Writing my own valve to do extra logging

[Dr. Evil]

Hi, I have found that I need to write my own access logging mechanism
to work with Tomcat.  I need the ability to log to a database and do
other things that the built-in mechanism simply can't do.  Extremely
good database-searchable real-time logging is critical to this project.

One way to do this is to write a logging filter.  Unfortunately this
doesn't give me all the info I need.  I need to be able to capture all
response codes, content length, etc.  Even if I write a class that
extends HttpServletResponseWrapper and use a filter to use that
response object, it doesn't catch all the info I need (trust me, I've
tried this).

So my solution is to write a valve which will replace the built-in
org.apache.catalina.valves.AccessLogValve valve.  It's very easy to
write a valve, but in this case, I simply copied the catalina valve,
adjusted import directives so it would compile, compiled it, and put
it in CATALINA/server/lib/mylogger.jar.

Then I edited bin/catalina.sh so that mylogger.jar was on the java
classpath, and edited server.xml so that instead of mailto:[EMAIL PROTECTED]>
For additional commands: 
Troubles with the list: 

Writing a logging filter

[Dr. Evil]

I am trying to write a filter which will perform some custom logging
actions for my servlets.  It's pretty basic stuff.  I want to log the
browser IP, the browser User Agent, the response code and the response
content type and length.

The browser info is easy.  I can fetch all that from the Request
object.

The problem is finding out the content type, length and response code
from the Response object.  There appears to be no way of doing this.

How can I write my own logger for Tomcat?  Any sugestions would be
appreciated.


--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Log analysis tool for Tomcat?

[Dr. Evil]

Can someone recomend a tool that can analyze Tomcat's access log?  I
want to do the basic things like reverse-lookup all the IPs in the
log, see which domains are hitting me, and which pages they visit.
More advanced things like graphs of usage or storing the logs in a db
would be fine, too, but aren't necessary at this point.  I do have
Postgres on that machine so I could use it.

Any recomendations?

Thanks

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Request.getHeader(String) and multiple headers with the same name...

[Dr. Evil]

If you were designing a Web browser you probably wouldn't put in
multiple headers with the same name, because that might confuse all
kinds of servers.  Unfortunately, not all Web browser designers have
thought along these lines, and so I am having to deal with a header
that looks like this:

GET / HTTP/1.1
Host: yermom.com
Accept: text/vnd.wap.wml
Accept: text/vnd.wap.wmlscript

followed by even more Accept: and accept: headers.  In my opinion,
this is broken behavior on the part of the browser, but there's
nothing I can do about that.  This is from a Siemens ME45 phone, btw.

When I use Request.getHeader() on this thing, I only get the first
one, which is "text/vnd.wap.wml", which doesn't help me know what kind
of images, etc, I can send to this lovely device.

Is there a way to make Tomcat get all the headers with on name, or do
I have to do something else?

Thanks

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Can a Tag know its own name?

[Dr. Evil]

Unfortunately there seems to be no way to pass config info to a tag
from the TLD file.  I would like to create several different tags
which all work in similar ways but do slightly different things.  I
want to implement them by using one class which sees which name it is
used as.  I could do this by having an attribute which I specify every
time I use the tag, but it would be nice to have the class simply be
able to detect its tag name.  Is this possible?

Thanks

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Re: Finding the content type from within a JSP

[Dr. Evil]

> How can your tags not know that type they are generating?  I don't 
> understand that.

And I would like to understand how they can know which type they are
generating.  Could you possibly show me how to write a very simple tag
which simply prints out the content type of the page it is on?

>From what I can tell, the only way they can know is if I create a
filter which puts a "contenttype" attribute in the request object.
Unless there are other sugestions this is what I'll do.

Thanks!

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Finding the content type from within a JSP

[Dr. Evil]

I have an interesting question.  I can see that there is a
ServletRequest.setContentType(String) method which would let me set
the content type, but from what I can tell, there is no corresponding
get method.  This seems very strange.  I want some of my jsp tags to
generate different content depending on whether they are generating
html, wml or plain text, so I need to know the content type.  Is there
a way to find it out?

Thanks!

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Java question: From one stream to another

[Dr. Evil]

Hi, this is partially a Java question and partially a Tomcat
question.  I looked through "Java Servlet Programming" and some other
books and I couldn't find a good answer.

I am writing a program which uses Jmagick to generate some images
which will be sent back to the client with a servlet.  In the book, it
says the way to do this is to create a BufferedOutputStream from the
response.getOutputStream(); and then do this:

byte[] buffer = new byte[4096];
int size;
size = bufferInputStream.read(buffer);
while(size != -1) { ...

You get the idea.  Is there a Java class that does this loop for me,
so I can just connect the Input and the Output streams and it will
handle it?  It seems like it would be a pretty logical class to have,
but I can't find anything that does that.

Thanks!

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

The (tom)cat with 9 lives...

[Dr. Evil]

I was trying to get Tomcat to work with Jmagick, and I appear to be
having some problems which cause Tomcat to stop working, but it leaves
a bunch of threads going.  For some reason I can't kill these threads
using the ordinary 'kill -9' method.  This is under Mandrake Linux,
with a 2.4 kernel.  Any sugestions on how to kill these threads which
never die?  I don't want to have to reboot this computer all the
time.  That's a Windows thing!

Also, I am having a lot of problems with getting Jmagick to work.  It
can link in and do some things, but it seems to crash a lot, too.
Basically, I am trying to set up Tomcat so that users can download
images, which are then stored in a DB.  To do this, the images need to
be scaled down to a certain maximum size (ie, we don't want 1000x1000
images) and I also need to convert formats, to go from JPEG/GIF/PNG to
PNG and WBMP.  Any alternatives to Jmagick?

Thanks!

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

JNI libs and Tomcat?

[Dr. Evil]

Hi, I'm trying to get Jmagick (a JNI interface for Imagemagick) to
work with my favorite web server, which is Tomcat 4.  In the release
notes, it says:

Applications that require native libraries must ensure that the
libraries have been loaded prior to use.  Typically, this is done with
a call like:
 
  static {
System.loadLibrary("path-to-library-file");
  }

However, when I put in /usr/local/lib/libImagemagick.so in there, and
put it in a Listener that starts when the app starts, I get an error
that path separators are not allowed in the loadLibrary method.  I
tried putting that library in the $TOMCAT/lib directory, and taking
out the full path, and that didn't work.  Any sugestions?

Thanks!

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Re: Startup order

[Dr. Evil]

> See javax.servlet.ServletContextListener.  The contextStarted() event
> method is the first thing your application will ever see, and that is the
> right place to put initialization of things that need to go into servlet
> context attributes for all filters and servlets to see.

Thanks Craig.  That worked perfectly.  On a side note, it is mighty
impressive to get an answer to a question within a couple of hours of
posting it... on a Sunday night, from one of the guys who writes the
code!  Once my company starts getting some revenue, we want to start
investing in great Open Source software like the Jakarta project
because if it didn't exist, neither would we.

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Startup order

[Dr. Evil]

I'm using Tomcat with both filters and servlets.  Here's the problem:
I need to load a few objects into the servlet context (a logger, a DB
connection pool, etc), which will be used by all the other filters and
servlets.  Here's the problem: The Init method of some of the filters
need some of these objects, and it looks like Tomcat runs the
load-on-startup servlets after it has called all the init methods of
all the filters.

What's the right way for me to make objects available in the filters'
init methods?  Should I create a filter, with no mapping, and do all
my object loading in that filter's init method?  How can I make sure
that that filter's init method is called before any of the other
filters?  Do filters init in the order they appear in the web.xml
file?

Thanks for any tips on this.

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

JVM and speed issues

[Dr. Evil]

As we all know, java is "write once, run anywhere".  Given that, it
makes sense to choose a good place to run it, right?  All my questions
in this post relate to Tomcat 4 standalone; I'm not using any other
app or any other java functionality.  I'll be developing on a separate
box.  The first step is choosing the right jvm and the right OS.

In my particular case (I'm sure this is a pretty common case) I'm
restricted to Intel/AMD hardware, basically because it's the best
performance I can get within my budget.  When it comes time to launch,
I'll probably get a fast dual-CPU box.

So, the first choice to make is OS.  It seems that the only two
reasonable choices are Linux and FreeBSD.  Which is going to give me
the best performance for Tomcat?

Second choice is JVM.  I have heard that the IBM JVM is somewhat
faster than Sun's.  Should I go with IBM, or are there any other good,
solid choices?

Finally, compiler questions.  It looks like we have Sun javac, IBM
javac, IBM jikes, and gcj.  Which of these produce the fastest
bytecode?  I've heard jikes is very good.  Also on compiler questions,
does -O matter?  If I download the Tomcat binary distribution, do I
have to recompile it with -O for best performance?

Thanks for any tips!

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Re: somebody trying hack me, what they really wanted?

[Dr. Evil]

> HA! your funny!  FBI stop building your Magic Lantern and come find the poor
> sap that is trying to hack my free software nothing invested but time server
> sitting in my broadband closet! 
> Ya Right!

It was just a thought.  I hope the FBI has better things to be
doing...


--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Re: somebody trying hack me, what they really wanted?

[Dr. Evil]

I get those all the time.  I wish I could put a sign on my computer
that says, "You're wasting your time.  This machine is running
Tomcat/Linux.  Find someone running Windows".  On a more serious note,
this is a computer hacking attack, and it comes accross state lines.
Could I get the FBI to investigate these things?  I'm sure this is a
Federal crime.

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Re: AW: security issue: tomcat on port 80

[Dr. Evil]

Ok, this subject is getting pretty far from Tomcat, but I'll address this.

> > I asked once on the OpenBSD list.  Those guys are very much
> > traditionalists so they did not like the idea.  Still, there is no
> > longer any rational reason for this restriction.  I challenge
> > anyone to point out a good reason for it.  Basically, it
> 
> I discussed this on a local LUG. It seems there are plenty of local
> root exploits and even if u run the servers as non-root, you can
> still gain access to this non-root user and then use the local root
> exploits to get root. Now how do u beat this ?

Yes, there are plenty of local root exploits in Linux.  There has even
been one in OpenBSD.  Local root exploits are a fact of life in
non-trusted systems such as OpenBSD and Linux.

In your post you sugest that if I were running the web server as
non-root, and it had a buffer overflow or similar vulnerability, the
hack process would be this:

1. Hack into web server process.

2. Run local -> root exploit.

3. Done.

In the case where the server is running as root (which is the case on
all *UNIX things right now), the process looks like this:

1. Hack into web server process.

2. Done.

Your comment above basicly proves my point that we get better security
if we allow non-root stuff to bind to low ports.  The reason why this
is such a big deal is that Step 2 (Run local -> root exploit) is an
extra barrier and it can be very very difficult barrier on some OSes,
such as OpenBSD or a well-configured Linux system.  In its years of
existence, OpenBSD has had only one local -> root exploit.

On the subject of local -> root exploits, they are mostly caused by
SUID processes, like sendmail or "trivial" things like lpd or at.  If
you want your server to be secure, audit the system for suid files and
turn off all that aren't absolutely necessary.  This goes a long way.
Btw, there would be a lot _less_ suid stuff on systems if non-root
could bind to low ports.  This would also prevent some local attacks.

Basically security design is hard to understand and few people
understand it.  People who don't understand it often think that "more
restrictions means more secure", which is often incorrect, because it
often means that you need to run ordinary stuff at higher permission
levels to get around these restrictions, and that's bad.  People who
understand security design think more in terms of comparentalization
and auditing than in terms of generic restrictions.

Trusted systems like EROS, Trusted BSD and SE Linux are based on this
idea.  Root is the root of all evil, and so these three systems solve
the problem by not having root.

This may sound strange, but that actually makes the systems _easier_
to use.

Just for completeness, here is how the above attack would look on a
Trusted BSD system:

1. Hack into web server process.

2. Serve your own "| 0\^//\/ 7H|S S|73!!" message.

3. That's all you can do.  Oh, and it's all audited.


--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Re: AW: security issue: tomcat on port 80

[Dr. Evil]

> Have you tried asking your question in the linux mailing lists ?
> What do those guys got to say about this restriction to bind to
> ports < 1024 in the present day server systems?

I asked once on the OpenBSD list.  Those guys are very much
traditionalists so they did not like the idea.  Still, there is no
longer any rational reason for this restriction.  I challenge anyone
to point out a good reason for it.  Basically, it used to be the case
that sysadmins didn't want ordinary users to be able to run sendmail
on port 25.  This altruisticly protects other users on other machines
from dealing with trojaned services (ie, trojan telnetd, etc).  This
concern is ridiculous today, because how often do you telnet to some
unknown server and enter a password?  Never, probably.

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Re: AW: AW: security issue: tomcat on port 80

[Dr. Evil]

> The past 12 years I worked constantly for companies that had one or
> more unix servers and always only a small number of users had an
> admin=20 account, all other had 'normal' user accounts.

Anyway, can someone explain to me the security benefit of restricting
bind < 1024 to uid 0?  At this point I can't see what good it does,
and I can see that it does harm.

> Even on a single user system I wouldn't recommend to work constantly
> as administrator (neither under=20 windows nor under linux). I
> prefer to work always with the least possible rights, so that any
> virus=20 that might come in, can do fewer harm. (in this=20 sense I
> don't trust even myself, although I was=20 never infected in all
> those years)

No, it's definitely a bad idea to work as root all the time because
mistakes can be very bad.  I was just explaining why long ago that
restriction was implemented.  It's ridiculous now.  On my server
machine, I'm the only one who can log in to it.  It would definitely
be better if Tomcat could run without uid 0.

> All the solutions I've seen in the past for
> trustedxxx, had nice features but where so=20
> difficult to configure and maintain, that it was=20
> hard to get more security whithout affecting the=20
> ease of use for the daily work.

I think it's just a question of familiarity.  Today when you install
Linux/*BSD/etc, all the permissions on all the files are set correctly
so you don't have to mess around with it.  If you had to figure it all
out yourself it would be a pain.  Actually the capabilities based
stuff may make things easier because today, they try to achieve
similar results by having multiple users for multiple stuff (a user
for lpd, for uucp, etc) and then use group and file perms.  It's a
confusing mess.  It would be much clearer to say: "Sendmail has the
capability to bind port 25 and write files in this directory" than to
figure out the right combination of suid stuff, tcpwrapper, etc, that
will do the right thing.

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Re: AW: security issue: tomcat on port 80

[Dr. Evil]

> The VM itself is typically writen in C/C++, so I wouldn't beg on more=20
> safety for a VM than Apache.

That's probably true.  However, the likelihood of someone being able
to send a web request to Tomcat that will result in Tomcat triggering
a buffer overflow in the VM seems ridiculously small.  It's not like
the VM is executing arbitrary code from users, even though it is
designed to be able to do that safely.

> And there are other potential risks running tomcat as root. (If you=20
> make a configuration or implementation error that allows to store
> JSP on the server, an intruder can do anything on your server)

Yeah, that could be a big problem.

> This was introduced to protect the ports that are used for the most
> fundamental services from missuse by any user.

Which is plain old stupid, I must say.  It's not like Yahoo sells
shell accounts on www.yahoo.com, right?  It dates from the good old
days (now long gone) when root/sysadmins users basically trusted other
root users, but didn't trust their own misbehaving shell account
users.  This is totally irrelevant on today's Internet.  In the old
days there had to be many users on one machine doing different things
because machines were expensive.  Machines today are not shared.  They
are owned and used by single entities, and for server machines (like
www.yahoo.com) the only people with access to the machine are ones who
already have root access.  Either you trust the machine and all of its
sysadmins and users, or you don't.  How many companies still sell
shell account service?  This OS limitation no longer has any security
upside, and it has a huge downside, which is that the same process
which runs CGIs or servlets also has (at some point) the power to edit
/etc/passwd, and similar things which it should not have the
capability of doing.

The ultimate solution for this is capabilities based security.  At a
very fundamental level, I should be able to give a proc the capability
to bind to a port without also giving it the capability to edit
/etc/passwd or read arbitrary RAM.  The "uid 0 to bind < 1024"
restriction just makes things worse.

I'm still waiting for TrustedBSD which will implement all this.
Pretty much every exploit known in the Unix world has, as one of its
steps, or as its end goal, getting root.  The solution to this is to
not have root, obviously.

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Re: security issue: tomcat on port 80

[Dr. Evil]

> How safe is it to have tomcat listening on port 80
> running on a RH6.2, which  is on the internet ?
> Did anybody face any security problems ever ?

>From the conventional point of view, having things run on port 80 has
been dangerous because a proc has to have uid 0 to bind to the port.
Apache is regarded as safe because the code drops root ASAP and si
thoroughly tested and audited.  Tomcat is not regarded as safe because
it can't drop uid 0.

However, the reason why uid 0 is so dangerous for Apache is because
it's written in C.  Buffer overlflows are almost inevitable in a
language like C, with its direct memory access and unsafe pointers.
Java bytecode doesn't have any of those problems.  It can't manipulate
memory or pointers ever.  It is much much safer than C will ever be.
So I think running Tomcat on port 80 should be fine.

An even better solution would be to recompile your kernel so that you
don't need uid 0 to bind to port 80.  I still can't figure out why
they have that dumb restriction that you must have uid 0 to bind ports
< 1024.  That's just stupid and it causes far more security problems
than it solves today.

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Sending WAP notifications from Java

[Dr. Evil]

Hi Tomcat users,

I am trying to find a java class which will let me send UP.link
notifications from java.  OpenWave has some libraries for doing it
from C.  I was wondering if there was something equivalent for java?
I have searched all over the net and I can't find anything.

Thanks

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

Re: RequestDispatcher.forward() ?

[Dr. Evil]

> Could somebody tell me if this behavior by design and if so why:
> 
> The following fragment forwards a request to main application page:
> 
> //---
> String main = "/index.jsp";
> //String main = "/";
> 
> RequestDispatcher dispatcher
> = getServletContext().getRequestDispatcher(main);
> dispatcher.forward(req, resp);
> //---
> 
> 
> Forwarding works on server side if code being executed as shown (main is
> "/index.jsp") so client isn't aware about it. However, if main is set to be
> "/" (commented line above), 302 is sent to the client, so it's not a
> server-side redirect, right? In this case response "Location" header is set
> to http://host/pathtowebapp/index.jsp. Am I missing something? Tomcat was
> able to find out that index.jsp is a welcome file but nonetheless it's a
> client side redirect. Not a big problem of course, just curious...

You have to be clear about what you mean when you say "forward".
There is "send a redirect" or "get a RequestDispatcher", which are
different things.  What the fragment above does is it tries to forward
to a servlet which is the resources associated with /.  That doesn't
exist so it sends an error.  If you want to send something to the
client you need to use response.sendRedirect() I believe.

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

MVC in Tomcat is hard

[Dr. Evil]

I'm trying to use the Model-View-Controler design approach in Tomcat.
Here's what I'm trying to do:

I'll put the Model stuff in a servlet.  The View stuff will go into a
jsp page (actually a custom tag lib).  What I need to do is, when I
view a page like foo.jsp, the servlet needs to get invoked to set up
some state, so the tags can then dispaly it.  So, let's say the client
requests

http://host/dir/foo.jsp

I want to have a servlet, let's call it controler.class, be called,
do its stuff, and then get a RequestDispatcher, and then do
rd.forward() to foo.jsp.  This doesn't seem to be possible.  Is there
a way to do this?

Thanks

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

servlet-mappings

[Dr. Evil]

I'm trying to do some fancy stuff with servlet mappings.  This
mechanism leaves a lot to be desired; specificly, it would be
amazingly useful to be able to do a getRequestDispatcher in some way
that bypasses the servlet mappings in the web.xml file.  Alternatively
it would be extremely useful to be able to call the jsp servlet from
within another servlet, but this doesn't seem to be possible.  rd =
request.getRequestDispatcher("jsp") never seems to work.

Anyway, here's the question:

I know there are prefix mappings, such as /foo/bar/, and extension
mappings such as *.foo, but it doesn't seem like it's possible to do
mappings like /foo/bar/*.baz.  This mapping seems to never hit.  Is
there a way to do that?

Thanks

--
To unsubscribe:   
For additional commands: 
Troubles with the list: 

More experiments with changing the default (/) mapping

[Dr. Evil]

I have figured out a few things about how servlet-mapping and
RequestDispatcher might work together.

If I put in a servlet-mapping entry for /* (which will catch every
request coming in to the server, which is something which I need to
do), and I make the servlet which handles it look like this:

RequestDispatcher rd = context.getNamedDispatcher("default");
rd.forward(request, response);

then it works for serving plain old static files.  In toher words,
http://localhost/foo/bar.html will get the bar.html from the /foo
directory.

This leaves me with two problems:  First, if I understand correctly,
servlets are not allowed to modify the HttpRequest object.  This means
that my director servlet can't change which director bar.html will be
in.  This is bad for me.

Second, I can't get it to work at all for jsp pages.  I would have
thought that:

RequestDispatcher rd = context.getNamedDispatcher("jsp");
rd.forward(request, response);

would work but it doesn't.  I get an exception with a message
"org.apache.jasper.JasperException: No output directory: String index
out of range: -1".  I can't figure out why that is happening or what
to do about it.

So, any sugestions on a) changing the paths "default" and "jsp" will
use to get their source pages from and b) how to get jsp to work?

I also thought about doing this with filters, but the problem with
filters is that they can only dispatch to servlets, not to jsp or html
pages, which is what I need to do.  Any sugestions would be most
appreciated.

Thanks

getNamedDispatcher

[Dr. Evil]

Hi, I am trying to use ServletContext.getNamedDispatcher(String) to get
a RequestDispatcher object in my servlet.  The goal of this is to
allow my controller servlet to hand off request processing to another
servlet.  What I have done is set up a default  in my
web.xml file, so that all requests going to the server will be handled
initially by a controller servlet, which will then decide which
servlet should really handle the request.  It will go through its
logic and then come up with a string, which will be the real servlet
which will handle the request.

I'm trying to use getNamedDispatcher so that I can avoid the loop that
would happen because of the default servlet-mapping.  This seems like
it should work.

In my servlet's init method, I do this:

   this.context = getServletConfig().getServletContext();

This works.  context is not null after this call, so it definitely
gets a context.

However, later when I do:

 RequestDispatcher rd =
 this.context.getNamedDispatcher("/static/index.html");

rd comes back as null, and obviously rd.forward(request, response) is
impossible.

Any sugestions on this?  How do I get a servlet to send something to a
named servlet without going through the servlet-mappings again?

Thanks

Servlet mapping with /

[Dr. Evil]

I'm trying to do something tricky with a servlet mapping for "/".
Basically, one machine will be serving a bunch of different hostnames
from one IP address.  For various reasons which I won't go into right
now, it is an absolute impossibility to have separate IP addrs for
these different machines, and also we can't configure them as virtual
hosts in the server.xml file (trust me on this, it's an absolute
impossibility).  All the files that are served are in a few specific
directories, like /statichtml, or /userhtml or whatever, which contain
either static html or jsp pages.  So here's what I did:

I put this line in web.xml for the app:

   
  
director
  
  
/
  
   

I created a servlet called director.java, which would look at various
parameters in the request, and then forwards it to the right place
like this:

RequestDispatcher rd =
request.getRequestDispatcher("/staticpages/hello.html");
rd.forward(request, response);

or

RequestDispatcher rd =
request.getRequestDispatcher("/dynamic/hello.jsp");
rd.forward(request, response);

What happens is that when RequestDispatcher.forward() is called, it
goes back through the mappings list, and sends the request straight
back to director.java, which then looks at it and forwards it
again, etc, in an endless loop.  I understand what's going on, but is
there a way to do it differently?

I tried this also:

  RequestDispatcher rd =
  ServletContext.getNamedDispatcher(settings.corphtmlindex);

but then I got this error:

RequestDispatcher rd = ServletContext.getNamedDispatcher("/statichtml/hello.html");
  ^
director.java:159: non-static method getNamedDispatcher(java.lang.String) cannot be 
referenced from a static context

I'm not sure what's going on here.

One thought I had was this: in the mappings list, more specific
mappings override less specific mappings, and / is the least specific
mapping possible.  Is there a way to put in mappings in web.xml to
prevent the director servlet from being called?

This seems like it would be a common thing to do under the MVC model,
so there must be some solutions out there.

Thanks

Re: Opinions on detecting browser type for WML vs. HTML

[Dr. Evil]

> What do you mean by "The 'user-agent' header always contains the string "UP.
> Browser" 
> 
> I bet you 100 pounds that it doesn't. A Nokia phone on a Nokia or CMG
> Gateway will not have "UP" anywhere.

Right, I looked into that and UP.browser is a particular kind of
browser.  Not all mobiles will have it.  It looks like there is a lot
of variation out there, so I will just look through my server logs for
clients that have unusual browser types and add them in.

Now, maybe you can answer another question: Is there any way to detect
the phone number of the browser, or anything else that would let me
send a WAP push back to the same browser?

Opinions on detecting browser type for WML vs. HTML

[Dr. Evil]

I am working on a site where the same URL will be hit by both WML and
HTML browsers.  Fortunately, with Tomcat, it's very easy to have a
controller servlet which takes all incoming requests and decides to
forward them to various processors.  The problem is, how should I make
this servlet decide what to do?

It looks to me like basically every ordinary web browser in use
includes the string "Mozilla" somewhere in its browser type header.  I
believe this includes IE, Netscape, Konqueror, Galeon, Opera and
almost all the others.

My current thought is to check for the string "mozilla".  If it's
there, you get HTML, and if it's not there, you get WML.

Is this a reasonable approach?  I like to do things in a way that is
browser independent, but in this case I don't see how to do it.  There
really should be a header sent by the browser listing the MIME types
it accepts, perhaps, but there isn't so I don't know any other
alternative.

Thanks

Re: Logging solution is complicated (was Re: Debugging in Tomcat 4)

[Dr. Evil]

> Jeesch, Dr. Evil, I gave you a logger that does fancier logging and has no
> setup.  You didn't like it?  It also has simpler code in the class.  And, it
> does automatic type identification on the fly.  Whatchawant?  ;-)

Sorry, Marcel, I couldn't figure it out.  I was extremeley extremely
frustrated that night by not being able to get prepared statments to
work and having no debugging output and then looking at log4j's
enormous installation guide... but I did manage to get log4j installed
and it works fine.

Your logger's auto-object detection is cool, I must way.

Now with log4j everything is on track.  Tomcat works.  The learning is
painful though.

Making an application serve / ?

[Dr. Evil]

Under Tomcat 4, if I want an application to serve the main url (ie,
http://www.server.com/), what's the right way to do it?  Should I put
the app in webapps/ROOT/, or should I somehow tell Tomcat which is the
default app to use?  If it makes any difference, there won't be any
other apps on this server.

Thanks

Re: servlet in startup

[Dr. Evil]

>   Can someone please help me how to make my servlet run when the Tomcat
> starts up. What do I have to do in my codes
> to impelement this or some setup needed for my Tomcat config.?


Put these lines in web.xml:

   
  startlogging
  startlogging
  1
   

The number in the load-on-startup tag specifies the order of loadup.

In your servlet, put the code that you want to run on startup in the
init() method.  It will be called in the order listed in the web.xml
on server startup.  It works.  I use it to start log4j and to start my
database connection pool.

Logging solution is complicated (was Re: Debugging in Tomcat 4)

[Dr. Evil]

Ok, I figured out how to get log4j to work with Tomcat in a
reasonable, although complicated, way:

Download the log4j files, and copy the .jar files into
TOMCAT_HOME/libs, otherwise servlets can't find them.

First, compile a servlet called startlogging.java, in the classes
directory:

--
// start logging functions
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.log4j.PropertyConfigurator;
 
public class startlogging extends HttpServlet {
 
public void init() throws ServletException {

PropertyConfigurator.configure("/usr/local/jakarta-tomcat-4.0/webapps/myapp/WEB-INF/classes/log4j.properties");
// or wherever your properties file is
}
 
}
--

Then, put this in the web.xml file:

--
   
  startlogging
  startlogging
  1
   
--

I put it as my first servlet entry in the file.  Order is important in
that file.

Then, create the log4j.properties file, in the classes directory:

--
# Set root category priority to DEBUG and its only appender to A1.
log4j.rootCategory=DEBUG, A1
 
# A1 is set to be a ConsoleAppender.
#log4j.appender.A1=org.apache.log4j.ConsoleAppender
log4j.appender.A1=org.apache.log4j.FileAppender
 
# set up the filename - change as appropriate
log4j.appender.A1.File=/tmp/test.log
 
# A1 uses PatternLayout.
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
--

Finally, in classes that you want to log from:

--
class myclass {

static Category cat = Category.getInstance(userinfo.class);   

public void mymethod() {
.
cat.info("This is an info log entry.");
--

and then it will log to the file you specified in the log4j.properties
file.  That's a lot of complexity to get a line into a file, but
whatever, it's better than trying to figure out what's going on by
looking at html output from a servlet...

The other problem here is that it uses the FileAppender method from
the log4j package.  I'm not sure what's wrong with this method, but
they say it is depracated, slated for removal, and there doesn't seem
to be any replacement for it.  Sometimes all you want is to put a line
in a file.  When you can't figure out what's going on, nothing is
better than falling back on a good old printf("we're here\n");.  I am
glad to here that java 1.4 is getting an assert() facility.  Maybe a
log() facility would be another good addition to that.

Re: Debugging in Tomcat 4

[Dr. Evil]

> Well, have you checked the log files ?

Yes, they work great, except they only exist if I import the various
Tomcat packages.  Unfortunately most of the work is being done in
classes which don't import the Tomcat stuff, so basically I have these
large-ish class files which I can't debug and which can't log
anything, so all I can do is make changes to them, restart the server,
and hit reload, and guess at what may or may not have happened.  This
is extremely painful, given that these classes are doing SQL stuff, so
plenty of things can go wrong there.

> Guys like Craig etc, have been pointing to the xml configuration
> files. I'll go take a look myself.

I'll take a look into it.  It would be wonderfully awesome to be able
to get a little debug message from some of these classes.  That would
basicly spend my development up by literally ten times or more.  My
project is basically stopped now because I can't figure out what's
going on in one of these classes.

> Well, I guess that's why I'm interested in Smalltalk :-) (Aargh ! no
> flames please !)

Java is great in many ways but it seems like it is very painful if you
aren't very good at it, which discourages people from becoming very
good at it, I think.

Re: Debugging in Tomcat 4

[Dr. Evil]

> I use Visual Age for Java .

I should look into that but I can't afford to buy stuff like that
right now.  This whole situation is aweful.  I looked into log4j, and
it looks like it has tons of features, except it doesn't have the one
feature which I really want, which is being able to log a string to a
file.  It can log a string to a Writer, but then how do I declare a
global writer variable that it can write to?  Is there a way to
declare absolutely global static objects in Tomcat?  Why can't there
be something as simple as log("string", "filename") which I can just
call anywhere, any time, and it writes the string to the file?  Under
Tomcat 4, System.out.println doesn't even work.  All I want is to see
why my class method isn't doing what I think it should do.

I'm about to throw away my project and go back to PHP.  Java may be
powerful, but if I can't debug stuff, then anything more complex than
"hello world" is nearly intractable.

Java is so widely used.  Surely there is some kind of logging
mechanism that works easily with minimal dependencies?

Sometimes some parts of working with Java are so powerful that it's
hard to do basic things with them.

Debugging in Tomcat 4

[Dr. Evil]

This is very painful.  The log() facility is great... in classes which
have the appropriate servlet packages imported.  However, if I am
using other classes which don't import those packages, then I don't
have log().  System.out.println() doesn't display anything to console
or any logs.  Running Tomcat in a debugger is challenging.  I'm left
with... hmm, not much other than throwing exceptions, but that's not a
good way to see something in operation.  So how do people debug with
Tomcat?  If there is no way to look at internal state of methods as
they are going, then that is a major, major failure of the product,
right?  Even a simple method can have some logic errors in it.  I
can't imagine trying to write a large, complex class without any form
of debugging.

Thanks

I figured it out (was Re: Java datatypes question: the Set)

[Dr. Evil]

HashSet is what I want...

Java datatypes question: the Set

[Dr. Evil]

In the particular class that I'm working on, it would be extremely
handy to have an unordered collection of unique objects (strings)
which can grow as necessary.  This sounds exactly like the Set class.
However, Set is an abstract class, so I can't instantiate it.  Are
there any non-abstract classes that do what Set does?  I have seen
there is ArrayList, but that allows duplicate values and is ordered.
There is Vector, which is a lot like ArrayList.  There are the various
Map classes, but they are associations, which is totally different.
Any other classes I could be using?

Thanks from a java newbie.

Re: Logging from a servlet in Tomcat

[Dr. Evil]

> I haven't tried this in 4 but in 3 you can always just print to stdout or
> stderr
> eg. System.out.println("In the Foo function");
> Which will get printed to the console or your logs depending on how you're
> running tomcat

That is a very good idea.  I'll give that a try.  Also, I found that
the log() command does work; I think there was a permissions problem
on the logs/ directory.

Thanks

Logging from a servlet in Tomcat

[Dr. Evil]

I have a question: It would be extremely useful for a servlet to be
able to record debugging messages in some way.  I don't have a Java
debugger, but I could do a lot of debugging if I had a command that
looked like this:

log("We are in this part of the code now");

I have seen documentation for a command like that, and I have tried it
in my installation of Tomcat 4.0, but it doesn't send any output
anywhere, so it seems useless.  Is there a way to get it to work?

Thanks

Re: How to change Tomcat default port from 8080 to standard port 80?

[Dr. Evil]

> How to change Tomcat default port from 8080 to standard port 80?

In conf/server.xml, edit this section:



in the obvious way.

Figured it out (was Re: Using a servlet for authorization)

[Dr. Evil]

This...

>
>   
> authservlet
>   
>   
> /secure/*
>   
>

and this

> RequestDispatcher rd =
> request.getRequestDispatcher("/secure/hello.jsp");
> rd.forward(request, response);

were causing a horrible loop.  I didn't realize that Tomcat would run
the servlet mappings on the args to getRequestDispatcher, but it
does.  The solution is simple:  make the url-pattern something else,
like securepages, and then it can serve the files out of the /secure/
directory.

This is going to be a fantasticly useful auth method once I get it all
working.  Yet again, I find that tomcat is enormously powerful and has
a steep learning curve.  The two go together I guess.

Using a servlet for authorization

[Dr. Evil]

I am trying to use a servlet for authorization like this:

There is a servlet called authservlet which checks to see if there is
a valid user object in the session state.  Here is how it is used:

I have a directory called /secure with a bunch of .jsp files in it.

There is a mapping in web.xml:

   
  
authservlet
  
  
/secure/*
  
   

Every time someone tries to request a page like /secure/hello.jsp, the
request is instead handed to authservlet.  That part is working fine.
authservlet gets the request and can decide what to do with it.

The problem is that I am trying to get authservlet to pass the request
back to the jsp by doing something like this:

RequestDispatcher rd =
request.getRequestDispatcher("/secure/hello.jsp");
rd.forward(request, response);

where in this case I have hard-coded in hello.jsp as the target, just
for testing (obviously I will replace this with something which looks
at what the real url is).

The problem is, when I then try to load /secure/hello.jsp, it looks
like the server goes into an infinite loop.  It never returns the page
and I end up with a bunch of catalina processes running, which I have
to kill -9 to get rid of.

I'm sure I'm making some simple mistake here.  Any sugestions?

Thanks