DO NOT REPLY [Bug 12945] - JSP Compilation errors: jars in WEB-INF/lib and classes in WEB-INF/classes not in classpath

2002-09-24 Thread bugzilla

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12945

JSP Compilation errors: jars in WEB-INF/lib and classes in WEB-INF/classes not in 
classpath





--- Additional Comments From [EMAIL PROTECTED]  2002-09-24 07:35 ---
FYI, the jasper-compiler.jar does not generate the
org.apache.catalina.jsp_classpath variable, but actually parses it. So the "/"
prefix (which is a valid Java file path, although it happened to be confusing
Ant in 4.1.10, which was causing bug 12387) is still already there no matter what.

I have Tomcat running as a service from my M: HD, and the admin webapp is
running fine (that uses /WEB-INF/lib) as well as the JSP examples (that uses
/WEB-INF/classes).

If you had it working fine with 4.1.10 + the fixed JAR, then it has to be an
installation error of some sort.

Note: 4.1.12 is not out yet; at this point they are still candidate binaries.

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




Re: Re: Using a tomcat 4.0 connector with tomcat 4.1

2002-09-24 Thread h . buerger


Sounds helpful, thanks Amy, but introduces some issues.

In the last few weeks we developed three connectors and it will
be more in future.

1. My main question is, why isn't mbeans-descriptors.xml part of
   the configuration directory?

2. For me it looks like I have to rebuild tomcat to get my
   connector known.

Do I miss something?

Haug


>You can either add a mbean description for your connector similar to
>other Connectors in o.a.c.mbeans.mbeans-descriptors.xml or disable the
>two JMX supporting Listeners (ServerLifecycleListener and
>GlobalResourcesLifecycleListener)in server.xml if you don't want the JMX
>support.  I'd recommend adding something like this in
>mbeans-descriptors.xml so tomcat starts smoothly without complaining
>mbean not found for your connector.
>
>className="org.apache.catalina.mbeans.ConnectorMBean"
>   description="MyXyConnector"
>domain="Catalina"
> group="Connector"
>  type="org.apache.coyote.tomcat4.MyXyConnector">
>
>   
>
>Amy






Re: Using a tomcat 4.0 connector with tomcat 4.1

2002-09-24 Thread Remy Maucherat

[EMAIL PROTECTED] wrote:
> Sounds helpful, thanks Amy, but introduces some issues.
> 
> In the last few weeks we developed three connectors and it will
> be more in future.
> 
> 1. My main question is, why isn't mbeans-descriptors.xml part of
>    the configuration directory?
> 
> 2. For me it looks like I have to rebuild tomcat to get my
>    connector known.
> 
> Do I miss something?

Yes, you can specify using an external descriptors file (although this 
is undocumented).

Add a "descriptors" attribute to the ServerLifecycleListener element. 
The value should be the path (for the classloader, so put your file 
somewhere in server/classes) to your resource. You can specify multiple 
ones by using a ';' path separator. The files themselves should have the 
same DTD as mbeans-descriptors.xml.

Remy






cvs commit: jakarta-tomcat-connectors/jk/native2/common jk_uriEnv.c

2002-09-24 Thread mturk

mturk   2002/09/24 00:52:09

  Modified:jk/native2/common jk_uriEnv.c
  Log:
  Enable compiling without APR.
  
  Revision  ChangesPath
  1.29  +31 -26jakarta-tomcat-connectors/jk/native2/common/jk_uriEnv.c
  
  Index: jk_uriEnv.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/common/jk_uriEnv.c,v
  retrieving revision 1.28
  retrieving revision 1.29
  diff -u -r1.28 -r1.29
  --- jk_uriEnv.c   23 Sep 2002 22:15:04 -  1.28
  +++ jk_uriEnv.c   24 Sep 2002 07:52:09 -  1.29
  @@ -69,9 +69,8 @@
   #include "jk_uriMap.h"
   #include "jk_registry.h"
   
  -#ifdef HAS_APR
  +#if HAS_APR
   #include "apr_uri.h"
  -
   /** Parse the name:
  VHOST/PATH
   
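Review bot: the guard at the top of this hunk changes from "#ifdef HAS_APR" to "#if HAS_APR", which tests something different, and the log message does not say why. With "#if", a build that defines HAS_APR with an empty value stops with a preprocessor error, and one that defines it as 0 silently takes the non-APR branch, whereas "#ifdef" only asks whether the macro is defined. Unless every build that sets HAS_APR gives it a non-zero value, keep "#ifdef HAS_APR".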
  @@ -119,45 +118,51 @@
   }
   return JK_ERR;
   }
  -
   #else
  -/* Old version, deprecated - used only if APR is not available
  - */
   static int jk2_uriEnv_parseName( jk_env_t *env, jk_uriEnv_t *uriEnv,
char *name)
   {
  -char *n=name;
  -char *slash=strchr( name, '/' );
  -
  -/* fprintf( stderr, "XXX parseURI %s\n", name ); */
  -
  -if( slash==NULL ) {
  +char *uri = NULL;
  +char *colon;
  +char host[1024];
  +char path[1024];
  +
  +strcpy(host, name);
  +colon = strchr(host, ':');
  +if (colon != NULL) {
  +++colon;
  +uri = strchr(colon, '/');
  +}
  +else
  +uri = strchr(host, '/');
  +if (!uri) {
   /* That's a virtual host definition ( no actual mapping, just global
* settings like aliases, etc
*/
  -uriEnv->match_type= MATCH_TYPE_HOST;
  -if( name[0]=='\0' ) {
  -uriEnv->virtual=NULL; /* "" for the default host */
  -} else {
  -uriEnv->virtual=name;
  -}
  +
  +uriEnv->match_type = MATCH_TYPE_HOST;
  +if (colon)
  +uriEnv->port = atoi(colon);
  +uriEnv->virtual = uriEnv->pool->pstrdup(env, uriEnv->pool, host);
   return JK_OK;
   }
  -
  +strcpy(path, uri);
  +if (colon) {
  +*uri = '\0';
  +uriEnv->port = atoi(colon);
  +}
   /* If it doesn't start with /, it must have a vhost */
  -if( *name != '/' ) {
  -uriEnv->virtual=uriEnv->pool->calloc( env, uriEnv->pool, slash - name + 2 );
  -strncpy( uriEnv->virtual, name, slash-name );
  +if (strlen(host)) {
  +uriEnv->virtual = uriEnv->pool->calloc( env, uriEnv->pool, strlen(host) + 1 
);
  +strncpy(uriEnv->virtual, name, strlen(host));
   }
  +else
  +uriEnv->virtual = "*";
   
  -n=slash;
  -
  -uriEnv->uri=uriEnv->pool->pstrdup(env, uriEnv->pool, n);
  -
   return JK_OK;
   }
  +#endif /* HAS_APR */
   
  -#endif
   
   static void * JK_METHOD jk2_uriEnv_getAttribute(jk_env_t *env, jk_bean_t *bean,
char *name )
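Review bot: strcpy(host, name) and strcpy(path, uri) in the non-APR jk2_uriEnv_parseName copy the caller-supplied name into fixed 1024-byte stack arrays with no length check, so a name of 1024 bytes or more writes past host[]. Check strlen(name) against sizeof(host) and return JK_ERR when it does not fit, or allocate from uriEnv->pool as the removed code did. Two further points in the same function: path is filled but never read in the lines shown, while the removed "uriEnv->uri=uriEnv->pool->pstrdup(env, uriEnv->pool, n);" has no replacement, so uriEnv->uri is no longer set here; and uriEnv->virtual = "*" stores a string literal in a field that the other branches fill from the pool.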
  
  
  





cvs commit: jakarta-tomcat-connectors/jk/native2/common jk_uriEnv.c

2002-09-24 Thread mturk

mturk   2002/09/24 00:58:22

  Modified:jk/native2/common jk_uriEnv.c
  Log:
  Should be #ifdef HAS_APR not #if HAS_APR
  
  Revision  ChangesPath
  1.30  +1 -1  jakarta-tomcat-connectors/jk/native2/common/jk_uriEnv.c
  
  Index: jk_uriEnv.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/common/jk_uriEnv.c,v
  retrieving revision 1.29
  retrieving revision 1.30
  diff -u -r1.29 -r1.30
  --- jk_uriEnv.c   24 Sep 2002 07:52:09 -  1.29
  +++ jk_uriEnv.c   24 Sep 2002 07:58:22 -  1.30
  @@ -69,7 +69,7 @@
   #include "jk_uriMap.h"
   #include "jk_registry.h"
   
  -#if HAS_APR
  +#ifdef HAS_APR
   #include "apr_uri.h"
   /** Parse the name:
  VHOST/PATH
  
  
  





cvs commit: jakarta-tomcat-4.0/webapps/ROOT index.html

2002-09-24 Thread remm

remm2002/09/24 01:32:43

  Modified:catalina/src/share/org/apache/catalina Tag: tomcat_40_branch
Globals.java
   catalina/src/share/org/apache/catalina/servlets Tag:
tomcat_40_branch InvokerServlet.java
   webapps/ROOT Tag: tomcat_40_branch index.html
  Added:   .Tag: tomcat_40_branch RELEASE-NOTES-4.0.5.txt
  Log:
  - Version update.
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.1.2.1   +286 -0jakarta-tomcat-4.0/Attic/RELEASE-NOTES-4.0.5.txt
  
  
  
  
  No   revision
  
  
  No   revision
  
  
  1.39.2.24 +5 -5  
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java
  
  Index: Globals.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v
  retrieving revision 1.39.2.23
  retrieving revision 1.39.2.24
  diff -u -r1.39.2.23 -r1.39.2.24
  --- Globals.java  11 Jun 2002 05:00:40 -  1.39.2.23
  +++ Globals.java  24 Sep 2002 08:32:42 -  1.39.2.24
  @@ -219,7 +219,7 @@
   /**
* The descriptive information about this server and version.
*/
  -public static final String SERVER_INFO = "Apache Tomcat/4.0.5-dev";
  +public static final String SERVER_INFO = "Apache Tomcat/4.0.5";
   
   
   /**
  
  
  
  No   revision
  
  
  No   revision
  
  
  1.13.2.3  +11 -4 
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/InvokerServlet.java
  
  Index: InvokerServlet.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/InvokerServlet.java,v
  retrieving revision 1.13.2.2
  retrieving revision 1.13.2.3
  diff -u -r1.13.2.2 -r1.13.2.3
  --- InvokerServlet.java   16 Feb 2002 01:09:51 -  1.13.2.2
  +++ InvokerServlet.java   24 Sep 2002 08:32:43 -  1.13.2.3
  @@ -319,6 +319,13 @@
   } else {
   pathInfo = "";
   }
  +
  +if (servletClass.startsWith("org.apache.catalina")) {
  +response.sendError(HttpServletResponse.SC_NOT_FOUND,
  +   inRequestURI);
  +return;
  +}
  +
   if (debug >= 1)
   log("Processing servlet '" + servletClass +
   "' with path info '" + pathInfo + "'");
  
  
  
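Review bot: the new servletClass.startsWith("org.apache.catalina") test in InvokerServlet.java is a prefix match with no trailing dot, so it also rejects any class whose package name merely begins with those characters (a hypothetical org.apache.catalinaextras.Foo, for instance) and it covers only that one package tree. Compare against "org.apache.catalina." and add a comment stating which classes the invoker must never load, so the list can be reviewed when packages are added. The early return also sits above the "debug >= 1" log call, so a refused request leaves no trace at any debug level; log the refused class name before sendError.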
  No   revision
  
  
  No   revision
  
  
  1.29.2.23 +2 -2  jakarta-tomcat-4.0/webapps/ROOT/Attic/index.html
  
  Index: index.html
  ===
  RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/ROOT/Attic/index.html,v
  retrieving revision 1.29.2.22
  retrieving revision 1.29.2.23
  diff -u -r1.29.2.22 -r1.29.2.23
  --- index.html11 Jun 2002 05:01:06 -  1.29.2.22
  +++ index.html24 Sep 2002 08:32:43 -  1.29.2.23
  @@ -44,7 +44,7 @@
   
   
   Tomcat
  -Version 4.0.5 Dev
  +Version 4.0.5
   
   
   http://jakarta.apache.org/";>
  @@ -138,7 +138,7 @@
   
   
    
  -Copyright © 1999-2001 Apache Software 
Foundation
  +Copyright © 1999-2002 Apache Software 
Foundation
   All Rights Reserved 
    
    
  
  
  





Re: problems compiling tomcat-connectors w/ make

2002-09-24 Thread Henri Gomez

> Again, the first error message I get is:
> 
> configure: error: can't locate /usr/src/apache/apache_1.3.26/
> 
> Incidentally, I tried the native (not native2) and it works fine.

I'm sure JF will fix it quickly.

I'm using DSO (--with-apxs) and never tried static build ;[






cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina Globals.java

2002-09-24 Thread remm

remm2002/09/24 01:34:40

  Modified:catalina/src/share/org/apache/catalina Tag: tomcat_40_branch
Globals.java
  Log:
  - Revert version number.
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.39.2.25 +5 -5  
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java
  
  Index: Globals.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/Globals.java,v
  retrieving revision 1.39.2.24
  retrieving revision 1.39.2.25
  diff -u -r1.39.2.24 -r1.39.2.25
  --- Globals.java  24 Sep 2002 08:32:42 -  1.39.2.24
  +++ Globals.java  24 Sep 2002 08:34:40 -  1.39.2.25
  @@ -219,7 +219,7 @@
   /**
* The descriptive information about this server and version.
*/
  -public static final String SERVER_INFO = "Apache Tomcat/4.0.5";
  +public static final String SERVER_INFO = "Apache Tomcat/4.0.6-dev";
   
   
   /**
  
  
  





cvs commit: jakarta-tomcat-4.0/webapps/ROOT index.html

2002-09-24 Thread remm

remm2002/09/24 01:35:10

  Modified:webapps/ROOT Tag: tomcat_40_branch index.html
  Log:
  - Revert version number.
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.29.2.24 +1 -1  jakarta-tomcat-4.0/webapps/ROOT/Attic/index.html
  
  Index: index.html
  ===
  RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/ROOT/Attic/index.html,v
  retrieving revision 1.29.2.23
  retrieving revision 1.29.2.24
  diff -u -r1.29.2.23 -r1.29.2.24
  --- index.html24 Sep 2002 08:32:43 -  1.29.2.23
  +++ index.html24 Sep 2002 08:35:09 -  1.29.2.24
  @@ -44,7 +44,7 @@
   
   
   Tomcat
  -Version 4.0.5
  +Version 4.0.6 Dev
   
   
   http://jakarta.apache.org/";>
  
  
  





cvs commit: jakarta-tomcat-4.0 RELEASE-NOTES-4.1.txt

2002-09-24 Thread remm

remm2002/09/24 01:35:49

  Modified:.RELEASE-NOTES-4.1.txt
  Log:
  - Update release notes.
  
  Revision  ChangesPath
  1.22  +29 -4 jakarta-tomcat-4.0/RELEASE-NOTES-4.1.txt
  
  Index: RELEASE-NOTES-4.1.txt
  ===
  RCS file: /home/cvs/jakarta-tomcat-4.0/RELEASE-NOTES-4.1.txt,v
  retrieving revision 1.21
  retrieving revision 1.22
  diff -u -r1.21 -r1.22
  --- RELEASE-NOTES-4.1.txt 23 Sep 2002 00:32:46 -  1.21
  +++ RELEASE-NOTES-4.1.txt 24 Sep 2002 08:35:48 -  1.22
  @@ -177,7 +177,9 @@
   [4.1.11] Administration Webapp:
Fix adding a context with the administration webapp.
   
  -[4.1.12] Fix SSL-cert authentication when using the Coyote Connector.
  +[4.1.12] Administration Webapp:
  + Complete support for DefaultContext.
  +
   
   --
   Catalina Bug Fixes:
  @@ -440,6 +442,17 @@
"caseSensitive" flag rather than on the path separator. Most Unix OSes
can set that to false.
   
  +[4.1.12] SSLAuthenticator:
  + Add back client authentication support.
  +
  +[4.1.12] SECURITY:
  + Disable InvokerServlet in the default webapp configuration, 
  + and restrict the servlets it can invoke.
  +
  +[4.1.12] #12286
  + JDBCStore:
  + Fix NPE on shutdown.
  +
   
   
   Jasper Bug Fixes:
  @@ -610,6 +623,9 @@
   [4.1.11] JspServletWrapper:
Fix Jasper when "development" option is set to "false".
   
  +[4.1.12] JspRuntimeContext:
  + Add permission to allow reading the work directory.
  +
   
   
   KNOWN ISSUES IN THIS RELEASE:
  @@ -626,6 +642,7 @@
   * Using Jasper 1 with Tomcat 4.1
   * Administrartion web application
   * Symlinking static resources
  +* Enabling invoker servlet
   
   
   -
  @@ -813,7 +830,15 @@
   Unix symlinks will not work when used in a web application to link resources 
   located outside the web application root directory.
   
  -This behavior will be made optional in an upcoming version of Tomcat 4.1, but
  -will be the default one.
  +This behavior is optional, and the "allowLinking" flag may be used to disable
  +the check.
   
   
  +
  +Enabling invoker servlet:
  +
  +
  +Starting with Tomcat 4.1.12, the invoker servlet is no longer available by 
  +default in all webapp. Enabling it for all webapps is possible by editing
  +$CATALINA_HOME/conf/web.xml to uncomment the "/servlet/*" servlet-mapping
  +definition.
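Review bot: the new "Enabling invoker servlet" section explains how to turn the invoker back on but not why it was turned off; the SECURITY entry added earlier in this file says only that it was disabled and restricted. Add a sentence here stating that the mapping was disabled for security reasons and pointing to that entry, so that an administrator who uncomments the "/servlet/*" mapping knows what is being re-enabled. Also, "in all webapp" should read "in all webapps".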
  
  
  





Re: [POLL] Tomcat 3.3.2 updates

2002-09-24 Thread Henri Gomez

Larry Isaacs wrote:
> Hi Henri,
> 
> I would prefer to minimize the impact of upgrading from
> 3.3.1 to 3.3.2.  I agree with Costin that using 4 with
> documentation on the steps to enable the MxInterceptor
> would be a reasonable way to implement this.

So I'll have to take a look at MxInterceptor to see if
nothing is broken ...

BTW, I could spend some time to play ClassLoader,
making MxInterceptor loading mx4j/mx4-tools from
container ClassLoader but I need some advice.







cvs commit: jakarta-tomcat-connectors/jk/doc/jk2 config.html jk2.html

2002-09-24 Thread hgomez

hgomez  2002/09/24 01:46:51

  Removed: jk/doc/images banner.gif tomcat.gif tomcat.ico
   jk/doc   tomcat-apache-howto.html tomcat-ssl-howto.html
tomcat-netscape-howto.html AJPv13.html
tomcat-domino-howto.html tomcat-workers-howto.html
tomcat-iis-howto.html AJPv14.txt mod_jk-howto.html
   jk/doc/jk2 config.html jk2.html
  Log:
  Remove deprecated documentations, everything is now on xdocs





cvs commit: jakarta-tomcat-connectors/jk/native2/common jk_channel_socket.c

2002-09-24 Thread mturk

mturk   2002/09/24 02:05:50

  Modified:jk/native2/common jk_channel_socket.c
  Log:
  Resolve (I hope) the WIN32 reported bug 12346. Caused by the
  connection refusing on TC side during high load. If the TC refuses
  connection keep trying instead of returning error.
  
  Revision  ChangesPath
  1.39  +4 -3  jakarta-tomcat-connectors/jk/native2/common/jk_channel_socket.c
  
  Index: jk_channel_socket.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/common/jk_channel_socket.c,v
  retrieving revision 1.38
  retrieving revision 1.39
  diff -u -r1.38 -r1.39
  --- jk_channel_socket.c   8 Jul 2002 13:41:30 -   1.38
  +++ jk_channel_socket.c   24 Sep 2002 09:05:50 -  1.39
  @@ -312,11 +312,12 @@
   
   #ifdef WIN32
   if(SOCKET_ERROR == ret) { 
  -errno = WSAGetLastError() - WSABASEERR;
  +errno = WSAGetLastError();
   }
  -#endif /* WIN32 */
  -
  +} while (ret == -1 && errno == WSAECONNREFUSED);
  +#else
   } while (-1 == ret && EINTR == errno);
  +#endif /* WIN32 */
   
   /* Check if we connected */
   if(ret != 0 ) {
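Review bot: on WIN32 the loop now repeats "while (ret == -1 && errno == WSAECONNREFUSED)" with no retry limit and no delay, so if Tomcat keeps refusing connections the calling thread retries indefinitely instead of returning an error. Bound the number of attempts and pause between them, then fall through to the existing "ret != 0" check. Dropping the "- WSABASEERR" adjustment also changes the errno value that code after the loop sees on WIN32; confirm nothing later compares it against the old offset values.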
  
  
  





DO NOT REPLY [Bug 12946] New: - parameter serverRoot from jk2.properties not read; workaround

2002-09-24 Thread bugzilla


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12946

parameter serverRoot from jk2.properties not read; workaround

   Summary: parameter serverRoot from jk2.properties not read;
workaround
   Product: Tomcat 4
   Version: 4.1.10
  Platform: Sun
OS/Version: Solaris
Status: UNCONFIRMED
  Severity: Normal
  Priority: Other
 Component: Connector:Coyote JK 2
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


Although jk2.properties contains the line

serverRoot=/usr/local/apache2

catalina.out shows (at startup):

[Tue Sep 24 09:42:14 2002] (error ) [jk_config_file.c (261)]  config.update(): 
Can't find config file ${serverRoot}/conf/workers2.properties
[Tue Sep 24 09:42:14 2002] ( info ) [jk_config.c (246)]  config.setAttribute() 
Error setting config: file ${serverRoot}/conf/workers2.properties
[Tue Sep 24 09:42:14 2002] ( info ) [jk_workerEnv.c (403)]  workerEnv.init() ok 
${serverRoot}/conf/workers2.properties

Workaround as follows:

Set 

$ serverRoot=/usr/local/apache2; export serverRoot

in the Unix environment before startup.sh





DO NOT REPLY [Bug 12947] New: - #include in jk/native2/common/jk_channel_socket.c

2002-09-24 Thread bugzilla


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12947

#include  in jk/native2/common/jk_channel_socket.c

   Summary: #include  in
jk/native2/common/jk_channel_socket.c
   Product: Tomcat 4
   Version: 4.1.10
  Platform: Sun
OS/Version: Solaris
Status: UNCONFIRMED
  Severity: Normal
  Priority: Other
 Component: Connector:Coyote JK 2
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


ioctl constant FIONBIO will not be found unless you include filio.h in
jk/native2/common/jk_channel_socket.c
like
#include 





DO NOT REPLY [Bug 12945] - JSP Compilation errors: jars in WEB-INF/lib and classes in WEB-INF/classes not in classpath

2002-09-24 Thread bugzilla


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12945

JSP Compilation errors: jars in WEB-INF/lib and classes in WEB-INF/classes not in 
classpath





--- Additional Comments From [EMAIL PROTECTED]  2002-09-24 09:46 ---
Created an attachment (id=3189)
Files used to reproduce the failure, server configuration and server logs





DO NOT REPLY [Bug 12945] - JSP Compilation errors: jars in WEB-INF/lib and classes in WEB-INF/classes not in classpath

2002-09-24 Thread bugzilla


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12945

JSP Compilation errors: jars in WEB-INF/lib and classes in WEB-INF/classes not in 
classpath

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|WORKSFORME  |



--- Additional Comments From [EMAIL PROTECTED]  2002-09-24 09:48 ---
In order to reproduce the failure with Tomcat 4.1.12 I followed these steps:

1.-  Downloaded file: jakarta-tomcat-4.1.12.tar.gz
 File size: 5.714.133 bytes

2.-  Extracted (unzipped) to folder: C:\Tomcat-4.1.12  [TOMCAT_HOME == 
CATALINA_HOME]

3.-  Created the following files into TOMCAT_HOME (C:\Tomcat-4.1.12):
 + environ.cmd
 + InstallTomcatAsWinNTService.cmd
 + shutdown.cmd
 + startup.cmd
 + UninstallTomcatAsWinNTService.cmd

4.-  Executed: InstallTomcatAsWinNTService.cmd
 + C:\Tomcat-4.1.12>InstallTomcatAsWinNTService.cmd
 + C:\Tomcat-4.1.12\bin\Tomcat.exe -install "Apache Tomcat 4.1.12" 
C:\j2sdk14\jre\bin\server\jvm.dll -Djava.class.path=C:\Tomcat-4.1.12
\bin\bootstrap.jar -Dcatalina.home=C:\Tomcat-4.1.12 -start 
org.apache.catalina.startup.BootstrapService -method main -params start -stop 
org.apache.catalina.startup.BootstrapService -method main -params stop -out 
C:\Tomcat-4.1.12\logs\stdout.log -err C:\Tomcat-4.1.12\logs\stderr.log
 + The service was successfully installed.
 + C:\Tomcat-4.1.12>

5.-  Started Tomcat with: "C:\Tomcat-4.1.12\startup.cmd"
 ( This first time execution created some extra folders, as you know :^)
 Tested its execution by accessing a sample JSP (numberguess) 
under /examples context: Ok.
 Stopped Tomcat with: "C:\Tomcat-4.1.12\shutdown.cmd"

6.-  Started WinNT Service: "Apache Tomcat 4.1.12" with: net start "Apache 
Tomcat 4.1.12"
 Tested its execution by accessing a sample JSP (date & snoop) 
under /examples context: FAIL.
 Stopped WinNT Service: "Apache Tomcat 4.1.12" with: net stop "Apache 
Tomcat 4.1.12"

7.-  Edited %TOMCAT_HOME%\conf\server.xml and set all "debug=0" values 
to: "debug=99"
 Edited %TOMCAT_HOME%\conf\web.xml and set all "debug" values to: "99"
 Deleted all log files
 Deleted all files under: %TOMCAT_HOME%\work\Standalone\localhost

8.-  Started WinNT Service: "Apache Tomcat 4.1.12" with: net start "Apache 
Tomcat 4.1.12"
 Tested its execution by accessing a sample JSP (carts & checkbox & 
error) under /examples context: FAIL.
 Stopped WinNT Service: "Apache Tomcat 4.1.12" with: net stop "Apache 
Tomcat 4.1.12"
 Moved log files to "NTService" folder under "logs".

9.-  Started Tomcat with: "C:\Tomcat-4.1.12\startup.cmd"
 Tested its execution by accessing a sample JSP (carts & checkbox & 
error) under /examples context: FAIL.
 Stopped Tomcat with: "C:\Tomcat-4.1.12\shutdown.cmd"
 Moved log files to "StandAlone" folder under "logs".

10.- Generated: "Files.zip" with all files under \conf and \logs folders, and 
also the MSDOS scripts in %TOMCAT_HOME%.

It looks like the NT Service fails to find something to work fine.
Maybe that the "NT Service Install" command needs to be passed extra info 
regarding where is "ant", some library, or whatever, but started Tomcat as a 
Stand Alone task from command line, does not fail.


Attached I posted a ZIP file with all needed archives to test my installation.





DO NOT REPLY [Bug 12945] - JSP Compilation errors: jars in WEB-INF/lib and classes in WEB-INF/classes not in classpath

2002-09-24 Thread bugzilla


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12945

JSP Compilation errors: jars in WEB-INF/lib and classes in WEB-INF/classes not in 
classpath

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution||WORKSFORME



--- Additional Comments From [EMAIL PROTECTED]  2002-09-24 09:56 ---
Sorry, but I simply do not have time to help you debug or check whether or not
your configuration. The idea is that a similar configuration is working fine for
me (XP / JDK 1.4 / Tomcat installed through the installer). Could you please try
the default configuration and installation ?
Do NOT use the .tar.gz when using Windows, unless you know what you are doing.





cvs commit: jakarta-tomcat-connectors/jk/xdocs faq.xml

2002-09-24 Thread hgomez

hgomez  2002/09/24 03:23:51

  Modified:jk/xdocs faq.xml
  Log:
  Add information about MMNB (Magic Module Number bump) of Apache 2.0
  
  Revision  ChangesPath
  1.4   +2 -2  jakarta-tomcat-connectors/jk/xdocs/faq.xml
  
  Index: faq.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jk/xdocs/faq.xml,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- faq.xml   20 Sep 2002 21:35:31 -  1.3
  +++ faq.xml   24 Sep 2002 10:23:51 -  1.4
  @@ -220,7 +220,7 @@
   
   
   Since Apache 2.0 API still change often, the Apache 2.0 teams decide to put in 
headers of compiled modules the 
  -Apache 2.0 version used to compile the module. 
  +Apache 2.0 version used to compile the module. This check is called Magic Module 
Number bump.
   
   
   At start time Apache 2.0 check that version in modules headers and stop if it 
detect that a module was compiled 
  
  
  





DO NOT REPLY [Bug 12926] - java.net.URLEncoder.encode problem with JDK 1.4.1

2002-09-24 Thread bugzilla


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12926

java.net.URLEncoder.encode problem with JDK 1.4.1





--- Additional Comments From [EMAIL PROTECTED]  2002-09-24 10:32 ---
I have also checked it with tomcat 4.1.10 on Windows XP, this time using JDK
1.4.0. It's the same problem.

org.apache.jasper.JasperException: Unable to compile class for JSP

An error occurred at line: 12 in the jsp file: /planets/index.jsp

Generated servlet error:
 [javac] Compiling 1 source file
D:\Apll2000\Dev\Tomcat 
4.1\work\Standalone\localhost\modwars\planets\index_jsp.java:226: cannot 
resolve symbol
symbol  : method encode  (int)
location: class java.net.URLEncoder
 pageContext.forward("view.jsp" + "?" + "pid=" + 
java.net.URLEncoder.encode( planetlist[0].getPid() ));
 
 ^
1 error





cvs commit: jakarta-tomcat-connectors/jk/xdocs/jk aphowto.xml

2002-09-24 Thread hgomez

hgomez  2002/09/24 03:49:03

  Modified:jk/xdocs/jk aphowto.xml
  Log:
  Use MOD_JK SVRPGM as mod_jk module for iSeries when 
  rebuilding it from Apache sources (IBM use QZTCJK).
  
  Revision  ChangesPath
  1.11  +1 -1  jakarta-tomcat-connectors/jk/xdocs/jk/aphowto.xml
  
  Index: aphowto.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jk/xdocs/jk/aphowto.xml,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- aphowto.xml   20 Sep 2002 21:35:30 -  1.10
  +++ aphowto.xml   24 Sep 2002 10:49:03 -  1.11
  @@ -858,7 +858,7 @@
   Launch the build
   CALL MOD_JK/BLDJK
   If the build if successfull, copy the new mod_jk module
  -CRTDUPOBJ OBJ(MOD_JK) FROMLIB(MOD_JK) OBJTYPE(*SRVPGM) TOLIB(QHTTPSVR) 
NEWOBJ(MODJK)
  +CRTDUPOBJ OBJ(MOD_JK) FROMLIB(MOD_JK) OBJTYPE(*SRVPGM) TOLIB(QHTTPSVR) 
NEWOBJ(MOD_JK)
   
   
   Next, you should restart your Apache 2.0 server and enjoy this piece of OpenSource 
on iSeries.
  
  
  





JK 1.2.0 tag

2002-09-24 Thread Henri Gomez

JTC will be tagged JK_1_2_0 by 17h CET.

Regards







JK2 2.0.0 Release proposal

2002-09-24 Thread Mladen Turk

Hi,

Since there are no major showstoppers and
a) The vhosts should work now
b) Socket BUG 12346 is solved

Here is the release plan:

1. 09/25/2002  - Freeze the further development.

2. 09/26/2002  - If there are no major bugs tag the release as JK2_2_0_0

3. 09/26/2002  - Prepare the source release (zip and tar.gz)
Start building binaries (What platforms?)

Platform WIN32 (I can do that):
mod_jk2/Apache2.0.40 (or 2.0.42 if released).
mod_jk2/Apache1.3.26/APR&APR_UTIL from 2.0.40
i_r2.dll/APR&APR-UTIL from 2.0.40

Any one wish to make binaries for other platforms?  

4. 09/27/2002 - Should be all over at
http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk2/release/v2.0.0/

Comments and thoughts?

MT.






how many committers?

2002-09-24 Thread Vincent Massol

Hi,

Can someone tell me how many committers there are on:

- Tomcat 3.x
- Tomcat 4.x
- Tomcat 5.x

Thanks
-Vincent

Note: I have not found a way to access the CVS avail file in /home/cvs
(it seems I don't have the rights).






[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Remy Maucherat

A security vulnerability has been confirmed to exist in all Apache 
Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which 
allows to use a specially crafted URL to return the unprocessed source 
of a JSP page, or, under special circumstances, a static resource which 
would otherwise have been protected by security constraint, without the 
need for being properly authenticated.

The cause
---------

Using the invoker servlet in conjunction with the default servlet 
(responsible for handling static content in Tomcat) triggers this 
vulnerability. This particular configuration is available in the default 
Tomcat configuration.

Workarounds
-----------

An easy workaround exists for existing Tomcat installations, by 
disabling the invoker servlet in the default webapp configuration.

In the $CATALINA_HOME/conf/web.xml file (on Windows, 
%CATALINA_HOME%\conf\web.xml), comment out or remove the following XML 
fragment:

 
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
 

Releases
--------

The Apache Tomcat Team announces the immediate availability of new 
releases which include a fix to the invoker servlet.

Apache Tomcat 4.1.12 Stable:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Apache Tomcat 4.0.5:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Remy
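
Added example, not part of the original advisory or of Tomcat: a Python check that reports whether an invoker servlet mapping is still active in a web.xml after the workaround above has been applied. The sample descriptors are constructed, and scanning webapps/*/WEB-INF/web.xml in addition to conf/web.xml is an assumption of this example (a webapp may declare its own mapping).

```python
"""Audit Tomcat web.xml files for an active invoker servlet mapping."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Class name taken from the InvokerServlet.java path shown on this page.
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"


def _local(tag):
    """Drop an XML namespace so DTD-based and namespaced descriptors both work."""
    return tag.rsplit("}", 1)[-1]


def active_invoker_mappings(web_xml):
    """Return the url-patterns that still route requests to the invoker servlet.

    The parser discards XML comments, so a mapping that was commented out as
    the advisory instructs is not reported. Servlets declared under another
    name but with the invoker class are followed as well.
    """
    root = ET.fromstring(web_xml)
    names = {"invoker"}          # servlet-name used in the advisory's fragment
    mappings = []
    for elem in root.iter():
        fields = {}
        for child in elem:
            fields.setdefault(_local(child.tag), []).append((child.text or "").strip())
        kind = _local(elem.tag)
        if kind == "servlet" and INVOKER_CLASS in fields.get("servlet-class", []):
            names.update(fields.get("servlet-name", []))
        elif kind == "servlet-mapping":
            mappings.append((fields.get("servlet-name", [""])[0],
                             fields.get("url-pattern", [])))
    return [url for name, urls in mappings if name in names for url in urls]


def audit_catalina_home(catalina_home):
    """Map each web.xml with a finding to its active invoker patterns.

    Looks at conf/web.xml (named in the advisory) and, as an assumption of
    this example, every webapps/*/WEB-INF/web.xml. Files that cannot be
    parsed map to None so they get a manual look.
    """
    home = Path(catalina_home)
    candidates = [home / "conf" / "web.xml"]
    candidates += sorted(home.glob("webapps/*/WEB-INF/web.xml"))
    findings = {}
    for path in candidates:
        if not path.is_file():
            continue
        try:
            patterns = active_invoker_mappings(path.read_bytes())
        except ET.ParseError:
            findings[str(path)] = None
            continue
        if patterns:
            findings[str(path)] = patterns
    return findings


# Constructed sample descriptors (not copied from a Tomcat distribution).
_TEMPLATE = """<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  {mapping}
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>"""
_MAPPING = """<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>"""

VULNERABLE = _TEMPLATE.format(mapping=_MAPPING)
HARDENED = _TEMPLATE.format(mapping="<!--\n  " + _MAPPING + "\n  -->")

if __name__ == "__main__":
    for label, doc in (("default config", VULNERABLE), ("workaround applied", HARDENED)):
        print(label, "->", active_invoker_mappings(doc) or "no active invoker mapping")
```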






DO NOT REPLY [Bug 12952] New: - Documentation error for Tyrex Connection Pooling

2002-09-24 Thread bugzilla


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12952

Documentation error for Tyrex Connection Pooling

   Summary: Documentation error for Tyrex Connection Pooling
   Product: Tomcat 4
   Version: 4.1.10
  Platform: Other
OS/Version: Other
Status: NEW
  Severity: Normal
  Priority: Other
 Component: Webapps:Documentation
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]




  
name
myDataSource
  


Notice the "value" is closed by "name" rather than "value"





cvs commit: jakarta-tomcat-4.0/webapps/tomcat-docs jndi-datasource-examples-howto.xml

2002-09-24 Thread remm

remm        2002/09/24 05:12:22

  Modified:    webapps/tomcat-docs jndi-datasource-examples-howto.xml
  Log:
  - Fix incorrect XML.
  - Submitted by matt at raibledesigns.com
  
  Revision  Changes    Path
  1.6       +1 -1      jakarta-tomcat-4.0/webapps/tomcat-docs/jndi-datasource-examples-howto.xml
  
  Index: jndi-datasource-examples-howto.xml
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/webapps/tomcat-docs/jndi-datasource-examples-howto.xml,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- jndi-datasource-examples-howto.xml30 Aug 2002 13:41:25 -  1.5
  +++ jndi-datasource-examples-howto.xml24 Sep 2002 12:12:22 -  1.6
  @@ -613,7 +613,7 @@
   
 
   name
  -myDataSource
  +myDataSource
 
   
   
  
  
  
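Review bot: the log message for this one-line change at line 613 says only "Fix incorrect XML" and should cite Bug 12952, which reports this exact error (a "value" element closed by "name"), so the fix can be found from the bug and the bug from the fix. Naming the element in the log would also help, since the removed and added lines differ only in the closing tag.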





Re: JK2 2.0.0 Release proposal

2002-09-24 Thread Henri Gomez

Mladen Turk wrote:
> Hi,
> 
> Since there are no major showstoppers and
> a) The vhosts should work now
> b) Socket BUG 12346 is solved
> 
> Here is the release plan:
> 
> 1. 09/25/2002  - Freeze the further development.
> 
> 2. 09/26/2002  - If there are no major bugs, tag the release as JK2_2_0_0
> 
> 3. 09/26/2002  - Prepare the source release (zip and tar.gz)
>   Start building binaries (What platforms?)

+1

> Platform WIN32 (I can do that):
>   mod_jk2/Apache2.0.40 (or 2.0.42 if released).
>   mod_jk2/Apache1.3.26/APR&APR_UTIL from 2.0.40
>   i_r2.dll/APR&APR-UTIL from 2.0.40

> Any one wish to make binaries for other platforms?

Linux i386 and may be cygwin also

> 4. 09/27/2002 - Should be all over at
> http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk2/release/v
> 2.0.0/
> 
> Comments and thoughts?

Let's go, JK 1.2.0 should be out tomorrow








cvs commit: jakarta-tomcat-catalina/webapps/docs jndi-datasource-examples-howto.xml

2002-09-24 Thread remm

remm        2002/09/24 05:13:17

  Modified:    webapps/docs jndi-datasource-examples-howto.xml
  Log:
  - Fix incorrect XML.
  - Submitted by matt at raibledesigns.com
  
  Revision  Changes    Path
  1.3       +1 -1      jakarta-tomcat-catalina/webapps/docs/jndi-datasource-examples-howto.xml
  
  Index: jndi-datasource-examples-howto.xml
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/webapps/docs/jndi-datasource-examples-howto.xml,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- jndi-datasource-examples-howto.xml30 Jul 2002 03:58:28 -  1.2
  +++ jndi-datasource-examples-howto.xml24 Sep 2002 12:13:16 -  1.3
  @@ -485,7 +485,7 @@
   
 
   name
  -myDataSource
  +myDataSource
 
   
   
  
  
  
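Review bot: this is the same one-line fix applied to a second copy of the how-to, at line 485 here against line 613 in jakarta-tomcat-4.0/webapps/tomcat-docs, so the two copies have already diverged and each documentation fix has to be ported by hand. The log message should name the companion commit (revision 1.6 of the tomcat-docs copy) so a later reader can confirm both trees were fixed.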





DO NOT REPLY [Bug 12952] - Documentation error for Tyrex Connection Pooling

2002-09-24 Thread bugzilla


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12952

Documentation error for Tyrex Connection Pooling

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED



--- Additional Comments From [EMAIL PROTECTED]  2002-09-24 12:14 ---
Fixed (will be in 4.1.13).





System.out.println() calls in servlet init methods

2002-09-24 Thread John Trollinger

Can someone tell me why System.out.println() calls in the init methods
of servlets do not make it out to the console at all.  They will make it
into a log file but never print to the console itself.
System.out.println() calls in the doGet and doPost print out to the
console as expected.

Thanks,

John






DO NOT REPLY [Bug 12953] New: - Taglib support broken

2002-09-24 Thread bugzilla


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12953

Taglib support broken

   Summary: Taglib support broken
   Product: Tomcat 4
   Version: 4.1.9
  Platform: PC
OS/Version: Other
Status: NEW
  Severity: Critical
  Priority: Other
 Component: Jasper 2
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


It seems that the taglib support is totally broken in Tomcat 4.1. Tag setter 
methods are not correctly called prior to calling the startTag() method of the 
Tags. This worked seamlessly in Tomcat 4.0.4. See 
http://www.iternum.com/i3test for a web app that shows this behavior.





Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Tim Funk

Would the following be vulnerable?
1) Use Jk only
2) do NOT use --> JkMount /servlet/* loadbalancer
3) But the invoker mapping is enabled

Would they be vulnerable? I personally don't see a security flaw in this 
config. But does Jk also look for the text "jsessionid" being passed in 
the URL and automagically pass it along to tomcat? AFAIK - I thought a 
Rewrite rule needed to be added to have that behavior.


Remy Maucherat wrote:
> A security vulnerability has been confirmed to exist in all Apache 
> Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which 
> allows to use a specially crafted URL to return the unprocessed source 
> of a JSP page, or, under special circumstances, a static resource which 
> would otherwise have been protected by security constraint, without the 
> need for being properly authenticated.
> 
> The cause
> -
> 
> Using the invoker servlet in conjunction with the default servlet 
> (responsible for handling static content in Tomcat) triggers this 
> vulnerability. This particular configuration is available in the default 
> Tomcat configuration.
> 
> Workarounds
> ---
> 
> An easy workaround exists for existing Tomcat installations, by 
> disabling the invoker servlet in the default webapp configuration.
> 
> In the $CATALINA_HOME/conf/web.xml file (on Windows, 
> %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML 
> fragment:
> 
>     <servlet-mapping>
>         <servlet-name>invoker</servlet-name>
>         <url-pattern>/servlet/*</url-pattern>
>     </servlet-mapping>
> 
> Releases
> 
> 
> The Apache Tomcat Team announces the immediate availability of new 
> releases which include a fix to the invoker servlet.
> 
> Apache Tomcat 4.1.12 Stable:
> http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/
> 
> Apache Tomcat 4.0.5:
> http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/
> 
> Remy
> 
> 






DO NOT REPLY [Bug 12953] - Taglib support broken

2002-09-24 Thread bugzilla


http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12953

Taglib support broken

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID



--- Additional Comments From [EMAIL PROTECTED]  2002-09-24 12:34 ---
This has been fixed already. Please try not to file obvious duplicates.





Re: [VOTE] commit new Tomcat 4 SecurityManager XML Policy code to CVS

2002-09-24 Thread Glenn Nielsen

Comments intermixed below.

Costin Manolache wrote:
> Glenn Nielsen wrote:
> 
> 
>>Tomcat SecurityManager XML Policy configuration
>>---
>>
>>I have finished implementing support within Tomcat for using XML based
>>security policy
>>files.  This was proposed and discussed on the list back 3-4 months ago.
>>
>>I would like to commit this to the jakarta-tomcat-4.0 CVS HEAD and have it
>>included in future 4.1.x releases. Initially it could be listed as either
>>experimental, alpha, or beta. Whichever we decide.
>>
>>- This new feature is fully backward compatible with current methods
>>   of using catalina.policy.  Use of the XML based policy is
>>   invoked by using the -security-xml startup option instead of -security.
>>
>>- Catalina can be compiled without support for use of an XML policy.
>>   To build with support for an XML policy the Castor XML Schema
>>   jar file and the Jakarta ORO jar files must both be present.
>>
>>   http://castor.exolab.org/
>>   http://jakarta.apache.org/oro/
>>
>>Here is a URL to the updated Security Manager HOW-TO which documents
>>the new XML Policy features.
>>
>>
> 
> 
>http://duke.more.net/~glenn/tomcat-docs/security-manager-howto.html#Optional%20XML%20Policy%20Configuration
> 
>>Please review the above before voting.
>>
>>If you are interested in looking at the code before I commit I could
>>create a patch file with all the changes against jakarta-tomcat-4.0
>>CVS HEAD and make it available. Just let me know.
>>
>>Here is a ballot. I would prefer not creating a Tomcat 4.2 development
>>branch yet, that just adds more CVS branches to commit bug fixes to.
>>
>>
>>  [ ]  commit XML Policy source to jakarta-tomcat-4.0 HEAD
>>   and include it in future release of Tomcat 4.1.x
>>  [ ]  commit to CVS but don't add to the next release
>>  [ ]  create a Tomcat 4.2 development branch and commit there (Ugh!)
>>  [ ]  -1 Don't commit to CVS (Please explain why)
>>
> 
> 
> I'm -0 on adding yet another config file - WEB-INF/policy.xml is also
> strange as webapps ( which shouldn't be trusted ) get to set the security
> policy. This is very tricky - and will need a lot of review.
> 

Using Tomcat with the XML based policy file is optional, so it is another
config file only if it is being used.  And I tried to provide good documentation
on how to use it.

/WEB-INF/policy.xml works.  The code is pretty straightforward. Only those
permissions which the global policy.xml allow can be configured in the web app.
This is done using the Permissions.implies() method.
And the web app can only configure permissions for code sources
that exist within its context directory.

I plan on putting this into production and I am very paranoid when it comes to 
security.

> However I'm -1 on adding deps on castor and doing schema validations - at
> least at this stage ( and after the experience we had with web.xml 
> schemas ). Castor is very nice, but is also a big thing.
> 

What experience was it that "we" had with web.xml schemas?  I have used
Castor on other projects.  It does more than validation, it is also used
to generate Java source code when Tomcat is built for the XML Schema elements.

Tomcat on a production system already takes up a huge amount of resources
(memory), I don't think the extra memory required by Castor classes would be
noticed.  And those resources would only get used if you use the XML based
policy files.

> The current policy file is standard and likely to be understood by tools.
> XML may be in theory easier, however I doubt too many tools understand
> this particular DTD. So I prefer keeping the current file format as default,
> at least until a standard security policy DTD is defined ( standard == 
> we're not the only ones using it :-).
> 

The current policy file also has its limitations.  This new policy.xml is more
intuitive to configure. Any tool which understands XML can be used to configure
your XML Policy files, such as XML Spy.

The JVM itself anticipated a need for alternative application specific Policy
implementations and has the hooks for doing it.

Are you aware of anyone working on a new standard?  Is there a JSR?

> If you need this functionality - I would propose making it a separate 
> module ( sort of add-on to tomcat ), instead of bundling it with tomcat
> by default. 
> 

This isn't just for me.  The type of features the XML Policy code add
have been requested in discussions I have had about the Java SecurityManager
at ApacheCon and JavaOne.

There currently are no official Tomcat add on modules.  Everything comes
bundled with it. There have been discussions about this, the end result
being that it is easier for the user if everything is bundled together.
There are a number of Tomcat features that I don't use such as webdav,
ssi, and cgi to name a few. I just remove those things I don't need.
If you don't need to use the policy based XML, don't use it.


Regards,

Glenn
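
The capping rule described in this message, as an added sketch that is not the XML Policy code under vote: a web application's requested permissions are kept only when a global ceiling implies them, using java.security.Permissions.implies(), and a code source is accepted only inside the context directory. The class name PolicyCapDemo, the paths and the permission sets are constructed for illustration.

```java
import java.io.FilePermission;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.PropertyPermission;

/** Hypothetical sketch (not the proposed Tomcat code) of capping a webapp's policy. */
public class PolicyCapDemo {

    /** Keeps only the requested permissions that the global ceiling already implies. */
    static List<Permission> cap(Permissions ceiling, List<Permission> requested) {
        List<Permission> granted = new ArrayList<>();
        for (Permission p : requested) {
            if (ceiling.implies(p)) {
                granted.add(p);
            }
        }
        return granted;
    }

    /** True only if the code source lies inside the webapp's own context directory. */
    static boolean insideContext(String contextDir, String codeSource) {
        Path context = Paths.get(contextDir).normalize();
        // normalize() collapses "..", so a path that climbs out of the context is
        // rejected; startsWith() compares whole path elements, so ".../app2" is not
        // inside ".../app". Symbolic links are not resolved by this check.
        return Paths.get(codeSource).normalize().startsWith(context);
    }

    public static void main(String[] args) {
        String ctx = "/opt/tomcat/webapps/app";   // constructed context directory

        // Global ceiling: what the container-wide policy is willing to hand out.
        Permissions ceiling = new Permissions();
        ceiling.add(new FilePermission(ctx + "/-", "read"));
        ceiling.add(new PropertyPermission("app.*", "read"));

        // What the web application asks for in its own policy file.
        List<Permission> requested = Arrays.asList(
                new FilePermission(ctx + "/WEB-INF/data.txt", "read"),
                new FilePermission(ctx + "/WEB-INF/data.txt", "read,write"),
                new FilePermission("/etc/passwd", "read"),
                new PropertyPermission("app.mode", "read"),
                new PropertyPermission("java.home", "read"),
                new RuntimePermission("exitVM"));

        List<Permission> granted = cap(ceiling, requested);
        for (Permission p : requested) {
            System.out.println((granted.contains(p) ? "granted  " : "dropped  ") + p);
        }

        // Code sources the web application tries to attach permissions to.
        for (String cs : Arrays.asList(
                ctx + "/WEB-INF/lib/util.jar",
                ctx + "/../other/WEB-INF/lib/util.jar",
                "/opt/tomcat/webapps/app2/WEB-INF/classes")) {
            System.out.println((insideContext(ctx, cs) ? "accepted " : "rejected ") + cs);
        }
    }
}
```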




Re: [VOTE] commit new Tomcat 4 SecurityManager XML Policy code to CVS

2002-09-24 Thread Remy Maucherat

Costin Manolache wrote:
> Glenn Nielsen wrote:
> 
> 
>>
>>  [ ]  commit XML Policy source to jakarta-tomcat-4.0 HEAD
>>   and include it in future release of Tomcat 4.1.x
>>  [X]  commit to CVS but don't add to the next release
>>  [ ]  create a Tomcat 4.2 development branch and commit there (Ugh!)
>>  [ ]  -1 Don't commit to CVS (Please explain why)
>>
> 
> 
> I'm -0 on adding yet another config file - WEB-INF/policy.xml is also
> strange as webapps ( which shouldn't be trusted ) get to set the security
> policy. This is very tricky - and will need a lot of review.
> 
> However I'm -1 on adding deps on castor and doing schema validations - at
> least at this stage ( and after the experience we had with web.xml 
> schemas ). Castor is very nice, but is also a big thing.
> 
> The current policy file is standard and likely to be understood by tools.
> XML may be in theory easier, however I doubt too many tools understand
> this particular DTD. So I prefer keeping the current file format as default,
> at least until a standard security policy DTD is defined ( standard == 
> we're not the only ones using it :-).
> 
> If you need this functionality - I would propose making it a separate 
> module ( sort of add-on to tomcat ), instead of bundling it with tomcat
> by default. 

I'd commit it as a module for now, and work from there. If we could 
avoid having to use Castor XML for parsing, that would be nice.
I understand your point of adding a new non-standard configuration file.

Remy






Re: [VOTE] commit new Tomcat 4 SecurityManager XML Policy code to CVS

2002-09-24 Thread Glenn Nielsen

Remy Maucherat wrote:
> Costin Manolache wrote:
> 
>> Glenn Nielsen wrote:
>>
>>
>>> 
>>>  [ ]  commit XML Policy source to jakarta-tomcat-4.0 HEAD
>>>   and include it in future release of Tomcat 4.1.x
>>>  [X]  commit to CVS but don't add to the next release
>>>  [ ]  create a Tomcat 4.2 development branch and commit there (Ugh!)
>>>  [ ]  -1 Don't commit to CVS (Please explain why)
>>> 
>>
>>
>>
>> I'm -0 on adding yet another config file - WEB-INF/policy.xml is also
>> strange as webapps ( which shouldn't be trusted ) get to set the security
>> policy. This is very tricky - and will need a lot of review.
>>
>> However I'm -1 on adding deps on castor and doing schema validations - at
>> least at this stage ( and after the experience we had with web.xml 
>> schemas ). Castor is very nice, but is also a big thing.
>>
>> The current policy file is standard and likely to be understood by tools.
>> XML may be in theory easier, however I doubt too many tools understand
>> this particular DTD. So I prefer keeping the current file format as 
>> default,
>> at least until a standard security policy DTD is defined ( standard == 
>> we're not the only ones using it :-).
>>
>> If you need this functionality - I would propose making it a separate 
>> module ( sort of add-on to tomcat ), instead of bundling it with tomcat
>> by default. 
> 
> 
> I'd commit it as a module for now, and work from there. 

I'm not sure what it means to commit something as a module to Tomcat.  The support
for XML policy files is only built in if you configure your build.properties
to do so.  Is that what a module means?

> If we could avoid having to use Castor XML for parsing, that would be nice.

I have used Castor for XML Schema support in several projects.
I just find that Castor makes use of XML Schemas much easier. And XML Schemas
are a significantly better solution than DTD's for validating XML.

Regards,

Glenn






RE: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Marx, Mitchell E (Mitch), ALCNS


Evil question: does this vulnerability exist in Tomcat 3.2.3?

Mitchell Evan Marx[EMAIL PROTECTED]
AT&T IP Network Configuration & Provisioning Development



-Original Message-
From: Remy Maucherat [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 7:59 AM
To: Tomcat Developers List; Tomcat Users List; announcements
Subject: [SECURITY] Apache Tomcat 4.x JSP source disclosure
vulnerability


A security vulnerability has been confirmed to exist in all Apache 
Tomcat 4.x releases (including Tomcat 4.0.4 and Tomcat 4.1.10), which 
allows to use a specially crafted URL to return the unprocessed source 
of a JSP page, or, under special circumstances, a static resource which 
would otherwise have been protected by security constraint, without the 
need for being properly authenticated.

The cause
-

Using the invoker servlet in conjunction with the default servlet 
(responsible for handling static content in Tomcat) triggers this 
vulnerability. This particular configuration is available in the default 
Tomcat configuration.

Workarounds
---

An easy workaround exists for existing Tomcat installations, by 
disabling the invoker servlet in the default webapp configuration.

In the $CATALINA_HOME/conf/web.xml file (on Windows, 
%CATALINA_HOME%\conf\web.xml), comment out or remove the following XML 
fragment:

    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>

Releases


The Apache Tomcat Team announces the immediate availability of new 
releases which include a fix to the invoker servlet.

Apache Tomcat 4.1.12 Stable:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/

Apache Tomcat 4.0.5:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/

Remy






Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Remy Maucherat

Tim Funk wrote:
> Would the following be vulnerable?
> 1) Use Jk only
> 2) do NOT use --> JkMount /servlet/* loadbalancer
> 3) But the invoker mapping is enabled
> 
> Would they be vulnerable? I personally don't see a security flaw in this 
> config. But does Jk also look for the text "jsessionid" being passed in 
> the URL and automagically pass it along to tomcat? AFAIK - I thought a 
> Rewrite rule needed to be added to have that behavior.

If you do end up passing any /servlet/* URLs to Tomcat, then 
you're safe. However, I would still edit conf/web.xml as explained in 
the advisory to make sure there are no problems in the future.

Remy






cvs commit: jakarta-tomcat-site/xdocs index.xml

2002-09-24 Thread remm

remm        2002/09/24 06:15:08

  Modified:    docs     index.html
               xdocs    index.xml
  Log:
  - Update numbers.
  
  Revision  Changes    Path
  1.28      +3 -3      jakarta-tomcat-site/docs/index.html
  
  Index: index.html
  ===
  RCS file: /home/cvs/jakarta-tomcat-site/docs/index.html,v
  retrieving revision 1.27
  retrieving revision 1.28
  diff -u -r1.27 -r1.28
  --- index.html10 Sep 2002 08:54:14 -  1.27
  +++ index.html24 Sep 2002 13:15:08 -  1.28
  @@ -175,7 +175,7 @@
   
   
   
  -4.1.10
  +4.1.12
   
   
   
  @@ -223,7 +223,7 @@
   Catalina) that is based on completely new architecture.  The 4.x releases
   implement the Servlet 2.3 and JSP 1.2
   specifications.
  -Tomcat 4.1.x.  
Tomcat 4.1.10 Stable is the latest release.
  +Tomcat 4.1.x.  
Tomcat 4.1.12 Stable is the latest release.
   Tomcat 4.1 is a refactoring of Tomcat 4.0.x, and contains significant 
   enhancements, including:
   
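Review bot: the "latest release" sentence changes only the version number, 4.1.10 to 4.1.12, and the log message is just "Update numbers"; 4.1.12 and 4.0.5 are the releases announced as fixing the invoker servlet JSP source disclosure, so the page should tell readers on 4.1.10 or 4.0.4 that the new number is a security fix, for example with a short note or link next to the version.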
  @@ -238,7 +238,7 @@
   from build.xml scripts
   
   
  -Tomcat 4.0.x.  
Tomcat 4.0.4 is the old production
  +Tomcat 4.0.x.  
Tomcat 4.0.5 is the old production
   quality release.  Tomcat 4.0 is the next generation of Tomcat.  The 4.0 servlet
   container (Catalina) has been developed from the ground up for flexibility and
   performance.  Version 4.0 implements the final released versions of the Servlet
  
  
  
  1.24  +3 -3  jakarta-tomcat-site/xdocs/index.xml
  
  Index: index.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-site/xdocs/index.xml,v
  retrieving revision 1.23
  retrieving revision 1.24
  diff -u -r1.23 -r1.24
  --- index.xml 10 Sep 2002 08:54:14 -  1.23
  +++ index.xml 24 Sep 2002 13:15:08 -  1.24
  @@ -45,7 +45,7 @@
   
   
 2.3/1.2
  -  4.1.10
  +  4.1.12
   
   
   
  @@ -75,7 +75,7 @@
   implement the Servlet 2.3 and JSP 1.2
   specifications.
   
  -Tomcat 4.1.x.  Tomcat 4.1.10 Stable is the latest release.
  +Tomcat 4.1.x.  Tomcat 4.1.12 Stable is the latest release.
   Tomcat 4.1 is a refactoring of Tomcat 4.0.x, and contains significant 
   enhancements, including:
   
  @@ -91,7 +91,7 @@
   
   
   
  -Tomcat 4.0.x.  Tomcat 4.0.4 is the old production
  +Tomcat 4.0.x.  Tomcat 4.0.5 is the old production
   quality release.  Tomcat 4.0 is the next generation of Tomcat.  The 4.0 servlet
   container (Catalina) has been developed from the ground up for flexibility and
   performance.  Version 4.0 implements the final released versions of the Servlet
  
  
  





Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Remy Maucherat

Remy Maucherat wrote:
> Tim Funk wrote:
> 
>> Would the following be vulnerable?
>> 1) Use Jk only
>> 2) do NOT use --> JkMount /servlet/* loadbalancer
>> 3) But the invoker mapping is enabled
>>
>> Would they be vulnerable? I personally don't see a security flaw in 
>> this config. But does Jk also look for the text "jsessionid" being 
>> passed in the URL and automagically pass it along to tomcat? AFAIK - I 
>> thought a Rewrite rule needed to be added to have that behavior.
> 
> 
> If you do end up passing any /servlet/* URLs to Tomcat, then 
> you're safe. However, I would still edit conf/web.xml as explained in 
> the advisory to make sure there are no problems in the future.

Of course, this should read "If you do NOT end up" ;-)

Remy






Re: [SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability

2002-09-24 Thread Remy Maucherat

Marx, Mitchell E (Mitch), ALCNS wrote:
> Evil question: does this vulnerability exist in Tomcat 3.2.3?

No. At worst it would be vulnerable to a distant cousin of the exploit.

Remy






cvs commit: jakarta-tomcat-connectors/jk/native2/server/apache2 mod_jk2.dsp

2002-09-24 Thread mturk

mturk   2002/09/24 06:22:14

  Modified:    jk/native2/server/apache2 mod_jk2.dsp
  Log:
  Use MT DLL for debug build.
  
  Revision  Changes    Path
  1.5       +1 -1      jakarta-tomcat-connectors/jk/native2/server/apache2/mod_jk2.dsp
  
  Index: mod_jk2.dsp
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/server/apache2/mod_jk2.dsp,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- mod_jk2.dsp   8 Aug 2002 18:21:41 -   1.4
  +++ mod_jk2.dsp   24 Sep 2002 13:22:14 -  1.5
  @@ -69,7 +69,7 @@
   # PROP Ignore_Export_Lib 0
   # PROP Target_Dir ""
   # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D 
"_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "MOD_JK2_EXPORTS" /YX /FD /GZ /c
  -# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "..\..\include" /I 
"$(JAVA_HOME)\include" /I "$(JAVA_HOME)\include\win32" /I "$(APACHE2_HOME)\include" /I 
"$(APACHE2_HOME)\os\win32" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D 
"_USRDLL" /D "MOD_JK2_EXPORTS" /D "HAVE_JNI" /D "HAS_APR" /FR /YX /FD /GZ /c
  +# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\include" /I 
"$(JAVA_HOME)\include" /I "$(JAVA_HOME)\include\win32" /I "$(APACHE2_HOME)\include" /I 
"$(APACHE2_HOME)\os\win32" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D 
"_USRDLL" /D "MOD_JK2_EXPORTS" /D "HAVE_JNI" /D "HAS_APR" /FR /YX /FD /GZ /c
   # SUBTRACT CPP /X
   # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
   # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
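Review bot: the log message "Use MT DLL for debug build" does not say why, and only the "# ADD CPP" line changes from /MTd to /MDd while "# ADD BASE CPP" in the same hunk keeps /MTd. State the reason in the log (for a server module this is normally that it must share the C runtime DLL with the host process), and confirm that the Release configuration, which is outside this hunk, already uses /MD so the two builds do not link different runtimes.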
  
  
  





cvs commit: jakarta-tomcat-connectors/jk/native2/server/apache13 mod_jk2.dsp

2002-09-24 Thread mturk

mturk   2002/09/24 06:27:03

  Added:   jk/native2/server/apache13 mod_jk2.dsp
  Log:
  Add mod_jk2.dsp to the repository
  
  Revision  Changes    Path
  1.1                  jakarta-tomcat-connectors/jk/native2/server/apache13/mod_jk2.dsp
  
  Index: mod_jk2.dsp
  ===
  # Microsoft Developer Studio Project File - Name="mod_jk2" - Package Owner=<4>
  # Microsoft Developer Studio Generated Build File, Format Version 6.00
  # ** DO NOT EDIT **
  
  # TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102
  
  CFG=mod_jk2 - Win32 Debug
  !MESSAGE This is not a valid makefile. To build this project using NMAKE,
  !MESSAGE use the Export Makefile command and run
  !MESSAGE 
  !MESSAGE NMAKE /f "mod_jk2.mak".
  !MESSAGE 
  !MESSAGE You can specify a configuration when running NMAKE
  !MESSAGE by defining the macro CFG on the command line. For example:
  !MESSAGE 
  !MESSAGE NMAKE /f "mod_jk2.mak" CFG="mod_jk2 - Win32 Debug"
  !MESSAGE 
  !MESSAGE Possible choices for configuration are:
  !MESSAGE 
  !MESSAGE "mod_jk2 - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library")
  !MESSAGE "mod_jk2 - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library")
  !MESSAGE 
  
  # Begin Project
  # PROP AllowPerConfigDependencies 0
  # PROP Scc_ProjName ""
  # PROP Scc_LocalPath ""
  CPP=cl.exe
  MTL=midl.exe
  RSC=rc.exe
  
  !IF  "$(CFG)" == "mod_jk2 - Win32 Release"
  
  # PROP BASE Use_MFC 0
  # PROP BASE Use_Debug_Libraries 0
  # PROP BASE Output_Dir "Release"
  # PROP BASE Intermediate_Dir "Release"
  # PROP BASE Target_Dir ""
  # PROP Use_MFC 0
  # PROP Use_Debug_Libraries 0
  # PROP Output_Dir "Release"
  # PROP Intermediate_Dir "Release"
  # PROP Ignore_Export_Lib 0
  # PROP Target_Dir ""
  # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D 
"_MBCS" /D "_USRDLL" /D "MOD_JK2_EXPORTS" /YX /FD /c
  # ADD CPP /nologo /MD /W3 /GX /O2 /I "..\..\include" /I "$(APACHE_HOME)\include" /D 
"NDEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SHARED_MODULE" /D 
"WIN32_LEAN_AND_MEAN" /YX /FD /c
  # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
  # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
  # ADD BASE RSC /l 0x41a /d "NDEBUG"
  # ADD RSC /l 0x41a /d "NDEBUG"
  BSC32=bscmake.exe
  # ADD BASE BSC32 /nologo
  # ADD BSC32 /nologo
  LINK32=link.exe
  # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib 
advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib 
/nologo /dll /machine:I386
  # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib 
advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib 
ApacheCore.lib ws2_32.lib /nologo /dll /machine:I386 /libpath:"$(APACHE_HOME)\lib" 
/libpath:"$(APACHE2_HOME)\lib"
  
  !ELSEIF  "$(CFG)" == "mod_jk2 - Win32 Debug"
  
  # PROP BASE Use_MFC 0
  # PROP BASE Use_Debug_Libraries 1
  # PROP BASE Output_Dir "Debug"
  # PROP BASE Intermediate_Dir "Debug"
  # PROP BASE Target_Dir ""
  # PROP Use_MFC 0
  # PROP Use_Debug_Libraries 1
  # PROP Output_Dir "Debug"
  # PROP Intermediate_Dir "Debug"
  # PROP Ignore_Export_Lib 0
  # PROP Target_Dir ""
  # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" 
/D "_MBCS" /D "_USRDLL" /D "MOD_JK2_EXPORTS" /YX /FD /GZ /c
  # ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\include" /I 
"$(APACHE_HOME)\include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" 
/D "SHARED_MODULE" /D "WIN32_LEAN_AND_MEAN" /YX /FD /GZ /c
  # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
  # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
  # ADD BASE RSC /l 0x41a /d "_DEBUG"
  # ADD RSC /l 0x41a /d "_DEBUG"
  BSC32=bscmake.exe
  # ADD BASE BSC32 /nologo
  # ADD BSC32 /nologo
  LINK32=link.exe
  # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib 
advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib 
/nologo /dll /debug /machine:I386 /pdbtype:sept
  # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib 
advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib 
ApacheCore.lib wsock32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept 
/libpath:"$(APACHE_HOME)\lib" /libpath:"$(APACHE2_HOME)\lib"
  
  !ENDIF 
  
  # Begin Target
  
  # Name "mod_jk2 - Win32 Release"
  # Name "mod_jk2 - Win32 Debug"
  # Begin Group "Source Files"
  
  # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
  # Begin Source File
  
  SOURCE=..\..\common\jk_channel.c
  # End Source File
  # Begin Source File
  
  SOURCE=..\..\common\jk_channel_apr_socket.c
  # End Source File
  # Begin Source File
  
  SOURCE=..\..\common\jk_channel_jni.c
  # End Source File
  # Begin Source File
  
  SOURCE=..\..\common\jk_channel_socket.c
  # End Source File
  # Begin Source File
  
  SOURCE=..\..\common\jk_channel_un.c
  # End Source File
  # Begin 
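Review bot: the two configurations link different Winsock libraries: the Release "# ADD LINK32" line uses ws2_32.lib and the Debug one uses wsock32.lib, which should be the same library in both unless the difference is intended. Two smaller points: both link lines add /libpath:"$(APACHE2_HOME)\lib" in what is the Apache 1.3 project, and the source list includes jk_channel_apr_socket.c and jk_channel_jni.c although neither "# ADD CPP" line defines HAVE_JNI or HAS_APR as the apache2 project does.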

Re: JK2 2.0.0 Release proposal

2002-09-24 Thread Costin Manolache

+1 and thanks for stepping up :-)

Mladen Turk wrote:

> Hi,
> 
> Since there are no major showstoppers and
> a) The vhosts should work now
> b) Socket BUG 12346 is solved
> 
> Here is the release plan:
> 
> 1. 09/25/2002  - Freeze the further development.
> 
> 2. 09/26/2002  - If there are no major bugs, tag the release as JK2_2_0_0

Let's call this a 'milestone' or 'build', as is done in 4.x and apache.

> 
> 3. 09/26/2002  - Prepare the source release (zip and tar.gz)
> Start building binaries (What platforms?)
> 
> Platform WIN32 (I can do that):
> mod_jk2/Apache2.0.40 (or 2.0.42 if released).
> mod_jk2/Apache1.3.26/APR&APR_UTIL from 2.0.40
> i_r2.dll/APR&APR-UTIL from 2.0.40
> 
> Any one wish to make binaries for other platforms?
> 
> 4. 09/27/2002 - Should be all over at
> http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk2/release/v
> 2.0.0/

Then have a vote on the 'label' - I personally prefer to call it 
'beta', not release. 

I'm very happy with the stability of the code, but for 4.1 I would like
to have jk1.2 considered the 'stable' connector and jk2.0 at beta level.
That reflects the big difference in testing and use they had so far.

After 1.2 is released and 2.0 is beta, we should freeze 1.2 tree and 
start doing all work in 2.0, and eventually have 2.0 released shortly
after.

BTW, there are several features in 2.0 I wouldn't consider 'release quality'
yet - the shmem, unix channel, even jni had only little testing so
far ( compared with the very large amount of use jk1.2 had )

Costin

> 
> Comments and thoughts?
> 
> MT.

-- 
Costin







Re: [VOTE] commit new Tomcat 4 SecurityManager XML Policy code to CVS

2002-09-24 Thread Jean-Francois Arcand



Glenn Nielsen wrote:

> Comments intermixed below.
>
> Costin Manolache wrote:
>
>> Glenn Nielsen wrote:
>>
>>
>>> Tomcat SecurityManager XML Policy configuration
>>> ---
>>>
>>> I have finished implementing support within Tomcat for using XML based
>>> security policy files.  This was proposed and discussed on the list back
>>> 3-4 months ago.
>>>
>>> I would like to commit this to the jakarta-tomcat-4.0 CVS HEAD and have it
>>> included in future 4.1.x releases. Initially it could be listed as either
>>> experimental, alpha, or beta. Whichever we decide.
>>>
>>> - This new feature is fully backward compatible with current methods
>>>   of using catalina.policy.  Use of the XML based policy is
>>>   invoked by using the -security-xml startup option instead of -security.
>>>
>>> - Catalina can be compiled without support for use of an XML policy.
>>>   To build with support for an XML policy the Castor XML Schema
>>>   jar file and the Jakarta ORO jar files must both be present.
>>>
>>>   http://castor.exolab.org/
>>>   http://jakarta.apache.org/oro/
>>>
>>> Here is a URL to the updated Security Manager HOW-TO which documents
>>> the new XML Policy features.
>>>
>>>
>>> http://duke.more.net/~glenn/tomcat-docs/security-manager-howto.html#Optional%20XML%20Policy%20Configuration
>>>
>>> Please review the above before voting.
>>>
>>> If you are interested in looking at the code before I commit I could
>>> create a patch file with all the changes against jakarta-tomcat-4.0
>>> CVS HEAD and make it available. Just let me know.
>>>
>>> Here is a ballot. I would prefer not creating a Tomcat 4.2 development
>>> branch yet, that just adds more CVS branches to commit bug fixes to.
>>>
>>> 
>>>  [ ]  commit XML Policy source to jakarta-tomcat-4.0 HEAD
>>>   and include it in future release of Tomcat 4.1.x
>>>  [ ]  commit to CVS but don't add to the next release
>>>  [ ]  create a Tomcat 4.2 development branch and commit there (Ugh!)
>>>  [ ]  -1 Don't commit to CVS (Please explain why)
>>> 
>>
>>
>>
>> I'm -0 on adding yet another config file - WEB-INF/policy.xml is also
>> strange as webapps ( which shouldn't be trusted ) get to set the security
>> policy. This is very tricky - and will need a lot of review.
>>
>
> Using Tomcat with the XML based policy file is optional, so it is another
> config file only if it is being used.  And I tried to provide good
> documentation on how to use it.
>
> /WEB-INF/policy.xml works.  The code is pretty straightforward. Only those
> permissions which the global policy.xml allows can be configured in the
> web app. This is done using the Permissions.implies() method.
> And the web app can only configure permissions for code sources
> that exist within its context directory.
>
> I plan on putting this into production and I am very paranoid when it
> comes to security.
>
>> However I'm -1 on adding deps on castor and doing schema validations - at
>> least at this stage ( and after the experience we had with web.xml 
>> schemas ). Castor is very nice, but is also a big thing.
>>
>
> What experience was it that "we" had with web.xml schemas?  I have used
> Castor on other projects.  It does more than validation, it is also used
> to generate Java source code when Tomcat is built for the XML Schema 
> elements.
>
> Tomcat on a production system already takes up a huge amount of resources
> (memory), I don't think the extra memory required by Castor classes would be
> noticed.  And those resources would only get used if you use the XML based
> policy files.
>
>> The current policy file is standard and likely to be understood by tools.
>> XML may be in theory easier, however I doubt too many tools understand
>> this particular DTD. So I prefer keeping the current file format as default,
>> at least until a standard security policy DTD is defined ( standard
>> == we're not the only ones using it :-).
>>
>
> The current policy file also has its limitations.  This new policy.xml is more
> intuitive to configure. Any tool which understands XML can be used to configure
> your XML Policy files, such as XML Spy.
>
> The JVM itself anticipated a need for alternative application specific Policy
> implementations and has the hooks for doing it.
>
> Are you aware of anyone working on a new standard?  Is there a JSR?


[FYI]
JSR 115 
(http://jcp.org/aboutJava/communityprocess/first/jsr115/index.html) Java 
Authorization Contract for Container is in that direction (for 
expressing Web Permissions and for moving away from the *.policy file 
format). The spec doesn't say anything about the way policy files are
represented (open the door to n