DO NOT REPLY [Bug 13014] - OS/390/USS - Invalid url-pattern in servlet mapping
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13014. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13014 OS/390/USS - Invalid url-pattern in servlet mapping --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 06:27 --- The idea is that maybe no member of the dev team has access to the appropriate machine and can reproduce this. The offending code looks like the StandardContext.validateURLPattern method (I have no idea what is wrong with it, though): private boolean validateURLPattern(String urlPattern) { if (urlPattern == null) return (false); if (urlPattern.startsWith(*.)) { if (urlPattern.indexOf('/') 0) return (true); else return (false); } if (urlPattern.startsWith(/)) return (true); else return (false); } -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
apps conversion from 3.3.1 to 4.1.12
Hi to all, While converting some applications from 3.3.1 to 4.1.12 I noticed some little problems. 1) We used to define our own default servlet, but 4.1.x definie its own default in conf/web.xml. Could we change from org.apache.catalina.servlets.DefaultServlet to our actual default servlet, knowing that all webapps use the same code base ? In that case should the jar containing the default servlet could be in common/lib ? 2) We also used to include external entities in web.xml which live outside webapp dir : ie : ?xml version=1.0 encoding=ISO-8859-1? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.2//EN http://java.sun.com/j2ee/dtds/web-app_2.2.dtd; [ !ENTITY % settings SYSTEM ../../../settings.xml %settings; ] ... Digester find settings.xml only when it's located in WEB-INF or webapp directories (ie ROOT/WEB-INF/settings.xml or ROOT/settings.xml). How could I make it find the settings.xml outside webapps area ? via conf/catalina.policy ? Thanks for you help. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
Henri Gomez wrote: Hi to all, While converting some applications from 3.3.1 to 4.1.12 I noticed some little problems. 1) We used to define our own default servlet, but 4.1.x definie its own default in conf/web.xml. Could we change from org.apache.catalina.servlets.DefaultServlet to our actual default servlet, knowing that all webapps use the same code base ? In that case should the jar containing the default servlet could be in common/lib ? AFAIK, yes. You should be able to put it in shared/lib. The webapp settings also override the global settings. 2) We also used to include external entities in web.xml which live outside webapp dir : ie : ?xml version=1.0 encoding=ISO-8859-1? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.2//EN http://java.sun.com/j2ee/dtds/web-app_2.2.dtd; [ !ENTITY % settings SYSTEM ../../../settings.xml %settings; ] ... Digester find settings.xml only when it's located in WEB-INF or webapp directories (ie ROOT/WEB-INF/settings.xml or ROOT/settings.xml). How could I make it find the settings.xml outside webapps area ? via conf/catalina.policy ? This is likely the protection against reading anything outside the webapp root (see the allowLinking of FileDirContext), although I don't know how the digester will try to load the included file. Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13014] - OS/390/USS - Invalid url-pattern in servlet mapping
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13014. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13014 OS/390/USS - Invalid url-pattern in servlet mapping --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 06:52 --- Remy, How can I help in correcting this bug ? I am no Java programmer. It is clumsy but can you give me instructions that I can carry out at my end to correct it ? My machine is currently running OS/390 v2.10 64 bit mode. and IBM SDK 1.3.1 going to 1.4 soon. Joseph -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-connectors/jk/java/org/apache/jk/common ChannelSocket.java
hgomez 2002/10/08 23:58:31 Modified:jk/java/org/apache/jk/common ChannelSocket.java Log: tcpnodelay to true by default, but could be turned off by setting tcpnodelay=false from outside (howto in server.xml ?) Revision ChangesPath 1.23 +3 -3 jakarta-tomcat-connectors/jk/java/org/apache/jk/common/ChannelSocket.java Index: ChannelSocket.java === RCS file: /home/cvs/jakarta-tomcat-connectors/jk/java/org/apache/jk/common/ChannelSocket.java,v retrieving revision 1.22 retrieving revision 1.23 diff -u -r1.22 -r1.23 --- ChannelSocket.java4 Oct 2002 23:33:14 - 1.22 +++ ChannelSocket.java9 Oct 2002 06:58:31 - 1.23 @@ -105,7 +105,7 @@ int port=startPort; InetAddress inet; int serverTimeout; -boolean tcpNoDelay=false; +boolean tcpNoDelay=true; // nodelay to true by default int linger=100; int socketTimeout; @@ -259,8 +259,8 @@ s.setSoLinger( true, linger); if( socketTimeout 0 ) s.setSoTimeout( socketTimeout ); -if( tcpNoDelay ) -s.setTcpNoDelay( true ); + +s.setTcpNoDelay( tcpNoDelay ); // set socket tcpnodelay state requestCount++; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
Remy Maucherat wrote: Henri Gomez wrote: Hi to all, While converting some applications from 3.3.1 to 4.1.12 I noticed some little problems. 1) We used to define our own default servlet, but 4.1.x definie its own default in conf/web.xml. Could we change from org.apache.catalina.servlets.DefaultServlet to our actual default servlet, knowing that all webapps use the same code base ? In that case should the jar containing the default servlet could be in common/lib ? AFAIK, yes. You should be able to put it in shared/lib. The webapp settings also override the global settings. Great. 2) We also used to include external entities in web.xml which live outside webapp dir : ie : ?xml version=1.0 encoding=ISO-8859-1? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.2//EN http://java.sun.com/j2ee/dtds/web-app_2.2.dtd; [ !ENTITY % settings SYSTEM ../../../settings.xml %settings; ] ... Digester find settings.xml only when it's located in WEB-INF or webapp directories (ie ROOT/WEB-INF/settings.xml or ROOT/settings.xml). How could I make it find the settings.xml outside webapps area ? via conf/catalina.policy ? This is likely the protection against reading anything outside the webapp root (see the allowLinking of FileDirContext), although I don't know how the digester will try to load the included file. I'll check for it, thanks. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-connectors/jk/java/org/apache/jk/commonChannelSocket.java
[EMAIL PROTECTED] wrote: hgomez 2002/10/08 23:58:31 Modified:jk/java/org/apache/jk/common ChannelSocket.java Log: tcpnodelay to true by default, but could be turned off by Only ChannelSocket need to be updated. Ajp14Interceptor allready called tcpnodelay(true), and other java parts set tcpdelay var to true by default. Regards -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13014] - OS/390/USS - Invalid url-pattern in servlet mapping
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13014. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13014 OS/390/USS - Invalid url-pattern in servlet mapping --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 07:13 --- I posted the apparently offending code to see if anyone would have an idea (I don't). It would look like the test .startsWith(/) is failing. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
- Original Message - From: Henri Gomez [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, October 08, 2002 11:33 PM Subject: apps conversion from 3.3.1 to 4.1.12 Hi to all, While converting some applications from 3.3.1 to 4.1.12 I noticed some little problems. Wot? 3.3.1 isn't good enough for you any more. ;-) 1) We used to define our own default servlet, but 4.1.x definie its own default in conf/web.xml. Could we change from org.apache.catalina.servlets.DefaultServlet to our actual default servlet, knowing that all webapps use the same code base ? In that case should the jar containing the default servlet could be in common/lib ? Without testing, in theory you can put your jar in common/lib, and change the classname for default in conf/web.xml and the only bugs will be yours. :) Note, that this is more than you can do with 3.3.1. 2) We also used to include external entities in web.xml which live outside webapp dir : ie : ?xml version=1.0 encoding=ISO-8859-1? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.2//EN http://java.sun.com/j2ee/dtds/web-app_2.2.dtd; [ !ENTITY % settings SYSTEM ../../../settings.xml %settings; ] ... Digester find settings.xml only when it's located in WEB-INF or webapp directories (ie ROOT/WEB-INF/settings.xml or ROOT/settings.xml). How could I make it find the settings.xml outside webapps area ? via conf/catalina.policy ? This has always been a headache for me on all Tomcat versions. However, I don't think that internal-entities can be used at all (usefully). Thanks for you help. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
UML Class Diagram
Hi, I was wondering if I can get the Catalina class diagram to help me understand how it works, or if it is available online. Thanks, budi -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13443] New: - request.getRequestURI() problem with jsp:include tag
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13443. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13443 request.getRequestURI() problem with jsp:include tag Summary: request.getRequestURI() problem with jsp:include tag Product: Tomcat 4 Version: 4.1.12 Platform: PC OS/Version: Windows NT/2K Status: NEW Severity: Major Priority: Other Component: Unknown AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] the script: file test.jsp: jsp:include page=include.jsp flush=true %=request.getRequestURI()%br / %=request.getRequestURL()% file include.jsp: psimple text/p When I run test.jsp, instead of writing the good URI and URL (with the path to file), it writes piece of headers like :E HTML PUBLIC -//W3C It works well only if the test.jsp file is forwarded by a servlet. In the other cases, inserting a code like %request.getRequestURI();% resolve the problem. It seems that this bug doesn't appear in Tomcat 4.0.x release -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core DummyRequest.java DummyResponse.java ApplicationContext.java StandardWrapper.java MappingRequest.java
remm2002/10/09 01:01:12 Modified:catalina/src/share/org/apache/catalina/core ApplicationContext.java StandardWrapper.java Added: catalina/src/share/org/apache/catalina/core DummyRequest.java DummyResponse.java Removed: catalina/src/share/org/apache/catalina/core MappingRequest.java Log: - Remove dependency on deprecated components. Revision ChangesPath 1.3 +6 -12 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContext.java Index: ApplicationContext.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContext.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- ApplicationContext.java 5 Sep 2002 12:06:08 - 1.2 +++ ApplicationContext.java 9 Oct 2002 08:01:11 - 1.3 @@ -149,7 +149,7 @@ } public Object run() { -HttpRequest request = new MappingRequest +HttpRequest request = new DummyRequest (context.getPath(), contextPath + relativeURI, queryString); Wrapper wrapper = (Wrapper) context.map(request, true); if (wrapper == null) @@ -604,14 +604,8 @@ // The remaining code is duplicated in PrivilegedGetRequestDispatcher, // we need to make sure they stay in sync -HttpRequest request = new MappingRequest +HttpRequest request = new DummyRequest (context.getPath(), contextPath + relativeURI, queryString); -/* -request.setContext(context); -request.setContextPath(context.getPath()); -request.setRequestURI(contextPath + relativeURI); -request.setQueryString(queryString); -*/ Wrapper wrapper = (Wrapper) context.map(request, true); if (wrapper == null) return (null); 1.5 +6 -8 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapper.java Index: StandardWrapper.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapper.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- StandardWrapper.java 27 Sep 2002 07:13:05 - 1.4 +++ StandardWrapper.java 9 Oct 2002 08:01:11 - 1.5 @@ -93,8 +93,6 @@ import org.apache.catalina.Wrapper; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; -import org.apache.catalina.connector.HttpRequestBase; -import org.apache.catalina.connector.HttpResponseBase; import org.apache.catalina.loader.StandardClassLoader; import org.apache.catalina.util.Enumerator; import org.apache.catalina.util.InstanceSupport; @@ -941,10 +939,10 @@ // Invoke jspInit on JSP pages if ((loadOnStartup = 0) (jspFile != null)) { // Invoking jspInit -HttpRequestBase req = new HttpRequestBase(); -HttpResponseBase res = new HttpResponseBase(); +DummyRequest req = new DummyRequest(); req.setServletPath(jspFile); req.setQueryString(jsp_precompile=true); +DummyResponse res = new DummyResponse(); if( System.getSecurityManager() != null) { Class[] classType = new Class[]{ServletRequest.class, 1.1 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/DummyRequest.java Index: DummyRequest.java === /* * $Header: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/DummyRequest.java,v 1.1 2002/10/09 08:01:11 remm Exp $ * $Revision: 1.1 $ * $Date: 2002/10/09 08:01:11 $ * * * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright *notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright *notice, this list of conditions and the following disclaimer in *the documentation and/or other materials provided with the *distribution. * * 3. The
DO NOT REPLY [Bug 13445] New: - Installing without the examples makes Tomcat startup fail
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13445. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13445 Installing without the examples makes Tomcat startup fail Summary: Installing without the examples makes Tomcat startup fail Product: Tomcat 4 Version: 4.1.12 Platform: PC OS/Version: Windows NT/2K Status: NEW Severity: Minor Priority: Other Component: Catalina AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] Using Sun JDK and JRE 1.4.1. Using jakarta-tomcat-4.1.12.exe not the Light Edition. Everything is installed in default directories. The only change I make is that I don't select the Example Web Applications when given the choice under the install. After installing and setting the JAVA_HOME variable, I try to start it and I get this error: java.lang.IllegalArgumentException: Document base C:\Programmer\Apache Group\Tomcat 4.1\webapps\examples does not exist or is not a readable directory at org.apache.naming.resources.FileDirContext.setDocBase(FileDirContext.java:193) at org.apache.catalina.core.StandardContext.start(StandardContext.java:3397) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188) at org.apache.catalina.core.StandardHost.start(StandardHost.java:738) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347) at org.apache.catalina.core.StandardService.start(StandardService.java:497) at org.apache.catalina.core.StandardServer.start(StandardServer.java:2189) at org.apache.catalina.startup.Catalina.start(Catalina.java:510) at org.apache.catalina.startup.Catalina.execute(Catalina.java:400) at org.apache.catalina.startup.Catalina.process(Catalina.java:180) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203) -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13445] - Installing without the examples makes Tomcat startup fail
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13445. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13445 Installing without the examples makes Tomcat startup fail [EMAIL PROTECTED] changed: What|Removed |Added Status|NEW |RESOLVED Resolution||WONTFIX --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 09:08 --- Well, yes, sorry, this is a limitation of the updated and less hackish installer. Edit server.xml to fix it. The bug which causes Tomcat to crash on startup in that particular case has been fixed (so in 4.1.13, you'll get an error in the logs, but nothing more serious). -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
[5.0] [VOTE] Remove deprecated and unsupported components
The connectors which depend on the org.apache.catalina.connector package (including JK 1, webapp, and the old HTTP connectors) will either need to be updated or removed. The Coyote family of connectors is well supported and provides a suitable replacement (IMO). Coyote is the default connector in the current Tomcat 4.1.x releases, and should be reaching maturity by the time Tomcat 5 is released. I'd like to remove the deprecated org.apache.catalina.connector classes (and move the remaining facade and wrapper classes to other new packages). Even if they are removed from the main tree, the deprecated components could also be distributed with updated versions of the affected connectors should it is decided they should be made available for Tomcat 5 (but in any case, some work will be needed). ballot [ ] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot In case the second option is voted, volunteers will be needed to update and maintain the components (right now, I don't think the connectors based on them would even build against the new API). Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13446] New: - Invalide error page with request attribute.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13446. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13446 Invalide error page with request attribute. Summary: Invalide error page with request attribute. Product: Tomcat 4 Version: 4.0.1 Final Platform: PC OS/Version: Windows NT/2K Status: NEW Severity: Normal Priority: Other Component: Catalina AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] In a servlet, i want to forward to a JSP error page. For transmit the current exception, i set the attribute javax.servlet.error.exception in the request, and i forward to the error page. This page initialise the exception variable with the exception. Then, in the error page, i call response.sendRedirect (/index.jsp); Because the variable javax.servlet.error.exception live when i call the sendRedirect, i receive the Tomcat error page and the sendRedirect can't work. I make a sample for check that. Create to JSP file in a webapp. Test.jsp %@ page errorPage=TestError.jsp % Test.jsp % System.out.println(Test.jsp); request.setAttribute(javax.servlet.error.exception,new Throwable()); Object n=null; n.toString(); // This statement generate a null pointer exception % TestError.jsp = TestError.jsp % System.out.println(TestError.jsp); // Next line for patch the bug // request.removeAttribute(javax.servlet.error.exception); response.sendRedirect(request.getContextPath()+/index.jsp); % Invoke the Test.jsp page. Because the NullPointerException was throw, the page TestError.jsp is called. This page want to send a redirect to the page index.jsp (must be present). But, you receive the Tomcat error page ! Because the servlet must be deconnected to JSP, normally, the JSP technique for manage the error can be deconnected to the servlet engine. I think, in the ErrorReportValve.java or ErrorDispatcherValve.c can detect this situation (reset this attribute AFTER the service() method, remember it's in error page, ...) Other servlet engine haven't this problem. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [5.0] [VOTE] Remove deprecated and unsupported components
Remy Maucherat wrote: The connectors which depend on the org.apache.catalina.connector package (including JK 1, webapp, and the old HTTP connectors) will either need to be updated or removed. The Coyote family of connectors is well supported and provides a suitable replacement (IMO). Coyote is the default connector in the current Tomcat 4.1.x releases, and should be reaching maturity by the time Tomcat 5 is released. I'd like to remove the deprecated org.apache.catalina.connector classes (and move the remaining facade and wrapper classes to other new packages). Even if they are removed from the main tree, the deprecated components could also be distributed with updated versions of the affected connectors should it is decided they should be made available for Tomcat 5 (but in any case, some work will be needed). ballot [X] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot In case the second option is voted, volunteers will be needed to update and maintain the components (right now, I don't think the connectors based on them would even build against the new API). -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-5/resources welcome.bin.html welcome.main.html INSTALLLICENSE
remm2002/10/09 03:06:07 Modified:.build.xml resources INSTALLLICENSE Added: .CHANGELOG RELEASE-NOTES resources welcome.bin.html welcome.main.html Log: - Improve release target, so that it will create a ready to upload package. Revision ChangesPath 1.38 +46 -5 jakarta-tomcat-5/build.xml Index: build.xml === RCS file: /home/cvs/jakarta-tomcat-5/build.xml,v retrieving revision 1.37 retrieving revision 1.38 diff -u -r1.37 -r1.38 --- build.xml 8 Oct 2002 09:36:39 - 1.37 +++ build.xml 9 Oct 2002 10:06:07 - 1.38 @@ -44,6 +44,7 @@ property name=servlet.home value=../jakarta-servletapi-4/dist/ property name=tomcat.build value=${basedir}/build/ property name=tomcat.dist value=${basedir}/dist/ + property name=tomcat.release value=${basedir}/release/ property name=webapps.buildvalue=${catalina.home}/webapps/build/ property name=webapps.dist value=${catalina.home}/webapps/dist/ @@ -129,6 +130,8 @@ delete dir=${tomcat.dist}/ +delete dir=${tomcat.release}/ + /target @@ -418,7 +421,42 @@ !-- RELEASE: Create Release === -- target name=release depends=prepare-release,clean,dist,dist-source,installer,package-zip,package-tgz,package-src-zip,package-src-tgz - description=Create a Tomcat 5 packaged distribution / + description=Create a Tomcat 5 packaged distribution if=full-dist + +mkdir dir=${tomcat.release}/ +mkdir dir=${tomcat.release}/v${version}/ +mkdir dir=${tomcat.release}/v${version}/bin/ +mkdir dir=${tomcat.release}/v${version}/src/ + +move file=${tomcat.dist}/${final.name}.tar.gz + todir=${tomcat.release}/v${version}/bin/ +move file=${tomcat.dist}/${final.name}.zip + todir=${tomcat.release}/v${version}/bin/ +move file=${tomcat.dist}/${final.name}.exe + todir=${tomcat.release}/v${version}/bin/ + +move file=${tomcat.dist}/${final-src.name}.tar.gz + todir=${tomcat.release}/v${version}/src/ +move file=${tomcat.dist}/${final-src.name}.zip + todir=${tomcat.release}/v${version}/src/ + +filter token=VERSION value=${version}/ +copy file=KEYS + todir=${tomcat.release}/v${version}/ +copy file=RELEASE-NOTES + todir=${tomcat.release}/v${version} + filtering=true/ +copy file=CHANGELOG + todir=${tomcat.release}/v${version} + filtering=true/ +copy file=resources/welcome.main.html +tofile=${tomcat.release}/v${version}/README.html + filtering=true/ +copy file=resources/welcome.bin.html +tofile=${tomcat.release}/v${version}/bin/README.html + filtering=true/ + + /target target name=package-zip zip zipfile=${tomcat.dist}/${final.name}.zip @@ -445,11 +483,13 @@ zipfileset dir=${tomcat.dist} prefix=${final.name} includes=README.txt / zipfileset dir=${tomcat.dist} prefix=${final.name} - includes=RELEASE-NOTES-* / + includes=RELEASE-NOTES / zipfileset dir=${tomcat.dist} prefix=${final.name} - includes=RELEASE-PLAN-* / + includes=CHANGELOG / zipfileset dir=${tomcat.dist} prefix=${final.name} includes=RUNNING.txt / + zipfileset dir=${tomcat.dist} prefix=${final.name} + includes=BENCHMARKS.txt / /zip /target @@ -479,9 +519,10 @@ include name=temp/** / include name=LICENSE / include name=README.txt / -include name=RELEASE-NOTES-* / -include name=RELEASE-PLAN-* / +include name=RELEASE-NOTES / +include name=CHANGELOG / include name=RUNNING.txt / +include name=BENCHMARKS.txt / /fileset /copy fixcrlf srcdir=${tomcat.dist}/${final.name} 1.1 jakarta-tomcat-5/CHANGELOG Binary file 1.1 jakarta-tomcat-5/RELEASE-NOTES Index: RELEASE-NOTES === Apache Tomcat Version @VERSION@ Release Notes $Id: RELEASE-NOTES,v 1.1 2002/10/09 10:06:07 remm Exp $ KNOWN ISSUES IN THIS RELEASE: * Tomcat 5.0 and JNI Based Applications * Tomcat 5.0 Standard APIs Available * Tomcat 5.0 and XML Parsers * Web application reloading and static fields in shared libraries * JAVAC leaking memory * Linux and Sun JDK 1.2.x - 1.3.x * Enabling SSI and CGI Support * Security manager URLs * Symlinking static resources * Enabling invoker servlet
cvs commit: jakarta-tomcat-5 .cvsignore
remm2002/10/09 03:06:34 Modified:..cvsignore Log: - Update .cvsignore. Revision ChangesPath 1.3 +1 -0 jakarta-tomcat-5/.cvsignore Index: .cvsignore === RCS file: /home/cvs/jakarta-tomcat-5/.cvsignore,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- .cvsignore26 Jul 2002 16:28:50 - 1.2 +++ .cvsignore9 Oct 2002 10:06:34 - 1.3 @@ -1,3 +1,4 @@ build dist +release build.properties -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-5 build.xml
remm2002/10/09 03:07:48 Modified:.build.xml Log: - No reason to clean the release folder. Revision ChangesPath 1.39 +0 -2 jakarta-tomcat-5/build.xml Index: build.xml === RCS file: /home/cvs/jakarta-tomcat-5/build.xml,v retrieving revision 1.38 retrieving revision 1.39 diff -u -r1.38 -r1.39 --- build.xml 9 Oct 2002 10:06:07 - 1.38 +++ build.xml 9 Oct 2002 10:07:48 - 1.39 @@ -130,8 +130,6 @@ delete dir=${tomcat.dist}/ -delete dir=${tomcat.release}/ - /target -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: [5.0] [VOTE] Remove deprecated and unsupported components
ballot [X] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot IAS Jakarta-Seoul Project Coordinator http://jakarta.apache-korea.org -Original Message- From: Remy Maucherat [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 09, 2002 6:11 PM To: Tomcat Developers List Subject: [5.0] [VOTE] Remove deprecated and unsupported components The connectors which depend on the org.apache.catalina.connector package (including JK 1, webapp, and the old HTTP connectors) will either need to be updated or removed. The Coyote family of connectors is well supported and provides a suitable replacement (IMO). Coyote is the default connector in the current Tomcat 4.1.x releases, and should be reaching maturity by the time Tomcat 5 is released. I'd like to remove the deprecated org.apache.catalina.connector classes (and move the remaining facade and wrapper classes to other new packages). Even if they are removed from the main tree, the deprecated components could also be distributed with updated versions of the affected connectors should it is decided they should be made available for Tomcat 5 (but in any case, some work will be needed). ballot [ ] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot In case the second option is voted, volunteers will be needed to update and maintain the components (right now, I don't think the connectors based on them would even build against the new API). Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
[GUMP] Build Failure - jakarta-tomcat-util
This email is autogenerated from the output from: http://jakarta.apache.org/builds/gump/2002-10-09/jakarta-tomcat-util.html Buildfile: build.xml detect: build-prepare: [mkdir] Created dir: /home/rubys/jakarta/jakarta-tomcat-connectors/util/build [mkdir] Created dir: /home/rubys/jakarta/jakarta-tomcat-connectors/util/build/classes [mkdir] Created dir: /home/rubys/jakarta/jakarta-tomcat-connectors/util/build/lib build-main: [echo] - Java-utils - [echo] -- puretls.present = ${puretls.present} [echo] -- jsse.present = true [echo] -- commons-logging = true [echo] -- jmx = true /opt/jmx-1_0_1-ri_bin/jmx/lib/jmxri.jar [javac] Compiling 59 source files to /home/rubys/jakarta/jakarta-tomcat-connectors/util/build/classes [javac] /home/rubys/jakarta/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java:225: cannot resolve symbol [javac] symbol : class SocketTimeoutException [javac] location: class org.apache.tomcat.util.net.jsse.JSSESupport [javac] } catch (SocketTimeoutException e) { [javac] ^ [javac] /home/rubys/jakarta/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java:235: cannot resolve symbol [javac] symbol : class SocketTimeoutException [javac] location: class org.apache.tomcat.util.net.jsse.JSSESupport [javac] throw new SocketTimeoutException(SSL Cert handshake timeout); [javac] ^ [javac] 2 errors BUILD FAILED file:/home/rubys/jakarta/jakarta-tomcat-connectors/util/build.xml:49: Compile failed; see the compiler error output for details. Total time: 3 seconds -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: [5.0] [VOTE] Remove deprecated and unsupported components
ballot [ ] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [X ] Leave them in /ballot Atleast untill all the excessive log messages are removed from the coyote connectors (ie the socket error messages) or there is a way to disable them (ie give them a log level) -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
This is likely the protection against reading anything outside the webapp root (see the allowLinking of FileDirContext), although I don't know how the digester will try to load the included file. Digester code is derived from XmlMapper which is able to locate entities in ../../../ directories. My concern here is : Specs didn't mentions restriction on use of external entities outside the webapp. So it should be granted by default isn't it ? I take a look at FileDirContext but I didn't understand what allowLinking is ? So my question is : bug or feature ? -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
commons-daemon release ?
I wonder if a release of commons-daemon is planned. JF ? -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: commons-daemon release ?
Henri Gomez wrote: I wonder if a release of commons-daemon is planned. No, because promoting it to commons proper got vetoed. At the moment, it looks like a split between daemon and launcher will happen. (like Costin, I'd really like to get rid of the Java code in daemon - the o.a.c.daemon package -, BTW) Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-5/resources INSTALLLICENSE
remm2002/10/09 05:20:40 Modified:.build.xml tomcat.nsi resources INSTALLLICENSE Log: - Cleanups and small fixes. Revision ChangesPath 1.40 +1 -1 jakarta-tomcat-5/build.xml Index: build.xml === RCS file: /home/cvs/jakarta-tomcat-5/build.xml,v retrieving revision 1.39 retrieving revision 1.40 diff -u -r1.39 -r1.40 --- build.xml 9 Oct 2002 10:07:48 - 1.39 +++ build.xml 9 Oct 2002 12:20:40 - 1.40 @@ -419,7 +419,7 @@ !-- RELEASE: Create Release === -- target name=release depends=prepare-release,clean,dist,dist-source,installer,package-zip,package-tgz,package-src-zip,package-src-tgz - description=Create a Tomcat 5 packaged distribution if=full-dist + description=Create a Tomcat 5 packaged distribution mkdir dir=${tomcat.release}/ mkdir dir=${tomcat.release}/v${version}/ 1.9 +26 -25jakarta-tomcat-5/tomcat.nsi Index: tomcat.nsi === RCS file: /home/cvs/jakarta-tomcat-5/tomcat.nsi,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- tomcat.nsi8 Oct 2002 09:36:39 - 1.8 +++ tomcat.nsi9 Oct 2002 12:20:40 - 1.9 @@ -12,6 +12,11 @@ ; ;Configuration + !define MUI_LICENSEPAGE + !define MUI_COMPONENTPAGE + !define MUI_DIRSELECTPAGE + !define MUI_UNINSTALLER + ;Language ;English LoadLanguageFile ${NSISDIR}\Contrib\Language files\English.nlf @@ -31,28 +36,18 @@ !insertmacro MUI_INTERFACE modern.exe adni18-installer-C-no48xp.ico adni18-uninstall-C-no48xp.ico modern.bmp smooth $9 ;License dialog - LicenseText Press Page Down to see the rest of the agreement. LicenseData INSTALLLICENSE - ;Component-select dialog - ComponentText Check the components you want to install and uncheck the components you don't want to install. Click Next to continue. - ;Folder-select dialog - !insertmacro MUI_ENGLISH_DIRTEXT InstallDir $PROGRAMFILES\Apache Group\Tomcat 5.0 - ;Uninstaller - !insertmacro MUI_ENGLISH_UNINSTALLTEXT + ;Install types + InstType Normal + InstType Minimum + InstType Full -InstType Normal -InstType Minimum -InstType Full -AutoCloseWindow false -ShowInstDetails show -SetOverwrite on -SetDateSave on - -InstallDirRegKey HKLM SOFTWARE\Apache Group\Tomcat\5.0 + ; Main registry key + InstallDirRegKey HKLM SOFTWARE\Apache Group\Tomcat\5.0 SubSection Tomcat SecTomcat @@ -66,6 +61,7 @@ File /r bin Delete $INSTDIR\bin\tomcat.exe File /r common + File /r conf File /r shared File /r logs File /r server @@ -79,6 +75,7 @@ Pop $2 CopyFiles $2\lib\tools.jar $INSTDIR\common\lib 4500 + BringToFront SectionEnd @@ -94,6 +91,7 @@ ExecWait '$INSTDIR\bin\tomcat.exe -install Apache Tomcat 5.0 $2 -Djava.class.path=$INSTDIR\bin\bootstrap.jar -Dcatalina.home=$INSTDIR -Djava.endorsed.dirs=$INSTDIR\common\endorsed -start org.apache.catalina.startup.BootstrapService -params start -stop org.apache.catalina.startup.BootstrapService -params stop -out $INSTDIR\logs\stdout.log -err $INSTDIR\logs\stderr.log' + BringToFront ClearErrors SectionEnd @@ -172,12 +170,6 @@ WriteUninstaller $INSTDIR\Uninstall.exe - SetOverwrite off - SetOutPath $INSTDIR - File /r conf - - SetOverwrite on - Call startService WriteRegStr HKLM SOFTWARE\Apache Group\Tomcat\5.0 $INSTDIR @@ -412,6 +404,9 @@ StrCpy $R4 'port=$R0' StrCpy $R5 'user name=$R1 password=$R2 roles=admin,manager /' + DetailPrint 'HTTP/1.1 Connector configured on port $R0' + DetailPrint 'Admin user added: $R1' + SetOutPath $TEMP File /r confinstall @@ -427,6 +422,8 @@ FileClose $R9 + DetailPrint server.xml written + ; Build final tomcat-users.xml Delete $INSTDIR\conf\tomcat-users.xml FileOpen $R9 $INSTDIR\conf\tomcat-users.xml w @@ -439,6 +436,8 @@ FileClose $R9 + DetailPrint tomcat-users.xml written + ; Creating a few shortcuts IfFileExists $SMPROGRAMS\Apache Tomcat 5.0 0 NoLinks @@ -499,7 +498,8 @@ IfFileExists $INSTDIR\bin\tomcat.exe 0 NoService ExecWait 'net start Apache Tomcat 5.0' - Sleep 4000 + Sleep 3000 + BringToFront NoService: @@ -516,7 +516,8 @@ IfFileExists $INSTDIR\bin\tomcat.exe 0 NoService ExecWait 'net stop Apache Tomcat 5.0' - Sleep 2000 + Sleep 1000 + BringToFront NoService: 1.3 +4 -4 jakarta-tomcat-5/resources/INSTALLLICENSE Index: INSTALLLICENSE
Re: [5.0] [VOTE] Remove deprecated and unsupported components
ballot [X] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot Cheers Jean-frederic -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core StandardWrapperValve.java
remm2002/10/09 05:40:53 Modified:catalina/src/share/org/apache/catalina/core StandardWrapperValve.java Log: - The decoded URI should be used there. Revision ChangesPath 1.5 +15 -10 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java Index: StandardWrapperValve.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- StandardWrapperValve.java 12 Sep 2002 00:09:27 - 1.4 +++ StandardWrapperValve.java 9 Oct 2002 12:40:53 - 1.5 @@ -248,16 +248,21 @@ String contextPath = hreq.getContextPath(); if (contextPath == null) contextPath = ; -String requestURI = hreq.getRequestURI(); +String requestURI = ((HttpRequest) hreq).getDecodedRequestURI(); if (requestURI.length() = contextPath.length()) requestPath = requestURI.substring(contextPath.length()); } -sreq.setAttribute(ApplicationFilterFactory.DISPATCHER_TYPE_ATTR, -new Integer(ApplicationFilterFactory.REQUEST)); -sreq.setAttribute(ApplicationFilterFactory.DISPATCHER_REQUEST_PATH_ATTR, requestPath); +sreq.setAttribute +(ApplicationFilterFactory.DISPATCHER_TYPE_ATTR, + new Integer(ApplicationFilterFactory.REQUEST)); +sreq.setAttribute +(ApplicationFilterFactory.DISPATCHER_REQUEST_PATH_ATTR, + requestPath); // Create the filter chain for this request -ApplicationFilterFactory factory = ApplicationFilterFactory.getInstance(); -ApplicationFilterChain filterChain = factory.createFilterChain(sreq, wrapper, servlet); +ApplicationFilterFactory factory = +ApplicationFilterFactory.getInstance(); +ApplicationFilterChain filterChain = +factory.createFilterChain(sreq, wrapper, servlet); // Call the filter chain for this request // NOTE: This also calls the servlet's service() method -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: commons-daemon release ?
Henri Gomez wrote: I wonder if a release of commons-daemon is planned. JF ? -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] I am using it in a product named openIS. The FSC QA are still complaining about small problems. I have to fix them... Then that will be time to make a release. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/valves ErrorReportValve.java
remm2002/10/09 05:42:51 Modified:catalina/src/share/org/apache/catalina/valves ErrorReportValve.java Log: - Port patch. Revision ChangesPath 1.3 +6 -9 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/valves/ErrorReportValve.java Index: ErrorReportValve.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/valves/ErrorReportValve.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- ErrorReportValve.java 12 Sep 2002 06:44:25 - 1.2 +++ ErrorReportValve.java 9 Oct 2002 12:42:51 - 1.3 @@ -250,11 +250,8 @@ if (message == null) message = ; -// Do nothing on a 1xx and 2xx status -if (statusCode 300) -return; -// Do nothing on a NOT MODIFIED status -if (statusCode == HttpServletResponse.SC_NOT_MODIFIED) +// Do nothing on a 1xx, 2xx and 3xx status +if (statusCode 400) return; // FIXME: Reset part of the request -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core StandardWrapperValve.java
remm2002/10/09 05:52:40 Modified:catalina/src/share/org/apache/catalina/core StandardWrapperValve.java Log: - Oops, not the right object. Revision ChangesPath 1.6 +5 -5 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java Index: StandardWrapperValve.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- StandardWrapperValve.java 9 Oct 2002 12:40:53 - 1.5 +++ StandardWrapperValve.java 9 Oct 2002 12:52:40 - 1.6 @@ -248,7 +248,7 @@ String contextPath = hreq.getContextPath(); if (contextPath == null) contextPath = ; -String requestURI = ((HttpRequest) hreq).getDecodedRequestURI(); +String requestURI = ((HttpRequest) request).getDecodedRequestURI(); if (requestURI.length() = contextPath.length()) requestPath = requestURI.substring(contextPath.length()); } -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-connectors/jk/xdocs/jk2 confighowto.xml
mturk 2002/10/09 06:01:29 Modified:jk/xdocs/jk2 confighowto.xml Log: Add the JNI Minimum configuration. Revision ChangesPath 1.2 +57 -1 jakarta-tomcat-connectors/jk/xdocs/jk2/confighowto.xml Index: confighowto.xml === RCS file: /home/cvs/jakarta-tomcat-connectors/jk/xdocs/jk2/confighowto.xml,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- confighowto.xml 8 Oct 2002 17:59:25 - 1.1 +++ confighowto.xml 9 Oct 2002 13:01:29 - 1.2 @@ -58,4 +58,60 @@ /p /section +section name=Minimum JNI Configuration +p +Minimum JNI configuration is the simplest one to make the Tomcat working +from inside the web server as inprocess. The only comunication channel used +is JNI. The JK2 will register all the native calls by itself, so there is +no need to specify the native library on Java side. +/p +p +jk2.properties: +source +# Add the apr and channelJni to the list of handlers +handler.list=apr,request,container,channelJni +# The native libraries will be registered by JK2 +apr.jniModeSo=inprocess +/source +/p +p +workers2.properties: +source +# Define the comunication channel +[channel.jni:jni] +info=The jni channel, used if tomcat is started inprocess + +# Define the parameters for the Java Virtual Machine +[vm:] +info=Parameters used to load a JVM in the server process +OPT=-Djava.class.path=${TOMCAT_HOME}/lib/tomcat-jni.jar;${TOMCAT_HOME}/lib/tomcat.jar +OPT=-Dtomcat.home=${TOMCAT_HOME} +OPT=-Dcatalina.home=${TOMCAT_HOME} +OPT=-Xmx128M + +# JNI worker startup handler +[worker.jni:onStartup] +info=Command to be executed by the VM on startup. This one will start tomcat. +class=org/apache/jk/apr/TomcatStarter +ARG=start +stdout=${serverRoot}/logs/stdout.log +stderr=${serverRoot}/logs/stderr.log + +# JNI worker shutdown handler +[worker.jni:onShutdown] +info=Command to be executed by the VM on shutdown. This one will stop tomcat. +class=org/apache/jk/apr/TomcatStarter +ARG=stop + +# Map the Tomcat examples webapp to the Web server uri space +[uri:/examples/*] +info=Map the whole webapp +/source +/p +p +Start the Web server and browse to the ahttp://localhost/examples//a +/p + +/section + /document -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: commons-daemon release ?
Remy Maucherat wrote: Henri Gomez wrote: I wonder if a release of commons-daemon is planned. No, because promoting it to commons proper got vetoed. And the reasons why have not been changed... I had no time to write the needed code (and I was on holidays at the time of the veto: it was in mid-august). At the moment, it looks like a split between daemon and launcher will happen. Because a release of launcher is needed. (like Costin, I'd really like to get rid of the Java code in daemon - the o.a.c.daemon package -, BTW) -1 I am using it. And I need time to write the corresponding C code. Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [5.0] [VOTE] Remove deprecated and unsupported components
ballot [ X ] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot -- Jeanfrancois -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: administration-howto.html
jean-frederic clere wrote: Hi, I am willing to use the administration tools of Tomcat but I am wondering where the administration-howto.html is located. If it is not existing I will create one similar to the existing manager-howto.xml. Any comments? I know that Amy has been working on taking care of some of the problems I posted about the Tomcat 4.1 configuration admin application. A help document was one of the issues. This is really needed, thanks! Glenn -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13456] New: - allowChuncking=false not working
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13456. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13456 allowChuncking=false not working Summary: allowChuncking=false not working Product: Tomcat 4 Version: 4.0 Final Platform: PC OS/Version: Other Status: NEW Severity: Major Priority: Other Component: Connector:Coyote HTTP/1.1 AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] allowChunking=false in Coyoute connector still give chunked responses. simply changed to the catalina Connector and the problem was solved. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: [5.0] [VOTE] Remove deprecated and unsupported components
ballot [X] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot Saludos, Ignacio J. Ortega -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13365] - JSP source disclosure vulnerability not fixed when invoking servlets by name
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365 JSP source disclosure vulnerability not fixed when invoking servlets by name [EMAIL PROTECTED] changed: What|Removed |Added Status|NEW |RESOLVED Resolution||FIXED --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 14:23 --- Ok, this is fixed in all branches, and Tomcat 4.0.6 has been released (the default Tomcat 4.0.5 installation was vulnerable). However, NEVER EVER DISCUSS A POTENTIAL SECURITY PROBLEM ON A PUBLIC COMMUNICATION CHANNEL, because this puts all Tomcat users at risk. The Tomcat Team also cannot release a new version within minutes a security problem is published. Thanks. There are *private* mailing lists for that (security at apache.org), and you will be given all the credit you want or deserve. I used the patch submitted as a patch which can be applied to Tomcat 4.0.5 to resolve the problem without upgrading to 4.0.6. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13456] - allowChuncking=false not working
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13456. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13456 allowChuncking=false not working [EMAIL PROTECTED] changed: What|Removed |Added Status|NEW |RESOLVED Resolution||WONTFIX Version|4.0 Final |4.1.12 --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 14:26 --- FYI, this is not supported (and will never be supported) in Coyote HTTP/1.1. The documentation does not specify this flag is allowed. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse JSSESupport.java
bobh2002/10/09 08:03:21 Modified:util/java/org/apache/tomcat/util/net/jsse JSSESupport.java Log: - make gump happy by getting rid of 1.4 only class java.net.SocketTimeoutException Revision ChangesPath 1.3 +3 -3 jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java Index: JSSESupport.java === RCS file: /home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- JSSESupport.java 8 Oct 2002 16:49:43 - 1.2 +++ JSSESupport.java 9 Oct 2002 15:03:21 - 1.3 @@ -222,8 +222,8 @@ for (int i = 0; i maxTries; i++) { try { int x = in.read(b); -} catch (SocketTimeoutException e) { -// ignore +} catch (IOException e) { +// ignore - presumably the timeout } if (listener.completed) { break; @@ -232,7 +232,7 @@ socket.removeHandshakeCompletedListener(listener); socket.setSoTimeout(oldTimeout); if (listener.completed == false) { -throw new SocketTimeoutException(SSL Cert handshake timeout); +throw new SocketException(SSL Cert handshake timeout); } } -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13014] - OS/390/USS - Invalid url-pattern in servlet mapping
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13014. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13014 OS/390/USS - Invalid url-pattern in servlet mapping --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 15:11 --- The USS environment is somewhat unusual...perhaps no one at apache.org has ready access to such a system for testing and debugging this issue. Attachmate would be happy to provide such access to anyone involved with Tomcat development at apache.org if it would help speed resolution. Please email me, and we can discuss details of this. -Ned -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
Remy Maucherat wrote: Henri Gomez wrote: This is likely the protection against reading anything outside the webapp root (see the allowLinking of FileDirContext), although I don't know how the digester will try to load the included file. Digester code is derived from XmlMapper which is able to locate entities in ../../../ directories. My concern here is : Specs didn't mentions restriction on use of external entities outside the webapp. So it should be granted by default isn't it ? I take a look at FileDirContext but I didn't understand what allowLinking is ? So my question is : bug or feature ? There's a pretty strict check on the canonical path of a resource which I added. I consider it a security feature. I think a webapp should be self contained, so I think it's reasonable to have the check as the default. allowLinking disables the check. Don't be lazy, just do a search in FileDirContext ;-) I take a look at this but but digester didn't use FileDirContext so the allowLinking didn't fit. The problem seems be only in Digester which fail to load ../../../settings.xml What could we do ? PS: I tried with TC 4.1.x and all commons from CVS. at org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344) at java.net.URL.openStream(URL.java:793) at org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:807) at org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:738) at org.apache.xerces.impl.XMLDTDScannerImpl.startPE(XMLDTDScannerImpl.java:609) at org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(XMLDTDScannerImpl.java:1927) at org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(XMLDTDScannerImpl.java:1889) at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:359) at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(XMLDocumentScannerImpl.java:808) at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:329) at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:525) at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:581) at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152) at org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1175) at org.apache.commons.digester.Digester.parse(Digester.java:1542) at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:282) at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:639) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:243) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166) at org.apache.catalina.core.StandardContext.start(StandardContext.java:3567) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188) at org.apache.catalina.core.StandardHost.start(StandardHost.java:738) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347) at org.apache.catalina.core.StandardService.start(StandardService.java:497) -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [Proposal] Security Audit
I can't think of anything more boring and tedious (bug fixing?) but I am willing to help. Maybe we should divide up the classes. Cheers, -bob On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote: Hi, I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I would like to collect as more as information as where you think I should look at (code, security hole, etc.). I'm planning to do the audit using the default SecurityManager. Rigth now, I have started looking at: - doPrivilege blocks. Are they small enough? Can they be reduced? - JSP generated code. Are they secure? Can a malicious app uses the code to access o.a.catalina code? - Is catalina.policy restricted enough? - Is our Classloader secure? Any direction/ideas/recommendations will be appreciated. Thanks, -- Jeanfrancois -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Bob Herrmann [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
On Wed, 9 Oct 2002, Henri Gomez wrote: Date: Wed, 09 Oct 2002 17:39:00 +0200 From: Henri Gomez [EMAIL PROTECTED] Reply-To: Tomcat Developers List [EMAIL PROTECTED] To: Tomcat Developers List [EMAIL PROTECTED] Subject: Re: apps conversion from 3.3.1 to 4.1.12 Remy Maucherat wrote: Henri Gomez wrote: This is likely the protection against reading anything outside the webapp root (see the allowLinking of FileDirContext), although I don't know how the digester will try to load the included file. Digester code is derived from XmlMapper which is able to locate entities in ../../../ directories. My concern here is : Specs didn't mentions restriction on use of external entities outside the webapp. So it should be granted by default isn't it ? I take a look at FileDirContext but I didn't understand what allowLinking is ? So my question is : bug or feature ? There's a pretty strict check on the canonical path of a resource which I added. I consider it a security feature. I think a webapp should be self contained, so I think it's reasonable to have the check as the default. allowLinking disables the check. Don't be lazy, just do a search in FileDirContext ;-) I take a look at this but but digester didn't use FileDirContext so the allowLinking didn't fit. The problem seems be only in Digester which fail to load ../../../settings.xml What could we do ? Haven't looked at the code, but here's a couple of thoughts that might help: If your path above (../../../settings.xml) is attempting to go above the context root of the webapp, it's pretty much guaranteed to fail because of the security restrictions. Undoing that restriction would just create a bunch of CERT reports about Tomcat letting you browse the entire directory structure of your disk. One of the important enablers for using external entity files in Digester is to use the Digester.parse() that takes an InputSource (rather than an InputStream), and be sure you have configured your InputSource to include the source URL. That is necessary for the XML parser to be able to resolve relative system ids. The code in ContextConfig that parses web.xml and TLD files was modified (a while back) to do this kind of thing, if you need an example. PS: I tried with TC 4.1.x and all commons from CVS. Craig at org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344) at java.net.URL.openStream(URL.java:793) at org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:807) at org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:738) at org.apache.xerces.impl.XMLDTDScannerImpl.startPE(XMLDTDScannerImpl.java:609) at org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(XMLDTDScannerImpl.java:1927) at org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(XMLDTDScannerImpl.java:1889) at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:359) at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(XMLDocumentScannerImpl.java:808) at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:329) at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:525) at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:581) at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152) at org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1175) at org.apache.commons.digester.Digester.parse(Digester.java:1542) at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:282) at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:639) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:243) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166) at org.apache.catalina.core.StandardContext.start(StandardContext.java:3567) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188) at org.apache.catalina.core.StandardHost.start(StandardHost.java:738) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347) at org.apache.catalina.core.StandardService.start(StandardService.java:497) -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
Henri Gomez wrote: Remy Maucherat wrote: Henri Gomez wrote: This is likely the protection against reading anything outside the webapp root (see the allowLinking of FileDirContext), although I don't know how the digester will try to load the included file. Digester code is derived from XmlMapper which is able to locate entities in ../../../ directories. My concern here is : Specs didn't mentions restriction on use of external entities outside the webapp. So it should be granted by default isn't it ? I take a look at FileDirContext but I didn't understand what allowLinking is ? So my question is : bug or feature ? There's a pretty strict check on the canonical path of a resource which I added. I consider it a security feature. I think a webapp should be self contained, so I think it's reasonable to have the check as the default. allowLinking disables the check. Don't be lazy, just do a search in FileDirContext ;-) I take a look at this but but digester didn't use FileDirContext so the allowLinking didn't fit. The problem seems be only in Digester which fail to load ../../../settings.xml What could we do ? PS: I tried with TC 4.1.x and all commons from CVS. at org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344) at java.net.URL.openStream(URL.java:793) Well, that's exactly the same. Where do you think that weird URL connection goes ?? (hint: to the aforementioned FileDirContext, through some classloader binding) The place where it gets rejected should be the FileDirContext.file() method, as far as I can remember. Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344) at java.net.URL.openStream(URL.java:793) Well, that's exactly the same. Where do you think that weird URL connection goes ?? (hint: to the aforementioned FileDirContext, through some classloader binding) Well it's my initial diggs in TC 4.1.x, let me some time to discover it. The place where it gets rejected should be the FileDirContext.file() method, as far as I can remember. FileDirContext.file() is used to get webapps/ROOT/web.xml ref and validate access, but the external entity is grabbed from Digester so outside FileDirContext control (from my debug analyze). -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
Haven't looked at the code, but here's a couple of thoughts that might help: If your path above (../../../settings.xml) is attempting to go above the context root of the webapp, it's pretty much guaranteed to fail because of the security restrictions. Undoing that restriction would just create a bunch of CERT reports about Tomcat letting you browse the entire directory structure of your disk. I agree but the ../../../settings.xml was set in web.xml, under administrator control, and tomcat can't even overwrite it. We've got another problem here since Tomcat 3.3.x allow this and but Tomcat 4.1.x prevent it. Should we fix Tomcat 3.3.2 ? One of the important enablers for using external entity files in Digester is to use the Digester.parse() that takes an InputSource (rather than an InputStream), and be sure you have configured your InputSource to include the source URL. That is necessary for the XML parser to be able to resolve relative system ids. The code in ContextConfig that parses web.xml and TLD files was modified (a while back) to do this kind of thing, if you need an example. Didn't have access on it since the external entity is set in web.xml so under org.apache.catalina.startup.ContextConfig.applicationConfig control, not application control. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
On Wed, 9 Oct 2002, Henri Gomez wrote: Date: Wed, 09 Oct 2002 18:13:10 +0200 From: Henri Gomez [EMAIL PROTECTED] Reply-To: Tomcat Developers List [EMAIL PROTECTED] To: Tomcat Developers List [EMAIL PROTECTED] Subject: Re: apps conversion from 3.3.1 to 4.1.12 Haven't looked at the code, but here's a couple of thoughts that might help: If your path above (../../../settings.xml) is attempting to go above the context root of the webapp, it's pretty much guaranteed to fail because of the security restrictions. Undoing that restriction would just create a bunch of CERT reports about Tomcat letting you browse the entire directory structure of your disk. I agree but the ../../../settings.xml was set in web.xml, under administrator control, and tomcat can't even overwrite it. We've got another problem here since Tomcat 3.3.x allow this and but Tomcat 4.1.x prevent it. Should we fix Tomcat 3.3.2 ? One of the important enablers for using external entity files in Digester is to use the Digester.parse() that takes an InputSource (rather than an InputStream), and be sure you have configured your InputSource to include the source URL. That is necessary for the XML parser to be able to resolve relative system ids. The code in ContextConfig that parses web.xml and TLD files was modified (a while back) to do this kind of thing, if you need an example. Didn't have access on it since the external entity is set in web.xml so under org.apache.catalina.startup.ContextConfig.applicationConfig control, not application control. If this reference is in your web.xml file, then my suggestion is already being done. To test it, try temporarily copying the settings.xml file into the WEB-INF directory and changing the relative URL appropriately. I'd be -1 on removing the security check in 4.x/5.x. Fixing 3.3.2 sounds like a good idea. Craig -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [Proposal] Security Audit
I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I would like to collect as more as information as where you think I should look at (code, security hole, etc.). I'm planning to do the audit using the default SecurityManager. Rigth now, I have started looking at: Although their goals and technology are different (an OS written in C), I believe anyone interested in helping might learn a lot by looking at OpenBSD (a free UNIX-like OS whose entire code base has been subjected to a careful (and ongoing!) security audit). They have some papers online; go to www.openbsd.org and look at press.html (which has links to various papers). Look for auditing. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [5.0] [VOTE] Remove deprecated and unsupported components
ballot [X ] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot As long as it won't break builds of 4.1 :-) -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Tomcat 4.1.12: Xerces 2.2 problems - Struts 1.0.2 bug.
Hi, with Tomcat 4.1.12, Xerces 2.2 is throwing the following exception: org.xml.sax.SAXParseException: The string -- is not permitted within comments. at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) This is a bug in the org.apache.struts.digester.Digester class. If you uses Struts 1.1 beta 2 jar file, the bug will not happen. Xerces 2.2 generates a lot of Warnings and the Digester version of Struts 1.0.2 logs an exception instead of a warning. This has been corrected in the current Digester (1.3) we are using. So we have to decide which combinaison we want to support with 4.1.x: Xerces 2.1 + Struts 1.0.2 or Xerces 2.2 + Struts 1.1b2 -- Jeanfrancois -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat 4.1.12: Xerces 2.2 problems - Struts 1.0.2 bug.
Jean-Francois Arcand wrote: Hi, with Tomcat 4.1.12, Xerces 2.2 is throwing the following exception: org.xml.sax.SAXParseException: The string -- is not permitted within comments. at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) This is a bug in the org.apache.struts.digester.Digester class. If you uses Struts 1.1 beta 2 jar file, the bug will not happen. Xerces 2.2 generates a lot of Warnings and the Digester version of Struts 1.0.2 logs an exception instead of a warning. This has been corrected in the current Digester (1.3) we are using. So we have to decide which combinaison we want to support with 4.1.x: Xerces 2.1 + Struts 1.0.2 or Xerces 2.2 + Struts 1.1b2 For 4.1.x, I'll definitely package the stable releases (X 2.1 + S 1.0.x). For 5.0.0, I'll package S 1.1 beta + X 2.2 (nice explanation). (I still plan to tag 5.0.0 this week, as it's been relatively stable for some time now) Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/xmlparser ParserUtils.java
luehe 2002/10/09 09:47:31 Modified:jasper2/src/share/org/apache/jasper/xmlparser ParserUtils.java Log: Removed dead code Revision ChangesPath 1.5 +1 -96 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/xmlparser/ParserUtils.java Index: ParserUtils.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/xmlparser/ParserUtils.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- ParserUtils.java 16 Jul 2002 19:30:53 - 1.4 +++ ParserUtils.java 9 Oct 2002 16:47:31 - 1.5 @@ -124,17 +124,6 @@ // - Public Methods - -/** - * Return the class loader used to access our XML parser. - */ -// public ClassLoader getClassLoader() { - -// return (this.classLoader); - -// } - - /** * Parse the specified XML document, and return a codeTreeNode/code * that corresponds to the root node of the document tree. @@ -154,34 +143,12 @@ try { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); -/* -Class clazz = - classLoader.loadClass(javax.xml.parsers.DocumentBuilderFactory); -System.out.println(Loaded DBF from:); -System.out.println(clazz.getClassLoader()); -Method method = clazz.getMethod(newInstance, new Class[0]); -DocumentBuilderFactory factory = (DocumentBuilderFactory) -method.invoke(null, new Object[0]); -*/ factory.setNamespaceAware(true); factory.setValidating(validating); DocumentBuilder builder = factory.newDocumentBuilder(); builder.setEntityResolver(entityResolver); builder.setErrorHandler(errorHandler); document = builder.parse(is); -//System.out.println(Parsing + uri ); -/* -} catch (ClassNotFoundException ex) { -throw new JasperException(CNFE: + ex); // FIXME -} catch (IllegalAccessException ex) { -throw new JasperException(IACE: + ex); // FIXME -} catch (IllegalArgumentException ex) { -throw new JasperException(IARE: + ex); // FIXME -} catch (InvocationTargetException ex) { -throw new JasperException(ITE: + ex); // FIXME -} catch (NoSuchMethodException ex) { -throw new JasperException(NSME: + ex); // FIXME -*/ } catch (ParserConfigurationException ex) { throw new JasperException (Constants.getString(jsp.error.parse.xml, @@ -306,71 +273,10 @@ (ClassLoader parentLoader) { ParserUtils parserUtils = null; -/* -try { -Class clazz = parentLoader.loadClass -(org.apache.jasper.xmlparser.ParserUtils); -parserUtils = (ParserUtils) clazz.newInstance(); -System.out.println(ParserUtils loaded by ClassLoader:\r\n + - parserUtils.getClass().getClassLoader()); -parserUtils.setClassLoader(createClassLoader(parentLoader)); -} catch (ClassNotFoundException e) { -System.out.println(createParserUtils: ClassNotFoundException); -e.printStackTrace(System.out); -} catch (IllegalAccessException e) { -System.out.println(createParserUtils: IllegalAccessException); -e.printStackTrace(System.out); -} catch (InstantiationException e) { -System.out.println(createParserUtils: InstantiationException); -e.printStackTrace(System.out); -} catch (MalformedURLException e) { -System.out.println(createParserUtils: MalformedURLException); -e.printStackTrace(System.out); -} -*/ parserUtils = new ParserUtils(); parserUtils.setClassLoader(parentLoader); return (parserUtils); } - - -/** - * Construct (if necessary) and return a class loader that has been - * configured with the specified parent class loader, and repositories - * as needed to access the required XML parser. - * - * @param parentLoader The web application class loader - * - * @exception MalformedURLException if we cannot create a valid URL for - * one of the required repositories - */ -/* This doesn't work. - - public synchronized static ClassLoader createClassLoader -(ClassLoader parentLoader) throws MalformedURLException { - -// Return any existing class loader
cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/util StringManager.java
luehe 2002/10/09 09:55:14 Removed: jasper2/src/share/org/apache/jasper/util StringManager.java Log: Removed redundant org.apache.jasper.util.StringManager -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11 Constants.java
remm2002/10/09 09:56:17 Modified:http11/src/java/org/apache/coyote/http11 Constants.java Log: - Increase a little bit buffer sizes. Revision ChangesPath 1.10 +1 -1 jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Constants.java Index: Constants.java === RCS file: /home/cvs/jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Constants.java,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- Constants.java23 Jul 2002 15:27:24 - 1.9 +++ Constants.java9 Oct 2002 16:56:17 - 1.10 @@ -147,7 +147,7 @@ /** * Default HTTP header buffer size. */ -public static final int DEFAULT_HTTP_HEADER_BUFFER_SIZE = 32 * 1000; +public static final int DEFAULT_HTTP_HEADER_BUFFER_SIZE = 48 * 1024; /** -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13223] - JSP pages in XML syntax do not compile properly
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13223. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13223 JSP pages in XML syntax do not compile properly --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 16:57 --- Sorry, I mispoke. I checked with JSP spec lead and Andreas is right that jsp:attribut cannot be used in the way I described, per JSP.5.10. However, this can be used instead. jsp:element name=td jsp:attribute name=value: jsp:expressionfoo/jsp:expression /jsp:attribute /jsp:element -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-connectors/jk/native2/common jk_uriMap.c
mturk 2002/10/09 10:08:10 Modified:jk/native2/common jk_uriMap.c Log: Fix the hostMap checking hostname:port then hostname Revision ChangesPath 1.51 +21 -14jakarta-tomcat-connectors/jk/native2/common/jk_uriMap.c Index: jk_uriMap.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/common/jk_uriMap.c,v retrieving revision 1.50 retrieving revision 1.51 diff -u -r1.50 -r1.51 --- jk_uriMap.c 3 Oct 2002 10:32:29 - 1.50 +++ jk_uriMap.c 9 Oct 2002 17:08:09 - 1.51 @@ -256,31 +256,40 @@ { int i, j, n; char *name; -char hostame[1024] = {0}; +char hostname[1024] = {0}; if (port) { if (vhost) { if (strchr(vhost, ':')) -strcpy(hostame, vhost); +strcpy(hostname, vhost); else - sprintf(hostame, %s:%d, vhost, port); + sprintf(hostname, %s:%d, vhost, port); } else -sprintf(hostame, *:%d, port); +sprintf(hostname, *:%d, port); } else if (vhost) -strcpy(hostame, vhost); +strcpy(hostname, vhost); else /* Return default host if vhost and port wasn't suplied */ return uriMap-vhosts-get(env, uriMap-vhosts, *); n = uriMap-vhosts-size(env, uriMap-vhosts); -/* Check the hostnames first */ +/* Check the exact hostname:port first */ for (i = 0 ; i n ; i++) { jk_uriEnv_t *uriEnv = uriMap-vhosts-valueAt(env, uriMap-vhosts, i); name = uriMap-vhosts-nameAt(env, uriMap-vhosts, i); /* Host name is not case sensitive */ -if (strcasecmp(name, hostame) == 0) { -if (port == 0 || port == uriEnv-port) +if (strcasecmp(name, hostname) == 0 port == uriEnv-port) +return uriEnv; +} + +if (vhost) { +/* Check the hostname */ +for (i = 0 ; i n ; i++) { +jk_uriEnv_t *uriEnv = uriMap-vhosts-valueAt(env, uriMap-vhosts, i); +name = uriMap-vhosts-nameAt(env, uriMap-vhosts, i); +/* Host name is not case sensitive */ +if (strcasecmp(name, vhost) == 0) return uriEnv; } } @@ -292,10 +301,8 @@ int m = uriEnv-aliases-size(env, uriEnv-aliases); for (j = 0; j m; j++) { name = uriEnv-aliases-nameAt(env, uriEnv-aliases, j); -if (strcasecmp(name, hostame) == 0) { -if (port == 0 || port == uriEnv-port) -return uriEnv; -} +if (strcasecmp(name, hostname) == 0) +return uriEnv; } } } @@ -574,7 +581,7 @@ const char *str_minus_one=str-1; const char *s=str+strlen(str); while(s!=str_minus_one ch!=*s) { - --s; +--s; } return (s-str); } @@ -632,7 +639,7 @@ */ if (uriMap == NULL || uri==NULL) - return NULL; +return NULL; if (uriMap-mbean-debug 1) env-l-jkLog(env, env-l, JK_LOG_DEBUG, -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-connectors/jk/native2/server/apache13 mod_jk2.c
mturk 2002/10/09 10:10:24 Modified:jk/native2/server/apache13 mod_jk2.c Log: Skip the checking of default hostname and port. Using that scheme the same behaviour is on all web servers. Revision ChangesPath 1.25 +4 -8 jakarta-tomcat-connectors/jk/native2/server/apache13/mod_jk2.c Index: mod_jk2.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/server/apache13/mod_jk2.c,v retrieving revision 1.24 retrieving revision 1.25 diff -u -r1.24 -r1.25 --- mod_jk2.c 4 Oct 2002 16:23:42 - 1.24 +++ mod_jk2.c 9 Oct 2002 17:10:24 - 1.25 @@ -437,7 +437,6 @@ { jk_uriEnv_t *uriEnv; jk_env_t *env; -int port; if(r-proxyreq) { return DECLINED; @@ -450,13 +449,10 @@ /* get_env() */ env = workerEnv-globalEnv-getEnv( workerEnv-globalEnv ); -port = ap_get_server_port(r); -if (ap_is_default_port(port, r)) -port = 0; uriEnv = workerEnv-uriMap-mapUri(env, workerEnv-uriMap, -r-server-is_virtual ? ap_get_server_name(r) : NULL, -port, -r-uri); + ap_get_server_name(r), + ap_get_server_port(r), + r-uri); if(uriEnv==NULL || uriEnv-workerName==NULL) { workerEnv-globalEnv-releaseEnv( workerEnv-globalEnv, env ); -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-connectors/jk/native2/server/apache2 mod_jk2.c
mturk 2002/10/09 10:10:52 Modified:jk/native2/server/apache2 mod_jk2.c Log: Skip the checking of default hostname and port. Using that scheme the same behaviour is on all web servers. Revision ChangesPath 1.54 +3 -7 jakarta-tomcat-connectors/jk/native2/server/apache2/mod_jk2.c Index: mod_jk2.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/server/apache2/mod_jk2.c,v retrieving revision 1.53 retrieving revision 1.54 diff -u -r1.53 -r1.54 --- mod_jk2.c 23 Sep 2002 17:40:17 - 1.53 +++ mod_jk2.c 9 Oct 2002 17:10:52 - 1.54 @@ -629,7 +629,6 @@ { jk_uriEnv_t *uriEnv; jk_env_t *env; -int port; if(r-proxyreq || workerEnv==NULL) { return DECLINED; @@ -679,12 +678,9 @@ the real mapping. */ -port = ap_get_server_port(r); -if (ap_is_default_port(port, r)) -port = 0; uriEnv = workerEnv-uriMap-mapUri(env, workerEnv-uriMap, -r-server-is_virtual ? ap_get_server_name(r) : NULL, -port, +ap_get_server_name(r), +ap_get_server_port(r), r-uri); if( uriEnv== NULL || uriEnv-workerName == NULL) { -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c
mturk 2002/10/09 10:11:22 Modified:jk/native2/server/isapi jk_isapi_plugin.c Log: Skip the checking of default hostname and port. Using that scheme the same behaviour is on all web servers. Revision ChangesPath 1.50 +5 -6 jakarta-tomcat-connectors/jk/native2/server/isapi/jk_isapi_plugin.c Index: jk_isapi_plugin.c === RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/server/isapi/jk_isapi_plugin.c,v retrieving revision 1.49 retrieving revision 1.50 diff -u -r1.49 -r1.50 --- jk_isapi_plugin.c 25 Sep 2002 07:36:48 - 1.49 +++ jk_isapi_plugin.c 9 Oct 2002 17:11:22 - 1.50 @@ -270,6 +270,7 @@ DWORD szHost = sizeof(Host); DWORD szTranslate = sizeof(Translate); DWORD szPort = sizeof(Port); +int nPort; #ifdef SF_NOTIFY_AUTH_COMPLETE if (auth_notification_flags == SF_NOTIFY_AUTH_COMPLETE) { GetHeader=((PHTTP_FILTER_AUTH_COMPLETE_INFO)pvNotification)-GetHeader; @@ -341,13 +342,11 @@ Port[szPort-1] = '\0'; } } -szPort = atoi(Port); -if (szPort == 80 || szPort == 443) -szPort = 0; +nPort = atoi(Port); env-l-jkLog(env, env-l, JK_LOG_DEBUG, -In HttpFilterProc Virtual Host redirection of %s : %d\n, +In HttpFilterProc Virtual Host redirection of %s : %s\n, Host, Port); -uriEnv = workerEnv-uriMap-mapUri(env, workerEnv-uriMap,Host, szPort, uri ); +uriEnv = workerEnv-uriMap-mapUri(env, workerEnv-uriMap,Host, nPort, uri ); if( uriEnv!=NULL ) { char *forwardURI; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: tomcat4 write in conf files which is not FHS compliant
I'm not sure about this. AFAIK on RedHat and Mandrake ( and probably any other distro ) there are tools that are modifying config files ( in etc ). I don't know how the FHS can request 'read only' status. jk2.properties saving can be disabled. Right now the feature is not completely implemented - we still need the java interface ( JMX proxy ) and documentation. So disabling it for now is fine. But from all I know, the configuration is RW. Costin jean-frederic clere wrote: Henri Gomez wrote: Hi to all, Tomcat 4 make write access to 2 files in the conf directory, jk2.properties and tomcat-users.xml (and may be others). The problem is that FHS indicate that a conf directory should be read only. I have the same problem with /opt where I am installing Tomcat. For instance, tomcat4 rpm install the conf directory in /etc/tomcat4 and use symlink to map it to /var/tomcat4/conf. What could be done to have a behaviour following FHS recommandations ? Could we imagine having jk2.properties and tomcat-users.xml (and other files in conf which may be updated by tomcat4) in another directory, ie work/conf ? I am using catalina-home and catalina-base. catalina-home contains the fixed data. catalina-base contains the instance data. I have the following (opt/SMAWoIS/jakarta-tomcat-4.1.12 is catalina-home): +++ # ls -l /opt/SMAWoIS/jakarta-tomcat total 12 drwxr-xr-x 2 root other512 Oct 8 11:34 bin drwxr-xr-x 2 nobody other512 Oct 8 11:31 conf drwxr-xr-x 4 root other512 Oct 3 10:32 conf.save drwxr-xr-x 2 nobody other512 Oct 8 11:31 logs lrwxrwxrwx 1 root other 42 Oct 8 11:31 webapps - /opt/SMAWoIS/jakarta-tomcat-4.1.12/webapps drwxr-xr-x 3 nobody other512 Oct 3 12:04 work +++ The user nobody needs to write in conf because of these 2 files. That is the same for logs because the log files are not created at the right place in time (I am using daemon to start the Tomcat). conf.save is a save of the conf directory. Regards -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Costin -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [5.0] [VOTE] Remove deprecated and unsupported components
Remy Maucherat wrote: ballot [X] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot -- Costin -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: commons-daemon release ?
Remy Maucherat wrote: Henri Gomez wrote: I wonder if a release of commons-daemon is planned. No, because promoting it to commons proper got vetoed. At the moment, it looks like a split between daemon and launcher will happen. For the record - nobody can 'veto' a promotion to commons or a release. It is a majority vote. If it gets 3 +1 and more +1 than -1 - then it'll pass. I'm willing to change my vote to -0 if the API is fixed to not require applications to implement the daemon interfaces ( I don't like the split init any more than I did - and so I don't plan to use it any time soon ). I remain -1 on tomcat having dependecies on daemon, and probably -0 on bundling daemon with tomcat. As I said, for 'chuid' functionality I prefer using a direct call - I have most of it implemented using jk2, I'll finish this well before 5.0 is released. -- Costin -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-servletapi-5/jsr154/src/share/dtd jsp_2_0.xsd
kinman 2002/10/09 10:38:49 Modified:jsr152/src/share/dtd jsp_2_0.xsd jsr152/src/share/javax/servlet/jsp/el Expression.java jsr154/src/share/dtd jsp_2_0.xsd Log: - Patch by Mark Roth jsr152/src/share/javax/serlvet/jsp/el/Expression.java - Removed null as a return value for error - method must throw an exception to signal an error. jsr152/src/share/dtd/jsp_2_0.xsd: jsr154/src/share/dtd/jsp_2_0.xsd: - As per the Expert Group's decision, changed scripting-enabled to scripting-invalid and el-enabled to el-ignored. Jasper2 needs to be updated accordingly. Revision ChangesPath 1.4 +9 -8 jakarta-servletapi-5/jsr152/src/share/dtd/jsp_2_0.xsd Index: jsp_2_0.xsd === RCS file: /home/cvs/jakarta-servletapi-5/jsr152/src/share/dtd/jsp_2_0.xsd,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- jsp_2_0.xsd 20 Sep 2002 01:56:44 - 1.3 +++ jsp_2_0.xsd 9 Oct 2002 17:38:49 - 1.4 @@ -8,7 +8,7 @@ version=2.0 xsd:annotation xsd:documentation -@(#)jsp_2_0.xsds 1.12 09/18/02 +%W% %G% /xsd:documentation /xsd:annotation @@ -150,16 +150,17 @@ xsd:element name=url-pattern type=j2ee:url-patternType maxOccurs=unbounded/ -xsd:element name=el-enabled +xsd:element name=el-ignored type=j2ee:true-falseType minOccurs=0 xsd:annotation xsd:documentation -Can be used to easily set the isELEnabled +Can be used to easily set the isELIgnored property of a group of JSP pages. By default, the EL evaluation is enabled for Web Applications using -a Servlet 2.4 or greater web.xml. +a Servlet 2.4 or greater web.xml, and disabled + otherwise. /xsd:documentation /xsd:annotation @@ -181,15 +182,15 @@ /xsd:documentation /xsd:annotation /xsd:element -xsd:element name=scripting-enabled +xsd:element name=scripting-invalid type=j2ee:true-falseType minOccurs=0 xsd:annotation xsd:documentation -Can be used to easily set the isScriptingEnabled -property of a group of JSP pages. By default, -scripting is enabled. +Can be used to easily disable scripting in a +group of JSP pages. By default, scripting is + enabled. /xsd:documentation /xsd:annotation 1.2 +1 -1 jakarta-servletapi-5/jsr152/src/share/javax/servlet/jsp/el/Expression.java Index: Expression.java === RCS file: /home/cvs/jakarta-servletapi-5/jsr152/src/share/javax/servlet/jsp/el/Expression.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- Expression.java 19 Aug 2002 16:29:50 - 1.1 +++ Expression.java 9 Oct 2002 17:38:49 - 1.2 @@ -81,7 +81,7 @@ * * @param vResolver A VariableResolver instance that can be used at runtime to * resolve the name of implicit objects into Objects. - * @return The result of the expression evaluation or null if errors were encountered. + * @return The result of the expression evaluation. * * @exception ELException Thrown if the expression evaluation failed. */ 1.4 +9 -8 jakarta-servletapi-5/jsr154/src/share/dtd/jsp_2_0.xsd Index: jsp_2_0.xsd === RCS file: /home/cvs/jakarta-servletapi-5/jsr154/src/share/dtd/jsp_2_0.xsd,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- jsp_2_0.xsd 20 Sep 2002 01:56:44 - 1.3 +++ jsp_2_0.xsd 9 Oct 2002 17:38:49 - 1.4 @@ -8,7 +8,7 @@ version=2.0 xsd:annotation xsd:documentation -@(#)jsp_2_0.xsds 1.12 09/18/02 +%W% %G% /xsd:documentation /xsd:annotation @@ -150,16 +150,17 @@ xsd:element name=url-pattern type=j2ee:url-patternType maxOccurs=unbounded/ -xsd:element name=el-enabled +xsd:element name=el-ignored type=j2ee:true-falseType minOccurs=0 xsd:annotation xsd:documentation -Can be used to easily set the isELEnabled +Can be used to easily set the isELIgnored property of a group of JSP pages. By default, the EL evaluation is enabled for Web Applications using -a Servlet 2.4 or greater web.xml. +
Re: [5.0] [VOTE] Remove deprecated and unsupported components
ballot [X] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot Amy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler Compiler.java Generator.java JspConfig.java PageInfo.java TagFileProcessor.java Validator.java
kinman 2002/10/09 10:41:13 Modified:jasper2/src/share/org/apache/jasper/compiler Compiler.java Generator.java JspConfig.java PageInfo.java TagFileProcessor.java Validator.java Log: - Modified because of spec changes syntax and semantic of turning on and off scripting and EL. Revision ChangesPath 1.36 +5 -2 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/Compiler.java Index: Compiler.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/Compiler.java,v retrieving revision 1.35 retrieving revision 1.36 diff -u -r1.35 -r1.36 --- Compiler.java 24 Sep 2002 21:24:58 - 1.35 +++ Compiler.java 9 Oct 2002 17:41:13 - 1.36 @@ -210,10 +210,13 @@ if (jspProperty.isXml() != null) { pageInfo.setIsXmlSpecified(true); } + if (jspProperty.isELIgnored() != null) { + pageInfo.setELIgnoredSpecified(true); + } pageInfo.setIsXml(JspUtil.booleanValue(jspProperty.isXml())); pageInfo.setPageEncoding(jspProperty.getPageEncoding()); - pageInfo.setELEnabled(JspUtil.booleanValue(jspProperty.isELEnabled())); - pageInfo.setScriptingEnabled(JspUtil.booleanValue(jspProperty.isScriptingEnabled())); + pageInfo.setELIgnored(JspUtil.booleanValue(jspProperty.isELIgnored())); + pageInfo.setScriptingInvalid(JspUtil.booleanValue(jspProperty.isScriptingInvalid())); pageInfo.setIncludePrelude(jspProperty.getIncludePrelude()); pageInfo.setIncludeCoda(jspProperty.getIncludeCoda()); } 1.109 +4 -4 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/Generator.java Index: Generator.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/Generator.java,v retrieving revision 1.108 retrieving revision 1.109 diff -u -r1.108 -r1.109 --- Generator.java8 Oct 2002 00:45:23 - 1.108 +++ Generator.java9 Oct 2002 17:41:13 - 1.109 @@ -826,7 +826,7 @@ public void visit(Node.ELExpression n) throws JasperException { n.setBeginJavaLine(out.getJavaLine()); -if ( pageInfo.isELEnabled() ) { +if ( !pageInfo.isELIgnored() ) { out.printil( out.write( + JspUtil.interpreterCall(this.isTagFile, 1.4 +51 -51 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspConfig.java Index: JspConfig.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspConfig.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- JspConfig.java24 Aug 2002 21:42:34 - 1.3 +++ JspConfig.java9 Oct 2002 17:41:13 - 1.4 @@ -90,8 +90,8 @@ private boolean initialized = false; private String defaultIsXml = null; // unspecified -private String defaultIsELEnabled = true; -private String defaultIsScriptingEnabled = true; +private String defaultIsELIgnored = null;// unspecified +private String defaultIsScriptingInvalid = false; public JspConfig(ServletContext ctxt) { this.ctxt = ctxt; @@ -109,7 +109,7 @@ ParserUtils pu = ParserUtils.createParserUtils(cl); TreeNode webApp = pu.parseXMLDocument(WEB_XML, is); if (webApp == null || !2.4.equals(webApp.findAttribute(version))) { - defaultIsELEnabled = false; + defaultIsELIgnored = true; return; } TreeNode jspConfig = webApp.findChild(jsp-config); @@ -126,8 +126,8 @@ Vector urlPatterns = new Vector(); String pageEncoding = null; - String scriptingEnabled = null; - String elEnabled = null; + String scriptingInvalid = null; + String elIgnored = null; String isXml = null; Vector includePrelude = new Vector(); Vector includeCoda = new Vector(); @@ -143,10 +143,10 @@ pageEncoding = element.getBody(); else if (is-xml.equals(tname)) isXml = element.getBody(); - else if (el-enabled.equals(tname)) - elEnabled = element.getBody(); - else if (scripting-enabled.equals(tname)) - scriptingEnabled = element.getBody(); + else if (el-ignored.equals(tname)) + elIgnored = element.getBody(); + else if
Re: administration-howto.html
Glenn Nielsen wrote: jean-frederic clere wrote: Hi, I am willing to use the administration tools of Tomcat but I am wondering where the administration-howto.html is located. If it is not existing I will create one similar to the existing manager-howto.xml. Any comments? I know that Amy has been working on taking care of some of the problems I posted about the Tomcat 4.1 configuration admin application. A help document was one of the issues. There is also Tomcat Administration tool tutorial for the Java Web Services at http://java.sun.com/webservices/docs/1.0/tutorial/doc/Admintool.html. It doesn't have the latest admin addition but I'm sure you can reference to the documentation as you write the administration-howto.html in Tomcat. Perhaps, you can add a link to it as well. Thanks for good suggestion! Amy This is really needed, thanks! Glenn -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13084] - jsp compilation with jikes fails
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13084. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13084 jsp compilation with jikes fails --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 18:03 --- My apologies. I'm still getting used to bugzilla, and thought the OS version was only related to the comment that I was posting. I'll open a new bug. Matt -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
JNDI Initial Context, outside webapp
Hi, I noticed that is pratically impossible to retrieve a JNDI resource outside a webapp.If I need to access my resourse in some classes istantiated outside a single webapp, I always get an exception. Name jdbc/myDS is not bound in this Context I read the docs. If I understand well, the initialContext is read-only, (for this reason I cannot published a resource there), then the only context available is java:comp/env, available only insdie a webapp. I think that a solution could be: since initialContext for sure is initialized before webapps, if I can publish a resource there, then I can access this resource outside a webapp. have I understood well, is it so impossible to publish in the initialContext, like in other Application servers? is there a way to access a JNDI resource outside a webapp? or is it a limitation of the JNDI implementation in Tomcat? Thank you in advance for suggestions or explanation. -- Luca Zago Senior IT Developer _ E-TREE S.p.a. Via Fonderia 43 - 31100 Treviso (Italy) phone +39.0422.3107 fax +39.0422.310888 http://www.e-tree.com http://www.webanana.com _ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13466] New: - Jikes compilation fails
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13466. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13466 Jikes compilation fails Summary: Jikes compilation fails Product: Tomcat 4 Version: 4.1.12 Platform: Sun OS/Version: Solaris Status: NEW Severity: Critical Priority: Other Component: Jasper 2 AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] Solaris 8, Tomcat 4.1.12, Jikes 1.17, JDK 1.2.2_06 Following the instructions for using jikes instead of javac, I am getting the following error: org.apache.jasper.JasperException: Unable to compile class for JSP An error occurred at line: -1 in the jsp file: null Generated servlet error: [javac] jsp/error500_jsp.java added as /export/home/mpark/jakarta-tomcat- 4.1.12/work/Standalone/localhost/memento/jsp/error500_jsp.class doesn't exist. [javac] Compiling 1 source file [javac] Using jikes compiler dropping /usr/java1.2/jre/jre/lib/rt.jar from path as it doesn't exist dropping /usr/java1.2/Classes/classes.jar from path as it doesn't exist dropping /usr/java1.2/Classes/ui.jar from path as it doesn't exist [javac] Compilation arguments: [javac] '-classpath' [javac] '/usr/java1.2/jre/lib/ext/iiimp.jar:/usr/java/lib/tools.jar:/export/home /mpark/jakarta-tomcat-4.1.12/bin/bootstrap.jar:/export/home/mpark/jakarta- tomcat-4.1.12/webapps/memento/WEB-INF/classes:/export/home/mpark/jakarta-tomcat- 4.1.12/webapps/memento/WEB-INF/lib/log4j-1.2.6.jar:/export/home/mpark/jakarta- tomcat-4.1.12/webapps/memento/WEB- INF/lib/memento.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/webapps/memento/WEB-INF/lib/webapp.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/shared/classes:/export/home/mpark/jakarta-tomcat- 4.1.12/common/classes:/export/home/mpark/jakarta-tomcat- 4.1.12/common/endorsed/xercesImpl.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/endorsed/xmlParserAPIs.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/jasper-compiler.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/commons-logging-api.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/naming-factory.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/ant.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/naming-common.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/naming-resources.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/commons-collections.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/activation.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/jta.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/commons-dbcp.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/mail.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/jasper-runtime.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/jdbc2_0-stdext.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/jndi.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/commons-pool.jar:/export/home/mpark/jakarta-tomcat- 4.1.12/common/lib/servlet.jar:/usr/java1.2/jre/lib/rt.jar:/export/home/mpark/jak arta-tomcat-4.1.12/work/Standalone/localhost/memento' [javac] '-encoding' [javac] 'ISO-8859-1' [javac] '-g' [javac] [javac] The ' characters around the executable and arguments are [javac] not part of the command. [javac] File to be compiled: [javac] /export/home/mpark/jakarta-tomcat- 4.1.12/work/Standalone/localhost/memento/jsp/error500_jsp.java web.xml snippet: servlet servlet-namejsp/servlet-name servlet-classorg.apache.jasper.servlet.JspServlet/servlet-class init-param param-namelogVerbosityLevel/param-name param-valueDEBUG/param-value /init-param init-param param-namecompiler/param-name param-valuejikes/param-value /init-param init-param param-namejavaEncoding/param-name param-valueISO-8859-1/param-value /init-param load-on-startup3/load-on-startup /servlet # uname -a SunOS osiris 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-5_10 # java -version java version 1.2.2 Solaris VM (build Solaris_JDK_1.2.2_06, native threads, sunwjit) # jikes -version Jikes Compiler - Version 1.17 - 27 September 2002 -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/xmlparser ParserUtils.java
luehe 2002/10/09 11:25:39 Modified:jasper2/src/share/org/apache/jasper/compiler JspConfig.java TagLibraryInfoImpl.java TldLocationsCache.java jasper2/src/share/org/apache/jasper/xmlparser ParserUtils.java Log: Removed redundant code Revision ChangesPath 1.5 +4 -5 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspConfig.java Index: JspConfig.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspConfig.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- JspConfig.java9 Oct 2002 17:41:13 - 1.4 +++ JspConfig.java9 Oct 2002 18:25:39 - 1.5 @@ -105,8 +105,7 @@ return; } - ClassLoader cl = this.getClass().getClassLoader(); - ParserUtils pu = ParserUtils.createParserUtils(cl); + ParserUtils pu = new ParserUtils(); TreeNode webApp = pu.parseXMLDocument(WEB_XML, is); if (webApp == null || !2.4.equals(webApp.findAttribute(version))) { defaultIsELIgnored = true; 1.16 +4 -5 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/TagLibraryInfoImpl.java Index: TagLibraryInfoImpl.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/TagLibraryInfoImpl.java,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- TagLibraryInfoImpl.java 27 Sep 2002 20:18:32 - 1.15 +++ TagLibraryInfoImpl.java 9 Oct 2002 18:25:39 - 1.16 @@ -258,8 +258,7 @@ Vector functionVector = new Vector(); // Create an iterator over the child elements of our taglib element -ClassLoader cl = ctxt.getClassLoader(); -ParserUtils pu = ParserUtils.createParserUtils(cl); +ParserUtils pu = new ParserUtils(); TreeNode tld = pu.parseXMLDocument(uri, in); Iterator list = tld.findChildren(); 1.8 +12 -13 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/TldLocationsCache.java Index: TldLocationsCache.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/TldLocationsCache.java,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- TldLocationsCache.java7 Oct 2002 22:52:22 - 1.7 +++ TldLocationsCache.java9 Oct 2002 18:25:39 - 1.8 @@ -118,7 +118,7 @@ public static final int ROOT_REL_URI = 1; public static final int NOROOT_REL_URI = 2; -static private final String WEB_XML = /WEB-INF/web.xml; +private static final String WEB_XML = /WEB-INF/web.xml; /** * The mapping of the 'global' tag library URI to the location @@ -128,17 +128,21 @@ *[1] If the location is a jar file, this is the location *of the tld. */ -private Hashtable mappings = new Hashtable(); +private Hashtable mappings; -private Hashtable tlds = new Hashtable(); +private Hashtable tlds; + +private boolean initialized; +private ServletContext ctxt; -private boolean initialized=false; -ServletContext ctxt; //* // Constructor and Initilizations public TldLocationsCache(ServletContext ctxt) { -this.ctxt=ctxt; +this.ctxt = ctxt; + mappings = new Hashtable(); + tlds = new Hashtable(); + initialized = false; } private void init() { @@ -168,10 +172,7 @@ } // Parse the web application deployment descriptor -ClassLoader cl = -// (ClassLoader) ctxt.getAttribute(Constants.SERVLET_CLASS_LOADER); -this.getClass().getClassLoader(); -ParserUtils pu = ParserUtils.createParserUtils(cl); +ParserUtils pu = new ParserUtils(); TreeNode webtld = pu.parseXMLDocument(WEB_XML, is); // Allow taglib be an element of the root or jsp-config (JSP2.0) @@ -286,7 +287,6 @@ private String parseTldForUri(String resourcePath, InputStream in) throws JasperException { - // Parse the tag library descriptor at the specified resource path ParserUtils pu = new ParserUtils(); TreeNode tld = pu.parseXMLDocument(resourcePath, in); @@ -297,7 +297,6 @@ return body; } return null; // No uri element is present - }
Re: Tomcat4: Persistent http connection problem
I also have been surfing the web to find out how to implement an applet-to-servlet communication link over a persistent http connection. There is a working implementation available for download at http://www.ustobe.com/ After clicking on the 'news' item in the menu, there are links available to download HttpKeepalive.java, with javadoc explaining how to use this class. Mike _ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
mod_jk crash, please help
I am running apache 1.3 with mod_jk, my apache has apxs. I compiled and installed mod_jk from source, tag TOMCAT_4_1_12, configured it using the following options: ./configure --with-gnu-ld --with-apxs=/myapxpath/bin/apxs --enable-EAPI --with-java-home=/usr/java/jdk1.3.1 ran make installed mod_jk into the module directory, loaded fine. I created a virtual host in apache and added the following JkMount: JkMount /*.jsp wwwuser_wk My workers.properties looks as follows: workers.java_home=/usr/java/jdk1.3.1 workers.tomcat_home=/var/tomcat4 worker.list=wwwuser_wk worker.wwwuser_wk.host=localhost worker.wwwuser_wk.port=5266 worker.wwwuser_wk.type=ajp13 worker.wwwuser_wk.lbfactor=50 worker.wwwuser_wk.cachesize=10 worker.wwwuser_wk.cache_timeout=600 worker.wwwuser_wk.socket_keepalive=1 worker.wwwuser_wk.socket_timeout=300 I startup apache and tomcat, then i point my browser to xyz.com/index.jsp I get nothing back on the browser, and the following in error_log [notice] child pid 19817 exit signal Segmentation fault (11) I added debugging code to mod_jk and traced it to the following line in mod_jk.c s-remote_host = (char *)ap_get_remote_host(r-connection, r-per_dir_config, REMOTE_HOST); REMOTE_HOST seems to be NULL for that since i printed all the stuff from there. Please help. How can i trace this further? How do i get apache to generate a core file so i can see where in apache code this is? Any pointers for help here at all? Eugene -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [Proposal] Security Audit
FYI, Just to start off, I am going to review these classes. If someone else also reviews them, thats probably a good thing... # classes, package name 17 o.a.c.deploy 9 o.a.c.users 44 o.a.c.* 34 o.a.jk.* 15 j.s.http Briefly, I am going to look for - How/if a ClassLoader is used - privilege blocks (are they small, use trusted values) - look for non-final static variables (can they be abused) - can methods/fields be made private? - are mutable objects returned to caller (especially arrays) think about returning clones - non final equals/hashcode methods? (accessing sensitive stuff?) - Serializable (exposes private stuff?) Does anyone publish a security checklist list like this? Blah Blah, -bob On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote: Hi, I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I would like to collect as more as information as where you think I should look at (code, security hole, etc.). I'm planning to do the audit using the default SecurityManager. Rigth now, I have started looking at: - doPrivilege blocks. Are they small enough? Can they be reduced? - JSP generated code. Are they secure? Can a malicious app uses the code to access o.a.catalina code? - Is catalina.policy restricted enough? - Is our Classloader secure? Any direction/ideas/recommendations will be appreciated. Thanks, -- Jeanfrancois -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Bob Herrmann [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
[JK2] make hostMap cache
Hi, I would like to make the hostMap cache for hostname:port combination. Right now we doing hostMap over and over again for each request, so I would like to make a table that will save the once found hostEnv for requested hostname:port combination, skipping hostMap when already resolved. Any objections to that? Also I would like to extend the jk2_map to use the precomputed key checksum value, similar to the apr's table. That will give us significant speedup for table processing. MT. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [Proposal] Security Audit
AFAIK, the most important check is doPriviledged(). What we need to look for is if any of those blocks could be used by untrusted code to do something. The second very important check is the facades - making sure untrusted code can't get access to the real objects. We should also make sure that the facades are not reused or are reused only inside a context. It is nice to review all code for security and bugs ( and general quality ) - but IMO it is more important to review first the critical areas. The ClassLoader shouldn't create any major problems ( at least in delegating mode - in non delegating mode we can only trust the servlet experts that they did the resarch and can guarantee there's no security implications. I haven't heard anything convincing on this, but they should have this knowledge - otherwise it wouldn't be in the spec :-) Costin Bob Herrmann wrote: FYI, Just to start off, I am going to review these classes. If someone else also reviews them, thats probably a good thing... # classes, package name 17 o.a.c.deploy 9 o.a.c.users 44 o.a.c.* 34 o.a.jk.* 15 j.s.http Briefly, I am going to look for - How/if a ClassLoader is used - privilege blocks (are they small, use trusted values) - look for non-final static variables (can they be abused) - can methods/fields be made private? - are mutable objects returned to caller (especially arrays) think about returning clones - non final equals/hashcode methods? (accessing sensitive stuff?) - Serializable (exposes private stuff?) Does anyone publish a security checklist list like this? Blah Blah, -bob On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote: Hi, I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I would like to collect as more as information as where you think I should look at (code, security hole, etc.). I'm planning to do the audit using the default SecurityManager. Rigth now, I have started looking at: - doPrivilege blocks. Are they small enough? Can they be reduced? - JSP generated code. Are they secure? Can a malicious app uses the code to access o.a.catalina code? - Is catalina.policy restricted enough? - Is our Classloader secure? Any direction/ideas/recommendations will be appreciated. Thanks, -- Jeanfrancois -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Costin -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [5.0] [VOTE] Remove deprecated and unsupported components
ballot [X] Remove deprecated org.apache.catalina.connector components from the j-t-catalina module [ ] Leave them in /ballot -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13467] New: - getResource() URL doesn't know the content type
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13467. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13467 getResource() URL doesn't know the content type Summary: getResource() URL doesn't know the content type Product: Tomcat 4 Version: 4.0.4 Final Platform: All OS/Version: All Status: NEW Severity: Normal Priority: Other Component: Unknown AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] the URL object returned by the ServletContext's getResource() method doesn't figure out the content-type of the wrapped resource strictly speaking this is maybe not a bug but shurely is a low-quality implementation the javadoc for ServletContext's getResourceAsStream() method says: Meta-information such as content length and CONTENT TYPE that is available via getResource method is lost when using this method. so it implicitly states, that the content type should be available from the getResource() method -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [JK2] make hostMap cache
+1 One question - do you think it's a good idea to extend the jk2_map to do the full mapping ? ( actually, all the code is there, but it's not used ). By full mapping I mean setting/sending the 'servletPath', 'pathInfo', 'wrapperName' and all the extra information that is needed - and bypassing the normal mapper in java. In order for this to work we need to add the extra info to the [uri] and make sure it is sent - and then find how to bypass catalina mapper ( for 3.3 it's quite easy ). Costin Mladen Turk wrote: Hi, I would like to make the hostMap cache for hostname:port combination. Right now we doing hostMap over and over again for each request, so I would like to make a table that will save the once found hostEnv for requested hostname:port combination, skipping hostMap when already resolved. Any objections to that? Also I would like to extend the jk2_map to use the precomputed key checksum value, similar to the apr's table. That will give us significant speedup for table processing. MT. -- Costin -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Axis1.0 and chains/handlers
This is just FYI, in case you don't know all this already. I'm sure some of you are already using axis. One thing it would be worth looking at is the basic architecture they use for request processing. I think the model they're using is more powerfull than both 3.3 Interceptor and 4.0 Valve, and it may be worth understanding it better. They use multiple named 'chains' - request chain, transport chain, etc. Each chain consist of Handlers - and the config explicitely specifies the order of handlers in each chain. That's an improvement over 3.3 - the system is more extensible ( instead of few dozens hardcoded callbacks in BaseInterceptor ). It also allow fine control over the order of handlers - which is one of the big pain points. It provide benefits over 4.0 - where all processing happens in a single chain ( with some additional 'chains' in listeners ). It is also better than ActionCode - again, it is extensible ( we hardcode all the chains ) and provides more control. The code is quite messy ( again IMO ), but as I said it is well worth learning and using some of the ideas in future tomcats. -- Costin -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [Proposal] Security Audit
Costin Manolache wrote: AFAIK, the most important check is doPriviledged(). What we need to look for is if any of those blocks could be used by untrusted code to do something. The second very important check is the facades - making sure untrusted code can't get access to the real objects. We should also make sure that the facades are not reused or are reused only inside a context. It is nice to review all code for security and bugs ( and general quality ) - but IMO it is more important to review first the critical areas. I will start looking at the doPrivilege block. One thing that I have found is most Tomcat's doPrivilege block contains more operations that they should. Minimizing what we put inside the doPrivilege is very important. As an example (need to be optimized), I made some change to the WebappClassLoader (see the diff.txt). The ClassLoader shouldn't create any major problems ( at least in delegating mode - in non delegating mode we can only trust the servlet experts that they did the resarch and can guarantee there's no security implications. I haven't heard anything convincing on this, but they should have this knowledge - otherwise it wouldn't be in the spec :-) Other areas we can look first are: - Admin Tool. Is the tool secure enougth? - Invoker/Defaut Servlet ;-) - The code Jasper generates. This is one place where facade will get accessed. -- Jeanfrancois Costin Bob Herrmann wrote: FYI, Just to start off, I am going to review these classes. If someone else also reviews them, thats probably a good thing... # classes, package name 17 o.a.c.deploy 9 o.a.c.users 44 o.a.c.* 34 o.a.jk.* 15 j.s.http Briefly, I am going to look for - How/if a ClassLoader is used - privilege blocks (are they small, use trusted values) - look for non-final static variables (can they be abused) - can methods/fields be made private? - are mutable objects returned to caller (especially arrays) think about returning clones - non final equals/hashcode methods? (accessing sensitive stuff?) - Serializable (exposes private stuff?) Does anyone publish a security checklist list like this? Blah Blah, -bob On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote: Hi, I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I would like to collect as more as information as where you think I should look at (code, security hole, etc.). I'm planning to do the audit using the default SecurityManager. Rigth now, I have started looking at: - doPrivilege blocks. Are they small enough? Can they be reduced? - JSP generated code. Are they secure? Can a malicious app uses the code to access o.a.catalina code? - Is catalina.policy restricted enough? - Is our Classloader secure? Any direction/ideas/recommendations will be appreciated. Thanks, -- Jeanfrancois -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] Index: WebappClassLoader.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v retrieving revision 1.6 diff -u -r1.6 WebappClassLoader.java --- WebappClassLoader.java 5 Sep 2002 11:38:59 - 1.6 +++ WebappClassLoader.java 9 Oct 2002 19:23:07 - @@ -154,16 +154,16 @@ protected class PrivilegedFindResource implements PrivilegedAction { -private String name; +private int filePointer; private String path; -PrivilegedFindResource(String name, String path) { -this.name = name; +PrivilegedFindResource(int filePointer, String path) { +this.filePointer = filePointer; this.path = path; } public Object run() { -return findResourceInternal(name, path); +return findResourceInternal(filePointer, path); } } @@ -895,13 +895,7 @@ ResourceEntry entry = (ResourceEntry) resourceEntries.get(name); if (entry == null) { -if (securityManager != null) { -PrivilegedAction dp = -new PrivilegedFindResource(name, name); -entry = (ResourceEntry)AccessController.doPrivileged(dp); -} else { -entry = findResourceInternal(name, name); -} +entry = findResourceInternal(name, name); } if (entry != null) { url = entry.source; @@ -1479,13 +1473,7 @@ ResourceEntry entry = null; -if (securityManager != null) { -PrivilegedAction dp = -new PrivilegedFindResource(name, classPath); -entry = (ResourceEntry)AccessController.doPrivileged(dp); -} else { -entry = findResourceInternal(name, classPath); -} +entry =
DO NOT REPLY [Bug 11730] - build fails - can't find jni_md.h
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11730. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11730 build fails - can't find jni_md.h [EMAIL PROTECTED] changed: What|Removed |Added Status|NEW |RESOLVED Resolution||FIXED --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 19:57 --- You need a -Dlinux=1 as param. ( and we need to either automate the os detection or document this better ). -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13419] - Weird seg fault on Mac OS X for mod_jk2 + Apache2
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13419. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13419 Weird seg fault on Mac OS X for mod_jk2 + Apache2 --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 20:03 --- That's very strange. First - make sure you compile with -O0 - it may be something wrong with the line numbers due to reordering by the compiler. It seems obvious that the NPE is in the printf implementation - that's common in many OSes if a param is NULL. However the code fragment seems to check for null. I would sugest double checking the -O flag and the printf params. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 11678] - JNDIRealm times out/prompts for password with BASIC authentication
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11678. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11678 JNDIRealm times out/prompts for password with BASIC authentication --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 20:21 --- I've noticed this bug with tomcat 4.1.12 as well. I believe this is because the ldap server timesout the connection after some time if there is no activity from the ldap client. Once the timeout occurs, if a user tries to browse a url that requires authentication, the bind operation in ldap fails as ldap connection is invalid and JNDIRealm class throws a javax.naming.CommunicationException. This results in authentication failure and user is prompted for authentication again. This is quite irritating to the user. When user types in uid/password second time, a new ldap connection is created and authentication succeeds. I think the solution is to detect ldap connection timeout in JNDIRealm and make a new connection if necessary and then perform the bind for authentication. Hope this bug gets fixed. -nagraj -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/runtime JspRuntimeLibrary.java
luehe 2002/10/09 13:21:52 Modified:jasper2/src/share/org/apache/jasper/resources messages.properties messages_es.properties messages_ja.properties jasper2/src/share/org/apache/jasper/runtime JspRuntimeLibrary.java Log: Fixed 13206: Invalid java bean property error message could be reported better. Revision ChangesPath 1.45 +2 -2 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages.properties Index: messages.properties === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages.properties,v retrieving revision 1.44 retrieving revision 1.45 diff -u -r1.44 -r1.45 --- messages.properties 8 Oct 2002 23:22:57 - 1.44 +++ messages.properties 9 Oct 2002 20:21:52 - 1.45 @@ -94,7 +94,7 @@ jsp.error.beans.nobeaninfo=No BeanInfo for the bean of type ''{0}'' could be found, the class likely does not exist. jsp.error.beans.introspection=An exception occurred while introspecting the read method of property ''{0}'' in a bean of type ''{1}'':\n{2} jsp.error.beans.nomethod=Cannot find a method to read property ''{0}'' in a bean of type ''{1}'' -jsp.error.beans.nomethod.setproperty=Can''t find a method to write property ''{0}'' in a bean of type ''{1}'' +jsp.error.beans.nomethod.setproperty=Can''t find a method to write property ''{0}'' of type ''{1}'' in a bean of type ''{2}'' jsp.error.beans.noproperty=Cannot find any information on property ''{0}'' in a bean of type ''{1}'' jsp.error.beans.setproperty.noindexset=Cannot set indexed property jsp.error.include.tag=Invalid jsp:include tag 1.16 +2 -2 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_es.properties Index: messages_es.properties === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_es.properties,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- messages_es.properties8 Oct 2002 23:22:57 - 1.15 +++ messages_es.properties9 Oct 2002 20:21:52 - 1.16 @@ -73,7 +73,7 @@ jsp.error.beans.nobeaninfo=No se puede encontrar BeanInfo para el bean ''{0}'' seguramente la clase no existe jsp.error.beans.introspection=Una excepcion a ocurrido mientras se leia el metodo de lectura de la propiedad ''{0}'' en un bean del tipo ''{1}'':\n{2} jsp.error.beans.nomethod=No puedo encontrar un metodo para leer la propiedad ''{0}'' en un bean del tipo ''{1}'' -jsp.error.beans.nomethod.setproperty=No puedo encontrar un metodo para write de la propiedad ''{0}'' en un bean del tipo ''{1}'' +jsp.error.beans.nomethod.setproperty=No puedo encontrar un metodo para write de la propiedad ''{0}'' en un bean del tipo ''{2}'' jsp.error.beans.noproperty=No puedo encontrar informacion de la propiedad ''{0}'' en un bean del tipo ''{1}'' jsp.error.beans.setproperty.noindexset=No puedo hacer set de la propiedad indexada jsp.error.include.tag=Tag jsp:include no valido 1.16 +2 -2 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_ja.properties Index: messages_ja.properties === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_ja.properties,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- messages_ja.properties8 Oct 2002 23:22:57 - 1.15 +++ messages_ja.properties9 Oct 2002 20:21:52 - 1.16 @@ -84,7 +84,7 @@ jsp.error.beans.nobeaninfo=\u30bf\u30a4\u30d7 ''{0}'' \u306eBean\u306bBeanInfo\u304c\u306a\u3044\u306e\u3092\u691c\u51fa\u3057\u307e\u3057\u305f, \u30af\u30e9\u30b9\u304c\u5b58\u5728\u3057\u306a\u3044\u304b\u3082\u3057\u308c\u307e\u305b\u3093 jsp.error.beans.introspection=\u30bf\u30a4\u30d7 ''{1}'' \u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' \u306eread\u30e1\u30bd\u30c3\u30c9\u3092\u5185\u7701\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f:\n{2} jsp.error.beans.nomethod=\u30bf\u30a4\u30d7 ''{1}'' \u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' \u3092\u8aad\u307f\u8fbc\u3080\u30e1\u30bd\u30c3\u30c9\u3092\u767a\u898b\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f -jsp.error.beans.nomethod.setproperty=\u30bf\u30a4\u30d7 ''{1}'' \u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' \u3092\u66f8\u304d\u8fbc\u3080\u30e1\u30bd\u30c3\u30c9\u3092\u767a\u898b\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f +jsp.error.beans.nomethod.setproperty=\u30bf\u30a4\u30d7 ''{2}'' \u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}''
DO NOT REPLY [Bug 13206] - Invalid java bean property error message could be reported better.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13206. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13206 Invalid java bean property error message could be reported better. [EMAIL PROTECTED] changed: What|Removed |Added Status|NEW |RESOLVED Resolution||FIXED -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 11678] - JNDIRealm times out/prompts for password with BASIC authentication
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11678. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11678 JNDIRealm times out/prompts for password with BASIC authentication --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 20:33 --- Another problem is that I'm pretty sure that if you use BASIC authentication rather than session based authentication, it doesn't do any caching which means that everytime you access a protected resource, it authenticates against the LDAP directory which isn't a very efficient thing to do. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability;Apache Tomcat 4.0.6 released
A security vulnerability has been confirmed to exist in Apache Tomcat 4.0.x releases (including Tomcat 4.0.5), which allows to use a specially crafted URL to return the unprocessed source of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by security constraint, without the need for being properly authenticated. This is based on a variant of the exploit that was disclosed on 09/24/2002. The cause - Using the invoker servlet in conjunction with the default servlet (responsible for handling static content in Tomcat) triggers this vulnerability. Who is vulnerable - - All Tomcat 4.0.x releases, except those in which the invoker servlet is disabled (this is not the default setting). - All Tomcat 4.1.x releases before 4.1.12, except those in which the invoker servlet is disabled (this is not the default setting), as well as 4.1.12 if and only if the invoker servlet has been enabled. The default Tomcat 4.1.12 installation is not vulnerable. Fixes and workarounds - Doing either of the following will resolve the security problem: A) Disabling the invoker servlet In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML fragment: servlet-mapping servlet-nameinvoker/servlet-name url-pattern/servlet/*/url-pattern /servlet-mapping B) If running any Tomcat 4.0.x releases, download and install the following binary patch: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip Simply unzip the archive in the $CATALINA_HOME folder (on Windows %CATALINA_HOME%). Make sure paths are preserved when unzipping. The patch will overwrite the default webapp configuration file ($CATALINA_HOME/conf/web.xml) to add a workaround to protect against the security vulnerability. C) If running Tomcat 4.1.12 and the invoker servlet was enabled, it must be disabled at this time. A new Tomcat 4.1.x release incorporating the fix to the invoker servlet will be made available shortly. D) If running any Tomcat 4.0.x release, download and install Tomcat 4.0.6. New release --- The Apache Tomcat Team announces the immediate availability of a new release which includes a fix to the invoker servlet. Apache Tomcat 4.0.6: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/ Remy -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-servletapi-5/jsr152/examples/jsp2/misc config.jsp config.txt
kinman 2002/10/09 14:31:24 Modified:jsr152/examples/WEB-INF web.xml jsr152/examples/jsp2/misc config.jsp config.txt Log: - Modified the examples to use el-ignore and scripting-invalid Revision ChangesPath 1.4 +2 -2 jakarta-servletapi-5/jsr152/examples/WEB-INF/web.xml Index: web.xml === RCS file: /home/cvs/jakarta-servletapi-5/jsr152/examples/WEB-INF/web.xml,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- web.xml 7 Oct 2002 18:09:58 - 1.3 +++ web.xml 9 Oct 2002 21:31:24 - 1.4 @@ -202,9 +202,9 @@ /description display-nameJSPConfiguration/display-name url-pattern/jsp2/misc/config.jsp/url-pattern - el-enabledfalse/el-enabled + el-ignoredtrue/el-ignored page-encodingISO-8859-1/page-encoding - scripting-enabledfalse/scripting-enabled + scripting-invalidtrue/scripting-invalid include-prelude/jsp2/misc/prelude.jspf/include-prelude include-coda/jsp2/misc/coda.jspf/include-coda /jsp-property-group 1.2 +2 -2 jakarta-servletapi-5/jsr152/examples/jsp2/misc/config.jsp Index: config.jsp === RCS file: /home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/misc/config.jsp,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- config.jsp7 Sep 2002 00:48:00 - 1.1 +++ config.jsp9 Oct 2002 21:31:24 - 1.2 @@ -7,9 +7,9 @@ ul liUses lt;include-preludegt; to include the top banner./li liUses lt;include-codagt; to include the bottom banner./li - liUses lt;scripting-enabledgt; false to disable + liUses lt;scripting-invalidgt; true to disable lt;% scripting %gt; elements/li - liUses lt;el-enabledgt; false to disable ${EL} elements/li + liUses lt;el-ignoredgt; true to disable ${EL} elements/li liUses lt;page-encodinggt; ISO-8859-1 to set the page encoding (though this is the default anyway)/li /ul There are various other configuration options that can be used. 1.2 +2 -2 jakarta-servletapi-5/jsr152/examples/jsp2/misc/config.txt Index: config.txt === RCS file: /home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/misc/config.txt,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- config.txt7 Sep 2002 00:48:00 - 1.1 +++ config.txt9 Oct 2002 21:31:24 - 1.2 @@ -7,9 +7,9 @@ ul liUses lt;include-preludegt; to include the top banner./li liUses lt;include-codagt; to include the bottom banner./li - liUses lt;scripting-enabledgt; false to disable + liUses lt;scripting-invalidgt; true to disable lt;% scripting %gt; elements/li - liUses lt;el-enabledgt; false to disable ${EL} elements/li + liUses lt;el-ignoredgt; true to disable ${EL} elements/li liUses lt;page-encodinggt; ISO-8859-1 to set the page encoding (though this is the default anyway)/li /ul There are various other configuration options that can be used. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/runtime JspRuntimeLibrary.java
luehe 2002/10/09 14:59:08 Modified:jasper2/src/share/org/apache/jasper/resources Tag: tomcat_4_branch messages.properties messages_es.properties messages_ja.properties jasper2/src/share/org/apache/jasper/runtime Tag: tomcat_4_branch JspRuntimeLibrary.java Log: Fixed 13206: Invalid java bean property error message could be reported better. Revision ChangesPath No revision No revision 1.9.2.4 +2 -2 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages.properties Index: messages.properties === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages.properties,v retrieving revision 1.9.2.3 retrieving revision 1.9.2.4 diff -u -r1.9.2.3 -r1.9.2.4 --- messages.properties 8 Oct 2002 23:42:06 - 1.9.2.3 +++ messages.properties 9 Oct 2002 21:59:08 - 1.9.2.4 @@ -88,7 +88,7 @@ jsp.error.beans.nobeaninfo=No BeanInfo for the bean of type ''{0}'' could be found, the class likely does not exist. jsp.error.beans.introspection=An exception occurred while introspecting the read method of property ''{0}'' in a bean of type ''{1}'':\n{2} jsp.error.beans.nomethod=Cannot find a method to read property ''{0}'' in a bean of type ''{1}'' -jsp.error.beans.nomethod.setproperty=Can''t find a method to write property ''{0}'' in a bean of type ''{1}'' +jsp.error.beans.nomethod.setproperty=Can''t find a method to write property ''{0}'' of type ''{1}'' in a bean of type ''{2}'' jsp.error.beans.noproperty=Cannot find any information on property ''{0}'' in a bean of type ''{1}'' jsp.error.beans.setproperty.noindexset=Cannot set indexed property jsp.error.include.tag=Invalid jsp:include tag 1.3.2.3 +2 -2 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_es.properties Index: messages_es.properties === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_es.properties,v retrieving revision 1.3.2.2 retrieving revision 1.3.2.3 diff -u -r1.3.2.2 -r1.3.2.3 --- messages_es.properties8 Oct 2002 23:42:06 - 1.3.2.2 +++ messages_es.properties9 Oct 2002 21:59:08 - 1.3.2.3 @@ -73,7 +73,7 @@ jsp.error.beans.nobeaninfo=No se puede encontrar BeanInfo para el bean ''{0}'' seguramente la clase no existe jsp.error.beans.introspection=Una excepcion a ocurrido mientras se leia el metodo de lectura de la propiedad ''{0}'' en un bean del tipo ''{1}'':\n{2} jsp.error.beans.nomethod=No puedo encontrar un metodo para leer la propiedad ''{0}'' en un bean del tipo ''{1}'' -jsp.error.beans.nomethod.setproperty=No puedo encontrar un metodo para write de la propiedad ''{0}'' en un bean del tipo ''{1}'' +jsp.error.beans.nomethod.setproperty=No puedo encontrar un metodo para write de la propiedad ''{0}'' en un bean del tipo ''{2}'' jsp.error.beans.noproperty=No puedo encontrar informacion de la propiedad ''{0}'' en un bean del tipo ''{1}'' jsp.error.beans.setproperty.noindexset=No puedo hacer set de la propiedad indexada jsp.error.include.tag=Tag jsp:include no valido 1.2.2.2 +2 -2 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_ja.properties Index: messages_ja.properties === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_ja.properties,v retrieving revision 1.2.2.1 retrieving revision 1.2.2.2 diff -u -r1.2.2.1 -r1.2.2.2 --- messages_ja.properties8 Oct 2002 23:42:06 - 1.2.2.1 +++ messages_ja.properties9 Oct 2002 21:59:08 - 1.2.2.2 @@ -84,7 +84,7 @@ jsp.error.beans.nobeaninfo=\u30bf\u30a4\u30d7 ''{0}'' \u306eBean\u306bBeanInfo\u304c\u306a\u3044\u306e\u3092\u691c\u51fa\u3057\u307e\u3057\u305f, \u30af\u30e9\u30b9\u304c\u5b58\u5728\u3057\u306a\u3044\u304b\u3082\u3057\u308c\u307e\u305b\u3093 jsp.error.beans.introspection=\u30bf\u30a4\u30d7 ''{1}'' \u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' \u306eread\u30e1\u30bd\u30c3\u30c9\u3092\u5185\u7701\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f:\n{2} jsp.error.beans.nomethod=\u30bf\u30a4\u30d7 ''{1}'' \u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' \u3092\u8aad\u307f\u8fbc\u3080\u30e1\u30bd\u30c3\u30c9\u3092\u767a\u898b\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f -jsp.error.beans.nomethod.setproperty=\u30bf\u30a4\u30d7 ''{1}'' \u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}''
DO NOT REPLY [Bug 13392] - When tag pooling is enabled, release() is not called on tag instances
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13392. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13392 When tag pooling is enabled, release() is not called on tag instances [EMAIL PROTECTED] changed: What|Removed |Added Status|REOPENED|RESOLVED Resolution||INVALID --- Additional Comments From [EMAIL PROTECTED] 2002-10-09 22:21 --- Not a bug. See description of release() method in JSP.10.1.1.2 (JSP 1.2): Called on a Tag handler to release state. The page compiler guarantees that JSP page implementation objects will invoke this method on all tag handlers, but there may be multiple invocations on doStartTag() and doEndTag() in between. Also, see http://jakarta.apache.org/taglibs/guidelines.html Item 2: Private, invocation-specific state must be managed manually. Implications include that: release() is not necessarily called between invocations, which means that tag logic should not count on private invocation- specific state being reset by release() -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler JspUtil.java
luehe 2002/10/09 15:46:41 Modified:jasper2/src/share/org/apache/jasper/compiler JspUtil.java Log: Removed redundant methods Revision ChangesPath 1.18 +3 -87 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspUtil.java Index: JspUtil.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspUtil.java,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- JspUtil.java 19 Sep 2002 23:21:39 - 1.17 +++ JspUtil.java 9 Oct 2002 22:46:41 - 1.18 @@ -235,60 +235,6 @@ } /** - * Parses the XML document contained in the InputStream. - * - * @deprecated Use ParserUtils.parseXMLDocument() instead - */ -public static Document parseXMLDoc(String uri, InputStream in) - throws JasperException -{ - return parseXMLDocJaxp(uri, in); -} - -/** - * Parses the XML document contained in the InputStream. - * This XML document is either web.xml or a tld. - * [The TLD has to be cached internally (see MyEntityResolver)] - * - * @deprecated Use ParserUtils.parseXMLDocument() instead - */ -public static Document parseXMLDocJaxp(String uri, InputStream in) - throws JasperException -{ - try { - Document doc; - DocumentBuilderFactory docFactory = - DocumentBuilderFactory.newInstance(); - docFactory.setValidating(true); - docFactory.setNamespaceAware(true); - DocumentBuilder builder = docFactory.newDocumentBuilder(); - builder.setEntityResolver(entityResolver); - builder.setErrorHandler(errorHandler); - doc = builder.parse(in); - return doc; - } catch (ParserConfigurationException ex) { -throw new JasperException( - Constants.getString(jsp.error.parse.xml, - new Object[]{uri, ex.getMessage()})); - } catch (SAXParseException ex) { -throw new JasperException( - Constants.getString(jsp.error.parse.xml.line, - new Object[]{uri, - new Integer(ex.getLineNumber()), - new Integer(ex.getColumnNumber()), - ex.getMessage()})); - } catch (SAXException sx) { -throw new JasperException( -Constants.getString(jsp.error.parse.xml, - new Object[]{uri, sx.getMessage()})); -} catch (IOException io) { -throw new JasperException( -Constants.getString(jsp.error.parse.xml, - new Object[]{uri, io.toString()})); - } -} - -/** * Checks if all mandatory attributes are present and if all attributes * present have valid names. Checks attributes specified as XML-style * attributes as well as attributes specified using the jsp:attribute @@ -477,36 +423,6 @@ } } -public static Hashtable attrsToHashtable(Attributes attrs) { -int len = attrs.getLength(); -Hashtable table = new Hashtable(len); -for (int i=0; ilen; i++) { -table.put(attrs.getQName(i), attrs.getValue(i)); -} -return table; -} - -/** - * Get the data for the first child associated with the - * Element provided as argument. It is assumed that this - * first child is of type Text. - * - * @param e the DOM Element to read from - * @return the data associated with the first child of the DOM - * element. - */ -public static String getElementChildTextData(Element e) { - String s = null; - Text t = (Text)e.getFirstChild(); - if (t != null) { - s = t.getData(); - if (s != null) { - s = s.trim(); - } - } - return s; -} - /** * Convert a String value to 'boolean'. * Besides the standard conversions done by -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler JspReader.java
luehe 2002/10/09 17:49:21 Modified:jasper2/src/share/org/apache/jasper JspC.java JspCompilationContext.java jasper2/src/share/org/apache/jasper/compiler JspReader.java Log: Changed visibility of o.a.j.c.JspReader to package scope, and the visibility of some of its methods to private. Revision ChangesPath 1.15 +3 -4 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/JspC.java Index: JspC.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/JspC.java,v retrieving revision 1.14 retrieving revision 1.15 diff -u -r1.14 -r1.15 --- JspC.java 21 Aug 2002 17:56:03 - 1.14 +++ JspC.java 10 Oct 2002 00:49:21 - 1.15 @@ -65,7 +65,6 @@ import java.net.*; import java.util.*; -import org.apache.jasper.compiler.JspReader; import org.apache.jasper.compiler.ServletWriter; import org.apache.jasper.compiler.Compiler; import org.apache.jasper.compiler.TldLocationsCache; 1.22 +3 -16 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/JspCompilationContext.java Index: JspCompilationContext.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/JspCompilationContext.java,v retrieving revision 1.21 retrieving revision 1.22 diff -u -r1.21 -r1.22 --- JspCompilationContext.java11 Sep 2002 19:07:32 - 1.21 +++ JspCompilationContext.java10 Oct 2002 00:49:21 - 1.22 @@ -68,7 +68,6 @@ import javax.servlet.jsp.tagext.TagInfo; import javax.servlet.jsp.tagext.TagData; import org.apache.jasper.compiler.JspRuntimeContext; -import org.apache.jasper.compiler.JspReader; import org.apache.jasper.compiler.ServletWriter; import org.apache.jasper.compiler.Compiler; import org.apache.jasper.servlet.JspServletWrapper; @@ -100,7 +99,6 @@ protected String jspPath; protected String classFileName; protected String contentType; -protected JspReader reader; protected ServletWriter writer; protected Options options; protected JspServletWrapper jsw; @@ -491,17 +489,6 @@ public void setContentType(String contentType) { this.contentType = contentType; -} - -/** - * Get the input reader for the JSP text. - */ -public JspReader getReader() { -return reader; -} - -public void setReader(JspReader reader) { -this.reader = reader; } /** 1.10 +148 -137 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspReader.java Index: JspReader.java === RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspReader.java,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- JspReader.java28 Aug 2002 23:50:10 - 1.9 +++ JspReader.java10 Oct 2002 00:49:21 - 1.10 @@ -80,137 +80,50 @@ * @author Mark Roth */ -public class JspReader { +class JspReader { -protected Mark current = null; -String master = null; - -Vector sourceFiles = new Vector(); -int currFileId = 0; -int size = 0; - +private Mark current; +private String master; +private Vector sourceFiles; +private int currFileId; +private int size; private JspCompilationContext context; private ErrorDispatcher err; +private Logger.Helper loghelper; /* * Set to true when using the JspReader on a single file where we read up * to the end and reset to the beginning many times. * (as in ParserCtl.figureOutJspDocument(). */ -boolean singleFile = false; +private boolean singleFile; -Logger.Helper loghelper = new Logger.Helper(JASPER_LOG, JspReader); - -public String getFile(int fileid) { - return (String) sourceFiles.elementAt(fileid); -} - -/** - * Register a new source file. - * This method is used to implement file inclusion. Each included file - * gets a uniq identifier (which is the index in the array of source files). - * @return The index of the now registered file. - */ -protected int registerSourceFile(String file) { -if (sourceFiles.contains(file)) -return -1; - sourceFiles.addElement(file); - this.size++; - return sourceFiles.size() - 1; -} - - -/** - * Unregister the source file. - * This method is used to implement file inclusion. Each included file - * gets a uniq identifier (which is the index in the array of source -
Re: mod_jk crash, please help
Quoting Eugene Gluzberg [EMAIL PROTECTED]: Please help. How can i trace this further? How do i get apache to generate a core file so i can see where in apache code this is? Any pointers for help here at all? Have a look at this: http://httpd.apache.org/dev/debugging.html Bojan -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
DO NOT REPLY [Bug 13477] New: - tomcat 4.1.2 installed from rpms fails to start
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13477. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13477 tomcat 4.1.2 installed from rpms fails to start Summary: tomcat 4.1.2 installed from rpms fails to start Product: Tomcat 4 Version: 4.1.12 Platform: Other OS/Version: Linux Status: NEW Severity: Normal Priority: Other Component: Installable Packages AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] I installed the current version of tomcat (4.1.2) from RPMs using the version as of 9 October (tomcat4-4.1.12-full.2jpp.noarch.rpm). The install worked after I removed all traces of the prior tomcat install (user and group, etc). When I try to start tomcat from /etc/init.d/tomcat4 I get an OK but tomcat does not start. When I start tomcat using /usr/bin/dtomcat4 as root, tomcat starts. When I su - tomcat4 and start tomcat using /usr/bin/dtomcat4 I get: -bash-2.05b$ /usr/bin/dtomcat4 start Using CATALINA_BASE: /var/tomcat4 Using CATALINA_HOME: /var/tomcat4 Using CATALINA_TMPDIR: /var/tomcat4/temp Using JAVA_HOME: /usr/java/j2sdk1.4 touch: creating `/var/tomcat4/logs/catalina.out': Permission denied -bash-2.05b$ /usr/bin/dtomcat4: line 205: /var/tomcat4/logs/catalina.out: Permission denied q In /var/tomcat4/logs I see: -rw-r--r--1 root tomcat4 1731 Oct 9 20:44 catalina.out In order for tomcat to touch catalina.out, permissions need to be changed for the group tomcat4. Once this is done, then tomcat4 will start as expected. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [Proposal] Security Audit
The more who review/audit tomcat for security, the better. :-) Comments intermixed below. Jean-Francois Arcand wrote: Hi, I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I would like to collect as more as information as where you think I should look at (code, security hole, etc.). I'm planning to do the audit using the default SecurityManager. Rigth now, I have started looking at: - doPrivilege blocks. Are they small enough? Can they be reduced? I don't think there are more than a dozen doPrivileged() blocks in all of catalina and jasper. They are relatively few and restricted to a few specific methods in catalina which may get executed by some action a servlet or jsp performs. For example, when a jsp page does a forward. - JSP generated code. Are they secure? Can a malicious app uses the code to access o.a.catalina code? Class restrictions are implemented in two ways. First, the catalina core API's are in server/lib so that they are not one of the parent class loaders visible to a web app. Second, the WebappClassLoader implements checkPackageAccess() and checkPackageDefinition(). These are only implemented if Tomcat was started with the SecurityManager. One change we considered with Tomcat 4 was whether it should require using the Java SecurityManager. You may want to open up that debate again with Tomcat 5. - Is catalina.policy restricted enough? Not for my needs, my security policies are much more restrictive. But restrictive enough for some users. Perhaps there should be a second more restrictive example catalina.policy. - Is our Classloader secure? Any direction/ideas/recommendations will be appreciated. I don't have time right now to particpate in the security audit, but I will make sure I review any findings. One item that has been on my todo list for a while is a document on how to write SecurityManager and web application friendly code. I find numerous packages, frameworks, etc. which perform things in ways which are not friendly to the SecurityManager or a web application. I have been known to file bug reports with other jakarta projects when I run across these issues. :-) Regards, Glenn -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: apps conversion from 3.3.1 to 4.1.12
If this reference is in your web.xml file, then my suggestion is already being done. To test it, try temporarily copying the settings.xml file into the WEB-INF directory and changing the relative URL appropriately. Putting the file in WEB-INF works, even if I use ../settings, ie directly in webapps/ROOT. I'd be -1 on removing the security check in 4.x/5.x. Fixing 3.3.2 sounds like a good idea. I'll be -1 to fix the 3.3.2 for many reasons : - It will brake all deployment strategy - I'm still not sure it's a security problem since nobody prevent you to change to PUBLIC and goes outside : !ENTITY % settings SYSTEM ../../../settings.xml %settings; to !ENTITY % settings PUBLIC hackme http://hackme.com/settings.xml; %settings; That's more than insecure isn't it ? I take a look in specs and didn't see anything preventing you to have entities located outside WEBAPP so I feel it's a regression and not a security feature. Ad minima, in TC 4.x and 5.x, there should be a setting in web.xml, or server.xml to enable this behaviour even if it's prevented by default. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]