Re: Limits on the size of the web.xml file?

2001-09-05 Thread Jim Cheesman

At 05:57 PM 04/09/01, you wrote:


On Tue, 4 Sep 2001, Jim Cheesman wrote:

 
  RTFAPI ;)
 

This acronym will *definitely* come in handy!  :-)


Something good comes out of my ignorance, then...





--

   *   Jim Cheesman   *
 Work: [EMAIL PROTECTED] - (34)(91) 724 9200 x 2360
 What is the probability that something
 will happen according to the odds?





Re: Limits on the size of the web.xml file?

2001-09-05 Thread Dmitri Colebatch

Craig,

I would have thought RTFS would have been more to your liking... given
your regular points to the spec (o:

On Tue, 4 Sep 2001, Craig R. McClanahan wrote:
 
 
 On Tue, 4 Sep 2001, Jim Cheesman wrote:
 
 
  RTFAPI ;)
 
 
 This acronym will *definitely* come in handy!  :-)
 
 Craig
 
 




Re: Limits on the size of the web.xml file?

2001-09-05 Thread Craig R. McClanahan



On Wed, 5 Sep 2001, Dmitri Colebatch wrote:

 Date: Wed, 5 Sep 2001 08:21:44 +1000
 From: Dmitri Colebatch [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Limits on the size of the web.xml file?

 Craig,

 I would have thought RTFS would have been more to your liking... given
 your regular points to the spec (o:


Yep ... that one too!  S, of course, meaning the servlet and JSP
specifications.

http://java.sun.com/products/servlet/download.html  :-)
http://java.sun.com/products/jsp/download.html  :-)

 On Tue, 4 Sep 2001, Craig R. McClanahan wrote:
 
 
  On Tue, 4 Sep 2001, Jim Cheesman wrote:
 
  
   RTFAPI ;)
  
 
  This acronym will *definitely* come in handy!  :-)
 
  Craig
 
 






Re: Limits on the size of the web.xml file?

2001-09-04 Thread Jim Cheesman



Consider that you might have the mailboxes for a particular user defined
in a database table called mailboxes, with columns username and
mailboxname.  It would be easy to construct an SQL statement like this:

   select mailboxname from mailboxes
 where username = xxx

and replace xxx by the value returned from request.getRemoteUser().  This
would allow the user access *only* to his or her own mailboxes.

Assuming, of course, that your users are using the same machine / login id 
- not necessarily the case in, for example, a university with shared 
machines...


Still, you're going to need to do something like that.





--

   *   Jim Cheesman   *
 Work: [EMAIL PROTECTED] - (34)(91) 724 9200 x 2360
 Evil is not all bad.





Re: Limits on the size of the web.xml file?

2001-09-04 Thread Craig R. McClanahan



On Tue, 4 Sep 2001, Jim Cheesman wrote:


 RTFAPI ;)


This acronym will *definitely* come in handy!  :-)

Craig




Re: Limits on the size of the web.xml file?

2001-09-03 Thread Roland

 Sounds like a redesign is more appropriate.

 Memory issues aside, have you considered the fact that using individual
 security constraints for each and every user means that you have to
 restart the entire app every time you add a new user?  Or, that every time
 you add a user and restart, the restart time gets longer and longer?

That's a problem!

 Use application specific logic to ensure that a particular user can only
 see things that are relevant to them (i.e.  their own mailbox in a
 WebMail scenario).

That was my original design idea. BUT, in this case I don't know how to
prevent someone from seeing the data from other users. How can I stop someone
from trying to access the mail from someone else? Supposing that all
standard users will have the same role, the security will allow him to see
all directories.

A question besides here, using JDBC realms is it possible to assign multiple
roles to one user? How do I do it? Do I have to put several entries in the
user_roles table? One line for each role of the user?

Thanks in advance...





Re: Limits on the size of the web.xml file?

2001-09-03 Thread Craig R. McClanahan



On Mon, 3 Sep 2001, Roland wrote:

 Date: Mon, 3 Sep 2001 16:19:48 -0300
 From: Roland [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Limits on the size of the web.xml file?

  Sounds like a redesign is more appropriate.
 
  Memory issues aside, have you considered the fact that using individual
  security constraints for each and every user means that you have to
  restart the entire app every time you add a new user?  Or, that every time
  you add a user and restart, the restart time gets longer and longer?

 That's a problem!

  Use application specific logic to ensure that a particular user can only
  see things that are relevant to them (i.e.  their own mailbox in a
  WebMail scenario).

 That was my original design idea. BUT, in this case I don't know how to
 prevent someone from seeing the data from other users. How can I stop someone
 from trying to access the mail from someone else? Supposing that all
 standard users will have the same role, the security will allow him to see
 all directories.


The details *vastly* depend on how your app is put together, but it isn't
all that complicated to figure out.

Consider that you might have the mailboxes for a particular user defined
in a database table called mailboxes, with columns username and
mailboxname.  It would be easy to construct an SQL statement like this:

  select mailboxname from mailboxes
where username = xxx

and replace xxx by the value returned from request.getRemoteUser().  This
would allow the user access *only* to his or her own mailboxes.

I'm assuming that you are *not* allowing users to upload their own
servlets or JSP pages, so they can only access what your app allows.  If
this is not true, all bets are off (and I wouldn't ever trust your server
with my mail messages anyway :-).

 A question besides here, using JDBC realms is it possible to assign multiple
 roles to one user? How do I do it? Do I have to put several entries in the
 user_roles table? One line for each role of the user?

Yep.  A user can have as many roles as you want to assign them.


 Thanks in advance...



Craig
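The lookup described in the message above, as an added example that is not code from the thread or from Tomcat: the username is bound as a query parameter rather than substituted into the SQL text, so the value from request.getRemoteUser() cannot alter the statement. The class name `MailboxAccess` and the `owns` helper are hypothetical; the table and column names are the ones given in the message, and the code is written in current Java against the javax.servlet API.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper: mailbox lookups scoped to the authenticated user. */
public final class MailboxAccess {

    /** Lists the caller's mailboxes; the username never comes from a request parameter. */
    public static List<String> listOwn(Connection db, HttpServletRequest request)
            throws SQLException {
        List<String> names = new ArrayList<>();
        String user = request.getRemoteUser();   // set by the container after login
        if (user == null) return names;          // not authenticated: nothing is visible
        String sql = "select mailboxname from mailboxes where username = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);               // bound value, not string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) names.add(rs.getString("mailboxname"));
            }
        }
        return names;
    }

    /** True only if the mailbox named in the request belongs to the caller. */
    public static boolean owns(Connection db, HttpServletRequest request,
                               String requestedMailbox) throws SQLException {
        String user = request.getRemoteUser();
        if (user == null || requestedMailbox == null) return false;
        String sql = "select 1 from mailboxes where username = ? and mailboxname = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, requestedMailbox);   // client-supplied, so it is bound too
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();                // a row exists only for the owner
            }
        }
    }
}
```

Calling `owns` before every read or write of a mailbox named in a request parameter is what keeps one user from reaching another user's mail when all standard users share the same role.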





Re: Limits on the size of the web.xml file?

2001-09-03 Thread Roland

 The details *vastly* depend on how your app is put together, but it isn't
 all that complicated to figure out.

 Consider that you might have the mailboxes for a particular user defined
 in a database table called mailboxes, with columns username and
 mailboxname.  It would be easy to construct an SQL statement like this:

   select mailboxname from mailboxes
 where username = xxx

Ok, having Data in the database is fine. But what if we also have image
data? We will store Charts and things like that. I think it would be easier
to create a directory for each user (maybe I'm wrong). It is possible to
store images in a mysql database but I think it's not as easy as text data.
And then we will have to create a HTML page from that image data and send it
to the user.
To put the question more simply: is it possible to create a directory for
each user and prevent other users from accessing it? If every standard user
has the same role how can this be done? I had the idea of letting no one
access the user directories. Then the jsp pages would take the info from the
user directories according to the user that is logged in. That would bring
up the question how can I make the jsp page access directories that are not
accessible to the user. I posted this question in the newsgroup but had no
good answer. One guy made the suggestion to read the file with
FileInputStreams and pass it on to the browser, but I think this would be
very hard to implement.

 and replace xxx by the value returned from request.getRemoteUser().  This
 would allow the user access *only* to his or her own mailboxes.

 I'm assuming that you are *not* allowing users to upload their own
 servlets or JSP pages, so they can only access what your app allows.  If
 this is not true, all bets are off (and I wouldn't ever trust your server
 with my mail messages anyway :-).

NO, of course not :)




Re: Limits on the size of the web.xml file?

2001-09-03 Thread Craig R. McClanahan



On Mon, 3 Sep 2001, Roland wrote:

 Date: Mon, 3 Sep 2001 16:37:17 -0300
 From: Roland [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Limits on the size of the web.xml file?

  The details *vastly* depend on how your app is put together, but it isn't
  all that complicated to figure out.
 
  Consider that you might have the mailboxes for a particular user defined
  in a database table called mailboxes, with columns username and
  mailboxname.  It would be easy to construct an SQL statement like this:
 
select mailboxname from mailboxes
  where username = xxx

 Ok, having Data in the database is fine. But what if we also have image
 data? We will store Charts and things like that. I think it would be easier
 to create a directory for each user (maybe I'm wrong). It is possible to
 store images in a mysql database but I think it's not as easy as text data.
 And then we will have to create a HTML page from that image data and send it
 to the user.

Storing binary data in the database isn't all that hard.  Then, all you'd
need to do is create a servlet mapped to *.gif, *.jpg, and so on that
did the user identity check before serving the contents (in binary).  The
same basic principle would work for data stored in per-user directories.
In essence, you're replacing the default file-serving servlet that comes
with Tomcat.

If you run under Tomcat 4 (which supports Servlet 2.3), you also have
another choice -- you can implement your custom authentication checker as
a Filter instead of a Servlet.  That way, you can apply your own custom
check onto any path, without having to modify or replace the file-serving
servlet that comes with Tomcat.

Craig
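The Filter approach from the message above, as an added example that is not code from the thread or from Tomcat: it lets a logged-in user fetch files only from a directory named after their own login and passes allowed requests on to the container's file-serving servlet. The class name `OwnDirectoryFilter` and the `/userfiles/<username>/` layout are assumptions; the code is written in current Java against the javax.servlet API.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Map in web.xml with a <filter-mapping> whose url-pattern is /userfiles/* (assumed layout).
public class OwnDirectoryFilter implements Filter {
    private static final String ROOT = "/userfiles";   // assumed per-user directory root

    /** May 'user' fetch the context-relative, already URL-decoded 'path'? */
    static boolean allowed(String user, String path) {
        if (user == null || user.isEmpty() || path == null) return false;
        try {
            Path base = Paths.get(ROOT, user).normalize();
            // A username such as ".." or "a/b" would change the depth of base: refuse it.
            if (base.getNameCount() != 2) return false;
            // normalize() resolves "../" segments before the comparison; startsWith()
            // compares whole path elements, so "alice" does not match "alice2".
            Path wanted = Paths.get(path).normalize();
            return wanted.startsWith(base) && wanted.getNameCount() > 2;
        } catch (InvalidPathException e) {
            return false;                               // e.g. NUL byte in the path
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        // getServletPath()/getPathInfo() are decoded by the container, unlike getRequestURI().
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        if (allowed(req.getRemoteUser(), path)) {
            chain.doFilter(rq, rs);                     // the container's file servlet serves it
        } else {
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

A security constraint in web.xml that requires a logged-in user for the same URL pattern still applies; the filter adds only the per-user ownership check on top of it.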





Re: Limits on the size of the web.xml file?

2001-09-03 Thread Craig R. McClanahan



On Mon, 3 Sep 2001, Roland wrote:

 Date: Mon, 3 Sep 2001 15:15:36 -0300
 From: Roland [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Limits on the size of the web.xml file?

 Hello is there a limit to the size of the web.xml file?

There are no predefined limits -- the only limits will be indirect ones
based on how much JVM heap space it takes to represent the security
constraints, servlet mappings, and so on internal to the container.

 This is because if
 we want to have a large user database with say 500 users, and make a
 separate security constraint for each user to protect his directories from
 the other users we will have quite a large web.xml file.
 Each security constraint has 602 bytes(characters), that would make 500*602
 = 301000 bytes = 300 Kb(for 500 users).


From an XML parsing perspective, or an in-memory perspective, 300kb isn't
much (I've run some large scale apps on gigabyte-memory machines :-).  But
...

 Any problems with that?

 What about the really large stuff(fortunately not our case)? If you would
 make a public Webmail and have say 1 000 000(one million) users?
 That would make 602 Million bytes = 602 Megabyte web.xml file. Quite large,
 isn't it ? :)))


Sounds like a redesign is more appropriate.

Memory issues aside, have you considered the fact that using individual
security constraints for each and every user means that you have to
restart the entire app every time you add a new user?  Or, that every time
you add a user and restart, the restart time gets longer and longer?

I suggest that you use security constraints to ensure things like there
must be a logged on user.  You can also use roles to identify whether the
particular user is ordinary, or has administrative capabilities as well,
by defining a few roles.

Use application specific logic to ensure that a particular user can only
see things that are relevant to them (i.e.  their own mailbox in a
WebMail scenario).

 Thanks Roland




Craig McClanahan





Re: Limits on the size of the web.xml file?

2001-09-03 Thread Craig R. McClanahan



On Mon, 3 Sep 2001, Calvin Lau wrote:

 Date: Mon, 03 Sep 2001 14:23:19 -0700
 From: Calvin Lau [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Limits on the size of the web.xml file?

 My web.xml file worked fine in Tomcat3.2.1 as did the Context/Context that
 I added to server.xml.  Are there differences in the DTD I'm not aware of?


There are two differences that may or may not be relevant to a particular
web app:

* Tomcat 4 does a *validating* XML parse of the web.xml file, so it will
  choke on things like elements not being in the order required by the
  DTD.  (Normally, though, you get a more intelligible error message than
  this one.)  Tomcat 3.x did *not* do a validating parse, so the XML
  checking was not as rigorous.

* Tomcat 4 uses JAXP/1.1 to parse web.xml files, where Tomcat 3.2 uses
  JAXP/1.0.  There might have been changes in what the underlying parsers
  accept.

The web.xml DTD for Servlet 2.3 is a proper superset of the DTD for
Servlet 2.2.  In addition, a 2.3 container (like Tomcat 4) is required to
accept a valid web.xml file based on the Servlet 2.2 or 2.3 DTDs.  But, it
does have to be valid (in the XML sense) for this portability to be
achieved -- Tomcat 3.x didn't require this, so it accepted some incorrect
web.xml files.

Craig



 Calvin

 Craig R. McClanahan wrote:

  On Mon, 3 Sep 2001, Roland wrote:
 
   Date: Mon, 3 Sep 2001 16:37:17 -0300
   From: Roland [EMAIL PROTECTED]
   Reply-To: [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Subject: Re: Limits on the size of the web.xml file?
  
The details *vastly* depend on how your app is put together, but it isn't
all that complicated to figure out.
   
Consider that you might have the mailboxes for a particular user defined
in a database table called mailboxes, with columns username and
mailboxname.  It would be easy to construct an SQL statement like this:
   
  select mailboxname from mailboxes
where username = xxx
  
   Ok, having Data in the database is fine. But what if we also have image
   data? We will store Charts and things like that. I think it would be easier
   to create a directory for each user (maybe I'm wrong). It is possible to
   store images in a mysql database but I think it's not as easy as text data.
   And then we will have to create a HTML page from that image data and send it
   to the user.
 
  Storing binary data in the database isn't all that hard.  Then, all you'd
  need to do is create a servlet mapped to *.gif, *.jpg, and so on that
  did the user identity check before serving the contents (in binary).  The
  same basic principle would work for data stored in per-user directories.
  In essence, you're replacing the default file-serving servlet that comes
  with Tomcat.
 
  If you run under Tomcat 4 (which supports Servlet 2.3), you also have
  another choice -- you can implement your custom authentication checker as
  a Filter instead of a Servlet.  That way, you can apply your own custom
  check onto any path, without having to modify or replace the file-serving
  servlet that comes with Tomcat.
 
  Craig