In the case of DoS, I don't believe a bit on trusted tags and such
stuff. Why monitoring the tags at all if while(true) is so easy.
I mean, the front door is wide open, why care about that little
window?
The only way to close everything is by monitoring the Servlets and
allow setting some
Jon Stevens wrote:
on 5/17/01 12:47 PM, Glenn Nielsen [EMAIL PROTECTED] wrote:
But now that both Tomcat 3.2 and Tomcat 4 support the Java SecurityManager
you can control security at the container level regardless of whether someone
is using the CFM servlet, velocity, CoCoon, JSP, etc.
[this has also been entered as bug #1808]
Both Tomcat and Apache have the string '8859_1' hard-coded and as a public
static final String in several places.
Although Java accepts '8859_1' as an alias for the ISO-8859-1 character set,
this isn't a valid name anywhere else; the valid aliases are
Hi,
I am using TOMCAT 3.3 and the following code within servlet1 to forward a request
String url;
ServletContext sc = getServletContext();
RequestDispatcher rd = sc.getRequestDispatcher(url);
rd.forward(request,response);
servlet1 is called as follows:
http://IP-adress/test/servlet/servlet1
At 07:51 AM 5/18/01, Geir wrote:
Those aren't comparable, 'Velocity templates' and 'general purpose
servlet container', because Velocity is just a template tool - you still
need the servlet and servlet container.
That was exactly my point when I said Velocity doesn't really do anything
to
Dennis Doubleday wrote:
At 07:51 AM 5/18/01, Geir wrote:
Those aren't comparable, 'Velocity templates' and 'general purpose
servlet container', because Velocity is just a template tool - you still
need the servlet and servlet container.
That was exactly my point when I said Velocity
In tomcat-3.2.2b5 and earlier, the tomcat.bat and tomcat.sh have inconsistent
behavior as tomcat.sh loads all files in the tomcat lib folder and tomcat.bat
only loads the ones with .jar extension. I think they should be changed to
behave consistently so lib files don't need to be renamed when
hgomez 01/05/18 07:18:07
Modified: jk/src/doc AJPv14.txt
Log:
Updated AJP14 documentation
Revision Changes Path
1.2 +452 -437 jakarta-tomcat-connectors/jk/src/doc/AJPv14.txt
Index: AJPv14.txt
On Mon, 14 May 2001 [EMAIL PROTECTED] wrote:
Salut Mihai,
Salut.
How can I have the same session for many web sites?
By default, for the first request tomcat creates an implicit session and
sends a cookie with domain=servername. What I wanna do is setting this
cookie for
HI
I mailed about a problem on tomcat-user but received no
reliable answer, so now I am mailing
tomcat-dev, and hope for a + reply.
I am a web developer developing one website and using
tools JSP, Servlet,
and working on Jakarta-Tomcat version 3.1. I am the
old user of jakarta-tomcat,
so I
hgomez 01/05/18 07:31:27
Modified: jk/src/native configure.in
Log:
Updated configure.in which handle :
apxs path, java home, java include...
Provided by JF Clere
Revision Changes Path
1.2 +179 -0 jakarta-tomcat-connectors/jk/src/native/configure.in
The null check is simple enough and its already been tested in 3.3 so I feel
comfortable making the change without a beta. I'll commit the change today.
Another question regarding using the security manager and JSP. If I use the
default tomcat.policy file I can't access any JSP pages because I
hgomez 01/05/18 07:38:55
Modified: jk/src/native/apache-2.0 Makefile.in Makefile.linux
mod_jk.dsp
Log:
add ajp14 stuff to build files
Revision Changes Path
1.2 +4 -3 jakarta-tomcat-connectors/jk/src/native/apache-2.0/Makefile.in
marcsaeg 01/05/18 07:40:38
Modified: src/share/org/apache/jasper/runtime Tag: tomcat_32
JspFactoryImpl.java
Log:
Added test for null page context in releasePageContext.
Submitted by: Antony Bowesman [[EMAIL PROTECTED]]
Revision Changes Path
No
hgomez 01/05/18 07:47:47
Modified: jk/src/native/apache-1.3 Makefile.freebsd Makefile.in
Makefile.linux Makefile.nw mod_jk.dsp
Log:
updated build files for ajp14 stuff
Revision Changes Path
1.2 +2 -1
hgomez 01/05/18 07:48:24
Modified: jk/src/native/apache-1.3 mod_jk.c
Log:
Jk directive added for ajp14
Revision Changes Path
1.2 +69 -1 jakarta-tomcat-connectors/jk/src/native/apache-1.3/mod_jk.c
Index: mod_jk.c
hgomez 01/05/18 07:49:26
Modified: jk/src/native/apache-2.0 mod_jk.c
Log:
mod_jk report version 1.1a1
Revision Changes Path
1.2 +1 -1 jakarta-tomcat-connectors/jk/src/native/apache-2.0/mod_jk.c
Index: mod_jk.c
hgomez 01/05/18 07:55:10
Modified: jk/src/native/netscape Makefile.nw Makefile.solaris
Log:
updated build stuff for ajp14
Revision Changes Path
1.2 +3 -0 jakarta-tomcat-connectors/jk/src/native/netscape/Makefile.nw
Index: Makefile.nw
hgomez 01/05/18 07:58:41
Modified: jk/src/native/nt_service nt_service.dsp
Log:
updated build stuff for ajp14
Revision Changes Path
1.2 +26 -0 jakarta-tomcat-connectors/jk/src/native/nt_service/nt_service.dsp
Index: nt_service.dsp
Hello,
I just installed Tomcat3.3-m3 with ajpv13 behind Apache 1.3.19 on Win2000.
While setting up mod_jk with ajp1.3, I noticed a bug in the
mod_jk-howto.html
It states:
Add the following block to your TOMCAT_HOME/conf/server.xml file.
Connector
On Fri, 18 May 2001, Paulo Gaspar wrote:
In the case of DoS, I don't believe a bit on trusted tags and such
stuff. Why monitoring the tags at all if while(true) is so easy.
I mean, the front door is wide open, why care about that little
window?
Well, what I said was trusted tags and only
Velocity does do a lot to minimize the risk you mention, but while we're
using stupid coding tricks, couldn't you do the following in Velocity?
#* assume strings is a Vector *#
#set ($strings = $request.getParameter(strings)))
#foreach ($string in $strings)
This _is_ interesting... For Craig, so that you can try it out under your
RedHat (you won't believe it, but I can't find a Linux copy in London in any
store! And downloading it will take a couple of days from BTInternet. Any
hint?)
Pier
-- Forwarded Message
From: jean-frederic clere
i believe i saw a problem similar to this in tomcat 3.2b4. the problem
turned out to be a bug in org.apache.tomcat.util.SimplePool.
i believe this particular problem has been fixed in later versions. if
you have the source, you might want to compare your version of this
class to a more recent
Title: RE: Problems with APR under Linux...
Umm, a passive watcher; but couldn't help responding to you not being able to find a copy of Redhat in London?!
You'll find lots of book shops sell it, try Foyles down Charing Cross road...
James
-Original Message-
From: Pier P.
hgomez 01/05/18 09:30:18
Modified: jk/src/doc mod_jk-howto.html
Log:
updated mod_jk-howto.html
Provided by Hans Schmid
Revision Changes Path
1.2 +6 -7 jakarta-tomcat-connectors/jk/src/doc/mod_jk-howto.html
Index: mod_jk-howto.html
hgomez 01/05/18 09:32:44
Modified: src/doc mod_jk-howto.html
Log:
corrected ajp13 setup info
Obtained from: Hans Schmid
Revision Changes Path
1.8 +6 -7 jakarta-tomcat/src/doc/mod_jk-howto.html
Index: mod_jk-howto.html
Committed,
Thanks...
-Original Message-
From: Hans Schmid [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 18, 2001 5:00 PM
To: [EMAIL PROTECTED]
Subject: [PATCH] Tomcat 3.3 m3 mod_jk-howto.html (new Bug #1809)
Hello,
I just installed Tomcat3.3-m3 with ajpv13 behind Apache 1.3.19
on
It isn't concurrent.
-Original Message-
From: Geir Magnusson Jr. [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 18, 2001 10:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Jasper performance
Jef Newsom wrote:
Velocity does do a lot to minimize the risk you mention, but while
we're
using
hgomez 01/05/18 09:46:23
Modified: jk/src/native/common jk_global.h jk_map.c jk_service.h
jk_uri_worker_map.c jk_worker_list.h
Log:
Misc cleanup and ajp14 preparation
Revision Changes Path
1.2 +3 -1
hgomez 01/05/18 09:47:06
Added: jk/src/native/common jk_ajp14.c jk_ajp14.h
Log:
AJP14 marshal/unmarshal initial
Revision Changes Path
1.1 jakarta-tomcat-connectors/jk/src/native/common/jk_ajp14.c
Index: jk_ajp14.c
hgomez 01/05/18 09:47:32
Added: jk/src/native/common jk_ajp14_worker.c jk_ajp14_worker.h
Log:
Prep of ajp14 worker
Revision Changes Path
1.1 jakarta-tomcat-connectors/jk/src/native/common/jk_ajp14_worker.c
Index: jk_ajp14_worker.c
hgomez 01/05/18 09:49:47
Added: jk/src/native/common jk_md5.c jk_md5.h
Log:
md5 support :
- Under Apache we use the ap_md5 functions
- Under IIS/NES, use code grabbed from apache web-server until someone
map it to equivalent WebServer APIs
Revision Changes Path
the problem is the first file doesn't match the dtd for web.xml. i
believe tomcat 3 silently ignored this, whereas tomcat 4 doesn't.
Marjou Xavier wrote:
Hello
For information :
I got a problem with web.xml (attached File1 file) and Tomcat Milestone 4.0 b5:
PARSE error at line 18
I wrote a test script, and assuming (which the docs say it does) that
Velocity uses the iterator() instead of elements() when it runs up
against a vector, then all is well. If elements() is used, it goes into
infinite loop land. My mistake.
-Original Message-
From: Jef Newsom
Sent:
On Fri, 18 May 2001, Pier P. Fumagalli wrote:
This _is_ interesting... For Craig, so that you can try it out under your
RedHat (you won't believe it, but I can't find a Linux copy in London in any
store! And downloading it will take a couple of days from BTInternet. Any
hint?)
I (or
On Fri, 18 May 2001, Marjou Xavier wrote:
Hello
For information :
I got a problem with web.xml (attached File1 file) and Tomcat Milestone 4.0 b5:
PARSE error at line 18 column -1
org.xml.sax.SAXParseException: org.apache.crimson.parser/V-036 web-app servlet
This same file was
For problems like this download an XML editor like XMLSpy and have it check
the file
against the DTD.
-Original Message-
From: kevin seguin [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 18, 2001 9:53 AM
To: [EMAIL PROTECTED]
Subject: Re: SAXParseException with web.xml
the problem
Hi to all,
I updated the CVS with preliminary code for ajp14,
just for review since it's not working now.
One question: how to access md5 functions under
IIS/NETSCAPE ? (APR is not yet a solution :)
-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .)
OK, I'll update tomcat.policy to include them. It might be a version
difference (I'm using JDK1.2.2) but I can't see any harm with them being
there in any case.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Glenn Nielsen
Sent: Friday, May 18, 2001
marcsaeg 01/05/18 10:41:11
Modified: src/etc Tag: tomcat_32 tomcat.policy
Log:
Added read permission to line.separator and file.separator.
Revision Changes Path
No revision
No revision
1.5.2.3 +3 -0
One question: how to access md5 functions under
IIS/NETSCAPE ? (APR is not yet a solution :)
it looks you added md5 support (copied out of apache) directly into jk -
is this correct? i think this is probably the best solution for md5
functions in iis/netscape. i'm pretty sure there's
larryi 01/05/18 12:20:24
Modified: src/etc server.xml
src/share/org/apache/tomcat/modules/server
Ajp12Interceptor.java
src/share/org/apache/tomcat/util IntrospectionUtils.java
src/share/org/apache/tomcat/util/net
The latest beta cycle for Tomcat 3.2.2 has completed with no new bugs
identified. As the release manager I propose that we release the tomcat_32
branch as Tomcat 3.2.2. Please indicate your vote for the release using the
ballot below.
I will tabulate and post the results of this vote on
craigmcc 01/05/18 12:31:43
jakarta-tomcat-4.0/catalina/docs/dev/xdocs - New directory
craigmcc 01/05/18 12:32:04
jakarta-tomcat-4.0/catalina/docs/dev/xdocs/stylesheets - New directory
Vote to release the tomcat_32 branch as Tomcat 3.2.2.
[X] +1. I agree with the proposal and I will help support
the release.
[ ] +0. I agree with the proposal but I will not be able
to help support the release.
[ ] -0. I don't agree with the proposal but I won't
+1
Great job pulling it all together Marc!
Mike Anderson
[EMAIL PROTECTED] 05/18/01 01:30PM
The latest beta cycle for Tomcat 3.2.2 has completed with no new bugs
identified. As the release manager I propose that we release the tomcat_32
branch as Tomcat 3.2.2. Please indicate your vote for
It is my understanding that '8859_1' is an alias for a Java encoding
which maps to the 'ISO-8859-1' character set. The Java encoding and
the character set name are not always the same.
Furthermore, while it's not readily apparent using 'ISO8859_1' for
the Java encoding is far preferable to
Vote to release the tomcat_32 branch as Tomcat 3.2.2.
[X] +1. I agree with the proposal and I will help support
the release.
[ ] +0. I agree with the proposal but I will not be able
to help support the release.
[ ] -0. I don't agree with the proposal but I won't stop
Marc you rock!!
-
Vote to release the tomcat_32 branch as Tomcat 3.2.2.
[X] +1. I agree with the proposal and I will help support
the release.
[ ] +0. I agree with the proposal but I will not be able
to help
Hey, guys,
I am new to tomcat... using Tomcat v4.0-b3/b5.
I am trying to include other jsps output in one main jsp and getting an
IllegalStateException: with error message:
Cannot forward after response has been committed.
This is what I am doing:
<% for(int i = 0; i < typeNames.length; i++) {
Marc Saegesser wrote:
The latest beta cycle for Tomcat 3.2.2 has completed with no new bugs
identified. As the release manager I propose that we release the tomcat_32
branch as Tomcat 3.2.2. Please indicate your vote for the release using the
ballot below.
I will tabulate and post the
larryi 01/05/18 13:39:46
Modified: src/native/mod_jk/apache1.3 Makefile.nw
src/native/mod_jk/jni Makefile.nw
src/native/mod_jk/netscape Makefile.nw
Added: src/doc Tomcat-on-NetWare-HowTo.html
Log:
Updates to connector make files for Netware.
larryi 01/05/18 13:53:26
Modified: jk/src/native/apache-1.3 Makefile.nw
jk/src/native/jni Makefile.nw
jk/src/native/netscape Makefile.nw
Log:
Updates to connector make files for Netware.
Submitted by: Mike Anderson
Revision Changes Path
craigmcc 01/05/18 13:58:12
Added: catalina/docs/dev/xdocs building.xml classloaders.xml
fs-default.xml fs-invoker.xml index.xml
catalina/docs/dev/xdocs/stylesheets project.xml
Log:
Begin converting the Catalina developer docs to XML format,
+0 (due to time constraints, otherwise it would be +1).
Way to go Marc, and everyone who has contributed to this)!
Craig
On Fri, 18 May 2001, Marc Saegesser wrote:
The latest beta cycle for Tomcat 3.2.2 has completed with no new bugs
identified. As the release manager I propose that we
Vote to release the tomcat_32 branch as Tomcat 3.2.2.
[X] +1. I agree with the proposal and I will help support
the release.
[ ] +0. I agree with the proposal but I will not be able
to help support the release.
[ ] -0. I don't agree with the proposal but I won't stop
The 2.2 servlet spec errata says the uri from
HttpServletRequest.getRequestURI() should remain encoded.
[http://java.sun.com/products/servlet/errata_042700.html]
Tomcat 3.2 standalone handles this correctly, but the
mod_jk connector does not.
The connector uses the decoded uri from Apache
Seems correct to me.
BTW, with the jakarta-tomcat-connector,
this kind of native bug fix will appear
outside TC 3.2/3.3/4.0 soon.
I'll correct that on mod_jk in TC 3.3 and
jakarta-tomcat-connector
To be fixed also in mod_webapp.
-
Henri Gomez ___[_]
EMAIL : [EMAIL
Resin 1.2.5 and 2.0b2 also use uri instead of unparsed_uri.
So what ?
-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .)
PGP KEY : 697ECEDD...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6
-Original
I just tried this and verified the original bug and that the proposed patch
does fix the problem. I'm OK with committing to the tomcat_32 branch.
DOES ANYONE ELSE OUT THERE HAVE ANYTHING THEY WANT TO TELL ME?
Resin would not appear to be compliant with the specification. The 4/27/00
errata
on 5/18/01 1:37 AM, Paulo Gaspar [EMAIL PROTECTED] wrote:
All Velocity has is a #foreach. This is a fully functional
looping construct
that prevents you from screwing things up and still gets the job done.
On the #foreach and DoS issues, I would use makes it harder instead
of prevents in
on 5/18/01 6:50 AM, Geir Magnusson Jr. [EMAIL PROTECTED] wrote:
Definitely. Agreed. There is no silver bullet.
I guess the point is that you remove a little of the risk, as a designer
can't
<% while(true); %>
(although as JSP compilers get better, I am sure this stuff can be found
I just tried this and verified the original bug and that the
proposed patch
does fix the problem. I'm OK with committing to the tomcat_32 branch.
DOES ANYONE ELSE OUT THERE HAVE ANYTHING THEY WANT TO TELL ME?
Resin would not appear to be compliant with the specification.
The 4/27/00
errata
(sorry for the response lag, unfortunately I don't read tomcat very
frequently)
Hi Jon.
The problem with taglibs is that there is no restriction on the
ability to put Java code in the page. It is part of the JSP
specification to be able to do that. Sure, you can disable it (as
Costin said),
Great job.
See you at JavaOne.
-
Vote to release the tomcat_32 branch as Tomcat 3.2.2.
[X] +1. I agree with the proposal and I will help support
the release.
[ ] +0. I agree with the proposal but I will not be able
bip 01/05/18 16:39:22
Modified: catalina/src/share/org/apache/catalina/realm JDBCRealm.java
Log:
Added public final static Digest() and a main method to use when creating
digested passwords; these methods were accidentally removed when the realm
package was refactored.
on 5/18/01 3:01 PM, Eduardo Pelegri-Llopart
[EMAIL PROTECTED] wrote:
I didn't see any follow-up clarifying this but apologies if I missed it.
JSP 1.2 has the notion of a TagLibraryValidator that is associated with
a tag library. This can be used to portably validate different
assertions
Craig R. McClanahan wrote:
It went away by accident during my refactoring. It'll get put back in (by
me) sometime, unless someone wants to beat me to it (hint, hint :-).
I put the static method back in along with the main() method.
I'd actually prefer to see a little stand-alone tool for
Williamson, James at [EMAIL PROTECTED] wrote:
Umm, a passive watcher; but couldn't help responding to you not being able
to find a copy of Redhat in London?!
You'll find lots of book shops sell it, try Foyles down Charing Cross
road...
That made the trick :) Thanks James :) :) :) (Noone
Craig R. McClanahan at [EMAIL PROTECTED] wrote:
On Fri, 18 May 2001, Pier P. Fumagalli wrote:
This _is_ interesting... For Craig, so that you can try it out under your
RedHat (you won't believe it, but I can't find a Linux copy in London in any
store! And downloading it will take a couple
Sorry, Jon, we disagree. TagLibraryValidators *are* part of the JSP 1.2
specification. They are quite flexible and one of the simplest uses is
to express that some tags cannot appear. Scriptlets are exposed as
jsp:scriptlet tags.
- eduard/o
Jon Stevens wrote:
on 5/18/01 3:01 PM,
on 5/18/01 4:55 PM, Eduardo Pelegri-Llopart
[EMAIL PROTECTED] wrote:
Sorry, Jon, we disagree. TagLibraryValidators *are* part of the JSP 1.2
specification.
Go back and read what I wrote again. I'm not saying that
TagLibraryValidators aren't part of the specification.
They are quite
There is also a bug in 3.3 ( where URI is also decoded ),
I'm working on it - should be ready this weekend.
( I'm also working on the bug, it has the most votes so far )
Costin
On Fri, 18 May 2001, Keith Wannamaker wrote:
The 2.2 servlet spec errata says the uri from
craigmcc 01/05/18 17:39:38
jakarta-tomcat-4.0/catalina/docs/dev/xdocs/images - New directory
on 5/18/01 10:48 AM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
On Fri, 18 May 2001, Jon Stevens wrote:
Correct, however some bright monkey decided to add <% %> into the JSP
specification. So, if you disable that, you are breaking the specification.
In other words, it is a bad design in the
craigmcc 01/05/18 18:07:54
Modified: catalina build.xml
catalina/docs/dev/xdocs building.xml classloaders.xml
fs-default.xml fs-invoker.xml
catalina/docs/dev/xdocs/stylesheets project.xml
Log:
Clean up miscellaneous XML typos.
craigmcc 01/05/18 18:13:40
Added: catalina/docs/dev/xdocs/images jakarta-logo.gif
tomcat-power.gif tomcat.gif
Log:
Add some images for use by the developer docs. (Once we clarify the
overall documentation directory structure, these can be shared).
craigmcc 01/05/18 18:14:33
Added: catalina/docs/dev/xdocs/stylesheets tempoarary.xsl
Log:
Add a temporary XSLT stylesheet (cribbed from the one in Struts) that can
be used until the overall documentation for Tomcat is Anakia-ized (or
whatever final choice we make).
Sounds like a good plan - go for it!
On Fri, 18 May 2001, Bip Thelin wrote:
Craig R. McClanahan wrote:
It went away by accident during my refactoring. It'll get put back in (by
me) sometime, unless someone wants to beat me to it (hint, hint :-).
I put the static method back in along
To quote Jon in another mailing list: less talk, more code.
Could you guys please take this conversation elsewhere? There are people
around here trying to get some work done on Tomcat. :-)
Craig
Hi,
I'm currently part of a project that is writing an open source Tomcat book,
http://sourceforge.net/projects/tomcatbook.
I have written a document that explains the Tomcat interceptor design and
how to build your own interceptors. I would be happy to receive feedback on
this document from the
keith 01/05/18 21:23:44
Modified: src/native/apache1.3 Tag: tomcat_32 mod_jk.c
src/native/apache2.0 Tag: tomcat_32 mod_jk.c
Log:
mod_jk should be passing the raw, possibly encoded URI to Tomcat;
see http://java.sun.com/products/servlet/errata_042700.html
for
The RPM are available with a new package, tomcat-webapps
which hold ADMIN, ROOT and EXAMPLES webapps as requested
by many on the user list :)
Also a big hi to Larry for this release :)
-
Henri Gomez ___[_]
EMAIL : [EMAIL PROTECTED](. .)
PGP KEY :