How to get own Realm to work (seems not to be used)
Hi,

I wrote my own Realm, which connects to an EJB via JNDI. The EJB is looking at a database. I modified JDBCRealm and put it in my own package. I configured tomcat 3.2.3 (see above) and it started fine. The realm inited the connection to JBoss.

The problem: the Realm is not used. I can access all the protected pages.

Has anybody an answer? And who does the console output (see above)? It comes once for each webapp. It's not me in my realm.

regards,
Thomas

my server.xml looks like this:

    <RequestInterceptor
        className="de.tsystems.JNDIJDBCRealm"
        userNameCol="KENNUNG"
        userCredCol="PASSWORT"
        userTable="IBENUTZER"
        userRoleTable="IBENUTZER"
        roleNameCol="ROLLE"
    />

my web.xml like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>test/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>Testrolle</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses BASIC authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Example Basic Authentication Area</realm-name>
    </login-config>

The console output like this:

    2001-08-08 17:36:58 - ContextManager: JNDIJDBCRealm: JDBCRealm has been started succesfully
AW: [Security Issue] Sessions are visible across multiple clients
I think it will be in the next nightly build? I'll try.

By the way I'm a bit confused about the different tomcat trees (3.2/3.3/4.0). There are no more 3.2 nightly builds but 3.2.2beta-release...

-----Original Message-----
From: GOMEZ Henri [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 28 February 2001 17:59
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Security Issue] Sessions are visible across multiple clients

Probably partially resolved by the patch I forwarded previously. From M. Frey

"Becoming aware of your own ignorance is a great step toward knowledge." -- Benjamin Disraeli

-----Original Message-----
From: Amrhein, Thomas [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 5:59 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Security Issue] Sessions are visible across multiple clients

Hi all,

one session can be visible on multiple clients!! THIS IS A BIG SECURITY PROBLEM! Someone opens his web browser and has the session of somebody else. So critical data could be viewed without permission. Somebody can act as somebody else.

What's wrong with tomcat's session-handling?

I wrote a web application which can reproduce this. I'm working with Tomcat 3.3m1 on WinNT4. On 3.2 I have the same problems sometimes with our application but it is not reproducible there.

To reproduce this:
- put sessiontest.war in %TOMCAT_HOME%/webapps/
- start Tomcat
- open browser1 (Netscape 4.7 or IE5) on machine1 (close it before if it's already open)
- locate browser1 on http://yourtomcat/sessiontest/index.jsp (a cookie will be set)
- browser1: login with name for example 'Testuser1'
- browser1: show settings (The name is displayed)
- open browser2 on machine2 (close it before if it's already open)
- locate browser2 on http://yourtomcat/sessiontest/index.jsp (a cookie will be set)

Browser2 now sees the same content like browser1 (logged in as Testuser1). Look for the source code in the .war. All objects are session-bound.

Normally you should not be logged in. Remember that you are on different machines! They should have different cookies, different sessions, different usernames. Sometimes but not often, they have the same Session-ID (I can not reproduce this).

Bug #723: sessions are not properly recycled
Perhaps my issue belongs to this.

I've seen different bugs reported but not solved belonging to session-handling. #131,152,183,189,267,429,723,731

Can somebody reproduce this behaviour somewhere else? And can this behaviour also happen in Tomcat 3.2/3.2.1 (I don't know the code)?

regards,
Thomas

PS: I'm new to tomcat-dev-mailinglist (two or three hours) to stay tuned. Perhaps it's already discussed and patched. Please inform me.

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
[Security Issue] Sessions are visible across multiple clients
Hi all,

one session can be visible on multiple clients!! THIS IS A BIG SECURITY PROBLEM! Someone opens his web browser and has the session of somebody else. So critical data could be viewed without permission. Somebody can act as somebody else.

What's wrong with tomcat's session-handling?

I wrote a web application which can reproduce this. I'm working with Tomcat 3.3m1 on WinNT4. On 3.2 I have the same problems sometimes with our application but it is not reproducible there.

To reproduce this:
- put sessiontest.war in %TOMCAT_HOME%/webapps/
- start Tomcat
- open browser1 (Netscape 4.7 or IE5) on machine1 (close it before if it's already open)
- locate browser1 on http://yourtomcat/sessiontest/index.jsp (a cookie will be set)
- browser1: login with name for example 'Testuser1'
- browser1: show settings (The name is displayed)
- open browser2 on machine2 (close it before if it's already open)
- locate browser2 on http://yourtomcat/sessiontest/index.jsp (a cookie will be set)

Browser2 now sees the same content like browser1 (logged in as Testuser1). Look for the source code in the .war. All objects are session-bound.

Normally you should not be logged in. Remember that you are on different machines! They should have different cookies, different sessions, different usernames. Sometimes but not often, they have the same Session-ID (I can not reproduce this).

Bug #723: sessions are not properly recycled
Perhaps my issue belongs to this.

I've seen different bugs reported but not solved belonging to session-handling. #131,152,183,189,267,429,723,731

Can somebody reproduce this behaviour somewhere else? And can this behaviour also happen in Tomcat 3.2/3.2.1 (I don't know the code)?

regards,
Thomas

PS: I'm new to tomcat-dev-mailinglist (two or three hours) to stay tuned. Perhaps it's already discussed and patched. Please inform me.

sessiontest.war
AW: Tomcat 3.2.1 404 errors
Name your error-pages *.jsp and they will be found by tomcat. (this problem is discussed in this list)

I reported this bug.
http://znutar.cortexity.com/BugRatViewer/ShowReport/607

regards
Thomas

To reproduce this bug:
Put a file called 404.html in the root directory of a context. Create the following web.xml:

    ...
    <error-page>
      <error-code>404</error-code>
      <location>/404.html</location>
    </error-page>
    ...

and try to load a non-existing page. Tomcat will hang in an infinite loop (tested on Win NT) with a file not found error.

Workaround:
Name your error-page *.jsp: Put a file called 404.jsp in the root directory of a context. Create the following web.xml:

    ...
    <error-page>
      <error-code>404</error-code>
      <location>/404.jsp</location>
    </error-page>
    ...

and try to load a non-existing page. Tomcat will display the 404.jsp page.

-----Original Message-----
From: Anthony Ikeda [mailto:[EMAIL PROTECTED]]
Sent: Monday, 18 December 2000 08:43
To: '[EMAIL PROTECTED]'
Subject: Tomcat 3.2.1 404 errors

Hi,

I'm new to this list and I've checked the mailing list archives and cannot find a solution to my problem...

I have Tomcat 3.2.1 installed on an NT4 box. It seems to be functioning alright, however when a page cannot be found it seems to get stuck in a loop and eventually falls over with a stack overflow error:

    java.lang.StackOverflowError
        at java.lang.Exception.<init>(Exception.java:38)
        at java.io.IOException.<init>(IOException.java:43)
        at java.io.FileNotFoundException.<init>(FileNotFoundException.java:62)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:64)
        at java.io.FileInputStream.<init>(FileInputStream.java:95)
        at org.apache.tomcat.request.FileHandler.doService(StaticInterceptor.java:365)
        at org.apache.tomcat.core.Handler.service(Handler.java:286)
        at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
        at org.apache.tomcat.core.ContextManager.handleStatus(ContextManager.java:1049)
        at org.apache.tomcat.request.FileHandler.doService(StaticInterceptor.java:387)
        ...

The last 4 lines just keep repeating over and over again.

I have error-pages set up in the web.xml file (have there been any changes to this?) but it won't display them either.

Anyone have any ideas on how to fix it?

Cheers,
Anthony Ikeda,
Web Application Developer,
Proxima Technology,
Level 13, 181 Miller Street, North Sydney Australia
PH: +612-9458-1718
Mob: 041 624 5143
AW: Custom error pages!!
Hi,

How is your error-page named? I use JSP and have found, that the error-page itself has to be a .jsp-file. With .html it did not work (Tomcat 3.2b6). Haven't tested 3.2 (final). But I don't expect any changes.

Try to name your error-page a .jsp-file and retry it. Perhaps it works.

regards,
Thomas

-----Original Message-----
From: Pankaj Bhagat [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 12 December 2000 12:59
To: [EMAIL PROTECTED]
Subject: Re: Custom error pages!!

Thanks for your response. The solution really sounds good. But just for information, can you comment on the error-pages tag not working in the deployment descriptor of Tomcat 3.2

Anybody else who has been successful with this can also please comment.

Regards
Pankaj

----- Original Message -----
From: "Kief Morris" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 12, 2000 12:26 PM
Subject: Re: Custom error pages!!

Pankaj Bhagat typed the following on 11:58 12/12/2000 +0100
> So now what i can understand is that it should be Tomcat's problem to
> intercept any errors occurring in the servlet and then passing me onto
> the specified url in the deployment descriptor.

I believe this only applies to JSP pages. For your servlet, you should just catch it normally:

    public void doGet (...) {
        try {
            // your code here
        } catch (Throwable e) {
            // forward to an error page
        }
        // write headers and output
    }

If you want to take advantage of JSP error page handling, a slick thing to do might be to insert the Throwable object into the request as an attribute named "javax.servlet.jsp.jspException", then forward to a JSP page whose page directive includes the parameter isErrorPage="true". This will automatically create a variable called "exception" in the error page, which will be a reference to the Throwable object you set in the request.

Check out section 2.7.1 of the JSP specification document for details on how this works.

Kief

---
bitBull makes the Internet bite: http://www.bitBull.com/demos/
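
Added example, not part of the original thread: Kief Morris's suggestion above (store the Throwable under "javax.servlet.jsp.jspException", then forward to a JSP declared with isErrorPage="true") written out as a complete servlet. OrderServlet, loadOrder and /error.jsp are hypothetical names, and the javax.servlet API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; OrderServlet, loadOrder and /error.jsp are hypothetical.
public class OrderServlet extends HttpServlet {

    // Request attribute the JSP container reads to fill the implicit
    // "exception" variable of a page declared with isErrorPage="true".
    private static final String JSP_EXCEPTION = "javax.servlet.jsp.jspException";

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String body;
        try {
            // Do everything that can fail BEFORE writing to the response,
            // so the response is still uncommitted if we have to forward.
            body = loadOrder(request.getParameter("id"));
        } catch (Throwable e) {
            log("order lookup failed", e); // full detail goes to the server log
            if (response.isCommitted()) {
                // Too late to forward; hand the failure to the container.
                throw new ServletException(e);
            }
            response.reset(); // drop any buffered headers and output
            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            request.setAttribute(JSP_EXCEPTION, e);
            RequestDispatcher rd = request.getRequestDispatcher("/error.jsp");
            rd.forward(request, response);
            return; // nothing else may be written after the forward
        }
        // write headers and output
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println(body);
    }

    // Hypothetical business method that rejects malformed input.
    private String loadOrder(String id) {
        if (id == null || !id.matches("[0-9]{1,9}")) {
            throw new IllegalArgumentException("bad order id");
        }
        return "order " + id;
    }
}

/* /error.jsp (hypothetical):
 *   <%@ page isErrorPage="true" %>
 *   <html><body>Request failed.</body></html>
 * The page receives the Throwable as "exception". Show a generic message
 * there and keep stack traces out of the response body.
 */
```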
AW: Tomcat 3.2 stability
Hi Jose,

I expect with NT Workstation the problem will never be fixed... :-( Perhaps it is in SP 6.a but I don't think so. NT Workstation is no server OS! NT Workstation therefore should never be used as a heavily used web server. Try Linux. It's nice and cheap and works fine.

regards,
Thomas

-----Original Message-----
From: Jose Euclides da Silva Junior - DIGR.O [mailto:[EMAIL PROTECTED]]
Sent: Friday, 8 December 2000 21:37
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RES: Tomcat 3.2 stability

Dear Thomas,

is there any problem if i use TomCat 3.1 under NT 4.0/SP 6.a? Jakarta's site doesn't write anything about it. Now, i am developing a small system with this environment.

Best Regards,
José Euclides Júnior
__
E-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
http://euclides.8m.com

-----Original Message-----
From: Amrhein, Thomas [SMTP:[EMAIL PROTECTED]]
Sent: Friday, 8 December 2000 08:36
To: [EMAIL PROTECTED]
Subject: AW: Tomcat 3.2 stability

Hi,

we are running tomcat 3.2 with jdk 1.2.2 on linux and we have no problems. Except our test tool, which sometimes breaks down when making too heavy stress tests for hours. :-( and :-)

We had stability problems with tomcat 3.1 on NT Workstation and noticed the same problems that you have now. Which NT do you use? NT Workstation or NT Server? And the newest Service Pack?

There is a known feature, that NT Workstation does not handle more than six (perhaps a bit more) parallel HTTP-Connections correctly. The feature is, that you have to use NT Server instead, which is a bit more expensive or (my opinion) better use a linux system.

regards,
Thomas

-----Original Message-----
From: Matthew Preston [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 7 December 2000 14:36
To: tomcat user
Subject: Tomcat 3.2 stability

Has anyone noticed any stability problems with the recently released Tomcat 3.2?

The situation: After running a couple of web apps for ~4 days with light/moderate usage Tomcat becomes very slow and starts using 100% cpu. This never happened with Tomcat 3.1. This was seen running on a reasonably fast P3 computer with 128 megs ram and NT4 with jdk 1.3.

Is this a known problem?

Cheers,
Matt
AW: tomcat vs orion vs weblogic testing results (Load Runner)
Which JVM did you use?

-----Original Message-----
From: Manne Anliot [mailto:[EMAIL PROTECTED]]
Sent: Monday, 20 November 2000 11:15
To: '[EMAIL PROTECTED]'
Subject: tomcat vs orion vs weblogic testing results (Load Runner)

Hi all..

I'm doing work load testing on a webapplication built on javascript, .JSP:s and EJB:s. We've load tested on many different setups and are getting some interesting results:

Simulated number of users: 25
Computer setup: NT4 sp6, 1 GB RAM, Pentium III ~600 MHz
Tomcat setup: 1 ajp12-worker.. (We need out-of-process workers for scalability)

snip
setup1: webserver - apache 1.3.x, jsp - tomcat 3.2b6 (mod_jk.dll)
setup2: webserver - weblogic, jsp - weblogic (latest versions as of this date)
setup3: webserver - orion, jsp - orion (latest versions as of this date)
snip

setup2 and setup3 are 8 (eight) times faster in our tests (Load Runner). Even if we suspected tomcat to be a bit slower, this is truly remarkable..

We've tried optimizing Tomcat by:
1. using ajp13 protocol - failed, we're just getting exceptions from tomcat
2. reloadable=false - of course
3. fiddling with JVM memory settings - minor improvements

Any ideas on what's wrong here? This must be a configuration problem. Have anyone else found the same results?

Regards,
Manne Anliot.
AW: error-page in web.xml
I tried it, too. But I have the same problem. Tomcat hangs in an endless loop, if I have following web.xml:

    <error-page>
      <exception-type>java.lang.Exception</exception-type>
      <location>/exception.jsp</location>
    </error-page>
    <error-page>
      <error-code>404</error-code>
      <location>/404.jsp</location>
    </error-page>

You say, you have no problem using x.html - Files as location? I have to use x.jsp

Which Tomcat-Version do you use? I still use 3.2beta5.

regards,
Thomas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, 10 November 2000 11:24
To: [EMAIL PROTECTED]
Subject: error-page in web.xml

I have to write the following in the web.xml-File:

    <error-page>
      <exception-type>java.lang.Exception</exception-type>
      <location>/exception.html</location>
    </error-page>

But the tomcat don't catch the exception and don't show the exception.html-Page. My tomcat have no problem with the following:

    <error-page>
      <error-code>500</error-code>
      <location>/ex1.html</location>
    </error-page>

How can I catch a java exception type?

Thank you in advance!
Katrin Seiffert
AW: Antwort: AW: error-page in web.xml
oops, I tested the wrong tomcat instance

With Tomcat 3.2beta5 it _is_ possible to handle exceptions with web.xml

    <error-page>
      <exception-type>java.lang.Exception</exception-type>
      <location>/exception.jsp</location>
    </error-page>

The above statement does a wonderful job. Please delete my first email about this issue.

Thomas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, 10 November 2000 13:13
To: [EMAIL PROTECTED]
Subject: Antwort: AW: error-page in web.xml

I think I use tomcat 3.1. If I use the error-code tag, I get the exception.html-page. But if I use the exception-type tag, I don't get my own exception.html-page. Then I get the standard-exception-output from the tomcat.

Katrin Seiffert

From: "Amrhein, Thomas" <tamrhein@debis.com>
Date: 10.11.00 12:47
Please reply to: tomcat-user
To: [EMAIL PROTECTED]
Cc:
Subject: AW: error-page in web.xml

I tried it, too. But I have the same problem. Tomcat hangs in an endless loop, if I have following web.xml:

    <error-page>
      <exception-type>java.lang.Exception</exception-type>
      <location>/exception.jsp</location>
    </error-page>
    <error-page>
      <error-code>404</error-code>
      <location>/404.jsp</location>
    </error-page>

You say, you have no problem using x.html - Files as location? I have to use x.jsp

Which Tomcat-Version do you use? I still use 3.2beta5.

regards,
Thomas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, 10 November 2000 11:24
To: [EMAIL PROTECTED]
Subject: error-page in web.xml

I have to write the following in the web.xml-File:

    <error-page>
      <exception-type>java.lang.Exception</exception-type>
      <location>/exception.html</location>
    </error-page>

But the tomcat don't catch the exception and don't show the exception.html-Page. My tomcat have no problem with the following:

    <error-page>
      <error-code>500</error-code>
      <location>/ex1.html</location>
    </error-page>

How can I catch a java exception type?

Thank you in advance!
Katrin Seiffert
AW: configure the tomcat for my own error page
We discussed that two days before!! But the answer from Kenneth was not properly displayed in my mail-program. Perhaps you had some problems, too.

Here is the solution: Belong the Servlet-Spec 2.2 we have to edit web.xml like this:

    ...
    <web-app>
      ...
      <error-page>
        <error-code>404</error-code>
        <location>/404.jsp</location>
      </error-page>
    </web-app>

404.jsp has to be located in path_to_web_app/404.jsp

Note that you can't use the name 404.html. Tomcat hangs in an endless loop. If you use .jsp all is fine.

Does anybody know if that is a tomcat's bug???

regards
Thomas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 2 November 2000 09:55
To: [EMAIL PROTECTED]
Subject: configure the tomcat for my own error page

I want to configure the tomcat to use a given error page. How can I do that?

Katrin Seiffert
AW: Custom Error Document
Hi,

I want to do the same. Belong the Servlet-Spec 2.2 we have to edit web.xml like this:

    ...
    <web-app>
      ...
      <error-page>
        <error-code>404</error-code>
        <location>/404.html</location>
      </error-page>
    </web-app>

But my tomcat hangs in an endless loop. He does not find 404.html. In my system it's located in path_to_web_app/404.html

Do you know where it has to be located? How does your system behave? I use Tomcat 3.2beta5 under NT.

regards
Thomas

-----Original Message-----
From: Fredrik Stenberg [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 31 October 2000 11:04
To: '[EMAIL PROTECTED]'
Subject: Custom Error Document

Is it possible to redirect to a custom error page when receiving an Error 500 from Tomcat? Eg. something equal to Apache's ErrorDocument directive.

/Fred
AW: redirect problems?
Do you make a return after the sendRedirect?

    ...
    response.sendRedirect("/checkout2.jsp");
    return;
    ...

Otherwise, the output of checkout2.jsp is added (and not a 'new' output).

Hint: Call sendRedirect before you make any output!!!

-----Original Message-----
From: jim [mailto:[EMAIL PROTECTED]]
Sent: Friday, 27 October 2000 18:41
To: [EMAIL PROTECTED]
Subject: redirect problems?

Hi,

We are using Apache 1.3.12 with Tomcat 3.1 and experiencing weird problems.

1. checkout.jsp (FORM collecting new user info) - POSTs to checkout_eng1.jsp
2. checkout_eng1.jsp - adds user from #1 and does a response.sendRedirect("/checkout2.jsp");
3. checkout2.jsp shows the next FORM asking for mailing address information

Weird Symptom #1 -- On any version of Internet Explorer (never on netscape) the POST to step #2 above fails and up comes this IE error "cannot find server or DNS error" which leads me to believe that the response.sendredirect() is doing something odd, maybe not sending back the correct http location header or something. If you immediately hit the browsers back button and re-submit the form, it then works with no problem and as expected. This only seems to occur the first time submitting forms to a page that re-directs after an operation.

Weird Symptom #2 occasionally on Internet Explorer AND Netscape. User submits info from form #1 above (checkout.jsp), their information is added to the database and they are redirected to checkout2.jsp, HOWEVER what is shown on checkout2.jsp is BOTH the previous pages contents (checkout.jsp) AND the expected contents of checkout2.jsp with a visible HTTP response header printed out in between checkout.jsp's contents and checkout2.jsp's contents ALL on visible on the URL checkout2.jsp

Anyone have any ideas? I tried checking the bug database but it appears to be down.
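
Added example, not part of the original thread: the redirect step from the messages above written as a servlet, with the return after each sendRedirect and a check that no output has been sent before redirecting. CheckoutStep1Servlet, addUser and the "name" form field are hypothetical, and the javax.servlet API is assumed to be on the classpath; in a JSP scriptlet the same return statement applies.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; CheckoutStep1Servlet, addUser and "name" are hypothetical.
public class CheckoutStep1Servlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String name = request.getParameter("name");

        if (name == null || name.trim().isEmpty()) {
            // Invalid input: send the browser back to the form and STOP.
            // Without this return, addUser() below would still run for a
            // request that was supposed to be rejected.
            redirect(request, response, "/checkout.jsp");
            return;
        }

        addUser(name.trim());

        // Nothing has been written to the response yet, so the redirect
        // replaces the whole response with a 302 and a Location header.
        redirect(request, response, "/checkout2.jsp");
        return; // no output may follow a redirect
    }

    private void redirect(HttpServletRequest request, HttpServletResponse response,
                          String path) throws IOException {
        if (response.isCommitted()) {
            // Output already reached the client, so a redirect is no longer
            // possible; fail loudly instead of appending to a sent page.
            throw new IllegalStateException("redirect requested after output was sent");
        }
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + path));
    }

    private void addUser(String name) {
        // Stands in for the database insert described in the thread.
        log("adding user (name length " + name.length() + ")");
    }
}
```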
AW: JNDI Under Tomcat 3.2, jdk1.3
Hi,

I use Tomcat 3.2 and jdk1.2.2. The Application Server is Voyager and I have to use some .jar-files. They have to be put in Tomcat's Classpath (Tomcat_Home/lib/).

The problem: I can not use this within classes from a web application (web_app/Web-Inf/lib/). I don't know why. Seems to be a classpath problem.

Solution: Put all your classes included the classes of the web_app, which try Context.lookup() in tomcat_home/lib or tomcat_home/classes and the lookup works fine.

Hope this helps.
Thomas

-----Original Message-----
From: David Harris [mailto:[EMAIL PROTECTED]]
Sent: Friday, 27 October 2000 00:15
To: Tomcat-User (E-mail)
Subject: JNDI Under Tomcat 3.2, jdk1.3

Hi,

Has anyone experienced problems with the Context.lookup() function in a web application running under Tomcat 3.2 with jdk1.3 ?

My problem is that the object returned is of type java.naming.reference, so it cannot be cast into the correct class. I do not get this behaviour when I run the same code as a console application. I think it must be something to do with the classloaders and/or the class path or the use of object factories which I do not fully understand yet. JRun 3.0 behaves the same way, however Tomcat 3.1 does not have this problem.

any ideas?

David Harris - Software Engineer
Activ Australia Pty Ltd
Level 3, 168 Day Street SYDNEY NSW 2000
Tel +61 2 9284 4250
Fax +61 2 9284 4242
http://www.activ.com.au
http://www.activ.com.ausupport/
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]