Re: Dynamically Create Subdomains - Tomcat 7x

2015-09-04 Thread Kiran Badi
Hi Andre,

I need something like,

My main landing page  www.mysite.com

Subdomains I am looking for

myfeature1.mysite.com

myfeature2.mysite.com

myfeature3.mysite.com

etc

myfeature is a cookie value which comes from www.mysite.com (this is the
landing page which drops the myfeature cookie).

- Kiran




On Fri, Sep 4, 2015 at 3:34 AM, André Warnier (tomcat) wrote:

> On 04.09.2015 05:31, Kiran Badi wrote:
>
>> Hi,
>>
>> I need some help, I need to create subdomains dynamically. Is this
>> possible?
>>
>> I have a site, www.mymainsite.com
>>
>> On this main site, I drop the zipcode and city cookie and then I forward
>> it to the front controller, and it's this front controller which will
>> point it to the city subdomain.
>>
>> Can we create subdomains on the fly in Tomcat?
>>
>>
>>
> Kiran,
> Can you try to re-phrase your question in terms which people without a
> crystal ball would understand?
>
>
>
> What is well conceived is clearly expressed, and the words to say it
> come easily.
> L'Art poétique (1674)
> Nicolas Boileau-Despréaux
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Tomcat 8 Session Timeout

2015-09-04 Thread Theo . Sweeny
Hi Chris - the servlet spec states "If the time out is 0 or less, the 
container ensures the default behavior of sessions is never to time out."

Currently the timeout value is set to 2 minutes.

However the problem is persisting - the environment is using Jersey 
Servlet 1.3 for REST.

If we look inside web service stats -

Longest session alive time: 183 s / Processing time: 625 ms
Longest session alive time: 207 s / Processing time: 232 ms

The current session timeout is set to 120 seconds, so neither of these 
above session times make any sense, unless a dependency is hanging?

Theo



From:   Christopher Schultz 
To: Tomcat Users List , 
Date:   03/09/2015 16:43
Subject: Re: Tomcat 8 Session Timeout




Theo,

On 9/3/15 8:28 AM, theo.swe...@avios.com wrote:
> Thanks Chris - that pointer is very helpful.
> 
> Can you clarify by setting session-timeout to 0, implies after 60
> seconds the session will expire or does it imply the same as -1,
> that sessions will not timeout?
> 
> <session-timeout>0</session-timeout>
> 

What does the servlet specification say about the values used there?
Hint: your assumptions are already wrong.

- -chris




Re: Dynamically Create Subdomains - Tomcat 7x

2015-09-04 Thread chris derham
> I need something like,
>
> My main landing page  www.mysite.com
>
> Subdomains I am looking for
>
> myfeature1.mysite.com
>
> myfeature2.mysite.com
>
> myfeature3.mysite.com
>
> etc
>
> myfeature is a cookie value which comes from www.mysite.com (this is the
> landing page which drops the myfeature cookie).
>
> - Kiran

so if you map *.mysite.com DNS name to a single server, it can do all of that.

You are asking a very generic high level question, without providing
details of what you have tried, and what isn't working. Hence you
really need to open up more and explain. Can a single site handle all
of these "features" or do you need isolation between them? Is this a
"how can I setup DNS?" or a "how can I setup webservers against host
names?" kind of question. It really is worded very openly so people
will be hard pushed to help.

Chris




Re: Tomcat client certificate based authorization

2015-09-04 Thread juls

Dear Christoph,

thanks, I guess that was the right hint.
I now implemented a custom X509UsernameRetriever, created a jar and 
placed it in $CATALINA_HOME/lib.


***
import java.security.cert.X509Certificate;

// Must be declared in the package named in X509UsernameRetrieverClassName,
// and the jar must contain the class file at the matching path.
public class X509UsernameRetrieverClass implements
        org.apache.catalina.realm.X509UsernameRetriever {

    @Override
    public String getUsername(X509Certificate cert) {
        // Default behaviour would be the subject DN:
        // String name = cert.getSubjectDN().getName();
        // Use the decimal serial number as the realm username instead.
        String name = String.valueOf(cert.getSerialNumber());
        return name;
    }

}
***

Then I changed the realm configuration in $CATALINA_HOME/conf/server.xml


***

X509UsernameRetrieverClassName="xx.xx.xx.X509UsernameRetrieverClass" />


***

When starting Tomcat I get a ClassNotFoundException for my custom class.
According to the Class Loader Documentation the Common Loader should 
load all jars in the lib folder.
Is there something else I need to pack into the jar for Tomcat to load 
the class?



kind regards





On 03.09.2015 23:44, Christopher Schultz wrote:


Juls,

On 9/3/15 9:41 AM, juls wrote:

I need to restrict users to access different resources based on
attributes of their client certificate.

I found this tutorial which describes the basic idea:
http://krishnasblog.com/2012/12/01/enabling-client-cert-based-authorization-on-tomcat/

Apart from not being able to get it working as described in the
tutorial my question is whether it is possible to use different
attributes than just the subject DN. I am thinking of certificate
serial number and/or authority key identifier/subject key
identifier.


While the SubjectDN is the default "username" obtained from the
certificate, you can use something else instead. Take a look at the
<Realm> configuration guide and especially at the
"X509UsernameRetrieverClassName" attribute for that configuration.

http://tomcat.apache.org/tomcat-8.0-doc/config/realm.html

You can write a class that uses whatever field (or mixture of fields)
you want to identify the user.

- -chris
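Chris's point above, that the retriever can use whatever field or mixture of fields identifies the user, matters for the serial-number choice in the code posted: a certificate serial number is only unique per issuing CA (RFC 5280, 4.1.2.2), so as soon as the trust store holds a second CA two different certificates can map to the same realm username. The class below is an added example by the editor, not code from this thread or from Tomcat, of a retriever that binds the issuer DN to the serial number, the same pair CRLs and OCSP use to name a certificate. It assumes Tomcat's catalina.jar on the classpath for the X509UsernameRetriever interface; the class name, the "#" separator and the main() argument are the editor's choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.security.auth.x500.X500Principal;

import org.apache.catalina.realm.X509UsernameRetriever;

/**
 * Added example (editor's code, not from the thread): the realm "username"
 * becomes "<issuer DN, RFC 2253 form>#<serial in hex>".
 *
 * Serial numbers are only unique per issuer, so a username built from the
 * serial alone collides once a second CA is trusted. Issuer + serial is the
 * pair that CRLs and OCSP use to identify a certificate unambiguously.
 */
public class IssuerSerialUsernameRetriever implements X509UsernameRetriever {

    @Override
    public String getUsername(X509Certificate cert) {
        return usernameFor(cert.getIssuerX500Principal(), cert.getSerialNumber());
    }

    /** Pure function, so the mapping can be unit-tested without a Realm. */
    static String usernameFor(X500Principal issuer, BigInteger serial) {
        if (serial.signum() < 0) {
            // RFC 5280 requires a positive serial; refuse rather than guess.
            throw new IllegalArgumentException("negative certificate serial number");
        }
        // RFC 2253 is a canonical string form, so the value you store in the
        // realm (tomcat-users.xml, JDBC table, ...) matches what arrives here.
        // Hex keeps the serial unambiguous regardless of leading zeros.
        return issuer.getName(X500Principal.RFC2253) + "#" + serial.toString(16);
    }

    /** Stand-alone check: java IssuerSerialUsernameRetriever client.crt (PEM or DER). */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            System.out.println(new IssuerSerialUsernameRetriever().getUsername(cert));
        }
    }
}
```

Package the class in a jar under $CATALINA_HOME/lib and set X509UsernameRetrieverClassName to its fully qualified name, package included; a class compiled without a package declaration but configured with one is an ordinary cause of exactly the ClassNotFoundException reported above. The retriever only chooses the name: whether the certificate is accepted at all is still decided by the connector's clientAuth="true" and its trust store, and the resulting name still has to exist in the realm with the roles your security constraints expect.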



Re: Dynamically Create Subdomains - Tomcat 7x

2015-09-04 Thread Kiran Badi
Let me try again Chris, I have this site www.mysite.com ready with some x
amount of features in it.

Now I need to customize this site based on regions, states, and cities. I
will most likely go with cities.

So I need my main site to redirect to city1.mysite.com etc. based on a
cookie value which I create on mysite.com (this is the landing page).



What I need is similar to what www.blogger.com or craigslist does, e.g.
http://www.quikr.com/all-cities, https://geo.craigslist.org/iso/us

When we add a blog, it creates user.blogger.com and for another user, it
creates user1.blogger.com

I am looking for something similar.

Can this be done with just Tomcat or do I need to front-end Tomcat with
Apache?

Is it required to spend extra money on DNS or on creating a different
folder/subdirectory for each region?

I have a single war file, and I intend to do this isolation at the service
layer/DB layer.

Does this make sense?

I know it's a high-level generic ask, but I really need some direction. Maybe I
am again vague, but I hope the examples will give some direction as to what I am
looking for.

- Kiran





On Fri, Sep 4, 2015 at 9:03 AM, chris derham wrote:

> > I need something like,
> >
> > My main landing page  www.mysite.com
> >
> > Subdomains I am looking for
> >
> > myfeature1.mysite.com
> >
> > myfeature2.mysite.com
> >
> > myfeature3.mysite.com
> >
> > etc
> >
> > myfeature is a cookie value which comes from www.mysite.com (this is the
> > landing page which drops the myfeature cookie).
> >
> > - Kiran
>
> so if you map *.mysite.com DNS name to a single server, it can do all of
> that.
>
> You are asking a very generic high level question, without providing
> details of what you have tried, and what isn't working. Hence you
> really need to open up more and explain. Can a single site handle all
> of these "features" or do you need isolation between them? Is this a
> "how can I setup DNS?" or a "how can I setup webservers against host
> names?" kind of question. It really is worded very openly so people
> will be hard pushed to help.
>
> Chris
>
>
>


Multiple JSESSIONID cookies being presented.

2015-09-04 Thread Jeffrey Janner
Hi folks,
I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm also seeing 
this on Windows (version doesn't matter), with Tomcat 7.0.57 and Java 7u71, and 
Tomcat 6.0.43 and Java 7U51.
I have 2 contexts installed in Tomcat, one is ROOT, the other APP2.  Both 
contexts start off at a login screen unique to the context and provided by it 
(not using container auth).
When I connect to ROOT, no problem, but when I connect to APP2, I get 2 
JSESSIONID cookies, one with the path "/" and the other with the path "/APP2/".
On the Windows implementations, we are not seeing a problem, at least not one 
being reported.
On the Linux implementation, the end user will occasionally get immediately 
kicked out with an invalid session immediately after providing credentials. The 
access logs show a single jsessionid=xxx being provided on the POST URL.  
Amazingly, sometimes that goes through and lets the user login, so my theory is 
that the browser is sometimes picking the wrong path.  (Also, theory, the "/" 
cookie is being generated by a request for "/favicon.ico" just before the 
request for the login page.)

So my question is:  Is there anything I can do from a configuration perspective 
to get it to NOT send the "/" cookie for APP2?

Deployment details:
Linux is being fronted by an HaProxy server, but the traffic appears to be 
staying on one host.
Server.xml is essentially the basic one provided with install.  Port # and 
access log information is modified and has RemoteIpValve setup so we can log 
the end user's IP.
Apps are deployed as war files with static context.xml files in 
Catalina/localhost.  Those files all look like:

  
  

War files do get exploded.  I can't find anything in the web.xml files that 
have anything to do with cookies.

Any help here would be appreciated.

Jeffrey Janner


Re: Tomcat client certificate based authorization

2015-09-04 Thread Christopher Schultz

Juls,

On 9/4/15 10:01 AM, juls wrote:
> thanks, I guess that was the right hint.

I hope so!

> I now implemented a custom X509UsernameRetriever, created a jar
> and placed it in $CATALINA_HOME/lib.
> 
> import java.security.cert.X509Certificate;
> 
> public class X509UsernameRetrieverClass implements
>         org.apache.catalina.realm.X509UsernameRetriever {
> 
>     @Override
>     public String getUsername(X509Certificate cert) {
>         //String name = cert.getSubjectDN().getName();
>         String name = String.valueOf(cert.getSerialNumber());
>         return name;
>     }
> }
> 
> Then I changed the realm configuration in
> $CATALINA_HOME/conf/server.xml
> 
>  X509UsernameRetrieverClassName="xx.xx.xx.X509UsernameRetrieverClass"
> />
> 
> 
> When starting Tomcat I get a ClassNotFoundException for my custom
> class. According to the Class Loader Documentation the Common
> Loader should load all jars in the lib folder.

Correct.

> Is there something else I need to pack into the jar for Tomcat to
> load the class?

You shouldn't need anything else. Can you show the output of:

$ unzip -v lib/your-jar.jar

?

Also, what's the full stack trace of the CNFE?

- -chris



Re: Dynamically Create Subdomains - Tomcat 7x

2015-09-04 Thread Kiran Badi
Thanks Chris,

I have Tomcat running with mysite hosted on it. I am trying to extend it and
get some extra mileage from my app.

I think I can go with hostname approach and see how it goes.

I have another query for which I will open another discussion.

Thanks everyone.

- Kiran


On Fri, Sep 4, 2015 at 1:49 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

>
> Kiran,
>
> On 9/4/15 12:25 PM, Kiran Badi wrote:
> > Let me try again Chris, I have this site www.mysite.com  ready with
> > some x amount of features in it
> >
> > Now I need to customize this site based on regions,states, and
> > cities.I will most likely go with cities.
> >
> > So I need my main site to redirect to city1.mysite.com  etc
> > based on cookie value which I create on mysite.com(This is landing
> > page)
> >
> >
> >
> > what i need  is similar to as what  www.blogger.com or craiglist
> > does.Ex
> > http://www.quikr.com/all-cities,https://geo.craigslist.org/iso/us
> >
> > when we add a blog, it creates user.blogger.com and for another
> > user, it creates user1.blogger.com
> >
> > I am looking something similar ?
> >
> > Can this be done with just tomcat or I need to front end tomcat
> > with apache ?
> >
> > Is it required to spend extra money on DNS or creating different
> > folder/subdirectory for each region ?
> >
> > I have a single war file, and I intent to do this isolation
> > service layer/DB layer.
> >
> > Does this make sense ?
> >
> > I know its high level generic ask,but I really need some direction.
> > Maybe I am again vague,but I hope examples will give some direction
> > as what I am looking for.
>
> I agree with Chris Derham: if you have DNS set up to send *.mysite.com
> to your service, then all of those requests will go to your Tomcat
> server; it's up to you to decide what to do at that point.
>
> You *could* add a <Host> (programmatically) for every single prefix
> you might think of to auto-generate, OR you could just use the default
> host for everything and then detect the hostname the user is using in
> order to customize some part of your application.
>
> I wouldn't bother trying to modify the configuration of the running
> Tomcat... instead, I'd just use the hostname to decide what to do once
> inside the application.
>
> - -chris


Re: Dynamically Create Subdomains - Tomcat 7x

2015-09-04 Thread Christopher Schultz

Kiran,

On 9/4/15 12:25 PM, Kiran Badi wrote:
> Let me try again Chris, I have this site www.mysite.com  ready with
> some x amount of features in it
> 
> Now I need to customize this site based on regions,states, and
> cities.I will most likely go with cities.
> 
> So I need my main site to redirect to city1.mysite.com  etc
> based on cookie value which I create on mysite.com(This is landing
> page)
> 
> 
> 
> what i need  is similar to as what  www.blogger.com or craiglist
> does.Ex 
> http://www.quikr.com/all-cities,https://geo.craigslist.org/iso/us
> 
> when we add a blog, it creates user.blogger.com and for another
> user, it creates user1.blogger.com
> 
> I am looking something similar ?
> 
> Can this be done with just tomcat or I need to front end tomcat
> with apache ?
> 
> Is it required to spend extra money on DNS or creating different 
> folder/subdirectory for each region ?
> 
> I have a single war file, and I intent to do this isolation
> service layer/DB layer.
> 
> Does this make sense ?
> 
> I know its high level generic ask,but I really need some direction.
> Maybe I am again vague,but I hope examples will give some direction
> as what I am looking for.

I agree with Chris Derham: if you have DNS set up to send *.mysite.com
to your service, then all of those requests will go to your Tomcat
server; it's up to you to decide what to do at that point.

You *could* add a <Host> (programmatically) for every single prefix
you might think of to auto-generate, OR you could just use the default
host for everything and then detect the hostname the user is using in
order to customize some part of your application.

I wouldn't bother trying to modify the configuration of the running
Tomcat... instead, I'd just use the hostname to decide what to do once
inside the application.

- -chris
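Chris's advice above, to keep the default host and decide inside the application based on the hostname, leaves two pieces of untrusted input in play: the Host header, which is what request.getServerName() returns once *.mysite.com points at Tomcat, and the city cookie the landing page wants to redirect on. The servlet filter below is an added example by the editor, not code from the thread or from Tomcat. It maps austin.mysite.com to a request attribute only when the label is well formed and on an allowlist, and it redirects from the landing page only to an allowlisted subdomain, so neither a forged Host header nor a tampered cookie can steer a user to an arbitrary host. The domain, cookie name, city list and attribute name are assumptions; the API is javax.servlet as shipped with Tomcat 7 and 8.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (editor's code, not from the thread). Runs behind the default
 * <Host> with *.mysite.com resolving to Tomcat. Both inputs it acts on, the
 * Host header and the city cookie, are chosen by the client and are trusted
 * only after they match the allowlist.
 */
public class CitySubdomainFilter implements Filter {

    static final String BASE_DOMAIN = "mysite.com";   // assumption
    static final String CITY_COOKIE = "city";         // assumption: set by the landing page
    static final String CITY_ATTR = "city";           // assumption: read by the app instead of Host

    // One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
    private static final Pattern LABEL =
            Pattern.compile("[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?");

    // Known cities (assumption); a real deployment loads these from the DB at startup.
    private static final Set<String> CITIES =
            new HashSet<String>(Arrays.asList("austin", "boston", "denver"));

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    /** City label for a server name like "austin.mysite.com", or null if not an allowlisted city host. */
    static String cityFromHost(String serverName) {
        if (serverName == null) return null;
        String host = serverName.toLowerCase(Locale.ROOT);
        String suffix = "." + BASE_DOMAIN;
        if (!host.endsWith(suffix)) return null;                       // foreign or bare Host header
        String label = host.substring(0, host.length() - suffix.length());
        if (label.equals("www") || !LABEL.matcher(label).matches()) return null;
        return CITIES.contains(label) ? label : null;                  // allowlist, not the pattern alone
    }

    /** Redirect target built only from an allowlisted label, never from the raw cookie value. */
    static String redirectFor(String cookieValue, String scheme) {
        if (cookieValue == null) return null;
        String label = cookieValue.toLowerCase(Locale.ROOT);
        if (!LABEL.matcher(label).matches() || !CITIES.contains(label)) return null;
        return scheme + "://" + label + "." + BASE_DOMAIN + "/";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String city = cityFromHost(request.getServerName());
        if (city != null) {
            request.setAttribute(CITY_ATTR, city);   // downstream code uses this, not the Host header
            chain.doFilter(req, res);
            return;
        }

        // Landing page (www or an unknown label): honour the city cookie only if it is valid.
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (CITY_COOKIE.equals(c.getName())) {
                    String target = redirectFor(c.getValue(), request.getScheme());
                    if (target != null) {
                        response.sendRedirect(target);
                        return;
                    }
                }
            }
        }
        chain.doFilter(req, res);   // no cookie or an invalid one: serve the plain landing page
    }
}
```

Map the filter to /* in web.xml. Two things follow from the design: the city cookie only has to be readable on www.mysite.com, so it needs no Domain attribute; but the JSESSIONID that www.mysite.com issues is a host-only cookie and will not be sent to austin.mysite.com, so a session that must survive the redirect needs sessionCookieDomain="mysite.com" on the Context, at the price of every subdomain sharing that session cookie.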



Re: Tomcat 8 Session Timeout

2015-09-04 Thread Christopher Schultz

Theo,

On 9/4/15 6:14 AM, theo.swe...@avios.com wrote:
> Hi Chris - the servlet spec states "If the time out is 0 or less,
> the container ensures the default behavior of sessions is never to
> time out."
> 
> Currently the timeout value is set to 2 minutes.
> 
> However the problem is persisting - the environment is using
> Jersery Servlet 1.3 for REST.
> 
> If we look inside web service stats -
> 
> Longest session alive time: 183 s / Processing time: 625 ms Longest
> session alive time: 207 s / Processing time: 232 ms
> 
> The current session timeout is set to 120 seconds, so neither of
> these above session times make any sense, unless a dependency is
> hanging?

Remember that the session timeout is not session age. If you have a
process which is touching the session more often than every 2 minutes
or so, then the session will live indefinitely.

Is the background processing thread still running? If it dies, your
sessions will never time out. Also, the background processing thread
is the thread that reaps old sessions... if you have the background
processor thread set to run infrequently, you'll see the behavior you
describe.

- -chris



RE: Multiple JSESSIONID cookies being presented.

2015-09-04 Thread Jeffrey Janner
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, September 04, 2015 12:46 PM
> To: Tomcat Users List 
> Subject: Re: Multiple JSESSIONID cookies being presented.
> 
> 
> Jeffrey,
> 
> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
> > also seeing this on Windows (version doesn't matter), with Tomcat
> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
> >
> > I have 2 contexts installed in Tomcat, one is ROOT, the other
> > APP2. Both contexts start off at a login screen unique to the
> > context and provided by it (not using container auth).
> >
> > When I connect to ROOT, no problem, but when I connect to APP2, I
> > get 2 JSESSIONID cookies, one with the path "/" and the other with
> > the path "/APP2/".
> 
> I would expect this behavior: you have one ROOT app (cookie path=/)
> and one APP2 app (cookie path=/APP2). Your browser will send both
> cookies to /APP2 because / is a prefix of /APP2.
> 
> > On the Windows implementations, we are not seeing a problem, at
> > least not one being reported.
> >
> > On the Linux implementation, the end user will occasionally get
> > immediately kicked out with an invalid session immediately after
> > providing credentials. The access logs show a single
> > jsessionid=xxx being provided on the POST URL.
> 
> The POST to j_security_check?
> 
No

> Are you using request.encodeURL() to build the <form> action URL, or
> are you building it manually?
> 
EncodeUrl.  And a check of a couple of sites, both linux and windows, shows 
that the jsessionid is being added to the action by EncodeUrl, regardless of 
cookie settings. So far, it is always the APP2 sessionID.

> I believe Tomcat prefers the Cookie-based session id to anything
> coming-in from the URL, and I do know it will search all JSESSIONID
> cookies for any that match a valid session (not just the first one) in
> the current application. So logging-in should ... always work.
> 
> > Amazingly, sometimes that goes through and lets the user login, so
> > my theory is that the browser is sometimes picking the wrong path.
> > (Also, theory, the "/" cookie is being generated by a request for
> > "/favicon.ico" just before the request for the login page.)
> 
> You should make sure that anything that doesn't require authentication
> specifically mentions that in web.xml, otherwise you'll get weird
> things happening like that.
> 
We don't actually use Tomcat container authentication at all.

> > So my question is:  Is there anything I can do from a
> > configuration perspective to get it to NOT send the "/" cookie for
> > APP2?
> 
> Not really... other than changing from ROOT to APP1 or whatever.
> Overlapping URL spaces for applications leads to tears.
> 
I could do that, though we'd like to keep it so that if no context is specified 
we still go to APP1, so the user's don't have to change all of their bookmarks. 
 Perhaps with a redirect?

> > Deployment details:
> 
> I think there's nothing in here that would change anything.
> 
> - -chris



doDelete Servlet

2015-09-04 Thread Kiran Badi
Hi ,

I have a CRUD multipart request and I have implemented it correctly; it works
fine on my localhost.

I upload pdf and tiff files, all this implemented via an ajax call
using the onchange handler on a file input multiple tag.

The challenge I am having is that doDelete just deletes the file with the
request on the server, but there is no protection.

How do I protect the doDelete call from getting misused?

Is there something in Tomcat I can use to protect doDelete calls from
getting misused?

- Kiran


Re: doDelete Servlet

2015-09-04 Thread Christopher Schultz

Kiran,

On 9/4/15 3:19 PM, Kiran Badi wrote:
> I have a CRUD multipart request and I have implemented it correctly;
> it works fine on my localhost.
> 
> I upload pdf and tiff files, all this implemented via an ajax call
> using the onchange handler on a file input multiple tag.
> 
> The challenge I am having is that doDelete just deletes the file
> with the request on the server, but there is no protection.
> 
> How do I protect the doDelete call from getting misused?
> 
> Is there something in Tomcat I can use to protect doDelete calls
> from getting misused?

How do you do user authentication and authorization? The doDelete
method should be protected by default if you have enabled
container-managed authentication and authorization.

Also, the default doDelete method should be a no-op and therefore
safe. If you have implemented your own doDelete method, you can use
whatever safety-checks you wish in order to prevent misuse.

- -chris
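Chris's two answers above, container-managed authentication or checks inside your own doDelete, translate into the following added example; it is the editor's code, not Kiran's servlet and not Tomcat code. It shows the three checks a DELETE handler for uploaded files needs: the caller is authenticated (via the container's getUserPrincipal() or the application's own session attribute), the request carries the session's CSRF token, and the file name is confined to the caller's own upload directory so a "../" or an absolute path cannot reach other users' files. The upload root, the session attribute names and the header name are assumptions; the "name" parameter is read from the query string because Tomcat only parses a request body into parameters for POST. If you take the container route instead, constrain the whole URL pattern rather than listing <http-method>DELETE</http-method>: when a security-constraint names methods, every method it does not name is left unconstrained.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (editor's code, not from the thread).
 * DELETE /files?name=report.pdf removes one of the caller's own uploads, nothing else.
 */
public class UploadDeleteServlet extends HttpServlet {

    // Assumptions: upload layout and the session attributes the app's login handler sets.
    static final Path UPLOAD_ROOT = Paths.get(System.getProperty("java.io.tmpdir"), "uploads");
    static final String USER_ATTR = "user";        // String username stored at login
    static final String CSRF_ATTR = "csrfToken";   // random token stored at login
    static final String CSRF_HEADER = "X-CSRF-Token";

    /** Resolves name inside the user's own directory; null if either part would escape. */
    static Path safeTarget(String user, String name) {
        if (user == null || name == null || name.isEmpty()) return null;
        Path root = UPLOAD_ROOT.toAbsolutePath().normalize();
        // The username becomes a directory name, so it is confined the same way as the file name.
        Path userDir = root.resolve(user).normalize();
        if (userDir.equals(root) || !userDir.startsWith(root)) return null;
        Path target = userDir.resolve(name).normalize();
        // normalize() folds "..", which is what defeats name="../bob/secret.pdf";
        // Path.startsWith compares whole elements, so ".../alice2" is not inside ".../alice".
        if (target.equals(userDir) || !target.startsWith(userDir)) return null;
        return target;
    }

    /** Constant-time comparison so a token cannot be guessed byte by byte. */
    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);

        // 1. Authentication: container-managed (getUserPrincipal) or the app's own login flag.
        Principal principal = req.getUserPrincipal();
        String user = principal != null ? principal.getName()
                : session != null ? (String) session.getAttribute(USER_ATTR) : null;
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. CSRF: a plain form cannot send DELETE and a cross-origin XHR DELETE is stopped by
        //    the CORS preflight unless this server allows it, so the token is defence in depth:
        //    it keeps the handler safe if a CORS filter is later opened up or a POST-to-DELETE
        //    method-override filter is added.
        String expected = session != null ? (String) session.getAttribute(CSRF_ATTR) : null;
        if (!tokenMatches(expected, req.getHeader(CSRF_HEADER))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 3. Authorization and path confinement: only a regular file under the caller's directory.
        Path target = safeTarget(user, req.getParameter("name"));
        if (target == null || !Files.isRegularFile(target)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);   // same answer for "not yours" and "absent"
            return;
        }
        Files.delete(target);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The client side is the onchange/ajax code already described: read the token from the page or a same-origin endpoint at login and send it in X-CSRF-Token with each DELETE. If users can create symlinks inside their upload directory, resolve with toRealPath() instead of normalize() before the startsWith check.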



Re: Multiple JSESSIONID cookies being presented.

2015-09-04 Thread Christopher Schultz

Jeffrey,

On 9/4/15 3:31 PM, Jeffrey Janner wrote:
>> -Original Message- From: Christopher Schultz
>> [mailto:ch...@christopherschultz.net] Sent: Friday, September 04,
>> 2015 12:46 PM To: Tomcat Users List  
>> Subject: Re: Multiple JSESSIONID cookies being presented.
>> 
> Jeffrey,
> 
> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
 I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but
 I'm also seeing this on Windows (version doesn't matter),
 with Tomcat 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java
 7U51.
 
 I have 2 contexts installed in Tomcat, one is ROOT, the
 other APP2. Both contexts start off at a login screen unique
 to the context and provided by it (not using container
 auth).
 
 When I connect to ROOT, no problem, but when I connect to
 APP2, I get 2 JSESSIONID cookies, one with the path "/" and
 the other with the path "/APP2/".
> 
> I would expect this behavior: you have one ROOT app (cookie
> path=/) and one APP2 app (cookie path=/APP2). Your browser will
> send both cookies to /APP2 because / is a prefix of /APP2.
> 
 On the Windows implementations, we are not seeing a problem,
 at least not one being reported.
 
 On the Linux implementation, the end user will occasionally
 get immediately kicked out with an invalid session
 immediately after providing credentials. The access logs show
 a single jsessionid=xxx being provided on the POST URL.
> 
> The POST to j_security_check?
> 
>> No

So... where does the POST go?

> Are you using request.encodeURL() to build the <form> action URL,
> or are you building it manually?
> 
>> EncodeUrl.  And a check of a couple of sites, both linux and 
>> windows, shows that the jsessionid is being added to the action
>> by EncodeUrl, regardless of cookie settings. So far, it is always
>> the APP2 sessionID.

I'm not surprised that the session id is being added to the URL
regardless of cookie settings, because at that point, Tomcat might not
know for sure if the client can support cookies. (I'm sure there are
cases where it's obvious that cookies are in fact supported, but
Tomcat is not detecting it.)

I'm surprised that Tomcat would use the "wrong" session id for
URL-rewriting when presenting the login screen. Are you saying that,
when showing the login page for /APP2, Tomcat will:

a. Place a session identifier in the URL with value X
b. Return a Set-Cookie response header for JSESSIONID with value Y

Where X != Y?

> I believe Tomcat prefers the Cookie-based session id to anything 
> coming-in from the URL, and I do know it will search all
> JSESSIONID cookies for any that match a valid session (not just the
> first one) in the current application. So logging-in should ...
> always work.
> 
 Amazingly, sometimes that goes through and lets the user
 login, so my theory is that the browser is sometimes picking
 the wrong path. (Also, theory, the "/" cookie is being
 generated by a request for "/favicon.ico" just before the
 request for the login page.)
> 
> You should make sure that anything that doesn't require
> authentication specifically mentions that in web.xml, otherwise
> you'll get weird things happening like that.
> 
>> We don't actually use Tomcat container authentication at all.

Okay, that's good information to have. But you do use Tomcat's
session-tracking mechanisms, right?

 So my question is:  Is there anything I can do from a 
 configuration perspective to get it to NOT send the "/"
 cookie for APP2?
> 
> Not really... other than changing from ROOT to APP1 or whatever. 
> Overlapping URL spaces for applications leads to tears.
> 
>> I could do that, though we'd like to keep it so that if no
>> context is specified we still go to APP1, so the user's don't
>> have to change all of their bookmarks. Perhaps with a redirect?

That kind of thing is tough to do, but possible. Something like this:

# Ignore requests to /APP1
RewriteCond %{REQUEST_URI} ^/APP1
RewriteRule .* - [L]

# Ignore requests to /APP2
RewriteCond %{REQUEST_URI} ^/APP2
RewriteRule .* - [L]

# Re-write other requests (RewriteRule back-references are $1, not \1)
RewriteRule (.*) /APP1$1 [R,L]

Be very careful with the above: it's completely untested and can put
your clients into a redirect loop if you aren't careful and test all
cases. Also, the [R] flag will do odd things with POST requests, so
either make sure nobody POSTs to one of those URLs or expand the
configuration to properly-handle POSTs.

- -chris
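Chris's explanation above, that the browser sends both cookies because / is a prefix of /APP2 and that Tomcat then tries every JSESSIONID value it received, can be checked rather than guessed: the Cookie request header carries only name=value pairs, so the server never learns which path each cookie was set for. The filter below is an added diagnostic by the editor, not code from the thread or from Tomcat. Per request it logs every JSESSIONID the browser sent, which id Tomcat selected and from where (cookie or URL), whether that id is a live session in this context, and the id of the session the request ends up with; for static resources it also wraps the request so downstream code cannot create a session, which tests the /favicon.ico theory directly. The static-path list is an assumption; the API is javax.servlet 2.5, so it runs on the Tomcat 6, 7 and 8 versions mentioned.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Added diagnostic filter (editor's example, not from the thread).
 * Map it to /* in the context that loses sessions and read the context log.
 */
public class SessionDiagFilter implements Filter {

    static final String SESSION_COOKIE = "JSESSIONID";
    private ServletContext ctx;

    @Override public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    @Override public void destroy() {}

    /** One log line describing the request's session-tracking state. */
    static String describe(HttpServletRequest req) {
        StringBuilder sb = new StringBuilder();
        sb.append(req.getMethod()).append(' ').append(req.getRequestURI());
        // The Cookie header has no path attribute: the server cannot tell the "/"
        // cookie from the "/APP2" one, it just sees two JSESSIONID values.
        sb.append(" sent=[");
        Cookie[] cookies = req.getCookies();
        int n = 0;
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (SESSION_COOKIE.equals(c.getName())) {
                    if (n++ > 0) sb.append(',');
                    sb.append(c.getValue());
                }
            }
        }
        sb.append("] requested=").append(req.getRequestedSessionId());
        sb.append(" fromCookie=").append(req.isRequestedSessionIdFromCookie());
        sb.append(" fromURL=").append(req.isRequestedSessionIdFromURL());
        // true only if the requested id is a live session of THIS context
        sb.append(" valid=").append(req.isRequestedSessionIdValid());
        HttpSession s = req.getSession(false);   // never create one while diagnosing
        sb.append(" current=").append(s == null ? "none" : s.getId());
        return sb.toString();
    }

    /** Assumption: paths that are static and must never start a session. */
    static boolean isStatic(String path) {
        return path.equals("/favicon.ico") || path.endsWith(".css")
                || path.endsWith(".js") || path.endsWith(".png");
    }

    /** Turns every getSession() downstream into getSession(false). */
    static class NoNewSession extends HttpServletRequestWrapper {
        NoNewSession(HttpServletRequest r) { super(r); }
        @Override public HttpSession getSession() { return super.getSession(false); }
        @Override public HttpSession getSession(boolean create) { return super.getSession(false); }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        ctx.log(describe(request));
        // Path relative to the context: getRequestURI() includes "/APP2", getContextPath() is "/APP2".
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (isStatic(path)) {
            chain.doFilter(new NoNewSession(request), res);
        } else {
            chain.doFilter(req, res);
        }
    }
}
```

Compare the line for the login POST between a successful and a rejected attempt: if "valid=false" appears while "sent=[...]" lists an APP2 id that was issued moments earlier, the session was lost server-side (expiry, a different backend behind HAProxy) rather than mis-selected from the cookies. On the question as asked, the browser decides which cookies to send, so the only configuration lever is on the ROOT side: give that Context its own cookie name with sessionCookieName, and APP2 never receives a foreign JSESSIONID at all.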

RE: Multiple JSESSIONID cookies being presented.

2015-09-04 Thread Jeffrey Janner
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, September 04, 2015 2:55 PM
> To: Tomcat Users List 
> Subject: Re: Multiple JSESSIONID cookies being presented.
> 
> 
> Jeffrey,
> 
> On 9/4/15 3:31 PM, Jeffrey Janner wrote:
> >> -Original Message- From: Christopher Schultz
> >> [mailto:ch...@christopherschultz.net] Sent: Friday, September 04,
> >> 2015 12:46 PM To: Tomcat Users List 
> >> Subject: Re: Multiple JSESSIONID cookies being presented.
> >>
> > Jeffrey,
> >
> > On 9/4/15 12:37 PM, Jeffrey Janner wrote:
>  I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but
>  I'm also seeing this on Windows (version doesn't matter),
>  with Tomcat 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java
>  7U51.
> 
>  I have 2 contexts installed in Tomcat, one is ROOT, the
>  other APP2. Both contexts start off at a login screen unique
>  to the context and provided by it (not using container
>  auth).
> 
>  When I connect to ROOT, no problem, but when I connect to
>  APP2, I get 2 JSESSIONID cookies, one with the path "/" and
>  the other with the path "/APP2/".
> >
> > I would expect this behavior: you have one ROOT app (cookie
> > path=/) and one APP2 app (cookie path=/APP2). Your browser will
> > send both cookies to /APP2 because / is a prefix of /APP2.
> >
>  On the Windows implementations, we are not seeing a problem,
>  at least not one being reported.
> 
>  On the Linux implementation, the end user will occasionally
>  get immediately kicked out with an invalid session
>  immediately after providing credentials. The access logs show
>  a single jsessionid=xxx being provided on the POST URL.
> >
> > The POST to j_security_check?
> >
> >> No
> 
> So... where does the POST go?
Direct to back-end processing in the app (as far as I know).

> 
> > Are you using request.encodeURL() to build the <form> action URL,
> > or are you building it manually?
> >
> >> EncodeUrl.  And a check of a couple of sites, both linux and
> >> windows, shows that the jsessionid is being added to the action
> >> by EncodeUrl, regardless of cookie settings. So far, it is always
> >> the APP2 sessionID.
> 
> I'm not surprised that the session id is being added to the URL
> regardless of cookie settings, because at that point, Tomcat might not
> know for sure if the client can support cookies. (I'm sure there are
> cases where it's obvious that cookies are in fact supported, but
> Tomcat is not detecting it.)
> 
That actually makes sense. 

> I'm surprised that Tomcat would use the "wrong" session id for
> URL-rewriting when presenting the login screen. Are you saying that,
> when showing the login page for /APP2, Tomcat will:
> 
> a. Place a session identifier in the URL with value X
> b. Return a Set-Cookie response header for JSESSIONID with value Y
> 
> Where X != Y?
So far, it looks like it is maintaining an X=Y philosophy.
So that's a non-starter.

> 
> > I believe Tomcat prefers the Cookie-based session id to anything
> > coming-in from the URL, and I do know it will search all
> > JSESSIONID cookies for any that match a valid session (not just the
> > first one) in the current application. So logging-in should ...
> > always work.
> >
>  Amazingly, sometimes that goes through and lets the user
>  login, so my theory is that the browser is sometimes picking
>  the wrong path. (Also, theory, the "/" cookie is being
>  generated by a request for "/favicon.ico" just before the
>  request for the login page.)
> >
> > You should make sure that anything that doesn't require
> > authentication specifically mentions that in web.xml, otherwise
> > you'll get weird things happening like that.
> >
> >> We don't actually use Tomcat container authentication at all.
> 
> Okay, that's good information to have. But you do use Tomcat's
> session-tracking mechanisms, right?
> 
Yes, and the problem only rears its ugly head on a successful login (app 
expires old cookie, creates a new one).
User never even sees a new page, just an app-generated "session expired" error. 
Trying to see things in access logs, but nothing there I can see.

>  So my question is:  Is there anything I can do from a
>  configuration perspective to get it to NOT send the "/"
>  cookie for APP2?
> >
> > Not really... other than changing from ROOT to APP1 or whatever.
> > Overlapping URL spaces for applications leads to tears.
> >
> >> I could do that, though we'd like to keep it so that if no
> >> context is specified we still go to APP1, so the user's don't
> >> have to change all of their bookmarks. Perhaps with a redirect?
> 
> That kind of thing is tough to do, but possible. Something like this:
> 
> # Ignore requests to /APP1
> RewriteCond %{REQUEST_URI} ^/APP1
> RewriteRule .* - [L]
> 
> # 

RE: seeking help with stabilizing the persistence of a JSESSIONID

2015-09-04 Thread Pottinger, Hardy J.
> Are you using AJP or HTTP as your proxy protocol? If AJP, are you
> using tomcatAuthentication="false" on your <Connector>? I'm not
> exactly sure what happens when you do that... you might get a
> NonLoginAuthenticator.

in our Vhost file, we have this:


  ProxyPass ajp://127.0.0.1:8009/xmlui retry=1 keepalive=on
  ProxyPassReverse  ajp://127.0.0.1:8009/xmlui
  ShibUseHeaders On
  SetEnv proxy-sendchunked 1


in our server.xml file, we have this:



So, we're using tomcatAuthentication="false"

I will try your suggestion of using NonLoginAuthenticator and see what I get. 
If it doesn't work, I'll try your suggestion of setting a breakpoint and using 
a debugger to look at the stack.

--Hardy

From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Thursday, September 03, 2015 4:31 PM
To: Tomcat Users List
Subject: Re: seeking help with stabilizing the persistence of a JSESSIONID

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hardy,

On 9/3/15 2:32 PM, Pottinger, Hardy J. wrote:
>> Are you actually using HTTP Basic authentication? You may be
>> configuring the wrong authenticator. (I know nothing about
>> Shibboleth)
>
> I'm using Apache HTTPD as a front-end (via mod_proxy) for Tomcat,
> since Shibboleth works (mostly) with Apache HTTPD. So, the
> authentication happens on the HTTPD side.

Are you using AJP or HTTP as your proxy protocol? If AJP, are you
using tomcatAuthentication="false" on your <Connector>? I'm not
exactly sure what happens when you do that... you might get a
NonLoginAuthenticator.

You could cause any error to occur in your application and then look
at the stack trace to find out what kind of authenticator you got (the
Valve will be in the stack trace).

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV6Lw8AAoJEBzwKT+lPKRYw44QAKJO9pb/0iH1JtQPO1MmRAdE
/NbcpF6wKZ1xnDOE41JmP1rf8KymoO0pv0CNKgdrQdFyFCARQMasEN6ujcW/KTpR
A3N1zdSnAeM/rW7yoh6JqBjJ14+sw65Ve5lZXVuxebJFXvLZePtTMzxV6Obgx4Tm
or+FXM7z7Kl1KsPv0ghYb65/iScpg5Dyi0o+WsOReZjkAivG1Sz0Oz7vHofN/nb+
SpvJD5g8mdQ630Creszmo4vlAUHS6ndvxKdR1xJVCCNwVFKqnAelKa1VUiWRZmb8
529fEh/KHU/GHr1gJ/WXfV5AQXJtMmgGVq+s7jfiyqfHK4b8zmiRgnmJf2M+ItAP
QVCIAhKFmA5BXsulcFoZXXduaBEGjtttD7pfOMcglH5kjm5HN0/0O7PoHKce815U
JHGSoqnsxjmxNa/s6X2CoTpBYdE2k8sGsr0CqWCMOvn++U9SrXW/l7ppi3TXqW5y
I4mlEvfgVG65/Oz2vxmTznTXSXiz+TBf8bcYQf1azKo7wJymxdN7k2qeNuuC7Tp1
p8pUPTF7LQ3u++z02esIP4+BVG6gwjh2Pvj/ghtlGu2wtZVmuSC1L5BvnV6+utgn
ybFrSXJvnxgeC1opUQyn9wQlDibH46MC6WLFWPwkgexKWUk2c5pOAQUn599EMKSn
UmrliKbkSJw81JWylVcc
=7pMV
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





Re: Multiple JSESSIONID cookies being presented.

2015-09-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jeffrey,

On 9/4/15 12:37 PM, Jeffrey Janner wrote:
> I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm 
> also seeing this on Windows (version doesn't matter), with Tomcat 
> 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
> 
> I have 2 contexts installed in Tomcat, one is ROOT, the other
> APP2. Both contexts start off at a login screen unique to the
> context and provided by it (not using container auth).
> 
> When I connect to ROOT, no problem, but when I connect to APP2, I
> get 2 JSESSIONID cookies, one with the path "/" and the other with
> the path "/APP2/".

I would expect this behavior: you have one ROOT app (cookie path=/)
and one APP2 app (cookie path=/APP2). Your browser will send both
cookies to /APP2 because / is a prefix of /APP2.

> On the Windows implementations, we are not seeing a problem, at
> least not one being reported.
> 
> On the Linux implementation, the end user will occasionally get 
> immediately kicked out with an invalid session immediately after 
> providing credentials. The access logs show a single
> jsessionid=xxx being provided on the POST URL.

The POST to j_security_check?

Are you using request.encodeURL() to build the <form> action URL, or
are you building it manually?

I believe Tomcat prefers the Cookie-based session id to anything
coming-in from the URL, and I do know it will search all JSESSIONID
cookies for any that match a valid session (not just the first one) in
the current application. So logging-in should ... always work.

> Amazingly, sometimes that goes through and lets the user login, so
> my theory is that the browser is sometimes picking the wrong path. 
> (Also, theory, the "/" cookie is being generated by a request for 
> "/favicon.ico" just before the request for the login page.)

You should make sure that anything that doesn't require authentication
specifically mentions that in web.xml, otherwise you'll get weird
things happening like that.

> So my question is:  Is there anything I can do from a
> configuration perspective to get it to NOT send the "/" cookie for
> APP2?

Not really... other than changing from ROOT to APP1 or whatever.
Overlapping URL spaces for applications leads to tears.

> Deployment details:

I think there's nothing in here that would change anything.

- -chris

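The behaviour Chris describes above (the browser sends both the ROOT app's JSESSIONID with path "/" and APP2's JSESSIONID with path "/APP2" to anything under /APP2, and the container checks every JSESSIONID it receives against its own session store rather than just the first) follows from the RFC 6265 path-match rule. The script below is an added illustration written for this page, not code from the thread or from Tomcat; the cookie jar, session ids (ROOTSESS, APP2SESS) and the two resolver functions are constructed sample values and a simplified model of the container-side lookup, not Tomcat's implementation.

```python
"""Cookie path scoping and JSESSIONID resolution (constructed example).

Shows RFC 6265 section 5.1.4 path-matching, which is why a browser sends
both the ROOT app's JSESSIONID (path "/") and APP2's JSESSIONID
(path "/APP2") on a request to /APP2/..., and contrasts a server-side
lookup that stops at the first JSESSIONID with one that tries every
JSESSIONID against the app's own session store.
"""
from typing import Dict, List, Optional, Set, Tuple

Cookie = Dict[str, str]

# Constructed cookie jar: one session cookie per deployed context.
# (Tomcat may also emit the context path with a trailing slash, "/APP2/";
# that form would not cover a request to bare "/APP2", see path_match.)
JAR: List[Cookie] = [
    {"name": "JSESSIONID", "value": "ROOTSESS", "path": "/"},
    {"name": "JSESSIONID", "value": "APP2SESS", "path": "/APP2"},
]


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4: does cookie_path cover request_path?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts if the cookie path ends in "/" or the next
    # character of the request path is "/", so "/APP2" does not cover "/APP2x".
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(jar: List[Cookie], request_path: str) -> List[Tuple[str, str]]:
    """Cookies a browser sends to request_path, longest path first (RFC 6265 5.4)."""
    matching = [c for c in jar if path_match(request_path, c["path"])]
    matching.sort(key=lambda c: len(c["path"]), reverse=True)
    return [(c["name"], c["value"]) for c in matching]


def cookie_header(jar: List[Cookie], request_path: str) -> str:
    """Serialise the matching cookies as a Cookie request-header value."""
    return "; ".join(f"{n}={v}" for n, v in cookies_for_request(jar, request_path))


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs, keeping duplicates in order."""
    pairs: List[Tuple[str, str]] = []
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def resolve_session_first_only(header: str, valid_sessions: Set[str]) -> Optional[str]:
    """Naive lookup: take the first JSESSIONID cookie and stop there."""
    for name, value in parse_cookie_header(header):
        if name == "JSESSIONID":
            return value if value in valid_sessions else None
    return None


def resolve_session_any(header: str, valid_sessions: Set[str]) -> Optional[str]:
    """Lookup that tries every JSESSIONID cookie against this app's session store."""
    for name, value in parse_cookie_header(header):
        if name == "JSESSIONID" and value in valid_sessions:
            return value
    return None


if __name__ == "__main__":
    for path in ("/", "/index.jsp", "/APP2", "/APP2/login", "/APP2x"):
        print(f"{path:12} -> Cookie: {cookie_header(JAR, path)}")
    # APP2 only knows its own sessions; a ROOT cookie arriving first must not break login.
    hdr = "JSESSIONID=ROOTSESS; JSESSIONID=APP2SESS"
    print("first-only:", resolve_session_first_only(hdr, {"APP2SESS"}))
    print("any:       ", resolve_session_any(hdr, {"APP2SESS"}))
```

Running it prints the Cookie header a browser would build for each path: "/APP2/login" carries both ids (APP2's first, because longer paths sort first), "/index.jsp" carries only the ROOT id, and "/APP2x" gets only the ROOT id because "/APP2" is not a path-match for it. The two resolvers show the difference Chris points to: with the ROOT cookie listed first, the first-only lookup finds no valid session for APP2, while the lookup that tries every JSESSIONID still resolves APP2SESS.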



WebappClassLoaderBase.addTransformer and servlet 3.0

2015-09-04 Thread Bryn Cooke

Hi,
I've recently been looking at using the class transformer functionality 
in Tomcat 8.0.26 and came across a subtle interaction with servlet 3.0. 
I am registering my transformer in a ServletContainerInitializer via 
InstrumentableClassLoader.addTransformer, but couldn't understand why 
some classes appeared to not undergo transformation. It turned out they 
were annotated and were being passed in to another 
ServletContextInitializer by virtue of it using @HandlesTypes. This 
meant that the class had already been loaded before I had a chance to 
register the transformer.


I can't think of a nice way around this, but was wondering if there 
was any appetite for creating a mechanism to register transformers 
directly after WebAppClassLoader is set up, perhaps via the 
ServiceLoader mechanism?

Or perhaps there is another way of registering the transformer earlier?

Ideally I would like to avoid the javaagent route as it will interfere 
with other web apps that are deployed on the same tomcat instance and 
make deployment less easy.


Many thanks,

Bryn






Re: Dynamically Create Subdomains - Tomcat 7x

2015-09-04 Thread tomcat

On 04.09.2015 05:31, Kiran Badi wrote:

Hi,

I need some help, I need to create subdomains dynamically, Is this possible
?

I have a site, www.mymainsite.com

on this main site, I drop the zipcode and city cookie and then I forward it
to front controller, and it's this front controller  which will point it to
city subdomain.

Can we create subdomains on the fly in tomcat ?



Kiran,
Can you try to re-phrase your question in terms which people without a crystal ball would understand?




What is well conceived is expressed clearly, and the words to say it come easily.
L'Art poétique (1674)
Nicolas Boileau-Despréaux






Re: seeking help with stabilizing the persistence of a JSESSIONID

2015-09-04 Thread tomcat

On 03.09.2015 23:31, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hardy,

On 9/3/15 2:32 PM, Pottinger, Hardy J. wrote:

Are you actually using HTTP Basic authentication? You may be
configuring the wrong authenticator. (I know nothing about
Shibboleth)


I'm using Apache HTTPD as a front-end (via mod_proxy) for Tomcat,
since Shibboleth works (mostly) with Apache HTTPD. So, the
authentication happens on the HTTPD side.


Are you using AJP or HTTP as your proxy protocol? If AJP, are you
using tomcatAuthentication="false" on your <Connector>? I'm not
exactly sure what happens when you do that... you might get a
NonLoginAuthenticator.

You could cause any error to occur in your application and then look
at the stack trace to find out what kind of authenticator you got (the
Valve will be in the stack trace).



I believe there may be some confusion here.
The things to find out would be:

1) if *all* accesses to the application go through httpd first. And if yes, by what 
mechanism does httpd proxy them to Tomcat? (choices: mod_proxy_http / mod_proxy_ajp / 
mod_jk)
2) if yes to the above, then: does httpd do the authentication before proxying these 
calls to Tomcat?


(because if yes to both above, then the issue looks to be more at the httpd level, than at 
the Tomcat level)


In other words, it may be helpful to paste a copy of the httpd configuration 
here.
(Do not attach it, paste it in (after removing anything irrelevant or confidential); the 
list strips most attachments).







Re: WebappClassLoaderBase.addTransformer and servlet 3.0

2015-09-04 Thread Mark Thomas
On 04/09/2015 08:22, Bryn Cooke wrote:
> Hi,
> I've recently been looking at using the class transformer functionality
> in Tomcat 8.0.26 and came across a subtle interaction with servlet 3.0.
> I am registering my transformer in a ServletContainerInitializer via
> InstrumentableClassLoader.addTransformer, but couldn't understand why
> some classes appeared to not undergo transformation. It turned out they
> were annotated and were being passed in to another
> ServletContextInitializer by virtue of it using @HandlesTypes. This
> meant that the class had already been loaded before I had a chance to
> register the transformer.
> 
> I can't think of a nice way around this, but was wondering if there
> was any appetite for creating a mechanism to register transformers
> directly after WebAppClassLoader is set up, perhaps via the
> ServiceLoader mechanism?

You aren't the first to hit this problem:
https://bz.apache.org/bugzilla/show_bug.cgi?id=58143

> Or perhaps there is another way of registering the transformer earlier?

Only if you provide a custom class loader implementation (which is also
non-trivial for deployment).

> Ideally I would like to avoid the javaagent route as it will interfere
> with other web apps that are deployed on the same tomcat instance and
> make deployment less easy.

The cleanest way to do this would be to add an option to the Context to
list the transformer classes that should be applied. I'd suggest
re-opening BZ 58143 as an enhancement, documenting your proposal and
adding something to the referenced Spring issue asking for input from
the Spring community.

Mark

