Re: Incorrect cookie value in tomcat5.5.26
Hi Sushil,

that scenario works just fine for me. You would have to show your actual code (and a test case) for me to analyze your actual problem.

Filip

Sushil Vegad wrote:

Hello Filip,

Please let me know your thoughts on this.

Our scenario is: We set the username in the cookie when the user logs in. I open a new browser instance, log in and the cookie is set. If I log out of the application and return to the login screen (on the same browser instance) the cookie is found.

PROBLEM: If I use a NEW browser instance to go to the login page, the cookie is NOT found.

On login submit, we set the cookie -

    Cookie cookie = new Cookie(Constants.REMEMBERME, username);
    cookie.setVersion(1);
    cookie.setMaxAge(Integer.MAX_VALUE);
    response.addCookie(cookie);

On requesting the login page, we check if the cookie was set -

    Cookie cookies[] = request.getCookies();
    String username = "";
    // getCookies() returns null when the request carries no cookies
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            Cookie c = cookies[i];
            if (c.getName().equals(Constants.REMEMBERME)) {
                username = c.getValue(); // Set username in the login field
                break;
            }
        }
    }

This code did not have an issue with tomcat 5.0

Thanks,
Sushil

-----Original Message-----
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: Monday, February 25, 2008 6:54 PM
To: Tomcat Users List
Subject: Re: Incorrect cookie value in tomcat5.5.26

What is your scenario? The following code worked for me, even though the browser doesn't send up cookie version.

    <%
    javax.servlet.http.Cookie[] cs = request.getCookies();
    String value = null;
    // getCookies() returns null on a request without cookies
    if (cs != null) {
        for (Cookie co : cs) {
            if ("test".equals(co.getName())) value = co.getValue();
        }
    }
    javax.servlet.http.Cookie c = new javax.servlet.http.Cookie("test", "someemail=somedomain.com");
    c.setVersion(1);
    c.setMaxAge(100);
    response.addCookie(c);
    %>
    done!<br/>
    <%=value%>

Sushil Vegad wrote:

Hello,

cookie.setVersion(1) remembers the cookie only for the browser session. A new browser does not have access to the cookie. We did cookie.setMaxAge(Integer.MAX_VALUE) but that doesn't help.

Any thoughts please?
Thanks,
Sushil Vegad
Technical Lead, Scheduling Project
Serebrum Corporation

-----Original Message-----
From: Filip Hanik - Dev Lists [mailto:[EMAIL PROTECTED]
Sent: Monday, February 11, 2008 11:54 AM
To: Tomcat Users List
Subject: Re: Incorrect cookie value in tomcat5.5.26

Not broken, corrected. The java doc says:

    setValue

    public void setValue(String <http://java.sun.com/j2se/1.5/docs/api/java/lang/String.html> newValue)

    Assigns a new value to a cookie after the cookie is created. If you use a binary value, you may want to use BASE64 encoding.

    With Version 0 cookies, values should not contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Empty values may not behave the same way on all browsers.

    Parameters: newValue - a String specifying the new value

To fix this, all you need to do is cookie.setVersion(1);

Filip

Konstantin Kolinko wrote:

I guess the cause is the same as for tomcat 6.0.16. See messages entitled "Cookies are broken in 6.0.16?".
http://www.nabble.com/Cookies-are-broken-in-6.0.16--to15369118.html

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
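An added example, not code from the thread or from Tomcat: the javadoc quoted above recommends BASE64 for values that contain characters a Version 0 cookie value should not carry. The class below (the name CookieValueCodec and its methods are hypothetical; java.util.Base64 assumes Java 8 or later, newer than the JVMs in this thread) checks a value against that character list and encodes the thread's sample value into a form that contains none of them.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example: keep cookie values inside the Version 0 safe character set. */
public class CookieValueCodec {

    // The javadoc's list (brackets, parentheses, equals signs, commas, double
    // quotes, slashes, question marks, at signs, colons, semicolons), read
    // conservatively as the HTTP token separators. White space is checked below.
    private static final String UNSAFE = "[]{}()<>=,\"/\\?@:;";

    /** True if the value can be sent unquoted in a Version 0 cookie. */
    static boolean isVersion0Safe(String value) {
        if (value == null || value.isEmpty()) {
            return false; // empty values behave differently across browsers
        }
        for (int i = 0; i < value.length(); i++) {
            char ch = value.charAt(i);
            if (ch <= 0x20 || ch >= 0x7f || UNSAFE.indexOf(ch) >= 0) {
                return false;
            }
        }
        return true;
    }

    /** URL-safe Base64 without '=' padding: output is only A-Z a-z 0-9 - _ */
    static String encode(String raw) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns null for anything that is not valid Base64 (the cookie is client-controlled). */
    static String decode(String cookieValue) {
        try {
            byte[] bytes = Base64.getUrlDecoder().decode(cookieValue);
            return new String(bytes, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String raw = "someemail=somedomain.com"; // sample value from the thread
        String encoded = encode(raw);
        System.out.println("raw safe?     " + isVersion0Safe(raw));
        System.out.println("encoded safe? " + isVersion0Safe(encoded));
        System.out.println("round trip:   " + raw.equals(decode(encoded)));
        System.out.println("garbage in:   " + decode("not*base64"));
    }
}
```

The decoded name comes from the client, so it is only suitable for prefilling the login field and should be HTML-escaped when written into the page.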
Re: SSL Setup From Site
What version of Tomcat and what are the logs saying?

Filip

Quoting Jim Reynolds [EMAIL PROTECTED]:

After creating a new Host, I now want to set up SSL on it. Following the docs I did the following:

1) create keystore

    E:\Tomcat\bin\DEVKEY>keytool -genkey -alias tomcat -keyalg RSA -keystore E:/Tomcat/bin/DEVKEY/devKeystore

answered questions.

2) made sure passwords were same. (changeit)

3) uncomment out the

    <Connector port="443" minProcessors="5" maxProcessors="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               keystoreFile="E:/Tomcat/bin/DEVKEY/devKeystore"
               keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>

// added above keystore location.

4) restarted tomcat, but I do not get ssl?

http://devsite (still happy)
https://devsite (cannot connect)

I am running all local here, no external hassles. Now while reading the docs for nth time, I am wondering if I need to create a certificate or not? It is hard to tell as they roll into discussing openSSL or verisign/Thawte.

Anyway, if I am missing a step here, please let me know,

Sincerely
Re: Apache Cookie Buffer Overflow
Your scanner may not work so well, it thinks that Tomcat is Apache httpd. The warnings you see, and the suggested fix, are related to httpd.apache.org, not tomcat.apache.org; two different products.

Hello,

We just installed a JBOSS server in our production Environment... Apparently JBOSS came bundled with Apache Tomcat/5.5.9

Our current environment is:

    Windows 2003 SP1
    JBOSS 4.0.2
    JVM Version: 1.4.2_11-b06
    Apache Tomcat/5.5.9

Our security scanner has picked up 2 security vulnerabilities on this server.

    Apache Cookie Buffer Overflow
    HTTP Buffer Overflows

Our security scanner indicated that we need to upgrade from Apache v1.1.1 to v1.3.2... but since we are already on Apache Tomcat/5.5.9... I don't think that is correct.

The scanner also indicated that we may be able to change a field in Apache called LimitRequestFieldsize... Thus far I have been unable to find this LimitRequestFieldsize field in any of our config files...

Is the LimitRequestFieldsize in Apache V.1.1.1 the same as maxHttpHeaderSize in Apache Tomcat/5.5.9?

Any suggestions would be appreciated.

Thank you
--Doug
Re: How to forward external-ip-facing requests from ApacheHTTPServer to Tomcat?
Use mod_proxy, much easier, and in our tests has proven to scale better, and you will wanna look for a directive called ProxyHostPreserve so that request.getServerName returns the right name, then the IP address will be stored in x-forwarded-for header in the HTTP request.

Filip

Hello Everyone,

I have successfully configured Apache to forward requests to my Tomcat instance. But it does so...only for requests whose IP resolves to 127.0.0.1

If I try to access a page through apache server (that's actually on tomcat) with the outside-facing-ip of my computer it fails.

For example:

1) URL: http://12.34.56.78:666/blah/serveMe.html FAILS with a 404 (apache does not forward properly)
2) URL: http://12.34.56.78:8080/blah/serveMe.html SUCCEEDS (tomcat seems to be ok when it gets the request directly, so it has to be a forwarding failure by apache in the previous case)
3) URL: http://my.domain.com:666/blah/serveMe.html SUCCEEDS (I have my.domain.com mapped to 127.0.0.1 in my windows' hosts file)
4) URL: http://localhost:666/blah/serveMe.html SUCCEEDS

I think this happens because the 1st request (the one with the outside facing ip) is not forwarded to Tomcat by apache.

a) The apache error logs show that Apache is trying to look for the page in the wrong place
b) The access logs of course show a 404 because it can't find the page to serve

Now, I have read a few threads and been on a few forums and apparently my worker.properties file is supposed to be as simple as this:

    worker.list=ajp13
    worker.ajp13.port=8009
    worker.ajp13.host=my.domain.com
    worker.ajp13.type=ajp13

I also tried putting my outside-facing-ip and localhost as values for worker.ajp13.host but it didn't seem to make any difference at all.

In that case I must ask all of you:

Question 1: How do I go about configuring apache to forward the outside-facing-ip requests to Tomcat? If it is not done in workers.properties...then where is it handled?
Question 2: Or am I wrong and it is actually handled by workers.properties? Even then, how?

Thanks in advance to all those who answer and all those who take the time to read this.

Cheers,
- Pulkit
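An added example, not code from the thread or from either project: the reply above says the client IP arrives in the x-forwarded-for header, and URL 2 in the question shows Tomcat's port 8080 is also reachable directly, so the application should honour that header only when the TCP peer is its own proxy. The class and method names are hypothetical, and the trusted-proxy list (exact-match addresses, with Apache assumed to run on 127.0.0.1) is an assumption.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added example: derive the client address behind a reverse proxy. */
public class ForwardedClientIp {

    /**
     * @param remoteAddr     the TCP peer, i.e. what request.getRemoteAddr() returns
     * @param xff            raw X-Forwarded-For header value, or null if absent
     * @param trustedProxies addresses of proxies we operate (assumption: exact match)
     */
    static String clientIp(String remoteAddr, String xff, Set<String> trustedProxies) {
        // A request that did not come through our proxy can carry any header
        // it likes, so the header is ignored and the TCP peer is used.
        if (xff == null || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        // Each proxy appends the peer it saw, so the rightmost entries are the
        // ones written by our own infrastructure. Walk right to left and stop
        // at the first address that is not one of our proxies; everything to
        // its left was supplied by the client and is not trusted.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) {
                continue;
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr; // header listed only our own proxies
    }

    public static void main(String[] args) {
        Set<String> proxies = new HashSet<>(Arrays.asList("127.0.0.1"));

        // Constructed cases (documentation address ranges).
        // Normal request through Apache on the same host:
        System.out.println(clientIp("127.0.0.1", "203.0.113.9", proxies));
        // Client sent its own X-Forwarded-For; Apache appended the real peer:
        System.out.println(clientIp("127.0.0.1", "10.1.1.1, 203.0.113.9", proxies));
        // Direct hit on Tomcat's port with a forged header:
        System.out.println(clientIp("198.51.100.7", "127.0.0.1", proxies));
    }
}
```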