Re: Problems with tomcat-connectors-1.2.41 on 32bit linux

2015-08-27 Thread Falco Schwarz
On Wed, Aug 26, 2015 at 8:13 PM, Rainer Jung rainer.j...@kippdata.de
wrote:

 I added a configure check in

   http://svn.apache.org/viewvc?view=revision&revision=1697985

 and documented the problem in

   https://bz.apache.org/bugzilla/show_bug.cgi?id=58285

 You might want to cross check.


After successfully applying the patches to a fresh copy of 1.2.41 (not
trunk) and figuring out how to rebuild the configure script I successfully
built mod_jk with disabled gcc atomics [1]. So I guess the patch works as
intended.

[1] I saw this message in the configure output, so the changes were
applied, I guess:

on 32bit SLES11 SP3:
 checking whether the compiler provides atomic builtins... no

on 64bit SLES11 SP3:
 checking whether the compiler provides atomic builtins... yes

Again, thank you for your help and the patch.

Regards,
Falco


Re: Problems with tomcat-connectors-1.2.41 on 32bit linux

2015-08-26 Thread Falco Schwarz
On Tue, Aug 25, 2015 at 5:13 PM, Rainer Jung rainer.j...@kippdata.de
wrote:

 Am 25.08.2015 um 14:58 schrieb Falco Schwarz:

 If I try to startup httpd though the following error occurs:

 httpd: Syntax error on line 88 of /opt/apache/conf/alles/httpd.conf:
 Cannot
 load /opt/apache/modules/mod_jk.so into server:
 /opt/apache/modules/mod_jk.so: undefined symbol: __sync_add_and_fetch_4


 simply change the #elif line 436 e.g. to

 #elif defined(JK_USE_GCC_ATOMICS) && defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 1))


 Since JK_USE_GCC_ATOMICS is not defined, the elif will be skipped and the
 next option (APR atomics) will be used, but you can later switch back to
 the GCC version by compiling with -DJK_USE_GCC_ATOMICS. We might add
 something like this and make the define be chosen according to configure
 flags (--disable-gcc-atomics). Or maybe we should even use a configure
 check to detect real support for GCC atomics on the target platform.


I switched the logic to better suit my needs, but that works:

#elif !defined(JK_NO_GCC_ATOMICS) && defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 1))


So on our 32bit systems jk is built with:
CFLAGS='-DJK_NO_GCC_ATOMICS' ./configure --with-apxs=/opt/apache/bin/apxs

It would be nice if something like that (preferably a configure option)
would be built in. It would of course be even better if configure could
detect if gcc atomics work and decide whether to use them or not. Anyways,
thank you for your quick and very helpful response.

Falco


Problems with tomcat-connectors-1.2.41 on 32bit linux

2015-08-25 Thread Falco Schwarz
Hi there,

I tried to update the connectors to the most recent update but I am stuck
with error messages. Just some background information on the
infrastructure used:

httpd: 2.2.31
OpenSSL: 1.0.2.d
mod_jk: 1.2.41

Kernel: 3.0.101-0.47.52-pae
OS: SLES 11 SP3 (32bit)
gcc: (SUSE Linux) 4.3.4 [gcc-4_3-branch revision 152973]

httpd configure: ./configure --prefix=/opt/apache
--sysconfdir=/opt/apache/build --enable-mods-shared=all ssl ldap cache
proxy authn_alias authnz_ldap dav_lock --with-mpm=prefork
--with-included-apr --with-pcre --with-ldap --with-ssl=/opt/apache/openssl

jk configure: ./configure --with-apxs=/opt/apache/bin/apxs

configure, make and install run without any errors. If I try to start up
httpd, though, the following error occurs:

httpd: Syntax error on line 88 of /opt/apache/conf/alles/httpd.conf: Cannot
load /opt/apache/modules/mod_jk.so into server:
/opt/apache/modules/mod_jk.so: undefined symbol: __sync_add_and_fetch_4

It seems to be related to the atomic changes with 1.2.41, yet I cannot
figure out what I am missing here. Could anyone point me in the right
direction?

Regards,
Falco


Re: web.xml processing order of directives - filter vs security-constraint

2014-07-06 Thread Falco Schwarz
Konstantin,

On Sat, Jul 5, 2014 at 3:26 PM, Konstantin Kolinko
knst.koli...@gmail.com wrote:
 You can either perform IP filtering in a Valve (that will be in the
 pipeline before an Authenticator), or you can remove
 security-constraint and implement authentication and authorization in
 a filter (such as Security Filter, or using Spring Security framework).
 http://wiki.apache.org/tomcat/AddOns#Filters

in search of something simpler than Spring Security I stumbled upon
Apache Shiro. I quite like the way it is set up and it gets the job
done. Perhaps you might want to add this to the 3rd party filters in
the Wiki, too?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: web.xml processing order of directives - filter vs security-constraint

2014-07-06 Thread Falco Schwarz
On Sun, Jul 6, 2014 at 1:35 PM, Konstantin Kolinko
knst.koli...@gmail.com wrote:
 I think you can inject RemoteAddrFilter into Spring Security filter
 chain (that is if you do not want to configure it separately in
 web.xml),

You are right, I did not think of that.
FWIW this is easily doable using custom filters [1] with Shiro, so it
should be possible with Spring Security as well.


Thanks again for your help,
Falco

[1] http://shiro.apache.org/web.html#Web-AvailableFilters




Re: web.xml processing order of directives - filter vs security-constraint

2014-07-05 Thread Falco Schwarz
I should add that the IP restriction is applied via filter, not with a
tomcat Valve. Essentially the question breaks down to this:

Is it possible in any way for a filter to be applied before the evaluation
of the security-constraint? Or is there any other way of setting up an IP
filter combined with authentication given the order from above?

Any hint for the right direction would be greatly appreciated.

Thanks,
Falco


On Fri, Jul 4, 2014 at 4:37 PM, Falco Schwarz hid...@falco.me wrote:

 All,

 I am trying to set up the jmx proxy servlet and am kinda stuck on
 security. I would like to:

 - restrict access to localhost
 - restrict access to require basic authentication

 Currently it works, though in the wrong order. This is how the request is
 being processed right now:

 1) user accesses /infra/jmx
 2) user has to authenticate
 3) user is being denied

 Is it possible to switch step 2 and 3?

 Relevant parts of web.xml, webapp is called infra:

   <servlet>
     <servlet-name>JMXProxy</servlet-name>
     <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
   </servlet>
   <servlet-mapping>
     <servlet-name>JMXProxy</servlet-name>
     <url-pattern>/jmx/*</url-pattern>
   </servlet-mapping>

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>JMX Proxy interface</web-resource-name>
       <url-pattern>/jmx/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>jmx</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>JMX Proxy</realm-name>
   </login-config>
   <security-role>
     <description>
       The role that is required to access the JMX Proxy
     </description>
     <role-name>jmx</role-name>
   </security-role>




Re: web.xml processing order of directives - filter vs security-constraint

2014-07-05 Thread Falco Schwarz
On Sat, Jul 5, 2014 at 12:39 PM, Mark Thomas m...@homeinbox.net wrote:
 Maybe look at a third party security plugin like Spring Security? Not sure if 
 this is supported but worth a look.

 Mark

Thanks Mark and Konstantin for your quick replies. I tried to
accomplish this only using Spring Security and I also got kinda stuck
with the processing ordering. It is possible to use expressions like:

<security:http>
    <security:intercept-url pattern="/**"
        access="hasIpAddress('127.0.0.1') and hasRole('ROLE_JMX')" />
    <security:http-basic />
</security:http>

... but yet again, because of the http-basic tag, the user is always
presented with an authentication instead of being denied.

In the end I found a solution which suits my needs: combining the
RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter
always prevents access if the client is not localhost. If the client
is localhost then Spring Security kicks in and finally authenticates
the User.

Quite complicated for such a simple task and I really did not expect
to find so little information regarding such an issue on the internet.
From a systems administrator perspective there is no way I would
present a login form first and then deny via ip filters, but I guess
that is just how the servlet spec is defined.

Anyway, thanks again and keep up the good work.

Falco
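
The ordering described in this message (address check first, authentication second), as an added web.xml example that is not part of the original post. The filter name `LocalhostOnly` and the loopback pattern are assumptions, and the Spring Security context is assumed to keep only the `hasRole('ROLE_JMX')` rule with `http-basic`.

```xml
<!-- Added example: WEB-INF/web.xml fragment for the "infra" webapp. -->
<!-- Filters mapped by url-pattern run in the order of their
     <filter-mapping> elements, so the address check is mapped first. -->

<filter>
  <filter-name>LocalhostOnly</filter-name> <!-- name is an assumption -->
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <!-- regex matched against the client address: IPv4 and IPv6 loopback -->
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- 1) Non-local clients are rejected with 403 here and never receive
        a Basic authentication challenge. -->
<filter-mapping>
  <filter-name>LocalhostOnly</filter-name>
  <url-pattern>/jmx/*</url-pattern>
</filter-mapping>

<!-- 2) Local clients continue to Spring Security, which handles HTTP Basic. -->
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- No <security-constraint> or <login-config> for /jmx/*: container
     authentication runs in the valve pipeline, before any filter. -->
```

If Tomcat sits behind an HTTP reverse proxy on the same host, every request reaches the filter with a loopback address, so the `allow` pattern no longer distinguishes local from remote clients.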




Re: web.xml processing order of directives - filter vs security-constraint

2014-07-05 Thread Falco Schwarz
On Sat, Jul 5, 2014 at 6:17 PM, Hassan Schroeder
hassan.schroe...@gmail.com wrote:
 (Sorry, late to the thread but ...) if you just want to restrict access to
 a resource to localhost, why not os-level e.g. an iptables rule?

Well, the reason behind the restriction is that I would like to use
Tomcat's jmxproxy for our production systems, as our current monitoring
solution is quite limited. Therefore I am planning to deploy an
additional webapp to each Tomcat. I would also restrict the access to
our real web applications if I would restrict the whole connector.




web.xml processing order of directives - filter vs security-constraint

2014-07-04 Thread Falco Schwarz
All,

I am trying to set up the jmx proxy servlet and am kinda stuck on security.
I would like to:

- restrict access to localhost
- restrict access to require basic authentication

Currently it works, though in the wrong order. This is how the request is
being processed right now:

1) user accesses /infra/jmx
2) user has to authenticate
3) user is being denied

Is it possible to switch step 2 and 3?

Relevant parts of web.xml, webapp is called infra:

  <servlet>
    <servlet-name>JMXProxy</servlet-name>
    <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>JMXProxy</servlet-name>
    <url-pattern>/jmx/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JMX Proxy interface</web-resource-name>
      <url-pattern>/jmx/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>jmx</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JMX Proxy</realm-name>
  </login-config>
  <security-role>
    <description>
      The role that is required to access the JMX Proxy
    </description>
    <role-name>jmx</role-name>
  </security-role>