Re: Tomcat, iis connector and case sensitivity
Hello all,

I'm trying to add redirect rules to the tomcat connector. I've been reading the Tomcat connector documentation, and what I've done till the moment is this:

1.- I've created a rewrite_rules.properties with this content:

    /myapplication/=/MyApplication/
    /MYAPPLICATION/=/MyApplication/
    /MYAP/=/MyApplication/

2.- I've added this to isapi_redirect.properties:

    # Full path to the rewrite_rules.properties file
    rewrite_rule_file=c:\apache-tomcat-6.0.14\conf\rewrite_rules.properties

... but it only works with /MyApplication/ (the name in webapps in tomcat). Any other form (myapplication, MYAPPLICATION or MYAP) returns a 404 error.

Does somebody know what I'm doing wrong?

Thank you all

Regards
Re: Tomcat, iis connector and case sensitivity
Hello André, thanks for your answer,

My configuration is:

- tomcat 6
- IIS 6
- Windows 2003 server SP1
- tomcat connector 1.2.26

When I ask for MYAP, what appears is not an IIS screen but a Tomcat error. So, I assumed the connector was correctly deriving the requests from IIS to Tomcat.

2008/6/16 André Warnier [EMAIL PROTECTED]:
> Luis Villa wrote:
> > Hello all,
> >
> > I'm trying to add redirect rules to the tomcat connector. I've been reading the Tomcat connector documentation, and what I've done till the moment is this:
> >
> > 1.- I've created a rewrite_rules.properties with this content:
> >
> >     /myapplication/=/MyApplication/
> >     /MYAPPLICATION/=/MyApplication/
> >     /MYAP/=/MyApplication/
> >
> > 2.- I've added this to isapi_redirect.properties:
> >
> >     # Full path to the rewrite_rules.properties file
> >     rewrite_rule_file=c:\apache-tomcat-6.0.14\conf\rewrite_rules.properties
> >
> > ... but it only works with /MyApplication/ (the name in webapps in tomcat). Any other form (myapplication, MYAPPLICATION or MYAP) returns a 404 error.
>
> Hi.
> It might be a good idea to provide a bit of detail about your configuration, it would help the people trying to help you. One can kind of guess from the above that you are running under Windows, with Tomcat 6.0.14, and are using an isapi connector, thus from IIS or the like, but it requires some effort.
>
> I don't really know that precise environment, but I'll take a pot-shot anyway: is it not that your rewrite rules are being run too late, and they never see requests with /myapplication/, /MYAPPLICATION/ or /MYAP/?
> Presumably, before they get to the isapi connector, requests go to the front-end HTTPD server. If that one does not know that it should redirect /myapplication/, /MYAPPLICATION/ or /MYAP/ to the connector, then the connector never gets to see them. Instead, the HTTPD server will try to serve those requests itself, and since it doesn't have those documents, respond with 404.
>
> Does the 404 error page look like a Tomcat page, or else?
>
> André

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat, iis connector and case sensitivity
Ok, I found the problem :)

What was misconfigured was the virtual directory in IIS. There was a mess of configuration files and the one I was changing was not the one the previous system admin configured :S

The thing is, there was configuration in the registry, and 3 folders with the isapi redirector. I caught it when setting log_level to debug did nothing.

Now it works perfectly.

Thank you all :)

Regards
Re: Tomcat, iis connector and case sensitivity
Hello Christopher,

First of all, thank you for your answer :)

I understand the standard is case-sensitive URLs, but the truth is that the customer doesn't care about standards, and that's the case.

The application I'm working in is targeted to basic users. They simply won't be careful about the casing of the url. What happened in the organization I'm working in, when it deployed applications with case sensitive URLs in the past, is that tech support received hundreds of telephone calls claiming the application simply doesn't work. So users are unhappy and the people of technical support are really unhappy.

So, I think the answer to 'why do I need it?' is: because the customer really wants it :) They want it so badly that it could be a blocking issue in the project I'm working in. They could even prescribe a change of technology for that matter :S

Thanks again, Christopher

2008/5/22 Christopher Schultz [EMAIL PROTECTED]:
> Luis,
>
> Luis Villa wrote:
> | I'm using IIS 6 with Tomcat 6, and I need to use case insensitive urls.
>
> I'm pretty sure that breaks the URI specification. The only part of the URI which is considered case-insensitive is the scheme (protocol). Since hostnames are, by definition, case-insensitive, they are also treated as case-insensitive.
>
> Since case-insensitivity is explicitly mentioned in several cases, but not anywhere for the remainder of the URI, it implies that the rest of the URI is supposed to be case-sensitive.
>
> See http://www.ietf.org/rfc/rfc2396.txt
>
> | I've been able to do it with the document part, but not with the
> | context name, so:
> |
> | http://MyDomain/index.html --loads
> | http://MyDomain/INDEX.html --loads
> | http://MYDOMAIN/INDEX.html --does not load !
> |
> | How could I fix this?
>
> Why do you need it in the first place?
>
> -chris
Tomcat, iis connector and case sensitivity
Hello all,

I'm using IIS 6 with Tomcat 6, and I need to use case insensitive urls. I've been able to do it with the document part, but not with the context name, so:

    http://MyDomain/index.html --loads
    http://MyDomain/INDEX.html --loads
    http://MYDOMAIN/INDEX.html --does not load !

How could I fix this?

Thank you all :)
Re: Tomcat SSL, Windows 2003 and Windows-My Provider
Hello all,

I've been looking at what the problem could be in the sources, and I've found that the only keystore other than a file that tomcat supports is PKCS11.

So, I've modified org.apache.tomcat.util.net.jsse.JSSESocketFactory and it works! It is a simple modification.

Now, I'd like to share it, so Tomcat developers could include it in next releases. How could I send the changes to them?

Thanks
Re: Tomcat SSL, Windows 2003 and Windows-My Provider
Hello,

Windows-MY is a java 6 provider that wraps the MSCAPI to access certificates in the keystore of Windows (the store used when you go to Options > Content > Certificates in Internet Explorer). This store has the advantage that it allows you to use certificates based on your user but, at the same time, these certificates can be impossible to copy (export).

So, there is no place of the store (the same happens when you use PKCS11, there is no location of the store in the hard disk, you even specify keystore NONE). So, there is not a problem of *where* the store is, as the store is really in the registry of Windows.

Java is able to open it (the keys appear when using keytool), but Tomcat seems unable to do it, so I suspect Tomcat uses some method to open it that is not exactly delegating in the provider.

Has somebody found a workaround or a solution?

Thanks, John, for your answers, and thanks all of you

2008/2/8, Johnny Kewl [EMAIL PROTECTED]:
> ----- Original Message -----
> From: Luis Villa [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Sent: Friday, February 08, 2008 12:46 PM
> Subject: Tomcat SSL, Windows 2003 and Windows-My Provider
>
> > Hello all,
> >
> > I'm trying to configure a Tomcat 6 server with SSL using the Windows-My provider from java 6. I've been able to do it in Windows XP and it works perfectly, but when executing in Windows 2003, tomcat is not able to open the keystore (it says it cannot find .keystore file, although the configuration is completely the same as in WindowsXP).
>
> Hi... listen I think it's because the .keystore file is stored in the user folder... and that is changing...
> So when you logon it's in Docs and Settings/Username... but when the service starts as system user, that location is now under C:/ I think...
>
> So, either try change the service configuration to run in your user name, or figure out where it's looking for it and move the keystore there.
> IF you start tomcat from the BAT file... it will run in your user name... if that works, then you can eliminate configuration problems and just try figure out where 2003 is hiding the user location... I think
>
> > I'm using the following connector:
> >
> >     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> >                maxThreads="150" scheme="https" secure="true"
> >                clientAuth="true" sslProtocol="TLS"
> >                keystoreType="Windows-MY" keyAlias="myKey" />
>
> On our systems we seem to be using the default stuff... I actually don't know what Windows-MY is ;)
>
>     <Connector port="443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" keystorePass="xx" sslProtocol="TLS" />
>
> > I've accessed the store with 'keytool -list -storetype Windows-MY' and it works (it shows myKey).
> >
> > Is there more configuration needed in W2003 (permissions, policies, etc)? Has someone found this problem before?
> >
> > Thanks in advance
Tomcat SSL, Windows 2003 and Windows-My Provider
Hello all,

I'm trying to configure a Tomcat 6 server with SSL using the Windows-My provider from java 6. I've been able to do it in Windows XP and it works perfectly, but when executing in Windows 2003, tomcat is not able to open the keystore (it says it cannot find .keystore file, although the configuration is completely the same as in WindowsXP).

I'm using the following connector:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreType="Windows-MY" keyAlias="myKey" />

I've accessed the store with 'keytool -list -storetype Windows-MY' and it works (it shows myKey).

Is there more configuration needed in W2003 (permissions, policies, etc)? Has someone found this problem before?

Thanks in advance
Re: PKCS11 in Windows
> > Is there a way to avoid the \0 problem? (XML does not allow to specify this character)
>
> Can you do: alias="tomcat&#00;" ?

Hello Chris,

No, it is not possible to use this character in XML (so I have read in the XML specification). Anyway, I tried and, if you write that, Tomcat responds with an error:

    org.xml.sax.SAXParseException: Character reference "&#00;" is an invalid XML character.

It is almost funny how a little detail can cause so many troubles.

Thanks for your answer Chris,

Regards
PKCS11 in Windows
Hello all,

In order to secure communications between a browser and the web server I'm using tomcat with a SSL connector. This connector takes the server certificate from a Smartcard (so I'm using a PKCS11 keystore type).

The problem is that, as I'm accessing it in Windows, I have to link it to a dll file, and this causes troubles. I have found a little but really annoying one. When accessing the Smartcard, java can take all keys, but then the alias name is not, for example, tomcat but tomcat\0 (where \0 is the char 0). I suppose this is because the dll uses pchar or something like this.

So, when I configure Tomcat to use keyalias=tomcat, it cannot find it (internally, what the keystore contains is tomcat\0). I'm forced to not specify a keyalias so it uses the first one in the card. But I cannot assure the first one is the one tomcat has to use (it is possible someone is going to import more certificates in the card in the future).

Is there a way to avoid the \0 problem? (XML does not allow to specify this character)

Thank you all :)
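The alias mismatch described above can be confirmed from the JVM side before touching server.xml. The following is an added diagnostic, not code from the original posts or from Tomcat: it opens a keystore that has no file behind it (PKCS11, or the Windows-MY store from the other thread on this page) with a null stream and prints every alias with control characters escaped. The class and method names are hypothetical, and for PKCS11 it assumes the SunPKCS11 provider is already configured in the JRE.

```java
import java.io.Console;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added diagnostic (hypothetical class, not Tomcat code): lists the aliases of a
// keystore that has no file behind it and makes trailing NUL characters visible.
public class KeystoreAliasCheck {

    // Escape control characters so an alias ending in NUL prints as tomcat\x00.
    static String visible(String alias) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < alias.length(); i++) {
            char c = alias.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Remove trailing NUL characters only; everything else must match exactly.
    static String stripTrailingNul(String alias) {
        int end = alias.length();
        while (end > 0 && alias.charAt(end - 1) == '\0') {
            end--;
        }
        return alias.substring(0, end);
    }

    // Stored aliases that equal 'wanted' once trailing NULs are ignored.
    static List<String> matches(List<String> stored, String wanted) {
        List<String> hits = new ArrayList<String>();
        for (String alias : stored) {
            if (stripTrailingNul(alias).equals(wanted)) {
                hits.add(alias);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreAliasCheck <Windows-MY|PKCS11> <alias> [--pin]");
            System.exit(2);
        }
        // Prompt for the token PIN rather than passing it on the command line.
        char[] pin = null;
        Console console = System.console();
        if (args.length > 2 && console != null) {
            pin = console.readPassword("PIN: ");
        }

        KeyStore ks = KeyStore.getInstance(args[0]);
        ks.load(null, pin); // null stream: the store is not a file on disk
        List<String> stored = Collections.list(ks.aliases());
        for (String alias : stored) {
            System.out.printf("alias=[%s] length=%d keyEntry=%b%n",
                    visible(alias), alias.length(), ks.isKeyEntry(alias));
        }

        List<String> hits = matches(stored, args[1]);
        if (hits.isEmpty()) {
            System.out.println("no alias matches '" + args[1] + "'");
        } else if (hits.size() > 1) {
            System.out.println("ambiguous: " + hits.size() + " aliases differ only by trailing NULs");
        } else if (hits.get(0).equals(args[1])) {
            System.out.println("exact match, the alias can be used as written");
        } else {
            int extra = hits.get(0).length() - args[1].length();
            System.out.println("stored alias carries " + extra
                    + " trailing NUL(s); an exact-match lookup for '" + args[1] + "' fails");
        }
    }
}
```

Run it under the same account as the Tomcat service, since the Windows-MY store it opens is the one belonging to the user the JVM runs as.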
Re: Problems with clientAuth
Hello all!

Can someone throw a little light on this problem? I am not able to solve it, and I've tried anything I've found searching in google :S

Thank you all!
Re: Problems with clientAuth
Hello Martin,

Well, at least you are lucky Internet Explorer asks for the certificate, this is what it's supposed to do when using clientAuth=true. What is happening to me is that all works well with clientAuth = false, but when changing it to clientAuth=true, Firefox throws this error and IExplorer just can't find the page.

About secure=true, I'm not sure what it does, I copied it from the Tomcat 5.5. SSL Howto :S

I must confess I have no clue on how to make this work.

2007/3/30, Martin Cavanagh [EMAIL PROTECTED]:
> Hi Luis.
>
> I'm pretty sure I'm having exactly the same problem as you - maybe we can solve it together :)
>
> When I enable client authentication in my config (clientAuth="true" for you, since you're using the Java KeyStore (I'm trying to use OpenSSL)), I get exactly the same error in Firefox! (except in German ;) )
>
> In Internet Explorer I get a message that the Server requires a certificate and I need to provide one and that I should select one (I don't have any installed in Internet Explorer).
>
> Are you sure that you don't have Client Authentication turned on? What does the setting secure="true" actually do?
>
> Good luck - let me know how you go.
>
> Martin
>
> Luis Villa wrote:
> > Hello all,
> >
> > I'm a newbie on the list, so first of all I'd like to say hello to everyone :)
> >
> > After this, I'd like to ask for help with a problem I have configuring Tomcat for digital certifications. I've followed all the steps in the Tomcat SSL HOWTO and my tomcat now has a secure connector in port 8443. So, I've no error when trying to enter http://localhost:8443
> >
> > The key in server.xml is the following:
> >
> >     <Connector port="8443" maxHttpHeaderSize="8192"
> >                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> >                enableLookups="false" disableUploadTimeout="true"
> >                acceptCount="100" scheme="https" secure="true"
> >                clientAuth="false" sslProtocol="TLS"
> >                keystoreFile="conf\.keystore" keystorePass="changeit"/>
> >
> > The problem appears when changing clientAuth to true. Then, when using iexplorer the browser simply can't find the page (or this is what it says), and when using firefox it warns about the certificate, but after accepting the certification it says that 'localhost has received an unexpected or incorrect message. Error code: -12229'.
> >
> > I've been googling for two days and I can't find a clue about what is failing nor what this error code means.
> >
> > I'd be very grateful if somebody can help me with this, so my boss could stop cleaning this gun of his... :P
> >
> > Thanks in advance for your help :)
> >
> > Greetings!
Re: Problems with clientAuth
Ok, I forgot!

I used both keytool and openssl; it seems the problem is not there, as Tomcat gives the same error with both.

Greetings!
Re: Problems with clientAuth
Ok, now I'm getting mad :S

IExplorer keeps saying the page can't be found (it doesn't ask for the certificate), and Firefox throws a -12271 error (I don't know if that is close enough to the error you said, Antoine). Anyway, nothing has changed since the last 12229 error (I left the computer off in the weekend because it's in my workplace).

Martin, the behavior of Tomcat in your case (I think) is correct. You put clientAuth=true, so you are forcing the client to send the certificate to allow connection. You should install a certificate in IExplorer and Firefox.

Thank you, Antoine and Martin :)

2007/4/2, Mirou, Antoine [EMAIL PROTECTED]:
> > The problem appears when changing clientAuth to true. Then, when using iexplorer the browser simply can't find the page (or this is what it says), and when using firefox it warns about the certificate, but after accepting the certification it says that 'localhost has received an unexpected or incorrect message. Error code: -12229'.
> >
> > I've been googling for two days and I can't find a clue about what is failing nor what this error code means.
>
> I guess it's a -12227 error, and not 12229.
> This error appears when Firefox doesn't have any client certificate to give to the server. You should install a client certificate issued by the same CA on your browser.
>
> Regards,
> Antoine
Problems with clientAuth
Hello all,

I'm a newbie on the list, so first of all I'd like to say hello to everyone :)

After this, I'd like to ask for help with a problem I have configuring Tomcat for digital certifications. I've followed all the steps in the Tomcat SSL HOWTO and my tomcat now has a secure connector in port 8443. So, I've no error when trying to enter http://localhost:8443

The key in server.xml is the following:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf\.keystore" keystorePass="changeit"/>

The problem appears when changing clientAuth to true. Then, when using iexplorer the browser simply can't find the page (or this is what it says), and when using firefox it warns about the certificate, but after accepting the certification it says that 'localhost has received an unexpected or incorrect message. Error code: -12229'.

I've been googling for two days and I can't find a clue about what is failing nor what this error code means.

I'd be very grateful if somebody can help me with this, so my boss could stop cleaning this gun of his... :P

Thanks in advance for your help :)

Greetings!