DIGEST auth in Tomcat 9 — browsers sending SHA-256 to MD5 server, how to adapt?

[DIGLLOYD]

ISSUE: users cannot login to my site.
CAUSE: Firefox and Chrome are sending SHA-256 DIGEST auth, which is MD5 (Safari 
uses MD5 which is working fine)

Details:
- Tomcat 9.0.98
- DIGEST auth using MD5
- has been working for 15+ years just fine.
- have read all available Tomcat docs, searched web for answers, etc.

Debugging so far:

Custom Realm in use purpose of managing auth info, but it otherwise defers to 
org.apache.catalina.realm.RealmBase.  
CredentialHandler: eg 

By instrumenting this realm, I have determined the following:

- Firefox and Chrome are sending  SHA-256 DIGEST to my server, which is using 
MD5.  Guaranteed failure since wrong digest.
- Safari is sending MD5, which works fine
- Realm uses standard 

Thoughts:

I would have thought that Tomcat would be replying to a client by advertising 
the correct algorithm.

Possibilities:
1.  Tomcat is not properly advising the client that MD5 is required.
2.  The spec is somehow deficient so that client and server do not know what is 
required.
3.  The clients (Firefox and Chrome) are doing it wrong.
4.  Something needs to be configured that I have not configured.

Lloyd Chambers




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: DIGEST auth in Tomcat 9 — browsers sending SHA-256 to MD5 server, how to adapt?

[DIGLLOYD]

Yes, it is returning the digest without modification. That’s not the issue.

There are three options:
(1) require MD5 only
(2) require SHA-256 only
(3) allow either MD5 or SHA-256

#2 is not an option since some browsers (eg Safari) do not yet support SHA-256. 
And SHA-256 will never be supported on millions of computers because they will 
never get upgraded to the latest OS/browser.

issue:  getPassword(username) has no parameter specifying algorithm MD5 or 
SHA-256. Therefore, it cannot be used.

My solution is to override getDigest(String username, String realmName, String 
algorithm), and return the digest for the actual algorithm.

If I am missing something, I’d like to hear it but I don’t see an alternative.



> On Dec 13, 2024, at 11:16:50, Christopher Schultz 
>  wrote:
> 
> Lloyd,
> 
> On 12/13/24 11:47 AM, DIGLLOYD wrote:
>> BTW, I was able to support *both* MD5 and SHA-256  in my subclass of 
>> org.apache.catalina.realm.RealmBase
>> ISSUE:  org.apache.catalina.realm.RealmBas.getPassword(final String 
>> username) affords no means to know *which* algorithm ie which digest to 
>> return.
>> I dealt with this by subclassing org.apache.catalina.realm.RealmBase:
>> 1.  Overriding getDigest(String username, String realmName, String 
>> algorithm) for the algorithm, returning the appropriate digest based on the 
>> actual algorithm.
>> 2.  getPassword(String username) never gets used because of #1.
>> 3.  Storing both MD5 and SHA-256 digests
>> In this way, I can support both MD5 and SHA-256. I don’t know if this was a 
>> good idea or not, but it is working as desired.
>> Should org.apache.catalina.realm.RealmBase should be improved to be  
>> getPassword(String username, String algorithm) instead of getPassword(String 
>> username)?
> 
> No, getPassword should be returning the stored credential without 
> modification. It's odd that you have multiple credentials stored.
> 
> -chris
> 
>>> On Dec 13, 2024, at 02:23:38, Mark Thomas  wrote:
>>> 
>>> On 13/12/2024 00:39, DIGLLOYD wrote:
>>>> ISSUE: users cannot login to my site.
>>>> CAUSE: Firefox and Chrome are sending SHA-256 DIGEST auth, which is MD5 
>>>> (Safari uses MD5 which is working fine)
>>>> 
>>>> Details:
>>>> - Tomcat 9.0.98
>>>> - DIGEST auth using MD5
>>>> - has been working for 15+ years just fine.
>>>> - have read all available Tomcat docs, searched web for answers, etc.
>>>> 
>>>> Debugging so far:
>>>> 
>>>> Custom Realm in use purpose of managing auth info, but it otherwise defers 
>>>> to org.apache.catalina.realm.RealmBase.
>>>> CredentialHandler: eg >>> className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
>>>> algorithm="MD5"  />
>>> 
>>> So you have DIGEST authentication with digested credentials.
>>> 
>>> That will work as long as DIGEST authentication uses the same digest as
>>> the credentials. In this case: MD5.
>>> 
>>> By default, Tomcat advertises support for both SHA-256 and MD5 with
>>> DIGEST authentication. Browsers should choose SHA-256 given those
>>> options. To change that, you need to set the algorithms attribute for
>>> the DIGEST authentication Valve to "MD5" so the Valve only advertises MD5.
>>> 
>>> https://tomcat.apache.org/tomcat-11.0-doc/config/valve.html#Digest_Authenticator_Valve
>>> 
>>> Note the comment in the introduction to that section.
>>> 
>>> Mark
>>> 
>>> 
>>>> 
>>>> By instrumenting this realm, I have determined the following:
>>>> 
>>>> - Firefox and Chrome are sending  SHA-256 DIGEST to my server, which is 
>>>> using MD5.  Guaranteed failure since wrong digest.
>>>> - Safari is sending MD5, which works fine
>>>> - Realm uses standard
>>>> 
>>>> Thoughts:
>>>> 
>>>> I would have thought that Tomcat would be replying to a client by 
>>>> advertising the correct algorithm.
>>>> 
>>>> Possibilities:
>>>> 1.  Tomcat is not properly advising the client that MD5 is required.
>>>> 2.  The spec is somehow deficient so that client and server do not know 
>>>> what is required.
>>>> 3.  The clients (Firefox and Chrome) are doing it wrong.
>>>> 4.  Something needs to be configured that I have not configured.
>>>> 
>>>> Lloyd Chambers
>>>> 
>>>> 
>>>

Re: DIGEST auth in Tomcat 9 — browsers sending SHA-256 to MD5 server, how to adapt?

[DIGLLOYD]

Agreed, it is probably pointless to support SHA-256, given the hard requirement 
of supporting MD5 in older browsers for many years to come.

OTOH, running any kind of DIGEST over TLS and storing zero sensitive info on 
server is completely acceptable for my own use case.

> On Dec 13, 2024, at 11:37:27, Christopher Schultz 
>  wrote:
> 
> Lloyd,
> 
> On 12/13/24 2:32 PM, DIGLLOYD wrote:
>> Yes, it is returning the digest without modification. That’s not the issue.
>> 
>> There are three options:
>> (1) require MD5 only
>> (2) require SHA-256 only
>> (3) allow either MD5 or SHA-256
>> 
>> #2 is not an option since some browsers (eg Safari) do not yet support 
>> SHA-256.
>> And SHA-256 will never be supported on millions of computers because they 
>> will never get upgraded to the latest OS/browser.
>> 
>> issue:  getPassword(username) has no parameter specifying algorithm MD5 or 
>> SHA-256. Therefore, it cannot be used.
>> 
>> My solution is to override getDigest(String username, String realmName, 
>> String algorithm), and return the digest for the actual algorithm.
>> 
>> If I am missing something, I’d like to hear it but I don’t see an 
>> alternative.
>>>  className="org.apache.catalina.authenticator.DigestAuthenticator" ...
> algorithms="SHA-256,MD5" />
> 
> It's almost as if HTTP DIGEST authentication cannot be made both secure
> and backward-compatible.
> 
> -chris
> 
>>> On Dec 13, 2024, at 11:16:50, Christopher Schultz 
>>>  wrote:
>>> 
>>> Lloyd,
>>> 
>>> On 12/13/24 11:47 AM, DIGLLOYD wrote:
>>>> BTW, I was able to support *both* MD5 and SHA-256  in my subclass of 
>>>> org.apache.catalina.realm.RealmBase
>>>> ISSUE:  org.apache.catalina.realm.RealmBas.getPassword(final String 
>>>> username) affords no means to know *which* algorithm ie which digest to 
>>>> return.
>>>> I dealt with this by subclassing org.apache.catalina.realm.RealmBase:
>>>> 1.  Overriding getDigest(String username, String realmName, String 
>>>> algorithm) for the algorithm, returning the appropriate digest based on 
>>>> the actual algorithm.
>>>> 2.  getPassword(String username) never gets used because of #1.
>>>> 3.  Storing both MD5 and SHA-256 digests
>>>> In this way, I can support both MD5 and SHA-256. I don’t know if this was 
>>>> a good idea or not, but it is working as desired.
>>>> Should org.apache.catalina.realm.RealmBase should be improved to be  
>>>> getPassword(String username, String algorithm) instead of 
>>>> getPassword(String username)?
>>> 
>>> No, getPassword should be returning the stored credential without 
>>> modification. It's odd that you have multiple credentials stored.
>>> 
>>> -chris
>>> 
>>>>> On Dec 13, 2024, at 02:23:38, Mark Thomas  wrote:
>>>>> 
>>>>> On 13/12/2024 00:39, DIGLLOYD wrote:
>>>>>> ISSUE: users cannot login to my site.
>>>>>> CAUSE: Firefox and Chrome are sending SHA-256 DIGEST auth, which is MD5 
>>>>>> (Safari uses MD5 which is working fine)
>>>>>> 
>>>>>> Details:
>>>>>> - Tomcat 9.0.98
>>>>>> - DIGEST auth using MD5
>>>>>> - has been working for 15+ years just fine.
>>>>>> - have read all available Tomcat docs, searched web for answers, etc.
>>>>>> 
>>>>>> Debugging so far:
>>>>>> 
>>>>>> Custom Realm in use purpose of managing auth info, but it otherwise 
>>>>>> defers to org.apache.catalina.realm.RealmBase.
>>>>>> CredentialHandler: eg >>>>> className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
>>>>>> algorithm="MD5"  />
>>>>> 
>>>>> So you have DIGEST authentication with digested credentials.
>>>>> 
>>>>> That will work as long as DIGEST authentication uses the same digest as
>>>>> the credentials. In this case: MD5.
>>>>> 
>>>>> By default, Tomcat advertises support for both SHA-256 and MD5 with
>>>>> DIGEST authentication. Browsers should choose SHA-256 given those
>>>>> options. To change that, you need to set the algorithms attribute for
>>>>> the DIGEST authentication Valve to "MD5" so the Valve only advertise

Re: DIGEST auth in Tomcat 9 — browsers sending SHA-256 to MD5 server, how to adapt?

[DIGLLOYD]

BTW, I was able to support *both* MD5 and SHA-256  in my subclass of 
org.apache.catalina.realm.RealmBase

ISSUE:  org.apache.catalina.realm.RealmBas.getPassword(final String username) 
affords no means to know *which* algorithm ie which digest to return.

I dealt with this by subclassing org.apache.catalina.realm.RealmBase:
1.  Overriding getDigest(String username, String realmName, String algorithm) 
for the algorithm, returning the appropriate digest based on the actual 
algorithm.   
2.  getPassword(String username) never gets used because of #1.
3.  Storing both MD5 and SHA-256 digests

In this way, I can support both MD5 and SHA-256. I don’t know if this was a 
good idea or not, but it is working as desired.

Should org.apache.catalina.realm.RealmBase should be improved to be  
getPassword(String username, String algorithm) instead of getPassword(String 
username)?

Lloyd

> On Dec 13, 2024, at 02:23:38, Mark Thomas  wrote:
> 
> On 13/12/2024 00:39, DIGLLOYD wrote:
>> ISSUE: users cannot login to my site.
>> CAUSE: Firefox and Chrome are sending SHA-256 DIGEST auth, which is MD5 
>> (Safari uses MD5 which is working fine)
>> 
>> Details:
>> - Tomcat 9.0.98
>> - DIGEST auth using MD5
>> - has been working for 15+ years just fine.
>> - have read all available Tomcat docs, searched web for answers, etc.
>> 
>> Debugging so far:
>> 
>> Custom Realm in use purpose of managing auth info, but it otherwise defers 
>> to org.apache.catalina.realm.RealmBase.
>> CredentialHandler: eg > className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
>> algorithm="MD5"  />
> 
> So you have DIGEST authentication with digested credentials.
> 
> That will work as long as DIGEST authentication uses the same digest as
> the credentials. In this case: MD5.
> 
> By default, Tomcat advertises support for both SHA-256 and MD5 with
> DIGEST authentication. Browsers should choose SHA-256 given those
> options. To change that, you need to set the algorithms attribute for
> the DIGEST authentication Valve to "MD5" so the Valve only advertises MD5.
> 
> https://tomcat.apache.org/tomcat-11.0-doc/config/valve.html#Digest_Authenticator_Valve
> 
> Note the comment in the introduction to that section.
> 
> Mark
> 
> 
>> 
>> By instrumenting this realm, I have determined the following:
>> 
>> - Firefox and Chrome are sending  SHA-256 DIGEST to my server, which is 
>> using MD5.  Guaranteed failure since wrong digest.
>> - Safari is sending MD5, which works fine
>> - Realm uses standard
>> 
>> Thoughts:
>> 
>> I would have thought that Tomcat would be replying to a client by 
>> advertising the correct algorithm.
>> 
>> Possibilities:
>> 1.  Tomcat is not properly advising the client that MD5 is required.
>> 2.  The spec is somehow deficient so that client and server do not know what 
>> is required.
>> 3.  The clients (Firefox and Chrome) are doing it wrong.
>> 4.  Something needs to be configured that I have not configured.
>> 
>> Lloyd Chambers
>> 
>> 
>> 
>> 
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: DIGEST auth in Tomcat 9 — browsers sending SHA-256 to MD5 server, how to adapt?

[DIGLLOYD]

Thank you Mark.  

DIGEST, and in Tomcat 9 (not 11). Not sure if 9 vs 11 matters.

Sure enough, I missed “algorithms” attribute  in .   Having that config 
for ~15 years and then having things start to fail led me down the wrong path 
it seem.

I did 3 things wrong:
- just did not see “algorithms” in the  docs
- “algorithm” vs “algorithms” in the 
-  algorithm=“MD5”  in MessageDigestCredentialHandler.  Whose code looks to be 
incapable of handling both algorithms eg getPassword() omits the algorithm so 
there is no way to know except in getDigest()


Lloyd

> On Dec 13, 2024, at 02:23:38, Mark Thomas  wrote:
> 
> On 13/12/2024 00:39, DIGLLOYD wrote:
>> ISSUE: users cannot login to my site.
>> CAUSE: Firefox and Chrome are sending SHA-256 DIGEST auth, which is MD5 
>> (Safari uses MD5 which is working fine)
>> 
>> Details:
>> - Tomcat 9.0.98
>> - DIGEST auth using MD5
>> - has been working for 15+ years just fine.
>> - have read all available Tomcat docs, searched web for answers, etc.
>> 
>> Debugging so far:
>> 
>> Custom Realm in use purpose of managing auth info, but it otherwise defers 
>> to org.apache.catalina.realm.RealmBase.
>> CredentialHandler: eg > className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
>> algorithm="MD5"  />
> 
> So you have DIGEST authentication with digested credentials.
> 
> That will work as long as DIGEST authentication uses the same digest as
> the credentials. In this case: MD5.
> 
> By default, Tomcat advertises support for both SHA-256 and MD5 with
> DIGEST authentication. Browsers should choose SHA-256 given those
> options. To change that, you need to set the algorithms attribute for
> the DIGEST authentication Valve to "MD5" so the Valve only advertises MD5.
> 
> https://tomcat.apache.org/tomcat-11.0-doc/config/valve.html#Digest_Authenticator_Valve
> 
> Note the comment in the introduction to that section.
> 
> Mark
> 
> 
>> 
>> By instrumenting this realm, I have determined the following:
>> 
>> - Firefox and Chrome are sending  SHA-256 DIGEST to my server, which is 
>> using MD5.  Guaranteed failure since wrong digest.
>> - Safari is sending MD5, which works fine
>> - Realm uses standard
>> 
>> Thoughts:
>> 
>> I would have thought that Tomcat would be replying to a client by 
>> advertising the correct algorithm.
>> 
>> Possibilities:
>> 1.  Tomcat is not properly advising the client that MD5 is required.
>> 2.  The spec is somehow deficient so that client and server do not know what 
>> is required.
>> 3.  The clients (Firefox and Chrome) are doing it wrong.
>> 4.  Something needs to be configured that I have not configured.
>> 
>> Lloyd Chambers
>> 
>> 
>> 
>> 
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Session lost when switching from https to http after upgrade to Tomcat 6

[DIGLLOYD INC]

I've been having the same issues others have been asking about.  This  
discussion has been useful, but...


===> What is a viable workaround for switching to http from https once  
the user is authenticated?  And is that idea unreasonable (see use  
case below).


My main concern is that sending large amounts of static content over  
https (large JPEGs in particular) will cause an undue load on the  
server, as opposed to 'http'.


Here is my use case:

1.  The user's password should be protected over https when logging  
in.  Ditto for the user's home page.


2.  Once logged in, a large amount of static content (html, large  
JPEGs, etc) is available to that user.  None of it is of a sensitive  
nature.


3. While it's true that the sessionid could be hijacked, an attacker  
would need the user's actual password to do anything malicious; there  
isn't any sensitive user data, just access to content.  So having  
sessionid travel over plain http would be fine.


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]




On Jun 7, 2008, at 3:40 AM, Mark Thomas wrote:



The application may be trivial, but not the user's password.
If the functionality is important enough to protect with a password  
over SSL then the session ID, which for most applications will give  
access to that functionality, should usually be protected in the  
same way. There will be some exceptions to this. Protected the  
session by other means is one possibility.



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

how to populate database with SHA hash for DIGEST

[DIGLLOYD INC]

How to produce the hashed password when using auth-method DIGEST ?

Everything works with cleartext passwords using the following login- 
config in web.xml:



DIGEST
DIGLLOYD.COM


and in context.xml:

connectionName="test"
connectionPassword="test123" connectionURL="jdbc:mysql:// 
localhost/test"

driverName="com.mysql.jdbc.Driver"
userTable="UserAuth" userNameCol="username"  
userCredCol="password"

userRoleTable="UserRole" roleNameCol="role"  />

Now I want to add attribute digest="SHA" to the  above.  What  
value to insert for the password in the database? Following the Tomcat  
6 docs, I tried inserting the value produced by the following:


String credentials = username + ":" + "DIGLLOYD.COM" + ":" + password;
org.apache.catalina.realm.RealmBase.Digest( credentials, "SHA", null);

(http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html)

I've verified that the DB contains the hash values produced by Digest().

It isn't working; all attempts to login fail.

Help is greatly appreciated.

Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]




On Apr 22, 2008, at 9:37 AM, Mark Thomas wrote:


DIGLLOYD INC wrote:
Is the realm the  specified in the  in  
web.xml? (eg "Tomcat Manager Application")

Yes.

(link above) suggest "localhost:80" might be the realm, but that  
makes no sense to me, as this would tie it to a specific port.

That is the default you get if you don't specify one.

The book I have -- "Tomcat, The Definitive Guide, 2nd Edition" is  
in conflict with the above documentation, making no mention of  
digesting with the username and realm.  The book suggest doing:

bin/digest.sh -a MD5 user-password
As does the docs. This is for digested passwords with BASIC or FORM  
auth.



But the tomcat 6 docs referenced above suggest doing:
bin/digest.sh -a MD5 username:realm-name:password

This is for digested passwords with DIGEST auth.


--obviously very different approaches!

Because they have different uses.

Mark


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: how to populate database with SHA hash for DIGEST

[DIGLLOYD INC]

Answer:  SHA just doesn't work.  MD5 works fine.  I presume this is  
because the browser has no idea what algorithm to use, and just always  
uses MD5.


Lloyd


On Aug 17, 2008, at 9:11 PM, DIGLLOYD INC wrote:


How to produce the hashed password when using auth-method DIGEST ?

Everything works with cleartext passwords using the following login- 
config in web.xml:


   
   DIGEST
   DIGLLOYD.COM
   

and in context.xml:

   connectionName="test"
   connectionPassword="test123" connectionURL="jdbc:mysql:// 
localhost/test"

   driverName="com.mysql.jdbc.Driver"
   userTable="UserAuth" userNameCol="username"  
userCredCol="password"

   userRoleTable="UserRole" roleNameCol="role"  />

Now I want to add attribute digest="SHA" to the  above.  What  
value to insert for the password in the database? Following the  
Tomcat 6 docs, I tried inserting the value produced by the following:


String credentials = username + ":" + "DIGLLOYD.COM" + ":" + password;
org.apache.catalina.realm.RealmBase.Digest( credentials, "SHA", null);

(http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html)

I've verified that the DB contains the hash values produced by  
Digest().


It isn't working; all attempts to login fail.

Help is greatly appreciated.

Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]




On Apr 22, 2008, at 9:37 AM, Mark Thomas wrote:


DIGLLOYD INC wrote:
Is the realm the  specified in the  in  
web.xml? (eg "Tomcat Manager Application")

Yes.

(link above) suggest "localhost:80" might be the realm, but that  
makes no sense to me, as this would tie it to a specific port.

That is the default you get if you don't specify one.

The book I have -- "Tomcat, The Definitive Guide, 2nd Edition" is  
in conflict with the above documentation, making no mention of  
digesting with the username and realm.  The book suggest doing:

bin/digest.sh -a MD5 user-password
As does the docs. This is for digested passwords with BASIC or FORM  
auth.



But the tomcat 6 docs referenced above suggest doing:
bin/digest.sh -a MD5 username:realm-name:password

This is for digested passwords with DIGEST auth.


--obviously very different approaches!

Because they have different uses.

Mark


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: how to populate database with SHA hash for DIGEST

[DIGLLOYD INC]

Chris,

I accept your point.

It's too bad the Tomcat "how to" docs don't mention this in a brief  
note.


http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

I'm not on the tomcat developer group, otherwise I'd fix it.

It's even more disappointing that the books I've seen on the subject  
(several) don't mention it either.


Lloyd

Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]
On Aug 18, 2008, at 7:40 AM, Christopher Schultz wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Lloyd,

DIGLLOYD INC wrote:

Answer:  SHA just doesn't work.  MD5 works fine.  I presume this is
because the browser has no idea what algorithm to use, and just  
always

uses MD5.


You should read the definition of HTTP DIGEST auth. It doesn't just
guess at using MD5, it is defined to use MD5.

http://en.wikipedia.org/wiki/Digest_access_authentication

- -chris

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkipifQACgkQ9CaO5/Lv0PBf/wCff+iV7P/jh+rqQiKZC/JXDQbF
b3YAn2Eme7dPn0Wx627jPY5vaofeYni/
=YVhm
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Why GlassFish

[DIGLLOYD INC]

Disclaimer: I am a Glassfish developer, working for Sun.  So you can  
ignore whatever I say. :)


I run Tomcat for my server (diglloyd.com), for specific reasons.   
Glassfish is a terrific product and so is Tomcat.  Which is better  
depends on the goal, as with any product.


Glassfish URL:  https://glassfish.dev.java.net/

Glassfish V2 has a number of differences with Tomcat, here are just a  
few:


- it's a full Java EE compliant server (eg, servlet, ejb, etc)
- it offers a fantastic web-based management interface, along with an  
extensive command-line interface

- it offers an extensive MBean interface for management and monitoring
- support for MySQL and Java DB built in
- commercial support from Sun at a variety of levels

It does indeed incorporate Tomcat, though there are some differences  
with Valves and configuration and deployment.


Glassfish V3 moves to a powerful OSGi-based modular system.  With V3,  
you'll essentially be able to pare a system down to any form you like,  
one that could run (for example), just Tomcat.


Tomcat is a great technology.  Glassfish is too, but has a much wider  
range of features. Sometimes simple is better, sometimes more features  
are better.


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]


On Aug 28, 2008, at 6:31 AM, sam wun wrote:


Hi,



Just a quick question, I found that Tomcat is quite capable with  
servlet

application, but lack of EJB support.

Is GlassFish designed to fill the gaps to support EJB application  
only?




Thanks





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

JDBCRealm.getRoles causes NullPointerException

[DIGLLOYD INC]

I'm running Tomcat 6.0.16 with DIGEST auth using:

MySQL 5.0.51b + mysql-connector-java-5.1.6-bin.jar

Things work well until complete failure: every few days, all  
authentication begins to fail.  When this happens, nothing appears in  
catalina.out to indicate a problem, and unless I restart Tomcat, no  
authentication ever succeeds again.  It begins working immediately  
after Tomcat is restarted.  I've never had to restart MySQL for 2  
months.


The only clue I see in catalina.out is the stack trace below (10 of  
them or so), about 9 hours *prior* to my detecting the authentication  
failure.  However, my access logs show that users logged in  
successfully *after* that series of failures.


I'm not sure where or how to debug this further.  It seems that Tomcat  
is making a bad call to next() which causes the NPE, but that's  
unclear; perhaps it's ResultSetImpl with a problem.  It's also unclear  
why there's a burst of such problems, then no further ones in the log,  
then the hours-later complete failure.


Aug 31, 2008 5:30:48 PM org.apache.catalina.connector.CoyoteAdapter  
service
SEVERE: An exception or error occurred in the container during the  
request processing

java.lang.NullPointerException
	at  
com.mysql.jdbc.ResultSetImpl.setRowPositionValidity(ResultSetImpl.java: 
826)

at com.mysql.jdbc.ResultSetImpl.next(ResultSetImpl.java:7046)
at org.apache.catalina.realm.JDBCRealm.getRoles(JDBCRealm.java:632)
at org.apache.catalina.realm.JDBCRealm.getPrincipal(JDBCRealm.java:596)
at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:400)
	at  
org 
.apache 
.catalina 
.authenticator 
.DigestAuthenticator.findPrincipal(DigestAuthenticator.java:283)
	at  
org 
.apache 
.catalina 
.authenticator 
.DigestAuthenticator.authenticate(DigestAuthenticator.java:176)
	at  
org 
.apache 
.catalina 
.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)

at com.diglloyd.tomcat.BadInputValve.invoke(BadInputValve.java:284)
	at  
org 
.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java: 
128)
	at  
org 
.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java: 
102)
	at  
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java: 
568)
	at  
org 
.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java: 
394)
	at  
org 
.apache 
.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at  
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java: 
286)
	at  
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java: 
844)
	at org.apache.coyote.http11.Http11Protocol 
$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java: 
447)

at java.lang.Thread.run(Thread.java:613)


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

tomcat won't download large files -- out of memory error

[DIGLLOYD INC]

I have some large zip files I want to make available for download.   
When I try to download a 70MB file, tomcat is trying to cache these  
huge files (it seems).  The result is that downloading them always  
fails.  I *want* caching for most everything eg jpegs, html, etc and  
I've set tomcat to use up to 1.5GB of memory.


Is there a way to limit the size of the file that will be cached? It's  
regrettable that failure to cache a file can't gracefully degrade into  
just not caching it.



Sep 25, 2008 9:50:17 PM org.apache.catalina.connector.CoyoteAdapter  
service
SEVERE: An exception or error occurred in the container during the  
request processing

java.lang.OutOfMemoryError: Java heap space
	at  
org 
.apache 
.naming.resources.ProxyDirContext.cacheLoad(ProxyDirContext.java:1571)
	at  
org 
.apache 
.naming.resources.ProxyDirContext.cacheLookup(ProxyDirContext.java:1449)
	at  
org 
.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java: 
283)
	at  
org 
.apache.tomcat.util.http.mapper.Mapper.internalMapWrapper(Mapper.java: 
782)
	at org.apache.tomcat.util.http.mapper.Mapper.internalMap(Mapper.java: 
626)

at org.apache.tomcat.util.http.mapper.Mapper.map(Mapper.java:516)
	at  
org 
.apache 
.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java: 
444)
	at  
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java: 
284)
	at  
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java: 
844)
	at org.apache.coyote.http11.Http11Protocol 
$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java: 
447)

at java.lang.Thread.run(Thread.java:613)


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: tomcat won't download large files -- out of memory error

[DIGLLOYD INC]

I came across the following:

-Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true

at this page: 
http://hillert.blogspot.com/2008/05/if-tomcat-is-running-out-of-memory.html

I haven't tried it yet, and I don't know what it does (limits  
something apparently).


Anyone know?


Lloyd

On Sep 25, 2008, at 10:01 PM, DIGLLOYD INC wrote:

I have some large zip files I want to make available for download.   
When I try to download a 70MB file, tomcat is trying to cache these  
huge files (it seems).  The result is that downloading them always  
fails.  I *want* caching for most everything eg jpegs, html, etc and  
I've set tomcat to use up to 1.5GB of memory.


Is there a way to limit the size of the file that will be cached?  
It's regrettable that failure to cache a file can't gracefully  
degrade into just not caching it.



Sep 25, 2008 9:50:17 PM org.apache.catalina.connector.CoyoteAdapter  
service
SEVERE: An exception or error occurred in the container during the  
request processing

java.lang.OutOfMemoryError: Java heap space
	at  
org 
.apache 
.naming.resources.ProxyDirContext.cacheLoad(ProxyDirContext.java:1571)
	at  
org 
.apache 
.naming.resources.ProxyDirContext.cacheLookup(ProxyDirContext.java: 
1449)
	at  
org 
.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java: 
283)
	at  
org 
.apache 
.tomcat.util.http.mapper.Mapper.internalMapWrapper(Mapper.java:782)
	at  
org.apache.tomcat.util.http.mapper.Mapper.internalMap(Mapper.java:626)

at org.apache.tomcat.util.http.mapper.Mapper.map(Mapper.java:516)
	at  
org 
.apache 
.catalina 
.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:444)
	at  
org 
.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java: 
284)
	at  
org 
.apache.coyote.http11.Http11Processor.process(Http11Processor.java: 
844)
	at org.apache.coyote.http11.Http11Protocol 
$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint 
$Worker.run(JIoEndpoint.java:447)

at java.lang.Thread.run(Thread.java:613)


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: tomcat won't download large files -- out of memory error

[DIGLLOYD INC]

Thanks to multiple people responding to this!

My site diglloyd.com serves almost entirely static content, with many  
large JPEG files.


I have set:
CATALINA_OPTS=-Xmx1024M

That's limiting the JVM to 1GB of memory. And in tomcat/conf/ 
context.xml, I set:


cachingAllowed="true" >


Therein presumably lies the problem.  I'll change CATALINA_OPTS to be  
2GB or so and retry.



Mark, it would be helpful to be able to say "don't cache anything  
larger the N kilobytes/megabytes". I'd probably use a setting of 2MB  
or so for that.


Lloyd

Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]




On Sep 26, 2008, at 4:07 AM, Mark Thomas wrote:


DIGLLOYD INC wrote:
I have some large zip files I want to make available for download.   
When

I try to download a 70MB file, tomcat is trying to cache these huge
files (it seems).  The result is that downloading them always  
fails.  I

*want* caching for most everything eg jpegs, html, etc and I've set
tomcat to use up to 1.5GB of memory.


Do you mean you have set cacheMaxSize="150" on the context?

Which JVM are you using? Particularly, are you using a 32bit or  
64bit JVM?



Is there a way to limit the size of the file that will be cached?

Not at present. The maximum (cacheObjectMaxSize) is set to
(cacheMaxSize/20). I can see a case for making cacheObjectMaxSize
configurable. The cache should probably use the smaller of
(cacheMaxSize/20) and cacheObjectMaxSize.


It's
regrettable that failure to cache a file can't gracefully degrade  
into

just not caching it.
It isn't possible to handle OOMs gracefully. Once they occur you  
have to

assume the JVM is toast and restart it.

Providing you have enough memory configured for the JVM to support the
cache size you have asked for plus the other memory you need to run  
Tomcat,

the cache will be fine and you won't see an OOM.

It appears in this case that the failure is that your JVM doesn't have
enough memory configured. With sufficient memory head room you  
should be
fine. The current cache implementation requires more headroom than  
is the
ideal. Limiting cacheObjectMaxSize should reduce the headroom  
required.


Mark



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: tomcat won't download large files -- out of memory error

[DIGLLOYD INC]

Thanks Mark.

How to force the 64-bit JVM to run?

For now I'm using -Xmx2047M, which solves the immediate problem.

Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.5 Intel, Tomcat 6.0.16]

On Sep 26, 2008, at 11:19 AM, Mark Thomas wrote:


DIGLLOYD INC wrote:

Thanks to multiple people responding to this!

My site diglloyd.com serves almost entirely static content, with many
large JPEG files.

I have set:
CATALINA_OPTS=-Xmx1024M

That's limiting the JVM to 1GB of memory. And in
tomcat/conf/context.xml, I set:

cachingAllowed="true" >


Therein presumably lies the problem.  I'll change CATALINA_OPTS to be
2GB or so and retry.


You'll probably need to be using a 64-bit JVM to set that to 2GB.

Mark, it would be helpful to be able to say "don't cache anything  
larger
the N kilobytes/megabytes". I'd probably use a setting of 2MB or so  
for

that.

cacheObjectMaxSize is now configurable (at least in trunk). The only
limitation is that it can't be greater than cacheMaxSize/20.

Mark



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

replacement for symbolic links to files (Apache httpd to Tomcat)

[DIGLLOYD INC]

I'm converting from an Apache http system.

Thousands of my users have bookmarked http://diglloyd.com/diglloyd/blog.html

With Apache, I symlinked blog.html to the current month's blog.

Now with Tomcat, I see warnings that enabling symlinks is a security
risk.

What is the best way to make blog.html => 2008-03-blog.html ?  (eg if
March 2008 is the current blog)

I realize that I can write a one-line blog.jsp which includes the
current month's blog.  But that won't help users that bookmarked
blog.html.

An http redirect works, but it seems the google search engine is not
enamored of redirects; I don't want to hurt my search ranking.

Lloyd Chambers

Re: replacement for symbolic links to files (Apache httpd to Tomcat)

[DIGLLOYD INC]

No, not behind httpd, but thanks.

On Mar 24, 2008, at 5:22 AM, [EMAIL PROTECTED] wrote:
You can also try redirect at the Apache httpd layer (I assume Tomcat  
is
hidden behind httpd), redirecting blog.html to the 1-liner JSP file  
you

mentioned.

Hai Vu

David Smith <[EMAIL PROTECTED]> wrote on 24/03/2008 08:13:40 AM:


Here's a possibility:

Write the quick and dirty blog jsp, name it blog.html, and then add  
this



to your web.xml file:


 jsp
 blog.html


The idea is to specifically map blog.html to the jsp servlet for jsp
processing.  I haven't tried it, but it seems like it should work.

--David

DIGLLOYD INC wrote:


I'm converting from an Apache http system.

Thousands of my users have bookmarked
http://diglloyd.com/diglloyd/blog.html

With Apache, I symlinked blog.html to the current month's blog.

Now with Tomcat, I see warnings that enabling symlinks is a security
risk.

What is the best way to make blog.html => 2008-03-blog.html ?  (eg  
if

March 2008 is the current blog)

I realize that I can write a one-line blog.jsp which includes the
current month's blog.  But that won't help users that bookmarked
blog.html.

An http redirect works, but it seems the google search engine is not
enamored of redirects; I don't want to hurt my search ranking.

Lloyd Chambers




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: replacement for symbolic links to files (Apache httpd to Tomcat)

[DIGLLOYD INC]

Hassan,

Thanks, this seems like it might be extensible to more than one file  
as well.


I'm new to Servlet programming (though experienced in java), so I  
guess I'll hit the docs to see how to do this, unless you have a code  
snippet handy--thanks.


Lloyd

On Mar 24, 2008, at 6:48 AM, Hassan Schroeder wrote:
On Sun, Mar 23, 2008 at 10:50 PM, DIGLLOYD INC  
<[EMAIL PROTECTED]> wrote:



What is the best way to make blog.html => 2008-03-blog.html ?  (eg if
March 2008 is the current blog)


I'd write a simple Filter that gets the current blog location from a
properties  file -- e.g. blog.html=2008-03-blog.html -- and forwards
to it.

Easy and flexible, a/k/a "cheap 'n' cheerful'  :-)

HTH,
--
Hassan Schroeder  [EMAIL PROTECTED]

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: replacement for symbolic links to files (Apache httpd to Tomcat)

[DIGLLOYD INC]

David,

I'm new to programming Servlets/JSP, I didn't realize a mapping> could just specify a  an not specify a servlet  
class, nor do I understand exactly what this example mapping does (and  
if it does it without other side-effects).


Do you mean to use this in conjunction with a "blog.jsp" which would  
then include blog.html?


Lloyd

On Mar 24, 2008, at 5:13 AM, David Smith wrote:

Here's a possibility:

Write the quick and dirty blog jsp, name it blog.html, and then add  
this to your web.xml file:



jsp
blog.html


The idea is to specifically map blog.html to the jsp servlet for jsp  
processing.  I haven't tried it, but it seems like it should work.


--David

DIGLLOYD INC wrote:


I'm converting from an Apache http system.

Thousands of my users have bookmarked http://diglloyd.com/diglloyd/blog.html

With Apache, I symlinked blog.html to the current month's blog.

Now with Tomcat, I see warnings that enabling symlinks is a security
risk.

What is the best way to make blog.html => 2008-03-blog.html ?  (eg if
March 2008 is the current blog)

I realize that I can write a one-line blog.jsp which includes the
current month's blog.  But that won't help users that bookmarked
blog.html.

An http redirect works, but it seems the google search engine is not
enamored of redirects; I don't want to hurt my search ranking.

Lloyd Chambers




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: PHP problem

[DIGLLOYD INC]

I don't know the answer, but how does one use PHP with Tomcat?   
(Thanks, if you have time for a pointer, I hadn't see docs on this).


On Mar 24, 2008, at 7:23 AM, Jonathan Mast wrote:
Can someone tell me why one project that uses PHP will work in  
tomcat, but

another that also uses PHP won't?

They have idential web.xml files, so that avenue is closed.  I keep on
getting the following message when I try to load one of the pages:
HTTP Status 404 - Servlet php is not available
--

*type* Status report

*message* *Servlet php is not available*

*description* *The requested resource (Servlet php is not available)  
is not

available.*


Environment:
Windows XP
Tomcat 5.5.17


thanks



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: replacement for symbolic links to files (Apache httpd to Tomcat)

[DIGLLOYD INC]

Thanks to both of you.  I'll give it a try.

Lloyd

On Mar 24, 2008, at 8:12 AM, David Smith wrote:
Oh and by the way ... Hassan's idea is really good as well.  For  
that, you just need to write a class that implements the  
javax.servlet.Filter interface and define the servlet in your  
web.xml file.

The servlet spec is an excellent resource for this kind of stuff:

http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

It has docs for the classes/interfaces in javax.servlet as well as  
docs on what's valid in the web.xml file.


--David

DIGLLOYD INC wrote:


David,

I'm new to programming Servlets/JSP, I didn't realize a mapping> could just specify a  an not specify a  
servlet  class, nor do I understand exactly what this example  
mapping does (and  if it does it without other side-effects).


Do you mean to use this in conjunction with a "blog.jsp" which  
would  then include blog.html?


Lloyd

On Mar 24, 2008, at 5:13 AM, David Smith wrote:


Here's a possibility:

Write the quick and dirty blog jsp, name it blog.html, and then  
add  this to your web.xml file:



jsp
blog.html


The idea is to specifically map blog.html to the jsp servlet for  
jsp  processing.  I haven't tried it, but it seems like it should  
work.


--David

DIGLLOYD INC wrote:


I'm converting from an Apache http system.

Thousands of my users have bookmarked http://diglloyd.com/diglloyd/blog.html

With Apache, I symlinked blog.html to the current month's blog.

Now with Tomcat, I see warnings that enabling symlinks is a  
security

risk.

What is the best way to make blog.html => 2008-03-blog.html ?   
(eg if

March 2008 is the current blog)

I realize that I can write a one-line blog.jsp which includes the
current month's blog.  But that won't help users that bookmarked
blog.html.

An http redirect works, but it seems the google search engine is  
not

enamored of redirects; I don't want to hurt my search ranking.

Lloyd Chambers





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: PHP problem

[DIGLLOYD INC]

Thank you--no plans to run PHP right now, actually I'd rather avoid  
it.  But it's on my list of "might do something useful at some point".



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]

On Mar 24, 2008, at 8:00 AM, Pid wrote:

DIGLLOYD INC wrote:
I don't know the answer, but how does one use PHP with Tomcat?   
(Thanks, if you have time for a pointer, I hadn't see docs on this).


You know that every time an admin configures PHP on Tomcat a Java  
developer dies somewhere, right?


There are a couple of ways; configure PHP as CGI or via a proxy  
Servlet.
There's a couple of projects that support this, though I'd suggest  
that if you need PHP support as well as JSP/Servlet, the best  
solution is a combo of Apache HTTP + Tomcat (mod_jk/mod_proxy_ajp) +  
PHP.




To the OP: you didn't specify your tomcat, java, or OS versions,  
which is traditional in this forum.


You should check the following things:

* The tomcat/lib (or tomcat/[server|shared|common]/lib depending on  
your version) contain the right jar files in both installs.


* The catalina.out and other log files may be giving you information  
during startup which could indicate why the PHP servlet isn't  
starting up.





p



On Mar 24, 2008, at 7:23 AM, Jonathan Mast wrote:
Can someone tell me why one project that uses PHP will work in  
tomcat, but

another that also uses PHP won't?

They have idential web.xml files, so that avenue is closed.  I  
keep on

getting the following message when I try to load one of the pages:
HTTP Status 404 - Servlet php is not available
--

*type* Status report

*message* *Servlet php is not available*

*description* *The requested resource (Servlet php is not  
available) is not

available.*


Environment:
Windows XP
Tomcat 5.5.17


thanks

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]








-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: replacement for symbolic links to files (Apache httpd to Tomcat)

[DIGLLOYD INC]

David,

The URL I want to see work is http://diglloyd.com/diglloyd/blog.html   
(currently running on Apache with a symlink currently pointing to  
2008-03-blog.html).


I wrote blog.jsp which includes the current blog file:
<%@ include file="2008-03-blog.html" %>

That works great for:  http://diglloyd.com/diglloyd/blog.jsp

Next, I added this servlet mapping in ROOT/WEB-INF/web.xml (ROOT  
webapp contains diglloyd/blog.html).



    jsp
    /diglloyd/blog.html


(blog.jsp is in the ROOT webapp at /diglloyd/blog.jsp)

I get a 404 error when I do this, same as without the mapping.  Is  
there a path issue (eg the leading "diglloyd")?


Lloyd

On Mar 24, 2008, at 8:05 AM, David Smith wrote:
 ...  takes the name of a servlet  
as defined by the ... element, not the servlet's  
class.  That's what the  ...  element is for.  In  
this case, the jsp servlet is already defined in the global web.xml  
file found at conf/web.xml right next to the server.xml file.   
Please don't edit this web.xml file unless you *really* know what  
you are doing.  Just take a look at it to see how the default  
servlet and the jsp servlet are defined.  Note the separate mapping> element.  There can be more than one of these to map a  
servlet to different paths.


--David

DIGLLOYD INC wrote:


David,

I'm new to programming Servlets/JSP, I didn't realize a mapping> could just specify a  an not specify a  
servlet  class, nor do I understand exactly what this example  
mapping does (and  if it does it without other side-effects).


Do you mean to use this in conjunction with a "blog.jsp" which  
would  then include blog.html?


Lloyd

On Mar 24, 2008, at 5:13 AM, David Smith wrote:


Here's a possibility:

Write the quick and dirty blog jsp, name it blog.html, and then  
add  this to your web.xml file:



jsp
blog.html


The idea is to specifically map blog.html to the jsp servlet for  
jsp  processing.  I haven't tried it, but it seems like it should  
work.


--David

DIGLLOYD INC wrote:


I'm converting from an Apache http system.

Thousands of my users have bookmarked http://diglloyd.com/diglloyd/blog.html

With Apache, I symlinked blog.html to the current month's blog.

Now with Tomcat, I see warnings that enabling symlinks is a  
security

risk.

What is the best way to make blog.html => 2008-03-blog.html ?   
(eg if

March 2008 is the current blog)

I realize that I can write a one-line blog.jsp which includes the
current month's blog.  But that won't help users that bookmarked
blog.html.

An http redirect works, but it seems the google search engine is  
not

enamored of redirects; I don't want to hurt my search ranking.

Lloyd Chambers





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: replacement for symbolic links to files (Apache httpd to Tomcat)

[DIGLLOYD INC]

David/Hassan,

I've written a filter since I couldn't get the   
approach to work.


This is what I've got.  It needs generalization, but it does the job.

My question is this:  what is the right way to forward the request?   
The way I'm doing it bypasses the rest of the filter chain...or does  
the filter chain get reinvoked when the dispatcher forwards the request?


public void doFilter(
final ServletRequest request,
final ServletResponse response,
final FilterChain chain)
throws IOException, ServletException
{
final HttpServletRequest httpRequest =  
(HttpServletRequest)request;


	// very specific handling: forward /diglloyd/blog.html to /diglloyd/ 
blog.jsp

// should be generalized and/or do so based on init parameters
final String queryString = httpRequest.getQueryString();
if ( queryString == null )
{
final String uri = httpRequest.getRequestURI();
    if ( uri.equals( "/diglloyd/blog.html") )
{
final RequestDispatcher disp =  
request.getRequestDispatcher("/diglloyd/blog.jsp");

disp.forward(request, response);
}
}
else
{
chain.doFilter(request, response);
    }
}


    
    maps /diglloyd/blog.html to /diglloyd/blog.jspdescription>

BlogFilter
com.diglloyd.tomcat.BlogFilter
    

BlogFilter
/diglloyd/blog.html




On Mar 24, 2008, at 8:12 AM, David Smith wrote:
Oh and by the way ... Hassan's idea is really good as well.  For  
that, you just need to write a class that implements the  
javax.servlet.Filter interface and define the servlet in your  
web.xml file.

The servlet spec is an excellent resource for this kind of stuff:

http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html

It has docs for the classes/interfaces in javax.servlet as well as  
docs on what's valid in the web.xml file.


--David

DIGLLOYD INC wrote:


David,

I'm new to programming Servlets/JSP, I didn't realize a mapping> could just specify a  an not specify a  
servlet  class, nor do I understand exactly what this example  
mapping does (and  if it does it without other side-effects).


Do you mean to use this in conjunction with a "blog.jsp" which  
would  then include blog.html?


Lloyd

On Mar 24, 2008, at 5:13 AM, David Smith wrote:


Here's a possibility:

Write the quick and dirty blog jsp, name it blog.html, and then  
add  this to your web.xml file:



jsp
blog.html


The idea is to specifically map blog.html to the jsp servlet for  
jsp  processing.  I haven't tried it, but it seems like it should  
work.


--David

DIGLLOYD INC wrote:


I'm converting from an Apache http system.

Thousands of my users have bookmarked http://diglloyd.com/diglloyd/blog.html

With Apache, I symlinked blog.html to the current month's blog.

Now with Tomcat, I see warnings that enabling symlinks is a  
security

risk.

What is the best way to make blog.html => 2008-03-blog.html ?   
(eg if

March 2008 is the current blog)

I realize that I can write a one-line blog.jsp which includes the
current month's blog.  But that won't help users that bookmarked
blog.html.

An http redirect works, but it seems the google search engine is  
not

enamored of redirects; I don't want to hurt my search ranking.

Lloyd Chambers





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: replacement for symbolic links to files (Apache httpd to Tomcat)

[DIGLLOYD INC]

Chuck,

Thanks, but perhaps I don't understand:

- "blog.html" is under /diglloyd eg at http://diglloyd.com/diglloyd/blog.html 
 eg not at the top level of the web app.


Wouldn't "/blog.html" refer to http://diglloyd.com/blog.html ?  That  
would be wrong...


lloyd

On Mar 24, 2008, at 10:58 AM, Caldarale, Charles R wrote:

From: DIGLLOYD INC [mailto:[EMAIL PROTECTED]
Subject: Re: replacement for symbolic links to files (Apache
httpd to Tomcat)


jsp
/diglloyd/blog.html



Take out the "/diglloyd", leaving "/blog.html"; the  is
relative to the webapp.

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE  
PROPRIETARY

MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e- 
mail

and its attachments from all computers.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: replacement for symbolic links to files (Apache httpd to Tomcat)

[DIGLLOYD INC]

Thanks, this worked, I didn't understand the sneaky trick of making  
"blog.html" a jsp file.



jsp


/diglloyd/blog.html


The file "/diglloyd/blog.html" (same as /diglloyd/blog.jsp) so that  
existing user bookmarks will work:


<%@ include file="2008-03-blog.html" %>


On Mar 24, 2008, at 11:30 AM, Caldarale, Charles R wrote:

From: DIGLLOYD INC [mailto:[EMAIL PROTECTED]
Subject: Re: replacement for symbolic links to files (Apache
httpd to Tomcat)



Wouldn't "/blog.html" refer to http://diglloyd.com/blog.html ?  That
would be wrong...


Sorry, I didn't realize your webapp is named "ROOT" (the default
webapp), rather than "diglloyd", so your original value is correct.


(blog.jsp is in the ROOT webapp at /diglloyd/blog.jsp)


However, you didn't follow David's instructions: the above should be
named "blog.html", not "blog.jsp" in order for the servlet mapping  
trick

to work.

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE  
PROPRIETARY

MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e- 
mail

and its attachments from all computers.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Tomcat 6 DIGEST auth

[DIGLLOYD INC]

I've read this doc:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

But I cannot get it to authenticate.

I'm putting the digested password for myusers into tomcat-users.xml as  
directed.


One problem is that it's not at all clear what the realm is--

Is the realm the  specified in the  in  
web.xml? (eg "Tomcat Manager Application")  Or something else?  The  
docs (link above) suggest "localhost:80" might be the realm, but that  
makes no sense to me, as this would tie it to a specific port.


 
BASIC
Tomcat Manager Application
  


The book I have -- "Tomcat, The Definitive Guide, 2nd Edition" is in  
conflict with the above documentation, making no mention of digesting  
with the username and realm.  The book suggest doing:

bin/digest.sh -a MD5 user-password

But the tomcat 6 docs referenced above suggest doing:
bin/digest.sh -a MD5 username:realm-name:password

--obviously very different approaches!


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

hackers sending long URLs to probe site?

[DIGLLOYD INC]

I've have to use a "deny" in a RemoteAddrValve to solve the following  
problem--


A normal URL for my site might be:

http://diglloyd.com/diglloyd/free/Eagles/Eagles.html
eg /diglloyd/free/Eagles/Eagles.html

(check it out if you want to see some unusual eagle photos)

But I see tons of 404 errors, with someone/thing from 62.42.21.210  
(ono.com) doing:


http://diglloyd.com/diglloyd/free/diglloyd/free/Eagles/Eagles.html
http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html
... ad nauseum...

Similar illegal variants are sent for all the other URLs on my site.

I also see illegal requests like this from several sites:

/diglloyd/blog-images/?S=A

Is there a weakness in Tomcat being probed here?
What is the best way to block such things? Ignore them since they just  
return 404 error anyway?  Write a filter to insert a long delay for  
blatantly wrong requests?


I'm not sure if that ono.com represents a single user or an entire  
ISP, so I'm loathe to block it entirely.


Lloyd

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

simple way to rewrite simple URL portion

[DIGLLOYD INC]

I'm looking for a very very basic URL-rewriting filter--simple text  
substitution.  I suppose I can write my own since the functionality I  
need is so limited, but I was hoping there was something built-in in  
Tomcat.


For past reasons, I get requests that include the path "bike/free".   
Right now those all 404 into /errors/error404.html.  The bike/free  
requests will probably stay around for years (hundreds of originating  
links), so I want to permanently map "bike/free" to "diglloyd/free" eg:


http://diglloyd.com/bike/free/...
to:
http://diglloyd.com/diglloyd/free/...

What's the easiest way to alter any URL containing "bike/free" to read  
"diglloyd/free"?


Lloyd


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]

Re: Can we slow down the speed of servlet response ?

[DIGLLOYD INC]

Han,

I think you're barking up the wrong tree here--use a Mock Object (a  
dummy) to stub out your app so it thinks it's calling the Servlet.   
After you've tested your app working, then revert to actually sending  
the request to Tomcat.


If the Servlet provides real data that must come from the servlet,  
wrap the request on the client side, maintaining a queue of requests  
and responses *on the client side*.  Make your app use this client- 
side facility, and have that facility insert the delay when in test  
mode.


Lloyd

On Apr 16, 2008, at 6:24 PM, Wang Han wrote:


Hi all,

The story is:
 http
NM app  <>   servlet

the app sends some request to servlet and will handle the response
after 5 minutes.
But in the servlet side, it handles the request too fast and always
sends response back to app in 30 seconds.

So I wonder is there a way to add some delay in tomcat to slow down
the speed of response?

I know invoking thread.sleep() in servlet is not recommend , so any
other way please?

B.R
Han

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: simple way to rewrite simple URL portion

[DIGLLOYD INC]

Thank you Christopher I'll take a look at the link.  More than I need  
now, but maybe there will be other uses too...


(I'm just running Tomcat standalone, no httpd in front)


On Apr 24, 2008, at 10:01 AM, Christopher Schultz wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Lloyd,

DIGLLOYD INC wrote:
| I'm looking for a very very basic URL-rewriting filter--simple text
| substitution.  I suppose I can write my own since the  
functionality I

| need is so limited, but I was hoping there was something built-in in
| Tomcat.

Not built-in, but definitely exists:

http://tuckey.org/urlrewrite/

| For past reasons, I get requests that include the path "bike/free".
| Right now those all 404 into /errors/error404.html.  The bike/free
| requests will probably stay around for years (hundreds of  
originating
| links), so I want to permanently map "bike/free" to "diglloyd/ 
free" eg:

|
| http://diglloyd.com/bike/free/...
| to:
| http://diglloyd.com/diglloyd/free/...
|
| What's the easiest way to alter any URL containing "bike/free" to  
read

| "diglloyd/free"?

If you are using Apache httpd to front your Tomcat, you can probably  
use

either mod_rewrite (upon which the above urlrewrite was based) or the
simpler RedirecrPermanent directives to achieve the same goal. I  
believe
Apache httpd configuration might be a bit simpler, but don't add  
Apache
httpd to your configuration just for this -- it would be a huge  
waste of

effort and added complexity.

- -chris

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgQvN4ACgkQ9CaO5/Lv0PCzKACdGi0QMyJLcRaZQthBuBjDfmYJ
Ei4AnjhBd5Lkl31zzG/diVHjhmONdJRU
=OIqw
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: hackers sending long URLs to probe site?

[DIGLLOYD INC]

Christopher,

Thank you.  This is helpful.  Sorry about the "hijacked thread", I  
didn't think of that.


Yes, I've double-checked that my site isn't generating the bad links.  
It's all static HTML and I've searched for any duplications, "../../"  
type things, etc. I don't currently generate any URLs, and the sheer  
length of the duplication rules out any basic mistakes in static html.


I have directory indexes turned off, confirmed by seeing 404 codes on  
certain directories in which I don't have index files (intentionally).


Lloyd


On Apr 24, 2008, at 10:12 AM, Christopher Schultz wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Lloyd,

For future reference, please don't "hijack" a thread. You replied to
another message on the list to ask this one. In the future, please
create a brand new message.

DIGLLOYD INC wrote:
| But I see tons of 404 errors, with someone/thing from 62.42.21.210
| (ono.com) doing:
|
| http://diglloyd.com/diglloyd/free/diglloyd/free/Eagles/Eagles.html
|
http://diglloyd.com/diglloyd/free/diglloyd/free/diglloyd/free/Eagles/Eagles.html


Are you sure this isn't a problem with your own site accidentally
generating URLs that are double- or triple-length? You should record  
the

"referer" (sic) header to see where the links are coming from. If
they're coming from your site, you might want to check your own  
software.


| I also see illegal requests like this from several sites:
|
| /diglloyd/blog-images/?S=A

That looks like a URL generated by Apache httpd's "index" feature.  
I've

never used Tomcat's DefaultServlet to serve directory indexes (so I'm
not sure if it uses the same URL syntax for file sorting, etc.), but  
is

it possible that you are serving directory indexes from Tomcat? If so,
then this looks like a legitimate request.

| Is there a weakness in Tomcat being probed here?

Perhaps. But I don't believe there are any known weaknesses around  
this

part of the code. I wouldn't worry about it.

| What is the best way to block such things?

You could write a filter that checks for certain URL patterns and
replies with a 403 (Forbidden) response code.

| Ignore them since they just return 404 error anyway?

That's what I would do.

| Write a filter to insert a long delay for blatantly wrong requests?

Definitely don't do that -- you'd be creating a DOS vector. :(

| I'm not sure if that ono.com represents a single user or an entire  
ISP,

| so I'm loathe to block it entirely.

Lessee...

$ nslookup 62.42.21.210
Server: 192.168.1.40
Address:192.168.1.40#53

Non-authoritative answer:
210.21.42.62.in-addr.arpa   name = 62.42.21.210.dyn.user.ono.com.

Authoritative answers can be found from:
21.42.62.in-addr.arpa   nameserver = dns03.ono.com.
21.42.62.in-addr.arpa   nameserver = dns01.ono.com.
21.42.62.in-addr.arpa   nameserver = dns02.ono.com.

Looks like an ISP. You are probably being visited (or scanned?) by
someone within their network. They probably own a whole class B  
network

or more, so you would go crazy blocking IPs individually.

I would just ignore them unless they start to be a significant portion
of your traffic.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgQv5cACgkQ9CaO5/Lv0PB2bQCeJaqttVqSc99fiZpVJi1sH1i6
r9gAn33e0h7kK10/IhMmIrwsJ3C4GSfn
=xv8f
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: simple way to rewrite simple URL portion

[DIGLLOYD INC]

I've got another issue--

I want to place an index.jsp file in certain directories that simply  
loads another page eg:



This works fine for a page in the same directory.  But my site uses  
relative links heavily, so if I do this:




All that pages relative links don't work, since they seem to be  
relative to the originating directory, not the parent directory.


I want to use relative links, I have a huge amount of static content,  
so this is a real headache.


Any solution to this?  It seems bizarre that a forward doesn't  
reestablish the correct directory.



Lloyd


On Apr 24, 2008, at 10:57 AM, Ken Bowen wrote:


Take a look at

http://tuckey.org/urlrewrite/

I found it very easy to use for exactly the kind of problem you  
described.


P.S. Your eagles are great.

On Apr 24, 2008, at 12:53 PM, DIGLLOYD INC wrote:

I'm looking for a very very basic URL-rewriting filter--simple text  
substitution.  I suppose I can write my own since the functionality  
I need is so limited, but I was hoping there was something built-in  
in Tomcat.


For past reasons, I get requests that include the path "bike/ 
free".  Right now those all 404 into /errors/error404.html.  The  
bike/free requests will probably stay around for years (hundreds of  
originating links), so I want to permanently map "bike/free" to  
"diglloyd/free" eg:


  http://diglloyd.com/bike/free/...
to:
  http://diglloyd.com/diglloyd/free/...

What's the easiest way to alter any URL containing "bike/free" to  
read "diglloyd/free"?


Lloyd


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]







-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

simple JSP redirect to another page -- how to deal with relative URLs

[DIGLLOYD INC]

I previously asked about remapping URLs and got some helpful  
responses. In a nutshell, this was recommended:

http://tuckey.org/urlrewrite/

Looks very good for some purposes.

But I also want to solve a much simpler problem--

I have a very large amount of static content (articles), with each  
article in its own directory.  A main Table of Contents links to the  
start page in each directory, which is *not* index.html (eg some-main- 
page.html).  I don't want to rename or change those pages as they have  
world-wide direct links to them--they have to stay as-is.  But I do  
want to insert an index.jsp page without altering any content.


For many of these folders inserting a trival index.jsp solves the  
index-page problem:

<%@ include file="the-main-page.html" %>

(though I do wonder if google consider this unacceptable duplicate  
content)


My pages all use relative links eg "..", "./", etc.  So this works  
***when the page being included is in the same directory**.


But when the include page is in another directory, none of the  
relative links work.  None of these variants do the right thing; any  
referenced images cannot be found.


<%@ include  file="../ReviewInfo.html" %>



The jsp:forward directive seems perfect, but the flaw of not changing  
the current location (eg no "cd" is done first) makes it useless for  
this purpose.  Or does it?  Is there something I'm missing here?


Alternately, is there some other trivial solution?

URL-rewriting is not appropriate in this case; there is no particular  
pattern, just a fair number of specific cases.  I was hoping for a  
simple 1-line index.jsp in each directory.


Lloyd


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: simple JSP redirect to another page -- how to deal with relative URLs

[DIGLLOYD INC]

David,

Yes, I understand how relative paths work.

The problem is that the jsp include directives:
- include an html page that is *not* in the same directory as the jsp  
page;
- the relative links in the included html file are supposed to be  
relative to their own directory not the directory of the JSP.


eg:
/foo/bar/index.jsp
/foo/some-page.html

index.jsp contains


This doesn't work; a link "images/foo.jpg" in some-page.html ends up  
being /foo/bar/images/foo.jpg instead of /foo/images/foo.jpg.


Lloyd

On Apr 25, 2008, at 12:40 PM, David kerber wrote:


DIGLLOYD INC wrote:
I previously asked about remapping URLs and got some helpful  
responses. In a nutshell, this was recommended:

http://tuckey.org/urlrewrite/

Looks very good for some purposes.

But I also want to solve a much simpler problem--

I have a very large amount of static content (articles), with each  
article in its own directory.  A main Table of Contents links to  
the start page in each directory, which is *not* index.html (eg  
some-main-page.html).  I don't want to rename or change those pages  
as they have world-wide direct links to them--they have to stay as- 
is.  But I do want to insert an index.jsp page without altering any  
content.


For many of these folders inserting a trival index.jsp solves the  
index-page problem:

<%@ include file="the-main-page.html" %>

(though I do wonder if google consider this unacceptable duplicate  
content)


My pages all use relative links eg "..", "./", etc.  So this works  
***when the page being included is in the same directory**.


But when the include page is in another directory, none of the  
relative links work.  None of these variants do the right thing;  
any referenced images cannot be found.


<%@ include  file="../ReviewInfo.html" %>



The jsp:forward directive seems perfect, but the flaw of not  
changing the current location (eg no "cd" is done first) makes it  
useless for this purpose.  Or does it?  Is there something I'm  
missing here?


Alternately, is there some other trivial solution?

URL-rewriting is not appropriate in this case; there is no  
particular pattern, just a fair number of specific cases.  I was  
hoping for a simple 1-line index.jsp in each directory.
Your examples may be simplified from the real thing, but remember  
what the .'s mean:  a single one means the current folder, and a  
double means the parent of the current folder.  So get into another  
directory at the same level (both subfolders of the same parent  
folder), you need to go up with the double dot, and then back down  
into the other folder.  For example, if you are in folder B, which  
is a subfolder of A, and you want to get into C, which is also a  
subfolder of A, you need to do:  ../C/myotherpage.html.


HTH
D



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: simple JSP redirect to another page -- how to deal with relative URLs

[DIGLLOYD INC]

Hassan,

As I said there are other issues.  Making them fixed paths would mean  
I couldn't edit them, copy them (for revisions, etc) without having to  
fix up numerous pages.  And the uses are not only when routed through  
a web server.


Lloyd

On Apr 25, 2008, at 1:08 PM, Hassan Schroeder wrote:

On Fri, Apr 25, 2008 at 1:00 PM, DIGLLOYD INC  
<[EMAIL PROTECTED]> wrote:


The problem is that the jsp include directives:
- include an html page that is *not* in the same directory as the  
jsp page;


I've never -- and that's a long time, web-wise :-) -- liked relative  
paths

for this reason, among others.

If I were you I'd bite the bullet and fix 'em once and for all.

--
Hassan Schroeder  [EMAIL PROTECTED]

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: simple JSP redirect to another page -- how to deal with relative URLs

[DIGLLOYD INC]

Christopher,

Well, I'm not a web expert, so if there's a better way (redirect) I'm  
all ears.


From what I can find by googling, redirects have a slew of issues of  
their own. But I'm a newbie at this, so I might be misunderstanding.


How would I do a redirect in Tomcat for my stated issue, keeping in  
mind that doing so is case-by-case, not a nice regexp pattern.


Lloyd

On Apr 25, 2008, at 1:05 PM, Christopher Schultz wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Lloyd,

DIGLLOYD INC wrote:
| My pages all use relative links eg "..", "./", etc.  So this works
| ***when the page being included is in the same directory**.
|
| But when the include page is in another directory, none of the  
relative
| links work.  None of these variants do the right thing; any  
referenced

| images cannot be found.
|
| <%@ include  file="../ReviewInfo.html" %>
| 
| 

This is a very weird way to do things. You should either generate
content /or/ forward. Why are you doing both?

Instead of using a forward, why not do a redirect? That way, the new
request has the correct URL and your relative paths should be correct.

- -chris

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgSOW4ACgkQ9CaO5/Lv0PCZtgCgwMQ2Nq53WFJV1qA2UtOVT62P
aroAoLf5WOFn4FKM/4PN1TtFukZPSUkI
=/4tC
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: simple JSP redirect to another page -- how to deal with relative URLs

[DIGLLOYD INC]

Thanks, I've tried that.  Including with a full path still makes the  
included file relative to the directory in which the jsp resides.



On Apr 25, 2008, at 1:02 PM, David Smith wrote:

I see the problem.  You could use absolute paths in jsp includes and  
the servlet container would understand them as relative to the  
webapp's root as opposed to the server's root:


Say you have this file layout

webapp
|index.jsp
|article1
|index.jsp
|article1.html
|article2
|index.jsp
|article1.html

article2/index.jsp could simply have  and it would find article1.html in the article1  
folder.


--David

DIGLLOYD INC wrote:
I previously asked about remapping URLs and got some helpful  
responses. In a nutshell, this was recommended:

http://tuckey.org/urlrewrite/

Looks very good for some purposes.

But I also want to solve a much simpler problem--

I have a very large amount of static content (articles), with each  
article in its own directory.  A main Table of Contents links to  
the start page in each directory, which is *not* index.html (eg  
some-main-page.html).  I don't want to rename or change those pages  
as they have world-wide direct links to them--they have to stay as- 
is.  But I do want to insert an index.jsp page without altering any  
content.


For many of these folders inserting a trival index.jsp solves the  
index-page problem:

<%@ include file="the-main-page.html" %>

(though I do wonder if google consider this unacceptable duplicate  
content)


My pages all use relative links eg "..", "./", etc.  So this works  
***when the page being included is in the same directory**.


But when the include page is in another directory, none of the  
relative links work.  None of these variants do the right thing;  
any referenced images cannot be found.


<%@ include  file="../ReviewInfo.html" %>



The jsp:forward directive seems perfect, but the flaw of not  
changing the current location (eg no "cd" is done first) makes it  
useless for this purpose.  Or does it?  Is there something I'm  
missing here?


Alternately, is there some other trivial solution?

URL-rewriting is not appropriate in this case; there is no  
particular pattern, just a fair number of specific cases.  I was  
hoping for a simple 1-line index.jsp in each directory.


Lloyd


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: simple JSP redirect to another page -- how to deal with relative URLs

[DIGLLOYD INC]

David,

I want to redirect perhaps a dozen links in directories that have a  
main page accessed something like:

/stuff/start-page.html

In thinking about this, maybe my best solution is to rename the main  
page to "index.html" for simplicity and use the org.tuckey.web.filters.urlrewrite.UrlRewriteFilter 
 with basic patterns.


Lloyd

On Apr 25, 2008, at 1:38 PM, David Fisher wrote:


Seconded.

DIGLLOYD said the following:

From what I can find by googling, redirects have a slew of issues  
of their own. But I'm a newbie at this, so I might be  
misunderstanding.


The only trouble I've had with redirects is when you redirect to a  
page which redirects to a page which redirects to a page. Browsers  
consider more than a few redirects in a row to be a bad thing and  
they stop. My experience taught me (about 7 years ago) that more  
then 2 was pushing things.


DIGLLOYD are only replacing a single generation of files, as you do  
this "relinking" how many links do you want to "forward" or  
"redirect"?


Regards,
Dave

On Apr 25, 2008, at 3:27 PM, David Smith wrote:

Never mind .. I saw your other responses and the best solution is  
the redirect option.  After following the redirect, the browser  
will have the correct URL for calculating the full url of each of  
the page's resources.


--David

David Smith wrote:
I see the problem.  You could use absolute paths in jsp includes  
and the servlet container would understand them as relative to the  
webapp's root as opposed to the server's root:


Say you have this file layout

webapp
|index.jsp
|article1
|index.jsp
|article1.html
|article2
|index.jsp
|article1.html

article2/index.jsp could simply have  and it would find article1.html in the article1  
folder.


--David

DIGLLOYD INC wrote:
I previously asked about remapping URLs and got some helpful  
responses. In a nutshell, this was recommended:

http://tuckey.org/urlrewrite/

Looks very good for some purposes.

But I also want to solve a much simpler problem--

I have a very large amount of static content (articles), with  
each article in its own directory.  A main Table of Contents  
links to the start page in each directory, which is *not*  
index.html (eg some-main-page.html).  I don't want to rename or  
change those pages as they have world-wide direct links to them-- 
they have to stay as-is.  But I do want to insert an index.jsp  
page without altering any content.


For many of these folders inserting a trival index.jsp solves the  
index-page problem:

<%@ include file="the-main-page.html" %>

(though I do wonder if google consider this unacceptable  
duplicate content)


My pages all use relative links eg "..", "./", etc.  So this  
works ***when the page being included is in the same directory**.


But when the include page is in another directory, none of the  
relative links work.  None of these variants do the right thing;  
any referenced images cannot be found.


<%@ include  file="../ReviewInfo.html" %>



The jsp:forward directive seems perfect, but the flaw of not  
changing the current location (eg no "cd" is done first) makes it  
useless for this purpose.  Or does it?  Is there something I'm  
missing here?


Alternately, is there some other trivial solution?

URL-rewriting is not appropriate in this case; there is no  
particular pattern, just a fair number of specific cases.  I was  
hoping for a simple 1-line index.jsp in each directory.


Lloyd


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: simple JSP redirect to another page -- how to deal with relative URLs

[DIGLLOYD INC]

Thanks for everyone's help on this and my related message.

I found that using org.tuckey.web.filters.urlrewrite.UrlRewriteFilter  
works well: http://tuckey.org/urlrewrite/


With entries like:


/diglloyd/free/CardReaders/CardReaders.html
/diglloyd/free/CardReaders/


(I'm not sure if I should stick "index.html" in the "to" URL)

Lloyd


On Apr 27, 2008, at 1:13 PM, DIGLLOYD INC wrote:


David,

I want to redirect perhaps a dozen links in directories that have a  
main page accessed something like:

/stuff/start-page.html

In thinking about this, maybe my best solution is to rename the main  
page to "index.html" for simplicity and use the org.tuckey.web.filters.urlrewrite.UrlRewriteFilter 
 with basic patterns.


Lloyd

On Apr 25, 2008, at 1:38 PM, David Fisher wrote:


Seconded.

DIGLLOYD said the following:

From what I can find by googling, redirects have a slew of issues  
of their own. But I'm a newbie at this, so I might be  
misunderstanding.


The only trouble I've had with redirects is when you redirect to a  
page which redirects to a page which redirects to a page. Browsers  
consider more than a few redirects in a row to be a bad thing and  
they stop. My experience taught me (about 7 years ago) that more  
then 2 was pushing things.


DIGLLOYD are only replacing a single generation of files, as you do  
this "relinking" how many links do you want to "forward" or  
"redirect"?


Regards,
Dave

On Apr 25, 2008, at 3:27 PM, David Smith wrote:

Never mind .. I saw your other responses and the best solution is  
the redirect option.  After following the redirect, the browser  
will have the correct URL for calculating the full url of each of  
the page's resources.


--David

David Smith wrote:
I see the problem.  You could use absolute paths in jsp includes  
and the servlet container would understand them as relative to  
the webapp's root as opposed to the server's root:


Say you have this file layout

webapp
|index.jsp
|article1
|index.jsp
|article1.html
|article2
|index.jsp
|article1.html

article2/index.jsp could simply have  and it would find article1.html in the article1  
folder.


--David

DIGLLOYD INC wrote:
I previously asked about remapping URLs and got some helpful  
responses. In a nutshell, this was recommended:

http://tuckey.org/urlrewrite/

Looks very good for some purposes.

But I also want to solve a much simpler problem--

I have a very large amount of static content (articles), with  
each article in its own directory.  A main Table of Contents  
links to the start page in each directory, which is *not*  
index.html (eg some-main-page.html).  I don't want to rename or  
change those pages as they have world-wide direct links to them-- 
they have to stay as-is.  But I do want to insert an index.jsp  
page without altering any content.


For many of these folders inserting a trival index.jsp solves  
the index-page problem:

<%@ include file="the-main-page.html" %>

(though I do wonder if google consider this unacceptable  
duplicate content)


My pages all use relative links eg "..", "./", etc.  So this  
works ***when the page being included is in the same directory**.


But when the include page is in another directory, none of the  
relative links work.  None of these variants do the right thing;  
any referenced images cannot be found.


<%@ include  file="../ReviewInfo.html" %>



The jsp:forward directive seems perfect, but the flaw of not  
changing the current location (eg no "cd" is done first) makes  
it useless for this purpose.  Or does it?  Is there something  
I'm missing here?


Alternately, is there some other trivial solution?

URL-rewriting is not appropriate in this case; there is no  
particular pattern, just a fair number of specific cases.  I was  
hoping for a simple 1-line index.jsp in each directory.


Lloyd


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





-
To start a new topic, e-mail: users@tomcat.apache.org
To

Re: Large HTML file not getting compressed despite compressionenabled

[DIGLLOYD INC]

Well, I'm not using APR, just the default connector.

And I cannot get Tomcat to ever compress an HTML or text file of any  
size.  It's as if it completely ignores the setting.


   

I've tried small medium and large html and text files, and it doesn't  
matte whether I set compression to "on", "1024", etc. It just doesn't  
work!


I've verified that it doesn't work by checking the amount of data  
actually transferred over the network.


Lloyd

On Apr 19, 2008, at 8:50 AM, Alex Epshteyn wrote:



I thought about trying without APR, but wasn't sure how to disable  
it (on

Linux).

Anyways, I've worked around this problem by implementing my own  
filter that
serves up a pre-gzipped version of the files that aren't getting  
compressed.


Alex



Caldarale, Charles R wrote:



From: Alex Epshteyn [mailto:[EMAIL PROTECTED]
Subject: Re: Large HTML file not getting compressed despite
compressionenabled

org.apache.coyote.http11.Http11AprProcessor:1504:
   response.getContentLengthLong() returns 4,
instead of the true file size, making it appear
lower than the minimum compression threshold.


Just for grins, have you tried it without APR in the mix?

- Chuck



--
View this message in context: 
http://www.nabble.com/Large-HTML-file-not-getting-compressed-despite-compression-enabled-tp16387385p16784626.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: hackers sending long URLs to probe site?

[DIGLLOYD INC]

It's certainly something nefarious...one of my paths contains  
"diglloyd/free", and I see URLs containing 100 or 200 of that string  
repeated...


On Apr 30, 2008, at 1:58 PM, David Delbecq wrote:


DIGLLOYD INC a écrit :

Christopher,

Thank you.  This is helpful.  Sorry about the "hijacked thread", I  
didn't think of that.


Yes, I've double-checked that my site isn't generating the bad  
links. It's all static HTML and I've searched for any duplications,  
"../../" type things, etc. I don't currently generate any URLs, and  
the sheer length of the duplication rules out any basic mistakes in  
static html.


I have directory indexes turned off, confirmed by seeing 404 codes  
on certain directories in which I don't have index files  
(intentionally).


Lloyd
A bit late to respond, but it might also be a worm infected computer  
trying to probe your server to check if it can be used as an attack  
vector. However, am more used to worms checking for urls containing  
cmd.exe, which probes for security holes in IIS.


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

authenticated but not authorized -- blank page

[DIGLLOYD INC]

I have a webapp 'guest', with two subfolders 'guest1' and 'guest2'.
These are protected by security constraints.


/guest/guest1 has a security constraint requiring role 'guest1'
/guest/guest2 has a security constraint requiring role 'guest2'

Users 'guest1' and 'guest2' map to roles of the same names, and each  
user has its own distinct password.


1.  User 'guest1' logs in successfully and is able to view /guest/ 
guest1/*


2.  Now user guest1 tries to access /guest/guest2.  Since s/he is not  
authorized to access this area, one can expect a failure.


PROBLEM:  the server returns a 404 error when 'guest1' accesses a non- 
authorized area (/guest/guest2).  This results in a blank page in the  
browser-very confusing.  In this case I don't really care, but I have  
other more important situations coming.


QUESTION: shouldn't some kind of "not authorized" error be returned by  
Tomcat?  A 404 error is very confusing for the user.


The web.xml configuration is shown below.


   
   guest
   /*
   


  
blah blah blah
users
org.apache.catalina.UserDatabaseenv-ref-type>

  

  
  

  Guest 1 access
  /_guest1_/*


   guest1

  

  

  Guest 2 access
  /_guest2_/*


   guest2

  

  
  
BASIC
Guest Realm
  

  
  
guest1
guest2
  


Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]

Re: authenticated but not authorized -- blank page

[DIGLLOYD INC]

I was trying to simplify the discussion. The folders are actually  
_guest1_ and _guest2_ and the security constraints match.  Login and  
the mappings work correctly. I just was trying to phrase the  
discussion generally.



On May 2, 2008, at 10:14 AM, Caldarale, Charles R wrote:


From: DIGLLOYD INC [mailto:[EMAIL PROTECTED]
Subject: authenticated but not authorized -- blank page

I have a webapp 'guest', with two subfolders 'guest1' and
'guest2'.


Really?  Because that's not what's in your security constraints:


  /_guest1_/*
  /_guest2_/*


Which is it - with or without the underlines?

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE  
PROPRIETARY

MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e- 
mail

and its attachments from all computers.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: authenticated but not authorized -- blank page

[DIGLLOYD INC]

I found the problem.  In fact, an error 401 is sent, which caused the  
browser to retry somehow, but that resulted in a 404.  My 404 page,  
while specified, did not exist.  So then a blank page results. Or at  
least it seems that this is what is going on.


On May 2, 2008, at 2:38 PM, DIGLLOYD INC wrote:

I was trying to simplify the discussion. The folders are actually  
_guest1_ and _guest2_ and the security constraints match.  Login and  
the mappings work correctly. I just was trying to phrase the  
discussion generally.



On May 2, 2008, at 10:14 AM, Caldarale, Charles R wrote:


From: DIGLLOYD INC [mailto:[EMAIL PROTECTED]
Subject: authenticated but not authorized -- blank page

I have a webapp 'guest', with two subfolders 'guest1' and
'guest2'.


Really?  Because that's not what's in your security constraints:


 /_guest1_/*
 /_guest2_/*


Which is it - with or without the underlines?

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE  
PROPRIETARY

MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e- 
mail

and its attachments from all computers.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: authenticated but not authorized -- blank page

[DIGLLOYD INC]

I'm using:

http://java.sun.com/xml/ns/javaee";
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd 
"

   version="2.5">

I don't read schemas well.  Perhaps if you would be so kind as to  
explain why it's wrong?  Is it because there is more than one name> specified eg it needs to be:



   guest1


guest2



This is what I see in the schema:

http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd


  

  A role-name-key is specified to allow the references
  from the security-role-refs.

  
  
  



Lloyd


On May 4, 2008, at 5:58 AM, Christopher Schultz wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Lloyd,

DIGLLOYD INC wrote:
|   
| guest1
| guest2
|   

Not sure if Tomcat actually cares, but this is an invalid  
configuration.

Look at the DTD or Schema (whichever one you are using) again.

- -chris

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgdsvkACgkQ9CaO5/Lv0PA11gCfY+qjBS8Ps/+Oo6euBrtH2XYX
WG8AmwQua1rRdHt8XZ9R59bUvYprX9MG
=zP74
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Lloyd Chambers
http://diglloyd.com

[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

DigestAuthenticator failure: java.sql.SQLException: Operation not allowed after ResultSet closed

[DIGLLOYD INC]

How can I resolve this issue?  It takes Tomcat own on a regular basis,  
locking out legitimate users.  Looks like JDBCRealm has some kind of  
bug.


Thanks!

Jul 29, 2009 1:46:41 PM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
java.sql.SQLException: Operation not allowed after ResultSet closed
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1055)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:956)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:926)
at com.mysql.jdbc.ResultSetImpl.checkClosed(ResultSetImpl.java:768)
at com.mysql.jdbc.ResultSetImpl.next(ResultSetImpl.java:7008)
at org.apache.catalina.realm.JDBCRealm.getRoles(JDBCRealm.java:632)
at org.apache.catalina.realm.JDBCRealm.getPrincipal(JDBCRealm.java:596)
at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:400)
	at  
org 
.apache 
.catalina 
.authenticator 
.DigestAuthenticator.findPrincipal(DigestAuthenticator.java:283)
	at  
org 
.apache 
.catalina 
.authenticator 
.DigestAuthenticator.authenticate(DigestAuthenticator.java:176)
	at  
org 
.apache 
.catalina 
.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)

at com.diglloyd.tomcat.BadInputValve.invoke(BadInputValve.java:284)
	at  
org 
.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java: 
128)
	at  
org 
.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java: 
102)
	at  
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java: 
568)
	at  
org 
.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java: 
394)
	at  
org 
.apache 
.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at  
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java: 
286)
	at  
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java: 
844)
	at org.apache.coyote.http11.Http11Protocol 
$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java: 
447)

at java.lang.Thread.run(Thread.java:613)


diglloyd:bin lloyd$ ./version
-bash: ./version: No such file or directory
diglloyd:bin lloyd$ ./version.sh
Using CATALINA_BASE:   /web/tomcat
Using CATALINA_HOME:   /web/tomcat
Using CATALINA_TMPDIR: /web/tomcat/temp
Using JRE_HOME:   /System/Library/Frameworks/JavaVM.framework/ 
Versions/CurrentJDK/Home

Server version: Apache Tomcat/6.0.16
Server built:   Jan 28 2008 11:35:29
Server number:  6.0.16.0
OS Name:Mac OS X
OS Version: 10.5.7
Architecture:   i386
JVM Version:1.5.0_19-b02-304
JVM Vendor: Apple Inc.



Lloyd Chambers
http://diglloyd.com
http://macperformanceguide.com/
[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: DigestAuthenticator failure: java.sql.SQLException: Operation not allowed after ResultSet closed

[DIGLLOYD INC]

Thank you, looks like 6.0.19 should fix it, I've upgraded to that.

Lloyd

Lloyd Chambers
http://diglloyd.com
http://macperformanceguide.com/
[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]





On Jul 30, 2009, at 10:28 AM, Konstantin Kolinko wrote:


2009/7/30 DIGLLOYD INC :
How can I resolve this issue?  It takes Tomcat own on a regular  
basis,
locking out legitimate users.  Looks like JDBCRealm has some kind  
of bug.


Thanks!

Jul 29, 2009 1:46:41 PM org.apache.catalina.realm.JDBCRealm getRoles
SEVERE: Exception performing authentication
java.sql.SQLException: Operation not allowed after ResultSet closed
   at com.mysql.jdbc.SQLError.createSQLException(SQLError.java: 
1055)
   at com.mysql.jdbc.SQLError.createSQLException(SQLError.java: 
956)
   at com.mysql.jdbc.SQLError.createSQLException(SQLError.java: 
926)
   at  
com.mysql.jdbc.ResultSetImpl.checkClosed(ResultSetImpl.java:768)

   at com.mysql.jdbc.ResultSetImpl.next(ResultSetImpl.java:7008)
   at  
org.apache.catalina.realm.JDBCRealm.getRoles(JDBCRealm.java:632)

   at
org.apache.catalina.realm.JDBCRealm.getPrincipal(JDBCRealm.java:596)
   at
org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:400)
   at
org 
.apache 
.catalina 
.authenticator 
.DigestAuthenticator.findPrincipal(DigestAuthenticator.java:283)

   at
org 
.apache 
.catalina 
.authenticator 
.DigestAuthenticator.authenticate(DigestAuthenticator.java:176)

   at
org 
.apache 
.catalina 
.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
   at  
com.diglloyd.tomcat.BadInputValve.invoke(BadInputValve.java:284)

   at
org 
.apache 
.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)

   at
org 
.apache 
.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

   at
org 
.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java: 
568)

   at
org 
.apache 
.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:394)

   at
org 
.apache 
.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java: 
109)

   at
org 
.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java: 
286)

   at
org 
.apache.coyote.http11.Http11Processor.process(Http11Processor.java: 
844)

   at
org.apache.coyote.http11.Http11Protocol 
$Http11ConnectionHandler.process(Http11Protocol.java:583)

   at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java: 
447)

   at java.lang.Thread.run(Thread.java:613)


diglloyd:bin lloyd$ ./version
-bash: ./version: No such file or directory
diglloyd:bin lloyd$ ./version.sh
Using CATALINA_BASE:   /web/tomcat
Using CATALINA_HOME:   /web/tomcat
Using CATALINA_TMPDIR: /web/tomcat/temp
Using JRE_HOME:
/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home
Server version: Apache Tomcat/6.0.16
Server built:   Jan 28 2008 11:35:29
Server number:  6.0.16.0
OS Name:Mac OS X
OS Version: 10.5.7
Architecture:   i386
JVM Version:1.5.0_19-b02-304
JVM Vendor: Apple Inc.



Lloyd Chambers
http://diglloyd.com
http://macperformanceguide.com/
[Mac OS X 10.5.2 Intel, Tomcat 6.0.16]


It should be the following issue:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45453

It was fixed in rev.685696
(http://svn.apache.org/viewvc?view=rev&revision=685696)

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: DigestAuthenticator failure: java.sql.SQLException: Operation not allowed after ResultSet closed

[DIGLLOYD INC]

Chris,

Thank you.  Any snippet on the right way to to the Realm/Resource  
thing? It's been so long I don't remember the right way


Lloyd

On Jul 30, 2009, at 12:13 PM, Christopher Schultz wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Diglloyd,

On 7/30/2009 1:28 PM, Konstantin Kolinko wrote:

It should be the following issue:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45453


For whatever reason, JDBCRealm has always been a steaming POS. I would
highly recommend using DataSourceRealm along with a  element
in your context.xml file: it's a much more stable Realm to use.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkpx8NAACgkQ9CaO5/Lv0PCzPQCfTkBFyQhTJnE/N/BnwmkQw2bC
148AoL+2dqYEfAVZPVOwS1ZyGxjWFRay
=RZ5b
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: DigestAuthenticator failure: java.sql.SQLException: Operation not allowed after ResultSet closed

[DIGLLOYD INC]

Thank you!

(and thanks to Chuck also)

Lloyd Chambers
http://diglloyd.com
http://macperformanceguide.com/
[Mac OS X 10.5.7 Intel, Tomcat 6.0.20]






On Aug 3, 2009, at 3:05 PM, Christopher Schultz wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Digilloyd,

On 7/31/2009 1:59 PM, DIGLLOYD INC wrote:
Thank you.  Any snippet on the right way to to the Realm/Resource  
thing?

It's been so long I don't remember the right way


Simple: just put this in your WEB-INF/context.xml file:

  

Obviously, fill-in the appropriate values above.

You should also have in your web.xml something like this:

   
  [whatever]
  jdbc/MyDataSource
  javax.sql.DataSource
  Container
   

...but I've found that it is not strictly necessary. I think it's
because Tomcat knows that any  in WEB-INF/context.xml should
automatically be available in the visible JNDI context for the webapp.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkp3XxcACgkQ9CaO5/Lv0PDGcgCePI8NTUrVpCUyYKPBBOhhRnnW
aUQAoJAJEt2j0asnrgCDla49v5G1FQ7F
=F0rT
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org