Tomcat 4.0.3: security-constraint error in web.xml
Dear all, we actually have this very boring problem on Tomcat 4.0.3 (why not yet upgraded? customer requirements): We want to restrict the access at our application on HTTPS port only. after many unsuccesful tests, we added, for testing purpose, these following lines (which we believe to be the minimal configuration for achieving security) to our web.xml file: security-constraint web-resource-collection web-resource-name Tutta IPMS /web-resource-name /web-resource-collection /security-constraint Unfortunately, at startup Tomcat refuses the above lines saying, in its log file catalina.out : org.xml.sax.SAXParseException: The content of element type web-app must match (icon?,display-name?,description?,distributable?,context-param*,servlet*,se rvlet-mapping*,session-config?,mime-mapping*,welcome-file-list?,error-page*, taglib*,resource-ref*,security-constraint*,login-config?,security-role*,env- entry*,ejb-ref*) What's wrong? Any hint? Very Thanks in advance for your help. Tito Santini - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat - PERL problem.
Dear all, I'm currently having this strange problem with Tomcat 4.0.3 (running on Solaris) and a CGI program written in PERL. The program outputs some HTML lines, and everything goes OK until the HTML page is small. When the page grows up, i.e inserting SELECT field with 100 options, Tomcat stops responding. The UNIX ps command shows: user1 12838 12310 0 16:14:45 pts/50:00 /usr/local/bin/perl /usr/local/jakarta-tomcat-4.0.3/webapps/my_app/WEB-INF/ user1 12464 12310 0 14:34:56 pts/50:00 /usr/local/bin/perl /usr/local/jakarta-tomcat-4.0.3/webapps/my_app/WEB-INF/ Those processes don't stop running until killed. Any help? Thanks in advance. Tito. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: authenticate with java servlets
Hi,
with tomcat 3.2.1 you may try with:
String strX509 = req.getAttribute(javax.servlet.request.X509Certificate)
Certificate cert = new X509Certificate(strX509.getBytes() );
if it doesn't work, you could try with (as servlet specs says):
Object obj = req.getAttribute(javax.servlet.request.X509Certificate)
Certificate cert = null;
if(obj instanceof String)
{
String strX509 = (String)obj;
cert = new X509Certificate(strX509.getBytes() );
}
else
{
cert = (Certificate)obj;
}
Hope this helps.
Tito.
- Original Message -
From: Erki Kriks [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Friday, March 21, 2003 9:42 AM
Subject: authenticate with java servlets
Hello!
I'm using OpenSA (Apache 1.3), Tomcat 3.2.1 and mod_jk.
For SSL i red that ajp13 is needed (not ajp12).
So i get run Tomcat under Apache SSL.
I authenticate user with Apache SSL, but when i read authenticate
variables
then i always get null.
String subject = request.getHeader( CERT_SUBJECT );
String issuer = request.getHeader( CERT_ISSUER );
String issuer = request.getHeader( SSL_CLIENT_CERT );
Specification also says that in httpd.conf ajp13 declarations is needed,
like so:
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
Can anybody expert exactly explain what exactly is needed to read certs
with
java servlets?
Many thanx!
Erki
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_jk.conf and ajp13
Hello, did you uncommented the following lines in server.xml? !-- Apache AJP13 support. This is also used to shut down tomcat. -- Connector className=org.apache.tomcat.service.PoolTcpConnector Parameter name=handler value=org.apache.tomcat.service.connector.Ajp13ConnectionHandler/ Parameter name=port value=8009/ /Connector and your workers.properties has something similar to the following lines: worker.list=ajp12, ajp13 worker.ajp13.port=8009 worker.ajp13.host=localhost worker.ajp13.type=ajp13 worker.loadbalancer.balanced_workers=ajp12, ajp13 Hope this helps. - Original Message - From: Erki Kriks [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Thursday, March 20, 2003 9:49 AM Subject: mod_jk.conf and ajp13 Hello! I want to use ajp13 (not ajp12). I'm using Windows 2000 server and tomcat 3.2.1 I have declared into mod_jk.conf following lines: LoadModule jk_module modules/mod_jk.dll IfModule mod_jk.c JkWorkersFile fill-path-to/workers.properties JkLogFile logs/jk.log JkLogLevel warn JkMount /*.jsp ajp13 JkMount /servlet/* ajp13 JkMount /examples/* ajp13 /IfModule But when tomcat is started then i can see in mod_jk.conf-auto following lines: ... JkMount /*.jsp ajp12 JkMount /servlet/* ajp12 JkMount /examples/servlet/* ajp12 JkMount /examples/*.jsp ajp12 How it is possible? I declared ajp13?? Many thanx! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: mod_jk.conf and ajp13
Hi! I suppose ajp12 is used in tomcat 3.2.1 to shutdown Tomcat, so it's still required. If you're still having trouble, you'd check which mod_jk configuration file is used to configure mod_jk: every time Tomcat restarts, it creates a new auto-config files, which, as you noted, declares to use only ajp12. You should tell httpd-server to use your mod_jk configuration file. (i.e. in Apache, you'd modify the last line of httpd.conf in include /tomcat-MY_mod_jk.conf ) - Original Message - From: Erki Kriks [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Thursday, March 20, 2003 11:08 AM Subject: Re: mod_jk.conf and ajp13 Hi! Thank you for your help! I have the same configuration. But why are you using worker.list=ajp12, ajp13 instead of worker.list=ajp13 , while ajp13 is only required? It's very interesting, all auto-configuration files includes only ajp12 (instead of ajp13)? But nowhere ajp12 is declared, only ajp13 is used :-) Hello, did you uncommented the following lines in server.xml? !-- Apache AJP13 support. This is also used to shut down tomcat. -- Connector className=org.apache.tomcat.service.PoolTcpConnector Parameter name=handler value=org.apache.tomcat.service.connector.Ajp13ConnectionHandler/ Parameter name=port value=8009/ /Connector and your workers.properties has something similar to the following lines: worker.list=ajp12, ajp13 worker.ajp13.port=8009 worker.ajp13.host=localhost worker.ajp13.type=ajp13 worker.loadbalancer.balanced_workers=ajp12, ajp13 Hope this helps. - Original Message - From: Erki Kriks [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Thursday, March 20, 2003 9:49 AM Subject: mod_jk.conf and ajp13 Hello! I want to use ajp13 (not ajp12). I'm using Windows 2000 server and tomcat 3.2.1 I have declared into mod_jk.conf following lines: LoadModule jk_module modules/mod_jk.dll IfModule mod_jk.c JkWorkersFile fill-path-to/workers.properties JkLogFile logs/jk.log JkLogLevel warn JkMount /*.jsp ajp13 JkMount /servlet/* ajp13 JkMount /examples/* ajp13 /IfModule But when tomcat is started then i can see in mod_jk.conf-auto following lines: ... JkMount /*.jsp ajp12 JkMount /servlet/* ajp12 JkMount /examples/servlet/* ajp12 JkMount /examples/*.jsp ajp12 How it is possible? I declared ajp13?? Many thanx! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
UTF-8 help needed -EURO problem.
Hi all, We're actually having the following problem with our application (which runs in IE 6.0, Apache 1.3.19 - Tomcat 3.2.2): the application provides user with a HTML input form that allows him to send text to a JSP in the query string (i.e. it calls http://my_host:my_port/my_jsp?text=user_text ) The JSP then store it into a Database. The problem occours when the user tries to put the euro sign ( '?' == xF2x82xAC) in the text. If, at client-side, we use the (deprecated) javascript function escape ( i.e UNICODE format), Tomcat throws an exception; If, otherwise, we use the javascript 1.5 function encodeURI, Tomcat accepts it, but the JSP reiceives garbage from request.getParameter(text). We found a mail of Larry Isaacs about this problem (19/02/2002), and so we followed the hint to add charset=UTF-8 to the query: http://my_host:my_port/my_jsp;charset-UTF-8?text=user_text but I.E. told us page not found. Then we modify the URI, and tried with : http://my_host:my_port/my_jsp?charset-UTF-8text=user_text but Tomcat interpreted it like any other parameter. Any hints or suggestion? Thanks in advance for your help. Tito Santini - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: UTF-8 help needed -EURO problem.
Hi ,
thanks a lot for your help.
We followed your advice, but we're still having trouble.
Here you are what we did and the results we obtained.
Client side:
1. user inserts into html form the following string : euro .
2. the javascript which manages the form converts, using function
encodeURI, the string in UTF-8 format: string becomes euro%20%E2%82%AC
3. URI is sent to WEB Server.
The HttpServletRequest so becomes :
http:/my_host:my_port/my_jsp.jsp?my_text=euro%20%E2%82%AC
Server Side:
In the bean of the JSP we do:
String my_text =request.getParameter(my_text);
System.out.println(my_text) produces euro ?
then we followed your hint:
byte[] stringBytesISO = my_text.getBytes(ISO-8859-1);
String new_text = new String(stringBytesISO, UTF-8);
Now the dump (done converting the String to a byte[] and then
System.out.println() of every byte of the array) of the String new _text
shows the Euro symbol in the correct UTF-8 format,
i.e. 128,
but when we redo the System.out.println(new_text) we obtain
euro .
We suppose it is only a problem of System.out.println, and so we don't care
about it, the big problem arises when we send back to client the String new
_text to be reshown at the user in a html page.
The user now sees euro in the html page.
At client side we use the function decodeURI() , in the javascript used
for loading the data in the html page.
Any suggestion?
Very Thanks in advance.
Tito.
- Original Message -
From: Andoni [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Wednesday, March 19, 2003 1:15 PM
Subject: Re: UTF-8 help needed -EURO problem.
It's a simple translation:
try{
byte[] stringBytesISO = strTestString.getBytes(ISO-8859-1);
strTestString = new String(stringBytesISO, UTF-8);
}catch(UnsupportedEncodingException
e){System.out.println(e.getMessage());}
Use this to convert strTestString from what is received in the parameter
string into what you put into the database and it should work away without
any other problems.
Andoni.
- Original Message -
From: tito santini [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 19, 2003 11:57 AM
Subject: UTF-8 help needed -EURO problem.
Hi all,
We're actually having the following problem with our application (which
runs
in IE 6.0, Apache 1.3.19 - Tomcat 3.2.2):
the application provides user with a HTML input form that allows him to
send text to a JSP in the query string
(i.e. it calls http://my_host:my_port/my_jsp?text=user_text ) The JSP
then
store it into a Database.
The problem occours when the user tries to put the euro sign ( '?' ==
xF2x82xAC) in the text.
If, at client-side, we use the (deprecated) javascript function escape
(
i.e UNICODE format), Tomcat throws an exception;
If, otherwise, we use the javascript 1.5 function encodeURI, Tomcat
accepts it, but the JSP reiceives garbage from
request.getParameter(text).
We found a mail of Larry Isaacs about this problem (19/02/2002), and so
we
followed the hint to add charset=UTF-8 to the query:
http://my_host:my_port/my_jsp;charset-UTF-8?text=user_text but I.E.
told
us
page not found.
Then we modify the URI, and tried with :
http://my_host:my_port/my_jsp?charset-UTF-8text=user_text
but Tomcat interpreted it like any other parameter.
Any hints or suggestion?
Thanks in advance for your help.
Tito Santini
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to access X509 Certificate?
Hi,
instead of Object,
try with:
String strX509 = new String();
strX509 = (String)
req.getAttribute(javax.servlet.request.X509Certificate);
if( strX509 != null )
{
try
{
byte [] byX509 = strX509.getBytes();
//change with your security provider
iaik.x509.X509Certificate xcUser = new
iaik.x509.X509Certificate(byX509);
Principal prDN = xcUser.getIssuerDN();
Principal prCN = xcUser.getSubjectDN();
}
catch( java.security.cert.CertificateException jc)
{
}
}
Hope this may help.
Tito Santini
NETikos S.p.A.
Via Matteucci, 34 B
56124 PISA - ITALY
Tel.: + 39 050 968 671
Fax: + 39 050 968 626
mailto:[EMAIL PROTECTED]
www.netikos.com
- Original Message -
From: Christoph Ender [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 04, 2001 1:26 AM
Subject: Re: How to access X509 Certificate?
Christoph Ender wrote:
Hey all,
I'm trying to access the certificate that the user has sent to
authenticate himself. I'm using the Tomcat/Apache combo. Apache
correctly
exports the Certificate to the SSL_CLIENT_CERT environment variable,
but
when I try to read javax.servlet.request.X509Certificate, Tomcat
always
returns null. The list of attributes is always empty.
I've uncommented JkHTTPSIndicator HTTPS, JkSESSIONIndicator
SSL_SESSION_ID,
JkCIPHERIndicator SSL_CIPHER, JkCERTSIndicator SSL_CLIENT_CERT and set
JkExtractSSL to On. I'm sure the Ajp13 protocol is used since I've
disabled everything else.
What am I missing here? Any help greatly appreciated!
On Mon, 3 Sep 2001, jean-frederic clere wrote:
What code are you using?
If you're referring to versions:
Tomcat is version 3.2.2, Apache 1.3.20, the servlet jar 2.2b.
In case you're referring how to check for the certificate :-) :
System.out.println(request.isSecure());
System.out.println(request.getProtocol());
System.out.println(request.getScheme());
System.out.println(request.getServerPort());
System.out.println(--- start headernames ---);
enum = request.getHeaderNames();
while (enum.hasMoreElements()) {
thisparameter = (String)enum.nextElement();
System.out.println(thisparameter);
}
System.out.println(--- end headernames --- );
System.out.println(--- start attributenames ---);
enum = request.getAttributeNames();
while (enum.hasMoreElements()) {
thisparameter = (String)enum.nextElement();
System.out.println(thisparameter);
}
System.out.println(--- end attributenames --- );
Object o =
request.getAttribute(javax.servlet.request.X509Certificate);
if (o == null)
System.out.println(request.getAttribute(\javax.servlet.request.X509Certifi
cate\) == null.);
These lines produce the following output:
true
HTTP/1.0
https
443
--- start headernames ---
accept
accept-charset
pragma
accept-encoding
host
accept-language
connection
user-agent
--- end headernames ---
--- start attributenames ---
--- end attributenames ---
request.getAttribute(javax.servlet.request.X509Certificate) == null.
Regards,
Christoph.
Re: Problem with mod_jk
Hi, I have had the same problem, with Apache 1.3.20 and Tomcat 3.2.2. I recompiled Apache with DSO support and the error disappeared. Hope this hint may help you. Tito Santini NETikos S.p.A. Via Matteucci, 34 B 56124 PISA - ITALY Tel.: + 39 050 968 671 Fax: + 39 050 968 626 mailto:[EMAIL PROTECTED] www.netikos.com - Original Message - From: Tomeu BennĂ ssar [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 13, 2001 3:13 PM Subject: Problem with mod_jk Hi: I'm trying to connect Apache 1.3.4 with Tomcat 3.2.2 using mod_jk but I can't do it. I have configured the mod_jk as it is explanied in mod_jk-howto but when I try to restart the Apache server the next error comes out: Syntax error on line 8 of /usr/local/jakarta-tomcat-3.2.2/conf/mod_jk.conf-auto: Invalid command 'LoadModule', perhaps mis-spelled or defined by a module not included in the server configuration on line 8 of mod_jk.conf-auto file I have the next: LoadModule jk_module libexec/mod_jk.so I don't know how to solve it. Could anyone help me, please? Thanks Tomeu
