SSI SecurityException
Hello folks,

I have a new Tomcat install, version 7.0.21 running on OS X 10.6.8 server (not using Apple's install of Tomcat, BTW), and Java 1.6.0. I've successfully set up an SSI Filter before with Tomcat 6.0 a few years ago with the help of this list, but I'm just stuck right now.

I've uncommented the SSI Filters as described in:

http://tomcat.apache.org/tomcat-7.0-doc/ssi-howto.html

and enabled all files to be parsed with *

I've made my app privileged with

<Context antiResourceLocking="false" privileged="true">

based on the Manager app since it's already privileged. The META-INF directory in my app is where the context.xml is stored with this.

I'm using the Filters because I'd like it to find ssi directives within .jsp files.

When I launch Tomcat I see this in my logs:

SEVERE: Exception starting filter ssi
java.lang.SecurityException: Restricted class org.apache.catalina.ssi.SSIFilter
    at org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:432)
    at org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:421)
    at org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:399)
    at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:118)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:252)
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:372)
    at org.apache.catalina.core.ApplicationFilterConfig.init(ApplicationFilterConfig.java:98)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4584)
    at org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5262)
    at org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5257)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:680)

As a test, I tried using the Servlet instead of the Filter and that worked - at least the ssi include was shown, although Tomcat then didn't process the .jsp which I would expect.

I'm sure this is the way I configured it on version 6, but I may have missed something when I made my notes on that install. Any direction would be appreciated.

-Steve

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: SSI SecurityException
Hello, thank you for replying!

Yes, that is the location I uncommented it since that is what their instructions say. I'm only deploying a single webapp, so I do not mind it being global. I do see how it would be tidier in the future, if I deploy more, to do it on a per-app basis.

If this is contributing to my current problem, I have no issues doing as you suggest. Should I copy it from the conf directory in its entirety or just a subsection of the file?

Thank you again.

-Steve

On Oct 21, 2011, at 2:27 PM, Konstantin Kolinko wrote:

> 2011/10/21 Steve Major st...@themajorshome.com:
>> Hello folks, I have a new Tomcat install, version 7.0.21 running on OS X 10.6.8 server (not using Apple's install of Tomcat, BTW), and Java 1.6.0. I've successfully set up an SSI Filter before with Tomcat 6.0 a few years ago with the help of this list, but I'm just stuck right now.
>>
>> I've uncommented the SSI Filters as described in: http://tomcat.apache.org/tomcat-7.0-doc/ssi-howto.html and enabled all files to be parsed with *
>
> Where did you uncomment it?
>
> You should not have modified conf/web.xml, because it applies to all webapps. You should copy it into your webapp only.
>
> Best regards,
> Konstantin Kolinko

Re: SSI SecurityException
Thanks, I figured that out shortly before getting your reply. Moving the filter and mapping into the app's web.xml has eliminated the error from the logs, however, the ssi still won't display a result.

By this I mean if I insert:

Today is <!--#echo var="DATE_LOCAL" -->

into my .jsp, when I view the page I only see

Today is.

My previous experience with Apache's SSI suggests if it wasn't enabled correctly, I'd see

Today is <!--#echo var="DATE_LOCAL" -->

on my page because it just would assume that directive is text. Assuming Tomcat follows the same, it would tell me that it is parsing it and for whatever reason not outputting a result. I could be wrong.

Thank you again for your time.

-Steve

On Oct 21, 2011, at 3:01 PM, Konstantin Kolinko wrote:

>> Should I copy it from the conf directory in its entirety or just a subsection of the file?
>
> Only definition of the filter and its mapping.
>
> Best regards,
> Konstantin Kolinko

Re: Help with TomCat 6.0 SSI
Okay, I've gone back to the beginning with this problem with the advice so far and reinstalled Tomcat fresh on a clone of my existing box with no web apps deployed yet. I think my initial diagnosis of something wrong with privileged app may have been off.

I think my problem (aside from being new with Tomcat) is with the SSI filters themselves or something to do with them. If I go into my web.xml and simply uncomment the SSI filter and filter mappings, restart Tomcat, and try to go to the default page, I'm greeted with:

HTTP Status 404 - /
type Status report
message /
description The requested resource (/) is not available.
Apache Tomcat/6.0.16

My logs show (in part)

Mar 23, 2008 11:26:02 AM org.apache.catalina.core.StandardContext start
SEVERE: Error filterStart

Re-commenting both those sections restores Tomcat to working order.

On Mar 17, 2008, at 7:36 PM, Caldarale, Charles R wrote:

> From: Steve Major [mailto:[EMAIL PROTECTED]
> Subject: Re: Help with TomCat 6.0 SSI
>
>> Does this mean I need to revert to putting it in my server.xml?
>
> No, it means you've got something else wrong. Make sure your webapp's directory structure is correct by comparing it to the manager and host-manager webapps that come with Tomcat 6.0 (both of which are privileged). Once that's verified, install Lambda Probe (www.lambdaprobe.org) and bring up Tomcat. Browse to the Lambda Probe app (usually http://localhost:8080/probe), click on your webapp name in the left column, then the Context descriptor box on the right side. Make sure your Context element is shown correctly.
>
> If that's all correct, then you may have to fiddle with the conf/catalina.policy file, but I don't think that should be necessary.
>
> - Chuck
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Help with TomCat 6.0 SSI
Thanks for the clarification. I got SSI Filters all uncommented. Manager works now.

I have Probe installed and working too. When I go to my web app I really want to get SSI working with and view it with Probe - under Context Descriptor it says Cannot find context descriptor of this application.

The app I want to use didn't have a META-INF folder, so I copied it over the one from the manager app since it's already a privileged app and has the appropriate context.xml contained within. Same thing.

Is it a problem with my web app?

Thanks again.

--
Various ways of contacting me can be found at my Signat-url webpage:
http://www.themajorshome.com/signat-url

On Mar 23, 2008, at 12:46 PM, Mark Thomas wrote:

> Steve Major wrote:
>> I think my problem (aside from being new with Tomcat) is with the SSI filters themselves or something to do with them. If I go into my web.xml and simply uncomment the SSI filter and filter mappings, restart Tomcat, and try to go to the default page, I'm greeted with:
>
> You still need to mark the context as privileged or the loading of the filter will fail which will lead to:
>
>> Mar 23, 2008 11:26:02 AM org.apache.catalina.core.StandardContext start
>> SEVERE: Error filterStart
>
> Mark

Re: Help with TomCat 6.0 SSI
Okay, success! THANK YOU! Success defined as my app now working, I just have to try some SSI with it. ;-)

Some clarification, if you don't mind. My apps seem to have Context.xml's in:

$CATALINA_HOME/webapps/manager/META-INF/Context.xml

and

$CATALINA_HOME/webapps/probe/META-INF/Context.xml

These seem to have the privileged=true contained within. I did the same with my webapp, e.g.

$CATALINA_HOME/webapps/myapp/META-INF/Context.xml

Are those necessary in addition to

$CATALINA_HOME/conf/[enginename]/[hostname]/yourapp.xml ?

Or is this all that I really need?

-Steve

On Mar 23, 2008, at 1:51 PM, Mark Thomas wrote:

> Steve Major wrote:
>> The app I want to use didn't have a META-INF folder, so I copied it over the one from the manager app since it's already a privileged app and has the appropriate context.xml contained within. Same thing.
>
> Copied what from where to where?
>
> You'll need to copy the context.xml to
> $CATALINA_HOME/conf/[enginename]/[hostname]/yourapp.xml
>
> Mark

Help with TomCat 6.0 SSI
Hello,

I'm new to the list and fairly new to TomCat. I've used it to deploy simple apps, but now need to get some SSI involved. I've followed the How To located here:

http://tomcat.apache.org/tomcat-6.0-doc/ssi-howto.html

Two problems:

1) when modifying my web.xml conf as instructed, that file says:

<!-- IMPORTANT: To use the SSI filter, you also need to rename the -->
<!-- $CATALINA_HOME/server/lib/servlets-ssi.renametojar file -->
<!-- to $CATALINA_HOME/server/lib/servlets-ssi.jar -->

I don't have a servlets-ssi.renametojar file nor an existing servlets-ssi.jar. I downloaded various versions of 6.0.x and it doesn't appear to be a part of any of those archives. I can only find that file in archives of TomCat 5.5.

2) I'm unsure about this part of the How To:

Only Contexts which are marked as privileged may use SSI features (see the privileged property of the Context element).

Can someone point me in the right direction as to what this means? It seems to indicate that my deployed apps will have to be given permission to use SSI, but I'm not sure where to configure this.

Thanks in advance,

-Steve

Re: Help with TomCat 6.0 SSI
Thanks very much, I believe I want an entry in my context.xml something like:

<Context path="/myapplication" privileged="true" docBase="/usr/local/tomcat/server/webapps/myapplication">
</Context>

Thanks again for getting me in the right direction.

-Steve

On Mar 17, 2008, at 2:59 PM, Mark Thomas wrote:

> Steve Major wrote:
>> I don't have a servlets-ssi.renametojar file nor an existing servlets-ssi.jar. I downloaded various versions of 6.0.x and it doesn't appear to be a part of any of those archives. I can only find that file in archives of TomCat 5.5.
>
> You can ignore this. The classes you need are part of the standard distro.
>
>> 2) I'm unsure about this part of the How To:
>>
>> Only Contexts which are marked as privileged may use SSI features (see the privileged property of the Context element).
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
> Search for privileged.
>
> Mark

Re: Help with TomCat 6.0 SSI
Thanks, my webapp has neither a META-INF directory nor a context.xml file anywhere in its directory structure. I tried creating a META-INF/context.xml in my webapp's root directory, but that didn't work. I still get:

Servlet of class org.apache.catalina.servlets.SSIServlet is privileged and cannot be loaded by this web application.

Does this mean I need to revert to putting it in my server.xml?

On Mar 17, 2008, at 3:47 PM, Caldarale, Charles R wrote:

> From: Steve Major [mailto:[EMAIL PROTECTED]
> Subject: Re: Help with TomCat 6.0 SSI
>
>> Thanks very much, I believe I want an entry in my context.xml something like:
>>
>> <Context path="/myapplication" privileged="true" docBase="/usr/local/tomcat/server/webapps/myapplication">
>> </Context>
>
> No, do not put Context elements in server.xml; that is strongly discouraged, and persists only for compatibility with older levels. Your Context element should go into your webapp's META-INF/context.xml file, but without the path and docBase attributes. Your webapp should be placed in webapps, not server/webapps (that directory doesn't exist in Tomcat 6).
>
> Don't forget to uncomment the servlet-mapping for the ssi servlet in conf/web.xml.
>
> - Chuck
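
Added example, not part of any message in these threads and not Tomcat's own code: a Python check of a webapp's META-INF/context.xml and WEB-INF/web.xml for the condition the replies describe (an SSI filter or servlet declared in a Context that is not marked privileged). The finding names, the sample XML and the extra checks for allowExec=true and a /* mapping are assumptions added here.

```python
import xml.etree.ElementTree as ET

# Container classes Tomcat loads only into contexts marked privileged="true".
RESTRICTED = {"org.apache.catalina.ssi.SSIFilter", "org.apache.catalina.ssi.SSIServlet"}

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on web.xml tags."""
    return tag.rsplit("}", 1)[-1]

def text_of(elem, name):
    """Stripped text of the first descendant called `name`, or ''."""
    return next(((n.text or "").strip() for n in elem.iter()
                 if local(n.tag) == name), "")

def audit(context_xml, web_xml):
    """Findings for one webapp's META-INF/context.xml and WEB-INF/web.xml."""
    privileged = ET.fromstring(context_xml).get("privileged", "").lower() == "true"
    findings, ssi_names, mappings = [], set(), []
    for elem in ET.fromstring(web_xml).iter():
        kind = local(elem.tag)
        if kind in ("filter", "servlet") and text_of(elem, kind + "-class") in RESTRICTED:
            ssi_names.add(text_of(elem, kind + "-name"))
            if not privileged:  # startup fails with the errors quoted in the thread
                findings.append("restricted-class-in-unprivileged-context")
            params = {text_of(p, "param-name"): text_of(p, "param-value")
                      for p in elem.iter() if local(p.tag) == "init-param"}
            if params.get("allowExec", "false").lower() == "true":
                findings.append("exec-directive-enabled")
        elif kind in ("filter-mapping", "servlet-mapping"):
            mappings.append((text_of(elem, kind.split("-")[0] + "-name"),
                             text_of(elem, "url-pattern")))
    if any(n in ssi_names and p == "/*" for n, p in mappings):
        findings.append("ssi-mapped-to-all-urls")  # narrow it, e.g. *.shtml
    return findings

# Constructed sample (not from the thread): the stock filter mapped to "/*".
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>ssi</filter-name>
    <filter-class>org.apache.catalina.ssi.SSIFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ssi</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print(audit("<Context/>", WEB_XML), audit('<Context privileged="true"/>', WEB_XML))
```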