Init HTTP session during realm authentication stage

2011-07-18 Thread Chema
Hi all:

I'm using the realm tool for user authentication on Tomcat 7.

I've made a custom realm overriding the authenticate() method of the
DataSourceRealm class.
And all works fine.

But I would like to initialize the HTTP session at this stage with user data.
My custom authenticate() method queries the user data to check whether
the user exists or not, and I wouldn't like to have to call another
service to perform the same query.

Is this possible? Any ideas?

Thanks and regards

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Init HTTP session during realm authentication stage

2011-07-18 Thread Chema
2011/7/18 chris derham :
>
> Couldn't you just implement HttpSessionListener?
>
> Chris
>

Yes, that could be useful :-)

Thanks




Re: Init HTTP session during realm authentication stage

2011-07-18 Thread Chema
2011/7/18 Chema 
>>
>
> Yes, could be useful  :-)
>
> Thanks
>

I guess it's not as useful as I thought :-/

The reason is that the HttpSessionListener.sessionCreated method is
always invoked when the Tomcat server receives the first request.
The session is not created by the realm code when the user is validated.

Now I'm trying to use filters. When the realm code validates a user,
it redirects to the protected resource. If I can filter this redirection and
load the user data into the session, I think that could work.

Thanks

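One way to get what this thread is after, as an added example that is not code from the original posts: keep the realm purely for authentication and let a Filter load the user data into the HttpSession on the first request that carries a container principal, so the query is not repeated on every request. The JNDI name jdbc/UsersDS, the users table and the session attribute name are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

/**
 * Loads the user's data into the HttpSession once, on the first request that
 * arrives after the realm has authenticated the user. The realm itself never
 * sees the session, so the work is done here instead of in authenticate().
 */
@WebFilter(urlPatterns = "/protected/*")  // same paths as the security-constraint
public class UserProfileFilter implements Filter {
    public static final String PROFILE_ATTR = "userProfile";  // assumed attribute name
    private DataSource dataSource;

    public void init(FilterConfig config) throws ServletException {
        try {
            // Assumed JNDI name, declared as a <Resource> in context.xml.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/UsersDS");
        } catch (NamingException e) {
            throw new ServletException("user DataSource is not bound", e);
        }
    }

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        Principal principal = req.getUserPrincipal();  // non-null only after the realm accepted the login
        if (principal != null) {
            HttpSession session = req.getSession(true);
            Map<String, String> profile = (Map<String, String>) session.getAttribute(PROFILE_ATTR);
            // Load once per session; reload if the session now carries a different principal.
            if (profile == null || !principal.getName().equals(profile.get("username"))) {
                try {
                    session.setAttribute(PROFILE_ATTR, loadProfile(principal.getName()));
                } catch (SQLException e) {
                    throw new ServletException("cannot load profile for " + principal.getName(), e);
                }
            }
        }
        chain.doFilter(request, response);
    }

    /** One parameterised query; assumed table users(username, full_name, email). */
    private Map<String, String> loadProfile(String username) throws SQLException {
        Connection c = dataSource.getConnection();
        try {
            PreparedStatement ps = c.prepareStatement(
                    "SELECT full_name, email FROM users WHERE username = ?");
            ps.setString(1, username);
            ResultSet rs = ps.executeQuery();
            Map<String, String> profile = new HashMap<String, String>();
            profile.put("username", username);
            if (rs.next()) {
                profile.put("fullName", rs.getString("full_name"));
                profile.put("email", rs.getString("email"));
            }
            return profile;
        } finally {
            c.close();  // returns the pooled connection; closes its statements too
        }
    }

    public void destroy() { }
}
```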



Strange behaviour (or bug) with realm + browser tabs in Tomcat 7

2011-07-25 Thread Chema
Hi:

I'm seeing strange behaviour when using a realm in Tomcat 7 (7.0.16)
with browser tabs.
My web app has some protected resources (with the  tag
in web.xml) protected by a realm.
I'm using the FORM method in the  tag. So, I've got my own login page:






 



Steps:

1) I open a tab in my browser and access a protected resource

http://localhost:8080/myapp/protected/file_one.properties

So, the login page is shown

2) I open a new tab in the browser and access another protected resource

http://localhost:8080/myapp/protected/file_two.properties

So, the login page is shown


3) Go back to the first tab and authenticate with a valid user. The resource
shown is file_two.properties (??)

4) Go to the second tab and authenticate with the same valid user (or
another valid user), and an error happens:

State HTTP 404 - /myapp/j_security_check


I know that the session is shared between tabs, but I think there are two
odd results:

- in step 3, a different resource than the one requested is returned.
- in step 4, a 404 error is returned.

If this is the correct behaviour, how can I prevent a user from
performing these steps?


Thanks




Re: Strange behaviour (or bug) with realm + browser tabs in Tomcat 7

2011-07-25 Thread Chema
> The behaviour is correct. You can't stop it.
>
> Mark

Thanks for your answer.
But is it right according to the specs, or according to Tomcat?

I can understand the step 3 behaviour, because the last resource
requested by the session is returned (although the user doesn't understand that
the two tabs are the same session).
But I would like to avoid 404 errors.

Regards




Re: Finding user name without authentication

2011-07-27 Thread Chema
2011/7/27 Vibhor Kumar Agarwal :

> Does the web server know the login id of windows?
>
> Thanks in advance.

Windows OS?
You can look at

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html




Re: HOW TO: re-deploy or undeploy a webapp when additional files are added after initial deployment

2011-08-01 Thread Chema
> If anyone has any suggestions on how we can add files into the exploded 
> webapp structure and still perform undeploy/re-deploy of our webapp, I would 
> greatly appreciate it.  Or, if there's a way to tell tomcat to completely 
> remove the directory - regardless of additional files/directories, that would 
> probably work, too.
>

Eclipse Helios' plugins for deploying web applications work fine for me.
You can try Eclipse IDE for Java EE Developers.

When I change any deployed file, it's automatically republished. And
you can clean the work folders from the IDE.




Re: HOW TO: re-deploy or undeploy a webapp when additional files are added after initial deployment

2011-08-01 Thread Chema
2011/8/1 Bob DeRemer :
> Thanks, but I need to do this in a production environment, where we're 
> deploying/re-deploying a WAR and there is no eclipse IDE.  In addition, I am 
> dynamically adding extensions to our webapp without having to restart our 
> webapp, which is what republishing from Eclipse does.

OK.
I'm not an expert and I can't say much about this tool, but you
could have a look at LiveRebel:

http://www.zeroturnaround.com/liverebel/

But it's not free.




How does it get the URL forwarded to realm ?

2011-08-02 Thread Chema
Hi:

I've got Tomcat 7.0.16 and I'm using the realm
authentication/authorization mechanism, via the FORM method.

I'd like to store in the user session the URL that was accessed and forwarded to
realm authentication.
An example URL could be

http://localhost:8080/myapp/protected/file.properties

I tried configuring my web.xml to invoke a servlet before the login page is returned:

<form-login-config>
  <form-login-page>/login</form-login-page>
  <form-error-page>/error</form-error-page>
</form-login-config>

I also tried configuring filters.

But I don't know where to find the original URL.

Any solution?


Thanks and regards




Re: How does it get the URL forwarded to realm ?

2011-08-02 Thread Chema
>
> Why? What problem are you trying to solve?
>

Well, I'm invoking j_security_check with an asynchronous RPC call.
If I use an HTML form with action = j_security_check, Tomcat performs
the redirection after authenticating the user, as you said.

But I need to implement it with an asynchronous RPC call.
So, my idea is to load into a session attribute the protected resource
that was accessed ( http://localhost:8080/myapp/protected/file.properties ).

When Tomcat returns to my asynchronous RPC call, I can determine whether the
user was authorized or not by checking the status code.
And if the user was authorized, perform a new call to RedirectService,
which reads the user session attribute
(http://localhost:8080/myapp/protected/file.properties ) and returns
it to the browser for redirection.

I know all these steps add an additional call to the server to perform the
redirection, but I'm trying to integrate asynchronous RPC calls from
GWT with Tomcat's realm.

Thanks and regards




Re: Sharing session between different webapps under same tomcat

2011-08-03 Thread Chema
> I think it is possible to share sessions across contexts. Portal
> applications need to do this. Try
> http://jee-bpel-soa.blogspot.com/2009/06/session-sharing-in-apache-tomcat.html
>

But this solution shares information between contexts; it doesn't create a
single shared session per user (session data).

Am I wrong?





Re: Sharing session between different webapps under same tomcat

2011-08-04 Thread Chema
OK, I got it.

Use the context scope to store a HashMap object indexed by JSESSIONID.

I guess this way you have to free manually all the per-user session data
from the context when the user session is finished (for example, by closing the
browser).
Otherwise your context-scope datastore could fill up with the information of all
the users who were ever logged in, right?



2011/8/4 Ron McNulty :
> Sorry, I think you are missing something :) The session is per user across
> multiple contexts. Portlet apps are typically compiled into separate .war
> files, but can share a single session object at runtime.
>
> Regards
>
> Ron
>
> - Original Message - From: "Chema" 
> To: "Tomcat Users List" 
> Sent: Thursday, August 04, 2011 6:39 PM
> Subject: Re: Sharing session between different webapps under same tomcat
>
>
>>> I think it is possible to share sessions across contexts. Portal
>>> applications need to do this. Try
>>>
>>> http://jee-bpel-soa.blogspot.com/2009/06/session-sharing-in-apache-tomcat.html
>>>
>>
>> But this solution shares information between contexts , not creates an
>> unique shared session per user (session data)
>>
>> am i wrong ?
>>
>>
>
>
>
>




Re: Sharing session between different webapps under same tomcat

2011-08-06 Thread Chema
Hi Ron:


> My understanding is that once these options are confgured, the SAME session
> data is stored across contexts separately for each user.

Thanks for your answer, but the last section of that webpage
(Session-aware cross context data sharing) explains that:

- he's sharing data using the ServletContext. Its scope is the application
scope, not the session scope.
- to make it session-aware, he creates a hashmap in application scope,
indexed by JSESSIONID.

So, it's a trick: use session1's ServletContext as a global store
and access it from session2, because crossContext="true".
It works, but it's a trick because it's not managed by Tomcat.

> There is no need to
> do anything special - the session will be explicitly invalidated when the
> user logs out, otherwise when the session timeout is exceeded.

If I don't free the resources in this hashmap manually when a session is
invalidated, Tomcat doesn't (except when restarting).
That can be a problem if you store big objects, like user information.


Regards




Get SSO ID on server

2011-08-11 Thread Chema
Hi:

I've configured my server.xml with



and I've got two web applications deployed with Realm authentication.

How can I get the SSO ID in a servlet? I want to know this ID without
the browser sending a cookie to the server.
I don't need this SSO ID to be equal to JSESSIONIDSSO. I only want to
relate two sessions (with different JSESSIONIDs) with only one
identifier.

There is a session.getId() method, but it retrieves the session ID for each
application.
I need something like session.getSSOId()


Thanks and regards




Re: Get SSO ID on server

2011-08-12 Thread Chema
> Why do you need a consistent ID between the two apps?

Because I'll store this ID in a database record.
The apps check every 60 seconds whether this record exists and, if it doesn't,
perform a logout.




Re: Get SSO ID on server

2011-08-12 Thread Chema
> Why bother?
>
> "
> As soon as the user logs out of one web application (for example, by
> invalidating the corresponding session if form based login is used), the
> user's sessions in all web applications will be invalidated. Any
> subsequent attempt to access a protected resource in any application
> will require the user to authenticate himself or herself again.
> "

Right.
But the application requires that an administrator can expel a
user. It's a client requirement.
So I need to record all "SSO sessions".
FYI, I did it using the JSESSIONIDSSO cookie and it works fine.

Thanks




Re: j_security_check and RequestDispatcher forward

2011-08-15 Thread Chema
2011/8/15 Chen Paz :
>
> Hi,
>
> I am using a servlet to intercept form based authentication in order to 
> insert attribute into the request


What parameter do you want to insert into the request?
I don't know, but maybe you can do the same with a custom realm.

Or by using Spring Security.




Re: Get SSO ID on server

2011-08-16 Thread Chema
> How do you accomplish that? By doing this SSO sniff-and-kill-session
> thing? It seems more straightforward to expire a particular webapp's
> session explicitly and let the SSO expire along with it.
> Doesn't that mean you'll have to re-run the same query just to expire
> the sessions in the other webapps?


We've got many web applications deployed on our Tomcat.
The user goes from one to another and, from the user's point of view, he
is in only one session.
We store this 'only one session' in a database, so we use the
JSESSIONIDSSO cookie.

Obviously, when a user logs out (closing the browser or clicking the logout
button), we invalidate the particular session (JSESSIONID) and
Tomcat's SSO feature is responsible for closing all the other open
sessions (as you say).

Maybe because of my bad English I didn't explain myself right.

Regards




Re: SSLSession invalidate

2011-09-06 Thread Chema
> how can access the SSLSession in a jsp or a servlet
> to be able to invalidate it.

Sorry, but

is there any difference between invalidating an HTTP session and an SSLSession?




Realm & SSL : issue when logout

2011-09-07 Thread Chema
Hello:

I've got a web application running on Tomcat 7.0.16.
It uses realm authentication to validate users (FORM login method
with a custom login page named login.html)
and it's secured by SSL with

<security-constraint>
  <web-resource-collection>
    <web-resource-name>ssl</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

So, if I type https://localhost:8080/protected.html, Tomcat redirects
to my login.html page to authenticate the user,
and, if it's valid, returns main.html.
All fine.


The web application has a service that implements a logout in 2 steps:

- session.invalidate()
- redirect to protected.html


Well, when I invoked that service, I expected that when redirecting to
protected.html, as I had invalidated the session before and protected.html is
a protected resource, Tomcat would redirect my browser to login.html.
But it didn't: protected.html was returned.

If I repeat these steps without the SSL configuration, Tomcat does
(it redirects my browser to login.html).


What do I need to finish an SSL session so that the realm mechanism knows about it?


Thanks and regards




Re: Realm & SSL : issue when logout

2011-09-07 Thread Chema
Thanks, but that didn't work for me.

I've got



in my server.xml

And I've created a SessionTrackingModeListener (just like the manual) and
modified web.xml with this listener.

And now I finish the SSL session with

// Logout attempt on 7.0.16 with SSL session tracking enabled
session.invalidate();
// The SSL session manager Tomcat exposes as a request attribute
org.apache.tomcat.util.net.SSLSessionManager mgr =
    (org.apache.tomcat.util.net.SSLSessionManager)
        request.getAttribute("javax.servlet.request.ssl_session_mgr");
mgr.invalidateSession();
response.setHeader("Connection", "close");
// Redirect to the protected page of the other webapp (cross-context)
ServletContext context = this.getServletContext().getContext("/app");
if (context != null)
    response.sendRedirect(context.getContextPath() + "/protected.html");


I expected login.html to be returned, but protected.html is.


I can't find any doc about realm + SSL. What's wrong?

Thanks and regards




2011/9/7 Mark Thomas :
> On 07/09/2011 12:20, Chema wrote:
>> Hello:
>>
>> I've got a web application running on Tomcat 7.0.16
>> It uses realm authentication to validate users ( FORM login method
>> with a custom login page named login.html)
>> and it's secured by SSL with
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>ssl</web-resource-name>
>>     <url-pattern>/*</url-pattern>
>>   </web-resource-collection>
>>   <user-data-constraint>
>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>>
>> So, if I write https://localhost:8080/protected.html, Tomcat redirect
>> to my login.html page to authenticate the user,
>> and , if it's valid,  returns main.html.
>> All fine
>>
>>
>> The web application has got a service to implement a logout with 2 steps:
>>
>> - session.invalidate()
>> - redirect to protected.html
>>
>>
>> Well, when I invoked last service, I hoped that when redirecting to
>> protected.html, as I invalidated session before and protected.html is
>> a protected resource, Tomcat redirected my browser to login.html.
>> But didn't : protected.html was returned.
>>
>> If I repeat this steps without SSL configuration , Tomcat does
>> (redirects my browser to login.html)
>>
>>
>> What I need to finish a SSL session and realm mechanism knows it ?
>
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Using_the_SSL_for_session_tracking_in_your_application
>
> Mark
>
>
>




Re: JNDI configuration with 6.0.29

2011-09-08 Thread Chema
>>       
>> org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
>>       
>> org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
>>       org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
>>       org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449)
>>       javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
>>       javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

Have you tried creating a simple HttpServlet and running that code (the lookup
method) directly in the doGet method (I mean, no Struts, no factory)?
I'm not sure this is the problem, but...

Regards




Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Chema
Hello:

I've got a web application running on Tomcat 7, with SSL (https) and
a realm for authentication/authorization.

When I invalidate a session (session.invalidate()), Tomcat
doesn't know it and thinks that the user is still logged in.
So, that user can get protected pages. Tomcat should return him a
login window but doesn't.

If Tomcat doesn't use SSL, it works fine, so I guess I'm not ending
sessions properly with SSL activated.

Any example of how to do it?
Has anyone done it?


Thanks and regards




Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Chema
>
> Presumably, you are using CLIENT-CERT as your ?

No, the FORM method.

>
>> When I invalidate() a session ( session.invalidate() ) , Tomcat
>> doesn't know it and thinks that user is still logged in So, that
>> user can get protected pages. Tomcat should return him a login
>> window but doesn't.
> SSL session != HttpSession
>
> You need to terminate the SSL session. See a separate thread
> "SSLSession invalidate" for a discussion about how this is (not) working.

Well, I don't know what I have to terminate.
I only want to know what to do to inform Tomcat that a user logs out (the
user clicks a Logout button).

I tried to invalidate the SSL session with this code

// Logout attempt: end the HttpSession, then the SSL session Tomcat exposes
session.invalidate();
org.apache.tomcat.util.net.SSLSessionManager mgr =
    (org.apache.tomcat.util.net.SSLSessionManager)
        request.getAttribute("javax.servlet.request.ssl_session_mgr");
mgr.invalidateSession();
response.setHeader("Connection", "close");

but it didn't work.
Has anyone worked with realm + SSL? Anyone?

Thanks and regards




Re: Example to logout on Tomcat 7 and SSL + Realm

2011-09-16 Thread Chema
Here go web.xml and server.xml.
I will note that server.xml contains SingleSignOn because I've got two
applications which share the login.





<web-app>

  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.server.servlet.LoginServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/login.do</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>LogoutServlet</servlet-name>
    <servlet-class>com.server.servlet.LogoutServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>LogoutServlet</servlet-name>
    <url-pattern>/logout.do</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ssl</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>realm</realm-name>
    <form-login-config>
      <form-login-page>/login.do</form-login-page>
      <form-error-page>/error.do</form-error-page>
    </form-login-config>
  </login-config>

</web-app>
***





















2011/9/16 Christopher Schultz :
>
> Chema,
>
> On 9/16/2011 1:25 PM, Chema wrote:
>>>
>>> Presumably, you are using CLIENT-CERT as your ?
>>
>> No, [I am using] FORM method
>
> Hmm. HttpSession.invalidate() *is* the proper way to terminate a
> "FORM" authentication login.
>
>> session.invalidate(); org.apache.tomcat.util.net.SSLSessionManager
>> mgr
>> =(org.apache.tomcat.util.net.SSLSessionManager)request.getAttribute("javax.servlet.request.ssl_session_mgr");
>>
>>
> mgr.invalidateSession();
>
> You don't need this SSL stuff. HttpSession.invalidate() ought to do
> the trick.
>
>> response.setHeader("Connection", "close");
>
> This is optional, and not usually necessary.
>
>> but didnt work. does anyone have worked with realm + SSL ? anyone
>> ?
>
> This definitely works.
>
> Are you saying that when you use HTTP instead of HTTPS, logouts work?
> That sounds really strange.
>
> Please post the relevant sections of web.xml and server.xml, and be
> sure to remove any sensitive information.
>
> - -chris
>
>
>




Re: Example to logout on Tomcat 7 and SSL + Realm [SOLVED]

2011-09-20 Thread Chema
Thanks Christopher.
Great explanation.

Finally, my problem was solved by upgrading to Tomcat 7.0.21.
On 7.0.16, my application didn't work properly with SSL & realm (see
previous emails).

Upgrading to 7.0.21 (a clean install, really) solved the problem and it works fine.


Regards


2011/9/16 Christopher Schultz :
>
> André,
>
> On 9/16/2011 1:38 PM, André Warnier wrote:
>> I guess that where the OP (and I) get a little confused is in the
>> distinction between the state of "having a session" and "being
>> logged-in", and maybe the sequence in which these things happen.
>>
>> 1) a browser sends a first request to Tomcat, and this happens to
>> be directed to an application which requires authentication
>> (container-driven).
>>
>> 2) Tomcat intercepts the request (because of the authentication
>> requirement), sends back something to the browser which tells the
>> browser (or the user) to supply credentials.
>>
>> 3) the browser (or the user) supplies the credentials along with a
>> subsequent request
>>
>> 4) Tomcat intercepts this again, verifies the credentials, and if
>> they "fit", allows the request (now "authenticated") to proceed to
>> the application which had been requested in the first place.
>>
>> (and I know that there is some variety in the above, depending on
>> the type of authentication, but roughly that's it, no ?)
>
> This is all correct for BASIC, FORM, and CLIENT-CERT authentication
> strategies. The difference is how the server requests the credentials
> and how the client provides them.
>
> For instance, BASIC uses a 401 server response to request credentials
> and the client provides them in a WWW-Authenticate header with a
> subsequent response. FORM responds with a login form and the client
> sends credentials using POST or query data (aka parameters). For
> CLIENT-CERT, the server requests the certificate as part of the SSL
> negotiation, and the certificate is sent as part of the SSL negotiation.
>
>> 5) then the request hits the application, and it is the
>> application which "decides" if a session is created or not. Yes ?
>
> Here's where things change. For FORM authentication, an HttpSession is
> created and corresponds directly to the user's privileged status. Once
> the HttpSession is invalidated, the login expires and the user is
> logged-out.
>
>> And if it decides so, this creates some storage place for this
>> "session thing", and makes it so that a cookie will later be sent
>> back to the browser, with an id pointing to this session storage
>> thing, so that a subsequent request which provides this cookie,
>> allows the application to retrieve the saved session and its
>> contents prior to handling the next request.
>
> The JSESSIONID is used to associate HttpSessions with requests. You
> can have an HttpSession without having authenticated, but for a FORM
> authentication, you must have an HttpSession after (and, in Tomcat,
> /before/) you are successfully authenticated (Servlet spec 3.0 allows
> you to perform a programmatic login, but I'll ignore that for the
> purposes of this discussion).
>
>> Now what is maybe less clear, is whether the "session thing" which
>> was created, contains or not the authentication data.
>
> For FORM authentication, it does.
>
>> And if yes : a "session invalidate" should delete the "session
>> thing" (and the contained authentication info), and this should
>> have the effect that when the browser sends a subsequent request,
>> it will find a "no session yet" situation.
>
> There will be no existing session to fetch in any case. For FORM
> authentication, that also means that you will have to re-authenticate
> in order to get to a privileged resource again.
>
>> Obviously though, "no session" does not necessarily mean "not
>> authenticated", but this is I believe where the OP (and I) are
>> getting confused.
>
> For FORM authentication, no session -> not authenticated.
>
> Technically speaking, the servlet spec defines "being logged into an
> application" as "[corresponding] precisely to there being a valid
> non-null caller identity associated with the request as may be
> determined by calling getRemoteUser or getUserPrincipal on the
> request" (section 13.10). Tomcat implements FORM login by attaching
> principal information to the session, so when the session dies, so
> does the login.
>
> This is not the case with the other authentication mechanisms (BASIC
> and CLIENT-CERT): the existence of an HttpSession for a request is
> independent of the "login". This is because the client sends a
> WWW-Authenticate header (for BASIC) or a client certificate (for
> CLIENT-CERT) for every request after authentication. The only way to
> terminate a BASIC login is to issue another 401 response, and the only
> way to terminate a CLIENT-CERT login is to disrupt the SSL session (I
> don't know how to do that).
>
> - -chris

Re: Limiting access to resources, based on username, not on the user role

2011-09-23 Thread Chema
>
> In your code, you would examine the Principal & see if it had permission
> to proceed.  Then return the resource or an error, accordingly.
>

My way: I would put "your code that examines the Principal & sees
if it had permission" into a custom realm class.
This custom realm can check only the user authorization, not the role.

This way, you avoid having to implement a redirection manually.




Re: Realm & SSL : issue when logout

2011-09-26 Thread Chema
> Why getContext("/app") ??
>
> HTTP Sessions are local to each web application.
>
> If "protected.html" belongs to a different web application, it would
> not (and cannot) know that you invalidated session in this webapp.

Hi

You're right: protected.html belongs to another web application.
But my Tomcat is configured with Single Sign On and, according to the docs,

"as soon as the user logs out of one web application (for example, by
invalidating the corresponding session if form based login is used),
the user's sessions in all web applications will be invalidated."

http://tomcat.apache.org/tomcat-7.0-doc/config/host.html#Single Sign On


Anyway, this problem also occurs with a single and simple web application.
As I said in another thread, this issue was solved, at least, in Tomcat 7.0.21
(my tests were on 7.0.11).


Regards




Re: Detecting a login or logoff event

2011-10-06 Thread Chema
For logout, you can implement an HttpSessionListener.
It has got a method:

public void sessionDestroyed(HttpSessionEvent se)

It's invoked when the HTTP session is invalidated (session.invalidate()).

So, you have to invalidate the HTTP session when the user logs out (i.e. the user
clicks a logout button and calls a servlet).
To capture when the user is closing the browser, you need to use JavaScript events
and make a call to the server. Maybe a filter can be used to capture this
event.

For login, you can use Spring Security.
Maybe for logout too, but I don't know.
Or use your own filters.




2011/10/6 Martin O'Shea 

> I need to be able to intercept a successful authentication of a login /
> logout request which can then be used to make a series of system updates to
> record the fact.
>
> So, if John Doe has just logged in successfully, an update is made to his
> session like:
>
> session.setAttribute("loggedIntoSession", true);
>
> Or an update made to the database?
>
> Conversely, upon logout:
>
> session.setAttribute("loggedIntoSession", false);
>
> At the moment, I am thinking about scriptlets in the pages served testing
> the request's servlet path after login is successful but is a filter better?
> But if so, what might a filter check for?
>
> -Original Message-
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Sent: 05 Oct 2011 23 06
> To: 'Tomcat Users List'
> Subject: RE: Using multiple login pages
>
> Thanks for this Chris. It is food for thought.
>
> I was under the impression that  was static, because
> that's how I seen it used in apps I've worked on.
>
> But I am curious to try a filter as well, something like this mapped to the
> login:
>
> import java.util.HashSet;
> import java.util.Set;
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
> import javax.servlet.FilterConfig;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
> public class LoginFilter implements Filter {
>
>  // usernames that may not log in; filled in init() (e.g. from a database)
>  private Set<String> revokeList;
>
>  public void init(FilterConfig config) throws ServletException {
>  revokeList = new HashSet<String>();
>  }
>
>  public void doFilter(ServletRequest request, ServletResponse response,
>  FilterChain chain) throws java.io.IOException, ServletException {
>
>  HttpServletRequest req = (HttpServletRequest)request;
>  HttpServletResponse res = (HttpServletResponse)response;
>
>  // pre login action
>
>  // get username
>  String username = req.getParameter("j_username");
>
>  // if user is in revoked list send error
>  if ( username != null && revokeList.contains(username) ) {
>  res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
>  return;
>  }
>
>  // call next filter in the chain : let j_security_check authenticate
>  // user
>  chain.doFilter(request, response);
>
>  // post login action
>
>  }
>
>  public void destroy() {
>  }
> }
>
> I wouldn't mind seeing a servlet specified as  if you know
> of an example.
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 05 Oct 2011 22 08
> To: Tomcat Users List
> Subject: Re: Using multiple login pages
>
>
> Martin,
>
> On 10/5/2011 1:59 PM, Martin O'Shea wrote:
> > I have it now. There was a redirection going on in a method called
> > from a scriptlet in the login page. It now seems to be OK.
>
> Glad you got it going.
>
> > But one thing bugs me still: you said that you can have 'different
> > login pages for different types of resources you're trying to
> > reach.' Can you give any pointers about this?
>
> A "page" is defined as whatever the server responds when you request a
> resource. The  you configure in your web.xml can be
> dynamic: you can do whatever you want in that page. It doesn't have to
> be a static  that always looks the same. You can
> include/forward/etc from that page. It doesn't even have to be a JSP.
> You can configure the  to be a servlet that makes
> decisions and forwards to some other .jsp file.
>
> Use your imagination.
>
> - -chris


Re: Detecting a login or logoff event

2011-10-06 Thread Chema
2011/10/6 Martin O'Shea 

>
> Detecting a logoff is easier using the sessionDestroyed method.
>

How do you detect that a user is closing his browser?


Re: Session across Realm and Servlet

2011-10-14 Thread Chema
>
> So how it is possible to access HttpRequestServlet and set some
> session attribute in my Custom Realm which extends RealmBase.
>


I guess you can't do it that way.


>
> Or else it should be a different Procedure.
>


You can try using filters, or try Spring Security.



>
> Waiting for some clue.
>


Re: filters on j_security_check

2011-10-15 Thread Chema
This is one of the reasons I switched to SecurityFilter: there is a

> FlexibleRealmInterface that passes-in the HttpServletRequest that was
> used to attempt authentication. That allows you to get nice things
> like the ip address of the request for logging.
>
>
I'm interested in what you are talking about; where can I find info
about SecurityFilter?
I've used Spring Security for reasons like yours, but I want to try other
options

Thanks


Re: Session across Realm and Servlet

2011-10-16 Thread Chema
>   In my Custom Realm Implementation iam autheticating some user and
> allowing
> him to access my webapps(servlets or filters) (my application)
>  This authentication session i need it to be reused in my webapp(to avoid
> another authentication)  if it is an authorized session.
>  So for this purpose i want to set an object in the session and reuse that
> object(connection Object) at my servlets level.
>
> How can i over come this
>


You can use a Filter and check if the remote user is set.
I do it this way to load user info into the user's HTTP session.
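
A filter along the lines of this reply (and of the "init HTTP session during realm authentication" question that opened the thread), as an added example that is not code from the list: it runs on every request, and on the first request where the container has already authenticated the user (request.getRemoteUser() is non-null once the realm accepted the FORM login) it loads the user's data once and keeps it in the HTTP session. UserProfile and UserProfileService are hypothetical names standing in for whatever DAO the webapp already has; map the filter to /* in web.xml.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Loads the authenticated user's data into the HTTP session once, on the
 * first request that the container has already authenticated.  The realm
 * never sees the session, but a filter does, and it runs after the
 * authenticator valve, so getRemoteUser() is populated here.
 */
public class SessionInitFilter implements Filter {

    /** Session attribute under which the loaded profile is kept. */
    public static final String PROFILE_ATTR = "userProfile";

    /** Hypothetical lookup service: stands in for your own user DAO. */
    public interface UserProfileService {
        UserProfile load(String username);
    }

    /** Hypothetical immutable profile object (Serializable so session persistence works). */
    public static final class UserProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String username;
        private final String displayName;

        public UserProfile(String username, String displayName) {
            this.username = username;
            this.displayName = displayName;
        }
        public String getUsername() { return username; }
        public String getDisplayName() { return displayName; }
    }

    private UserProfileService profiles;

    public void init(FilterConfig config) throws ServletException {
        // Constructed stand-in; a real webapp would look the user up in the same
        // database the DataSourceRealm queried, or inject the service.
        profiles = new UserProfileService() {
            public UserProfile load(String username) {
                return new UserProfile(username, "User " + username);
            }
        };
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String user = request.getRemoteUser();   // null until the realm has accepted the login
        if (user != null) {
            HttpSession session = request.getSession(true);
            UserProfile cached = (UserProfile) session.getAttribute(PROFILE_ATTR);
            // Load once per session.  Re-load if the principal in this session changed,
            // so a profile from an earlier login is never served to a different one.
            if (cached == null || !cached.getUsername().equals(user)) {
                session.setAttribute(PROFILE_ATTR, profiles.load(user));
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        profiles = null;
    }
}
```

The username comparison is the part worth keeping even when the rest is replaced: it ties the cached data to the principal the container reports, rather than to "whatever was in the session when we last looked".
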


Re: filters on j_security_check

2011-10-16 Thread Chema
>
>
>
> Frankly, if you're using Spring Security, I'd stick with it. I myself
> am thinking of making the switch.
>
>
Yes, I tried it and liked it, but I need Single Sign On support and the
solutions that Spring Security offers are complicated for me to implement


Re: Babysitting ThreadLocals

2011-11-23 Thread Chema
A silly question:

why do you use a ThreadLocal to store a constant value for the entire
application? Why not a static variable, or store it into the web application
context, for example?

Thanks

2011/11/23 Christopher Schultz :
>
> All,
>
> I've got a servlet that needs to log every request (potentially big
> requests) to files on the disk. In order to do that in a
> reasonably-tidy way, we write each file into a directory with the
> current date in the path, something like this:
>
> .../logs/2011-11-23/request-XYX.log
>
> To do this, we have a SimpleDateFormat object that we use to ensure we
> target the right directory. Since SimpleDateFormat isn't threadsafe,
> we have two choices: synchronize or use ThreadLocal. We have opted for
> the latter: ThreadLocal.
>
> Our servlet defines the ThreadLocal to be protected (because this is a
> base class for several servlets that all do similar things) and
> transient (because we just don't need it to be serialized) and
> override the initialValue method, like this:
>
>    protected transient ThreadLocal<SimpleDateFormat> dayFormat = new
> ThreadLocal<SimpleDateFormat>() {
>        @Override
>        public SimpleDateFormat initialValue()
>        {
>            return new SimpleDateFormat("yyyy-MM-dd");
>        }
>    };
>
> In the servlet's destroy method, we dutifully call dayFormat.remove().
> Tomcat complains that we are leaving sloppy ThreadLocals around on
> shutdown. Duh: Servlet.destroy is called by a single thread and won't
> actually remove the ThreadLocal in any meaningful way.
>
> So, my question is whether or not there is a good way to clean-out the
> ThreadLocals from our webapp?
>
> Given the declaration above, we are creating a new class which will be
> loaded by our webapp's ClassLoader and therefore pinning that
> ClassLoader in memory definitely causing a memory leak across reploy
> cycles.
>
> One way to avoid this would be to have a library at the server-level
> that only contains this simple ThreadLocat
> definition, but that seems like kind of an awkward solution.
>
> Removing the ThreadLocal after every request of course means that the
> use of ThreadLocal is entirely useless.
>
> Should I stop worrying about the overhead of creating a
> SimpleDateFormat? Should I look for a threadsafe implementation of
> SimpleDateFormat (maybe in commons-lang or something)? Should I
> synchronize access to the object?
>
> Any suggestions would be very helpful.
>
> Thanks,
> - -chris




Re: Babysitting ThreadLocals

2011-11-23 Thread Chema
>> The string of the date format is constant. However the SimpleDateFormat
> class is not threadsafe, so you will hit intermittant issues when sharing
> across threads

Do you mean that read operations (getters) on non-threadsafe objects
are not atomic operations and could retrieve "dirty" values because of
sharing across threads?

So, singleton objects must be threadsafe to be a real singleton?

Maybe my doubts are very basic, but I didn't know about these issues ...

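
To make the "dirty values" question concrete, here is an added example (not code from the thread) that round-trips dates through SimpleDateFormat from several threads at once, first through one instance shared by all of them and then through a ThreadLocal copy that each task releases with remove() when it finishes, which is where the per-request cleanup Chris asks about belongs (in a filter's finally block or at the end of service(), not in destroy()). The thread and iteration counts are my choices.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Formats and re-parses dates from many threads at once, first through one
 * SimpleDateFormat shared by everybody, then through a ThreadLocal copy that
 * each task clears when it finishes (the "end of request" point in a webapp).
 */
public class DateFormatRace {

    private static final String PATTERN = "yyyy-MM-dd";

    private static SimpleDateFormat newFormat() {
        SimpleDateFormat f = new SimpleDateFormat(PATTERN);
        f.setTimeZone(TimeZone.getTimeZone("UTC"));   // so parse(format(d)) == d for midnight-UTC dates
        return f;
    }

    /** Option 1 (unsafe): a single instance used by every thread. */
    private static final SimpleDateFormat SHARED = newFormat();

    /** Option 2: one instance per thread, created on first use. */
    private static final ThreadLocal<SimpleDateFormat> PER_THREAD = new ThreadLocal<SimpleDateFormat>() {
        @Override
        protected SimpleDateFormat initialValue() {
            return newFormat();
        }
    };

    /**
     * Runs {@code threads} workers, each round-tripping {@code perThread} distinct
     * midnight-UTC dates, and returns how many round trips came back wrong
     * (a different date, or an exception thrown from inside the formatter).
     */
    public static int countCorruptions(final boolean shared, int threads, final int perThread)
            throws InterruptedException {
        final AtomicInteger corrupted = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int t = 0; t < threads; t++) {
            final int firstDay = t * 1000;          // each worker gets its own range of days
            pool.execute(new Runnable() {
                public void run() {
                    try {
                        for (int i = 0; i < perThread; i++) {
                            Date in = new Date(TimeUnit.DAYS.toMillis(firstDay + i));
                            try {
                                SimpleDateFormat fmt = shared ? SHARED : PER_THREAD.get();
                                Date out = fmt.parse(fmt.format(in));
                                if (!in.equals(out)) {
                                    corrupted.incrementAndGet();   // silently wrong value
                                }
                            } catch (Exception e) {
                                corrupted.incrementAndGet();       // e.g. NumberFormatException from a torn parse
                            }
                        }
                    } finally {
                        // The per-request cleanup: the formatter served all perThread
                        // calls above and is released here, so a pool thread that
                        // outlives the webapp keeps no reference to its classes.
                        PER_THREAD.remove();
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return corrupted.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared instance, corrupt round trips: " + countCorruptions(true, 8, 20000));
        System.out.println("thread-local instance, corrupt round trips: " + countCorruptions(false, 8, 20000));
    }
}
```

The shared run usually reports a non-zero count (the exact number depends on scheduling, and a lightly loaded machine may need more iterations to show it); the thread-local run always reports zero. The ThreadLocal is not wasted by the remove(): it is still one object per thread for the whole unit of work, which is where the savings over "new SimpleDateFormat per call" actually are.
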



Re: Mysterious request edirect with value exchange

2011-12-20 Thread Chema
>> This result is as expected, but from time to time we saw the
>> following URL string returned
>> http://mytestsystem/login.action?login_error=1&u=OtherUser although
>> we sent the form with Tester as value away. But now in the input
>> field it is also OtherUser set.

One question:
How is the returned URL built? Where is the username stored?

Thanks




Re: Mysterious request edirect with value exchange

2011-12-20 Thread Chema
OK
Just to rule out what Chuck is answering in another thread: a
request-specific value kept in a servlet instance field



2011/12/20  :
> It is a webformular.
>
> The java code should this fragment.
>
> final String username = req.getParameter("username");
>    String uParam = "";
>    if (StringUtils.isBlank(username) == false) {
>      uParam = "&u=".concat(username);
>    }
>    logonFilter.setLoginFailedUrl("/action?login_error=1".concat(uParam));
>
> -Ursprüngliche Nachricht-
> Von: Chema [mailto:demablo...@gmail.com]
> Gesendet: Dienstag, 20. Dezember 2011 15:04
> An: Tomcat Users List
> Betreff: Re: Mysterious request edirect with value exchange
>
>>> This result is as expected, but from time to time we saw the
>>> following URL string returned
>>> http://mytestsystem/login.action?login_error=1&u=OtherUser although
>>> we sent the form with Tester as value away. But now in the input
>>> field it is also OtherUser set.
>
> One question
> How the returned URL is built ? Where is stored username ?
>
> Thanks
>

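
To show what "a request-specific value kept in a servlet instance field" looks like, here is the pattern from the posted fragment beside a per-request version, as an added example (not the original poster's code; checkCredentials() is a hypothetical stand-in for the real check, and the class names are mine). The posted code hands the redirect URL, username included, to a setter on a filter that every request shares; under load two login attempts interleave and one user is redirected carrying the other one's name.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * The "login failed" redirect done two ways.  A servlet or filter is a single
 * instance shared by every request thread, so a field on it is shared too.
 */
public final class LoginRedirects {

    private LoginRedirects() { }

    /** Hypothetical credential check; always fails so the redirect path is exercised. */
    static boolean checkCredentials(String username, String password) {
        return false;
    }

    /** BROKEN: loginFailedUrl is one field read and written by all concurrent logins. */
    public static class SharedFieldLoginFilter implements Filter {
        private String loginFailedUrl;

        public void init(FilterConfig config) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            String username = request.getParameter("username");
            // Thread A (user "Tester") stores its URL here ...
            loginFailedUrl = "/login.action?login_error=1&u=" + username;
            if (!checkCredentials(username, request.getParameter("password"))) {
                // ... but thread B (user "OtherUser") may have overwritten the field
                // between the assignment above and this read, so A is redirected
                // with u=OtherUser: the symptom reported in this thread.
                ((HttpServletResponse) res).sendRedirect(loginFailedUrl);
                return;
            }
            chain.doFilter(req, res);
        }
    }

    /** FIXED: the URL is built in a local variable, so each request owns its own copy. */
    public static class PerRequestLoginFilter implements Filter {
        public void init(FilterConfig config) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            String username = request.getParameter("username");
            if (!checkCredentials(username, request.getParameter("password"))) {
                ((HttpServletResponse) res).sendRedirect(failedUrl(request, username));
                return;
            }
            chain.doFilter(req, res);
        }
    }

    /**
     * Builds the redirect from request-scoped data only.  The username is
     * URL-encoded so a value containing '&', '#' or '<' cannot alter the query
     * string or be echoed raw into the login page's input field.
     */
    static String failedUrl(HttpServletRequest request, String username) throws IOException {
        StringBuilder url = new StringBuilder(request.getContextPath()).append("/login.action?login_error=1");
        if (username != null && username.trim().length() > 0) {
            url.append("&u=").append(URLEncoder.encode(username, "UTF-8"));
        }
        return url.toString();
    }
}
```

The same rule covers any object the filter hands to a helper through a setter: if the helper is a field, whatever it stores is shared as well, which is what setLoginFailedUrl() in the posted fragment does.
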



Re: Login fails, then works subsequently (Tomcat 7)

2011-12-21 Thread Chema
You can try to put traces into the code of your realm class, if it's a
custom realm: to watch the query executed, to watch the
user/password passed from the browser, to catch exceptions and print the stack
trace ...
If you don't have a custom realm, you can try to create one for testing.

Can you paste your server.xml conf? Only the realm parts (all of them), without
sensitive data.

Good luck



2011/12/21 Jerry Malcolm <2ndgenfi...@gmail.com>:
> About a month ago, I upgraded two different servers from TC 5 to TC 7.  The
> migration went cleanly, and everything has been working fine with the
> exception of one thing.   About 50% of the time, when I log in to the realm
> for my web app (form-based login), the login will fail.  When I try again
> with the same id/pw it works.  I can then log out and log back in
> repeatedly with no problem.  But if I come back later and try to log on
> again, same things.  Fails once, and then passes.
>
> My authentication configuration hasn't changed for years on these webapps,
> and this has worked solid on TC 5.  My database (MySQL) hasn't changed, and
> the user tables are unchanged.  The only thing that has changed is TC 5-
> -->TC 7.  And the problem has hit both servers, completely independent of
> each other, other than they both got the TC 7 upgrade.
>
> First of all, has anyone ever heard of this situation?  Second, any idea
> how where/how to turn on detailed tracing/logging of the authentication
> calls to see what might be going on in the authentication code in TC?  The
> only information I'm getting is that the id/pw were not correct.  But
> again, same id/pw becomes correct when I submit it a 2nd time.
>
> The one thing I didn't change was the MySQL connector.  Should that have
> been changed for TC 7? (Just guessing now)
>
> Suggestions for how to proceed?
>
> Thx.
>
> Jerry




Re: Login fails, then works subsequently (Tomcat 7)

2011-12-21 Thread Chema
> 10 to 1 you've got stale connections in your pool; first try fails, second
> one gets a fresh connection

I thought the same


autoReconnect   
Should the driver try to re-establish stale and/or dead connections?
If enabled the driver will throw an exception for a queries issued on
a stale or dead connection, which belong to the current transaction,
but will attempt reconnect before the next query issued on the
connection in a new transaction. The use of this feature is not
recommended, because it has side effects related to session state and
data consistency when applications don't handle SQLExceptions
properly,


http://dev.mysql.com/doc/refman/5.1/en/connector-j-reference-configuration-properties.html


You can implement your own realm extending DataSourceRealm and
overriding the authenticate() method with your traces. And don't forget
to call super.authenticate().

More info:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm




Re: Security Constraints With URL Rewrite filter

2011-12-21 Thread Chema
Well, I don't know about this, but

what is the "URLRewrite" filter? A Servlet filter?

You can try to write a Valve and test if it works. I think it's
processed before calling container code. Maybe ...
Or configure a web proxy to rewrite. I didn't do this before, but
I know it's possible. If I find some info about this, I'll send it to you.

Bye

2011/12/21 Jerry Malcolm <2ndgenfi...@gmail.com>:
> I structure my webapps with different JSP folders for different user role
> access, and define the folder patterns in web.xml for each role access.
> This has worked for many years in my webapps.  But in the interest of
> getting cleaner URLs, I've written a URLRewrite filter.  The rewrite filter
> is correctly rewriting the URLs and forwarding the requests.  But I just
> noticed something I hadn't counted on.  The security constraints no longer
> apply to the call to the rewritten URLs from the filter.  In other words,
> JSPs in /jsp/admin folder are configured to require "admin" role.  But I
> can call a JSP from inside the filter to /jsp/admin/myadmintask.jsp and no
> security challenge occurs.
>
> I guess this makes sense to me.  I just wasn't expecting it.  I assume that
> the security constraint now applies to the pattern that come INTO the
> filter.  So instead of constraining /jsp/myadmintask/*.jsp in web.xml, I
> now need to constrain the inbound url "/doadmin".  Is that correct?
>
> I just need some education here.  Is it correct that should map all of the
> URL patterns that come INTO the rewrite filter?  Alternatively, is there
> some way for me to do the requestdispatcher.forward call from the filter,
> and tell it to honor security constraints on the folder structure like it
> worked prior to adding the rewrite function?
>
> Thanks.
>
> Jerry




Re: DB Connection error

2012-01-03 Thread Chema
2012/1/3 Anjib Mulepati :
> Hi All,
>
> One simple question: if I have a JNDI configuration in my application, will my
> application reconnect to the DB whenever my DB gets restarted?
> I am having DB connection problem every Monday since our DB get restarted on
> weekends which we don't have control of.
> I am using Tomcat 6.0.20

Hi:

can you attach your  element in server.xml file (except
sensitive data)?




Re: DB Connection error

2012-01-03 Thread Chema
> But in my application I have context.xml with following
>
> <Context>
>   <Resource driverClassName="oracle.jdbc.driver.OracleDriver"
>            maxActive="20"
>            maxIdle="10"
>            maxWait="-1"
>            name="jdbc/myName"
>            password="myPassword"
>            type="javax.sql.DataSource"
>            url="jdbc:oracle:thin:@//localhost:8080/MYDBS"
>            username="myUsername"
>             />
> </Context>

Well, you can use the validationQuery parameter with "SELECT 1 FROM
DUAL;". I've never used it, but you can test it.
And take a look at http://commons.apache.org/dbcp/configuration.html

If you can send us the exact error that your web app returns ...

Bye




Re: DB Connection error

2012-01-03 Thread Chema
> Try adding validationQuery="SELECT 1 FROM DUAL" and testOnBorrow="true".

testOnBorrow is true by default   :-)




Re: DB Connection error

2012-01-09 Thread Chema
2012/1/9 Anjib Mulepati :
> I did change my config.xml to
>
>
> <Context>
>   <Resource driverClassName="oracle.jdbc.driver.OracleDriver"
>            maxActive="20"
>            maxIdle="10"
>            maxWait="-1"
>            name="jdbc/myName"
>            password="myPassword"
>            testOnBorrow="true"
>
>            type="javax.sql.DataSource"
>            url="jdbc:oracle:thin:@//localhost:8080/MYDBS"
>            username="myUsername"
>            validationQuery="SELECT 1 FROM DUAL" />
> </Context>
>

Can you attach the error trace?




Re: DB Connection error

2012-01-09 Thread Chema
> Caused by: oracle.net.ns.NetException: The Network Adapter could not
> establish the connection
>    at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:375)
>    at
> oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:422)
>    at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:678)
>    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:238)
>    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1054)
>    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:308)
>    ... 30 more
> Caused by: java.net.ConnectException: Connection refused: connect
>    at java.net.PlainSocketImpl.socketConnect(Native Method)
>    at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
>    at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
>    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
>    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
>    at java.net.Socket.connect(Socket.java:529)
>    at oracle.net.nt.TcpNTAdapter.connect(TcpNTAdapter.java:209)
>    at oracle.net.nt.ConnOption.connect(ConnOption.java:123)
>    at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:353)
>    ... 35 more
>

I see that the database is on the same machine as Tomcat, right?

It's important, for me at least, to know if this error

"Caused by: java.net.ConnectException: Connection refused: connect"

occurs while restarting the database server or just after that?

One question: after restarting the database, can you telnet to
localhost:8080 from the same machine?
By the way, 8080 is a curious port for a database ... is it the real
port for listening for incoming connections?




Re: Tomcat 7 SSL activation on AS/400?

2012-01-09 Thread Chema
>>
>>    Caused by: java.io.IOException: Keystore was tampered with, or password
>> was incorrect

Well, I don't know what the problem is.

I followed these steps and it worked: http://blog.frankel.ch/ssl-your-tomcat-7

Another option is that the HTTP Connector in your server.xml is incorrectly configured




Re: Connection.close() has already been called during login

2012-01-23 Thread Chema
>2012/1/23  :
> Initially I thought that my RootJDBCRealm might be the problem, but how can 
> that be?  RootJDBCRealm extends Tomcat's own JDBCRealm.  It >overrides 
> authenticate to call super.authenticate and if there are 3 failures (in that 
> super.authenticate returns null), then it locks out the user.  So could >the 
> user of RootJDBCRealm still be a problem?  Thanks.


From Tomcat 7 docs:

"The JDBCRealm is not recommended for production use as it is single
threaded for all authentication and authorization options. Use the
DataSourceRealm instead.
The UserDatabaseRealm is not intended for large-scale installations.
It is intended for small-scale, relatively static environments."

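
Putting the advice of the Dec-21 replies above (traces in an authenticate() override that delegates to super.authenticate()) together with the RootJDBCRealm lockout quoted in this message, but on the multi-threaded DataSourceRealm the docs recommend, as an added example that is not code from the list. MAX_FAILURES, LOCKOUT_MILLIS and the class name are my choices; the realm is registered in server.xml or context.xml with className="TracingDataSourceRealm" plus the usual DataSourceRealm attributes (dataSourceName, userTable and so on), which it inherits unchanged.

```java
import java.security.Principal;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.catalina.realm.DataSourceRealm;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * DataSourceRealm that logs each authentication attempt (never the password)
 * with its outcome and duration, and refuses further attempts for a user after
 * MAX_FAILURES consecutive failures until LOCKOUT_MILLIS have passed.
 * DataSourceRealm serves many threads at once, so the failure counters must
 * be thread-safe: a plain HashMap or an int field here would be a race.
 */
public class TracingDataSourceRealm extends DataSourceRealm {

    private static final Log log = LogFactory.getLog(TracingDataSourceRealm.class);

    private static final int MAX_FAILURES = 3;
    private static final long LOCKOUT_MILLIS = 15L * 60 * 1000;

    /** Per-user failure state; always accessed with the instance's monitor held. */
    private static final class Failures {
        int count;
        long lastFailureMillis;
    }

    private final ConcurrentMap<String, Failures> failures = new ConcurrentHashMap<String, Failures>();

    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null) {
            return null;
        }
        if (isLockedOut(username)) {
            log.warn("login refused for locked-out user '" + username + "'");
            return null;
        }
        long start = System.nanoTime();
        Principal principal;
        try {
            principal = super.authenticate(username, credentials);   // the realm's own SQL lookup
        } catch (RuntimeException e) {
            // super.authenticate() normally swallows SQL problems and returns null;
            // anything that escapes is what a "fails once, then works" pattern hides.
            log.error("unexpected error authenticating '" + username + "'", e);
            throw e;
        }
        long millis = (System.nanoTime() - start) / 1000000L;
        if (principal != null) {
            failures.remove(username);
            log.info("login OK for '" + username + "' in " + millis + " ms");
        } else {
            int n = recordFailure(username);
            log.info("login FAILED for '" + username + "' in " + millis
                    + " ms (consecutive failures: " + n + ")");
        }
        return principal;
    }

    private boolean isLockedOut(String username) {
        Failures f = failures.get(username);
        if (f == null) {
            return false;
        }
        synchronized (f) {
            if (f.count < MAX_FAILURES) {
                return false;
            }
            if (System.currentTimeMillis() - f.lastFailureMillis > LOCKOUT_MILLIS) {
                f.count = 0;          // lockout window has expired
                return false;
            }
            return true;
        }
    }

    private int recordFailure(String username) {
        Failures f = failures.get(username);
        if (f == null) {
            Failures fresh = new Failures();
            f = failures.putIfAbsent(username, fresh);
            if (f == null) {
                f = fresh;
            }
        }
        synchronized (f) {
            f.count++;
            f.lastFailureMillis = System.currentTimeMillis();
            return f.count;
        }
    }
}
```

The duration column is the diagnostic for the "fails once, then works" symptom: a first attempt that takes a long time or logs an error, followed by a fast success, points at the pool rather than at the password. Two things to handle before relying on the lockout part: the map grows with every distinct username ever tried, so expired entries need evicting, and a lockout keyed only on the username lets anyone who knows a login name keep it locked. Tomcat 7 also ships org.apache.catalina.realm.LockOutRealm, which wraps any realm to do the lockout; the example keeps it inline to show the thread-safety point.
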



Re: Shutdown Hooks not firing when tomcat is shutdown from within a webapp

2012-02-07 Thread Chema
> "Asynchronous Notification 'interface 
> com.evertz.registry.ServerRegistryListener: masterChanged'" daemon prio=6 
> tid=0x28c77000 nid=0x16d8 in Object.wait() [0x2899f000]
>   java.lang.Thread.State: WAITING (on object monitor)
>        at java.lang.Object.wait(Native Method)
>        - waiting on <0x08bc3ac0> (a 
> org.apache.catalina.startup.Catalina$CatalinaShutdownHook)
>        at java.lang.Thread.join(Thread.java:1143)
>        - locked <0x08bc3ac0> (a 
> org.apache.catalina.startup.Catalina$CatalinaShutdownHook)
>        at java.lang.Thread.join(Thread.java:1196)
>        at 
> java.lang.ApplicationShutdownHooks.runHooks(ApplicationShutdownHooks.java:79)
>        at 
> java.lang.ApplicationShutdownHooks$1.run(ApplicationShutdownHooks.java:24)
>        at java.lang.Shutdown.runHooks(Shutdown.java:79)
>        at java.lang.Shutdown.sequence(Shutdown.java:123)
>        at java.lang.Shutdown.exit(Shutdown.java:168)
>        - locked <0x23c8bf68> (a java.lang.Class for java.lang.Shutdown)
>        at java.lang.Runtime.exit(Runtime.java:90)
>        at java.lang.System.exit(System.java:904)

Can I see the ApplicationShutdownHooks source code?
What's com.evertz.registry.ServerRegistryListener?




Re: Shutdown Hooks not firing when tomcat is shutdown from within a webapp

2012-02-07 Thread Chema
>> Can I see ApplicationShutdownHooks source code ?
>
> That is located in java.lang, you can see the source online...
>

Sorry, I meant about *your* app's shutdown hook.

>> What 's com.evertz.registry.ServerRegistryListener ?

Right

>
> This is just the listener that triggers the shutdown call.
> That the trace shows it that I call System.exit(0), which then runs the 
> shutdown hooks, but then gets stuck running the CatalinaShutdownHook. It 
> looks like all CatalinaShutdownHook does is call catalina.stop, I don't 
> really know how to figure out what it is waiting on though.
>>




Re: Limiting concurrent requests by user

2012-02-27 Thread Chema
2012/2/27 hernan 

>
>
> The process may take some seconds or a few minutes to be completed. I'd
> like to limit the number of client requests per user.
>

Why don't you use Tomcat's valves mechanism?
You can implement a request filter on a Context scope.

Where to store the counter of requests?
Memory looks like the better option ... except if your application runs on a
clustered environment. In this case, you can try a database.
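
An in-memory per-user limit of the kind suggested here, as an added example that is not code from the list. It is written as a servlet Filter rather than a Valve because a Filter runs after the container's authenticator, so request.getRemoteUser() is already set; the init-param name, the default cap and the 429 status code are my choices.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Caps the number of requests a single authenticated user may have in flight
 * on this JVM.  Counters live in memory; in a cluster every node enforces its
 * own cap unless the counter moves to shared storage (a database, as above).
 */
public class PerUserConcurrencyFilter implements Filter {

    /** HTTP 429 Too Many Requests (RFC 6585); not a constant in the Servlet 3.0 API. */
    static final int SC_TOO_MANY_REQUESTS = 429;

    private int maxConcurrent = 2;
    private final ConcurrentMap<String, AtomicInteger> inFlight =
            new ConcurrentHashMap<String, AtomicInteger>();

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("maxConcurrent");   // <init-param> in web.xml
        if (param != null) {
            maxConcurrent = Integer.parseInt(param);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String user = request.getRemoteUser();
        if (user == null) {
            // Not authenticated: nothing to key the limit on.  Put the URL under a
            // <security-constraint> so every request reaching here carries a user.
            chain.doFilter(req, res);
            return;
        }
        if (!tryAcquire(user)) {
            ((HttpServletResponse) res).sendError(SC_TOO_MANY_REQUESTS);
            return;
        }
        try {
            chain.doFilter(req, res);            // the slow processing happens down the chain
        } finally {
            release(user);                       // always runs, even if the servlet threw
        }
    }

    public void destroy() {
        inFlight.clear();
    }

    /** Reserves a slot for the user; returns false (and reserves nothing) when the cap is reached. */
    boolean tryAcquire(String user) {
        AtomicInteger counter = inFlight.get(user);
        if (counter == null) {
            AtomicInteger fresh = new AtomicInteger();
            counter = inFlight.putIfAbsent(user, fresh);
            if (counter == null) {
                counter = fresh;
            }
        }
        if (counter.incrementAndGet() > maxConcurrent) {
            counter.decrementAndGet();           // undo our increment; the request is refused
            return false;
        }
        return true;
    }

    void release(String user) {
        AtomicInteger counter = inFlight.get(user);
        if (counter != null) {
            counter.decrementAndGet();
        }
    }

    /** Number of the user's requests currently inside the chain (for monitoring). */
    int inFlightFor(String user) {
        AtomicInteger counter = inFlight.get(user);
        return counter == null ? 0 : counter.get();
    }
}
```

The increment-then-check in tryAcquire() is what makes it safe without a lock: two requests racing for the last slot both increment, one sees a value over the cap and backs out. One caveat: if the work is started with Servlet 3.0 startAsync(), chain.doFilter() returns before the work is done, and the release must move to an AsyncListener instead of the finally block.
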


Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-04 Thread Chema
>>
>> > That approach doesn't work when the application uses symlinks to get to
>> > data on other Oracle servers.


Right. With dblinks, it's the RDBMS that opens/closes a session against
the remote server.
I guess that when you say "our Oracle database has to be restarted",
you *only* restart the remote server, right?

One question:

do you use any kind of ORM framework? Some of them (myBatis, for
example) allow you to configure different schemas with different
pingQuery settings.
So, you could define the remote queries in a particular schema with
a pingQuery like "SELECT 1 FROM DUAL@REMOTEDB"




Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-04 Thread Chema
> We use Spring w/ Hibernate as I recall.  Yes, we have talked about that - a
> ping query.  What we don't like about that is now we have a tc ping and app
> ping.  We have also discussed just changing the tc borrow/ping to do the
> dual@remotedb query as this would test both primary and remote.  We have
> tested this and it works.  What stinks about this is we only access the
> remotedb 10% of the time.

Well, I don't know how Hibernate works, but I know that you can have
many SessionFactory instances.
Can you define different SessionFactory instances with different settings, for
example, with different pingQuery values?
Does Hibernate have a pingQuery setting?

So, when you want to perform a remote query, you use the SessionFactory
that returns local connections but runs the SELECT 1 FROM DUAL@remotedb
testing query first




Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-05 Thread Chema
>>
>> Do you have testOnBorrow="true" and a validationQuery="SELECT 1 FROM
>> DUAL" configured?
>>
>> This should suffice to ensure each connection is valid before use.
>
>
> Pid,
>
> works like a charms. Thanks very much.
>

From Tomcat doc for testOnBorrow setting:

"The indication of whether objects will be validated before being
borrowed from the pool. If the object fails to validate, it will be
dropped from the pool, and we will attempt to borrow another
For a true value to have any effect, the validationQuery parameter
must be set to a non-null string. Default value is false In order to
have a more efficient validation, see validationInterval Default value
is false"

I don't understand how it works now.

By the way, what does it mean to "validate" an object?

Regards




Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-05 Thread Chema
2012/3/5 Michael :
> Chema schrieb:
>
>>>> Do you have testOnBorrow="true" and a validationQuery="SELECT 1 FROM
>>>> DUAL" configured?
>>>>
>>>> This should suffice to ensure each connection is valid before use.
>>>
>>>
>>> Pid,
>>>
>>> works like a charms. Thanks very much.
>>>
>>

> It executes the validation query and checks if there is no SQLException.

Thanks ... but, if you only restart the remote db, the query "SELECT
1 FROM DUAL" always works, am I wrong?




Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-05 Thread Chema
> No if the connection has been reset by the instance. The query will result
> in a SQLException. You have to close the connection and open a new one. The
> query works on an open connection only. That's the point.
> See the second paragraph of this [1].
>

But the problem was when you restart the remote database, not the
local database.
In this case, SELECT 1 FROM DUAL works (doesn't return a SQL exception).
But, when you execute the query "SELECT * FROM TABLE@remotedb" afterwards,
then it fails; was this the problem, right?

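
The two-tier check described in this thread (a local "SELECT 1 FROM DUAL" that cannot notice a restarted remote instance, plus the dblink ping Chema suggests in the 2012-03-04 reply, paid for only some of the time), as an added example that is not code from the list. It assumes Tomcat's jdbc-pool, whose Validator interface replaces validationQuery when the pool is configured with validatorClassName="DbLinkValidator" and testOnBorrow="true"; REMOTEDB is a placeholder link name and the interval and timeout are my choices.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Map;
import java.util.WeakHashMap;
import org.apache.tomcat.jdbc.pool.PooledConnection;
import org.apache.tomcat.jdbc.pool.Validator;

/**
 * Validates a pooled Oracle connection in two steps: the local instance on
 * every check, and the database link only when the link was last confirmed
 * more than REMOTE_CHECK_INTERVAL_MILLIS ago on that same connection.
 * Returning false makes the pool drop the connection and borrow another,
 * which is how a dead dblink session (remote instance restarted) is replaced.
 */
public class DbLinkValidator implements Validator {

    private static final String LOCAL_QUERY  = "SELECT 1 FROM DUAL";
    private static final String REMOTE_QUERY = "SELECT 1 FROM DUAL@REMOTEDB";   // REMOTEDB: placeholder link name
    private static final long REMOTE_CHECK_INTERVAL_MILLIS = 30L * 1000;
    private static final int QUERY_TIMEOUT_SECONDS = 3;            // never let a dead link hang the borrow

    /** Per physical connection: when its dblink was last verified.  Weak keys let closed connections drop out. */
    private final Map<Connection, Long> lastRemoteCheck = new WeakHashMap<Connection, Long>();

    public boolean validate(Connection connection, int validateAction) {
        if (!runs(connection, LOCAL_QUERY)) {
            return false;                     // local session is dead: discard
        }
        if (validateAction == PooledConnection.VALIDATE_BORROW && remoteCheckDue(connection)) {
            if (!runs(connection, REMOTE_QUERY)) {
                return false;                 // dblink session is dead: discard the whole connection
            }
            markRemoteChecked(connection);
        }
        return true;
    }

    private boolean remoteCheckDue(Connection c) {
        synchronized (lastRemoteCheck) {
            Long last = lastRemoteCheck.get(c);
            return last == null || System.currentTimeMillis() - last > REMOTE_CHECK_INTERVAL_MILLIS;
        }
    }

    private void markRemoteChecked(Connection c) {
        synchronized (lastRemoteCheck) {
            lastRemoteCheck.put(c, System.currentTimeMillis());
        }
    }

    /** True if the statement executes without an SQLException. */
    private static boolean runs(Connection c, String sql) {
        Statement st = null;
        try {
            st = c.createStatement();
            st.setQueryTimeout(QUERY_TIMEOUT_SECONDS);
            st.execute(sql);
            return true;
        } catch (SQLException e) {
            return false;
        } finally {
            if (st != null) {
                try {
                    st.close();
                } catch (SQLException ignored) {
                    // nothing useful to do with a close failure here
                }
            }
        }
    }
}
```

The timestamp is kept per physical connection on purpose: each pooled connection has its own dblink session, so one connection confirming the remote side says nothing about the others. Between two checks a remote restart can still surface as an SQLException in application code, which is the same window a plain validationQuery leaves open.
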



Re: [Tomcat JDBC Pool] Close pooled connections via JMX

2012-03-06 Thread Chema
> There's nothing like chasing your tail for a few days on a mailing list.
>
> - -chris

ok, ok ...it was my fault ... sorry :-/

Regards




Re: chunked encoding

2012-03-23 Thread Chema
> 1. http://en.wikipedia.org/wiki/Chunked_transfer_encoding
> 2. RFC 2616 (the specification of HTTP/1.1 protocol)

One question

How does the web browser know what the right order of the chunks is?
When the server waits to generate the whole response, I understand that
transmission can rely on TCP and the client (web browser) can be
sure that the response is complete and all message parts are in order

But when the server sends the response in chunks I don't know how the client (
web browser) puts them in order
I didn't see anything about it on the Wikipedia link

Thanks and regards




Re: chunked encoding

2012-03-23 Thread Chema
> The server application must pass the chunks to its outbound TCP/IP stack in 
> order, so normal TCP sequencing takes care of it.
>

Thanks
But, if I'm not wrong, chunk messages belong to the application layer, so
when the server passes them to the TCP/IP stack, they are different messages.
They go over the same connection, but they are different messages at the
application layer, right?

I see it as a chat conversation: when I send "Hello" and "Bye" from a
chat client, the receiving chat client can only know the right order if there is
some mechanism at the *application layer* to put them in order

I can rely on the order in which the messages were sent, but it doesn't look
very reliable

Surely I'm wrong, but I don't understand it

Thanks and regards




Re: chunked encoding

2012-03-23 Thread Chema
>
> TCP packets are numbered (by TCP itself). Thus chunks are ordered as well.
>

So, chunks aren't sent at the same time, but they are sent over the same
TCP connection.
In this case, it makes sense to me: a stream of chunks. Thanks




Re: chunked encoding

2012-03-23 Thread Chema
2012/3/23 Caldarale, Charles R :
>> From: Chema [mailto:demablo...@gmail.com]
>> Subject: Re: chunked encoding
>
>> But, if I'm not wrong , chunks messages belong application layer, so
>> when servers pass them to TCP/IP stack , they are different messages.
>
> TCP/IP knows nothing about "messages", only about the two byte streams for 
> the connection (one inbound, one outbound).

Thanks.
You're right. It was my fault.
If I consider sending many chunks over the same TCP connection, it
makes sense to me.

I don't know why I thought of different chunks over separate connections.

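
A decoder for the format this thread is about, as an added example that is not code from the list, to show where the ordering comes from: the chunk-size line carries no sequence number, the decoder simply reads chunk after chunk from the one byte stream until the zero-size chunk. The sample body in main() is constructed (the Wikipedia "Wikipedia in chunks" example plus a chunk extension and a trailer); the size limits are my choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;

/**
 * Decoder for HTTP/1.1 chunked transfer encoding (RFC 2616 section 3.6.1).
 * The wire format carries no chunk numbers: each chunk is "<hex size>[;ext] CRLF
 * <size bytes> CRLF", read one after another from the connection's byte
 * stream, and a zero-size chunk followed by optional trailers ends the body.
 */
public final class ChunkedDecoder {

    private static final Charset LATIN1 = Charset.forName("ISO-8859-1");
    private static final int MAX_LINE_BYTES = 1024;            // chunk-size line or trailer line
    private static final long MAX_CHUNK_BYTES = 8L * 1024 * 1024;

    private ChunkedDecoder() { }

    public static byte[] decode(InputStream in) throws IOException {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        while (true) {
            String sizeLine = readLine(in);
            int semicolon = sizeLine.indexOf(';');                   // chunk extensions are ignored
            String hex = (semicolon >= 0 ? sizeLine.substring(0, semicolon) : sizeLine).trim();
            long size = parseHex(hex);
            if (size == 0) {
                while (readLine(in).length() > 0) {                  // skip trailer headers up to the blank line
                }
                return body.toByteArray();
            }
            byte[] chunk = new byte[(int) size];
            readFully(in, chunk);
            body.write(chunk);
            if (!readLine(in).isEmpty()) {
                throw new IOException("chunk data not followed by CRLF");
            }
        }
    }

    /** Strict hex: only [0-9a-fA-F], no sign, no embedded whitespace, bounded size. */
    private static long parseHex(String hex) throws IOException {
        if (hex.isEmpty() || hex.length() > 16) {
            throw new IOException("bad chunk size: '" + hex + "'");
        }
        long value = 0;
        for (int i = 0; i < hex.length(); i++) {
            int digit = Character.digit(hex.charAt(i), 16);
            if (digit < 0) {
                throw new IOException("bad chunk size: '" + hex + "'");
            }
            value = value * 16 + digit;
            if (value > MAX_CHUNK_BYTES) {
                throw new IOException("chunk too large: " + hex);
            }
        }
        return value;
    }

    /** Reads up to CRLF (exclusive); rejects a bare LF, EOF before the line end, or an overlong line. */
    private static String readLine(InputStream in) throws IOException {
        ByteArrayOutputStream line = new ByteArrayOutputStream();
        while (true) {
            int b = in.read();
            if (b < 0) {
                throw new IOException("stream ended inside a chunk header");
            }
            if (b == '\r') {
                if (in.read() != '\n') {
                    throw new IOException("CR not followed by LF");
                }
                return new String(line.toByteArray(), LATIN1);
            }
            if (b == '\n') {
                throw new IOException("bare LF in chunk header");
            }
            if (line.size() >= MAX_LINE_BYTES) {
                throw new IOException("chunk header line too long");
            }
            line.write(b);
        }
    }

    private static void readFully(InputStream in, byte[] buf) throws IOException {
        int off = 0;
        while (off < buf.length) {
            int n = in.read(buf, off, buf.length - off);
            if (n < 0) {
                throw new IOException("stream ended inside chunk data");
            }
            off += n;
        }
    }

    public static String decodeLatin1(String chunkedBody) throws IOException {
        return new String(decode(new ByteArrayInputStream(chunkedBody.getBytes(LATIN1))), LATIN1);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: three chunks (one with an extension), then the last chunk and a trailer.
        String wire = "4\r\nWiki\r\n5;note=ext\r\npedia\r\nE\r\n in\r\n\r\nchunks.\r\n0\r\nX-Checksum: demo\r\n\r\n";
        System.out.println(decodeLatin1(wire));
    }
}
```

Running it prints "Wikipedia in", an empty line, then "chunks." (the third chunk's 14 bytes contain two CRLFs). The strictness in parseHex() and readLine() is deliberate: the chunk-size line is the only framing the body has, so a decoder that guesses at a malformed one no longer agrees with the sender about where each chunk ends.
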



Access to manager webapp (JAAS exception)

2011-07-01 Thread Chema
Hi:

I've just installed ( unzipped ) Tomcat 7.0.14 and I'm trying to
access to manager web application.

So,

http://127.0.0.1:8080/manager/html

and a browser login form pops up.

My conf/tomcat-users.xml is


 
 



But, when I try to log in, an exception occurs:

01-jul-2011 16:10:51 org.apache.catalina.realm.JAASRealm authenticate
java.lang.SecurityException:
at com.sun.security.auth.login.ConfigFile.(Unknown Source)


Why? My server isn't configured to use JAAS.
Indeed, conf/server.xml has

 

  

Any ideas ?

Thanks and regards




Re: Access to manager webapp (JAAS exception)

2011-07-01 Thread Chema
2011/7/1 Mark Thomas :
> On 01/07/2011 15:22, Chema wrote:
>> Hi:
>>
>> I've just installed ( unzipped ) Tomcat 7.0.14 and I'm trying to
>> access to manager web application.
>
> What else did you change?
>


I think nothing.
There is a log message when the server starts that I don't understand:

01-jul-2011 17:23:55 org.apache.catalina.realm.JAASRealm setContainer
INFO: Set JAAS app name Catalina

Any idea?

I've downloaded the 7.0.16 release and this log message doesn't occur when the server starts.
I don't know if I changed something in the former installation (7.0.14) ...


Thanks





Re: Access to manager webapp (JAAS exception)

2011-07-01 Thread Chema
> 01-jul-2011 17:23:55 org.apache.catalina.realm.JAASRealm setContainer
> INFO: Set JAAS app name Catalina

>> I don't see a log error, only an INFO message.

Right. I just said that I didn't understand this message, because I
don't have any JAASRealm configured.
I've downloaded the 7.0.16 release and this INFO message doesn't appear. I
don't know why.

And now, access to the manager webapp works fine.

Thanks !!
