SSI SecurityException

2011-10-21 Thread Steve Major
Hello folks,

I have a new Tomcat install, version 7.0.21 running on OS X 10.6.8 server (not 
using Apple's install of Tomcat, BTW), and Java 1.6.0.  I've successfully setup 
a SSI Filter before with Tomcat 6.0 a few years ago with the help of this list, 
but I'm just stuck right now.

I've uncommented the SSI Filters as described in: 
http://tomcat.apache.org/tomcat-7.0-doc/ssi-howto.html and enabled all files to 
be parsed with *

I've made my app privileged with Context antiResourceLocking=false 
privileged=true  based on the Manager app since it's already privileged.  
The META-INF directory in my app is where the context.xml is stored with this.

I'm using the Filters because I'd like it to find ssi directives within .jsp 
files.  When I launch Tomcat I see this in my logs:

SEVERE: Exception starting filter ssi
java.lang.SecurityException: Restricted class org.apache.catalina.ssi.SSIFilter
at 
org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:432)
at 
org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:421)
at 
org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:399)
at 
org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:118)
at 
org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:252)
at 
org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:372)
at 
org.apache.catalina.core.ApplicationFilterConfig.init(ApplicationFilterConfig.java:98)
at 
org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4584)
at 
org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5262)
at 
org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5257)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:680)

As as test, I tried using the Servlet instead of the Filter and that worked - 
at least the ssi include was shown, although Tomcat then didn't process the 
.jsp which I would expect.

I'm sure this is the way I configured it on version 6, but I may have missed 
something when I made my notes on that install.

Any direction would be appreciated.
-Steve


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSI SecurityException

2011-10-21 Thread Steve Major
Hello, thank you for replying!

Yes, that is the location I uncommented it since that is what their 
instructions say. I'm only deploying a single webapp, so I do not mind it being 
global.  I do see how it would be tidier in the future, if I deploy more, to do 
it on a per-app basis.  If this is contributing to my current problem, I have 
no issues doing as you suggest.

Should I copy it from the conf directory in its entirety or just a subsection 
of the file?

Thank you again.
-Steve

On Oct 21, 2011, at 2:27 PM, Konstantin Kolinko wrote:

 2011/10/21 Steve Major st...@themajorshome.com:
 Hello folks,
 
 I have a new Tomcat install, version 7.0.21 running on OS X 10.6.8 server 
 (not using Apple's install of Tomcat, BTW), and Java 1.6.0.  I've 
 successfully setup a SSI Filter before with Tomcat 6.0 a few years ago with 
 the help of this list, but I'm just stuck right now.
 
 I've uncommented the SSI Filters as described in: 
 http://tomcat.apache.org/tomcat-7.0-doc/ssi-howto.html and enabled all files 
 to be parsed with *
 
 Where did you uncomment it?
 
 You should not have modified conf/web.xml, because it applies to all
 webapps. You should copy it into your webapp only.
 
 
 Best regards,
 Konstantin Kolinko
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSI SecurityException

2011-10-21 Thread Steve Major
Thanks, I figured that out shortly before getting your reply.

Moving the filter and mapping into the app's web.xml has eliminated the error 
from the logs, however, the ssi still won't display a result.

By this I mean if I insert: Today is !--#echo var=DATE_LOCAL -- into my 
.jsp, when I view the page I only see Today is.

My previous experience with Apache's SSI suggests if it wasn't enabled 
correctly, I'd see Today is !--#echo var=DATE_LOCAL -- on my page because 
it just would assume that directive is text.

Assuming Tomcat follows the same, it would tell me that it is parsing it and 
for whatever reason not outputting a result.  I could be wrong.

Thank you again for your time.
-Steve


On Oct 21, 2011, at 3:01 PM, Konstantin Kolinko wrote:

 Should I copy it from the conf directory in its entirety or just a 
 subsection of the file?
 
 Only definition of the filter and its mapping.
 
 Best regards,
 Konstantin Kolinko
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Help with TomCat 6.0 SSI

2008-03-23 Thread Steve Major
Okay, I've gone back to the beginning with this problem with the  
advice so far and reinstalled Tomcat fresh on a clone of my existing  
box with no web apps deployed yet.  I think my initial diagnosis of  
something wrong with privileged app may have been off.


I think my problem is (aside from being a new with Tomcat) is with the  
SSI filters themselves or something to do with them.


If I go into my web.xml and simply uncomment the SSI filter and filter  
mappings, restart Tomcat, and try to go to the default page, I'm  
greeted with:


HTTP Status 404 - /

type Status report

message /

description The requested resource (/) is not available.
Apache Tomcat/6.0.16

My logs show (in part)

Mar 23, 2008 11:26:02 AM org.apache.catalina.core.StandardContext start
SEVERE: Error filterStart

Re-commenting both those sections restore Tomcat to working order.

On Mar 17, 2008, at 7:36 PM, Caldarale, Charles R wrote:


From: Steve Major [mailto:[EMAIL PROTECTED]
Subject: Re: Help with TomCat 6.0  SSI

Does this mean I need to revert to putting it in my server.xml?


No, it means you've got something else wrong.  Make sure your webapp's
directory structure is correct by comparing it to the manager and
host-manager webapps that come with Tomcat 6.0 (both of which are
privileged).

Once that's verified, install Lambda Probe (www.lambdaprobe.org) and
bring up Tomcat.  Browse to the Lambda Probe app (usually
http://localhost:8080/probe), click on your webapp name in the left
column, then the Context descriptor box on the right side.  Make sure
your Context element is shown correctly.

If that's all correct, then you may have to fiddle with the
conf/catalina.policy file, but I don't think that should be necessary.

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE  
PROPRIETARY

MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e- 
mail

and its attachments from all computers.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Help with TomCat 6.0 SSI

2008-03-23 Thread Steve Major
Thanks for the clarification.  I got SSI Filters all uncommented.   
Manager works now.


I have Probe installed and working too.  When I go to my web app I  
really want to get SSI working with and view it with Probe - under  
Context Descriptor it says Cannot find context descriptor of this  
application.


The app I want to use didn't have a META-INF folder, so I copied it  
over the one from the manager app since it's already a privileged app  
and as the appropriate context.xml contained within.  Same thing.


Is it a problem with my web app?

Thanks again.
--
Various ways of contacting me can be found at my Signat-url webpage: 
http://www.themajorshome.com/signat-url


On Mar 23, 2008, at 12:46 PM, Mark Thomas wrote:


Steve Major wrote:
I think my problem is (aside from being a new with Tomcat) is with  
the SSI filters themselves or something to do with them.
If I go into my web.xml and simply uncomment the SSI filter and  
filter mappings, restart Tomcat, and try to go to the default page,  
I'm greeted with:


You still need to mark the context as privileged or the loading of  
the filter will fail which will lead to:


Mar 23, 2008 11:26:02 AM org.apache.catalina.core.StandardContext  
start

SEVERE: Error filterStart


Mark


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Help with TomCat 6.0 SSI

2008-03-23 Thread Steve Major
Okay, success!  THANK YOU!  Success defined as my app now working, I  
just have to try some SSI with it. ;-)


Some clarification, if you don't mind.

My apps seem to have Context.xml 's in:

$CATALINA_HOME/webapps/manager/META-INF/Context.xml

and

$CATALINA_HOME/webapps/probe/META-INF/Context.xml

These seem to have the privileged=true contained within.

I did the same with my webapp e.g. $CATALINA_HOME/webapps/myapp/META- 
INF/Context.xml


Are those necessary in addition to $CATALINA_HOME/conf/[enginename]/ 
[hostname]/yourapp.xml ?  Or is this all that I really need?


-Steve

On Mar 23, 2008, at 1:51 PM, Mark Thomas wrote:


Steve Major wrote:
The app I want to use didn't have a META-INF folder, so I copied it  
over the one from the manager app since it's already a privileged  
app and as the appropriate context.xml contained within.  Same thing.


Copied what from where to where? You'll need to copy the context.xml  
to $CATALINA_HOME/conf/[enginename]/[hostname]/yourapp.xml


Mark


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Help with TomCat 6.0 SSI

2008-03-17 Thread Steve Major

Hello,

I'm new to the list and fairly new to TomCat.  I've used it to deploy  
simple apps, but now need to get some SSI involved.


I've followed the How To located here:  
http://tomcat.apache.org/tomcat-6.0-doc/ssi-howto.html

Two problems:

1) when modifying my web.xml conf as instructed, that file says:

  !-- IMPORTANT: To use the SSI filter, you also need to rename  
the--
  !--$CATALINA_HOME/server/lib/servlets-ssi.renametojar  
file   --
  !--to $CATALINA_HOME/server/lib/servlets- 
ssi.jar --


I don't have a servlets-ssi.renametojar file nor an existing servlets- 
ssi.jar.  I downloaded various versions of 6.0.x and it doesn't appear  
to be a part of any of those archives.  I can only find that file in  
archives of TomCat 5.5.


2) I'm unsure about this part of the How To:  Only Contexts which are  
marked as privileged may use SSI features (see the privileged property  
of the Context element).


Can someone point me in the right direction as to what this means?  It  
seems to indicate that my deployed apps will have to be given  
permission to use SSI, but I'm not sure where to configure this.


Thanks in advance,
-Steve


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Help with TomCat 6.0 SSI

2008-03-17 Thread Steve Major
Thanks very much, I believe I want an entry in my context.xml  
something like:


Context path=/myapplication privileged=true
 docBase=/usr/local/tomcat/server/webapps/myapplication
/Context

Thanks again for getting me in the right direction.
-Steve

On Mar 17, 2008, at 2:59 PM, Mark Thomas wrote:


Steve Major wrote:
I don't have a servlets-ssi.renametojar file nor an existing  
servlets-ssi.jar.  I downloaded various versions of 6.0.x and it  
doesn't appear to be a part of any of those archives.  I can only  
find that file in archives of TomCat 5.5.


You can ignore this. The classes you need are part of the standard  
distro.


2) I'm unsure about this part of the How To:  Only Contexts which  
are marked as privileged may use SSI features (see the privileged  
property of the Context element).


http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
Search for privileged.

Mark


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Help with TomCat 6.0 SSI

2008-03-17 Thread Steve Major
Thanks, my webapp has neither a META-INF directory or a context.xml  
file anywhere in it's directory structure.  I tried creating a META- 
INF/context.xml in my webapp's root directory, but that didn't work.   
I still get:


Servlet of class org.apache.catalina.servlets.SSIServlet is privileged  
and cannot be loaded by this web application.


Does this mean I need to revert to putting it in my server.xml?

On Mar 17, 2008, at 3:47 PM, Caldarale, Charles R wrote:


From: Steve Major [mailto:[EMAIL PROTECTED]
Subject: Re: Help with TomCat 6.0  SSI

Thanks very much, I believe I want an entry in my context.xml
something like:

Context path=/myapplication privileged=true
 docBase=/usr/local/tomcat/server/webapps/myapplication
/Context


No, do not put Context elements in server.xml; that is strongly
discouraged, and persists only for compatibility with older levels.
Your Context element should go into your webapp's META-INF/ 
context.xml

file, but without the path and docBase attributes.  Your webapp should
be placed in webapps, not server/webapps (that directory doesn't exist
in Tomcat 6).

Don't forget to uncomment the servlet-mapping for the ssi servlet in
conf/web.xml.

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE  
PROPRIETARY

MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e- 
mail

and its attachments from all computers.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]