Do symlinks under aliased directories require any special handling/configuration (tomcat = 7.0.56)?
Please forgive any misuse of terminology here. I am a sysadmin involved in devops deployments of tomcat servers and applications, but I don't really know much about how tomcat actually works. I am a unix guy!

We recently had a deployment of a third party application that resulted in tomcat throwing 404 errors on any content of a symlinked directory that was contained in/under an aliased path. It seems to me that it is something in the app configuration gone awry, but the vendor claims not. So I am casting about for some information here after not coming up with anything definitive in the docs or by act of google.

Example:

1) The context.xml for the root context has the following:

   aliases="/static=/pnas/legacy/static"

2) /pnas/legacy/static/ has a symlinked directory that functions as expected at the o/s level:

   [root@exampleserver]# ls -lad /pnas/legacy/static/Digital
   lrwxrwxrwx. 1 appsrv apps 34 Jul 17 21:40 /pnas/legacy/static/Digital -> /pnas/editorial/Digital/

3) tomcat runs as the appsrv user and all files in /pnas/editorial/Digital/ are owned by appsrv:apps, so we would expect /static/Digital/* to be accessible without error

4) attempts to access files in /static/Digital result in a 404 error ... but this was not the case before this last app deploy

5) reverting the build of the app is not possible as it was one part of a really big multiheaded deployment. We can work around the issue but accrue significant technical debt as a result.

6) Versions of anything relevant other than the app itself have not changed:

   tomcat = 7.0.56
   java = 1.7.0_71
   o/s = Red Hat Enterprise Linux Server release 6.8 (Santiago) 2.6.32-642.11.1.el6.x86_64

Question: Does the use of symlinks under aliases require something like an "allowLinking" attribute or something else that could have been misconfigured in the app? The docs don't really address this case and I can only find reference to "allowLinking" affecting material symlinked directly in or under the web context root.

Aliases appear to be suggested as an alternative and symlinks under an alias are not specifically addressed (that I have seen).

Any thoughts are appreciated and please do pardon any tomcat vocabulary that I may have injured in this effort to pose a question.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Storing JNDI binding password using encryption
Alex,

On 7/19/17 3:53 PM, Alex O'Ree wrote:
> The jar file is in /tomcat/lib. The class is super simple
>
> package org.redacted;
> public class JNDIRealmExt extends JNDIRealm{
>     @Override
>     public String getConnectionPassword(){
>         return Utility.decrypt(connectionPassword);
>     }
> }
>
> server.xml looks like this
>
> connectionName="ldapUser"
> connectionPassword="encryptedPasswordHere"
> connectionURL="ldap://localhost:389; userBase="..."
> userSearch="..." roleBase="..." roleName=".." roleSubtree=".."
> roleSearch=".." referrals="follow"
> />
>
> resourceName="UserDatabase"/>
>
> I'm attaching the debugger pretty close to tomcat's startup and the getConnectionPassword method never fires. I do see tons of logs in the console for ldap connection failures due to the password not functioning (pretty much immediately locks the account out at the ldap server). The stack trace does not include my extended JNDI class, only the tomcat provided JNDIRealm class.

What's the runtime data type of the realm?

If you override setConnectionPassword() does that get called by the digester when reading your configuration?

-chris

> On Wed, Jul 19, 2017 at 3:03 PM, Christopher Schultz wrote:
>> Alex,
>>
>> On 7/19/17 1:53 PM, Alex O'Ree wrote:
>>> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas wrote:
>>>> On 19/07/17 16:22, Alex O'Ree wrote:
>>>>> Assuming I had access to a reversible encryption mechanism and wanted to store the JNDI binding password in an encrypted form by extending the JNDIRealm class, which method should I override to encrypt the password stored in server.xml on the fly?
>>>>
>>>> You could do this via a custom PropertySource. I wouldn't recommend it.
>>>>
>>>> https://wiki.apache.org/tomcat/FAQ/Password
>>>
>>> I tried just extending the JNDI Realm class and overriding getConnectionPassword but it doesn't appear that my code is ever called, even though my fully qualified classname is listed in the realm xml element. Any ideas?
>>
>> Please post your configuration (without secrets) and as much of your code as is relevant.
>>
>> Also, where did you place your .class file for your JNDIRealm subclass?
>>
>> -chris
Maven Tomcat Plugin Specific Properties File
Is there any way to load a specific properties file for the Tomcat plugin? I know about the section of the plugin config, but I am looking to point to a specific file when using tomcat7:run instead of having to code these properties into the pom.
Re: Storing JNDI binding password using encryption
The jar file is in /tomcat/lib. The class is super simple

    package org.redacted;

    import org.apache.catalina.realm.JNDIRealm;

    public class JNDIRealmExt extends JNDIRealm{
        @Override
        public String getConnectionPassword(){
            return Utility.decrypt(connectionPassword);
        }
    }

server.xml looks like this

    ldap://localhost:389; userBase="..." userSearch="..." roleBase="..." roleName=".." roleSubtree=".." roleSearch=".." referrals="follow" />

I'm attaching the debugger pretty close to tomcat's startup and the getConnectionPassword method never fires. I do see tons of logs in the console for ldap connection failures due to the password not functioning (pretty much immediately locks the account out at the ldap server). The stack trace does not include my extended JNDI class, only the tomcat provided JNDIRealm class.

On Wed, Jul 19, 2017 at 3:03 PM, Christopher Schultz wrote:
> Alex,
>
> On 7/19/17 1:53 PM, Alex O'Ree wrote:
>> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas wrote:
>>> On 19/07/17 16:22, Alex O'Ree wrote:
>>>> Assuming I had access to a reversible encryption mechanism and wanted to store the JNDI binding password in an encrypted form by extending the JNDIRealm class, which method should I override to encrypt the password stored in server.xml on the fly?
>>>
>>> You could do this via a custom PropertySource. I wouldn't recommend it.
>>>
>>> https://wiki.apache.org/tomcat/FAQ/Password
>>
>> I tried just extending the JNDI Realm class and overriding getConnectionPassword but it doesn't appear that my code is ever called, even though my fully qualified classname is listed in the realm xml element. Any ideas?
>
> Please post your configuration (without secrets) and as much of your code as is relevant.
>
> Also, where did you place your .class file for your JNDIRealm subclass?
>
> -chris
Re: Storing JNDI binding password using encryption
Alex,

On 7/19/17 1:53 PM, Alex O'Ree wrote:
> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas wrote:
>> On 19/07/17 16:22, Alex O'Ree wrote:
>>> Assuming I had access to a reversible encryption mechanism and wanted to store the JNDI binding password in an encrypted form by extending the JNDIRealm class, which method should I override to encrypt the password stored in server.xml on the fly?
>>
>> You could do this via a custom PropertySource. I wouldn't recommend it.
>>
>> https://wiki.apache.org/tomcat/FAQ/Password
>
> I tried just extending the JNDI Realm class and overriding getConnectionPassword but it doesn't appear that my code is ever called, even though my fully qualified classname is listed in the realm xml element. Any ideas?

Please post your configuration (without secrets) and as much of your code as is relevant.

Also, where did you place your .class file for your JNDIRealm subclass?

-chris
Re: Storing JNDI binding password using encryption
Thanks Mark

I tried just extending the JNDI Realm class and overriding getConnectionPassword but it doesn't appear that my code is ever called, even though my fully qualified classname is listed in the realm xml element. Any ideas?

On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas wrote:
> On 19/07/17 16:22, Alex O'Ree wrote:
>> Assuming I had access to a reversible encryption mechanism and wanted to store the JNDI binding password in an encrypted form by extending the JNDIRealm class, which method should I override to encrypt the password stored in server.xml on the fly?
>
> You could do this via a custom PropertySource. I wouldn't recommend it.
>
> https://wiki.apache.org/tomcat/FAQ/Password
>
> Mark
Re: Storing JNDI binding password using encryption
On 19/07/17 16:22, Alex O'Ree wrote:
> Assuming I had access to a reversible encryption mechanism and wanted to store the JNDI binding password in an encrypted form by extending the JNDIRealm class, which method should I override to encrypt the password stored in server.xml on the fly?

You could do this via a custom PropertySource. I wouldn't recommend it.

https://wiki.apache.org/tomcat/FAQ/Password

Mark
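
The custom PropertySource mentioned in the reply above, sketched as an added example (not code from the thread or from the Tomcat project). It assumes Java 8 and that the jar sits in Tomcat's lib directory; the package, class, property names, file paths and the IV-plus-ciphertext layout are all hypothetical choices of this example. The key file still has to be readable by the Tomcat user, so this relocates the secret rather than removing it.

```java
package org.example.tomcat; // hypothetical package

import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.tomcat.util.IntrospectionUtils;

/*
 * Wiring (every name and path below is an assumption of this example):
 *   catalina.properties:
 *     org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.example.tomcat.DecryptingPropertySource
 *     secrets.key.file=/etc/tomcat/secrets.key
 *     secrets.props.file=/etc/tomcat/secrets.properties
 *   server.xml, on the Realm element:
 *     connectionPassword="${ldap.bind.password}"
 *   secrets.properties:
 *     ldap.bind.password=<Base64 of 12-byte IV || AES-GCM ciphertext and tag>
 */
public class DecryptingPropertySource implements IntrospectionUtils.PropertySource {

    private static final int IV_LEN = 12;    // bytes
    private static final int TAG_BITS = 128; // GCM authentication tag length

    private final Properties encrypted = new Properties();
    private final SecretKeySpec key;

    public DecryptingPropertySource() throws Exception {
        String keyFile = System.getProperty("secrets.key.file");
        String propsFile = System.getProperty("secrets.props.file");
        if (keyFile == null || propsFile == null) {
            throw new IllegalStateException("secrets.key.file and secrets.props.file must be set");
        }
        // The key file holds one Base64 line encoding a 16, 24 or 32 byte AES key.
        String encodedKey = new String(Files.readAllBytes(Paths.get(keyFile)),
                StandardCharsets.US_ASCII).trim();
        byte[] raw = Base64.getDecoder().decode(encodedKey);
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new IllegalStateException("unexpected AES key length: " + raw.length);
        }
        key = new SecretKeySpec(raw, "AES");
        try (InputStream in = Files.newInputStream(Paths.get(propsFile))) {
            encrypted.load(in);
        }
    }

    @Override
    public String getProperty(String name) {
        String value = encrypted.getProperty(name);
        if (value == null) {
            return null; // not ours: let the default system-property lookup handle it
        }
        try {
            byte[] blob = Base64.getDecoder().decode(value.trim());
            if (blob.length <= IV_LEN) {
                throw new IllegalStateException("ciphertext too short for " + name);
            }
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key,
                    new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
            byte[] plain = cipher.doFinal(blob, IV_LEN, blob.length - IV_LEN);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // Fail loudly: a wrong bind password sent to the directory
            // can lock the service account, as reported in this thread.
            throw new IllegalStateException("cannot decrypt property " + name, e);
        }
    }
}
```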
Storing JNDI binding password using encryption
Assuming I had access to a reversible encryption mechanism and wanted to store the JNDI binding password in an encrypted form by extending the JNDIRealm class, which method should I override to encrypt the password stored in server.xml on the fly?
Re: Getting user role membership without context
Got it to work! Thanks Mark!

On Wed, Jul 19, 2017 at 10:40 AM, Mark Thomas wrote:
> On 19/07/17 15:34, Alex O'Ree wrote:
>> Context.findChild and findChildren return an instance of "Container". It looks like StandardWrapper extends Container, so I should be able to type cast it. The question is, is it always going to be an instance of StandardWrapper?
>
> For a Context, it should always be an instance of Wrapper so as long as you cast to Wrapper, you should be fine.
>
> In a default Tomcat install it will always be StandardWrapper but better to use the interface here since it has the method you need.
>
> Mark
>
>> On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas wrote:
>>> On 18/07/17 23:21, Alex O'Ree wrote:
>>>> Nice, any idea which method I need to call?
>>>
>>> You already have the Context so you want
>>>
>>> Context.findChildren()
>>>
>>> for a list of all the Wrappers (and it is the wrapper object you need) or
>>>
>>> Context.findChild(String)
>>>
>>> for a specific Wrapper if you know the name. The name should be the name used in web.xml to define the Servlet.
>>>
>>> Mark
>>>
>>>> On Jul 18, 2017 3:54 PM, "Mark Thomas" wrote:
>>>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>>>> Alright, quick update on this.
>>>>>>
>>>>>> At this point, I have servlet context and a username running off the main tomcat http threads (quartz job)
>>>>>>
>>>>>>> StandardContext tomcat;load from reflection from ApplicationContext from ServletContext as ApplicationContextFacade
>>>>>>> Realm realm = tomcat.getRealm()
>>>>>>
>>>>>> At this point, realm is a LockoutRealm that contains two child realms, the JNDI Realm and the standard UserDatabaseRealm
>>>>>>
>>>>>>> Principal user = realm.authenticate(username);
>>>>>>
>>>>>> At this point, the user object is populated and appears to have the roles attached to it (they are listed in the toString method).
>>>>>>
>>>>>>> realm.hasRole(new StandardWrapper(), user, role);
>>>>>>
>>>>>> This part returns false, if and only if the ldap membership matches exactly. Mapped roles via servlet/security-role-ref/role-link and role-name do not appear to be in effect.
>>>>>>
>>>>>> I think this may have something to do with the Principal object not having a login context. Normally, this is available via a servlet, but here it is not.
>>>>>>
>>>>>> I think the root cause might be this line.
>>>>>> https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/java/org/apache/catalina/realm/RealmBase.java#L933
>>>>>>
>>>>>> Which probably does the translation from the LDAP defined group or role into what the application is expecting. Am I on the right path here?
>>>>>
>>>>> Yes. If you check auth outside of a Servlet, the role mappings for the Servlet won't apply. If you know which servlet to use for the role mappings you can get that from the Context (Wrappers represent Servlets and are children of the Context).
>>>>>
>>>>> Mark
Re: Getting user role membership without context
On 19/07/17 15:34, Alex O'Ree wrote:
> Context.findChild and findChildren return an instance of "Container". It looks like StandardWrapper extends Container, so I should be able to type cast it. The question is, is it always going to be an instance of StandardWrapper?

For a Context, it should always be an instance of Wrapper so as long as you cast to Wrapper, you should be fine.

In a default Tomcat install it will always be StandardWrapper but better to use the interface here since it has the method you need.

Mark

> On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas wrote:
>> On 18/07/17 23:21, Alex O'Ree wrote:
>>> Nice, any idea which method I need to call?
>>
>> You already have the Context so you want
>>
>> Context.findChildren()
>>
>> for a list of all the Wrappers (and it is the wrapper object you need) or
>>
>> Context.findChild(String)
>>
>> for a specific Wrapper if you know the name. The name should be the name used in web.xml to define the Servlet.
>>
>> Mark
>>
>>> On Jul 18, 2017 3:54 PM, "Mark Thomas" wrote:
>>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>>> Alright, quick update on this.
>>>>>
>>>>> At this point, I have servlet context and a username running off the main tomcat http threads (quartz job)
>>>>>
>>>>>> StandardContext tomcat;load from reflection from ApplicationContext from ServletContext as ApplicationContextFacade
>>>>>> Realm realm = tomcat.getRealm()
>>>>>
>>>>> At this point, realm is a LockoutRealm that contains two child realms, the JNDI Realm and the standard UserDatabaseRealm
>>>>>
>>>>>> Principal user = realm.authenticate(username);
>>>>>
>>>>> At this point, the user object is populated and appears to have the roles attached to it (they are listed in the toString method).
>>>>>
>>>>>> realm.hasRole(new StandardWrapper(), user, role);
>>>>>
>>>>> This part returns false, if and only if the ldap membership matches exactly. Mapped roles via servlet/security-role-ref/role-link and role-name do not appear to be in effect.
>>>>>
>>>>> I think this may have something to do with the Principal object not having a login context. Normally, this is available via a servlet, but here it is not.
>>>>>
>>>>> I think the root cause might be this line.
>>>>> https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/java/org/apache/catalina/realm/RealmBase.java#L933
>>>>>
>>>>> Which probably does the translation from the LDAP defined group or role into what the application is expecting. Am I on the right path here?
>>>>
>>>> Yes. If you check auth outside of a Servlet, the role mappings for the Servlet won't apply. If you know which servlet to use for the role mappings you can get that from the Context (Wrappers represent Servlets and are children of the Context).
>>>>
>>>> Mark
Re: run thread from servlet
Lance,

On 7/19/17 7:35 AM, Campbell, Lance wrote:
> Thanks for your information. So when I have a process that I want to run as a thread I would assume I need to implement the interface ServletContextListener. I would also assume that the servlet that creates the process will call the following method:
>
> this.getServletContext().addListener(myProcess)
>
> That way the Tomcat container can send a message to myProcess to tell it to end itself because Tomcat is trying to stop.
>
> Did I understand that correctly?

I'm not entirely sure I understand what /you/ are saying above. I'll explain.

During context ("webapp") startup, Tomcat will call init() on any registered ServletContextListeners. You can register them either via configuration in web.xml or via code annotations. During context shutdown, Tomcat will call destroy() on those same listeners.

Your servlets do not need to do anything to interact with those listeners: no need to call addListener or anything like that.

You can do anything you want in those two methods. Here's my recommendation:

1. Write a ServletContextListener that does the following:
   a. on init(), creates an ExecutorService with as many threads as you want (you want one-at-a-time semantics, so that would be only a single thread).
   b. places itself into the ServletContext ("application") under a well-known attribute name (e.g. "MyJobRunnerService").
   c. on destroy(), shuts-down the ExecutorService, potentially cancelling any in-progress operations it's performing (in order to shut-down quickly)

2. In your servlet that accepts jobs, grab the JobRunnerService from the ServletContext and call a method like "submit" on the job and stop. The ExecutorService will handle things from there.

This should give you a solution that nicely-separates your work into two operations: submitting jobs (the servlet) and actually running the jobs (the JobRunnerService).

The ExecutorService handles the heavy-lifting of managing threads and actually running the jobs.

Makes sense?

-chris
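
The two-part design recommended above, written out as an added example (not code from the thread). It uses the ServletContextListener callbacks contextInitialized() and contextDestroyed() and the javax.servlet API of Tomcat 8.0; the class names, URL pattern, timeout and placeholder job are hypothetical.

```java
// File: JobRunnerService.java (hypothetical class; attribute name as suggested in the message)
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

@WebListener
public class JobRunnerService implements ServletContextListener {

    public static final String ATTRIBUTE = "MyJobRunnerService";

    private ExecutorService executor;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Step 1a: a single worker thread gives one-at-a-time semantics; later jobs queue.
        executor = Executors.newSingleThreadExecutor();
        // Step 1b: publish the service under a well-known attribute name.
        sce.getServletContext().setAttribute(ATTRIBUTE, this);
    }

    /** Step 2 entry point: hands the job to the worker and returns immediately. */
    public Future<?> submit(Runnable job) {
        return executor.submit(job);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        ctx.removeAttribute(ATTRIBUTE);
        // Step 1c: interrupt the running job and drop queued ones so shutdown is quick.
        executor.shutdownNow();
        try {
            if (!executor.awaitTermination(10, TimeUnit.SECONDS)) {
                ctx.log("JobRunnerService: running job did not stop within 10 seconds");
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }
}

// File: SubmitJobServlet.java (hypothetical servlet and URL pattern)
import java.io.IOException;
import java.util.concurrent.RejectedExecutionException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/jobs/email")
public class SubmitJobServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        JobRunnerService runner =
                (JobRunnerService) getServletContext().getAttribute(JobRunnerService.ATTRIBUTE);
        if (runner == null) {
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }
        try {
            runner.submit(new EmailJob()); // does not wait for the job to finish
        } catch (RejectedExecutionException e) {
            // The context is shutting down and the executor no longer accepts work.
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_ACCEPTED);
    }

    /** Placeholder long-running job that stops promptly when interrupted. */
    static final class EmailJob implements Runnable {
        @Override
        public void run() {
            for (int batch = 0; batch < 100; batch++) {
                try {
                    Thread.sleep(100); // stands in for one batch of real work
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt(); // shutdownNow() arrived: stop cleanly
                    return;
                }
            }
        }
    }
}
```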
Re: Getting user role membership without context
Context.findChild and findChildren return an instance of "Container". It looks like StandardWrapper extends Container, so I should be able to type cast it. The question is, is it always going to be an instance of StandardWrapper?

On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas wrote:
> On 18/07/17 23:21, Alex O'Ree wrote:
>> Nice, any idea which method I need to call?
>
> You already have the Context so you want
>
> Context.findChildren()
>
> for a list of all the Wrappers (and it is the wrapper object you need) or
>
> Context.findChild(String)
>
> for a specific Wrapper if you know the name. The name should be the name used in web.xml to define the Servlet.
>
> Mark
>
>> On Jul 18, 2017 3:54 PM, "Mark Thomas" wrote:
>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>> Alright, quick update on this.
>>>>
>>>> At this point, I have servlet context and a username running off the main tomcat http threads (quartz job)
>>>>
>>>>> StandardContext tomcat;load from reflection from ApplicationContext from ServletContext as ApplicationContextFacade
>>>>> Realm realm = tomcat.getRealm()
>>>>
>>>> At this point, realm is a LockoutRealm that contains two child realms, the JNDI Realm and the standard UserDatabaseRealm
>>>>
>>>>> Principal user = realm.authenticate(username);
>>>>
>>>> At this point, the user object is populated and appears to have the roles attached to it (they are listed in the toString method).
>>>>
>>>>> realm.hasRole(new StandardWrapper(), user, role);
>>>>
>>>> This part returns false, if and only if the ldap membership matches exactly. Mapped roles via servlet/security-role-ref/role-link and role-name do not appear to be in effect.
>>>>
>>>> I think this may have something to do with the Principal object not having a login context. Normally, this is available via a servlet, but here it is not.
>>>>
>>>> I think the root cause might be this line.
>>>> https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/java/org/apache/catalina/realm/RealmBase.java#L933
>>>>
>>>> Which probably does the translation from the LDAP defined group or role into what the application is expecting. Am I on the right path here?
>>>
>>> Yes. If you check auth outside of a Servlet, the role mappings for the Servlet won't apply. If you know which servlet to use for the role mappings you can get that from the Context (Wrappers represent Servlets and are children of the Context).
>>>
>>> Mark
RE: run thread from servlet
Chris,

Thanks for your information. So when I have a process that I want to run as a thread I would assume I need to implement the interface ServletContextListener. I would also assume that the servlet that creates the process will call the following method:

    this.getServletContext().addListener(myProcess)

That way the Tomcat container can send a message to myProcess to tell it to end itself because Tomcat is trying to stop.

Did I understand that correctly?

Thanks,

Lance

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, July 18, 2017 4:30 PM
To: users@tomcat.apache.org
Subject: Re: run thread from servlet

Lance,

On 7/18/17 9:56 AM, Campbell, Lance wrote:
> Tomcat 8.0.x Question: I am wanting to know the proper way to start a thread from a servlet.
>
> Use Case: A batch process will call a URL that is a servlet. The servlet will call a process that will trigger a thread to run to do a particular job. The thread will run for a while. The servlet will not wait on the thread to finish running. Also the thread that is started is running a process that requires there to only be one of these processes running at any given time.
>
> What I have done: I created a class I call EmailProcess. I have a static Boolean flag in the class called isWorking that indicates if the process is running. The class extends Runnable. The class also has a static method to start the thread if isWorking flag is false. I have a servlet that will call the static method in EmailProcess to start the thread if possible.
>
> Note: If the Tomcat container decides to clean up the servlet that is called that triggers the thread I don't want it to mess with the thread. I want it to keep on running.

You want an ExecutorService (provided by the Java standard library), and you can limit the number of simultaneous jobs to 1.

Submit the jobs to the service as they arrive, and then make sure you call service.shutdown() when the servlet (or better yet, context) is being taken out of service.

You might want to provide a way to cancel in-process jobs, otherwise you may stall container shutdown which might be inconvenient for you.

-chris
Re: Tomcat 8 Connection Pooling
You'll find here : http://www.5flow.com/tmp/tomcatjndidb.zip a very small sample that works on my computer (with IntelliJ project). Just change the context.xml with your database.

Viewing the home page will create a database, insert records, then display them. The data source is of type javax.sql.datasource and this is the database connection pool.

In mysql console, do :

    show processlist;

when reloading the home page of the sample you can see that the connection has always the same id. But if you restart tomcat the id changes. This means that tomcat keeps the connection to the db in a pool instead of creating a new connection at each ds.getConnection();

On 19/07/2017 06:03, Avinash Krishnan wrote:
> Hello Riccardo,
>
> When I try using the pool properties (Without JNDI) it gives me URL Cannot Be null error. What I have understood is that, when we make the data source as a static variable or a member variable of another class and try to use it in another class's function it throws error. If I instantiate and use Data Source on same function it is working.
>
> I am wondering how to use the JNDI based Tomcat JDBC Connection Pool. If I use Context variable and instantiate DataSource object, the object should be of type javax.sql.datasource and we don't get the latest org.apache.tomcat.jdbc.pool.DataSource;.
>
> Any idea find the exact way to implement JNDI usage of new org.apache.tomcat.jdbc.pool.DataSource; ?
>
> On Tue, Jul 18, 2017 at 9:02 PM, Riccardo Cohen wrote:
>> Can you see any info in the log : login incorrect, database not found etc. ? (There are many logs in tomcat : localhost log, catalina log, manager log, host manager log, localhost access log)
>>
>> On 18/07/2017 13:55, Avinash Krishnan wrote:
>>> Hello Riccardo,
>>>
>>> Thanks for the response. This didn't work for me. Connections are not getting initiated and I am seeing java.lang.NullPointerException on accessing getConnection.
>>>
>>> I am referring to http://tomcat.apache.org/tomcat-8.0-doc/jdbc-pool.html
>>>
>>> The pool properties is also not working.
>>>
>>> On Tue, Jul 18, 2017 at 4:18 PM, Riccardo Cohen <riccardo.co...@e5group.fr> wrote:
>>>> Hello Avinash
>>>>
>>>> I'm not expert but this is rather simple :
>>>>
>>>> in web/META-INF/context.xml write something like :
>>>>
>>>> in web/WEB-INF/web.xml add in tag :
>>>>
>>>> jdbc/tomcattest
>>>> javax.sql.DataSource
>>>>
>>>> and in a java class add this :
>>>>
>>>> public class T3Servlet extends HttpServlet {
>>>>     @Resource(name="jdbc/tomcattest")
>>>>     public DataSource ds;
>>>>
>>>> You will normally have a data source in your class, by injection, using tomcat database pool.
>>>>
>>>> On 18/07/2017 12:26, Avinash Krishnan wrote:
>>>>> I am trying to implement Apache Tomcat 8.5.15 "Tomcat JDBC Connection Pool" using the steps mentioned in the guide. Can someone help me to understand how this connection pooling has to be done.
>>>>>
>>>>> Is the Plain Java Method, by implementing Pool Properties is an alternative to the JNDI lookup based pooling ? When I implement using Pool Properties, there isn't any provision to set up the Factory to "org.apache.tomcat.jdbc.pool.DataSourceFactory" and I always get invalid arguments in call.
>>>>>
>>>>> On a different note, I tried by adding to context.xml . And implementing JNDI lookup from context. But that time, I get "org.apache.tomcat.dbcp.dbcp2.BasicDataSource cannot be cast to org.apache.tomcat.jdbc.pool.DataSource" even after setting factory to DataSourceFactory.

--
Riccardo Cohen
+33 6 09 83 64 49
E5Group
http://www.5flow.com