Re: [tomcat-native] branch 1.2.x updated: Align default pass phrase prompt with HTTPd

[Michael Osipov]

On 2023/06/27 18:53:05 Christopher Schultz wrote:
> Michael,
> 
> On 6/27/23 12:55, Michael Osipov wrote:
> > On 2023/06/27 14:44:46 Christopher Schultz wrote:
> >> Michael,
> >>
> >> On 6/27/23 10:37, Michael Osipov wrote:
> >>> On 2023/06/27 14:13:37 Christopher Schultz wrote:
>  Michael,
> 
>  On 6/27/23 04:06, Michael Osipov wrote:
> > Chris,
> >
> > On 2023/06/26 19:50:39 Christopher Schultz wrote:
> >> Michael,
> >> On 6/26/23 13:11, micha...@apache.org wrote:
> >>> This is an automated email from the ASF dual-hosted git repository.
> >>>
> >>> michaelo pushed a commit to branch 1.2.x
> >>> in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
> >>>
> >>>
> >>> The following commit(s) were added to refs/heads/1.2.x by this push:
> >>>  new 8049561c8 Align default pass phrase prompt with HTTPd
> >>> 8049561c8 is described below
> >>>
> >>> commit 8049561c86c3270b86dfd484fd07f1e8627d6b41
> >>> Author: Michael Osipov 
> >>> AuthorDate: Mon Jun 26 18:05:40 2023 +0200
> >>>
> >>> Align default pass phrase prompt with HTTPd
> >>
> >> I'm close to a -1 on this, ant it entirely comes down to something
> >> stupid that people should definitely NOT do, but they probably actually
> >> do: script the injection of a password into the startup process because
> >> #securityReasons and their startup process looks specifically for the
> >> text "Enter password".
> >>
> >> Think expect(1) or similar being used to enter a password automatically
> >> when, really, the password should not be required for an automated 
> >> process.
> >>
> >> I think I'm okay with changing this for 2.x but 1.x is just too set in
> >> its ways at this point.
> >
> > I think you are misunderstanding something here. There is no functional 
> > change. The pass phrase popup has always been there. All I did is to 
> > align the message prompt, nothing else. If you want a decent solution 
> > one needs to port the SSLPassPhraseDialog from mod_ssl. I took a look, 
> > a lot of work, mostly not work the pain. The pass phrase prompt is only 
> > relevant when you start interactively from the terminal, if your 
> > process starts detached, it won't work anyway. I have tried here on 
> > HP-UX and FreeBSD, both failed because stdin is not connected to a tty.
> >
> > Can you re-explain your position based on these, new facts?
> 
>  No new facts, here, and I totally understand what you have done: change
>  the text "only".
> 
>  But, expect(1) literally expects specific text. If I have a script that
>  says:
> 
>  ===
>  expect "Enter password :"
> 
>  send $password
>  ===
> 
>  Then my script stops working because "Enter password :" has changed to
>  "Enter pass phrase:".
> 
>  So after umpteen years, the text is changing and that could break 20
>  years of scripts written for that specific text.
> 
>  I have not actually tried using expect(1) with this prompt. Does it
>  actually fail? The whole point of expect(1) is to simulate a console and
>  provide input to the process, so I suspect that it will work for the
>  same reasons it's worked for the past 30 years.
> 
>  Did you actually try using expect(1), if did you just "nohup catalina.sh
>  run" or something similar?
> >>>
> >>> I think you have the point here. As written, I tried no-tty option, yes 
> >>> one of was nohup.
> >>> Let me try that with py-expect and get back to you tomorrow. I still 
> >>> wonder who would actually use that.
> >>
> >> Yes, doing this kind of thing is definitely stupid because if you are
> >> going to put your password into a script, you may as well just put it in
> >> the #&$*% configuration file, but there are still dumb reasons for
> >> things like Tomcat Vault[1] to exist. I just don't want to suddenly
> >> break a bunch of installations for something trivial like the spelling
> >> of an output message.
> > 
> > I did now play around with expect(1), the original one. I can confirm your 
> > fears. expect(1) does block when the expected line changes.
> > 
> > Question is how big the change is that someone uses which broken setup. 
> > Would you accept the compromise that if someone complain we'd roll back in 
> > 1.2.x?
> 
> I'd prefer to just not change it. I know that sounds maybe insanely 
> hesitant and smacks of "nothing can ever change" but this /could/ 
> represent a very important very breaking change to some users.

If you don't break it you don't know who uses it ;-)

> We don't have a policy of "never change anything, never break anything" 
> but because of the specific interactions in this case, I view the text 
> of this message almost like a public software interface (i.e. API). 
> Changing that requires some serious consideration w

[Bug 66670] Add SSLHostConfig#certificateKeyPasswordFile

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=66670

--- Comment #7 from Michael Osipov  ---
So, you guys don't see a need for such a feature? Yeah, we all know that are
workarounds/solutions, but they (completely) lack documentation and ease of
access.

Chris, of course in my I can read the file myself, but this can basically apply
to everything which is text-based, no?

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] michael-o commented on pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on PR #631:
URL: https://github.com/apache/tomcat/pull/631#issuecomment-1610892466

   If there are no objections, I will merge this week.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] markt-asf commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

markt-asf commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1244833991


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   This creates a new scheme for naming configuration files. It should instead 
use the `ConfigFileLoader` and `ConfigurationSource`. They would need extending 
to include web application relative resources as they currently only support 
absolute file, files relative to $CATALINA_BASE, classpath and URI.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] rmaucher commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

rmaucher commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1244881448


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   In the specific case of this feature, it seems the only "real" location that 
makes sense would be the default one anyway. So I would simply remove the 
option to have it in random places and be done with it.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] michael-o commented on pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on PR #631:
URL: https://github.com/apache/tomcat/pull/631#issuecomment-1611007682

   > I like the idea of exposing this feature. I'm somewhat surprised that it 
isn't part of the specification but, unless I am reading the XSDs incorrectly, 
the spec only defines role-mapping on a per Servlet basis which seems odd to me.
   
   Correct and I consider the per-Servlet one as unusable if you have tens of 
them.
   
   > I'm not convinced an extra file configuration is necessary. This looks 
like something that could be a nested element in the context.xml file and 
implemented with an extra digester rule.
   
   Both should be possible because the file could be in the classpath which 
contains more than just the mapping. Just being int he context.xml it not 
available to the actual application, but just some Tomcat. In a future revision 
the source could be done flexible. At least in my usecase, having it in 
context.xml would force me to duplicate the mapping and that is unacceptable.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] michael-o commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1244890559


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   > In the specific case of this feature, it seems the only "real" location 
that makes sense would be the default one anyway. So I would simply remove the 
option to have it in random places and be done with it.
   
   I disagree, see my explanation below.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] michael-o commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1244891581


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   > This creates a new scheme for naming configuration files. It should 
instead use the `ConfigFileLoader` and `ConfigurationSource`. They would need 
extending to include web application relative resources as they currently only 
support absolute file, files relative to $CATALINA_BASE, classpath and URI.
   
   Correct, that is a problem. I didn't now what features are available to make 
this happen. Let me look into the mention files.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] michael-o commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1244891581


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   > This creates a new scheme for naming configuration files. It should 
instead use the `ConfigFileLoader` and `ConfigurationSource`. They would need 
extending to include web application relative resources as they currently only 
support absolute file, files relative to $CATALINA_BASE, classpath and URI.
   
   Correct, that is a problem. I didn't know what features are available to 
make this happen. Let me look into the mention files.



##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp

[GitHub] [tomcat] michael-o commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1244917856


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   > This creates a new scheme for naming configuration files. It should 
instead use the `ConfigFileLoader` and `ConfigurationSource`. They would need 
extending to include web application relative resources as they currently only 
support absolute file, files relative to $CATALINA_BASE, classpath and URI.
   
   @markt-asf While looking into this, I understand how the system works how 
`classpath:` is registered with the JVM, hoping that it will use the webapp's 
classpath, but I fail to see how to provide the `Context` to 
`org.apache.tomcat.util.file.ConfigFileLoader.getSource()` without modifing it. 
Any pointers I could evaluate? I could of course first look into servlet 
context and then if not found pass to the `ConfigFileLoader`...



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] michael-o commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1244917856


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   > This creates a new scheme for naming configuration files. It should 
instead use the `ConfigFileLoader` and `ConfigurationSource`. They would need 
extending to include web application relative resources as they currently only 
support absolute file, files relative to $CATALINA_BASE, classpath and URI.
   
   @markt-asf While looking into this, I understand how the system works how 
`classpath:` is registered with the JVM, hoping that it will use the webapp's 
classpath, but I fail to see how to provide the `Context` to 
`org.apache.tomcat.util.file.ConfigFileLoader.getSource()` without modifing it. 
Any pointers I could evaluate? I could of course first look into servlet 
context and then if not found pass to the `ConfigFileLoader`... (chaining 
basically)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] rmaucher commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

rmaucher commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1244989146


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   > > This creates a new scheme for naming configuration files. It should 
instead use the `ConfigFileLoader` and `ConfigurationSource`. They would need 
extending to include web application relative resources as they currently only 
support absolute file, files relative to $CATALINA_BASE, classpath and URI.
   > 
   > @markt-asf While looking into this, I understand how the system works how 
`classpath:` is registered with the JVM, hoping that it will use the webapp's 
classpath, but I fail to see how to provide the `Context` to 
`org.apache.tomcat.util.file.ConfigFileLoader.getSource()` without modifing it. 
Any pointers I could evaluate? I could of course first look into servlet 
context and then if not found pass to the `ConfigFileLoader`... (chaining 
basically)
   
   Ok, so since the multiple location options are useful, then you can use the 
configuration source instead of the last fallback after checking for the 
webapp: prefix (I would argue "ok keep this one, but the other classpath prefix 
is then overkill"). The configuration source is a server level setting and so 
would have trouble accessing the Context object itself.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] michael-o commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1244995761


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   > > > This creates a new scheme for naming configuration files. It should 
instead use the `ConfigFileLoader` and `ConfigurationSource`. They would need 
extending to include web application relative resources as they currently only 
support absolute file, files relative to $CATALINA_BASE, classpath and URI.
   > > 
   > > 
   > > @markt-asf While looking into this, I understand how the system works 
how `classpath:` is registered with the JVM, hoping that it will use the 
webapp's classpath, but I fail to see how to provide the `Context` to 
`org.apache.tomcat.util.file.ConfigFileLoader.getSource()` without modifing it. 
Any pointers I could evaluate? I could of course first look into servlet 
context and then if not found pass to the `ConfigFileLoader`... (chaining 
basically)
   > 
   > Ok, so since the multiple location options are useful, then you can use 
the configuration source instead of the last fallback after checking for the 
webapp: prefix (I would argue "ok keep this one, but the other classpath prefix 
is then overkill"). The configuration source is a server level setting and so 
would have trouble accessing the Context object itself.
   
   Right, this is exactly what I do not. Let me also update the docs and push 
the branch.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] michael-o commented on pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on PR #631:
URL: https://github.com/apache/tomcat/pull/631#issuecomment-1611149722

   @rmaucher @markt-asf Incorporated your comments. Please have a look again.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch main updated: Implement java.util.Optional support for the EL 6.0 API

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 6c8b2d1e0a Implement java.util.Optional support for the EL 6.0 API
6c8b2d1e0a is described below

commit 6c8b2d1e0aeeae2e2a5dda946360ff626bd79ad6
Author: Mark Thomas 
AuthorDate: Wed Jun 28 12:18:53 2023 +0100

Implement java.util.Optional support for the EL 6.0 API

See also:
https://github.com/jakartaee/expression-language/issues/176
---
 java/jakarta/el/OptionalELResolver.java  | 182 
 java/jakarta/el/Util.java|   6 +-
 test/jakarta/el/TestOptionalELResolver.java  | 210 +++
 test/jakarta/el/TestOptionalELResolverInJsp.java |  87 ++
 test/jakarta/el/TesterBeanA.java |  33 
 test/jakarta/el/TesterBeanB.java |  35 
 test/webapp/el-optional.jsp  |  48 ++
 webapps/docs/changelog.xml   |  10 ++
 8 files changed, 609 insertions(+), 2 deletions(-)

diff --git a/java/jakarta/el/OptionalELResolver.java 
b/java/jakarta/el/OptionalELResolver.java
new file mode 100644
index 00..6f9c3da73f
--- /dev/null
+++ b/java/jakarta/el/OptionalELResolver.java
@@ -0,0 +1,182 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package jakarta.el;
+
+import java.util.Objects;
+import java.util.Optional;
+
+/**
+ * Defines property resolution behaviour on {@link Optional}s.
+ *
+ * 
+ * This resolver handles base objects that are instances of {@link Optional}.
+ *
+ * 
+ * If the {@link Optional#isEmpty()} is {@code true} for the base object and 
the property is {@code null} then the
+ * resulting value is {@code null}.
+ *
+ * 
+ * If the {@link Optional#isEmpty()} is {@code true} for the base object and 
the property is not {@code null} then the
+ * resulting value is the base object (an empty {@link Optional}).
+ *
+ * 
+ * If the {@link Optional#isPresent()} is {@code true} for the base object and 
the property is {@code null} then the
+ * resulting value is the result of calling {@link Optional#get()} on the base 
object.
+ *
+ * 
+ * If the {@link Optional#isPresent()} is {@code true} for the base object and 
the property is not {@code null} then the
+ * resulting value is the result of calling {@link 
ELResolver#getValue(ELContext, Object, Object)} using the
+ * {@link ELResolver} obtained from {@link ELContext#getELResolver()} with the 
following parameters:
+ * 
+ * The {@link ELContext} is the current context
+ * The base object is the result of calling {@link Optional#get()} on the 
current base object
+ * The property object is the current property object
+ * 
+ *
+ * 
+ * This resolver is always a read-only resolver.
+ */
+public class OptionalELResolver extends ELResolver {
+
+@Override
+public Object getValue(ELContext context, Object base, Object property) {
+Objects.requireNonNull(context);
+
+if (base instanceof Optional) {
+context.setPropertyResolved(base, property);
+if (((Optional) base).isEmpty()) {
+if (property == null) {
+return null;
+} else {
+return base;
+}
+} else {
+if (property == null) {
+return ((Optional) base).get();
+} else {
+Object resolvedBase = ((Optional) base).get();
+return context.getELResolver().getValue(context, 
resolvedBase, property);
+}
+}
+}
+
+return null;
+}
+
+/**
+ * {@inheritDoc}
+ *
+ * 
+ * If the base object is an {@link Optional} this method always returns 
{@code null} since instances of this
+ * resolver are always read-only.
+ */
+@Override
+public Class getType(ELContext context, Object base, Object property) {
+Objects.requireNonNull(context);
+
+if (base instanceof Optional) {
+context.setPropertyResolved(base, property);
+}
+

[tomcat] branch main updated: Fix formatting and copy/paste error

[markt]

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 91d3d59727 Fix formatting and copy/paste error
91d3d59727 is described below

commit 91d3d5972737cee7ece90fc0672bc4842130ea72
Author: Mark Thomas 
AuthorDate: Wed Jun 28 12:33:59 2023 +0100

Fix formatting and copy/paste error
---
 java/jakarta/el/OptionalELResolver.java | 22 +-
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/java/jakarta/el/OptionalELResolver.java 
b/java/jakarta/el/OptionalELResolver.java
index 6f9c3da73f..95eb1c5323 100644
--- a/java/jakarta/el/OptionalELResolver.java
+++ b/java/jakarta/el/OptionalELResolver.java
@@ -21,32 +21,27 @@ import java.util.Optional;
 
 /**
  * Defines property resolution behaviour on {@link Optional}s.
- *
  * 
  * This resolver handles base objects that are instances of {@link Optional}.
- *
  * 
  * If the {@link Optional#isEmpty()} is {@code true} for the base object and 
the property is {@code null} then the
  * resulting value is {@code null}.
- *
  * 
  * If the {@link Optional#isEmpty()} is {@code true} for the base object and 
the property is not {@code null} then the
  * resulting value is the base object (an empty {@link Optional}).
- *
  * 
  * If the {@link Optional#isPresent()} is {@code true} for the base object and 
the property is {@code null} then the
  * resulting value is the result of calling {@link Optional#get()} on the base 
object.
- *
  * 
  * If the {@link Optional#isPresent()} is {@code true} for the base object and 
the property is not {@code null} then the
  * resulting value is the result of calling {@link 
ELResolver#getValue(ELContext, Object, Object)} using the
  * {@link ELResolver} obtained from {@link ELContext#getELResolver()} with the 
following parameters:
  * 
  * The {@link ELContext} is the current context
- * The base object is the result of calling {@link Optional#get()} on the 
current base object
+ * The base object is the result of calling {@link Optional#get()} on the 
current base object
+ * 
  * The property object is the current property object
  * 
- *
  * 
  * This resolver is always a read-only resolver.
  */
@@ -77,9 +72,9 @@ public class OptionalELResolver extends ELResolver {
 return null;
 }
 
+
 /**
  * {@inheritDoc}
- *
  * 
  * If the base object is an {@link Optional} this method always returns 
{@code null} since instances of this
  * resolver are always read-only.
@@ -95,9 +90,9 @@ public class OptionalELResolver extends ELResolver {
 return null;
 }
 
+
 /**
  * {@inheritDoc}
- *
  * 
  * If the base object is an {@link Optional} this method always throws a 
{@link PropertyNotWritableException} since
  * instances of this resolver are always read-only.
@@ -112,9 +107,9 @@ public class OptionalELResolver extends ELResolver {
 }
 }
 
+
 /**
  * {@inheritDoc}
- *
  * 
  * If the base object is an {@link Optional} this method always returns 
{@code true} since instances of this
  * resolver are always read-only.
@@ -131,9 +126,9 @@ public class OptionalELResolver extends ELResolver {
 return false;
 }
 
+
 /**
  * {@inheritDoc}
- *
  * 
  * If the base object is an {@link Optional} this method always returns 
{@code Object.class}.
  */
@@ -146,6 +141,7 @@ public class OptionalELResolver extends ELResolver {
 return null;
 }
 
+
 @Override
 public  T convertToType(ELContext context, Object obj, Class type) {
 Objects.requireNonNull(context);
@@ -168,8 +164,8 @@ public class OptionalELResolver extends ELResolver {
 return result;
 } catch (ELException e) {
 /*
- *  TODO: This isn't pretty but it works. Significant 
refactoring would be required to avoid the
- *  exception. See also OptionalELResolver.convertToType().
+ * TODO: This isn't pretty but it works. Significant 
refactoring would be required to avoid the
+ * exception. See also Util.isCoercibleFrom().
  */
 }
 } else {


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 66669] JVM crash in APR mode

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=9

--- Comment #2 from Mark Thomas  ---
Note:
The APR/Tomcat Native HTTP and AJP connectors are deprecated in Tomcat 9 and
have been removed in Tomcat 10.1.x onwards. You have plenty of time before
9.0.x reaches End-Of-Life but you might want to switch to one of the
alternatives sooner rather than later. The NIO connector with
OpenSSLImplementation is probably a good option.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] rmaucher commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

rmaucher commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1245185858


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   Ok. I tried to find a spot to add a new call in the configuration source for 
a "public Resource getResource(Context context, String name)" but IMO this 
doesn't add anything and also there's no ideal spot for that.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] michael-o commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1245197279


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   > Ok. I tried to find a spot to add a new call in the configuration source 
for a "public Resource getResource(Context context, String name)" but IMO this 
doesn't add anything and also there's no ideal spot for that.
   
   Correct, I would consider improving the `ConfigurationSource` a separate 
discussion which should not be solved here. If the class is being improved, I'd 
be happy to skim this class after that.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 66669] JVM crash in APR mode

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=9

--- Comment #3 from Michael Osipov  ---
Can you reliably reproduce the issue? What OS are you using? I haven't seen so
many crashes with APR for the past 10 years in such a short time frame.
Especially #setSocketOptions() is weird.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 66669] JVM crash in APR mode

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=9

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |NEEDINFO

--- Comment #4 from Mark Thomas  ---
To investigate this further we need a test case that reproduces the crash
reliably enough for us to be able to debug it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 66669] JVM crash in APR mode

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=9

Mark Thomas  changed:

   What|Removed |Added

   Severity|critical|normal

--- Comment #5 from Mark Thomas  ---
Reduce severity to normal.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 66669] JVM crash in APR mode

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=9

--- Comment #6 from Christopher Schultz  ---
Also, the native backtrace would be helpful (it should be found in the
hs_pid_.txt file generated on crash). If you were able to inspect with gdb,
anything you found in there would be helpful as well.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 66659] Tomcat does not send FIN message upon request by client to close TCP connection

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=66659

Mark Thomas  changed:

   What|Removed |Added

 OS||All

--- Comment #1 from Mark Thomas  ---
The issue is that Tomcat won't see the effects of the FIN until it tries to
read from the socket. That won't happen until Tomcat tries to read the next
request. And that will never happen as with SSE the current response
(effectively) never ends so Tomcat never gets as far as trying to read the next
request.

If Tomcat tried to read earlier then it should see the FIN and be able to act
on it but handling the results of that early read when there is pipe-lined HTTP
data is going to be "interesting".

Architecturally I'm not even sure that it is possible to fix this for HTTP/1.1.
I have a few ideas but they involve extensive low-level changes and I haven't
fully thought through the concurrency issues involved.

A simpler solution (and quicker for you to implement) should be switching to
HTTP/2. The multiplexing nature of HTTP/2 means that Tomcat is, effectively,
always trying to read the input and will see the close of either the stream or
the connection.

Switching to WebSocket is another option but one that is almost certainly
rather more work for you.

I'm leaning towards closing this as WONTFIX but I'll leave it open for now to
allow others to comment.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch main updated: Add utlity config file resource lookup

[remm]

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 3d41f33af2 Add utlity config file resource lookup
3d41f33af2 is described below

commit 3d41f33af2aaa8af97ea45c2e2d0776f870ab073
Author: remm 
AuthorDate: Wed Jun 28 20:49:21 2023 +0200

Add utlity config file resource lookup

Located on Context to allow looking up resources from the webapp
(prefixed with "webapp:") and make the resource lookup API more visible.
---
 java/org/apache/catalina/Context.java  | 20 
 java/org/apache/catalina/core/StandardContext.java | 22 ++
 webapps/docs/changelog.xml |  6 ++
 3 files changed, 48 insertions(+)

diff --git a/java/org/apache/catalina/Context.java 
b/java/org/apache/catalina/Context.java
index 928c1bfcd0..ddb29516b6 100644
--- a/java/org/apache/catalina/Context.java
+++ b/java/org/apache/catalina/Context.java
@@ -16,6 +16,7 @@
  */
 package org.apache.catalina;
 
+import java.io.IOException;
 import java.net.URL;
 import java.util.Locale;
 import java.util.Map;
@@ -38,6 +39,7 @@ import org.apache.tomcat.util.descriptor.web.FilterDef;
 import org.apache.tomcat.util.descriptor.web.FilterMap;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.apache.tomcat.util.file.ConfigurationSource.Resource;
 import org.apache.tomcat.util.http.CookieProcessor;
 
 /**
@@ -84,6 +86,11 @@ public interface Context extends Container, ContextBind {
 String CHANGE_SESSION_ID_EVENT = "changeSessionId";
 
 
+/**
+ * Prefix for resource lookup.
+ */
+String WEBAPP_PROTOCOL = "webapp:";
+
 // - Properties
 
 /**
@@ -1963,4 +1970,17 @@ public interface Context extends Container, ContextBind {
  * @param dispatcherWrapsSameObject the new flag value
  */
 void setDispatcherWrapsSameObject(boolean dispatcherWrapsSameObject);
+
+
+/**
+ * Find configuration file with the specified path, first looking into the
+ * webapp resources, then delegating to
+ * ConfigFileLoader.getSource().getResource. The
+ * WEBAPP_PROTOCOL constant prefix is used to denote webapp
+ * resources.
+ * @param name The resource name
+ * @return the resource
+ * @throws IOException if an error occurs or if the resource does not exist
+ */
+Resource findConfigFileResource(String name) throws IOException;
 }
diff --git a/java/org/apache/catalina/core/StandardContext.java 
b/java/org/apache/catalina/core/StandardContext.java
index 6476bf08c5..b8c911a9c3 100644
--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
@@ -20,6 +20,7 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayDeque;
@@ -127,6 +128,8 @@ import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.MessageDestination;
 import org.apache.tomcat.util.descriptor.web.SecurityCollection;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.apache.tomcat.util.file.ConfigFileLoader;
+import org.apache.tomcat.util.file.ConfigurationSource.Resource;
 import org.apache.tomcat.util.http.CookieProcessor;
 import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
 import org.apache.tomcat.util.scan.StandardJarScanner;
@@ -3497,6 +3500,25 @@ public class StandardContext extends ContainerBase 
implements Context, Notificat
 }
 
 
+@Override
+public Resource findConfigFileResource(String name) throws IOException {
+if (name.startsWith(WEBAPP_PROTOCOL)) {
+String path = name.substring(WEBAPP_PROTOCOL.length());
+WebResource resource = getResources().getResource(path);
+if (resource.canRead()) {
+InputStream stream = resource.getInputStream();
+try {
+return new Resource(stream, resource.getURL().toURI());
+} catch (URISyntaxException e) {
+stream.close();
+}
+}
+return null;
+} else {
+return ConfigFileLoader.getSource().getResource(name);
+}
+}
+
 /**
  * Reload this web application, if reloading is supported.
  * 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6d58f1ceb2..537749e57a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -117,6 +117,12 @@
 if the web applications were deliberately crafted to allow it

Buildbot failure in on tomcat-11.0.x

[buildbot]

Build status: BUILD FAILED: failed compile (failure)
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/112/builds/456
Blamelist: remm 
Build Text: failed compile (failure)
Status Detected: new failure
Build Source Stamp: [branch main] 3d41f33af2aaa8af97ea45c2e2d0776f870ab073


Steps:

  worker_preparation: 0

  git: 0

  shell: 0

  shell_1: 0

  shell_2: 0

  shell_3: 0

  shell_4: 0

  shell_5: 0

  compile: 2


-- ASF Buildbot


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch main updated: Add new method in helper classes

[remm]

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new c340b6a258 Add new method in helper classes
c340b6a258 is described below

commit c340b6a25856c7aaab19dc492ac710142a22c954
Author: remm 
AuthorDate: Wed Jun 28 20:55:10 2023 +0200

Add new method in helper classes
---
 java/org/apache/catalina/startup/FailedContext.java | 5 +
 test/org/apache/tomcat/unittest/TesterContext.java  | 4 
 2 files changed, 9 insertions(+)

diff --git a/java/org/apache/catalina/startup/FailedContext.java 
b/java/org/apache/catalina/startup/FailedContext.java
index f892b61298..62ae2f35a8 100644
--- a/java/org/apache/catalina/startup/FailedContext.java
+++ b/java/org/apache/catalina/startup/FailedContext.java
@@ -18,6 +18,7 @@ package org.apache.catalina.startup;
 
 import java.beans.PropertyChangeListener;
 import java.io.File;
+import java.io.IOException;
 import java.net.URL;
 import java.util.Locale;
 import java.util.Map;
@@ -61,6 +62,7 @@ import org.apache.tomcat.util.descriptor.web.FilterDef;
 import org.apache.tomcat.util.descriptor.web.FilterMap;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.apache.tomcat.util.file.ConfigurationSource.Resource;
 import org.apache.tomcat.util.http.CookieProcessor;
 import org.apache.tomcat.util.res.StringManager;
 
@@ -850,4 +852,7 @@ public class FailedContext extends LifecycleMBeanBase 
implements Context {
 public boolean getParallelAnnotationScanning() { return false; }
 @Override
 public void setParallelAnnotationScanning(boolean 
parallelAnnotationScanning) {}
+
+@Override
+public Resource findConfigFileResource(String name) throws IOException { 
return null; }
 }
\ No newline at end of file
diff --git a/test/org/apache/tomcat/unittest/TesterContext.java 
b/test/org/apache/tomcat/unittest/TesterContext.java
index 9c2e10754c..d906b60010 100644
--- a/test/org/apache/tomcat/unittest/TesterContext.java
+++ b/test/org/apache/tomcat/unittest/TesterContext.java
@@ -18,6 +18,7 @@ package org.apache.tomcat.unittest;
 
 import java.beans.PropertyChangeListener;
 import java.io.File;
+import java.io.IOException;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
@@ -64,6 +65,7 @@ import org.apache.tomcat.util.descriptor.web.FilterDef;
 import org.apache.tomcat.util.descriptor.web.FilterMap;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.apache.tomcat.util.file.ConfigurationSource.Resource;
 import org.apache.tomcat.util.http.CookieProcessor;
 
 /**
@@ -1321,4 +1323,6 @@ public class TesterContext implements Context {
 @Override
 public void setMetadataComplete(boolean metadataComplete) { /* NO-OP */ }
 
+@Override
+public Resource findConfigFileResource(String name) throws IOException { 
return null; }
 }


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] rmaucher commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

rmaucher commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1245631182


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   After thinking about it for a bit, adding a helper method to the Context 
interface seemed like the way to go to me. This is helpful to allow more 
flexibility on location of configs that can be bundled in the webapp, and also 
it makes the ConfigurationSource API a bit more visible.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch main updated: Pull up as default method since it avoids API compatibility issues

[remm]

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new d1f0c34b18 Pull up as default method since it avoids API compatibility 
issues
d1f0c34b18 is described below

commit d1f0c34b1831a1a11c9c7a3fc9d0455ca79857e0
Author: remm 
AuthorDate: Wed Jun 28 21:03:13 2023 +0200

Pull up as default method since it avoids API compatibility issues
---
 java/org/apache/catalina/Context.java  | 22 +-
 java/org/apache/catalina/core/StandardContext.java | 22 --
 .../org/apache/catalina/startup/FailedContext.java |  4 
 test/org/apache/tomcat/unittest/TesterContext.java |  4 
 4 files changed, 21 insertions(+), 31 deletions(-)

diff --git a/java/org/apache/catalina/Context.java 
b/java/org/apache/catalina/Context.java
index ddb29516b6..30f9f3016d 100644
--- a/java/org/apache/catalina/Context.java
+++ b/java/org/apache/catalina/Context.java
@@ -17,6 +17,8 @@
 package org.apache.catalina;
 
 import java.io.IOException;
+import java.io.InputStream;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.Locale;
 import java.util.Map;
@@ -39,6 +41,7 @@ import org.apache.tomcat.util.descriptor.web.FilterDef;
 import org.apache.tomcat.util.descriptor.web.FilterMap;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.apache.tomcat.util.file.ConfigFileLoader;
 import org.apache.tomcat.util.file.ConfigurationSource.Resource;
 import org.apache.tomcat.util.http.CookieProcessor;
 
@@ -1982,5 +1985,22 @@ public interface Context extends Container, ContextBind {
  * @return the resource
  * @throws IOException if an error occurs or if the resource does not exist
  */
-Resource findConfigFileResource(String name) throws IOException;
+default Resource findConfigFileResource(String name) throws IOException {
+if (name.startsWith(WEBAPP_PROTOCOL)) {
+String path = name.substring(WEBAPP_PROTOCOL.length());
+WebResource resource = getResources().getResource(path);
+if (resource.canRead()) {
+InputStream stream = resource.getInputStream();
+try {
+return new Resource(stream, resource.getURL().toURI());
+} catch (URISyntaxException e) {
+stream.close();
+}
+}
+return null;
+} else {
+return ConfigFileLoader.getSource().getResource(name);
+}
+}
+
 }
diff --git a/java/org/apache/catalina/core/StandardContext.java 
b/java/org/apache/catalina/core/StandardContext.java
index b8c911a9c3..6476bf08c5 100644
--- a/java/org/apache/catalina/core/StandardContext.java
+++ b/java/org/apache/catalina/core/StandardContext.java
@@ -20,7 +20,6 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
-import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayDeque;
@@ -128,8 +127,6 @@ import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.MessageDestination;
 import org.apache.tomcat.util.descriptor.web.SecurityCollection;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
-import org.apache.tomcat.util.file.ConfigFileLoader;
-import org.apache.tomcat.util.file.ConfigurationSource.Resource;
 import org.apache.tomcat.util.http.CookieProcessor;
 import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
 import org.apache.tomcat.util.scan.StandardJarScanner;
@@ -3500,25 +3497,6 @@ public class StandardContext extends ContainerBase 
implements Context, Notificat
 }
 
 
-@Override
-public Resource findConfigFileResource(String name) throws IOException {
-if (name.startsWith(WEBAPP_PROTOCOL)) {
-String path = name.substring(WEBAPP_PROTOCOL.length());
-WebResource resource = getResources().getResource(path);
-if (resource.canRead()) {
-InputStream stream = resource.getInputStream();
-try {
-return new Resource(stream, resource.getURL().toURI());
-} catch (URISyntaxException e) {
-stream.close();
-}
-}
-return null;
-} else {
-return ConfigFileLoader.getSource().getResource(name);
-}
-}
-
 /**
  * Reload this web application, if reloading is supported.
  * 
diff --git a/java/org/apache/catalina/startup/FailedContext.java 
b/java/org/apache/catalina/startup/FailedContext.java
index 62ae2f35a8..71e9e76c27 100644
--- a/java/org/apache/catalina/startup/FailedContext.java
+++ b/java/org

Buildbot success in on tomcat-11.0.x

[buildbot]

Build status: Build succeeded!
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/112/builds/457
Blamelist: remm 
Build Text: build successful
Status Detected: restored build
Build Source Stamp: [branch main] c340b6a25856c7aaab19dc492ac710142a22c954


Steps:

  worker_preparation: 0

  git: 0

  shell: 0

  shell_1: 0

  shell_2: 0

  shell_3: 0

  shell_4: 0

  shell_5: 0

  compile: 1

  shell_6: 0

  shell_7: 0

  shell_8: 0

  shell_9: 0

  Rsync docs to nightlies.apache.org: 0

  shell_10: 0

  Rsync RAT to nightlies.apache.org: 0

  compile_1: 1

  shell_11: 0

  Rsync Logs to nightlies.apache.org: 0


-- ASF Buildbot


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] michael-o commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

michael-o commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1245695672


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   I see what you are after:
   `public Resource org.apache.catalina.Context#getResource(String)` which will 
probe for `webapp:` and the delegate to `ConfigFileLoader`?
   
   I will happily add this, but it should be a separate PR after this one. Then 
when the new PR is done, I can modify this listener and it will be its first 
use case. Is that OK for you?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] rmaucher commented on a diff in pull request #631: Bug 66665: Provide option to supply role mapping from a properties file

[via GitHub]

rmaucher commented on code in PR #631:
URL: https://github.com/apache/tomcat/pull/631#discussion_r1245704486


##
java/org/apache/catalina/core/PropertiesRoleMappingListener.java:
##
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * 
+ * This listener must only be nested within {@link Context} elements.
+ * 
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * 
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+private static final String WEBAPP_RESOURCE_PREFIX = "webapp:";
+private static final String CLASSPATH_RESOURCE_PREFIX = "classpath:";
+

Review Comment:
   Of course, this is a minor detail.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Final Reminder: Community Over Code call for presentations closing soon

[Rich Bowen]

[Note: You're receiving this email because you are subscribed to one or
more project dev@ mailing lists at the Apache Software Foundation.]

This is your final reminder that the Call for Presentations for
Community Over Code (formerly known as ApacheCon) is closing soon - on
Thursday, 13 July 2023 at 23:59:59 GMT.

https://communityovercode.org/call-for-presentations/

We are looking for talk proposals on all topics related to ASF projects
and open source software.

The event will be held in Halifax, Nova Scotia, Octiber 7th through
10th. More details about the event may be found on the event website at
https://communityovercode.org/

Rich, for the event planners

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org