


Problem with tomcat 6.0.32

Started by: ruds <rudranee@gmail.com>
First post: 2012-09-04 23:50 -0700
Last post: 2012-09-09 09:39 -0400
Articles 13 — 5 participants



Contents

  Problem with tomcat 6.0.32 ruds <rudranee@gmail.com> - 2012-09-04 23:50 -0700
    Re: Problem with tomcat 6.0.32 markspace <-@.> - 2012-09-05 09:03 -0700
      Re: Problem with tomcat 6.0.32 ruds <rudranee@gmail.com> - 2012-09-05 20:36 -0700
        Re: Problem with tomcat 6.0.32 markspace <-@.> - 2012-09-05 22:27 -0700
    Re: Problem with tomcat 6.0.32 Fredrik Jonson <fredrik@jonson.org> - 2012-09-06 04:36 +0000
      Re: Problem with tomcat 6.0.32 Arne Vajhøj <arne@vajhoej.dk> - 2012-09-08 22:33 -0400
        Re: Problem with tomcat 6.0.32 markspace <-@.> - 2012-09-08 20:22 -0700
          Re: Problem with tomcat 6.0.32 Arne Vajhøj <arne@vajhoej.dk> - 2012-09-08 23:25 -0400
            Re: Problem with tomcat 6.0.32 Arne Vajhøj <arne@vajhoej.dk> - 2012-09-08 23:30 -0400
            Re: Problem with tomcat 6.0.32 markspace <-@.> - 2012-09-08 20:36 -0700
              Re: Problem with tomcat 6.0.32 Arne Vajhøj <arne@vajhoej.dk> - 2012-09-08 23:51 -0400
                jsessionId (was: Re: Problem with tomcat 6.0.32) Andreas Leitgeb <avl@gamma.logic.tuwien.ac.at> - 2012-09-09 09:35 +0000
                  Re: jsessionId Arne Vajhøj <arne@vajhoej.dk> - 2012-09-09 09:39 -0400

#18549 — Problem with tomcat 6.0.32

From: ruds <rudranee@gmail.com>
Date: 2012-09-04 23:50 -0700
Subject: Problem with tomcat 6.0.32
Message-ID: <5f8ee108-bcec-4f96-ac86-d49e548b204a@googlegroups.com>

hi,
I am deploying an application having JSPs and a few servlets. My servlet is not getting invoked after calling from JSP. My web.xml entry is:
<web-app>
  <servlet>
    <servlet-name>login</servlet-name>
    <servlet-class>CheckLogin</servlet-class>
  </servlet> 
 <servlet-mapping>
    <servlet-name>login</servlet-name>
    <url-pattern>/CheckLogin/* </url-pattern>
 </servlet-mapping>
</web-app>

All my classes are in the WEB-INF/classes directory. When called by the JSP I'm getting the error:
The requested resource (/CheckLogin) is not available.
I'm calling this from a JSP form element:
<FORM name="f1" ACTION="/CheckLogin" METHOD=POST onsubmit='return checkall()'>

Please tell me what might be causing this problem.
Thanks in advance.
 



#18556

From: markspace <-@.>
Date: 2012-09-05 09:03 -0700
Message-ID: <k27t4j$s2g$1@dont-email.me>
In reply to: #18549

On 9/4/2012 11:50 PM, ruds wrote:
> hi,
> I am deploying an application having JSPs and a few servlets. My servlet is not getting invoked after calling from JSP. My web.xml entry is:
> <web-app>
>    <servlet>
>      <servlet-name>login</servlet-name>
>      <servlet-class>CheckLogin</servlet-class>
>    </servlet>
>   <servlet-mapping>
>      <servlet-name>login</servlet-name>
>      <url-pattern>/CheckLogin/* </url-pattern>
>   </servlet-mapping>
> </web-app>
>
> All my classes are in the WEB-INF/classes directory. When called by the JSP I'm getting the error:
> The requested resource (/CheckLogin) is not available.
> I'm calling this from a JSP form element:
> <FORM name="f1" ACTION="/CheckLogin" METHOD=POST onsubmit='return checkall()'>
>
> Please tell me what might be causing this problem.


What is the context path for the web app?  Can you show us the URL used 
for the FORM above, and the URL of the /CheckLogin action that doesn't 
work?  Just cut and paste them both from the browser, don't try to 
"figure them out."  I want the host name too, even if it's "127.0.0.1" 
or localhost.






#18563

From: ruds <rudranee@gmail.com>
Date: 2012-09-05 20:36 -0700
Message-ID: <589d18a1-e640-4226-9b75-3f0973bb7f62@googlegroups.com>
In reply to: #18556

the URL for my webapp is: http://localhost:8080/FIR/login.jsp
the URL which it gets directed to should be: http://localhost:8080/FIR/CheckLogin
but it is going at: http://localhost:8080/CheckLogin



#18565

From: markspace <-@.>
Date: 2012-09-05 22:27 -0700
Message-ID: <k29c7q$6to$1@dont-email.me>
In reply to: #18563

On 9/5/2012 8:36 PM, ruds wrote:
> the URL for my webapp is: http://localhost:8080/FIR/login.jsp
> the URL which it gets directed to should be: http://localhost:8080/FIR/CheckLogin
> but it is going at: http://localhost:8080/CheckLogin
>


Yup, c.f. Fredrik's reply: the "action" from the form needs to either be 
/FIR/CheckLogin, or it needs to be a relative URL -- "CheckLogin" with 
no slash in front.

You're missing the context path, in other words, which is easy for newbies 
to trip on.



#18564

From: Fredrik Jonson <fredrik@jonson.org>
Date: 2012-09-06 04:36 +0000
Message-ID: <slrnk4ga2v.adm.fredrik@scout.jonson.org>
In reply to: #18549

In <5f8ee108-bcec-4f96-ac86-d49e548b204a@googlegroups.com> ruds wrote:

>  I am deploying an application having JSPs and a few servlets. My servlet is
>  not getting invoked after calling from JSP. My web.xml entry is:
>
>  <servlet-mapping>
>      <servlet-name>login</servlet-name>
>      <url-pattern>/CheckLogin/* </url-pattern>
>  </servlet-mapping>
>
>  I'm calling this from a JSP form element:
> <FORM name="f1" ACTION="/CheckLogin" METHOD=POST onsubmit='return checkall()'>

You need to prepend the servlet context path to the form action url.

In html, when you specify a relative url that starts with a / it is
interpreted as being relative to the server root. So /foo is interpreted
as http://example.com/foo. The servlet mapping in web.xml does normally
not start from the server root, but from the servlet context path.

--
Fredrik Jonson
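
The resolution rule described in the post above, as an added example that is not part of the original thread: it resolves the three form actions discussed here the way a browser does (WHATWG URL rules) and reports which ones land outside the /FIR context path. The function names are hypothetical; the page URL and context path are the ones ruds posted.

```javascript
// Added example (not from the thread): resolve each <form> ACTION against the
// page URL and check whether the result stays inside the webapp's context path.
// extractFormActions / checkActions are hypothetical helper names.

function extractFormActions(html) {
  // ACTION attribute of each <form> tag: case-insensitive, quoted or bare value.
  const re = /<form\b[^>]*?\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const actions = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    actions.push(m[1] ?? m[2] ?? m[3]);
  }
  return actions;
}

function checkActions(pageUrl, contextPath, html) {
  const base = new URL(pageUrl);
  return extractFormActions(html).map((action) => {
    // Same algorithm the browser applies when the form is submitted.
    const resolved = new URL(action, base);
    const inContext =
      resolved.origin === base.origin &&
      (resolved.pathname === contextPath ||
        resolved.pathname.startsWith(contextPath + "/"));
    return { action, resolved: resolved.href, inContext };
  });
}

// First form is the one from the original post; the other two are the fixes
// suggested in the replies (relative URL, or context path prepended).
const sampleHtml = `
<FORM name="f1" ACTION="/CheckLogin" METHOD=POST onsubmit='return checkall()'>
<FORM name="f2" ACTION="CheckLogin" METHOD=POST>
<FORM name="f3" ACTION="/FIR/CheckLogin" METHOD=POST>
`;

const report = checkActions("http://localhost:8080/FIR/login.jsp", "/FIR", sampleHtml);
for (const r of report) {
  const verdict = r.inContext ? "ok" : "OUTSIDE CONTEXT";
  console.log(`${r.action.padEnd(16)} -> ${r.resolved}  ${verdict}`);
}
```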



#18612

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-08 22:33 -0400
Message-ID: <504bffef$0$291$14726298@news.sunsite.dk>
In reply to: #18564

On 9/6/2012 12:36 AM, Fredrik Jonson wrote:
> In <5f8ee108-bcec-4f96-ac86-d49e548b204a@googlegroups.com> ruds wrote:
>
>>   I am deploying an application having JSPs and a few servlets. My servlet is
>>   not getting invoked after calling from JSP. My web.xml entry is:
>>
>>   <servlet-mapping>
>>       <servlet-name>login</servlet-name>
>>       <url-pattern>/CheckLogin/* </url-pattern>
>>   </servlet-mapping>
>>
>>   I'm calling this from a JSP form element:
>> <FORM name="f1" ACTION="/CheckLogin" METHOD=POST onsubmit='return checkall()'>
>
> You need to prepend the servlet context path to the form action url.

Or drop the / entirely.

> In html, when you specify a relative url that starts with a / it is
> interpreted as being relative to the server root. So /foo is interpreted
> as http://example.com/foo. The servlet mapping in web.xml does normally
> not start from the server root, but from the servlet context path.

That is almost certainly the problem.

But may I use the opportunity to mention that it should not be:

action="CheckLogin"

but:

action="<%=response.encodeURL("CheckLogin")%>"

to work with cookies disabled.

Something that is often forgotten today.

An even better solution would probably be to use a taglib that
handles all that stuff for one, but then we are somewhat changing
topic.

Arne




#18617

From: markspace <-@.>
Date: 2012-09-08 20:22 -0700
Message-ID: <k2h221$qpn$2@dont-email.me>
In reply to: #18612

On 9/8/2012 7:33 PM, Arne Vajhøj wrote:

> action="<%=response.encodeURL("CheckLogin")%>"
>
> to work with cookies disabled.
>
> Something that is often forgotten today.


Huh, I must be missing something.  "CheckLogin" is a hard-coded string 
that plainly needs no encoding.  What is it that I don't see?




#18618

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-08 23:25 -0400
Message-ID: <504c0c21$0$295$14726298@news.sunsite.dk>
In reply to: #18617

On 9/8/2012 11:22 PM, markspace wrote:
> On 9/8/2012 7:33 PM, Arne Vajhøj wrote:
>
>> action="<%=response.encodeURL("CheckLogin")%>"
>>
>> to work with cookies disabled.
>>
>> Something that is often forgotten today.
>
> Huh, I must be missing something.  "CheckLogin" is a hard-coded string
> that plainly needs no encoding.  What is it that I don't see?

That encodeURL adds the session id to the URL if the browser
does not support cookies (or if it is unknown whether it supports
cookies).

Arne



#18619

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-08 23:30 -0400
Message-ID: <504c0d46$0$295$14726298@news.sunsite.dk>
In reply to: #18618

On 9/8/2012 11:25 PM, Arne Vajhøj wrote:
> On 9/8/2012 11:22 PM, markspace wrote:
>> On 9/8/2012 7:33 PM, Arne Vajhøj wrote:
>>
>>> action="<%=response.encodeURL("CheckLogin")%>"
>>>
>>> to work with cookies disabled.
>>>
>>> Something that is often forgotten today.
>>
>> Huh, I must be missing something.  "CheckLogin" is a hard-coded string
>> that plainly needs no encoding.  What is it that I don't see?
>
> That encodeURL adds the session id to the URL if the browser
> does not support cookies (or if it is unknown whether it supports
> cookies).

It is well documented:

http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#encodeURL%28java.lang.String%29

but the cookies disabled scenario is not much on the radar
screen today.

Arne



#18620

From: markspace <-@.>
Date: 2012-09-08 20:36 -0700
Message-ID: <k2h2s0$ucb$2@dont-email.me>
In reply to: #18618

On 9/8/2012 8:25 PM, Arne Vajhøj wrote:
> On 9/8/2012 11:22 PM, markspace wrote:
>> On 9/8/2012 7:33 PM, Arne Vajhøj wrote:
>>
>>> action="<%=response.encodeURL("CheckLogin")%>"
>>>
>>> to work with cookies disabled.
>>>
>>> Something that is often forgotten today.
>>
>> Huh, I must be missing something.  "CheckLogin" is a hard-coded string
>> that plainly needs no encoding.  What is it that I don't see?
>
> That encodeURL adds the session id to the URL if the browser
> does not support cookies (or if it is unknown whether it supports
> cookies).

Ah right, I knew that, but I haven't used JSPs in so long I'd forgotten 
it.  Thanks!




#18621

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-08 23:51 -0400
Message-ID: <504c1262$0$284$14726298@news.sunsite.dk>
In reply to: #18620

On 9/8/2012 11:36 PM, markspace wrote:
> On 9/8/2012 8:25 PM, Arne Vajhøj wrote:
>> On 9/8/2012 11:22 PM, markspace wrote:
>>> On 9/8/2012 7:33 PM, Arne Vajhøj wrote:
>>>
>>>> action="<%=response.encodeURL("CheckLogin")%>"
>>>>
>>>> to work with cookies disabled.
>>>>
>>>> Something that is often forgotten today.
>>>
>>> Huh, I must be missing something.  "CheckLogin" is a hard-coded string
>>> that plainly needs no encoding.  What is it that I don't see?
>>
>> That encodeURL adds the session id to the URL if the browser
>> does not support cookies (or if it is unknown whether it supports
>> cookies).
>
> Ah right, I knew that, but I haven't used JSPs in so long I'd forgotten
> it.

I suspect that even some having done JSP's recently may have forgotten.

Arne



#18623 — jsessionId (was: Re: Problem with tomcat 6.0.32)

From: Andreas Leitgeb <avl@gamma.logic.tuwien.ac.at>
Date: 2012-09-09 09:35 +0000
Subject: jsessionId (was: Re: Problem with tomcat 6.0.32)
Message-ID: <slrnk4oon8.u9l.avl@gamma.logic.tuwien.ac.at>
In reply to: #18621

Arne Vajhøj <arne@vajhoej.dk> wrote:
>>>>> action="<%=response.encodeURL("CheckLogin")%>"
>>>>> to work with cookies disabled.
> I suspect that even some having done JSP's recently may have forgotten.

I know of a case, where the encodeURL was actually removed.

Some security-guys barfed on the session-id in the url-string.
They called it unsafe, for allowing easy session-takeover.  (not
sure about the exact attack-vector they actually had in mind.)

Is that still an issue?  Probably, the "secure" way is to
pass the sessionId as a plain parameter in an https-POST
request, or as a cookie in any of https-GET or https-POST.

What's the current state of the art?

Does it matter for plain http, whether the jsessionId is
in the URL or in the still unencrypted other data? Surely
not for network-sniffers, but maybe it makes a difference
for simpler attacks?



#18626 — Re: jsessionId

From: Arne Vajhøj <arne@vajhoej.dk>
Date: 2012-09-09 09:39 -0400
Subject: Re: jsessionId
Message-ID: <504c9c12$0$293$14726298@news.sunsite.dk>
In reply to: #18623

On 9/9/2012 5:35 AM, Andreas Leitgeb wrote:
> Arne Vajhøj <arne@vajhoej.dk> wrote:
>>>>>> action="<%=response.encodeURL("CheckLogin")%>"
>>>>>> to work with cookies disabled.
>> I suspect that even some having done JSP's recently may have forgotten.
>
> I know of a case, where the encodeURL was actually removed.
>
> Some security-guys barfed on the session-id in the url-string.
> They called it unsafe, for allowing easy session-takeover.  (not
> sure about the exact attack-vector they actually had in mind.)
>
> Is that still an issue?  Probably, the "secure" way is to
> pass the sessionId as a plain parameter in an https-POST
> request, or as a cookie in any of https-GET or https-POST.
>
> What's the current state of the art?
>
> Does it matter for plain http, whether the jsessionId is
> in the URL or in the still unencrypted other data? Surely
> not for network-sniffers, but maybe it makes a difference
> for simpler attacks?

I don't see it as a big security concern.

But session cookies are generally considered more secure
than URL rewriting.

I believe the concerns are that URL rewriting causes the
session id to end up in:
- server log files
- browser history
and practically nobody logs out explicitly, so the session id
will be valid N minutes after the user has stopped using the
web app.

To me those are not super critical problems, but YMMV.

Arne
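
The server-log exposure mentioned in the post above, as an added example that is not part of the original thread: it finds the `;jsessionid=` path parameter that URL rewriting appends and redacts it from access-log lines before they are stored or shared. The function name, the log lines and the session id value are constructed for illustration.

```javascript
// Added example (not from the thread): locate and redact ";jsessionid=" path
// parameters in access-log lines. redactSessionIds is a hypothetical helper;
// the log lines and the session id below are constructed sample data.

// The id runs until whitespace or a URL delimiter (; ? # / or a closing quote).
const SESSION_PARAM = /;jsessionid=([^\s;?#"\/]+)/gi;

function redactSessionIds(lines) {
  const leaks = [];        // which lines carried an id (1-based line numbers)
  const seen = new Set();  // distinct ids, kept only so they can be counted
  const redacted = lines.map((line, i) => {
    let count = 0;
    const out = line.replace(SESSION_PARAM, (_match, id) => {
      count++;
      seen.add(id);
      return ";jsessionid=[REDACTED]";
    });
    if (count > 0) leaks.push({ line: i + 1, count });
    return out;
  });
  return { redacted, leaks, distinctSessions: seen.size };
}

// Constructed access-log lines in common log format.
const sampleLog = [
  '127.0.0.1 - - [09/Sep/2012:09:39:00 -0400] "POST /FIR/CheckLogin;jsessionid=0123456789ABCDEF0123456789ABCDEF HTTP/1.1" 200 512',
  '127.0.0.1 - - [09/Sep/2012:09:39:05 -0400] "GET /FIR/login.jsp HTTP/1.1" 200 1024',
  '127.0.0.1 - - [09/Sep/2012:09:39:09 -0400] "GET /FIR/menu.jsp;jsessionid=0123456789ABCDEF0123456789ABCDEF?tab=1 HTTP/1.1" 200 2048',
];

const result = redactSessionIds(sampleLog);
console.log(result.redacted.join("\n"));
console.log(
  `${result.leaks.length} line(s) exposed ${result.distinctSessions} distinct session id(s)`
);
```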




