import java.text.MessageFormat;
import java.util.Iterator;
import java.util.Map;
-import java.util.Random;
import java.util.TreeMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
import org.apache.catalina.Container;
import org.apache.catalina.Host;
private static final long serialVersionUID = 1L;
- protected static final String NONCE_SESSION =
- "org.apache.catalina.manager.host.NONCE";
- protected static final String NONCE_REQUEST = "nonce";
-
- private final Random randomSource = new Random();
-
// --------------------------------------------------------- Public Methods
/**
String command = request.getPathInfo();
String name = request.getParameter("name");
- String requestNonce = request.getParameter(NONCE_REQUEST);
// Prepare our output writer to generate the response message
response.setContentType("text/html; charset=" + Constants.CHARSET);
String message = "";
- // Check nonce
- // There *must* be a nonce in the session before any POST is processed
- HttpSession session = request.getSession();
- String sessionNonce = (String) session.getAttribute(NONCE_SESSION);
- if (sessionNonce == null) {
- message = sm.getString("htmlHostManagerServlet.noNonce", command);
- // Reset the command
- command = null;
- } else {
- if (!sessionNonce.equals(requestNonce)) {
- // Nonce mis-match.
- message =
- sm.getString("htmlHostManagerServlet.nonceMismatch", command);
- // Reset the command
- command = null;
- }
- }
-
// Process the requested command
if (command == null) {
// No command == list
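Review bot: With the in-servlet nonce check removed, nothing between `String command = request.getPathInfo();` and the dispatch at `if (command == null)` guards a state-changing POST against cross-site submission, so the method now depends entirely on an external filter being mapped to this path — presumably the CSRF protection the updated 403 page refers to, whose web.xml mapping is not visible in this diff. A one-line comment would keep that dependency from being silently lost in a later refactor: `// CSRF protection for these POSTs is provided by the filter mapped to /html/* in web.xml, not checked here.` The enclosing method (the POST handler, per the removed comment) starts and ends outside the hunk.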
/**
- * Generate a once time token (nonce) for authenticating subsequent
- * requests. This will also add the token to the session. The nonce
- * generation is a simplified version of ManagerBase.generateSessionId().
- *
- */
- protected String generateNonce() {
- byte random[] = new byte[16];
-
- // Render the result as a String of hexadecimal digits
- StringBuilder buffer = new StringBuilder();
-
- randomSource.nextBytes(random);
-
- for (int j = 0; j < random.length; j++) {
- byte b1 = (byte) ((random[j] & 0xf0) >> 4);
- byte b2 = (byte) (random[j] & 0x0f);
- if (b1 < 10)
- buffer.append((char) ('0' + b1));
- else
- buffer.append((char) ('A' + (b1 - 10)));
- if (b2 < 10)
- buffer.append((char) ('0' + b2));
- else
- buffer.append((char) ('A' + (b2 - 10)));
- }
-
- return buffer.toString();
- }
-
-
- /**
* Add a host using the specified parameters.
*
* @param name host name
log(sm.getString("hostManagerServlet.list", engine.getName()));
}
- String newNonce = generateNonce();
- request.getSession().setAttribute(NONCE_SESSION, newNonce);
-
PrintWriter writer = response.getWriter();
// HTML Header Section
writer.print
(MessageFormat.format(HOSTS_ROW_DETAILS_SECTION, args));
- args = new Object[7];
- args[0] = response.encodeURL
- (request.getContextPath() +
- "/html/start?name=" +
- URLEncoder.encode(hostName, "UTF-8"));
- args[1] = hostsStart;
- args[2] = response.encodeURL
+ args = new Object[4];
+ if (host.getState().isAvailable()) {
+ args[0] = response.encodeURL
(request.getContextPath() +
"/html/stop?name=" +
URLEncoder.encode(hostName, "UTF-8"));
- args[3] = hostsStop;
- args[4] = response.encodeURL
+ args[1] = hostsStop;
+ } else {
+ args[0] = response.encodeURL
+ (request.getContextPath() +
+ "/html/start?name=" +
+ URLEncoder.encode(hostName, "UTF-8"));
+ args[1] = hostsStart;
+ }
+ args[2] = response.encodeURL
(request.getContextPath() +
"/html/remove?name=" +
URLEncoder.encode(hostName, "UTF-8"));
- args[5] = hostsRemove;
- args[6] = newNonce;
+ args[3] = hostsRemove;
if (host == this.installedHost) {
writer.print(MessageFormat.format(
MANAGER_HOST_ROW_BUTTON_SECTION, args));
writer.print(MessageFormat.format(
HOSTS_ROW_BUTTON_SECTION, args));
}
-
}
}
// Add Section
- args = new Object[7];
+ args = new Object[6];
args[0] = sm.getString("htmlHostManagerServlet.addTitle");
args[1] = sm.getString("htmlHostManagerServlet.addHost");
args[2] = response.encodeURL(request.getContextPath() + "/html/add");
args[3] = sm.getString("htmlHostManagerServlet.addName");
args[4] = sm.getString("htmlHostManagerServlet.addAliases");
args[5] = sm.getString("htmlHostManagerServlet.addAppBase");
- args[6] = newNonce;
writer.print(MessageFormat.format(ADD_SECTION_START, args));
args = new Object[3];
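Review bot: The `host.getState().isAvailable()` branch only decides which button is rendered; it does not stop a crafted POST to `/html/start` on a running host, so the start/stop handlers must still reject a mismatched state server-side — the new `hostManagerServlet.alreadyStarted`/`alreadyStopped` messages suggest they do, but those handlers are outside this hunk. Also, with the hidden nonce field dropped from the row, the only place a CSRF token can now enter these form actions is `response.encodeURL(...)`, so that call must not be replaced by plain string concatenation; a comment such as `// encodeURL is what carries the CSRF nonce into the action URL; do not bypass it` next to the first `args[0] = response.encodeURL` would make that explicit. The enclosing method starts before the hunk.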
private static final String MANAGER_HOST_ROW_BUTTON_SECTION =
" <td class=\"row-left\">\n" +
" <small>\n" +
- " {1} \n" +
- " {3} \n" +
- " {5} \n" +
+ sm.getString("htmlHostManagerServlet.hostThis") +
" </small>\n" +
" </td>\n" +
"</tr>\n";
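Review bot: `sm.getString("htmlHostManagerServlet.hostThis")` is evaluated once when the `MANAGER_HOST_ROW_BUTTON_SECTION` constant is initialised, unlike every other label in this servlet, which is fetched per request (e.g. `args[0] = sm.getString("htmlHostManagerServlet.addTitle")`), so this cell is fixed to whatever `sm` resolves at class-load time and additionally requires `sm` to be initialised before this static field — safe only if `sm` is declared in a superclass or earlier in the class, which is not visible here. Keeping the template positional, `" {0} \n" +`, and passing `sm.getString("htmlHostManagerServlet.hostThis")` in the `args` array at the `host == this.installedHost` call site would match the rest of the file.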
private static final String HOSTS_ROW_BUTTON_SECTION =
" <td class=\"row-left\" NOWRAP>\n" +
" <form class=\"inline\" method=\"POST\" action=\"{0}\">" +
- " <input type=\"hidden\" name=\"" + NONCE_REQUEST + "\" value=\"{6}\"" +
" <small><input type=\"submit\" value=\"{1}\"></small>" +
" </form>\n" +
" <form class=\"inline\" method=\"POST\" action=\"{2}\">" +
- " <input type=\"hidden\" name=\"" + NONCE_REQUEST + "\" value=\"{6}\"" +
" <small><input type=\"submit\" value=\"{3}\"></small>" +
" </form>\n" +
- " <form class=\"inline\" method=\"POST\" action=\"{4}\">" +
- " <input type=\"hidden\" name=\"" + NONCE_REQUEST + "\" value=\"{6}\"" +
- " <small><input type=\"submit\" value=\"{5}\"></small>" +
- " </form>\n" +
" </td>\n" +
"</tr>\n";
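Review bot: The remaining placeholders `{0}`…`{3}` of `HOSTS_ROW_BUTTON_SECTION` are now filled with a state-dependent meaning (`{0}`/`{1}` are the stop URL and label for a running host, the start URL and label otherwise), which the template itself does not say; a comment above the constant, `// {0}: start-or-stop URL (chosen by host state), {1}: its label, {2}: remove URL, {3}: remove label`, would spare the next reader from cross-referencing the args array. The `value="{1}"` and `value="{3}"` attributes take resource-bundle strings, so they are not attacker-controlled, but they are inserted without HTML escaping — worth a note if those keys are ever made configurable.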
"<tr>\n" +
" <td colspan=\"2\">\n" +
"<form method=\"post\" action=\"{2}\">\n" +
- "<input type=\"hidden\" name=\"" + NONCE_REQUEST + "\" value=\"{6}\"\n" +
"<table cellspacing=\"0\" cellpadding=\"3\">\n" +
"<tr>\n" +
" <td class=\"row-right\">\n" +
# See the License for the specific language governing permissions and
# limitations under the License.
+hostManagerServlet.alreadyStarted=FAIL - Host [{0}] is already started
+hostManagerServlet.alreadyStopped=FAIL - Host [{0}] is already stopped
hostManagerServlet.appBaseCreateFail=FAIL - Failed to create appBase [{0}] for host [{1}]
hostManagerServlet.configBaseCreateFail=FAIL - Failed to identify configBase for host [{0}]
hostManagerServlet.noCommand=FAIL - No command was specified
htmlHostManagerServlet.hostsStart=Start
htmlHostManagerServlet.hostsStop=Stop
htmlHostManagerServlet.hostsRemove=Remove
+htmlHostManagerServlet.hostThis=Host Manager installed - commands disabled
htmlHostManagerServlet.addTitle=Add Virtual Host
htmlHostManagerServlet.addHost=Host
htmlHostManagerServlet.addName=Name:
htmlHostManagerServlet.serverOSName=OS Name
htmlHostManagerServlet.serverOSVersion=OS Version
htmlHostManagerServlet.serverOSArch=OS Architecture
-htmlHostManagerServlet.noNonce=FAIL: No nonce found in session. Command \"{0}\" was ignored
-htmlHostManagerServlet.nonceMismatch=FAIL: Nonce mismatch. Command \"{0}\" was ignored.
statusServlet.title=Server Status
statusServlet.complete=Complete Server Status
<body>
<h1>403 Access Denied</h1>
<p>
- You are not authorized to view this page. If you have not changed
+ You are not authorized to view this page.
+ </p>
+ <p>
+ If you have already configured the Host Manager application to allow access
+ and you have used your browsers back button, used a saved book-mark or
+ similar then you may have triggered the cross-site request forgery (CSRF)
+ protection that has been enabled for the HTML interface of the Host Manager
+ application. You will need to reset this protection by returning to the
+ <a href="<%=request.getContextPath()%>/html">main Host Manager page</a>.
+ Once you return to this page, you will be able to continue using the Host
+ Manager appliction's HTML interface normally. If you continue to see this
+ access denied message, check that you have the necessary permissions to
+ access this application.
+ </p>
+ <p> If you have not changed
any configuration files, please examine the file
<tt>conf/tomcat-users.xml</tt> in your installation. That
file must contain the credentials to let you use this webapp.