RE: HOWTO obtain UserDatabase from a servlet? [SOLVED]

2003-07-24 Thread Andrew Liles
I am going to answer my own question, for the benefit of anyone else who has
the same question.

The question arose because I wanted to permit a webapp to change password in
the Memory database that backed the authentication scheme I was using.

server.xml:
in the context your code will run in, add this link to a global resource...

  

  

this assumes you have this Global resource:
  




  
factory
org.apache.catalina.users.MemoryUserDatabaseFactory
  
  
pathname
conf/tomcat-users.xml
  

  

java code:
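import javax.naming.Context;
import javax.naming.InitialContext;
import org.apache.catalina.UserDatabase;
Context initCtx = new InitialContext();
Context envCtx = (Context) initCtx.lookup("java:comp/env");
UserDatabase db = (UserDatabase) envCtx.lookup("glbUserDatabase");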

Then the next issue is that you need to get hold of the interface
"UserDatabase".  This is in catalina.jar but this resides in a Classloader
that is not normally allowed to be seen by Web Applications.

The issues:
1) the Web Apps don't normally get permission to see the internal Tomcat
Server classes
2) if you place your class where it CAN see the Tomcat Server classes then
your class cannot see the rest of your application 

A really ugly and security-prone solution is to   
   Move all jars from tomcat/server/lib to tomcat/common/lib
   Move any jars of yours to tomcat/common/lib or classes to
tomcat/common/classes

The security risk is that webapps now have unfettered access to the Tomcat
server code; which in my case is not a problem.

[Request for feature: could the Tomcat team create a .jar with just the
wrapper interfaces in them??? Then I think you could put in code for
UserDatabase manipulation in tomcat/common/lib without needing to move and
expose the full server code.]

> -----Original Message-
> From: Andrew Liles [mailto:[EMAIL PROTECTED]
> Sent: 10 July 2003 16:30
> To: '[EMAIL PROTECTED]'
> Subject: HOWTO obtain UserDatabase from a servlet?
> 
> 
> I wish to secure a website with a simple realm/user database
> setup for a low usage site with low numbers of users.
> 
> UserDatabaseRealm (underpinned by MemoryUserDatabase) would
> seem to be ideally suited.
> 
> How do I access the MemoryUserDatabase from a regular
> application to be able to SET passwords, etc.
> 
> Once I have got a UserDatabase interface I know I can then
> use findUser(..), but how do I get something implementing
> the interface in the first case?  Is it some JNDI lookup or
> ServletContext access?
> 
> I would appreciate your pointing me to some HOWTO
> documentation.
> 
> Andrew.

_
This e-mail has been scanned for viruses by MessageLabs.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
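
An added example (not part of the original post and not Tomcat's own code) of the password change the post is after, using the "glbUserDatabase" link from the lookup above. The class name, the minimum-length policy and the plain-text password comparison are assumptions of this example; the class has to be loaded where org.apache.catalina.UserDatabase is visible, which is the class loader issue the post describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.User;
import org.apache.catalina.UserDatabase;

/** Hypothetical helper: lets an authenticated user change only their own password. */
public final class PasswordChanger {

    // Link name taken from the post; it must match the link declared in server.xml.
    private static final String LINK_NAME = "glbUserDatabase";
    // Assumed local policy, not something the post or Tomcat prescribes.
    private static final int MIN_LENGTH = 12;

    private PasswordChanger() {}

    static UserDatabase lookupDatabase() throws NamingException {
        Context envCtx = (Context) new InitialContext().lookup("java:comp/env");
        return (UserDatabase) envCtx.lookup(LINK_NAME);
    }

    /** Returns true only if the password was changed and saved. */
    public static boolean changeOwnPassword(HttpServletRequest request,
                                            String currentPassword,
                                            String newPassword) throws Exception {
        // The account to edit comes from the container's authentication,
        // never from a request parameter, so one user cannot edit another.
        Principal caller = request.getUserPrincipal();
        if (caller == null || currentPassword == null || newPassword == null
                || newPassword.length() < MIN_LENGTH) {
            return false;
        }
        UserDatabase db = lookupDatabase();
        synchronized (db) { // serialise concurrent edits made through this helper
            User user = db.findUser(caller.getName());
            if (user == null || user.getPassword() == null) {
                return false;
            }
            // Assumption: the realm stores plain-text passwords (no digest
            // configured), so the stored value can be compared directly.
            if (!sameValue(user.getPassword(), currentPassword)) {
                return false;
            }
            user.setPassword(newPassword);
            db.save(); // write the change back to the database's backing store
            return true;
        }
    }

    // Comparison that does not stop at the first differing byte.
    private static boolean sameValue(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The database handle reached through the link can edit every user, role and group in tomcat-users.xml, so the helper exposes only the one operation the webapp needs and requires the current password before changing it.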



RE: [Q] Form-based authentication with DatasourceRealm

2003-07-24 Thread Andrew Liles
This is a three part problem.

First you have a process that does the challenging of access.  In the case
of Form Based Authentication this means 
redirecting the user to a login page.

Second you have a scheme to take the credentials the user provides and
validate them.  This is the job of the realm.  You should simply need to
replace the Realm element in Server.xml that currently refers to your
MemoryRealm and put in place the 

element which is provided in the default server.xml (but commented out).  

Next this Realm is dependent on the 3rd part of the equation - the
UserDatabase resource.

This may be of some use:
http://www.servlets.com/jservlet2/examples/ch08/index.html

> -Original Message-
> From: Riaan Oberholzer [mailto:[EMAIL PROTECTED]
> Sent: 24 July 2003 09:51
> To: [EMAIL PROTECTED]
> Subject: [Q] Form-based authentication with DatasourceRealm
> 
> 
> Hi,
> 
> I'm trying to use Realms for the first time. The
> documentation of Tomcat is pretty straightforward and
> everything is clear (and surprisingly simple), except
> how I must name the "action=???" parameters for my
> form in which the authentication is done.
> 
> The Tomcat example is:
> 
> 
> for a MemoryRealm
> 
> Is this standard for all Realms and can/should I use
> it as is, or how does it look for a Datasource Realm?
> 
> Thanks!
> 
> 



RE: tomcat startup problem - tomcat window disappears

2003-07-24 Thread Andrew Liles
Edit 
tomcat/bin/startup.bat

in one of the last lines change the keyword "start" to "run".  Then go into
a DOS box and run startup.bat.  This time any faults will remain on the
screen and you can start debugging from there.

> -Original Message-
> From: Gayathrie Gunawardene [mailto:[EMAIL PROTECTED]
> Sent: 21 July 2003 19:15
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; 
> [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: tomcat startup problem
> 
> 
> Hi,
> 
> I get the following message when I run startup command.  
> Using CATALINA_BASE:   E:\TomCat4.1
> 
> Using CATALINA_HOME:   E:\TomCat4.1
> 
> Using CATALINA_TMPDIR: E:\TomCat4.1\temp
> 
> Using JAVA_HOME:   E:\jdk1.4
> 
> I see a tomcat window open and suddenly disappear. No matter 
> how hard I tried to run, the result is the same all the time. 
> I use tomcat4.1 and JDK1.4 on Windows 2000 adv. server platform.
> 
> Pls Help
> 
> GG
> 
> [EMAIL PROTECTED]
> 
> 
> 
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Creating a custom realm (I don't know how?)

2003-07-24 Thread Andrew Liles
There are some tricky issues to do with the scope of classes that Tomcat
needs to see (to operate your Realm for you) and what normal web
applications can see (they normally don't need to see the internals of the
Servlet/JSP implementation).  It is described here:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/class-loader-howto.html
but if you are looking for a quick fix 

1) and your Realm DOES NOT need to interact with classes in the application
space then just move your custom realm class into  tomcat/server/classes (or
../lib)

2) and your Realm DOES require interaction with classes in the application
space then here is a really ugly and security-prone issue (security of rogue
apps that is).  
   Move all jars from tomcat/server/lib to tomcat/common/lib
   Move any jars of yours to tomcat/common/lib or classes to
tomcat/common/classes

Andrew.

> -Original Message-
> From: Hung San [mailto:[EMAIL PROTECTED]
> Sent: 23 July 2003 02:01
> To: [EMAIL PROTECTED]
> Subject: Creating a custom realm (I don't know how?)
> 
> 
> Hi there,
> 
> How do I create my own custom realm and plug it into
> Tomcat for my web application?  I created CustomRealm
> that implements Realm.  But when I added a 
> element in my context.xml and loaded up my
> application, it complained that CustomRealm could not
> be found (ClassNotFoundException).  
> 
> My CustomRealm class is in my /WEB-INF/classes
> directory so I'm sure (as far as my application is
> concerned) that the class is in the proper classpath. 
> I also placed the file in tomcat.home/common/lib but
> the error still persists.
> 
> Any help would be appreciated.
> 
> By the way, I'm using Tomcat 4.1.24
> 



RE: tomcat startup

2003-07-16 Thread Andrew Liles
You have probably already looked for "java.net.SocketException: Network is
down" on Google and found nothing.  This suggests you have a very obscure
problem.  Therefore you should try to establish what is unusual about your
machine.

The fact your machine acts as some kind of gateway, I think is the place to
look.  Windows-gateway machines running Tomcat are going to be far less
common; and hence less tried and tested.  

Your machine being a gateway implies you have more than 1 IP address.  It
could be that Tomcat is trying to bind to the wrong IP address (or network
adapter).  I am not quite sure how you direct Tomcat to pick a particular
network stack/adapter/etc but in a multi-IPd machine I have, it is necessary
to add an address parameter, so my Connector XML fragment is:



I think you should also comment out any other Connectors you have (there is
more than 1 setup by default).


-Original Message-
From: Souren Sinha [mailto:[EMAIL PROTECTED]
Sent: 15 July 2003 12:05
To: Tomcat Users List
Subject: Re: tomcat startup


Hi,
I am trying to run it on a desktop that is on a network...in fact it acts as
the gateway to the net too.
As per my network settings, I have TCP/IP installed and after having done a
netstat I can confirm that nothing else is listening on port 8080. Just for
the sake of it, I tried running on port 9090 too with the same resulting
exceptions!
I am not sure what else to try...any help would be appreciated.
Regards
Souren

> -Original Message-
> From: Souren Sinha [mailto:[EMAIL PROTECTED]
> Sent: 16 July 2003 02:21
> To: [EMAIL PROTECTED]
> Subject: Re: tomcat startup
> 
> 
> Hi,
> Could you please help me out a bit more...I had to unsubscribe 
> from the Tomcat
> list coz I was getting way too many messages and since I am 
> on a dial-up
> it's becoming a problem...!
> Regards
> Souren
> 
> 
> - Original Message -
> From: "Andrew Liles" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Sent: Monday, July 14, 2003 11:56 PM
> Subject: RE: tomcat startup
> 
> 
> > Are you trying this on a laptop/standalone machine that has 
> no network
> > stack?  You need a TCP/IP stack.
> >
> > (It could be another process is listening on the same 
> IP/port; but the
> usual
> > symptom in that case is a different error)
> >
> > > -Original Message-
> > > From: Souren Sinha [mailto:[EMAIL PROTECTED]
> > > Sent: 14 July 2003 13:30
> > > To: Tomcat Users List
> > > Subject: tomcat startup
> > >
> > >
> > > Hi,
> > > I am having trouble starting up tomcat from the Start menu.
> > > I get the following exception:
> > >
> > > Using CATALINA_BASE:   ..
> > > Using CATALINA_HOME:   ..
> > > Using CATALINA_TMPDIR: ..\temp
> > > Using JAVA_HOME:   C:\j2sdk1.4.0_03
> > > Jul 14, 2003 10:28:26 PM org.apache.commons.modeler.Registry
> > > loadRegistry
> > > INFO: Loading registry information
> > > Jul 14, 2003 10:28:27 PM org.apache.commons.modeler.Registry
> > > getRegistry
> > > INFO: Creating new Registry instance
> > > Jul 14, 2003 10:28:28 PM 
> org.apache.commons.modeler.Registry getServer
> > > INFO: Creating MBeanServer
> > > Jul 14, 2003 10:28:29 PM 
> org.apache.coyote.http11.Http11Protocol init
> > > SEVERE: Error initializing endpoint
> > > java.net.SocketException: Network is down: listen failed
> > > at java.net.PlainSocketImpl.socketListen(Native Method)
> > > at 
> java.net.PlainSocketImpl.listen(PlainSocketImpl.java:333)
> > > at java.net.ServerSocket.bind(ServerSocket.java:309)
> > > at java.net.ServerSocket.bind(ServerSocket.java:266)
> > > at java.net.ServerSocket.(ServerSocket.java:182)
> > > at java.net.ServerSocket.(ServerSocket.java:138)
> > >
> > > Can someone please help me out.
> > > Regards
> > > Souren
> > >
> > >
> > > - Original Message -
> > > From: "Agarwal, Naresh" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Monday, July 14, 2003 10:09 PM
> > > Subject: Do we have any control on Tomcat threads?
> > >
> > >
> > > Hi
> > >
> > > Web apps in tomcat run in threads spawned by Tomcat. Do we
> > > have any control
> > > on these threads?
> > >
> > > I want to perform some Init and UnInit operations at the time
> > > creation and
> > > destruction of these threads. Is it po

RE: tomcat startup

2003-07-14 Thread Andrew Liles
Are you trying this on a laptop/standalone machine that has no network
stack?  You need a TCP/IP stack.

(It could be another process is listening on the same IP/port; but the usual
symptom in that case is a different error)

> -Original Message-
> From: Souren Sinha [mailto:[EMAIL PROTECTED]
> Sent: 14 July 2003 13:30
> To: Tomcat Users List
> Subject: tomcat startup
> 
> 
> Hi,
> I am having trouble starting up tomcat from the Start menu.
> I get the following exception:
> 
> Using CATALINA_BASE:   ..
> Using CATALINA_HOME:   ..
> Using CATALINA_TMPDIR: ..\temp
> Using JAVA_HOME:   C:\j2sdk1.4.0_03
> Jul 14, 2003 10:28:26 PM org.apache.commons.modeler.Registry 
> loadRegistry
> INFO: Loading registry information
> Jul 14, 2003 10:28:27 PM org.apache.commons.modeler.Registry 
> getRegistry
> INFO: Creating new Registry instance
> Jul 14, 2003 10:28:28 PM org.apache.commons.modeler.Registry getServer
> INFO: Creating MBeanServer
> Jul 14, 2003 10:28:29 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> java.net.SocketException: Network is down: listen failed
> at java.net.PlainSocketImpl.socketListen(Native Method)
> at java.net.PlainSocketImpl.listen(PlainSocketImpl.java:333)
> at java.net.ServerSocket.bind(ServerSocket.java:309)
> at java.net.ServerSocket.bind(ServerSocket.java:266)
> at java.net.ServerSocket.(ServerSocket.java:182)
> at java.net.ServerSocket.(ServerSocket.java:138)
> 
> Can someone please help me out.
> Regards
> Souren
> 
> 
> - Original Message -
> From: "Agarwal, Naresh" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, July 14, 2003 10:09 PM
> Subject: Do we have any control on Tomcat threads?
> 
> 
> Hi
> 
> Web apps in tomcat run in threads spawned by Tomcat. Do we 
> have any control
> on these threads?
> 
> I want to perform some Init and UnInit operations at the time 
> creation and
> destruction of these threads. Is it possible to do with 
> Tomcat threads?
> 
> thanks & regards,
> Naresh Agarwal
> 
> 
> 
> 



RE: Exception:getOutputStream() has already been called for this response

2003-07-13 Thread Andrew Liles
I suspect the problem is your use of the include method.
You need to be quite careful about flushing stuff to the output stream...
(include() may cause this)

If you then get an error in a JSP page, the page processor tries to output a
meaningful error but tries first to discard the output stream that has
already been built up so that you get a clean error page.  If the o/s has
already been flushed then you will get a secondary IllegalStateException
caused by the page processor's trying to mess with the output stream.  In all
of this the error message and stacks that will lead you to where the first
error is get lost.

So I suggest you can back the includes/forwards and try some unit testing on
the individual elements.

-Original Message-
From: Abid Ali Teepo
To: Tomcat Users List
Sent: 13/07/2003 11:56
Subject: SV: Exception:getOutputStream() has already been called for this
response

Yes, i'm using 4.1.24  how come ???
 
Abid

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Fri 11.07.2003 18:06
To: Tomcat Users List
Cc:
Subject: Re: Exception:getOutputStream() has already been called for this response



Doh! I don't see anything obvious from my point of view. My last chance
question (then I'm out of ideas for now): Are you using 4.1.24?

-Tim

Abid Ali Teepo wrote:
> Hi Tim
>
> No, the rd.include doesn't write anything.
>
> I'm pasting the root cause stack trace that refers to line number 69 in my
> jasper produced file that i'm attaching ... sure hope you can have a look at it ...
>
> Abid
>
> java.lang.IllegalStateException: getOutputStream() has already been called for this response
>   at org.apache.coyote.tomcat4.CoyoteResponse.getWriter(CoyoteResponse.java:614)
>   at org.apache.coyote.tomcat4.CoyoteResponseFacade.getWriter(CoyoteResponseFacade.java:173)
>   at org.apache.jasper.runtime.JspWriterImpl.initOut(JspWriterImpl.java:173)
>   at org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.java:166)
>   at org.apache.jasper.runtime.PageContextImpl.release(PageContextImpl.java:184)
>   at org.apache.jasper.runtime.JspFactoryImpl.internalReleasePageContext(JspFactoryImpl.java:198)
>   at org.apache.jasper.runtime.JspFactoryImpl.releasePageContext(JspFactoryImpl.java:193)
>   at org.apache.jsp.netbid_done_jsp._jspService(netbid_done_jsp.java:69)
>   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:137)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>
> -Original Message-
> From: Tim Funk [mailto:[EMAIL PROTECTED]
> Sent: 11. juli 2003 17:49
> To: Tomcat Users List
> Subject: Re: Exception:getOutputStream() has already been called for this response
>
>
> Does "rd.include(request, response);" do anything?
>
> What will really help is to look at the stacktraces produced - then go back
> to the jasper generated files to get a better idea of narrowing down when the
> exception gets thrown.
>
> -Tim
>
> Abid Ali Teepo wrote:
>
>>I don't understand Tim
>>
>>As far as i can see, i make no call to getOutputStream()
>>
>>And how come the exact same jsp-page will forward to my "menu.jsp" but not
>>to "safe.html". When i request the latter i get this exception.
>>
>>Here is my JSP :
>><%@ page import="Bid.BidSession"%>
>><%
>>BidSession bidSession = BidSession.readParameters(request, "AUTHCLIENT");
>>RequestDispatcher rd = request.getRequestDispatcher("BidProxy");
>>rd.include(request, response);
>>session.setAttribute("bid.authenticated",new String("true"));
>>
>>String pageWanted = (String)session.getAttribute("bid.pageWanted");
>>
>>  if(pageWanted!=null && !"".equals(pageWanted)) {
>>  System.out.println("PageWanted in netbid_done:" +pageWanted);
>>  rd = request.getRequestDispatcher(pageWanted);
>>  rd.forward(request, response);
>>  } else {
>>  rd = request.getRequestDispatcher("/secure/menu.jsp");
>>  rd.forward(request, response);
>>}
>>%>
>>
>>Could you please pinpoint my error ?
>>
>>Abid
>>
>>
>>-Original Message-
>>From: Tim Funk [mailto:[EMAIL PROTECTED]
>>Sent: 11. juli 2003 17:13
>>To: Tomcat Users List
>>Subject: Re: Exception:getOutputStream() has

HOWTO obtain UserDatabase from a servlet?

2003-07-10 Thread Andrew Liles
I wish to secure a website with a simple realm/user database
setup for a low usage site with low numbers of users.

UserDatabaseRealm (underpinned by MemoryUserDatabase) would
seem to be ideally suited.

How do I access the MemoryUserDatabase from a regular
application to be able to SET passwords, etc.

Once I have got a UserDatabase interface I know I can then
use findUser(..), but how do I get something implementing
the interface in the first case?  Is it some JNDI lookup or
ServletContext access?

I would appreciate your pointing me to some HOWTO
documentation.

Andrew.




Re: Tomcat bug? (PropertyResourceBundle)

2001-09-17 Thread Andrew Liles

This fault is caused by declaring two Beans with the same local variable,
e.g.

...


...



To: [EMAIL PROTECTED] 
Subject: Re: Tomcat bug? (PropertyResourceBundle) 
From: Ryan Schutt <[EMAIL PROTECTED]> 
Date: Mon, 17 Jul 2000 15:55:59 -0400 




Running tomcat 3.1, java version 1.2.1_03a on solaris 2.7.  This exception
is thrown when I try to access the page:

Unhandled error! You might want to consider having an error page to report
such errors more gracefully
java.lang.Error: Fatal Error: missing resource: java.util.PropertyResourceBundle
        at java.lang.Throwable.fillInStackTrace(Native Method)
        at java.lang.Throwable.fillInStackTrace(Compiled Code)
        at java.lang.Throwable.(Compiled Code)
        at java.lang.Error.(Compiled Code)
        at org.apache.jasper.Constants.getString(Compiled Code)
        at org.apache.jasper.compiler.BeanGenerator.checkSyntax(BeanGenerator.java:115)
        at org.apache.jasper.compiler.BeanGenerator.generate(BeanGenerator.java:93)
        at org.apache.jasper.compiler.JspParseEventListener$GeneratorWrapper.generate(JspParseEventListener.java:730)
        at org.apache.jasper.compiler.JspParseEventListener.generateAll(Compiled Code)
        at org.apache.jasper.compiler.JspParseEventListener.generateHeader(Compiled Code)
        at org.apache.jasper.compiler.JspParseEventListener.endPageProcessing(JspParseEventListener.java:167)
        at org.apache.jasper.compiler.Compiler.compile(Compiled Code)
        at org.apache.jasper.runtime.JspServlet.loadJSP(JspServlet.java:413)
        at org.apache.jasper.runtime.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:149)
        at org.apache.jasper.runtime.JspServlet$JspServletWrapper.service(JspServlet.java:161)
        at org.apache.jasper.runtime.JspServlet.serviceJspFile(JspServlet.java:261)
        at org.apache.jasper.runtime.JspServlet.service(Compiled Code)
        at javax.servlet.http.HttpServlet.service(Compiled Code)
        at org.apache.tomcat.core.ServletWrapper.handleRequest(Compiled Code)
        at org.apache.tomcat.core.ContextManager.service(Compiled Code)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(Compiled Code)
        at org.apache.tomcat.service.TcpConnectionThread.run(Compiled Code)
        at java.lang.Thread.run(Compiled Code)


I can post more code if you need it.  The actual bean itself does nothing
fancy, just a bunch of get and set methods..


- Original Message -
From: Nacho <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 17, 2000 3:42 PM
Subject: RE: Tomcat bug? (PropertyResourceBundle)


> > > >Fatal Error: missing resource: java.util.PropertyResourceBundle
>
> Please send any more info about this,
> do you have any logs ?
>
> Saludos ,
> Ignacio J. Ortega
>
>
>

_
This message has been checked for all known viruses by UUNET delivered 
through the MessageLabs Virus Control Centre. For further information visit
http://www.uk.uu.net/products/security/virus/