Re: Ignore or Trust any certificate
I know about catching the exception. I just want to know if there is a way to tell tomcat to ignore or trust any third party certificates. Do you have any idea on that?

Hassan Schroeder-2 wrote:
> On Fri, Jul 10, 2009 at 9:36 PM, kareem_s_m <kareemud...@gmail.com> wrote:
>> So when my site connects to a site through HTTPS protocol, tomcat tires to
>
> Whoa. Your site doesn't connect to anything. And Tomcat doesn't tire (sic) anything. Your *application* is, wait, what?
>
>> Caught unhandled exception: javax.net.ssl.SSLHandshakeException:
>
> apparently *not* handling a predictable exception.
>
> Fix your application.
>
> --
> Hassan Schroeder hassan.schroe...@gmail.com
> twitter: @hassan
Re: Running scheduled jobs
Ravi Sharma wrote:
> Hi All,
> I need to run some threads at particular time during the day, does Tomcat provide any such facility? If not then what's the other best way to go for it.

Well for scheduled jobs Quartz is a common tool, if java.util.Timer is not sufficient. Certainly not Tomcat-related however as only full JEE containers have built-in timer support.

> Basically I recalculate my site's visitor data every 30 minutes and keep it in cache and then display it to users. A 30 minute delay for my data is fine, but at least I don't need to run queries to find those data for each request. Now every 30 minutes I want to run those queries and update the cache. How can I achieve it?

Trying to use java.util.Timer or Quartz for this particular problem appears architecturally questionable however. Preferably you would have an O/R mapper like Hibernate and rely on some second level cache like EHCache to do this common DB query caching stuff via configuration instead of implementing such common tasks on your own.

Maybe you want to rethink that from an architectural point of view to get things right for all DB queries, unless the problem described is very focused on that particular caching problem.

Sometimes OSCache's JSP-based caching can also be a valid solution, if all you want to do is to cache some view results:
http://www.opensymphony.com/oscache/wiki/JSP%20Tags.html

> Thanks,
> Ravi.

Cheers,
Michael
Re: Problems downloading files. How to identify the CANCEL button?
What is the business requirement that forces you to log such information? What is the cost of a false positive?

Some time ago I experimented with AccessLogValve, trying to download some large file, to see how it logs aborted downloads. I used Firefox and pressed cancel as soon as the Save As dialog was displayed. The result is that the log showed about 40-50 Mb of transferred data by that time (the whole file was about 70 Mb), thus the browser was caching the result while displaying the dialog.

Also, are you going to support resuming aborted downloads? Are you dealing with download accelerators (that try to download the same file in several pieces)? You will know which byte ranges were requested, but the size of each piece will be less than the whole file.

2009/7/8 <siom...@portosdobrasil.gov.br>:
> The buttons I see [OPEN], [SAVE] and [CANCEL] are not created and controlled by me. They belong to the download manager window that comes automatically with a certain command.
>
> The problem I noticed is that by the time this download manager window shows up the entire code on the servlet has been already executed. The messages below that I included are displayed before any click on any of those buttons.
>
> here 1
> here 2
> here 3
> here 4
> here 5
> here 6
>
> Any help is welcome. I am looking so hard for a solution but I am not finding anything on the web.
>
> Siomara
>
> -----Original Message-----
> From: Martin Gainty [mailto:mgai...@hotmail.com]
> Sent: Tuesday, July 7, 2009 19:51
> To: Tomcat Users List
> Subject: RE: Problems downloading files. How to identify the CANCEL button?
> at least 2 ways to determine the button selected
>
> 1) set a boolean property which is enabled on or off based on executed button
>
>     class MyAction extends ActionSupport {
>         private boolean submit;
>         private boolean clear;
>
>         public void setSubmit(boolean submit) {
>             this.submit = submit;
>         }
>
>         public void setClear(boolean clear) {
>             this.clear = clear;
>         }
>
>         public String execute() {
>             if (submit) {
>                 doSubmit();
>                 return "submitResult";
>             }
>             if (clear) {
>                 doClear();
>                 return "clearResult";
>             }
>             return super.execute();
>         }
>     }
>
> 2) check the name of the button as indicated here
>
>     class MyAction extends ActionSupport {
>         private String buttonName;
>
>         public void setButtonName(String buttonName) {
>             this.buttonName = buttonName;
>         }
>
>         public String execute() {
>             if ("Submit".equals(buttonName)) {
>                 doSubmit();
>                 return "submitResult";
>             }
>             if ("Clear".equals(buttonName)) {
>                 doClear();
>                 return "clearResult";
>             }
>             return super.execute();
>         }
>     }
>
> http://cwiki.apache.org/WW/multiple-submit-buttons.html
>
> many other solutions are available from devs
>
> Martin
>
> From: siom...@portosdobrasil.gov.br
> To: users@tomcat.apache.org
> Subject: Problems downloading files. How to identify the CANCEL button?
> Date: Tue, 7 Jul 2009 15:09:05 -0300
>
> Dear all,
>
> I need to log some information only after a user downloads or opens a file. I am using a servlet for that and the download part works fine. However I need to identify which button was clicked because in case the user clicks [CANCEL] I am not supposed to register any information.
> I put lots of messages on the code to understand how it works and even if I click [CANCEL] the messages will be printed showing that all commands will be executed no matter which button was clicked.
>
> Can someone help me to identify which button was clicked?
>
> Thanks
> Siomara
>
> ===
>
>     package servlets.comum;
>
>     import java.io.*;
>     import javax.servlet.*;
>     import javax.servlet.http.*;
>
>     /**
>      * Definition of class DownloadFile.
>      */
>     public class DownloadFile extends HttpServlet {
>         private String original_filename = "MYFILE.txt";
>         private String filename = "C:\\ABC.txt";
>
>         /**
>          * Processes requests for both HTTP GET and POST methods.
>          * @param request servlet request
>          * @param response servlet response
>          */
>         protected void processRequest(HttpServletRequest request, HttpServletResponse response)
>                 throws ServletException, IOException {
>             File f = new File(filename);
>             int length = 0;
>             ServletOutputStream op = response.getOutputStream();
>             ServletContext context = getServletConfig().getServletContext();
>             String mimetype =
Re: Problems downloading files. How to identify the CANCEL button?
Christopher Schultz wrote:
> André,
>
> On 7/8/2009 6:40 AM, André Warnier wrote:
>> The /only/ way, from a design perspective, to make sure, is some architecture whereby, at the user browser side, something checks that everything has been received, and then sends back some OK signal to your webapp, to acknowledge the full data reception.
>
> +1
>
>> That could be, for example, a Java applet running at the browser side, or maybe some Java code using XMLHttpRequest (usually referred to as Ajax).
>
> s/some Java/some Javascript/
>
> - -chris

s/\-\s\-chris/Ooops.\nAndré/
Re: Problems downloading files. How to identify the CANCEL button?
Konstantin Kolinko wrote:
> What is the business requirement that forces you to log such information? What is the cost of a false positive?

A usual example is when the customer is paying for some downloaded document. At the server side, you would want an absolute, no-complaints-possible, trace that the download did occur successfully. Something you can wiggle under the customer's nose when they complain about the bill.

All the more reason to have some active component at the client side, acknowledging the download back to the server, with some unique timestamp, id, etc.
Re: Ignore or Trust any certificate
On 11-Jul-2009, at 00:36, kareem_s_m wrote:
> So when my site connects to a site through HTTPS protocol, tomcat tires to validate the server certificate with the cacerts keystore in my JDK. Now if the server certificate is signed by a trusted authority then the connection is successful. But if the certificate is a test one (not signed by any trusted authority) and when tomcat tries to validate the certificate, the validation fails and the connection fails. The error I get is as follows:
>
> Caught unhandled exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
>
> So to avoid this, I want to know if tomcat can ignore or trust any server certificate without validating it.

What API are you using to connect to the server? For example the default java.net.URL or HttpClient?

If you are using HttpClient, you may want to look at this thread:
http://forums.sun.com/thread.jspa?threadID=411937&messageID=1886339

André-John
Re: Ignore or Trust any certificate
On Sat, Jul 11, 2009 at 12:44 AM, kareem_s_m <kareemud...@gmail.com> wrote:
> I know about catching the exception. I just want to know if there is a way to tell tomcat to ignore or trust any third party certificates.

And I'm saying that Tomcat has *nothing to do with it*. It's your application making the request, not Tomcat. And it's up to your application to handle the result of that request.

FWIW,
--
Hassan Schroeder hassan.schroe...@gmail.com
twitter: @hassan
Re: request.setCharacterEncoding() request.getParameter()
André,

On 7/8/2009 12:14 PM, André Warnier wrote:
> 2) find out the available locales on the Linux host where you run this Tomcat.
>
>     locale -a | more
>
> Pick one locale that has utf8 in the name, note its name. In the system script that starts Tomcat, add
>
>     export LC_ALL=pt_pt.u...@euro
>
> (or whichever locale you have chosen). That sets the system locale for the JVM that runs Tomcat, and is a way to make it independent from whatever may be the system's configured default locale.

This shouldn't really matter: the default locale for the JVM does not affect the encoding used for reading request URIs and bodies: the body is always decoded using the Content-Type request header (or ISO-8859-1 if none is provided) and the URI is always decoded using ISO-8859-1 unless you have overridden it using the appropriate Connector attribute.

Reading files off the disk /is/ usually done using the default encoding. I haven't read the spec wrt JSP files, but I would hesitate to use any non-ASCII characters in these files - just like you should when saving .java files. Any non-ASCII characters can be expressed using \u syntax. Another poster mentioned using native2ascii with .properties files, which can be used for this purpose as well.

> 3) All your html pages should have a declaration like:
>
>     <meta http-equiv="content-type" content="text/html; charset=UTF-8" />

This is debatable :)

> 10) If you want to really make sure, include in all your forms some hidden input value, containing a known string with accented characters (áàéèÜÖ and such).

Since you mentioned that you had done this at some point, I've been thinking about a way to do this in an automated way, so you could sort of turn it on for your entire site. I think the only way to wave a magic wand and have this work is if you were already using some kind of custom <xyz:form> JSP tag library, and you were to subclass and replace the class that implements the <xyz:form> tag to add a hidden input parameter.
A corresponding Filter would need to be written to check for the proper decoding of the GET parameter, but this could be used site-wide with no further invasiveness. (Of course, using <xyz:form> is probably relatively invasive unless you are already using a tag library such as Struts's).

-chris
Re: [OT] Ignore or Trust any certificate
Kareem,

On 7/10/2009 2:46 PM, kareem_s_m wrote:
> Is there a way in tomcat to ignore or trust any SSL certificate when connecting to a site through https? I know there is some JAVA code for it. But can we do it through tomcat or JVM settings too?

As others have said, this is not an issue with Tomcat; it is an issue with the way you are connecting to the remote server.

To /actually/ answer your question, allow me to post a README (written by me) that we keep lying around our development servers for just this purpose. You'll find the text following my signature. I hope it helps: we use these techniques all the time in order to avoid SSL handshake errors.

I realize that some of the items mentioned might not be useful to you, but others may learn something.

Enjoy.

-chris

Getting Java to Play Nice with SSL Connections

This README serves to instruct the user in the fine art of dealing with Java and SSL certificates. These instructions will help most when you are trying to make an SSL connection to a remote host when that host has an SSL certificate that is either self-signed, used for demo or testing purposes, or is signed by a certificate authority (CA) that you do not trust. If you do not trust the CA, you might want to think again about doing business with the server. In any case, read on for how to install such a certificate.

First of all, if the server to which you are connecting has a valid certificate that has been signed by a well-known CA, then you probably don't have to do anything. Try your connection to see if it works.
If you get an exception like this, then keep reading:

    sun.security.validator.ValidatorException: No trusted certificate found
        at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
        at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
        at sun.security.validator.Validator.validate(Validator.java:202)

This exception is thrown because you do not trust the certificate that has been handed to you by the server. Assuming that you want the connection to work properly, you have several options.

Import the certificate into your own keystore, making it trusted.

Here is one way to do it:

1. Visit your site in SSL mode with a browser that allows you to save a copy of the certificate to a file (Microsoft Internet Explorer will allow you to do this).

2. Save the certificate to a file. With MSIE, you can go to File | Properties and then click the Certificates button. From there, choose the details tab and then click the Copy to File button. This will launch a short wizard to export the cert. Choose DER encoded binary X.509 and save the file somewhere.

3. Import that cert into your keystore.

    $ keytool -import -file [the cert file] -keystore [the key store]

Although you should be able to use the keystore of the user that is running the Java process (~/.keystore), I've found that it doesn't always work that way. You might have to modify the keystore for the JRE itself, which is usually located in $JAVA_HOME/jre/lib/security/cacerts. You might want to save a backup copy of the cacerts file before you start messing with it.

Steps 1 and 2 can be replaced with a single openssl invocation if you have access to the server's private key:

    $ openssl x509 -pubkey -in [server cert] -out [public cert] -outform DER

Use the resulting file ([public cert]) in step #3. Openssl will also dump a public key to standard output, which can be ignored.
Disable Certification Validation, Avoiding the Problem

Note that this will disable certificate checking for all SSL connections, and not just those for which validation should be skipped. Actually, you can modify this technique for use on a per-connection basis if you have access to the HttpURLConnection object used for the connection itself.

This code was written and tested on JDK 1.4.2_09.

You need to execute this code before you attempt to make an SSL connection.

    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import javax.net.ssl.HttpsURLConnection;

    public static void disableSSLCertificateChecking()
    {
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
Re: Running scheduled jobs
Ravi,

On 7/10/2009 10:32 PM, Ravi Sharma wrote:
> I need to run some threads at particular time during the day, does Tomcat provide any such facility? If not then what's the other best way to go for it.

Other than webapp-oriented options, I'd like to remind you (and others) that any decent server OS has the ability to schedule jobs outside of any request-oriented server like Tomcat. Consider using cron on *NIX or the Task Scheduler on Windows or whatever. You can still write your code in Java if you want.

I just find that running scheduled jobs from a webapp to be inappropriate at best and inconvenient and unreliable at worst. Schedulers such as cron have the ability to run jobs at strange intervals (such as every day, but only on weekdays), to run jobs missed during system downtime, etc.

> Basically I recalculate my site's visitor data every 30 minutes and keep it in cache and then display it to users. A 30 minute delay for my data is fine, but at least I don't need to run queries to find those data for each request. Now every 30 minutes I want to run those queries and update the cache. How can I achieve it?

You could write a component that updates visitor data on demand at intervals instead of proactively scheduling it: it's just an expiring cache. Your component returns the cached data unless some time limit has been exceeded, at which point all clients wait while the new set of visitor data is loaded into the cache.

-chris
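An added example, not code from the thread: one way to write the expiring cache described in the last paragraph above, where callers get the cached value until it is too old and then block while a single reload runs. The class name, the loader interface and the choice to keep serving the stale value when a reload fails are assumptions; the query in main() is a constructed stand-in for the visitor-data query.

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

public class ExpiringValue<T> {
    private final Supplier<T> loader;   // runs the expensive query
    private final long maxAgeNanos;
    private T value;
    private long loadedAt;
    private boolean loaded;

    public ExpiringValue(Supplier<T> loader, long maxAgeMillis) {
        this.loader = loader;
        this.maxAgeNanos = maxAgeMillis * 1_000_000L;
    }

    /**
     * Returns the cached value, reloading it first when it is missing or
     * older than the limit. The method is synchronized, so while one caller
     * reloads, every other caller waits and then sees the fresh value.
     */
    public synchronized T get() {
        if (!loaded || System.nanoTime() - loadedAt >= maxAgeNanos) {
            try {
                value = loader.get();
                loaded = true;
                loadedAt = System.nanoTime();
            } catch (RuntimeException e) {
                if (!loaded) {
                    throw e;            // nothing to fall back on yet
                }
                // Reload failed: keep the stale value, retry on the next call.
            }
        }
        return value;
    }

    public static void main(String[] args) throws InterruptedException {
        AtomicInteger queries = new AtomicInteger();
        // Constructed loader: counts how often the "query" really runs.
        ExpiringValue<String> stats = new ExpiringValue<>(
                () -> "visitor data from query #" + queries.incrementAndGet(),
                200);                   // 200 ms here; 30 minutes in the thread

        System.out.println(stats.get());    // runs query #1
        System.out.println(stats.get());    // served from cache, still #1
        Thread.sleep(250);
        System.out.println(stats.get());    // limit exceeded, runs query #2
    }
}
```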
Re: Filter RequestWrapper
Pid,

On 7/8/2009 1:06 PM, Pid wrote:
> Filters are not applied during the RequestDispatcher.forward() operation.

They can be, if configured with <dispatcher>FORWARD</dispatcher> in web.xml when using a Servlet 2.5-compliant webapp.

> You would need to wrap any unwrapped requests before passing a modified request to the forward method.

If the request has already been wrapped, the wrapped request should be passed-on to the forwarded page.

> The original request shouldn't be unwrapped from the new request object.

It may not even be available, since HttpServletRequest doesn't expose an unwrapRequest method.

-chris
Re: Filter RequestWrapper
Ivo,

On 7/9/2009 6:32 AM, Ivo Silva wrote:
> To both browser and Tomcat it's only one session. My filter is what manages the nested sessions distribution and that's why an identifier is required. Each iframe should have its own session since the application stores data on session. If I do not provide different sessions the variables would overwrite each other and each iframe would have the same information.

What if you used a request parameter instead of request path info?

So, to re-state, you want to take the following URLs and make them serve a single page, after unwrapping a special session that is stored in the main session:

    /context/X/page_1.jsp
    /context/Y/page_1.jsp
    /context/Z/page_1.jsp

??

I still don't understand why the URL rewriting is necessary, though I *do* understand the session multiplexing (which is a total PITA, BTW).

-chris
Re: RemoteAddressValve
Leo,

On 7/8/2009 10:01 AM, Leo Donahue - PLANDEVX wrote:
> If I put the following nested in the Host element of my server.xml, is that the right way to do it?
>
>     <Context path="/mywebapp" docBase="mywebapp" debug="0" privileged="true">
>       <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="176.24.*.*"/>
>     </Context>

Note that it is inappropriate to put Context elements in server.xml in versions of Tomcat after the 5.0.x series. Assuming you are using something more recent (and you should be!), you want to use a META-INF/context.xml file within your webapp's WAR file (or WAR-like directory structure). The XML is the same, it's just in a separate file.

-chris
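An added example, not from the thread: RemoteAddrValve's allow attribute is documented as a regular expression rather than a wildcard mask, so it is worth checking what the value in the quoted Valve element accepts before relying on it. The check below assumes the valve compares the whole client address against the pattern with java.util.regex; the escaped pattern (assuming the intended range is 176.24.x.x) and the sample addresses are constructed for the illustration.

```java
import java.util.regex.Pattern;

public class RemoteAddrPatternCheck {

    /** Full-match comparison of a client address against one allow pattern. */
    static boolean allowed(String allowPattern, String remoteAddr) {
        return Pattern.compile(allowPattern).matcher(remoteAddr).matches();
    }

    public static void main(String[] args) {
        // Value as posted: each '.' matches any character and ".*" matches
        // any run of characters, so only the "176" prefix is really fixed.
        String posted = "176.24.*.*";
        // Escaped form (assumption: the intended range is 176.24.x.x).
        String escaped = "176\\.24\\.\\d+\\.\\d+";

        // Constructed sample addresses.
        String[] samples = {
            "176.24.10.5",    // inside the intended range
            "176.240.10.5",   // different second octet
            "176.249.1.1",    // different second octet
            "10.0.0.1"        // unrelated address
        };

        System.out.printf("%-15s %-8s %-8s%n", "address", "posted", "escaped");
        for (String ip : samples) {
            System.out.printf("%-15s %-8b %-8b%n",
                    ip, allowed(posted, ip), allowed(escaped, ip));
        }
        // The posted pattern accepts the first three addresses;
        // the escaped pattern accepts only the first.
    }
}
```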
Re: Strange delays after about 800 users on a server -- tomcat 4.1.27, apache 2.0.54, LB/SSL on a Cisco ACE
Shaun,

On 7/8/2009 1:35 PM, Shaun Qualheim wrote:
> *Tomcat 4.1.27-LE

You might consider upgrading at some point. 4.1 is getting ready to be retired, and the 3 (yes 3!) versions since then all have significant performance improvements that may help your situation.

> Apache is listening on ports 80 and 81 using http. Port 80 immediately rewrites everything to an https:// url. That https:// url goes to the load balancer on 443 and is passed to the appliance on port 81.

Wait... what?

client -- http:80 -- httpd -- https:443 -- lb -- http:81 -- Tomcat?

You said you have 3 TC instances. Is that 1 instance on each of 3 separate physical servers, so port 81 is used on them all? Why bother with SSL after the request is within your network? Also, why have httpd forward all traffic to a load-balancer instead of just doing the load-balancing itself?

Maybe I have misunderstood your setup, but it seems overly complicated.

> When we use our application with all http (port 80 doesn't rewrite), the system works fine when we run a load test. We can push 2100 concurrent users out of each server.

Okay.

> However... using the same setup beyond the load balancer, we are only about to get to about 2500 concurrent users across the three servers (about 800 per server) before we start seeing very long delays (1-2 minutes where we should be seeing a few seconds) on miscellaneous functions throughout the application.

Does the load-balancer have any kind of traffic shaping or bandwidth/connection limiting configured? What do your Connector elements look like in Tomcat's server.xml?

> We're pretty perplexed on why the sudden slowdown happens at about 800 users per server. It works fine when we're http only. We don't see anything that stands out in the apache or catalina logs that would seem to be concerning (broken pipes, abnormal timeouts, etc.) I would greatly appreciate any help anyone can offer us.
So, does it look like you are hitting a wall (like there aren't enough connections allowed) or does the application/server start to experience an actual slowdown (like high CPU load, lots of paging, etc.)?

-chris
Re: [OT] Ignore or Trust any certificate
Thank you. I was aware of importing the certificate using keytool and the java code to trust all certificates. I was just wondering if there was a way to do the latter at tomcat level. Looks like that's not possible. Thank you all for your replies.

Christopher Schultz-2 wrote:
> Kareem,
>
> On 7/10/2009 2:46 PM, kareem_s_m wrote:
>> Is there a way in tomcat to ignore or trust any SSL certificate when connecting to a site through https? I know there is some JAVA code for it. But can we do it through tomcat or JVM settings too?
>
> As others have said, this is not an issue with Tomcat; it is an issue with the way you are connecting to the remote server.
>
> To /actually/ answer your question, allow me to post a README (written by me) that we keep lying around our development servers for just this purpose. You'll find the text following my signature. I hope it helps: we use these techniques all the time in order to avoid SSL handshake errors.
>
> I realize that some of the items mentioned might not be useful to you, but others may learn something.
>
> Enjoy.
>
> -chris
>
> Getting Java to Play Nice with SSL Connections
>
> This README serves to instruct the user in the fine art of dealing with Java and SSL certificates. These instructions will help most when you are trying to make an SSL connection to a remote host when that host has an SSL certificate that is either self-signed, used for demo or testing purposes, or is signed by a certificate authority (CA) that you do not trust. If you do not trust the CA, you might want to think again about doing business with the server. In any case, read on for how to install such a certificate.
>
> First of all, if the server to which you are connecting has a valid certificate that has been signed by a well-known CA, then you probably don't have to do anything. Try your connection to see if it works.
RE: RES: Problems downloading files. How to identify the CANCEL button?
Sure:

    package servlets.comum;

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import comum.ArquivoGestor;

    /**
     * Definition of class DownloadFile.
     */
    public class DownloadFile extends HttpServlet {
        private String original_filename = "MYFILE.txt";
        private String filename = "C:\\ABC.txt";
        ArquivoGestor arquivoGestor;

        /**
         * Processes requests for both HTTP GET and POST methods.
         * @param request servlet request
         * @param response servlet response
         */
        protected void processRequest(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            File f = new File(filename);
            int length = 0;
            ServletOutputStream op = response.getOutputStream();
            ServletContext context = getServletConfig().getServletContext();
            String mimetype = context.getMimeType(filename);

            //
            // Set the response and go!
            //
            response.setContentType((mimetype != null) ? mimetype : "application/octet-stream");
            response.setContentLength((int) f.length());
            response.setHeader("Content-Disposition",
                    "attachment; filename=\"" + original_filename + "\"");

            //
            // Stream to the requester.
            //
            byte[] bbuf = new byte[filename.length()];
            DataInputStream in = new DataInputStream(new FileInputStream(f));
            while ((in != null) && ((length = in.read(bbuf)) != -1)) {
                op.write(bbuf, 0, length);
            }
            in.close();
            op.flush();
            op.close();

            // The lines below will retrieve information from request and
            // register them into the database (interested user ID/file ID/ and
            // licitation ID). The problem, as I said, is that by the time the
            // download manager window (that this code displays) shows up the
            // entire code has been already executed.
            int interessadoID = Integer.parseInt(request.getParameter("int"));
            int arquivoID = Integer.parseInt(request.getParameter("arq"));
            int licitacaoID = Integer.parseInt(request.getParameter("lic"));
            arquivoGestor = new ArquivoGestor();
            arquivoGestor.registerLicitacaoDownoad(interessadoID, arquivoID, licitacaoID);
        }

        /**
         * Handles the HTTP GET method.
         * @param request servlet request
         * @param response servlet response
         */
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }

        /**
         * Handles the HTTP POST method.
         * @param request servlet request
         * @param response servlet response
         */
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }
    }

> -----Original Message-----
> From: Martin Gainty
> To: Tomcat Users List
> Sent: 10/07/2009 22:45
> Subject: RE: RES: Problems downloading files. How to identify the CANCEL button?
>
> yes
>
> Op: could you display the jsp ?
>
> Martin Gainty
RE: [OT] Ignore or Trust any certificate
-Original Message-
From: kareem_s_m
Sent: Saturday, July 11, 2009 17:38

Thank You. I was aware of importing the certificate using keytool and the java code to trust all certificates. I was just wondering if there was a way to do the latter at tomcat level. Looks like that's not possible. Thank you all for your replies.

So is your question: If a connection is made, and the certificate is not trusted, can it be added (maybe temporarily) to the trusted list at runtime? The other option of ignoring the missing trust at runtime was described in the README, very well I may add.

Christopher Schultz-2 wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Kareem,

On 7/10/2009 2:46 PM, kareem_s_m wrote:
Is there a way in tomcat to ignore or trust any SSL certificate when connecting to a site through https? I know there is some JAVA code for it. But can we do it through tomcat or JVM settings too?

As others have said, this is not an issue with Tomcat; it is an issue with the way you are connecting to the remote server.

To /actually/ answer your question, allow me to post a README (written by me) that we keep lying around our development servers for just this purpose. You'll find the text following my signature. I hope it helps: we use these techniques all the time in order to avoid SSL handshake errors. I realize that some of the items mentioned might not be useful to you, but others may learn something.

Enjoy.

- -chris

Getting Java to Play Nice with SSL Connections

This README serves to instruct the user in the fine art of dealing with Java and SSL certificates. These instructions will help most when you are trying to make an SSL connection to a remote host when that host has an SSL certificate that is either self-signed, used for demo or testing purposes, or is signed by a certificate authority (CA) that you do not trust. If you do not trust the CA, you might want to think again about doing business with the server. In any case, read on for how to install such a certificate.

First of all, if the server to which you are connecting has a valid certificate that has been signed by a well-known CA, then you probably don't have to do anything. Try your connection to see if it works. If you get an exception like this, then keep reading:

sun.security.validator.ValidatorException: No trusted certificate found
    at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
    at sun.security.validator.Validator.validate(Validator.java:202)

This exception is thrown because you do not trust the certificate that has been handed to you by the server. Assuming that you want the connection to work properly, you have several options.

Import the certificate into your own keystore, making it trusted. Here is one way to do it:

1. Visit your site in SSL mode with a browser that allows you to save a copy of the certificate to a file (Microsoft Internet Explorer will allow you to do this).

2. Save the certificate to a file. With MSIE, you can go to File | Properties and then click the Certificates button. From there, choose the details tab and then click the Copy to File button. This will launch a short wizard to export the cert. Choose DER encoded binary X.509 and save the file somewhere.

3. Import that cert into your keystore.

   $ keytool -import -file [the cert file] -keystore [the key store]

Although you should be able to use the keystore of the user that is running the Java process (~/.keystore), I've found that it doesn't always work that way. You might have to modify the keystore for the JRE itself, which is usually located in $JAVA_HOME/jre/lib/security/cacerts. You might want to save a backup copy of the cacerts file before you start messing with it.

Steps 1 and 2 can be replaced with a single openssl invocation if you have access to the server's private key:

   $ openssl x509 -pubkey -in [server cert] -out [public cert] -outform DER

Use the resulting file ([public cert]) in step #3. Openssl will also dump a public key to standard output, which can be ignored.

Disable Certification Validation, Avoiding the Problem

Note that this will disable certificate checking
RE: Problems downloading files. How to identify the CANCEL button?
Andre came up with a good reason and here is mine: I work for the Brazilian government that wants to keep track of people who download certain specific files. It also wants to send emails to the ones that at least started the download process of these files. So, for this reason, there is no interest at all to send emails for those that canceled the download process.

I am looking forward for a solution because the way my code is now is wrong. It is logging everybody no matter which button they pressed (open, save or cancel).

Once more, any suggestion is more than welcome.

Siomara

-Original Message-
From: André Warnier
To: Tomcat Users List
Sent: 11/07/2009 06:24
Subject: Re: Problems downloading files. How to identify the CANCEL button?

Konstantin Kolinko wrote:
What is the business requirement that forces you to log such information? What is the cost of a false positive?

A usual example is when the customer is paying for some downloaded document. At the server side, you would want an absolute, no-complaints-possible, trace that the download did occur successfully. Something you can wiggle under the customer's nose when they complain about the bill.

All the more reason to have some active component at the client side, acknowledging the download back to the server, with some unique timestamp, id, etc.