Henri Gomez wrote:
Jean-Francois Arcand wrote:
+1
The security mechanism in TC 4.x and higher (due to the Digester)
prevents me from using such easy configuration tuning, so we have
to stay with Tomcat 3.3.x for now.
I'm probably missing something here.... why does the Digester suffer from that limitation? What kind of security exception are you seeing? If you give all permissions to the Digester, does it change anything?
Same problem with TC 5.0.12 ;(
To reproduce, I added an external entity file reference in the web.xml
of the provided servlet-examples webapp:

----

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

[ <!ENTITY % appconf SYSTEM "../../../etc/webapp/appconf.xml"> %appconf; ]


<web-app>


====>

Here is my startup log...


[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
[INFO] Catalina - -Initialization processed in 5468 ms
[INFO] StandardService - -Starting service Catalina
[INFO] StandardEngine - -Starting Servlet Engine: Apache Tomcat/5.0.12
[INFO] StandardHost - -Create Host deployer for direct deployment (
non-jmx )
[INFO] StandardHostDeployer - -Installing web application at context
path /jsp-examples from URL
file:C:\jakarta-tomcat-5.0.12\webapps\jsp-examples
[INFO] StandardHostDeployer - -Installing web application at context
path  from URL file:C:\jakarta-tomcat-5.0.12\webapps\ROOT
[INFO] StandardHostDeployer - -Installing web application at context
path /servlets-examples from URL
file:C:\jakarta-tomcat-5.0.12\webapps\servlets-examples
[ERROR] Digester - -Parse Fatal Error at line 7 column 1: Content is not
allowed in prolog. <org.xml.sax.SAXParseException: Content is not
allowed in prolog.>org.xml.sax.SAXParseException: Content is not allowed
in prolog.
        at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
        at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source)
        at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
        at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
        at org.apache.xerces.impl.XMLScanner.reportFatalError(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentScannerImpl$PrologDispatcher.dispatch(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.DTDConfiguration.parse(Unknown Source)
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
        at org.apache.commons.digester.Digester.parse(Digester.java:1548)
        at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:305)
        at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:729)
        at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:257)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4073)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:866)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:850)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:614)
        at org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.java:315)
        at org.apache.catalina.core.StandardHost.install(StandardHost.java:835)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:723)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1002)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:393)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:792)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1125)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:502)
        at org.apache.catalina.core.StandardService.start(StandardService.java:519)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2343)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
        at java.lang.reflect.Method.invoke(Native Method)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:392)

[ERROR] ContextConfig - -Parse error in application web.xml file
<org.xml.sax.SAXParseException: Content is not allowed in
prolog.>org.xml.sax.SAXParseException: Content is not allowed in prolog.
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
        at org.apache.commons.digester.Digester.parse(Digester.java:1548)
        at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:305)
        at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:729)
        at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:257)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4073)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:866)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:850)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:614)
        at org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.java:315)
        at org.apache.catalina.core.StandardHost.install(StandardHost.java:835)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:723)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1002)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:393)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:792)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1125)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:502)
        at org.apache.catalina.core.StandardService.start(StandardService.java:519)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2343)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
        at java.lang.reflect.Method.invoke(Native Method)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:392)

[ERROR] ContextConfig - -Occurred at line {0} column {1}
[ERROR] ContextConfig - -Marking this application unavailable due to
previous error(s)
[ERROR] Context - -Error getConfigured
[ERROR] Context - -Context startup failed due to previous errors
[INFO] StandardHostDeployer - -Installing web application at context
path /tomcat-docs from URL
file:C:\jakarta-tomcat-5.0.12\webapps\tomcat-docs
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
[INFO] ChannelSocket - -JK2: ajp13 listening on 0.0.0.0/0.0.0.0:8009
[INFO] JkMain - -Jk running ID=0 time=0/80
config=C:\jakarta-tomcat-5.0.12\conf\jk2.properties
[INFO] Catalina - -Server startup in 12538 ms


My co-workers and I read and reread the 2.3 spec, and it specifies that a servlet engine MAY restrict access to stuff outside the webapp area.

MAY restrict, not WILL restrict; the difference is subtle, and in my
case it will prevent me from upgrading to Tomcat 5.x ;(

So please add a relaxed mode, which will be DISABLED by default. I know
other admins who have the same kind of settings for large ASP
applications, and they have to stay with Tomcat 3.2 or 3.3.
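The reproduction above, reworked as an added example in plain JAXP/SAX. It is not Tomcat or Digester code, and the file names, the entity names and the `etc/appconf.dtd` fragment are constructed for the demo. Two things are worth separating. First, XML syntax: the internal subset `[ ... ]` is part of the DOCTYPE declaration and has to come before the declaration's closing `>`. In the web.xml posted above, the `>` that follows the system identifier already ends the declaration, so the `[` two lines later is stray text before the root element, which is exactly what Xerces reports as "Content is not allowed in prolog" at line 7 column 1; that error fires before any question of entity access arises. Second, the restriction the post asks to relax: a SAX parser decides whether `%appconf;` may read a file outside the webapp through the standard `external-parameter-entities` and `external-general-entities` features (plus the Xerces-specific `load-external-dtd`). The block writes a correctly nested web.xml that pulls per-environment values from `../etc/appconf.dtd`, parses it once with those features on and once with them off, and also parses the mis-nested layout so the two failure modes can be told apart. The PUBLIC identifier is left out so the demo never fetches the web-app DTD over the network.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example (not Tomcat/Digester code): external parameter entities in a web.xml. */
public class WebXmlEntityDemo {

    // Constructed sample: a DTD fragment living outside the webapp that declares
    // general entities holding per-environment values.
    static final String APPCONF_DTD =
        "<!ENTITY db.url \"jdbc:postgresql://db1.internal/app\">\n"
      + "<!ENTITY db.user \"app_ro\">\n";

    // Well-formed layout: the [ ... ] internal subset is inside the DOCTYPE
    // declaration, i.e. BEFORE its closing '>'.
    static final String WEB_XML_OK =
        "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
      + "<!DOCTYPE web-app [\n"
      + "  <!ENTITY % appconf SYSTEM \"../etc/appconf.dtd\">\n"
      + "  %appconf;\n"
      + "]>\n"
      + "<web-app>\n"
      + "  <context-param><param-name>db.url</param-name><param-value>&db.url;</param-value></context-param>\n"
      + "  <context-param><param-name>db.user</param-name><param-value>&db.user;</param-value></context-param>\n"
      + "</web-app>\n";

    // Mis-nested layout, as in the posted web.xml: the '>' closes the DOCTYPE,
    // so the '[' on the next line is stray content in the prolog.
    static final String WEB_XML_BAD =
        "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
      + "<!DOCTYPE web-app>\n"
      + "[ <!ENTITY % appconf SYSTEM \"../etc/appconf.dtd\"> %appconf; ]\n"
      + "<web-app/>\n";

    static final class Result {
        final List<String> paramValues = new ArrayList<>();
        final List<String> skippedEntities = new ArrayList<>();
        String error;
        @Override public String toString() {
            return error != null ? "ERROR " + error
                 : "values=" + paramValues + " skipped=" + skippedEntities;
        }
    }

    /** Parse a web.xml with external entity loading either allowed or refused. */
    static Result parse(Path webXml, boolean allowExternal) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setValidating(false);
        // Standard SAX2 features: whether %pe; and &ge; may open files or URLs at all.
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", allowExternal);
        f.setFeature("http://xml.org/sax/features/external-general-entities", allowExternal);
        try { // Xerces-specific: also stop fetching the DTD named by a PUBLIC/SYSTEM id.
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", allowExternal);
        } catch (SAXException notXerces) { /* feature unknown on this parser; skip it */ }
        SAXParser p = f.newSAXParser();

        Result r = new Result();
        DefaultHandler h = new DefaultHandler() {
            StringBuilder text;
            @Override public void startElement(String u, String l, String q, Attributes a) {
                if (q.equals("param-value")) text = new StringBuilder();
            }
            @Override public void characters(char[] ch, int s, int len) {
                if (text != null) text.append(ch, s, len);
            }
            @Override public void endElement(String u, String l, String q) {
                if (q.equals("param-value")) { r.paramValues.add(text.toString()); text = null; }
            }
            @Override public void skippedEntity(String name) { r.skippedEntities.add(name); }
        };
        try {
            p.parse(webXml.toFile(), h);   // relative SYSTEM ids resolve against this file's directory
        } catch (SAXParseException e) {
            r.error = "line " + e.getLineNumber() + " col " + e.getColumnNumber() + ": " + e.getMessage();
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("webxml-demo");
        Path webapp = Files.createDirectories(root.resolve("webapp"));
        Path etc = Files.createDirectories(root.resolve("etc"));
        Files.write(etc.resolve("appconf.dtd"), APPCONF_DTD.getBytes(StandardCharsets.ISO_8859_1));
        Path ok = Files.write(webapp.resolve("web.xml"), WEB_XML_OK.getBytes(StandardCharsets.ISO_8859_1));
        Path bad = Files.write(webapp.resolve("web-bad.xml"), WEB_XML_BAD.getBytes(StandardCharsets.ISO_8859_1));

        System.out.println("relaxed  : " + parse(ok, true));   // values filled in from ../etc/appconf.dtd
        System.out.println("hardened : " + parse(ok, false));  // %appconf; refused: skipped entities or a fatal error
        System.out.println("bad syntax, relaxed: " + parse(bad, true)); // Content is not allowed in prolog
    }
}
```

With the features off, the `%appconf;` reference is never loaded; depending on the parser this surfaces either as a fatal undeclared-entity error for `&db.url;` or as `skippedEntity` callbacks with empty `<param-value>` text, and the result prints whichever happened. The mis-nested file fails the same way whether the features are on or off, which is the check to run before concluding that a parser's entity policy is what blocked a deployment. The restrictive setting is the right default for any parser that may see XML it did not author, since the mechanism that pulls in a config fragment is the same one that can read any file the server process can open.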