Issue while configuring CSRFPreventionFilter !
Hi all, I am trying to configure the Tomcat inbuilt filter (tomcat.valves.CiscoResponseHeaderFilter) into my $TOMCAT_HOME/conf/web.xml filter filter-nameCSRF/filter-name filter-classorg.apache.catalina.filters.CsrfPreventionFilter/filter-class init-param param-nameentryPoints/param-name param-value/index.jsp/param-value /init-param /filter filter-mapping filter-nameCSRF/filter-name url-pattern/*/url-pattern /filter-mapping But after doing this Tomcat server stuck in starting status and do not starts completely. If I comment out the filter, Tomcat starts properly. I verified the web.xml of Tomcat manager ( $TOMCAT_HOME/webapps/manager/WEB-INF/web.xml) where this filter is configured by default and found that in below is used in filter mapping filter-mapping filter-nameCSRF/filter-name servlet-nameHTMLManager/servlet-name servlet-namejsp/servlet-name /filter-mapping So when use the same in $TOMCAT_HOME/conf/web.xml, Tomcat works properly. Why i am not able to map the filter to /* url? What is the difference between using servlet name and url pattern ? Can anyone provide the inputs and help in this regard. Thanks for your time in advance. -Utkarsh
Re: Issue while configuring CSRFPreventionFilter !
2014-03-21 10:09 GMT+04:00 Utkarsh Dave utkarshkd...@gmail.com: Hi all, I am trying to configure the Tomcat inbuilt filter (tomcat.valves.CiscoResponseHeaderFilter) into my $TOMCAT_HOME/conf/web.xml 1. The above file provides defaults for all web applications. It is unwise to modify it. E.g. with such configuration you wouldn't be able to access ROOT/index.html or any of the images, css or js files. ... But after doing this Tomcat server stuck in starting status and do not starts completely. 2. Read the logs. 3. If it is stuck, take several thread dumps to see what exactly it is doing. If you do not know how to take thread dumps, see Howto page in Tomcat FAQ. If I comment out the filter, Tomcat starts properly. ... 4. As mentioned on the page below, what is your version of Tomcat? http://tomcat.apache.org/lists.html#tomcat-users Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Issue while configuring CSRFPreventionFilter !
Thanks Konstantin. My version of TOMCAT is 7.0.41 you said with this configuration i will not be able to access ROOT/index.html or any of the images, css or js files. What can i do to overcome this if i still want to go ahead configuring the $TOMCAT_HOME/conf/web.xml. Can i add them in entryPoints. ? I want to do it in this file because i dont want my 50 + webapps to modify there respective web.xml file. Rather we can configure them at 1 common place. -Thanks Utkarsh On Fri, Mar 21, 2014 at 12:17 PM, Konstantin Kolinko knst.koli...@gmail.com wrote: 2014-03-21 10:09 GMT+04:00 Utkarsh Dave utkarshkd...@gmail.com: Hi all, I am trying to configure the Tomcat inbuilt filter (tomcat.valves.CiscoResponseHeaderFilter) into my $TOMCAT_HOME/conf/web.xml 1. The above file provides defaults for all web applications. It is unwise to modify it. E.g. with such configuration you wouldn't be able to access ROOT/index.html or any of the images, css or js files. ... But after doing this Tomcat server stuck in starting status and do not starts completely. 2. Read the logs. 3. If it is stuck, take several thread dumps to see what exactly it is doing. If you do not know how to take thread dumps, see Howto page in Tomcat FAQ. If I comment out the filter, Tomcat starts properly. ... 4. As mentioned on the page below, what is your version of Tomcat? http://tomcat.apache.org/lists.html#tomcat-users Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Maven Plugin: Documentation error?
Referencing http://tomcat.apache.org/maven-plugin-trunk/executable-war-jar.html The question I find most obvious when reading this is about the packaging. The war module apparently needs to be war or jar; the pom module apparently needs to be war. Confused! Also, having both listed on the same page. Some might infer you need both. Perhaps it is missing an all-important _or_? Thanks, James
RE: HttpServletRequest Tomcat 5.5.29 to 7.0.52
Thanks for the explanation Chris. Seema Date: Thu, 20 Mar 2014 14:34:05 -0400 From: ch...@christopherschultz.net To: users@tomcat.apache.org Subject: Re: HttpServletRequest Tomcat 5.5.29 to 7.0.52 -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Seems, On 3/20/14, 1:52 PM, Seema Patel wrote: Date: Thu, 20 Mar 2014 21:12:09 +0400 Subject: Re: HttpServletRequest Tomcat 5.5.29 to 7.0.52 From: knst.koli...@gmail.com To: users@tomcat.apache.org 2014-03-20 20:55 GMT+04:00 Seema Patel seema...@hotmail.com: I think I have fixed the error I had. I have downgraded to Java 6 update 45, to see if it worked on there, but it didn't. I stayed with Java 6 to try and resolve the issue. Basically in my WEB-INF/web.xml file I have the following: filter-mapping filter-nameAuth Filter/filter-name url-pattern*.jsp/url-pattern url-pattern*.do/url-pattern dispatcherREQUEST/dispatcher /filter-mapping All requests go to the doFilter() function. In Java 5.5.29 it wasn't sending .jsp requests to the the doFilter, even though the above is in the web.xml file. In Java 6 and above, it sends the .jsp file to be processed as well. So if I comment out or take out the url-pattern*.jsp/url-pattern line, my code works. I don't know what's changed in the Java 6 code for this to not work. Does anyone know why this is so I have an understanding of it? Thanks again to all that have helped with this, I know I threw out multiple questions, just didn't want to leave anything out :) I guess s/Java/Tomcat/ in several places above. Support for multiple url-patterns did not exist in old versions of Servlet Specification, so only one of the patterns would work. Support for dispatcher also did not exist in old versions, but REQUEST is the default value here, so there is no difference. If dispatcher didn't exist and support for multiple url-patterns did not exist in older versions, then I don't know why the previous developers used it (I know this is nothing to do with you all). You can validate your web.xml file against DTD or schema it uses in any decent XML editor. My knowledge of all this isn't very good, could you please tell me what you mean by DTD or schema and could you give me an example of some XML editors I could use? Thanks XML uses DTDs or Schemas for semantic validation. http://en.wikipedia.org/wiki/Document_type_definition http://en.wikipedia.org/wiki/XML_Schema_%28W3C%29 Your XML files should either have a !DOCTYPE at the top indicating which DTD to use for validation or an xmlns[:namespace] definition at the top to use for Schema validation. Example of DTD: !DOCTYPE mbeans-descriptors PUBLIC -//Apache Software Foundation//DTD Model MBeans Configuration File http://jakarta.apache.org/commons/dtds/mbeans-descriptors.dtd; (Note that the SYSTEM id above -- the URL -- actually does not point to a valid DTD, so it may not work. Tomcat's mbeans-descriptors.xml files do not actually declare any DTD, but this is the DTD to which those files are expected to adhere.) Example of Schema: web-app xmlns=http://java.sun.com/xml/ns/javaee; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd; version=2.5 metadata-complete=true Many XML editors will already know how to validate as long as the definitions are in the files. Eclipse already does this, but sometimes it's just stupid and tells you there is no DTD/Schema even though there clearly is one. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTKzSdAAoJEBzwKT+lPKRYjVEP/3/sP9tCM/pL+7H7Ani8GKdk bYGCMbO08+VBVHr8eoU8dc33ScQ7jwqw86fGmvTjzJEtsZQyHtL1jkouTxiSMd9U Qsv/sZcnR/JlY9rixo4wO05Oh/pqX6QQ3QSlaKTvKYELS0dN2RFTRcHYfWB99tll wdHE5mgytreUG8wpURGjCroftQLvrw+NxlD1GqAL6x+tt9kScEe1skWO2E95QKjG 5VtabDQJusfPzjCA0vj4bRILJdFPf5q9hEpBumvqXoMC2pJbYXdLWCtTB8JbVRtn FKex92ygdZhnIhzVgjAFNNbc/QacXgwdT33FmhpLBeMm9ZVOhQWehLtRBu/Ugdni 6af60lU6ScGJ7cDZZS1uVvGdXsnlg3up9Fy9GXokHlI91GoBE5sar7BzdsA+OMzb At+evpXwuhbyiyDbumoqdLZFb7xIXur4diw04UeSIaFNJVUdtkF2VoOrNW0+8W/V vEzj0b2V5CPJTPgg3AIuuF//2r0FLdRSZMUVaF0/idneyujtH4o3Uc5jBWcVZqCU 2eDNuDVUdTXwUlwOmL6jgF4C8dC9REJ5Lw5A9scwiaFaXt+c70UCKIXfI0LCdBsT k19KaBjbyRJyb5u9qE2bQQBQETvz4iCTJ/lUj3GDVtnsjeoeQxzJx0AtzAgSyVL5 U+Gxnbt3JejhsCmkGfib =tcq7 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
covert a JSP with tag libs into a servlet using JspC class in apache tomcat
Hello everyone, I have a requirement where I need to convert a JSP with tag libraries into a plain servlet. I know the Jspc class in Tomcat does conversion of a plain JSP into a servlet. Im trying to figure out how to convert the JSP WITH tag libs into a servlet as well. Any help appreciated. Thank you for your time! Sunitha
Re: Trouble registering an MBean with mbeans-descriptors.xml
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Konstantin, On 3/20/14, 6:38 PM, Konstantin Kolinko wrote: 2014-03-19 20:24 GMT+04:00 Christopher Schultz ch...@christopherschultz.net: I'm trying to write my own MBean, and I have it working: the bean is registered and I can browse it using jconsole, etc., call methods, etc. At one point during the process, I believe I had the beans-descriptors.xml file actually being loaded, so that my customized descriptions of attributes and methods were being shown in jconsole. At some point, I changed something and they are no longer showing up. It looks like I'm getting an introspected MBean description instead of the declared one I want. All the attributes for example are described as Attribute exposed for management. I've set org.apache.tomcat.util.modeler.level=ALL and the same for the Console logger, so I'm getting a steady stream of output from the modeler package, including a whole bunch of messages like this: FINER [main] org.apache.tomcat.util.modeler.Registry.loadDescriptors Finding descriptor org/apache/catalina/authenticator Great. What I don't see is a similar message for my own MBean. It doesn't look like Tomcat is ever trying to load the mbeans-descriptors.xml file for my MBean. Here's what I've got: 0. Tomcat 8.0-trunk 1. A JAR file in CATALINA_BASE/lib containing my MBean interface, class, and mbeans-descriptors.xml, all in the same package (imaginatively called mbeans), and a Filter class that creates the bean and registers it with the MBean server. 2. The Tomcat examples webapp, with modifications to WEB-INF/web.xml to load the aforementioned Filter. Here's the whole mbeans-descriptors.xml file: 1. Does your web application start, at all? Does you filter start? Yes to both. 2. How exactly are you registering your MBean? This code in the Filter's init() method: import javax.management.MBeanServer; ... MBeanServer server = getServer(); server.registerMBean(_stats, new ObjectName(Example:RequestStats=RequestStats,name= + filterName;)); Are you using Modeler API for that? (Registry.registerComponent()) No, I'm using JMX API. Maybe I wasn't clear enough initially: every single thing is working correctly: the Filter runs, registers the bean, and collects data properly. I can see everything in jconsole, etc. The only thing that is missing is all the descriptions for the operations and attributes that I have put into my mbeans-descriptors.xml file. All the descriptions say (Operation|Attribute) exposed for management. 3. Maybe run with a debugger? Yes, this is the conclusion I'm coming to. I've never run Tomcat under the Eclipse debugger before. Time to learn. ?xml version=1.0? mbeans-descriptors mbean name=RequestStats className=org.apache.catalina.mbeans.ClassNameMBean description=Server statistics and configuration domain=Catalina type=mbeans.RequestStats 4. I see that many mbeans have a group attribute. Yours does not have one. (Actually it seems that this attribute is optional and is ignored. There are no calls to ManagedBean.getGroup() except in ManagedBean.toString()). +1 I'm writing an example MBean for ApacheCon and I didn't want to include things that weren't absolutely necessary. 5. I hope that you do not have the second copy of your jar inside of your webapp. So that it shadows the one in the lib/ directory. I do not in fact have a second copy of that JAR in my web application. I'm using Tomcat's examples web application with only a modified web.xml to deploy the Filter. The Filter class itself is packaged in the JAR along with the MBean and exists only in CATALINA_BASE/lib. 6. Apparently many mbean descriptors are pre-loaded when Tomcat starts - in o.a.c.mbeans.MBeanUtils.createRegistry() I could swear that it was working when I started with my initial implementation. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTLINbAAoJEBzwKT+lPKRYgIsQAJ/HXcznaL+P/SqUEGeN0vsO esWi7O9m3LoCRze4vMsYPZ9RfsWzq/Bu4kxGg2Z0oVUnXniGF2sJytZGjwu6URcj iSLFGvBon4vGqoy3f6K2BPlo+34GvTdX7L4p0hlTby+Db/7uGxpiK94P4vSMPVgJ 4HJUS9HkIYdM40I/tvyy3YnWxGCY2mXUcPSgyrCuHzjWEcD46BRY8gUFyFyFbRUh Lqd/qNY9ASBf2xY6M4Jr7i0kjO58sjc6Gfltb9nvAmnDDjf657kZXAj4qgY/GXKG 4sLgjvhJb1ZHYATgw/bkwSuPkRpIilv9gqpE7+OT8XMN3wXrFD/KPvWThMj6QxT9 xrVmoQbCTuCNoOp6ncHWa7ZSsueMbKPx1hNeNVusHD+vuJinGmb4sTuONYc4oCCU 7nL95I2/9pjA8tGVCiuXxKUc7e4eR6/7ZkJ3ag7uo8MnvGIVQX4pDJT1lImJky2T TmHujlmhkO7KDqxSqtFhoBuD9ChJPwK4Qa3PjIWvj+8AYXrlOZQMcDaE2we7QsbN w8yTaSSxWypIe/gQyZu22A5a7NHs5JEI9YytvVdBYZUKBGT+GSvc8Oq8CYr8hRxP +1Dzxun0G9QKd/L/VNnZ213WECC+a+LLSBWWoazM6qstPA/wjJ2s+IR7DhhMpr6s xxCKscJgPjbkW+4kiZSO =3bzv -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For
Re: Issue while configuring CSRFPreventionFilter !
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Utkarsh, On 3/21/14, 3:01 AM, Utkarsh Dave wrote: Thanks Konstantin. My version of TOMCAT is 7.0.41 you said with this configuration i will not be able to access ROOT/index.html or any of the images, css or js files. What can i do to overcome this if i still want to go ahead configuring the $TOMCAT_HOME/conf/web.xml. Stop right here. Remove your Tomcat installation: you have corrupted it. Re-install a new one. Then, without editing anything in TOMCAT_HOME/conf, install your web application. Now, edit the file TOMCAT_HOME/webapps/yourwebapp/WEB-INF/web.xml instead and add your Filter. Can i add them in entryPoints. ? I want to do it in this file because i dont want my 50 + webapps to modify there respective web.xml file. Rather we can configure them at 1 common place. You do not want to do this, because the configuration for the Filter is likely to be different in all of your web apps. If you want CSRF protection in each web application, then you should configure them appropriately. Your web applications should be self-contained. If you don't want to hand-modify your individual web.xml files, then write a deployment procedure that does it for you. If you tinker around with conf/web.xml you are more likely to break things than solve anything. As you say, Tomcat won't even start up right now due to your edits. I am trying to configure the Tomcat inbuilt filter (tomcat.valves.CiscoResponseHeaderFilter) into my $TOMCAT_HOME/conf/web.xml Is that a typo? Did you mean CSRF instead of Cisco? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTLISxAAoJEBzwKT+lPKRYnesP/R/IlCCfjarAYzEORcXB/wkw 0//Ew5ky3bnEOMRwPuE6loov2toyQ7KDqlfNFItw4CZcq0XrXHLHcIY2dE7Yz9j7 rDqDgLEl7Gh53LrFitvjnwryyY4I11gqKPxdpa/Mm9z2DhsltUuKKYgALcLKre4K hYf6z36SBrpDUSsJBa6ALxLCrLliCs41K/3WjIdtICRZhkHx+4subgtKTyZu1d4n Fngw2IShCXxf8Ai5w12P0hoZtk1SP4TZumV77YmtvEMbjSbYJEIzYiul6YTWTq9b PtTIikZHq3qgUpHSCrj++hqxROVseHi0BouRSJs8ku8DxYNPhhNFEt5rKq6cw67x BiX6scnZmhb3wZBKUF/R4nzH+6WBLbKwJdfPHOAOFInTEMYpEJwcjK8h7IeCvaLJ VRaL8zbuDjNqCzfuJG42gVs3dVDFVv9cuYUOHaBCi3vPhUcRQGPRYdLlxoZIkvIm uSCNqC4eoD3E7INKkrLexjmTzEF37eFWa43K8CgLlIolo/G9lRrxCMO7uGRBM+OV WbTIogfxRrtojq5uAdWfDNwn7sg0rQhhJ4OG1MBLM8gOBSwcWGMBNHysviiaeYiN GDGGClm7t3LQqIAoi5eKoE8ZE6RadF1D7wFTjT6/RkpZbzNpZZL+DgrPGM/kNOEo 80ijs0neNnq52gxmjcO9 =0kf8 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: covert a JSP with tag libs into a servlet using JspC class in apache tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sunitha, On 3/21/14, 8:49 AM, Sunitha Thummala wrote: Hello everyone, I have a requirement where I need to convert a JSP with tag libraries into a plain servlet. I know the Jspc class in Tomcat does conversion of a plain JSP into a servlet. Im trying to figure out how to convert the JSP WITH tag libs into a servlet as well. Jspc can handle JSPs that use tag libraries. What is the problem? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTLITaAAoJEBzwKT+lPKRYzfMQAKl2EAiQKiyXEwmNMSvjCO/u gr5Ug4Bli8i6o9QazZFkP9fJdKnR3Mse6nZGMss7u3Ng9xvj4u4cuNd4i1XjlwwC M2pxeaVosbsnyKHcVX5ghrSGQEL8gStoBATaFpuiXJqnj+U3+OodYgQJcNMxDGzW /lVdBcS5TVlsRiZL8l8h+qCMCmImlq9sfeJOGj3QchWaiBArYqiPrFjxuiZ8cLje AR1kMXFtvCTFbRjEl0imX4/ZNDG2WVANG8B/7GXD1U5mN/KzyId61g/+CkB489VD 6+14ym63Hwe1mO1X9JeFypC0+VNQUxJ5Y6+Gfc0rOLWPlQPd2m3TAv6ufrVU+VgU 7eDpKu9l2krwEtZDCAtaFy4hFVvefSGJnZlMPMJ3c8ZM0UbSUmvrkvC/Enz8fghB LdkkZEZXK/oYKt20JyCiiifAiw5v4qNgr+jx9jyA8PsoHdjTjTiLwotBJntShHxb wqfdA77oI34X3pYyQNBozS4+0qXhbiy9E1zJCWUG49xGTTk4hOlyvT/hOU5iU1dE DugU5Inl2c/gbritf0q0ZU6cdXXX7GdNpcZbKKCPZmYVaPsc9WxTnZE4FptDCWBT SWr3chyLjzzhFmqutfT19Y8ZeRSgKb5Kpk3mj5s394AYI7fYM3H/kumLC2jbGlZr LkAOeqZl4ZdjuEgM7qfN =GzYJ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: 回复: 回复: tomcat 5 logs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 改变自己, On 3/20/14, 10:24 AM, 改变自己 wrote: thank you very much for your detailed explanation , now i just resolved it with another way, i used a cronlog.exe which is a executable file and can be used for produce daily files; Does it actually work? You are just using it in a piped-way like this, right? java (options) | cronolog.exe (options) For some reason, I've never trusted long-running pipes on Windows... and other configration is the same as my primary way. Glad you solved your issue. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTLIW2AAoJEBzwKT+lPKRYFrEQAMh8qgx8zR7tNvH84qI924WL ya7v1Sw3hoT5H805YIUznyR4ystq9M66dXfJrykftaeffqcl183qrBbCfO6GziqO HoQyt/l3G2wEBU5Dd5Qary17n5/di7hl0WmjQuyHu3Tyh4sxEYHAh3OOe9T5OYxO Cg1JiMoYQV25jwOYkGT8kQyTXirpP4gXJ7IiVK8x7CSNfH1QraA/8PdRWPo5w42s yJpEjNsWt+SQhWgDa/g6ACn7QcPk0vyPfxxO1v9XrFA5JHnRvWJMziRKAJ4WA3Fq YDHPzBrqjp0d11nhW1hn5KnYjFoUfdro8ez4lMqv+3vntbijQMd5Nx8oEHEKMAmA cN+ZouuEElDIduUiBRRXmFShm/9UdZGH/GI2t0E+xJMKtJkJrG5UrbgNvusVVo3A GT9i4ImsvwwG6P1QLKaRu2Zceyv6LpLvID1hVuMnNsS+eWX2cO1vGrWhG+7pJlq3 xg6zm+72LHH3b+CS/u4eS+J6HeZ6qBxtHdszH45h804bm6QS0l8xEOroFEfTfYaD aSb4Ngu3g9KvWNYPwe1B0ANPXn/dLz97vIzW84KXK96zvuyJCSgoguQvJGcTpIxS hLmhBtaJSaszuGj3E47nn5ZmnhQQDU3fLy3W7HnL4Ka0hYde97tldXGlPHNTL88S maUWwlWYH8LZ+B3625Wn =zujf -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
