Posted to users@tomcat.apache.org by Dinesh Khetarpal <dk...@karora.ca> on 2002/08/16 17:58:48 UTC

crimson or xmlParserAPIs and xercesImpl

In 3.3 tomcat I have crimson in my web-inf/lib and it is dynamically
loaded, in 4.x I have to remove crimson and put two (xmlPar.. and
xercesImpl). In 3.3 xmlPar and xercesI.. do not work. I am confused ..

-----Original Message-----
From: Scott Dayberry [mailto:Scott.Dayberry@wcom.com]
Sent: Friday, August 16, 2002 11:32 AM
To: tomcat-user@jakarta.apache.org
Subject: getRemoteUser() reset to null after authenticated user hits
an unauthorized page


I am using form-based authentication under Tomcat 3.2.3.

I have 3 security-constraint sections in web.xml for 3 different user
roles. If an already authenticated user selects a page to which he is
not authorized, he is redirected to the form-error-page (I thought this
should be a 403-Forbidden error instead), and his authentication is
invalidated. (A getRemoteUser() call returning null at this point
verifies this).

The implication of this is that he can no longer select any pages that
he IS authorized for, and must re-login. Is this a known bug with
Tomcat 3.2.3, expected behavior, or is there a configuration setting I
am missing?

Thanks in advance,
Scott


--
To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
For additional commands, e-mail:
<ma...@jakarta.apache.org>




Re: crimson or xmlParserAPIs and xercesImpl

Posted by Jacob Kjome <ho...@visi.com>.
Hello Dinesh,

Yep, starting with Tomcat-4.0.2, Tomcat has been enforcing the Sun
classloading spec which says that no DOM or XML libraries can be
loaded out of the child classloader, of which WEB-INF/lib is.
Tomcat-3.3.x and 4.0 and 4.0.1 did *not* enforce this.  However, it
caused some various buggy behavior that you may or may not have
noticed.  Bottom line is that you now must put your DOM/XML libraries
out of a parent classloader... either in one of Tomcat's special
directories such as $TOMCAT_HOME/lib or $TOMCAT_HOME/common/lib or you
can load them from the JDK if you are using j2sdk1.4.x or greater.
You can also override the DOM/XML libraries in jdk1.4.x by creating a
$JAVA_HOME/jre/lib/endorsed directory and then putting your preferred
DOM/XML libraries in there.  They will be loaded on the bootclasspath
with the rest of the standard Java libraries and override libraries
with the same package that might have come with the JDK.

later,

Jake

Friday, August 16, 2002, 10:58:48 AM, you wrote:

DK> In 3.3 tomcat I have crimson in my web-inf/lib and it is dynamically
DK> loaded, in 4.x I have to remove crimson and put two (xmlPar.. and
DK> xercesImpl). In 3.3 xmlPar and xercesI.. do not work. I am confused ..

DK> -----Original Message-----
DK> From: Scott Dayberry [mailto:Scott.Dayberry@wcom.com]
DK> Sent: Friday, August 16, 2002 11:32 AM
DK> To: tomcat-user@jakarta.apache.org
DK> Subject: getRemoteUser() reset to null after authenticated user hits
DK> an unauthorized page


DK> I am using form-based authentication under Tomcat 3.2.3.

DK> I have 3 security-constraint sections in web.xml for 3 different user
DK> roles. If an already authenticated user selects a page to which he is
DK> not authorized, he is redirected to the form-error-page (I thought this
DK> should be a 403-Forbidden error instead), and his authentication is
DK> invalidated. (A getRemoteUser() call returning null at this point
DK> verifies this).

DK> The implication of this is that he can no longer select any pages that
DK> he IS authorized for, and must re-login. Is this a known bug with
DK> Tomcat 3.2.3, expected behavior, or is there a configuration setting I
DK> am missing?

DK> Thanks in advance,
DK> Scott





-- 
Best regards,
 Jacob                            mailto:hoju@visi.com
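
A check related to the reply above, as an added example that is not part of the original thread or of Tomcat itself: it lists the jars under a webapp's WEB-INF/lib that carry DOM/XML classes, which are the ones to move to a parent classloader location. The package prefix list and the sample jar contents are assumptions constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

# Assumed package prefixes standing in for "DOM or XML libraries"; adjust as needed.
XML_PREFIXES = ("javax/xml/", "org/w3c/dom/", "org/xml/sax/",
                "org/apache/crimson/", "org/apache/xerces/")


def xml_packages_in_jar(jar_path):
    """Return the sorted XML/DOM package prefixes that have classes in this jar."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = jar.namelist()
    except zipfile.BadZipFile:
        # A corrupt jar is reported rather than silently skipped.
        return ["<unreadable jar>"]
    return sorted({p for n in names if n.endswith(".class")
                   for p in XML_PREFIXES if n.startswith(p)})


def scan_webapp(webapp_root):
    """Map jar name -> XML packages found, for every jar under WEB-INF/lib."""
    lib = Path(webapp_root) / "WEB-INF" / "lib"
    findings = {}
    for jar in sorted(lib.glob("*.jar")):
        hits = xml_packages_in_jar(jar)
        if hits:
            findings[jar.name] = hits
    return findings


def build_sample_webapp(root):
    """Constructed sample webapp: two parser jars, one unrelated jar, one bad jar."""
    lib = Path(root) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    samples = {
        "crimson.jar": ["org/apache/crimson/parser/Parser2.class",
                        "javax/xml/parsers/DocumentBuilder.class"],
        "xercesImpl.jar": ["org/apache/xerces/parsers/DOMParser.class"],
        "myapp-util.jar": ["com/example/util/Dates.class"],
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(lib / name, "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")
    (lib / "broken.jar").write_bytes(b"not a zip")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for jar, pkgs in scan_webapp(build_sample_webapp(tmp)).items():
            print(f"{jar}: {', '.join(pkgs)}")
```

To scan a real deployment, call scan_webapp() with the path of the unpacked webapp directory instead of the constructed sample.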

