portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] [Issue Comment Edited] (JS2-1255) Update Jetspeed demo and installer to use latest Tomcat 7.x version for hardened security
Date Thu, 15 Sep 2011 02:40:08 GMT

    [ https://issues.apache.org/jira/browse/JS2-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13105075#comment-13105075
] 

Ate Douma edited comment on JS2-1255 at 9/15/11 2:39 AM:
---------------------------------------------------------

Agreed. 

Actually, I was thinking if it maybe is time to drop Tomcat 5.x support and make Tomcat 7
the default (that is: if/when it properly works with Jetspeed, see below).
The Tomcat 6 and Tomcat 7 deployment configurations actually are the same, so doing the above
would simply "collapse" our maven deploy plugin configuration and behavior into a singular
one.

I've already played with this a bit trying to get it to work, and it actually turned out to
be pretty trivial changes.

One specific, and major, configuration change however is required for upgrading to Tomcat
7: the server.xml connector emptySessionPath="true" attribute no longer is supported!
I discovered this while working on a similar upgrade for Pluto, see PLUTO-611
But also for this, the "fix" is pretty trivial: now a new attribute sessionCookiePath="/"
needs to be configured instead on the root Context in $CATALINA_HOME/conf/context.xml
See: http://tomcat.apache.org/migration.html#Session_cookie_configuration
The nice part of this change is: its backwards compatible with Tomcat 6.0.27+ (latest Tomcat
6 already is 6.0.33, so no big deal).
Yet another reason IMO to now drop Tomcat 5.x support and support latest Tomcat 6 and 7 versions
(and higher) only. 

Anyway, once I did these changes, building and deploying to Tomcat 7.0.21 worked without a
problem, including through a jetspeed-installer build.

However...

We have a new and more serious technical problem: (only) when trying to login on Jetspeed,
the PortalSessionsManagerImpl now throws a NPE for every portlet render:

  java.lang.NullPointerException
	at org.apache.jetspeed.container.session.PortalSessionsManagerImpl.checkMonitorSession(PortalSessionsManagerImpl.java:226)
	at org.apache.jetspeed.container.JetspeedContainerServlet.doGet(JetspeedContainerServlet.java:395)
   
This I haven't had time to look into yet, but it seems like Tomcat 7 is "twisting" the session/cookie
handling after login in some way.
I'll try to figure out what goes wrong ASAP (this week).  

      was (Author: adouma):
    Agreed. 

Actually, I was thinking if it maybe is time to drop Tomcat 5.x support and make Tomcat 7
the default (that is: if/when it properly works with Jetspeed, see below).
The Tomcat 6 and Tomcat 7 deployment configurations actually are the same, so doing the above
would simply "collapse" our maven deploy plugin configuration and behavior into a singular
one.

I've already played with this a bit trying to get it to work, and it actually turned out to
be pretty trivial changes.

One specific, and major, configuration change however is required for upgrading to Tomcat
7: the server.xml connector emptySessionPath="true" attribute no longer is supported!
I discovered this while working on a similar upgrade for Pluto, see PLUTO-611
But also for this, the "fix" is pretty trivial: now a new attribute sessionCookiePath="/"
needs to be configured instead on the root Context in $CATALINA_HOME/conf/context.xml
See: http://tomcat.apache.org/migration.html#Session_cookie_configuration

Once I did these, building and deploying to Tomcat 7.0.21 worked without a problem, including
through a jetspeed-installer build.

However...
We have a new and more serious technical problem: (only) when trying to login on Jetspeed,
the PortalSessionsManagerImpl now throws a NPE for every portlet render:

  java.lang.NullPointerException
	at org.apache.jetspeed.container.session.PortalSessionsManagerImpl.checkMonitorSession(PortalSessionsManagerImpl.java:226)
	at org.apache.jetspeed.container.JetspeedContainerServlet.doGet(JetspeedContainerServlet.java:395)
   
This I haven't had time to look into yet, but it seems like Tomcat 7 is "twisting" the session/cookie
handling after login in some way.
I'll try to figure out what goes wrong ASAP (this week).  
  
> Update Jetspeed demo and installer to use latest Tomcat 7.x version for hardened security
> -----------------------------------------------------------------------------------------
>
>                 Key: JS2-1255
>                 URL: https://issues.apache.org/jira/browse/JS2-1255
>             Project: Jetspeed 2
>          Issue Type: Improvement
>    Affects Versions: 2.2.1
>            Reporter: Ate Douma
>            Assignee: Ate Douma
>             Fix For: 2.2.2
>
>


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org


Mime
View raw message