Re: Performance problem when invoking RMI call from Tomcat Servlet
Barak,

can you extract a use case so we can try it at home? :-) I'm really interested, since I'm switching some services from CORBA to RMI right now.

thanx
leon

On Feb 6, 2008 8:36 PM, Barak Yaish [EMAIL PROTECTED] wrote:
> The first request takes much longer (~100 ms) than the other requests (~25-30 ms), but still, the duration of the method running on H2 is only 5 ms. Again, invoking the method remotely by JUnit gives 10 ms. Is there something I'm doing wrong?
>
> In addition, when accessing the servlet with more than one concurrent request, the invocation times get worse, while the duration of the method itself stays ~5 ms...
>
> -----Original Message-----
> From: Leon Rosenberg [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 06, 2008 9:25 PM
> To: Tomcat Users List
> Subject: Re: Performance problem when invoking RMI call from Tomcat Servlet
>
> is it only the first request that lasts longer, or each request?
>
> regards
> leon
>
> On Feb 6, 2008 7:01 PM, Barak Yaish [EMAIL PROTECTED] wrote:
> Hello all,
>
> I'm running a Servlet under Tomcat 5.5.23 (CentOS 5), residing on host H1. This servlet invokes an RMI method ( f() ) on an object found on a remote host (H2). The duration of f() when running on H1 is about 5 ms. Somehow, the duration of the invocation in the servlet is about 30 ms. Invoking the remote method by JUnit from the same machine the servlet resides on (H1) gave a result of about 10 ms, which I guess includes the latency of the network itself.
>
> Can someone please help me with any direction on how I can track down the problem? Any configuration issue I missed?
>
> Thanks,
> Barak.
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: QUESTION: How do I change JSESSIONID to something else?
Greg,

Gregory Gerard wrote:
| A follow up question for 100: why does the spec define this at all

I think they explicitly set the session id parameter and cookie name so that different implementations would be compatible. In some cases, you may need to hand-code a URL and preserve the jsessionid parameter. If you switched servlet containers, you'd have to go back and find all those references and change them.

I don't find that too compelling of a reason, though.

| and why does Tomcat not let me work around it when it happily lets me
| violate other parts of the spec?

Can you provide a few examples of how Tomcat allows you to violate other parts of the specification?

-chris
Application Realm in Tomcat
Hi,

I am writing some Java code. This code has to access the realm that an application in Tomcat is using, and then look for the roles that exist in that database.

If someone can help me I would be very grateful.

Thanks a lot
Tomcat SSL for multiple domains
Hi

I am running JBoss w/tomcat on a Linux machine. The machine has one IP address, but there are two top-level domains (not subdomains) mapping to the IP address:

www.domain1.com
www.domain2.com

I need to set up SSL. As far as I know, an SSL certificate is set up for one domain only. Using the different domains will get a security warning from the web browser (domain name does not match). Can an SSL certificate be IP address based? Or does Tomcat support SSL for multiple domains (to prevent warnings from the browser)?

Thanks,
Dave
RE: Tomcat Security Problem
From: alee amin [mailto:[EMAIL PROTECTED]
Subject: Tomcat Security Problem

> Application 2 has form based security and for some enhanced security i have added the realm for the database in conf/server.xml file.

Where in server.xml? A Realm element may be nested inside of an Engine, Host, or Context, depending on the desired scope of the realm. Sounds like you need to put it inside the Context of your application 2, not inside the Host or Engine where you now have it.

Doc reference: http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html

- Chuck
Re: Putting java packages as web applications on tomcat
Tomcat only deploys (dot).war files. Or if you want to manually deploy you can create the application directory yourself under the Tomcat webapps directory and unzip the (dot).war or populate the directory structure with the right classes, jars, html and jsp yourself:

TOMCAT_HOME\webapps\yourwebapp\WEB-INF\classes\lib

There's more: you need to take a look at the tomcat.jarakta.apache.org doco.

where TOMCAT_HOME may or may not be an environment variable depending on platform that is the root of the Tomcat installation.

HTH.

polock wrote ..
> Dear all,
>
> I have a few Java packages that I would like to put on Tomcat. I was searching intensively on the web for how one does this, but I could not find concrete construction. Code within the packages contains servlets that process GET requests, so I do not need to change anything in the code; all I need to do is to put it in the right place in Tomcat.
>
> Could you refer me to some web source where this is explained, or can you give me some tips as to how I should proceed?
>
> Thanks
Re: Putting java packages as web applications on tomcat
No, Tomcat doesn't only deploy .war files. It can also deploy an expanded web application as long as the layout conforms to the spec.

Regarding the OP's original question, the servlet spec is the best place for the info.

http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

--David

David Brown wrote:
> Tomcat only deploys (dot).war files. Or if you want to manually deploy you can create the application directory yourself under the Tomcat webapps directory and unzip the (dot).war or populate the directory structure with the right classes, jars, html and jsp yourself:
>
> TOMCAT_HOME\webapps\yourwebapp\WEB-INF\classes\lib
>
> There's more: you need to take a look at the tomcat.jarakta.apache.org doco.
>
> where TOMCAT_HOME may or may not be an environment variable depending on platform that is the root of the Tomcat installation.
>
> HTH.
>
> polock wrote ..
> Dear all,
>
> I have a few Java packages that I would like to put on Tomcat. I was searching intensively on the web for how one does this, but I could not find concrete construction. Code within the packages contains servlets that process GET requests, so I do not need to change anything in the code; all I need to do is to put it in the right place in Tomcat.
>
> Could you refer me to some web source where this is explained, or can you give me some tips as to how I should proceed?
>
> Thanks
Re: Application Realm in Tomcat
Via the spec - you can't query all the roles a user has. But you can say

request.isUserInRole(rolename)

If you *need* access to the realm, things start to get ugly. You need to start coding against Tomcat internal specific classes.

-Tim

maux wrote:
> Hi,
>
> I am writing some Java code. This code has to access the realm that an application in Tomcat is using, and then look for the roles that exist in that database.
tomcat 5.5.9 aliases
Is it possible to give an alias to an application like you can with a servlet?

I have a war named myWar-1.2.3.4.war located in my webapps directory. In my web.xml within the war directory WEB-INF/web.xml I have the servlet appropriately mapped to '/'.

All that said (and hopefully understood) above, I can access the servlet @ http://localhost/myWar-1.2.3.4/

Now my question is, is there a way to give that war an alias so I can access it @ http://localhost/alias/

I would like to maintain the name and version number on the actual war file, but just exclude it from the url.

Thank You,
tadamski
Re: QUESTION: How do I change JSESSIONID to something else?
There usually isn't much happiness in the spec violations. Most of the time, the violations are due to:
- optimizations
- contradictions
- better use case where not following the spec is a good idea (but in those cases, the ability to follow the spec is still there)

-Tim

Gregory Gerard wrote:
> that fits with what I saw as well.
>
> A follow up question for 100: why does the spec define this at all and why does Tomcat not let me work around it when it happily lets me violate other parts of the spec?
RE: Facing problem in integration of PHP and tomcat
I looked on Google and it looks like these shared libraries mysql.so, mcrypt.so, and mbstring.so are PHP extensions for communicating with MySQL, doing encryption and decryption, etc. You probably need to download these extensions and follow some kind of installation to use them.

Thank you,
Barry

-----Original Message-----
From: YogeshArora [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 05, 2008 10:57 AM
To: users@tomcat.apache.org
Subject: Re: Facing problem in integration of PHP and tomcat

> Hi,
>
> Thanks for the response!
>
> I tried the below URL sent by you. I have successfully set up the JSR 223 reference implementation on my Linux, but when I tried to deploy the WAR file containing the PHP code, I am getting the errors in the following environment.
>
> Here are the environment details
>
> Operating System - Red Hat Enterprise Edition Linux Version 4
> JDK - jdk1.5.0_14
> Tomcat - version 6.0.14
> PHP - Version 5.2.5
>
> Errors Encountered
> ===
> Warning: main(./config.inc.php) [function.main]: failed to open stream: No such file or directory in /collabo/sns/public_html/index.php on line 7
>
> Fatal error: main() [function.require]: Failed opening required './config.inc.php' (include_path='.:') in /collabo/sns/public_html/index.php on line 7
>
> Please help in resolving the issue.
>
> Thanks,
> Yogesh
>
> I have tried the
>
> David Delbecq-2 wrote:
> Did you try this?
> http://www.alexander-merz.com/21.html
>
> At the precise moment of 05/02/08 06:57, puneetjain expressed himself in these terms:
> Hi,
>
> I am trying to integrate PHP with the Tomcat server, i.e. trying to run PHP in a servlet container.
>
> Environment:
> =
> Operating System: RedHat Enterprise Linux 3
> Tomcat Version: 6
> PHP version: 5.2.5
> Java: 1.5
>
> Steps Performed:
> 1. Install the tomcat.
> 2. Install the php
> 3. Create a web project.
> 4. Place the php5servlet.jar in the WEB_INF/lib directory.
> 5. Add the below entry in my web.xml.
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.3"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http:/java.sun.com/dtd/web-app_2_3.dtd">
>   <servlet>
>     <servlet-name>php</servlet-name>
>     <servlet-class>net.php.servlet</servlet-class>
>   </servlet>
>   <servlet>
>     <servlet-name>php-formatter</servlet-name>
>     <servlet-class>net.php.formatter</servlet-class>
>   </servlet>
>   <servlet-mapping>
>     <servlet-name>php</servlet-name>
>     <url-pattern>*.php</url-pattern>
>   </servlet-mapping>
>   <servlet-mapping>
>     <servlet-name>php-formatter</servlet-name>
>     <url-pattern>*.phps</url-pattern>
>   </servlet-mapping>
> </web-app>
>
> 6. Create a war file and deploy it on the tomcat.
>
> Exception:
> ===
> When I tried to deploy this war file it says that the libphp5servlet.so and libphp5.so libraries are missing.
>
> I have tried these steps on Windows XP and used php5servlet.dll. PHP is working on Tomcat in Windows.
>
> I am unable to find the procedure to create/get the libphp5servlet.so and libphp5.so library to run PHP in the Tomcat container in a Linux environment.
>
> Please help me to resolve this problem.
>
> Thanks,
> Puneet
>
> --
> http://www.devlog.be (a belgian developer's logs)
Problem with Unix script to start remote Tomcat
I have Tomcat installed on a Unix box and I need to start it remotely from another Unix box. Tomcat is started using a script. When this script is run locally everything is fine. When I run the same script from remote box, tomcat starts but the command running the script does not terminate. I need it to terminate and return the result. Please help.
Re: Application Realm in Tomcat
If your purpose is to find the roles in the database, wouldn't it be better just to query the database?

What kind of realm are you using? If it's something like the 'memory' realm then you can just read the file. If it's an RDBM then a few lines of JDBC code or the use of a persistence manager would work.

Regards
Alan

Tim Funk wrote:
> Via the spec - you can't query all the roles a user has. But you can say
>
> request.isUserInRole(rolename)
>
> If you *need* access to the realm, things start to get ugly. You need to start coding against Tomcat internal specific classes.
>
> -Tim
>
> maux wrote:
> Hi,
>
> I am writing some Java code. This code has to access the realm that an application in Tomcat is using, and then look for the roles that exist in that database.
RE: Putting java packages as web applications on tomcat
Yes, but I did not want to say that...

Caldarale, Charles R wrote ..
> From: David Brown [mailto:[EMAIL PROTECTED]
> Subject: Re: Putting java packages as web applications on tomcat
>
> There's more: you need to take a look at the tomcat.jarakta.apache.org doco.
>
> Should also look at the servlet spec, which defines the structure and content of a webapp:
> http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html
>
> Since the OP referred to packages rather than webapps, I suspect he or she is unfamiliar with the underlying concepts.
>
> - Chuck
RE: Putting java packages as web applications on tomcat
From: David Brown [mailto:[EMAIL PROTECTED]
Subject: Re: Putting java packages as web applications on tomcat

> There's more: you need to take a look at the tomcat.jarakta.apache.org doco.

Should also look at the servlet spec, which defines the structure and content of a webapp:
http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html

Since the OP referred to packages rather than webapps, I suspect he or she is unfamiliar with the underlying concepts.

- Chuck
Putting java packages as web applications on tomcat
Dear all,

I have a few Java packages that I would like to put on Tomcat. I was searching intensively on the web for how one does this, but I could not find concrete construction. Code within the packages contains servlets that process GET requests, so I do not need to change anything in the code; all I need to do is to put it in the right place in Tomcat.

Could you refer me to some web source where this is explained, or can you give me some tips as to how I should proceed?

Thanks
Re: how to auto redirect to https from http
Chris,

The URL is not changed when I point to http://www.mydomain.com/login.html in the browser. The .html is mapped to a servlet. I expected it to change to https://

So it is not secure to start as http and then switch to https to use the same http session, because the session id is visible to a man-in-the-middle. Am I right? If not secure, why is it allowed to work this way?

Even starting with https, if url-rewriting is used for session tracking (session id in url), it is not secure anymore, right?

Thanks,
Dave

Christopher Schultz [EMAIL PROTECTED] wrote:
> Dave,
>
> Dave wrote:
> | I moved the user-data-constraint inside the web-resource-collection as the following:
> |
> | <security-constraint>
> |   <web-resource-collection>
> |     <web-resource-name>Automatic SLL Forwarding</web-resource-name>
> |     <url-pattern>/login.html</url-pattern>
> |     <user-data-constraint>
> |       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> |     </user-data-constraint>
> |   </web-resource-collection>
> | </security-constraint>
> |
> | But http://www.mydomain.com/login.html did not redirect to secure URL.
>
> :(
>
> It's possible that Tomcat ignores that setting during its own authentication process (which would suck if it were the case). What does the URL say when you are being asked to login?
>
> | As you mentioned, If I start as http, then redirect to https when
> | login, and keep https after login. Does that mean https is using the
> | http session?
>
> Well, it's not a http session per-se... it's the session that was created while you were in http mode. The answer is yes: Tomcat will continue to use that session. If, however, you kill any sessions (yourself) as you switch to https, then any fallback to http will lose the session (because the browser will refuse to send a secure cookie through a non-secure channel).
>
> | Is there any security hole? If a man-in-the-middle knows the session
> | id from http and the same session id is used by https?
>
> This does not require man-in-the-middle. It's just plain-old session hijacking. This can happen whether you are using SSL or not -- if someone can guess your session id, you're pwned.
>
> -chris
Re: how to auto redirect to https from http
Hello Dave,

this is not exactly the answer you are looking for, but I have been concerned with public web security for a long time and I have finally resigned myself to the fact that if you are using login pages that process user ids and passwords and other confidential info, then man-in-the-middle and any type of network traffic sniffing is extremely dangerous. I run several Java apps publicly and all are 100% https/SSL all the time. It is a performance hit but I just up the hardware to match: multi-core Linux boxes with smp and 4+ gigs mem and other virtualization tricks as afforded by XEN and even Tomcat itself (6.0). Also please note: JBoss is very good at multi-instance web application servers on multiple ports with only a single machine install. If you have very serious Java web application concerns and full-time https encryption is warranted then you might give the folks at www.azulsystems.com a call.

HTH,
David.

Dave wrote ..
> Hi Chris,
>
> I moved the user-data-constraint inside the web-resource-collection as the following:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Automatic SLL Forwarding</web-resource-name>
>     <url-pattern>/login.html</url-pattern>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </web-resource-collection>
> </security-constraint>
>
> But http://www.mydomain.com/login.html did not redirect to secure URL.
>
> As you mentioned, If I start as http, then redirect to https when login, and keep https after login. Does that mean https is using the http session? Is there any security hole? If a man-in-the-middle knows the session id from http and the same session id is used by https?
>
> Thanks for help.
> Dave
>
> Christopher Schultz [EMAIL PROTECTED] wrote:
> Dave,
>
> Dave wrote:
> | I tried the method, it worked.
> | But when I tried to protect login page only,
> |
> | protected pages
> | /login.jsp
> |
> | restarted tomcat, and went to http://www.mydomain.com
> |
> | it was redirected to secure URL. It should stay insecure until going to login page.
> |
> | anything I was missing?
>
> Is that your entire configuration? If you've told Tomcat that /* should be CONFIDENTIAL, then all traffic will be redirected to HTTPS. Move the CONFIDENTIAL part into the that represents your login page, and leave the rest of the app non-CONFIDENTIAL.
>
> Remember that Tomcat will not automatically go from HTTPS to HTTP, so you'll have to make that happen yourself. Also remember that if your session id cookie was created in HTTPS mode, your browser will not send it back to the server when you're in HTTP mode.
>
> -chris
Re: how to auto redirect to https from http
Dave,

Dave wrote:
| I moved the user-data-constraint inside the web-resource-collection as the following:
|
| <security-constraint>
|   <web-resource-collection>
|     <web-resource-name>Automatic SLL Forwarding</web-resource-name>
|     <url-pattern>/login.html</url-pattern>
|     <user-data-constraint>
|       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
|     </user-data-constraint>
|   </web-resource-collection>
| </security-constraint>
|
| But http://www.mydomain.com/login.html did not redirect to secure URL.

:(

It's possible that Tomcat ignores that setting during its own authentication process (which would suck if it were the case). What does the URL say when you are being asked to login?

| As you mentioned, If I start as http, then redirect to https when
| login, and keep https after login. Does that mean https is using the
| http session?

Well, it's not a http session per-se... it's the session that was created while you were in http mode. The answer is yes: Tomcat will continue to use that session. If, however, you kill any sessions (yourself) as you switch to https, then any fallback to http will lose the session (because the browser will refuse to send a secure cookie through a non-secure channel).

| Is there any security hole? If a man-in-the-middle knows the session
| id from http and the same session id is used by https?

This does not require man-in-the-middle. It's just plain-old session hijacking. This can happen whether you are using SSL or not -- if someone can guess your session id, you're pwned.

-chris
Re: how to auto redirect to https from http
Hi Chris,

I moved the user-data-constraint inside the web-resource-collection as the following:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Automatic SLL Forwarding</web-resource-name>
    <url-pattern>/login.html</url-pattern>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </web-resource-collection>
</security-constraint>

But http://www.mydomain.com/login.html did not redirect to secure URL.

As you mentioned, If I start as http, then redirect to https when login, and keep https after login. Does that mean https is using the http session? Is there any security hole? If a man-in-the-middle knows the session id from http and the same session id is used by https?

Thanks for help.
Dave

Christopher Schultz [EMAIL PROTECTED] wrote:
> Dave,
>
> Dave wrote:
> | I tried the method, it worked.
> | But when I tried to protect login page only,
> |
> | protected pages
> | /login.jsp
> |
> | restarted tomcat, and went to http://www.mydomain.com
> |
> | it was redirected to secure URL. It should stay insecure until going to login page.
> |
> | anything I was missing?
>
> Is that your entire configuration? If you've told Tomcat that /* should be CONFIDENTIAL, then all traffic will be redirected to HTTPS. Move the CONFIDENTIAL part into the that represents your login page, and leave the rest of the app non-CONFIDENTIAL.
>
> Remember that Tomcat will not automatically go from HTTPS to HTTP, so you'll have to make that happen yourself. Also remember that if your session id cookie was created in HTTPS mode, your browser will not send it back to the server when you're in HTTP mode.
>
> -chris
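Added example, not part of the thread and not Tomcat code: a small Python checker for the descriptor layout discussed in the messages above. The servlet deployment descriptor defines user-data-constraint as a child of security-constraint, following web-resource-collection, so the checker reads the transport guarantee only from that position and flags a nested copy; both sample descriptors, the function names and the path list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: user-data-constraint nested inside
# web-resource-collection, as in the descriptor quoted in the thread.
NESTED = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login page</web-resource-name>
      <url-pattern>/login.html</url-pattern>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

# Constructed sample: the same constraint with user-data-constraint as a
# sibling of web-resource-collection, where the descriptor defines it.
CORRECTED = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login page</web-resource-name>
      <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace so namespaced descriptors are handled too."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def audit(web_xml):
    """Return one finding per security-constraint in the descriptor."""
    findings = []
    for sc in _children(ET.fromstring(web_xml), "security-constraint"):
        patterns = [(p.text or "").strip()
                    for wrc in _children(sc, "web-resource-collection")
                    for p in _children(wrc, "url-pattern")]
        # Only a direct child of security-constraint is counted.
        guarantees = [(tg.text or "").strip().upper()
                      for udc in _children(sc, "user-data-constraint")
                      for tg in _children(udc, "transport-guarantee")]
        # A user-data-constraint anywhere deeper is reported as misplaced.
        misplaced = any(_local(d.tag) == "user-data-constraint"
                        for c in sc if _local(c.tag) != "user-data-constraint"
                        for d in c.iter())
        findings.append({"patterns": patterns,
                         "guarantee": guarantees[0] if guarantees else "NONE",
                         "misplaced": misplaced})
    return findings


def pattern_matches(pattern, path):
    """Servlet-style matching: exact, path prefix (/x/*), extension (*.x)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path


def paths_without_confidential(web_xml, paths):
    """List the given paths that no CONFIDENTIAL constraint covers."""
    covered = [p for f in audit(web_xml) if f["guarantee"] == "CONFIDENTIAL"
               for p in f["patterns"]]
    return [path for path in paths
            if not any(pattern_matches(p, path) for p in covered)]


if __name__ == "__main__":
    for name, doc in (("nested", NESTED), ("corrected", CORRECTED)):
        print(name, audit(doc),
              paths_without_confidential(doc, ["/login.html", "/index.html"]))
```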
Re: in Tomcat container-based authN is there a way to redirect logins to a URL?
Gary,

Gary Weaver wrote:
| I get the following error, because those two page elements are relative
| to the webapp and not to the host part of the URL:
|
| HTTP Status 404 - /caladmin/Shibboleth.sso/Login

:(

Yeah, the spec says:

The form-login-page element defines the location in the web app where the page that can be used for login can be found. The path begins with a leading / and is interpreted relative to the root of the WAR.

Okay, there's one more trick you can try. Keep the form-login-config the way you have it in web.xml and add a filter (which may not work, either).

Write a filter that always redirects to /Shibboleth.sso/Login (without adding the webapp's context path) no matter what, and install it so that it intercepts requests to /Shibboleth.sso/Login (which will include the context path).

If it works, it will take a request to /caladmin/Shibboleth.sso/Login (which is what Tomcat's authenticator generates) and perform a redirect to the URL that you really want. A little hack-y, but it might work.

Another non-filter option would be to create a JSP for the login that performs the redirect. That might be a bit cleaner because the logic will be easier to follow (rather than having to simply know that there's a filter out there doing evil things).

Hope that helps,
-chris
RE: Tomcat SSL for multiple domains
From: Dave [mailto:[EMAIL PROTECTED]

the machine has one IP address. But there are two top-level domains (not subdomains) mapping to the ip address.

www.domain1.com
www.domain2.com

I need to setup SSL. As far as I know, SSL certificate is set up for one domain only. Using the different domains will get a security warning from web browser. (domain name does not match)

Can SSL certificate be ip address based? Or Tomcat support SSL multiple domains(prevent warnings from browser)?

Tomcat can support multiple SSL domains.

*But* there is a fundamental point about SSL: the secure connection is negotiated before the HTTP host header is sent. That means that _no web server, of any kind, can successfully host SSL for multiple domains on the same port on the same IP address_.

You have two possible workarounds:

- Get a second IP address assigned to the machine. This is often easier than it sounds. Map one domain to each IP address, and bind each of your two SSL connectors to one IP. At this point, everything Just Works for the user.
- Run SSL for one domain on port 443, and for the other domain on a different port - say 8443. This gives a slightly messy user experience, as you have https://www.domain1.com but https://www.domain2.com:8443.

This is a limitation of SSL; it is not Tomcat-specific.

- Peter
Re: Tomcat SSL for multiple domains
On Feb 7, 2008 7:25 AM, Dave [EMAIL PROTECTED] wrote:

Hi
I am running JBoss w/tomcat on a Linux machine. the machine has one IP address. But there are two top-level domains (not subdomains) mapping to the ip address. I need to setup SSL. As far as I know, SSL certificate is set up for one domain only.

Yep, you need two IPs, and a cert for each domain. That's just the way it works. :-)

--
Hassan Schroeder [EMAIL PROTECTED]
Re: Tomcat Security Problem
Yeah i guess so. I want realm thing only for application 2. How can i make it available for it and at the same time i want application 1 BASIC AUTHENTICATION based on tomcat-users.xml file.

I am going through the page u sent but still not able to get some working solution. Need it urgent.

On Feb 7, 2008 8:08 PM, Caldarale, Charles R [EMAIL PROTECTED] wrote:

From: alee amin [mailto:[EMAIL PROTECTED]
Subject: Tomcat Security Problem

Application 2 has form based security and for some enhanced security i have added the realm for the database in conf/server.xml file.

Where in server.xml? A Realm element may be nested inside of an Engine, Host, or Context, depending on the desired scope of the realm. Sounds like you need to put it inside the Context of your application 2, not inside the Host or Engine where you now have it.

Doc reference: http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html

- Chuck

--
Muhammad Ali
http://techboard.wordpress.com
Software Engineer - E2ESP
muhammadaliamin(at)gmail(dot)com
Re: in Tomcat container-based authN is there a way to redirect logins to a URL?
Chris,

In the version of Tomcat I'm using 5.5.25, when I do what you are suggesting, and set the config to:

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>demo</realm-name>
  <form-login-config>
    <form-login-page>/Shibboleth.sso/Login</form-login-page>
    <form-error-page>/Shibboleth.sso/Login</form-error-page>
  </form-login-config>
</login-config>

I get the following error, because those two page elements are relative to the webapp and not to the host part of the URL:

HTTP Status 404 - /caladmin/Shibboleth.sso/Login
*type* Status report
*message* _/caladmin/Shibboleth.sso/Login_
*description* _The requested resource (/caladmin/Shibboleth.sso/Login) is not available._
Apache Tomcat/5.5.25

I need it to redirect to /Shibboleth.sso/Login instead of /(webapp)/Shibboleth.sso/Login. Any idea how I could do that in Tomcat 5.5.x?

Thanks!
Gary

Christopher Schultz wrote:

Gary,

Gary Weaver wrote:
| I'm having trouble finding a way (maybe it is because it isn't
| possible?) of making Tomcat send users to the relative URL
| /Shibboleth.sso/Login (not served by Tomcat) in order to login if
| the Tomcat session times out, etc.

Does it work to simply make your application's form-login-page point to /Shibboleth.sso/Login? If you do that, what happens?

| Does anyone know of a way to redirect Tomcat to point at some other
| URL, specifically the relative URL /Shibboleth.sso/Login (not
| served by Tomcat)?

I think some versions of Tomcat do a server-side forward when the login form is required, while other versions will do a redirect. If you can get Tomcat to do a redirect, this ought to work. If it's attempting to do a server-side forward, you may have to take other steps.

-chris

--
Gary Weaver
Internet Framework Services
Office of Information Technology
Duke University
Re: how to auto redirect to https from http
Dave,

Dave wrote:
| I tried the method, it worked.
| But when I tried to protect login page only,
|
| <web-resource-collection>
|   <web-resource-name>protected pages</web-resource-name>
|   <url-pattern>/login.jsp</url-pattern>
| </web-resource-collection>
|
| restarted tomcat, and went to http://www.mydomain.com
|
| it was redirected to secure URL. It should stay insecure until going to login page.
|
| anything I was missing?

Is that your entire web-resource-collection configuration? If you've told Tomcat that /* should be CONFIDENTIAL, then all traffic will be redirected to HTTPS.

Move the CONFIDENTIAL part into the web-resource-collection that represents your login page, and leave the rest of the app non-CONFIDENTIAL.

Remember that Tomcat will not automatically go from HTTPS to HTTP, so you'll have to make that happen yourself. Also remember that if your session id cookie was created in HTTPS mode, your browser will not send it back to the server when you're in HTTP mode.

-chris
Re: in Tomcat container-based authN is there a way to redirect logins to a URL?
Gary,

Gary Weaver wrote:
| I'm having trouble finding a way (maybe it is because it isn't
| possible?) of making Tomcat send users to the relative URL
| /Shibboleth.sso/Login (not served by Tomcat) in order to login if
| the Tomcat session times out, etc.

Does it work to simply make your application's form-login-page point to /Shibboleth.sso/Login? If you do that, what happens?

| Does anyone know of a way to redirect Tomcat to point at some other
| URL, specifically the relative URL /Shibboleth.sso/Login (not
| served by Tomcat)?

I think some versions of Tomcat do a server-side forward when the login form is required, while other versions will do a redirect. If you can get Tomcat to do a redirect, this ought to work. If it's attempting to do a server-side forward, you may have to take other steps.

-chris
Re: how to auto redirect to https from http
Hi Hazem,

Thanks, I tried the method, it worked. But when I tried to protect login page only,

<web-resource-collection>
  <web-resource-name>protected pages</web-resource-name>
  <url-pattern>/login.jsp</url-pattern>
</web-resource-collection>

restarted tomcat, and went to http://www.mydomain.com

it was redirected to secure URL. It should stay insecure until going to login page.

anything I was missing?

Thanks
Dave

Hazem DAOUD [EMAIL PROTECTED] wrote:

Hi Dave,

Try to add this to web.xml under tomcat_install_dir/conf:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

That works for me.

Regards.
--Hazem.

Dave a écrit :

Hi,

when user types http://www.mydomain.com, how to redirect to secure url https://www.mydomain.com? I know that a servlet filter can do that. Is there an easier way? In server.xml, redirectPort=8443 for port 80, it did not work as I expected.

<Connector port="80" address="${jboss.bind.address}"
    maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="2" disableUploadTimeout="true"/>

<Connector port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/keystore"
    keystorePass="123456" sslProtocol="TLS"/>

Thanks for help.
Dave
Re: how to auto redirect to https from http
Hi Dave,

Try to add this to web.xml under tomcat_install_dir/conf:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- auth-constraint goes here if you require authentication -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

That works for me.

Regards.
--Hazem.

Dave a écrit :

Hi,

when user types http://www.mydomain.com, how to redirect to secure url https://www.mydomain.com? I know that a servlet filter can do that. Is there an easier way? In server.xml, redirectPort=8443 for port 80, it did not work as I expected.

<Connector port="80" address="${jboss.bind.address}"
    maxThreads="250" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="2" disableUploadTimeout="true"/>

<Connector port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    emptySessionPath="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/keystore"
    keystorePass="123456" sslProtocol="TLS"/>

Thanks for help.
Dave
Re: Problem with Unix script to start remote Tomcat
called 'No Hangup' abbrev is nohup
http://www.ss64.com/bash/nohup.html

cwd $TOMCAT_HOME\bin
nohup startup.sh

M--

----- Original Message -----
From: Sharmila R [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Thursday, February 07, 2008 3:35 PM
Subject: Problem with Unix script to start remote Tomcat

I have Tomcat installed on a Unix box and I need to start it remotely from another Unix box. Tomcat is started using a script. When this script is run locally everything is fine. When I run the same script from remote box, tomcat starts but the command running the script does not terminate. I need it to terminate and return the result. Please help.
Re: Application Realm in Tomcat
Hello,

i happened in the past to be coding a specific realm that had to provide extra information to webapp (like user fullname, email, roles, etc). I could only do this using the userprincipal (created own subclass then typecasted it at webapp level). You simply CAN'T query the realm, because the realm is in a different classloader (server/lib) that is not accessible from webapp classloader. Your webapp has no way to see the realm.

What you can do, however, is to use the security filter (google for it) that is a webapp level implemented J2EE security specs implementation. It runs the realms at webapp level (so it's not tomcat anymore that handles authentication) and allows you to cross the line between webapp and authentication mechanisms.

However, the easiest and cleanest solution would be to just configure your webapp so it knows what db to use :/

maux a écrit :

As Alan says, my purpose would be to query the database all the roles that it contains. But i can't do that if i don't know what database an application uses. So, my question is how can i know what database does an application use? Maybe if i could know which realm the application is using, i could access to the database. But how can i do this??

Thank you for all your help!!

mgainty wrote:

yes..Tough call without knowing what type of realm you will be implementing for (specifically would the realm be Memory or JDBC)

I found this jsp code for which will take the parameters role from the request /verify/ and output encoded string

<%
  String role = request.getParameter("role");
  if (role == null)
    role = "";
  if (role.length() > 0) {
    if (request.isUserInRole(role)) {
%>
      You have been granted role <%= util.HTMLFilter.filter(role) %>
<%
    }
  }
%>

which will output something like &lt;admin&gt; assuming your are requesting admin access

HTH/
Martin--

----- Original Message -----
To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, February 07, 2008 2:40 PM
Subject: Re: Application Realm in Tomcat

Via the spec - you can't query all the roles a user has. But you can say request.isUserInRole(rolename)

If you *need* access to the realm, things start to get ugly. You need to start coding against Tomcat internal specific classes.

-Tim

maux wrote:

Hi, I am doing a Java code. This code have to access to the realm that an application in Tomcat is using, after that the code have to access to that realm and look for the roles that exist in that database.
RE: Tomcat Security Problem
From: alee amin [mailto:[EMAIL PROTECTED]
Subject: Re: Tomcat Security Problem

How can i make it available for it and at the same time i want application 1 BASIC AUTHENTICATION based on tomcat-users.xml file.

I already answered that question:

Sounds like you need to put it inside the Context of your application 2, not inside the Host or Engine where you now have it.

Leave the original tomcat-users.xml Realm where it is, and put your more secure Realm inside the Context element of application 2.

- Chuck
Tomcat access logs
Is there a way to specify how many days access logs should be retained by tomcat so that old access logs (for e.g. more than a month old) are automatically deleted? I am using Tomcat 5.5.15. ++Vamsi
Re: Application Realm in Tomcat
As Alan says, my purpose would be to query the database all the roles that it contains. But i can't do that if i don't know what database an application uses. So, my question is how can i know what database does an application use? Maybe if i could know which realm the application is using, i could access to the database. But how can i do this??

Thank you for all your help!!

mgainty wrote:

yes..Tough call without knowing what type of realm you will be implementing for (specifically would the realm be Memory or JDBC)

I found this jsp code for which will take the parameters role from the request /verify/ and output encoded string

<%
  String role = request.getParameter("role");
  if (role == null)
    role = "";
  if (role.length() > 0) {
    if (request.isUserInRole(role)) {
%>
      You have been granted role <%= util.HTMLFilter.filter(role) %>
<%
    }
  }
%>

which will output something like &lt;admin&gt; assuming your are requesting admin access

HTH/
Martin--

----- Original Message -----
To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, February 07, 2008 2:40 PM
Subject: Re: Application Realm in Tomcat

Via the spec - you can't query all the roles a user has. But you can say request.isUserInRole(rolename)

If you *need* access to the realm, things start to get ugly. You need to start coding against Tomcat internal specific classes.

-Tim

maux wrote:

Hi, I am doing a Java code. This code have to access to the realm that an application in Tomcat is using, after that the code have to access to that realm and look for the roles that exist in that database.
RE: Tomcat access logs
Apache HTTP Server (httpd.conf) rotate every 24 hours

CustomLog "|/usr/local/apache/bin/rotatelogs /var/log/access_log 86400" common

Postgres rotate every 24 hours

pg_ctl start | rotatelogs /var/log/pgsql_log 86400

HTH
Martin

Date: Fri, 8 Feb 2008 03:06:42 +0530
Re: Application Realm in Tomcat
I just need to know the roles that an application uses. I thought i could look for the context.xml of the application and read the file searching for Realm to see if the application has its own realm or if i have to look for a Realm of an upper level. I was looking for Realm because i thought it was the only way to know what roles an application could use, but my purpose is to know the roles (not the roles for a specific user, i want all the roles that there are in the database). So, what is the best i can do?

Could you give more information about the userPrincipal? I don't know exactly what i could do with it.

Thank you very much for all!!

David Delbecq-2 wrote:

Hello,

i happened in the past to be coding a specific realm that had to provide extra information to webapp (like user fullname, email, roles, etc). I could only do this using the userprincipal (created own subclass then typecasted it at webapp level). You simply CAN'T query the realm, because the realm is in a different classloader (server/lib) that is not accessible from webapp classloader. Your webapp has no way to see the realm.

What you can do, however, is to use the security filter (google for it) that is a webapp level implemented J2EE security specs implementation. It runs the realms at webapp level (so it's not tomcat anymore that handles authentication) and allows you to cross the line between webapp and authentication mechanisms.

However, the easiest and cleanest solution would be to just configure your webapp so it knows what db to use :/

maux a écrit :

As Alan says, my purpose would be to query the database all the roles that it contains. But i can't do that if i don't know what database an application uses. So, my question is how can i know what database does an application use? Maybe if i could know which realm the application is using, i could access to the database. But how can i do this??

Thank you for all your help!!

mgainty wrote:

yes..Tough call without knowing what type of realm you will be implementing for (specifically would the realm be Memory or JDBC)

I found this jsp code for which will take the parameters role from the request /verify/ and output encoded string

<%
  String role = request.getParameter("role");
  if (role == null)
    role = "";
  if (role.length() > 0) {
    if (request.isUserInRole(role)) {
%>
      You have been granted role <%= util.HTMLFilter.filter(role) %>
<%
    }
  }
%>

which will output something like &lt;admin&gt; assuming your are requesting admin access

HTH/
Martin--

----- Original Message -----
To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, February 07, 2008 2:40 PM
Subject: Re: Application Realm in Tomcat

Via the spec - you can't query all the roles a user has. But you can say request.isUserInRole(rolename)

If you *need* access to the realm, things start to get ugly. You need to start coding against Tomcat internal specific classes.

-Tim

maux wrote:

Hi, I am doing a Java code. This code have to access to the realm that an application in Tomcat is using, after that the code have to access to that realm and look for the roles that exist in that database.
Re: Out of Memory Errors when upgrading from 5.0.27 to 6.0.14
It is entirely possible that this environment isn't set up in an optimal way, and also that I may be messing up some of the proper names. To provide a real world example (names and paths have been changed, but all information is the same), here is the Host entry for a domain (same in both TC5 and 6 currently) that we are using, as well as the work directories for each:

server.xml entry:

<Host name='www.domain.com' debug='0' appBase='/home/user/html' unpackWARs='true' autoDeploy='false'>
  <Alias>domain.com</Alias>
  <Context path='' docBase='' debug='0' reloadable='false'/>
  <Valve className='org.apache.catalina.authenticator.SingleSignOn' debug='0'/>
  <Valve className='org.apache.catalina.valves.AccessLogValve' directory='/var/log/user' prefix='tomcat_access.' suffix='.log' pattern='common' resolveHosts='false'/>
</Host>

Work directory under Tomcat 5:

[EMAIL PROTECTED] www.domain.com]# pwd; find .
/web/tomcat/work/hosting/www.domain.com
.
./_
./_/tldCache.ser

Work directory under Tomcat 6:

[EMAIL PROTECTED] www.domain.com]# pwd ; find .
/web/tomcat/work/hosting/www.domain.com
.
./_
./stats
./files
./includes
./misc
./modules
./profiles
./scripts
./sites
./themes
./forum
./lists
./members
./staging

As for why the WEB-INF is at the same level as a war file, it is a shared hosting environment, and that is their document root. It allows the user to have an application at http://domain.com as well as upload a war file for additional applications they wish to run from say, http://domain.com/blog. It sounds as though this should be done differently? I'm more or less rebuilding the environment with the upgrade, so any recommendations are very welcome.

Thanks,
Dan

----- Original Message -----
From: Caldarale, Charles R [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, February 07, 2008 2:46 PM
Subject: RE: Out of Memory Errors when upgrading from 5.0.27 to 6.0.14

From: Dan D. [mailto:[EMAIL PROTECTED]
Subject: Re: Out of Memory Errors when upgrading from 5.0.27 to 6.0.14

Customer has the following directory structure:

/home/user/html
\_ WEB-INF/
|  \_ classes/
|  \_ lib/
\_ images/
\_ movies/
\_ mp3s/
\_ blog/
\_ new_application.war

That looks very wrong. Why is there a .war file at the same level as WEB-INF?

Now, in Tomcat 5, they would have a work directory structure of the following:

/{tomcat.home}/work/{engine.name}/ \_ ./application_name \_ _ (the directory name is simply _) | \_ tldCache.ser \_ new_application \_ tldCache.ser

That also looks wrong; all tldCache.ser files should be at the same level - immediately under the respective work/Catalina/[host]/[appname] directories. Even if you're confusing application_name with the name on a Host element, something seems very broken with your appBase and/or docBase settings. Until that's straightened out, all bets are off.

- Chuck
RE: Out of Memory Errors when upgrading from 5.0.27 to 6.0.14
From: Dan D. [mailto:[EMAIL PROTECTED]
Subject: Re: Out of Memory Errors when upgrading from 5.0.27 to 6.0.14

<Host name='www.domain.com' appBase='/home/user/html'>
  <Context path='' docBase='' debug='0' reloadable='false'/>
</Host>

Right there is the first problem: docBase and appBase must never be the same - lots of things go wrong internally when they both refer to the same directory. You need to remove the Context entry for the default webapp from server.xml and place the default webapp files under /home/user/html/ROOT. If you want to specify attributes for the default webapp, put the Context element in /home/user/html/ROOT/META-INF/context.xml, without the path or docBase attributes. This works on all levels from 5.0 on up.

When that's straightened out, delete everything under the work directory before restarting Tomcat.

- Chuck
Re: Tomcat access logs
Add this to cron: (use google to decode)

0 0 * * * find /TCLOG_DIR/localhost_access_log* ! -mtime -30|xargs rm

-Tim

Vamsavardhana Reddy wrote:

Is there a way to specify how many days access logs should be retained by tomcat so that old access logs (for e.g. more than a month old) are automatically deleted? I am using Tomcat 5.5.15.
Re: how to auto redirect to https from http
Christopher Schultz [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Dave,

Dave wrote:
| I moved the user-data-constraint inside the web-resource-collection as the following:
|
| <security-constraint>
|   <web-resource-collection>
|     <web-resource-name>Automatic SLL Forwarding</web-resource-name>
|     <url-pattern>/login.html</url-pattern>
|     <user-data-constraint>
|       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
|     </user-data-constraint>
|   </web-resource-collection>
| </security-constraint>
|
| But http://www.mydomain.com/login.html did not redirect to secure URL.

:(

It's possible that Tomcat ignores that setting during its own authentication process (which would suck if it were the case). What does the URL say when you are being asked to login?

Well, the first problem is that the user-data-constraint has to come after the /web-resource-collection according to the spec. If you nest it in the web-resource-collection, Tomcat will quietly ignore it (there are enough xml validators for you to check your web.xml syntax).

However, this won't work at all in Tomcat if you are using Container auth. The reason is that Tomcat (at least 5.5 and higher) does a forward to the login page, not a redirect. As a result, Tomcat never checks the security permissions for the /login.html URL.

| As you mentioned, If I start as http, then redirect to https when
| login, and keep https after login. Does that mean https is using the
| http session?

Well, it's not a http session per-se... it's the session that was created while you were in http mode. The answer is yes: Tomcat will continue to use that session.

If, however, you kill any sessions (yourself) as you switch to https, then any fallback to http will lose the session (because the browser will refuse to send a secure cookie through a non-secure channel).

| Is there any security hole? If a man-in-the-middle knows the session
| id from http and the same session id is used by https?

This does not require man-in-the-middle. It's just plain-old session hijacking. This can happen whether you are using SSL or not -- if someone can guess your session id, you're pwned.

-chris
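The session question in this thread, as an added example that is not part of the original messages: a servlet filter (javax.servlet API) that discards a session first issued over plain HTTP when the browser arrives over HTTPS, so the id that travelled in clear text is not the one in use after login. The package, class and attribute names are hypothetical, and it assumes the application handles its own login rather than container FORM auth.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example: renews a session that was created over HTTP the first
 * time a request for it arrives over HTTPS. Map it to the HTTPS entry
 * point of the application (for instance the login page).
 */
public class TlsSessionRenewalFilter implements Filter {

    // Hypothetical marker: set only on sessions created during a secure request.
    static final String TLS_MARK = "example.session.issuedOverTls";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        if (request.isSecure()) {
            HttpSession current = request.getSession(false);
            // A container-managed login is bound to the session it was made in,
            // so sessions that already carry a remote user are left alone.
            if (current != null
                    && current.getAttribute(TLS_MARK) == null
                    && request.getRemoteUser() == null) {
                renew(request, current);
            }
        }
        chain.doFilter(req, res);
    }

    /** Copies the attributes to a new session and drops the old id. */
    private static void renew(HttpServletRequest request, HttpSession old)
            throws ServletException {
        String oldId = old.getId();

        Map<String, Object> carried = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            carried.put(name, old.getAttribute(name));
        }

        old.invalidate();
        HttpSession fresh = request.getSession(true);

        // Fail closed if the container handed back the same id: in that case
        // the renewal changed nothing and the old id is still valid.
        if (fresh.getId().equals(oldId)) {
            fresh.invalidate();
            throw new ServletException(
                    "session id was reused after invalidate(); not continuing");
        }

        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute(TLS_MARK, Boolean.TRUE);
    }
}
```

As the thread notes, once the new session's cookie is issued over HTTPS the browser will not send it over plain HTTP, so any page still served over HTTP starts without a session.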
Re: in Tomcat container-based authN is there a way to redirect logins to a URL?
Christopher Schultz [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Gary,

Gary Weaver wrote:
| I get the following error, because those two page elements are relative
| to the webapp and not to the host part of the URL:
|
| HTTP Status 404 - /caladmin/Shibboleth.sso/Login

:(

Yeah, the spec says:

The form-login-page element defines the location in the web app where the page that can be used for login can be found. The path begins with a leading / and is interpreted relative to the root of the WAR.

But more importantly, TC 5.5.x will do a forward to the login page, so it has to be served by Tomcat.

Okay, there's one more trick you can try. Keep the form-login-config the way you have it in web.xml and add a filter (which may not work, either).

Write a filter that always redirects to /Shibboleth.sso/Login (without adding the webapp's context path) no matter what, and install it so that it intercepts requests to /Shibboleth.sso/Login (which will include the context path).

This should work, but you need to configure it so that it intercepts forwards as well as top-level requests. If it works, it will take a request to /caladmin/Shibboleth.sso/Login (which is what Tomcat's authenticator generates) and perform a redirect to the URL that you really want.

A little hack-y, but it might work.

Another non-filter option would be to create a JSP for the login that performs the redirect. That might be a bit cleaner because the logic will be easier to follow (rather than having to simply know that there's a filter out there doing evil things).

Actually, this is a little hack-y too. Shibboleth would need to redirect to j_security_check if the app ever POSTs to a restricted page in order to replay the request with the original request body.

Hope that helps,
-chris
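The filter suggested in the message above, written out as an added example that is not part of the original thread or of Tomcat itself. The package, class name, filter name and the "target" init parameter are assumptions made for illustration; the `<dispatcher>` elements need a Servlet 2.4 web.xml, which Tomcat 5.5 supports.

```java
package example; // hypothetical package, not from the thread

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/*
 * web.xml (Servlet 2.4+). FORWARD is listed so the filter also sees the
 * forward that Tomcat's form authenticator performs to the login page:
 *
 *   <filter>
 *     <filter-name>ssoLoginRedirect</filter-name>
 *     <filter-class>example.SsoLoginRedirectFilter</filter-class>
 *     <init-param>
 *       <param-name>target</param-name>
 *       <param-value>/Shibboleth.sso/Login</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ssoLoginRedirect</filter-name>
 *     <url-pattern>/Shibboleth.sso/Login</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>FORWARD</dispatcher>
 *   </filter-mapping>
 */
public class SsoLoginRedirectFilter implements Filter {
    private String target;

    public void init(FilterConfig cfg) throws ServletException {
        target = cfg.getInitParameter("target");
        // Accept only a fixed host-relative path: no scheme, no "//host", no CR/LF.
        if (target == null || !target.startsWith("/") || target.startsWith("//")
                || target.indexOf('\r') >= 0 || target.indexOf('\n') >= 0) {
            throw new ServletException("target must be a host-relative path");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        // The target comes from configuration only, never from request data,
        // so a crafted URL cannot steer the redirect to another site. A leading
        // "/" makes sendRedirect resolve against the container root, which is
        // what drops the webapp's context path (/caladmin in the thread).
        http.sendRedirect(target);
        // chain.doFilter() is deliberately not called: the redirect is the response.
    }

    public void destroy() { }
}
```

Because the browser follows the redirect with a GET, the body of an original POST is not carried along, which is the replay limitation raised at the end of the message above.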
Fwd: can't get servlets to run
--- ilene m [EMAIL PROTECTED] wrote:

Date: Thu, 7 Feb 2008 19:50:18 -0800 (PST)
From: ilene m [EMAIL PROTECTED]
Subject: can't get servlets to run
To: users@tomcat.apache.org

Hi,

I cannot get servlets to run outside of the servlet examples link off of the main page. I'm getting the ole 404 "The requested resource - servlet - is not available."

I have tried the 6.0.14 zip file and a preconfigured 6.0.10 version off of the coreservlets.com site. I've tried loading 6.0.14 twice. Everything else runs but the servlets. In the first iteration of 6.0.14 I had html, jsp, php, and php accessing mysql running happily. Thought it might have been something I did to make php happy, so I took a clean version, but it didn't help.

When I loaded 6.0.14 I tried to run servlets by using the invoker servlet. Uncommented the invoker servlet and its mapping in web.xml, added privileged=true to context.xml, and threw a HelloWorld.class file into the webapps\Root\WEB-INF\classes dir, accessing via http:\\localhost:8080\servlet\HelloWorld.

I also tried my own app dir and a context fragment file. Tried putting the context fragment file in tomcat\conf\Catalina\localhost\myApp.xml, tomcat\conf\Catalina\localhost\myApp\myApp.xml and tomcat\webapps\myApp\META-INF\context.xml. Tried changing up the docbase. Tried raising the logging level to see if anything useful would pop out. NADA.

Wondering if I'm missing an environment var.

Any help would be GREATLY appreciated. Thanks for your time.
RE: Facing problem in integration of PHP and tomcat
Hi,

Thanks for the reply! Actually, I am not able to find these dependencies on the internet. Could you please help me in finding these dependencies or provide some links from where I can download it.

Thanks,
Yogesh

Goldstein, Barry A wrote:

I looked on google and it looks like these shared libraries mysql.so, mcrypt.so, and mbstring.so are php extensions for communicating with mysql, doing encryption and decryption, etc. You probably need to download these extensions and follow some kind of installation to use them.

Thank you,
Barry

-----Original Message-----
From: YogeshArora [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 05, 2008 10:57 AM
To: users@tomcat.apache.org
Subject: Re: Facing problem in integration of PHP and tomcat

Hi,

Thanks for the response! I tried the below URL sent by you. I have successfully set up the JSR 223 reference implementation on my Linux, but when I tried to deploy the WAR file containing the PHP code, I am getting the errors in the following environment.

Here are the environment details

Operating System - Red Hat Enterprise Edition Linux Version 4
JDK - jdk1.5.0_14
Tomcat - version 6.0.14
PHP - Version 5.2.5

Errors Encountered
===

Warning: main(./config.inc.php) [function.main]: failed to open stream: No such file or directory in /collabo/sns/public_html/index.php on line 7

Fatal error: main() [function.require]: Failed opening required './config.inc.php' (include_path='.:') in /collabo/sns/public_html/index.php on line 7

Please help in resolving the issue.

Thanks,
Yogesh

I have tried the

David Delbecq-2 wrote:

Did you try this? http://www.alexander-merz.com/21.html

At the precise moment of 05/02/08 06:57, puneetjain expressed himself in these terms:

Hi,

I am trying to integrate PHP with tomcat server, i.e. trying to run PHP in a servlet container.

Environment:
=
Operating System: RedHat Enterprise Linux 3
Tomcat Version: 6
PHP version: 5.2.5
Java: 1.5

Steps Performed:
1. Install the tomcat.
2. Install the php
3. Create a web project.
4. Place the php5servlet.jar in the WEB_INF/lib directory.
5. Add the below entry in my web.xml.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.3"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http:/java.sun.com/dtd/web-app_2_3.dtd">
      <servlet>
        <servlet-name>php</servlet-name>
        <servlet-class>net.php.servlet</servlet-class>
      </servlet>
      <servlet>
        <servlet-name>php-formatter</servlet-name>
        <servlet-class>net.php.formatter</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>php</servlet-name>
        <url-pattern>*.php</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>php-formatter</servlet-name>
        <url-pattern>*.phps</url-pattern>
      </servlet-mapping>
    </web-app>

6. Create a war file and deployed on the tomcat.

Exception:
===
When I tried to deploy this war file it says that the libphp5servlet.so and libphp5.so libraries are missing.

I have tried these steps on Windows XP and used php5servlet.dll. PHP is working on tomcat in windows.

I am unable to find the procedure to create/get the libphp5servlet.so and libphp5.so library to run PHP in Tomcat container in Linux Environment.

Please help me to resolve this problem.

Thanks,
Puneet

--
http://www.devlog.be (a belgian developer's logs)
Re: Tomcat Security Problem
Actually I am not able to get what you mean by context. Should I insert it in conf/server.xml or somewhere else? It is confusing me.

On Feb 7, 2008 8:59 PM, Caldarale, Charles R [EMAIL PROTECTED] wrote:

From: alee amin [mailto:[EMAIL PROTECTED]
Subject: Re: Tomcat Security Problem

How can i make it available for it and at the same time i want application 1 BASIC AUTHENTICATION based on tomcat-users.xml file.

I already answered that question:

Sounds like you need to put it inside the Context of your application 2, not inside the Host or Engine where you now have it.

Leave the original tomcat-users.xml Realm where it is, and put your more secure Realm inside the Context element of application 2.

- Chuck

--
Muhammad Ali
http://techboard.wordpress.com
Software Engineer - E2ESP
muhammadaliamin(at)gmail(dot)com
Re: Tomcat Security Problem
I have placed the following configuration in server.xml file after reading from tomcat site

    <Host ... >
      ...
      <context path="/application2-web">
        <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
               driverName="org.gjt.mm.mysql.Driver"
               connectionURL="jdbc:mysql://localhost:3306/application2"
               connectionName="root" connectionPassword="mypassword"
               userTable="user" userNameCol="user_name" userCredCol="user_password"
               userRoleTable="user_role" roleNameCol="role_name"
               digest="MD5"/>
      </context>
    </Host>

But it is not allowing me to log in.

--
Muhammad Ali
http://techboard.wordpress.com
Software Engineer - E2ESP
muhammadaliamin(at)gmail(dot)com