Jetspeed 2 / JS2-1255

Update Jetspeed demo and installer to use latest Tomcat 6.x version for hardened security

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.1
    • Fix Version/s: 2.2.2
    • Component/s: None
    • Labels:
      None

      Activity

      David Sean Taylor added a comment -

      The build also needs to support Tomcat 7 as a valid option for org.apache.jetspeed.catalina.version.major

      Ate Douma added a comment - - edited

      Agreed.

      Actually, I was thinking if it maybe is time to drop Tomcat 5.x support and make Tomcat 7 the default (that is: if/when it properly works with Jetspeed, see below).
      The Tomcat 6 and Tomcat 7 deployment configurations actually are the same, so doing the above would simply "collapse" our maven deploy plugin configuration and behavior into a singular one.

      I've already played with this a bit trying to get it to work, and it actually turned out to be pretty trivial changes.

      One specific, and major, configuration change however is required for upgrading to Tomcat 7: the server.xml connector emptySessionPath="true" attribute no longer is supported!
      I discovered this while working on a similar upgrade for Pluto, see PLUTO-611
      But also for this, the "fix" is pretty trivial: now a new attribute sessionCookiePath="/" needs to be configured instead on the root Context in $CATALINA_HOME/conf/context.xml
      See: http://tomcat.apache.org/migration.html#Session_cookie_configuration
      The nice part of this change is: it's backwards compatible with Tomcat 6.0.27+ (latest Tomcat 6 already is 6.0.33, so no big deal).
      Yet another reason IMO to now drop Tomcat 5.x support and support latest Tomcat 6 and 7 versions (and higher) only.

      Anyway, once I did these changes, building and deploying to Tomcat 7.0.21 worked without a problem, including through a jetspeed-installer build.

      However...

      We have a new and more serious technical problem: (only) when trying to login on Jetspeed, the PortalSessionsManagerImpl now throws a NPE for every portlet render:

      java.lang.NullPointerException
      at org.apache.jetspeed.container.session.PortalSessionsManagerImpl.checkMonitorSession(PortalSessionsManagerImpl.java:226)
      at org.apache.jetspeed.container.JetspeedContainerServlet.doGet(JetspeedContainerServlet.java:395)

      This I haven't had time to look into yet, but it seems like Tomcat 7 is "twisting" the session/cookie handling after login in some way.
      I'll try to figure out what goes wrong ASAP (this week).
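
The configuration change described in the comment above, as an added check that is not part of the original issue or of Jetspeed's build: it parses a server.xml and a conf/context.xml and reports a leftover `emptySessionPath` connector attribute and a missing `sessionCookiePath="/"` on the root Context. The XML samples and the function name `check_session_cookie_config` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not Jetspeed's shipped files): a pre-Tomcat-7 setup
# and the replacement configuration described in the comment above.
OLD_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" emptySessionPath="true"/>
</Service></Server>"""
OLD_CONTEXT_XML = "<Context/>"
NEW_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""
NEW_CONTEXT_XML = """<Context sessionCookiePath="/"/>"""


def check_session_cookie_config(server_xml, context_xml):
    """Return findings for the emptySessionPath -> sessionCookiePath migration."""
    findings = []
    server = ET.fromstring(server_xml)
    for conn in server.iter("Connector"):
        if "emptySessionPath" in conn.attrib:
            findings.append(
                f"server.xml: Connector port={conn.get('port')} still sets "
                f"emptySessionPath={conn.get('emptySessionPath')!r} "
                "(not supported by Tomcat 7)"
            )
    context = ET.fromstring(context_xml)
    # The attribute must sit on the root <Context> element of conf/context.xml.
    if context.tag != "Context":
        findings.append(
            f"context.xml: root element is <{context.tag}>, expected <Context>"
        )
    elif context.get("sessionCookiePath") != "/":
        findings.append(
            "context.xml: root Context has sessionCookiePath="
            f"{context.get('sessionCookiePath')!r}, expected '/'"
        )
    return findings


if __name__ == "__main__":
    for name, s, c in [("old", OLD_SERVER_XML, OLD_CONTEXT_XML),
                       ("new", NEW_SERVER_XML, NEW_CONTEXT_XML)]:
        print(name, check_session_cookie_config(s, c) or "OK")
```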

      Ate Douma added a comment -

      I found the problem of the above NPE and fixed it already, see: JS2-1257

      Everything else seems to be working as expected now, so I'll commence with committing my above proposed changes, including dropping support for Tomcat 5.x as so far nobody objected.

      Ate Douma added a comment -

      Done.
      Installer now bundles Tomcat 7.0.21 and Tomcat 7 is now the default deploy target

      Ate Douma added a comment -

      I encountered some issues while testing with Tomcat 7, so I think it is not trustable enough yet to use as default/demo Tomcat version.
      I'll update this issue (including title) and downgrade the installer to latest Tomcat 6.x (6.0.33)


        People

        • Assignee:
          Ate Douma
          Reporter:
          Ate Douma
        • Votes:
          0
          Watchers:
          0
