Re: Session problem
Hi Chris, sorry for the late reply.

> In your listener, why don't you dump a stack trace when a session attribute is removed? That will let you know where the code is that is removing your attributes. You may be surprised.

This would be very useful, but how would i generate it since there's no exception that's been thrown? Do i just throw an exception?

-h

On Wed, Aug 25, 2010 at 2:50 PM, Christopher Schultz ch...@christopherschultz.net wrote:

> Hisham,
>
> On 8/25/2010 11:07 AM, Hisham wrote:
>> Let me rephrase what I said: I am not using any custom cookies, the JsessionID cookie gets created by default.
>
> That makes a lot more sense.
>
>> So i created an HttpSessionAttributeListener listener. And what i observed is truly weird. Once i click on Messages tab, the request goes through fine, there are a couple of images that are requested that are delivered correctly. After all this has finished, 2 of the attributes i have stored in the session are removed. Mind you, i have more attributes that DON'T get removed. I did a complete hack that IF these other attributes are still present then go ahead and put the 2 attributes back into the session - and it works fine now!
>
> Er, that will sort of subvert your own authorization mechanism, right?
>
> In your listener, why don't you dump a stack trace when a session attribute is removed? That will let you know where the code is that is removing your attributes. You may be surprised.
>
>> Of course i'm not gonna leave it like this, i still need to figure out what the hell is going on!
>>
>> Here is my filter code:
>>
>>     public void doFilter(ServletRequest request, ServletResponse response,
>>             FilterChain chain) throws IOException, ServletException {
>>         boolean authorized = false;
>>         HttpServletRequest req = (HttpServletRequest) request;
>>         HttpServletResponse res = (HttpServletResponse) response;
>>         HttpSession session = req.getSession(false);
>>         System.out.println(req.getRequestURL());
>>         if (session != null && session.getAttribute("ub") != null) {
>>             authorized = true;
>>             System.out.println("setting authorized = true");
>>             chain.doFilter(request, response);
>>         }
>>         // forward the request to login page
>>         if (!authorized) {
>>             System.out.println("kicked someone from " + request.getRemoteAddr());
>>             res.setHeader("session", "invalid");
>>             res.sendError(HttpServletResponse.SC_UNAUTHORIZED,
>>                     "Your session is invalid or have expired.");
>>         }
>>     }
>
> Aside from the odd logic above, this looks okay, except, I don't see a redirect to a login form anywhere, here.
>
> You also didn't say what the URL mapping for this filter was. Is it /*? If so, then you'll probably not be able to serve your login page unless you're logged-in.
>
> -chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session problem
Yeah i found that through google! Thanks pid and chuck!

-h

On Fri, Aug 27, 2010 at 1:25 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:

>> From: Hisham [mailto:mohis...@gmail.com]
>> Subject: Re: Session problem
>>
>> how would i generate it since theres no exception that's been thrown?
>
> Standard API call: Thread.dumpStack().
>
> - Chuck
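The listener-plus-stack-dump approach suggested in this thread, as an added example that is not code from any of the posters. The class and package names are hypothetical, and it assumes the javax.servlet API used by the Tomcat releases of that period. It logs attribute names only and a hashed session tag, so the diagnostic log does not itself leak session ids or attribute values.

```java
package example.diag; // hypothetical package name

import java.io.PrintWriter;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;

/**
 * Added example (hypothetical class): records who adds, replaces or removes
 * session attributes. Register it in WEB-INF/web.xml:
 *
 *   <listener>
 *     <listener-class>example.diag.SessionAttributeTracer</listener-class>
 *   </listener>
 */
public class SessionAttributeTracer implements HttpSessionAttributeListener {

    @Override
    public void attributeAdded(HttpSessionBindingEvent event) {
        trace("ADDED", event, false);
    }

    @Override
    public void attributeReplaced(HttpSessionBindingEvent event) {
        trace("REPLACED", event, false);
    }

    @Override
    public void attributeRemoved(HttpSessionBindingEvent event) {
        // The stack shows whether application code called removeAttribute()
        // or invalidate(), or whether the container expired the session.
        trace("REMOVED", event, true);
    }

    private static void trace(String op, HttpSessionBindingEvent event, boolean withStack) {
        StringWriter buffer = new StringWriter();
        PrintWriter out = new PrintWriter(buffer);
        // Log the attribute name only: values may hold user or credential data.
        out.printf("[session-trace] %s '%s' session#%s thread=%s%n",
                op, event.getName(),
                sessionTag(event.getSession().getId()),
                Thread.currentThread().getName());
        if (withStack) {
            // Same information as Thread.dumpStack(), but captured into the
            // same log record as the attribute name.
            new Throwable("call path for " + op).printStackTrace(out);
        }
        out.flush();
        System.err.print(buffer);
    }

    /** Short SHA-256 tag: lets log lines be correlated without exposing a usable session id. */
    static String sessionTag(String sessionId) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 4; i++) {
                hex.append(String.format("%02x", digest[i]));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

The listener runs on the thread that changes the attribute, so the frames below the listener call identify the servlet, filter or container code responsible for the removal.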
Re: Session problem
Chris, thanks for your reply!

> 1. Are you using cookies? If you don't properly encode all the URLs in your webapp, you could be losing session information when cookies are /not/ being used. It sounds like you are using cookies, though, given your statement about using Firebug to read the headers en route.

I'm not using any cookies. Also i want to stress the fact that the app works fine in my local environment.

> 2. Even if your session id is okay, are you dumping the value of the test attribute for the session? Even though you aren't removing it, that attribute might have been damaged by something else.

I've looked everywhere, and unless i missed something i don't think this is the issue.

> 3. You could write another filter that wraps your HttpSession when requested by the webapp and reports all modifications to it (that is, calls to setAttribute/removeAttribute/setValue/removeValue).

How would I go about doing this? Is there a particular filter that listens to attributes being changed?

> 4. Any reason not to use the container-managed login and session management? Tomcat can take care of all this logic for you...

Will eventually move to this, you're right. I am using Spring so will use Spring security/Acegi.

-h

On Wed, Aug 25, 2010 at 9:31 AM, Christopher Schultz ch...@christopherschultz.net wrote:

> Hisham,
>
> On 8/24/2010 10:30 PM, Hisham wrote:
>> Jason, you're right in that the tabs i was referring to were tabs within my application. I will verify tomorrow whether the domain is different, but i seriously doubt it.
>
> I have a few other things you could check out:
>
> 1. Are you using cookies? If you don't properly encode all the URLs in your webapp, you could be losing session information when cookies are /not/ being used. It sounds like you are using cookies, though, given your statement about using Firebug to read the headers en route.
>
> 2. Even if your session id is okay, are you dumping the value of the test attribute for the session? Even though you aren't removing it, that attribute might have been damaged by something else.
>
> 3. You could write another filter that wraps your HttpSession when requested by the webapp and reports all modifications to it (that is, calls to setAttribute/removeAttribute/setValue/removeValue).
>
> 4. Any reason not to use the container-managed login and session management? Tomcat can take care of all this logic for you...
>
> -chris
Re: Session problem
Btw, Jason, I have verified that the domain is the same.

-h

On Wed, Aug 25, 2010 at 9:55 AM, Hisham mohis...@gmail.com wrote:

> Chris, thanks for your reply!
>
>> 1. Are you using cookies? If you don't properly encode all the URLs in your webapp, you could be losing session information when cookies are /not/ being used. It sounds like you are using cookies, though, given your statement about using Firebug to read the headers en route.
>
> I'm not using any cookies. Also i want to stress the fact that the app works fine in my local environment.
>
>> 2. Even if your session id is okay, are you dumping the value of the test attribute for the session? Even though you aren't removing it, that attribute might have been damaged by something else.
>
> I've looked everywhere, and unless i missed something i don't think this is the issue.
>
>> 3. You could write another filter that wraps your HttpSession when requested by the webapp and reports all modifications to it (that is, calls to setAttribute/removeAttribute/setValue/removeValue).
>
> How would I go about doing this? Is there a particular filter that listens to attributes being changed?
>
>> 4. Any reason not to use the container-managed login and session management? Tomcat can take care of all this logic for you...
>
> Will eventually move to this, you're right. I am using Spring so will use Spring security/Acegi.
>
> -h
>
> On Wed, Aug 25, 2010 at 9:31 AM, Christopher Schultz ch...@christopherschultz.net wrote:
>
>> Hisham,
>>
>> On 8/24/2010 10:30 PM, Hisham wrote:
>>> Jason, you're right in that the tabs i was referring to were tabs within my application. I will verify tomorrow whether the domain is different, but i seriously doubt it.
>>
>> I have a few other things you could check out:
>>
>> 1. Are you using cookies? If you don't properly encode all the URLs in your webapp, you could be losing session information when cookies are /not/ being used. It sounds like you are using cookies, though, given your statement about using Firebug to read the headers en route.
>>
>> 2. Even if your session id is okay, are you dumping the value of the test attribute for the session? Even though you aren't removing it, that attribute might have been damaged by something else.
>>
>> 3. You could write another filter that wraps your HttpSession when requested by the webapp and reports all modifications to it (that is, calls to setAttribute/removeAttribute/setValue/removeValue).
>>
>> 4. Any reason not to use the container-managed login and session management? Tomcat can take care of all this logic for you...
>>
>> -chris
Re: Session problem
Chris,

Let me rephrase what I said: I am not using any custom cookies, the JsessionID cookie gets created by default.

So i created an HttpSessionAttributeListener listener. And what i observed is truly weird. Once i click on Messages tab, the request goes through fine, there are a couple of images that are requested that are delivered correctly. After all this has finished, 2 of the attributes i have stored in the session are removed. Mind you, i have more attributes that DON'T get removed. I did a complete hack that IF these other attributes are still present then go ahead and put the 2 attributes back into the session - and it works fine now!

Of course i'm not gonna leave it like this, i still need to figure out what the hell is going on!

Here is my filter code:

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        boolean authorized = false;
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        System.out.println(req.getRequestURL());
        if (session != null && session.getAttribute("ub") != null) {
            authorized = true;
            System.out.println("setting authorized = true");
            chain.doFilter(request, response);
        }
        // forward the request to login page
        if (!authorized) {
            System.out.println("kicked someone from " + request.getRemoteAddr());
            res.setHeader("session", "invalid");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Your session is invalid or have expired.");
        }
    }

-h

On Wed, Aug 25, 2010 at 10:11 AM, Christopher Schultz ch...@christopherschultz.net wrote:

> Hisham,
>
> On 8/25/2010 9:55 AM, Hisham wrote:
>>> 1. Are you using cookies? If you don't properly encode all the URLs in your webapp, you could be losing session information when cookies are /not/ being used. It sounds like you are using cookies, though, given your statement about using Firebug to read the headers en route.
>>
>> I'm not using any cookies. Also i want to stress the fact that the app works fine in my local environment.
>
> Uh, then I'm confused by your original post, which included this:
>
>> Which is strange because the session id is the same (i have verified by printing it out, and also seeing what is sent in the actual request headers via firebug).
>
> If you were observing the headers for your session id, then what other header would you be looking for besides the JSESSIONID cookie?
>
> If you aren't using cookies for session id management, then are you properly encoding all your URLs? If you aren't, you'll lose your session when you click on one of those URLs. Please post the HTML code around the link to your Messages page.
>
>>> 2. Even if your session id is okay, are you dumping the value of the test attribute for the session? Even though you aren't removing it, that attribute might have been damaged by something else.
>>
>> I've looked everywhere, and unless i missed something i don't think this is the issue.
>
> You still didn't say that you actually observed the value you expect to be in the session, and your Filter still forces a login. Could you:
>
> 1. Post the code to your filter
> 2. Add a logging statement that prints the URL being accessed
>
> It's possible that there's some image being requested that's fouling things up.
>
>>> 3. You could write another filter that wraps your HttpSession when requested by the webapp and reports all modifications to it (that is, calls to setAttribute/removeAttribute/setValue/removeValue).
>>
>> How would I go about doing this? Is there a particular filter that listens to attributes being changed?
>
> No, which is why I said you could write one. I believe I've posted the full code for such a filter on this list in the past. Consider searching the archives.
>
>>> 4. Any reason not to use the container-managed login and session management? Tomcat can take care of all this logic for you...
>>
>> Will eventually move to this, you're right. I am using Spring so will use Spring security/Acegi.
>
> Maybe now would be a good time for that. You may spend less time implementing ACEGI than you would tracking-down whatever this problem is.
>
> I suspect that the Windows vs. Linux environment is not related to the problem you're experiencing (unless this is some kind of case-sensitive issue, which is entirely possible).
>
> -chris
Session problem
Hello all,

I have a problem that is driving me crazy. I don't even know if it's a Tomcat issue but maybe someone out there can help me out.

I have a webapp that I first developed locally. I tested this on my local environment (windows) and had no issues. I then deployed the same app to our QA environment (linux). There i am seeing something strange. There are three main tabs, Home, Messages and Admin. I can go between home and admin, no probs. But once i click on Messages, somehow the session on the server gets messed up.

The way i check whether session is valid or not is that I have a filter that will check if a certain attribute is present in the session or not. If it's not, i assume the session is invalid and forward to login page. As soon as i click on the Messages link, i cannot do anything else; anywhere else i click it takes me to the login page. I put print statements in my filter and verified that it is not able to find the attribute in the session. Which is strange because the session id is the same (i have verified by printing it out, and also seeing what is sent in the actual request headers via firebug). I am not removing the attribute from the session in any place; and in any case it works fine locally as i said before.

Does anyone have any clue as to what could be happening? I can post code if needed, but i don't know where to begin :)

Any help appreciated! Thanks.

-h
Re: Session problem
Jason, you're right in that the tabs i was referring to were tabs within my application. I will verify tomorrow whether the domain is different, but i seriously doubt it. Thanks for your reply.

-h

On Tue, Aug 24, 2010 at 8:06 PM, Jason Britton jbritto...@gmail.com wrote:

> Stephen - your statement doesn't really make sense in context to the problem he described or how I replied. From Hisham's first post I believe he's describing tabs within the context of a single web page interface, when he clicks on any of the three tabs a request is made (asynchronous or otherwise), request passes through a servlet filter that checks for existence of session attribute etc.. I was suggesting he check that he hadn't, for some unknown reason, hardcoded a different domain for the Messages link, if that were the case that domain (eg. localhost instead of dev2) would not have the same session as the other links and the session attribute value he was looking for might not be there, which would fit with what he's describing.
>
> Jason
>
> On Tue, Aug 24, 2010 at 3:37 PM, Stephen Caine step...@commongrnd.com wrote:
>
>> Jason,
>>
>> As each window shares the same session, a change to the session value in one window will affect the session value in the others.
>>
>> Stephen Caine
>>
>> On Aug 24, 2010, at 5:21 PM, Jason Britton wrote:
>>
>>> I would make sure that the link for your Messages tab is going to the same domain as that your session was established under and is hitting the same domain as your Home and Admin links. This doesn't seem to have anything to do with Tomcat though.
>>>
>>> On Tue, Aug 24, 2010 at 1:53 PM, Hisham mohis...@gmail.com wrote:
>>>
>>>> Hello all,
>>>>
>>>> I have a problem that is driving me crazy. I don't even know if it's a Tomcat issue but maybe someone out there can help me out.
>>>>
>>>> I have a webapp that I first developed locally. I tested this on my local environment (windows) and had no issues. I then deployed the same app to our QA environment (linux). There i am seeing something strange. There are three main tabs, Home, Messages and Admin. I can go between home and admin, no probs. But once i click on Messages, somehow the session on the server gets messed up.
>>>>
>>>> The way i check whether session is valid or not is that I have a filter that will check if a certain attribute is present in the session or not. If it's not, i assume the session is invalid and forward to login page. As soon as i click on the Messages link, i cannot do anything else; anywhere else i click it takes me to the login page. I put print statements in my filter and verified that it is not able to find the attribute in the session. Which is strange because the session id is the same (i have verified by printing it out, and also seeing what is sent in the actual request headers via firebug). I am not removing the attribute from the session in any place; and in any case it works fine locally as i said before.
>>>>
>>>> Does anyone have any clue as to what could be happening? I can post code if needed, but i don't know where to begin :)
Re: Https forwarding problem
Thanks for your reply Chris.

At first i did try to limit using address attribute, but later i removed it. The config snippets i have shown are complete.

You are right, the exception is coming from the web service call. My concern is that because i have this security-constraint which makes any url pattern CONFIDENTIAL, that it's causing the web service call to be redirected as well. And it's very frustrating why the following config is NOT working (where i specify that urls starting with axis2 should be ignored), and ws calls STILL get redirected:

    <security-constraint>
      <web-resource-collection>
        <url-pattern>/axis2/*</url-pattern>
        <url-pattern>/axis2/rest/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Any ideas? Thanks.

-h

On Tue, Mar 10, 2009 at 9:07 PM, Christopher Schultz ch...@christopherschultz.net wrote:

> Hisham,
>
> On 3/6/2009 6:21 AM, Hisham wrote:
>>     <url-pattern>/*</url-pattern>
>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>
> Good.
>
>>     <Connector port="80" redirectPort="443" />
>>     <Connector port="443" scheme="https" secure="true"
>>                clientAuth="false" sslProtocol="TLS"
>>                keystoreFile="conf/keystore.jks" keystorePass="xyz"
>>                maxPostSize="15728640" />
>
> Good.
>
>> I have created the certificates, etc. and it works fine and if i type http://localhost I am redirected to https://localhost and the login page is shown.
>
> Good.
>
>> But, during login, I am making a web service call. These web services are deployed on the same Tomcat and are accessed via http://localhost/axis2/rest... When i try to login I am getting an exception:
>>
>>     java.net.ConnectException: Connection refused
>>         at java.net.PlainSocketImpl.socketConnect(Native Method)
>>         at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
>
> Presumably this happens to the web service call, not to your application, right? Your stack trace didn't include enough to show where your code comes in.
>
> Connection Refused indicates that you can't reach the correct service. Since you're connecting to localhost you're unlikely to be having firewall issues (though such access /could/ be blocked). My guess is that you've bound your Connector to a specific IP address using the address attribute. Did you post your entire server.xml file, or just the relevant parts? You might want to re-post with all the details.
>
>> So i figured that the web service call is also being accessed via SSL and that is not supported by the caller. Anyway to get around this I have tried a NUMBER of things:
>>
>> 1. I added a second security-constraint in web.xml with url pattern as /axis2/* which has transport-guarantee as NONE.
>> 2. I added a 2nd service to my server.xml that has the web services deployed on a different port.
>> 3. And a whole lot of other things that were useless :(
>>
>> Is it even possible to do this, going from https -> http (they are 2 separate applications mind you)? Does anyone have any suggestions on how to fix this? This is driving me nuts! Thanks!
>
> If you get the same error (connection refused) no matter what you try, then my conclusion is that you'd bound your Connector to specific address. That means that you can't make a connection to localhost:80 because nobody is listening.
>
> -chris
Re: [Problem]Tomcat 6.x with Active Directory on Windows Server 2003
    org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1'
    DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authenticating username 'testuser1'
    DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful
    DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Authentication of 'testuser1' was successful
    DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp'
    DEBUG http-8080-1 org.apache.catalina.authenticator.FormAuthenticator - Redirecting to original '/adtest/session.jsp'
    DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check
    DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed authenticate() test ??/adtest/j_security_check
    ..
    DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup
    DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - Username testuser1 does NOT have role TestGroup
    DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup
    DEBUG http-8080-1 org.apache.catalina.realm.RealmBase - No role found: TestGroup
    DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test
    DEBUG http-8080-1 org.apache.catalina.authenticator.AuthenticatorBase - Failed accessControl() test

I feel quite strange, as you can see in the attachment, the testuser1 is member of TestGroup, and TestGroup is already defined in web.xml, I wonder any further configuration or debug I should do?

http://www.nabble.com/file/p20375746/adtest.rar adtest.rar

--
Hisham Farahat
Tomcat 6.0 problems with LDAP ( connection gets blocked for 10 min)
    )
        at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source)
        at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
        at javax.naming.spi.NamingManager.processURL(Unknown Source)
        at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
        at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
        ... 23 more
    Oct 29, 2008 8:30:15 AM org.apache.catalina.realm.JNDIRealm close
    FINE: Closing directory context
    Oct 29, 2008 8:30:15 AM org.apache.catalina.core.ApplicationDispatcher doForward
    FINE: Disabling the response for futher output
    ==

2- Rebooting the machine will solve the problem
3- Restarting Tomcat won't affect anything
4- I can connect to the LDAP server using Softerra LDAP Administration during the 10 blocking minutes
5- The system admin checked the log of the AD and nothing there.
6- I have tried to put the realm configuration under the context.xml, and the same thing happens.
7- most probably when i leave the session to expire ( 5 min) and try to login again afterwards it gets blocked.

Please help me in this issue, i need it working correctly ASAP.

P.S Thanks for every one who helped and will help me in this issue.

Regards,
--
Hisham Farahat
Re:
I have used Softerra LDAP Admin and it worked while tomcat did not.

How can i increase the verbosity? i tried to configure log4j, but i could not build the extra component (extra.xml) because i'm on windows machine and i've installed tomcat using windows service installer.

Any ideas? thanks for your help!!

On Mon, Oct 27, 2008 at 1:13 PM, Serge Fonville [EMAIL PROTECTED] wrote:

> Perhaps if you download Symas OpenLDAP 2.3 (CDS v3) Silver Edition (Requires registration) (an ldap server for windows), you can use the accompanying utilities to try and do the same tomcat does. That way you can try to determine if there is anything related to the configuration that is incorrect.
>
> Also if you increase the verbosity of the logging (http://tomcat.apache.org/tomcat-6.0-doc/logging.html) you might be able to determine what exactly went wrong.
>
> Hope this helps
>
> Regards,
> Serge Fonville
>
> On Mon, Oct 27, 2008 at 10:33 AM, Hisham Farahat [EMAIL PROTECTED] wrote:
>
>> It is on a separate server, running windows server 2003. And no wrong passwords attempts, it happens from the 1st attempt.
>>
>> Sorry for the title thing :)
>>
>> On Mon, Oct 27, 2008 at 12:20 PM, André Warnier [EMAIL PROTECTED] wrote:
>>
>>> Hisham Farahat wrote:
>>>> Dear All,
>>>>
>>>> I have a problem with my web application. I configured tomcat 6.0 to authenticate users through Realm ( LDAP), it connects to an active directory server. Everything seems OK, but sometimes the connection could not be established ( Connection refused ) and it continues with this state for ~ 10 minutes. Stopping and starting tomcat again won't affect anything, I should restart the machine so that users can access the web application normally ( or just wait for 10 minutes). How can I solve this problem?
>>>>
>>>> Regards,
>>>
>>> As someone else asked, you need to provide some additional details, such as :
>>> - is this Tomcat running on your workstation ? else on what ?
>>>
>>> With only the explanation above, I would guess that the LDAP server somehow (maybe after a few unsuccessful attempts with bad passwords ?), puts your Tomcat server on some blacklist, and refuses connections from it. Maybe when you reboot the machine, it gets a different IP address and is thus no longer on the blacklist at first ?
>>>
>>> It does not sound like a specific Tomcat issue though.

--
Hisham Farahat
Re:
Source) at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source) at com.sun.jndi.ldap.LdapCtx.init(Unknown Source) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source) at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source) at javax.naming.spi.NamingManager.getURLObject(Unknown Source) at javax.naming.spi.NamingManager.processURL(Unknown Source) at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source) at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source) ... 23 more Oct 28, 2008 2:33:26 PM org.apache.catalina.realm.JNDIRealm close FINE: Closing directory context Oct 28, 2008 2:33:26 PM org.apache.catalina.core.ApplicationDispatcher doForward FINE: Disabling the response for futher output The error 401 is very strange, because i did not access the the system that time. BTW the session expiration is 5 minuets. Please Help me in this. On Tue, Oct 28, 2008 at 1:39 PM, Serge Fonville [EMAIL PROTECTED]wrote: You can build it on windows, since ant for windows can be downloaded the same as for any other platform it is available for the fact tomcat was installed as a service has no impact on what can and can't be loaded inside tomcat since tomcat loads it's configuration file on startup and has all libraies in its classpath avaiable to it. the rest can be found on the tomcat website about logging (which yoiu clearly already found) Perhaps you got a specific error during building. If so, what was it and what steps did you take (before,during,after) Regards, Serge Fonville On Tue, Oct 28, 2008 at 11:17 AM, Hisham Farahat [EMAIL PROTECTED] wrote: I have used Softerra LDAP Admin and it worked while tomcat did not. How can i increase the verbosity ? i tried to configure log4j, but i could not build the extra component (extra.xml) because i'm on windows machine and i've installed tomcat using windows service installer. Any ideas? thanks for your help!! 
*using windows service instdalle**log4jl* On Mon, Oct 27, 2008 at 1:13 PM, Serge Fonville [EMAIL PROTECTED] wrote: Perhaps if you download Symas OpenLDAP 2.3 (CDS v3) Silver Editionjavascript:uiform_click('xanchor_2212_5') (Requires registration) (an ldap server for windows), you can use the accompanying uilities to try and do the same tomcat does.That way you can try to determine if there is anything related to the configuration that is incorrect. Also if you increase the verbosity of the logginghttp://tomcat.apache.org/tomcat-6.0-doc/logging.htmlyou might be able to determine what exactly went wrong. Hope this helps Regards, Serge Fonville Links: On Mon, Oct 27, 2008 at 10:33 AM, Hisham Farahat [EMAIL PROTECTED] wrote: It is on a separate server, running windows server 2003. And no wrong passwords attempts, it happens from the 1st attempt. Sorry for the title thing :) On Mon, Oct 27, 2008 at 12:20 PM, André Warnier [EMAIL PROTECTED] wrote: Hisham Farahat wrote: Dear All, I have a problem with my web application. I configured tomcat 6.0 to authenticate users through Realm ( LDAP), it connects to an active directory server. Everything seems OK, but sometimes the connection could not be established ( Connection refused ) and it continues with this state for ~ 10 minutes. Stopping and starting tomcat again won't affect anything, I should restart the machine so that users can access the web application normally ( or just wait for 10 minutes). How can I solve this problem? Regards, As someone else asked, you need to provide some additional details, such as : - is this Tomcat running on your workstation ? else on what ? With only the explanation above, I would guess that the LDAP server somehow (maybe after a few unsuccesful attempts with bad passwords ?), puts your Tomcat server on some blacklist, and refuses connections from it. Maybe when you reboot the machine, it gets a different IP address and is thus no longer on the blacklist at first ? 
It does not sound like a specific Tomcat issue though.

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

-- Hisham Farahat
Re:
I meant the errors you had when building commons for log4j (since you said you couldn't build it)

I went to the easier way, using java.util.logger :)

Have you tried manually connecting to the AD server with a commandline LDAP client

yes, using a program called Softerra LDAP Admin. And it connects normally.

is the tomcat host and the AD server the same system?

No it is not. Looking at the AD logs, and verifying sockets needs the system admin authorization. I'll check with him. Thanks :)

On Tue, Oct 28, 2008 at 3:31 PM, Serge Fonville [EMAIL PROTECTED] wrote:

I would start looking at the logs of the AD server
It seems the AD server has refused the connection, so maybe there is a more clear error there
I meant the errors you had when building commons for log4j (since you said you couldn't build it)
Have you tried manually connecting to the AD server with a commandline LDAP client
Perhaps you can try to telnet to the address you connect to
Since these errors at this time not yet make sense, perhaps it is advisable to run wireshark on the AD server and perform a netstat to verify sockets are listening as you would expect.
Is the tomcat host and the AD server the same system (have you tried on another system)
windows has its quirks (not being able to connect to the local IP for example)

Regards, Serge Fonville

On Tue, Oct 28, 2008 at 1:13 PM, Hisham Farahat [EMAIL PROTECTED] wrote:

Ok, i used the normal logger with ALL messages showing out, here is the part of the log where the error occurred:

Oct 28, 2008 2:21:07 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: Found role Infonet-Admins
Oct 28, 2008 2:24:07 PM org.apache.catalina.core.StandardHostValve custom FINE: Processing ErrorPage[errorCode=401, location=/401.jsp]
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getUserBySearch FINER: entry found for tomcat with dn CN=tomcat,CN=Users,DC=company,DC=com
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm bindAsUser FINER: validating credentials by binding as the user
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm bindAsUser FINER: binding as CN=tomcat,CN=Users,DC=company,DC=com
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm checkCredentials FINER: Username tomcat successfully authenticated
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: getRoles(CN=tomcat,CN=Users,DC=company,DC=com)
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm addAttributeValues FINER: retrieving values for attribute description
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm addAttributeValues FINER: retrieving values for attribute description
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm addAttributeValues FINER: retrieving values for attribute description
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: Returning 3 roles
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: Found role admin
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: Found role manager
Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm getRoles FINER: Found role Infonet-Admins
Oct 28, 2008 2:33:22 PM org.apache.catalina.core.ApplicationDispatcher doForward FINE: Disabling the response for futher output
Oct 28, 2008 2:33:26 PM org.apache.catalina.realm.JNDIRealm authenticate SEVERE: Exception performing authentication
javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: company.com:389 [Root exception is java.net.ConnectException: Connection refused: connect]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(Unknown Source)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(Unknown Source)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1097)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:992)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:941)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:810)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java
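Added example, not part of the original thread: a small Python parser for the java.util.logging output quoted above. It unwraps the "[Root exception is ...]" chain in SEVERE JNDIRealm records and reports the LDAP endpoint that refused the connection and whether the trace passes through JNDI's referral-following frame (hasMoreReferrals). The function names and the SAMPLE constant are this example's own; the sample records are copied from the thread's log with the stack trace shortened.

```python
import re
from datetime import datetime
# Constructed sample: records copied from the log quoted in the thread, flattened
# onto one line the way the archive shows them, with the stack trace shortened.
SAMPLE = (
    "Oct 28, 2008 2:24:13 PM org.apache.catalina.realm.JNDIRealm checkCredentials "
    "FINER: Username tomcat successfully authenticated "
    "Oct 28, 2008 2:33:26 PM org.apache.catalina.realm.JNDIRealm authenticate "
    "SEVERE: Exception performing authentication "
    "javax.naming.PartialResultException [Root exception is "
    "javax.naming.CommunicationException: company.com:389 [Root exception is "
    "java.net.ConnectException: Connection refused: connect]] "
    "at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(Unknown Source) "
    "Oct 28, 2008 2:33:26 PM org.apache.catalina.realm.JNDIRealm close "
    "FINE: Closing directory context"
)
# Header of a java.util.logging record: timestamp, logger class, method, level.
HEADER = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<cls>[\w.$]+) (?P<method>\w+)\s+"
    r"(?P<level>SEVERE|WARNING|INFO|CONFIG|FINEST|FINER|FINE): ")
FIRST_EXC = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))\b")
ROOT_EXC = re.compile(r"Root exception is ([\w.$]+)")
TARGET = re.compile(r"CommunicationException: ([\w.-]+):(\d+)")

def parse_records(text):
    """Yield one dict per record; works whether or not newlines survived."""
    hits = list(HEADER.finditer(text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%b %d, %Y %I:%M:%S %p")
        rec["msg"] = text[m.end():end].strip()
        yield rec

def realm_failures(text):
    """Summarise SEVERE JNDIRealm records: cause chain, LDAP target, and whether
    the trace passes through JNDI's referral-following frame."""
    out = []
    for rec in parse_records(text):
        if rec["level"] != "SEVERE" or not rec["cls"].endswith(".JNDIRealm"):
            continue
        head, target = FIRST_EXC.search(rec["msg"]), TARGET.search(rec["msg"])
        out.append({
            "when": rec["ts"],
            "chain": ([head.group(1)] if head else []) + ROOT_EXC.findall(rec["msg"]),
            "target": (target.group(1), int(target.group(2))) if target else None,
            "during_referral": "hasMoreReferrals" in rec["msg"],
        })
    return out
```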
Re:
Dear All, I have a problem with my web application. I configured tomcat 6.0 to authenticate users through Realm ( LDAP), it connects to an active directory server. Everything seems OK, but sometimes the connection could not be established ( Connection refused ) and it continues with this state for ~ 10 minutes. Stopping and starting tomcat again won't affect anything, I should restart the machine so that users can access the web application normally ( or just wait for 10 minutes). How can I solve this problem? Regards, -- Hisham Farahat
Re:
Thanx for your reply

1- yes , the log has this exception each time i need to login : [Root exception is java.net.ConnectException: Connection refused: connect]]
2- What do you mean by functioning?
3- this is the realm in server.xml ( By the way i tried to put it in both server.xml and context.xml ,with both the same problem occurred)

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://company.com:389/"
       connectionName="CN=tomcat,CN=Users,DC=company,DC=com"
       connectionPassword="***"
       alternateURL="ldap://192.168.205.2:389/"
       userSubtree="true"
       referrals="follow"
       userSearch="###"
       userBase="DC=company,DC=com"
       roleBase="CN=Users,DC=company,DC=com"
       roleName="description"
       roleSearch="member={0}"
       roleSubtree="true"
       allRolesMode="AuthOnly" />

4- no, just 20% of the times when i logged in. sometimes it happens once a day and sometimes i could not even login it continuously doing this issue.
5- no randomly
6- the whole server takes 500 MB, it's not that much.
7- if with busy you mean, how frequent users use it. Then no it is not, im the only one it still in testing phase.
8- Windows server 2003
9- I think yes, if not then how users are logging to their domain using AD accounts

On Mon, Oct 27, 2008 at 11:52 AM, Serge Fonville [EMAIL PROTECTED] wrote:

I would need a little bit more information about your environment
Have you looked at the logging
How is your network functioning
How is the realm configured
Has it always been like this or at some point
Are there specific times of day it occurs
How is the memory usage of tomcat
How busy is tomcat
What OS is it running on
Can you use ldap manually without errors

Regards, Serge Fonville

On Mon, Oct 27, 2008 at 9:18 AM, Hisham Farahat [EMAIL PROTECTED] wrote:

Dear All, I have a problem with my web application. I configured tomcat 6.0 to authenticate users through Realm ( LDAP), it connects to an active directory server.
Everything seems OK, but sometimes the connection could not be established ( Connection refused ) and it continues with this state for ~ 10 minutes. Stopping and starting tomcat again won't affect anything, I should restart the machine so that users can access the web application normally ( or just wait for 10 minutes). How can I solve this problem? Regards, -- Hisham Farahat -- Hisham Farahat
Re:
One more issue, most probably it occurs when i try to login after a previous timed out session

On Mon, Oct 27, 2008 at 12:18 PM, Hisham Farahat [EMAIL PROTECTED] wrote:

Thanx for your reply

1- yes , the log has this exception each time i need to login : [Root exception is java.net.ConnectException: Connection refused: connect]]
2- What do you mean by functioning?
3- this is the realm in server.xml ( By the way i tried to put it in both server.xml and context.xml ,with both the same problem occurred)

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://company.com:389/"
       connectionName="CN=tomcat,CN=Users,DC=company,DC=com"
       connectionPassword="***"
       alternateURL="ldap://192.168.205.2:389/"
       userSubtree="true"
       referrals="follow"
       userSearch="###"
       userBase="DC=company,DC=com"
       roleBase="CN=Users,DC=company,DC=com"
       roleName="description"
       roleSearch="member={0}"
       roleSubtree="true"
       allRolesMode="AuthOnly" />

4- no, just 20% of the times when i logged in. sometimes it happens once a day and sometimes i could not even login it continuously doing this issue.
5- no randomly
6- the whole server takes 500 MB, it's not that much.
7- if with busy you mean, how frequent users use it. Then no it is not, im the only one it still in testing phase.
8- Windows server 2003
9- I think yes, if not then how users are logging to their domain using AD accounts

On Mon, Oct 27, 2008 at 11:52 AM, Serge Fonville [EMAIL PROTECTED] wrote:

I would need a little bit more information about your environment
Have you looked at the logging
How is your network functioning
How is the realm configured
Has it always been like this or at some point
Are there specific times of day it occurs
How is the memory usage of tomcat
How busy is tomcat
What OS is it running on
Can you use ldap manually without errors

Regards, Serge Fonville

On Mon, Oct 27, 2008 at 9:18 AM, Hisham Farahat [EMAIL PROTECTED] wrote:

Dear All, I have a problem with my web application.
I configured tomcat 6.0 to authenticate users through Realm ( LDAP), it connects to an active directory server. Everything seems OK, but sometimes the connection could not be established ( Connection refused ) and it continues with this state for ~ 10 minutes. Stopping and starting tomcat again won't affect anything, I should restart the machine so that users can access the web application normally ( or just wait for 10 minutes). How can I solve this problem? Regards, -- Hisham Farahat -- Hisham Farahat -- Hisham Farahat
Re:
It is on a separate server, running windows server 2003. And no wrong passwords attempts, it happens from the 1st attempt. Sorry for the title thing :)

On Mon, Oct 27, 2008 at 12:20 PM, André Warnier [EMAIL PROTECTED] wrote:

Hisham Farahat wrote:

Dear All, I have a problem with my web application. I configured tomcat 6.0 to authenticate users through Realm ( LDAP), it connects to an active directory server. Everything seems OK, but sometimes the connection could not be established ( Connection refused ) and it continues with this state for ~ 10 minutes. Stopping and starting tomcat again won't affect anything, I should restart the machine so that users can access the web application normally ( or just wait for 10 minutes). How can I solve this problem? Regards,

As someone else asked, you need to provide some additional details, such as : - is this Tomcat running on your workstation ? else on what ? With only the explanation above, I would guess that the LDAP server somehow (maybe after a few unsuccessful attempts with bad passwords ?), puts your Tomcat server on some blacklist, and refuses connections from it. Maybe when you reboot the machine, it gets a different IP address and is thus no longer on the blacklist at first ? It does not sound like a specific Tomcat issue though.

-- Hisham Farahat
Tomcat server with two websites with two different authentications
Dear All, Can i configure tomcat to host two different websites? How can i do it? any directions? Moreover i need to have two different authentication methods for the two websites, (e.g. one using LDAP and the other using normal tomcat user list (tomcat-users.xml)) I hope someone can help me in this. regards,

-- Hisham Farahat
Re: Tomcat server with two websites with two different authentications
Thanks for your reply. How can i configure the virtual hosts in tomcat?

On Mon, Oct 27, 2008 at 1:49 PM, Tim Funk [EMAIL PROTECTED] wrote:

You need to configure a Realm per Virtual Host (or if different webapps in the same vhost need different authentication schemes - the Realm element can be per context too) http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html

-Tim

Hisham Farahat wrote:

Dear All, Can i configure tomcat to host two different websites? How can i do it? any directions? Moreover i need to have two different authentication methods for the two websites, (e.g. one using LDAP and the other using normal tomcat user list (tomcat-users.xml))

-- Hisham Farahat