re: apache + orion
Hi,

Yes it is. But you have to play with mod_rewrite as mod_proxy just allows you to redirect directories. Combining both modules you can select certain types of files, but be careful as mod_rewrite is sometimes tricky.

D.

Hello,

I recently started up Orion on 127.0.0.1:8090 with apache serving up the front end. I have the proxy service working great, but I would like to get Orion to answer all .jsp requests similar to how I have php setup. Is this possible?

Thanks in advance.

Justen Stepka
Re: Auto Class Reloading
Hi Ted,

Something like that happened to me recently, and it turns development into a tedious task as you have to re-login every time. The usual cause, as you mentioned, is that you probably store something in some session or in the context that is not serializable. The fact that you can store it in the session or in the context doesn't mean that it is serializable, and sometimes you don't even get a proper error message.

In my case, I had stored a reference to the servlet context in an object that was being kept in the context. As the servlet context is not serializable, all the sessions and application state were being trashed every time I redeployed. With orion 1.4.8, I was getting an "application state not serializable: com.orion...HttpApplication" error. With orion 1.5.2, I was getting NO ERROR, and it silently ignored the previous state. In the end, I re-checked all the attributes of all the classes that were being stored in the sessions and in the context and I found it.

It's not an easy problem to follow, I wish there were better means to track this down. I queried the list and I got no answer so I guess there isn't a way of getting more information about the process.

Good luck. If it worked before and now it doesn't, track the changes you have made to the classes added to the sessions and the context, and remember that a class is only serializable if all its RUNTIME non-transient members are also serializable (apart from the small detail of implementing the Serializable interface, of course ;) ). Watch out for hashtables, vectors and the like, they can hide non-serializable instances.

regards,
D.

Rice, Ted wrote:

i have read, and re-read, all of the postings on class (re)loading in relation to deployed applications inside orion. yet, i still have some unanswered questions.

in my past experience, compiling classes to the ./WEB-INF/classes directory and touching either the web.xml or application.xml file will cause the new classes to be picked up and used. all objects that are in session are serialized and available after the application is re-deployed without having to re-start orion.

however, i am now experiencing a situation wherein i'm losing my session information and being forced to re-login to my application to continue development. is there a set of criteria or implementation details i'm missing? all objects are obviously serializable or they would not be able to be stored in a session. yet, my latest encounters with class reloading make me doubt this assertion.

any ideas/paths i can explore to making my development life less hell-like?

thanks,
ted rice
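One way to track down the attribute that breaks redeployment, as an added example that is not part of the original thread or of Orion: serialize each stored attribute on its own and report the class that fails. The class names (SessionSerializationCheck, FakeServletContext, UserProfile) and the sample attributes are constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Vector;

public class SessionSerializationCheck {

    /** Hypothetical stand-in for a container object such as the servlet context: not Serializable. */
    static class FakeServletContext { }

    /** Implements Serializable, but one runtime member is not: the case described in the thread. */
    static class UserProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        String login = "ted";
        transient Object cache = new Object();      // transient: skipped during serialization
        Object context = new FakeServletContext();  // non-transient: breaks serialization
    }

    /**
     * Serializes every attribute separately and returns attribute name -> offending class
     * for each one that fails. NotSerializableException carries the name of the first
     * non-serializable class met while walking the object graph as its message.
     */
    static Map<String, String> findNonSerializable(Map<String, Object> attributes) {
        Map<String, String> failures = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
                out.writeObject(e.getValue());
            } catch (NotSerializableException ex) {
                failures.put(e.getKey(), ex.getMessage());
            } catch (IOException ex) {
                failures.put(e.getKey(), ex.toString());
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        // Constructed sample state. In a servlet, fill the map from
        // session.getAttributeNames()/getAttribute() and do the same for the context.
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("locale", "en");

        Vector<Object> cart = new Vector<>();
        cart.add("item-1");
        attrs.put("cart", cart);                     // serializable collection, serializable content

        attrs.put("user", new UserProfile());        // Serializable class hiding a bad member

        Hashtable<String, Object> lookup = new Hashtable<>();
        lookup.put("ctx", new FakeServletContext());
        attrs.put("lookup", lookup);                 // serializable collection hiding a bad value

        findNonSerializable(attrs).forEach((name, cls) ->
                System.out.println("attribute '" + name + "' is not serializable because of " + cls));
    }
}
```

Running the same check from a test or a debug servlet before redeploying shows which attribute to fix, including when the container reports nothing.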
Re: Design strategy
Hi George,

I don't know about EJB, as we don't use them, but having an extra table to represent an n-m relationship is a well established technique when designing relational databases. AFAIK there's no other way to do that while providing db-enforced consistency and avoiding redundancy. You represent a logical n-m relationship, you create a new table that implements two real 1-n relationships, thus creating one extra table. I don't see where you get two extra tables per relationship from.

regards,
D.

George Mardale wrote:

Hello Owen,

Thank you for your kind response. Yesterday, while waiting for a response on the Orion mailing list, we thought of a design somehow close to yours. We thought that using 3 different tables (ClassRoles, GroupRoles, UserRoles) was a good idea.

But today, we came up with a solution that we thought would benefit from Orion's powerful features. Thanks to Alex Paransky who helped us a lot, we tried to redesign the system, using OR mapping. So, we designed something like this:

    public class GroupBean implements EntityBean {
        ...
        List users; // 1..* relationship with UserBean
    }

    public class UserBean implements EntityBean {
        List groups; // 1..* relationship with GroupBean
    }

Practically, we broke every *..* relationship (in this case Group(*) - User(*)) into two 1..* relationships. And so on, for every relationship that we have:

    Class(1) - Group(*)
    User(*) - Role(*)
    Group(*) - Role(*)
    Class(*) - Role(*)

As far as I know, Orion will create an additional table in the database that will store the relationship. For example, for the users attribute in GroupBean, it will create a new table Group_users, besides the existing Group and User tables. Practically, for every *-* relationship we will have 2 more tables in the database. Is that correct?

What I want to know is if this design is correct. Are there any drawbacks that would make this system work improperly (maybe some OR mapping problems)?

Thanks,
George.

- Original Message -
From: Owen Fellows [EMAIL PROTECTED]
To: Orion-Interest [EMAIL PROTECTED]
Sent: Tuesday, October 02, 2001 10:58 AM
Subject: RE: Design strategy

Hello,

We have done a similar thing where we don't know the type of class assigned the role except at runtime. The solution we used was to have an Object Type table (containing Class, Group, User). Then we created an interface which was Roleable (i.e. this class can have a role assigned).

In the database you can store each assignment in a different table (ClassRoles, GroupRoles, UserRoles), or have a generic table that stores Roleable_id, Role_id and Object_type_id. This does have drawbacks, e.g. the database does not have enforced consistency as the Roleable_id is not a foreign key on any one table. It may also be slower to retrieve the Roles for a particular (Class, Group, User) as you will have to look up its object type and then its roles. (You could always cache object types as there will not be that many.)

I'm sure you can implement a Bean with the above functionality (we haven't used beans for this so I can't help there).

Hope this is of some help.

Owen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of George Mardale
Sent: 02 October 2001 06:06
To: Orion-Interest
Subject: RE: Design strategy

Hello Alex,

Thank you for your prompt response. Your suggestions are excellent. You're right, the analysis is not correct. I tried to reduce the problem to a simple example. To avoid complexity, I just limited the relationships to 1..*. Maybe the example is not the best, but I only wanted to know if I could model the Abstract being bean in Orion.

There are still 2 issues we are unclear about:

1. what are the advantages of dumping entity Class? (Class has specific fields that Group does not have)
2. could you please detail the best way to implement a *-* relationship in Orion?

Thanks,
George.
Re: ORacle db string over 4000 chars
Hi,

I've implemented a couple of applications that stored files inside the database using the Oracle thin driver (we never use any driver type but the thin). To do so we just used LONG RAW columns and getBinaryStream() and setBinaryStream(). Even though we also used ZipInputStream/ZipOutputStream to compress/decompress the files as they were getting in/out of the database, files were pretty much always bigger than 4K.

Now we started using Blobs because of the advantages they give you on the database side, even though their handling in Java is not that simple.

Just my 2c,
D.

The elephantwalker wrote:

the oracle thin driver can't handle any types larger than 4000 char, period. It doesn't matter whether you use long raw or whatever. If you have larger stuff, you will need to use clob or blob... these require reading and writing the character data or the byte[] data, taking care to use the empty_clob() and empty_blob() functions before you do your writing.

We will be posting an example of how to do this with a slsb on our site soon... stay tuned...

regards,
the elephantwalker
www.elephantwalker.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Nusairat, Joseph F.
Sent: Friday, September 07, 2001 12:10 PM
To: Orion-Interest
Subject: RE: ORacle db string over 4000 chars

I do realise oracle has 4000 varchar limits ... but i have seen other systems get around this by using LONG or LONG RAW data types instead however when i use those i still have it bug out at 4000 chars

Joseph Faisal Nusairat, Sr. Project Manager
WorldCom
tel: 614-723-4232
pager: 888-452-0399
textmsg: [EMAIL PROTECTED]

-Original Message-
From: Nusairat, Joseph F. [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 07, 2001 11:39 AM
To: Orion-Interest
Subject: ORacle db string over 4000 chars

Does anyone know how to handle this

oracle 8.x u can have a varchar set to 4k ... sooo to do more than that i tried using a long and a long raw and inserting it that way ... however whenever i go over 4000 chars it bombs

any one come across this problem?

Joseph Faisal Nusairat
Re: FORM based authentication with form-login-page as a JSP
Hi,

I've never tried using FORM based authentication, but if orion uses the forward mechanism to redirect the request to the login page, I think I remember there is a method to get the original request URL when you do so... let me see... no, I can't seem to find it in the spec. I've just found something like that if you use the include mechanism. You might try to check the attributes of the request, using getAttributeNames, to see if there's any object that tells you where the original request was directed to.

good luck,
D.

SAURUGGER,PETER (A-PaloAlto,ex2) wrote:

Would be interesting to control where a user goes, e.g. always redirecting them to the home page. Unfortunately, I don't have an answer to your question, just another observation: you don't even have to submit the page to j_security_check (see e.g. atm/atm-web/login.jsp) - orion -knows- where to send the request from the page specified in FORM based authentication. The regular case would be that the same page is served (without specifying the ACTION attribute to the FORM), but Orion nicely processes your request and does the 'appropriate' thing.

I have not had time to try to look inside orion to find out what they are doing internally. If an answer is found to this question, I'd sure like to hear about it

--peter

-Original Message-
From: Trujillo, Kris [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 07, 2001 1:24 PM
To: Orion-Interest
Subject: FORM based authentication with form-login-page as a JSP

Here's some starting context for my question:

I have a war file that has been configured to use FORM based authentication. I have set the form-login-page in the web.xml of the war file to point to a jsp file in my war file. I have set up constraints against different jsps in the war file (/foo/foo.jsp, /foo2/foo.jsp, etc). When a user invokes any jsp without being logged in the login jsp is displayed. The user enters the userid/password, submits the page to j_security_check, is validated and redirected to the requested page.

My question is ... Has anyone ever tried discovering the page that the user is trying to access from within the jsp page referenced as the form-login-page? I have tried checking the HTTP headers and session, but have not discovered it being saved anywhere. Usually when a page invokes another page the HTTP header REFERER exists with the URL to the previous page.

I have noticed that once the user posts the login form on my login.jsp to j_security_check and is authenticated they are redirected to the correct location .. correct location being back to the page they wanted to access originally. This would mean that it has to be somewhere, but where??
[Fwd: Re: Orion and JMS: javax.naming.NameNotFoundException]
Hi (third try to the list, first ones didn't make it),

I haven't got a single answer, so I'm wondering if nobody is using Orion JMS or this mailing list is playing funny with me. Has anybody configured and used Orion JMS? Could somebody please elaborate on the steps necessary to get this thing working?

Thanks in advance,
D.

Daniel López wrote:

Hi,

I know this topic has been discussed a lot in here, but I haven't been able to find the answer in the archive or in the documentation. The problem is: I decided to have a go with JMS but I can't even start to play with it, as all I get is javax.naming.NameNotFoundException. These are the steps I have followed:

.- Configure server.xml with the following line:

    ...
    <jms-config path="./jms.xml" />
    ...

.- Configure jms.xml with this content:

    <jms-server port="9127" host="localhost">
        <queue-connection-factory location="jms/QueueConnectionFactory"/>
        <queue name="Demo Queue" location="jms/demoQueue">
            <description>A dummy queue</description>
        </queue>
        <log>
            <file path="../logs/jms.log" />
        </log>
    </jms-server>

.- Add jndi.properties to my application's classes (WEB-INF/classes), with the following content:

    java.naming.factory.initial=com.evermind.server.ApplicationClientInitialContextFactory
    java.naming.provider.url=ormi://localhost/
    java.naming.security.principal=admin

.- Then in my servlet, I just try to see if the objects are there:

    ...
    Context ctx = new InitialContext();
    QueueConnectionFactory queueConnectionFactory =
        (QueueConnectionFactory) ctx.lookup("java:comp/env/jms/QueueConnectionFactory");
    // Exception is thrown in the line above
    ...

The facts:

.- JMS Server seems to have been started, as I can see the jms.log file and it reads (Date 1.4.5 Started)
.- I have tried with various names, with and without java:comp/env, and with various methods (list, listBindings...) with no luck. I cannot get a single object to be looked up.
.- Platform is WinNT 4.0, JDK1.3.0-c hotspot, Orion 1.4.5 (I also tried 1.5.2 with the same results)

So, what have I forgotten to do? It seems like I just forgot to do some essential step. I tried to find the JMS how-to by Kesav Kumar but I couldn't find it. Anybody, please?

Thank you in advance,
D.

PS: On a side note, I have seen many people trying to use external JMS providers with Orion, is that so because Orion JMS is buggy? Would it be better to use some external tool like OpenJMS or so? I had thought it would be nice to have everything in the same place, this way you just have to take care of one server. Comments?
Strange problem with JSP
Hi,

I'm having a pretty strange problem with a JSP page, the error I'm getting is something like:

    500 Internal Server Error
    Error parsing JSP page /nav/HOMRSV.jsp
    Syntax error in source
    /nav/HOMRSV.jsp.java:7330: No variable orionserver defined in class java.lang.String. (JSP page line 4997)
    else com.orionserver.http.OrionHttpJspPage.writeBytes(out, __staticContent, 105149, 10, ISO-8859-1);
    ^
    /nav/HOMRSV.jsp.java:7336: No variable orionserver defined in class java.lang.String. (JSP page line 4997)
    else com.orionserver.http.OrionHttpJspPage.writeBytes(out, __staticContent, 105159, 21, ISO-8859-1);
    ^

...blah blah blah, up to 25 errors.

I decided to try to debug this beasty, hence I set development=true in the orion-web-app... tag and then I tried the same page again. But then, I'm redirected to the error page and I get a different error, which is something like...

    500 Internal Server Error
    java.lang.NullPointerException
    at com.evermind[Orion/1.5.2 (build 10460)]._rj._xoc(Unknown Source)
    at com.evermind[Orion/1.5.2 (build 10460)]._rj._bb(Unknown Source)
    at com.evermind[Orion/1.5.2 (build 10460)].server.http.JSPPage._bb(Unknown Source)
    at com.evermind[Orion/1.5.2 (build 10460)]._ah._bfe(Unknown Source)
    at com.evermind[Orion/1.5.2 (build 10460)]._ah._rad(Unknown Source)
    at com.evermind[Orion/1.5.2 (build 10460)].server.http.JSPServlet.service(Unknown Source)
    at com.evermind[Orion/1.5.2 (build 10460)]._cxb._abe(Unknown Source)
    at com.evermind[Orion/1.5.2 (build 10460)]._cxb._uec(Unknown Source)
    at com.evermind[Orion/1.5.2 (build 10460)]._io._twc(Unknown Source)
    at com.evermind[Orion/1.5.2 (build 10460)]._io._gc(Unknown Source)
    at com.evermind[Orion/1.5.2 (build 10460)]._if.run(Unknown Source)

And even though I can have a look at the generated page, I see no sentence like the ones mentioned previously. These pages do work under tomcat 3.2 and I was just trying to configure Orion so I can replace the tomcat server due to some problems.

Has anybody had a problem like that? It might be that the JSP page is too big? It includes a couple of other pages and they should be around 60K altogether. I'm using Orion 1.5.2 under linux with IBM Java 1.3.0.

Anybody?
Dan
Re: Using JAAS for authentication (Was: bugs in @page extends=...)
Hi Joni,

Thank you very much for your info. It actually sounds as I thought it would when I looked at it, some time ago. Unfortunately, I had already implemented our own framework and I decided not to go for JAAS until these points that you mention are solved. Things that, IMHO, are lacking in order to have a standard, flexible and dynamic authentication/authorization service are:

.- A standard and DYNAMIC way of specifying users/roles that take part in the system. Right now this job is left to container-specific implementations, which breaks portability between containers.
.- A standard, FLEXIBLE and DYNAMIC way of specifying permissions required for a request. Using URL-Mappings inside a text file is, IMO, not enough as sometimes I would like to require different permissions for the same kind of request (URL) depending on the parameters.

Apart from that, the JAAS concept of LoginModules is very interesting so if I had to start my implementation again, I would use JAAS APIs and add the aforementioned features. As we have it now, we specified those features using interfaces, which can be implemented anyhow and that are queried for the appropriate data at runtime. With that, no security logic is ever intermixed with business logic, unless the business logic explicitly requires security information.

JSDK2.3 doesn't seem to make any move towards adding the flexibility and dynamicity I'm talking about. Let's see what happens with JDK1.4, so far it seems I'll be able to finally get rid of my logging system, which is also flexible and dynamic ;).

Regards and thanks again, Joni.
Dan

Joni Suominen wrote:

Hi Daniel,

See some answers below.

Daniel López wrote:

Hi Joni,

That sounds pretty interesting, however, I still have some doubts. Let's see:

.- Where do you get the user from (the one you use with user.getSubject())? Can these users be specified dynamically through a standard interface? Or do they have to be specified in a container specific way?

JAAS is not in any way related to user management. Since there's not (sadly) yet any standard way to do user management I decided to roll my own. However, this approach should work no matter what kind of user management is used. Here's some concepts and how the process flows:

- LoginModule (JAAS concept) handles user login. JAAS supports pluggable login modules which means that it is possible to use different kinds of login modules without affecting the rest of the application (e.g. at some point I could change my login module to use fingerprints instead of username and passwords).
- Principal (Java security concept) represents some identity for a user (e.g. Principal(John Doe), GroupPrincipal(user), IdPrincipal(12345-12))
- Subject (JAAS concept) groups one particular user's various Principals together. So, the Subject is linked to a user.
- Permission (Java security concept) represents a permission for something. These are usually really simple tag-like objects.
- Policy (JAAS concept) represents access control policy. To get all the permissions for a user you can use:

    PermissionCollection pc = Policy.getPolicy().getPermissions(subject, null);

- User (my implementation) represents a user in a system.

OK, using these concepts the authentication in my system goes:

1. Authenticate user using the configured LoginModules:

    LoginContext lc = new LoginContext("DefaultLoginModule", new LoginCallbackHandler(username, password));
    lc.login(); // This is JAAS's abstraction, actually the call is eventually dispatched to LoginModule.

2. In the actual LoginModule do the real authentication. This can be done for instance against RDBMS, LDAP, Solaris user management etc... I currently use a UserManager session bean:

    UserManager userManager = userManagerHome.create();
    User user = userManager.authenticate(username, new String(password));

3. Fill the user's Subject with the user's Principals if the authentication succeeds. I currently use two types of Principals: one which uniquely identifies the user (UserIdPrincipal) and one which represents a group where the user belongs to (GroupPrincipal). I store this information in an RDBMS and access them through the EJB layer:

    // Add the identity which uniquely identifies the user.
    Set principals = subject.getPrincipals(); // Subject is an object which is created automatically by JAAS.
    principals.add(new UserIdPrincipal(user.getId()));

    // Add the identities representing the groups to which the user belongs.
    String[] groupNames = null;
    groupNames = userManager.getGroupNamesForUser(user.getId());
    for (int i = 0; i < groupNames.length; i++) {
        GroupPrincipal p = new GroupPrincipal(groupNames[i]);
        if (!principals.contains(p)) {
            principals.add(p);
        }
    }
    user.setSubject(subject);

4. Then I cache this information to HttpSession so that it is fast to
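Steps 1 to 3 of the flow described above, as an added stand-alone example that is not code from the original posts: a LoginModule that authenticates through callbacks and fills the Subject with a UserIdPrincipal and GroupPrincipals in commit(). The principal and handler class names follow the post, but their bodies, the in-memory account (standing in for the UserManager session bean) and the programmatic Configuration are assumptions made so the example runs without a container.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasLoginExample {

    /** Shared base so principals of different kinds with the same name are never equal. */
    abstract static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return getClass().hashCode() ^ name.hashCode(); }
        @Override public String toString() { return getClass().getSimpleName() + "(" + name + ")"; }
    }
    public static final class UserIdPrincipal extends NamedPrincipal {
        public UserIdPrincipal(String id) { super(id); }
    }
    public static final class GroupPrincipal extends NamedPrincipal {
        public GroupPrincipal(String group) { super(group); }
    }

    /** Step 1: hands the credentials to whichever LoginModule asks for them. */
    static final class LoginCallbackHandler implements CallbackHandler {
        private final String username;
        private final char[] password;
        LoginCallbackHandler(String username, char[] password) {
            this.username = username;
            this.password = password;
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** Steps 2 and 3: authenticate in login(), publish principals only in commit(). */
    public static final class DefaultLoginModule implements LoginModule {
        // Constructed sample account. A real store keeps salted password hashes, not clear text.
        private static final Map<String, char[]> PASSWORDS = new HashMap<>();
        private static final Map<String, String[]> GROUPS = new HashMap<>();
        static {
            PASSWORDS.put("jdoe", "s3cret".toCharArray());
            GROUPS.put("jdoe", new String[] { "user", "editor" });
        }
        private Subject subject;
        private CallbackHandler handler;
        private String authenticatedUser;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { name, pass });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.toString());
            }
            char[] given = pass.getPassword();   // a copy of the callback's password
            pass.clearPassword();
            char[] expected = PASSWORDS.get(name.getName());
            boolean ok = expected != null && given != null && Arrays.equals(expected, given);
            if (given != null) Arrays.fill(given, '\0');
            if (!ok) throw new FailedLoginException("bad credentials");
            authenticatedUser = name.getName();
            return true;
        }
        public boolean commit() {
            if (authenticatedUser == null) return false;
            subject.getPrincipals().add(new UserIdPrincipal(authenticatedUser));
            for (String g : GROUPS.get(authenticatedUser)) {
                subject.getPrincipals().add(new GroupPrincipal(g));
            }
            return true;
        }
        public boolean abort() { authenticatedUser = null; return true; }
        public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof NamedPrincipal);
            authenticatedUser = null;
            return true;
        }
    }

    /** Replaces the JAAS login configuration file with one REQUIRED module (assumption). */
    static Configuration inMemoryConfig() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DefaultLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>()) };
            }
        };
    }

    static Subject authenticate(String user, String password) throws LoginException {
        LoginContext lc = new LoginContext("DefaultLoginModule", new Subject(),
                new LoginCallbackHandler(user, password.toCharArray()), inMemoryConfig());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) {
        try {
            System.out.println("principals: " + authenticate("jdoe", "s3cret").getPrincipals());
            authenticate("jdoe", "wrong");
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the principals are added in commit() rather than login(), a Subject never carries identities from a module whose authentication later fails or is aborted.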
Re: Cocoon in Harmony with Orion?
Hi Holden,

I'm afraid I can't help you much, as I also tried unsuccessfully to get Cocoon 1.8.2 to work with Orion. I ended up using 1.8.0 which at least works. I think the problem lies in the different XML parsers that both products use. With the previous version of Cocoon you had some ways of avoiding the incompatibility but I couldn't get it to work with 1.8.2.

Has anybody been able to?

regards,
Dan

Holden Glova wrote:

Hello again folks of the list,

I'm sure this must have been asked before although my searches on Deja and looking on both orionsupport.com and orionserver.com have come up pretty much empty. orionsupport.com has some documentation on the subject but I can't get the cocoon examples to run without getting an exception right at the start.

I am very new to this subject matter and would appreciate any direction that can be given in this area. I'm using Orion 1.4.8 along with cocoon 1.8.2.

Thanks very much in advance for any help that can be provided.

--
Holden Glova, [EMAIL PROTECTED]
Software Engineer
Alchemy Group Limited
Level 6 Royal Sun Alliance Bldg
PO Box 2386 Christchurch New Zealand
Phone: +64 3 962-0396
Fax: +64 3 962-0388
Re: Standar Template
Hi,

I haven't looked much into SiteMesh, but, just looking at the overview, it seems to me that you still have to generate the content of the different sites that you want to mesh, and if they look totally different then you are out of luck.

We are using the same approach that Jeff is talking about and we don't consider XML/XSL to be that slow, as using precompiled stylesheets we boosted our performance by a factor of three and the heaviest operation is accessing the database. As XSLT implementations improve day by day, I hope this will be less of a problem in the future. And using XML as the common ground is, IMHO, a very good approach to integrating different applications as you can use common stylesheets to integrate the different sources.

But I won't pretend it is a perfect solution or that everybody should use it. That's what we use because it fits well into our team and requirements.

And, Jeff, we also created our own framework to basically allow us to get the XML content from various sources, including directly from PLSQL, so if you want we could talk about it privately. We GPLd our framework but we haven't publicized it as we don't have much time to do so.

Just my 2c,
Dan

Mike Cannon-Brookes wrote:

Noo - XML/XSL is too slow / fugly to actually use day to day (IMHO)

I'd advise you to check out SiteMesh - it's built for this exact purpose!

http://www.opensymphony.com/sitemesh

Quite simply you provide JSP based decorators which are mapped to URIs. Download and install the sample app, it's the only way to learn about it. $10 says you're using it within a week ;)

-mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Schnitzer
Sent: Friday, May 11, 2001 7:12 AM
To: Orion-Interest
Subject: RE: Standar Template

I've iterated through several solutions to this problem and can offer some advice:

I started out using option 1 as you describe. I quickly noticed that *every* page contains the definition of the layout and look of the website. What if I wanted to put the navigation bar on the right instead of the left? I would have to modify *every single page* in my website. Yuck.

My next step was to put the container code in separate head/foot JSP files and @include them like this:

    <%@ include file="head_stuff.jsp" %>
    <p>My content</p>
    <%@ include file="foot_stuff.jsp" %>

Which at least puts all the look and feel stuff in a handful of places. But my site has different templates for the logged in user vs the welcome/signup screens and a few other special cases as well. It quickly became a pain to keep track of all the different headers and footers, and in any case opening tags in one file and closing them in another really sucks. Yuck.

Next step was option 2 as you describe. I created template_inside.jsp, template_outside.jsp, etc which contain all the layout structure and then include the appropriate content file based on a parameter. Since I'm using an MVC framework, this is pretty easy to do. This is the best option I've described so far, and it works. But it's not very sophisticated, and it doesn't make having multiple layers very easy.

Fortunately I'm working on my own time, so now I'm moving on to the fourth generation of my website content:

This sort of templating is where XSLT really shines. Rather than creating templating layers from the top down, XSLT allows you to start at the bottom and build up, successively transforming the input. Wrapping (in a layout template) is just one kind of transformation. Each step has no need to know anything specific about the previous step; it's all just based on transformation rules.

I'm still near the bottom of the XSLT learning curve, but I'm already amazed at how powerful it is. It's also a lot easier to pick up than I had expected from first looking at a sample.

The only problem with using XSLT in a web application is the lack of framework support. Cocoon did not make a favorable impression on me (to say the least). I wanted something that provides a simple MVC paradigm like WebWork or (not-so-simple) Struts but uses XSLT for the view templating. So I (and a friend) sat down and wrote it. Tomorrow we'll send out a link to the sourceforge site; we're still working on the documentation and examples.

In summary: For a simple approach, Option 2 as you describe isn't bad. For (IMNSHO) a more elegant and powerful approach, it's worth looking into XSLT.

Jeff Schnitzer
[EMAIL PROTECTED]
http://www.similarity.com (still using WebWork, but not for long :-)

-Original Message-
From: Dave Ford [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 10, 2001 12:17 PM
To: Orion-Interest
Cc: Dan Tharp
Subject: Standar Template

I want to create a web app in which every page on the site has a standard header along
Re: common practice for configuring orion app/web-site
I don't know what the others do, but we split different projects in different servers (orion instances), as we want to be able to stop/start applications without affecting the rest. Now that hot deployment is becoming a reality, we might start concentrating them using different applications inside the same container instance. As we use a proxy server on port 80, the external URL will be exactly the same so no problem. Of course, in our case we prefer paying the extra step, the proxy, because our performance requirements are not too high.

Just my 2ec,
D.

darl zero wrote:

Hi,

This might be sort of a newbie question or just a very general one. I tried looking through archives before posting but no luck, maybe someone has a quick answer.

I would like to know if most of you break up your projects into a lot of small apps and bind this to a web-site, or do most of you just pile all the apps into one big one.. so that there is only one application running on one default-web-site.

-p
Re: Share sessions????
Hi Tomas,

AFAIK, you can't do what you want to do, as sessions are not shared between different applications. When you try...

    disp = context.getRequestDispatcher("/app2/app2.jsp");
    disp.forward(request, response);

from inside your app1 application, you are really forwarding to /app1/app2/app2.jsp, hence the 404 not found. And when you try sendRedirect(), you are asking the BROWSER to issue a call to the second page, and the browser knows nothing about server side sessions so that's why your attribute doesn't get through.

Unless both jsp pertain to the same application, I don't know of any standard way of directly sharing objects between webapps. You might have to use something external. I guess the philosophy behind that is if they have to share, they should be part of the same webapp which can be seen, IMO, as a security feature and a limitation.

As a non standard way of doing it, you might be able to use the parent attribute in the orion server.xml configuration (http://www.orionserver.com/docs/server.xml.html), but I'm not sure it allows you to do what you want to, as I have never used it.

Does anyone know if there is a standard solution for this?

regards,
Dan

Tomas Anderson wrote:

Hello. I hope someone can help me with this basic question.

I have 2 separate applications, app1 and app2. One jsp and one servlet in each. From the jsp I send some parameters to the servlet. I process them and put the answer in a session variable like this:

servlet1.java:

    String strP1 = request.getParameter("param1");
    String strP2 = request.getParameter("param2");
    // ... process them
    String strAnswer = strP1 + strP2;
    // Get the session.
    session = request.getSession(true);
    // Put a session variable.
    session.setAttribute("result", strAnswer);
    ...

Now I want to send the session to the other application, app2, where the jsp file reads the session variable and displays it.

jsp2.jsp:

    <%
    String str = (String) session.getAttribute("result");
    out.println("result: " + str);
    %>

I have put shared=true in both web-app tags.

    <web-app application="App1" name="App1-web" root="/app1" shared="true" />
    <web-app application="App2" name="App2-web" root="/app2" shared="true" />

Ok. If I do in servlet1.java:

    disp = context.getRequestDispatcher("/app2/app2.jsp");
    disp.forward(request, response);

I get a: 404 Not Found...

If I use sendRedirect(..,..) the session is not shared, it is empty.

How can I connect the 2 applications? Did I miss any configuration setting? And how to send the session to the other application? It seems setting shared=true means something else than I thought.

Grateful for any hint.

Tomas
Re: Interests sake
Development on Windows (95/NT) and production on SunOS and Digital Unix, but we have even tested it on OpenVMS :).

Cheers,
D.

Johan Fredriksson wrote:

Development on win2k and production on Solaris.

Johan

- Original Message -
From: Adam Cassar [EMAIL PROTECTED]
To: Orion-Interest [EMAIL PROTECTED]
Sent: Thursday, May 03, 2001 7:53 AM
Subject: Interests sake

Hi all,

For interest's sake, what OS is everyone on the list running orion on? Windows 2000? WinNT? Linux? I would have thought that most people would be using Linux but I think from postings on this list that I might be mistaken

--
Adam Cassar
Technical Development Manager
NetRegistry
http://www.netregistry.au.com
Tel: +61 2 9641 8609 | Fax: +61 2 9699 6088
PO Box 270 Broadway NSW 2007 Australia
Re: MVC/XML Framework Comments please
Hi Jeff,

As I mentioned in a previous post, we are also using XSLT in our applications (we've implemented around 10 so far). We already tried different approaches, namely Oracle Application Server PLSQL Cartridge, JDBC servlets, JSP + JDBC Servlets, JSP + EJB, as things were evolving. The story then goes like that:

Instead of using JSPs directly, we developed, as many people have done, our own Model 2 - Servlet controller framework. The JSDK specification left a couple of holes (security, application events...) that we also tried to fix with our framework. After that, there are two things that were giving us headaches when developing web apps:

.- Implementing the data layer
.- Creating/Modifying the interface without having a programmer handy.

Implementing the data layer using EJB is, unless you have lots of bucks to invest in a good GUI tool, a PITA. You have dozens of tables and relationships, bla, bla and you end up replicating this design with dozens of JavaBeans and lots of getters/setters that do pretty much nothing new. And then relationships are not easily handled (it seems that specification 1.0 was created to develop 1-table applications ;)) and complex queries have to be written by hand. You end up transforming your data from SQL to Java and then formatting it with JSP. As we were positive we were going to use Oracle, we developed a utility that allows us to write the data layer directly in PLSQL. This way if you specify the XML interface correctly, you can have a programmer that knows nothing about Java or web applications implementing your data layer.

In order to modify the interface, you have to choose between making it easy to designers, or making it flexible. Using JSPs you cannot 100%-isolate the HTML code and the Java code. Even using custom tags. And telling them you cannot touch that is not enough in some cases, if they want to change some weird layouts.
You can almost get it if you develop a complete set of custom tags to allow you to get the data in different orders, conditional code... but then you end up having pretty much what XSLT already has. It is not that with JSP you cannot do it but we prefer to have the designer on his own. That is what he can do with an HTML prototype and the XML specification: he can work on his own with a test XML file and he won't break any code, because there's not a single line of logic written by a developer in there.

This is not a perfect solution, as XML/XSLT tools are nowadays quite young but we hope that tools will improve on that regard. We find it better to train a designer to use XSLT, which is a standard, than a set of custom tags that are not really useful outside the JSP scope. But as I said, it is not a one size fits all solution, but it is quite flexible. If we wanted to use EJBs with another database, we would then probably use JSPs to format the XML (still done by the developer) and the designer won't even know that we have changed the backend, as long as the XML is the same.

Of course, just a personal opinion ;).

D.

Jeff Schnitzer wrote:

Doh! Sorry, that wasn't supposed to go to the list. But to keep this topic going (because I'm still undecided about what direction to go): Is anyone here besides Tim using XSLT in their web application? How do you like it? Is it easy to get designers up and running with it? How do you interface between Java and XML (jsp? building dom nodes in java? something else?) ?

Thanks, Jeff

-Original Message-
From: Jeff Schnitzer
Sent: Friday, April 27, 2001 3:38 PM
To: Orion-Interest
Subject: RE: MVC/XML Framework Comments please

I'm definitely interested in your framework; may I have a copy?
Thanks, Jeff

-Original Message-
From: Duffey, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 26, 2001 2:39 PM
To: Orion-Interest
Subject: RE: MVC/XML Framework Comments please

I use my own framework for a couple of sites, and have gotten feedback from others using it as well. It's only 15K in size, full source, it's free to use, modify, etc. If you're interested in it, send me an email. It supports xsl transformations, and is very similar to Struts only that I found struts too much for my needs, and some features it didn't do that I needed, so I went that direction.

-Original Message-
From: Vic Cekvenich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 26, 2001 11:53 AM
To: Orion-Interest
Subject: MVC/XML Framework Comments please

We are about to pick a framework, and I am looking for comments or recommendations on frameworks, other than Struts. (Don't want to be HTML/JSP centric) Any feedback on your experience with a framework, or do you know of web sites in production that are using a certain framework, or do you know of a friend or someone who has used one. I would like it to be XML centric, and MVC. For example, the V should apply the XSL to XML, to make it HTML. It
Re: MVC/XML Framework Comments please
Hi,

As we have also rolled our own solution, I'll just add my two cents. As Tim, we found that the existing frameworks didn't fit quite well into what we wanted to do, (that was even before Struts was created) and as we wanted to integrate other features...

Following the Model 2-controller servlet approach, we have a centralised servlet, driven by an XML file, that specifies XML/XSLT sources for any given path. However, most of the times we are not generating XML in Java, but directly from PLSQL. We think that EJB is too much/too painful to develop for most of our applications so we developed a small library that allows us to generate the XML content directly from PLSQL. If you need to handle session values and the like, you can also use JSPs to generate part of the XML and integrate it with PLSQL generated XML. We also provide ways to modify the defined sources (XML or XSLT) on a per-request basis so it is quite flexible.

We also use precompiled style-sheets, which, last time I checked, boosted our performance sometimes by a factor of three! Last detail I added to our XSLT cache is that precompiled stylesheets are stored through Soft References, thus preventing the cache from eating all the memory and providing a controlled degradation of service (not sure if that is the English translation ;))

We included also:

.- a logging system, which we hope to be able to remove as soon as 1.4 provides something similar
.- a flexible security system, which is much more flexible than the one the JSDK spec. provides
.- internationalisation, which allows us to change the config values depending on the language value
.- browserization which also allows us to change the config values depending on the browser Agent and Accept strings.
.- Our own connection pools, which we are thinking about replacing with another library...

All in all... a .jar file of about 294KB

The key point, IMHO, is to stick to standards as much as you can, and to allow different parts to be replaced when time comes. For example, we used to have a module that made the XSLT processing independent of the XSLT processor, now that JAXP 1.1 has done so, we removed the module and substituted it with JAXP. The better the standards, the easier to maintain our library.

On the how to handle such a project side, we also follow the model of providing the designers with a set of static XML files so they can start playing with them while other people implement the logic. When logic is ready, you substitute XML_SOURCE=/.../static.xml with XML_SOURCE=plsql://.../package.procName and almost voilà ;). Almost because you still have to check that parameters are passed and things like that.

We are pretty happy with it, as it allows us to concentrate on the real application (presentation-XSLT, logic-PLSQL/BDD) and we don't have to spend that much time developing Beans, interfaces... If we needed to, we would be able to use EJB, but for us it's been not worthy (so far).

Just my 2ec, D.

PS: We have had 5-6 applications with this system running production for almost 1 year and a half. We don't have big ones, but we have lots of them ;).

Tim Endres wrote:

We rolled our own servlet for this. I found none of the existing frameworks to properly address what we needed. It is not a complicated thing to write. An XML config file specifies the commands that get executed for any given pathinfo. The command is tied to an XSL stylesheet, which processes the XML that the command generates.

Precompiled stylesheets are effectively XSL stylesheets that have already been parsed from the XML text into the DOM Node tree that is used by the XSLT processor. These compiled stylesheets are then Serialized out, and then Serialized back in, such that our code can then skip the cost of parsing the XSL's XML file, in exchange for the cost of serialization.

tim.
Tim, that sounds v.interesting. Forgive my ignorance but what toolkit are you using and what do you mean by precompile the XSL pages? Thanks, Trevor On Thu, 26 Apr 2001, Tim Endres wrote: We do exactly what you propose. A servlet drives lightweight commands. The commands get XML trees containing the HttpServletRequest information, and fill in a subtree with the XML results. This tree is fed into XSLT and the resulting HTML is sent down the wire. I prefer it over JSP by miles. We precompile the XSL pages, so we get really good performance. And the separation of content/presentation could not be better. tim. SNIP
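
The soft-reference stylesheet cache described in this thread, as an added example that is not code from Dan's or Tim's frameworks. It assumes JAXP `Templates` objects as the precompiled form (the thread does not say what Dan's library stores); the class name `StylesheetCache` and the sample stylesheet are made up.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.lang.ref.SoftReference;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Added example (hypothetical class): precompiled stylesheets held through soft references.
public class StylesheetCache {
    private final TransformerFactory factory = TransformerFactory.newInstance();
    private final Map<String, SoftReference<Templates>> cache = new HashMap<>();
    private int compilations;

    public StylesheetCache() throws TransformerException {
        // Stylesheets are edited outside the code base: restrict extension
        // functions and apply the processor's built-in limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    }

    // Returns the compiled stylesheet, recompiling when it was never cached or
    // when the garbage collector cleared the soft reference under memory pressure.
    public synchronized Templates get(String key, String xslText) throws TransformerException {
        SoftReference<Templates> ref = cache.get(key);
        Templates compiled = (ref == null) ? null : ref.get();
        if (compiled == null) {
            compiled = factory.newTemplates(new StreamSource(new StringReader(xslText)));
            cache.put(key, new SoftReference<>(compiled));
            compilations++;
        }
        return compiled;
    }

    // Templates is thread-safe and reusable; every request gets its own Transformer.
    public String transform(String key, String xslText, String xml) throws TransformerException {
        StringWriter out = new StringWriter();
        get(key, xslText).newTransformer()
                .transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public synchronized int compilations() {
        return compilations;
    }

    public static void main(String[] args) throws TransformerException {
        // Constructed sample stylesheet and document.
        String xsl =
              "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:output method=\"html\"/>"
            + "<xsl:template match=\"/task\"><h1><xsl:value-of select=\"title\"/></h1></xsl:template>"
            + "</xsl:stylesheet>";
        String xml = "<task><title>Deploy &amp; test</title></task>";

        StylesheetCache cache = new StylesheetCache();
        for (int i = 0; i < 3; i++) {
            System.out.println(cache.transform("task.xsl", xsl, xml));
        }
        // The stylesheet is parsed once unless memory pressure cleared the reference.
        System.out.println("compilations: " + cache.compilations());
    }
}
```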
Re: Orion support company
Eummm, www.orionserver.com works fine for me. OTOH, I haven't heard of www.orionserver.bea.com. Is this the BEA version of Orion (WebOrionLogic)? ;) (Warning, that was a joke! just in case someone didn't get it :) )

D.

Joseph B. Ottinger wrote:

Orion's web site is still up? Every time I go to www.orionserver.bea.com, it comes back with an error. I knew they didn't update the site often, but taking it off the web seems a bit extreme.

On Wed, Apr 25, 2001 at 02:30:09PM +0200, Bernard Sauterel wrote:

I wonder if somebody saw on Orion web site, that there's now an official support company: Cadrion. For me it's good news.

On Mec, 25 avr 2001, Joseph B. Ottinger [EMAIL PROTECTED] wrote:

The list is DEAD? NO MAILS!??! OH NO! ORION HAS BEEN SOLD TO BEA AFTER ALL!

On Wed, Apr 25, 2001 at 12:56:21PM +0200, Ismael wrote:

Hi all, Is the list still running? The number of mails received have decreased to 0 !!! Are you still there??

-- --- Joseph B. Ottinger [EMAIL PROTECTED] http://epesh.com/ IT Consultant
-- --- Joseph B. Ottinger [EMAIL PROTECTED] http://epesh.com/ IT Consultant
Re: Building an application
Olivier,

I have the same setup as you have and it works for me. What are the error messages that you get in the error log? Just an internal server error? It sounds like orion is not able to "load" your application because of a configuration issue and that's why even the index.html doesn't work.

Good luck with it, Dan

olivier wrote:

Dan,

The error I have is 500 (http internal server error), when I type http://localhost/taskforce
If I type http://localhost, I have the orion home page.

This the tree of the applications directory, once expanded by orion.

    D:\JAVA\ORION\APPLICATIONS
        taskforce.ear
    \---taskforce
            taskforce.war
            userEJB.jar
        +---META-INF
                application.xml
        \---taskforce
                index.html
            +---images
            +---META-INF
            \---WEB-INF
                +---classes
                |   +---net
                |   |   \---tnt
                |   |       +---user
                |   |       |   \---model
                |   |       +---util
                |   |       \---web
                |   |           +---control
                |   |           \---taglib
                |   \---org
                |       \---apache
                |           \---struts
                |               \---resources
                +---lib
                \---tlds

The server.xml and default-web-site.xml have been modified as mentioned at the bottom of this mail. I have tried to modify the context root to "/" but it did not change.

I have just noticed that you can set the root="/taskforce" in default-web-site.xml

    <web-app application="taskforce" name="taskforce-web" root="/taskforce"/>

and also in the /META-INF/application.xml of your ear (<context-root>/taskforce</context-root>). I suppose they must be the same (which is the case for me). What is the role of each ?

I guess there are 2 possible sources of error

1) the way I have updated the server.xml and default-web-site.xml

    (default-web-site.xml) <web-app application="taskforce" name="taskforceWebApp" root="/taskforce"/>
    (server.xml) <application name="taskforce" path="../applications/taskforce.ear" />

2) the directory structure (see above)

Thanks, Olivier

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Lopez
Sent: 10 April 2001 07:05
To: Orion-Interest
Subject: Re: Building an application

Hi Oliver,

Last week I was playing with the same thing and I was successful with pretty much the same configuration that you have, except that in application.xml I set the context root to / (<context-root>/</context-root>). Which error are you getting ? 404? Can you see your .ear file unpackaged?

regards, Dan

olivier wrote:

Hi, I am new to Orion, and I have recently been trying to build an application (ear) with not much success. Basically, Orion seems to deploy all the components, but I can't get the first page to open on the browser. I am using struts as a framework, with the fix I have seen on this site (remove the dtd from the jar and put them under classes), and struts does not seem to be the problem now (especially since my first page is an index.html)

The ear is in orion\applications

    userEjb.jar
    taskforce.war
    \META-INF
        application.xml

source of application.xml for the ear

    <application>
      <display-name>taskforce</display-name>
      <description>Application description</description>
      <module>
        <web>
          <web-uri>taskforce.war</web-uri>
          <context-root>/taskforce</context-root>
        </web>
      </module>
      <module>
        <ejb>userEjb.jar</ejb>
      </module>
    </application>

I put this in default-web-site

    <web-app application="taskforce" name="taskforceWebApp" root="/taskforce"/>

this in server.xml

    <application name="taskforce" path="../applications/taskforce.ear" />

I have tried with the news.ear coming with orion, but same problem. Any clue?

Thanks, olivier
Re: During development, how to allow only a couple of ips, including my local system, to view the site?
Hey Kev,

It seems that after that long discussion on the JSP list, each one ended up building his own MVC framework, remember that? ;) At the beginning, I also integrated this feature inside my framework but then I realised that this way I wouldn't be able to re-use it for other applications, or even for static content. That's the reason why I ended up creating a filter.

But there are some things I don't like about filters: They have to be configured in the web.xml and they are not easily integrated with other parts of the framework, unless you share objects through the context or something similar. What I would love to have is a "feedback" mechanism to provide the containers with some extra information/configuration that is not included in the web.xml. This way I could just configure everything in my own framework configuration file and then I would give the feedback to the container. Otherwise, if you use filters for logging, authentication, IP filtering... your web.xml ends up being extra-large and having the application configured in two places is error-prone. But well, such a feedback API is not in place so... ;)

Talking about the IP filter, if you are interested, I can show you my DTD and even some code as it is nothing extra-complex.

Regards, Dan

Kevin Duffey wrote:

Hey Daniel, That is a great idea..DUH! ;) I am using my own simple MVC framework, and I should just put in a feature in the web.xml that gets read in as an init parameter that designates ips that are allowed/not allowed to access the application. It's simple enough to do. Thanks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Lopez
Sent: Monday, April 09, 2001 3:28 AM
To: Orion-Interest
Subject: Re: During development, how to allow only a couple of ips,including my local system, to view the site?

Hi Kev,

I had a similar problem but for my production applications. I wanted my solution to be flexible and server independent so what I did was create a servlet filter, as someone else has already suggested. I've had it for production for almost a month and so far so good. I have to admit that I went a little further down the road and I allowed to specify the IP/hostnames to be allowed or denied through an xml file that can be read from a file, a URL or a database. That way I got maximum flexibility.

These are the links that I used to create my filter:
http://developer.java.sun.com/developer/technicalArticles/Servlets/servletapi2.3\
http://www.orionserver.com/tutorials/filters/

I hope this helps, Dan

Kevin Duffey wrote:

Hi all, I would like to block out ALL ips from viewing my site (using my static ip) except for a few ips, which are from co-workers over the internet. Is this possible? If so, how? I read in the orion-web.xml.html file about ip-access tag, and when I tried it, it did block off all ips. But when I added when to allow it, such as "localhost" or my direct IP, sometimes it wouldn't allow it, and other times the browser sat and spun for about 5 minutes, then reported a time out. Thanks.

-- ------- Daniel Lopez Janariz ([EMAIL PROTECTED]) Web Services Computer Center Balearic Islands University ---
-- ------- Daniel Lopez Janariz ([EMAIL PROTECTED]) Web Services Computer Center Balearic Islands University ---
Re: During development, how to allow only a couple of ips, including my local system, to view the site?
Hi Kev,

I had a similar problem but for my production applications. I wanted my solution to be flexible and server independent so what I did was create a servlet filter, as someone else has already suggested. I've had it for production for almost a month and so far so good. I have to admit that I went a little further down the road and I allowed to specify the IP/hostnames to be allowed or denied through an xml file that can be read from a file, a URL or a database. That way I got maximum flexibility.

These are the links that I used to create my filter:
http://developer.java.sun.com/developer/technicalArticles/Servlets/servletapi2.3\
http://www.orionserver.com/tutorials/filters/

I hope this helps, Dan

Kevin Duffey wrote:

Hi all, I would like to block out ALL ips from viewing my site (using my static ip) except for a few ips, which are from co-workers over the internet. Is this possible? If so, how? I read in the orion-web.xml.html file about ip-access tag, and when I tried it, it did block off all ips. But when I added when to allow it, such as "localhost" or my direct IP, sometimes it wouldn't allow it, and other times the browser sat and spun for about 5 minutes, then reported a time out. Thanks.

-- ------- Daniel Lopez Janariz ([EMAIL PROTECTED]) Web Services Computer Center Balearic Islands University ---
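
The address check that such a filter can run, as an added example (not Dan's filter and not Orion code; the class name `IpAllowlist` and the sample addresses are made up). It matches numeric addresses and CIDR ranges only and never resolves hostnames, so a slow name lookup cannot stall a request; a Servlet 2.3 filter's `doFilter` would pass `request.getRemoteAddr()` to `isAllowed` and answer 403 on `false`.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class): default-deny allowlist of client addresses.
public class IpAllowlist {

    private static final class Rule {
        final byte[] network;
        final int prefixBits;
        Rule(byte[] network, int prefixBits) {
            this.network = network;
            this.prefixBits = prefixBits;
        }
    }

    private final List<Rule> rules = new ArrayList<>();

    // Accepts "192.0.2.10", "192.0.2.0/24", "::1" or "2001:db8::/32". Hostnames are rejected.
    public void allow(String spec) {
        String[] parts = spec.trim().split("/", 2);
        byte[] addr = parseLiteral(parts[0]);
        int max = addr.length * 8;
        int bits = max;
        if (parts.length == 2) {
            try {
                bits = Integer.parseInt(parts[1]);
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("bad prefix length: " + spec);
            }
        }
        if (bits < 0 || bits > max) {
            throw new IllegalArgumentException("bad prefix length: " + spec);
        }
        rules.add(new Rule(addr, bits));
    }

    // Default deny: anything unparsable or unmatched is refused.
    public boolean isAllowed(String remoteAddr) {
        byte[] addr;
        try {
            addr = parseLiteral(remoteAddr);
        } catch (IllegalArgumentException e) {
            return false;
        }
        for (Rule r : rules) {
            if (matches(r, addr)) return true;
        }
        return false;
    }

    private static boolean matches(Rule r, byte[] addr) {
        if (addr.length != r.network.length) return false; // an IPv4 rule never matches IPv6
        int full = r.prefixBits / 8;
        int rest = r.prefixBits % 8;
        for (int i = 0; i < full; i++) {
            if (addr[i] != r.network[i]) return false;
        }
        if (rest == 0) return true;
        int mask = (0xFF << (8 - rest)) & 0xFF;
        return (addr[full] & mask) == (r.network[full] & mask);
    }

    // Turns an IP literal into bytes. IPv4 is parsed by hand so that no string
    // is ever handed to the resolver as a host name.
    private static byte[] parseLiteral(String s) {
        if (s == null) throw new IllegalArgumentException("null address");
        if (s.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
            String[] p = s.split("\\.");
            byte[] out = new byte[4];
            for (int i = 0; i < 4; i++) {
                int v = Integer.parseInt(p[i]);
                if (v > 255) throw new IllegalArgumentException("bad octet: " + s);
                out[i] = (byte) v;
            }
            return out;
        }
        if (s.indexOf(':') >= 0 && s.matches("[0-9A-Fa-f:][0-9A-Fa-f:.]*")) {
            try {
                // getByName parses a ':'-containing string as an IPv6 literal;
                // current JDKs reject a malformed one instead of resolving it.
                return InetAddress.getByName(s).getAddress();
            } catch (UnknownHostException e) {
                throw new IllegalArgumentException("bad IPv6 literal: " + s);
            }
        }
        throw new IllegalArgumentException("not an IP literal: " + s);
    }

    public static void main(String[] args) {
        IpAllowlist list = new IpAllowlist();
        list.allow("127.0.0.1");      // constructed sample rules
        list.allow("::1");
        list.allow("192.0.2.0/24");   // documentation range standing in for the co-workers
        String[] clients = {"127.0.0.1", "192.0.2.77", "192.0.3.1", "::1", "localhost"};
        for (String c : clients) {
            System.out.println(c + " -> " + (list.isAllowed(c) ? "allow" : "403"));
        }
    }
}
```

When the container sits behind a front-end proxy, `getRemoteAddr()` returns the proxy's address, so the check has to run on the proxy or use the client address the proxy forwards.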
Re: Building an application
Hi Oliver,

Last week I was playing with the same thing and I was successful with pretty much the same configuration that you have, except that in application.xml I set the context root to / (<context-root>/</context-root>). Which error are you getting ? 404? Can you see your .ear file unpackaged?

regards, Dan

olivier wrote:

Hi, I am new to Orion, and I have recently been trying to build an application (ear) with not much success. Basically, Orion seems to deploy all the components, but I can't get the first page to open on the browser. I am using struts as a framework, with the fix I have seen on this site (remove the dtd from the jar and put them under classes), and struts does not seem to be the problem now (especially since my first page is an index.html)

The ear is in orion\applications

    userEjb.jar
    taskforce.war
    \META-INF
        application.xml

source of application.xml for the ear

    <application>
      <display-name>taskforce</display-name>
      <description>Application description</description>
      <module>
        <web>
          <web-uri>taskforce.war</web-uri>
          <context-root>/taskforce</context-root>
        </web>
      </module>
      <module>
        <ejb>userEjb.jar</ejb>
      </module>
    </application>

I put this in default-web-site

    <web-app application="taskforce" name="taskforceWebApp" root="/taskforce"/>

this in server.xml

    <application name="taskforce" path="../applications/taskforce.ear" />

I have tried with the news.ear coming with orion, but same problem. Any clue?

Thanks, olivier
Re: How to run ORION on different ports
Hi Mohan,

If you mean that you want to have two different orion instances running, you just have to copy the configuration files to some other directory, modify the paths and ports appropriately so they don't collide and then start orion with the option "-config [NEW_CONFIG_DIRECTORY]/server.xml" where [NEW_CONFIG_DIRECTORY] must be substituted with the directory where you put your new configuration files.

We have about 9 different instances running with 1-2 web applications per instance. Why? Because this way when we have to upgrade an application and we have to tinker with one of the instances, we are pretty sure nothing is going to happen to the other applications. We also have different logging directories per instance, blah, blah so debugging is easier. Now that hot-deployment is becoming a reality, we might start gathering applications in common instances but in the mean time, we feel safer with separate instances and development and production should definitely be in different ones.

The biggest drawback of this solution is that you need more HTTP ports and the only standard one is 80. We have solved it by using an Apache instance as a proxy in the 80 port and redirect from there to the appropriate host/port. This also allows us to show an appropriate "Application is being maintained" message automatically when an instance fails, instead of the browser answering "server could be down or not responding". Another added benefit is that we can distribute our applications among different hosts just by changing the proxy configuration: no html links have to be changed, no users have to be told "the URL was X but now is Y". We know that this means a second trip but as we proxy all non-dynamic content in the Apache server and our problem is not traffic and speed but number of applications and flexibility, then it's a price we are willing to pay.

Just my 2c, Dan

mohan krishna wrote:

Hello, I am interested to run orion on multiple ports... Consider the following scenario : There is only one single server for production and development. Production sites are represented by virtual hosts, each one runs a single web site. Each of these sites only runs its own "default" web application. Development is handled by default web site which runs under port 8080. Now i want to run one site on 8080 and other one on different port say 80. What are the things i have to do to achieve this

Any input would be greatly appreciated

Thanks
Mohan Krishna
Re: SV: load-on-startup is not working
Okay guys,

The load-on-startup="true" inside the web-app tag in the web-site.xml file did the trick so now everything works as expected. Now that I know where to look, I found the reference in the documentation even though it is not very intuitive. Thank you very much to all who responded.

Dan

------- Daniel Lopez Janariz ([EMAIL PROTECTED]) Web Services Computer Center Balearic Islands University ---
Re: Hot deployment
Hi Marcel,

You're right, I had already tried that and it didn't work. On the other hand, I tried to pack my .war inside a .ear and everything worked. Of course that adds another directory and another file to be created but it's something I can cope with ;). Touching the application.xml file works fine but I was hoping that auto-detection of new .war files would be as easy as .ear files, that way a simple ftp with the new war file is enough but that's not a problem.

Another question, when I perform a hot deployment, all the sessions are lost. Is there any way I can keep the sessions alive? I mean is there any setting to persist the sessions across deployments?

Thank you for your help, Dan

--- Daniel Lopez Janariz ([EMAIL PROTECTED]) Web Services Computer Center Balearic Islands University ---

Marcel Schutte wrote:

I'm having the same problem as Daniel. It's not a matter of touching or recreating the .war. Daniel wrote that he tried that already. For me, the automatic redeployment of .ear files works fine. Whenever I overwrite the .ear file, orion starts redeploying right away. However, when I make my .war part of the global-application by editing the following line in orion/config/application.xml:

    <web-module id="defaultWebApp" path="../default-web-app" />

orion doesn't redeploy my web application when I overwrite the .war. Instead, I have to restart the server for it to pick up the changes.

several minutes later

Just occurred to me that perhaps touching the file orion/config/application.xml would trigger redeployment. And indeed it does, problem solved.

Marcel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Cannon-Brookes
Sent: Thursday, March 29, 2001 4:02 PM
To: Orion-Interest
Subject: RE: Hot deployment

Touch the .war file or recreate it - Orion will detect that and redeploy it. If not, check your date settings etc. Sometimes one machine (if you're deploying across a network) may have a different clock to another.

-mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Lopez
Sent: Thursday, March 29, 2001 8:22 PM
To: Orion-Interest
Subject: Hot deployment

Hi, I've been using Orion for a while and so far, so good. Now I'm trying to improve the way we develop/deploy applications and I started to dig in the .war file world. I've created the war file containing just the web application and it's been auto-unpacked and auto-deployed successfully, great! Now I wanted to check what are the steps that I need to follow in order to deploy a new version of an application. Re-creating the war file and substituting it seems not to affect Orion and it's not detecting a new version. I even tried to remove the deployed application directory to see if it would re-unpack it from the new war file but it didn't work either. So, what am I missing? Do I need to create the full .ear file blah, blah so hot-deployment works? As I don't use EJB, I was thinking about just using a plain .war file with just the web application. Is that the problem?

Thank you very much in advance, regards Dan
Re: Simultaneous Username/Password Detection
Hi,

Regarding security, the JSDK spec is IMHO too simple and that has forced many people to reinvent the wheel again and again, or get into proprietary solutions. We chose to go our own way to be fully portable and we end up with such a system:

.- As we already have implemented a Model 2 architecture with a servlet controller, it was quite easy to decide where the security checks would be performed, that is, the controller servlet.
.- To have an architecture that was also portable between applications and avoid copy/paste, we developed our security mechanisms(SM) using basically abstract classes and interfaces. This allows us to secure an application just by implementing the appropriate classes, which can be done apart of the business logic.
.- We distinguish two parts: Defining the security environment of the application(users, roles...) and defining the security requirements of the applications operations(which roles are required for each request).
.- For the first problem we provide a set of interfaces to define the users and roles at initialization time, to be stored in a cache (we also already provide an XML-based implementation that can be used for simple applications out-of-the-box and works from a file, URL or a database).
.- For the second we wanted the ability to set the security constraints in runtime. So we implemented the SM so they ask for each request, through the interfaces, which is the required permission to perform such a request. As the application implementation is passed the request and the context, it can decide the required permissions depending on the parameters, the URL, some values stored in the servlet context...
.- We also provide a "dynamic" setting in which we just pass the username/password and request to the application implementation and it has to answer back if the request is allowed or not. This feature is useful when you have too many users and they won't fit in the cache, or they change very often.

The trickiest part to implement was the cache of sessions as we wanted to allow basic and form authentication and be able to log out, detect simultaneous sessions... Handling all that with the various browsers behaviours was not a simple task, but once done...

But the key point is that it is a proprietary mechanism that we have to maintain and update, and I don't think we should do it. If the standard was complete enough, something like that would be specified in a portable way and every container vendor would provide such a service, thus making applications really portable. The proof to see that the standard is not complete is that every container vendor has its own implementation. To be truly portable, you have to roll your own, but I wish I hadn't to.

Just my 2ec, Dan

PS: BTW, we are not a porn site either ;), just tired of copy/pasting the same security routines over and over and...

------- Daniel Lopez Janariz ([EMAIL PROTECTED]) Web Services Computer Center Balearic Islands University ---

David Morton wrote:

I am building a system that protects content by username and password. No problem there. The more complicated part of the system prevents two people using the same username and password at the same time on our web site. I have a plan to do this, but I haven't seen if there are any common methods/techniques/strategies/design patterns to do this in a jsp environment. Nor do any of our developers have any experience in doing this.

Currently, I am just going to store server generated sessionId's and userId's with other necessary data/time checks...of course the user must be able to take over use of that username and password because the browser may crash...or they forget to hit logout...and also I must flag when this happens too many times in a period of time as a red flag...obviously with an html web site, there is no 100% accurate way to only have one user using the site at once, however, I can build it well enough that 95% of the users that are giving out their passwords won't because it is annoying to keep re-logging in and being locked out for an hour if you trip one of our red flags...thoughts? experiences?

This is not for a porn site, however, I bet that porn people have something like this.

David
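
The plan David outlines (one active session per user, takeover allowed, repeated takeovers flagged and answered with a lockout), as an added example that is not code from anyone in the thread. The class name `SingleSessionRegistry` and the thresholds in `main` are assumptions; the post only says "too many times in a period of time" and "locked out for an hour".

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Added example (hypothetical class): one active session per user, with takeover and lockout.
public class SingleSessionRegistry {

    public enum Result { OK, TOOK_OVER, LOCKED_OUT }

    private static final class Entry {
        String activeSessionId;
        final Deque<Long> takeovers = new ArrayDeque<>(); // times of recent takeovers
        long lockedUntil;                                  // 0 = not locked
    }

    private final Map<String, Entry> byUser = new HashMap<>();
    private final int maxTakeovers;     // takeovers tolerated inside the window
    private final long windowMillis;
    private final long lockoutMillis;

    public SingleSessionRegistry(int maxTakeovers, long windowMillis, long lockoutMillis) {
        this.maxTakeovers = maxTakeovers;
        this.windowMillis = windowMillis;
        this.lockoutMillis = lockoutMillis;
    }

    // Call after the password check has succeeded, with the server-generated session id.
    // The time is a parameter so the policy can be exercised without waiting.
    public synchronized Result login(String userId, String sessionId, long now) {
        Entry e = byUser.get(userId);
        if (e == null) {
            e = new Entry();
            byUser.put(userId, e);
        }
        if (now < e.lockedUntil) return Result.LOCKED_OUT;
        if (e.activeSessionId == null || e.activeSessionId.equals(sessionId)) {
            e.activeSessionId = sessionId;
            return Result.OK;
        }
        // Another session holds the account. The newcomer wins (crashed browser,
        // forgotten logout), but every takeover is counted.
        while (!e.takeovers.isEmpty() && now - e.takeovers.peekFirst() > windowMillis) {
            e.takeovers.removeFirst();
        }
        e.takeovers.addLast(now);
        if (e.takeovers.size() > maxTakeovers) {
            e.activeSessionId = null;
            e.takeovers.clear();
            e.lockedUntil = now + lockoutMillis;
            return Result.LOCKED_OUT;
        }
        e.activeSessionId = sessionId;
        return Result.TOOK_OVER;
    }

    // Per-request check: a displaced session is no longer valid.
    public synchronized boolean isCurrent(String userId, String sessionId, long now) {
        Entry e = byUser.get(userId);
        return e != null && now >= e.lockedUntil && sessionId.equals(e.activeSessionId);
    }

    public synchronized void logout(String userId, String sessionId) {
        Entry e = byUser.get(userId);
        if (e != null && sessionId.equals(e.activeSessionId)) e.activeSessionId = null;
    }

    public static void main(String[] args) {
        long min = 60_000L;
        // Assumed policy: more than 3 takeovers in 10 minutes locks the account for 60 minutes.
        SingleSessionRegistry reg = new SingleSessionRegistry(3, 10 * min, 60 * min);
        // Constructed scenario: two browsers sharing one password keep displacing each other.
        String[] sessions = {"sess-A", "sess-B", "sess-A", "sess-B", "sess-A"};
        for (int i = 0; i < sessions.length; i++) {
            System.out.println("t=" + i + "min " + sessions[i] + " -> "
                    + reg.login("alice", sessions[i], i * min));
        }
        System.out.println("sess-B still valid at t=5min: " + reg.isCurrent("alice", "sess-B", 5 * min));
        System.out.println("t=30min -> " + reg.login("alice", "sess-A", 30 * min));
        System.out.println("t=64min -> " + reg.login("alice", "sess-A", 64 * min));
    }
}
```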
Re: Why xsl:include seems to try to find files in /Orion folder andnotweb-app root?
Hi, I've been using Xalan for quite a long time and whenever I used <xsl:import href="fileName.xsl"/>, it always used the directory where the xsl was located as base directory, NOT the working directory. This includes Xalan 1.2.x versions as I haven't upgraded to 2.0 yet. So I would say Xalan follows the specification. Regards, Dan Arved Sandstrom wrote: We have observed this behaviour with Xalan (1.2.x family) both in and outside of app servers. Xalan uses the "working directory", according to Java, as the base URI. Which is of course wrong. Dunno about Xalan2. Possibly fixed. In any case I'm planning to switch over to Saxon. Regards, Arved Sandstrom -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dan Cramer Sent: Tuesday, February 13, 2001 4:54 AM To: Orion-Interest Subject: RE: Why xsl:include seems to try to find files in /Orion folder and not web-app root? Check out the XSLT spec at http://www.w3.org/TR/xslt#include. According to the spec, in an xsl:include tag, a relative URI as the value for the href attribute should be interpreted as starting in the same directory as the including stylesheet. Example: assume that a stylesheet /www/xsl/A uses the tag: xsl:include href="B", then the XSLT engine should include the stylesheet /www/xsl/B. If this isn't what you're seeing, then your processor has a bug. This might help more than my suggestion before :-) Dan Cramer Chief Architect Dynamic Resolve, LLC Internet Solutions Consulting -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Duffey, Kevin Sent: Monday, February 12, 2001 5:47 PM To: Orion-Interest Subject: Why xsl:include seems to try to find files in /Orion folder and not web-app root? Hi, When I use the xsl:include.. directive, it appears to look in server root dir, and not the web-app root it's deployed in. 
I am not quite sure if this is something to do with Orion, or if all servers operate in this manner and therefore it's an error of the XSLT technology. Or.. perhaps it's an error of the saxon library I am working with. Just wondering if anyone working with Orion and XSL has seen this problem or not? Thanks.
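The base-URI behaviour discussed in this thread can be reproduced with a small program; this is an added example, not code from any poster, and it assumes the standard JAXP API (`javax.xml.transform`) rather than the Xalan 1.2.x or Saxon APIs of the time. The stylesheets and file names are constructed. A processor can only resolve a relative `href` against the including stylesheet when the `Source` carries a system ID; a bare stream leaves it to fall back on some other base, such as the server's working directory.

```java
import java.io.*;
import java.nio.file.*;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;

public class IncludeBaseUri {
    static final String NS = "xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"";

    // Constructed stylesheets: A.xsl pulls in B.xsl through a relative href.
    static final String A = "<xsl:stylesheet version=\"1.0\" " + NS + ">"
        + "<xsl:include href=\"B.xsl\"/>"
        + "<xsl:template match=\"/\"><xsl:call-template name=\"b\"/></xsl:template>"
        + "</xsl:stylesheet>";
    static final String B = "<xsl:stylesheet version=\"1.0\" " + NS + ">"
        + "<xsl:template name=\"b\">from-B</xsl:template>"
        + "</xsl:stylesheet>";

    /** Compiles and runs A.xsl; returns the output or the compile error. */
    static String run(Path a, boolean withSystemId) throws IOException {
        try (InputStream in = Files.newInputStream(a)) {
            StreamSource src = new StreamSource(in);
            // The system ID is the base URI used for xsl:include / xsl:import.
            if (withSystemId) src.setSystemId(a.toUri().toString());
            Transformer t = TransformerFactory.newInstance().newTemplates(src).newTransformer();
            t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
            return "ok: " + out;
        } catch (TransformerException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("xsl-demo");
        Path a = dir.resolve("A.xsl");
        Files.write(a, A.getBytes("UTF-8"));
        Files.write(dir.resolve("B.xsl"), B.getBytes("UTF-8"));
        // Without a system ID the include only works if B.xsl happens to sit
        // in the JVM's working directory, which is not where A.xsl lives.
        System.out.println("stream only    -> " + run(a, false));
        System.out.println("with system id -> " + run(a, true));
    }
}
```

Setting the system ID explicitly also makes it predictable which directory an included stylesheet is read from, instead of depending on where the server process was started.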
Re: Orion and SSL
Hi all, Well, I played a lot with my certificate, test certificates blah, blah, blah and the final answer is NO. You cannot, AFAIK, use an existing certificate unless you generated the request with keytool and you kept the keystore. The key point is that when you generate a certificate request, public key and private key are generated and stored in the keystore, if you didn't create your request with keytool you don't have this information and when you import the real certificate, it is treated as a trusted certificate (like Verisign's one) but not as a valid key to validate itself. I didn't find any info on how to import the private key into the keystore so I assume the answer is that you cannot. Requesting a new certificate whose request has been generated with the keytool seems to be the answer but then you have to pay again. I would suggest this information to be included in the SSL how-to as this might save other people from getting the headaches I got while playing with all these buzzwords ;). Regards and thank you to all the people that offered their advice. Dan Rafael Alvarez wrote: Hello Daniel, Sorry for the delay in the answer. I had the same trouble migrating a certificate from IIS to orion. Did you generate the request to Verisign using the keystore where you're importing it? If not, you need to request a new certificate. Check Verisign to see how that can be done. Hope this helps. -- Best regards, Rafael mailto:[EMAIL PROTECTED]
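The distinction drawn in this message, a keystore entry that holds a private key versus one that holds only a trusted certificate, can be checked before starting the server. The following is an added example, not code from the thread or from Orion; it uses the standard `java.security.KeyStore` and JSSE `KeyManagerFactory` APIs and assumes the key password equals the keystore password.

```java
import java.io.*;
import java.security.KeyStore;
import java.util.*;
import javax.net.ssl.*;

public class KeystoreAudit {
    /** Lists every alias with the kind of entry it holds. */
    static List<String> describe(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            // isKeyEntry is also true for secret keys; for an SSL keystore
            // it means "private key plus certificate chain".
            String kind = ks.isKeyEntry(alias)
                ? "key entry (private key + chain, usable by a server)"
                : "trusted certificate only (no private key)";
            out.add(alias + ": " + kind);
        }
        return out;
    }

    /** True if a JSSE server could select a certificate for this key type. */
    static boolean canServe(KeyStore ks, char[] pw, String keyType) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw); // assumption: key password == keystore password
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                String[] a = ((X509KeyManager) km).getServerAliases(keyType, null);
                if (a != null && a.length > 0) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        char[] pw = new char[0];
        if (args.length > 0) {
            Console c = System.console(); // prompt, so the password stays out of argv
            if (c != null) pw = c.readPassword("Keystore password: ");
            try (InputStream in = new FileInputStream(args[0])) { ks.load(in, pw); }
        } else {
            ks.load(null, pw); // constructed empty keystore: the failing case
        }
        describe(ks).forEach(System.out::println);
        System.out.println("RSA server key available: " + canServe(ks, pw, "RSA"));
    }
}
```

A keystore populated only with `keytool -import -trustcacerts` reports trusted-certificate entries and no server key, which is the condition behind the "No available certificate corresponds to the SSL cipher suites which are enabled" error quoted in this thread.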
Re: Displaying image files stored in a database
Hi Paul, We have already done with Oracle what you are asking for. As someone else pointed out, we just use a servlet that gets the images from the database using java.sql.ResultSet.getBinaryStream(). This servlet gets the image, sets the content type accordingly and then just writes the image content to the response output stream. You just have to provide your servlet with enough information to be able to retrieve the image, so the link in your html page would look something like...: <img src="/servlet/my.ImageServlet?image_code=X" /> Then you can alias your servlet, pass the image code as part of the URL etc to make it nicer, but I hope you get the basic idea. You might also try to optimise it by implementing a "cache" of the already extracted images somewhere in your filesystem but that's left as an exercise to get a higher grade ;). regards, Dan Paul Kofon wrote: Hi, Phew! I think I'll just use my solution for now. In future I'll look at yours, perhaps when I get Informix. Hypersonic isn't that sophisticated. As far as I know (I have checked it out but I'm not 100% sure) it doesn't support BLOBs. Thanks a lot for your help. Regards, Paul
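A sketch of the servlet described above, as an added example rather than the poster's code. The table and column names, the JNDI name `jdbc/ImageDS` and the assumption that `image_code` is numeric are all hypothetical. Because `image_code` comes straight from the URL, it is parsed as a number and bound through a `PreparedStatement`, and the content type is sent only if it is on an allowlist.

```java
import java.io.*;
import java.sql.*;
import java.util.*;
import javax.naming.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

public class ImageServlet extends HttpServlet {
    // Only these types are ever sent, whatever the database row says.
    private static final Set<String> ALLOWED =
        new HashSet<>(Arrays.asList("image/gif", "image/jpeg", "image/png"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        long code;
        try { // a missing or non-numeric parameter is rejected here
            code = Long.parseLong(req.getParameter("image_code"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Hypothetical schema: images(image_code, content_type, data)
        String sql = "SELECT content_type, data FROM images WHERE image_code = ?";
        try {
            // Hypothetical JNDI name for the container-managed pool
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/ImageDS");
            try (Connection con = ds.getConnection();
                 PreparedStatement ps = con.prepareStatement(sql)) {
                ps.setLong(1, code); // bound parameter, never concatenated
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next()) { resp.sendError(404); return; }
                    String type = rs.getString("content_type");
                    if (type == null || !ALLOWED.contains(type)) { resp.sendError(404); return; }
                    try (InputStream in = rs.getBinaryStream("data")) {
                        if (in == null) { resp.sendError(404); return; }
                        resp.setContentType(type);
                        resp.setHeader("X-Content-Type-Options", "nosniff");
                        OutputStream out = resp.getOutputStream();
                        byte[] buf = new byte[8192];
                        for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
                    }
                }
            }
        } catch (SQLException | NamingException e) {
            throw new ServletException("image lookup failed", e);
        }
    }
}
```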
Re: Orion and SSL
As I've got no answer at all, should I just suppose you cannot get Orion to work with SSL with an already created certificate by Verisign? Did the message just get lost somehow? Help, somebody? :) Thanks, Dan Daniel Lopez wrote: Hi, I've already browsed the list archive and I've seen that many people have had this problem but I didn't find a solution. So my problem is the typical "Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled" I already imported the certificate using "keytool -import -trustcacerts -file mycert.der -keystore keystore", the certificate has been granted to the same hostname which is specified in the mysite-web-site.xml file, the certificate is valid until October, created by Verisign, 1024 public-key..., SSLv1, it works fine with Apache. So, is there any log file where I can get a more specific error message? Have I forgotten to do something? Any hints? TIA, Dan
Orion and SSL
Hi, I've already browsed the list archive and I've seen that many people have had this problem but I didn't find a solution. So my problem is the typical "Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled" I already imported the certificate using "keytool -import -trustcacerts -file mycert.der -keystore keystore", the certificate has been granted to the same hostname which is specified in the mysite-web-site.xml file, the certificate is valid until October, created by Verisign, 1024 public-key..., SSLv1, it works fine with Apache. So, is there any log file where I can get a more specific error message? Have I forgotten to do something? Any hints? TIA, Dan ------- Daniel Lopez Janariz ([EMAIL PROTECTED]) Web Services Computer Center Balearic Islands University ---