Posted to users@tomcat.apache.org by Martin Knoblauch <kn...@knobisoft.de> on 2017/02/21 13:31:16 UTC

Getting application root path before servlet is initialized?

Hi,

 is there a way to find the absolute path of the application root before
the servlet is initialized?

Alternatively: is there a way to defer the initialization of a datasource
until the servlet is initialized?

Background: I have extended "org.apache.tomcat.jdbc.pool.DataSourceFactory"
to automatically set credentials so that they are not stored in the
"Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted
values in a file below the application root. Works fine if I know that path
at "createDataSource" time.

In order to avoid hard coding that path, I need a programmatic way to find that
value. Unfortunately the datasource is initialized before the servlet, so
"getRealPath()" is not working yet.

Environment is Tomcat 8 plus JDK 8. Plus a commercial application that I
do not want to name :-)

Thanks in advance
Martin
-- 
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de

Re: Getting application root path before servlet is initialized?

Posted by Daniel Küppers <da...@tetralog.com>.
On 22.02.2017 at 11:19, Martin Knoblauch wrote:
> On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 21/02/2017 13:31, Martin Knoblauch wrote:
>>> Hi,
>>>
>>>   is there a way to find the absolute path of the application root before
>>> the servlet is initialized?
>>>
>>> Alternatively: is there a way to defer the initialization of a datasource
>>> until the servlet is initialized?
>>>
>>> Background: I have extended "org.apache.tomcat.jdbc.pool.
>> DataSourceFactory"
>>> to automatically set credentials so that they are not stored in the
>>> "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted
>>> values in a file below the application root. Works fine if I know that
>> path
>>> at "createDataSource" time.
>> And the decryption key for that file is stored where?
>>
>> https://wiki.apache.org/tomcat/FAQ/Password
>>
>>
>   Thanks for link. It clearly reflects my opinion as well, but the customer
> demand is:
>
> - no plain-text credentials (Big multinational company security policies -
> fight them if you need the fun). And yes, this is all about making auditors
> happy
> - minimize the locations where credentials are stored. This is only lightly
> related to the decrypt issue. Having to store identical stuff in more than
> one place is opening up all other sorts of practical issues
>
>   So, yes - any mechanism that can decrypt needs to store the key somewhere
> and this just shifts away the problem from securing one item to securing
> another one. In my case the application (that I will not reveal here)
> stores encrypted DB credentials in its configuration and provides an API to
> retrieve them decrypted. I guess, the key is somewhere in the source code
> (likely obfuscated to prevent casual hacking by debugging). the less I know
> ... :-)
>
>> In order to avoid hard coding that path, I need a programmatic to find
>> that
>>> value. Unfortunately the datasource is initialized before the servlet, so
>>> "getRealPath()" is not working yet.
>>>
>>> Environment is Tomcat 8 plus JDK 8. Plus an commercial application that I
>>> do not want to name :-)
>> Ignoring what I suspect is a fundamental flaw in this plan, you probably
>> want a ServletContextListener and contextInitialized()
>>
>>
> Thanks again for the hint. Will have a look. In the meanwhile  I found a
> way by looking at
>
> this.getClass().getProtectionDomain().getCodeSource().getLocation().getPath();
>
> Adding some assumptions about the classpath (which are required to be true
> in this whole context) this gives me the needed information :-)
>
> Thanks
> Martin
>
>> Mark
>>
>>
I could imagine that the use of a secure key-value store would be
helpful in this scenario.
Vault is a great solution for this. Quick googling [1] brings up a Tomcat
implementation for Vault.
If you're not already familiar with Vault, give it a try [2].

Daniel

[1] https://github.com/januslabs/tomcat-vault
[2] https://www.hashicorp.com/vault.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Getting application root path before servlet is initialized?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 2/24/17 12:32 PM, Martin Knoblauch wrote:
> On Fri, Feb 24, 2017 at 6:06 PM, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
>> Martin,
>> 
>> On 2/22/17 5:19 AM, Martin Knoblauch wrote:
>>> On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas
>>> <ma...@apache.org> wrote:
>>> 
>>>> On 21/02/2017 13:31, Martin Knoblauch wrote:
>>>>> Hi,
>>>>> 
>>>>> is there a way to find the absolute path of the
>>>>> application root before the servlet is initialized?
>>>>> 
>>>>> Alternatively: is there a way to defer the initialization
>>>>> of a datasource until the servlet is initialized?
>>>>> 
>>>>> Background: I have extended "org.apache.tomcat.jdbc.pool.
>>>> DataSourceFactory"
>>>>> to automatically set credentials so that they are not
>>>>> stored in the "Catalina/localhost/XXX.xml" file. Instead
>>>>> they are taken from encrypted values in a file below the
>>>>> application root. Works fine if I know that
>>>> path
>>>>> at "createDataSource" time.
>>>> 
>>>> And the decryption key for that file is stored where?
>>>> 
>>>> https://wiki.apache.org/tomcat/FAQ/Password
>>>> 
>>>> 
>>> Thanks for link. It clearly reflects my opinion as well
>> 
>> Good. At least you know this is all a farce.
>> 
> 
> Not sure I'd call it a farce, but yes this is all hide and seek
> 
> 
>> 
>>> , but the customer demand is:
>>> 
>>> - no plain-text credentials (Big multinational company
>>> security policies - fight them if you need the fun). And yes,
>>> this is all about making auditors happy
>> 
>> Obviously, you are still failing this requirement. The only 
>> requirement you are satisfying is "no plain-text credentials in
>> a standard configuration file". What you are doing is moving the 
>> plain-text credentials into a non-standard configuration file.
>> 
>> 
> No, there are no plain-text credentials stored anywhere. They are
> stored crypted with an api to decrypt them.

... and the keys passed into the API.

> But of course
> 
> - how good is the decryption key protected

It must be plain-text somewhere. You can obscure it all you want, but
you are just buying yourself a small amount of time.

> - what about the in-memory copy of the credentials once the
> datasource has been initialized

They are always available, since the connection-pool manager may have
to open a new connection at any moment.

> - what about snooping them on the network when the DB connection is
> built. OK. We are using SSL there.

TLS should do your job, here. Of course, nobody needs your credentials
if they can sniff the network traffic. So TLS is important to ensure.
I would even require it as a condition of all non-local connections.

> This makes most auditors and penetration testers sufficiently
> happy.
> 
> 
>>> - minimize the locations where credentials are stored. This is 
>>> only lightly related to the decrypt issue. Having to store 
>>> identical stuff in more than one place is opening up all other 
>>> sorts of practical issues
>> 
>> This is a reasonable requirement, as it helps reduce the attack 
>> surface. But when the attack surface is "a file on the disk",
>> getting owned means you are owned, regardless of the location of
>> the file(s).
>> 
>> As for the location of the secrets file, would it be possible to
>> store it *outside* of the web application's on-disk footprint?
>> That will in fact make you more secure. Let's say for example
>> that a vulnerability exists in the DefaultServlet, or one of your
>> application's own servlets. It allows path-traversal or whatever.
>> A file living in your application will then be potentially
>> remotely-fetchable :( If you move that file outside of the web
>> application, you have a better chance of preventing that kind of
>> thing.
> 
> There is no secrets file. As I said before - the app has obfuscated
> the key deep in the source...

So the secrets file is called MySecrets.class :)

-chris


Re: Getting application root path before servlet is initialized?

Posted by Martin Knoblauch <kn...@knobisoft.de>.
On Fri, Feb 24, 2017 at 6:06 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Martin,
>
> On 2/22/17 5:19 AM, Martin Knoblauch wrote:
> > On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas <ma...@apache.org>
> > wrote:
> >
> >> On 21/02/2017 13:31, Martin Knoblauch wrote:
> >>> Hi,
> >>>
> >>> is there a way to find the absolute path of the application
> >>> root before the servlet is initialized?
> >>>
> >>> Alternatively: is there a way to defer the initialization of a
> >>> datasource until the servlet is initialized?
> >>>
> >>> Background: I have extended "org.apache.tomcat.jdbc.pool.
> >> DataSourceFactory"
> >>> to automatically set credentials so that they are not stored
> >>> in the "Catalina/localhost/XXX.xml" file. Instead they are
> >>> taken from encrypted values in a file below the application
> >>> root. Works fine if I know that
> >> path
> >>> at "createDataSource" time.
> >>
> >> And the decryption key for that file is stored where?
> >>
> >> https://wiki.apache.org/tomcat/FAQ/Password
> >>
> >>
> > Thanks for link. It clearly reflects my opinion as well
>
> Good. At least you know this is all a farce.
>

Not sure I'd call it a farce, but yes this is all hide and seek


>
> > , but the customer demand is:
> >
> > - no plain-text credentials (Big multinational company security
> > policies - fight them if you need the fun). And yes, this is all
> > about making auditors happy
>
> Obviously, you are still failing this requirement. The only
> requirement you are satisfying is "no plain-text credentials in a
> standard configuration file". What you are doing is moving the
> plain-text credentials into a non-standard configuration file.
>
>
No, there are no plain-text credentials stored anywhere. They are stored
crypted with an api to decrypt them. But of course

- how good is the decryption key protected
- what about the in-memory copy of the credentials once the datasource has
been initialized
- what about snooping them on the network when the DB connection is built.
OK. We are using SSL there.

This makes most auditors and penetration testers sufficiently happy.


> > - minimize the locations where credentials are stored. This is
> > only lightly related to the decrypt issue. Having to store
> > identical stuff in more than one place is opening up all other
> > sorts of practical issues
>
> This is a reasonable requirement, as it helps reduce the attack
> surface. But when the attack surface is "a file on the disk", getting
> owned means you are owned, regardless of the location of the file(s).
>
> As for the location of the secrets file, would it be possible to store
> it *outside* of the web application's on-disk footprint? That will in
> fact make you more secure. Let's say for example that a vulnerability
> exists in the DefaultServlet, or one of your application's own
> servlets. It allows path-traversal or whatever. A file living in your
> application will then be potentially remotely-fetchable :( If you move
> that file outside of the web application, you have a better chance of
> preventing that kind of thing.
>

There is no secrets file. As I said before - the app has obfuscated the key
deep in the source...

Thanks
Martin

-- 
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de

Re: Getting application root path before servlet is initialized?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 2/22/17 5:19 AM, Martin Knoblauch wrote:
> On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas <ma...@apache.org> 
> wrote:
> 
>> On 21/02/2017 13:31, Martin Knoblauch wrote:
>>> Hi,
>>> 
>>> is there a way to find the absolute path of the application 
>>> root before the servlet is initialized?
>>> 
>>> Alternatively: is there a way to defer the initialization of a 
>>> datasource until the servlet is initialized?
>>> 
>>> Background: I have extended "org.apache.tomcat.jdbc.pool.
>> DataSourceFactory"
>>> to automatically set credentials so that they are not stored
>>> in the "Catalina/localhost/XXX.xml" file. Instead they are
>>> taken from encrypted values in a file below the application
>>> root. Works fine if I know that
>> path
>>> at "createDataSource" time.
>> 
>> And the decryption key for that file is stored where?
>> 
>> https://wiki.apache.org/tomcat/FAQ/Password
>> 
>> 
> Thanks for link. It clearly reflects my opinion as well

Good. At least you know this is all a farce.

> , but the customer demand is:
> 
> - no plain-text credentials (Big multinational company security 
> policies - fight them if you need the fun). And yes, this is all 
> about making auditors happy

Obviously, you are still failing this requirement. The only
requirement you are satisfying is "no plain-text credentials in a
standard configuration file". What you are doing is moving the
plain-text credentials into a non-standard configuration file.

> - minimize the locations where credentials are stored. This is
> only lightly related to the decrypt issue. Having to store
> identical stuff in more than one place is opening up all other
> sorts of practical issues

This is a reasonable requirement, as it helps reduce the attack
surface. But when the attack surface is "a file on the disk", getting
owned means you are owned, regardless of the location of the file(s).

As for the location of the secrets file, would it be possible to store
it *outside* of the web application's on-disk footprint? That will in
fact make you more secure. Let's say for example that a vulnerability
exists in the DefaultServlet, or one of your application's own
servlets. It allows path-traversal or whatever. A file living in your
application will then be potentially remotely-fetchable :( If you move
that file outside of the web application, you have a better chance of
preventing that kind of thing.

If the file is located outside of the application, you may be able to
reference it directly -- e.g. /etc/secrets/my-application-secrets.conf

-chris


Re: Getting application root path before servlet is initialized?

Posted by Martin Knoblauch <kn...@knobisoft.de>.
On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas <ma...@apache.org> wrote:

> On 21/02/2017 13:31, Martin Knoblauch wrote:
> > Hi,
> >
> >  is there a way to find the absolute path of the application root before
> > the servlet is initialized?
> >
> > Alternatively: is there a way to defer the initialization of a datasource
> > until the servlet is initialized?
> >
> > Background: I have extended "org.apache.tomcat.jdbc.pool.
> DataSourceFactory"
> > to automatically set credentials so that they are not stored in the
> > "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted
> > values in a file below the application root. Works fine if I know that
> path
> > at "createDataSource" time.
>
> And the decryption key for that file is stored where?
>
> https://wiki.apache.org/tomcat/FAQ/Password
>
>
Thanks for the link. It clearly reflects my opinion as well, but the customer
demand is:

- no plain-text credentials (Big multinational company security policies -
fight them if you need the fun). And yes, this is all about making auditors
happy
- minimize the locations where credentials are stored. This is only lightly
related to the decrypt issue. Having to store identical stuff in more than
one place is opening up all other sorts of practical issues

 So, yes - any mechanism that can decrypt needs to store the key somewhere
and this just shifts away the problem from securing one item to securing
another one. In my case the application (that I will not reveal here)
stores encrypted DB credentials in its configuration and provides an API to
retrieve them decrypted. I guess, the key is somewhere in the source code
(likely obfuscated to prevent casual hacking by debugging). The less I know
... :-)

> In order to avoid hard coding that path, I need a programmatic to find
> that
> > value. Unfortunately the datasource is initialized before the servlet, so
> > "getRealPath()" is not working yet.
> >
> > Environment is Tomcat 8 plus JDK 8. Plus an commercial application that I
> > do not want to name :-)
>
> Ignoring what I suspect is a fundamental flaw in this plan, you probably
> want a ServletContextListener and contextInitialized()
>
>
Thanks again for the hint. Will have a look. In the meanwhile I found a
way by looking at

this.getClass().getProtectionDomain().getCodeSource().getLocation().getPath();

Adding some assumptions about the classpath (which are required to be true
in this whole context) this gives me the needed information :-)

Thanks
Martin

> Mark
>
>

Re: Getting application root path before servlet is initialized?

Posted by Mark Thomas <ma...@apache.org>.
On 21/02/2017 13:31, Martin Knoblauch wrote:
> Hi,
> 
>  is there a way to find the absolute path of the application root before
> the servlet is initialized?
> 
> Alternatively: is there a way to defer the initialization of a datasource
> until the servlet is initialized?
> 
> Background: I have extended "org.apache.tomcat.jdbc.pool.DataSourceFactory"
> to automatically set credentials so that they are not stored in the
> "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted
> values in a file below the application root. Works fine if I know that path
> at "createDataSource" time.

And the decryption key for that file is stored where?

https://wiki.apache.org/tomcat/FAQ/Password

> In order to avoid hard coding that path, I need a programmatic to find that
> value. Unfortunately the datasource is initialized before the servlet, so
> "getRealPath()" is not working yet.
> 
> Environment is Tomcat 8 plus JDK 8. Plus an commercial application that I
> do not want to name :-)

Ignoring what I suspect is a fundamental flaw in this plan, you probably
want a ServletContextListener and contextInitialized()

Mark





Re: Getting application root path before servlet is initialized?

Posted by "Antonio S. Cofiño" <co...@gmail.com>.
Dear Martin,


On 21/02/17 13:31, Martin Knoblauch wrote:
> Hi,
>
>   is there a way to find the absolute path of the application root before
> the servlet is initialized?
>
> Alternatively: is there a way to defer the initialization of a datasource
> until the servlet is initialized?
>
> Background: I have extended "org.apache.tomcat.jdbc.pool.DataSourceFactory"
> to automatically set credentials so that they are not stored in the
> "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted
> values in a file below the application root. Works fine if I know that path
> at "createDataSource" time.
>
> In order to avoid hard coding that path, I need a programmatic to find that
> value. Unfortunately the datasource is initialized before the servlet, so
> "getRealPath()" is not working yet.
>
> Environment is Tomcat 8 plus JDK 8. Plus an commercial application that I
> do not want to name :-)
>
> Thanks in advance
> Martin
For this purpose I use the ant properties interpolation on tomcat 
configuration xml-files
http://tomcat.apache.org/tomcat-7.0-doc/config/index.html

It may be that your requirements need a more elaborate solution, but this is a
convenient way to do it.

Regards
Antonio




Re: Getting application root path before servlet is initialized?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 2/24/17 12:37 PM, Martin Knoblauch wrote:
> On Fri, Feb 24, 2017 at 6:00 PM, Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
>> Martin,
>> 
>> On 2/21/17 8:31 AM, Martin Knoblauch wrote:
>>> Hi,
>>> 
>>> is there a way to find the absolute path of the application
>>> root before the servlet is initialized?
>>> 
>>> Alternatively: is there a way to defer the initialization of a 
>>> datasource until the servlet is initialized?
>>> 
>>> Background: I have extended 
>>> "org.apache.tomcat.jdbc.pool.DataSourceFactory" to
>>> automatically set credentials so that they are not stored in
>>> the "Catalina/localhost/XXX.xml" file. Instead they are taken
>>> from encrypted values in a file below the application root.
>>> Works fine if I know that path at "createDataSource" time.
>> 
>> Where are you configuring your <Resource>? In conf/server.xml or
>> in your application's META-INF/context.xml file?
>> 
> 
> conf/Catalina/localhost/XXX.xml

Good. If your custom DataSource can accept custom properties, then you
can add one with a dynamic path, like this:

<Resource name="myDB"
myCustomPathName="/path/to/the/secrets"
... />

In your code, you read that path and use it.

>>> In order to avoid hard coding that path, I need a programmatic
>>> to find that value. Unfortunately the datasource is initialized
>>> before the servlet, so "getRealPath()" is not working yet.
>> 
>> getRealPath is a bad idea. Also, your DataSources will be 
>> fully-configured before any servlets are initialized, so it's too
>> late.
> 
> Correct :-( That is the problem I need(ed) to solve. Given enough 
> assumptions about the deployment rules for this app, I was able to
> find a reliable way to deduce the AppRoot. But the fact that the DS
> is initialized before the/any servlet is still ugly.

You can use system property replacement in your Tomcat deployment
descriptor (META-INF/context.xml, or in your case
conf/Catalina/localhost/XXX.xml) to locate the file relative to
CATALINA_BASE like this:

<Resource myCustomPathName="${catalina.base}/webapps/XXX/secrets.dat"
... />

-chris
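
The custom-attribute approach from the message above, combined with the earlier advice in this thread to keep the secrets file outside the web application's on-disk footprint, as an added example that is not part of the original thread, of Tomcat, or of the application discussed. The class name SecretsPathResolver and its methods are hypothetical, and it assumes the container hands each <Resource> attribute to the factory as a RefAddr inside a javax.naming.Reference; the sample directory layout is constructed in a temp directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;

// Added example: hypothetical helper class, not Tomcat code.
public class SecretsPathResolver {

    // Attribute name as used in the <Resource> snippet in the thread.
    static final String ATTR = "myCustomPathName";

    private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    // Reads the attribute from the Reference an ObjectFactory receives and
    // returns the canonical path, or throws if the location is unsafe.
    static Path resolve(Reference ref, Path webappsDir) throws IOException {
        RefAddr addr = ref.get(ATTR);
        if (addr == null || addr.getContent() == null) {
            throw new IllegalArgumentException("Resource has no " + ATTR + " attribute");
        }
        // toRealPath() collapses ".." and follows symlinks; it fails if the file is absent.
        Path secrets = Paths.get(addr.getContent().toString()).toRealPath();
        if (!Files.isRegularFile(secrets)) {
            throw new SecurityException("not a regular file: " + secrets);
        }
        if (secrets.startsWith(webappsDir.toRealPath())) {
            throw new SecurityException("inside the web application footprint: " + secrets);
        }
        if (isPosix(secrets)) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(secrets);
            if (perms.stream().anyMatch(TOO_OPEN::contains)) {
                throw new SecurityException("readable or writable beyond the owner: " + secrets);
            }
        }
        return secrets;
    }

    static boolean isPosix(Path p) {
        return p.getFileSystem().supportedFileAttributeViews().contains("posix");
    }

    // Builds a Reference carrying the attribute (assumed shape of what the container passes).
    static Reference resourceWithPath(String path) {
        Reference ref = new Reference("javax.sql.DataSource");
        ref.add(new StringRefAddr(ATTR, path));
        return ref;
    }

    static String check(String path, Path webapps) throws IOException {
        try {
            return "accepted " + resolve(resourceWithPath(path), webapps);
        } catch (SecurityException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout in a temp directory standing in for catalina.base.
        Path base = Files.createTempDirectory("catalina-base");
        Path webapps = Files.createDirectories(base.resolve("webapps/XXX")).getParent();
        Path outsideDir = Files.createDirectories(base.resolve("secrets"));
        Path inside = Files.write(webapps.resolve("XXX/secrets.dat"), new byte[] {1});
        Path outside = Files.write(outsideDir.resolve("app-secrets.conf"), new byte[] {1});
        if (isPosix(base)) {
            for (Path p : new Path[] {inside, outside}) {
                Files.setPosixFilePermissions(p, PosixFilePermissions.fromString("rw-------"));
            }
        }
        System.out.println(check(outside.toString(), webapps));
        System.out.println(check(inside.toString(), webapps));
        // A ".." detour that ends inside webapps is caught after canonicalisation.
        System.out.println(check(outsideDir + "/../webapps/XXX/secrets.dat", webapps));
    }
}
```

In a real factory the resolve() call would run before the file is opened, with webappsDir derived from the catalina.base system property mentioned in the message.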


Re: Getting application root path before servlet is initialized?

Posted by Martin Knoblauch <kn...@knobisoft.de>.
On Fri, Feb 24, 2017 at 6:00 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Martin,
>
> On 2/21/17 8:31 AM, Martin Knoblauch wrote:
> > Hi,
> >
> > is there a way to find the absolute path of the application root
> > before the servlet is initialized?
> >
> > Alternatively: is there a way to defer the initialization of a
> > datasource until the servlet is initialized?
> >
> > Background: I have extended
> > "org.apache.tomcat.jdbc.pool.DataSourceFactory" to automatically
> > set credentials so that they are not stored in the
> > "Catalina/localhost/XXX.xml" file. Instead they are taken from
> > encrypted values in a file below the application root. Works fine
> > if I know that path at "createDataSource" time.
>
> Where are you configuring your <Resource>? In conf/server.xml or in
> your application's META-INF/context.xml file?
>

conf/Catalina/localhost/XXX.xml


>
> > In order to avoid hard coding that path, I need a programmatic to
> > find that value. Unfortunately the datasource is initialized before
> > the servlet, so "getRealPath()" is not working yet.
>
> getRealPath is a bad idea. Also, your DataSources will be
> fully-configured before any servlets are initialized, so it's too late.
>
>
 Correct :-( That is the problem I need(ed) to solve. Given enough
assumptions about the deployment rules for this app, I was able to find a
reliable way to deduce the AppRoot. But the fact that the DS is initialized
before the/any servlet is still ugly.

Thanks
Martin

Re: Getting application root path before servlet is initialized?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 2/21/17 8:31 AM, Martin Knoblauch wrote:
> Hi,
> 
> is there a way to find the absolute path of the application root
> before the servlet is initialized?
> 
> Alternatively: is there a way to defer the initialization of a
> datasource until the servlet is initialized?
> 
> Background: I have extended
> "org.apache.tomcat.jdbc.pool.DataSourceFactory" to automatically
> set credentials so that they are not stored in the 
> "Catalina/localhost/XXX.xml" file. Instead they are taken from
> encrypted values in a file below the application root. Works fine
> if I know that path at "createDataSource" time.

Where are you configuring your <Resource>? In conf/server.xml or in
your application's META-INF/context.xml file?

> In order to avoid hard coding that path, I need a programmatic to
> find that value. Unfortunately the datasource is initialized before
> the servlet, so "getRealPath()" is not working yet.

getRealPath is a bad idea. Also, your DataSources will be
fully-configured before any servlets are initialized, so it's too late.

-chris