RE: Can't start Tomcat in debug mode

2018-07-16 Thread Sebastian Trost
-Original Message-
From: Désilets, Alain  
Sent: Monday, July 16, 2018 1:45 PM
To: Tomcat Users List 
Subject: Can't start Tomcat in debug mode

> I am unable to start Tomcat in debug mode. I have searched and see that lots 
> of people are having similar issues. I tried all the fixes that were proposed 
> and none of them seem to work.

> Here is what I have at the moment.

> I have a file /Library/Tomcat/bin/setenv with the following content
> # Trying to start Tomcat in debug mode...
> #
> # 
> CATALINA_OPTS="-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n"
> JPDA_ADDRESS=8000
> JPDA_TRANSPORT=dtsocket
> JPDA_SUSPEND=n

Shouldn't it be "JDPA_TRANSPORT=dt_socket" - with the underscore?

Regards
Sebastian

[snip]


RE: Mapping role names to groups

2017-10-04 Thread Sebastian Trost
-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Wednesday, October 04, 2017 11:14 AM
To: users@tomcat.apache.org
Subject: Re: Mapping role names to groups

> On 04.10.2017 10:20, Sebastian Trost wrote:
>> -Original Message-
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Tuesday, October 03, 2017 4:10 PM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Mapping role names to groups
>>
>> On 03/10/17 14:01, Sebastian Trost wrote:
>>>> Hi!
>>>>
>>>> I was looking for a way to map security role names from tomcat to LDAP 
>>>> groups. I found an old thread from August 2009 with the exact problem in 
>>>> which Christopher Schultz recommended to write a servlet filter or valve 
>>>> to do that.
>>>>
>>>> Original mail: 
>>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>>>> Response from Christopher Schulz: 
>>>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>>>>
>>>> It has now been eight years and I'm wondering if there is still no other 
>>>> solution than this?
>>
>>> security-role-ref ?
>>
>> AFAIK, <security-role-ref> is only valid within the <servlet> element. 
>> Therefore, it doesn't work with JSPs or filters which are not servlets.
>>

> Isn't a JSP page ultimately translated into a servlet ?


I don't know. You tell me! ;)
My knowledge is very limited and as far as I know, you can have servlets but 
also standalone JSP files (which still can use isUserInRole()). While adding 
the <security-role-ref> tag to the <servlet> element works with the servlet, it 
doesn't work with the standalone JSP file. 

Example:

Authentication and authorization is done with LDAP.
Due to company policy the admin-role must be named "company-application-admin". 
The application has one servlet named FooServlet and one JSP file called 
importantLegacyJsp.jsp.

In the web.xml the admin role is defined like this:


<security-role>
   <description>Application admin role</description>
   <role-name>admin</role-name>
</security-role>


Also in the web.xml the servlet is defined like this:


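<servlet>
   <servlet-name>FooServlet</servlet-name>
   <servlet-class>com.vendor.app.servlet.FooServlet</servlet-class>
   <security-role-ref>
      <role-name>admin</role-name>
      <role-link>company-application-admin</role-link>
   </security-role-ref>
</servlet>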



Calling request.isUserInRole("admin") inside the servlet FooServlet will return 
"true", because of the security-role-ref element inside the 
servlet-element. Everything works fine and as intended. The user then opens 
importantLegacyJsp.jsp which also calls request.isUserInRole("admin"). Now that 
method will return false, because the mapping is only defined inside the 
servlet element. 

It seems that there doesn't exist a way to make that work without creating a 
custom realm. 

Regards
Sebastian Trost




RE: Mapping role names to groups

2017-10-04 Thread Sebastian Trost
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Tuesday, October 03, 2017 4:10 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Mapping role names to groups

On 03/10/17 14:01, Sebastian Trost wrote:
>> Hi!
>> 
>> I was looking for a way to map security role names from tomcat to LDAP 
>> groups. I found an old thread from August 2009 with the exact problem in 
>> which Christopher Schultz recommended to write a servlet filter or valve to 
>> do that. 
>> 
>> Original mail: 
>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
>> Response from Christopher Schulz: 
>> http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E
>> 
>> It has now been eight years and I'm wondering if there is still no other 
>> solution than this?

> security-role-ref ?

AFAIK, <security-role-ref> is only valid within the <servlet> element. 
Therefore, it doesn't work with JSPs or filters which are not servlets. 

Regards
Sebastian Trost

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Mapping role names to groups

2017-10-03 Thread Sebastian Trost
Hi!

I was looking for a way to map security role names from tomcat to LDAP groups. 
I found an old thread from August 2009 with the exact problem in which 
Christopher Schultz recommended to write a servlet filter or valve to do that. 

Original mail: 
http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3C1249556542.8225.6.camel@habanero%3E
Response from Christopher Schulz: 
http://mail-archives.apache.org/mod_mbox/tomcat-users/200908.mbox/%3c4a7af405.7090...@christopherschultz.net%3E

It has now been eight years and I'm wondering if there is still no other 
solution than this? 

Regards
Sebastian Trost




RE: How to cancel download on the server side

2016-05-30 Thread Sebastian Trost
Hi,

We had a similar problem. We just added a "preparation" step before the actual 
download. 

1. User clicks on "request download" link 
2. jQuery sends a request to servlet and instructs it to prepare the download 
3. Meanwhile the request download link has been changed with Javascript to 
"preparing download..." 
4. jQuery periodically asks the servlet if the download is ready or if the 
preparation has failed
5. If it is ready, the "preparing download..." is replaced by "download file" - 
if it has failed, an error message would be displayed

This of course will only work if the client supports Javascript. But even if it 
doesn't you can work with HTTP reloads and/or redirects and using unique IDs to 
identify your client and their download.

Best Regards
Sebastian Trost

-Original Message-
From: Steffen Heil (Mailinglisten) [mailto:li...@steffen-heil.de] 
Sent: Sunday, May 29, 2016 8:08 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: How to cancel download on the server side

Hi


I am streaming a huge file from a servlet to the browser.
It can easily be multiple gigabytes.

Currently the data is prepared on the server, stored in a file and then sent to 
the client with a "Content-Disposition: attachment" header, so the browser 
handles it as a download. After the transfer the file is immediately deleted.

This kind of works but has two big disadvantages:
1. The client has to wait a long time until the first byte is transferred. I am 
afraid I could run into browser (or generic client) timeouts.
2. I need a lot of storage on the server.

The data I have could easily be streamed directly to the client without storing 
it on the server at all.
I would not know the precise size of the data in advance, but it could be 
transferred using "Transfer-Encoding: chunked" so this would not be a problem.

My problem is that if anything goes wrong while creating the data I have no way 
to notify the client, as the response headers were already sent way before.
So I am looking for a way to cancel the download from the server side and 
letting the client know that something went wrong.
Simply stopping sending data is not enough, the client needs to know that the 
data is incomplete. 

Probably the only way to do that would be to abruptly disconnect the http(s) 
connection without completing the download using a "0\r\n" end marker.

So my questions are:
1. How can I force tomcat to disconnect a client like that?
2. Has anyone here tried anything like that before? What client side 
reactions did you notice?


Best regards,
  Steffen
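
The server side of the five-step "prepare, poll, then download" flow from the reply above, as an added example that is not code from either poster. The class and method names are hypothetical, and it assumes the servlet passes in the caller's session id so that the "unique IDs" are both unguessable and bound to the client that requested the download.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.*;

public class DownloadJobs {
    public enum State { PREPARING, READY, FAILED, UNKNOWN }

    private static final class Job {
        final String owner;        // session that requested the download
        final Future<Path> file;   // completes when the file is fully written
        Job(String owner, Future<Path> file) { this.owner = owner; this.file = file; }
    }

    private final Map<String, Job> jobs = new ConcurrentHashMap<>();
    private final ExecutorService pool = Executors.newFixedThreadPool(2);
    private final SecureRandom random = new SecureRandom();

    // Step 2: start the preparation and return an unguessable id for polling.
    public String prepare(String sessionId, Callable<Path> work) {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        jobs.put(id, new Job(sessionId, pool.submit(work)));
        return id;
    }

    // Step 4: answer to the periodic poll. An unknown id and another
    // session's id look the same, so ids cannot be probed.
    public State status(String sessionId, String id) {
        Job job = jobs.get(id);
        if (job == null || !job.owner.equals(sessionId)) return State.UNKNOWN;
        if (!job.file.isDone()) return State.PREPARING;
        try {
            job.file.get();
            return State.READY;    // step 5: client shows "download file"
        } catch (Exception e) {
            return State.FAILED;   // step 5: client shows an error message
        }
    }

    public void shutdown() { pool.shutdown(); }

    public static void main(String[] args) throws Exception {
        DownloadJobs jobs = new DownloadJobs();
        // Constructed jobs: one writes a temp file, one fails while preparing.
        String ok = jobs.prepare("session-A", () -> Files.write(
                Files.createTempFile("export", ".bin"), new byte[1024]));
        String bad = jobs.prepare("session-A", () -> {
            throw new IllegalStateException("source unavailable");
        });
        while (jobs.status("session-A", ok) == State.PREPARING) Thread.sleep(50);
        while (jobs.status("session-A", bad) == State.PREPARING) Thread.sleep(50);
        System.out.println(jobs.status("session-A", ok));
        System.out.println(jobs.status("session-A", bad));
        System.out.println(jobs.status("session-B", ok));  // different session
        jobs.shutdown();
    }
}
```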





AW: javax.naming.NameNotFoundException Tomcat 8.0.32

2016-05-19 Thread Sebastian Trost
Hi Al,

Try using context.lookup("jdbc/308tubeOracle") instead of 
context.lookup("308tubeOracle").

Regards
Sebastian

-Original Message-
From: Al [mailto:rebra...@hotmail.com] 
Sent: Wednesday, 18 May 2016 22:26
To: users@tomcat.apache.org
Subject: javax.naming.NameNotFoundException Tomcat 8.0.32










Environment: Tomcat 8.0.32
Windows 10
Eclipse Mars 2 Release 4.5.2
MySQL-connector-java-5.1.39-bin.jar
 
I'm trying to set up a JNDI for a MySQL database connection in Eclipse using 
Tomcat 8.0.32. I keep receiving the following message when I try to run code 
example. 
 
javax.naming.NameNotFoundException: Name [308tubeOracle] is not bound in this 
Context. Unable to find [308tubeOracle].
 
I believe I have set everything up correctly and would really appreciate some 
direction.
I have added the following two entries into the context.xml under the Tomcat 
Server config in Eclipse.
 


 
I have added the following to the application web.xml in the WEB-INF folder of 
my application.  

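<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <display-name>com.youtube.rest</display-name>
  <welcome-file-list>
    <welcome-file>readme.html</welcome-file>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <resource-ref>
    <description>DB Connection</description>
    <res-ref-name>jdbc/308tubeOracle</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>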


I have copied the MySQL-connector-java-5.1.39-bin.jar to WEB-INF\lib in 
my application. 
Here is the code I call the context with to try and get the DataSource. I added 
the while loop to try to figure out what was going on. It does print the name 
308tubeOracle at that point. But I still get "Name [308tubeOracle] is not bound 
in this Context. Unable to find [308tubeOracle]."
 
import javax.naming.*;
import javax.sql.*;

public class get {
    private static DataSource Oracle308tube = null;
    private static Context context = null;

    public static DataSource Oracle308tubeConn() throws Exception {
        if (Oracle308tube != null) {
            return Oracle308tube;
        }
        try {
            if (context == null) {
                context = new InitialContext();
            }
            // Debugging aid: print every name bound under java:comp/env/jdbc
            NamingEnumeration<NameClassPair> list = context.list("java:comp/env/jdbc");
            while (list.hasMore()) {
                System.out.println(list.next().getName());
            }
            Oracle308tube = (DataSource) context.lookup("308tubeOracle");
        } catch (Exception e) {
            e.printStackTrace();
        }
        return Oracle308tube;
    }
}
 
 
 
 



  




AW: AW: OpenID Connect with Tomcat 8

2016-03-30 Thread Sebastian Trost
Hi Chris,

This is an OpenID Connect implementation for tomcat 8: 
https://github.com/boylesoftware/tomcat8-oidcauth

And as far as I know (I'm very new to this, so please correct me if I'm wrong) 
the Valve redirects the user to the OIDC provider before he reaches the login 
form of the tomcat. The Valve also sends a redirect_uri to the OIDC provider 
which he then uses to redirect the user back to the tomcat's j_security_check 
after a successful authentication. This redirect contains a token and a token 
id which contains information of the user in JSON format. If something went 
wrong with the authentication on the OIDC provider's side, the user will be 
redirected to the form - I think. 

If I would only use a realm I couldn't redirect the user before he reaches the 
login form. I think. 

Regards
Sebastian


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, 30 March 2016 17:03
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: AW: OpenID Connect with Tomcat 8


Sebastian,

On 3/30/16 4:42 AM, Sebastian Trost wrote:
> Well, it seems that I will have to use a Valve + Realm combination.
> Thanks!

What does the Valve add?

-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, 29 March 2016 19:57
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: OpenID Connect with Tomcat 8
> 
> Sebastien,
> 
> On 3/29/16 12:57 PM, Sebastian Trost wrote:
>> Hi,
> 
>> I am looking for a way to use OpenID Connect (authentication AND 
>> authorization) with Tomcat 8. I found two ways to get 
>> authentication working, but not authorization. Here's what I
>> tested so far:
> 
>> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
>> This extension works very well for authentication. It isn't
>> possible to authorize users, though. You can configure a realm
>> which authorizes the user against LDAP or a database.
> 
>> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc
>> + Tomcat 8 This mod works pretty well, too. But the AJP
>> Connector doesn't seem to receive the roles from the web server
>> and also relies on the realm to fetch the roles for each user.
> 
>> With both methods I failed to read the roles OpenID Connect 
>> supplies with the id token.
> 
>> I experimented a bit with botching around in tomcat8-oidcauth. I 
>> removed the authenticate()-call and instead built the 
>> GenericPrincipal object with hard-coded roles on my own. That
>> seems to work. But is this safe? Can I just read the token id and
>> assume that it is correct and set the roles in the
>> GenericPrincipal? Are there any other methods to use both
>> authentication AND authorization with tomcat 8?
> 
> I haven't looked at any of the above projects but if you want to 
> authenticate and authorize against a different type of backing 
> database, then you need to create your own Realm. RealmBase
> provides some nice utilities, but you aren't required to actually
> extend it.
> 
> The Realm has complete control over how the Principal objects are 
> created, so if you have a way to identify the user and their
> roles, then you can simply create a GenericPrincipal and return
> that on login, and its roles will be used for authentication
> later.
> 
> Hope that helps, -chris
> 



AW: OpenID Connect with Tomcat 8

2016-03-30 Thread Sebastian Trost
Hi Chris,

Well, it seems that I will have to use a Valve + Realm combination. Thanks!

Regards
Sebastian

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Tuesday, 29 March 2016 19:57
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: OpenID Connect with Tomcat 8


Sebastien,

On 3/29/16 12:57 PM, Sebastian Trost wrote:
> Hi,
> 
> I am looking for a way to use OpenID Connect (authentication AND
> authorization) with Tomcat 8. I found two ways to get
> authentication working, but not authorization. Here's what I tested
> so far:
> 
> Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth This
> extension works very well for authentication. It isn't possible to
> authorize users, though. You can configure a realm which authorizes
> the user against LDAP or a database.
> 
> Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc +
> Tomcat 8 This mod works pretty well, too. But the AJP Connector
> doesn't seem to receive the roles from the web server and also
> relies on the realm to fetch the roles for each user.
> 
> With both methods I failed to read the roles OpenID Connect
> supplies with the id token.
> 
> I experimented a bit with botching around in tomcat8-oidcauth. I
> removed the authenticate()-call and instead built the
> GenericPrincipal object with hard-coded roles on my own. That seems
> to work. But is this safe? Can I just read the token id and assume
> that it is correct and set the roles in the GenericPrincipal? Are
> there any other methods to use both authentication AND
> authorization with tomcat 8?

I haven't looked at any of the above projects but if you want to
authenticate and authorize against a different type of backing
database, then you need to create your own Realm. RealmBase provides
some nice utilities, but you aren't required to actually extend it.

The Realm has complete control over how the Principal objects are
created, so if you have a way to identify the user and their roles,
then you can simply create a GenericPrincipal and return that on
login, and its roles will be used for authentication later.

Hope that helps,
-chris



OpenID Connect with Tomcat 8

2016-03-29 Thread Sebastian Trost
Hi,

I am looking for a way to use OpenID Connect (authentication AND authorization) 
with Tomcat 8. I found two ways to get authentication working, but not 
authorization. Here's what I tested so far:

Tomcat 8 + https://github.com/boylesoftware/tomcat8-oidcauth
This extension works very well for authentication. It isn't possible to 
authorize users, though. You can configure a realm which authorizes the user 
against LDAP or a database.

Apache HTTPD + https://github.com/pingidentity/mod_auth_openidc + Tomcat 8 
This mod works pretty well, too. But the AJP Connector doesn't seem to receive 
the roles from the web server and also relies on the realm to fetch the roles 
for each user.

With both methods I failed to read the roles OpenID Connect supplies with the 
id token. 

I experimented a bit with botching around in tomcat8-oidcauth. I removed the 
authenticate()-call and instead built the GenericPrincipal object with 
hard-coded roles on my own. That seems to work. But is this safe? Can I just 
read the token id and assume that it is correct and set the roles in the 
GenericPrincipal?
Are there any other methods to use both authentication AND authorization with 
tomcat 8?

Thanks and kind regards
Sebastian
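
Validating the ID token before its roles are handed to a GenericPrincipal, which is the check the question above about "just reading the token" turns on. This is an added example, not code from the original post or from tomcat8-oidcauth; it assumes the Nimbus JOSE+JWT library on the classpath, an RS256-signed token, and a claim named "roles", and the issuer, client id, keys and token are constructed for the demonstration.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

public class IdTokenRoles {
    // Returns the token's roles only if signature, issuer, audience and expiry all check out.
    static List<String> verifiedRoles(String idToken, RSAPublicKey providerKey,
                                      String issuer, String clientId) throws Exception {
        SignedJWT jwt = SignedJWT.parse(idToken);
        // Pin the algorithm instead of trusting the token header.
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm()))
            throw new SecurityException("unexpected alg");
        if (!jwt.verify(new RSASSAVerifier(providerKey)))
            throw new SecurityException("bad signature");
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        if (!issuer.equals(claims.getIssuer()))
            throw new SecurityException("wrong issuer");
        if (!claims.getAudience().contains(clientId))
            throw new SecurityException("wrong audience");
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date()))
            throw new SecurityException("expired");
        // "roles" is an assumed claim name; providers differ.
        List<String> roles = claims.getStringListClaim("roles");
        return roles == null ? Collections.<String>emptyList() : roles;
    }

    // Constructed token: same claims every time, signed with the given key pair.
    static String sampleToken(KeyPair signer) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("https://idp.example").audience("tomcat-app").subject("alice")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .claim("roles", Arrays.asList("company-application-admin")).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(signer.getPrivate()));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair provider = gen.generateKeyPair();   // stands in for the OIDC provider
        KeyPair other = gen.generateKeyPair();      // any key that is not the provider's
        RSAPublicKey trusted = (RSAPublicKey) provider.getPublic();

        System.out.println(verifiedRoles(sampleToken(provider), trusted,
                "https://idp.example", "tomcat-app"));
        try {
            verifiedRoles(sampleToken(other), trusted, "https://idp.example", "tomcat-app");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The list returned by verifiedRoles is what a Realm or Valve would pass as the roles argument when it constructs the GenericPrincipal.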

