tomcat6

CSRF protection for a JSF based web app and Tomcat6 backend without using any external packages. Kindly help. BalusC JSF has already builtin protection against CSRF by the javax.faces.ViewState hidden field which is to be linked with the state of the component tree in the server side. If this hidden field is missing or contains a wrong value, then JSF simply won't process the POST request. On JSF 1.x the key is only a bit too easy to guess, see also JSF impl issue 812 and JSF spec issue 869 . This is fixed in JSF 2.1. Your major concern should be XSS . A succesful XSS attack can form a source

I'm running Tomcat 6.0.29 and created a realm and loginmodule of my own. They are defined in server.xml like so: <Realm className="mycompany.tomcat.MyRepositoryRealm" appName="My_Realm" userClassNames="mycompany.tomcat.IdentityPrincipal" roleClassNames="mycompany.tomcat.RolePrincipal" useContextClassLoader="true"/> I have added the library containing these classes to my tomcat/lib folder. Other than that, I have not changed Tomcat from it's default configuration. When I go to fire up the Tomcat manager application at http://localhost:9080/manager/html , I can't log in and the tomcat log shows

My server.xml looks like the following: <!--The connectors can use a shared executor, you can define one or more named thread pools--> <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="200" minSpareThreads="4"/> <Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="10000" maxKeepAliveRequests="1" redirectPort="8443" /> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> However, in the Tomcat manager ( http://localhost/manager/status ) it shows to following http-8080: Max threads: -1 Current thread count: -1 Current

Since I'm running Java with Tomcat6 as servlet container I found it appropriate to use the Tomcat JNDIRealm feature so that LDAP users can log into my site without any additional efforts. The LDAP server I'm using is OpenLDAP on Ubuntu . On top of this I have the login page using form-based authentication over an https connection . I found two very good examples of authentication users via LDAP, here and here , that both achieve what I feel I almost achieved. Why almost achieved? When I attempt to login with the wrong credentials I'm appropriately sent to the <form-error-page> , login-failed

I'm trying to upgrade a perfectly running embedded Tomcat 5.5 to Tomcat 6.0. I understand that all I need to do is replace Tomcat 5.5 jars with 6.0. That's what I did. So I replaced the following jars: catalina-5.0.28.jar catalina-5.5.9.jar catalina-optional-5.5.9.jar commons-el.jar commons-modeler-1.1.0.jar jasper-compiler-jdt.jar jasper-compiler.jar jasper-runtime.jar jmx-5.0.28.jar jsp-api-2.0.jar naming-factory.jar naming-resources.jar servlet-api-2.4.jar servlets-default.jar tomcat-coyote.jar tomcat-http.jar tomcat-util.jar with: annotations-api.jar catalina.jar jasper.jar tomcat-dbcp.jar

I need to run multiple instances of tomcat6 under different directory names on the same port. I will install tomcat6 twice for two different projects. But how to configure both the instances to run on the same port? Kurt Du Bois You could realise this using an apache webserver that is directing the requests based on the application using mod_jk or mod_proxy. (and get an explanation on both extensions) To choose which apache extension to use: apache to tomcat: mod_jk vs mod_proxy victorpacheco3107 Yes, you can. In server.xml replace: <Host name="localhost" appBase="webapps" unpackWARs="true"