Re: unauthenticated 304s - final try

2005-03-28 Thread alexander dosher
Mark Leone sez:
It's still worth investigating IMO. One could argue that returning to
 an unauthorized client even the info that a resource has not changed
 since an authenticated request was returned successfully violates 
the authentication protection.
that's pretty much what *i* thought, anyway...
This may have more to do with the server's authentication 
requirements than the HTTP spec. Does anyone know if the Servlet spec
 addresses this?
from the 2.4 Servlet spec:
If the user is authenticated using form login and has created an HTTP
 session, the timeout or invalidation of that session leads to the 
user being logged out in the sense that subsequent requests must
cause the user to be re-authenticated.
seems fairly straightforward to me.
i agree that the HTTP spec is less than optimally clear, and that this 
isn't a huge issue - it's just that it exercises a MSIE6 misfeature 
that html pages are cached, but included .js & .css files are not, 
resulting in the display of ugly & broken pages when this happens.

--alex.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


unauthenticated 304s - final try

2005-03-24 Thread alexander dosher
before i post this as a bug & possibly make a complete idiot of myself,
please have a look...
Tomcat 5.5.7 on Win2k, MSIE6
1. load an authenticated page (JDBCRealm or DataSourceRealm w/SHA, FORM
login-config, SingleSignOn valve)
2. wait until authentication timeout OR close browser window & reopen
3. perform a conditional GET (i.e. reload WITHOUT ctl-shift)
Result: Tomcat returns 304 Not Modified. relevant bit of access_log:
#.#.#.# - - [datetime] GET /home HTTP/1.0 304 -
  ^ no user!
which is IMHO in violation of the HTTP spec
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
relevant bit:
If the client has performed a conditional GET request and 
*access is allowed*, but the document has not been modified,
the server SHOULD respond with this status code.
comments?
--alex.
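
Added example (not part of the original post): a small log check for the symptom shown above, a 304 on a protected path with no remote user in the access log. It assumes the common log format with a quoted request line; the protected prefixes and the sample lines are constructed for illustration.

```python
import re

# Common access log pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumption: path prefixes covered by a <security-constraint> in web.xml.
PROTECTED_PREFIXES = ("/home", "/shared/")

def is_protected(path, prefixes=PROTECTED_PREFIXES):
    """True if path equals a protected prefix or lies beneath it."""
    path = path.split("?", 1)[0]  # ignore the query string
    for p in prefixes:
        base = p.rstrip("/")
        if path == base or path.startswith(base + "/"):
            return True
    return False

def find_unauthenticated_304s(lines, prefixes=PROTECTED_PREFIXES):
    """Return (line_no, host, path) for 304s on protected paths with no remote user."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the common format
        if (m["status"] == "304" and m["user"] == "-"
                and is_protected(m["path"], prefixes)):
            hits.append((n, m["host"], m["path"]))
    return hits

# Constructed sample log lines (documentation addresses, not from the original post).
SAMPLE_LOG = """\
192.0.2.10 - alice [24/Mar/2005:10:00:01 -0800] "GET /home HTTP/1.0" 200 5120
192.0.2.10 - alice [24/Mar/2005:10:05:12 -0800] "GET /home HTTP/1.0" 304 -
192.0.2.10 - - [24/Mar/2005:18:30:44 -0800] "GET /home HTTP/1.0" 304 -
192.0.2.10 - - [24/Mar/2005:18:30:45 -0800] "GET /shared/site.css HTTP/1.0" 403 964
192.0.2.22 - - [24/Mar/2005:18:31:02 -0800] "GET /public/logo.gif HTTP/1.0" 304 -
192.0.2.22 - - [24/Mar/2005:18:31:09 -0800] "GET /homepage HTTP/1.0" 304 -
""".splitlines()

if __name__ == "__main__":
    for n, host, path in find_unauthenticated_304s(SAMPLE_LOG):
        print(f"line {n}: {host} got 304 for protected {path} with no user")
```
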


RE: Exception on JDBCRealm Authorization

2005-03-13 Thread alexander dosher
Jerry,
for definitive answers you'll probably want one of the developers - but
here's my take, with big doses of IMHO & YMMV...
Has Tomcat acknowledged this and agreed that it will be fixed in 
5.5.8?
M. Maucherat suggests, in the thread i referenced earlier, that he has
fixed it in 5.5.8
Any ETA for 5.5.8?  Unless I'm missing something, this seems like it 
was be a pretty high severity bug.  Or are you and I the only two 
people using JDBC Realms with 5.5.7?
bit of a culture issue here, that took me a while to get used to as
well.  when *i* grew up, software with known broken functionality
wouldn't rate a final version number, but the Tomcat team (and, in my 
experience, Open Source software in general) is a bit
more relaxed about it:
http://jakarta.apache.org/tomcat/faq/version.html#when

Is there no mechanism for putting out patch jar files? ... is it
possible to extract a JDBCRealm jar file from 5.5.4 without having to
completely uninstall and reinstall all of Tomcat?
will need to defer to the list on this one... FYI, and this is something 
i just learned recently as well, using the $CATALINA_BASE trick to 
separate out your site-specific stuff from the core server code makes it 
*way* easier to uninstall and reinstall all of Tomcat.

--alex.



Re: Why doesn't JSP precompilation solve this problem?

2005-03-12 Thread alexander dosher
When I deploy the application, and I newly visit each page, all of
the text is displayed but the other visual elements (such as
font-sizes, table layouts, colours, and other formatting set by
CSS) appear broken.
are you using container-managed security?  are your .css files in a 
different application context than the page?  is your browser MSIE6?

if so, this *might* be similar to a problem i'm having, which stems from 
the fact that tomcat will serve unauthenticated http 304s (Not 
Modified). so IE will render the page content it has cached, but if the 
.css files come from a different context (or maybe even the same one, i 
haven't tried it like that) IE won't reload them - and apparently it 
doesn't cache them like it does the page. and you get non-styled ugliness.

haven't got a solution, short of filing the 403s thing as a bug, but 
this might help explain what you're seeing...

--alex.



Re: Exception on JDBCRealm Authorization

2005-03-11 Thread alexander dosher
J Malcolm [EMAIL PROTECTED] sez:
Just moved to 5.5.7.  After the server runs for several hours, I
start getting the following exception on JDBCRealm access.
hello.  i've just worked through the same problem in the past week, and 
with the help of the list (thanks Remy Maucherat & Hassan Schroeder!) 
solved it - so to save them some repetition...

what is happening is mysql is dropping the unused connection, and 
JDBCRealm (since 5.5.4) isn't picking it up again.  solutions are to go 
back to 5.5.4 JDBCRealm, or use DataSourceRealm in 5.5.7, or wait for 
5.5.8.  see the thread
http://marc.theaimsgroup.com/?t=11103082883r=1w=2
for more details.

share and enjoy,
alex.



RE: JDBCRealm changes from Tomcat 5.0.x to 5.5.x

2005-03-09 Thread alexander dosher
Phillip Qin [EMAIL PROTECTED]:
Could any one who has tested it post his result? I am really
frustrated by the sometime buggy 5.5 releases and I had to revert
to 5.0.28.
here's a summation of my experiences & interpretations of answers from 
the list, so far:

JDBCRealm (5.5.4): worked i think, but no longer available on tomcat 
website that i can find
JDBCRealm (5.5.7, 5.5.8a): doesn't reopen dropped connections

DataSourceRealm (5.5.4): doesn't support digest authentication
DataSourceRealm (5.5.7): doesn't work or is unconfigurable by me - i've 
got a
Server
  GlobalNamingResources
Resource type=javax.sql.DataSource name=UserDatabase

and an
Engine
  Realm className=org.apache.catalina.realm.DataSourceRealm 
name=UserDatabase

and i get
java.lang.NullPointerException
  at javax.naming.NameImpl.init
  at javax.naming.CompositeName.init
  at org.apache.naming.NamingContext.lookup
(etc.)
so please accept my application to the Frustration Club.  :(
--alex.



Re: JDBCRealm changes from Tomcat 5.0.x to 5.5.x

2005-03-09 Thread alexander dosher
Hassan Schroeder makes my day:
How about something like:
 (the correct answer)
YES, thank you.  i had a resourceName instead of a dataSourceName in my 
DataSourceRealm, left over from trying to use a UserDatabaseRealm, which 
i didn't really understand and isn't even in the docs anymore anyway. 
duh.  *and* this method *is* reopening connections, which JDBCRealm 
didn't. yay!

   dream.  code.
no, thank you. had an awk dream once. i don't recommend it.  ;-)
--alex.


re: JDBCRealm changes from Tomcat 5.0.x to 5.5.x

2005-03-08 Thread alexander dosher
i'm getting the same problem, w/MySQL 4.1.8 & 3.1.6 connector (except my 
error is Software caused connection abort rather than broken pipe - 
but same underlying cause, MySQL timing out the connection). 
autoReconnect doesn't work for me either.  sounds like perhaps i should 
bail on 5.5.* & go to 5.0 for a while?

We upgraded from Tomcat 5.0.19 to Tomcat 5.5.7 in production and are
now getting JDBC connection errors when the site has not been
accessed for a while.  This is happening when a user tries to login -
we use a JDBCRealm to authenticate the user.
We had this problem a while back but fixed it by adding the 
autoReconnect parm, but now with Tomcat 5.5. we are having the
problem again. We are using MySQL 4.1.7 and version 3.1.7 of the
MySQL JDBC connector.




RE: JDBCRealm changes from Tomcat 5.0.x to 5.5.x

2005-03-08 Thread alexander dosher
I'd be extremely glad if you could test this possibly fixed realm.
Replace the existing class in server/lib/catalina-optional.jar.
...
you have to either build it from CVS (which is easy) or get it from a
nightly build.
M. Maucherat,
thank you for the suggestion, but i'm not sufficiently (i.e. at all) 
CVS-savvy to get the nightly build - and there's either no web access or 
cvs.apache.org/builds/jakarta-timcat-5/nightly/ is in fact empty.  i 
tried upgrading the whole server to 5.5.8-alpha in case your changes 
were already there, but i still get the same error.  if you'd care to 
send me the updated catalina-optional.jar directly i'd be happy to try 
to test it again, and will also look into the DataSource realm as you 
suggest.

thanks,
alex.



Re: application can not reconnect when database restarts

2005-03-07 Thread alexander dosher
Problem: when database restarts connection is not established.
i have a very similar problem, with tomcat 5.5.7 & mysql-connector 3.1.6 
 - when mysql drops the connection after 8 hours (it's a *very* 
low-traffic site) JDBCRealm can't or won't reconnect (the underlying 
exception is java.net.socketException: software caused connection abort: 
recv failed).

any workarounds (besides the obvious one of increasing the mysql 
timeout)?  would turning on connection pooling help?

TIA,
alex.


Tomcat serves unauthenticated 304s. yuck.

2005-02-24 Thread alexander dosher
Hi all,
I have what is mainly an IE6 problem, but Tomcat is contributing by 
serving up 304s to requests whose authentication (FORM or BASIC) has 
expired.  This seems to me to be in violation of the HTTP/1.1 spec:

If the client has performed a conditional GET request /and access is 
allowed/, but the document has not been modified, the server SHOULD 
respond with this status code.

Specifically, the problem is arising because Tomcat is serving a 304 for 
the *page*, but 403s for the page's linked stylesheet & javascript files 
(in a separate webapp but under the same access control, & single-signon 
turned on), which causes ugliness. This is almost certainly IE's fault, 
for issuing different sorts of GETs, but Tomcat *still* (IMHO) shouldn't 
be doing *anything* with an unauthenticated request for a protected 
resource other than trying to authenticate the user.

B*g, or user error?  Comments appreciated,
alex.
--
 ___
| Alexander Dosher...Proletarian Intellectual, American Art Fascism |
| S.J. Earthquakes...Chelsea FC...Ukraine...Neue Slowenische Kunst  |
|   |
| There was port later.   - Arthur Machen, _The Bright Boy_   |
|___|
