RE: Serialization

2010-10-04 Thread Joseph Morgan
This has nothing to do with Tomcat; it has to do with Java,
serialization and OO.  

What are you trying to persist because it looks like you are persisting
what amounts to be an inner class to a JSP?  Consider changing that to a
simple JavaBean not considered an inner class to the compiled JSP and
you'll be fine.  You'll never be able to cast w4a$ddm2 into w4b$ddm2 or
vice-versa, but you can cast an instance of w4a$ddm2 or w4b$ddm2 to
their common type, if they have one.  Just having the same code does not
make them the same class when compiled.

-Original Message-
From: Wolfgang Orthuber [mailto:orthu...@kfo-zmk.uni-kiel.de] 
Sent: Monday, October 04, 2010 8:10 AM
To: Tomcat Users List
Subject: Serialization


  Hello,

my tomcat version is 5.5.17, my question concerns serialization of 
objects, below is a code section for writing and reading an object. If I

call write immediately before read:
d5.write();
d5.read();

then all works fine, but if I use only read (on a formerly written 
file) with the same code included in another program module, I got the 
exceptions like this:
java.lang.ClassCastException: org.apache.jsp.w.w4a_jsp$1ddm2 cannot be 
cast to org.apache.jsp.w.w4b_jsp$1ddm2

in which w4a.jsp and w4b.jsp are two different modules which include the

same code for read and write. The name of the program module is stored 
in the serialized object, but the name of the program module does not 
matter, because both modules include the same code.

Do you know a simple solution which avoids the exception?

Wolfgang



The code section with read and write:


class dm5t implements Serializable {
    public ArrayList<ddm2> v5;

    public dm5t() { v5 = new ArrayList<ddm2>(); }

    public String topicpath() {
        return getServletContext().getRealPath("") + "/tp/";
    }

    public synchronized boolean write() {
        String fn = fntopics;
        boolean ok = true;
        try {
            String spath = topicpath();

            FileOutputStream fs = new FileOutputStream(spath + fn);
            ObjectOutputStream os = new ObjectOutputStream(fs);
            os.writeObject(v5);
            os.close();
        } catch (IOException e) { ok = false; }
        return ok;
    }

    public synchronized boolean read() {
        String fn = fntopics;
        boolean ok = true;
        ArrayList<ddm2> v5tmp = null;
        try {
            String spath = topicpath();

            FileInputStream fs = new FileInputStream(spath + fn);
            ObjectInputStream os = new ObjectInputStream(fs);

            v5tmp = (ArrayList<ddm2>) os.readObject();
            os.close();
        } catch (IOException e) { ok = false; }
        catch (ClassNotFoundException e) { ok = false; }
        if (ok && v5tmp != null) v5 = v5tmp;
        return ok;
    }
}


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





Re: Serialization

2010-10-04 Thread Ognjen Blagojevic

If I understand correctly both ddm2 and dm5t are defined in .jsp files?

If so, you could separate class definitions from .jsp files.

-Ognjen


On 4.10.2010 15:38, Wolfgang Orthuber wrote:

w4a.jsp and w4b.jsp are the names of two different jsp files. Both contain
<%@ include file="wtovedi.jsp" %>
and the file wtovedi.jsp contains the listed read and write code with
the definitions of ddm2. ddm2 is a rather complex object of objects, but
it contains no reference to w4a.jsp or w4b.jsp which are just filenames.

Wolfgang


On 04.10.2010 13:08, Ronald Klop wrote:

What does ddm2 look like? Does it have a reference to the jsp object?

Ronald.


On Monday, 4 October 2010 15:10, Wolfgang Orthuber
orthu...@kfo-zmk.uni-kiel.de wrote:



Hello,

my tomcat version is 5.5.17, my question concerns serialization of
objects, below is a code section for writing and reading an object.
If I call write immediately before read:
d5.write();
d5.read();

then all works fine, but if I use only read (on a formerly written
file) with the same code included in another program module, I got
the exceptions like this:
java.lang.ClassCastException: org.apache.jsp.w.w4a_jsp$1ddm2 cannot
be cast to org.apache.jsp.w.w4b_jsp$1ddm2

in which w4a.jsp and w4b.jsp are two different modules which include
the same code for read and write. The name of the program module is
stored in the serialized object, but the name of the program module
does not matter, because both modules include the same code.

Do you know a simple solution which avoids the exception?

Wolfgang



The code section with read and write:


class dm5t implements Serializable {
    public ArrayList<ddm2> v5;

    public dm5t() { v5 = new ArrayList<ddm2>(); }

    public String topicpath() {
        return getServletContext().getRealPath("") + "/tp/";
    }

    public synchronized boolean write() {
        String fn = fntopics;
        boolean ok = true;
        try {
            String spath = topicpath();

            FileOutputStream fs = new FileOutputStream(spath + fn);
            ObjectOutputStream os = new ObjectOutputStream(fs);
            os.writeObject(v5);
            os.close();
        } catch (IOException e) { ok = false; }
        return ok;
    }

    public synchronized boolean read() {
        String fn = fntopics;
        boolean ok = true;
        ArrayList<ddm2> v5tmp = null;
        try {
            String spath = topicpath();

            FileInputStream fs = new FileInputStream(spath + fn);
            ObjectInputStream os = new ObjectInputStream(fs);

            v5tmp = (ArrayList<ddm2>) os.readObject();
            os.close();
        } catch (IOException e) { ok = false; }
        catch (ClassNotFoundException e) { ok = false; }
        if (ok && v5tmp != null) v5 = v5tmp;
        return ok;
    }
}





RE: Tabbed browsers sharing session - work around.

2010-10-04 Thread Rob Gregory
Hi Ronald,

Thanks for the prompt response but I am not sure I fully understand your
suggestion. Would that approach require knowing the available
environments beforehand and registering these somehow so that the names
get resolved to the machine. If so this is not really an option as our
application dynamically creates these environments. The application is
not internet facing if that makes a difference.

Regards
Rob

-Original Message-
From: Ronald Klop [mailto:ronald-mailingl...@base.nl] 
Sent: 04 October 2010 11:12
To: Tomcat Users List
Subject: Re: Tabbed browsers sharing session - work around.

You can run your test environment on another hostname.

live.example.com
test.example.com
train.example.com

Maybe use a login.example.com to redirect you to the right url after
login.

Ronald.


On Monday, 4 October 2010 11:03, Rob Gregory
rob.greg...@ibsolutions.com wrote:
 
  
 
 Hi Tomcat community, 
 
  
 
 I'm after advice on some session frigging I have recently bespoke'd
into
 Tomcat (version 6.0.29) to resolve an issue with the recent changes in
 tabbed browsers where they now share the same session across multiple
 browser tabs/instances.
 
  
 
 I have googled the issue and the following post seems to be asking the
 same question, and suggestions come very close to what I have
 implemented:-
 

http://old.nabble.com/Want-to-customise-the-tomcat's-session-logic-td26161430.html
 
  
 
 The problem:-
 
 I have a web application that supports multiple environments
(database)
 such as live, test, train, etc. from a single code base/web
application.
 Example scenario is as follows:- 
 
  
 
 * User Bob logs into the application and selects the TEST
 environment and starts entering some data. 
 
 * Bob then opens up another browser or tab and logs into
the
 LIVE environment.
 
 * Behind the scenes the browser has shared the session and
 has in fact switched the first browser from TEST into the LIVE
 environment without Bob being aware.
 
 * Bob  hits save within what he thinks is the TEST
 environment and the LIVE environment is actually updated.
 
  
 
 The solution:-
 
 I have introduced what is basically a sub context into our url's and
 changed the path of the jsession cookie to limit each generated
session
 to the 'virtual' context it was issued within. E.g.
 cookie.setPath(contextPath + "/" + unique-id); where unique-id is
 just a unique generated number.
 
  
 
 The Implementation:-
 
 I have bespoked the org.apache.catalina.connector.Request class to
 include a unique id as the context to the cookie path and prior to
 creating the session I redirect the user to this context e.g.
 http://localhost/webapp/unique-id/page.jsp. The unique-id is then
 removed by the Request class before returning the path from
 getServletPath() and getRequestURI() so the actual web application is
 unaware of this context switching. 
 
  
 
 The Question:-
 
 While this seems to be working well and the multiple browser
 tabs/instances do indeed have unique sessions I would like to ask if
 anyone can see any potential issues with what I have done or how I
have
 implemented it. I did have one serious issue where I could type in
 http://localhost/webapp/unique-id/WEB-INF/lib/application.jar and it
 bypassed Tomcat built in security and actually downloaded the .jar but
 this was quickly resolved.
 
  
 
 Any input or criticisms would be greatly appreciated if you can see a
 flaw in this design or know of a better approach to bypass this shared
 session behaviour of recent browsers. 
 
  
 
 Many thanks for your time.
 
 Rob Gregory
 
 
 
 
 





Serialization

2010-10-04 Thread Wolfgang Orthuber

 Hello,

my tomcat version is 5.5.17, my question concerns serialization of 
objects, below is a code section for writing and reading an object. If I 
call write immediately before read:

d5.write();
d5.read();

then all works fine, but if I use only read (on a formerly written 
file) with the same code included in another program module, I got the 
exceptions like this:
java.lang.ClassCastException: org.apache.jsp.w.w4a_jsp$1ddm2 cannot be 
cast to org.apache.jsp.w.w4b_jsp$1ddm2


in which w4a.jsp and w4b.jsp are two different modules which include the 
same code for read and write. The name of the program module is stored 
in the serialized object, but the name of the program module does not 
matter, because both modules include the same code.


Do you know a simple solution which avoids the exception?

Wolfgang



The code section with read and write:


class dm5t implements Serializable {
    public ArrayList<ddm2> v5;

    public dm5t() { v5 = new ArrayList<ddm2>(); }

    public String topicpath() {
        return getServletContext().getRealPath("") + "/tp/";
    }

    public synchronized boolean write() {
        String fn = fntopics;
        boolean ok = true;
        try {
            String spath = topicpath();

            FileOutputStream fs = new FileOutputStream(spath + fn);
            ObjectOutputStream os = new ObjectOutputStream(fs);
            os.writeObject(v5);
            os.close();
        } catch (IOException e) { ok = false; }
        return ok;
    }

    public synchronized boolean read() {
        String fn = fntopics;
        boolean ok = true;
        ArrayList<ddm2> v5tmp = null;
        try {
            String spath = topicpath();

            FileInputStream fs = new FileInputStream(spath + fn);
            ObjectInputStream os = new ObjectInputStream(fs);

            v5tmp = (ArrayList<ddm2>) os.readObject();
            os.close();
        } catch (IOException e) { ok = false; }
        catch (ClassNotFoundException e) { ok = false; }
        if (ok && v5tmp != null) v5 = v5tmp;
        return ok;
    }
}





RE: Tabbed browsers sharing session - work around.

2010-10-04 Thread Rob Gregory
Hi Ronald,

Using the hostname doesn't really guarantee a unique session for example
if I click new tab and paste the URL into the new window I suspect the
browser will see the same session from the first tab. In our application
the user can then change the environment with disastrous consequences
when updating the database. Did you implement anything to stop the
session sharing at this level. What I did was to use the window.name
attribute to allow tracking of browser instances and compare this when
doing the session timeout checking and this way I am able to redirect
any further browser opens into new sessions. 

With the exception of WEB-INF (which was due to tomcat no longer seeing
that as a WEB-INF call because I have my unique-id in the path) do you
see any security faults in what I am doing?   

Again thanks for the suggestion and I will look into maybe using the
host over a virtual context as part of the final solution. 

Kind Regards,
Rob

-Original Message-
From: Ronald Klop [mailto:ronald-mailingl...@base.nl] 
Sent: 04 October 2010 12:15
To: Tomcat Users List
Subject: RE: Tabbed browsers sharing session - work around.

Hi,

Ok. I didn't understand that somebody chooses an environment dynamically.

The JSESSION cookie is tied to a hostname. So if you make unique
hostnames for every login you have unique sessions.
For our helpdesk I made a wildcard DNS entry *.example.com IN CNAME
tomcat.example.com and a button which redirects you to
timestamp.example.com, so a login goes to something like
1286190607.example.com and the next user will go to
1286190608.example.com and has its own session.

It is about the same as you do with your virtual context, but you don't
have to do tricks to org.apache.catalina.connector.Request and it keeps
all the safety of WEB-INF, etc.

Ronald.


On Monday, 4 October 2010 12:58, Rob Gregory
rob.greg...@ibsolutions.com wrote:
 
  
 Hi Ronald,
 
 Thanks for the prompt response but I am not sure I fully understand
your
 suggestion. Would that approach require knowing the available
 environments beforehand and registering these somehow so that the
names
 get resolved to the machine. If so this is not really an option as our
 application dynamically creates these environments. The application is
 not internet facing if that makes a difference.
 
 Regards
 Rob
 
 -Original Message-
 From: Ronald Klop [mailto:ronald-mailingl...@base.nl] 
 Sent: 04 October 2010 11:12
 To: Tomcat Users List
 Subject: Re: Tabbed browsers sharing session - work around.
 
 You can run your test environment on another hostname.
 
 live.example.com
 test.example.com
 train.example.com
 
 Maybe use a login.example.com to redirect you to the right url after
 login.
 
 Ronald.
 
 
 On Monday, 4 October 2010 11:03, Rob Gregory
 rob.greg...@ibsolutions.com wrote:
  
   
  
  Hi Tomcat community, 
  
   
  
  I'm after advice on some session frigging I have recently bespoke'd
 into
  Tomcat (version 6.0.29) to resolve an issue with the recent changes
in
  tabbed browsers where they now share the same session across
multiple
  browser tabs/instances.
  
   
  
  I have googled the issue and the following post seems to be asking
the
  same question, and suggestions come very close to what I have
  implemented:-
  
 

http://old.nabble.com/Want-to-customise-the-tomcat's-session-logic-td26161430.html
  
   
  
  The problem:-
  
  I have a web application that supports multiple environments
 (database)
  such as live, test, train, etc. from a single code base/web
 application.
  Example scenario is as follows:- 
  
   
  
  * User Bob logs into the application and selects the
TEST
  environment and starts entering some data. 
  
  * Bob then opens up another browser or tab and logs into
 the
  LIVE environment.
  
  * Behind the scenes the browser has shared the session
and
  has in fact switched the first browser from TEST into the LIVE
  environment without Bob being aware.
  
  * Bob  hits save within what he thinks is the TEST
  environment and the LIVE environment is actually updated.
  
   
  
  The solution:-
  
  I have introduced what is basically a sub context into our url's and
  changed the path of the jsession cookie to limit each generated
 session
  to the 'virtual' context it was issued within. E.g.
  cookie.setPath(contextPath + "/" + unique-id); where unique-id
is
  just a unique generated number.
  
   
  
  The Implementation:-
  
  I have bespoked the org.apache.catalina.connector.Request class to
  include a unique id as the context to the cookie path and prior to
  creating the session I redirect the user to this context e.g.
  http://localhost/webapp/unique-id/page.jsp. The unique-id is
then
  removed by the Request class before returning the path from
  getServletPath() and getRequestURI() so the actual web application
is
  unaware of this context switching. 
  
   
  
  The Question:-
  
  While this seems to be 

Fwd: Re: Serialization

2010-10-04 Thread Wolfgang Orthuber

 Thanks to all for the quick response!
I will compile ddm2 to a standalone class and import (and not include) it.
Wolfgang
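
The point made in the replies in this thread (identical source compiled into two JSP classes yields two unrelated classes, while one standalone class shared by both avoids the failed cast), as an added example that is not code from any poster: PageA and PageB are hypothetical stand-ins for w4a.jsp and w4b.jsp, and Topic is a hypothetical shared bean.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class ClassIdentityDemo {

    // Shared bean compiled once: stand-in for a standalone class that both pages import.
    public static class Topic implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String title;
        public Topic(String title) { this.title = title; }
    }

    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        ObjectOutputStream os = new ObjectOutputStream(buf);
        try { os.writeObject(o); } finally { os.close(); }
        return buf.toByteArray();
    }

    static Object fromBytes(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputStream is = new ObjectInputStream(new ByteArrayInputStream(data));
        try { return is.readObject(); } finally { is.close(); }
    }

    // Stand-in for w4a.jsp: the included fragment declares ddm2 inside this method,
    // so the compiled class is ClassIdentityDemo$PageA$1ddm2.
    static class PageA {
        static byte[] write() throws IOException {
            class ddm2 implements Serializable { String title = "topic"; }
            ArrayList<ddm2> v5 = new ArrayList<ddm2>();
            v5.add(new ddm2());
            return toBytes(v5);
        }
    }

    // Stand-in for w4b.jsp: same source text, but a different compiled class
    // (ClassIdentityDemo$PageB$1ddm2).
    static class PageB {
        static String read(byte[] data) throws IOException, ClassNotFoundException {
            class ddm2 implements Serializable { String title = "topic"; }
            // The list cast is unchecked: type erasure hides the element mismatch here.
            @SuppressWarnings("unchecked")
            ArrayList<ddm2> v5 = (ArrayList<ddm2>) fromBytes(data);
            try {
                ddm2 first = v5.get(0); // the compiler-inserted element cast fails here
                return "read ok: " + first.title;
            } catch (ClassCastException e) {
                return "ClassCastException: " + e.getMessage();
            }
        }
    }

    // Both sides use the same Topic class, so the round trip succeeds.
    static String sharedRoundTrip() throws IOException, ClassNotFoundException {
        ArrayList<Topic> out = new ArrayList<Topic>();
        out.add(new Topic("topic"));
        @SuppressWarnings("unchecked")
        ArrayList<Topic> in = (ArrayList<Topic>) fromBytes(toBytes(out));
        return "read ok: " + in.get(0).title + " as " + in.get(0).getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        byte[] data = PageA.write();
        Object element = ((ArrayList<?>) fromBytes(data)).get(0);
        // The stream records the fully qualified class name of the writer's class.
        System.out.println("class recorded in stream: " + element.getClass().getName());
        System.out.println("PageB reading PageA's file: " + PageB.read(data));
        System.out.println("shared class: " + sharedRoundTrip());
    }
}
```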



Tabbed browsers sharing session - work around.

2010-10-04 Thread Rob Gregory
Hi Tomcat community, 

 

I'm after advice on some session frigging I have recently bespoke'd into
Tomcat (version 6.0.29) to resolve an issue with the recent changes in
tabbed browsers where they now share the same session across multiple
browser tabs/instances.

 

I have googled the issue and the following post seems to be asking the
same question, and suggestions come very close to what I have
implemented:-

http://old.nabble.com/Want-to-customise-the-tomcat's-session-logic-td26161430.html

 

The problem:-

I have a web application that supports multiple environments (database)
such as live, test, train, etc. from a single code base/web application.
Example scenario is as follows:- 

 

* User Bob logs into the application and selects the TEST
environment and starts entering some data. 

* Bob then opens up another browser or tab and logs into the
LIVE environment.

* Behind the scenes the browser has shared the session and
has in fact switched the first browser from TEST into the LIVE
environment without Bob being aware.

* Bob  hits save within what he thinks is the TEST
environment and the LIVE environment is actually updated.

 

The solution:-

I have introduced what is basically a sub context into our url's and
changed the path of the jsession cookie to limit each generated session
to the 'virtual' context it was issued within. E.g.
cookie.setPath(contextPath + "/" + unique-id); where unique-id is
just a unique generated number.

 

The Implementation:-

I have bespoked the org.apache.catalina.connector.Request class to
include a unique id as the context to the cookie path and prior to
creating the session I redirect the user to this context e.g.
http://localhost/webapp/unique-id/page.jsp. The unique-id is then
removed by the Request class before returning the path from
getServletPath() and getRequestURI() so the actual web application is
unaware of this context switching. 

 

The Question:-

While this seems to be working well and the multiple browser
tabs/instances do indeed have unique sessions I would like to ask if
anyone can see any potential issues with what I have done or how I have
implemented it. I did have one serious issue where I could type in
http://localhost/webapp/unique-id/WEB-INF/lib/application.jar and it
bypassed Tomcat built in security and actually downloaded the .jar but
this was quickly resolved.

 

Any input or criticisms would be greatly appreciated if you can see a
flaw in this design or know of a better approach to bypass this shared
session behaviour of recent browsers. 

 

Many thanks for your time.

Rob Gregory
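
The WEB-INF exposure described in this post arises because the container's protected-directory check sees the path with the unique id still in front. The following added example (not code from the post or from Tomcat) re-applies that check after the id is stripped; the class and method names are hypothetical, the id is assumed to be a decimal number, and the input is assumed to be already URL-decoded.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

public class VirtualContextPath {

    // Collapses "//", "." and ".." in an already URL-decoded path.
    // Returns null when ".." would climb above the context root.
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<String>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : segments) {
            sb.append('/').append(seg);
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    // WEB-INF and META-INF must never be served, whatever the letter case.
    static boolean isProtected(String resource) {
        String p = resource.toUpperCase(Locale.ENGLISH);
        return p.equals("/WEB-INF") || p.startsWith("/WEB-INF/")
            || p.equals("/META-INF") || p.startsWith("/META-INF/");
    }

    // Maps "/<unique-id>/<resource>" to "<resource>".
    // Returns null when the request should be refused (for example with a 404).
    static String resolve(String pathInContext) {
        String normalized = normalize(pathInContext);
        if (normalized == null) {
            return null;
        }
        int slash = normalized.indexOf('/', 1);
        String id = slash < 0 ? normalized.substring(1) : normalized.substring(1, slash);
        // Assumption: the id is a decimal number, as the post describes it.
        if (!id.matches("[0-9]{1,19}")) {
            return null;
        }
        String resource = slash < 0 ? "/" : normalized.substring(slash);
        // The check runs on the path the application will actually be given.
        return isProtected(resource) ? null : resource;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample paths, relative to the context root
            "/1042/page.jsp",
            "/1042/WEB-INF/lib/application.jar",
            "/1042/web-inf/web.xml",
            "/1042//WEB-INF/web.xml",
            "/1042/docs/../WEB-INF/web.xml",
            "/1042/../WEB-INF/web.xml",
            "/WEB-INF/web.xml"
        };
        for (String s : samples) {
            String r = resolve(s);
            System.out.println(s + " -> " + (r == null ? "REFUSED" : r));
        }
    }
}
```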



Re: Serialization

2010-10-04 Thread Ronald Klop

What does ddm2 look like? Does it have a reference to the jsp object?

Ronald.


On Monday, 4 October 2010 15:10, Wolfgang Orthuber
orthu...@kfo-zmk.uni-kiel.de wrote:


 
  Hello,


my tomcat version is 5.5.17, my question concerns serialization of objects, 
below is a code section for writing and reading an object. If I call write 
immediately before read:
d5.write();
d5.read();

then all works fine, but if I use only read (on a formerly written file) with 
the same code included in another program module, I got the exceptions like 
this:
java.lang.ClassCastException: org.apache.jsp.w.w4a_jsp$1ddm2 cannot be cast to 
org.apache.jsp.w.w4b_jsp$1ddm2

in which w4a.jsp and w4b.jsp are two different modules which include the same 
code for read and write. The name of the program module is stored in the 
serialized object, but the name of the program module does not matter, because 
both modules include the same code.

Do you know a simple solution which avoids the exception?

Wolfgang



The code section with read and write:


class dm5t implements Serializable {
    public ArrayList<ddm2> v5;

    public dm5t() { v5 = new ArrayList<ddm2>(); }

    public String topicpath() {
        return getServletContext().getRealPath("") + "/tp/";
    }

    public synchronized boolean write() {
        String fn = fntopics;
        boolean ok = true;
        try {
            String spath = topicpath();

            FileOutputStream fs = new FileOutputStream(spath + fn);
            ObjectOutputStream os = new ObjectOutputStream(fs);
            os.writeObject(v5);
            os.close();
        } catch (IOException e) { ok = false; }
        return ok;
    }

    public synchronized boolean read() {
        String fn = fntopics;
        boolean ok = true;
        ArrayList<ddm2> v5tmp = null;
        try {
            String spath = topicpath();

            FileInputStream fs = new FileInputStream(spath + fn);
            ObjectInputStream os = new ObjectInputStream(fs);

            v5tmp = (ArrayList<ddm2>) os.readObject();
            os.close();
        } catch (IOException e) { ok = false; }
        catch (ClassNotFoundException e) { ok = false; }
        if (ok && v5tmp != null) v5 = v5tmp;
        return ok;
    }
}



RE: Tabbed browsers sharing session - work around.

2010-10-04 Thread Ronald Klop

Hi,

Ok. I didn't understand that somebody chooses an environment dynamically.

The JSESSION cookie is tied to a hostname. So if you make unique hostnames for 
every login you have unique sessions.
For our helpdesk I made a wildcard DNS entry *.example.com IN CNAME 
tomcat.example.com and a button which redirects you to timestamp.example.com, 
so a login goes to something like 1286190607.example.com and the next user will go to 
1286190608.example.com and has its own session.

It is about the same as you do with your virtual context, but you don't have to 
do tricks to org.apache.catalina.connector.Request and it keeps all the safety 
of WEB-INF, etc.

Ronald.


On Monday, 4 October 2010 12:58, Rob Gregory
rob.greg...@ibsolutions.com wrote:


 
Hi Ronald,


Thanks for the prompt response but I am not sure I fully understand your
suggestion. Would that approach require knowing the available
environments beforehand and registering these somehow so that the names
get resolved to the machine. If so this is not really an option as our
application dynamically creates these environments. The application is
not internet facing if that makes a difference.

Regards
Rob

-Original Message-
From: Ronald Klop [mailto:ronald-mailingl...@base.nl] 
Sent: 04 October 2010 11:12

To: Tomcat Users List
Subject: Re: Tabbed browsers sharing session - work around.

You can run your test environment on another hostname.

live.example.com
test.example.com
train.example.com

Maybe use a login.example.com to redirect you to the right url after
login.

Ronald.


On Monday, 4 October 2010 11:03, Rob Gregory
rob.greg...@ibsolutions.com wrote:
 
  
 
 Hi Tomcat community, 
 
  
 
 I'm after advice on some session frigging I have recently bespoke'd

into
 Tomcat (version 6.0.29) to resolve an issue with the recent changes in
 tabbed browsers where they now share the same session across multiple
 browser tabs/instances.
 
  
 
 I have googled the issue and the following post seems to be asking the

 same question, and suggestions come very close to what I have
 implemented:-
 


http://old.nabble.com/Want-to-customise-the-tomcat's-session-logic-td26161430.html
 
  
 
 The problem:-
 
 I have a web application that supports multiple environments

(database)
 such as live, test, train, etc. from a single code base/web
application.
 Example scenario is as follows:- 
 
  
 
 * User Bob logs into the application and selects the TEST
 environment and starts entering some data. 
 
 * Bob then opens up another browser or tab and logs into

the
 LIVE environment.
 
 * Behind the scenes the browser has shared the session and

 has in fact switched the first browser from TEST into the LIVE
 environment without Bob being aware.
 
 * Bob  hits save within what he thinks is the TEST

 environment and the LIVE environment is actually updated.
 
  
 
 The solution:-
 
 I have introduced what is basically a sub context into our url's and

 changed the path of the jsession cookie to limit each generated
session
 to the 'virtual' context it was issued within. E.g.
 cookie.setPath(contextPath + "/" + unique-id); where unique-id is
 just a unique generated number.
 
  
 
 The Implementation:-
 
 I have bespoked the org.apache.catalina.connector.Request class to

 include a unique id as the context to the cookie path and prior to
 creating the session I redirect the user to this context e.g.
 http://localhost/webapp/unique-id/page.jsp. The unique-id is then
 removed by the Request class before returning the path from
 getServletPath() and getRequestURI() so the actual web application is
 unaware of this context switching. 
 
  
 
 The Question:-
 
 While this seems to be working well and the multiple browser

 tabs/instances do indeed have unique sessions I would like to ask if
 anyone can see any potential issues with what I have done or how I
have
 implemented it. I did have one serious issue where I could type in
 http://localhost/webapp/unique-id/WEB-INF/lib/application.jar and it
 bypassed Tomcat built in security and actually downloaded the .jar but
 this was quickly resolved.
 
  
 
 Any input or criticisms would be greatly appreciated if you can see a

 flaw in this design or know of a better approach to bypass this shared
 session behaviour of recent browsers. 
 
  
 
 Many thanks for your time.
 
 Rob Gregory
 
 
 
 
 




Re: jsp-examples sessions

2010-10-04 Thread Mark Thomas
On 04/10/2010 10:42, rujin raj wrote:
 Dear Support,

This is a community of users, not a technical support help-line. There
is a big difference.

Try reading this:
http://www.catb.org/esr/faqs/smart-questions.html

 I installed some applications in Tomcat 5.5. When I'm monitoring through the
 Lambda probe, I noticed that the /jsp-examples sessions are increased
 invariably.
 
 Please guide me in which circumstances these /jsp-examples sessions will
 increase

Read the Servlet and JSP specs.

 and whether it will affect my server performance.

Affect it positively? Affect it negatively? What do you mean by
performance? To answer the question as written: Yes.

Mark




Re: Tabbed browsers sharing session - work around.

2010-10-04 Thread Ronald Klop

You can run your test environment on another hostname.

live.example.com
test.example.com
train.example.com

Maybe use a login.example.com to redirect you to the right url after login.

Ronald.


On Monday, 4 October 2010 11:03, Rob Gregory
rob.greg...@ibsolutions.com wrote:


 

Hi Tomcat community, 

 


I'm after advice on some session frigging I have recently bespoke'd into
Tomcat (version 6.0.29) to resolve an issue with the recent changes in
tabbed browsers where they now share the same session across multiple
browser tabs/instances.

 


I have googled the issue and the following post seems to be asking the
same question, and suggestions come very close to what I have
implemented:-

http://old.nabble.com/Want-to-customise-the-tomcat's-session-logic-td26161430.html

 


The problem:-

I have a web application that supports multiple environments (database)
such as live, test, train, etc. from a single code base/web application.
Example scenario is as follows:- 

 


* User Bob logs into the application and selects the TEST
environment and starts entering some data. 


* Bob then opens up another browser or tab and logs into the
LIVE environment.

* Behind the scenes the browser has shared the session and
has in fact switched the first browser from TEST into the LIVE
environment without Bob being aware.

* Bob  hits save within what he thinks is the TEST
environment and the LIVE environment is actually updated.

 


The solution:-

I have introduced what is basically a sub context into our url's and
changed the path of the jsession cookie to limit each generated session
to the 'virtual' context it was issued within. E.g.
cookie.setPath(contextPath + "/" + unique-id); where unique-id is
just a unique generated number.

 


The Implementation:-

I have bespoked the org.apache.catalina.connector.Request class to
include a unique id as the context to the cookie path and prior to
creating the session I redirect the user to this context e.g.
http://localhost/webapp/unique-id/page.jsp. The unique-id is then
removed by the Request class before returning the path from
getServletPath() and getRequestURI() so the actual web application is
unaware of this context switching. 

 


The Question:-

While this seems to be working well and the multiple browser
tabs/instances do indeed have unique sessions I would like to ask if
anyone can see any potential issues with what I have done or how I have
implemented it. I did have one serious issue where I could type in
http://localhost/webapp/unique-id/WEB-INF/lib/application.jar and it
bypassed Tomcat built in security and actually downloaded the .jar but
this was quickly resolved.

 


Any input or criticisms would be greatly appreciated if you can see a
flaw in this design or know of a better approach to bypass this shared
session behaviour of recent browsers. 

 


Many thanks for your time.

Rob Gregory









Re: jsp-examples sessions

2010-10-04 Thread Ronald Klop

Do you use /jsp-examples for something?
In production (or on all your systems) remove the jsp-examples context/webapp 
if you don't need it. In fact... remove all webapps which you don't use.

Ronald.


On Monday, 4 October 2010 11:42, rujin raj rujin...@gmail.com wrote:


 




Dear Support,
 
I installed some applications in Tomcat 5.5. When I'm monitoring through the Lambda probe, I noticed that the /jsp-examples sessions are increased invariably.
 
Please guide me in which circumstances these /jsp-examples sessions will increase and whether it will affect my server performance.
 
Regards,
 
rujinraj





Re: Serialization

2010-10-04 Thread Wolfgang Orthuber
 w4a.jsp and w4b.jsp are the names of two different jsp files. Both 
contain

<%@ include file="wtovedi.jsp" %>
and the file wtovedi.jsp contains the listed read and write code with 
the definitions of ddm2. ddm2 is a rather complex object of objects, but 
it contains no reference to w4a.jsp or w4b.jsp which are just filenames.


Wolfgang


On 04.10.2010 13:08, Ronald Klop wrote:

What does ddm2 look like? Does it have a reference to the jsp object?

Ronald.


On Monday, 4 October 2010 15:10, Wolfgang Orthuber
orthu...@kfo-zmk.uni-kiel.de wrote:



  Hello,

my tomcat version is 5.5.17, my question concerns serialization of 
objects, below is a code section for writing and reading an object. 
If I call write immediately before read:

d5.write();
d5.read();

then all works fine, but if I use only read (on a formerly written 
file) with the same code included in another program module, I got 
the exceptions like this:
java.lang.ClassCastException: org.apache.jsp.w.w4a_jsp$1ddm2 cannot 
be cast to org.apache.jsp.w.w4b_jsp$1ddm2


in which w4a.jsp and w4b.jsp are two different modules which include 
the same code for read and write. The name of the program module is 
stored in the serialized object, but the name of the program module 
does not matter, because both modules include the same code.


Do you know a simple solution which avoids the exception?

Wolfgang



The code section with read and write:


class dm5t implements Serializable {
 public ArrayList<ddm2> v5;

 public dm5t () {  v5 = new ArrayList<ddm2> (); }

 public String topicpath(){return getServletContext().getRealPath("")+"/tp/";}


 public synchronized boolean write () {
  String fn=fntopics;
  boolean ok=true;
  try {
   String spath = topicpath();

   FileOutputStream fs = new FileOutputStream (spath+fn);
   ObjectOutputStream os = new ObjectOutputStream(fs);
   os.writeObject (v5);
   os.close ();}
  catch (IOException e) {ok=false;} return ok;}

 public synchronized boolean read () {
  String fn=fntopics;
  boolean ok=true;
  ArrayList<ddm2> v5tmp=null;
  try {
   String spath = topicpath();

   FileInputStream fs = new FileInputStream (spath+fn);
   ObjectInputStream os = new ObjectInputStream(fs);

   v5tmp = (ArrayList<ddm2>) os.readObject ();
   os.close ();

  } catch (IOException e) {ok=false;}
  catch (ClassNotFoundException e) {ok=false;}
  if (ok)if (v5tmp != null) v5=v5tmp;
  return ok;}
}





Re: Unit testing a CometProcessor Servlet

2010-10-04 Thread Nabble User
Thank you for taking the time to reply Chris!

Yes, I understand that I could just make direct calls to events.  However,
since we are talking about long blocking requests that don't return until
some action is taken by other users (or the connection times out of course)
I was curious to see what other people do to test these situations. A unit
test that spawns multiple threads?

Again, I appreciate your response.

On Fri, Oct 1, 2010 at 11:45 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 To whom it may concern,

 (FYI: It's usually polite to identify yourself)

 On 9/27/2010 3:59 PM, Nabble User wrote:
  Does anyone have tips for unit testing a servlet that implements
  CometProcessor?

 Can't you synthesize all the events you need? It should be as simple as
 calling the methods on your Comet-enabled servlet, right?

 I highly recommend the use of mock objects for this type of thing. JMock
 is a great library that can masquerade as a particular object and allow
 you to intercept the messages, take some action, and return whatever you
 want.

  So, examples for testing that servlet code would be beneficial.

 HttpServlet myServlet = new MyServlet();
 myServlet.init();

 MockEvent event = ...;

 myServlet.event(event);

 // Now, observe the event to see if you got what you expected

 ??

 -chris




RE: Tabbed browsers sharing session - work around.

2010-10-04 Thread Ronald Klop

if (session.environment != newEnvironment) {
   logoutUser("You cannot change a running environment.");
}

Something like that.

Ronald.


On Monday, 4 October 2010 13:27, Rob Gregory 
rob.greg...@ibsolutions.com wrote:


 
Hi Ronald,


Using the hostname doesn't really guarantee a unique session for example
if I click new tab and paste the URL into the new window I suspect the
browser will see the same session from the first tab. In our application
the user can then change the environment with disastrous consequences
when updating the database. Did you implement anything to stop the
session sharing at this level. What I did was to use the window.name
attribute to allow tracking of browser instances and compare this when
doing the session timeout checking and this way I am able to redirect
any further browser opens into new sessions. 


With the exception of WEB-INF (which was due to tomcat no longer seeing
that as a WEB-INF call because I have my unique-id in the path) do you
see any security faults in what I am doing?   


Again thanks for the suggestion and I will look into maybe using the
host over a virtual context as part of the final solution. 


Kind Regards,
Rob

-Original Message-
From: Ronald Klop [mailto:ronald-mailingl...@base.nl] 
Sent: 04 October 2010 12:15

To: Tomcat Users List
Subject: RE: Tabbed browsers sharing session - work around.

Hi,

Ok. I didn't understand that somebody chooses an environment dynamically.

The JSESSION cookie is tied to a hostname. So if you make unique
hostnames for every login you have unique sessions.
For our helpdesk I made a wildcard DNS entry *.example.com IN CNAME
tomcat.example.com and a button which redirects you to
timestamp.example.com, so a login goes to something like
1286190607.example.com and the next user will go to
1286190608.example.com and has its own session.

It is about the same as you do with your virtual context, but you don't
have to do tricks to org.apache.catalina.connector.Request and it keeps
all the safety of WEB-INF, etc.

Ronald.


On Monday, 4 October 2010 12:58, Rob Gregory
rob.greg...@ibsolutions.com wrote:
 
  
 Hi Ronald,
 
 Thanks for the prompt response but I am not sure I fully understand your
 suggestion. Would that approach require knowing the available
 environments beforehand and registering these somehow so that the names
 get resolved to the machine. If so this is not really an option as our
 application dynamically creates these environments. The application is
 not internet facing if that makes a difference.
 
 Regards

 Rob
 
 -Original Message-
 From: Ronald Klop [mailto:ronald-mailingl...@base.nl] 
 Sent: 04 October 2010 11:12

 To: Tomcat Users List
 Subject: Re: Tabbed browsers sharing session - work around.
 
 You can run your test environment on another hostname.
 
 live.example.com
 test.example.com
 train.example.com
 
 Maybe use a login.example.com to redirect you to the right url after login.
 
 Ronald.
 
 
 On Monday, 4 October 2010 11:03, Rob Gregory
 rob.greg...@ibsolutions.com wrote:
  
   
  
  Hi Tomcat community,

  I'm after advice on some session frigging I have recently bespoke'd into
  Tomcat (version 6.0.29) to resolve an issue with the recent changes in
  tabbed browsers where they now share the same session across multiple
  browser tabs/instances.

  I have googled the issue and the following post seems to be asking the
  same question, and suggestions come very close to what I have
  implemented:-

  http://old.nabble.com/Want-to-customise-the-tomcat's-session-logic-td26161430.html

  The problem:-

  I have a web application that supports multiple environments (database)
  such as live, test, train, etc. from a single code base/web application.
  Example scenario is as follows:-

  * User Bob logs into the application and selects the TEST
    environment and starts entering some data.

  * Bob then opens up another browser or tab and logs into the
    LIVE environment.

  * Behind the scenes the browser has shared the session and
    has in fact switched the first browser from TEST into the LIVE
    environment without Bob being aware.

  * Bob hits save within what he thinks is the TEST
    environment and the LIVE environment is actually updated.

  The solution:-

  I have introduced what is basically a sub context into our url's and
  changed the path of the jsession cookie to limit each generated session
  to the 'virtual' context it was issued within. E.g.
  cookie.setPath(contextPath + "/" + unique-id); where unique-id is
  just a unique generated number.

  The Implementation:-

  I have bespoked the org.apache.catalina.connector.Request class to
  include a unique id as the context to the cookie path and prior to
  creating the session I redirect the user to this context e.g.
  http://localhost/webapp/unique-id/page.jsp. The

jsp-examples sessions

2010-10-04 Thread rujin raj
Dear Support,

I installed some applications in Tomcat 5.5. When I am monitoring through the
Lambda Probe, I noticed that the /jsp-examples sessions are increased
invariably.

Please guide me in which circumstances these /jsp-examples sessions will
increase and whether it will affect my server performance.

Regards,

rujinraj


Re: Unit testing a CometProcessor Servlet

2010-10-04 Thread Christopher Schultz
To whom it may concern,

On 10/4/2010 7:43 AM, Nabble User wrote:
 Thank you for taking the time to reply Chris!

No problem. I wish I knew your name, though!

 Yes, I understand that I could just make direct calls to events.  However,
 since we are talking about long blocking requests that don't return until
 some action is taken by other users (or the connection times out of course)
 I was curious to see what other people do to test these situations. A unit
 test that spawns multiple threads?

I think multiple threads would be your only option.

You could download the Tomcat source and look at the unit tests for the
Comet code itself. Perhaps that would give you an idea of how to write
your own tests.

-chris



Re: Tabbed browsers sharing session - work around.

2010-10-04 Thread Christopher Schultz
Ronald,

On 10/4/2010 6:11 AM, Ronald Klop wrote:
 You can run your test environment on another hostname.
 
 live.example.com
 test.example.com
 train.example.com

Or under another context:

http://www.example.com/live
http://www.example.com/test
http://www.example.com/train

The real question is why there's any confusion: your hostnames and/or
URLs ought to be unique enough already. Otherwise, this sort of
foolishness can affect your real users and you'll leak data all over
the place.

-chris



Re: Tabbed browsers sharing session - work around.

2010-10-04 Thread Christopher Schultz
Rob,

On 10/4/2010 7:27 AM, Rob Gregory wrote:
 Using the hostname doesn't really guarantee a unique session for example
 if I click new tab and paste the URL into the new window I suspect the
 browser will see the same session from the first tab.

Note that you haven't changed the hostname in this case: you've just
cloned a browser window (or tab if you prefer to call it that).

 In our application
 the user can then change the environment with disastrous consequences
 when updating the database.

Sounds like you need to be pretty careful. Is it possible you've built a
fragile application?

 Did you implement anything to stop the
 session sharing at this level. What I did was to use the window.name
 attribute to allow tracking of browser instances and compare this when
 doing the session timeout checking and this way I am able to redirect
 any further browser opens into new sessions. 

That's pretty fragile: relying on client-side javascript for anything
security-related is very foolish.

 With the exception of WEB-INF (which was due to tomcat no longer seeing
 that as a WEB-INF call because I have my unique-id in the path) do you
 see any security faults in what I am doing?

Many: disabling javascript on the client side will break your security.
An attacker overriding the javascript will break your security.

-chris
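
A server-side form of the check Ronald sketched, which does not depend on window.name or any other client-side script; this is an added example, not code from the thread. The class name, the session attribute `environment` and the request parameter `env` are assumptions, and it compiles against the javax.servlet API that Tomcat 6 ships.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Pins a session to the first environment it names and rejects any later
 * request in that session that names a different one.
 */
public class EnvironmentPinFilter implements Filter {

    // Hypothetical names, chosen for this example only.
    static final String SESSION_ENV = "environment";
    static final String PARAM_ENV = "env";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Every page and form carries the environment it was rendered for.
        String requested = request.getParameter(PARAM_ENV);
        HttpSession session = request.getSession(false);

        if (session != null && requested != null) {
            Object pinned = session.getAttribute(SESSION_ENV);
            if (pinned == null) {
                // First selection in this session: remember it on the server.
                session.setAttribute(SESSION_ENV, requested);
            } else if (!pinned.equals(requested)) {
                // Another tab sharing the cookie tried to switch environments:
                // end the session instead of silently retargeting it.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_CONFLICT,
                        "You cannot change a running environment.");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Because the comparison happens inside the container, disabling or overriding JavaScript in the browser does not bypass it.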



Re:[OT] Serialization

2010-10-04 Thread Christopher Schultz
Wolfgang,

(Marking off-topic because this is a Java/JSP issue and not
Tomcat-related. See below for responses.)

On 10/4/2010 9:10 AM, Wolfgang Orthuber wrote:
 my tomcat version is 5.5.17

Upgrade.

 then all works fine, but if I use only read (on a formerly written
 file) with the same code included in another program module, I got the
 exceptions like this:
 java.lang.ClassCastException: org.apache.jsp.w.w4a_jsp$1ddm2 cannot be
 cast to org.apache.jsp.w.w4b_jsp$1ddm2

That funny error message occurs because you are trying to write one
class object and read it in as another class object. You should read-up
on serialization for more information:

http://java.sun.com/developer/technicalArticles/Programming/serialization/

 in which w4a.jsp and w4b.jsp are two different modules which include the
 same code for read and write.

That means that they are different classes, and are therefore
incompatible. You should use a class defined in a .java file and not in
a .jsp file.

Your other option is to provide customized serialization that can read
and write data without relying on Java's serialization mechanism (which
mandates that the classes be the same in order to work).

 The name of the program module is stored
 in the serialized object, but the name of the program module does not
 matter, because both modules include the same code.

No, the fact that they are the same code is irrelevant. Only the data
and the metadata are relevant, and the metadata doesn't match between
these two distinct classes.

 Do you know a simple solution which avoids the exception?

Use the same class for both reading and writing.

 The code section with read and write:

Is this inside a .jsp? If so, create a separate class. What are you
doing putting Java code into a JSP file, anyway? More comments below...

 class dm5t implements Serializable {
 public ArrayList<ddm2> v5;
 
 public dm5t () {  v5 = new ArrayList<ddm2> (); }
 
 public String topicpath(){return
 getServletContext().getRealPath("")+"/tp/";}

Note that getRealPath isn't guaranteed to return a non-null value: a
filesystem isn't guaranteed by the servlet specification, but temporary
storage is guaranteed using the temp dir. See the servlet spec for
details.

 public synchronized boolean write () {

Why synchronized?

 String fn=fntopics;
 boolean ok=true;
 try {
 String spath = topicpath();
 
 FileOutputStream fs = new FileOutputStream (spath+fn);
 ObjectOutputStream os = new ObjectOutputStream(fs);
 os.writeObject (v5);
 os.close ();}
 catch (IOException e) {ok=false;} return ok;}
 
 public synchronized boolean read () {
 String fn=fntopics;
 boolean ok=true;
 ArrayList<ddm2> v5tmp=null;
 try {
 String spath = topicpath();
 
 FileInputStream fs = new FileInputStream (spath+fn);
 ObjectInputStream os = new ObjectInputStream(fs);
 
 v5tmp = (ArrayList<ddm2>) os.readObject ();
 os.close ();
 
 } catch (IOException e) {ok=false;}
 catch (ClassNotFoundException e) {ok=false;}
 if (ok)if (v5tmp != null) v5=v5tmp;
 return ok;}
 }

Why do you catch exceptions and return error codes? You like C-style
return codes instead of the elegance and clarity of exceptions?

-chris
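
The class mismatch described in the reply above, and the shared-class fix, reproduced as an added example that is not code from the thread. `W4a`, `W4b` and `Topic` are hypothetical stand-ins for the two compiled JSPs and for a bean kept in its own .java file; it needs Java 7 or later.

```java
import java.io.*;
import java.util.ArrayList;

public class SerializationDemo {

    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object fromBytes(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Written by one "page", read by the other: same source text, two classes.
        Object written = fromBytes(toBytes(W4a.make()));
        System.out.println("stream holds: " + written.getClass().getName());
        System.out.println("W4b.read:     " + W4b.read(written));

        // Shared top-level class: writer and reader agree on the type.
        ArrayList<Topic> v5 = new ArrayList<>();
        v5.add(new Topic("shared"));
        @SuppressWarnings("unchecked")
        ArrayList<Topic> back = (ArrayList<Topic>) fromBytes(toBytes(v5));
        System.out.println("shared class: " + back.get(0).title);
    }
}

// Stand-in for the class compiled from w4a.jsp (hypothetical name).
class W4a {
    static Object make() {
        class ddm2 implements Serializable {   // local class, as in a JSP scriptlet
            private static final long serialVersionUID = 1L;
            String title = "topic";
        }
        return new ddm2();
    }
}

// Stand-in for w4b.jsp: textually identical declaration, but a different class.
class W4b {
    static String read(Object o) {
        class ddm2 implements Serializable {
            private static final long serialVersionUID = 1L;
            String title = "topic";
        }
        try {
            return ((ddm2) o).title;
        } catch (ClassCastException e) {
            return "ClassCastException: " + e.getMessage();
        }
    }
}

// The fix from the replies: one ordinary class, defined once, used by both sides.
class Topic implements Serializable {
    private static final long serialVersionUID = 1L;
    final String title;
    Topic(String title) { this.title = title; }
}
```

The serialized stream records the writer's class name, so the reader gets back an instance of the writer's class and the cast to its own look-alike fails, while the `ArrayList<Topic>` round trip succeeds.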



Re: jsp-examples sessions

2010-10-04 Thread Christopher Schultz
Ronald,

On 10/4/2010 6:15 AM, Ronald Klop wrote:
 Do you use /jsp-examples for something?
 In production (or on all your systems) remove the jsp-examples
 context/webapp if you don't need it.

Good point: this is probably a (blind) attack by a script kiddie.

Undeploy the example webapp.

-chris



Re: Unit testing a CometProcessor Servlet

2010-10-04 Thread homerlex
 No problem. I wish I knew your name, though!

Thanks - The name is Homer :-)

On Mon, Oct 4, 2010 at 1:15 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 To whom it may concern,

 On 10/4/2010 7:43 AM, Nabble User wrote:
  Thank you for taking the time to reply Chris!

 No problem. I wish I knew your name, though!

  Yes, I understand that I could just make direct calls to events.  However,
  since we are talking about long blocking requests that don't return until
  some action is taken by other users (or the connection times out of course)
  I was curious to see what other people do to test these situations. A unit
  test that spawns multiple threads?

 I think multiple threads would be your only option.

 You could download the Tomcat source and look at the unit tests for the
 Comet code itself. Perhaps that would give you an idea of how to write
 your own tests.

 -chris




Re: session won't timeout

2010-10-04 Thread Jing Chen
Regardless of whether the user leaves the browser idle or closes the browser, as
long as the user accesses the site from an IP that is inside of client's network,
the session won't time out.  By doing the same thing from outside IP, the session
times out correctly.

In both cases, the access log does NOT have anything logged other than those
actions when the user was actually accessing the site.  So I think there is no
extra traffic being sent.  If you are talking about any other possibilities to
reset the session time out, could you please be more specific?

Thank you!
Jing


From: Rainer Jung rainer.j...@kippdata.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Thu, September 30, 2010 2:16:53 AM
Subject: Re: session won't timeout

On 30.09.2010 07:13, Caldarale, Charles R wrote:
 From: Jing Chen [mailto:jin...@yahoo.com]
 Subject: Re: session won't timeout

 The results are different - in one case, the session is
 destroyed after 30 minutes; but in another case, the
 session stay active.

 First, look in Tomcat's logs to see if there's anything interesting in there
 regarding failures that might affect the session.  Second, use Tomcat's manager
 app (or JConsole) to see what the timeout value of the sessions really is;
 something in your webapp might have changed it from the default.  Third, turn on
 Tomcat's AccessLogValve to find out if the supposedly closed browsers are still
 sending in requests.  Fourth, use Wireshark or equivalent on the client systems
 to see if any traffic is being sent to the Tomcat server, resetting the session
 timer.

Yes, activate the access log for Tomcat and change the default pattern to 
also include %S and maybe even

%S "%{Set-Cookie}o" "%{Cookie}i".

That way you can easily track the sessions.

Regards,

Rainer
