Access to shared classloader from common classes
Hi,

We have a realm implementation that authenticates against a user repository in an EJB container. To do this it uses some proxy classes to connect to the EJB container. These proxies are also used by web applications. Thus, these proxy classes are in the common/lib directory. However, this means that a lot of the webapp client framework has to go in the common/lib directory and not in the shared webapp directory where it should be.

I need to change but am not sure how the small authentication component (called by the realm implementation) which is in common/lib can find the webapp shared classloader to load the relevant proxy classes. Is there any (legal) way I can get the webapp shared classloader from the catalina startup classes?

Rgds
Antony

--
To unsubscribe: mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]

Tomcat ClassloaderLoaderFactory skips jar files
Hi,

I found out today that not all jar files in a directory are added to a classloader by tomcat at startup. When tomcat bootstrap creates Classloaders it ignores jar files that contain certain classes.

We are using Borland Enterprise Server and need to add the Borland jar files to access their EJB and orb components. However, putting asrt.jar in /lib is useless because it fails the validateJarFile() test in ClassLoaderFactory because it contains

    2777 Fri Nov 09 12:14:26 EET 2001 javax/naming/Context.class
     520 Fri Nov 09 12:14:36 EET 2001 javax/sql/DataSource.class

So, if tomcat is ignoring these classes, what are the implications for adding asrt.jar to the classpath in catalina.bat|sh? It does not seem to cause problems (yet) but does tomcat have certain reliance on these and the other trigger classes?

Rgds
Antony

--
Antony Bowesman
Teamware Group [EMAIL PROTECTED]
phone: +358 9 5128 2562
fax : +358 9 5128 2705
intra / extra / Internet solutions at www.teamware.com

Re: Sense of realm element in login-config
[EMAIL PROTECTED] wrote:
> Hi, Can anyone explain the use of realms in basic authentication? One can specify the name of a realm in the login-config of the web.xml but apparently this is not used since there is no standard JAVA API to pass this to the servlet container. What is the sense of having it when it is not really used?

This is the realm name shown in the browser. See section 'SRV.12.5.1 HTTP Basic Authentication' and 'SRV.13 Deployment Descriptor' of servlet spec.

Rgds
Antony

Re: Client Certificate IIS+Tomcat
Gianluca D'Introno wrote:
> I'm using Tomcat 4.0 and IIS 5.0 for an https site. I need to use in a JSP page the Client Certificate sent by the Client to the Server IIS during SSL Handshake. Does someone know how I can do it?

Think it's exposed by the certificate valve as an attribute in session

    javax.servlet.request.X509Certificate

Antony

Re: jaas login module integration with tomcat
Davis wrote:
> Hi All. Right now, I am facing one problem integrating my jaas login module to servlet or JSP using tomcat. I don't find a way to configure the jaas.config file into the server so that the loginContext can find the login module to instantiate from the config file. We can specify this for application using -Doption (-Djava.security.auth.login.config==jaas.config ). Any one did this before ?.. Can you please share with me.

You can set the environment variable CATALINA_OPTS (tomcat 4) or TOMCAT_OPTS (tomcat 3), e.g. (NT)

    set CATALINA_OPTS=-Djava.security.auth.login.config=%CATALINA_HOME%\conf\jaas_config

but there are other issues with Tomcat 4 which relate to loading the config concerning classloaders; search the archives for JAAS if you get problems.

Antony

--
Teamware Group [EMAIL PROTECTED]
phone: +358 9 5128 2562
fax : +358 9 5128 2705
intra / extra / Internet solutions at www.teamware.com

Re: Fixed - Repost:HELP! Security question - grant entries
Hi,

Got it to work, permissions for JSPs can only be given at the context root level. I was trying to be more fine grained which is not possible.

Antony

Antony Bowesman wrote:
> Hi,
>
> How can you assign permissions to code compiled from a JSP, is it possible or do you have to put all code that performs actions that may encounter security checks inside a bean and then allocate permissions to the bean class?
>
> I tried adding
>
>     grant codeBase "file:${catalina.home}/work/localhost/examples/jsp/security/protected/-" {
>         permission java.security.AllPermission;
>     };
>
> to the conf/catalina.policy but I get an AccessControlException because the compiled code in the stack frame
>
>     org.apache.jsp.index$jsp._jspService(index$jsp.java:116)
>
> does not have permission. It's tomcat 4.0
>
> Any ideas?
>
> Antony

--
Antony Bowesman
Teamware Group [EMAIL PROTECTED]
phone: +358 9 5128 2562
fax : +358 9 5128 2705
intra / extra / Internet solutions at www.teamware.com

Security question - grant entries
Hi,

How do you grant permissions in the policy file to jsp pages? I've tried

    grant codeBase "file:${catalina.home}/work/localhost/examples/jsp/security/protected/-" {
        permission java.security.AllPermission;
    };

but I get an AccessControlException when some code in the jsp tries to do something that requires certain permission. It's tomcat 4.0

Any ideas?

Antony

Re: Help with multiple security domains
Trever M. Shick wrote:
> Thanks.. Do you know if this works with previous versions of tomcat (3.2.3)? It's not a requirement, I just don't feel like upgrading now.

It can be done with 3.2.x but you have to modify/extend the JDBC realm to read parameters from the context. In the realm authenticate() method just do something like

    ctx.getInitParameter(namedParameter);

and in your web.xml for the webapp add

    <context-param>
      <param-name>namedParameter</param-name>
      <param-value>YourValue</param-value>
    </context-param>

You can then extend the logic to do what you want for your specific context.

Rgds
Antony

> Trever
>
> - Original Message -
> From: Craig R. McClanahan [EMAIL PROTECTED]
> To: Tomcat Users List [EMAIL PROTECTED]
> Sent: Thursday, November 15, 2001 12:06 PM
> Subject: Re: Help with multiple security domains
>
> On Thu, 15 Nov 2001, Trever M. Shick wrote:
> > Date: Thu, 15 Nov 2001 09:52:39 -0700
> > From: Trever M. Shick [EMAIL PROTECTED]
> > Reply-To: Tomcat Users List [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Help with multiple security domains
> >
> > I'd like to have two different JDBC realms within my server.xml and then I'd like to reference those within my web.xml file. I already have one JDBC realm working, I would like to add a second one. Is there some sort of name or key that can be set for a JDBC realm and then referenced by the security constraints within the web.xml?
>
> For Tomcat 4, you can use a different realm per webapp by nesting the Realm element inside a Context element for that webapp in server.xml. That way, you don't need any special key or anything like that.
>
> > Thanks for any help.
>
> Craig

Repost:HELP! Security question - grant entries
Hi,

How can you assign permissions to code compiled from a JSP, is it possible or do you have to put all code that performs actions that may encounter security checks inside a bean and then allocate permissions to the bean class?

I tried adding

    grant codeBase "file:${catalina.home}/work/localhost/examples/jsp/security/protected/-" {
        permission java.security.AllPermission;
    };

to the conf/catalina.policy but I get an AccessControlException because the compiled code in the stack frame

    org.apache.jsp.index$jsp._jspService(index$jsp.java:116)

does not have permission. It's tomcat 4.0

Any ideas?

Antony

Re: Got him...
Endre Stølsvik wrote:
> On Wed, 14 Nov 2001, Pier Fumagalli wrote:
>
> | On 14/11/2001 01:01 am, Pier Fumagalli [EMAIL PROTECTED] wrote:
> |
> | On 14/11/2001 12:42 am, Martin van den Bemt [EMAIL PROTECTED] wrote:
> |
> | nice job ;))
> | Why don't you put the subscriber email address in by default (in the text
> | footer of the mail or something).. Saves you working late ;))
> |
> | I don't think it's possible with EZMLM to modify the content per each
> | subscriber... I'll see, though!
> |
> | Oh... One more thing... That's kinda impossible also because messages are
> | prepared once and then sent to the email delivery service with one message
> | copy and a list of addresses... Changing this behavior would mean greatly
> | increasing the size of the queue, adding a bunch of overhead (since for
> | every subscriber, the message needs to be parsed and prepared individually),
> | and so on... Not a good idea...
>
> Patch that sending part of the program to just include the address at the bottom? Or as an extra header? Just chuck it in there, kind of.. It already has to handle the address anyways, since it talks to the MTA.

Presumably there's only a single message when it starts to talk to the MTA. The message only splits further down the series of hops so it can't be possible to add an address because it no longer is in control of the original message.

Antony

Last straw - AccessControlException problem
Hi,

I'm getting an AccessControlException when trying to read the file

    H:\Apache\jakarta-tomcat-4.0\bin\user.txt

Top part of stack trace is

    java.security.AccessControlException: access denied (java.io.FilePermission user.txt read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
        at java.security.AccessController.checkPermission(AccessController.java:399)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
        at java.io.FileInputStream.<init>(FileInputStream.java:61)
        at java.io.FileReader.<init>(FileReader.java:38)
        at com.teamware.phoenix.security.auth.spi.TestLoginModule.login(Unknown Source)
        at com.teamware.phoenix.security.auth.spi.ProxyLoginModule.login(ProxyLoginModule.java:152)

My ProxyLoginModule is in file:${catalina.home}/bin/jaasproxylogin.jar and catalina.policy has the following grant entry

    grant codeBase "file:${catalina.home}/bin/jaasproxylogin.jar" {
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.util.PropertyPermission "log4j.configuration", "read";
        permission java.util.PropertyPermission "log4j.configDebug", "read";
        permission java.util.PropertyPermission "user.dir", "read";
        permission java.util.FilePermission "H:\\Apache\\jakarta-tomcat-4.0\\bin\\user.txt", "read";
        permission java.util.FilePermission "user.txt", "read";
    };

The code does

    String fileName = "user.txt";
    File f = new File(fileName);
    System.out.println("Path=" + f.getAbsolutePath());
    BufferedReader br = new BufferedReader(new FileReader(fileName));

The output is

    Path=H:\Apache\jakarta-tomcat-4.0\bin\user.txt

If I remove the PropertyPermission for user.dir I get an ACE on the getAbsolutePath() call, this shows it is taking the grant entry.

Can anyone see what's wrong with the grant entry? I've tried the same with no codebase and it does not work. I've tried

    permission java.util.FilePermission "<<ALL FILES>>", "read";

still doesn't work. I'm running 4.0 on WinXP.

Antony

--
Antony Bowesman
Teamware Group [EMAIL PROTECTED]
phone: +358 9 5128 2562
fax : +358 9 5128 2705
intra / extra / Internet solutions at www.teamware.com

Re: Last straw - AccessControlException problem
Aargh,

Problem solved, I had java.util.FilePermission in my policy not java.io.FilePermission... Can't see the wood for the trees.

Antony

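The mistake in this thread is hard to spot because the default JDK policy parser does not reject a permission class it cannot load: the entry is kept as an unresolved permission and grants nothing. The following is an added example, not code from the thread or from Tomcat, that lints policy text for such entries. The class name PolicyPermissionLint and its line-based parsing are assumptions of this sketch, and the sample policy is constructed from the grant entry quoted in the thread.

```java
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical helper): reports "permission <class> ..." entries
 * in a Java policy file whose class cannot be loaded or is not a
 * java.security.Permission subclass. Run it with the same classpath as the
 * server, otherwise custom permission classes will be reported as missing.
 */
public class PolicyPermissionLint {

    /** One suspicious entry: 1-based line number, class name and reason. */
    public static final class Finding {
        public final int line;
        public final String className;
        public final String reason;

        Finding(int line, String className, String reason) {
            this.line = line;
            this.className = className;
            this.reason = reason;
        }

        @Override
        public String toString() {
            return "line " + line + ": " + className + " - " + reason;
        }
    }

    // Start of a permission entry: the keyword followed by the class name.
    private static final Pattern PERMISSION =
            Pattern.compile("^\\s*permission\\s+([A-Za-z_$][\\w$.]*)");

    public static List<Finding> lint(String policyText) {
        List<Finding> findings = new ArrayList<>();
        String[] lines = policyText.split("\\r?\\n");
        boolean inBlockComment = false;
        for (int i = 0; i < lines.length; i++) {
            String trimmed = lines[i].trim();
            // Only a line that *starts* with "/*" opens a comment, so a
            // codeBase URL ending in "/*" is not mistaken for one.
            if (inBlockComment) {
                if (trimmed.contains("*/")) {
                    inBlockComment = false;
                }
                continue;
            }
            if (trimmed.startsWith("/*")) {
                inBlockComment = trimmed.indexOf("*/", 2) < 0;
                continue;
            }
            Matcher m = PERMISSION.matcher(lines[i]);
            if (!m.find()) {
                continue; // grant headers, "//" comments, closing braces
            }
            String className = m.group(1);
            try {
                // Load without initialising; only existence and type matter.
                Class<?> c = Class.forName(className, false,
                        PolicyPermissionLint.class.getClassLoader());
                if (!Permission.class.isAssignableFrom(c)) {
                    findings.add(new Finding(i + 1, className,
                            "not a java.security.Permission subclass"));
                }
            } catch (ClassNotFoundException | LinkageError e) {
                findings.add(new Finding(i + 1, className,
                        "class cannot be loaded, entry grants nothing"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample based on the grant entry in the thread, with the
        // corrected java.io.FilePermission line added for comparison.
        String policy =
              "grant codeBase \"file:${catalina.home}/bin/jaasproxylogin.jar\" {\n"
            + "    permission java.lang.RuntimePermission \"getClassLoader\";\n"
            + "    permission java.util.PropertyPermission \"user.dir\", \"read\";\n"
            + "    permission java.util.FilePermission \"user.txt\", \"read\";\n"
            + "    permission java.io.FilePermission \"user.txt\", \"read\";\n"
            + "};\n";
        for (Finding f : lint(policy)) {
            System.out.println(f);
        }
    }
}
```
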
Re: Can't get SecurityRoleRef/Tomcat4 working
Hi Craig,

Craig R. McClanahan wrote:
> Unless you have changed something in tomcat-users.xml, the role assigned to the tomcat user is tomcat, not Tomcat. Role names, like pretty much everything else in servlets and JSPs, are case sensitive.

Sorry, I should have mentioned, I am using my own Jaas realm and have my own login modules. I am currently assigning 'Tomcat' as the role in my test login.

The question still applies, how do you get the role-ref mapping configured in web.xml when the servlet is a JSP?

Rgds
Antony

Re: JAAS not working any more with Tomcat 4.0 (!?)
Markus,

Markus Kerber wrote:
> I saw this mailing but I don't think it is related to (at least) my problem. I don't use a security manager and even though checked the proposed solution without any result. The problem described in this mailing was solved by simply putting the JAAS config file into the CLASSPATH. However, I set the path to the config file explicitly by the according system property. Hence this should not be the problem.

That post was about the problem, nothing to do with security manager, the problem is due to JAAS using the system classpath to load its config and login modules. I have now got my JAAS realm working doing the following

* Add jaas.jar to the system classpath in catalina.bat
* Put all the login module classes and additional classes they require into some location and ensure that the classpath in catalina.bat points to them too.

The error you had

    java.lang.SecurityException: unable to instantiate LoginConfiguration

is because it cannot find the sun ConfigFile class.

See the class loader Tomcat 4 doc http://jakarta.apache.org/tomcat/tomcat-4.0-doc/class-loader-howto.html

Rgds

--
Antony Bowesman
Teamware Group [EMAIL PROTECTED]
phone: +358 9 5128 2562
fax : +358 9 5128 2705
intra / extra / Internet solutions at www.teamware.com

Can't get SecurityRoleRef/Tomcat4 working
Hi,

I can't get the security-role-ref to work in Tomcat 4 with the security JSP. I have added the following

    <% if (request.isUserInRole("Admin")) { %>
    User is in Admin role
    <% } else { %>
    User is NOT in Admin role
    <% } %>

to jsp/security/protected/index.jsp in the distribution to Tomcat 4.

As security-role-ref is part of a servlet element of web.xml how do you specify this with a JSP? I tried adding the following to web.xml

    <servlet>
      <servlet-name>
        Protected
      </servlet-name>
      <jsp-file>/jsp/security/protected/index.jsp</jsp-file>
      <security-role-ref>
        <description>Link between Admin and sysadmin</description>
        <role-name>Admin</role-name>
        <role-link>Tomcat</role-link>
      </security-role-ref>
    </servlet>

My user authenticates and is given the role 'Tomcat' but the Realm hasRole() method is called with 'Admin'. The code in HttpRequestBase does

    public boolean isUserInRole(String role) {
        ...
        if (wrapper != null) {
            String realRole = wrapper.findSecurityReference(role);
            if ((realRole != null) &&
                realm.hasRole(userPrincipal, realRole))
                return (true);
        }

to map the servlet role to security-role so I guess I have not got web.xml set up properly.

Any ideas?

Antony

--
Antony Bowesman
Teamware Group [EMAIL PROTECTED]
phone: +358 9 5128 2562
fax : +358 9 5128 2705
intra / extra / Internet solutions at www.teamware.com

Re: JAAS not working any more with Tomcat 4.0 (!?)
Markus Kerber wrote:
> Hi all, when trying to perform a JAAS authentification from within servlets I get the attached error message. Funny enough the same code works with Tomcat 3.2.x but not with Tomcat 4.0! The code snippet I use for the authentification is:

I just happened to be doing the same thing today and have found the same problem. The following post on the Java-security group shows the problem and why it is probably not working.

http://archives.java.sun.com/cgi-bin/wa?A2=ind0108L=java-securityP=R4789

Haven't got around to looking at it but if you beat me to getting it working let me know and I'll do the same.

Rgds

--
Antony Bowesman [EMAIL PROTECTED]

Re: Interceptors
Wesley,

Wesley Gamble wrote:
> Where is the best info. on using Tomcat interceptors with 3.2.x? I've looked for quite a while, and can't find much documentation at all on them. Should I just print whatever source I can find and try and puzzle it together from that?
>
> I need to be able to modify the value of a cookie before the session info. is processed so that Tomcat will be able to recognize the JSESSIONID. I have a user agent which formats cookies incorrectly. Does anyone know which kind of Interceptor I would use to manipulate the cookie PRIOR to session identification and processing?

Try http://tomcatbook.sourceforge.net

There was some interceptor information earlier.

Rgds
Antony

Re: Access protected
Nicolas Preget wrote:
> Hi I would like to protect (using password for instance) the access to parts on my Tomcat installation. Do you know how I can make it ?

Have a look for 'Realm' in the archive. Realms give access to user repositories for authentication and access control information. Access is protected through web.xml

Antony

Re: User login logging (JDBC authentication)
Mark,

> Antony
>
> Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated.

Perhaps I should have elucidated a little more...

I'm assuming you have configured JDBCRealm as your interceptor in conf/server.xml and we are talking about tomcat 3.x.

The JDBCRealm is part of webserver.jar. You can either modify the source of JDBCRealm.java which is (org.apache.tomcat.request.JDBCRealm) to implement your own specific logging or set the debug level of the JDBCRealm to 2 or greater. At least the existing JDBCRealm with tomcat 3.2.2 supports logging success and failures by setting the debug level to 2 or greater.

If you want to implement your own then modify the source, rebuild the class and add it to the $TOMCAT_HOME/classes

HTH.
Antony

> - Original Message -
> From: Antony Bowesman [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Thursday, June 28, 2001 4:58 PM
> Subject: Re: User login logging (JDBC authentication)
>
> > Mark Muffett wrote:
> > > Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.
> >
> > Just change the JDBC realm authenticate() method to log the result of the authentication.
> >
> > Antony

--
Antony Bowesman
Teamware Group [EMAIL PROTECTED]
tel: +358 9 5128 2562
fax: +358 9 5128 2705

Re: conflict between jaxp.jar, parser.jar (tomcat lib) and xalan.jar, xerces.jar?
JAXP shipped with tc3 is 1.0. If this jar gets on the classpath before xerces then it won't work. Either removing jaxp or updating it to 1.1 will solve the problem.

Antony

> Markus
>
> Are you suggesting that the jars are loaded in alphabetical order? I would have said you should either move parser.jar to the end of the class path or remove it entirely since xerces.jar contains the necessary jaxp interfaces. Tomcat 3.2 does not access the parser directly but through jaxp so you can safely remove parser.jar and jaxp.jar and use only xerces.jar.
>
> Pete
>
> -Original Message-
> From: Markus Strickler [mailto:[EMAIL PROTECTED]]
> Sent: 04 July 2001 08:57
> To: [EMAIL PROTECTED]
> Subject: Re: conflict between jaxp.jar, parser.jar (tomcat lib) and xalan.jar, xerces.jar?
>
> Betty-
>
> The problem is with the order the jars are loaded. There is a version conflict with some classes. A common workaround is to rename parser.jar into zparser.jar, so it is loaded after xalan.jar and xerces.jar. This worked for me.
>
> -markus
>
> - Original Message -
> From: Betty Chang mailto:[EMAIL PROTECTED]
> To: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 04, 2001 5:34 AM
> Subject: conflict between jaxp.jar, parser.jar (tomcat lib) and xalan.jar, xerces.jar?
>
> Hi --
>
> I'm running a servlet application that uses the apache-XML xalan.jar and xerces.jar files for handling XML/XSL stuff. With tomcat 3.2.1, when I run my servlet, I get NoSuchMethodError on getNamespaceURI(), called by org.apache.xpath.DOM2Helper.getNamespaceOfNode(). I solved this problem by removing the jaxp.jar and parser.jar files that come with the tomcat installation and sit under the lib directory. The servlet still runs without those jar files, so the xalan.jar and xerces.jar must do the trick. Is there some kind of version conflict that causes the NoSuchMethodError?
>
> Thanks
> Betty

Re: Programmatic security with servlet mappings in tomcat
Pete,

pete wrote:
> Tim,
>
> there are several ways to implement this kind of security check. If you want a fullblown MVC model, you might consider looking at Struts or one of the other Apache-driven frameworks (Struts is the only one i have personal experience with).
>
> with the example you give, i don't understand the need for a 'controller' jsp in this context. The way i handle security in one of my apps is that i have a method in a session-bean (public void isAuthenticated()) that checks the user has a valid login, so all my jsps (except login.jsp) are wrapped in a statement like
>
>     <jsp:useBean id="Authentication" scope="session" class="com.mycompany.authentication"></jsp:useBean>
>     <%if (Authentication.isAuthenticated()) {%>
>     rest of JSP goes here
>     <%} else { response.sendRedirect("./login.jsp"); } %>
>
> If a valid session key is already assigned, the method returns true. If username and password are supplied in request scope, isAuthenticated does a lookup to our authentication database, and if successful, sets a valid session key, and returns true. If neither of these are true, isAuthenticated sets a 'you are not authenticated' message to be displayed by login.jsp, returns false, and the user is redirected back to login.jsp

Interesting that you don't use the container's authentication mechanism to protect pages. What if someone writes an app that doesn't protect the page? Any reason why you chose this route?

Rgds
Antony

Re: Programmatic security with servlet mappings in tomcat
pete wrote:
> Sure, one is that i want custom login screens, another is that we store all our authentication details centrally and query for them via an XML data service. Various user and domain-specific data, including user preferences, roles etc. is stored in this repository, not just 'yes, this user has blanket access to the site'.

You mean custom login screens per JSP?

We had the same issue about how to protect the site and eventually went for getting the container to handle the security. Now we have optionally different login screens for different webapps and a tomcat realm that authenticates users against a user repository running in an EJB container. Permissions are then checked using JAAS and realm loads groups, roles etc from the user realm into the JAAS context. In addition J2EE roles are also mapped from roles in the user realm so we can use J2EE security and roles are dynamic rather than having to redeploy apps.

We opted against the JSP approach because it means that the onus was on the developer to think about security :)) At least from the presentation point of view, but for the business logic there has to be some thought...

Antony

> Our permissions-management tools are all written to work with this, so i have an existing system i must fit my tomcat-based solutions into here. I do use tomcat's basic authentication facilities for some unrelated services, but for us it makes a lot of sense to centralize authentication and preference data this way.
>
> If someone writes an app that doesn't protect the page? well, then the page is unprotected. Security never comes completely for 'free', and in my experience it is beneficial to place some onus on the developer to at least think about security during the course of development. YMMV, of course, but this approach has worked well for us.
>
> -Pete
>
> > Pete,
> >
> > Interesting that you don't use the container's authentication mechanism to protect pages. What if someone writes an app that doesn't protect the page? Any reason why you chose this route?
> >
> > Rgds
> > Antony

Re: User login logging (JDBC authentication)
Mark Muffett wrote:
> Any ideas how best to log successful (or unsuccessful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them.

Just change the JDBC realm authenticate() method to log the result of the authentication.

Antony

Re: How do I get context-params that are set in the web.xml file?
[EMAIL PROTECTED] wrote:
> I hope the subject says it all but here's a reiteration. The sample web.xml in TOMCAT_HOME/doc/appdev shows how to set and access context-params. The current docs on ServletContext do not seem to have a method to get context params. init-params on a per servlet basis work as described but I have several values that all servlets must access.

e.g. in TC3.x core/BaseInterceptor.java implementation

    public void contextInit(Context ctx) throws TomcatException {
        ...
        String className = ctx.getInitParameter("RoleMapper");
        ...
    }

Would get the following param from webapps/xx/WEB-INF/web.xml

    <context-param>
      <param-name>RoleMapper</param-name>
      <param-value>
        com.teamware.phoenix.security.auth.TomcatFixedRoleMapper
      </param-value>
    </context-param>

Antony

Re: a question
mazzen al-najjar wrote:
> Martin Mauri wrote:
> > How are you? :)
>
> SPEAK FINNISH OR DIE!

Hello, I speak Finnish, I don't want to die :)

Re: a question
Milt Epstein wrote:

Thanks Milt for some insight into the Mandarin/Cantonese. BTW, Mandarin is also the official language in Singapore and I think the Malay Chinese also speak it. Also in Shanghai they speak Shanghai-hua. Plus in China there are of course the other tens of languages spoken by the hill tribes in the south west, Tibetan, Mongolian, and those Turkic languages in the western province of Xinjiang.

--
Antony Bowesman
Teamware Group [EMAIL PROTECTED]
tel: +358 9 5128 2562
fax: +358 9 5128 2705

Re: MultiThreadModel-Problem?
Sebastian Schulz wrote:
> [...] the second question is: data-container like HashMap or HashSet are considered to be not thread-safe. Can i use such containers in a MultiThreadModel-Servlet or must i use only slower structures like Vector? your help is really needed, many thanks in advance!
>
> basti

Came across a very useful class developed by Doug Lea, author of "Concurrent Programming in Java", in version 1.3.0 of his concurrent package. This package contains ConcurrentHashMap which provides concurrent reads, writes and iterations (including removal during iteration) over the Map.

See the package pages http://gee.cs.oswego.edu/dl/classes/EDU/oswego/cs/dl/util/concurrent/intro.html

Doug says that a class of this sort is likely to be included in JDK1.5 and is looking for feedback on good/bad experiences with the new class.

Antony

Jaxp.jar 1.0 and 1.1
Does anyone know of any problems or implications of replacing the jaxp.jar shipped with tomcat 3.2.2 with jaxp 1.1? Tomcat seems to work with 1.1.

Antony

Re: Per-context authentication database
Hi,

My comments relate to tomcat 3, not 4 but the same principles apply.

Twylite wrote:
> Hi,
>
> Is it possible to have a per-context authentication database, especially one that does not have to be configured using server.xml ?
>
> This is the sort of scenario I am looking at: A WAR file is added to the webapps directory, and on restarting Tomcat will be deployed. It contains all of the information necessary for it to function, including its own password database (and maybe even the database drivers). There is no need to modify the server.xml in any way. Can this be done?

I have written a JAAS Realm which is configured in the usual way in server.xml. e.g.

    <RequestInterceptor
        className="com.teamware.phoenix.security.JAASRealm"
        JAASConfigEntry="other"
        debug="99" />

The server.xml attributes specify defaults for all contexts. However, specific attributes can be configured in web.xml for each web app, such as

    <context-param>
      <param-name>JAASConfigEntry</param-name>
      <param-value>test</param-value>
    </context-param>

to override the default. In the realm implementation authenticate() I just do stuff like

    Context ctx = req.getContext();
    String jaasConfigEntry = ctx.getInitParameter(jaasConfigKey);

which allows context specific authentication. I guess it's easy enough to modify the JDBC realm so that you can use different databases per context using this mechanism or write your own realm.

> The very important catch here is that I want to use Tomcat's support for form logon - that is, the form-logon-page and logon-error-page in the web.xml, and all that jazz. I do not intend writing my own logic to handle the authentication!

I'm not sure what you mean by not wanting to write your own logic to handle the authentication. JDBC realm simply does string comparison between two passwords. Authentication in the JAAS Realm is handled by the JAAS Login module. The form login support is not really relevant, I think all the realm implementations I've seen support both form/basic auth.

Rgds

--
Antony Bowesman
Teamware Group [EMAIL PROTECTED]
tel: +358 9 5128 2562
fax: +358 9 5128 2705

What are 'notes' all about
Hello,

For Tomcat 3, is there any information on 'notes', what they are and what they do? There are various references to these notes in the source but I'd like to see concrete examples of their usage as the comments are fairly abstract and don't give much clue.

Rgds
Antony

--
Antony Bowesman
Teamware Group [EMAIL PROTECTED]
tel: +358 9 5128 2562
fax: +358 9 5128 2705

Re: Per-context authentication database
Hi,

Twylite wrote:
> >     Context ctx = req.getContext();
> >     String jaasConfigEntry = ctx.getInitParameter(jaasConfigKey);
>
> Interestingly I'm doing something almost exactly like that ... but no matter what page/context I'm accessing I appear to be getting the root context from req.getContext() . Any suggestions?

Have you got the different contexts defined in server.xml?

> > I'm not sure what you mean by not wanting to write your own logic to handle the authentication. JDBC realm simply does string comparison
>
> Many in the Great Unwashed Masses seem oblivious to the existence of Tomcat's logon handling, and write their own code in JSPs with lots of If...Thens to check if the person is logged on, and authenticate in their own way against their own database(s). i.e. not using Realms at all.

Given the paucity of documentation, it's not surprising!

Antony

Re: Tomcat policy file being ignored
Problem solved. Just renaming the ${java.home}/lib/ext/jaas.jar to some random name does not stop JVM from attempting to load it as a jar file so the classes were still being loaded from there. The file must be removed.

Antony

Antony Bowesman wrote:
> Hi,
>
> I am running tomcat and using JAAS for authentication and authorization. If I have jaas.jar installed as an installed extension in ${java.home}/lib/ext and I have the following entries in the tomcat policy file
>
>     grant codeBase "file:${java.home}/lib/ext/jaas.jar" {
>         permission java.security.AllPermission;
>     };
>
> then all is OK. However, if I put jaas.jar in ${tomcat.home}/lib and remove it from ${java.home}/lib/ext and change the grant entry to say
>
>     grant codeBase "file:${tomcat.home}/lib/jaas.jar" {
>         permission java.security.AllPermission;
>     };
>
> then I get an access control exception when instantiating my LoginContext.
>
>     java.security.AccessControlException: access denied (java.util.PropertyPermission java.security.auth.debug read)
>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
>
> Any ideas why the tomcat policy is being ignored?
>
> Rgds
> Antony
>
> --
> Antony Bowesman
> Teamware Group [EMAIL PROTECTED]
> tel: +358 9 5128 2562
> fax: +358 9 5128 2705

--
Antony Bowesman
Teamware Group [EMAIL PROTECTED]
tel: +358 9 5128 2562
fax: +358 9 5128 2705

Multiple VMs on NT
Hello, Does anyone know how to force tomcat 3.2* to run each webapp in a separate VM on NT? Rgds Antony
Re: AW: java.lang.NullPointerException......Plz Help Me
Ralph Einfeldt wrote:

Have a look at line 123 in the generated source file _0002fjsp_0002fNew_0002fdyeing_0002ejspdyeing_jsp_0.java to see which statement causes the exception. If you found the region and can't see the error, try to reduce the page to the bare minimum that reproduces the error and post the source for that.

I have seen a similar problem which I posted to tomcat dev. The generated source code is

    ...
    } finally {
        if (out != null) out.flush();
        if (_jspxFactory != null) _jspxFactory.releasePageContext(pageContext);
    }
    ...

and the error came from the releasePageContext method which tried to do something with pageContext. It seems quite repeatable if tomcat is run with security. e.g. standard 3.2 examples/numguess. My case is when I have access controls turned on and am doing authentication. No answer in the dev list.

This always occurs if you have no permissions when compiling the login page which is the result of a redirection from the protected resource. This is in 3.2.2b4. Seems to be a general problem when run with security.

-Original Message-
From: Naeem Malik [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 17 May 2001 09:10
To: [EMAIL PROTECTED]
Subject: java.lang.NullPointerException..Plz Help Me

<snip/>

Error: 500
Location: /examples/jsp/New/dyeing.jsp
Internal Servlet Error:
java.lang.NullPointerException
    at jsp.New._0002fjsp_0002fNew_0002fdyeing_0002ejspdyeing_jsp_0._jspService(_0002fjsp_0002fNew_0002fdyeing_0002ejspdyeing_jsp_0.java:123)
Bug in runtime/JspFactoryImpl.java
Hi,

Excuse the cross post to User/Dev but this problem has been reported by others in user.

Further to yesterday's message re jasper/tomcat exceptions, it seems that there is either a bug in the code generation or the JspFactoryImpl. If the generated code gets an exception pageContext is never set so in the finally clause the releasePageContext will be passed null. Seems to me the releasePageContext should either check for null or the generated code should check for null. In the generated number guess code from the examples there is

---
    } catch (Exception ex) {
        if (out != null && out.getBufferSize() != 0)
            out.clearBuffer();
        if (pageContext != null) pageContext.handlePageException(ex);
    } finally {
        if (out != null) out.flush();
        if (_jspxFactory != null) _jspxFactory.releasePageContext(pageContext);
    }
---

the exception checks for null but not the finally. Who might be the best person to decide where the fix should go??

This causes big problems if security is turned on because any access control failure makes this problem occur.

Rgds

-- Antony Bowesman Teamware Group [EMAIL PROTECTED] tel: +358 9 5128 2562 fax: +358 9 5128 2705
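The effect described in this post, reduced to a stand-alone program: an unguarded release in `finally` throws a NullPointerException that replaces the access-control failure, so the real cause never surfaces. This is an added example, not Tomcat's or Jasper's code; PageContext and Factory are hypothetical stand-ins and the catch block of the generated code is left out for brevity.

```java
// Added illustration: PageContext and Factory are hypothetical stand-ins,
// not Tomcat's JspFactoryImpl or Jasper's generated servlet.
public class FinallyNullGuardDemo {

    static class PageContext {
        void release() { }
    }

    static class Factory {
        // Fails before a context exists, as an access-control denial would.
        PageContext getPageContext(boolean permitted) {
            if (!permitted) throw new SecurityException("access denied (constructed)");
            return new PageContext();
        }

        // Assumes a non-null argument, like the method described in the post.
        void releasePageContext(PageContext pc) { pc.release(); }
    }

    // Shape of the generated code: finally releases unconditionally.
    static void serviceUnguarded(Factory f, boolean permitted) {
        PageContext pageContext = null;
        try {
            pageContext = f.getPageContext(permitted);
        } finally {
            f.releasePageContext(pageContext); // NPE here replaces the real cause
        }
    }

    // Guarded form: the original exception propagates intact.
    static void serviceGuarded(Factory f, boolean permitted) {
        PageContext pageContext = null;
        try {
            pageContext = f.getPageContext(permitted);
        } finally {
            if (pageContext != null) f.releasePageContext(pageContext);
        }
    }

    // Runs the call and reports which exception type, if any, escaped.
    static String outcome(Runnable r) {
        try { r.run(); return "completed"; }
        catch (RuntimeException e) { return e.getClass().getSimpleName(); }
    }

    public static void main(String[] args) {
        Factory f = new Factory();
        System.out.println("unguarded: " + outcome(() -> serviceUnguarded(f, false)));
        System.out.println("guarded:   " + outcome(() -> serviceGuarded(f, false)));
    }
}
```

When triaging a NullPointerException raised from a `finally` block on a server running under a security policy, look earlier in the log for the denial that preceded it.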
Re: Stupid errors gone but another internal error with JDBC Realm
[EMAIL PROTECTED] wrote:

Hello, the error I posted in JDBCRealm/Tomcat do not not protect Web Pages!?... is solved. Stupid I was I forgot to rename the *.html files to *.jsp. Tomcat obviously totally ignores the html-File and doesn't protect it. Ok seems to work. But now when accessing the protected source I get an error like this one:

Tomcat's behaviour is strange re html files. If one is protected via url-pattern it redirects to the configured login form. So, you type in the user name/password but tomcat never calls the realm/authenticate() method, it just then shows the html page regardless of what you type in on the login form...
AccessControlExceptions
Hi,

I get an AccessControlException when running secure tomcat. The relevant part of the log shows

-
java.lang.ExceptionInInitializerError: java.security.AccessControlException: access denied (java.util.PropertyPermission line.separator read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
-

However, the default tomcat.policy says

    // Example webapp policy
    // By default Tomcat grants read access on webapp dir and read of the
    // line.separator, path.separator, and file.separator PropertyPermissions.
    // Any permissions you grant here are in addition to the default.
    grant codeBase "file:${tomcat.home}/webapps/examples" {
        // Allow the example web application to read all java properties
        permission java.util.PropertyPermission "*", "read";
    };

but this exception says it cannot read line.separator. If I try the num guess example it fails with this exception.

Running tomcat 3.2.2b4

Anyone managed to get this working?

Rgds Antony

-- Antony Bowesman Teamware Group [EMAIL PROTECTED] tel: +358 9 5128 2562 fax: +358 9 5128 2705
Re: Tomcat and JAAS
PARDEY Meaghan wrote:

I haven't heard any reply yet...does anyone know if you can use JAAS 1.0 (which is part of the standard extensions of JDK 1.3) with the latest release build of Tomcat?

You can use JAAS Authentication in TC by writing a JAAS Realm. JAAS authorisation can also be done inside the realm. Neither TC 3 or 4, nor in fact does the servlet API spec support the idea of multiple principals as does JAAS. Security context propagation to other containers, such as EJB is a problem.

I have a working JAAS Realm but not sure if it will be made public.

Rgds

-- Antony Bowesman Teamware Group [EMAIL PROTECTED] tel: +358 9 5128 2562 fax: +358 9 5128 2705
j_security_check not working on web pages
Hi,

In the security example when I try to access the protected directory it redirects me to the login.jsp page. It shows in the log

    2001-05-07 02:38:37 - ContextManager: AccessInterceptor: checking /jsp/security/protected/index.jsp
    2001-05-07 02:38:37 - ContextManager: AccessInterceptor: matched /jsp/security/protected/* DELETE GET POST PUT null tomcat role1
    2001-05-07 02:38:37 - ContextManager: AccessInterceptor: checking /jsp/security/login/login.jsp

Realm.authenticate() is called but there is nothing to authenticate. I then enter username/password and hit login. I am then shown the index.jsp from the example. The log shows

    2001-05-07 02:39:29 - ContextManager: AccessInterceptor: checking /jsp/security/login/j_security_check
    2001-05-07 02:39:29 - ContextManager: AccessInterceptor: checking /jsp/security/protected/index.jsp
    2001-05-07 02:39:29 - ContextManager: AccessInterceptor: matched /jsp/security/protected/* DELETE GET POST PUT null tomcat role1

The realm.authenticate() is called and my realm authenticates OK.

However, if my protected resource is a simple web page then tomcat first redirects to the login form as above and the log shows

    2001-05-07 02:50:40 - ContextManager: AccessInterceptor: checking /HelloWorld.html
    2001-05-07 02:50:40 - ContextManager: AccessInterceptor: matched /HelloWorld.html DELETE GET POST PUT null tomcat role1 sysadmin
    2001-05-07 02:50:40 - ContextManager: AccessInterceptor: checking /jsp/security/login/login.jsp

When I hit the login button the realm.authenticate() mechanism is not called and all that is shown in the log is

    2001-05-07 02:50:48 - ContextManager: AccessInterceptor: checking /jsp/security/login/j_security_check

Whatever I type in the username/password fields is not used. Why is it not calling the realm.authenticate()?

Rgds

-- Antony Bowesman Teamware Group [EMAIL PROTECTED] tel: +358 9 5128 2562 fax: +358 9 5128 2705
Re: JaasRealm / LdapRealm
Hi,

I came across a JAAS Realm implementation done for catalina by

    * @author <a href="mailto:[EMAIL PROTECTED]">Kyle F. Downey</a>

Can't remember how I found it but I think it was from ML (probably tomcat-dev).

I have a JAAS implementation which has been made outside Tomcat and I'm looking at making it fit into 3.x. However, I received a reply from Costin in the dev list who said all you need to do is implement authenticate() and authorise() hooks in Realm class.

As Servlet API does not support JAAS or allow for more than a single Principal it looks like the approach has to be along the lines taken by K.F.D above. i.e. wrap a JAAS Subject in a Principal class.

Rgds

-- Antony Bowesman Teamware Group [EMAIL PROTECTED] tel: +358 9 5128 2562 fax: +358 9 5128 2705

Torgeir Veimo wrote:

I tried to find info on any possible implementation of one of these in the ML archive, but didn't find anything except a pointer to Interceptor sources from a wrox book example. Is there anyone currently working on this?

-- - Torgeir
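The "wrap a JAAS Subject in a Principal class" approach mentioned above can look like the following. This is an added example, not the realm code referred to in the thread; SubjectPrincipal, UserPrincipal and RolePrincipal are hypothetical names and the Subject is built by hand with constructed sample data.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

// Added illustration: all class names here are hypothetical, not taken from
// Tomcat or from the realm implementation mentioned in the post.
public class SubjectPrincipalDemo {

    static abstract class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static final class UserPrincipal extends Named { UserPrincipal(String n) { super(n); } }
    static final class RolePrincipal extends Named { RolePrincipal(String n) { super(n); } }

    // The single Principal handed to the container; it carries the whole Subject.
    static final class SubjectPrincipal implements Principal {
        private final Subject subject;
        private final String name;

        SubjectPrincipal(Subject subject) {
            Set<UserPrincipal> users = subject.getPrincipals(UserPrincipal.class);
            if (users.size() != 1)
                throw new IllegalArgumentException("need exactly one UserPrincipal");
            subject.setReadOnly(); // no principals can be added after authentication
            this.subject = subject;
            this.name = users.iterator().next().getName();
        }

        public String getName() { return name; }
        Subject getSubject() { return subject; }

        // Role check answered from the Subject's RolePrincipal entries.
        boolean hasRole(String role) {
            for (RolePrincipal r : subject.getPrincipals(RolePrincipal.class))
                if (r.getName().equals(role)) return true;
            return false;
        }
    }

    public static void main(String[] args) {
        // Normally obtained from LoginContext.getSubject() after login().
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal("alice")); // constructed sample data
        s.getPrincipals().add(new RolePrincipal("role1"));
        SubjectPrincipal p = new SubjectPrincipal(s);
        System.out.println(p.getName() + " role1=" + p.hasRole("role1")
                + " sysadmin=" + p.hasRole("sysadmin"));
    }
}
```

Marking the Subject read-only before it is stored means code that later obtains the wrapper cannot add a role principal to an already authenticated user.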