Re: Problem with security?
Gagnon, Joseph M (US SSA) wrote:
> Did I not say that I'm new to this?
>
> I made no mention to whether or not I was trying to make it secure. This is only meant to be used within my company's intranet and my intention was to take the user account and then compare it with a set of registered users in the application's DB.
>
> I am beginning to see that at the very least I need to create some kind of mechanism (although I don't understand yet how to go about that, or how many different ways it can be done) to perform user authentication.
>
> If anyone can provide information on how to do this (keep in mind I'm new at this), please let me know.

The HttpServletRequest interface gives you the remoteUser() method to determine WHO requested the page. How the server gets this is another story. Basically, some sort of authentication has to take place. Keep in mind that in production people usually place Apache as a front-end, which can have benefits in your case.

There are several mechanisms available for authentication:
- HTTP Basic (both TC and Apache can do this): unencrypted user/pass
- HTTP Digest (both TC and Apache can do this): MD5 digest hashing (secure)
- HTTPS Client Certificate (both TC and Apache can do this)
- HTTP Negotiate (TC cannot do this, Apache needs mod_krb_auth or a similar module, IIS can do it)

"Basic" is supported by all browsers, Digest is not so commonly supported (AFAIK), HTTPS is widely supported. "Negotiate" is intended for MS Active Directory, since it can go with Kerberos V. It requires advanced sys admin skills to set up, but it will give your users the ability to log in to ADS and use those credentials for authentication to your application.

Nix.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
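The missing piece in the original question is that Joe's web.xml declares no security constraint, so Tomcat never challenges the browser and getRemoteUser() stays null. The fragment below is an added example, not a file from the thread or from the Tomcat distribution: a servlet 2.4 WEB-INF/web.xml that turns on one of the container mechanisms listed above. The role name "intranet-user" and the realm name are assumptions; the users and roles themselves come from whatever Realm is configured in server.xml (conf/tomcat-users.xml by default).

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Added example, not Joe's web.xml: declares a security constraint so
     the container authenticates the caller before any page is served.
     Role name and realm name are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Without a security-constraint the container never asks the browser
       for credentials, so request.getRemoteUser() is null on every request. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only authenticated users holding this role get through; the
           application can still compare getRemoteUser() against its own DB. -->
      <role-name>intranet-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC sends the password base64-encoded, not encrypted, with every
           request. CONFIDENTIAL makes Tomcat redirect plain HTTP to HTTPS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- BASIC: the browser prompts once and resends the cached credentials
       until it is closed. Change BASIC to CLIENT-CERT to use the HTTPS client
       certificate mechanism instead; the browser then presents its
       certificate over the mutually authenticated SSL connection and no
       login dialog appears. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Intranet application</realm-name>
  </login-config>

  <security-role>
    <role-name>intranet-user</role-name>
  </security-role>
</web-app>
```

After this is deployed, a JSP in the application sees a non-null request.getRemoteUser() (and request.getUserPrincipal()) only for requests that passed the constraint; the lookup against the application's own table of registered users is then an authorization step layered on an identity the container has already verified, rather than a substitute for authentication.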
Re: Problem with security?
Not if you are using mutually authenticated SSL.

On 6/10/05, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:
> > From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED]
> > Subject: Problem with security?
> >
> > I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure.
>
> Those seem to be rather contradictory requirements. How do you expect to determine identity without some form of login?
>
> - Chuck
Re: Problem with security?
There are some pretty good resources for getting started on Servlet/JSP stuff; try the O'Reilly books, especially the latest version of their JSP book.

I suggest that you need to think of what you are wanting to do in 2 phases:
1. Login
2. Authenticate (using values supplied by login).

There are a couple of alternatives if you want to save your users from having to type in passwords over and over; since I'm kind of bored, here's a brief list:
1. If your users are on Windows desktops, then NTLM Auth can get the user information from the browser (either IE or Firefox) without the user having to login (see http://jcifs.samba.org/src/docs/ntlmhttpauth.html)
2. If you have them deployed, then you could use client certificates to authenticate users.
3. You could use a 'remember-me' library (typically uses cookies so that the user only has to login once).

Gagnon, Joseph M (US SSA) wrote:
> Did I not say that I'm new to this?
>
> I made no mention to whether or not I was trying to make it secure. This is only meant to be used within my company's intranet and my intention was to take the user account and then compare it with a set of registered users in the application's DB.
>
> I am beginning to see that at the very least I need to create some kind of mechanism (although I don't understand yet how to go about that, or how many different ways it can be done) to perform user authentication.
>
> If anyone can provide information on how to do this (keep in mind I'm new at this), please let me know.
>
> -Original Message-
> From: Robert Harper [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 10, 2005 10:59 AM
> To: 'Tomcat Users List'
> Subject: RE: Problem with security?

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net
Re: Problem with security?
Hi Joe,

To summarize the point that all of these other folks were making: Tomcat by itself has no way of interrogating the operating system of the connecting machine or noticing, through the information that it gets from the browser, that the user is a particular person. Tomcat can only tell you for sure about the physical connection (IP, and possibly hostname... either of which may be useful to me, but I'll get there in a minute).

I don't have the tomcat source in front of me right now, but I'm pretty sure that the getRemoteUser() method is a typical java 'getter' method; the part of tomcat that manages sessions looks at the incoming cookie and notices that this request is part of an existing, validated session and does essentially 'setRemoteUser()'... nothing automagical about it.

So, back to what you *can* do. So, you know their IP/host; you could use this to query a windows domain controller, which would be able to report which real user is logged onto which machine -- I believe that's what Pete's suggestion was as well; seems like there's some potential there. You can just trust the IP address or hostname (if physical access to the computer is strong enough authentication for you... it really shouldn't be though, because names/IPs can be changed).

So, bottom line, you're gonna have to put some work in. If you *do* find a solution that works, make sure to report it back to the list so that everyone can benefit.

Cheers,
Patrick

On 6/10/05, Gagnon, Joseph M (US SSA) <[EMAIL PROTECTED]> wrote:
> Did I not say that I'm new to this?
>
> I made no mention to whether or not I was trying to make it secure. This is only meant to be used within my company's intranet and my intention was to take the user account and then compare it with a set of registered users in the application's DB.
>
> I am beginning to see that at the very least I need to create some kind of mechanism (although I don't understand yet how to go about that, or how many different ways it can be done) to perform user authentication.
>
> If anyone can provide information on how to do this (keep in mind I'm new at this), please let me know.
>
> -Original Message-
> From: Robert Harper [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 10, 2005 10:59 AM
> To: 'Tomcat Users List'
> Subject: RE: Problem with security?
>
> I think you have missed the point that you cannot get user information unless the user authenticates. You don't want to have a user authenticate but you want to get user information. These are mutually exclusive tasks.
>
> If the user does not authenticate, you can only get the external IP address of the requestor. In order to get user information, you must have the user authenticate. You might have your users sent to a page that gathers the user ID and then store it in a cookie. You cannot count on the browser sending user information because the logged in user may and often is not the actual user.
>
> I don't know how you can call it secure if you don't require a key to open the door. You may be encrypted in your transfer over SSL but if you don't have the user log in, you are not secure.
>
> Robert S. Harper
> Information Access Technology, Inc.
>
> -Original Message-
> From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 10, 2005 8:43 AM
> To: Tomcat Users List
> Subject: RE: Problem with security?
>
> I believe I've covered that all in my original message. Read further.
>
> -Original Message-
> From: egan0019 [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 10, 2005 10:10 AM
> To: Tomcat Users List
> Subject: Re: Problem with security?
>
> Look into the ServletRequest interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet.
>
> On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote:
> > Hello,
> >
> > I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9.
> >
> > I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login
RE: Problem with security?
Try basic authentication. The browser will cache the user name and password and it will only expire when the browser closes. Read in the documents on how to configure the authentication. You might require authentication for all protocols and use BASIC authentication. This will make it easier for the user with a single login and then they can go wherever you allow them and not have to login again until they close the browser.

Robert S. Harper
Information Access Technology, Inc.

-Original Message-
From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 9:19 AM
To: Tomcat Users List
Subject: RE: Problem with security?

Did I not say that I'm new to this?

I made no mention to whether or not I was trying to make it secure. This is only meant to be used within my company's intranet and my intention was to take the user account and then compare it with a set of registered users in the application's DB.

I am beginning to see that at the very least I need to create some kind of mechanism (although I don't understand yet how to go about that, or how many different ways it can be done) to perform user authentication.

If anyone can provide information on how to do this (keep in mind I'm new at this), please let me know.

-Original Message-
From: Robert Harper [mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 10:59 AM
To: 'Tomcat Users List'
Subject: RE: Problem with security?

I think you have missed the point that you cannot get user information unless the user authenticates. You don't want to have a user authenticate but you want to get user information. These are mutually exclusive tasks.

If the user does not authenticate, you can only get the external IP address of the requestor. In order to get user information, you must have the user authenticate. You might have your users sent to a page that gathers the user ID and then store it in a cookie. You cannot count on the browser sending user information because the logged in user may and often is not the actual user.

I don't know how you can call it secure if you don't require a key to open the door. You may be encrypted in your transfer over SSL but if you don't have the user log in, you are not secure.

Robert S. Harper
Information Access Technology, Inc.

-Original Message-
From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 8:43 AM
To: Tomcat Users List
Subject: RE: Problem with security?

I believe I've covered that all in my original message. Read further.

-Original Message-
From: egan0019 [mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 10:10 AM
To: Tomcat Users List
Subject: Re: Problem with security?

Look into the ServletRequest interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet.

On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote:
> Hello,
>
> I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9.
>
> I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access

[Robert Harper] [snip]
RE: Problem with security?
Did I not say that I'm new to this?

I made no mention to whether or not I was trying to make it secure. This is only meant to be used within my company's intranet and my intention was to take the user account and then compare it with a set of registered users in the application's DB.

I am beginning to see that at the very least I need to create some kind of mechanism (although I don't understand yet how to go about that, or how many different ways it can be done) to perform user authentication.

If anyone can provide information on how to do this (keep in mind I'm new at this), please let me know.

-Original Message-
From: Robert Harper [mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 10:59 AM
To: 'Tomcat Users List'
Subject: RE: Problem with security?

I think you have missed the point that you cannot get user information unless the user authenticates. You don't want to have a user authenticate but you want to get user information. These are mutually exclusive tasks.

If the user does not authenticate, you can only get the external IP address of the requestor. In order to get user information, you must have the user authenticate. You might have your users sent to a page that gathers the user ID and then store it in a cookie. You cannot count on the browser sending user information because the logged in user may and often is not the actual user.

I don't know how you can call it secure if you don't require a key to open the door. You may be encrypted in your transfer over SSL but if you don't have the user log in, you are not secure.

Robert S. Harper
Information Access Technology, Inc.

-Original Message-
From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 8:43 AM
To: Tomcat Users List
Subject: RE: Problem with security?

I believe I've covered that all in my original message. Read further.

-Original Message-
From: egan0019 [mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 10:10 AM
To: Tomcat Users List
Subject: Re: Problem with security?

Look into the ServletRequest interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet.

On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote:
> Hello,
>
> I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9.
>
> I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access

[Robert Harper] [snip]
RE: Problem with security?
I think you have missed the point that you cannot get user information unless the user authenticates. You don't want to have a user authenticate but you want to get user information. These are mutually exclusive tasks.

If the user does not authenticate, you can only get the external IP address of the requestor. In order to get user information, you must have the user authenticate. You might have your users sent to a page that gathers the user ID and then store it in a cookie. You cannot count on the browser sending user information because the logged in user may and often is not the actual user.

I don't know how you can call it secure if you don't require a key to open the door. You may be encrypted in your transfer over SSL but if you don't have the user log in, you are not secure.

Robert S. Harper
Information Access Technology, Inc.

-Original Message-
From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 8:43 AM
To: Tomcat Users List
Subject: RE: Problem with security?

I believe I've covered that all in my original message. Read further.

-Original Message-
From: egan0019 [mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 10:10 AM
To: Tomcat Users List
Subject: Re: Problem with security?

Look into the ServletRequest interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet.

On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote:
> Hello,
>
> I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9.
>
> I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access

[Robert Harper] [snip]
RE: Problem with security?
I believe I've covered that all in my original message. Read further.

-Original Message-
From: egan0019 [mailto:[EMAIL PROTECTED]
Sent: Friday, June 10, 2005 10:10 AM
To: Tomcat Users List
Subject: Re: Problem with security?

Look into the ServletRequest interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet.

On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote:
> Hello,
>
> I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9.
>
> I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access resources. If a security mechanism is specified in the deployment descriptor (which I take to be my webapps\ROOT\WEB-INF\web.xml file), then authentication would be required.
>
> Now, I'm not sure that I understand all the nuances of the terminology (not to mention the technology), but it seems that what I've been trying to do should have worked. The web.xml file indicated above contains only the following (and this is the way it came - I added nothing):
>
>   http://java.sun.com/xml/ns/j2ee"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>   version="2.4">
>   Welcome to Tomcat
>   Welcome to Tomcat
>   org.apache.jsp.index_jsp
>   org.apache.jsp.index_jsp
>   org.apache.jsp.index_jsp
>   /index.jsp
>
> Does anyone have any suggestions as to why this doesn't work -or- any suggestions for an alternate method? Also, in a more general sense, any information regarding good sources of information for learning how to do JSP/Servlet programming (web, books, etc.) would be appreciated. Please keep in mind that I am new at this, so examples of some obscure objective or expert level programming will probably be over my head.
>
> Thanks,
> Joe Gagnon
Re: Problem with security?
Look into the ServletRequest interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet.

On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote:
> Hello,
>
> I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9.
>
> I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access resources. If a security mechanism is specified in the deployment descriptor (which I take to be my webapps\ROOT\WEB-INF\web.xml file), then authentication would be required.
>
> Now, I'm not sure that I understand all the nuances of the terminology (not to mention the technology), but it seems that what I've been trying to do should have worked. The web.xml file indicated above contains only the following (and this is the way it came - I added nothing):
>
>   http://java.sun.com/xml/ns/j2ee"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>   version="2.4">
>   Welcome to Tomcat
>   Welcome to Tomcat
>   org.apache.jsp.index_jsp
>   org.apache.jsp.index_jsp
>   org.apache.jsp.index_jsp
>   /index.jsp
>
> Does anyone have any suggestions as to why this doesn't work -or- any suggestions for an alternate method? Also, in a more general sense, any information regarding good sources of information for learning how to do JSP/Servlet programming (web, books, etc.) would be appreciated. Please keep in mind that I am new at this, so examples of some obscure objective or expert level programming will probably be over my head.
>
> Thanks,
> Joe Gagnon
RE: Problem with security?
> From: Gagnon, Joseph M (US SSA)
> I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure.

OK. So what identity can the browser present that you wish to discover? Are all your users on Windows, for example, and you wish to discover their Windows username? On UNIX?

The way HTTP works is that your servlet has to refuse access to a resource before it can obtain any information at all about the user at the other end of the connection. So at the very least, you'll have to investigate creating a servlet that requires authentication. You can then have some control over the kinds of authentication you say you'll accept, and therefore whether the user's browser tries to satisfy the request behind the scenes or whether it pops up that ugly dialog box requesting a username and password.

If you're on Windows and want the user's Windows authentication, take a look at the NTLM Authentication Filter - see http://jcifs.samba.org/src/docs/ntlmhttpauth.html for details. Note that I've never used this and can't help any further than these pointers.

- Peter
RE: Problem with security?
> From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED]
> Subject: Problem with security?
>
> I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure.

Those seem to be rather contradictory requirements. How do you expect to determine identity without some form of login?

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Problem with security?
Hello,

I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9.

I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access resources. If a security mechanism is specified in the deployment descriptor (which I take to be my webapps\ROOT\WEB-INF\web.xml file), then authentication would be required.

Now, I'm not sure that I understand all the nuances of the terminology (not to mention the technology), but it seems that what I've been trying to do should have worked. The web.xml file indicated above contains only the following (and this is the way it came - I added nothing):

  http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
  version="2.4">
  Welcome to Tomcat
  Welcome to Tomcat
  org.apache.jsp.index_jsp
  org.apache.jsp.index_jsp
  org.apache.jsp.index_jsp
  /index.jsp

Does anyone have any suggestions as to why this doesn't work -or- any suggestions for an alternate method? Also, in a more general sense, any information regarding good sources of information for learning how to do JSP/Servlet programming (web, books, etc.) would be appreciated. Please keep in mind that I am new at this, so examples of some obscure objective or expert level programming will probably be over my head.

Thanks,
Joe Gagnon
Re: xalan problem with security manager
Michael-

If you suspect the error is related to the security manager, run tomcat with the following environment variable set:

  export CATALINA_OPTS=-Djava.security.debug=access:failure

This will put logging for the security manager in your catalina.out file (or your application's log file if you defined a new logger for your webapp). It will show all the access checks (in short form) and a stack trace and domain that caused the failure when a failure occurs. It will tell you what permission was denied, and the codebase it was denied to. I used it extensively yesterday to set up my security policy. For more info see http://jakarta.apache.org/tomcat/tomcat-5.0-doc/security-manager-howto.html

Greg

On Jan 14, 2005, at 4:58 AM, Michal Kwiatek wrote:
> Hi all,
>
> I can't make xalan work when I run tomcat with security manager. All I get is java.lang.ExceptionInInitializerError (see stack trace below). It works fine without security manager. Has any of you used xalan on tomcat with security manager? What privileges should I grant to the code? I tried:
>
>   grant {
>     permission java.util.PropertyPermission "*", "read";
>     permission java.net.SocketPermission "*", "connect";
>     permission java.lang.RuntimePermission "getClassLoader";
>   };
>   grant {
>     permission java.io.FilePermission "${catalina.home}/temp/*", "read, write, delete";
>   };
>
> But it doesn't help. Any ideas?
>
> Thank you very much in advance,
> Michal.
>
> My setup is tomcat 5.0.28 on jdk 1.4.2_06, it behaves the same on win xp or linux.
>
> Here's the code:
>
>   File xmlFileObj = new File(xmlFile);
>   File xslFileObj = new File(xslFile);
>   this.out = out;
>   TransformerFactory tFactory = TransformerFactory.newInstance();
>   Transformer transformer = tFactory.newTransformer(new StreamSource(xslFileObj));
>   transformer.setParameter("serviceName", serviceName);
>   transformer.transform(new StreamSource(xmlFileObj), new StreamResult(out));
>   out.flush();
>
> And the stack trace.
javax.servlet.ServletException
  org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:825)
  org.apache.jasper.runtime.PageContextImpl.access$1100(PageContextImpl.java:64)
  org.apache.jasper.runtime.PageContextImpl$12.run(PageContextImpl.java:745)
  java.security.AccessController.doPrivileged(Native Method)
  org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:743)
  org.apache.jsp.tree_jsp._jspService(tree_jsp.java:98)
  org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
  org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
  org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
  org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
  sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  java.lang.reflect.Method.invoke(Method.java:324)
  org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
  java.security.AccessController.doPrivileged(Native Method)
  javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
  org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
  org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)

root cause
java.lang.ExceptionInInitializerError
  java.lang.Class.forName0(Native Method)
  java.lang.Class.forName(Class.java:141)
  org.apache.xalan.serialize.SerializerFactory.getSerializer(SerializerFactory.java:131)
  org.apache.xalan.transformer.TransformerImpl.createResultContentHandler(TransformerImpl.java:1048)
  org.apache.xalan.transformer.TransformerImpl.createResultContentHandler(TransformerImpl.java:975)
  org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:1124)
  org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:1107)
  circeos.xml.XslHtmlConverter.Display(XslHtmlConverter.java:29)
  org.apache.jsp.tree_jsp._jspService(tree_jsp.java:84)
  org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
  org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
  org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
  org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
  javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
  sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  java.lang.reflect.Method.invo
xalan problem with security manager
Hi all,

I can't make xalan work when I run tomcat with security manager. All I get is java.lang.ExceptionInInitializerError (see stack trace below). It works fine without security manager. Has any of you used xalan on tomcat with security manager? What privileges should I grant to the code? I tried:

grant {
        permission java.util.PropertyPermission "*", "read";
        permission java.net.SocketPermission "*", "connect";
        permission java.lang.RuntimePermission "getClassLoader";
};

grant {
        permission java.io.FilePermission "${catalina.home}/temp/*", "read, write, delete";
};

But it doesn't help. Any ideas?

Thank you very much in advance,
Michal.

My setup is tomcat 5.0.28 on jdk 1.4.2_06, it behaves the same on win xp or linux.

Here's the code:

File xmlFileObj = new File(xmlFile);
File xslFileObj = new File(xslFile);
this.out = out;
TransformerFactory tFactory = TransformerFactory.newInstance();
Transformer transformer = tFactory.newTransformer(new StreamSource(xslFileObj));
transformer.setParameter("serviceName", serviceName);
transformer.transform(new StreamSource(xmlFileObj), new StreamResult(out));
out.flush();

And the stack trace.
javax.servlet.ServletException
org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:825)
org.apache.jasper.runtime.PageContextImpl.access$1100(PageContextImpl.java:64)
org.apache.jasper.runtime.PageContextImpl$12.run(PageContextImpl.java:745)
java.security.AccessController.doPrivileged(Native Method)
org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:743)
org.apache.jsp.tree_jsp._jspService(tree_jsp.java:98)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:324)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)

root cause

java.lang.ExceptionInInitializerError
java.lang.Class.forName0(Native Method)
java.lang.Class.forName(Class.java:141)
org.apache.xalan.serialize.SerializerFactory.getSerializer(SerializerFactory.java:131)
org.apache.xalan.transformer.TransformerImpl.createResultContentHandler(TransformerImpl.java:1048)
org.apache.xalan.transformer.TransformerImpl.createResultContentHandler(TransformerImpl.java:975)
org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:1124)
org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:1107)
circeos.xml.XslHtmlConverter.Display(XslHtmlConverter.java:29)
org.apache.jsp.tree_jsp._jspService(tree_jsp.java:84)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:324)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)
Re: problem with security manager, plesk and mysql (catalina.policy ignored?)
I see now where my problem can be. If I extract the war file to directory ${catalina.home}/psa-webapps/mydomain.com/myapplication/ and insert in the policy file

grant codeBase "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/" {
        permission java.net.SocketPermission "localhost","resolve";
        permission java.net.SocketPermission "localhost:3306","connect,resolve";
};

I can then connect to the database, so I guess my problem is I'm not using the proper syntax in the policy file for the .war

I will google for a while :-)

Alfonso.

On Sat, 30-10-2004 at 00:21, Alfonso Alba García wrote:
> Hi everybody,
>
> I have problems when connecting to mysql. I'm getting the following
> exception when trying to connect to a mysql database:
>
> (SQLException): java.sql.SQLException: Unable to connect to any hosts
> due to exception: java.security.AccessControlException: access denied
> (java.net.SocketPermission localhost resolve)
>
> I have read about similar problems in google and tried to modify the
> catalina.policy without success.
>
> I deploy applications via a Plesk web interface which loads my .war
> file, sets it in /var/tomcat4/psa-wars/mydomain.com/, creates a symlink
> to the war file in /var/tomcat4/psa-webapps/mydomain.com/ and makes the
> application available via mydomain.com/myapplication.
>
> It works fine except when an application tries to access a mysql
> database. I'm getting the exception above, even though I tried the
> following lines in catalina.policy without success (found similar
> exceptions to this one in google):
>
> grant codeBase
> "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/-" {
>         permission java.net.SocketPermission "localhost","resolve";
>         permission java.net.SocketPermission "localhost:3306","connect,resolve";
> };
>
> grant codeBase
> "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/WEB-INF/lib/mysql-connector-java-3.0.9-stable-bin.jar"
> {
>         permission java.net.SocketPermission "localhost","resolve";
>         permission java.net.SocketPermission "localhost:3306","connect,resolve";
> };
>
> I tried both of them one at a time and I restarted tomcat after every
> modification made to the catalina.policy.
>
> I'm using tomcat 4.1.24 on a redhat linux Enterprise server, with
> /mysql-connector-java-3.0.9 and jre 1.4.2.
>
> Tomcat and mysql are in the same server.
>
> The way I'm trying to access the database in a jsp is
>
> conexion = DriverManager.getConnection("jdbc:mysql://localhost/DATABASE?user=USER&password=PASSWORD");
>
> I've checked that the database exists, I can connect to the database
> from a console as user USER with password PASSWORD.
>
> The application works perfectly well in another server (debian woody
> with tomcat 4.0) where it was not necessary to modify the security
> policy.
>
> I talked to a friend of mine who also knows something about tomcat and
> told me that to access a database in the same server where tomcat is, it
> should not be necessary to modify the catalina.policy file.
>
> I have some experience with tomcat but I ran out of ideas and things to
> try. Any help to open my eyes would be appreciated.
>
> Thanks a lot in advance,
>
> Alfonso
problem with security manager, plesk and mysql (catalina.policy ignored?)
Hi everybody,

I have problems when connecting to mysql. I'm getting the following exception when trying to connect to a mysql database:

(SQLException): java.sql.SQLException: Unable to connect to any hosts due to exception: java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve)

I have read about similar problems in google and tried to modify the catalina.policy without success.

I deploy applications via a Plesk web interface which loads my .war file, sets it in /var/tomcat4/psa-wars/mydomain.com/, creates a symlink to the war file in /var/tomcat4/psa-webapps/mydomain.com/ and makes the application available via mydomain.com/myapplication.

It works fine except when an application tries to access a mysql database. I'm getting the exception above, even though I tried the following lines in catalina.policy without success (found similar exceptions to this one in google):

grant codeBase "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/-" {
        permission java.net.SocketPermission "localhost","resolve";
        permission java.net.SocketPermission "localhost:3306","connect,resolve";
};

grant codeBase "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/WEB-INF/lib/mysql-connector-java-3.0.9-stable-bin.jar" {
        permission java.net.SocketPermission "localhost","resolve";
        permission java.net.SocketPermission "localhost:3306","connect,resolve";
};

I tried both of them one at a time and I restarted tomcat after every modification made to the catalina.policy.

I'm using tomcat 4.1.24 on a redhat linux Enterprise server, with /mysql-connector-java-3.0.9 and jre 1.4.2.

Tomcat and mysql are in the same server.

The way I'm trying to access the database in a jsp is

conexion = DriverManager.getConnection("jdbc:mysql://localhost/DATABASE?user=USER&password=PASSWORD");

I've checked that the database exists, I can connect to the database from a console as user USER with password PASSWORD.

The application works perfectly well in another server (debian woody with tomcat 4.0) where it was not necessary to modify the security policy.

I talked to a friend of mine who also knows something about tomcat and told me that to access a database in the same server where tomcat is, it should not be necessary to modify the catalina.policy file.

I have some experience with tomcat but I ran out of ideas and things to try. Any help to open my eyes would be appreciated.

Thanks a lot in advance,

Alfonso
Re: problem with security-constraint with Tomcat 5
You didn't look hard enough :)

An extension is defined as the part of the last segment after the last '.' character.

- Original Message -
From: "Mercado . Maria" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Monday, October 18, 2004 7:45 AM
Subject: RE: problem with security-constraint with Tomcat 5

Thanks for the suggestion, Yoav. I looked but I didn't see anything that stated that a url pattern with 2 dots is illegal.

- Cecile Mercado

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Monday, October 18, 2004 9:12 AM
To: Tomcat Users List
Subject: RE: problem with security-constraint with Tomcat 5

Hi,

Could this be something that changed (or rather, was clarified) in the Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4 (which Tomcat 5.x implements)? ;)

Yoav Shapira
http://www.yoavshapira.com

>-Original Message-
>From: Mercado . Maria [mailto:[EMAIL PROTECTED]
>Sent: Monday, October 18, 2004 10:08 AM
>To: [EMAIL PROTECTED]
>Subject: problem with security-constraint with Tomcat 5
>
>I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28.
>We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems
>to be confused with a url pattern that works with Tomcat 4. Here's the
>pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version
>of web.xml):
>
>"...
>
>  <servlet>
>    <servlet-name>strutsnav</servlet-name>
>    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
>    <init-param>
>      <param-name>config</param-name>
>      <param-value>/WEB-INF/conf/struts-config.xml</param-value>
>    </init-param>
>    <init-param>
>      <param-name>validate</param-name>
>      <param-value>true</param-value>
>    </init-param>
>    <load-on-startup>1</load-on-startup>
>  </servlet>
>
>...
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.do</url-pattern>
>  </servlet-mapping>
>
>...
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Secure Struts Actions</web-resource-name>
>      <url-pattern>*.sec.do</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>General User</role-name>
>    </auth-constraint>
>  </security-constraint>
>
>  <login-config>
>    <auth-method>FORM</auth-method>
>    <form-login-config>
>      <form-login-page>/login.do</form-login-page>
>      <form-error-page>/logininvalid.do</form-error-page>
>    </form-login-config>
>  </login-config>
>
>  <security-role>
>    <role-name>General User</role-name>
>  </security-role>
>
>..."
>
>If I try to access a sec.do Struts action, I just get a blank space in the
>body of the Tiles layout - I don't get the login form. If I change the
>url-pattern in web-resource-collection to "*.do", then I get the login
>page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is
>this a bug?
>
>I also tried to add the following, but it didn't help:
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.sec.do</url-pattern>
>  </servlet-mapping>
>
>Thanks,
>Cecile Mercado
Re: problem with security-constraint with Tomcat 5
On Mon, 18 Oct 2004 10:45:23 -0400, Mercado . Maria <[EMAIL PROTECTED]> wrote:
> Thanks for the suggestion, Yoav. I looked but I didn't see anything that stated
> that a url pattern with 2 dots is illegal.

Most systems I am aware of consider that the extension is the last dot. Otherwise, it starts adding complexity. Don't expect a fix (assuming this is indeed a valid issue, which I doubt).

--
Rémy Maucherat
Developer & Consultant
JBoss Group (Europe) SàRL
RE: problem with security-constraint with Tomcat 5
Thanks for the suggestion, Yoav. I looked but I didn't see anything that stated that a url pattern with 2 dots is illegal.

- Cecile Mercado

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Monday, October 18, 2004 9:12 AM
To: Tomcat Users List
Subject: RE: problem with security-constraint with Tomcat 5

Hi,

Could this be something that changed (or rather, was clarified) in the Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4 (which Tomcat 5.x implements)? ;)

Yoav Shapira
http://www.yoavshapira.com

>-Original Message-
>From: Mercado . Maria [mailto:[EMAIL PROTECTED]
>Sent: Monday, October 18, 2004 10:08 AM
>To: [EMAIL PROTECTED]
>Subject: problem with security-constraint with Tomcat 5
>
>I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28.
>We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems
>to be confused with a url pattern that works with Tomcat 4. Here's the
>pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version
>of web.xml):
>
>"...
>
>  <servlet>
>    <servlet-name>strutsnav</servlet-name>
>    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
>    <init-param>
>      <param-name>config</param-name>
>      <param-value>/WEB-INF/conf/struts-config.xml</param-value>
>    </init-param>
>    <init-param>
>      <param-name>validate</param-name>
>      <param-value>true</param-value>
>    </init-param>
>    <load-on-startup>1</load-on-startup>
>  </servlet>
>
>...
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.do</url-pattern>
>  </servlet-mapping>
>
>...
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Secure Struts Actions</web-resource-name>
>      <url-pattern>*.sec.do</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>General User</role-name>
>    </auth-constraint>
>  </security-constraint>
>
>  <login-config>
>    <auth-method>FORM</auth-method>
>    <form-login-config>
>      <form-login-page>/login.do</form-login-page>
>      <form-error-page>/logininvalid.do</form-error-page>
>    </form-login-config>
>  </login-config>
>
>  <security-role>
>    <role-name>General User</role-name>
>  </security-role>
>
>..."
>
>If I try to access a sec.do Struts action, I just get a blank space in the
>body of the Tiles layout - I don't get the login form. If I change the
>url-pattern in web-resource-collection to "*.do", then I get the login
>page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is
>this a bug?
>
>I also tried to add the following, but it didn't help:
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.sec.do</url-pattern>
>  </servlet-mapping>
>
>Thanks,
>Cecile Mercado
RE: problem with security-constraint with Tomcat 5
Hi,

Could this be something that changed (or rather, was clarified) in the Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4 (which Tomcat 5.x implements)? ;)

Yoav Shapira
http://www.yoavshapira.com

>-Original Message-
>From: Mercado . Maria [mailto:[EMAIL PROTECTED]
>Sent: Monday, October 18, 2004 10:08 AM
>To: [EMAIL PROTECTED]
>Subject: problem with security-constraint with Tomcat 5
>
>I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28.
>We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems
>to be confused with a url pattern that works with Tomcat 4. Here's the
>pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version
>of web.xml):
>
>"...
>
>  <servlet>
>    <servlet-name>strutsnav</servlet-name>
>    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
>    <init-param>
>      <param-name>config</param-name>
>      <param-value>/WEB-INF/conf/struts-config.xml</param-value>
>    </init-param>
>    <init-param>
>      <param-name>validate</param-name>
>      <param-value>true</param-value>
>    </init-param>
>    <load-on-startup>1</load-on-startup>
>  </servlet>
>
>...
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.do</url-pattern>
>  </servlet-mapping>
>
>...
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Secure Struts Actions</web-resource-name>
>      <url-pattern>*.sec.do</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>General User</role-name>
>    </auth-constraint>
>  </security-constraint>
>
>  <login-config>
>    <auth-method>FORM</auth-method>
>    <form-login-config>
>      <form-login-page>/login.do</form-login-page>
>      <form-error-page>/logininvalid.do</form-error-page>
>    </form-login-config>
>  </login-config>
>
>  <security-role>
>    <role-name>General User</role-name>
>  </security-role>
>
>..."
>
>If I try to access a sec.do Struts action, I just get a blank space in the
>body of the Tiles layout - I don't get the login form. If I change the
>url-pattern in web-resource-collection to "*.do", then I get the login
>page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is
>this a bug?
>
>I also tried to add the following, but it didn't help:
>
>  <servlet-mapping>
>    <servlet-name>strutsnav</servlet-name>
>    <url-pattern>*.sec.do</url-pattern>
>  </servlet-mapping>
>
>Thanks,
>Cecile Mercado
problem with security-constraint with Tomcat 5
I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28. We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems to be confused with a url pattern that works with Tomcat 4. Here's the pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version of web.xml):

"...

  <servlet>
    <servlet-name>strutsnav</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/conf/struts-config.xml</param-value>
    </init-param>
    <init-param>
      <param-name>validate</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

...

  <servlet-mapping>
    <servlet-name>strutsnav</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

...

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Struts Actions</web-resource-name>
      <url-pattern>*.sec.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>General User</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.do</form-login-page>
      <form-error-page>/logininvalid.do</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>General User</role-name>
  </security-role>

..."

If I try to access a sec.do Struts action, I just get a blank space in the body of the Tiles layout - I don't get the login form. If I change the url-pattern in web-resource-collection to "*.do", then I get the login page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is this a bug?

I also tried to add the following, but it didn't help:

  <servlet-mapping>
    <servlet-name>strutsnav</servlet-name>
    <url-pattern>*.sec.do</url-pattern>
  </servlet-mapping>

Thanks,
Cecile Mercado
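The replies in this thread turn on one rule from the servlet spec: an extension mapping compares only the part of the last path segment after its last '.', so "*.sec.do" can never match a request whose extension is "do". The security consequence is that a security-constraint written with such a pattern protects nothing, and the request reaches the action without any login. The following Java program is an added example written for this page (it is not Tomcat's matcher and not Cecile's code) that reimplements the exact, path-prefix and extension matching rules from the spec text and reports which constraint patterns would cover a given request path; the paths and pattern list are constructed samples.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Minimal reimplementation of the Servlet 2.4 url-pattern matching rules
 * (exact, path-prefix "/foo/*", extension "*.ext", default "/"), written
 * from the specification text for this example. Constructed sample input.
 */
public class UrlPatternCheck {

    /** True if 'pattern' matches 'path' under the spec's mapping rules. */
    public static boolean matches(String pattern, String path) {
        if (pattern == null || path == null) return false;
        // 1. Exact match.
        if (pattern.equals(path)) return true;
        // 2. Path-prefix match: "/foo/*" matches "/foo" and everything below it.
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            if (prefix.isEmpty()) return true;            // "/*" matches every path
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        // 3. Extension match: only the part of the LAST segment after its LAST '.'
        //    is the extension, so a pattern like "*.sec.do" cannot match anything.
        if (pattern.startsWith("*.")) {
            String ext = pattern.substring(2);
            int slash = path.lastIndexOf('/');
            int dot = path.lastIndexOf('.');
            if (dot <= slash || dot == path.length() - 1) return false;   // no extension
            return path.substring(dot + 1).equals(ext);
        }
        // 4. Default mapping.
        return "/".equals(pattern);
    }

    /** Returns every pattern in 'constraintPatterns' that covers 'path'. */
    public static List<String> protectingPatterns(List<String> constraintPatterns, String path) {
        List<String> hits = new ArrayList<>();
        for (String p : constraintPatterns) {
            if (matches(p, path)) hits.add(p);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed request paths and the patterns from the web.xml above plus a prefix pattern.
        String[] paths = { "/admin/edit.sec.do", "/list.do", "/admin/", "/report.sec.do/" };
        List<String> patterns = List.of("*.sec.do", "*.do", "/admin/*");
        for (String path : paths) {
            List<String> hits = protectingPatterns(patterns, path);
            System.out.printf("%-20s protected by %s%n",
                    path, hits.isEmpty() ? "NOTHING (request is unauthenticated)" : hits);
        }
    }
}
```

Run it against the url-patterns of every security-constraint in a web.xml before deploying; any sensitive path that comes back with no covering pattern is reachable without the login-config ever being consulted.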
problem with security manager.
I am running Tomcat4.1.30 on windows 2000, with security option turned on. My java application which is using JDK 1.4, connects to the credit card authorizing company called verisign, and returns the approval authorization code. I have installed the digital certificate on $TOMCAT_HOME\certs directory. There are read permissions on the cert file. But still for some reason the verisign is not able to read the cert file due to the below error.

RESULT=-31&RESPMSG=The certificate chain did not validate, no local certificate found, java.security.AccessControlException: access denied (java.io.FilePermission C:\Program Files\Apache Group\Tomcat 4.1\certs read)

However when I run Tomcat server without security, everything is fine. Somehow tomcat is restricting the permission to read the cert file. Verisign uses Jsse.jar to do the security authentication. I have modified both java.policy and catalina.policy to grant permission on the cert file as below.

permission java.io.FilePermission "C:\\Program Files\\Apache Group\\Tomcat 4.1\\certs\\-", "read";

But this does not help, is there anything else I should do to the server.xml file... How does the security manager run in Tomcat4.1? Please help...
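Three of the posts above add a permission line to a policy file and still get a denial, and in each case the question is whether the grant actually implies the permission named in the AccessControlException. The JDK answers that offline through Permission.implies(), so it can be checked without restarting Tomcat. The program below is an added example written for this page (not the posters' code); it checks the "${catalina.home}/temp/*" grant from the Xalan thread, the two SocketPermission lines from the Plesk thread, and this post's "certs\-" grant against the "certs" directory path that appears in the denied permission. The directory paths are constructed samples built with File.separator so the same source runs on Windows and Unix (in a policy file the Windows backslashes are escaped as in the post).

```java
import java.io.File;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;

/** Offline check of policy-file grant lines against the permission a denial reported. */
public class GrantCheck {

    /** True if the grant line 'granted' satisfies the denied permission 'requested'. */
    public static boolean covers(Permission granted, Permission requested) {
        return granted.implies(requested);
    }

    // Shorthand so that main() reads like the policy file.
    static Permission file(String path, String actions) { return new FilePermission(path, actions); }
    static Permission sock(String host, String actions) { return new SocketPermission(host, actions); }

    /** Joins path elements with the platform separator (constructed sample paths). */
    static String path(String... parts) { return String.join(File.separator, parts); }

    public static void main(String[] args) {
        String sep = File.separator;
        String temp  = path("", "opt", "tomcat", "temp");    // stands in for ${catalina.home}/temp
        String certs = path("", "opt", "tomcat", "certs");   // stands in for $TOMCAT_HOME\certs

        Permission[][] cases = {
            // "<dir>/*" covers files directly inside the directory ...
            { file(temp + sep + "*", "read,write,delete"), file(temp + sep + "xalan.tmp", "read") },
            // ... but not files in subdirectories; that needs "<dir>/-".
            { file(temp + sep + "*", "read,write,delete"), file(path(temp, "sub", "xalan.tmp"), "read") },
            { file(temp + sep + "-", "read,write,delete"), file(path(temp, "sub", "xalan.tmp"), "read") },
            // "<dir>/-" covers everything below the directory, but not the directory
            // path itself, which is the name in the denied FilePermission in this post.
            { file(certs + sep + "-", "read"), file(certs + sep + "client.p12", "read") },
            { file(certs + sep + "-", "read"), file(certs, "read") },
            // A "connect" grant to one port also satisfies a port-less "resolve" check
            // (the port range is not consulted for resolve), but not another port.
            { sock("localhost:3306", "connect,resolve"), sock("localhost", "resolve") },
            { sock("localhost:3306", "connect,resolve"), sock("localhost:3307", "connect") },
        };
        for (Permission[] c : cases) {
            System.out.printf("%-50s implies %-40s -> %b%n",
                    c[0].getName() + " " + c[0].getActions(),
                    c[1].getName() + " " + c[1].getActions(),
                    covers(c[0], c[1]));
        }
    }
}
```

The practical use is to paste the permission string from an "access denied (...)" line in as 'requested' and each candidate grant as 'granted'; when every grant returns false, the policy text is the problem, and when one returns true the grant is right but is being attached to the wrong codeBase, which the access:failure logging from Greg's reply will show.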
Re: problem with security manager and manager webapp
Jason Keltz wrote:

Hi Jeanfrancois,

I'm not sure now if it's a bug or not. I realized that the problem is that the code in "catalina.policy" to allow access refers to "${catalina.home}":

// These permissions apply to the container's core code, plus any additional
// libraries installed in the "server" directory
grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
};

I had copied the "server" directory to "CATALINA_BASE" to get the manager app working a while ago. The default context for the manager app refers to "../server", which, of course wouldn't otherwise exist in CATALINA_BASE unless copied. When the conf directory along with "Catalina/localhost/manager.xml" was copied to CATALINA_BASE, the manager app couldn't be found.

I've tried these two things and they both work:

1) Change ${catalina.home}/server to ${catalina.base}/server

2) Get rid of the server directory in CATALINA_BASE, and change the context descriptor for the manager app in the CATALINA_BASE directory to refer to the full path to the manager in CATALINA_HOME.

Now, the existing security policy works.

Yes, except it is not supposed to work like that. I will try to fix it tonight or tomorrow.

Thanks

-- Jeanfrancois

Jason.

On Tue, 16 Mar 2004, Jeanfrancois Arcand wrote:

Jason Keltz wrote:

Hi.

I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error:

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on

And in the log file, I see that:

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina)

That's a bug on our side. I will take a look later today. As a workaround, you can do:

permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";

or remove that package in catalina.properties.

-- Jeanfrancois

at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
at java.security.AccessController.checkPermission(AccessController.java:401)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491)
at java.lang.ClassLoader$1.run(ClassLoader.java:313)
at java.security.AccessController.doPrivileged(Native Method)
at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311)
at java.lang.ClassLoader.defineClass0(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:537)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677)
at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230)
at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958)
at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)

---

In the default Cat
Re: problem with security manager and manager webapp
Hi Jeanfrancois,

I'm not sure now if it's a bug or not. I realized that the problem is that the code in "catalina.policy" to allow access refers to "${catalina.home}":

// These permissions apply to the container's core code, plus any additional
// libraries installed in the "server" directory
grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
};

I had copied the "server" directory to "CATALINA_BASE" to get the manager app working a while ago. The default context for the manager app refers to "../server", which, of course wouldn't otherwise exist in CATALINA_BASE unless copied. When the conf directory along with "Catalina/localhost/manager.xml" was copied to CATALINA_BASE, the manager app couldn't be found.

I've tried these two things and they both work:

1) Change ${catalina.home}/server to ${catalina.base}/server

2) Get rid of the server directory in CATALINA_BASE, and change the context descriptor for the manager app in the CATALINA_BASE directory to refer to the full path to the manager in CATALINA_HOME.

Now, the existing security policy works.

Jason.

On Tue, 16 Mar 2004, Jeanfrancois Arcand wrote:

>
> Jason Keltz wrote:
>
> >Hi.
> >
> >I've been using the manager webapp, but after enabling the security
> >manager (-security on tomcat startup), the manager doesn't run any longer,
> >giving this error:
> >
> >type Exception report
> >
> >message
> >
> >description The server encountered an internal error () that prevented it
> >from fulfilling this request.
> >
> >exception
> >
> >javax.servlet.ServletException: Wrapper cannot find servlet class
> >org.apache.catalina.manager.ManagerServlet or a class it depends on
> >
> >
> >And in the log file, I see that:
> >
> >java.security.AccessControlException: access denied
> >(java.lang.RuntimePermission accessClassInPackage.org.apache.catalina)
> >
> >
> That's a bug on our side. I will take a look later today. As a
> workaround, you can do:
>
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
>
> or remove that package in catalina.properties.
>
> -- Jeanfrancois
>
> >at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
> >at java.security.AccessController.checkPermission(AccessController.java:401)
> >at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
> >at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491)
> >at java.lang.ClassLoader$1.run(ClassLoader.java:313)
> >at java.security.AccessController.doPrivileged(Native Method)
> >at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311)
> >at java.lang.ClassLoader.defineClass0(Native Method)
> >at java.lang.ClassLoader.defineClass(ClassLoader.java:537)
> >at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
> >at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677)
> >at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900)
> >at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350)
> >at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230)
> >at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962)
> >at java.security.AccessController.doPrivileged(Native Method)
> >at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958)
> >at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712)
> >at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187)
> >at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
> >at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
> >at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
> >at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
> >at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
> >at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587)
> >at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
> >at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
> >at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
> >at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
> >at org.apache.catalina.valves.ErrorR
Re: problem with security manager and manager webapp
Jason Keltz wrote:
> Hi. I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error:
>
> type Exception report
> message
> description The server encountered an internal error () that prevented it from fulfilling this request.
> exception
> javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on
>
> And in the log file, I see that:
>
> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina)

That's a bug on our side. I will take a look later today.

As a workaround, you can do:

permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";

or remove that package in catalina.properties.

-- Jeanfrancois

>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
>         at java.security.AccessController.checkPermission(AccessController.java:401)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
>         at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491)
>         at java.lang.ClassLoader$1.run(ClassLoader.java:313)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311)
>         at java.lang.ClassLoader.defineClass0(Native Method)
>         at java.lang.ClassLoader.defineClass(ClassLoader.java:537)
>         at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
>         at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677)
>         at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900)
>         at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350)
>         at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230)
>         at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958)
>         at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187)
>         at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
>         at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
>         at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587)
>         at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
>         at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
>         at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
>
> ---
>
> In the default Catalina.policy file, I see:
>
> // libraries installed in the "server" directory
> grant codeBase "file:${catalina.home}/server/-" {
>         permission java.security.AllPermission;
> };
>
> Why can I not get the manager app to work with the security manager enabled?
>
> Thanks,
>
> Jason Keltz
> [EMAIL PROTECTED]
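An added illustration (not code from this thread or from Tomcat) of what the -security switch and the package.access list in catalina.properties actually enforce, and of the two ways out that the reply above lists. It uses a made-up package demo.internal in place of org.apache.catalina; the class name, the policy file name and the codeBase path in the comments are placeholders. It assumes a JDK that still lets you install a SecurityManager at run time (JDK 8 works as-is; JDK 18 to 23 need -Djava.security.manager=allow; JDK 24 removed the SecurityManager).

```java
// Added demonstration of the package-access check behind the
// AccessControlException in the log. Not Tomcat code.
import java.security.AccessControlException;
import java.security.Security;

public class PackageAccessDemo {

    // Hypothetical package standing in for org.apache.catalina. No class in it
    // has to exist: the application class loader asks the SecurityManager
    // about the package name before it even looks for the class file.
    static final String RESTRICTED_PKG = "demo.internal";

    /** True when the policy in effect lets this code load classes from RESTRICTED_PKG. */
    static boolean canLoadFromRestrictedPackage() {
        try {
            Class.forName(RESTRICTED_PKG + ".Anything");   // placeholder class name
            return true;                 // only reachable if such a class really exists
        } catch (ClassNotFoundException e) {
            return true;                 // package check passed; the lookup simply failed
        } catch (AccessControlException e) {
            // Same denial the manager webapp hit:
            // RuntimePermission accessClassInPackage.demo.internal
            return false;
        }
    }

    public static void main(String[] args) {
        // Counterpart of the package.access line in catalina.properties: code that
        // lacks RuntimePermission "accessClassInPackage.<pkg>" may not load classes
        // from any listed package prefix. Must be set before the manager is installed,
        // because afterwards changing it needs a SecurityPermission of its own.
        String current = Security.getProperty("package.access");
        String prefix = (current == null || current.isEmpty()) ? "" : current + ",";
        Security.setProperty("package.access", prefix + RESTRICTED_PKG + ".");

        // Counterpart of starting Tomcat with -security.
        System.setSecurityManager(new SecurityManager());

        // With the default java.policy this prints "false".
        System.out.println("loading from " + RESTRICTED_PKG + " allowed: "
                + canLoadFromRestrictedPackage());

        // Fix 1, the policy route (what the workaround above does for
        // org.apache.catalina): grant the permission only to the code that needs it,
        // e.g. in a file passed with -Djava.security.policy=demo.policy (placeholder):
        //
        //   grant codeBase "file:/path/to/classes/-" {
        //       permission java.lang.RuntimePermission "accessClassInPackage.demo.internal";
        //   };
        //
        // Fix 2, the catalina.properties route: leave the package out of
        // package.access altogether. That lifts the restriction for every code
        // source in the JVM, not just the one webapp that needs it.
    }
}
```

The policy grant is the narrower of the two options: scoped by codeBase, it lets the manager webapp reach org.apache.catalina while other webapps stay fenced off, whereas editing package.access removes the fence for everyone.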
problem with security manager and manager webapp
Hi. I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error:

type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on

And in the log file, I see that:

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491)
        at java.lang.ClassLoader$1.run(ClassLoader.java:313)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311)
        at java.lang.ClassLoader.defineClass0(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:537)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
        at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677)
        at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230)
        at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958)
        at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
        at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)

---

In the default Catalina.policy file, I see:

// libraries installed in the "server" directory
grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
};

Why can I not get the manager app to work with the security manager enabled?

Thanks,

Jason Keltz
[EMAIL PROTECTED]
Problem with security constraints on /
Hello, Tomcat users!

Earlier this week I stumbled on the following problem. I already found a solution to it but I am still not sure whether I had misconfigured things or whether this is a Tomcat bug that should be filed (didn't find an existing record). Could someone with more expertise confirm if the following is correct behaviour according to the servlet standard (a short explanation would be nice in that case).

I am using Tomcat 3.2.3. I have a servlet mapped to / (within its application context) and I have restricted access to / using the following webapp definition.

- clip -
<servlet>
    <servlet-name>sms-dispatcher</servlet-name>
    <servlet-class>fi.rossum.bg.sms.SMSDispatcher</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>sms-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>sms-dispatcher</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>smscore</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>smscore</role-name>
</security-role>
- clip -

However, when I point my browser at http://127.0.0.1:8080/smsdispatcher/ Tomcat lets me in without basic authentication!

Now, when I do the following modification...

- clip -
    <web-resource-collection>
        <web-resource-name>sms-dispatcher</web-resource-name>
-       <url-pattern>/</url-pattern>
+       <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>smscore</role-name>
    </auth-constraint>
- clip -

...everything starts working as expected and I have to provide a user name and password.

Is this really how it is supposed to work?

Thanks for clarifications!

--
Johannes Lehtinen <[EMAIL PROTECTED]>, http://www.iki.fi/jle/