Re: mod_jk for OS X PPC
See Thread at: http://www.techienuggets.com/Detail?tx=16694 Posted on behalf of a User

Hi. I have an iPhone and I try to downgrade it with ibrickr. It seems to work but I have a big problem: your program starts running, stops and restarts the iPhone. I don't know what to do. Please help me. Thanks, loizos

In Response To:

Hi. I'm a developer of a JBoss/Tomcat app. I work on a Mac. I upgraded my Mac's OS on Saturday to OS X 10.5 (Leopard). Prior to the upgrade I was using the version of Apache that came with 10.4, which I think was 1.3. Apple is shipping 2.2.6 with 10.5. They don't include the mod_jk module built for the OS with the non-server version of the OS. (I guess they might with the server version, I'm not sure.)

Anyway, I need mod_jk in order for Apache to talk to Tomcat, so I went to the Tomcat Connectors pages and found that mod_jk is only available in an x86 version as a binary. So I downloaded the source and installed the XCode tools so that I could try to compile it. I'm unable to find apxs2 on my hard drive, but I have an apxs file in my /usr/sbin directory, so I thought I would try to build using:

./configure --with-apxs=/usr/sbin/apxs

When I install the resultant mod_jk.so, Apache complains that it found mod_jk mach-o, but it is for the wrong architecture. If anyone has already done this, I'd love to hear from you.

Thank you,
Richard

- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
QUESTION: How to use *only* cookies for session tracking?
http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

I can turn cookies on or off but I don't see a similar setting for URL rewriting. I've already made my peace with requiring cookies for other reasons. Possible? Downsides?

I'm seeing a lot of double fetching of content (JavaScript files and images): once when there's ;jsessionid= as part of the URL and again once the client has accepted the cookie and the URL is changed.

thanks, greg
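One way to get cookie-only session tracking on a Servlet 2.4 container such as Tomcat 5.5, added here as an example that is not from this thread and not part of Tomcat: a filter that wraps the response so that URL rewriting becomes a no-op, and that refuses to adopt a session id carried in the URL (which also closes the session-fixation route a URL-borne id opens). The filter and wrapper class names are hypothetical; the filter is assumed to be mapped to /* in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not Tomcat code) that forces cookie-only session tracking.
 *
 * Servlet 2.4 has no switch to turn URL rewriting off, but every ;jsessionid=
 * the application emits comes from encodeURL()/encodeRedirectURL(). Wrapping the
 * response so those return the URL unchanged means no link or redirect the
 * application builds ever carries the session id.
 *
 * Assumed web.xml registration:
 *   <filter>
 *     <filter-name>cookieOnly</filter-name>
 *     <filter-class>CookieOnlySessionFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>cookieOnly</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class CookieOnlySessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A session id that arrived in the URL (bookmarked link, pasted link,
        // or one planted by someone else) is never honoured: drop that session
        // so the application's next getSession() creates a fresh, cookie-backed one.
        // When both a cookie and a URL id are present the container prefers the
        // cookie, so this only fires for requests whose only id came from the URL.
        if (request.isRequestedSessionIdFromURL()) {
            HttpSession fromUrl = request.getSession(false);
            if (fromUrl != null) {
                fromUrl.invalidate();
            }
        }

        chain.doFilter(request, new NoUrlRewritingResponse(response));
    }

    public void destroy() {
        // nothing to release
    }

    /** Response wrapper whose URL-encoding methods hand the URL back untouched. */
    static class NoUrlRewritingResponse extends HttpServletResponseWrapper {

        NoUrlRewritingResponse(HttpServletResponse response) {
            super(response);
        }

        public String encodeURL(String url) {
            return url;
        }

        public String encodeRedirectURL(String url) {
            return url;
        }

        // Deprecated spellings, overridden too so that old JSP tags and
        // libraries that still call them get the same behaviour.
        public String encodeUrl(String url) {
            return url;
        }

        public String encodeRedirectUrl(String url) {
            return url;
        }
    }
}
```

Redirects that Tomcat issues on its own (for example during form login) are built on the unwrapped response and do not pass through the filter, so they may still carry the id once; the double fetch of static content linked from the application's own pages goes away.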
Re: managing user uploads best practices
--- HARBOR: http://coolharbor.100free.com/index.htm The most powerful application server on earth. The only real POJO Application Server. Making the Java dream come true. ---

- Original Message - From: <[EMAIL PROTECTED]> To: Sent: Friday, February 08, 2008 11:13 PM Subject: managing user uploads best practices

Yes... outside. It's been a long, long time now; I vaguely remember struggling with the Apache uploader, then eventually getting it all to work... Anyway... what I did is store the files in an Apache httpd folder, so I could spy on the uploads, and they're available for viewing again. And what's cool is, because Apache is also the load balancer in my case... you can have lots of TCs doing their thing. I was making a kind of wiki thing for an estate agency... that's how I did it way back when...

> What's the current wisdom on managing user uploaded files to a web app that's deployed via a WAR? In other words, when the WAR is updated, the directory containing uploaded files would be wiped out.
>
> Do people save uploaded files outside of the web app root directory? Security issues with this?
>
> Do people not use auto-expanding WAR files and manage the deployment by hand?
>
> Do you not include the directory for uploaded files in the WAR (but create it at runtime) and then trust that the expanded WAR won't overwrite it on deployment?
>
> Any pointers greatly appreciated!
[SECURITY] CVE-2007-6286: Tomcat duplicate request processing vulnerability
CVE-2007-6286: Tomcat duplicate request processing vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.11 to 5.5.25
Tomcat 6.0.0 to 6.0.15

Description:
When using the native (APR based) connector, connecting to the SSL port using netcat and then disconnecting without sending any data will cause Tomcat to handle a duplicate copy of one of the recent requests.

Mitigation:
6.0.x users should upgrade to 6.0.16 which includes version 1.1.12 of the native connector.
5.5.x users should upgrade to 5.5.26 which includes version 1.1.12 of the native connector.

Example:
See description.

Credit:
This issue was discovered by System Core (http://www.systemcore.ca/).

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html

The Apache Tomcat Security Team
[SECURITY] CVE-2007-5333: Tomcat Cookie handling vulnerabilities
CVE-2007-5333: Tomcat Cookie handling vulnerabilities

Severity: low - Session hi-jacking

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.36
Tomcat 5.5.0 to 5.5.25
Tomcat 6.0.0 to 6.0.14

Description:
The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value.

Mitigation:
6.0.x users should upgrade to Tomcat 6.0.16 or later
5.5.x users should upgrade to Tomcat 5.5.26 or later
4.1.x users should build from the latest svn source

Examples:
+++
GET /myapp/MyCookies HTTP/1.1
Host: localhost
Cookie: name="val " ue"
Cookie: name1=moi
+++
http://example:8080/examples/servlets/servlet/CookieExample?cookiename=test&cookievalue=test%5c%5c%22%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B

Credit:
The quotes issue was reported by John Kew.
The %5C issue was reported by Ishikawa Yoshihiro via JPCERT/CC.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html

The Apache Tomcat Security Team
CVE-2008-0002: Tomcat information disclosure vulnerability
CVE-2008-0002: Tomcat information disclosure vulnerability

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 6.0.5 to 6.0.15

Description:
If an exception occurs during the processing of parameters (eg if the client disconnects) then it is possible that the parameters submitted for that request will be incorrectly processed as part of a following request.

Mitigation:
6.0.x users should upgrade to 6.0.16 or later.

Example:
See description.

Credit:
This issue was discovered by Chitrapandian N of AdventNet Inc.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html

The Apache Tomcat Security Team
Re: managing user uploads best practices
I certainly don't speak for everyone, but in the past I've either provided an external folder for upload storage or a database. As far as security goes, I don't see these being much if any different than storing the files inside the webapp. In some ways you may get better access control, as the servlet serving them can be customized to provide very fine grained access.

--David

[EMAIL PROTECTED] wrote:
> What's the current wisdom on managing user uploaded files to a web app that's deployed via a WAR? In other words, when the WAR is updated, the directory containing uploaded files would be wiped out.
>
> Do people save uploaded files outside of the web app root directory? Security issues with this?
>
> Do people not use auto-expanding WAR files and manage the deployment by hand?
>
> Do you not include the directory for uploaded files in the WAR (but create it at runtime) and then trust that the expanded WAR won't overwrite it on deployment?
>
> Any pointers greatly appreciated!
managing user uploads best practices
What's the current wisdom on managing user uploaded files to a web app that's deployed via a WAR? In other words, when the WAR is updated, the directory containing uploaded files would be wiped out.

Do people save uploaded files outside of the web app root directory? Security issues with this?

Do people not use auto-expanding WAR files and manage the deployment by hand?

Do you not include the directory for uploaded files in the WAR (but create it at runtime) and then trust that the expanded WAR won't overwrite it on deployment?

Any pointers greatly appreciated!
Re: Fwd: can't get servlets to run
Ahh... tomcat/servlet spec 101 questions. Here's the scoop:

1. Don't enable the invoker servlet unless you have an unbelievably excellent reason for it. If you are just starting to learn servlet technology, you are better off learning best practices up front. Mess with the invoker after you have a firm grounding in the technology and understand the ramifications of using it. To my knowledge, only the really old books and articles ever even mention the invoker servlet, much less advocate enabling it. That may be your clue to stop reading it and get something newer.

2. Your servlet class needs to be in a package. That means you have 'package com.mycompany.myproject;' at the top of your java source code and you place the class itself in WEB-INF/classes/com/mycompany/myproject of your webapp. It can also be jarred and the .jar file placed in WEB-INF/lib, but since you are learning, this isn't necessary.

3. Write a web.xml file with a proper servlet mapping in it. There are a lot of resources out on the web describing this, including the most excellent servlet specification, which should become your best buddy. I believe David Brown posted a link to it. If you are relying on a book, make sure it covers at minimum servlet spec 2.4, preferably servlet spec 2.5 and tomcat 6 since that's what you are working with.

4. The second two places you put the context fragment work -- just use only one or the other to avoid confusion. Also, given where you are storing your webapp, the docBase and path attributes are really not necessary. The docBase will be picked up automagically and the path will be named after the context fragment file in conf/Catalina/localhost or your webapp's docBase.

5. If you are still having trouble, the relevant parts of your setup will go miles towards helping solve your problems. In most cases, that amounts to your context xml fragment, web.xml file and folder layout of your webapp.
--David

ilene m wrote:
> Date: Thu, 7 Feb 2008 19:50:18 -0800 (PST)
> From: ilene m <[EMAIL PROTECTED]>
> Subject: can't get servlets to run
> To: users@tomcat.apache.org
>
> Hi,
>
> I cannot get servlets to run outside of the servlet examples link off of the main page. I'm getting the ole 404 "The requested resource - servlet - is not available".
>
> I have tried the 6.0.14 zip file and a "preconfigured" 6.0.10 version off of the coreservlets.com site.
>
> I've tried loading 6.0.14 twice. Everything else runs but the servlets. In the first iteration of 6.0.14 I had html, jsp, php, php accessing mysql running happily. Thought it might have been something I did to make php happy so I took a clean version but it didn't help.
>
> When I loaded 6.0.14 I tried to run servlets by using the invoker servlet. Uncommented the invoker servlet and its mapping in web.xml and added privileged="true" to context.xml and threw a HelloWorld.class file into the webapps\Root\WEB-INF\classes dir, accessing via http:\\localhost:8080\servlet\HelloWorld.
>
> I also tried my own app dir and a context fragment file. Tried putting the context fragment file in tomcat\conf\Catalina\localhost\myApp.xml, tomcat\conf\Catalina\localhost\myApp\myApp.xml and tomcat\webapps\myApp\META-INF\context.xml. Tried changing up the docbase.
>
> Tried raising the logging level to see if anything useful would pop out. NADA
>
> Wondering if I'm missing an environment var.
>
> Any help would be GREATLY appreciated.
>
> Thanks for your time.
Re: Cleanup of org.apache.naming.resources.CacheEntry resources
Diego Rodríguez Martín wrote:
> I have made a simple webapp with 2 jsp and a taglibrary, and the memory leak is still there, so I guess there is no cleaning of CacheEntry resources at context shutdown.
>
> Have I found a memory leak in Tomcat?

Quite probably.

> Is my explanation correct or have I missed the leak source?

Don't know until I do my own profiling.

> Should I open a BZ issue?

Yes please. If you attach your test app that will make investigating this very easy.

> Is there any workaround to clean these resources on context shutdown?

Not that I can think of.

Mark
Re: Problem with Apache mod_jk + Tomcat/Jboss + Client Certificate Chain
Hi Bruno,

I finally got the whole cert chain, but the real problem is that I can't get it through request.getAttribute("javax.servlet.request.X509Certificate"); I only got it using request.getAttribute("SSL_CLIENT_CERT_CHAIN_n").

I read an e-mail in which you stated:

"In Tomcat, I've only managed to get the client certificate and not the full chain. A quick glance at apache-tomcat-6.0.14-src/java/org/apache/coyote/ajp/AjpProcessor.java seems to indicate that only an array of size 1 is created, which would explain this behaviour. I'm not sure if everything regarding AJP and X509Certificates happens in this class in Tomcat."

Did you manage to get the full cert chain in an X509Certificate array using request.getAttribute("javax.servlet.request.X509Certificate")?

Another thing I noticed you wrote is that you are able to get the full cert chain only the first time the client browser connects to the server; looking at mod_jk.log it seems to be a mod_jk issue. It happens to me as well.

Best regards,
Rafael

On 2/1/08, Rainer Jung <[EMAIL PROTECTED]> wrote:
> Hi Rafael,
>
> if your certificate chain is too large for the default AJP packet size of
> approx. 8KB and you increase it via max_packet_size, you need to change your
> Tomcat connector settings as well. See max_packet_size in
>
> http://tomcat.apache.org/connectors-doc/reference/workers.html
>
> Didn't try it myself, let us know if it works.
>
> If you can easily test this with one or a few requests, you can set
> JkLogLevel trace and you'll see the complete packet traffic between
> httpd and Tomcat.
>
> Regards,
>
> Rainer
>
> Rafael Rossetto schrieb:
> > Bruno,
> >
> > I tried to change my conf file, the only thing I didn't set before was:
> > - JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
> >
> > When I set this option Firefox gives me the following error:
> > Request Entity Too Large
> >
> > So I changed the workers.properties to set the max_packet_size
> > bigger. And the Entity Too Large error stopped.
> >
> > But the thing is, I still don't get the cert chain through
> > request.getAttribute("javax.servlet.request.X509Certificate").
> >
> > Do you use request.getAttribute("SSL_CLIENT_CERT") to get the
> > cert chain?
> >
> > Thanks,
> > Rafael
> >
> > On 2/1/08, Bruno Harbulot <[EMAIL PROTECTED]> wrote:
> >> Hi,
> >>
> >> Rafael Rossetto wrote:
> >>> I'm using the JkOptions +ForwardSSLCertChain in httpd.conf. In
> >>> ssl.conf I also use SSLVerifyClient require (tried optional and
> >>> optional_no_ca), so the client certificate validation in Apache seems
> >>> all right to me. And the SSLOptions is SSLOptions +StdEnvVars
> >>> +ExportCertData.
> >>
> >> Just to make sure, do you use 'JkExtractSSL On' as well (it should be on
> >> by default anyway)?
> >>
> >> I generally use this:
> >>
> >> JkExtractSSL On
> >> JkHTTPSIndicator HTTPS
> >> JkSESSIONIndicator SSL_SESSION_ID
> >> JkCIPHERIndicator SSL_CIPHER
> >> JkCERTSIndicator SSL_CLIENT_CERT
> >> JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
> >> JkOptions +ForwardSSLCertChain
> >>
> >> and this in the relevant VirtualHost:
> >>
> >> SSLEngine on
> >> SSLCertificateFile ...
> >> SSLCertificateKeyFile ...
> >> SSLCACertificatePath ...
> >> SSLCARevocationPath ...
> >> SSLVerifyClient optional
> >> SSLVerifyDepth 5
> >> SSLOptions +ExportCertData +StdEnvVars
> >>
> >> I get the full chain with this.
> >>
> >> Best wishes,
> >>
> >> Bruno.
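A servlet-side helper for the situation the thread describes, added here as an example that is not from the thread and not part of Tomcat or mod_jk: it takes the single client certificate that javax.servlet.request.X509Certificate carries over AJP, appends the intermediates from the SSL_CLIENT_CERT_CHAIN_n request attributes, and sanity-checks that each certificate really is signed by the next. The class name is hypothetical, and it assumes (as in the thread) that the chain attributes hold PEM text ordered from the client certificate's issuer upwards.

```java
import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical helper (not Tomcat or mod_jk code) that rebuilds the client
 * certificate chain for a request that came in through mod_jk/AJP.
 *
 * Assumptions, taken from the thread above:
 *  - "javax.servlet.request.X509Certificate" holds only the client cert
 *    (an array of size 1) when the request arrived over AJP;
 *  - the intermediates reach the servlet as request attributes
 *    SSL_CLIENT_CERT_CHAIN_0, SSL_CLIENT_CERT_CHAIN_1, ... containing PEM text,
 *    ordered from the client cert's issuer up towards the root.
 */
public final class ClientCertChain {

    private static final String SERVLET_CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String MODJK_CHAIN_ATTR = "SSL_CLIENT_CERT_CHAIN_";

    private ClientCertChain() {
    }

    /**
     * Returns the chain leaf-first (client cert at index 0), or an empty array
     * when the request carried no client certificate at all.
     */
    public static X509Certificate[] fromRequest(HttpServletRequest request)
            throws GeneralSecurityException {
        X509Certificate[] fromContainer =
                (X509Certificate[]) request.getAttribute(SERVLET_CERT_ATTR);
        if (fromContainer == null || fromContainer.length == 0) {
            return new X509Certificate[0];
        }

        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (X509Certificate c : fromContainer) {
            chain.add(c);
        }

        // Only go looking for forwarded intermediates when the container gave
        // us the bare leaf; a connector that already delivers the full chain
        // (for example a direct HTTPS connector) needs no help.
        if (chain.size() == 1) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            for (int i = 0; ; i++) {
                Object pem = request.getAttribute(MODJK_CHAIN_ATTR + i);
                if (!(pem instanceof String)) {
                    break;          // attributes are numbered without gaps; first miss ends the chain
                }
                chain.add(parsePem(cf, (String) pem));
            }
        }

        X509Certificate[] result = chain.toArray(new X509Certificate[chain.size()]);
        checkLinks(result);
        return result;
    }

    /** CertificateFactory accepts the PEM armour directly, so no manual base64 handling is needed. */
    private static X509Certificate parsePem(CertificateFactory cf, String pem)
            throws GeneralSecurityException {
        try {
            return (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(pem.getBytes("US-ASCII")));
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("US-ASCII is always available", e);
        }
    }

    /**
     * Each certificate must name the next one as its issuer and carry a
     * signature that the next one's public key verifies. This is a sanity check
     * on what was forwarded over AJP, not a replacement for the PKIX validation
     * (trust anchors, depth, revocation) that httpd's SSLVerifyClient already did.
     */
    private static void checkLinks(X509Certificate[] chain) throws GeneralSecurityException {
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = chain[i];
            X509Certificate parent = chain[i + 1];
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                throw new GeneralSecurityException("issuer/subject mismatch at chain element " + i);
            }
            child.verify(parent.getPublicKey());   // throws on a bad signature
        }
    }
}
```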
Re: Password Input on Tomcat Startup
--- HARBOR: http://coolharbor.100free.com/index.htm The most powerful application server on earth. The only real POJO Application Server. Making the Java dream come true. ---

- Original Message - From: "Jan Mönnich" <[EMAIL PROTECTED]> To: Sent: Friday, February 08, 2008 12:30 PM Subject: Password Input on Tomcat Startup

> Hi folks,
>
> we have a very sensitive webapp that requires the input of a password when the tomcat server starts. We don't want to store this password in a file. One way we've already tested could be the use of a JDialog with a JPasswordField that is shown in the init() method of a servlet (1). Unfortunately this requires our server to run X11... :-(
>
> Is there any (hidden) way to input this password on the terminal tomcat was started from?

Ha ha... hey linux is supposed to be free ;) Sounds like a licensing scheme... naughty naughty, ok you got to eat ;)

A natural way is as the other poster explained... a web page. Popping UI out of a servlet, even with X... no, it's just ugly.

You have to hide the password on the machine... One way is to... when they pay for the software... give them a license key which is a hash of the password and, say, the IP address, thus it doesn't work on other machines. Then you store your password inside the application... it hashes itself and the IP; if same, it's on, if not, the browsers just give a "pay me, people" message... ;) Something like that...

Also look at the POJO application server above... you could have a central registry... ie when the servlet starts it calls into the PAS, it checks a user registry and either allows it to run or not...

Yes, tomcat is also an application server... probably the most powerful application server ever ha ha

Have fun...

> Thanks in advance for any idea!
>
> Jan
>
> --
> Dipl.-Inf. (FH) Jan Mönnich, PKI Team
> Phone: +49 40 808077-632, Fax: +49 40 808077-556, [EMAIL PROTECTED]
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
> Sachsenstraße 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Re: tomcat 5.5.9 aliases
Thank you very much, that did the trick.
Re: Tomcat SSL, Windows 2003 and Windows-My Provider
- Original Message - From: "Luis Villa" <[EMAIL PROTECTED]> To: Sent: Friday, February 08, 2008 12:46 PM Subject: Tomcat SSL, Windows 2003 and Windows-My Provider

> Hello all,
>
> I'm trying to configure a Tomcat 6 server with SSL using the Windows-My provider from Java 6. I've been able to do it in Windows XP and it works perfectly, but when executing in Windows 2003, tomcat is not able to open the keystore (it says it cannot find the .keystore file, although the configuration is completely the same as in Windows XP).

Hi... listen, I think it's because the .keystore file is stored in the user folder... and that is changing... So when you log on it's in "Docs and Settings"/Username... but when the service starts as the "system" user, that location is now under C:/ I think...

So, either try changing the service configuration to run under your user name, or figure out where it's looking for it and move the keystore there. IF you start tomcat from the BAT file... it will run under your user name... if that works, then you can eliminate configuration problems and just try to figure out where 2003 is hiding the user location... I think

> I'm using the following connector:

On our systems we seem to be using the default stuff... I actually don't know what "Windows-MY" is ;)

> I've accessed the store with 'keytool -list -storetype Windows-MY' and it works (it shows myKey). Is there more configuration needed in W2003 (permissions, policies, etc)? Has someone found this problem before?
>
> Thanks in advance
Cleanup of org.apache.naming.resources.CacheEntry resources
Hi,

I am memory profiling a webapp for my company because we suspect it has memory leaks when redeploying. This webapp has to be redeployed several times a week for security reasons (most of the time it is undeployed) and the memory leaks forced us to shut down tomcat once a week to avoid OOM exceptions.

I'm using jvm1.5 and tomcat 6.0.13 (also tried with 6.0.14 and today with 6.0.16), and YourKit as the profiling tool. I have made the test in both linux and windows.

I have created a JMeter test to deploy the app using the manager, make some requests to the app and then undeploy it, again using the manager app, in a loop. After some redeployments, I got my OutOfMemoryException. Then I checked with my profiling tool and found that my own classes were correctly destroyed, and the classes retaining more memory were these ones (listed as a hierarchy):

org.apache.catalina.core.ApplicationContext$DispatchData
  org.apache.catalina.core.ApplicationContext
    mapper of org.apache.catalina.core.StandardContext
      context of org.apache.tomcat.util.http.mapper.Mapper
        resources of org.apache.tomcat.util.http.mapper.Mapper$Context
          cache of org.apache.naming.resources.ProxyDirContext
            cache of org.apache.naming.resources.ResourceCache
              org.apache.naming.resources.CacheEntry[]

The number of objects of each class was exactly the number of times I had redeployed the webapp. I have checked the contents of CacheEntry inside CacheEntry[] and it has an attribute "name" and the contents are the jsps and tld files of my app. There are as many CacheEntry objects with the same jsp attribute as times the webapp has been reloaded.

I have made a simple webapp with 2 jsp and a taglibrary, and the memory leak is still there, so I guess there is no cleaning of CacheEntry resources at context shutdown.

Have I found a memory leak in Tomcat? Is my explanation correct or have I missed the leak source? Should I open a BZ issue? Is there any workaround to clean these resources on context shutdown?

--
Diego Rodríguez Martín
ALTIRIA TIC - SMS Services - Web Development
Tel. +34 913311198 - Fax +34 915713993 - Mobile +34 610299750
www.altiria.com
Re: Cluster Membership not picking up ttl setting
Filip . . . you are most definitely the man. That solved my problem. I added -Djava.net.preferIPv4Stack=true to the start options in catalina.sh and now my servers are communicating beautifully. Thanks a million.

~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~
Mark Osborne
Web Systems Engineer
[EMAIL PROTECTED]
(512) 683-5019
~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~

Filip Hanik - Dev Lists <[EMAIL PROTECTED]> wrote on 02/08/2008 11:47 AM (To: Tomcat Users List, Subject: Re: Cluster Membership not picking up ttl setting):
> running your config, the print out is
>
> Feb 8, 2008 10:13:51 AM org.apache.catalina.tribes.membership.McastServiceImpl setupSocket
> INFO: Setting cluster mcast TTL to 15
>
> and that executes the code
>
> if ( mcastTTL >= 0 ) {
>     if(log.isInfoEnabled()) log.info("Setting cluster mcast TTL to " + mcastTTL);
>     socket.setTimeToLive(mcastTTL);
> }
>
> which is this method
> http://java.sun.com/j2se/1.5.0/docs/api/java/net/MulticastSocket.html#setTimeToLive(int)
>
> then I capture this in wireshark (two systems running)
>
> WINDOWS
> Frame 1 (111 bytes on wire, 111 bytes captured)
> Ethernet II, Src: Dell_08:6c:61 (00:15:c5:08:6c:61), Dst: 01:00:5e:00:00:04 (01:00:5e:00:00:04)
> Internet Protocol, Src: 192.168.3.102 (192.168.3.102), Dst: 228.0.0.4 (228.0.0.4)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>     Total Length: 97
>     Identification: 0x6662 (26210)
>     Flags: 0x00
>     Fragment offset: 0
>     Time to live: 15
>     Protocol: UDP (0x11)
>     Header checksum: 0x9d17 [correct]
>     Source: 192.168.3.102 (192.168.3.102)
>     Destination: 228.0.0.4 (228.0.0.4)
>
> all good, TTL is 15
>
> LINUX-FEDORA 6
> No.  Time      Source         Destination  Protocol  Info
> 2    0.229936  192.168.3.111  228.0.0.4    UDP       Source port: 45564  Destination port: 45564
> Frame 2 (111 bytes on wire, 111 bytes captured)
> Ethernet II, Src: IntelCor_73:41:5a (00:13:20:73:41:5a), Dst: 01:00:5e:00:00:04 (01:00:5e:00:00:04)
> Internet Protocol, Src: 192.168.3.111 (192.168.3.111), Dst: 228.0.0.4 (228.0.0.4)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>     Total Length: 97
>     Identification: 0x0000 (0)
>     Flags: 0x04 (Don't Fragment)
>     Fragment offset: 0
>     Time to live: 1
>     Protocol: UDP (0x11)
>     Header checksum: 0xd170 [correct]
>     Source: 192.168.3.111 (192.168.3.111)
>     Destination: 228.0.0.4 (228.0.0.4)
>
> not good at all, TTL is 1 here, even though the Java code set it to 15
>
> so I googled a little bit, the bug is either in the JVM or on linux, most likely linux.
> to solve this problem add -Djava.net.preferIPv4Stack=true to your startup script.
>
> and when I did that I got
>
> Frame 1 (111 bytes on wire, 111 bytes captured)
> Ethernet II, Src: IntelCor_73:41:5a (00:13:20:73:41:5a), Dst: 01:00:5e:00:00:04 (01:00:5e:00:00:04)
> Internet Protocol, Src: 192.168.3.111 (192.168.3.111), Dst: 228.0.0.4 (228.0.0.4)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>     Total Length: 97
>     Identification: 0x0000 (0)
>     Flags: 0x04 (Don't Fragment)
>     Fragment offset: 0
>     Time to live: 15
>     Protocol: UDP (0x11)
>     Header checksum: 0xc370 [correct]
>     Source: 192.168.3.111 (192.168.3.111)
>     Destination: 228.0.0.4 (228.0.0.4)
>
> and all is good
>
> Filip
>
> Mark Osborne wrote:
> > Hello All,
> >
> > I actually sent this yesterday, but never saw it show up in the archive or in my inbox so trying again. Sorry if y'all are getting this twice.
> >
> > I'm having a problem setting up clustering in Tomcat 6.0 on RedHat ES 4. I'm hoping someone can help me with this. I'm using a very vanilla multicast clustering implementation. The problem is that the 2 machines I want to cluster are on different subnets with 4 hops between them. Because of this I need to up the Membership multicast ttl. Unfortunately for some reason it doesn't appear that setting the ttl is having any effect for me. I have verified that I can change the multicast address, port, and frequency and those settings seem to work. It is only the ttl that doesn't seem to change. (I've reverted all of those changes back to default now).
> >
> > Here is my clustering set up from server.xml
> >
> >   channelSendOptions="8">
> >     expireSessionsOnShutdown="false"
> >     notifyListenersOnReplication="true"/>
> >     className="org.apache.catalina.tribes.group.GroupChannel">
> >       className="org.apache.catalina.tribes.membership.McastService"
> >       address="228.0.0.4"
> >       port="45564"
> >       ttl="15"
> >       frequency="500"
> >       dropTime="3000"/>
> >       className="org.apache.catalina.tribes.transpo
Re: Fwd: can't get servlets to run
Hello ilene, in fear of retribution I must give you the standard: http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html

Moreover, you might want to learn and understand the web application deployment file system hierarchy as it exists under the Tomcat installation. The TC file system is fairly much the same regardless of platform.

This being said, I would like to point out that in the future, to get expert guru Tomcat help, you might want to clarify your issues in a bulleted or tabulated form. This should include log file snippets from, say, server.log. Java exceptions are very informative combined with other pieces of information. Itemize your information stepwise such that busy people can follow more easily. You know what you are doing but they don't. Send email that makes it painfully obvious that you have done your homework and somebody will help.

HTH.

ilene m wrote ..
> Date: Thu, 7 Feb 2008 19:50:18 -0800 (PST)
> From: ilene m <[EMAIL PROTECTED]>
> Subject: can't get servlets to run
> To: users@tomcat.apache.org
>
> Hi,
>
> I cannot get servlets to run outside of the servlet examples link off of the main page. I'm getting the ole 404 "The requested resource - servlet - is not available".
>
> I have tried the 6.0.14 zip file and a "preconfigured" 6.0.10 version off of the coreservlets.com site.
>
> I've tried loading 6.0.14 twice. Everything else runs but the servlets. In the first iteration of 6.0.14 I had html, jsp, php, php accessing mysql running happily. Thought it might have been something I did to make php happy so I took a clean version but it didn't help.
>
> When I loaded 6.0.14 I tried to run servlets by using the invoker servlet. Uncommented the invoker servlet and its mapping in web.xml and added privileged="true" to context.xml and threw a HelloWorld.class file into the webapps\Root\WEB-INF\classes dir, accessing via http:\\localhost:8080\servlet\HelloWorld.
>
> I also tried my own app dir and a context fragment file. Tried putting the context fragment file in tomcat\conf\Catalina\localhost\myApp.xml, tomcat\conf\Catalina\localhost\myApp\myApp.xml and tomcat\webapps\myApp\META-INF\context.xml. Tried changing up the docbase.
>
> Tried raising the logging level to see if anything useful would pop out. NADA
>
> Wondering if I'm missing an environment var.
>
> Any help would be GREATLY appreciated.
>
> Thanks for your time.
Re: Cluster Membership not picking up ttl setting
Running your config, the print out is

    Feb 8, 2008 10:13:51 AM org.apache.catalina.tribes.membership.McastServiceImpl setupSocket
    INFO: Setting cluster mcast TTL to 15

and that executes the code

    if ( mcastTTL >= 0 ) {
        if(log.isInfoEnabled())
            log.info("Setting cluster mcast TTL to " + mcastTTL);
        socket.setTimeToLive(mcastTTL);
    }

which is this method: http://java.sun.com/j2se/1.5.0/docs/api/java/net/MulticastSocket.html#setTimeToLive(int)

Then I capture this in Wireshark (two systems running).

WINDOWS

    Frame 1 (111 bytes on wire, 111 bytes captured)
    Ethernet II, Src: Dell_08:6c:61 (00:15:c5:08:6c:61), Dst: 01:00:5e:00:00:04 (01:00:5e:00:00:04)
    Internet Protocol, Src: 192.168.3.102 (192.168.3.102), Dst: 228.0.0.4 (228.0.0.4)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        Total Length: 97
        Identification: 0x6662 (26210)
        Flags: 0x00
        Fragment offset: 0
        Time to live: 15
        Protocol: UDP (0x11)
        Header checksum: 0x9d17 [correct]
        Source: 192.168.3.102 (192.168.3.102)
        Destination: 228.0.0.4 (228.0.0.4)

all good, TTL is 15

LINUX-FEDORA 6

    No.  Time      Source         Destination  Protocol  Info
    2    0.229936  192.168.3.111  228.0.0.4    UDP       Source port: 45564  Destination port: 45564

    Frame 2 (111 bytes on wire, 111 bytes captured)
    Ethernet II, Src: IntelCor_73:41:5a (00:13:20:73:41:5a), Dst: 01:00:5e:00:00:04 (01:00:5e:00:00:04)
    Internet Protocol, Src: 192.168.3.111 (192.168.3.111), Dst: 228.0.0.4 (228.0.0.4)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        Total Length: 97
        Identification: 0x (0)
        Flags: 0x04 (Don't Fragment)
        Fragment offset: 0
        Time to live: 1
        Protocol: UDP (0x11)
        Header checksum: 0xd170 [correct]
        Source: 192.168.3.111 (192.168.3.111)
        Destination: 228.0.0.4 (228.0.0.4)

not good at all, TTL is 1 here, even though the Java code set it to 15.

So I googled a little bit; the bug is either in the JVM or on Linux, most likely Linux. To solve this problem add

    -Djava.net.preferIPv4Stack=true

to your startup script. And when I did that I got

    Frame 1 (111 bytes on wire, 111 bytes captured)
    Ethernet II, Src: IntelCor_73:41:5a (00:13:20:73:41:5a), Dst: 01:00:5e:00:00:04 (01:00:5e:00:00:04)
    Internet Protocol, Src: 192.168.3.111 (192.168.3.111), Dst: 228.0.0.4 (228.0.0.4)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        Total Length: 97
        Identification: 0x (0)
        Flags: 0x04 (Don't Fragment)
        Fragment offset: 0
        Time to live: 15
        Protocol: UDP (0x11)
        Header checksum: 0xc370 [correct]
        Source: 192.168.3.111 (192.168.3.111)
        Destination: 228.0.0.4 (228.0.0.4)

and all is good

Filip

Mark Osborne wrote:
> Hello All,
>
> I actually sent this yesterday, but never saw it show up in the archive or in my inbox so trying again. Sorry if y'all are getting this twice.
>
> I'm having a problem setting up clustering in Tomcat 6.0 on RedHat ES 4. I'm hoping someone can help me with this. I'm using a very vanilla multicast clustering implementation. The problem is that the 2 machines I want to cluster are on different subnets with 4 hops between them. Because of this I need to up the Membership multicast ttl. Unfortunately for some reason it doesn't appear that setting the ttl is having any effect for me. I have verified that I can change the multicast address, port, and frequency and those settings seem to work. It is only the ttl that doesn't seem to change. (I've reverted all of those changes back to default now).
>
> Here is my clustering set up from server.xml
>
>     className="org.apache.catalina.tribes.group.GroupChannel">
>     className="org.apache.catalina.tribes.membership.McastService" address="228.0.0.4" port="45564" ttl="15" frequency="500" dropTime="3000"/>
>     className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
>     className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
>     className="org.apache.catalina.tribes.transport.nio.NioReceiver" address="auto" port="4000" autoBind="100" selectorTimeout="5000" maxThreads="6"/>
>     className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
>     className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
>     className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
>     className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
>     className="org.apache.catalina.ha.sess
RE: SecurityException when starting TomCat
> From: Bob the BlueBerry [mailto:[EMAIL PROTECTED]
> Subject: Re: SecurityException when starting TomCat
>
> I just enabled the invoker servlet because the book I'm reading told me to, and it said to use the '/servlet/*' mapping. Which one should I use?

Throw that book away and read the servlet spec and the real Tomcat docs. There probably are decent books about Tomcat out there that others could recommend.

Don't use the invoker servlet - it truly is anathema. Proper servlet mappings are pretty simple, and the Tomcat download includes many examples.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: SecurityException when starting TomCat
I'm not familiar with servlet mappings. I just enabled the invoker servlet because the book I'm reading told me to, and it said to use the '/servlet/*' mapping. Which one should I use?

--
From: "Caldarale, Charles R" <[EMAIL PROTECTED]>
Sent: Tuesday, January 15, 2008 1:24 PM
To: "Tomcat Users List"
Subject: RE: SecurityException when starting TomCat

> From: Bob the BlueBerry [mailto:[EMAIL PROTECTED]
> Subject: SecurityException when starting TomCat
>
> Can you tell me how to fix this?
>
>     java.lang.SecurityException: Servlet of class org.apache.catalina.servlets.InvokerServlet is privileged and cannot be loaded by this web application

Don't use the InvokerServlet - it's certifiably evil: http://wiki.apache.org/tomcat/FAQ/Miscellaneous?highlight=%28invoker%29

Use the proper servlet mappings, and then see if you've got a problem.

 - Chuck
Cluster Membership not picking up ttl setting
Hello All,

I actually sent this yesterday, but never saw it show up in the archive or in my inbox so trying again. Sorry if y'all are getting this twice.

I'm having a problem setting up clustering in Tomcat 6.0 on RedHat ES 4. I'm hoping someone can help me with this. I'm using a very vanilla multicast clustering implementation. The problem is that the 2 machines I want to cluster are on different subnets with 4 hops between them. Because of this I need to up the Membership multicast ttl. Unfortunately for some reason it doesn't appear that setting the ttl is having any effect for me. I have verified that I can change the multicast address, port, and frequency and those settings seem to work. It is only the ttl that doesn't seem to change. (I've reverted all of those changes back to default now).

Here is my clustering set up from server.xml

As you can see I've changed the Membership ttl to 15. However, when I start up apache and run a tcpdump it appears that the TTL is still set to 1. Our network admins have also verified from their end that it appears the ttl on the multicast traffic is 1.

    [ root on godofwar ] tcpdump host 228.0.0.4 -v
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    17:32:45.852847 IP (tos 0xc0, ttl 1, id 63038, offset 0, flags [none], proto 2, length: 28) mp3-1n14-c1-e-gw-vlan-1329.natinst.com > reserved-multicast-range-not-delegated.example.com: igmp query v2 [max resp time 10] [gaddr reserved-multicast-range-not-delegated.example.com]
    17:32:50.560751 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto 2, length: 32, optlength: 4 ( RA )) godofwar.natinst.com > reserved-multicast-range-not-delegated.example.com: igmp v2 report reserved-multicast-range-not-delegated.example.com
    17:32:51.583260 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto 17, length: 97) godofwar.natinst.com.45564 > reserved-multicast-range-not-delegated.example.com.45564: UDP, length 69
    17:32:51.585935 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto 17, length: 97) godofwar.natinst.com.45564 > reserved-multicast-range-not-delegated.example.com.45564: UDP, length 69
    17:32:52.087227 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto 17, length: 97) godofwar.natinst.com.45564 > reserved-multicast-range-not-delegated.example.com.45564: UDP, length 69
    17:32:52.589311 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto 17, length: 97) godofwar.natinst.com.45564 > reserved-multicast-range-not-delegated.example.com.45564: UDP, length 69
    17:32:53.091522 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto 17, length: 97) godofwar.natinst.com.45564 > reserved-multicast-range-not-delegated.example.com.45564: UDP, length 69

Does anybody have any ideas on why this is?

Thanks in advance

Mark Osborne
Web Systems Engineer
[EMAIL PROTECTED]
(512) 683-5019
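Filip's reply above shows the comparison that matters: the JVM logs that it set the TTL to 15 while the wire shows 1. As an added example (not code from the thread and not Tomcat's), the following class makes that comparison over `tcpdump -v` output in the shape of the capture above: it parses each line, ignores IGMP (whose TTL of 1 is normal) and reports membership datagrams whose TTL is below the configured value. `McastTtlCheck`, `Finding` and the sample lines are constructed here.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Compares the TTL of Tribes membership datagrams seen in "tcpdump -v" output
 * with the ttl attribute configured on the Membership element. IGMP packets
 * (proto 2) always carry TTL 1 and are skipped, so only UDP datagrams sent to
 * the membership port are judged.
 */
public class McastTtlCheck {

    // "IP (tos 0x0, ttl 1, id 0, ..., proto 17, length: 97) host.45564 > 228.0.0.4.45564: UDP, length 69"
    private static final Pattern UDP_LINE = Pattern.compile(
            "ttl (\\d+),.*proto (\\d+),.*?\\) (\\S+)\\.(\\d+) > (\\S+)\\.(\\d+): UDP");

    /** One membership datagram that left the host with too small a TTL. */
    public static final class Finding {
        public final String destination;
        public final int ttl;
        public final String line;
        Finding(String destination, int ttl, String line) {
            this.destination = destination; this.ttl = ttl; this.line = line;
        }
        @Override public String toString() { return "TTL " + ttl + " towards " + destination + ": " + line; }
    }

    /**
     * @param capture        lines of "tcpdump -v host <group>" output, as in the report above
     * @param configuredTtl  the ttl attribute from server.xml (15 in this thread)
     * @param membershipPort the Membership port attribute (45564 in this thread)
     */
    public static List<Finding> check(List<String> capture, int configuredTtl, int membershipPort) {
        List<Finding> findings = new ArrayList<Finding>();
        for (String line : capture) {
            Matcher m = UDP_LINE.matcher(line);
            if (!m.find()) continue;                                      // IGMP and anything else that is not UDP
            if (Integer.parseInt(m.group(2)) != 17) continue;             // protocol number must be UDP
            if (Integer.parseInt(m.group(6)) != membershipPort) continue; // unrelated UDP traffic
            int ttl = Integer.parseInt(m.group(1));
            if (ttl < configuredTtl) {
                findings.add(new Finding(m.group(5), ttl, line));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of the tcpdump output above: an IGMP query
        // (TTL 1 is normal there), a membership datagram that left with the kernel
        // default of 1, and one sent after -Djava.net.preferIPv4Stack=true was added.
        List<String> capture = Arrays.asList(
            "17:32:45.852847 IP (tos 0xc0, ttl 1, id 63038, offset 0, flags [none], proto 2, length: 28) gw > 228.0.0.4: igmp query v2 [max resp time 10]",
            "17:32:51.583260 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto 17, length: 97) godofwar.45564 > 228.0.0.4.45564: UDP, length 69",
            "17:32:52.087227 IP (tos 0x0, ttl 15, id 0, offset 0, flags [DF], proto 17, length: 97) godofwar.45564 > 228.0.0.4.45564: UDP, length 69");

        List<Finding> bad = check(capture, 15, 45564);
        System.out.println(bad.size() + " membership datagram(s) left with a TTL below 15");
        for (Finding f : bad) {
            System.out.println("  " + f);
        }
    }
}
```

Feed it the real capture (one line per datagram) from both cluster members; a non-empty result after the JVM flag has been added means the TTL is still being lost somewhere other than the JVM.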
RE: problem with HttpSessionBindListner
> From: Murthy Chelankuri [mailto:[EMAIL PROTECTED]
> Subject: problem with HttpSessionBindListner
>
> Is there any way to know about the valid sessions at the startup of the tomcat?

See section 10 of the servlet spec. You need to implement a HttpSessionActivationListener to catch passivations and activations during Tomcat shutdown and startup.

 - Chuck
pre load Webapp before deploying to tomcat
Hi,

I have a rather large webapp with spring and hibernate which takes some time to startup (30 seconds). When I redeploy this webapp the application is not available for 30 seconds until everything is loaded.

I looked at "hot deployment" but this is only about not restarting tomcat, but tomcat still does:

1. undeploy
2. deploy

so I still have 30 seconds of unavailability. (That's not what I call "hot" deployment.)

Is it possible to "load" a webapp in a different Context and "move" it afterwards to the running context? Say I have my running webapp version 1 in context "/production". Now I deploy my new webapp version 2 in context "/upgrade" and everything gets initialized. I even can check my new version running. After this I would like to just move "/upgrade" to "/production".

Is it possible?

kind regards,
janning
[ANN] Apache Tomcat 6.0.16 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.16 stable.

This release includes many bugfixes over Apache Tomcat 6.0.14. Apache Tomcat 6.0 includes new features over Apache Tomcat 5.5, including support for the new Servlet 2.5 and JSP 2.1 specifications, a refactored clustering implementation, advanced IO features, and improvements in memory usage.

Please refer to the change log for the list of changes: http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Downloads: http://tomcat.apache.org/download-60.cgi

Migration guide from Apache Tomcat 5.5.x: http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team
Tomcat SSL, Windows 2003 and Windows-My Provider
Hello all,

I'm trying to configure a Tomcat 6 server with SSL using the Windows-MY provider from Java 6. I've been able to do it in Windows XP and it works perfectly, but when executing in Windows 2003, Tomcat is not able to open the keystore (it says it cannot find the .keystore file, although the configuration is completely the same as in Windows XP).

I'm using the following connector:

I've accessed the store with 'keytool -list -storetype Windows-MY' and it works (it shows myKey).

Is there more configuration needed in W2003 (permissions, policies, etc)? Has someone found this problem before?

Thanks in advance
RE: Password Input on Tomcat Startup
> From: Jan Mönnich [mailto:[EMAIL PROTECTED]
>
> we have a very sensitive webapp that requires the input of a password
> when the tomcat server starts. We don't want to store this password
> in a file. One way we've already tested could be the use of a JDialog
> with a JPasswordField that is shown in the init() method of a servlet
> (1). Unfortunately this requires our server to run X11... :-(
>
> Is there any (hidden) way to input this password on the terminal
> tomcat was started from?

Assuming all communication is via HTTPS, an alternative goes roughly as follows:

- Pull any initialisation out of the servlet's init(), leaving just a boolean as to whether the password's been entered or not;
- Modify the servlet to serve a please-enter-the-password page at a particular URL;
- When the user enters the password, run any init code;
- Refuse to serve any other pages until the password has been entered.

This uses Tomcat's normal interface - HTTP - to your advantage, and probably maintains security to the level you need - you'll have to evaluate that. Depends how much control you have over the webapp, though.

 - Peter
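Peter's outline as a servlet filter, added here as an example (not his code and not Tomcat's): everything except the unlock page is refused until the password has been accepted, the page is only served when the request arrived over HTTPS, and a handful of failed attempts close it until the next restart. The `Initializer` hook, the `/unlock` path and the ServletContext attribute through which the filter finds the initialiser are assumptions of this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Keeps the application closed until an operator has entered the start-up password
 *  over HTTPS. Map it to the whole application in web.xml ahead of every other filter;
 *  the password goes straight to the initialiser and is wiped, nothing is written to a file. */
public class UnlockFilter implements Filter {

    /** Whatever actually needs the password (open a keystore, derive a key ...). Assumed hook:
     *  the application registers an implementation as a ServletContext attribute named after it. */
    public interface Initializer {
        boolean initialize(char[] password);   // true once the application is ready
    }

    private static final String UNLOCK_PATH = "/unlock";   // path chosen here
    private static final int MAX_ATTEMPTS = 5;             // afterwards only a restart reopens the page
    private Initializer initializer;
    private volatile boolean unlocked;
    private int failures;

    public void init(FilterConfig config) throws ServletException {
        initializer = (Initializer) config.getServletContext().getAttribute(Initializer.class.getName());
        if (initializer == null) throw new ServletException("no Initializer registered");
    }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (unlocked) { chain.doFilter(req, resp); return; }           // normal operation
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!request.isSecure()) {                 // never take the password in clear text
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        } else if (!UNLOCK_PATH.equals(path)) {    // fail closed: nothing else is served yet
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "application not unlocked");
        } else if ("POST".equals(request.getMethod())) {
            String supplied = request.getParameter("password");
            char[] password = supplied == null ? new char[0] : supplied.toCharArray();
            boolean ok = tryUnlock(password);
            Arrays.fill(password, '\0');           // the String copy lingers until GC; the char[] does not
            if (ok) response.sendRedirect(request.getContextPath() + "/");
            else response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "password rejected");
        } else {
            sendForm(request, response);
        }
    }

    /** One attempt at a time; after MAX_ATTEMPTS wrong passwords the page stays closed. */
    synchronized boolean tryUnlock(char[] password) {
        if (unlocked) return true;
        if (failures >= MAX_ATTEMPTS) return false;
        if (initializer.initialize(password)) { unlocked = true; return true; }
        failures++;
        return false;
    }

    private static void sendForm(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<form method=\"post\" action=\"" + request.getContextPath() + UNLOCK_PATH + "\">");
        out.println("<input type=\"password\" name=\"password\" autocomplete=\"off\">");
        out.println("<input type=\"submit\" value=\"Unlock\"></form>");
    }
}
```

`isSecure()` is only true on an SSL connector or on a connector whose `secure` attribute is set for traffic arriving through a TLS-terminating front end, so check that before relying on the HTTPS-only branch.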
Password Input on Tomcat Startup
Hi folks,

we have a very sensitive webapp that requires the input of a password when the tomcat server starts. We don't want to store this password in a file. One way we've already tested could be the use of a JDialog with a JPasswordField that is shown in the init() method of a servlet (1). Unfortunately this requires our server to run X11... :-(

Is there any (hidden) way to input this password on the terminal tomcat was started from?

Thanks in advance for any idea!

Jan

--
Dipl.-Inf. (FH) Jan Mönnich, PKI Team
Phone: +49 40 808077-632, Fax: +49 40 808077-556, [EMAIL PROTECTED]
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstraße 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Re: How to avoid session fixation?
I think this is worth submitting a security issue request on the tracker, to ask that, at least, the container links the requester IP to the session.

Changing the session ID upon login in the container would be a good thing imho; it would ensure the ID becomes unknown to the attacker after login, wouldn't destroy the user session (keep the session, only change its identifier) and would work whatever authentication mechanism is used. The drawback is that webapps that rely on the session id for some session tracking mechanism would break.

btw, your hack is limited to form based authentication; I successfully "shared" an authenticated session on tomcat 5.5.7 using HTTP basic authentication. One of the computers had access to a secured resource without ever being prompted for user/pass.

On 08/02/08 10:49, Christoph Lenggenhager wrote:
> David, Christopher
>
> Thank you for sharing your thoughts. It seems to me that there is no standard solution to this problem, but you agree with me that the problem exists.
>
> As I mentioned before, I came up with a solution that looks promising. Here's a rough description, I'd welcome your opinions/concerns:
>
> - a custom valve contains the whole implementation
> - requests to the servlet/URI "j_security_check" are intercepted
> - for intercepted requests the current session is destroyed and a new one is created:
>
>     -- snip --
>     ...
>     request.getSession().invalidate();
>     request.getSession(true);
>     ...
>     -- snap --
>
> - to have a proper redirect to the originally requested page the original request has to be copied from the old session to the new one. I filter out any references to the old session id, although I'm not sure whether this is really necessary.
>
> Well, first of all, I'm in the comfortable situation that I'm not interested in any session attributes that existed before the actual login, so this makes things easier. Furthermore, it's clearly a homemade hack, but it seems to do the job.
>
> Do you think it's worth opening a bug/feature request concerning this issue? For I actually think that this is clearly a task the container should take care of.
>
> Thanks.
>
> regards,
> christoph

--
http://www.devlog.be (a belgian developer's logs)
Re: How to avoid session fixation?
David, Christopher

Thank you for sharing your thoughts. It seems to me that there is no standard solution to this problem, but you agree with me that the problem exists.

As I mentioned before, I came up with a solution that looks promising. Here's a rough description, I'd welcome your opinions/concerns:

- a custom valve contains the whole implementation
- requests to the servlet/URI "j_security_check" are intercepted
- for intercepted requests the current session is destroyed and a new one is created:

    -- snip --
    ...
    request.getSession().invalidate();
    request.getSession(true);
    ...
    -- snap --

- to have a proper redirect to the originally requested page the original request has to be copied from the old session to the new one. I filter out any references to the old session id, although I'm not sure whether this is really necessary.

Well, first of all, I'm in the comfortable situation that I'm not interested in any session attributes that existed before the actual login, so this makes things easier. Furthermore, it's clearly a homemade hack, but it seems to do the job.

Do you think it's worth opening a bug/feature request concerning this issue? For I actually think that this is clearly a task the container should take care of.

Thanks.

regards,
christoph
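The valve Christoph describes, written out as an added example against the Tomcat 6 Catalina API; it is neither his code nor Tomcat's. It intercepts the POST to `j_security_check` ahead of the FormAuthenticator, expires the pre-login session and carries only the authenticator's saved-request note into the new one, so whatever an attacker could have planted in the pre-login session is discarded. `SessionRotationValve` is a name chosen here; the Catalina classes and `Constants` fields are the real ones. Later Tomcat releases do this themselves through the `changeSessionIdOnAuthentication` attribute of the authenticator valves.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Replaces the session when the FORM login is posted, so that the id the
 * client carried before authenticating is never the id of the authenticated
 * session. A Valve declared in the web application's META-INF/context.xml is
 * added to the pipeline before the authenticator that Tomcat adds at context
 * start, which is what makes the interception possible:
 *
 *   <Valve className="SessionRotationValve"/>
 *
 * (class name and deployment location are assumptions of this example).
 */
public class SessionRotationValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        if (isFormLogin(request)) {
            rotateSession(request);
        }
        getNext().invoke(request, response);
    }

    /** The FORM login action is POSTed to <context path>/j_security_check. */
    static boolean isFormLogin(Request request) {
        String uri = request.getDecodedRequestURI();
        return "POST".equals(request.getMethod())
                && uri != null && uri.endsWith(Constants.FORM_ACTION);
    }

    /**
     * Expire the pre-login session and create a fresh one. The only thing
     * carried over is the note in which FormAuthenticator keeps the request
     * that triggered the login, so the redirect after login still works;
     * every attribute the old session held is dropped with it.
     */
    static String rotateSession(Request request) {
        Session old = request.getSessionInternal(false);
        if (old == null) {
            return request.getSessionInternal(true).getId();
        }
        String oldId = old.getId();
        Object savedRequest = old.getNote(Constants.FORM_REQUEST_NOTE);
        old.expire();                                       // listeners fire, attributes go

        // The request still refers to the expired session; getSessionInternal sees
        // that it is no longer valid and creates a new one (a new cookie is sent).
        Session fresh = request.getSessionInternal(true);
        if (savedRequest != null) {
            fresh.setNote(Constants.FORM_REQUEST_NOTE, savedRequest);
        }
        if (oldId.equals(fresh.getId())) {
            // Fail closed: better to refuse the login than to authenticate the old id.
            throw new IllegalStateException("session id was not rotated");
        }
        return fresh.getId();
    }
}
```

As David notes in his reply, this only covers FORM login; BASIC and DIGEST authentication never pass through `j_security_check`, so nothing here runs for them.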
problem with HttpSessionBindListner
I am using the HttpSessionBindingListener to be notified of session events (to know when the user logged in, logged out or the session timed out). This worked fine in Resin.

With Tomcat 6, when we stop Tomcat the listener is notified of the unbound event. Once we start Tomcat the previous user sessions (i.e. sessions before stopping Tomcat) are still valid. This is because Tomcat persists the session info in persistent storage (might be a file in the work directory). But at startup it is not notifying any events for the valid sessions.

Is there any way to know about the valid sessions at the startup of Tomcat?

Thanks,
Murthy
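Chuck's answer above, worked out as an added example (not Murthy's code and not Tomcat's): one serializable object stored in the session at login implements both listener interfaces, so the set of live sessions is kept current by bound/unbound events while Tomcat runs and by passivation/activation events around a restart. `SessionRegistryEntry` and the attribute name are chosen here.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionActivationListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import javax.servlet.http.HttpSessionEvent;

/**
 * Put into the session at login (see register). While Tomcat runs, the
 * bound/unbound callbacks follow login, logout and expiry; across a restart
 * the passivation/activation callbacks follow the sessions Tomcat writes to
 * its work directory and reads back, for which no bound event ever arrives.
 * Serializable, because it travels with the persisted session.
 */
public class SessionRegistryEntry
        implements HttpSessionBindingListener, HttpSessionActivationListener, Serializable {

    private static final long serialVersionUID = 1L;
    public static final String ATTRIBUTE = "login.registry";   // attribute name chosen here

    /** session id -> user name for every session currently known to be live. */
    private static final Map<String, String> LIVE = new ConcurrentHashMap<String, String>();

    private final String user;

    private SessionRegistryEntry(String user) { this.user = user; }

    /** Call once the user has authenticated. */
    public static void register(HttpSession session, String user) {
        session.setAttribute(ATTRIBUTE, new SessionRegistryEntry(user));
    }

    /** Answers "which sessions are valid right now", including those restored at start-up. */
    public static Set<String> liveSessionIds() { return Collections.unmodifiableSet(LIVE.keySet()); }
    public static String userOf(String sessionId) { return LIVE.get(sessionId); }

    // While the server runs.
    public void valueBound(HttpSessionBindingEvent e) {        // login (setAttribute)
        LIVE.put(e.getSession().getId(), user);
    }
    public void valueUnbound(HttpSessionBindingEvent e) {      // logout, invalidate() or timeout
        LIVE.remove(e.getSession().getId());
    }

    // Around a restart.
    public void sessionWillPassivate(HttpSessionEvent e) {     // shutdown: session is about to be serialised
        LIVE.remove(e.getSession().getId());
    }
    public void sessionDidActivate(HttpSessionEvent e) {       // start-up: persisted session restored, still valid
        LIVE.put(e.getSession().getId(), user);
    }
}
```

The registry is per JVM; in a cluster each node sees only the sessions it holds, and a session replicated to another node arrives there through the activation callback as well.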