[Resin-interest] Resin on Snow Leopard: Install scripts need updating?

2009-09-14 Thread Rob Lockstone
I have not yet installed Snow Leopard. However, a co-worker has and he  
couldn't get Resin running. This was with Resin 3.1.x and also 4.x.  
Neither would work properly.

It looks like the Resin configuration/make scripts need to be updated.  
Please see this blog entry (not by me) for details.

http://www.angry-fly.com/post.cfm/fixing-railo-and-resin-on-snow-leopard

Rob



___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest


Re: [Resin-interest] Cookie security over SSL (https) connections - Sent Using Google Toolbar

2009-09-14 Thread Mattias Jiderhamn
I think you need to make sure you are using an SSL connection
(request.isSecure()) before you create the Cookies in the first place.
The behaviour when changing a non-secure cookie to a secure one may be
browser dependent.

Abhinav Gupta wrote (2009-09-10 14:34):
> Thanks Jeff,
>
> But we are creating no cookies by our own. Our requirement is to just
> secure the Apache OR Resin created Cookies for session management.
> So we created a generic filter for that.
>
> Regards,
> Abhinav
>
>
> *Jeff Schnitzer* jeff at infohazard.org
> 
> /Wed Sep 9 09:30:32 CDT 2009/
>
> Why aren't you creating the cookies with setSecure(true) in the first place?
>
> If you have tons of legacy code that sets cookies, why not create a
> Filter that wraps HttpServletResponse (there is a convenient
> HttpServletResponseWrapper for this), intercepts the addCookie()
> method calls, and calls setSecure(true)?
>
> If you want this value set, you need to set it outbound, not after
> they've already been to the browser.
>
>
> Jeff
>
> On Wed, Sep 9, 2009 at 3:44 AM, Abhinav Gupta wrote:
> > Hi All,
> >
> > This problem is regarding cookie security over SSL (https). We are running a
> > J2EE web application, our motive is to get the cookie's "isSecure" flag set
> > to true. We tried researching around the resin config settings for this but
> > no luck. Details of the approach we tried and the issue faced are elaborated
> > below.
> >
> > Environment Details
> >
> > 1. Resin 3.1.7 server running a web application called "tool"
> > 2. Apache is in the front forwarding/redirecting all inbound traffic to the
> > resin server.
> > 3. Apache is set up with trusted SSL certificates from godaddy.
> >
> > Problem Details
> >
> > By default for all secure https requests, resin is sending cookies back with
> > "isSecure" flag as false.
> > We tried looking for resin config settings to fix this, but can't find any
> > setting. So we created a Servlet filter in our webapp
> > to trap all inbound requests and manually set the isSecure flag to true.
> >
> > This servlet filter approach partially fixed the problem. We are saying
> > partially because there are two cookies created by
> > the application in browser.
> >
> > Cookie 1: Its path is "/" and the isSecure flag is "false"
> > Cookie 2: Its path is "/tools" and the isSecure flag is "true"
> >
> > So Cookie 2 is as expected, but Cookie 1 is not coming secured, to fix this
> > we tried deploying the same servlet filter in the ROOT webapp of resin. But
> > the problem persisted as before.
> >
> > Here is the servlet filter code.
> >
> > public class CookieFilter implements Filter {
> >
> >     public void doFilter(ServletRequest req, ServletResponse res,
> >             FilterChain chain) throws ServletException, IOException {
> >         // Secure if it's an HTTP-based request
> >         if (req instanceof HttpServletRequest) {
> >             HttpServletRequest httpReq = (HttpServletRequest) req;
> >             HttpServletResponse httpRes = (HttpServletResponse) res;
> >             Cookie[] cookies = httpReq.getCookies();
> >             if (cookies != null && cookies.length > 0) {
> >                 for (Cookie cookie : cookies) {
> >                     // Make the cookie secure
> >                     cookie.setSecure(true);
> >                     // Add it to the response
> >                     httpRes.addCookie(cookie);
> >                 }
> >             }
> >         }
> >         chain.doFilter(req, res);
> >     }
> >
> >     public void init(FilterC
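
Added example, not part of the original thread: a filter along the lines Jeff Schnitzer describes above, wrapping the response so that addCookie() sets the Secure flag on the way out, and doing so only when request.isSecure() is true, as Mattias Jiderhamn suggests. The class names SecureCookieFilter and SecureCookieResponse are hypothetical, and the filter only sees cookies that pass through addCookie() on the wrapped response.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class names): marks every cookie the
// application adds as Secure when the request arrived over SSL.
public class SecureCookieFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse
                && req.isSecure()) {
            // Wrap only on SSL requests, so plain-HTTP responses are untouched.
            res = new SecureCookieResponse((HttpServletResponse) res);
        }
        // Everything further down the chain now writes to the wrapper.
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    // Intercepts addCookie() outbound, before the Set-Cookie header is written.
    static class SecureCookieResponse extends HttpServletResponseWrapper {

        SecureCookieResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            // The cookie still carries the path, domain and max-age the
            // application set; only the Secure flag is changed.
            cookie.setSecure(true);
            super.addCookie(cookie);
        }
    }
}
```

Unlike re-adding the cookies returned by getCookies(), which carry only a name and value, this keeps the path and other attributes the application set.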

Re: [Resin-interest] resin-interest Digest, Vol 39, Issue 6

2009-09-14 Thread Abhinav Gupta
No, this will not work, as it's just creating a Session cookie for SSL by a
new name.
We need to secure all the cookies going over an SSL connection.
Thanks,
Abhinav


> Message: 1
> Date: Thu, 10 Sep 2009 20:02:12 +0300
> From: Kai Virkki 
> Subject: Re: [Resin-interest] Cookie security over SSL (https) connections
> To: General Discussion for the Resin application server
>
> Message-ID:
>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi!
>
> Have you tried using ssl-session-cookie configuration?
>
> Here's the documentation:
>
> http://caucho.com/resin-3.1/doc/cluster-tags.xtp#ssl-session-cookie
>
>
> Cheers,
> Kai
>
>
> 2009/9/9 Abhinav Gupta:
> > Hi All,
> >
> > This problem is regarding cookie security over SSL (https). We are running a
> > J2EE web application, our motive is to get the cookie's "isSecure" flag set
> > to true. We tried researching around the resin config settings for this but
> > no luck. Details of the approach we tried and the issue faced are elaborated
> > below.
> >
> > Environment Details
> >
> > 1. Resin 3.1.7 server running a web application called "tool"
> > 2. Apache is in the front forwarding/redirecting all inbound traffic to the
> > resin server.
> > 3. Apache is set up with trusted SSL certificates from godaddy.
> >
> > Problem Details
> >
> > By default for all secure https requests, resin is sending cookies back with
> > "isSecure" flag as false.
> > We tried looking for resin config settings to fix this, but can't find any
> > setting. So we created a Servlet filter in our webapp
> > to trap all inbound requests and manually set the isSecure flag to true.
> >
> > This servlet filter approach partially fixed the problem. We are saying
> > partially because there are two cookies created by
> > the application in browser.
> >
> > Cookie 1: Its path is "/" and the isSecure flag is "false"
> > Cookie 2: Its path is "/tools" and the isSecure flag is "true"
> >
> > So Cookie 2 is as expected, but Cookie 1 is not coming secured, to fix this
> > we tried deploying the same servlet filter in the ROOT webapp of resin. But
> > the problem persisted as before.
> >
> >
> > Here is the servlet filter code.
> >
> > public class CookieFilter implements Filter {
> >
> >     public void doFilter(ServletRequest req, ServletResponse res,
> >             FilterChain chain) throws ServletException, IOException {
> >         // Secure if it's an HTTP-based request
> >         if (req instanceof HttpServletRequest) {
> >             HttpServletRequest httpReq = (HttpServletRequest) req;
> >             HttpServletResponse httpRes = (HttpServletResponse) res;
> >             Cookie[] cookies = httpReq.getCookies();
> >             if (cookies != null && cookies.length > 0) {
> >                 for (Cookie cookie : cookies) {
> >                     // Make the cookie secure
> >                     cookie.setSecure(true);
> >                     // Add it to the response
> >                     httpRes.addCookie(cookie);
> >                 }
> >             }
> >         }
> >         chain.doFilter(req, res);
> >     }
> >
> >     public void init(FilterConfig arg0) throws ServletException {
> >     }
> >
> >     public void destroy() {
> >     }
> >
> > }
> >
> > Please suggest.
> >
> > Regards,
> > Abhinav
> >


[Resin-interest] chunked encoding issue in HmuxResponse

2009-09-14 Thread Wu Wesley
affected version: Resin 4.0.0 & 4.0.1
reproducible: every time

HmuxResponse.writeHeadersInt should not always return false, otherwise in
ResponseStream "write-chunk5" will never happen if _chunkedEncoding==false.

This results in UTF8Writer producing a reproducible error.

I modified HmuxResponse.writeHeadersInt to add some lines below:


    // add by wesley start
    boolean hasContentLength = false;
    // add by wesley end
    if (_contentLength >= 0) {
      cb.clear();
      cb.append(_contentLength);
      _req.writeHeader("Content-Length", cb);
      // add by wesley start
      hasContentLength = true;
      // add by wesley end
    } else if (length >= 0) {
      cb.clear();
      cb.append(length);
      _req.writeHeader("Content-Length", cb);
      // add by wesley start
      hasContentLength = true;
      // add by wesley end
    }

    ...

    // add by wesley start
    boolean isChunked = false;
    if (!hasContentLength && !isHead) {
      isChunked = true;
    }
    return isChunked;
    // add by wesley end
  }

and everything goes fine.

-Wesley