But if the user has the session then he or she can change the user
credentials (of course only for this site unless the password is shown in
the system, which would be really bad) or if the user has enough rights
add a new user which can be used by the hacker.
Remember how easy it is to hijack
On 20 June 2011 17:02, Christopher Schultz ch...@christopherschultz.net wrote:
That depends on what Service.logHit does. If it only uses the
HttpServletRequest object during the method's lifetime, then everything
is fine. If it retains a reference to the request object, you will
probably end
Hi there,
I am using Log4j with the following log4j.properties for the Tomcat:
log4j.rootLogger=INFO, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=${catalina.home}/logs/tomcat.log
log4j.appender.R.encoding=UTF-8
log4j.appender.R.MaxFileSize=2MB
2011/6/21 Björn Agel bjo...@agel-rosen.de:
Hi there,
I am using Log4j with the following log4j.properties for the Tomcat:
log4j.rootLogger=INFO, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=${catalina.home}/logs/tomcat.log
Could somebody please point me to an institute which conducts Tomcat
administration training in INDIA (Bangalore)?
Thanks for your help.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands,
Hi,
in which order are classes loaded in jars in WEB-INF/lib? Alphabetically? By
date? Unordered?
My problem is:
My WEB-INF/lib contains jars where one jar contains older versions of
classes than the other jar. I will ensure to load the newer versions of the
classes. How can this be done?
On 21/06/2011 12:05, spr...@gmx.eu wrote:
Hi,
in which order are classes loaded in jars in WEB-INF/lib? Alphabetically? By
date? Unordered?
There is no order.
My problem is:
My WEB-INF/lib contains jars where one jar contains older versions of
classes than the other jar. I will
in which order are classes loaded in jars in WEB-INF/lib?
Alphabetically? By
date? Unordered?
There is no order.
Thank you.
On Tue, Jun 21, 2011 at 4:02 AM, André Brunnsberg
andre.brunnsb...@planmill.com wrote:
But if the user has the session then he or she can change the user
credentials
Actually it depends on how the application implements password change.
Usually for changing the password you need to enter the
2011/6/21 Björn Agel bjo...@agel-rosen.de:
H,
In the documentation of Struts 1.3.10 it says they are using commons-logging
API.
I configured Tomcat to use log4j, so I don't know where the calls to
ServletContext.log() should come from.
Any ideas?
Search for the PropertyMessageResources
Am 21.06.2011 14:59, schrieb Konstantin Kolinko:
2011/6/21 Björn Agel bjo...@agel-rosen.de:
H,
In the documentation of Struts 1.3.10 it says they are using commons-logging
API.
I configured Tomcat to use log4j, so I don't know where the calls to
ServletContext.log() should come from.
Any
2011/6/21 Björn Agel bjo...@agel-rosen.de:
Am 21.06.2011 14:59, schrieb Konstantin Kolinko:
2011/6/21 Björn Agel bjo...@agel-rosen.de:
H,
In the documentation of Struts 1.3.10 it says they are using
commons-logging
API.
I configured Tomcat to use log4j, so I don't know where the calls
Hello,
In servlets 3.0 specification regarding async sockets, setTimeout with 0 or
negative value should be used for infinite timeout (no timeout).
I am not sure if there is a bug or a particular design in Tomcat 7.0.14 (did
not test with 7.0.16), but when I use setTimeout(0) or
Hi
Appreciate if someone can help me here.
Thanks
Tauqir Akhtar
-Original Message-
From: Tauqir Akhtar [mailto:takh...@jny.com]
Sent: Monday, June 20, 2011 2:10 PM
To: 'Tomcat Users List'
Subject: RE: Tomact 5.5 Clustering
Hi
My Clustering Fails :
SEVERE: Unable to send
Am 21.06.2011 15:33, schrieb Konstantin Kolinko:
2011/6/21 Björn Agel bjo...@agel-rosen.de:
Am 21.06.2011 14:59, schrieb Konstantin Kolinko:
2011/6/21 Björn Agel bjo...@agel-rosen.de:
H,
In the documentation of Struts 1.3.10 it says they are using
commons-logging
API.
I configured Tomcat
Calum,
On 6/21/2011 4:26 AM, Calum wrote:
On 20 June 2011 17:02, Christopher Schultz ch...@christopherschultz.net
wrote:
That depends on what Service.logHit does. If it only uses the
HttpServletRequest object during the method's lifetime, then
Rafael,
On 6/20/2011 8:12 PM, Rafael Liu wrote:
Good point Chuck. I agree with you, the webapp wouldn't be all secured. But
there are 2 different things here:
* the issue with the plain password
* the issue with session hijacking
This does
Hey Chris,
as you said, each problem compromises different kinds of things: account vs
credentials. And I think they have different kinds of consequences and can
be, each one, dangerous in its own way. I brought the discussion into the list
because I thought it was relevant.
Looking at the code, a
On 21/06/2011 17:05, Rafael Liu wrote:
Hey Chris,
as you said, each problem compromises different kinds of things: account vs
credentials. And I think they have different kinds of consequences and can
be, each one, dangerous in its own way. I brought the discussion into the list
because I
Rafael,
On 6/21/2011 12:05 PM, Rafael Liu wrote:
I agree it's kind of a philosophical question but I see some real
implications. Anyway, for the record, as a quick and dirty fix I set the
full URL with https schema in /form@action. But the hosting
Well, if it's the spec I guess there's not much to argue. Maybe turn it into
an option, but I already got the feeling of the community. I won't insist as
this is my specific requirement and may not be of use to a wide range of the
community.
Mark, there could be a MIM attack but that's yet another
Hi,
It is OSX 10.6.7, java 1.6.0_24, tomcat 7.0.14, jk 1.2.31, apache 2.2.19. It
is a one-machine setup with two tomcat instances. I am trying to do session
replication testing with the examples webapp. When I shut down one of the
tomcat instances I receive this in the log of that instance:
Dear Sirs,
On Thursday, May 26, 2011 1:14 AM
From what you have above, /guess does not appear to be a valid URL.
You appear to have lost the context path somewhere.
This problem has been resolved. In this case, when JSP(guess.jsp) calls
Servlet(GuessServlet.java), the absolute path is
If I alter JarFactory to always use FileUrlJar, then my startup is
around 20 seconds faster, i.e. the speed is fully back to that of 7.0.12.
It turns out the issue is the large jars I have in my WEB-INF/lib
directory -- and FileUrlJar is still much faster in this case than using
UrlJar even