RE: Protect JSP from Direct Access in Tomcat 7.0.xx
You could always position your JSPs inside the WEB-INF dir. This will enable you to access them only through server redirects rather than absolute URLs.

Sharon

-----Original Message-----
From: Kiran Badi [mailto:ki...@poonam.org]
Sent: Tuesday, June 19, 2012 3:10 AM
To: Tomcat Users List
Subject: Protect JSP from Direct Access in Tomcat 7.0.xx

Hi All,

I need your guidance again. I have a bunch of JSPs, close to 100+, which I need to protect from direct access. I have this mapping in web.xml and it is not working. It seems that probably I need to define a role first and then use the settings below. But unfortunately my app is an open internet application which does not use a realm at all.

    <security-constraint>
        <display-name>DenyAccesstoDirectJSP</display-name>
        <web-resource-collection>
            <web-resource-name>sample.jsp</web-resource-name>
            <description>Sample confirmation JSP</description>
            <url-pattern>*.jsp</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
    </security-constraint>

All my JSPs are residing in the webpages folder of the project directory. I know this is incorrect and probably gives direct access to the JSPs. So I have some clarifications to ask:

1. Is there a way to tell Tomcat not to serve JSPs directly, probably via web.xml?
2. Is there any extra setting that is required if I move my JSPs inside WEB-INF? I created a folder under WEB-INF, created a sample hello world .jsp and then tried to invoke that JSP, but got a 404 message.

- Kiran

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
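As an added example (not code from this thread), here is the arrangement Sharon describes: the JSP lives below /WEB-INF/, where the container never serves it to a client, and a servlet that you control forwards to it after doing its own checks. Written against the Servlet 3.0 API that ships with Tomcat 7; the /hello mapping, the /WEB-INF/jsp/hello.jsp path and the name parameter are assumptions for illustration.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not code from the thread. A JSP stored under /WEB-INF/
 * cannot be fetched by URL: the container refuses to serve anything below
 * WEB-INF to a client, which is the 404 Kiran observed. The only way to reach
 * it is a server-side forward, so every request passes through this servlet
 * first. Mapping, view path and parameter name are assumptions.
 */
@WebServlet("/hello") // or an equivalent <servlet>/<servlet-mapping> pair in web.xml
public class HelloController extends HttpServlet {

    // Resolved against the web application root, not the URL space.
    private static final String VIEW = "/WEB-INF/jsp/hello.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Validation that used to be bypassable by requesting the .jsp
        // directly now runs here, before the view is rendered.
        String name = req.getParameter("name");
        if (name == null || name.trim().length() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "name is required");
            return;
        }
        req.setAttribute("name", name);

        // Forward, not redirect: the browser never sees the WEB-INF path,
        // and could not request it even if it did.
        req.getRequestDispatcher(VIEW).forward(req, resp);
    }
}
```

A direct request for /WEB-INF/jsp/hello.jsp still gets the 404 from the question; that is the intended behaviour, and the RequestDispatcher forward is the "extra setting" that makes the page reachable. If the JSPs cannot be moved, the <security-constraint> from the question also works without any realm once it contains an empty <auth-constraint/> element: listing no roles means no caller is permitted. Container security constraints are evaluated on client requests only, so a forward from a servlet still reaches the JSP either way.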
RE: Session time out never takes place with ajax
Ok, thanks all for the inputs. I found a hybrid solution for this, so for future use here goes.

In my application I make sure there is a filter that is called on every hit to the server (mapped to /*). Next I create a new filter which will handle only calls such as polling and other ajax calls that do not postpone the expiration date of the session. In the web.xml I can use the url-pattern element as a framework hook for each developer in the application to enter their own polling link.

The way it works is as follows:

1) SessionTimeoutFilter doFilter

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(false);
        if (null != session) {
            // Holds the application-level expiration date maintained by the
            // general filter below, not the container's last-accessed time.
            Date realLastAccessDate = (Date) session
                    .getAttribute(SESSION_LAST_ACCESS_IDENTIFIER);
            if (realLastAccessDate == null) {
                // First polling hit before any regular request: start the clock
                // from now plus the inactivity interval (seconds -> milliseconds),
                // otherwise the next poll would expire the session immediately.
                realLastAccessDate = new Date(System.currentTimeMillis()
                        + session.getMaxInactiveInterval() * 1000L);
                session.setAttribute(SESSION_LAST_ACCESS_IDENTIFIER, realLastAccessDate);
            }
            if (realLastAccessDate.before(new Date())) {
                // probably want to log this event
                session.invalidate();
                session = null;
            }
        }
        // Tell the general filter that this request must not postpone expiration.
        request.setAttribute(IS_SESSION_TIMEOUT_RESETER, false);
        filterChain.doFilter(request, response);
    }

2) The general filter that is always called...

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) request;
        HttpSession session = hreq.getSession(false);
        Object reseter = hreq.getAttribute(SessionTimeoutFilter.IS_SESSION_TIMEOUT_RESETER);
        // Postpone expiration unless SessionTimeoutFilter marked this request
        // as a polling hit (attribute present and false).
        if (session != null && (reseter == null || ((Boolean) reseter).booleanValue())) {
            Date expirationDate = new Date(System.currentTimeMillis()
                    + session.getMaxInactiveInterval() /* seconds */ * 1000L /* milliseconds */);
            session.setAttribute(SessionTimeoutFilter.SESSION_LAST_ACCESS_IDENTIFIER, expirationDate);
        }
        filterChain.doFilter(request, response);
    }

3) The web.xml... (make sure it's the first filter defined!)

    <filter>
        <filter-name>SessionTimeoutFilter</filter-name>
        <filter-class>(the package).SessionTimeoutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SessionTimeoutFilter</filter-name>
        <url-pattern>/YOUR-URL-PATTERN</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>

From this point on any developer can add URL patterns that will not postpone the expiration date simply by adding

    <url-pattern>/YOUR-OTHER-URL-PATTERN</url-pattern>

HTH anyone,
Sharon

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, November 14, 2011 6:17 PM
To: Tomcat Users List
Subject: Re: Session time out never takes place with ajax

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sharon,

On 11/10/11 3:11 AM, Sharon Prober (sprober) wrote:
> I understand it is invoked before the filters, but after completion it
> would arrive to the filter/servlet container anyway. So what you're
> saying is that if I build a valve and read information from an IO file
> or DB or any other cached data which doesn't trigger a
> request.getSession, that will work?

I think it would help if you explained what your ping needs to do.

Basically, if you need session data to do it, you are out of luck. If you don't need session data, why are you pinging?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7BPvIACgkQ9CaO5/Lv0PD6rQCglhRD4lA4qMaqkybwBXvjeqc1
+LIAn3ARzOKhsdzPqBJ9xkkLYAeIWiXf
=kM6R
-----END PGP SIGNATURE-----
RE: Session time out never takes place with ajax
Christopher,

So to recap, and verify my understanding... Perhaps I am missing some valve overview. I understand it is invoked before the filters, but after completion it would arrive to the filter/servlet container anyway. So what you're saying is that if I build a valve and read information from an IO file or DB or any other cached data which doesn't trigger a request.getSession, that will work? And if so, I will still need to break the chain and prevent it from continuing deeper into Tomcat, or else it will update the session access time. Did I get it right?

Sharon

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thursday, November 10, 2011 8:04 AM
To: Tomcat Users List
Subject: Re: Session time out never takes place with ajax

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sharon,

On 11/9/11 12:56 AM, Sharon Prober (sprober) wrote:
> This is my first post here so wish me luck :)

Welcome.

> My question is as follows: I have a web based application running on
> Tomcat 6.0.29. On my main page there is a polling ajax call every 5
> seconds. Clearly this revalidates the session and by that renders the
> session timeout feature unusable.

Yes.

> I read about two main solutions for this issue
> 1. Coding on the server side (filter) a simple snippet that identifies
> an ajax call based on a parameter passed and based on that knows if
> this is a valid post or a polling hit that should not affect the
> session expiration date

This is problematic for a few reasons:

1. You usually want a polling request to return something of use, which often involves the session. You can't access the session without updating its last-accessed-time.

2. Under certain configuration, Tomcat will update the last-accessed-time of the session even if you don't call request.getSession(). This may be only the case in Tomcat 7 with the following configuration settings: see the org.apache.catalina.core.StandardHostValve.ACCESS_SESSION and org.apache.catalina.STRICT_SERVLET_COMPLIANCE system properties here:
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Sessions

> 2. Create a stub webapp and redirect the calls of the polling to that app

I'm not sure this buys you anything: if you pass-through calls to the real webapp, then you'll still be touching the session.

> So my question is, is there another way for this to be achieved?

It would be best to describe what your ping actually does. If it doesn't require session access, you may have some options.

> Note. I think it might be a cool feature (with the vast ajax use these
> days) to have a configuration in the web.xml that excludes various
> paths/urls from the session validation checkups

This would, by definition, be a violation of the specification. Instead, something like a Valve placed early in the pipeline could avoid a session update but still perform some trivial action.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk67aUkACgkQ9CaO5/Lv0PBl2ACdHDKUqQ/zkT0dfc63MFELStLK
+a4An3kuFz39fXKymLVFBqYRMQ9xWUbX
=naid
-----END PGP SIGNATURE-----
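As an added example (not code from this thread or from Tomcat), here is the "Valve placed early in the pipeline" that Chris suggests, including the "break the chain" step from the follow-up question. It is written against the Catalina API of Tomcat 6/7; the class name, the /ping path and the response body are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/*
 * Added example, not code from the thread. Configured on the Host in
 * server.xml (class name and path are assumptions):
 *   <Valve className="example.PingValve" pingPath="/ping"/>
 * A Host valve runs before StandardHostValve (the valve whose session
 * bookkeeping is controlled by the ACCESS_SESSION property) and before any
 * filter or servlet, so a poll answered here never touches the session.
 */
public class PingValve extends ValveBase {

    // Path within the context that is answered without consulting the session.
    private String pingPath = "/ping";

    // Bean setter, so the value can be set from the <Valve> element.
    public void setPingPath(String pingPath) {
        this.pingPath = pingPath;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String uri = request.getRequestURI();
        if (uri != null && uri.equals(request.getContextPath() + pingPath)) {
            // Answer from local/cached state only. Deliberately no
            // request.getSession(): that single call would refresh the
            // last-accessed time and defeat the session timeout.
            response.setStatus(200);
            response.setContentType("text/plain");
            response.setHeader("Cache-Control", "no-store");
            PrintWriter out = response.getWriter();
            out.print("alive");
            out.flush();
            // Do NOT call getNext().invoke(): returning here stops the
            // request from continuing deeper into Tomcat, which is what
            // keeps the session's access time untouched.
            return;
        }
        // Everything else proceeds through the normal pipeline.
        getNext().invoke(request, response);
    }
}
```

Two caveats follow from Chris's points. First, this only helps when the poll needs nothing from the session; anything that must read session state will refresh it, and an application-level deadline (like the filter pair posted later in the thread) is the alternative. Second, because the valve answers before the filter chain, none of the application's filters (authentication included) see the ping, so the valve must do nothing privileged and must return nothing sensitive.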
Session time out never takes place with ajax
Hi,

This is my first post here so wish me luck :)

My question is as follows: I have a web based application running on Tomcat 6.0.29. On my main page there is a polling ajax call every 5 seconds. Clearly this revalidates the session and by that renders the session timeout feature unusable.

I read about two main solutions for this issue:

1. Coding on the server side (filter) a simple snippet that identifies an ajax call based on a parameter passed and based on that knows if this is a valid post or a polling hit that should not affect the session expiration date.
2. Create a stub webapp and redirect the calls of the polling to that app.

So my question is, is there another way for this to be achieved?

Note. I think it might be a cool feature (with the vast ajax use these days) to have a configuration in the web.xml that excludes various paths/urls from the session validation checkups. Something like

    <session-config>
        <session-timeout>30</session-timeout>
        <ignore>path1,path2...</ignore>
    </session-config>

Thanks,
Sharon
RE: WAR unzipping not catched
Perhaps consider using the Tomcat event listeners that trigger when a context is up.

Sharon

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Wednesday, November 09, 2011 3:01 PM
To: Tomcat Users List
Subject: Re: WAR unzipping not catched

Stefan Siegel wrote:
> Hi everyone,
>
> I have a question concerning Tomcat's WAR deployment behavior: I have a
> web application which allows me to upload WAR files to the server via a
> web form. I get feedback from Tomcat once the upload is finished. I then
> put the file in Tomcat's webapps folder. Tomcat now starts unzipping the
> package. How can I manage to get a notification from Tomcat indicating
> to me that the application is ready to be switched to?

If I had the same problem, and I did not want to start wading through the Tomcat Manager application code (*), then what I would do would be to have my application issue a simple HTTP request to this application, and check what comes back. And if it was not the first page of the application (**), then I'd wait and retry.
But there are probably other ways to do this.

(*) which is available and, some say, surprisingly easy to understand
(**) which, considering I wrote it, could contain some unique string easy to detect
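As an added example (not code from this thread or from Tomcat), here is the kind of Tomcat event listener Sharon refers to: a LifecycleListener that records when each Context has finished starting, so the uploading application has something to wait on besides André's HTTP probe. Written against the Catalina API of Tomcat 6/7; the class name and the marker-file layout are assumptions.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.Writer;

import org.apache.catalina.Context;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;

/*
 * Added example, not code from the thread. Tomcat fires lifecycle events on
 * every Context; AFTER_START_EVENT arrives once the web application (its
 * listeners, filters and load-on-startup servlets) has been initialised and
 * the context accepts requests. Register it for all web applications with
 *   <Listener className="example.DeploymentReadyListener"/>
 * inside the <Context> element of conf/context.xml, with the class in
 * Tomcat's lib/ directory (a context.xml listener is loaded by the common
 * class loader, not by the webapp). Class name and marker path are assumptions.
 */
public class DeploymentReadyListener implements LifecycleListener {

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        if (!(event.getLifecycle() instanceof Context)) {
            return; // events from Server/Service/Engine/Host are not of interest
        }
        Context ctx = (Context) event.getLifecycle();
        String type = event.getType();
        try {
            if (Lifecycle.AFTER_START_EVENT.equals(type)) {
                writeMarker(markerFor(ctx), "started"); // app is ready to switch to
            } else if (Lifecycle.BEFORE_STOP_EVENT.equals(type)) {
                File marker = markerFor(ctx); // app is going away: withdraw the marker
                if (marker.exists() && !marker.delete()) {
                    throw new IOException("could not remove " + marker);
                }
            }
        } catch (IOException e) {
            ctx.getLogger().warn("deployment marker update failed for " + ctx.getPath(), e);
        }
    }

    // One marker file per context path under $java.io.tmpdir/tomcat-ready/
    // (assumed layout): "" (ROOT) -> ROOT, "/shop" -> shop, "/a/b" -> a_b
    static File markerFor(Context ctx) {
        String path = ctx.getPath();
        String name = (path == null || path.length() == 0)
                ? "ROOT" : path.substring(1).replace('/', '_');
        return new File(new File(System.getProperty("java.io.tmpdir"), "tomcat-ready"), name);
    }

    private static void writeMarker(File marker, String state) throws IOException {
        File dir = marker.getParentFile();
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("could not create " + dir);
        }
        Writer w = new FileWriter(marker);
        try {
            w.write(state + " " + System.currentTimeMillis() + "\n");
        } finally {
            w.close();
        }
    }
}
```

The uploading application can then wait for the marker of the newly deployed context to appear (or for the old one to disappear and reappear on redeploy). The marker only says that Tomcat completed the start of the context; André's HTTP request for a page containing a known string is still worth keeping as a second check, because it proves the application actually answers.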