I'd guess the "easiest" way is to use the builtin Tomcat functionality for
max
for the smaller number.
Then for the bigger number ... Use a servlet filter for the "special"
urls that slurps the "input stream" and parses the parameters in
application space. And use RequestWrapper to intercept getP
"sigar-amd64-winnt.dll" is triggering the error. The details will be
in the core dump.
The vendor which supports "sigar-amd64-winnt.dll" will need to fix it.
Based on the release revisions, I suspect the DLL is using a reference
to a request or response object *after* the request was already compl
As long as the webapp is reporting 404's - you're in good
shape and probably not exposing hints of new vectors for
attack. (Sometimes 500 errors can provide hints for tweaking
parameters)
But this is really a case study for why people may want to
run a web application firewall. (I do not have a
One possible workaround is to precompile the JSP's at build time.
https://tomcat.apache.org/tomcat-9.0-doc/jasper-howto.html#Web_Application_Compilation
-Tim
On Fri, Mar 22, 2024 at 1:37 AM Subodh Joshi
wrote:
>
> Why i am doing this exercise?
> In our some of the deployed linux environment ma
Crazy wild guess looking at the stack trace ...
> sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
> at sun.nio.fs.UnixCopyFile.copyFile(UnixCopyFile.java:283) at
A snoop of sun.nio.fs.UnixCopyFile shows it's calling the system call
utimes() or futimes() (probably utimes) - An
One option (hacky workaround) is to try using "swallowOutput"
which may mitigate the worst of your issue. (Beyond a rewrite with
a logging framework)
https://tomcat.apache.org/tomcat-9.0-doc/config/context.html
-Tim
On Mon, Jan 29, 2024 at 3:28 PM Aryeh Friedman
wrote:
> We need to shrink the
See AbstractAccessLogValve (which AccessLogValve overrides)
Then you could override AbstractAccessLogValve.createAccessLogElement()
which has
case 'q':
return new QueryElement();
To possibly do something like
case 'q':
return new ObfuscatedQueryElemen
My bad - AccessLogValve also supports that feature too
- *%{xxx}r* write value of ServletRequest attribute with name xxx (escaped
if required, value ?? if request is null)
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Logging
-Tim
On Fri, Jan 26, 2024 at 7:23 AM Tim
It depends on what you are trying to accomplish. ExtendedAccessLogValve is
a little more flexible where you can write out arbitrary request
attributes but still format the request like the standard access
log. So you could have a filter set the value and not need to
write your own access logger.
-
I don't think there is a technical reason why it couldn't be added. I think
the hard part is getting the config wording/naming correct
Alternatively, I think an out of the box workaround could also be Tomcat's
RewriteValve where the condition matches on header and sets the
"environment variable"
h
Out of the box, no version of Apache Tomcat uses any log4j version.
If log4j is used, it is by a specific application (not provided by the ASF)
deployed to Tomcat. (Or an admin changed the default install to add it)
-Tim
On Fri, Jan 28, 2022 at 10:36 AM Samuel Anderson-Burrell | Cloud21
wrote:
LOG4J2 allows for multiple keyword types of keyword expansions in the logs.
Keyword expansion is a "great way" to log items possibly only known at run
time. And with trace, debug level logging - Comparing those expanded values
to logged values makes debugging "easier". (The closest you'll get to
br
My guess? ClassNotFoundException is rooted in some other exception. Such
as a different error is thrown during class initiation. Such as a static {
doStuff();} block where doStuff does bad stuff.
Hopefully there is more stack trace out there. If the JSP has static
initializers - wrap them in try
Forward needed to be used due to this in the original email
> I also tried using RequestDispatcher#include but I need to keep response
> headers, added during the forward
And include() is not allowed to set headers.
-Tim
On Tue, Sep 29, 2020 at 2:27 PM Christopher Schultz
wrote:
>
> If you wan
Advice: Redesign since this will be a support nightmare for you in the
future since the design is not in the spirit of how the spec works.
Now onto the real solution (over simplified .. but google can expand
on each sub-idea)
Create a ServletResponseWrapper and pass that to the forward() method
w
It should be ...
http://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve
On Thu, Sep 17, 2020 at 10:40 AM Rathore, Rajendra wrote:
>
> Hi Tim,
>
> I am using tomcat 8.5.x, will that available over there?
>
-
It should be a tweak to the ErrorReportValve as documented here: (inside of
server.xml)
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Error_Report_Valve
You'll want to set showServerInfo and showReport to false
-Tim
On Thu, Sep 17, 2020 at 8:20 AM Rathore, Rajendra wrote:
> Hi All,
On Mon, Dec 8, 2014 at 4:39 PM, Mark Thomas wrote:
>
> The call for papers is currently open for ApacheCon North America in
> April 2015. While I could submit some talks on what ever Tomcat related
> subject I fancy talking about, I'd prefer to talk about what you want to
> hear.
>
> So, with that
[resend ... I just realized my email settings were borked for sending]
It might be easier (and much more efficient) for your operating system to
do this for you:
For example:
http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-i
+1 Awesome! Welcome!
-Tim
On Fri, Sep 19, 2014 at 3:49 AM, Rainer Jung wrote:
> On behalf of the Tomcat committers I am pleased to announce that
> Felix Schumacher (fschumacher) has been voted in as a new Tomcat committer.
>
> Please join me in welcoming him.
>
> Regards,
>
> Rainer
>
>
Depending on how you look at it - use the HTTP spec and look at the Date
response header
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.18
The above technique doesn't require shell access and is an "easy" way to
get the date of ANY webserver. (read the spec for caveats)
On Wed,
It's a best practice to keep your jsp's inside of WEB-INF. Since WEB-INF/ is
not allowed to be requested by the browser - it's a simple enforcement
mechanism to prevent users from direct access to calling jsps. (Since it
may be common to have jsp's as snippets for header / footers etc -- and
there fo
yes - this is the pattern we use and trivial to put in your own webapp
For completeness ...
in web.xml
<url-pattern>*.jsp</url-pattern>
<include-prelude>/WEB-INF/prelude1.jspf</include-prelude>
prelude1.jspf contents: <%@page session='false' %>
-Tim
On Mon, Apr 23, 2012 at 5:06 PM, Konstantin Kolinko
wrote:
> 2012/4/24 Christopher Schult
While useful ... I would conjecture that things like this eventually undergo
feature creep and over time would turn into
http://www.tuckey.org/urlrewrite/
-Tim
On Wed, Aug 24, 2011 at 11:14 AM, Mattmann, Chris A (388J) <
chris.a.mattm...@jpl.nasa.gov> wrote:
> Thanks for your reply Chuck.
>
> I
Looks like this is the root cause from DefaultServlet ...
While the ISE is caught ... since the mimetype for js was changed - it
doesn't match the fallback method
try {
ostream = response.getOutputStream();
} catch (IllegalStateException e) {
Apache = Apache Software Foundation. This is the legal organization which
has all the wonderful bureaucracy in setting up rules for
software development and making sure projects adhere to various countries
laws.
Tomcat - Actually Apache Tomcat - the implementation of the servlet spec. A
project in
Observations ...
1) If relying on native - it might be easiest to place the
System.loadLibrary() and its classes in the common classloader. Then use a
Valve to call System.loadLibrary() so it's only called once. Hack, yes ...
also very simple to do. This might allow webapps to be reloaded witho
yes - that would be a problem. The invoker doesn't know how to serve static
resources.
-Tim
On Wed, Jun 8, 2011 at 1:44 PM, wrote:
> I agree with you.
>
> The static resources where never a problem to me, but since I messed with
> the web.xml they started to behave oddly.
>
> Maybe this line i
If your images are in the correct directory then tomcat will serve them for
you with its DefaultServlet. There should be nothing to do.
Then to serve resources via the invoker - this is where the filter is handy.
You declare the invoker servlet - but you do not map it. The servlet api
allows you t
No - images will be served by the default servlet so nothing needs to be
done for images.
The filter is used as a way to let the invoker work and be a tiny bit more
secure. So the filter is mapped to /* and will forward anything to the
invoker servlet if the requested path *looks like one of your
Your "easiest" workaround is to use a filter.
So
1) have the default servlet map to /* (which is the default)
2) keep the invoker declared
3) And make your filter do this ...
doFilter(..) {
if (request.getServletPath().matches(regex-here)) {
servletContext.getNamedDispatcher("invoker").for
This looks like a nice time to look at your existing traffic and get
actuals of
1) Hits per second
2) Bandwidth usage
Then use your access logs (or if you have a test suite - use that ...
guessing owning 8 weblogic instances probably means there was a budget to
own a test suite) to determin
I've loathed this issue too. There are 2 major cases to deal with
- Libraries changing (like dojo, prototype, etc)
- Your external files changing
The first is "easy" to change .. in that you create a /scripts/ dir and
all 3rd party libraries go into their own directory with version number.
New
Or it could be in the world of outsourcing you have a giant pool of 1st,
2nd, and 3rd level support who are offshore which need "access" to
perform basic trouble shooting before escalation. And 90% of them have
no idea they have access but getting them access when they would need it
becomes a g
No "coding" needed if you use Url Rewrite Filter ...
http://urlrewritefilter.googlecode.com
.*
P3P code here
-Tim
On 1/17/2011 8:11 AM, Joseph Morgan wrote:
You know what... I need to learn to read what I write... you are correct, it
needs to be added to every respo
I'm late to the party. But how about trying the following ...
1) Add a filter which runs first and logs the request. This WILL have a
performance impact - but a non-running application is a tad bit slower
than writing each request to disk. With luck - this may call out a class
of (or single) u
If you have Apr available ... you might be able to use this ...
org.apache.tomcat.jni.Stdlib.getpid()
// public static native int getpid();
-Tim
On 11/18/2010 6:10 AM, Pid wrote:
On 18/11/2010 10:47, André Warnier wrote:
The justification according to which a PID is not
necessarily available
Has anyone successfully used (or experimented with) either of these?
-XX:OnError=";"
-XX:OnOutOfMemoryError=";
-Tim
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@to
Doh - too fast in copy paste - I pasted the wrong name.
You want *RemoteAddrValve* - you do NOT want RemoteIpValve
-Tim
On 11/9/2010 3:18 PM, Tim Funk wrote:
See RemoteIpValve
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_IP_Valve
-Tim
On 11/9/2010 1:34 PM, Ari King
See RemoteIpValve
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_IP_Valve
-Tim
On 11/9/2010 1:34 PM, Ari King wrote:
Hi all,
I have an httpd proxy in front of my tomcat servers/instances, and I'd
like to restrict access to those tomcat servers/instances to be
through the htt
An enhancement bug has been entered for those with the itch. It appears
the existing JspC task still writes out 2.3 when it writes a new web.xml.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50234
-Tim
On 11/8/2010 5:45 AM, Ronald Klop wrote:
+1 Precompiled jsp's with annotations in a
While I like the idea of using web-fragment.xml for precompiled jsp's -
it would require the "meta-data complete" flag to be set to false which
may as a side effect allow other artifacts to be loaded too.
Hopefully jsp-precompile is part of the webapp build/deploy process so a
developer can ig
Check all the files in the log dir. There should be an exception there
with ContextLoaderListener throwing some exception. (Probably a
SaxException)
-Tim
On 11/3/2010 12:14 AM, Will Sumekar wrote:
Hi
When I put these lines:
org.springframework.web.context.ContextLoaderList
Ideally - you would do this as a servlet filter and configured as part
of the webapp. So when the filter is destroyed - it unregisters the object.
-Tim
On 11/2/2010 2:53 PM, Leo Donahue - PLANDEVX wrote:
http://j-integra.intrinsyc.com/support/com/doc/gc/index.html
#4 com.linar.jintegra.Cleane
It's the time the Valve starts processing until the valve has finished
processing.
Vague heh?
So this means that Tomcat will need to do the following first before
timing starts
- Accept the connection
- Receive the 1st line of the request, and probably the headers such as Host
- From there - T
Use pattern="combined" to see the querystring
-Tim
On 10/12/2010 12:21 PM, Leo Donahue - PLANDEVX wrote:
I am currently using the common pattern to log all requests using the Access
Log Valve.
Enable listings is "sort of"** a global setting.
Since the default servlet is declared in conf/web.xml - it's inherited in
*every* webapp. So its config is also inherited. (Bummer)
BUT - if you add a WEB-INF/web.xml to EVERY webapp with the default
servlet settings - then you can remove the de
The way things work now by default ... The session cookie is set at the
path level and is different per context. So you may have multiple
session id cookies set for a given server (but given the path constraint
on the cookie - you only get one of those cookies (typically))
But (IIRC) you can a
Equally well
AllowOverride none
deny from all
The docs say AllowOverride is not allowed on regex's so I believe in
reality - this could be overridden with effort.
-Tim
Pid wrote:
On 25/11/2009 16:47, Nikolay Diulgerov wrote:
Try
AllowOverride None
deny from all
Sorry - (AFAICT) there isn't a way to do that. You have to configure
each one.
-Tim
Ursula Walenciak wrote:
Hi,
I'm trying to configure access-logging per context
by using the AccessLogValve.
Actually I would like to produce one log-file per context
but avoid configuring it for each context
I'll one up it to make it trivial ...
// put this in a filter mapped to everything
doFilter(...) {
if (servletContext.getAttribute("initFailed") != null) {
response.sendError(503);
return;
}
chain.doFilter(request,response);
}
// and put this in any servlet or listener
} catch(Throwable e)
Confirmed. The docs are not in sync with what the installer does. We'll
get this fixed in a future release.
In future, please report possible security issues privately rather than
publicly.
-Tim
David Norheim wrote:
Hi,
I would like someone's opinion on the following issue that we have
di
For Servlets - as long as
Servlet.service(ServletRequest,ServletResponse) is implemented - you
won't see the 501.
So that's why you see the 501 for your servlet.
JSP's are "funny" since there is nothing in the spec which restricts the
request method. So service(...) is overridden by all JSP's s
My bad - by context filter I meant to say the web.xml as found in
$CATALINA_HOME/conf/web.xml
There is nothing contexty about it
-Tim
Caldarale, Charles R wrote:
From: Tim Funk [mailto:funk...@apache.org]
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)
Context filters are
Context filters are executed before webapp filters. I believe (but not
confirmed) that valves execute before the filters.
-Tim
Christopher Schultz wrote:
Mark,
On 10/2/2009 5:55 AM, Mark Thomas wrote:
Elli Albek wrote:
A few reasons why not to
If you use JSP tags where the JSP body does not directly stream but
needs buffered for the tag to finish processing it (using BodyContent) -
then tomcat will allocate and reuse these. If you are creating pages
with large body contents - this can take *A LOT* of memory. The rationale
is to reuse
http://mina.apache.org/
-Tim
Sergio Bello wrote:
Tim Funk wrote:
I was thinking on tomcat to take advantage of several features (request
and thread management, etc) that I know have been tested for years, but
I'm not tied to the use of tomcat.
If you know another project (java/opens
Don't - there are other apache projects which can do that much better
than Tomcat.
-Tim
Sergio Bello wrote:
Hi all,
I'm trying to figure out how to use tomcat as a TCP server. The basic
idea is to receive tcp connections, through a given port, process them
and return a response. Has anyone d
My bad - I was quoting the servlet 3.0 spec (usually the headings align)
I need to reread but it might be a bug. (I don't have the spec in front
of me) but IIRC it said something to the effect of using the url + the
HTTP method to get all applicable constraints. And then unioning them
together.
See 13.8.1 of the servlet spec.
The result is unioning all the constraints together for one that passes
It might be easier to write a filter to implement the restriction that
only GET/POST/HEAD is allowed.
-Tim
Peter Holcomb wrote:
We have a situation where we recently introduced a new s
There is no way.
But you can alter the format property to log the Via header which does
have the ip address. (But it will also have more text in it too)
The javadocs for AccessLogValve have all the variables you can use.
-Tim
Angelo Chen wrote:
Hi,
I run tomcat behind an Apache server, Apac
This worked fine for me conf/tomcat-users.xml - make sure this is the
full XML file:
(and then restart tomcat)
-Tim
Bruce Nourish wrote:
Hi,
I have a 6.0.20 Tomcat binary distribution downloaded and untarred
directly from the Tomcat site. My system is Ubuntu 8.04 with Java
version 1.5.0
At this point, no one on the list will have a clue since we don't know
1) apache version
2) tomcat version
3) type of connector used, mod_proxy_ajp, mod_jk, or mod_proxy_http
But if tomcat is saying All threads (250) are currently busy, waiting. -
that means it is only configured to handle 250 w
you have a config issue. I bet you have 250 apache workers (per server)
and 250 tomcat workers(per server).
But there are 500 apache workers (250 * 2). So in the worst case - you
need tomcat to handle 500 connections.
-Tim
keeplearning wrote:
I am running a load test with 2 web (apache) and
mp
directory. I set cachingAllowed to false, but it doesn't work for me.
Do you have any idea ?
Regards
On Wed, Sep 2, 2009 at 1:01 PM, Tim Funk wrote:
There are too many unknown constraints to answer - but I'll try.
In app B - use an init parameter which is a filename
There are too many unknown constraints to answer - but I'll try.
In app B - use an init parameter which is a filename where test.xml is
located.
myfile
/usr/local/more/cowbell/test.xml
Then when app b needs to write the file;
File f = new File(servletContext.getInitPa
I thought the Oracle JDBC driver allowed for all the nodes to be placed
into the connect string and the driver was smart enough to detect
failover. [So it's a configuration exercise on the connection string.]
-Tim
Ognjen Blagojevic wrote:
This is interesting topic.
IANA-failover-expert, but o
jvmRoute needs to be unique across all the tomcat instances.
server1:
server2:
To test - tail the access logs on each tomcat and see what appears.
-Tim
given.shiri...@sita.co.za wrote:
Hi Guyz.
I got two linux servers machine running,in both of them,I have tomcat 5 running i.e
server
s ago). Of
course - since you are using iText - this shouldn't be an issue.
-Tim
Michael Ludwig wrote:
Tim Funk wrote:
http://wiki.apache.org/tomcat/FAQ/Linux_Unix
You're probably alluding to:
How do I run without an X server and still get graphics?
You either need to run
http://wiki.apache.org/tomcat/FAQ/Linux_Unix
-Tim
method8 wrote:
Dear all,
I'm using the iText library to generate pdfs from a database on the fly.
Whenever I use some
of its features that require simple things like java.awt.Color, I get an
java.lang.UnsatisfiedLinkError as shown:
---
Put this in a JSP all by itself - you should get an error (or at least -
I did):
<%request.setAttribute("aList", new java.util.ArrayList());%>
${aList.a}
Not sure why yours did not produce an error - a more complete snippet
would be needed.
-Tim
David Balažic wrote:
versions: Tomcat 5.5.28
Since there is manual intervention to stop the app. There can be manual
intervention to tell apache not to forward requests to tomcat, for example:
- change the apache config and graceful restart (but it does require a
restart)
- Use mod_rewrite to look for some marker (file existence or rewrite
I am assuming loader is an instance of a classloader. The classloader
doesn't see the conf directory. (But as you noticed - it does see the
common directory)
Your "easiest" (but tomcat specific) solution is to do something like this:
File confDir = new File(System.getProperty("catalina.home"),
to make. (Too lazy to
look up the bug report)
[Personally - I'd rather stick apache in front let apache trap the
condition during the outage window and not worry about the rest.]
-Tim
Caldarale, Charles R wrote:
From: Tim Funk [mailto:funk...@apache.org]
Subject: Re: Custom 404 page
My first inclination is that this is a bug or enhancement request.
From a user point of view, if I have an app (which is not the root
webapp) and I stop it, then all requests should then go to the root
webapp. Of course doing this might introduce bad side effects during the
course of an applicati
You probably want to implement your own DirContext. See FileDirContext
and WARDirContext - which is how Tomcat serves Files from disk or WAR
files. Of course this solution makes your webapp tomcat dependent and
you'll need to place new classes/jars into the server classloader.
-Tim
gerv...@po
Something will eventually call bin/startup.sh (or bin/catalina.sh).
Changing bin/startup.sh (or bin/catalina.sh) is typically a bad idea.
Whatever is calling that should export JAVA_OPTS first.
For example:
export JAVA_OPTS='-Xmx256m'
- or -
export JAVA_OPTS='-Xmx256m -Djava.awt.headless=true'
Out of the box - no. But you can write a filter to add the response to
all requests.
doFilter(...) {
response.setHeader("Cache-Control","no-cache"); /* or no-store YMMV*/
response.setHeader("Pragma","no-cache");
response.setDateHeader ("Expires", 0);
chain.doFilter(request, response);
}
-Tim
Epithemeus
An ssh tunnel is also easy too. (but can also open other security holes
depending on how it's deployed and the requirements)
-Tim
Mark Thomas wrote:
Florian Kirchhoff wrote:
Hi,
I know this has been asked before, but after reading the documentation and
searching previous threads:
http://ww
It's probably also failing for less than 8k since I am guessing the view is
a jsp and when the jsp finishes execution - the response will be
committed. (Or somewhere in the request/response cycle - a forward() was
done which also will eventually commit the response per the servlet spec)
If you are
If you are doing this:
doFilter() {
chain.doFilter()
response.addHeader(...)
}
Expect failure to occur. (unless you are sending less than 8k in the
response)
-Tim
Anantha Padmanabha wrote:
I'm using tomcat 6.0.18. I added a filter that adds a custom response header
by doing setIntHeader
need Glassfish -- just a servlet engine. Nor do I need most Servlet 3.0
stuff at this time. A better Tomcat 6 would be nice, though :-)
Tim Funk wrote:
I doubt this will be seen in tomcat 6. The closest you'll get are the
function taglibs functionality.
-Tim
Jess Holle w
I doubt this will be seen in tomcat 6. The closest you'll get are the
function taglibs functionality.
-Tim
Jess Holle wrote:
I note in http://java.dzone.com/articles/unified-el-learns-method that
in JEE 6 EL finally allows method invocations.
Is there any chance this feature can be used in J
Try adding this to web.xml (and IIUC - this is portable across all
containers)
users
SG-FooBar-Users
admins
SG-FooBar-Admins
-Tim
Jason Royals wrote:
Hello Tomcatters,
Consider the following scenario. I have a Java web application, and it
is a packaged, commercial appli
See conf/web.xml in your tomcat installation (and look for xpoweredBy in
the comments) - if that doesn't exist - then you'll need to consult the
JBOSS docs since they configure it in a different manner.
-Tim
acastanheira2001 wrote:
Mark,
Could you tell me what Tomcat doc is?
Thanks for your
but don't know what the "authentication" is defined as?
if (authentication != null)
env.put(Context.SECURITY_AUTHENTICATION, authentication);
-Original Message-
From: Tim Funk [mailto:funk...@apache.org]
Sent: Tuesday, 4 August 2009 11:55 p.m.
To: Tom
JNDIRealm is based on communicating to an LDAP server. (Which is one way
AD can communicate)
-Tim
Geofrey Rainey wrote:
Does anyone know what type of authentication Tomcat uses by default to
authenticate to an AD server using the JNDIRealm?
(I haven't specified any particular authenticati
allow is a regex - you probably want this:
allow="176\.24\..+"
with allow="176.24.*.*" - you would also let through
176.240.
176.241.
...
176.249.
-Tim
Leo Donahue - PLANDEVX wrote:
I want to restrict web access to a specific web app to only allow it to be
available on our domain.
If I put
Don't run Symantec ? :)
Symantec is probably doing 1 of 2 things
1) Noticing tomcat is trying to bind to a socket (it is a webserver) and
killing it
2) It has bad heuristics and thinks it's a trojan
My bet is #1. You probably need to white list tomcat. Actually - you
might need to whitelist ja
LiveHTTPHeaders is your friend ...
Let's assume I have this as foo.jsp:
<%
response.sendRedirect(null);
if (out!=null) {return;}
%>
http://localhost/foo.jsp
GET /foo.jsp HTTP/1.1
Host: localhost
HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Conten
If you want a black list - it would probably be easier to write a filter
[programmatic security] instead of declarative security. [At a minimum,
everyone would still need to be authenticated - its the authorization
which is done via the filter (actually the filter will defer to the
realm so the
Do you really want to allow different passwords for the same user
id? Sounds dangerous.
For different access control restrictions you need to set up various
roles, which are names chosen by you. Which can be something like
- reader, writer
- admin, superuser, user
- it, sales, marketing,
they create.
I edit the html template files they have to add my images and javascript.
I use their environment to create/edit/build the web application. Underneath
I have tied in netBeans the best I can so I can debug their stuff. But that
has issues too.
Thanks,
Susan
-Original Message
If the images are physical images in the classes directory - you have a
few options.
1) At build time - move (or copy) the files from the classes directory
to somewhere more sane that the default servlet can access
2) Write a filter that detects these images that live in the classes dir,
and th
Change your loop to be:
int i;
while ((i=in.read()) > -1) {
out.write(i);
}
available() - "Returns the number of bytes that can be read (or skipped
over) from this input stream without blocking by the next caller of a
method for this input stream." So its not an accurate gauge of how much
correction: The double checked idiom was "fixed" in java5. The variable
which is checked needs to be declared as volatile. The link states that
at the bottom.
-Tim
Christopher Schultz wrote:
David,
On 6/14/2009 5:43 PM, David Blevins wrote:
It's there "for convenience" (and been there "forever") - but it is a
great big security hole if we ignore case (Try asking for
/web-INF/wEb.xml - or even more evil "/web-INF/wEb.xm%6c")
-Tim
André Warnier wrote:
Even that wouldn't work.
Since the filesystem is case-sensitive, it may well h
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
3.6.1
All HTTP/1.1 applications MUST be able to receive and decode the
"chunked" transfer-coding, and MUST ignore chunk-extension extensions
they do not understand.
So you have to jump through big hoops to not use chunked encoding
[IIRC -
See |caseSensitive| here
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
But doing so makes your installation VERY insecure in a windows
environment. (Since ACL's can be bypassed since most ACL rules are case
sensitive)
If performance is of no concern - you could go crazy and forc
is 1 linux apache2 server with 4 linux tomcat servers and each
tomcat server has 4 separate tomcat instances. So we have a total of 16 tomcat
instances across 4 servers.
Yes, there is a firewall between the web server and the app(tomcat)/db(mysql)
server.
KJ
-Original Message-
From