Re: getRealPath and war file

2006-08-10 Thread Romain Quilici
Hello Dies, the working directory would be fine, but my images need to be accessible via a url(which is not the case if they are located inside the temp dir) In fact when an image is generated, I push the url inside the client browser, the new url automatically replaces the previous one in a

Re: Hot code replace

2006-08-10 Thread Ulath
Eclipse 3.2 and java version 1.5.0_06 Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05) Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode) regards -- View this message in context: http://www.nabble.com/Hot-code-replace-tf2078792.html#a5738944 Sent from the

Re: mod_jk log level and logging issues

2006-08-10 Thread Peter Rossbach
Hi Rainer, really good idea to fix the worker logging ++1... === Peter Rainer Jung wrote: Hi, thanks for the feedback. Good info! fredk2 wrote: issue 1: With mod_jk 1.2.15 i set my jk log level: JkLogFile logs/mod_jk.log #JkLogLevel info JkRequestLogFormat %w

Re: How to do the precompilation on jsp

2006-08-10 Thread Raju Balugu
Hi All, I have a basic doubt on precompilation. I am doing precompilation using the scripts (jspc.sh). It's giving the Exception in thread main java.lang.NoClassDefFoundError: org/apache/tools/ant/util/FileUtils at org.apache.jasper.JspC.resolveFile(JspC.java:1395) at

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Tomas Hulek
Unfortunately, the fundamentally bad security scheme is how the JS API specification is implemented in Tomcat (when using form-based authentication). When processing a form-based authentication request under HTTPS, Tomcat retains the session ID allocated under HTTP. We have tried invalidating

Measuring traffic pr. virtualhost

2006-08-10 Thread Lars Nielsen Lind
Hi. I need to measure the traffic pr. month/year for each virtualhost. How can I do that with Apache/Tomcat? Lars Nielsen Lind - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED]

Re: getRealPath and war file

2006-08-10 Thread Mark Thomas
Romain Quilici wrote: Hello Dies, the working directory would be fine, but my images need to be accessible via a url(which is not the case if they are located inside the temp dir) In fact when an image is generated, I push the url inside the client browser, the new url automatically replaces

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Mark Thomas
Tomas Hulek wrote: Any hints how to fix it? Again, do all access to your app under https. Mark

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread David Smith
Right. Tomcat stores the original request info in the session before redirecting to the login page. Invalidate the session and the original request url is gone. You could try (and I haven't tried this) is to find the original request info stored in the old session, pull it out of the old

Re: JDBCRealm with Simple Servlet Filter

2006-08-10 Thread David Smith
I believe in BASIC auth, the client already has the auth failed page during authentication. Once authentication fails, that page is displayed. Short of the images and other resources the error page needs, there is not another request to the server hence no filter call. --David Dhiraj

Re: JDBCRealm with Simple Servlet Filter

2006-08-10 Thread Pid
If you're using a JDBC realm then you are using Tomcats authentication, which operates at a higher level than Filters and Servlets, so you can't insert anything into the chain there. With Basic Auth, the browser does the submission of credentials, based on the error codes that the server sends.

JDBCReal drivers

2006-08-10 Thread Zohar
When using JDBCRealm, where should I put my driver jars?

Re: getRealPath and war file

2006-08-10 Thread Dies Koper
Push a url to a servlet which then serves the images from the working directory? In which you could also set the headers (images are temporary, so maybe set Cache-Control, Expires?). Regards, Dies Mark Thomas wrote: Romain Quilici wrote: Hello Dies, the working directory would be fine,

Re: JDBCRealm with Simple Servlet Filter

2006-08-10 Thread David Smith
A little googling confirmed my earlier suspicion. The 401 response contains the error page. This is why you can't redirect a 401 error like a 404 or other error responses. -David Pid wrote: If you're using a JDBC realm then you are using Tomcats authentication, which operates at a higher

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Darryl Miles
Well HTTP Cookies have a solution to this problem. They have a Secure keyword in the Set-Cookie line. This stops the client leaking the cookie outside of a secure channel. The problem is I don't think Tomcat keeps track and flags if a session has been exposed via a non-secure channel or

Re: JDBCReal drivers

2006-08-10 Thread Filip Hanik - Dev Lists
common/lib Zohar wrote: When using JDBCRealm, where should I put my driver jars?

Re: Modifying saved URL from j_security_check

2006-08-10 Thread Gregor Schneider
Hi Mark, currently it's pretty busy here, therefore I couldn't try your suggestion yet. However, what I've tried so far is: I've subclassed *all* Authenticators from org.apache.catalina.authenticator(Digest, Form and SSL) since I thought that maybe some other Authenticator is being triggered

Tomcat 5.5 Cannot create PoolableConnectionFactory

2006-08-10 Thread jcbf
After successfully connecting to the databases through JDBC drivers over a proxool pool, I tried to configure JNDI datasources so that my dbforms webapp could cleanly call and implement connections through the JNDI space. In tomcat 5.5 the web context file looks like : … Resource

Context Timeout???

2006-08-10 Thread Francesco Marelli
Hello, my application runs on Tomcat 4.1.18 and I have implemented a context listener for it implementing the ServletContextListener interface. The contextDestroyed method runs after 30 minutes of inactivity. Why? I would have thought that the contextDestroyed method would run only at Context or

Help in Tomcat's logs

2006-08-10 Thread Viviana Charry López
Hi all, I have a sun server with these specifications: Server Information: Tomcat Version: Apache Tomcat/4.1.31; JVM Version: 1.4.1_02a-b01; JVM Vendor: Sun Microsystems Inc.; OS Name: SunOS; OS Version: 5.9; OS Architecture: sparc. And the logs dir has all users’ permissions. Tomcat

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Tomas Hulek
We have tried it, but the internal session attributes where Tomcat stores the original request are hidden to application, and are certainly not accessible to javax.servlet.* API (and we do try to write PORTABLE application, relying on the specification and not on the internals of one particular

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Tomas Hulek
Unfortunately, filters are skipped (ie. not called at all) when form-based login page is processed as a result of client requesting a secure area. We tried that too... By the way, the original URL that the client requested is hidden in the session in a way which prevents the web app from

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Long
I wonder if associating (and checking) the request IP with the session would reduce the problem to some acceptable level. What is the chance of a session being hijacked from the same network (face-ip)? Another question is can the original request IP be spoofed? Long - Original Message -

solution to this scenario

2006-08-10 Thread Pratap Parne
Can anyone tell me how do I implement this using tomcat? Tomcat would be running on a server. A user would log into the server using ftp and he has his own version of server.xml. He somehow starts the tomcat, runs his application and shuts it down. When other user logs into the server he should be

RE: solution to this scenario

2006-08-10 Thread Sharma, Siddharth
ftp? You mean telnet or rsh or ssh or something right? Anyhow, create a different instance of tomcat for each user: Recursively copy the following directories from CATALINA_HOME to a new location (say /usr/tomcat/instance_n) to create a new instance: webapps temp shared conf logs Then change

Re: Initializing session in a Filter

2006-08-10 Thread Mohsen Saboorian
Better to change my question: When a session associated with a client is created? Hi, I have a filter (for /*) in which I'm caching something in the session. Here is a piece of code: public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Tomas Hulek
In this case the chances are relatively high - imagine a company using a proxy to connect to the Internet. The client IP does not change, someone in the company sniffing can easily hijack sessions from his/her colleagues. Tomas

Using Tomcat's internal bean server.

2006-08-10 Thread Robert Harper
I've tried this before so let me rephrase this. I am using Tomcat to perform the authentication and I have an app that is adding new users to the tomcat-users database just fine. The problem is that I'd like to get the role and group attributes back. I would rather not keep the

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread David Rees
I wonder if associating (and checking) the request IP with the session would reduce the problem to some acceptable level. What is the chance of a session being hijacked from the same network (face-ip)? Another question is can the original request IP be spoofed? In this case the chances are

Re: solution to this scenario

2006-08-10 Thread Martin Gainty
This is from the javax.servlet.Servlet class (service method) documentation- Servlets typically run inside multithreaded servlet containers that can handle multiple requests concurrently. Developers must be aware to synchronize access to any shared resources such as files, network connections,

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Long
I can also imagine this company gives employees the go-ahead and hijack each other's session. It would also reward the idiot(s) that can do it best with double pay... Your imaginary company example doesn't really happen within a real company, does it? Usually there are codes of conduct and

Re: JDBCRealm with Simple Servlet Filter

2006-08-10 Thread Dhiraj Ramakrishnan
Hi , Thanks for the replies, really appreciate that. I am using BASIC because i am authenticating webservice calls. I already have FORM for a sister application which provides web based access. I want to log authentication failures. Is the only option i have is

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Maurice Yarrow
Hello David, Tomas: About two months ago, I tried using the getRemoteAddr() for doing IP check as an additional auth metric, but found exactly than on local net, this did not discriminate in many cases and only a single IP was returned for hosts on LAN. So I decided that there was too much

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Maurice Yarrow
Long: Thanks for adding this thought. As per my previous note on this subject, in light of your (relative) confidence in using IP, maybe I _should_ reconsider the getRemoteAddr() and simply use it as an addt'l advisory for making session auth decision on successive pages as they transit

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Marc Richards
Supposing that your secure area is using a constantly different URL path than your non-secure pages you could create a filter to modify the default path for the jsessionid cookie to be valid only for non-secure pages. For example, if your non-secure site is at http://mysite.com/public/... and

Re: getRealPath and war file

2006-08-10 Thread Romain Quilici
Sorry, in my previous message, I did not mean the working dir but the temp dir(obtained with javax.servlet.context.tempdir). Romain Mark Thomas wrote: Romain Quilici wrote: Hello Dies, the working directory would be fine, but my images need to be accessible via a url(which is not the case

one tomcat multiple users

2006-08-10 Thread Pratap Parne
Here is the situation. There would be one tomcat running on a server. Multiple users log into the server. Each user should be able to start the tomcat and shut it down without interfering others. They would have their own version of server.xml. So they log into the server using telnet start the tomcat

Tomcat container cluster monitoring under Geronimo

2006-08-10 Thread Russell E Glaue
When implementing a tomcat cluster, we can monitor the cluster via JMX. So, if we implement tomcat clustering under the Geronimo hood, what JMX components are available as GBeans to allow us to monitor the tomcat cluster running with Geronimo? Have all the necessary JMX components been made

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Darryl Miles
Tomas Hulek wrote: Unfortunately, filters are skipped (ie. not called at all) when form-based login page is processed as a result of client requesting a secure area. We tried that too... By the way, the original URL that the client requested is hidden in the session in a way which prevents the

Re: Session hijacking with Tomcat/Myfaces - unable to fix it

2006-08-10 Thread Darryl Miles
Maurice Yarrow wrote: Thanks for adding this thought. As per my previous note on this subject, in light of your (relative) confidence in using IP, maybe I _should_ reconsider the getRemoteAddr() and simply use it as an addt'l advisory for making session auth decision on successive pages as