Re: suppressing white space in jsps

2001-08-22 Thread Johannes Lehtinen

On Wed, 22 Aug 2001 [EMAIL PROTECTED] wrote:

> Is there any way to suppress the whitespace that is output by jsp's in
> Tomcat/Catalina?  I have a simple jsp that generates a .csv, and sets the
> HTTP headers so that it opens in Excel (intranet app).  Even with cramming
> all the jsp intro stuff on one line, I still end up with one blank line as
> the first line of output.  (actually, one newline code).

I have been using two approaches when producing output formats where extra
newlines are not allowed.

Either I leave them inside tags like...

  <%@ whatever...
  %><%@ whatever..
  %>Here goes the first line of output

...or using comments like...

  <%@ whatever... %><%--
  --%><%@ whatever... %><%--
  --%>Here goes the first line of output

I have to admit this is not very elegant so I would be happy to know of
any cleaner alternatives.

--
Johannes Lehtinen [EMAIL PROTECTED], http://www.iki.fi/jle/




Re: Multiple Url Patterns

2001-08-21 Thread Johannes Lehtinen

On Tue, 21 Aug 2001, Jonathan Holloway wrote:

> My problem is that I need to access exactly the same servlet but using
> a different url pattern.
...
> Is it possible to deploy a servlet under two patterns. i.e. as follows

Does it matter if you get two instances of the same servlet? If two
instances are ok then you can include two <servlet>...</servlet> sections
using the same servlet-class but different servlet-name and map these to
two different URLs.

The Deployment Descriptor DTD seems to allow only one url-pattern in
servlet-mapping (reading the servlet 2.2 spec).

--
Johannes Lehtinen [EMAIL PROTECTED], http://www.iki.fi/jle/




Re: Running Tomcat as a nonprivileged user

2001-08-18 Thread Johannes Lehtinen

On Sat, 18 Aug 2001, Pier P. Fumagalli wrote:

> > I am starting the Tomcat from /etc/rc.d/init.d/tomcat script (using it in
> > stand-alone mode) using exec su -c $TOMCAT_HOME/bin/startup.sh tomcat.
>
> Seems all right for me, apart the exec command... But it really depends on
> how you installed your RC script.

That's true, the exec is really not required. It is probably a remainder
from my earlier setups. I also left out the input/output redirection.

> Can I include it in the docs for TC4.0? With the obvious modifications, of
> course :) :) :)

Sure, it is much more convenient to point people to official docs than
resending old e-mails around :)

--
Johannes Lehtinen [EMAIL PROTECTED], http://www.iki.fi/jle/




Running Tomcat as a nonprivileged user

2001-08-17 Thread Johannes Lehtinen

On Fri, 17 Aug 2001, Doug Sparling wrote:

> > I personally would never run a web app as root just
> > for the black hole of security issues dealing with the outside internet.
>
> Do you create a 'tomcat' user? I'm assuming
> permissions or owner must be changed under
> /usr/local/jakarta-tomcat

I am running Tomcat 3.2.3 as a 'tomcat' user in a 'tomcat' group. By
default, I have made all files owned by root and made them world-readable
(not writable) using something like this (as root)

  cd .../jakarta-tomcat-3.2.3
  chown -R root:root .
  chmod -R go= .
  find . -perm -100 -exec chmod go+x \{\} \;
  find . -perm -400 -exec chmod go+r \{\} \;

Then I have done the following changes (as root).

  cd .../jakarta-tomcat-3.2.3
  mkdir logs ; chown tomcat logs ; chmod 755 logs
  mkdir work ; chown tomcat work ; chmod 755 work
  cd conf
  touch iis_redirect.reg-auto
  chown tomcat iis_redirect.reg-auto
  touch mod_jk.conf-auto
  chown tomcat mod_jk.conf-auto
  touch obj.conf-auto
  chown tomcat obj.conf-auto
  touch tomcat-apache.conf
  chown tomcat tomcat-apache.conf
  touch uriworkermap.properties-auto
  chown tomcat uriworkermap.properties-auto

If you use conf/tomcat-users.xml for authentication (not really a good
idea if you have anything dynamic there), you most probably want to do

  chown tomcat tomcat-users.xml ; chmod 400 tomcat-users.xml

Depending on the level of paranoia you might want to do the same to some
other configuration files as well.

Note 1: You might not want to make the 'logs' directory world-readable,
again depending on the desired local security level.

Note 2: You could also place the modifiable tomcat owned directories/files
to a different location in a file system and use symbolic links in
jakarta-tomcat-3.2.3 (or tweak configuration) for clarity (I have logs ->
/var/log/tomcat, for example).

The webapps have been installed as root owned, world-readable files. I
extract them by hand (doing cd webapps ; mkdir foobar ; jar xf
../foobar.war as root). None of my webapps need write access to
anywhere else than /tmp.

I am starting the Tomcat from /etc/rc.d/init.d/tomcat script (using it in
stand-alone mode) using exec su -c $TOMCAT_HOME/bin/startup.sh tomcat.

I hope I didn't forget anything. This works for me on a production server.
The procedure to run Tomcat as a nonprivileged user should really be
better documented because no-one runs (well, should not run IMO) it as a
root-owned daemon in a production environment.


Best regards,

--
Johannes Lehtinen [EMAIL PROTECTED], http://www.iki.fi/jle/
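An added example, not from the original posts: a POSIX sh audit that checks an installed tree against the ownership/permission layout described in the message above. It assumes the tree root is passed as the first argument, that everything outside the paths the posting hands to the 'tomcat' user belongs to one expected owner (root unless a second argument says otherwise), and the function name audit_tomcat_perms is my own.

```shell
#!/bin/sh
# Added example (not from the original posts): audits an installed Tomcat tree
# against the ownership/permission layout described above.
#   audit_tomcat_perms <tomcat-root> [expected-owner]
# Prints one "KIND path" line per violation; exit status is the violation count.
# Assumes only the paths the posting chowns to 'tomcat' may have another owner.

audit_tomcat_perms() (
  root="$1"
  owner="${2:-root}"
  # Paths deliberately handed to the service user in the posting above.
  allow='^\./(logs|work|conf/(iis_redirect\.reg-auto|mod_jk\.conf-auto|obj\.conf-auto|tomcat-apache\.conf|uriworkermap\.properties-auto|tomcat-users\.xml))(/|$)'

  cd "$root" || exit 99

  viol=$(
    # 1. chmod -R go= followed by go+x/go+r re-adds only read/exec, so
    #    nothing in the tree may be writable by group or others.
    find . \( -perm -g+w -o -perm -o+w \) -print | sed 's/^/WRITABLE /'
    # 2. Everything outside the allow-list must belong to the expected owner.
    find . ! -user "$owner" -print | grep -Ev "$allow" | sed 's/^/OWNER /'
    # 3. tomcat-users.xml holds credentials: chmod 400 means no g/o read.
    if [ -e conf/tomcat-users.xml ]; then
      find conf/tomcat-users.xml \( -perm -g+r -o -perm -o+r \) -print |
        sed 's/^/READABLE /'
    fi
  )

  if [ -n "$viol" ]; then
    printf '%s\n' "$viol"
  fi
  exit "$(printf '%s\n' "$viol" | awk 'NF { n++ } END { print n + 0 }')"
)
```

Run it after the chown/chmod steps and again after any upgrade or hot deploy; a non-zero exit means something the service account should not own or write has crept into the tree.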




Problem with security constraints on /

2001-08-16 Thread Johannes Lehtinen


Hello, Tomcat users!

Earlier this week I stumbled on the following problem. I already found a
solution to it but I am still not sure whether I had misconfigured things
or whether this is a Tomcat bug that should be filed (didn't find an
existing record). Could someone with more expertise confirm if the
following is correct behaviour according to servlet standard (short
explanation would be nice in that case). I am using Tomcat 3.2.3.

I have a servlet mapped to / (within its application context) and I have
restricted the access to / using the following webapp definition.


- clip -
  <servlet>
    <servlet-name>sms-dispatcher</servlet-name>
    <servlet-class>fi.rossum.bg.sms.SMSDispatcher</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>sms-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sms-dispatcher</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>smscore</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>smscore</realm-name>
  </login-config>
- clip -


However, when I point my browser at http://127.0.0.1:8080/smsdispatcher/
Tomcat lets me in without basic authentication! Now, when I do the
following modification...


- clip -
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>sms-dispatcher</web-resource-name>
-      <url-pattern>/</url-pattern>
+      <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>smscore</role-name>
- clip -
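Review bot: the url-pattern inside the security-constraint has to cover the same URL space the servlet-mapping actually serves. In the hunk, the removed "/" left the context root reachable without BASIC authentication in the configuration shown, while the added "/*" is the path-prefix form that applies the constraint to every request path in the context, which is why credentials are then demanded. When a servlet is mapped at "/", protect it with "/*" in the constraint and confirm the change by requesting the context root without credentials and checking for the 401 challenge.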


...everything starts working as expected and I have to provide a user name
and password. Is this really how it is supposed to work?

Thanks for clarifications!

--
Johannes Lehtinen [EMAIL PROTECTED], http://www.iki.fi/jle/