Re: Configuration question

2014-04-17 Thread Terence M. Bandoian

On 4/17/2014 9:01 AM, Mark Murphy wrote:

> Here is the configuration, as you can see the default host is set and the
> IP is not aliased.
>
> in server.xml
> ...
>
> ...
>
> ...
>
> ...
>
>  www.torque-wrench-recalibration.com
>  www.myerstorquetracker.com
>
> ...
>
> in web.xml
> ...
>
>  Entire App
>  /*
>
>  CONFIDENTIAL
>
> ...
>
> On Thu, Apr 17, 2014 at 9:42 AM, Jeffrey Janner wrote:
>
> > > -Original Message-
> > > From: Mark Murphy [mailto:jmarkmur...@gmail.com]
> > > Sent: Wednesday, April 16, 2014 12:42 PM
> > > To: Tomcat Users List
> > > Subject: Configuration question
> > >
> > > How do I prevent Tomcat 6 from responding to a request to an IP
> > > address, that is I only want my Tomcat server to respond to requests to
> > > www.mydomain.com vs. 10.1.1.1.
> > >
> > > Is this possible?
> >
> > To address the question asked:
> > The easiest way may be to create a dummy <Host> entry with an <Alias>
> > entry for the IP Address. Do not allocate any contexts to the host, or
> > perhaps one that points to an empty directory.  Haven't tested it, just a
> > thought.
> > However read rest of answer.
> >
> > > The problem is that our web security scanner is reporting "Web Server
> > > Uses Basic Authentication Without HTTPS", and the infrastructure guys
> > > think it is because Tomcat allows connection to the IP address.
> > >
> > > Does this make sense?
> >
> > No this does not make sense.  If the IP isn't returning HTTPS, then your
> > DNS name probably isn't either. Tomcat doesn't care about the supplied
> > name, except to match it to the <Host> entry in server.xml.  You didn't
> > post your config, but I'm assuming that the default host is set to
> > www.mydomain.com, and the IP address isn't aliased. If it is not that
> > way, you should either correctly set your default host, or add an <Alias>
> > entry for the IP address to your <Host> config.
> >
> > You'd definitely get this response if your default host was still set at
> > the default of "localhost", instead of your <Host> entry's name value,
> > there was no <Alias> entry for the IP, and the security tester was testing
> > against IP as well as name (though one would expect the report to indicate
> > this).



Is the manager app deployed?

-Terence Bandoian


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat @ Windows & Cyrillic

2014-04-17 Thread Christopher Schultz

André,

On 4/15/14, 4:41 PM, André Warnier wrote:
> Petr Nemecek wrote:
>> Hi all,
>> 
>> I need to use cyrillic in my webapp.
>> 
>> What I did:
>> * Added -Dfile.encoding=utf-8 to the Java options
>> * Added URIEncoding="UTF-8" to the connector in server.xml
>> 
>> What I achieved:
>> * When I send a request with cyrillic chars to the Tomcat, it's
>>   properly received.
>> * When I send response with cyrillic chars out of the Tomcat, it's
>>   properly sent.
>> 
>> What I did not achieve (and asking you kindly for help):
>> * When my webapp, sitting in the Tomcat, sends a request containing
>>   cyrillic chars, these don't go out. So when I try to send out
>>   e.g. "PrahaСимферополь", just "Praha" goes out. By sending out I
>>   mean calling cxf web service. When I call that webservice
>>   directly (from jar, not from Tomcat), everything works fine.
>> 
>> Any idea?
>> 
> 
> When an application (running under tomcat or not) "sends a request"
> to some external service, it uses some code to do that, which is
> not part of the tomcat code. Which code/library are you using for
> that ?

+1

Most libraries have a way to set the character encoding used for
everything. Generally speaking, I would avoid using non-US-ASCII in
URLs because not all servers behave the way you'd expect. If you send
the data in a request body with a proper Content-Type header,
everything should be fine.

-chris



Re: Tomcat logging with Log4j

2014-04-17 Thread Christopher Schultz

Scott,

On 4/16/14, 10:15 AM, Scott Bailey wrote:
> I was able to get one of our developers and it was simple for them
> to add the logging for our app to the logback we are using a file
> and add logging rotation. My issue is resolved. Thanks for the
> help though.

Glad to hear you got your issue fixed, though you didn't actually tell
us how it was fixed. It would help others if you would explain what you
had to do to fix this.

I'm not sure why you want to log to the console (stdout), but it looks
like you've managed to do it.

-chris



Re: removeValve() in Container object

2014-04-17 Thread Mark Thomas
On 17/04/2014 19:15, Joaquin Obieta wrote:



> The Tomcat 7 ContainerBase object still has references to removeValve, but 
> not the method. The Tomcat 6 documentation has the method explicitly defined:
> 
> https://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/core/ContainerBase.html
> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/core/ContainerBase.html
> 
> Any help would be appreciated.

Context.getPipeline().removeValve(Valve)

Mark





removeValve() in Container object

2014-04-17 Thread Joaquin Obieta
We are upgrading a solution to Tomcat 7 and have run into several challenges in 
dealing with the Tomcat context.

We've overcome how to retrieve the context object, but are currently struggling 
with a replacement for the "removeValve()" method.

In Tomcat 6, that method was inherited by StandardContext from ContainerBase. 
See 
https://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/core/StandardContext.html

In the Tomcat 7 documentation, 
https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/core/StandardContext.html,
 there is no mention of it.

The Tomcat 7 ContainerBase object still has references to removeValve, but not 
the method. The Tomcat 6 documentation has the method explicitly defined:

https://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/core/ContainerBase.html
https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/core/ContainerBase.html

Any help would be appreciated.

JFO

Joaquin Obieta | Blackboard Inc.
Consultant, Blackboard Consulting
jobi...@blackboard.com
650 Massachusetts Ave NW, 6th Floor
p: 202.463.4860 x2807
p: 800.424.9299 x2807
Visit us online at:  www.blackboard.com



Re: [OT] Configuration question

2014-04-17 Thread Mark Murphy
No frameworks, no standard configurations, it is so bad that the only way
to deploy changes is to manually find the file that needs replacing, and
replace it. I can't even use a war file to deploy. If I was in charge, I
would probably rewrite even if it was still Java, though I might be able to
keep some of the components.


On Thu, Apr 17, 2014 at 11:44 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Mark,
>
> On 4/17/14, 11:01 AM, Mark Murphy wrote:
> > Yes, I inherited this mess part time when the original developer
> > left, and am trying to keep it alive, and fix problems as they
> > arise. There are a lot of issues, some cosmetic, and others not so
> > much. The current staff is planning to rewrite using an environment
> > that they are more familiar with, probably .NET. In the meantime I
> > need to keep this thing on life support.
>
> Ugh, that's too bad. I've seen that kind of thing happen many times: a
> new group comes in and re-writes everything, rather than getting a
> group of people who can do a better job with what they've got.
>
> It doesn't matter to me that Java is being abandoned for .NET -- .NET
> is a great environment as I understand -- but the fact that a whole
> lot of work is being trashed just seems like a waste.
>
> Then again, if the pages are that bad, perhaps the code is just as awful.
>
> -chris


Re: [OT] Configuration question

2014-04-17 Thread Christopher Schultz

Mark,

On 4/17/14, 11:01 AM, Mark Murphy wrote:
> Yes, I inherited this mess part time when the original developer
> left, and am trying to keep it alive, and fix problems as they
> arise. There are a lot of issues, some cosmetic, and others not so
> much. The current staff is planning to rewrite using an environment
> that they are more familiar with, probably .NET. In the meantime I
> need to keep this thing on life support.

Ugh, that's too bad. I've seen that kind of thing happen many times: a
new group comes in and re-writes everything, rather than getting a
group of people who can do a better job with what they've got.

It doesn't matter to me that Java is being abandoned for .NET -- .NET
is a great environment as I understand -- but the fact that a whole
lot of work is being trashed just seems like a waste.

Then again, if the pages are that bad, perhaps the code is just as awful.

-chris



Re: [OT] Configuration question

2014-04-17 Thread Mark Murphy
Yes, I inherited this mess part time when the original developer left, and
am trying to keep it alive, and fix problems as they arise. There are a lot
of issues, some cosmetic, and others not so much. The current staff is
planning to rewrite using an environment that they are more familiar with,
probably .NET. In the meantime I need to keep this thing on life support.


On Thu, Apr 17, 2014 at 10:40 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Mark,
>
> On 4/17/14, 10:01 AM, Mark Murphy wrote:
> > Here is the configuration, as you can see the default host is set
> > and the IP is not aliased.
> >
> > in server.xml
> > ...
> > connectionTimeout="2" redirectPort="443" />
> > ...
> > protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
> > scheme="https" secure="true" SSLEnabled="true"
> > keystoreFile="xxx.keystore" keystorePass="xxx"
> > keyAlias="xxx" clientAuth="false" sslProtocol="TLS" />
> > ...
> > defaultHost="www.torquewrenchrecalibration.com">
> > ...
> > name="www.torquewrenchrecalibration.com"  appBase="webapps"
>
>
> Just for the heck of it, I visited this site. The markup there is
> horrendous. It's not well-formed, does not conform to the HTML spec,
> and has a bunch of totally superfluous Javascript.
>
> Did your security vendor complain that the server responds with
> "Server: Apache-Coyote/1.1"? They often do, even though it makes no
> difference whatsoever IMHO.
>
> -chris


Re: http status 400 question

2014-04-17 Thread Christopher Schultz

David,

On 4/16/14, 7:54 PM, David Wall wrote:
> 
> On 4/16/2014 3:17 PM, Christopher Schultz wrote:
>> 
>> The access log of course does not give the whole story. It's
>> possible that the client sent for example a badly-formed HTTP
>> header value. In those cases, the request-line (shown in the
>> access log) can be read and the target context determined, but
>> the headers can fail.
>> 
>> Can you narrow-down the types of requests that cause this to
>> occur at all? If so, you could enable a request dumper and set it
>> to match those requests (I think you have to write a Valve to
>> sniff the request and place an attribute in the request in order
>> to trigger the request dumper to dump the request). I wouldn't
>> recommend using the request-dumper on all requests: it would slow
>> everything to a crawl and likely represent a privacy problem as
>> well).
>> 
>> -chris
> 
> Chris,
> 
> Thanks for the reply.  We're not sure about the status 400s --
> like today, we show 349 of them, but yesterday it was 157, and on
> Monday 122.  The prior Wednesday, there were 0.
> 
> Some appear to be hack attempts or the like with requests like
> this:
> 62.210.114.138 - - [10/Apr/2014:04:02:28 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 - 0 -
> 62.210.114.138 - - [10/Apr/2014:04:02:28 -0400] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 - 0 -
> 
> But most seem to be a combination of images and JSPs that are on
> our system.  Even the user agent strings appear to be highly varied
> and requests come throughout the day.
> 
> I've never done a request dumper before, but is there a way to
> trigger it only if Tomcat is going to issue a 400?

I don't think so. You could probably write a 400-error-handler and
register it with your web application. It's possible that Tomcat won't
dispatch such a request to the error handler for a number of reasons.
If it doesn't work in your own webapp, try deploying it to the ROOT
webapp.

I'll take a look at the code to see if maybe we can conditionally log
something somewhere when we get a 400 error. You can probably get
information about it by enabling DEBUG logging on the component that
throws the 400 error, but you'll likely get a huge amount of output in
that log file, which you obviously don't want.

> We run the same sort of software on other servers that seem to
> have these only rarely, and the access logs make them appear like
> they are hacker/sniffers perhaps:
> 
> 107.152.128.226 - - [31/Dec/1969:16:00:00 -0800] "-" 400 - 0 -
> 107.152.128.226 - - [31/Dec/1969:16:00:00 -0800] "-" 400 - 0 -
> 188.95.234.6 - - [16/Apr/2014:04:59:58 -0700] "HEAD / HTTP/1.1" 400 - 0 -

Requests with "-" as the request are often "internal" requests as
reported by Apache httpd. Are you seeing these in your /Tomcat/ logs?

Doing a "HEAD /" in and of itself isn't an indication of nefarious
activity, but given that it returned a 400 and likely represents a Bad
Request (probably due to headers, since "HEAD /" is perfectly legal),
then it might be probing you for some specific vulnerability like
HTTP request-splitting or something like that.

> But the ones originally mentioned seem to be more likely coming
> from regular users.  What is odd is we've never had any reports of
> users complaining, but you'd think those 400s would cause someone
> to grumble. Because they appear to have valid URLs in the access
> logs, often containing the unique 20 random characters that are
> used by our application to identify a specific resource, it seems
> unlikely they are also hacker types.  The links otherwise work if
> we enter them into our browser and they should be impossible for
> others to guess.

It could also be possible that a browser is incorrectly-formatting
something. Do you make extensive use of cookies? Do you ever store
anything in a cookie name or value that isn't in US-ASCII? If so, you
might have some edge cases where the overwhelming majority of your
users are fine but some folks with Greek names or whatever step-over
into non-US-ASCII and hit some edge cases with either the browser or
Tomcat itself.

-chris
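
The triage discussed in this exchange, as an added example that is not part of the original thread: it sorts 400 entries by whether the request line itself was absent, malformed, a known scanner path, or well-formed (the case where headers or cookies are the next thing to inspect). The class and enum names are hypothetical, and the sample lines are constructed in the format of the log lines quoted above, using documentation address ranges.

```java
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.EnumMap;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (hypothetical class name): sorts HTTP 400 access-log entries by likely cause. */
public class Status400Triage {

    enum Cause {
        NO_REQUEST_LINE,        // logged as "-": nothing parsable arrived
        MALFORMED_REQUEST_LINE, // not "METHOD target HTTP/1.x"
        SCANNER_SIGNATURE,      // the w00tw00t probe path quoted in the thread
        VALID_REQUEST_LINE      // request line is fine, so look at headers and cookies
    }

    // host ident user [time] "request line" status ...
    private static final Pattern ENTRY = Pattern.compile(
            "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"([^\"]*)\" (\\d{3})\\b.*$");
    private static final Pattern REQUEST_LINE = Pattern.compile("^[A-Z]+ (\\S+) HTTP/1\\.[01]$");
    private static final DateTimeFormatter CLF_TIME =
            DateTimeFormatter.ofPattern("dd/MMM/yyyy:HH:mm:ss Z", Locale.ENGLISH);

    static Cause classify(String requestLine) {
        if (requestLine.isEmpty() || requestLine.equals("-")) return Cause.NO_REQUEST_LINE;
        Matcher m = REQUEST_LINE.matcher(requestLine);
        if (!m.matches()) return Cause.MALFORMED_REQUEST_LINE;
        if (m.group(1).toLowerCase(Locale.ENGLISH).contains("w00tw00t")) return Cause.SCANNER_SIGNATURE;
        return Cause.VALID_REQUEST_LINE;
    }

    /** Day bucket; a time equal to the Unix epoch means the entry carries no real timestamp. */
    static String dayOf(String clfTime) {
        try {
            OffsetDateTime t = OffsetDateTime.parse(clfTime, CLF_TIME);
            return t.toEpochSecond() == 0 ? "no-timestamp" : t.toLocalDate().toString();
        } catch (DateTimeParseException e) {
            return "unparsable-time";
        }
    }

    /** Counts 400 responses per day and cause; other statuses and unparsable lines are skipped. */
    static Map<String, Map<Cause, Integer>> summarize(String[] lines) {
        Map<String, Map<Cause, Integer>> byDay = new TreeMap<>();
        for (String line : lines) {
            Matcher m = ENTRY.matcher(line);
            if (!m.matches() || !m.group(4).equals("400")) continue;
            byDay.computeIfAbsent(dayOf(m.group(2)), d -> new EnumMap<>(Cause.class))
                 .merge(classify(m.group(3)), 1, Integer::sum);
        }
        return byDay;
    }

    public static void main(String[] args) {
        // Constructed sample in the format of the lines quoted in the thread
        // (addresses are documentation ranges, the resource token is made up).
        String[] sample = {
            "192.0.2.10 - - [10/Apr/2014:04:02:28 -0400] \"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1\" 400 - 0 -",
            "198.51.100.7 - - [31/Dec/1969:16:00:00 -0800] \"-\" 400 - 0 -",
            "203.0.113.5 - - [16/Apr/2014:04:59:58 -0700] \"HEAD / HTTP/1.1\" 400 - 0 -",
            "203.0.113.9 - - [16/Apr/2014:09:12:01 -0700] \"GET /app/view.jsp?id=Zq3kT8mWcV2xLp9RbN4a HTTP/1.1\" 400 - 0 -",
            "203.0.113.9 - - [16/Apr/2014:09:12:05 -0700] \"GET /app/logo.png HTTP/1.1\" 200 5120 3 -",
            "192.0.2.44 - - [16/Apr/2014:11:30:40 -0700] \"GET /index.jsp\" 400 - 0 -"
        };
        summarize(sample).forEach((day, causes) -> System.out.println(day + " " + causes));
    }
}
```

Entries that land in VALID_REQUEST_LINE are the ones worth correlating with cookie contents or client headers, since the request line alone does not explain the rejection.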



RE: Best practice to programmatically get the disableURLRewriting context attribute value

2014-04-17 Thread Sauvel Laurent
Thanks for your answer.

1. Before testing the code below with different Tomcat configurations, I would 
like to know if there is a better way to do what I want. I'm not really 
satisfied with this code that is closely related to Tomcat classes.

2. The original problem is that I would like to:

a) prevent Tomcat (6.0.x, including versions older than 6.0.30) from adding the 
";jsessionid=xxx" string to the URL when there is no cookie named JSESSIONID in 
the client browser
b) prevent jsessionid hijacking via the url, i.e redirect to an error page when 
the "jsessionid=" string is detected in the URL

Lo

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, April 17, 2014 11:54
To: Tomcat Users List
Subject: Re: Best practice to programmatically get the disableURLRewriting
context attribute value

On 10/04/2014 14:01, lo lo wrote:
> Tomcat version 6.0.x on Linux OS
> 
> Hi all,
> 
> I have an application deployed on several customers Tomcat servers.
> 
> The Tomcat versions are different (6.0.16, 6.0.37, etc.) and asking 
> all customers to upgrade to the latest Tomcat version would be too tricky.
> 
> I would like to programmatically get the disableURLRewriting context 
> attribute value, when it exists (i.e Tomcat 6.0.30 onwards).
> My purpose is to add a tuckey.org/urlrewrite filter rule that 
> redirects the user to an error page when the 'jsessionid=' string is detected 
> in the URL.
> if (disableURLRewriting exists and its value is true) -> the filter
>   rule should be applied
> if (disableURLRewriting doesn't exist or its value is false) -> the
>   filter rule should not be applied because Tomcat 6 adds
>   ';jsessionid=xxx' when there is no cookie in the client browser
> 
> The only way that I have found to achieve this on different Tomcat 
> versions is to use Tomcat classes:
> 
> import java.lang.reflect.Method;
> import org.apache.catalina.Container;
> import org.apache.catalina.ServerFactory;
> import org.apache.catalina.core.StandardContext;
> import org.apache.catalina.core.StandardEngine;
> 
> // Reads disableURLRewriting by reflection so the code also loads on
> // Tomcat versions where the getter does not exist.
> public boolean isDisableURLRewriting(StandardContext standardContext) {
>     Method isDisableURLRewritingMethod = null;
>     try {
>         isDisableURLRewritingMethod =
>             StandardContext.class.getMethod("isDisableURLRewriting");
>     } catch (Exception e) {
>         // the method does not exist or is not accessible
>     }
>     if (isDisableURLRewritingMethod != null) {
>         try {
>             return ((Boolean)
>                 isDisableURLRewritingMethod.invoke(standardContext)).booleanValue();
>         } catch (Exception e) {
>             throw new RuntimeException(
>                 "Unable to invoke the isDisableURLRewriting method on the standard context");
>         }
>     }
>     // the method does not exist, we return false
>     return false;
> }
> 
> // Look up this webapp's StandardContext under the engine's default host
> StandardEngine engine = (StandardEngine)
>     ServerFactory.getServer().findService("Catalina").getContainer();
> Container container = engine.findChild(engine.getDefaultHost());
> StandardContext standardContext = (StandardContext)
>     container.findChild(context.getContextPath());
> if (isDisableURLRewriting(standardContext)) {
>     // apply the rule
> } else {
>     // don't apply the rule
> }
> 
> 1. Will this code work for every Tomcat configuration?
> (I know that this code works when the context file is in the 
> conf/Catalina/localhost directory with the default server.xml file, 
> but I don't know if it will work when several hosts are defined in the 
> server.xml file, because I'm using engine.getDefaultHost())

So maybe you should test that and see what happens.

> 2. Is there a better way to achieve this? (maybe without using Tomcat
> classes?)

It depends on what you are trying to achieve. You have described a problem with 
your current solution but not what your original problem is.

Mark





Re: Apache Tomcat 7 load-balancing and clustering

2014-04-17 Thread Christopher Schultz

Fidelis,

On 4/17/14, 7:14 AM, MNYANYI, FIDELIS wrote:
> Hi,
> 
> I'm relatively new to Apache Tomcat, especially on 
> clustering/load-balancing. The question I have is:
> 
> Can I implement load-balancing of Apache Tomcat 7 instances using 
> native solutions if any. I mean without putting either Apache
> HTTPD or other load-balancing hardware/software in front of my
> Apache Tomcat servers? The documentations I have read so far talk
> of installing Apache HTTPD and installing mod_jk on top of Apache
> HTTPD. The question here is, does Apache Tomcat not come with its
> own Apache HTTPD that I can use instead of installing another one
> in front of my Tomcat?

As others have said, Tomcat needs some help. But you have more options
than just Apache httpd and some expensive hardware load-balancer. You
can use one of the other fine products like Nginx, lighttpd, Squid,
IIS (maybe not "fine", but still available) or others to act as a load
balancer / reverse proxy.

Tomcat has never implemented this kind of thing because honestly it
really doesn't make any sense. Tomcat should be a web application
server that must have an HTTP front-end. Acting as a reverse proxy is
really out of scope, and other products are much better-suited to this
kind of task.

-chris



Re: [OT] Configuration question

2014-04-17 Thread Christopher Schultz

Mark,

On 4/17/14, 10:01 AM, Mark Murphy wrote:
> Here is the configuration, as you can see the default host is set
> and the IP is not aliased.
> 
> in server.xml
> ...
> connectionTimeout="2" redirectPort="443" />
> ...
> protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
> scheme="https" secure="true" SSLEnabled="true"
> keystoreFile="xxx.keystore" keystorePass="xxx"
> keyAlias="xxx" clientAuth="false" sslProtocol="TLS" />
> ...
> defaultHost="www.torquewrenchrecalibration.com">
> ...
> name="www.torquewrenchrecalibration.com"  appBase="webapps"


Just for the heck of it, I visited this site. The markup there is
horrendous. It's not well-formed, does not conform to the HTML spec,
and has a bunch of totally superfluous Javascript.

Did your security vendor complain that the server responds with
"Server: Apache-Coyote/1.1"? They often do, even though it makes no
difference whatsoever IMHO.

-chris



RE: Patching Tomcat for Heartbleed

2014-04-17 Thread Cormier, Greg
Chris/Konstantin,

Thanks for your help. It was indeed the wrong binary, I had used the x32 
instead of x64. I also forced APR as recommended. Kicked the server and we're 
all good!

Many thanks,

Greg


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: April-16-14 6:13 PM
To: Tomcat Users List
Subject: Re: Patching Tomcat for Heartbleed


Greg,

On 4/16/14, 2:28 PM, Cormier, Greg wrote:
>> -Original Message-
>> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
>> Sent: April-16-14 2:12 PM
>> To: Tomcat Users List
>> Subject: Re: Patching Tomcat for Heartbleed
>> 
>> 2014-04-16 21:44 GMT+04:00 Cormier, Greg:
>>> I have a Tomcat 7.0.30 server I'm trying to patch to resolve the
>>> heartbleed exploit.
>>> 
>>> I shut down the server and overwrite tcnative-1.dll with the
>>> recently released version.
>>> 
>>> When I restart tomcat, I get errors about the Java Key Store.
>>> 
>>> Apr 16, 2014 9:36:07 AM org.apache.catalina.core.AprLifecycleListener init
>>> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: D:\Tomcat 7.0\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\OpenSSL-Win32\bin;;.
>> 
>> The above means that tcnative-1.dll was not found in the directories 
>> listed above.
>> 
>> I would guess that you used a wrong DLL. It must match the CPU 
>> architecture of JRE/JDK that you are using.
>> 
>> Is tcnative-1.dll file readable?
> 
> Hmm, I think this might be the case - I may have snagged the 32 bit 
> version instead of 64 bit! I will try this after business hours so I 
> can take Tomcat offline and let you know!

If you bounced Tomcat and got the above error, then your connector is dead 
anyway. Unless you rolled-back to the prior configuration, you are already down.

If you are pretty sure you are not down even with the above errors, then 
perhaps you don't need that connector at all. Is Tomcat terminating SSL for 
you? No web server or SSL-terminating load-balancer in front of Tomcat?

-chris



Re: Configuration question

2014-04-17 Thread Mark Murphy
Here is the configuration, as you can see the default host is set and the
IP is not aliased.

in server.xml
...

...

...

...
  
www.torque-wrench-recalibration.com
www.myerstorquetracker.com
  
...

in web.xml
...

  
Entire App
/*
  
  
CONFIDENTIAL
  

...



On Thu, Apr 17, 2014 at 9:42 AM, Jeffrey Janner  wrote:

> > -Original Message-
> > From: Mark Murphy [mailto:jmarkmur...@gmail.com]
> > Sent: Wednesday, April 16, 2014 12:42 PM
> > To: Tomcat Users List
> > Subject: Configuration question
> >
> > How do I prevent Tomcat 6 from responding to a request to an IP
> > address, that is I only want my Tomcat server to respond to requests to
> > www.mydomain.com vs. 10.1.1.1.
> >
> > Is this possible?
> >
> To address the question asked:
> The easiest way may be to create a dummy <Host> entry with an <Alias>
> entry for the IP Address. Do not allocate any contexts to the host, or
> perhaps one that points to an empty directory.  Haven't tested it, just a
> thought.
> However read rest of answer.
>
> > The problem is that our web security scanner is reporting "Web Server
> > Uses Basic Authentication Without HTTPS", and the infrastructure guys
> > think it is because Tomcat allows connection to the IP address.
> >
> > Does this make sense?
> No this does not make sense.  If the IP isn't returning HTTPS, then your
> DNS name probably isn't either. Tomcat doesn't care about the supplied
> name, except to match it to the <Host> entry in server.xml.  You didn't
> post your config, but I'm assuming that the default host is set to
> www.mydomain.com, and the IP address isn't aliased. If it is not that
> way, you should either correctly set your default host, or add an <Alias>
> entry for the IP address to your <Host> config.
>
> You'd definitely get this response if your default host was still set at
> the default of "localhost", instead of your <Host> entry's name value,
> there was no <Alias> entry for the IP, and the security tester was testing
> against IP as well as name (though one would expect the report to indicate
> this).
>


RE: Configuration question

2014-04-17 Thread Jeffrey Janner
> -Original Message-
> From: Mark Murphy [mailto:jmarkmur...@gmail.com]
> Sent: Wednesday, April 16, 2014 12:42 PM
> To: Tomcat Users List
> Subject: Configuration question
> 
> How do I prevent Tomcat 6 from responding to a request to an IP
> address, that is I only want my Tomcat server to respond to requests to
> www.mydomain.com vs. 10.1.1.1.
> 
> Is this possible?
> 
To address the question asked:
The easiest way may be to create a dummy  entry with an  entry for 
the IP Address. Do not allocate any contexts to the host, or perhaps one that 
points to an empty directory.  Haven't tested it, just a thought.
However read rest of answer.

> The problem is that our web security scanner is reporting "Web Server
> Uses Basic Authentication Without HTTPS", and the infrastructure guys
> think it is because Tomcat allows connection to the IP address.
> 
> Does this make sense?
No, this does not make sense.  If the IP isn't returning HTTPS, then your DNS 
name probably isn't either. Tomcat doesn't care about the supplied name, except 
to match it to the <Host> entry in server.xml.  You didn't post your config, 
but I'm assuming that the default host is set to www.mydomain.com, and the IP 
address isn't aliased. If it is not that way, you should either correctly set 
your default host, or add an <Alias> entry for the IP address to your <Host> 
config.

You'd definitely get this response if your default host was still set at the 
default of "localhost", instead of your <Host> entry's name value, there was no 
<Alias> entry for the IP, and the security tester was testing against IP as 
well as name (though one would expect the report to indicate this).
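
The dummy-host suggestion above, sketched as a server.xml fragment. This is an added example, not part of the original message and not the poster's configuration; the host name `ip-catchall` and the directory `webapps-empty` are hypothetical, while `www.mydomain.com` and `10.1.1.1` are the placeholder values used in the thread.

```xml
<!-- Added example: fragment of conf/server.xml (Tomcat 6), inside <Service>. -->
<Engine name="Catalina" defaultHost="www.mydomain.com">

  <!-- The real site, selected when the Host header is www.mydomain.com. -->
  <Host name="www.mydomain.com" appBase="webapps"
        unpackWARs="true" autoDeploy="false"/>

  <!-- Dummy host (hypothetical name). Its appBase points at an empty
       directory (hypothetical path), so no context is deployed and a
       request addressed to the bare IP finds no application here. -->
  <Host name="ip-catchall" appBase="webapps-empty"
        unpackWARs="false" autoDeploy="false" deployOnStartup="false">
    <Alias>10.1.1.1</Alias>
  </Host>

  <!-- A Host header that matches no Host name and no Alias is routed to
       the Engine's defaultHost. Setting defaultHost="ip-catchall" instead
       would send every unknown name, not only the IP, to the empty host. -->
</Engine>
```

This only changes which virtual host answers a request made to the IP address. Whether Basic authentication is offered over plain HTTP is decided separately, by the connector and by the application's `transport-guarantee` setting.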


Re: Apache Tomcat 7 load-balancing and clustering

2014-04-17 Thread Daniel Mikusa
On Apr 17, 2014, at 7:14 AM, MNYANYI, FIDELIS  wrote:

> Hi,
> 
> I'm relatively new to Apache Tomcat, especially on clustering/load-balancing. 
> The question I have is:
> 
>  Can I implement load-balancing of Apache Tomcat 7 instances using native 
> solutions if any. I mean without putting either Apache HTTPD or other 
> load-balancing hardware/software in front of my Apache Tomcat servers?

No.  Traditionally you need something to handle incoming requests and 
distribute them across the nodes in your Tomcat cluster (can provide other 
services as well, like sticky sessions, HTTPS termination and / or static 
resource hosting). This is commonly Apache HTTPD, but could be a variety of 
other things, either software or hardware.

>  The documentation I have read so far talks of installing Apache HTTPD and 
> installing mod_jk on top of Apache HTTPD. The question here is, does Apache 
> Tomcat not come with its own Apache HTTPD that I can use instead of 
> installing another one in front of my Tomcat?

No.  Nothing is bundled with Tomcat.  You need to pick what software / hardware 
to use as a load balancer.  Apache HTTPD is suggested in the documentation, but 
there are other perfectly valid options as well.

Dan


> 
> Thanks,
> Fidelis


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Apache Tomcat 7 load-balancing and clustering

2014-04-17 Thread Mark Thomas
On 17/04/2014 12:14, MNYANYI, FIDELIS wrote:
> Hi,
> 
> I'm relatively new to Apache Tomcat, especially on
> clustering/load-balancing. The question I have is:
> 
> Can I implement load-balancing of Apache Tomcat 7 instances using
> native solutions if any.

No.

> I mean without putting either Apache HTTPD
> or other load-balancing hardware/software in front of my Apache
> Tomcat servers?

Still no.

> The documentation I have read so far talks of
> installing Apache HTTPD and installing mod_jk on top of Apache HTTPD.
> The question here is, does Apache Tomcat not come with its own Apache
> HTTPD that I can use instead of installing another one in front of my
> Tomcat?

No. You'll need to install your own httpd instances.

Mark





Apache Tomcat 7 load-balancing and clustering

2014-04-17 Thread MNYANYI, FIDELIS
Hi,

I'm relatively new to Apache Tomcat, especially on clustering/load-balancing. 
The question I have is:

  Can I implement load-balancing of Apache Tomcat 7 instances using native 
solutions if any. I mean without putting either Apache HTTPD or other 
load-balancing hardware/software in front of my Apache Tomcat servers? The 
documentation I have read so far talks of installing Apache HTTPD and 
installing mod_jk on top of Apache HTTPD. The question here is, does Apache 
Tomcat not come with its own Apache HTTPD that I can use instead of installing 
another one in front of my Tomcat?

Thanks,
Fidelis



Re: Best practice to programmatically get the disableURLRewriting context attribute value

2014-04-17 Thread Mark Thomas
On 10/04/2014 14:01, lo lo wrote:
> Tomcat version 6.0.x on Linux OS
> 
> Hi all,
> 
> I have an application deployed on several customers Tomcat servers.
> 
> The Tomcat versions are different (6.0.16, 6.0.37, etc.) and asking all
> customers to upgrade to the latest Tomcat version would be too tricky.
> 
> I would like to programmatically get the disableURLRewriting context
> attribute value, when it exists (i.e Tomcat 6.0.30 onwards).
> My purpose is to add a tuckey.org/urlrewrite filter rule that redirects the
> user to an error page when the 'jsessionid=' string is detected in the URL.
> if (disableURLRewriting exists and its value is true) -> the filter rule
> should be applied
> if (disableURLRewriting doesn't exist or its value is false) -> the filter
> rule should not be applied because Tomcat 6 adds ';jsessionid=xxx' when
> there is no cookie in the client browser
> 
> The only way that I have found to achieve this on different Tomcat versions
> is to use Tomcat classes:
> 
> public boolean isDisableURLRewriting(StandardContext standardContext) {
>     Method isDisableURLRewritingMethod = null;
>     try {
>         isDisableURLRewritingMethod =
>             StandardContext.class.getMethod("isDisableURLRewriting");
>     } catch (Exception e) {
>         // the method does not exist or is not accessible
>     }
>     if (isDisableURLRewritingMethod != null) {
>         try {
>             return ((Boolean)
>                 isDisableURLRewritingMethod.invoke(standardContext)).booleanValue();
>         } catch (Exception e) {
>             throw new RuntimeException(
>                 "Unable to invoke the isDisableURLRewriting method on the standard context");
>         }
>     }
>     // the method does not exist, we return false
>     return false;
> }
> 
> StandardEngine engine = (StandardEngine)
>     ServerFactory.getServer().findService("Catalina").getContainer();
> Container container = engine.findChild(engine.getDefaultHost());
> StandardContext standardContext = (StandardContext)
>     container.findChild(context.getContextPath());
> if (isDisableURLRewriting(standardContext)) {
>     // apply the rule
> } else {
>     // don't apply the rule
> }
> 
> 1. Will this code work for every Tomcat configuration?
> (I know that this code works when the context file is in the
> conf/Catalina/localhost directory with the default server.xml file, but I
> don't know if it will work when several hosts are defined in the server.xml
> file, because I'm using engine.getDefaultHost())

So maybe you should test that and see what happens.

> 2. Is there a better way to achieve this? (maybe without using Tomcat
> classes?)

It depends on what you are trying to achieve. You have described a
problem with your current solution but not what your original problem is.

Mark

