Re: Expression Language in JSP and JasperException

2007-02-20 Thread Eric Haszlakiewicz
On Tue, Feb 20, 2007 at 03:23:32PM -0500, David Smith wrote:
> Ok, forgive me now, but this is getting confusing.  Where does
> result come into this picture?  Were you expecting actionBean to be an
> instance of a different class?  You aren't offering a lot to go on here.

That's what it sounds like to me:

> Piotr Kiraga wrote:
> > The problem is that there could be a class that has no property with
> > name result. In another case there could be another class (bean) that
> > has such property (then of course it works fine, but in the first case
> > Tomcat throws exception).

I actually have some jsp code that does stuff like this, but in my case
there is a type property that each object has.  I check that and do
the appropriate thing.
If you want to hard code a class name in your jsp page, you can just use
${foo.class.name} to figure out what type of object you have.

Or, if you want to get really crazy you could loop over ${foo.class.methods}
checking if there's a method named getResult.

But, you'd probably be better off figuring out a way to ensure the objects
you're working with have a result property.

eric

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Web spiders - disabling jsessionid

2006-12-03 Thread Eric Haszlakiewicz
On Fri, Dec 01, 2006 at 04:50:02PM -0500, Christopher Schultz wrote:
> Mikolaj Rydzewski wrote:
> > Caldarale, Charles R wrote:
> > > That contradicts what Len said about his site:
> > >
> > > > On my site (as on many others) you can browse the site without a
> > > > session, but if you want to log in (to add content or to use
> > > > personalized settings) you need a session.
> >
> > I can't believe you don't get it ;-) One can browse the site without a
> > session (read: not using a session already provided by the container),
> > but after login you simply start using a session (i.e. to store user
> > context object).
>
> Right. You said after login. I'm imagining that googlebot doesn't
> login to your site. Therefore, there's no need for a session to be
> created at all.
>
> Perhaps you are using a bunch of JSPs that do not have 'session=false'
> explicitly configured in them, and they are therefore creating a session
> for you implicitly (thus, the jsessionid in the generated URLs).

I wouldn't be surprised if he wasn't using session=false, since tomcat
makes it _very_ hard to write pages that work with that.  ANY reference to
a session object, even if it would never be accessed (e.g. inside a
<c:if test="false">) causes tomcat to throw an error.
I was trying to do the same thing wrt removing the jsessionid, although
to make a link checker work better, rather than for google.  I ended up
using session=false on all my (non logged in) pages, but to do so I had to
write a Filter to create my own session map object in request scope (using
a custom EnumeratedMap class) and then change ALL references to session
in my jsp pages to ss_session (the custom object).

> Perhaps that is the /quickest/ solution, but I would argue that the best
> solution is not to create a session if you don't actually need one.

heh.  yeah, not creating the session is definitely NOT the quickest way. :)

eric




Re: StandartSession.accessCount bug?

2006-10-31 Thread Eric Haszlakiewicz
On Tue, Oct 31, 2006 at 08:38:37AM -0500, Christopher Schultz wrote:
> Also, did your +50ns figure mean that the /overhead/ was +50ns, or that
> waiting for the other thread to release the lock (which would include
> execution of the method itself) took 50ms longer. Since those threads
> cannot really run concurrently due to the synchronization, your timing
> should be affected by that fact, instead of merely the added overhead.

uh.. I read that as 50 _m_s, not ns.  

eric




Re: permission on server.xml

2006-10-29 Thread Eric Haszlakiewicz
On Sun, Oct 29, 2006 at 02:33:31PM -0600, Caldarale, Charles R wrote:
> > I mean with a jsp code you can see/write file can a user
> > write outside the webapps defined in the server.xml?
>
> Certainly code in a .jsp or servlet can read or write anywhere that
> Tomcat's userid is allowed to (subject to JVM security policies, of
> course).  Anyone stupid enough to put code in a webapp that allows end
> users to read or write in arbitrary locations deserves what they get.

Charles, you're missing his point.  His user is not a website user, it's
a _tomcat_ user.  I.e. someone that is allowed to deploy an application on
the app server.

> > From: mast [mailto:[EMAIL PROTECTED]
> > Subject: Re: permission on server.xml
> > i ask this because i have already a server with customer
> > that with a simple jsp code write file into the conf or
> > bin directory (and the user was under a webapps)

You probably need to run a separate tomcat instance for each customer.

eric




Re: Apache with Windows 98

2006-10-28 Thread Eric Haszlakiewicz
On Fri, Oct 27, 2006 at 02:21:06PM +0800, Eric wrote:
> i wanna avoid this problem too but i am a student now having my internship
> to do my Final Year Project. so there is no choice because i got a PC that
> is running on Windows98. so what to do. i have to live with it and find
> solutions to work it out.  =)
> this computer is running on 128mb ram. do u even think it's possible to run
> apache tomcat? would it hang?
> thanks a lot for the info. i will think abt it.

You can always install a modern OS, such as NetBSD or (some variant of) Linux.

eric




Re: Platform list

2006-09-25 Thread Eric Haszlakiewicz
On Mon, Sep 25, 2006 at 01:19:58PM -0500, Caldarale, Charles R wrote:
> > From: David Kerber [mailto:[EMAIL PROTECTED]
> > Subject: Platform list
> >
> > I just looked, but couldn't find the list of supported platforms for
> > tomcat 5.5.x.  I'm specifically looking to see if it will run ok on a
> > Fedora core 4 server.
>
> Tomcat is pure Java; ergo, if your platform supports Java 1.4 or newer,
> it will run.

Isn't there some new feature with native APR code being used for something?

eric




Re: Putting tomcat on Mainframe running z/OS

2006-09-11 Thread Eric Haszlakiewicz
On Mon, Sep 11, 2006 at 02:26:24PM -0700, Kevin Mullin wrote:
> Does anyone have experience in porting tomcat (I'm using version
> 5.5.17) to a mainframe system that is running z/OS operating system
> software?  I'd appreciate getting any kind of 'heads up' information.
> I'm just in the process of downloading it and putting it there, but
> if anyone has experience doing this, I'd appreciate a response to this
> telling me of that.

I found a few references to doing that while I was looking for something
else, so I don't actually have any experience doing it, but try google'ing
for:
tomcat z/OS under an hour

eric




Re: configuration setting to disable URL sessions?

2006-09-09 Thread Eric Haszlakiewicz
On Thu, Sep 07, 2006 at 06:33:41PM -0400, Chetan Sabnis wrote:
> Is there a way to disable the Tomcat server (5.5) from accepting
> sessions that are sent in the URL using jsessionid?  This would be
> useful in preventing certain session fixation attacks.  Basically, I
> would want sessions to be accepted only if they are sent using a
> cookie.
>
> Specifically, I am concerned about the following scenario:
>
> 1) Attacker sends a simple HTTP Get to server
> (http://www.example.com/test).  The server returns a response with a
> Set-Cookie header for JSESSIONID.  Say that this cookie value is 1234.
> 2) Attacker sends victim a link of the form
> http://www.example.com/test;jsessionid=1234
> 3) Victim clicks the link.  The server accepts that its session with
> the victim is 1234 since it is a valid session.
> 4) Victim authenticates to the site (presuming that jsessionid is
> preserved in all interactions with the webapp)

4a) site login action calls session.invalidate() followed by
 request.getSession() to get a new session to defeat this attack.

> 5) Attacker can impersonate victim since the attacker knows the
> session id of the victim.

Or, you could write a filter that checks request.isRequestedSessionIdFromURL()
and invalidates the session if it is.  btw, if there is a cookie set, that
overrides anything provided in the url.

eric




Re: Retrieve certain session data inside a servlet

2006-06-02 Thread Eric Haszlakiewicz
On Fri, Jun 02, 2006 at 11:15:03AM +0200, Carlos Alonso Vega wrote:
> Bob,
>
> Thanks for the reply. My problem is that the session info I need is not
> of the session that makes the request. I need to check other sessions in
> the same context.  I can use the request because it is in the same
> context, so the manager is the same.
>
> This servlet is called internally from the app, and checks if some
> session exists. It is similar to the case of obtaining all active
> sessions from one context using the manager inside the servlet code
> (findSessions). If someone has this piece of code (or similar), it will
> serve me.

To do something like that you need to do it yourself.  i.e. store a
HashTable in the application context, then add and remove sessions to
it when people login and logout, or at some other convenient time.
Of course, this assumes your app isn't running in a distributed environment.
If it is, then it's impossible to get a session object from a different
JVM.  (well, you could serialize it and transfer the data, but it won't
be the same object and it won't be useful for much other than extracting
some info)

eric
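The application-scope table Eric describes, as an added example (my code, not from the thread and not a Tomcat API). It keys entries by login name rather than by session id, so the calling servlet never has to handle raw ids, and it registers an HttpSessionListener so an entry disappears when the container expires the session, not only on an explicit logout; without that, timed-out sessions would sit in the map forever. SessionRegistry and its method names are my own.

```java
// Added example: registry of live sessions per login name, kept in the
// ServletContext, kept current by the container's session lifecycle events.
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionRegistry implements HttpSessionListener {

    /** Attribute under which the shared map lives in the ServletContext. */
    private static final String REGISTRY = SessionRegistry.class.getName() + ".map";
    /** Session attribute recording which user the session was bound to. */
    private static final String USER = SessionRegistry.class.getName() + ".user";

    /** Fetches the map shared by the whole context, creating it on first use. */
    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, HttpSession> registry(ServletContext ctx) {
        synchronized (ctx) {
            ConcurrentMap<String, HttpSession> map =
                (ConcurrentMap<String, HttpSession>) ctx.getAttribute(REGISTRY);
            if (map == null) {
                map = new ConcurrentHashMap<String, HttpSession>();
                ctx.setAttribute(REGISTRY, map);
            }
            return map;
        }
    }

    /**
     * Call on successful login. Returns the user's previous live session, if
     * any, so the caller can invalidate it (one active login per user) or
     * leave it alone, as the application's policy dictates.
     */
    public static HttpSession bind(HttpSession session, String username) {
        session.setAttribute(USER, username);
        return registry(session.getServletContext()).put(username, session);
    }

    /** Call on logout; also invoked by the listener on expiry. Only removes the
     *  entry if it still points at this session, so a newer login is not lost. */
    public static void unbind(HttpSession session) {
        String user = (String) session.getAttribute(USER);
        if (user != null) {
            registry(session.getServletContext()).remove(user, session);
        }
    }

    /** The original poster's question: is there a live session for this user? */
    public static HttpSession find(ServletContext ctx, String username) {
        return registry(ctx).get(username);
    }

    public void sessionCreated(HttpSessionEvent ev) { }

    /** Fired on invalidate() and on timeout, so stale entries cannot accumulate. */
    public void sessionDestroyed(HttpSessionEvent ev) {
        unbind(ev.getSession());
    }
}
```

Register the class with a listener element in web.xml, call bind() from the login action and unbind() from logout, and the internal servlet can answer its question with find(getServletContext(), username). As Eric says, this only works within one JVM: in a distributed setup the map would hold sessions local to this node only.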




Re: Easy Tomcat Linux/Unix Platform

2006-05-01 Thread Eric Haszlakiewicz
On Sun, Apr 30, 2006 at 10:03:49AM -0400, Mark Thomas wrote:
> When starting a new thread (ie sending a message to the list about a
> new topic) please do not reply to an existing message and change the
> subject line. To many of the list archiving services and mail clients
> used by list subscribers this makes your new message appear as part
> of the old thread. This makes it harder for other users to find
> relevant information when searching the lists.
>
> This is known as thread hijacking and is frowned
> upon on this list. Frequent offenders will be removed from the list.
> It should also be noted that many list subscribers automatically
> ignore any messages that hijack another thread.
>
> The correct procedure is to create a new message with a new subject.
> This will start a new thread.

What would be really nice is if the digest emails included the
In-Reply-To header on the individual pieces, so my mail software
could actually piece together the threads in the correct way.
Right now all it has to go on is the subject, which doesn't always work.

eric




Re: is there a possibility to define the startup order for webapps?

2006-04-24 Thread Eric Haszlakiewicz
On Mon, Apr 24, 2006 at 11:20:54AM -0400, David Smith wrote:
> This question comes up every so often and the answer is always no. The
> webapp load order cannot be relied upon. In your case, might I suggest
> the database webapp be run on a separate instance of tomcat?  Can the
> connection be done via TCP/IP?

eh?  I thought that's what the load-on-startup element in a web.xml's
servlet element does.  Or does that not take effect across web applications?

eric




Re: Form login UTF-8 username problem

2006-03-06 Thread Eric Haszlakiewicz
> Daniel Blumenthal [EMAIL PROTECTED] wrote:
> As a security concern, you might not want to allow full UTF-8 usernames.
> There are a number of invisible characters (from the soft hyphen to various
> connector characters) which people can use to spoof other users' names.

On Sun, Mar 05, 2006 at 07:09:52PM -0800, Dave wrote:
> Hi Daniel,
>
> I am not quite understanding. Is it a security hole?
> User needs a username and password to login to the web application.

It _can_ be a security hole, but it does not necessarily _have_ to be
one.  It certainly can make things a bit trickier to get right.

The problem is that two usernames that are actually different can
_look_ the same.  For example, say you are looking at two usernames, both
of which appear on your screen as joe-bob.  It is possible that one of
them uses an actual ascii hyphen character, while the other uses the
unicode soft-hyphen.
This can lead to all sorts of problems.  e.g. let's say joe-bob (the
soft-hyphen one) sends you a message through your web-app (thus supposedly
proving he is authorized to ask) asking you to cancel his account.
You go and type joe-bob (with an ascii hyphen) into your delete-a-user
form and end up deleting the wrong user.

eric
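A canonicalisation step that keeps the two joe-bob names apart before either reaches the user table, as an added example (my code, not from the thread). It normalises to NFKC and rejects format, control, separator and combining code points, which covers the soft hyphen; UsernamePolicy and its method names are my own, and java.text.Normalizer needs Java 6 or later.

```java
// Added example: reject usernames containing invisible or layout-only code
// points, and compare names only in their canonical form.
import java.text.Normalizer;

public final class UsernamePolicy {

    /** Thrown when a name contains a code point that another name could hide behind. */
    public static class BadUsername extends IllegalArgumentException {
        public BadUsername(String msg) { super(msg); }
    }

    /**
     * Returns the form to store and compare, or throws BadUsername.
     * Rule 1: NFKC so compatibility variants collapse to one spelling.
     * Rule 2: refuse code points that render as nothing or only affect layout:
     *         format characters (U+00AD SOFT HYPHEN is one), controls,
     *         unassigned and private-use code points, separators, combining marks.
     */
    public static String canonical(String raw) {
        String name = Normalizer.normalize(raw, Normalizer.Form.NFKC);
        for (int i = 0; i < name.length(); ) {
            int cp = name.codePointAt(i);
            switch (Character.getType(cp)) {
                case Character.FORMAT:
                case Character.CONTROL:
                case Character.UNASSIGNED:
                case Character.PRIVATE_USE:
                case Character.LINE_SEPARATOR:
                case Character.PARAGRAPH_SEPARATOR:
                case Character.SPACE_SEPARATOR:
                case Character.NON_SPACING_MARK:
                case Character.ENCLOSING_MARK:
                case Character.COMBINING_SPACING_MARK:
                    throw new BadUsername(String.format(
                        "invisible or layout code point U+%04X at index %d", cp, i));
                default:
                    break;
            }
            i += Character.charCount(cp);
        }
        return name;
    }

    /** Every lookup (login, the delete-a-user form, messaging) goes through this. */
    public static boolean sameUser(String a, String b) {
        return canonical(a).equals(canonical(b));
    }

    public static void main(String[] args) {
        String ascii = "joe-bob";        // U+002D HYPHEN-MINUS
        String soft  = "joe\u00ADbob";   // U+00AD SOFT HYPHEN: looks the same on screen
        System.out.println("accepted: " + canonical(ascii));
        try {
            canonical(soft);
        } catch (BadUsername e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Apply canonical() once at registration and store the result, then route every later lookup through the same function; the delete-a-user form in Eric's example then cannot be pointed at a different account than the one that sent the message. This check covers invisible characters only; look-alike letters from different scripts are a separate problem that needs a mixed-script rule on top.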




Re: JSP with use beans calls do not work

2006-02-27 Thread Eric Haszlakiewicz
On Sat, Feb 25, 2006 at 05:04:18PM -0300, Claudio Veas wrote:
> Hello list, I'm really new to tomcat, I have the following problem
> recently. I tried to resume my practices on JSP on my tomcat server but
> I seem to have a problem and I do not know what it is. Every time I try
> to run a JSP with a usebean it shows me this error
>
> org.apache.jasper.JasperException: /colors/controlguardo.jsp(1,1)
> org.apache.jasper.compiler.DefaultErrorHandler.jspError

Check to make sure there isn't another, more descriptive exception either
before or after that one.  If that's really the only error you see in the
logs, then you might want to wrap your entire jsp page in a <c:catch> tag
(or <% try { %> and <% } catch (Exception e) { ... } %> code).
Tomcat sucks at logging certain types of errors, so if you print out
the exception manually you might get some more insight as to what the
actual problem is.

eric





Re: turning off sessions

2006-02-09 Thread Eric Haszlakiewicz
On Wed, Feb 08, 2006 at 12:14:36AM +0100, Ed wrote:
> Yep, JSPs automatically create sessions (part of the JSP spec certainly).
>
> To turn session off
> put <%@ page session="false" %> in your JSP.
>
> Beware, that web frameworks such as struts may also create sessions for
> other purposes (eg, storing the locale).
> you may also turn this off

also beware that tomcat makes it _extremely_ hard to share content
between jsp pages that have session=false and those that don't.  Even if
you try to wrap the access to the session scope in an if statement, tomcat
will refuse to compile the jsp file.  The closest I could get was a tag
file that contained this:
<c:if test="<%= ((PageContext)jspContext).getSession() != null %>">
<c:set var="optScope" value="<%= org.apache.commons.el.ImplicitObjects.createSessionScopeMap((PageContext)jspContext) %>"/>
</c:if>

But even that fails because the getSession() call always returns null,
even if there is a session, if the including page has session=false.

I really wish there was a session=use_it_if_its_there option.

eric
