tomcat-user.xml re-writing - bug?
Hi, I'm using the new UserDatabase (org.apache.catalina.UserDatabase / org.apache.catalina.users.MemoryUserDatabaseFactory) as configured by default with Tomcat 4.1.27. Our System admin made a basic XML error, and in tomcat-users.xml put and entry in like... user username=tomcat password=tomcat roles=tomcat / Obviously the '' makes this invalid XML, and tomcat doesn't start... We changed the to amp; the XML was then valid, the user account worked, life was good A few days later, after he restarted the server, it was broke again... Seems that when Tomcat re-wrote out the tomcat-users.xml file, instead of escaping the and writing it back out as amp; it just put it out a , so we were back to square one! Question: 1) Is this a bug? 2) Can I stop the 're-writing' part of this as a work around? 3) Are XML entities not allowed in tomcat-users.xml? Thanx PaulE - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: tomcat-user.xml re-writing - bug?
Bug 22715 posted BTW, what makes you think UserDatabase is new? ;) As opposed to the old MemoryRealm from Tomcat 4.0.x, which is now commented out by default in server.xml :-) !-- Comment out the old realm but leave here for now in case we need to go back quickly -- !-- Realm className=org.apache.catalina.realm.MemoryRealm / -- PaulE -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Monday, August 25, 2003 10:44 AM To: Tomcat Users List Subject: RE: tomcat-user.xml re-writing - bug? Howdy, It looks like a bug -- file it in Bugzilla. You can't stop the file being re-written, and if you have any comments in the file they'll be removed. I'm not sure if XML entities are allowed or not. It's really intended to be a simple, get started quickly mechanism. Not a complete enterprise user database solution ;) BTW, what makes you think UserDatabase is new? ;) Yoav Shapira Millennium ChemInformatics -Original Message- From: Extance, Paul [mailto:[EMAIL PROTECTED] Sent: Monday, August 25, 2003 1:20 PM To: 'Tomcat Users List' Subject: tomcat-user.xml re-writing - bug? Hi, I'm using the new UserDatabase (org.apache.catalina.UserDatabase / org.apache.catalina.users.MemoryUserDatabaseFactory) as configured by default with Tomcat 4.1.27. Our System admin made a basic XML error, and in tomcat-users.xml put and entry in like... user username=tomcat password=tomcat roles=tomcat / Obviously the '' makes this invalid XML, and tomcat doesn't start... We changed the to amp; the XML was then valid, the user account worked, life was good A few days later, after he restarted the server, it was broke again... Seems that when Tomcat re-wrote out the tomcat-users.xml file, instead of escaping the and writing it back out as amp; it just put it out a , so we were back to square one! Question: 1) Is this a bug? 2) Can I stop the 're-writing' part of this as a work around? 3) Are XML entities not allowed in tomcat-users.xml? Thanx PaulE - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Threading Question
We have had similar issues with wanting some objects to be accessible by any classes executing in a thread that is processing the response. Our solution was to use ThreadLocal to create a thread variable, if you are using either a FrontController (like Struts) or a Filter that each request must pass through, you can create the thread variable on entry, and unset it in the 'finally' block of your controller... For an example of this here is... a) a modified version of Struts controller that sets the variable via our SecurityManager http://jaffa.sourceforge.net/javadoc/1_2_0/src-html/org/jaffa/presentation/p ortlet/PortletServlet.html#line.205 b) The class that actually manages the variable and uses it. http://jaffa.sourceforge.net/javadoc/1_2_0/src-html/org/jaffa/security/Secur ityManager.html#line.358 The core of this is simply... 364// Attach the security context to the thread 365bindToThread(ctx); 366try { 367// Now invoke the method 368return method.invoke(obj, args); 369} finally { 370// As the last thing to do before returning either an object or an exception 371// Remove the current context from the thread 372unbindFromThread(); 373} If you want to use a filter, just replace the above 'return' with a chain.doFilter( request, response ) inside your doFilter() method. I think the concern with a static Map, it that it could give one thread access to another threads data. I guess this is why things like java.servlet.http.HttpSessionContext were deprecated in v2.2 because of cross request access. Paul Extance -Original Message- From: Bill Barker [mailto:[EMAIL PROTECTED] Sent: Thursday, July 31, 2003 9:54 PM To: [EMAIL PROTECTED] Subject: Re: Threading Question Roggeveen, Brian P [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hello, I was wondering if it is safe to assume that when using the multithreaded model, a single unique thread will handle each incoming request? In other words, does the servlet container implement a thread per connection model or is there a way to specify this configuration? The thread-per-connection model is mandated in the Servlet spec, so Tomcat (and any other compliant Servlet-Container) will behave this way. The reason I ask is that at any given point within my servlets' supporting code/beans, I would like to have access to the HttpSession instance that corresponds to the client for whom the current line of code is being executed. Another way of looking at the situation would be at any given point within my servlets' supporting code/beans, I would like to have access to the HttpRequest that caused this particular line of code to be executed. In order to accomplish this, I envisioned using a Map that contained thread keys and HttpSession values. As requests came in, the Map would be updated appropriately such that supporting code need only look up an HttpSession using the current thread. Maybe I'm making this more complex than it needs to be. You are most definitely making this more complex than it needs to be ;-). Thanks! Brian Roggeveen EDS - Work Force Management Voice: (314) 264-8991 Fax:(314) 264-8901 Email: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: load testing tomcat
We use the load tester from the Jaffa project (http://jaffa.sourceforge.net/documentation/tools/testing/) which is based on HttpUnitTest (http://httpunit.sourceforge.net) we're able to reuse our unit tests for load testing, which saves some development time. It provides some nice default features for authentication and provides random log-ins from given user sets. I've not tried it will SSL, but as httpunittest supports SSL (see http://httpunit.sourceforge.net/doc/sslfaq.html) I'm sure it will work. Paul Extance -Original Message- From: Mark W. Webb [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2003 7:30 AM To: Tomcat Users List Subject: load testing tomcat does anyone have experience load testing tomcat? I am especially interested in mutually authenticate SSL load testing where tomcat runs in conjunction with apache 2.0.47. What tools are people using to test tomcat/apache? thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Logging off container authenticated user
We use a filter to cache other data about a user in the session once they have authenticated. (see http://jaffa.sourceforge.net/documentation/presentation/sessions.html or the code @ http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jaffa/JaffaCore/source/java/o rg/jaffa/presentation/portlet/session/UserSessionFilter.java?rev=HEADconten t-type=text/vnd.viewcvs-markup) As you can see if we fail to get the extra data for the user we invalidate the session, (ie log out) and redirect to an error page. If you want a more complex version of the JDBC realm to add extra clauses for security look at http://jaffa.sourceforge.net/documentation/security/web/#realm Paul Extance -Original Message- From: Christian J. Dechery - ACCENTURE [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 15, 2003 6:54 AM To: Tomcat Users List (E-mail) Subject: Logging off container authenticated user I finally got a FORM-based authentication from the container (in this case, Tomcat) working. But I have a little doubt, how can I logoff this user? Cuz in my system, the login doesn't deppend only on authenticating him for username and password, I must validate some other stuff, so it would be interesting if I could authenticate him, and if I could not validate the other stuff, log him off and present a message. Thanks. ___ :: Christian J. Dechery :: Accenture do Brasil :: CHT - Solutions Operations :: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Alternate password encyption code? [UPDATED]
With reference to the tomcat JDBC Encryption realm, a new version is available which includes the necessary MBeans stuff for tomcat 4.1.24 The jar is available @ http://prdownloads.sourceforge.net/jaffa/jaffa-tomcat_1_2_0.jar?download And at last some proper documentation @ http://jaffa.sourceforge.net/documentation/security/web/ Paul Extance -Original Message- From: Extance, Paul Sent: Tuesday, June 03, 2003 11:40 AM To: 'Tomcat Users List' Cc: Extance, Paul Subject: RE: Alternate password encyption code? We've already done this as part of the Jaffa (jaffa.sourceforge.net) open source project. For more details see... The Source Code @ http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jaffa/JaffaCore/source/java/o rg/jaffa/tomcat/realm/JDBCEncryptionRealm.java?rev=HEADcontent-type=text/vn d.viewcvs-markup The Jaffa Site @ http://jaffa.sf.net The JAR, if you want the easy way... is attached! This has been tested with most tomcat releases from 3.3a upto 4.1.24 and works. It supports two types of encryption signatures String xxx(String password) and String xxx(String password, String Userid) in case you want to use their user id as part of the key for the encryption You provide the class name and the method name in server.xml, and it looks for either method 1 or 2 and uses that to encrypt the password, before comparing it with the one in the database. It does not try to decrypt the database password, so a one way encryption algorithm can be supported. This Realm also allow you some other features like extending the where clause for the retrieve on user records, and the select for how to read the roles (incase you don't want to create additional views!) An example of how it can be used in server.xml is... Realm className = org.jaffa.tomcat.realm.JDBCEncryptionRealm debug = 0 driverName = oracle.jdbc.driver.OracleDriver connectionURL = jdbc:oracle:thin:@myhost.mydomain.com:1521:mydb connectionName = mydbuser connectionPassword = mydbpass userTable = users userNameCol= user_id userCredCol= password userClause = password is not null and user_status='Active' userRoleTable = user_roles roleNameCol= role_name encryptionClass= com.mycompany.services.Encryption encryptionMethod = encrypt / Just make sure you but the attached JAR, and your JAR in the /server/lib directory, and put the database driver JAR(s) in the same place or in /common/lib Hope this helps... Paul Extance -Original Message- From: Phil Steitz [mailto:[EMAIL PROTECTED] Sent: Saturday, May 31, 2003 9:25 AM To: Tomcat Users List Subject: Re: Alternate password encyption code? Jeff Sexton wrote: On Thu, 29 May 2003, Raible, Matt wrote: Why don't you just have the JDBCRealm do it - add digest=SHA. I need something other than SHA, I need to use my own custom code for an encyrption method of my own that is not provided by JDBCRealm To programmatically do it using form-based authentication, I've used a LoginServlet that's mapped to auth in my login.jsp's form. In this servlet, I encrypt the password and redirect to j_security_check - is that what you're looking for? Maybe. I'll do some reading about form-based authentication. I'm not sure. I'm after this because I already have set up a JDBCRealm based system, with BASIC authentication, and SHA, under Tomcat for both servlets and cocoon stuff. Now I want to tie this together with another application that encypts passwords differently from any method available in JDBCRealm. I have the code for the encyption. If I could simply drop this code into the user validation JDBCRealm does for me in Tomcat, it'd be great because the security would all work and I wouldn't have to create any user/password management pages of my own. Based on the documentation here http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20 Passwords and a quick look at the sources here http://cvs.apache.org/viewcvs.cgi/*checkout*/jakarta-tomcat-4.0/catalina/src / share/org/apache/catalina/realm/JDBCRealm.java?rev=HEADcontent-type=text/pl ain it does not look to me like you are going to be able to do this without hacking the JDBC Realm implementation. The tomcat JDBC Realm implementation supports digested (*not* encrytped) passwords using java.security.MessageDigest to do the hashing. This means that the hashing must be performed using one of the standard algorithms specified here http://java.sun.com/j2se/1.4.1/docs/guide/security/CryptoSpec.html#AppA You are probably best off going with one of the approaches that Matt has outlined if you want to serve login pages from the tomcat nodes. Phil If I can do this, I can tie Tomcat authentication to the password system my company has on other systems. Any tips are helpful! I'm a little lost
RE: Alternate password encyption code?
We've already done this as part of the Jaffa (jaffa.sourceforge.net) open source project. For more details see... The Source Code @ http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jaffa/JaffaCore/source/java/o rg/jaffa/tomcat/realm/JDBCEncryptionRealm.java?rev=HEADcontent-type=text/vn d.viewcvs-markup The Jaffa Site @ http://jaffa.sf.net The JAR, if you want the easy way... is attached! This has been tested with most tomcat releases from 3.3a upto 4.1.24 and works. It supports two types of encryption signatures String xxx(String password) and String xxx(String password, String Userid) in case you want to use their user id as part of the key for the encryption You provide the class name and the method name in server.xml, and it looks for either method 1 or 2 and uses that to encrypt the password, before comparing it with the one in the database. It does not try to decrypt the database password, so a one way encryption algorithm can be supported. This Realm also allow you some other features like extending the where clause for the retrieve on user records, and the select for how to read the roles (incase you don't want to create additional views!) An example of how it can be used in server.xml is... Realm className = org.jaffa.tomcat.realm.JDBCEncryptionRealm debug = 0 driverName = oracle.jdbc.driver.OracleDriver connectionURL = jdbc:oracle:thin:@myhost.mydomain.com:1521:mydb connectionName = mydbuser connectionPassword = mydbpass userTable = users userNameCol= user_id userCredCol= password userClause = password is not null and user_status='Active' userRoleTable = user_roles roleNameCol= role_name encryptionClass= com.mycompany.services.Encryption encryptionMethod = encrypt / Just make sure you but the attached JAR, and your JAR in the /server/lib directory, and put the database driver JAR(s) in the same place or in /common/lib Hope this helps... Paul Extance -Original Message- From: Phil Steitz [mailto:[EMAIL PROTECTED] Sent: Saturday, May 31, 2003 9:25 AM To: Tomcat Users List Subject: Re: Alternate password encyption code? Jeff Sexton wrote: On Thu, 29 May 2003, Raible, Matt wrote: Why don't you just have the JDBCRealm do it - add digest=SHA. I need something other than SHA, I need to use my own custom code for an encyrption method of my own that is not provided by JDBCRealm To programmatically do it using form-based authentication, I've used a LoginServlet that's mapped to auth in my login.jsp's form. In this servlet, I encrypt the password and redirect to j_security_check - is that what you're looking for? Maybe. I'll do some reading about form-based authentication. I'm not sure. I'm after this because I already have set up a JDBCRealm based system, with BASIC authentication, and SHA, under Tomcat for both servlets and cocoon stuff. Now I want to tie this together with another application that encypts passwords differently from any method available in JDBCRealm. I have the code for the encyption. If I could simply drop this code into the user validation JDBCRealm does for me in Tomcat, it'd be great because the security would all work and I wouldn't have to create any user/password management pages of my own. Based on the documentation here http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html#Digested%20 Passwords and a quick look at the sources here http://cvs.apache.org/viewcvs.cgi/*checkout*/jakarta-tomcat-4.0/catalina/src / share/org/apache/catalina/realm/JDBCRealm.java?rev=HEADcontent-type=text/pl ain it does not look to me like you are going to be able to do this without hacking the JDBC Realm implementation. The tomcat JDBC Realm implementation supports digested (*not* encrytped) passwords using java.security.MessageDigest to do the hashing. This means that the hashing must be performed using one of the standard algorithms specified here http://java.sun.com/j2se/1.4.1/docs/guide/security/CryptoSpec.html#AppA You are probably best off going with one of the approaches that Matt has outlined if you want to serve login pages from the tomcat nodes. Phil If I can do this, I can tie Tomcat authentication to the password system my company has on other systems. Any tips are helpful! I'm a little lost with this. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Servlet Containers J2EE Frameworks
In a nutshell, if its not in the J2EE Spec, you can't assume is part of the available architecture of a J2EE compliant app server, even if 50% of the containers provide it. So if your looking for 'job scheduling', for example, and some have it, and other don't, you basically need to build one your self to use in the containers that don't have it, and for the ones that do, build custom wrappers for each implementations. I think your question of whether you should use JNDI to decide which implementation to invoke on a given container is just the tip of the iceburg. How you decided on the implementation to use in a given case can be as simple as a 'Factory Pattern', which may read web.xml, any other .xml or .properties config file you dream up. In web.xml you could use servlet parameters, env-entry, or even context-param But by taking this task on, you are almost doing single handed what the J2EE Spec team and the community are all the app server providers are trying to do which is ... 1) Define the common interface for the feature (like scheduling) 2) write a reference implementation (keeping to J2EE specs) for containers that don't have this feature 3) For each container that has this feature already, write a custom bridge between there API's and your generic Interface(s). The dilemma then comes when/if that feature is included in the next j2ee spec, and all vendors now support it. I'll guess your interfaces will not be an exact match and you're left with the choice of 1) throw away everything above and refactor your app to the new J2EE spec, or 2) Keep your 'proprietary' non-J2EE spec compliant version or 3) Implement a wrapper between your original API your app is coded against, and the new J2EE app, assuming there is a match. It just a hard problem to solve! I think your goals for a framework are similar to ours, which is why we started the JAFFA open source (http://jaffa.sf.net). A J2EE based solution (EJB's optional), utilizing the best of what's already been built, and adding on bits where we can't find existing solutions that fit. We took the above 'interface/factory' approach with our persistence layer, we implemented a standard interface, with the view to have different 'engines' based on different evolving technologies (JDBC, O/R Engines, JDO, Entity Beans), so that the application code and business logic could stay the same even if we change the underlying technology. All this abstraction comes at a price, with many compromises along the way. We had a CastorJDO implementation, we move to a more basic JDBC O/R implementation, and are now considering an implementation base on Jakarta OJB project for JDO compliance... The only thing you need to be certain of with frameworks is that they meet the relevant parts of the J2EE specs that you care about, beyond that pick existing frameworks that you believe meet you technical needs and that are supported by a community that have the same beliefs and vision for the architecture and you do. Choice is a great thing and with Java there a plenty of open/commercial ones to pick from. Choose wisely as you will be investing lots of time and effort learning it. In my opinion 'real' applications will always need more features that what comes in an 'out the box' container or architecture, as its the real world solutions that drive the next iterations of what should be in the J2EE specs and what new patterns and features are needs in the frameworks. It's a cycle. Paul Extance -Original Message- From: Robert Biernat [mailto:[EMAIL PROTECTED] Sent: Thursday, May 22, 2003 8:42 PM To: 'Tomcat Users List' Subject: RE: Servlet Containers J2EE Frameworks I suggest you take a look at the J2EE patterns and blueprints on the SUN website. Theyre are numerous patterns and techniques that go along way in helping you architect a distributed J2EE system that is both flexible and portable. -Original Message- From: Steve Garcia [mailto:[EMAIL PROTECTED] Sent: Friday, 23 May 2003 1:41 PM To: Tomcat Users List Cc: [EMAIL PROTECTED] Subject: RE: Servlet Containers J2EE Frameworks It is interesting that you are doing what I wish to achieve. I have an application that we need to rewrite and make more portable, we want to design it such that it supports multiple app servers and databases, just like your organization/company. Sorry this is a long e-mail, but I would like to hear your thoughts, and anybody elses, on this topic. Re: the database layer. We are consigned to exclusively use an O/R Mapping tool. Frankly, if we want to support numerous RDBMS, then I don't see any other way around it. I suppose we could write custom SQL for each provider and use JDBC but that sucks big time. I've looked into Jakarta OJB, and I think it will do the job. What are your thoughts on this? There is still some work for configuring the datasources/configuration files, but theoretically it should only be an issue of configuration files, not source. (at
RE: Using JAXB in a Servlet (class loader prob?)
We are using Tomcat 4.0.6 and JDK 1.4.0 with just use the vanilla install of tomcat, and we don't put the xerces.jar in the WEB-INF/lib either, and all this works fine. We use JDOM in the web app, its probably because the Crimson XML parser is include in 1.4.0, and it uses that? The vanilla install of TC 4.0.6 also puts xerces in common\lib, so it's maybe using that. PS we are using the FULL version of Tomcat not the 'Lite' version for JDK 1.4.0. Hope that helps PaulE -Original Message- From: Steve Slatcher [mailto:steve_slatcher;scientia.com] Sent: Thursday, October 31, 2002 2:13 AM To: Tomcat Users List Subject: Re: Using JAXB in a Servlet (class loader prob?) Thanks for that. If it is a Tomcat bug that has been addressed, I'll put the issue on the back burner for a while. Can you remember if you noticed the xerces issue I mentioned? Extance, Paul wrote: Upgrade to tomcat 4.0.4 - 4.0.6, then you can put the jaxb-rt.jar into the WEB-INF/lib directory. I think 4.0.3 has some class loader issues with packages that start with java and javax in the WEB- INF/lib folders This solved the problem for us. PaulE -Original Message- From: Nick Lombard (VSP) [mailto:nick.lombard;vcontractor.co.za] Sent: Wednesday, October 30, 2002 5:05 AM To: Tomcat Users List Subject: RE: Using JAXB in a Servlet (class loader prob?) Hi Steve My half a cent comment. Can anone shed more light on this? Specifically I would be interested in any ways to avoid using the /common/lib directory. We are successfully using shared jar files accross applications by placing them in the $TOMCAT_HOME/shared/lib directory. This will help to not use the common/lib directory. Hope it helps. Nick. -Original Message- From: Steve Slatcher [mailto:steve_slatcher;scientia.com] Sent: Wednesday, October 30, 2002 2:54 PM To: Tomcat Users List Subject: Using JAXB in a Servlet (class loader prob?) Hi all I have some code that uses JAXB that works fine in a standalone app with the jars I expect it to need. When I put the same code in a webapp I got a couple of problems initialising the Sevlet (see log file below). I managed to get rid of one problem (javax.xml.bind.JAXBContext) by putting a copy of jaxb-api.jar in /common/lib (before it was only in app/WEB-INF/lib). The second problem was solved by copying a xerces.jar into my app/WEB-INF/lib directory (as far as I can tell my standalone app did not need org.w3c.dom.ls.DocumentLS at all). Can anone shed more light on this? Specifically I would be interested in any ways to avoid using the /common/lib directory. I'm using Tomcat 4.0.3, JAXB 1.0 beta (currently the latest version), and the magic Xerces that came to the rescue was 1.4.4. Despite the name of my webapp I am NOT intent on spamming! Cheers Steve Slatcher 2002-10-30 11:33:14 WebappLoader[/spam]: Deploying class repositories to work directory C:\jakarta-tomcat-4.0.3\work\localhost\spam 2002-10-30 11:33:14 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/activation.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\activation.jar 2002-10-30 11:33:14 WebappLoader[/spam]: Deploy JAR /WEB- INF/lib/dom.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB- INF\lib\dom.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jax-qname.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jax-qname.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jaxb-api.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jaxb-api.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jaxb-libs.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jaxb-libs.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jaxb-ri.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jaxb-ri.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jaxb-xjc.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jaxb-xjc.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jaxp-api.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jaxp-api.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/log4j-1.2.6.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\log4j- 1.2.6.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB- INF/lib/mail.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB- INF\lib\mail.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/sax.jar to C:\jakarta-tomcat- 4.0.3\bin\..\webapps\spam\WEB-INF\lib\sax.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/xercesImpl.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\xercesImpl.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Reloading checks are enabled for this Context 2002-10-30 11:33:15 StandardManager[/spam]: Seeding random number generator class
RE: JDBC / ThreadLocal pattern.
I use the same pattern to bind a security context to a thread, which is set/unset in a common controller for all Servlet request. So the theory of binding the stuff to a thread works well, even in an EJB context, as they are single threaded too. So the theory is good, but if you going to have a connection pool anyhow, this is just a lazy way to pass the connection around. Still seems like overkill if many calls don't need to use the database for anything... I guess you could be lazy and only get the connection from the pool and bind it to the threadlocal just before you use it for the first time. You'd still need to go straight to the connection pool, if you needed to use a second connection in the same thread. We use a pattern similar to the Fowler UOW pattern (Unit Of Work) and pass that around where needed Seems to me that this is the simple question of 'global variables' or 'passing parameters' style of coding. The 'global variables' approach seems some what less object orientated in my opinion (Coming from a 4GL background where I was haunted by global variables :-) ) PaulE. -Original Message- From: Brett Neumeier [mailto:brett.neumeier;ualloyalty.com] Sent: Thursday, October 31, 2002 9:19 AM To: 'Tomcat Users List' Subject: RE: JDBC / ThreadLocal pattern. If the connection is available for more than one request depends on the way the container handles threads. If each request is a new Thread you will win nothing. Instead you will loose performace as each request would create a new connection to the database. Yes that is true, there for we've thought of a way to have the ThreadLocal get its connection from a pool. The notion of binding a Connection to a particular Thread using a ThreadLocal is a pretty good idea. The big advantage to my mind is that you can use the Connection from any level of the call tree without passing it around as a parameter. What you need to keep in mind is that you must reset the ThreadLocal before the Thread leaves your control. In other words: - At the beginning of your processing, check out a Connection from a connection pool and bind it to the ThreadLocal. - Throughout processing, the ThreadLocal can be used to obtain access to the Connection. - At the end of your processing, close the connection (which returns it to the connection pool) and reset the ThreadLocal. If you need to maintain database state across multiple HTTP requests, a slight modification is needed: before you check a Connection out from the connection pool, look in the HttpSession to see whether there is a Connection there already. If there is, bind that Connection to the ThreadLocal. Otherwise, obtain a new Connection and put it both in the HttpSession and in the ThreadLocal. In the context of servlets, one good way to structure this would be to create a ServletWithConnection class (extending HttpServlet), and have its service() method look something like this: protected static ThreadLocal tl = new ThreadLocal(); protected void service (..) { Connection conn = connPool.getConnection(); tl.set(conn); super.service(); tl.set(null); conn.close(); } Then you can extend this servlet whenever you need a database connection, override doGet, doPost, whatever, as normal, and access the Connection via tl.get() whenever you need it. Incidentally, Martin Fowler talks about this in his new book on enterprise architecture patterns -- look at the registry pattern. http://search.barnesandnoble.com/booksearch/isbnInquiry.asp?isbn=0321127420 Cheers, bn -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Help: Custom Error Page Wild Card?
Is there a more efficent way to get the web.xml to point to an common error page for all errors? I currently have in web.xml !-- Error pages for different reasons -- error-page error-code400/error-code location/errorpage/error.jsp/location /error-page error-page error-code401/error-code location/errorpage/error.jsp/location /error-page error-page error-code403/error-code location/aura4d/security/logon/jsp/noAccess.jsp/location /error-page error-page error-code404/error-code location/errorpage/error.jsp/location /error-page error-page error-code405/error-code location/errorpage/error.jsp/location /error-page error-page error-code409/error-code location/errorpage/error.jsp/location /error-page error-page error-code412/error-code location/errorpage/error.jsp/location /error-page error-page error-code413/error-code location/errorpage/error.jsp/location /error-page error-page error-code415/error-code location/errorpage/error.jsp/location /error-page error-page error-code500/error-code location/errorpage/error.jsp/location /error-page error-page error-code501/error-code location/errorpage/error.jsp/location /error-page error-page error-code502/error-code location/errorpage/error.jsp/location /error-page error-page error-code503/error-code location/errorpage/error.jsp/location /error-page error-page exception-typejava.lang.Throwable/exception-type location/errorpage/error.jsp/location /error-page I tried a wildcard for a default but that didn't work !-- Error pages for different reasons -- error-page error-code403/error-code location/aura4d/security/logon/jsp/noAccess.jsp/location /error-page error-page exception-typejava.lang.Throwable/exception-type location/errorpage/error.jsp/location /error-page error-page error-code*/error-code location/errorpage/error.jsp/location /error-page The problem i have is that our users keep seeing the default 'Tomcat' error page, and keep reporting 'Tomcat' errors, of course Tomcat is fine, its normally the application or the end user that is the problem, so i don't want any scenarios to bring up the tomcat error page. PS: I'm currently using Tomcat 4.0.6 Thanx PaulE -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
RE: JDBC / ThreadLocal pattern.
2 Cents... Not all threads need to do things with the database? kind of a waste to use the thread with the connection sitting idle, if it is a limited resource. I'm guessing the worker thread pool in tomcat typically needs to be higher that that of the connection pool its classes would use, in which case your hogging/wasting a valuable resource. This alone would probably justify not using it for me. We sometimes using multiple connections in a single thread if our business process need two isolated transactions, one to do the work (which could rollback) and the other to do the logging to the database, which should not be rolled back with the main transaction. Could this be supported with a single connection per thread? If you have stateful form beans (say with STRUTS) that want to maintain connection state, can you guarantee that the same thread will service the same request associated to this stateful bean. I know in a web/stateless environment you probably don't want to leave connections open across successive calls...so maybe this is not a real issue.. PaulE -Original Message- From: Reynir Hübner [mailto:reynir;hugsmidjan.is] Sent: Wednesday, October 30, 2002 11:06 AM To: Tomcat Users List Subject: JDBC / ThreadLocal pattern. Hi all, This email is a little bit off topic, as it's more about JDBC-related stuff than tomcat. I'm really looking for comments on the approach for JDBC connection pooling described in the article at : http://www-106.ibm.com/developerworks/java/library/j-threads3.html In (very) short: the idea here is to have one jdbc-connection for each thread, instead of a pool with connections. I've got few ideas on the subject, for example this may be cool because : 1. I will never have to worrie about not returning connections anymore, as they will always be garbage collected as soon as the thread is dead. 2. The connection will be available for more than one request so I can lazy load resultsets. 3. This might make transaction-service implementation easyer 4. many other great things I realise there must be some kind of problems by doing it this way, but I only came up with these : 1. can this approach cause too many connections to the database (75 threads in Tomcat is the default means 75 connections) ? 2. can it be to heavy for the garbagecollector to collect all the dead connections lying around when a thread dies ? 3. anything more negative stuff ? I am looking for comments on the pattern.. Please respons if you have any. Thanx alot! [EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
RE: Using JAXB in a Servlet (class loader prob?)
Upgrade to tomcat 4.0.4 - 4.0.6, then you can put the jaxb-rt.jar into the WEB-INF/lib directory. I think 4.0.3 has some class loader issues with packages that start with java and javax in the WEB-INF/lib folders This solved the problem for us. PaulE -Original Message- From: Nick Lombard (VSP) [mailto:nick.lombard;vcontractor.co.za] Sent: Wednesday, October 30, 2002 5:05 AM To: Tomcat Users List Subject: RE: Using JAXB in a Servlet (class loader prob?) Hi Steve My half a cent comment. Can anone shed more light on this? Specifically I would be interested in any ways to avoid using the /common/lib directory. We are successfully using shared jar files accross applications by placing them in the $TOMCAT_HOME/shared/lib directory. This will help to not use the common/lib directory. Hope it helps. Nick. -Original Message- From: Steve Slatcher [mailto:steve_slatcher;scientia.com] Sent: Wednesday, October 30, 2002 2:54 PM To: Tomcat Users List Subject: Using JAXB in a Servlet (class loader prob?) Hi all I have some code that uses JAXB that works fine in a standalone app with the jars I expect it to need. When I put the same code in a webapp I got a couple of problems initialising the Sevlet (see log file below). I managed to get rid of one problem (javax.xml.bind.JAXBContext) by putting a copy of jaxb-api.jar in /common/lib (before it was only in app/WEB-INF/lib). The second problem was solved by copying a xerces.jar into my app/WEB-INF/lib directory (as far as I can tell my standalone app did not need org.w3c.dom.ls.DocumentLS at all). Can anone shed more light on this? Specifically I would be interested in any ways to avoid using the /common/lib directory. I'm using Tomcat 4.0.3, JAXB 1.0 beta (currently the latest version), and the magic Xerces that came to the rescue was 1.4.4. Despite the name of my webapp I am NOT intent on spamming! Cheers Steve Slatcher 2002-10-30 11:33:14 WebappLoader[/spam]: Deploying class repositories to work directory C:\jakarta-tomcat-4.0.3\work\localhost\spam 2002-10-30 11:33:14 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/activation.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\activation.jar 2002-10-30 11:33:14 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/dom.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\dom.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jax-qname.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jax-qname.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jaxb-api.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jaxb-api.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jaxb-libs.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jaxb-libs.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jaxb-ri.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jaxb-ri.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jaxb-xjc.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jaxb-xjc.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/jaxp-api.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\jaxp-api.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/log4j-1.2.6.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\log4j-1.2.6.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/mail.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\mail.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/sax.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\sax.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Deploy JAR /WEB-INF/lib/xercesImpl.jar to C:\jakarta-tomcat-4.0.3\bin\..\webapps\spam\WEB-INF\lib\xercesImpl.jar 2002-10-30 11:33:15 WebappLoader[/spam]: Reloading checks are enabled for this Context 2002-10-30 11:33:15 StandardManager[/spam]: Seeding random number generator class java.security.SecureRandom 2002-10-30 11:33:15 StandardManager[/spam]: Seeding of random number generator has been completed 2002-10-30 11:33:15 ContextConfig[/spam]: Added certificates - request attribute Valve 2002-10-30 11:33:15 StandardWrapper[/spam:Mailer]: Marking servlet Mailer as unavailable 2002-10-30 11:33:15 StandardContext[/spam]: Servlet /spam threw load() exception javax.servlet.ServletException: Error instantiating servlet class com.scientia.spam.MailerServlet at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:8 93) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:808) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java :3266) at org.apache.catalina.core.StandardContext.start(StandardContext.java:3395) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1123) at org.apache.catalina.core.StandardHost.start(StandardHost.java:614) at
Java Connectors in Tomcat?
Is there plans to allow the Tomcat container to support the JCA part of the J2EE Spec. I have a JSP(Struts)/JDO based app, that runs on Tomcat, no EJB's in site. If i want to use a 3rd party connector (like SAP) do i now need a EJB type container like JBoss, or is Tomcat planning to support JCA some time in the future? If this is a stupid question i apologies, just trying to get my head round the JCA stuff and what it means to my deployment! Thanx PaulE -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
RE: Tomcat, JAXB and SecurityManager
We have had a problem with JAXB under Tomcat 4.0.3, as it couldn't find the jaxb-rt.jar in the WEB-INF/lib folder. We also put it in the %catalina_home%/common/lib, and it still couldn't find it. We then put the jar in the %java_home%/jre/lib/ext and then it worked. We then upgraded to Tomcat 4.0.4 and the problem went away. So if your getting a 'ClassNotFound' exception this may help. PaulE -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED]] Sent: Friday, August 09, 2002 7:09 AM To: Tomcat Users List Subject: RE: Tomcat, JAXB and SecurityManager Bonjour! ;) If i launch it from a servlet, i failed. Can you please provide more details? The stack trace would be helpful. Any suspicious or error messages in the tomcat logs? One more point, if the same code is run under Tomcat 4.0.1, it work !!! Then I would look at the release notes for 4.0.3 to see what changes were made to the security manager between 4.0.1 and 4.0.3 ;) Cédric (very despited for two days). What does very despited mean? Yoav Shapira Millennium ChemInformatics -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: share session between webapps
We have the same requirements, and to agree with Craig, we use the request.getUserPrincipal()!=null to assert they are authenticated, and we also use the request.getUserPrincipal().getName() to get the User Id (or key) so we can use this in our application. In addition we've built a variant of the JDBC realm that allows an additional encryption class to be specified, it will use this class to encrypt the password before validating it with the database. (We decided not to add this to RealmBase, but I'm sure could if you wanted). Example Realm className = org.jaffa.tomcat.realm.JDBCEncryptionRealm debug = 99 driverName = oracle.jdbc.driver.OracleDriver connectionURL = jdbc:oracle:thin:@host.domain.com:1521:dbname connectionName = dummyuser connectionPassword = dummypass userTable = use1 userNameCol= userid userCredCol= password1 userRoleTable = usrl roleNameCol= role_name encryptionClass= com.domain.applications.user.services.Encryption encryptionMethod = customEncrypt / It also has some other nice features It is being released as part of the http://jaffa.sf.net project, but it you want an advanced copy of the source, class, jar ,docs etc let me know BTW: If I have webapp1 deployed on tomcat 4.0x on Linux, and another webapp2 on Tomcat on a W2K box, is there any way to implement single sign on across the two? Paul Extance [EMAIL PROTECTED] -Original Message- From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 31, 2002 9:39 AM To: Tomcat Users List Subject: Re: share session between webapps On Wed, 31 Jul 2002, Michael Remijan wrote: Date: Wed, 31 Jul 2002 08:34:34 -0500 From: Michael Remijan [EMAIL PROTECTED] Reply-To: Tomcat Users List [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Subject: share session between webapps ... Is there technique to share a session, or objects within the session between web applications? No. And it wouldn't work even if there was such a mechanism, because each webapp has its own class loader -- the classes in webapp A's /WEB-INF directory are not visible to webapp B (and vice versa). What I want to do is login or register at a site and if the user moves to a different webapp, I want to be able to determine, by looking for an object in the user's session, that they are already logged in. Using realms and single sign on doesn't appear to do what I want because it A) doesn't allow me to get me the primary key for the user, What's wrong with calling request.getRemoteUser() or request.getUserPrincipal(). B) doesn't allow me to write any special processing code, specifically to md5 encrypt the password before performing the query. IMHO, if you are using container managed security you have absolutely no business messing with passwords. Either let the container manage all of that or do it yourself. C) most importantly, it doesn't seem to allow me to carry information accross webapps. This is true for *all* information, not just for security credentials. If you want to share information across webapps, the standard approaches are: * Store it externally in a database, EJB, etc. that is accessed from each webapp * (Container-specific, so no portability guarantees) store it in a static variable of a class that is loaded from a parent class loader of the webapp class loaders. For Tomcat 4, that means putting the class in someplace like common/lib. mike/ Craig -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: How to abort the webapp load/deployment
I already use Struts, so i'll probably just put an extra check in the controller. I guess i'll wait to see what Servlet Spec 2.4 has to offer for disabling the app loading.. Thanks for all the replies PaulE -Original Message- From: Mike Jackson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 24, 2002 1:39 PM To: Tomcat Users List Subject: RE: How to abort the webapp load/deployment You could uild a MVC app where there are no page accesses that don't pass through the controller (i.e. index.form and form is mapped to a servlet which does a requestDispatcher to index.html or index.jsp). Have the controller only pass people through if the validation has occured successfully. If this is greek I can give you a better example. --mikej -=- mike jackson [EMAIL PROTECTED] -Original Message- From: Extance, Paul [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 24, 2002 12:13 PM To: '[EMAIL PROTECTED]' Subject: How to abort the webapp load/deployment Hello, Is it possible to write a 'validation' servlet, that does some basic checks, which if fail, cause the whole web application to be unavailable? This servlet would be flagged as load-on-startup such that it was the first one to execute. I'm trying to achive something similar to JBoss 2.x where if the verifier fails for an EAR, it does not deploy it at all. I want the similar concept but for my Web Application, such that critical initialization errors make the the whole application unavailable. I can't find anythingin in the Java Servlet Spec to indicate that this is possible, or anything in the tomcat documenation. Thoughts? Thanks PaulE -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
How to abort the webapp load/deployment
Hello, Is it possible to write a 'validation' servlet, that does some basic checks, which if fail, cause the whole web application to be unavailable? This servlet would be flagged as load-on-startup such that it was the first one to execute. I'm trying to achive something similar to JBoss 2.x where if the verifier fails for an EAR, it does not deploy it at all. I want the similar concept but for my Web Application, such that critical initialization errors make the the whole application unavailable. I can't find anythingin in the Java Servlet Spec to indicate that this is possible, or anything in the tomcat documenation. Thoughts? Thanks PaulE -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]