Posted to dev@tomcat.apache.org by Roland <ro...@netquant.com.br> on 2001/09/03 20:15:36 UTC

Limits on the size of the web.xml file?

Hello is there a limit to the size of the web.xml file? This is because if
we want to have a large user database with say 500 users, and make a
separate security constraint for each user to protect his directories from
the other users we will have quite a large web.xml file.
Each security constraint has 602 bytes(characters), that would make 500*602
= 301000 bytes = 300 Kb(for 500 users).

Any problems with that?

What about the really large stuff(fortunately not our case)? If you would
make a public Webmail and have say 1 000 000(one million) users?
That would make 602 Million bytes = 602 Megabyte web.xml file. Quite large,
isn't it ? :)))

Thanks Roland



Re: Limits on the size of the web.xml file?

Posted by Jim Cheesman <jc...@msl.es>.
At 05:57 PM 04/09/01, you wrote:


>On Tue, 4 Sep 2001, Jim Cheesman wrote:
>
> >
> > RTFAPI ;)
> >
>
>This acronym will *definitely* come in handy!  :-)


Something good comes out of my ignorance, then...





--
* Jim Cheesman *
Work: jchees@msl.es - (34)(91) 724 9200 x 2360
What is the probability that something will happen according to the odds?



Re: Limits on the size of the web.xml file?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 5 Sep 2001, Dmitri Colebatch wrote:

> Date: Wed, 5 Sep 2001 08:21:44 +1000
> From: Dmitri Colebatch <di...@bigpond.net.au>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Limits on the size of the web.xml file?
>
> Craig,
>
> I would have thought RTFS would have been more to your liking... given
> your regular points to the spec (o:
>

Yep ... that one too!  "S", of course, meaning the servlet and JSP
specifications.

<http://java.sun.com/products/servlet/download.html>    :-)
<http://java.sun.com/products/jsp/download.html>        :-)

> On Tue, 4 Sep 2001, Craig R. McClanahan wrote:
> >
> >
> > On Tue, 4 Sep 2001, Jim Cheesman wrote:
> >
> > >
> > > RTFAPI ;)
> > >
> >
> > This acronym will *definitely* come in handy!  :-)
> >
> > Craig
> >
> >
>
>


Re: Limits on the size of the web.xml file?

Posted by Dmitri Colebatch <di...@bigpond.net.au>.
Craig,

I would have thought RTFS would have been more to your liking... given
your regular points to the spec (o:

On Tue, 4 Sep 2001, Craig R. McClanahan wrote:
> 
> 
> On Tue, 4 Sep 2001, Jim Cheesman wrote:
> 
> >
> > RTFAPI ;)
> >
> 
> This acronym will *definitely* come in handy!  :-)
> 
> Craig
> 
> 


Re: Limits on the size of the web.xml file?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 4 Sep 2001, Jim Cheesman wrote:

>
> RTFAPI ;)
>

This acronym will *definitely* come in handy!  :-)

Craig


Re: Limits on the size of the web.xml file?

Posted by Jim Cheesman <jc...@msl.es>.
> > >Consider that you might have the mailboxes for a particular user defined
> > >in a database table called "mailboxes", with columns "username" and
> > >"mailboxname".  It would be easy to construct an SQL statement like this:
> > >
> > >   select mailboxname from mailboxes
> > >     where username = xxx
> > >
> > >and replace xxx by the value returned from request.getRemoteUser().  This
> > >would allow the user access *only* to his or her own mailboxes.
> >
> > Assuming, of course, that your users are using the same machine / login id
> > - not necessarily the case in, for example, a university with shared
> > machines...
> >
>
>Why would you need to make this assumption?
>
>The "username" we are talking about here is the one stored in something
>like JDBCRealm for the servlet container

My bad - I was confusing request.getRemoteUser() with something else - 
probably url.getUserInfo....  that'll teach me not to RTFM, or at least 
RTFAPI ;)





--
* Jim Cheesman *
Work: jchees@msl.es - (34)(91) 724 9200 x 2360
Some people say that I'm superficial, but that's just on the surface.



Re: Limits on the size of the web.xml file?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 4 Sep 2001, Jim Cheesman wrote:

> Date: Tue, 04 Sep 2001 09:10:06 +0200
> From: Jim Cheesman <jc...@msl.es>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Limits on the size of the web.xml file?
>
>
> >
> >Consider that you might have the mailboxes for a particular user defined
> >in a database table called "mailboxes", with columns "username" and
> >"mailboxname".  It would be easy to construct an SQL statement like this:
> >
> >   select mailboxname from mailboxes
> >     where username = xxx
> >
> >and replace xxx by the value returned from request.getRemoteUser().  This
> >would allow the user access *only* to his or her own mailboxes.
>
> Assuming, of course, that your users are using the same machine / login id
> - not necessarily the case in, for example, a university with shared
> machines...
>

Why would you need to make this assumption?

The "username" we are talking about here is the one stored in something
like JDBCRealm for the servlet container -- it need not (and probably
should not) have anything to do with logon ids on the actual servers.  It
would actually be the set of users that have subscribed to the mailbox
service, in this particular use case.

In a distributed environment, all the servlet containers would be talking
to the same database (or mirrors of the same database), so they would see
identical sets of valid users, no matter which server your particular
session got assigned to.

>
> Still, you're going to need to do something like that.
>
>

Craig


Re: Limits on the size of the web.xml file?

Posted by Jim Cheesman <jc...@msl.es>.
>
>Consider that you might have the mailboxes for a particular user defined
>in a database table called "mailboxes", with columns "username" and
>"mailboxname".  It would be easy to construct an SQL statement like this:
>
>   select mailboxname from mailboxes
>     where username = xxx
>
>and replace xxx by the value returned from request.getRemoteUser().  This
>would allow the user access *only* to his or her own mailboxes.

Assuming, of course, that your users are using the same machine / login id 
- not necessarily the case in, for example, a university with shared 
machines...


Still, you're going to need to do something like that.





--
* Jim Cheesman *
Work: jchees@msl.es - (34)(91) 724 9200 x 2360
Evil is not all bad.



Re: Limits on the size of the web.xml file?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 3 Sep 2001, Calvin Lau wrote:

> Date: Mon, 03 Sep 2001 14:23:19 -0700
> From: Calvin Lau <al...@uclink4.berkeley.edu>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Limits on the size of the web.xml file?
>
> My web.xml file worked fine in Tomcat3.2.1 as did the <Context>....</Context> that
> I added to server.xml.  Are there differences in the DTD I'm not aware of?
>

There are two differences that may or may not be relevant to a particular
web app:

* Tomcat 4 does a *validating* XML parse of the web.xml file, so it will
  choke on things like elements not being in the order required by the
  DTD.  (Normally, though, you get a more intelligible error message than
  this one.)  Tomcat 3.x did *not* do a validating parse, so the XML
  checking was not as rigorous.

* Tomcat 4 uses JAXP/1.1 to parse web.xml files, where Tomcat 3.2 uses
  JAXP/1.0.  There might have been changes in what the underlying parsers
  accept.

The web.xml DTD for Servlet 2.3 is a proper superset of the DTD for
Servlet 2.2.  In addition, a 2.3 container (like Tomcat 4) is required to
accept a valid web.xml file based on the Servlet 2.2 or 2.3 DTDs.  But, it
does have to be valid (in the XML sense) for this portability to be
achieved -- Tomcat 3.x didn't require this, so it accepted some incorrect
web.xml files.

Craig



> Calvin
>
> "Craig R. McClanahan" wrote:
>
> > On Mon, 3 Sep 2001, Roland wrote:
> >
> > > Date: Mon, 3 Sep 2001 16:37:17 -0300
> > > From: Roland <ro...@netquant.com.br>
> > > Reply-To: tomcat-user@jakarta.apache.org
> > > To: tomcat-user@jakarta.apache.org
> > > Subject: Re: Limits on the size of the web.xml file?
> > >
> > > > The details *vastly* depend on how your app is put together, but it isn't
> > > > all that complicated to figure out.
> > > >
> > > > Consider that you might have the mailboxes for a particular user defined
> > > > in a database table called "mailboxes", with columns "username" and
> > > > "mailboxname".  It would be easy to construct an SQL statement like this:
> > > >
> > > >   select mailboxname from mailboxes
> > > >     where username = xxx
> > >
> > > Ok, having Data in the database is fine. But what if we also have image
> > > data? We will store Charts and things like that. I think it would be easier
> > > to create a directory for each user(maybe I'm wrong). It is possible to
> > > store images in a mysql database but I think it's not as easy as text data.
> > > And then we will have to create a HTML page from that image data and send it
> > > to the user.
> >
> > Storing binary data in the database isn't all that hard.  Then, all you'd
> > need to do is create a servlet mapped to "*.gif", "*.jpg", and so on that
> > did the user identity check before serving the contents (in binary).  The
> > same basic principle would work for data stored in per-user directories.
> > In essence, you're replacing the default file-serving servlet that comes
> > with Tomcat.
> >
> > If you run under Tomcat 4 (which supports Servlet 2.3), you also have
> > another choice -- you can implement your custom authentication checker as
> > a Filter instead of a Servlet.  That way, you can apply your own custom
> > check onto any path, without having to modify or replace the file-serving
> > servlet that comes with Tomcat.
> >
> > Craig
>
>



Re: Limits on the size of the web.xml file?

Posted by Calvin Lau <al...@uclink4.berkeley.edu>.
My web.xml file worked fine in Tomcat3.2.1 as did the <Context>....</Context> that
I added to server.xml.  Are there differences in the DTD I'm not aware of?

Calvin

"Craig R. McClanahan" wrote:

> On Mon, 3 Sep 2001, Roland wrote:
>
> > Date: Mon, 3 Sep 2001 16:37:17 -0300
> > From: Roland <ro...@netquant.com.br>
> > Reply-To: tomcat-user@jakarta.apache.org
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: Limits on the size of the web.xml file?
> >
> > > The details *vastly* depend on how your app is put together, but it isn't
> > > all that complicated to figure out.
> > >
> > > Consider that you might have the mailboxes for a particular user defined
> > > in a database table called "mailboxes", with columns "username" and
> > > "mailboxname".  It would be easy to construct an SQL statement like this:
> > >
> > >   select mailboxname from mailboxes
> > >     where username = xxx
> >
> > Ok, having Data in the database is fine. But what if we also have image
> > data? We will store Charts and things like that. I think it would be easier
> > to create a directory for each user(maybe I'm wrong). It is possible to
> > store images in a mysql database but I think it's not as easy as text data.
> > And then we will have to create a HTML page from that image data and send it
> > to the user.
>
> Storing binary data in the database isn't all that hard.  Then, all you'd
> need to do is create a servlet mapped to "*.gif", "*.jpg", and so on that
> did the user identity check before serving the contents (in binary).  The
> same basic principle would work for data stored in per-user directories.
> In essence, you're replacing the default file-serving servlet that comes
> with Tomcat.
>
> If you run under Tomcat 4 (which supports Servlet 2.3), you also have
> another choice -- you can implement your custom authentication checker as
> a Filter instead of a Servlet.  That way, you can apply your own custom
> check onto any path, without having to modify or replace the file-serving
> servlet that comes with Tomcat.
>
> Craig


Re: Limits on the size of the web.xml file?

Posted by Roland <ro...@netquant.com.br>.
Reading through the servlet2.3 specs I found another interesting thing. How
about using getResource() or getResourceAsStream() on the ServletContext?
The specs say you should be able to access ANY file using that. How do I
code that in a JSP page? getResource() returns a URL object. What do I do
with it? Would it be like this:

<% servletContext.getResource("/myfile.gif"); %>

Thanks


Re: Limits on the size of the web.xml file?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 3 Sep 2001, Roland wrote:

> Date: Mon, 3 Sep 2001 16:37:17 -0300
> From: Roland <ro...@netquant.com.br>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Limits on the size of the web.xml file?
>
> > The details *vastly* depend on how your app is put together, but it isn't
> > all that complicated to figure out.
> >
> > Consider that you might have the mailboxes for a particular user defined
> > in a database table called "mailboxes", with columns "username" and
> > "mailboxname".  It would be easy to construct an SQL statement like this:
> >
> >   select mailboxname from mailboxes
> >     where username = xxx
>
> Ok, having Data in the database is fine. But what if we also have image
> data? We will store Charts and things like that. I think it would be easier
> to create a directory for each user(maybe I'm wrong). It is possible to
> store images in a mysql database but I think it's not as easy as text data.
> And then we will have to create a HTML page from that image data and send it
> to the user.

Storing binary data in the database isn't all that hard.  Then, all you'd
need to do is create a servlet mapped to "*.gif", "*.jpg", and so on that
did the user identity check before serving the contents (in binary).  The
same basic principle would work for data stored in per-user directories.
In essence, you're replacing the default file-serving servlet that comes
with Tomcat.

If you run under Tomcat 4 (which supports Servlet 2.3), you also have
another choice -- you can implement your custom authentication checker as
a Filter instead of a Servlet.  That way, you can apply your own custom
check onto any path, without having to modify or replace the file-serving
servlet that comes with Tomcat.

Craig
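
Added example, not part of Craig's message or of Tomcat: one way to write the Filter he describes, so that a single mapping replaces the per-user security constraints. The class name OwnerOnlyFilter and the /users/<username>/... URL layout are assumptions made for illustration.

```java
// Added example (not from the thread). Assumes servlet-api on the classpath
// (javax.servlet, as in Tomcat 4 through 9; Tomcat 10+ uses jakarta.servlet)
// and a hypothetical layout /users/<username>/... inside the web app.
//
// web.xml (Servlet 2.3): one mapping for all users, no per-user constraints.
//   <filter>
//     <filter-name>ownerOnly</filter-name>
//     <filter-class>OwnerOnlyFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>ownerOnly</filter-name>
//     <url-pattern>/users/*</url-pattern>
//   </filter-mapping>
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class OwnerOnlyFilter implements Filter {

    private static final String PREFIX = "/users/"; // hypothetical layout

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Identity comes from the container's realm (e.g. JDBCRealm),
        // never from a request parameter or cookie the client controls.
        String user = request.getRemoteUser();

        // Path inside the web app, already URL-decoded by the container.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (!ownedBy(path, user)) {
            // Fail closed: no user, wrong user, or a suspicious path.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Owner confirmed: let the default file-serving servlet do its job.
        chain.doFilter(req, res);
    }

    /** True only if path is /users/<user>/... for exactly this user. */
    static boolean ownedBy(String path, String user) {
        if (user == null || user.isEmpty() || path == null) return false;
        if (!path.startsWith(PREFIX) || path.indexOf('\\') >= 0) return false;
        String[] segments = path.substring(PREFIX.length()).split("/", -1);
        for (String s : segments) {
            // Reject traversal segments even though the container normalizes.
            if (s.equals("..") || s.equals(".")) return false;
        }
        // Exact, case-sensitive match on the first segment.
        return segments[0].equals(user);
    }
}
```

Adding a user then needs only a new row in the realm database and a new directory, with no change to web.xml and no restart of the app.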



Re: Limits on the size of the web.xml file?

Posted by Roland <ro...@netquant.com.br>.
> The details *vastly* depend on how your app is put together, but it isn't
> all that complicated to figure out.
>
> Consider that you might have the mailboxes for a particular user defined
> in a database table called "mailboxes", with columns "username" and
> "mailboxname".  It would be easy to construct an SQL statement like this:
>
>   select mailboxname from mailboxes
>     where username = xxx

Ok, having Data in the database is fine. But what if we also have image
data? We will store Charts and things like that. I think it would be easier
to create a directory for each user(maybe I'm wrong). It is possible to
store images in a mysql database but I think it's not as easy as text data.
And then we will have to create a HTML page from that image data and send it
to the user.
To put the question more simply: is it possible to create a directory for
each user and prevent other users from accessing it? If every standard user
has the same role how can this be done? I had the idea of letting no one
access the user directories. Then the jsp pages would take the info from the
user directories according to the user that is logged in. That would bring
up the question how can I make the jsp page access directories that are not
accessible to the user. I posted this question in the newsgroup but had no
good answer. One guy made the suggestion to read the file with
FileInputStreams and pass it on to the browser, but I think this would be
very hard to implement.

> and replace xxx by the value returned from request.getRemoteUser().  This
> would allow the user access *only* to his or her own mailboxes.
>
> I'm assuming that you are *not* allowing users to upload their own
> servlets or JSP pages, so they can only access what your app allows.  If
> this is not true, all bets are off (and I wouldn't ever trust your server
> with my mail messages anyway :-).

NO, of course not :)


Re: Limits on the size of the web.xml file?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 3 Sep 2001, Roland wrote:

> Date: Mon, 3 Sep 2001 16:19:48 -0300
> From: Roland <ro...@netquant.com.br>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Limits on the size of the web.xml file?
>
> > Sounds like a redesign is more appropriate.
> >
> > Memory issues aside, have you considered the fact that using individual
> > security constraints for each and every user means that you have to
> > restart the entire app every time you add a new user?  Or, that every time
> > you add a user and restart, the restart time gets longer and longer?
>
> That's a problem!
>
> > Use application specific logic to ensure that a particular user can only
> > see things that are relevant to them (i.e.  their own mailbox in a
> > WebMail scenario).
>
> That was my original design idea. BUT, in this case I don't know how to
> prevent someone to see the data from other users. How can I stop someone
> from trying to access the mail from someone else? Supposing that all
> "standard" users will have the same role, the security will allow him to see
> all directories.
>

The details *vastly* depend on how your app is put together, but it isn't
all that complicated to figure out.

Consider that you might have the mailboxes for a particular user defined
in a database table called "mailboxes", with columns "username" and
"mailboxname".  It would be easy to construct an SQL statement like this:

  select mailboxname from mailboxes
    where username = xxx

and replace xxx by the value returned from request.getRemoteUser().  This
would allow the user access *only* to his or her own mailboxes.

I'm assuming that you are *not* allowing users to upload their own
servlets or JSP pages, so they can only access what your app allows.  If
this is not true, all bets are off (and I wouldn't ever trust your server
with my mail messages anyway :-).

> A question besides here, using JDBC realms is it possible to assign multiple
> roles to one user? How do I do it? Do I have to put several entries in the
> user_roles table? One line for each role of the user?

Yep.  A user can have as many roles as you want to assign them.

>
> Thanks in advance...
>
>
>
Craig
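
Added example, not part of Craig's message: the query above with xxx supplied as a bound parameter from request.getRemoteUser(), plus an ownership check for a mailbox name that arrives from the client. The class and method names are hypothetical; the table and column names are the ones from the message, and the JDBC Connection is assumed to be supplied by the caller.

```java
// Added example (not from the thread). MailboxDao, mailboxesFor and owns are
// hypothetical names; the "mailboxes" table with "username" and "mailboxname"
// columns is the one described in the message.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public final class MailboxDao {

    private MailboxDao() { }

    /**
     * Lists the mailboxes of the authenticated user.
     * remoteUser must be the value of request.getRemoteUser().
     */
    public static List<String> mailboxesFor(Connection conn, String remoteUser)
            throws SQLException {
        requireUser(remoteUser);
        // "xxx" becomes a bound parameter, so the username is never
        // concatenated into the SQL text.
        String sql = "select mailboxname from mailboxes where username = ?";
        List<String> names = new ArrayList<String>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, remoteUser);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }

    /**
     * Ownership check for a mailbox name taken from the request (for example
     * a "mailbox" parameter). Call this before reading or modifying it.
     */
    public static boolean owns(Connection conn, String remoteUser, String mailboxName)
            throws SQLException {
        requireUser(remoteUser);
        if (mailboxName == null) {
            return false;
        }
        String sql = "select 1 from mailboxes where username = ? and mailboxname = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, remoteUser);
            ps.setString(2, mailboxName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next(); // a row exists only if this user owns it
            }
        }
    }

    private static void requireUser(String remoteUser) {
        // getRemoteUser() returns null when nobody is authenticated;
        // refuse to run the query rather than match on a null username.
        if (remoteUser == null || remoteUser.isEmpty()) {
            throw new IllegalStateException("no authenticated user");
        }
    }
}
```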



Re: Limits on the size of the web.xml file?

Posted by Roland <ro...@netquant.com.br>.
> Sounds like a redesign is more appropriate.
>
> Memory issues aside, have you considered the fact that using individual
> security constraints for each and every user means that you have to
> restart the entire app every time you add a new user?  Or, that every time
> you add a user and restart, the restart time gets longer and longer?

That's a problem!

> Use application specific logic to ensure that a particular user can only
> see things that are relevant to them (i.e.  their own mailbox in a
> WebMail scenario).

That was my original design idea. BUT, in this case I don't know how to
prevent someone to see the data from other users. How can I stop someone
from trying to access the mail from someone else? Supposing that all
"standard" users will have the same role, the security will allow him to see
all directories.

A question besides here, using JDBC realms is it possible to assign multiple
roles to one user? How do I do it? Do I have to put several entries in the
user_roles table? One line for each role of the user?

Thanks in advance...



Re: Limits on the size of the web.xml file?

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 3 Sep 2001, Roland wrote:

> Date: Mon, 3 Sep 2001 15:15:36 -0300
> From: Roland <ro...@netquant.com.br>
> Reply-To: tomcat-dev@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Cc: tomcat-dev@jakarta.apache.org
> Subject: Limits on the size of the web.xml file?
>
> Hello is there a limit to the size of the web.xml file?

There are no predefined limits -- the only limits will be indirect ones
based on how much JVM heap space it takes to represent the security
constraints, servlet mappings, and so on internal to the container.

> This is because if
> we want to have a large user database with say 500 users, and make a
> separate security constraint for each user to protect his directories from
> the other users we will have quite a large web.xml file.
> Each security constraint has 602 bytes(characters), that would make 500*602
> = 301000 bytes = 300 Kb(for 500 users).
>

From an XML parsing perspective, or an in-memory perspective, 300kb isn't
much (I've run some large scale apps on gigabyte-memory machines :-).  But
...

> Any problems with that?
>
> What about the really large stuff(fortunately not our case)? If you would
> make a public Webmail and have say 1 000 000(one million) users?
> That would make 602 Million bytes = 602 Megabyte web.xml file. Quite large,
> isn't it ? :)))
>

Sounds like a redesign is more appropriate.

Memory issues aside, have you considered the fact that using individual
security constraints for each and every user means that you have to
restart the entire app every time you add a new user?  Or, that every time
you add a user and restart, the restart time gets longer and longer?

I suggest that you use security constraints to ensure things like "there
must be a logged on user".  You can also use roles to identify whether the
particular user is ordinary, or has administrative capabilities as well,
by defining a few roles.

Use application specific logic to ensure that a particular user can only
see things that are relevant to them (i.e.  their own mailbox in a
WebMail scenario).

> Thanks Roland
>
>
>

Craig McClanahan


