Posted to users@tomcat.apache.org by JavaJosh <jo...@yahoo.com> on 2002/03/11 00:30:21 UTC

Tomcat questions (long)

Hi List,

I am interested in building a data driven web app with Tomcat 4.0 and
JSP/Servlets, but am new to the field, and have lots of questions. Some
are general, some are specific to Tomcat. Please be patient, as I am
new. Here it goes:

System design: It seems that managing client state transitions is
difficult. Unlike traditional GUIs, basically all forms are modal. How
do you design around this? I have some ideas below that I would like
some feedback on.

Implementation: Looking at the servlet code that comes with Tomcat, it
seems very ugly. All those out.println()'s give me the willies! JSP
looks slightly better, since at least Java embedded in HTML is more
readable than HTML embedded in Java! Even the latter can be minimized
with taglibs, right?

I have read some about FreeMarker and WebMacro. How exactly do these fit
into the equation?

Finally, regarding the design philosophy behind data-driven
weblications: they are mostly parameterized finite state machines,
right? There is a set of templates which, when requested, are filled
with data, perhaps adjusted in some other, structural way, and served.
Each user may have access to a different set of these templates (for
example, limited by security). Each template may allow the user to
transition to certain other templates. The process repeats during
session lifetime.

So it seems to me that a state diagram is in order, and each state
corresponds to each HTML page the user sees. State transitions are
basically hyperlinks. Because the number of states (pages) can grow
large, it seems reasonable to expect them to be fairly uniform, and
perhaps "inherit" in some way from a common parent template. Does this
sound right? How can I achieve this?

(this way of programming is much much different than the event driven
concepts of, say, VB or Swing!)

So a user logs in, gets a session identifier, and, unless all state
transitions are allowed (the degenerate case), the server must also
track client state, yes? Where can I find out more about how Tomcat
assigns session identifiers and processes URLs to include them?

If my understanding is correct, it seems that for most web apps 2
servlets would be adequate: one for login and client instantiation
(assigning session and initial state) and one for all other state
transitions (call it servlet 2). After all, servlet 2 can get the
session and then look up the client state from that, and then determine
valid state transitions, and compare it to what the client requested to
make sure everything is kosher! Logout would be a state transition on
servlet 2, although there might be a polling process checking login time
and auto-change user state when a certain amount of time has elapsed.

I have a question about this and Tomcat: will servlet 2 be reused for
all client requests? EG does Tomcat instance a copy of that servlet for
every request, in the same way ServerSocket generates new Sockets? Or is
the servlet required to behave linearly (that is, service request 1,
then request 2, etc...)?

One security concern would be spoofing the session data, probably after
eavesdropping on the tcp stream/http content. This would only be of
concern for the duration of the session, so it might pay to keep the
sessions short. However, I thought of another thing to help prevent
this: log the client IP address and correlate it with the session key.
This won't help in some circumstances, for example if the client is
using NAT behind a firewall and the spoofer is behind there too (so they
look like they have the same IP), or if the spoofer is relatively
sophisticated and forges his packet headers. But still, I think this
would be a useful security measure. That is, if my understanding of HTTP
over TCP is correct, in that a client keeps a TCP connection to the HTTP
server for a relatively long period of time (speaking of which, is there
any way to adjust this time with Tomcat?)

Another security concern is the login process itself. Are there any
standards for moving the user name password data across the wire
securely, especially ones that Tomcat supports? (HTTPS seems like
overkill, but I don't know, I'm just a newbie.)

Can this IP logging idea be done with Tomcat? In other words, is
there a way to determine the requester's IP address, even though this
info is not necessarily in the HTTP stream? If Tomcat does offer this
information, where does it get it? The HTTP or the actual TCP stream?

Kind regards,
Josh Rehman

-----Original Message-----
From: Greg Munger [mailto:gjmlists@attbi.com]
Sent: Sunday, March 10, 2002 2:24 PM
To: Tomcat Users List
Subject: mod_webapp.so error "duplicate connection name"

I just started following this list, but I have tried to look in the
archives and in deja news for an explanation for the "duplicate
connection name" error. This error occurs when I restart Apache.

I am using a hosted server where I do not have root. Currently tomcat
4.0.1 and apache 1.3 are installed. The Tomcat standalone http server
works fine at port 8080, and apache is running on port 80. This system
is using the 2.1.3 glibc libraries, so I cannot use the precompiled
versions mod_webapp (which seem to use 2.2).

1. I obtained the source from this url:
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.1/src/webapp-module-1.0.1-tc401-src.tar.gz


2. built the module:
support/buildconfs.sh
configure --with-apxs
make

3. copied apache-1.3/mod_webapp.so to the apache libexec directory

4. added the following to httpd.conf
LoadModule webapp_module       libexec/mod_webapp.so
...
AddModule mod_webapp.c
...
WebAppConnection conn warp localhost:8008
WebAppDeploy xx  conn /xx

5. the server.xml file contains the information that came with it:

  <!-- Define an Apache-Connector Service -->
   <Service name="Tomcat-Apache">
     <Connector className="org.apache.catalina.connector.warp.WarpConnector"
      port="8008" minProcessors="5" maxProcessors="75"
      enableLookups="true"
      acceptCount="10" debug="0"/>
     <!-- Replace "localhost" with what your Apache "ServerName" is set to -->
     <Engine className="org.apache.catalina.connector.warp.WarpEngine"
      name="Apache" debug="0" appBase="webapps">
       <Logger className="org.apache.catalina.logger.FileLogger"
               prefix="apache_log." suffix=".txt"
               timestamp="true"/>
       <Realm className="org.apache.catalina.realm.MemoryRealm" />
     </Engine>
   </Service>


6. When I restart apache I get the "duplicate connection name" error
reported for the WebAppConnection statement.

7. I have the same setup running locally on a machine where I do have
root access, and it is working fine. The only difference between the
systems that I am aware of is that it is glibc 2.2. And I am not sure
what the apache version of the hosted system is, but I am pretty sure
it is 1.3.something.


-- what causes the "duplicate connection name" errors?
-- are there any other choices for accessing Tomcat through port 80? I
am aware of using a ProxyPass directive in Apache, but using that
approach static content will always be served by Tomcat.
-- what does the "replace localhost..." comment in the server.xml file
mean? There is no "localhost" parameter in either 4.0.1 or 4.0.3.

thanks,
Greg


Greg Munger   -   219-926-7604    - Lake Point Interactive   - www.lpiweb.com


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
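
The IP-to-session correlation asked about in the message above, as an added example that is not part of the original post or of Tomcat's own code. It is a Servlet 2.3 filter (the API level Tomcat 4.0 implements) built on ServletRequest.getRemoteAddr(); the class name SessionAddressFilter and the attribute name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Binds each HTTP session to the peer address it was first used from. */
public class SessionAddressFilter implements Filter {

    // Hypothetical session attribute name chosen for this example.
    private static final String BOUND_ADDR = "example.boundRemoteAddr";

    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            // getSession(false): never create a session just to inspect one.
            HttpSession session = request.getSession(false);
            if (session != null) {
                // The address comes from the accepted TCP socket, not from an
                // HTTP header. Behind a proxy or NAT gateway it is that
                // device's address, so clients sharing it look identical.
                String peer = request.getRemoteAddr();
                String bound = (String) session.getAttribute(BOUND_ADDR);
                if (bound == null) {
                    session.setAttribute(BOUND_ADDR, peer); // first request of the session
                } else if (!bound.equals(peer)) {
                    // Log the addresses only; the session id itself stays out of the log.
                    context.log("Session bound to " + bound
                            + " was presented from " + peer + "; invalidating it");
                    session.invalidate();
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        context = null;
    }
}
```

The filter takes effect once it is declared in the web application's web.xml with <filter> and <filter-mapping> elements. Clients whose source address legitimately changes mid-session will have to log in again.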




RE: Tomcat questions (long)

Posted by JavaJosh <jo...@yahoo.com>.
Thanks for the quick response Yu-Meng. I am reading now...

> -----Original Message-----
> From: Yu-Meng Chong [mailto:chongym@cymulacrum.net]
> Sent: Sunday, March 10, 2002 5:26 PM
> To: Tomcat Users List
> Subject: Re: Tomcat questions (long)
> 
> Hi Josh !
> 
> I can help you out with the first part of your really long email (you
> weren't kidding, were you ?). I, too, had a problem with all those
> out.println()'s, and there *is* a better solution. You *can* try JSP
> code, but it becomes difficult to maintain after a while -- especially
> if you're trying to do some complex processing. My choice would be
> Velocity (see http://jakarta.apache.org/velocity/index.html ) It's a
> template engine which makes a very clean (IMHO, at least) division
> between interface and implementation. How it works is : you create a
> normal HTML file, but put placeholders in the code that will be
> populated by your servlet. Then you write a servlet that does the
> processing and outputs the result as a string which gets inserted into
> the placeholder. This is a VERY different approach from the more
> "mainstream" method of JSPs and JavaBeans, which (again IMHO) is too
> complicated and prone to error. A very good comparison can be found
> here : http://jakarta.apache.org/velocity/ymtd/ymtd.html
> 
> As for the rest of your email ... well, I'll leave it to others more
> knowledgeable and articulate than myself  to explain.
> 
> Regards,
> Pascal Chong




Re: Tomcat questions (long)

Posted by Yu-Meng Chong <ch...@cymulacrum.net>.
Hi Josh !

I can help you out with the first part of your really long email (you
weren't kidding, were you ?). I, too, had a problem with all those
out.println()'s, and there *is* a better solution. You *can* try JSP code,
but it becomes difficult to maintain after a while -- especially if you're
trying to do some complex processing. My choice would be Velocity (see
http://jakarta.apache.org/velocity/index.html ) It's a template engine which
makes a very clean (IMHO, at least) division between interface and
implementation. How it works is : you create a normal HTML file, but put
placeholders in the code that will be populated by your servlet. Then you
write a servlet that does the processing and outputs the result as a string
which gets inserted into the placeholder. This is a VERY different approach
from the more "mainstream" method of JSPs and JavaBeans, which (again IMHO)
is too complicated and prone to error. A very good comparison can be found
here : http://jakarta.apache.org/velocity/ymtd/ymtd.html

As for the rest of your email ... well, I'll leave it to others more
knowledgeable and articulate than myself  to explain.

Regards,
Pascal Chong




