Re: mod_jk codepage in header values
Christopher thanks for the quick reply.

> > for connecting tomcat with apache I'm using the mod_jk connector. But I'm having a problem with header values. On the apache side header values are in the UTF-8 cp but on the tomcat side I have to make a conversion from the latin-1 cp.
>
> Hmm. HTTP defines header values as ASCII (well, it inherits that from other RFCs, but, whatever). If you need to encode non-ASCII data in header values, you'll need to do it in such a way that your client understands them. Often, URL-encoding (aka %-encoding) is used in these situations.
>
> > I'm using this code:
> >
> >     for(Enumeration en = request.getHeaderNames(); en.hasMoreElements();){
> >         header = new Header();
> >         headerName = (String) en.nextElement();
> >         header.setHeaderName(headerName);
> >         header.setHeaderValue(new String(request.getHeader(headerName).getBytes("ISO-8859-1")));
>
> For most values, this will work. On the other hand, the response already knows how to convert a String into ASCII, so you probably don't have to do this.
>
> >         headers.add(header);
> >         header = new Header();
> >         header.setHeaderName(headerName);
> >         header.setHeaderValue(request.getHeader(headerName));
> >         headers.add(header);
> >     }
>
> The Header class is not part of the Servlet API. What does all of this do?

This is just a snapshot of my code. I use the Header class to save values; it is just a data holder.

> What information are you passing through the HTTP headers that needs to be in a particular encoding? These issues are typically handled using the response body coupled with a Content-Type header which specifies a character encoding.

I'm from Slovenija, Europe. We are using characters that are not defined in ASCII so we are using the UTF-8 cp. I will try to explain what this application is about. This project (web page) is protected with AAI (http://www.switch.ch/aai/about/). This Authentication and Authorization Infrastructure is roughly divided into SP (service provider) and IdP (identity provider). SP is a module in apache.

So when a user tries to get a web page that is protected with AAI through apache, the SP module checks if the user is already logged in. If not, SP redirects the user to the IdP where the user can enter his/her username and password. If everything is ok the IdP sends the user's data in xml to the SP. SP puts this data into apache environment variables so applications (web pages) can access it. Here I use mod_jk to get these environment variables into tomcat as HTTP headers. If I print the user data on the apache side I get values in UTF-8 encoding, but if I try this on tomcat I don't get the right values and I have to make a conversion. Is mod_jk responsible for converting UTF-8 environment variables to ASCII header values or is this conversion made elsewhere?

mirko

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat log analyzer
2010/1/21 Ramachandran, Vishwanath(IE10) vishwanath.ramachand...@honeywell.com
> I have evaluated around 8 tools which do not support catalina.out. Kindly suggest.

Hi.

catalina.out is not supposed to be used for traffic analysis. Look at the AccessLogValve http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

Cheers,
R.
-- First they ignore you. Then they laugh at you. Then they fight you. Then you win. - Mohandas Gandhi.
Re: Polling and session timeout
On 21/01/2010 04:45, grailcattt wrote:
> That is exactly what I ended up doing and it is working well. I was hoping for a solution that used tomcat session management rather than managing my own session timeouts, but it works well.

If you put the poll servlet in a separate app and are NOT using the single sign on valve, you could set a separate session timeout in that servlet/app. I think.

p
RE: tomcat log analyzer
Hi Ryszard

Yes, catalina.out is not used for traffic analysis. I'm just looking for a tool with which I can see visitors, access counts, pages visited, browsers used etc. Is there any tool like e.g. WebLog Expert and Deep Log Analyzer, where I just give the catalina.out as the log file location and generate reports?

Regards
Vishwanath
Desk: +91 80 26588360 Extn: 48555

-----Original Message-----
From: Ryszard Łach [mailto:ryl...@gmail.com]
Sent: Thursday, January 21, 2010 1:59 PM
To: Tomcat Users List
Subject: Re: tomcat log analyzer

2010/1/21 Ramachandran, Vishwanath(IE10) vishwanath.ramachand...@honeywell.com
> I have evaluated around 8 tools which do not support catalina.out. Kindly suggest.

Hi.

catalina.out is not supposed to be used for traffic analysis. Look at the AccessLogValve http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

Cheers,
R.
-- First they ignore you. Then they laugh at you. Then they fight you. Then you win. - Mohandas Gandhi.
Re: mod_jk codepage in header values
Mirko Solic wrote:
> Christopher thanks for the quick reply.
...
> I'm from Slovenija, Europe. We are using characters that are not defined in ASCII so we are using the UTF-8 cp. I will try to explain what this application is about. This project (web page) is protected with AAI (http://www.switch.ch/aai/about/). This Authentication and Authorization Infrastructure is roughly divided into SP (service provider) and IdP (identity provider). SP is a module in apache. So when a user tries to get a web page that is protected with AAI through apache, the SP module checks if the user is already logged in. If not, SP redirects the user to the IdP where the user can enter his/her username and password. If everything is ok the IdP sends the user's data in xml to the SP. SP puts this data into apache environment variables so applications (web pages) can access it. Here I use mod_jk to get these environment variables into tomcat as HTTP headers. If I print the user data on the apache side I get values in UTF-8 encoding, but if I try this on tomcat I don't get the right values and I have to make a conversion. Is mod_jk responsible for converting UTF-8 environment variables to ASCII header values or is this conversion made elsewhere?

Mirko,

I am from Belgium, Europe too. I live in Spain and work mostly for German and other international customers (among which are some from Poland too). This to say that I am well-aware of multi-lingual character set issues, and confront them every day. So, just so as to give you some context for your issues :

Despite the fact that Unicode and UTF-8 are now being increasingly used on the web, the fact is that HTTP, and HTML, and most of the other WWW-relevant RFCs, are still US-ASCII and ISO-8859-1 (latin-1) based. For example, HTTP header values are /supposed/ to contain only single-byte character codes that are part of the (printable subset of) US-ASCII character set. For example also, by default, all content exchanged between browsers and web servers is iso-8859-1. And it is so because the relevant RFCs say that it should be. (So the developers of Apache and mod_jk and Tomcat have little choice in the matter; they have to follow the RFCs).

This does not mean that you cannot handle other character sets on the web. But it means that whenever you do, you have to be attentive to the fact that it is /not/ the standard, and that you may have to do character set translations and/or encoding. It may even mean that, in order to exchange non-US-ASCII or non-ISO-8859-1 data, you may have to use tricks. It also means that, in some cases, by using such tricks, your applications may become non-standard, and will not necessarily work with all servers and all clients.

So for example, to get back to your question above : mod_jk is not responsible for translating anything, and will not translate anything. That is because mod_jk follows the relevant WWW RFCs, which specify that such and such data is ASCII or ISO-8859-1. If the original HTTP request, as it is given by Apache to mod_jk, contains HTTP headers, mod_jk will forward these headers as is to the back-end Tomcat. But, because the HTTP RFC specifies that HTTP headers should contain only US-ASCII character data, mod_jk would be allowed, if it finds non-US-ASCII data in a HTTP header, to strip this data or ignore the header or something like that. I don't know if mod_jk actually does this, but if it did, it would be justified, because according to the HTTP RFC this would be an invalid header.

So, to be practical :
- the current HTTP 1.1 RFC specifies that HTTP headers can only contain US-ASCII printable character data
- some UTF-8 codes contain bytes that are not part of the US-ASCII character set (e.g. : bytes with values above 0x7F)
- so, if you want to forward such a header from Apache to Tomcat, in principle the right way is to encode the value of this header on the Apache side, in such a way that it contains only US-ASCII data (for example, using Base64 encoding), then pass it to mod_jk.
- at the other end, your application would have to decode this header (using Base64 decoding) back into UTF-8, and then it would have to read this header value as UTF-8/Unicode.

There is no guarantee that any standard module or class under Apache or mod_jk or Tomcat would properly handle a header that contains non-US-ASCII data. That is because, in principle, they never have to. I know it is a mess. It is possible that there are shortcuts. It is possible that mod_jk would transmit a HTTP header, even if it contains non-US-ASCII data. But it is not sure, because the bible for mod_jk, as for Apache and as for Tomcat, are the RFCs.

We non-English speakers worldwide desperately need a new version of the HTTP protocol where the default would be Unicode/UTF-8, for everything. But I do not see much happening right now in that direction.

Maybe a tip for your authentication issues : If, in the AJP Connector on the Tomcat side, you set the attribute
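A worked version of the Base64 transport André recommends above, added here as an example; it is not code from the thread, from mod_jk or from Tomcat. It assumes a hypothetical header name X-AAI-DisplayName and says nothing about how Apache or mod_jk would be configured to set it. It shows the two halves of the transport (UTF-8 bytes to Base64 on the sending side, Base64 back to UTF-8 with an explicit charset on the receiving side), a check that the encoded value really is printable US-ASCII, and why the getBytes("ISO-8859-1") trick from the thread is only deterministic when both charsets are written out.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not from the mailing-list thread, mod_jk or Tomcat):
 * moving a non-ASCII attribute value through an HTTP header without
 * ever putting a non-ASCII byte into the header itself.
 */
public final class AsciiSafeHeader {

    // Hypothetical header name; the thread does not say which headers mod_jk sets.
    static final String HEADER = "X-AAI-DisplayName";

    /** Sending side: UTF-8 bytes -> Base64, which is always printable US-ASCII. */
    static String encode(String value) {
        byte[] utf8 = value.getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(utf8);
    }

    /** Receiving side: Base64 -> UTF-8 bytes -> String, charset stated explicitly. */
    static String decode(String headerValue) {
        byte[] utf8 = Base64.getDecoder().decode(headerValue);
        return new String(utf8, StandardCharsets.UTF_8);
    }

    /**
     * The constraint the thread describes: a header value made only of printable
     * US-ASCII (0x20..0x7E). Anything else is treated as non-compliant here.
     */
    static boolean isPrintableAscii(String headerValue) {
        for (int i = 0; i < headerValue.length(); i++) {
            char c = headerValue.charAt(i);
            if (c < 0x20 || c > 0x7E) {
                return false;
            }
        }
        return true;
    }

    /**
     * The "works for now" trick from the thread made explicit. The container handed
     * the raw header bytes to the application as ISO-8859-1 characters; reversing
     * that with both charsets named is deterministic, whereas new String(bytes)
     * with no charset uses the JVM default and can differ from machine to machine.
     */
    static String reinterpretLatin1AsUtf8(String headerAsSeenByServlet) {
        byte[] raw = headerAsSeenByServlet.getBytes(StandardCharsets.ISO_8859_1);
        return new String(raw, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String name = "Živa Žnidaršič"; // constructed sample containing non-ASCII characters

        String wire = encode(name);
        System.out.println(HEADER + ": " + wire + "  printableAscii=" + isPrintableAscii(wire));
        System.out.println("decoded on the Tomcat side: " + decode(wire));

        // What a servlet sees when the raw UTF-8 bytes are placed in a header unencoded:
        // every byte becomes one ISO-8859-1 character, and the value is not ASCII-clean.
        String mangled = new String(name.getBytes(StandardCharsets.UTF_8), StandardCharsets.ISO_8859_1);
        System.out.println("unencoded header as seen by the servlet: " + mangled
                + "  printableAscii=" + isPrintableAscii(mangled));
        System.out.println("reinterpreted with explicit charsets: " + reinterpretLatin1AsUtf8(mangled));
    }
}
```

The Base64 path is the one that stays within what the RFCs allow, since the header value never leaves printable US-ASCII; the reinterpretation path only documents why the existing trick happens to work and removes its dependence on the JVM's default charset.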
tomcat seems not seeing context.xml
Hi guys,

I've an absurd problem and I can't figure it out. I've a debian server on which tomcat 5.5 is installed. I need to run a jsf application, in which I use a pool of connections for the db. The issue is that my application can't connect to the db! In the catalina log I see

org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (Access denied for user 'root'@'localhost' (using password: YES))

The issue is that in the context.xml of my application (I use a local context) the user and password are different (I don't pass the root user!). Is it possible tomcat is not able to read context.xml and so tries to go with the root user? Please help me, my application doesn't see the db..
Basic Authentication Failed with multibyte username
Hi,

I've found a potential bug in the Basic Authentication module. I have users and some users' usernames contain national characters (encoded in UTF-8). The HTTP header based authentication fails when the username or the password contains multibyte characters. The root of the bug is the Base64 decoder, which decodes the Base64 stream to a char array: it converts each byte to an individual char, and this decode method corrupts the multibyte characters...

Here is the patch:
=== Index: java/org/apache/catalina/util/Base64.java === --- java/org/apache/catalina/util/Base64.java (revision 901368) +++ java/org/apache/catalina/util/Base64.java (working copy) 
@@ -283,5 +283,84 @@ } } +/** + * Decodes Base64 data into octects + * + * @param base64DataBC Byte array containing Base64 data + * @param decodedDataBC The decoded data bytes + */ +public static void decode( ByteChunk base64DataBC, ByteChunk decodedDataBC) +{ +int start = base64DataBC.getStart(); +int end = base64DataBC.getEnd(); +byte[] base64Data = base64DataBC.getBuffer(); + +decodedDataBC.recycle(); + +// handle the edge case, so we don't have to worry about it later +if(end - start == 0) { return; } +int numberQuadruple= (end - start)/FOURBYTE; +byte b1=0,b2=0,b3=0, b4=0, marker0=0, marker1=0; + +// Throw away anything not in base64Data + +int encodedIndex = 0; +int dataIndex = start; +byte[] decodedData = null; + +{ +// this sizes the output array properly - rlw +int lastData = end - start; +// ignore the '=' padding +while (base64Data[start+lastData-1] == PAD) +{ +if (--lastData == 0) +{ +return; +} +} +decodedDataBC.allocate(lastData - numberQuadruple, -1); +decodedDataBC.setEnd(lastData - numberQuadruple); +decodedData = decodedDataBC.getBuffer(); +} + +for (int i = 0; i numberQuadruple; i++) +{ +dataIndex = start + i * 4; +marker0 = base64Data[dataIndex + 2]; +marker1 = base64Data[dataIndex + 3]; + +b1 = base64Alphabet[base64Data[dataIndex]]; +b2 = base64Alphabet[base64Data[dataIndex +1]]; + +if (marker0 != PAD marker1 != PAD) +{ +//No PAD e.g 3cQl +b3 = base64Alphabet[ marker0 ]; +b4 = base64Alphabet[ marker1 ]; + +decodedData[encodedIndex] = (byte) (( b1 2 | b24 ) 0xff); +decodedData[encodedIndex + 1] = +(byte) b2 0xf)4 ) |( (b32) 0xf) ) 0xff); +decodedData[encodedIndex + 2] = (byte) (( b36 | b4 ) 0xff); +} +else if (marker0 == PAD) +{ +//Two PAD e.g. 3c[Pad][Pad] +decodedData[encodedIndex] = (byte) (( b1 2 | b24 ) 0xff); +} +else if (marker1 == PAD) +{ +//One PAD e.g. 
3cQ[Pad] +b3 = base64Alphabet[ marker0 ]; + +decodedData[encodedIndex] = (byte) (( b1 2 | b24 ) 0xff); +decodedData[encodedIndex + 1] = +(byte) b2 0xf)4 ) |( (b32) 0xf) ) 0xff); +} +encodedIndex += 3; +} +} + } Index: java/org/apache/catalina/authenticator/BasicAuthenticator.java === --- java/org/apache/catalina/authenticator/BasicAuthenticator.java (revision 901368) +++ java/org/apache/catalina/authenticator/BasicAuthenticator.java (working copy) @@ -161,18 +161,18 @@ // FIXME: Add trimming // authorizationBC.trim(); -CharChunk authorizationCC = authorization.getCharChunk(); -Base64.decode(authorizationBC, authorizationCC); +ByteChunk authorizationBCC = authorization.getByteChunk(); +Base64.decode(authorizationBC, authorizationBCC); // Get username and password -int colon = authorizationCC.indexOf(':'); +int colon = authorizationBCC.indexOf(':',0); if (colon 0) { -username = authorizationCC.toString(); +username = authorizationBCC.toString(); } else { -char[] buf = authorizationCC.getBuffer(); +byte[] buf = authorizationBCC.getBuffer(); username = new String(buf, 0, colon); password = new String(buf, colon + 1, -authorizationCC.getEnd() - colon - 1); +
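Review bot: in the new decode(ByteChunk, ByteChunk) the alphabet lookups `b1 = base64Alphabet[base64Data[dataIndex]]` (and likewise b2, marker0 and marker1) index the table with a raw Java byte, so any octet above 0x7F in the Authorization header becomes a negative index and throws ArrayIndexOutOfBoundsException out of the authenticator instead of producing a clean authentication failure; mask the index (`base64Data[dataIndex] & 0xFF`) or reject the chunk when a byte is outside the Base64 alphabet before entering the loop. Two smaller points in the same hunk: the comment `// Throw away anything not in base64Data` has no code under it, and the loop only processes whole quadruples, so a trailing partial group is silently dropped, which the Javadoc should state or the method should reject.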
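Review bot: in the BasicAuthenticator hunk, `username = new String(buf, 0, colon)` and the `password = new String(buf, colon + 1, ...)` line still convert with the platform default charset, so the same credential decodes differently depending on the JVM's file.encoding; pass an explicit Charset (the thread proposes a configurable characterEncoding on the authenticator, and RFC 2617 makes ISO-8859-1 the conservative default). Separately, `ByteChunk authorizationBCC = authorization.getByteChunk()` is then passed as the output of `Base64.decode(authorizationBC, authorizationBCC)`; if `authorizationBC` is that same ByteChunk, decode calls `decodedDataBC.recycle()` on the object it is reading from and writes the output into the buffer it reads, which only works because the write index stays behind the read index. Decode into a separate ByteChunk, or document the in-place contract in decode's Javadoc.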
Securing Tomcat Applications from Reverse Engineering
Hi, Can anyone throw some light on this topic, seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this. http://www.excelsior-usa.com/jetinternals.html How could we achieve this without the above tool? Because the pricing of the above tool is very costly. Looking forward to hear some ideas for this. http://www.excelsior-usa.com/jetinternals.html Best Regards, Kranti K K Parisa
Re: Basic Authentication Failed with multibyte username
Auth Gábor wrote:
> Hi,
> I've found a potential bug in the Basic Authentication module. I have users and some users' usernames contain national characters (encoded in UTF-8). The HTTP header based authentication fails when the username or the password contains multibyte characters. The root of the bug is the Base64 decoder, which decodes the Base64 stream to a char array: it converts each byte to an individual char, and this decode method corrupts the multibyte characters...

Hi.

Before declaring that this is a bug, I suggest that you read the other thread entitled "mod_jk codepage in header values". The main point is : according to the HTTP RFCs, a HTTP header value is supposed to contain /only/ US-ASCII characters. Some byte values in UTF-8 encoding are /not/ valid US-ASCII characters, so strictly speaking and according to the RFC, HTTP headers which would contain them are invalid. It's a pain, but it's (probably) not a bug.
Re: Securing Tomcat Applications from Reverse Engineering
Do you develop web applications and deliver them to the client, so that they can install your applications on their machines without your access to the machine?

Leon

2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com:
> Hi,
> Can anyone throw some light on this topic, seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this. http://www.excelsior-usa.com/jetinternals.html
> How could we achieve this without the above tool? Because the pricing of the above tool is very costly. Looking forward to hear some ideas for this. http://www.excelsior-usa.com/jetinternals.html
> Best Regards,
> Kranti K K Parisa
Re: Securing Tomcat Applications from Reverse Engineering
2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com
> Hi,
> Can anyone throw some light on this topic, seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this. http://www.excelsior-usa.com/jetinternals.html
> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.

Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly. That's the company I was aware of; I'm not aware of anyone else who has developed similar technology.

No application is ever 100% secure from reverse engineering. So, you have a business decision to take. How good is good enough protection for your application? Who are you defending against, and what kind of effort are you assuming they're willing to put into the reverse-engineering? As pointed out by another poster, you can compile JSPs to classes and you can obfuscate your code. Is that good enough?

- Peter
Re: Securing Tomcat Applications from Reverse Engineering
Kranti™ K K Parisa wrote:
> Hi,
> Can anyone throw some light on this topic, seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this. http://www.excelsior-usa.com/jetinternals.html
> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.

Hi.

Open Source software is very nice. But some developers have to make money to live, also. Presumably, if the above product is expensive, it is because it is complex and took a lot of time to develop. Nobody is stopping you from inventing and developing your own method, and you can then also decide to release it as open source or charge for it what you think is the right price.
Re: Basic Authentication Failed with multibyte username
On 21/01/2010 05:54, Auth Gábor wrote:
> Hi,
> I've found a potential bug in the Basic Authentication module. I have users and some users' usernames contain national characters (encoded in UTF-8). The HTTP header based authentication fails when the username or the password contains multibyte characters.

That sounds like a bug to me.

> The root of the bug is the Base64 decoder, which decodes the Base64 stream to a char array: it converts each byte to an individual char, and this decode method corrupts the multibyte characters...

And that sounds like the root cause.

> It works, because the byte[] to String conversion supports the multibyte conversion and uses the encoding of the JVM. What do you think about it?

I haven't tested it or looked at the detail of the base 64 decoding but on the basis it works for you then... Great! Many thanks.

Please create a Bugzilla entry and add your patch to it. Patches sent to the mailing list are too easy to forget.

Before you do, I have one improvement suggestion. Using the platform default encoding to convert bytes to String is something that itself has caused bugs in the past and I can see it doing so here too. I'd suggest adding a characterEncoding attribute to the BasicAuthenticator (like there is for FormAuthenticator). Don't forget to include documentation for this new attribute in your patch.

The tricky question is what should the default be. I see the options as ISO-8859-1 or UTF-8. I'd use UTF-8 since that will work for most input including all ISO-8859-1 input.

Thanks again for the patch.

Mark
Re: Basic Authentication Failed with multibyte username
Hi,

André Warnier wrote:
> > I've found a potential bug in the Basic Authentication module. I have users and some users' usernames contain national characters (encoded in UTF-8). The HTTP header based authentication fails when the username or the password contains multibyte characters. The root of the bug is the Base64 decoder, which decodes the Base64 stream to a char array: it converts each byte to an individual char, and this decode method corrupts the multibyte characters...
>
> Before declaring that this is a bug, I suggest that you read the other thread entitled "mod_jk codepage in header values".

I've read that.

> The main point is : according to the HTTP RFCs, a HTTP header value is supposed to contain /only/ US-ASCII characters. Some byte values in UTF-8 encoding are /not/ valid US-ASCII characters, so strictly speaking and according to the RFC, HTTP headers which would contain them are invalid. It's a pain, but it's (probably) not a bug.

Hmm... the Basic Authorization header looks like this:

Authorization: BASIC w7pzZXJfMDA3MjpqZWxzem8xMkFB

Where do you see a non US-ASCII character in the header? :)

Gábor Auth
Re: Basic Authentication Failed with multibyte username
On 21/01/2010 06:12, André Warnier wrote:
> Auth Gábor wrote:
> > Hi,
> > I've found a potential bug in the Basic Authentication module. I have users and some users' usernames contain national characters (encoded in UTF-8). The HTTP header based authentication fails when the username or the password contains multibyte characters. The root of the bug is the Base64 decoder, which decodes the Base64 stream to a char array: it converts each byte to an individual char, and this decode method corrupts the multibyte characters...
>
> Hi.
>
> Before declaring that this is a bug, I suggest that you read the other thread entitled "mod_jk codepage in header values". The main point is : according to the HTTP RFCs, a HTTP header value is supposed to contain /only/ US-ASCII characters. Some byte values in UTF-8 encoding are /not/ valid US-ASCII characters, so strictly speaking and according to the RFC, HTTP headers which would contain them are invalid. It's a pain, but it's (probably) not a bug.

In this case I think it is a bug. The authorisation header is base64 encoded so it is automatically compliant with RFC2616.

Mark
Re: Securing Tomcat Applications from Reverse Engineering
Peter Crowther wrote:
> 2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com
> > How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
>
> Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.

I'll add something to that, just for the sake of it.

I personally find this situation ironic : here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.
Re: mod_jk codepage in header values
On Thu, 2010-01-21 at 11:30 +0100, André Warnier wrote:

This was a quick reply :). Thanks for your time and knowledge.

> Mirko,
>
> I am from Belgium, Europe too. I live in Spain and work mostly for German and other international customers (among which are some from Poland too). This to say that I am well-aware of multi-lingual character set issues, and confront them every day. So, just so as to give you some context for your issues :
>
> Despite the fact that Unicode and UTF-8 are now being increasingly used on the web, the fact is that HTTP, and HTML, and most of the other WWW-relevant RFCs, are still US-ASCII and ISO-8859-1 (latin-1) based. For example, HTTP header values are /supposed/ to contain only single-byte character codes that are part of the (printable subset of) US-ASCII character set. For example also, by default, all content exchanged between browsers and web servers is iso-8859-1. And it is so because the relevant RFCs say that it should be. (So the developers of Apache and mod_jk and Tomcat have little choice in the matter; they have to follow the RFCs).

I agree, RFCs are there to be used.

> This does not mean that you cannot handle other character sets on the web. But it means that whenever you do, you have to be attentive to the fact that it is /not/ the standard, and that you may have to do character set translations and/or encoding. It may even mean that, in order to exchange non-US-ASCII or non-ISO-8859-1 data, you may have to use tricks. It also means that, in some cases, by using such tricks, your applications may become non-standard, and will not necessarily work with all servers and all clients.
>
> So for example, to get back to your question above : mod_jk is not responsible for translating anything, and will not translate anything. That is because mod_jk follows the relevant WWW RFCs, which specify that such and such data is ASCII or ISO-8859-1. If the original HTTP request, as it is given by Apache to mod_jk, contains HTTP headers, mod_jk will forward these headers as is to the back-end Tomcat. But, because the HTTP RFC specifies that HTTP headers should contain only US-ASCII character data, mod_jk would be allowed, if it finds non-US-ASCII data in a HTTP header, to strip this data or ignore the header or something like that. I don't know if mod_jk actually does this, but if it did, it would be justified, because according to the HTTP RFC this would be an invalid header.

That's what I'm afraid of. This code:

    new String(request.getHeader(headerName).getBytes("ISO-8859-1"))

works for now but it really shouldn't work. That's why I'm searching for a more legitimate way.

> So, to be practical :
> - the current HTTP 1.1 RFC specifies that HTTP headers can only contain US-ASCII printable character data
> - some UTF-8 codes contain bytes that are not part of the US-ASCII character set (e.g. : bytes with values above 0x7F)
> - so, if you want to forward such a header from Apache to Tomcat, in principle the right way is to encode the value of this header on the Apache side, in such a way that it contains only US-ASCII data (for example, using Base64 encoding), then pass it to mod_jk.
> - at the other end, your application would have to decode this header (using Base64 decoding) back into UTF-8, and then it would have to read this header value as UTF-8/Unicode.
>
> There is no guarantee that any standard module or class under Apache or mod_jk or Tomcat would properly handle a header that contains non-US-ASCII data. That is because, in principle, they never have to. I know it is a mess. It is possible that there are shortcuts. It is possible that mod_jk would transmit a HTTP header, even if it contains non-US-ASCII data. But it is not sure, because the bible for mod_jk, as for Apache and as for Tomcat, are the RFCs.

But where to put this Base64 encoding (I do not use apache often :( I'm a java programmer using tomcat)? From the IdP (AAI identity provider) I get user data and the SP (AAI service provider, this is a module in apache) puts this data in apache environment variables with utf-8 values. Then as I understand it mod_jk takes these variables and packs them into HTTP headers. I would like to have environment variables on apache with utf-8 values so applications (e.g. php web pages) that are on this apache would still work. So my guess is that Base64 encoding should happen before mod_jk takes values from the environment variables and puts them in HTTP headers. Is this possible (I mean except making a change in the mod_jk code)? Or is this a topic for some other mail list :).

> We non-English speakers worldwide desperately need a new version of the HTTP protocol where the default would be Unicode/UTF-8, for everything. But I do not see much happening right now in that direction.

O I do agree on that :)

> Maybe a tip for your authentication issues : If, in the AJP Connector on the Tomcat side, you set the attribute
Re: Basic Authentication Failed with multibyte username
Mark Thomas wrote:
> On 21/01/2010 06:12, André Warnier wrote:
> > Auth Gábor wrote:
> > > Hi,
> > > I've found a potential bug in the Basic Authentication module. I have users and some users' usernames contain national characters (encoded in UTF-8). The HTTP header based authentication fails when the username or the password contains multibyte characters. The root of the bug is the Base64 decoder, which decodes the Base64 stream to a char array: it converts each byte to an individual char, and this decode method corrupts the multibyte characters...
> >
> > Hi.
> >
> > Before declaring that this is a bug, I suggest that you read the other thread entitled "mod_jk codepage in header values". The main point is : according to the HTTP RFCs, a HTTP header value is supposed to contain /only/ US-ASCII characters. Some byte values in UTF-8 encoding are /not/ valid US-ASCII characters, so strictly speaking and according to the RFC, HTTP headers which would contain them are invalid. It's a pain, but it's (probably) not a bug.
>
> In this case I think it is a bug. The authorisation header is base64 encoded so it is automatically compliant with RFC2616.

Yes, it sounds like you're right; my mistake. (Also for Gabor, I admit my mistake.)

I agree that the HTTP header itself is correct. But there is still something which puzzles me in the absolute. Suppose that the browser and the server know nothing particular about one another, and that the server gets such an Authentication header from the browser. The Base64 decoding is done, and yields a series of bytes. Now this series of bytes has to be interpreted, to be translated into a string in Java (which is Unicode). Which encoding should be chosen to decode the byte array ? If you use the default platform JVM encoding, you are making the assumption that the browser knew what this encoding is, aren't you ? On the other hand, the browser sent nothing to indicate in which encoding this string was, before it encoded it using Base64, or did it ?
How to use custom classloader to load my own app classes in tomcat?
Hi All,

How can I use my own custom classloader to load my own app classes inside a webapp? Please share some ideas.

Chinmoy
Re: memory leak
I take your point about getting realistic heap info. It's also been suggested that I set up and profile a version just executing the Java side without DWR in the loop.

Thanks
Ken

On Jan 20, 2010, at 10:02 PM, Caldarale, Charles R wrote:
> > From: Ken Bowen [mailto:kbo...@als.com]
> > Subject: memory leak
> > Short version: I have a project which gets some simple info from a db via DWR, and outputs it simply on the page. There is a memory leak on the java side.
>
> First off, do you really have a leak? top is not an appropriate tool for examining Java heap usage. JConsole, JVisualVM, and the various GC logging settings will give you real information.
>
> If you really do have a leak, you can use a heap profiler to find out what's consuming the space and who's allocating it. Also, jhat can be used with a heap dump to trace objects back to their roots, so you can see if there perhaps are any object references lying around that should have been cleared; loggers and pooling mechanisms (as Travis noted) are somewhat infamous for doing that.
>
> - Chuck
Re: How to use custom classloader to load my own app classes in tomcat?
2010/1/21 Chinmoy Chakraborty cch...@gmail.com
> How can I use my own custom classloader to load my own app classes inside a webapp? Please share some ideas.

1) Write custom classloader.
2) Write code in web app to use your custom classloader.

Sorry... if you want us to help you, I think you'll need to provide more information about what you're trying to achieve.

- Peter
Re: How to use custom classloader to load my own app classes in tomcat?
Thanks a lot for your reply. This is what I want: I have a web application and I want to load the classes of my app (../WEB-INF/classes, ../WEB-INF/lib) using my own classloader. Now I have my own classloader. My question is, how to tell tomcat to use my custom classloader to load the classes of my app? Can you please elaborate your point [2], i.e. "Write code in web app to use your custom classloader"? Could you please give me an example? I hope I have made clear what I want to achieve.

Chinmoy

On Thu, Jan 21, 2010 at 5:58 PM, Peter Crowther peter.crowt...@melandra.com wrote:
> 2010/1/21 Chinmoy Chakraborty cch...@gmail.com
>> How can I use my own custom classloader to load my own app classes inside a webapp? Please share some ideas.
>
> 1) Write custom classloader.
> 2) Write code in web app to use your custom classloader.
>
> Sorry... if you want us to help you, I think you'll need to provide more information about what you're trying to achieve.
>
> - Peter
Re: Basic Authentication Failed with multibyte username
On 21/01/2010 06:55, André Warnier wrote:
> Mark Thomas wrote:
>> The authorisation header is base64 encoded so it is automatically compliant with RFC2616.
>
> Yes, it sounds like you're right; my mistake. (Also for Gabor, I admit my mistake.)
> I agree that the HTTP header itself is correct.
> But there is still something which puzzles me in the absolute.
> Suppose that the browser and the server know nothing particular about one another, and that the server gets such an Authentication header from the browser. The Base64 decoding is done, and yields a series of bytes. Now this series of bytes has to be interpreted, to be translated into a string in Java (which is Unicode). Which encoding should be chosen to decode the byte array? If you use the default platform JVM encoding, you are making the assumption that the browser knew what this encoding is, aren't you? On the other hand, the browser sent nothing to indicate in which encoding this string was, before it encoded it using Base64, or did it?

RFC2617 to the rescue...

basic-credentials = base64-user-pass
base64-user-pass  = <base64 [4] encoding of user-pass, except not limited to 76 char/line>
user-pass         = userid ":" password
userid            = *<TEXT excluding ":">
password          = *TEXT

*TEXT is defined in RFC2616

TEXT = <any OCTET except CTLs, but including LWS>

and finally

OCTET = <any 8-bit sequence of data>
CTL   = <any US-ASCII control character (octets 0 - 31) and DEL (127)>

So actually, Tomcat is correct in the current treatment of credentials. Therefore, not a bug.

Also André's comments regarding ISO-8859-1 were right if considering the actual user name and password rather than the header. Supporting other encodings would be a useful enhancement but the default will have to be ISO-8859-1 to remain spec compliant. What the browsers will do for user names and passwords in other encodings is not defined so it will be a case of YMMV.

Mark
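A decoder written along the lines of the RFC 2617 grammar Mark quotes, and of the question André raises about which charset to apply to the decoded octets, as an added example (this is not Tomcat's authenticator, and the class name, the `parse` helper and the sample credential are all constructed for the example). It splits userid and password at the byte level, before any charset is applied, and then makes the charset an explicit parameter rather than the platform default; `decodePerByte` reproduces the one-char-per-byte conversion Gábor describes, which is exactly ISO-8859-1 decoding:

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added example, not Tomcat's own code. Decodes an "Authorization: Basic ..."
// value per the RFC 2617 grammar:
//   user-pass = userid ":" password, userid = *<TEXT excluding ":">
public final class BasicCredentials {
    public final String userId;
    public final String password;

    private BasicCredentials(String userId, String password) {
        this.userId = userId;
        this.password = password;
    }

    /**
     * charset is the assumed encoding of the decoded user-pass octets:
     * ISO-8859-1 is the spec-compliant default, UTF-8 is what many clients
     * actually send. Returns null if the value is not a usable Basic credential.
     */
    public static BasicCredentials parse(String headerValue, Charset charset) {
        if (headerValue == null) return null;
        String v = headerValue.trim();
        if (!v.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] userPass;
        try {
            userPass = Base64.getDecoder().decode(v.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64: treat as "no credentials"
        }
        try {
            // Split on the FIRST ':' only; a password may itself contain colons.
            int colon = -1;
            for (int i = 0; i < userPass.length && colon < 0; i++) {
                if (userPass[i] == ':') colon = i;
            }
            if (colon < 0) return null;
            // TEXT = any OCTET except CTLs (0-31, 127); LWS such as HT (9) is allowed.
            for (byte b : userPass) {
                int o = b & 0xff;
                if ((o < 32 && o != 9) || o == 127) return null;
            }
            String user = new String(userPass, 0, colon, charset);
            String pass = new String(userPass, colon + 1, userPass.length - colon - 1, charset);
            return new BasicCredentials(user, pass);
        } finally {
            Arrays.fill(userPass, (byte) 0); // don't keep the plaintext secret in this buffer
        }
    }

    /** The conversion Gábor describes: one char per byte. It is exactly ISO-8859-1 decoding. */
    public static String decodePerByte(byte[] bytes) {
        char[] chars = new char[bytes.length];
        for (int i = 0; i < bytes.length; i++) {
            chars[i] = (char) (bytes[i] & 0xff);
        }
        return new String(chars);
    }

    public static void main(String[] args) {
        // Constructed sample: the client encodes "Gábor:titok" as UTF-8 before base64.
        String header = "Basic "
            + Base64.getEncoder().encodeToString("Gábor:titok".getBytes(StandardCharsets.UTF_8));

        // Same octets, three readings: the first and third agree with each other,
        // only the second reproduces what the client typed.
        System.out.println(parse(header, StandardCharsets.ISO_8859_1).userId);
        System.out.println(parse(header, StandardCharsets.UTF_8).userId);
        System.out.println(decodePerByte(Base64.getDecoder().decode(header.substring(6))));
    }
}
```

With the sample above, the UTF-8 octets C3 A1 for "á" come out as the two characters "Ã¡" under ISO-8859-1 and under the per-byte conversion, and as "á" only when UTF-8 is chosen; that is the whole difference between "spec compliant" and "what the client meant". A server that wants to accept UTF-8 credentials has to decide this per deployment (or try ISO-8859-1 and fall back), because, as the thread notes, nothing in the header says which one the client used.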
Re: tomcat seems not seeing context.xml
2010/1/21 danielitob gbatt...@aliceposta.it:
> Hi guys, I've an absurd problem and I can't figure it out. I've a debian server on which tomcat 5.5 is installed. I need to run a jsf application, in which I use a pool of connections for the db. The issue is that my application can't connect to the db! In catalina log I see
> org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (Access denied for user 'root'@'localhost' (using password: YES))
> The issue is that in context.xml of my application (I use a local context) user and password are different (I don't pass the root user!). Is it possible tomcat is not able to read context.xml and so tries to go with the root user? Please help me, my application doesn't see the db..

1. Check your spelling. If anything is spelled wrongly, it will be skipped. The file is META-INF/context.xml (in lowercase). The root element in the file is <Context> (with capital first letter) and so on.

2. The context.xml file is copied into ${CATALINA_BASE}/conf/Catalina/localhost/yourappname.xml when your application is deployed by Tomcat. (Subdirectory names in conf/ are Engine and Host names and can be different as well). If that file exists, the contents of META-INF/context.xml will be ignored (under the premise that the file in /conf might have been edited by the site administrators).

3. It is possible to disable processing of META-INF/context.xml files on a site, using the deployXML attribute on the Host element in server.xml.

Most probably you are facing #2.

Best regards,
Konstantin Kolinko
RE: Securing Tomcat Applications from Reverse Engineering
http://proguard.sourceforge.net/

-Original Message-
From: Kranti(tm) K K Parisa [mailto:kranti.par...@gmail.com]
Sent: Thursday, January 21, 2010 5:05 AM
To: Tomcat Users List
Subject: Securing Tomcat Applications from Reverse Engineering

Hi,

Can anyone throw some light on this topic? It seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this.
http://www.excelsior-usa.com/jetinternals.html

How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
Looking forward to hearing some ideas for this.
http://www.excelsior-usa.com/jetinternals.html

Best Regards,
Kranti K K Parisa
Re: Securing Tomcat Applications from Reverse Engineering
Joseph Morgan wrote:
> http://proguard.sourceforge.net/
>
> -Original Message-
> From: Kranti(tm) K K Parisa [mailto:kranti.par...@gmail.com]
> Sent: Thursday, January 21, 2010 5:05 AM
> To: Tomcat Users List
> Subject: Securing Tomcat Applications from Reverse Engineering
>
>> Hi,
>> Can anyone throw some light on this topic? It seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this.
>> http://www.excelsior-usa.com/jetinternals.html
>> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.

How much is it worth to you to protect your IP against your estimate of the likely hacker effort to steal it (which only you can judge)? Is it more than the cost of that package? If so, then that package is reasonably priced. If not, then you need to pursue some of the other avenues to protect it that have already been mentioned, such as obfuscation, etc.

D
Re: Basic Authentication Failed with multibyte username
Mark Thomas wrote:
> On 21/01/2010 06:55, André Warnier wrote:
>> Mark Thomas wrote:
>>> The authorisation header is base64 encoded so it is automatically compliant with RFC2616.
>>
>> Yes, it sounds like you're right; my mistake. (Also for Gabor, I admit my mistake.)
>> I agree that the HTTP header itself is correct.
>> But there is still something which puzzles me in the absolute.
>> Suppose that the browser and the server know nothing particular about one another, and that the server gets such an Authentication header from the browser. The Base64 decoding is done, and yields a series of bytes. Now this series of bytes has to be interpreted, to be translated into a string in Java (which is Unicode). Which encoding should be chosen to decode the byte array? If you use the default platform JVM encoding, you are making the assumption that the browser knew what this encoding is, aren't you? On the other hand, the browser sent nothing to indicate in which encoding this string was, before it encoded it using Base64, or did it?
>
> RFC2617 to the rescue...
>
> basic-credentials = base64-user-pass
> base64-user-pass  = <base64 [4] encoding of user-pass, except not limited to 76 char/line>
> user-pass         = userid ":" password
> userid            = *<TEXT excluding ":">
> password          = *TEXT
>
> *TEXT is defined in RFC2616
>
> TEXT = <any OCTET except CTLs, but including LWS>
>
> and finally
>
> OCTET = <any 8-bit sequence of data>
> CTL   = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
>
> So actually, Tomcat is correct in the current treatment of credentials. Therefore, not a bug.
>
> Also André's comments regarding ISO-8859-1 were right if considering the actual user name and password rather than the header. Supporting other encodings would be a useful enhancement but the default will have to be ISO-8859-1 to remain spec compliant. What the browsers will do for user names and passwords in other encodings is not defined so it will be a case of YMMV.
>
> Mark

Let me be even more pernickety:

According to the HTTP 1.1 RFC 2616, HTTP header fields MAY contain *TEXT portions representing character sets other than US-ASCII. But then, such header field values MUST be encoded according to the rules of RFC 2047.
RFC 2047 in turn, in "2. Syntax of encoded-words", indicates that this should be done using the form:

encoded-word = "=?" charset "?" encoding "?" encoded-text "?="

for example:

Header-name: =?iso-8859-1?B?some iso-8859-1 text, base-64 encoded?=
or
Header-name: =?utf-8?B?some unicode/utf-8 text, base-64 encoded?=

(I am not quite sure here of the "utf-8" part as the correct name for the charset.)
(NDLR: That is something one does find regularly in email headers; but I have never seen it used in HTTP headers until now.)

On the other hand, regarding authentication mechanisms, RFC 2616 refers to RFC 2617, which itself indicates the following format for an authorization header sent by the browser to the server:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

When base64-decoded, the above string should look like "userid:password".
I did not find in RFC 2617 any specific mention of character set encoding, but it itself refers back to RFC 2616 as being the base rules. And the base rules in RFC 2616 seem to be that header values are US-ASCII unless otherwise indicated.

In other words, my contention is as follows:
- if the "userid:password" above contains only US-ASCII characters, then the above simple form of the header is fine.
- if the "userid:password" string above contains characters other than US-ASCII however, then they should be further encoded, using the rules of RFC 2047.

This would mean that you should have something like:

Authorization: Basic =?utf-8?B?QWxhZGRpbjpvcGVuIHNlc2FtZQ==?=

(or, maybe, the other way around: it is the "QWxhZGRpbjpvcGVuIHNlc2FtZQ" string which, when base64-decoded, should yield a new string of the form "=?utf-8?B?QWxhZGRpbjpvcGVuIHNlc2FtZQ==?=", which should then be decoded once more to give the "userid:password" string).

Now, I am not sure that if you pass such a HTTP header, encoded as above, from Apache to Tomcat, the Tomcat getHeader() call will properly decode it, using the indicated charset.
And I am not sure either that there exists any browser on the market that will encode a "userid:password" string that way.
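The RFC 2047 encoded-word form André describes here (and again in the "mod_jk codepage in header values" thread below), as an added example that is not Tomcat, Apache or mod_jk code: an encoder and decoder for `=?charset?B?...?=` and `=?charset?Q?...?=` words in a header value. The Servlet API specifies no such decoding for `getHeader()`, so a webapp that agrees on this convention with the sending side has to apply it itself. Class and method names and the sample values are constructed for the example; "UTF-8" is the IANA-registered charset name, so the spelling André was unsure about is fine.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not Tomcat or Apache code): RFC 2047 encoded-words in a header value.
public final class EncodedWord {
    // encoded-word = "=?" charset "?" encoding "?" encoded-text "?="
    // No whitespace and no '?' may appear inside the three parts.
    private static final Pattern ENCODED_WORD =
        Pattern.compile("=\\?([^?\\s]+)\\?([BbQq])\\?([^?\\s]*)\\?=");

    /** Builds a "B"-encoded word; the charset name travels with the value, so the receiver needs no prior agreement on it. */
    public static String encodeB(String text, Charset cs) {
        return "=?" + cs.name() + "?B?" + Base64.getEncoder().encodeToString(text.getBytes(cs)) + "?=";
    }

    /** Replaces every well-formed encoded-word; malformed ones are left verbatim rather than guessed at. */
    public static String decodeHeader(String value) {
        if (value == null) return null;
        Matcher m = ENCODED_WORD.matcher(value);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String decoded = decodeOne(m.group(1), m.group(2), m.group(3));
            m.appendReplacement(out, Matcher.quoteReplacement(decoded != null ? decoded : m.group()));
        }
        m.appendTail(out);
        return out.toString();
    }

    private static String decodeOne(String charsetName, String encoding, String text) {
        Charset cs;
        try {
            cs = Charset.forName(charsetName);
        } catch (IllegalArgumentException e) { // illegal or unsupported charset name
            return null;
        }
        byte[] bytes;
        if (encoding.equalsIgnoreCase("B")) {
            try {
                bytes = Base64.getDecoder().decode(text);
            } catch (IllegalArgumentException e) {
                return null;
            }
        } else {
            bytes = decodeQ(text);
            if (bytes == null) return null;
        }
        return new String(bytes, cs);
    }

    // "Q" encoding: '_' is a space, "=XX" is one hex-encoded octet, anything else is a literal.
    private static byte[] decodeQ(String text) {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c == '_') {
                buf.write(' ');
            } else if (c == '=') {
                if (i + 2 >= text.length()) return null;
                int hi = Character.digit(text.charAt(i + 1), 16);
                int lo = Character.digit(text.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) return null;
                buf.write((hi << 4) | lo);
                i += 2;
            } else if (c > 126) {
                return null; // encoded-text is restricted to printable US-ASCII
            } else {
                buf.write(c);
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed sample value: a Slovene place name that ISO-8859-1 cannot represent at all.
        String word = encodeB("Šoštanj", StandardCharsets.UTF_8);
        System.out.println(word);
        // A Q-encoded Latin-1 word and the B-encoded UTF-8 word in one header value.
        System.out.println(decodeHeader("=?ISO-8859-1?Q?Andr=E9?= / " + word));
    }
}
```

Whether a real client will ever send an Authorization header in this shape is the open question André raises; for headers the application controls on both ends (the mod_jk attribute case in the other thread), it is a workable convention precisely because the charset is named in the value itself.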
Re: Basic Authentication Failed with multibyte username
Hi,

Mark Thomas wrote:
> OCTET = <any 8-bit sequence of data>
> CTL   = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
>
> So actually, Tomcat is correct in the current treatment of credentials. Therefore, not a bug.

Yes, but the UTF-8 encoded text contains any 8-bit sequence of data except control characters, so IMHO the UTF-8 encoded text is TEXT.

> Also André's comments regarding ISO-8859-1 were right if considering the actual user name and password rather than the header.

Yes, that's right. The default header encoding is ISO-8859-1.

> Supporting other encodings would be a useful enhancement but the default will have to be ISO-8859-1 to remain spec compliant. What the browsers will do for user names and passwords in other encodings is not defined so it will be a case of YMMV.

I've found some information about this issue: http://stackoverflow.com/questions/702629/utf-8-characters-mangled-in-http-basic-auth-username

So... this is the real chaos... :)

By the way, my users do not use HTML browsers, they are using JAX-WS in their client program, and the JAX-WS sends authentication data in UTF-8 (like Opera), because the default encoding is UTF-8 in the client JVM (and the server too).

Gábor Auth
RE: How to use custom classloader to load my own app classes in tomcat?
> From: Chinmoy Chakraborty [mailto:cch...@gmail.com]
> Subject: Re: How to use custom classloader to load my own app classes in tomcat?
>
> how to tell tomcat to use my custom classloader to load classes of my app?

Read the doc:
http://tomcat.apache.org/tomcat-6.0-doc/config/loader.html

- Chuck
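Point 2 of Peter's answer ("write code in the web app to use your custom classloader"), as an added example that is not from the thread or from Tomcat: a small parent-first class loader that defines classes from a directory outside WEB-INF and is created from webapp code with the webapp's own loader as parent. Class and method names and the plugin directory are constructed for the example. Replacing the loader Tomcat itself uses for WEB-INF/classes and WEB-INF/lib, which is what Chinmoy actually asks, is a different thing: that is configured through the Loader element documented at the link Chuck gives, not through webapp code.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not Tomcat code: loads classes from one directory, delegating
// to the parent (the webapp loader) first so it cannot shadow classes the
// application already has.
public final class DirectoryClassLoader extends ClassLoader {
    private static final String BINARY_NAME =
        "[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*";

    private final Path baseDir;

    public DirectoryClassLoader(Path baseDir, ClassLoader parent) {
        super(parent);
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    // loadClass() is inherited: it asks the parent first and calls findClass() only on a miss.
    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        // Only plausible binary names; anything else could map to an unexpected file.
        if (!name.matches(BINARY_NAME)) {
            throw new ClassNotFoundException(name);
        }
        Path file = baseDir.resolve(name.replace('.', '/') + ".class").normalize();
        // Stay inside baseDir even if the name somehow resolved elsewhere.
        if (!file.startsWith(baseDir) || !Files.isRegularFile(file)) {
            throw new ClassNotFoundException(name);
        }
        try {
            byte[] bytes = Files.readAllBytes(file);
            return defineClass(name, bytes, 0, bytes.length);
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
    }

    /**
     * Usage from webapp code, e.g. a ServletContextListener. Tomcat sets the
     * thread context class loader to the webapp loader, so using it as parent
     * lets the loaded class see the application's own classes.
     */
    public static Object loadPlugin(Path pluginDir, String className) throws Exception {
        ClassLoader webapp = Thread.currentThread().getContextClassLoader();
        DirectoryClassLoader loader = new DirectoryClassLoader(pluginDir, webapp);
        Class<?> c = loader.loadClass(className);
        return c.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed paths: a plugins directory next to the webapp and a class inside it.
        Object plugin = loadPlugin(Paths.get("plugins"), "com.example.ReportPlugin");
        System.out.println(plugin.getClass().getName() + " loaded by " + plugin.getClass().getClassLoader());
    }
}
```

Whatever directory such a loader reads from is, from a security point of view, part of the application's code: anyone who can write a .class file there runs code in the Tomcat process, so it needs the same ownership and permissions as WEB-INF/classes.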
Re: mod_jk codepage in header values
Mirko Solic wrote:
> On Thu, 2010-01-21 at 11:30 +0100, André Warnier wrote:
>> Mirko, just for info: there is a related other thread taking place at the same time, entitled "Basic Authentication Failed with multibyte username".
>> Basically, I am interested in those topics because I encounter them myself often in our own web applications. I don't know all the answers, but I know that it is confusing.
>>
>> As far as I can interpret:
>> According to the HTTP 1.1 RFC 2616, HTTP header fields MAY contain *TEXT portions representing character sets other than US-ASCII. But then, such header field values MUST be encoded according to the rules of RFC 2047.
>> RFC 2047 in turn, in "2. Syntax of encoded-words", indicates that this should be done using the form:
>>
>> encoded-word = "=?" charset "?" encoding "?" encoded-text "?="
>>
>> for example:
>>
>> Header-name: =?iso-8859-1?B?some iso-8859-1 text, base-64 encoded?=
>> or
>> Header-name: =?utf-8?B?some unicode/utf-8 text, base-64 encoded?=
>>
>> (I am not quite sure here of the "utf-8" part as the correct name for the charset.)
>>
>> Now, I am not sure that if you pass a HTTP header, encoded as above, from Apache to Tomcat, the Tomcat getHeader() call will properly decode it, using the indicated charset. If not, you will have to do the decoding yourself, if you want to pass non-ascii (or non-iso-8859-1) characters in those headers.
>> Admittedly, it is a pain; but there are still quite a few grey areas like that in the WWW-related RFCs in what concerns character sets.
>>
>> If you have to do this kind of encoding/decoding, I suggest to have a look in MIME (email) libraries. Such kind of encoding/decoding is regularly used in email headers. Save the original text (.eml) format of an email, with a non-ascii subject line, for an example.
Re: Securing Tomcat Applications from Reverse Engineering
Reverse engineering is not a technical problem; it is a legal problem. You need a lawyer, not a program.

-- 
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
Re: Securing Tomcat Applications from Reverse Engineering
Hi Leon,

That's correct. We develop and deploy on client machines, but we want to secure the code. Please suggest.

Best Regards,
Kranti K K Parisa

On Thu, Jan 21, 2010 at 4:45 PM, Leon Rosenberg rosenberg.l...@googlemail.com wrote:
> Do you develop web applications and deliver them to the client, so that they can install your applications on their machines without your access to the machine?
>
> Leon
>
> 2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com:
>> Hi,
>> Can anyone throw some light on this topic? It seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this.
>> http://www.excelsior-usa.com/jetinternals.html
>> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
>> Looking forward to hearing some ideas for this.
>> http://www.excelsior-usa.com/jetinternals.html
>> Best Regards,
>> Kranti K K Parisa
[OT] Re: Securing Tomcat Applications from Reverse Engineering
2010/1/21 Mark H. Wood mw...@iupui.edu
> Reverse engineering is not a technical problem; it is a legal problem. You need a lawyer, not a program.

Mmm, yes and no. Burglary is also a legal problem, but I have locks (on / around the things I want to keep, of a cost and quality appropriate to my expected loss) as well as being able to engage a lawyer if required.

- Peter
Re: Securing Tomcat Applications from Reverse Engineering
Well, there are so many comments on the cost of IP and other tools. When we are a small team that started working on a web based product with open source tools, for sure we can't spend too much on the tools to protect the IP rights, because once we deploy for a few clients, if it's a good product, what if they steal the code and also the ideas. I agree to have legal terms and all that stuff, but that would be a big story for us being small. So I just wanted to see if anything is available to protect our work, ideas (ideas at code implementation level by using different opensource technologies; well, there are many companies who started like this). Anyways, thanks for the comments, I would love to share if we invent anything in this process, because small is big and it matters :)

Best Regards,
Kranti K K Parisa

On Thu, Jan 21, 2010 at 5:00 PM, André Warnier a...@ice-sa.com wrote:
> Peter Crowther wrote:
>> 2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com
>>> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
>>
>> Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.
>
> I'll add something to that, just for the sake of it.
> I personally find this situation ironic: here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.
Re: Multiple Services running on single Server instance?
Ted,

On 1/20/2010 7:49 PM, Ted Steiner wrote:
> Is there any good reason to do this? If so, could someone please let me know and possibly provide an example?

I can think of a few reasons you might want to do this:

1. You want to test the setup of a cluster, but don't have extra physical machines laying around for such a test.

2. You want to run separate instances of one webapp (or different webapps) and be able to start/stop them independently of each other. (We do this in production so we can upgrade one application independently of the others. That includes updating server-wide JDBC drivers, Tomcat version, etc. It also insulates each webapp from bringing down the others in case there is some kind of problem like OOME).

3. You need to specify the load ordering of webapps because they depend upon each other in certain ways. Since you can't force Tomcat to load webapps in a certain order, you can run them in separate instances and start those instances in a specific order.

I'm sure there are other reasons, but generally it's best in terms of resource usage to run all webapps in a single Tomcat instance.

If you run multiple Tomcat instances and don't want your users to have to use non-standard HTTP port numbers, you'll have to front your Tomcats with an HTTP router (usually some kind of lb device/software or a web server).

Hope that helps,
-chris
Re: Different apps clustering on the same Tomcat?
John,

On 1/20/2010 10:28 PM, John Tangney wrote:
> We use a cluster to do seamless deploys. We use Nginx on the front end to direct traffic to one or other of the nodes in the cluster. To deploy, we bring up the new version of the app in one node, tell Nginx to send traffic to that node, then bring down the other node. Because sessions are propagated, users never notice that one node has been exchanged for another.

Careful: if you change the definition of any of the classes whose objects are in the session, you'll get a nasty replication error (because de-serialization will fail). Be careful with anything you modify that might be lurking in a user's session.

> We need to add two more nodes that run on Windows (we have platform-specific code, and Nginx sends windows traffic to one of the windows nodes based on URL) but we only have one Windows box. We thought that perhaps we could just run a second instance of the app on the Windows node. From what you said previously, this does not appear to be possible. So we'll be looking at new hardware.

Oh, you can certainly do it. Knowing why you want to do it certainly helps clear things up. I'm still as confused as Chuck is, though :)

-chris
Re: TOMCAT GC Issue
Paulwintech,

On 1/21/2010 2:00 AM, Paulwintech wrote:
> I am really sorry, it was my typo mistake, it's 10 seconds not 10 mins =^D.

You didn't say what type of hardware you're using, but 10 seconds of (concurrent) GC activity is not particularly troubling to me. It seems a bit on the long side, but if you're running on a single-processor 200MHz machine, maybe it's simply necessary.

> Please let me know what are the logs you are looking for; accordingly I will send.

Verbose GC will log to stderr, which generally goes to stdout.log on *NIX. You never told us about your environment, so I can't really help you, here.

-chris
Re: Polling and session timeout
Pid,

On 1/21/2010 3:32 AM, Pid wrote:
> On 21/01/2010 04:45, grailcattt wrote:
>> That is exactly what I ended up doing and it is working well. I was hoping for a solution that used tomcat session management rather than managing my own session timeouts, but it works well.
>
> If you put the poll servlet in a separate app and are NOT using the single sign on valve, you could set a separate session timeout in that servlet/app. I think.

If you access the session at all, it counts as a touch, thereby extending the life of the session. It's not possible to peek at the session without touching it AFAICT.

There's probably a way to do this with a replacement for either the session manager or a valve, but I think the code would need to divine the intent of the calling code to work properly. :(

-chris
Re: tomcat seems not seeing context.xml
Thanks for your help, I solved it! It was point 2!!! Thanks, thanks.

Konstantin Kolinko wrote:
> 2010/1/21 danielitob gbatt...@aliceposta.it:
>> Hi guys, I've an absurd problem and I can't figure it out. I've a debian server on which tomcat 5.5 is installed. I need to run a jsf application, in which I use a pool of connections for the db. The issue is that my application can't connect to the db! In catalina log I see
>> org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (Access denied for user 'root'@'localhost' (using password: YES))
>> The issue is that in context.xml of my application (I use a local context) user and password are different (I don't pass the root user!). Is it possible tomcat is not able to read context.xml and so tries to go with the root user? Please help me, my application doesn't see the db..
>
> 1. Check your spelling. If anything is spelled wrongly, it will be skipped. The file is META-INF/context.xml (in lowercase). The root element in the file is <Context> (with capital first letter) and so on.
>
> 2. The context.xml file is copied into ${CATALINA_BASE}/conf/Catalina/localhost/yourappname.xml when your application is deployed by Tomcat. (Subdirectory names in conf/ are Engine and Host names and can be different as well). If that file exists, the contents of META-INF/context.xml will be ignored (under the premise that the file in /conf might have been edited by the site administrators).
>
> 3. It is possible to disable processing of META-INF/context.xml files on a site, using the deployXML attribute on the Host element in server.xml.
>
> Most probably you are facing #2.
>
> Best regards,
> Konstantin Kolinko
Re: mod_jk codepage in header values
Mirko,

On 1/21/2010 6:43 AM, Mirko Solic wrote:
> That is what I'm afraid of. This code:
>
> new String(request.getHeader(headerName).getBytes("ISO-8859-1"))
>
> works for now but it really shouldn't work. That is why I'm searching for a more legitimate way.

What would be better is to do something like this:

java.net.URLEncoder.encode(request.getHeader(headerName), "UTF-8")

Of course, this will only work if your client knows that's how the encoding will be done.

> From the Idp (AAI identity provider) I get user data and the SP (AAI service provider, this is a module in apache) puts this data in apache environment variables with utf-8 values. Then as I understand mod_jk takes these variables and packs them in an http header. I would like to have environment variables on apache with utf-8 values so applications (e.g. php web pages) that are on this apache would still work.

AAI needs to support whatever encoding you intend to use. You can't simply transcode things in an arbitrary way and expect AAI to work properly. What does their documentation say about what format these values should take?

> AAI returns more than just the user-id. The idea behind AAI is that the application saves as little data as possible about the user. All data is provided by AAI. In this data is for example first-name, last-name, address,
> It would be perfect if we had this SP running on tomcat and we wouldn't need apache, but at the time there is no such SP.

A better strategy would be for AAI to provide a numeric token (easily passable in HTTP headers without any encoding issues) and then provide an HTTP-based and/or XML-based API that uses proper document encoding to send textual data across the wire. Using HTTP headers for text data sucks!

-chris
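The two approaches discussed in this exchange side by side, as an added example (not code from Mirko, Chris, mod_jk or AAI): `asTomcatSeesIt` models what happens today when UTF-8 octets in a header are decoded as ISO-8859-1 by the servlet container, `latin1RoundTrip` is Mirko's workaround with the validity check his one-liner lacks, and `percentEncode`/`percentDecode` are the URL-encoding convention Chris suggests, applied on the sending and receiving side respectively. The class name, method names and sample values are constructed for the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

// Added example, not from the thread or from mod_jk.
public final class HeaderTranscoding {

    /** Today's path: the UTF-8 octets reach Tomcat, which decodes header bytes as ISO-8859-1. */
    public static String asTomcatSeesIt(String utf8Value) {
        return new String(utf8Value.getBytes(StandardCharsets.UTF_8), StandardCharsets.ISO_8859_1);
    }

    /**
     * Mirko's workaround, made strict: undo the ISO-8859-1 decoding byte for byte,
     * then insist that the octets really are UTF-8. A value that was ISO-8859-1 all
     * along (a lone E9 for "é") is rejected instead of silently becoming U+FFFD,
     * which is the failure mode new String(bytes, "UTF-8") would hide.
     */
    public static String latin1RoundTrip(String headerValue) throws CharacterCodingException {
        byte[] octets = headerValue.getBytes(StandardCharsets.ISO_8859_1);
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(octets))
                .toString();
    }

    /** Chris's suggestion, sender side: only US-ASCII goes on the wire, so nothing can be re-decoded wrongly. */
    public static String percentEncode(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new AssertionError("UTF-8 is always available", e);
        }
    }

    /** Receiver side; as Chris notes, this only works because both ends agreed on the convention. */
    public static String percentDecode(String headerValue) {
        try {
            return URLDecoder.decode(headerValue, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new AssertionError("UTF-8 is always available", e);
        }
    }

    public static void main(String[] args) throws CharacterCodingException {
        String attribute = "Žiga Černe"; // constructed sample attribute value, UTF-8 upstream

        String mangled = asTomcatSeesIt(attribute);       // what getHeader() hands back today
        System.out.println(mangled);
        System.out.println(latin1RoundTrip(mangled));     // the workaround recovers it

        String onTheWire = percentEncode(attribute);      // what the sending side would put in the header
        System.out.println(onTheWire);
        System.out.println(percentDecode(onTheWire));

        try {
            latin1RoundTrip("caf\u00e9");                 // genuinely Latin-1: the round trip must fail loudly
        } catch (CharacterCodingException e) {
            System.out.println("not UTF-8: " + e);
        }
    }
}
```

The round trip works only because ISO-8859-1 maps every octet to exactly one char and back, so nothing is lost in the container's decoding; it still depends on every upstream component agreeing that the octets are UTF-8, which is the assumption Chris objects to. Percent-encoding removes that dependency at the cost of changing the sending side.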
Re: Securing Tomcat Applications from Reverse Engineering
Hi Kranti -

Honestly, if the ideas in the product are that valuable, anyone who uses the product with a web browser, print screen, and paint can fully mock up the application and send the mockups to development. Anything that is deployed on a server that is out of your control is exactly that.

I understand your need as: To remotely deploy a tomcat application to a customer server. This is the root of the issue. Have you considered a hosted model for delivery?

2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com
> Well, there are so many comments on the cost of IP and other tools. When we are a small team that started working on a web based product with open source tools, for sure we can't spend too much on the tools to protect the IP rights, because once we deploy for a few clients, if it's a good product, what if they steal the code and also the ideas. I agree to have legal terms and all that stuff, but that would be a big story for us being small. So I just wanted to see if anything is available to protect our work, ideas (ideas at code implementation level by using different opensource technologies; well, there are many companies who started like this). Anyways, thanks for the comments, I would love to share if we invent anything in this process, because small is big and it matters :)
>
> Best Regards,
> Kranti K K Parisa
>
> On Thu, Jan 21, 2010 at 5:00 PM, André Warnier a...@ice-sa.com wrote:
>> Peter Crowther wrote:
>>> 2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com
>>>> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
>>>
>>> Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.
>>
>> I'll add something to that, just for the sake of it.
>> I personally find this situation ironic: here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.
[ANN] Apache Tomcat 6.0.24 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.24 stable.

This release includes many bug-fixes over Apache Tomcat 6.0.20. Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for different CPU architectures.

Apache Tomcat 6.0 includes new features over Apache Tomcat 5.5, including support for the new Servlet 2.5 and JSP 2.1 specifications, a refactored clustering implementation, advanced IO features, and improvements in memory usage.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-60.cgi

Migration guide from Apache Tomcat 5.5.x:
http://tomcat.apache.org/migration.html

Thank you,
-- The Apache Tomcat Team
Re: [OT] Securing Tomcat Applications from Reverse Engineering
Kranti™ K K Parisa wrote:
> Well there are so many comments on the cost of IP and other tools. When we are a small team that started working on a web based product with open source tools, for sure we can't spend too much on the tools to protect the IP rights, because once we deploy for a few clients, if it's a good product, what if they steal the code and also the ideas. I agree to have legal terms and all that stuff, but that would be a big story for us, being small. So I just wanted to see if anything is available to protect our work and ideas (ideas at the code implementation level, by using different open source technologies; well, there are many companies who started like this). Anyway, thanks for the comments. I would love to share if we invent anything in this process, because small is big and it matters :)

The basic principle is: if you developed it, then it is your code, and it is your decision what you do with it and how you sell it. But do not forget that, more than the code itself, it is generally the quality of the service that you provide to your customers that will matter.

But I have another suggestion for you: you indicated this product that would allow you to encrypt your code, and mentioned that it was expensive. OK. Now, presumably, these people know why they developed it, and why they charge the price that they do. Why do you not contact them, explain your situation, and ask them to explain why you should pay that price for their product? They must have arguments, and maybe they will convince you. Or maybe they will offer you a discount. ;-)
Re: Securing Tomcat Applications from Reverse Engineering
Hello Kranti,

first of all I strongly believe in open source software and don't like to obfuscate things. But well.

1. If you have internet connectivity on the target server you could deploy only a skeleton of your application and load the protect-worthy classes directly from your servers, with your own classloading and some funny remote-id exchange system. This way even the compiled version of the application will never be directly available on the customer's hard drive (you must consider swapping and memory snapshots, but modern OSes encode them). It's cheap but will probably add a load of complexity, which you have to manage and, logically, your customer has to pay for.

2. Precompile JSPs and use a code obfuscator on the JSPs and compiled classes (they replace all private methods and variables with a1, a2, and so on). There are some on the market, more or less good. Also use a CSS/JS minifier; they obfuscate as well.

3. Create a genial encryption algorithm with some one-time passwords and let the customers call you each time they restart the server for a new password. Maybe charge them per password. The server can then decrypt the classes with the password before it starts the webapp.

4. Put the code and Tomcat onto a USB stick with an unreadable filesystem and hack yourself into the USB protocol. Drawback: you'll have to patch the browsers to accept URLs like usb://localhost/yourapp.

5. Stop wasting your time and invest it into developing new features and actually selling your product. If it's worth copying it will be copied this way or another. So far no one has managed to protect their software against copying; better concentrate on things you really CAN achieve.

regards
Leon

2010/1/21 Kranti™ K K Parisa <kranti.par...@gmail.com>:
> Well there are so many comments on the cost of IP and other tools. When we are a small team that started working on a web based product with open source tools, for sure we can't spend too much on the tools to protect the IP rights, because once we deploy for a few clients, if it's a good product, what if they steal the code and also the ideas. I agree to have legal terms and all that stuff, but that would be a big story for us, being small. So I just wanted to see if anything is available to protect our work and ideas (ideas at the code implementation level, by using different open source technologies; well, there are many companies who started like this). Anyway, thanks for the comments. I would love to share if we invent anything in this process, because small is big and it matters :)
>
> Best Regards,
> Kranti K K Parisa
>
> On Thu, Jan 21, 2010 at 5:00 PM, André Warnier <a...@ice-sa.com> wrote:
>> Peter Crowther wrote:
>>> 2010/1/21 Kranti™ K K Parisa <kranti.par...@gmail.com>
>>>> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
>>>
>>> Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.
>>
>> I'll add something to that, just for the sake of it.
>> I personally find this situation ironic: here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.
Building a more efficient war file
I run a Tomcat based website which runs about 10 sports leagues. All of the leagues have their own WAR based webapp. For the last 6 years or so I've been building 10 separate large WAR files, one for each. Each deployed webapp contains all the same source code copied across each.

I have been trying to think of a better way to do this. The only difference in each webapp is the contents of the META-INF/context.xml, which contains specific data about what database to connect to. Everything else is the same.

I began thinking a better way to do this would be to build a new jar file and store it in my tomcat/common/lib directory along with all of my other shared libraries. Then my custom classes would only need to exist once. Then each of my 10 WAR files would look like this:

  META-INF/
  META-INF/MANIFEST.MF
  WEB-INF/
  WEB-INF/web.xml
  WEB-INF/classes/
  WEB-INF/classes/log4j.properties
  error/
  error/notfound.html
  META-INF/context.xml

As you can see, this would leave my classes directory empty since everything is now stored in the new jar file in my common/lib directory. I've tried this though and it doesn't seem to work. None of the referenced classes in my new common/lib/ jar file are found when referenced by my web.xml file. I've googled things such as "war file without classes", etc. and came up empty.

Am I going about this totally wrong? Is it possible to have my own jar file of classes shared across all 10 of my webapps?

Thanks a lot for any help.
Eric
Adding/removing hosts dynamically?
Dear Forum,

Is it possible to dynamically add/remove hosts through code without restarting Tomcat (6.0)?

I am writing an application that creates new websites on the fly (e.g. website1.mydomain.com, website2.mydomain.com etc). Each of these websites will exist in a separate directory on the server; this is so they may be upgraded independently in the future.

1. I have considered programmatically editing server.xml, but have ruled this out since it would require restarting Tomcat afterwards (and hence downtime of existing sites).

2. I have also considered running multiple instances of Tomcat, but each instance would have to use a different TCP port. In the absence of any additional software, this would mean I would need lots of external IPs.

3. I have looked at the 'tomcat-manager' app (and considered interfacing with it via HTTP) but the start function does not seem to work and, from what I have read, this app is no longer supported?

Would anybody be able to advise me on the best approach please? I have not ruled out any of the above options completely if they can be implemented reliably and without restarting the server.

Thank you in advance!
Richard.
RE: Building a more efficient war file
> From: Eric Pastoor [mailto:epast...@vt.edu]
> Subject: Building a more efficient war file
>
> Each deployed webapp contains all the same source code copied across each.

Hopefully you don't put source code in the .war files.

> I have been trying to think of a better way to do this.

Why do you think it's a problem?

> I began thinking a better way to do this would be to build a new jar file and store it in my tomcat/common/lib

At that point, all of your webapps are tied together, and stopping/starting any one would effectively require restarting Tomcat. Maybe that's not a problem for you, but it is for most sites. Placing classes in a common location would reduce your PermGen footprint, but little else. Don't see much advantage to doing this.

- Chuck
RE: Adding/removing hosts dynamically?
> From: richard42 [mailto:tom...@webcogs.com]
> Subject: Adding/removing hosts dynamically?
>
> Is it possible to dynamically add/remove hosts through code without restarting Tomcat (6.0)?

Yes - use the supplied host-manager webapp. It's mostly undocumented, so you'll need to poke around in it a bit; it does seem to do what you need.

- Chuck
Re: Building a more efficient war file
2010/1/21 Eric Pastoor <epast...@vt.edu>
> I run a Tomcat based website which runs about 10 sports leagues. All of the leagues have their own WAR based webapp.
> [...]
> Am I going about this totally wrong?

Well, a quick cost/benefit analysis...

- How much does the memory and disk to hold the extra copies of the files cost?
- How much does your time to think about changing this cost?
- How much time do you expect to spend in / save by making any change?
- Do you expect the changed version to have teething troubles that might impact your users?

Other than for (some value of) conceptual neatness, why do you want to do this? What part of your life, your users' life or your business' life will this improve?

I'm not aiming to persuade you against making the change, by the way; nor do I intend to teach grandmother to suck eggs if you've got a business case. It's just surprising how many people don't cost $500 of staff time and $10,000 of unscheduled downtime when trying to save $10 of RAM ;-).

- Peter
Re: Adding/removing hosts dynamically?
The answer is yes, it is possible. Others have done it successfully. If you want a place to start, take a look at the host manager servlet:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java?view=annotate

Note, this doesn't imply that you have to do it over HTTP; implement it any way you want to fit your environment best.

Filip

On 01/21/2010 10:24 AM, richard42 wrote:
> Dear Forum,
>
> Is it possible to dynamically add/remove hosts through code without restarting Tomcat (6.0)?
>
> I am writing an application that creates new websites on the fly (e.g. website1.mydomain.com, website2.mydomain.com etc). Each of these websites will exist in a separate directory on the server; this is so they may be upgraded independently in the future.
>
> 1. I have considered programmatically editing server.xml, but have ruled this out since it would require restarting Tomcat afterwards (and hence downtime of existing sites).
>
> 2. I have also considered running multiple instances of Tomcat, but each instance would have to use a different TCP port. In the absence of any additional software, this would mean I would need lots of external IPs.
>
> 3. I have looked at the 'tomcat-manager' app (and considered interfacing with it via HTTP) but the start function does not seem to work and, from what I have read, this app is no longer supported?
>
> Would anybody be able to advise me on the best approach please? I have not ruled out any of the above options completely if they can be implemented reliably and without restarting the server.
>
> Thank you in advance!
> Richard.
Re: Building a more efficient war file
Charles,

You're right. I misspoke and meant to say that each webapp contains the exact same class files.

My webhost provides me a virtual machine. Unfortunately this means I can't configure Tomcat nor allocate more memory. They give me very little RAM, usually only about 512 MB at any given time. I am constantly running out of memory as more and more users are on the sites. I was hoping that by changing my webapps to a much smaller footprint, it would reduce the strain on the server.

The other reason is that whenever I apply an update to one of the webapps, I apply it to them all. I was hoping to simplify that a bit.

On Thu, Jan 21, 2010 at 12:28 PM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>> From: Eric Pastoor [mailto:epast...@vt.edu]
>> Subject: Building a more efficient war file
>>
>> Each deployed webapp contains all the same source code copied across each.
>
> Hopefully you don't put source code in the .war files.
>
>> I have been trying to think of a better way to do this.
>
> Why do you think it's a problem?
>
>> I began thinking a better way to do this would be to build a new jar file and store it in my tomcat/common/lib
>
> At that point, all of your webapps are tied together, and stopping/starting any one would effectively require restarting Tomcat. Maybe that's not a problem for you, but it is for most sites. Placing classes in a common location would reduce your PermGen footprint, but little else. Don't see much advantage to doing this.
>
> - Chuck
RE: Building a more efficient war file
> From: Eric Pastoor [mailto:epast...@vt.edu]
> Subject: Re: Building a more efficient war file
>
> I was hoping that by changing my webapps to a much smaller footprint, it would reduce the strain on the server.

Putting the class files in a common location won't reduce your footprint much, but it will help a little. 512MB is pretty small, these days.

> I was hoping to simplify that a bit.

What you're doing should work. Post the stack trace and whatever other messages from the Tomcat logs that are generated when you deploy and attempt to access an app.

You should also take a very hard look at your heap usage. If you're getting OOMEs, you may just be leaking memory somewhere in your webapp(s).

- Chuck
newbie: multiple ports for same tomcat server 5.0
I have recently inherited a Tomcat 5 server (today - do not want to upgrade at this point). There is an SSI server on the outside that sends requests to 8009 for this Tomcat server (from what I have been told). The Tomcat server is running on port 8082.

I have been tasked to change this Tomcat server to accept requests from 8082 when they are coming from the outside and port 80 if you are inside the network. The outside goes from an address that accepts the request on port 80 and then sends it to Tomcat on port 8082. The inside I would set DHCP to send directly to the Tomcat server and bypass the SSI server. Therefore I need to allow this Tomcat server to listen on port 80 and port 8082.

I am including my server.xml file.

Thanks,

  <?xml version='1.0' encoding='utf-8'?>
  <Server>
    <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
    <GlobalNamingResources>
      <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
      <Resource auth="Container" description="User database that can be updated and saved"
                name="UserDatabase" type="org.apache.catalina.UserDatabase"/>
      <ResourceParams name="UserDatabase">
        <parameter>
          <name>factory</name>
          <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
        </parameter>
        <parameter>
          <name>pathname</name>
          <value>conf/tomcat-users.xml</value>
        </parameter>
      </ResourceParams>
    </GlobalNamingResources>
    <Service name="Catalina">
      <Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="2"
                 disableUploadTimeout="true" port="8082" redirectPort="8443"
                 maxSpareThreads="75" maxThreads="150" minSpareThreads="25">
      </Connector>
      <Connector port="8009" protocol="AJP/1.3"
                 protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"
                 redirectPort="8443" tomcatAuthentication="false">
      </Connector>
      <Engine defaultHost="localhost" name="Catalina">
        <Host appBase="webapps" name="localhost">
          <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_log."
                  suffix=".txt" timestamp="true"/>
        </Host>
        <Logger className="org.apache.catalina.logger.FileLogger" prefix="catalina_log."
                suffix=".txt" timestamp="true"/>
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
      </Engine>
    </Service>
  </Server>
[ANN] Apache Tomcat Native 1.1.19 released
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.1.19 stable. This release includes a few minor fixes over Tomcat Native 1.1.18.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

Thank you,
-- The Apache Tomcat Team
Re: mod_jk codepage in header values
André,

On 1/21/2010 9:21 AM, André Warnier wrote:
> But then, such header field values MUST be encoded according to the rules of RFC 2047.

Unfortunately, Tomcat does not follow RFC 2047, at least not according to http://stackoverflow.com/questions/324470/http-headers-encoding-decoding-in-java and not according to my simple test:

  $ wget -O - --header "Test-Value: =?iso-8859-1?q?this=20is=20some=20text?=" http://myhost/SessionSnooper.jsp | grep -C 1 some=20text
  <td>=?iso-8859-1?q?this=20is=20some=20text?=<br />
  </td>

The value is preserved as-is. (The SessionSnooper.jsp file referenced above can be found here: http://www.christopherschultz.net/projects/java/).

Fortunately, the value /is/ passed-through without modification. That means that we can read it ourselves! Let's figure out how to decode the string =?iso-8859-1?q?this=20is=20some=20text?=:

1. Check that the string matches the pattern =\?[^?]*\?(B|Q)\?[^?]*\?=
2. Extract the charset and encoding
3. If encoding is 'Q', convert value characters to bytes: =HL -> 0xHL, others direct
4. If encoding is 'B', base64 decode value into bytes
5. Convert bytes to characters using charset: new String(bytes, charset)

As I started to write code to do this, it occurred to me that it must already exist. Googling for "java rfc2047 decode" shows that the javax.mail.internet.MimeUtility class (packaged with the JavaMail API) already has a method called decodeText that will do this for us. I wrote a simple wrapper around that method, and you can see that it works:

  $ java -classpath javamail-1.4.2.jar:. RFC2047Codec '=?iso-8859-1?q?this=20is=20some=20text?='
  this is some text
  $ java -classpath javamail-1.4.2.jar:. RFC2047Codec '=?UTF-8?q?this=20is=20some=20text?='
  this is some text
  $ java -classpath javamail-1.4.2.jar:. RFC2047Codec '=?utf-8?q?this=20is=20some=20text?='
  this is some text
  $ java -classpath javamail-1.4.2.jar:. RFC2047Codec '=?utf-8?q?this=20is=20a=20pi:=20=cf=80?='
  this is a pi: #

Er, the pi wouldn't copy correctly from my terminal, but I assure you that the pi character was dumped to my terminal.

So, if you have to decode RFC 2047-compliant values, MimeUtility can help you do that. It can also help you encode them, too.

It sounds like you have everything you need at this point, as long as AAI recognizes RFC 2047-formatted HTTP header values.

Good luck,
-chris
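The five decoding steps above, worked through in code. This is an added example (Python rather than the Java in the thread; not Chris's RFC2047Codec wrapper nor Tomcat or JavaMail code): it implements the Q and B forms by hand, adds the one rule the step list omits (in Q encoding an underscore stands for a space, RFC 2047 section 4.2), passes a value that is not an encoded-word through unchanged exactly as Tomcat does, and cross-checks against Python's own email.header.decode_header.

```python
"""Decode RFC 2047 "encoded-word" header values (=?charset?B|Q?text?=) by hand,
following the five steps sketched in the message above, and cross-check the
result against Python's standard library (email.header.decode_header).
Added example, not code from the thread or from Tomcat/JavaMail."""
import base64
import codecs
import re
from email.header import decode_header

# Step 1: the encoded-word shape. B/Q are case-insensitive per RFC 2047.
ENCODED_WORD = re.compile(r"=\?([^?]*)\?([BbQq])\?([^?]*)\?=")


def decode_q(text: str) -> bytes:
    """Step 3, the Q encoding: '=HL' is the byte 0xHL, '_' is a space
    (RFC 2047 section 4.2, a rule the five steps above leave out), and any
    other character is taken literally and must be ASCII."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "=":
            if i + 3 > len(text):
                raise ValueError("truncated =HL escape in Q-encoded text")
            out.append(int(text[i + 1:i + 3], 16))  # ValueError if not hex
            i += 3
        elif ch == "_":
            out.append(0x20)
            i += 1
        else:
            out += ch.encode("ascii")  # non-ASCII here is malformed input
            i += 1
    return bytes(out)


def decode_encoded_word(value: str) -> str:
    """Decode a header value that is one whole encoded-word.  A value that does
    not have the encoded-word shape is returned unchanged, which is exactly
    what Tomcat did with the Test-Value header in the wget test above."""
    m = ENCODED_WORD.fullmatch(value)
    if m is None:
        return value
    charset, encoding, text = m.group(1), m.group(2).upper(), m.group(3)  # Step 2
    try:
        codecs.lookup(charset)  # reject charsets this platform cannot decode
    except LookupError:
        raise ValueError(f"unknown charset in encoded-word: {charset!r}") from None
    if encoding == "Q":
        raw = decode_q(text)
    else:
        raw = base64.b64decode(text, validate=True)  # Step 4: strict Base64
    return raw.decode(charset)  # Step 5: bytes -> characters in that charset


def encode_word(text: str, charset: str = "utf-8", encoding: str = "B") -> str:
    """Produce an encoded-word, the encoding direction MimeUtility also offers.
    The Q form here escapes everything except ASCII letters and digits, which
    is always legal (RFC 2047 permits escaping any byte)."""
    raw = text.encode(charset)
    if encoding.upper() == "B":
        body = base64.b64encode(raw).decode("ascii")
    else:
        body = "".join(
            chr(b) if b < 0x80 and chr(b).isalnum() else f"={b:02X}" for b in raw
        )
    return f"=?{charset}?{encoding.upper()}?{body}?="


def stdlib_decode(value: str) -> str:
    """Reference decoding with the standard library, used to cross-check."""
    parts = decode_header(value)
    return "".join(
        p.decode(cs or "ascii") if isinstance(p, bytes) else p for p, cs in parts
    )


if __name__ == "__main__":
    for sample in (
        "=?iso-8859-1?q?this=20is=20some=20text?=",
        "=?utf-8?q?this=20is=20a=20pi:=20=cf=80?=",  # the pi example from the thread
        encode_word("this is a pi: \u03c0"),         # same text, B form
        "not an encoded word at all",                # passed through unchanged
    ):
        print(f"{sample!r:55} -> {decode_encoded_word(sample)!r}")
```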
Re: newbie: multiple ports for same tomcat server 5.0
Chart wrote:
> I have recently inherited a Tomcat 5 server (today - do not want to upgrade at this point). There is an SSI server on the outside that sends requests to 8009 for this Tomcat server (from what I have been told). The Tomcat server is running on port 8082.
>
> I have been tasked to change this Tomcat server to accept requests from 8082 when they are coming from the outside and port 80 if you are inside the network. The outside goes from an address that accepts the request on port 80 and then sends it to Tomcat on port 8082. The inside I would set DHCP to send directly to the Tomcat server and bypass the SSI server. Therefore I need to allow this Tomcat server to listen on port 80 and port 8082.
>
> I am including my server.xml file.
>
> Thanks,
>
> [server.xml snipped]

Finally a question at my level ! :-)

What you have above, graphically (*), is like this:

      Users                         Users
        |                             |
   (HTTP protocol)              (HTTP protocol)
        |                             |
   SSI server                         |
   (Apache httpd ?)                   |
        |                             |
   Apache/Tomcat connector            |
   (inside Apache) (mod_jk ?)         |
        |                             |
   (AJP protocol)                     |
        |                             |
   Tomcat AJP connector         Tomcat HTTP connector
   <Connector port="8009">      <Connector port="8082">
        |                             |
        +--------------+--------------+
                       |
                  Tomcat Host
                       |
           webapps   webapps   webapps

And you want this:

      Users                   External Users            Internal Users
        |                           |                         |
   (HTTP protocol)            (HTTP protocol)           (HTTP protocol)
        |                           |                         |
   SSI server                       |                         |
   (Apache httpd ?)                 |                         |
        |                           |                         |
   Apache/Tomcat connector          |                         |
   (inside Apache) (mod_jk ?)       |                         |
        |                           |                         |
   (AJP protocol)                   |                         |
        |                           |                         |
   Tomcat AJP connector       Tomcat HTTP connector     Tomcat HTTP connector
   <Connector port="8009">    <Connector port="8082">   <Connector port="80">
        |                           |                         |
        +---------------------------+-------------------------+
                                    |
                               Tomcat Host
                                    |
                        webapps   webapps   webapps

Can you guess? You just need to duplicate this section, and change one attribute:

  <Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="2"
             disableUploadTimeout="true" port="8082" redirectPort="8443"
             maxSpareThreads="75" maxThreads="150" minSpareThreads="25">
  </Connector>

Easy, no?

(*) Well, I am doing my best, but there's a limit to what one can do in text emails

Note that there is a catch, above: if there is already another server listening on port 80, it will not work. You need to choose,
RE: newbie: multiple ports for same tomcat server 5.0
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: newbie: multiple ports for same tomcat server 5.0
>
> What you have above, graphically (*), is like this:

Nice pictures. (The lost art of ASCII art.)

> You just need to duplicate this section, and change one attribute:
>
>   <Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="2"
>              disableUploadTimeout="true" port="8082" redirectPort="8443"
>              maxSpareThreads="75" maxThreads="150" minSpareThreads="25">
>   </Connector>

One addition: you might want to use an address attribute in each Connector to limit which IP addresses Tomcat will listen on, and avoid port conflicts.

- Chuck
Re: newbie: multiple ports for same tomcat server 5.0
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Subject: Re: newbie: multiple ports for same tomcat server 5.0
>>
>> What you have above, graphically (*), is like this:
>
> Nice pictures. (The lost art of ASCII art.)

Thanks. Unfortunately, I have a feeling that only fellow artists of the same school and period would really appreciate the effort.
Re: Basic Authentication Failed with multibyte username
Gábor,

On 1/21/2010 9:16 AM, Auth Gábor wrote:
> Mark Thomas wrote:
>> OCTET = any 8-bit sequence of data
>> CTL = any US-ASCII control character (octets 0 - 31) and DEL (127)
>>
>> So actually, Tomcat is correct in the current treatment of credentials. Therefore, not a bug.
>
> Yes, but the UTF-8 encoded text contains any 8-bit sequence of data except control characters, so IMHO the UTF-8 encoded text is TEXT.

Sure, UTF-8 encoded text is TEXT, but you may not get the String value you expect. André is correct in that non-Latin characters appear to be unsupported by the HTTP Authenticate header. Now, there /are/ things that can be done to accommodate you. See below.

>> The patch you posted probably will only work when the platform encoding is set to UTF-8. Instead, an encoding setting would probably have to be provided to the BasicAuthenticator to allow the Base64-encoded header value to use the desired encoding.

Actually, the code as it looks right now does have a bug: the platform default encoding is used to decode the Base64-decoded bytes in the Authenticate header. Instead, it should probably be ASCII or maybe ISO-8859-1.

>> Also André's comments regarding ISO-8859-1 were right if considering the actual user name and password rather than the header.
>
> Yes, that's right. The default header encoding is ISO-8859-1.

It's ASCII, though ISO-8859-1 is backward-compatible (as is UTF-8).

> I've found some information about this issue:
> http://stackoverflow.com/questions/702629/utf-8-characters-mangled-in-http-basic-auth-username

Nice that someone looked at actual behavior of the browsers.

It would be pretty trivial to add a settable charset to the BasicAuthenticator, and also to allow things like RFC 2047 charset-in-value decoding, though I don't think that's appropriate because the Base64 value has already been decoded.

-chris
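The problem Chris and André are circling, shown concretely. This is an added example (Python, not Tomcat's BasicAuthenticator or Gábor's patch): the same user name "Gábor" (a value constructed here) produces two different Authorization headers depending on the charset the browser used before Base64, nothing in the header records which one, and a server that decodes with the wrong charset either gets mojibake (UTF-8 bytes read as ISO-8859-1) or a decode error (ISO-8859-1 bytes read as UTF-8). The settable charset the thread proposes is the `charset` parameter of `parse_basic_header`; the UTF-8-first fallback is my own suggestion, not from the thread.

```python
"""Charset ambiguity in HTTP Basic authentication.  The client sends
Base64(user ":" password), but the header never says which charset turned
the characters into bytes, so the server has to guess (Tomcat used the
platform default).  Added example, not Tomcat code; the user name and the
headers built below are constructed for illustration."""
import base64


def build_basic_header(username: str, password: str, charset: str) -> str:
    """Client side: what a browser sends when it encodes the credentials in
    `charset` before Base64.  Note that the charset itself is not transmitted."""
    raw = f"{username}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str, charset: str) -> tuple[str, str]:
    """Server side: Base64-decode, then interpret the bytes in `charset`
    (the settable charset the thread suggests for BasicAuthenticator).
    Splits on the first ':' only, so passwords may contain ':'.
    Raises UnicodeDecodeError if the bytes are not valid in `charset`."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic" or not payload:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(payload, validate=True)  # reject non-Base64 junk
    user, sep, password = raw.partition(b":")
    if not sep:
        raise ValueError("credential lacks the ':' separator")
    return user.decode(charset), password.decode(charset)


def parse_basic_header_utf8_first(header: str) -> tuple[str, str]:
    """Heuristic (my suggestion, not from the thread): UTF-8 is self-validating,
    so try it first and fall back to ISO-8859-1, which accepts any byte.
    It cannot catch an ISO-8859-1 string that happens to be valid UTF-8,
    so it narrows the problem rather than solving it."""
    try:
        return parse_basic_header(header, "utf-8")
    except UnicodeDecodeError:
        return parse_basic_header(header, "iso-8859-1")


if __name__ == "__main__":
    user, pw = "G\u00e1bor", "secret"  # constructed sample credentials
    for client_charset in ("iso-8859-1", "utf-8"):
        header = build_basic_header(user, pw, client_charset)
        print(f"client encoded as {client_charset:<10} -> {header}")
        for server_charset in ("iso-8859-1", "utf-8"):
            try:
                got = parse_basic_header(header, server_charset)
            except UnicodeDecodeError as e:
                got = f"UnicodeDecodeError: {e.reason}"
            print(f"    server decodes as {server_charset:<10} -> {got!r}")
        print(f"    utf-8-first heuristic          -> {parse_basic_header_utf8_first(header)!r}")
```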
Can anyone do a simple war deployment in Tomcat 6?
I want to deploy a war file in an embedded Tomcat. There are a few outdated examples, and many posts where this gets asked and never answered.

http://www.mail-archive.com/users@tomcat.apache.org/msg19481.html

The methods once used to do this are gone, and I can't find any examples of how to do such a simple and useful task. This is pretty ridiculous; surely someone knows how to do this.

Thanks,
Clay
Re: Can anyone do a simple war deployment in Tomcat 6?
simplest
http://tomcat.apache.org/tomcat-6.0-doc/appdev/sample/
http://tomcat.apache.org/tomcat-6.0-doc/deployer-howto.html

On 01/21/2010 01:41 PM, Clay McCoy wrote:
> I want to deploy a war file in an embedded Tomcat. There are a few outdated examples, and many posts where this gets asked and never answered.
>
> http://www.mail-archive.com/users@tomcat.apache.org/msg19481.html
>
> The methods once used to do this are gone, and I can't find any examples of how to do such a simple and useful task. This is pretty ridiculous; surely someone knows how to do this.
>
> Thanks,
> Clay
Re: Basic Authentication Failed with multibyte username
Christopher Schultz wrote:
> ...
> Nice that someone looked at actual behavior of the browsers.

There is an easy way to find out what really happens.

Gábor, I presume that you have a workstation set for iso-8859-2 (or whichever non iso-8859-1 charset is appropriate for Magyar, I forgot), and a browser set up similarly. Could you get one of these add-ons like Fiddler2 or LiveHttpHeaders, and arrange to capture what is sent by the browser in its authorization header when you enter a user-id/password containing some characters of the range above \x9F? That should be the base64 encoding of whatever the browser is sending. Then of course you'll have to find a way to show us the base64-encoded form, and the corresponding non-encoded form of ditto (but I think that composing and sending your post as UTF-8 should do the trick). We could probably do much the same with our own charset-challenged browsers, but we don't have the easiest keyboards for that.

It is my deep suspicion that the browsers will just take the input as iso-latin-x (whatever the workstation/browser is set for), and base64-encode it, without bothering to indicate the real charset in any way. But we'll see.

Kösönöm szepen, I think it is...
Re: Can anyone do a simple war deployment in Tomcat 6?
Thank you for the reply, but I'm talking about embedded Tomcat. The war is deployed programmatically, and the API has changed drastically since the dated examples I can find. It would be great if the embedded use of Tomcat had the same level of documentation.

On 1/21/10 3:23 PM, Filip Hanik - Dev Lists devli...@hanik.com wrote:
> simplest
>
> http://tomcat.apache.org/tomcat-6.0-doc/appdev/sample/
> http://tomcat.apache.org/tomcat-6.0-doc/deployer-howto.html
>
> On 01/21/2010 01:41 PM, Clay McCoy wrote:
>> I want to deploy a war file in an embedded Tomcat. There are a few outdated examples, and many posts where this gets asked and never answered.
>> http://www.mail-archive.com/users@tomcat.apache.org/msg19481.html
>> The methods once used to do this are gone, and I can't find any examples of how to do such a simple and useful task. This is pretty ridiculous, surely someone knows how to do this.
>> Thanks,
>> Clay
RE: Securing Tomcat Applications from Reverse Engineering
André -

Welcome to the world of small business, for-profit software development. This is a more common attitude than you might be aware.

Jeff

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Thursday, January 21, 2010 5:31 AM
To: Tomcat Users List
Subject: Re: Securing Tomcat Applications from Reverse Engineering

Peter Crowther wrote:
> 2010/1/21 Kranti(tm) K K Parisa kranti.par...@gmail.com
>> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
>
> Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.

I'll add something to that, just for the sake of it. I personally find this situation ironic: here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.
Re: Polling and session timeout
On 21/01/2010 15:26, Christopher Schultz wrote:
> Pid,
>
> On 1/21/2010 3:32 AM, Pid wrote:
>> On 21/01/2010 04:45, grailcattt wrote:
>>> That is exactly what I ended up doing and it is working well. I was hoping for a solution that used tomcat session management rather than managing my own session timeouts, but it works well.
>>
>> If you put the poll servlet in a separate app and are NOT using the single sign on valve, you could set a separate session timeout in that servlet/app. I think.
>
> If you access the session at all, it counts as a touch, thereby extending the life of the session. It's not possible to peek at the session without touching it AFAICT.
>
> There's probably a way to do this with a replacement for either the session manager or a valve, but I think the code would need to divine the intent of the calling code to work properly. :(

True - the poll servlet would have to be stateless and couldn't use any login credentials without an independent login, which would probably be counterproductive. But, the session would be separate and so this would meet the initial criteria of allowing the main app to time out 'naturally'. I think.

p

> -chris
Re: Can anyone do a simple war deployment in Tomcat 6?
an embedded Tomcat is the same as a regular Tomcat if you configure it that way. The easiest way I can think of is to take a look at the class we use to launch a simple tomcat in trunk:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/Tomcat.java?view=annotate
there is a method called addWebApp

Filip

On 01/21/2010 02:50 PM, Clay McCoy wrote:
> Thank you for the reply, but I'm talking about embedded Tomcat. The war is deployed programmatically, and the API has changed drastically since the dated examples I can find. It would be great if the embedded use of Tomcat had the same level of documentation.
>
> On 1/21/10 3:23 PM, Filip Hanik - Dev Lists devli...@hanik.com wrote:
>> simplest
>>
>> http://tomcat.apache.org/tomcat-6.0-doc/appdev/sample/
>> http://tomcat.apache.org/tomcat-6.0-doc/deployer-howto.html
>>
>> On 01/21/2010 01:41 PM, Clay McCoy wrote:
>>> I want to deploy a war file in an embedded Tomcat. There are a few outdated examples, and many posts where this gets asked and never answered.
>>> http://www.mail-archive.com/users@tomcat.apache.org/msg19481.html
>>> The methods once used to do this are gone, and I can't find any examples of how to do such a simple and useful task. This is pretty ridiculous, surely someone knows how to do this.
>>> Thanks,
>>> Clay
Re: [OT] Securing Tomcat Applications from Reverse Engineering
Jeffrey Janner wrote:
> André -
> Welcome to the world of small business, for-profit software development. This is a more common attitude than you might be aware.

I was being somewhat ironic. Being myself a small for-profit software development business, I am well aware of the circumstances. ;-)

But here are another few arguments (apart from the ones I already mentioned in another post):

If you are a small software business whose customers are businesses that use your product, and your product is good and your prices are reasonable, chances are good that none of your customers is even going to bother taking the time to try to copy your product. If they themselves are small/medium businesses, what would they do with it? They have their own business to run. They are not a software company, you are. And if they are big, they will never risk their reputation and their money trying it.

And, agreeing with another post by Leon, you are probably much better off spending your time improving and supporting your product, than developing ways to try protecting it from unfair copying.

Things would be different of course if your product was something destined for the mass-market, or if you intend to sell it through resellers, or if your customers are themselves software companies.

I will not mention the fact that in all of the above cases, your highest level of risk is probably inside, not outside.

And if you really insist on protecting your code, then I am afraid that Java is not the best choice of tool.

And I'll finish with another sarcastic note about code obfuscation: in my experience, it is not really necessary to put a lot of effort into this. Other people's code tends to be naturally obfuscated, all by itself.
Re: Securing Tomcat Applications from Reverse Engineering
On 21/01/2010 16:24, Leon Rosenberg wrote:
> 5. stop wasting your time and invest it into developing new features and actually selling your product. If it's worth copying it will be copied this way or other. So far no one has managed to protect their software against copying, better concentrate on things you really CAN achieve.
>
> regards
> Leon

I agree with this statement.

Legal issues aside, you can expend significant time and effort on protecting your code and a competitor can just copy the style, workflow and application logic with probably about as much effort as it would take to decompile the byte code, tidy it up and get their devs to understand how it works. In fact, the latter would probably be *more* effort, and you can't use technical means to defend against the former.

If you're really paranoid about your code, don't let it out of your control, run your app as a hosted service, (as previously suggested).

As Leon says: focus your efforts on making a truly great product and let other people worry about keeping up with you.

p

> On Thu, Jan 21, 2010 at 5:00 PM, André Warnier a...@ice-sa.com wrote:
>> Peter Crowther wrote:
>>> 2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com
>>>> How could we achieve this without the above tool? Because the pricing of the above tool is very costly.
>>>
>>> Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.
>>
>> I'll add something to that, just for the sake of it. I personally find this situation ironic: here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.
Re: Basic Authentication Failed with multibyte username
To get back to the underlying issue:

Auth Gábor wrote:
> So... this is the real chaos... :)

Yes.

> By the way, my users are not use HTML browsers, they are using JAX-WS in their client program, and the JAX-WS sends authentication data in UTF-8 (like Opera), because the default encoding is UTF-8 in the client JVM (and the server too).

Basically, I would tend to say that if the server knows who the clients are and vice-versa, you should be free to use any encoding you want, with the limitation that what is exchanged on the wire conforms to HTTP (because there may be proxies on the way which are not so tolerant).

What the client is sending is already (in a way) conformant to HTTP, because it is base64 encoded and so, on the surface, it does not contain non-ascii characters. And (I presume) you cannot change the code of the client, so it will continue to send these invalid headers with a UTF-8 value, base64-encoded.

But the problem is that the standard Tomcat code which decodes the Basic Authorization header does not work in the way you want, for these illegal headers. And this code should preferably not be changed in a way which breaks the conformance with standard HTTP. Because if you do that, then your Tomcat becomes useless for anything else than your special client.

An additional complication is that, if you want to use the embedded container-managed Tomcat authentication mechanisms, then you have to do something very early in the cycle, because that authentication takes place even before any servlet filter is invoked. Up to Tomcat 5.5, you would have to do this in a Valve then, which has the inconvenience that it is Tomcat-specific. (I think Tomcat 6 may give other options, maybe not Tomcat-specific.)

Or, you drop the container-managed security, and you use something like the SecurityFilter (http://securityfilter.sourceforge.net/), but read the homepage carefully first.

So, to be pragmatic, I would tend to go in the following direction:

- create a Valve which
  - checks the User-Agent. If it does not match your special client, do nothing. If it matches, then
  - get the Authorization header. If there is none, do nothing
  - else, decode its value properly into a Unicode string
  - re-encode this string in a way that fits with standard HTTP. For example, replace each character by a string like {}, where is the hex value of the Unicode codepoint of the character. (That is always valid us-ascii, but check the maximum length).
  - re-encode the result using base64
  - replace the Authorization header value with this new string
- in your back-end authentication mechanism (I will suppose it is a database of userids/passwords), encode the userids/passwords the same way, and make this an alternate key

The embedded Tomcat authentication will then decode the new base64 string, split it into userid:password, and use them to verify the credentials, which will match.

If you do not like a Valve, then use a front-end server like Apache, and do the transformation of the header there, before the request is passed to Tomcat. Alternatively then, you could also do the user authentication at the Apache level, and just pass the user-id to Tomcat. (being an Apache/mod_perl guy myself, I find this last option much easier, but YMMV).

And all that for a few Ö's and Á's and ß's

Another option is to use a front-end Apache httpd server, which would modify the requests as follows: (I presume that you have a way to identify requests coming from this particular client) (User-Agent header e.g.). Create a filter at the Apache level, which detects your special client. If it detects it, then it adds an additional header to the request
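The header rewrite André sketches above, as an added example (my code, not from the thread and not Tomcat's): the decode/escape/re-encode step is kept in a plain Java class so it compiles without Tomcat on the classpath; a Valve would call rewriteHeader() on the Authorization value after checking the User-Agent, and the same escapeNonAscii() produces the alternate key for the realm. The {XXXX} escape with the code point as four hex digits, escaping only non-ASCII characters so the ':' separator and plain-ASCII credentials survive unchanged, and the sample credentials are my assumptions; java.util.Base64 needs Java 8 or later.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example: a Basic credential that the client encoded as UTF-8
 * (the JAX-WS client in the thread) is mis-decoded by a server that
 * assumes ISO-8859-1. Rewriting the header into pure US-ASCII before
 * container-managed authentication runs lets the standard decoder work.
 * The {XXXX} escape format is an assumption made for this example.
 */
public class BasicAuthEscape {

    /** Decode the credentials after "Basic " with the given charset (Tomcat uses ISO-8859-1). */
    static String decodeCredentials(String headerValue, Charset cs) {
        String b64 = headerValue.substring("Basic ".length()).trim();
        return new String(Base64.getDecoder().decode(b64), cs);
    }

    /**
     * Replace every character above U+007F by {XXXX} (upper-case hex code point,
     * at least four digits). ASCII, including the ':' separator, is copied as-is,
     * so an all-ASCII credential is returned unchanged.
     */
    static String escapeNonAscii(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            if (cp < 0x80) {
                sb.append((char) cp);
            } else {
                sb.append('{').append(String.format("%04X", cp)).append('}');
            }
            i += Character.charCount(cp);   // handles supplementary characters
        }
        return sb.toString();
    }

    /**
     * Rewrite an Authorization header whose base64 payload is UTF-8:
     * decode as UTF-8, escape to ASCII, re-encode. Non-Basic or missing
     * headers are returned untouched, which is what a Valve should do
     * when the request does not come from the special client.
     */
    static String rewriteHeader(String headerValue) {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            return headerValue;
        }
        String creds = decodeCredentials(headerValue, StandardCharsets.UTF_8);
        String ascii = escapeNonAscii(creds);
        return "Basic " + Base64.getEncoder()
                .encodeToString(ascii.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample: the client sends "gábor:jelszó" as UTF-8, base64-encoded.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("gábor:jelszó".getBytes(StandardCharsets.UTF_8));

        // What the container sees when it decodes the bytes as ISO-8859-1 (mojibake).
        System.out.println("decoded as ISO-8859-1: "
                + decodeCredentials(header, StandardCharsets.ISO_8859_1));
        // What the client meant.
        System.out.println("decoded as UTF-8:      "
                + decodeCredentials(header, StandardCharsets.UTF_8));

        // After the rewrite, the ISO-8859-1 decoder yields the escaped ASCII form,
        // which splits cleanly on ':' and matches the alternate key below.
        String rewritten = rewriteHeader(header);
        System.out.println("rewritten header:      " + rewritten);
        System.out.println("container now decodes: "
                + decodeCredentials(rewritten, StandardCharsets.ISO_8859_1));
        System.out.println("alternate key for user gábor: " + escapeNonAscii("gábor"));
    }
}
```

The rewritten value is pure US-ASCII, so it passes proxies that enforce RFC header syntax, while the realm matches it against the same escaped form stored as the alternate key.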
Re: Adding/removing hosts dynamically?
Thank you for the advice!

I have tried the host manager app as well as a class that I have just written which implements ContainerServlet. Unfortunately, I find that when I create a new host (by adding a StandardHost to the Engine), it appears to add it successfully, but only empty pages are served to the browser for that website. This seems to happen on the live server and my local machine (both Tomcat 6.0).

Does anybody have any suggestions as to why this might be occurring please?

Many thanks,
Richard.

Filip Hanik - Dev Lists wrote:
> answer is yes, it is possible. Others have done it successfully. If you want a place to start, take a look at host manager servlet
> http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java?view=annotate
> Note, this doesn't imply that you have to do it over HTTP, implement it any way you want to fit your environment
Re: newbie: multiple ports for same tomcat server 5.0
Hello Chuck,

I was going through this email thread and have a question for you. We have a similar setup like this in one of our containers but we do not use the address attribute as you mentioned in the connector declaration. You mentioned that adding the address attribute is recommended to prevent port conflicts. Can you please elaborate on this? I am having difficulties in imagining a scenario where this would result in a port conflict (an example would be great).

Thanks
Anurag

--
Anurag Kapur
Associate - Technology, Sapient Corporation.
http://www.linkedin.com/in/anuragkapur
http://www.google.com/profiles/anuragkapur
--

On Thu, Jan 21, 2010 at 7:47 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Subject: Re: newbie: multiple ports for same tomcat server 5.0
>>
>> What you have above, graphically (*), is like this :
>
> Nice pictures. (The lost art of ASCII art.)
>
>> You just need to duplicate this section, and change one attribute :
>>
>> <Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="2"
>>            disableUploadTimeout="true" port="8082" redirectPort="8443"
>>            maxSpareThreads="75" maxThreads="150" minSpareThreads="25">
>> </Connector>
>
> One addition: you might want to use an address attribute in each Connector to limit which IP addresses Tomcat will listen on, and avoid port conflicts.
>
> - Chuck
Re: tomcat log analyzer
Ensure you are looking at the right log file for end user traffic information. This file would be configured via the Access Log Valve (http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html). *Once you have the right file identified, you would be able to use any standard log analysis tool.*

Note the following info from the link above:

*Introduction*
The *Access Log Valve* creates log files in the same format as those created by standard web servers. These logs can later be analyzed by standard log analysis tools to track page hit counts, user session activity, and so on. The files produced by this Valve are rolled over nightly at midnight. This Valve may be associated with any Catalina container (Context, Host, or Engine), and will record ALL requests processed by that container.

Examples of tools:
http://awstats.sourceforge.net/
http://www.mrunix.net/webalizer/

~Anurag

--
Anurag Kapur
Associate - Technology, Sapient Corporation.
http://www.linkedin.com/in/anuragkapur
http://www.google.com/profiles/anuragkapur
--
Sent from Poplar, Greater London, United Kingdom

On Thu, Jan 21, 2010 at 9:24 AM, Ramachandran, Vishwanath(IE10) vishwanath.ramachand...@honeywell.com wrote:
> Hi Ryszard
>
> Yes catalina.out is not used for traffic analysis. I'm just looking for a tool, which I like to see visitors, access, counts, pages visited, browsers used etc. Is there any tool like e.g. weblog expert and deep log analyzer, where I just give the catalina.out in the log file location and generate reports
>
> Regards
> Vishwanath
> Desk: +91 80 26588360 Extn: 48555
>
> -----Original Message-----
> From: Ryszard Łach [mailto:ryl...@gmail.com]
> Sent: Thursday, January 21, 2010 1:59 PM
> To: Tomcat Users List
> Subject: Re: tomcat log analyzer
>
> 2010/1/21 Ramachandran, Vishwanath(IE10) vishwanath.ramachand...@honeywell.com
>> I have evaluated around 8 tools which do not support catalina.out. Kindly suggest.
>
> Hi.
>
> catalina.out is not supposed to be used for traffic analysis.
> Look at the AccessLogValve
> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
>
> Cheers,
> R.
>
> --
> First they ignore you. Then they laugh at you. Then they fight you. Then you win. - Mohandas Gandhi.
Re: Polling and session timeout
--- On Thu, 1/21/10 at 7:26 AM, Christopher Schultz ch...@christopherschultz.net wrote:
> If you access the session at all, it counts as a touch, thereby extending the life of the session. It's not possible to peek at the session without touching it AFAICT.

The Session timeout can be set when the response is being delivered via Session's setMaxInactiveInterval() method without extending the life of the Session. In a JSP:

<% session.setMaxInactiveInterval(inactiveTimeSecs); %>

- Bob
Re: Timeout
Don't understand what exactly is the question here but maybe the following answers your question:

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

connectionTimeout
keepAliveTimeout
selectorTimeout
socket.soTimeout
socket.unlockTimeout

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html?

--
Anurag Kapur
Associate - Technology, Sapient Corporation.
+44 (0) 7514 996 586
http://www.linkedin.com/in/anuragkapur
http://www.google.com/profiles/anuragkapur
--
Sent from Poplar, Greater London, United Kingdom

On Wed, Jan 20, 2010 at 3:24 PM, Mohit Anchlia mohitanch...@gmail.com wrote:
> Tomcat 6: Are there any other kind of timeout values other than ConnectionTimeout? Does Connection Timeout come into effect when there is an ESTABLISHED socket connection from the client?
Re: Adding/removing hosts dynamically?
richard42 wrote:
> ...it appears to add it successfully, but only empty pages are served to the browser for that website. This seems to happen on the live server and my local machine (both Tomcat 6.0).

Please ignore this, I have since got it working (needed to add a context).

Thanks once more.

Cheers,
Richard.
Re: Ajp port in use - tomcat using next available port
Mark Thomas ma...@apache.org wrote in message news:4b57bb79.3010...@apache.org...
> On 20/01/2010 17:08, Christopher Schultz wrote:
>> Paul,
>>
>> On 1/20/2010 4:08 PM, Paul Guglielmino wrote:
>>> I'm setting up the server to only listen on an ajp port (8009). If I already have something listening on that port then tomcat starts listening on the next port number (8010). This doesn't happen if the shutdown port is already in use or if I try it with a http connector port that is in use. I don't see any mention of this behavior in the docs. I do see an autobind option for clustering which will turn on behavior like this but I'm not using clustering.
>>
>> I don't see any mention of the auto-port-choosing for Connectors, either. Are you doing this manually?
>
> It is an undocumented feature of the org.apache.jk.server.JkCoyoteHandler implementation. Setting maxPort to the same value as port should disable it.

I think that mod_jk2 had logic to handle discovery. Granted, it isn't a very useful feature with mod_jk.

> Alternatively use the newer (and default in Tomcat 7) org.apache.coyote.ajp.AjpProtocol implementation.

And currently the only pure Java implementation in Tomcat 7 :).

Mark
Re: Adding/removing hosts dynamically?
I'm extremely interested in this. Any chance anyone who has used this before could provide some direction (example implementation)? Bare-bones documentation - if you will?

Thank you!

-Jordan

richard42 wrote:
> richard42 wrote:
>> ...it appears to add it successfully, but only empty pages are served to the browser for that website. This seems to happen on the live server and my local machine (both Tomcat 6.0).
>
> Please ignore this, I have since got it working (needed to add a context).
>
> Thanks once more.
>
> Cheers,
> Richard.
RE: newbie: multiple ports for same tomcat server 5.0
> From: Anurag Kapur [mailto:anuragka...@gmail.com]
> Subject: Re: newbie: multiple ports for same tomcat server 5.0
>
> You mentioned that adding the address attribute is recommended to prevent port conflicts.

I didn't say it was recommended, just that it was one way to avoid port conflicts, especially if you wanted both Connector elements to use a standard port, such as 80. The other way, of course, is to simply use different ports.

In the case being discussed in the thread, the OP wanted to segregate external users and internal ones, and typically that's done by using separate IP addresses for each group.

- Chuck
Problem starting connection pooling
I'm very new to Tomcat, connection pooling, JSP, etc. and I've been banging my head against a wall for two weeks trying to get a simple program to connect to a MySQL database.

*Vital Stats:*
Ubuntu 9.10, Java 1.6.0_0, Java Servlet 2.5, Java Server Pages 2.1, JSTL 1.2, Apache2, Tomcat 6.0.20, MySQL 5.1.41 5.0.67
MySQL Connector/J 5.1.11 (also 5.1.10) - in $CATALINA_HOME/lib
dbcp 1.2.1 - in $CATALINA_HOME/lib
(all standard Ubuntu issue)

*testapp/WEB-INF/web.xml:*

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    version="2.5">
  <description>Servlet and JSP Examples.</description>
  <display-name>Servlet and JSP Examples</display-name>
  <resource-ref>
    <description>DB Connection</description>
    <res-ref-name>jdbc/mydatabase</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>

*testapp/META-INF/context.xml:*

<?xml version="1.0" encoding="UTF-8"?>
<Context path="/junk" docBase="junk" debug="5" reloadable="true" crossContext="true">
  <Resource name="jdbc/mydatabase" auth="Container" type="javax.sql.DataSource"
            maxActive="100" maxIdle="30" maxWait="1"
            username="foo" password="bar"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://test.hostname.com:3306/database_test1"/>
</Context>

*testapp/testapp.jsp:*

<%@ page contentType="text/html" %>
<%-- These libraries are required for the c and sql tags --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<html>
<head>
<title>JNDI DBCP Test Page</title>
</head>
<body>
<h1>JNDI DBCP Test Page</h1>
<br/>Executing the query ...
<br/>
<%-- Note: Enter a query that is valid for your database here --%>
<sql:query var="result" dataSource="jdbc/mydatabase">
SELECT company FROM manuals
</sql:query>
</body>
</html>

I create the WAR (jar cvf testapp.war *), undeploy the old version and redeploy the new one through Tomcat Web Application Manager. Then restart Tomcat (sudo /etc/init.d/tomcat restart). The result is:

Jan 21, 2010 9:40:35 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Jan 21, 2010 9:40:35 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Jan 21, 2010 9:43:06 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet jsp threw exception
javax.servlet.jsp.JspException: Unable to get connection, DataSource invalid: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.)
	at org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.getConnection(Unknown Source)
	at org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.doStartTag(Unknown Source)
	at org.apache.jsp.test_jsp._jspx_meth_sql_005fquery_005f0(test_jsp.java:188)
	at org.apache.jsp.test_jsp._jspService(test_jsp.java:138)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
Blah, Blah, Blah

*More info:* The connection to MySQL tested successfully using the command line 'mysql'. There are no firewalls, that I can find, between the servers.

What is going on here? What am I missing? How do I fix it?
- Do I need to create a foo user in the tomcat-users.xml?
- Do I have to mess with the policy files? or security?

Thanks for your help.

Mark
Re: TCNative installation failed
2010/1/22 Mark Eggers its_toas...@yahoo.com:
> (...)
> In all four cases, the tcnative library failed to load. In the first two cases, the INFO message indicated that the library was not found in /home/mdeggers/Apache/apache-tomcat-5.5.28/bin. In the last two cases, the INFO message listed all directories in java.library.path
>
> The same steps were used to build and deploy the tcnative libraries on Tomcat 6.0.24. Configurations 1 and 3 from above were tried. Both worked for Tomcat 6.0.24 as indicated by the INFO message:

Ah, 5.5.28. There is
https://issues.apache.org/bugzilla/show_bug.cgi?id=47712

Best regards,
Konstantin Kolinko
RE: Adding/removing hosts dynamically?
> From: Jordan Michaels [mailto:jor...@viviotech.net]
> Subject: Re: Adding/removing hosts dynamically?
>
> I'm extremely interested in this. Any chance anyone who has used this before could provide some direction (example implementation)?

Try the HTML version of host-manager to get familiar with it:
http://localhost:8080/host-manager/html

Note that the updates made by the HTML and plain text servlets are not persistent, so will be lost upon Tomcat restart. You'll need some additional means to preserve the added hosts.

From the org/apache/catalina/manager/host/HostManagerServlet.java source code:

 * Servlet that enables remote management of the virtual hosts installed
 * on the server.  Normally, this functionality will be protected by
 * a security constraint in the web application deployment descriptor.
 * However, this requirement can be relaxed during testing.
 * <p>
 * This servlet examines the value returned by <code>getPathInfo()</code>
 * and related query parameters to determine what action is being requested.
 * The following actions and parameters (starting after the servlet path)
 * are supported:
 * <ul>
 * <li><b>/add?name={host-name}&aliases={host-aliases}&manager={manager}</b> -
 *     Create and add a new virtual host. The <code>host-name</code> attribute
 *     indicates the name of the new host. The <code>host-aliases</code>
 *     attribute is a comma separated list of the host alias names.
 *     The <code>manager</code> attribute is a boolean value indicating if the
 *     webapp manager will be installed in the newly created host (optional,
 *     false by default).</li>
 * <li><b>/remove?name={host-name}</b> - Remove a virtual host.
 *     The <code>host-name</code> attribute indicates the name of the host.
 * </li>
 * <li><b>/list</b> - List the virtual hosts installed on the server.
 *     Each host will be listed with the following format
 *     <code>host-name#host-aliases</code>.</li>
 * <li><b>/start?name={host-name}</b> - Start the virtual host.</li>
 * <li><b>/stop?name={host-name}</b> - Stop the virtual host.</li>
 * </ul>
 * <p>
 * <b>NOTE</b> - Attempting to stop or remove the host containing
 * this servlet itself will not succeed.  Therefore, this servlet should
 * generally be deployed in a separate virtual host.
 * <p>

Seems like the javadocs aren't currently installed on tomcat.apache.org, or I would have directed you there.

- Chuck
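An added example implementation of the kind Jordan asks for (my code, not Tomcat's and not from the thread), written against the Tomcat 6.0 API: a ContainerServlet that adds a StandardHost to the running Engine and, as Richard found was needed, a root Context, so the new host serves pages instead of empty responses. The request parameter names, the appBase convention and the choice to leave auto-deployment off are my assumptions; like host-manager, this servlet only works in a Context marked privileged="true", belongs behind a security constraint, and the host it adds is not persisted across restarts.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.ContainerServlet;
import org.apache.catalina.Engine;
import org.apache.catalina.Wrapper;
import org.apache.catalina.core.StandardContext;
import org.apache.catalina.core.StandardHost;
import org.apache.catalina.startup.ContextConfig;

/**
 * Added example (Tomcat 6.0): add a virtual host and a root context at runtime.
 * Tomcat injects the Wrapper via ContainerServlet; from it we walk
 * Wrapper -> Context -> Host -> Engine to reach the container tree.
 * Nothing here is written to server.xml, so the host disappears on restart.
 */
public class AddHostServlet extends HttpServlet implements ContainerServlet {

    private Wrapper wrapper;

    public Wrapper getWrapper() { return wrapper; }
    public void setWrapper(Wrapper wrapper) { this.wrapper = wrapper; }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Parameter names are an assumption of this example.
        String name = req.getParameter("name");        // e.g. www.example.test
        String docBase = req.getParameter("docBase");  // absolute path of the webapp to serve at "/"
        if (name == null || name.length() == 0 || docBase == null || docBase.length() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "name and docBase are required");
            return;
        }

        Engine engine = (Engine) wrapper.getParent().getParent().getParent();
        if (engine.findChild(name) != null) {
            resp.sendError(HttpServletResponse.SC_CONFLICT, "host already exists: " + name);
            return;
        }

        // 1. The host. A programmatically created StandardHost has no HostConfig
        //    listener, so nothing is deployed from appBase automatically; the flags
        //    below just make that explicit. appBase is relative to CATALINA_BASE.
        StandardHost host = new StandardHost();
        host.setName(name);
        host.setAppBase("webapps-" + name);   // constructed convention for this example
        host.setAutoDeploy(false);
        host.setDeployOnStartup(false);
        engine.addChild(host);                // a running Engine starts the new child

        // 2. The context. Without one the Host has nothing to map "/" onto and
        //    every request gets an empty response, which is what Richard saw.
        //    ContextConfig is the listener that reads WEB-INF/web.xml and the
        //    default conf/web.xml and wires up the servlet wrappers.
        StandardContext ctx = new StandardContext();
        ctx.setPath("");
        ctx.setDocBase(docBase);
        ctx.addLifecycleListener(new ContextConfig());
        host.addChild(ctx);                   // started by the (already running) Host

        resp.setContentType("text/plain");
        resp.getWriter().println("OK - added host " + name + " with root context " + docBase);
    }
}
```

To remove the host again, engine.removeChild(host) undoes the first step; removing a host that is serving the request handling the removal does not work, as the HostManagerServlet javadoc quoted above warns.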
Re: TCNative installation failed
Bingo and thanks.

Note to the impatient (me) - Bugzilla is your friend..

Thanks again,
/mde/

--- On Thu, 1/21/10, Konstantin Kolinko knst.koli...@gmail.com wrote:

> From: Konstantin Kolinko knst.koli...@gmail.com
> Subject: Re: TCNative installation failed
> To: Tomcat Users List users@tomcat.apache.org
> Date: Thursday, January 21, 2010, 7:12 PM
>
> 2010/1/22 Mark Eggers its_toas...@yahoo.com:
> > (...)
> > In all four cases, the tcnative library failed to load. In the first two cases, the INFO message indicated that the library was not found in /home/mdeggers/Apache/apache-tomcat-5.5.28/bin. In the last two cases, the INFO message listed all directories in java.library.path
> >
> > The same steps were used to build and deploy the tcnative libraries on Tomcat 6.0.24. Configurations 1 and 3 from above were tried. Both worked for Tomcat 6.0.24 as indicated by the INFO message:
>
> Ah, 5.5.28. There is
> https://issues.apache.org/bugzilla/show_bug.cgi?id=47712
>
> Best regards,
> Konstantin Kolinko
RE: Securing Tomcat Applications from Reverse Engineering
To list owner: I am not sure if vendors are prohibited from posting comments to this list; if they are, let me know and I won't post next time.

Excelsior JET is not an IDE that every developer must have on his/her workstation. It is more like a setup generator. Typically, a team of developers working on a particular project would purchase one or two licenses. As a result, the smaller the team, the higher is the price per developer. For small companies, especially for early stage startups that do not yet have paying customers, this surely may be a deal breaker. We have therefore created a special licensing program that has been working very well for our smaller customers since mid-2008:

http://www.excelsior-usa.com/store/jetmb.html

Please do not hesitate to email me directly if you have any questions.

Sincerely,
Dmitry Leskov
Excelsior LLC

P.S. The main information page for Tomcat Web apps protection is http://www.excelsior-usa.com/protect-java-web-applications.html

> Well, there are so many comments on the cost of IP and other tools. When we are a small team that started working on a web based product with open source tools, for sure we can't spend too much on the tools to protect the IP rights, because once we deploy for a few clients, if it's a good product, what if they steal the code and also ideas. I agree to have legal terms and all that stuff, but that would be a big story for us being small. So I just wanted to see if anything is available to protect our work, ideas (ideas at code implementation level by using different open source technologies; well, there are many companies who started like this). Anyways, thanks for the comments, I would love to share if we invent anything in this process, because small is big and it matters :)
>
> Best Regards,
> Kranti K K Parisa
>
> On Thu, Jan 21, 2010 at 5:00 PM, André Warnier a...@ice-sa.com wrote:
> > Peter Crowther wrote:
> > > 2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com
> > > > How could we achieve this without the above tool?
> > > > Because the pricing of the above tool is very costly.
> > >
> > > Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.
> >
> > I'll add something to that, just for the sake of it.
> > I personally find this situation ironic: here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.
Re: TCNative installation failed
Fixed issues are listed in the changelog file,
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?view=markup
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?view=markup

Best regards,
Konstantin Kolinko

2010/1/22 Mark Eggers its_toas...@yahoo.com:
> Bingo and thanks.
>
> Note to the impatient (me) - Bugzilla is your friend..
>
> Thanks again,
> /mde/
>
> --- On Thu, 1/21/10, Konstantin Kolinko knst.koli...@gmail.com wrote:
>
> > From: Konstantin Kolinko knst.koli...@gmail.com
> > Subject: Re: TCNative installation failed
> > To: Tomcat Users List users@tomcat.apache.org
> > Date: Thursday, January 21, 2010, 7:12 PM
> >
> > 2010/1/22 Mark Eggers its_toas...@yahoo.com:
> > > (...)
> > > In all four cases, the tcnative library failed to load. In the first two cases, the INFO message indicated that the library was not found in /home/mdeggers/Apache/apache-tomcat-5.5.28/bin. In the last two cases, the INFO message listed all directories in java.library.path
> > >
> > > The same steps were used to build and deploy the tcnative libraries on Tomcat 6.0.24. Configurations 1 and 3 from above were tried. Both worked for Tomcat 6.0.24 as indicated by the INFO message:
> >
> > Ah, 5.5.28. There is
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=47712
> >
> > Best regards,
> > Konstantin Kolinko
RE: Securing Tomcat Applications from Reverse Engineering
The GCC compiler for Java allows you to compile Java down to native code (AOC - Ahead Of time Compiling). I have never tried it before but it's open source and free to use. That being said, I'm not certain that compiling your class files down to native code is going to solve your problem, since Java web apps are dependent on the class files generated by your application. Unless I'm missing out on some functionality of Tomcat that I'm aware of, I think your best bet is obfuscation.

Travis Beech

-----Original Message-----
From: Kranti™ K K Parisa [mailto:kranti.par...@gmail.com]
Sent: Thursday, January 21, 2010 3:05 AM
To: Tomcat Users List
Subject: Securing Tomcat Applications from Reverse Engineering

Hi,

Can anyone throw some light on this topic? It seems it is possible to convert the tomcat+tomcat web applications to native code to secure them and further to run them on client machines easily. Please check this.
http://www.excelsior-usa.com/jetinternals.html

How could we achieve this without the above tool? Because the pricing of the above tool is very costly.

Looking forward to hearing some ideas for this.
http://www.excelsior-usa.com/jetinternals.html

Best Regards,
Kranti K K Parisa
Re: Securing Tomcat Applications from Reverse Engineering
Hi Leon,

Thanks for the notes. Maybe, parallel to our sales, we may spend some time on the points you mentioned to protect ourselves in the future.

Best Regards,
Kranti K K Parisa

On Thu, Jan 21, 2010 at 9:54 PM, Leon Rosenberg rosenberg.l...@googlemail.com wrote:
> Hello Kranti,
>
> first of all I strongly believe in open source software and don't like to obfuscate things. But well.
>
> 1. If you have internet connectivity on the target server you could only deploy a skeleton of your application and load the protect-worthy classes directly from your servers with own classloading with some funny remoteid exchange system. This way even the compiled version of the application will never be directly available on the customer's hard drive (you must consider swapping and memory snapshots, but modern OSes encode them). It's cheap but will probably add a load of complexity, which you have to manage and, logically, your customer has to pay.
>
> 2. Precompile JSPs and use a code obfuscator on the JSPs and compiled classes (they replace all private methods and variables with a1, a2, and so on). There are some on the market, more or less good. Use also a CSS/JS minifier, they obfuscate as well.
>
> 3. Create a genial encryption algorithm with some one-time passwords and let the customers call you each time they restart the server for a new password. Maybe charge them per password. The server can then decrypt the classes with the password before it starts the webapp.
>
> 4. Put the code and Tomcat onto a USB stick with an unreadable filesystem and hack yourself into the USB protocol. Drawback: you'll have to patch the browsers to accept URLs like usb://localhost/yourapp.
>
> 5. Stop wasting your time and invest it into developing new features and actually selling your product. If it's worth copying it will be copied this way or other. So far no one has managed to protect their software against copying; better concentrate on things you really CAN achieve.
>
> regards
> Leon
>
> 2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com:
> > Well, there are so many comments on the cost of IP and other tools. When we are a small team that started working on a web based product with open source tools, for sure we can't spend too much on the tools to protect the IP rights, because once we deploy for a few clients, if it's a good product, what if they steal the code and also ideas. I agree to have legal terms and all that stuff, but that would be a big story for us being small. So I just wanted to see if anything is available to protect our work, ideas (ideas at code implementation level by using different open source technologies; well, there are many companies who started like this). Anyways, thanks for the comments, I would love to share if we invent anything in this process, because small is big and it matters :)
> >
> > Best Regards,
> > Kranti K K Parisa
> >
> > On Thu, Jan 21, 2010 at 5:00 PM, André Warnier a...@ice-sa.com wrote:
> > > Peter Crowther wrote:
> > > > 2010/1/21 Kranti™ K K Parisa kranti.par...@gmail.com
> > > > > How could we achieve this without the above tool?
> > > > > Because the pricing of the above tool is very costly.
> > > >
> > > > Well, you could always spend the developer-years to create your own version of that tool... which would probably be *more* costly.
> > >
> > > I'll add something to that, just for the sake of it.
> > > I personally find this situation ironic: here we have someone who wants to protect their own code, presumably so that they can charge the customer for a copy of it, in order to get back their cost of development and some justified profit for their work. But the same people are apparently unwilling to pay for a product that would allow them to do so, and is sold on the same terms.
Re: Securing Tomcat Applications from Reverse Engineering
Dmitry Leskov wrote:
> We have therefore created a special licensing program that has been working very well for our smaller customers since mid-2008:
> http://www.excelsior-usa.com/store/jetmb.html

To the OP: there, you see, a discount! And you did not even have to ask. ;-)