Re: SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]

[Jakub 1983]

James,

try to set tomcat port to 1443 and check, and write us if it starts than,

try to start knock knock server with default  port, than change it to
443 port -
http://docs.oracle.com/javase/tutorial/networking/sockets/examples/KnockKnockServer.java
(link and explanation is here
http://docs.oracle.com/javase/tutorial/networking/sockets/clientServer.html)

write about the results

regards
Jakub





On Wed, Apr 24, 2013 at 11:23 PM, James H. H. Lampert <
jam...@touchtonecorp.com> wrote:

> Neven Cvetkovic wrote:
>
>  Btw in your log "" is actual real IP address, you just removed it
>> for
>> the mailing list, correct?
>>
>
> That's the actual message from CATALINA.OUT, verbatim. Perhaps we're not
> specifying an IP address in the configuration files (how would one do
> that?), and (with several IP addresses assigned to the box) it's having
> trouble deciding which one we want?
>
> And as I said, earlier today, I did find *something* else listening on 443
> (incidentally, on an AS/400, NETSTAT has a synonym, more idiomatically
> native to the OS, of WRKTCPSTS), but now there's no trace of that something
> else, and even when it was there, it was kind of elusive.
>
> --
> JHHL
>
> --**--**-
> To unsubscribe, e-mail: 
> users-unsubscribe@tomcat.**apache.org
>
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: Policy files

[Christian Beikov]

Well I understand that there is only one SecurityManager per JVM, but as 
you mentioned I can restrict actions for specific CodeBases. This is 
what I am actually trying to do. I want the student web applications to 
have only a hand full of permissions defined in a policy file. I think I 
explained my self wrong earlier. The policy file I am speaking of, the 
one I want to apply to student projects, is more like a set of 
permissions that I want to give the web applications. I mainly want my 
testsuite and everything packaged with it to have all permissions.  
Generally the student projects should have no permissions. I want to 
give these applications only a minimal set of permissions, only the ones 
they actually would need to fullfil their tasks.


The WebappClassLoader supports the method addPermission(Permission) 
which is nice somehow, but I don't want to hard code the permissions but 
rather have them in a policy file or so. The reason for having the 
permissions in a policy file is mainly because I thought I can configure 
something in context.xml so that the policy file gets picked up by tomcat.


I just don't want to have these applications running on my computer not 
knowing what they actually do. To be honest I couldn't think of any 
permission I would give a student application. The libraries that can be 
used are predefined, so I give these jar files the permissions for 
reflection or whatever they need to work properly.


Am I simplifying the whole thing and is what I want much harder to 
achive than I think?



Am 24.04.2013 22:20, schrieb Christopher Schultz:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Christian,

On 4/24/13 1:51 PM, Christian Beikov wrote:

Yes we are talking about security manager policies.

Good :)

There's a lot about Spring that I don't know about, so I was just
checking that you weren't talking about some crazy IoC thing or
annotation-driven magic that no mere mortal can follow.


So there is no possibility to just push the policy file to the
WebappClassLoader?

Nope: the SecurityManager applies to the whole JVM. But, the policy
can bless certain JARs, etc. as being privileged. So, you make Tomcat
and whatever code you wrote privileged and then leave all the student
code to run under the heavy-handed security policy.


As stated in the reply to Matrin Gainty there do exist methods to
restrict the webapp, but unfortunately no method for supplying a
policy file.

Right: you can control the deployment descriptor(s) but not really
much else.


So this means I have to parse the policy file myself and add the
permissions manually to the classloader?

Uh... I don't think that's possible. I must admit I'm no ClassLoader
ninja, but I don't think there's a way to tell a ClassLoader anything
about security policies.

What kinds of operations are you trying to restrict?


Are there any options in the context.xml I could set for specifying
a webapp local policy so that I don't have to fiddle around with
how tomcat is called? I know how to apply a policy at runtime, but
don't know how this affects tomcat when I apply it e.g. in a
ServletContextListener.

I think I'd have to understand more about what you are trying to do in
order to be helpful. The SecurityManager applies its policies globally
and you can't customize anything on a per-ClassLoader basis. You can
do it on a per-codebase basis, but you have to know the URL(s) of the
codebase(s) in advance.


Would be cool if there was an option to do that kind of stuff.

Yes, I rather think it would be cool to specify a security policy on a
per-ClassLoader basis, but there are definitely some thorny issues
there otherwise I think Sun/Oracle would have implemented that
capability by now.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReD6oAAoJEBzwKT+lPKRYDGAP/R9SjzcX0ENxQ5A7/N+S26M8
Jd5sNOisQ9mdVowygJAwppYDqtUalmMZ5qZTtsyYZYWKn3QpiML10Qr36elFZsA5
zoCA1JRB+hwC/vhNgJGdhhNxDOEQo66mfiJlfQ0rHpOGwVrGppAuSV4kVfX5aZCQ
9Ssq2HZvfLE7tL0pg+qnBT1AA9/HU+hAmk4GkCETSMR16jB8NrwI10ejU7gt1F4F
BaUCULZvYtLRelbsAQTfz4ZOQL0FZq2zD85BeZ+hey0koinpr+nY1aRGy4ASbmrM
Eke8ruYKW5xbVmSyQ0A4JmaYmMrYFfc7SgdR7UOkD21wbHA87fSHF9oNhhom2Tqd
Qsdn89swuBwp6XkS1akbfRc6RJ4WPCxNfxBWceGWlJewtgY8XRD8lPYOsHCSiVN/
SOSVnmCaa8Fs6ygk75wo6IKI+VlLRJqFSK5pr1iGK9hVC+xgBGB5APrhMhvSCUmO
SuP6IxFMSRDhghlxUbDhd7hW7KZnpXGQCJZjSoEsW/ysjhwy0hfhLbkEGTyYV8Az
wCap5r3eHc5KsHP0FK9F283DbiUhV8oHoLK0ddzKd9KrHbxap4Vekk2tqbUA52Vn
gpcRk5vodI88w0mvtdc9b57luHPedmY87bqmayjqzh6VHixlT/O8+CQhmJLRrln3
Wf6YgQg1Li6p//YLwHpo
=TJPJ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




Mit freundlichen Grüßen,

*Christian Be

Re: SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]

[James H. H. Lampert]

Neven Cvetkovic wrote:


Btw in your log "" is actual real IP address, you just removed it for
the mailing list, correct?


That's the actual message from CATALINA.OUT, verbatim. Perhaps we're not 
specifying an IP address in the configuration files (how would one do 
that?), and (with several IP addresses assigned to the box) it's having 
trouble deciding which one we want?


And as I said, earlier today, I did find *something* else listening on 
443 (incidentally, on an AS/400, NETSTAT has a synonym, more 
idiomatically native to the OS, of WRKTCPSTS), but now there's no trace 
of that something else, and even when it was there, it was kind of elusive.


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]

[Neven Cvetkovic]

James,

Something else is listening on port 443 (SSL port). I am no AS/400 expert,
but you should be able to see listening processes, e.g.

Linux:  netstat -vatpn | grep 443
Windows: netstat -aon | findstr "443"

Did you try connecting to the port 443?

Btw in your log "" is actual real IP address, you just removed it for
the mailing list, correct?




On Wed, Apr 24, 2013 at 4:50 PM, James H. H. Lampert <
jam...@touchtonecorp.com> wrote:

> We're trying to bring up SSL in Tomcat on a customer AS/400 (an E4C at
> V7R1, using the /QOpenSys/QIBM/ProdData/**JavaVM/jdk60/64bit JVM), and
> every time we launch CATALINA, we get
>
>  SEVERE: Failed to initialize end point associated with ProtocolHandler
>> ["http-bio-443"]
>> Throwable occurred: java.net.BindException: The socket name is already in
>> use. :443
>>
>
> Earlier today, I found something (I couldn't tell WHAT, because there were
> no jobs associated with the port) listening (and idle for 16 hours) on 443,
> on one of the IP addresses, but now, nothing on that port. I also looked
> for restrictions on that port, and there aren't any.
>
> Any ideas of where to look next?
>
> --
> JHHL
>
> --**--**-
> To unsubscribe, e-mail: 
> users-unsubscribe@tomcat.**apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

RE: in web.xml

[Jeffrey Janner]

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, April 24, 2013 3:28 PM
> To: Tomcat Users List
> Subject: Re:  in web.xml
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Jeff,
> 
> On 4/24/13 2:22 PM, Jeffrey Janner wrote:
> >> -Original Message- From: Jeffrey Janner
> >> [mailto:jeffrey.jan...@polydyne.com] Sent: Wednesday, April 24,
> >> 2013 1:12 PM To: Tomcat Users List Subject: RE:  in
> >> web.xml
> >>
> >>> -Original Message- From: Christopher Schultz
> >>> [mailto:ch...@christopherschultz.net] Sent: Wednesday, April 24,
> >>> 2013 12:28 PM To: Tomcat Users List Subject: Re:
> >>>  in web.xml
> >>>
> >>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
> >>>
> >>> Jeff,
> >>>
> >>> On 4/23/13 11:40 AM, Jeffrey Janner wrote:
> > -Original Message- From: Christopher Schultz
> > [mailto:ch...@christopherschultz.net] Sent: Thursday, April 18,
> > 2013 5:01 PM To: Tomcat Users List Subject: Re:
> >  in web.xml
> >
> > -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
> >
> > Jakub,
> >
> > On 4/17/13 9:22 PM, Jakub 1983 wrote:
> >> can I define database connection only in web.xml, without using
> >> context.xml files ?
> >>
> >> can I pass database url, login and password into 
> ?
> >>
> >> when I define database conn in context.xml, resource-ref is not
> > needed
> >> at all, so what is it actually for ?
> >
> > If you define your database configuration in server.xml, you'll
> > have to map from global to local scope. You don't need to do this
> > with context.xml because the scope is -- by definition -- already
> >> local.
> >
> > - -chris
> 
>  Chris - Am I reading that correctly?  If in my context.xml file, I
>  define a DB resource as:   type="oracle.ucp.jdbc.PoolDataSource"
>  factory="oracle.ucp.jdbc.PoolDataSourceImpl"
>  auth="Container"
>  connectionFactoryClassName="oracle.jdbc.pool.OracleDataSource"
>  ... obviously redacted stuff ... /> I DO NOT need to add these
>  lines to
> >>> my
>  web.xml?  Oracle Universal Connection
>  Pool jdbc/oracleUCPPool
>  javax.sql.DataSource
>  Container 
> >>>
> >>> I believe this is correct. It should be easy to try :)
> >>>
>  That also brings up another, related, question. In my old web.xml,
> >> I
>  had this entry: 
>  LOG4J_PROPS >> name>
>  /WEB-INF/Log4j.properties
>   Which I removed and replaced with an entry in the
>  context.xml file:   value="/WEB-INF/Log4j.properties" override="false" /> However,
> that
>  didn't work. I had to provide the full path to the file in the
> >> value
>  parameter. Is there a particular reason why?
> >>>
> >>> The two above are documented to be equivalent, assuming no other
> >>> factors are at work (e.g. Tomcat wasn't reading your new
> >>> META- INF/context.xml file because there was one already in
> >>> conf/[Engine]/[Host]/[app].xml.
> >>>
> >>> If it's not working, start a new thread to make sure you understand
> >>> how it's all supposed to work and possibly follow-up with a bug
> >> report.
> >>>
>  Or would it be something inside our code?
> >>>
> >>> Tomcat doesn't use that value for anything, so it must be your code
> >>> reading it and interpreting it (hopefully using
> >>> ServletContext.getResource()).
> >>>
> >>> - -chris
> >>
> >> Actually, there is no META-INF file, we maintain the context.xml
> >> manually, since we multi-tenant and don't want to build
> >> tenant-specific wars.  So it was definitely reading the latest
> >> version. Code uses context.getInitParameter("LOG4J_PROPS") which is
> >> passed directly to the log4j init routine (I think, still checking
> >> one reference).
> >
> > Yes, the returned string is passed unmolested to log4j's
> > PropertyConfigurator.
> >
> >> The error was being reported in the catalina logs and specifically
> >> mentioned the string in the error message.  Simply switching to the
> >> FQPath did the trick.
> 
> I wouldn't expect Tomcat to modify the value you were passing. Are you
> *sure* it was working in web.xml before you moved it into context.xml?
> 

For the last 8 years or so.

> Using the fully-qualified path should pretty much always work, but if
> you know that the log4j configuration will be bundled as part of the
> web application, then you may as well make it context-relative. You
> should also use ServletContext.getResource and not read directly from
> the filesystem for a number of reasons.
> 
> >> Of course, part of the reason for the change is that we'll be moving
> >> the file out of the WEB-INF directory in the future. Part of that
> >> multi-tenancy thing, so I'll be using FQPs in the future anyway.  It
> >> was just a curiosity that expected behavior did not occur.
> 
> Hmm. So, you'll be storing both context.xml *and* log4j.properties
> outside of the webapp?

Re: Tomcat 7.0.39 windows service setenv not used

[Satyendra Singh]

Thanks!, so there is no other way to set these except to put in registry
via tomcat7w.exe.


On Wed, Apr 24, 2013 at 4:50 PM, Konstantin Kolinko
wrote:

> 2013/4/25 Satyendra Singh :
> > I have created multiple windows services and for one of the service, i
> have
> > -Dcatalina.base=C:\servers\applications\service1
> > -Dcatalina.home=C:\servers\apache-tomcat-7.0.39
> >
> > i have C:\servers\applications\service1\bin\setenv.bat where i have
> >
> > set JAVA_HOME= C:\
> >
> > Set JAVA_OPTS=-D..
> >
> > set CATALINA_OPTS=-Xms.
> >
> > running service1 does not seem to use these values, it only use those
> that
> > i can see at  tomcat7w.exe on this service.
> >
>
>
> As documented,
> [quote]
> All the environment variables described here and the "setenv" script are
> used only if you use the standard scripts to launch Tomcat. For example, if
> you have installed Tomcat as a service on Windows, the service wrapper
> launches Java directly and does not use the script files.
> [/quote]
>
> http://tomcat.apache.org/tomcat-7.0-doc/RUNNING.txt
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

RE: Tomcat 7.0.39 windows service setenv not used

[Caldarale, Charles R]

> From: Satyendra Singh [mailto:satya...@gmail.com] 
> Subject: Tomcat 7.0.39 windows service setenv not used

> running service1 does not seem to use these values, it only use those that
> i can see at  tomcat7w.exe on this service.

Services do not use _any_ .bat scripts, nor any environment variables.  All 
properties must be configured in the tomcat7w.exe program associated with each 
service, which then stores the values in the Windows registry for use when the 
service is started.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]

[James H. H. Lampert]

We're trying to bring up SSL in Tomcat on a customer AS/400 (an E4C at 
V7R1, using the /QOpenSys/QIBM/ProdData/JavaVM/jdk60/64bit JVM), and 
every time we launch CATALINA, we get



SEVERE: Failed to initialize end point associated with ProtocolHandler 
["http-bio-443"]
Throwable occurred: java.net.BindException: The socket name is already in use. 
:443


Earlier today, I found something (I couldn't tell WHAT, because there 
were no jobs associated with the port) listening (and idle for 16 hours) 
on 443, on one of the IP addresses, but now, nothing on that port. I 
also looked for restrictions on that port, and there aren't any.


Any ideas of where to look next?

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 7.0.39 windows service setenv not used

[Konstantin Kolinko]

2013/4/25 Satyendra Singh :
> I have created multiple windows services and for one of the service, i have
> -Dcatalina.base=C:\servers\applications\service1
> -Dcatalina.home=C:\servers\apache-tomcat-7.0.39
>
> i have C:\servers\applications\service1\bin\setenv.bat where i have
>
> set JAVA_HOME= C:\
>
> Set JAVA_OPTS=-D..
>
> set CATALINA_OPTS=-Xms.
>
> running service1 does not seem to use these values, it only use those that
> i can see at  tomcat7w.exe on this service.
>


As documented,
[quote]
All the environment variables described here and the "setenv" script are
used only if you use the standard scripts to launch Tomcat. For example, if
you have installed Tomcat as a service on Windows, the service wrapper
launches Java directly and does not use the script files.
[/quote]

http://tomcat.apache.org/tomcat-7.0-doc/RUNNING.txt

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Tomcat 7.0.39 windows service setenv not used

[Satyendra Singh]

I have created multiple windows services and for one of the service, i have
-Dcatalina.base=C:\servers\applications\service1
-Dcatalina.home=C:\servers\apache-tomcat-7.0.39

i have C:\servers\applications\service1\bin\setenv.bat where i have

set JAVA_HOME= C:\

Set JAVA_OPTS=-D..

set CATALINA_OPTS=-Xms.

running service1 does not seem to use these values, it only use those that
i can see at  tomcat7w.exe on this service.

any help would be appreciated.

Thank You

Re: Question on servlet determination

[Konstantin Kolinko]

2013/4/25 Christopher Schultz :
>
> Konstantin,
>
> On 4/24/13 3:56 PM, Konstantin Kolinko wrote:
>> 2013/4/24 Christopher Schultz :
>>>
>>> On 4/23/13 11:35 PM, Caldarale, Charles R wrote:
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Subject: Question on servlet determination

> /Servlet1
> /Servlet2

 What happens if you try this instead:

 /Servlet1/*
 /Servlet2/*
>>>
>>> While that should work, the original mapping should work, too.
>>> The request for /Servlet1 (plus a slash on the end) should be
>>> sent to Servlet1 with pathInfo="/".
>>>
>>
>> No. An URL that does not end with "/*" is used for exact matching
>> only.
>>
>> /foo and /foo/* are two different mappings.
>>
>> BTW, 1. in the examples webapp of Tomcat 6 and Tomcat 7 there is
>> RequestInfoExample servlet that you can play around with. E.g.
>>
>> http://localhost:8080/examples/servlets/servlet/RequestInfoExample/foo/bar
>>
>>  Adding an extra "/" works correctly.
>
> I notice that, although the  is
> "/servlets/servlet/RequestInfoExample/*", the trailing "/" is not
> required in order to get the request mapped properly. That's
> surprising to me given that "/foo" and "/foo/*" should be two
> different mappings.
>
> I'm specifically looking at the examples in Tomcat 7.0.39.
>

No. With the following pattern requesting the "../foo/bar" URI above
results in 404 for me.
(In current 7.0.x, should not be different from 7.0.39).
/servlets/servlet/RequestInfoExample

>> Adding an extra "/" works correctly.

My "adding" here is "adding to request URI in web browser",
.
http://localhost:8080/examples/servlets/servlet/RequestInfoExample
http://localhost:8080/examples/servlets/servlet/RequestInfoExample/

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Question on servlet determination

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Konstantin,

On 4/24/13 3:56 PM, Konstantin Kolinko wrote:
> 2013/4/24 Christopher Schultz :
>> 
>> On 4/23/13 11:35 PM, Caldarale, Charles R wrote:
 From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com] 
 Subject: Question on servlet determination
>>> 
 /Servlet1 
 /Servlet2
>>> 
>>> What happens if you try this instead:
>>> 
>>> /Servlet1/* 
>>> /Servlet2/*
>> 
>> While that should work, the original mapping should work, too.
>> The request for /Servlet1 (plus a slash on the end) should be
>> sent to Servlet1 with pathInfo="/".
>> 
> 
> No. An URL that does not end with "/*" is used for exact matching
> only.
> 
> /foo and /foo/* are two different mappings.
> 
> BTW, 1. in the examples webapp of Tomcat 6 and Tomcat 7 there is 
> RequestInfoExample servlet that you can play around with. E.g.
> 
> http://localhost:8080/examples/servlets/servlet/RequestInfoExample/foo/bar
>
>  Adding an extra "/" works correctly.

I notice that, although the  is
"/servlets/servlet/RequestInfoExample/*", the trailing "/" is not
required in order to get the request mapped properly. That's
surprising to me given that "/foo" and "/foo/*" should be two
different mappings.

I'm specifically looking at the examples in Tomcat 7.0.39.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReEIQAAoJEBzwKT+lPKRYtLUP/jdO4O/smOvVPL96PJdyk21T
4JPm7qFLk4dNHDnwr0NUwdeEoJBaKwmVSyTMrvLu1FbhUpaUv4jhQtgV5480k27e
fnQhF4vwuyQaR1dOWb3j69m+soqukQHaU9TEVdl70i++gPrez6vra6mlc+FqOhXV
r6/JSPucCHl8zvAeeNBqui5XY4hVgk7HeIO9ko8Jj8qjvLRpUhaaEHuqeL6lI14B
MohH8CALTyRAvTRtsxmJZr/bb7w8nd274c1UkC/X93qBSNoIponck3SVYMaGFmxQ
HzTCnfpIhX60xAOETh3ltbxzXG4/uyW/ay/WkAFst8uOvgXB5BclE4OAOHYHI13k
opCGxg4vuP8ts9OcOTJG1UGa9cMTWwtHnUbbcvY76Y674nMfC45eP1CKXdTRD0AI
sPPnARL6RRfcX7/jsVdF6I+rzKkjq+7mOQhYOJL02PgB/ccfS8ryHHxU5dWNRsmG
OBcKnSHjtgesjb8nq2d35nOKTs9YCxdOoyrS44CGTWWzbEJb5SN/6JNdTYNfV5pJ
6hsUjdylhtnUixxs08QTqonNQJWEB6RjxWFU2neGgk1ytWpBsNMEARPb4CEWs1Do
FVmBDeNsGOYVgW/DloSndUwtig8TP3z0uAsochLUx/8SJg4bkkzm9WP46Enzmog/
3dazWAjtzWd8sy+2mtmS
=c5IT
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: in web.xml

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jeff,

On 4/24/13 2:22 PM, Jeffrey Janner wrote:
>> -Original Message- From: Jeffrey Janner
>> [mailto:jeffrey.jan...@polydyne.com] Sent: Wednesday, April 24,
>> 2013 1:12 PM To: Tomcat Users List Subject: RE:  in
>> web.xml
>> 
>>> -Original Message- From: Christopher Schultz
>>> [mailto:ch...@christopherschultz.net] Sent: Wednesday, April
>>> 24, 2013 12:28 PM To: Tomcat Users List Subject: Re:
>>>  in web.xml
>>> 
>>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>> 
>>> Jeff,
>>> 
>>> On 4/23/13 11:40 AM, Jeffrey Janner wrote:
> -Original Message- From: Christopher Schultz 
> [mailto:ch...@christopherschultz.net] Sent: Thursday, April
> 18, 2013 5:01 PM To: Tomcat Users List Subject: Re:
>  in web.xml
> 
> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
> 
> Jakub,
> 
> On 4/17/13 9:22 PM, Jakub 1983 wrote:
>> can I define database connection only in web.xml, without
>> using context.xml files ?
>> 
>> can I pass database url, login and password into
>>  ?
>> 
>> when I define database conn in context.xml, resource-ref
>> is not
> needed
>> at all, so what is it actually for ?
> 
> If you define your database configuration in server.xml,
> you'll have to map from global to local scope. You don't
> need to do this with context.xml because the scope is -- by
> definition -- already
>> local.
> 
> - -chris
 
 Chris - Am I reading that correctly?  If in my context.xml
 file, I define a DB resource as: >>> name="jdbc/oracleUCPPool" 
 type="oracle.ucp.jdbc.PoolDataSource" 
 factory="oracle.ucp.jdbc.PoolDataSourceImpl"
 auth="Container" 
 connectionFactoryClassName="oracle.jdbc.pool.OracleDataSource"
 ... obviously redacted stuff ... /> I DO NOT need to add
 these lines to
>>> my
 web.xml?  Oracle Universal
 Connection Pool
 jdbc/oracleUCPPool 
 javax.sql.DataSource 
 Container 
>>> 
>>> I believe this is correct. It should be easy to try :)
>>> 
 That also brings up another, related, question. In my old
 web.xml,
>> I
 had this entry: 
 LOG4J_PROPS> name>
 /WEB-INF/Log4j.properties 
  Which I removed and replaced with an entry
 in the context.xml file: >>> value="/WEB-INF/Log4j.properties" override="false" />
 However, that didn't work. I had to provide the full path to
 the file in the
>> value
 parameter. Is there a particular reason why?
>>> 
>>> The two above are documented to be equivalent, assuming no
>>> other factors are at work (e.g. Tomcat wasn't reading your new
>>> META- INF/context.xml file because there was one already in 
>>> conf/[Engine]/[Host]/[app].xml.
>>> 
>>> If it's not working, start a new thread to make sure you
>>> understand how it's all supposed to work and possibly follow-up
>>> with a bug
>> report.
>>> 
 Or would it be something inside our code?
>>> 
>>> Tomcat doesn't use that value for anything, so it must be your
>>> code reading it and interpreting it (hopefully using 
>>> ServletContext.getResource()).
>>> 
>>> - -chris
>> 
>> Actually, there is no META-INF file, we maintain the context.xml 
>> manually, since we multi-tenant and don't want to build
>> tenant-specific wars.  So it was definitely reading the latest
>> version. Code uses context.getInitParameter("LOG4J_PROPS") which
>> is passed directly to the log4j init routine (I think, still
>> checking one reference).
> 
> Yes, the returned string is passed unmolested to log4j's
> PropertyConfigurator.
> 
>> The error was being reported in the catalina logs and
>> specifically mentioned the string in the error message.  Simply
>> switching to the FQPath did the trick.

I wouldn't expect Tomcat to modify the value you were passing. Are you
*sure* it was working in web.xml before you moved it into context.xml?

Using the fully-qualified path should pretty much always work, but if
you know that the log4j configuration will be bundled as part of the
web application, then you may as well make it context-relative. You
should also use ServletContext.getResource and not read directly from
the filesystem for a number of reasons.

>> Of course, part of the reason for the change is that we'll be
>> moving the file out of the WEB-INF directory in the future. Part
>> of that multi-tenancy thing, so I'll be using FQPs in the future
>> anyway.  It was just a curiosity that expected behavior did not
>> occur.

Hmm. So, you'll be storing both context.xml *and* log4j.properties
outside of the webapp? Sounds like your deployments are going to
become more and more complex. Are you hosting your own webapp(s) on
your own servers? Or are you hosting clients' (potentially customized)
webapps on your servers? If you have full control, I'd put everything
possible into the webapp just for convenience.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0

Re: Policy files

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Christian,

On 4/24/13 1:51 PM, Christian Beikov wrote:
> Yes we are talking about security manager policies.

Good :)

There's a lot about Spring that I don't know about, so I was just
checking that you weren't talking about some crazy IoC thing or
annotation-driven magic that no mere mortal can follow.

> So there is no possibility to just push the policy file to the 
> WebappClassLoader?

Nope: the SecurityManager applies to the whole JVM. But, the policy
can bless certain JARs, etc. as being privileged. So, you make Tomcat
and whatever code you wrote privileged and then leave all the student
code to run under the heavy-handed security policy.

> As stated in the reply to Matrin Gainty there do exist methods to
> restrict the webapp, but unfortunately no method for supplying a
> policy file.

Right: you can control the deployment descriptor(s) but not really
much else.

> So this means I have to parse the policy file myself and add the 
> permissions manually to the classloader?

Uh... I don't think that's possible. I must admit I'm no ClassLoader
ninja, but I don't think there's a way to tell a ClassLoader anything
about security policies.

What kinds of operations are you trying to restrict?

> Are there any options in the context.xml I could set for specifying
> a webapp local policy so that I don't have to fiddle around with
> how tomcat is called? I know how to apply a policy at runtime, but
> don't know how this affects tomcat when I apply it e.g. in a 
> ServletContextListener.

I think I'd have to understand more about what you are trying to do in
order to be helpful. The SecurityManager applies its policies globally
and you can't customize anything on a per-ClassLoader basis. You can
do it on a per-codebase basis, but you have to know the URL(s) of the
codebase(s) in advance.

> Would be cool if there was an option to do that kind of stuff.

Yes, I rather think it would be cool to specify a security policy on a
per-ClassLoader basis, but there are definitely some thorny issues
there otherwise I think Sun/Oracle would have implemented that
capability by now.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReD6oAAoJEBzwKT+lPKRYDGAP/R9SjzcX0ENxQ5A7/N+S26M8
Jd5sNOisQ9mdVowygJAwppYDqtUalmMZ5qZTtsyYZYWKn3QpiML10Qr36elFZsA5
zoCA1JRB+hwC/vhNgJGdhhNxDOEQo66mfiJlfQ0rHpOGwVrGppAuSV4kVfX5aZCQ
9Ssq2HZvfLE7tL0pg+qnBT1AA9/HU+hAmk4GkCETSMR16jB8NrwI10ejU7gt1F4F
BaUCULZvYtLRelbsAQTfz4ZOQL0FZq2zD85BeZ+hey0koinpr+nY1aRGy4ASbmrM
Eke8ruYKW5xbVmSyQ0A4JmaYmMrYFfc7SgdR7UOkD21wbHA87fSHF9oNhhom2Tqd
Qsdn89swuBwp6XkS1akbfRc6RJ4WPCxNfxBWceGWlJewtgY8XRD8lPYOsHCSiVN/
SOSVnmCaa8Fs6ygk75wo6IKI+VlLRJqFSK5pr1iGK9hVC+xgBGB5APrhMhvSCUmO
SuP6IxFMSRDhghlxUbDhd7hW7KZnpXGQCJZjSoEsW/ysjhwy0hfhLbkEGTyYV8Az
wCap5r3eHc5KsHP0FK9F283DbiUhV8oHoLK0ddzKd9KrHbxap4Vekk2tqbUA52Vn
gpcRk5vodI88w0mvtdc9b57luHPedmY87bqmayjqzh6VHixlT/O8+CQhmJLRrln3
Wf6YgQg1Li6p//YLwHpo
=TJPJ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Question on servlet determination

[Konstantin Kolinko]

2013/4/24 Christopher Schultz :
>
> On 4/23/13 11:35 PM, Caldarale, Charles R wrote:
>>> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
>>> Subject: Question on servlet determination
>>
>>> /Servlet1
>>> /Servlet2
>>
>> What happens if you try this instead:
>>
>> /Servlet1/*
>> /Servlet2/*
>
> While that should work, the original mapping should work, too. The
> request for /Servlet1 (plus a slash on the end) should be sent to
> Servlet1 with pathInfo="/".
>

No. An URL that does not end with "/*" is used for exact matching only.

/foo and /foo/* are two different mappings.

BTW,
1. in the examples webapp of Tomcat 6 and Tomcat 7 there is
RequestInfoExample servlet that you can play around with. E.g.

http://localhost:8080/examples/servlets/servlet/RequestInfoExample/foo/bar

Adding an extra "/" works correctly.

2.Handling of welcome files in Tomcat 7 depends on "strict servlet
compliance" setting (see Migration guide and system properties page in
Configuration reference).

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 7.0.33 manager - 403 Access Denied

[Konstantin Kolinko]

2013/4/24 Shanti Suresh :
> Hi Konstantin,
>
> On Tue, Apr 23, 2013 at 6:48 PM, Konstantin Kolinko
> wrote:
>
>>
>> >
>> > I can't tell what I'm missing.  Also, steps #2 and #3 are not even
>> required
>> > if I am using the RemoteAddrValve, correct?
>>
>> No. They are not related to RemoteAddrValve.
>>
>
> Thanks!
>
>
>>
>>
>> I would say that you should be stopped by CsrfPreventionFilter,
>> because your heapused.jsp is not in the list of configured entry
>> points.
>>
>
> Bingo!
>
>>
>> Shanti wrote:
>> > The funny thing is that I gather the JMX metrics in an identical manner
>> on
>> > Tomcat 7.0.23 and JDK 1.6 on several  other RedHat Linux servers.
>>
>> CVE-2012-4431
>>
>
> Thanks so much!
>
> I am now able to get heapused.jsp to work.  I only had to add heapused.jsp
> into web.xml.  I did not need to add "/jmxroxy/".
>
> -manager/WEB-INF/web.xml:-
> 
> CSRF
>
> org.apache.catalina.filters.CsrfPreventionFilter
> 
>   entryPoints
>
> /html,/html/,/html/list,/heapused.jsp,/index.jsp
> 
>   
> 
>
> curl http://localhost:6090/manager/heapused.jsp  ==>  gives me the value.
>
> One question I have though is that I have other JSP pages for gathering
> other JMX metrics.  I would like to not have to list these individually as
> entry points.  I tried to put these JSPs into a jmx/ sub-directory under
> manager/.  I added: "/jmx/*" both individually
> as well as in conjunction with  in web.xml.
>
> 
> CSRF
>
> org.apache.catalina.filters.CsrfPreventionFilter
> 
>   entryPoints
>
> /html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp
> 
> /jmx/*
>   
>
> But I got a 403 upon accessing:
>
> curl http://localhost:6090/manager/jmx/heapused.jsp
>
> The CSRF filter documentation did not mention "url-pattern":
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html
>
> Is there a way to achieve what I'd like?
>

The source code is out there. You can subclass the filter, implement
your own, or propose a patch.

This feature was not needed, thus nobody implemented it.

Alternatively, it is possible to change filter mapping so that it is
not mapped to jsp servlet as a whole but to "/index.jsp" only (the
only publicly callable jsp page there).

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: in web.xml

[Jeffrey Janner]

> -Original Message-
> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> Sent: Wednesday, April 24, 2013 1:12 PM
> To: Tomcat Users List
> Subject: RE:  in web.xml
> 
> > -Original Message-
> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Sent: Wednesday, April 24, 2013 12:28 PM
> > To: Tomcat Users List
> > Subject: Re:  in web.xml
> >
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Jeff,
> >
> > On 4/23/13 11:40 AM, Jeffrey Janner wrote:
> > >> -Original Message- From: Christopher Schultz
> > >> [mailto:ch...@christopherschultz.net] Sent: Thursday, April 18,
> > >> 2013 5:01 PM To: Tomcat Users List Subject: Re:  in
> > >> web.xml
> > >>
> > >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
> > >>
> > >> Jakub,
> > >>
> > >> On 4/17/13 9:22 PM, Jakub 1983 wrote:
> > >>> can I define database connection only in web.xml, without using
> > >>> context.xml files ?
> > >>>
> > >>> can I pass database url, login and password into  ?
> > >>>
> > >>> when I define database conn in context.xml, resource-ref is not
> > >> needed
> > >>> at all, so what is it actually for ?
> > >>
> > >> If you define your database configuration in server.xml, you'll
> > >> have to map from global to local scope. You don't need to do this
> > >> with context.xml because the scope is -- by definition -- already
> local.
> > >>
> > >> - -chris
> > >
> > > Chris - Am I reading that correctly?  If in my context.xml file, I
> > > define a DB resource as:  > > type="oracle.ucp.jdbc.PoolDataSource"
> > > factory="oracle.ucp.jdbc.PoolDataSourceImpl" auth="Container"
> > > connectionFactoryClassName="oracle.jdbc.pool.OracleDataSource" ...
> > > obviously redacted stuff ... /> I DO NOT need to add these lines to
> > my
> > > web.xml?  Oracle Universal Connection
> > > Pool jdbc/oracleUCPPool
> > > javax.sql.DataSource
> > > Container 
> >
> > I believe this is correct. It should be easy to try :)
> >
> > > That also brings up another, related, question. In my old web.xml,
> I
> > > had this entry:  LOG4J_PROPS name>
> > > /WEB-INF/Log4j.properties
> > >  Which I removed and replaced with an entry in the
> > > context.xml file:  > > value="/WEB-INF/Log4j.properties" override="false" /> However, that
> > > didn't work. I had to provide the full path to the file in the
> value
> > > parameter. Is there a particular reason why?
> >
> > The two above are documented to be equivalent, assuming no other
> > factors are at work (e.g. Tomcat wasn't reading your new META-
> > INF/context.xml file because there was one already in
> > conf/[Engine]/[Host]/[app].xml.
> >
> > If it's not working, start a new thread to make sure you understand
> > how it's all supposed to work and possibly follow-up with a bug
> report.
> >
> > > Or would it be something inside our code?
> >
> > Tomcat doesn't use that value for anything, so it must be your code
> > reading it and interpreting it (hopefully using
> > ServletContext.getResource()).
> >
> > - -chris
> 
> Actually, there is no META-INF file, we maintain the context.xml
> manually, since we multi-tenant and don't want to build tenant-specific
> wars.  So it was definitely reading the latest version.
> Code uses context.getInitParameter("LOG4J_PROPS") which is passed
> directly to the log4j init routine (I think, still checking one
> reference).

Yes, the returned string is passed unmolested to log4j's PropertyConfigurator.

> The error was being reported in the catalina logs and specifically
> mentioned the string in the error message.  Simply switching to the
> FQPath did the trick.
> Of course, part of the reason for the change is that we'll be moving
> the file out of the WEB-INF directory in the future. Part of that
> multi-tenancy thing, so I'll be using FQPs in the future anyway.  It
> was just a curosity that expected behavior did not occur.
> Jeff
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Re: AsyncListener.onError and disconnected client

[Mark Thomas]

On 24/04/2013 18:38, Rossen Stoyanchev wrote:


- Original Message -

From: "Mark Thomas" 
To: "Tomcat Users List" 
Sent: Wednesday, April 24, 2013 12:47:54 PM
Subject: Re: AsyncListener.onError and disconnected client

On 24/04/2013 16:33, Rossen Stoyanchev wrote:

Hi,

I've seen various discussions here and on the web but I haven't
found
a conclusive answer. Why does an AsyncListener not receive onError
notifications when a client disconnects?


Because the Servlet EG says that is the required behaviour. The EG is
currently revisiting that decision. See
https://java.net/jira/browse/SERVLET_SPEC-44


Thanks for that reference. Is there something in the spec that explicitly makes 
requires this?


Not that I am aware of which why I said "EG" rather than "specification".


The JIRA ticket is about adding a "disconnect" callback but I can imagine in 
the very least, onComplete can be called. After the connection is over.


onComplete should be called once the connection times out.


To my knowledge there is nothing inherent in NIO and TCP that
prevents the server from detecting that the client has
disconnected.
The WebSocket implementation detects disconnected clients
immediately
and other HTTP servers (e.g. node) seem to be able to do this. What
is it about the Servlet async support that prevents it from knowing
when a client has disconnected?


It would mean having to ditch the BIO connector / or not being able
to pass the TCK (assuming the TCK tested this) when using the BIO
connector.


I guess this goes back to the previous question about whether there is an 
explicit requirement and therefore test. Why would a TCK test explicitly check 
that disconnects are not communicated to AsyncListeners? Or is it a more 
indirect consequence of some other requirement?


My point was that if a disconnect event was added to the spec then the 
BIO connector could never be spec compliant.


On reflection, it might not be that bad. The event could be fired just 
not when the client disconnects. It would have to wait until an attempt 
was made to read from / write to the socket.


Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: in web.xml

[Jeffrey Janner]

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, April 24, 2013 12:28 PM
> To: Tomcat Users List
> Subject: Re:  in web.xml
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Jeff,
> 
> On 4/23/13 11:40 AM, Jeffrey Janner wrote:
> >> -Original Message- From: Christopher Schultz
> >> [mailto:ch...@christopherschultz.net] Sent: Thursday, April 18,
> >> 2013 5:01 PM To: Tomcat Users List Subject: Re:  in
> >> web.xml
> >>
> >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
> >>
> >> Jakub,
> >>
> >> On 4/17/13 9:22 PM, Jakub 1983 wrote:
> >>> can I define database connection only in web.xml, without using
> >>> context.xml files ?
> >>>
> >>> can I pass database url, login and password into  ?
> >>>
> >>> when I define database conn in context.xml, resource-ref is not
> >> needed
> >>> at all, so what is it actually for ?
> >>
> >> If you define your database configuration in server.xml, you'll have
> >> to map from global to local scope. You don't need to do this with
> >> context.xml because the scope is -- by definition -- already local.
> >>
> >> - -chris
> >
> > Chris - Am I reading that correctly?  If in my context.xml file, I
> > define a DB resource as:  > type="oracle.ucp.jdbc.PoolDataSource"
> > factory="oracle.ucp.jdbc.PoolDataSourceImpl" auth="Container"
> > connectionFactoryClassName="oracle.jdbc.pool.OracleDataSource" ...
> > obviously redacted stuff ... /> I DO NOT need to add these lines to
> my
> > web.xml?  Oracle Universal Connection
> > Pool jdbc/oracleUCPPool
> > javax.sql.DataSource
> > Container 
> 
> I believe this is correct. It should be easy to try :)
> 
> > That also brings up another, related, question. In my old web.xml, I
> > had this entry:  LOG4J_PROPS
> > /WEB-INF/Log4j.properties
> >  Which I removed and replaced with an entry in the
> > context.xml file:  > value="/WEB-INF/Log4j.properties" override="false" /> However, that
> > didn't work. I had to provide the full path to the file in the value
> > parameter. Is there a particular reason why?
> 
> The two above are documented to be equivalent, assuming no other
> factors are at work (e.g. Tomcat wasn't reading your new META-
> INF/context.xml file because there was one already in
> conf/[Engine]/[Host]/[app].xml.
> 
> If it's not working, start a new thread to make sure you understand how
> it's all supposed to work and possibly follow-up with a bug report.
> 
> > Or would it be something inside our code?
> 
> Tomcat doesn't use that value for anything, so it must be your code
> reading it and interpreting it (hopefully using
> ServletContext.getResource()).
> 
> - -chris

Actually, there is no META-INF file, we maintain the context.xml manually, 
since we multi-tenant and don't want to build tenant-specific wars.  So it was 
definitely reading the latest version.
Code uses context.getInitParameter("LOG4J_PROPS") which is passed directly to 
the log4j init routine (I think, still checking one reference).
The error was being reported in the catalina logs and specifically mentioned 
the string in the error message.  Simply switching to the FQPath did the trick.
Of course, part of the reason for the change is that we'll be moving the file 
out of the WEB-INF directory in the future. Part of that multi-tenancy thing, 
so I'll be using FQPs in the future anyway.  It was just a curosity that 
expected behavior did not occur.
Jeff

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Tomcat 7.0.33 manager - 403 Access Denied

[Shanti Suresh]

Hi Konstantin,

On Tue, Apr 23, 2013 at 6:48 PM, Konstantin Kolinko
wrote:

>
> >
> > I can't tell what I'm missing.  Also, steps #2 and #3 are not even
> required
> > if I am using the RemoteAddrValve, correct?
>
> No. They are not related to RemoteAddrValve.
>

Thanks!


>
>
> I would say that you should be stopped by CsrfPreventionFilter,
> because your heapused.jsp is not in the list of configured entry
> points.
>

Bingo!

>
> Shanti wrote:
> > The funny thing is that I gather the JMX metrics in an identical manner
> on
> > Tomcat 7.0.23 and JDK 1.6 on several  other RedHat Linux servers.
>
> CVE-2012-4431
>

Thanks so much!

I am now able to get heapused.jsp to work.  I only had to add heapused.jsp
into web.xml.  I did not need to add "/jmxroxy/".

-manager/WEB-INF/web.xml:-

CSRF

org.apache.catalina.filters.CsrfPreventionFilter

  entryPoints

/html,/html/,/html/list,/heapused.jsp,/index.jsp

  


curl http://localhost:6090/manager/heapused.jsp  ==>  gives me the value.

One question I have though is that I have other JSP pages for gathering
other JMX metrics.  I would like to not have to list these individually as
entry points.  I tried to put these JSPs into a jmx/ sub-directory under
manager/.  I added: "/jmx/*" both individually
as well as in conjunction with  in web.xml.


CSRF

org.apache.catalina.filters.CsrfPreventionFilter

  entryPoints

/html,/html/,/html/list,/jmx/,/heapused.jsp,/index.jsp

/jmx/*
  

But I got a 403 upon accessing:

curl http://localhost:6090/manager/jmx/heapused.jsp

The CSRF filter documentation did not mention "url-pattern":
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

Is there a way to achieve what I'd like?

Thanks!
  -Shanti

Re: Policy files

[Christian Beikov]

Yes we are talking about security manager policies.

So there is no possibility to just push the policy file to the 
WebappClassLoader? As stated in the reply to Matrin Gainty there do 
exist methods to restrict the webapp, but unfortunately no method for 
supplying a policy file.


So this means I have to parse the policy file myself and add the 
permissions manually to the classloader?
Are there any options in the context.xml I could set for specifying a 
webapp local policy so that I don't have to fiddle around with how 
tomcat is called? I know how to apply a policy at runtime, but don't 
know how this affects tomcat when I apply it e.g. in a 
ServletContextListener. Would be cool if there was an option to do that 
kind of stuff.


Mit freundlichen Grüßen,

*Christian Beikov*
Am 24.04.2013 19:13, schrieb Christopher Schultz:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Christian,

On 4/24/13 2:29 AM, Christian Beikov wrote:

I am using tomcat as an embedded container for a while now, it is
really amazing, but now I got stuck on a topic. I am implementing a
testsuite for automatic testing of uploaded solutions by students.
The deployment works like a charm, I also found your
StuckThreadDetectionValve very useful to kill threads of the
students applications. The next assignment will involve some areas
where I would like to specify a policy file so that the students
can't do anything they aren't supposed to. Now to my problem.

Cool.


One thing is that I want a policy file to be in the students
projects, so that they actually get the exceptions when they are
doing something wrong. What do I have to configure in these student
web projects so that they can e.g. deploy the project directly from
netbeans to tomcat and have the policy applied?

I assume you are talking about SecurityManager policies.

Unfortunately, the SecurityManager applies to the entire JVM, so you
can't do something cool like allow one ClassLoader to run amok while
classes loaded from another one are constrained. Instead, you can
place limits on the entire JVM (e.g. no System.exit) and then poke
holes in those protections for trusted content -- usually a specific
JAR file, etc.

If you are going to do that, you need to attempt privileged "actions"
everywhere your driver code is going to do something that requires
such privileges. If the student code tries to do something forbidden
(e.g. System.exit), they'll get a SecurityException. If you try to do
it without a privileged action, you'll also get an exception.


The other thing is that I want the policy file to be in my
testsuite project and configure it on demand when deploying the
student solutions. Currently I create an instance of
StandardContext for each student web application, then I configure
the context and finally add it to the host of the server. What do I
need to configure, to apply the policy in this case?

You have to apply the policy when you launch the JVM via system
properties on the command-line. Fortunately, all of your privileged
code should be known in advance, so you shouldn't have to adjust
anything for student-submitted code: all their stuff is limited by
your policy.

Remember that you have to give Tomcat all the privileges *it* needs as
well as your own code. Check the catalina.policy file to see what
privileges are necessary to properly run Tomcat under a SecurityManager.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReBLUAAoJEBzwKT+lPKRYzOAP/iEB1IPyKjSSY/74IjYqR31G
wzF6/HuEzwauYgdCxugxFhiogskUsHGnbgKtd4I0hGRtXwfLQf02c5foR6pV04F3
dy4ViYvXTvTLgM6YqcqDEClFigfJdRZdqb26bRUvbrSacTAgp6ifm2Tc7yBpkcR2
rWo0/zdCQTATHlryKnAtfpx0jngoXmyMxrNVH1efw36zN/C50zq26ri9VMG9vEcE
TOy8w8lscj8PaCKj5e0skgvwKWjGrH4gplLOW07STK0Mtpb4rfSL5iua73CoaPsD
PvnzlfgJsYWhlzWF6mExKlTDP+9UmC1195VSfVb3yPdSREf+Lk+PcpAIRnqj4Zma
ZAQys1LcM5CUPzq4y6T4dokGDIXpwsBaphN7S4MKDp+vgb2W0Z6UbidjkUHiZ25r
1dPbt67f3Ro6gYRO/ggorc9y5/0yYs6xjaA9SuM7xvm4uGG4lEn092f6FBnd0+OZ
7t/6IylDSP5+CxCmXrPBu9TeJppq42biVz8VJaM+BJjlDKU6BIn+P2qPR/N1C2QK
wR8aSbcxzKWekSkLv5VCnErCDbx+YekMWVfVfuQobQkMIha977cBHlqc+jhioG2g
QIHaMAPA6JQMEQdSHrob98QirBI9FfZSDDdWQ/w9BuaAT3+bXXPKvUvgbLz14vN+
CLya7aynTMumUFHBnnv2
=MeqU
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Question on servlet determination

[Jeffrey Janner]

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, April 24, 2013 12:20 PM
> To: Tomcat Users List
> Subject: Re: Question on servlet determination
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> Jeff,
> 
> On 4/23/13 5:45 PM, Jeffrey Janner wrote:
> >> -Original Message- From: Propes, Barry L
> >> [mailto:barry.l.pro...@citi.com] Sent: Tuesday, April 23, 2013
> >> 4:34 PM To: 'Tomcat Users List' Subject: RE: Question on servlet
> >> determination
> >>
> >> I'm tempted to say no.
> >>
> >> Because you might be adding a "/" in front of your servlet mapping.
> >>
> >> In other words, changing the path of the folder slightly, with a
> >> different relative path.
> >>
> >
> > I went back and read the servlet spec for 2.5, and according to it,
> > Tomcat should be redirecting the URI ending "/Servlet2" to
> > "/Servlet2/" and then applying welcome files (I do have some defined,
> > just didn't include it below).  Amazingly, this appears to be what
> > happens.  However, if the ending "/" already exists, it doesn't just
> > go looking for welcome files.
> 
> If you have a servlet mapped to /Servlet1 (and /Servlet2), why should
> there be any redirecting at all? That should only happen if the
> DefaultServlet is handling the request and /Servlet1 refers to a
> directory (or something that looks like one).
> 
> - -chris

I was specifically using the terminology in the 2.5 spec.  To quote from page 
72, the section on Welcome Files:

Consider a Web application where:
• The deployment descriptor lists the following welcome files.

index.html
default.jsp

• The static content in the WAR is as follows
/foo/index.html
/foo/default.jsp
/foo/orderform.html
/foo/home.gif
/catalog/default.jsp
/catalog/products/shop.jsp
/catalog/products/register.jsp
• A request URI of /foo will be redirected to a URI of /foo/.
• A request URI of /foo/ will be returned as /foo/index.html.
• A request URI of /catalog will be redirected to a URI of /catalog/.
• A request URI of /catalog/ will be returned as /catalog/default.jsp.
• A request URI of /catalog/index.html will cause a 404 not found
• A request URI of /catalog/products will be redirected to a URI of /
catalog/products/.
• A request URI of /catalog/products/ will be passed to the “default” servlet,
if any. If no “default” servlet is mapped, the request may cause a 404 not
found, may cause a directory listing including shop.jsp and register.jsp, or
may cause other behavior defined by the container. See Section SRV.11.2,
“Specification of Mappings” for the definition of “default” servlet.

But then, I could have been interpreting that incorrectly, since I think it's 
referring to requests into directories, not Servlets.

The more I think about it, the more I'm sure it's our code.  There are no 
directories that match the servlet names.  Tomcat is correctly matching the 
servlet name, and passing the rest of the request string to the servlet, null 
in the first case, and "/" in the second. Our code assumes a null string means 
put up a specific page but doesn't know what to do with a "/" (have not 
researched, but probable).  It's not really relying on the welcome-list at all.
That makes even more sense when you understand that both servlets have the same 
document base (the Web directory), and both welcome files are in that 
directory, yet each servlet manages to put up the servlet-specific welcome file.

Does that start to make sense, Chris?
Jeff

Fwd: Re: Policy files

[Christian Beikov]

Accidently mailed on tomee-list before ><

Thanks for the quick answer but it seems I didn't explain my situation 
completely.
We use Maven for all assignments, I can control what base project they 
have to use for a specific assignment. Also in my testsuite I 
automatically build these projects and deploy the artifacts to my 
embedded tomcat.


The problem is when it comes to the policy files. Where do I need to add 
the path to the policy file for the base maven projects of the students? 
Is there any option in context.xml or so that I can use?


The second problem is that I want to configure the policy for each 
student project when deploying on embedded tomcat(since the students 
could change the file in their projects). Where do I have to configure 
the policy when instantiating the StandardContext myself? I saw that the 
Loader of the context is of the type WebappLoader and the ClassLoader is 
a WebappClassLoader. I also found a method addPermission in 
WebappClassLoader, but I don't want to parse the policy file myself and 
add the permissions one by one. Isn't there an attribute to set the 
policy for that class loader?


So to summarize it a bit, I want to know what to configure in e.g. 
context.xml(if that is the place where to configure the policy) to have 
a specific policy applied.


Mit freundlichen Grüßen,

*Christian Beikov*
Am 24.04.2013 12:48, schrieb Martin Gainty:
Sooner or later your students will need to stop playing with IDEs and 
get serious about creating a real war


Maven provides maven-war-plugin for creating deployable web archives

as far as applying differing policies (or configurations) you can use
archetypes for initial creation of the war
http://www.sonatype.com/books/mvnex-book/reference/web-sect-creating-project.html

properties for deployment configuration changes can be manipulated by 
passing attributes to MANIFEST.MF


bash>mvn Dmaven.war.containerConfigXML=MYContextXML.xml
org.apache.maven.plugins:maven-war-plugin:2.3:manifest

http://maven.apache.org/plugins/maven-war-plugin/manifest-mojo.html#containerConfigXML

bash>mvn org.apache.maven.plugins:maven-war-plugin:2.3:war

the first command copies to META-INF your customised MYContextXML.xml 
(context)

the second command builds out the war in \target folder

http://maven.apache.org/plugins/maven-war-plugin/war-mojo.html

*Viel Gluck*
Martin

__
Thank the general and tell him I have no desire to drink with him or 
any other Russian *** ** * *

General George Patton



> Date: Wed, 24 Apr 2013 08:29:27 +0200
> From: christian.bei...@gmail.com
> To: users@tomcat.apache.org
> Subject: Policy files
>
> Hello there!
>
> I am using tomcat as an embedded container for a while now, it is 
really

> amazing, but now I got stuck on a topic.
> I am implementing a testsuite for automatic testing of uploaded
> solutions by students. The deployment works like a charm, I also found
> your StuckThreadDetectionValve very useful to kill threads of the
> students applications.
> The next assignment will involve some areas where I would like to
> specify a policy file so that the students can't do anything they 
aren't

> supposed to. Now to my problem.
>
> One thing is that I want a policy file to be in the students projects,
> so that they actually get the exceptions when they are doing something
> wrong. What do I have to configure in these student web projects so 
that

> they can e.g. deploy the project directly from netbeans to tomcat and
> have the policy applied?
>
> The other thing is that I want the policy file to be in my testsuite
> project and configure it on demand when deploying the student 
solutions.

> Currently I create an instance of StandardContext for each student web
> application, then I configure the context and finally add it to the 
host

> of the server. What do I need to configure, to apply the policy in this
> case?
>
> I hope someone can help me with that, thanks in advance!
> --
>
> Mit freundlichen Grüßen,
> 
> *Christian Beikov*

Re: AsyncListener.onError and disconnected client

[Rossen Stoyanchev]

- Original Message -
> From: "Mark Thomas" 
> To: "Tomcat Users List" 
> Sent: Wednesday, April 24, 2013 12:47:54 PM
> Subject: Re: AsyncListener.onError and disconnected client
> 
> On 24/04/2013 16:33, Rossen Stoyanchev wrote:
> > Hi,
> >
> > I've seen various discussions here and on the web but I haven't
> > found
> > a conclusive answer. Why does an AsyncListener not receive onError
> > notifications when a client disconnects?
> 
> Because the Servlet EG says that is the required behaviour. The EG is
> currently revisiting that decision. See
> https://java.net/jira/browse/SERVLET_SPEC-44

Thanks for that reference. Is there something in the spec that explicitly makes 
requires this? The JIRA ticket is about adding a "disconnect" callback but I 
can imagine in the very least, onComplete can be called. After the connection 
is over.
 
> > To my knowledge there is nothing inherent in NIO and TCP that
> > prevents the server from detecting that the client has
> > disconnected.
> > The WebSocket implementation detects disconnected clients
> > immediately
> > and other HTTP servers (e.g. node) seem to be able to do this. What
> > is it about the Servlet async support that prevents it from knowing
> > when a client has disconnected?
> 
> It would mean having to ditch the BIO connector / or not being able
> to pass the TCK (assuming the TCK tested this) when using the BIO
> connector.

I guess this goes back to the previous question about whether there is an 
explicit requirement and therefore test. Why would a TCK test explicitly check 
that disconnects are not communicated to AsyncListeners? Or is it a more 
indirect consequence of some other requirement?

> Not sure about APR/native. I'd need to look at the docs and probably
> run some tests.

Thanks,
Rossen

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: in web.xml

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jeff,

On 4/23/13 11:40 AM, Jeffrey Janner wrote:
>> -Original Message- From: Christopher Schultz
>> [mailto:ch...@christopherschultz.net] Sent: Thursday, April 18,
>> 2013 5:01 PM To: Tomcat Users List Subject: Re:  in
>> web.xml
>> 
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>> 
>> Jakub,
>> 
>> On 4/17/13 9:22 PM, Jakub 1983 wrote:
>>> can I define database connection only in web.xml, without
>>> using context.xml files ?
>>> 
>>> can I pass database url, login and password into 
>>> ?
>>> 
>>> when I define database conn in context.xml, resource-ref is
>>> not
>> needed
>>> at all, so what is it actually for ?
>> 
>> If you define your database configuration in server.xml, you'll
>> have to map from global to local scope. You don't need to do this
>> with context.xml because the scope is -- by definition -- already
>> local.
>> 
>> - -chris
> 
> Chris - Am I reading that correctly?  If in my context.xml file, I
> define a DB resource as:  type="oracle.ucp.jdbc.PoolDataSource" 
> factory="oracle.ucp.jdbc.PoolDataSourceImpl" auth="Container" 
> connectionFactoryClassName="oracle.jdbc.pool.OracleDataSource" ...
> obviously redacted stuff ... /> I DO NOT need to add these lines to
> my web.xml?  Oracle Universal Connection
> Pool jdbc/oracleUCPPool 
> javax.sql.DataSource 
> Container 

I believe this is correct. It should be easy to try :)

> That also brings up another, related, question. In my old web.xml,
> I had this entry:  
> LOG4J_PROPS 
> /WEB-INF/Log4j.properties 
>  Which I removed and replaced with an entry in the
> context.xml file:  value="/WEB-INF/Log4j.properties" override="false" /> However, that
> didn't work. I had to provide the full path to the file in the
> value parameter. Is there a particular reason why?

The two above are documented to be equivalent, assuming no other
factors are at work (e.g. Tomcat wasn't reading your new
META-INF/context.xml file because there was one already in
conf/[Engine]/[Host]/[app].xml.

If it's not working, start a new thread to make sure you understand
how it's all supposed to work and possibly follow-up with a bug report.

> Or would it be something inside our code?

Tomcat doesn't use that value for anything, so it must be your code
reading it and interpreting it (hopefully using
ServletContext.getResource()).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReBYiAAoJEBzwKT+lPKRYsTwQAIx2p8gxjFKeeOnVx/UewP5O
nOAtrYovqbVCwC13P5hgrFPqjvmFtsGcCOeqJuij1GZODIg9OU4Z6Vs5pUISaiDC
p1CFaYEL0PxBtl7wr7KC4A7k7WNnpxCnYauhgOWMR1xJXeXz40Hux32HCK9mNkhL
RP5BYpJqXuO6L53U5lUhA/o0rgKoJVttRt+oqn1tPMBxatZU4MRUrt88zuEk+3va
eQJfGZ05aQv+I6wRQDooQvAtbvhal7vnIx3PBMs40GG1shjkRy9jCz5b4o5BJCuv
bAeeB73Dv/APXs/a4/6fVfzv/wq8l7nxRCod1xYga8q/4o39oJKrJmlVgyTOgbOS
h04raAVhys95pQa8BLfSWr65Vh6wdAufduocS3sL75M09AouUUu4APB0Yt6JrMIH
3z7bbAN4kLXZ+4NfcvYbJtLNh+jFNwbf/B+ZsjXS/t0OUemZ0JXHPN3SvI0mLHPI
NoIgaAi6skAGotYSIXL4Lvr8J9UCuFZZBXb1r7L2tvWyMaMI92Uy2AuYFK3Jdn7E
0p1R8ABhznuN3gbT5pOSiGqNolAeiOAnCMhzQLCJk9LD9srUB/Y1K5H3KQzX9RMa
uralof0w70G3k6bZCVTy3gq726c7D7b//7WtzEHm/bfQK3RIb/E9Ete7b0Loposi
ZwTpY6etPPckA6gsXRa0
=rAMP
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Question on servlet determination

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chuck,

On 4/23/13 11:35 PM, Caldarale, Charles R wrote:
>> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com] 
>> Subject: Question on servlet determination
> 
>> /Servlet1 
>> /Servlet2
> 
> What happens if you try this instead:
> 
> /Servlet1/* 
> /Servlet2/*

While that should work, the original mapping should work, too. The
request for /Servlet1 (plus a slash on the end) should be sent to
Servlet1 with pathInfo="/".

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReBS1AAoJEBzwKT+lPKRYmUEQALFahIXLw0D5N4hPQ+KmWHsv
MxERJGJCMVD8QAc7EXK1FatSauRiy1cB13Ae5SVRdIvlwC1nbQLgTA9bDrVZHX/R
Ut8LvWlxPCTfihOPOQpPN4upGWOM7VyC4uDo6pXXF70TiBAvL1JuRVQvoBkF8u4X
2m0biF8qEa8gJXeWf0+m7GgbC7ytLQLQa/l5LGeBwnMq5gbvjP9QrbNr517PQhp4
dsDnP72feP0HP5nk3tVtLuPab3Gz7zwWY1kbW/8UsBNchioBIvkCDzBfK1WcJaYi
F2JdA0NsbssR02jy/i+L+RlXtvuyUR2SlfLIwIg/vaCMUA3bjLfHW0QFB7P6/Qjc
+cTgckryIDzU1tI+eyALDn5pcKoR/agl1N7EU3kAQ7L9Al+ONnTkE18lHDnoBHtc
q7LWS5GXDDqvZO/iA713d+xGYgDm+W6SYXLhErK8N7P+ze0hI2/l4gKV0aBtLT5e
gOa+tFrQEJDiHg/RE4N0l4hKhZFJ4kp+/cE/Q59ul4FFTuJhUf574sPBDq2aRcv4
q0degEfLxnfFtP1oxwjpviAfdN2ZccBpHTlwZ4CL5kQ2K7d5y7G96ldQSEeJksrS
HDDNfohwQVJN62Wo29Ld3W7zJ0v5xgLDn+E6aJq+zldBjRu8iTlnli20nWTHnVRq
apntFNgcpDZCpWXoWLuj
=GhL+
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Question on servlet determination

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jeff,

On 4/23/13 5:45 PM, Jeffrey Janner wrote:
>> -Original Message- From: Propes, Barry L
>> [mailto:barry.l.pro...@citi.com] Sent: Tuesday, April 23, 2013
>> 4:34 PM To: 'Tomcat Users List' Subject: RE: Question on servlet
>> determination
>> 
>> I'm tempted to say no.
>> 
>> Because you might be adding a "/" in front of your servlet
>> mapping.
>> 
>> In other words, changing the path of the folder slightly, with a 
>> different relative path.
>> 
> 
> I went back and read the servlet spec for 2.5, and according to
> it, Tomcat should be redirecting the URI ending "/Servlet2" to 
> "/Servlet2/" and then applying welcome files (I do have some
> defined, just didn't include it below).  Amazingly, this appears to
> be what happens.  However, if the ending "/" already exists, it
> doesn't just go looking for welcome files.

If you have a servlet mapped to /Servlet1 (and /Servlet2), why should
there be any redirecting at all? That should only happen if the
DefaultServlet is handling the request and /Servlet1 refers to a
directory (or something that looks like one).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReBQ/AAoJEBzwKT+lPKRYnVUP/A32hsNrCKupzCtQSHeolP9X
WsWWP7Vy1svMG/9aFPbbvMmpV4YPDp+lxUy615q2jiP7o5Ys/Ovu5SemCqoZRhYh
1Aj/vgESnUQtQDCQwny7XUMErWkWsC8C6TWpQ+SNoD+iQlNnXgArztQS2Ufl0rRX
h4FjF+/6R8+mcfPUlpOmSOwFl45DjQEocOuWdfYewtlZkzNu0dZxZ7S10RBq0ATu
loaMKC/dFvgSa/vqf5wwVW69zqlMVVh0/y7JFgN71zyv7i2VJCGqDHEPPBEFV5/O
el4b5Q3wjb6Bk99sv4sDOyC85eUcN0SaDkb9ygTkkuamI3sdZxl06ej/AJU/TIOn
5bLBn89N8DKqLu6t7qI5M4yQ+dqGx6SmqGtGgG71+MoJ+BpcmQKciJf9wC2kh6nA
JYdOXxRb7297guzZxL9gw7uz9asVV7TVWH1SHm2jzXkxaezu2OXpWX3FRocQU66q
+/PlH0gry9bjGyWfM6KKAb1rRRYKF6r5NxKMjDVKIwPIYmPpeFeSZ78koGAMhruS
k+T0N/iTQ8nLsM0qBkiMffZv8Mgr1AMygP0v7NB407S0q4HF28y5v5ZpwqnRU1Cu
fgO76UgnHYkZkegO3pQkwfzzIIO9HoPxk2pqKTzi9ttgI9QXeVvWJxcj65SSjshL
71xkuFIhbmh/9Pc5AlW4
=c7ZG
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Policy files

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Christian,

On 4/24/13 2:29 AM, Christian Beikov wrote:
> I am using tomcat as an embedded container for a while now, it is
> really amazing, but now I got stuck on a topic. I am implementing a
> testsuite for automatic testing of uploaded solutions by students.
> The deployment works like a charm, I also found your
> StuckThreadDetectionValve very useful to kill threads of the 
> students applications. The next assignment will involve some areas
> where I would like to specify a policy file so that the students
> can't do anything they aren't supposed to. Now to my problem.

Cool.

> One thing is that I want a policy file to be in the students
> projects, so that they actually get the exceptions when they are
> doing something wrong. What do I have to configure in these student
> web projects so that they can e.g. deploy the project directly from
> netbeans to tomcat and have the policy applied?

I assume you are talking about SecurityManager policies.

Unfortunately, the SecurityManager applies to the entire JVM, so you
can't do something cool like allow one ClassLoader to run amok while
classes loaded from another one are constrained. Instead, you can
place limits on the entire JVM (e.g. no System.exit) and then poke
holes in those protections for trusted content -- usually a specific
JAR file, etc.

If you are going to do that, you need to attempt privileged "actions"
everywhere your driver code is going to do something that requires
such privileges. If the student code tries to do something forbidden
(e.g. System.exit), they'll get a SecurityException. If you try to do
it without a privileged action, you'll also get an exception.

> The other thing is that I want the policy file to be in my
> testsuite project and configure it on demand when deploying the
> student solutions. Currently I create an instance of
> StandardContext for each student web application, then I configure
> the context and finally add it to the host of the server. What do I
> need to configure, to apply the policy in this case?

You have to apply the policy when you launch the JVM via system
properties on the command-line. Fortunately, all of your privileged
code should be known in advance, so you shouldn't have to adjust
anything for student-submitted code: all their stuff is limited by
your policy.

Remember that you have to give Tomcat all the privileges *it* needs as
well as your own code. Check the catalina.policy file to see what
privileges are necessary to properly run Tomcat under a SecurityManager.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReBLUAAoJEBzwKT+lPKRYzOAP/iEB1IPyKjSSY/74IjYqR31G
wzF6/HuEzwauYgdCxugxFhiogskUsHGnbgKtd4I0hGRtXwfLQf02c5foR6pV04F3
dy4ViYvXTvTLgM6YqcqDEClFigfJdRZdqb26bRUvbrSacTAgp6ifm2Tc7yBpkcR2
rWo0/zdCQTATHlryKnAtfpx0jngoXmyMxrNVH1efw36zN/C50zq26ri9VMG9vEcE
TOy8w8lscj8PaCKj5e0skgvwKWjGrH4gplLOW07STK0Mtpb4rfSL5iua73CoaPsD
PvnzlfgJsYWhlzWF6mExKlTDP+9UmC1195VSfVb3yPdSREf+Lk+PcpAIRnqj4Zma
ZAQys1LcM5CUPzq4y6T4dokGDIXpwsBaphN7S4MKDp+vgb2W0Z6UbidjkUHiZ25r
1dPbt67f3Ro6gYRO/ggorc9y5/0yYs6xjaA9SuM7xvm4uGG4lEn092f6FBnd0+OZ
7t/6IylDSP5+CxCmXrPBu9TeJppq42biVz8VJaM+BJjlDKU6BIn+P2qPR/N1C2QK
wR8aSbcxzKWekSkLv5VCnErCDbx+YekMWVfVfuQobQkMIha977cBHlqc+jhioG2g
QIHaMAPA6JQMEQdSHrob98QirBI9FfZSDDdWQ/w9BuaAT3+bXXPKvUvgbLz14vN+
CLya7aynTMumUFHBnnv2
=MeqU
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Question regarding tomcat upgrade from 7.0.23. to 7.0.37

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Madhu,

On 4/24/13 1:33 AM, Madhu Purohit wrote:
> Hi We have recently upgraded tomcat fom 7.0.23 to 7.037 and also
> Java from 1.6.0_21 to 1.7.0_15. When we run the load runner
> testcases we get the following error
> 
> “content was blocked because it was not signed by a valid
> certificate”

This is not an error message I recognize from Tomcat: it must be
coming from your load runner test cases (or from load runner itself).

> But other normal browser testing goes through. Do we need to
> install new certificates?

What kind of certificates are you using?

> There has been no change in the code of our application. With
> tomcat 7.0.23 we do not get this error. Appreciate your inputs
> regarding why we are getting this error.

If you installed a new version of Tomcat and your SSL certificates
were in a keystore somewhere Tomcat-version-specific (like in
CATALINA_HOME instead of CATALINA_BASE), then you may not have set up
your keystore properly.

I'm not even sure if you are talking about SSL certificates, but
that's the only kind of certificate Tomcat handles, so I figured I'd
mention it.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReBFeAAoJEBzwKT+lPKRYmmAQAJZUiB37EtGkDMNAwbQbwALr
WNAP5NxxjhRAk4nqtGG+vjt6RbEyyrUerHBhqubKvWpPdmYG6wHHw6xUQBYxwjB9
c6XGqvOT0S9vVfeKOtmgRTFF4MPWwv1mh6DuUMJlTX+ORYJEmr9JczQcyMRn61zM
xP4QwpMljRsFeAcLV0HN4bcLYx8ly8u7B6Bs0Idp/bd7W2GKgq9EQT8s12KjJtXI
JyVOSFOCC0tCW9iVP7S2p1mdbaDGLs5t3fEqREF5I7fozWCi8zox3+P6M09eE9FN
R4p9REX1awtuczoE4mb7vyByPmJUTTFHzEIqPZUwxbTPvfhOVIaRKCxIKxGM/qru
LtNpJayb0UaywFGJyONycIXd5TueKqKDnacrwB/FmJsKZMLV1ZEecmrb9z8YDKz7
Iys+zqYgANWW9ZQ/8qKCz3CXZSOjwaBEOAZE9zYsCebE9B7XDvMPE4XIiZEixoql
5vHNMLfeldfb1KbfUgY5kQX+zrx1mAFbpi4vi8GXH8mQqqpMFCFHoJlK9dUAEAlp
CoR4mzD1BcQVEb4KK18I5WnlWqDdkS93Q6G3WKR1xvTCvec7wqAuS6+uhR0WH1yq
GcTHkQ+aWwKTkB7H4Hd4RksrIZKS6CdU1gymjEJJswdXO76IQ18uw31eeGJpwFXC
7GPO6tlWyMWynIg0OUn6
=mSQ7
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: two responses from one request - how is it possible ?

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jeffrey,

On 4/23/13 11:24 AM, Jeffrey Janner wrote:
>> -Original Message- From: Christopher Schultz
>> [mailto:ch...@christopherschultz.net] Sent: Monday, April 22,
>> 2013 4:31 PM To: Tomcat Users List Subject: Re: two responses
>> from one request - how is it possible ?
>> 
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>> 
>> Jeffrey,
>> 
>> On 4/22/13 4:18 PM, Jeffrey Janner wrote:
>>> 
>>> 
 -Original Message- From: André Warnier
 [mailto:aw@ice-
>> sa.com]
 Sent: Sunday, April 21, 2013 7:03 PM To: Tomcat Users List
 Subject: Re: two responses from one request - how is it
 possible ?
 
 Jakub 1983 wrote:
> http://www.mulesoft.com/tomcat-connector states:
> 
> Using the current arrangement, both Connectors will pass
> all requests to the same Engine, which will in turn pass
> all these requests to
 both
> of its contained web applications.  This means that each
> request will potentially generate two responses, one from
> each application.    port="8443"/> > port="8444"/>
>    path="/webapp1"/>  
>   
> 
> Is it really true what they write ?
> 
 
 (For anyone else reading this, I did look at the indicated
 webpage, and it is really what they say there)
 
 To me, it sounds like utter nonsense. Or else, I need to
 revise my whole understamding of HTTP and Tomcat.
 
 It even looks like nonsense squared, since :
 
 - each request is sent by one client on one connection to one
 port (meaning one Tomcat Connector), and the (single)
 response to that request will also come back on that same
 connection - each request should have a target URL (like
 /webapp1 OR /webapp2, but not both), and will be processed
 (once) by the application (context) corresponding to that
 URL, and will generate only one response
 
 Maybe we should ask the author of that page for more details.
 He
>> may
 have invented the amplifier version of Tomcat.
 
 Additionally, it is really bad practice to put 
 elements in the server.xml file.
 
>>> 
 From the article:
>>> " Using the current arrangement, both Connectors will pass all 
>>> requests to the same Engine, which will in turn pass all these 
>>> requests to both of its contained web applications.  This means
>>> that each request will potentially generate two responses, one
>>> from each application."
>>> 
>>> Well, after noting some of the bad grammar in the opening few 
>>> paragraphs (listen to vs. listen on), I was going to give the
>>> author
>> a
>>> pass on the use of "both" in the first sentence, instead of
>>> "either" or "one of".  But then he goes onto the second
>>> sentence and proves that he meant both.
>>> 
>>> In actuality, he should have stopped the first sentence at
>>> "Engine", and then continued with a new sentence (keeping in
>>> mind the
>> simplified
>>> structure): "The Engine will then see if the first string after
>>> the hostname portion of the request URL matches any of the
>>> defined contexts. If a match is found, then the request is
>>> passed to that context and the response is sent back via the
>>> original connector.  If a match is not found, then an error is
>>> returned."
>>> 
>>> Of course, after reading the original, I now understand why I
>>> was never tempted to even try this company's version of Tomcat,
>>> despite the number of times they've promoted themselves on the
>>> list.
>> 
>> Jason Brittain used to work at MuleSoft: they /are/ legit, though
>> this particular post seems to require some serious editing, or
>> even deletion.
>> 
>> - -chris
> 
> OH, I was never worried about /legit/ status, but this page and
> others probably made me skeptical on the quality issue. You know,
> first impressions and all.  Wouldn't mind hearing from some who
> found reason to use their product over standard release.

We use Mirth Connect which is a product bundled with Mule ESB. They
have moved away from Mule for their upcoming product version, but I
think that was more because they simply didn't need everything Mule
was providing (kind of like discovering that Tomcat will work when you
started out with Weblogic).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReBALAAoJEBzwKT+lPKRY/coP/R1jQxUOEZlN+ueK5tEUa70V
pb5poHBodRXtwfX3GJF0pS95igYQIzVMhi95BVO13eQnYxqbwoN+MAxdDaDfh+mU
ySOml1eUh7Zb0v2U60ZDtHcCBqGV6K34zptDevzzEMXZ1ansoIpBEXkt57oGB2BB
7fZs0ShRe1N4AiBIpq0k0zbfV90W6HRkgfjHZalCbP1ZuBWZ7YKbo2bJk1Z1R7J5
ynur/pLGNZfWpZ13VFME8i5yw8GoRYPmQHkp2scE5oTyfH6p6LIjOhWmTJ3QLgVq
1HFT7dbfoqhp/BPv4tyChr70q+BwfT2oKs/8f5ssCOVKOophmDdBBGUZ5+aaFxyt
gozjgVcHKmzq7E5++MarhkeyVCN9/ub0wC+2qnCCcI8k2xfFBg3zOHu3iN65Q5X+
VjhKF6LT4JmpWQlkwQE2Q2k0xEOCVvMycFj/kH8qvTDQ9oTo2iFP

Re: AsyncListener.onError and disconnected client

[Mark Thomas]

On 24/04/2013 16:33, Rossen Stoyanchev wrote:

Hi,

I've seen various discussions here and on the web but I haven't found
a conclusive answer. Why does an AsyncListener not receive onError
notifications when a client disconnects?


Because the Servlet EG says that is the required behaviour. The EG is 
currently revisiting that decision. See 
https://java.net/jira/browse/SERVLET_SPEC-44



To my knowledge there is nothing inherent in NIO and TCP that
prevents the server from detecting that the client has disconnected.
The WebSocket implementation detects disconnected clients immediately
and other HTTP servers (e.g. node) seem to be able to do this. What
is it about the Servlet async support that prevents it from knowing
when a client has disconnected?


It would mean having to ditch the BIO connector / or not being able to 
pass the TCK (assuming the TCK tested this) when using the BIO connector.


Not sure about APR/native. I'd need to look at the docs and probably run 
some tests.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configuring IIS to use the JK ISAPI redirector plugin when URL paths are different

[Rainer Jung]

Hi Katy,

On 24.04.2013 16:38, Beavers, Melinda K (Kay) wrote:
> Rainer, thank you for that link!!  I have put this line in my 
> isapi_redirect.properties file: 
> "rewrite_rule_file=C:\Avaya\TomcatFilter\rewrite.properties" and put my 
> rewrite.properties file in place with just a single line in it:  
> "/apps/cepv/website/=/website/" and reset IIS.  It is not working but in the 
> debug log I never see any reference to using the rewrite file.  
> 
> I never see entries like described below: 
> 
> "During startup, you should see
> 
>  Using rewrite rule file YOURRULESFILE
> 
> in the log file, and later
> 
>  Loaded rewrite rule file YOURRULESFILE
> 
> Between those two, you should also see lines indicating, that the 
> contents of the file got parsed."
> 
> Do you know if there's some other step I'm missing or if it has to be a 
> certain version in order to recognize the rewrite file?

First: which version are you using?

Then: I assume we already know that your entries to
isapi_redirect.properties work in principle, i.e. that you can confirm
that some of the entries did work, just not the rewrite_rule_file entry.
Correct?

Next I assume you could correctly set a log file using the log_file
entry and that you can now set the log level to "debug" using
log_level=debug.

When you now start up, you should get a couple of log lines containing
the word "Using". Post at least them or even better all startup log
messages, excluding any confidential stuff.

Regards,

Rainer

> -Original Message-
> From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
> Sent: Wednesday, April 24, 2013 2:03 AM
> To: users@tomcat.apache.org
> Subject: Re: Configuring IIS to use the JK ISAPI redirector plugin when URL 
> paths are different
> 
> On 24.04.2013 06:53, Beavers, Melinda K (Kay) wrote:
>> We have installed the IIS-Tomcat redirector (isapi_redirect.dll) on an IIS 6 
>> server so that http://iis.company.com/website/myfile.jsp  will correctly 
>> redirect according to our 'isapi_redirect.properties', 'workers.properties', 
>> and 'uriworkermap.properties ' and serve the JSP page from  
>> http://tomcat.company.com/website/myfile.jsp . That appears to be working 
>> just fine. But we actually need to have a different IIS URL. What we are 
>> trying to figure out is if we can configure it so that 
>> http://iis.company.com/apps/cepv/website/myfile.jsp will redirect and serve 
>> the JSP content at http://tomcat.company.com/website/myfile.jsp. The path on 
>> the IIS server is has two extra levels (/apps/cepv) in the URL path and does 
>> not match the path on the tomcat server where the JSP content is. We have to 
>> have those two extra levels in the IIS URL path for other technical reasons 
>> and we cannot match or include those two extra levels on the tomcat side. 
>>
>> We have tried the following but cannot get it to work.   
>>
>>  website.worker=website_ajp13 
>>  /apps/cepv/website/*.jsp=$(website.worker) 
>>
>> Is there anything we can do to map this correctly?   
> 
> Have a look at
> 
> https://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Rewriting
> 
> starting from "If you are using Microsoft IIS as a web server...".
> 
> Regards,
> 
> Rainer

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configuring IIS to use the JK ISAPI redirector plugin when URL paths are different

[André Warnier]

Beavers, Melinda K (Kay) wrote:
Rainer, thank you for that link!!  I have put this line in my isapi_redirect.properties file: "rewrite_rule_file=C:\Avaya\TomcatFilter\rewrite.properties" and put my rewrite.properties file in place with just a single line in it:  "/apps/cepv/website/=/website/" and reset IIS.  It is not working but in the debug log I never see any reference to using the rewrite file.  

I never see entries like described below: 


"During startup, you should see

 Using rewrite rule file YOURRULESFILE

in the log file, and later

 Loaded rewrite rule file YOURRULESFILE

Between those two, you should also see lines indicating, that the 
contents of the file got parsed."


Do you know if there's some other step I'm missing or if it has to be a certain 
version in order to recognize the rewrite file?

Regards,

Katy

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Wednesday, April 24, 2013 2:03 AM

To: users@tomcat.apache.org
Subject: Re: Configuring IIS to use the JK ISAPI redirector plugin when URL 
paths are different

On 24.04.2013 06:53, Beavers, Melinda K (Kay) wrote:
We have installed the IIS-Tomcat redirector (isapi_redirect.dll) on an IIS 6 server so that http://iis.company.com/website/myfile.jsp  will correctly redirect according to our 'isapi_redirect.properties', 'workers.properties', and 'uriworkermap.properties ' and serve the JSP page from  http://tomcat.company.com/website/myfile.jsp . That appears to be working just fine. But we actually need to have a different IIS URL. What we are trying to figure out is if we can configure it so that http://iis.company.com/apps/cepv/website/myfile.jsp will redirect and serve the JSP content at http://tomcat.company.com/website/myfile.jsp. The path on the IIS server is has two extra levels (/apps/cepv) in the URL path and does not match the path on the tomcat server where the JSP content is. We have to have those two extra levels in the IIS URL path for other technical reasons and we cannot match or include those two extra levels on the tomcat side. 

We have tried the following but cannot get it to work.   

	website.worker=website_ajp13 
	/apps/cepv/website/*.jsp=$(website.worker) 

Is there anything we can do to map this correctly?   


Have a look at

https://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Rewriting

starting from "If you are using Microsoft IIS as a web server...".



Melinda,
in addition to what Rainer writes above, and if you determine later that you need more 
powerful URL-rewriting capabilities under IIS later, have a look at :

http://www.helicontech.com/isapi_rewrite/

Also, on this list, try to not "top-post" your reponses, it makes it more difficult for 
everyone to follow the conversation (scrolling up and down etc..)




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

AsyncListener.onError and disconnected client

[Rossen Stoyanchev]

Hi,

I've seen various discussions here and on the web but I haven't found a 
conclusive answer. Why does an AsyncListener not receive onError notifications 
when a client disconnects? The scenario is that async processing starts (via 
request.startAsync), the Servlet container thread is exited, and then at some 
point before the async request completes, the client goes away (e.g. browser 
tab is closed). The only way I've found to detect the client has gone away is 
to write to and flush the servlet response buffer.

To my knowledge there is nothing inherent in NIO and TCP that prevents the 
server from detecting that the client has disconnected. The WebSocket 
implementation detects disconnected clients immediately and other HTTP servers 
(e.g. node) seem to be able to do this. What is it about the Servlet async 
support that prevents it from knowing when a client has disconnected?

Thanks,
Rossen

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Configuring IIS to use the JK ISAPI redirector plugin when URL paths are different

[Beavers, Melinda K (Kay)]

Rainer, thank you for that link!!  I have put this line in my 
isapi_redirect.properties file: 
"rewrite_rule_file=C:\Avaya\TomcatFilter\rewrite.properties" and put my 
rewrite.properties file in place with just a single line in it:  
"/apps/cepv/website/=/website/" and reset IIS.  It is not working but in the 
debug log I never see any reference to using the rewrite file.  

I never see entries like described below: 

"During startup, you should see

 Using rewrite rule file YOURRULESFILE

in the log file, and later

 Loaded rewrite rule file YOURRULESFILE

Between those two, you should also see lines indicating, that the 
contents of the file got parsed."

Do you know if there's some other step I'm missing or if it has to be a certain 
version in order to recognize the rewrite file?

Regards,

Katy

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Wednesday, April 24, 2013 2:03 AM
To: users@tomcat.apache.org
Subject: Re: Configuring IIS to use the JK ISAPI redirector plugin when URL 
paths are different

On 24.04.2013 06:53, Beavers, Melinda K (Kay) wrote:
> We have installed the IIS-Tomcat redirector (isapi_redirect.dll) on an IIS 6 
> server so that http://iis.company.com/website/myfile.jsp  will correctly 
> redirect according to our 'isapi_redirect.properties', 'workers.properties', 
> and 'uriworkermap.properties ' and serve the JSP page from  
> http://tomcat.company.com/website/myfile.jsp . That appears to be working 
> just fine. But we actually need to have a different IIS URL. What we are 
> trying to figure out is if we can configure it so that 
> http://iis.company.com/apps/cepv/website/myfile.jsp will redirect and serve 
> the JSP content at http://tomcat.company.com/website/myfile.jsp. The path on 
> the IIS server is has two extra levels (/apps/cepv) in the URL path and does 
> not match the path on the tomcat server where the JSP content is. We have to 
> have those two extra levels in the IIS URL path for other technical reasons 
> and we cannot match or include those two extra levels on the tomcat side. 
> 
> We have tried the following but cannot get it to work.   
> 
>   website.worker=website_ajp13 
>   /apps/cepv/website/*.jsp=$(website.worker) 
> 
> Is there anything we can do to map this correctly?   

Have a look at

https://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Rewriting

starting from "If you are using Microsoft IIS as a web server...".

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Question on servlet determination

[Jeffrey Janner]

> -Original Message-
> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
> Sent: Tuesday, April 23, 2013 10:35 PM
> To: Tomcat Users List
> Subject: RE: Question on servlet determination
> 
> > From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> > Subject: Question on servlet determination
> 
> >   /Servlet1
> >   /Servlet2
> 
> What happens if you try this instead:
> 
>   /Servlet1/*
>   /Servlet2/*
> 
>  - Chuck
> 

Thanks for the hint Chuck, but no change.
I still get the 404 error page.
Jeff


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Question on servlet determination

[Jeffrey Janner]

> -Original Message-
> From: Neven Cvetkovic [mailto:neven.cvetko...@gmail.com]
> Sent: Tuesday, April 23, 2013 5:29 PM
> To: Tomcat Users List
> Subject: Re: Question on servlet determination
> 
> > > 
> > > From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com]
> > > 
> > >   
> > > 
> > >   Everything
> > >   *.jsp
> > >   *.html
> > >   *.js
> > >   /Servlet1
> > >   /Servlet2
> > > 
> >
> 
> Jeffrey, why don't you just use "catch all" url pattern?
> 
> Is there anything that you don't want to be part of the same security
> constraint? In this case security constraint just enforces SSL, but
> could do other things, check roles, etc. In that case you might want to
> split secure and non-secure resources ... (e.g. login page should not
> be secure and login action should be secure, etc...)
> 
> What are you trying to achieve?
> 
> Cheers!
> Neven
> 
IIRC, I originally had the "/*" entry, back in Tomcat 4.x, but it wouldn't 
force the move to https for any files directly asked for in the top level.  For 
example, http://myhost/login.jsp would not switch to https until after you 
entered your login information.
If I get some free time, I'll probably be retesting, but, yes, I'm also going 
to be adding a section that will be using a different auth method for a third 
servlet. 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Setting Nio connector in embedded tomcat7

[Praveen Peddi]

Hi,
Not sure if anyone has used NIO connector in embedded tomcat 7 but I am
out of luck so far. It seems so simple but I could not get it work. I am
wondering if this is a bug in embedded version of tomcat because it works
fine on standalone version. If this turns out to be a bug in tomcat 7
embedded, then I may have to think about moving to Jetty but it would be
ideal if I can figure this out with tomcat 7 itself.

I am pasting the complete method that create Tomcat instance with NIO
connector and starts it. If I don't have NIO connector all rest requests
works perfectly. But with this NIO connector I can't connect to server. I
looked at the tomcat unit tests and they don't seem to be doing anything
special for NIO connector. Any help would be appreciated.

public void init() throws LifecycleException, IOException {

log.debug("Initializing Tomcat");

final File base = createBaseDirectory();
log.info("Using base folder: " + base.getAbsolutePath());

final Tomcat tomcat = new Tomcat();
tomcat.setPort(TOMCAT_PORT);
tomcat.setBaseDir(base.getAbsolutePath());

Context context = tomcat.addContext("/perfmon", 
base.getAbsolutePath());
//handle rest requests
Wrapper cxfServlet = Tomcat.addServlet(context, "CXFServlet", 
new
CXFServlet());

cxfServlet.addInitParameter("config-location",
"classpath:perfmon-rest-server.xml");
cxfServlet.setLoadOnStartup(1);

context.addServletMapping("/rest/*", "CXFServlet");

context.addApplicationListener(ContextLoaderListener.class.getName());
context.setLoader(new
WebappLoader(Thread.currentThread().getContextClassLoader()));

//atmosphere websocket support
Wrapper atmosphereServlet = Tomcat.addServlet(context,
"AtmosphereServlet", new TomcatAtmosphereServlet());
atmosphereServlet
.addInitParameter("org.atmosphere.cpr.packages",
"com.kiva.perfmon.prototype.pubsub.websocket");
atmosphereServlet.setLoadOnStartup(0);
context.addServletMapping("/pubsub/*", "AtmosphereServlet");

context.addParameter("contextConfigLocation",
"classpath:perfmon-context.xml");

// add nio connector for websocket support
Connector nioConnector = new
Connector(Http11NioProtocol.class.getName());
nioConnector.setPort(TOMCAT_PORT);
nioConnector.setProperty("address",
InetAddress.getByName("localhost").getHostAddress());
tomcat.setConnector(nioConnector);

tomcat.start();
tomcat.getServer().await();
}


Thanks in advance.
Praveen

On 4/23/13 Apr 23, 12:21 PM, "Praveen Peddi" 
wrote:

>Sorry I meant "nio" connector not bio connector. Outlook auto-correct is
>not smart enough :)
>
>On 4/23/13 Apr 23, 12:08 PM, "Praveen Peddi" 
>wrote:
>
>>I am not sure if this is the same issue I am having but apparently I am
>>also using atmosphere for web sockets and make it work in embedded
>>tomcat.
>>
>>I looked at the tomcat unit tests for bio connector and the tests are not
>>doing anything special. They set the address to localhost. I tried the
>>below code similar to the unit tests but I still can't connect to tomcat
>>when I use this connector.
>>
>>Connector nioConnector = new
>>Connector(Http11NioProtocol.class.getName());
>>  nioConnector.setPort(TOMCAT_PORT);
>>  nioConnector.setProperty("address",
>>InetAddress.getByName("localhost").getHostAddress());
>>tomcat.setConnector(nioConnector);
>>
>>
>>Unit test I saw is here:
>>http://svn.apache.org/repos/asf/tomcat/trunk/test/org/apache/catalina/non
>>b
>>l
>>ocking/TestNonBlockingAPI.java
>>And 
>>http://svn.apache.org/repos/asf/tomcat/trunk/test/org/apache/catalina/sta
>>r
>>t
>>up/TomcatBaseTest.java
>>
>>
>>Thanks
>>Praveen
>>
>>On 4/23/13 Apr 23, 10:40 AM, "Tribon Cheng"  wrote:
>>
>>>Just like this issue:
>>>
>>>http://atmosphere-framework.2306103.n4.nabble.com/WebSocket-not-working-
>>>o
>>>n
>>>-Tomcat-7-With-NIO-connector-was-WebSocket-not-working-on-Tomcat-7-td465
>>>2
>>>3
>>>51.html
>>>
>>>
>>>On Tue, Apr 23, 2013 at 10:16 PM, Mark Thomas  wrote:
>>>
 On 23/04/2013 15:11, Praveen Peddi wrote:
 > Hi all, I am trying to set Nio connector in tomcat7 so I can use
 > WebSocket support. I did the following (as simple as it can get) but
 > it doesn't seem to work. When I do this I can't connect to the
 > server. For example I have a GET REST request that should work but I
 > get connection refused. Same with WebSocket request.
 >
 >
 > Connector nioConnector = new Connector();
 >
 > nioConnector.setPort(TOMCAT_PORT);
 >
 > nioConnector.setProtocol(Http11NioProtocol.class.getName());
 >
 > tomcat.setConnector(nioCo

Re: two responses from one request - how is it possible ?

[Shanti Suresh]

Hi André,

Those notes are very succinct.  Appreciate it.  Thank you for sharing.

 -Shanti


On Wed, Apr 24, 2013 at 4:45 AM, André Warnier  wrote:

> André Warnier wrote:
>
>> Shanti Suresh wrote:
>>
>>> André
>>>
>>> Please kindly share the half-page that you have written up so far.
>>> Actually, would you please finish it up and then post?
>>>
>>>
>> Well, here you go. Luckily, it was still in my drafts folder.
>> Remember that it was a draft, and that a more accurate explanation is
>> available in the Servlet Spec.
>>
>>
>>
>> A HTTP request looks like this :
>>
>> GET /the_url.. HTTP/1.1
>> Host: somehost.company.com
>> ..
>>
>> The "Host:" header is examined first, to find out to which configured
>> Tomcat  this request is addressed. If a matching Host is found, then
>> this will be the one which processes this request further.  If none is
>> found, then the request will be processed by Tomcat's default  (the
>> one named in the  tag).
>>
>> Then comes the evaluation of the URL ("/the_url..").
>> Within the selected , Tomcat will first attempt to match the first
>> part of the URL with (the path of) one of the (non-ROOT) defined contexts.
>>  If a match is found, the request will be passed to that context for
>> processing (*).
>> If no match is found, and there is no default context defined, then
>> Tomcat will return an error to the client.
>> If there is a default context defined, then Tomcat will pass this request
>> to the default context (the one under (appBase)/ROOT) for processing.
>>  Within that default context, a match will then be attempted with any of
>> the  elements of that default context. If a mapping is found,
>> the request will be passed to the corresponding servlet for processing.
>> If no mapping is found, the request will be passed to the default servlet
>> of the default context for processing.  That one attempts to find a file on
>> disk within the default context, which matches the path indicated by the
>> URL. If it finds one, the file will be returned as the response. If no such
>> file is found, a 404 error will be returned.
>>
>> (*) within a matching context, there will be further matching of the
>> second part of the URL, with one the defined servlet's 
>> elements.
>>
>>  addendum : and (as this was an unfunished draft)
> I should have added that each non-ROOT context also has a default servlet,
> inherited from the default (catalina_base)/conf/web.xml.
> So if within a context no appropriate  can be found for this
> request to this context, the request will be processed by the default
> servlet of that context, which will look for a file on disk to satisfy the
> request.  And if it doesn't find one, it will return a 404 error.
>
> I should also have added that the URL-mapping as described above is a bit
> rough, and that the Servlet Spec explains more accurately how this is done.
>
>
> --**--**-
> To unsubscribe, e-mail: 
> users-unsubscribe@tomcat.**apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: two responses from one request - how is it possible ?

[André Warnier]

André Warnier wrote:

Shanti Suresh wrote:

André

Please kindly share the half-page that you have written up so far.
Actually, would you please finish it up and then post?



Well, here you go. Luckily, it was still in my drafts folder.
Remember that it was a draft, and that a more accurate explanation is 
available in the Servlet Spec.




A HTTP request looks like this :

GET /the_url.. HTTP/1.1
Host: somehost.company.com
..

The "Host:" header is examined first, to find out to which configured 
Tomcat  this request is addressed. If a matching Host is found, 
then this will be the one which processes this request further.  If none 
is found, then the request will be processed by Tomcat's default  
(the one named in the  tag).


Then comes the evaluation of the URL ("/the_url..").
Within the selected , Tomcat will first attempt to match the first 
part of the URL with (the path of) one of the (non-ROOT) defined 
contexts.  If a match is found, the request will be passed to that 
context for processing (*).
If no match is found, and there is no default context defined, then 
Tomcat will return an error to the client.
If there is a default context defined, then Tomcat will pass this 
request to the default context (the one under (appBase)/ROOT) for 
processing.  Within that default context, a match will then be attempted 
with any of the  elements of that default context. If a 
mapping is found, the request will be passed to the corresponding 
servlet for processing.
If no mapping is found, the request will be passed to the default 
servlet of the default context for processing.  That one attempts to 
find a file on disk within the default context, which matches the path 
indicated by the URL. If it finds one, the file will be returned as the 
response. If no such file is found, a 404 error will be returned.


(*) within a matching context, there will be further matching of the 
second part of the URL, with one the defined servlet's  
elements.



addendum : and (as this was an unfunished draft)
I should have added that each non-ROOT context also has a default servlet, inherited from 
the default (catalina_base)/conf/web.xml.
So if within a context no appropriate  can be found for this request to this 
context, the request will be processed by the default servlet of that context, which will 
look for a file on disk to satisfy the request.  And if it doesn't find one, it will 
return a 404 error.


I should also have added that the URL-mapping as described above is a bit rough, and that 
the Servlet Spec explains more accurately how this is done.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: two responses from one request - how is it possible ?

[André Warnier]

Shanti Suresh wrote:

André

Please kindly share the half-page that you have written up so far.
Actually, would you please finish it up and then post?



Well, here you go. Luckily, it was still in my drafts folder.
Remember that it was a draft, and that a more accurate explanation is available in the 
Servlet Spec.




A HTTP request looks like this :

GET /the_url.. HTTP/1.1
Host: somehost.company.com
..

The "Host:" header is examined first, to find out to which configured Tomcat  this 
request is addressed. If a matching Host is found, then this will be the one which 
processes this request further.  If none is found, then the request will be processed by 
Tomcat's default  (the one named in the  tag).


Then comes the evaluation of the URL ("/the_url..").
Within the selected , Tomcat will first attempt to match the first part of the URL 
with (the path of) one of the (non-ROOT) defined contexts.  If a match is found, the 
request will be passed to that context for processing (*).
If no match is found, and there is no default context defined, then Tomcat will return an 
error to the client.
If there is a default context defined, then Tomcat will pass this request to the default 
context (the one under (appBase)/ROOT) for processing.  Within that default context, a 
match will then be attempted with any of the  elements of that default 
context. If a mapping is found, the request will be passed to the corresponding servlet 
for processing.
If no mapping is found, the request will be passed to the default servlet of the default 
context for processing.  That one attempts to find a file on disk within the default 
context, which matches the path indicated by the URL. If it finds one, the file will be 
returned as the response. If no such file is found, a 404 error will be returned.


(*) within a matching context, there will be further matching of the second part of the 
URL, with one the defined servlet's  elements.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configuring IIS to use the JK ISAPI redirector plugin when URL paths are different

[Rainer Jung]

On 24.04.2013 06:53, Beavers, Melinda K (Kay) wrote:
> We have installed the IIS-Tomcat redirector (isapi_redirect.dll) on an IIS 6 
> server so that http://iis.company.com/website/myfile.jsp  will correctly 
> redirect according to our 'isapi_redirect.properties', 'workers.properties', 
> and 'uriworkermap.properties ' and serve the JSP page from  
> http://tomcat.company.com/website/myfile.jsp . That appears to be working 
> just fine. But we actually need to have a different IIS URL. What we are 
> trying to figure out is if we can configure it so that 
> http://iis.company.com/apps/cepv/website/myfile.jsp will redirect and serve 
> the JSP content at http://tomcat.company.com/website/myfile.jsp. The path on 
> the IIS server is has two extra levels (/apps/cepv) in the URL path and does 
> not match the path on the tomcat server where the JSP content is. We have to 
> have those two extra levels in the IIS URL path for other technical reasons 
> and we cannot match or include those two extra levels on the tomcat side. 
> 
> We have tried the following but cannot get it to work.   
> 
>   website.worker=website_ajp13 
>   /apps/cepv/website/*.jsp=$(website.worker) 
> 
> Is there anything we can do to map this correctly?   

Have a look at

https://tomcat.apache.org/connectors-doc/generic_howto/proxy.html#URL%20Rewriting

starting from "If you are using Microsoft IIS as a web server...".

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org