One solution to: How to hide files by extension under Tomcat 5?
Parsons Technical Services wrote:
> Since you don't like that you might try this. Set security-constraints for all the file types you want to protect. Then do NOT set an auth-constraint for it. Thus no one will be able to access it from outside.

Thanks Doug, that's the ticket. Here's what I came up with:

I created a page not found html doc. I then modified web.xml and
a) created a security constraint for the url pattern *.jspsegment, with auth-constraint of blockaccess
b) created the role blockaccess with no users
c) set login-config to use the FORM auth-method, specifying the custom page not found doc. for the login page
- as it does not have any actual functionality, and no one has the blockaccess role, files with the extension jspsegments will never be served.

Fun!

(You can do this without the not found form, but then you see a tomcat-generated error rather than a more generic / app-specific message. Also, set this as your custom error page and any nosey types shouldn't be able to tell they've actually specified an existing page)

> PS Unless I am mistaken the file structure is controlled by the servlet spec. Thus Tomcat has no control over this feature.

You are correct - I was just being cranky.

thanks
-Steve

Here are the additions to web.xml:

--%- (snip)

    <error-page>
      <error-code>404</error-code>
      <location>/PageNotFound.html</location>
    </error-page>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>jspsegment direct access</web-resource-name>
        <url-pattern>*.jspsegment</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>blockaccess</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <role-name>blockaccess</role-name>
    </security-role>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>notfound</realm-name>
      <form-login-config>
        <form-login-page>/PageNotFound.html</form-login-page>
        <form-error-page>/PageNotFound.html</form-error-page>
      </form-login-config>
    </login-config>

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
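
An added example, not part of the original thread and not Tomcat's own code: a small Python audit of the security-constraint entries in a web.xml like the one posted above. Under the servlet spec, a constraint with no auth-constraint leaves access unrestricted, an empty auth-constraint denies everyone, and listing http-method elements limits the constraint to those methods; the *.jspinclude and *.inc entries in the sample are constructed for comparison.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first constraint mirrors the one posted above; the
# other two (*.jspinclude, *.inc) are hypothetical, added for comparison.
SAMPLE = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>*.jspsegment</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method><http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>blockaccess</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>*.jspinclude</url-pattern></web-resource-collection>
  <auth-constraint/>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>*.inc</url-pattern></web-resource-collection>
 </security-constraint>
</web-app>"""

def _local(elem):
    return elem.tag.rsplit("}", 1)[-1]  # tag name without XML namespace

def _children(elem, name):
    return [c for c in elem if _local(c) == name]

def audit(web_xml):
    """Return (url-pattern, access, constrained-methods) per constraint."""
    rows = []
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if _local(e) == "security-constraint"):
        auth = _children(sc, "auth-constraint")
        roles = [(r.text or "").strip() for a in auth for r in _children(a, "role-name")]
        # No auth-constraint: unrestricted. Empty auth-constraint: nobody gets in.
        access = ("unrestricted" if not auth
                  else "deny-all" if not roles
                  else "roles:" + ",".join(roles))
        for wrc in _children(sc, "web-resource-collection"):
            methods = [(m.text or "").strip() for m in _children(wrc, "http-method")]
            for p in _children(wrc, "url-pattern"):
                # Listed methods narrow the constraint; unlisted ones are not covered.
                rows.append(((p.text or "").strip(), access, methods or ["ALL"]))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A roles: result blocks access only while no user in the realm holds that role, which is what the setup above relies on. ALL means the constraint lists no http-method and therefore covers every method.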
How to hide files by extension under Tomcat 5?
Hello,

I've got Tomcat 5 running standalone. Unfortunately I cannot discover how to prevent non-JSP files from being served.

Specifically, I've got code sections (which aren't really appropriate to be written as beans) which I jsp:include into several pages. I end up giving all of these the extension .jspinclude. Provided you know the name of the file, you can request it and see the source. This is also the case for other files I do not want visible.

Previously I had Tomcat 3 connected to Apache and used Apache's config mechanism to deny access to files with certain extensions. Now I'm moving to Tomcat 5 and decided to give a standalone setup a try.

Is there a way to configure TC5 so that it gives a 404 error for all files with a certain extension (or name-matching a reg exp string)? Or conversely, configuring it so that it only serves files with an extension in [jsp, html, gif]?

thanks,
Steve
Re: How to hide files by extension under Tomcat 5?
Good idea.

Unfortunately, I'd like to keep my file org as-is (it'd be a bit strange to put all sorts of resources in a directory structure starting with WEB-INF). Plus I'm not sure it's a good thing to rely on a product-specific feature (WEB-INF is hidden by Tomcat) for this. What happens if in the future the dir changes to WEB-INFO - then a bunch of pages would need re-doing.

Surely there must be a configurable way? This would seem to be a general req. of any web-server.

thanks,
Steve

Emerson Cargnin wrote:
> You can hide all these files inside the WEB-INF directory. It will be included when called by a JSP or servlet, but not served directly...
Re: emergency - need to get into admin app
In general, you only use it to pass options that you might need. For example the X flag controls memory, so if your app requires it you can instruct tomcat to launch JVMs with a higher max (i.e. if it seems to be running out of memory).

As an example I use:

    -Xmx128m

to set the max at 128MB (I think the default is 64?)

Note I'm using this under linux so it's in a shell script. In the Windows batch file, you'd just use:

    set JAVA_OPTS=-Xmx128m

Which I would put after the line

    rem - Execute The Requested Command -

but that's just me ;^)

You could also use the control panel to set a system-wide env. variable, but you don't need everybody to have it defined, plus it may mess you up when running java apps other than tomcat.

-Steve

Stephen Charles Huey wrote:
> I see something in catalina.bat about a JAVA_OPTS environment variable. Do I need to set this in Windows? When I run java -X on the command line, I see something about a -Xms option for setting the heap size. Do I just type -Xms some number in the Windows environment variable or what?
Re: Classpath problems with tomcat on Linux 9
Hi Andy,

I'm porting over to TC5 and I've not had any problems with it finding my classes, *BUT* I don't put any classes into the base directory itself, but below that.

So for example, my UserBean class is in myapp/WEB-INF/classes/AccessCtrl and it is part of the package AccessCtrl (i.e. first line of bean is package AccessCtrl;)

The pages that use this include the directive:

    <%@ page import="AccessCtrl.*" %>

so that it can find them. Additionally, to avoid problems, I generally include the packagename anyways in my useBean tags:

    <jsp:useBean id="beanUser" class="AccessCtrl.UserBean" scope="session" />

Which shouldn't be necessary, but I find it increases readability anyways.

-Steve

Andy Wadsworth wrote:
> Should I expect Tomcat to find my UserData.class file if I put it in webapps/myapp/WEB-INF/classes? Do I need to create a web.xml or should it find the class file without any web.xml customization?
>
> If anyone has a very simple example that I could drop in to see if it works, I'd appreciate it. I've already verified that the jsp-examples all work, but there is a lot of stuff in the web.xml that I shouldn't need for what I want to do, and finding what I need is probably where my problems lie.
Re: Creating a Certificate Signing Request
On Thu, 2002-08-15 at 10:55, Gabe Sanchez wrote:
> Hi all,
>
> I am new to the list, so please bear with me. I am running a server with RedHat Linux 7.2, with Tomcat 4.0.3 as the web server. I am in the process of trying to buy a digital certificate from Verisign but am unable to find any information on how to create a Certificate Signing Request. I called Verisign, and they told me that they do not have any documentation on how to do this. Can someone please help.

This is actually OS dependent, not really a tomcat thing.

Verisign does indeed have instructions at:
http://www.verisign.com/support/site/secure/install.html

-Steve
RE: Writing files from a class
Thanks for the reply,

I see that the spec mentions private temporary directory - I need a permanent directory - by temporary I take it to mean that I can't count on the files sticking around. Is my understanding here flawed? Also, I'd like to be able to specify the name and location.

I had seen the javax.servlet.ServletContext.log() methods, but they seem to offer no control over where the output is placed. I'd rather have a debug file per class than have all messages sent to a single file.

And finally, I have servlets that take data from a db and place it in a (text) file for the user to download - so once again a file creation issue where I need a general file i/o solution.

thanks,
-Steve

On Tue, 2002-08-13 at 20:15, Sexton, George wrote:
> From the servlet 2.3 Specification:
>
> SRV.3.7.1 Temporary Working Directories
>
> A temporary storage directory is required for each servlet context. Servlet containers must provide a private temporary directory per servlet context, and make it available via the javax.servlet.context.tempdir context attribute. The objects associated with the attribute must be of type java.io.File.
>
> -Original Message-
> From: Stephen Bacon [mailto:[EMAIL PROTECTED]]
> Sent: 13 August, 2002 5:20 PM
> To: [EMAIL PROTECTED]
> Subject: Writing files from a class
>
> Hello,
>
> I'm trying to migrate from Tomcat 3 to Catalina (under Linux) and I've hit a snag. Several of my custom classes which I use from JSPs (e.g. ConnectionPool) print messages to debug files which I access via:
>
> snip
RE: Writing files from a class
On Wed, 2002-08-14 at 11:37, Shapira, Yoav wrote:
> Hi,
>
> > I see that the spec mentions private temporary directory - I need a permanent directory - by temporary I take it to mean that I can't count on the files sticking around. Is my understanding here flawed?
>
> Your understanding as far as a temporary directory is correct. If you need a permanent directory, you can:
> - Specify one as a parameter (resource-ref, init-param to a servlet, context-param etc.).

Right, this is what I tried (set an init-param, read it in the JSP, pass it to the object via a SetLogDirectory() method) - but no files.

> - Use another storage medium, e.g. a database.

Well, the problem then is debugging problems hitting the db - text files are the lowest common denominator and simplest way of dropping messages. If I log to a db, then if I can't hit the db then no logging ;^(

> I'm sorry, I don't have your original message in front of me. Are you using a logging solution e.g. log4j or commons-logging, or are you constricted to relying only on the ServletContext.log() methods? Log4j etc will let you configure the log files to whatever detail level you want, including path and separate log files per class.

I'm just doing simple file I/O (via PrintWriter() class). I had looked at Log4j, but I wanted to port the existing code, not rewrite it. Plus I assume if I'm having trouble doing simple file I/O I'll have the same problem using a different class.

> Why can't you use the temporary directory for this? Unless you want the files to persist across server restarts,

Yes, I need them to persist.

> in which case you would either put them in a DB

In one case I have I *must* save the data to a file (it starts out in the db) - this is not a technical issue, but rather a legal issue we have (i.e. we must save to a file because that's what the user downloads, if we save it in a db then we can't say we've kept copies of all files, yada yada yada - typical CYA lawyer stuff)

> or tell your servlets what directory to use via the param methods mentioned above.

Right, that's what I tried. But, the files don't appear - so I was wondering if this is a Tomcat4 issue (security / config / ???) as file I/O worked with these classes under Tomcat 3.2

-Steve
Writing files from a class
Hello,

I'm trying to migrate from Tomcat 3 to Catalina (under Linux) and I've hit a snag. Several of my custom classes which I use from JSPs (e.g. ConnectionPool) print messages to debug files which I access via:

snip

    pwDebug = new PrintWriter(new FileOutputStream(m_sDebugFileName, true));
    pwDebug.println(m_sdf.format(new java.util.Date()) + " " + sparMsg);

snip

Previously, it would create / append to the file in the location that Tomcat was started from (so I had made sure it was always done from a logs directory - a kludge yes, but it worked)

Well, Tomcat 4 seems to have added security which is blocking this. I made a modification to pull the debug file name from the web.xml file and made sure the target directory specified (/var/tomcat4/webapps/appname/logs) was owned by the user tomcat4, and had the write flags turned on.

No go - still no debug file (it writes an init message so there should be something)

This of course is a big problem because my classes have now all become black boxes and I'm unable to debug problems.

Is this something to do with security under T4? Is there a proper means by which messages should be logged? Have I configured something wrong? The app seems to be running OK, but I have no way to be sure without the ability to print debug messages.

Any ideas?

thanks,
-Steve
Re: Configuring web.xml for HttpServlet - Solution!
Aha! never underestimate the power of just guessing.

The solution was to hit the servlet by specifying "servlet" in the path, i.e.:

    http://servername/context/servlet/servlet-name

If the servlet is installed under the ROOT webapp as Wyn Easton suggested, then you can skip specifying the context.

Does anyone know if there is a way to set up web.xml or something so that the "/servlet" portion of the URL can be skipped?

Thanks,
Steve