Andersen [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 07, 2004 4:50 AM To: Tomcat Users List Subject: RE: Implementing Realm At 16:10 17-11-2004, you wrote: Note that all of Tomcat's built-in Realms support runtime changes to the data store, be it a file or a database. Are you sure. MemoryRealm seems only to be updated as Tomcat is restarted. Morten Andersen Master of applied mathematics and computer science Associate professor The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 65 50 36 54 +45 61 71 11 03 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Morten Andersen Master of applied mathematics and computer science Associate professor The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 65 50 36 54 +45 61 71 11 03 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Implementing Realm
At 16:10 17-11-2004, you wrote: Note that all of Tomcat's built-in Realms support runtime changes to the data store, be it a file or a database. Are you sure. MemoryRealm seems only to be updated as Tomcat is restarted. Morten Andersen Master of applied mathematics and computer science Associate professor The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 65 50 36 54 +45 61 71 11 03 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: jstl.jar and standard.jar causes Digester, taglib error on st artup
I do not reference the jstl taglib's anywhere... The problems seems to be caused alone by the fact that jstl.jar and standard.jar is in the WEB-INF/lib directory. This is very strange... At 19:27 23-11-2004, you wrote: You may want to check you web.xml to make sure the taglib definition is matching what you have on your jsp pages. I am suggesting such because there were at one time a change in the jstl uri namespaces and it was causing a some problems for me. --- Phillip Qin [EMAIL PROTECTED] wrote: Where did you use digester and jstl? I mix jstl and struts tags on my pages and they worked fine. -Original Message- From: Morten Andersen [mailto:[EMAIL PROTECTED] Sent: November 23, 2004 10:38 AM To: [EMAIL PROTECTED] Subject: jstl.jar and standard.jar causes Digester, taglib error on startup Well Ive seen this error many times: -- org.apache.commons.digester.Digester error SEVERE: Parse Error at line 6 column 19: Document root element taglib , must match DOCTYPE root null . org.xml.sax.SAXParseException: Document root element taglib , must match DOCTYPE root null . -- So, I tryed finding the error looking through the tld files, googling a bit and so on, until I tryed removing the jstl.jar and standard.jar from my web-applications. Suddenly no error was reported. What caused the error? I can't use jstl on tomcat. This could be due to the same problem...? Tomcat version: 4.1.24 jstl version: 1.0 / 1.1 Regards Morten Andersen Master of applied mathematics and computer science Associate professor The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 65 50 36 54 +45 61 71 11 03 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] !DSPAM:41a3603d250343371989192! __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Morten Andersen Master of applied mathematics and computer science Associate professor The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 65 50 36 54 +45 61 71 11 03 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
jstl.jar and standard.jar causes Digester, taglib error on startup
Well Ive seen this error many times: -- org.apache.commons.digester.Digester error SEVERE: Parse Error at line 6 column 19: Document root element taglib , must match DOCTYPE root null . org.xml.sax.SAXParseException: Document root element taglib , must match DOCTYPE root null . -- So, I tryed finding the error looking through the tld files, googling a bit and so on, until I tryed removing the jstl.jar and standard.jar from my web-applications. Suddenly no error was reported. What caused the error? I can't use jstl on tomcat. This could be due to the same problem...? Tomcat version: 4.1.24 jstl version: 1.0 / 1.1 Regards Morten Andersen Master of applied mathematics and computer science Associate professor The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 65 50 36 54 +45 61 71 11 03 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Implementing Realm
I've implemented my own simple Realm that should make it possible to store user and passwords in one file and user-roles in another plus make it possible to change these while tomcat is running. So basically it should be straight forward to implement it, but I find it very difficult to find descent documentation on how to make it work with tomcat. I changed the realm in server.xml: Realm className=org.mortena.projectManagement.DynamicRealm debug=99/ Added the neccesary jar files to: server\lib and started tomcat. I get the error: Can't create mbean instance or something similar. As I then go to a restricted area on one of the webapps (like: manager) I get an empty screen. Can anyone guide me to an article on how to implement and deploy a Realm... Thanks Morten Andersen Master of applied mathematics and computer science Associate professor The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 65 50 36 54 +45 61 71 11 03 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Authentication - based on request parameters
I've developed a authentication mechanism on my own because I could not figure out how to make authentication based on some request - parameters. This is what I've implemented: Whenever the user makes a request, the site parameter plus the path is used to figure out whether the user has the rights to access the path on that site. If not I sent him to a login - page, and after that back to the initially requested page. For instance: 1) The user requests: myTomcat:8080/MyApp/saveEditedPage.action?site=MySite 2) I figure out whether saveEditedPage needs login. If it does, then I check whether the user has previously logged in. If not the user is sent to the login page. 3) When the user has logged in. The rights for the user for the site=MySite is checked. If the user may enter he is sent the request is carried out. I have finally got it to work, but then it stroke me that I maybe could use the built in security - mechanism in tomcat. Here is my idea: I make a subclass of - or wraps HttpServletRequest, with my own class that overwrites the isUserInRole(String) method. So that the isUserInRole method could use some of the parameters from the request to make the finegrained access-control. (That is to use the site parameter). Does that sound possible or can't HttpServletRequest be subclassed like that? Or am I just plain stupid and could have saved me from a lot of hours of work by using a built in mechanism? Ragards Morten Andersen Master of applied mathematics and computer science Amanuensis (in e-learning) The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 6550-3654 +45 6171-1103 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Authentication - based on request parameters
Why is that a security-issue? I wan't the user to enter the site by cliking on a link or whatever, so that the user enters the site using that request. It should be OK, that the user tryes to go to a restricted page by writing blabla:8080/MyApp/restrictedRequest.action?site=JustAGuess But if that is done and the user has not got rights to do it, then he is being rejected... Regards Morten Andersen PS: I did consider the role-based model form tomcat, but that is coarse-grained, in the sense that it is based on 1 role for one web-app, and that is not suficient. Something else that occurs to me is that your security model appears to depend on a GET parameter in the request (?site=MySite). A client could easily change this value to circumvent your security. A better model is that your logon page sets a value in the Session object to identify the user. Then the security depends on a very long, random session ID and it is vanishingly unlikely that a client will be able to change this ID (either in a URL or a cookie) and, by chance, hit on a valid session ID belonging to another user. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Morten Andersen Master of applied mathematics and computer science Amanuensis (in e-learning) The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 6550-3654 +45 6171-1103 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Authentication - based on request parameters
Here is my requirements for the security mechanism:
The whole thing is about making secured rooms for groups of user.
1) It should be possible to make new sites / groups while the application
is running.
2) The sites has members, and only these should be allowed to do some of
the restricted requests.
3) Some sites may be totally open, so that everyone can do anything without
logging in.
4) All of this is decided while the application is running.
5) One user may be administrator of 1 group and not allowed to do anything
in another.
So for instance
the request:
TomcatServer:8080/MyApp/restrictedRequest.action?site=closedSite
would result in that the user is required to login using a login-screen,
because closedSite is defined as closed.
while the request:
TomcatServer:8080/MyApp/restrictedRequest.action?site=openSite
Would not result in that the user has to login, because the openSite is
defined as total open.
At 11:06 26-09-2003 +0100, you wrote:
The problem is that your model does not seem to be based on a secret and
site names don't have a lot of entropy. I don't know enough about your
model to give you examples of possible attacks, but it seems to be similar
to an access control model where you ask to people to enter their user ID
but no password. Saying Oh, the client has to know a valid user name to
get in would not be enough to make this a secure model.
Why? knowing my hotmail address doesn't make it possible for other than me
to login to my hotmail account.
If you store the
remote site information in the Session, this information is stored-server
side and a client never even gets the chance to have a go at circumventing
it.
The role model can be made to work. You have a list of clients, or sites,
and you assign them roles. You create a table of role-to-permissions or
simply declare the required roles in your JSP. Then in your pages make the
following access check:
// This gives MyApp/saveEditedPage.action in your original example; you
may also use
// getServletPath() to give you saveEditedPage.action
String requestURI = request.getRequestURI();
// Implement this method yourself
String[] permittedRoles = getPermittedRoles(requestURI);
boolean accessAllowed = false;
for (int i = 0; i permittedRoles.length; i++)
{
if (request.isUserInRole(permittedRoles[i]))
{
accessAllowed = true;
break;
}
}
This is simply an example, of course, and I don't know whether such a scheme
would work for you.
- Original Message -
From: Morten Andersen [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Friday, September 26, 2003 10:33 AM
Subject: Re: Authentication - based on request parameters
Why is that a security-issue?
I wan't the user to enter the site by cliking on a link or whatever, so
that the user enters the site using that request. It should be OK, that
the
user tryes to go to a restricted page by writing
blabla:8080/MyApp/restrictedRequest.action?site=JustAGuess
But if that is done and the user has not got rights to do it, then he is
being rejected...
Regards
Morten Andersen
PS: I did consider the role-based model form tomcat, but that is
coarse-grained, in the sense that it is based on 1 role for one web-app,
and that is not suficient.
Something else that occurs to me is that your security model appears to
depend on a GET parameter in the request (?site=MySite). A client
could
easily change this value to circumvent your security. A better model is
that your logon page sets a value in the Session object to identify the
user. Then the security depends on a very long, random session ID and it
is
vanishingly unlikely that a client will be able to change this ID (either
in
a URL or a cookie) and, by chance, hit on a valid session ID belonging to
another user.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Morten Andersen
Master of applied mathematics and computer science
Amanuensis (in e-learning)
The Maersk Institute of Production technology at Southern Danish
University
www.mip.sdu.dk
Campusvej 55
DK-5230 Odense M
Denmark
+45 6550-3654
+45 6171-1103
Jabber id: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Morten Andersen
Master of applied mathematics and computer science
Amanuensis (in e-learning)
The Maersk Institute of Production technology at Southern Danish University
www.mip.sdu.dk
Campusvej 55
DK-5230 Odense M
Denmark
+45 6550-3654
+45 6171-1103
Jabber id: [EMAIL PROTECTED]
Using ParameterMap throws ClassCastException
I am using the ParameterMap in request in an authentication mechanism.
Therefore I need to do the following:
add a mapping of parameters to the request.getParameter(). I do the following:
import org.apache.catalina.util.ParameterMap;
...
System.out.println(ParameterMap is a: +
request.getParameterMap().getClass().getName());
try{
ParameterMap map = (ParameterMap)request.getParameterMap();
map.setLocked(false);
map.putAll(values.getParameterMap());
map.setLocked(true);
}catch(Exception e){
e.printStackTrace();
}
This gives the following output:
ParameterMap is a org.apache.catalina.util.ParameterMap
And a ClassCastException in this line:
ParameterMap map = (ParameterMap)request.getParameterMap();
So it seems that they reference to two different class-definitions, but I
am using the same catalina.jar everywhere. (included it in the WEB-INF/lib dir)
If I put catalina.jar in the WEB-INF/lib dir, then the above error is
reported, else a ClassNotFoundException is thrown.
I'm using tomcat-4.1 and found the class in the catalina.jar file. Where
else is it?
Thanks
Morten Andersen
Master of applied mathematics and computer science
Research assistant (in e-learning)
The Maersk Institute of Production technology at Southern Danish University
www.mip.sdu.dk
Campusvej 55
DK-5230 Odense M
Denmark
+45 6550-3654
+45 6171-1103
Jabber id: [EMAIL PROTECTED]
RE: limit on size of page
The thing is wriiten using struts and the code looks like this: bean:write name=exercise property=text filter=false/ The same happens if I use: % out.println(((ExerciseInterface)request.getSession().getAttribute(exercise)).getText()); % The odd thing about this is that if I delete some of the empty lines above this code more text is being rendered. I have checked that all of the text is present in the bean. Regards Morten Andersen Software developer and Football player At 08:57 09-09-2003 -0500, you wrote: I know a while back Tomcat used to have problems with large numbers of tags, which is I guess directly related to the 64k limit imposed on method bodies. (Is that still around with jdk 1.4.x ?) http://www.caucho.com/support/resin-interest/0207/0182.html There's also large but not infinite number of characters you can include in a querystring, which is imposed (implied?) by the HTTP standard. http://forum.java.sun.com/thread.jsp?thread=422460forum=54message=1880 628 Might either of those be a problem? Your experience of deleting some off the top, and more appearing at the bottom certainly sounds familiar! I wish google could read my mind for me. :) -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 09, 2003 7:48 AM To: Tomcat Users List Subject: RE: limit on size of page Howdy, There's certainly no such limit imposed by tomcat ;) We have many web pages containing more than 1MB of text, and we don't have any problems with this. Post the code you're using to write the output. As an aside, you happen to share a name with one of my favorite (American)football players: http://www.nfl.com/players/playerpage/1376 ;) Yoav Shapira Millennium ChemInformatics -Original Message- From: Morten Andersen [mailto:[EMAIL PROTECTED] Sent: Tuesday, September 09, 2003 4:47 AM To: [EMAIL PROTECTED] Subject: limit on size of page I am writing a big bunch of text (27442 chars) out on a page. This seems to be a problem, since I can't see all the text as output. As I delete other parts of the page I can suddenly see more of the text. This could be caused by some upper limit of text sent from tomcat back to the browser. Is this the case or is there some other reasons for this. Regards Morten Andersen Master of applied mathematics and computer science Research assistant (in e-learning) The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 6550-3654 +45 6171-1103 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Morten Andersen Master of applied mathematics and computer science Research assistant (in e-learning) The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 6550-3654 +45 6171-1103 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Classloading - ClassNotFoundException: EntityProxy not found
I recently changed from Tomcat 4.1.12 to 4.1.24 and from Jboss 3.0.3 to Jboss 3.2.1 This has resulted in a Classloading failure, when I make dynamic Proxy copies of the beans from JBoss and sents them to Tomcat. I don't know whether JBoss changed something in there server, or there has been a change in the way Tomcat finds classes. How can I add the Class EntityProxy (from a jar file in JBoss) so that I can avoid the ClassNotFoundException in Tomcat. Regards Morten Andersen Morten Andersen Master of applied mathematics and computer science Research assistant (in e-learning) The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 6550-3654 +45 6171-1103 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Classloading - ClassNotFoundException: EntityProxy not found
I recently changed from Tomcat 4.1.12 to 4.1.24 and from Jboss 3.0.3 to Jboss 3.2.1 This has resulted in a Classloading failure, when I make dynamic Proxy copies of the beans from JBoss and sents them to Tomcat. I don't know whether JBoss changed something in there server, or there has been a change in the way Tomcat finds classes. How can I add the Class EntityProxy (from a jar file in JBoss) so that I can avoid the ClassNotFoundException in Tomcat. Regards Morten Andersen Morten Andersen Master of applied mathematics and computer science Research assistant (in e-learning) The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 6550-3654 +45 6171-1103 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
limit on size of page
I am writing a big bunch of text (27442 chars) out on a page. This seems to be a problem, since I can't see all the text as output. As I delete other parts of the page I can suddenly see more of the text. This could be caused by some upper limit of text sent from tomcat back to the browser. Is this the case or is there some other reasons for this. Regards Morten Andersen Master of applied mathematics and computer science Research assistant (in e-learning) The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 6550-3654 +45 6171-1103 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
limit on size of page
I am writing a big bunch of text (27442 chars) out on a page. This seems to be a problem, since I can't see all the text as output. As I delete other parts of the page I can suddenly see more of the text. This could be caused by some upper limit of text sent from tomcat back to the browser. Is this the case or is there some other reasons for this. Regards Morten Andersen Master of applied mathematics and computer science Research assistant (in e-learning) The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 6550-3654 +45 6171-1103 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
