Security BUG in the web container!

Hello,
I have just accidentally discovered a security BUG in the web container. The bug permits you to view the source of the JSP page (welcome page).
To reproduce the bug, do the following:
1. Create a web application. Create new page with name Index.jsp. Add "Index.jsp" into the web.xml as a welcome file.
2. Deploy it under, let's say, "SecurityBugWebApp".
3. Access http://host/SecurityBugWebApp/ or http://host/SecurityBugWebApp/Index.jsp - everything should be as usual - you should see a normal output of a JSP page.
4. Access http://host/SecurityBugWebApp/Index.JSP (notice the case of the ".JSP" ). You should be able to see the source code of the web page. This bug even works if it is under security constraint! This doesn't seem to work, however, with JSPs not listed in the welcome file list.
Sincerely,
Sergei Batiuk.
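A quick way to check a deployment for the behaviour reported above, as an added example that is not part of the original post: request every upper/lower-case spelling of the welcome file's extension (the report only names ".JSP"; this goes through all eight spellings) and flag any 200 response that still contains JSP markup, which a correctly processed page never does. The host, application name and the simulated responses are constructed for illustration; the fetch function is a parameter so the detection logic runs offline.

```python
"""Probe for JSP source disclosure through case variants of the extension,
the behaviour described in the bug report above.

Added example (not part of the original post): it assumes an HTTP target,
treats JSP directive/scriptlet/action markers in a 200 response as a leak,
and takes the fetch function as a parameter so the detection can be run
offline against constructed responses."""
import itertools
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Markers that survive only in raw JSP source; a rendered page never contains them.
JSP_MARKERS = re.compile(rb"<%|<jsp:")


def case_variants(path: str) -> List[str]:
    """Every upper/lower-case spelling of the path's extension: /Index.jsp -> /Index.JSP, /Index.Jsp, ..."""
    base, dot, ext = path.rpartition(".")
    if not dot or "/" in ext:
        return [path]
    spellings = sorted({"".join(chars) for chars in itertools.product(*[(c.lower(), c.upper()) for c in ext])})
    return [f"{base}.{s}" for s in spellings]


def looks_like_jsp_source(body: bytes) -> bool:
    """True if the body still contains JSP markup, i.e. the container served the file verbatim."""
    return JSP_MARKERS.search(body) is not None


def http_fetch(url: str) -> Tuple[int, bytes]:
    """Live fetcher: GET url and return (status, body), including error bodies."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url: str, path: str,
          fetch: Callable[[str], Tuple[int, bytes]] = http_fetch) -> Dict[str, bool]:
    """Request every case variant of path under base_url; map variant -> leaks source?"""
    leaks: Dict[str, bool] = {}
    for variant in case_variants(path):
        status, body = fetch(base_url.rstrip("/") + variant)
        leaks[variant] = status == 200 and looks_like_jsp_source(body)
    return leaks


# Constructed responses reproducing the report: only the all-upper-case ".JSP"
# spelling of the welcome file comes back as raw source. Hypothetical data.
RENDERED_PAGE = b"<html><body>Welcome, guest</body></html>"
RAW_SOURCE = b'<%@ page language="java" %>\n<html><body>Welcome, <%= user %></body></html>'


def simulated_fetch(url: str) -> Tuple[int, bytes]:
    """Offline stand-in for http_fetch, returning the constructed responses above."""
    if url.endswith("/Index.JSP"):
        return 200, RAW_SOURCE
    if url.endswith("/Index.jsp"):
        return 200, RENDERED_PAGE
    return 404, b"Not Found"


if __name__ == "__main__":
    # Against a live host drop fetch= and pass the real base URL.
    for variant, leaked in probe("http://host/SecurityBugWebApp", "/Index.jsp", fetch=simulated_fetch).items():
        print(f"{variant}: {'SOURCE DISCLOSED' if leaked else 'ok'}")
```

Run it with the real base URL and `http_fetch` against a staging copy before and after applying the vendor update; a clean result is every variant reporting `ok` (or a 404). Because servlet URL patterns are matched case-sensitively, a `<security-constraint>` on `*.jsp` does not cover `Index.JSP`, which is consistent with the report that the constraint did not help.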

Peter,
Thank you for your suggestion. This makes sense to
try. I'm actually using a trial license of AS7 with
no updates. I've found update 1 online with free
trial, however, do you know if AS7 update 2 is
available with a trial license and where it might be
located for download?
You can get AS7 update2 Platform edition from here.
Platform ed. is FREE for both development and production deployment.
http://wwws.sun.com/software/download/products/3fb01655.html
AS7 update2 Standard Edition can be downloaded from here.
Standard Ed is free only for development; you need to buy a license to use it in production.
http://wwws.sun.com/software/download/products/3f7df408.html
Peter

Similar Messages

  • How to view the session in the web container

    hi, Folks,
    Is there any way to view the sessions in a J2EE web container? I need to know how many live sessions are currently in the web container.
    Thanks

    You did not indicate the Web Server version that you are using for the web container. Assuming it's Sun Java System Web Server 6.1, per the Servlet 2.3 specification, you should be able to make use of session creation and destruction events. This can be done using an HttpSessionListener to count active sessions. Here are the docs for reference:
    http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpSessionListener.html
    Thanks
    Manish

  • How to run a report out of the web container?

    Hi All,
    Does anyone have tips on running a report outside of the web container?  I'd like to be able to JUnit the scenarios I'm coding up without having an app server running.  What is the ReportClientDocument expecting in the request, response, and context?  The code as shown just returns the enclosed error.
    All I'm really trying to do is have the report execute and be able to assert that the data is appropriately retrieved from the data source.  If there's a way to do that without the Viewer, that would be cool, too.
    Any tips would be much appreciated.   Sorry about the poorly formatted code and error... the code tags don't seem to be working...
    Thanks,
    Eric
    public void testReportRunning() throws ReportSDKExceptionBase {
        ReportClientDocument rcd = initReportClientDoc("./test/data/EBTest1.rpt");
        assertTrue(rcd.isOpen());
        CrystalReportViewer crv = new CrystalReportViewer();
        crv.setReportSource(rcd.getReportSource());
        String htmlContent = crv.getHtmlContent(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockServletContext());
        System.out.println(htmlContent);
    }
    com.businessobjects.report.web.shared.WebReportingException---- Error code:0
         at com.businessobjects.report.web.e.if(Unknown Source)
         at com.businessobjects.report.web.e.a(Unknown Source)
         at com.crystaldecisions.report.web.ServerControl.a(Unknown Source)
         at com.crystaldecisions.report.web.ServerControl.a(Unknown Source)
         at com.crystaldecisions.report.web.ServerControl.getHtmlContent(Unknown Source)
         at com.tririga.crystalpoc.ReportAccessorTest.testReportRunning(ReportAccessorTest.java:82)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at junit.framework.TestCase.runTest(TestCase.java:164)
         at junit.framework.TestCase.runBare(TestCase.java:130)
         at junit.framework.TestResult$1.protect(TestResult.java:106)
         at junit.framework.TestResult.runProtected(TestResult.java:124)
         at junit.framework.TestResult.run(TestResult.java:109)
         at junit.framework.TestCase.run(TestCase.java:120)
         at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:130)
         at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)

    There's no documentation on the minimum HTTPServletContext, HTTPServletRequest and HTTPServletResponse that the CrystalReportViewer expects.
    There certainly are plenty of unit testing frameworks for Java Web Apps out there, if that's where you're headed.
    Sincerely,
    Ted Ueda

  • ServerSocket(TCP/IP) listening in the web container part

    So, if I implement the ServerSocket (TCP/IP) listening in the web container part (WebSphere), what is the best way to do this?
    I need to monitor socket state and statistics from a browser.
    When I receive a message from the socket, I must read something from the database and send it as a response to the client (meaning I need to create my own thread to do this).
    Solution:
    - to have one servlet with a ServerSocket listener in it, or
    - during web application startup to start my own thread with a ServerSocket listener
    - or....
    Also there is a problem that WebSphere writes a warning when I try to use a DB connection from a thread I have created!
    Any suggestion?

    Hi,
    Do you use WebSphere? Which version?
    More details:
    http://www.javaranch.com/newsletter/200403/AsynchronousProcessingFromServlets.html
    According to a Technical note from WebSphere support "If a Servlet is spinning its own threads and accessing a database, the J2EE specification is not clear on this, so WebSphere Application Server 5.0 will allow it at this time. IBM is working with Sun to clarify this in the specification, so eventually (i.e. J2EE 1.4) spun threads from a Servlet accessing a database outside of a transaction will not be supported either". Later the same tech note states "Customers should consider changing their application to comply with the J2EE specification."
    and check this
    http://www-1.ibm.com/support/docview.wss?uid=swg21121449

  • LINKSYS SRW 2048 bug on the web console?

    Hello,
    hope you can help us.
    We are experiencing a bug on 2 LINKSYS SRW 2048 switches that we have used for more than 4 years now.
    We are currently configuring them for VMware. We never accessed them through the console (web GUI), but now that we need the switches to be configured (VLAN, trunk, etc.) they suddenly reboot every time we enter user and password and press the Enter key.
    We know that they are pretty old but we just wanted to give it a try... maybe someone of you already encountered the same problem.
    best regards,
    Robi

    Dear Lati,
    Thank you for reaching the Small Business Support Community and for your time and patience regarding your inquiry.
    I would first suggest you reset the switch: unplug it, wait a minute and plug it back in, then try the console connection through HyperTerminal as described in chapter 4 of the admin guide;
    http://www.cisco.com/en/US/docs/switches/lan/csbms/srw2048/administration/guide/SRW-US_v10_UG_A-Web.pdf
    If the problem persists, reset the switch once more and try the web-based utility as described in the same admin guide, chapter 5.
    If you are still unable to log in to the device I would then suggest you contact the Small Business Contact Center for further assistance, and please do not hesitate to reach me back if there is anything I may assist you with in the meantime.
    https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer

  • Secure and non-secure access to the web application in one war

    Say we have one web application (in one war) which includes JSP, servlets and the security intercepter. There is one business requirement to have most of the JSP(s) accessed via HTTPS, but a few JSP(S) accessed via HTTP.
    My questions are:
    a. Is this possible, or a reasonable requirement or a good practice?
    b. if yes, what can we do to make it happen in the security intercepter implementation?
    c. If not, what is the technical reasons?
    Thanks much.

    a) Yes, it is reasonable and good practice. There is an overhead using HTTPS, so you should only encrypt the files you need to. When you use an online store, only account details / payments are HTTPS; the shop itself is HTTP.
    b) I don't really understand your difficulty. You can define a folder as 'secure' and put all your secure pages in this folder, leaving non-secure files in a different folder. Whenever a page in the secure folder is accessed, HTTPS is automatically invoked.
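What "define a folder as secure" looks like in the deployment descriptor, and how the container decides which constraint applies, as an added example that is not part of the original answer: the embedded web.xml is constructed (the `/account/*` and `/checkout.jsp` patterns, the shop paths and the names are illustrative), and the matching code implements the Servlet-spec precedence of exact match, then longest path prefix, then extension, with case-sensitive comparison as the container does it.

```python
"""Work out which transport guarantee the container will apply to a request
path from the <security-constraint> entries in web.xml.

Added example (not part of the original answer): it embeds a constructed
web.xml that keeps the shop on plain HTTP and puts the account folder plus one
checkout page on HTTPS, and implements the Servlet-spec pattern precedence
(exact match, then longest path prefix, then extension) to answer "does this
URL require HTTPS?". Pattern matching is case-sensitive, as in the container."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed deployment descriptor: /account/* and /checkout.jsp are HTTPS-only,
# everything else is explicitly NONE (plain HTTP allowed).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <url-pattern>/checkout.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public shop</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_constraints(web_xml: str) -> List[Tuple[str, str]]:
    """Return (url-pattern, transport-guarantee) pairs in document order; a
    constraint without a user-data-constraint counts as NONE."""
    pairs: List[Tuple[str, str]] = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantee = "NONE"
        for el in sc.iter():
            if _local(el.tag) == "transport-guarantee" and el.text:
                guarantee = el.text.strip()
        for el in sc.iter():
            if _local(el.tag) == "url-pattern" and el.text:
                pairs.append((el.text.strip(), guarantee))
    return pairs


def match_rank(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Sort key (precedence, specificity) if pattern matches path, else None.
    Exact match beats path prefix (/foo/*), which beats extension (*.jsp);
    longer prefixes beat shorter ones. Comparison is case-sensitive."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]
        if last_segment.endswith(pattern[1:]):
            return (1, len(pattern))
    return None


def required_transport(path: str, constraints: List[Tuple[str, str]]) -> str:
    """Transport guarantee of the best-matching constraint; NONE when nothing matches.
    (Constraints sharing one url-pattern are merged by the container; not modelled here.)"""
    best: Optional[Tuple[Tuple[int, int], str]] = None
    for pattern, guarantee in constraints:
        rank = match_rank(pattern, path)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, guarantee)
    return best[1] if best else "NONE"


def requires_https(path: str, web_xml: str = SAMPLE_WEB_XML) -> bool:
    """True when the matched constraint demands a protected transport."""
    return required_transport(path, parse_constraints(web_xml)) in ("CONFIDENTIAL", "INTEGRAL")


if __name__ == "__main__":
    for p in ["/shop/catalog.jsp", "/account/profile.jsp", "/checkout.jsp", "/Account/profile.jsp"]:
        print(f"{p}: {'HTTPS required' if requires_https(p) else 'plain HTTP allowed'}")
```

With CONFIDENTIAL on a pattern the container refuses plain-HTTP requests to it or redirects them to its HTTPS port, so nothing in the interceptor needs to enforce the switch. Two caveats worth keeping in mind when mixing the two schemes in one war: patterns are case-sensitive, so `/Account/profile.jsp` above falls through to the public `/*` rule, and a JSESSIONID first issued on an HTTP page and then reused on the HTTPS pages is exposed on every clear-text request; mark the session cookie secure or issue a new session when the user crosses into the protected folder.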

  • Spawning Threads inside the Web Container

    What are the ramifications of a developer spawning off threads from a "helper"
    object called from a servlet service() method ?
    Thanks in advance.

    That's what I said, it is not at all advisable but if you know what you
    are doing it can work just fine.
    The biggest issue is migration since the behavior is not defined in the
    spec and thus all vendors can implement it differently and it can change
    from version to version, which in turn defeats the J2EE portability
    advantage.
    That is why I highly recommended using JMX timers since it is going to
    be available on all J2EE servers and then the only vendor dependent
    thing is to get the MBeanServer.
    Dejan
    DN wrote:
    Hello
    I was also doing the same thing from my servlet but using another class which
    extends thread.
    I was using JDBC calls in the new thread; even though it worked fine I was getting
    warning messages in the console when I was using WSAD.(websphere studio).
    My app is deployed to WLS , i did not see any messages in WLS.
    When I post this issue in a forum , some one advised me that it is not advisable
    to open up threads from the servlets and this is what he said 'quote'
    so eventually (i.e.
    J2EE 1.4) spun threads from a Servlet accessing a
    database outside of a transaction will not be
    supported either.
    "Deyan D. Bektchiev" <[email protected]> wrote:
    Whit,
    If you are not careful you can very well starve the JVM, lose your
    security, transaction contexts and probably some other bad things I
    don't know about...
    But having said all those scary things, I must admit that we do it all
    the time and don't have any issues with that.
    For most purposes you should try to use the JMX timer service instead
    of
    spawning your own threads. You callback will be called in a different
    thread from the Weblogic thread pool and I guess this will be sufficient
    for most cases.
    Regards,
    Dejan
    Whit Armstrong wrote:
    What are the ramifications of a developer spawning off threads from
    a "helper"
    object called from a servlet service() method ?
    Thanks in advance.

  • HT5192 has anyone else found the security bug of the camera in the lock screen after the update to 5.1

    Hi
    Has anyone found that you can get into an iPhone from the lock screen with the camera option? I have just upgraded and now have the camera option on the lock screen. You can go into the camera without the need of the passcode and then, when in it, press the home button to get into the phone. This is a big security problem, or am I alone in thinking this?
    thanks
    ally

    I have tried that a few times.  Also I can only get the phone to lock out someone after using the camera shortcut on the lock screen if the passcode is required immediately. If it is set to 1 minute you can still get into the phone and use it without the passcode.

  • Using Local EJB obect in web container that installed in on the same Web AS

    we can use the local ejb object in the application that runs in same JVM.
    The Web Container and EJB Container run in the same JVM when Web AS installed as Minimum Cluster Installation(one cluster node).
    But, what happened if we install the Web AS as Large Cluster Installation? Can we still use the local ejb objects in the Web Container?
    Best regards,
    Raja

    Hi Raja,
    Yes you can. When you use local EJB objects there's no remote communication and the web container will find them in the EJB container of the local cluster node. For the application providers this is transparent - they shouldn't care about the configuration of the cluster.
    Best regards,
    Vladimir

  • Updating the web-services.xml for WS-Security

    If I wanted to change my webservice from encryption of both the request and response to just encryption of the request how do I manually change the web-services.xml file ??? Do I have to un-archive the ear and re-archive the ear everytime I want to make security changes to the web-services.xml file ?

    It works. Thanks,
    Ioana
    "Neal Yin" <[email protected]> wrote:
    The error means your EJB is not deployed.
    Adding an EJB module to the application.xml file of the ear should fix
    it.
    <application>
    <display-name />
    <module>
    <web>
    <web-uri>dox_sdi.war</web-uri>
    </web>
    </module>
    <module>
    <ejb>DocumentService.jar</ejb>
    </module>
    </application>
    "Ioana Meissner" <[email protected]> wrote in message
    news:3cf640cc$[email protected]..
    I have used the following example for my own web service with EJBcomponent and SOAP
    Message Handler Chain:
    http://e-docs.bea.com/wls/docs70/webServices/dd.html#1058208
    I have a deployment error:
    javax.naming.NameNotFoundException: Unable to resolve'app/ejb/DocumentService.j
    ar#DocumentService/home' Resolved: 'app/ejb'Unresolved:'DocumentService.jar#Doc
    umentService' ; remaining name 'DocumentService.jar#DocumentService/home'
    In attachement is the ear file.
    Is there a problem in web-services.xml?
    Thanks

  • Using local session bean interface from web container using EJB 3.0

    Hi,
    How can you use a local session bean interface from Java (rather than data controls) in a web container using EJB 3.0?
    I can use a remote interface by looking up InitialContext, but I can't find a local interface this way (even from another session EJB). I can use a local interface from an EJB using annotation "EJB", but as I understand, this is not available in the web container.
    If I try to add an ejb-jar.xml file, this seems to mess up my project...
    Hope you can help.
    Roger

    The portable way to retrieve an EJB reference in Java EE is to either inject it or look it up via the
    component's private naming environment. The simplest way is :
    @EJB
    private DocumentManager dm;
    The global JNDI name is only used as an implementation specific way to uniquely assign an
    identifier to a specific Remote EJB. It's best for this not to appear directly in the source code.
    There's more on global JNDI names in our EJB FAQ :
    https://glassfish.dev.java.net/javaee5/ejb/EJB_FAQ.html
    The alternative to annotations is to use an ejb-ref to declare the ejb dependency. The ejb-ref
    is declared in the standard deployment descriptor corresponding to the component doing the
    lookup. Each ejb-ref has an ejb-ref-name, e.g. <ejb-ref-name>DM_ref</ejb-ref-name>
    The code looks up the ejb-ref-name relative to the java:comp/env namespace to retrieve the
    EJB reference.
    DocumentManager dm = (DocumentManager)
    new InitialContext().lookup("java:comp/env/DM_ref");

  • Mapping of Web App context root and the physical directory of the web app

    I'm running Weblogic 7.0 on Windows2000.The physical directory of my web application
    is D:\WL8\weblogic81\TestDeploy\build\TestWebApp and under these directory I have
    my JSPS, static HTML and WEB-INF. I define the context path of this web app in
    the weblogic.xml ;-
    <weblogic-web-app>
         <context-root>/testapp</context-root>
    </weblogic-web-app>
    As a result of deploying this web app in the server (or it may be created manually
    also), the following entry gets inserted in the server's config.xml ,-
    <Application Deployed="true" Name="TestWebApp"
    Path="D:\WL8\weblogic81\TestDeploy\build" TwoPhase="true">
    <WebAppComponent Name="TestWebApp" Targets="myserver" URI="TestWebApp"/>
    </Application>
    Now, whenever I make a request of the form "http://localhost:7001/testapp/..",
    it's properly executing my web app. My question is, how does the container know
    that for any request for the web app with context path as 'testapp', it has to
    serve files from D:\WL8\weblogic81\TestDeploy\build\TestWebApp. In the above
    process, nowhere such mapping is specified. I expected something like Tomcat's
    server.xml, where in docbase we clearly specify this mapping between the context
    path and the physical directory. Please help.

    Let me give some more details and hopefully this will make things clearer.
    Say you deploy /foo/bar/myweb.war and in myweb.war you configure a
    context-root of /rob
    During deployment, the server creates an ApplicationMBean with a path of
    /foo/bar/. It then creates a WebAppComponent with a uri of myweb.war.
    Next, deployment calls back on the web container and tells it to deploy
    the WebAppComponent. The web container reads the myweb.war, parses
    descriptors etc. The web container then updates its data structures to
    register that myweb.war has a context path of /rob. (It has to figure
    out all the other servlet mappings as well.)
    When a request for /rob/foo comes in, the web container consults its
    data structures to determine which webapp and servlet receives the
    request. This is not a linear search of all webapps and servlets.
    There's much better ways to do pattern matching.
    Hope this clears things up. Let me know if you still have questions.
    -- Rob
    Arindam Chandra wrote:
    Thanks for the answer. Still one thing is not clear. Whatever context path I declare
    for my web app as the value of <context-root> element in the weblogic.xml (in
    my example it's "/testapp"), it is nowhere mapped with the "URI" attribute (or
    any other attribute, sub-element whatsoever in the <Application> element).
    <Application Deployed="true" Name="TestWebApp"
    Path="D:\WL8\weblogic81\TestDeploy\build" TwoPhase="true">
    <WebAppComponent Name="TestWebApp" Targets="myserver" URI="TestWebApp"/>
    </Application>
    So when a request of the form http://myweblogic.com:7001/testapp/... arrives at
    the server, how does the server know that it has to serve this request with files
    from D:\WL8\weblogic81\TestDeploy\build\TestWebApp ? It should not be like the
    web container iterates thru all the web application entries in config.xml and
    tries to match with one context-root declaration. I repeat, I expected some mapping
    similar to Tomcat's server.xml, where in the <docbase> element you clearly specify
    the mapping between the context path and the physical directory
    Rob Woollen <[email protected]> wrote:
    Arindam Chandra wrote:
    I'm running Weblogic 7.0 on Windows2000. The physical directory of my web application
    is D:\WL8\weblogic81\TestDeploy\build\TestWebApp and under these directory I have
    my JSPS, static HTML and WEB-INF. I define the context path of this web app in
    the weblogic.xml ;-
    <weblogic-web-app>
         <context-root>/testapp</context-root>
    </weblogic-web-app>
    As a result of deploying this web app in the server (or it may be created manually
    also), the following entry gets inserted in the server's config.xml,-
    So the server will look for your web application at the Application Path
    (D:\WL8\weblogic81\TestDeploy\build) + the web uri (TestWebApp). So it
    maps the context-root you've specified /testapp to that path.
    It's a little clearer in the case where you had a full-fledged EAR.
    Then your application path would map to the "root" of the EAR, and the
    uris would point to the various modules (eg webapps.)
    -- Rob
    Now, whenever I make a request of the form "http://localhost:7001/testapp/..",
    it's properly executing my web app. My question is, how does the container know
    that for any request for the web app with context path as 'testapp', it has to
    serve files from D:\WL8\weblogic81\TestDeploy\build\TestWebApp. In the above
    process, nowhere such mapping is specified. I expected something like Tomcat's
    server.xml, where in docbase we clearly specify this mapping between the context
    path and the physical directory. Please help.

  • Scheduled tasks in web-container

    Hi,
    i have a small application consisting only of a set of JSP's.
    My problem is: I need to execute a task at scheduled times (e.g. every 5 minutes) and I also want the task to run in the web-container.
    What is the best way to achieve this?
    Thanks in advance

    Hi hemmings!
    I'm currently working on something like this. I can't use the TimerTask approach because the schedule may vary before the next execution is reached. For instance, a user may want to execute something at Christmas and cancel the execution before the day arrives. The points I must cover are:
    User configures the execution giving:
    Start date, end date. Both might be null = eternity.
    When daily, every...
    When weekly, every... at weekday...
    When Monthly, every... at monthday...
    or every... the nst weekday...
    Plus daily frequency, starting at... ending at... every...
    Scheduler will point to the script that should be executed. Script must accept Java and SQL syntax.
    I already did something similar some years ago, but I was not quite satisfied.
    Well, if your requirements are similar to mine I will be glad to share code with you.

  • Configuration of Thread Pool for CQ's Web Container

    I am trying to determine whether there is any specific configuration for tuning the web container thread pool for CQ. The only configuration I observe is OSGi's Apache Sling Event Thread Pool, but tuning this does not directly correlate to the thread pool that is used for serving web requests by the publish instance.
    Any help would be greatly appreciated as I work through tuning our CQ instance.

    Unfortunately, the max thread setting is not exposed in CQ 5.5. However, all the other configurable settings (equivalent to server.xml) can be seen at [1]
    [1] http://localhost:4502/system/console/configMgr/org.apache.felix.http
    This is fixed in CQ 5.6 current release.
    Thanks,
    Varun

  • Error when accessing the web-based portal for SQL Azure

    Hi,
    when trying to access SQL azure management portal, the following error is thrown:
    [MoreThanOneMatch]
    Arguments:
    Debugging resource strings are unavailable. Often the key and arguments provide sufficient information to diagnose the problem. See
    http://go.microsoft.com/fwlink/?linkid=106663&Version=5.1.30214.00&File=System.Core.dll&Key=MoreThanOneMatch -
    Looking at the site in question, the problem seems to be Silverlight related. However, I am unable to debug as suggested since the server is located on Microsoft premises. To rule out a wrong password, I did a reset and ruled out typos by copying username
    and password into the field. Furthermore since its not a production database, all IPv4 addresses (range 0.0.0.0-255.255.255.255) are allowed to access the database, so the problem should not be related to ip-based access restrictions. Is this a bug
    in the web interface or is the problem sitting in front of the screen?
    Regards,
    Chris

    Hello,
    I also met this issue when connecting to a SQL database without specifying the database on the login page. But the error disappears when I specify the database name in the database field, for example, master. It may be a bug in the Management Portal of SQL Database.
    Regards,
    Fanny Liu
    If you have any feedback on our support, please click here. 
    Fanny Liu
    TechNet Community Support
