wwwrun user on UnitedLinux 1.0

2003-06-19 Thread Hayo Schmidt
I have installed an Apache Tomcat/4.1.24-LE-jdk14 on a UnitedLinux 1.0 
(UL) system (which is very similar to SuSE Linux 8.x).
UL contains a Tomcat 4.0 distribution. UL also has a custom startup 
script /etc/init.d/tomcat. The script starts Tomcat as user wwwrun:
su wwwrun -c "$TOMCAT_HOME/bin/startup.sh" 
I shot myself in the foot by adapting this startup script to Tomcat 4.1 
(see below). Everything seemed to work fine, until the "Tomcat 
Administration" webapp failed. (It could not deploy struts.jar.) 
Running as root everything works fine - so far.

What's the point?
-
SuSE should have a reason for using a wwwrun user instead of root. Is it 
a possible vulnerability for Tomcat to run as user root?
We will use Tomcat in a production environment.
If somebody has a working script for UL and Tomcat41, please let me 
know. References to documentation are also welcome.

Hayo Schmidt

-

#! /bin/sh
# Copyright (c) 1995-2001 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany.
#
# Author: Rolf Haberrecker <[EMAIL PROTECTED]>
# Adaptiert: hys 2003-05-16
#
# /etc/init.d/tomcat41
#
#   and its symbolic link
#
# /usr/sbin/rctomcat41
#
# System startup script for the Tomcat servlet container
#
### BEGIN INIT INFO
# Provides: tomcat41
# Required-Start: $local_fs $remote_fs
# X-UnitedLinux-Should-Start: $named $syslog $time $network
# Required-Stop:  $local_fs $remote_fs
# X-UnitedLinux-Should-Stop: $named $syslog $time $network
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
# Short-Description: Tomcat Servlet Container Version 4.1
# Description:    Start Tomcat 4.1 to allow Java server pages
### END INIT INFO
CATALINA_HOME=/usr/java/tomcat
test -d $CATALINA_HOME/bin || exit 5
# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear local rc status (overall remains)
#      rc_exit          exit appropriate to overall rc status
. /etc/rc.status
# First reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.
case "$1" in
start)
echo -n "Starting Tomcat"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
	# NOTE: startproc return 0, even if service is
	# already running to match LSB spec.
	ps -aux --cols 1024 >/var/tmp/tomcat.ps.log
	if grep "/usr/java/tomcat/temp org.apache.catalina.startup.Bootstrap" \
	    /var/tmp/tomcat.ps.log >/dev/null 2>/dev/null ; then
	    rc_failed 0
	else
	    chown -R wwwrun:root $CATALINA_HOME/logs $CATALINA_HOME/work
	    # stdout and stderr into the same file: 2>&1, not a second open of the file
	    su wwwrun -c "$CATALINA_HOME/bin/startup.sh" >/var/log/tomcat.log 2>&1
	    #su root -c "$CATALINA_HOME/bin/startup.sh" >/var/log/tomcat.log 2>&1
	    sleep 1
	    #hys
	    chgrp root "$CATALINA_HOME/conf/tomcat-users.xml"
	    ps -aux --cols 1024 >/var/tmp/tomcat.ps.log
	    if grep "/usr/java/tomcat/temp org.apache.catalina.startup.Bootstrap" \
	        /var/tmp/tomcat.ps.log >/dev/null 2>/dev/null ; then
	        rc_failed 0
	    else
	        rc_failed 7
	    fi
	fi
	rm -f /var/tmp/tomcat.ps.log
	rc_status -v
	;;
stop)
	echo -n "Shutting down Tomcat"
	## Stop daemon with killproc(8) and if this fails
	## set echo the echo return value.
	ps -aux --cols 1024 >/var/tmp/tomcat.ps.log
	if grep "/usr/java/tomcat/temp org.apache.catalina.startup.Bootstrap" \
	    /var/tmp/tomcat.ps.log >/dev/null 2>/dev/null ; then
	    su wwwrun -c "$CATALINA_HOME/bin/shutdown.sh" >/var/log/tomcat.log 2>&1
	    #su root -c "$CATALINA_HOME/bin/shutdown.sh" >/var/log/tomcat.log 2>&1
	    sleep 12
	    ps -aux --cols 1024 >/var/tmp/tomcat.ps.log
	    if grep "/usr/java/tomcat/temp org.apache.catalina.startup.Bootstrap" \
	        /var/tmp/tomcat.ps.log >/dev/null 2>/dev/null ; then

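The privilege split the SuSE script is reaching for is worth making explicit: with the JVM running as wwwrun, a compromised webapp can only modify what wwwrun can write, so wwwrun should own logs/, work/ and temp/ and nothing else, while conf/ (server.xml, tomcat-users.xml) stays root-owned and read-only for it; running as root removes that boundary entirely. The script below is an added example, not code from the thread or from SuSE. It audits exactly that split and locates the running JVM with pgrep instead of the `ps -aux > /var/tmp/tomcat.ps.log; grep` pair in the posted script (a fixed-name file written by root in world-writable /var/tmp is a symlink target, and the fixed name races between concurrent runs). CATALINA_HOME and the user name follow Hayo's script; the directory layout of a Tomcat 4.1 installation is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the root/wwwrun privilege split
# of a Tomcat 4.1 CATALINA_HOME and locate the running JVM without a temp file.
# Paths follow Hayo's init script; the directory layout is an assumption.

CATALINA_HOME="${CATALINA_HOME:-/usr/java/tomcat}"
TOMCAT_USER="${TOMCAT_USER:-wwwrun}"

# writable_by FILE USER
# Exit 0 if USER may write FILE according to the owner/group/other bits.
# Only those bits are examined: ACLs are ignored, and root bypasses them
# entirely, which is the reason not to run the container as root.
writable_by() {
    file=$1
    user=$2
    owner=$(stat -c %U "$file") || return 1
    group=$(stat -c %G "$file")
    perm=$(stat -c %a "$file")
    perm=${perm#"${perm%???}"}            # keep the last three octal digits
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$perm" | cut -c1)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        bit=$(printf '%s' "$perm" | cut -c2)
    else
        bit=$(printf '%s' "$perm" | cut -c3)   # also reached for unknown users
    fi
    [ $((bit & 2)) -ne 0 ]
}

# audit_layout HOME USER
# Prints one line per violation; returns the number of violations (0 = clean).
audit_layout() {
    home=$1
    user=$2
    bad=0
    # conf/ must stay read-only for the runtime user: a compromised webapp that
    # can edit tomcat-users.xml or server.xml owns the container.  Tomcat still
    # has to read these files, so root-owned, group = the runtime user's group,
    # mode 0640 is the usual shape (the chgrp root in the original script does
    # not give wwwrun read access by itself).
    for f in "$home/conf" "$home"/conf/*; do
        [ -e "$f" ] || continue
        if writable_by "$f" "$user"; then
            echo "writable by $user: $f"
            bad=$((bad + 1))
        fi
    done
    # logs/, work/ and temp/ must be writable by the runtime user, or
    # startup.sh fails; nothing else under CATALINA_HOME needs to be.
    for d in logs work temp; do
        [ -d "$home/$d" ] || continue
        if ! writable_by "$home/$d" "$user"; then
            echo "not writable by $user: $home/$d"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# tomcat_pids USER
# PIDs of Bootstrap JVMs owned by USER.  pgrep matches the full command line
# (-f) and filters by owner (-u), so no "ps > /var/tmp/tomcat.ps.log" file is
# needed: a fixed-name file written by root in world-writable /var/tmp is a
# symlink target, and the fixed name races between concurrent invocations.
tomcat_pids() {
    pgrep -u "$1" -f 'org.apache.catalina.startup.Bootstrap'
}

# Stand-alone use: "sh tomcat-audit.sh audit" checks the live installation.
# A non-zero exit is the violation count, usable as an init script's rc_failed.
if [ "${1:-}" = "audit" ]; then
    audit_layout "$CATALINA_HOME" "$TOMCAT_USER"
    exit $?
fi
```

The test for the init script then becomes `tomcat_pids "$TOMCAT_USER"` returning something, and the ownership step reduces to `chown -R wwwrun "$CATALINA_HOME/logs" "$CATALINA_HOME/work" "$CATALINA_HOME/temp"` rather than anything under conf/.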
Where to place the tomcat distribution in file system

2003-06-23 Thread Hayo Schmidt
Neil Zanella schrieb:

[...]

This sets CATALINA_HOME correctly according to the current installation of 
tomcat4 under /var/tomcat4 (whose correctness according to FHS I am not
yet convinced of).
 

What's the official recommendation?

The RedHat rpm, which BTW is not marked as RedHat in jakarta download 
area, installs in /var/tomcat4. UnitedLinux 1.0 installs in 
/opt/jakarta/tomcat. I thought it would be a good idea to install in 
/usr/java/tomcat.

Hayo

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: Where to place the tomcat distribution in file system

2003-06-25 Thread Hayo Schmidt
The different locations make it difficult to understand systems other 
people have set up.  And that wastes time.

This obviously is a general problem of Linux.

Hayo

John Turner schrieb:

I don't think there is an official recommendation.  I put anything 
unrelated to the official OS distribution under /usr/local, but that's 
me.

John

On Mon, 23 Jun 2003 15:25:14 +0200, Hayo Schmidt <[EMAIL PROTECTED]> wrote:

Neil Zanella schrieb:

[...]

This sets CATALINA_HOME correctly according to the current 
installation of tomcat4 under /var/tomcat4 (whose correctness 
according to FHS I am not
yet convinced of).


What's the official recommendation?

The RedHat rpm, which BTW is not marked as RedHat in jakarta download 
area, installs in /var/tomcat4. UnitedLinux 1.0 installs in 
/opt/jakarta/tomcat. I thought it would be a good idea to install in 
/usr/java/tomcat.

Hayo



Re: Where to place the tomcat distribution in file system

2003-06-26 Thread Hayo Schmidt
I have a folder C:\Programme and a folder C:\Program Files on
my Windows system, just because some installers are not programmed
correctly.
The point is, I can do what I like with my personal system. But I am
working together with colleagues and clients, I might use several
systems (FreeBSD, SuSE, Mandrake, Debian...) that members of my computer
club (http://www.hmh-ev.de) have set up. And all people can do what they
like on their systems.
Having an official *recommendation*, just that, would make life much
easier than it is now.
Yes, standards make life easier.

Hayo

Jason Bainbridge schrieb:

On Wed, 25 Jun 2003 17:09, Hayo Schmidt wrote:

The different locations make it difficult to understand systems other
people have set up.  And that wastes time.
This obviously is a general problem of Linux.


I hate statements like that... What about the fact that one of the first 
options within just about any Windows based installset is to select the 
location you wish to install to? I've seen C:\Program Files\, D:\Program 
Files and even on E:... 

So it's a quirk of human nature not of any O/S related problem, different 
people like different things so they do things differently. :)

At least on Linux normal users are restricted to their Home directory so they 
can't muck up the actual filesystem without knowing at least a little about 
what they are doing...

 







realm-howto.html JNDI OpenLDAP example does not work for me

2003-07-28 Thread Hayo Schmidt
I am not able to get the example in 
tomcat-docs/realm-howto.html#JNDIRealm to run as is.

First I tried to create the LDIF files and import them into OpenLDAP2. 
This did not work (some error messages I can't remember). Probably the 
example itself is wrong, probably I had been copy/pasting some 
non-printing characters into the example, or trailing spaces or 
whatever. I don't know. There should have been the LDIF sources for 
download to avoid these useless problems.

Then I tried to build the directory with a tool called JXplorer. This 
did not work, because it is not possible to set uid to a 'naming value' 
with the tool. Obviously because uid is not defined as mandatory (MUST) 
in the schema file.

After getting around all this by building my own subclass it still does 
not work. The example tells me to set up the JNDIRealm like this:

<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://localhost:389"
   userPattern="uid={0},ou=people,dc=mycompany,dc=com"
   roleBase="ou=groups,dc=mycompany,dc=com"
   roleName="cn"
   roleSearch="(uniqueMember={0})"
/>
As I said, no positive result. But when I set up the JNDIRealm as follows
<Realm className="org.apache.catalina.realm.JNDIRealm"
   connectionURL="ldap://localhost:389"
   roleBase="ou=people,dc=mycompany,dc=com"
   roleName="cn"
   roleSearch="(uniqueMember={0})"
   userBase="ou=users,dc=mycompany,dc=com"
   userSearch="(uid={0})"
/>
the thing works.
I had to read a book about LDAP (LDAP System Administration, O'Reilly), 
and experiment a lot. I had to convert from a dumb newbie to an LDAP 
expert, just to get this simple example to work.
A good HOW-TO should provide examples running instantly. This HOW-TO 
consumed many days of my valuable working time.

Hayo Schmidt





Re: JNDIRealm: Authentication Failing

2003-07-28 Thread Hayo Schmidt
Is 'mail' the naming value?
This means, if you export to an ldif file you should find a line
dn: [EMAIL PROTECTED],ou=People,dc=tritus,dc=ca
Hayo Schmidt

Adam Sherman schrieb:

I am trying to get JNDIRealm to authenticate against my LDAP tree:

<Realm className="org.apache.catalina.realm.JNDIRealm"
   debug="200"
   connectionURL="ldap://localhost:389"
   userBase="ou=People,dc=tritus,dc=ca"
   userSearch="(mail={0})"
   roleBase="ou=Groups,dc=tritus,dc=ca"
   roleName="cn"
   roleSearch="(member={0})"
/>
Using a user I can authenticate with the OpenLDAP CLI tools:
2003-07-27 13:44:06 JNDIRealm[Standalone]:   Searching for [EMAIL PROTECTED]
2003-07-27 13:44:06 JNDIRealm[Standalone]:   base: 
ou=People,dc=tritus,dc=ca filter: ([EMAIL PROTECTED])
2003-07-27 13:44:06 JNDIRealm[Standalone]:   entry found for 
[EMAIL PROTECTED] with dn uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   validating credentials by 
binding as the user
2003-07-27 13:44:06 JNDIRealm[Standalone]:   binding as 
uid=adam,ou=People,dc=tritus,dc=ca
2003-07-27 13:44:06 JNDIRealm[Standalone]:   bind attempt failed
2003-07-27 13:44:06 JNDIRealm[Standalone]: Username [EMAIL PROTECTED] NOT 
successfully authenticated
The lookup functions correctly, but binding fails. Even though I know 
the user can bind.
Info:
Tomcat 4.1.24, OpenLDAP 2.1.x
Any ideas?
A.






Re: Tomcat Using Log4J ?

2003-08-25 Thread Hayo Schmidt
Bottom line is that, if you want Log4j logging to work properly, make sure 
log4j.jar is in WEB-INF/lib.
I had unwanted debugging output from org.apache.commons.Digester and org.apache.commons.Digester.sax that made it impossible to continue to work. Every time I started Tomcat I had to wait 10 minutes for the initialization of a tag library, because of that crap debug output.

This was the solution indeed. Thanks.

Hayo

Jacob Kjome schrieb:

Quoting Lukas Bradley <[EMAIL PROTECTED]>:

 

Does Tomcat 4.1.24 initialize a Log4J instance?  It seems as if something
is stepping on my Log4J properties, and I don't know where it is.  The first
thing my application does is start the plugin, but here is my log:

It's actually Commons Digester.  When I set it to a DEBUG level, it goes
CRAZY on the log.
Is there any way to ensure that my log properties get set before Digester
starts?

That Depends.  Where do you have Log4j; in common/lib, WEB-INF/lib, or both?  
Is digester in your WEB-INF/lib or is it Tomcat's copy of digester which reads 
the server.xml and other xml config files?  Note that the trouble is usually 
the fault of commons-logging which messes things up significantly.  Do you have 
commons-logging in your WEB-INF/lib?

Bottom line is that, if you want Log4j logging to work properly, make sure 
log4j.jar is in WEB-INF/lib.  Then, nothing else will step on your 
configuration except for, possibly, other 3rd party libraries in WEB-INF/lib 
that perform Log4j configuration (which is a big no, no...general libraries 
shouldn't be performing Log4j configuration, they should leave that to your 
application).  Put your config file in WEB-INF/classes for default log4j 
configuration or put it wherever and load it yourself.  I suggest using a 
servlet context listener to load configuration upon startup.

Anyway, until you detail the setup of your application, I can't tell you much 
more.

BTW, you really should remove Xerces from WEB-INF/lib.  This should be loaded 
from common/lib.  The explanation has been detailed on the list many times 
before so I won't go into it.

Jake

 

Lukas



 





How do i handle session-timeout in an acceptable manner?

2003-10-01 Thread Hayo Schmidt
I have built a web application on Tomcat 4.1.18. The application is 
running over an HTTPS connection. session-timeout is configured and works 
so far. But I am absolutely not satisfied with what happens when a 
timeout occurs.
The web application is configured for form based authentication. When 
the connection has timed out, the user is presented the login page on 
his next action. And all data saved with the session are lost. 
Fine - I could live with that.

But what happens in a real case:
- The user waits too long - timeout.
- The user pushes an INPUT type="submit" and creates a POST operation.
- Tomcat redirects to the login page.
- The user logs in.
- Tomcat redirects to the original target of the POST operation, but it 
does so as a GET operation.
Alternative 1:
- My application does not allow GET operations at this place ==> 
Application Error.
Alternative 2:
- The application allows the vulnerable GET operation, but the button 
that was pushed is not passed anymore ==> Application Error.

Now what can I do? I must intercept the session timeout to do an 
operation. Or I should be able to determine that the current request is 
the first after a timeout. The way my application currently crashes is 
not acceptable.

Hayo Schmidt



Re: How do i handle session-timeout in an acceptable manner?

2003-10-02 Thread Hayo Schmidt
The problem with your solution is that the application does not know 
where to continue after the login page. This will result in an error.

I have implemented this workaround:

    protected void doGet(
            HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse)
            throws ServletException, IOException {
        String reqURI = httpServletRequest.getRequestURI();
        if (reqURI.indexOf("/actions/") != -1) {
            // Calling of 'actions' via GET is not allowed
            String referer = httpServletRequest.getHeader("referer");
            // Referer is client-supplied and may be missing or forged; here it
            // only selects the error page, the GET is refused in both branches.
            if ((referer != null) && referer.endsWith("/loginpage.jsp")) {
                // if this happens, we probably had a time-out: the container
                // replayed the POST to the action as a GET after form login
                RequestDispatcher dispatcher =
                    getServletContext().getRequestDispatcher("/timeout_info.jsp");
                dispatcher.forward(httpServletRequest, httpServletResponse);
            } else {
                throw new ServletException("Action forbidden.");
            }
        } else {
            // Call shared, standard request processing code.
            processRequest(httpServletRequest, httpServletResponse);
        }
    }

What it does: if there is a GET call to a URL that should be called via 
POST, and the referer is the login page, then forward the request to 
some kind of informational message.

Of course there can't be any guarantee this works with coming versions 
of Tomcat. So I would like to have a general solution.

Hayo Schmidt

-

Shapira, Yoav wrote:

Howdy,
Here's an idea: add an HTML META refresh tag to each page whose redirect
URL is the login page and whose timeout is the session timeout less a
few seconds.  That way the user will get redirected to the login page
before the session timeout -- they won't be able to press the submit
button.
Yoav Shapira
Millennium ChemInformatics
 

-Original Message-
From: Hayo Schmidt [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 11:16 AM
To: Tomcat Users List
Subject: How do i handle session-timeout in an acceptable manner?
I have built a web application on Tomcat 4.1.18. The application is
running over an HTTPS connection. session-timeout is configured and works
so far. But I am absolutely not satisfied with what happens when a
timeout occurs.
The web application is configured for form based authentication. When
the connection has timed out, the user is presented the login page on
his next action. And all data saved with the session are lost.
Fine - I could live with that.
But what happens in a real case:
- The user waits too long - timeout.
- The user pushes an INPUT type="submit" and creates a POST operation.
- Tomcat redirects to the login page.
- The user logs in.
- Tomcat redirects to the original target of the POST operation, but it
does so as a GET operation.
Alternative 1:
- My application does not allow GET operations at this place ==>
Application Error.
Alternative 2:
- The application allows the vulnerable GET operation, but the button
that was pushed is not passed anymore ==> Application Error.
Now what can I do? I must intercept the session timeout to do an
operation. Or I should be able to determine that the current request is
the first after a timeout. The way my application currently crashes is
not acceptable.
Hayo Schmidt



 




Re: How do i handle session-timeout in an acceptable manner?

2003-10-08 Thread Hayo Schmidt
Shapira, Yoav schrieb:

I have implemented this workaround:
 

As for this workaround, why wouldn't it work with future tomcat
versions?  There's nothing tomcat-specific in it, much less tomcat
4.1.x-specific.
Yoav Shapira

 

A different servlet engine could use a POST instead of a GET to continue 
processing after form based login. Then my solution would not work.

Hayo Schmidt



Re: JNDIRealm using LDAP with SSL

2003-10-24 Thread Hayo Schmidt
Did you solve your problem? I can't get the whole thing to run.

Are you really able to use *ldaps* in the connectionURL? On my system I 
get the following error:
"LifecycleException:  Exception opening directory server connection:  
javax.naming.NamingException:
Cannot parse url: ldaps://localhost:636 [Root exception is 
java.net.MalformedURLException: Not an LDAP URL: ldaps://localhost:636]"

If I just use ldap://localhost:636 I get this:
"LifecycleException:  Exception opening directory server connection:  
javax.naming.CommunicationException: Request: 1 cancelled"

Neither really helps defend against network sniffers stealing user 
data.

Hayo Schmidt

Chris Egolf schrieb:

Does anyone have any experience getting ldaps working w/ the 
JNDIRealm in Tomcat 4.1.24?  Regular LDAP is working fine, but when I 
change the connection URL to ldaps://:636 I get the 
following error:

2003-07-28 09:40:49 JNDIRealm[Standalone]: Connecting to URL 
ldaps://10.1.1.50:636
2003-07-28 09:40:50 JNDIRealm[Standalone]: Exception performing 
authentication
javax.naming.CommunicationException: simple bind failed: 10.1.1.50:636 
[Root exception is javax.net.ssl.SSLException: Connection has been 
shutdown: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: No trusted certificate found]

My Realm element in server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
   resourceName="UserDatabase"
   connectionURL="ldaps://10.1.1.50:636"
   connectionName="cn=TOMCAT,ou=WebAppUser,ou=MyOU,o=MyCompany"
   connectionPassword="password"
   userBase="o=MyCompany"
   userSearch="(&(cn={0})(objectClass=inetOrgPerson))"
   userSubtree="true"
   roleBase="ou=WebAppGrp,ou=MyOU,o=MyCompany"
   roleSearch="(uniqueMember={0})"
   roleName="cn"
/>

Like I said, this works if connectionURL="ldap://10.1.1.50:389".  I 
can connect to the LDAP server (Novell eDirectory) via SSL using a 
Java browser if I accept the certificate, so I wonder if that might 
have something to do with it.

I've also successfully followed the Config-SSL-HOWTO, accepted the 
certificate from the server and setup the keystore for the connector 
as described, but I get the feeling that this is strictly for enabling 
SSL over HTTP.

Thanks in advance.

Chris




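Chris's `No trusted certificate found` comes from the JVM's own trust store, not from Tomcat: the realm's ldaps connection is an outbound JSSE socket, and the keystore set up per Config-SSL-HOWTO only serves Tomcat's HTTPS connector. The JVM has to be given a trust store that contains the eDirectory server certificate or its issuing CA, and Tomcat 4.1's catalina.sh passes `CATALINA_OPTS` to the JVM, which is where `-Djavax.net.ssl.trustStore` goes. The example below is added here and is not code from the thread. It pulls the chain with `openssl s_client -showcerts`, picks one certificate out of it, and imports it with keytool; the trust store path, alias and password are assumptions, and the s_client transcript embedded for offline use is constructed, with placeholder certificate bodies. Nothing contacts a server unless `fetch_chain` is called.

```shell
#!/bin/sh
# Added example (not from the thread): give Tomcat's JVM a trust anchor for
# the LDAP server so JNDIRealm can use ldaps://.  Host and port follow
# Chris's message; trust store path, alias and password are assumptions.
LDAP_HOST="${LDAP_HOST:-10.1.1.50}"
LDAP_PORT="${LDAP_PORT:-636}"
TRUSTSTORE="${TRUSTSTORE:-/etc/tomcat/ldap-truststore.jks}"   # assumption
TRUSTPASS="${TRUSTPASS:-changeit}"                              # assumption

# fetch_chain HOST PORT
# Print the PEM chain the server presents.  </dev/null ends the session right
# after the handshake; -showcerts prints every certificate, server cert first.
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}

# cert_count: number of certificates in the PEM text read from stdin.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# nth_cert N
# Print only the N-th certificate (1 = the server's own, the last one is the
# highest CA in the chain the server sent).  Prefer importing the issuing CA
# when the server sends one; a self-signed server cert is imported as itself.
nth_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# import_trusted PEMFILE ALIAS
# Add the certificate as a trust anchor to a dedicated trust store, rather
# than editing $JAVA_HOME/jre/lib/security/cacerts, which a JDK update
# replaces.  The JVM then needs, via CATALINA_OPTS in Tomcat 4.1:
#   -Djavax.net.ssl.trustStore=$TRUSTSTORE
#   -Djavax.net.ssl.trustStorePassword=$TRUSTPASS
import_trusted() {
    keytool -import -noprompt -trustcacerts -alias "$2" -file "$1" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTPASS"
}

# Constructed s_client-style transcript with placeholder certificate bodies
# (not real certificates), so the parsing functions can be exercised offline.
SAMPLE_S_CLIENT='CONNECTED(00000003)
---
Certificate chain
 0 s:/O=MyCompany/CN=ldap
   i:/O=MyCompany/CN=Org CA
-----BEGIN CERTIFICATE-----
MIIBEXAMPLESERVERCERTIFICATEBODYNOTAREALCERTIFICATE000000000000000
-----END CERTIFICATE-----
 1 s:/O=MyCompany/CN=Org CA
   i:/O=MyCompany/CN=Org CA
-----BEGIN CERTIFICATE-----
MIIBEXAMPLECACERTIFICATEBODYNOTAREALCERTIFICATE0000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=/O=MyCompany/CN=ldap
issuer=/O=MyCompany/CN=Org CA
---
'

# Stand-alone: "sh ldaps-trust.sh" fetches the chain and imports the last
# certificate in it (the CA if the server sends one) under alias "ldap-ca".
if [ "${1:-}" = "import" ]; then
    chain=$(fetch_chain "$LDAP_HOST" "$LDAP_PORT")
    n=$(printf '%s\n' "$chain" | cert_count)
    printf '%s\n' "$chain" | nth_cert "$n" > "$LDAP_HOST.pem"
    import_trusted "$LDAP_HOST.pem" ldap-ca
fi
```

After the import, `keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTPASS"` should show the alias, and the realm's `Connecting to URL ldaps://...` line should no longer be followed by the ValidatorException.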