RE: [newbie] Container Managed Security - preventing direct access to .jsp
Filters are portable. On Tue, 2004-12-14 at 12:32, Robert Taylor wrote: Ping... Please let me know if this questions is just too obvious and I'll gladly RTFM...even more. And yes, I know this list is not here just to serve _my_ interests. It just seems like a common idiom to provide a portable mechanism for protecting direct access to .jsp so as to enforce access through some controller. I have in the past placed .jsp files behind WEB-INF, but I don't believe that is portable and would like to use CMS to achieve this. Thanks again. /robert -Original Message- From: Robert Taylor [mailto:[EMAIL PROTECTED] Sent: Monday, December 13, 2004 8:59 PM To: [EMAIL PROTECTED] Subject: [newbie] Container Managed Security - preventing direct access to .jsp Greetings, I'm new to Tomcat and this mailing list, and have a question regarding configuring Tomcat to simply disallow access to .jsp pages which I have been protected via the security-constraint/ in my web app web.xml file. From what I understand, the following should do the trick and cause a 403 error to be sent to the browser by the container. I would like to trap that error code and display a user friendly page (I chose any page so I would know it's working). I've simply modified the Tomcat jsp-examples web app. Here's a snippet of the necessary artifacts in the web.xml file. error-page error-code403/error-code location/dates/date.jsp/location /error-page security-constraint display-nameExample Security Constraint/display-name web-resource-collection web-resource-nameProtected Area/web-resource-name url-pattern/security/protected/*/url-pattern /web-resource-collection /security-constraint I believe the constraint is working, but I don't think the error-page/ is catching the 403 status code. This is probably because a 403 status code is not returned, but rather a 200 (I verified this by looking at the response headers). Anyhow, the content of the returned page is below within the content/: content You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86 No user principal could be identified. To check whether your username has been granted a particular role, enter it here: If you have configured this app for form-based authentication, you can log off by clicking here. This should cause you to be returned to the logon page after the redirect that is performed. /content I'm sure this has happened to someone else, I just cannot find where. I googled and didn't come up with much. I searched the archives using You are logged in as remote user null in session and no matches were found. Any help would be greatly appreciated. /robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [newbie] Container Managed Security - preventing direct access to .jsp
Robert Taylor wrote: Please let me know if this questions is just too obvious and I'll gladly RTFM... See below :-) It just seems like a common idiom to provide a portable mechanism for protecting direct access to .jsp so as to enforce access through some controller. I have in the past placed .jsp files behind WEB-INF, but I don't believe that is portable and would like to use CMS to achieve this. Given that the Java Servlet Specification Version 2.4, page 70 sez: A special directory exists within the application hierarchy named WEB-INF. This directory contains all things related to the application that aren't in the document root of the application. The WEB-INF node is not part of the public document tree of the application. No file contained in the WEB-INF directory may be served directly to a client by the container. I don't know how much more portable you want it to be :-) HTH! -- Hassan Schroeder - [EMAIL PROTECTED] Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com dream. code. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [newbie] Container Managed Security - preventing direct accessto .jsp
Yes. That would be an alternative approach. However, I want to use CMS (Container Managed Security) to protect direct access to .jsp pages. This should be possible as per the Servlet specification. /robert -Original Message- From: Ben Souther [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 14, 2004 1:16 PM To: Tomcat Users List Subject: RE: [newbie] Container Managed Security - preventing direct accessto .jsp Filters are portable. On Tue, 2004-12-14 at 12:32, Robert Taylor wrote: Ping... Please let me know if this questions is just too obvious and I'll gladly RTFM...even more. And yes, I know this list is not here just to serve _my_ interests. It just seems like a common idiom to provide a portable mechanism for protecting direct access to .jsp so as to enforce access through some controller. I have in the past placed .jsp files behind WEB-INF, but I don't believe that is portable and would like to use CMS to achieve this. Thanks again. /robert -Original Message- From: Robert Taylor [mailto:[EMAIL PROTECTED] Sent: Monday, December 13, 2004 8:59 PM To: [EMAIL PROTECTED] Subject: [newbie] Container Managed Security - preventing direct access to .jsp Greetings, I'm new to Tomcat and this mailing list, and have a question regarding configuring Tomcat to simply disallow access to .jsp pages which I have been protected via the security-constraint/ in my web app web.xml file. From what I understand, the following should do the trick and cause a 403 error to be sent to the browser by the container. I would like to trap that error code and display a user friendly page (I chose any page so I would know it's working). I've simply modified the Tomcat jsp-examples web app. Here's a snippet of the necessary artifacts in the web.xml file. error-page error-code403/error-code location/dates/date.jsp/location /error-page security-constraint display-nameExample Security Constraint/display-name web-resource-collection web-resource-nameProtected Area/web-resource-name url-pattern/security/protected/*/url-pattern /web-resource-collection /security-constraint I believe the constraint is working, but I don't think the error-page/ is catching the 403 status code. This is probably because a 403 status code is not returned, but rather a 200 (I verified this by looking at the response headers). Anyhow, the content of the returned page is below within the content/: content You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86 No user principal could be identified. To check whether your username has been granted a particular role, enter it here: If you have configured this app for form-based authentication, you can log off by clicking here. This should cause you to be returned to the logon page after the redirect that is performed. /content I'm sure this has happened to someone else, I just cannot find where. I googled and didn't come up with much. I searched the archives using You are logged in as remote user null in session and no matches were found. Any help would be greatly appreciated. /robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [newbie] Container Managed Security - preventing direct access to .jsp
Thanks Hassan. I didn't realize that was added to the 2.4 spec. Thanks for pointing that out. Even so, it would be nice to know how to use CMS to achieve this. Maybe a better way to form the question would be how do I use CMS to protect .jsp pages from direct access and return a user friendly page/message when a .jsp page is requested without going through the controller? /robert -Original Message- From: Hassan Schroeder [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 14, 2004 2:21 PM To: Tomcat Users List Subject: Re: [newbie] Container Managed Security - preventing direct access to .jsp Robert Taylor wrote: Please let me know if this questions is just too obvious and I'll gladly RTFM... See below :-) It just seems like a common idiom to provide a portable mechanism for protecting direct access to .jsp so as to enforce access through some controller. I have in the past placed .jsp files behind WEB-INF, but I don't believe that is portable and would like to use CMS to achieve this. Given that the Java Servlet Specification Version 2.4, page 70 sez: A special directory exists within the application hierarchy named WEB-INF. This directory contains all things related to the application that aren't in the document root of the application. The WEB-INF node is not part of the public document tree of the application. No file contained in the WEB-INF directory may be served directly to a client by the container. I don't know how much more portable you want it to be :-) HTH! -- Hassan Schroeder - [EMAIL PROTECTED] Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com dream. code. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [newbie] Container Managed Security - preventing direct access to .jsp
I have not run into that kind of problem before... typically if you hit a JSP without hitting its controller first you will just get nothing (an HTML screen with no data). when it gets routed back to the controller, it will then register a failure due to lack of data. Problem solved. [EMAIL PROTECTED] 12-14-2004 12:20 Robert Taylor wrote: Please let me know if this questions is just too obvious and I'll gladly RTFM... See below :-) It just seems like a common idiom to provide a portable mechanism for protecting direct access to .jsp so as to enforce access through some controller. I have in the past placed .jsp files behind WEB-INF, but I don't believe that is portable and would like to use CMS to achieve this. Given that the Java Servlet Specification Version 2.4, page 70 sez: A special directory exists within the application hierarchy named WEB-INF. This directory contains all things related to the application that aren't in the document root of the application. The WEB-INF node is not part of the public document tree of the application. No file contained in the WEB-INF directory may be served directly to a client by the container. I don't know how much more portable you want it to be :-) HTH! -- Hassan Schroeder - [EMAIL PROTECTED] Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com dream. code. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [newbie] Container Managed Security - preventing direct access to .jsp
Fair enough. When I mention Container Managed Security, I am refering to using security constraints defined in web.xml to prevent direct access to resources. More specifically in Section 12.8 of the 2.4 specification: Security constraints are a declarative way of defining the protection of web content. A security constraint associates authorization and or user data constraints with HTTP operations on web resources. A security constraint, which is represented by security-constraint in deployment descriptor, consists of the following elements: web resource collection (web-resource-collection in deployment descriptor) authorization constraint (auth-constraint in deployment descriptor) user data constraint (user-data-constraint in deployment descriptor) The HTTP operations and web resources to which a security constraint applies (i.e. the constrained requests) are identified by one or more web resource collections. A web resource collection consists of the following elements: URL patterns (url-pattern in deployment descriptor) HTTP methods (http-method in deployment descriptor) An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests. A user must be a member of at least one of the named roles to be permitted to perform the constrained requests. The special role name * is a shorthand for all role names defined in the deployment descriptor. An authorization constraint that names no roles indicates that access to the constrained requests must not be permitted under any circumstances. Does this not imply that I can do what I am trying to do? /robert -Original Message- From: Hassan Schroeder [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 14, 2004 5:07 PM To: Tomcat Users List Subject: Re: [newbie] Container Managed Security - preventing direct access to .jsp Robert Taylor wrote: I didn't realize that was added to the 2.4 spec. It was in 2.3, too. I'd guess it was in the spec from the get-go, but don't have an older copy to hand to confirm. Even so, it would be nice to know how to use CMS to achieve this. What is your definition of Container Managed Security, then, if not this? The container prevents direct access to the resources placed within WEB-INF, without you having to do anything else. Maybe a better way to form the question would be how do I use CMS to protect .jsp pages from direct access as above. and return a user friendly page/message when a .jsp page is requested without going through the controller? A custom 404 page should take care of it. And you can get as fancy with that as you like :-) FWIW! -- Hassan Schroeder - [EMAIL PROTECTED] Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com dream. code. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [newbie] Container Managed Security - preventing direct access to .jsp
Robert Taylor wrote: Does this not imply that I can do what I am trying to do? I suppose; I'm just baffled why you want to reinvent this particular built-in wheel, but don't let that stop you :-) -- Hassan Schroeder - [EMAIL PROTECTED] Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com dream. code. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [newbie] Container Managed Security - preventing direct access to .jsp
I'm not trying to re-invent anything. I'm just trying to leverage the specification to secure resources. Personally I prefer WEB-INF to contain web application configuration and information resources instead of content and other non-configuration resources. IMHO, its intuitive that way. For anyone else that may even be remotely interested in this topic, some further googling produced some interesting results. I searched using the string: preventing direct access to .jsp files It appears that there is no standard way to do this even though it's implied in the spec. Here's a good example: http://forums.bea.com/bea/message.jspa?messageID=202433201 Oh well... /robert -Original Message- From: Hassan Schroeder [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 14, 2004 5:55 PM To: Tomcat Users List Subject: Re: [newbie] Container Managed Security - preventing direct access to .jsp Robert Taylor wrote: Does this not imply that I can do what I am trying to do? I suppose; I'm just baffled why you want to reinvent this particular built-in wheel, but don't let that stop you :-) -- Hassan Schroeder - [EMAIL PROTECTED] Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com dream. code. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [newbie] Container Managed Security - preventing direct access to .jsp
Have you tried writing a session bean??? if not just write a session bean and import it as a header in all you *.jsp pages. The sessions will controll the flow of the application. ex: %@ include file=Secrity_stuff.jsp % This is common in writing applications. Robert Taylor wrote: Thanks Hassan. I didn't realize that was added to the 2.4 spec. Thanks for pointing that out. Even so, it would be nice to know how to use CMS to achieve this. Maybe a better way to form the question would be how do I use CMS to protect .jsp pages from direct access and return a user friendly page/message when a .jsp page is requested without going through the controller? /robert -Original Message- From: Hassan Schroeder [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 14, 2004 2:21 PM To: Tomcat Users List Subject: Re: [newbie] Container Managed Security - preventing direct access to .jsp Robert Taylor wrote: Please let me know if this questions is just too obvious and I'll gladly RTFM... See below :-) It just seems like a common idiom to provide a portable mechanism for protecting direct access to .jsp so as to enforce access through some controller. I have in the past placed .jsp files behind WEB-INF, but I don't believe that is portable and would like to use CMS to achieve this. Given that the Java Servlet Specification Version 2.4, page 70 sez: A special directory exists within the application hierarchy named WEB-INF. This directory contains all things related to the application that aren't in the document root of the application. The WEB-INF node is not part of the public document tree of the application. No file contained in the WEB-INF directory may be served directly to a client by the container. I don't know how much more portable you want it to be :-) HTH! -- Hassan Schroeder - [EMAIL PROTECTED] Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com dream. code. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Dwayne A. Ghant Application Developer Temple University 215.204. [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [newbie] Container Managed Security - preventing direct access to .jsp
Robert Taylor wrote: I didn't realize that was added to the 2.4 spec. It was in 2.3, too. I'd guess it was in the spec from the get-go, but don't have an older copy to hand to confirm. Even so, it would be nice to know how to use CMS to achieve this. What is your definition of Container Managed Security, then, if not this? The container prevents direct access to the resources placed within WEB-INF, without you having to do anything else. Maybe a better way to form the question would be how do I use CMS to protect .jsp pages from direct access as above. and return a user friendly page/message when a .jsp page is requested without going through the controller? A custom 404 page should take care of it. And you can get as fancy with that as you like :-) FWIW! -- Hassan Schroeder - [EMAIL PROTECTED] Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com dream. code. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [newbie] Container Managed Security - preventing direct access to .jsp
From: Hassan Schroeder [EMAIL PROTECTED] Given that the Java Servlet Specification Version 2.4, page 70 sez: A special directory exists within the application hierarchy named WEB-INF. This directory contains all things related to the application that aren't in the document root of the application. The WEB-INF node is not part of the public document tree of the application. No file contained in the WEB-INF directory may be served directly to a client by the container. I don't know how much more portable you want it to be :-) Except that I think at least one commercial Servlet container interpreted it more strictly and refused to serve anything under WEB-INF, even with a forward. IOW, the specification says the container MAY NOT serve anything under WEB-INF directly, but it doesn't say that the container MUST serve those things INdirectly. No idea which one that was, I just remember being warned when I put things under WEB-INF, that it wouldn't work everywhere. Since I never plan to use anything but Tomcat, it wasn't a problem. -- Wendy Smoak - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [newbie] Container Managed Security - preventing direct access to .jsp
It appears that there is no standard way to do this even though it's implied in the spec. I don't know how standard this is but it works. The trick is in the auth-constraint node (note the commented out role-name). Since it is exclusive. Not declaring a role-name for the protected resource denies access to everyone. You then catch the 403 error with an error page mapping and you're good to go. The JSPs can still be accessed from the request dispatcher so you can reach them through the MVC pattern. I suppose a simpler solution would be simply to create a servelet-mapping with a url pattern of *.jsp and map it to an error servlet. If you want to test this out quickly grab the SimpleMVC.war from http://simple.souther.us and replace the web.xml file with this one. You'd have to create your own no-jsp-4-u.html page. Hope it helps -Ben ?xml version=1.0 encoding=ISO-8859-1? web-app xmlns=http://java.sun.com/xml/ns/j2ee; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd; version=2.4 servlet servlet-name ControllerServlet /servlet-name servlet-class us.souther.simple.mvc.ControllerServlet/servlet-class /servlet servlet-mapping servlet-nameControllerServlet/servlet-name url-pattern/simple-mvc/url-pattern /servlet-mapping security-constraint web-resource-collection web-resource-name off-limits /web-resource-name url-pattern *.jsp /url-pattern /web-resource-collection auth-constraint !--role-name manager /role-name-- /auth-constraint /security-constraint error-page error-code403/error-code location/no-jsp-4-u.html/location /error-page /web-app - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[newbie] Container Managed Security - preventing direct access to .jsp
Greetings, I'm new to Tomcat and this mailing list, and have a question regarding configuring Tomcat to simply disallow access to .jsp pages which I have been protected via the security-constraint/ in my web app web.xml file. From what I understand, the following should do the trick and cause a 403 error to be sent to the browser by the container. I would like to trap that error code and display a user friendly page (I chose any page so I would know it's working). I've simply modified the Tomcat jsp-examples web app. Here's a snippet of the necessary artifacts in the web.xml file. error-page error-code403/error-code location/dates/date.jsp/location /error-page security-constraint display-nameExample Security Constraint/display-name web-resource-collection web-resource-nameProtected Area/web-resource-name url-pattern/security/protected/*/url-pattern /web-resource-collection /security-constraint I believe the constraint is working, but I don't think the error-page/ is catching the 403 status code. This is probably because a 403 status code is not returned, but rather a 200 (I verified this by looking at the response headers). Anyhow, the content of the returned page is below within the content/: content You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86 No user principal could be identified. To check whether your username has been granted a particular role, enter it here: If you have configured this app for form-based authentication, you can log off by clicking here. This should cause you to be returned to the logon page after the redirect that is performed. /content I'm sure this has happened to someone else, I just cannot find where. I googled and didn't come up with much. I searched the archives using You are logged in as remote user null in session and no matches were found. Any help would be greatly appreciated. /robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [newbie] Container Managed Security - preventing direct access to .jsp
Sorry. I left off some info: Tomcat 5.0.25 Win2k JDK1.4.2 /robert -Original Message- From: Robert Taylor [mailto:[EMAIL PROTECTED] Sent: Monday, December 13, 2004 8:59 PM To: [EMAIL PROTECTED] Subject: [newbie] Container Managed Security - preventing direct access to .jsp Greetings, I'm new to Tomcat and this mailing list, and have a question regarding configuring Tomcat to simply disallow access to .jsp pages which I have been protected via the security-constraint/ in my web app web.xml file. From what I understand, the following should do the trick and cause a 403 error to be sent to the browser by the container. I would like to trap that error code and display a user friendly page (I chose any page so I would know it's working). I've simply modified the Tomcat jsp-examples web app. Here's a snippet of the necessary artifacts in the web.xml file. error-page error-code403/error-code location/dates/date.jsp/location /error-page security-constraint display-nameExample Security Constraint/display-name web-resource-collection web-resource-nameProtected Area/web-resource-name url-pattern/security/protected/*/url-pattern /web-resource-collection /security-constraint I believe the constraint is working, but I don't think the error-page/ is catching the 403 status code. This is probably because a 403 status code is not returned, but rather a 200 (I verified this by looking at the response headers). Anyhow, the content of the returned page is below within the content/: content You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86 No user principal could be identified. To check whether your username has been granted a particular role, enter it here: If you have configured this app for form-based authentication, you can log off by clicking here. This should cause you to be returned to the logon page after the redirect that is performed. /content I'm sure this has happened to someone else, I just cannot find where. I googled and didn't come up with much. I searched the archives using You are logged in as remote user null in session and no matches were found. Any help would be greatly appreciated. /robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Admin and Manager applications don't work withmodifiedCATALINA_BASE and startup.sh -security
I saved my problem with your tip. Thank you very much. -Mensaje original- De: Andoni [mailto:[EMAIL PROTECTED] Enviado el: martes, 30 de noviembre de 2004 12:12 Para: Tomcat Users List Asunto: Re: Admin and Manager applications don't work withmodifiedCATALINA_BASE and startup.sh -security Your problem is this one line: java.security.AccessControlException: access denied (java.io.FilePermission /iobox/servicios/desarrollo/mms/webapps/admin/WEB-INF/lib/struts.jar read) Forget about all the rest. You have put the following into catalina.policy: catalina.policy in $CATALINA_BASE/conf was modified with: grant codeBase file:/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/admin/ WEB-INF/classes/- { permission java.security.AllPermission; }; I would recommend that you fix the problem by taking out the directory here and starting with full permissions to be sure everything works then: grant { permission java.security.AllPermission; } Assuming that this box is not live on the web and that you trust everyone who has access to it! Then add the directories one at a time, testing as you go: grant codeBase file:/iobox/- { permission java.security.AllPermission; } Then grow it up until something breaks again. Andoni. - Original Message - From: David Crecente [EMAIL PROTECTED] Newsgroups: gmane.comp.jakarta.tomcat.user Sent: Tuesday, November 30, 2004 9:03 AM Subject: Admin and Manager applications don't work with modified CATALINA_BASE and startup.sh -security Hi all, I have problems to run jakarta-tomcat-4.1.31 with CATALINA_BASE other than CATALINA_HOME using security. I use startup.sh -security. My CATALINA_HOME is /iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31 My CATALINA_BASE is /iobox/servicios/desarrollo/mms My admin.xml is in /iobox/servicios/desarrollo/mms/webapps My manager.xml is in /iobox/servicios/desarrollo/mms/webapps admin.xml and manager.xml were modified following http://jakarta.apache.org/tomcat/tomcat-4.1-doc/RUNNING.txt so, admin.xml has Context path=/admin docBase=/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/adm in debug=0 privileged=true and manager.xml has Context path=/admin docBase=/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/man ager debug=0 privileged=true catalina.policy in $CATALINA_BASE/conf was modified with: grant codeBase file:/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/admin/ WEB-INF/classes/- { permission java.security.AllPermission; }; grant codeBase file:/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/admin/ WEB-INF/lib/struts.jar { permission java.security.AllPermission; }; When Tomcat is starting I get the next exception: - Root Cause - java.security.AccessControlException: access denied (java.io.FilePermission /iobox/servicios/desarrollo/mms/webapps/admin/WEB-INF/lib/struts.jar read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java :270) Any idea will be appreciated. Thank you in advance. Full exception is: 2004-11-30 09:14:52 StandardWrapper[/admin:default]: Loading container servlet default 2004-11-30 09:14:52 StandardContext[/admin]: Servlet /admin threw load() exception javax.servlet.ServletException: Servlet.init() for servlet action threw exception at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:91 6) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:776) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java: 3363) at org.apache.catalina.core.StandardContext.start(StandardContext.java:3586) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1141) at org.apache.catalina.core.StandardHost.start(StandardHost.java:707) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1141) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:316) at org.apache.catalina.core.StandardService.start(StandardService.java:450) at org.apache.catalina.core.StandardServer.start(StandardServer.java:2143) at org.apache.catalina.startup.Catalina.start(Catalina.java:463) at org.apache.catalina.startup.Catalina.execute(Catalina.java:350) at org.apache.catalina.startup.Catalina.process(Catalina.java:129) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39 ) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:324) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:156) - Root Cause - java.security.AccessControlException: access denied
Tomcat Security Application
Hi, i've implemented an application using tomcat security FORM based, and authenticating against a database. My login page is the standard FORM: form method=POST action='%=response.encodeURL(j_security_check) %' table border=3 align=center cellpadding=3 cellspacing=1 bordercolor=#99 class=Stile1 tr td width=71pUsername:/p/td td width=176input type=text name=j_username/td /tr tr tdpPassword:/p/td tdinput type=password name=j_password/td /tr tr tdnbsp;/td td div align=left input type=submit value=Login input type=reset value=Reset /div/td /tr /table /form The problem is that when i login the page seems to authenticate correctly, but when i click the back browser button and i retry to login again it gives an error page with the message: The requested resource (/pmt/manage/j_security_check) is not available. Can anyone help me? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
basic security tutorial
hello! does anyone know if there's a tutorial or reference on how to set up basic security using tomcat (5.5)? i'd like to get a better understanding of how to secure particular pages in a webapp. thanks! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: basic security tutorial
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html Is a start, but doesn't give a how to. From the web.xml for the examples with added comments. !--Starts the section. Located after jsp-config near end of file-- security-constraint !--A description for identification by you. In real world might be Salesmen Area. Or Admin Only-- display-nameExample Security Constraint/display-name web-resource-collection web-resource-nameProtected Area/web-resource-name !-- Define the context-relative URL(s) to be protected (* may only be used at end of string)-- !--Follows file structure in the app. If you need different areas for different people, place in peer folders.-- url-pattern/security/protected/*/url-pattern !-- If you list http methods, only those methods are protected -- http-methodDELETE/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method /web-resource-collection auth-constraint !-- Anyone with one of the listed roles may access this area -- role-nametomcat/role-name role-namerole1/role-name /auth-constraint /security-constraint If you had another area to protect and its location was in /security/safe then create another complete security-constraint and use /security/safe/* as the url-pattern. Then define the role-name for this area for example: role-nametomcat/role-name role-namerole2/role-name This allows a user of role tomcat to access both areas but only role2 can get pages from safe. Then define the roles. !-- Security roles referenced by this web application -- security-role role-namerole1/role-name /security-role security-role role-namerole2/role-name /security-role security-role role-nametomcat/role-name /security-role Now where Tomcat goes to look up the user/password to determine the role depends on the method you choose as discussed in the link. If I have foobarred something, hopefully someone will be nice and correct me nicely. Doug www.parsonstechnical.com - Original Message - From: Jeff Ousley [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, December 02, 2004 3:24 PM Subject: basic security tutorial hello! does anyone know if there's a tutorial or reference on how to set up basic security using tomcat (5.5)? i'd like to get a better understanding of how to secure particular pages in a webapp. thanks! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
How/Where do I get security advisories for tomcat ?
Is there an official channel/website where security advisories for tomcat are releases/posted ? I saw some advisories on www.cert.org. Is www.cert.org the official source for these security advisories ? ___ Regards, Jeff Ong IBM Toronto Lab, Toronto, CANADA - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How/Where do I get security advisories for tomcat ?
Hi, CERT is about as official as you can get, yeah. Yoav Shapira http://www.yoavshapira.com -Original Message- From: Jeff Ong [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 01, 2004 2:43 PM To: [EMAIL PROTECTED] Subject: How/Where do I get security advisories for tomcat ? Is there an official channel/website where security advisories for tomcat are releases/posted ? I saw some advisories on www.cert.org. Is www.cert.org the official source for these security advisories ? ___ Regards, Jeff Ong IBM Toronto Lab, Toronto, CANADA - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How/Where do I get security advisories for tomcat ?
Thanks for the information Yoav. Regards, Jeff Ong IBM Toronto Lab, Toronto, CANADA - Message from Shapira, Yoav [EMAIL PROTECTED] on Wed, 1 Dec 2004 14:55:17 -0500 - To: Tomcat Users List [EMAIL PROTECTED] Subject: RE: How/Where do I get security advisories for tomcat ? Hi, CERT is about as official as you can get, yeah. Yoav Shapira http://www.yoavshapira.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Admin and Manager applications don't work with modified CATALINA_BASE and startup.sh -security
Hi all, I have problems to run jakarta-tomcat-4.1.31 with CATALINA_BASE other than CATALINA_HOME using security. I use startup.sh -security. My CATALINA_HOME is /iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31 My CATALINA_BASE is /iobox/servicios/desarrollo/mms My admin.xml is in /iobox/servicios/desarrollo/mms/webapps My manager.xml is in /iobox/servicios/desarrollo/mms/webapps admin.xml and manager.xml were modified following http://jakarta.apache.org/tomcat/tomcat-4.1-doc/RUNNING.txt so, admin.xml has Context path=/admin docBase=/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/adm in debug=0 privileged=true and manager.xml has Context path=/admin docBase=/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/man ager debug=0 privileged=true catalina.policy in $CATALINA_BASE/conf was modified with: grant codeBase file:/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/admin/ WEB-INF/classes/- { permission java.security.AllPermission; }; grant codeBase file:/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/admin/ WEB-INF/lib/struts.jar { permission java.security.AllPermission; }; When Tomcat is starting I get the next exception: - Root Cause - java.security.AccessControlException: access denied (java.io.FilePermission /iobox/servicios/desarrollo/mms/webapps/admin/WEB-INF/lib/struts.jar read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java :270) Any idea will be appreciated. Thank you in advance. Full exception is: 2004-11-30 09:14:52 StandardWrapper[/admin:default]: Loading container servlet default 2004-11-30 09:14:52 StandardContext[/admin]: Servlet /admin threw load() exception javax.servlet.ServletException: Servlet.init() for servlet action threw exception at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:91 6) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:776) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java: 3363) at org.apache.catalina.core.StandardContext.start(StandardContext.java:3586) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1141) at org.apache.catalina.core.StandardHost.start(StandardHost.java:707) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1141) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:316) at org.apache.catalina.core.StandardService.start(StandardService.java:450) at org.apache.catalina.core.StandardServer.start(StandardServer.java:2143) at org.apache.catalina.startup.Catalina.start(Catalina.java:463) at org.apache.catalina.startup.Catalina.execute(Catalina.java:350) at org.apache.catalina.startup.Catalina.process(Catalina.java:129) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39 ) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:324) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:156) - Root Cause - java.security.AccessControlException: access denied (java.io.FilePermission /iobox/servicios/desarrollo/mms/webapps/admin/WEB-INF/lib/struts.jar read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java :270) at java.security.AccessController.checkPermission(AccessController.java:401) at java.lang.SecurityManager.checkPermission(SecurityManager.java:542) at java.lang.SecurityManager.checkRead(SecurityManager.java:887) at java.util.zip.ZipFile.init(ZipFile.java:107) at java.util.jar.JarFile.init(JarFile.java:117) at java.util.jar.JarFile.init(JarFile.java:55) at sun.net.www.protocol.jar.URLJarFile.init(URLJarFile.java:55) at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:40) at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:53) at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:85) at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.ja va:105) at java.net.URL.openStream(URL.java:960) at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source) at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source) at org.apache.xerces.impl.XMLEntityManager.startDTDEntity(Unknown Source) at org.apache.xerces.impl.XMLDTDScannerImpl.setInputSource(Unknown Source) at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source) at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source
RE: Runtime.exec security issue?
Any further thoughts on this issue? There must be some reason why this won't run under Tomcat but does work stand-alone. To recap, I am trying to execute the following code on an Xp box with Tomcat 5.0.27: Process proc = runtime.exec(cmd.exe /C shutdown -r -f -m \\myPC -t 50); int exitVal = proc.waitFor(); When this runs the proc exits with a value of 0 but nothing happens (no re-boot) and no exceptions are thrown. I have tried running the code from a batch file and without the cmd.exe /C bit. I have tried running Tomcat from the command line (not as service). I have tried allowing all permissions in the catalina.policy file: grant codeBase file:${catalina.home}/webapps/ROOT/WEB-INF/classes/- { permission java.security.AllPermission *; }; I CAN successfully set the the system time and date using the same approach though. I am truly flummoxed! Thanks, Andy _ Express yourself with cool new emoticons http://www.msn.co.uk/specials/myemo - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Admin and Manager applications don't work with modified CATALINA_BASE and startup.sh -security
Your problem is this one line: java.security.AccessControlException: access denied (java.io.FilePermission /iobox/servicios/desarrollo/mms/webapps/admin/WEB-INF/lib/struts.jar read) Forget about all the rest. You have put the following into catalina.policy: catalina.policy in $CATALINA_BASE/conf was modified with: grant codeBase file:/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/admin/ WEB-INF/classes/- { permission java.security.AllPermission; }; I would recommend that you fix the problem by taking out the directory here and starting with full permissions to be sure everything works then: grant { permission java.security.AllPermission; } Assuming that this box is not live on the web and that you trust everyone who has access to it! Then add the directories one at a time, testing as you go: grant codeBase file:/iobox/- { permission java.security.AllPermission; } Then grow it up until something breaks again. Andoni. - Original Message - From: David Crecente [EMAIL PROTECTED] Newsgroups: gmane.comp.jakarta.tomcat.user Sent: Tuesday, November 30, 2004 9:03 AM Subject: Admin and Manager applications don't work with modified CATALINA_BASE and startup.sh -security Hi all, I have problems to run jakarta-tomcat-4.1.31 with CATALINA_BASE other than CATALINA_HOME using security. I use startup.sh -security. My CATALINA_HOME is /iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31 My CATALINA_BASE is /iobox/servicios/desarrollo/mms My admin.xml is in /iobox/servicios/desarrollo/mms/webapps My manager.xml is in /iobox/servicios/desarrollo/mms/webapps admin.xml and manager.xml were modified following http://jakarta.apache.org/tomcat/tomcat-4.1-doc/RUNNING.txt so, admin.xml has Context path=/admin docBase=/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/adm in debug=0 privileged=true and manager.xml has Context path=/admin docBase=/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/man ager debug=0 privileged=true catalina.policy in $CATALINA_BASE/conf was modified with: grant codeBase file:/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/admin/ WEB-INF/classes/- { permission java.security.AllPermission; }; grant codeBase file:/iobox/Sw_comercial/Tomcat/jakarta-tomcat-4.1.31/server/webapps/admin/ WEB-INF/lib/struts.jar { permission java.security.AllPermission; }; When Tomcat is starting I get the next exception: - Root Cause - java.security.AccessControlException: access denied (java.io.FilePermission /iobox/servicios/desarrollo/mms/webapps/admin/WEB-INF/lib/struts.jar read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java :270) Any idea will be appreciated. Thank you in advance. Full exception is: 2004-11-30 09:14:52 StandardWrapper[/admin:default]: Loading container servlet default 2004-11-30 09:14:52 StandardContext[/admin]: Servlet /admin threw load() exception javax.servlet.ServletException: Servlet.init() for servlet action threw exception at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:91 6) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:776) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java: 3363) at org.apache.catalina.core.StandardContext.start(StandardContext.java:3586) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1141) at org.apache.catalina.core.StandardHost.start(StandardHost.java:707) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1141) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:316) at org.apache.catalina.core.StandardService.start(StandardService.java:450) at org.apache.catalina.core.StandardServer.start(StandardServer.java:2143) at org.apache.catalina.startup.Catalina.start(Catalina.java:463) at org.apache.catalina.startup.Catalina.execute(Catalina.java:350) at org.apache.catalina.startup.Catalina.process(Catalina.java:129) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39 ) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:324) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:156) - Root Cause - java.security.AccessControlException: access denied (java.io.FilePermission /iobox/servicios/desarrollo/mms/webapps/admin/WEB-INF/lib/struts.jar read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java :270) at java.security.AccessController.checkPermission(AccessController.java:401
Runtime.exec security issue?
Hi, I am trying to run a simple exec command to open notepad with code as follows: Runtime runtime = Runtime.getRuntime(); Process proc = runtime.exec(C:\\WINDOWS\\system32\\notepad.exe); This code works fine from a stand-alone program but not run under Tomcat. I CAN successfully set the the system time and date using the same approach though. I get the same results when Tomcat is not run as a service. I am running Xp with Tomcat 5.0.27. I thought this might be a java permissions issue, but I don't get any exceptions thrown - just nothing happens. Thanks, Andy _ Use MSN Messenger to send music and pics to your friends http://www.msn.co.uk/messenger - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Runtime.exec security issue?
This behaviour makes sense to me as you are trying to display an application but there is not necessarily a windows display associated with Tomcat so it doesnt know where to launch the app to. And by the lack of error message i'd guess that the application is actually getting launched but not displayed on the console. -Original Message- From: andy wix [mailto:[EMAIL PROTECTED] Sent: 29 November 2004 09:45 To: [EMAIL PROTECTED] Subject: Runtime.exec security issue? Hi, I am trying to run a simple exec command to open notepad with code as follows: Runtime runtime = Runtime.getRuntime(); Process proc = runtime.exec(C:\\WINDOWS\\system32\\notepad.exe); This code works fine from a stand-alone program but not run under Tomcat. I CAN successfully set the the system time and date using the same approach though. I get the same results when Tomcat is not run as a service. I am running Xp with Tomcat 5.0.27. I thought this might be a java permissions issue, but I don't get any exceptions thrown - just nothing happens. Thanks, Andy _ Use MSN Messenger to send music and pics to your friends http://www.msn.co.uk/messenger - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Any opinions expressed in this E-mail may be those of the individual and not necessarily the company. This E-mail and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this E-mail in error and that any use or copying is strictly prohibited. If you have received this E-mail in error please notify the beCogent postmaster at [EMAIL PROTECTED] Unless expressly stated, opinions in this email are those of the individual sender and not beCogent Ltd. You must take full responsibility for virus checking this email and any attachments. Please note that the content of this email or any of its attachments may contain data that falls within the scope of the Data Protection Acts and that you must ensure that any handling or processing of such data by you is fully compliant with the terms and provisions of the Data Protection Act 1984 and 1998. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Runtime.exec security issue?
Hi Matt, I have tried running the Tomcat service with 'allow service to interact with desk top' checked in the service properties - I don't know if this should allow Tomat to know about Windows? Also, I don't think the application is actually getting launched as I don't see it in the processes list. Thanks, Andy _ Stay in touch with absent friends - get MSN Messenger http://www.msn.co.uk/messenger - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Runtime.exec security issue?
You could be right. I still reckon that launching graphical programs from tomcat is gonna be a bit dicey. -Original Message- From: andy wix [mailto:[EMAIL PROTECTED] Sent: 29 November 2004 10:13 To: [EMAIL PROTECTED] Subject: RE: Runtime.exec security issue? Hi Matt, I have tried running the Tomcat service with 'allow service to interact with desk top' checked in the service properties - I don't know if this should allow Tomat to know about Windows? Also, I don't think the application is actually getting launched as I don't see it in the processes list. Thanks, Andy _ Stay in touch with absent friends - get MSN Messenger http://www.msn.co.uk/messenger - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Any opinions expressed in this E-mail may be those of the individual and not necessarily the company. This E-mail and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this E-mail in error and that any use or copying is strictly prohibited. If you have received this E-mail in error please notify the beCogent postmaster at [EMAIL PROTECTED] Unless expressly stated, opinions in this email are those of the individual sender and not beCogent Ltd. You must take full responsibility for virus checking this email and any attachments. Please note that the content of this email or any of its attachments may contain data that falls within the scope of the Data Protection Acts and that you must ensure that any handling or processing of such data by you is fully compliant with the terms and provisions of the Data Protection Act 1984 and 1998. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Runtime.exec security issue?
Hi, Actually, I was assuming this was a simple example of a runitme call. My real goal is to allow a privelidged user to re-boot the server with the following code: runtime.exec(cmd.exe /C shutdown -r -f -m \\myPC -t 50); I would also like to call a couple of batch files. These attempts have met with the same (nothing doing) response. Cheers Andy _ It's fast, it's easy and it's free. Get MSN Messenger today! http://www.msn.co.uk/messenger - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Runtime.exec security issue?
Have you tried the shutdown command without launching cmd? This could also be a permissions thing if you are running as a service. By default the service will run as a non-priviliged user which you'd have to change in order to reboot. -Original Message- From: andy wix [mailto:[EMAIL PROTECTED] Sent: 29 November 2004 10:35 To: [EMAIL PROTECTED] Subject: RE: Runtime.exec security issue? Hi, Actually, I was assuming this was a simple example of a runitme call. My real goal is to allow a privelidged user to re-boot the server with the following code: runtime.exec(cmd.exe /C shutdown -r -f -m \\myPC -t 50); I would also like to call a couple of batch files. These attempts have met with the same (nothing doing) response. Cheers Andy _ It's fast, it's easy and it's free. Get MSN Messenger today! http://www.msn.co.uk/messenger - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Any opinions expressed in this E-mail may be those of the individual and not necessarily the company. This E-mail and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this E-mail in error and that any use or copying is strictly prohibited. If you have received this E-mail in error please notify the beCogent postmaster at [EMAIL PROTECTED] Unless expressly stated, opinions in this email are those of the individual sender and not beCogent Ltd. You must take full responsibility for virus checking this email and any attachments. Please note that the content of this email or any of its attachments may contain data that falls within the scope of the Data Protection Acts and that you must ensure that any handling or processing of such data by you is fully compliant with the terms and provisions of the Data Protection Act 1984 and 1998. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Runtime.exec security issue?
Hi, I've tried without the cmd.exe bit and also I have tried with the service set to run as Administrator. Cheers Andy _ Stay in touch with absent friends - get MSN Messenger http://www.msn.co.uk/messenger - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Declarative security in context?
Wendy Smoak wrote: From: Simon Tardell [EMAIL PROTECTED] I want to deploy multiple instances of the same webapp, with different authorization rules. However, declarative security is done in the web.xml of which there will only be one copy (referred by multiple contexts). I'm confused by why you say there's only one copy of web.xml. In addition to the global web.xml, I also have one for each context. Is there a reason why you can't do whatever you're trying to do in the web.xml that lives in .../webapps/yourContext/WEB-INF/ ? I was confused too. I was under (the wrong) impression that the war-files were not expanded. They are (but only if unpackWARs is true for the host) . So, assuming unpackWARs is true, after deploying, I can edit the web.xml. However this bothers me because of three reasons: 1/ It is not persistent. If I upgrade the web app, the old web.xml is replaced, along with the rest of the old version of the web app (correct?). This is a problem if we are talking security constraints. 2/ There is a time window during which a web app is open until I have edited the web.xml (assuming that the default of the web app is to have no constraints). 3/ In the scenario where more than one webapp make upp a website security constraints have to be specified in more than one place. It'd be handy to be able to specify at the host level that all URLs hierarchically under /foo/bar are protected this way and all under /baz some other way regardless of how many webapps that are mounted under each namespace. So, to rephrase my question, how would I go about specifying security constraints on the host level from the outside of any webapp? It is probably easier than I think. Simon Simon Tardell, [EMAIL PROTECTED], +46 70 3198319
Re: Declarative security in context?
Simon Tardell [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Wendy Smoak wrote: From: Simon Tardell [EMAIL PROTECTED] I want to deploy multiple instances of the same webapp, with different authorization rules. However, declarative security is done in the web.xml of which there will only be one copy (referred by multiple contexts). I'm confused by why you say there's only one copy of web.xml. In addition to the global web.xml, I also have one for each context. Is there a reason why you can't do whatever you're trying to do in the web.xml that lives in .../webapps/yourContext/WEB-INF/ ? I was confused too. I was under (the wrong) impression that the war-files were not expanded. They are (but only if unpackWARs is true for the host) . So, assuming unpackWARs is true, after deploying, I can edit the web.xml. However this bothers me because of three reasons: 1/ It is not persistent. If I upgrade the web app, the old web.xml is replaced, along with the rest of the old version of the web app (correct?). This is a problem if we are talking security constraints. 2/ There is a time window during which a web app is open until I have edited the web.xml (assuming that the default of the web app is to have no constraints). 3/ In the scenario where more than one webapp make upp a website security constraints have to be specified in more than one place. It'd be handy to be able to specify at the host level that all URLs hierarchically under /foo/bar are protected this way and all under /baz some other way regardless of how many webapps that are mounted under each namespace. So, to rephrase my question, how would I go about specifying security constraints on the host level from the outside of any webapp? It is probably easier than I think. With TC 5.5, you can put them in $CATALINA_HOME/conf/host/web.xml.default. Simon Simon Tardell, [EMAIL PROTECTED], +46 70 3198319 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Declarative security in context?
Hiya, I want to deploy multiple instances of the same webapp, with different authorization rules. However, declarative security is done in the web.xml of which there will only be one copy (referred by multiple contexts). Is it possible to impose security constraints on a web app from the outside, i.e. declaring them in the context rather than in the web.xml? Ideally I'd like to be able to shadow parts of the web.xml on a per context basis, but I can't see how to do that. Would I have to write a valve to do custom authorization? TIA, Simon Tardell Simon Tardell, [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Declarative security in context?
From: Simon Tardell [EMAIL PROTECTED] I want to deploy multiple instances of the same webapp, with different authorization rules. However, declarative security is done in the web.xml of which there will only be one copy (referred by multiple contexts). I'm confused by why you say there's only one copy of web.xml. In addition to the global web.xml, I also have one for each context. Is there a reason why you can't do whatever you're trying to do in the web.xml that lives in .../webapps/yourContext/WEB-INF/ ? -- Wendy Smoak - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Declarative security in context?
On Wed, Nov 17, 2004 at 10:58:23PM +0100, Simon Tardell wrote: : I want to deploy multiple instances of the same webapp, with different : authorization rules. However, declarative security is done in the : web.xml of which there will only be one copy (referred by multiple : contexts). Is it possible to impose security constraints on a web app : from the outside, i.e. declaring them in the context rather than in the : web.xml? Ideally I'd like to be able to shadow parts of the web.xml : on a per context basis, but I can't see how to do that. Would I have to : write a valve to do custom authorization? You may have an easier time using an automated build process (e.g. Ant) that supports substitution rules in files, and creating separate webapps for each set of security rules. Pain in the rear? Not really. Wasteful of space? Perhaps, but perhaps not. Portable across all containers? Yes. I forget the task off the top of my head, but I believe Ant's copy task lets you feed a series of property-based replacement patterns to the replacement engine. For example, if the file has [EMAIL PROTECTED]@ ... and the property file defines app.port_num = 4000 Then the resultant (copied) file will have: port=4000 ... Have one properties file per webapp, aka per set of security rules. -QM -- software -- http://www.brandxdev.net tech news -- http://www.RoarNetworX.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE : Declarative security example
Define a realm element for your Engine/Host/Context node in your server.xml configuration file. For example : Realm className=org.apache.catalina.realm.MemoryRealm / -Message d'origine- De : Freddy Villalba A. [mailto:[EMAIL PROTECTED] Envoyé : vendredi 12 novembre 2004 18:44 À : [EMAIL PROTECTED] Objet : Declarative security example Hello everybody, I'm trying to run the following test application on a Tomcat v4.1 that comes along with JBuilder X. web-app servlet servlet-nameSecureServlet/servlet-name servlet-classSecureServlet/servlet-class /servlet security-constraint web-resource-collection web-resource-nameprueba de seguridad declarativa/web-resource-name url-pattern/servlet/SecureServlet/url-pattern http-methodPOST/http-method /web-resource-collection auth-constraint role-namesupervisor/role-name /auth-constraint user-data-constraint transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/formlogin.html/form-login-page form-error-page/formerror.html/form-error-page /form-login-config /login-config security-role role-namesupervisor/role-name /security-role /web-app When I launch the server, it is not able to initialize the web app. This is the trace I get from Tomcat: 12-nov-2004 18:30:05 org.apache.coyote.http11.Http11Protocol init INFO: Initializing Coyote HTTP/1.1 on port 8080 Starting service Tomcat-Standalone Apache Tomcat/4.1.27-LE-jdk14 HostConfig[localhost]: Deploying configuration descriptor jb-cursoj2ee.xml WebappLoader[/cursoj2ee]: Deploying class repositories to work directory C:\cursoj2ee\seguridadDeclarativa\seguridadDeclarativa\Tomcat\work\cursoj2ee WebappLoader[/cursoj2ee]: Deploy class files /WEB-INF/classes to C:\cursoj2ee\seguridadDeclarativa\seguridadDeclarativa\modulo1\WEB-INF\class es WebappLoader[/cursoj2ee]: Reloading checks are enabled for this Context ContextConfig[/cursoj2ee]: No Realm has been configured to authenticate against ContextConfig[/cursoj2ee]: Marking this application unavailable due to previous error(s) StandardManager[/cursoj2ee]: Seeding random number generator class java.security.SecureRandom StandardManager[/cursoj2ee]: Seeding of random number generator has been completed StandardContext[/cursoj2ee]: Context startup failed due to previous errors 12-nov-2004 18:30:07 org.apache.coyote.http11.Http11Protocol start INFO: Starting Coyote HTTP/1.1 on port 8080 It seems like I've got to define some realm on Tomcat in order for this silly example to work. However, I've read (Sun's material) this example should be straightforward, just deploy the webapp anywhere and run, without defining anything particular to the servlet container. What am I missing? Am I required to define a realm in order for it to work? Thanx everybody, F. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Declarative security example
Hello everybody, I'm trying to run the following test application on a Tomcat v4.1 that comes along with JBuilder X. web-app servlet servlet-nameSecureServlet/servlet-name servlet-classSecureServlet/servlet-class /servlet security-constraint web-resource-collection web-resource-nameprueba de seguridad declarativa/web-resource-name url-pattern/servlet/SecureServlet/url-pattern http-methodPOST/http-method /web-resource-collection auth-constraint role-namesupervisor/role-name /auth-constraint user-data-constraint transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/formlogin.html/form-login-page form-error-page/formerror.html/form-error-page /form-login-config /login-config security-role role-namesupervisor/role-name /security-role /web-app When I launch the server, it is not able to initialize the web app. This is the trace I get from Tomcat: 12-nov-2004 18:30:05 org.apache.coyote.http11.Http11Protocol init INFO: Initializing Coyote HTTP/1.1 on port 8080 Starting service Tomcat-Standalone Apache Tomcat/4.1.27-LE-jdk14 HostConfig[localhost]: Deploying configuration descriptor jb-cursoj2ee.xml WebappLoader[/cursoj2ee]: Deploying class repositories to work directory C:\cursoj2ee\seguridadDeclarativa\seguridadDeclarativa\Tomcat\work\cursoj2ee WebappLoader[/cursoj2ee]: Deploy class files /WEB-INF/classes to C:\cursoj2ee\seguridadDeclarativa\seguridadDeclarativa\modulo1\WEB-INF\class es WebappLoader[/cursoj2ee]: Reloading checks are enabled for this Context ContextConfig[/cursoj2ee]: No Realm has been configured to authenticate against ContextConfig[/cursoj2ee]: Marking this application unavailable due to previous error(s) StandardManager[/cursoj2ee]: Seeding random number generator class java.security.SecureRandom StandardManager[/cursoj2ee]: Seeding of random number generator has been completed StandardContext[/cursoj2ee]: Context startup failed due to previous errors 12-nov-2004 18:30:07 org.apache.coyote.http11.Http11Protocol start INFO: Starting Coyote HTTP/1.1 on port 8080 It seems like I've got to define some realm on Tomcat in order for this silly example to work. However, I've read (Sun's material) this example should be straightforward, just deploy the webapp anywhere and run, without defining anything particular to the servlet container. What am I missing? Am I required to define a realm in order for it to work? Thanx everybody, F. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
has anyone tried or run the TC -security with mail session or database connection successfully?
Thanks lot if anyone can point me in the right direction. TC5.5.4 ( it happens to other versions) Window XP JAVA 1.5.0 My program runs successfully without turning on the -security, but has the errors when it is turned on. The errors generated look like not related to access violation because of active security? Otherwise, I will see the access violation security errors. I searched all the internet sources but found no answers. I setup the security as follows: 1. catalina.policy grant codeBase file:${catalina.home}/webapps/javaxml2/WEB-INF/classes/- { permission java.util.PropertyPermission javax.mail.Session.Factory,read; permission java.net.SocketPermission localhost:25, connect,resolve; permission java.net.SocketPermission localhost:1521,connect,resolve; }; 2. mail session errors: INFO: HTMLManager: list: Listing contexts for virtual host 'localhost' javax.mail.MessagingException: IOException while sending message; nested exception is: javax.activation.UnsupportedDataTypeException: no object DCH for MIME type text/plain at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:566) at javax.mail.Transport.send0(Transport.java:151) at javax.mail.Transport.send(Transport.java:80) at javaxml2.UpdateItemServlet.doPost(Unknown Source) at javax.servlet.http.HttpServlet.service(HttpServlet.java:709) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) 3. DB connection errors: INFO: HTMLManager: list: Listing contexts for virtual host 'localhost' javax.naming.NamingException: Cannot create resource instance at org.apache.naming.factory.ResourceFactory.getObjectInstance(ResourceFact ory.java:132) at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304) at org.apache.naming.NamingContext.lookup(NamingContext.java:792) at org.apache.naming.NamingContext.lookup(NamingContext.java:139) at org.apache.naming.NamingContext.lookup(NamingContext.java:780) at org.apache.naming.NamingContext.lookup(NamingContext.java:152) at javaxml2.UpdateItemServlet.doPost(Unknown Source) at javax.servlet.http.HttpServlet.service(HttpServlet.java:709) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) 4. context.xml Resource name=mail/Session auth=Container type=javax.mail.Session mail.smtp.host=localhost / Resource name=jdbc/EmployeeDB auth=Container type=javax.sql.DataSource username=scott password=tiger driverClassName=oracle.jdbc.driver.OracleDriver url=jdbc:oracle:thin:@localhost:1521:oracle maxActive=8 maxIdle=4/
Anyone knows how to deal with mail session -security error for TC5.5.4
if running tomcat5.5.4 without turning on -security, everything works fine for jndi context mail session and DBCP. But if -security turned on, I got the following errors. If anyone can point to me what I missed or did wrong, greatly appreciated. Thanks David 1. TC errors access: access allowed (java.util.PropertyPermission line.separator read) Nov 8, 2004 9:55:25 PM org.apache.naming.NamingContext lookup WARNING: Unexpected exception resolving reference java.security.AccessControlException: access denied (java.util.PropertyPermission javax.mail.Session.Factory read) at java.security.AccessControlContext.checkPermission(AccessControlContext. java:264) at java.security.AccessController.checkPermission(AccessController.java:427 ) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) 2. catalina.policy: grant codeBase file:${catalina.home}/webapps/javaxml2/WEB-INF/classes/UpdateItemServle t.class { permission java.net.SocketPermission localhost:1521,connect,resolve; permission java.util.PropertyPermission javax.mail.Session.Factory,read; permission java.net.SocketPermission localhost:25,connect,resolve; };
Re: Anyone knows how to deal with mail session -security error for TC5.5.4
David Lee wrote: 2. catalina.policy: grant codeBase file:${catalina.home}/webapps/javaxml2/WEB-INF/classes/UpdateItemServle t.class { Shouldn't you be giving those permissions (except the Oracle one :-) to mail.jar, rather than your servlet class? That's what is actually making the reference, isn't it? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
How to fix the security error like this for tomcat5.5.4 -security
when tc security turned on then errors, if no security, it works fine, tried everything, still has errors Thanks for anyone who can help!!! greatly appreciated David Lee 1. Errors: access: access allowed (java.util.PropertyPermission line.separator read) Nov 8, 2004 9:55:25 PM org.apache.naming.NamingContext lookup WARNING: Unexpected exception resolving reference java.security.AccessControlException: access denied (java.util.PropertyPermission javax.mail.Session.Factory read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264) at java.security.AccessController.checkPermission(AccessController.java:427) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285) at java.lang.System.getProperty(System.java:661) at org.apache.naming.factory.ResourceFactory.getObjectInstance(ResourceFactory.java:117) at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304) at org.apache.naming.NamingContext.lookup(NamingContext.java:792) at org.apache.naming.NamingContext.lookup(NamingContext.java:139) at org.apache.naming.NamingContext.lookup(NamingContext.java:780) at org.apache.naming.NamingContext.lookup(NamingContext.java:152) at javaxml2.UpdateItemServlet.doPost(Unknown Source) at javax.servlet.http.HttpServlet.service(HttpServlet.java:709) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 2. catalina.policy: grant codeBase file:${catalina.home}/webapps/javaxml2/WEB-INF/classes/UpdateItemServlet.class { permission java.net.SocketPermission localhost:1521,connect,resolve; permission java.util.PropertyPermission javax.mail.Session.Factory,read; permission java.net.SocketPermission localhost:25,connect,resolve; }; 3. context.xml Resource name=mail/Session auth=Container type=javax.mail.Session mail.smtp.host=localhost / Resource name=jdbc/EmployeeDB auth=Container type=javax.sql.DataSource username=scott password=tiger driverClassName=oracle.jdbc.driver.OracleDriver url=jdbc:oracle:thin:@localhost:1521:dev maxActive=8 maxIdle=4/ 4. web.xml resource-ref descriptionResource reference to a factory for javax.mail.Session instances that may be used for sending electronic mail messages, preconfigured to connect to the appropriate SMTP server. /description res-ref-name mail/Session /res-ref-name res-type javax.mail.Session /res-type res-auth Container /res-auth /resource-ref resource-ref description Resource reference to a factory for java.sql.Connection instances that may be used for talking to a particular database that is configured in the server.xml file. /description res-ref-name jdbc/EmployeeDB /res-ref-name res-type javax.sql.DataSource /res-type res-auth Container /res-auth /resource-ref
Re: problem with security manager, plesk and mysql (catalina.policy ignored?)
I see now where my problem can be. If I extract the war file to directory ${catalina.home}/psa-webapps/mydomain.com/myapplication/ and insert in the policy file grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/ { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; I can then connect to the database, so I guess my problem is I'm not using the proper syntax in the policy file for the .war I will google for a while :-) Alfonso. El sáb, 30-10-2004 a las 00:21, Alfonso Alba García escribió: Hi everybody, I have problems when connecting to mysql. I'm getting the following exception when trying to connect to a mysql database: (SQLException): java.sql.SQLException: Unable to connect to any hosts due to exception: java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve) I have read about similar problems in google and tried to modify the catalina.policy without success. I deploy applications via a Plesk web interface which loads my .war file, sets it in /var/tomcat4/psa-wars/mydomain.com/ creates a symlink to the war file in /var/tomcat4/psa-webapps/mydomain.com/ and makes the application available via mydomain.com/myapplication. It works fine except when an application tries to access a mysql database. I´m getting the exception above, even though I tried the following lines in catalina.policy without success (found similar exeptions to this one in google): grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/- { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/WEB-INF/lib/mysql-connector-java-3.0.9-stable-bin.jar { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; I tried both of them one at a time and I restarted tomcat after every modification made to the catalina.policy I´m using tomcat 4.1.24 on a redhat linux Enterprise server, with /mysql-connector-java-3.0.9 and jre 1.4.2. Tomcat and mysql are in the same server. The way I´m trying to access the database in a jsp is conexion = DriverManager.getConnection(jdbc:mysql://localhost/DATABASE?user=USERpassword=PASSWORD); I've checked that the database exists, I can connect to the database from a console as user USER with password PASSWORD. The application works perfectly well in another server (debian woody with tomcat 4.0) where it was not necessary to modify the security policy. I talked to a friend of mine who also knows something about tomcat and told me that to access a database in the same server where tomcat is, it should not be necessary to modify the catalina.policy file. I have some experience with tomcat but i run out of ideas and things to try. Any help to open my eyes would be appreciated. Thanks a lot in advance, Alfonso signature.asc Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente
problem with security manager, plesk and mysql (catalina.policy ignored?)
Hi everybody, I have problems when connecting to mysql. I'm getting the following exception when trying to connect to a mysql database: (SQLException): java.sql.SQLException: Unable to connect to any hosts due to exception: java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve) I have read about similar problems in google and tried to modify the catalina.policy without success. I deploy applications via a Plesk web interface which loads my .war file, sets it in /var/tomcat4/psa-wars/mydomain.com/ creates a symlink to the war file in /var/tomcat4/psa-webapps/mydomain.com/ and makes the application available via mydomain.com/myapplication. It works fine except when an application tries to access a mysql database. I´m getting the exception above, even though I tried the following lines in catalina.policy without success (found similar exeptions to this one in google): grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/- { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/WEB-INF/lib/mysql-connector-java-3.0.9-stable-bin.jar { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; I tried both of them one at a time and I restarted tomcat after every modification made to the catalina.policy I´m using tomcat 4.1.24 on a redhat linux Enterprise server, with /mysql-connector-java-3.0.9 and jre 1.4.2. Tomcat and mysql are in the same server. The way I´m trying to access the database in a jsp is conexion = DriverManager.getConnection(jdbc:mysql://localhost/DATABASE?user=USERpassword=PASSWORD); I've checked that the database exists, I can connect to the database from a console as user USER with password PASSWORD. The application works perfectly well in another server (debian woody with tomcat 4.0) where it was not necessary to modify the security policy. I talked to a friend of mine who also knows something about tomcat and told me that to access a database in the same server where tomcat is, it should not be necessary to modify the catalina.policy file. I have some experience with tomcat but i run out of ideas and things to try. Any help to open my eyes would be appreciated. Thanks a lot in advance, Alfonso signature.asc Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente
Tomcat security stopping log4j write to a file
I want log4j to write its output to the webapps/[application dir]/WEB-INF/logs directory. The log4j properties file is located in the WEB-INF/classes directory, as specified. Monitoring trace of log4j's process, shows log4j is unable to find (create) the requested files. I believe Tomcat is not allowing the application to write into WEB-INF/logs subdirectory. How do I direct Tomcat to allow this functionality? Tomcat 4.1.30 Thanks - Lawrence Winkler UW-Madison Division of Information Technology 608-265-4610 [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat security stopping log4j write to a file
Hi, Two options come to mind. Either You're running with a SecurityManager and your java.policy file doesn't specify a write permission into WEB-INF/logs. Or you've misconfigured log4j. If this is the case, post your log4j configuration file and we can help you although that's a bit off-topic for this list. Yoav Shapira http://www.yoavshapira.com -Original Message- From: Lawrence J Winkler [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 19, 2004 3:18 PM To: [EMAIL PROTECTED] Subject: Tomcat security stopping log4j write to a file I want log4j to write its output to the webapps/[application dir]/WEB-INF/logs directory. The log4j properties file is located in the WEB-INF/classes directory, as specified. Monitoring trace of log4j's process, shows log4j is unable to find (create) the requested files. I believe Tomcat is not allowing the application to write into WEB-INF/logs subdirectory. How do I direct Tomcat to allow this functionality? Tomcat 4.1.30 Thanks - Lawrence Winkler UW-Madison Division of Information Technology 608-265-4610 [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat security stopping log4j write to a file
Lawrence J Winkler wrote: I want log4j to write its output to the webapps/[application dir]/WEB-INF/logs directory. The log4j properties file is located in the WEB-INF/classes directory, as specified. Monitoring trace of log4j's process, shows log4j is unable to find (create) the requested files. I believe Tomcat is not allowing the application to write into WEB-INF/logs subdirectory. How do I direct Tomcat to allow this functionality? take a look at catalina.policy in the conf directory, in the file you can find some examples. edoardo - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
problem with security-constraint with Tomcat 5
I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28. We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems to be confused with a url pattern that works with Tomcat 4. Here's the pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version of web.xml): ... !-- Struts action servlet -- servlet servlet-namestrutsnav/servlet-name servlet-classorg.apache.struts.action.ActionServlet/servlet-class init-param param-nameconfig/param-name param-value/WEB-INF/conf/struts-config.xml/param-value /init-param init-param param-namevalidate/param-name param-valuetrue/param-value /init-param load-on-startup1/load-on-startup /servlet ... servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.do/url-pattern /servlet-mapping ... !-- JAAS Security Realm config -- security-constraint web-resource-collection web-resource-nameSecure Struts Actions/web-resource-name url-pattern*.sec.do/url-pattern /web-resource-collection auth-constraint role-nameGeneral User/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.do/form-login-page form-error-page/logininvalid.do/form-error-page /form-login-config /login-config security-role role-nameGeneral User/role-name /security-role ... If I try to access a sec.do Struts action, I just get a blank space in the body of the Tiles layout - I don't get the login form. If I change the url-pattern in web-resource-collection to *.do, then I get the login page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is this a bug? I also tried to add the following, but it didn't help: servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.sec.do/url-pattern /servlet-mapping Thanks, Cecile Mercado - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: problem with security-constraint with Tomcat 5
Hi, Could this be something that changed (or rather, was clarified) in the Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4 (which Tomcat 5.x implements)? ;) Yoav Shapira http://www.yoavshapira.com -Original Message- From: Mercado . Maria [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 10:08 AM To: [EMAIL PROTECTED] Subject: problem with security-constraint with Tomcat 5 I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28. We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems to be confused with a url pattern that works with Tomcat 4. Here's the pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version of web.xml): ... !-- Struts action servlet -- servlet servlet-namestrutsnav/servlet-name servlet-classorg.apache.struts.action.ActionServlet/servlet- class init-param param-nameconfig/param-name param-value/WEB-INF/conf/struts-config.xml/param-value /init-param init-param param-namevalidate/param-name param-valuetrue/param-value /init-param load-on-startup1/load-on-startup /servlet ... servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.do/url-pattern /servlet-mapping ... !-- JAAS Security Realm config -- security-constraint web-resource-collection web-resource-nameSecure Struts Actions/web-resource-name url-pattern*.sec.do/url-pattern /web-resource-collection auth-constraint role-nameGeneral User/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.do/form-login-page form-error-page/logininvalid.do/form-error-page /form-login-config /login-config security-role role-nameGeneral User/role-name /security-role ... If I try to access a sec.do Struts action, I just get a blank space in the body of the Tiles layout - I don't get the login form. If I change the url-pattern in web-resource-collection to *.do, then I get the login page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is this a bug? I also tried to add the following, but it didn't help: servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.sec.do/url-pattern /servlet-mapping Thanks, Cecile Mercado - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: problem with security-constraint with Tomcat 5
Thanks for the suggestion, Yoav. I looked but I didn't see anything that stated that a url pattern with 2 dots is illegal. - Cecile Mercado -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 9:12 AM To: Tomcat Users List Subject: RE: problem with security-constraint with Tomcat 5 Hi, Could this be something that changed (or rather, was clarified) in the Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4 (which Tomcat 5.x implements)? ;) Yoav Shapira http://www.yoavshapira.com -Original Message- From: Mercado . Maria [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 10:08 AM To: [EMAIL PROTECTED] Subject: problem with security-constraint with Tomcat 5 I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28. We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems to be confused with a url pattern that works with Tomcat 4. Here's the pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version of web.xml): ... !-- Struts action servlet -- servlet servlet-namestrutsnav/servlet-name servlet-classorg.apache.struts.action.ActionServlet/servlet- class init-param param-nameconfig/param-name param-value/WEB-INF/conf/struts-config.xml/param-value /init-param init-param param-namevalidate/param-name param-valuetrue/param-value /init-param load-on-startup1/load-on-startup /servlet ... servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.do/url-pattern /servlet-mapping ... !-- JAAS Security Realm config -- security-constraint web-resource-collection web-resource-nameSecure Struts Actions/web-resource-name url-pattern*.sec.do/url-pattern /web-resource-collection auth-constraint role-nameGeneral User/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.do/form-login-page form-error-page/logininvalid.do/form-error-page /form-login-config /login-config security-role role-nameGeneral User/role-name /security-role ... If I try to access a sec.do Struts action, I just get a blank space in the body of the Tiles layout - I don't get the login form. If I change the url-pattern in web-resource-collection to *.do, then I get the login page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is this a bug? I also tried to add the following, but it didn't help: servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.sec.do/url-pattern /servlet-mapping Thanks, Cecile Mercado - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: problem with security-constraint with Tomcat 5
On Mon, 18 Oct 2004 10:45:23 -0400, Mercado . Maria [EMAIL PROTECTED] wrote: Thanks for the suggestion, Yoav. I looked but I didn't see anything that stated that a url pattern with 2 dots is illegal. Most systems I am aware of consider that the extension is the last dot. Otherwise, it starts adding complexity. Don't expect a fix (assuming this is indeed a valid issue, which I doubt). -- x Rémy Maucherat Developer Consultant JBoss Group (Europe) SàRL x - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: problem with security-constraint with Tomcat 5
You didn't look hard enough :) spec-quote version=2.4 section=11.1 An extension is defined as the part of the last segment after the last '.' character. /spec-quote - Original Message - From: Mercado . Maria [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Monday, October 18, 2004 7:45 AM Subject: RE: problem with security-constraint with Tomcat 5 Thanks for the suggestion, Yoav. I looked but I didn't see anything that stated that a url pattern with 2 dots is illegal. - Cecile Mercado -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 9:12 AM To: Tomcat Users List Subject: RE: problem with security-constraint with Tomcat 5 Hi, Could this be something that changed (or rather, was clarified) in the Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4 (which Tomcat 5.x implements)? ;) Yoav Shapira http://www.yoavshapira.com -Original Message- From: Mercado . Maria [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 10:08 AM To: [EMAIL PROTECTED] Subject: problem with security-constraint with Tomcat 5 I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28. We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems to be confused with a url pattern that works with Tomcat 4. Here's the pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version of web.xml): ... !-- Struts action servlet -- servlet servlet-namestrutsnav/servlet-name servlet-classorg.apache.struts.action.ActionServlet/servlet- class init-param param-nameconfig/param-name param-value/WEB-INF/conf/struts-config.xml/param-value /init-param init-param param-namevalidate/param-name param-valuetrue/param-value /init-param load-on-startup1/load-on-startup /servlet ... servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.do/url-pattern /servlet-mapping ... !-- JAAS Security Realm config -- security-constraint web-resource-collection web-resource-nameSecure Struts Actions/web-resource-name url-pattern*.sec.do/url-pattern /web-resource-collection auth-constraint role-nameGeneral User/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.do/form-login-page form-error-page/logininvalid.do/form-error-page /form-login-config /login-config security-role role-nameGeneral User/role-name /security-role ... If I try to access a sec.do Struts action, I just get a blank space in the body of the Tiles layout - I don't get the login form. If I change the url-pattern in web-resource-collection to *.do, then I get the login page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is this a bug? I also tried to add the following, but it didn't help: servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.sec.do/url-pattern /servlet-mapping Thanks, Cecile Mercado - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This message is intended only for the use of the person(s) listed above as the intended recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or distribute this message or any attachment. If you received this communication in error, please notify us immediately by e-mail and then delete all copies of this message and any attachments. In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet is not secure. Do not send confidential or sensitive information, such as social security numbers, account numbers, personal identification numbers and passwords, to us via ordinary (unencrypted) e-mail. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
web.xml - security-constraint oddity/problem
Hello I am running apache 2.0.46 with SSL with tomcat/mod_jk2, white box linux. I do not have tomcat running SSL on 8443. So I have this issue with my app... I am securing my app with the security-constraint tag in web.xml (connected to mysql backend), it works perfectly with the url-pattern/clients.jsp/url-pattern. clients.jsp is a https:// uri, therefore my apache SSL is handling it, and so is the remaining of the session (?). However, if i throw url-pattern/index.jsp/url-pattern, which is a http:// uri, then tomcat tries to connect to port 8443 (instead of 443), where of course it fails miserably since nothing is running there. I guess my question is, why is tomcat trying to get to port 8443, when none of my uri point to https://myhost:8443, but simply to https://myhost (which should be handled on port 443 by my apache ssl)? I don't know if i have been very clear... I always suck at explaining my pb :P Please ask me if I can clarify Thanks a lot Best Regards Fred ?xml version=1.0 encoding=ISO-8859-1? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app !-- Beginning of web.xml deployment descriptor -- security-constraint web-resource-collection web-resource-nameClient login/web-resource-name url-pattern/clients.jsp/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-nameclients/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/loginError.jsp/form-error-page /form-login-config /login-config security-role role-nameclients/role-name /security-role /web-app - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[SOLVED] Re: web.xml - security-constraint oddity/problem
Well, that was an easy fix... I just changed the redirect port of the Coyote/JK2 AJP 1.3 Connector on port 8009, to 443 instead of 8443... :) Fred On Wed, 2004-10-06 at 22:56 -0500, Fred Blaise wrote: Hello I am running apache 2.0.46 with SSL with tomcat/mod_jk2, white box linux. I do not have tomcat running SSL on 8443. So I have this issue with my app... I am securing my app with the security-constraint tag in web.xml (connected to mysql backend), it works perfectly with the url-pattern/clients.jsp/url-pattern. clients.jsp is a https:// uri, therefore my apache SSL is handling it, and so is the remaining of the session (?). However, if i throw url-pattern/index.jsp/url-pattern, which is a http:// uri, then tomcat tries to connect to port 8443 (instead of 443), where of course it fails miserably since nothing is running there. I guess my question is, why is tomcat trying to get to port 8443, when none of my uri point to https://myhost:8443, but simply to https://myhost (which should be handled on port 443 by my apache ssl)? I don't know if i have been very clear... I always suck at explaining my pb :P Please ask me if I can clarify Thanks a lot Best Regards Fred ?xml version=1.0 encoding=ISO-8859-1? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app !-- Beginning of web.xml deployment descriptor -- security-constraint web-resource-collection web-resource-nameClient login/web-resource-name url-pattern/clients.jsp/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-nameclients/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/loginError.jsp/form-error-page /form-login-config /login-config security-role role-nameclients/role-name /security-role /web-app - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Security Constraint - Tomcat 5.0
Goodmorning all, Can I set a security constraint saying that i need to protect all except a directory or a certain file? My folder tree is quite like this one: myApp | + - - /images/ | + - - /WEB-INF/ | + -- *.jsp files Well, what I need is to protect all, but to not protect the images folder. How can I do it? Thisi is what i have in my web.xml file. security-constraint [...] web-resource-collection web-resource-nameBanner Manager/web-resource-name url-pattern/*/url-pattern http-methodDELETE/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method /web-resource-collection /security-constraint regards, Omar
RE: Security of Servlets
-Original Message- From: QM Executables and other server-side dynamic content( CGI, servlets/JSPs, PHP, etc) permit end-users to interact with the server in a different way: they must process user input, and in doing so, watch out for malformed values. Which has me scratching my head as to how. I'm using mySQL for login name, password validation. This from a standard html static page. I can't see how I can get to this data to validate it? Is it possible? regards DaveP ** snip here ** -- DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Security of Servlets
Hi, I'm using mySQL for login name, password validation. This from a standard html static page. I can't see how I can get to this data to validate it? Is it possible? On a standard HTML static page you can use JavaScript for form field validation and not even submit the form if the inputs aren't valid. There are dozens of free scripts that do this for you, check out sites like dynamicdrive.com and alistapart.com. Even if you didn't want to use JavaScript, you could (and should) add checking to whatever handles the login on the server side, e.g. the servlet/JSP/login bean/login action, whatever technology you're using. Yoav This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Security of Servlets
-Original Message- From: Shapira, Yoav I'm using mySQL for login name, password validation. This from a standard html static page. I can't see how I can get to this data to validate it? Is it possible? On a standard HTML static page you can use JavaScript Even if you didn't want to use JavaScript, you could (and should) add checking to whatever handles the login on the server side, e.g. the servlet/JSP/login bean/login action, whatever technology you're using. tc 5.0.27; form method=POST action=j_security_check name=login Which I'm guessing is picked up by Tomcat, though I don't know how to 'add checking to it'? Any advice appreciated, since I'd prefer java to jscript! regards DaveP -- DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Security of Servlets
Hi, form method=POST action=j_security_check name=login Which I'm guessing is picked up by Tomcat, though I don't know how to 'add checking to it'? Any advice appreciated, since I'd prefer java to jscript! If you're trusting the container, trust it ;) You're depending on the container to auth for you, so you can't do server-side checks here, unless you customize the relevant Realm further (which is of course possible with Tomcat). Yoav This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Security of Servlets
We are giving some thought to putting a CGI-based Wiki, specifically OddMuse, on a website that runs on a Linux server. In 'Using Linux (Fourth Edition)', the authors warn that "The biggest cause for concern about protecting your site from external threats is CGI scripts." They go on to suggest various precautions that will reduce the risk. This has me wondering if servlets are equally insecure or have a much stronger security model. I also have Jason Hunter's 'Java Servlet Programming (Second Edition)' which has a 30 page chapter on Security that details how various forms of authentication take place in servlets. However, I can't find any categorical statement that says servlets are actually any more secure than CGI. I was wondering if someone with extensive experience with the security aspects of both servlets and CGI can give me any sense of which is more secure and why?I need this information so that we can choose the right approach for our wiki. Also, if servlets are more secure than CGI, is anyone aware of a wiki that runs as a servlet, preferably open source? Rhino---rhino1 AT sympatico DOT ca"There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies." - C.A.R. Hoare
Re: Security of Servlets
On Thu, Sep 30, 2004 at 02:55:45PM -0400, Rhino wrote: : We are giving some thought to putting a CGI-based Wiki, specifically OddMuse, : on a website that runs on a Linux server. In 'Using Linux (Fourth Edition)', : the authors warn that The biggest cause for concern about protecting your : site from external threats is CGI scripts. They go on to suggest various : precautions that will reduce the risk. : : This has me wondering if servlets are equally insecure or have a much stronger : security model. The authors of that book may have said CGI but what they probably meant, in a larger scheme, was executables and other server-side dynamic content. Web servers that only dish out static content are tougher to crack (in a certain sense) because they have a fairly rigid set of permissible values: either the specified file exists under the doc root, or it doesn't. Executables and other server-side dynamic content( CGI, servlets/JSPs, PHP, etc) permit end-users to interact with the server in a different way: they must process user input, and in doing so, watch out for malformed values. So, other than a denial-of-service attack caused by flooding a CGI-based service with requests (i.e. filling the process table as each httpd process fork()s to spawn a new CGI child), there's not a whole lot of difference between CGI, PHP, Java, etc. : However, I can't find any : categorical statement that says servlets are actually any more secure than : CGI. See above. ;) : I was wondering if someone with extensive experience with the security aspects : of both servlets and CGI can give me any sense of which is more secure and : why? I need this information so that we can choose the right approach for our : wiki. See above. ;) -QM -- software -- http://www.brandxdev.net tech news -- http://www.RoarNetworX.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Security of Servlets
Hi, I'd say it's easier to expose security flaws with CGI scripts than it is with Servlets, and vice versa it's easier to configure a secure environment for Servlets than it is for CGI scripts. That's not the same as saying Servlets are more secure than CGI. I don't think such a categorical statement would be valid for this case, and it's a waste of time looking for such a statement. Both technologies require the system designer, deployer, and administrator to be conscious of security issues and address them proactively. That said, I'd support the statement in the first paragraph on two grounds. One is a simple historical comparison: use any search you like (plain Google, or forums like Bugtraq and CERT) and you'll see many more CGI-based attacked and vulnerabilities than Servlet-based ones. Of course some of that is because CGI is an older and was more widely used for a long time, but those facts are irrelevant for the point of this discussion. The second ground is the existence of finer grained control over Java code. To secure a CGI script, you'd have to peer-review its code, make sure the user running it has only the required privileges, etc. With Servlets, you can apply extremely fine-grained security using a variety of approaches like PrivilegedActions, SecurityManager (these two are inside the JVM and portable), the security-constraint elements in web.xml (which can also be done for CGI in most servers, like httpd), and Java's built-in controls over memory allocation and such low-level matters. So both technologies can be made secure, but it's easier to assure a given Servlet is secure than a given CGI script, IMHO. If someone has tons of experience in CGI security assessments and little in Java, they might say the opposite ;) As far as wiki implementations, let's see. Of the top of my head, Friki is Java and open source (SourceForge). MoinMoin is Python. Litux is in the middle: Jython ;) Yoav Shapira Millennium Research Informatics -Original Message- From: Rhino [mailto:[EMAIL PROTECTED] Sent: Thursday, September 30, 2004 2:56 PM To: tomcat-user Subject: Security of Servlets We are giving some thought to putting a CGI-based Wiki, specifically OddMuse, on a website that runs on a Linux server. In 'Using Linux (Fourth Edition)', the authors warn that The biggest cause for concern about protecting your site from external threats is CGI scripts. They go on to suggest various precautions that will reduce the risk. This has me wondering if servlets are equally insecure or have a much stronger security model. I also have Jason Hunter's 'Java Servlet Programming (Second Edition)' which has a 30 page chapter on Security that details how various forms of authentication take place in servlets. However, I can't find any categorical statement that says servlets are actually any more secure than CGI. I was wondering if someone with extensive experience with the security aspects of both servlets and CGI can give me any sense of which is more secure and why? I need this information so that we can choose the right approach for our wiki. Also, if servlets are more secure than CGI, is anyone aware of a wiki that runs as a servlet, preferably open source? Rhino --- rhino1 AT sympatico DOT ca There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. - C.A.R. Hoare This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Security of Servlets
Rhino wrote: /* others having responded to the first issue(s), I'll just confine myself to this one :-) */ is anyone aware of a wiki that runs as a servlet, preferably open source? You might look at JSPWiki -- http://www.jspwiki.org/ FWIW! -- Hassan Schroeder - [EMAIL PROTECTED] Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com dream. code. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Is it possible to configure the security manager such that my servlet can write into the tomcat-home/logs directory?
Hi -- With tomcat 5.0.16, I could write into that directory (Windows), But with tomcat 5.0.27, I can no longer do so. I've tried all sorts of stuff in catalina.policy, but I still cannot configure it such that I can write my own log file into the logs directory. Thanks Betty
RE: Application-level security
Hi, This is an old issue, but have a small twist in the requirements that I need to satisfy and that can't be done using the solution outlined in the following article. I am just wondering if things have changed in tha past one year. Also, I apologize for the cross-post, but I thought it was relevant. Here is my scenario. I want to expose my Struts based site to our recently added business partners, either a web service or like a portlet. And of course, I need to authenticate them and authorize the resource against their role. I want to be able to take the j_username,j_password and accomplish everything in one call other than asking them to authenticate as a side-effect of requesting a resource? My quick and dirty solution was to make an internal http request and deal with authentication and send the extracted response back. OT I had tough time making my manager understand why it took a little longer than it should have been, who gave 30 mts as estimate to our customer to accomplish this. I ended up taking an hour, including testing :-). /OT Thank you, Vishu -Original Message- From: Robert Hall [mailto:[EMAIL PROTECTED] Sent: Monday, October 27, 2003 10:19 AM To: Tomcat Users List Subject: Re: Application-level security Chris, The August 2003 Java Developer's Journal (vol 8 issue 8) has an article you might want to take a look at: ActiveAuthentication - Extending J2EE form-based authentication by Thomas Beck; http://www.sys-con.com/java/article.cfm?id=2160. Yes, logout is implemented by invalidating the session. Since you provide the login module code you can do whatever is required/desired after the user is authenticated before returning control to the app server (Tomcat). If you aren't familiar with JAAS (Java Authentication and Authorization Service) you should take a look at http://java.sun.com/products/jaas/ and http://java.sun.com/security/jaas/doc/api.html before deciding to roll your own authentication/authorization layer. Regards, Robert Christopher Schultz wrote: All, I've been involved in quite a few web-based applications, and every time I've done one, the team has a different kind of application-level security. I'm interested in people's thoughts on the following methods. 1. Using container-based authentication and authorization (in the form of j_security_check and the security-constraint sections of web.xml). Here are the advantages I see for this: - Declarative security restrictions. I think this is great! No matter what I decide to do, the fact that I can change the security restrictions using a file instead of code will be mandatory. - Container supports the actual login procedure, so I don't have to write/manage the code. Unfortunately, there are also some disadvantages, and some of them are deal-breakers: - No logout function (does session.invalidate() kill it? it occurs to me that it doesn't, but I haven't yet tried) - If you hit a resource that requires auth, you go to the login page, login, and then go to the page you were trying to hit. I need to be able to first send the request to an action that will set up the user's session before the destination resource is accessed. (deal-breaker) - If I want to modify usernames or passwords as they are read by j_security_check, I cannot do this. A concrete example: often, it is preferable to have case-insensitive usernames and passwords. Using j_security_check, I cannot flatten-out the case before the authorization is done. (I suppose this might be solved using a custom Realm). (deal-breaker) Given that container authorization has a few shortcomings, there are also two other obvious styles of AAA: 2. Do it myself using action-level code. Each action (in my case, struts, but it really doesn't matter) must perform its own check. This burdon can be lessened by inserting a common superclass that can handle the checks, redirections to login, etc., but that would require me to re-code most of my existing actions because they either need to call an authorization method provided by the superclass or the superclass must implement a final version of the request handler method and then call an abstract method defined in the subclass. This seems cleaner yet requires more code changes. On the upside, I have complete control over the login flow, and I get to keep the desired declarative security model. (Does anyone know if there's an easy way to grab the security-constraint stuff from the web.xml file, or would I have to parse it myself and keep my own data structure for this purpose?) On the downside, I now have to write this code and maintain it. Also, the security-constraint and j_security_check conspire together to do really sexy things like cache POST data and send it ultimately to the desired resource. It would take me some time to clone that functionality. 3. Do it myself using a Filter. This has the same advantages
RE: web.xml security configuration.
Thanks for getting back to me Ruth; I've been three days with this now. -Original Message- From: Ruth, Brice question. I'm assuming these are 'part of' the repository app? Is that right? What should the uri-pattern be for these? Again the browse path will be http://localhost/repository/upload/index.html I want to have different security requirements for upload and search. If I have the security constraint on repository defined with url-pattern of /*, I'm thinking that will cover all the descendents of the repository directory? Is that wrong? That's a correct assumption. You should be able to do what you're wanting to do, the main thing to understand is that if you need to set a granular constraint, say for /repository/search/index.html, then you need to access that page as such. yes, for testing I'm using http://localhost/repository/search/index.html I have no mapping for these since they are simple html files. On the other hand, if you want to take advantage of index files, then a security constraint in the form of /repository/search/ should work (no wildcard * at the end). Its really just a pattern/glob match that takes place to determine if a security constraint should be invoked or not. This last pattern should only be invoked for /repository/search/, not for anything else. So it would not impact /repository/search/otherFile.html ? And no other child directories? That's a relief. Same goes if you have one tied to /repository/. I would advise that you add an additional URL-pattern for the actual index file as well, otherwise, if that file is accessed directly, then the security constraint will not be invoked. Yes, I've tried that. No success. I've reverted to the $catalina-home/conf/tomcat-users.xml to take out the mySQL loop too. Still no success. Could someone provide a (simple) example of the security-constraint .. url-pattern vs the $catalina-home/webapps/X structure please. I can't find any examples other than a single app using appname/* as the url-pattern. With 3 roles. admin, read, rwrite and /webapps /repository admin|read|rwrite /adminadmin only /search admin|read|rwrite /upload admin|rwrite All use index.html. I think the url-patterns are: url-pattern/repository/admin/index.html/url-pattern http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method auth-constraint role-nameadmin/role-name /auth-constraint url-pattern/repository/upload/*/url-pattern ditto auth-constraint role-namerwrite/role-name role-nameadmin/role-name /auth-constraint url-pattern/repository/search/*/url-pattern auth-constraint role-nameadmin/role-name role-namerwrite/role-name role-nameread/role-name /auth-constraint Anything wrong with these? *must* I use wildcards/globbing when I'm using defaults (index.html, index.jsp or whatever?) regards DaveP -- DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: web.xml security configuration.
-Original Message- From: Ruth, Brice The security constraint is based on the actual URL requested, not the resource that is being accessed. So, if you're accessing: http://my.host.com/ - and its actually loading http://my.host.com/repository/index.jsp, then your security-constraint won't be triggered if you don't have /* indicated. With a constraint of /repository/index.jsp, try accessing that path directly from your browser - the constraint *should* be triggered then. in my web.xml I have servlet-mapping servlet-namerepository/servlet-name url-pattern/repository/url-pattern /servlet-mapping servlet-mapping servlet-namegetit/servlet-name url-pattern/getit/url-pattern /servlet-mapping I.e. its a one to one, so if I understand you correctly, when I browse to http://localhost/repository/index.jsp my uril-pattern should be security-constraint web-resource-collection web-resource-nameRead-WriteArea/web-resource-name url-pattern/repository/*/url-pattern I have other (html files) in /webapps /repository /upload index.html /search index.html question. I'm assuming these are 'part of' the repository app? Is that right? What should the uri-pattern be for these? Again the browse path will be http://localhost/repository/upload/index.html I want to have different security requirements for upload and search. If I have the security constraint on repository defined with url-pattern of /*, I'm thinking that will cover all the descendents of the repository directory? Is that wrong? regards daveP ** snip here ** -- DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: web.xml security configuration.
[EMAIL PROTECTED] wrote: in my web.xml I have servlet-mapping servlet-namerepository/servlet-name url-pattern/repository/url-pattern /servlet-mapping servlet-mapping servlet-namegetit/servlet-name url-pattern/getit/url-pattern /servlet-mapping I.e. its a one to one, so if I understand you correctly, when I browse to http://localhost/repository/index.jsp my uril-pattern should be security-constraint web-resource-collection web-resource-nameRead-WriteArea/web-resource-name url-pattern/repository/*/url-pattern I have other (html files) in /webapps /repository /upload index.html /search index.html question. I'm assuming these are 'part of' the repository app? Is that right? What should the uri-pattern be for these? Again the browse path will be http://localhost/repository/upload/index.html I want to have different security requirements for upload and search. If I have the security constraint on repository defined with url-pattern of /*, I'm thinking that will cover all the descendents of the repository directory? Is that wrong? regards daveP Dave, That's a correct assumption. You should be able to do what you're wanting to do, the main thing to understand is that if you need to set a granular constraint, say for /repository/search/index.html, then you need to access that page as such. On the other hand, if you want to take advantage of index files, then a security constraint in the form of /repository/search/ should work (no wildcard * at the end). Its really just a pattern/glob match that takes place to determine if a security constraint should be invoked or not. This last pattern should only be invoked for /repository/search/, not for anything else. Same goes if you have one tied to /repository/. I would advise that you add an additional URL-pattern for the actual index file as well, otherwise, if that file is accessed directly, then the security constraint will not be invoked. Hope this helps! -Brice -- Brice Ruth, Sr. IT Analyst Fiskars Brands Inc http://www.fiskarsbrands.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
web.xml security configuration.
In my applications web.xml I have security-constraint web-resource-collection web-resource-nameRead-WriteArea/web-resource-name description accessible by users of all roles/description url-pattern/*/url-pattern!-- was /* -- http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint descriptionThese roles are allowed access/description role-nameread/role-name role-namerwrite/role-name role-nameadmin/role-name /auth-constraint /security-constraint If the url-pattern is /* I get my jdbc based form showing, and password authentication using mySQL. If I change it to /repository/index.jsp, i.e. the actual file used, I don't get any authentication. Any advice on what form this element should take please? TIA, DaveP snip here * -- DISCLAIMER: NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system. RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: web.xml security configuration.
[EMAIL PROTECTED] wrote: In my applications web.xml I have security-constraint web-resource-collection web-resource-nameRead-WriteArea/web-resource-name description accessible by users of all roles/description url-pattern/*/url-pattern!-- was /* -- http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint descriptionThese roles are allowed access/description role-nameread/role-name role-namerwrite/role-name role-nameadmin/role-name /auth-constraint /security-constraint If the url-pattern is /* I get my jdbc based form showing, and password authentication using mySQL. If I change it to /repository/index.jsp, i.e. the actual file used, I don't get any authentication. Any advice on what form this element should take please? TIA, DaveP Dave, The security constraint is based on the actual URL requested, not the resource that is being accessed. So, if you're accessing: http://my.host.com/ - and its actually loading http://my.host.com/repository/index.jsp, then your security-constraint won't be triggered if you don't have /* indicated. With a constraint of /repository/index.jsp, try accessing that path directly from your browser - the constraint *should* be triggered then. -Brice -- Brice Ruth, Sr. IT Analyst Fiskars Brands Inc http://www.fiskarsbrands.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Security: per app policy, app root relative FilePermissions?
(1) When using a SecurityManager, all permissions are managed globally in two senses. They're granted in a single policy file, conf/catalina.policy and they pertain to all installed webapps. (2) FilePermission can't be relative to the root of a particular webapp. That is my current understanding. If I'm wrong, where can I learn more? Michael -- Michael Schuerig Face reality and stare it down mailto:[EMAIL PROTECTED]--Jethro Tull, Silver River Turning http://www.schuerig.de/michael/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.tomcat.util.net.SSLSupport$CipherData
What do I have misconfigured to cause this security violation? I am using -security to start a security manager and the page is https secure. Using TC 5.0.27 on Redhat Linux, I received the following error in catalina.out: StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.tomcat.util.net.SSLSupport$CipherData My JSP page redirected to my error page, and this stack trace was shown: org/apache/tomcat/util/net/SSLSupport$CipherDatajava.lang.NoClassDefFoundErr or: org/apache/tomcat/util/net/SSLSupport$CipherData at org.apache.tomcat.util.net.SSLSupport.(SSLSupport.java:55) at org.apache.tomcat.util.net.jsse.JSSESupport.getKeySize(JSSESupport.java:137) at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:973) at org.apache.coyote.Request.action(Request.java:363) at org.apache.coyote.tomcat5.CoyoteRequest.getAttribute(CoyoteRequest.java:934) at org.apache.coyote.tomcat5.CoyoteRequestFacade.getAttribute(CoyoteRequestFaca de.java:214) at org.apache.jsp.login_jsp._jspService(login_jsp.java:201) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:3 24) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236) at javax.servlet.http.HttpServlet.service(HttpServlet.java:802) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39 ) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl .java:25) at java.lang.reflect.Method.invoke(Method.java:324) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:500) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:266) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:15 7) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilter Chain.java:50) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain .java:140) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:136) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:214) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:104) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContext Valve.java:198) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:152) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:104) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase .java:540) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:102) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:104) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:535) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:102) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :109) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:104) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConne ction(Http11Protocol.java:705) at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav a:683) at java.lang.Thread.run(Thread.java:534) Thanks, David - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
problem with security manager.
I am running Tomcat4.1.30 on windows 2000, with security option turned on. My java application which is using JDK 1.4, connects to the the credit card authorizing company called verisign, and returns the approval authorization code. I have installed the digital certificate on $TOMCAT_HOME\certs directory. There are read permissions on the cert file. But still for some reason the verisign is not able to read the cert file due to the below error. RESULT=-31RESPMSG=The certificate chain did not validate, no local certificate found, java.security.AccessControlException: access denied (java.io.FilePermissi on C:\Program Files\Apache Group\Tomcat 4.1\certs read) However when i run Tomcat server without security, everything is file. Somehow tomcat is restricting the permission to read the cert file. Verisign uses Jsse.jar to do the security authentication. I have modofied both java.policy and catalina.policy to grant permission on the cert file as below. permission java.io.FilePermission C:\\Program Files\\Apache Group\\Tomcat 4.1\\certs\\-, read; But this does not help, is there anything else i should do to the server.xml file... How does the security manager runs in Tomcat4.1 Please help... - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Using catalina security manager in embedded tomcat application?
Our application has several catalina engines embedded in it and I am trying to determine if it makes sense or is even possible to use the catalina security manager in this setting. Specifically, what takes the place of the '-security' switch on tomcat in an embedded scenario? BH
Re: Using catalina security manager in embedded tomcat application?
Bill Hughey a écrit : Our application has several catalina engines embedded in it and I am trying to determine if it makes sense or is even possible to use the catalina security manager in this setting. Specifically, what takes the place of the '-security' switch on tomcat in an embedded scenario? BH Make sence. SJSAS PE 8.0 ships with Tomcat 5 embedded and security turned on. You just need to call: System.setSecurityManager() (see J2SE API docs) somewhere in your code. -- Jeanfrancois - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Jakarta http server with LDAP security
Hi. I am running jakarta catalina version 5.0.27 on windows and I wanna remove anonymous access to port 80 and I wanna integrate security to validate on LDAP ( windows 2000 ADS - primary domain control ). I am used to do that on IIS. Can anyone give me hints about this. Thanks in advance. Ricardo Souza
Re: Jakarta http server with LDAP security
On Fri, Aug 20, 2004 at 09:45:05AM -0300, Ricardo Souza wrote: : I am running jakarta catalina version 5.0.27 on windows and I wanna remove : anonymous access to port 80 and I wanna integrate security to validate on LDAP : ( windows 2000 ADS - primary domain control ). : I am used to do that on IIS. : Can anyone give me hints about this. Since you asked ;) Hint: review the Tomcat docs, pay special attention to the Realms section. Then review the servlet spec for security and constraint. -QM -- software -- http://www.brandxdev.net tech news -- http://www.RoarNetworX.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Container managed security in tomcat 5.x, need j_password in struts web app, ServletFilter or IntermediateServlet? [Auf Viren geprüft]
Subject: Container managed security in tomcat 5.x, need j_password in struts web app, ServletFilter or IntermediateServlet? Background: = I'm writing a web front-end to a back-end system which has 1000 user accounts and each user has different rights (ACIs, ACLs) in that back-end (think of LDAP Directory, RDBMS, Filessystem = any Data-Store with user-dependend access-rights) I use J2EE, Tomcat 5.0.27, Struts 1.1+Tiles as front-end, Sun One LDAP as back-end. Requirement(s): - I want to user container managed security to leverage Realms and JNDI/JAAS. - I want to connect to the same back-end with the same user used by container managed security - Therefore I need principal *and* credential of that user by whatever means - authorization is not managed by security-roles in J2EE sphere but by security rules of backend which automatically apply to the logged on user Problem: authorization in back-end: == I can use container-managed security (JNDI-Realm) to authenticate users, *but* can't connect to the back-end as the current user because my application doesn't know the password(credential) of the current user. I can get the Principal, which is not enough. So I can't leverage the ACIs, ACLs of my Back-End System because I have to logon as Superuser/root/DBA who is allowed everything. Solution(s): = 1. Intermediate Servlet -- - User request protected resource - Container forwards to my configured login.jsp - User enters j_username and j_password and submits - login.jsp does not POST to container servlet /j_security_check directly but to by servlet which copies j_username and j_password in the session context and *then* forwards or redirects /j_security_check - Problem: /j_security_check as a servlet mapping magically disappeares by that time in Tomcat 5.0.x, so it complains it can't find '/j_security_check' :-P Part of my LoginAction: ActionForward forward = new ActionForward(); forward.setName(securityCheck); forward.setPath(/j_security_check); // forward.setPath(/../j_security_check); // forward.setPath(http://localhost:8080/j_security_check;); forward.setContextRelative(false); forward.setRedirect(false); // forward.setRedirect(true); 2. ServletFilter -- - User request protected resource - Container forwards to my configured login.jsp - User enters j_username and j_password and submits - login.jsp POSTS to /j_security_check - Container is configured as to apply MyServletFilter to the URL pattern /j_security_check - MyServletFilter gets the POSTed j_username, j_password out of the request, copies them into the session.context and chains to the Servlet /j_security_check which authentificates the user as normal - Problem: MyServletFilter gets called for all URL patterns with the one exeption being '/j_security_check'. :-P Part of my FilterMapping in web.xml: filter-mapping filter-nameLoginFilter/filter-name url-pattern/j_security_check/url-pattern dispatcherREQUEST/dispatcher dispatcherFORWARD/dispatcher /filter-mapping Part of my LoginFilter: log.warn(*** Executing LoginFilter doFilter()); chain.doFilter(request, response); Being J2EE conform? === Both solutions are J2EE conform. Standards were a bit ambigous at that point but I don't consider both solutions valid. The ServletFilter-solution is described for IBM Webpshere in developerWorks and the Intermediate Servlet was proposed by people on the tomcat mailing and seemed to work on tomcat 4.x Struts and Tiles: I use struts and tiles for the front-end. form-based authentification via login.jsp does work, even with struts and tiles, if I call /j_security_servlet directly in a non Struts-action. The Intermediate Servlet is my Action servlet from struts. j_username and j_password are in an action form bean. I use an ActionForward to '/j_security_check'. Because Struts appends the name of the web-app I tried '/../j_security_check' and 'http://localhost:8080/j_security_check' with forward or redirect but to no success. All *.do URLs are secure and protect be container-managed security. All resources to build the login.jsp are not protected. Subquestion: How do I forward to URIs outside my current web-app? Now it gets appended so I end up with /web-app/j_security_check which cannot be found? I don't think I'm the only one with this problem. What did I wrong? Did I overlook anything? Are my solutions valid. Are there more solutions? I don't want to use ServletFiltering for my proprietary SecurityFilter like the sourceforge.net project but stay with container-managed security. All help is welcome, TIA, Frerk Meyer EDEKA Aktiengesellschaft GB Datenverarbeitung Frerk Meyer CC Web Technologien New-York-Ring 6 22297 Hamburg Tel: 040/6377 - 3272 Fax: 040/6377 - 41268
Re: Container managed security in tomcat 5.x, need j_password in struts web app, ServletFilter or IntermediateServlet? [Auf Viren geprüft]
It sounds like you'll need to create your own realm. You might be able to extend JNDIRealm. You cannot run filters on /j_security_check. The spec says so. Websphere might allow it - but tomcat doesn't. -Tim [EMAIL PROTECTED] wrote: http://marc.theaimsgroup.com/?l=tomcat-userm=109282146309790w=2 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Container managed security in tomcat 5.x, need j_password in struts web app, ServletFilter or IntermediateServlet? [Auf Viren geprüft]
Thanks Tim Funk for the quick answer, In FormAuthenticator there is a line: principal = context.getRealm().authenticate(username, password); It returns an interface java.security.Principal The Principal stores the username (uid), not the password (Credential). I only can call getName(). Furthermore any Realm has no access to the users session. So I can't get the password from the realm. I could of course write the password as cleartext or obscured code in my own Realm to an external data store. But I don't want that. It's dirty and unsafe and against the security requirements of this web-app. I've searched the Java Servlet Specification v.2.4 http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html but haven't found a place where applying ServletFilters to /j_security_check is forbidden. Could you please provide me with an pointer to the spec you have forbidding this kind of filtering? One of many same questions I have found on http://www.mail-archive.com/[EMAIL PROTECTED]/msg117539.html (Message 1117539 on this list) was answered by yourself with the suggestion of using a valve. Could you please me more detail on that solution? On the same answer there was mentioned that BEA WebLogic provides a hook named auth-filter which would solve my problem too (in a proprietary way). With Websphere this is the second App-Server which could solve my problem. I have a Sun ONE Web App Server 7 at hands, so will try eventually the ServletFilter-method too. Another thread on this list with the same requirement is number 111855: servlet sendRedirect() to j_security_check problem (remember me) http://www.mail-archive.com/[EMAIL PROTECTED]/msg111855.html It announces Matt Raibles solution, programmed into his example application AppFuse. It works y submitting a subrequest vie HttpClient lib which seems rather strange to me. It cites an earlier posting number 111700 http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html One more question: In the Tomcat 5.0.27 source in FormAuthentificator.java it says // Save the authenticated Principal in our session session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); // If we are not caching, save the username and password as well if (!cache) { session.setNote(Constants.SESS_USERNAME_NOTE, username); session.setNote(Constants.SESS_PASSWORD_NOTE, password); } Am I able to session.getNote(Constants.SESS_PASSWORD_NOTE, password) in my web-app? It seems to be stored in the session, or am I wrong? Frerk Meyer EDEKA Aktiengesellschaft GB Datenverarbeitung Frerk Meyer CC Web Technologien New-York-Ring 6 22297 Hamburg Tel: 040/6377 - 3272 Fax: 040/6377 - 41268 mailto:[EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Container managed security in tomcat 5.x, need j_password in struts web app, ServletFilter or IntermediateServlet? [Auf Viren geprüft]
http://issues.apache.org/bugzilla/show_bug.cgi?id=21795 You can always write your own Realm which creates your own custom Principal which can store the password in it. This does require some casting but not uncommon. -Tim [EMAIL PROTECTED] wrote: Thanks Tim Funk for the quick answer, In FormAuthenticator there is a line: principal = context.getRealm().authenticate(username, password); It returns an interface java.security.Principal The Principal stores the username (uid), not the password (Credential). I only can call getName(). Furthermore any Realm has no access to the users session. So I can't get the password from the realm. I could of course write the password as cleartext or obscured code in my own Realm to an external data store. But I don't want that. It's dirty and unsafe and against the security requirements of this web-app. I've searched the Java Servlet Specification v.2.4 http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html but haven't found a place where applying ServletFilters to /j_security_check is forbidden. Could you please provide me with an pointer to the spec you have forbidding this kind of filtering? One of many same questions I have found on http://www.mail-archive.com/[EMAIL PROTECTED]/msg117539.html (Message 1117539 on this list) was answered by yourself with the suggestion of using a valve. Could you please me more detail on that solution? On the same answer there was mentioned that BEA WebLogic provides a hook named auth-filter which would solve my problem too (in a proprietary way). With Websphere this is the second App-Server which could solve my problem. I have a Sun ONE Web App Server 7 at hands, so will try eventually the ServletFilter-method too. Another thread on this list with the same requirement is number 111855: servlet sendRedirect() to j_security_check problem (remember me) http://www.mail-archive.com/[EMAIL PROTECTED]/msg111855.html It announces Matt Raibles solution, programmed into his example application AppFuse. It works y submitting a subrequest vie HttpClient lib which seems rather strange to me. It cites an earlier posting number 111700 http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html One more question: In the Tomcat 5.0.27 source in FormAuthentificator.java it says // Save the authenticated Principal in our session session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); // If we are not caching, save the username and password as well if (!cache) { session.setNote(Constants.SESS_USERNAME_NOTE, username); session.setNote(Constants.SESS_PASSWORD_NOTE, password); } Am I able to session.getNote(Constants.SESS_PASSWORD_NOTE, password) in my web-app? It seems to be stored in the session, or am I wrong? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Container managed security in tomcat 5.x, need j_password in struts web app, ServletFilter or IntermediateServlet? [Auf Viren geprüft]
Thanks again Tim Funk. Your answer is another solution I didn't think of and it sounds standard conform and secure and clean to me. I'll develop my own JNDIRealm / JAASRealm and my own Principal, so I get not only the name and roles of the user out of the directory but every other information that is store (UserBean) and the login password. Very well, Frerk Meyer EDEKA Aktiengesellschaft GB Datenverarbeitung Frerk Meyer CC Web Technologien New-York-Ring 6 22297 Hamburg Tel: 040/6377 - 3272 Fax: 040/6377 - 41268 mailto:[EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: security-constraint in web.xml
Your suggestion work perfectly Thank you very much. Fabian Bill Barker wrote: You simply need to have two security-constraints: One looks like below, and the other has url-pattern/*/url-pattern, and doesn't have an auth-constraint. [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I need help to configure a secure application. I'm trying to request a client certificate in one page only (the rest should be accesible without presenting a certificate) and force to use SSL in the entire application. I put the following in the web.xml security-constraint web-resource-collection web-resource-namecertificates/web-resource-name url-pattern/certificates/add.action/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodCLIENT-CERT/auth-method /login-config If I add a new url pattern, this page will request client certificate too. How can I force to use SSL without requiring a client certificate but still require it in a specific page? Thanks in advance. regards, fabian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] smime.p7s Description: S/MIME Cryptographic Signature
security-constraint in web.xml
I need help to configure a secure application. I'm trying to request a client certificate in one page only (the rest should be accesible without presenting a certificate) and force to use SSL in the entire application. I put the following in the web.xml security-constraint web-resource-collection web-resource-namecertificates/web-resource-name url-pattern/certificates/add.action/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodCLIENT-CERT/auth-method /login-config If I add a new url pattern, this page will request client certificate too. How can I force to use SSL without requiring a client certificate but still require it in a specific page? Thanks in advance. regards, fabian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: security-constraint in web.xml
Not sure you can do this with Tomcat alone (but would be happy to be shown the error of my ways). This is because every ssl connection uses the same SSLSocketFactory configuration irrespective of requested URI. The mod_ssl module for Apache has support for this type of config, though: http://www.modssl.org/docs/2.8/ssl_howto.html#ToC8 HTH (or prompts another answer), Jon [EMAIL PROTECTED] wrote: I need help to configure a secure application. I'm trying to request a client certificate in one page only (the rest should be accesible without presenting a certificate) and force to use SSL in the entire application. I put the following in the web.xml security-constraint web-resource-collection web-resource-namecertificates/web-resource-name url-pattern/certificates/add.action/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodCLIENT-CERT/auth-method /login-config If I add a new url pattern, this page will request client certificate too. How can I force to use SSL without requiring a client certificate but still require it in a specific page? Thanks in advance. regards, fabian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: security-constraint in web.xml
On Mon, 16 Aug 2004 09:58:04 -0300 [EMAIL PROTECTED] wrote I need help to configure a secure application. I'm trying to request a client certificate in one page only (the rest should be accesible without presenting a certificate) and force to use SSL in the entire application. I put the following in the web.xml security-constraint web-resource-collection web-resource-namecertificates/web-resource-name url-pattern/certificates/add.action/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodCLIENT-CERT/auth-method /login-config If I add a new url pattern, this page will request client certificate too. How can I force to use SSL without requiring a client certificate but still require it in a specific page? I haven't taken the time to analyze your security-constraint/, but my impression is that ssl can't really function without certificates. It might be possible to pre-supply a (fake) client certificate, but I'm not sure that would buy you anything. If the client needs a certificate, it would be best to supply the client with (a real) one (even if only self-certified). If the client doesn't know what to do with a certificate, how would it know what to do with the encrypted streams? -- Joel [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: security-constraint in web.xml
You simply need to have two security-constraints: One looks like below, and the other has url-pattern/*/url-pattern, and doesn't have an auth-constraint. [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I need help to configure a secure application. I'm trying to request a client certificate in one page only (the rest should be accesible without presenting a certificate) and force to use SSL in the entire application. I put the following in the web.xml security-constraint web-resource-collection web-resource-namecertificates/web-resource-name url-pattern/certificates/add.action/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodCLIENT-CERT/auth-method /login-config If I add a new url pattern, this page will request client certificate too. How can I force to use SSL without requiring a client certificate but still require it in a specific page? Thanks in advance. regards, fabian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
security-constraint in web.xml
Hello, how are you? I need help to configure a secure application. I am trying to request client certificate in only one page and force to use SSL in the entire application. I put the following in the web.xml security-constraint web-resource-collection web-resource-namecertificates/web-resource-name url-pattern/certificates/add.action/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-name*/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodCLIENT-CERT/auth-method /login-config If I add a new url pattern, this page will request client certificate too. How can I force to use SSL without require cliente certificate but still require it in a specific page? I hope that you can understand me. If you need more information or clarify something, please let me know. Thank you very much in advanced. Fabian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [tomcat] Help with mod_jk2 and security on Win 2003
Before going deeply into your config, I'd ask if your app runs well without the mod_jk2 using the (standard) 8080 port. At least that way we can figure out if the problem has to do with your tomcat configuration or with your mod_jk2 configuration. José Ernesto Echeverría [EMAIL PROTECTED] Tel. (503)8859011 -Original Message- From: Eugene [mailto:[EMAIL PROTECTED] Sent: Viernes, 13 de Agosto de 2004 09:47 p.m. To: Tomcat Users List Subject: [tomcat] Help with mod_jk2 and security on Win 2003 Hi to all! First of all - thank you for this list! It helps to individuals like I am to keep their job:) I am newbie, so maybe my questions too silly for you, but anyway I must to ask. I am running Apache 2.0.50+Tomcat 5.0.27-mod_jk 1.2 on Win 2003, JDK 1.4.2_05. 1) I dont have a problems to deploy and run it with mod_jk 1.2, but when I am trying to configure mod_jk 2 it fails. It returns java.io.FileNotFoundException when I am trying to start app. my app is in the WEB-INF/classes/MyApp.class (as always:)) BTW, Tomcat starts and runs perfectly - stderr is clear, I am trying to test it with standard jsp-examples - all works, but when I am trying to open the same page which works with mod_jk 1.2 with applet tag - it returns error with mod_jk 2. The error log of Apache sais the same thing - applet not found. What am I doing wrong??? Help me please to figure it out. My apps directory located in the same folder that jsp-examples folder, in web.xml servlet mapping looks has the same locations like for example, plugin servlet from examples: servlet-mapping servlet-name MyApp /servlet-name url-pattern /MyApp /url-pattern /servlet-mapping 2) The second question is about security - I am running my server under the second administrator account with reassigned rights (so its not administrator anymore but it has more power then advanced user which is not enough for me). So the question is - does anybody can give tips/instructions/links to documentaton HowTo exactly I must configure my Windows to run with Apache and Tomcat without give to user so much power like I have now??? I have experienced attacks on my server so I dont have so much money to repair it again. Please help me with this if you know how - ASAP. These are my conofiguration key moments:) I am mounting my app directory in httpd.conf (in Virtual Host section) like this: ==Start Location /*.jsp JkUriSet group ajp13:site.com:8009 /Location Location /*.jspx JkUriSet group ajp13:site.com:8009 /Location Location /*.do JkUriSet group ajp13:site.com:8009 /Location ===End= My Host / in server.xml mounts apps base like this: ==Start appBase=C:\apache_home\apache-2\htdocs ===End= my wokers2.properties contains this: ==Start [uri:/*.jsp] group=ajp13:site.com:8009 [uri:/*.jspx] group=ajp13:site.com:8009 [uri:/*.do] group=ajp13:site.com:8009 [uri:/jsp-examples/*] group=ajp13:site.com:8009 [uri:/myapp-folder/*] group=ajp13:site.com:8009 ===End= Thank you very much in advance!!! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re[2]: [tomcat] Help with mod_jk2 and security on Win 2003
Thank you for reply! Yes its working on 8080, and its working if I am running just Tomcat without Apache, I am deploying it in the webapp/myapp folder of TC. I've tryed to run this app on ports from 8009 to 8100 (just for fun:)) - it works fine on any of these ports (actually I dont see any difference). Thanks in advance! Before going deeply into your config, I'd ask if your app runs well without the mod_jk2 using the (standard) 8080 port. At least that way we can figure out if the problem has to do with your tomcat configuration or with your mod_jk2 configuration. José Ernesto Echeverría [EMAIL PROTECTED] Tel. (503)8859011 -Original Message- From: Eugene [mailto:[EMAIL PROTECTED] Sent: Viernes, 13 de Agosto de 2004 09:47 p.m. To: Tomcat Users List Subject: [tomcat] Help with mod_jk2 and security on Win 2003 Hi to all! First of all - thank you for this list! It helps to individuals like I am to keep their job:) I am newbie, so maybe my questions too silly for you, but anyway I must to ask. I am running Apache 2.0.50+Tomcat 5.0.27-mod_jk 1.2 on Win 2003, JDK 1.4.2_05. 1) I dont have a problems to deploy and run it with mod_jk 1.2, but when I am trying to configure mod_jk 2 it fails. It returns java.io.FileNotFoundException when I am trying to start app. my app is in the WEB-INF/classes/MyApp.class (as always:)) BTW, Tomcat starts and runs perfectly - stderr is clear, I am trying to test it with standard jsp-examples - all works, but when I am trying to open the same page which works with mod_jk 1.2 with applet tag - it returns error with mod_jk 2. The error log of Apache sais the same thing - applet not found. What am I doing wrong??? Help me please to figure it out. My apps directory located in the same folder that jsp-examples folder, in web.xml servlet mapping looks has the same locations like for example, plugin servlet from examples: servlet-mapping servlet-name MyApp /servlet-name url-pattern /MyApp /url-pattern /servlet-mapping 2) The second question is about security - I am running my server under the second administrator account with reassigned rights (so its not administrator anymore but it has more power then advanced user which is not enough for me). So the question is - does anybody can give tips/instructions/links to documentaton HowTo exactly I must configure my Windows to run with Apache and Tomcat without give to user so much power like I have now??? I have experienced attacks on my server so I dont have so much money to repair it again. Please help me with this if you know how - ASAP. These are my conofiguration key moments:) I am mounting my app directory in httpd.conf (in Virtual Host section) like this: ==Start Location /*.jsp JkUriSet group ajp13:site.com:8009 /Location Location /*.jspx JkUriSet group ajp13:site.com:8009 /Location Location /*.do JkUriSet group ajp13:site.com:8009 /Location ===End= My Host / in server.xml mounts apps base like this: ==Start appBase=C:\apache_home\apache-2\htdocs ===End= my wokers2.properties contains this: ==Start [uri:/*.jsp] group=ajp13:site.com:8009 [uri:/*.jspx] group=ajp13:site.com:8009 [uri:/*.do] group=ajp13:site.com:8009 [uri:/jsp-examples/*] group=ajp13:site.com:8009 [uri:/myapp-folder/*] group=ajp13:site.com:8009 ===End= Thank you very much in advance!!! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Re[2]: [tomcat] Help with mod_jk2 and security on Win 2003
Well from your comments and for point #1, what's the name location of the applet? It should be locatable within your mod_jk settings as well. I recently had some problems with a particular configuration of mod_jk and the following tag worked fine for me (in the workers2.properties file): [uri:$/jsp-examples/*] Worker=ajp13:site:8009 The $ before the root context made the difference... Regards! PS. I've noticed you mention mod_jk2 but then mod_jk 1.2 in your text. Which one is it? If 1.2, have you considered upgrading to mod_jk2? José Ernesto Echeverría -Original Message- From: Eugene [mailto:[EMAIL PROTECTED] Sent: Sábado, 14 de Agosto de 2004 03:53 p.m. To: Tomcat Users List Subject: Re[2]: [tomcat] Help with mod_jk2 and security on Win 2003 Thank you for reply! Yes its working on 8080, and its working if I am running just Tomcat without Apache, I am deploying it in the webapp/myapp folder of TC. I've tryed to run this app on ports from 8009 to 8100 (just for fun:)) - it works fine on any of these ports (actually I dont see any difference). Thanks in advance! Before going deeply into your config, I'd ask if your app runs well without the mod_jk2 using the (standard) 8080 port. At least that way we can figure out if the problem has to do with your tomcat configuration or with your mod_jk2 configuration. José Ernesto Echeverría [EMAIL PROTECTED] Tel. (503)8859011 -Original Message- From: Eugene [mailto:[EMAIL PROTECTED] Sent: Viernes, 13 de Agosto de 2004 09:47 p.m. To: Tomcat Users List Subject: [tomcat] Help with mod_jk2 and security on Win 2003 Hi to all! First of all - thank you for this list! It helps to individuals like I am to keep their job:) I am newbie, so maybe my questions too silly for you, but anyway I must to ask. I am running Apache 2.0.50+Tomcat 5.0.27-mod_jk 1.2 on Win 2003, JDK 1.4.2_05. 1) I dont have a problems to deploy and run it with mod_jk 1.2, but when I am trying to configure mod_jk 2 it fails. It returns java.io.FileNotFoundException when I am trying to start app. my app is in the WEB-INF/classes/MyApp.class (as always:)) BTW, Tomcat starts and runs perfectly - stderr is clear, I am trying to test it with standard jsp-examples - all works, but when I am trying to open the same page which works with mod_jk 1.2 with applet tag - it returns error with mod_jk 2. The error log of Apache sais the same thing - applet not found. What am I doing wrong??? Help me please to figure it out. My apps directory located in the same folder that jsp-examples folder, in web.xml servlet mapping looks has the same locations like for example, plugin servlet from examples: servlet-mapping servlet-name MyApp /servlet-name url-pattern /MyApp /url-pattern /servlet-mapping 2) The second question is about security - I am running my server under the second administrator account with reassigned rights (so its not administrator anymore but it has more power then advanced user which is not enough for me). So the question is - does anybody can give tips/instructions/links to documentaton HowTo exactly I must configure my Windows to run with Apache and Tomcat without give to user so much power like I have now??? I have experienced attacks on my server so I dont have so much money to repair it again. Please help me with this if you know how - ASAP. These are my conofiguration key moments:) I am mounting my app directory in httpd.conf (in Virtual Host section) like this: ==Start Location /*.jsp JkUriSet group ajp13:site.com:8009 /Location Location /*.jspx JkUriSet group ajp13:site.com:8009 /Location Location /*.do JkUriSet group ajp13:site.com:8009 /Location ===End= My Host / in server.xml mounts apps base like this: ==Start appBase=C:\apache_home\apache-2\htdocs ===End= my wokers2.properties contains this: ==Start [uri:/*.jsp] group=ajp13:site.com:8009 [uri:/*.jspx] group=ajp13:site.com:8009 [uri:/*.do] group=ajp13:site.com:8009 [uri:/jsp-examples/*] group=ajp13:site.com:8009 [uri:/myapp-folder/*] group=ajp13:site.com:8009 ===End= Thank you very much in advance!!! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED
Re[4]: [tomcat] Help with mod_jk2 and security on Win 2003
Thank you for help. The location of my servlet is this: C:\wpub\apache\www\myapp-folder\WEB-INF\classes\MyApp.class. Weird thing - today I've tried to configure the same app at my home computer... And all works! With mod_jk or mod_jk2. BTW, mod_jk 1.2 its mod_jk (sorry:)) Anyway, I've put my old config in 'workers2.properties' exactly like on my server: [uri:/myapp-folder/*] group=ajp13:site:8009 It looks like I have a problem with mapping to the servlet. I can't exactly tell you what's wrong until Tuesday (its fin de semana largo), when I will try to experiment with configs. But for now - all difference that I have it's a different version of servers. My server runs on Windows 2003 Enterprise Server, Apache 2.0.50+Tomcat5.0.27, JDK 1.4.2_05. At my home computer I'm using Windows XP Pro SP1, Apache 2.0.48+Tomcat5.0.24, JDK 1.4.2_03. Almost forgot one more important thing - I have an additional conf for my servlet and it's configured like this: mapviewer-config WMSProvider url=MyApp map-format=JPEG/ map maplayer layerid=AllProject/ /map /mapviewer-config The old version of this app required full URL to the applet like url=http://site/myapp-flder/MyApp;, but new version must accept url=MyApp. I've configured it on both ways on the server. I have doubts about it, but maybe I've lost something, I will check it at Tuesday. Thank you very much for help! Well from your comments and for point #1, what's the name location of the applet? It should be locatable within your mod_jk settings as well. I recently had some problems with a particular configuration of mod_jk and the following tag worked fine for me (in the workers2.properties file): [uri:$/jsp-examples/*] Worker=ajp13:site:8009 The $ before the root context made the difference... Regards! PS. I've noticed you mention mod_jk2 but then mod_jk 1.2 in your text. Which one is it? If 1.2, have you considered upgrading to mod_jk2? José Ernesto Echeverría -Original Message- From: Eugene [mailto:[EMAIL PROTECTED] Sent: Sábado, 14 de Agosto de 2004 03:53 p.m. To: Tomcat Users List Subject: Re[2]: [tomcat] Help with mod_jk2 and security on Win 2003 Thank you for reply! Yes its working on 8080, and its working if I am running just Tomcat without Apache, I am deploying it in the webapp/myapp folder of TC. I've tryed to run this app on ports from 8009 to 8100 (just for fun:)) - it works fine on any of these ports (actually I dont see any difference). Thanks in advance! Before going deeply into your config, I'd ask if your app runs well without the mod_jk2 using the (standard) 8080 port. At least that way we can figure out if the problem has to do with your tomcat configuration or with your mod_jk2 configuration. José Ernesto Echeverría [EMAIL PROTECTED] Tel. (503)8859011 -Original Message- From: Eugene [mailto:[EMAIL PROTECTED] Sent: Viernes, 13 de Agosto de 2004 09:47 p.m. To: Tomcat Users List Subject: [tomcat] Help with mod_jk2 and security on Win 2003 Hi to all! First of all - thank you for this list! It helps to individuals like I am to keep their job:) I am newbie, so maybe my questions too silly for you, but anyway I must to ask. I am running Apache 2.0.50+Tomcat 5.0.27-mod_jk 1.2 on Win 2003, JDK 1.4.2_05. 1) I dont have a problems to deploy and run it with mod_jk 1.2, but when I am trying to configure mod_jk 2 it fails. It returns java.io.FileNotFoundException when I am trying to start app. my app is in the WEB-INF/classes/MyApp.class (as always:)) BTW, Tomcat starts and runs perfectly - stderr is clear, I am trying to test it with standard jsp-examples - all works, but when I am trying to open the same page which works with mod_jk 1.2 with applet tag - it returns error with mod_jk 2. The error log of Apache sais the same thing - applet not found. What am I doing wrong??? Help me please to figure it out. My apps directory located in the same folder that jsp-examples folder, in web.xml servlet mapping looks has the same locations like for example, plugin servlet from examples: servlet-mapping servlet-name MyApp /servlet-name url-pattern /MyApp /url-pattern /servlet-mapping 2) The second question is about security - I am running my server under the second administrator account with reassigned rights (so its not administrator anymore but it has more power then advanced user which is not enough for me). So the question is - does anybody can give tips/instructions/links to documentaton HowTo exactly I must configure my Windows to run with Apache and Tomcat without give to user so much power like I have now??? I have experienced attacks on my server so I dont have so much money to repair it again. Please help me with this if you know how - ASAP. These are my conofiguration key moments:) I am
Help with mod_jk2 and security on Win 2003
Hi to all! First of all - thank you for this list! It helps to individuals like I am to keep their job:) I am newbie, so maybe my questions too silly for you, but anyway I must to ask. I am running Apache 2.0.50+Tomcat 5.0.27-mod_jk 1.2 on Win 2003, JDK 1.4.2_05. 1) I dont have a problems to deploy and run it with mod_jk 1.2, but when I am trying to configure mod_jk 2 it fails. It returns java.io.FileNotFoundException when I am trying to start app. my app is in the WEB-INF/classes/MyApp.class (as always:)) BTW, Tomcat starts and runs perfectly - stderr is clear, I am trying to test it with standard jsp-examples - all works, but when I am trying to open the same page which works with mod_jk 1.2 with applet tag - it returns error with mod_jk 2. The error log of Apache sais the same thing - applet not found. What am I doing wrong??? Help me please to figure it out. My apps directory located in the same folder that jsp-examples folder, in web.xml servlet mapping looks has the same locations like for example, plugin servlet from examples: servlet-mapping servlet-name MyApp /servlet-name url-pattern /MyApp /url-pattern /servlet-mapping 2) The second question is about security - I am running my server under the second administrator account with reassigned rights (so its not administrator anymore but it has more power then advanced user which is not enough for me). So the question is - does anybody can give tips/instructions/links to documentaton HowTo exactly I must configure my Windows to run with Apache and Tomcat without give to user so much power like I have now??? I have experienced attacks on my server so I dont have so much money to repair it again. Please help me with this if you know how - ASAP. These are my conofiguration key moments:) I am mounting my app directory in httpd.conf (in Virtual Host section) like this: ==Start Location /*.jsp JkUriSet group ajp13:site.com:8009 /Location Location /*.jspx JkUriSet group ajp13:site.com:8009 /Location Location /*.do JkUriSet group ajp13:site.com:8009 /Location ===End= My Host / in server.xml mounts apps base like this: ==Start appBase=C:\apache_home\apache-2\htdocs ===End= my wokers2.properties contains this: ==Start [uri:/*.jsp] group=ajp13:site.com:8009 [uri:/*.jspx] group=ajp13:site.com:8009 [uri:/*.do] group=ajp13:site.com:8009 [uri:/jsp-examples/*] group=ajp13:site.com:8009 [uri:/myapp-folder/*] group=ajp13:site.com:8009 ===End= Thank you very much in advance!!! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Help with mod_jk2 and security on Win 2003
Hi to all! First of all - thank you for this list! It helps to individuals like I am to keep their job:) I am newbie, so maybe my questions too silly for you, but anyway I must to ask. I am running Apache 2.0.50+Tomcat 5.0.27-mod_jk 1.2 on Win 2003, JDK 1.4.2_05. 1) I dont have a problems to deploy and run it with mod_jk 1.2, but when I am trying to configure mod_jk 2 it fails. It returns java.io.FileNotFoundException when I am trying to start app. my app is in the WEB-INF/classes/MyApp.class (as always:)) BTW, Tomcat starts and runs perfectly - stderr is clear, I am trying to test it with standard jsp-examples - all works, but when I am trying to open the same page which works with mod_jk 1.2 with applet tag - it returns error with mod_jk 2. The error log of Apache sais the same thing - applet not found. What am I doing wrong??? Help me please to figure it out. My apps directory located in the same folder that jsp-examples folder, in web.xml servlet mapping looks has the same locations like for example, plugin servlet from examples: servlet-mapping servlet-name MyApp /servlet-name url-pattern /MyApp /url-pattern /servlet-mapping 2) The second question is about security - I am running my server under the second administrator account with reassigned rights (so its not administrator anymore but it has more power then advanced user which is not enough for me). So the question is - does anybody can give tips/instructions/links to documentaton HowTo exactly I must configure my Windows to run with Apache and Tomcat without give to user so much power like I have now??? I have experienced attacks on my server so I dont have so much money to repair it again. Please help me with this if you know how - ASAP. These are my conofiguration key moments:) I am mounting my app directory in httpd.conf (in Virtual Host section) like this: ==Start Location /*.jsp JkUriSet group ajp13:site.com:8009 /Location Location /*.jspx JkUriSet group ajp13:site.com:8009 /Location Location /*.do JkUriSet group ajp13:site.com:8009 /Location ===End= My Host / in server.xml mounts apps base like this: ==Start appBase=C:\apache_home\apache-2\htdocs ===End= my wokers2.properties contains this: ==Start [uri:/*.jsp] group=ajp13:site.com:8009 [uri:/*.jspx] group=ajp13:site.com:8009 [uri:/*.do] group=ajp13:site.com:8009 [uri:/jsp-examples/*] group=ajp13:site.com:8009 [uri:/myapp-folder/*] group=ajp13:site.com:8009 ===End= Thank you very much in advance!!! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat and Apache Axis Security
Actually I have tried that and it doesn't work. One of the problems is that class is visible to Tomcat only. I tried placing a copy of the jar in the common/lib area and get classloading problems. I am not sure how to make that work. If you have any other ideas I would appreciate it. Thanks for your help. -Original Message- From: Isen,Ciji [mailto:[EMAIL PROTECTED] Sent: Monday, August 09, 2004 5:00 PM To: Tomcat Users List Subject: Re: Tomcat and Apache Axis Security Have you tried access it from the Principal. GenericPrincipal p = (GenericPrincipal)request.getUserPrincipal(); String uid = p.getName(); String passwd = p.getPassword(); Srofe, Douglas (c) wrote: We use single sign for our Tomcat applications. We have another Tomcat that hosts various web services. I would like to be able to send the logged on users name and password as credentials to the web service and have Tomcat authenticate it. I have tested this part with a hardcoded user name and password and this works fine. But I need to send the username and password used when the user logged on. How do I get access to the password that was used when the user logged on so I can send it as part of the credentials to the web service? Am I going to have to write custom authenticators and realms in order to do this? Thanks for any response. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat and Apache Axis Security
We use single sign for our Tomcat applications. We have another Tomcat that hosts various web services. I would like to be able to send the logged on users name and password as credentials to the web service and have Tomcat authenticate it. I have tested this part with a hardcoded user name and password and this works fine. But I need to send the username and password used when the user logged on. How do I get access to the password that was used when the user logged on so I can send it as part of the credentials to the web service? Am I going to have to write custom authenticators and realms in order to do this? Thanks for any response.
Re: Tomcat and Apache Axis Security
Have you tried access it from the Principal. GenericPrincipal p = (GenericPrincipal)request.getUserPrincipal(); String uid = p.getName(); String passwd = p.getPassword(); Srofe, Douglas (c) wrote: We use single sign for our Tomcat applications. We have another Tomcat that hosts various web services. I would like to be able to send the logged on users name and password as credentials to the web service and have Tomcat authenticate it. I have tested this part with a hardcoded user name and password and this works fine. But I need to send the username and password used when the user logged on. How do I get access to the password that was used when the user logged on so I can send it as part of the credentials to the web service? Am I going to have to write custom authenticators and realms in order to do this? Thanks for any response. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Symantec Mail Security detected that you sent a message containing prohibited content (SYM:01879276160509391668)
Hi, Could the tomcat-user subscriber at this domain (talisentech.com) please tell me what prohibited content my message contained, and if it did not contain any, please properly configure their mail security program? Thanks, Frans [EMAIL PROTECTED] wrote: Subject of the message: Re: Mysterious null pointer exception Recipient of the message: Tomcat Users List [EMAIL PROTECTED] -- Quinity : Your Partner In eBusiness Solution Delivery Biltstraat 449 3572 AW Utrecht P.O. Box 13097 3507 LB Utrecht The Netherlands Telephone: (+31) (0)30 2335999 Fax : (+31) (0)30 2335998 WWW : http://www.quinity.com The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Quinity is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions
I'm experiencing this same issue. I've got Tomcat 5.0.27, Apache 2.0.46, and jk2 version 2.0.4. Has there been any solution? It occurs primarily under heavy load. -Joshua Szmajda We've got a similar issue, though this in on Linux and using channelUnix/JNI instead of normal tcp channelSocket. We're using Apache2/mod_jk2 (built from tomcat-connectors-1.1M1). On heavy load, there are over 3000 sockets open by one Tomcat/JVM, they don't seem to go down again too while Tomcat is running. (since File Descriptor limit on Solaris is lower normally (1024 or summat i think) this would cause us heavy problems there too) The Tomcats and Apache are restarted during the night to free up Memory, so socket count goes down then. However the application doesn't seem to be affected by this. In catalina.out there are many errors like this: org.apache.jk.common.ChannelUn receive SEVERE: receive error: 12 java.lang.Throwable at org.apache.jk.common.ChannelUn.receive(ChannelUn.java:230) at org.apache.jk.common.ChannelUn.processConnection(ChannelUn.java:282) at org.apache.jk.common.AprConnection.runIt(ChannelUn.java:350) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:631) at java.lang.Thread.run(Thread.java:536) org.apache.jk.common.JniHandler nativeDispatch SEVERE: nativeDispatch: error -3 java.lang.Throwable at org.apache.jk.common.JniHandler.nativeDispatch(JniHandler.java:312) at org.apache.jk.common.ChannelUn.send(ChannelUn.java:221) at org.apache.jk.common.ChannelUn.invoke(ChannelUn.java:306) at org.apache.jk.server.JkCoyoteHandler.doWrite(JkCoyoteHandler.java:249) at org.apache.coyote.Response.doWrite(Response.java:530) at org.apache.coyote.tomcat4.OutputBuffer.realWriteBytes(OutputBuffer.java:384) at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:439) at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:359) at org.apache.coyote.tomcat4.OutputBuffer.writeBytes(OutputBuffer.java:411) at org.apache.coyote.tomcat4.OutputBuffer.write(OutputBuffer.java:398) at org.apache.coyote.tomcat4.CoyoteOutputStream.write(CoyoteOutputStream.java:110) at org.apache.catalina.servlets.DefaultServlet.copyRange(DefaultServlet.java:1996) at org.apache.catalina.servlets.DefaultServlet.copy(DefaultServlet.java:1745) at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:1073) at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:506) . - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions
I'm experiencing this same issue. I've got Tomcat 5.0.27, Apache 2.0.46, and jk2 version 2.0.4. Has there been any solution? It occurs primarily under heavy load. -Joshua Szmajda We've got a similar issue, though this in on Linux and using channelUnix/JNI instead of normal tcp channelSocket. We're using Apache2/mod_jk2 (built from tomcat-connectors-1.1M1). On heavy load, there are over 3000 sockets open by one Tomcat/JVM, they don't seem to go down again too while Tomcat is running. (since File Descriptor limit on Solaris is lower normally (1024 or summat i think) this would cause us heavy problems there too) The Tomcats and Apache are restarted during the night to free up Memory, so socket count goes down then. However the application doesn't seem to be affected by this. In catalina.out there are many errors like this: org.apache.jk.common.ChannelUn receive SEVERE: receive error: 12 java.lang.Throwable at org.apache.jk.common.ChannelUn.receive(ChannelUn.java:230) at org.apache.jk.common.ChannelUn.processConnection(ChannelUn.java:282) at org.apache.jk.common.AprConnection.runIt(ChannelUn.java:350) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:631) at java.lang.Thread.run(Thread.java:536) org.apache.jk.common.JniHandler nativeDispatch SEVERE: nativeDispatch: error -3 java.lang.Throwable at org.apache.jk.common.JniHandler.nativeDispatch(JniHandler.java:312) at org.apache.jk.common.ChannelUn.send(ChannelUn.java:221) at org.apache.jk.common.ChannelUn.invoke(ChannelUn.java:306) at org.apache.jk.server.JkCoyoteHandler.doWrite(JkCoyoteHandler.java:249) at org.apache.coyote.Response.doWrite(Response.java:530) at org.apache.coyote.tomcat4.OutputBuffer.realWriteBytes(OutputBuffer.java:384) at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:439) at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:359) at org.apache.coyote.tomcat4.OutputBuffer.writeBytes(OutputBuffer.java:411) at org.apache.coyote.tomcat4.OutputBuffer.write(OutputBuffer.java:398) at org.apache.coyote.tomcat4.CoyoteOutputStream.write(CoyoteOutputStream.java:110) at org.apache.catalina.servlets.DefaultServlet.copyRange(DefaultServlet.java:1996) at org.apache.catalina.servlets.DefaultServlet.copy(DefaultServlet.java:1745) at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:1073) at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:506) . - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]