RE: Apache2 SSL with client authentication jk2 tomcat 5 - no user certificate in request

2004-07-02 Thread Summers, Bert W.
I tried to get that working but failed so I went back to mod_jk which does
pass the cert.

<Directory /webapps/myapp>
SSLVerifyClient optional
SSLVerifyDepth  5
SSLRequireSSL
SSLOptions +FakeBasicAuth +ExportCertData +StdEnvVars
Options Indexes FollowSymLinks
DirectoryIndex index.jsp
</Directory>

-Original Message-
From: Radu Radutiu [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 02, 2004 7:49 AM
To: Tomcat Users List
Subject: Apache2 SSL with client authentication jk2 tomcat 5 - no user
certificate in request


Hi,

I'm running Tomcat 5 + jdk 1.4.2_02 + Apache 2.0.49 (Fedora 1) with mod_jk2.
I can access the  web app through SSL (with client authentication enabled in
Apache) but the following attributes are not set in the request:
javax.servlet.request.cipher_suite,
javax.net.ssl.peer_certificates and
javax.servlet.request.X509Certificate
If I access the Tomcat server directly on a port configured with SSL with
client authentication, javax.servlet.request.cipher_suite  and
javax.servlet.request.X509Certificate are set correctly.

I've tried different versions of tomcat (5.0.25 and 4.1.27), mod_jk2 from
the binary distribution and  self compiled and get the same result. Running
a traffic sniffer it seems that the certificate information is never sent to
the tomcat server.

The jk2 configuration (in httpd.conf) is the following:

LoadModule jk2_module modules/mod_jk2.so
JkSet config.file /etc/httpd/conf/workers2.properties
# default value
JkSet2 workerEnv sslEnable 1
JkSet2 workerEnv forwardKeySize  1

The workers2.properties is the default file from the binary distribution
with the updated uri for the web application.

Is it possible to get the user certificate in Tomcat when using Apache
+ mod_jk2 as a front end?

Regards,

Radu

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




RE: SingleSignOn

2004-06-25 Thread Summers, Bert W.
Looking at SingleSignOn sessionEvent code it seems that if you invalidate a
session it does kill all the sessions.

Only if the session died from timeout do other sessions survive.
This is from TC5.0.25

// Was the session destroyed as the result of a timeout?
// If so, we'll just remove the expired session from the
// SSO.  If the session was logged out, we'll log out
// of all session associated with the SSO.
if (System.currentTimeMillis() - session.getLastAccessedTime() >=
  session.getMaxInactiveInterval() * 1000) {
  removeSession(ssoId, session);
} else {
  // The session was logged out.
  // Deregister this single session id, invalidating 
  // associated sessions
  deregister(ssoId);
}

-Original Message-
From: Mike Fowler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 24, 2004 1:59 AM
To: Tomcat Users List
Subject: Re: SingleSignOn


Hi Thomas,

The reason you can't log off from the second app is that web apps cannot
talk to one another. Additionally, with the SingleSignOn feature when you
leave a web app without invalidating the session, it remains attached to
the SingleSignOn session. The SingleSignOn session does not expire until all
attached sessions are invalid.




RE: Denial Service Attack Prevention apache-tomcat modjk2

2004-06-10 Thread Summers, Bert W.
And server side you can use a token match from a form hidden element and
session attribute.

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 7:56 AM
To: Tomcat Users List
Subject: RE: Denial Service Attack Prevention apache-tomcat modjk2



Hi,
You can use JavaScript to disable form elements, thereby graying them out
and preventing the user from clicking again.

Yoav Shapira
Millennium Research Informatics


-Original Message-
From: Steve [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 10:52 AM
To: Tomcat Users List
Subject: Denial Service Attack Prevention apache-tomcat modjk2

Looking for a solution to prevent a user from clicking multiple times on a 
function in which the application is still performing from the first
click.

The user thinks the app is not responding where in fact it is, then 
causing the app to take a dump from multiple requests.

Using cisco css LB into -- Apache, mod_jk2 into tomcat 4.1.29

any tips or pointers greatly appr

-s







This e-mail, including any attachments, is a confidential business
communication, and may contain information that is confidential, proprietary
and/or privileged.  This e-mail is intended only for the individual(s) to
whom it is addressed, and may not be saved, copied, printed, disclosed or
used by anyone else.  If you are not the(an) intended recipient, please
immediately delete this e-mail from your computer system and notify the
sender.  Thank you.
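
The token match suggested in this thread (a hidden form field checked against a session attribute), as an added example that is not code from any of the posters. It uses only the JDK: a ConcurrentMap stands in for the HttpSession attributes, and the names FormTokenGuard and formToken are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/** One-time form token: only the first submit of a rendered form is processed. */
public class FormTokenGuard {

    static final String TOKEN_ATTR = "formToken";   // hypothetical attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** Render step: store a fresh random token and return it for the hidden field. */
    static String issue(ConcurrentMap<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(TOKEN_ATTR, token);
        return token;
    }

    /**
     * Submit step: remove the stored token only if it equals the submitted one.
     * remove(key, value) is a single atomic operation, so concurrent duplicate
     * submits cannot both succeed. With a real HttpSession the get, compare and
     * remove are separate calls and have to run under one lock.
     */
    static boolean consume(ConcurrentMap<String, Object> session, String submitted) {
        return submitted != null && session.remove(TOKEN_ATTR, submitted);
    }

    public static void main(String[] args) throws Exception {
        ConcurrentMap<String, Object> session = new ConcurrentHashMap<>();
        String hidden = issue(session);              // value placed in the form

        int clicks = 5;                              // impatient user, same form
        AtomicInteger executed = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(clicks);
        for (int i = 0; i < clicks; i++) {
            pool.execute(() -> {
                try {
                    start.await();                   // release all submits together
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    return;
                }
                if (consume(session, hidden)) {
                    executed.incrementAndGet();      // the expensive work goes here
                }
            });
        }
        start.countDown();
        pool.shutdown();
        if (!pool.awaitTermination(5, TimeUnit.SECONDS)) {
            throw new IllegalStateException("workers did not finish");
        }
        if (executed.get() != 1) {
            throw new AssertionError("expected exactly one accepted submit");
        }
        System.out.println(clicks + " submits, " + executed.get() + " processed");

        // A replay of the old token, or a submit with no token, is refused.
        if (consume(session, hidden) || consume(session, null)) {
            throw new AssertionError("stale or missing token was accepted");
        }
        System.out.println("replayed token refused");
    }
}
```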





Opening a pdf from IE via apache-jk-tc5

2004-06-04 Thread Summers, Bert W.
I am really starting to hate IE.
 
First my site.
 
Running apache 2.0.49. mod_ssl to  mod_jk to TC 5.0.19.
Apache is doing all of my PKI work, passes the cert to TC which handles user
auth.
My site has a lot of PDF documents.  Some are downloaded via a servlet. 
 
The problem:
 It all worked great for quite some time, then suddenly nobody using IE can
get the docs via the servlet (assume the directory broke the same time).
Had to tell IE to use cache as it does not want to cache anything from an
SSL site.  (It seems that IE downloads the file first then asks if you want
to open it or save it, then tries to get it again but won't because of SSL)
response.setHeader("Pragma", "cache");
response.setHeader("Cache-Control", "cache");
 
Got that part to work.  Now it seems that IE can not get a pdf or doc file
from straight directory browsing.
IE gives the error "not able to open this Internet site, blah blah blah
Please try again later".  This is the same error I got from my servlet.
 
Of course Mozilla does not have a problem at all.
 
The Question:
Without writing a servlet to return all of the files that are currently
retrieved by direct url is there a way for tomcat to tell IE to use the one
in cache, similar to the setHeaders above?


RE: Opening a pdf from IE via apache-jk-tc5

2004-06-04 Thread Summers, Bert W.
After searching the archives it seems that it is not possible.
 
Just to note.  I added JkMount /MyApp/* ajp13 to http.conf.
That is what caused the direct url problem.
Apache does not set the header but tomcat does, strange.
 
Guess I will have to write my servlet as I need user access control to the
files.


RE: Bug in Tomcat 5 realm example (j_security_check, again)

2004-05-24 Thread Summers, Bert W.
From other comments on the list I added this to the top of my login.jsp

if (session.isNew())
{
  String referer = request.getHeader("Referer");
  if (referer == null)
  {
    response.sendRedirect("index.jsp");
  }
  else
  {
    response.sendRedirect(referer);
  }
  return;
}

Then I had a problem that people would login, view some stuff and then go to
another web site.
Of course they bookmarked the login page (I know they should not, but they
do).
After visiting other web pages they hit the bookmark back to the login page.
This caused the first if to fail, so I added this part.  (I put a user
object in the session)

// now check remote user and session user
User u = (User)session.getAttribute(USER);
String remoteUser = request.getRemoteUser();
if(remoteUser != null && u != null)
{
  if(remoteUser.equals(u.getUsername()))
  {
    response.sendRedirect("index.jsp");
    return;
  }
  else
  {
    // seems the user does not match
    session.invalidate();
    response.sendRedirect("index.jsp");
    return;
  }
}

For my site my failed page is also login.jsp.  I created my own custom login
which does some checks and uses attributes in the request to give feedback
to the users (bad password, expired account, etc).

-Original Message-
From: Barnet Wagman [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 24, 2004 2:24 PM
To: Tomcat Users List
Subject: Bug in Tomcat 5 realm example (j_security_check, again)


This really concerns using j_security_check.  (I know there have been many
posts on this subject but I haven't seen the answer I need and I haven't
found much in the way of documentation on j_security_check).

Tomcat 5 comes with a simple example of  how to use j_security_check for
form based login ( http://localhost:8080/jsp-examples/security/protected/,
as referred to in the Realm Configuration HOW-TO);

The example fails to redirect correctly after a failed login.

That is, if the user enters a valid username/password combination on the
first try, everything is fine.

If not, the user gets the error page, which has a link back to the login page.
If she then enters the correct username/password, she is redirected to the
/login page/.  It appears that the user now is logged in.  I.e. she can now
access protected pages.

In other words, the login page - error page - login page redirection is
'losing' the url of the originally requested page.  I suspect that a simple
modification to login.jsp and error.jsp would fix this, but that requires
knowing where j_security_check put the url of the originally requested page.
I haven't found any documentation on that.

If you know, or have any other ideas on fixing this, please let me know.

Thanks,

bw
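
An added example, not part of the posts above: the login.jsp snippet in this thread redirects to whatever the Referer header contains, and that header is supplied by the client. One way to restrict the target to the application itself, using only java.net.URI; the class name, the host app.example and the sample Referer values are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Picks a post-login redirect target from a client-supplied Referer value. */
public class LoginRedirect {

    private static int effectivePort(String scheme, int port) {
        if (port != -1) {
            return port;
        }
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    /**
     * Returns a path (plus query) inside this application, or the fallback.
     * ownScheme, ownHost and ownPort describe the site as the server is
     * configured; they are never read from request headers.
     */
    static String safeTarget(String referer, String ownScheme, String ownHost,
                             int ownPort, String fallback) {
        if (referer == null || referer.isEmpty()) {
            return fallback;
        }
        URI u;
        try {
            u = new URI(referer);           // rejects CR/LF, spaces, backslashes
        } catch (URISyntaxException e) {
            return fallback;
        }
        String scheme = u.getScheme();
        String host = u.getHost();
        if (scheme == null || host == null || u.getRawUserInfo() != null) {
            return fallback;                // relative, opaque or user@host forms
        }
        if (!scheme.equalsIgnoreCase(ownScheme) || !host.equalsIgnoreCase(ownHost)
                || effectivePort(scheme, u.getPort()) != ownPort) {
            return fallback;                // another origin
        }
        String path = u.getRawPath();
        if (path == null || !path.startsWith("/") || path.startsWith("//")) {
            return fallback;                // "//host/..." would be read as a new host
        }
        if (path.endsWith("/login.jsp")) {
            return fallback;                // bookmarked login page: avoid a loop
        }
        String query = u.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        // Constructed Referer values and the target each one must produce.
        String[][] cases = {
            {"https://app.example/docs/list.jsp?page=2", "/docs/list.jsp?page=2"},
            {null, "index.jsp"},
            {"https://evil.example/docs/list.jsp", "index.jsp"},
            {"https://app.example@evil.example/", "index.jsp"},
            {"http://app.example/docs/list.jsp", "index.jsp"},
            {"https://app.example//evil.example/x", "index.jsp"},
            {"https://app.example/a\r\nX-Injected: 1", "index.jsp"},
            {"https://app.example/login.jsp", "index.jsp"},
        };
        for (String[] c : cases) {
            String got = safeTarget(c[0], "https", "app.example", 443, "index.jsp");
            if (!got.equals(c[1])) {
                throw new AssertionError(c[0] + " gave " + got);
            }
            System.out.println(String.valueOf(c[0]).replaceAll("\\s", " ") + " -> " + got);
        }
    }
}
```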





RE: Streaming pdf document fails

2004-05-11 Thread Summers, Bert W.
Added
  response.setHeader("Pragma", "cache");
  response.setHeader("Cache-Control", "cache");

And now it works.
I was not adding the cache-control, something else must have but did not
override my setting to cache.

Mozilla still double downloads, but then 90% of my users are IE.

Thanks.

-Original Message-
From: Sasha Borodin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 2:23 PM
To: Tomcat Users List
Subject: Re: Streaming pdf document fails


Bert,

I just ran across something similar today, read this document:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q316/4/31.asp&NoWebContent=1

The way I understand it, IE wants to save the file in cache before letting
you view it; if you're requesting something via SSL (https://...) IE
actually honors the cache defeating tags, which I noticed you have; hence
the error.  Removing the...

 Pragma: No-cache
 Cache-Control: no-cache

...headers should fix your problem, I think.  It worked for me, let me know
if this works for you too.

-Sasha




Streaming pdf document fails

2004-05-11 Thread Summers, Bert W.
I have a problem that just came up.  I have PDF documents located outside
of my webapps directory.
When the user wants one they go to my servlet which streams it back.
This used to work just fine, but now is broken.
 
In IE I get "Error opening document" on TC4.1.30 and "unable to open this
Internet site" in TC 5.0.19
 
Mozilla 1.6 does not have a problem opening the file.
 
What is odd is that Mozilla seems to request the servlet twice from one
click, the first tends to throw this
ClientAbortException:  java.net.SocketException: Software caused connection abort: socket write error
    at org.apache.coyote.tomcat4.OutputBuffer.realWriteBytes(OutputBuffer.java:410)
    at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:332)
    at org.apache.coyote.tomcat4.OutputBuffer.writeBytes(OutputBuffer.java:438)
    at org.apache.coyote.tomcat4.OutputBuffer.write(OutputBuffer.java:425)
    at org.apache.coyote.tomcat4.CoyoteOutputStream.write(CoyoteOutputStream.java:108)
    at GetPDFDoc.outputFile(GetPDFDoc.java:128)
    at GetPDFDoc.processRequest(GetPDFDoc.java:86)
    at GetPDFDoc.doGet(GetPDFDoc.java:147)
 
Is there anything wrong with what I am doing?
  response.setContentType("application/pdf");
  response.setDateHeader("Expires", 0);
  // open pdf outside of browser
  response.addHeader("Content-disposition", "attachment; filename=" + ntspNo + ".pdf");
  response.setContentLength((int)f.length());
  java.io.OutputStream out = response.getOutputStream();
  // f is the pdf on the file system and it does exist
  java.io.FileInputStream in = new java.io.FileInputStream(f);
  int size = 0;
  byte[] buffer = new byte[8192];
  while( (size = in.read(buffer, 0, buffer.length)) != -1)
  {
    out.write(buffer, 0, size);
  }
  in.close();
  out.close();
 
Thanks


RE: Streaming pdf document fails

2004-05-11 Thread Summers, Bert W.
This is what tcptrace tells me is being sent back to the browser

HTTP/1.1 200 OK
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-disposition: attachment; filename=N77-NTSP-E-70-0203.pdf
Content-Type: application/pdf
Content-Length: 443928
Date: Tue, 11 May 2004 19:29:37 GMT
Server: Apache-Coyote/1.1

If I remove the Content-disposition then the PDF opens in the browser ok,
but that is not what I want.
Secondly Mozilla still asks for the file twice and gets it, but only
displays one of them.


-Original Message-
From: Christoph Meier [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 12:28 PM
To: Tomcat Users List
Subject: Re: Streaming pdf document fails


As far as I remember, IE wants to know the content-length to show a PDF. =>
put the appropriate content-length into your Response-Header, ensure 
to have set the right content-type and i would expect that the 
PDF-stream should work then for IE, too.

_christoph




RE: Tomcat and Windows 2003 Server

2004-05-07 Thread Summers, Bert W.
Running 4.1.29 on 2003.
Had problems with IIS6 and DoD PKI client authentication.
Went to Apache to fix that problem.

-Original Message-
From: Anderson Boechat Lopes [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 07, 2004 12:12 PM
To: Tomcat Users List
Subject: Tomcat and Windows 2003 Server


  Hi.

Sorry. I don't know if this is the right email to answer my question. I'm
new here.

I have a web-application running with Tomcat on Win 2000 Server and I
need to move to Win 2003 Server. However, I have already listened that there
are some problems running Tomcat on win 2003. It's true?

Thanks.

[]'s
__
 Anderson Boechat Lopes





SingleSignOn timeout

2004-04-12 Thread Summers, Bert W.
I am using the SingleSignOn class from Tomcat.
It is working good in that I have three webapps that I can be between
without a problem.
 
My issue is that when one of the sessions expires it kills all the sessions in
the other webapps and I get redirected to the login screen again.
 
That is not supposed to happen is it?
I am keeping one webapps session active and then it dies.
 
Is there some setting?
 
Thanks.


RE: SingleSignOn timeout

2004-04-12 Thread Summers, Bert W.
I would agree with your perspective.

However,
After I have been in my trading account for 30 minutes my boa session times
out and my trading session is killed.  That I do not expect.

-Original Message-
From: Peter Lin [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 12, 2004 12:27 PM
To: Tomcat Users List
Subject: Re: SingleSignOn timeout


 
that would depend on the type of single-signon you want right.
 
a restrictive single-signon mechanism would consider the user logged out of
all webapps once the user logs out of one webapp.
 
if you don't want the login to be symmetric, when do you decide a login is
invalid? Is it based on timeouts, or some other mechanism?  In my mind,
single-signon also means single-signout. But that's my biased perspective.
 
the reason for this way of thinking is, say I login to my BOA checking
account and I go to view my savings account. Then I jump to my trading
account. When I log off, I expect to log off BOA and not just the section
I'm on.  Other people might have different expectations, but that's how I
tend to think of single signon.
 
peter lin
 





RE: SingleSignOn timeout

2004-04-12 Thread Summers, Bert W.
How deep is this restriction? Can I change the SSO class? I have already
subclassed it to add some client PKI checking.

Why would one webapp's timeout kill a current session, seems it should kill
itself then each session would die a natural death, unless I call invalidate
session.

Bert

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 12, 2004 12:27 PM
To: Tomcat Users List
Subject: RE: SingleSignOn timeout



Hi,
And Tomcat's SingleSignOn valve is restrictive.  So the behavior you're
seeing is by design.

Yoav Shapira
Millennium Research Informatics





RE: SingleSignOn timeout

2004-04-12 Thread Summers, Bert W.
Let me see if I have this straight.

SingleSignOn registers itself with each session.
When a session dies it calls sessionEvent
Which then gets the ssoId and calls deregister
Which then iterates through all sessions for that ssoId and kills them

Now, if I change deregister and check the number of sessions and if there is
only one then remove the ssoId from the cache.
Seems that will fix my problem.

Are there any security problems I should be aware of?

Bert

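
An added example, not Tomcat's source: a small JDK-only model of the behaviour discussed in the SingleSignOn threads on this page, where a timed-out session is only removed from its SSO entry while an explicit logout deregisters every associated session. Class and method names are hypothetical and the clock values are constructed; the last check covers the case raised above, that the SSO id stops being accepted once no session is left under it.

```java
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/** JDK-only model of an SSO registry; names are hypothetical, not Tomcat classes. */
public class SsoRegistryModel {

    /** Stand-in for a container session. */
    static final class Session {
        final String name;
        final long lastAccessedMillis;
        final int maxInactiveSeconds;
        boolean valid = true;

        Session(String name, long lastAccessedMillis, int maxInactiveSeconds) {
            this.name = name;
            this.lastAccessedMillis = lastAccessedMillis;
            this.maxInactiveSeconds = maxInactiveSeconds;
        }
    }

    private final Map<String, Set<Session>> cache = new HashMap<>();  // ssoId -> sessions
    private final Map<Session, String> reverse = new HashMap<>();     // session -> ssoId

    synchronized void associate(String ssoId, Session s) {
        cache.computeIfAbsent(ssoId, k -> new LinkedHashSet<>()).add(s);
        reverse.put(s, ssoId);
    }

    /** True while a cookie carrying this SSO id would still be honoured. */
    synchronized boolean isKnown(String ssoId) {
        return cache.containsKey(ssoId);
    }

    /** Session-destroyed callback, using the same timeout test as the quoted code. */
    synchronized void sessionDestroyed(Session s, long nowMillis) {
        String ssoId = reverse.get(s);
        if (ssoId == null) {
            return;                              // not part of any SSO entry
        }
        s.valid = false;
        // 1000L keeps the multiplication in long arithmetic
        boolean timedOut =
            nowMillis - s.lastAccessedMillis >= s.maxInactiveSeconds * 1000L;
        if (timedOut) {
            removeSession(ssoId, s);             // the other sessions keep running
        } else {
            deregister(ssoId);                   // logout: end every session
        }
    }

    private void removeSession(String ssoId, Session s) {
        reverse.remove(s);
        Set<Session> sessions = cache.get(ssoId);
        if (sessions == null) {
            return;
        }
        sessions.remove(s);
        if (sessions.isEmpty()) {
            cache.remove(ssoId);                 // nothing left: forget the SSO id
        }
    }

    private void deregister(String ssoId) {
        Set<Session> sessions = cache.remove(ssoId);
        if (sessions == null) {
            return;
        }
        for (Session s : sessions) {
            s.valid = false;
            reverse.remove(s);
        }
    }

    private static void check(boolean ok, String what) {
        if (!ok) {
            throw new AssertionError(what);
        }
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        long now = 1_700_000_000_000L;           // constructed clock value
        long minute = 60_000L;
        SsoRegistryModel sso = new SsoRegistryModel();
        Session a = new Session("appA", now - 31 * minute, 1800);  // idle past 30 min
        Session b = new Session("appB", now - 1 * minute, 1800);
        Session c = new Session("appC", now - 2 * minute, 1800);
        sso.associate("sso-1", a);
        sso.associate("sso-1", b);
        sso.associate("sso-1", c);

        sso.sessionDestroyed(a, now);            // destroyed by timeout
        check(b.valid && c.valid, "timeout of appA leaves appB and appC alive");
        check(sso.isKnown("sso-1"), "SSO id still accepted while sessions remain");

        sso.sessionDestroyed(b, now);            // invalidated while still active
        check(!c.valid, "logout from appB also ends appC");
        check(!sso.isKnown("sso-1"), "SSO id rejected after logout");

        Session only = new Session("appA", now - 45 * minute, 1800);
        sso.associate("sso-2", only);
        sso.sessionDestroyed(only, now);         // the last session times out
        check(!sso.isKnown("sso-2"), "SSO id rejected once its last session expired");
    }
}
```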



RE: [OT] getBlob() error in Tomcat

2004-04-06 Thread Summers, Bert W.
You need to cast the ResultSet to the Oracle specific ResultSet

-Original Message-
From: Kumar Abhay-CAK203C [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 06, 2004 11:01 AM
To: Tomcat Users List
Subject: [OT] getBlob() error in Tomcat
Importance: High


Hi,

Any idea why this error is coming in runtime?

Servlet) - FileDisplayServlet.doPost()
java.lang.AbstractMethodError: oracle.jdbc.driver.OracleResultSetImpl.getBlob(Ljava/lang/String;)Ljava/sql/Blob;
    at org.apache.commons.dbcp.DelegatingResultSet.getBlob(DelegatingResultSet.java:318)
    at com.mot.iDEN.webapp.oes.servlet.FileDisplayServlet.readBlob(FileDisplayServlet.java:169)

I am trying to display a image that is stored in a BLOB field in Oracle. I
am using connection pooling and classes12.jar

Servlet Code 



private void readBlob
(
    HttpServletRequest request,
    HttpServletResponse response,
    long aFeatureId,
    String aFileName,
    String aUserId
)
throws SQLException,IOException
{
    Connection conn = null;
    ResultSet result = null;
    PreparedStatement prepStmt = null;
    java.io.InputStream in = null;
    java.sql.Blob myBlob = null;
    FileUploadFactory uploadFactory = new FileUploadFactory();

    try
    {
        conn = config_.getEstimationConnection(false);
        String sql = "";
        sql =
            "SELECT " +
            "FILE_IMAGE " +
            "FROM " +
            "OES_FEATURE_DETAILS " +
            "WHERE " +
            "FEATURE_ID = " + aFeatureId;

        log_.debug("SQL:===" + sql);
        log_.debug("result=" + result);
        prepStmt = conn.prepareStatement(sql);
        result = prepStmt.executeQuery();
        if (result != null && result.next())
        {
            //get the file ext
            String strDocExt = "";
            try
            {
                strDocExt = uploadFactory.getFileType(aFileName, aUserId);
            }
            catch(Exception e)
            {
                log_.debug("Exception is" + e);
            }
            //get the file length
            int intCountBytes = 0;
            String strPrpValue = null;
            //set the mimetype
            ResourceBundle mimetype = ResourceBundle.getBundle("mimes");
            strPrpValue = mimetype.getString(strDocExt.toLowerCase());
            log_.debug("Value=" + strPrpValue);
            if (strPrpValue != null)
            {
                response.setContentType(strPrpValue);
                response.setHeader("Content-Disposition", "inline; filename=" + aFileName);
            }
            myBlob = result.getBlob("FILE_IMAGE");
            //get the inputStream
            in = myBlob.getBinaryStream();
            /*Get the Output Stream*/
            if (in != null)
            {
                generatePresentation(in, response);
                in.close();
            }
        }
    }
    catch (SQLException sqle)
    {
        throw new SQLException("FileDisplayServlet.readBlob, " + sqle.getErrorCode());
    }
    catch (IOException io)
    {
        throw new IOException("FileDisplayServlet.readBlob");
    }
    finally
    {
        try
        {
            if (result != null)
            {
                result.close();
            }
            if (prepStmt != null)
  

RE: [OT] getBlob() error in Tomcat

2004-04-06 Thread Summers, Bert W.
Unjar the classes12.jar file and look for it.
There should be some ResultSet class in there.

The jdbc classes that come with Java do not implement the getBLOB method,
hence the abstract violation.
The Oracle driver in this case has the implemented method, of course you are
now tied to Oracle in your code.

-Original Message-
From: Kumar Abhay-CAK203C [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 06, 2004 12:15 PM
To: 'Tomcat Users List'
Subject: RE: [OT] getBlob() error in Tomcat
Importance: High


Thanks for the suggestions,

My question is how I can check that both the versions are same, I have
classes12.jar in common/lib and that is set in system classpath. 
How to find the OracleResultSet class to cast result?

Best Regards
Abhay Kumar

-Original Message-
From: Mike Curwen [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 06, 2004 1:59 PM
To: 'Tomcat Users List'
Subject: RE: [OT] getBlob() error in Tomcat


The javadoc for that error suggests:
"this error can only occur at run time if the definition of some class has
incompatibly changed since the currently executing method was last
compiled."
 
So is the version of classes12.jar that you used to compile the code, the
exact same version that is being used to run it ?
 
As for casting..

OracleResultSetClass foo = (OracleResultSetClass)result;

obviously, you'd need to replace 'OracleResultSetClass' with the actual name
of the class.


 -Original Message-
 From: Kumar Abhay-CAK203C [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, April 06, 2004 1:43 PM
 To: 'Tomcat Users List'
 Subject: RE: [OT] getBlob() error in Tomcat
 Importance: High
 
 
 I would appreciate it if you could tell me how.
 
 Best Regards
 Abhay Kumar
 
 -Original Message-
 From: Summers, Bert W. [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, April 06, 2004 1:05 PM
 To: Tomcat Users List
 Subject: RE: [OT] getBlob() error in Tomcat
 
 
 You need to cast the ResultSet to the Oracle-specific ResultSet
 
 -Original Message-
 From: Kumar Abhay-CAK203C [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, April 06, 2004 11:01 AM
 To: Tomcat Users List
 Subject: [OT] getBlob() error in Tomcat
 Importance: High
 
 
 Hi,
 
 Any idea why this error is coming in runtime?
 
 Servlet) - FileDisplayServlet.doPost()
 java.lang.AbstractMethodError: oracle.jdbc.driver.OracleResultSetImpl.getBlob(Ljava/lang/String;)Ljava/sql/Blob;
 at org.apache.commons.dbcp.DelegatingResultSet.getBlob(DelegatingResultSet.java:318)
 at com.mot.iDEN.webapp.oes.servlet.FileDisplayServlet.readBlob(FileDisplayServlet.java:169)
 
 I am trying to display an image that is stored in a BLOB field in 
 Oracle. I am using connection pooling and classes12.jar
 
 Servlet Code
 ------------
 
   private void readBlob
   (
   HttpServletRequest request,
   HttpServletResponse response,
   long aFeatureId,
   String aFileName,
   String aUserId
   )
   throws SQLException,IOException
   {
   Connection conn = null;
   ResultSet result = null;
   PreparedStatement prepStmt = null;
   java.io.InputStream in = null;
   java.sql.Blob myBlob = null;
   FileUploadFactory uploadFactory = new FileUploadFactory();
 
   try
   {
   conn = config_.getEstimationConnection(false);
   String sql = "";
   sql =
   "SELECT " +
   "FILE_IMAGE " +
   "FROM " +
   "OES_FEATURE_DETAILS " +
   "WHERE " +
   "FEATURE_ID = " + aFeatureId;
 
   log_.debug("SQL:===" + sql);
   log_.debug("result=" + result);
   prepStmt = conn.prepareStatement(sql);
   result = prepStmt.executeQuery();
   if (result != null && result.next())
   {
   //get the file ext
   String strDocExt = "";
   try
   {
   strDocExt = uploadFactory.getFileType(aFileName, aUserId);
   }
   catch(Exception e)
   {
   log_.debug("Exception is" + e

RE: Post processing on form authentication

2004-04-05 Thread Summers, Bert W.
I just completed doing something similar.

You need to write a custom authenticator.

I got hung up on having to change my web.xml security constraint from FORM
to MYFORM (or whatever you put in Authenticators.properties)

-Original Message-
From: Brett Spell [mailto:[EMAIL PROTECTED] 
Sent: Sunday, April 04, 2004 4:23 PM
To: 'mailing list'
Subject: Post processing on form authentication


Hi,
 
Please pardon my questions if they've already been asked and answered, but
I've spent the better part of the past two days looking for answers in
Google (including the Usenet archives) and the archives of this list.
 
I'm using Tomcat 5.0 with form-based authentication and there are two
features I'd like to implement: first, I'd like to be able to store some
user preference information (retrieved from a database) into the HttpSession
after a successful logon. Second, I'd like to be able to include a "remember
my logon information" option (checkbox) on the logon form and keep the
session from expiring if it's checked. Both of these would seem to require
some sort of interaction with the form-based authentication process, but I
don't know how to make that happen. During the time I've spent researching
how to accomplish these two things, I saw suggestions or proposed solutions,
but I have questions about what I saw.
 
For storing user preference information in the session, someone suggested
using a session listener. I understand how to do that, but how will I know
which user has logged on when the session is created? I'm accustomed to
finding out the user name from getRemoteUser() in the HttpServletRequest,
but there is no such request (that I'm aware of, at
least) associated with the event message that's generated by session
creation. Is this the right solution to my problem and if so, what am I
missing? Another suggestion I saw is to create a filter, which I'm pretty
sure would work, but it seems like a lot of overhead to add to my
application (to filter each request) for something that only needs to be
done once at the initial logon.
 
The "remember me" problem seems to be one that others have struggled with
and I did see where someone had developed a solution, but I also saw
comments on that solution that led me to believe that the person was
essentially exploiting a bug in Tomcat. Is there a "correct" way to
intercept the post to j_security_check and modify the session so that it won't
expire if the user has checked a box?
 
Both of these things seem pretty basic and are things I've seen done on many
web sites, so I'm surprised that I haven't found a straightforward way to do
either one with Tomcat. Again, I apologize if these are questions that have
been answered many times before, but I would appreciate any feedback on how
to accomplish them.




tomcat security constraint with jk and apache

2004-04-01 Thread Summers, Bert W.
I have Apache2 running as the front end handling all the client PKI
authentication.
Then Tomcat 4.1 using security constraints in the web.xml.
 
Now I use jk to connect them together and it works fine, sort of.
 
I can access protected files inside of Tomcat from Apache.  Specifically any
file that is not mapped with a JkMount entry is served up by Apache which
ignores my web.xml.
 
Do I have to use Apache to protect them as well as Tomcat? Or should I just
make tomcat serve all the files?
 
Does anybody have this issue? How do you deal with it?
 
Thanks
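
One way to close the gap described in this message, as an added example that is not part of the original post: either forward the whole context to Tomcat so web.xml applies to every URL, or keep Apache serving static files and deny the paths Tomcat would have protected. The context path /myapp, the worker name ajp13 and the /myapp/protected/ prefix are assumptions; the access-control syntax is the Apache 2.0/2.2 form (Apache 2.4 uses `Require all denied` instead).

```apache
# The gap: only JSPs are forwarded, so Apache serves every other file under
# the Alias straight from disk and the web.xml constraints never run.
#   Alias   /myapp /webapps/myapp
#   JkMount /myapp/*.jsp ajp13

# --- Option A: Tomcat serves everything ---------------------------------
# No Alias for the context; every URL under it goes through jk, so the
# security-constraint elements in web.xml are evaluated for static files too.
JkMount /myapp   ajp13
JkMount /myapp/* ajp13

# --- Option B: Apache serves static files, but not the protected ones ----
# Use instead of Option A, not together with it.
#   Alias   /myapp /webapps/myapp
#   JkMount /myapp/*.jsp ajp13
#   # Everything under the constrained url-pattern is forwarded to Tomcat.
#   JkMount /myapp/protected/* ajp13
#   <Directory "/webapps/myapp">
#       Options -Indexes
#       AllowOverride None
#   </Directory>

# --- Either option: never let Apache hand out deployment internals -------
# web.xml, classes and libraries live here; Tomcat refuses to serve them,
# Apache will not unless told to. (?i) covers case-insensitive filesystems.
<LocationMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    Order allow,deny
    Deny from all
</LocationMatch>
```

With Option B, every url-pattern listed in a web.xml security-constraint needs a matching JkMount (or an equivalent Apache access rule), and the two lists have to be kept in sync whenever the constraints change.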


form base auth with custom messages

2004-03-31 Thread Summers, Bert W.
I am using form base authentication with web.xml security constraints.
 
It works fine in that if you enter the correct username and password you get
in.
 
What I want to do is provide feedback to the user for certain conditions,
such as password is expired and they can not login or about to expire and
take them to the change password page.
The password expire feature is done by tracking how long it has been since
they changed it.
 
Is there an easy way to make some extra checks and then control which page
is shown after authentication or failed authentication?
 
I am starting down the path of rewriting FormAuthenticator.  The problem
with this is that all my web apps must conform to this same approach.
 
Prior to using the web.xml to enforce security my login servlet would make
these checks and then redirect to the correct page.
 
Thanks


RE: form base auth with custom messages

2004-03-31 Thread Summers, Bert W.
I would like to but there are two problems:
1. On the error page I don't know who tried to login, so I can not do any
checks with the db.

2. I will have to a custom Realm to check for my date and not auth the user.

How can you get info from the FormAuthenticator?
It seems to be a sendRedirect so all request parameters are gone.

-Original Message-
From: Koes, Derrick [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 31, 2004 8:53 AM
To: 'Tomcat Users List'
Subject: RE: form base auth with custom messages



You should be able to control this from your form-error-page.


-Original Message-
From: Summers, Bert W. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 31, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: form base auth with custom messages

I am using form base authentication with web.xml security constraints.
 
It works fine in that if you enter the correct username and password you get
in.
 
What I want to do is provide feedback to the user for certain conditions,
such as password is expired and they can not login or about to expire and
take them to the change password page. The password expire feature is done
by tracking how long it has been since they changed it.
 
Is there an easy way to make some extra checks and then control which page
is shown after authentication or failed authentication?
 
I am starting down the path of rewriting FormAuthenticator.  The problem
with this is that all my web apps must conform to this same approach.
 
Prior to using the web.xml to enforce security my login servlet would make
these checks and then redirect to the correct page.
 
Thanks
This electronic transmission is strictly confidential to Smith & Nephew and
intended solely for the addressee.  It may contain information which is
covered by legal, professional or other privilege.  If you are not the
intended addressee, or someone authorized by the intended addressee to
receive transmissions on behalf of the addressee, you must not retain,
disclose in any form, copy or take any action in reliance on this
transmission.  If you have received this transmission in error, please
notify the sender as soon as possible and destroy this message.




RE: form base auth with custom messages

2004-03-31 Thread Summers, Bert W.
Is it possible to specify which form authenticator to use per web app or is
it a one shot deal?

Where does tomcat decide that j_security_check is FormAuthenticator? Can I
change that?

-Original Message-
From: Koes, Derrick [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 31, 2004 9:48 AM
To: 'Tomcat Users List'
Subject: RE: form base auth with custom messages



Ah, I misunderstood the problem.

Your best bet is to write a custom form authentication.  It's more work, but
you'll have access to everything you need because you are in control.


-Original Message-
From: Summers, Bert W. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 31, 2004 11:57 AM
To: Tomcat Users List
Subject: RE: form base auth with custom messages

I would like to but there are two problems:
1. On the error page I don't know who tried to login, so I can not do any
checks with the db.

2. I will have to a custom Realm to check for my date and not auth the user.

How can you get info from the FormAuthenticator?
It seems to be a sendRedirect so all request parameters are gone.

-Original Message-
From: Koes, Derrick [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 31, 2004 8:53 AM
To: 'Tomcat Users List'
Subject: RE: form base auth with custom messages



You should be able to control this from your form-error-page.


-Original Message-
From: Summers, Bert W. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 31, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: form base auth with custom messages

I am using form base authentication with web.xml security constraints.
 
It works fine in that if you enter the correct username and password you get
in.
 
What I want to do is provide feedback to the user for certain conditions,
such as password is expired and they can not login or about to expire and
take them to the change password page. The password expire feature is done
by tracking how long it has been since they changed it.
 
Is there an easy way to make some extra checks and then control which page
is shown after authentication or failed authentication?
 
I am starting down the path of rewriting FormAuthenticator.  The problem
with this is that all my web apps must conform to this same approach.
 
Prior to using the web.xml to enforce security my login servlet would make
these checks and then redirect to the correct page.
 
Thanks



RE: Tomcat 5.0.18 with connector to IIS?

2004-02-06 Thread Summers, Bert W.
I have used the redirector2 on IIS6 and Tomcat 4.1.29

Had problems with the redirector failing about 5% of the time.

Found that my reg entries were missing a couple of keys defined in the
source download.
Specifically,
authComplete and threadPool

Added those, tweaked the connector in server.xml and have not had a problem
yet and that was two days ago.

Of course now that I think about it I don't know if my redirector2.dll is
from apache or not, but the one I have is working.
Mine is Sep 26, 2003 192512 bytes and apache has Nov 27, 2002 192512, so I
guess mine is not from apache.




Win2003 + IIS6 + Tomcat 4.1.29 redirector doesn't call tomcat

2004-01-28 Thread Summers, Bert W.
I have moved my Tomcat from 4.0.6 on NT4 with IIS4 to Win2003 IIS6 and
Tomcat 4.1.29.
 
I have configured everything correctly, I believe.
 
The problem is that sometimes the redirector does not seem to pass the
request to Tomcat.
 
I have tried isapi_redirect.dll (which worked great on NT4 and 4.0.6) and it
works in the current setup.
I have tried isapi_redirector2.dll and it seems to work also.
Even tried isapi_redirector_1.2.5.dll which also works.
 
However all of the above will sometimes not respond.  The end user gets a
"page can not be displayed" error. Then they hit back and click the link or
button again and it works.
 
The IIS log file shows
 
xxx.xxx.xxx.xxx - - [28/Jan/2004:09:39:47 -0800] "GET /jakarta/isapi_redirect.dll HTTP/1.1" 200 0
 
and the tomcat localhost_access file has nothing.  Then the user hits back
and the same action again and I get
 
xxx.xxx.xxx.xxx - - [28/Jan/2004:09:39:47 -0800] "GET /jakarta/isapi_redirect.dll HTTP/1.1" 200 11443
 
and this time the tomcat log file shows
 
xxx.xxx.xxx.xxx - - [28/Jan/2004:09:39:47 -0800] "GET /NTSP/TOC.jsp HTTP/1.1" 200 11274
 
Also to note is that sometimes I get the 200 with a return size of 0 on more
than just the redirector.
Out of 788 "200 0" entries, 381 are to jakarta but most of them are to "/"
entries, not actual files.
 
Has anyone else experienced this problem?
 
Thanks.