Hi all:
I'm using realm tool for user authentication on Tomcat 7
I've made a custom realm overriding authenticate() method of
DataSourceRealm class.
And all works fine.
But I would like to initialize HTTP session in this stage with user data.
My custom authenticate() method queries user data to
2011/7/18 chris derham :
>
> Couldn't you just implement HttpSessionListener?
>
> Chris
>
Yes, could be useful :-)
Thanks
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...
2011/7/18 Chema
>>
>
> Yes, could be useful :-)
>
> Thanks
>
I guess it's not as useful as I thought :-/
The reason is that HttpSessionListener.sessionCreated method is
invoked always when Tomcat server receives the first petition.
Session is not created by realm c
Hi:
I'm having a strange behaviour when using realm in Tomcat 7 ( 7.0.16)
with browser tabs
My web app has some protected resources ( with
tag in web.xml ) by a realm.
I'm using FORM method in tag. So, I've got my own login page :
Steps:
1) I open a tab in my
> The behaviour is correct. You can't stop it.
>
> Mark
Thanks for your answer.
But,
is it right according to specs or according to Tomcat ?
I can understand step 3 behaviour because is returned the last
resource request by session ( although user doesn't understand that
two tabs are same session
2011/7/27 Vibhor Kumar Agarwal :
> Does the web server know the login id of windows?
>
> Thanks in advance.
Windows OS ?
You can look at
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
> If anyone has any suggestions on how we can add files into the exploded
> webapp structure and still perform undeploy/re-deploy of our webapp, I would
> greatly appreciate it. Or, if there's a way to tell tomcat to completely
> remove the directory - regardless of additional files/directories
2011/8/1 Bob DeRemer :
> Thanks, but I need to do this in a production environment, where we're
> deploying/re-deploying a WAR and there is no eclipse IDE. In addition, I am
> dynamically adding extensions to our webapp without having to restart our
> webapp, which is what republishing from Ecl
Hi:
I've got Tomcat 7.0.16 and I'm using realm
authentication/authorization mechanism , via FORM method.
I'd like to store in user session the URL accessed and forwarded to
realm authentication.
An example of URL could be
http://localhost:8080/myapp/protected/file.properties
I try to configure
>
> Why? What problem are you trying to solve?
>
Well, I'm invoking j_security_check with an asynchronous RPC call.
If I use a HTML form and action = j_security_check , Tomcat performs
redirection after authenticate user, as you said,
But I need to implement with an asynchronous RPC call.
So, m
> I think it is possible to share sessions across contexts. Portal
> applications need to do this. Try
> http://jee-bpel-soa.blogspot.com/2009/06/session-sharing-in-apache-tomcat.html
>
But this solution shares information between contexts , not creates an
unique shared session per user (session d
Regards
>
> Ron
>
> - Original Message - From: "Chema"
> To: "Tomcat Users List"
> Sent: Thursday, August 04, 2011 6:39 PM
> Subject: Re: Sharing session between different webapps under same tomcat
>
>
>>> I think it is possible to share
Hi Ron:
> My understanding is that once these options are configured, the SAME session
> data is stored across contexts separately for each user.
Thanks for your answer, but in the last section of that webpage
(Session-aware cross context data sharing), explains that:
- he's sharing data using Se
Hi:
I've configured my server.xml with
and I've got deployed two web applications with Realm authentication
How can I get SSO ID on a servlet ? I want to know this ID without
browser sends a cookie to server.
I don't need this SSO ID be equal to JSESSIONIDSSO . I only want to
relate two ses
> Why do you need a consistent ID between the two apps?
Because I'll store this ID into a record in database.
The apps check every 60 sec if this record exists and, if it doesn't,
perform a logout
> Why bother?
>
> "
> As soon as the user logs out of one web application (for example, by
> invalidating the corresponding session if form based login is used), the
> user's sessions in all web applications will be invalidated. Any
> subsequent attempt to access a protected resource in any applica
2011/8/15 Chen Paz :
>
> Hi,
>
> I am using a servlet to intercept form based authentication in order to
> insert attribute into the request
What parameter do you want to insert into the request ?
I don't know, but maybe you can do the same with a custom realm
Or, using by Spring Security
> How do you accomplish that? By doing this SSO sniff-and-kill-session
> thing? It seems more straightforward to expire a particular webapp's
> session explicitly and let the SSO expire along with it.
> Doesn't that mean you'll have to re-run the same query just to expire
> the sessions in the othe
> how can access the SSLSession in a jsp or a servlet
> to be able to invalidate it.
Sorry, but
is there any difference between to invalidate a HTTP Session and a SSLSession ?
Hello:
I've got a web application running on Tomcat 7.0.16
It uses realm authentication to validate users ( FORM login method
with a custom login page named login.html)
and it's secured by SSL with
ssl
/*
CONFIDENTIAL
So, if I write https://localhost:8080/pr
");
if (context != null)
response.sendRedirect(context.getContextPath() + "/protected.html" );
I hoped that login.html was returned but protected.html is
I don't find any doc about realm + SSL what's wrong ?
Thanks and regards
2011/9/7 Mark Thomas :
> On 07/09/2011 12:20, Chema wrote:
>>
>> org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
>>
>> org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
>> org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
>> org.apache.strut
Hello:
I've got a web application running on Tomcat 7, with SSL (https) and
realm for authentication/authorization
When I invalidate() a session ( session.invalidate() ) , Tomcat
doesn't know it and thinks that user is still logged in
So, that user can get protected pages. Tomcat should return him
>
> Presumably, you are using CLIENT-CERT as your ?
No, FORM method
>
>> When I invalidate() a session ( session.invalidate() ) , Tomcat
>> doesn't know it and thinks that user is still logged in So, that
>> user can get protected pages. Tomcat should return him a login
>> window but doesn't.
>
hultz :
> Chema,
>
> On 9/16/2011 1:25 PM, Chema wrote:
>>>
>>> Presumably, you are using CLIENT-CERT as your ?
>>
>> No, [I am using] FORM method
>
> Hmm. HttpSession.invalidate() *is*
Thanks Christopher.
Great explanation.
Finally, my problem was solved by upgrading up to Tomcat 7.0.21
On 7.0.16, my application doesn't work fine with SSL & realm ( see
previous emails )
Upgrading to 7.0.21 ( clean install, really ) solved the problem and works fine.
Regards
2011/9/16 Christ
>
> In your code, you would examine the Principal & see if it had permission
> to proceed. Then return the resource or an error, accordingly.
>
On my way , I would put "your code that examine the Principal & see
if it had permission " into a custom realm class.
This custom realm can check only u
> Why getContext("/app") ??
>
> HTTP Sessions are local to each web application.
>
> If "protected.html" belongs to a different web application, it would
> not (and cannot) know that you invalidated session in this webapp.
Hi
You're right: protected.html belongs to another web application.
But my To
For logout, you can implement a HttpSessionListener .
It has got a method:
public void sessionDestroyed(HttpSessionEvent se)
It's invoked when http session is invalidated. ( session.invalidate() )
So, you have to invalidate http session when user makes logout ( i.e, user
clicks a logout button
2011/10/6 Martin O'Shea
>
> Detecting a logoff is easier using the sessionDestroyed method.
>
How do you detect that a user is closing his browser ?
>
> So how it is possible to access HttpRequestServlet and set some
> session attribute in my Custom Realm which extends RealmBase.
>
I guess you can't do it that
>
> Or else it should be a different Procedure.
>
You can try by using filters or try Spring Security
>
> Waiting for some clue
This is one of the reasons I switched to SecurityFilter: there is a
> FlexibleRealmInterface that passes-in the HttpServletRequest that was
> used to attempt authentication. That allows you to get nice things
> like the ip address of the request for logging.
>
>
I'm interested on what are talking
> In my Custom Realm Implementation I am authenticating some user and
> allowing
> him to access my webapps(servlets or filters) (my application)
> This authentication session i need it to be reused in my webapp(to avoid
> another authentication) if it is an authorized session.
> So for this pur
>
>
>
> Frankly, if you're using Spring Security, I'd stick with it. I myself
> am thinking of making the switch.
>
>
Yes, I tried it and like it , but I need Single Sign On support and the
solutions what Spring Security offers are complicated to implement by me
A silly question:
why do you use a ThreadLocal to store a constant value for entire
application? why not a static variable or store into web application
context , by example ?
Thanks
2011/11/23 Christopher Schultz :
> All,
>
> I've got a servle
>> The string of the date format is constant. However the SimpleDateFormat
> class is not threadsafe, so you will hit intermittent issues when sharing
> across threads
Do you mean that read operations (getters) in not-threadsafe objects
are not an atomic operations and could retrieve "dirty" value
>> This result is as expected, but from time to time we saw the
>> following URL string returned
>> http://mytestsystem/login.action?login_error=1&u=OtherUser although
>> we sent the form with Tester as value away. But now in the input
>> field it is also OtherUser set.
One question
How the return
String uParam = "";
> if (StringUtils.isBlank(username) == false) {
> uParam = "&u=".concat(username);
> }
> logonFilter.setLoginFailedUrl("/action?login_error=1".concat(uParam));
>
> -Ursprüngliche Nachricht-
> Von: Chema [mail
You can try to set traces into the code of your realm class, if it's a
custom realm : to watch the query executed , to watch the
user/password passed from browser, to catch exceptions and print stack
trace ...
If you don't have a custom realm, you can try to create one for testing
Can you paste yo
> 10 to 1 you've got stale connections in your pool; first try fails, second
> one gets a fresh connection
I thought the same
autoReconnect
Should the driver try to re-establish stale and/or dead connections?
If enabled the driver will throw an exception for a queries issued on
a stale or dea
Well, I don't know about this , but
What is the "URLRewrite" filter ? A Servlet filter ?
You can try to write a Valve and test if it works. I think it's
processed before calling container code. Maybe ...
Or to configure a proxy web to rewrite . I didn't make this before, but
I know it's possible.
2012/1/3 Anjib Mulepati :
> Hi All,
>
> One simple question If I have JNDI configuration in my application will my
> application reconnect to the DB whenever my DB gets restart.
> I am having DB connection problem every Monday since our DB get restarted on
> weekends which we don't have control of
> But in my application I have context.xml with following
>
>
> driverClassName="oracle.jdbc.driver.OracleDriver"
> maxActive="20"
> maxIdle="10"
> maxWait="-1"
> name="jdbc/myName"
> password="myPassword"
> type="javax.
> Try adding validationQuery="SELECT 1 FROM DUAL" and testOnBorrow="true".
testOnBorrow is true by default :-)
2012/1/9 Anjib Mulepati :
> I did change my config.xml to
>
>
>
> driverClassName="oracle.jdbc.driver.OracleDriver"
> maxActive="20"
> maxIdle="10"
> maxWait="-1"
> name="jdbc/myName"
> password="myPassword"
> testOnBorr
> Caused by: oracle.net.ns.NetException: The Network Adapter could not
> establish the connection
> at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:375)
> at
> oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:422)
> at oracle.net.ns.NSProtocol.establishConne
>>
>> Caused by: java.io.IOException: Keystore was tampered with, or password
>> was incorrect
Well, I don't know what is the problem.
I followed these steps and it worked : http://blog.frankel.ch/ssl-your-tomcat-7
Other option is HTTP Connector in your server.xml is incorrectly configured
>2012/1/23 :
> Initially I thought that my RootJDBCRealm might be the problem, but how can
> that be? RootJDBCRealm extends Tomcat's own JDBCRealm. It overrides
> authenticate to call super.authenticate and if there are 3 failures (in that
> super.authenticate returns null), then it locks ou
> "Asynchronous Notification 'interface
> com.evertz.registry.ServerRegistryListener: masterChanged'" daemon prio=6
> tid=0x28c77000 nid=0x16d8 in Object.wait() [0x2899f000]
> java.lang.Thread.State: WAITING (on object monitor)
> at java.lang.Object.wait(Native Method)
> - waiting
>> Can I see ApplicationShutdownHooks source code ?
>
> That is located in java.lang, you can see the source online...
>
Sorry, I meant about *your* app's shutdown hook.
>> What 's com.evertz.registry.ServerRegistryListener ?
Right
>
> This is just the listener that triggers the shutdown call.
2012/2/27 hernan
>
>
> The process may take some seconds or a few minutes to be completed. I'd
> like to limit the number of client requests per user.
>
Why don't you use Tomcat's valves mechanism ?
You can implement a request filter on a Context scope
Where store the counter of requests ?
Mem
>>
>> > That approach doesn't work when the application uses symlinks to get to
>> > data on other Oracle servers.
Right. With dblinks, it's the RDBMS who opens/closes a session against
the remote server, via dblinks
I guess that when you say "our Oracle database has to be restarted",
you *only*
> We use Spring w/ Hibernate as I recall. Yes, we have talked about that - a
> ping query. What we don't like about that is now we have a tc ping and app
> ping. We have also discussed just changing the tc borrow/ping to do the
> dual@remotedb query as this would test both primary and remote. W
>>
>> Do you have testOnBorrow="true" and a validationQuery="SELECT 1 FROM
>> DUAL" configured?
>>
>> This should suffice to ensure each connection is valid before use.
>
>
> Pid,
>
> works like a charm. Thanks very much.
>
From Tomcat doc for testOnBorrow setting:
"The indication of whether ob
2012/3/5 Michael :
> Chema schrieb:
>
>>>> Do you have testOnBorrow="true" and a validationQuery="SELECT 1 FROM
>>>> DUAL" configured?
>>>>
>>>> This should suffice to ensure each connection is valid before use.
>>>
> No if the connection has been reset by the instance. The query will result
> in a SQLException. You have to close the connection and open a new one. The
> query works on an open connection only. That's the point.
> See the second paragraph of this [1].
>
But the problem was when you restart the
> There's nothing like chasing your tail for a few days on a mailing list.
>
> - -chris
ok, ok ...it was my fault ... sorry :-/
Regards
> 1. http://en.wikipedia.org/wiki/Chunked_transfer_encoding
> 2. RFC 2616 (the specification of HTTP/1.1 protocol)
One question
How does web browser know what is the right order of the chunks ?
When server waits for generating the whole response, I understand that
transmission can rely on TCP and
> The server application must pass the chunks to its outbound TCP/IP stack in
> order, so normal TCP sequencing takes care of it.
>
Thanks
But, if I'm not wrong , chunks messages belong application layer, so
when servers pass them to TCP/IP stack , they are different messages.
Do it by same conne
>
> TCP packets are numbered (by TCP itself). Thus chunks are ordered as well.
>
So, chunks aren't sent on the same time, but they are sent by the same
TCP connection .
In this case, it has sense for me: a stream of chunks . Thanks
2012/3/23 Caldarale, Charles R :
>> From: Chema [mailto:demablo...@gmail.com]
>> Subject: Re: chunked encoding
>
>> But, if I'm not wrong , chunks messages belong application layer, so
>> when servers pass them to TCP/IP stack , they are different messages.
>
>
Hi:
I've just installed ( unzipped ) Tomcat 7.0.14 and I'm trying to
access to manager web application.
So,
http://127.0.0.1:8080/manager/html
and popup a browser logging form.
My conf/tomcat-users.xml is
But, when I try to log in, an exception occurs:
01-jul-2011 16:10:51 org.apache
2011/7/1 Mark Thomas :
> On 01/07/2011 15:22, Chema wrote:
>> Hi:
>>
>> I've just installed ( unzipped ) Tomcat 7.0.14 and I'm trying to
>> access to manager web application.
>
> What else did you change?
>
I think nothing.
There is a log when serve
> 01-jul-2011 17:23:55 org.apache.catalina.realm.JAASRealm setContainer
> INFO: Set JAAS app name Catalina
>> I don't see a log error, only an INFO message.
Right. I just said that I didn't understand this message , because I
don't have any JAASRealm configured
I've downloaded 7.0.16 release and t