users Digest 7 Feb 2012 17:14:41 -0000 Issue 10794

Topics (messages 231841 through 231865):

Re: Client Authentication--getting certificate information on the server side
 231841 by: Pid
 231842 by: Sanjeev Sharma
 231848 by: Christopher Schultz

Re: starting connectors after the tomcat startup
 231843 by: Pradeep Fernando

Re: [OT] Dependencies on extensions functionality
 231844 by: Christopher Schultz

Re: Dependencies on extensions functionality
 231845 by: Christopher Schultz
 231847 by: Violeta Georgieva
 231850 by: Christopher Schultz
 231851 by: Violeta Georgieva

Re: Clustering and https configuration
 231846 by: Christopher Schultz
 231852 by: Pid

Odd interface binding observations
 231849 by: Christopher Schultz
 231853 by: Konstantin Kolinko

Web app calls JMS over SSL - certificates
 231854 by: Peter Kleczka
 231857 by: Pid
 231863 by: Peter Kleczka
 231864 by: Caldarale, Charles R

Re: POST data (single character) cleared when using tomcat 6.0.33 and Character Encoding Filter
 231855 by: kitagawa

Re: How can I access tomcat's logs using my jsp?
 231856 by: Lev A KARATUN
 231858 by: André Warnier
 231859 by: Pid
 231860 by: André Warnier
 231861 by: André Warnier

All-in-One Toolbar (TV, Radio, Games, BlogNews, Tools, etc.) and FREE!
 231862 by: yupibar

Running Tomcat on Port 80 with Fedora 16 without IP tables redirect
 231865 by: Ole Ersoy

Administrivia:

---------------------------------------------------------------------
To post to the list, e-mail: users@(protected)
To unsubscribe, e-mail: users-digest-unsubscribe@(protected)
For additional commands, e-mail: users-digest-help@(protected)

----------------------------------------------------------------------

On 06/02/2012 17:01, Sanjeev Sharma wrote:
> Hello,
>
> I'm trying to configure client authentication in Tomcat 7 on Windows 7. I have the following connector in the server.xml:
>
> <Connector port="443"
>        protocol="HTTP/1.1"
>        SSLEnabled="true"
>        maxThreads="150"
>        scheme="https"
>        secure="true"
>        keystoreFile="d:\certs\server_cert.jks"
>        keystorePass="changeit"
>        truststoreFile="d:\certs\truststore.jks"
>        truststorePass="changeit"
>        clientAuth="true"
>        sslProtocol="TLS" />
>
> In my web.xml I have the following :
>
>   <login-config>
>      <auth-method>CLIENT-CERT</auth-method>
>      <realm-name>PKI Enabled App</realm-name>
>   </login-config>
>
> This forces client authentication when I try to access the app using a browser and when I provide a trusted certificate, I'm able get authenticated. After the authentication I was expecting to get the client certificate information in the session, but I get nothing. How do I pass the Common Name from the subject line of the client certificate to the server during authentication so that I can access it from a struts action?
>
> Thanks in advance.

There are a number of variables (javax.servlet.request.ssl*) available
in the *request* rather than the session. Which ones are you trying to
access?

There's a list of various relevant things here:

http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/catalina/Globals.java


p





--

[key:62590808]

Actually as I wrote in the mail with the scenario:

, when I do not specify the "catalina.ext.dirs", deployment fails

>INFO: Deploying web application archive
C:\apache-tomcat-7.0.25\webapps\test-web-app.war
>Feb 4, 2012 10:41:44 PM org.apache.catalina.util.ExtensionValidator
validateManifestResources
>INFO: ExtensionValidator[/test-web-app][Web Application Manifest]:
Required extension [test-jar] not found.
>Feb 4, 2012 10:41:44 PM org.apache.catalina.util.ExtensionValidator
validateManifestResources
>INFO: ExtensionValidator[/test-web-app]: Failure to find [1] required
extension(s).
>Feb 4, 2012 10:41:44 PM org.apache.catalina.core.StandardContext
startInternal

>SEVERE: Error getConfigured
>Feb 4, 2012 10:41:44 PM org.apache.catalina.core.StandardContext
startInternal
>SEVERE: Context [/test-web-app] startup failed due to previous errors

then when I specify "catalina.ext.dirs" then it fails with CNFE

2012/2/6 Christopher Schultz <chris@(protected)>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pid,
>
> On 2/6/12 6:48 AM, Pid wrote:
> > On 06/02/2012 11:08, Violeta Georgieva wrote:
> >>> I was going to ask you why you were using it! So is your
> >>> interest purely academic?
> >> I have existing applications that are moving to Tomcat from
> >> another application server. As "dependencies on extensions" is a
> >> standard mechanism for shared libraries, they use it in order to
> >> be independent from the application servers.
> >
> > I see - in my experience this mechanism is rarely used in web
> > applications. Interesting.
>
> Yeah, I had never heard of it.
>
> Also, the whole metadata-scanning thing seems totally unnecessary: the
> webapp tries to load a class, and the ClassLoader figures it out. The
> fact that the metadata exists doesn't really help much.
>
> I haven't looked at the validation code, though, so it's possible that
> the container is supposed to refuse to deploy the webapp if an
> appropriate extension isn't available.
>
> That obviously wasn't happening in Violeta's case because the
> deployment succeeded but then she got a CNFE.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk8wGqYACgkQ9CaO5/Lv0PAxhQCfQ2NBq+vrLxIREvKp8mFROnw5
> mOUAn194PtKwYxvxKv1BJrTAkmnCksfu
> =X6VY
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@(protected)
> For additional commands, e-mail: users-help@(protected)
>
>

>Gotcha: so, the validation works properly, but the catalina.ext.dirs
>doesn't actually get added to the classpath. Oops.
that's correct

2012/2/6 Christopher Schultz <chris@(protected)>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Violeta,
>
> On 2/6/12 1:31 PM, Violeta Georgieva wrote:
> > Actually as I wrote in the mail with the scenario:
> >
> > when I do not specify the "catalina.ext.dirs", deployment fails
> >
> >> INFO: Deploying web application archive
> > C:\apache-tomcat-7.0.25\webapps\test-web-app.war
> >> Feb 4, 2012 10:41:44 PM
> >> org.apache.catalina.util.ExtensionValidator
> > validateManifestResources
> >> INFO: ExtensionValidator[/test-web-app][Web Application
> >> Manifest]:
> > Required extension [test-jar] not found.
> >> Feb 4, 2012 10:41:44 PM
> >> org.apache.catalina.util.ExtensionValidator
> > validateManifestResources
> >> INFO: ExtensionValidator[/test-web-app]: Failure to find [1]
> >> required
> > extension(s).
> >> Feb 4, 2012 10:41:44 PM org.apache.catalina.core.StandardContext
> > startInternal
> >
> >> SEVERE: Error getConfigured Feb 4, 2012 10:41:44 PM
> >> org.apache.catalina.core.StandardContext
> > startInternal
> >> SEVERE: Context [/test-web-app] startup failed due to previous
> >> errors
> >
> > then when I specify "catalina.ext.dirs" then it fails with CNFE
>
> Gotcha: so, the validation works properly, but the catalina.ext.dirs
> doesn't actually get added to the classpath. Oops.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk8wHqkACgkQ9CaO5/Lv0PBXdQCgkvcmuAnGBEmcbrUUtPySGqmS
> dJUAoJ1KGf/flTDzmNd0JigGEO+7muMD
> =dog/
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@(protected)
> For additional commands, e-mail: users-help@(protected)
>
>

On 06/02/2012 18:29, Christopher Schultz wrote:
> Riccardo,
>
> On 2/6/12 8:10 AM, Riccardo Venittelli wrote:
>> Now my test web app work fine but i'm unable to find a
>> configuration for SingleSignOn in cluster.
>
> Are you trying to set up a Cluster to communicate over SSL? I don't
> believe <Cluster> supports that. I have two recommendations (having
> never done anything like this):

Or is he asking for a ClusterSingleSignOn?


p

> * stunnel (requires that you know in advance which ports will be used)
>
> That's probably either non-ideal or not actually possible due to the
> multicast nature of the <Cluster> capabilities.
>
> * Use a secure VPN with multicast enabled on that interface
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@(protected)
> For additional commands, e-mail: users-help@(protected)
>

--

[key:62590808]

Hello

I have a web app on Tomcat 6.0.24. The app needs to call a JMS app on
another server over SSL. I installed the keystore/truststore files in
$CatalinaHome/conf/certs and set VM arguments so that the JVM knows where
to find the certs. The server administrator says that I should encapsulate
these certs within the WAR file and that we should not have to set the VM
arguments.

The documentation that I have read so far seems to only discuss how to set
up SSL on Tomcat.

Is there a way that Tomcat or my web app can automatically load the certs
without setting VM arguments?

Thanks kindly in advance.

I am using ActiveMQ and its activemq.xml file has a section where the
keystore and truststore point to those files. So I assume that means that
there is a way to set these at runtime. Still leaves me with the question
of whether I can set these at runtime from my app on Tomcat.

On Mon, Feb 6, 2012 at 11:50 PM, Pid * <pid@(protected):

> On 6 Feb 2012, at 23:10, Peter Kleczka <pkleczka@(protected):
>
> > Hello
> >
> > I have a web app on Tomcat 6.0.24. The app needs to call a JMS app on
> > another server over SSL. I installed the keystore/truststore files in
> > $CatalinaHome/conf/certs and set VM arguments so that the JVM knows where
> > to find the certs. The server administrator says that I should
> encapsulate
> > these certs within the WAR file and that we should not have to set the VM
> > arguments.
> >
> > The documentation that I have read so far seems to only discuss how to
> set
> > up SSL on Tomcat.
> >
> > Is there a way that Tomcat or my web app can automatically load the certs
> > without setting VM arguments?
>
> How are you configuring JMS now?
>
> Which JMS provider/lib are you using?
>
>
> p
>
>
>
> >
> > Thanks kindly in advance.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@(protected)
> For additional commands, e-mail: users-help@(protected)
>
>

Charles,

I made the adjustments and it works now.

Thank you!

Best Regards,
Karatun Lev,


"Caldarale, Charles R" <Chuck.Caldarale@(protected)
18:41:18:

> "Caldarale, Charles R" <Chuck.Caldarale@(protected)>
> 06.02.2012 18:42
>
> Please respond to
> "Tomcat Users List" <users@(protected)>
>
> To
>
> Tomcat Users List <users@(protected)>
>
> cc
>
> Subject
>
> RE: How can I access tomcat's logs using my jsp?
>
> > From: Lev A KARATUN [mailto:Lev.KARATUN@(protected)]
> > Subject: RE: How can I access tomcat's logs using my jsp?
>
> > when I'm copypasting the default servlet block to
> > $CATALINA_BASE/logs/WEB-INF/web.xml, the application
> > no longer works.
>
> There's an additional step required for Tomcat 6 that's not
> necessary for Tomcat 7. So either upgrade, or do the following:
>
> Change the name of the DefaultServlet in logs/WEB-INF/web.xml to
> logsdefault (or some other unique label):
>
>      <servlet-name>logsdefault</servlet-name>
>
> and add a <servlet-mapping> for it:
>
>   <servlet-mapping>
>      <servlet-name>logsdefault</servlet-name>
>      <url-pattern>/</url-pattern>
>   </servlet-mapping>
>
> Tomcat 6 does not allow you to override the <servlet-name> settings
> in the global conf/web.xml, but Tomcat 7 does.
>
> > And one more question - if myapp's docBase is set to
$CATALINA_BASE/logs ,
> > does it matter what is in the webapps/myapp folder?
>
> Assuming the "myapp" you're referring to is the one for accessing
> Tomcat's logs, you should not risk problems by also having a
> webapps/myapp. It shouldn't hurt, but...
>
> And, as usual, ignore Martin G's irrelevant ramblings.
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> PROPRIETARY MATERIAL and is thus for use only by the intended
> recipient. If you received this in error, please contact the sender
> and delete the e-mail and its attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@(protected)
> For additional commands, e-mail: users-help@(protected)
>



-----------------------------------
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. ZAO Raiffeisenbank neither makes nor accepts legally binding statements by e-mail unless otherwise agreed.
-----------------------------------

On 07/02/2012 09:07, André Warnier wrote:
> For once, it may be best to top-post.
>
> Anyone feels like making a FAQ out of this thread ?
> It looks like a generic-enough question and answer.

I don't think I want to encourage publishing logs via the same
container. I've seen all sorts of private data published in log files.


p

> Lev A KARATUN wrote:
>> Charles,
>>
>> I made the adjustments and it works now.
>>
>> Thank you!
>>
>> Best Regards, Karatun Lev,
>>
>>
>> "Caldarale, Charles R" <Chuck.Caldarale@(protected)
>> 06.02.2012 18:41:18:
>>
>>> "Caldarale, Charles R" <Chuck.Caldarale@(protected)
>>>
>>> Please respond to
>>> "Tomcat Users List" <users@(protected)>
>>>
>>> To
>>>
>>> Tomcat Users List <users@(protected)>
>>>
>>> cc
>>>
>>> Subject
>>>
>>> RE: How can I access tomcat's logs using my jsp?
>>>
>>>> From: Lev A KARATUN [mailto:Lev.KARATUN@(protected):
>>>> How can I access tomcat's logs using my jsp?
>>>> when I'm copypasting the default servlet block to
>>>> $CATALINA_BASE/logs/WEB-INF/web.xml, the application
>>>> no longer works.
>>> There's an additional step required for Tomcat 6 that's not necessary
>>> for Tomcat 7. So either upgrade, or do the following:
>>>
>>> Change the name of the DefaultServlet in logs/WEB-INF/web.xml to
>>> logsdefault (or some other unique label):
>>>
>>>      <servlet-name>logsdefault</servlet-name>
>>>
>>> and add a <servlet-mapping> for it:
>>>
>>>   <servlet-mapping>
>>>      <servlet-name>logsdefault</servlet-name>
>>>      <url-pattern>/</url-pattern>
>>>   </servlet-mapping>
>>>
>>> Tomcat 6 does not allow you to override the <servlet-name> settings
>>> in the global conf/web.xml, but Tomcat 7 does.
>>>
>>>> And one more question - if myapp's docBase is set to
>> $CATALINA_BASE/logs ,
>>>> does it matter what is in the webapps/myapp folder?
>>> Assuming the "myapp" you're referring to is the one for accessing
>>> Tomcat's logs, you should not risk problems by also having a
>>> webapps/myapp. It shouldn't hurt, but...
>>>
>>> And, as usual, ignore Martin G's irrelevant ramblings.
>>>
>>> - Chuck
>>>
>>>
>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
>>> PROPRIETARY MATERIAL and is thus for use only by the intended
>>> recipient. If you received this in error, please contact the sender
>>> and delete the e-mail and its attachments from all computers.
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@(protected)
>>> For additional commands, e-mail: users-help@(protected)
>>>
>>
>>
>>
>> -----------------------------------
>> This message and any attachment are confidential and may be privileged
>> or otherwise protected from disclosure. If you are not the intended
>> recipient any use, distribution, copying or disclosure is strictly
>> prohibited. If you have received this message in error, please notify
>> the sender immediately either by telephone or by e-mail and delete
>> this message and any attachment from your system. Correspondence via
>> e-mail is for information purposes only. ZAO Raiffeisenbank neither
>> makes nor accepts legally binding statements by e-mail unless
>> otherwise agreed. -----------------------------------
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@(protected)
> For additional commands, e-mail: users-help@(protected)
>


--

[key:62590808]

Yupibar - When the global information becomes an easy task.


The most complete worldwide toolbar on the Internet is ready.
A press, information, recreational and productive tool for everyone.


2300+ World TV Channels
4500+ Radio Stations
1400+ Games Online
World Newspapers, Magazines
Blog News, Streaming News
Tools for each job (File Converters, Photo Editors, Translation, Dictionaries, Movie Subtitles, Software, and much more ...)
100% Safe! & FREE!


Homepage: http://yupibar.blogspot.com
Download: http://yupibar.ourtoolbar.com


SPREAD it to your friends, your blogs, social networks, EVERYWHERE.




If you believe that this mail message is annoying you can sent to us a message to unsubscribe from our mail list.