Re: How to get Tomcat HTTP port during startup of the server
On 6 Oct 2011, at 19:22, Lahiru Gunathilake glah...@gmail.com wrote:

> Hi Charles,
>
> This is my usecase, I want to register my application URL to a repository and there is another remote application who reads that URL somewhere and invoke my application. So during the startup I need to register them before I get any request.

Arguably, there's no rush as you won't get requests until the registry reports to its clients that your service is available.

JMX is the best solution, connect JConsole to your Tomcat and explore the Catalina domain.

p

> On Thu, Oct 6, 2011 at 1:38 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
>
>> From: Lahiru Gunathilake [mailto:glah...@gmail.com]
>> Subject: How to get Tomcat HTTP port during startup of the server
>>
>>> I have a requirement of getting the Tomcat HTTP port during startup of my application.
>>
>> The obvious first question is: why? Also, you must know that Tomcat may be listening on multiple ports, not just one.
>>
>>> before getting any HttpRequest I need to talk tomcat HTTP port.
>>
>> What do you think you are going to say when you talk to one of the Tomcat ports?
>>
>>> Can someone please tell me how to access the http port
>>
>> You can use JMX to query nearly all of the Tomcat configuration settings.
>>
>> - Chuck
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
>
> --
> System Analyst Programmer
> PTI Lab
> Indiana University

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org

Random error while xml xsl transformation
I'm getting this error randomly in the web application which does the XML-XSL transformation. Same data when reloaded exception does not occur.

--error 1
Caused by: java.lang.ArrayIndexOutOfBoundsException: 7 >= 7
    at java.util.Vector.elementAt(Vector.java:427)
    at gnu.xml.aelfred2.SAXDriver.startElement(SAXDriver.java:804)
    at gnu.xml.aelfred2.XmlParser.parseElement(XmlParser.java:1037)
    at gnu.xml.aelfred2.XmlParser.parseDocument(XmlParser.java:416)
    at gnu.xml.aelfred2.XmlParser.doParse(XmlParser.java:167)
    at gnu.xml.aelfred2.SAXDriver.parse(SAXDriver.java:320)
    at gnu.xml.aelfred2.XmlReader.parse(XmlReader.java:294)
    at org.apache.xml.dtm.ref.DTMManagerDefault.getDTM(DTMManagerDefault.java:437)
    at org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:699)
    at org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:1284)
    at org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:1262)
    at org.apache.taglibs.xtags.xslt.StyleTag.doEndTag(StyleTag.java:157)
    at org.apache.jsp.jsp.chart.newleafmodel.tabdetail_jsp._jspService(tabdetail_jsp.java:698)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:386)

---error 2
Caused by: java.lang.ArrayIndexOutOfBoundsException: 5 >= 5
    at java.util.Vector.elementAt(Vector.java:427)
    at gnu.xml.aelfred2.SAXDriver.startElement(SAXDriver.java:804)
    at gnu.xml.aelfred2.XmlParser.parseElement(XmlParser.java:1037)
    at gnu.xml.aelfred2.XmlParser.parseDocument(XmlParser.java:416)
    at gnu.xml.aelfred2.XmlParser.doParse(XmlParser.java:167)
    at gnu.xml.aelfred2.SAXDriver.parse(SAXDriver.java:320)
    at gnu.xml.aelfred2.XmlReader.parse(XmlReader.java:294)
    at org.apache.xml.dtm.ref.DTMManagerDefault.getDTM(DTMManagerDefault.java:437)
    at org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:699)
    at org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:1284)
    at org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:1262)
    at org.apache.taglibs.xtags.xslt.StyleTag.doEndTag(StyleTag.java:157)
    at org.apache.jsp.jsp.chart.newleafmodel.tabdetail_jsp._jspService(tabdetail_jsp.java:698)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:386)
    ... 29 more

Is it anyway related to the xml parser which we configured for our webapps?

Arvind S

Many of lifes failure are people who did not realize how close they were to success when they gave up. -Thomas Edison

Re: Regarding Catalina/Tomcat MBeans attributes/operations description
Hi Konstantin,

Thanks for this, hope it will help. I'm using Tomcat version 7.0.20.

Regards,
Akshay

From: Konstantin Kolinko knst.koli...@gmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, October 5, 2011 6:30 PM
Subject: Re: Regarding Catalina/Tomcat MBeans attributes/operations description

> 2011/10/5 akshay hiremath akshay...@yahoo.com:
>
>> Hi,
>>
>> Can anyone tell me where I can get the Catalina MBeans field description? I mean what exactly a particular attribute of a particular MBean is providing. e.g. in ThreadPool there are two attributes in MBean http-8080:
>>
>> 1. currentThreadCount
>> 2. currentThreadsBusy
>>
>> I'm not able to understand what each of these is doing. Can I get any documentation related to this? I checked the Tomcat documentation but there is no description of MBeans.
>
> If it is not in the docs, then read the source code. MBeans are defined by mbeans-descriptors.xml files, and are implemented by properties in Java objects represented by those beans.
>
> You are not saying what Tomcat version you are using.
>
> Best regards,
> Konstantin Kolinko

JSESSIONID Stripping
Hi there,

Simple question. If a client posts:

    POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1

whilst also specifying:

    Cookie: $Version=0; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64; $Path=/app/

isn't Tomcat supposed to strip the jsessionid path param too? I'm seeing 'isRequestedSessionIdFromCookie()' evaluating to true within my app, but the app still sees the jsessionid which is messing up resource resolution. I guess I could strip the jsessionid path param but doesn't seem right. (This is seen on both Tomcat 6.0.29/7.0.12).

Or is the client expected to remove the jsessionid before the request?

Regards,
Paul

Re: JSESSIONID Stripping
2011/10/7 Paul Wilson paulalexwil...@gmail.com:

> Hi there,
>
> Simple question. If a client posts:
>
>     POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1
>
> whilst also specifying:
>
>     Cookie: $Version=0; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64; $Path=/app/
>
> isn't Tomcat supposed to strip the jsessionid path param too? I'm seeing 'isRequestedSessionIdFromCookie()' evaluating to true within my app, but the app still sees the jsessionid which is messing up resource resolution. I guess I could strip the jsessionid path param but doesn't seem right. (This is seen on both Tomcat 6.0.29/7.0.12).
>
> Or is the client expected to remove the jsessionid before the request?

1) %3b does not delimit path parameters. You need to literally write it as ; for it to be a delimiter.

2) There are two methods in Servlet API that should return the path exactly as it was requested, preserving path parameters in it. There was some discussion about that recently.

3) If I remember correctly, if cookie is present the jsessionid in URL is ignored.

Best regards,
Konstantin Kolinko

Re: JSP page that will not update
Konstantin

>> I have set meta tags for no cache, no pragma, etc., all to no avail.
>
> What do you mean? meta tags inside HTML document are useless for this. You have to set HTTP headers.

OK, but can you point me to where I might learn how to do this?

>> What is most interesting is that all of this worked in Tomcat 5.5.7, but now using Tomcat 5.5.34, re-opening a page does not automatically refresh content.
>
> What browser it is?

Firefox and Safari on several different Mac OS X operating systems from 10.4 to 10.7.

>> Can you point me to information concerning AccessLogValves, please.
>
> webapps/docs/config/index.html - see Valves

Thank you,

Stephen

Re: JSESSIONID Stripping
On 7 October 2011 12:10, Konstantin Kolinko knst.koli...@gmail.com wrote:

> 2011/10/7 Paul Wilson paulalexwil...@gmail.com:
>
>> Hi there,
>>
>> Simple question. If a client posts:
>>
>>     POST /app/main%3bjsessionid=BF18D19ED62BB5F78E519018E618FB64 HTTP/1.1
>>
>> whilst also specifying:
>>
>>     Cookie: $Version=0; JSESSIONID=BF18D19ED62BB5F78E519018E618FB64; $Path=/app/
>>
>> isn't Tomcat supposed to strip the jsessionid path param too? I'm seeing 'isRequestedSessionIdFromCookie()' evaluating to true within my app, but the app still sees the jsessionid which is messing up resource resolution. I guess I could strip the jsessionid path param but doesn't seem right. (This is seen on both Tomcat 6.0.29/7.0.12).
>>
>> Or is the client expected to remove the jsessionid before the request?
>
> 1) %3b does not delimit path parameters. You need to literally write it as ; for it to be a delimiter.

Maybe this is the cause of all my problems; the POST path is being URL encoded by the client. :-/

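Point 1 of the reply quoted above, as an added example (not Tomcat's parser and not code from the thread): path parameters are split on the literal `;` in the raw path and percent-decoding happens afterwards, so a client-encoded `%3b` ends up as ordinary data in the decoded path. Class and method names are hypothetical and the session id is a constructed value.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added illustration, not Tomcat's parser; all names here are hypothetical.
public class PathParamDemo {

    static final class Parsed {
        final String path;                 // decoded path with parameters removed
        final Map<String, String> params;  // path parameters found in the raw path
        Parsed(String path, Map<String, String> params) {
            this.path = path;
            this.params = params;
        }
    }

    // Percent-decode one piece of a path. '+' is literal in a path, so it is
    // protected from URLDecoder's form rule that turns '+' into a space.
    static String decode(String s) {
        return URLDecoder.decode(s.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    // Split parameters off each segment of the raw (still encoded) path.
    // Only a literal ';' delimits; decoding happens afterwards, so "%3b"
    // becomes a ';' that is plain segment data.
    static Parsed parse(String rawPath) {
        Map<String, String> params = new LinkedHashMap<>();
        StringBuilder path = new StringBuilder();
        String[] segments = rawPath.split("/", -1);
        for (int i = 0; i < segments.length; i++) {
            String[] parts = segments[i].split(";", -1);
            if (i > 0) {
                path.append('/');
            }
            path.append(decode(parts[0]));
            for (int p = 1; p < parts.length; p++) {
                int eq = parts[p].indexOf('=');
                if (eq > 0) {
                    params.put(decode(parts[p].substring(0, eq)),
                               decode(parts[p].substring(eq + 1)));
                }
            }
        }
        return new Parsed(path.toString(), params);
    }

    // True when a session id reached the decoded path instead of being parsed
    // out: the id then shows up in resource lookups and in access logs.
    static boolean sessionIdLeakedIntoPath(Parsed p) {
        return p.path.toLowerCase(Locale.ROOT).contains(";jsessionid=");
    }

    public static void main(String[] args) {
        // Constructed request paths; the session id is a made-up value.
        String[] raw = {
            "/app/main;jsessionid=0123ABCD",    // literal delimiter
            "/app/main%3bjsessionid=0123ABCD"   // delimiter encoded by the client
        };
        for (String r : raw) {
            Parsed p = parse(r);
            System.out.println(r + " -> path=" + p.path + " params=" + p.params
                    + " leaked=" + sessionIdLeakedIntoPath(p));
        }
    }
}
```

The first path yields `/app/main` with the id as a parameter; the second yields a path that still contains `;jsessionid=...` and an empty parameter map.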
Re: Should Form Authentication Valve restore request body on a PUT?
Nicholas,

On 10/6/2011 10:08 PM, Nicholas Sushkin wrote:

> I now reconfigured DefaultServlet in conf/web.xml with readonly=false. Now, an unauthenticated PUT (with or without a body) returns 204 No Content instead of the login form. Seems like a bug. Should I add this behavior to Bug #51940 or a new bug?

I'll bet what is happening is that your PUT request is being forwarded without modification to the login page, and your login page is some static content. Is that right?

If that's what's happening, the DefaultServlet is handling the request, seeing that it is a PUT, and then complaining that it's read-only. When you make the DefaultServlet read-write you tell the DefaultServlet to accept uploads, and you'll probably end up overwriting your login form with the request entity (oops).

It looks like the authenticator code needs to transform the PUT request into a GET (or POST?) so that the DefaultServlet doesn't try to do an upload. I think you'd have similar problems if trying to use a JSP for your login-page, because JSPs can't accept PUT requests unless specifically configured to do so.

Since you're just hacking, try setting the request method to GET when you detect a PUT request that requires authentication.

-chris

Re: Random error while xml xsl transformation
Arvind,

On 10/7/2011 3:42 AM, S Arvind wrote:

> I'm getting this error randomly in the web application which does the XML-XSL transformation. Same data when reloaded exception does not occur.
>
> --error 1
> Caused by: java.lang.ArrayIndexOutOfBoundsException: 7 >= 7
>     at java.util.Vector.elementAt(Vector.java:427)
>     at gnu.xml.aelfred2.SAXDriver.startElement(SAXDriver.java:804)
>     at gnu.xml.aelfred2.XmlParser.parseElement(XmlParser.java:1037)

Looks like you've got a buggy XML parser.

>     at gnu.xml.aelfred2.XmlParser.parseDocument(XmlParser.java:416)
>     at gnu.xml.aelfred2.XmlParser.doParse(XmlParser.java:167)
>     at gnu.xml.aelfred2.SAXDriver.parse(SAXDriver.java:320)
>     at gnu.xml.aelfred2.XmlReader.parse(XmlReader.java:294)
>     at org.apache.xml.dtm.ref.DTMManagerDefault.getDTM(DTMManagerDefault.java:437)
>     at org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:699)

Hmm... mixing Xalan with GNU XML parser? Why not use Xalan + Xerces?

> Is it anyway related to the xml parser which we configured for our webapps?

That seems like a good bet.

> Many of lifes failure are people who did not realize how close they were to success when they gave up. -Thomas Edison

You should fix the grammar in that quote. Edison was smarter than your quote suggests.

-chris

Re: two questions about the session timeout in tomcat
Bill,

On 10/6/2011 7:20 PM, Bill Wang wrote:

> Recently one of Tomcat application has performance issue, which get slow respond with high sessions.

Can you give us some numbers? At what point do things slow down, and by how much do they slow down?

> One team member recommend me to adjust the session timeout from 60 minutes to 30 minutes. I will do that, but before change it, I'd like to understand how the performance related with the expire session timeout.
>
>     <session-timeout>60</session-timeout>

I'm not sure performance will change at all when changing the session timeout. Tomcat runs session-expiration tasks periodically, and the performance of that has more to do with the number of total sessions than the timeout itself.

If you have lots of sessions that must timeout instead of being explicitly invalidated (i.e. people close their browsers instead of logging-out), then you will have a lot of wasted memory that may prevent the garbage collector from working efficiently. It's best to destroy sessions as soon as they are not needed, so short session timeouts can help with that.

On the other hand, you want to give users a reasonable amount of time to get a cup of coffee, etc. without forcing them to re-login every time. You'll have to determine what is an appropriate amount of time for your users.

There is another option: selectively extend the session timeout for certain sessions, or for certain operations. If a user enters a flow that is expected to take a long time or the consequences of having the session time out are frustrating (i.e. you have to re-enter tons of data), you can change the session timeout for that one session to be longer than the default. When the flow is over, you can re-set it back to the default. We do that for a number of tasks in our webapp, for instance.

> Second, currently I monitor the session count by login the admin interface,

Do you mean using the manager app?

> the manual way is not efficiency, can I run some commands to get the sessions number? With that I can set a cronjob and generate the session report easily.

If you have the manager app deployed, you can use the text or XML interfaces from the command-line instead of the HTML interface. Simple use of wget, curl, etc. should allow you to do this kind of thing.

-chris

Re: JSP page that will not update
On Fri, 2011-10-07 at 09:05 -0400, Stephen Caine wrote:

> OK, but can you point me to where I might learn how to do this?

See JavaDocs for HttpServletResponse; also RFC2616 (HTTP 1.1) http://datatracker.ietf.org/doc/rfc2616/

But really, don't bother with this until you understand what the server is actually sending back to the client (i.e. you've configured AccessLogValve and examined and understood what it is telling you).

In FireFox, you might also want to install FireBug and enable the Net tab so you can see what the browser is getting.

Re: two questions about the session timeout in tomcat
On 07/10/2011 00:20, Bill Wang wrote:

> Hi Tomcat Guru,
>
> Recently one of Tomcat application has performance issue, which get slow respond with high sessions.

You should find out exactly why that is, rather than guessing.

> One team member recommend me to adjust the session timeout from 60 minutes to 30 minutes. I will do that, but before change it, I'd like to understand how the performance related with the expire session timeout.

Performance will only be impacted as a side-effect of memory being consumed by the session for a shorter period of time.

>     <session-timeout>60</session-timeout>
>
> Second, currently I monitor the session count by login the admin interface, the manual way is not efficiency, can I run some commands to get the sessions number? With that I can set a cronjob and generate the session report easily.

The session count per application can be read via a JMX connection and a request to the appropriate MBean.

p

Re: Should Form Authentication Valve restore request body on a PUT?
Yup. The body of the POST got written into my login.html. Took me a while to notice that. Good one!

On Friday, October 07, 2011 10:13:00 Christopher Schultz wrote:

> If that's what's happening, the DefaultServlet is handling the request, seeing that it is a PUT, and then complaining that it's read-only. When you make the DefaultServlet read-write you tell the DefaultServlet to accept uploads, and you'll probably end up overwriting your login form with the request entity (oops).

--
Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
Open Finance - Secure, Accurate, Industrial Strength Aggregation
http://www.openfinance.com

Adding Revisions
I apologise if this has been answered somewhere else but I just haven't been able to find it...

Server is running Windows 2003 R2 SP2
Tomcat 6.0.33

I need to mitigate CVE-2011-3190. It appears revision 1162959 fixes it. I cannot find how to apply 1162959. Hopefully someone can tell me the steps or point me to documentation.

Thanks

Brendan P Keenan
Mainframe Automation
CSC
Home Office - Columbia, CT USA
GOS | Global Enterprise Service Mgmt | 1.860.416.0251 | bkee...@csc.com | www.csc.com

Re: Should Form Authentication Valve restore request body on a PUT?
Charles,

Thanks for the suggestion. I set request method to GET on all unauthenticated requests that forward to the login page. That tested well for all RESTful methods, POST, PUT, GET, and DELETE.

Submitted a patch. https://issues.apache.org/bugzilla/show_bug.cgi?id=51940#c2

On Friday, October 07, 2011 10:13:00 Christopher Schultz wrote:

> Since you're just hacking, try setting the request method to GET when you detect a PUT request that requires authentication.

--
Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
Open Finance - Secure, Accurate, Industrial Strength Aggregation
http://www.openfinance.com

RE: Should Form Authentication Valve restore request body on a PUT?
From: Nicholas Sushkin [mailto:nsush...@openfinance.com]
Subject: Re: Should Form Authentication Valve restore request body on a PUT?

> I set request method to GET on all unauthenticated requests that forward to the login page.

I'm confused. If you turn a PUT into a GET, it would seem that the request will likely be badly mishandled once the login process is complete and the original request is sent on to the target servlet/JSP. Am I missing something?

- Chuck

Re: How to get Tomcat HTTP port during startup of the server
Hi

On Fri, Oct 7, 2011 at 2:20 AM, Pid * p...@pidster.com wrote:

> On 6 Oct 2011, at 19:22, Lahiru Gunathilake glah...@gmail.com wrote:
>
>> Hi Charles,
>>
>> This is my usecase, I want to register my application URL to a repository and there is another remote application who reads that URL somewhere and invoke my application. So during the startup I need to register them before I get any request.
>
> Arguably, there's no rush as you won't get requests until the registry reports to its clients that your service is available.
>
> JMX is the best solution, connect JConsole to your Tomcat and explore the Catalina domain.

Yes, I will have a look how to do that! Thanks a lot!

Lahiru

> p
>
>> On Thu, Oct 6, 2011 at 1:38 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
>>
>>> From: Lahiru Gunathilake [mailto:glah...@gmail.com]
>>> Subject: How to get Tomcat HTTP port during startup of the server
>>>
>>>> I have a requirement of getting the Tomcat HTTP port during startup of my application.
>>>
>>> The obvious first question is: why? Also, you must know that Tomcat may be listening on multiple ports, not just one.
>>>
>>>> before getting any HttpRequest I need to talk tomcat HTTP port.
>>>
>>> What do you think you are going to say when you talk to one of the Tomcat ports?
>>>
>>>> Can someone please tell me how to access the http port
>>>
>>> You can use JMX to query nearly all of the Tomcat configuration settings.
>>>
>>> - Chuck
>>
>> --
>> System Analyst Programmer
>> PTI Lab
>> Indiana University

--
System Analyst Programmer
PTI Lab
Indiana University

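The JMX lookup suggested in this thread, as an added example (not code from the thread or from Tomcat): it queries an MBean server for Connector MBeans and reads their `port` and `protocol` attributes. The object-name pattern and the two attribute names are stated from Tomcat's Connector MBean as an assumption; the class name and the stub MBeans, constructed so the block runs outside Tomcat, are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.management.*;

// Added illustration; class and stub names are hypothetical.
public class ConnectorPorts {

    // Returns the ports of all non-AJP connectors registered in the server.
    // Inside Tomcat, pass the server Tomcat registered its MBeans with
    // (assumed here to be ManagementFactory.getPlatformMBeanServer()).
    static List<Integer> httpPorts(MBeanServer server) throws JMException {
        List<Integer> ports = new ArrayList<>();
        ObjectName pattern = new ObjectName("*:type=Connector,*");
        for (ObjectName name : server.queryNames(pattern, null)) {
            String protocol = String.valueOf(server.getAttribute(name, "protocol"));
            if (protocol.toLowerCase(Locale.ROOT).contains("ajp")) {
                continue; // Tomcat may listen on several ports; skip AJP ones
            }
            ports.add(((Number) server.getAttribute(name, "port")).intValue());
        }
        Collections.sort(ports);
        return ports;
    }

    // Constructed stand-in for a Connector MBean, exposing only the two
    // read-only attributes the query needs.
    static final class StubConnector implements DynamicMBean {
        private final int port;
        private final String protocol;
        StubConnector(int port, String protocol) {
            this.port = port;
            this.protocol = protocol;
        }
        public Object getAttribute(String a) throws AttributeNotFoundException {
            if (a.equals("port")) return port;
            if (a.equals("protocol")) return protocol;
            throw new AttributeNotFoundException(a);
        }
        public void setAttribute(Attribute a) throws AttributeNotFoundException {
            throw new AttributeNotFoundException(a.getName());
        }
        public AttributeList getAttributes(String[] names) {
            AttributeList out = new AttributeList();
            for (String n : names) {
                try {
                    out.add(new Attribute(n, getAttribute(n)));
                } catch (AttributeNotFoundException ignored) {
                    // unknown names are skipped, as the JMX contract allows
                }
            }
            return out;
        }
        public AttributeList setAttributes(AttributeList l) {
            return new AttributeList();
        }
        public Object invoke(String op, Object[] p, String[] sig) throws ReflectionException {
            throw new ReflectionException(new NoSuchMethodException(op));
        }
        public MBeanInfo getMBeanInfo() {
            MBeanAttributeInfo[] attrs = {
                new MBeanAttributeInfo("port", "int", "listen port", true, false, false),
                new MBeanAttributeInfo("protocol", "java.lang.String", "protocol", true, false, false)
            };
            return new MBeanInfo(getClass().getName(), "constructed stub", attrs, null, null, null);
        }
    }

    public static void main(String[] args) throws JMException {
        // Constructed sample: one HTTP and one AJP connector in a private server.
        MBeanServer server = MBeanServerFactory.newMBeanServer();
        server.registerMBean(new StubConnector(8080, "HTTP/1.1"),
                new ObjectName("Catalina:type=Connector,port=8080"));
        server.registerMBean(new StubConnector(8009, "AJP/1.3"),
                new ObjectName("Catalina:type=Connector,port=8009"));
        System.out.println("HTTP ports: " + httpPorts(server));
    }
}
```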
Re: Adding Revisions
- Original Message -
From: Brendan P Keenan bkee...@csc.com
To: users@tomcat.apache.org
Cc:
Sent: Friday, October 7, 2011 9:08 AM
Subject: Adding Revisions

> I apologise if this has been answered somewhere else but I just haven't been able to find it...
>
> Server is running Windows 2003 R2 SP2
> Tomcat 6.0.33
>
> I need to mitigate CVE-2011-3190. It appears revision 1162959 fixes it. I cannot find how to apply 1162959. Hopefully someone can tell me the steps or point me to documentation.
>
> Thanks
>
> Brendan P Keenan
> Mainframe Automation
> CSC

Could you use one of the two mitigation recommendations?

The announcement:

http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released)

If you're using mod_jk, then the following two links give you detailed configuration information.

http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html
http://tomcat.apache.org/connectors-doc/reference/workers.html

If you're using mod_proxy_ajp or mod_jk earlier than 1.2.12 (upgrade), then you can change the AJP connector protocol to org.apache.jk.server.JkCoyoteHandler as per the announcement.

. . . . just my two cents.

/mde/

RE: Adding Revisions
From: Brendan P Keenan [mailto:bkee...@csc.com]
Subject: Adding Revisions

> I cannot find how to apply 1162959. Hopefully someone can tell me the steps or point me to documentation

Have you read this?

http://tomcat.apache.org/tomcat-6.0-doc/building.html

- Chuck

Re: Should Form Authentication Valve restore request body on a PUT?
Before being forwarded to login page, the request is saved and only then turned into GET, before dispatching the forward to the login page. After login form is submitted, the original request is restored from the saved state and is replayed.

On Friday, October 07, 2011 12:51:48 Caldarale, Charles R wrote:

> I'm confused. If you turn a PUT into a GET, it would seem that the request will likely be badly mishandled once the login process is complete and the original request is sent on to the target servlet/JSP. Am I missing something?
>
> - Chuck

--
Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
Open Finance - Secure, Accurate, Industrial Strength Aggregation
http://www.openfinance.com

Re: Should Form Authentication Valve restore request body on a PUT?
The bug was that if you do an unauthenticated POST, PUT, or DELETE, the Form Authentication valve was trying to do a POST, PUT, or DELETE to the login form.

The correct behaviour IMHO is to always GET the login form and return it as a response to the unauthenticated request of any kind. Then, once the form is POSTed and authentication is successful, the original request whatever it may have been, should be replayed. Right?

On Friday, October 07, 2011 16:07:20 Nicholas Sushkin wrote:

> Before being forwarded to login page, the request is saved and only then turned into GET, before dispatching the forward to the login page. After login form is submitted, the original request is restored from the saved state and is replayed.

--
Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
Open Finance - Secure, Accurate, Industrial Strength Aggregation
http://www.openfinance.com

RE: Should Form Authentication Valve restore request body on a PUT?
From: Nicholas Sushkin [mailto:nsush...@openfinance.com]
Subject: Re: Should Form Authentication Valve restore request body on a PUT?

> The correct behaviour IMHO is to always GET the login form and return it as a response to the unauthenticated request of any kind. Then, once the form is POSTed and authentication is successful, the original request whatever it may have been, should be replayed. Right?

Yes, that sounds correct. It wasn't clear to me in what order things were being done.

- Chuck
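
The save, forward-as-GET and replay order agreed on in this thread, as an added model (not Tomcat's FormAuthenticator and not the submitted patch). A writable static-file handler stands in for a DefaultServlet with readonly=false, and the replay is collapsed into the login step; every class, method, path and credential below is hypothetical and constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

// Added model of the flow; all names and values here are hypothetical.
public class FormAuthReplayModel {

    static final class Request {
        final String method;
        final String uri;
        final byte[] body;
        Request(String method, String uri, byte[] body) {
            this.method = method;
            this.uri = uri;
            this.body = body;
        }
    }

    static final class Session {
        Request saved;           // original request, kept until login succeeds
        boolean authenticated;
    }

    // Stand-in for a writable static-file handler: GET reads, PUT overwrites.
    static final Map<String, String> files = new HashMap<>();

    static String staticHandler(Request r) {
        if (r.method.equals("PUT")) {
            files.put(r.uri, new String(r.body, StandardCharsets.UTF_8));
            return "204";
        }
        if (r.method.equals("GET") && files.containsKey(r.uri)) {
            return "200 " + files.get(r.uri);
        }
        return "405";
    }

    // Protected resource: reports what it finally received.
    static String target(Request r) {
        return "200 target got " + r.method + " " + r.uri + " (" + r.body.length + " bytes)";
    }

    // Authenticator. forwardAsGet=false models the reported behaviour, where
    // the original method and body reach the login page's handler.
    static String handle(Session s, Request r, boolean forwardAsGet) {
        if (s.authenticated) {
            return target(r);
        }
        s.saved = r; // save method, URI and body before changing anything
        if (forwardAsGet) {
            return staticHandler(new Request("GET", "/login.html", new byte[0]));
        }
        return staticHandler(new Request(r.method, "/login.html", r.body));
    }

    // Login form submission: on success the saved request is replayed with
    // its original method and body.
    static String login(Session s, String user, String password) {
        if (!"alice".equals(user) || !"example-password".equals(password)) {
            return "401";
        }
        s.authenticated = true;
        Request original = s.saved;
        s.saved = null;
        return target(original);
    }

    public static void main(String[] args) {
        byte[] body = "{\"qty\":5}".getBytes(StandardCharsets.UTF_8); // constructed body
        for (boolean forwardAsGet : new boolean[] {false, true}) {
            files.clear();
            files.put("/login.html", "<form>login</form>");
            Session s = new Session();
            String first = handle(s, new Request("PUT", "/api/item/1", body), forwardAsGet);
            String replay = login(s, "alice", "example-password");
            System.out.println("forwardAsGet=" + forwardAsGet
                    + " first=" + first
                    + " login.html=" + files.get("/login.html")
                    + " replay=" + replay);
        }
    }
}
```

With `forwardAsGet=false` the unauthenticated PUT returns 204 and the stored login page is replaced by the request body; with `true` the login form is served unchanged and the PUT reaches the target only after login.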