
Weblog Software Upgraded

I upgraded the weblog software this weekend to Pebble 1.4-dev. A major new feature is trackback.

An interesting twist is that Pebble 1.4-dev uses the commons-httpclient.jar from the Apache Commons Project. The JBoss 3.2.1 + Tomcat 4.1.24 that hosts this weblog also uses it.

Of course they use different versions of the jar. And posting a trackback to my weblog causes a NoSuchMethodException because the older version that JBoss uses lacks a certain method present in the newer version.

Tweaking JBoss's class loading scheme to force the webapp to load its own commons-httpclient.jar causes errors elsewhere. Copying the newer jar over the older jar doesn't work either.

Luckily, the latest beta version of JBoss, 3.2.2 RC4, uses the exact same version of commons-httpclient.jar as Pebble 1.4-dev. So I upgraded JBoss, and the new feature works as advertised now.

I still have a problem with HTTP BASIC authentication in the embedded Tomcat. But it only affects the owner.


Re: Weblog Software Upgraded

If you log in and then navigate back to the home page of the webapp, do you lose all the admin links at the top of the page? I've installed the same version of JBoss/Tomcat that you're running and this is what happens to me. I am guessing that this is why I also can't see the remove comment link when the popup window opens. It seems that JBoss doesn't remember that you are logged in unless you access a secured resource. Very strange. I thought at first that the session was timing out immediately, but this doesn't seem to be the case. I will continue looking for a solution.

Re: Weblog Software Upgraded

Yes, I do lose the admin links if I come back to the home page after logging in. I checked JBoss's bug database at SourceForge and saw one entry about Form based authentication not working with Jetty (Bug number 786668). I'm not sure if that is related to what we are seeing, though. My post to jboss-users remains unanswered.

Re: Weblog Software Upgraded

JBoss's Scott M Stark wrote on jboss-user:

There is nothing wrong with basic auth in JBoss-3.2.2RC4_Tomcat-4.1.27. It sounds like the app is expecting there to be a valid user on non-secured pages and the caching that is required to achieve this is disabled in the embedded version because it breaks the ability to transmit the caller credentials from servlets to ejbs. There is no spec mandate that the caller identity is available within a session from unsecured pages.

Re: Weblog Software Upgraded

True, the spec may not explicitly mandate this, but section SRV.12.3 Programmatic Security (servlets 2.3) says the following:

If no user has been authenticated, the getRemoteUser method returns null, the isUserInRole method always returns false, and the getUserPrincipal method returns null.

Clearly this is in contrast because this statement doesn't differentiate protected and unprotected resources. The javadoc of the relevant methods in HttpServletRequest also makes no differentiation between protected and unprotected resources, instead being specific about whether the current user has been authenticated. With our problem, the current user has been authenticated. IMHO, I don't think JBoss is playing ball.

Perhaps it's worth dropping a note to this effect (or even copying and pasting this response) into the JBoss forum. ;-)

Re: Weblog Software Upgraded

Just thought you'd like to know that Pebble 1.4 will have fixes for all this nasty security stuff. I'll write a blog entry about it all (as I think it's quite interesting), but essentially when logging in, I've had to stick the user's credentials into their session. I think it's the only way that you can guarantee consistency between web servers. Tomcat and Resin work how I would expect, but JBoss and Jetty are a different story!
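
One way to get the behaviour discussed in this thread, where getRemoteUser, getUserPrincipal and isUserInRole keep answering on unprotected pages once the container has authenticated the user, is a servlet filter that remembers the identity in the session. This is an added example, not Pebble's code; the class name, session attribute name and role name are assumptions, and it stores the user name and roles rather than the password.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not Pebble's code), mapped to /* in web.xml.
public class RememberedUserFilter implements Filter {
    static final String KEY = "example.rememberedUser"; // assumed session attribute name
    static final String[] ROLES = { "blog-owner" };      // assumed role names declared in web.xml

    // Name and roles only; the password is never placed in the session.
    static final class Remembered implements Principal, Serializable {
        final String name;
        final Set<String> roles = new HashSet<String>();
        Remembered(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false);
        if (req.getUserPrincipal() != null) {
            // Secured resource: the container has authenticated the caller, so record it.
            Remembered r = new Remembered(req.getUserPrincipal().getName());
            for (String role : ROLES) {
                if (req.isUserInRole(role)) r.roles.add(role);
            }
            req.getSession(true).setAttribute(KEY, r);
        } else if (session != null && session.getAttribute(KEY) != null) {
            // Unsecured resource: the container reports no user, so answer from the session.
            final Remembered r = (Remembered) session.getAttribute(KEY);
            rq = new HttpServletRequestWrapper(req) {
                public String getRemoteUser() { return r.name; }
                public Principal getUserPrincipal() { return r; }
                public boolean isUserInRole(String role) { return r.roles.contains(role); }
            };
        }
        chain.doFilter(rq, rs);
    }
}
```

The remembered identity lives as long as the session does, so logging out has to call `session.invalidate()` for the admin links to disappear again.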

Deploying Pebble to JBoss 3.2.1/Tomcat 4.1.24

Weiqi runs Pebble on the JBoss 3/Tomcat 4 distribution and aside from some problems with the Servlet security mechanism it seems to be working well.

