RE: Why does JDBC application logging SQL instructions in Apache Tomcat lists 545 repeatedly

2013-08-06 Thread Martin O'Shea
This is now resolved. Thanks anyway.

-Original Message-
From: app...@dsl.pipex.com [mailto:app...@dsl.pipex.com] 
Sent: 06 Aug 2013 00 30
To: users@tomcat.apache.org
Subject: Why does JDBC application logging SQL instructions in Apache Tomcat
lists 545 repeatedly

I'm not sure if this is an Apache Tomcat issue or not but here goes: I am
currently running a number of programs in batch which dynamically create and
populate a number of tables in MySQL Server Version 5.5. 

When I do this, I am logging the SQL to an Apache Tomcat log file. Sometimes
the SQL listings will list a particular series of queries reading the
title elements of RSS feeds one by one such as:
  
SELECT TITLE  FROM _rss_172_917617_01012011_1293889632011 WHERE
CreatedDateTime BETWEEN '2011-07-01 00:00:00' 
AND '2011-07-31 23:59:00';
SELECT TITLE  FROM _rss_173_353205_01012011_1293889643042 WHERE
CreatedDateTime BETWEEN '2011-07-01 00:00:00' 
AND '2011-07-31 23:59:00';

Then the name of the system will be printed as follows in the log file:

[myApp]

And then there will be a series of lines reading:

545

Before the next series of queries run. And when the next series of queries
does run, the text of each query is listed, and then another line lists the
system name.

SELECT TITLE  FROM _rss_121_298920_24122010_1293174184748 WHERE
CreatedDateTime BETWEEN '2011-07-01 00:00:00' 
AND '2011-07-01 23:59:00';
[myApp]

MyApp is written in Java and running under Tomcat 6.0.26. I should add that
sometimes the number of queries producing the data for one table, which may
number in the hundreds, appear to be fine. Other times the 545 message is
listed: this appears to be sporadic with no apparent pattern.

Though the queries appear to be running, can anyone tell me what 545 might
mean? It seems to happen on two separate servers running the same programs
but over different data.

-- 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





RE: Why does JDBC application logging SQL instructions in Apache Tomcat lists 545 repeatedly

2013-08-06 Thread Martin O'Shea
Apologies, I should have explained.

This issue was caused by a pair of rogue System.out.println statements
which had been used for debugging. They were erroneously retained when the
code went live.

-Original Message-
From: cjder...@gmail.com [mailto:cjder...@gmail.com] On Behalf Of chris
derham
Sent: 06 Aug 2013 12 20
To: Tomcat Users List
Subject: Re: Why does JDBC application logging SQL instructions in Apache
Tomcat lists 545 repeatedly

On Tue, Aug 6, 2013 at 7:52 AM, Martin O'Shea app...@dsl.pipex.com wrote:
> This is now resolved. Thanks anyway.

For the benefit of anybody else that hits this issue, care to explain how it
was resolved?

Thanks

Chris




RE: Authentication from a REST service

2013-07-29 Thread Martin O'Shea
Sorry Chris, I'm not sure what I'm looking for here. Can you elaborate?

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 29 Jul 2013 17 21
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/28/13 10:40 AM, Martin O'Shea wrote:
> Have you an example at all?
>
> At the moment, I've simply rigged a simple authentication method of my
> own. Have you a code example of container-provided authentication
> system, or could you refer me to one?

Container-provided authentication can be done without writing any code at all:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

-chris



RE: Authentication from a REST service

2013-07-28 Thread Martin O'Shea
Chris

Have you an example at all?

At the moment, I've simply rigged a simple authentication method of my own.
Have you a code example of container-provided authentication system, or could 
you refer me to one?

Thanks

Martin O'Shea.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 28 Jul 2013 15 37
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/27/13 12:00 PM, Martin O'Shea wrote:
> Are there any suggestions if I'm not using servlet 3?

Any reason the container-provided authentication system (e.g. HTTP
BASIC) isn't acceptable?

-chris



RE: Authentication from a REST service

2013-07-27 Thread Martin O'Shea
Are there any suggestions if I'm not using servlet 3?

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 18 Jul 2013 18 52
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 1:08 PM, Martin O'Shea wrote:
> OK. So let me see if I understand what you’re suggesting: I already
> have client and server communicating with each other by sending XML
> requests via Jersey with a servlet implemented in web.xml.
>
> So in addition to this, I would need a filter set to intercept request
> with a url pattern /rest/*. This filter can then call
> HttpServletRequest.login?

Yes, this is exactly what I'm suggesting. I'm sure there are other ways to do 
it. I'm assuming that Jersey is using ServletRequest.getPrincipal to get 
authentication information from the caller (which is a reasonable assumption 
IMO). If it's being done in some other way, then this technique may not work.

-chris



Authentication from a REST service

2013-07-18 Thread Martin O'Shea
Hello

I am in the process of setting up a web service between an android app and
Tomcat 6.0.26 implemented with Jersey. I already have client and server
communicating with each other by sending XML requests. But I would like the
user of the client to be authenticated by the server for a set period of
time and then have to re-authenticate after that time has expired.

Can anyone suggest anything?

Thanks

Martin O'Shea.



RE: Authentication from a REST service

2013-07-18 Thread Martin O'Shea
Thanks Andre. I have already done so. I thought to ask it on both just in
case.

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: 18 Jul 2013 14 16
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin O'Shea wrote:
> Hello
>
> I am in the process of setting up a web service between an android app
> and Tomcat 6.0.26 implemented with Jersey. I already have client and
> server communicating with each other by sending XML requests. But I
> would like the user of the client to be authenticated by the server
> for a set period of time and then have to re-authenticate after that time
> has expired.
>
> Can anyone suggest anything?

It may be better to ask this on the Jersey user's list.
I would imagine that Jersey provides a way to force the client to be
authenticated. This would work via a session, and there is probably a way to
set the session timeout.
After the last interaction + the timeout, the session will expire, and this
should automatically force the client to re-authenticate at the next access.




RE: Authentication from a REST service

2013-07-18 Thread Martin O'Shea
Chris

It's a case of considering options at the moment. It doesn't matter too much 
about the actual expiration time of the session. But a question arises 
concerning use of a realm: if I have the following code in a realm in 
context.xml for existing browser-based logging in:

<Realm
    className="org.apache.catalina.realm.DataSourceRealm"
    digest="MD5"
    debug="99"
    dataSourceName="jdbc/MyApp"
    localDataSource="true"
    userTable="User"
    userNameCol="UserName"
    userCredCol="Password"
    userRoleTable="User"
    roleNameCol="RoleName" />

Could it be used also for the REST service? And would a servlet be required to 
handle authentication?

Thanks

Martin O'Shea.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 18 Jul 2013 15 05
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 5:34 AM, Martin O'Shea wrote:
> I am in the process of setting up a web service between an android app
> and Tomcat 6.0.26 implemented with Jersey. I already have client and
> server communicating with each other by sending XML requests. But I
> would like the user of the client to be authenticated by the server
> for a set period of time and then have to re-authenticate after that
> time has expired.

If you are using Servlet 3.0, you can use HttpServletRequest.login to 
authenticate the user using a realm configured for the context. If you use FORM 
authentication, then the session's expiration time becomes the duration of the 
login (a caveat being that the timeout is reset for every request the client 
makes).

If you want fixed-login times (like 30-minutes max regardless of how many 
requests are made), then stuff your own expiration date into the user's session 
and then check that timeout with each request. This could all be done in a 
Filter to keep things orthogonal to your servlet code.

Or were you looking for something more elaborate?

-chris



RE: Authentication from a REST service

2013-07-18 Thread Martin O'Shea
OK. So let me see if I understand what you’re suggesting: I already have client 
and server communicating with each other by sending XML requests via Jersey 
with a servlet implemented in web.xml.

So in addition to this, I would need a filter set to intercept request with a 
url pattern /rest/*. This filter can then call HttpServletRequest.login?

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 18 Jul 2013 15 39
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 10:32 AM, Martin O'Shea wrote:
> It's a case of considering options at the moment. It doesn't matter
> too much about the actual expiration time of the session. But a
> question arises concerning use of a realm: if I have the following
> code in a realm in context.xml for existing browser-based logging
> in:
>
> <Realm className="org.apache.catalina.realm.DataSourceRealm"
> digest="MD5"

FWIW, MD5 is basically deprecated at this point. I would use at least
SHA-256 for password-hashing. Honestly, I'd use a password-mangling algorithm 
and not a straight-up hash (like bcrypt, scrypt, PBKDF2, etc.).

(I've been toying-around with modifications to Tomcat's Realms and underlying 
code to help support such things, but I haven't come up with a good patch, yet).

> debug="99"

This should be removed: it must have come from an old configuration.

> dataSourceName="jdbc/MyApp" localDataSource="true" userTable="User"
> userNameCol="UserName" userCredCol="Password"
> userRoleTable="User" roleNameCol="RoleName" />
>
> Could it be used also for the REST service?

You can use it for anything you'd like.

> And would a servlet be required to handle authentication?

No, you can use a Filter. I'm not sure how Jersey is implemented, but I suspect 
that you configured either a Servlet or a Filter at some point in 
WEB-INF/web.xml. Just make sure that your own Filter performs whatever is 
necessary to authenticate (e.g. calling
HttpServletRequest.login) and then sets-up the request so that Jersey knows 
that the user has been successfully authenticated (it probably just checks 
ServletRequest.getPrincipal, which will be set up correctly after a successful 
call to HttpServletRequest.login).

-chris



RE: Authentication from a REST service

2013-07-18 Thread Martin O'Shea
Chris

I'm checking this with Jersey.

Thanks

Martin O'Shea.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 18 Jul 2013 18 52
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 1:08 PM, Martin O'Shea wrote:
> OK. So let me see if I understand what you’re suggesting: I already
> have client and server communicating with each other by sending XML
> requests via Jersey with a servlet implemented in web.xml.
>
> So in addition to this, I would need a filter set to intercept request
> with a url pattern /rest/*. This filter can then call
> HttpServletRequest.login?

Yes, this is exactly what I'm suggesting. I'm sure there are other ways to do 
it. I'm assuming that Jersey is using ServletRequest.getPrincipal to get 
authentication information from the caller (which is a reasonable assumption 
IMO). If it's being done in some other way, then this technique may not work.

-chris
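
Added example (not part of the thread, and not Jersey or Tomcat code): one way to write the Filter described in the replies above, calling HttpServletRequest.login and keeping a fixed expiry time in the session. It assumes Servlet 3.0 or later (the javax.servlet API), credentials sent as HTTP Basic over TLS, and a Realm configured for the context; the class name, session attribute name and realm label are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: Realm login for /rest/* with a fixed lifetime that activity does not extend. */
@WebFilter("/rest/*")
public class RestLoginFilter implements Filter {

    // Hypothetical names and values chosen for this example.
    static final String EXPIRES_AT = "restLogin.expiresAt";
    static final long MAX_LOGIN_MILLIS = 30L * 60L * 1000L; // the "30-minutes max" case

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        long now = System.currentTimeMillis();

        HttpSession session = request.getSession(false);
        Object stamp = (session == null) ? null : session.getAttribute(EXPIRES_AT);
        boolean live = stamp instanceof Long && now < ((Long) stamp).longValue();

        // Still inside the fixed window and the container knows the caller: pass through.
        if (live && request.getUserPrincipal() != null) {
            chain.doFilter(request, response);
            return;
        }

        // Never logged in, or the window has closed: discard old state, demand credentials.
        if (request.getUserPrincipal() != null) {
            request.logout();
        }
        if (session != null) {
            session.invalidate();
        }
        String[] creds = basicCredentials(request.getHeader("Authorization"));
        if (creds == null) {
            challenge(response);
            return;
        }

        // A session exists before login() so that a container which caches the principal in
        // the session can restore it later; if yours does not, every request needs credentials.
        HttpSession fresh = request.getSession(true);
        try {
            request.login(creds[0], creds[1]); // checked against the context's Realm
        } catch (ServletException e) {
            fresh.invalidate();                // keep no session for a failed login
            challenge(response);
            return;
        }
        // The expiry is set once at login and never refreshed by later requests.
        request.getSession().setAttribute(EXPIRES_AT, Long.valueOf(now + MAX_LOGIN_MILLIS));
        chain.doFilter(request, response);     // getUserPrincipal() is now set for Jersey
    }

    /** Parses "Basic base64(user:password)"; returns null when absent or malformed. */
    static String[] basicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String decoded = new String(raw, StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            if (colon <= 0) {
                return null;
            }
            return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        } catch (IllegalArgumentException e) { // not valid Base64
            return null;
        }
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"rest\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```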



Tomcat memory allocation

2011-12-09 Thread Martin O'Shea
Hello

Following advice found elsewhere on the internet, I've just added the
following line to the catalina.bat file in my installation of tomcat 6.0.26:

set JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx512m -XX:MaxPermSize=128m

I know that settings:

Xms128m -Xmx512m

Control the initial heap size and what it can expand to. But what exactly
is:

-XX:MaxPermSize=128m

Should it be set to an addition of the other settings, or the other settings
to an addition of it?

Thanks

Martin O'Shea






RE: Tomcat memory allocation

2011-12-09 Thread Martin O'Shea
Thanks for this Chuck. I realise now what is happening. I thought the
PermGen space was used in the heap when now I see it as just storing class
definitions. So I could reduce it below 128Mb if I choose. Is there a
default value?

As to setting Xms and Xmx to the same, I will do that. A job hung earlier
and I wonder if memory was to blame although there is nothing in the system
or server logs to say so.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 09 Dec 2011 14 46
To: Tomcat Users List
Subject: RE: Tomcat memory allocation

> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: Tomcat memory allocation

> Following advice found elsewhere on the internet

Always to be taken with large chunks of salt.

> set JAVA_OPTS=%JAVA_OPTS% -Xms128m -Xmx512m -XX:MaxPermSize=128m

You would be better off using CATALINA_OPTS, since setting JAVA_OPTS
pointlessly affects the shutdown script as well as the startup one.

> I know that settings:
> Xms128m -Xmx512m
>
> Control the initial heap size and what it can expand to.

In a server environment, you normally want Xms and Xmx set to the same value
to avoid heap thrashing.  The exact size is completely dependent on what
your webapps need.

> But what exactly is:
> -XX:MaxPermSize=128m

It's the amount of space to which the so-called permanent generation can
expand.  PermGen holds primarily instances of java.lang.Class, so it only
needs to be specified if you have a large number of classes in your
environment.

> Should it be set to an addition of the other settings, or the other
> settings to an addition of it?

What does that question mean?  PermGen size is completely independent of the
heap size.

Make sure you have enough RAM available on the system to support the Xmx +
PermGen + a_lot_of_other_stuff.  Monitor the system to make sure you're not
getting into paging.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.





RE: Tomcat memory allocation

2011-12-09 Thread Martin O'Shea
Sorry to belabour this but if I create a setenv.bat file with settings:

set CATALINA_OPTS=%CATALINA_OPTS% -Xms128m -Xmx768m -XX:MaxPermSize=128m

where should the file go and does it need to be called from anywhere?

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 09 Dec 2011 15 29
To: Tomcat Users List
Subject: RE: Tomcat memory allocation

> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Tomcat memory allocation

> But if I change the settings in catalina.bat to:

Don't make changes to catalina.bat; create a setenv.bat to hold all your
local settings.

> set CATALINA_OPTS=%CATALINA_OPTS% -Xms128m -Xmx768m
> -XX:MaxPermSize=128m

> In Tomcat Manager I see:

Use a real JVM analysis tool (e.g., JConsole, VisualVM), not the manager
webapp.

> Free memory: 97.90 MB Total memory: 122.68 MB Max memory: 227.56 MB
> Shouldn't total or max memory have a higher reading?

No, since the heap size is sliding around between Xms and Xmx.

You might want to take a look at the papers here:

http://www.oracle.com/technetwork/java/javase/tech/index-jsp-140228.html

Especially interesting are the ergonomics and tuning ones.

 - Chuck





RE: Tomcat memory allocation

2011-12-09 Thread Martin O'Shea
I should add that Tomcat is running as a Windows service, it isn't started
manually.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 09 Dec 2011 15 29
To: Tomcat Users List
Subject: RE: Tomcat memory allocation

> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Tomcat memory allocation

> But if I change the settings in catalina.bat to:

Don't make changes to catalina.bat; create a setenv.bat to hold all your
local settings.

> set CATALINA_OPTS=%CATALINA_OPTS% -Xms128m -Xmx768m
> -XX:MaxPermSize=128m

> In Tomcat Manager I see:

Use a real JVM analysis tool (e.g., JConsole, VisualVM), not the manager
webapp.

> Free memory: 97.90 MB Total memory: 122.68 MB Max memory: 227.56 MB
> Shouldn't total or max memory have a higher reading?

No, since the heap size is sliding around between Xms and Xmx.

You might want to take a look at the papers here:

http://www.oracle.com/technetwork/java/javase/tech/index-jsp-140228.html

Especially interesting are the ergonomics and tuning ones.

 - Chuck





RE: Tomcat memory allocation

2011-12-09 Thread Martin O'Shea
This gets weirder. I believe I should be looking in the Windows Registry
under:

HKEY_LOCAL_MACHINE
SOFTWARE
Apache Software Foundation
Procrun 2.0

But I have no such settings. I simply have:

(Default)
InstallPath
Version

But I have:

JvmMS (set to 128)
jvmMX (set to 256)

Under

HKEY_LOCAL_MACHINE
SOFTWARE
Wow6432Node
Apache Software Foundation
Procrun 2.0
Tomcat 6
Parameters
Java

If I want to increase Xmx memory, is jvmMX the one to edit? Or both to set
them to the same value.

-Original Message-
From: David kerber [mailto:dcker...@verizon.net]
Sent: 09 Dec 2011 16 02
To: users@tomcat.apache.org
Subject: Re: Tomcat memory allocation

On 12/9/2011 10:49 AM, Caldarale, Charles R wrote:
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Tomcat memory allocation
>
> I should add that Tomcat is running as a Windows service, it isn't
> started manually.
>
> In that case, nothing that we've been discussing about JAVA_OPTS,
> CATALINA_OPTS, startup.bat, catalina.bat, and setenv.bat is relevant.  All
> JVM config settings need to be done with the tomcat?w.exe program.

Or directly in the registry (tomcat?w just changes those entries).


 



Re: Connection pooling issue with MySQLNonTransientConnectionException and Java webapp

2011-11-21 Thread Martin O'Shea
Usually the connection is initialised as null and then assigned inside
the try block. What happens if the method above throws an error after
a connection is removed from the pool?

To try to answer this, the sample code provided is illustrative of my DAO
classes generally. The following is a listing of my connection pool class:

 

package visualRSS.database;

import java.sql.*;
import javax.sql.DataSource;
import javax.naming.InitialContext;
import org.apache.log4j.Logger;
import visualRSS.entity_misc_classes.PropertiesFile;

public class ConnectionPool_DB {

    static final Logger logger = Logger.getLogger(ConnectionPool_DB.class.getName());

    private static ConnectionPool_DB pool = null;
    private static DataSource dataSource = null;

    // Lazily created singleton wrapper around the container-managed DataSource.
    public synchronized static ConnectionPool_DB getInstance() {
        if (pool == null) {
            pool = new ConnectionPool_DB();
        }
        return pool;
    }

    // Looks up the JNDI DataSource; on failure the error is logged and dataSource stays null.
    private ConnectionPool_DB() {
        try {
            InitialContext ic = new InitialContext();
            dataSource = (DataSource) ic.lookup(PropertiesFile.getProperty("visualRSS", "DATASOURCE"));
            // dataSource = (DataSource) ic.lookup("java:/comp/env/jdbc/visualRSS");
        }
        catch(Exception ex) {
            logger.error("Error getting a connection pool's datasource\n", ex);
        }
    }

    // Returns the connection to the pool (close() on a pooled connection releases it).
    public void freeConnection(Connection c) {
        try {
            c.close();
        }
        catch (Exception ex) {
            logger.error("Error terminating a connection pool connection\n", ex);
        }
    }

    // Borrows a connection from the pool; returns null if none could be obtained.
    public Connection getConnection() {
        try {
            return dataSource.getConnection();
        }
        catch (Exception ex) {
            logger.error("Error getting a connection pool connection\n", ex);
            return null;
        }
    }
}

 

For a typical error, I get a chain of stacktrace as follows:

 

ERROR|21 11 2011|12 49 53|http-8080-7|visualRSS.database.ConnectionPool_DB| - Error getting a connection pool connection

com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Could not create connection to database server. Attempted reconnect 3 times. Giving up.
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at com.mysql.jdbc.Util.handleNewInstance(Util.java:409)
    at com.mysql.jdbc.Util.getInstance(Util.java:384)
    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1015)
    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:989)
    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:984)
    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:929)
    at com.mysql.jdbc.ConnectionImpl.connectWithRetries(ConnectionImpl.java:2226)
    at com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2127)
    at com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:774)
    at com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:49)
    at sun.reflect.GeneratedConstructorAccessor11.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at com.mysql.jdbc.Util.handleNewInstance(Util.java:409)
    at com.mysql.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:375)
    at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:289)
    at org.apache.tomcat.dbcp.dbcp.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:38)
    at org.apache.tomcat.dbcp.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:294)
    at org.apache.tomcat.dbcp.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1148)
    at org.apache.tomcat.dbcp.dbcp.AbandonedObjectPool.borrowObject(AbandonedObjectPool.java:84)
    at org.apache.tomcat.dbcp.dbcp.PoolingDataSource.getConnection(PoolingDataSource.java:96)
    at org.apache.tomcat.dbcp.dbcp.BasicDataSource.getConnection(BasicDataSource.java:880)
    at visualRSS.database.ConnectionPool_DB.getConnection(ConnectionPool_DB.java:47)
    at visualRSS.database.User_DB.get(User_DB.java:127)
    at visualRSS.database.Dataset_DB.mapDataset(Dataset_DB.java:580)

  

RE: Connection pooling issue with MySQLNonTransientConnectionException and Java webapp

2011-11-21 Thread Martin O'Shea
Thanks Terence.

Yes, I have been. Increasing the number of connections in MySQL, the
max_connections parameter, seems to have helped somewhat.

Is there an optimum number of connections that the 'equivalent' Tomcat
maxActive should have? 

-Original Message-
From: Terence M. Bandoian [mailto:tere...@tmbsw.com] 
Sent: 21 Nov 2011 16 11
To: Tomcat Users List
Subject: Re: Connection pooling issue with
MySQLNonTransientConnectionException and Java webapp


On 1:59 PM, Martin O'Shea wrote:
> Caused by:
> com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException:
> Data source rejected establishment of connection,  message from
> server: Too many connections

I'd check into this.

-Terence Bandoian





FW: Re: Connection pooling issue with MySQLNonTransientConnectionException and Java webapp

2011-11-21 Thread Martin O'Shea
Are you able to provide any more information about what I am actually
looking for in VisualVM?



Re: Connection pooling issue with MySQLNonTransientConnectionException and Java webapp

2011-11-21 Thread Martin O'Shea
Well, I hope I'm reading VisualVM correctly, because when I run the JMeter
test first time around, I see 40 'connector' threads created in VisualVM,
all of which run for so long and then return to a wait state.

And if I run the test again several times in succession, the number of
connector threads remains the same: they run, and then wait.

JMeter also indicates a clean run with no errors reported.





RE: Trying to get Tomcat 6 running as a Windows service

2011-11-18 Thread Martin O'Shea
 suggestions would be welcome before I try to debug this. It does not
happen on a 32-bit seat.

-Original Message-
From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] 
Sent: 17 Nov 2011 18 49
To: 'Tomcat Users List'
Subject: RE: Trying to get Tomcat 6 running as a Windows service

-Original Message-
From: app...@dsl.pipex.com [mailto:app...@dsl.pipex.com]
Subject: Trying to get Tomcat 6 running as a Windows service

Hello
...  but I find that although
Tomcat will start / stop via the batch files in the /bin folder, when 
set as a Windows service, I get a message that:

Windows could not start the service on the Local Computer.

Have you any ideas at all?

The Tomcat logs display nothing when the above happens.

Martin O'Shea.


I run Windows 7.
I just downloaded Tomcat 6.0.26 from the archives, using this zip file:
http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.26/bin/apache-tomcat-6.0.26-windows-x64.zip
I have the 64 bit Java sdk installed: jdk-6u29-windows-x64.exe  JAVA_HOME
environment variable is set.

When I issue from the command line:
 
service install Tomcat6 

... the service is created but not started.  When I start the service and
view http://localhost:8080 I get the Tomcat welcome page.

Perhaps you could try removing the windows service using:  

service remove Tomcat6  

and then try the install command a second time?

Leo




RE: Trying to get Tomcat 6 running as a Windows service

2011-11-17 Thread Martin O'Shea
Thanks Leo. Will investigate and advise.

-Original Message-
From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov] 
Sent: 17 Nov 2011 18 49
To: 'Tomcat Users List'
Subject: RE: Trying to get Tomcat 6 running as a Windows service

-Original Message-
From: app...@dsl.pipex.com [mailto:app...@dsl.pipex.com]
Subject: Trying to get Tomcat 6 running as a Windows service

Hello
...  but I find that although
Tomcat will start / stop via the batch files in the /bin folder, when 
set as a Windows service, I get a message that:

Windows could not start the service on the Local Computer.

Have you any ideas at all?

The Tomcat logs display nothing when the above happens.

Martin O'Shea.


I run Windows 7.
I just downloaded Tomcat 6.0.26 from the archives, using this zip file:
http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.26/bin/apache-tomcat-6.0.26-windows-x64.zip
I have the 64 bit Java sdk installed: jdk-6u29-windows-x64.exe  JAVA_HOME
environment variable is set.

When I issue from the command line:
 
service install Tomcat6 

... the service is created but not started.  When I start the service and
view http://localhost:8080 I get the Tomcat welcome page.

Perhaps you could try removing the windows service using:  

service remove Tomcat6  

and then try the install command a second time?

Leo




RE: Trying to get Tomcat 6 running as a Windows service

2011-11-16 Thread Martin O'Shea
I've been trying to get the service running as per the attachment.

The account I am using does have admin rights.

The Jakarta Service log file reports:

[2011-11-16 11:54:30] [info] Commons Daemon procrun (1.0.2.0) started
[2011-11-16 11:54:30] [80   service.c] [error] Access is denied.
[2011-11-16 11:54:30] [524  prunsrv.c] [error] Unable to open the Service Manager
[2011-11-16 11:54:30] [info] Commons Daemon procrun finished.

When I try to set the service up as displayed in the attachment.

-Original Message-
From: Ilya Kazakevich [mailto:ilya.kazakev...@jetbrains.com] 
Sent: 16 Nov 2011 11 40
To: 'Tomcat Users List'
Subject: RE: Trying to get Tomcat 6 running as a Windows service

Which file do you run? service.bat ?

What do you have in your event logs?
Which account do you use for service? Does it have required rights?


Ilya Kazakevich,
Developer
JetBrains Inc
http://www.jetbrains.com
Develop with pleasure!

-Original Message-
From: app...@dsl.pipex.com [mailto:app...@dsl.pipex.com]
Sent: Wednesday, November 16, 2011 3:36 PM
To: users@tomcat.apache.org
Subject: Trying to get Tomcat 6 running as a Windows service

Hello

I'm trying to get Tomcat 6.0.26 running as a service on a Windows 7 64 bit
PC but every time I try I get message:

Failed installing 'Tomcat6' service.

As far as I'm aware, all relevant system settings are good and the
installation displays settings for CATALINA_HOME, CATALINA_BASE, JAVA_HOME
and JVM. I'm running the batch file with administrator authorities.

Has anyone any idea?

I should also add, that this version of Tomcat runs perfectly if called from
NetBeans 7.0.1 which is deployed on the same PC.

Martin O'Shea.
-- 




RE: Trying to get Tomcat 6 running as a Windows service

2011-11-16 Thread Martin O'Shea
I've been trying to run:

service.bat install

From the Windows command line in folder:

C:\Program Files\Apache Software Foundation\Apache Tomcat 6.0.26\bin

-Original Message-
From: Ilya Kazakevich [mailto:ilya.kazakev...@jetbrains.com] 
Sent: 16 Nov 2011 11 40
To: 'Tomcat Users List'
Subject: RE: Trying to get Tomcat 6 running as a Windows service

Which file do you run? service.bat ?

What do you have in your event logs?
Which account do you use for service? Does it have required rights?


Ilya Kazakevich,
Developer
JetBrains Inc
http://www.jetbrains.com
Develop with pleasure!

-Original Message-
From: app...@dsl.pipex.com [mailto:app...@dsl.pipex.com] 
Sent: Wednesday, November 16, 2011 3:36 PM
To: users@tomcat.apache.org
Subject: Trying to get Tomcat 6 running as a Windows service

Hello

I'm trying to get Tomcat 6.0.26 running as a service on a Windows 7 64 bit
PC but every time I try I get message:

Failed installing 'Tomcat6' service.

As far as I'm aware, all relevant system settings are good and the
installation displays settings for 
CATALINA_HOME, CATALINA_BASE, JAVA_HOME and JVM. I'm running the batch file
with administrator authorities.

Has anyone any idea?

I should also add, that this version of Tomcat runs perfectly if called from
NetBeans 7.0.1 which is deployed on 
the same PC.

Martin O'Shea.
-- 






RE: Trying to get Tomcat 6 running as a Windows service

2011-11-16 Thread Martin O'Shea
Thanks. Will try this later.

-Original Message-
From: Ilya Kazakevich [mailto:ilya.kazakev...@jetbrains.com] 
Sent: 16 Nov 2011 12 15
To: 'Tomcat Users List'
Subject: RE: Trying to get Tomcat 6 running as a Windows service

http://www.coderanch.com/t/450781/Tomcat/Tomcat-Windows-Server-Permissions 


Ilya Kazakevich,
Developer
JetBrains Inc
http://www.jetbrains.com
Develop with pleasure!

-Original Message-
From: Martin O'Shea [mailto:app...@dsl.pipex.com]
Sent: Wednesday, November 16, 2011 3:59 PM
To: 'Tomcat Users List'
Subject: RE: Trying to get Tomcat 6 running as a Windows service

I've been trying to get the service running as per the attachment.

The account I am using does have admin rights.

The Jakarta Service log file reports:

[2011-11-16 11:54:30] [info] Commons Daemon procrun (1.0.2.0) started
[2011-11-16 11:54:30] [80   service.c] [error] Access is denied.
[2011-11-16 11:54:30] [524  prunsrv.c] [error] Unable to open the Service Manager
[2011-11-16 11:54:30] [info] Commons Daemon procrun finished.

When I try to set the service up as displayed in the attachment.

-Original Message-
From: Ilya Kazakevich [mailto:ilya.kazakev...@jetbrains.com]
Sent: 16 Nov 2011 11 40
To: 'Tomcat Users List'
Subject: RE: Trying to get Tomcat 6 running as a Windows service

Which file do you run? service.bat ?

What do you have in your event logs?
Which account do you use for service? Does it have required rights?


Ilya Kazakevich,
Developer
JetBrains Inc
http://www.jetbrains.com
Develop with pleasure!

-Original Message-
From: app...@dsl.pipex.com [mailto:app...@dsl.pipex.com]
Sent: Wednesday, November 16, 2011 3:36 PM
To: users@tomcat.apache.org
Subject: Trying to get Tomcat 6 running as a Windows service

Hello

I'm trying to get Tomcat 6.0.26 running as a service on a Windows 7 64 bit
PC but every time I try I get message:

Failed installing 'Tomcat6' service.

As far as I'm aware, all relevant system settings are good and the
installation displays settings for CATALINA_HOME, CATALINA_BASE, JAVA_HOME
and JVM. I'm running the batch file with administrator authorities.

Has anyone any idea?

I should also add, that this version of Tomcat runs perfectly if called from
NetBeans 7.0.1 which is deployed on the same PC.

Martin O'Shea.
-- 






Application not logging out properly

2011-10-12 Thread Martin O'Shea
Hello

 

I'm using Apache Tomcat 6.0.26 for an application where the majority of the
content is hidden behind a page requiring authenticated login. This appears
to work fine but upon logout, I find I am able to browse back through some
of the pages visited in the session. 

 

As far as I'm aware, and in other applications I've seen and worked on, this
shouldn't happen.

 

I'm using a listener to detect sessions created and destroyed and this seems
to be fine because I'm recording events in the database when these happen. 

 

My log out instruction is present on most pages as follows:  

 

<a href = "/myApp/jsp/index/index.jsp?logoff=true" title = "Log out.">

 

And in the index.jsp cited above, I have code:

 

<%
   // Log out: drop the server-side session, then send the user to the login page.
   if (request.getParameter("logoff") != null) {
      session.invalidate();
      response.sendRedirect("/myApp/");
      return;
   }
%>

 

Which returns a user to the login page.

 

The problem is only occasional and I can see no pattern to it,  but it
happens under two different installations of version 6.0.26 on different
machines. So either this version is the cause which I don't believe because
other applications seem unaffected, or my application has an issue which I
can't find. 

 

Any ideas?

 

Thanks

 

Martin O'Shea.



RE: Application not logging out properly

2011-10-12 Thread Martin O'Shea
I'm using form based authentication as follows:

<h2 style = "text-align: left"><a name = "login">Login</a></h2>
<form method = "POST" action='<%= response.encodeURL("j_security_check") %>'>
<table border="0">
<tr>
<td align = "right">Name:</td>
<td align = "left"><input type="text" name="j_username"></td>
</tr>
<tr>
<td align = "right">Password:</td>
<td align = "left"><input type="password" name="j_password"></td>
</tr>
<tr>
<td align = "right"><input class = "button" type="submit" value="Log in"></td>
<td align = "left"><input class = "button" type="reset" value = "Clear"></td>
</tr>
</table>
</form>

And the code in web.xml is as follows:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description/>
    <role-name>ADMIN</role-name>
</security-role>

I also have MD5 digest specified in context.xml.

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: 12 Oct 2011 22 19
To: Tomcat Users List
Subject: Re: Application not logging out properly

Martin O'Shea wrote:
 Hello
 
  
 
 I'm using Apache Tomcat 6.0.26 for an application where the majority 
 of the content is hidden behind a page requiring authenticated login. 
 This appears to work fine but upon logout, I find I am able to browse 
 back through some of the pages visited in the session.
 

What authentication type (scheme) are you using ?
HTTP Basic, form-based, .. ?





RE: Application not logging out properly

2011-10-12 Thread Martin O'Shea
I would rather avoid forcing the browser to reload each page via the
appropriate headers. 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 12 Oct 2011 22 18
To: Tomcat Users List
Subject: RE: Application not logging out properly

 From: Martin O'Shea [mailto:app...@dsl.pipex.com]
 Subject: Application not logging out properly

 upon logout, I find I am able to browse back through some of the pages 
 visited in the session.

Are you sure it's not the browser simply displaying previously cached pages?
If so, then have your webapp (or a filter) set the appropriate no-caching
headers.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.





RE: Application not logging out properly

2011-10-12 Thread Martin O'Shea
This is true of the current application, but also true of the other Tomcat
applications I have. 

But the others don't seem to have this problem. I know the sessions are
invalidating because if I try to do something on one of the pages visited in
the session, the login page appears automatically.

Using a filter to prevent caching does seem a sledgehammer approach. But I
have set one up to do just that but I would prefer another solution.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 12 Oct 2011 22 31
To: Tomcat Users List
Subject: RE: Application not logging out properly

 From: Martin O'Shea [mailto:app...@dsl.pipex.com]
 Subject: RE: Application not logging out properly

 I would rather avoid forcing the browser to reload each page via the 
 appropriate headers.

Then they're going to be available in the browser cache until the browser
chooses to discard them.  You can't have it both ways.

 - Chuck





RE: Application not logging out properly

2011-10-12 Thread Martin O'Shea
I'm not disagreeing and have set a filter to this end. But it doesn't explain 
why I can see the pages after session invalidation.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 12 Oct 2011 22 59
To: Tomcat Users List
Subject: Re: Application not logging out properly


Chuck,

On 10/12/2011 5:30 PM, Caldarale, Charles R wrote:
 From: Martin O'Shea [mailto:app...@dsl.pipex.com] Subject: RE:
 Application not logging out properly
 
 I would rather avoid forcing the browser to reload each page via the 
 appropriate headers.
 
 Then they're going to be available in the browser cache until the 
 browser chooses to discard them.  You can't have it both ways.

The OP could set expires headers that are relatively short-lived. That way, the 
client /should/ request a fresh page after, say, 30 minutes or whatever the 
session timeout is set to.

But Martin, I agree with Chuck: you can't have it both ways.

-chris



RE: Application not logging out properly

2011-10-12 Thread Martin O'Shea
But I can see these pages visited in the session just invalidated by using the 
browser's back button after logging out.

By other Tomcat applications, I mean other applications which have the same 
arrangements and run under 6.0.26. But when I log out from one of these, I 
can't see pages just visited.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 12 Oct 2011 23 01
To: Tomcat Users List
Subject: Re: Application not logging out properly


Martin,

On 10/12/2011 5:58 PM, Martin O'Shea wrote:
 This is true of the current application, but also true of the other 
 Tomcat applications I have.
 
 But the others don't seem to have this problem.

Which others?

 I know the sessions are invalidating because if I try to do something 
 on one of the pages visited in the session, the login page appears 
 automatically.

You're getting all you can get out of the server-side of this equation. You'll 
either have to use expires or other cache-control headers or just trust your 
clients not to browse their caches.

 Using a filter to prevent caching does seem a sledgehammer approach. 
 But I have set one up to do just that but I would prefer another 
 solution.

I can't think of one.

-chris



RE: Application not logging out properly

2011-10-12 Thread Martin O'Shea
Well, there's no intermediary: I'm seeing this in NetBeans 7.0.1 with AT 
6.0.26. and if my NoCache_Filter contains this:

// Force browser not to cache pages.
HttpServletResponse hsr = (HttpServletResponse) response;
hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
hsr.setDateHeader("Expires", 0); // Proxies.

With the settings in web.xml as follows:

<filter-mapping>
    <filter-name>NoCacheFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>

 So be it.

I can always edit the url-pattern to exclude certain pages anyway.

Thanks.


-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 12 Oct 2011 23 05
To: Tomcat Users List
Subject: RE: Application not logging out properly

 From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
 Subject: RE: Application not logging out properly

 But it doesn't explain why I can see the pages after session invalidation.

It certainly does.  If the browser (or some other intermediary) is caching the 
pages, they will be available for display.  Try sniffing the network traffic at 
both the browser and Tomcat ends to see who has the data.

 - Chuck





RE: Application not logging out properly

2011-10-12 Thread Martin O'Shea
Not HTTPS, but it's worth me checking as you advise.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 12 Oct 2011 23 16
To: Tomcat Users List
Subject: RE: Application not logging out properly

 From: Martin O'Shea [mailto:app...@dsl.pipex.com]
 Subject: RE: Application not logging out properly

 But I can see these pages visited in the session just invalidated by 
 using the browser's back button after logging out.

The session state is completely irrelevant - the browser knows nothing about 
it.  Again, it looks like the browser is caching the pages.

 By other Tomcat applications, I mean other applications which have the 
 same arrangements and run under 6.0.26. But when I log out from one of 
 these, I can't see pages just visited.

Sniff the network traffic or use one of the plugins Chris suggested to see 
what's different about the pages that aren't getting cached.  (Using HTTPS, 
perhaps?)

 - Chuck





RE: Application not logging out properly

2011-10-12 Thread Martin O'Shea
Well, it seems that using a no cache filter works for Chrome, Firefox and
IE. But Opera and Safari don't obey the rules at all.

-Original Message-
From: cjder...@gmail.com [mailto:cjder...@gmail.com] On Behalf Of chris
derham
Sent: 12 Oct 2011 23 22
To: Tomcat Users List
Subject: Re: Application not logging out properly

 Then they're going to be available in the browser cache until the 
 browser chooses to discard them.  You can't have it both ways.

The OP could set expires headers that are relatively short-lived. That 
way, the client /should/ request a fresh page after, say, 30 minutes or 
whatever the session timeout is set to.

But Martin, I agree with Chuck: you can't have it both ways.

I was going to suggest that you could use the ETag to create tags composed
of the last edit time and the session-id. That way the pages will be cached
for the current user's session, but are refreshed once the user logs
out/original page is updated. It's not true caching in that the browser will
still ask the server if it has changed, but at least it won't have to send
the whole file down each time.

Seems that the thread has moved on now though. If I understood correctly you
have turned off all caching, yet the pages are still cached. I agree with
the others - try using some tools to sniff the actual network traffic. I
find fiddler very useful for this kind of work

Chris



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
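
A narrower form of the no-cache filter discussed in this thread, as an added example that is not part of any post: it sends the same three headers, but only on responses served to an authenticated user, and leaves static assets cacheable. The class name, the cacheableSuffixes init-param and its default list are assumptions made for the example.

```java
// AuthenticatedNoStoreFilter.java -- added example; the class name and the
// "cacheableSuffixes" init-param are hypothetical, not taken from the thread.
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AuthenticatedNoStoreFilter implements Filter {

    // Suffixes treated as non-sensitive static assets (assumption).
    private final Set<String> cacheableSuffixes = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("cacheableSuffixes");
        if (param == null) {
            param = ".css,.js,.png,.gif,.jpg,.ico";
        }
        for (String suffix : param.split(",")) {
            suffix = suffix.trim().toLowerCase(Locale.ENGLISH);
            if (suffix.length() > 0) {
                cacheableSuffixes.add(suffix);
            }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Headers only take effect if set before the response is committed,
        // so decide before passing the request down the chain.
        if (req.getRemoteUser() != null && !isCacheableAsset(req)) {
            res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1
            res.setHeader("Pragma", "no-cache");                                   // HTTP 1.0
            res.setDateHeader("Expires", 0);                                       // proxies
        }
        chain.doFilter(request, response);
    }

    // True when the request path ends in one of the configured asset suffixes.
    boolean isCacheableAsset(HttpServletRequest req) {
        String path = req.getRequestURI();
        int semi = path.indexOf(';');          // drop ";jsessionid=..." path parameters
        if (semi >= 0) {
            path = path.substring(0, semi);
        }
        path = path.toLowerCase(Locale.ENGLISH);
        for (String suffix : cacheableSuffixes) {
            if (path.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    public void destroy() {
        // nothing to release
    }
}
```

Map it to /* in web.xml in the same way as the NoCacheFilter mapping shown in the thread; pages served before login stay cacheable, so nothing user-specific should be rendered on them.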



RE: Using multiple login pages

2011-10-06 Thread Martin O'Shea
Ok. I think, I think I have it now to my satisfaction although much work 
remains.

Thanks Chris and Charles.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 06 Oct 2011 01 45
To: Tomcat Users List
Subject: Re: Using multiple login pages


Martin,

On 10/5/2011 6:50 PM, Martin O'Shea wrote:
 If I understand you correctly, I think I should have this:
 
 <login-config> <auth-method>FORM</auth-method>
 <realm-name>Form-Based Authentication Area</realm-name>
 <form-login-config> <form-login-page>/login</form-login-page>
 <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
 </form-login-config>
 </login-config>
 
 But when called I receive a page not found exception. /login maps
 to a servlet I've been using to test my own logging in outside of 
 j_security_check

It's important to understand that the form-login-page is the
resource returned when the user tries to access a protected resource
but is not yet authenticated. The form-login-page does *not* perform
any authentication itself. It merely requests credentials from the
user (i.e. it contains a form with j_username and j_password fields).

 Should the servlet mapped to /login receive j_username and
 j_password?

No. It should produce a page which contains a login form.

Tomcat will handle the actual processing of j_username/j_password for
you, and then send the user onto the originally-requested page.

-chris



Detecting a login or logoff event

2011-10-06 Thread Martin O'Shea
I need to be able to intercept a successful authentication of a login / logout 
request which can then be used to make a series of system updates to record the 
fact.

So, if John Doe has just logged in successfully, an update is made to his 
session like:

session.setAttribute("loggedIntoSession", true);

Or an update made to the database?

Conversely, upon logout:

session.setAttribute("loggedIntoSession", false);

At the moment, I am thinking about scriptlets in the pages served testing the 
request's servlet path after login is successful but is a filter better? But if 
so, what might a filter check for?

-Original Message-
From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
Sent: 05 Oct 2011 23 06
To: 'Tomcat Users List'
Subject: RE: Using multiple login pages

Thanks for this Chris. It is food for thought.

I was under the impression that form-login-page was static, because that's 
how I've seen it used in apps I've worked on.

But I am curious to try a filter as well, something like this mapped to the 
login:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws java.io.IOException, ServletException {

    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;

    // pre login action

    // get username
    String username = req.getParameter("j_username");

    // if user is in revoked list send error
    if (revokeList.contains(username)) {
        res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }

    // call next filter in the chain : let j_security_check authenticate
    // user
    chain.doFilter(request, response);

    // post login action
}

I wouldn't mind seeing a servlet specified as form-login-page if you know of 
an example.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 05 Oct 2011 22 08
To: Tomcat Users List
Subject: Re: Using multiple login pages


Martin,

On 10/5/2011 1:59 PM, Martin O'Shea wrote:
 I have it now. There was a redirection going on in a method called 
 from a scriptlet in the login page. It now seems to be OK.

Glad you got it going.

 But one thing bugs me still: you said that you can have 'different 
 login pages for different types of resources you're trying to
 reach.' Can you give any pointers about this?

A page is defined as whatever the server responds when you request a
resource. The form-login-page you configure in your web.xml can be
dynamic: you can do whatever you want in that page. It doesn't have to
be a static form that always looks the same. You can
include/forward/etc from that page. It doesn't even have to be a JSP.
You can configure the login-form-page to be a servlet that makes
decisions and forwards to some other .jsp file.

Use your imagination.

-chris



RE: Detecting a login or logoff event

2011-10-06 Thread Martin O'Shea
Unfortunately I'm not using spring in my application but thanks anyway.

-Original Message-
From: Chema [mailto:demablo...@gmail.com] 
Sent: 06 Oct 2011 15 02
To: Tomcat Users List
Subject: Re: Detecting a login or logoff event

For logout, you can implement a HttpSessionListener .
It has got a method:

public void sessionDestroyed(HttpSessionEvent se)

It's invoked when http session is invalidated. ( session.invalidated() )

So, you have to invalidate http session when user makes logout ( i.e, user
clicks a logout button and calls a servlet ) To capture when user is closing
the browser , you need use javascript events and throw a call to the server.
Maybe, a filter can be use to capture this event

For login, you can use Spring Security.
Maybe for logout too, but I don't know it. Or use your own filters.




2011/10/6 Martin O'Shea app...@dsl.pipex.com

 I need to be able to intercept a successful authentication of a login 
 / logout request which can then be used to make a series of system 
 updates to record the fact.

 So, if John Doe has just logged in successfully, an update is made to 
 his session like:

 session.setAttribute("loggedIntoSession", true);

 Or an update made to the database?

 Conversely, upon logout:

 session.setAttribute("loggedIntoSession", false);

 At the moment, I am thinking about scriptlets in the pages served 
 testing the request's servlet path after login is successful but is a
filter better?
 But if so, what might a filter check for?

 -Original Message-
 From: Martin O'Shea [mailto:app...@dsl.pipex.com]
 Sent: 05 Oct 2011 23 06
 To: 'Tomcat Users List'
 Subject: RE: Using multiple login pages

 Thanks for this Chris. It is food for thought.

 I was under the impression that form-login-page was static, because 
 that's how I've seen it used in apps I've worked on.

 But I am curious to try a filter as well, something like this mapped 
 to the
 login:

 public void doFilter(ServletRequest request, ServletResponse response, 
 FilterChain chain) throws java.io.IOException, ServletException {


  HttpServletRequest req = (HttpServletRequest)request;
  HttpServletResponse res = (HttpServletResponse)response;

  // pre login action

  // get username
   String username = req.getParameter("j_username");

  // if user is in revoked list send error
  if ( revokeList.contains(username) ) {

res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
  return;
  }

  // call next filter in the chain : let j_security_check authenticate
  // user
  chain.doFilter(request, response);

  // post login action

   }

 I wouldn't mind seeing a servlet specified as form-login-page if you 
 know of an example.

 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: 05 Oct 2011 22 08
 To: Tomcat Users List
 Subject: Re: Using multiple login pages


 Martin,

 On 10/5/2011 1:59 PM, Martin O'Shea wrote:
  I have it now. There was a redirection going on in a method called 
  from a scriptlet in the login page. It now seems to be OK.

 Glad you got it going.

  But one thing bugs me still: you said that you can have 'different 
  login pages for different types of resources you're trying to 
  reach.' Can you give any pointers about this?

 A page is defined as whatever the server responds when you request a 
 resource. The form-login-page you configure in your web.xml can be
 dynamic: you can do whatever you want in that page. It doesn't have to 
 be a static form that always looks the same. You can 
 include/forward/etc from that page. It doesn't even have to be a JSP.
 You can configure the login-form-page to be a servlet that makes 
 decisions and forwards to some other .jsp file.

 Use your imagination.

 -chris

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org







RE: Detecting a login or logoff event

2011-10-06 Thread Martin O'Shea
I had thought to use scriptlets.

But I've rigged a filter on the server which tests for the mappings of the few 
protected pages which require logins. It seems to work and update session 
variables which is what I'm after. My issue is that a session may well have 
been created prior to login so using a listener here via sessionCreated may not 
be useful.

Detecting a logoff is easier using the sessionDestroyed method.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 06 Oct 2011 15 05
To: Tomcat Users List
Subject: RE: Detecting a login or logoff event

 From: Martin O'Shea [mailto:app...@dsl.pipex.com]
 Subject: Detecting a login or logoff event

 I need to be able to intercept a successful authentication of a login 
 / logout request which can then be used to make a series of system 
 updates to record the fact.

 I am thinking about scriptlets in the pages served testing the 
 request's servlet path after login is successful

If the integrity of your information is dependent on actions of the client, you 
have no data integrity.  There's nothing stopping a client from disabling 
scripts, running their own scripts, or doing anything else by accident or 
intent - you cannot control that.  Anything you do for tracking must be done on 
the server side.

You probably can use a filter, but a Listener might be more appropriate.  See 
section 10 of the servlet spec.  (Make sure you're looking at the current spec 
for the Tomcat version you're using; the 2.2 spec you referenced earlier is 
badly out of date.)

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.
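
One server-side way to record login and logoff along the lines discussed above, which also handles a session that exists before the login (an added example, not code from the thread; `LoginAuditFilter`, `LoginMarker`, the `loginMarker` attribute and the `audit` logger are hypothetical names, and container-managed FORM authentication is assumed):

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Hypothetical filter, mapped to /* in web.xml. It runs on the server after
 * the container has applied FORM authentication, so nothing here depends on
 * what the browser chooses to execute.
 */
public class LoginAuditFilter implements Filter {

    static final String MARKER = "loginMarker";            // assumed attribute name
    static final Logger AUDIT = Logger.getLogger("audit"); // stand-in for the real system updates

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // getRemoteUser() stays null until the container has authenticated the caller.
        String user = req.getRemoteUser();
        if (user != null) {
            HttpSession session = req.getSession();
            // The session may have existed long before the login, so the test
            // is "authenticated but not yet marked", not "session created".
            // Caveat: two concurrent first requests can both pass this test;
            // the second marker then replaces the first and logs an extra pair.
            if (session.getAttribute(MARKER) == null) {
                session.setAttribute(MARKER, new LoginMarker(user, req.getRemoteAddr()));
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Stored in the session once per login. The container calls valueBound()
     * when it is added and valueUnbound() when it is removed or the session is
     * invalidated or times out, which covers explicit and implicit logoff.
     */
    static class LoginMarker implements HttpSessionBindingListener, Serializable {
        private static final long serialVersionUID = 1L;
        private final String user;
        private final String remoteAddr;
        private final long loginTime = System.currentTimeMillis();

        LoginMarker(String user, String remoteAddr) {
            this.user = user;
            this.remoteAddr = remoteAddr;
        }

        public void valueBound(HttpSessionBindingEvent event) {
            AUDIT.info("LOGIN user=" + user + " from=" + remoteAddr);
        }

        public void valueUnbound(HttpSessionBindingEvent event) {
            // Everything needed is kept in this object: by the time this runs
            // the session may already be invalid and most of its methods throw.
            long seconds = (System.currentTimeMillis() - loginTime) / 1000;
            AUDIT.info("LOGOFF user=" + user + " from=" + remoteAddr
                    + " after=" + seconds + "s");
        }
    }
}
```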







RE: Using multiple login pages

2011-10-05 Thread Martin O'Shea
This follows on from yesterday's discussion about whether in my application,
I can have more than one page with an embedded login form or not. 

I've been looking over the servlet spec (V2.2) and it seems that I can't
actually do this which is a shame. So I'm now looking at a more conventional
log in from a login page. But can anyone explain to me why I don’t see my
login page when I run the application?

Login.jsp contains the following:

<form action="<c:url value='j_security_check' />" method="post">

    <table align="center" border="0" cellspacing="0">

        <tr>
            <th align="right"><font class="label">Username</font></th>
            <td align="left"><input class="textInput" name="j_username" type="text"></td>
        </tr>
        <tr>
            <th align="right"><font class="label">Password</font></th>
            <td align="left"><input class="textInput" name="j_password" type="password"></td>
        </tr>
        <tr>
            <td></td>
            <td>
                <input class="button" type="submit" value="Log in">
                <input class="button" type="reset" value="Clear">
            </td>
        </tr>
    </table>
</form>

Which corresponds to the following in web.xml:

<welcome-file-list>
    <welcome-file>/jsp/about/concept.jsp</welcome-file>
</welcome-file-list>

<security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>myApp</web-resource-name>
        <description/>
        <url-pattern>/aboutConcept</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description/>
    <role-name>ADMIN</role-name>
</security-role>

But when I run the application, all I get is the html of the page specified
in the welcome file list? But if I then invoke a link from the welcome file,
I get the login page. Surely it should be the other way around?


-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: 04 Oct 2011 19 56
To: Tomcat Users List
Subject: Re: Using multiple login pages

app...@dsl.pipex.com wrote:
 Not sure about which version of security I will use but I would like 
 to accommodate MD5 verification into things. There's no sensitive or 
 confidential info in the system either so protected page access may not be
required.
 
I don't know what you have in mind, but there are some basic principles to
avoid wasting your time :

1) In Tomcat (and other servlet engines), there are 2 different ways of
doing authentication :
- declarative, as per web.xml. In that case Tomcat, /before it even calls
the webapp or any filter in it/, intercepts a non-authenticated call and
returns *the* login form to the browser.  It then (later) intercepts the
submit of that form by the browser, checks the credentials, and if they pass
muster, it allows the call to proceed to the webapp which the user wanted in
the first place.
- application- or filter-based authentication : in this case, Tomcat is not
aware that there is an authentication taking place.  It forwards the call to
the webapp, and a filter /in the webapp/ intercepts the call and does
whatever is needed to check the authentication, return a login form etc..
This second authentication scheme is probably more flexible for doing the
kind of thing you seem to want to do (but also more complex to do).

2) There already exist a number of authentication systems on the market.
Unless this is considered as an exercise, re-use an existing one instead of
rolling your own.  Web authentication looks deceptively simple, but is in
fact quite complex and delicate, and open to many mistakes which completely
defeat the purpose.
(This being said, if it is an exercise, it is an interesting area).

3) anything that your server sends to a browser should be considered open
and lost.
Once you send something out there, the recipient can do with it what he
wants : save it, analyse it, copy it, decompile it, falsify it, re-send it
to your server and whatnot.  There is no practical way to avoid that.
(You don't even know that it is really a browser out there).

4) the only good way to secure things if you do form authentication, is to
work over HTTPS.
The customer is going to type a 

RE: Using multiple login pages

2011-10-05 Thread Martin O'Shea
Maybe I've misunderstood something but I'm having a lot of trouble getting the 
login page to display with the following:

<welcome-file-list>
    <welcome-file>/jsp/index/newjsp.jsp</welcome-file>
</welcome-file-list>
<!-- Error pages. -->
<error-page>
    <error-code>403</error-code>
    <location>/jsp/error/error403.jsp</location>
</error-page>
<error-page>
    <error-code>404</error-code>
    <location>/jsp/error/error404.jsp</location>
</error-page>
<error-page>
    <error-code>408</error-code>
    <location>/jsp/error/error408.jsp</location>
</error-page>
<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/jsp/error/error500.jsp</location>
</error-page>
<!-- Accessibility. -->
<security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>myApp</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description/>
    <role-name>ADMIN</role-name>
</security-role>


All that newjsp.jsp in the welcome list contains is 'Hello World'. But running 
it in several browsers, all I get is a warning about redirection. Other 
applications of mine using a single log in page are fine. I can't see where 
this one is wrong.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 05 Oct 2011 18 39
To: Tomcat Users List
Subject: Re: Using multiple login pages


Martin,

On 10/5/2011 11:41 AM, Martin O'Shea wrote:
 This follows on from yesterday's discussion about whether in my 
 application, I can have more than one page with an embedded login form 
 or not.
 
 I've been looking over the servlet spec (V2.2) and it seems that I 
 can't actually do this which is a shame.

Do what, have different login pages for different types of resources you're 
trying to reach? Sure you can: try reading my responses.

 So I'm now looking at a more conventional log in from a login page.
 But can anyone explain to me why I don’t see my login page when I run 
 the application?
 
 Login.jsp contains the following:

This isn't relevant if you're not seeing it.

 Which corresponds to the following in web.xml:
 
 <welcome-file-list>
     <welcome-file>/jsp/about/concept.jsp</welcome-file>
 </welcome-file-list>

 <security-constraint>
     <web-resource-collection>
         <url-pattern>/aboutConcept</url-pattern>
     </web-resource-collection>
     <auth-constraint>
         <description/>
         <role-name>ADMIN</role-name>
     </auth-constraint>
 </security-constraint>

 <login-config>
     <form-login-config>
         <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
         <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
     </form-login-config>
 </login-config>
 
 But when I run the application, all I get is the html of the page 
 specified in the welcome file list?

Is that a question or a statement?

 But if I then invoke a link from the welcome file, I get the login 
 page. Surely it should be the other way around?

Your welcome file is not protected in any way, so you are not challenged for 
credentials. If you want to login to see every page on your site, you should 
have <url-pattern>/*</url-pattern> in your <web-resource-collection>.

-chris



RE: Using multiple login pages

2011-10-05 Thread Martin O'Shea
I have it now. There was a redirection going on in a method called from a 
scriptlet in the login page. It now seems to be OK.

Thanks Chris.

But one thing bugs me still: you said that you can have 'different login pages 
for different types of resources you're trying to reach.' Can you give any 
pointers about this?




RE: Using multiple login pages

2011-10-05 Thread Martin O'Shea
Thanks for this Chris. It is food for thought.

I was under the impression that form-login-page was static, because that's 
how I've seen it used in apps I've worked on.

But I am curious to try a filter as well, something like this mapped to the 
login:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws java.io.IOException, ServletException {

    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;

    // pre login action

    // get username
    String username = req.getParameter("j_username");

    // if user is in revoked list send error
    if (revokeList.contains(username)) {
        res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }

    // call next filter in the chain : let j_security_check authenticate
    // user
    chain.doFilter(request, response);

    // post login action
}

I wouldn't mind seeing a servlet specified as form-login-page if you know of 
an example.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 05 Oct 2011 22 08
To: Tomcat Users List
Subject: Re: Using multiple login pages


Martin,

On 10/5/2011 1:59 PM, Martin O'Shea wrote:
 I have it now. There was a redirection going on in a method called 
 from a scriptlet in the login page. It now seems to be OK.

Glad you got it going.

 But one thing bugs me still: you said that you can have 'different 
 login pages for different types of resources you're trying to
 reach.' Can you give any pointers about this?

A page is defined as whatever the server responds when you request a
resource. The form-login-page you configure in your web.xml can be
dynamic: you can do whatever you want in that page. It doesn't have to
be a static form that always looks the same. You can
include/forward/etc from that page. It doesn't even have to be a JSP.
You can configure the login-form-page to be a servlet that makes
decisions and forwards to some other .jsp file.

Use your imagination.

-chris



RE: Using multiple login pages

2011-10-05 Thread Martin O'Shea
That's a shame. It looked promising.

I wouldn't mind seeing a servlet specified as form-login-page if you know of 
an example.

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 05 Oct 2011 23 13
To: Tomcat Users List
Subject: Re: Using multiple login pages


Martin,

On 10/5/2011 6:06 PM, Martin O'Shea wrote:
 Thanks for this Chris. It is food for thought.
 
 I was under the impression that form-login-page was static, because 
 that's how I seen it used in apps I've worked on.
 
 But I am curious to try a filter as well, something like this mapped 
 to the login:

That's not going to work: the authentication stuff happens before your Filter 
can get its hands on the request.

-chris



RE: Using multiple login pages

2011-10-05 Thread Martin O'Shea
If I understand you correctly, I think I should have this:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>

But when called I receive a page not found exception. /login maps to a servlet 
I've been using to test my own logging in outside of j_security_check

Should the servlet mapped to /login receive j_username and j_password? 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 05 Oct 2011 23 41
To: Tomcat Users List
Subject: RE: Using multiple login pages

 From: Caldarale, Charles R
 Subject: RE: Using multiple login pages

 If you're already using a .jsp for the login, you have all the dynamic 
 content capability you need.  If instead you want the login to be 
 handled by a servlet, just make the form-login-page setting target a 
 previously defined url-pattern for some appropriate servlet of the webapp.

In the interest of full disclosure, I have to say that I haven't actually tried 
doing that...

 - Chuck





RE: Session management issue with Tomcat

2011-09-23 Thread Martin O'Shea
I should have mentioned that as only one user can be logged into a browser
session at any one time, they do have to log out for another user to log on.
But the logging out process does not do any cookie handling or
server-session invalidation.

This last step may be the missing link.

-Original Message-
From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
Sent: 22 Sep 2011 19 49
To: 'Tomcat Users List'
Subject: RE: Session management issue with Tomcat

To answer your questions:

Is there a reason this data is in a custom cookie, rather than the session,
via setAttribute()?

The cookie is dedicated and meant to be persistent. The idea is that a user
is recognised by the system upon returning to the website after having been
away for some time. Hence, the userid is stored in the cookie, so that when
the user returns to the homepage, the homepage can read the cookie, and
present that user's recent list on the page.

What is the expiry time of the custom cookie?

The cookie is set for a year.

How exactly are you invalidating this other cookie, when you invalidate the
session?

I assume you mean Tomcat's session and not the browser's sessions. The
Tomcat sessions are not being invalidated at the moment. 

The underlying principle here is that if multiple users use the same PC, and
maybe even the same session in a browser, a single cookie is used to store a
userid. Various system pages have a login facility and if invoked, the
cookie is rewritten with the current user's id. But this is where the Back
button issue occurs so it may be that session invalidation  solve my
problem.
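
The logout steps this message says are missing, server-session invalidation and cookie handling, sketched as a servlet (an added example, not code from the thread; `LogoutServlet` and its `/logout` mapping are hypothetical, the cookie path `/` is an assumption, and it assumes the user-id cookie should not survive an explicit logout):

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical logout servlet, assumed to be mapped to /logout in web.xml. */
public class LogoutServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private static final String USER_COOKIE = "myAppUser"; // cookie name given in the thread

    // POST only, so a plain link or image tag on another page cannot trigger it.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // 1. Drop the server-side state. A later request that still carries
        //    the old session id finds no session and starts as anonymous.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the persistent user-id cookie. Path (and domain, if one
        //    was set) must match the values used when the cookie was created;
        //    "/" is an assumption here.
        Cookie expired = new Cookie(USER_COOKIE, "");
        expired.setPath("/");
        expired.setMaxAge(0);
        resp.addCookie(expired);

        // 3. Ask the browser not to keep this response, then leave the page.
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/"));
    }
}
```

Pages the browser already holds in its history can still be shown by the Back button; what invalidation changes is that any request reaching the server after logout no longer finds the previous user's session.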






RE: Session management issue with Tomcat

2011-09-22 Thread Martin O'Shea
Shanti

I was thinking that this was the problem and at the moment I have been
trying to force the pages to reload from the server by using a filter to
prevent browser caching as follows:

try {
    HttpServletResponse hsr = (HttpServletResponse) response;
    hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    hsr.setDateHeader("Expires", 0); // Proxies.
    chain.doFilter(request, response);
} catch (Throwable t) {
    ...
}

But the results are imperfect.

Is this the sort of thing you mean?

http://www.koelnerwasser.de/?p=11

Or can you tell me what to do if I am wrong?

Thanks

Martin O'Shea.

 

-Original Message-
From: Shanti Suresh [mailto:sha...@umich.edu] 
Sent: 22 Sep 2011 13 57
To: Tomcat Users List
Subject: Re: Session management issue with Tomcat

Hi Martin,

You will have to expire/invalidate the session in the code upon user logout.
This way when the cookie comes in, there is no corresponding session-ID and
the system will create a new session.  Are you doing that already?  Does
that help?

 -Shanti

On Sep 20, 2011, at 1:20 PM, Christopher Schultz wrote:

 Martin,

 On 9/18/2011 11:05 AM, Martin O'Shea wrote:
  I have a situation where I'm using Tomcat 6.0.26 but the logging in /
  out of the application is not authenticated via Tomcat's:

  action='<%= response.encodeURL("j_security_check") %>'

  method.

 You mean to say that you are using your own authentication mechanism,
 right?

  The current system allows cookies to store userids which are used to
  show recent lists on the homepage of the application. So for a
  session, a user's userid can be read from the cookie and used to
  retrieve their details from the database and store them in the
  session, and render the homepage with its personalised recent list.

 So, any remote user can provide a forged cookie to read anyone's
 recent list if they want? You might want to encrypt those cookies.

  The user's id can also then be placed in the login username box with
  the password stored in the session.

 So, you use an untrusted user id coming from a remote cookie to
 populate the user's username and password on a login page? Sounds like
 that's a problem.

  But, in a single browser session, if the first user logs out, and
  another user logs in, the cookie is re-written with the new user's
  userid. But, because this is all in one browser session, use of the
  browser's back button allows the new user to access the profile
  details of the first user if the first user visited the page before
  logging off.

 So, what you are saying is that the design of the web browser allows a
 second user to observe what the first user did by looking at the
 history and/or cache? There's not a lot you can do about that. You can
 send no-cache response headers to the browser, etc. but there's
 always a chance that the browser doesn't respect them, etc. and the
 history can be viewed.

 I'm not sure there's a way around that. Even if you use javascript to
 kill the window/tab, many browsers have a re-open closed window/tab
 that will resurrect the window/tab with the history intact, so you
 haven't bought anything there.

 I guess this is why you should be careful what you do from a public
 terminal, eh?

  No secure data is held in the system.

 That's good, given the shaky security you've described here.

  Can anyone suggest a way to change this? I am no expert on session
  management.

 It's the browser that is the problem, not your session management. I
 think you need to instruct your users to completely exit the browser
 after they use your site if they value their privacy.

 -chris

--
Shanti Suresh
App Systems Analyst Lead
Web Services, LSA Development
University of Michigan
Office: 734-763-4807
sha...@umich.edu
http://lsa.umich.edu/cms
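
The forged-cookie concern raised in the quoted reply above can be handled by attaching an integrity tag to the user id, which is a MAC rather than the encryption suggested there (an added example, not code from the thread; `SignedUserCookie` is a hypothetical class, the user id in `main` is the sample value posted in this thread, and it assumes Java 8 or later and a secret held only on the server):

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: cookie value = userId + "." + base64url(HMAC-SHA256(userId)). */
public class SignedUserCookie {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    /** The secret must stay on the server; it is never sent to the browser. */
    public SignedUserCookie(byte[] secret) {
        if (secret == null || secret.length < 32) {
            throw new IllegalArgumentException("secret must be at least 32 bytes");
        }
        key = new SecretKeySpec(secret, ALG);
    }

    private byte[] tag(String userId) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(ALG);
        mac.init(key);
        return mac.doFinal(userId.getBytes(StandardCharsets.UTF_8));
    }

    /** Builds the value to store in the cookie. */
    public String encode(String userId) throws GeneralSecurityException {
        return userId + "."
                + Base64.getUrlEncoder().withoutPadding().encodeToString(tag(userId));
    }

    /**
     * Returns the user id when the tag verifies, or null when the value is
     * missing, malformed, unsigned or carries a tag made for another id.
     */
    public String decode(String cookieValue) throws GeneralSecurityException {
        if (cookieValue == null) {
            return null;
        }
        // The tag alphabet contains no '.', so the last dot is the separator.
        int dot = cookieValue.lastIndexOf('.');
        if (dot <= 0 || dot == cookieValue.length() - 1) {
            return null;
        }
        String userId = cookieValue.substring(0, dot);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(cookieValue.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // tag is not valid base64url
        }
        // Constant-time comparison of the expected and presented tags.
        return MessageDigest.isEqual(tag(userId), presented) ? userId : null;
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // demo key; a real one comes from server configuration
        SignedUserCookie cookies = new SignedUserCookie(secret);

        String genuine = cookies.encode("978937_19082010_1282218386857");
        // Constructed forgery: another id with the genuine cookie's tag re-used.
        String forged = "111111_01012011_0000000000000"
                + genuine.substring(genuine.lastIndexOf('.'));

        System.out.println("genuine  -> " + cookies.decode(genuine));
        System.out.println("forged   -> " + cookies.decode(forged));
        System.out.println("unsigned -> " + cookies.decode("978937_19082010_1282218386857"));
    }
}
```

The tag stops a client from substituting another user's id; it does not stop a cookie copied from the same browser from being replayed, so the value is still only a hint about who is returning, not proof of a login.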











RE: Session management issue with Tomcat

2011-09-22 Thread Martin O'Shea
OK. This is what the contents of a typical cookie on the system look like:

978937_19082010_1282218386857
localhost/
1024
2913476352
30544688
1374261013
30177561
*

Where userid is 978937_19082010_1282218386857 matching the key of the user
table in the database.

The cookie is not encrypted.

Code in the system to retrieve the cookie is:

// Gets the value of a cookie.
public static String getCookieValue(Cookie[] cookies, String cookieName) {
    String cookieValue = "";
    Cookie cookie;
    boolean found = false;
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            cookie = cookies[i];
            if (cookieName.equals(cookie.getName())) {
                cookieValue = cookie.getValue();
                found = true;
                break;
            }
            if (found) {
                return cookieValue;
            }
        }
    }
    return cookieValue;
}

The cookieName parameter here is the name of the cookie, which is myAppUser.

This all seems to work fine.

-Original Message-
From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
Sent: 22 Sep 2011 14 03
To: 'Tomcat Users List'
Subject: RE: Session management issue with Tomcat

Shanti

I was thinking that this was the problem and at the moment I have been
trying to force the pages to reload from the server by using a filter to
prevent browser caching as follows:

try {
    HttpServletResponse hsr = (HttpServletResponse) response;
    hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    hsr.setDateHeader("Expires", 0); // Proxies.
    chain.doFilter(request, response);
} catch (Throwable t) {
    ...
}

But the results are imperfect.

Is this the sort of thing you mean?

http://www.koelnerwasser.de/?p=11

Or can you tell me what to do if I am wrong?

Thanks

Martin O'Shea.

 

-Original Message-
From: Shanti Suresh [mailto:sha...@umich.edu]
Sent: 22 Sep 2011 13 57
To: Tomcat Users List
Subject: Re: Session management issue with Tomcat

Hi Martin,

You will have to expire/invalidate the session in the code upon user logout.
This way when the cookie comes in, there is no corresponding session-ID and
the system will create a new session.  Are you doing that already?  Does
that help?

 -Shanti

On Sep 20, 2011, at 1:20 PM, Christopher Schultz wrote:

 
 Martin,
 
 On 9/18/2011 11:05 AM, Martin O'Shea wrote:
 I have a situation where I'm using Tomcat 6.0.26 but the logging in / 
 out of the application is not authenticated via Tomcat's:
 
 action='<%= response.encodeURL("j_security_check") %>'
 
 method.
 
 You mean to say that you are using your own authentication mechanism, 
 right?
 
 The current system allows cookies to store userids which are used to 
 show recent lists on the homepage of the application. So for a 
 session, a user's userid can be read from the cookie and used to 
 retrieve their details from the database and store them in the 
 session, and render the homepage with its personalised recent list.
 
 So, any remote user can provide a forged cookie to read anyone's 
 recent list if they want? You might want to encrypt those cookies.
 
 The user's id can also then be placed in the login username box with 
 the password stored in the session.
 
 So, you use an untrusted user id coming from a remote cookie to 
 populate the user's username and password on a login page? Sounds like 
 that's a problem.
 
 But, in a single browser session, if the first user logs out, and 
 another user logs in, the cookie is re-written with the new user's 
 userid. But, because this is all in one browser session, use of the 
 browser's back button allows the new user to access the profile 
 details of the first user if the first user visited the page before 
 logging off.
 
 So, what you are saying is that the design of the web browser allows a 
 second user to observe what the first user did by looking at the 
 history and/or cache? There's not a lot you can do about that. You can 
 send no-cache response headers to the browser, etc. but there's 
 always a chance that the browser doesn't respect them, etc. and the 
 history can be viewed.
 
 I'm not sure there's a way around that. Even if you use javascript to 
 kill the window/tab, many browsers have a re-open closed window/tab
 that will resurrect the window/tab with the history intact, so you 
 haven't bought anything there.
 
 I guess this is why you should be careful what you do from a public 
 terminal, eh?
 
 No secure data is held in the system.
 
 That's good, given the shaky security you've described here.
 
 Can anyone suggest a way to change this? I am no expert on session 
 management.
 
 It's the browser that is the problem, not your session management. I 
 think you need
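
Added example, not code from the thread: Christopher's point in the quoted reply above is that a bare userid in a cookie can be forged by any client. He suggests encrypting the cookie; the sketch below instead attaches an HMAC-SHA256 tag, which is enough to reject forged or altered userids but does not hide the value. The class name, the "." separator and the second userid are assumptions made for the illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class SignedUserCookie {
    private static final String ALGORITHM = "HmacSHA256";
    private final SecretKeySpec key;

    public SignedUserCookie(byte[] secret) {
        this.key = new SecretKeySpec(secret, ALGORITHM);
    }

    /** Value to store in the cookie: userid + "." + base64url(HMAC(userid)). */
    public String issue(String userId) {
        return userId + "." + tag(userId);
    }

    /** Returns the userid if the tag verifies; null for a missing, malformed or forged value. */
    public String verify(String cookieValue) {
        if (cookieValue == null) {
            return null;
        }
        int sep = cookieValue.lastIndexOf('.');
        if (sep <= 0 || sep == cookieValue.length() - 1) {
            return null; // no separator, empty userid or empty tag
        }
        String userId = cookieValue.substring(0, sep);
        byte[] presented = cookieValue.substring(sep + 1).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = tag(userId).getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(expected, presented) ? userId : null;
    }

    private String tag(String userId) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(key);
            byte[] raw = mac.doFinal(userId.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Demo key generated at start-up; a deployed key would be loaded from
        // server-side configuration so that cookies survive a restart.
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SignedUserCookie cookies = new SignedUserCookie(secret);

        String userId = "978937_19082010_1282218386857"; // userid format shown in the thread
        String other = "111111_01012011_0000000000000";  // constructed second userid

        String issued = cookies.issue(userId);
        // Same tag, different userid: what a client editing its own cookie would send.
        String swapped = other + issued.substring(issued.lastIndexOf('.'));

        System.out.println("issued cookie  -> " + cookies.verify(issued));
        System.out.println("swapped userid -> " + cookies.verify(swapped));
        System.out.println("bare userid    -> " + cookies.verify(other));
        System.out.println("empty tag      -> " + cookies.verify(userId + "."));
    }
}
```

A cookie that verifies only shows that the server issued that value. It identifies a returning browser for the recent list and is not a substitute for logging in.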

RE: Session management issue with Tomcat

2011-09-22 Thread Martin O'Shea
To answer your questions:

Is there a reason this data is in a custom cookie, rather than the
session, via setAttribute()?

The cookie is dedicated and meant to be persistent. The idea is that a user
is recognised by the system upon returning to the website after having been
away for some time. Hence, the userid is stored in the cookie, so that when
the user returns to the homepage, the homepage can read the cookie, and
present that user's recent list on the page.

What is the expiry time of the custom cookie?

The cookie is set for a year.

How exactly are you invalidating this other cookie, when you
invalidate the session?

I assume you mean Tomcat's session and not the browser's sessions. The
Tomcat sessions are not being invalidated at the moment. 

The underlying principle here is that if multiple users use the same PC, and
maybe even the same session in a browser, a single cookie is used to store a
userid. Various system pages have a login facility and if invoked, the
cookie is rewritten with the current user's id. But this is where the Back
button issue occurs so it may be that session invalidation  solve my
problem.






Session management issue with Tomcat

2011-09-18 Thread Martin O'Shea
Hello

 

I have a situation where I'm using Tomcat 6.0.26 but the logging in / out of
the application is not authenticated via Tomcat's:

 

action='<%= response.encodeURL("j_security_check") %>'

 

method.

 

The current system allows cookies to store userids which are used to show
recent lists on the homepage of the application. So for a session, a user's
userid can be read from the cookie and used to retrieve their details from
the database and store them in the session, and render the homepage with its
personalised recent list. 

 

The user's id can also then be placed in the login username box with the
password stored in the session. 

 

But, in a single browser session, if the first user logs out, and another
user logs in, the cookie is re-written with the new user's userid. But,
because this is all in one browser session, use of the browser's back button
allows the new user to access the profile details of the first user if the
first user visited the page before logging off. 

 

No secure data is held in the system.

 

Can anyone suggest a way to change this? I am no expert on session
management.

 

Thanks.



Logging in options in Tomcat 6.0.26

2011-08-23 Thread Martin O'Shea
Hello

 

I wonder if anyone can advise? I am using Tomcat 6.0.26 in an application
with a MySQL 5.* back end database. 

 

Currently my users' username and userrole details are stored in the User
table of the database. 

 

At the moment though, there is no actual logging in facility in the
application. What I want is for users to be able to log in only when they
have to create content, and then for the login facility to be embedded in
the relevant pages, e.g. if a user posts a comment, they log in and then
return to the comment posting page. 

 

I can do this using my own look-up process to check a user's name and
password, but can this be done through the j_username and j_password
combination as part of Tomcat's:

 

<form method = "POST" action='<%= response.encodeURL("j_security_check") %>'>
 

 

Process? I do not want the application in question to be accessible only
through a log in page. 

 

There is no secure information held in the database and the users' passwords
are encrypted using MD5.

 

Thanks

 

Martin.



RE: java.lang.ClassNotFoundException: org.apache.catalina.valves.FastCommonAccessLogValve in Java web application

2011-04-24 Thread Martin O'Shea
Thanks Konstantin. It seems fine now.

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: 23 Apr 2011 18 17
To: Tomcat Users List
Subject: Re: java.lang.ClassNotFoundException:
org.apache.catalina.valves.FastCommonAccessLogValve in Java web application

2011/4/23 Martin Gainty mgai...@hotmail.com:

 i found the class missing in the Tomcat7 distro my guess is the big 
 todo on london on monday may temporarily delay inserting this valve 
 class into Tomcat7 distros

Martin Gainty,
 your link is unrelated to Tomcat 7.
That is some old crap, that does not match latest 5.5 as well.

Do you not know where the Apache svn is? Hint:
http://svn.apache.org/viewvc/tomcat/
http://svn.apache.org/repos/asf/tomcat/

Martin O'Shea,

FastCommonAccessLogValve was deprecated in Tomcat 6 and is completely
removed from Tomcat 7.  Just use the AccessLogValve class.


Best regards,
Konstantin Kolinko




java.lang.ClassNotFoundException: org.apache.catalina.valves.FastCommonAccessLogValve in Java web application

2011-04-23 Thread Martin O'Shea
Hello

 

I've just upgraded Apache Tomcat to version 7.0.11 and running an
application of mine through NetBeans 7 gives me the following error:

 

23-Apr-2011 16:18:56 org.apache.catalina.startup.ContextConfig
processContextConfig

SEVERE: Parse error in context.xml for /visualRSS

java.lang.ClassNotFoundException:
org.apache.catalina.valves.FastCommonAccessLogValve 

 

And so on.

 

The code in my context.xml file for the valve is as follows:

 

<Valve
    className = "org.apache.catalina.valves.FastCommonAccessLogValve"
    directory = "logs"
    pattern = "combined"
    prefix = "visualRSS_access_log."
    resolveHosts = "true"
    suffix = ".txt"/>

 

And this worked well under the older version of Apache Tomcat used, i.e.
6.0.26. 

 

I have disabled the valve code because the log files are not very important
to me at this time but can you advise?

 

Thanks

 

Martin O'Shea.

 



RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

2010-10-20 Thread Martin O'Shea
Thanks for this. I've copied the logs over to an incident in Quartz's forum
so hopefully, I can get to the bottom of this issue.

http://forums.terracotta.org/forums/posts/list/4341.page

-Original Message-
From: Pid [mailto:p...@pidster.com] 
Sent: 20 Oct 2010 16 37
To: Tomcat Users List
Subject: Re: Tomcat memory leak error launching web app in NetBeans 6.9.1

On 20/10/2010 12:41, Martin O'Shea wrote:
 And then when I terminate the Quartz application, but leave Tomcat 
 running, the second dump appears to show no trace of these messages 
 at all. So does this indicate that Quartz has shut down but only after 
 my application has stopped within Tomcat, i.e. that Tomcat monitors my 
 application's demise and reports the threads as extant because Quartz has
not yet ended?

The memory leak detection activates when a web app stops.

The question is whether the Quartz scheduler blocks and waits for its worker
threads to finish before it reports that it's shutdown.

I don't believe it does, which isn't your fault.


p
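
Added example, not code from the thread or from Quartz: a small model of the question Pid raises above, whether a scheduler's shutdown call returns before its worker threads have exited. MiniScheduler and the thread names are made up for the illustration; in Quartz the corresponding call is Scheduler.shutdown(boolean waitForJobsToComplete).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.TreeSet;

public class SchedulerShutdownModel {

    /** Toy stand-in for a scheduler that owns named worker threads (not Quartz code). */
    static final class MiniScheduler {
        private final List<Thread> workers = new ArrayList<>();
        private volatile boolean stopRequested = false;

        MiniScheduler(String name, int workerCount, final long jobMillis) {
            for (int i = 1; i <= workerCount; i++) {
                Thread t = new Thread(() -> {
                    do {
                        try {
                            Thread.sleep(jobMillis); // simulated job in progress
                        } catch (InterruptedException e) {
                            return;
                        }
                    } while (!stopRequested);
                }, name + "_Worker-" + i);
                workers.add(t);
                t.start();
            }
        }

        /** Signals the workers to stop; blocks until they have exited only if wait is true. */
        void shutdown(boolean wait) throws InterruptedException {
            stopRequested = true;
            if (wait) {
                for (Thread t : workers) {
                    t.join();
                }
            }
        }
    }

    /** Names of live threads with the given prefix: what a check made at webapp stop would still find. */
    static TreeSet<String> liveThreads(String prefix) {
        TreeSet<String> names = new TreeSet<>();
        for (Thread t : Thread.getAllStackTraces().keySet()) {
            if (t.isAlive() && t.getName().startsWith(prefix)) {
                names.add(t.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) throws InterruptedException {
        // Case A: shutdown returns at once, as if called from contextDestroyed()
        // without waiting. The workers are still inside their current job.
        MiniScheduler a = new MiniScheduler("ModelA", 2, 200);
        a.shutdown(false);
        System.out.println("shutdown(false), checked immediately: " + liveThreads("ModelA"));

        // Case B: shutdown joins every worker before returning, so a check made
        // right afterwards finds nothing left behind.
        MiniScheduler b = new MiniScheduler("ModelB", 2, 200);
        b.shutdown(true);
        System.out.println("shutdown(true),  checked immediately: " + liveThreads("ModelB"));

        // The case A workers do exit on their own once the current job ends;
        // the report in case A is about timing, not about threads that never stop.
        a.shutdown(true);
        System.out.println("case A after waiting:                 " + liveThreads("ModelA"));
    }
}
```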








RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

2010-10-18 Thread Martin O'Shea
You're probably correct and assuming this is to do with Quartz which it seems 
to be, are you aware of any similar cases or remedies?

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 18 Oct 2010 13 49
To: Tomcat Users List
Subject: Re: Tomcat memory leak error launching web app in NetBeans 6.9.1


Martin,

On 10/16/2010 11:11 AM, Martin O'Shea wrote:
 Definitely seems to be when the web application in question is terminated, 
 rather than Tomcat itself. And all indications are the listener that handles 
 the scheduler.
 
 And I've tried another similar application which gives messages of the same 
 kind.
 
 And yet both apps have worked under other environments.

Note that the leak detection has been added and improved in recent
Tomcat versions. It's possible that this problem has always been there,
you've just never been notified about it.

- -chris



RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

2010-10-17 Thread Martin O'Shea
Well, I've upgraded to Quartz 1.8.3 and the two SLF4J files that seem to be 
needed. I believe Quartz's config is correct with regards to the two scheduled 
jobs I have. But upon terminating my web app in Tomcat or terminating Tomcat, I 
still find a number of messages:

-Oct-2010 14:40:52 org.apache.catalina.loader.WebappClassLoader 
clearReferencesThreads
SEVERE: A web application appears to have started a thread named 
[DefaultQuartzScheduler_Worker-1] but has failed to stop it. This is very 
likely to create a memory leak.

Any clues?






Tomcat memory leak error launching web app in NetBeans 6.9.1

2010-10-16 Thread Martin O'Shea
Hello 

I wonder if anyone can help here? I am developing a web application written
in Java servlets and JSPs which uses Quartz 1.6.1 to submit two jobs when
Apache Tomcat 6.0.26 is started and hourly after that. 

But what I'm finding is that a message is issued several times as the server
is started in NetBeans 6.9.1. The message is: 

16-Oct-2010 12:20:18 org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads 
SEVERE: A web application appears to have started a thread named
[DefaultQuartzScheduler_Worker-1] but has failed to stop it. This is very
likely to create a memory leak. 

Has anyone any idea? It seems to be causing Tomcat to stop every so often
requiring a PC reboot. And I've found very little about this so far. 

I don't know if it is a problem with Tomcat or Quartz so any help is welcome


Thanks 

Martin O'Shea. 





Re: Connecting Tomcat 6.0.26 to MySQL 5.1

2010-10-16 Thread Martin O'Shea
It turned out to be MS Internet Explorer security settings. 



RE: Connecting Tomcat 6.0.26 to MySQL 5.1

2010-10-16 Thread Martin O'Shea
To do with the use of cookies and Trusted sites within IE 8.

-Original Message-
From: Martin Gainty [mailto:mgai...@hotmail.com] 
Sent: 16 Oct 2010 13 09
To: Tomcat Users List
Subject: RE: Connecting Tomcat 6.0.26 to MySQL 5.1


how did misconfiguration for IE browser cause these problems?

Martin 



 

 From: app...@dsl.pipex.com
 To: users@tomcat.apache.org
 Subject: Re: Connecting Tomcat 6.0.26 to MySQL 5.1 
 Date: Sat, 16 Oct 2010 12:52:56 +0100
 
 It turned out to be MS Internet Explorer security settings. 
 
  






RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

2010-10-16 Thread Martin O'Shea
OK. So the error is happening as the application is closed, not as it started. 
My mistake. But Tomcat restarts occur frequently as I have NetBeans's Deploy on 
Save set. This seems to restart the server with the current objects.

But what I don't understand is why the ServletContextListener which handles 
Quartz jobs should be going wrong? It is set to start and stop Quartz at 
contextInitialized and contextDestroyed times where the former creates an 
instance of a SchedulerController class which submits the two jobs. 

This problem never appeared to happen under NetBeans 6.9 with an earlier 
version of Tomcat which I was using recently. 

And I wonder if this may have anything to do with the Tomcat out of memory 
messages I've been receiving? Do I need to increase the memory allocated to the 
JVM for Tomcat at all?

-Original Message-
From: Pid * [mailto:p...@pidster.com] 
Sent: 16 Oct 2010 15 06
To: Tomcat Users List
Subject: Re: Tomcat memory leak error launching web app in NetBeans 6.9.1

On 16 Oct 2010, at 12:45, Martin O'Shea app...@dsl.pipex.com wrote:

 Hello

 I wonder if anyone can help here? I am developing a web application written
 in Java servlets and JSPs which uses Quartz 1.6.1 to submit two jobs when
 Apache Tomcat 6.0.26 is started and hourly after that.

 But what I'm finding is that a message is issued several times as the server
 is started in NetBeans 6.9.1. The message is:

 16-Oct-2010 12:20:18 org.apache.catalina.loader.WebappClassLoader
 clearReferencesThreads
 SEVERE: A web application appears to have started a thread named
 [DefaultQuartzScheduler_Worker-1] but has failed to stop it. This is very
 likely to create a memory leak.

Yes. So, umm, your webapp uses quartz - which is starting threads and
not stopping them.

 Has anyone any idea? It seems to be causing Tomcat to stop every so often
 requiring a PC reboot. And I've found very little about this so far.

The error message is issued by Tomcat when an app is stopped and it
finds resources that haven't been properly terminated.

The message itself doesn't cause a leak, the source of the problem
might - as the message itself states.

 I don't know if it is a problem with Tomcat or Quartz so any help is welcome

Quartz, or the way you've configured it.


p



 Thanks

 Martin O'Shea.







RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

2010-10-16 Thread Martin O'Shea
I know that the ServletContextListener is running when the application starts 
because of messages issued from it. It is also calling the two Quartz jobs 
which appear to be running normally as well. When the application is 
terminated, e.g. when the server is stopped, appropriate messages are issued to 
confirm that the scheduler has stopped. Then come the messages about the memory 
leak.

And the configuration is the only one on this PC, Tomcat 6.0.26 using JVM 
1.6.0_21-b07. I'm using JDK 1.6.0_21.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 16 Oct 2010 15 30
To: Tomcat Users List
Subject: RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

 From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
 Subject: RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

 I have NetBeans's Deploy on Save set. This seems to restart 
 the server with the current objects.

No, it restarts the webapp, not the server.

 But what I don't understand is why the ServletContextListener 
 which handles Quartz jobs should be going wrong?

Time to add some debugging info to it and find out.  Is your 
ServletContextListener even being called?  Are you really running the 
configuration you think you are?  (IDEs tend to obfuscate the situation, which 
is why a lot of us will not attempt to run Tomcat under an IDE.)
 
 And I wonder if this may have anything to do with the Tomcat 
 out of memory messages I've been receiving?

Sounds like a separate topic for a separate thread.

 - Chuck 





RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

2010-10-16 Thread Martin O'Shea
Definitely seems to be when the web application in question is terminated, 
rather than Tomcat itself. And all indications are the listener that handles 
the scheduler.

And I've tried another similar application which gives messages of the same 
kind.

And yet both apps have worked under other environments.

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: 16 Oct 2010 15 53
To: Tomcat Users List
Subject: RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

 From: Martin O'Shea [mailto:app...@dsl.pipex.com] 
 Subject: RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

 When the application is terminated, e.g. when the server 
 is stopped, appropriate messages are issued to confirm 
 that the scheduler has stopped.

What about when it's just the webapp being stopped, not the whole server?

Try stopping just the webapp, then take a thread dump of Tomcat to see if the 
quartz threads are really still there.  If they are, then the shutdown logic in 
the listener isn't working.

 And the configuration is the only one on this PC, Tomcat 6.0.26 
 using JVM 1.6.0_21-b07. I'm using JDK 1.6.0_21.

IDEs have a nasty habit of substituting their own Tomcat and webapp 
configurations rather than using the ones you think you've set up.  You won't 
find additional Tomcat or JDK installations, just behavior that's not 
consistent with what you configured.

 - Chuck





RE: Tomcat memory leak error launching web app in NetBeans 6.9.1

2010-10-16 Thread Martin O'Shea
This answers a few questions. I thought also that I had the most recent version 
of Quartz running but I only have version 1.6.1. They are up to 1.8.3 so I will 
try this out.

Thanks.

-Original Message-
From: Pid [mailto:p...@pidster.com] 
Sent: 16 Oct 2010 17 33
To: Tomcat Users List
Subject: Re: Tomcat memory leak error launching web app in NetBeans 6.9.1

On 16/10/2010 15:24, Martin O'Shea wrote:
 OK. So the error is happening as the application is closed, not as it 
 started. My mistake. But Tomcat restarts occur frequently as I have 
 NetBeans's Deploy on Save set. This seems to restart the server with the 
 current objects.
 
 But what I don't understand is why the ServletContextListener which handles 
 Quartz jobs should be going wrong? It is set to start and stop Quartz at 
 contextInitialized and contextDestroyed times where the former creates an 
 instance of a SchedulerController class which submits the two jobs. 

Is the Quartz lib the latest version?

 This problem never appeared to happen under NetBeans 6.9 with an earlier 
 version of Tomcat which I was using recently. 

The memory leak detection was released in 6.0.24.  So the problem might have 
existed, you just might not have known about it.

 And I wonder if this may have anything to do with the Tomcat out of memory 
 messages I've been receiving? Do I need to increase the memory allocated to 
 the JVM for Tomcat at all?

Some of the detection just results in a log message, some of it results in a 
message and an attempt to clean up.


p

 -Original Message-
 From: Pid * [mailto:p...@pidster.com]
 Sent: 16 Oct 2010 15 06
 To: Tomcat Users List
 Subject: Re: Tomcat memory leak error launching web app in NetBeans 
 6.9.1
 
 On 16 Oct 2010, at 12:45, Martin O'Shea app...@dsl.pipex.com wrote:
 
 Hello

 I wonder if anyone can help here? I am developing a web application 
 written in Java servlets and JSPs which uses Quartz 1.6.1 to submit 
 two jobs when Apache Tomcat 6.0.26 is started and hourly after that.

 But what I'm finding is that a message is issued several times as the 
 server is started in NetBeans 6.9.1. The message is:

 16-Oct-2010 12:20:18 org.apache.catalina.loader.WebappClassLoader
 clearReferencesThreads
 SEVERE: A web application appears to have started a thread named 
 [DefaultQuartzScheduler_Worker-1] but has failed to stop it. This is 
 very likely to create a memory leak.
 
 Yes. So, umm, your webapp uses quartz - which is starting threads and 
 not stopping them.
 
 Has anyone any idea? It seems to be causing Tomcat to stop every so 
 often requiring a PC reboot. And I've found very little about this so far.
 
 The error message is issued by Tomcat when an app is stopped and it 
 finds resources that haven't been properly terminated.
 
 The message itself doesn't cause a leak, the source of the problem 
 might - as the message itself states.
 
 I don't know if it is a problem with Tomcat or Quartz so any help is 
 welcome
 
 Quartz, or the way you've configured it.
 
 
 p
 


 Thanks

 Martin O'Shea.



 



Use of error page in Tomcat

2010-09-23 Thread Martin O'Shea
Hello

 

I have a /myApp/displayDatasetPage which is used to display content. In this
page, I incorporate the default Tomcat login code as follows:

 

<div id = "login">
    <form action='<%= response.encodeURL("/myApp/loginPage") %>' method = "post">
        <table border = "0">
            <tr>
                <th align = "right">Username</th>
                <td align = "left"><input type = "text" name = "userName"></td>
            </tr>
            <tr>
                <th align = "right">Password</th>
                <td align = "left"><input type = "password" name = "password"></td>
            </tr>
            <tr>
                <td align = "right"><input type = "submit" value = "Log In"></td>
                <td align = "left"><input type = "reset"></td>
            </tr>
        </table>
    </form>
</div>

 

And path /myApp/loginPage is protected in web.xml. This seems to be alright
but if a user doesn't enter login details, or enters incorrect login
details, and then presses 'Log in' the page simply reloads. I am assuming
that this is because I have no login error page working alongside use
/myApp/displayDatasetPage to catch login exceptions. 

 

Is it possible to use /myApp/displayDatasetPage to display login errors? Or
can anyone say tell me if I catch Tomcat's login verification process  to do
this?

 

Thanks

 

Mr Morgan.



RE: Use of error page in Tomcat

2010-09-23 Thread Martin O'Shea
Apologies re the duplicate posting; email trouble with my ISP.

Relevant part of web.xml reads:

<security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name/>
        <description/>
        <url-pattern>/login</url-pattern>
    </web-resource-collection>
    <!--<auth-constraint>
        <role-name>USER</role-name>
        <role-name>ADMIN</role-name>
    </auth-constraint>-->
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>

At the moment I am trying things manually by checking the user table
regardless of Tomcat but is this necessary?

-Original Message-
From: Pid [mailto:p...@pidster.com] 
Sent: 23 Sep 2010 12 57
To: Tomcat Users List
Subject: Re: Use of error page in Tomcat

On 23/09/2010 12:22, Martin O'Shea wrote:
 Hello
 
 I have a /myApp/displayDatasetPage which is used to display content. 
 In this page, I incorporate the default Tomcat login code as follows:
 
 <div id = "login">
     <form action='<%= response.encodeURL("/myApp/loginPage") %>'
           method = "post">
         <table border = "0">

Tables for layout. How very 1997.

             <tr>
                 <th align = "right">Username</th>
                 <td align = "left"><input type = "text" name = "userName"></td>
             </tr>
             <tr>
                 <th align = "right">Password</th>
                 <td align = "left"><input type = "password" name = "password"></td>
             </tr>
             <tr>
                 <td align = "right"><input type = "submit" value = "Log In"></td>
                 <td align = "left"><input type = "reset"></td>
             </tr>
         </table>
     </form>
 </div>

How is this 'the default Tomcat logic code'?

 And path /myApp/loginPage is protected in web.xml. 

How is it protected in web.xml?

 This seems to be alright
 but if a user doesn't enter login details, or enters incorrect login 
 details, and then presses 'Log in' the page simply reloads. I am 
 assuming that this is because I have no login error page working 
 alongside use /myApp/displayDatasetPage to catch login exceptions.

You tell us.  You haven't posted your web.xml, so we can't know.

 Is it possible to use /myApp/displayDatasetPage to display login 
 errors? Or can anyone say tell me if I catch Tomcat's login 
 verification process  to do this?

If you're using the Servlet Specification container managed authentication
mechanism, it's possible.  It doesn't look like you are though.

If you've written your own login component, you can of course make that
happen too.

 Thanks
 
 Mr Morgan.

Are you Martin O'Shea or Mr Morgan?  I'm confused.


p

P.S.  Please send one message to the list and then wait for a response.
Two messages in 30 mins is a little pushy.








RE: Use of error page in Tomcat

2010-09-23 Thread Martin O'Shea
I'm currently using a DataSourceRealm and Tomcat 6.0.20.

So if I wanted to pick up an error that Tomcat's authentication throws, how
best can I do it to avoid manual verification of the user (which is now
working adequately when I check the database)?

-Original Message-
From: Pid [mailto:p...@pidster.com] 
Sent: 23 Sep 2010 13 17
To: Tomcat Users List
Subject: Re: Use of error page in Tomcat

On 23/09/2010 13:04, Martin O'Shea wrote:
 Apologies re the duplicate posting; email trouble with my ISP.
 
 Relevant part of web.xml reads:
 
 <security-constraint>
   <display-name>Security Constraint</display-name>
   <web-resource-collection>
     <web-resource-name/>
     <description/>
     <url-pattern>/login</url-pattern>
   </web-resource-collection>
   <!--<auth-constraint>
     <role-name>USER</role-name>
     <role-name>ADMIN</role-name>
   </auth-constraint>-->
 </security-constraint>
 <login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
     <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
     <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
   </form-login-config>
 </login-config>

So you've protected just the /login URL, meaning that authentication will be
required before accessing that URL which probably checks the DB for a
username or something.

The config above doesn't do what you probably think it does; you've got half
a container managed authentication solution and half a roll-your-own.

 At the moment I am trying things manually by checking the user table 
 regardless of Tomcat but is this necessary?

Not if you configure it properly.

I'll guess that you're using Tomcat 6.0.29 and suggest that you find and
read the Servlet Spec v2.5, Section SRV.12.1 paying particular attention to
paragraphs which mention 'j_security_check'.


Have you configured a Realm (usually a DataSourceRealm)?

 http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html


p




RE: Use of error page in Tomcat

2010-09-23 Thread Martin O'Shea
Well, that's the code in the 6.0.20 samples I have.

-Original Message-
From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au] 
Sent: 23 Sep 2010 14 04
To: Tomcat Users List
Subject: Re: Use of error page in Tomcat




On 23/09/10 9:56 PM, Pid p...@pidster.com wrote:

 
 Tables for layout. How very 1997.
 
meow





RE: Use of error page in Tomcat

2010-09-23 Thread Martin O'Shea
Please advise how I'm not using the DSR because my config is wrong and
parameters have been corrected as ?

<form action='<%= response.encodeURL("/myApp/login") %>' method = "post">
  <table border = "0">
    <tr>
      <th align = "right">Username</th>
      <td align = "left"><input type = "text" name = "j_username"></td>
    </tr>
    <tr>
      <th align = "right">Password</th>
      <td align = "left"><input type = "password" name = "j_password"></td>
    </tr>
    <tr>
      <td align = "right"><input type = "submit" value = "Log in"></td>
      <td align = "left"><input type = "reset"></td>
    </tr>
  </table>
</form>

And where the web.xml file needs to be corrected?

-Original Message-
From: Pid [mailto:p...@pidster.com] 
Sent: 23 Sep 2010 14 00
To: Tomcat Users List
Subject: Re: Use of error page in Tomcat

On 23/09/2010 13:27, Martin O'Shea wrote:
 I'm currently using a DataSourceRealm and Tomcat 6.0.20.

Well, you aren't actually using the DSR because your config is wrong.
Why use 6.0.20 when 6.0.29 is out?

 So if I wanted to pick up an error that Tomcat's authentication 
 throws, how best can I do it to avoid manual verification of the user 
 (which is now working adequately when I check the database)?

Stop trying to solve the little problem you think you're stuck on and start
paying attention to the massive problem you're ignoring.

Your login form is simply not going to work, it doesn't point to the right
URL, doesn't send the correct parameters and your web.xml config is wrong.

I could elaborate but it would be much easier if you actually read my emails
more carefully, and read the Servlet Spec - given that it's already
explained long-hand there.


p


Issue with logging in to Tomcat 6.0

2010-09-22 Thread Martin O'Shea
Hello

I have a Java / Tomcat application which creates a cookie for a user when
they visit the homepage. This cookie is used to recognize that user on
subsequent visits and generate recent lists. These are working well and so
far without any type of authentication of the user using Tomcat itself.
Which brings me to my issue.

On certain pages of my application, users have the option to post comments
or save content created, and of course to maintain their profiles. So what
I'm trying to do is have users login on these pages so that the relevant
operation can be carried out, e.g. if posting a comment, the user must first
login from the current page which is not specifically intended as a login
page, rather it displays content created. Or to access a profile page, login
must have occurred. I can then record the login in a session variable.

But when I try to login to Tomcat, I am given message 'Invalid direct
reference to form login page' but do not quite see why. In my pages, I'm
using login code provided with Tomcat, i.e.:

<div id = "login">
  <form method = "POST" action='<%= response.encodeURL("j_security_check") %>' >
    <table border="0">
      <tr>
        <th align = "right">Username</th>
        <td align = "left"><input type="text" name="j_username"></td>
      </tr>
      <tr>
        <th align = "right">Password</th>
        <td align = "left"><input type="password" name="j_password"></td>
      </tr>
      <tr>
        <td align = "right"><input type="submit" value="Log In"></td>
        <td align = "left"><input type="reset"></td>
      </tr>
    </table>
  </form>
</div>

I've also tried using a default login page with an HTML iframe but the same
message occurs. What I want is for the login to work from the current above,
authenticate the user, and then return the user to the page. 

Is anyone able to advise? Do I need to use realms in Tomcat or write my own
servlet to read the user table of the database?

I'm using Tomcat 6.X.

Thanks

Mr Morgan.

 



RE: Issue with logging in to Tomcat 6.0

2010-09-22 Thread Martin O'Shea
 Because you haven't told Tomcat that those pages need to be protected by
 authentication. Do that, and Tomcat will handle the whole process for you.

But won't the authentication apply to the whole page in question? I'm only
looking to have a user log in when they seek to do something, like post a
comment, on the page.

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: 22 Sep 2010 15 43
To: Tomcat Users List
Subject: Re: Issue with logging in to Tomcat 6.0

On 22/09/2010 06:27, Martin O'Shea wrote:
 But when I try to login to Tomcat, I am given message 'Invalid direct
 reference to form login page' but do not quite see why.

Because you haven't told Tomcat that those pages need to be protected by
authentication. Do that, and Tomcat will handle the whole process for you.

Mark






RE: Issue with logging in to Tomcat 6.0

2010-09-22 Thread Martin O'Shea
It appears to be working. Many thanks.

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: 22 Sep 2010 16 06
To: Tomcat Users List
Subject: Re: Issue with logging in to Tomcat 6.0

On 22/09/2010 07:50, Martin O'Shea wrote:
 Because you haven't told Tomcat that those pages need to be protected by
 authentication. Do that, and Tomcat will handle the whole process for
you.
 
 But won't the authentication apply to the whole page in question? I'm only
 looking to have a user log in when they seek to do something, like post a
 comment, on the page.

Then protect the URL that the comment is POSTed to.

Mark
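
Added example (not part of the thread and not Tomcat's sample code): a web.xml fragment for container-managed FORM login that applies the two points made in the "Use of error page in Tomcat" and "Issue with logging in to Tomcat 6.0" threads, namely an enabled auth-constraint and a constraint on the URL that performs the action rather than on the page that displays content. The URL patterns /postComment and /profile/* are assumed names; the role names and the login and error page paths are the ones posted in the thread.

```xml
<!-- WEB-INF/web.xml fragment (Servlet 2.5). Added example; the URL
     patterns /postComment and /profile/* are assumptions. -->

<security-constraint>
  <display-name>Login required to post comments or edit a profile</display-name>
  <web-resource-collection>
    <web-resource-name>Authenticated actions</web-resource-name>
    <!-- Constrain the URLs that perform the action. The page that displays
         content (/displayDatasetPage) is not listed, so it stays public. -->
    <url-pattern>/postComment</url-pattern>
    <url-pattern>/profile/*</url-pattern>
    <!-- No http-method elements: the constraint then covers every HTTP
         method. Listing only POST would leave the other methods open. -->
  </web-resource-collection>
  <!-- This element is what makes the container demand a login. With it
       commented out or missing, the patterns above need no authentication. -->
  <auth-constraint>
    <role-name>USER</role-name>
    <role-name>ADMIN</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- The container forwards here when an unauthenticated request hits a
         constrained URL. The form on this page must POST to j_security_check
         with fields j_username and j_password. Submitting it without first
         having requested a constrained URL gives Tomcat's
         'Invalid direct reference to form login page'. -->
    <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
    <!-- Shown by the container when the Realm rejects the credentials. -->
    <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint is declared here. -->
<security-role><role-name>USER</role-name></security-role>
<security-role><role-name>ADMIN</role-name></security-role>
```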


