Re: Configuration for both protected and public URLs in a web application
Thanks for your response. I tried your suggestion, unfortunately it did not work. There must be a solution for this as most web applications have both public and protected URLs.

On Fri, Oct 14, 2011 at 5:50 PM, sailendra karthik karthiksailen...@gmail.com wrote:

> On 10/15/11, Yogesh Shankarappa yogsb...@gmail.com wrote:
>> Hello All,
>>
>> I am trying to configure web.xml to have both protected and public URLs but still the app authenticates the public URLs. Protected URLs work fine. I would greatly appreciate if you can help to configure the whole application as protected except for a few URLs which should be public and without authentication. I could have added each URL for protected but there are plenty, hence using /* for protected.
>>
>> *protected URLs*
>>
>>   <security-constraint>
>>     <web-resource-collection>
>>       <web-resource-name>Protected</web-resource-name>
>>       <url-pattern>/*</url-pattern>
>>     </web-resource-collection>
>>     <auth-constraint>
>>       <role-name>AUTHENTICATED_USERS</role-name>
>>     </auth-constraint>
>>   </security-constraint>
>>
>> *public URLs*
>>
>>   <security-constraint>
>>     <web-resource-collection>
>>       <web-resource-name>Unprotected</web-resource-name>
>>       <url-pattern>/public/welcome.html</url-pattern>
>>     </web-resource-collection>
>>   </security-constraint>
>>
>> Thanks in advance.
>>
>> Thanks
>> Yogesh
>
> Try to do like this for public urls
> Put an empty auth-constraint Tag
>
> *public URLs*
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Unprotected</web-resource-name>
>       <url-pattern>/public/welcome.html</url-pattern>
>     </web-resource-collection>
>     <auth-constraint />
>   </security-constraint>
>
> Reference:- http://java.dzone.com/articles/understanding-web-security

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Configuration for both protected and public URLs in a web application
On 15/10/11 14:47, Yogesh Shankarappa wrote:
> Thanks for your response. I tried your suggestion, unfortunately it did not work. There must be a solution for this as most web applications have both public and protected URLs.
>
>>> *public URLs*
>>>
>>>   <security-constraint>
>>>     <web-resource-collection>
>>>       <web-resource-name>Unprotected</web-resource-name>
>>>       <url-pattern>/public/welcome.html</url-pattern>
>>>     </web-resource-collection>
>>>   </security-constraint>
>>>
>>> Thanks in advance.
>>>
>>> Thanks
>>> Yogesh
>>
>> Try to do like this for public urls
>> Put an empty auth-constraint Tag
>>
>> *public URLs*
>>
>>   <security-constraint>
>>     <web-resource-collection>
>>       <web-resource-name>Unprotected</web-resource-name>
>>       <url-pattern>/public/welcome.html</url-pattern>
>>     </web-resource-collection>
>>     <auth-constraint />
>>   </security-constraint>
>>
>> Reference:- http://java.dzone.com/articles/understanding-web-security

Here is an extract from a web.xml that does what you want... it is the presence of a security constraint WITHOUT an auth constraint AT ALL that denotes public, unauthenticated access.

(Note... don't forget to permit access to the webapp base url if you have turned off directory browsing and you want the default servlet to redirect to your welcome page).

  <security-constraint>
    <display-name>Free Access</display-name>
    <web-resource-collection>
      <web-resource-name>unauthed users can GET only</web-resource-name>
      <!-- Define the context-relative URLs to be unprotected -->
      <!-- must unprotect base url to permit redirect to welcome! -->
      <url-pattern>/</url-pattern>
      <url-pattern>/myAccessControl.html</url-pattern>
      <url-pattern>/myError.jsp</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <!-- absence of auth-constraint means anyone at all can access this area -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Restricted Access</display-name>
    <web-resource-collection>
      <web-resource-name>Protected web application</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/*</url-pattern>
      <!-- no list of http methods, so ALL methods are protected -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only someone authenticated with one of these roles can access this area -->
      <role-name>manager</role-name>
      <role-name>family</role-name>
    </auth-constraint>
  </security-constraint>

Hope this sorts out your problem - when I had something similar it drove me nuts reading the servlet specs and the tomcat docs to work out exactly how to do it.

Brian
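Added example (not part of any message in this thread and not Tomcat's code): a small Python model of the Servlet specification's constraint-selection rules, run over constructed web.xml fragments based on the ones quoted above, showing why an empty auth-constraint blocks the page while an absent one makes it public. The function names, the sample paths and the http-method element added to the public constraint are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments modelled on the thread (angle brackets restored).
PROTECTED = """<security-constraint>
  <web-resource-collection><web-resource-name>Protected</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>AUTHENTICATED_USERS</role-name></auth-constraint>
</security-constraint>"""
PUBLIC = """<security-constraint>
  <web-resource-collection><web-resource-name>Unprotected</web-resource-name>
    <url-pattern>/public/welcome.html</url-pattern>
    <http-method>GET</http-method></web-resource-collection>
  %s
</security-constraint>"""
EMPTY_AUTH = "<web-app>" + PROTECTED + PUBLIC % "<auth-constraint/>" + "</web-app>"
NO_AUTH = "<web-app>" + PROTECTED + PUBLIC % "" + "</web-app>"


def load_constraints(web_xml):
    """Return (patterns, methods, roles) per web-resource-collection.
    roles is None when <auth-constraint> is absent and [] when it is empty."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]          # ignore any xmlns prefix
    found = []
    for sc in root.iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.iter("role-name")]
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.iter("http-method")}
            found.append((patterns, methods, roles))
    return found


def match_rank(pattern, path):
    """Spec URL matching order: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (4, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (3, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (2, 0)
    if pattern == "/":
        return (1, 0)
    return None


def decide(constraints, path, method="GET"):
    """Pick the best-matching url-pattern, keep the constraints on it that cover
    the method, then combine their auth-constraints as the spec describes."""
    best, selected = None, []
    for patterns, methods, roles in constraints:
        for pattern in patterns:
            rank = match_rank(pattern, path)
            if rank is None or (best is not None and rank < best):
                continue
            if best is None or rank > best:
                best, selected = rank, []           # a better pattern replaces the rest
            if not methods or method.upper() in methods:
                selected.append(roles)
    if not selected:
        return "permit"     # no pattern matched, or method not constrained at best match
    if any(r == [] for r in selected):
        return "deny"       # empty auth-constraint: no access for anyone
    if any(r is None for r in selected):
        return "permit"     # no auth-constraint: unauthenticated access
    return "roles: " + ",".join(sorted({x for r in selected for x in r}))


if __name__ == "__main__":
    for name, xml in (("empty auth-constraint", EMPTY_AUTH), ("no auth-constraint", NO_AUTH)):
        print(name, "->", decide(load_constraints(xml), "/public/welcome.html"))
```

Under these rules a constraint that lists http-method GET leaves other methods on the same URL unconstrained, so a public constraint written that way is worth checking with each method you care about.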
Re: Configure tomcat using init.d
On 14/10/2011 16:31, Mark Thomas wrote:
> On 14/10/2011 16:15, Mark H. Wood wrote:
>> This I can agree with. They don't allow application managers access to Tomcat's config., but anyone can drop stuff into /etc/init.d, whence it will run as root? Really? Something is not right here.
>
> +1 These support guys need firing...
>
> Is it just me, or is the simple privilege escalation attack that this makes possible the quickest way to solve this? :) Granted, it isn't the best way to solve it but boy would I be tempted in your shoes.

Yes, quite.

p
Re: appbase directory deleted partically
On 14/10/2011 04:07, Osamu Ochiai wrote:
> Hello
>
> The problem: Tomcat started successfully but the deployed webapp did not work because the appbase directory was deleted partially. Maybe the directory was deleted by mistake without user's intention. Can Tomcat delete appbase directory except in the case of webapp WAR. updated (deploy)?
>
> The environment: Tomcat6.0.29, Java SE6, Windows7

The appBase directory was partially deleted? What does that mean, the contents of it were deleted or the directory itself?

p
Re: filters on j_security_check
On 13/10/2011 20:53, Caldarale, Charles R wrote:
> If you want to do programmatic security in addition to declarative security,

Or use the Servlet 3.0 APIs, supported by Tomcat.

p
Re: Session across Realm and Servlet
On 14/10/2011 22:36, sailendra karthik wrote:
> I need to maintain a session object between Realm and Servlet.
>
> I have written a CustomRealm and every thing working fine and now it is required to send an object to servlets (possibly by HttpRequestServlet ) But i know/think Servlet is not yet Initiated.
>
> So how it is possible to access HttpRequestServlet and set some session attribute in my Custom Realm which extends RealmBase. Or else it should be a different Procedure.
>
> Waiting for some clue.

This is clear, but so are we. Which version of Tomcat for example?

p
Re: Help with mixed SSL and non-SSL pages in Tomcat 7.0
On 14/10/2011 21:09, Janet Preston wrote:
> I have a web site with a login page that has to be accessed using SSL so that the password is not sent as clear text.

That's good.

> The rest of the site is non-SSL.

Oh. Why not?

p
Re: Classloaders in catalina.properties
On 14/10/2011 17:52, spr...@gmx.eu wrote:
> Hi,
>
> in catalina.properties I can define paths for common, server and shared loaders. Where do I find them here in the docs?:
> http://tomcat.apache.org/tomcat-7.0-doc/class-loader-howto.html
>
> Here we have only system and common...

Because, while the functionality remains, it's no longer the default.

See: http://tomcat.apache.org/tomcat-5.5-doc/class-loader-howto.html

p
Re: Tomcat 7 won't run as Windows service
On 14/10/2011 13:16, Konstantin Kolinko wrote:
> 2011/10/14 David Rush da...@rushtone.com:
>> I've been running Tomcat 6.0.18 for a long time, and am now trying to upgrade to 7.0.22 (64 bit .zip download).
>>
>> I can start Tomcat 7 with startup.bat and it's working fine. The script to install it as a service worked without complaint, and the service is there.

Did you uninstall the old service first?

p
Re: Problem in spring-tomcat project
On 14/10/2011 17:41, Anisha Karki wrote:
> I am following the tutorial: http://static.springsource.org/docs/Spring-MVC-step-by-step/part2.html on developing and configuring the views and the controller. But i am getting following error:
>
>   org.apache.jasper.JasperException: /index.jsp (line: 1, column: 1) The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed
>
> I have already copied jstl.jar and jsltl-standard.jar to WEB-INF folder but the problem is not solved. How to solve this problem ?any help would be appreciated.

Is this a Spring tutorial question or a Tomcat question? You don't mention anything about Tomcat.

p
WebApp access to a LAN share
Hello,

Thank you for reading my post.

Here is my problem:

- I have two machines S and M on the same LAN.
- S is a Debian machine running a Tomcat server.
- And I have a WebApp W deployed on this Tomcat server.
- M is a Windows machine which hosts some files for W.
- S and M belong to the same Samba domain.
- On M, the WebApp files are stored in a directory: C:\p1\p2\.
- p2 is a share.
- Somewhere in the WebApp Java code, I have declared a final to store the files path. Here is what I wrote:

    public static final String s_path = "//M/p2/";

- Now, when I manipulate the WebApp in such a way a file f.xml located in C:\p1\p2\p3\ has to be opened and read, I get the following error:

    java.io.FileNotFoundException: /M/p2/p3/f.xml (No such file or directory)

My question is: how do I have to declare s_path to properly access, from S (W), those files which are stored on M?

(I basically want to have the data on one machine and Tomcat on another machine).

Can you help me?

Best regards,
--
Léa
Re: WebApp access to a LAN share
On 15/10/11 19:38, Léa Massiot wrote:
> Hello,
>
> Thank you for reading my post.
>
> Here is my problem:
>
> - I have two machines S and M on the same LAN.
> - S is a Debian machine running a Tomcat server.
> - And I have a WebApp W deployed on this Tomcat server.
> - M is a Windows machine which hosts some files for W.
> - S and M belong to the same Samba domain.
> - On M, the WebApp files are stored in a directory: C:\p1\p2\.
> - p2 is a share.
> - Somewhere in the WebApp Java code, I have declared a final to store the files path. Here is what I wrote:
>
>     public static final String s_path = "//M/p2/";
>
> - Now, when I manipulate the WebApp in such a way a file f.xml located in C:\p1\p2\p3\ has to be opened and read, I get the following error:
>
>     java.io.FileNotFoundException: /M/p2/p3/f.xml (No such file or directory)
>
> My question is: how do I have to declare s_path to properly access, from S (W), those files which are stored on M?
>
> (I basically want to have the data on one machine and Tomcat on another machine).
>
> Can you help me?
>
> Best regards,
> --
> Léa

Well, for a start a webapp is not normally allowed to access files outside its own container... this is usually only the {catalina.base}/webapps/yourWebapp/ directory and its contents.

You can get outside that container with a context.xml docbase element, but I can see that won't work for you because you are talking as if you have/need most of your webapp within the container.

The only way I know to access data outside the container (under linux) is to define a linux symlink from inside the container to a directory path outside the container. You also need to permit the webapp to follow the symlink, because that is not normally allowed.

I //think// you should be able to symlink to a samba share - I do that successfully, but haven't tried to hang the whole thing together for a webapp under tomcat, so I can't promise it will work.

Tomcat docs tell you how to do this, but I have a more newbie-friendly explanation for a jspwiki plugin that I wrote. You can read it here: http://www.jspwiki.org/wiki/PhotoCollectionPlugin

Good luck!

Brian
Re: WebApp access to a LAN share
On 15/10/2011 19:38, Léa Massiot wrote:
> Hello,
>
> Thank you for reading my post.
>
> Here is my problem:
>
> - I have two machines S and M on the same LAN.
> - S is a Debian machine running a Tomcat server.
> - And I have a WebApp W deployed on this Tomcat server.
> - M is a Windows machine which hosts some files for W.
> - S and M belong to the same Samba domain.
> - On M, the WebApp files are stored in a directory: C:\p1\p2\.
> - p2 is a share.
> - Somewhere in the WebApp Java code, I have declared a final to store the files path. Here is what I wrote:
>
>     public static final String s_path = "//M/p2/";
>
> - Now, when I manipulate the WebApp in such a way a file f.xml located in C:\p1\p2\p3\ has to be opened and read, I get the following error:
>
>     java.io.FileNotFoundException: /M/p2/p3/f.xml (No such file or directory)
>
> My question is: how do I have to declare s_path to properly access, from S (W), those files which are stored on M?
>
> (I basically want to have the data on one machine and Tomcat on another machine).
>
> Can you help me?

Yes. If there's a way to avoid this strategy, you should do.

Why do you need to access this file across the network and is there more than one file?

Are you sure that the Tomcat user actually has permission to access the file?

p
Re: filters on j_security_check
> This is one of the reasons I switched to SecurityFilter: there is a FlexibleRealmInterface that passes-in the HttpServletRequest that was used to attempt authentication. That allows you to get nice things like the ip address of the request for logging.

I'm interested in what you are talking about; where can I find info about SecurityFilter?

I've used Spring Security for reasons like yours but I want to try other options.

Thanks
Virtual Hosts, SSL, Tomcat
I potentially have the need to support multiple virtual hosts with SSL on a single IP address / port combination. This is called named virtual hosts on Apache HTTPD, and virtual hosts with a single connector on Tomcat.

With a late version of Apache HTTPD / OpenSSL / mod_ssl, I can accomplish this using SNI ( server name indication - RFC 4366). IE (7 and 8) will fail on Windows/XP, but all other reasonable browser / OS combinations are reported to work. I can then tie these named virtual hosts to the appropriate Tomcat virtual hosts via mod_jk.

I'm also trying to do this natively on Tomcat (either 6.0.33 or 7.0.22). Unfortunately this doesn't look to be easily possible. Based on the brief discussions on the mailing list and some other reading, I've come up with the following possible solutions.

1. Use the APR connector for SSL

   This will get me the OpenSSL support for SNI. Unfortunately there doesn't seem to be a way to enter more than one certificate file.

2. Use Java 7

   Java 7 has support for SNI. I think I would have to do the following in order to be successful. Please correct me if I'm wrong.

   a. Build the appropriate Tomcat using Java 7 JDK
   b. Replace Eclipse JDT with Java 7 JDK
   c. Build web applications with Java 7 JDK
   d. Run Tomcat under Java 7 JRE
   e. Ensure that JSSE is being used
   f. Add multiple certificates to the keystore

3. Use wildcard certificates

   If I restrict the virtual hosts on a physical host to a single domain or subdomain, I should be able to use *.some.domain.com as a way of providing a certificate.

The easiest (and most generally usable) mechanisms still seem to be the standard unique address/port combination or a wildcard certificate.

Have I missed (or misunderstood) the current state of SSL affairs? Are there other practical solutions for running Tomcat virtual hosts with SSL?

Thanks in advance.

/mde/
Re: Virtual Hosts, SSL, Tomcat
On 15/10/2011 21:26, Mark Eggers wrote:
> I potentially have the need to support multiple virtual hosts with SSL on a single IP address / port combination. This is called named virtual hosts on Apache HTTPD, and virtual hosts with a single connector on Tomcat.
>
> With a late version of Apache HTTPD / OpenSSL / mod_ssl, I can accomplish this using SNI ( server name indication - RFC 4366). IE (7 and 8) will fail on Windows/XP, but all other reasonable browser / OS combinations are reported to work. I can then tie these named virtual hosts to the appropriate Tomcat virtual hosts via mod_jk.

That is the way I would recommend right now.

> I'm also trying to do this natively on Tomcat (either 6.0.33 or 7.0.22). Unfortunately this doesn't look to be easily possible. Based on the brief discussions on the mailing list and some other reading, I've come up with the following possible solutions.
>
> 1. Use the APR connector for SSL
>
> This will get me the OpenSSL support for SNI. Unfortunately there doesn't seem to be a way to enter more than one certificate file.

Correct. There is no code in the APR/native connector to handle this. It should be possible to implement but it isn't there yet.

> 2. Use Java 7
>
> Java 7 has support for SNI.

Only on the client side, not the server side so this is not an option.

> 3. Use wildcard certificates
>
> If I restrict the virtual hosts on a physical host to a single domain or subdomain, I should be able to use *.some.domain.com as a way of providing a certificate.

Yep, that should work.

> The easiest (and most generally usable) mechanisms still seem to be the standard unique address/port combination or a wildcard certificate.
>
> Have I missed (or misunderstood) the current state of SSL affairs?

They are a little worse than you thought.

> Are there other practical solutions for running Tomcat virtual hosts with SSL?

Not that I can think of.

Mark
Re: Tomcat 7 won't run as Windows service
No, I did not uninstall the old service. I'd like to be able to keep multiple Tomcat instances going at once. Normally I do keep multiple instances, each installed as a service (on different ports with different service names), but they've always been of the exact same version.

Would there be an issue with different Tomcat versions installed at once?

On my development box I did get the Tomcat Windows service to run after moving back to Java 6. But my last attempt to install and run a Windows service on our staging machine is now failing to run as a service as well, although I'm not getting the commons-daemon error like before.

Again I can run it fine from startup.bat, and can install the service, but starting the service fails. Nothing notable in stdout or stderr logs, either. Event viewer says "The david2 Tomcat 7 service terminated with service-specific error 0 (0x0)." Bah.

What exactly is needed for the Tomcat bootstrapping to find the Java install that it's to use? I thought that setting JAVA_HOME in setenv.bat was a way, but apparently that's not used when it runs as a service. Is it a matter of having JAVA_HOME set at the time that the service is created, and it keeps that value in the service configuration somehow? Or does the JAVA_HOME env var have to be set in the environment of the service that's trying to run, every time it starts?

David

On 10/15/2011 10:31 AM, Pid wrote:
> On 14/10/2011 13:16, Konstantin Kolinko wrote:
>> 2011/10/14 David Rush da...@rushtone.com:
>>> I've been running Tomcat 6.0.18 for a long time, and am now trying to upgrade to 7.0.22 (64 bit .zip download).
>>>
>>> I can start Tomcat 7 with startup.bat and it's working fine. The script to install it as a service worked without complaint, and the service is there.
>
> Did you uninstall the old service first?
>
> p
RE: WebApp access to a LAN share
From: Brian Burch [mailto:br...@pingtoo.com]
Subject: Re: WebApp access to a LAN share

> Well, for a start a webapp is not normally allowed to access files outside its own container...

Unless you've configured Tomcat to use a security manager, that's simply false; webapps run under the same userid and access rights that all of Tomcat does. Even if you have a security manager, it's fairly trivial to configure it to allow a given webapp to access whatever it needs to.

> You can get outside that container with a context.xml docbase element, but I can see that won't work for you because you are talking as if you have/need most of your webapp within the container.

This has nothing to do with what the OP was asking; what you're describing is how to locate a _webapp_ outside of the Tomcat directory structure, not just data the webapp wants to access.

> The only way I know to access data outside the container (under linux) is to define a linux symlink from inside the container to a directory path outside the container.

I think you're confusing client access to resources on the server with webapp access to data files; they are completely independent.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Virtual Hosts, SSL, Tomcat
Mark,

Thanks for the weekend reply. Too bad SNI in Java 7 is only client side for the time being.

So it looks like:

1. Wildcard certs and restrict server architecture
2. Apache mod_ssl SNI / mod_jk and restrict clients (may not be possible)
3. Traditional one cert per IP-based virtual host on Apache HTTPD and chew up IP address space.

. . . . just my two cents.

/mde/

( a new record in short messages from me ;-) )

----- Original Message -----
From: Mark Thomas ma...@apache.org
To: Tomcat Users List users@tomcat.apache.org
Cc:
Sent: Saturday, October 15, 2011 1:32 PM
Subject: Re: Virtual Hosts, SSL, Tomcat

> On 15/10/2011 21:26, Mark Eggers wrote:
>> I potentially have the need to support multiple virtual hosts with SSL on a single IP address / port combination. This is called named virtual hosts on Apache HTTPD, and virtual hosts with a single connector on Tomcat.
>>
>> With a late version of Apache HTTPD / OpenSSL / mod_ssl, I can accomplish this using SNI ( server name indication - RFC 4366). IE (7 and 8) will fail on Windows/XP, but all other reasonable browser / OS combinations are reported to work. I can then tie these named virtual hosts to the appropriate Tomcat virtual hosts via mod_jk.
>
> That is the way I would recommend right now.
>
>> I'm also trying to do this natively on Tomcat (either 6.0.33 or 7.0.22). Unfortunately this doesn't look to be easily possible. Based on the brief discussions on the mailing list and some other reading, I've come up with the following possible solutions.
>>
>> 1. Use the APR connector for SSL
>>
>> This will get me the OpenSSL support for SNI. Unfortunately there doesn't seem to be a way to enter more than one certificate file.
>
> Correct. There is no code in the APR/native connector to handle this. It should be possible to implement but it isn't there yet.
>
>> 2. Use Java 7
>>
>> Java 7 has support for SNI.
>
> Only on the client side, not the server side so this is not an option.
>
>> 3. Use wildcard certificates
>>
>> If I restrict the virtual hosts on a physical host to a single domain or subdomain, I should be able to use *.some.domain.com as a way of providing a certificate.
>
> Yep, that should work.
>
>> The easiest (and most generally usable) mechanisms still seem to be the standard unique address/port combination or a wildcard certificate.
>>
>> Have I missed (or misunderstood) the current state of SSL affairs?
>
> They are a little worse than you thought.
>
>> Are there other practical solutions for running Tomcat virtual hosts with SSL?
>
> Not that I can think of.
>
> Mark
RE: filters on j_security_check
From: Chema [mailto:demablo...@gmail.com]
Subject: Re: filters on j_security_check

> where I can find info about SecurityFilter ?

The first hit on Google...

 - Chuck
Re: Session across Realm and Servlet
On 10/15/11, Pid p...@pidster.com wrote:
> On 14/10/2011 22:36, sailendra karthik wrote:
>> I need to maintain a session object between Realm and Servlet.
>>
>> I have written a CustomRealm and every thing working fine and now it is required to send an object to servlets (possibly by HttpRequestServlet ) But i know/think Servlet is not yet Initiated.
>>
>> So how it is possible to access HttpRequestServlet and set some session attribute in my Custom Realm which extends RealmBase. Or else it should be a different Procedure.
>>
>> Waiting for some clue.
>
> This is clear, but so are we. Which version of Tomcat for example?
>
> p

Tomcat 6.0.22
Re: Session across Realm and Servlet
On 10/16/11, sailendra karthik karthiksailen...@gmail.com wrote:
> On 10/15/11, Pid p...@pidster.com wrote:
>> On 14/10/2011 22:36, sailendra karthik wrote:
>>> I need to maintain a session object between Realm and Servlet.
>>>
>>> I have written a CustomRealm and every thing working fine and now it is required to send an object to servlets (possibly by HttpRequestServlet ) But i know/think Servlet is not yet Initiated.
>>>
>>> So how it is possible to access HttpRequestServlet and set some session attribute in my Custom Realm which extends RealmBase. Or else it should be a different Procedure.
>>>
>>> Waiting for some clue.
>>
>> This is clear, but so are we. Which version of Tomcat for example?
>>
>> p
>
> Tomcat 6.0.22

As you asked about version of Tomcat, Is it possible in some tomcat version, if yes, can you tell me that version and which portion in that tomcat version(like few classes) makes it possible.

Thanks