Re: How to solve this bug

2010-08-21 Thread André Warnier

Ranjith wrote:

Hi all,
I created a war using ant, deployed it and got this error; how can I solve it?

HTTP Status 500 -

type: Exception report

message:

description: The server encountered an internal error () that prevented it
from fulfilling this request.

exception:

java.security.AccessControlException: access denied
(java.util.PropertyPermission unicorn.home read)
java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
java.security.AccessController.checkPermission(AccessController.java:553)
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
...

Have a look at
http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
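The stack trace above is the SecurityManager refusing a read of the system property unicorn.home because the web application's codeBase has no matching grant in conf/catalina.policy. The helper below is an added example written for this thread, not code from Tomcat or from the original poster: it wraps the property read, and when the read is denied it turns the denied Permission from the exception into the exact grant line to add inside the web application's `grant codeBase "file:${catalina.base}/webapps/<app>/-" { ... };` block, so the grant stays narrow instead of the application being given AllPermission. The class name PropertyAccess is an assumption.

```java
import java.security.AccessControlException;
import java.security.Permission;

/**
 * Diagnostic helper for web applications run under Tomcat's SecurityManager
 * (catalina.sh run -security). Illustrative class written for this thread.
 */
public final class PropertyAccess {

    private PropertyAccess() {}

    /** Outcome of a guarded property read: the value, or the grant that is missing. */
    public static final class Result {
        public final String value;        // property value, or null when denied/unset
        public final String missingGrant; // catalina.policy line to add, or null when allowed

        Result(String value, String missingGrant) {
            this.value = value;
            this.missingGrant = missingGrant;
        }
    }

    /**
     * Formats a denied Permission as a policy-file entry, e.g. for the trace above:
     *   permission java.util.PropertyPermission "unicorn.home", "read";
     */
    public static String grantLineFor(Permission p) {
        StringBuilder sb = new StringBuilder("permission ")
                .append(p.getClass().getName())
                .append(" \"").append(p.getName()).append('"');
        String actions = p.getActions();
        if (actions != null && actions.length() > 0) {
            sb.append(", \"").append(actions).append('"');
        }
        return sb.append(';').toString();
    }

    /** Reads a system property without letting a policy denial become a 500 page. */
    public static Result read(String name) {
        try {
            return new Result(System.getProperty(name), null);
        } catch (AccessControlException e) {
            // The SecurityManager refused the read; e.getPermission() names the
            // permission the policy lacks for this web application's codeBase.
            Permission denied = e.getPermission();
            String grant = denied != null
                    ? grantLineFor(denied)
                    : "permission java.util.PropertyPermission \"" + name + "\", \"read\";";
            return new Result(null, grant);
        }
    }

    // Stand-alone demo: without a SecurityManager the read simply succeeds; under
    // Tomcat's -security switch the missing grant is reported instead of a stack trace.
    public static void main(String[] args) {
        Result r = read("unicorn.home");
        if (r.missingGrant != null) {
            System.out.println("Add to the web app's grant block in conf/catalina.policy: "
                    + r.missingGrant);
        } else {
            System.out.println("unicorn.home = " + r.value);
        }
    }
}
```

Granting only the permission that was denied, scoped to the application's codeBase, keeps the security manager's least-privilege value; the alternative of running without `-security` removes the check for every deployed application at once.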



Re: Is there a better way to disable JSESSIONID in the URLs?

2010-08-21 Thread Pid
On 20/08/2010 22:40, Wesley Acheson wrote:
 I'm a bit lost with this thread. Are people suggesting I should submit a
 patch? I really wouldn't know where to begin looking.

That's where the discussion was heading.

Tomcat is Open Source.  The first place to look would be SVN.

 http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/


p

 On Fri, Aug 20, 2010 at 7:47 PM, Pid p...@pidster.com wrote:
 
 On 20/08/2010 17:35, Christopher Schultz wrote:
 Pid,

 On 8/20/2010 8:33 AM, Pid wrote:
 On 19/08/2010 20:41, Wesley Acheson wrote:
 On Thu, Aug 19, 2010 at 6:25 PM, Len Popp len.p...@gmail.com wrote:

 On Thu, Aug 19, 2010 at 12:01, Christopher Schultz
 ch...@christopherschultz.net wrote:
 The servlet specification mandates this behavior. Tomcat simply must
 support it. The spec says nothing of configurability, so Tomcat does
 not
 provide any. Hence the need to write a filter to achieve your desired
 behavior.

 That's not inviolable dogma. Tomcat does have some settings that make
 it operate out-of-spec, e.g. non-standard cookie parsing. I don't see
 why an option couldn't be added to disable JSESSIONID in URLs, if
 enough people would find it useful.
 --
 Len


 Is there anywhere we could vote for such a feature?  I know Resin has it, as
 I've stated before.

 You could file an enhancement request in Bugzilla, but it would be more
 likely to get attention if it came with a patch.  I can't comment as to
 whether it would be approved or not.

 This sounds like something that could easily be implemented as a Valve.
 My understanding is that the only place where the jsessionid can't be
 removed from URLs by a Filter is during the authentication process. A
 Valve can be inserted /before/ the authentication/authorization Valve(s)
 and therefore override the encodeURL behavior to perform /no/ URL
 rewriting.

 Maybe one of the TC devs can tell us how to insert a Valve /before/ the
 AAA valves that are automatically set up by the security configuration
 in web.xml, but never explicitly defined using a Valve element
 anywhere.

 Maybe look to see how it's implemented in v7.0 and hack something up.

 Taking Mark's hint and setting something on the Context, with effect on
 StandardContextValve maybe...


 p

 -chris




 





Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Wesley Acheson
On Sat, Aug 21, 2010 at 6:54 AM, Yawar Khan khanya...@yahoo.com wrote:

 Chris, you identified a possible sql injection in my code and declaring it a
 very bad piece of code. Despite the fact that jdbc does not allow more than 1
 query on this execute function and I am doing fields validation before
 submission of the form.

Javascript / ECMAScript and any client side scripting are completely
bypassable and offer no security.
http://www.xs4all.nl/~sbpoley/webmatters/formval.html

So field validation doesn't help you. Also anyone can post to your servlets.

Are you using bindings for your SQL? I see security holes here but don't
have time for a use case.




 Is there another genuine threat or bug that you identified and would like
 to share? Please do, I am sharing the udac source code as well,


 Wesley, your comments are also welcome; somebody also asked what will
 happen in case udac.login throws an exception; well, exception handling is
 inside this class. Sorry but I missed that email so I am unable to name that
 gentleman friend.

 package org.mcb.services;

 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;

public class udac
{
   static Connection currentCon = null;
   static ResultSet rs = null;

   public static userbean login(userbean bean) {
 //preparing some objects for connection
 Statement stmt = null;
 String userid = bean.getUserId();
 String password = bean.getPassword();
 String epass = null;
 String name = null;
 String user_id = null;
 String role_id = null;
 String branch_code = null;
 String last_login = null;
 String role_desc = null;
 try{
 epass = passwordservices.getInstance().encrypt(password);
   //passwordservices is a class which has functions to encrypt a
   //string and return back the string.
 }catch(Exception e){
 System.out.println(e);
 }
 String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, "
 + "a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, "
 + "ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
 searchQuery = searchQuery + " AND LOWER(a.USER_ID) = LOWER('" + userid
 + "') AND a.PASSWORD = '" + epass + "'";
 try{
 //connect to DB: connectionmanager is a class which contains
 //connection functions
 currentCon = connectionmanager.scgm_conn();
 stmt=currentCon.createStatement();
 rs = stmt.executeQuery(searchQuery);
 boolean hasdata=false;
 while(rs.next()) {
 hasdata=true;
 name = rs.getString("NAME");
 user_id = rs.getString("USER_ID");
 branch_code = rs.getString("BRANCH_CODE");
 role_id = rs.getString("ROLE_ID");
 last_login = rs.getString("LAST_LOGIN_DATE");
 role_desc = rs.getString("ROLE_DESC");
 bean.setName(name);
 bean.setUserId(user_id);
 bean.setBranch(branch_code);
 bean.setRole(role_id);
 bean.setLastLogin(last_login);
 bean.setRoleDesc(role_desc);
 bean.setValid(true);
 }
 if(!hasdata) {
 System.out.println("Sorry, you are not a registered user! "
 + "Please sign up first " + searchQuery);
 bean.setValid(false);
 }
 }catch (Exception ex){
  System.out.println("Log In failed: An Exception has occurred! "
  + ex);
 }
 //some exception handling
 finally{
  if (rs != null)  {
 try {
rs.close();
 } catch (Exception e) {}
rs = null;
 }

  if (stmt != null) {
 try {
stmt.close();
 } catch (Exception e) {}
stmt = null;
 }

  if (currentCon != null) {
 try {
currentCon.close();
 } catch (Exception e) {
 }

 currentCon = null;
  }
 }
 return bean;

 }
 }

 ysk
 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: Friday, August 20, 2010 3:43 AM
 To: Tomcat Users List
 Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Wesley,

 On 8/19/2010 5:04 PM, Wesley Acheson wrote:
  Maybe its just be but I still don't see where uadc is declared or even
  imported.

 ...or even used.

 I'm guessing that the bad code 

Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Pid
On 21/08/2010 05:42, Yawar Khan wrote:
 Chris, I had a look at container managed authentication and it's quite handy,
 but I couldn't see how I can add extra functionality like calling an encryption
 function on the password text field before Tomcat does its authentication on it.

The Tomcat Documentation is an excellent resource and is worth the time
you'll spend reading it.  See the 'digest' attribute of the
DataSourceRealm.  (You are using a DataSource, aren't you?)

http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html#Standard_Implementation

 For JS, my client side authentication is done on the form submit button click
 event; if the hackers do disable JavaScript, how will my HTML form be submitted?

By pushing the button?

By constructing a URL and posting to it using a non-browser script in an
automated attack client?

 However, I will add some server side validation as well; I agree that's
 important.

Don't bother, just use the container auth.  That way you don't have to
worry about SQL injection attacks, because the SQL isn't poorly cobbled
together using String concatenation.


p

 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
 Sent: Friday, August 20, 2010 3:41 AM
 To: Tomcat Users List
 Subject: Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
  
 Yawar,
 
 On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote:
 your comments on my current code tells me that this code is not bad,
 but I should check out tomcat's container managed logins... right?
 
 This code seems to be doing more work than necessary. Container-managed
 authentication and authorization is a useful service provided by the
 container. I highly recommend taking a look at using it, but it may be
 ... disruptive to your existing workflows.
 
 plus I would like to mention that I have client side form validations
 (js) to stop query busters.
 
 I'm sure that hackers will be sure to leave javascript enabled when they
 visit your site.
 
 -chris









RE: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Felix Schumacher
Am Freitag, den 20.08.2010, 21:54 -0700 schrieb Yawar Khan:
 Chris, you identified a possible sql injection in my code and declaring it a 
 very bad piece of code. Despite the fact that jdbc does not allow more than 1 
 query on this execute function and I am doing fields validation before 
 submission of the form. 
 
  
 Is there another genuine threat or bug that you identified and would like to 
 share? Please do, I am sharing the udac source code as well, 
 
  
 Wesley, your comments are also welcome; somebody also asked what will
 happen in case udac.login throws an exception; well, exception handling is
 inside this class. Sorry but I missed that email so I am unable to name that
 gentleman friend.
  
 package org.mcb.services;
  
 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;
  
public class udac
{
   static Connection currentCon = null;
   static ResultSet rs = null;
This seems to be really problematic. Having ResultSet and Connection
shared by many users is a bad idea.

Imagine what happens when two requests come in at the same time:

          Request A          Request B

        login(beanA)
            |
  currentCon=new Connection()
            |                login(beanB)
            |                    |
            |              currentCon=new Connection() # BOOM you are
overwriting the class wide variable currentCon.

Same thing can happen to rs too. So better place currentCon and rs as
method variables inside of login.
  
   
   public static userbean login(userbean bean) {
 //preparing some objects for connection
 Statement stmt = null;
 String userid = bean.getUserId();
 String password = bean.getPassword();
 String epass = null;
 String name = null;
 String user_id = null;
 String role_id = null;
 String branch_code = null;
 String last_login = null;
 String role_desc = null;
 try{
 epass = passwordservices.getInstance().encrypt(password);
   //passwordservices is a class which has functions to encrypt a
   //string and return back the string.
 }catch(Exception e){
 System.out.println(e);
I find it very useful to use a logging framework for reporting errors.
And adding information about the state in which the error occurred might
help finding the root cause more easily.

 }
 String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, "
 + "a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, "
 + "ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
 searchQuery = searchQuery + " AND LOWER(a.USER_ID) = LOWER('" + userid
 + "') AND a.PASSWORD = '" + epass + "'";
If you are using prepared statements with parameters, you don't have to
worry if someone has forgotten to check those parameters for
SQL injection. But you were told so already.

Bye
 Felix

 try{
 //connect to DB: connectionmanager is a class which contains
 //connection functions
 currentCon = connectionmanager.scgm_conn();
 stmt=currentCon.createStatement();
 rs = stmt.executeQuery(searchQuery);
 boolean hasdata=false;
 while(rs.next()) {
 hasdata=true;
 name = rs.getString("NAME");
 user_id = rs.getString("USER_ID");
 branch_code = rs.getString("BRANCH_CODE");
 role_id = rs.getString("ROLE_ID");
 last_login = rs.getString("LAST_LOGIN_DATE");
 role_desc = rs.getString("ROLE_DESC");
 bean.setName(name);
 bean.setUserId(user_id);
 bean.setBranch(branch_code);
 bean.setRole(role_id);
 bean.setLastLogin(last_login);
 bean.setRoleDesc(role_desc);
 bean.setValid(true);
 }
 if(!hasdata) {
 System.out.println("Sorry, you are not a registered user! "
 + "Please sign up first " + searchQuery);
 bean.setValid(false);
 }
 }catch (Exception ex){
  System.out.println("Log In failed: An Exception has occurred! "
  + ex);
 }
 //some exception handling
 finally{
  if (rs != null)  {
 try {
rs.close();
 } catch (Exception e) {}
rs = null;
 }
  
  if (stmt != null) {
 try {
stmt.close();
 } catch (Exception e) {}
stmt = null;
 }
  
  if (currentCon != null) {
 

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Yawar Khan
Wesley, no I am not using SQL bindings; what are the security holes?

You haven't told me why my sessions are getting mixed up here?






Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Pid
On 21/08/2010 13:04, Yawar Khan wrote:
 Wesley, no I am not using SQL bindings; what are the security holes?
 
 You haven't told me why my sessions are getting mixed up here?

Felix has.


p

 

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Yawar Khan
Thanks Felix, very nicely explained!

But do you think that declaring the connection and rs variables outside the login
function is causing the sessions mixup issue?







How stable is Tomcat?

2010-08-21 Thread Yawar Khan
Guys, is Tomcat stable enough to host large scale production applications
getting 1500+ hits every day, and as many concurrent database connections? I
know a lot depends on the application's architecture, but just how good is Tomcat?


  

Re: Sessions mix-up on Tomcat 6.0.26 on Linux

2010-08-21 Thread Felix Schumacher



Yawar Khan khanya...@yahoo.com schrieb:

Thanks Felix, very nicely explained!

But do you think that declaring the connection and rs variables outside the login
function is causing the sessions mixup issue?


Yes. But I think it is not messing with sessions, but rather messing with the 
values of your user beans.

Hth
  Felix




From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 4:13:52 PM
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

Am Freitag, den 20.08.2010, 21:54 -0700 schrieb Yawar Khan:
 Chris, you identified a possible sql injection in my code and declaring it a 
 very bad piece of code. Despite the fact that jdbc does not allow more than 
 1 
 query on this execute function and I am doing fields validation before 
 submission of the form. 
 
  
 Is there another genuine threat or bug that you identified and would like to 
 share? Please do, I am sharing the udac source code as well, 
 
  
 Wesley you comments are also welcome; somebody also asked that what will 
 happen 

 in case udac.login throws an exception, well exception handling is inside 
 this 

 class. Sorry but i missed that email so i am unable to name that gentleman 
 friend.
  
 package org.mcb.services;
  
 import java.text.*;
 import java.util.*;
 import java.sql.*;
 import javax.servlet.http.HttpSession;
  
    public class udac
    {
      static Connection currentCon = null;
      static ResultSet rs = null;
This seems to be really problematic. Having ResultSet and Connection
shared by many users is a bad idea.

Imagine what happens when two requests come in at the same time:

          Request A          Request B

        login(beanA)
            |
  currentCon=new Connection()
            |                login(beanB)
            |                    |
            |              currentCon=new Connection() # BOOM you are
overwriting the class wide variable currentCon.

Same thing can happen to rs too. So better place currentCon and rs as
method variables inside of login.
          
      
      public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try{
                epass = passwordservices.getInstance().encrypt(password);
                //passwordservices is a class which has functions to encrypt a
                //string and return back the string.
            }catch(Exception e){
                System.out.println(e);
I find it very useful to use a logging framework for reporting errors.
And adding information about the state in which the error occurred might
help finding the root cause more easily.

            }
            String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, "
                + "a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, "
                + "ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
            searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid
                + "') AND a.PASSWORD = '" + epass + "'";
If you are using prepared statements with parameters, you don't have to
worry if someone has forgotten to check those parameters for
SQL injection. But you were told so already.

Bye
Felix

            try{
                //connect to DB: connectionmanager is a class which contains
                //connection functions
                currentCon = connectionmanager.scgm_conn();
                stmt=currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata=false;
                while(rs.next()) {
                    hasdata=true;
                    name = rs.getString("NAME");
                    user_id = rs.getString("USER_ID");
                    branch_code = rs.getString("BRANCH_CODE");
                    role_id = rs.getString("ROLE_ID");
                    last_login = rs.getString("LAST_LOGIN_DATE");
                    role_desc = rs.getString("ROLE_DESC");
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code);
                    bean.setRole(role_id);
                    bean.setLastLogin(last_login);
                    bean.setRoleDesc(role_desc);
                    bean.setValid(true);
                }
                if(!hasdata) {
                    System.out.println("Sorry, you are not a registered user! "
                        + "Please sign up first" + searchQuery);
                    bean.setValid(false);
                }
            }catch (Exception ex){
              System.out.println("Log In failed: An Exception has
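The three points Felix raises (connection and result set as method-local variables, a logging framework instead of System.out, and a PreparedStatement with bound parameters in place of string concatenation) put together in one version of the same login method. This is an added example, not code from the thread; it keeps the original query and column names and assumes the poster's userbean, passwordservices and connectionmanager classes exist as used in the quoted code (scgm_conn() returning a java.sql.Connection), and that the code runs on Java 7 or later so try-with-resources is available.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.logging.Level;
import java.util.logging.Logger;

public class LoginDao {

    private static final Logger LOG = Logger.getLogger(LoginDao.class.getName());

    // The same query as the quoted code, but the two values that come from the
    // login form are bound as parameters; they can never change the SQL text.
    private static final String SEARCH_QUERY =
          "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, "
        + "a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b "
        + "WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID "
        + "AND LOWER(a.USER_ID) = LOWER(?) AND a.PASSWORD = ?";

    // userbean, passwordservices and connectionmanager are the poster's own
    // classes (assumed to exist with the methods used in the quoted code).
    public static userbean login(userbean bean) {
        String userid = bean.getUserId();
        String epass;
        try {
            epass = passwordservices.getInstance().encrypt(bean.getPassword());
        } catch (Exception e) {
            // Record the state that helps find the cause (which user), never the password.
            LOG.log(Level.SEVERE, "Password encoding failed for user " + userid, e);
            bean.setValid(false);
            return bean;
        }

        // Connection, statement and result set are local to this call and are
        // closed by try-with-resources, so concurrent logins cannot share them.
        try (Connection con = connectionmanager.scgm_conn();
             PreparedStatement ps = con.prepareStatement(SEARCH_QUERY)) {
            ps.setString(1, userid);
            ps.setString(2, epass);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    // Log only the outcome; the query text would contain the credentials.
                    LOG.log(Level.INFO, "Login rejected for user {0}", userid);
                    bean.setValid(false);
                    return bean;
                }
                bean.setName(rs.getString("NAME"));
                bean.setUserId(rs.getString("USER_ID"));
                bean.setBranch(rs.getString("BRANCH_CODE"));
                bean.setRole(rs.getString("ROLE_ID"));
                bean.setLastLogin(rs.getString("LAST_LOGIN_DATE"));
                bean.setRoleDesc(rs.getString("ROLE_DESC"));
                bean.setValid(true);
            }
        } catch (Exception ex) {
            // Covers SQLException and whatever scgm_conn() declares.
            LOG.log(Level.SEVERE, "Login query failed for user " + userid, ex);
            bean.setValid(false);
        }
        return bean;
    }
}
```

Because the user id and the encoded password are passed to setString(), a value such as a quote character is sent to the database as data, not as part of the statement, so the query needs no escaping of its own. The "not a registered user" message in the quoted code also printed the full searchQuery, which includes the submitted credentials; the version above logs the user id only.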

Re: How stable is Tomcat?

2010-08-21 Thread michel
I think that maybe you are mixing up stability and scalability. While they 
are connected, an unstable system can fail at low volume. Also, I don't 
think that 1500 hits a day is that much.




Michel


- Original Message - 
From: Yawar Khan khanya...@yahoo.com

To: Tomcat Users users@tomcat.apache.org
Sent: Saturday, August 21, 2010 8:59 AM
Subject: How stable is Tomcat?



Guys, is Tomcat stable enough to host large scale production applications
getting 1500+ hits every day? And as many concurrent database connections.
I know

a lot depends on the application's architecture, but just how good is Tomcat?









Re: How stable is Tomcat?

2010-08-21 Thread Marco Castillo
I totally agree with Michel. We developed a JSF 2.0 application using Tomcat
as the web container. Tomcat is as stable as the application you develop.
The system we develop hosts a RIA application based on ICEFaces for almost
5000 users and after a lot of debugging and JVM fine tuning, we now have an
almost rock solid product. Note that the debugging was done over the app,
and the JVM fine tuning is a must for this kind of application. Tomcat
works fine with just some modifications in the config files. Actually we use
the latest Tomcat 6 running over Linux CentOS.
Also we use Tomcat 6 for a landing page for a Telco Operator. The landing
page was developed using JSP technology and implements Google SSO. This
application actually serves 2 users, with almost 15000 hits on a daily
basis. Again, the main stabilization process was done in the application,
not Tomcat, and Tomcat works just fine.
Hope this information was helpful.

Regards

Ing. Marco Antonio Castillo
Chief Design Engineer
Van Der Kaaden IT Consulting
Guatemala, Guatemala C.A.
tel: +502 22382710
mobile: +502 59186971
e-mail: mabcasti...@vdkit.net
sip: mabcasti...@sip.vdkit.net




RE: How stable is Tomcat?

2010-08-21 Thread Caldarale, Charles R
 From: Yawar Khan [mailto:khanya...@yahoo.com]
 Subject: How stable is Tomcat?
 
 is tomcat stable enough to host large scale production
 applications

http://wiki.apache.org/tomcat/PoweredBy

 getting 1500+ hits everyday?

As others have stated, 1500 hits a day is down in the noise level.

 and as much concurrent database connections

Concurrent with what?  One normally utilizes database connection pooling to 
avoid creating a connection on each request.  But with such a low level of 
activity, it probably won't matter.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





Re: How stable is Tomcat?

2010-08-21 Thread Yawar Khan
thank you marco for your insight and sharing your experience.






Re: How stable is Tomcat?

2010-08-21 Thread David Kerber

Yawar Khan wrote:
Guys, is Tomcat stable enough to host large scale production applications
getting 1500+ hits every day? And as many concurrent database connections. I know
a lot depends on the application's architecture, but just how good is Tomcat?




  
My app has approx 550 - 600 simultaneous users, and processes ~4 - 5 
million transactions per day from them, split across two tomcat 
instances running on the same server.  It's been months since I've had 
to restart a tomcat service, let alone reboot the server.


D





Re: How stable is Tomcat?

2010-08-21 Thread Ken Fox
My company has run Tomcat apps on Amazon's EC2 that have exceeded 1,500 hits
per *second*. We use Amazon's load balancer in front of a variable number of
Tomcat instances (each on their own EC2 instance). For 1,500 hits per day
you probably only need one small EC2 instance running a single Tomcat.

We had some database scaling problems due to a misunderstanding of how
Amazon throttling works--at about 3,000 hits per second the traffic we were
sending to SimpleDB caused Amazon to fail every request. Tomcat continued to
run very well at that load.

We do not have a web tier in front of Tomcat, but we do use Akamai for
caching (as a vanilla CDN). Given your low traffic numbers, you probably
don't need a web tier or a CDN in front of Tomcat. You can get by even
without a load balancer, but I'd recommend using one to give yourself more
options for rolling code and adding capacity.

- Ken


On Sat, Aug 21, 2010 at 8:59 AM, Yawar Khan khanya...@yahoo.com wrote:

 Guys, is Tomcat stable enough to host large scale production applications
 getting 1500+ hits every day? And as many concurrent database connections. I
 know
 a lot depends on the application's architecture, but just how good is Tomcat?





Mapping REST requests across multiple app contexts

2010-08-21 Thread Ken Fox
I'm looking for advice on the best way to map REST requests onto a
collection of Tomcat apps all running in the same JVM. The REST name space
was designed for client use and doesn't reflect how the apps implement it.
For example, the resource /v1/x/123 is implemented by app X, but the
resource /v1/x/123/y is implemented by app Y.

A proxy (e.g. Apache mod_proxy or Squid) in front of Tomcat can rewrite the
URLs to go to the correct app, but this gives us some pretty ugly proxy
configurations which have to be kept in lock-step with the Tomcat apps.
Relying on a proxy also makes it a bit harder to use Amazon's load balancer
because it doesn't do rewrites (I think we'd have to run a proxy on each
Tomcat instance).

I'm trying to implement the rewrite as a Valve (code outline below)
registered with the Engine which will run before any Hosts or Contexts. This
seems like a good approach and may even let me grab the JAX-RS annotations
from the apps to dynamically build the rewrite rules.

Does anyone have advice for REST name spaces in Tomcat in general?

Has anyone had good experiences with a rewrite proxy in front of Tomcat on
Amazon EC2 with Amazon's ELB?

Has anybody tried a rewrite Valve similar to this? It has to modify the
CoyoteRequest and generate new Request.mappingData which seems kind of
risky. (Though I think it will work in Tomcat 7, I've only tried Tomcat 6.)
This is my favorite approach so far.

Thanks,

- Ken


public void invoke(Request request, Response response)
        throws IOException, ServletException {
    if ("/v1".equals(request.getContextPath())) {
        // map the in-bound REST URI to the app handling it
        String newRequestURI = "/new-app/some/derived/uri";

        // rewrite the URI on the underlying Coyote request
        org.apache.coyote.Request req = request.getCoyoteRequest();
        req.requestURI().setString(newRequestURI);
        req.decodedURI().setString(newRequestURI);

        MessageBytes uriMB = MessageBytes.newInstance();
        uriMB.duplicate(req.decodedURI());

        MessageBytes hostMB = MessageBytes.newInstance();
        hostMB.setString(request.getHost().getName());

        // run the connector's mapper again so the Context and Wrapper
        // reflect the rewritten URI
        MappingData mappingData = request.getMappingData();
        mappingData.recycle();
        request.getConnector().getMapper().map(hostMB, uriMB, mappingData);

        request.setContext((Context) mappingData.context);
        request.setWrapper((Wrapper) mappingData.wrapper);
    }

    getNext().invoke(request, response);
}


Re: How stable is Tomcat?

2010-08-21 Thread Pid *
On 21 Aug 2010, at 18:09, Ken Fox k...@vulpes.com wrote:

 My company has run Tomcat apps on Amazon's EC2 that have exceeded 1,500 hits
 per *second*. We use Amazon's load balancer in front of a variable number of
 Tomcat instances (each on their own EC2 instance). For 1,500 hits per day
 you probably only need one small EC2 instance running a single Tomcat.

We don't usually count web traffic in hits any more, because a single
page could easily cause 100 hits.

You could probably use pigeons to send data as quickly. 1500 hits per
day is ~1 hit per minute.


p






Re: How stable is Tomcat?

2010-08-21 Thread Ken Fox
On Sat, Aug 21, 2010 at 2:42 PM, Pid * p...@pidster.com wrote:
 We don't usually count web traffic in hits any more, because a single
 page could easily cause 100 hits.

I think hits to your app servers is still an appropriate way to think
about your server load. If a page view generates 100 hits to your
Tomcat instances, your CDN is probably busted.

Marketing and ad revenue talk a lot about page views, but that's
a useless stat for sizing your Tomcat servers. Don't give in to the
dark side. ;)

On a related topic, anybody have trouble scaling Comet-based
sites with Tomcat? It seems like ad revenue could be at least as
big a hurdle as server scaling.

- Ken




RE: Mapping REST requests across multiple app contexts

2010-08-21 Thread Caldarale, Charles R
 From: Ken Fox [mailto:k...@vulpes.com]
 Subject: Mapping REST requests across multiple app contexts
 
 I'm trying to implement the rewrite as a Valve

If you place the standard rewrite filter in the ROOT context, you can catch any 
requests that do not directly map to the appropriate webapp and forward or 
redirect them appropriately.

http://www.tuckey.org/urlrewrite/

No reason to reinvent the wheel, especially in a fashion that's not very 
portable.

 - Chuck


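Chuck's approach, a filter in the ROOT context that forwards requests the client-facing name space does not map directly, written against the standard Filter API so the same idea is visible without the Tuckey library or Tomcat internals. This is an added example, not code from the thread or from either project; the routing table, the context names /appX and /appY and the target paths are made up to match the /v1/x/123 and /v1/x/123/y example in the question, and cross-context forwarding assumes crossContext="true" on the ROOT context in Tomcat.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Deployed in the ROOT webapp and mapped to /v1/*: requests for the
 * client-facing REST name space are forwarded to the webapp that implements
 * each resource. ServletContext.getContext() returns null unless the ROOT
 * context has crossContext="true", in which case the filter fails closed.
 */
public class RestRoutingFilter implements Filter {

    /** One routing rule: client path pattern, target context, target path template. */
    private static final class Route {
        final Pattern from;
        final String context;
        final String to;

        Route(String from, String context, String to) {
            this.from = Pattern.compile(from);
            this.context = context;
            this.to = to;
        }
    }

    // Hypothetical routing table built from the example in the question.
    // More specific rules come first. Only the captured digit group is copied
    // into the target path, so client-supplied text never reaches the dispatcher.
    private static final Route[] ROUTES = {
        new Route("^/v1/x/(\\d+)/y$", "/appY", "/rest/x/$1/y"),
        new Route("^/v1/x/(\\d+)$",   "/appX", "/rest/x/$1"),
    };

    private ServletContext ownContext;

    public void init(FilterConfig config) {
        ownContext = config.getServletContext();
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // In the ROOT context the request URI carries no context path prefix.
        // It is the raw, undecoded URI; the anchored patterns above accept it
        // only when it has exactly one of the allowed shapes.
        String path = request.getRequestURI();

        for (Route route : ROUTES) {
            Matcher m = route.from.matcher(path);
            if (!m.matches()) {
                continue;
            }
            ServletContext target = ownContext.getContext(route.context);
            if (target == null) {
                // Target app not deployed, or crossContext not enabled: fail closed.
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            String targetPath = m.replaceAll(route.to);
            RequestDispatcher rd = target.getRequestDispatcher(targetPath);
            rd.forward(request, response);
            return;
        }

        // Not a routed REST resource: let the ROOT webapp handle it as usual.
        chain.doFilter(req, resp);
    }
}
```

A forward keeps the client-visible URL and costs no extra round trip; replacing rd.forward() with response.sendRedirect() to the target path removes the crossContext requirement at the price of a redirect per request, which is the other option Chuck mentions. Because getRequestURI() is undecoded and may carry path parameters such as ;jsessionid=..., such requests do not match the anchored patterns and fall through to the chain rather than being routed.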



Re: tomcat 7.0 embedded usage

2010-08-21 Thread Mondain
This was blogged earlier this week..
http://copperykeenclaws.wordpress.com/2010/08/19/embedding-tomcat-7/
I'll be using this info for the Red5 plugin very soon..

Paul

On Wed, Aug 4, 2010 at 2:34 AM, David Calavera david.calav...@gmail.com wrote:

 Hi,

 I don't know if that's your problem but I use the method server.await to
 allow the server to wait.

 On Mon, Aug 2, 2010 at 2:32 PM, Marzia Forli marzia.fo...@yahoo.com
 wrote:

  Can somebody please help me to setup a hello world example of embedded
  usage of tomcat 7 with servlet 3.0 support...
  I have a simple annotated HelloWorld servlet and would like to launch it
  from my eclipse environment. I have:
  tomcat-catalina.jar
  tomcat-servlet-api.jar
  tomcat-juli.jar
  tomcat-annotations-api.jar
  tomcat-api.jar
  tomcat-util.jar
  tomcat-coyote.jar
  on my test classpath which is target/test-classes and have my project
 on
  target/classes... I am using latest eclipse, java releases. Below is
 the
  code of where I am now...
  Thanks
 
   import java.io.*;
   import org.apache.catalina.startup.*;

   public class EmbeddedTomcat {
       private final Tomcat server;

       public EmbeddedTomcat (final String host, final int port, final String
   contextPath, final String... classPaths) {
           final String tempPath = System.getProperty("java.io.tmpdir");
           final File tempDirectory = new File(tempPath);
           System.setProperty("catalina.base", tempDirectory.getAbsolutePath());

           final File appBase = new File(tempDirectory, "webapps");
           appBase.mkdir();

           server = new Tomcat();
           server.setBaseDir(tempDirectory.getAbsolutePath());
           server.getHost().setAppBase(appBase.getAbsolutePath());

           server.setHostname(host);
           server.setPort(port);

           final File appDirectory = new File("target/test-classes",
                   "webapps" + contextPath);
           server.addWebapp(null, contextPath, appDirectory.getAbsolutePath());
       }

       public void start () throws Exception {
           server.start();
       }

       public void stop () throws Exception {
           server.stop();
       }

       public static void main (final String[] args) {
           final EmbeddedTomcat container = new EmbeddedTomcat("localhost",
                   8080, "/", "target/classes", "target/test-classes");
           try {
               container.start();
               System.in.read();
               container.stop();
           } catch (final Exception problem) {
               System.exit(100);
           }
       }
   }
 
 
 
 
 
 
 
 




-- 
http://gregoire.org/
http://code.google.com/p/red5/
http://code.google.com/p/blue5/
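A minimal embedded Tomcat 7 "hello world" that combines the pieces this thread mentions: the org.apache.catalina.startup.Tomcat class, a servlet registered in code rather than discovered from a webapps directory, and the server.await() call David refers to so the main thread blocks until shutdown. This is an added example, not code from the thread or the blog post; it assumes the Tomcat 7 embedded API (addContext, addServlet, addServletMapping) and the tomcat-embed jars on the classpath, and the port and the temp directory name are arbitrary choices.

```java
import java.io.File;
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.startup.Tomcat;

public class EmbeddedHello {

    /** Minimal servlet registered programmatically: no web.xml, no annotation scanning. */
    public static class HelloServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().print("hello from embedded tomcat");
        }
    }

    public static void main(String[] args) throws LifecycleException {
        Tomcat tomcat = new Tomcat();

        // Work directory for Tomcat's own files (assumed location, created on demand).
        File base = new File(System.getProperty("java.io.tmpdir"), "embedded-tomcat");
        base.mkdirs();
        tomcat.setBaseDir(base.getAbsolutePath());
        tomcat.setPort(8080);

        // Listen on the loopback interface only: a development harness started
        // from an IDE should not be reachable from the rest of the network.
        tomcat.getConnector().setProperty("address", "127.0.0.1");

        // A context whose content lives in code: the servlet is added directly,
        // so nothing has to be copied under a webapps directory first.
        Context ctx = tomcat.addContext("", base.getAbsolutePath());
        Tomcat.addServlet(ctx, "hello", new HelloServlet());
        ctx.addServletMapping("/hello", "hello");

        tomcat.start();

        // Block here until the server is shut down; without this the main
        // thread returns immediately and the JVM may exit before any request.
        tomcat.getServer().await();
    }
}
```

With this running, http://127.0.0.1:8080/hello answers with the plain-text greeting. Annotation-based (Servlet 3.0) discovery happens only for a context added with addWebapp() whose directory contains the compiled classes under WEB-INF/classes, which is what the quoted EmbeddedTomcat class attempts; registering the servlet with addServlet() sidesteps that scanning and is the simplest way to confirm the embedded container itself starts.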