DO NOT REPLY [Bug 10544] - crossContext for servlets not working

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10544

crossContext for servlets not working





--- Additional Comments From [EMAIL PROTECTED]  2002-10-10 06:51 ---
I also found this problem in tomcat 4.0.6 and tomcat 4.1.12.

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: Tomcat 4.1.12: Xerces 2.2 problems - > Struts 1.0.2 bug.

[Henri Gomez]

Jean-Francois Arcand wrote:
> Hi,
> 
> with Tomcat 4.1.12, Xerces 2.2 is throwing the following exception:
> 
> org.xml.sax.SAXParseException: The string "--" is not permitted within 
> comments.
>at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
> 
> This is a bug in the org.apache.struts.digester.Digester class. If you 
> uses Struts 1.1 beta 2 jar file, the bug will not happen. Xerces 2.2 
> generates a lot of Warnings and the Digester version of Struts 1.0.2 
> logs an exception instead of a warning. This has been corrected in the 
> current Digester (1.3) we are using.

You means in the struts implementation of Digester ?

> So we have to decide which combinaison we want to support with 4.1.x:

4.1.x => Xerces 2.1 + Struts 1.0.2

5.x => Xerces 2.2 + Struts 1.1b2


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13477] - tomcat 4.1.2 installed from rpms fails to start

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13477

tomcat 4.1.2 installed from rpms fails to start

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||WORKSFORME



--- Additional Comments From [EMAIL PROTECTED]  2002-10-10 06:39 ---
tomcat4 started is a wrapper which change user id to tomcat4 and then launch
tomcat4 with user tomcat4.tomcat4.

If you use dtomcat4 as root at anytime, the logs and settings files will be
owned by root so at a later time they couldn't be updated by a tomcat4 user process.

I didn't see this problem on my box, catalina.out is owned tomcat4.tomcat4.

You should as root :

remove all files in /var/tomcat4/logs/, check the tomcat-users.xml and
jk2.properties in /etc/tomcat4, and make them writeable by tomcat4 if it's not
the case.

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Henri Gomez]

> If this reference is in your web.xml file, then my suggestion is already
> being done.  To test it, try temporarily copying the settings.xml file
> into the WEB-INF directory and changing the relative URL appropriately.

Putting the file in WEB-INF works, even if I use ../settings, ie 
directly in webapps/ROOT.

> I'd be -1 on removing the security check in 4.x/5.x.  Fixing 3.3.2 sounds
> like a good idea.

I'll be -1 to fix the 3.3.2 for many reasons :

- It will brake all deployment strategy

- I'm still not sure it's a security problem since nobody prevent
   you to change to PUBLIC and goes outside :

%settings;

to

   http://hackme.com/settings.xml";> 
%settings;

That's more than insecure isn't it ?

I take a look in specs and didn't see anything preventing you to have 
entities located outside WEBAPP so I feel it's a regression and not a
security feature.

Ad minima, in TC 4.x and 5.x, there should be a setting in web.xml,
or server.xml to enable this behaviour even if it's prevented by default.





--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [Proposal] Security Audit

[Glenn Nielsen]

The more who review/audit tomcat for security, the better. :-)

Comments intermixed below.

Jean-Francois Arcand wrote:
> Hi,
> 
> I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I 
> would like to collect as more as information as where you think I should 
> look at (code, security hole, etc.). I'm planning to do the audit using 
> the default SecurityManager. Rigth now, I have started looking at:
> 
> - doPrivilege blocks. Are they small enough? Can they be reduced?

I don't think there are more than a dozen doPrivileged() blocks in all
of catalina and jasper.  They are relatively few and restricted to a
few specific methods in catalina which may get executed by some action
a servlet or jsp performs.  For example, when a jsp page does a forward.

> - JSP generated code. Are they secure? Can a malicious app uses the code 
> to access o.a.catalina code?

Class restrictions are implemented in two ways.
First, the catalina core API's are in server/lib so that they are not
one of the parent class loaders visible to a web app.  Second, the
WebappClassLoader implements checkPackageAccess() and checkPackageDefinition().
These are only implemented if Tomcat was started with the SecurityManager.

One change we considered with Tomcat 4 was whether it should require using
the Java SecurityManager.  You may want to open up that debate again with
Tomcat 5.

> - Is catalina.policy restricted enough?

Not for my needs, my security policies are much more restrictive.
But restrictive enough for some users.  Perhaps there should be a second more
restrictive example catalina.policy.

> - Is our Classloader secure?
> 
> Any direction/ideas/recommendations will be appreciated.
> 

I don't have time right now to particpate in the security audit, but I will
make sure I review any findings.

One item that has been on my todo list for a while is a document on how to
write SecurityManager and web application friendly code.  I find numerous
packages, frameworks, etc. which perform things in ways which are not
friendly to the SecurityManager or a web application.

I have been known to file bug reports with other jakarta projects when I run
across these issues. :-)

Regards,

Glenn




--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13477] New: - tomcat 4.1.2 installed from rpms fails to start

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13477

tomcat 4.1.2 installed from rpms fails to start

   Summary: tomcat 4.1.2 installed from rpms fails to start
   Product: Tomcat 4
   Version: 4.1.12
  Platform: Other
OS/Version: Linux
Status: NEW
  Severity: Normal
  Priority: Other
 Component: Installable Packages
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


I installed the current version of tomcat (4.1.2) from RPMs using the version as
of 9 October (tomcat4-4.1.12-full.2jpp.noarch.rpm). The install worked after I
removed all traces of the prior tomcat install (user and group, etc). When I try
to start tomcat from /etc/init.d/tomcat4 I get an OK but tomcat does not start.

When I start tomcat using /usr/bin/dtomcat4 as root, tomcat starts. When I su -
tomcat4 and start tomcat using /usr/bin/dtomcat4 I get:

-bash-2.05b$ /usr/bin/dtomcat4 start
Using CATALINA_BASE:   /var/tomcat4
Using CATALINA_HOME:   /var/tomcat4
Using CATALINA_TMPDIR: /var/tomcat4/temp
Using JAVA_HOME:   /usr/java/j2sdk1.4
touch: creating `/var/tomcat4/logs/catalina.out': Permission denied
-bash-2.05b$ /usr/bin/dtomcat4: line 205: /var/tomcat4/logs/catalina.out:
Permission denied
q

In /var/tomcat4/logs I see:

-rw-r--r--1 root tomcat4  1731 Oct  9 20:44 catalina.out 

In order for tomcat to touch catalina.out, permissions need to be changed for
the group tomcat4. Once this is done, then tomcat4 will start as expected.

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: mod_jk crash, please help

[Bojan Smojver]

Quoting Eugene Gluzberg <[EMAIL PROTECTED]>:

> Please help. How can i trace this further? How do i get apache to 
> generate a core file so i can see where in apache code this is? Any 
> pointers for help here at all?

Have a look at this: http://httpd.apache.org/dev/debugging.html

Bojan

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler JspReader.java

[luehe]

luehe   2002/10/09 17:49:21

  Modified:jasper2/src/share/org/apache/jasper JspC.java
JspCompilationContext.java
   jasper2/src/share/org/apache/jasper/compiler JspReader.java
  Log:
  Changed visibility of o.a.j.c.JspReader to package scope, and the visibility
  of some of its methods to "private".
  
  Revision  ChangesPath
  1.15  +3 -4  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/JspC.java
  
  Index: JspC.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/JspC.java,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- JspC.java 21 Aug 2002 17:56:03 -  1.14
  +++ JspC.java 10 Oct 2002 00:49:21 -  1.15
  @@ -65,7 +65,6 @@
   import java.net.*;
   import java.util.*;
   
  -import org.apache.jasper.compiler.JspReader;
   import org.apache.jasper.compiler.ServletWriter;
   import org.apache.jasper.compiler.Compiler;
   import org.apache.jasper.compiler.TldLocationsCache;
  
  
  
  1.22  +3 -16 
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/JspCompilationContext.java
  
  Index: JspCompilationContext.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/JspCompilationContext.java,v
  retrieving revision 1.21
  retrieving revision 1.22
  diff -u -r1.21 -r1.22
  --- JspCompilationContext.java11 Sep 2002 19:07:32 -  1.21
  +++ JspCompilationContext.java10 Oct 2002 00:49:21 -  1.22
  @@ -68,7 +68,6 @@
   import javax.servlet.jsp.tagext.TagInfo;
   import javax.servlet.jsp.tagext.TagData;
   import org.apache.jasper.compiler.JspRuntimeContext;
  -import org.apache.jasper.compiler.JspReader;
   import org.apache.jasper.compiler.ServletWriter;
   import org.apache.jasper.compiler.Compiler;
   import org.apache.jasper.servlet.JspServletWrapper;
  @@ -100,7 +99,6 @@
   protected String jspPath;
   protected String classFileName;
   protected String contentType;
  -protected JspReader reader;
   protected ServletWriter writer;
   protected Options options;
   protected JspServletWrapper jsw;
  @@ -491,17 +489,6 @@
   
   public void setContentType(String contentType) {
   this.contentType = contentType;
  -}
  -
  -/**
  - * Get the input reader for the JSP text. 
  - */
  -public JspReader getReader() { 
  -return reader;
  -}
  -
  -public void setReader(JspReader reader) {
  -this.reader = reader;
   }
   
   /**
  
  
  
  1.10  +148 -137  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspReader.java
  
  Index: JspReader.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspReader.java,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- JspReader.java28 Aug 2002 23:50:10 -  1.9
  +++ JspReader.java10 Oct 2002 00:49:21 -  1.10
  @@ -80,137 +80,50 @@
* @author Mark Roth
*/
   
  -public class JspReader {
  +class JspReader {
   
  -protected Mark current  = null;
  -String master = null;
  -
  -Vector sourceFiles = new Vector();
  -int currFileId = 0;
  -int size = 0;
  -
  +private Mark current;
  +private String master;
  +private Vector sourceFiles;
  +private int currFileId;
  +private int size;
   private JspCompilationContext context;
   private ErrorDispatcher err;
  +private Logger.Helper loghelper;
   
   /*
* Set to true when using the JspReader on a single file where we read up
* to the end and reset to the beginning many times.
* (as in ParserCtl.figureOutJspDocument().
*/
  -boolean singleFile = false;
  +private boolean singleFile;
   
  -Logger.Helper loghelper = new Logger.Helper("JASPER_LOG", "JspReader");
  -
  -public String getFile(int fileid) {
  - return (String) sourceFiles.elementAt(fileid);
  -}
  -
  -/**
  - * Register a new source file.
  - * This method is used to implement file inclusion. Each included file
  - * gets a uniq identifier (which is the index in the array of source files).
  - * @return The index of the now registered file.
  - */
  -protected int registerSourceFile(String file) {
  -if (sourceFiles.contains(file))
  -return -1;
  - sourceFiles.addElement(file);
  - this.size++;
  - return sourceFiles.size() - 1;
  -}
  -
  -
  -/**
  - * Unregister the source file.
  - * This method is used to implement file inclusion. Each included file
  - * gets a uniq identifier (which is the index in the array of source

cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler JspUtil.java

[luehe]

luehe   2002/10/09 15:46:41

  Modified:jasper2/src/share/org/apache/jasper/compiler JspUtil.java
  Log:
  Removed redundant methods
  
  Revision  ChangesPath
  1.18  +3 -87 
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspUtil.java
  
  Index: JspUtil.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspUtil.java,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- JspUtil.java  19 Sep 2002 23:21:39 -  1.17
  +++ JspUtil.java  9 Oct 2002 22:46:41 -   1.18
  @@ -235,60 +235,6 @@
   }
   
   /**
  - * Parses the XML document contained in the InputStream.
  - *
  - * @deprecated Use ParserUtils.parseXMLDocument() instead
  - */
  -public static Document parseXMLDoc(String uri, InputStream in) 
  - throws JasperException 
  -{
  - return parseXMLDocJaxp(uri, in);
  -}
  -
  -/**
  - * Parses the XML document contained in the InputStream.
  - * This XML document is either web.xml or a tld.
  - * [The TLD has to be cached internally (see MyEntityResolver)]
  - *
  - * @deprecated Use ParserUtils.parseXMLDocument() instead
  - */
  -public static Document parseXMLDocJaxp(String uri, InputStream in)
  - throws JasperException
  -{
  - try {
  - Document doc;
  - DocumentBuilderFactory docFactory = 
  - DocumentBuilderFactory.newInstance();
  - docFactory.setValidating(true);
  - docFactory.setNamespaceAware(true);
  - DocumentBuilder builder = docFactory.newDocumentBuilder();
  - builder.setEntityResolver(entityResolver);
  - builder.setErrorHandler(errorHandler);
  - doc = builder.parse(in);
  - return doc;
  - } catch (ParserConfigurationException ex) {
  -throw new JasperException(
  - Constants.getString("jsp.error.parse.xml",
  - new Object[]{uri, ex.getMessage()}));
  - } catch (SAXParseException ex) {
  -throw new JasperException(
  - Constants.getString("jsp.error.parse.xml.line",
  - new Object[]{uri,
  -  new Integer(ex.getLineNumber()),
  -  new Integer(ex.getColumnNumber()),
  -  ex.getMessage()}));
  - } catch (SAXException sx) {
  -throw new JasperException(
  -Constants.getString("jsp.error.parse.xml",
  - new Object[]{uri, sx.getMessage()}));
  -} catch (IOException io) {
  -throw new JasperException(
  -Constants.getString("jsp.error.parse.xml",
  - new Object[]{uri, io.toString()}));
  - }
  -}
  -
  -/**
* Checks if all mandatory attributes are present and if all attributes
* present have valid names.  Checks attributes specified as XML-style
* attributes as well as attributes specified using the jsp:attribute
  @@ -477,36 +423,6 @@
}
   }
   
  -public static Hashtable attrsToHashtable(Attributes attrs) {
  -int len = attrs.getLength();
  -Hashtable table = new Hashtable(len);
  -for (int i=0; imailto:[EMAIL PROTECTED]>
For additional commands, e-mail: 

DO NOT REPLY [Bug 13392] - When tag pooling is enabled, release() is not called on tag instances

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13392

When tag pooling is enabled, release() is not called on tag instances

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution||INVALID



--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 22:21 ---
Not a bug.

See description of release() method in JSP.10.1.1.2 (JSP 1.2):
 
  Called on a Tag handler to release state. The page compiler guarantees
  that JSP page implementation objects will invoke this method on all
  tag handlers, but there may be multiple invocations on doStartTag()
  and doEndTag() in between.

Also, see

  http://jakarta.apache.org/taglibs/guidelines.html

Item 2:

  Private, invocation-specific state must be managed manually. Implications
  include that: 

release() is not necessarily called between invocations, which means
that tag logic should not count on private invocation- specific state
being reset by release()

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/runtime JspRuntimeLibrary.java

[luehe]

luehe   2002/10/09 14:59:08

  Modified:jasper2/src/share/org/apache/jasper/resources Tag:
tomcat_4_branch messages.properties
messages_es.properties messages_ja.properties
   jasper2/src/share/org/apache/jasper/runtime Tag:
tomcat_4_branch JspRuntimeLibrary.java
  Log:
  Fixed 13206: Invalid java bean property error message could be reported better.
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.9.2.4   +2 -2  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages.properties
  
  Index: messages.properties
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages.properties,v
  retrieving revision 1.9.2.3
  retrieving revision 1.9.2.4
  diff -u -r1.9.2.3 -r1.9.2.4
  --- messages.properties   8 Oct 2002 23:42:06 -   1.9.2.3
  +++ messages.properties   9 Oct 2002 21:59:08 -   1.9.2.4
  @@ -88,7 +88,7 @@
   jsp.error.beans.nobeaninfo=No BeanInfo for the bean of type ''{0}'' could be found, 
the class likely does not exist.
   jsp.error.beans.introspection=An exception occurred while introspecting the read 
method of property ''{0}'' in a bean of type ''{1}'':\n{2}
   jsp.error.beans.nomethod=Cannot find a method to read property ''{0}'' in a bean of 
type ''{1}''
  -jsp.error.beans.nomethod.setproperty=Can''t find a method to write property ''{0}'' 
in a bean of type ''{1}''
  +jsp.error.beans.nomethod.setproperty=Can''t find a method to write property ''{0}'' 
of type ''{1}'' in a bean of type ''{2}''
   jsp.error.beans.noproperty=Cannot find any information on property ''{0}'' in a 
bean of type ''{1}''
   jsp.error.beans.setproperty.noindexset=Cannot set indexed property
   jsp.error.include.tag=Invalid jsp:include tag
  
  
  
  1.3.2.3   +2 -2  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_es.properties
  
  Index: messages_es.properties
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_es.properties,v
  retrieving revision 1.3.2.2
  retrieving revision 1.3.2.3
  diff -u -r1.3.2.2 -r1.3.2.3
  --- messages_es.properties8 Oct 2002 23:42:06 -   1.3.2.2
  +++ messages_es.properties9 Oct 2002 21:59:08 -   1.3.2.3
  @@ -73,7 +73,7 @@
   jsp.error.beans.nobeaninfo=No se puede encontrar BeanInfo para el bean  ''{0}'' 
seguramente la clase no existe
   jsp.error.beans.introspection=Una excepcion a ocurrido mientras se leia el metodo 
de lectura de la propiedad ''{0}'' en un bean del tipo ''{1}'':\n{2}
   jsp.error.beans.nomethod=No puedo encontrar un metodo para leer la propiedad 
''{0}'' en un bean del tipo ''{1}''
  -jsp.error.beans.nomethod.setproperty=No puedo encontrar un metodo para write de la 
propiedad ''{0}'' en un bean del tipo ''{1}''
  +jsp.error.beans.nomethod.setproperty=No puedo encontrar un metodo para write de la 
propiedad ''{0}'' en un bean del tipo ''{2}''
   jsp.error.beans.noproperty=No puedo encontrar informacion de la propiedad ''{0}'' 
en un bean del tipo ''{1}''
   jsp.error.beans.setproperty.noindexset=No puedo hacer set de la propiedad indexada
   jsp.error.include.tag=Tag jsp:include no valido
  
  
  
  1.2.2.2   +2 -2  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_ja.properties
  
  Index: messages_ja.properties
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_ja.properties,v
  retrieving revision 1.2.2.1
  retrieving revision 1.2.2.2
  diff -u -r1.2.2.1 -r1.2.2.2
  --- messages_ja.properties8 Oct 2002 23:42:06 -   1.2.2.1
  +++ messages_ja.properties9 Oct 2002 21:59:08 -   1.2.2.2
  @@ -84,7 +84,7 @@
   jsp.error.beans.nobeaninfo=\u30bf\u30a4\u30d7 ''{0}'' 
\u306eBean\u306bBeanInfo\u304c\u306a\u3044\u306e\u3092\u691c\u51fa\u3057\u307e\u3057\u305f,
 
\u30af\u30e9\u30b9\u304c\u5b58\u5728\u3057\u306a\u3044\u304b\u3082\u3057\u308c\u307e\u305b\u3093
   jsp.error.beans.introspection=\u30bf\u30a4\u30d7 ''{1}'' 
\u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' 
\u306eread\u30e1\u30bd\u30c3\u30c9\u3092\u5185\u7701\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f:\n{2}
   jsp.error.beans.nomethod=\u30bf\u30a4\u30d7 ''{1}'' 
\u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' 
\u3092\u8aad\u307f\u8fbc\u3080\u30e1\u30bd\u30c3\u30c9\u3092\u767a\u898b\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f
  -jsp.error.beans.nomethod.setproperty=\u30bf\u30a4\u30d7 ''{1}'' 
\u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' 
\u3092\u66f8\u304d\u8fbc\u3080\u30e1\u30bd\u30c3\u30c9\u3092\u767a\u898b\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u3

cvs commit: jakarta-servletapi-5/jsr152/examples/jsp2/misc config.jsp config.txt

[kinman]

kinman  2002/10/09 14:31:24

  Modified:jsr152/examples/WEB-INF web.xml
   jsr152/examples/jsp2/misc config.jsp config.txt
  Log:
  - Modified the examples to use el-ignore and scripting-invalid
  
  Revision  ChangesPath
  1.4   +2 -2  jakarta-servletapi-5/jsr152/examples/WEB-INF/web.xml
  
  Index: web.xml
  ===
  RCS file: /home/cvs/jakarta-servletapi-5/jsr152/examples/WEB-INF/web.xml,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- web.xml   7 Oct 2002 18:09:58 -   1.3
  +++ web.xml   9 Oct 2002 21:31:24 -   1.4
  @@ -202,9 +202,9 @@

JSPConfiguration
/jsp2/misc/config.jsp
  - false
  + true
ISO-8859-1
  - false
  + true
/jsp2/misc/prelude.jspf
/jsp2/misc/coda.jspf

  
  
  
  1.2   +2 -2  jakarta-servletapi-5/jsr152/examples/jsp2/misc/config.jsp
  
  Index: config.jsp
  ===
  RCS file: /home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/misc/config.jsp,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- config.jsp7 Sep 2002 00:48:00 -   1.1
  +++ config.jsp9 Oct 2002 21:31:24 -   1.2
  @@ -7,9 +7,9 @@
   
 Uses  to include the top banner.
 Uses  to include the bottom banner.
  -  Uses  false to disable 
  +  Uses  true to disable 
  <% scripting %> elements
  -  Uses  false to disable ${EL} elements
  +  Uses  true to disable ${EL} elements
 Uses  ISO-8859-1 to set the page encoding (though 
this is the default anyway)
   
   There are various other configuration options that can be used.
  
  
  
  1.2   +2 -2  jakarta-servletapi-5/jsr152/examples/jsp2/misc/config.txt
  
  Index: config.txt
  ===
  RCS file: /home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/misc/config.txt,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- config.txt7 Sep 2002 00:48:00 -   1.1
  +++ config.txt9 Oct 2002 21:31:24 -   1.2
  @@ -7,9 +7,9 @@
   
 Uses  to include the top banner.
 Uses  to include the bottom banner.
  -  Uses  false to disable 
  +  Uses  true to disable 
  <% scripting %> elements
  -  Uses  false to disable ${EL} elements
  +  Uses  true to disable ${EL} elements
 Uses  ISO-8859-1 to set the page encoding (though 
this is the default anyway)
   
   There are various other configuration options that can be used.
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 11678] - JNDIRealm times out/prompts for password with BASIC authentication

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11678

JNDIRealm times out/prompts for password with BASIC authentication





--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 20:33 ---
Another problem is that I'm pretty sure that if you use BASIC authentication 
rather than session based authentication, it doesn't do any caching which 
means that everytime you access a protected resource, it authenticates against 
the LDAP directory which isn't a very efficient thing to do.

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13206] - Invalid java bean property error message could be reported better.

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13206

Invalid java bean property error message could be reported better.

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/runtime JspRuntimeLibrary.java

[luehe]

luehe   2002/10/09 13:21:52

  Modified:jasper2/src/share/org/apache/jasper/resources
messages.properties messages_es.properties
messages_ja.properties
   jasper2/src/share/org/apache/jasper/runtime
JspRuntimeLibrary.java
  Log:
  Fixed 13206: Invalid java bean property error message could be reported better.
  
  Revision  ChangesPath
  1.45  +2 -2  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages.properties
  
  Index: messages.properties
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages.properties,v
  retrieving revision 1.44
  retrieving revision 1.45
  diff -u -r1.44 -r1.45
  --- messages.properties   8 Oct 2002 23:22:57 -   1.44
  +++ messages.properties   9 Oct 2002 20:21:52 -   1.45
  @@ -94,7 +94,7 @@
   jsp.error.beans.nobeaninfo=No BeanInfo for the bean of type ''{0}'' could be found, 
the class likely does not exist.
   jsp.error.beans.introspection=An exception occurred while introspecting the read 
method of property ''{0}'' in a bean of type ''{1}'':\n{2}
   jsp.error.beans.nomethod=Cannot find a method to read property ''{0}'' in a bean of 
type ''{1}''
  -jsp.error.beans.nomethod.setproperty=Can''t find a method to write property ''{0}'' 
in a bean of type ''{1}''
  +jsp.error.beans.nomethod.setproperty=Can''t find a method to write property ''{0}'' 
of type ''{1}'' in a bean of type ''{2}''
   jsp.error.beans.noproperty=Cannot find any information on property ''{0}'' in a 
bean of type ''{1}''
   jsp.error.beans.setproperty.noindexset=Cannot set indexed property
   jsp.error.include.tag=Invalid jsp:include tag
  
  
  
  1.16  +2 -2  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_es.properties
  
  Index: messages_es.properties
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_es.properties,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- messages_es.properties8 Oct 2002 23:22:57 -   1.15
  +++ messages_es.properties9 Oct 2002 20:21:52 -   1.16
  @@ -73,7 +73,7 @@
   jsp.error.beans.nobeaninfo=No se puede encontrar BeanInfo para el bean  ''{0}'' 
seguramente la clase no existe
   jsp.error.beans.introspection=Una excepcion a ocurrido mientras se leia el metodo 
de lectura de la propiedad ''{0}'' en un bean del tipo ''{1}'':\n{2}
   jsp.error.beans.nomethod=No puedo encontrar un metodo para leer la propiedad 
''{0}'' en un bean del tipo ''{1}''
  -jsp.error.beans.nomethod.setproperty=No puedo encontrar un metodo para write de la 
propiedad ''{0}'' en un bean del tipo ''{1}''
  +jsp.error.beans.nomethod.setproperty=No puedo encontrar un metodo para write de la 
propiedad ''{0}'' en un bean del tipo ''{2}''
   jsp.error.beans.noproperty=No puedo encontrar informacion de la propiedad ''{0}'' 
en un bean del tipo ''{1}''
   jsp.error.beans.setproperty.noindexset=No puedo hacer set de la propiedad indexada
   jsp.error.include.tag=Tag jsp:include no valido
  
  
  
  1.16  +2 -2  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_ja.properties
  
  Index: messages_ja.properties
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/resources/messages_ja.properties,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- messages_ja.properties8 Oct 2002 23:22:57 -   1.15
  +++ messages_ja.properties9 Oct 2002 20:21:52 -   1.16
  @@ -84,7 +84,7 @@
   jsp.error.beans.nobeaninfo=\u30bf\u30a4\u30d7 ''{0}'' 
\u306eBean\u306bBeanInfo\u304c\u306a\u3044\u306e\u3092\u691c\u51fa\u3057\u307e\u3057\u305f,
 
\u30af\u30e9\u30b9\u304c\u5b58\u5728\u3057\u306a\u3044\u304b\u3082\u3057\u308c\u307e\u305b\u3093
   jsp.error.beans.introspection=\u30bf\u30a4\u30d7 ''{1}'' 
\u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' 
\u306eread\u30e1\u30bd\u30c3\u30c9\u3092\u5185\u7701\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f:\n{2}
   jsp.error.beans.nomethod=\u30bf\u30a4\u30d7 ''{1}'' 
\u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' 
\u3092\u8aad\u307f\u8fbc\u3080\u30e1\u30bd\u30c3\u30c9\u3092\u767a\u898b\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f
  -jsp.error.beans.nomethod.setproperty=\u30bf\u30a4\u30d7 ''{1}'' 
\u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' 
\u3092\u66f8\u304d\u8fbc\u3080\u30e1\u30bd\u30c3\u30c9\u3092\u767a\u898b\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f
  +jsp.error.beans.nomethod.setproperty=\u30bf\u30a4\u30d7 ''{2}'' 
\u306eBean\u4e2d\u306e\u5c5e\u6027 ''{0}'' 
\u3092\u66f8\u304d\u8fbc\u3080\u30e1\u30bd\u30c3\u30c9\u

DO NOT REPLY [Bug 11678] - JNDIRealm times out/prompts for password with BASIC authentication

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11678

JNDIRealm times out/prompts for password with BASIC authentication





--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 20:21 ---
I've noticed this bug with tomcat 4.1.12 as well. I believe this is because the 
ldap server timesout the connection after some time if there is no activity 
from the ldap client. Once the timeout occurs, if a user tries to browse a url 
that requires authentication, the bind operation in ldap fails as ldap 
connection is invalid and JNDIRealm class throws a 
javax.naming.CommunicationException. This results in authentication failure and 
user is prompted for authentication again. This is quite irritating to the 
user. When user types in uid/password second time, a new ldap connection is 
created and authentication succeeds.

I think the solution is to detect ldap connection timeout in JNDIRealm and make 
a new connection if necessary and then perform the bind for authentication. 
Hope this bug gets fixed.

-nagraj

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13419] - Weird seg fault on Mac OS X for mod_jk2 + Apache2

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13419

Weird seg fault on Mac OS X for mod_jk2 + Apache2





--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 20:03 ---
That's very strange. 
First - make sure you compile with -O0 - it may be something wrong with the
line numbers due to reordering by the compiler. 
It seems obvious that the NPE is in the printf implementation - that's 
common in many OSes if a param is NULL. However the code fragment seems
to check for null.

I would sugest double checking the -O flag and the printf params.

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 11730] - build fails - can't find jni_md.h

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11730

build fails - can't find jni_md.h

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED



--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 19:57 ---
You need a -Dlinux=1 as param. 
( and we need to either automate the os detection or document this better ).

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [Proposal] Security Audit

[Jean-Francois Arcand]

Costin Manolache wrote:

  AFAIK, the most important check is doPriviledged(). What we need
to look for is if any of those blocks could be used by 
untrusted code to do something. 

The second very important check is the facades - making sure 
untrusted code can't get access to the real objects.

We should also make sure that the facades are not reused or
are reused only inside a context.

It is nice to review all code for security and bugs ( and general
quality ) - but IMO it is more important to review first the 
critical areas.

I will start looking at the doPrivilege block. One thing that I have found
is most Tomcat's doPrivilege block contains more operations that they should.
Minimizing what we put inside the doPrivilege is very important. As an example
(need to be optimized), I made some change to the WebappClassLoader (see
the diff.txt). 


  

The ClassLoader shouldn't create any major problems ( at least in
delegating mode - in non delegating mode we can only trust the 
servlet experts that they did the resarch and can guarantee there's
no security implications. I haven't heard anything convincing on this, but 
they should have this knowledge - otherwise it wouldn't be in the spec :-)

Other areas we can look first are:

- Admin Tool. Is the tool secure enougth?
- Invoker/Defaut Servlet ;-)
- The code Jasper generates. This is one place where  facade will get accessed.

-- Jeanfrancois




  


Costin

Bob Herrmann wrote:

  
  
FYI, Just to start off, I am going to review these classes.  If
someone else also reviews them, thats probably a good thing...

# classes, package name

17 o.a.c.deploy
9  o.a.c.users
44 o.a.c.*
34 o.a.jk.*
15 j.s.http

Briefly, I am going to look for
 - How/if a ClassLoader is used
 - privilege blocks (are they small, use trusted values)
 - look for non-final static variables (can they be abused)
 - can methods/fields be made private?
 - are mutable objects returned to caller (especially arrays)
   think about returning clones
 - non final equals/hashcode methods? (accessing sensitive stuff?)
 - Serializable (exposes private stuff?)

Does anyone publish a security checklist list like this?

Blah Blah,
-bob


On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote:


  Hi,

I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I
would like to collect as more as information as where you think I should
look at (code, security hole, etc.). I'm planning to do the audit using
the default SecurityManager. Rigth now, I have started looking at:

- doPrivilege blocks. Are they small enough? Can they be reduced?
- JSP generated code. Are they secure? Can a malicious app uses the code
to access o.a.catalina code?
- Is catalina.policy restricted enough?
- Is our Classloader secure?

Any direction/ideas/recommendations will be appreciated.

Thanks,

-- Jeanfrancois


--
To unsubscribe, e-mail:  
 For additional
commands, e-mail: 
  

  
  
  




Index: WebappClassLoader.java
===
RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v
retrieving revision 1.6
diff -u -r1.6 WebappClassLoader.java
--- WebappClassLoader.java  5 Sep 2002 11:38:59 -   1.6
+++ WebappClassLoader.java  9 Oct 2002 19:23:07 -
@@ -154,16 +154,16 @@
 protected class PrivilegedFindResource
 implements PrivilegedAction {
 
-private String name;
+private int filePointer;
 private String path;
 
-PrivilegedFindResource(String name, String path) {
-this.name = name;
+PrivilegedFindResource(int filePointer, String path) {
+this.filePointer = filePointer;
 this.path = path;
 }
 
 public Object run() {
-return findResourceInternal(name, path);
+return findResourceInternal(filePointer, path);
 }
 
 }
@@ -895,13 +895,7 @@
 
 ResourceEntry entry = (ResourceEntry) resourceEntries.get(name);
 if (entry == null) {
-if (securityManager != null) {
-PrivilegedAction dp =
-new PrivilegedFindResource(name, name);
-entry = (ResourceEntry)AccessController.doPrivileged(dp);
-} else {
-entry = findResourceInternal(name, name);
-}
+entry = findResourceInternal(name, name);
 }
 if (entry != null) {
 url = entry.source;
@@ -1479,13 +1473,7 @@
 
 ResourceEntry entry = null;
 
-if (securityManager != null) {
-PrivilegedAction dp =
-new PrivilegedFindResource(name, classPath);
-entry = (ResourceEntry)AccessController.doPrivileged(dp);
-} else {
-entry = findResourceInternal(name, classPath);
-}
+entry = findResourceInternal(name, classPath);
 
 if ((entry == null

Axis1.0 and chains/handlers

[Costin Manolache]

This is just FYI, in case you don't know all this already.

I'm sure some of you are already using axis. One thing it
would be worth looking at is the basic architecture they use
for request processing. 

I think the model they're using is more powerfull than both
3.3 Interceptor and 4.0 Valve, and it may be worth understanding
it better.

They use multiple named 'chains' - request chain, transport chain, etc.
Each chain consist of Handlers - and the config explicitely specifies
the order of handlers in each chain.

That's an improvement over 3.3 - the system is more extensible ( 
instead of few dozens hardcoded callbacks in BaseInterceptor ). It
also allow fine control over the order of handlers - which is one
of the big pain points.

It provide benefits over 4.0 - where all processing happens in a
single chain ( with some additional 'chains' in listeners ).

It is also better than ActionCode - again, it is extensible (
we hardcode all the chains ) and provides more control.

The code is quite messy ( again IMO ), but as I said it is well
worth learning and using some of the ideas in future tomcats.

-- 
Costin



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [JK2] make hostMap cache

[Costin Manolache]

+1

One question - do you think it's a good idea to extend the jk2_map
to do the full mapping ? ( actually, all the code is there, but
it's not used ). 

By full mapping I mean setting/sending the 'servletPath', 'pathInfo', 
'wrapperName' and all the extra information that is needed - and bypassing 
the normal mapper in java.

In order for this to work we need to add the extra info to the [uri]
and make sure it is sent - and then find how to bypass catalina mapper
( for 3.3 it's quite easy ).

Costin


Mladen Turk wrote:

> Hi,
> 
> I would like to make the hostMap cache for hostname:port combination.
> Right now we doing hostMap over and over again for each request, so I
> would like to make a table that will save the once found hostEnv for
> requested hostname:port combination, skipping hostMap when already
> resolved.
> 
> Any objections to that?
> 
> Also I would like to extend the jk2_map to use the precomputed key
> checksum value, similar to the apr's table. That will give us
> significant speedup for table processing.
> 
> MT.

-- 
Costin



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13467] New: - getResource() URL doesn't know the content type

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13467

getResource() URL doesn't know the content type

   Summary: getResource() URL doesn't know the content type
   Product: Tomcat 4
   Version: 4.0.4 Final
  Platform: All
OS/Version: All
Status: NEW
  Severity: Normal
  Priority: Other
 Component: Unknown
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


the URL object returned by the ServletContext's getResource() method
doesn't figure out the content-type of the wrapped resource

strictly speaking this is maybe not a bug
but shurely is a low-quality implementation

the javadoc for ServletContext's getResourceAsStream() method says:
"Meta-information such as content length and CONTENT TYPE that is available via 
getResource method is lost when using this method."
so it implicitly states, that the content type should be available from the 
getResource() method

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [5.0] [VOTE] Remove deprecated and unsupported components

[Bill Barker]

> 
> 
> [X] Remove deprecated org.apache.catalina.connector components from the 
> j-t-catalina module
> [ ] Leave them in
> 
> 



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [Proposal] Security Audit

[Costin Manolache]

AFAIK, the most important check is doPriviledged(). What we need
to look for is if any of those blocks could be used by 
untrusted code to do something. 

The second very important check is the facades - making sure 
untrusted code can't get access to the real objects.

We should also make sure that the facades are not reused or
are reused only inside a context.

It is nice to review all code for security and bugs ( and general
quality ) - but IMO it is more important to review first the 
critical areas.

The ClassLoader shouldn't create any major problems ( at least in
delegating mode - in non delegating mode we can only trust the 
servlet experts that they did the resarch and can guarantee there's
no security implications. I haven't heard anything convincing on this, but 
they should have this knowledge - otherwise it wouldn't be in the spec :-)


Costin

Bob Herrmann wrote:

> FYI, Just to start off, I am going to review these classes.  If
> someone else also reviews them, thats probably a good thing...
> 
> # classes, package name
> 
> 17 o.a.c.deploy
> 9  o.a.c.users
> 44 o.a.c.*
> 34 o.a.jk.*
> 15 j.s.http
> 
> Briefly, I am going to look for
>  - How/if a ClassLoader is used
>  - privilege blocks (are they small, use trusted values)
>  - look for non-final static variables (can they be abused)
>  - can methods/fields be made private?
>  - are mutable objects returned to caller (especially arrays)
>think about returning clones
>  - non final equals/hashcode methods? (accessing sensitive stuff?)
>  - Serializable (exposes private stuff?)
> 
> Does anyone publish a security checklist list like this?
> 
> Blah Blah,
> -bob
> 
> 
> On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote:
>> Hi,
>> 
>> I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I
>> would like to collect as more as information as where you think I should
>> look at (code, security hole, etc.). I'm planning to do the audit using
>> the default SecurityManager. Rigth now, I have started looking at:
>> 
>> - doPrivilege blocks. Are they small enough? Can they be reduced?
>> - JSP generated code. Are they secure? Can a malicious app uses the code
>> to access o.a.catalina code?
>> - Is catalina.policy restricted enough?
>> - Is our Classloader secure?
>> 
>> Any direction/ideas/recommendations will be appreciated.
>> 
>> Thanks,
>> 
>> -- Jeanfrancois
>> 
>> 
>> --
>> To unsubscribe, e-mail:  
>>  For additional
>> commands, e-mail: 

-- 
Costin



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

[JK2] make hostMap cache

[Mladen Turk]

Hi,

I would like to make the hostMap cache for hostname:port combination.
Right now we doing hostMap over and over again for each request, so I
would like to make a table that will save the once found hostEnv for
requested hostname:port combination, skipping hostMap when already
resolved.

Any objections to that?

Also I would like to extend the jk2_map to use the precomputed key
checksum value, similar to the apr's table. That will give us
significant speedup for table processing.

MT.



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [Proposal] Security Audit

[Bob Herrmann]

FYI, Just to start off, I am going to review these classes.  If
someone else also reviews them, thats probably a good thing...

# classes, package name

17 o.a.c.deploy
9  o.a.c.users
44 o.a.c.*
34 o.a.jk.*
15 j.s.http

Briefly, I am going to look for
 - How/if a ClassLoader is used
 - privilege blocks (are they small, use trusted values)
 - look for non-final static variables (can they be abused)
 - can methods/fields be made private?
 - are mutable objects returned to caller (especially arrays)
   think about returning clones
 - non final equals/hashcode methods? (accessing sensitive stuff?)
 - Serializable (exposes private stuff?)

Does anyone publish a security checklist list like this?

Blah Blah,
-bob


On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote:
> Hi,
> 
> I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I 
> would like to collect as more as information as where you think I should 
> look at (code, security hole, etc.). I'm planning to do the audit using 
> the default SecurityManager. Rigth now, I have started looking at:
> 
> - doPrivilege blocks. Are they small enough? Can they be reduced?
> - JSP generated code. Are they secure? Can a malicious app uses the code 
> to access o.a.catalina code?
> - Is catalina.policy restricted enough?
> - Is our Classloader secure?
> 
> Any direction/ideas/recommendations will be appreciated.
> 
> Thanks,
> 
> -- Jeanfrancois
> 
> 
> --
> To unsubscribe, e-mail:   
> For additional commands, e-mail: 
-- 
Bob Herrmann <[EMAIL PROTECTED]>


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

mod_jk crash, please help

[Eugene Gluzberg]

I am running apache 1.3 with mod_jk, my apache has apxs.

I compiled and installed mod_jk from source, tag TOMCAT_4_1_12, 
configured it using the following options:
./configure --with-gnu-ld --with-apxs=/myapxpath/bin/apxs --enable-EAPI 
--with-java-home=/usr/java/jdk1.3.1

ran make

installed mod_jk into the module directory, loaded fine.


I created a virtual host in apache and added the following JkMount:

JkMount /*.jsp wwwuser_wk

My workers.properties looks as follows:
workers.java_home=/usr/java/jdk1.3.1
workers.tomcat_home=/var/tomcat4
worker.list=wwwuser_wk

worker.wwwuser_wk.host=localhost
worker.wwwuser_wk.port=5266
worker.wwwuser_wk.type=ajp13
worker.wwwuser_wk.lbfactor=50
worker.wwwuser_wk.cachesize=10
worker.wwwuser_wk.cache_timeout=600
worker.wwwuser_wk.socket_keepalive=1
worker.wwwuser_wk.socket_timeout=300


I startup apache and tomcat, then i point my browser to xyz.com/index.jsp

I get nothing back on the browser, and the following in error_log
[notice] child pid 19817 exit signal Segmentation fault (11)

I added debugging code to mod_jk and traced it to the following line in 
mod_jk.c
   s->remote_host  = (char *)ap_get_remote_host(r->connection, 
r->per_dir_config, REMOTE_HOST);


REMOTE_HOST seems to be NULL for that since i printed all the stuff from 
there.

Please help. How can i trace this further? How do i get apache to 
generate a core file so i can see where in apache code this is? Any 
pointers for help here at all?

Eugene



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: Tomcat4: Persistent http connection problem

[mike thomas]

I also have been surfing the web to find out how to implement
an applet-to-servlet communication link over a persistent http connection.

There is a working implementation available for download at
http://www.ustobe.com/

After clicking on the 'news' item in the menu, there are links
available to download HttpKeepalive.java, with javadoc explaining
how to use this class.

Mike



_
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/xmlparser ParserUtils.java

[luehe]

luehe   2002/10/09 11:25:39

  Modified:jasper2/src/share/org/apache/jasper/compiler JspConfig.java
TagLibraryInfoImpl.java TldLocationsCache.java
   jasper2/src/share/org/apache/jasper/xmlparser
ParserUtils.java
  Log:
  Removed redundant code
  
  Revision  ChangesPath
  1.5   +4 -5  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspConfig.java
  
  Index: JspConfig.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspConfig.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- JspConfig.java9 Oct 2002 17:41:13 -   1.4
  +++ JspConfig.java9 Oct 2002 18:25:39 -   1.5
  @@ -105,8 +105,7 @@
return;
}
   
  - ClassLoader cl = this.getClass().getClassLoader();
  - ParserUtils pu = ParserUtils.createParserUtils(cl);
  + ParserUtils pu = new ParserUtils();
TreeNode webApp = pu.parseXMLDocument(WEB_XML, is);
if (webApp == null || !"2.4".equals(webApp.findAttribute("version"))) {
defaultIsELIgnored = "true";
  
  
  
  1.16  +4 -5  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/TagLibraryInfoImpl.java
  
  Index: TagLibraryInfoImpl.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/TagLibraryInfoImpl.java,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- TagLibraryInfoImpl.java   27 Sep 2002 20:18:32 -  1.15
  +++ TagLibraryInfoImpl.java   9 Oct 2002 18:25:39 -   1.16
  @@ -258,8 +258,7 @@
   Vector functionVector = new Vector();
   
   // Create an iterator over the child elements of our  element
  -ClassLoader cl = ctxt.getClassLoader();
  -ParserUtils pu = ParserUtils.createParserUtils(cl);
  +ParserUtils pu = new ParserUtils();
   TreeNode tld = pu.parseXMLDocument(uri, in);
   Iterator list = tld.findChildren();
   
  
  
  
  1.8   +12 -13
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/TldLocationsCache.java
  
  Index: TldLocationsCache.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/TldLocationsCache.java,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- TldLocationsCache.java7 Oct 2002 22:52:22 -   1.7
  +++ TldLocationsCache.java9 Oct 2002 18:25:39 -   1.8
  @@ -118,7 +118,7 @@
   public static final int ROOT_REL_URI = 1;
   public static final int NOROOT_REL_URI = 2;
   
  -static private final String WEB_XML = "/WEB-INF/web.xml";
  +private static final String WEB_XML = "/WEB-INF/web.xml";
   
   /**
* The mapping of the 'global' tag library URI to the location
  @@ -128,17 +128,21 @@
*[1] If the location is a jar file, this is the location
*of the tld.
*/
  -private Hashtable mappings = new Hashtable();
  +private Hashtable mappings;
   
  -private Hashtable tlds = new Hashtable();
  +private Hashtable tlds;
  +
  +private boolean initialized;
  +private ServletContext ctxt;
   
  -private boolean initialized=false;
  -ServletContext ctxt;
   //*
   // Constructor and Initilizations
   
   public TldLocationsCache(ServletContext ctxt) {
  -this.ctxt=ctxt;
  +this.ctxt = ctxt;
  + mappings = new Hashtable();
  + tlds = new Hashtable();
  + initialized = false;
   }
   
   private void init() {
  @@ -168,10 +172,7 @@
   }
   
   // Parse the web application deployment descriptor
  -ClassLoader cl =
  -// (ClassLoader) ctxt.getAttribute(Constants.SERVLET_CLASS_LOADER);
  -this.getClass().getClassLoader();
  -ParserUtils pu = ParserUtils.createParserUtils(cl);
  +ParserUtils pu = new ParserUtils();
   TreeNode webtld = pu.parseXMLDocument(WEB_XML, is);
   
// Allow taglib be an element of the root or jsp-config (JSP2.0)
  @@ -286,7 +287,6 @@
   private String parseTldForUri(String resourcePath, InputStream in) 
   throws JasperException
   {
  -
   // Parse the tag library descriptor at the specified resource path
   ParserUtils pu = new ParserUtils();
   TreeNode tld = pu.parseXMLDocument(resourcePath, in);
  @@ -297,7 +297,6 @@
   return body;
   }
   return null; // No  element is present
  -
   }
   
   //

DO NOT REPLY [Bug 13466] New: - Jikes compilation fails

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13466

Jikes compilation fails

   Summary: Jikes compilation fails
   Product: Tomcat 4
   Version: 4.1.12
  Platform: Sun
OS/Version: Solaris
Status: NEW
  Severity: Critical
  Priority: Other
 Component: Jasper 2
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


Solaris 8, Tomcat 4.1.12, Jikes 1.17, JDK 1.2.2_06

Following the instructions for using jikes instead of javac, I am getting the 
following error:

org.apache.jasper.JasperException: Unable to compile class for JSP

An error occurred at line: -1 in the jsp file: null

Generated servlet error:
[javac] jsp/error500_jsp.java added as /export/home/mpark/jakarta-tomcat-
4.1.12/work/Standalone/localhost/memento/jsp/error500_jsp.class doesn't exist.
[javac] Compiling 1 source file
[javac] Using jikes compiler
dropping /usr/java1.2/jre/jre/lib/rt.jar from path as it doesn't exist
dropping /usr/java1.2/Classes/classes.jar from path as it doesn't exist
dropping /usr/java1.2/Classes/ui.jar from path as it doesn't exist
[javac] Compilation arguments:
[javac] '-classpath'

[javac] '/usr/java1.2/jre/lib/ext/iiimp.jar:/usr/java/lib/tools.jar:/export/home
/mpark/jakarta-tomcat-4.1.12/bin/bootstrap.jar:/export/home/mpark/jakarta-
tomcat-4.1.12/webapps/memento/WEB-INF/classes:/export/home/mpark/jakarta-tomcat-
4.1.12/webapps/memento/WEB-INF/lib/log4j-1.2.6.jar:/export/home/mpark/jakarta-
tomcat-4.1.12/webapps/memento/WEB-
INF/lib/memento.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/webapps/memento/WEB-INF/lib/webapp.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/shared/classes:/export/home/mpark/jakarta-tomcat-
4.1.12/common/classes:/export/home/mpark/jakarta-tomcat-
4.1.12/common/endorsed/xercesImpl.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/endorsed/xmlParserAPIs.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/jasper-compiler.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/commons-logging-api.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/naming-factory.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/ant.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/naming-common.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/naming-resources.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/commons-collections.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/activation.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/jta.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/commons-dbcp.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/mail.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/jasper-runtime.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/jdbc2_0-stdext.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/jndi.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/commons-pool.jar:/export/home/mpark/jakarta-tomcat-
4.1.12/common/lib/servlet.jar:/usr/java1.2/jre/lib/rt.jar:/export/home/mpark/jak
arta-tomcat-4.1.12/work/Standalone/localhost/memento'
[javac] '-encoding'
[javac] 'ISO-8859-1'
[javac] '-g'
[javac]
[javac] The ' characters around the executable and arguments are
[javac] not part of the command.
[javac] File to be compiled:
[javac] /export/home/mpark/jakarta-tomcat-
4.1.12/work/Standalone/localhost/memento/jsp/error500_jsp.java




web.xml snippet:


jsp
org.apache.jasper.servlet.JspServlet

logVerbosityLevel
DEBUG


compiler
jikes


javaEncoding
ISO-8859-1

3


# uname -a
SunOS osiris 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-5_10

# java -version
java version "1.2.2"
Solaris VM (build Solaris_JDK_1.2.2_06, native threads, sunwjit)

# jikes -version
Jikes Compiler - Version 1.17 - 27 September 2002

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

JNDI Initial Context, outside webapp

[Luca Zago]

Hi,
I noticed that is pratically impossible to retrieve a JNDI resource 
outside a webapp.If I need to access my resourse in some classes 
istantiated outside a single webapp, I always get an exception.

Name jdbc/myDS is not bound in this Context

I read the docs. If I understand well, the initialContext is read-only, 
(for this reason I cannot published a resource there), then the only 
context available is "java:comp/env", available only insdie a webapp.
I think that a solution could be: since initialContext for sure is 
initialized before webapps, if I can publish a resource there, then I 
can access this resource outside a webapp. have I understood well, is it 
so impossible to publish in the initialContext, like in other 
Application servers?
is there a way to access a JNDI resource outside a webapp?
or is it a limitation of the JNDI implementation in Tomcat?

Thank you in advance for suggestions or explanation.


-- 
Luca Zago
Senior IT Developer
_

E-TREE S.p.a.  Via Fonderia 43 - 31100 Treviso (Italy)
phone +39.0422.3107
fax   +39.0422.310888
http://www.e-tree.com  http://www.webanana.com
_


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13084] - jsp compilation with jikes fails

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13084

jsp compilation with jikes fails





--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 18:03 ---
My apologies. I'm still getting used to bugzilla, and thought the OS version 
was only related to the comment that I was posting. I'll open a new bug.

Matt

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: administration-howto.html

[Amy Roh]

Glenn Nielsen wrote:

> jean-frederic clere wrote:
> > Hi,
> >
> > I am willing to use the administration tools of Tomcat but I am
> > wondering where the administration-howto.html is located.
> >
> > If it is not existing I will create one similar to the existing
> > manager-howto.xml.
> >
> > Any comments?
> >
>
> I know that Amy has been working on taking care of some of the problems
> I posted about the Tomcat 4.1 configuration admin application.  A help
> document was one of the issues.

There is also Tomcat Administration tool tutorial for the Java Web Services at
http://java.sun.com/webservices/docs/1.0/tutorial/doc/Admintool.html.  It
doesn't have the latest admin addition but I'm sure you can reference to the
documentation as you write the administration-howto.html in Tomcat.  Perhaps,
you can add a link to it as well.  Thanks for good suggestion!

Amy

>
>
> This is really needed, thanks!
>
> Glenn
>
> --
> To unsubscribe, e-mail:   
> For additional commands, e-mail: 


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler Compiler.java Generator.java JspConfig.java PageInfo.java TagFileProcessor.java Validator.java

[kinman]

kinman  2002/10/09 10:41:13

  Modified:jasper2/src/share/org/apache/jasper/compiler Compiler.java
Generator.java JspConfig.java PageInfo.java
TagFileProcessor.java Validator.java
  Log:
  - Modified because of spec changes syntax and semantic of turning on and off
scripting and EL.
  
  Revision  ChangesPath
  1.36  +5 -2  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/Compiler.java
  
  Index: Compiler.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/Compiler.java,v
  retrieving revision 1.35
  retrieving revision 1.36
  diff -u -r1.35 -r1.36
  --- Compiler.java 24 Sep 2002 21:24:58 -  1.35
  +++ Compiler.java 9 Oct 2002 17:41:13 -   1.36
  @@ -210,10 +210,13 @@
if (jspProperty.isXml() != null) {
pageInfo.setIsXmlSpecified(true);
}
  + if (jspProperty.isELIgnored() != null) {
  + pageInfo.setELIgnoredSpecified(true);
  + }
pageInfo.setIsXml(JspUtil.booleanValue(jspProperty.isXml()));
pageInfo.setPageEncoding(jspProperty.getPageEncoding());
  - pageInfo.setELEnabled(JspUtil.booleanValue(jspProperty.isELEnabled()));
  - 
pageInfo.setScriptingEnabled(JspUtil.booleanValue(jspProperty.isScriptingEnabled()));
  + pageInfo.setELIgnored(JspUtil.booleanValue(jspProperty.isELIgnored()));
  + 
pageInfo.setScriptingInvalid(JspUtil.booleanValue(jspProperty.isScriptingInvalid()));
pageInfo.setIncludePrelude(jspProperty.getIncludePrelude());
pageInfo.setIncludeCoda(jspProperty.getIncludeCoda());
}
  
  
  
  1.109 +4 -4  
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/Generator.java
  
  Index: Generator.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/Generator.java,v
  retrieving revision 1.108
  retrieving revision 1.109
  diff -u -r1.108 -r1.109
  --- Generator.java8 Oct 2002 00:45:23 -   1.108
  +++ Generator.java9 Oct 2002 17:41:13 -   1.109
  @@ -826,7 +826,7 @@
   
   public void visit(Node.ELExpression n) throws JasperException {
   n.setBeginJavaLine(out.getJavaLine());
  -if ( pageInfo.isELEnabled() ) {
  +if ( !pageInfo.isELIgnored() ) {
   out.printil(
   "out.write("
+ JspUtil.interpreterCall(this.isTagFile,
  
  
  
  1.4   +51 -51
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspConfig.java
  
  Index: JspConfig.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/compiler/JspConfig.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- JspConfig.java24 Aug 2002 21:42:34 -  1.3
  +++ JspConfig.java9 Oct 2002 17:41:13 -   1.4
  @@ -90,8 +90,8 @@
   private boolean initialized = false;
   
   private String defaultIsXml = null;  // unspecified
  -private String defaultIsELEnabled = "true";
  -private String defaultIsScriptingEnabled = "true";
  +private String defaultIsELIgnored = null;// unspecified
  +private String defaultIsScriptingInvalid = "false";
   
   public JspConfig(ServletContext ctxt) {
this.ctxt = ctxt;
  @@ -109,7 +109,7 @@
ParserUtils pu = ParserUtils.createParserUtils(cl);
TreeNode webApp = pu.parseXMLDocument(WEB_XML, is);
if (webApp == null || !"2.4".equals(webApp.findAttribute("version"))) {
  - defaultIsELEnabled = "false";
  + defaultIsELIgnored = "true";
return;
}
TreeNode jspConfig = webApp.findChild("jsp-config");
  @@ -126,8 +126,8 @@
   
   Vector urlPatterns = new Vector();
String pageEncoding = null;
  - String scriptingEnabled = null;
  - String elEnabled = null;
  + String scriptingInvalid = null;
  + String elIgnored = null;
String isXml = null;
Vector includePrelude = new Vector();
Vector includeCoda = new Vector();
  @@ -143,10 +143,10 @@
pageEncoding = element.getBody();
else if ("is-xml".equals(tname))
isXml = element.getBody();
  - else if ("el-enabled".equals(tname))
  - elEnabled = element.getBody();
  - else if ("scripting-enabled".equals(tname))
  - scriptingEnabled = element.getBody();
  + else if ("el-ignored".equals(tname))
  + elIgnored = element.getBody();
  + else if 

Re: [5.0] [VOTE] Remove deprecated and unsupported components

[Amy Roh]

> 
> [X] Remove deprecated org.apache.catalina.connector components from the
> j-t-catalina module
> [ ] Leave them in
> 

Amy


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-servletapi-5/jsr154/src/share/dtd jsp_2_0.xsd

[kinman]

kinman  2002/10/09 10:38:49

  Modified:jsr152/src/share/dtd jsp_2_0.xsd
   jsr152/src/share/javax/servlet/jsp/el Expression.java
   jsr154/src/share/dtd jsp_2_0.xsd
  Log:
  - Patch by Mark Roth
  
  jsr152/src/share/javax/serlvet/jsp/el/Expression.java
   - Removed null as a return value for error - method must throw an
 exception to signal an error.
  
  jsr152/src/share/dtd/jsp_2_0.xsd:
  jsr154/src/share/dtd/jsp_2_0.xsd:
   - As per the Expert Group's decision, changed  to
  and  to .
 Jasper2 needs to be updated accordingly.
  
  Revision  ChangesPath
  1.4   +9 -8  jakarta-servletapi-5/jsr152/src/share/dtd/jsp_2_0.xsd
  
  Index: jsp_2_0.xsd
  ===
  RCS file: /home/cvs/jakarta-servletapi-5/jsr152/src/share/dtd/jsp_2_0.xsd,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- jsp_2_0.xsd   20 Sep 2002 01:56:44 -  1.3
  +++ jsp_2_0.xsd   9 Oct 2002 17:38:49 -   1.4
  @@ -8,7 +8,7 @@
version="2.0">
   
   
  -@(#)jsp_2_0.xsds 1.12 09/18/02
  +%W% %G%
   
   
   
  @@ -150,16 +150,17 @@
   
  -
   
   
   
  -Can be used to easily set the isELEnabled
  +Can be used to easily set the isELIgnored
   property of a group of JSP pages.  By default, the
   EL evaluation is enabled for Web Applications using
  -a Servlet 2.4 or greater web.xml.
  +a Servlet 2.4 or greater web.xml, and disabled
  + otherwise.
   
   
   
  @@ -181,15 +182,15 @@
   
   
   
  -
   
   
   
  -Can be used to easily set the isScriptingEnabled
  -property of a group of JSP pages.  By default,
  -scripting is enabled.
  +Can be used to easily disable scripting in a
  +group of JSP pages.  By default, scripting is
  + enabled.
   
   
   
  
  
  
  1.2   +1 -1  
jakarta-servletapi-5/jsr152/src/share/javax/servlet/jsp/el/Expression.java
  
  Index: Expression.java
  ===
  RCS file: 
/home/cvs/jakarta-servletapi-5/jsr152/src/share/javax/servlet/jsp/el/Expression.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- Expression.java   19 Aug 2002 16:29:50 -  1.1
  +++ Expression.java   9 Oct 2002 17:38:49 -   1.2
  @@ -81,7 +81,7 @@
*
* @param vResolver A VariableResolver instance that can be used at runtime to
*   resolve the name of implicit objects into Objects.
  - * @return The result of the expression evaluation or null if errors were 
encountered.
  + * @return The result of the expression evaluation.
*
* @exception ELException Thrown if the expression evaluation failed.
*/ 
  
  
  
  1.4   +9 -8  jakarta-servletapi-5/jsr154/src/share/dtd/jsp_2_0.xsd
  
  Index: jsp_2_0.xsd
  ===
  RCS file: /home/cvs/jakarta-servletapi-5/jsr154/src/share/dtd/jsp_2_0.xsd,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- jsp_2_0.xsd   20 Sep 2002 01:56:44 -  1.3
  +++ jsp_2_0.xsd   9 Oct 2002 17:38:49 -   1.4
  @@ -8,7 +8,7 @@
version="2.0">
   
   
  -@(#)jsp_2_0.xsds 1.12 09/18/02
  +%W% %G%
   
   
   
  @@ -150,16 +150,17 @@
   
  -
   
   
   
  -Can be used to easily set the isELEnabled
  +Can be used to easily set the isELIgnored
   property of a group of JSP pages.  By default, the
   EL evaluation is enabled for Web Applications using
  -a Servlet 2.4 or greater web.xml.
  +a Servlet 2.4 or greater web.xml, and disabled
  + otherwise.
   
   
   
  @@ -181,15 +182,15 @@
   
   
   
  -
   
   
   
  -Can be used to easily set the isScriptingEnabled
  -property of a group of JSP pages.  By default,
  -scripting is enabled.
  +Can be used to easily disable scripting in a
  +group of JSP pages.  By default, scripting is
  + enabled.
   
   
   
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: commons-daemon release ?

[Costin Manolache]

Remy Maucherat wrote:

> Henri Gomez wrote:
>> I wonder if a release of commons-daemon is planned.
> 
> No, because promoting it to commons proper got vetoed.
> At the moment, it looks like a split between daemon and launcher will
> happen.

For the record - nobody can 'veto' a promotion to commons 
or a release. It is a majority vote. If it gets 3 +1 and 
more +1 than -1 - then it'll pass.

I'm willing to change my vote to -0 if the API is fixed to
not require applications to implement the daemon interfaces
( I don't like the split init any more than I did - and so
I don't plan to use it any time soon ). I remain -1 on
tomcat having dependecies on daemon, and probably -0 on
bundling daemon with tomcat. 

As I said, for 'chuid' functionality I prefer using a direct
call - I have most of it implemented using jk2, I'll
finish this well before 5.0 is released.  

-- 
Costin



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [5.0] [VOTE] Remove deprecated and unsupported components

[Costin Manolache]

Remy Maucherat wrote:


> 
> [X] Remove deprecated org.apache.catalina.connector components from the
> j-t-catalina module
> [ ] Leave them in
> 


-- 
Costin



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: tomcat4 write in conf files which is not FHS compliant

[Costin Manolache]

I'm not sure about this. AFAIK on RedHat and Mandrake ( and probably
any other distro ) there are tools that are modifying config 
files ( in etc ). I don't know how the FHS can request 'read only'
status.

jk2.properties saving can be disabled. Right now the feature is not
completely implemented - we still need the java interface ( JMX proxy )
and documentation. So disabling it for now is fine.

But from all I know, the configuration is RW.

Costin

jean-frederic clere wrote:

> Henri Gomez wrote:
>> Hi to all,
>> 
>> Tomcat 4 make write access to 2 files in the conf directory,
>> jk2.properties and tomcat-users.xml (and may be others).
>> 
>> The problem is that FHS indicate that a conf directory should
>> be read only.
> 
> I have the same problem with /opt where I am installing Tomcat.
> 
>> 
>> For instance, tomcat4 rpm install the conf directory in /etc/tomcat4
>> and use symlink to map it to /var/tomcat4/conf.
>> 
>> What could be done to have a behaviour following FHS recommandations ?
>> 
>> Could we imagine having jk2.properties and tomcat-users.xml (and other
>> files in conf which may be updated by tomcat4) in another directory,
>> ie work/conf ?
> 
> I am using catalina-home and catalina-base.
> catalina-home contains the fixed data.
> catalina-base contains the "instance" data.
> 
> I have the following (opt/SMAWoIS/jakarta-tomcat-4.1.12 is catalina-home):
> +++
> # ls -l /opt/SMAWoIS/jakarta-tomcat
> total 12
> drwxr-xr-x   2 root other512 Oct  8 11:34 bin
> drwxr-xr-x   2 nobody   other512 Oct  8 11:31 conf
> drwxr-xr-x   4 root other512 Oct  3 10:32 conf.save
> drwxr-xr-x   2 nobody   other512 Oct  8 11:31 logs
> lrwxrwxrwx   1 root other 42 Oct  8 11:31 webapps ->
> /opt/SMAWoIS/jakarta-tomcat-4.1.12/webapps
> drwxr-xr-x   3 nobody   other512 Oct  3 12:04 work
> +++
> 
> The user nobody needs to write in conf because of these 2 files.
> 
> That is the same  for logs because the log files are not created at the
> right place in time (I am using daemon to start the Tomcat).
> 
> conf.save is a save of the conf directory.
> 
> 
>> 
>> Regards
>> 
>> 
>> --
>> To unsubscribe, e-mail:
>> 
>> For additional commands, e-mail:
>> 
>> 
>>

-- 
Costin



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-connectors/jk/native2/server/isapi jk_isapi_plugin.c

[mturk]

mturk   2002/10/09 10:11:22

  Modified:jk/native2/server/isapi jk_isapi_plugin.c
  Log:
  Skip the checking of default hostname and port. Using
  that scheme the same behaviour is on all web servers.
  
  Revision  ChangesPath
  1.50  +5 -6  
jakarta-tomcat-connectors/jk/native2/server/isapi/jk_isapi_plugin.c
  
  Index: jk_isapi_plugin.c
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/jk/native2/server/isapi/jk_isapi_plugin.c,v
  retrieving revision 1.49
  retrieving revision 1.50
  diff -u -r1.49 -r1.50
  --- jk_isapi_plugin.c 25 Sep 2002 07:36:48 -  1.49
  +++ jk_isapi_plugin.c 9 Oct 2002 17:11:22 -   1.50
  @@ -270,6 +270,7 @@
   DWORD szHost = sizeof(Host);
   DWORD szTranslate = sizeof(Translate);
   DWORD szPort = sizeof(Port);
  +int   nPort;
   #ifdef SF_NOTIFY_AUTH_COMPLETE
   if (auth_notification_flags == SF_NOTIFY_AUTH_COMPLETE) {
   
GetHeader=((PHTTP_FILTER_AUTH_COMPLETE_INFO)pvNotification)->GetHeader;
  @@ -341,13 +342,11 @@
   Port[szPort-1] = '\0';
   }
   }
  -szPort = atoi(Port);
  -if (szPort == 80 || szPort == 443)
  -szPort = 0;
  +nPort = atoi(Port);
   env->l->jkLog(env, env->l,  JK_LOG_DEBUG, 
  -"In HttpFilterProc Virtual Host redirection of %s : 
%d\n", 
  +"In HttpFilterProc Virtual Host redirection of %s : 
%s\n", 
   Host, Port);
  -uriEnv = workerEnv->uriMap->mapUri(env, workerEnv->uriMap,Host, 
szPort, uri );
  +uriEnv = workerEnv->uriMap->mapUri(env, workerEnv->uriMap,Host, 
nPort, uri );
   
   if( uriEnv!=NULL ) {
   char *forwardURI;
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-connectors/jk/native2/server/apache2 mod_jk2.c

[mturk]

mturk   2002/10/09 10:10:52

  Modified:jk/native2/server/apache2 mod_jk2.c
  Log:
  Skip the checking of default hostname and port. Using
  that scheme the same behaviour is on all web servers.
  
  Revision  ChangesPath
  1.54  +3 -7  jakarta-tomcat-connectors/jk/native2/server/apache2/mod_jk2.c
  
  Index: mod_jk2.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/server/apache2/mod_jk2.c,v
  retrieving revision 1.53
  retrieving revision 1.54
  diff -u -r1.53 -r1.54
  --- mod_jk2.c 23 Sep 2002 17:40:17 -  1.53
  +++ mod_jk2.c 9 Oct 2002 17:10:52 -   1.54
  @@ -629,7 +629,6 @@
   {
   jk_uriEnv_t *uriEnv;
   jk_env_t *env;
  -int port;
   
   if(r->proxyreq || workerEnv==NULL) {
   return DECLINED;
  @@ -679,12 +678,9 @@
  the real mapping. 
   */
   
  -port = ap_get_server_port(r);
  -if (ap_is_default_port(port, r))
  -port = 0;
   uriEnv = workerEnv->uriMap->mapUri(env, workerEnv->uriMap,
  -r->server->is_virtual ? ap_get_server_name(r) : NULL,
  -port,
  +ap_get_server_name(r),
  +ap_get_server_port(r),
   r->uri);
   
   if( uriEnv== NULL || uriEnv->workerName == NULL) {
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-connectors/jk/native2/server/apache13 mod_jk2.c

[mturk]

mturk   2002/10/09 10:10:24

  Modified:jk/native2/server/apache13 mod_jk2.c
  Log:
  Skip the checking of default hostname and port. Using
  that scheme the same behaviour is on all web servers.
  
  Revision  ChangesPath
  1.25  +4 -8  jakarta-tomcat-connectors/jk/native2/server/apache13/mod_jk2.c
  
  Index: mod_jk2.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/server/apache13/mod_jk2.c,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- mod_jk2.c 4 Oct 2002 16:23:42 -   1.24
  +++ mod_jk2.c 9 Oct 2002 17:10:24 -   1.25
  @@ -437,7 +437,6 @@
   {
   jk_uriEnv_t *uriEnv;
   jk_env_t *env;
  -int port;
   
   if(r->proxyreq) {
   return DECLINED;
  @@ -450,13 +449,10 @@
   /* get_env() */
   env = workerEnv->globalEnv->getEnv( workerEnv->globalEnv );
   
  -port = ap_get_server_port(r);
  -if (ap_is_default_port(port, r))
  -port = 0;
   uriEnv = workerEnv->uriMap->mapUri(env, workerEnv->uriMap,
  -r->server->is_virtual ? ap_get_server_name(r) : NULL,
  -port,
  -r->uri);
  +   ap_get_server_name(r),
  +   ap_get_server_port(r),
  +   r->uri);
   
   if(uriEnv==NULL || uriEnv->workerName==NULL) {
   workerEnv->globalEnv->releaseEnv( workerEnv->globalEnv, env );
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-connectors/jk/native2/common jk_uriMap.c

[mturk]

mturk   2002/10/09 10:08:10

  Modified:jk/native2/common jk_uriMap.c
  Log:
  Fix the hostMap checking hostname:port then hostname
  
  Revision  ChangesPath
  1.51  +21 -14jakarta-tomcat-connectors/jk/native2/common/jk_uriMap.c
  
  Index: jk_uriMap.c
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jk/native2/common/jk_uriMap.c,v
  retrieving revision 1.50
  retrieving revision 1.51
  diff -u -r1.50 -r1.51
  --- jk_uriMap.c   3 Oct 2002 10:32:29 -   1.50
  +++ jk_uriMap.c   9 Oct 2002 17:08:09 -   1.51
  @@ -256,31 +256,40 @@
   {
   int i, j, n;
   char *name;
  -char hostame[1024] = {0};
  +char hostname[1024] = {0};
   
   if (port) {
   if (vhost) {
   if (strchr(vhost, ':'))
  -strcpy(hostame, vhost);
  +strcpy(hostname, vhost);
   else
  -   sprintf(hostame, "%s:%d", vhost, port);
  +   sprintf(hostname, "%s:%d", vhost, port);
   }
   else
  -sprintf(hostame, "*:%d", port);
  +sprintf(hostname, "*:%d", port);
   }
   else if (vhost)
  -strcpy(hostame, vhost); 
  +strcpy(hostname, vhost); 
   else /* Return default host if vhost and port wasn't suplied */
   return uriMap->vhosts->get(env, uriMap->vhosts, "*");
   
   n = uriMap->vhosts->size(env, uriMap->vhosts);
  -/* Check the hostnames first */
  +/* Check the exact hostname:port first */
   for (i = 0 ; i < n ; i++) {
   jk_uriEnv_t *uriEnv = uriMap->vhosts->valueAt(env, uriMap->vhosts, i);
   name = uriMap->vhosts->nameAt(env, uriMap->vhosts, i);
   /* Host name is not case sensitive */
  -if (strcasecmp(name, hostame) == 0) {
  -if (port == 0 || port == uriEnv->port)
  +if (strcasecmp(name, hostname) == 0 && port == uriEnv->port)
  +return uriEnv;
  +}
  +
  +if (vhost) {
  +/* Check the hostname */
  +for (i = 0 ; i < n ; i++) {
  +jk_uriEnv_t *uriEnv = uriMap->vhosts->valueAt(env, uriMap->vhosts, i);
  +name = uriMap->vhosts->nameAt(env, uriMap->vhosts, i);
  +/* Host name is not case sensitive */
  +if (strcasecmp(name, vhost) == 0)
   return uriEnv;
   }
   }
  @@ -292,10 +301,8 @@
   int m = uriEnv->aliases->size(env, uriEnv->aliases);
   for (j = 0; j < m; j++) {
   name = uriEnv->aliases->nameAt(env, uriEnv->aliases, j);
  -if (strcasecmp(name, hostame) == 0) {
  -if (port == 0 || port == uriEnv->port)
  -return uriEnv;
  -}
  +if (strcasecmp(name, hostname) == 0)
  +return uriEnv;
   }
   }
   }
  @@ -574,7 +581,7 @@
   const char *str_minus_one=str-1;
   const char *s=str+strlen(str);
   while(s!=str_minus_one && ch!=*s) {
  - --s;
  +--s;
   }
   return (s-str);
   }
  @@ -632,7 +639,7 @@
   */
   
   if (uriMap == NULL || uri==NULL) 
  - return NULL;
  +return NULL;
   
   if (uriMap->mbean->debug > 1)
   env->l->jkLog(env, env->l, JK_LOG_DEBUG,
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13223] - JSP pages in XML syntax do not compile properly

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13223

JSP pages in XML syntax do not compile properly





--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 16:57 ---
Sorry, I mispoke.  I checked with JSP spec lead and Andreas is right that
 cannot be used in the way I described, per JSP.5.10.  However,
this can be used instead.


mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11 Constants.java

[remm]

remm2002/10/09 09:56:17

  Modified:http11/src/java/org/apache/coyote/http11 Constants.java
  Log:
  - Increase a little bit buffer sizes.
  
  Revision  ChangesPath
  1.10  +1 -1  
jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Constants.java
  
  Index: Constants.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Constants.java,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- Constants.java23 Jul 2002 15:27:24 -  1.9
  +++ Constants.java9 Oct 2002 16:56:17 -   1.10
  @@ -147,7 +147,7 @@
   /**
* Default HTTP header buffer size.
*/
  -public static final int DEFAULT_HTTP_HEADER_BUFFER_SIZE = 32 * 1000;
  +public static final int DEFAULT_HTTP_HEADER_BUFFER_SIZE = 48 * 1024;
   
   
   /**
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/util StringManager.java

[luehe]

luehe   2002/10/09 09:55:14

  Removed: jasper2/src/share/org/apache/jasper/util StringManager.java
  Log:
  Removed redundant org.apache.jasper.util.StringManager

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/xmlparser ParserUtils.java

[luehe]

luehe   2002/10/09 09:47:31

  Modified:jasper2/src/share/org/apache/jasper/xmlparser
ParserUtils.java
  Log:
  Removed dead code
  
  Revision  ChangesPath
  1.5   +1 -96 
jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/xmlparser/ParserUtils.java
  
  Index: ParserUtils.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/xmlparser/ParserUtils.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- ParserUtils.java  16 Jul 2002 19:30:53 -  1.4
  +++ ParserUtils.java  9 Oct 2002 16:47:31 -   1.5
  @@ -124,17 +124,6 @@
   
   // - Public Methods
   
  -
  -/**
  - * Return the class loader used to access our XML parser.
  - */
  -// public ClassLoader getClassLoader() {
  -
  -// return (this.classLoader);
  -
  -// }
  -
  -
   /**
* Parse the specified XML document, and return a TreeNode
* that corresponds to the root node of the document tree.
  @@ -154,34 +143,12 @@
   try {
   DocumentBuilderFactory factory =
   DocumentBuilderFactory.newInstance();
  -/*
  -Class clazz =
  - classLoader.loadClass("javax.xml.parsers.DocumentBuilderFactory");
  -System.out.println("Loaded DBF from:");
  -System.out.println(clazz.getClassLoader());
  -Method method = clazz.getMethod("newInstance", new Class[0]);
  -DocumentBuilderFactory factory = (DocumentBuilderFactory)
  -method.invoke(null, new Object[0]);
  -*/
   factory.setNamespaceAware(true);
   factory.setValidating(validating);
   DocumentBuilder builder = factory.newDocumentBuilder();
   builder.setEntityResolver(entityResolver);
   builder.setErrorHandler(errorHandler);
   document = builder.parse(is);
  -//System.out.println("Parsing " + uri );
  -/*
  -} catch (ClassNotFoundException ex) {
  -throw new JasperException("CNFE: " + ex); // FIXME
  -} catch (IllegalAccessException ex) {
  -throw new JasperException("IACE: " + ex); // FIXME
  -} catch (IllegalArgumentException ex) {
  -throw new JasperException("IARE: " + ex); // FIXME
  -} catch (InvocationTargetException ex) {
  -throw new JasperException("ITE: " + ex); // FIXME
  -} catch (NoSuchMethodException ex) {
  -throw new JasperException("NSME: " + ex); // FIXME
  -*/
} catch (ParserConfigurationException ex) {
   throw new JasperException
   (Constants.getString("jsp.error.parse.xml",
  @@ -306,71 +273,10 @@
   (ClassLoader parentLoader) {
   
   ParserUtils parserUtils = null;
  -/*
  -try {
  -Class clazz = parentLoader.loadClass
  -("org.apache.jasper.xmlparser.ParserUtils");
  -parserUtils = (ParserUtils) clazz.newInstance();
  -System.out.println("ParserUtils loaded by ClassLoader:\r\n" +
  -   parserUtils.getClass().getClassLoader());
  -parserUtils.setClassLoader(createClassLoader(parentLoader));
  -} catch (ClassNotFoundException e) {
  -System.out.println("createParserUtils:  ClassNotFoundException");
  -e.printStackTrace(System.out);
  -} catch (IllegalAccessException e) {
  -System.out.println("createParserUtils:  IllegalAccessException");
  -e.printStackTrace(System.out);
  -} catch (InstantiationException e) {
  -System.out.println("createParserUtils:  InstantiationException");
  -e.printStackTrace(System.out);
  -} catch (MalformedURLException e) {
  -System.out.println("createParserUtils:  MalformedURLException");
  -e.printStackTrace(System.out);
  -}
  -*/
   parserUtils = new ParserUtils();
   parserUtils.setClassLoader(parentLoader);
   return (parserUtils);
   }
  -
  -
  -/**
  - * Construct (if necessary) and return a class loader that has been
  - * configured with the specified parent class loader, and repositories
  - * as needed to access the required XML parser.
  - *
  - * @param parentLoader The web application class loader
  - *
  - * @exception MalformedURLException if we cannot create a valid URL for
  - *  one of the required repositories
  - */
  -/* This  doesn't work.
  -  
  -  public synchronized static ClassLoader createClassLoader
  -(ClassLoader parentLoader) throws MalformedURLException {
  -
  -// Return any 

Re: Tomcat 4.1.12: Xerces 2.2 problems - > Struts 1.0.2 bug.

[Remy Maucherat]

Jean-Francois Arcand wrote:
> Hi,
> 
> with Tomcat 4.1.12, Xerces 2.2 is throwing the following exception:
> 
> org.xml.sax.SAXParseException: The string "--" is not permitted within 
> comments.
>at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
> 
> This is a bug in the org.apache.struts.digester.Digester class. If you 
> uses Struts 1.1 beta 2 jar file, the bug will not happen. Xerces 2.2 
> generates a lot of Warnings and the Digester version of Struts 1.0.2 
> logs an exception instead of a warning. This has been corrected in the 
> current Digester (1.3) we are using.
> 
> So we have to decide which combinaison we want to support with 4.1.x:
> 
> Xerces 2.1 + Struts 1.0.2
> or
> Xerces 2.2 + Struts 1.1b2

For 4.1.x, I'll definitely package the stable releases (X 2.1 + S 1.0.x).
For 5.0.0, I'll package S 1.1 beta + X 2.2 (nice explanation).

(I still plan to tag 5.0.0 this week, as it's been relatively stable for 
some time now)

Remy


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Tomcat 4.1.12: Xerces 2.2 problems - > Struts 1.0.2 bug.

[Jean-Francois Arcand]

Hi,

with Tomcat 4.1.12, Xerces 2.2 is throwing the following exception:

org.xml.sax.SAXParseException: The string "--" is not permitted within 
comments.
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)

This is a bug in the org.apache.struts.digester.Digester class. If you 
uses Struts 1.1 beta 2 jar file, the bug will not happen. Xerces 2.2 
generates a lot of Warnings and the Digester version of Struts 1.0.2 
logs an exception instead of a warning. This has been corrected in the 
current Digester (1.3) we are using.

So we have to decide which combinaison we want to support with 4.1.x:

Xerces 2.1 + Struts 1.0.2
or
Xerces 2.2 + Struts 1.1b2

-- Jeanfrancois


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [5.0] [VOTE] Remove deprecated and unsupported components

[Ian Darwin]

> 
> [X ] Remove deprecated org.apache.catalina.connector components from the
> j-t-catalina module
> [ ] Leave them in
> 

As long as it won't break builds of 4.1 :-)

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [Proposal] Security Audit

[Ian Darwin]

> I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I
> would like to collect as more as information as where you think I should
> look at (code, security hole, etc.). I'm planning to do the audit using
> the default SecurityManager. Rigth now, I have started looking at:

Although their goals and technology are different (an OS written in C),
I believe anyone interested in helping might learn a lot by looking at OpenBSD (a 
free UNIX-like OS whose entire code base has been subjected to a careful (and
ongoing!) security audit). They have some papers online;
go to www.openbsd.org and look at press.html (which has links to various
papers). Look for "auditing".

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Craig R. McClanahan]

On Wed, 9 Oct 2002, Henri Gomez wrote:

> Date: Wed, 09 Oct 2002 18:13:10 +0200
> From: Henri Gomez <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Re: apps conversion from 3.3.1 to 4.1.12
>
>
> > Haven't looked at the code, but here's a couple of thoughts that might
> > help:
> >
> > If your path above ("../../../settings.xml") is attempting to go above
> > the context root of the webapp, it's pretty much guaranteed to fail
> > because of the security restrictions.  Undoing that restriction would just
> > create a bunch of CERT reports about Tomcat letting you browse the entire
> > directory structure of your disk.
>
> I agree but the ../../../settings.xml was set in web.xml, under
> administrator control, and tomcat can't even overwrite it.
>
> We've got another problem here since Tomcat 3.3.x allow this and but
> Tomcat 4.1.x prevent it. Should we fix Tomcat 3.3.2 ?
>
> > One of the important enablers for using external entity files in Digester
> > is to use the Digester.parse() that takes an InputSource (rather than an
> > InputStream), and be sure you have configured your InputSource to include
> > the source URL.  That is necessary for the XML parser to be able to
> > resolve relative system ids.  The code in ContextConfig that parses
> > web.xml and TLD files was modified (a while back) to do this kind of
> > thing, if you need an example.
>
> Didn't have access on it since the external entity is set in web.xml so
> under org.apache.catalina.startup.ContextConfig.applicationConfig
> control, not application control.
>

If this reference is in your web.xml file, then my suggestion is already
being done.  To test it, try temporarily copying the settings.xml file
into the WEB-INF directory and changing the relative URL appropriately.

I'd be -1 on removing the security check in 4.x/5.x.  Fixing 3.3.2 sounds
like a good idea.

Craig


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Henri Gomez]

> Haven't looked at the code, but here's a couple of thoughts that might
> help:
> 
> If your path above ("../../../settings.xml") is attempting to go above
> the context root of the webapp, it's pretty much guaranteed to fail
> because of the security restrictions.  Undoing that restriction would just
> create a bunch of CERT reports about Tomcat letting you browse the entire
> directory structure of your disk.

I agree but the ../../../settings.xml was set in web.xml, under 
administrator control, and tomcat can't even overwrite it.

We've got another problem here since Tomcat 3.3.x allow this and but
Tomcat 4.1.x prevent it. Should we fix Tomcat 3.3.2 ?

> One of the important enablers for using external entity files in Digester
> is to use the Digester.parse() that takes an InputSource (rather than an
> InputStream), and be sure you have configured your InputSource to include
> the source URL.  That is necessary for the XML parser to be able to
> resolve relative system ids.  The code in ContextConfig that parses
> web.xml and TLD files was modified (a while back) to do this kind of
> thing, if you need an example.

Didn't have access on it since the external entity is set in web.xml so
under org.apache.catalina.startup.ContextConfig.applicationConfig 
control, not application control.



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Henri Gomez]

>> 
>org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344)
> 
>>
>> at java.net.URL.openStream(URL.java:793)
> 
> 
> Well, that's exactly the same. Where do you think that weird URL 
> connection goes ?? (hint: to the aforementioned FileDirContext, through 
> some classloader binding)

Well it's my initial diggs in TC 4.1.x, let me some time to discover it.

> The place where it gets rejected should be the FileDirContext.file() 
> method, as far as I can remember.

FileDirContext.file() is used to get webapps/ROOT/web.xml ref and
validate access, but the external entity is grabbed from Digester
so outside FileDirContext control (from my debug analyze).



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Remy Maucherat]

Henri Gomez wrote:
> Remy Maucherat wrote:
> 
>> Henri Gomez wrote:
>>
 This is likely the protection against reading anything outside the 
 webapp root (see the "allowLinking" of FileDirContext), although I 
 don't know how the digester will try to load the included file.
>>>
>>>
>>>
>>>
>>> Digester code is derived from XmlMapper which is able to locate 
>>> entities in ../../../ directories.
>>>
>>> My concern here is :
>>>
>>> Specs didn't mentions restriction on use of external entities outside 
>>> the webapp.
>>>
>>> So it should be granted by default isn't it ?
>>>
>>> I take a look at FileDirContext but I didn't understand what 
>>> allowLinking is ?
>>
>>
>>  >
>>
>>> So my question is : bug or feature ?
>>
>>
>>
>> There's a pretty strict check on the canonical path of a resource 
>> which I added.
>> I consider it a security feature. I think a webapp should be self 
>> contained, so I think it's reasonable to have the check as the default.
>>
>> "allowLinking" disables the check.
>>
>> Don't be lazy, just do a search in FileDirContext ;-)
> 
> 
> I take a look at this but but digester didn't use FileDirContext so the 
> allowLinking didn't fit.
> 
> The problem seems be only in Digester which fail to load 
> ../../../settings.xml
> 
> What could we do ?
> 
> PS: I tried with TC 4.1.x and all commons from CVS.
> 
> 
> at 
> 
>org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344)
> 
> 
> at java.net.URL.openStream(URL.java:793)

Well, that's exactly the same. Where do you think that weird URL 
connection goes ?? (hint: to the aforementioned FileDirContext, through 
some classloader binding)

The place where it gets rejected should be the FileDirContext.file() 
method, as far as I can remember.

Remy


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Craig R. McClanahan]

On Wed, 9 Oct 2002, Henri Gomez wrote:

> Date: Wed, 09 Oct 2002 17:39:00 +0200
> From: Henri Gomez <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Re: apps conversion from 3.3.1 to 4.1.12
>
> Remy Maucherat wrote:
> > Henri Gomez wrote:
> >
> >>> This is likely the protection against reading anything outside the
> >>> webapp root (see the "allowLinking" of FileDirContext), although I
> >>> don't know how the digester will try to load the included file.
> >>
> >>
> >>
> >> Digester code is derived from XmlMapper which is able to locate
> >> entities in ../../../ directories.
> >>
> >> My concern here is :
> >>
> >> Specs didn't mentions restriction on use of external entities outside
> >> the webapp.
> >>
> >> So it should be granted by default isn't it ?
> >>
> >> I take a look at FileDirContext but I didn't understand what
> >> allowLinking is ?
> >
> >  >
> >
> >> So my question is : bug or feature ?
> >
> >
> > There's a pretty strict check on the canonical path of a resource which
> > I added.
> > I consider it a security feature. I think a webapp should be self
> > contained, so I think it's reasonable to have the check as the default.
> >
> > "allowLinking" disables the check.
> >
> > Don't be lazy, just do a search in FileDirContext ;-)
>
> I take a look at this but but digester didn't use FileDirContext so the
> allowLinking didn't fit.
>
> The problem seems be only in Digester which fail to load
> ../../../settings.xml
>
> What could we do ?
>

Haven't looked at the code, but here's a couple of thoughts that might
help:

If your path above ("../../../settings.xml") is attempting to go above
the context root of the webapp, it's pretty much guaranteed to fail
because of the security restrictions.  Undoing that restriction would just
create a bunch of CERT reports about Tomcat letting you browse the entire
directory structure of your disk.

One of the important enablers for using external entity files in Digester
is to use the Digester.parse() that takes an InputSource (rather than an
InputStream), and be sure you have configured your InputSource to include
the source URL.  That is necessary for the XML parser to be able to
resolve relative system ids.  The code in ContextConfig that parses
web.xml and TLD files was modified (a while back) to do this kind of
thing, if you need an example.

> PS: I tried with TC 4.1.x and all commons from CVS.
>

Craig

>
>   at
> 
>org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344)
>   at java.net.URL.openStream(URL.java:793)
>   at
> org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:807)
>   at
> org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:738)
>   at
> org.apache.xerces.impl.XMLDTDScannerImpl.startPE(XMLDTDScannerImpl.java:609)
>   at
> org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(XMLDTDScannerImpl.java:1927)
>   at
> org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(XMLDTDScannerImpl.java:1889)
>   at
> 
>org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:359)
>   at
> 
>org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(XMLDocumentScannerImpl.java:808)
>   at
> 
>org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:329)
>   at
> org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:525)
>   at
> org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:581)
>   at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)
>   at
> org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1175)
>   at org.apache.commons.digester.Digester.parse(Digester.java:1542)
>   at
> org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:282)
>   at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:639)
>   at
> org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:243)
>   at
> 
>org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
>   at
> org.apache.catalina.core.StandardContext.start(StandardContext.java:3567)
>   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
>   at org.apache.catalina.core.StandardHost.start(StandardHost.java:738)
>   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
>   at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347)
>   at org.apache.catalina.core.StandardService.start(StandardService.java:497)
>
>
>
>
>
>
>
>
>
>
> --
> To unsubscribe, e-mail:   
> For additional commands, e-mail: 
>
>


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [Proposal] Security Audit

[Bob Herrmann]

I can't think of anything more boring and tedious (bug fixing?) but I am
willing to help.  Maybe we should divide up the classes.  

Cheers,
-bob

On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote:
> Hi,
> 
> I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I 
> would like to collect as more as information as where you think I should 
> look at (code, security hole, etc.). I'm planning to do the audit using 
> the default SecurityManager. Rigth now, I have started looking at:
> 
> - doPrivilege blocks. Are they small enough? Can they be reduced?
> - JSP generated code. Are they secure? Can a malicious app uses the code 
> to access o.a.catalina code?
> - Is catalina.policy restricted enough?
> - Is our Classloader secure?
> 
> Any direction/ideas/recommendations will be appreciated.
> 
> Thanks,
> 
> -- Jeanfrancois
> 
> 
> --
> To unsubscribe, e-mail:   
> For additional commands, e-mail: 
-- 
Bob Herrmann <[EMAIL PROTECTED]>


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Henri Gomez]

Remy Maucherat wrote:
> Henri Gomez wrote:
> 
>>> This is likely the protection against reading anything outside the 
>>> webapp root (see the "allowLinking" of FileDirContext), although I 
>>> don't know how the digester will try to load the included file.
>>
>>
>>
>> Digester code is derived from XmlMapper which is able to locate 
>> entities in ../../../ directories.
>>
>> My concern here is :
>>
>> Specs didn't mentions restriction on use of external entities outside 
>> the webapp.
>>
>> So it should be granted by default isn't it ?
>>
>> I take a look at FileDirContext but I didn't understand what 
>> allowLinking is ?
> 
>  >
> 
>> So my question is : bug or feature ?
> 
> 
> There's a pretty strict check on the canonical path of a resource which 
> I added.
> I consider it a security feature. I think a webapp should be self 
> contained, so I think it's reasonable to have the check as the default.
> 
> "allowLinking" disables the check.
> 
> Don't be lazy, just do a search in FileDirContext ;-)

I take a look at this but but digester didn't use FileDirContext so the 
allowLinking didn't fit.

The problem seems be only in Digester which fail to load 
../../../settings.xml

What could we do ?

PS: I tried with TC 4.1.x and all commons from CVS.


at 
org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344)
at java.net.URL.openStream(URL.java:793)
at 
org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:807)
at 
org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:738)
at 
org.apache.xerces.impl.XMLDTDScannerImpl.startPE(XMLDTDScannerImpl.java:609)
at 
org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(XMLDTDScannerImpl.java:1927)
at 
org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(XMLDTDScannerImpl.java:1889)
at 
org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:359)
at 
org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(XMLDocumentScannerImpl.java:808)
at 
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:329)
at 
org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:525)
at 
org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:581)
at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)
at 
org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1175)
at org.apache.commons.digester.Digester.parse(Digester.java:1542)
at 
org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:282)
at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:639)
at 
org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:243)
at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
at 
org.apache.catalina.core.StandardContext.start(StandardContext.java:3567)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:738)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347)
at org.apache.catalina.core.StandardService.start(StandardService.java:497)










--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13014] - OS/390/USS - Invalid  in servlet mapping

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13014

OS/390/USS - Invalid   in servlet mapping





--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 15:11 ---
The USS environment is somewhat unusual...perhaps no one at apache.org has 
ready access to such a system for testing and debugging this issue. Attachmate 
would be happy to provide such access to anyone involved with Tomcat 
development at apache.org if it would help speed resolution. Please email me, 
and we can discuss details of this.  -Ned

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse JSSESupport.java

[bobh]

bobh2002/10/09 08:03:21

  Modified:util/java/org/apache/tomcat/util/net/jsse JSSESupport.java
  Log:
  - make gump happy by getting rid of "1.4" only class java.net.SocketTimeoutException
  
  Revision  ChangesPath
  1.3   +3 -3  
jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java
  
  Index: JSSESupport.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- JSSESupport.java  8 Oct 2002 16:49:43 -   1.2
  +++ JSSESupport.java  9 Oct 2002 15:03:21 -   1.3
  @@ -222,8 +222,8 @@
   for (int i = 0; i < maxTries; i++) {
   try {
   int x = in.read(b);
  -} catch (SocketTimeoutException e) {
  -// ignore
  +} catch (IOException e) {
  +// ignore - presumably the timeout
   }
   if (listener.completed) {
   break;
  @@ -232,7 +232,7 @@
   socket.removeHandshakeCompletedListener(listener);
   socket.setSoTimeout(oldTimeout);
   if (listener.completed == false) {
  -throw new SocketTimeoutException("SSL Cert handshake timeout");
  +throw new SocketException("SSL Cert handshake timeout");
   }
   }
   
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13456] - allowChuncking="false" not working

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13456

allowChuncking="false" not working

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||WONTFIX
Version|4.0 Final   |4.1.12



--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 14:26 ---
FYI, this is not supported (and will never be supported) in Coyote HTTP/1.1. The
documentation does not specify this flag is allowed.

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13365] - JSP source disclosure vulnerability not fixed when invoking servlets by name

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13365

JSP source disclosure vulnerability not fixed when invoking servlets by name

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||FIXED



--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 14:23 ---
Ok, this is fixed in all branches, and Tomcat 4.0.6 has been released (the
default Tomcat 4.0.5 installation was vulnerable).

However, NEVER EVER DISCUSS A POTENTIAL SECURITY PROBLEM ON A PUBLIC
COMMUNICATION CHANNEL, because this puts all Tomcat users at risk. The Tomcat
Team also cannot release a new version within minutes a security problem is
published. Thanks. There are *private* mailing lists for that (security at
apache.org), and you will be given all the credit you want or deserve.

I used the patch submitted as a patch which can be applied to Tomcat 4.0.5 to
resolve the problem without upgrading to 4.0.6.

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

RE: [5.0] [VOTE] Remove deprecated and unsupported components

[Ignacio J. Ortega]

> 
> [X] Remove deprecated org.apache.catalina.connector 
> components from the 
> j-t-catalina module
> [ ] Leave them in
> 
> 

Saludos, 
Ignacio J. Ortega 

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13456] New: - allowChuncking="false" not working

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13456

allowChuncking="false" not working

   Summary: allowChuncking="false" not working
   Product: Tomcat 4
   Version: 4.0 Final
  Platform: PC
OS/Version: Other
Status: NEW
  Severity: Major
  Priority: Other
 Component: Connector:Coyote HTTP/1.1
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


allowChunking="false" in Coyoute connector still give chunked responses.

simply changed to the catalina Connector and the problem was solved.

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: administration-howto.html

[Glenn Nielsen]

jean-frederic clere wrote:
> Hi,
> 
> I am willing to use the administration tools of Tomcat but I am 
> wondering where the administration-howto.html is located.
> 
> If it is not existing I will create one similar to the existing 
> manager-howto.xml.
> 
> Any comments?
> 

I know that Amy has been working on taking care of some of the problems
I posted about the Tomcat 4.1 configuration admin application.  A help
document was one of the issues.

This is really needed, thanks!

Glenn


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

[SECURITY] Apache Tomcat 4.x JSP source disclosure vulnerability;Apache Tomcat 4.0.6 released

[Remy Maucherat]

A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5), which allows to use a specially
crafted URL to return the unprocessed source of a JSP page, or, under
special circumstances, a static resource which would otherwise have been
protected by security constraint, without the need for being properly
authenticated. This is based on a variant of the exploit that was
disclosed on 09/24/2002.

The cause
-

Using the invoker servlet in conjunction with the default servlet
(responsible for handling static content in Tomcat) triggers this
vulnerability.

Who is vulnerable
-

- All Tomcat 4.0.x releases, except those in which the invoker servlet
is disabled (this is not the default setting).
- All Tomcat 4.1.x releases before 4.1.12, except those in which the
invoker servlet is disabled (this is not the default setting), as
well as 4.1.12 if and only if the invoker servlet has been enabled.
The default Tomcat 4.1.12 installation is not vulnerable.

Fixes and workarounds
-

Doing either of the following will resolve the security problem:

A) Disabling the invoker servlet

In the $CATALINA_HOME/conf/web.xml file (on Windows,
%CATALINA_HOME%\conf\web.xml), comment out or remove the following
XML fragment:

  
  invoker
  /servlet/*
  

B) If running any Tomcat 4.0.x releases, download and install the
following binary patch:

http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip

Simply unzip the archive in the $CATALINA_HOME folder (on Windows
%CATALINA_HOME%). Make sure paths are preserved when unzipping. The
patch will overwrite the default webapp configuration file
($CATALINA_HOME/conf/web.xml) to add a workaround to protect
against the security vulnerability.

C) If running Tomcat 4.1.12 and the invoker servlet was enabled, it must
be disabled at this time. A new Tomcat 4.1.x release incorporating
the fix to the invoker servlet will be made available shortly.

D) If running any Tomcat 4.0.x release, download and install Tomcat 4.0.6.

New release
---

The Apache Tomcat Team announces the immediate availability of
a new release which includes a fix to the invoker servlet.

Apache Tomcat 4.0.6:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/

Remy


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [5.0] [VOTE] Remove deprecated and unsupported components

[Jean-Francois Arcand]

>
> 
> [ X ] Remove deprecated org.apache.catalina.connector components from 
> the j-t-catalina module
> [ ] Leave them in
> 

-- Jeanfrancois


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: commons-daemon release ?

[jean-frederic clere]

Remy Maucherat wrote:
> Henri Gomez wrote:
> 
>> I wonder if a release of commons-daemon is planned.
> 
> 
> No, because promoting it to commons proper got vetoed.

And the reasons why have not been changed... I had no time to write the needed 
code (and I was on holidays at the time of the veto: it was in mid-august).

> At the moment, it looks like a split between daemon and launcher will 
> happen.

Because a release of launcher is needed.

> 
> (like Costin, I'd really like to get rid of the Java code in daemon - 
> the o.a.c.daemon package -, BTW)

-1 I am using it. And I need time to write the corresponding C code.

> 
> Remy
> 
> 
> -- 
> To unsubscribe, e-mail:   
> 
> For additional commands, e-mail: 
> 
> 
> 




--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-connectors/jk/xdocs/jk2 confighowto.xml

[mturk]

mturk   2002/10/09 06:01:29

  Modified:jk/xdocs/jk2 confighowto.xml
  Log:
  Add the JNI Minimum configuration.
  
  Revision  ChangesPath
  1.2   +57 -1 jakarta-tomcat-connectors/jk/xdocs/jk2/confighowto.xml
  
  Index: confighowto.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-connectors/jk/xdocs/jk2/confighowto.xml,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- confighowto.xml   8 Oct 2002 17:59:25 -   1.1
  +++ confighowto.xml   9 Oct 2002 13:01:29 -   1.2
  @@ -58,4 +58,60 @@
   
   
   
  +
  +
  +Minimum JNI configuration is the simplest one to make the Tomcat working
  +from inside the web server as inprocess. The only comunication channel used
  +is JNI. The JK2 will register all the native calls by itself, so there is
  +no need to specify the native library on Java side.
  +
  +
  +jk2.properties:
  +
  +# Add the apr and channelJni to the list of handlers
  +handler.list=apr,request,container,channelJni
  +# The native libraries will be registered by JK2
  +apr.jniModeSo=inprocess
  +
  +
  +
  +workers2.properties:
  +
  +# Define the comunication channel 
  +[channel.jni:jni]
  +info=The jni channel, used if tomcat is started inprocess
  +
  +# Define the parameters for the Java Virtual Machine
  +[vm:]
  +info=Parameters used to load a JVM in the server process
  
+OPT=-Djava.class.path=${TOMCAT_HOME}/lib/tomcat-jni.jar;${TOMCAT_HOME}/lib/tomcat.jar
  +OPT=-Dtomcat.home=${TOMCAT_HOME}
  +OPT=-Dcatalina.home=${TOMCAT_HOME}
  +OPT=-Xmx128M
  +
  +# JNI worker startup handler
  +[worker.jni:onStartup]
  +info=Command to be executed by the VM on startup. This one will start tomcat.
  +class=org/apache/jk/apr/TomcatStarter
  +ARG=start
  +stdout=${serverRoot}/logs/stdout.log
  +stderr=${serverRoot}/logs/stderr.log
  +
  +# JNI worker shutdown handler
  +[worker.jni:onShutdown]
  +info=Command to be executed by the VM on shutdown. This one will stop tomcat.
  +class=org/apache/jk/apr/TomcatStarter
  +ARG=stop
  +
  +# Map the Tomcat examples webapp to the Web server uri space
  +[uri:/examples/*]
  +info=Map the whole webapp
  +
  +
  +
  +Start the Web server and browse to the http://localhost/examples/
  +
  +
  +
  +
   
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core StandardWrapperValve.java

[remm]

remm2002/10/09 05:52:40

  Modified:catalina/src/share/org/apache/catalina/core
StandardWrapperValve.java
  Log:
  - Oops, not the right object.
  
  Revision  ChangesPath
  1.6   +5 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java
  
  Index: StandardWrapperValve.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- StandardWrapperValve.java 9 Oct 2002 12:40:53 -   1.5
  +++ StandardWrapperValve.java 9 Oct 2002 12:52:40 -   1.6
  @@ -248,7 +248,7 @@
   String contextPath = hreq.getContextPath();
   if (contextPath == null)
   contextPath = "";
  -String requestURI = ((HttpRequest) hreq).getDecodedRequestURI();
  +String requestURI = ((HttpRequest) request).getDecodedRequestURI();
   if (requestURI.length() >= contextPath.length())
   requestPath = requestURI.substring(contextPath.length());
   }
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/valves ErrorReportValve.java

[remm]

remm2002/10/09 05:42:51

  Modified:catalina/src/share/org/apache/catalina/valves
ErrorReportValve.java
  Log:
  - Port patch.
  
  Revision  ChangesPath
  1.3   +6 -9  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/valves/ErrorReportValve.java
  
  Index: ErrorReportValve.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/valves/ErrorReportValve.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- ErrorReportValve.java 12 Sep 2002 06:44:25 -  1.2
  +++ ErrorReportValve.java 9 Oct 2002 12:42:51 -   1.3
  @@ -250,11 +250,8 @@
   if (message == null)
   message = "";
   
  -// Do nothing on a 1xx and 2xx status
  -if (statusCode < 300)
  -return;
  -// Do nothing on a NOT MODIFIED status
  -if (statusCode == HttpServletResponse.SC_NOT_MODIFIED)
  +// Do nothing on a 1xx, 2xx and 3xx status
  +if (statusCode < 400)
   return;
   
   // FIXME: Reset part of the request
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: commons-daemon release ?

[jean-frederic clere]

Henri Gomez wrote:
> I wonder if a release of commons-daemon is planned.
> 
> JF ?
> 
> 
> -- 
> To unsubscribe, e-mail:   
> 
> For additional commands, e-mail: 
> 
> 
> 

I am using it in a product named openIS.
The FSC QA are still complaining about small problems.
I have to fix them... Then that will be time to make a release.



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core StandardWrapperValve.java

[remm]

remm2002/10/09 05:40:53

  Modified:catalina/src/share/org/apache/catalina/core
StandardWrapperValve.java
  Log:
  - The decoded URI should be used there.
  
  Revision  ChangesPath
  1.5   +15 -10
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java
  
  Index: StandardWrapperValve.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapperValve.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- StandardWrapperValve.java 12 Sep 2002 00:09:27 -  1.4
  +++ StandardWrapperValve.java 9 Oct 2002 12:40:53 -   1.5
  @@ -248,16 +248,21 @@
   String contextPath = hreq.getContextPath();
   if (contextPath == null)
   contextPath = "";
  -String requestURI = hreq.getRequestURI();
  +String requestURI = ((HttpRequest) hreq).getDecodedRequestURI();
   if (requestURI.length() >= contextPath.length())
   requestPath = requestURI.substring(contextPath.length());
   }
  -sreq.setAttribute(ApplicationFilterFactory.DISPATCHER_TYPE_ATTR,
  -new 
Integer(ApplicationFilterFactory.REQUEST));
  -sreq.setAttribute(ApplicationFilterFactory.DISPATCHER_REQUEST_PATH_ATTR, 
requestPath);
  +sreq.setAttribute
  +(ApplicationFilterFactory.DISPATCHER_TYPE_ATTR,
  + new Integer(ApplicationFilterFactory.REQUEST));
  +sreq.setAttribute
  +(ApplicationFilterFactory.DISPATCHER_REQUEST_PATH_ATTR, 
  + requestPath);
   // Create the filter chain for this request
  -ApplicationFilterFactory factory = ApplicationFilterFactory.getInstance();
  -ApplicationFilterChain filterChain = factory.createFilterChain(sreq, 
wrapper, servlet);
  +ApplicationFilterFactory factory = 
  +ApplicationFilterFactory.getInstance();
  +ApplicationFilterChain filterChain = 
  +factory.createFilterChain(sreq, wrapper, servlet);
   
   // Call the filter chain for this request
   // NOTE: This also calls the servlet's service() method
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: [5.0] [VOTE] Remove deprecated and unsupported components

[jean-frederic clere]

[X] Remove deprecated org.apache.catalina.connector components from the 
j-t-catalina module
[ ] Leave them in


Cheers

Jean-frederic


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-5/resources INSTALLLICENSE

[remm]

remm2002/10/09 05:20:40

  Modified:.build.xml tomcat.nsi
   resources INSTALLLICENSE
  Log:
  - Cleanups and small fixes.
  
  Revision  ChangesPath
  1.40  +1 -1  jakarta-tomcat-5/build.xml
  
  Index: build.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-5/build.xml,v
  retrieving revision 1.39
  retrieving revision 1.40
  diff -u -r1.39 -r1.40
  --- build.xml 9 Oct 2002 10:07:48 -   1.39
  +++ build.xml 9 Oct 2002 12:20:40 -   1.40
  @@ -419,7 +419,7 @@
   
 
 
  +   description="Create a Tomcat 5 packaged distribution">
   
   
   
  
  
  
  1.9   +26 -25jakarta-tomcat-5/tomcat.nsi
  
  Index: tomcat.nsi
  ===
  RCS file: /home/cvs/jakarta-tomcat-5/tomcat.nsi,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- tomcat.nsi8 Oct 2002 09:36:39 -   1.8
  +++ tomcat.nsi9 Oct 2002 12:20:40 -   1.9
  @@ -12,6 +12,11 @@
   ;
   ;Configuration
   
  +  !define MUI_LICENSEPAGE
  +  !define MUI_COMPONENTPAGE
  +  !define MUI_DIRSELECTPAGE
  +  !define MUI_UNINSTALLER
  +
 ;Language
   ;English
   LoadLanguageFile "${NSISDIR}\Contrib\Language files\English.nlf"
  @@ -31,28 +36,18 @@
 !insertmacro MUI_INTERFACE "modern.exe" "adni18-installer-C-no48xp.ico" 
"adni18-uninstall-C-no48xp.ico" "modern.bmp" "smooth" "$9"
   
 ;License dialog
  -  LicenseText "Press Page Down to see the rest of the agreement."
 LicenseData INSTALLLICENSE
   
  -  ;Component-select dialog
  -  ComponentText "Check the components you want to install and uncheck the 
components you don't want to install. Click Next to continue."
  -
 ;Folder-select dialog
  -  !insertmacro MUI_ENGLISH_DIRTEXT
 InstallDir "$PROGRAMFILES\Apache Group\Tomcat 5.0"
   
  -  ;Uninstaller
  -  !insertmacro MUI_ENGLISH_UNINSTALLTEXT
  +  ;Install types
  +  InstType Normal
  +  InstType Minimum
  +  InstType Full
   
  -InstType Normal
  -InstType Minimum
  -InstType Full
  -AutoCloseWindow false
  -ShowInstDetails show
  -SetOverwrite on
  -SetDateSave on
  -
  -InstallDirRegKey HKLM "SOFTWARE\Apache Group\Tomcat\5.0" ""
  +  ; Main registry key
  +  InstallDirRegKey HKLM "SOFTWARE\Apache Group\Tomcat\5.0" ""
   
   SubSection "Tomcat" SecTomcat
   
  @@ -66,6 +61,7 @@
 File /r bin
 Delete "$INSTDIR\bin\tomcat.exe"
 File /r common
  +  File /r conf
 File /r shared
 File /r logs
 File /r server
  @@ -79,6 +75,7 @@
 Pop $2
   
 CopyFiles "$2\lib\tools.jar" "$INSTDIR\common\lib" 4500
  +  BringToFront
   
   SectionEnd
   
  @@ -94,6 +91,7 @@
 
 ExecWait '"$INSTDIR\bin\tomcat.exe" -install "Apache Tomcat 5.0" "$2" 
-Djava.class.path="$INSTDIR\bin\bootstrap.jar" -Dcatalina.home="$INSTDIR" 
-Djava.endorsed.dirs="$INSTDIR\common\endorsed" -start 
org.apache.catalina.startup.BootstrapService -params start -stop 
org.apache.catalina.startup.BootstrapService -params stop -out 
"$INSTDIR\logs\stdout.log" -err "$INSTDIR\logs\stderr.log"'
 
  +  BringToFront
 ClearErrors
   
   SectionEnd
  @@ -172,12 +170,6 @@
   
 WriteUninstaller "$INSTDIR\Uninstall.exe"
   
  -  SetOverwrite off
  -  SetOutPath $INSTDIR
  -  File /r conf
  -
  -  SetOverwrite on
  -
 Call startService
   
 WriteRegStr HKLM "SOFTWARE\Apache Group\Tomcat\5.0" "" $INSTDIR
  @@ -412,6 +404,9 @@
 StrCpy $R4 'port="$R0"'
 StrCpy $R5 ''
   
  +  DetailPrint 'HTTP/1.1 Connector configured on port "$R0"'
  +  DetailPrint 'Admin user added: "$R1"'
  +
 SetOutPath $TEMP
 File /r confinstall
   
  @@ -427,6 +422,8 @@
   
 FileClose $R9
   
  +  DetailPrint "server.xml written"
  +
 ; Build final tomcat-users.xml
 Delete "$INSTDIR\conf\tomcat-users.xml"
 FileOpen $R9 "$INSTDIR\conf\tomcat-users.xml" w
  @@ -439,6 +436,8 @@
   
 FileClose $R9
   
  +  DetailPrint "tomcat-users.xml written"
  +
 ; Creating a few shortcuts
 IfFileExists "$SMPROGRAMS\Apache Tomcat 5.0" 0 NoLinks
   
  @@ -499,7 +498,8 @@
   
 IfFileExists "$INSTDIR\bin\tomcat.exe" 0 NoService
 ExecWait 'net start "Apache Tomcat 5.0"'
  -  Sleep 4000
  +  Sleep 3000
  +  BringToFront
   
NoService:
   
  @@ -516,7 +516,8 @@
   
 IfFileExists "$INSTDIR\bin\tomcat.exe" 0 NoService
 ExecWait 'net stop "Apache Tomcat 5.0"'
  -  Sleep 2000
  +  Sleep 1000
  +  BringToFront
   
NoService:
   
  
  
  
  1.3   +4 -4  jakarta-tomcat-5/resources/INSTALLLICENSE
  
  Index: INSTALLLICENSE
  ===
  RCS file: /home/cvs/jakarta-tomcat-5/resources/INSTALLLICENSE,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- INSTALLLICENSE9 Oct 2002 10:06:07 -   1.2
  +++ INSTALLLICENSE9 Oct 2002 12:20:40 - 

Re: commons-daemon release ?

[Remy Maucherat]

Henri Gomez wrote:
> I wonder if a release of commons-daemon is planned.

No, because promoting it to commons proper got vetoed.
At the moment, it looks like a split between daemon and launcher will 
happen.

(like Costin, I'd really like to get rid of the Java code in daemon - 
the o.a.c.daemon package -, BTW)

Remy


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Remy Maucherat]

Henri Gomez wrote:
>> This is likely the protection against reading anything outside the 
>> webapp root (see the "allowLinking" of FileDirContext), although I 
>> don't know how the digester will try to load the included file.
> 
> 
> Digester code is derived from XmlMapper which is able to locate entities 
> in ../../../ directories.
> 
> My concern here is :
> 
> Specs didn't mentions restriction on use of external entities outside 
> the webapp.
> 
> So it should be granted by default isn't it ?
> 
> I take a look at FileDirContext but I didn't understand what 
> allowLinking is ?
 >
> So my question is : bug or feature ?

There's a pretty strict check on the canonical path of a resource which 
I added.
I consider it a security feature. I think a webapp should be self 
contained, so I think it's reasonable to have the check as the default.

"allowLinking" disables the check.

Don't be lazy, just do a search in FileDirContext ;-)

Remy


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

commons-daemon release ?

[Henri Gomez]

I wonder if a release of commons-daemon is planned.

JF ?


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Henri Gomez]

> This is likely the protection against reading anything outside the 
> webapp root (see the "allowLinking" of FileDirContext), although I don't 
> know how the digester will try to load the included file.

Digester code is derived from XmlMapper which is able to locate entities 
in ../../../ directories.

My concern here is :

Specs didn't mentions restriction on use of external entities outside 
the webapp.

So it should be granted by default isn't it ?

I take a look at FileDirContext but I didn't understand what 
allowLinking is ?

So my question is : bug or feature ?


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

RE: [5.0] [VOTE] Remove deprecated and unsupported components

[John Trollinger]

> 
> [ ] Remove deprecated org.apache.catalina.connector 
> components from the 
> j-t-catalina module
> [X ] Leave them in
> 


Atleast untill all the excessive log messages are removed from the
coyote connectors (ie the socket error messages) or there is a way to
disable them (ie give them a log level) 


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

[GUMP] Build Failure - jakarta-tomcat-util

[Craig McClanahan]

This email is autogenerated from the output from:



Buildfile: build.xml

detect:

build-prepare:
[mkdir] Created dir: /home/rubys/jakarta/jakarta-tomcat-connectors/util/build
[mkdir] Created dir: 
/home/rubys/jakarta/jakarta-tomcat-connectors/util/build/classes
[mkdir] Created dir: /home/rubys/jakarta/jakarta-tomcat-connectors/util/build/lib

build-main:
 [echo] - Java-utils -
 [echo] -- puretls.present = ${puretls.present}
 [echo] -- jsse.present = true
 [echo] -- commons-logging = true
 [echo] -- jmx = true /opt/jmx-1_0_1-ri_bin/jmx/lib/jmxri.jar
[javac] Compiling 59 source files to 
/home/rubys/jakarta/jakarta-tomcat-connectors/util/build/classes
[javac] 
/home/rubys/jakarta/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java:225:
 cannot resolve symbol
[javac] symbol  : class SocketTimeoutException  
[javac] location: class org.apache.tomcat.util.net.jsse.JSSESupport
[javac] } catch (SocketTimeoutException e) {
[javac]  ^
[javac] 
/home/rubys/jakarta/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESupport.java:235:
 cannot resolve symbol
[javac] symbol  : class SocketTimeoutException  
[javac] location: class org.apache.tomcat.util.net.jsse.JSSESupport
[javac] throw new SocketTimeoutException("SSL Cert handshake timeout");
[javac]   ^
[javac] 2 errors

BUILD FAILED
file:/home/rubys/jakarta/jakarta-tomcat-connectors/util/build.xml:49: Compile failed; 
see the compiler error output for details.

Total time: 3 seconds

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: HttpSessionListener

[Andreas Junghans]

John Baker wrote:

> I'm trying to write a bean so when sessions are closed, database 
> connections
> and other resources are released. I realise when the sessionDestroyed 
> method
> is called on HttpSessionListener the session is already invalidated (I 
> would
> like to know why such a design decision was made there, it seems 
> wrong).
> Anyway, as I need to be able to map stuff to a session I'm trying to 
> write a
> listener where I can say "For this newly created session, hold on to 
> this
> object". So when the session is destroyed, the object can be retrieved 
> and
> methods called upon it (such as close db connections).

This question should be directed at [EMAIL PROTECTED]

You're right that you cannot use HttpSessionListener since that is only 
an after the fact notification. For things like this, I usually use a 
session attribute that implements HttpSessionBindingListener. In its 
valueUnbound() method, you can perform cleanup actions for the session.

Regards

   Andreas Junghans


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

RE: [5.0] [VOTE] Remove deprecated and unsupported components

[iasandcb]

[X] Remove deprecated org.apache.catalina.connector components from the 
j-t-catalina module
[ ] Leave them in


IAS

Jakarta-Seoul Project Coordinator
http://jakarta.apache-korea.org

-Original Message-
From: Remy Maucherat [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 09, 2002 6:11 PM
To: Tomcat Developers List
Subject: [5.0] [VOTE] Remove deprecated and unsupported components


The connectors which depend on the org.apache.catalina.connector package

(including JK 1, webapp, and the old HTTP connectors) will either need 
to be updated or removed. The Coyote family of connectors is well 
supported and provides a suitable replacement (IMO). Coyote is the 
default connector in the current Tomcat 4.1.x releases, and should be 
reaching maturity by the time Tomcat 5 is released.

I'd like to remove the deprecated org.apache.catalina.connector classes 
(and move the remaining facade and wrapper classes to other new
packages).

Even if they are removed from the main tree, the deprecated components 
could also be distributed with updated versions of the affected 
connectors should it is decided they should be made available for Tomcat

5 (but in any case, some work will be needed).


[ ] Remove deprecated org.apache.catalina.connector components from the 
j-t-catalina module
[ ] Leave them in


In case the second option is voted, volunteers will be needed to update 
and maintain the components (right now, I don't think the connectors 
based on them would even build against the new API).

Remy


--
To unsubscribe, e-mail:

For additional commands, e-mail:


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-5 build.xml

[remm]

remm2002/10/09 03:07:48

  Modified:.build.xml
  Log:
  - No reason to clean the release folder.
  
  Revision  ChangesPath
  1.39  +0 -2  jakarta-tomcat-5/build.xml
  
  Index: build.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-5/build.xml,v
  retrieving revision 1.38
  retrieving revision 1.39
  diff -u -r1.38 -r1.39
  --- build.xml 9 Oct 2002 10:06:07 -   1.38
  +++ build.xml 9 Oct 2002 10:07:48 -   1.39
  @@ -130,8 +130,6 @@
   
   
   
  -
  -
 
   
   
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-5 .cvsignore

[remm]

remm2002/10/09 03:06:34

  Modified:..cvsignore
  Log:
  - Update .cvsignore.
  
  Revision  ChangesPath
  1.3   +1 -0  jakarta-tomcat-5/.cvsignore
  
  Index: .cvsignore
  ===
  RCS file: /home/cvs/jakarta-tomcat-5/.cvsignore,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- .cvsignore26 Jul 2002 16:28:50 -  1.2
  +++ .cvsignore9 Oct 2002 10:06:34 -   1.3
  @@ -1,3 +1,4 @@
   build
   dist
  +release
   build.properties
  
  
  

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-5/resources welcome.bin.html welcome.main.html INSTALLLICENSE

[remm]

remm2002/10/09 03:06:07

  Modified:.build.xml
   resources INSTALLLICENSE
  Added:   .CHANGELOG RELEASE-NOTES
   resources welcome.bin.html welcome.main.html
  Log:
  - Improve release target, so that it will create a ready to upload package.
  
  Revision  ChangesPath
  1.38  +46 -5 jakarta-tomcat-5/build.xml
  
  Index: build.xml
  ===
  RCS file: /home/cvs/jakarta-tomcat-5/build.xml,v
  retrieving revision 1.37
  retrieving revision 1.38
  diff -u -r1.37 -r1.38
  --- build.xml 8 Oct 2002 09:36:39 -   1.37
  +++ build.xml 9 Oct 2002 10:06:07 -   1.38
  @@ -44,6 +44,7 @@
 
 
 
  +  
 
 
   
  @@ -129,6 +130,8 @@
   
   
   
  +
  +
 
   
   
  @@ -418,7 +421,42 @@
   
 
 
  +   description="Create a Tomcat 5 packaged distribution" if="full-dist">
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +
  +  
   
 
   
  @@ -445,11 +483,13 @@
 
 
  +   includes="RELEASE-NOTES" />
 
  +   includes="CHANGELOG" />
 
  +  
   
 
   
  @@ -479,9 +519,10 @@
   
   
   
  -
  -
  +
  +
   
  +
 
   
   >
  
  
  1.1  jakarta-tomcat-5/RELEASE-NOTES
  
  Index: RELEASE-NOTES
  ===
  
  
   Apache Tomcat Version @VERSION@
  Release Notes
  
  
  $Id: RELEASE-NOTES,v 1.1 2002/10/09 10:06:07 remm Exp $
  
  
  
  KNOWN ISSUES IN THIS RELEASE:
  
  
  * Tomcat 5.0 and JNI Based Applications
  * Tomcat 5.0 Standard APIs Available
  * Tomcat 5.0 and XML Parsers
  * Web application reloading and static fields in shared libraries
  * JAVAC leaking memory
  * Linux and Sun JDK 1.2.x - 1.3.x
  * Enabling SSI and CGI Support
  * Security manager URLs
  * Symlinking static resources
  * Enabling invoker servlet
  
  
  -
  Tomcat 5.0 and JNI Based Applications:
  -
  
  Applications that require native libraries must ensure that the libraries have
  been loaded prior to use.  Typically, this is done with a call like:
  
static {
  System.loadLibrary("path-to-library-file");
}
  
  in some class.  However, the application must also ensure that the library is
  not loaded more than once.  If the above code were placed in a class inside
  the web application (i.e. under /WEB-INF/classes or /WEB-INF/lib), and the
  application were reloaded, the loadLibrary() call would be attempted a second
  time.
  
  To avoid this problem, place classes that load native libraries outside of the
  web application, and ensure that the loadLibrary() call is executed only once
  during the lifetime of a particular JVM.
  
  
  --
  Tomcat 5.0 Standard APIs Available:
  --
  
  A standard installation of Tomcat 4 makes all of the following APIs available
  for use by web applications (by placing them in "common/lib" or "shared/lib"):
  * ant.jar (Apache Ant)
  * commons-collections.jar (Commons Collections)
  * commons-dbcp.jar (Commons DBCP 1.0)
  * commons-logging-api.jar (Commons Logging)
  * commons-pool.jar (Commons Pool)
  * jasper-compiler.jar (Jasper 2 Compiler)
  * jasper-runtime.jar (Jasper 2 Runtime)
  * jsp-api.jar (JSP 2.0 API)
  * jsp20el.jar (JSP 2.0 Expression Language)
  * naming-common.jar (JNDI Context implementation)
  * naming-factory.jar (JNDI object factories)
  * naming-resources.jar (JNDI DirContext implementations)
  * servlet-api.jar (Servlet 2.4 API)
  
  You can make additional APIs available to all of your web applications by
  putting unpacked classes into a "classes" directory (not created by default),
  or by placing them in JAR files in the "lib" directory.
  
  Tomcat 5.0 also makes available Xerces 2 to web applications.
  
  
  --
  Tomcat 5.0 and XML Parsers:
  --
  
  As described above, Tomcat 5.0 makes an XML parser (and many other standard
  APIs) available to web applications.  This parser is also used internally
  to parse web.xml files and the server.xml configuration file.  If you wish,
  you may replace the "xercesImpl.jar" file in "common/endorsed" with another 
  XML parser, as long as it is compatible with the JAXP 1.1 APIs.
  
  
  ---
  Web application reloading and static fields in shared libraries:
  ---
  
  Some shared libraries (many are part of the JDK) keep references to objects
  instan

Re: [5.0] [VOTE] Remove deprecated and unsupported components

[Henri Gomez]

Remy Maucherat wrote:
> The connectors which depend on the org.apache.catalina.connector package 
> (including JK 1, webapp, and the old HTTP connectors) will either need 
> to be updated or removed. The Coyote family of connectors is well 
> supported and provides a suitable replacement (IMO). Coyote is the 
> default connector in the current Tomcat 4.1.x releases, and should be 
> reaching maturity by the time Tomcat 5 is released.
> 
> I'd like to remove the deprecated org.apache.catalina.connector classes 
> (and move the remaining facade and wrapper classes to other new packages).
> 
> Even if they are removed from the main tree, the deprecated components 
> could also be distributed with updated versions of the affected 
> connectors should it is decided they should be made available for Tomcat 
> 5 (but in any case, some work will be needed).
> 
> 
> [X] Remove deprecated org.apache.catalina.connector components from the 
> j-t-catalina module
> [ ] Leave them in
> 
> 
> In case the second option is voted, volunteers will be needed to update 
> and maintain the components (right now, I don't think the connectors 
> based on them would even build against the new API).



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13446] New: - Invalide error page with request attribute.

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13446

Invalide error page with request attribute.

   Summary: Invalide error page with request attribute.
   Product: Tomcat 4
   Version: 4.0.1 Final
  Platform: PC
OS/Version: Windows NT/2K
Status: NEW
  Severity: Normal
  Priority: Other
 Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


In a servlet, i want to forward to a JSP error page. For transmit the current 
exception, i set the attribute javax.servlet.error.exception in the request, 
and i forward to the error page. This page initialise the exception variable 
with the exception. Then, in the error page, i call response.sendRedirect
("/index.jsp");
Because the variable "javax.servlet.error.exception" live when i call the 
sendRedirect, i receive the Tomcat error page and the sendRedirect can't work.
I make a sample for check that. Create to JSP file in a webapp.
Test.jsp

<%@ page errorPage="TestError.jsp" %>
Test.jsp
<%
  System.out.println("Test.jsp");
  request.setAttribute("javax.servlet.error.exception",new Throwable());
  Object n=null;
  n.toString(); // This statement generate a null pointer exception
%>

TestError.jsp
=

TestError.jsp
<%
  System.out.println("TestError.jsp");
// Next line for patch the bug
//  request.removeAttribute("javax.servlet.error.exception");
  response.sendRedirect(request.getContextPath()+"/index.jsp");
%>

Invoke the Test.jsp page. Because the NullPointerException was throw, the page 
TestError.jsp is called. This page want to send a redirect to the page 
index.jsp (must be present). But, you receive the Tomcat error page !

Because the servlet must be deconnected to JSP, normally, the JSP technique for 
manage the error can be deconnected to the servlet engine. I think, in the 
ErrorReportValve.java or ErrorDispatcherValve.c can detect this situation 
(reset this attribute AFTER the service() method, remember it's in error 
page, ...) Other servlet engine haven't this problem.

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

[5.0] [VOTE] Remove deprecated and unsupported components

[Remy Maucherat]

The connectors which depend on the org.apache.catalina.connector package 
(including JK 1, webapp, and the old HTTP connectors) will either need 
to be updated or removed. The Coyote family of connectors is well 
supported and provides a suitable replacement (IMO). Coyote is the 
default connector in the current Tomcat 4.1.x releases, and should be 
reaching maturity by the time Tomcat 5 is released.

I'd like to remove the deprecated org.apache.catalina.connector classes 
(and move the remaining facade and wrapper classes to other new packages).

Even if they are removed from the main tree, the deprecated components 
could also be distributed with updated versions of the affected 
connectors should it is decided they should be made available for Tomcat 
5 (but in any case, some work will be needed).


[ ] Remove deprecated org.apache.catalina.connector components from the 
j-t-catalina module
[ ] Leave them in


In case the second option is voted, volunteers will be needed to update 
and maintain the components (right now, I don't think the connectors 
based on them would even build against the new API).

Remy


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13445] - Installing without the examples makes Tomcat startup fail

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13445

Installing without the examples makes Tomcat startup fail

[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||WONTFIX



--- Additional Comments From [EMAIL PROTECTED]  2002-10-09 09:08 ---
Well, yes, sorry, this is a limitation of the updated and less hackish
installer. Edit server.xml to fix it.
The bug which causes Tomcat to crash on startup in that particular case has been
fixed (so in 4.1.13, you'll get an error in the logs, but nothing more serious).

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

DO NOT REPLY [Bug 13445] New: - Installing without the examples makes Tomcat startup fail

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13445

Installing without the examples makes Tomcat startup fail

   Summary: Installing without the examples makes Tomcat startup
fail
   Product: Tomcat 4
   Version: 4.1.12
  Platform: PC
OS/Version: Windows NT/2K
Status: NEW
  Severity: Minor
  Priority: Other
 Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


Using Sun JDK and JRE 1.4.1. Using "jakarta-tomcat-4.1.12.exe" not the "Light
Edition". Everything is installed in default directories. The only change I make
is that I don't select the "Example Web Applications" when given the choice
under the install.

After installing and setting the JAVA_HOME variable, I try to start it and I get
this error:

java.lang.IllegalArgumentException: Document base C:\Programmer\Apache
Group\Tomcat 4.1\webapps\examples does not exist or is not a readable directory
at
org.apache.naming.resources.FileDirContext.setDocBase(FileDirContext.java:193)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3397)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:738)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347)
at org.apache.catalina.core.StandardService.start(StandardService.java:497)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:2189)
at org.apache.catalina.startup.Catalina.start(Catalina.java:510)
at org.apache.catalina.startup.Catalina.execute(Catalina.java:400)
at org.apache.catalina.startup.Catalina.process(Catalina.java:180)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Remy Maucherat]

Henri Gomez wrote:
>>> While converting some applications from 3.3.1 to 4.1.12 I noticed
>>> some little problems.
>>
>>
>>
>> Wot? 3.3.1 isn't good enough for you any more. ;-)
> 
> 
> You're kidding, I'm preparing the future, which may be TC 5 for us
> if we could avoid JDK 1.4 to be mandatory.
> 
> And I'd like to do some internals benchmarks ;)

You can publish them if you want to (I think JDK 1.4.1 is supposed to 
give the best results with TC 4.1.x).
BTW, I added a document on benchmarks in TC 5. Feel free to modify it.

Remy


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

administration-howto.html

[jean-frederic clere]

Hi,

I am willing to use the administration tools of Tomcat but I am wondering where 
the administration-howto.html is located.

If it is not existing I will create one similar to the existing manager-howto.xml.

Any comments?

Cheers

Jean-frederic


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

Re: apps conversion from 3.3.1 to 4.1.12

[Henri Gomez]

>>While converting some applications from 3.3.1 to 4.1.12 I noticed
>>some little problems.
> 
> 
> Wot? 3.3.1 isn't good enough for you any more. ;-)

You're kidding, I'm preparing the future, which may be TC 5 for us
if we could avoid JDK 1.4 to be mandatory.

And I'd like to do some internals benchmarks ;)

> Without testing, in theory you can put your jar in common/lib, and change
> the classname for "default" in conf/web.xml and the only bugs will be yours.
> :)  Note, that this is more than you can do with 3.3.1.
> 
> 
>>2) We also used to include external entities in web.xml which live
>>outside webapp dir :
>>
>>ie :
>>
>>
>>>2.2//EN"
>>  "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd";
> 
> [
> 
>> %settings;
>>]>
>>
>>...
>>
>>Digester find settings.xml only when it's located in WEB-INF or
>>webapp directories (ie ROOT/WEB-INF/settings.xml or ROOT/settings.xml).
>>
>>How could I make it find the settings.xml outside webapps area ?
>>via conf/catalina.policy ?
>>
> 
> 
> This has always been a headache for me on all Tomcat versions.  However, I
> don't think that internal-entities can be used at all (usefully).

When you need to set some properties outside webapps, ie system settings
used by web applications, you need it.



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core DummyRequest.java DummyResponse.java ApplicationContext.java StandardWrapper.java MappingRequest.java

[remm]

remm2002/10/09 01:01:12

  Modified:catalina/src/share/org/apache/catalina/core
ApplicationContext.java StandardWrapper.java
  Added:   catalina/src/share/org/apache/catalina/core
DummyRequest.java DummyResponse.java
  Removed: catalina/src/share/org/apache/catalina/core
MappingRequest.java
  Log:
  - Remove dependency on deprecated components.
  
  Revision  ChangesPath
  1.3   +6 -12 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContext.java
  
  Index: ApplicationContext.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContext.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- ApplicationContext.java   5 Sep 2002 12:06:08 -   1.2
  +++ ApplicationContext.java   9 Oct 2002 08:01:11 -   1.3
  @@ -149,7 +149,7 @@
   }
   
   public Object run() {
  -HttpRequest request = new MappingRequest
  +HttpRequest request = new DummyRequest
   (context.getPath(), contextPath + relativeURI, queryString);
   Wrapper wrapper = (Wrapper) context.map(request, true);
   if (wrapper == null)
  @@ -604,14 +604,8 @@
   
   // The remaining code is duplicated in PrivilegedGetRequestDispatcher,
   // we need to make sure they stay in sync
  -HttpRequest request = new MappingRequest
  +HttpRequest request = new DummyRequest
   (context.getPath(), contextPath + relativeURI, queryString);
  -/*
  -request.setContext(context);
  -request.setContextPath(context.getPath());
  -request.setRequestURI(contextPath + relativeURI);
  -request.setQueryString(queryString);
  -*/
   Wrapper wrapper = (Wrapper) context.map(request, true);
   if (wrapper == null)
   return (null);
  
  
  
  1.5   +6 -8  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapper.java
  
  Index: StandardWrapper.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardWrapper.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- StandardWrapper.java  27 Sep 2002 07:13:05 -  1.4
  +++ StandardWrapper.java  9 Oct 2002 08:01:11 -   1.5
  @@ -93,8 +93,6 @@
   import org.apache.catalina.Wrapper;
   import javax.servlet.ServletRequest;
   import javax.servlet.ServletResponse;
  -import org.apache.catalina.connector.HttpRequestBase;
  -import org.apache.catalina.connector.HttpResponseBase;
   import org.apache.catalina.loader.StandardClassLoader;
   import org.apache.catalina.util.Enumerator;
   import org.apache.catalina.util.InstanceSupport;
  @@ -941,10 +939,10 @@
   // Invoke jspInit on JSP pages
   if ((loadOnStartup >= 0) && (jspFile != null)) {
   // Invoking jspInit
  -HttpRequestBase req = new HttpRequestBase();
  -HttpResponseBase res = new HttpResponseBase();
  +DummyRequest req = new DummyRequest();
   req.setServletPath(jspFile);
   req.setQueryString("jsp_precompile=true");
  +DummyResponse res = new DummyResponse();
   
   if( System.getSecurityManager() != null) {
   Class[] classType = new Class[]{ServletRequest.class, 
  
  
  
  1.1  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/DummyRequest.java
  
  Index: DummyRequest.java
  ===
  /*
   * $Header: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/DummyRequest.java,v
 1.1 2002/10/09 08:01:11 remm Exp $
   * $Revision: 1.1 $
   * $Date: 2002/10/09 08:01:11 $
   *
   * 
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999 The Apache Software Foundation.  All rights
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *notice, this list of conditions and the following disclaimer.
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *notice, this list of conditions and the following disclaimer in
   *the documentation and/or other materials provided with the
   *distribution.
   *
   * 3. T

DO NOT REPLY [Bug 13443] New: - request.getRequestURI() problem with jsp:include tag

[bugzilla]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13443

request.getRequestURI() problem with jsp:include tag

   Summary: request.getRequestURI() problem with jsp:include tag
   Product: Tomcat 4
   Version: 4.1.12
  Platform: PC
OS/Version: Windows NT/2K
Status: NEW
  Severity: Major
  Priority: Other
 Component: Unknown
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]


the script:
file test.jsp:
 resolve 
the problem.

It seems that this bug doesn't appear in Tomcat 4.0.x release

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 

UML Class Diagram

[Budi Kurniawan]

Hi,
I was wondering if I can get the Catalina class diagram to help me
understand how it works, or if it is available
online.

Thanks,
budi


--
To unsubscribe, e-mail:   
For additional commands, e-mail: