Re: Propagation of Subject with JAAS and SecurityManager enabled
Well, if there are no hints, here is my view.

I checked the code for locations where org.apache.catalina.Globals.SUBJECT_ATTR (or the String "javax.security.auth.subject") is used. There are seemingly two locations:
- org.apache.catalina.connector.Request.setUserPrincipal(...)
- org.apache.catalina.security.SecurityUtil.execute(...)

The way they are using the SUBJECT_ATTR key to put a Subject in the Session practically excludes the possibility of using the Subject from the JAAS login module. Beyond that, org.apache.catalina.realm.JAASRealm.authenticate(String username, CallbackHandler callbackHandler) does effectively throw away the Subject gained after having extracted the user and role for creating a GenericPrincipal - so even a workaround with passing the subject between the JAAS LoginModule and a Valve in ThreadContext to smuggle it into the Session under SUBJECT_ATTR would not work.

I am new here, and do not know how things work, but beyond a few questions I would also make a proposal for a fix, and would be ready to deliver it if I get it approved :)

So:
- Is this intentional, not to allow a Subject from a JAAS LoginModule to be used when switching to privileged mode using Subject.doAsPrivileged at a later point in the code? (I would doubt it, but I may not know)
- What is the purpose of putting the subject into the Session? As I understand (though I haven't extensively studied it), in JAAS a LoginModule has the responsibility to provide a Subject per request - so it could decide on its own if it wants to cache or not (though it does not have access to the Session).
- Would it be a good idea to remove the subject field from org.apache.catalina.connector.Request and move it into GenericPrincipal as a "reference to parent"? As the principal is reliably passed around, it could be used.
Thanks,
Gabor

kommersz <komme...@freemail.hu> wrote:
> Hi,
>
> I am playing around with the following things:
> - X.509 authentication
> - Security Manager enabled
> - Custom JAAS login module via JAASRealm
>
> My custom JAAS login module properly propagates a javax.security.auth.Subject
> instance back at commit(). My aim is to use this javax.security.auth.Subject
> as a basis for authorization checks - I expect
> org.apache.catalina.security.SecurityUtil to take this over.
> Curiously, by the time it comes to
> org.apache.catalina.security.SecurityUtil.execute(...) applying
> Subject.doAsPrivileged, it is done with another javax.security.auth.Subject
> instance.
>
> Having looked a bit into what is happening, I see the following:
> - org.apache.catalina.security.SecurityUtil.execute(...) looks for a subject
> to be present in the session object with key Globals.SUBJECT_ATTR
> ("javax.security.auth.subject").
> - if it is not present, it will create a new blank Subject containing only one
> Principal, which is extracted from the request's
> org.apache.catalina.connector.Request object (and store it in the session
> afterwards under Globals.SUBJECT_ATTR)
> - org.apache.catalina.connector.Request's setUserPrincipal(Principal
> principal) sets the session object with key Globals.SUBJECT_ATTR to a newly
> initialized javax.security.auth.Subject with a single Principal.
>
> Summary: to me it seems that the mechanism currently used to propagate the
> Subject to org.apache.catalina.security.SecurityUtil.execute(...) _always_
> creates a new empty Subject and adds a single user principal into it.
>
> Questions:
> - do I miss something about Subject propagation?
> If not:
> - is this intentionally planned like this?
> - would it not make sense to allow Subjects to be propagated to SecurityUtil
> 1:1 from JAAS Login modules to be used as the Subject for privileged execution?
>
> Btw, I am on 7.0.68, but it seems that the relevant pieces of code have not been
> changed by 7.0.75 - the most recent version checked.
>
> Thank you for any help upfront!
>
> Regards,
> Gabor
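To make the behaviour discussed in this thread concrete, here is an added illustration in Java; it is not Tomcat code and not from any of the thread's participants. It models the two sides in a few lines: a LoginModule's commit() that populates the Subject it received in initialize(), and the fallback that the quoted SecurityUtil.execute() and Request.setUserPrincipal() perform, i.e. a fresh Subject holding only the request's user Principal. The NamedPrincipal class, the helper names and the user/role values are constructed for the example; Subject.doAsPrivileged and Subject.getSubject(AccessController.getContext()) are the standard JAAS calls of the Tomcat 7 / Java 7 era.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Illustration only: models the Subject handling described in the thread, not Tomcat's own code.
public class SubjectPropagationDemo {

    // Constructed principal type; a "role" principal stands in for whatever a custom
    // LoginModule attaches to the Subject in commit().
    static final class NamedPrincipal implements Principal {
        private final String kind;
        private final String name;

        NamedPrincipal(String kind, String name) {
            this.kind = kind;
            this.name = name;
        }

        @Override public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
    }

    // Stand-in for a custom LoginModule's commit(): it adds principals to the very Subject
    // it received in initialize(), which is what the original poster's module does.
    static Subject loginModuleCommit(Subject subject, String user, String... roles) {
        subject.getPrincipals().add(new NamedPrincipal("user", user));
        for (String role : roles) {
            subject.getPrincipals().add(new NamedPrincipal("role", role));
        }
        return subject;
    }

    // Stand-in for the fallback branch quoted from SecurityUtil.execute() (and for
    // Request.setUserPrincipal()): no Subject in the session, so build a fresh one that
    // holds nothing but the request's user Principal. The LoginModule's Subject is not consulted.
    static Subject rebuildFromPrincipal(Principal userPrincipal) {
        Subject fresh = new Subject();
        if (userPrincipal != null) {
            fresh.getPrincipals().add(userPrincipal);
        }
        return fresh;
    }

    // An authorization check run as the given Subject. It deliberately looks at the Subject
    // bound to the access-control context, because that is all privileged code gets to see.
    static boolean hasRoleWhenRunningAs(Subject subject, String role) {
        PrivilegedAction<Boolean> check = () -> {
            // Pre-JDK 18 idiom; on JDK 18+ Subject.current() is the replacement.
            Subject current = Subject.getSubject(AccessController.getContext());
            if (current == null) {
                return false;
            }
            for (Principal p : current.getPrincipals()) {
                if (p.toString().equals("role:" + role)) {
                    return true;
                }
            }
            return false;
        };
        return Subject.doAsPrivileged(subject, check, null);
    }

    public static void main(String[] args) {
        // 1. JAAS login: the LoginModule leaves a user principal and a role principal in the Subject.
        Subject fromLoginModule = loginModuleCommit(new Subject(), "alice", "manager");

        // 2. What reaches doAsPrivileged instead: a Subject rebuilt from the user principal alone.
        Subject rebuilt = rebuildFromPrincipal(new NamedPrincipal("user", "alice"));

        System.out.println("LoginModule Subject grants manager: "
                + hasRoleWhenRunningAs(fromLoginModule, "manager"));
        System.out.println("Rebuilt Subject grants manager:     "
                + hasRoleWhenRunningAs(rebuilt, "manager"));
    }
}
```

Compile and run it with javac and java. The check succeeds when run as the Subject the LoginModule populated and fails for the rebuilt one: privileged code can only consult the Subject bound to its AccessControlContext, and the role principal never makes it into the rebuilt Subject. That is exactly the loss the original post observes, so any authorization decision that relies on principals or credentials the LoginModule attached has to be taken somewhere that Subject still exists, not inside the doAsPrivileged call that SecurityUtil sets up.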
Propagation of Subject with JAAS and SecurityManager enabled
Hi,

I am playing around with the following things:
- X.509 authentication
- Security Manager enabled
- Custom JAAS login module via JAASRealm

My custom JAAS login module properly propagates a javax.security.auth.Subject instance back at commit(). My aim is to use this javax.security.auth.Subject as a basis for authorization checks - I expect org.apache.catalina.security.SecurityUtil to take this over. Curiously, by the time it comes to org.apache.catalina.security.SecurityUtil.execute(...) applying Subject.doAsPrivileged, it is done with another javax.security.auth.Subject instance.

Having looked a bit into what is happening, I see the following:
- org.apache.catalina.security.SecurityUtil.execute(...) looks for a subject to be present in the session object with key Globals.SUBJECT_ATTR ("javax.security.auth.subject").
- if it is not present, it will create a new blank Subject containing only one Principal, which is extracted from the request's org.apache.catalina.connector.Request object (and store it in the session afterwards under Globals.SUBJECT_ATTR)
- org.apache.catalina.connector.Request's setUserPrincipal(Principal principal) sets the session object with key Globals.SUBJECT_ATTR to a newly initialized javax.security.auth.Subject with a single Principal.

Summary: to me it seems that the mechanism currently used to propagate the Subject to org.apache.catalina.security.SecurityUtil.execute(...) _always_ creates a new empty Subject and adds a single user principal into it.

Questions:
- do I miss something about Subject propagation?
If not:
- is this intentionally planned like this?
- would it not make sense to allow Subjects to be propagated to SecurityUtil 1:1 from JAAS Login modules to be used as the Subject for privileged execution?

Btw, I am on 7.0.68, but it seems that the relevant pieces of code have not been changed by 7.0.75 - the most recent version checked.

Thank you for any help upfront!

Regards,
Gabor
Re: Propagation of Subject with JAAS and SecurityManager enabled
Thank you, Martin, for answering despite the messed-up email!

A short point to clarify: I am using JAASRealm, and a custom jaas.config file which does not refer to JAASMemoryLoginModule. So JAASMemoryLoginModule is also not called.

As for my custom login module, I checked it, and it does use the same Subject that is passed to it upon initialize(...), it just adds Principals to it, so it shall be imho ok.

My gut feeling still tells me that the current construct might not work, as it seems that the session (with the key Globals.SUBJECT_ATTR) is used for passing the Subject between different parts of the code - but at all the places where Globals.SUBJECT_ATTR is used to access the session, a new Subject is created, and put into the session under this key...

Martin Gainty <mgai...@hotmail.com> wrote:
> // in org.apache.catalina.security.SecurityUtil the subject comes from the session
> // here is code from execute:
>
>         // first argument is always the HttpServletRequest object
>         if (targetArguments != null &&
>                 targetArguments[0] instanceof HttpServletRequest) {
>             HttpServletRequest request =
>                     (HttpServletRequest) targetArguments[0];
>             boolean hasSubject = false;
>
>             // get the session but don't create the session if already invalidated
>             HttpSession session = request.getSession(false);
>             if (session != null) {
>                 subject = (Subject) session.getAttribute(Globals.SUBJECT_ATTR);
>                 hasSubject = (subject != null);
>             }
>
>             // IF subject was null to begin with AND
>             // IF subject was not previously stored in session then create a new Subject
>             if (subject == null) {
>                 subject = new Subject();
>                 // if principal parameter is not null then add it to subject
>                 if (principal != null) {
>                     subject.getPrincipals().add(principal);
>                 }
>             }
>
>             // store subject for further reference
>             if (session != null && !hasSubject) {
>                 session.setAttribute(Globals.SUBJECT_ATTR, subject);
>             }
>         }
>         Subject.doAsPrivileged(subject, pea, null);
> // end SecurityUtil
>
> // org.apache.catalina.realm.JAASMemoryLoginModule.java:
> // notice that it is the responsibility of the developer to pass in a valid subject
> // to the initialize method of JAASMemoryLoginModule
>     public void initialize(Subject subject, CallbackHandler callbackHandler,
>                            Map<String,?> sharedState, Map<String,?> options) {
>         log.debug("Init");
>         // Save configuration values
>         this.subject = subject;
>
> did you verify you are passing a valid subject to the initialize method of JAASMemoryLoginModule?
>
> Martin
> __
> From: kommersz <komme...@freemail.hu>
> Sent: Wednesday, February 22, 2017 5:17 AM
> To: users@tomcat.apache.org
> Subject: Propagation of Subject with JAAS and SecurityManager enabled
>
> (noticed that my previous post on the same was somewhat garbled - reposting reformatted)
>
> Hi,
>
> I am playing around with the following things:
> - X.509 authentication
> - Security Manager enabled
> - Custom JAAS login module via JAASRealm
>
> My custom JAAS login module properly propagates a javax.security.auth.Subject
> instance back at commit(). My aim is to use this javax.security.auth.Subject
> as a basis for authorization checks - I expect
> org.apache.catalina.security.SecurityUtil to take this over.
> Curiously, by the time it comes to
> org.apache.catalina.security.SecurityUtil.execute(...) applying
> Subject.doAsPrivileged, it is done with another javax.security.auth.Subject
> instance.
>
> Having looked a bit into what is happening, I see the following:
> - org.apache.catalina.security.SecurityUtil.execute(...) looks for a subject
> to be present in the session object with key Globals.SUBJECT_ATTR
> ("javax.security.auth.subject").
> - if it is not present, it will create a new blank Subject containing only one
> Principal, which is extracted from the request's
> org.apache.catalina.connector.Request object (and store it in the session
> afterwards under Globals.SUBJECT_ATTR)
> - org.apache.catalina.connector.Request's setUserPrincipal(Principal
> principal) sets the session object with key Globals.SUBJECT_ATTR to a newly
> initialized javax.security.auth.Subject with a single Principal.
>
> Summary: to me it seems that the mechanism currently used to propagate the
> Subject to org.apache.catalina.security.SecurityUtil.execute(...) _always_
> creates a new empty Subject and adds a single user principal into it.
>
Propagation of Subject with JAAS and SecurityManager enabled
(noticed that my previous post on the same was somewhat garbled - reposting reformatted)

Hi,

I am playing around with the following things:
- X.509 authentication
- Security Manager enabled
- Custom JAAS login module via JAASRealm

My custom JAAS login module properly propagates a javax.security.auth.Subject instance back at commit(). My aim is to use this javax.security.auth.Subject as a basis for authorization checks - I expect org.apache.catalina.security.SecurityUtil to take this over. Curiously, by the time it comes to org.apache.catalina.security.SecurityUtil.execute(...) applying Subject.doAsPrivileged, it is done with another javax.security.auth.Subject instance.

Having looked a bit into what is happening, I see the following:
- org.apache.catalina.security.SecurityUtil.execute(...) looks for a subject to be present in the session object with key Globals.SUBJECT_ATTR ("javax.security.auth.subject").
- if it is not present, it will create a new blank Subject containing only one Principal, which is extracted from the request's org.apache.catalina.connector.Request object (and store it in the session afterwards under Globals.SUBJECT_ATTR)
- org.apache.catalina.connector.Request's setUserPrincipal(Principal principal) sets the session object with key Globals.SUBJECT_ATTR to a newly initialized javax.security.auth.Subject with a single Principal.

Summary: to me it seems that the mechanism currently used to propagate the Subject to org.apache.catalina.security.SecurityUtil.execute(...) _always_ creates a new empty Subject and adds a single user principal into it.

Questions:
- do I miss something about Subject propagation?
If not:
- is this intentionally planned like this?
- would it not make sense to allow Subjects to be propagated to SecurityUtil 1:1 from JAAS Login modules to be used as the Subject for privileged execution?

Btw, I am on 7.0.68, but it seems that the relevant pieces of code have not been changed by 7.0.75 - the most recent version checked.

Thank you for any help upfront!

Regards,
Gabor
Re: Re: error with jk_module

From: Dave Filchak sub...@zuka.net
Date: Thu, 06 May 2010 11:45:12 -0400
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: Re: error with jk_module

I will implement the IfModule stuff (thanks also to Andre) but I think I finally figured it out.

First, it turns out I had another version of apache on the server I did not realize. (This server was managed by someone else before me and I did not know exactly what was on it.) There was the 2.0.53 version, which was a yum install. Then there was the 2.2.3 version, a separate instance of Apache I installed which is listening on a different IP. But there was also a third instance of 2.2.3 installed which was not running. However, the modules in question were actually compiled for that version, hence the complaining. So I stopped the 2.0.53 version and cranked up the 2.2.3 version. It still complained a bit, so I recompiled a fresh module for that version and voila, there she works!

Why, you don't EVER have to stop learning ;-)

Thanks again to those who took the time to try and answer my questions.

Regards to all.

Dave

On 22/07/64 2:59 PM, Christopher Schultz wrote:
> Dave,
>
> On 5/5/2010 3:05 PM, Dave Filchak wrote:
>> Actually, the server version for this instance is 2.0.52 and I have the
>> following now in my config:
>>
>> LoadModule jk_module /usr/local/apache2/modules/mod_jk.so
>>
>> and when I test the config I get:
>>
>> API module structure `jk_module' in file
>> /usr/local/apache2/modules/mod_jk.so is garbled - perhaps this is not an
>> Apache module DSO?
>
> What happens when you do:
>
> $ file /usr/local/apache2/modules/mod_jk.so
>
> Did you check the md5sum from the mirror you used to download?
>
>> I made sure I downloaded the .so for Apache 2.0.x so I think that is
>> right. I have a tomcat app running so I am wondering, do I have to shut
>> it down before trying to restart the server or testing the config?
>
> No, you can (re)start Apache and Tomcat in any order.
>
>> If I comment the LoadModule out, then it starts complaining about the
>> JkWorkersFile and if I comment that, then the JkShmFile ... and on it
>> goes. It is very annoying.
>
> Try doing this:
>
> <IfModule mod_jk.c>
>   JkLogFile /var/log/apache2/mod_jk.log
>   JkLogLevel Info
>   JkShmFile /var/log/apache2/jk-runtime-status
>   JkWorkersFile /etc/apache2/jk_workers.properties
> </IfModule>
>
> The IfModule will have Apache skip the mod_jk configuration if the module
> isn't loaded.
>
> -chris
Re: Re: error with jk_module

From: Dave Filchak sub...@zuka.net
Date: Wed, 05 May 2010 15:05:17 -0400
To: Tomcat Users List users@tomcat.apache.org
CC: André Warnier a...@ice-sa.com
Subject: Re: Re: error with jk_module

Actually, the server version for this instance is 2.0.52 and I have the following now in my config:

LoadModule jk_module /usr/local/apache2/modules/mod_jk.so

and when I test the config I get:

API module structure `jk_module' in file /usr/local/apache2/modules/mod_jk.so is garbled - perhaps this is not an Apache module DSO?

I made sure I downloaded the .so for Apache 2.0.x so I think that is right. I have a tomcat app running so I am wondering, do I have to shut it down before trying to restart the server or testing the config? I really need to restart the server because it was listening on all interfaces on port 443 and I needed to stop that happening. But I do not want to restart until I figure out why the hell I am getting this error.

If I comment the LoadModule out, then it starts complaining about the JkWorkersFile and if I comment that, then the JkShmFile ... and on it goes. It is very annoying.

Dave

On 22/07/64 2:59 PM, André Warnier wrote:
> Dave Filchak wrote:
> ...
> this :
>
>> httpd: Syntax error on line 439 of /usr/local/apache2/conf/httpd.conf:
>> API module structure `jk_module' in file
>> /usr/local/apache2/modules/mod_jk-1.2.28-httpd-2.0.X.so is garbled -
>> perhaps this is not an Apache module DSO?
>
> ... and this :
>
>> LoadModule jk_module /usr/local/apache2/modules/mod_jk.so
>
> do not seem to match (the filename), unless mod_jk.so is a link to the
> other one. Are you sure it is?
>
> Also, if it is a link, and if your Apache is a 2.2 version, then it would
> appear that you may have downloaded a wrong version of the mod_jk.so. The
> end of the version says httpd-2.0.X.so, which would appear to make it a
> version for Apache 2.0.x, not 2.2.x.
error with jk_module

From: Dave Filchak sub...@zuka.net
Date: Tue, 04 May 2010 18:42:38 -0400
To: users@tomcat.apache.org
Subject: error with jk_module

Can somebody enlighten me on what this means? I have been struggling with this for a while and need to restart my server but keep getting this config error.

httpd: Syntax error on line 439 of /usr/local/apache2/conf/httpd.conf: API module structure `jk_module' in file /usr/local/apache2/modules/mod_jk-1.2.28-httpd-2.0.X.so is garbled - perhaps this is not an Apache module DSO?

I have the following compiled-in modules in Apache 2.2.3, 64-bit.

Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_dbd.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_cache.c
  mod_disk_cache.c
  mod_dbd.c
  mod_echo.c
  mod_include.c
  mod_filter.c
  mod_log_config.c
  mod_env.c
  mod_mime_magic.c
  mod_expires.c
  mod_headers.c
  mod_usertrack.c
  mod_setenvif.c
  mod_ssl.c
  worker.c
  http_core.c
  mod_mime.c
  mod_dav.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_info.c
  mod_cgid.c
  mod_cgi.c
  mod_dav_fs.c
  mod_negotiation.c
  mod_dir.c
  mod_imagemap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_so.c

I am using Tomcat 6.0.18 and am trying to load this module like so:

LoadModule jk_module /usr/local/apache2/modules/mod_jk.so

I really am not sure what the problem is here. Is the module actually garbled or is it something else that produces this very misleading error?

Regards,
Dave
Re: Re: Tomcat on a machine with multiple ip addresses
From: Dave Filchak sub...@zuka.net
Date: Mon, 03 May 2010 18:40:58 -0400
To: Smithan John smithantechsp...@gmail.com
CC: Tomcat Users List users@tomcat.apache.org

Humm ... sorry it has taken a while to get back to you with this. I have been busy trying to get all my clients up. There is not a lot of them but it is very time consuming. Before I get to all the configs, does Tomcat, by default, take over ALL the IPs on port 443 i.e. 0.0.0.0:443? If so, where would/could I set this to only listen on one IP or even do not listen for 443 as I have another app that I will need for that port. Thanks in advance.

Dave

On 22/07/64 2:59 PM, Smithan John wrote:
> Hi Dave,
> Please provide below information:
> - The port on which the old Apache instance is running.
> - The port on which the new Apache instance is configured.
> - Does the whole setup use only DNS resolution or do we have a CSS(Secure Switch) layer.
> Regards,
> Smithan.
>
> On Mon, May 3, 2010 at 1:05 AM, Dave Filchak sub...@zuka.net wrote:
>> Due to a hard drive failure, I am needing to move some websites to a machine that has Tomcat already running on it with Apache as the front end. I was unable to get the sites working using the Apache instance that was already there so, I installed a second instance on the machine, with a separate pid and listening on a different ip. (It would have been better to just use the same Apache instance but I could not get it to work. The default Tomcat page kept coming up.) I added the address attribute to the server.xml files so that it would not listen on all interfaces.
>>
>> So, I have the new instance sort of working but for some reason, on all but two virtual sites, I cannot access them if I use www.somedomain.com. Only if I use somedomain.com. As I said, two of the sites work fine. The DNS resolves correctly to either www.somedomain.com or somedomain.com. So, can tomcat or could tomcat be screwing this up somehow (actually, I guess it would have been me who screwed it up somewhere). I am not well versed in tomcat at this point so some help would be greatly appreciated. Either just to solve this issue or help on how I could have simply used the original instance to serve my non-tomcat php sites. Thanks in advance.
>>
>> Dave
Re: Re: Tomcat on a machine with multiple ip addresses
From: Dave Filchak sub...@zuka.net
Date: Mon, 03 May 2010 18:48:17 -0400
To: Smithan John smithantechsp...@gmail.com
CC: Tomcat Users List users@tomcat.apache.org

Smithan

On 22/07/64 2:59 PM, Smithan John wrote:
> Hi Dave,
> Please provide below information:
> - The port on which the old Apache instance is running.

Both instances run on port 80 but are on different IP numbers.

> - The port on which the new Apache instance is configured.
> - Does the whole setup use only DNS resolution or do we have a CSS(Secure Switch) layer.

DNS only

> Regards,
> Smithan.
>
> On Mon, May 3, 2010 at 1:05 AM, Dave Filchak sub...@zuka.net wrote:
>> Due to a hard drive failure, I am needing to move some websites to a machine that has Tomcat already running on it with Apache as the front end. I was unable to get the sites working using the Apache instance that was already there so, I installed a second instance on the machine, with a separate pid and listening on a different ip. (It would have been better to just use the same Apache instance but I could not get it to work. The default Tomcat page kept coming up.) I added the address attribute to the server.xml files so that it would not listen on all interfaces.
>>
>> So, I have the new instance sort of working but for some reason, on all but two virtual sites, I cannot access them if I use www.somedomain.com. Only if I use somedomain.com. As I said, two of the sites work fine. The DNS resolves correctly to either www.somedomain.com or somedomain.com. So, can tomcat or could tomcat be screwing this up somehow (actually, I guess it would have been me who screwed it up somewhere). I am not well versed in tomcat at this point so some help would be greatly appreciated. Either just to solve this issue or help on how I could have simply used the original instance to serve my non-tomcat php sites. Thanks in advance.
>>
>> Dave
Re: Re: Tomcat on a machine with multiple ip addresses
From: Dave Filchak sub...@zuka.net
Date: Tue, 04 May 2010 00:12:13 -0400
To: Mark Thomas ma...@apache.org
CC: Tomcat Users List users@tomcat.apache.org

Thanks for this. I did use the address attribute for port 80. No, check that. I think what I did was put address=XXX.XXX.XXX.XXX but did not specify the port ... just the address as it also listens on ports up in the 8000 range I believe. How do I stop it from listening on port 443? I will need to have another site (non tomcat) listening on 443 on the same IP under Apache. This machine basically has three IP numbers assigned to it.

Dave

On 22/07/64 2:59 PM, Mark Thomas wrote:
> On 03/05/2010 23:40, Dave Filchak wrote:
>> Humm ... sorry it has taken a while to get back to you with this. I have been busy trying to get all my clients up. There is not a lot of them but it is very time consuming. Before I get to all the configs, does Tomcat, by default, take over ALL the IPs on port 443 i.e. 0.0.0.0:443? If so, where would/could I set this to only listen on one IP or even do not listen for 443 as I have another app that I will need for that port.
>
> By default, Tomcat will listen to all IPv4 and IPv6 addresses on the specified port. Use the address attribute of the connector to limit this to all IPv4 only, all IPv6 only or a specific IPv4 or IPv6 address.
>
> Mark
Tomcat on a machine with multiple ip addresses
From: Dave Filchak sub...@zuka.net
Date: Sun, 02 May 2010 15:35:21 -0400
To: users@tomcat.apache.org

Due to a hard drive failure, I am needing to move some websites to a machine that has Tomcat already running on it with Apache as the front end. I was unable to get the sites working using the Apache instance that was already there so, I installed a second instance on the machine, with a separate pid and listening on a different ip. (It would have been better to just use the same Apache instance but I could not get it to work. The default Tomcat page kept coming up.) I added the address attribute to the server.xml files so that it would not listen on all interfaces.

So, I have the new instance sort of working but for some reason, on all but two virtual sites, I cannot access them if I use www.somedomain.com. Only if I use somedomain.com. As I said, two of the sites work fine. The DNS resolves correctly to either www.somedomain.com or somedomain.com. So, can tomcat or could tomcat be screwing this up somehow (actually, I guess it would have been me who screwed it up somewhere). I am not well versed in tomcat at this point so some help would be greatly appreciated. Either just to solve this issue or help on how I could have simply used the original instance to serve my non-tomcat php sites. Thanks in advance.

Dave
How to programmatically set the JAAS Subject in Tomcat 5.5
We have an implementation of a J2EE servlet filter that we use in Tomcat that restricts connections based on either a list of trusted source IP addresses, or a secret header value, or a combination of both. This servlet filter is currently used with perimeter authentication / authorization occurring in an Apache proxy that is enabled with a 3rd Party agent. When the agent allows the HTTP request through (to Tomcat or a J2EE application server), it adds HTTP request headers. One header is the authenticated user and the other is a list of comma-separated groups that the authenticated user belongs to.

Our goal is to add code to this J2EE servlet filter to use these HTTP request headers to create a JAAS subject from these headers so that applications using the filter can then make use of the JAAS subject programmatically or via declarative security (e.g., via security-constraint, annotations, etc.)

Note that we ideally would like to do all of this without implementing / defining a JAAS LoginModule and CallbackHandler if at all possible. (The perimeter authentication ensures that the user has already properly authenticated; the trusted source IP and/or secret header ensures that the request came via the Apache proxy where the 3rd Party agent is enabled.)
We have implemented similar code with Oracle's WebLogic Server using code something like this (most of this is WebLogic specific code):

    public void doSetJAASSubject(final Subject subject, HttpServletRequest request) throws Exception {
        // obtain the kernel identity once; it is needed to sign principals
        if (admin == null) {
            AuthenticatedSubject authAdmin = (AuthenticatedSubject)
                AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
            admin = authAdmin.getSubject();
        }
        // sign every principal in the incoming subject while running as the kernel identity
        weblogic.security.Security.runAs(admin, new PrivilegedAction() {
            public Object run() {
                PrincipalValidatorImpl validator = new PrincipalValidatorImpl();
                Iterator it = subject.getPrincipals().iterator();
                while (it.hasNext()) {
                    Principal principal = (Principal) it.next();
                    validator.sign(principal);
                }
                return null;
            }
        });
        // bind the signed subject to the current request/session
        ServletAuthentication.runAs(subject, request);
    }

So, the questions are: is it possible to do this in Tomcat? And if so, how do we do it so that the JAAS subject is available programmatically, for use with security-constraint, etc. without requiring the development teams lots of additional configuration or any additional implementation.

Thank you,

--
View this message in context: http://www.nabble.com/How-to-programmatically-set-the-JAAS-Subject-in-Tomcat-5.5-tp24698094p24698094.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
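As an added illustration of the Tomcat side of the filter the poster describes (this is example code, not the poster's filter and not Tomcat's own code), the class below performs the trust check the post relies on and then builds a JAAS Subject from the proxy-supplied headers. The header names X-Auth-User, X-Auth-Groups and X-Proxy-Secret, the init-params trustedProxies and sharedSecret, and the request attribute example.proxy.subject are all assumptions chosen for the example; a real agent will use its own names. The security point it makes explicit is that the identity headers are only believed when both the source address is a configured proxy and the shared secret matches; on any other request the filter refuses instead of falling through with attacker-chosen headers.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

/** Builds a JAAS Subject from identity headers that only a trusted proxy may set. */
public class ProxyIdentityFilter implements Filter {

    // Assumed header names: whatever the perimeter agent is configured to add.
    static final String USER_HEADER = "X-Auth-User";
    static final String GROUPS_HEADER = "X-Auth-Groups";
    static final String SECRET_HEADER = "X-Proxy-Secret";
    // Assumed request attribute under which the Subject is handed to application code.
    public static final String SUBJECT_ATTR = "example.proxy.subject";

    private Set<String> trustedProxies = Collections.emptySet();
    private byte[] sharedSecret = new byte[0];

    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-params in web.xml: trustedProxies="10.0.0.5,10.0.0.6", sharedSecret="...".
        String proxies = cfg.getInitParameter("trustedProxies");
        if (proxies != null) trustedProxies = new HashSet<String>(Arrays.asList(proxies.trim().split("\\s*,\\s*")));
        String secret = cfg.getInitParameter("sharedSecret");
        if (secret != null) sharedSecret = utf8(secret);
        // Fail closed: with either setting missing the filter would silently weaken to one check.
        if (trustedProxies.isEmpty() || sharedSecret.length == 0)
            throw new ServletException("trustedProxies and sharedSecret must both be configured");
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) resp;
        if (!fromTrustedProxy(http)) {
            // Identity headers on a request that bypassed the proxy are attacker-controlled:
            // refuse the request instead of trusting them.
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = http.getHeader(USER_HEADER);
        if (user == null || user.trim().length() == 0) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Set<String> roles = parseGroups(http.getHeader(GROUPS_HEADER));
        Principal userPrincipal = new NamedPrincipal(user.trim());
        Subject subject = new Subject();
        subject.getPrincipals().add(userPrincipal);
        for (String role : roles) subject.getPrincipals().add(new NamedPrincipal(role));
        subject.setReadOnly(); // downstream code must not add principals
        http.setAttribute(SUBJECT_ATTR, subject);
        chain.doFilter(new IdentityRequest(http, userPrincipal, roles), resp);
    }

    /** Both checks must pass: the source address is a known proxy AND the shared secret matches. */
    boolean fromTrustedProxy(HttpServletRequest http) {
        if (!trustedProxies.contains(http.getRemoteAddr())) return false;
        String presented = http.getHeader(SECRET_HEADER);
        // MessageDigest.isEqual compares in constant time (Java 6u17 and later).
        return presented != null && MessageDigest.isEqual(sharedSecret, utf8(presented));
    }

    static Set<String> parseGroups(String header) {
        Set<String> roles = new HashSet<String>();
        if (header == null) return roles;
        for (String g : header.split(",")) if (g.trim().length() > 0) roles.add(g.trim());
        return roles;
    }

    static byte[] utf8(String s) {
        try {
            return s.getBytes("UTF-8");
        } catch (java.io.UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    public void destroy() {}

    /** Minimal Principal; an application could use Tomcat's GenericPrincipal instead. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Makes getUserPrincipal()/isUserInRole() answer from the proxy-supplied identity. */
    static final class IdentityRequest extends HttpServletRequestWrapper {
        private final Principal user;
        private final Set<String> roles;
        IdentityRequest(HttpServletRequest req, Principal user, Set<String> roles) {
            super(req);
            this.user = user;
            this.roles = roles;
        }
        public Principal getUserPrincipal() { return user; }
        public String getRemoteUser() { return user.getName(); }
        public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Because a filter runs after Tomcat's authenticator has already evaluated the request, a wrapper like this satisfies programmatic getUserPrincipal()/isUserInRole() checks and hands the Subject to application code through the request attribute, but it does not make security-constraint entries in web.xml accept the proxy-supplied user; that is the container-level integration the later replies in this thread point at with the AJP tomcatAuthentication setting.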
Re: How to programmatically set the JAAS Subject in Tomcat 5.5
tbalent wrote:
> ... authorization occurring in an Apache proxy that is enabled with a 3rd Party agent. When the agent allows the HTTP request through (to Tomcat or a J2EE ...

This may or may not be relevant to your issue: The AJP protocol used between Apache and Tomcat allows Apache to pass an authenticated user-id to Tomcat in the request. I do not remember precisely at what level this parameter lives, but it is invoked as tomcatAuthentication=false either in the connector (mod_jk in my case) or in the Connector in Tomcat. You may want to look this up, to see if it applies in your case.
Re: How to programmatically set the JAAS Subject in Tomcat 5.5
André Warnier wrote:
> tbalent wrote:
>> ... authorization occurring in an Apache proxy that is enabled with a 3rd Party agent. When the agent allows the HTTP request through (to Tomcat or a J2EE ...
>
> This may or may not be relevant to your issue: The AJP protocol used between Apache and Tomcat allows Apache to pass an authenticated user-id to Tomcat in the request. I do not remember precisely at what level this parameter lives, but it is invoked as tomcatAuthentication=false either in the connector (mod_jk in my case) or in the Connector in Tomcat. You may want to look this up, to see if it applies in your case.

Complement: http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html (at end of page)
Accessing User subject or User principal
Hey,

Tomcat 6.0.14, Vista BE

I'm trying to implement a JAAS Realm solution, I'm unable to after setting the subject/principal figure out how I'm supposed to programmatically access either of these values after they've been set in my LoginModule's commit() call? I verify that my custom login module's commit is called (see below). My question is how do I access the principal that's stored here?

    public boolean commit() throws LoginException {
        if (succeeded) {
            if (subject.isReadOnly()) {
                throw new LoginException("Subject is readonly!");
            }
            // add a Principal (authenticated identity) to the Subject
            userPrincipal = new UserPrincipal(username);
            assignPrincipal(userPrincipal);
            assignPrincipal(new UserPrincipal(AccountRole.PATIENT.getCode()));
            // in any case, clean out state
            username = null;
            for (int i = 0; i < password.length; i++) password[i] = ' ';
            password = null;
            commitSucceeded = true;
        }
        return true;
    }

Then, somewhere else in the code (say on a page), I try to figure out who's calling the code? And the getSubject() line returns null.

    try {
        // "Jaas" is the name of the login configuration entry
        LoginContext lc2 = new LoginContext("Jaas");
        lc2.getSubject();
    } catch (LoginException le) {
        le.printStackTrace();
    }

Rob
Re: Accessing User subject or User principal
Rob Mercer wrote on 16.11.2008 at 12:24:00 (-0800):
> I'm trying to implement a JAAS Realm solution, I'm unable to after setting the subject/principal figure out how I'm supposed to programmatically access either of these values after they've been set in my LoginModule's commit() call?

You're supposed to access these values by calling getUserPrincipal() on the HttpServletRequest object.

http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/

Michael Ludwig
RE: Accessing User subject or User principal
First off, thanks for the quick response! I've tried to make that call but keep getting null values back for both the getUserPrincipal and getRemoteUser on the HttpServletRequest... do I need to wait until the next request to make these calls or is it ok to check them immediately after the commit is called?

-Rob

-----Original Message-----
From: Michael Ludwig [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 16, 2008 3:48 PM
To: Tomcat Users List
Subject: Re: Accessing User subject or User principal

Rob Mercer wrote on 16.11.2008 at 12:24:00 (-0800):
> I'm trying to implement a JAAS Realm solution, I'm unable to after setting the subject/principal figure out how I'm supposed to programmatically access either of these values after they've been set in my LoginModule's commit() call?

You're supposed to access these values by calling getUserPrincipal() on the HttpServletRequest object.

http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/

Michael Ludwig
Re: Accessing User subject or User principal
Rob Mercer wrote:
> First off, thanks for the quick response!
>
> I've tried to make that call but keep getting null values back for both the getUserPrincipal and getRemoteUser on the HttpServletRequest... do I need to wait until the next request to make these calls or is it ok to check them immediately after the commit is called?

It should work immediately. You might want to try a build from trunk as there have been a number of JAAS fixes that will be in 6.0.19.

Mark
Re: Get Security subject from Tomcat
Christopher Schultz wrote:
> Arash,
>
> Arash Bizhan zadeh wrote:
>> Sure [reading the servlet API] might help. Reading my mail would have helped too. I need the Subject not the principal.
>
> Ouch. You're gonna get the cold shoulder with that kind of snarkiness. Your original message said "authenticated user" in the body.
>
> A quick look through Tomcat's source code shows:
>
> $ grep SUBJECT_ATTR `find java/ -name *.java`
> java/org/apache/catalina/connector/Request.java:    session.getAttribute(Globals.SUBJECT_ATTR) == null) {
> java/org/apache/catalina/connector/Request.java:    session.setAttribute(Globals.SUBJECT_ATTR, subject);
> java/org/apache/catalina/security/SecurityUtil.java:    (Subject)session.getAttribute(Globals.SUBJECT_ATTR);
> java/org/apache/catalina/security/SecurityUtil.java:    session.setAttribute(Globals.SUBJECT_ATTR, subject);
> java/org/apache/catalina/session/StandardSession.java:    Globals.SUBJECT_ATTR
> java/org/apache/catalina/Globals.java:public static final String SUBJECT_ATTR =
>
> Taking a quick look at these classes shows that this:
>
> getSession().getAttribute(Globals.SUBJECT_ATTR);
>
> should work. Of course, there's always a chance that the subject is null. In most cases in the code, when the Subject is null, a new Subject object is created with no arguments and thrown into the session under the Globals.SUBJECT_ATTR key.
>
> The logical questions that follow are: what is your login config, which Realm are you using and which type of Authenticator?

p

> -chris
Re: Get Security subject from Tomcat
Pid wrote:
> Christopher Schultz wrote:
>> Arash,
>>
>> Arash Bizhan zadeh wrote:
>>> Sure [reading the servlet API] might help. Reading my mail would have helped too. I need the Subject not the principal.
>>
>> Ouch. You're gonna get the cold shoulder with that kind of snarkiness. Your original message said "authenticated user" in the body.
>>
>> A quick look through Tomcat's source code shows:
>>
>> $ grep SUBJECT_ATTR `find java/ -name *.java`
>> java/org/apache/catalina/connector/Request.java:    session.getAttribute(Globals.SUBJECT_ATTR) == null) {
>> java/org/apache/catalina/connector/Request.java:    session.setAttribute(Globals.SUBJECT_ATTR, subject);
>> java/org/apache/catalina/security/SecurityUtil.java:    (Subject)session.getAttribute(Globals.SUBJECT_ATTR);
>> java/org/apache/catalina/security/SecurityUtil.java:    session.setAttribute(Globals.SUBJECT_ATTR, subject);
>> java/org/apache/catalina/session/StandardSession.java:    Globals.SUBJECT_ATTR
>> java/org/apache/catalina/Globals.java:public static final String SUBJECT_ATTR =
>>
>> Taking a quick look at these classes shows that this:
>>
>> getSession().getAttribute(Globals.SUBJECT_ATTR);
>>
>> should work. Of course, there's always a chance that the subject is null. In most cases in the code, when the Subject is null, a new Subject object is created with no arguments and thrown into the session under the Globals.SUBJECT_ATTR key.
>>
>> The logical questions that follow are: what is your login config, which Realm are you using and which type of Authenticator?

ignore: as my mail client has now downloaded the rest of the overnight mail.

p

>> -chris
Get Security subject from Tomcat
Hi,

Is there a way I can get the authenticated User from inside my servlet/filter? It seems none of the assumed ways work:

    getSession().getAttribute(Globals.SUBJECT_ATTR);
    Subject.getSubject(AccessController.getContext());

Please reply directly, I am not subscribed.

-thanks,
-arash

--
The dirtiest book of all is the expurgated book. Walt Whitman
RE: Get Security subject from Tomcat
> From: Arash Bizhan zadeh [mailto:[EMAIL PROTECTED]
> Subject: Get Security subject from Tomcat
>
> Is there a way I can get the authenticated User from inside my servlet/filter?

Perhaps reading the Servlet spec or the APIs would help:
http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()

> Please reply directly, I am not subscribed.

Then I guess you won't see the response...

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Get Security subject from Tomcat
On Wed, Nov 12, 2008 at 4:06 PM, Caldarale, Charles R [EMAIL PROTECTED] wrote:
>> From: Arash Bizhan zadeh [mailto:[EMAIL PROTECTED]
>> Subject: Get Security subject from Tomcat
>>
>> Is there a way I can get the authenticated User from inside my servlet/filter?
>
> Perhaps reading the Servlet spec or the APIs would help:
> http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()

Sure it might help. Reading my mail would have helped too. I need the Subject not the principal.

>> Please reply directly, I am not subscribed.
>
> Then I guess you won't see the response...
>
>  - Chuck
RE: Get Security subject from Tomcat
> From: Arash Bizhan zadeh [mailto:[EMAIL PROTECTED]
> Subject: Re: Get Security subject from Tomcat
>
> Sure it might help. Reading my mail would have helped too. I need the Subject not the principal.

O.k., I'm confused. If you're looking for the user name, then the java.security.Principal returned by getUserPrincipal() has a getName() method. If that's not what you mean by Subject, what is?

 - Chuck
Re: Get Security subject from Tomcat
Arash,

Arash Bizhan zadeh wrote:
> Sure [reading the servlet API] might help. Reading my mail would have helped too. I need the Subject not the principal.

Ouch. You're gonna get the cold shoulder with that kind of snarkiness. Your original message said "authenticated user" in the body.

A quick look through Tomcat's source code shows:

    $ grep SUBJECT_ATTR `find java/ -name *.java`
    java/org/apache/catalina/connector/Request.java:    session.getAttribute(Globals.SUBJECT_ATTR) == null) {
    java/org/apache/catalina/connector/Request.java:    session.setAttribute(Globals.SUBJECT_ATTR, subject);
    java/org/apache/catalina/security/SecurityUtil.java:    (Subject)session.getAttribute(Globals.SUBJECT_ATTR);
    java/org/apache/catalina/security/SecurityUtil.java:    session.setAttribute(Globals.SUBJECT_ATTR, subject);
    java/org/apache/catalina/session/StandardSession.java:    Globals.SUBJECT_ATTR
    java/org/apache/catalina/Globals.java:public static final String SUBJECT_ATTR =

Taking a quick look at these classes shows that this:

    getSession().getAttribute(Globals.SUBJECT_ATTR);

should work. Of course, there's always a chance that the subject is null. In most cases in the code, when the Subject is null, a new Subject object is created with no arguments and thrown into the session under the Globals.SUBJECT_ATTR key.

-chris
Re: Get Security subject from Tomcat
On Wed, Nov 12, 2008 at 5:34 PM, Christopher Schultz [EMAIL PROTECTED] wrote:
> Arash,
>
> Arash Bizhan zadeh wrote:
>> Sure [reading the servlet API] might help. Reading my mail would have helped too. I need the Subject not the principal.
>
> Ouch. You're gonna get the cold shoulder with that kind of snarkiness. Your original message said "authenticated user" in the body.
>
> A quick look through Tomcat's source code shows:
>
> $ grep SUBJECT_ATTR `find java/ -name *.java`
> java/org/apache/catalina/connector/Request.java:    session.getAttribute(Globals.SUBJECT_ATTR) == null) {
> java/org/apache/catalina/connector/Request.java:    session.setAttribute(Globals.SUBJECT_ATTR, subject);
> java/org/apache/catalina/security/SecurityUtil.java:    (Subject)session.getAttribute(Globals.SUBJECT_ATTR);
> java/org/apache/catalina/security/SecurityUtil.java:    session.setAttribute(Globals.SUBJECT_ATTR, subject);
> java/org/apache/catalina/session/StandardSession.java:    Globals.SUBJECT_ATTR
> java/org/apache/catalina/Globals.java:public static final String SUBJECT_ATTR =
>
> Taking a quick look at these classes shows that this:
>
> getSession().getAttribute(Globals.SUBJECT_ATTR);

Tomcat 5.5.26 returns null as subject. I have security constraints in web.xml and developed a JAAS module to login, so I guess the subject is not null. Any suggestions?

> should work. Of course, there's always a chance that the subject is null. In most cases in the code, when the Subject is null, a new Subject object is created with no arguments and thrown into the session under the Globals.SUBJECT_ATTR key.
>
> -chris
Re: Get Security subject from Tomcat
Arash Bizhan zadeh wrote:
> On Wed, Nov 12, 2008 at 4:06 PM, Caldarale, Charles R [EMAIL PROTECTED] wrote:
>>> From: Arash Bizhan zadeh [mailto:[EMAIL PROTECTED]
>>> Subject: Get Security subject from Tomcat
>>>
>>> Is there a way I can get the authenticated User from inside my servlet/filter?
>>
>> Perhaps reading the Servlet spec or the APIs would help:
>> http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()
>
> Sure it might help. Reading my mail would have helped too. I need the Subject not the principal.

As much as some of us would sometimes enjoy someone being able to (figuratively) slap the Servlet Spec in Chuck's face, it being justified does not happen very often.

Isn't what he indicated above what you were requesting in the first place?

    java.security.Principal principal = request.getUserPrincipal();
    String userId = principal.getName();
Setting The REMOTE_USER Environment Variable By The Client's Subject DN Using Tomcat 5.5
Hi,

We’re using Tomcat 5.5 as our Web server and intend to implement SSO for our application. As a part of the requirement, we need to set the REMOTE_USER environment variable with the Subject DN retrieved from the client certificate (we’ve edited conf\server.xml so that Tomcat listens to https requests on port 8443 and the client certificate is validated against the one stored in the Tomcat truststoreFile). The corresponding part of the server.xml is:

    <Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true" acceptCount="100"
               debug="0" scheme="https" secure="true" clientAuth="true" sslProtocol="SSL"
               keystoreFile="C:/cert/tomcat.keystore" keystorePass="password"
               truststoreFile="C:/cert/tomcat.keystore" truststorePass="password"/>

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

We need to set this environment variable from the web server only (Tomcat 5.5 in this case) and not from our application. The value of this environment variable (REMOTE_USER), i.e. the Subject DN of the client certificate, will be read by the application.

We’re unable to configure Tomcat to set up the REMOTE_USER environment variable with the Subject DN of the client certificate. Any input/help/suggestion would be highly appreciated.

Thanks and Regards,
Sameek Bhaumik
RE: problem I don't know how to summarize for this subject line
| From: Steve Sweet [mailto:[EMAIL PROTECTED]
| Sent: Wednesday, 11 July, 2007 15:02
|
| The original developer does not experience this on his system which limits his ability to help me figure it out.
|
| I am not a complete newbie with Tomcat but my experience to date has been pretty straightforward. Does anything about this ring any bells to anyone? Even any suggestions about where to look would be appreciated.

Ask the other developer for a copy of his /etc/hosts file. He may have an entry for 'mydomain.org' or something that causes his references to succeed. Maybe it's misspelled in both his hosts file and his code, so it works OK on his box.

-
The information contained in this message is confidential proprietary property of Nelnet, Inc. and its affiliated companies (Nelnet) and is intended for the recipient only. Any reproduction, forwarding, or copying without the express permission of Nelnet is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this e-mail.
problem I don't know how to summarize for this subject line
I have a web app written by another developer that I am trying to deploy with Tomcat. The app utilizes jsp and jsf elements. I am experiencing strange behavior with a portion of the application, however only when it is run through the public domain name; when I run it on the server through the http://localhost/ URL it all works flawlessly.

Overall with the public URL 98% of the app works fine. However there are two functions of the app that experience a strange behavior. When I attempt to submit the page the forwarded URL becomes http://edit.jsf/ instead of http://mydomain.org/edit.jsf -- but only when run through the public URL and only those two pages. When I am doing it on the server using localhost the troublesome pages properly forward to http://localhost:8080/edit.jsf and every other page in the app forwards properly with both public and localhost URLs.

I have been back and forth through the source code and spent a fair amount of time trying to determine if it is a JavaServer Faces problem and can find no evidence that it is. The fact that it works with localhost seems (to me) to point away from a jsf problem, however this is my first real experience with jsf. I have asked on some jsf lists and gotten no input. I have also tried with Tomcat 5.5.17, 5.5.23, and 6.0.10 and experienced identical behavior. The original developer does not experience this on his system which limits his ability to help me figure it out.

I am not a complete newbie with Tomcat but my experience to date has been pretty straightforward. Does anything about this ring any bells to anyone? Even any suggestions about where to look would be appreciated.
Re: how to set JAAS Subject in HTTPSession
Hi shahab,

Here's : http://forum.java.sun.com/category.jspa?categoryID=15 for JAAS related questions.

To set any object into HTTP Session use the setAttribute method: http://java.sun.com/javaee/5/docs/api/ , and removeAttribute.

Regards
-Rashmi

On 4/25/07, shahab [EMAIL PROTECTED] wrote:
> Hi:
>
> I would need help with the following - I am trying to implement JAAS authentication using struts2. I have implemented the following flow -
>
> user request -> struts action -> login() -> loginModule (implements LoginModule)
>
> this login module validates userid, password and in the commit(), it creates a Principal and adds the principal in the Subject. My qn is how do I set this Subject in the HttpSession so that I can retrieve it later, like below -
>
> HttpServletRequest request = ServletActionContext.getRequest();
> Principal principal = request.getUserPrincipal();
>
> Please help.
>
> thanx
> Shahahb
how to set JAAS Subject in HTTPSession
Hi:

I would need help with the following - I am trying to implement JAAS authentication using struts2. I have implemented the following flow -

    user request -> struts action -> login() -> loginModule (implements LoginModule)

this login module validates userid, password and in the commit(), it creates a Principal and adds the principal in the Subject. My qn is how do I set this Subject in the HttpSession so that I can retrieve it later, like below -

    HttpServletRequest request = ServletActionContext.getRequest();
    Principal principal = request.getUserPrincipal();

Please help.

thanx
Shahahb
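A helper class, added here as an example (not Tomcat's code nor any poster's), that collects the answers given in the Subject threads above: the Servlet API route Michael and Chuck point to, the session attribute Chris found, the thread-bound Subject Arash tried, and the HttpSession.setAttribute approach Rashmi suggests for shahab's LoginContext-driven login. SubjectAccess, APP_SUBJECT_ATTR and the "example.app.subject" key are assumed names; the attribute string is the value of Globals.SUBJECT_ATTR.

```java
import java.security.AccessController;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (added example, not Tomcat code) showing where a
 * web application can and cannot find the authenticated identity.
 */
public final class SubjectAccess {

    /** Literal value of org.apache.catalina.Globals.SUBJECT_ATTR; repeated here
     *  so the webapp does not have to see Tomcat's internal classes. */
    public static final String TOMCAT_SUBJECT_ATTR = "javax.security.auth.subject";

    /** Assumed key under which an application-driven login keeps its Subject. */
    public static final String APP_SUBJECT_ATTR = "example.app.subject";

    /** Portable answer (Michael, Chuck): the Servlet API. Null when unauthenticated. */
    public static String remoteUser(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        return p == null ? null : p.getName();
    }

    /**
     * Container-specific answer (Chris): the Subject Tomcat parks in the session
     * for SecurityUtil. Tomcat writes it only when running with a SecurityManager
     * (Request.setUserPrincipal is guarded by a SecurityManager check), so without
     * one this is null, which matches what Arash saw on 5.5.26. Even when present
     * it holds at most the single user Principal, not the role Principals a
     * LoginModule added in commit(): use req.isUserInRole(role) for role checks.
     */
    public static Subject tomcatSessionSubject(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return null;
        }
        Object stored = session.getAttribute(TOMCAT_SUBJECT_ATTR);
        return stored instanceof Subject ? (Subject) stored : null;
    }

    /**
     * The Subject bound to the calling thread by Subject.doAs/doAsPrivileged.
     * Tomcat binds one only on the SecurityManager code path (SecurityUtil), so
     * without a SecurityManager this is null too. Under a SecurityManager the
     * webapp additionally needs AuthPermission("getSubject") to call this.
     */
    public static Subject threadSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    /**
     * Application-driven login (shahab's flow): the action runs the LoginContext
     * itself, so it holds the complete Subject after login() and can keep it with
     * HttpSession.setAttribute, as Rashmi suggests. LoginContext.getSubject()
     * returns null until login() has succeeded, which is what Rob's
     * new LoginContext("Jaas").getSubject() hits.
     */
    public static Subject loginAndStore(String configName, CallbackHandler handler,
                                        HttpSession session) throws LoginException {
        LoginContext lc = new LoginContext(configName, handler);
        lc.login();                          // drives login() and commit() on the modules
        Subject subject = lc.getSubject();   // non-null only after a successful login()
        session.setAttribute(APP_SUBJECT_ATTR, subject);
        return subject;
    }

    /** Fetch the Subject kept by loginAndStore, or null when nobody logged in. */
    public static Subject appSubject(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        Object stored = session == null ? null : session.getAttribute(APP_SUBJECT_ATTR);
        return stored instanceof Subject ? (Subject) stored : null;
    }
}
```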
Re: Custom Error page when Tomcat is down?
If you are using Apache to Tomcat try using the mod_security module to accomplish this. Mod security has a setting for hiding the server error output:
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/modsecurity-manual.html#N1057D
as well as purposely misrepresenting the Apache (like show IIS instead of Apache):
http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/modsecurity-manual.html#N108B5

On 7/24/06, Eric B. [EMAIL PROTECTED] wrote:
> Thanks for the pointer, but the problem that I see is that Apache is returning the status code 200 to the browser. If Apache is generating an internal server error as you indicated, it should be returning a 5xx status, I'd think.
>
> I'd think so too. But I put in ErrorDocument 500 directives, and got nothing out of it. In fact, I even went one step further and put in ErrorDocument directives for error codes 500-510 (just in case I was missing something) and none made a difference. I tried putting them in the main body of the httpd.conf file (to ensure I wasn't having problems with VirtualHosts, etc), but still nothing.

--
Thank you,
Edmon Begoli
http://blogs.ittoolbox.com/eai/software
Single sign-on with multiple Tomcats served via one Apache httpd server
Hi there!

Configuration:
a. Apache httpd 2.0 server (IP0, port 80) with some content served from /cms
b. Worker to a Tomcat 4.1 running on a separate box (IP1:8080) mapped to /app1
c. Another worker to another Tomcat 5.5 running on a separate box (IP2:8080) mapped to /app2

Both Tomcats are using the same configuration for the security realm (pointing to the same DataSource parameters of course):

    <Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/default" debug="99"
           userTable="corporate.dbo.t_userlogin" userNameCol="c_username" userCredCol="c_password"
           userRoleTable="corporate.dbo.t_userpermission" roleNameCol="c_rolename" digest="md5"/>

and have their Single Sign-on valve turned on:

    <Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>

However, if you're required to authenticate to access, say, /app1/aSecure.jsp, you will be asked to authenticate again to access, say, /app2/anotherSecure.jsp, though from the user's point of view this is the same username/password on the same URL.

Is there a way to carry over the single sign-on from each Tomcat to the Apache server, so that /app2/anotherSecure.jsp can trust the authentication done while visiting /app1/aSecure.jsp, or should this be done in a completely different way? We have to keep those two separate Tomcats (distinct hardware, different versions, performance issues).

Thanks for your help!
Nic