Regarding the "localhostips" property in deployment
Hi all, quick question: When setting up a deployment environment you usually have to set the property er.extensions.WOHostUtilities.localhostips (usually in /etc/WebObjects/Properties) to ensure your applications accept incoming admin requests from wotaskd. This feels a little redundant, so I've made a slight modification in my fork of Wonder, looking up and registering the server's registered IP addresses by default — which can then be optionally overridden using that property (which I really think you'd rarely do, since I think usually all local IPs should be able to submit management requests. If someone can send malicious requests from your server's IP to your app's port, you probably have a bigger problem). I'm still no security expert, so I'm just checking if anyone sees this as a bad idea/security issue, or if this can be safely kept and merged into Wonder. https://github.com/undur/wonder-slim/commit/1f6f71ae225485c49716278719e9066346a4b705 The change might not be huge, but it eliminates one of the steps when setting up a WO deployment environment, of which there already are quite a few (and that's eliminating a step that will bite you in the ass in a mysterious ways if you forget it or misconfigure it, given JavaMonitor's and wotaskd's aversion to error reporting). Cheers, - hugi ___ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
JavaXML.framework and Java 21 (and Eclipse)
Hello, I'm porting a project to Java 21. It makes some use of packages in the java.xml module, e.g. org.w3c.dom. When I switch java.version to 21, Eclipse complains:  [In case the image is dropped: The package org.w3c.dom is accessible from more than one module: , java.xml] That's fair enough, and it's true: JavaXML.framework smuggles in a bunch of packages, including this one. To be clear, though, it only seems to be Eclipse complaining: mvn package still builds the app bundle without complaint. My first thought was to exclude it via the POM, which works to remove those warnings, but then in deployment: 2025-05-05 04:45:11.012 WARN NSLog - Instance Request: Error parsing: STATISTICS Turns out Xerces is expected to be available on the classpath to parse messages from wotaskd. (Thanks Ramsey from 2013!) It seems to be sufficient to import Xerces alone: xerces xercesImpl 2.12.2 runtime But then I get the Eclipse warnings back, though now just for src/test classes: "runtime" scope causes Eclipse to ignore it for the app, but runtime-scoped artifacts are still provided for test compilation, hence Eclipse complains again (because we use colliding packages in some tests). Finally, I can silence Eclipse by putting this in .settings/org.eclipse.jdt.core.prefs: org.eclipse.jdt.core.compiler.ignoreUnnamedModuleForSplitPackage=enabled What a roller coaster. Now, my questions: 1. Has anyone else hit this, and, if so, what did you do about it? 2. Is anyone else living in a post-JavaXML.framework world? It smuggles in a lot of stuff that I'd like to get rid of (e.g., Log4J 1). If so, how did you do it? -- Paul Hoadley https://logicsquad.net/ https://www.linkedin.com/company/logic-squad/ ___ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Regarding the "localhostips" property in deployment
Hi, I can see this being set in an older installation here, but in many cases I don’t even have an /etc/WebObjects directory, and I don’t recall ever setting this property by hand. We do have complex setups with apache on different hosts than wotaskd, but it is sufficient to set the IP addresses of the wotaskd hosts in the apache adaptor config file to reach them. However, we do not have applications on hosts with no local wotaskd, so maybe that’s the one case where this would be necessary? Maik > Am 06.05.2025 um 04:05 schrieb Paul Hoadley via Webobjects-dev > : > > On 5 May 2025, at 16:38, Hugi Thordarson via Webobjects-dev > wrote: > >> quick question: When setting up a deployment environment you usually have to >> set the property er.extensions.WOHostUtilities.localhostips (usually in >> /etc/WebObjects/Properties) to ensure your applications accept incoming >> admin requests from wotaskd. > > Is this only in the setting where wotaskd is on a different host? Because > I've never done this, though we only deploy with wotaskd+JavaMonitor on the > host running the app instances. > >> I'm still no security expert, so I'm just checking if anyone sees this as a >> bad idea/security issue, or if this can be safely kept and merged into >> Wonder. > > I'm no security expert either, but it seems reasonable as a default that you > can override. What happens in the setting where someone doesn't currently set > the property, though? That is, what default behaviour will you be changing, > and how astonishing will this be? > > > -- > Paul Hoadley > https://logicsquad.net/ > https://www.linkedin.com/company/logic-squad/ > > > > ___ > Do not post admin requests to the list. They will be ignored. > Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) > Help/Unsubscribe/Update your Subscription: > https://lists.apple.com/mailman/options/webobjects-dev/maik%40selbstdenker.ag > > This email sent to m...@selbstdenker.ag smime.p7s Description: S/MIME cryptographic signature ___ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: Regarding the "localhostips" property in deployment
On 5 May 2025, at 16:38, Hugi Thordarson via Webobjects-dev wrote: > quick question: When setting up a deployment environment you usually have to > set the property er.extensions.WOHostUtilities.localhostips (usually in > /etc/WebObjects/Properties) to ensure your applications accept incoming admin > requests from wotaskd. Is this only in the setting where wotaskd is on a different host? Because I've never done this, though we only deploy with wotaskd+JavaMonitor on the host running the app instances. > I'm still no security expert, so I'm just checking if anyone sees this as a > bad idea/security issue, or if this can be safely kept and merged into Wonder. I'm no security expert either, but it seems reasonable as a default that you can override. What happens in the setting where someone doesn't currently set the property, though? That is, what default behaviour will you be changing, and how astonishing will this be? -- Paul Hoadley https://logicsquad.net/ https://www.linkedin.com/company/logic-squad/ ___ Do not post admin requests to the list. They will be ignored. Webobjects-dev mailing list (Webobjects-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
