Re: making security constraints configureable

2011-11-07 Thread Leon Rosenberg
Hello Konstantin,

On Mon, Nov 7, 2011 at 4:30 AM, Konstantin Kolinko
knst.koli...@gmail.com wrote:
> 2011/11/3 Leon Rosenberg rosenberg.l...@gmail.com:
>> I have a situation where an application is accessible from outside in
>> staging and production environment, but shouldn't be open for public
>> in staging environment.
>
> Put it behind Apache HTTPD (or any other proxy) and let HTTPD handle
> authentication & authorization instead of Tomcat.

That would be the last and least acceptable choice...


> I'd advise against using BASIC auth in public internet, unless the
> channel is protected with HTTPS.
>
>> What we did so far was, that we excluded everyone via web.xml:
>
> You can automate the above. If you pack your war file using Ant, you
> can use <replaceregexp> task.

This doesn't work, cause we use exactly the same war in prod and preprod.

But thanx for suggestions anyway!

thanx
Leon


> Best regards,
> Konstantin Kolinko




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: making security constraints configureable

2011-11-07 Thread André Warnier



What kind of user authentication is being used in the background ?
And how many authenticated users can there be ?

If there are not that many, the idea : in your auth constraints, specify that the 
application is accessible by the role myapp.
Then depending on who should be able to access at any particular time, update your users 
database to only give this role to whoever can access at that time, and not to the others.
If some users can access this all the time, then add another role to the auth-constraints 
(e.g. testers), and add this role only to the permanent users.









Catalina.policy file for security option

2011-11-07 Thread Petr Hracek
Dear tomcat users,

I have tried to configure my really old tomcat5 configuration (for using
-security), but tomcat is not running. On my system tomcat5 runs only as a
servlet engine and not as a web server.

Do you have any example catalina.policy file?
My catalina.policy file is:
// ============== SYSTEM CODE PERMISSIONS =================

// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};

// ============== CATALINA CODE PERMISSIONS ===============

// These permissions apply to the launcher code
grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the commons-logging API
grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the JMX server
grant codeBase "file:${catalina.home}/bin/jmx.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to JULI
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
        permission java.util.PropertyPermission "catalina.base", "read";
        permission java.util.logging.LoggingPermission "control";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
        permission java.lang.RuntimePermission "getClassLoader";
        // To enable per context logging configuration, permit read access to the appropriate file.
        // Be sure that the logging configuration is secure before enabling such access
        // eg for the examples web application:
        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the common directory
grant codeBase "file:${catalina.home}/common/-" {
        permission java.security.AllPermission;
};

// These permissions apply to the container's core code, plus any additional
// libraries installed in the server directory
grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
};

// The permissions granted to the balancer WEB-INF/classes and
// WEB-INF/lib directory
grant codeBase "file:${catalina.home}/webapps/balancer/-" {
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
};

// ============== WEB APPLICATION PERMISSIONS =============

// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
        // Required for JNDI lookup of named JDBC DataSource's and
        // javamail named MimePart DataSource used to send mail
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "java.naming.*", "read";
        permission java.util.PropertyPermission "javax.sql.*", "read";

        // OS Specific properties to allow read access
        permission java.util.PropertyPermission "os.name", "read";
        permission java.util.PropertyPermission "os.version", "read";
        permission java.util.PropertyPermission "os.arch", "read";

Re: Catalina.policy file for security option

2011-11-07 Thread André Warnier

Petr Hracek wrote:

Dear tomcat users,

I have try to configure my really old tomcat5 configuration (for using
-security).
but tomcat is not running. 

Petr,
can you be a bit more specific ? what is not running ? does it start ? does it crash after 
starting ? is it just not answering requests ? are there error messages anywhere ?


On my system tomcat5 is run only as servlet

engine and not as web server.

Do you mean for example that it runs as a back-end server (through AJP e.g.), with a 
front-end webserver serving all static content ?






Not able to access applications using contextroot

2011-11-07 Thread Gangumolu, Maruti
Hi,

We are getting the following errors in the Catalina log file while starting the
Tomcat server, and we are not able to access the manager web page; we get a 404 error instead.

SEVERE: Context [/manager] startup failed due to previous errors

SEVERE: Context [/host-manager] startup failed due to previous errors

There are also some issues related to a filter in the localhost log file:

org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter authFilter

We are using

Tomcat Version: 6.0

OS: windows server 2003 R2 enterprise Edition

Could you please advise what we need to do to correct this behavior?

Thanks,
Maruti.




Re: Not able to access applications using contextroot

2011-11-07 Thread André Warnier

Gangumolu, Maruti wrote:

Hi,

We are getting the following error in Catalina log file while starting tomcat 
server and not able to access manager web page but getting 404 error.

SEVERE: Context [/manager] startup failed due to previous errors

SEVERE: Context [/host-manager] startup failed due to previous errors

And also some issues related to filter in localhost log file

org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter authFilter


What is authFilter ?



We are using

Tomcat Version: 6.0

OS: windows server 2003 R2 enterprise Edition

Could you please advice what we need to do for correcting this behavior?

Thanks,
Maruti.






RE: Not able to access applications using contextroot

2011-11-07 Thread Gangumolu, Maruti
Hi Andre,

It is .class file and used for authentication purpose.

Thanks,
Maruti.




RE: Not able to access applications using contextroot

2011-11-07 Thread Caldarale, Charles R
> From: Gangumolu, Maruti [mailto:maruti.gangum...@ironmountain.com]
> Subject: RE: Not able to access applications using contextroot
>
> It is .class file and used for authentication purpose.

authFilter appears to be your code, not Tomcat's, and is broken - hence the 
exception.  Look at the logs in more detail to find the cause, and fix your 
code.

 - Chuck





contextFile does not work with profiles?

2011-11-07 Thread Bin Lan
Hi All,

I am trying to use the tomcat maven plugin with different profiles to get
different JNDI parameters so I can connect to different databases. But the
plugin seems to ignore the contextFile in the profile section. Here are
some snapshots of my configuration:

<profiles>
  <profile>
    <id>production</id>
    <activation><activeByDefault>true</activeByDefault></activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-war-plugin</artifactId>
          <configuration>
            <containerConfigXML>${basedir}WebContent/META-INF/production/context.xml</containerConfigXML>
          </configuration>
        </plugin>
        <plugin>
          <groupId>org.apache.tomcat.maven</groupId>
          <artifactId>tomcat6-maven-plugin</artifactId>
          <configuration>
            <contextFile>WebContent/WEB-INF/production/context.xml</contextFile>
          </configuration>
        </plugin>
      </plugins>
    </build>
  </profile>
  <profile>
    <id>staging</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-war-plugin</artifactId>
          <configuration>
            <containerConfigXML>WebContent/META-INF/staging/context.xml</containerConfigXML>
          </configuration>
        </plugin>
        <plugin>
          <groupId>org.apache.tomcat.maven</groupId>
          <artifactId>tomcat6-maven-plugin</artifactId>
          <configuration>
            <contextFile>WebContent/WEB-INF/staging/context.xml</contextFile>
          </configuration>
        </plugin>
      </plugins>
    </build>
  </profile>
  <profile>
    <id>development</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-war-plugin</artifactId>
          <configuration>
            <containerConfigXML>WebContent/META-INF/development/context.xml</containerConfigXML>
          </configuration>
        </plugin>
        <plugin>
          <groupId>org.apache.tomcat.maven</groupId>
          <artifactId>tomcat6-maven-plugin</artifactId>
          <configuration>
            <contextFile>WebContent/WEB-INF/development/context.xml</contextFile>
          </configuration>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>


Here is for tomcat plugin:

<plugin>
  <groupId>org.apache.tomcat.maven</groupId>
  <artifactId>tomcat6-maven-plugin</artifactId>
  <version>2.0-SNAPSHOT</version>
  <configuration>
    <warSourceDirectory>${basedir}/WebContent</warSourceDirectory>
    <contextReloadable>true</contextReloadable>
  </configuration>
</plugin>


Any suggestions?

Regards
Bin


Re: making security constraints configureable

2011-11-07 Thread Daniel Mikusa
Leon,

One possible way to work around this would be to use an SSH tunnel or a
VPN (like OpenVPN) to access your network from the remote locations.

Dan


On Sat, 2011-11-05 at 08:53 -0700, Leon Rosenberg wrote:
> Hello Daniel,
>
> I can't use IP addresses, because it is possible that we show the
> preproduction system in a starbucks to some customers for user testing
> purposes.
> I have no means to know which addresses are allowed and which not.
>
> regards
> Leon
>
> On Thu, Nov 3, 2011 at 7:09 PM, Daniel Mikusa dmik...@vmware.com wrote:
>> Leon,
>>
>> Is it a requirement for you to use BASIC auth?  or could you use
>> something like the Remote Address Filter to restrict by IP address?
>>
>> https://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter
>>
>> If you configure this valve in the restricted environment you can then
>> control who can access to just that environment.
>>
>> Dan
>>
>>
>> On Thu, 2011-11-03 at 10:10 -0700, Leon Rosenberg wrote:
>>> Hello,
>>>
>>> I have a situation where an application is accessible from outside in
>>> staging and production environment, but shouldn't be open for public
>>> in staging environment.
>>> What we did so far was, that we excluded everyone via web.xml:
>>>
>>> <!-- security configuration -->
>>> <login-config>
>>>   <auth-method>BASIC</auth-method>
>>> </login-config>
>>> <security-role>
>>>   <role-name>my-access</role-name>
>>> </security-role>
>>> <security-constraint>
>>>   <display-name>blub</display-name>
>>>   <web-resource-collection>
>>>     <web-resource-name>myres</web-resource-name>
>>>     <url-pattern>*.html</url-pattern>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>my-access</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>> <!-- /security configuration -->
>>>
>>> Is there any possibility to make this conditional, depending on an
>>> environment property? Is there any other opportunity to achieve the
>>> same?
>>> Currently we have to kill the above lines from web.xml after each
>>> deployment and this sucks ;-(
>>>
>>> regards
>>> Leon


Re: contextFile does not work with profiles?

2011-11-07 Thread Bin Lan
Hi All,

Sorry, please ignore this, the option is working. I put the wrong path.

Regards
Bin





Re: making security constraints configureable

2011-11-07 Thread André Warnier

@Leon : I think I misunderstood your requirement, so disregard my previous 
response.

@Dan :  an SSH tunnel for HTTP is a (mild) pain, because of the hostname.  To make it 
work, you need to add an entry to your local hosts file (I assume a laptop), so that it 
resolves myhost.mycompany.com as 127.0.0.1, to connect to the local side of the tunnel.


@Leon (trying to do better this time) : I presume that you have a separate Tomcat server 
(or instance) for staging. If so, the easiest solution would be to leave the production 
one as it is, and your app as it is, and put an apache httpd front-end before only the 
staging Tomcat, and only for external accesses. The filtering/authentication would happen 
on the front-end, and it would only pass the external requests to the back-end staging 
Tomcat if the access conditions are met.
Internal accesses can still go to the staging Tomcat directly, and access the app without 
authentication.
That should be easy to set up, easy being a function of how easily you can set up this 
Apache front-end with a separate hostname on the Internet, and allow it to proxy-pass 
requests to your internal Tomcat staging server.
As you probably do not have a plethora of external staging user-ids, the type of 
authentication setup could be very simple (basic auth, file-based). If basic auth is too 
insecure, you can run the browser/front-end part over HTTPS, still without changing 
anything on Tomcat.







Catalina logs error

2011-11-07 Thread celtic man

12:09:50,399 ERROR [ThreadLocalFilter] Error with web
request.org.apache.jasper.JasperException: javax.servlet.ServletException:
javax.servlet.jsp.JspException: Wildcard term count limit exceeded


What needs to be done ??



RE: Catalina logs error

2011-11-07 Thread Caldarale, Charles R
> From: celtic man [mailto:dheerajman...@hotmail.com]
> Subject: Catalina logs error
>
> 12:09:50,399 ERROR [ThreadLocalFilter] Error with web
> request.org.apache.jasper.JasperException: javax.servlet.ServletException:
> javax.servlet.jsp.JspException: Wildcard term count limit exceeded
>
> What needs to be done ??

Read this:

http://www.catb.org/~esr/faqs/smart-questions.html

Then provide appropriate contextual information.

 - Chuck





Re: SSL connect to APR fails - bad version

2011-11-07 Thread Marvin Addison
The following works as expected on my config (6.0.26) using the
default protocols and cipher suite as in your config:

$ openssl s_client -connect eiger:443 -debug -ssl3
CONNECTED(0003)
...

Something in your SSL version jumped out at me:

OpenSSL 0.9.8e-fips-rhel5

Looks like you're running OpenSSL with the FIPS compliance features
enabled, which may impose additional requirements on SSL negotiation.
I can't provide any further insight, but hopefully it might point to
an area for further investigation.

M




Re: making security constraints configureable

2011-11-07 Thread Terence M. Bandoian

 On 1:59 PM, Konstantin Kolinko wrote:

2011/11/3 Leon Rosenbergrosenberg.l...@gmail.com:

I have a situation where an application is accessable from outside in
staging and production environment, but shouldn't be open for public
in staging environment.

Put it behind Apache HTTPD (or any other proxy) and let HTTPD handle
authentication & authorization instead of Tomcat.

I'd advise against using BASIC auth in public internet, unless the
channel is protected with HTTPS.


What we did so far was, that we excluded everyone via web.xml:


You can automate the above. If you pack your war file using Ant, you
can use <replaceregexp> task.

Best regards,
Konstantin Kolinko


I'm not sure what "open for public" means above.

What about using a system property (e.g. myorg.myapp.isStagingEnv=true) 
in a filter or valve to accept or reject requests?


-Terence Bandoian





Re: making security constraints configureable

2011-11-07 Thread André Warnier

Terence M. Bandoian wrote:

 On 1:59 PM, Konstantin Kolinko wrote:

2011/11/3 Leon Rosenberg <rosenberg.l...@gmail.com>:

I have a situation where an application is accessable from outside in
staging and production environment, but shouldn't be open for public
in staging environment.

Put it behind Apache HTTPD (or any other proxy) and let HTTPD handle
authentication & authorization instead of Tomcat.

I'd advise against using BASIC auth in public internet, unless the
channel is protected with HTTPS.


What we did so far was, that we excluded everyone via web.xml:


You can automate the above. If you pack your war file using Ant, you
can use <replaceregexp> task.

Best regards,
Konstantin Kolinko


I'm not sure what "open for public" means above.

What about using a system property (e.g. myorg.myapp.isStagingEnv=true) 
in a filter or valve to accept or reject requests?


If I (belatedly) understand the requirements properly, Leon does not want to reject 
/all/ requests (that, he could do by undeploying the application). It is more something 
like this:


- requests originating from a range of IP addresses (e.g. the internal LAN) should be 
accepted, without authentication

- requests originating from anywhere else should be submitted to authentication.

Practical case: the application is in a testing state, and should not be available to the 
public at large, only to inside testers. The inside testers should not have to login for that.
However, occasionally, someone may be sitting in an Internet Cafe and want to do a demo 
for a customer from there. He should be able to access the application, but only after 
logging in.


Leon, if the above is not the right description, please correct it.  In such matters, the 
devil is in the details.
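A worked version of the filter Terence proposed, shaped to the two rules André lists above (trusted address range passes without a login, everyone else must authenticate). This is added example code, not anything posted in this thread or shipped with Tomcat. The package name, the `myorg.myapp.trustedCidr` property, and the `/login` path are assumptions; it also assumes a Tomcat-style container that keeps the authenticated principal in the session after a login to a path that web.xml constrains, so that `getUserPrincipal()` is populated on later requests in that session.

```java
package example.staging; // hypothetical package name

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not code from the thread. In the staging environment,
 * requests from a trusted address range pass through without a login;
 * every other client is redirected to a login path that web.xml protects
 * with a security-constraint. In production the filter is a no-op, so the
 * same WAR can be deployed in both environments.
 */
public class StagingAccessFilter implements Filter {

    // Assumed system properties, set with -D on the Tomcat JVM:
    //   myorg.myapp.isStagingEnv=true        (the property Terence suggested)
    //   myorg.myapp.trustedCidr=10.0.0.0/8   (hypothetical name, this example's own)
    private static final String STAGING_PROP = "myorg.myapp.isStagingEnv";
    private static final String CIDR_PROP = "myorg.myapp.trustedCidr";
    private static final String LOGIN_PATH = "/login"; // assumed container-protected path

    private boolean staging;
    private byte[] network;   // network address of the trusted range
    private int prefixLen;    // CIDR prefix length in bits

    @Override
    public void init(FilterConfig config) throws ServletException {
        staging = Boolean.getBoolean(STAGING_PROP);
        // Default to loopback only, so a missing property fails closed.
        String cidr = System.getProperty(CIDR_PROP, "127.0.0.0/8");
        String[] parts = cidr.split("/");
        if (parts.length != 2) {
            throw new ServletException("Expected address/prefix in " + CIDR_PROP + ": " + cidr);
        }
        try {
            network = InetAddress.getByName(parts[0]).getAddress();
            prefixLen = Integer.parseInt(parts[1]);
        } catch (UnknownHostException e) {
            throw new ServletException("Bad address in " + CIDR_PROP + ": " + cidr, e);
        } catch (NumberFormatException e) {
            throw new ServletException("Bad prefix in " + CIDR_PROP + ": " + cidr, e);
        }
        if (prefixLen < 0 || prefixLen > network.length * 8) {
            throw new ServletException("Prefix length out of range in " + CIDR_PROP + ": " + cidr);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Production, the login path itself, a trusted network, or an already
        // authenticated session: let the request through.
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy, configure
        // Tomcat's RemoteIpValve so it reflects the real client; do not read
        // X-Forwarded-For here, since any client can set that header.
        if (!staging
                || request.getServletPath().startsWith(LOGIN_PATH)
                || isTrusted(request.getRemoteAddr())
                || request.getUserPrincipal() != null) {
            chain.doFilter(req, res);
            return;
        }
        // Outside the trusted range and not logged in: send the client to the
        // container-protected login path, where web.xml's login-config applies.
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    /** True when addr lies inside the configured CIDR block. */
    boolean isTrusted(String addr) {
        byte[] a;
        try {
            a = InetAddress.getByName(addr).getAddress();
        } catch (UnknownHostException e) {
            return false;
        }
        if (a.length != network.length) {
            return false;  // IPv4 address against an IPv6 range, or vice versa
        }
        int fullBytes = prefixLen / 8;
        int remainingBits = prefixLen % 8;
        for (int i = 0; i < fullBytes; i++) {
            if (a[i] != network[i]) {
                return false;
            }
        }
        if (remainingBits == 0) {
            return true;
        }
        // Compare only the leading remainingBits of the next byte.
        int mask = (0xFF << (8 - remainingBits)) & 0xFF;
        return (a[fullBytes] & mask) == (network[fullBytes] & mask);
    }

    @Override
    public void destroy() {
    }
}
```

To wire it up, map the filter to `/*` in web.xml and keep a `<security-constraint>` with an `<auth-constraint>` on `/login` only, with whatever `<login-config>` you prefer; as Konstantin noted earlier in the thread, that login should only travel over HTTPS. Staging then gets `-Dmyorg.myapp.isStagingEnv=true -Dmyorg.myapp.trustedCidr=<your LAN range>` in the JVM options and production gets neither, with no change to the WAR.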






Deploying .war files

2011-11-07 Thread Leo Donahue - PLANDEVX
Tomcat 6.0.32

When you add a new .war file to the webapps directory (by dragging the file in 
there from another directory)  and it automatically expands the web archive, is 
that any different than what the manager application does when it deploys the 
.war file?

Likewise when you delete the .war file from the webapps directory, the expanded 
web archive will shortly remove itself as well.

Is there some amount of time that is required if you want to redeploy the same 
.war file you just removed/undeployed with a newer version (same name)?  I 
can't get a consistent response from either physically adding the .war file to 
the web apps directory and then deleting it/replacing it with a newer version 
of the .war file, or whether I use the manager application to 
deploy/undeploy/deploy.

It seems as if I try to redeploy the newer version of the war file I just 
deleted too soon everything hangs and while the newer .war file will expand, it 
gives a 404 response when I access that web app. If I wait about 30 or 40 
seconds between undeploying the old and redeploying the new it works although I 
didn't actually record the time in between.

Leo



Clustering and session persistence across restarts?

2011-11-07 Thread Al DiVenuti
Hello,

I am currently configuring a sandbox development environment with two
clustered Tomcat 6.0.32 instances running on the same Windows XP SP3
(32-bit) hosts.

I have a question regarding whether or not the Manager
implementations available for a Tomcat 6 Cluster (i.e. the Delta Manager
or the Backup Manager) supports Restart Persistence for sessions that
enables the web application's session data to be serialized prior to
shutdown or application reload and then restored when the web application
is restarted as a result of the Tomcat restart or reloading of the web
application.

The availability of this behavior for the Standard Manager is documented
quite clearly at http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html
.

This is a very useful feature.  My review of the Tomcat documentation at
http://tomcat.apache.org/tomcat-6.0-doc/config/cluster-manager.html makes
no mention of that behavior being available for the Delta Manager or the
Backup Manager - but I want to be certain whether or not it is available.

I am happy to provide additional information if my question is not clear.

Many thanks!

-Al


Re: Deploying .war files

2011-11-07 Thread markt
Leo Donahue - PLANDEVX leodona...@mail.maricopa.gov wrote:

Tomcat 6.0.32

When you add a new .war file to the webapps directory (by dragging the
file in there from another directory)  and it automatically expands the
web archive, is that any different than what the manager application
does when it deploys the .war file?

Yes. The manager ensures that the war is fully copied. Manual copy has some 
tricks to try and ensure this but can't guarantee it.

Likewise when you delete the .war file from the webapps directory, the
expanded web archive will shortly remove itself as well.

Is there some amount of time that is required if you want to redeploy
the same .war file you just removed/undeployed with a newer version
(same name)?  I can't get a consistent response from either physically
adding the .war file to the web apps directory and then deleting
it/replacing it with a newer version of the .war file, or whether I use
the manager application to deploy/undeploy/deploy.

Better to just overwrite the old war with the new one. Tomcat will handle the 
rest.

It seems as if I try to redeploy the newer version of the war file I
just deleted too soon everything hangs and while the newer .war file
will expand, it gives a 404 response when I access that web app. If I
wait about 30 or 40 seconds between undeploying the old and redeploying
the new it works although I didn't actually record the time in between.

The check for deleted / new wars runs once every 15s.

Mark








HTTP Status 404 - /manager/html

2011-11-07 Thread Kaushal Shriyan
Hi,

When I hit http://IP:8080/manager/html, I get HTTP Status 404 -
/manager/html, Tomcat Version 7.0.19, Any clue ?

Regards

Kaushal




RE: HTTP Status 404 - /manager/html

2011-11-07 Thread Caldarale, Charles R
 From: Kaushal Shriyan [mailto:kaushalshri...@gmail.com] 
 Subject: HTTP Status 404 - /manager/html

 When I hit http://IP:8080/manager/html, I get HTTP Status 404 -
 /manager/html, Tomcat Version 7.0.19, Any clue ?

Is the manager webapp deployed?  Where did you get this Tomcat?  If you used a 
3rd-party repackaged version of Tomcat rather than a real one from 
tomcat.apache.org, it could easily be missing normally included components.

 - Chuck







Re: Catalina logs error

2011-11-07 Thread Konstantin Kolinko
2011/11/7 celtic man dheerajman...@hotmail.com:

 12:09:50,399 ERROR [ThreadLocalFilter] Error with web
 request.org.apache.jasper.JasperException: javax.servlet.ServletException:
 javax.servlet.jsp.JspException: Wildcard term count limit exceeded


 What needs to be done ??

There is no such message in Tomcat code. You should search for the
cause elsewhere. And please read the document referenced in Chuck's
response.




Re: HTTP Status 404 - /manager/html

2011-11-07 Thread Kaushal Shriyan
On Tue, Nov 8, 2011 at 8:42 AM, Caldarale, Charles R
chuck.caldar...@unisys.com wrote:
 From: Kaushal Shriyan [mailto:kaushalshri...@gmail.com]
 Subject: HTTP Status 404 - /manager/html

 When I hit http://IP:8080/manager/html, I get HTTP Status 404 -
 /manager/html, Tomcat Version 7.0.19, Any clue ?

 Is the manager webapp deployed?  Where did you get this Tomcat?  If you used 
 a 3rd-party repackaged version of Tomcat rather than a real one from 
 tomcat.apache.org, it could easily be missing normally included components.

  - Chuck

Hi Chuck,

I downloaded it from
http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.19/bin/ and I do
have the manager webapp

root@:/opt/tomcat0/webapps# du -hsc *
19M   clients
8.0K  clients.war
3.3M  docs
2.0M  examples
92K   host-manager
40M   invite
40M   invite-bk-2
40M   invite-nov-1
116K  manager
2.4M  rac
2.0M  rac.war
208K  ROOT
148M  total
root@:/opt/tomcat0/webapps#

Please suggest further.

Regards

Kaushal









RE: HTTP Status 404 - /manager/html

2011-11-07 Thread Caldarale, Charles R
 From: Kaushal Shriyan [mailto:kaushalshri...@gmail.com] 
 Subject: Re: HTTP Status 404 - /manager/html

 I downloaded it from
 http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.19/bin/

Good.  For curiosity's sake, why didn't you use the most recent release?

 I do have the manager webapp

So noted.

Are you sure you're accessing that Tomcat?

Have you changed anything in conf/server.xml (e.g., disabling deployOnStartup)?

Look in the Tomcat logs to see if there are any errors regarding deployment of 
or access to the manager webapp.

 - Chuck



