Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Felix, the issue still persists; I don't know what else to do, and I don't know why this issue is popping up on the Linux environment only. Under Windows there is no session mix-up issue. Now these are not class-wide variables any more; I have moved them inside the login function.

From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 6:07:18 PM
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

Yawar Khan khanya...@yahoo.com wrote:

Thanks Felix, very nicely explained! But do you think that declaring the connection and rs variables outside the login function is causing the sessions mix-up issue?

Yes. But I think it is not messing with sessions, but rather messing with the values of your user beans.

Hth
Felix

From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 4:13:52 PM
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

On Friday, 20.08.2010, 21:54 -0700, Yawar Khan wrote:

Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form. Is there another genuine threat or bug that you identified and would like to share? Please do. I am sharing the udac source code as well; Wesley, your comments are also welcome. Somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that email so I am unable to name that gentleman friend.

    package org.mcb.services;

    import java.text.*;
    import java.util.*;
    import java.sql.*;
    import javax.servlet.http.HttpSession;

    public class udac {
        static Connection currentCon = null;
        static ResultSet rs = null;

This seems to be really problematic. Having ResultSet and Connection shared by many users is a bad idea. Imagine what happens when two requests come in at the same time:

    Request A                        Request B
    login(beanA)                     |
    currentCon = new Connection()    |
    |                                login(beanB)
    |                                |
    |                                currentCon = new Connection()    # BOOM

You are overwriting the class-wide variable currentCon. The same thing can happen to rs too. So better place currentCon and rs as method variables inside of login.

        public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try {
                epass = passwordservices.getInstance().encrypt(password);
                //passwordservices is a class which has functions to encrypt a string and return back the string.
            } catch (Exception e) {
                System.out.println(e);

I find it very useful to use a logging framework for reporting errors. And adding information about the state in which the error occurred might help find the root cause more easily.

            }
            String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC"
                + " FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
            searchQuery = searchQuery + " AND LOWER(a.USER_ID) = LOWER('" + userid + "') AND a.PASSWORD = '" + epass + "'";

If you are using prepared statements with parameters, you don't have to worry if someone has forgotten to check those parameters for SQL injection. But you were told so already.

Bye
Felix

            try {
                //connect to DB: connectionmanager is a class which contains connection functions
                currentCon = connectionmanager.scgm_conn();
                stmt = currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata = false;
                while (rs.next()) {
                    hasdata = true;
                    name = rs.getString("NAME");
                    user_id = rs.getString("USER_ID");
                    branch_code = rs.getString("BRANCH_CODE");
                    role_id = rs.getString("ROLE_ID");
                    last_login = rs.getString("LAST_LOGIN_DATE");
                    role_desc = rs.getString("ROLE_DESC");
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code
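The interleaving in Felix's diagram, reproduced as an added example; this is not code from the thread or from the posted application. Python stands in for the servlet container: a module-level variable plays the role of `static ResultSet rs`, a dictionary of two constructed users plays the role of the LOGIN_INFORMATION lookup, and a barrier forces the "both requests have executed the query before either reads rs" ordering so the mix-up reproduces on every run instead of depending on timing. The user names and the function names are assumptions made for the demonstration.

```python
import threading

# Constructed user table standing in for the LOGIN_INFORMATION lookup; no JDBC here.
_USERS = {
    "alice": {"USER_ID": "alice", "NAME": "Alice"},
    "bob":   {"USER_ID": "bob",   "NAME": "Bob"},
}

# One slot shared by every caller, like `static ResultSet rs` in the posted udac class.
_shared_rs = None


def _execute_query(userid):
    """Stands in for stmt.executeQuery(searchQuery); returns the row for one user."""
    return dict(_USERS[userid])


def login_static(userid, barrier):
    """The posted shape: the result set is stored in a class-wide field.

    The barrier forces the interleaving in Felix's diagram: both requests have
    run `rs = stmt.executeQuery(...)` before either reads rs.getString("NAME").
    """
    global _shared_rs
    _shared_rs = _execute_query(userid)      # rs = stmt.executeQuery(searchQuery)
    barrier.wait()                            # the other request overwrites rs here
    return _shared_rs["NAME"]                # bean.setName(rs.getString("NAME"))


def login_local(userid, barrier):
    """Felix's fix: the result set is a method-local variable, one per call."""
    rs = _execute_query(userid)
    barrier.wait()                            # same interleaving, but nothing is shared
    return rs["NAME"]


def run_concurrent_logins(login, userids=("alice", "bob")):
    """Run one login per user on its own thread; return {userid: NAME the bean got}."""
    barrier = threading.Barrier(len(userids))
    results = {}

    def worker(uid):
        results[uid] = login(uid, barrier)

    threads = [threading.Thread(target=worker, args=(uid,)) for uid in userids]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def beans_mixed_up(results):
    """True when some user's bean carries another user's NAME."""
    return any(name != _USERS[uid]["NAME"] for uid, name in results.items())


if __name__ == "__main__":
    print("static rs:", run_concurrent_logins(login_static))  # one NAME for both users
    print("local rs: ", run_concurrent_logins(login_local))   # each bean gets its own user's NAME
```

With the static slot, whichever request assigns last wins and both beans come back with the same NAME; with a local variable each request reads its own row. The posted `finally` block makes it worse in the real class, since it also closes and nulls the shared `currentCon` and `rs`, so the request that is still inside the loop can hit a closed result set or a null connection. A race like this only shows when two logins overlap, which is why it can appear on one deployment and not another.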
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Wesley, no, I am not using SQL bindings. What are the security holes? You haven't told me why my sessions are getting mixed up here.

From: Wesley Acheson wesley.ache...@gmail.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 3:16:23 PM
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

On Sat, Aug 21, 2010 at 6:54 AM, Yawar Khan khanya...@yahoo.com wrote:

Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form.

Javascript / ECMAScript and any client-side scripting are completely bypassable and offer no security.

http://www.xs4all.nl/~sbpoley/webmatters/formval.html

So field validation doesn't help you. Also anyone can post to your servlets. Are you using bindings for your SQL? I see security holes here but don't have time for a use case.

Is there another genuine threat or bug that you identified and would like to share? Please do. I am sharing the udac source code as well; Wesley, your comments are also welcome. Somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that email so I am unable to name that gentleman friend.

    package org.mcb.services;

    import java.text.*;
    import java.util.*;
    import java.sql.*;
    import javax.servlet.http.HttpSession;

    public class udac {
        static Connection currentCon = null;
        static ResultSet rs = null;

        public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try {
                epass = passwordservices.getInstance().encrypt(password);
                //passwordservices is a class which has functions to encrypt a string and return back the string.
            } catch (Exception e) {
                System.out.println(e);
            }
            String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC"
                + " FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
            searchQuery = searchQuery + " AND LOWER(a.USER_ID) = LOWER('" + userid + "') AND a.PASSWORD = '" + epass + "'";
            try {
                //connect to DB: connectionmanager is a class which contains connection functions
                currentCon = connectionmanager.scgm_conn();
                stmt = currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata = false;
                while (rs.next()) {
                    hasdata = true;
                    name = rs.getString("NAME");
                    user_id = rs.getString("USER_ID");
                    branch_code = rs.getString("BRANCH_CODE");
                    role_id = rs.getString("ROLE_ID");
                    last_login = rs.getString("LAST_LOGIN_DATE");
                    role_desc = rs.getString("ROLE_DESC");
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code);
                    bean.setRole(role_id);
                    bean.setLastLogin(last_login);
                    bean.setRoleDesc(role_desc);
                    bean.setValid(true);
                }
                if (!hasdata) {
                    System.out.println("Sorry, you are not a registered user! Please sign up first " + searchQuery);
                    bean.setValid(false);
                }
            } catch (Exception ex) {
                System.out.println("Log In failed: An Exception has occurred! " + ex);
            }
            //some exception handling
            finally {
                if (rs != null) {
                    try { rs.close(); } catch (Exception e) {}
                    rs = null;
                }
                if (stmt != null) {
                    try { stmt.close(); } catch (Exception e) {}
                    stmt = null;
                }
                if (currentCon != null) {
                    try { currentCon.close(); } catch (Exception e) {}
                    currentCon = null;
                }
            }
            return bean;
        }
    }

ysk

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, August 20, 2010 3:43 AM
To: Tomcat Users List
Subject
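Wesley's question about SQL bindings, and the "JDBC does not allow more than one query on this execute function" argument, worked through as an added example that is not code from the thread or the posted application. Python's sqlite3 module stands in for JDBC; the two-table schema, the single user row, the sha256 stand-in for `passwordservices.encrypt()`, and the payload string are all constructed for the demonstration. The userid field is the vector because the posted code concatenates it unchanged, while the password passes through encrypt() first. The payload only rewrites the WHERE clause of the one SELECT, so the one-statement-per-execute limit does not stop it, and because it is sent straight to the servlet, the form's JavaScript never sees it. `login_concat` is the posted pattern; `login_prepared` is the same query with bind parameters.

```python
import hashlib
import sqlite3

# Constructed schema with the columns the posted query reads from the two tables it joins.
SCHEMA = """
CREATE TABLE LOGIN_INFORMATION (
    USER_ID TEXT, NAME TEXT, BRANCH_CODE TEXT, PASSWORD TEXT,
    LAST_LOGIN_DATE TEXT, ROLE_ID TEXT, ACTIVE TEXT);
CREATE TABLE ROLES (ROLE_ID TEXT, ROLE_DESC TEXT);
INSERT INTO ROLES VALUES ('1', 'Administrator');
INSERT INTO ROLES VALUES ('2', 'Teller');
"""

# The posted SELECT, minus the two predicates that are built from request parameters.
BASE_QUERY = (
    "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, "
    "a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b "
    "WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID"
)

# Constructed payload for the userid field: it closes the LOWER( ... ) call the
# posted code wraps the value in, appends an always-true OR, and leaves quotes
# and parentheses balanced so the rest of the single statement still parses.
BYPASS_USERID = "x') OR 1=1 OR ('1'='1"


def encrypt(password):
    """Stand-in for passwordservices.encrypt(); the real transform is not on the page."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def open_db():
    """In-memory database holding one active user (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute(
        "INSERT INTO LOGIN_INFORMATION VALUES (?, ?, ?, ?, ?, ?, ?)",
        ("ADMIN", "Site Admin", "001", encrypt("S3cret!"), "2010-08-20", "1", "A"),
    )
    return con


def login_concat(con, userid, password):
    """The posted pattern: request parameters spliced into the SQL text.

    Returns the NAME of the matched user, or None. Like the posted
    while (rs.next()) loop, the last row wins when several rows come back.
    """
    sql = (BASE_QUERY
           + " AND LOWER(a.USER_ID) = LOWER('" + userid + "')"
           + " AND a.PASSWORD = '" + encrypt(password) + "'")
    rows = con.execute(sql).fetchall()
    return rows[-1][1] if rows else None


def login_prepared(con, userid, password):
    """Same query with bind parameters: the driver passes the values as data,
    so quotes and parentheses inside them never become SQL syntax."""
    sql = BASE_QUERY + " AND LOWER(a.USER_ID) = LOWER(?) AND a.PASSWORD = ?"
    rows = con.execute(sql, (userid, encrypt(password))).fetchall()
    return rows[-1][1] if rows else None


if __name__ == "__main__":
    con = open_db()
    for fn in (login_concat, login_prepared):
        print(fn.__name__, "good credentials:", fn(con, "admin", "S3cret!"))
        print(fn.__name__, "wrong password:  ", fn(con, "admin", "guess"))
        print(fn.__name__, "payload userid:  ", fn(con, BYPASS_USERID, "guess"))
```

With the concatenated query, the payload and a wrong password still return the user's row, because `... OR 1=1 OR ...` makes the WHERE clause true for every row of the join; the parameterized query returns nothing for the same input. The fix in JDBC terms is `PreparedStatement` with `?` placeholders and `setString()`, which is what Felix and Chris are pointing at, and it is independent of any validation done in the browser.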
Re: Sessions mix-up on Tomcat 6.0.26 on Linux
Thanks Felix, very nicely explained! But do you think that declaring the connection and rs variables outside the login function is causing the sessions mix-up issue?

From: Felix Schumacher felix.schumac...@internetallee.de
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 4:13:52 PM
Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux

On Friday, 20.08.2010, 21:54 -0700, Yawar Khan wrote:

Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form. Is there another genuine threat or bug that you identified and would like to share? Please do. I am sharing the udac source code as well; Wesley, your comments are also welcome. Somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that email so I am unable to name that gentleman friend.

    package org.mcb.services;

    import java.text.*;
    import java.util.*;
    import java.sql.*;
    import javax.servlet.http.HttpSession;

    public class udac {
        static Connection currentCon = null;
        static ResultSet rs = null;

This seems to be really problematic. Having ResultSet and Connection shared by many users is a bad idea. Imagine what happens when two requests come in at the same time:

    Request A                        Request B
    login(beanA)                     |
    currentCon = new Connection()    |
    |                                login(beanB)
    |                                |
    |                                currentCon = new Connection()    # BOOM

You are overwriting the class-wide variable currentCon. The same thing can happen to rs too. So better place currentCon and rs as method variables inside of login.

        public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try {
                epass = passwordservices.getInstance().encrypt(password);
                //passwordservices is a class which has functions to encrypt a string and return back the string.
            } catch (Exception e) {
                System.out.println(e);

I find it very useful to use a logging framework for reporting errors. And adding information about the state in which the error occurred might help find the root cause more easily.

            }
            String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC"
                + " FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
            searchQuery = searchQuery + " AND LOWER(a.USER_ID) = LOWER('" + userid + "') AND a.PASSWORD = '" + epass + "'";

If you are using prepared statements with parameters, you don't have to worry if someone has forgotten to check those parameters for SQL injection. But you were told so already.

Bye
Felix

            try {
                //connect to DB: connectionmanager is a class which contains connection functions
                currentCon = connectionmanager.scgm_conn();
                stmt = currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata = false;
                while (rs.next()) {
                    hasdata = true;
                    name = rs.getString("NAME");
                    user_id = rs.getString("USER_ID");
                    branch_code = rs.getString("BRANCH_CODE");
                    role_id = rs.getString("ROLE_ID");
                    last_login = rs.getString("LAST_LOGIN_DATE");
                    role_desc = rs.getString("ROLE_DESC");
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code);
                    bean.setRole(role_id);
                    bean.setLastLogin(last_login);
                    bean.setRoleDesc(role_desc);
                    bean.setValid(true);
                }
                if (!hasdata) {
                    System.out.println("Sorry, you are not a registered user! Please sign up first " + searchQuery);
                    bean.setValid(false);
                }
            } catch (Exception ex) {
                System.out.println("Log In failed: An Exception has occurred! " + ex);
            }
            //some exception handling
            finally {
                if (rs != null) {
                    try
How stable is Tomcat?
Guys, is Tomcat stable enough to host large-scale production applications getting 1500+ hits every day, and as many concurrent database connections? I know a lot depends on the application's architecture, but just how good is Tomcat?
Re: How stable is Tomcat?
Thank you Marco for your insight and for sharing your experience.

From: Marco Castillo mabcasti...@vdkit.net
To: Tomcat Users List users@tomcat.apache.org
Sent: Sat, August 21, 2010 7:09:09 PM
Subject: Re: How stable is Tomcat?

I totally agree with Michel. We developed a JSF 2.0 application using Tomcat as the web container. Tomcat is as stable as the application you develop. The system we developed hosts a RIA application based on ICEFaces for almost 5000 users, and after a lot of debugging and JVM fine tuning we now have an almost rock-solid product. Note that the debugging was done on the app, and the JVM fine tuning is a must for this kind of application. Tomcat works fine with just some modifications in the config files. Actually we use the latest Tomcat 6 running over Linux CentOS.

Also we use Tomcat 6 for a landing page for a telco operator. The landing page was developed using JSP technology and implements Google SSO. This application actually serves 2 users, with almost 15000 hits on a daily basis. Again, the main stabilization process was done in the application, not Tomcat, and Tomcat works just fine.

Hope this information was helpful.

Regards
Ing. Marco Antonio Castillo
Chief Design Engineer
Van Der Kaaden IT Consulting
Guatemala, Guatemala C.A.
tel: +502 22382710
mobile: +502 59186971
e-mail: mabcasti...@vdkit.net
sip: mabcasti...@sip.vdkit.net

On Sat, Aug 21, 2010 at 7:07 AM, michel compu...@videotron.ca wrote:

I think that maybe you are mixing up stability and scalability. While they are connected, an unstable system can fail at low volume. Also, I don't think that 1500 hits a day is that much.

Michel

----- Original Message -----
From: Yawar Khan khanya...@yahoo.com
To: Tomcat Users users@tomcat.apache.org
Sent: Saturday, August 21, 2010 8:59 AM
Subject: How stable is Tomcat?

Guys, is Tomcat stable enough to host large-scale production applications getting 1500+ hits every day, and as many concurrent database connections? I know a lot depends on the application's architecture, but just how good is Tomcat?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux
Chris, I had a look at container-managed authentication and it's quite handy, but I couldn't see how I can add extra functionality like calling an encryption function on the password text field before Tomcat does its authentication on it. For JS, my client-side validation is done on the form submit button click event; if the hackers do disable JavaScript, how will my HTML form be submitted? However, I will add some server-side validation as well; I agree that's important.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, August 20, 2010 3:41 AM
To: Tomcat Users List
Subject: Re: [OT] Sessions mix-up on Tomcat 6.0.26 on Linux

Yawar,

On 8/19/2010 3:27 PM, Yawar Saeed Khan/ITG/Karachi wrote:

your comments on my current code tell me that this code is not bad, but I should check out Tomcat's container-managed logins... right?

This code seems to be doing more work than necessary. Container-managed authentication and authorization is a useful service provided by the container. I highly recommend taking a look at using it, but it may be ... disruptive to your existing workflows.

plus I would like to mention that I have client-side form validations (JS) to stop query busters.

I'm sure that hackers will be sure to leave JavaScript enabled when they visit your site.

-chris
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Hi, I have been trying to post emails on this list but getting mailer-daemon replies that only subscribers can post. I don't know what happened there, so I subscribed my other email address. OK, now for the topic at hand. Wesley, udac is a public class which exists in the same package, and login is a static function. I think that much is pretty obvious. I had proper naming conventions, but when I moved my source code to Linux all my file names were changed to lower case and the application could not find the classes and JSP files. I didn't know any other way (and didn't have any time for R&D), so I changed the names of classes and JSP files to lower case. Anyway, my original topic is the sessions mix-up. Do you see any relevance of sessions in the udac class? Sessions are getting created in loginmanager.

-----Original Message-----
From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
Sent: Friday, August 20, 2010 2:05 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

Maybe it's just me, but I still don't see where udac is declared or even imported.

On Thu, Aug 19, 2010 at 10:26 PM, Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk wrote:

Yeah, I did attach a .java file; anyway, I am posting the code here:

    package org.mcb.services;

    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    /**
     *
     * @author yawar.saeed
     */
    public class loginmanager extends HttpServlet {

        protected void processRequest(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.setContentType("text/html;charset=iso-8859-1");
            PrintWriter out = response.getWriter();
            try {
                userbean user = new userbean();
                user.setUserId(request.getParameter("txt_userid"));
                user.setPassword(request.getParameter("txt_pass"));
                user = udac.login(user);
                if (user.isValid()) {
                    HttpSession session = request.getSession(true);
                    session.setAttribute("user_id", user.getUserId());
                    session.setAttribute("user_name", user.getName());
                    session.setAttribute("role_id", user.getRole());
                    session.setAttribute("role_desc", user.getRoleDesc());
                    session.setAttribute("last_login", user.getLastLogin());
                    //response.sendRedirect("main.jsp"); //logged-in page
                    response.sendRedirect(response.encodeRedirectURL("main.jsp"));
                } else {
                    //response.sendRedirect("index.jsp?user=" + user.isValid()); //revert back to login page
                    response.sendRedirect(response.encodeRedirectURL("index.jsp?user=" + user.isValid())); //revert back to login page
                }
            } finally {
                out.close();
            }
        }

        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }

        @Override
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            processRequest(request, response);
        }
    }

From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
Sent: Fri 20-Aug-10 1:56 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

Sorry, can't see it. Are you sure you attached it? You could use something like pastebin if the mailing list does accept attachments.

On Thu, Aug 19, 2010 at 9:27 PM, Yawar Saeed Khan/ITG/Karachi yawar.sa...@mcb.com.pk wrote:

Source code is attached; suggestions are welcome.

From: Wesley Acheson [mailto:wesley.ache...@gmail.com]
Sent: Fri 20-Aug-10 12:38 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

Okay, I've a little theory. Could you post the entire code for loginmanager? How is udac declared? If it's a class variable then *IT'S NOT THREAD SAFE*. As a basic rule, don't declare class variables in a servlet (there are exceptions to this rule, but you shouldn't under normal circumstances).
RE: Sessions mix-up on Tomcat 6.0.26 on Linux
Chris, you identified a possible SQL injection in my code and declared it a very bad piece of code, despite the fact that JDBC does not allow more than one query on this execute function and I am doing field validation before submission of the form. Is there another genuine threat or bug that you identified and would like to share? Please do. I am sharing the udac source code as well; Wesley, your comments are also welcome. Somebody also asked what will happen in case udac.login throws an exception; well, exception handling is inside this class. Sorry, but I missed that email so I am unable to name that gentleman friend.

    package org.mcb.services;

    import java.text.*;
    import java.util.*;
    import java.sql.*;
    import javax.servlet.http.HttpSession;

    public class udac {
        static Connection currentCon = null;
        static ResultSet rs = null;

        public static userbean login(userbean bean) {
            //preparing some objects for connection
            Statement stmt = null;
            String userid = bean.getUserId();
            String password = bean.getPassword();
            String epass = null;
            String name = null;
            String user_id = null;
            String role_id = null;
            String branch_code = null;
            String last_login = null;
            String role_desc = null;
            try {
                epass = passwordservices.getInstance().encrypt(password);
                //passwordservices is a class which has functions to encrypt a string and return back the string.
            } catch (Exception e) {
                System.out.println(e);
            }
            String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC"
                + " FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
            searchQuery = searchQuery + " AND LOWER(a.USER_ID) = LOWER('" + userid + "') AND a.PASSWORD = '" + epass + "'";
            try {
                //connect to DB: connectionmanager is a class which contains connection functions
                currentCon = connectionmanager.scgm_conn();
                stmt = currentCon.createStatement();
                rs = stmt.executeQuery(searchQuery);
                boolean hasdata = false;
                while (rs.next()) {
                    hasdata = true;
                    name = rs.getString("NAME");
                    user_id = rs.getString("USER_ID");
                    branch_code = rs.getString("BRANCH_CODE");
                    role_id = rs.getString("ROLE_ID");
                    last_login = rs.getString("LAST_LOGIN_DATE");
                    role_desc = rs.getString("ROLE_DESC");
                    bean.setName(name);
                    bean.setUserId(user_id);
                    bean.setBranch(branch_code);
                    bean.setRole(role_id);
                    bean.setLastLogin(last_login);
                    bean.setRoleDesc(role_desc);
                    bean.setValid(true);
                }
                if (!hasdata) {
                    System.out.println("Sorry, you are not a registered user! Please sign up first " + searchQuery);
                    bean.setValid(false);
                }
            } catch (Exception ex) {
                System.out.println("Log In failed: An Exception has occurred! " + ex);
            }
            //some exception handling
            finally {
                if (rs != null) {
                    try { rs.close(); } catch (Exception e) {}
                    rs = null;
                }
                if (stmt != null) {
                    try { stmt.close(); } catch (Exception e) {}
                    stmt = null;
                }
                if (currentCon != null) {
                    try { currentCon.close(); } catch (Exception e) {}
                    currentCon = null;
                }
            }
            return bean;
        }
    }

ysk

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, August 20, 2010 3:43 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux

Wesley,

On 8/19/2010 5:04 PM, Wesley Acheson wrote:

Maybe it's just me, but I still don't see where udac is declared or even imported.

...or even used. I'm guessing that the bad code exists outside of this login servlet.

-chris