Understanding the error cause

2009-12-26 Thread Alan Chandler
I am moving an application I have had running under tomcat5.5 to tomcat6 
on another computer.


I placed my war file in the webapps directory and tomcat duly 
automatically deployed it.  But as soon as I try to access it, it throws 
an exception - the root cause of which appears to be this line


java.security.AccessControlException: access denied 
(java.io.FilePermission 
/var/lib/tomcat6/webapps/akcmoney/WEB-INF/classes/META-INF/hivemodule.xml 
read)



This file is inside the deployed web app, and exists and has file 
permissions 644 with ownership and group of tomcat6.


I do not understand what is wrong.  Can someone give me some advice as 
to how to understand the problem.



--
Alan Chandler
http://www.chandlerfamily.org.uk


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Understanding the error cause

2009-12-26 Thread Alan Chandler

Konstantin Kolinko wrote:
> 2009/12/26 Alan Chandler a...@chandlerfamily.org.uk:
> > I am moving an application I have had running under tomcat5.5 to tomcat6 on
> > another computer.
> >
> > I placed my war file in the webapps directory and tomcat duly automatically
> > deployed it.  But as soon as I try to access it, it throws an exception -
> > the root cause of which appears to be this line
> >
> > java.security.AccessControlException: access denied (java.io.FilePermission
> > /var/lib/tomcat6/webapps/akcmoney/WEB-INF/classes/META-INF/hivemodule.xml
> > read)
> >
> > This file is inside the deployed web app, and exists and has file
> > permissions 644 with ownership and group of tomcat6.
> >
> > I do not understand what is wrong.  Can someone give me some advice as to
> > how to understand the problem.
>
> http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html


Thanks - understand much more now.

--
Alan Chandler
http://www.chandlerfamily.org.uk





Tomcat not listening on ipv4

2009-12-20 Thread Alan Chandler
I have just upgraded my Debian server to unstable, and now find that 
attempts to connect to my tomcat via ajp fail.

It appears from netstat that tomcat is listening on 8009 but only on ipv6

I have been unable to find out how to change this.  Can someone give me 
a clue.

--
Alan Chandler
http://www.chandlerfamily.org.uk





Re: Tomcat not listening on ipv4

2009-12-20 Thread Alan Chandler

André Warnier wrote:
> Alan Chandler wrote:
> > I have just upgraded my Debian server to unstable, and now find that
> > attempts to connect to my tomcat via ajp fail.
> >
> > It appears from netstat that tomcat is listening on 8009 but only on ipv6
> >
> > I have been unable to find out how to change this.  Can someone give
> > me a clue.
>
> As a hack : use the Address attribute of the AJP Connector and specify a
> V4 address ? (if only 127.0.0.1)




It works at least as far as connecting to Tomcat from apache is 
concerned.  I now have problems accessing the database from tomcat and 
that is throwing an exception



--
Alan Chandler
http://www.chandlerfamily.org.uk






context placement

2007-02-06 Thread Alan Chandler
I am trying to use tomcat 5.5 for the first time - having just moved 
from tomcat5.

I am getting symptoms (I think) of my JNDI resource having not been set 
up properly

In particular, I have NO contexts in my $CATALINA_HOME/conf/server.xml, 
since I want to bring these in in my webapps .war file.

So in the .war file for my app I have a META-INF/context.xml file with 
the following in (apart from the password which I have changed)

<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="usermgr" path="/usermgr">
    <Resource name="jdbc/usermgr" auth="Container"
              type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://127.0.0.1:5432/users"
              username="tomcat" password="x"
              maxActive="20" maxIdle="10" maxWait="-1" />
</Context>

and my application attempts to connect to the JNDI resource

java:/comp/env/jdbc/usermgr

But when I run it, I get the following in the error message

Cause: org.apache.commons.dbcp.SQLNestedException: Cannot create JDBC 
driver of class '' for connect URL 'null'


I am interpreting this as the JNDI resource has not been recognised.

Do I have the right interpretation?
Have I misunderstood how tomcat can find the contexts?

-- 
Alan Chandler
http://www.chandlerfamily.org.uk





Re: context placement

2007-02-06 Thread Alan Chandler
On Tuesday 06 February 2007 20:03, Alan Chandler wrote:

> I am getting symptoms (I think) of my JNDI resource having not been
> set up properly

I forgot to say that I have this working under eclipse on a development 
system, but it seems (as part of the Web App plugin) to copy the 
contents of context.xml into server.xml

My reading of the docs of tomcat5.5 is that I don't need to do this (nor 
to Catalina/ENGINE_NAME/HOST_NAME/usermgr.xml)


-- 
Alan Chandler
http://www.chandlerfamily.org.uk





Re: context placement

2007-02-06 Thread Alan Chandler
On Tuesday 06 February 2007 20:34, Pid wrote:
> Alan Chandler wrote:
> > On Tuesday 06 February 2007 20:03, Alan Chandler wrote:
> > I am getting symptoms (I think) of my JNDI resource having not
> > been set up properly
>
> Context first:

Yeh just took that out as per suggestion further up thread

> you don't need to specify the /path.
> the path to the webapp is determined from the name of the deployed
> .war or the name of the context.xml file.
>
> for:
>   %tomcat_home%/webapps/appname1.war
>
> the context xml file should deploy to:
>   %tomcat_home%/conf/Catalina/localhost/appname1.xml


When you say this, are you saying that tomcat automatically copies from 
the META-INF/context.xml file in the .war file to that location

(in my case that would 
be /var/lib/tomcat5.5/conf/Catalina/appserv.home/usermgr.xml because my 
host is appserv.home)

BUT

I only have an EMPTY localhost directory in 
the /var/lib/tomcat5.5/conf/Catalina directory and
no appserv.home directory at all.




-- 
Alan Chandler
http://www.chandlerfamily.org.uk





[SOLVED] Re: context placement

2007-02-06 Thread Alan Chandler
On Tuesday 06 February 2007 20:46, Alan Chandler wrote:
> On Tuesday 06 February 2007 20:34, Pid wrote:
> > Alan Chandler wrote:
> > > On Tuesday 06 February 2007 20:03, Alan Chandler wrote:
> > > I am getting symptoms (I think) of my JNDI resource having not
> > > been set up properly
...

> > for:
> >   %tomcat_home%/webapps/appname1.war
> >
> > the context xml file should deploy to:
> >   %tomcat_home%/conf/Catalina/localhost/appname1.xml
>
> When you say this, are you saying that tomcat automatically copies
> from the META-INF/context.xml file in the .war file to that
> location


Answer yes - but only if it has permissions.

I think this is a debian problem in that Catalina directory is owned by 
root with 755 access rights.  

-- 
Alan Chandler
http://www.chandlerfamily.org.uk





File permission problem not understood

2007-02-05 Thread Alan Chandler
I have just upgraded my Debian Etch system from tomcat5 to tomcat5.5

Now when I start my applications I am getting the following

javax.servlet.ServletException: Unable to initialize application 
servlet: access denied 
(java.io.FilePermission 
/var/lib/tomcat5.5/webapps/blog/WEB-INF/classes/META-INF/hivemodule.xml 
read)


the root cause of this is ...
java.security.AccessControlException: access denied 
(java.io.FilePermission 
/var/lib/tomcat5.5/webapps/blog/WEB-INF/classes/META-INF/hivemodule.xml 
read)


The file referred to exists and is accessible by tomcat
ls -l /var/lib/tomcat5.5/webapps/blog/WEB-INF/classes/META-INF/hivemodule.xml

gives

-rw-r--r-- 1 tomcat55 nogroup  1035 2006-01-26 19:13 hivemodule.xml

so I am puzzled as to what I need to do to fix it.

Can anyone help please
-- 
Alan Chandler
http://www.chandlerfamily.org.uk
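
Added example (not part of the original messages, and not Tomcat's own code): the AccessControlException quoted in this message and in the 2009 "Understanding the error cause" thread comes from the Java security manager's policy check, which is separate from the Unix mode and ownership that ls reports. The sketch rebuilds the denied permission from the exception text and tests it against four constructed policy grants; the class name and the grants are illustrative assumptions, and Unix-style paths are assumed.

```java
import java.io.FilePermission;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FilePermissionCheck {

    // Text of a FilePermission denial as it appears in a stack trace. Older JVMs
    // print the fields bare, newer ones wrap each field in double quotes.
    private static final Pattern DENIAL = Pattern.compile(
            "access denied \\(\"?java\\.io\\.FilePermission\"?\\s+\"?(.+?)\"?\\s+\"?([a-z,]+)\"?\\)");

    /** Rebuilds the permission object that the security manager was asked to check. */
    static FilePermission parseDenial(String line) {
        Matcher m = DENIAL.matcher(line);
        if (!m.find()) {
            throw new IllegalArgumentException("no FilePermission denial in: " + line);
        }
        return new FilePermission(m.group(1), m.group(2));
    }

    public static void main(String[] args) {
        // Exception text from the message above, joined onto one line.
        String trace = "java.security.AccessControlException: access denied "
                + "(java.io.FilePermission "
                + "/var/lib/tomcat5.5/webapps/blog/WEB-INF/classes/META-INF/hivemodule.xml "
                + "read)";
        FilePermission needed = parseDenial(trace);

        // Constructed candidate grants (path, actions), in the form they would take
        // in a "permission java.io.FilePermission ..." line of a policy file.
        String[][] grants = {
            // "*" covers only files directly inside the named directory
            {"/var/lib/tomcat5.5/webapps/blog/*", "read"},
            // "-" covers the named directory tree recursively
            {"/var/lib/tomcat5.5/webapps/blog/-", "read"},
            // exact path, but the action list lacks "read"
            {"/var/lib/tomcat5.5/webapps/blog/WEB-INF/classes/META-INF/hivemodule.xml", "write"},
            // exact path with "read" among the actions
            {"/var/lib/tomcat5.5/webapps/blog/WEB-INF/classes/META-INF/hivemodule.xml", "read,write"},
        };

        System.out.println("needed: " + needed.getName() + " [" + needed.getActions() + "]");
        for (String[] g : grants) {
            FilePermission granted = new FilePermission(g[0], g[1]);
            // implies() is the same test the policy performs for each granted permission
            System.out.printf("%-7s %s [%s]%n",
                    granted.implies(needed) ? "covers" : "misses", g[0], g[1]);
        }
    }
}
```

A grant only helps if it is given to every protection domain on the call stack when the file is opened, so a library jar loaded from outside the web application needs its own grant.
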

Re: Struggling with basic database connection

2006-10-01 Thread Alan Chandler
On Sunday 01 October 2006 17:27, John Najarian wrote:
> Alan,
>
>   Did you ever resolve this?  I don't have enough
> information here to help you.
...

Sort of ...

The WTP plugin for eclipse copies what is in META-INF/context.xml  and writes 
it into CATALINA_BASE/conf/server.xml.

So for tomcat5.0, I have relied on testing/debugging like that so far, and 
achieving the same manually when I come to deploy on the production server.

At some stage soon, I will be changing to tomcat 5.5 but I am not sure where 
to go to make things work then, as I am still not sure there is any 
definitive guide to where these things go and how tomcat deals with a 
META-INF/context.xml




> --- Alan Chandler [EMAIL PROTECTED] wrote:
> > On Saturday 23 September 2006 15:23, David Smith wrote:
> > > Correction: context.xml belongs in META-INF of the war archive.
> >
> > I have just conducted experiments with Tomcat 5.0
> >
> > putting a context.xml file in META-INF doesn't appear to work
> >
> > I have not been having success with putting in conf/server.xml - but I have
> > had success with putting the context in conf/Catalina/localhost/akcmoney.xml
> >
> > --
> > Alan Chandler
> > http://www.chandlerfamily.org.uk


-- 
Alan Chandler
http://www.chandlerfamily.org.uk





Re: Struggling with basic database connection

2006-09-24 Thread Alan Chandler
On Saturday 23 September 2006 15:23, David Smith wrote:
> Correction: context.xml belongs in META-INF of the war archive.


I have just conducted experiments with Tomcat 5.0

putting a context.xml file in META-INF doesn't appear to work

I have not been having success with putting in conf/server.xml - but I have 
had success with putting the context in conf/Catalina/localhost/akcmoney.xml


-- 
Alan Chandler
http://www.chandlerfamily.org.uk





Struggling with basic database connection

2006-09-23 Thread Alan Chandler
I am struggling to figure out why my Tomcat installation is failing to allow 
me to connect my java web application to a database.  I am looking for ideas 
as to how to find out what is wrong.  I have (what I think) is the same setup 
on another machine and it works fine.  The only difference between these is 
that the working one is tomcat 5.0 and this machine is tomcat 5.5 (although I 
am just about to try with a 5.0 setup).

I am trying with this simple piece of code - plucked from the tomcat docs.

Context initCtx;
try {
    initCtx = new InitialContext();
    Context envCtx = (Context) initCtx.lookup("java:comp/env");
    DataSource ds = (DataSource) envCtx.lookup("jdbc/akcmoney");
    Connection conn = ds.getConnection();
} catch (Exception e1) {
    e1.printStackTrace();
}

and with debug, I can see that initCtX, envCtx and ds all are assigned non 
null values, but the ds.getConnection() results in the following.

org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create JDBC
driver of class '' for connect URL 'null'

I have the postgresql jdbc driver jar in $CATALINA.BASE/common/lib

Server.xml contains

<Context docBase="akcmoney" path="/akcmoney" reloadable="true"
         source="org.eclipse.jst.j2ee.server:akcmoney">
  <Resource auth="Container" name="jdbc/akcmoney"
            type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/akcmoney">
    <parameter>
      <name>factory</name>
      <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
    </parameter>
    <parameter>
      <name>driverClassName</name>
      <value>org.postgresql.Driver</value>
    </parameter>
    <parameter>
      <name>url</name>
      <value>jdbc:postgresql://127.0.0.1:5432/akcmoney</value>
    </parameter>
    <parameter>
      <name>username</name>
      <value>tomcat4</value>
    </parameter>
    <parameter>
      <name>password</name>
      <value>xxx</value>
    </parameter>
    <parameter>
      <name>maxActive</name>
      <value>20</value>
    </parameter>
    <parameter>
      <name>maxIdle</name>
      <value>10</value>
    </parameter>
    <parameter>
      <name>maxWait</name>
      <value>-1</value>
    </parameter>
  </ResourceParams>
</Context>

my WEB-INF/web.xml contains this reference.

<resource-ref>
    <description>AKCMoney Database</description>
    <res-ref-name>jdbc/akcmoney</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>

Anyone any ideas where I am going wrong, or how to look at the contents of the 
initCtX, envCtx and ds variables in the above code snippet to understand how 
far I have got


-- 
Alan Chandler
http://www.chandlerfamily.org.uk





Re: Struggling with basic database connection

2006-09-23 Thread Alan Chandler
On Saturday 23 September 2006 09:57, Andrew Stepanenko wrote:
> Hello,
>
> there is a difference between how resources are defined in 5.0 and
> 5.5. In 5.0 you could provide your resource definitions right in the
> server.xml, but in 5.5 you need to create a separate context.xml file
> ($CATALINA_HOME/conf/Catalina/hostname/context.xml) and put resource
> definitions there.
> See this link:
> http://tomcat.apache.org/tomcat-5.5-doc/jndi-resources-howto.html
>
> I also had this problem when migrating from 5.0 to 5.5. After I
> defined a separate context.xml it started to work again.

The docs seem very vague on this issue,  but it does imply that I could still 
use $CATALINA_HOME/conf/server.xml

One question that isn't answered in the docs is what the root element should 
be - the best seems to be the example for accessing a database, and even 
there it puts <Context ...>

I tried with context.xml in the directory you mentioned and it said it 
couldn't find the webapp context, so I renamed it to my application and 
tried again.  But it didn't work.

So still stumped

-- 
Alan Chandler
http://www.chandlerfamily.org.uk





Re: Struggling with basic database connection

2006-09-23 Thread Alan Chandler
On Saturday 23 September 2006 15:23, David Smith wrote:
> Correction: context.xml belongs in META-INF of the war archive.

OK, I am beginning to comprehend - and knowledge about the context.xml in the 
META-INF file for a WAR archive is good.  I was looking for a way to wrap all 
the info about the application in one directory structure - for my version 
control.

Does this work with Tomcat 5.0 - that's my current production environment?

HOWEVER, in the short term I am not working with WAR files - instead I am 
trying to deploy the application inside Eclipse. I tried creating a directory 
etc under eclipse's (probably WTP plugin's) server configuration, but it 
doesn't publish that to the conf directory inside its CATALINA_HOME.

So still not sure how to proceed.


-- 
Alan Chandler
http://www.chandlerfamily.org.uk





problem building tcnative

2006-05-31 Thread Alan Chandler
Trying to get rid of this error message when I start tomcat 5.5.17

The Apache Tomcat Native library which allows optimal performance in 
production environments was not found on the java.library.path

I discovered I have to build the tcnative library, but it's giving me problems.  
I am running under Debian unstable, having installed libapr1-dev .

In essence I run this command

./configure --with-apr=/usr/bin/apr-config \
    --with-java-home=/usr/lib/jvm/java-1.5.0-sun \
    && make && make install


and after configuring correctly, the first line of the make file fails

make[1]: Entering directory `/home/alan/dev/tomcat-native-1.1.3/jni/native'
/bin/sh /usr/share/apr-1.0/build/libtool --silent --mode=compile 
i486-linux-gnu-gcc -pipe -Wall -g -O2 -pthread  -pipe -Wall -g -O2 
-DHAVE_CONFIG_H -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE   -g 
-O2 -DHAVE_OPENSSL   -I/home/alan/dev/tomcat-native-1.1.3/jni/native/include 
-I/usr/lib/jvm/java-1.5.0-sun/include 
-I/usr/lib/jvm/java-1.5.0-sun/include/linux  -I/usr/include/apr-1.0   -o 
src/os.lo -c src/os.c && touch src/os.lo
/bin/sh: /usr/share/apr-1.0/build/libtool: No such file or directory

Tracking back what seems to be happening is that configure runs 
build/tcnative.m4 which includes this

  APR_BUILD_DIR=`$apr_config --installbuilddir`

($apr_config is the apr-config tool I specified on the command line, and 
outputs this - /usr/share/apr-1.0/build )

and then it sets up build/rules.mk where APR_BUILD_DIR gets turned into 
apr_builddir.  Then this line inside rules.mk defines libtool thus

LIBTOOL=$(SHELL) $(apr_builddir)/libtool

which is where the error occurs, because libtool is (in Debian) in /usr/bin, 
not in  /usr/share/apr-1.0/build/

The question is - where is the error?  in the Debian packaging or in this 
piece of tomcat, or have I missed some parameter of the ./configure?


-- 
Alan Chandler
http://www.chandlerfamily.org.uk





Re: Setting up a parallel test environment on the same machine as main server

2006-02-14 Thread Alan Chandler
On Tuesday 14 February 2006 12:36, Tim Lucia wrote:
> 1. Moving the JkMount directive inside a <VirtualHost...> will make it
> accessible from only that virtual host.  So, you must repeat common ones,
> such as /jkmanager.  I put the mappings (JkMount(s)) right in the virtual
> host definition(s) with no trouble at all.

Thanks - just what I needed confirmation on


> 2. The virtual host is determined by the http host header, not by the
> connector host name.  This is true for both httpd and tomcat (and any other
> web server.)

Not sure I understand what you mean here by http host header, isn't that 
the name of the web site that I am accessing (ie as known by apache) rather 
than as known by a backend tomcat


At the moment, I have apache, with two virtual host names of


home.chandlerfamily.org.uk (also known as www.chandlerfamily.org.uk) (ip 
address of my WAN)
money.home (ip address of 192.168.0.32)

based on ip addressing only (ie not named virtual hosts - because it also 
needs to support https where named virtual hosts are not supported)

which all end up using tomcat services for parts of the web site (urls as 
defined in JkMountFile).  It is all directed to a single tomcat host via a  
single worker.properties file with the following

worker.list=tomcat

worker.tomcat.type=ajp13
worker.tomcat.host=appserv.home
worker.tomcat.port=8009
worker.tomcat.connect_timeout=10

and a single host on the server.xml line defined as

appserv.home

This appserv.home (ip address 192.168.0.31) is certainly currently getting all 
the traffic it should get from apache - but I don't see how that is related 
to the http host in the header.

BUT ...

Do you mean that if I had changed my workers thusly

worker.list=production,test

worker.production.host=prodserv.home
worker.test.host=testserv.home
... for the other parameters

but where both prodserv.home, and testserv.home had the SAME ip address (say 
127.0.0.1 :-) )

AND I add an apache virtual host of test.home (ip address 192.168.0.39)

That I can differentiate them in the server.xml file by having an engine 
running of localhost, but with two hosts with names of prodserv.home and 
testserv.home respectively, and that provided the JkMountFile was then moved 
into the correct apache virtual host context, then the same url could be 
mapped by one apache virtual host to worker production and the other apache 
virtual host could map to worker test.

I could then have different versions of the same app running on production and 
test.




> You can always install Apache httpd + Tomcat on a second machine (or on the
> same machine on a separate set of ports), if you are reluctant to try it on
> your production host.
>
> HTH,
> Tim
>
>
> -----Original Message-----
> From: Alan Chandler [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 14, 2006 3:50 AM
> To: users@tomcat.apache.org
> Subject: Re: Setting up a parallel test environment on the same machine as
> main server
>
>
> On Sunday 12 February 2006 17:07, Alan Chandler wrote:
> ...
>
> > Unless anyone here can suggest a better way, I would like to move the
> > JkMountFile directive from global scope to virtual host scope and have
> > two separate files urimap files so that I can map different things
> > dependent on which virtual host.
> >
> > However, since this is a live site I don't want to just conduct the
> > simple experiment to see if will work, so I am asking here if this is
> > OK.
>
> Is there really nobody on this list who can answer this simple question?
>
> ...
>
> > However, I don't fully understand the relationship between service,
> > engine and host stanza's in the server.xml file, and until I do, I
> > am reluctant to muck about with it and potentially screw the currently
> > working arrangement.
>
> Specifically, there was some conversation here about it best that if tomcat
> was running on the same box as the web server (which it is in my case) that
> it would be best to make the connection between apache2 and tomcat be via
> localhost.  That being the case, how can I map the SAME servlet name but
> from a different virtual host (albeit ip based) on apache to DIFFERENT
> hosts on the same tomcat engine.

-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.




Re: Setting up a parallel test environment on the same machine as main server

2006-02-14 Thread Alan Chandler
On Tuesday 14 February 2006 12:36, Tim Lucia wrote:

> You can always install Apache httpd + Tomcat on a second machine (or on the
> same machine on a separate set of ports), if you are reluctant to try it on
> your production host.

Of course in an ideal world I would - but this is my home, and I don't have 
any more spare machines.  I am already testing on an independent machine 
first, but I want to essentially bring a new version gently into play - 
running off of a single database on my main server - just to prove that I can 
bring the application up in as close to production environment as possible in 
a test environment before switching it to live.

-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.




Re: Setting up a parallel test environment on the same machine as main server

2006-02-14 Thread Alan Chandler
On Wednesday 15 February 2006 01:13, Tim Lucia wrote:
> The http host header is sent by the user-agent (browser) based on the
> address requested in the URL.  This is how virtual hosts are
> differentiated. Tomcat supports a host container for virtual host
> differentiation, just like Apache does.  You do not need to change the
> workers at all.  Tomcat sees the same host header that Apache does.  I.e.,
> using Tamper Data and FireFox, I see
>
> Host=www.chandlerfamily.org.uk

Yes - I get that part.


> When I request your web site.  (Along with a photo of you, presumably, in a
> tie & sunglasses ;-)  You might also want to send just Apache for the
> server, rather than

Yes it's me (although they are my normal glasses that I wear all the time - 
they just have light sensitive lenses), taken at my daughter's graduation from 
Southampton University in the summer 2004 :-)


> Server=Apache/2.0.54 (Debian GNU/Linux) mod_auth_pgsql/2.0.2b1 DAV/2
> SVN/1.1.4 mod_jk/1.2.14 mod_python/3.1.3 Python/2.3.5 PHP/4.3.10-16
> mod_ssl/2.0.54 OpenSSL/0.9.7e mod-xslt/1.0.0rc1
>
> As it is more secure.  How to do this was recently discussed on this
> list.

Low priority - but I'll look at it.


> So, you should have two virtual hosts (by name) in both server.xml and
> httpd.conf.  Not sure how to solve the https problem -- never tried to
> myself.

This is where I get lost.  I currently have two virtual hosts on apache 
pointing at the same virtual host on tomcat ALL with different names - so 
this doesn't square with what you are saying  of there being a one to one 
mapping.

This server is running linux, with two ethernet cards. On the WAN side (which 
is what you can see) my ISP allocated via dhcp a single IP address.  That is 
the www.chandlerfamily.org.uk address. On the lan side, I can allocate 
multiple IP addresses to the card in a set of pseudo devices, so at the 
moment it has address 192.168.0.20 and 192.168.0.30, 31, 32 and 39.  Each of 
these is given separate names such as roo.home, appserv.home, webmail.home 
money.home and test.home by a nameserver also running on that machine

On apache I have a number of virtual hosts set up (but because of the https 
problem they MUST be differentiated by ip address).  At the moment I have the 
virtual hosts www.chandlerfamily.org.uk and money.home directing traffic to 
tomcat on the host appserv.home (the home page you saw was being generated in 
a java application).

I want to add a tomcat host to serve java applications to an apache virtual 
host running on test.home.  If I understand you correctly you would advocate 
creating additional host elements of my server.xml file with names of 
www.chandlerfamily.org.uk and test.home (I presume I have to keep default 
host of appserv.home just so that tomcat knows which ip address to listen 
on).  If I do that how do I pick up traffic to money.home? add another host 
statement with repeated contexts?



-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.




Trouble understanding security constraints

2006-02-08 Thread Alan Chandler
My normal deployment of Tomcat is behind apache2, and up to now I have been 
using basic authentication defined by Apache's configuration file as to who 
has access to what.

I am about to implement the piece of the application that allows users to 
change their own passwords, and the administrator to set up and administer 
users.

In order to develop and test the application where I am only running tomcat 
(controlled via eclipse) I need to replicate the security controls I will 
eventually be putting in place via apache.

Given a servlet application called /usermgr, then relative to that root, I 
need url patterns /* to require that any user who has an entry in the user 
table of the JDBCRealm I am using is prompted to login, and must successfully 
do so, whereas to access a url pattern of /admin/* I need to ensure that the 
person who has logged in has the role of 'admin'.

I think I need something like this in my web.xml file.  Have I understood this 
correctly?

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Valid Users</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Site Admin</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

but where I am stuck is with the login config

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name></realm-name>
</login-config>

Is realm name just some descriptive text to prompt the user with, or has it 
any other significance, and am I limited to only one user prompt for both 
security constraints?

Finally, what does security role mean within there.  ie do I need the 
following

<security-role>
    <description>Site administrator</description>
    <role-name>admin</role-name>
</security-role>

and what does it actually mean?




-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.




Re: Trouble understanding security constraints

2006-02-08 Thread Alan Chandler
On Thursday 09 February 2006 04:05, Bill Barker wrote:
> Alan Chandler [EMAIL PROTECTED] wrote in message
> news:[EMAIL PROTECTED]
...
> This works correctly in TC 5.x.  You need to reverse the order for TC 4.1.x
> (this is due to a change in the respective versions of the servlet spec
> they implement).
>
> > <security-constraint>
> >     <web-resource-collection>
> >         <web-resource-name>Valid Users</web-resource-name>
> >         <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >         <role-name>*</role-name>
> >     </auth-constraint>
> > </security-constraint>
> >
> > <security-constraint>
> >     <web-resource-collection>
> >         <web-resource-name>Site Admin</web-resource-name>
> >         <url-pattern>/admin/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >         <role-name>admin</role-name>
> >     </auth-constraint>
> > </security-constraint>

Since I am doing everything for TC 4.1.3 (Debian Stable) and just to be clear, 
do you mean the following (ie swapping round the security-constraints)

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Site Admin</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Valid Users</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

Otherwise thank you very much that was very clear.
-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.
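
Added example (not from the thread and not Tomcat source code): a small model of why the order of the two security-constraint elements discussed above matters. It compares choosing the first declared constraint whose url-pattern matches with choosing the most specific match; treating the order-dependent container as "first match wins" is an assumption made for illustration, as are the class name, the request paths and the second role name "user".

```java
import java.util.List;
import java.util.Set;

public class ConstraintOrderDemo {

    /** One security-constraint: its url-pattern and the role-name of its auth-constraint. */
    record Constraint(String name, String urlPattern, String role) {}

    /**
     * How specifically a url-pattern matches a path relative to the context root,
     * using the servlet mapping rules: exact match, then longest path prefix,
     * then extension, then the default pattern "/". Returns -1 for no match.
     */
    static int specificity(String pattern, String path) {
        if (pattern.equals(path)) return Integer.MAX_VALUE;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2); // "/admin/*" -> "/admin"
            boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
            return hit ? 2 + prefix.length() : -1;
        }
        if (pattern.startsWith("*.")) {
            int dot = path.lastIndexOf('.');
            boolean hit = dot > path.lastIndexOf('/')
                    && path.substring(dot).equals(pattern.substring(1));
            return hit ? 1 : -1;
        }
        return pattern.equals("/") ? 0 : -1;
    }

    /** Order-dependent selection: the first declared constraint whose pattern matches. */
    static Constraint firstMatch(List<Constraint> declared, String path) {
        for (Constraint c : declared) {
            if (specificity(c.urlPattern(), path) >= 0) return c;
        }
        return null;
    }

    /** Order-independent selection: the constraint with the most specific matching pattern. */
    static Constraint bestMatch(List<Constraint> declared, String path) {
        Constraint best = null;
        int bestScore = -1;
        for (Constraint c : declared) {
            int score = specificity(c.urlPattern(), path);
            if (score > bestScore) {
                best = c;
                bestScore = score;
            }
        }
        return best;
    }

    /** Role check: "*" stands for every role name declared in a security-role element. */
    static boolean permitted(Constraint c, Set<String> userRoles, Set<String> declaredRoles) {
        if (c == null) return true; // no constraint covers the path, so it is unprotected
        if (c.role().equals("*")) {
            return userRoles.stream().anyMatch(declaredRoles::contains);
        }
        return userRoles.contains(c.role());
    }

    static String decide(Constraint c, Set<String> userRoles, Set<String> declaredRoles) {
        String name = (c == null) ? "(none)" : c.name();
        return name + " -> " + (permitted(c, userRoles, declaredRoles) ? "allow" : "deny");
    }

    public static void main(String[] args) {
        Constraint validUsers = new Constraint("Valid Users", "/*", "*");
        Constraint siteAdmin = new Constraint("Site Admin", "/admin/*", "admin");
        Set<String> declaredRoles = Set.of("admin", "user"); // "user" is a made-up second role
        Set<String> ordinaryUser = Set.of("user");           // logged in, but not an admin

        List<Constraint> asPosted = List.of(validUsers, siteAdmin);
        List<Constraint> reversed = List.of(siteAdmin, validUsers);

        for (String path : List.of("/profile", "/admin/users")) {
            for (List<Constraint> order : List.of(asPosted, reversed)) {
                System.out.printf("%-13s %-9s first-match: %-22s best-match: %s%n",
                        path, order == asPosted ? "as posted" : "reversed",
                        decide(firstMatch(order, path), ordinaryUser, declaredRoles),
                        decide(bestMatch(order, path), ordinaryUser, declaredRoles));
            }
        }
    }
}
```

The record syntax needs Java 16 or later.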




What is the correct way to install a new version of a war

2006-01-14 Thread Alan Chandler
I am trying to install a new version of my application war

I tried various ways, using the HTML manager, including removing the 
application and then installing by uploading a new war file, but all of them 
seemed to screw up one way or the other.

The option I mention above (complete re-install) seemed to have a problem with 
re-initialising my connection to the database (which is using the built in 
Tomcat pooling).  

In the end I had to shutdown and restart the server.

Is there a recommended step by step approach to doing this safely?
-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.




How do you debug Authentication Problems

2006-01-13 Thread Alan Chandler
I have tomcat4 fronted by apache2 and linked via mod_jk.

I am running well with basic applications, but up until now I have been 
manually loading applications.

I tried to use the manager application, and it is asking me to authenticate 
myself.  I have added myself into the manager role in the tomcat-users, but I 
get into a loop of authentication failures.

As a TEMPORARY measure, I have added the authentication into the Apache 
configuration (inside a Location directive) and removed it from the web.xml 
of the manager application.

And that works.

 There is nothing in any of my standardly configured logs to indicate what is 
happening.   But, given this effect of getting it to work when I delegate 
security control to Apache,  I suspect that the front ending of tomcat with 
apache is playing some effect on the failures. It also explains why I could 
never get my application with user login to work and had to give up trying to 
build authentication into a web app. 

But what is the problem? and how do I debug this to get a clear picture of 
what is happening? 

Surely others have had the same issues  - front ending Tomcat with apache must 
be a relatively frequent configuration - and have overcome them.
-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.




Still failing authentication - need help on how to Debug

2005-11-01 Thread Alan Chandler
I am still struggling to get tomcat to authenticate access to my application.  

As a starting point I am trying to use BASIC authentication with the 
DataSource Realm (basically because I can check the query SQL)

Whatever I do the user is presented with the authentication dialog box, but 
this authentication ALWAYS fails.

Any way, as can be seen from the logs I am doing an authenticate test and 
failing.

But that's not surprising when you look at the SQL that is being requested.  The 
username is null.

Why? 

I can't see how I have anything wrong in server.xml - otherwise the postgres 
query would not have happened.  I can't see what I could possibly have wrong 
in my web.xml as this does not even mention username!

Nevertheless, my web.xml is below.



How can I get further info that would be helpful in debugging this?



===famtree log (from tomcat4)
2005-11-01 19:53:00 famtree: init
2005-11-01 19:54:29 Authenticator[/famtree]: Security checking request 
GET /famtree/app
2005-11-01 19:54:29 Authenticator[/famtree]:   Checking constraint 
'SecurityConstraint[Famtree Application]' against GET /app -- true
2005-11-01 19:54:29 Authenticator[/famtree]:  Subject to constraint 
SecurityConstraint[Famtree Application]
2005-11-01 19:54:29 Authenticator[/famtree]:  Calling checkUserData()
2005-11-01 19:54:29 Authenticator[/famtree]:   User data constraint has no 
restrictions
2005-11-01 19:54:29 Authenticator[/famtree]:  Calling authenticate()
2005-11-01 19:54:30 Authenticator[/famtree]:  Failed authenticate() test
roo:/var/log/tomcat4# 

=postgres.log

2005-11-01 19:54:30 [3756] LOG:  duration: 0.283 ms  statement: set 
client_encoding = 'UNICODE'
2005-11-01 19:54:30 [3756] LOG:  duration: 5.291 ms  statement: SELECT 
password FROM users WHERE name = null

===web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app id="WebApp_ID">
  <display-name>Family Tree Manager</display-name>

  <filter>
    <filter-name>redirect</filter-name>
    <filter-class>org.apache.tapestry.RedirectFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>redirect</filter-name>
    <url-pattern>/</url-pattern>
  </filter-mapping>

  <servlet>
    <servlet-name>famtree</servlet-name>
    <servlet-class>org.apache.tapestry.ApplicationServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>famtree</servlet-name>
    <url-pattern>/app</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>famtree</servlet-name>
    <url-pattern>*.page</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>famtree</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>famtree</servlet-name>
    <url-pattern>*.sdo</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>famtree</servlet-name>
    <url-pattern>*.svc</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>famtree</servlet-name>
    <url-pattern>/assets/*</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>

  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>

  <resource-ref>
    <description>Family Tree Database</description>
    <res-ref-name>jdbc/family_tree</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Shareable</res-sharing-scope>
  </resource-ref>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Famtree Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>family</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Family Member</realm-name>
  </login-config>
  <security-role>
    <role-name>family</role-name>
  </security-role>

</web-app>
 

-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.




Re: Still failing authentication - need help on how to Debug

2005-11-01 Thread Alan Chandler
On Tuesday 01 Nov 2005 20:26, Andoni wrote:
 Hi Alan,

 Show us the relevant section of your server.xml.

 Are you using a view in your database?

 What the authenticator is doing is basically two select statements on your
 database to find the usernames and passwords. If the name of the username
 column is not correctly corresponding to the username column in the
 database then you may be in trouble!


You are not going to believe this, but I was fiddling about putting ethereal 
up to try and check what username was going between the machines and it 
suddenly just started working.

I have no idea what I have done that makes it work, or why it wasn't working 
before. (I have only just switched over to the DataSource Realm because I 
couldn't get the UserDatabase Realm to work either.)



-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.
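
The two lookups described in the quoted reply above map onto the DataSourceRealm attributes as sketched here. This is an added example, not configuration posted in the thread: the users table and its name and password columns come from the logged query and the family role from the posted web.xml, while the user_roles table, the role column and the dataSourceName value are assumptions.

```xml
<!-- Added example, not from the thread: a DataSourceRealm entry for server.xml.
     userTable, userNameCol and userCredCol match the query seen in postgres.log.
     userRoleTable and roleNameCol are assumed names.
     dataSourceName is a placeholder: its exact form depends on the Tomcat
     version and on how the JNDI DataSource is declared. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/family_tree"
       userTable="users"
       userNameCol="name"
       userCredCol="password"
       userRoleTable="user_roles"
       roleNameCol="role"/>

<!-- With these attributes the realm issues two parameterised lookups per login:

       SELECT password FROM users      WHERE name = ?
       SELECT role     FROM user_roles WHERE name = ?

     The first is the statement that appears in postgres.log. The parameter is
     the username taken from the BASIC Authorization header, so a logged value
     of null means no username reached the realm for that request.

     userNameCol is used for BOTH tables, so the username column must have the
     same name in users and in user_roles.

     Assumed schema (constructed for illustration):

       CREATE TABLE users      (name     varchar(32) PRIMARY KEY,
                                password varchar(64) NOT NULL);
       CREATE TABLE user_roles (name     varchar(32) REFERENCES users(name),
                                role     varchar(32) NOT NULL,
                                PRIMARY KEY (name, role));

     For the posted web.xml, the second lookup has to return the role "family"
     for the user, because that is the only role-name in its auth-constraint. -->
```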
