Re: clearReferencesThreads, Poller SunPKCS11-Solaris and strange context class loader
2010/5/7 Rainer Jung :
> I'm wondering why the PKCS Token Poller thread was captured by the leak
> prevention. Since we know the code, it was because its context class loader
> was equal to the WebappClassLoader of /manager. That's what I don't
> understand. See my original post.

TCCL is inherited from the parent thread. It means that that thread was started either during request processing, or during web application startup.

BTW, 4th result in http://www.google.com/search?q=SunPKCS11+TokenPoller gives source code for that class.

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Tomcat Wiki] Update of "PoweredBy" by DavidGhedini
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "PoweredBy" page has been changed by DavidGhedini. http://wiki.apache.org/tomcat/PoweredBy?action=diff&rev1=256&rev2=257 -- <> == Hosting providers == + === Application Outsource UK Ltd. === + {{http://www.application-outsource.co.uk/images/logo.gif}} + + [[http://www.application-outsource.co.uk/|Application Outsource UK Ltd.]] offers a variety of affordable Tomcat hosting options. Oracle and MySQL. Tomcat 5 and 6. All plans feature private Tomcat instance. Plans for every budget. + === WebAppCabaret Hosting === {{http://www.webappcabaret.com/wac/waclogo.gif}} [[http://www.webappcabaret.com/|WebAppCabaret]] is the oldest JAVA Web hosting provider. Features include one-click installation of many versions of Tomcat. - - === björn hahnefeld IT TC_Framework === {{http://www.hahnefeld.de/images/archive/small.jpg}} "björn hahnefeld IT TC_Framework" [[http://www.hahnefeld.de|björn hahnefeld IT]] runs on Tomcat. It is a Framework for the ATOSS employee portal with runs on Tomcat too. Hosting-Plans for the "björn hahnefeld IT TC_Framework" can be booked under [[http://www.hahnefeld.de/internet-services_server.html|TomCat Co-Location and Serverhousing]]. The "björn hahnefeld IT TC_Framework" for project and time control is live in action in three companies at the moment: [[http://www.schoen-alarm.at|Gerald Schön Elektro- & Sicherheitstechnik]], [[http://www.konstruktionsbuero-dos.de|Konstruktionsbüro DOS]] and [[http://www.brot-und-wein.eu|Enoteca "Brot & Wein"]]. 
@@ -363, +366 @@ {{http://webmail.innoshare.com/images/innoshare_logo_small.jpg}} [[http://www.innoshare.com/|InnoShare]] - A full-service [[http://www.innoshare.com/services/atlanta-website-design|web design]], [[http://www.innoshare.com/services/atlanta-email-newsletters|email newsletter]], [[http://www.innoshare.com/services/atlanta-business-web-hosting|web hosting]] and [[http://www.innoshare.com/services/atlanta-search-engine-optimization|search engine optimization]] provider. === Infrenion Networks === - {{http://www.infrenion.com/images/logo.jpg}} "Cheap UK and US Web Hosting" [[http://www.infrenion.com/|Infrenion Networks]] - Cheap UK and US Web Hosting service provider with FFMPEG and TOMCAT v6 - === Javaprovider.net === {{http://javaprovider.net/img/logo.gif}} [[http://javaprovider.net|Java Hosting]] - !WebApplication hosting company. We created Java Panel with Tomcat 6. === JavaServletHosting.com === - {{http://javaservlethosting.com/images/javaservlethosting.com_logo_for_tomcat.apache.org.png}} [[http://www.javaservlethosting.com|JavaServletHosting]] - You'll find professional-grade Java Hosting at very affordable prices. For more than 15 years, they've been a leader in commercial web hosting and n-tier application development. They are one of the original three hosting providers featured on this page back in 2005. + {{http://javaservlethosting.com/images/javaservlethosting.com_logo_for_tomcat.apache.org.png}} [[http://www.javaservlethosting.com|JavaServletHosting]] - You'll find professional-grade Java Hosting at very affordable prices. For more than 15 years, they've been a leader in commercial web hosting and n-tier application development. They are one of the original three hosting providers featured on this page back in 2005. === KingHost === {{http://www.kinghost.com.br/img/logo_kinghost_painel.jpg}} [[http://www.kinghost.com.br/|KingHost - Hospedagem de Sites]] provides webhosting with JSP/Servlets support using Tomcat 5.0, 5.5 and 6.0. 
@@ -404, +405 @@ {{http://www.oxxus.net/images/oxxuslogo2.gif}} [[http://www.oxxus.net|Oxxus.net Tomcat Hosting]] - Offers latest Tomcat 6 hosting services on private JVM. === RSHosting.co.uk === - {{http://www.rshosting.co.uk/images/logo3.jpg}} [[http://www.rshosting.co.uk |RSHosting.co.uk UK Tomcat Web Hosting]] - provides TomCat Web Hosting on our Linux and Windows servers in UK. + {{http://www.rshosting.co.uk/images/logo3.jpg}} [[http://www.rshosting.co.uk|RSHosting.co.uk UK Tomcat Web Hosting]] - provides TomCat Web Hosting on our Linux and Windows servers in UK. === RSHosting.com === - {{http://www.rshosting.com/images/logo3.jpg}} [[http://www.rshosting.com |RSHosting.com US based Tomcat Web Hosting]] - provides TomCat Web Hosting on our Linux and Windows servers in US datacenter. + {{http://www.rshosting.com/images/logo3.jpg}} [[http://www.rshosting.com|RSHosting.com US based Tomcat Web Hosting]] - provides TomCat Web Hosting on our Linux and Windows servers in US datacenter. === Starhost === {{http://www.starhost.com.br/imagens/estrutura/logo_starhost.jpg}} [[http://www.starhost.com.br/|Starhost - Hospedagem de Sites]] Brazilian webhost provides JSP/Servlets support using Tomcat 5.0, 5.5 and 6.0. @@ -
[Tomcat Wiki] Update of "PoweredBy" by DavidGhedini
The "PoweredBy" page has been changed by DavidGhedini. http://wiki.apache.org/tomcat/PoweredBy?action=diff&rev1=257&rev2=258 -- === Application Outsource UK Ltd. === {{http://www.application-outsource.co.uk/images/logo.gif}} - [[http://www.application-outsource.co.uk/|Application Outsource UK Ltd.]] offers a variety of affordable Tomcat hosting options. Oracle and MySQL. Tomcat 5 and 6. All plans feature private Tomcat instance. Plans for every budget. + [[http://www.application-outsource.co.uk/|Application Outsource UK Ltd.]] offers a variety of affordable Tomcat hosting options. Oracle and MySQL. Tomcat 5 and 6. Choice of US or UK locations. All plans feature private Tomcat instance. Plans for every budget. === WebAppCabaret Hosting === {{http://www.webappcabaret.com/wac/waclogo.gif}}
Re: clearReferencesThreads, Poller SunPKCS11-Solaris and strange context class loader
On 07.05.2010 11:00, Konstantin Kolinko wrote:
> 2010/5/7 Rainer Jung:
>> I'm wondering why the PKCS Token Poller thread was captured by the leak
>> prevention. Since we know the code, it was because its context class
>> loader was equal to the WebappClassLoader of /manager. That's what I
>> don't understand. See my original post.
>
> TCCL is inherited from the parent thread. It means that that thread was
> started either during request processing, or during web application
> startup.

But unfortunately that doesn't provide consistent results.

If I start Tomcat without any webapp (but with ROOT context) the thread is started too. The heap dump shows the system cl as the tccl, but during restart or shutdown the leak prevention retrieves the tccl and finds it is equal to the WebappClassLoader of the manager.

I'm confused.

> BTW, 4th result in http://www.google.com/search?q=SunPKCS11+TokenPoller
> gives source code for that class.

I'll see, but I guess the point is more about who starts it when and why, less about what it does.

Regards,
Rainer
Re: clearReferencesThreads, Poller SunPKCS11-Solaris and strange context class loader
2010/5/7 Rainer Jung :
> On 07.05.2010 11:00, Konstantin Kolinko wrote:
>> 2010/5/7 Rainer Jung:
>>> I'm wondering why the PKCS Token Poller thread was captured by the leak
>>> prevention. Since we know the code, it was because its context class
>>> loader was equal to the WebappClassLoader of /manager. That's what I
>>> don't understand. See my original post.
>>
>> TCCL is inherited from the parent thread. It means that that thread was
>> started either during request processing, or during web application
>> startup.
>
> But unfortunately that doesn't provide consistent results.
>
> If I start Tomcat without any webapp (but with ROOT context) the thread is
> started too. The heap dump shows the system cl as the tccl, but during
> restart or shutdown the leak prevention retrieves the tccl and finds it is
> equal to the WebappClassLoader of the manager.
>
> I'm confused.
>
>> BTW, 4th result in http://www.google.com/search?q=SunPKCS11+TokenPoller
>> gives source code for that class.
>
> I'll see, but I guess the point is more about who starts it when and why,
> less about what it does.

What is this all about, I mean these PKCS11 tokens? Is it something that is used in your configuration? I mean, what are those "tokens" that it works with? (for a newbie) Do you use JAAS?

From the code, e.g. SunPKCS11#uninitToken() calls
1) destroyPoller()
2) createPoller()
which restarts the thread. So the one at shutdown time might be different from the one that you see when Tomcat starts.

Best regards,
Konstantin Kolinko
Re: clearReferencesThreads, Poller SunPKCS11-Solaris and strange context class loader
On 07.05.2010 14:23, Konstantin Kolinko wrote:
> 2010/5/7 Rainer Jung:
>> On 07.05.2010 11:00, Konstantin Kolinko wrote:
>>> 2010/5/7 Rainer Jung:
>>>> I'm wondering why the PKCS Token Poller thread was captured by the
>>>> leak prevention. Since we know the code, it was because its context
>>>> class loader was equal to the WebappClassLoader of /manager. That's
>>>> what I don't understand. See my original post.
>>>
>>> TCCL is inherited from the parent thread. It means that that thread
>>> was started either during request processing, or during web
>>> application startup.
>>
>> But unfortunately that doesn't provide consistent results.
>>
>> If I start Tomcat without any webapp (but with ROOT context) the thread
>> is started too. The heap dump shows the system cl as the tccl, but
>> during restart or shutdown the leak prevention retrieves the tccl and
>> finds it is equal to the WebappClassLoader of the manager.
>>
>> I'm confused.
>>
>>> BTW, 4th result in http://www.google.com/search?q=SunPKCS11+TokenPoller
>>> gives source code for that class.
>>
>> I'll see, but I guess the point is more about who starts it when and
>> why, less about what it does.
>
> What is this all about, I mean these PKCS11 tokens? Is it something that
> is used in your configuration?

No, not at all. There's no HTTPS connector, no keystore, no nothing. The PKCS11 provider comes with the JDK but I'm not aware of anything that uses it. Default Tomcat configuration plus log4j. It's there after JDK start with some version of the JDK. It's not there if I only start a plain Java test doing only a sleep using the same JDK.

> I mean, what are those "tokens" that it works with? (for a newbie) Do you
> use JAAS?

Not that I'm aware of.

> From the code, e.g. SunPKCS11#uninitToken() calls
> 1) destroyPoller()
> 2) createPoller()
> which restarts the thread. So the one at shutdown time might be different
> from the one that you see when Tomcat starts.

Hmmm. Will dig deeper over the weekend.

Regards,
Rainer
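The mechanism the thread keeps circling back to (a child thread copies the context class loader of whichever thread starts it, so a JDK-internal thread first started during request processing or context startup keeps the WebappClassLoader reachable after the context is stopped) can be reproduced without Tomcat. The following is an added example, not Tomcat or JDK code: an empty URLClassLoader stands in for the WebappClassLoader, the thread name and the withTccl helper are hypothetical, and the save/set/restore idiom in the second case is the kind of wrapper a container can put around code known to spawn threads so that the thread ends up with the loader that should own it.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.Callable;

/**
 * Added example (not Tomcat code): shows TCCL inheritance by a new Thread and
 * the save/set/restore idiom that keeps a web application's loader from being
 * pinned by a long-lived thread such as the SunPKCS11 token poller.
 */
public class TcclInheritanceDemo {

    /** Starts a thread and reports which context class loader it observed. */
    static ClassLoader tcclSeenByNewThread() throws InterruptedException {
        final ClassLoader[] seen = new ClassLoader[1];
        Thread t = new Thread(
                () -> seen[0] = Thread.currentThread().getContextClassLoader(),
                "demo-poller");            // hypothetical name, stands in for "Poller SunPKCS11-..."
        t.start();
        t.join();
        return seen[0];
    }

    /** Runs body with loader as the current thread's TCCL, restoring the previous TCCL afterwards. */
    static <T> T withTccl(ClassLoader loader, Callable<T> body) throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader saved = current.getContextClassLoader();
        current.setContextClassLoader(loader);
        try {
            return body.call();
        } finally {
            current.setContextClassLoader(saved);   // never leave the switched loader behind
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader system = ClassLoader.getSystemClassLoader();
        // Stand-in for a WebappClassLoader: an empty child of the system loader.
        ClassLoader webapp = new URLClassLoader(new URL[0], system);

        // Case 1: the thread is started while the webapp loader is the TCCL, which is the
        // situation during request processing or context start. The child inherits it and
        // would be reported by clearReferencesThreads when the context is stopped.
        ClassLoader leaked = withTccl(webapp, TcclInheritanceDemo::tcclSeenByNewThread);
        System.out.println("started under webapp TCCL, child TCCL is the webapp loader: "
                + (leaked == webapp));

        // Case 2: the container switches to the loader that should own the thread before
        // triggering the code that starts it, then restores the original TCCL.
        ClassLoader detached = withTccl(system, TcclInheritanceDemo::tcclSeenByNewThread);
        System.out.println("started under system TCCL, child TCCL is the system loader: "
                + (detached == system));
    }
}
```

Case 1 is the leak pattern: the thread outlives the context, so the loader and every class it defined stay reachable. Case 2 is why the timing question in the thread matters; if the poller was first created by some JDK code path that happened to run with the manager's loader as TCCL, the fix is to make that first trigger happen under the system loader rather than to hunt for who calls the provider.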
DO NOT REPLY [Bug 48600] Performance issue with tags
https://issues.apache.org/bugzilla/show_bug.cgi?id=48600

--- Comment #12 from Philippe Prados 2010-05-07 11:11:28 EDT ---
Do you do something to optimize the code?
svn commit: r942157 - in /tomcat/trunk: java/org/apache/catalina/filters/Constants.java java/org/apache/catalina/filters/CsrfPreventionFilter.java webapps/docs/config/filter.xml
Author: markt Date: Fri May 7 17:38:03 2010 New Revision: 942157 URL: http://svn.apache.org/viewvc?rev=942157&view=rev Log: Add a simple CSRF prevention filter. It has been tested with the Tomcat 6 manager app and a back-port proposal will follow shortly. Added: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (with props) Modified: tomcat/trunk/java/org/apache/catalina/filters/Constants.java tomcat/trunk/webapps/docs/config/filter.xml Modified: tomcat/trunk/java/org/apache/catalina/filters/Constants.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/Constants.java?rev=942157&r1=942156&r2=942157&view=diff == --- tomcat/trunk/java/org/apache/catalina/filters/Constants.java (original) +++ tomcat/trunk/java/org/apache/catalina/filters/Constants.java Fri May 7 17:38:03 2010 @@ -31,4 +31,9 @@ public final class Constants { public static final String Package = "org.apache.catalina.filters"; +public static final String CSRF_NONCE_SESSION_ATTR_NAME = +"org.apache.catalina.filters.CSRF_NONCE"; + +public static final String CSRF_NONCE_REQUEST_PARAM = +"org.apache.catalina.filters.CSRF_NONCE"; } Added: tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java?rev=942157&view=auto == --- tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java (added) +++ tomcat/trunk/java/org/apache/catalina/filters/CsrfPreventionFilter.java Fri May 7 17:38:03 2010 
@@ -0,0 +1,190 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.catalina.filters; + +import java.io.IOException; +import java.util.Random; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpServletResponseWrapper; + +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; + +/** + * Provides basic CSRF protection for a web application. 
The filter assumes + * that: + * + * The filter is mapped to /* + * {...@link HttpServletResponse#encodeRedirectURL(String)} and + * {...@link HttpServletResponse#encodeURL(String)} are used to encode all URLs + * returned to the client + * + */ +public class CsrfPreventionFilter extends FilterBase { + +private static final Log log = +LogFactory.getLog(CsrfPreventionFilter.class); + +private final Random randomSource = new Random(); + +@Override +protected Log getLogger() { +return log; +} + +public void doFilter(ServletRequest request, ServletResponse response, +FilterChain chain) throws IOException, ServletException { + +ServletResponse wResponse = null; + +if (request instanceof HttpServletRequest && +response instanceof HttpServletResponse) { + +HttpServletRequest req = (HttpServletRequest) request; +HttpServletResponse res = (HttpServletResponse) response; + +String previousNonce = +req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM); +String expectedNonce = (String) req.getSession(true).getAttribute( +Constants.CSRF_NONCE_SESSION_ATTR_NAME); + +if (expectedNonce != null && !expectedNonce.equals(previousNonce)) { +res.sendError(HttpServletResponse.SC_FORBIDDEN); +return; +} + +String newNonce = generateNonce(); + +req.getSession(true).setAttribute( +Constants.CSRF_NONCE_SESSION_ATTR_NAME, newNonce); + +wResponse = new CsrfResponseWrapper(res, newNonce); +} else { +wResponse = response; +} + +chain.doFilter(re
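Review bot: the nonce source in CsrfPreventionFilter.java is `java.util.Random` (`private final Random randomSource = new Random();`), which is not suitable for a security token: it is a 48-bit linear congruential generator whose state can be recovered from a few observed outputs, and the nonce is visible to anyone who sees an encoded URL. Replace it with `java.security.SecureRandom` (the field type can stay `Random`). Two further points in `doFilter`: `req.getSession(true)` creates a session for every request, including those the filter rejects with 403 a few lines later, so the session should only be created on the success path; and because the single per-session nonce is replaced on every request, a page open in a second browser tab or revisited via the back button will fail with 403, so a small bounded cache of recent nonces is worth considering before the back-port. The bootstrap case (`expectedNonce == null` lets the first request through with no token) is reasonable but should be stated in the class javadoc next to the `/*` mapping assumption.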
CSRF prevention filter and Tomcat 5/6
I'm trying to decide the best way to back-port the configuration of this to the (Host) Manager app in Tomcat 5 & 6. The requirements are:
- not to break anything that currently works
- enable CSRF for the HTML interface
- the same user cannot have access to the HTML and text interfaces for the filter to be effective.

I can't see a way to meet all of these. The options I am considering are:

A: change the role required to access the text interface to manager-text
- consistent with Tomcat 7
- will break tools currently using the manager role

B: comment out the mapping for the text interface
- will break tools currently using the text interface

C: change the role required to access the HTML interface
- not consistent with Tomcat 7
- will break user access to the Manager GUI

D: Don't enable the filter by default but provide instructions on what to do if you do want to enable it in the docs. Something along the lines of:
- uncomment the Filter and filter mapping
- change the role used for the text and jmx interfaces (to match the new names in Tomcat 7)

I am currently leaning towards D along with some changes to the web.xml files that won't change current behaviour but will make it simpler to add the CSRF filter.

Thoughts?

Mark
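The third requirement above (one user must not hold both the HTML and the text role) follows from how the filter works: the nonce check only runs for URLs the filter is mapped to, so a user whose session also grants the unfiltered text interface can still be CSRF'd through it. The following added example (not Tomcat code) reduces the committed filter's synchronizer-token logic to plain Java so it runs without the servlet API: a Map stands in for HttpSession, a path string for the request, SecureRandom replaces java.util.Random, the comparison is constant-time, and the filter mapping is assumed to cover only the HTML interface, which is the back-port configuration under discussion. The paths /html/stop and /stop are used as illustrative manager commands.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Tomcat code): per-session nonce, rotated on every request
 * that passes through the filter, checked only for URLs under the assumed
 * filter mapping.
 */
public class CsrfNonceDemo {

    static final String NONCE_ATTR = "org.apache.catalina.filters.CSRF_NONCE";
    private static final SecureRandom RNG = new SecureRandom();

    /** 128 bits from SecureRandom, hex encoded, so the token cannot be predicted. */
    static String generateNonce() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Assumed filter mapping: only the HTML interface is protected. */
    static boolean coveredByFilter(String path) {
        return path.startsWith("/html");
    }

    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) return false;
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** Status the filter would produce: 200 to continue the chain, 403 to reject. */
    static int filter(Map<String, Object> session, String path, String presentedNonce) {
        if (!coveredByFilter(path)) {
            return 200;                                   // filter never runs for this URL
        }
        String expected = (String) session.get(NONCE_ATTR);
        if (expected != null && !constantTimeEquals(expected, presentedNonce)) {
            return 403;                                   // missing, guessed or stale nonce
        }
        // Rotate: the response rendered for this request carries a fresh nonce in its
        // encoded URLs, so a forged request needs the value from the victim's last page.
        session.put(NONCE_ATTR, generateNonce());
        return 200;
    }

    static void check(String what, boolean ok) {
        System.out.println((ok ? "PASS " : "FAIL ") + what);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // constructed stand-in for HttpSession

        // Bootstrap: no nonce stored yet, so the first visit to the HTML interface is allowed.
        check("first HTML request passes", filter(session, "/html", null) == 200);
        String fromPage = (String) session.get(NONCE_ATTR);

        // Cross-site forgery: the attacker's page cannot read the victim's nonce.
        check("forged request without nonce is rejected",
              filter(session, "/html/stop?path=/victim", null) == 403);
        check("guessed nonce is rejected",
              filter(session, "/html/stop?path=/victim", "0000") == 403);

        // Legitimate submission from the last rendered page carries the nonce and rotates it.
        check("request with current nonce passes",
              filter(session, "/html/stop?path=/victim", fromPage) == 200);
        check("nonce rotated after use", !fromPage.equals(session.get(NONCE_ATTR)));
        check("reused nonce is rejected",
              filter(session, "/html/stop?path=/victim", fromPage) == 403);

        // Same user, same session, text interface: the mapping does not cover it, so the
        // forgery goes through. This is why the HTML and text roles have to be separated.
        check("text interface is not protected by the filter",
              filter(session, "/stop?path=/victim", null) == 200);
    }
}
```

The last check is the whole argument for options A through C: no change to the filter itself closes that path, only removing the text interface from the session's reachable URLs does, either by mapping or by role.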
Re: clearReferencesThreads, Poller SunPKCS11-Solaris and strange context class loader
On 05/07/2010 08:03 AM, Rainer Jung wrote:
> On 07.05.2010 14:23, Konstantin Kolinko wrote:
>> 2010/5/7 Rainer Jung:
>>> On 07.05.2010 11:00, Konstantin Kolinko wrote:
>>>> 2010/5/7 Rainer Jung:
>>>>> I'm wondering why the PKCS Token Poller thread was captured by the
>>>>> leak prevention. Since we know the code, it was because its context
>>>>> class loader was equal to the WebappClassLoader of /manager. That's
>>>>> what I don't understand. See my original post.
>>>>
>>>> TCCL is inherited from the parent thread. It means that that thread
>>>> was started either during request processing, or during web
>>>> application startup.
>>>
>>> But unfortunately that doesn't provide consistent results.
>>>
>>> If I start Tomcat without any webapp (but with ROOT context) the thread
>>> is started too. The heap dump shows the system cl as the tccl, but
>>> during restart or shutdown the leak prevention retrieves the tccl and
>>> finds it is equal to the WebappClassLoader of the manager.
>>>
>>> I'm confused.
>>>
>>>> BTW, 4th result in http://www.google.com/search?q=SunPKCS11+TokenPoller
>>>> gives source code for that class.
>>>
>>> I'll see, but I guess the point is more about who starts it when and
>>> why, less about what it does.
>>
>> What is this all about, I mean these PKCS11 tokens? Is it something that
>> is used in your configuration?
>
> No, not at all. There's no HTTPS connector, no keystore, no nothing. The
> PKCS11 provider comes with the JDK but I'm not aware of anything that uses
> it. Default Tomcat configuration plus log4j. It's there after JDK start
> with some version of the JDK. It's not there if I only start a plain Java
> test doing only a sleep using the same JDK.

Well, if the app uses java.net.URL to an https URL, then it would make sense that the thread got started with the webapp's class loader.

>> I mean, what are those "tokens" that it works with? (for a newbie) Do
>> you use JAAS?
>
> Not that I'm aware of.
>
>> From the code, e.g. SunPKCS11#uninitToken() calls
>> 1) destroyPoller()
>> 2) createPoller()
>> which restarts the thread. So the one at shutdown time might be different
>> from the one that you see when Tomcat starts.
>
> Hmmm. Will dig deeper over the weekend.
>
> Regards,
> Rainer
Re: CSRF prevention filter and Tomcat 5/6
D (and possibly B)

In the case of B - instead of commenting out - wrap a filter around it that has default behavior of not being enabled. So it would look like this:

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletResponse;

    public class TextInterfaceGate implements Filter {
        private boolean allowTextInterface = false;   // default: text interface off

        public void init(FilterConfig config) {
            // opt in with -Dmanager.allowTextInterface=Y at startup, no web.xml edit
            String s = System.getProperty("manager.allowTextInterface");
            allowTextInterface = "Y".equals(s);
        }

        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            if (allowTextInterface) {
                chain.doFilter(req, resp);                    // explicitly enabled: let it through
            } else {
                ((HttpServletResponse) resp).sendError(403);  // not enabled: block the text interface
            }
        }

        public void destroy() { }
    }

The advantage of a system property is admins don't need to change web.xml. They only need to add a system property on startup, which is something all admins need to do due to GC flags etc. Then for those in the know - they can always rip out the filter from web.xml (which is D anyways)

-Tim

On 5/7/2010 1:50 PM, Mark Thomas wrote:
> I'm trying to decide the best way to back-port the configuration of this
> to the (Host) Manager app in Tomcat 5 & 6. The requirements are:
> - not to break anything that currently works
> - enable CSRF for the HTML interface
> - the same user cannot have access to the HTML and text interfaces for
> the filter to be effective.
>
> I can't see a way to meet all of these. The options I am considering are:
>
> A: change the role required to access the text interface to manager-text
> - consistent with Tomcat 7
> - will break tools currently using the manager role
>
> B: comment out the mapping for the text interface
> - will break tools currently using the text interface
>
> C: change the role required to access the HTML interface
> - not consistent with Tomcat 7
> - will break user access to the Manager GUI
>
> D: Don't enable the filter by default but provide instructions on what to
> do if you do want to enable it in the docs. Something along the lines of:
> - uncomment the Filter and filter mapping
> - change the role used for the text and jmx interfaces (to match the new
> names in Tomcat 7)