Re: How to get Tomcat to give a new session for a new window
Hi M.Hockings, If you tell us exactly wot it is u trying to do maybe we can find a solution... but here is an idea. A session is just a cookie stored under the domain name... so JSessionID is given a unique number like AABB445566778899 and that number is tracked. When you store stuff in a session its really just mapped to that number. As long as the domain is the same... that number comes back from the browser and that means all the stuff you have stored in its attributes is recallable. So if you have stored form data in the session... if the user opens another window, it will appear the same and I think thats your problem, also most of the time its what a user expects. In the old days when all browsers didnt support cookies... you had the choice of writing the persistant info into the URL a little like google does it or one could use hidden form fields. These other techniques are page specific and I think thats wot you looking for. So... you can still store stuff in the session... its nice and easy... but wot you also do is generate a unique number and stick it in a hidden field on the first form registration page request. So when that is returned you getting info that says its from that browser, AABB445566778899 registration process XX1, XX2 etc. Important thing I wanted to say it that you dont really want to mess with the main session its got too much functionality behind it... like session objects and attribute are cleaned up for you they used in load sharing to detect browsers... they used in security for SSO... etc etc if you do manage to change it... I think you will end up with a whole bunch of other problems. I think all you need to do is look up hidden form fieldshave fun. - Original Message - From: M.Hockings [EMAIL PROTECTED] To: users@tomcat.apache.org Sent: Thursday, May 17, 2007 11:39 PM Subject: How to get Tomcat to give a new session for a new window I would like, somehow, to be able to programatically create a new session on demand but I can't quite figure out how to get Tomcat to give me one. That is, for our webapp it can detect at logon when a session is in use and currently gives the user an already-in-use message. What we would like to do is when this condition is detected force the creation of a new session without damaging the old one. This would happen for example when the user tries to start a second instance of the webapp in a new browser tab or child window. Is there any way to do this? I have tried request.getSession(true) but it only creates a session if one does not already exist. Thanks for any thoughts or suggestions. Mike - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: UserDatabase security
As far as I am aware you cannot resolve this problem except by switching
to LDAP for your authentication. (Although I would be happy to be
corrected!)
For any larger scale hosting, LDAP provides a more secure solution.
(However it does add an extra point of failure). Any hosting solution
where users share the same instance of tomcat is dubious because anyone
can read anyones files!
Which gets me thinking, what is to stop anyone writing an application
that simply deletes the tomcat installation?
Best Regards,
Jacob
Jerome Benezech wrote:
Hi,
I have a question regarding Tomcat server UserDatabase
on Linux.
When choosing a MemoryUserDatabase, tomcat users and
passwords are declared in a tomcat-users.xml file. The
tomcat user running the server must have read
permission on this file.
At the same time, all webapps running in tomcat are
running under the same Linux user ('tomcat'). So any
webapp can access this file and display its content.
My app is hosted on a shared Linux server. With the
present configuration, I can retrieve this file and
display every user login/password, then if I wanted
to, I could go into somebody else' webapp manager and
undeploy it.
I am a bit worried that somebody would do that to
me...
Is there a way to ensure that only the root user can
read this file ?
Thanks
Jerome
Jerome Benezech
[EMAIL PROTECTED]
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
___
Jacob Rhoden - http://uptecs.com/
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: UserDatabase security
As far as I am aware you cannot resolve this problem
except by switching
to LDAP for your authentication. (Although I would
be happy to be
corrected!)
In this case, which user would be authenticated in
LDAP ? If th user connecting to LDAP is 'tomcat', the
issue remains no ?
Which gets me thinking, what is to stop anyone
writing an application
that simply deletes the tomcat installation?
Exactly, a simple Runtime.exec could do a lot of
damage for all webapps and tomcat install
Jerome Benezech wrote:
Hi,
I have a question regarding Tomcat server
UserDatabase
on Linux.
When choosing a MemoryUserDatabase, tomcat users
and
passwords are declared in a tomcat-users.xml file.
The
tomcat user running the server must have read
permission on this file.
At the same time, all webapps running in tomcat
are
running under the same Linux user ('tomcat'). So
any
webapp can access this file and display its
content.
My app is hosted on a shared Linux server. With
the
present configuration, I can retrieve this file
and
display every user login/password, then if I
wanted
to, I could go into somebody else' webapp manager
and
undeploy it.
I am a bit worried that somebody would do that to
me...
Is there a way to ensure that only the root user
can
read this file ?
Thanks
Jerome
Jerome Benezech
[EMAIL PROTECTED]
-
To start a new topic, e-mail:
users@tomcat.apache.org
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
___
Jacob Rhoden - http://uptecs.com/
-
To start a new topic, e-mail:
users@tomcat.apache.org
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
Jerome Benezech
[EMAIL PROTECTED]
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
javax.servlet.ServletException: Java heap space
Hi, I have this error : javax.servlet.ServletException: Java heap space But I can find how I can change this in catalina.sh. Can you have the solution? Cordially Aurelien Allienne
Re: UserDatabase security
Jerome Benezech wrote:
I have a question regarding Tomcat server UserDatabase
on Linux.
When choosing a MemoryUserDatabase, tomcat users and
passwords are declared in a tomcat-users.xml file. The
tomcat user running the server must have read
permission on this file.
At the same time, all webapps running in tomcat are
running under the same Linux user ('tomcat'). So any
webapp can access this file and display its content.
My app is hosted on a shared Linux server. With the
present configuration, I can retrieve this file and
display every user login/password, then if I wanted
to, I could go into somebody else' webapp manager and
undeploy it.
I am a bit worried that somebody would do that to
me...
Is there a way to ensure that only the root user can
read this file ?
Well, Tomcat needs to be able to read that file so you must make it
readable for Tomcat.
OTOH: instead of plaintext passwords you could use digested ones. Take a
look at the digest attribute of Realm and bin/digest.sh.
Regards
mks
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: UserDatabase security
Jerome Benezech wrote: As far as I am aware you cannot resolve this problem except by switching to LDAP for your authentication. (Although I would be happy to be corrected!) In this case, which user would be authenticated in LDAP ? If th user connecting to LDAP is 'tomcat', the issue remains no ? Not quite. You reconfigure tomcat to use LDAP to lookup passwords, instead of reading a text file. LDAP is a server that listens on a port on a server. So the passwords are no longer stored and owned by the tomcat user, but by the LDAP server, which can have its own file permissions and so on. Make sense? Lookup Tomcat LDAP in google. (: ___ Jacob Rhoden - http://uptecs.com/ - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Missing ETag in 304 Header
Hi, the spec says that a 304 response MUST include header - ETag and/or Content-Location, if the header would have been sent in a 200 response to the same request Does Tomcat send an ETag header in a 200 response when it serves static content? If not (and I assume that it doesn't), I read the spec in a sense that it is o.k. for the 304 response not to include an ETag. For static content, last modified information usually is sufficient to decide whether a cache entry is still valid, so what additional should an ETag header deliver in that case? Regards, Matthias -Original Message- From: Rashmi Rubdi [mailto:[EMAIL PROTECTED] Sent: Friday, May 18, 2007 3:10 AM To: Tomcat Users List Subject: Re: Missing ETag in 304 Header On 5/16/07, Joe Mun [EMAIL PROTECTED] wrote: Hi guys... so according to the HTTP 1.1 spec ( http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), 304 Not Modified responses must include the ETag in the header. However, Tomcat doesn't seem to be adding it... I am serving a static text file, and the header only returns: HTTP/1.x 304 Not Modified Server: Apache-Coyote/1.1 Date: Wed, etc... I examined the header returned by Tomcat 6.0.10 with Firefox's TamperData extension and also by uncommenting Tomcat's RequestDumperValve. You are right that the ETag header doesn't appear. However, I saw another cache related header if-none-match , which also shows a checksum in the same format as ETag , perhaps you may find that header useful. May 17, 2007 9:01:46 PM org.apache.catalina.valves.RequestDumperValve invoke INFO: header=if-none-match=W/6958-1163795820656 I don't really know what causes the ETag to appear, I would expect it to appear by default without any configuration similar to many other HTTP Caching Headers. I did notice the ETag for static files on one website that is hosted on Apache httpd + Tomcat. Is there a reason that the Etag is not being included? Is there a way to configure Tomcat to include this? My company is working with a caching solution provider, and they are complaining about the missing ETag. thanks. Regards Rashmi - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: UserDatabase security
Right, stupid comment Will see if we can do with LDAP or maybe just putting digested passwords would be ok. Thanks for your help Jerome --- Jacob Rhoden [EMAIL PROTECTED] wrote: Jerome Benezech wrote: As far as I am aware you cannot resolve this problem except by switching to LDAP for your authentication. (Although I would be happy to be corrected!) In this case, which user would be authenticated in LDAP ? If th user connecting to LDAP is 'tomcat', the issue remains no ? Not quite. You reconfigure tomcat to use LDAP to lookup passwords, instead of reading a text file. LDAP is a server that listens on a port on a server. So the passwords are no longer stored and owned by the tomcat user, but by the LDAP server, which can have its own file permissions and so on. Make sense? Lookup Tomcat LDAP in google. (: ___ Jacob Rhoden - http://uptecs.com/ - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Jerome Benezech [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
path mapping on tomcat
Hello, I need to do in Tomcat 6 the equivalent of these Resin 2 directives : path-mapping url-pattern=/activeadv/* real-path=/doc_root/activeadv// path-mapping url-pattern=/includes/* real-path=/doc_root/includes// Thank you.
Re: displaying customized error page in tomcat 5.5.12
You are right Tim, How I came to know about this might explain why ! I changed my war file to ROOT.war as this is situation in our website's tomcat. Now when I go to localhost:8080/ my application is displayed properly something like localhost:8080/eApp gives the custom 404 page I designed and placed in newly renamed ROOT folder. But When I am trying to reload my root using manager/html and at the same time trying to access localhost:8080/, tomcat do not show custom page rather it sends a blank page. So, is apache web server is the only option left for me ?? can virtual hosting be used here ?? Thanks and Regards: Quayum Sagri On 5/17/07, Tim Lucia [EMAIL PROTECTED] wrote: That will work, but only if the root (/) context is available and running. This may or may not solve some or all of your problem(s). Tim -Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Thursday, May 17, 2007 12:08 PM To: Tomcat Users List Subject: Re: displaying customized error page in tomcat 5.5.12 Hi Tim, Thanks for that explanation. We are not using any web server, so, I cannot configure in httpd file. I resolved the problem using the same error-page tag. I have placed my custom error page in webapps/ROOT directory. Thanks for your support. On 5/17/07, Tim Lucia [EMAIL PROTECTED] wrote: -Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Thursday, May 17, 2007 2:01 AM To: Tomcat Users List Subject: Re: displaying customized error page in tomcat 5.5.12 Hi Tim Lucia, I'm guessing you can add a global error-page to Tomcat's conf/web.xml, but then it would apply to all apps on the server. This may or may not work for you. This is my target. If my tomcat recieves a context which is not in my tomcat, it should send customised page. And this is applicable to all the apps on server. What can be the reason for it, not working for me? I don't know. I've never tried it. You'll have to give specific reasons why it's not working, including configuration files as appropriate. I did this via httpd. Please Let me know WHAT IS FRONTING with httpd. please give me any links if you have for that. how to front my tomcat with httpd. Also I do not have any file named httpd.conf in my tomcat. I meant using Apache's httpd web server in front of Tomcat, connecting the two via mod_jk or mod_proxy. See http://tomcat.apache.org/connectors-doc/reference/apache.html for more ideas. In this case, I do send a custom 404 from httpd, regardless of whether it was local or came from Tomcat. Tim Thank you very much. On 5/16/07, Tim Lucia [EMAIL PROTECTED] wrote: In order for the custom error page to be used, the application must be deployed. I.e., Tomcat can give a custom 404 for /mycontext/badpagerequested.jsp but if there is no context /mycontext because the app is not (yet) deployed, Tomcat cannot know about your custom error page. I'm guessing you can add a global error-page to Tomcat's conf/web.xml, but then it would apply to all apps on the server. This may or may not work for you. If you have fronted Tomcat with httpd, you might be able to use custom error pages there instead. JK will send a 503 if the application is not currently available. Tim -Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 16, 2007 6:27 AM To: users@tomcat.apache.org Subject: displaying customized error page in tomcat 5.5.12 Hi all, I found that while we are updating our application, the application is not known to tomcat, untill it is completed. So tomcat sends 503 page as resource not found. I want to know is virtual hosting is the right way to deal with this issue.? Or can this be done using customised error pages. Is it possible to customise the 503 / 404 page, so that, for any resource not found issue, tomcat displays the customised page. That is if the web application is not presents in tomcats web apps directory, tomcat should display this customised error page. I found that usually custom error pages are written for a specific web application. If some error occurs in that web application, the error page is displayed using that web applications web.xml. I want to extend it to whole tomcat. I have added the following code in tomcat5.5.12/conf/web.xml after welcome file list tab error-page error-code404/error-code location/error404.html/location /error-page Now when I try for a resource that is not available in my tomcat, the result is a blank page instead of 404/- default page or my customised
Re: UserDatabase security
Hi Jerome...
Dont think its possible with tomcat doesnt have an encrypted password
store.
But I think you right... its part of a more general issue... namely that the
server as a user, is a power user, and has to be able to get at resources on
the machine... so you got this power user guarding all other users. Now if
the passwords are used in a web only context... not too big a problem... but
if the password is also the users XP password, and they have access to the
company's treasury... its a huge problem.
Now you will see that this is also an issue on other systems... even systems
that have the privilege of being able to integrate with the subsystem...
like for example IIS on Active Directory.
Where the password will not be stored normally... ie the hash of the
password is stored and thats protected behind admin priveleges... this all
breaks down because of the way BASIC and DIGEST authentication works... you
will see that then they have to store the original password (as a
reversible process) because without it... its not possible to make Digest
and Basic work... those systems need to get at the original plain text
password.
I think BASIC could be made to work with a hash, but I dont think Digest can
work at all without it (plain text password) and on the web Digest is
the better scheme... Basic is very vunerable.
Anyway... the thing is... theres tradeoffs... so if u looking for a
foolproof scheme... you not going to find it.
I do think that Tomcat could do with an encrypted password storage scheme...
ie there is a master password, stored as a hash... and only the system can
get to it and decrypt the passwords stored in users.xml. But having said
that... how would that work with other realms because now they have to
interoperate... and that means there has to be an single point of security
access... it all gets very complicated.
I've just made my own simple security solution for servlets, maybe you want
to look at it.
http://coolese.100free.com/ Its called GangBang... yeah I know... my
imagination is in the gutter ha ha... but its called that because it allows
for single sign on across domains, and multiple machines.
Anyway... I'm getting there because wots on your mind also worried me and I
want to tell you how GangBang handles it.
Like Tomcat it has a plain visible password store... because its easy, and
for many systems its all you need.
BUT... then what I did instead of going for the preconfigured realm idea...
is just expose an interface... so the system can be told to ask another
little class for the password and user roles. So wot this does is allow you
to do anything you want... for example if you wanted to store encrypted
passwords in your database... you can. Dont know enough about LDAP to really
comment but I imagine one could set up a one way password scheme on it AND a
reversible scheme just for your web server... point is you can code wot ever
u have 2.
In your case you could encrypt the passwords and store them in a file...
behind a master password with a little salt... in your web-app.
Security in theory should be visible... ie you should be able to tell people
the scheme and its still difficult... but I'm beginning to think that in a
cross platform system like tomcat... its near impossible... so all I came up
with is a way to let the programmer do whatever they want.
Can it stop someone hacking Tomcat as a power user no... I dont think
anything can... that like trying to keep an administrator out of a system.
But can you make it damn difficult to get at sensitive passwords yes.
... have fun
- Original Message -
From: Jerome Benezech [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Friday, May 18, 2007 6:29 AM
Subject: UserDatabase security
Hi,
I have a question regarding Tomcat server UserDatabase
on Linux.
When choosing a MemoryUserDatabase, tomcat users and
passwords are declared in a tomcat-users.xml file. The
tomcat user running the server must have read
permission on this file.
At the same time, all webapps running in tomcat are
running under the same Linux user ('tomcat'). So any
webapp can access this file and display its content.
My app is hosted on a shared Linux server. With the
present configuration, I can retrieve this file and
display every user login/password, then if I wanted
to, I could go into somebody else' webapp manager and
undeploy it.
I am a bit worried that somebody would do that to
me...
Is there a way to ensure that only the root user can
read this file ?
Thanks
Jerome
Jerome Benezech
[EMAIL PROTECTED]
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail:
Re: Tomcat URL redirect ?
Hi Will this approach redirect the page to other when one is under reloading or upgration? The situation is that, we want to send a customised error page when our website is under upgration. It will approximately take 1 hour for uploading a new war file on our server. During this time I want to show some custom page. Thank You. Regards: Sagri On 5/18/07, Jerome Benezech [EMAIL PROTECTED] wrote: Would something like this do ? Host name=mydomain.com appbase=... Aliaswww.mydomain.com/Alias Context.../Context /Host --- Jerome Benezech [EMAIL PROTECTED] wrote: Hi, Is there a way to configure Tomcat so that the URL http://www.mydomain.com/myapp would be the same as http://mydomain.com/mywebapp ? I noticed that Tomcat creates 2 directories under $TOMCAT_HOME/work/Catalina: $TOMCAT_HOME/work/Catalina/mydomain.com and $TOMCAT_HOME/work/Catalina/www.mydomain.com Then each directory has its own cache files for my webapp. So everything works as if I had 2 webapps (www.mydomain.com and mydomain.com). This means that the amount of memory used by the server is double and also that if a user authenticates itself using www.mydomain.com, he would not be authenticated under mydomain.com. Thanks Jerome Jerome Benezech [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Jerome Benezech [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: path mapping on tomcat
Nice didnt know Resin did that... I think the answer is you cant do it from XML configs... but maybe a guru will correct me... hopefully ;) Its probably about 20 lines of code though I do that sort of stuff in a servlet. ie in Tomcat you can map urls to a servlet... and then let the servlet display the Jsp or other servlet... which is wot I imagine Resins default invoker servlet is doing... Got me wondering probably fairly easy to modify Tomcats default servlet to do that... Just a guess... but i wonder wot one would find if u searched for tomcat invoker servlet enhancements... kinda thing that I imagine has been done... The official answer is... tomcat users can program dude!... we dont need that... haha but it is kinda nice ;) - Original Message - From: Manca Davide [EMAIL PROTECTED] To: users@tomcat.apache.org Sent: Friday, May 18, 2007 9:42 AM Subject: path mapping on tomcat Hello, I need to do in Tomcat 6 the equivalent of these Resin 2 directives : path-mapping url-pattern=/activeadv/* real-path=/doc_root/activeadv// path-mapping url-pattern=/includes/* real-path=/doc_root/includes// Thank you. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: UserDatabase security
Jerome Benezech wrote: Is there a way to ensure that only the root user can read this file ? Not quite root only but it will meet your requirement... Run Tomcat under a security manager. That way, webapps don't have access to files outside the docBase without explicit permissions being defined. This also protects from applications calling System.exit() and a host of other issues. Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Suspected mod_jk connection problems
tomcat wrote: [error] ajp_service::jk_ajp_common.c (1659): Client connection aborted or network problems Could there be a firewall that is dropping the connection for some reason? Any further comments or suggestions would be kindly appreciated. That it works on your local network but not remotely strongly suggests a network issue. HTH, Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Suspected mod_jk connection problems
Hello All, I have a server that is not too heavily trafficked (yet!) that, to the user appears to hang on pages. This appears to be happening most often to users outside my network, as it has not been encountered by our developers unless they are working from home. I am not seeing any network issues, internally, but I do see these errors in my jk.log quite a lot: [error] ajp_service::jk_ajp_common.c (1659): Client connection aborted or network problems I've looked this error up in my search engines with no hits. Any suggestions on what to look for or how to clear this up? Configuration: CentOS 4.4 Apache 2.0.52 Jakarta-Tomcat 5.5.7 mod_jk-1.2.8 Thanks, Glenn At 05:41 PM 5/17/2007, you wrote: I used to work with a Sys Admin whose expertise was chaing the sys admin password when asked about issues such as interconnecting thru Pix he would say let me get back to you..it sounds like this sys admin is working for you now Anyway here is a quick tutorial on configuring pix http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch02_:_Introduction_to_Networking You'll have to do some fun things like setting up arp tables and such This will guarantee that IP x.x.x.x:PortX will be forwarded to y.y.y.y:PortY the other thing that you can do is open up your subnet mask which is probably set to something massively restrictive like 255.255.255.254 HTH/ I am the systems administrator. I generally build/install maintain the systems that my developers deploy on. Since this looks more like a network problem (to management), I've been tasked to solve the problem. However, it looks more like a Tomcat connector problem since I have not found any obvious network errors. One important note: I am using multiple virtual ethernet ports to support multiple SSL certs on this machine and I think that this could be part of the problem. This is a single Apache/mod_jk/Tomcat server with Apache handling port 80 and Tomcat on port 8009. I am also seeing: mod_jk: Error flushing \n errors in my Apache error log. I have read that updating the mod_jk may solve this problem, but I have not tied the two problems as a cause/effect of the other. Any further comments or suggestions would be kindly appreciated. Thanks, Glenn - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: displaying customized error page in tomcat 5.5.12
-Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Friday, May 18, 2007 3:54 AM To: Tomcat Users List Subject: Re: displaying customized error page in tomcat 5.5.12 You are right Tim, How I came to know about this might explain why ! I changed my war file to ROOT.war as this is situation in our website's tomcat. Now when I go to localhost:8080/ my application is displayed properly something like localhost:8080/eApp gives the custom 404 page I designed and placed in newly renamed ROOT folder. But When I am trying to reload my root using manager/html and at the same time trying to access localhost:8080/, tomcat do not show custom page rather it sends a blank page. So, is apache web server is the only option left for me ?? can virtual hosting be used here ?? I don't know. I use ErrorDocument 503 /maintenance.html ErrorDocument 404 /404.html in my httpd.conf and httpd sends the custom error page for me. Maybe someone else can offer you a different solution. Tim Thanks and Regards: Quayum Sagri On 5/17/07, Tim Lucia [EMAIL PROTECTED] wrote: That will work, but only if the root (/) context is available and running. This may or may not solve some or all of your problem(s). Tim -Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Thursday, May 17, 2007 12:08 PM To: Tomcat Users List Subject: Re: displaying customized error page in tomcat 5.5.12 Hi Tim, Thanks for that explanation. We are not using any web server, so, I cannot configure in httpd file. I resolved the problem using the same error-page tag. I have placed my custom error page in webapps/ROOT directory. Thanks for your support. On 5/17/07, Tim Lucia [EMAIL PROTECTED] wrote: -Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Thursday, May 17, 2007 2:01 AM To: Tomcat Users List Subject: Re: displaying customized error page in tomcat 5.5.12 Hi Tim Lucia, I'm guessing you can add a global error-page to Tomcat's conf/web.xml, but then it would apply to all apps on the server. This may or may not work for you. This is my target. If my tomcat recieves a context which is not in my tomcat, it should send customised page. And this is applicable to all the apps on server. What can be the reason for it, not working for me? I don't know. I've never tried it. You'll have to give specific reasons why it's not working, including configuration files as appropriate. I did this via httpd. Please Let me know WHAT IS FRONTING with httpd. please give me any links if you have for that. how to front my tomcat with httpd. Also I do not have any file named httpd.conf in my tomcat. I meant using Apache's httpd web server in front of Tomcat, connecting the two via mod_jk or mod_proxy. See http://tomcat.apache.org/connectors-doc/reference/apache.html for more ideas. In this case, I do send a custom 404 from httpd, regardless of whether it was local or came from Tomcat. Tim Thank you very much. On 5/16/07, Tim Lucia [EMAIL PROTECTED] wrote: In order for the custom error page to be used, the application must be deployed. I.e., Tomcat can give a custom 404 for /mycontext/badpagerequested.jsp but if there is no context /mycontext because the app is not (yet) deployed, Tomcat cannot know about your custom error page. I'm guessing you can add a global error-page to Tomcat's conf/web.xml, but then it would apply to all apps on the server. This may or may not work for you. If you have fronted Tomcat with httpd, you might be able to use custom error pages there instead. JK will send a 503 if the application is not currently available. Tim -Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 16, 2007 6:27 AM To: users@tomcat.apache.org Subject: displaying customized error page in tomcat 5.5.12 Hi all, I found that while we are updating our application, the application is not known to tomcat, untill it is completed. So tomcat sends 503 page as resource not found. I want to know is virtual hosting is the right way to deal with this issue.? Or can this be done using customised error pages. Is it possible to customise the 503 / 404 page, so that, for any resource not found issue, tomcat displays the customised page. That is if the web application is not presents in tomcats web apps directory,
Multiple JVM in Tomat
Hi all, Do you have any documentation link on how to setup tomcat to spawn a different JVM per webapp ? Cheers, Jerome Jerome Benezech [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: UserDatabase security
Thanks for the info, that would do great. Any link on documentation to configure tomcat that way ? --- Mark Thomas [EMAIL PROTECTED] wrote: Jerome Benezech wrote: Is there a way to ensure that only the root user can read this file ? Not quite root only but it will meet your requirement... Run Tomcat under a security manager. That way, webapps don't have access to files outside the docBase without explicit permissions being defined. This also protects from applications calling System.exit() and a host of other issues. Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Jerome Benezech [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Multiple JVM in Tomat
From: Jerome Benezech [mailto:[EMAIL PROTECTED] Do you have any documentation link on how to setup tomcat to spawn a different JVM per webapp ? By hand. See the documentation on setting up multiple instances - to my knowledge, there's no way of setting up Tomcat to spawn JVMs. Note that each instance will require its own set of ports. - Peter - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: I've been trying to unsubscribe from this list for years.
At 11:48 PM 5/17/2007, you wrote: When you send an email to [EMAIL PROTECTED] add the word Unsubscribe to the email's subject and body, that worked for me when I was trying to switch my e-mails. I think it sends you an additional e-mail to confirm unsubscription, reply to that one as well. Then you should receive a final email with something like good bye in the subject. -Rashmi On 5/17/07, Keith Adams [EMAIL PROTECTED] wrote: No matter how many times I send a blank email to: [EMAIL PROTECTED], like the one I sent at 11.19 Eastern this morning, nothing happens. I use a rule to delete them permanently when I'm in Outlook, but when I use my company's web outlook, it can only move them to the deleted-items folder, which rapidly fills up, making it very hard for me to find things in there if I need to. Please help. Thanks, Keith I had a broken mail account that was subscribed to this list and that I could not reply from. I successfully unsubscribed yesterday by sending to: [EMAIL PROTECTED] I replied from a different account and it worked! Cheers! - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Multiple JVM in Tomat
OK so I would have several tomcat instances running on different ports. This is fine but how would that impact memory usag eon the server ? I guess every tomcat instance needs quiet a bit of initial memory. Then that means this amount of memory would be multiplied by the number of webapps... Also, any link on that doc ? Can't find it in the main Tomcat documentation... --- Peter Crowther [EMAIL PROTECTED] wrote: From: Jerome Benezech [mailto:[EMAIL PROTECTED] Do you have any documentation link on how to setup tomcat to spawn a different JVM per webapp ? By hand. See the documentation on setting up multiple instances - to my knowledge, there's no way of setting up Tomcat to spawn JVMs. Note that each instance will require its own set of ports. - Peter Jerome Benezech [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat URL redirect ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Abdul, Abdul Qayyum wrote: Will this approach redirect the page to other when one is under reloading or upgration? IIRC, during a webapp reload, Tomcat will issue a 503 response. You might be able to catch this at the Tomcat level and display a certain please wait page. I do this using the ErrorDocument directive available through Apache httpd. The situation is that, we want to send a customised error page when our website is under upgration. It will approximately take 1 hour for uploading a new war file on our server. During this time I want to show some custom page. Might I suggest that you upload your WAR file and /then/ deploy it? I'm not sure how Tomcat does how upgrades (I hope it's smart enough to wait until the WAR is fully uploaded to reload the webapp), but an hour of down time is a /lot/. If all you're waiting for is the WAR file to upload, then you do not need this additional downtime, and should avoid it if possible. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGTZ/r9CaO5/Lv0PARAp2VAJ0Z85eclykwIGie8zcWqUvtvJ7GQQCgnuPl j0UecbcpBzDR+L0wxcnyrtA= =ZzR4 -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Multiple JVM in Tomat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jerome, Jerome Benezech wrote: OK so I would have several tomcat instances running on different ports. This is fine but how would that impact memory usag eon the server ? The same impact as a single Tomcat starting multiple VMs (however /that/ would work). I guess every tomcat instance needs quiet a bit of initial memory. Then that means this amount of memory would be multiplied by the number of webapps... Yes. More JVMs means more memory required. Also, any link on that doc ? Can't find it in the main Tomcat documentation... Look at the RUNNING.txt file that comes with every Tomcat distribution. If you have a package-managed bundle of Tomcat, just download one of the real packages from the Tomcat web site and read that file. It should still be accurate. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGTZ7w9CaO5/Lv0PARAuLvAJ0bV39WfJ8G7YRnbuRVwGFmW3U+bQCgmSQX MaDiQdVsV9CwO363wKtur3c= =SdZX -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: UserDatabase security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jacob, Jacob Rhoden wrote: Jerome Benezech wrote: In this case, which user would be authenticated in LDAP ? If th user connecting to LDAP is 'tomcat', the issue remains no ? Not quite. You reconfigure tomcat to use LDAP to lookup passwords, instead of reading a text file. LDAP is a server that listens on a port on a server. So the passwords are no longer stored and owned by the tomcat user, but by the LDAP server, which can have its own file permissions and so on. I believe Jerome is correct... the problem is merely moved. We have this discussion repeatedly on the list... how to authenticate without putting a plaintext password anywhere. It's basically impossible. Somehow, Tomcat has to authenticate itself to someone, so a password must be somewhere. The advantages to switching to LDAP (or RDBMS, or any other authentication, really) are that you can hide all but one of the passwords from snoopers on the local machine. You'll still need to have a set of credentials available to Tomcat, though, and so the issue remains. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGTZ5N9CaO5/Lv0PARAvzIAJ0SK/E3+3seb4ZlrxO7Iz52N3HeQQCcCiA0 bwrB487ErHiHNwn/geIK5X4= =knKw -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: I've been trying to unsubscribe from this list for years.
And on a completely unrelated note, ask your sysadmin how to set up server-side Outlook rules. They'll work in both your outlook client and through your webmail. -Original Message- From: Keith Adams [mailto:[EMAIL PROTECTED] Sent: Thursday, May 17, 2007 9:33 PM To: [EMAIL PROTECTED]; users@tomcat.apache.org Subject: I've been trying to unsubscribe from this list for years. No matter how many times I send a blank email to: [EMAIL PROTECTED], like the one I sent at 11.19 Eastern this morning, nothing happens. I use a rule to delete them permanently when I'm in Outlook, but when I use my company's web outlook, it can only move them to the deleted-items folder, which rapidly fills up, making it very hard for me to find things in there if I need to. Please help. Thanks, Keith - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Missing ETag in 304 Header
Tomcat DOES return ETag headers with static resources, and DOES NOT return the ETag with 304 responses. That seems wrong according to the quoted part of the spec. Here are the headers from a couple of Firefox requests for the same file. Note the first response is a 200 with an ETag, the second is a 304 without an ETag. -- http://localhost:8080/tomcat.gif GET /tomcat.gif HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: ShowOptions=1; loadDefault=Folder Pragma: no-cache Cache-Control: no-cache HTTP/1.x 200 OK Server: Apache-Coyote/1.1 Etag: W/1934-1173108368046 Last-Modified: Mon, 05 Mar 2007 15:26:08 GMT Content-Type: image/gif Content-Length: 1934 Date: Fri, 18 May 2007 15:16:46 GMT -- http://localhost:8080/tomcat.gif GET /tomcat.gif HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: ShowOptions=1; loadDefault=Folder If-Modified-Since: Mon, 05 Mar 2007 15:26:08 GMT If-None-Match: W/1934-1173108368046 Cache-Control: max-age=0 HTTP/1.x 304 Not Modified Server: Apache-Coyote/1.1 Date: Fri, 18 May 2007 15:16:46 GMT -- -- Len On 5/18/07, Reich, Matthias [EMAIL PROTECTED] wrote: Hi, the spec says that a 304 response MUST include header - ETag and/or Content-Location, if the header would have been sent in a 200 response to the same request Does Tomcat send an ETag header in a 200 response when it serves static content? If not (and I assume that it doesn't), I read the spec in a sense that it is o.k. for the 304 response not to include an ETag. For static content, last modified information usually is sufficient to decide whether a cache entry is still valid, so what additional should an ETag header deliver in that case? Regards, Matthias -Original Message- From: Rashmi Rubdi [mailto:[EMAIL PROTECTED] Sent: Friday, May 18, 2007 3:10 AM To: Tomcat Users List Subject: Re: Missing ETag in 304 Header On 5/16/07, Joe Mun [EMAIL PROTECTED] wrote: Hi guys... so according to the HTTP 1.1 spec ( http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), 304 Not Modified responses must include the ETag in the header. However, Tomcat doesn't seem to be adding it... I am serving a static text file, and the header only returns: HTTP/1.x 304 Not Modified Server: Apache-Coyote/1.1 Date: Wed, etc... I examined the header returned by Tomcat 6.0.10 with Firefox's TamperData extension and also by uncommenting Tomcat's RequestDumperValve. You are right that the ETag header doesn't appear. However, I saw another cache related header if-none-match , which also shows a checksum in the same format as ETag , perhaps you may find that header useful. May 17, 2007 9:01:46 PM org.apache.catalina.valves.RequestDumperValve invoke INFO: header=if-none-match=W/6958-1163795820656 I don't really know what causes the ETag to appear, I would expect it to appear by default without any configuration similar to many other HTTP Caching Headers. I did notice the ETag for static files on one website that is hosted on Apache httpd + Tomcat. Is there a reason that the Etag is not being included? Is there a way to configure Tomcat to include this? My company is working with a caching solution provider, and they are complaining about the missing ETag. thanks. Regards Rashmi - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Connection:close request returns a response without any content-length or Transfer-Encoding: chunked
Can anyone help me about that? Regards, Eric Sorry, i forgot to mention I was working with JBoss 4.0.3 SP1, so I assume Tomcat 5.5.9. Here are some example to illustrate my case. The first one i my problem. Is that a fix bug? if so, In which version of TOmcat has it been fixed? It seems to work in the latest tomcat 5.5 version (5.5.23) If not, am I missing something from the Http specs? Regards, Eric Example with Tomcat 5.5.9 (connection : close and NO content-length or Transfer-Encoding provided): GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 Connection: close HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231751)/Tomcat-5.5 Set-Cookie: JSESSIONID=7B90F594FCF9AB6A6AF690352724A94F; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 17 May 2007 00:19:04 GMT Connection: close Second example with Tomcat 5.5.9 (connection : close and Transfer-Encoding provided) GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231751)/Tomcat-5.5 Set-Cookie: JSESSIONID=8306B59382F5277A0782B98F9362213A; Path=/ Content-Type: text/html;charset=ISO-8859-1 Transfer-Encoding: chunked Date: Thu, 17 May 2007 00:19:25 GMT Finally, I have tried with the latest Tomcat version 5.5.23 (no connection : close and content-length provided) GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Length: 8132 Date: Thu, 17 May 2007 00:19:48 GMT Another test with Tomcat 5.5.23 (connection : close and content-length provided): GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 Connection: close HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Length: 8132 Date: Thu, 17 May 2007 00:20:10 GMT Connection: close Hi, is that normal that when the header of my request contains Connection:close, the response I get does not contain any content-length or Transfer-Encoding header?? When, the Connection: close header is not a header of the request, I get either a content-length or Transfer-Encoding header. Thanks for your help!! Eric -- -- ERIC DESHAYES -- -- ERIC DESHAYES -- -- ERIC DESHAYES
Error trapping
In my plain .java files, is there a way of programmatically grabbing what method is executing? I already grab the class for logging in the catch block, but can I find the method without going through too many gyrations? Currently, I just hard-code the method name in the text that I log along with the error message. D - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Error trapping
Joe Riopel wrote: Can't you grab that from the stack trace? http://java.sun.com/j2se/1.4.2/docs/api/java/lang/StackTraceElement.html Looks like a possibility; I'll have to look into it. Thanks for the suggestion. D - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Error trapping
Can't you grab that from the stack trace? http://java.sun.com/j2se/1.4.2/docs/api/java/lang/StackTraceElement.html - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Error trapping
I actually have a note about this exact thing. Check here: http://randomcoolzip.blogspot.com/2006/02/hack-of-day.html | -Original Message- | From: David kerber [mailto:[EMAIL PROTECTED] | Sent: Friday, 18 May, 2007 12:47 | To: users@tomcat.apache.org | Subject: Error trapping | | In my plain .java files, is there a way of programmatically grabbing | what method is executing? I already grab the class for logging in the | catch block, but can I find the method without going through too many | gyrations? Currently, I just hard-code the method name in the text that | I log along with the error message. | | D | | | | - | To start a new topic, e-mail: users@tomcat.apache.org | To unsubscribe, e-mail: [EMAIL PROTECTED] | For additional commands, e-mail: [EMAIL PROTECTED] - The information contained in this message is confidential proprietary property of Nelnet, Inc. and its affiliated companies (Nelnet) and is intended for the recipient only. Any reproduction, forwarding, or copying without the express permission of Nelnet is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this e-mail. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: I've been trying to unsubscribe from this list for years.
It didn't work neither Abdelmonaam KALLALI Test Specialist DragonWave Inc 411 Legget Dr Phone :613-599 9991 ext 275 -Original Message- From: tomcat [mailto:[EMAIL PROTECTED] Sent: Friday, May 18, 2007 7:29 AM To: Tomcat Users List Subject: Re: I've been trying to unsubscribe from this list for years. At 11:48 PM 5/17/2007, you wrote: When you send an email to [EMAIL PROTECTED] add the word Unsubscribe to the email's subject and body, that worked for me when I was trying to switch my e-mails. I think it sends you an additional e-mail to confirm unsubscription, reply to that one as well. Then you should receive a final email with something like good bye in the subject. -Rashmi On 5/17/07, Keith Adams [EMAIL PROTECTED] wrote: No matter how many times I send a blank email to: [EMAIL PROTECTED], like the one I sent at 11.19 Eastern this morning, nothing happens. I use a rule to delete them permanently when I'm in Outlook, but when I use my company's web outlook, it can only move them to the deleted-items folder, which rapidly fills up, making it very hard for me to find things in there if I need to. Please help. Thanks, Keith I had a broken mail account that was subscribed to this list and that I could not reply from. I successfully unsubscribed yesterday by sending to: [EMAIL PROTECTED] I replied from a different account and it worked! Cheers! - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Error trapping
So how do I use that getMethodName code? Can I make a utility routine that I can call from my catch block, and call it with the Exception object (so I can put the function call inline with the error report string), or do I have to embed the 3 functional lines of code into my catch block? D Nelson, Tracy M. wrote: I actually have a note about this exact thing. Check here: http://randomcoolzip.blogspot.com/2006/02/hack-of-day.html | -Original Message- | From: David kerber [mailto:[EMAIL PROTECTED] | Sent: Friday, 18 May, 2007 12:47 | To: users@tomcat.apache.org | Subject: Error trapping | | In my plain .java files, is there a way of programmatically grabbing | what method is executing? I already grab the class for logging in the | catch block, but can I find the method without going through too many | gyrations? Currently, I just hard-code the method name in the text that | I log along with the error message. | | D | | | | - | To start a new topic, e-mail: users@tomcat.apache.org | To unsubscribe, e-mail: [EMAIL PROTECTED] | For additional commands, e-mail: [EMAIL PROTECTED] - The information contained in this message is confidential proprietary property of Nelnet, Inc. and its affiliated companies (Nelnet) and is intended for the recipient only. Any reproduction, forwarding, or copying without the express permission of Nelnet is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this e-mail. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Error trapping
David-- http://java.sun.com/j2se/1.5.0/docs/api/ embed what you need by creating your own Exception class with the custom method in that class? Does this help? M-- This email message and any files transmitted with it contain confidential information intended only for the person(s) to whom this email message is addressed. If you have received this email message in error, please notify the sender immediately by telephone or email and destroy the original message without making a copy. Thank you. - Original Message - From: David kerber [EMAIL PROTECTED] To: Tomcat Users List users@tomcat.apache.org Sent: Friday, May 18, 2007 3:01 PM Subject: Re: Error trapping So how do I use that getMethodName code? Can I make a utility routine that I can call from my catch block, and call it with the Exception object (so I can put the function call inline with the error report string), or do I have to embed the 3 functional lines of code into my catch block? D Nelson, Tracy M. wrote: I actually have a note about this exact thing. Check here: http://randomcoolzip.blogspot.com/2006/02/hack-of-day.html | -Original Message- | From: David kerber [mailto:[EMAIL PROTECTED] | Sent: Friday, 18 May, 2007 12:47 | To: users@tomcat.apache.org | Subject: Error trapping | | In my plain .java files, is there a way of programmatically grabbing | what method is executing? I already grab the class for logging in the | catch block, but can I find the method without going through too many | gyrations? Currently, I just hard-code the method name in the text that | I log along with the error message. | | D | | | | - | To start a new topic, e-mail: users@tomcat.apache.org | To unsubscribe, e-mail: [EMAIL PROTECTED] | For additional commands, e-mail: [EMAIL PROTECTED] - The information contained in this message is confidential proprietary property of Nelnet, Inc. and its affiliated companies (Nelnet) and is intended for the recipient only. Any reproduction, forwarding, or copying without the express permission of Nelnet is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this e-mail. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: I've been trying to unsubscribe from this list for years.
it didn't work Either? -Original Message- From: Abdelmonaam Kallali [mailto:[EMAIL PROTECTED] Sent: Friday, May 18, 2007 1:45 PM To: 'Tomcat Users List' Subject: RE: I've been trying to unsubscribe from this list for years. It didn't work neither Abdelmonaam KALLALI Test Specialist DragonWave Inc 411 Legget Dr Phone :613-599 9991 ext 275 -Original Message- From: tomcat [mailto:[EMAIL PROTECTED] Sent: Friday, May 18, 2007 7:29 AM To: Tomcat Users List Subject: Re: I've been trying to unsubscribe from this list for years. At 11:48 PM 5/17/2007, you wrote: When you send an email to [EMAIL PROTECTED] add the word Unsubscribe to the email's subject and body, that worked for me when I was trying to switch my e-mails. I think it sends you an additional e-mail to confirm unsubscription, reply to that one as well. Then you should receive a final email with something like good bye in the subject. -Rashmi On 5/17/07, Keith Adams [EMAIL PROTECTED] wrote: No matter how many times I send a blank email to: [EMAIL PROTECTED], like the one I sent at 11.19 Eastern this morning, nothing happens. I use a rule to delete them permanently when I'm in Outlook, but when I use my company's web outlook, it can only move them to the deleted-items folder, which rapidly fills up, making it very hard for me to find things in there if I need to. Please help. Thanks, Keith I had a broken mail account that was subscribed to this list and that I could not reply from. I successfully unsubscribed yesterday by sending to: [EMAIL PROTECTED] I replied from a different account and it worked! Cheers! - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Error trapping
getMethodName() *is* the utility routine. I intended to stick it in the base class for all of our business objects, so it would always be available. If you're going to use it extensively, you might want to put it in a utility class as a static method. Either way, you can just concatenate the return value with your error message. Something like: log.error(Method ' + getMethodName() + ' failed due to: + err.getMessage()); Share and enjoy! | -Original Message- | From: David kerber [mailto:[EMAIL PROTECTED] | Sent: Friday, 18 May, 2007 14:02 | To: Tomcat Users List | Subject: Re: Error trapping | | So how do I use that getMethodName code? Can I make a utility routine | that I can call from my catch block, and call it with the Exception | object (so I can put the function call inline with the error report | string), or do I have to embed the 3 functional lines of code into my | catch block? - The information contained in this message is confidential proprietary property of Nelnet, Inc. and its affiliated companies (Nelnet) and is intended for the recipient only. Any reproduction, forwarding, or copying without the express permission of Nelnet is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this e-mail. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[ANN] Apache Tomcat JK 1.2.23 Web Server Connector released
The Apache Tomcat team is pleased to announce the immediate availability of version 1.2.23 of the Apache Tomcat Connectors. It contains connectors, which allow a web server such as Apache HTTPD, Microsoft IIS and Sun Web Server to act as a front end to the Tomcat web application server. This version contains only one security fix: CVE-2007-1860: Information disclosure (patch for CVE-2007-0450 was insufficient) With the mod_jk default configuration, double encoded URLs could break JkMount access control. A complete fix might need configuration adjustments. Please consult http://tomcat.apache.org/security-jk.html for a more detailed description. Please note, that this issue only affected the Apache HTTPD module mod_jk. Source distribtions can be downloaded from an Apache Software Foundation mirror at: http://tomcat.apache.org/download-connectors.cgi Binary distributions for a number of different operating systems and web servers can be downloaded from an Apache Software Foundation mirror at: http://tomcat.apache.org/download-connectors.cgi Documentation for using JK with Tomcat 3.3, 4.1, 5.0 and 5.5 can be found at: http://tomcat.apache.org/connectors-doc/ Thank you, -- The Apache Tomcat Team - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Connection:close request returns a response without any content-length or Transfer-Encoding: chunked
I havnt kept up http standards so this is a guess as usual ;) In http 1.0 thats how the server told the browser that the transmission was over it closed the connection. So if its defaulting to the old way slamming down the telephone... context length doesnt mean anything... so the server wont bother... its the 1.0 spec. Then they got smart with keep alives... server reaction time is improved greatly... no http connection to reestablish... but then they had to include a context length otherwise the browser wont know when its got it. So just from that if your servlet program does not set the context length header... the server has no choice but to go back to the old 1.0 spec and slam down the phone. Sometimes u dont know the length like possibly when streaming an encrypted stream in that case I imagine tomcat will choose (I need help here people!) so if its short server will go... user didnt tell me how long this is... slam down phone... OR... its going to go is this guy nuts... the thing is 10 megs and I dont know when its going to end and it will start chunking... (I think). Anyway I think wot you seeing is normal if you setting the Content-Length... and not getting it... that doesnt make sense... but if not... tomcat is just trying to do the best it can - Original Message - From: Eric Deshayes [EMAIL PROTECTED] To: users@tomcat.apache.org Sent: Friday, May 18, 2007 6:23 PM Subject: Connection:close request returns a response without any content-length or Transfer-Encoding: chunked Can anyone help me about that? Regards, Eric Sorry, i forgot to mention I was working with JBoss 4.0.3 SP1, so I assume Tomcat 5.5.9. Here are some example to illustrate my case. The first one i my problem. Is that a fix bug? if so, In which version of TOmcat has it been fixed? It seems to work in the latest tomcat 5.5 version (5.5.23) If not, am I missing something from the Http specs? Regards, Eric Example with Tomcat 5.5.9 (connection : close and NO content-length or Transfer-Encoding provided): GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 Connection: close HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231751)/Tomcat-5.5 Set-Cookie: JSESSIONID=7B90F594FCF9AB6A6AF690352724A94F; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 17 May 2007 00:19:04 GMT Connection: close Second example with Tomcat 5.5.9 (connection : close and Transfer-Encoding provided) GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231751)/Tomcat-5.5 Set-Cookie: JSESSIONID=8306B59382F5277A0782B98F9362213A; Path=/ Content-Type: text/html;charset=ISO-8859-1 Transfer-Encoding: chunked Date: Thu, 17 May 2007 00:19:25 GMT Finally, I have tried with the latest Tomcat version 5.5.23 (no connection : close and content-length provided) GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Length: 8132 Date: Thu, 17 May 2007 00:19:48 GMT Another test with Tomcat 5.5.23 (connection : close and content-length provided): GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 Connection: close HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Length: 8132 Date: Thu, 17 May 2007 00:20:10 GMT Connection: close Hi, is that normal that when the header of my request contains Connection:close, the response I get does not contain any content-length or Transfer-Encoding header?? When, the Connection: close header is not a header of the request, I get either a content-length or Transfer-Encoding header. Thanks for your help!! Eric -- -- ERIC DESHAYES -- -- ERIC DESHAYES -- -- ERIC DESHAYES
Prevent unwanted requests
Is it possible to prevent the request os unwatned extensions, like
*.bak, *.java and so on, through web.xml file? My solution was creating
a servlet that gets mapped to this extensions, but I could realize that
it doesn't work along with DWR for example... The problem is that when
I invoke something like myapp/dwr/file.java, this URL is mapped to dwr
servlet instead of ForbiddenFilesController. Does anybody know how to
solve that?
My web.xml contains the following lines:
...
servlet-mapping
servlet-nameForbiddenFilesController/servlet-name
url-pattern*.java/url-pattern
/servlet-mapping
servlet-mapping
servlet-namedwr-invoker/servlet-name
url-pattern/dwr/*/url-pattern
/servlet-mapping
...
And my controller has the following lines of code:
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse
resp)
throws ServletException, IOException {
//proibido
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
//resp.getWriter().close();
return;
}
@Override
protected void doPost(HttpServletRequest req,
HttpServletResponse resp)
throws ServletException, IOException {
//proibido
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
//resp.getWriter().close();
super.doPost(req, resp);
}
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Prevent unwanted requests
From: Milanez, Marcus [mailto:[EMAIL PROTECTED] Subject: Prevent unwanted requests Is it possible to prevent the request os unwatned extensions, like *.bak, *.java and so on, through web.xml file? The real question is: Why do have .java, etc., files in accessible locations? If you keep such files under WEB-INF, they're guaranteed to be inaccessible. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RES: Prevent unwanted requests
Hi Chuck, In fact I don't have this files in my server. The thing is, whenever I invke URLs that matches /dwr/anyFile.java, I get a positive DWR answer, as if I had such files in my server. Whenever I run automated security test tools like Paros Proxy, many issues regarding these problems are pointed out... I just want to be sure that these kind of requests are rejected. Thanks! -Mensagem original- De: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Enviada em: sexta-feira, 18 de maio de 2007 16:59 Para: Tomcat Users List Assunto: RE: Prevent unwanted requests From: Milanez, Marcus [mailto:[EMAIL PROTECTED] Subject: Prevent unwanted requests Is it possible to prevent the request os unwatned extensions, like *.bak, *.java and so on, through web.xml file? The real question is: Why do have .java, etc., files in accessible locations? If you keep such files under WEB-INF, they're guaranteed to be inaccessible. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Connection:close request returns a response without any content-length or Transfer-Encoding: chunked
Just a footnote coz i suddenly realized wot may be happening Because a browser may only support http 1.0... and or the content lengths are not been set in the server... if you have progress scripts in your page... you always have to check for divide by zero... which I imagine is your problem. In a good browser you will sometime see it downloading by the the length is ? The programmer forgot to set the length ;) or youre in a http 1.0 server (IIS... no just kidding ;) - Original Message - From: Johnny Kewl [EMAIL PROTECTED] To: Tomcat Users List users@tomcat.apache.org Sent: Friday, May 18, 2007 9:46 PM Subject: Re: Connection:close request returns a response without any content-length or Transfer-Encoding: chunked I havnt kept up http standards so this is a guess as usual ;) In http 1.0 thats how the server told the browser that the transmission was over it closed the connection. So if its defaulting to the old way slamming down the telephone... context length doesnt mean anything... so the server wont bother... its the 1.0 spec. Then they got smart with keep alives... server reaction time is improved greatly... no http connection to reestablish... but then they had to include a context length otherwise the browser wont know when its got it. So just from that if your servlet program does not set the context length header... the server has no choice but to go back to the old 1.0 spec and slam down the phone. Sometimes u dont know the length like possibly when streaming an encrypted stream in that case I imagine tomcat will choose (I need help here people!) so if its short server will go... user didnt tell me how long this is... slam down phone... OR... its going to go is this guy nuts... the thing is 10 megs and I dont know when its going to end and it will start chunking... (I think). Anyway I think wot you seeing is normal if you setting the Content-Length... and not getting it... that doesnt make sense... but if not... tomcat is just trying to do the best it can - Original Message - From: Eric Deshayes [EMAIL PROTECTED] To: users@tomcat.apache.org Sent: Friday, May 18, 2007 6:23 PM Subject: Connection:close request returns a response without any content-length or Transfer-Encoding: chunked Can anyone help me about that? Regards, Eric Sorry, i forgot to mention I was working with JBoss 4.0.3 SP1, so I assume Tomcat 5.5.9. Here are some example to illustrate my case. The first one i my problem. Is that a fix bug? if so, In which version of TOmcat has it been fixed? It seems to work in the latest tomcat 5.5 version (5.5.23) If not, am I missing something from the Http specs? Regards, Eric Example with Tomcat 5.5.9 (connection : close and NO content-length or Transfer-Encoding provided): GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 Connection: close HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231751)/Tomcat-5.5 Set-Cookie: JSESSIONID=7B90F594FCF9AB6A6AF690352724A94F; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Thu, 17 May 2007 00:19:04 GMT Connection: close Second example with Tomcat 5.5.9 (connection : close and Transfer-Encoding provided) GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231751)/Tomcat-5.5 Set-Cookie: JSESSIONID=8306B59382F5277A0782B98F9362213A; Path=/ Content-Type: text/html;charset=ISO-8859-1 Transfer-Encoding: chunked Date: Thu, 17 May 2007 00:19:25 GMT Finally, I have tried with the latest Tomcat version 5.5.23 (no connection : close and content-length provided) GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Length: 8132 Date: Thu, 17 May 2007 00:19:48 GMT Another test with Tomcat 5.5.23 (connection : close and content-length provided): GET / HTTP/1.1 Host: 127.0.0.1:18080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9 ,text/plain;q=0.8,image/png,*/*;q=0.5 Connection: close HTTP/1.1 200 OK Server:
RES: Preventing unwanted requests
Well, I can't answer that.. I guess it is my fault. Bu anyway, it is not *my* DWR (http://getahead.ltd.uk/dwr/) application... I wish it was! :D -Mensagem original- De: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Enviada em: sexta-feira, 18 de maio de 2007 17:11 Para: Tomcat Users List Assunto: RE: Prevent unwanted requests From: Milanez, Marcus [mailto:[EMAIL PROTECTED] Subject: RES: Prevent unwanted requests In fact I don't have this files in my server. The thing is, whenever I invke URLs that matches /dwr/anyFile.java, I get a positive DWR answer, as if I had such files in my server. Don't confuse URL paths with file locations. This sounds like there's a bug in your dwr application, in that it's ignoring invalid path information. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Prevent unwanted requests
On 5/18/07, Milanez, Marcus [EMAIL PROTECTED] wrote: In fact I don't have this files in my server. The thing is, whenever I invke URLs that matches /dwr/anyFile.java, I get a positive DWR answer, as if I had such files in my server. What do you mean by positive answer? I just happened to be looking at DWR, so I tried your example -- it returns a 404, which is what I'd expect. /* DWR 2.0.1 on TC 6.0.9 with JDK 1.6.0 */ FWIW, -- Hassan Schroeder [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Prevent unwanted requests
I think that a new servlet to filter these files is not the proper
approach, and you should use a filter :)
- LG
On 5/18/07, Milanez, Marcus [EMAIL PROTECTED] wrote:
Is it possible to prevent the request os unwatned extensions, like
*.bak, *.java and so on, through web.xml file? My solution was creating
a servlet that gets mapped to this extensions, but I could realize that
it doesn't work along with DWR for example... The problem is that when
I invoke something like myapp/dwr/file.java, this URL is mapped to dwr
servlet instead of ForbiddenFilesController. Does anybody know how to
solve that?
My web.xml contains the following lines:
...
servlet-mapping
servlet-nameForbiddenFilesController/servlet-name
url-pattern*.java/url-pattern
/servlet-mapping
servlet-mapping
servlet-namedwr-invoker/servlet-name
url-pattern/dwr/*/url-pattern
/servlet-mapping
...
And my controller has the following lines of code:
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse
resp)
throws ServletException, IOException {
//proibido
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
//resp.getWriter().close();
return;
}
@Override
protected void doPost(HttpServletRequest req,
HttpServletResponse resp)
throws ServletException, IOException {
//proibido
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
//resp.getWriter().close();
super.doPost(req, resp);
}
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Overriding Default Servlet?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Johnny, Johnny Kewl wrote: So this plebian is asking... wot does override actually mean?? I do know that if one creates a servlet and say maps it as /* that will effectively block the default servlet is that wot override means? Yes, but you should map it to / to match the default servlet's mapping. Or and this is wot I'm hoping does it mean one can extend it... as in... Class MagicDefault extends Default Absolutely. The default servlet is org.apache.catalina.servlets.DefaultServlet (at least in my TC 5.5 install). Anyway if it can be overriden in true class form without a recompile of Tomcat it gets very interesting?... if so please tell me how... thx Yeah, you don't need to recompile Tomcat. Just write your own servlet class to act as the default (you can subclass the above DefaultServlet if you want) and then map it appropriately. Note that depending on a particular version of TC for the DefaultServlet might lock you into an undesirable position. I don't think that the Tomcat folks see the DefaultServlet as part of any publicly-facing code, so they may make changes at any point. You should be careful about this. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGTi1K9CaO5/Lv0PARAihdAKCj0Z955qzpQ0RYzfIv6T+exapppACfXeX4 Yh7NRb1pRrMOcWGxt51Nguw= =izGB -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: UserDatabase security
Jerome Benezech wrote: Thanks for the info, that would do great. Any link on documentation to configure tomcat that way ? Would it have killed you to spend 30 seconds looking for this yourself? http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Prevent unwanted requests
I'll second that one.
A basic filter that checks the request for .bak, .java, .whatever is
relatively easy and transparent (you don't have to change even one line
of your existing code). When you find one of those banned extensions,
just return a 403 (forbidden) or 404 (not found) on the response. If
not, just chain the request along to it's next step in the process --
probably a servlet or jsp.
--David
Lucas Galfaso wrote:
I think that a new servlet to filter these files is not the proper
approach, and you should use a filter :)
- LG
On 5/18/07, Milanez, Marcus [EMAIL PROTECTED] wrote:
Is it possible to prevent the request os unwatned extensions, like
*.bak, *.java and so on, through web.xml file? My solution was creating
a servlet that gets mapped to this extensions, but I could realize that
it doesn't work along with DWR for example... The problem is that when
I invoke something like myapp/dwr/file.java, this URL is mapped to dwr
servlet instead of ForbiddenFilesController. Does anybody know how to
solve that?
My web.xml contains the following lines:
...
servlet-mapping
servlet-nameForbiddenFilesController/servlet-name
url-pattern*.java/url-pattern
/servlet-mapping
servlet-mapping
servlet-namedwr-invoker/servlet-name
url-pattern/dwr/*/url-pattern
/servlet-mapping
...
And my controller has the following lines of code:
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse
resp)
throws ServletException, IOException {
//proibido
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
//resp.getWriter().close();
return;
}
@Override
protected void doPost(HttpServletRequest req,
HttpServletResponse resp)
throws ServletException, IOException {
//proibido
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
//resp.getWriter().close();
super.doPost(req, resp);
}
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Overriding Default Servlet?
It can be extended like any other java class. In reality - there are
probably 2 better solutions than extending (or replacing) the Default
Servlet.
1) Create a filter which does what you need then pass control to the
default servlet. (chain.doFilter())
2) Create your own default servlet but in cases where you'd rather use
the default servlet instead of your own - use the following code:
{
getServletContext().getNamedDispatcher(default)
.forward(request, response);
return;
}
-Tim
Johnny Kewl wrote:
Read some tomcat docs where it said one can override the default servlet... and then it gets a little cocky and says if you cant read the code... this is not for you (pleb!)
So this plebian is asking... wot does override actually mean??
I do know that if one creates a servlet and say maps it as /* that will
effectively block the default servlet is that wot override means?
Or and this is wot I'm hoping does it mean one can extend it... as in...
Class MagicDefault extends Default
Anyway if it can be overriden in true class form without a recompile of
Tomcat it gets very interesting?... if so please tell me how... thx
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: displaying customized error page in tomcat 5.5.12
Thank you very much for your time and knowledge. I am trying virtual hosting, If I get it, I will mail you. Regarsd: Sagri On 5/18/07, Tim Lucia [EMAIL PROTECTED] wrote: -Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Friday, May 18, 2007 3:54 AM To: Tomcat Users List Subject: Re: displaying customized error page in tomcat 5.5.12 You are right Tim, How I came to know about this might explain why ! I changed my war file to ROOT.war as this is situation in our website's tomcat. Now when I go to localhost:8080/ my application is displayed properly something like localhost:8080/eApp gives the custom 404 page I designed and placed in newly renamed ROOT folder. But When I am trying to reload my root using manager/html and at the same time trying to access localhost:8080/, tomcat do not show custom page rather it sends a blank page. So, is apache web server is the only option left for me ?? can virtual hosting be used here ?? I don't know. I use ErrorDocument 503 /maintenance.html ErrorDocument 404 /404.html in my httpd.conf and httpd sends the custom error page for me. Maybe someone else can offer you a different solution. Tim Thanks and Regards: Quayum Sagri On 5/17/07, Tim Lucia [EMAIL PROTECTED] wrote: That will work, but only if the root (/) context is available and running. This may or may not solve some or all of your problem(s). Tim -Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Thursday, May 17, 2007 12:08 PM To: Tomcat Users List Subject: Re: displaying customized error page in tomcat 5.5.12 Hi Tim, Thanks for that explanation. We are not using any web server, so, I cannot configure in httpd file. I resolved the problem using the same error-page tag. I have placed my custom error page in webapps/ROOT directory. Thanks for your support. On 5/17/07, Tim Lucia [EMAIL PROTECTED] wrote: -Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Thursday, May 17, 2007 2:01 AM To: Tomcat Users List Subject: Re: displaying customized error page in tomcat 5.5.12 Hi Tim Lucia, I'm guessing you can add a global error-page to Tomcat's conf/web.xml, but then it would apply to all apps on the server. This may or may not work for you. This is my target. If my tomcat recieves a context which is not in my tomcat, it should send customised page. And this is applicable to all the apps on server. What can be the reason for it, not working for me? I don't know. I've never tried it. You'll have to give specific reasons why it's not working, including configuration files as appropriate. I did this via httpd. Please Let me know WHAT IS FRONTING with httpd. please give me any links if you have for that. how to front my tomcat with httpd. Also I do not have any file named httpd.conf in my tomcat. I meant using Apache's httpd web server in front of Tomcat, connecting the two via mod_jk or mod_proxy. See http://tomcat.apache.org/connectors-doc/reference/apache.html for more ideas. In this case, I do send a custom 404 from httpd, regardless of whether it was local or came from Tomcat. Tim Thank you very much. On 5/16/07, Tim Lucia [EMAIL PROTECTED] wrote: In order for the custom error page to be used, the application must be deployed. I.e., Tomcat can give a custom 404 for /mycontext/badpagerequested.jsp but if there is no context /mycontext because the app is not (yet) deployed, Tomcat cannot know about your custom error page. I'm guessing you can add a global error-page to Tomcat's conf/web.xml, but then it would apply to all apps on the server. This may or may not work for you. If you have fronted Tomcat with httpd, you might be able to use custom error pages there instead. JK will send a 503 if the application is not currently available. Tim -Original Message- From: Abdul Qayyum [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 16, 2007 6:27 AM To: users@tomcat.apache.org Subject: displaying customized error page in tomcat 5.5.12 Hi all, I found that while we are updating our application, the application is not known to tomcat, untill it is completed. So tomcat sends 503 page as resource not found. I want to know is virtual hosting is the right way to deal with this issue.? Or can this be done using customised error pages. Is it possible to customise the 503 / 404 page, so that, for any
Re: Tomcat URL redirect ?
Hi Christopher Schultz, I understand that during a webapp reload, Tomcat will issue a 503 response. The issue is that, I have named my war file as ROOT.war, so that, when I access my tomcat default page using http://localhost:8080/ i get my application's index page. This is how our out side server's tomcat is configured. You might be able to catch this at the Tomcat level and display a certain please wait page. I catch this 503 page from my tomcat/conf/web.xml file and place my 503.htmlin ROOT folder itself. Why, because tomcat looks for the resources in this folder. below is the snippet I used in my tomcat/conf/web.xml file. welcome-file-list welcome-fileindex.html/welcome-file welcome-fileindex.htm/welcome-file welcome-fileindex.jsp/welcome-file /welcome-file-list error-page error-code404/error-code location/error404.jsp/location /error-page error-page error-code500/error-code location/error404.jsp/location /error-page error-page error-code503/error-code location/error404.jsp/location /error-page When I reload my application, that is ROOT.war form manager/html and at the same time access the application in a different browser, tomcat gives blank page. Since ROOT it self is reloading, even though it has the files tomcat is not fetching them. If I remove the / from the location tab (so that I can specify a different location) tomcat is not openning my application . It returns default 404 page for any URL I type. I do this using the ErrorDocument directive available through Apache httpd. There is no apache web server for our application. We only use tomcat 5.5.12. I only want to know if using Apache is the only option for me. Please tell me if There is any solution for this with in Tomcat. Thanks and regards: A. Quayum Sagri On 5/18/07, Christopher Schultz [EMAIL PROTECTED] wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Abdul, Abdul Qayyum wrote: Will this approach redirect the page to other when one is under reloading or upgration? IIRC, during a webapp reload, Tomcat will issue a 503 response. You might be able to catch this at the Tomcat level and display a certain please wait page. I do this using the ErrorDocument directive available through Apache httpd. The situation is that, we want to send a customised error page when our website is under upgration. It will approximately take 1 hour for uploading a new war file on our server. During this time I want to show some custom page. Might I suggest that you upload your WAR file and /then/ deploy it? I'm not sure how Tomcat does how upgrades (I hope it's smart enough to wait until the WAR is fully uploaded to reload the webapp), but an hour of down time is a /lot/. If all you're waiting for is the WAR file to upload, then you do not need this additional downtime, and should avoid it if possible. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGTZ/r9CaO5/Lv0PARAp2VAJ0Z85eclykwIGie8zcWqUvtvJ7GQQCgnuPl j0UecbcpBzDR+L0wxcnyrtA= =ZzR4 -END PGP SIGNATURE- - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
