Re: FormAuthenticator, Tomcat restart
Leonid Rozenblyum wrote:
> Hello, Christopher! I indeed meant this: "The Tomcat restart between showing and submitting the login page is the source of the problem." Your explanation clarifies the core of the issue well! I'll dig into the Tomcat documentation deeper to find out how to inject that custom login handler. Thanks!
>
> On Thu, May 28, 2015 at 6:49 PM, Christopher Schultz wrote:
>> Mark,
>>
>> On 5/28/15 5:29 AM, Mark Thomas wrote:
>>> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>>>> Hello experts.
>>>>
>>>> We are using FormAuthenticator and face the following issue:
>>>>
>>>> 1) Session persistence is disabled
>>>> 2) User is on login page
>>>> 3) Restart Tomcat
>>>> 4) User tries authentication
>>>>
>>>> He receives error 400 or 408.
>>>>
>>>> While digging deeper we discovered that in this case Tomcat validates session id and if it's old/invalid - prevents logging-in even though valid credentials are passed.
>>>>
>>>> We tried landingPage solution - it looks better than error 400/408 but anyway it forces user to enter credentials twice (or we don't know how to pass credentials to landingPage implicitly).
>>>>
>>>> We think that an improvement of user experience would be :
>>>>
>>>> FormAuthenticator: 255
>>>>     if (session == null) {
>>>>         session = request.getSessionInternal(false);
>>>>     }
>>>>
>>>> ==>
>>>>     if (session == null) {
>>>>         session = request.getSessionInternal(true);
>>>>     }
>>>>
>>>> So if session is invalid or missing - simply create it.
>>>>
>>>> Does this idea make sense?
>>>
>>> No. It makes no sense at all.
>>>
>>>> Can we achieve the goal of not forcing user entering credentials twice without changes in Tomcat ?
>>>
>>> No. The credentials are stored in the session. If you restart Tomcat with session persistence disabled those credentials are lost and the user is going to have to re-enter them.
>>
>> I think the OP is saying that the credentials are only entered a single time. The Tomcat restart between showing and submitting the login page is the source of the problem.
>>
>> Leonid, the servlet spec is very clear about the workflow for authentication: the client must request a protected resource, then the container challenges the client for authentication (shows the login page), and then the client must submit valid credentials (send a request to j_security_check). After that, the container must re-process the client's original request with the newly-authenticated principal.
>>
>> Tomcat stores the original request in the session. If you lose your session between presenting the login page and submitting the credentials, Tomcat has no way to re-process the original request.
>>
>> IMO, this is a hole in the spec, because it doesn't allow people to login simply because they want to; instead, they must first attempt to reach a protected resource.
>>
>> If you want your users to be able to login without requesting a protected resource, you may write your own login-handler and call ServletRequest.login(). That way, you won't require a session to exist during that whole workflow.
>>
>> -chris

It all begs the question, by pure curiosity if nothing else, of how often the OP restarts his Tomcat, that this issue seems to bother him so. Last time I looked, my 20-odd Tomcats had been running for some 240 days or so.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: FormAuthenticator, Tomcat restart
Hello, Christopher! I indeed meant this: "The Tomcat restart between showing and submitting the login page is the source of the problem." Your explanation clarifies the core of the issue well! I'll dig into the Tomcat documentation deeper to find out how to inject that custom login handler. Thanks!

On Thu, May 28, 2015 at 6:49 PM, Christopher Schultz wrote:
> Mark,
>
> On 5/28/15 5:29 AM, Mark Thomas wrote:
>> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>>> Hello experts.
>>>
>>> We are using FormAuthenticator and face the following issue:
>>>
>>> 1) Session persistence is disabled
>>> 2) User is on login page
>>> 3) Restart Tomcat
>>> 4) User tries authentication
>>>
>>> He receives error 400 or 408.
>>>
>>> While digging deeper we discovered that in this case Tomcat validates session id and if it's old/invalid - prevents logging-in even though valid credentials are passed.
>>>
>>> We tried landingPage solution - it looks better than error 400/408 but anyway it forces user to enter credentials twice (or we don't know how to pass credentials to landingPage implicitly).
>>>
>>> We think that an improvement of user experience would be :
>>>
>>> FormAuthenticator: 255
>>>     if (session == null) {
>>>         session = request.getSessionInternal(false);
>>>     }
>>>
>>> ==>
>>>     if (session == null) {
>>>         session = request.getSessionInternal(true);
>>>     }
>>>
>>> So if session is invalid or missing - simply create it.
>>>
>>> Does this idea make sense?
>>
>> No. It makes no sense at all.
>>
>>> Can we achieve the goal of not forcing user entering credentials twice without changes in Tomcat ?
>>
>> No. The credentials are stored in the session. If you restart Tomcat with session persistence disabled those credentials are lost and the user is going to have to re-enter them.
>
> I think the OP is saying that the credentials are only entered a single time. The Tomcat restart between showing and submitting the login page is the source of the problem.
>
> Leonid, the servlet spec is very clear about the workflow for authentication: the client must request a protected resource, then the container challenges the client for authentication (shows the login page), and then the client must submit valid credentials (send a request to j_security_check). After that, the container must re-process the client's original request with the newly-authenticated principal.
>
> Tomcat stores the original request in the session. If you lose your session between presenting the login page and submitting the credentials, Tomcat has no way to re-process the original request.
>
> IMO, this is a hole in the spec, because it doesn't allow people to login simply because they want to; instead, they must first attempt to reach a protected resource.
>
> If you want your users to be able to login without requesting a protected resource, you may write your own login-handler and call ServletRequest.login(). That way, you won't require a session to exist during that whole workflow.
>
> -chris
Re: Tomcat Valve doing Request.getParameter() consumes the stream
Hi,

2015-05-28 22:44 GMT+03:00 Teunissen,Peter :
> (Tomcat 7)
>
> I am writing a Valve that does a getParameter on the Request. At the end of the Valve/Filter chain is a servlet that calls HttpServletRequest.getReader() returning an empty buffer (because the Valve consumed it).
>
> I tried hacking a wrapper for the Request together and pass that into the getNext().invoke , but not much luck yet (seems to be some state in the underlying coyoteStream/Request/Inputbuffer)
>
> I can't imagine I'm the first to encounter this and yet I can't find a good wrapper example on the internet.
>
> Anybody better suggestions?

You may want to check this enhancement [1].

Regards,
Violeta

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=45014
Tomcat Valve doing Request.getParameter() consumes the stream
(Tomcat 7)

I am writing a Valve that does a getParameter on the Request. At the end of the Valve/Filter chain is a servlet that calls HttpServletRequest.getReader() returning an empty buffer (because the Valve consumed it).

I tried hacking a wrapper for the Request together and pass that into the getNext().invoke , but not much luck yet (seems to be some state in the underlying coyoteStream/Request/Inputbuffer)

I can't imagine I'm the first to encounter this and yet I can't find a good wrapper example on the internet.

Anybody better suggestions?
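Because Valve.invoke() receives Tomcat's own org.apache.catalina.connector.Request rather than the servlet interface, there is no clean place to substitute a wrapper at the Valve level; the inspection is easier to do in a Filter, where an HttpServletRequestWrapper can read the body once and serve every later getInputStream(), getReader() and getParameter() call from that copy. What follows is an added example written for this digest, not code from the thread or from Tomcat. The class names, the 1 MiB cap and the hypothetical "action" parameter check are its own assumptions.

```java
import java.io.*;
import java.net.URLDecoder;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example for this digest, not from the thread or from Tomcat: inspect a POST
// parameter ahead of a servlet without draining the body that servlet reads via
// getReader(). Written against Servlet 3.0 (Tomcat 7); under Servlet 3.1+ the
// ServletInputStream below must also implement isFinished/isReady/setReadListener.
public class BodyCachingFilter implements Filter {
    // Hard cap on the buffered copy (1 MiB is this example's assumption): maxPostSize
    // bounds Tomcat's own form parsing, not a copy a filter makes.
    private static final int MAX_CACHED_BODY = 1024 * 1024;

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        CachedBodyRequest wrapped;
        try {
            // Copy the body BEFORE anything calls getParameter() on the container's
            // request; that call is what drains the stream in the Valve from the thread.
            wrapped = new CachedBodyRequest((HttpServletRequest) req, MAX_CACHED_BODY);
        } catch (IOException tooLarge) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        String action = wrapped.getParameter("action");   // hypothetical inspection point
        if (action != null && !action.matches("[A-Za-z0-9_-]{1,32}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(wrapped, res);   // the servlet's getReader() now reads the cached copy
    }

    static final class CachedBodyRequest extends HttpServletRequestWrapper {
        private final byte[] body;
        private Map<String, List<String>> params;   // query string + form body, parsed lazily

        CachedBodyRequest(HttpServletRequest request, int limit) throws IOException {
            super(request);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            InputStream in = request.getInputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                if (out.size() + n > limit) throw new IOException("body exceeds " + limit + " bytes");
                out.write(buf, 0, n);
            }
            this.body = out.toByteArray();
        }
        private String encoding() {   // servlet default applies when the client sent no charset
            String enc = getCharacterEncoding();
            return enc != null ? enc : "ISO-8859-1";
        }
        @Override public ServletInputStream getInputStream() {
            final InputStream copy = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() throws IOException { return copy.read(); }
            };
        }
        @Override public BufferedReader getReader() throws IOException {
            return new BufferedReader(new InputStreamReader(getInputStream(), encoding()));
        }
        @Override public String getParameter(String name) {
            List<String> v = parameters().get(name);
            return v == null ? null : v.get(0);
        }
        // Parses the query string and, for a form POST, the cached body, so the
        // container's own (already drained) parameter parser is never consulted.
        private Map<String, List<String>> parameters() {
            if (params != null) return params;
            params = new HashMap<String, List<String>>();
            try {
                addPairs(getQueryString());
                String ct = getContentType();
                if ("POST".equalsIgnoreCase(getMethod()) && ct != null
                        && ct.toLowerCase().startsWith("application/x-www-form-urlencoded")) {
                    addPairs(new String(body, encoding()));
                }
            } catch (UnsupportedEncodingException e) {
                throw new IllegalArgumentException("unsupported request charset", e);
            }
            return params;
        }
        private void addPairs(String encoded) throws UnsupportedEncodingException {
            if (encoded == null || encoded.isEmpty()) return;
            for (String pair : encoded.split("&")) {
                if (pair.isEmpty()) continue;
                int eq = pair.indexOf('=');
                String k = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), encoding());
                String v = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), encoding());
                List<String> values = params.get(k);
                if (values == null) { values = new ArrayList<String>(); params.put(k, values); }
                values.add(v);
            }
        }
    }
}
```

Map it ahead of the servlet in web.xml or with @WebFilter. getParameterMap() and getParameterNames() would need the same override for consistency, multipart bodies are passed through untouched rather than parsed, and the size cap is deliberate: once a filter holds a copy of the body, the connector's maxPostSize no longer limits how much memory a single request can tie up.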
RE: Problem specifying cipher suites in tomcat6
> From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de]
> Subject: Problem specifying cipher suites in tomcat6

> I'm currently trying to specify a list of cipher suites to be used by my
> connector in Tomcat 6.0.24.

> Anybody can shed some light on what I did wrong?

Using a version of Tomcat that's more than five years old is the first thing - there have been many, many security fixes since then, including some related to the ciphers attribute.

You also need to tell us the JVM version, the platform you're running on, and whether or not APR is in use for this (it's in the logs).

- Chuck
Problem specifying cipher suites in tomcat6
Hi all,

I'm currently trying to specify a list of cipher suites to be used by my connector in Tomcat 6.0.24. However, when testing the connector with ssllabs.com, a bunch of ciphers I didn't specify show up.

Here is the connector config:

Just for the sake of the argument, I specified only a single suite. This is what ssllabs gives me as list of possible ciphers:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Obviously, this is not what I specified. When configuring ciphers="ALL" the result

Can anybody shed some light on what I did wrong?

Thanks for any help.

Best regards
Ramon Pfeiffer

--
Universität Tübingen
Zentrum für Datenverarbeitung
E-Mail: ramon.pfeif...@uni-tuebingen.de
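What ssllabs.com reports is the set the connector actually enabled, and that is not necessarily what was typed into the ciphers attribute: a JSSE connector can only enable names the JVM recognises, so a typo, or an OpenSSL-style value such as ALL or AES128-SHA handed to a JSSE connector, is not a suite at all from the JVM's point of view. What a given Tomcat release does with a list it cannot match (refuse to start, or leave the JVM defaults in place) depends on the version, so the first thing to check is which of the configured names this JVM knows. The following is an added example for this digest, not code from the thread or from Tomcat; it sorts an attribute value into recognised, recognised-but-weak and unknown names. The sample attribute value in main() is constructed for the example.

```java
import java.util.*;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

// Added example for this digest, not from the thread or from Tomcat: sort a JSSE
// connector's ciphers="..." value into what this JVM can enable, what it can enable
// but should not, and what it does not recognise at all. Run it with the same JVM
// Tomcat starts under; the supported list differs between vendors and versions.
public class CipherListCheck {

    // Suite names a practitioner would reject: RC4 is prohibited by RFC 7465; 3DES,
    // single DES, MD5, NULL, EXPORT and anonymous key exchange are all weak.
    private static final Pattern WEAK =
            Pattern.compile("NULL|anon|EXPORT|RC4|3DES|_DES_|MD5", Pattern.CASE_INSENSITIVE);

    // Splits a Tomcat-style comma-separated ciphers attribute value, ignoring blanks.
    static List<String> parseCiphersAttribute(String value) {
        List<String> out = new ArrayList<String>();
        for (String s : value.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    // Every suite name the default SSLContext of this JVM could possibly enable.
    static Set<String> supportedByThisJvm() throws Exception {
        return new TreeSet<String>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
    }

    static final class Report {
        final List<String> enabled = new ArrayList<String>();   // known and acceptable
        final List<String> weak = new ArrayList<String>();      // known, but remove it
        final List<String> unknown = new ArrayList<String>();   // not a JSSE suite name here
    }

    static Report classify(List<String> requested, Set<String> supported) {
        Report r = new Report();
        for (String name : requested) {
            if (!supported.contains(name)) r.unknown.add(name);
            else if (WEAK.matcher(name).find()) r.weak.add(name);
            else r.enabled.add(name);
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input standing in for an attribute value: one acceptable suite,
        // one that the scanner output above would flag, and one OpenSSL-style name
        // that no JSSE connector can match because it is not a JSSE suite name.
        String attribute = args.length > 0 ? args[0]
                : "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_MD5, AES128-SHA";
        Report r = classify(parseCiphersAttribute(attribute), supportedByThisJvm());
        System.out.println("enabled : " + r.enabled);
        System.out.println("weak    : " + r.weak);
        System.out.println("unknown : " + r.unknown);
        if (r.enabled.isEmpty() && r.weak.isEmpty()) {
            System.out.println("nothing in this list is a suite this JVM supports;"
                    + " check the spelling and use JSSE names, not OpenSSL names");
        }
    }
}
```

Run it with the JVM that starts Tomcat (java -cp . CipherListCheck "<the attribute value>") and compare the enabled bucket with what the scanner reports; if the scanner shows suites that are in neither the enabled nor the weak bucket, the connector is not applying the list at all. The APR/OpenSSL connector uses OpenSSL cipher-string syntax instead, which is why Chuck asks whether APR is in use.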
Re: can we pass OS username while connection Database from Tomcat
Vijay,

On 5/28/15 8:21 AM, Vijay Kumar wrote:
> I am referring User_Id as Linux User_id where we installed Tomcat.
>
> My Oracle Database don't know about this user_id.

Have you tried this? I know that catalina.properties will do system-property expansion, I think that server.xml will do it, but I'm not sure if context.xml will do it, too. Give it a try to see if it works.

-chris

> On Thu, May 28, 2015 at 3:20 PM, André Warnier wrote:
>> Vijay Kumar wrote:
>>> Hi Mark,
>>>
>>> Please find below my exact requirement.
>>>
>>> I have Oracle Database where my objects are installed and I have also a Linux instance where I installed Tomcat. I am currently creating connection to the Oracle database from Tomcat using 'apps' user as this schema is having all permissions.
>>>
>>> One of my client want to monitor the connections that are created from my application. For this I want to pass my Linux user information (userid) while creating the connection from my application or in context.xml file.
>>>
>>> Please suggest the approaches? If SPNEGO can you redirect me any doc/post how to achieve this?
>>
>> Vijay,
>> you are repeating yourself (and still top-posting), but you are not providing the crucial information which would enable someone to really help you. For example, what "Linux user information (userid)" are you talking about ?
>>
>> Is it the Linux user-id under which Tomcat is running ? That would probably be "tomcat", so that is probably not going to help you fulfill your customer's wishes.
>>
>> Is it the user-id of the /user/ of your Tomcat application ? In that case, how does Tomcat know this user-id ? Do the users login into your application ? How ? What is the user authentication mechanism being used, now, at the Tomcat level ?
>>
>> Does the Oracle database also know this user-id ? How ?
>>
>> What does "One of my client want to monitor the connections" mean, exactly ? what does the customer want to know, and when ? Is this customer the only user/manager of the Oracle database, or are there multiple users/managers of the Oracle database ?
Re: FormAuthenticator, Tomcat restart
Mark,

On 5/28/15 5:29 AM, Mark Thomas wrote:
> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>> Hello experts.
>>
>> We are using FormAuthenticator and face the following issue:
>>
>> 1) Session persistence is disabled
>> 2) User is on login page
>> 3) Restart Tomcat
>> 4) User tries authentication
>>
>> He receives error 400 or 408.
>>
>> While digging deeper we discovered that in this case Tomcat validates session id and if it's old/invalid - prevents logging-in even though valid credentials are passed.
>>
>> We tried landingPage solution - it looks better than error 400/408 but anyway it forces user to enter credentials twice (or we don't know how to pass credentials to landingPage implicitly).
>>
>> We think that an improvement of user experience would be :
>>
>> FormAuthenticator: 255
>>     if (session == null) {
>>         session = request.getSessionInternal(false);
>>     }
>>
>> ==>
>>     if (session == null) {
>>         session = request.getSessionInternal(true);
>>     }
>>
>> So if session is invalid or missing - simply create it.
>>
>> Does this idea make sense?
>
> No. It makes no sense at all.
>
>> Can we achieve the goal of not forcing user entering credentials twice without changes in Tomcat ?
>
> No. The credentials are stored in the session. If you restart Tomcat with session persistence disabled those credentials are lost and the user is going to have to re-enter them.

I think the OP is saying that the credentials are only entered a single time. The Tomcat restart between showing and submitting the login page is the source of the problem.

Leonid, the servlet spec is very clear about the workflow for authentication: the client must request a protected resource, then the container challenges the client for authentication (shows the login page), and then the client must submit valid credentials (send a request to j_security_check). After that, the container must re-process the client's original request with the newly-authenticated principal.

Tomcat stores the original request in the session. If you lose your session between presenting the login page and submitting the credentials, Tomcat has no way to re-process the original request.

IMO, this is a hole in the spec, because it doesn't allow people to login simply because they want to; instead, they must first attempt to reach a protected resource.

If you want your users to be able to login without requesting a protected resource, you may write your own login-handler and call ServletRequest.login(). That way, you won't require a session to exist during that whole workflow.

-chris
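Chris's suggestion of a login handler that calls ServletRequest.login() removes the j_security_check round trip and the saved original request, so nothing has to survive between showing the form and submitting it; a restart with session persistence off costs the user the session and nothing else. The following is an added example for this digest, not code from the thread or from Tomcat, of what such a handler looks like with the two things a practitioner would insist on: a fresh session before the principal is cached (session fixation) and a redirect target restricted to the application's own paths (open redirect). It assumes the context has a Realm configured; the /login mapping and the username, password and next parameter names are this example's own choices.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example for this digest, not from the thread or from Tomcat: a login handler
// built on HttpServletRequest.login() rather than j_security_check. Assumes the context
// has a Realm; the /login path and the parameter names are this example's own choices.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || user.isEmpty() || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // login() throws if a caller identity is already established; clear it first.
        if (req.getUserPrincipal() != null) {
            req.logout();
        }

        // Session fixation defence: discard whatever session id the browser sent (an
        // attacker-chosen one, or one issued before the restart) and start a fresh
        // session BEFORE authenticating, so the authenticated principal is only ever
        // cached under an id that was minted for this login.
        HttpSession stale = req.getSession(false);
        if (stale != null) {
            stale.invalidate();
        }
        HttpSession session = req.getSession(true);

        try {
            req.login(user, pass);   // the configured Realm decides; ServletException on failure
        } catch (ServletException failed) {
            session.invalidate();
            // One answer for unknown user and wrong password alike: no account enumeration.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        resp.sendRedirect(resp.encodeRedirectURL(safeTarget(req)));
    }

    // The container no longer replays the original request for us, so the post-login
    // target comes from a form field. Only paths inside this context are accepted;
    // "//host" and backslash variants are rejected so this cannot become an open redirect.
    static String safeTarget(HttpServletRequest req) {
        String base = req.getContextPath() + "/";
        String next = req.getParameter("next");
        if (next == null || !next.startsWith(base) || next.startsWith(base + "/")
                || next.contains("\\")) {
            return base;
        }
        return next;
    }
}
```

A plain HTML form that posts username, password and next to /login is all the client side needs; that form should carry an anti-CSRF token as well, since login CSRF is as real as any other. Throttling of failed attempts belongs in the Realm (LockOutRealm) or in a filter in front of this servlet, not here.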
Re: After applying self-signed certificate, server is up but cannot connect with browser
Ori,

On 5/27/15 3:29 AM, Ori Raz wrote:
> Hi Christopher,
> We are still not capable to apply our self certifications...
>
> Is there any document/guide (even a scratch notes you might have :) ) for a walkthrough for the whole procedure (e.g A-Z from creating the certifications and applying them)? We decided to start the procedure from scratch...
>
> I can see only some hints in forums but no organized document or procedure...

What about this one?

http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html#Quick_Start

-chris

> On Sat, May 23, 2015 at 10:22 AM, Ori Raz wrote:
>> Thank you Christopher. Appreciate all your help. Please let me know if any additional info is required for the issue. Regarding the ssl connection, if I use with and without the -tls1 flag with the original certificate then in both cases it works fine. After doing the steps I mentioned initially, both are not working.
>>
>> Thanks, Barc
>>
>> On Fri, May 22, 2015 at 7:13 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>> Ori,
>>>
>>> On 5/22/15 10:03 AM, Ori Raz wrote:
>>>> Thank you Christopher for your reply.
>>>>
>>>> I always make a backup before changes :) luckily :)
>>>>
>>>> I reverted back and tried without deleting the entries and getting this:
>>>>
>>>> primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/install/utils/sslgen/prime.keystore
>>>> Enter keystore password:
>>>> keytool error: java.lang.Exception: Public keys in reply and keystore don't match
>>>> primeusr@sagi-vzadik-01 [~]# keytool -import -trustcacerts -alias tomcat -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/XMP_Platform/jre/lib/security/cacerts
>>>> Enter keystore password:
>>>> keytool error: java.lang.Exception: Certificate not imported, alias already exists
>>>> primeusr@sagi-vzadik-01 [~]#
>>>>
>>>> Regarding the import you wrote - $ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.jks
>>>>
>>>> Isn't that this one or am I missing something: keytool -importcert -file /opt/primecentral/SHARED/certificate/vlg-cipr-pcpil1.megafon.ru.cer -keystore /opt/primecentral/install/utils/sslgen/prime.keystore -alias tomcat
>>>
>>> I'll have a look at that later when I have more time.
>>>
>>>> as mentioned, catalina-.log is empty... I cannot see any other relevant logs (if you can point me to other log -please do :) )
>>>>
>>>> If I try to connect to ssl locally, then with the original certificate it works, but with the new one - here is the output:
>>>>
>>>> primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 10.56.57.65:8443
>>>> CONNECTED(0003)
>>>> 4954:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
>>>> primeusr@sagi-vzadik-01 [~]# openssl s_client -connect 127.0.0.1:8443
>>>> CONNECTED(0003)
>>>> 5050:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
>>>
>>> Try using the -tls1 flag for s_client (or -tls1_1, or -tls1_2), since ssl3 is dead and the handshake won't even work anymore.
>>>
>>> -chris
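Both keytool messages quoted above have precise meanings. "Public keys in reply and keystore don't match" is keytool refusing a certificate whose public key is not the public key stored under the given alias, which is what happens when the CSR came from a different key pair or keystore than the one being imported into. "Certificate not imported, alias already exists" is keytool refusing to overwrite a trusted-certificate entry with -import; a CA reply is only accepted over an alias that holds a key pair. The following is an added example for this digest, not code from the thread or from Tomcat, that performs the same checks with plain JDK APIs so the state of a keystore is visible before another import is attempted. Paths, password and alias are command-line arguments and the names in the usage line are hypothetical; it assumes the key entry's password equals the store password, as keytool's default does.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Added example for this digest, not from the thread or from Tomcat: reproduce the two
// checks behind the keytool errors quoted above with plain JDK APIs. Usage (hypothetical
// names; key password assumed equal to the store password, keytool's default):
//   java KeystoreCertMatch prime.keystore changeit tomcat server.cer
public class KeystoreCertMatch {

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        // JKS on older JDKs, PKCS12 on JDK 9+; the JDK 9+ PKCS12 implementation opens JKS files too.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {   // PEM or DER, as keytool accepts
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // "Public keys in reply and keystore don't match" is exactly this comparison.
    static boolean replyMatchesKeystoreKey(KeyStore ks, String alias, X509Certificate reply)
            throws Exception {
        Certificate current = ks.getCertificate(alias);
        return current != null
                && Arrays.equals(current.getPublicKey().getEncoded(), reply.getPublicKey().getEncoded());
    }

    // Sign-and-verify round trip: does the stored private key really belong to that public key?
    static boolean privateKeyMatches(PrivateKey priv, PublicKey pub) throws Exception {
        String alg = "EC".equals(pub.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + pub.getAlgorithm();
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        Signature signer = Signature.getInstance(alg);
        signer.initSign(priv);
        signer.update(nonce);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(pub);
        verifier.update(nonce);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystoreCertMatch <keystore> <password> <alias> <cert-file>");
            System.exit(2);
        }
        char[] pw = args[1].toCharArray();
        KeyStore ks = loadKeyStore(args[0], pw);
        String alias = args[2];
        X509Certificate reply = loadCertificate(args[3]);

        if (!ks.containsAlias(alias)) {
            System.out.println("alias '" + alias + "' is not in this keystore; a CA reply must go"
                    + " under the alias of the key pair whose CSR it answers");
            return;
        }
        if (!ks.isKeyEntry(alias)) {
            // keytool's "Certificate not imported, alias already exists": the alias holds a
            // trusted certificate, not a key pair, and -import will not overwrite it.
            System.out.println("alias '" + alias + "' is a trusted-certificate entry, not a key pair");
            return;
        }
        PrivateKey priv = (PrivateKey) ks.getKey(alias, pw);
        PublicKey stored = ks.getCertificate(alias).getPublicKey();
        System.out.println("private key matches stored certificate: " + privateKeyMatches(priv, stored));
        System.out.println("reply public key matches stored key:    " + replyMatchesKeystoreKey(ks, alias, reply));
        System.out.println("reply subject: " + reply.getSubjectX500Principal());
        System.out.println("reply SANs:    " + reply.getSubjectAlternativeNames());
    }
}
```

When the second line prints false, the certificate was issued for a different key than the one in that keystore, and no amount of re-importing will fix it; generate the CSR again from the keystore the connector actually points at. When it prints true, check the printed subject and SANs against the hostname browsers will use before touching the connector, since a handshake failure on the server side and a name mismatch on the client side look alike from a browser.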
Re: can we pass OS username while connection Database from Tomcat
Vijay Kumar wrote:
> Hi ,
> I am referring User_Id as Linux User_id where we installed Tomcat.
> My Oracle Database don't know about this user_id.

We seem to have some communication issue. But I have sinned a lot in my life, so this will probably count as redemption points.

Another try :

1) read this : http://tomcat.apache.org/lists.html
   Paragraph "tomcat-users" --> important --> 6.
2) in Oracle, create the user "tomcat"
3) in your database configuration in server.xml or context.xml, replace "apps" by "tomcat".

And then tell us if this is the answer to your question, or why it is not.

> Thanks,
> Vijay G
>
> On Thu, May 28, 2015 at 3:20 PM, André Warnier wrote:
>> Vijay Kumar wrote:
>>> Hi Mark,
>>>
>>> Please find below my exact requirement.
>>>
>>> I have Oracle Database where my objects are installed and I have also a Linux instance where I installed Tomcat. I am currently creating connection to the Oracle database from Tomcat using 'apps' user as this schema is having all permissions.
>>>
>>> One of my client want to monitor the connections that are created from my application. For this I want to pass my Linux user information (userid) while creating the connection from my application or in context.xml file.
>>>
>>> Please suggest the approaches? If SPNEGO can you redirect me any doc/post how to achieve this?
>>
>> Vijay,
>> you are repeating yourself (and still top-posting), but you are not providing the crucial information which would enable someone to really help you. For example, what "Linux user information (userid)" are you talking about ?
>>
>> Is it the Linux user-id under which Tomcat is running ? That would probably be "tomcat", so that is probably not going to help you fulfill your customer's wishes.
>>
>> Is it the user-id of the /user/ of your Tomcat application ? In that case, how does Tomcat know this user-id ? Do the users login into your application ? How ? What is the user authentication mechanism being used, now, at the Tomcat level ?
>>
>> Does the Oracle database also know this user-id ? How ?
>>
>> What does "One of my client want to monitor the connections" mean, exactly ? what does the customer want to know, and when ? Is this customer the only user/manager of the Oracle database, or are there multiple users/managers of the Oracle database ?
Re: can we pass OS username while connection Database from Tomcat
Hi ,

I am referring User_Id as Linux User_id where we installed Tomcat.

My Oracle Database don't know about this user_id.

Thanks,
Vijay G

On Thu, May 28, 2015 at 3:20 PM, André Warnier wrote:
> Vijay Kumar wrote:
>> Hi Mark,
>>
>> Please find below my exact requirement.
>>
>> I have Oracle Database where my objects are installed and I have also a Linux instance where I installed Tomcat. I am currently creating connection to the Oracle database from Tomcat using 'apps' user as this schema is having all permissions.
>>
>> One of my client want to monitor the connections that are created from my application. For this I want to pass my Linux user information (userid) while creating the connection from my application or in context.xml file.
>>
>> Please suggest the approaches? If SPNEGO can you redirect me any doc/post how to achieve this?
>
> Vijay,
> you are repeating yourself (and still top-posting), but you are not providing the crucial information which would enable someone to really help you. For example, what "Linux user information (userid)" are you talking about ?
>
> Is it the Linux user-id under which Tomcat is running ? That would probably be "tomcat", so that is probably not going to help you fulfill your customer's wishes.
>
> Is it the user-id of the /user/ of your Tomcat application ? In that case, how does Tomcat know this user-id ? Do the users login into your application ? How ? What is the user authentication mechanism being used, now, at the Tomcat level ?
>
> Does the Oracle database also know this user-id ? How ?
>
> What does "One of my client want to monitor the connections" mean, exactly ? what does the customer want to know, and when ? Is this customer the only user/manager of the Oracle database, or are there multiple users/managers of the Oracle database ?
Re: can we pass OS username while connection Database from Tomcat
Vijay Kumar wrote:
> Hi Mark,
>
> Please find below my exact requirement.
>
> I have Oracle Database where my objects are installed and I have also a Linux instance where I installed Tomcat. I am currently creating connection to the Oracle database from Tomcat using 'apps' user as this schema is having all permissions.
>
> One of my client want to monitor the connections that are created from my application. For this I want to pass my Linux user information (userid) while creating the connection from my application or in context.xml file.
>
> Please suggest the approaches? If SPNEGO can you redirect me any doc/post how to achieve this?

Vijay,
you are repeating yourself (and still top-posting), but you are not providing the crucial information which would enable someone to really help you. For example, what "Linux user information (userid)" are you talking about ?

Is it the Linux user-id under which Tomcat is running ? That would probably be "tomcat", so that is probably not going to help you fulfill your customer's wishes.

Is it the user-id of the /user/ of your Tomcat application ? In that case, how does Tomcat know this user-id ? Do the users login into your application ? How ? What is the user authentication mechanism being used, now, at the Tomcat level ?

Does the Oracle database also know this user-id ? How ?

What does "One of my client want to monitor the connections" mean, exactly ? what does the customer want to know, and when ? Is this customer the only user/manager of the Oracle database, or are there multiple users/managers of the Oracle database ?
Re: FormAuthenticator, Tomcat restart
The reason is : After Tomcat restart, and logging-in, browser provides an old session id to server. FormAuthenticator treats it as an issue, and either sends error or landing page.

On Thu, May 28, 2015 at 12:30 PM, Leonid Rozenblyum wrote:
> Well the issue is that if user enters CORRECT credentials AFTER Tomcat restart he sees Error 400/408
>
> On Thu, May 28, 2015 at 12:29 PM, Mark Thomas wrote:
>> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>>> Hello experts.
>>>
>>> We are using FormAuthenticator and face the following issue:
>>>
>>> 1) Session persistence is disabled
>>> 2) User is on login page
>>> 3) Restart Tomcat
>>> 4) User tries authentication
>>>
>>> He receives error 400 or 408.
>>>
>>> While digging deeper we discovered that in this case Tomcat validates session id and if it's old/invalid - prevents logging-in even though valid credentials are passed.
>>>
>>> We tried landingPage solution - it looks better than error 400/408 but anyway it forces user to enter credentials twice (or we don't know how to pass credentials to landingPage implicitly).
>>>
>>> We think that an improvement of user experience would be :
>>>
>>> FormAuthenticator: 255
>>>     if (session == null) {
>>>         session = request.getSessionInternal(false);
>>>     }
>>>
>>> ==>
>>>     if (session == null) {
>>>         session = request.getSessionInternal(true);
>>>     }
>>>
>>> So if session is invalid or missing - simply create it.
>>>
>>> Does this idea make sense?
>>
>> No. It makes no sense at all.
>>
>>> Can we achieve the goal of not forcing user entering credentials twice without changes in Tomcat ?
>>
>> No. The credentials are stored in the session. If you restart Tomcat with session persistence disabled those credentials are lost and the user is going to have to re-enter them.
>>
>> Mark
Re: FormAuthenticator, Tomcat restart
Well, the issue is that if the user enters CORRECT credentials AFTER a
Tomcat restart, he sees Error 400/408.

On Thu, May 28, 2015 at 12:29 PM, Mark Thomas wrote:
> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>> Hello experts.
>>
>> We are using FormAuthenticator and face the following issue:
>>
>> 1) Session persistence is disabled
>> 2) User is on login page
>> 3) Restart Tomcat
>> 4) User tries authentication
>>
>> He receives error 400 or 408.
>>
>> While digging deeper we discovered that in this case Tomcat validates
>> session id and if it's old/invalid - prevents logging-in even though
>> valid credentials are passed.
>>
>> We tried landingPage solution - it looks better than error 400/408 but
>> anyway it forces user to enter credentials twice (or we don't know how
>> to pass credentials to landingPage implicitly).
>>
>> We think that an improvement of user experience would be:
>>
>> FormAuthenticator: 255
>>     if (session == null) {
>>         session = request.getSessionInternal(false);
>>     }
>>
>> ==>
>>
>>     if (session == null) {
>>         session = request.getSessionInternal(true);
>>     }
>>
>> So if session is invalid or missing - simply create it.
>>
>> Does this idea make sense?
>
> No. It makes no sense at all.
>
>> Can we achieve the goal of not forcing user entering credentials twice
>> without changes in Tomcat?
>
> No. The credentials are stored in the session. If you restart Tomcat
> with session persistence disabled those credentials are lost and the
> user is going to have to re-enter them.
>
> Mark
Re: can we pass OS username while connection Database from Tomcat
Hi Mark,

Please find below my exact requirement.

I have Oracle Database where my objects are installed and I have also a
Linux instance where I installed Tomcat. I am currently creating
connection to the Oracle database from Tomcat using 'apps' user as this
schema is having all permissions.

One of my client want to monitor the connections that are created from
my application. For this I want to pass my Linux user information
(userid) while creating the connection from my application or in
context.xml file.

Please suggest the approaches? If SPNEGO, can you redirect me any
doc/post how to achieve this?

Regards,
Vijay G

On Thu, May 28, 2015 at 2:47 PM, Mark Thomas wrote:
> On 28/05/2015 09:59, André Warnier wrote:
> > Mark Thomas wrote:
> >> On 28/05/2015 08:26, Vijay Kumar wrote:
> >>> Hi,
> >>>
> >>> Is it possible to pass OS username when making connection to any
> >>> Database from Tomcat context.xml?
> >>
> >> In theory this should be possible if you are using SPNEGO
> >> authentication.
> >>
> >> Testing this to figure out what is required to make it work is on the
> >> TODO list. It is likely that some combination of configuration, Tomcat
> >> code changes and application changes will be required.
> >>
> >
> > I think that the term "OS username" should be carefully defined here,
> > along with the precise circumstances in which this would apply.
>
> Agreed. My definition is "user authenticated via SPNEGO"
>
> > Also, connecting to a database using the user-id kind of defeats any
> > kind of db connection persistence/pooling/sharing at the container level.
>
> You can have per user pools. Depending on the app and the usage pattern
> of the DB there can still be some benefits.
>
> > If this kind of thing is desired anyway, should it then not be done at
> > the application level, where you can retrieve the UserPrincipal anyway?
>
> There are certainly different approaches available to solve this
> problem. The best approach depends on the actual requirement. I've used
> a range of approaches to this type of problem in the past.
>
> Mark
Re: FormAuthenticator, Tomcat restart
On 28/05/2015 10:22, Leonid Rozenblyum wrote:
> Hello experts.
>
> We are using FormAuthenticator and face the following issue:
>
> 1) Session persistence is disabled
> 2) User is on login page
> 3) Restart Tomcat
> 4) User tries authentication
>
> He receives error 400 or 408.
>
> While digging deeper we discovered that in this case Tomcat validates
> session id and if it's old/invalid - prevents logging-in even though
> valid credentials are passed.
>
> We tried landingPage solution - it looks better than error 400/408 but
> anyway it forces user to enter credentials twice (or we don't know how
> to pass credentials to landingPage implicitly).
>
> We think that an improvement of user experience would be:
>
> FormAuthenticator: 255
>     if (session == null) {
>         session = request.getSessionInternal(false);
>     }
>
> ==>
>
>     if (session == null) {
>         session = request.getSessionInternal(true);
>     }
>
> So if session is invalid or missing - simply create it.
>
> Does this idea make sense?

No. It makes no sense at all.

> Can we achieve the goal of not forcing user entering credentials twice
> without changes in Tomcat?

No. The credentials are stored in the session. If you restart Tomcat
with session persistence disabled those credentials are lost and the
user is going to have to re-enter them.

Mark
Re: can we pass OS username while connection Database from Tomcat
Vijay Kumar wrote:
> Hi Mark,
>
> Thanks for your update. I should have specify my requirement little
> more clear to you to understand what you are saying.
>
> I have Oracle Database where my objects are installed and I have also a
> Linux instance where I installed Tomcat. I am currently creating
> connection to the Oracle database from Tomcat using 'apps' user as this
> schema is having all permissions.
>
> One of my client want to monitor the connections that are created from
> my application. For this I want to pass my Linux user information
> (userid) while creating the connection from my application or in
> context.xml file.
>
> Please suggest is it possible or not?

Possible, it certainly is. But is it the best solution to fulfill your
customer's wishes, that is another question.

I believe that you have to think carefully about all the implications,
in your application as well as on the performance of the system, before
rushing to any kind of "solution".

For example, would it not be easier for your application to just write a
line to some logfile, whenever it accesses the database on behalf of the
logged-in user (and read and analyse that file later, and provide that
information to your customer)? If your customer just wants to know who
is really using the database and/or how much, that would be enough.

If you really want to open the connection to the database under each
individual user-id, then it means for example that the database has to
know each of those user-id's (and keep them up-to-date). It also means
that different user-id's could have different access rights (or none),
and that your application would have to take this into account. And so
on. It is not just the fact of opening the connection. It may be the
whole design of your application that would need to change.
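As an added example (not code from this thread, and not Tomcat's or Oracle's own), here is the application-level variant of what is described above: a servlet filter captures the container-authenticated user via request.getUserPrincipal(), one audit line is logged every time a connection is borrowed from the shared 'apps' pool on that user's behalf, and the connection is tagged with the user through the standard JDBC method Connection.setClientInfo(). The key `OCSID.CLIENTID` is the one the Oracle 12c JDBC driver maps to the session's CLIENT_IDENTIFIER; the code treats a driver that rejects the key as a non-fatal case so the log line still works everywhere. The JNDI name `java:comp/env/jdbc/apps`, the logger name and the class names are assumptions, and the API is javax.servlet (jakarta.servlet on Tomcat 10 and later).

```java
import java.io.IOException;
import java.security.Principal;
import java.sql.Connection;
import java.sql.SQLClientInfoException;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.sql.DataSource;

/** Tags pooled 'apps' connections with the application user (added example). */
public final class UserTaggedDb {

    private static final Logger AUDIT = Logger.getLogger("db.audit"); // assumed logger name
    // Oracle 12c JDBC key that shows up as CLIENT_IDENTIFIER in V$SESSION.
    // Other drivers may reject it; that case is handled in tag() below.
    private static final String CLIENT_ID_KEY = "OCSID.CLIENTID";
    private static final String JNDI_NAME = "java:comp/env/jdbc/apps"; // assumed resource name

    private static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    private UserTaggedDb() {}

    /** Remembers the container-authenticated user for the current request thread. */
    static void setCurrentUser(Principal p) {
        CURRENT_USER.set(p == null ? "anonymous" : p.getName());
    }

    static void clearCurrentUser() {
        CURRENT_USER.remove();
    }

    static String currentUser() {
        String u = CURRENT_USER.get();
        return u == null ? "anonymous" : u;
    }

    /** Borrows a pooled connection, logs who is using it and tags it with that user. */
    public static Connection borrow() throws SQLException {
        DataSource ds;
        try {
            ds = (DataSource) new InitialContext().lookup(JNDI_NAME);
        } catch (NamingException e) {
            throw new SQLException("DataSource not bound: " + JNDI_NAME, e);
        }
        Connection c = ds.getConnection(); // still the shared 'apps' schema account
        String user = currentUser();
        AUDIT.info(() -> "db-borrow user=" + user); // the log line the thread suggests
        tag(c, user);
        return c;
    }

    /** Clears the tag before the connection goes back to the pool, then closes it. */
    public static void release(Connection c) throws SQLException {
        if (c == null) {
            return;
        }
        try {
            tag(c, null); // never let one user's identity leak to the next borrower
        } finally {
            c.close();
        }
    }

    private static void tag(Connection c, String user) {
        try {
            c.setClientInfo(CLIENT_ID_KEY, user); // null clears the property per JDBC
        } catch (SQLClientInfoException e) {
            // Driver does not support the key: the audit line above still records the user.
            AUDIT.log(Level.FINE, "client info not supported by driver", e);
        }
    }

    /** Captures request.getUserPrincipal() for every request and clears it afterwards. */
    @WebFilter("/*")
    public static final class UserContextFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            Principal p = req instanceof HttpServletRequest
                    ? ((HttpServletRequest) req).getUserPrincipal() : null;
            setCurrentUser(p);
            try {
                chain.doFilter(req, res);
            } finally {
                clearCurrentUser(); // connector threads are reused across requests
            }
        }
    }
}
```

Application code calls `UserTaggedDb.borrow()` and `UserTaggedDb.release(c)` instead of using the DataSource directly. The DB account and its privileges are unchanged (the connection is still 'apps'), which is exactly the trade-off described above: the customer can see which application user drove each connection, but per-user access rights would still need a different design.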
FormAuthenticator, Tomcat restart
Hello experts.

We are using FormAuthenticator and face the following issue:

1) Session persistence is disabled
2) User is on login page
3) Restart Tomcat
4) User tries authentication

He receives error 400 or 408.

While digging deeper we discovered that in this case Tomcat validates
session id and if it's old/invalid - prevents logging-in even though
valid credentials are passed.

We tried landingPage solution - it looks better than error 400/408 but
anyway it forces user to enter credentials twice (or we don't know how
to pass credentials to landingPage implicitly).

We think that an improvement of user experience would be:

FormAuthenticator: 255
    if (session == null) {
        session = request.getSessionInternal(false);
    }

==>

    if (session == null) {
        session = request.getSessionInternal(true);
    }

So if session is invalid or missing - simply create it.

Does this idea make sense?

Can we achieve the goal of not forcing user entering credentials twice
without changes in Tomcat?

Thanks in advance!
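An added example, not code from this thread or from Tomcat, of the way to take the session out of the equation without patching FormAuthenticator: let the application accept the login POST itself and call HttpServletRequest.login(), which authenticates against the Realm of the Context. Nothing then has to survive server-side between rendering the form and receiving the credentials, so a stale JSESSIONID sent after a restart is simply ignored. It assumes a `<login-config>` in web.xml (so Tomcat installs an Authenticator for the Context), Tomcat's default settings for caching the Principal in the session and rotating the session id on authentication, and the javax.servlet API of the Tomcat 7/8 era (jakarta.servlet on Tomcat 10 and later); the paths `/app-login` and `/login.html` and the `next` parameter are illustrative.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Application-managed login (added example, not Tomcat code).
 *
 * Unlike j_security_check, there is no saved request that must survive
 * in the session between showing the form and receiving the POST. The
 * assumed form posts "username", "password" and an optional "next".
 */
@WebServlet("/app-login")
public class ProgrammaticLoginServlet extends HttpServlet {

    private static final String LOGIN_FORM = "/login.html"; // assumed path
    private static final String DEFAULT_TARGET = "/";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || username.isEmpty() || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Discard whatever pre-login session the browser still refers to
        // (an id that is unknown after the restart is ignored by Tomcat
        // anyway) so that no unauthenticated session carries over.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // Tomcat caches the Principal in the session that exists at login
        // time (default cache=true), so create the new session first; the
        // authenticator then rotates its id as part of the login.
        req.getSession(true);

        try {
            // Validates the credentials against the Realm configured for
            // this Context and sets the Principal on the request.
            req.login(username, password);
        } catch (ServletException e) {
            // Bad credentials, or the request was already authenticated.
            // A generic failure is all the client needs to see.
            resp.sendRedirect(req.getContextPath() + LOGIN_FORM + "?failed=1");
            return;
        }

        resp.sendRedirect(req.getContextPath() + safeTarget(req.getParameter("next")));
    }

    /**
     * Only a context-relative path is accepted as the post-login
     * destination; absolute and protocol-relative forms are rejected so
     * the "next" parameter cannot become an open redirect.
     */
    static String safeTarget(String next) {
        if (next == null || !next.startsWith("/")
                || next.startsWith("//") || next.startsWith("/\\")) {
            return DEFAULT_TARGET;
        }
        return next;
    }
}
```

The price of this approach is that the original protected URL is no longer replayed for the user after login; the form has to carry it explicitly (here as the validated `next` parameter) if that behaviour is wanted.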
Re: can we pass OS username while connection Database from Tomcat
On 28/05/2015 09:59, André Warnier wrote:
> Mark Thomas wrote:
>> On 28/05/2015 08:26, Vijay Kumar wrote:
>>> Hi,
>>>
>>> Is it possible to pass OS username when making connection to any
>>> Database from Tomcat context.xml?
>>
>> In theory this should be possible if you are using SPNEGO authentication.
>>
>> Testing this to figure out what is required to make it work is on the
>> TODO list. It is likely that some combination of configuration, Tomcat
>> code changes and application changes will be required.
>>
>
> I think that the term "OS username" should be carefully defined here,
> along with the precise circumstances in which this would apply.

Agreed. My definition is "user authenticated via SPNEGO"

> Also, connecting to a database using the user-id kind of defeats any
> kind of db connection persistence/pooling/sharing at the container level.

You can have per user pools. Depending on the app and the usage pattern
of the DB there can still be some benefits.

> If this kind of thing is desired anyway, should it then not be done at
> the application level, where you can retrieve the UserPrincipal anyway?

There are certainly different approaches available to solve this
problem. The best approach depends on the actual requirement. I've used
a range of approaches to this type of problem in the past.

Mark
Re: can we pass OS username while connection Database from Tomcat
Vijay, do not "top post". As you can see below, it makes it difficult to
follow the conversation.

Vijay Kumar wrote:
> Hi Mark,
>
> Thanks for your update. I should have specify my requirement little
> more clear to you to understand what you are saying.
>
> I have Oracle Database where my objects are installed and I have also a
> Linux instance where I installed Tomcat. I am currently creating
> connection to the Oracle database from Tomcat using 'apps' user as this
> schema is having all permissions.
>
> One of my client want to monitor the connections that are created from
> my application. For this I want to pass my Linux user information
> (userid) while creating the connection from my application or in
> context.xml file.
>
> Please suggest is it possible or not?
>
> Regards,
> Vijay G
>
> On Thu, May 28, 2015 at 1:14 PM, Mark Thomas wrote:
>> On 28/05/2015 08:26, Vijay Kumar wrote:
>>> Hi,
>>>
>>> Is it possible to pass OS username when making connection to any
>>> Database from Tomcat context.xml?
>>
>> In theory this should be possible if you are using SPNEGO authentication.
>>
>> Testing this to figure out what is required to make it work is on the
>> TODO list. It is likely that some combination of configuration, Tomcat
>> code changes and application changes will be required.
>>
>> Mark
Re: can we pass OS username while connection Database from Tomcat
Mark Thomas wrote:
> On 28/05/2015 08:26, Vijay Kumar wrote:
>> Hi,
>>
>> Is it possible to pass OS username when making connection to any
>> Database from Tomcat context.xml?
>
> In theory this should be possible if you are using SPNEGO authentication.
>
> Testing this to figure out what is required to make it work is on the
> TODO list. It is likely that some combination of configuration, Tomcat
> code changes and application changes will be required.
>

I think that the term "OS username" should be carefully defined here,
along with the precise circumstances in which this would apply.

Also, connecting to a database using the user-id kind of defeats any
kind of db connection persistence/pooling/sharing at the container level.

If this kind of thing is desired anyway, should it then not be done at
the application level, where you can retrieve the UserPrincipal anyway?
Re: can we pass OS username while connection Database from Tomcat
Hi Mark,

Thanks for your update. I should have specify my requirement little more
clear to you to understand what you are saying.

I have Oracle Database where my objects are installed and I have also a
Linux instance where I installed Tomcat. I am currently creating
connection to the Oracle database from Tomcat using 'apps' user as this
schema is having all permissions.

One of my client want to monitor the connections that are created from
my application. For this I want to pass my Linux user information
(userid) while creating the connection from my application or in
context.xml file.

Please suggest is it possible or not?

Regards,
Vijay G

On Thu, May 28, 2015 at 1:14 PM, Mark Thomas wrote:
> On 28/05/2015 08:26, Vijay Kumar wrote:
> > Hi,
> >
> > Is it possible to pass OS username when making connection to any
> > Database from Tomcat context.xml?
>
> In theory this should be possible if you are using SPNEGO authentication.
>
> Testing this to figure out what is required to make it work is on the
> TODO list. It is likely that some combination of configuration, Tomcat
> code changes and application changes will be required.
>
> Mark
Re: can we pass OS username while connection Database from Tomcat
On 28/05/2015 08:26, Vijay Kumar wrote:
> Hi,
>
> Is it possible to pass OS username when making connection to any
> Database from Tomcat context.xml?

In theory this should be possible if you are using SPNEGO authentication.

Testing this to figure out what is required to make it work is on the
TODO list. It is likely that some combination of configuration, Tomcat
code changes and application changes will be required.

Mark
can we pass OS username while connection Database from Tomcat
Hi,

Is it possible to pass OS username when making connection to any
Database from Tomcat context.xml?

Thanks,
Vijay G