From: Henri Gomez
Date: Fri, 03 Oct 2003 09:47:03 +0200
To: Tomcat Developers List
Subject: Re: [next] What's next ?
Message-ID: <3F7D2977.7090003@apache.org>
In-Reply-To: <3F7C4500.2060904@apache.org>

Henri Gomez wrote:

> Jean-Francois Arcand wrote:
>> +1
>>
>>> The security mechanism in TC 4.x and higher (due to digester)
>>> prevents me from using such easy configuration tuning and so we have
>>> to stay with Tomcat 3.3.x for now.
>>
>> I'm probably missing something here... why does the digester suffer from
>> that limitation? What kind of security exception are you seeing? If
>> you give all permissions to the Digester, does it change something?
> Same problem with TC 5.0.12 ;(

To reproduce, I added an external entity file in the web.xml of
the provided servlet-examples webapp.

web.xml:

----
[ %appconf; ]

====> Here is my startup log...

[INFO] Http11Protocol - -Initialisation de Coyote HTTP/1.1 sur le port 8080
[INFO] Catalina - -Initialization processed in 5468 ms
[INFO] StandardService - -Démarrage du service Catalina
[INFO] StandardEngine - -Starting Servlet Engine: Apache Tomcat/5.0.12
[INFO] StandardHost - -Create Host deployer for direct deployment ( non-jmx )
[INFO] StandardHostDeployer - -Installation d'une application pour le chemin de contexte /jsp-examples depuis l'URL file:C:\jakarta-tomcat-5.0.12\webapps\jsp-examples
[INFO] StandardHostDeployer - -Installation d'une application pour le chemin de contexte depuis l'URL file:C:\jakarta-tomcat-5.0.12\webapps\ROOT
[INFO] StandardHostDeployer - -Installation d'une application pour le chemin de contexte /servlets-examples depuis l'URL file:C:\jakarta-tomcat-5.0.12\webapps\servlets-examples
[ERROR] Digester - -Parse Fatal Error at line 7 column 1: Content is not allowed in prolog.
org.xml.sax.SAXParseException: Content is not allowed in prolog.
    at org.apache.xerces.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
    at org.apache.xerces.util.ErrorHandlerWrapper.fatalError(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.XMLErrorReporter.reportError(Unknown Source)
    at org.apache.xerces.impl.XMLScanner.reportFatalError(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentScannerImpl$PrologDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.DTDConfiguration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.commons.digester.Digester.parse(Digester.java:1548)
    at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:305)
    at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:729)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:257)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4073)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:866)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:850)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:614)
    at org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.java:315)
    at org.apache.catalina.core.StandardHost.install(StandardHost.java:835)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:723)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1002)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:393)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:792)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1125)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:502)
    at org.apache.catalina.core.StandardService.start(StandardService.java:519)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:2343)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
    at java.lang.reflect.Method.invoke(Native Method)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:392)
[ERROR] ContextConfig - -Erreur d'évaluation (parse) dans le fichier web.xml de l'application
org.xml.sax.SAXParseException: Content is not allowed in prolog.
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.commons.digester.Digester.parse(Digester.java:1548)
    at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:305)
    at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:729)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:257)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4073)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:866)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:850)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:614)
    at org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.java:315)
    at org.apache.catalina.core.StandardHost.install(StandardHost.java:835)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:723)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:473)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1002)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:393)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:792)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1125)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:502)
    at org.apache.catalina.core.StandardService.start(StandardService.java:519)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:2343)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
    at java.lang.reflect.Method.invoke(Native Method)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:392)
[ERROR] ContextConfig - -Sest produite à la ligne {0} colonne {1}
[ERROR] ContextConfig - -Cette application est marquée comme non disponible suite aux erreurs précédentes
[ERROR] Context - -Error getConfigured
[ERROR] Context - -Erreur de démarrage du contexte suite aux erreurs précédentes
[INFO] StandardHostDeployer - -Installation d'une application pour le chemin de contexte /tomcat-docs depuis l'URL file:C:\jakarta-tomcat-5.0.12\webapps\tomcat-docs
[INFO] Http11Protocol - -Démarrage de Coyote HTTP/1.1 sur le port 8080
[INFO] ChannelSocket - -JK2: ajp13 listening on 0.0.0.0/0.0.0.0:8009
[INFO] JkMain - -Jk running ID=0 time=0/80 config=C:\jakarta-tomcat-5.0.12\conf\jk2.properties
[INFO] Catalina - -Server startup in 12538 ms

My co-workers and I read and reread the 2.3 specs, and it's specified that
a servlet engine MAY restrict access to stuff outside the webapp area.

MAY restrict, not WILL restrict; the difference is subtle, and in my case
it will prevent me from upgrading to Tomcat 5.x ;(

So please add a relaxed mode, which will be DISABLED by default. I know
other admins who have the same kind of settings for large ASP applications,
and they have to stay with Tomcat 3.2 or 3.3.
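
The policy requested in the message above (external entities confined to the webapp area unless an opt-in relaxed mode is set) can be expressed as a SAX `EntityResolver`. This is an added example, not part of the original message and not Tomcat or Digester code; the class name `ConfinedEntityResolver`, its `relaxed` flag and the sample files are hypothetical and constructed for the demonstration.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.file.*;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.*;
import org.xml.sax.helpers.DefaultHandler;
/** Added illustration: hypothetical class, not Tomcat or Digester code. */
public class ConfinedEntityResolver implements EntityResolver {
    private final Path webappRoot;
    private final boolean relaxed; // hypothetical opt-in switch; pass false for strict mode

    public ConfinedEntityResolver(Path webappRoot, boolean relaxed) throws IOException {
        this.webappRoot = webappRoot.toRealPath();
        this.relaxed = relaxed;
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
        URI uri = URI.create(systemId);
        if (!"file".equals(uri.getScheme()))             // both modes: no network fetches
            throw new SAXException("non-file entity refused: " + systemId);
        Path target = Paths.get(uri).toRealPath();       // resolves ".." and symlinks
        if (!relaxed && !target.startsWith(webappRoot))  // strict: stay inside the webapp
            throw new SAXException("entity outside webapp area: " + target);
        InputSource src = new InputSource(Files.newInputStream(target));
        src.setSystemId(systemId);
        return src;
    }

    /** Parses webXml with the resolver; returns "ok" or the rejection message. */
    static String tryParse(Path webapp, Path webXml, boolean relaxed) throws Exception {
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler());
        reader.setEntityResolver(new ConfinedEntityResolver(webapp, relaxed));
        try { reader.parse(webXml.toUri().toString()); return "ok"; }
        catch (SAXException e) { return e.getMessage(); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a webapp directory and an entity file outside it.
        Path base = Files.createTempDirectory("demo");
        Path webInf = Files.createDirectories(base.resolve("webapp").resolve("WEB-INF"));
        Path ent = Files.write(base.resolve("app.ent"), "<!-- shared settings -->".getBytes());
        String doc = "<!DOCTYPE web-app [ <!ENTITY % appconf SYSTEM \"" + ent.toUri()
                + "\"> %appconf; ]><web-app/>";
        Path webXml = Files.write(webInf.resolve("web.xml"), doc.getBytes());
        System.out.println("strict:  " + tryParse(webInf.getParent(), webXml, false));
        System.out.println("relaxed: " + tryParse(webInf.getParent(), webXml, true));
    }
}
```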