RE: TC 4 / mod_jk
Oups didn't view your reply in the list. Tomcat 4.0 did not select mod_jk for several reasons. The most important ones are at the top: * MOD_JK (like MOD_JSERV before it) has no clue what a web application is. This forces you to configure many items twice -- once in the web.xml file and once in the Apache configuration, which is a pretty serious imposition on people trying to administer the combination. Why not implemented such feature in mod_jk (extending ajp13 to ajp14 with news commands ?) * While the 2.2 spec was silent in many areas, the 2.3 spec will require an Apache+Tomcat combination to obey *all* the requirements of the spec (same rules as for any other container). This means that the things in web.xml *must* be respected. For example, a security constraint in a web.xml file must be enforced, even on a static resource that is served by Apache instead of Tomcat. Substantial modifications to MOD_JK would be needed to make this work (primarily in adding a two-way exchange of configuration information). I'm sorry to say that this stuff may be added to mod_jk. Still the syndrom of the wheel. * MOD_JK had no committers interested in maintaining it, at the time that the decision was made. Subsequent to that time, several volunteers have surfaced, including at least one person interested in supporting MOD_JK under Tomcat 4.0. That would be fine with me, as long as the result obeys all the rules. Sorry but mod_jk as at minima 3 commiters (Dan, Costin and I) ;) And many users as provided some patches. Let me resume : mod_jk : functionnal connector, load-balancing, TC 3.2 and 3.3 compatibility mod_webapp : connector (with bug in cookies - no session possibles), no load-balancing, strictly restrited to 4.x I've reported the cookie problem at least 2 times but still no answer : http://w4.metronet.com/~wjm/tomcat/2000/Dec/msg01064.html http://w4.metronet.com/~wjm/tomcat/2001/Jan/msg00204.html The pragmatic approach will to add mod_webapp stuff (related to 2.3) to mod_jk, eventually by deriving ajp13 to ajp14. Adding two-ways exchange may be a real need for centralized admin (apache admin from tomcat or tomcat from apache) I didn't remember there was a vote or poll on mod_jk/mod_webapp ?-) (No polemic) A+ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
NEWBIE PROBLEM: JSP files under htdocs in Apache
Hi I do not know if I am to junior for this list. I am running apache and tomcat. I got apache to pass requests for servlets and jsp files to tomcat, but only the default example JSP pages in the /examples directory under tomcat. The problem is that I cannot get tomcat to look at JSP files under my htdocs(apache) dir, it can only process stuff under the examples dir. How do I configure tomcat to process(compile) JSP pages to servlets located elsewhere from the default directories. A Newbie -Original Message- From: GOMEZ Henri [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 17, 2001 13:08 To: [EMAIL PROTECTED] Subject: RE: TC 4 / mod_jk Oups didn't view your reply in the list. Tomcat 4.0 did not select mod_jk for several reasons. The most important ones are at the top: * MOD_JK (like MOD_JSERV before it) has no clue what a web application is. This forces you to configure many items twice -- once in the web.xml file and once in the Apache configuration, which is a pretty serious imposition on people trying to administer the combination. Why not implemented such feature in mod_jk (extending ajp13 to ajp14 with news commands ?) * While the 2.2 spec was silent in many areas, the 2.3 spec will require an Apache+Tomcat combination to obey *all* the requirements of the spec (same rules as for any other container). This means that the things in web.xml *must* be respected. For example, a security constraint in a web.xml file must be enforced, even on a static resource that is served by Apache instead of Tomcat. Substantial modifications to MOD_JK would be needed to make this work (primarily in adding a two-way exchange of configuration information). I'm sorry to say that this stuff may be added to mod_jk. Still the syndrom of the wheel. * MOD_JK had no committers interested in maintaining it, at the time that the decision was made. Subsequent to that time, several volunteers have surfaced, including at least one person interested in supporting MOD_JK under Tomcat 4.0. That would be fine with me, as long as the result obeys all the rules. Sorry but mod_jk as at minima 3 commiters (Dan, Costin and I) ;) And many users as provided some patches. Let me resume : mod_jk : functionnal connector, load-balancing, TC 3.2 and 3.3 compatibility mod_webapp : connector (with bug in cookies - no session possibles), no load-balancing, strictly restrited to 4.x I've reported the cookie problem at least 2 times but still no answer : http://w4.metronet.com/~wjm/tomcat/2000/Dec/msg01064.html http://w4.metronet.com/~wjm/tomcat/2001/Jan/msg00204.html The pragmatic approach will to add mod_webapp stuff (related to 2.3) to mod_jk, eventually by deriving ajp13 to ajp14. Adding two-ways exchange may be a real need for centralized admin (apache admin from tomcat or tomcat from apache) I didn't remember there was a vote or poll on mod_jk/mod_webapp ?-) (No polemic) A+ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
BugRat Report #788 has been filed.
Bug report #788 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/788 REPORT #788 Details. Project: Tomcat Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: high Severity: serious Confidence: public Environment: Release: Tomcat 3.2.1 JVM Release: JDK 1.3 Operating System: Windows OS Release: 2000 Platform: windoze Synopsis: Ctx( /examples ): IOException in: R( /examples + + null) Not an ISO 8859_1 character:? Description: When trying to view the following url: http://localhost:8080/examples or http://localhost:8080/examples/ I get the upmentioned error message, and the JSP crashes in the middle :( This is the response: html head titleDirectory Listing for:/examples/title /headbody bgcolor=white table width=90% cellspacing=0 cellpadding=5 align=centertrtd colspan=3font size=+2strongDirectory Listing for:/examples/strong/td/tr trtd colspan=3 bgcolor=#ffa href="/"ttUp to://tt/a/td/tr trtd colspan=3 bgcolor=#ccfont size=+2strongSubdirectories:/strong /font/td/tr trtdnbsp;nbsp;nbsp;nbsp;nbsp;nbsp;tta href="/examples/images"images//anbsp;nbsp;nbsp;nbsp;nbsp;nbsp;/tt /tdtdttnbsp;nbsp;/tt/tdtd align=righttth1Error: 500/h1 h2Location: /examples/h2bInternal Servlet Error:/bbrprejava.io.IOException: Not an ISO 8859_1 character:? at org.apache.tomcat.core.BufferedServletOutputStream.print(BufferedServletOutputStream.java:221) at org.apache.tomcat.request.DirHandler.doService(StaticInterceptor.java:642) at org.apache.tomcat.core.Handler.service(Handler.java:286) at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372) at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797) at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743) at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210) at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416) at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498) at java.lang.Thread.run(Thread.java:484) /pre Why? I don't know. I'm not so good at JSPs. The files in the binary 3.2.1 distro are unix-type... Maybe that's a problem? Title: BugRat Report # 788 Directory Listing for:/examples Up to:/ Subdirectories: images/ Error: 500 Location: /examplesInternal Servlet Error:java.io.IOException: Not an ISO 8859_1 character:? at org.apache.tomcat.core.BufferedServletOutputStream.print(BufferedServletOutputStream.java:221) at org.apache.tomcat.request.DirHandler.doService(StaticInterceptor.java:642) at org.apache.tomcat.core.Handler.service(Handler.java:286) at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372) at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797) at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743) at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210) at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416) at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498) at java.lang.Thread.run(Thread.java:484) Why? I don't know. I'm not so good at JSPs. The files in the binary 3.2.1 distro are unix-type... Maybe that's a problem? Workaround: null View this report online... - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
BugRat Report #789 has been filed.
Bug report #789 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/789 REPORT #789 Details. Project: Jasper Category: Feature Requests SubCategory: Enhancement Class: swbug State: received Priority: high Severity: critical Confidence: public Environment: Release: aa JVM Release: aa Operating System: aa OS Release: aa Platform: aa Synopsis: a Description: Title: BugRat Report # 789 BugRat Report # 789 Project: Jasper Release: aa Category: Feature Requests SubCategory: Enhancement Class: swbug State: received Priority: high Severity: critical Confidence: public Submitter: Alexey Yakovets ([EMAIL PROTECTED]) Date Submitted: Jan 17 2001, 05:27:35 CST Responsible: Z_Tomcat Alias ([EMAIL PROTECTED]) Synopsis: a Environment: (jvm, os, osrel, platform) aa, aa, aa, aa Additional Environment Description: Report Description: View this report online... - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
BugRat Report #789 - a
Report #789 Details Project: Jasper Category: Feature Requests SubCategory: Enhancement Class: swbug State: received Priority: high Severity: critical Confidence: public Environment: Release: aa JVM Release: aa Operating System: aa OS Release: aa Platform: aa Synopsis: a Description: Title: BugRat Report # 789 BugRat Report # 789 Project: Jasper Release: aa Category: Feature Requests SubCategory: Enhancement Class: swbug State: received Priority: high Severity: critical Confidence: public Submitter: Alexey Yakovets ([EMAIL PROTECTED]) Date Submitted: Jan 17 2001, 05:27:35 CST Responsible: Z_Tomcat Alias ([EMAIL PROTECTED]) Synopsis: a Environment: (jvm, os, osrel, platform) aa, aa, aa, aa Additional Environment Description: Report Description: View this Report online... - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
BugRat Report #790 has been filed.
Bug report #790 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/790 REPORT #790 Details. Project: Catalina Category: Bug Report SubCategory: New Bug Report Class: docbug State: received Priority: low Severity: non-critical Confidence: public Environment: Release: 4.0 b1 JVM Release: 1.3 Operating System: redhat linux OS Release: 6.2 Platform: x86 Synopsis: Incomplete Documentation in server.xml for apache connector Description: The server.xml file must have the line "AddModule mod_webapp.c" In its description on howto get apache working with tomcat. !-- The MOD_WEBAPP connector is used to connect Apache 1.3 with Tomcat 4.0 as its servlet container. This is built by following these steps: To configure the Apache side, you must ensure that you have a "ServerName" directive defined in "httpd.conf". Then, lines like these to the bottom of your "httpd.conf" file: LoadModule webapp_module libexec/mod_webapp.so WebAppConnection warpConnection warp localhost:8008 WebAppMount examples warpConnection /examples/ -- ADD THIS LINE AddModule mod_webapp.c Title: BugRat Report # 790 BugRat Report # 790 Project: Catalina Release: 4.0 b1 Category: Bug Report SubCategory: New Bug Report Class: docbug State: received Priority: low Severity: non-critical Confidence: public Submitter: Alexander Terrill ([EMAIL PROTECTED]) Date Submitted: Jan 17 2001, 06:07:49 CST Responsible: Z_Tomcat Alias ([EMAIL PROTECTED]) Synopsis: Incomplete Documentation in server.xml for apache connector Environment: (jvm, os, osrel, platform) 1.3, redhat linux, 6.2, x86 Additional Environment Description: Report Description: The server.xml file must have the line "AddModule mod_webapp.c" In its description on howto get apache working with tomcat.
Webdav Servlet
Hi, today I looked through the webdav servlet. Now I have two questions: On an OPTIONS request the header is not containing the "MS-Author-Via: DAV" line. So the MS webdav tools will try the frontpage extensions first. If this header line would be added to (unneeded) requests would be omitted. Second question: The second frontpage query is a POST request. This request is handled by the default implementation of the DefaultServlet. The default implementation is empty, so a "200 OK" response is generated. Should the default implementation not deliver something like a SC_FORBIDDEN? Bye, Ulf - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Urgent issue!
Hello, sorry for posting this issue on the dev list, but on the user list no one has an idea about a solution and so I thought you guys should take care and provide an answer to the user list. This is the error message on the console: 2001-01-17 01:29:59 - Ctx( ): IOException in: R( + cocoon/back.gif + null)socket write error (code=10053) The page is displayed correctly so what is wrong? See the attached files. Configuration: WinNT, Tomcat 3.2.1 (stand alone), Cocoon 1.8 Thanks for your help!! Kai @echo off rem - rem tomcat.bat - Start/Stop Script for the TOMCAT Server rem rem Environment Variable Prerequisites: rem rem TOMCAT_HOME (Optional) May point at your Tomcat distribution remdirectory. If not present, the current working remdirectory is assumed. remNote: This batch file does not function properly remif TOMCAT_HOME contains spaces. rem rem TOMCAT_OPTS (Optional) Java runtime options used when the "start", rem"stop", or "run" command is executed rem rem CLASSPATH(Optional) This batch file will automatically add remwhat Tomcat needs to the CLASSPATH. This consists remof TOMCAT_HOME\classes and all the jar files in remTOMCAT_HOME\lib. This will include the "jaxp.jar" remand "parser.jar" files from the JAXP Reference remimplementation, and the "tools.jar" from the JDK. rem rem JAVA_HOMEMust point at your Java Development Kit installation. rem rem $Id: tomcat.bat,v 1.24.2.4 2000/09/23 21:52:56 larryi Exp $ rem - rem - Save Environment Variables That May Change set _CP=%CP% set _TOMCAT_HOME=%TOMCAT_HOME% set _CLASSPATH=%CLASSPATH% rem - Verify and Set Required Environment Variables - if not "%JAVA_HOME%" == "" goto gotJavaHome echo You must set JAVA_HOME to point at your Java Development Kit installation goto cleanup :gotJavaHome if not "%TOMCAT_HOME%" == "" goto gotTomcatHome set TOMCAT_HOME=. :gotTomcatHome if exist "%TOMCAT_HOME%\lib\servlet.jar" goto okTomcatHome echo Unable to locate servlet.jar, check the value of TOMCAT_HOME. goto cleanup :okTomcatHome rem - Prepare Appropriate Java Execution Commands --- if not "%OS%" == "Windows_NT" goto noTitle set _SECSTARTJAVA=start "Secure Tomcat 3.2" "%JAVA_HOME%\bin\java" set _STARTJAVA=start "Tomcat 3.2" "%JAVA_HOME%\bin\java" set _RUNJAVA="%JAVA_HOME%\bin\java" goto setClasspath :noTitle set _SECSTARTJAVA=start "%JAVA_HOME%\bin\java" set _STARTJAVA=start "%JAVA_HOME%\bin\java" set _RUNJAVA="%JAVA_HOME%\bin\java" rem - Set Up The Runtime Classpath -- :setClasspath set CP=%TOMCAT_HOME%\classes rem Try to determine if TOMCAT_HOME contains spaces if exist %TOMCAT_HOME%\lib\servlet.jar goto dynClasspath echo Your TOMCAT_HOME appears to contain spaces. echo Unable to set CLASSPATH dynamically. goto staticClasspath :dynClasspath set _LIBJARS= for %%i in (%TOMCAT_HOME%\lib\*.jar) do call %TOMCAT_HOME%\bin\cpappend.bat %%i if not "%_LIBJARS%" == "" goto gotLibJars echo Unable to set CLASSPATH dynamically. if "%OS%" == "Windows_NT" goto staticClasspath echo Note: To set the CLASSPATH dynamically on Win9x systems echo only DOS 8.3 names may be used in TOMCAT_HOME! goto staticClasspath :gotLibJars echo Including all jars in %TOMCAT_HOME%\lib in your CLASSPATH. rem Note: _LIBJARS already contains a leading semicolon set CP=%CP%%_LIBJARS% goto chkClasspath :staticClasspath echo Setting your CLASSPATH statically. if exist "%TOMCAT_HOME%\lib\xerxes_1_2.jar" set CP=%CP%;%TOMCAT_HOME%\lib\xerces_1_2.jar if exist "%TOMCAT_HOME%\lib\xalan_1_2_D02.jar" set CP=%CP%;%TOMCAT_HOME%\lib\xalan_1_2_D02.jar if exist "%TOMCAT_HOME%\lib\fop_0_13_0.jar" set CP=%CP%;%TOMCAT_HOME%\lib\fop_0_13_0.jar if exist "%TOMCAT_HOME%\lib\cocoon.jar" set CP=%CP%;%TOMCAT_HOME%\lib\cocoon.jar if exist "%TOMCAT_HOME%\lib\logicsheet.jar" set CP=%CP%;%TOMCAT_HOME%\lib\logicsheets.jar if exist "%TOMCAT_HOME%\lib\webserver.jar" set CP=%CP%;%TOMCAT_HOME%\lib\webserver.jar if exist "%TOMCAT_HOME%\lib\jasper.jar" set CP=%CP%;%TOMCAT_HOME%\lib\jasper.jar if exist "%TOMCAT_HOME%\lib\jaxp.jar" set CP=%CP%;%TOMCAT_HOME%\lib\jaxp.jar if exist "%TOMCAT_HOME%\lib\parser.jar" set CP=%CP%;%TOMCAT_HOME%\lib\parser.jar if exist "%TOMCAT_HOME%\lib\servlet.jar" set CP=%CP%;%TOMCAT_HOME%\lib\servlet.jar if exist "%TOMCAT_HOME%\lib\db2java.zip.jar" set CP=%CP%;%TOMCAT_HOME%\lib\db2java.zip if exist "%TOMCAT_HOME%\lib\tools.jar" set CP=%CP%;%TOMCAT_HOME%\lib\tools.jar if exist "%TOMCAT_HOME%\lib\turbine-pool.jar" set CP=%CP%;%TOMCAT_HOME%\lib\turbine-pool.jar if exist "%TOMCAT_HOME%\lib\bsf.jar" set CP=%CP%;%TOMCAT_HOME%\lib\bsf.jar if exist
Bug in tomcat 4.0b1
There seems to be a bug in
org.apache.catalina.loader.StandardClassLoader.addRepositoryInternal
At line 1062 jarFile.getManifest() is called but there is no check for
a returned null. In the case of the Oracle 8i thin JDBC driver there
is no manifest so depending on where the jar is located tomcat will
not start or the context will not start.
The exiting code is:
Manifest manifest = jarFile.getManifest();
Iterator extensions =
Extension.getAvailable(manifest).iterator();
while (extensions.hasNext())
available.add(extensions.next());
extensions =
Extension.getRequired(manifest).iterator();
while (extensions.hasNext())
required.add(extensions.next());
and should be replaced with:
Manifest manifest = jarFile.getManifest();
if (manifest != null) {
Iterator extensions =
Extension.getAvailable(manifest).iterator();
while (extensions.hasNext())
available.add(extensions.next());
extensions =
Extension.getRequired(manifest).iterator();
while (extensions.hasNext())
required.add(extensions.next());
}
Donnchadh
--
// Donnchadh Donnabhin mailto:[EMAIL PROTECTED]
// Vistech Software Ltd. http://www.vistechsoftware.com
// Building 7, Cork Airport Business Park, Cork, Ireland
// Ph. +353-21-4315007 Fax +353-21-4315066
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
Re: Webdav Servlet
Hi, Hi there ! today I looked through the webdav servlet. Now I have two questions: On an OPTIONS request the header is not containing the "MS-Author-Via: DAV" line. I just had a brief look at ftp://ftp.isi.edu/in-notes/rfc2518.txt and guess what I could not find any reference for an "MS-Author-Via: DAV" HTTP header field being required by a WebDAV implementation. Could you please provide a reference to where in the WebDAV related standards this has been defined ? Section 9.1 of rfc2518 though very clearly describes a required DAV: Header that could be used by WebDAV clients to detect wether a resource is a WebDAV resource. So the MS webdav tools will try the frontpage extensions first. That's a problem of the MS webdav tools, not using the "DAV:" header for detection but instead expecting a Microsoft Products only non standardized header parameter, isn't it ? If this header line would be added to (unneeded) requests would be omitted. [...] Bye, Ulf Bye, Bernd - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Forming an opinion
Hi all! I've seen a lot of discussion here on Tomcat 3.3 vs 4.0. Without some knowledge about the inside workings of each version, it's very hard to follow it -- I mean, find out the actual issues behind the "politics" -- or the politics behind the actual issues. The article linked by cmanolache, 'Internal Tomcat', is very good IMHO. But then it's all words; there's nothing like studying the way it's implemented. So I was trying to at least take a look at the code and the way it's organized. But the link to the 3.x nightly builds is broken, so no code for 3.3. Do I need CVS to get it? (Don't get used to those weird commands.) And, by the way, has PMC made any important decision about Tomcat 3.3? Thanks a lot, Alex. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
[PATCH]: WAP mime types
Hello, Here is mime mappings required for delivering WAP content from Tomcat. mime-mapping !-- WML Source -- extensionwml/extension mime-typetext/vnd.wap.wml/mime-type /mime-mapping mime-mapping !-- Compiled WML -- extensionwmlc/extension mime-typeapplication/vnd.wap.wmlc/mime-type /mime-mapping mime-mapping !-- WML Script Source -- extensionwmls/extension mime-typetext/vnd.wap.wmls/mime-type /mime-mapping mime-mapping !-- Compiled WML Script -- extensionwmlscriptc/extension mime-typeapplication/vnd.wap.wmlscriptc/mime-type /mime-mapping mime-mapping !-- Wireless Bitmap -- extensionwbmp/extension mime-typeimage/vnd.wap.wbmp/mime-type /mime-mapping Cheers, Kare 8^) -- Kare Nuorteva, Software Engineer Satama UK Ltd mobile +44 7989 852 865 http://www.satama.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Webdav Servlet
Hi, and guess what I could not find any reference for an "MS-Author-Via: DAV" HTTP header field being required by a WebDAV implementation. I think it is just an MS extension. So it's not required. But it also should not cause any harm if you add it. Could you please provide a reference to where in the WebDAV related standards this has been defined ? I have seen it the first time in the webdav module in apache. That's a problem of the MS webdav tools, not using the "DAV:" header for detection but instead expecting a Microsoft Products only non standardized header parameter, isn't it ? Yes, I agree entirely with you. Especially since MS was involved in the webdav standardization process... But unfortunately most of the current webdav clients are MS products and these programs expect this additional header. If you can reduce useless requests to the server by adding this line, don't you think it would be a good thing? Bye, Ulf - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.1/catalina/src/conf web.xml
remm01/01/17 07:21:08 Modified:catalina/src/conf web.xml Log: - Add some WAP related MIME types. Submitted by Kare Nuorteva. Revision ChangesPath 1.13 +20 -0 jakarta-tomcat-4.1/catalina/src/conf/web.xml Index: web.xml === RCS file: /home/cvs/jakarta-tomcat-4.1/catalina/src/conf/web.xml,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- web.xml 2001/01/15 04:26:40 1.12 +++ web.xml 2001/01/17 15:21:08 1.13 @@ -441,6 +441,26 @@ extensionrm/extension mime-typeapplication/vnd.rn-realmedia/mime-type /mime-mapping + mime-mapping !-- WML Source -- +extensionwml/extension +mime-typetext/vnd.wap.wml/mime-type + /mime-mapping + mime-mapping !-- Compiled WML -- +extensionwmlc/extension +mime-typeapplication/vnd.wap.wmlc/mime-type + /mime-mapping + mime-mapping !-- WML Script Source -- +extensionwmls/extension +mime-typetext/vnd.wap.wmls/mime-type + /mime-mapping + mime-mapping !-- Compiled WML Script -- +extensionwmlscriptc/extension +mime-typeapplication/vnd.wap.wmlscriptc/mime-type + /mime-mapping + mime-mapping !-- Wireless Bitmap -- +extensionwbmp/extension +mime-typeimage/vnd.wap.wbmp/mime-type + /mime-mapping !-- Establish the default list of welcome files -- welcome-file-list - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/conf web.xml
remm01/01/17 07:27:25 Modified:catalina/src/conf web.xml Log: - Add some WAP related MIME types. Submitted by Kare Nuorteva. Revision ChangesPath 1.12 +20 -0 jakarta-tomcat-4.0/catalina/src/conf/web.xml Index: web.xml === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/web.xml,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- web.xml 2000/12/22 01:31:03 1.11 +++ web.xml 2001/01/17 15:27:25 1.12 @@ -417,6 +417,26 @@ extensionmpv2/extension mime-typevideo/mpeg2/mime-type /mime-mapping + mime-mapping !-- WML Source -- + extensionwml/extension + mime-typetext/vnd.wap.wml/mime-type + /mime-mapping + mime-mapping !-- Compiled WML -- + extensionwmlc/extension + mime-typeapplication/vnd.wap.wmlc/mime-type + /mime-mapping + mime-mapping !-- WML Script Source -- + extensionwmls/extension + mime-typetext/vnd.wap.wmls/mime-type + /mime-mapping + mime-mapping !-- Compiled WML Script -- + extensionwmlscriptc/extension + mime-typeapplication/vnd.wap.wmlscriptc/mime-type + /mime-mapping + mime-mapping !-- Wireless Bitmap -- + extensionwbmp/extension + mime-typeimage/vnd.wap.wbmp/mime-type + /mime-mapping !-- Establish the default list of welcome files -- welcome-file-list - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader StandardClassLoader.java
remm01/01/17 07:33:46
Modified:catalina/src/share/org/apache/catalina/loader
StandardClassLoader.java
Log:
- Add a null check for the manifest file when loading a JAR file.
A similar patch has already been applied in TC 4.1 for different reasons.
Patch submitted by Donnchadh Ó Donnabháin [EMAIL PROTECTED]
Revision ChangesPath
1.6 +14 -12
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/StandardClassLoader.java
Index: StandardClassLoader.java
===
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/StandardClassLoader.java,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- StandardClassLoader.java 2000/10/09 21:04:02 1.5
+++ StandardClassLoader.java 2001/01/17 15:33:46 1.6
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/StandardClassLoader.java,v
1.5 2000/10/09 21:04:02 craigmcc Exp $
- * $Revision: 1.5 $
- * $Date: 2000/10/09 21:04:02 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/StandardClassLoader.java,v
1.6 2001/01/17 15:33:46 remm Exp $
+ * $Revision: 1.6 $
+ * $Date: 2001/01/17 15:33:46 $
*
*
*
@@ -99,7 +99,7 @@
* independently.
*
* @author Craig R. McClanahan
- * @version $Revision: 1.5 $ $Date: 2000/10/09 21:04:02 $
+ * @version $Revision: 1.6 $ $Date: 2001/01/17 15:33:46 $
*/
public class StandardClassLoader
@@ -1060,14 +1060,16 @@
repository + "'");
}
Manifest manifest = jarFile.getManifest();
-Iterator extensions =
-Extension.getAvailable(manifest).iterator();
-while (extensions.hasNext())
-available.add(extensions.next());
-extensions =
-Extension.getRequired(manifest).iterator();
-while (extensions.hasNext())
-required.add(extensions.next());
+if (manifest != null) {
+Iterator extensions =
+Extension.getAvailable(manifest).iterator();
+while (extensions.hasNext())
+available.add(extensions.next());
+extensions =
+Extension.getRequired(manifest).iterator();
+while (extensions.hasNext())
+required.add(extensions.next());
+}
jarFile.close();
} catch (Throwable t) {
throw new IllegalArgumentException("addRepositoryInternal: " + t);
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
Re: Webdav Servlet
Hi, Hi there ! today I looked through the webdav servlet. Now I have two questions: On an OPTIONS request the header is not containing the "MS-Author-Via: DAV" line. I just had a brief look at ftp://ftp.isi.edu/in-notes/rfc2518.txt and guess what I could not find any reference for an "MS-Author-Via: DAV" HTTP header field being required by a WebDAV implementation. It's definitely not a standard header. However, that's a very interesting explanation. I also noticed that the latest versions of the Webfolders didn't try to access Frontpage style URLs anymore, so apparently MS adopted a more standard behavior. Remy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
Hi Alex, I'm doing nightly builds and source packages at: http://jakarta.apache.org/builds/tomcat/nightly-3.3 Regarding the PMC meeting - it seems all depends on the support and votes that a 3.3 release proposal can get. The main concern ( or at least my understanding of it ) was that 3.3 doesn't have enough support, and I'm ... well, you can read Jon's and Pier's postings so far to get a feeling what kind of person I am. I'll be posting a release plan this evening, that will be voted - and 3.3 will happen if enough people are willing to vote it _and_ help make it happen. I'm still working on the plan, but there are 2 big problems to be resolved: 1. Bug fixes. Tomcat 3.3 will be released _only_ if it'll have all the known bugs fixed, and at least 3 commiters are willing to help fix further bugs. 2. Code review and documentation. I'm not going to propose a release unless and until there is a reasonable amount of documentation ( architecture and comments ) and enough eyeballs read the code and send their comments. Since this will going to be the last version of 3.x( only major bug fixes after - any further development can happen only in revolutions or in another place ) it'll have to basically finish the job and achieve the goals of tomcat 3. I can't stress enough how critical it'll be to get your help. Either bugs or comments on the code or architecture. I'll try to get some time off and I'll spend all my free time in the next months to make it happen - but regardless of what I do, tomcat 3.3 will not happen if you don't help. It doesn't matter how small the bug is - what's important is that _you_ help fixing it. Please don't get involved into any flame - and please ignore Jon and Pier - just don't answer to any provocations. For my health I'm going to filter them out, since I'm not that good at ignoring. Costin P.S. the other conclusion of the PMC ( as I understand it ) was that I'm a bad person that can't be trusted, and all work for 3.2 was done by Craig alone ( my apologies to Larry, Henri and Nacho ). P.P.S. My sincere apologies to Roy and Brian and Hans and Sam and James - I said bad things about the PMC ( that I don't trust it and it's one-sided ), listening you make me believe there is hope. Hi all! I've seen a lot of discussion here on Tomcat 3.3 vs 4.0. Without some knowledge about the inside workings of each version, it's very hard to follow it -- I mean, find out the actual issues behind the "politics" -- or the politics behind the actual issues. The article linked by cmanolache, 'Internal Tomcat', is very good IMHO. But then it's all words; there's nothing like studying the way it's implemented. So I was trying to at least take a look at the code and the way it's organized. But the link to the 3.x nightly builds is broken, so no code for 3.3. Do I need CVS to get it? (Don't get used to those weird commands.) And, by the way, has PMC made any important decision about Tomcat 3.3? Thanks a lot, Alex. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] -- Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
session timeout
Hi, I need to do some work when tomcat session gets timed out. Could anyone of you suggest how I can do it. Changing invalidate/expire method would be the last thing I like to do. Is there any other way (call back method??). Thanks, Jayesh _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
[PROPOSAL] Tomcat 4 Java Security Manager, rev 2
Tomcat 4 Java SecurityManager Proposal (rev 2)
Use of the Java SecurityManager will be optional. The default
will be to start Tomcat with security to keep the folks at
bugtraq happy. Use without security at your own risk.
Currently the policy file is named catalina.policy,
Catalina is more of an internal development name for
Tomcat 4. To be consistent with Tomcat 3.x the policy
file will be named tomcat.policy instead of the current
catalina.policy.
Which raises a point, alot of environment variables in
Tomcat4 use CATALINA_ instead of TOMCAT_. Since Catalina
will be Tomcat 4, shouldn't these names be changed to
TOMCAT_ instead of Catalina?
Setting policies for internal Tomcat classes
Security policies will be set using the tomcat.policy file. Security
checks will be based only on the codeSource of the class matching the
codeBase for JVM and Tomcat internal classes.
Example tomcat.policy entries affecting Tomcat internals
// javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// java
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
// Tomcat core
grant codeBase="file:${tomcat.home}/server/-" {
permission java.security.AllPermission;
};
// Tomcat core common to both web apps and Tomcat
grant codeBase="file:${tomcat.home}/bin/-" {
permission java.security.AllPermission;
};
Setting policies for web application contexts
-
A web application has its security based on either the default grant in
tomcat.policy or an entry for the context which uses the Context path
file URL as the codeBase. This policy will be in affect for any Class running
within the Context thread no matter which ClassLoader loaded the class
which triggered a security check. A default permission to read files in
the Context path is granted.
Tomcat 4 will come with a variety of example policy files,
policy files configured for unix and windows, example policy
files for lax and secure usage. The permissions in those
policy files have not yet been determined. What follows
is an example of how security for web applications are
configured.
// Permissions configured here are the maximum set of
// permissions that will be delegated to any web app
grant codeBase="file:${tomcat.home}/bin/servlet.jar" {
// To be determined
};
// Default permissions for a Context, all contexts have these permissions
grant {
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
};
// Additional Permissions for tomcat examples context
grant codeBase="file:${tomcat.home}/webapps/examples/- {
permission java.util.PropertyPermission "*", "read";
permission java.net.SocketPermission "*:80" "connect,resolve";
permission java.io.FilePermission
"${tomcat.home}/webapps/examples/WEB-INF/data/-","read,write,delete";
};
// Special permissions within a web app,
// This would contain a subset of the context permissions
grant codeBase="file:${tomcat.home}/webapps/examples/WEB-INF/lib/someHTTPpackage.jar" {
permission java.net.SocketPermission "some.host.com:80" "connect,resolve";
};
// Special permissions within a web app,
// This would contain a subset of the context permissions
grant
codeBase="file:${tomcat.home}/webapps/examples/WEB-INF/lib/someFileIOpackage.jar" {
permission java.util.PropertyPermission "*", "read";
permission java.io.FilePermission
"${tomcat.home}/webapps/examples/WEB-INF/data/-","read,write,delete";
};
In the above example the someHTTPpackage.jar would be allowed to make an
HTTP connection to "some.host.com", but not write files. And the
someFileIOpackage.jar would be allowed to write files in the
/WEB-INF/data directory but not make an HTTP connection.
This is because the security permissions allowed for the current class
are based on the intersection of its permissions with the permissions of
all the parent classes on the stack.
Security
Re: Forming an opinion
Costin Manolache wrote: 1. Bug fixes. Tomcat 3.3 will be released _only_ if it'll have all the known bugs fixed, and at least 3 commiters are willing to help fix further bugs. It does not need to be all. A significant dent would be sufficient. P.S. the other conclusion of the PMC ( as I understand it ) was that I'm a bad person that can't be trusted, and all work for 3.2 was done by Craig alone ( my apologies to Larry, Henri and Nacho ). Flamebait such as the above does not help your cause. Craig filled a void in 3.2 that you, Larry, Henri, Nacho and most signifcantly myself left. Any 3.3 proposal will need to include provisions to address this void. - Sam Ruby - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: session timeout
Jayesh typed the following on 08:00 AM 1/17/2001 -0800 I need to do some work when tomcat session gets timed out. Could anyone of you suggest how I can do it. With servlet 2.2 (Tomcat 3.x) you should make sure one of the attributes you're adding to the session implements HttpSessionBindingListener. When the session gets timed out, the container will call valueUnbound() on that object. As long as you know you're not the one unbinding the object (e.g. by calling removeAttribute() or replacing the attribute by calling setAttribute() with the same name), you can assume the session is being expired or invalidated. With servlet 2.3 (Tomcat 4.x) you can also create an object which implements HttpSessionListener, and configure it in your web.xml like this: web-app listener listener-classcom.foo.SessionAttributeSnoop/listener-class /listener /web-app This object will have its sessionDestroyed() method called when it is destroyed for any reason. Of course, if the server goes down in a bad way none of these events will be called, so there are no guarantees. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
RE: Forming an opinion
I agree Costin. Avoid the flame bait. I am willing to help on code review and - if/when I know the beast better - documentation. My schedule gets a bit lighter next week. I will, of course, ask loads of things. But I hope I will mostly need pointers to things. Have fun, Paulo Gaspar -Original Message- From: Sam Ruby [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 17, 2001 17:17 P.S. the other conclusion of the PMC ( as I understand it ) was that I'm a bad person that can't be trusted, and all work for 3.2 was done by Craig alone ( my apologies to Larry, Henri and Nacho ). Flamebait such as the above does not help your cause. Craig filled a void in 3.2 that you, Larry, Henri, Nacho and most signifcantly myself left. Any 3.3 proposal will need to include provisions to address this void. - Sam Ruby - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
[EMAIL PROTECTED] wrote: [...] Regarding the PMC meeting - it seems all depends on the support and votes that a 3.3 release proposal can get. That's exactly right. The main concern ( or at least my understanding of it ) was that 3.3 doesn't have enough support, and I'm ... well, you can read Jon's and Pier's postings so far to get a feeling what kind of person I am. [...] P.S. the other conclusion of the PMC ( as I understand it ) was that I'm a bad person that can't be trusted, and all work for 3.2 was done by Craig alone ( my apologies to Larry, Henri and Nacho ). It saddens me to see this type of comment after the meeting. I'm only going to say this once and I will not get into a discussion about it again. *No one* has said anything about you being a bad person in these discussions, or that the code is bad, or anything like that. As was clear in the meeting yesterday, the whole issue is about the fact that major refactoring work has continued on the HEAD without a release plan and agreed upon goals, and a concern that releasing the result without guarantees that there are committers willing to supporting it can tarnish Tomcat's reputation. It's *not* personal, it's about making sure that the development is done in a way supported by the committers in the project and in line with our guidelines. Hans -- Hans Bergsten [EMAIL PROTECTED] Gefion Software http://www.gefionsoftware.com Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
I totally agree with Hans. I attended the meeting yesterday and would hate to see this kind of misunderstanding. Costin, I really don't think that anyone is after you personally. No one is saying that you're a bad person. I personally think that the passon you have about what you do is very admirable. It's just that the many people in the group are concerned about the main issues that were discussed in the meeting. (support, bug fixes, etc.) And I think these concerns are fair based on the history that I have been told at the meeting. I hope that everyone's interest focuses on what's best for this project and how we can make it better not just on their personal issues. Warm Regards, Amy Quoting Hans Bergsten [EMAIL PROTECTED]: [EMAIL PROTECTED] wrote: [...] Regarding the PMC meeting - it seems all depends on the support and votes that a 3.3 release proposal can get. That's exactly right. The main concern ( or at least my understanding of it ) was that 3.3 doesn't have enough support, and I'm ... well, you can read Jon's and Pier's postings so far to get a feeling what kind of person I am. [...] P.S. the other conclusion of the PMC ( as I understand it ) was that I'm a bad person that can't be trusted, and all work for 3.2 was done by Craig alone ( my apologies to Larry, Henri and Nacho ). It saddens me to see this type of comment after the meeting. I'm only going to say this once and I will not get into a discussion about it again. *No one* has said anything about you being a bad person in these discussions, or that the code is bad, or anything like that. As was clear in the meeting yesterday, the whole issue is about the fact that major refactoring work has continued on the HEAD without a release plan and agreed upon goals, and a concern that releasing the result without guarantees that there are committers willing to supporting it can tarnish Tomcat's reputation. It's *not* personal, it's about making sure that the development is done in a way supported by the committers in the project and in line with our guidelines. Hans -- Hans Bergsten [EMAIL PROTECTED] Gefion Software http://www.gefionsoftware.com Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
without guarantees that there are committers willing to supporting it can tarnish Tomcat's reputation. It's *not* personal, it's about making sure that the development is done in a way supported by the committers in the project and in line with our guidelines. Sorry for taking it as a personal thing, I'll stop discussing that. Costin ( believe me, it was one of my worst days, I hope you understand a bit my feelings. ) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: TC 4 / mod_jk
Dan Milstein wrote:
Craig,
I assume I'm the person interested in porting mod_jk to TC 4 (if there's anyone
else, please get in touch with me ;-).
Thank you for clarifying the issue about the difference between the 2.2 and 2.3
specs -- I hadn't realized that.
I do have a question: how would you feel about including mod_jk in TC 4 before it
became totally 2.3 compliant? In other words, if I managed to write ajp13 and/or
ajp12 connectors for TC 4, how would you feel about that being committed to cvs
immediately, so that people could start using it (and using TC with various web
servers), *before* making the extensive additions which would be necessary to bring
it into 2.3 compliance?
To my mind this would be worthwhile, and in keeping with TC 4 development in general
-- there is the doc specifying the various degrees of "doneness" of 2.3 compliance.
I see it as a very pragmatic path -- I believe that adding a functional web server
connector would give many, many more people reason to start using TC 4, which can
only be a good thing. And, I hope, that increased usage would bring more volunteer
resources to bear on the connectors -- which could be mod_webapp or mod_jk.
I ask this because I am honestly not sure how much time I can devote to the project
-- I am hoping to write the ajp13 connector, but I am not sure if I will have the
time to rewrite all the C code (something I'm not as expert at) to bring mod_jk into
2.3 compliance. If I can only offer the code for the current ajp13, would that be
something you would be comfortable with merging into the TC 4 codebase?
I am OK with (as opposed to enthusiastic about -- I'd personally prefer to see people
fixing mod_webapp than doing this) someone wanting to write a Tomcat 4 connector for
MOD_JK, as long as:
* Everyone understands that it's there simply for porting
and won't be compliant with the final specs
* Enough people are willing to do support for it so that it
doesn't just collect bug reports (like MOD_JK did until
you and others started working on it again)
The quickest way to accomplish this would be to mimic the organizational structure of
org.apache.catalina.connector.http.Http{Connector,Processor}, and change the way that
request properties get sent. Everything that happens to a request after that point
(i.e. after you call invoke() on the Engine) does not care where the request came from.
NOTE: In terms of timing, I'd rather see this work in the 4.1 repository so it
doesn't destabilize anything in the 4.0 beta cycle, or delay it.
Thanks,
-Dan
Craig
"Craig R. McClanahan" wrote:
GOMEZ Henri wrote:
[finally ... a technical issue!]
I still didn't understand why TC 4.0 didn't select mod_jk as
their connector to WebServer. The code is clean and many bugs
are removed. A web server connector is not an easy piece of cake
so why reinvent the whell ?-(
Tomcat 4.0 did not select mod_jk for several reasons. The most important ones
are at the top:
* MOD_JK (like MOD_JSERV before it) has no clue what a web
application is. This forces you to configure many items twice --
once in the web.xml file and once in the Apache configuration,
which is a pretty serious imposition on people trying to administer
the combination.
* While the 2.2 spec was silent in many areas, the 2.3 spec will
require an Apache+Tomcat combination to obey *all* the requirements
of the spec (same rules as for any other container). This means that
the things in web.xml *must* be respected. For example, a security
constraint in a web.xml file must be enforced, even on a static resource
that is served by Apache instead of Tomcat. Substantial modifications
to MOD_JK would be needed to make this work (primarily in adding a
two-way exchange of configuration information).
* MOD_JK had no committers interested in maintaining it, at the time
that the decision was made. Subsequent to that time, several
volunteers have surfaced, including at least one person interested in
supporting MOD_JK under Tomcat 4.0. That would be fine with me,
as long as the result obeys all the rules.
Craig McClanahan
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
--
Dan Milstein // [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
Re: Urgent issue!
[EMAIL PROTECTED] wrote: Hello, sorry for posting this issue on the dev list, but on the user list no one has an idea about a solution and so I thought you guys should take care and provide an answer to the user list. This is the error message on the console: 2001-01-17 01:29:59 - Ctx( ): IOException in: R( + cocoon/back.gif + null)socket write error (code=10053) The page is displayed correctly so what is wrong? See the attached files. Configuration: WinNT, Tomcat 3.2.1 (stand alone), Cocoon 1.8 I have seen this when using Internet Explorer (IE) and the resource is cached by IE. It seems like IE closes the connection before reading the complete response in this case, so Tomcat complains that it couldn't write the full response. I don't see a way to fix this at the Tomcat end. Hans -- Hans Bergsten [EMAIL PROTECTED] Gefion Software http://www.gefionsoftware.com Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: mod_jk ACL - next
GOMEZ Henri wrote: Hi, I'm busy these days and didn't have many time on ACL for mod_jk. Before investing too many times, just want to describe the plan : 1) Create stuff to handle InetMask a l hosts.allow / hosts.deny. Data initialized via config in server.xml From 3.2 server.xml Connector className="org.apache.tomcat.service.PoolTcpConnector" Parameter name="handler" value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/ Parameter name="port" value="8009"/ Parameter name="deny" value="ALL"/ Parameter name="allow" value="172.168.1.0/24"/ Parameter name="allow" value="127.0.0.1"/ /Connector After connection, ACL is checked and connection closed (and warned) if rules not meet Just out of curiousity, can't you use Apache's standard filtering directives in conjunction with MOD_JK? Why do you need to implement it here as well? 2) The ACL stuff could also be used in a Realm ? Thanks for more Lights ;-) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] Craig - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
RE: TC4's classloader choking on xerces.jar (maybe)
Bob, I don't really understand it but what I heard was that any xml jar that you want to add to your context will need to go in the $TOMCAT_HOME/lib dir rather that your context's WEB-INF/lib dir. XML apparently is considered differently that your other .jar files. Again, I don't know exactly why but that seesm to be the case. I have my xerces.jar in the $TOMCAT_HOME/lib and the rest of my jars in the WEB-INF/lib and everything is fine. FYI: Tomcat 3.2 comes with a jaxp.jar file for its own use. If you just drop your xerces.jar file in that lib directory you may encounter problems (as I had) because the jaxp.jar will come before the xerces.jar file in the CLASSPATH. I renamed my xerces.jar to a_xerces.jar so that I know it gets loaded first and that I won't run into a conflict with the same classes listed in both jar files. Peter Len - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: NEWBIE PROBLEM: JSP files under htdocs in Apache
Robert, This kind of question is much better addressed to the TOMCAT-USER mailing list. TOMCAT-DEV is for discussions about how to build Tomcat itself, not how to use it. You can subscribe by sending an empty message to [EMAIL PROTECTED] or follow the link on the Jakarta web site. Thanks, Craig McClanahan Robert Adams wrote: Hi I do not know if I am to junior for this list. I am running apache and tomcat. I got apache to pass requests for servlets and jsp files to tomcat, but only the default example JSP pages in the /examples directory under tomcat. The problem is that I cannot get tomcat to look at JSP files under my htdocs(apache) dir, it can only process stuff under the examples dir. How do I configure tomcat to process(compile) JSP pages to servlets located elsewhere from the default directories. A Newbie -Original Message- From: GOMEZ Henri [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 17, 2001 13:08 To: [EMAIL PROTECTED] Subject: RE: TC 4 / mod_jk Oups didn't view your reply in the list. Tomcat 4.0 did not select mod_jk for several reasons. The most important ones are at the top: * MOD_JK (like MOD_JSERV before it) has no clue what a web application is. This forces you to configure many items twice -- once in the web.xml file and once in the Apache configuration, which is a pretty serious imposition on people trying to administer the combination. Why not implemented such feature in mod_jk (extending ajp13 to ajp14 with news commands ?) * While the 2.2 spec was silent in many areas, the 2.3 spec will require an Apache+Tomcat combination to obey *all* the requirements of the spec (same rules as for any other container). This means that the things in web.xml *must* be respected. For example, a security constraint in a web.xml file must be enforced, even on a static resource that is served by Apache instead of Tomcat. Substantial modifications to MOD_JK would be needed to make this work (primarily in adding a two-way exchange of configuration information). I'm sorry to say that this stuff may be added to mod_jk. Still the syndrom of the wheel. * MOD_JK had no committers interested in maintaining it, at the time that the decision was made. Subsequent to that time, several volunteers have surfaced, including at least one person interested in supporting MOD_JK under Tomcat 4.0. That would be fine with me, as long as the result obeys all the rules. Sorry but mod_jk as at minima 3 commiters (Dan, Costin and I) ;) And many users as provided some patches. Let me resume : mod_jk : functionnal connector, load-balancing, TC 3.2 and 3.3 compatibility mod_webapp : connector (with bug in cookies - no session possibles), no load-balancing, strictly restrited to 4.x I've reported the cookie problem at least 2 times but still no answer : http://w4.metronet.com/~wjm/tomcat/2000/Dec/msg01064.html http://w4.metronet.com/~wjm/tomcat/2001/Jan/msg00204.html The pragmatic approach will to add mod_webapp stuff (related to 2.3) to mod_jk, eventually by deriving ajp13 to ajp14. Adding two-ways exchange may be a real need for centralized admin (apache admin from tomcat or tomcat from apache) I didn't remember there was a vote or poll on mod_jk/mod_webapp ?-) (No polemic) A+ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
BugRat Report #791 has been filed.
Bug report #791 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/791 REPORT #791 Details. Project: Tomcat Category: Feature Requests SubCategory: Enhancement Class: swbug State: received Priority: medium Severity: critical Confidence: public Environment: Release: Tomcat 3.2.1 JVM Release: NA Operating System: NA OS Release: NA Platform: NA Synopsis: JDBCRealm: authenticating a user that is not in any groups results in ArrayIndexOutOfBoundException if logging is on Description: After JDBCRealm.authorize calls userRoles = getUserRoles( user ); It calls if( debug 0 ) log( "Auth ok, first role=" + userRoles[0] ); If debug is turned on, and the current user has no roles, this results in an ArrayIndexOutOfBoundsException Title: BugRat Report # 791 BugRat Report # 791 Project: Tomcat Release: Tomcat 3.2.1 Category: Feature Requests SubCategory: Enhancement Class: swbug State: received Priority: medium Severity: critical Confidence: public Submitter: Adam Rabung ([EMAIL PROTECTED]) Date Submitted: Jan 17 2001, 12:48:26 CST Responsible: Z_Tomcat Alias ([EMAIL PROTECTED]) Synopsis: JDBCRealm: authenticating a user that is not in any groups results in ArrayIndexOutOfBoundException if logging is on Environment: (jvm, os, osrel, platform) NA, NA, NA, NA Additional Environment Description: Report Description: After JDBCRealm.authorize calls userRoles = getUserRoles( user ); It calls if( debug > 0 ) log( "Auth ok, first role=" + userRoles[0] ); If debug is turned on, and the current user has no roles, this results in an ArrayIndexOutOfBoundsException How To Reproduce: null Workaround: null View this report online... - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: mod_jk ACL - next
Connector className="org.apache.tomcat.service.PoolTcpConnector" Parameter name="handler" value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/ Parameter name="port" value="8009"/ Parameter name="deny" value="ALL"/ Parameter name="allow" value="172.168.1.0/24"/ Parameter name="allow" value="127.0.0.1"/ /Connector After connection, ACL is checked and connection closed (and warned) if rules not meet Just out of curiousity, can't you use Apache's standard filtering directives in conjunction with MOD_JK? Why do you need to implement it here as well? The goal is to protect the tomcat instance - the apache directives are protecting the apache server. ( it is needed to prevent possible security problems ) Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
on 1/17/01 10:28 AM, "[EMAIL PROTECTED]" [EMAIL PROTECTED] wrote: Costin ( believe me, it was one of my worst days, I hope you understand a bit my feelings. ) Why was it one of your worst days? I don't see how it could have been bad, nor do I see how that could influence your actions here by starting to send yet more flame bait. Also, I'm going to ask YET AGAIN and which we ALL agreed on in the meeting... Do not refer to Tomcat 3.3 as a version number. Tomcat 3.3 does not exist before the proposal that you still need to make and should not be referred to at all. Pick another name, it will confuse people by referring to it as Tomcat 3.3 because you are setting expectations that may or may not ever materialize (depending on the majority committer consensus here according to the rules). Where are those meeting notes Sam? thanks, -jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
BugRat Report #792 has been filed.
Bug report #792 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/792 REPORT #792 Details. Project: Tomcat Category: Bug Report SubCategory: New Bug Report Class: webbug State: received Priority: medium Severity: critical Confidence: public Environment: Release: Tomcat 3.2.1 JVM Release: 1.2.2 Operating System: Solaris OS Release: Solaris 2.7 Platform: Unix Synopsis: Server throws an request exception for every request Description: When a JSP page is Requestes the page gets displayed well, but on the server console this error is thrown. 2001-01-17 02:06:09 - ContextManager: SocketException reading request, ignored - java.net.SocketException: Connection reset by peer at java.net.PlainSocketImpl.socketAvailable(Native Method) at java.net.PlainSocketImpl.socketAvailable(Compiled Code) at java.net.PlainSocketImpl.available(Compiled Code) at java.net.SocketInputStream.available(Compiled Code) at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(Compiled Code) at org.apache.tomcat.service.TcpWorkerThread.runIt(Compiled Code) at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(Compiled Code) at java.lang.Thread.run(Compiled Code) Title: BugRat Report # 792 BugRat Report # 792 Project: Tomcat Release: Tomcat 3.2.1 Category: Bug Report SubCategory: New Bug Report Class: webbug State: received Priority: medium Severity: critical Confidence: public Submitter: Rajesh Rao ([EMAIL PROTECTED]) Date Submitted: Jan 17 2001, 01:33:24 CST Responsible: Z_Tomcat Alias ([EMAIL PROTECTED]) Synopsis: Server throws an request exception for every request Environment: (jvm, os, osrel, platform) 1.2.2, Solaris, Solaris 2.7, Unix Additional Environment Description: I have installed only tomcat and no apache , just using tomcat at 8080 port. Report Description: When a JSP page is Requestes the page gets displayed well, but on the server console this error is thrown. 2001-01-17 02:06:09 - ContextManager: SocketException reading request, ignored - java.net.SocketException: Connection reset by peer at java.net.PlainSocketImpl.socketAvailable(Native Method) at java.net.PlainSocketImpl.socketAvailable(Compiled Code) at java.net.PlainSocketImpl.available(Compiled Code) at java.net.SocketInputStream.available(Compiled Code) at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(Compiled Code) at org.apache.tomcat.service.TcpWorkerThread.runIt(Compiled Code) at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(Compiled Code) at java.lang.Thread.run(Compiled Code) Workaround: null View this report online... - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: IM LOST, ERROR 500????
Delivery failure: javax.mail.MessagingException: 452 Filesystem error - message not accepted Delivery failure: javax.mail.MessagingException: 452 Filesystem error - message not accepted Delivery failure: javax.mail.MessagingException: 452 Filesystem error - message not accepted Delivery failure: javax.mail.MessagingException: 452 Filesystem error - message not accepted Hi Im writing my first little program that will welcome a user once she enters and submits her details into a web page.There is no problem Writing the JSP files but I cannot start a new .java file in Jbuilder, so I write it in Homesite, save it as .java and attempt to compile it to .class in Jbuilder. Im having difficulty converting the .javafile to .class I have tried compiling the .java file to a .class in JBuilder, but I keep getting the following warning: "Warning #908: check sourcepath; source c:\jakarta-tomcat\webapps\mary\Web-inf\Classes\namehandler.java cannot be found on source pathby appending \mary\namehandler.java to each sourcepath entry." (mary is the name of the package) When I try to view the program in my browser at http:// localhost etc etc I get the following error Error: 500 Location: /Mary/hellouser.jsp Internal Servlet Error:org.apache.jasper.JasperException: Bad file argument to include at org.apache.jasper.compiler.JspParseEventListener.handleDirective(JspParseEventListener.java, Compiled Code) at org.apache.jasper.compiler.DelegatingListener.handleDirective(DelegatingListener.java:116) at org.apache.jasper.compiler.Parser$Directive.accept(Parser.java, Compiled Code) at org.apache.jasper.compiler.Parser.parse(Parser.java, Compiled Code) at org.apache.jasper.compiler.Parser.parse(Parser.java:1038) at org.apache.jasper.compiler.Parser.parse(Parser.java:1034) at org.apache.jasper.compiler.Compiler.compile(Compiler.java, Compiled Code) at org.apache.jasper.runtime.JspServlet.loadJSP(JspServlet.java:413) at org.apache.jasper.runtime.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:149) at org.apache.jasper.runtime.JspServlet$JspServletWrapper.service(JspServlet.java:161) at org.apache.jasper.runtime.JspServlet.serviceJspFile(JspServlet.java:261) at org.apache.jasper.runtime.JspServlet.service(JspServlet.java, Compiled Code) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.tomcat.core.ServletWrapper.handleRequest(ServletWrapper.java, Compiled Code) at org.apache.tomcat.core.ContextManager.service(ContextManager.java:559) at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:160) at org.apache.tomcat.service.TcpConnectionThread.run(SimpleTcpEndpoint.java:338) at java.lang.Thread.run(Thread.java:479)PLEASE PLEASE PLEASE, anyone with help?Get your FREE download of MSN Explorer at http://explorer.msn.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
RE: TOMCAT ENCRYPTION OF CREDIT CARD NUMS???????
The only thing you probably need to do is make sure nobody can look at the credit card information while it's being sent from the client to the server. Regular HTTP is text based so everything going over the wire can actually be read by a person, that person could be mr. Evil Man and he could therefore see the credit card number in plain text. So what you would need to do is encrypt the credit card number before it leaves the client browser. The only (IMHO) decent way of doing this is to set up an SSL connection with the client. What that means is you encrypt everything that's going from the client and the server. This is done by setting the webserver up to support SSL (HTTP over SSL is called HTTPS and all urls begin with https://yadiyadiya.bla). I can't really give you much more information about how you would set that up since I'm not very familiar with how to set up parts of websites with https and other parts with http. I could tell you how to encrypt all connections coming in to your website but that is probably a big overhead since you probably don't need to encrypt everything the user does on the web (what he/she puts in his/her shopping cart or whatever) but just need to encrypt the credit card number. You can find info on Tomcat SSL in http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/tomcat-ssl-howto .html. Now if you need to store the credit card encrypted in a database once the server receives it then you should look at: http://www.javasoft.com/products/jce/index.html The recommended encrypt/decrypt algorithm would be an algorithm called Tripple DES and you should probably be able to find something about it somewhere on that site. Look at the API docs and especially at the javax.crypto.Cipher class. Hope this helps at all. Regards, Stefan p.s. it would be interesting to know exactly what you were meaning though... do you need to encrypt the card number to store it in a database or do you just need to encrypt the communication between client/server? -Original Message- From: Mary McCarthy [mailto:[EMAIL PROTECTED]] Sent: 17. janar 2001 02:35 To: [EMAIL PROTECTED] Subject: TOMCAT ENCRYPTION OF CREDIT CARD NUMS??? Hi all, Help badly needed by anyone with ANY information on the foollowing: I am designing an online booking system using JSP, Java Beans and Tomcat for a project at uni. Does anyone have any information on how to encrypt a credit card number with Tomcat in mind. Surely there is some code I code take from somewhere to help me. Credit card security is a side project on top of my booking system. If anyone knows of any documentation or code available on the web, please mail me as all I can seeem to find is companys offering to selll me their security systems for $500! A big thanks in advance!! _ Get your FREE download of MSN Explorer at http://explorer.msn.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
denial of service attack
I must apologize first by saying that I originally found this bug with
Jserv not Tomcat, but those of you who are familiar with Tomcat
internals can probably tell fairly quickly if this would still be an
issue.
=
This bug deals with an out of memory condition within Jserv which is
more a design/security issue. The scenario is that when a session is
created by a servlet; memory is allocated by the JVM for that session
and stays allocated until these two conditions occur 1) the servlet
invalidates the session or the session timeout is reached which
invalidates the session and 2) JVM garbage collection returns that
allocated memory back to the heap.
The reason this is a design/security issue is because any normal Java
Servlet application can be used for a denial of service attack. The
Java Servlet specification encourages applications to use sessions if
they wish to maintain state. A hacker can easily discover if any
application is a Java Servlet which uses sessions by checking to see if
the JSESSIONID cookie is defined; if the hacker finds one then a simple
program can be used to increase the memory usage on the server and crash
the JVM.
while (server is still up)
send an HTTP request to the servlet URL which creates the session
The timeout variable and the maximum java heap size are the only two
ways that the application can attempt to avoid this attack; by setting a
short timeout and a large heap size, one can hope that there is a
sufficient span to handle all of the requests (i.e. the timeout kicks in
before the memory has max'ed out). But there are problems with this:
* Set a timeout too short and normal users get their session invalidated
before they are able to complete normal usage of the application.
* Java heap size reserves memory which cannot be swapped out (on solaris
at least), so a large heap size puts a strain on the server's memory.
* The hacker can always deploy additional clients to generate more
concurrent requests.
=
I have been writing stress tests for Jserv, Tomcat, and our own servlet
engine; when I brought this issue up with the developers here, I
essentially got my hand slapped (*sigh*) and told "application
developers must deal with this, it is not the servlet engines
responsibility". Which I think is a highly unfortunate answer because
HttpSession is a core servlet API and telling developers that they
cannot use it and should use an alternate mechansim, just seems wrong to
me. So, I figured I would post a message to this list for discussion.
I did have an idea for how this issue can be resolved; I've not totally
thought it through, but it may be a good start.
=
Given a parameter (num_of_sessions) which is the maximum number of new
sessions.
Given a parameter (time_period) which is a time interval.
Implement a verification such that maximum number of new sessions that
can be created from the same client within a time interval. This would
require that you maintain a creation date and client identifier with
each session.
if (creating a new session)
{
session_count = 0
Loop through set of sessions for that client
{
/* Was this session created within the time period */
if ((current_date - creation_date_of_session) time_period)
++session_count;
}
if ((session_count + 1) num_of_sessions)
/* Good possibility we are being attacked */
else
/* create the new session */
}
=
Presumably default values could be given to the num_of_session and
time_period parameters which still allow the problem user (somebody
opening up multiple browser windows, stoppng/starting browser, etc) to
gain access to the application, yet small enough to prevent the JVM from
consuming large amounts of memory before the attack is discovered. Once
an attack is discovered, the servlet engine could be proactive and
delete all of the sessions created by the client to free up the memory,
log messages, etc.
cheers
Scott
/* Thankfully Oracle doesn't speak for me, nor vice-versa */
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
Re: Jakarta PMC Meeting Agenda / Info
Peter, Amazingly expensive. Calling from the US to Australia is incredibly cheap by comparison. Check out: http://1010phonerates.com/aus_etc.html As for the openness of the meetings, I have a few suggestions. This is the internet age. We are internet kinds of guys. How about using it: 1) Record the meetings for WAV or MPEG download afterward. Then people can go back and find out what decisions were made and why. 2) Have a live feed for those whose connections are high enough. Heck, even put in a camera or three and feed them live as well. 3) Allow people to use internet phone chat s/w to add their comments in some parts of the meeting set aside for remote participants. On Mon, 15 Jan 2001 13:42:36 +1100, Peter Donald wrote: $1000 for a couple hour phone call? I find that impossible to believe. What phone company are you using? Either $4 or $8 a minute from Melbourne, Australia during daytime using telstra (Australias main provider). - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
RE: denial of service attack
What's a client? For instance, if it's truly an attack, it would be
trivial to spoof IP addresses. And with entire corporations behind
NAT firewalls, simply setting the number of sessions per IP addresses
to a `small' number would not work.
Or, are you saying, don't initiate a session until the client
authenticates himself? That's great, except it still breaks for
things like account creation sequences.
Which can be implemented with hidden fields instead of sessions or
some such . . .
-tom
-Original Message-
From: Scott Christley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 17, 2001 10:54 AM
To: [EMAIL PROTECTED]
Subject: denial of service attack
I must apologize first by saying that I originally found this bug with
Jserv not Tomcat, but those of you who are familiar with Tomcat
internals can probably tell fairly quickly if this would still be an
issue.
=
This bug deals with an out of memory condition within Jserv which is
more a design/security issue. The scenario is that when a session is
created by a servlet; memory is allocated by the JVM for that session
and stays allocated until these two conditions occur 1) the servlet
invalidates the session or the session timeout is reached which
invalidates the session and 2) JVM garbage collection returns that
allocated memory back to the heap.
The reason this is a design/security issue is because any normal Java
Servlet application can be used for a denial of service attack. The
Java Servlet specification encourages applications to use sessions if
they wish to maintain state. A hacker can easily discover if any
application is a Java Servlet which uses sessions by checking to see if
the JSESSIONID cookie is defined; if the hacker finds one then a simple
program can be used to increase the memory usage on the server and crash
the JVM.
while (server is still up)
send an HTTP request to the servlet URL which creates the session
The timeout variable and the maximum java heap size are the only two
ways that the application can attempt to avoid this attack; by setting a
short timeout and a large heap size, one can hope that there is a
sufficient span to handle all of the requests (i.e. the timeout kicks in
before the memory has max'ed out). But there are problems with this:
* Set a timeout too short and normal users get their session invalidated
before they are able to complete normal usage of the application.
* Java heap size reserves memory which cannot be swapped out (on solaris
at least), so a large heap size puts a strain on the server's memory.
* The hacker can always deploy additional clients to generate more
concurrent requests.
=
I have been writing stress tests for Jserv, Tomcat, and our own servlet
engine; when I brought this issue up with the developers here, I
essentially got my hand slapped (*sigh*) and told "application
developers must deal with this, it is not the servlet engines
responsibility". Which I think is a highly unfortunate answer because
HttpSession is a core servlet API and telling developers that they
cannot use it and should use an alternate mechansim, just seems wrong to
me. So, I figured I would post a message to this list for discussion.
I did have an idea for how this issue can be resolved; I've not totally
thought it through, but it may be a good start.
=
Given a parameter (num_of_sessions) which is the maximum number of new
sessions.
Given a parameter (time_period) which is a time interval.
Implement a verification such that maximum number of new sessions that
can be created from the same client within a time interval. This would
require that you maintain a creation date and client identifier with
each session.
if (creating a new session)
{
session_count = 0
Loop through set of sessions for that client
{
/* Was this session created within the time period */
if ((current_date - creation_date_of_session) time_period)
++session_count;
}
if ((session_count + 1) num_of_sessions)
/* Good possibility we are being attacked */
else
/* create the new session */
}
=
Presumably default values could be given to the num_of_session and
time_period parameters which still allow the problem user (somebody
opening up multiple browser windows, stoppng/starting browser, etc) to
gain access to the application, yet small enough to prevent the JVM from
consuming large amounts of memory before the attack is discovered. Once
an attack is discovered, the servlet engine could be proactive and
delete all of the sessions created by the client to free up the memory,
log messages, etc.
cheers
Scott
/* Thankfully Oracle doesn't speak for me, nor vice-versa */
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional
Re: denial of service attack
Scott Christley typed the following on 10:54 AM 1/17/2001 -0800 I must apologize first by saying that I originally found this bug with Jserv not Tomcat, but those of you who are familiar with Tomcat internals can probably tell fairly quickly if this would still be an issue. It could potentially be an issue, but can be controlled to some extent. The PersistentManager class I have submitted for Tomcat 4 offers a bit more control. I can offer a few comments on Tomcat 4 with and without this class. The nature of the possible attack, as I understand it, is that a bad guy can make a rapid series of requests to the web app, causing the generation of a large number of session objects thereby eating up available memory. The current StandardSession implementation has a parameter called maxActiveSessions which, if set (it's disabled by default), limits the number of sessions which the server will create. A request which tries to create any sessions after the limit is reached throws an IllegalStateException. This isn't ideal for the user experience, but if it is set according to the likely session memory usage and the heap size, it should occur just before memory runs out, so it's better than the alternative. PersistentManager, which would be an optional replacement for StandardSession, allows you to have sessions swapped out of memory (to a file or DB most likely) based on configurable parameters: idle time and the number of active sessions. Sessions over a certain number would be swapped out, as would sessions idle for a configurable time. The caveat on this is that there is a danger of thrashing when the site is very active - sessions could be constantly swapped in and out of memory, exacerbating performance problems. So there is an option to set a minimum idle time - sessions which are idle for less than this time won't be swapped out even if there are more than maxActiveSessions in memory. This effectively turns maxActiveSessions into a soft limit rather than a hard limit. I did have an idea for how this issue can be resolved; I've not totally thought it through, but it may be a good start. = Given a parameter (num_of_sessions) which is the maximum number of new sessions. Given a parameter (time_period) which is a time interval. Implement a verification such that maximum number of new sessions that can be created from the same client within a time interval. This would require that you maintain a creation date and client identifier with each session. As Tomas pointed out, identifying a client is problematic: the entire purpose of using the cookie is to get around the difficulty in reliably identifying a client. Perhaps this could be done on a system-wide level instead - limit the number of new sessions created in a certain time period. I tend to think that the PersistentManager options I outlined above can be used to prevent this attack if configured correctly. maxActiveSessions can be set as a hard limit to keep the active sessions to a number which can be safely supported by the heap size. This doesn't prevent an attacker from eating up most of the available sessions and creating a bad situation for legitimate users, but it should avoid an outright system crash. Kief - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
RE: Proposed name encoding patch
Hi Costin, I looked at the code at (one long line) http://jakarta.apache.org/cvsweb/index.cgi/jakarta-tomcat/src/share/org/apac he/jasper/compiler/CommandLineCompiler.java?rev=1.6content-type=text/vnd.vi ewcvs-markup The mangleChar() method seems to have the old code that encodes as _x where x is an hex digit. If I understand the code correctly, this is where we need to make the patch. If this is solved somewhere else, please send me pointer so I can give it a try. In case we need to write a new encoding method, here are some possible requirements, I am not sure which of them are relevant and which are not. 1. The encoding of any path should be unique. 2. The file name without the '.class' extension) should be a valid Java class name. 3. The encoding should be intuitive. 4. The encoding should be compact, at least for common chars. 5. The encoding should support JSP name with Unicode chars. 6. Runtime efficiency. The current encoding for example creates 3 object for each mangled char. Any comment from members of the list will be greatly appreciated. Tal -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 16, 2001 11:40 AM To: [EMAIL PROTECTED] Subject: Re: Proposed name encoding patch It's worth to mention that both JSP encoding and work dir encoding are resolved/improved in 3.3 - and the code can be easily ported back / reused. I'll take a look at both patches and try to integrate them into 3.3 also ( what is not covered already ) -- Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
RE: Proposed name encoding patch
Hi Kim, That's great. I have few questions: 1. Have you submitted the patch to the Tomcat repository ? If so, do you know in what version it will be released ? 2. Also, the encoding that you use is of the form %hh where 'hh' is an hex value. I had the implression that for public classes, the .class file name should match the file name. Don't you have a problem with that (since a class name cannot contain '%') ? 3. In what part of the code did you made the change, was it in mangleChar() method ? Thanks Tal -Original Message- From: Pilho Kim [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 16, 2001 11:06 AM To: [EMAIL PROTECTED] Subject: Re: Proposed name encoding patch Hi, Tal I have ever solved the problem already. Try to check http://w4.metronet.com/~wjm/tomcat/2000/Aug/msg00595.html Thanks, Kim On Tue, 16 Jan 2001, Tal Dayan wrote: Hello, This is my first posting to this list so please bare with me. We are having problems with the jsp name mangling (bug 330 at http://znutar.cortexity.com/BugRatViewer/ShowReport/330). Every '/' or '_' char in the jsp path is converted to 6 chars which easily extend the file path beyond Win NT limitation of 256 chars. As a result, the JSP compilation fails with the following error: org.apache.jasper.JasperException: Unable to compile class for JSPerror: Can't write: D:\tomcat\appserv\work\localhost_8080\system\admin\modes\start\acc ount\_0002 fsystem_0002fadmin_0002fmodes_0002fstart_0002faccount_0002fpage_00 05fadmin_0 005fstart_0005faccount_0005fpassword_0002ejsppage_0005fadmin_0005f start_0005 faccount_0005fpassword_jsp_0.class A quick look at the code reveals that the mangling is done by the method CommandLineCompiler.mangleChar() so we plan to modify the method to generate a more compact encoding, especially for common chars such as '/', '_', and '.'. What is the view of the list regarding the proposed modification and how should we proceed to maximize the changes that our patch will be included in the official Tomcat code ? Thanks, Tal - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
RE: Forming an opinion
-Original Message- From: Jon Stevens [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 17, 2001 20:17 on 1/17/01 10:28 AM, "[EMAIL PROTECTED]" [EMAIL PROTECTED] wrote: Why was it one of your worst days? I don't see how it could have been bad, nor do I see how that could influence your actions here by starting to send yet more flame bait. And, of course, you are biting the bait, the hook, the line... Enough was already said about that. Sam, Hans, Amy and I managed to talk about it with no flames and Costin already apologized. What are you missing? Also, I'm going to ask YET AGAIN and which we ALL agreed on in the meeting... Do not refer to Tomcat 3.3 as a version number. Tomcat 3.3 does not exist before the proposal that you still need to make and should not be referred to at all. Pick another name, it will confuse people by referring to it as Tomcat 3.3 because you are setting expectations that may or may not ever materialize (depending on the majority committer consensus here according to the rules). It might be a bit too late for that, since we all have been referring to it as Tomcat 3.3 during the last weeks (you included and a lot). Whomever has to become confused, already is. Anyway, this is not the User list. Have fun, Paulo Gaspar - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Jasper Bug 652 (do*Body not called): not a bug?
Hi, Having a look through bug 652: BodyTag doInitBody and doAfterBody called on tags without body (http://znutar.cortexity.com/BugRatViewer/ShowReport/652) I don't think this is a bug. The JSP spec, p88, says: "If an action element can have a non-empty body and is interested in the content of that body, the methods doInitBody() and doAfterBody(), defined in the BodyTag interface are involved." Note, "can have", not "if it does have". So an element without a body, but that *could* have a body according to the TLD, still has do*Body methods called. So: my:tagfoo/my:tag has do*Body() called (obviously). my:tag/my:tag has do*Body() called (the body will just be blank) my:tag/ has do*Body() called, because according to the XML spec, this is shorthand for the my:tag/my:tag notation, and therefore processes equivalently. Interestingly, JRun3.0 has the opposite bug, and doesn't call setBodyContent if the tag doesn't have a body but could. Eg, in JRun the following action breaks: util:include url="foo.html"/ But this works: util:include url="foo.html"/util:include The taglib in question is from the Jakarta Taglibs project. Regards, --Jeff - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
BugRat Report #794 has been filed.
Bug report #794 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/794 REPORT #794 Details. Project: Tomcat Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: high Severity: critical Confidence: public Environment: Release: Tomcat 3.2 JVM Release: 1.3.0rc3 Operating System: Win 2K OS Release: 5.00.2195 SP1 Platform: Win 2K Synopsis: Waiting 1 minute for response after Netscape issue a POST method to Tomcat Description: I experience a slow problem with POST using netscape 4.7. (It doesn't happen with GET method which response back immediately) The POST method seems take forever so slow . to give me back a response. However if I click on the title bar of the netscape (or other windows), it will give back the response immediately. Strange ??? Here is some comments from another observers: From: http://mikal.org/interests/java/tomcat_users/msg03421.html From: Andreas Junghans [EMAIL PROTECTED] Subject: Re: Slow POST? Date: Wed, 26 Jul 2000 16:15:19 +0200 When I access a JSP via GET, I get an immediate response. When the same page is requested via POST, there is random delay up to about 30 seconds (also when reloading the page, so it's not the time needed to compile the JSP). I wonder where this delay comes from? My configuration: Tomcat 3.1 Apache 1.3.12 (Win32) Windows NT 4.0 SP5 Netscape Navigator 4.7 The delay mentioned only occurs with Navigator (4.7) as client, not with IE. I've browsed through the Tomcat sources and some servlet resources on the net, and I found something about Navigator adding extra CR-LFs after a POST request that are not allowed by HTTP. Could this be causing the delay (maybe when reading from the ServletInputStream)? Has anybody else experienced the same problem? Is this Tomcat specific? I would really appreciate any help. Thanks in advance. Title: BugRat Report # 794 BugRat Report # 794 Project: Tomcat Release: Tomcat 3.2 Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: high Severity: critical Confidence: public Submitter: test ([EMAIL PROTECTED]) Date Submitted: Jan 17 2001, 05:51:26 CST Responsible: Z_Tomcat Alias ([EMAIL PROTECTED]) Synopsis: Waiting 1 minute for response after Netscape issue a POST method to Tomcat Environment: (jvm, os, osrel, platform) 1.3.0rc3, Win 2K, 5.00.2195 SP1, Win 2K Additional Environment Description: My configuration: Tomcat 3.2, Apache 1.3.12 (Win32), JVM 1.3, Win 2K, Netscape 4.7 Report Description: I experience a slow problem with POST using netscape 4.7. (It doesn't happen with GET method which response back immediately) The POST method seems take forever so slow . to give me back a response. However if I click on the title bar of the netscape (or other windows), it will give back the response immediately. Strange ??? Here is some comments from another observers: From: http://mikal.org/interests/java/tomcat_users/msg03421.html >From: Andreas Junghans <[EMAIL PROTECTED]> >Subject: Re: Slow POST? >Date: Wed, 26 Jul 2000 16:15:19 +0200 > >>> When I access a JSP via GET, I get an immediate response. When the same >>> page is requested via POST, there is random delay up to about 30 seconds >>> (also when reloading the page, so it's not the time needed to compile >>> the JSP). I wonder where this delay comes from? >>> My configuration: >>> Tomcat 3.1 >>> Apache 1.3.12 (Win32) >>> Windows NT 4.0 SP5 >>> Netscape Navigator 4.7 > > >The delay mentioned only occurs with Navigator (4.7) as client, not with >IE. I've browsed through the Tomcat sources and some servlet resources >on the net, and I found something about Navigator adding extra CR-LFs >after a POST request that are not allowed by HTTP. Could this be causing >the delay (maybe when reading from the ServletInputStream)? Has anybody >else experienced the same problem? Is this Tomcat specific? > >I would really appreciate any help. Thanks in advance. How To Reproduce: null View this report online... - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
on 1/17/01 3:33 PM, "Paulo Gaspar" [EMAIL PROTECTED] wrote: And, of course, you are biting the bait, the hook, the line... Enough was already said about that. Sam, Hans, Amy and I managed to talk about it with no flames and Costin already apologized. He apologized for taking things personally and not actually what he did and then attempted to get us to feel sorry for him because it was a hard day. I don't buy it at all. It might be a bit too late for that, since we all have been referring to it as Tomcat 3.3 during the last weeks (you included and a lot). Whomever has to become confused, already is. Anyway, this is not the User list. Right and I'm asking that references to 3.3 stop and we agreed upon that in the meeting. Yet again, I'm having to repeat myself to Costin because he refuses to listen. In fact, right after the discussion about stopping calling it 3.3 (which he agreed to), Costin turned around and referred to it as 3.3. Then he did it again on this list. I just don't get it. If you agree to something STICK TO IT. Period. Now I get flamed (again) for trying to enforce what we agreed on in the meeting. WTF? p.s. The phone dialin attendance was dismal. No one from this list who has been directly concerned with what is going on and having commented on things bothered to dial in. Obviously all of you who *really* care about this whole matter don't care *that* much. So, Paulo (who also didn't bother to dial in), I suggest that you stop discussing this any further and wait for the meeting notes to be published. -jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
HOW TO Apache+ Tomcat
Title: HOW TO Apache+ Tomcat Hi, I have downloaded apache and tomcat latest version on windows 2000 pro. I have apache running and tomcat running but integration of both doesn't work. I have tried all the ways suggested on jakarta.apache.org web pages. It doesn't work. When I included C:/Program Files/Apache Group/jakarta-tomcat/conf/tomcat.conf or Include Include C:/Program Files/Apache Group/jakarta-tomcat/conf/tomcat-apache.conf it gives an error message saying FILE NOT FOUND. Please post the latest HOW TO APACHE+TOMCAT Configuration user guide... Please help me out. Thanks in advance Regards, Srinivas Vaidya
RE: Forming an opinion
-Original Message- From: Jon Stevens [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 18, 2001 01:01 Enough was already said about that. Sam, Hans, Amy and I managed to talk about it with no flames and Costin already apologized. He apologized for taking things personally and not actually what he did and then attempted to get us to feel sorry for him because it was a hard day. I don't buy it at all. Sure! Kick him harder! It might be a bit too late for that, since we all have been referring to it as Tomcat 3.3 during the last weeks (you included and a lot). Whomever has to become confused, already is. Right and I'm asking that references to 3.3 stop and we agreed upon that in the meeting. Yet again, I'm having to repeat myself to Costin because he refuses to listen. In fact, right after the discussion about stopping calling it 3.3 (which he agreed to), Costin turned around and referred to it as 3.3. Which, of course, would confuse the people in the room that just had eard about it. Then he did it again on this list. I just don't get it. If you agree to something STICK TO IT. Period. Other people already use the "3.3" forbiden expression and that didn't disturb you that much. So, what about being a bit constructive (for a change) and tell us what are we supposed to call to Tomcat 3.3? (Oops! I did again!) Now I get flamed (again) for trying to enforce what we agreed on in the meeting. WTF? I didn't flame you. It was a quite polite remark! If my posting was a flame, how shoud I call yours? p.s. The phone dialin attendance was dismal. No one from this list who has been directly concerned with what is going on and having commented on things bothered to dial in. Obviously all of you who *really* care about this whole matter don't care *that* much. Or we have another kind of jobs and so. (-"Hey boss, can I call the US just for some hours?") So, Paulo (who also didn't bother to dial in) Should I show you my Agenda? Do you want to organize my schedule for me too? I suggest that you stop discussing this any further and wait for the meeting notes to be published. Man, I am just answering to you! If you are able to stop, I am sure I can do it too! Have fun, Paulo Gaspar - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
on 1/17/01 4:42 PM, "Paulo Gaspar" [EMAIL PROTECTED] wrote: Sure! Kick him harder! Lets see, he started out his *first* email after the meeting with flame bait, his next email was a pseudo apology, his third email is asking for censorship. Sure. I'm going to kick back. I'm tired of putting up with his bullshit. Other people already use the "3.3" forbiden expression and that didn't disturb you that much. I'm going to quote my original email on this: Subject: [MY_OPINION] Tomcat 3.x In fact, I'm pretty strongly -1 on Tomcat 3.3. If anything it would need to be suggested as Tomcat 5.0 because as far as I can tell, we have already come to the conclusion that Catalina will be Tomcat 4.0. Notice the subject was NOT 3.3, it was 3.x. So, what about being a bit constructive (for a change) and tell us what are we supposed to call to Tomcat 3.3? (Oops! I did again!) I don't care what you call it. Propose a name! That is what myself and others have been asking Costin to do all along! In fact, look at what Craig did...he called his revolution "Catalina". Why is this such a difficult concept for you to understand? Or we have another kind of jobs and so. (-"Hey boss, can I call the US just for some hours?") However you can spend time on this list sending email and arguing over the same points over and over again? Lets see, I spent 8+ hours in a meeting yesterday over crap that you are trying to back Costin on. How about supporting Costin when he really needed it? So, Paulo (who also didn't bother to dial in) Should I show you my Agenda? Do you want to organize my schedule for me too? No, I expect that if you are going to spend time on this list sending email all day long and responding to me that you would have enough of a care in this project to actually dial in and express your opinions in the forum where it mattered the most. You might have also gotten a chance to listen to the same things that I have been saying all along repeated to Costin by many other people in a room. Maybe the real facts of this whole mess would have then sunk in to your brain as well. thanks, -jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
RE: Forming an opinion
First, you write too much about a name when the question has always been having or not a 3.3 in the 3.x branch. Most of us (for whom having a 3.3 is interesting) are still not concerned about having or not a revolution and a Tomcat 5. It is too soon to be concerned about when our main priority is to have something better than 3.2 for production _real soon_. 3.3 is the obvious name and the discussion has always been around having it or not. Catalina was a revolution, a proposal on following a different path. At the moment, for me (and possibly others) 3.3 is an evolution. Maybe (or maybe not) some people already see Costin's work as 5.0 but I think that most of us don't go that far. I will not be thinking about what 5.0 should be in the near future. -Original Message- From: Jon Stevens [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 18, 2001 01:47 did...he called his revolution "Catalina". Why is this such a difficult concept for you to understand? Answered above. Maybe you feel happy has the beholder of the Truth but I do not feel I have understanding problems when I do not agree with you. Or we have another kind of jobs and so. (-"Hey boss, can I call the US just for some hours?") However you can spend time on this list sending email and arguing over the same points over and over again? Man, I already pointed out that I am mostly answering to something you say. If you can stop, I can stop too. - My answers are short; - I type fast; - It is not your damn business. Lets see, I spent 8+ hours in a meeting yesterday over crap that you are trying to back Costin on. How about supporting Costin when he really needed it? My main motivation in life is not supporting Costin. My main motivation here is scratching my itches and I think that 3.3 will help. Supporting him is important, but I have other priorities too. Besides, while you are nagging me, you are not nagging him. Maybe he can work a bit better that way. In the meantime, you arguments are so poor that I do not have to spend so much brain power has if I was coding or something. It is kind of having a break - I need breaks too you know? You know nothing about me, my life and my schedule. It would be polite if you would refrain to judge how I should spend my time. So, Paulo (who also didn't bother to dial in) Should I show you my Agenda? Do you want to organize my schedule for me too? No, I expect that if you are going to spend time on this list sending email all day long and responding to me that you would have enough of a care in this project to actually dial in and express your opinions in the forum where it mattered the most. Not your business why I did or did not. - Maybe Boss wouldn't like if I was connected to the USA for such a long time (I am in Europe, in case you didn't notice); - Maybe I was at a customer; - Maybe I had a dead line. You might have also gotten a chance to listen to the same things that I have been saying all along repeated to Costin by many other people in a room. Maybe the real facts of this whole mess would have then sunk in to your brain as well. I have seen other people defending the usefulness of 3.3 and that didn't sink anything in your brain. Beholder of the truth syndrome again? thanks, -jon You're welcome, Paulo - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector HttpRequestBase.java
remm01/01/17 17:39:53
Modified:catalina/src/share/org/apache/catalina/connector
HttpRequestBase.java
Log:
- Don't try to read parameters if stream has been opened before.
Should fix bug #783.
Revision ChangesPath
1.14 +7 -6
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/HttpRequestBase.java
Index: HttpRequestBase.java
===
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/HttpRequestBase.java,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- HttpRequestBase.java 2000/11/15 00:52:35 1.13
+++ HttpRequestBase.java 2001/01/18 01:39:53 1.14
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/HttpRequestBase.java,v
1.13 2000/11/15 00:52:35 remm Exp $
- * $Revision: 1.13 $
- * $Date: 2000/11/15 00:52:35 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/HttpRequestBase.java,v
1.14 2001/01/18 01:39:53 remm Exp $
+ * $Revision: 1.14 $
+ * $Date: 2001/01/18 01:39:53 $
*
*
*
@@ -98,7 +98,7 @@
* be implemented.
*
* @author Craig R. McClanahan
- * @version $Revision: 1.13 $ $Date: 2000/11/15 00:52:35 $
+ * @version $Revision: 1.14 $ $Date: 2001/01/18 01:39:53 $
*/
public class HttpRequestBase
@@ -594,8 +594,9 @@
int semicolon = contentType.indexOf(";");
if (semicolon = 0)
contentType = contentType.substring(0, semicolon).trim();
- if ("POST".equals(getMethod()) (getContentLength() 0)
- "application/x-www-form-urlencoded".equals(contentType)) {
+ if ("POST".equals(getMethod()) (getContentLength() 0)
+ (this.stream == null)
+ "application/x-www-form-urlencoded".equals(contentType)) {
try {
int max = getContentLength();
int len = 0;
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets WebdavServlet.java
remm01/01/17 17:43:10
Modified:catalina/src/share/org/apache/catalina/servlets
WebdavServlet.java
Log:
- Add a Microsoft specific header in response to OPTIONS request, mirroring
what mod_dav is doing.
Should enhance compatibility with older MS clients.
Revision ChangesPath
1.8 +6 -4
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
Index: WebdavServlet.java
===
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- WebdavServlet.java2001/01/08 20:57:11 1.7
+++ WebdavServlet.java2001/01/18 01:43:10 1.8
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
1.7 2001/01/08 20:57:11 remm Exp $
- * $Revision: 1.7 $
- * $Date: 2001/01/08 20:57:11 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
1.8 2001/01/18 01:43:10 remm Exp $
+ * $Revision: 1.8 $
+ * $Date: 2001/01/18 01:43:10 $
*
*
*
@@ -121,7 +121,7 @@
* are handled by the DefaultServlet.
*
* @author Remy Maucherat
- * @version $Revision: 1.7 $ $Date: 2001/01/08 20:57:11 $
+ * @version $Revision: 1.8 $ $Date: 2001/01/18 01:43:10 $
*/
public class WebdavServlet
@@ -369,6 +369,8 @@
}
resp.addHeader("Allow", methodsAllowed);
+
+resp.addHeader("MS-Author-Via", "DAV");
}
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
BugRat Report #797 has been filed.
Bug report #797 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/797 REPORT #797 Details. Project: Tomcat Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: high Severity: critical Confidence: public Environment: Release: Tomcat 3.2 JVM Release: Tomcat 3.2 Operating System: windows NT OS Release: 4.0 Platform: PC Synopsis: Problem using jk_nt_service (with a blank space in tomcat_home directory path) Description: Hi, I am trying to make Tomcat as NT service. It works fine when tomcat_home directory(in wrapper.properties file) is a continuous string. But, it does not work when I use the directory name with a blank space in between. For example, it works if the tomcat_home directory path is c: \jakartatomcathome\ but causes problem if it is c: \jakarta tomcat home\ Can somebody please suggest me a solution. Thanks, Amit Sarkar Title: BugRat Report # 797 BugRat Report # 797 Project: Tomcat Release: Tomcat 3.2 Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: high Severity: critical Confidence: public Submitter: Amit Sarkar ([EMAIL PROTECTED]) Date Submitted: Jan 17 2001, 07:40:55 CST Responsible: Z_Tomcat Alias ([EMAIL PROTECTED]) Synopsis: Problem using jk_nt_service (with a blank space in tomcat_home directory path) Environment: (jvm, os, osrel, platform) Tomcat 3.2, windows NT, 4.0, PC Additional Environment Description: Windows NT4.0 Report Description: Hi, I am trying to make Tomcat as NT service. It works fine when tomcat_home directory(in wrapper.properties file) is a continuous string. But, it does not work when I use the directory name with a blank space in between. For example, it works if the tomcat_home directory path is c: \jakartatomcathome\ but causes problem if it is c: \jakarta tomcat home\ Can somebody please suggest me a solution. Thanks, Amit Sarkar View this report online... - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.1/catalina/src/share/org/apache/catalina/servlets WebdavServlet.java
remm01/01/17 17:45:45
Modified:catalina/src/share/org/apache/catalina/servlets
WebdavServlet.java
Log:
- Add a Microsoft specific header in response to OPTIONS request, mirroring
what mod_dav is doing.
Should enhance compatibility with older MS clients.
- Enhance robustness of PROPFIND (new exceptions can be raised because of
the switch to JNDI contexts).
Revision ChangesPath
1.10 +9 -10
jakarta-tomcat-4.1/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
Index: WebdavServlet.java
===
RCS file:
/home/cvs/jakarta-tomcat-4.1/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- WebdavServlet.java2001/01/13 21:24:48 1.9
+++ WebdavServlet.java2001/01/18 01:45:45 1.10
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.1/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
1.9 2001/01/13 21:24:48 remm Exp $
- * $Revision: 1.9 $
- * $Date: 2001/01/13 21:24:48 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.1/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
1.10 2001/01/18 01:45:45 remm Exp $
+ * $Revision: 1.10 $
+ * $Date: 2001/01/18 01:45:45 $
*
*
*
@@ -124,7 +124,7 @@
* are handled by the DefaultServlet.
*
* @author Remy Maucherat
- * @version $Revision: 1.9 $ $Date: 2001/01/13 21:24:48 $
+ * @version $Revision: 1.10 $ $Date: 2001/01/18 01:45:45 $
*/
public class WebdavServlet
@@ -384,6 +384,8 @@
resp.addHeader("Allow", methodsAllowed);
+resp.addHeader("MS-Author-Via", "DAV");
+
}
@@ -511,7 +513,7 @@
generatedXML.writeElement(null, "multistatus"
+ generateNamespaceDeclarations(),
XMLWriter.OPENING);
-
+
if (depth == 0) {
parseProperties(req, resources, generatedXML, path, type,
properties);
@@ -532,10 +534,7 @@
try {
object = resources.lookup(currentPath);
} catch (NamingException e) {
-e.printStackTrace();
-resp.sendError
-(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, path);
-return;
+continue;
}
if (object instanceof DirContext) {
try {
@@ -584,7 +583,7 @@
}
}
-
+
generatedXML.writeElement(null, "multistatus",
XMLWriter.CLOSING);
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
on 1/17/01 5:50 PM, "Paulo Gaspar" [EMAIL PROTECTED] wrote: First, you write too much about a name when the question has always been having or not a 3.3 in the 3.x branch. Nope. No proposal for that has been made yet. Most of us (for whom having a 3.3 is interesting) are still not concerned about having or not a revolution and a Tomcat 5. It is too soon to be concerned about when our main priority is to have something better than 3.2 for production _real soon_. How do you know that what is in the cvs HEAD is better than 3.2? I have yet to see proof of that other than Costin's claims. 3.3 is the obvious name and the discussion has always been around having it or not. It may be obvious to you, however there has never been a proposal to make it so. Catalina was a revolution, a proposal on following a different path. At the moment, for me (and possibly others) 3.3 is an evolution. No it isn't. That is where you are 100% wrong. 3.3 is a complete refactor of the core code and is therefore much more than just an evolution. If you had listened in on the conversation yesterday, like you should have, you would have had this clarified for you. Maybe (or maybe not) some people already see Costin's work as 5.0 but I think that most of us don't go that far. I will not be thinking about what 5.0 should be in the near future. Again, you simply don't understand how development models work. Maybe you feel happy has the beholder of the Truth but I do not feel I have understanding problems when I do not agree with you. It is clear you don't understand things and now you are being left behind because you *choose* to not participate in the meeting where these things where clarified and discussed. My main motivation in life is not supporting Costin. My main motivation here is scratching my itches and I think that 3.3 will help. You *think*. What concrete evidence do you have to support that thought? What proposals have been made here suggesting that the CVS head of Tomcat be released as 3.3? None! In case you missed it, there will be NO release of the CVS HEAD of Tomcat until there is a proposal made, the support issues have been resolved and that there is majority committeer consensus that it be so. Period. This was agreed on in the meeting. Therefore, it is in your best interest to quit emailing me and to figure out how you are going to prove that Tomcat 3.x will continue to be properly supported. Supporting him is important, but I have other priorities too. Like? In the meantime, you arguments are so poor that I do not have to spend so much brain power has if I was coding or something. It is kind of having a break - I need breaks too you know? What part of my argument is poor? You know nothing about me, my life and my schedule. It would be polite if you would refrain to judge how I should spend my time. I haven't made any suggestions about how you should spend your time. Not your business why I did or did not. - Maybe Boss wouldn't like if I was connected to the USA for such a long time (I am in Europe, in case you didn't notice); Phone rates are cheap and you could have used a calling card and also asked your boss for approval. - Maybe I was at a customer; The meeting was planned well ahead of time and you could have scheduled yourself. - Maybe I had a dead line. Go borrow a phone line. Your reasons are seriously undermining everything that you give as an argument. I have seen other people defending the usefulness of 3.3 and that didn't sink anything in your brain. THAT ISN'T THE QUESTION! Fuck! how many times does that need to be repeated to you? Beholder of the truth syndrome again? Beholder of a complete lack of ability to understand basic concepts syndrome? thanks, -jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.1/webapps/webdav index.html
remm01/01/17 18:04:13 Modified:webapps/webdav index.html Log: - Updated compatibility list, links and version numbers. Revision ChangesPath 1.4 +14 -11jakarta-tomcat-4.1/webapps/webdav/index.html Index: index.html === RCS file: /home/cvs/jakarta-tomcat-4.1/webapps/webdav/index.html,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- index.html2000/12/16 19:05:21 1.3 +++ index.html2001/01/18 02:04:12 1.4 @@ -1,16 +1,13 @@ !doctype html public "-//w3c//dtd html 4.0 transitional//en" html head -meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" -meta name="GENERATOR" content="Mozilla/4.72 [en] (WinNT; U) [Netscape]" -meta name="Author" content="Anil K. Vijendran" -titleTomcat v4.0 dev/title +titleTomcat v4.1 dev/title /head body bgcolor="#FF" img SRC="tomcat.gif" height=92 width=130 align=LEFTbfont face="Arial, Helvetica, sans-serif"font size=+3Tomcat/font/font/b br bfont face="Arial, Helvetica, sans-serif"font size=-1Version -4.0 dev/font/font/b +4.1 dev/font/font/b pThis is the home page for the webdav context. This page is located at: ul li @@ -20,8 +17,8 @@ pTomcat 4.0 includes built-in support for WebDAV level 2, which enables remote authoring of the website. You can test these capabilities using a WebDAV client like MS WebFolders (included with IE 4.0 and up), MS Office 2000, DAV -Explorer (others are listed on the webpages linked below), and point to the -b/webdav/b path of the server. +Explorer (others are listed below), and point to the b/webdav/b path of +the server. pThis test context is DAV enabled, but has been set up in read-only mode for safety reasons. It can be put in read-write mode by editing the web @@ -29,12 +26,15 @@ pWorking WebDAV clients include : ul +liAdobe GoLive 5.0 (and other WebDAV-enabled Adobe products, like + Photoshop)/li +liCadaver 0.15/li +liDAV Explorer 0.60 and 0.70/li liInternet Explorer 5 (Windows 2000)/li liInternet Explorer 5.5 (Windows 2000)/li +liJakarta Slide 1.0 WebDAV client library/li liOffice 2000 (Windows 2000)/li -liDAV Explorer 0.60/li -liAdobe GoLive 5.0/li -liJakarta Slide 1.0 WebDAV client/li +liSkunkDAV 1.0/li /ul pIncompatible WebDAV clients include : @@ -50,13 +50,16 @@ liba href="http://www.ics.uci.edu/pub/ietf/webdav/"WebDAV working group/a/b/li liba href="http://www.webdav.org/projects/"WebDAV clients/a/b/li +lib +a href="http://jakarta.apache.org/slide/"The Jakarta Slide Project/a +/b/li /ul hr p align="right"font size=-1img src="tomcat-power.gif" width="77" height="80"/fontbr nbsp; -font size=-1Copyright copy; 1999-2000 Apache Software Foundation/fontbr +font size=-1Copyright copy; 1999-2001 Apache Software Foundation/fontbr font size=-1All Rights Reserved/font br nbsp;/p p align="right"nbsp;/p - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
BugRat Report #798 has been filed.
Bug report #798 has just been filed. You can view the report at the following URL: http://znutar.cortexity.com/BugRatViewer/ShowReport/798 REPORT #798 Details. Project: Tomcat Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: high Severity: serious Confidence: public Environment: Release: 4.0-b1 JVM Release: JDK1.2.2 Operating System: NT OS Release: 4.0 Platform: Windows NT Synopsis: A nonfatal internal JIT 3.10.107x error: NULL relocation target' has occurred in: 'org/apache/crimson/parser/Paser2.maybeComment ZZ': Interpreting method. Description: This error occurred when I start Tomcat. And I cant view the examples for servlet and JSP. Title: BugRat Report # 798 BugRat Report # 798 Project: Tomcat Release: 4.0-b1 Category: Bug Report SubCategory: New Bug Report Class: swbug State: received Priority: high Severity: serious Confidence: public Submitter: _Anonymous ([EMAIL PROTECTED]) Date Submitted: Jan 17 2001, 08:01:18 CST Responsible: Z_Tomcat Alias ([EMAIL PROTECTED]) Synopsis: A nonfatal internal JIT <3.10.107> error: NULL relocation target' has occurred in: 'org/apache/crimson/parser/Paser2.maybeComment Z': Interpreting method. Environment: (jvm, os, osrel, platform) JDK1.2.2, NT, 4.0, Windows NT Additional Environment Description: Report Description: This error occurred when I start Tomcat. And I cant view the examples for servlet and JSP. View this report online... - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Problem using jk_nt_service (with a blank in tomcat_home directory path)
Hi, I am trying to make Tomcat as NT service. It works fine when tomcat_home directory is a continuous string. But, it does not work when I use the directory name with a blank. For example, if the tomcat_home directorypath is c:\jakartatomcathome\ but causes problem if it is c:\jakarta tomcat home\ Can somebody please suggest me a solution. Thanks, Amit Sarkar [EMAIL PROTECTED]
RE: Forming an opinion
-Original Message- From: Jon Stevens [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 18, 2001 02:58 on 1/17/01 5:50 PM, "Paulo Gaspar" [EMAIL PROTECTED] wrote: Nope. No proposal for that has been made yet. I am talking about names and you are throwing bureaucracy at me. How do you know that what is in the cvs HEAD is better than 3.2? I have yet to see proof of that other than Costin's claims. And the other committers and Larry and... 3.3 is the obvious name and the discussion has always been around having it or not. It may be obvious to you, however there has never been a proposal to make it so. I am talking about names and you are throwing bureaucracy at me. Catalina was a revolution, a proposal on following a different path. At the moment, for me (and possibly others) 3.3 is an evolution. No it isn't. That is where you are 100% wrong. 3.3 is a complete refactor of the core code and is therefore much more than just an evolution. If you had listened in on the conversation yesterday, like you should have, you would have had this clarified for you. If you are happier that way, I am glad you keep telling what I should do. I may have different ideas and still consider that to be an evolution. Even if the majority of the PMC thinks one way, I still have the right to think otherwise and talk accordingly. Again, you simply don't understand how development models work. Sure! I went trough 12 years of software development without having a clue. Maybe you feel happy has the beholder of the Truth but I do not feel I have understanding problems when I do not agree with you. It is clear you don't understand things and now you are being left behind because you *choose* to not participate in the meeting where these things where clarified and discussed. I am glad you are so happy for thinking you know what I understand or not. Copy/Paste from my previous posting: Not your business why I did or did not. (participate in the meeting) - Maybe Boss wouldn't like if I was connected to the USA for such a long time (I am in Europe, in case you didn't notice); - Maybe I was at a customer; - Maybe I had a dead line. My main motivation in life is not supporting Costin. My main motivation here is scratching my itches and I think that 3.3 will help. You *think*. What concrete evidence do you have to support that thought? What concrete evidence to you have to support yours? [... a lot of bureaucracy crap that Jon uses when he has nothing more constructive to argument (i.e.: quite often) ...] Therefore, it is in your best interest to quit emailing me ... I can stop when you stop. Give the example! Remember: I only answer. ...and to figure out how you are going to prove that Tomcat 3.x will continue to be properly supported. I will help several other people proving that. Supporting him is important, but I have other priorities too. Like? Are you my mother? In the meantime, you arguments are so poor that I do not have to spend so much brain power has if I was coding or something. It is kind of having a break - I need breaks too you know? What part of my argument is poor? What do you mean with "What part"? You know nothing about me, my life and my schedule. It would be polite if you would refrain to judge how I should spend my time. I haven't made any suggestions about how you should spend your time. You did several. (Loss of short term memory again!) [... Some crap about how I should have done things! ...] - Maybe I had a dead line. Go borrow a phone line. Project dead line. Know the concept? Your reasons are seriously undermining everything that you give as an argument. The idea is not giving you reasons. The idea is to tell you that I may have a life outside Tomcat and other troubles to take care. And it is not of you business. Maybe you should not judge the people that weren't there so lightly. I have seen other people defending the usefulness of 3.3 and that didn't sink anything in your brain. THAT ISN'T THE QUESTION! Fuck! how many times does that need to be repeated to you? For me, it is the main point. Keep repeating. Beholder of the truth syndrome again? Beholder of a complete lack of ability to understand basic concepts syndrome? LOL thanks, -jon You're welcome, Paulo - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
on 1/17/01 6:44 PM, "Paulo Gaspar" [EMAIL PROTECTED] wrote: -Original Message- From: Jon Stevens [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 18, 2001 02:58 on 1/17/01 5:50 PM, "Paulo Gaspar" [EMAIL PROTECTED] wrote: Nope. No proposal for that has been made yet. I am talking about names and you are throwing bureaucracy at me. Because that is where we are at! Duh! If the PMC group (including Costin) agrees on something then that should be respected. The fact of the matter is that the previous proposals have not been respected and I'm standing up to fix that. How do you know that what is in the cvs HEAD is better than 3.2? I have yet to see proof of that other than Costin's claims. And the other committers and Larry and... Give me concrete evidence, not claims. 3.3 is the obvious name and the discussion has always been around having it or not. It may be obvious to you, however there has never been a proposal to make it so. I am talking about names and you are throwing bureaucracy at me. Yes. I am. Catalina was a revolution, a proposal on following a different path. At the moment, for me (and possibly others) 3.3 is an evolution. No it isn't. That is where you are 100% wrong. 3.3 is a complete refactor of the core code and is therefore much more than just an evolution. If you had listened in on the conversation yesterday, like you should have, you would have had this clarified for you. If you are happier that way, I am glad you keep telling what I should do. Yes. I am going to tell you what what decided and what you should follow. I may have different ideas and still consider that to be an evolution. Fine. Even if the majority of the PMC thinks one way, I still have the right to think otherwise and talk accordingly. Unlike Costin, I am fully against censorship and therefore am not going to disagree with you. However, when something is *decided* and *agreed* upon at the PMC level, it needs to be taken seriously and respected. This is what you are *not* doing. Again, you simply don't understand how development models work. Sure! I went trough 12 years of software development without having a clue. Open Source Software Development != Closed Source Software Development. My assertion is that you are lacking a clue with regards to OSS development. Maybe you feel happy has the beholder of the Truth but I do not feel I have understanding problems when I do not agree with you. It is clear you don't understand things and now you are being left behind because you *choose* to not participate in the meeting where these things where clarified and discussed. I am glad you are so happy for thinking you know what I understand or not. Then word your statements in such a way to make me believe that you do understand. So far, you haven't done that. My main motivation in life is not supporting Costin. My main motivation here is scratching my itches and I think that 3.3 will help. You *think*. What concrete evidence do you have to support that thought? What concrete evidence to you have to support yours? Costin and others have no been providing any sort of support for others on the mailing list. That is clear. Read the archives of this list. Now, what concrete evidence do you have that releasing CVS head as 3.3 "will help"? Project dead line. Know the concept? You seem to have plenty of time to answer my emails. -jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
-Original Message- From: Jon Stevens [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 17, 2001 20:17 on 1/17/01 10:28 AM, "[EMAIL PROTECTED]" [EMAIL PROTECTED] wrote: Why was it one of your worst days? I don't see how it could have been bad, nor do I see how that could influence your actions here by starting to send yet more flame bait. And, of course, you are biting the bait, the hook, the line... Enough was already said about that. Sam, Hans, Amy and I managed to talk about it with no flames and Costin already apologized. What are you missing? I have almost no bad personnal feelings against Costin. At some point, I was a bit upset about him because : - he did stuff which I personnally took offense of, and for which he did apologize to me (so it's past history) - I feel like he could be more willing to accept compromises Really, I'm fine with him, and I've been really impressed by him at the meeting (there were a lot of misunderstandings before, which hopefully were clarified). However, I cannot say the same thing about you. Frankly, could you just *stop* that ? I don't think you fully realize it, but you're not helping either Costin or this project in any way by getting into this pointless discussion (other than proving to me that you are way more childish than what you think Jon is). I'll not veto his proposal just because I'm a TC 4 developer. Actually, depending on how he presents it and what he plans to do, I'll +0 or +1 it. I had been looking at the HEAD of jakarta-tomcat and I have to say that : - last time I tested it, it was faster than TC 3.2 (good) - it was also very buggy (bad, but that may have changed since I last tried it), so I think the support issue is essential - the code organization looked cleaner (good) Remy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
on 1/17/01 7:43 PM, "Paulo Gaspar" [EMAIL PROTECTED] wrote: 1. You are flaming Costin again (is that harassment?); I don't see a flame there. I'm simply speaking truth. Costin's actions and statements have clearly shown that he believes in censorship. He even tried to bring up motions in the meeting to create censorship over what people say on the list. 2. Whatever the PMC decided was not published yet. How can I disrespect that. The PMC was attended by ~25 people and had open phone lines for which you could have listened in on. I have also told you what has been decided on. That is what you are disrespecting. What do you know about what my experience is? If you have experience then show it by acting like you do. So far, you haven't done any of that, therefore, I can conclude that you either cannot act like you have experience or you don't have any. My judgement call on that is that you don't have much experience. "Costin and others"? Give names, dates and complete the police work with some hard evidence that allows you to proceed to an arrest! Ok, all of the people actively sending commits to Tomcat 3.x. AGAIN: What concrete evidence do you have that it will not? I have seen releases made in the past that have been buggy. For example 3.0. That actually hurt this project quite a bit by increasing the amount of support that was needed as well as the fact that in many people's mind, it set a precedent that people have been trying to combat for a long time...that Tomcat is slow and buggy and that the code is hard to understand and read. -jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
ok guys, this has got a little bit out of hand. I'm sure I am not alone on saying this, but could we focus on the core issues, the development of tomcat. if this list is to enhance the development and the communication of and around tomcat, then we are not really doing it right. and if you want to attract new developers, then we need to improve the way we communicate. here are a few books, worth to take a look at http://www.amazon.com/exec/obidos/ASIN/0749424044/qid=979792228/sr=1-1/ref=s c_b_1/107-5367122-9735704 http://www.amazon.com/exec/obidos/ASIN/0943233127/qid=979792092/sr=1-2/ref=s c_b_2/107-5367122-9735704 Filip ~ Namaste - I bow to the divine in you. ~ Filip Hanik Technical Architect [EMAIL PROTECTED] - Original Message - From: "Jon Stevens" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, January 17, 2001 7:41 PM Subject: Re: Forming an opinion on 1/17/01 7:43 PM, "Paulo Gaspar" [EMAIL PROTECTED] wrote: 1. You are flaming Costin again (is that harassment?); I don't see a flame there. I'm simply speaking truth. Costin's actions and statements have clearly shown that he believes in censorship. He even tried to bring up motions in the meeting to create censorship over what people say on the list. 2. Whatever the PMC decided was not published yet. How can I disrespect that. The PMC was attended by ~25 people and had open phone lines for which you could have listened in on. I have also told you what has been decided on. That is what you are disrespecting. What do you know about what my experience is? If you have experience then show it by acting like you do. So far, you haven't done any of that, therefore, I can conclude that you either cannot act like you have experience or you don't have any. My judgement call on that is that you don't have much experience. "Costin and others"? Give names, dates and complete the police work with some hard evidence that allows you to proceed to an arrest! Ok, all of the people actively sending commits to Tomcat 3.x. AGAIN: What concrete evidence do you have that it will not? I have seen releases made in the past that have been buggy. For example 3.0. That actually hurt this project quite a bit by increasing the amount of support that was needed as well as the fact that in many people's mind, it set a precedent that people have been trying to combat for a long time...that Tomcat is slow and buggy and that the code is hard to understand and read. -jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.1/catalina/src/share/org/apache/catalina/connector HttpResponseBase.java
remm01/01/17 22:14:18
Modified:catalina/src/share/org/apache/catalina/connector
HttpResponseBase.java
Log:
- Add a null check to the isEncodable method.
Revision ChangesPath
1.24 +7 -4
jakarta-tomcat-4.1/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java
Index: HttpResponseBase.java
===
RCS file:
/home/cvs/jakarta-tomcat-4.1/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- HttpResponseBase.java 2001/01/04 19:49:16 1.23
+++ HttpResponseBase.java 2001/01/18 06:14:18 1.24
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.1/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java,v
1.23 2001/01/04 19:49:16 remm Exp $
- * $Revision: 1.23 $
- * $Date: 2001/01/04 19:49:16 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.1/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java,v
1.24 2001/01/18 06:14:18 remm Exp $
+ * $Revision: 1.24 $
+ * $Date: 2001/01/18 06:14:18 $
*
*
*
@@ -97,7 +97,7 @@
*
* @author Craig R. McClanahan
* @author Remy Maucherat
- * @version $Revision: 1.23 $ $Date: 2001/01/04 19:49:16 $
+ * @version $Revision: 1.24 $ $Date: 2001/01/18 06:14:18 $
*/
public class HttpResponseBase
@@ -446,6 +446,9 @@
* @param location Absolute URL to be validated
**/
private boolean isEncodeable(String location) {
+
+if (location == null)
+return (false);
// Is this an intra-document reference?
if (location.startsWith("#"))
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector HttpResponseBase.java
remm01/01/17 22:32:38
Modified:catalina/src/share/org/apache/catalina/connector
HttpResponseBase.java
Log:
- Add a null check to the isEncodable method.
This may resolve bug #766 if it was caused by a programmer error.
Revision ChangesPath
1.24 +7 -4
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java
Index: HttpResponseBase.java
===
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- HttpResponseBase.java 2001/01/04 19:49:16 1.23
+++ HttpResponseBase.java 2001/01/18 06:32:38 1.24
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java,v
1.23 2001/01/04 19:49:16 remm Exp $
- * $Revision: 1.23 $
- * $Date: 2001/01/04 19:49:16 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/HttpResponseBase.java,v
1.24 2001/01/18 06:32:38 remm Exp $
+ * $Revision: 1.24 $
+ * $Date: 2001/01/18 06:32:38 $
*
*
*
@@ -97,7 +97,7 @@
*
* @author Craig R. McClanahan
* @author Remy Maucherat
- * @version $Revision: 1.23 $ $Date: 2001/01/04 19:49:16 $
+ * @version $Revision: 1.24 $ $Date: 2001/01/18 06:32:38 $
*/
public class HttpResponseBase
@@ -446,6 +446,9 @@
* @param location Absolute URL to be validated
**/
private boolean isEncodeable(String location) {
+
+if (location == null)
+return (false);
// Is this an intra-document reference?
if (location.startsWith("#"))
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
PATCH: JSP Source Disclosure Vulnerability (Re: Bug Report #649)
From: [EMAIL PROTECTED] (Kazuhiro Kazama)
Subject: Re: Bug Report #649
Date: Fri, 22 Dec 2000 11:43:01 +0900
Message-ID: [EMAIL PROTECTED]
This bug may be system dependent. Would you describe your OS and its
release?
I analyzed this problem in cooperation with JavaHouse-Brewers mailing
list (Java technical discussions in Japan) and found there are two
bugs.
These bugs resembles ServletExec JSP source disclosure vulnerability
(http://www.securityfocus.com/bid/1970) in situation.
1, When you adds "%20" (in fact, URL encoded character or its
sequences from %01 to %20) to an URL's end, Tomcat returns a JSP
source code instead of its result.
When you uses mod_jk and delegates all HTTP requests under the
directory specified by a "JkMount" directive to Tomcat, this bug comes
out.
Example:
http://localhost/examples/jsp/num/numguess.jsp%20
Workaround:
Apply an atached patch to your Tomcat 3.2.1. This patch removes extra
trim() which is remove U+ - U+0020 characters from an URL.
2, When you adds '.' or "%2E" (= '.') to an URL's end, Apache server
(not Tomcat) returns a JSP source code of JSP files.
This is a Windows bug and I confirmed it on Windows 98 and Windows
2000. But a security measure is needed to Apache server.
When you uses mod_jk on Windows and JSP files is accessible from your
apache server by adding an "Alias" directive, This bug comes out.
Example:
http://localhost/examples/jsp/num/numguess.jsp.
http://localhost/examples/jsp/num/numguess.jsp%2E
Workaround:
On Windows platform, don't use "Alias" directive for mounting your Web
application directory. Tomcat generates "mod_jk.conf-auto" has "Alias"
directives so that you should fix it on Windows.
This bug may be correctable but I have no time to fix Apache server. I
hope someone will inform better solution.
By the way, these bugs don't happen on Tomcat mod_jserv. But I don't
think that it is a good idea to use a mod_jserv module on Tomcat 3.2.1
because this behavior may depend anothor mod_jserv bugs.
Kazuhiro Kazama ([EMAIL PROTECTED]) NTT Network Innovation Laboratories
--- src/share/org/apache/tomcat/util/FileUtil.java.orig Sun Jan 14 16:25:12 2001
+++ src/share/org/apache/tomcat/util/FileUtil.java Thu Jan 18 11:46:39 2001
@@ -228,21 +228,19 @@
}
public static String patch(String path) {
- String patchPath = path.trim();
-
// Move drive spec to the front of the path
- if (patchPath.length() = 3
- patchPath.charAt(0) == '/'
- Character.isLetter(patchPath.charAt(1))
- patchPath.charAt(2) == ':') {
- patchPath=patchPath.substring(1,3)+"/"+patchPath.substring(3);
+ if (path.length() = 3
+ path.charAt(0) == '/'
+ Character.isLetter(path.charAt(1))
+ path.charAt(2) == ':') {
+ path=path.substring(1,3)+"/"+path.substring(3);
}
// Eliminate consecutive slashes after the drive spec
- if (patchPath.length() = 2
- Character.isLetter(patchPath.charAt(0))
- patchPath.charAt(1) == ':') {
- char[] ca = patchPath.replace('/', '\\').toCharArray();
+ if (path.length() = 2
+ Character.isLetter(path.charAt(0))
+ path.charAt(1) == ':') {
+ char[] ca = path.replace('/', '\\').toCharArray();
char c;
StringBuffer sb = new StringBuffer();
@@ -264,14 +262,14 @@
}
}
- patchPath = sb.toString();
+ path = sb.toString();
}
// fix path on NetWare - all '/' become '\\' and remove duplicate '\\'
if (System.getProperty("os.name").startsWith("NetWare")
path.length() =3
path.indexOf(':') 0) {
-char ca[] = patchPath.replace('/', '\\').toCharArray();
+char ca[] = path.replace('/', '\\').toCharArray();
StringBuffer sb = new StringBuffer();
for (int i = 0; i ca.length; i++) {
if ((ca[i] != '\\') ||
@@ -279,9 +277,9 @@
sb.append(ca[i]);
}
}
-patchPath = sb.toString();
+path = sb.toString();
}
- return patchPath;
+ return path;
}
public static boolean isAbsolute( String path ) {
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
Multiple Set-Cookie headers ignored?
I have a problem. I am using Tomcat 3.2/Apache 1.3.12 on Linux Redhat 6.2 Whenever I try to send more than one Set-Cookie: header I get "ERROR: ERROR" instead. The first Set-Cookie works the rest are replaced with ERROR: ERROR Any help appreciated. Log fragment from mod_jk.log [jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[1] [Set-Cookie] = [cookie1=hello;Domain=kuru.its.deakin.edu.au;Path=/connect/se rvlet] [jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[2] [ERROR] = [ERROR] [jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[3] [ERROR] = [ERROR] [jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[4] [ERROR] = [ERROR] [jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[5] [ERROR] = [ERROR] [jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[6] [ERROR] = [ERROR] -- Jason Pell Senior Analyst/Programmer - Web Developer Callista Software Services Pty Ltd 12 Gheringhap St, Geelong Victoria 3220 Australia Phone: 03 5227 8858 International: +61 3 5227 8858 Fax: 03 5227 8907 International: +61 3 5227 8907 E-mail [EMAIL PROTECTED] http://www.dssonline.com.au Customer Support Hotline: 1800 620 497 "Callista - the brightest solution in university management" --- Important Notice: The contents of this email transmission, including attachments, may be privileged and confidential. Any unauthorised use of the contents is expressly prohibited. If you have received this transmission in error, please advise the sender by return email or telephone immediately and destroy all versions. --- - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets WebdavServlet.java
In general, I hope we are cautious about adding non-standard headers like this. It is not a precedent I particularly like, but I can see the reasoning for doing it this time. Agreed, but apprently mod_dav (ie, Apache 2.0) is doing the same. It's such an insignificant change that I couldn't find a valid reason to justify why we shouldn't include it. If it was more significant (like MS proprietary property types), I wouldn't even think about adding it. Remy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: Forming an opinion
Paulo Gaspar wrote: First, you write too much about a name when the question has always been having or not a 3.3 in the 3.x branch. Most of us (for whom having a 3.3 is interesting) are still not concerned about having or not a revolution and a Tomcat 5. It is too soon to be concerned about when our main priority is to have something better than 3.2 for production _real soon_. 3.3 is the obvious name and the discussion has always been around having it or not. Paulo (and others), an important thing to remember is that Apache projects (as opposed to an arbitrary open source project) operate under a set of rules and conventions that, in effect, are the "Apache culture". Many of those rules and conventions are documented (such as the rules on voting), but some are not. One of the things I took away from the PMC meeting yesterday is the need to better articulate those rules. However, one of them is that there is no such thing as a "version" of any Apache project until there is a vote to go that way, and elect a particular code base to be that version. See below for more. Catalina was a revolution, a proposal on following a different path. It was, until it was elected as the code base for 4.0. Now, it's the established direction for 4.x. Note that there was no "jakarta-tomcat-4.1" branch, or any such thing as "Tomcat 4.1", until the vote that took place last week. Now, there is. Such a thing hasn't happened for 3.3. It is obvious why this hasn't happened -- this is one of those "culture things" that wasn't clearly spelled out within Jakarta. Costin agreed to rectify this, so a "3.3" version proposal is likely to be forthcoming shortly. At the moment, for me (and possibly others) 3.3 is an evolution. Regardless of whether or not this is true, it's still a new version, and still needs to follow the same proposal and voting procedures. NOTE: When this proposal is made, people who vote on it should remember the following: * Electing a code base needs at least three +1 votes and no -1 votes. * Only votes of committers on Tomcat (*all* versions -- it is all one project until someone forks it to a separate name) are binding. * A +1 vote on electing a code base implies an *obligation* on the part of the voter to actively support the code base. Among other things, that includes someone taking on the role of release manager, all +1-ers being actively involved in fixing remaining bugs, *and* (after the release ultimately happens, if and when it does) supporting users of the release -- in our environment, that means answering user questions on TOMCAT-USER. (FYI: I am on record -- see the PMC Meeting Minutes that will be published shortly -- that I will *not* veto a release plan for 3.3 that meets my concerns about support.) Maybe (or maybe not) some people already see Costin's work as 5.0 but I think that most of us don't go that far. I will not be thinking about what 5.0 should be in the near future. So far (to my knowledge), Costin has not proposed it for this purpose. However, it is important to note that no vote is necessary to declare a revolution (starting with the code currently in the HEAD branch of "jakarta-tomcat") and working towards that goal. The only restriction is that no one can call it "Tomcat" in the mean time. This principle was actually articulated in the "Rules for Revolutionaries" document, which was triggered when I (incorrectly) tried to use the name "Tomcat.Next" before there had been any such agreement by the development community. The result was the creation of the name Catalina, which did not become "Tomcat 4.0" until the vote that made it so. Names are important -- for a variety of reasons, including legal ones (because the name "Tomcat" belongs to the Apache Software Foundation, not to the individual committers). Therefore, we as developers need to respect those reasons and become more careful a out our use of those names. Craig McClanahan - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
cvs commit: jakarta-tomcat RELEASE-PLAN-3.3
costin 01/01/17 23:38:24 Added: .RELEASE-PLAN-3.3 Log: Initial checkin for the release proposal. Revision ChangesPath 1.1 jakarta-tomcat/RELEASE-PLAN-3.3 Index: RELEASE-PLAN-3.3 === NOTE: This document is the first cut at a release plan for the next dot release of Tomcat. Nothing in this document should be considered authoritative until it has been discussed and approved on the TOMCAT-DEV mailing list. Tomcat 3.3 Release Plan === Objective: The objective of the proposed 3.3 release is to complete the development of jakarta-tomcat 3.x and achieve the stated goals of providing a production quality 2.2/1.1 servlet container. Goals: The following goals should be met in executing this plan: 1. No regressions compared with 3.2. 2. Fixing the bugs found after and during 3.2 release cycle. 3. Full review of the code, making sure the modularity and extensibility goals have been achieved. 4. Make sure that the refactoring is clean, and maintainance will be easier that 3.2 5. Ensure that the performance is (significantly) better than 3.2 Tomcat 3.3 Milestone 1 Release: Code Freeze/Tag Date: Feb 1, 2001 (?) Release Manager:??? The build must pass all watchdog and all existing test suites. It should work on both JDK1.1 and JDK1.2. After the build of Milestone 1, work should start in reviewing all the classes and interfaces in tomcat.core, and any feedback should be discussed and incorporated. Also, the documentation will be reviewed and improved. In paralel, work will start on fixing a significant number ( most ? ) of bugs that were reported and fixed in 3.2 and post 3.2. This work will continue during the beta period. Whenever possible, we should try to create a self-test case ( using the current self-test application and GTest ). More documentations should be added on running GTest and simplify the test application. Tomcat 3.3 BiWeekly milestones: After the first milestone, we will periodically build milestones in order to track the evolution. ( see also the testing plan at the end ). Tomcat 3.3 Beta: Code Freeze/Tag Date: March 15, 2001 (?) Release Manager:??? No major change will be done after the Beta is build without a vote. No major bug ( spec compliance or stability ) should be open in order to enter beta. During the beta period we will fix all remaining bugs and run the manual tests for the bugs that have no automated test case. Tomcat 3.3 Final Release Code Freeze Date: Apr 5, 2001 (?) Release Manager:??? The final build. The pre-requisite for the release is having no bugs in the test suite, resolution for all known bugs and aproval by the community. Release criteria Given that this will be proposed as the final release of tomcat3.x the standards of quality and testing will be significantly higher than in previous releases. 1. Tomcat 3.3 should have no regression compared with 3.2. Any reported regression is a show-stopper and a release can't be made before it is resovled. 2. Open bugs should be resolved. 3. Tomcat 3.3 should be tested with existing, complex applications ( cocoon, bugrat, etc ). Platorms. We must make sure that tomcat is tested ( at least watchdog + self-test ) with at least Linux, Solaris, Windows 9x, Windows NT/2000. JDK. We must test tomcat with at least JDK1.1 and Java2 (multiple versions if possible) . The tests should also include a stress test ( a high load "ab" running for a long time ) Configurations Tomcat must be tested standalone, with Apache 1.3, Apache 2.0 and ( possibly ) with IIS and NES ( low priority ). Maintainance Plan = After tomcat 3.3 is released, no major development should go on into the main branch. The release team should consist of at least 3 people, and will fix any major bugs that will be found after the 3.3 release, and propose to the group minor releases, if absolutely needed ( security or stability bugs ). In any case, no backward-incompatible or major changes should be made. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Release plan for 3.3 ( first draft )
Hi, I checked in the initial draft of the "release plan for 3.3" proposal: http://jakarta.apache.org/cvsweb/index.cgi/~checkout~/jakarta-tomcat/RELEASE-PLAN-3.3 I'll publish the final version and propose it for vote after any concerns are addressed and at least 3 commiters will volunteer to help making it happen. All votes are important - but in order for this to happen at least 3 commiters should vote +1. Anyone can volunteer to help - with bug fixing, comments on the code, bug reports, running the tests on different platforms, building and running it in different environments. The proposed Tomcat 3.3 will not have any new major functionality compared with tomcat 3.2. Most of the work has been put in finishing up the modularization and reorganization of code, plus a significant increase in performance. Most of the changes that would have delayed 3.2 are also included in 3.3. Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Problem with apj13/jk_mod and multiple cookies!
Hi,
I have been having heaps of problems with multiple cookies not being set
with tomcat.
I have managed to track the problem down, but do not have enough
understanding of
the APJ13/mod_jk C source to fix.
First of all multiple cookies work when I access tomcat directly
(bypassing apache), but then
as I have stated previously they all fail to be set, bar the first one.
This fragment of jakarta-tomcat-3.2-src/src/native/jk/jk_apj13.c
} else {
d-header_names[i] = (char *)jk_b_get_string(msg);
if(!d-header_names[i]) {
jk_log(l, JK_LOG_ERROR,
"Error ajp13_unmarshal_response - Null
header name\n");
return JK_FALSE;
}
}
d-header_values[i] = (char *)jk_b_get_string(msg);
if(!d-header_values[i]) {
jk_log(l, JK_LOG_ERROR,
"Error ajp13_unmarshal_response - Null header
value\n");
is where the headers are processed, and jk_b_get_string(msg); is
returning "ERROR" for
all but my first cookie, as demonstrated by the log I obtained.
Log fragment from mod_jk.log
[jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[1] [Set-Cookie] =
[cookie1=hello;Domain=kuru.its.deakin.edu.au;Path=/connect/se
rvlet]
[jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[2] [ERROR] =[ERROR]
[jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[3] [ERROR] =[ERROR]
[jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[4] [ERROR] =[ERROR]
[jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[5] [ERROR] =[ERROR]
[jk_ajp13.c (576)]: ajp13_unmarshal_response: Header[6] [ERROR] =[ERROR]
Please, Please, Please help me I do not know what to do. I am desperate
now!!!
Thankyou
Jason Pell
--
Jason Pell
Senior Analyst/Programmer - Web Developer
Callista Software Services Pty Ltd
12 Gheringhap St, Geelong Victoria 3220 Australia
Phone: 03 5227 8858 International: +61 3 5227 8858
Fax: 03 5227 8907 International: +61 3 5227 8907
E-mail [EMAIL PROTECTED]
http://www.dssonline.com.au
Customer Support Hotline: 1800 620 497
"Callista - the brightest solution in university management"
---
Important Notice: The contents of this email transmission,
including attachments, may be privileged and confidential.
Any unauthorised use of the contents is expressly prohibited.
If you have received this transmission in error, please advise
the sender by return email or telephone immediately and
destroy all versions.
---
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
