Re: chunked encoding

2012-03-23 Thread Chema
 1. http://en.wikipedia.org/wiki/Chunked_transfer_encoding
 2. RFC 2616 (the specification of HTTP/1.1 protocol)

One question

How does the web browser know the right order of the chunks?
When the server waits to generate the whole response, I understand that
transmission can rely on TCP and the client (web browser) can be
sure that the response is complete and all message parts are in order.

But when the server sends the response in chunks, I don't know how the client
(web browser) puts them in order.
I didn't see anything about it on the Wikipedia link.

Thanks and regards

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: chunked encoding

2012-03-23 Thread Chema
 The server application must pass the chunks to its outbound TCP/IP stack in 
 order, so normal TCP sequencing takes care of it.


Thanks
But, if I'm not wrong, chunk messages belong to the application layer, so
when the server passes them to the TCP/IP stack, they are different messages.
They go over the same connection, but they are different messages at the
application layer, right?

I see it like a chat conversation: when I send Hello and Bye from the
chat client, the receiving chat can only know the right order if there is
some mechanism at the *application layer* to put them in order.

I can rely on the order in which the messages were sent, but it doesn't look
very reliable.

I'm sure I'm wrong, but I don't understand it.

Thanks and regards




Re: chunked encoding

2012-03-23 Thread Chema

 TCP packets are numbered (by TCP itself). Thus chunks are ordered as well.


So, chunks aren't sent at the same time, but they are sent over the same
TCP connection.
In this case, it makes sense to me: a stream of chunks. Thanks




Re: chunked encoding

2012-03-23 Thread Chema
2012/3/23 Caldarale, Charles R chuck.caldar...@unisys.com:
 From: Chema [mailto:demablo...@gmail.com]
 Subject: Re: chunked encoding

 But, if I'm not wrong , chunks messages belong application layer, so
 when servers pass them to TCP/IP stack , they are different messages.

 TCP/IP knows nothing about messages, only about the two byte streams for 
 the connection (one inbound, one outbound).

Thanks.
You're right. It was my fault.
If I think of many chunks being sent over the same TCP connection, it makes
sense to me.

I don't know why I thought of different chunks over separate connections.

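The point the replies make, as an added example (not code from the thread or from Tomcat): each chunk carries its own length inside the single ordered byte stream, so a decoder recovers the same chunks however the bytes were split into TCP segments. The class name, the size limits and the sample body are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class ChunkedDecoderDemo {

    static final int MAX_LINE = 256;        // illustrative limit on a size or trailer line
    static final int MAX_CHUNK = 1 << 20;   // illustrative limit on one chunk (1 MiB)

    /** Reads one CRLF-terminated line from the byte stream and returns it without the CRLF. */
    static String readLine(InputStream in) throws IOException {
        ByteArrayOutputStream line = new ByteArrayOutputStream();
        int prev = -1;
        int b;
        while ((b = in.read()) != -1) {
            if (prev == '\r' && b == '\n') {
                byte[] raw = line.toByteArray();            // still ends with the CR
                return new String(raw, 0, raw.length - 1, StandardCharsets.US_ASCII);
            }
            if (line.size() >= MAX_LINE) {
                throw new IOException("line too long");
            }
            line.write(b);
            prev = b;
        }
        throw new IOException("stream ended inside a line");
    }

    /** Reads exactly n bytes, looping because one read() may return only part of a chunk. */
    static byte[] readExactly(InputStream in, int n) throws IOException {
        byte[] buf = new byte[n];
        int off = 0;
        while (off < n) {
            int got = in.read(buf, off, n - off);
            if (got == -1) {
                throw new IOException("stream ended inside a chunk");
            }
            off += got;
        }
        return buf;
    }

    /** Decodes a chunked body: hex size line, data, CRLF, repeated until a zero-size chunk. */
    static List<String> decode(InputStream in) throws IOException {
        List<String> chunks = new ArrayList<>();
        while (true) {
            String sizeLine = readLine(in);
            int semi = sizeLine.indexOf(';');               // chunk extensions are ignored
            String hex = (semi >= 0 ? sizeLine.substring(0, semi) : sizeLine).trim();
            if (!hex.matches("[0-9A-Fa-f]{1,8}")) {
                throw new IOException("bad chunk size line: " + sizeLine);
            }
            long size = Long.parseLong(hex, 16);
            if (size > MAX_CHUNK) {
                throw new IOException("chunk too large");
            }
            if (size == 0) {
                break;                                      // last-chunk marker
            }
            chunks.add(new String(readExactly(in, (int) size), StandardCharsets.UTF_8));
            if (!readLine(in).isEmpty()) {
                throw new IOException("missing CRLF after chunk data");
            }
        }
        while (!readLine(in).isEmpty()) {
            // skip optional trailer headers up to the final empty line
        }
        return chunks;
    }

    /** Wraps the wire bytes so that each bulk read returns at most segmentSize bytes. */
    static InputStream segmented(byte[] wire, final int segmentSize) {
        return new ByteArrayInputStream(wire) {
            @Override
            public synchronized int read(byte[] b, int off, int len) {
                return super.read(b, off, Math.min(len, segmentSize));
            }
        };
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body: three chunks followed by the zero-size terminator.
        byte[] wire = ("4\r\nWiki\r\n" + "5\r\npedia\r\n" + "E\r\n in\r\n\r\nchunks.\r\n" + "0\r\n\r\n")
                .getBytes(StandardCharsets.US_ASCII);
        List<String> reference = decode(segmented(wire, wire.length));
        for (int seg : new int[] {1, 3, 1460}) {
            List<String> chunks = decode(segmented(wire, seg));
            System.out.println("segment size " + seg + ": " + chunks.size()
                    + " chunks, same as reference: " + chunks.equals(reference));
        }
    }
}
```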



Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-06 Thread Chema
 There's nothing like chasing your tail for a few days on a mailing list.

 - -chris

ok, ok ...it was my fault ... sorry :-/

Regards




Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-05 Thread Chema

 Do you have testOnBorrow=true and a validationQuery=SELECT 1 FROM
 DUAL configured?

 This should suffice to ensure each connection is valid before use.


 Pid,

 works like a charms. Thanks very much.


From Tomcat doc for testOnBorrow setting:

The indication of whether objects will be validated before being
borrowed from the pool. If the object fails to validate, it will be
dropped from the pool, and we will attempt to borrow another.
For a true value to have any effect, the validationQuery parameter
must be set to a non-null string. Default value is false. In order to
have a more efficient validation, see validationInterval. Default value
is false.

I don't understand how it works now.

By the way, what does it mean to validate an object?

Regards




Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-05 Thread Chema
2012/3/5 Michael sg...@gmx.net:
 Chema wrote:

 Do you have testOnBorrow=true and a validationQuery=SELECT 1 FROM
 DUAL configured?

 This should suffice to ensure each connection is valid before use.


 Pid,

 works like a charms. Thanks very much.



 It executes the validation query and checks if there is no SQLException.

Thanks ... but, if you only restart the remote db, the query SELECT
1 FROM DUAL always works, am I wrong?




Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-05 Thread Chema
 No if the connection has been reset by the instance. The query will result
 in a SQLException. You have to close the connection and open a new one. The
 query works on an open connection only. That's the point.
 See the second paragraph of this [1].


But the problem was when you restart the remote database, not the
local database.
In this case, SELECT 1 FROM DUAL works (doesn't return a SQL exception).
But when you then execute the query SELECT * FROM TABLE@remotedb,
it fails. That was the problem, right?




Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-04 Thread Chema

  That approach doesn't work when the application uses symlinks to get to
  data on other Oracle servers.


Right. With dblinks, it's the RDBMS that opens/closes a session against
the remote server.
I guess that when you say our Oracle database has to be restarted,
you *only* restart the remote server, right?

One question:

Do you use any kind of ORM framework? Some of them (myBatis, for
example) allow you to configure different schemas with different
pingQuery settings.
So, you could define the remote queries in a particular schema with
a pingQuery like SELECT 1 FROM DUAL@REMOTEDB




Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-04 Thread Chema
 We use Spring w/ Hibernate as I recall.  Yes, we have talked about that - a
 ping query.  What we don't like about that is now we have a tc ping and app
 ping.  We have also discussed just changing the tc borrow/ping to do the
 dual@remotedb query as this would test both primary and remote.  We have
 tested this and it works.  What stinks about this is we only access the
 remotedb 10% of the time.

Well, I don't know how Hibernate works, but I know that you can have
many SessionFactory instances.
Can you define different SessionFactory instances with different settings, for
example, with a different pingQuery value?
Does Hibernate have a pingQuery setting?

So, when you want to perform a remote query, you use the SessionFactory
that returns local connections, but tested first with the
SELECT 1 FROM DUAL@remotedb query.




Re: Limiting concurrent requests by user

2012-02-27 Thread Chema
2012/2/27 hernan hbe...@gmail.com



 The process may take some seconds or a few minutes to be completed. I'd
 like to limit the number of client requests per user.


Why don't you use Tomcat's valve mechanism?
You can implement a request filter at Context scope.

Where to store the request counter?
Memory looks like the better option ... except if your application runs in a
clustered environment. In this case, you can try a database.
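
The in-memory counter suggested above, as an added example (not code from the thread): a per-user count of in-flight requests that a Filter or Valve would consult before passing the request on. Class and method names are hypothetical, and the counts live in one JVM, so a cluster needs shared storage as the reply notes.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

public class PerUserRequestLimiter {

    private final int maxConcurrent;
    // user -> number of requests currently being processed; idle users have no entry
    private final ConcurrentMap<String, Integer> inFlight = new ConcurrentHashMap<>();

    public PerUserRequestLimiter(int maxConcurrent) {
        if (maxConcurrent < 1) {
            throw new IllegalArgumentException("maxConcurrent must be at least 1");
        }
        this.maxConcurrent = maxConcurrent;
    }

    /** Atomically counts the request in if the user is below the limit. */
    public boolean tryEnter(String user) {
        final boolean[] admitted = new boolean[1];
        inFlight.compute(user, (u, n) -> {
            int current = (n == null) ? 0 : n;
            if (current >= maxConcurrent) {
                return n;                       // at the limit: leave the count unchanged
            }
            admitted[0] = true;
            return current + 1;
        });
        return admitted[0];
    }

    /** Counts one request out; the entry is removed at zero so the map cannot grow unbounded. */
    public void exit(String user) {
        inFlight.computeIfPresent(user, (u, n) -> (n <= 1) ? null : n - 1);
    }

    /**
     * What a filter's doFilter would do around chain.doFilter(): returns false when the
     * request must be refused (the filter would then send an error status instead).
     */
    public boolean runLimited(String user, Runnable work) {
        if (!tryEnter(user)) {
            return false;
        }
        try {
            work.run();
            return true;
        } finally {
            exit(user);                         // always release, even if the work throws
        }
    }

    public int inFlightFor(String user) {
        Integer n = inFlight.get(user);
        return (n == null) ? 0 : n;
    }

    public static void main(String[] args) {
        // Constructed scenario: limit of 2 concurrent requests per user.
        PerUserRequestLimiter limiter = new PerUserRequestLimiter(2);

        System.out.println("alice #1 admitted: " + limiter.tryEnter("alice"));
        System.out.println("alice #2 admitted: " + limiter.tryEnter("alice"));
        System.out.println("alice #3 admitted: " + limiter.tryEnter("alice"));
        System.out.println("bob   #1 admitted: " + limiter.tryEnter("bob"));

        limiter.exit("alice");                  // one of alice's long requests finishes
        System.out.println("alice retry admitted: " + limiter.tryEnter("alice"));

        limiter.exit("alice");
        limiter.exit("alice");
        limiter.exit("bob");
        System.out.println("alice in flight after all exits: " + limiter.inFlightFor("alice"));

        boolean ran = limiter.runLimited("carol", () -> System.out.println("carol's request runs"));
        System.out.println("carol admitted: " + ran
                + ", in flight afterwards: " + limiter.inFlightFor("carol"));
    }
}
```

In a filter the key would be the authenticated user name, for example the value of `request.getRemoteUser()`.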


Re: Shutdown Hooks not firing when tomcat is shutdown from within a webapp

2012-02-07 Thread Chema
 Asynchronous Notification 'interface com.evertz.registry.ServerRegistryListener: masterChanged' daemon prio=6 tid=0x28c77000 nid=0x16d8 in Object.wait() [0x2899f000]
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        - waiting on 0x08bc3ac0 (a org.apache.catalina.startup.Catalina$CatalinaShutdownHook)
        at java.lang.Thread.join(Thread.java:1143)
        - locked 0x08bc3ac0 (a org.apache.catalina.startup.Catalina$CatalinaShutdownHook)
        at java.lang.Thread.join(Thread.java:1196)
        at java.lang.ApplicationShutdownHooks.runHooks(ApplicationShutdownHooks.java:79)
        at java.lang.ApplicationShutdownHooks$1.run(ApplicationShutdownHooks.java:24)
        at java.lang.Shutdown.runHooks(Shutdown.java:79)
        at java.lang.Shutdown.sequence(Shutdown.java:123)
        at java.lang.Shutdown.exit(Shutdown.java:168)
        - locked 0x23c8bf68 (a java.lang.Class for java.lang.Shutdown)
        at java.lang.Runtime.exit(Runtime.java:90)
        at java.lang.System.exit(System.java:904)

Can I see the ApplicationShutdownHooks source code?
What's com.evertz.registry.ServerRegistryListener?




Re: Shutdown Hooks not firing when tomcat is shutdown from within a webapp

2012-02-07 Thread Chema
 Can I see ApplicationShutdownHooks source code ?

 That is located in java.lang, you can see the source online...


Sorry, I meant about *your* app's shutdown hook.

 What 's com.evertz.registry.ServerRegistryListener ?

Right


 This is just the listener that triggers the shutdown call.
 The trace shows that I call System.exit(0), which then runs the 
 shutdown hooks, but then gets stuck running the CatalinaShutdownHook. It 
 looks like all CatalinaShutdownHook does is call catalina.stop, I don't 
 really know how to figure out what it is waiting on though.




Re: Connection.close() has already been called during login

2012-01-23 Thread Chema
2012/1/23  removeps-c...@yahoo.com:
 Initially I thought that my RootJDBCRealm might be the problem, but how can 
 that be?  RootJDBCRealm extends Tomcat's own JDBCRealm.  It overrides 
 authenticate to call super.authenticate and if there are 3 failures (in that 
 super.authenticate returns null), then it locks out the user.  So could the 
 user of RootJDBCRealm still be a problem?  Thanks.


From Tomcat 7 docs:

The JDBCRealm is not recommended for production use as it is single
threaded for all authentication and authorization options. Use the
DataSourceRealm instead.
The UserDatabaseRealm is not intended for large-scale installations.
It is intended for small-scale, relatively static environments.




Re: DB Connection error

2012-01-09 Thread Chema
2012/1/9 Anjib Mulepati anji...@hotmail.com:
 I did change my config.xml to


 <Context antiJARLocking="true" path="/myApp">
 <Resource auth="Container"
            driverClassName="oracle.jdbc.driver.OracleDriver"
            maxActive="20"
            maxIdle="10"
            maxWait="-1"
            name="jdbc/myName"
            password="myPassword"
            testOnBorrow="true"
            type="javax.sql.DataSource"
            url="jdbc:oracle:thin:@//localhost:8080/MYDBS"
            username="myUsername"
            validationQuery="SELECT 1 FROM DUAL" />
 </Context>


Can you attach the error trace?




Re: DB Connection error

2012-01-09 Thread Chema
 Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
    at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:375)
    at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:422)
    at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:678)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:238)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1054)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:308)
    ... 30 more
 Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
    at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
    at java.net.Socket.connect(Socket.java:529)
    at oracle.net.nt.TcpNTAdapter.connect(TcpNTAdapter.java:209)
    at oracle.net.nt.ConnOption.connect(ConnOption.java:123)
    at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:353)
    ... 35 more


I see that the database is on the same machine as Tomcat, right?

It's important, for me at least, to know if this error

Caused by: java.net.ConnectException: Connection refused: connect

occurs while restarting the database server or just after that?

One question: after restarting the database, can you telnet to
localhost:8080 from the same machine?
By the way, 8080 is a curious port for a database ... is it the real
port listening for incoming connections?




Re: Tomcat 7 SSL activation on AS/400?

2012-01-09 Thread Chema

    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect

Well, I don't know what the problem is.

I followed these steps and it worked: http://blog.frankel.ch/ssl-your-tomcat-7

Another option is that the HTTP Connector in your server.xml is incorrectly configured.




Re: DB Connection error

2012-01-03 Thread Chema
2012/1/3 Anjib Mulepati anji...@hotmail.com:
 Hi All,

 One simple question: if I have a JNDI configuration in my application, will my
 application reconnect to the DB whenever my DB gets restarted?
 I am having a DB connection problem every Monday since our DB gets restarted on
 weekends, which we don't have control of.
 I am using Tomcat 6.0.20

Hi:

can you attach the <Resource/> element from your server.xml file (except
sensitive data)?




Re: DB Connection error

2012-01-03 Thread Chema
 But in my application I have context.xml with following

 <Context antiJARLocking="true" path="/myApp">
 <Resource auth="Container"
            driverClassName="oracle.jdbc.driver.OracleDriver"
            maxActive="20"
            maxIdle="10"
            maxWait="-1"
            name="jdbc/myName"
            password="myPassword"
            type="javax.sql.DataSource"
            url="jdbc:oracle:thin:@//localhost:8080/MYDBS"
            username="myUsername"
             />
 </Context>

Well, you can use the validationQuery parameter with SELECT 1 FROM
DUAL. I've never used it but you can test it.
And take a look at http://commons.apache.org/dbcp/configuration.html

If you can, send us the exact error that your web app returns ...

Bye




Re: DB Connection error

2012-01-03 Thread Chema
 Try adding validationQuery=SELECT 1 FROM DUAL and testOnBorrow=true.

testOnBorrow is true by default   :-)




Re: Login fails, then works subsequently (Tomcat 7)

2011-12-21 Thread Chema
You can try to add traces to the code of your realm class, if it's a
custom realm: to watch the query executed, to watch the
user/password passed from the browser, to catch exceptions and print the stack
trace ...
If you don't have a custom realm, you can try to create one for testing.

Can you paste your server.xml conf? Only the realm parts (all), without
sensitive data.

Good luck



2011/12/21 Jerry Malcolm 2ndgenfi...@gmail.com:
 About a month ago, I upgraded two different servers from TC 5 to TC 7.  The
 migration went cleanly, and everything has been working fine with the
 exception of one thing.   About 50% of the time, when I log in to the realm
 for my web app (form-based login), the login will fail.  When I try again
 with the same id/pw it works.  I can then log out and log back in
 repeatedly with no problem.  But if I come back later and try to log on
 again, same things.  Fails once, and then passes.

 My authentication configuration hasn't changed for years on these webapps,
 and this has worked solid on TC 5.  My database (MySQL) hasn't changed, and
 the user tables are unchanged.  The only thing that has changed is
 TC 5 --> TC 7.  And the problem has hit both servers, completely independent of
 each other, other than they both got the TC 7 upgrade.

 First of all, has anyone ever heard of this situation?  Second, any idea
 how where/how to turn on detailed tracing/logging of the authentication
 calls to see what might be going on in the authentication code in TC?  The
 only information I'm getting is that the id/pw were not correct.  But
 again, same id/pw becomes correct when I submit it a 2nd time.

 The one thing I didn't change was the MySQL connector.  Should that have
 been changed for TC 7? (Just guessing now)

 Suggestions for how to proceed?

 Thx.

 Jerry




Re: Login fails, then works subsequently (Tomcat 7)

2011-12-21 Thread Chema
 10 to 1 you've got stale connections in your pool; first try fails, second
 one gets a fresh connection

I thought the same


autoReconnect   
Should the driver try to re-establish stale and/or dead connections?
If enabled the driver will throw an exception for a queries issued on
a stale or dead connection, which belong to the current transaction,
but will attempt reconnect before the next query issued on the
connection in a new transaction. The use of this feature is not
recommended, because it has side effects related to session state and
data consistency when applications don't handle SQLExceptions
properly,


http://dev.mysql.com/doc/refman/5.1/en/connector-j-reference-configuration-properties.html


You can implement your own realm extending DataSourceRealm and
overriding authenticate() method with your traces . And don't forget
to call super.authenticate().

More info:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm




Re: Security Constraints With URL Rewrite filter

2011-12-21 Thread Chema
Well, I don't know about this, but

What is the URLRewrite filter? A Servlet filter?

You can try to write a Valve and test if it works. I think it's
processed before calling container code. Maybe ...
Or configure a web proxy to do the rewriting. I haven't done this before, but
I know it's possible. If I find some info about this, I'll send it to you.

Bye

2011/12/21 Jerry Malcolm 2ndgenfi...@gmail.com:
 I structure my webapps with different JSP folders for different user role
 access, and define the folder patterns in web.xml for each role access.
 This has worked for many years in my webapps.  But in the interest of
 getting cleaner URLs, I've written a URLRewrite filter.  The rewrite filter
 is correctly rewriting the URLs and forwarding the requests.  But I just
 noticed something I hadn't counted on.  The security constraints no longer
 apply to the call to the rewritten URLs from the filter.  In other words,
 JSPs in /jsp/admin folder are configured to require admin role.  But I
 can call a JSP from inside the filter to /jsp/admin/myadmintask.jsp and no
 security challenge occurs.

 I guess this makes sense to me.  I just wasn't expecting it.  I assume that
 the security constraint now applies to the pattern that come INTO the
 filter.  So instead of constraining /jsp/myadmintask/*.jsp in web.xml, I
 now need to constrain the inbound url /doadmin.  Is that correct?

 I just need some education here.  Is it correct that should map all of the
 URL patterns that come INTO the rewrite filter?  Alternatively, is there
 some way for me to do the requestdispatcher.forward call from the filter,
 and tell it to honor security constraints on the folder structure like it
 worked prior to adding the rewrite function?

 Thanks.

 Jerry

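One way to keep the role check when a filter forwards into the protected folder, as an added example (not code from the thread): declarative constraints are matched against the URL the client requested, so the filter checks the role itself before calling forward. It assumes the javax.servlet API shipped with Tomcat 7 on the classpath; the class name and rule table are hypothetical, and `/doadmin`, `/jsp/admin/myadmintask.jsp` and the admin role are the names used in the question.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RoleCheckingRewriteFilter implements Filter {

    /** One rewrite rule: the internal target and the role its folder requires (null = public). */
    static final class Rule {
        final String target;
        final String requiredRole;

        Rule(String target, String requiredRole) {
            this.target = target;
            this.requiredRole = requiredRole;
        }
    }

    // Clean inbound path -> rule. Filled once in init() and only read afterwards.
    private final Map<String, Rule> rules = new HashMap<>();

    @Override
    public void init(FilterConfig config) {
        // Hypothetical rule table; the role mirrors the constraint on /jsp/admin in web.xml.
        rules.put("/doadmin", new Rule("/jsp/admin/myadmintask.jsp", "admin"));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        Rule rule = rules.get(req.getServletPath());
        if (rule == null) {
            chain.doFilter(request, response);      // not a rewritten URL: normal processing
            return;
        }

        // The container does not re-apply web.xml constraints to the forward target,
        // so the same role is enforced here. isUserInRole() is false for anonymous users.
        if (rule.requiredRole != null && !req.isUserInRole(rule.requiredRole)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        req.getRequestDispatcher(rule.target).forward(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Constraining the inbound pattern (`/doadmin`) in web.xml as well lets the container run the login challenge before the filter is reached.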



Re: Mysterious request edirect with value exchange

2011-12-20 Thread Chema
 This result is as expected, but from time to time we saw the
 following URL string returned
 http://mytestsystem/login.action?login_error=1&u=OtherUser although
 we sent the form with Tester as value away. But now in the input
 field it is also OtherUser set.

One question
How is the returned URL built? Where is the username stored?

Thanks




Re: Mysterious request edirect with value exchange

2011-12-20 Thread Chema
OK
Just to rule out what Chuck is answering in another thread: a
request-specific value kept in a servlet instance field



2011/12/20  uwe.hellm...@t-systems.com:
 It is a web form.

 The Java code should be this fragment.

 // build the login-failed URL, echoing the submitted username back as the u parameter
 final String username = req.getParameter("username");
 String uParam = "";
 if (StringUtils.isBlank(username) == false) {
     uParam = "&u=".concat(username);
 }
 logonFilter.setLoginFailedUrl("/action?login_error=1".concat(uParam));

 -Original Message-
 From: Chema [mailto:demablo...@gmail.com]
 Sent: Tuesday, 20 December 2011 15:04
 To: Tomcat Users List
 Subject: Re: Mysterious request edirect with value exchange

 This result is as expected, but from time to time we saw the
 following URL string returned
 http://mytestsystem/login.action?login_error=1&u=OtherUser although
 we sent the form with Tester as value away. But now in the input
 field it is also OtherUser set.

 One question
 How is the returned URL built? Where is the username stored?

 Thanks

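The failure mode being ruled out here, as an added example (not the poster's code): a request-specific value stored on an object shared by all requests can be overwritten by a concurrent request before it is read back. `SharedLogonFilter` is a hypothetical stand-in that only mirrors the `setLoginFailedUrl` call quoted above; the usernames are the ones from the thread, and URL-encoding the name is an addition.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicReference;

public class SharedFieldLeakDemo {

    /** Hypothetical shared object: one instance serves every request, like a servlet or filter. */
    static class SharedLogonFilter {
        private String loginFailedUrl;          // request-specific value in an instance field

        void setLoginFailedUrl(String url) { this.loginFailedUrl = url; }
        String getLoginFailedUrl()         { return loginFailedUrl; }
    }

    /** Builds the login-failed URL for one request, encoding the user-supplied name. */
    static String failedUrlFor(String username) {
        String uParam = "";
        if (username != null && !username.trim().isEmpty()) {
            try {
                uParam = "&u=" + URLEncoder.encode(username, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException(e);   // UTF-8 is always available
            }
        }
        return "/action?login_error=1" + uParam;
    }

    static void await(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException(e);
        }
    }

    /**
     * Runs two overlapping failed logins (Tester, then OtherUser) and returns the URL
     * that Tester's request ends up sending. Latches force the interleaving in which the
     * second request stores its value before the first one reads the field back.
     */
    static String urlSentToTester(final boolean useSharedField) throws InterruptedException {
        final SharedLogonFilter filter = new SharedLogonFilter();
        final CountDownLatch testerStored = new CountDownLatch(1);
        final CountDownLatch otherStored = new CountDownLatch(1);
        final AtomicReference<String> sentToTester = new AtomicReference<>();

        Thread tester = new Thread(() -> {
            String local = failedUrlFor("Tester");      // lives on this request's stack only
            filter.setLoginFailedUrl(local);
            testerStored.countDown();
            await(otherStored);                         // the other request runs in this window
            sentToTester.set(useSharedField ? filter.getLoginFailedUrl() : local);
        });
        Thread other = new Thread(() -> {
            await(testerStored);
            filter.setLoginFailedUrl(failedUrlFor("OtherUser"));
            otherStored.countDown();
        });

        tester.start();
        other.start();
        tester.join();
        other.join();
        return sentToTester.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("read back from shared field: " + urlSentToTester(true));
        System.out.println("kept in a local variable:    " + urlSentToTester(false));
    }
}
```

In a real servlet or filter the per-request value belongs in a local variable or a request attribute rather than in a field of the shared instance.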



Re: Babysitting ThreadLocals

2011-11-23 Thread Chema
A silly question:

why do you use a ThreadLocal to store a constant value for the entire
application? Why not a static variable, or store it in the web application
context, for example?

Thanks

2011/11/23 Christopher Schultz ch...@christopherschultz.net:

 All,

 I've got a servlet that needs to log every request (potentially big
 requests) to files on the disk. In order to do that in a
 reasonably-tidy way, we write each file into a directory with the
 current date in the path, something like this:

 .../logs/2011-11-23/request-XYX.log

 To do this, we have a SimpleDateFormat object that we use to ensure we
 target the right directory. Since SimpleDateFormat isn't threadsafe,
 we have two choices: synchronize or use ThreadLocal. We have opted for
 the latter: ThreadLocal.

 Our servlet defines the ThreadLocal to be protected (because this is a
 base class for several servlets that all do similar things) and
 transient (because we just don't need it to be serialized) and
 override the initialValue method, like this:

    protected transient ThreadLocal<SimpleDateFormat> dayFormat = new ThreadLocal<SimpleDateFormat>() {
        public SimpleDateFormat initialValue()
        {
            return new SimpleDateFormat("yyyy-MM-dd");
        }
    };

 In the servlet's destroy method, we dutifully call dayFormat.remove().
 Tomcat complains that we are leaving sloppy ThreadLocals around on
 shutdown. Duh: Servlet.destroy is called by a single thread and won't
 actually remove the ThreadLocal in any meaningful way.

 So, my question is whether or not there is a good way to clean-out the
 ThreadLocals from our webapp?

 Given the declaration above, we are creating a new class which will be
 loaded by our webapp's ClassLoader and therefore pinning that
 ClassLoader in memory definitely causing a memory leak across redeploy
 cycles.

 One way to avoid this would be to have a library at the server-level
 that only contains this simple ThreadLocal<SimpleDateFormat>
 definition, but that seems like kind of an awkward solution.

 Removing the ThreadLocal after every request of course means that the
 use of ThreadLocal is entirely useless.

 Should I stop worrying about the overhead of creating a
 SimpleDateFormat? Should I look for a threadsafe implementation of
 SimpleDateFormat (maybe in commons-lang or something)? Should I
 synchronize access to the object?

 Any suggestions would be very helpful.

 Thanks,
 - -chris



Re: Babysitting ThreadLocals

2011-11-23 Thread Chema
 The string of the date format is constant. However the SimpleDateFormat
 class is not threadsafe, so you will hit intermittent issues when sharing
 across threads

Do you mean that read operations (getters) on non-threadsafe objects
are not atomic operations and could retrieve dirty values because of
sharing across threads?

So, singleton objects must be threadsafe to be a real singleton?

Maybe my doubts are very basic but I didn't know about these issues ...




Re: Session across Realm and Servlet

2011-10-16 Thread Chema
   In my custom Realm implementation I am authenticating some user and
 allowing
 him to access my webapps (servlets or filters) (my application).
  I need this authentication session to be reused in my webapp (to avoid
 another authentication) if it is an authorized session.
  So for this purpose I want to set an object in the session and reuse that
 object (connection object) at my servlets level.

 How can I overcome this?



You can use a Filter and check if the remote user is set.
I do it this way to load user info into the user's HTTP session.


Re: filters on j_security_check

2011-10-16 Thread Chema



 Frankly, if you're using Spring Security, I'd stick with it. I myself
 am thinking of making the switch.


Yes, I tried it and I like it, but I need Single Sign On support and the
solutions that Spring Security offers are complicated for me to implement.


Re: filters on j_security_check

2011-10-15 Thread Chema
 This is one of the reasons I switched to SecurityFilter: there is a
 FlexibleRealmInterface that passes-in the HttpServletRequest that was
 used to attempt authentication. That allows you to get nice things
 like the ip address of the request for logging.


I'm interested in what you are talking about. Where can I find info
about SecurityFilter?
I've used Spring Security for reasons like yours, but I want to try other
options.

Thanks


Re: Session across Realm and Servlet

2011-10-14 Thread Chema

 So how it is possible to access HttpRequestServlet and set some
 session attribute in my Custom Realm which extends RealmBase.



I guess you can't do it that way.



 Or else it should be a different Procedure.



You can try by using filters or try Spring Security




 Waiting for some clue.





Re: Detecting a login or logoff event

2011-10-06 Thread Chema
For logout, you can implement an HttpSessionListener.
It has a method:

public void sessionDestroyed(HttpSessionEvent se)

It's invoked when the HTTP session is invalidated (session.invalidate()).

So, you have to invalidate the HTTP session when the user logs out (i.e., the user
clicks a logout button and calls a servlet).
To capture when the user is closing the browser, you need to use JavaScript events
and send a call to the server. Maybe a filter can be used to capture this
event.

For login, you can use Spring Security.
Maybe for logout too, but I don't know.
Or use your own filters.




2011/10/6 Martin O'Shea app...@dsl.pipex.com

 I need to be able to intercept a successful authentication of a login /
 logout request which can then be used to make a series of system updates to
 record the fact.

 So, if John Doe has just logged in successfully, an update is made to his
 session like:

 session.setAttribute("loggedIntoSession", true);

 Or an update made to the database?

 Conversely, upon logout:

 session.setAttribute("loggedIntoSession", false);

 At the moment, I am thinking about scriptlets in the pages served testing
 the request's servlet path after login is successful but is a filter better?
 But if so, what might a filter check for?

 -Original Message-
 From: Martin O'Shea [mailto:app...@dsl.pipex.com]
 Sent: 05 Oct 2011 23 06
 To: 'Tomcat Users List'
 Subject: RE: Using multiple login pages

 Thanks for this Chris. It is food for thought.

 I was under the impression that form-login-page was static, because
 that's how I seen it used in apps I've worked on.

 But I am curious to try a filter as well, something like this mapped to the
 login:

 public void doFilter(ServletRequest request, ServletResponse response,
         FilterChain chain) throws java.io.IOException, ServletException {

     HttpServletRequest req = (HttpServletRequest) request;
     HttpServletResponse res = (HttpServletResponse) response;

     // pre login action

     // get username
     String username = req.getParameter("j_username");

     // if user is in revoked list send error
     if (revokeList.contains(username)) {
         res.sendError(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED);
         return;
     }

     // call next filter in the chain: let j_security_check authenticate
     // the user
     chain.doFilter(request, response);

     // post login action
 }

 I wouldn't mind seeing a servlet specified as form-login-page if you know
 of an example.

 -Original Message-
 From: Christopher Schultz [mailto:ch...@christopherschultz.net]
 Sent: 05 Oct 2011 22 08
 To: Tomcat Users List
 Subject: Re: Using multiple login pages


 Martin,

 On 10/5/2011 1:59 PM, Martin O'Shea wrote:
  I have it now. There was a redirection going on in a method called
  from a scriptlet in the login page. It now seems to be OK.

 Glad you got it going.

  But one thing bugs me still: you said that you can have 'different
  login pages for different types of resources you're trying to
  reach.' Can you give any pointers about this?

 A page is defined as whatever the server responds when you request a
 resource. The form-login-page you configure in your web.xml can be
 dynamic: you can do whatever you want in that page. It doesn't have to
 be a static form that always looks the same. You can
 include/forward/etc from that page. It doesn't even have to be a JSP.
 You can configure the login-form-page to be a servlet that makes
 decisions and forwards to some other .jsp file.

 Use your imagination.

 - -chris




Re: Detecting a login or logoff event

2011-10-06 Thread Chema
2011/10/6 Martin O'Shea app...@dsl.pipex.com


 Detecting a logoff is easier using the sessionDestroyed method.


How do you detect that a user is closing his browser?


Re: Realm SSL : issue when logout

2011-09-27 Thread Chema
 Why getContext("/app") ??

 HTTP Sessions are local to each web application.

 If protected.html belongs to a different web application, it would
 not (and cannot) know that you invalidated session in this webapp.

Hi

You're right: protected.html belongs to another web application.
But my Tomcat is configured with Single Sign On and, according to the docs,

as soon as the user logs out of one web application (for example, by
invalidating the corresponding session if form based login is used),
the user's sessions in all web applications will be invalidated.

http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Single Sign On


Anyway, this problem also occurs with a single and simple web application.
As I said in another thread, this issue was solved, at least, in Tomcat 7.0.21
(my tests were on 7.0.11)


Regards




Re: Limiting access to resources, based on username, not on the user role

2011-09-23 Thread Chema

 In your code, you would examine the Principal and see if it had permission
 to proceed.  Then return the resource or an error, accordingly.


My way, I would put your code that "examine the Principal and see
if it had permission" into a custom realm class.
This custom realm can check only user authorization, no role

This way, you avoid having to implement a redirection manually




Re: Example to logout on Tomcat 7 and SSL + Realm [SOLVED]

2011-09-20 Thread Chema
Thanks Christopher.
Great explanation.

Finally, my problem was solved by upgrading to Tomcat 7.0.21.
On 7.0.16, my application doesn't work fine with SSL + realm (see
previous emails)

Upgrading to 7.0.21 ( clean install, really ) solved the problem and works fine.


Regards


2011/9/16 Christopher Schultz ch...@christopherschultz.net:

 André,

 On 9/16/2011 1:38 PM, André Warnier wrote:
 I guess that where the OP (and I) get a little confused is in the
 distinction between the state of having a session and being
 logged-in, and maybe the sequence in which these things happen.

 1) a browser sends a first request to Tomcat, and this happens to
 be directed to an application which requires authentication
 (container-driven).

 2) Tomcat intercepts the request (because of the authentication
 requirement), sends back something to the browser which tells the
 browser (or the user) to supply credentials.

 3) the browser (or the user) supplies the credentials along with a
 subsequent request

 4) Tomcat intercepts this again, verifies the credentials, and if
 they fit, allows the request (now authenticated) to proceed to
 the application which had been requested in the first place.

 (and I know that there is some variety in the above, depending on
 the type of authentication, but roughly that's it, no ?)

 This is all correct for BASIC, FORM, and CLIENT-CERT authentication
 strategies. The difference is how the server requests the credentials
 and how the client provides them.

 For instance, BASIC uses a 401 server response to request credentials
 and the client provides them in an WWW-Authenticate header with a
 subsequent response. FORM responds with a login form and the client
 sends credentials using POST or query data (aka parameters). For
 CLIENT-CERT, the server requests the certificate as part of the SSL
 negotiation, and the certificate is sent as part of the SSL negotiation.

 5) then the request hits the application, and it is the
 application which decides if a session is created or not. Yes ?

 Here's where things change. For FORM authentication, an HttpSession is
 created and corresponds directly to the user's privileged status. Once
 the HttpSession is invalidated, the login expires and the user is
 logged-out.

 And if it decides so, this creates some storage place for this
 session thing, and makes it so that a cookie will later be sent
 back to the browser, with an id pointing to this session storage
 thing, so that a subsequent request which provides this cookie,
 allows the application to retrieve the saved session and its
 contents prior to handling the next request.

 The JSESSIONID is used to associate HttpSessions with requests. You
 can have an HttpSession without having authenticated, but for a FORM
 authentication, you must have an HttpSession after (and, in Tomcat,
 /before/) you are successfully authenticated (Servlet spec 3.0 allows
 you to perform a programmatic login, but I'll ignore that for the
 purposes of this discussion).

 Now what is maybe less clear, is whether the session thing which
 was created, contains or not the authentication data.

 For FORM authentication, it does.

 And if yes : a session invalidate should delete the session
 thing (and the contained authentication info), and this should
 have the effect that when the browser sends a subsequent request,
 it will find a no session yet situation.

 There will be no existing session to fetch in any case. For FORM
 authentication, that also means that you will have to re-authenticate
 in order to get to a privileged resource again.

 Obviously though, no session does not necessarily mean not
 authenticated, but this is I believe where the OP (and I) are
 getting confused.

 For FORM authentication, no session - not authenticated.

 Technically speaking, the servlet spec defines being logged into an
 application as [corresponding] precisely to there being a valid
 non-null caller identity associated with the request as may be
 determined by calling getRemoteUser or getUserPrincipal on the
 request (section 13.10). Tomcat implements FORM login by attaching
 principal information to the session, so when the session dies, so
 does the login.

 This is not the case with the other authentication mechanisms (BASIC
 and CLIENT-CERT): the existence of an HttpSession for a request is
 independent of the login. This is because the client sends a
 WWW-Authenticate header (for BASIC) or a client certificate (for
 CLIENT-CERT) for every request after authentication. The only way to
 terminate a BASIC login is to issue another 401 response, and the only
 way to terminate a CLIENT-CERT login is to disrupt the SSL session (I
 don't know how to do that).

 - -chris
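Added example (not part of the thread and not Tomcat's own code): a logout servlet that follows the distinction drawn in the quoted explanation above. It invalidates the HttpSession, which ends a FORM login, and answers a BASIC login with a fresh 401 challenge. The class name, REALM_NAME and AFTER_LOGOUT are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example logout endpoint for a Servlet 3.0 container such as Tomcat 7.
 * Map it to a URL of your choice in web.xml (for instance /logout.do).
 */
public class ExampleLogoutServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // Assumption: must match <realm-name> in the <login-config> of web.xml.
    private static final String REALM_NAME = "realm";

    // Assumption: a protected resource, so that the container answers the
    // redirect with the login form once the FORM login is gone.
    private static final String AFTER_LOGOUT = "/protected.html";

    // Only POST is implemented, so a plain link or image URL pointing at
    // this servlet cannot log the user out (GET is answered with 405).
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Read the auth type first: logout() resets the request's
        // authentication state.
        String authType = req.getAuthType();

        // Servlet 3.0: drop the caller identity attached to this request.
        req.logout();

        // FORM login is attached to the HttpSession, so invalidating the
        // session is what actually ends it.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Keep the logout response out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");

        if (HttpServletRequest.BASIC_AUTH.equals(authType)) {
            // With BASIC the login does not depend on the session, so the
            // only thing the application can do is issue a new challenge.
            resp.setHeader("WWW-Authenticate",
                    "Basic realm=\"" + REALM_NAME + "\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // FORM: the next request has no session and must authenticate again.
        // CLIENT-CERT: the HttpSession is gone, but the login itself is tied
        // to the SSL session and is not ended by this servlet.
        resp.sendRedirect(req.getContextPath() + AFTER_LOGOUT);
    }
}
```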
 

Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Chema
Hello:

I've got a web application running on Tomcat 7, with SSL (https) and
realm for authentication/authorization

When I invalidate() a session ( session.invalidate() ) , Tomcat
doesn't know it and thinks that user is still logged in
So, that user can get protected pages. Tomcat should return him a
login window but doesn't

If Tomcat doesn't use SSL , works fine, so I guess I'm not ending
sessions properly with SSL activated

Any example of how to do it?
Has anyone done it?


Thanks and regards




Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Chema

 Presumably, you are using CLIENT-CERT as your auth-method?

No, FORM method


 When I invalidate() a session ( session.invalidate() ) , Tomcat
 doesn't know it and thinks that user is still logged in So, that
 user can get protected pages. Tomcat should return him a login
 window but doesn't.
 SSL session != HttpSession

 You need to terminate the SSL session. See a separate thread
 SSLSession invalidate for a discussion about how this is (not) working.

Well, I don't know what I have to terminate
I only want to know what to do to inform Tomcat that a user logs out (
user clicks a Logout button )

I tried to invalidate SSL session with this code

session.invalidate();
org.apache.tomcat.util.net.SSLSessionManager mgr
=(org.apache.tomcat.util.net.SSLSessionManager)request.getAttribute("javax.servlet.request.ssl_session_mgr");
mgr.invalidateSession();
response.setHeader("Connection", "close");

but it didn't work.
Has anyone worked with realm + SSL? Anyone?

Thanks and regards




Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Chema
Here goes web.xml and servlet.xml
I will note that server.xml contains SingleSignOn because I've got two
applications which share logging

<?xml version="1.0" encoding="UTF-8"?>
<web-app>


  <!-- Authentication -->
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.server.servlet.LoginServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/login.do</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>LogoutServlet</servlet-name>
    <servlet-class>com.server.servlet.LogoutServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>LogoutServlet</servlet-name>
    <url-pattern>/logout.do</url-pattern>
  </servlet-mapping>

  <!-- Default page to serve -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ssl</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>realm</realm-name>
    <form-login-config>
      <form-login-page>/login.do</form-login-page>
      <form-error-page>/error.do</form-error-page>
    </form-login-config>
  </login-config>
</web-app>

***
<Connector connectionTimeout="2" port="8080" protocol="HTTP/1.1"
redirectPort="8443"/>
<Connector SSLEnabled="true" clientAuth="false"
keystoreFile="C:\keystore.jks" keystorePass="tomcat" maxThreads="150"
port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
sslProtocol="TLS"/>

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

<Engine defaultHost="localhost" name="Catalina">

<Realm
className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>

<Host appBase="webapps" autoDeploy="true"
name="localhost" unpackWARs="true">

<Realm className="com.realm.CustomRealm"
dataSourceName="ds_admin"
digest="SHA" roleNameCol="role" userCredCol="password"
userNameCol="email" userRoleTable="group_role_user" userTable="user"/>

<Valve
className="org.apache.catalina.authenticator.SingleSignOn"/>

<Context crossContext="true" path="/login"
reloadable="true"/>
<Context crossContext="true" path="/admin" reloadable="true" /></Host>
</Engine>


2011/9/16 Christopher Schultz ch...@christopherschultz.net:

 Chema,

 On 9/16/2011 1:25 PM, Chema wrote:

 Presumably, you are using CLIENT-CERT as your auth-method?

 No, [I am using] FORM method

 Hmm. HttpSession.invalidate() *is* the proper way to terminate a
 FORM authentication login.

 session.invalidate(); org.apache.tomcat.util.net.SSLSessionManager
 mgr
 =(org.apache.tomcat.util.net.SSLSessionManager)request.getAttribute("javax.servlet.request.ssl_session_mgr");


 mgr.invalidateSession();

 You don't need this SSL stuff. HttpSession.invalidate() ought to do
 the trick.

 response.setHeader("Connection", "close");

 This is optional, and not usually necessary.

 but it didn't work. Has anyone worked with realm + SSL? Anyone?

 This definitely works.

 Are you saying that when you use HTTP instead of HTTPS, logouts work?
 That sounds really strange.

 Please post the relevant sections of web.xml and server.xml, and be
 sure to remove any sensitive information.

 - -chris



Re: JNDI configuration with 6.0.29 Reformatted

2011-09-08 Thread Chema
       
 org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
       
 org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
       org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
       org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

Did you try to create a simple HttpServlet and run that code (lookup
method) directly in the doGet method (I mean, no Struts, no factory)?
I'm not sure this is the problem but ...

Regards




Realm SSL : issue when logout

2011-09-07 Thread Chema
Hello:

I've got a web application running on Tomcat 7.0.16
It uses realm authentication to validate users ( FORM login method
with a custom login page named login.html)
and it's secured by SSL with

<security-constraint>
  <web-resource-collection>
    <web-resource-name>ssl</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

So, if I write https://localhost:8080/protected.html, Tomcat redirects
to my login.html page to authenticate the user,
and, if it's valid, returns main.html.
All fine


The web application has got a service to implement a logout with 2 steps:

- session.invalidate()
- redirect to protected.html


Well, when I invoked the last service, I hoped that when redirecting to
protected.html, as I invalidated the session before and protected.html is
a protected resource, Tomcat would redirect my browser to login.html.
But it didn't: protected.html was returned.

If I repeat these steps without SSL configuration, Tomcat does
(redirects my browser to login.html)


What do I need to finish an SSL session so that the realm mechanism knows it?


Thanks and regards




Re: Realm SSL : issue when logout

2011-09-07 Thread Chema
Thanks but that didn't work for me

I've got

<Connector SSLEnabled="true" clientAuth="false"
keystoreFile="C:\keystore.jks" keystorePass="tomcat" maxThreads="150"
port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
sslProtocol="TLS"/>

in my server.xml

And I've created a SessionTrackingModeListener (just like the manual) and
modified web.xml with this listener

And now I finish SSL Session with

session.invalidate();
org.apache.tomcat.util.net.SSLSessionManager mgr
=(org.apache.tomcat.util.net.SSLSessionManager)request.getAttribute("javax.servlet.request.ssl_session_mgr");
mgr.invalidateSession();
response.setHeader("Connection", "close");
ServletContext context = this.getServletContext().getContext("/app");
if (context != null)
response.sendRedirect(context.getContextPath() + "/protected.html");


I hoped that login.html would be returned, but protected.html is


I don't find any doc about realm + SSL. What's wrong?

Thanks and regards




2011/9/7 Mark Thomas ma...@apache.org:
 On 07/09/2011 12:20, Chema wrote:
 Hello:

 I've got a web application running on Tomcat 7.0.16
 It uses realm authentication to validate users ( FORM login method
 with a custom login page named login.html)
 and it's secured by SSL with

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>ssl</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

 So, if I write https://localhost:8080/protected.html, Tomcat redirect
 to my login.html page to authenticate the user,
 and , if it's valid,  returns main.html.
 All fine


 The web application has got a service to implement a logout with 2 steps:

 - session.invalidate()
 - redirect to protected.html


 Well, when I invoked last service, I hoped that when redirecting to
 protected.html, as I invalidated session before and protected.html is
 a protected resource, Tomcat redirected my browser to login.html.
 But didn't : protected.html was returned.

 If I repeat this steps without SSL configuration , Tomcat does
 (redirects my browser to login.html)


 What I need to finish a SSL session and realm mechanism knows it ?

 http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Using_the_SSL_for_session_tracking_in_your_application

 Mark




Re: SSLSession invalidate

2011-09-06 Thread Chema
 how can access the SSLSession in a jsp or a servlet
 to be able to invalidate it.

Sorry, but

is there any difference between invalidating an HTTP session and an SSLSession?




Re: Get SSO ID on server

2011-08-16 Thread Chema
 How do you accomplish that? By doing this SSO sniff-and-kill-session
 thing? It seems more straightforward to expire a particular webapp's
 session explicitly and let the SSO expire along with it.
 Doesn't that mean you'll have to re-run the same query just to expire
 the sessions in the other webapps?


We've got many web applications deployed on our Tomcat.
The user goes from one to another and, from the user's point of view, he
is in only one session.
We store this 'only one session' in a database, so we use the
JSESSIONIDSSO cookie

Obviously, when a user logs out (closing the browser or clicking the logout
button), we invalidate the particular session (JSESSIONID) and the
Tomcat SSO feature is responsible for closing all the other open
sessions (as you say)

Maybe because of my bad English I didn't explain myself right

Regards




Re: j_security_check and RequestDispatcher forward

2011-08-15 Thread Chema
2011/8/15 Chen Paz chen@expand.com:

 Hi,

 I am using a servlet to intercept form based authentication in order to 
 insert attribute into the request


What parameter do you want to insert into the request ?
I don't know, but maybe you can do the same with a custom realm

Or, by using Spring Security




Re: Get SSO ID on server

2011-08-12 Thread Chema
 Why do you need a consistent ID between the two apps?

Because I'll store this ID in a record in the database.
The apps check every 60 sec whether this record exists and, if it doesn't,
perform a logout




Re: Get SSO ID on server

2011-08-12 Thread Chema
 Why bother?

 
 As soon as the user logs out of one web application (for example, by
 invalidating the corresponding session if form based login is used), the
 user's sessions in all web applications will be invalidated. Any
 subsequent attempt to access a protected resource in any application
 will require the user to authenticate himself or herself again.
 

Right.
But the application requires that an administrator can expel a
user. It's a client requirement.
So, I need to record all SSO sessions
FYI, I did it using the JSESSIONIDSSO cookie and it works fine

Thanks

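Added example (not code from the thread): a servlet filter for the approach described in the two messages above, where the JSESSIONIDSSO cookie value is recorded in a database and each application logs the user out once the record is gone. SsoRecordStore, the attribute names and the choice to key records by the SHA-256 of the cookie value (so that reading the table does not yield usable cookies) are assumptions.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SsoRecordCheckFilter implements Filter {

    /** Hypothetical DAO over the table of live SSO records. */
    public interface SsoRecordStore {
        boolean exists(String ssoIdSha256Hex);
    }

    // Assumed names. The application puts its SsoRecordStore under STORE_ATTR
    // from a ServletContextListener, which runs before filters are initialised.
    static final String STORE_ATTR = "example.ssoRecordStore";
    static final String CHECKED_AT = "example.ssoCheckedAt";
    static final long RECHECK_MILLIS = 60000L; // the 60 sec interval from the thread

    private SsoRecordStore store;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        store = (SsoRecordStore) cfg.getServletContext().getAttribute(STORE_ATTR);
        if (store == null) {
            throw new ServletException("No SsoRecordStore under " + STORE_ATTR);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);

        // Only authenticated requests are checked, at most once per interval.
        if (req.getRemoteUser() != null && session != null && isDue(session)) {
            String ssoId = cookieValue(req, "JSESSIONIDSSO");
            if (ssoId == null || !store.exists(sha256Hex(ssoId))) {
                // Record removed by the administrator: end this session.
                session.invalidate();
                res.sendRedirect(req.getContextPath() + "/");
                return;
            }
            session.setAttribute(CHECKED_AT, Long.valueOf(System.currentTimeMillis()));
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        store = null;
    }

    private static boolean isDue(HttpSession session) {
        Long last = (Long) session.getAttribute(CHECKED_AT);
        return last == null
                || System.currentTimeMillis() - last.longValue() >= RECHECK_MILLIS;
    }

    private static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies(); // null when the request has none
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (name.equals(c.getName())) {
                    return c.getValue();
                }
            }
        }
        return null;
    }

    static String sha256Hex(String value) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(value.getBytes(Charset.forName("UTF-8")));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b & 0xff));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }
}
```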



Get SSO ID on server

2011-08-11 Thread Chema
Hi:

I've configured my server.xml with

<Valve className="org.apache.catalina.authenticator.SingleSignOn"/>

and I've got two web applications deployed with Realm authentication

How can I get the SSO ID in a servlet? I want to know this ID without
the browser sending a cookie to the server.
I don't need this SSO ID to be equal to JSESSIONIDSSO. I only want to
relate two sessions (with different JSESSIONID) with only one
identifier

There is a session.getId() method, but it retrieves the session ID for each
application.
I need something like session.getSSOId()


Thanks and regards




Re: Sharing session between different webapps under same tomcat

2011-08-06 Thread Chema
Hi Ron:


 My understanding is that once these options are configured, the SAME session
 data is stored across contexts separately for each user.

Thanks for your answer, but the last section of that webpage
("Session-aware cross context data sharing") explains that:

- he's sharing data using ServletContext. Its scope is the application
scope, not the session scope.
- to make it session-aware, he creates a hashmap in application scope,
indexed by JSESSIONID

So, it's a trick: use session1's ServletContext as a global store
and access it from session2, because crossContext=true
It works, but it's a trick because it's not managed by Tomcat

 There is no need to
 do anything special - the session will be explicitly invalidated when the
 user logs out, otherwise when the session timeout is exceeded.

If I don't free resources from this hashmap manually when a session is
invalidated, Tomcat doesn't (except when restarting)
That can be a problem if you store big objects, like user information


Regards




Re: Sharing session between different webapps under same tomcat

2011-08-04 Thread Chema
 I think it is possible to share sessions across contexts. Portal
 applications need to do this. Try
 http://jee-bpel-soa.blogspot.com/2009/06/session-sharing-in-apache-tomcat.html


But this solution shares information between contexts; it does not create a
unique shared session per user (session data)

Am I wrong?





Re: Sharing session between different webapps under same tomcat

2011-08-04 Thread Chema
OK, I got it

Use context scope to store a HashMap object indexed by JSESSIONID

I guess this way you have to manually free all per-user session data
from the context when the user session is finished (for example, closing
the browser).
Or your context scope datastore could be full of information about all
users who were logged in, right?



2011/8/4 Ron McNulty rmcnu...@clear.net.nz:
 Sorry, I think you are missing something :) The session is per user across
 multiple contexts. Portlet apps are typically compiled into separate .war
 files, but can share a single session object at runtime.

 Regards

 Ron

 - Original Message - From: Chema demablo...@gmail.com
 To: Tomcat Users List users@tomcat.apache.org
 Sent: Thursday, August 04, 2011 6:39 PM
 Subject: Re: Sharing session between different webapps under same tomcat


 I think it is possible to share sessions across contexts. Portal
 applications need to do this. Try

 http://jee-bpel-soa.blogspot.com/2009/06/session-sharing-in-apache-tomcat.html


 But this solution shares information between contexts , not creates an
 unique shared session per user (session data)

 am i wrong ?

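Added example (not from the thread or the linked blog post): one way to keep the context-scoped map discussed above from filling up with data of finished sessions, by removing the entry when the container destroys the session. The class name, STORE_ATTR and the helper methods are assumptions; register the class with a listener element in the web.xml of the webapp that owns the data.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SharedStoreListener
        implements ServletContextListener, HttpSessionListener {

    // Assumed attribute name for the application-scoped map.
    public static final String STORE_ATTR = "example.sharedStore";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Keys and values are JDK types only: classes loaded by one webapp
        // cannot be cast in another webapp, which has its own class loader.
        sce.getServletContext().setAttribute(STORE_ATTR,
                new ConcurrentHashMap<String, String>());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        sce.getServletContext().removeAttribute(STORE_ATTR);
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do: entries are added explicitly with put().
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Called on invalidate() and on timeout, so the entry goes away
        // without the application having to remember to free it.
        HttpSession session = se.getSession();
        ConcurrentMap<String, String> store = storeOf(session.getServletContext());
        if (store != null) {
            store.remove(session.getId());
        }
    }

    /** Stores a value for the given session in the owning webapp. */
    public static void put(HttpSession session, String value) {
        ConcurrentMap<String, String> store = storeOf(session.getServletContext());
        if (store != null) {
            store.put(session.getId(), value);
        }
    }

    /**
     * Reads a value from another webapp. getContext() returns null unless
     * the calling Context is configured with crossContext="true".
     */
    public static String lookup(ServletContext caller, String ownerContextPath,
            String ownerSessionId) {
        ServletContext owner = caller.getContext(ownerContextPath);
        if (owner == null) {
            return null;
        }
        ConcurrentMap<String, String> store = storeOf(owner);
        return store == null ? null : store.get(ownerSessionId);
    }

    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, String> storeOf(ServletContext ctx) {
        return (ConcurrentMap<String, String>) ctx.getAttribute(STORE_ATTR);
    }
}
```

The map key is a session ID, so it should be handled like a credential and kept out of logs and error pages.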



How does it get the URL forwarded to realm ?

2011-08-02 Thread Chema
Hi:

I've got Tomcat 7.0.16 and I'm using realm
authentication/authorization mechanism , via FORM method.

I'd like to store in user session the URL accessed and forwarded to
realm authentication.
An example of URL could be

http://localhost:8080/myapp/protected/file.properties

I tried to configure my web.xml to invoke a servlet before the login page is returned

<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/error</form-error-page>
</form-login-config>

Also, I tried to configure filters.

But I don't know where to find the original URL

Any solution ?


Thanks and regards




Re: How does it get the URL forwarded to realm ?

2011-08-02 Thread Chema

 Why? What problem are you trying to solve?


Well, I'm invoking j_security_check with an asynchronous RPC call.
If I use an HTML form with action = j_security_check, Tomcat performs
the redirection after authenticating the user, as you said,

But I need to implement it with an asynchronous RPC call.
So, my idea is to load into a user session attribute the protected resource
accessed ( http://localhost:8080/myapp/protected/file.properties )

When Tomcat returns to my asynchronous RPC call, I can determine whether
the user was authorized or not by checking the header status code.
And if the user was authorized, perform a new call to RedirectService,
which reads the user session attribute
(http://localhost:8080/myapp/protected/file.properties ) and returns
it to the browser for redirection.

I know all these steps have an additional call to the server to perform
the redirection, but I'm trying to integrate asynchronous RPC calls from
GWT with Tomcat's realm

Thanks and regards




Re: HOW TO: re-deploy or undeploy a webapp when additional files are added after initial deployment

2011-08-01 Thread Chema
 If anyone has any suggestions on how we can add files into the exploded 
 webapp structure and still perform undeploy/re-deploy of our webapp, I would 
 greatly appreciate it.  Or, if there's a way to tell tomcat to completely 
 remove the directory - regardless of additional files/directories, that would 
 probably work, too.


Eclipse Helios' plugins to deploy web applications work fine for me.
You can try Eclipse IDE for Java EE Developers.

When I change any file deployed , it's automatically republished. And
you can clean work folders from IDE.




Re: HOW TO: re-deploy or undeploy a webapp when additional files are added after initial deployment

2011-08-01 Thread Chema
2011/8/1 Bob DeRemer bob.dere...@thingworx.com:
 Thanks, but I need to do this in a production environment, where we're 
 deploying/re-deploying a WAR and there is no eclipse IDE.  In addition, I am 
 dynamically adding extensions to our webapp without having to restart our 
 webapp, which is what republishing from Eclipse does.

OK.
I'm not an expert and I cannot say much about this tool, but you
could have a look at LiveRebel

http://www.zeroturnaround.com/liverebel/

But it's not free




Re: Finding user name without authentication

2011-07-27 Thread Chema
2011/7/27 Vibhor Kumar Agarwal vibhor_agarwa...@rediffmail.com:

 Does the web server know the login id of windows?

 Thanks in advance.

Windows OS ?
You can look at

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Strange behaviour (or bug) with realm + browser tabs in Tomcat 7

2011-07-25 Thread Chema
Hi:

I'm seeing strange behaviour when using a realm in Tomcat 7 (7.0.16)
with browser tabs
My web app has some resources protected (with the security-constraint
tag in web.xml) by a realm.
I'm using the FORM method in the auth-method tag. So, I've got my own login page:

<html>
<form method='post' action='j_security_check'>
<input type='text' name='j_username'>
<input type='password' name='j_password'>
<input type='submit' name='send'>
</form>
</html>


Steps:

1) I open a tab in my browser and access to a protected resource

http://localhost:8080/myapp/protected/file_one.properties

So, login page is shown

2) I open a new tab in the browser and access to another protected resource

http://localhost:8080/myapp/protected/file_two.properties

So, login page is shown


3) Back to the first tab, and authenticate with a valid user. The resource
shown is file_two.properties (??)

4) Go to the second tab, and authenticate with the same valid user (or
another valid user) and an error happens

State HTTP 404 - /myapp/j_security_check


I know that the session is shared between tabs but I think there are two
rare results:

- on step 3, a different resource than the one requested is returned.
- on step 4, a 404 error is returned

If this is the right behaviour, how can I prevent a user from
performing these steps?


Thanks




Re: Strange behaviour (or bug) with realm + browser tabs in Tomcat 7

2011-07-25 Thread Chema
 The behaviour is correct. You can't stop it.

 Mark

Thanks for your answer.
But,
is it right according to the specs or according to Tomcat?

I can understand the step 3 behaviour because the last resource
requested by the session is returned (although the user doesn't understand that
two tabs are the same session)
But I would like to avoid 404 errors

Regards




Init HTTP session during realm authentication stage

2011-07-18 Thread Chema
Hi all:

I'm using the realm tool for user authentication on Tomcat 7.

I've made a custom realm overriding the authenticate() method of the
DataSourceRealm class.
And all works fine.

But I would like to initialize the HTTP session at this stage with user data.
My custom authenticate() method queries user data to check whether the user
exists or not, and I wouldn't like to have to call another service to
perform the same query.

Is this possible? Any ideas?

Thanks and regards




Re: Init HTTP session during realm authentication stage

2011-07-18 Thread Chema
2011/7/18 chris derham ch...@derham.me.uk:

 Couldn't you just implement HttpSessionListener?

 Chris


Yes, could be useful  :-)

Thanks




Re: Init HTTP session during realm authentication stage

2011-07-18 Thread Chema
2011/7/18 Chema demablo...@gmail.com


 Yes, could be useful  :-)

 Thanks


I guess it's not as useful as I thought :-/

The reason is that the HttpSessionListener.sessionCreated method is
always invoked when the Tomcat server receives the first request.
The session is not created by the realm code when the user is validated.

Now I'm trying to use filters. When the realm code validates a user,
it redirects to the protected resource. If I can filter this redirection and
load user data into the session, I think that could work.

Thanks
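
The filter approach described in the message above, as an added example that is not part of the original thread or Tomcat's own code. The names UserSessionInitFilter, UserProfile, loadProfile and the "userProfile" attribute are hypothetical, and the lookup is assumed to run once per session after the container has authenticated the request.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: fills the session with user data once the container
// (realm + FORM authenticator) has already authenticated the request.
@WebFilter("/*")
public class UserSessionInitFilter implements Filter {
    static final String ATTR = "userProfile";           // hypothetical attribute name

    // Hypothetical holder; Serializable so the session can be persisted.
    public static class UserProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        final String username, displayName;
        UserProfile(String username, String displayName) {
            this.username = username; this.displayName = displayName;
        }
    }

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal principal = http.getUserPrincipal();   // set by the container, not by the client
        if (principal != null) {
            HttpSession session = http.getSession();
            Object cached = session.getAttribute(ATTR);
            // Load on the first authenticated request, and reload if the cached
            // data belongs to a different user than the current principal.
            if (!(cached instanceof UserProfile)
                    || !((UserProfile) cached).username.equals(principal.getName())) {
                session.setAttribute(ATTR, loadProfile(principal.getName()));
            }
        }
        chain.doFilter(req, res);                        // unauthenticated requests pass through
    }

    // Stand-in for the application's lookup (for instance the same DataSource
    // the realm uses); returns constructed sample data here.
    static UserProfile loadProfile(String username) {
        return new UserProfile(username, "Sample User (" + username + ")");
    }
}
```

Keying the lookup to getUserPrincipal() rather than to the submitted j_username keeps the session data tied to the identity the realm actually verified.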




Access to manager webapp (JAAS exception)

2011-07-01 Thread Chema
Hi:

I've just installed (unzipped) Tomcat 7.0.14 and I'm trying to
access the manager web application.

So,

http://127.0.0.1:8080/manager/html

and a browser login form pops up.

My conf/tomcat-users.xml is

<tomcat-users>
 <role rolename="manager-gui"/>
 <user username="tomcat" password="tomcat" roles="manager-gui"/>
</tomcat-users>


But, when I try to log in, an exception occurs:

01-jul-2011 16:10:51 org.apache.catalina.realm.JAASRealm authenticate
java.lang.SecurityException:
at com.sun.security.auth.login.ConfigFile.init(Unknown Source)


Why? My server isn't configured to use JAAS.
Indeed, conf/server.xml has

 <GlobalNamingResources>
   <Resource auth="Container"
     factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
     name="UserDatabase" pathname="conf/tomcat-users.xml"
     type="org.apache.catalina.UserDatabase"/>
 </GlobalNamingResources>

Any ideas?

Thanks and regards




Re: Access to manager webapp (JAAS exception)

2011-07-01 Thread Chema
2011/7/1 Mark Thomas ma...@apache.org:
 On 01/07/2011 15:22, Chema wrote:
 Hi:

 I've just installed ( unzipped ) Tomcat 7.0.14 and I'm trying to
 access to manager web application.

 What else did you change?



I think nothing.
There is a log entry when the server starts that I don't understand:

01-jul-2011 17:23:55 org.apache.catalina.realm.JAASRealm setContainer
INFO: Set JAAS app name Catalina

Any idea?

I've downloaded the 7.0.16 release and this log doesn't occur when the server starts.
I don't know if I changed something on the former installation (7.0.14) ...


Thanks








 Mark

