From: Holger K. <ki...@di...> - 2006-03-07 09:48:36
Alex Twisleton-Wykeham-Fiennes wrote:

>On Mon 6 March 2006 15:55, Holger King wrote:
>
>>Hi Group,
>>
>>is it possible to realize a webmacro recursion within a webmacro
>>template like:
>>
>>#macro counter($counterParam) {
>>    CounterParam: $counterParam<br/>
>>
>>    #set $digit = $counterParam + 1
>>
>>    #if($digit < 10)
>>        $digit < 10!
>>        #counter($digit)
>>    #end
>>    #else
>>        $digit >= 10
>>    #end
>>}
>>
>>#counter(1)
>>
>>I always get an StackOverflowError when calling the above template. If
>>there are alternatives using other webmacro directives implementing a
>>recursion logic, tell me further details. Thanx in advance.

Hi,

is it even possible to access plugged in WebContext-Tools like URLTool within a "templet" directive like

>#templet $counter {
>    #set $digit = $digit + 1
>    #if ($digit < 10) {
>        [$digit < 10]
>
>        $URL.getRequestURL()?counter=$digit
>        #eval $Self using { "digit": $digit }
>    } #else {
>        [$digit >= 10]
>    }
>}
>#eval $counter using { "digit": $digit }
>
>gives me:-
>
>[1 < 10] [2 < 10] [3 < 10] [4 < 10] [5 < 10] [6 < 10] [7 < 10] [8 < 10] [9 < 10] [10 >= 10]
>
>Alex

--
Kind regards,
Holger King
---------------------------------------------------
DIG Digitale Medienberatungs- und Produktions- GmbH
Neckarstrasse 1-5, D-78727 Oberndorf, Germany
Phone: +49 7423 8750-0
Fax: +49 7423 8750-23
mailto:ki...@di...
http://www.dig.de
---------------------------------------------------
From: Alex Twisleton-Wykeham-F. <al...@fi...> - 2006-03-06 16:00:42
On Mon 6 March 2006 15:55, Holger King wrote:
> Hi Group,
>
> is it possible to realize a webmacro recursion within a webmacro
> template like:
>
> #macro counter($counterParam) {
>     CounterParam: $counterParam<br/>
>
>     #set $digit = $counterParam + 1
>
>     #if($digit < 10)
>         $digit < 10!
>         #counter($digit)
>     #end
>     #else
>         $digit >= 10
>     #end
> }
>
> #counter(1)
>
> I always get an StackOverflowError when calling the above template. If
> there are alternatives using other webmacro directives implementing a
> recursion logic, tell me further details. Thanx in advance.

#templet $counter {
    #set $digit = $digit + 1
    #if ($digit < 10) {
        [$digit < 10]
        #eval $Self using { "digit": $digit }
    } #else {
        [$digit >= 10]
    }
}
#eval $counter using { "digit": $digit }

gives me:-

[1 < 10] [2 < 10] [3 < 10] [4 < 10] [5 < 10] [6 < 10] [7 < 10] [8 < 10] [9 < 10] [10 >= 10]

Alex
From: Holger K. <ki...@di...> - 2006-03-06 15:55:31
Hi Group,

is it possible to realize a webmacro recursion within a webmacro template like:

#macro counter($counterParam) {
    CounterParam: $counterParam<br/>

    #set $digit = $counterParam + 1

    #if($digit < 10)
        $digit < 10!
        #counter($digit)
    #end
    #else
        $digit >= 10
    #end
}

#counter(1)

I always get an StackOverflowError when calling the above template. If there are alternatives using other webmacro directives implementing a recursion logic, tell me further details. Thanx in advance.

Kind regards,
Holger King
From: Keats K. <ke...@xa...> - 2006-02-25 21:53:40
viju wrote:

> I'm facing some issue with webmacro based webapp deployed in tomcat
> 5.0.0.28. Whenever I try loading my welcome page from servlet I get the
> following exception
>
>java.lang.NullPointerException
>    org.webmacro.servlet.WMServlet.doPost(WMServlet.java:230)
>    javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
>    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
>    sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
>    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>    java.lang.reflect.Method.invoke(Method.java:324)
>    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
>    java.security.AccessController.doPrivileged(Native Method)
>    javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
>    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
>    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)
>
> The tomcat log says the WebMacro.properties file must be
> classpath. But I have copied this file into
>
>tomcat/shared/lib folder. I think the Classloader for the web application should find this property file

The /lib directory is where Tomcat loads Jar files. It is not part of the normal classpath. See:

http://www.webmacro.org/WebMacroPropertiesFile

for details of where to put the WebMacro.properties file. The best place is usually the /WEB-INF/ directory under your context root, or in the classpath, like /WEB-INF/classes/.

If you instantiate WM directly, instead of extending WMServlet, you can specify any location you want for the properties file.

Hope this helps.

Keats

>under this folder.
>
>So can somebody help understand what could be the issue here?
>
>thanks in advance
>
>Vijayendra
From: Keats K. <ke...@xa...> - 2006-02-25 21:38:41
The ConcurrentHashMap is part of the concurrent.jar which is in the /lib directory of the WM distro. It is a set of classes for improving multithreaded programming in Java, which has been incorporated into JDK 1.5.

Keats

paul wrote:

> hi viju -
>
> i've attached a class file that loads the webmacro.properties from a
> specific location. this however is not extending the WMServlet but
> initializing webmacro independently. also for some reason this only
> works with 1.1 and not 2.0...
>
> actually this is my question... when i initialize wm now with 2.0 i
> get a NoClassDefFoundError... what's up with this class in 2.0 and why
> do i need it in addition to the webmacro.jar?
>
> EDU/oswego/cs/dl/util/concurrent/ConcurrentHashMap
>
> cheers
> paul
>
> Lane Sharman wrote:
>
>> place the wm property file in the root of the classes/ folder in your
>> web app.
>>
>> -Lane
>>
>> --- viju <vij...@ya...> wrote:
>>
>> *From:* viju <vij...@ya...>
>> *Date:* Thu, 23 Feb 2006 06:39:44 -0800 (PST)
>> *To:* web...@li...
>> *Subject:* [WebMacro-user] WebMacro.properties & NullPointerException
>>
>> Hi,
>>
>> I'm facing some issue with webmacro based webapp deployed in tomcat
>> 5.0.0.28. Whenever I try loading my welcome page from servlet I get
>> the following exception
>>
>> java.lang.NullPointerException
>>     org.webmacro.servlet.WMServlet.doPost(WMServlet.java:230)
>>     javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
>>     javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
>>     sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
>>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>     java.lang.reflect.Method.invoke(Method.java:324)
>>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
>>     java.security.AccessController.doPrivileged(Native Method)
>>     javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
>>     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
>>     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)
>>
>> The tomcat log says the WebMacro.properties file must be
>> classpath. But I have copied this file into
>>
>> tomcat/shared/lib folder. I think the Classloader for the web
>> application should find this property file
>> under this folder.
>> So can somebody help understand what could be the issue here?
>>
>> thanks in advance
>>
>> Vijayendra
>
> ------------------------------------------------------------------------
>
> HTTP Status 500 -
>
> ------------------------------------------------------------------------
>
> *type* Exception report
>
> *message*
>
> *description* _The server encountered an internal error () that
> prevented it from fulfilling this request._
>
> *exception*
>
>javax.servlet.ServletException: Servlet execution threw an exception
>
> *root cause*
>
>java.lang.NoClassDefFoundError: EDU/oswego/cs/dl/util/concurrent/ConcurrentHashMap
>    org.webmacro.Broker.<init>(Broker.java:86)
>    org.webmacro.Broker.<init>(Broker.java:156)
>    org.webmacro.Broker.getBroker(Broker.java:502)
>    org.webmacro.WM.<init>(WM.java:89)
>    com.wmx.main.Controller.doGet(Controller.java:24)
>    javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
>    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
>
> *note* _The full stack trace of the root cause is available in the
> Apache Tomcat/5.0.28 logs._
>
> ------------------------------------------------------------------------
>
> Apache Tomcat/5.0.28
>
>------------------------------------------------------------------------
>
>package com.wmx.main;
>
>/**
> * @author psenescu
> *
> */
>
>import java.io.IOException;
>
>import javax.servlet.ServletException;
>import javax.servlet.http.HttpServlet;
>import javax.servlet.http.HttpServletRequest;
>import javax.servlet.http.HttpServletResponse;
>
>import org.webmacro.Context;
>import org.webmacro.WM;
>import org.webmacro.WebMacro;
>
>public class Controller extends HttpServlet {
>
>    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
>        try {
>            WebMacro wm = new WM(getServletContext().getRealPath("/") + "/WEB-INF/webmacro.properties");
>            Context ctx = wm.getWebContext(request, response);
>            wm.writeTemplate("index.tem", response.getOutputStream(), ctx);
>        } catch (Exception e) {
>            response.sendError(500, e.getMessage());
>        }
>    }
>
>    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
>        doGet(request, response);
>    }
>}
From: paul <web...@pa...> - 2006-02-24 17:25:13
hi viju -

i've attached a class file that loads the webmacro.properties from a specific location. this however is not extending the WMServlet but initializing webmacro independently. also for some reason this only works with 1.1 and not 2.0...

actually this is my question... when i initialize wm now with 2.0 i get a NoClassDefFoundError... what's up with this class in 2.0 and why do i need it in addition to the webmacro.jar?

EDU/oswego/cs/dl/util/concurrent/ConcurrentHashMap

cheers
paul

Lane Sharman wrote:

> place the wm property file in the root of the classes/ folder in your web app.
>
> -Lane
>
> --- viju <vij...@ya...> wrote:
>
> *From:* viju <vij...@ya...>
> *Date:* Thu, 23 Feb 2006 06:39:44 -0800 (PST)
> *To:* web...@li...
> *Subject:* [WebMacro-user] WebMacro.properties & NullPointerException
>
> Hi,
>
> I'm facing some issue with webmacro based webapp deployed in tomcat 5.0.0.28.
> Whenever I try loading my welcome page from servlet I get the following exception
>
> java.lang.NullPointerException
>     org.webmacro.servlet.WMServlet.doPost(WMServlet.java:230)
>     javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
>     javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
>     sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     java.lang.reflect.Method.invoke(Method.java:324)
>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
>     java.security.AccessController.doPrivileged(Native Method)
>     javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
>     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
>     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)
>
> The tomcat log says the WebMacro.properties file must be classpath. But I
> have copied this file into
>
> tomcat/shared/lib folder. I think the Classloader for the web application should find this property file
>
> under this folder.
>
> So can somebody help understand what could be the issue here?
>
> thanks in advance
>
> Vijayendra
From: viju <vij...@ya...> - 2006-02-24 12:32:18
Hi lane,

I tried out your suggestion. But it does not seem to be working. I still get the same error.

thanks
Vijayendra

--- Lane Sharman <la...@op...> wrote:

---------------------------------
place the wm property file in the root of the classes/ folder in your web app.

-Lane

--- viju <vij...@ya...> wrote:

From: viju <vij...@ya...>
Date: Thu, 23 Feb 2006 06:39:44 -0800 (PST)
To: web...@li...
Subject: [WebMacro-user] WebMacro.properties & NullPointerException

Hi,

I'm facing some issue with webmacro based webapp deployed in tomcat 5.0.0.28. Whenever I try loading my welcome page from servlet I get the following exception

java.lang.NullPointerException
    org.webmacro.servlet.WMServlet.doPost(WMServlet.java:230)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:324)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
    java.security.AccessController.doPrivileged(Native Method)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)

The tomcat log says the WebMacro.properties file must be classpath. But I have copied this file into tomcat/shared/lib folder. I think the Classloader for the web application should find this property file under this folder.

So can somebody help understand what could be the issue here?

thanks in advance

Vijayendra
From: Lane S. <la...@op...> - 2006-02-23 17:23:28
place the wm property file in the root of the classes/ folder in your web app.

-Lane

--- viju <vij...@ya...> wrote:

From: viju <vij...@ya...>
Date: Thu, 23 Feb 2006 06:39:44 -0800 (PST)
To: web...@li...
Subject: [WebMacro-user] WebMacro.properties & NullPointerException

Hi,

I'm facing some issue with webmacro based webapp deployed in tomcat 5.0.0.28. Whenever I try loading my welcome page from servlet I get the following exception

java.lang.NullPointerException
    org.webmacro.servlet.WMServlet.doPost(WMServlet.java:230)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:324)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
    java.security.AccessController.doPrivileged(Native Method)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)

The tomcat log says the WebMacro.properties file must be classpath. But I have copied this file into tomcat/shared/lib folder. I think the Classloader for the web application should find this property file under this folder.

So can somebody help understand what could be the issue here?

thanks in advance

Vijayendra
From: viju <vij...@ya...> - 2006-02-23 14:39:52
Hi,

I'm facing some issue with webmacro based webapp deployed in tomcat 5.0.0.28. Whenever I try loading my welcome page from servlet I get the following exception

java.lang.NullPointerException
    org.webmacro.servlet.WMServlet.doPost(WMServlet.java:230)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:324)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
    java.security.AccessController.doPrivileged(Native Method)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)

The tomcat log says the WebMacro.properties file must be classpath. But I have copied this file into tomcat/shared/lib folder. I think the Classloader for the web application should find this property file under this folder.

So can somebody help understand what could be the issue here?

thanks in advance

Vijayendra
From: Keats K. <ke...@xa...> - 2006-02-21 15:43:39
Nikolaos,

If UsersManager.getManager() can return a shared Manager instance, which I presume it does, then its loadByWhere() needs synchronization. Since the method is allocating the Users array, a second concurrent request could trash the value of the first request. You need to synchronize the method (which would implicitly synchronize on the Manager instance), or synchronize on some other shared object.

Concurrency is a tricky business. I'll put in a plug for WM developer Brian Goetz's book on the subject. Unfortunately it's not coming out until June, but you can pre-order it on Amazon. In the meantime, check out Doug Lea's writings.

Keats

Nikolaos Papadakis wrote:

> Dear Keats,
>
> thank you for replying.
> The code is protected against SQL-injections attacks. Special
> characters and apostrophes are manipulated properly to avoid potential
> attackers execute a different sql query.
> The classes I use are based on S2J (an O/R mapping tool) with a lot of
> new additions.
>
> Now concerning the snippet you mentioned, from the servlet developer's
> prospective, each client is another thread that calls the servlet via
> the service(), doPost(), or doGet() methods (while only one instance
> exists).
> Every thread will carry its specific userId (through its session given
> by the servlet container).
> Every thread will execute the same “where USE_EMAIL.....” snippet but
> with different parameters (email address and password in this case).
> So I think there is no need the loadByWhere() method to be synchronized.
> The only synchronized mechanism, however, is used in the part of code
> that is responsible for inserting a new column into the db (because I
> am not using the autoincrement feature of the specific RDBMS), but
> that's not pertinent here.
>
> Please correct me if I've gotten it wrong.
>
> Best Regards,
> Nikos Papadakis
>
> Keats Kirsch wrote:
>
>> Nikolaos,
>>
>> I don't know S2J, but I assume it's an O/R mapping tool. I would
>> focus my attention on the following line of code:
>>
>>     Users[] foundUsers = UsersManager.getManager().loadByWhere(
>>             "where USE_EMAIL=\'" + login + "\' AND USE_PASSWORD=\'"
>>             + password + "\'", connection);
>>
>> Is this invoking customized code? Is loadByWhere() synchronized, or
>> is there some other synchronization mechanism here?
>>
>> (Btw, unless the S2J protects against it, this code could be
>> vulnerable to a SQL-injection attack. Make sure you check the userid
>> and password for apostrophes or other special characters that might
>> trip up your RDBMS.)
>>
>> Hope this helps.
>>
>> Keats
>>
>> Nikolaos Papadakis wrote:
>>
>>> Hi all,
>>>
>>> I am sending a cut (but indicative---I hope) version of the core
>>> servlet I am using.
>>> The userId variable is set into the session by the validateUser method.
>>> Various other methods have been omitted in this version for
>>> readability reasons.
>>> Hope it is clear.
>>>
>>> Thank you in advance
>>> Nikolaos Papadakis
>>>
>>> P.S. Just for the record the configuration I am using includes:
>>> SuSe ver 10.0
>>> Java 1.4.2
>>> Tomcat 5.0.30 in conjunction with Apache ver 2.0.53.
>>> I also use some customized version of S2J to “objectize” tables and
>>> relations in the db.
>>>
>>> Keats Kirsch wrote:
>>>
>>>> It's not possible to tell from the code snippet what is going
>>>> wrong. The concurrency issue that Lane is referring to is fairly
>>>> obscure (only affecting the #include directive with dynamic
>>>> template names if I recall correctly) and not relevant here.
>>>>
>>>> The code as shown looks OK, but we can't see how the USERID is
>>>> stored in the session, or how the user data is stored and retrieved
>>>> based on this USERID. The bug could be in the data access layer or
>>>> the session management subsystem (which depends on your Servlet
>>>> container), or in some caching mechanism. It is unlikely, but not
>>>> impossible that this could be a WebMacro bug. If I had to guess, I
>>>> would suspect that the code which actually retrieves the user data
>>>> is not properly synchronized.
>>>>
>>>> Send us a bit more information about your application, and maybe we
>>>> can help you track this down.
>>>>
>>>> Keats
>>>>
>>>> Lane Sharman wrote:
>>>>
>>>>> Hi Nikolaos.
>>>>>
>>>>> This is most disturbing to hear about.
>>>>>
>>>>> First, there is a known concurrency issue with WM in 2.0 and
>>>>> possibly in prior releases. If you look at the mail thread dating
>>>>> back for 45 days, you will definitely see it.
>>>>>
>>>>> My concern is that the webmacro instance, shared, and the context,
>>>>> not shared, is improperly orchestrated for concurrency. The
>>>>> webmacro instance is local to WMServlet. You might consider
>>>>> synchronizing access to this variable as a trial fix in your local
>>>>> calls below. This will introduce some serialization of web
>>>>> processing but it might help to verify the solution.
>>>>>
>>>>> One thing you might consider trying is to use a different cache
>>>>> handler. A few years ago, I wrote one and it is a part of the
>>>>> distro. I have never had a problem using this cache handler.
>>>>>
>>>>> Lane
>>>>>
>>>>> --- Nikolaos Papadakis <nk...@cc...> wrote:
>>>>>
>>>>> From: Nikolaos Papadakis <nk...@cc...>
>>>>> Date: Sat, 18 Feb 2006 10:50:33 +0200
>>>>> To: web...@li...
>>>>> Subject: [WebMacro-user] [WebMacro-user
>>>>>
>>>>> Hi all,
>>>>>
>>>>> I am using webmacro to develop a web-based application.
>>>>> Things seemed to work fine till yesterday. A customer complained
>>>>> that he
>>>>> managed to “see” the account of another customer when he logged-in
>>>>> using
>>>>> his own credentials (he send me a screen shot of the “view”).
>>>>> By inspecting the log file I found that both users have been
>>>>> logged-in
>>>>> at the same time (the second customer logged in 3 sec after the first
>>>>> customer).
>>>>> The system has more than 1000 customers but this inconvenience
>>>>> happened
>>>>> for the first time yesterday (?).
>>>>> It seems that different sessions have been mixed up.
>>>>> The servlet includes a handle method and uses several other methods
>>>>> (methods that write and read from a database).
>>>>> All methods are defined in the same class (that extends WMServlet).
>>>>> As far as I know servlets must not have instance variables (only
>>>>> local
>>>>> variables -inside methods- to prevent data corruption and
>>>>> inconsistencies). However in my servlet I use only one non local
>>>>> variable (a Logger) and I don't think this is the cause of the
>>>>> problem.
>>>>> As an attached file I send you a fragment of the before mentioned
>>>>> servlet.
>>>>> Can instance variables be defined in the case of a servlet that
>>>>> extends
>>>>> WMServlet? (I mean is it safe? or its not a good practice without
>>>>> keeping precautions?)
>>>>> Do you have any idea what can have caused this inconvenience ?
>>>>> Is the use of methods inside the servlet thread-safe ?
>>>>>
>>>>> Please help!!!
>>>>> Nikolaos Papadakis
>>>
>>> ------------------------------------------------------------------------
>>>
>>> package org.nkpap.visualizer;
>>>
>>> import java.io.BufferedOutputStream;
>>> import java.io.ByteArrayOutputStream;
>>> import java.io.File;
>>> import java.io.FileInputStream;
>>> import java.io.FileNotFoundException;
>>> import java.io.IOException;
>>> import java.io.InputStream;
>>> import java.io.OutputStream;
>>> import java.io.PrintStream;
>>> import java.sql.Connection;
>>> import java.sql.DriverManager;
>>> import java.sql.PreparedStatement;
>>> import java.sql.ResultSet;
>>> import java.sql.SQLException;
>>> import java.text.DateFormat;
>>> import java.text.SimpleDateFormat;
>>> import java.util.Calendar;
>>> import java.util.Date;
>>> import java.util.Enumeration;
>>> import java.util.Hashtable;
>>> import java.util.LinkedList;
>>> import java.util.List;
>>> import java.util.logging.FileHandler;
>>> import java.util.logging.Logger;
>>>
>>> import javax.servlet.ServletException;
>>> import javax.servlet.http.HttpServletRequest;
>>> import javax.servlet.http.HttpServletResponse;
>>> import javax.servlet.http.HttpSession;
>>>
>>> import org.netoperis.db.core.Authors;
>>> import org.netoperis.db.core.Interests;
>>> import org.netoperis.db.core.Reviews;
>>> import org.netoperis.db.core.Submissions;
>>> import org.netoperis.db.core.TopicList;
>>> import org.netoperis.db.core.Topics;
>>> import org.netoperis.db.core.Users;
>>> import org.netoperis.db.core.Votes;
>>> import org.netoperis.db.mgr.AuthorsManager;
>>> import org.netoperis.db.mgr.InterestsManager;
>>> import org.netoperis.db.mgr.ReviewsManager;
>>> import org.netoperis.db.mgr.SubmissionsManager;
>>> import org.netoperis.db.mgr.TopicListManager;
>>> import org.netoperis.db.mgr.TopicsManager;
>>> import org.netoperis.db.mgr.UsersManager;
>>> import org.netoperis.db.mgr.VotesManager;
>>> import org.nkpap.util.EmailBuffer;
>>> import org.nkpap.util.MyConnectionManager;
>>> import org.nkpap.util.RandomPasswordGenerator;
>>> import org.webmacro.PropertyException;
>>> import org.webmacro.ResourceException;
>>> import org.webmacro.Template;
>>> import org.webmacro.servlet.HandlerException;
>>> import org.webmacro.servlet.WMServlet;
>>> import org.webmacro.servlet.WebContext;
>>> import org.webmacro.util.Settings;
>>>
>>> import com.oreilly.servlet.MultipartRequest;
>>>
>>> /**
>>>  * @author nkpap in Greece 2 ��� 2005
>>>  * * (c) 2005 - 2006
>>>  * */
>>> public class Login extends WMServlet {
>>>     public static Settings configProperties = null;
>>>     Logger logger;
>>>
>>>     protected void start() throws ServletException {
>>>         try {
>>>             configProperties = new Settings();
>>>             System.out.println(" READING CONFIGURATION FILE: ms2.properties");
>>>
>>>             configProperties.load("ms2.properties");
>>>             System.out
>>>                     .println(" CONFIGURATION FILE: ms2.properties LOADED SUCCESSFULLY ");
>>>             FileHandler handler = new FileHandler(configProperties
>>>                     .getSetting("LogsPath")
>>>                     + "my_log.txt", true);
>>>             logger = Logger.getLogger("org.nkpap.visualizer.LoginUsers");
>>>             logger.addHandler(handler);
>>>         } catch (Exception ex) {
>>>             System.out
>>>                     .println("ERROR READING CONFIGURATION FILE: ms2.properties");
>>>             System.out.println(ex);
>>>         }
>>>     }
>>>
>>>     private Template returnMyTemplate(String template, WebContext context) {
>>>         try {
>>>             context.put("fragment", template);
>>>             return getTemplate("users/index.htm");
>>>         } catch (ResourceException e) {
>>>             System.out
>>>                     .println("Oooops!!! a problem occured with the error template!");
>>>             e.printStackTrace();
>>>             return null;
>>>         }
>>>     }
>>>
>>>     public Template handle(WebContext context) throws HandlerException {
>>>         HttpServletRequest request = context.getRequest();
>>>         HttpSession session = request.getSession();
>>>         context.getResponse().setContentType("text/html; charset=iso-8859-7");
>>>
>>>         String userID = (String) session.getAttribute("USERID");
>>>
>>>         if (isActionEqualTo("login", context)) {
>>>             // use has entered credentials
>>>             String login = request.getParameter("login");
>>>             String password = request.getParameter("password");
>>>
>>>             if (validateUser(login, password, context)) {
>>>                 if (session.getAttribute("FIRSTIME") != null)
>>>                     return showReviewer(
>>>                             (String) session.getAttribute("USERID"),
>>>                             context);
>>>                 return returnMyTemplate("users/choices.htm", context);
>>>             }// user doesnt validate
>>>             session.invalidate();
>>>             context.put("fail", "Access denied !!");
>>>             return returnMyTemplate("users/login.htm", context);
>>>         }
>>>         // -----------------------ACTIONS---BEGIN----HERE-------------
>>>         // ACTIONS that do not require user to be logged-in
>>>         if (isActionEqualTo("register", context)) {
>>>             return returnMyTemplate("users/aut_registration.htm", context);
>>>         }
>>>         if (isActionEqualTo("back", context)) {
>>>             return returnMyTemplate("users/login.htm", context);
>>>         }
>>>         if (isActionEqualTo("remind", context)) {
>>>             return returnMyTemplate("users/remind_passwd.htm", context);
>>>         }
>>>         // end of ACTIONS that do not require user to be logged-in
>>>
>>>         if (isActionEqualTo("logout", context)) {
>>>             session.invalidate();
>>>             logger.info("User " + userID + " logged out");
>>>             return returnMyTemplate("users/login.htm", context);
>>>         } // --------------------ACTIONS----END-----HERE---------
>>>         // the default page to be shown...
>>>
>>>         if (request.getParameter("action") == null && userID != null) {
>>>             if (session.getAttribute("FIRSTIME") != null)
>>>                 return showReviewer((String) session.getAttribute("USERID"),
>>>                         context);
>>>             return returnMyTemplate("users/choices.htm", context);
>>>         } else {
>>>             return returnMyTemplate("users/login.htm", context);
>>>         }
>>>     }
>>>
>>>     private Template handleError(Exception e, Connection connection,
>>>             WebContext context) {
>>>         logger.severe("An error occurred:\n" + e.toString());
>>>         if (connection != null) {
>>>             try {
>>>                 connection.close();
>>>             } catch (SQLException e1) {
>>>                 e1.printStackTrace();
>>>             }
>>>         }
>>>         e.printStackTrace();
>>>         context.put("msg", "An error occurred:\n" + e.toString());
>>>         return returnMyTemplate("users/errore.htm", context);
>>>     }
>>>
>>>     private Template showReviewer(String userId, WebContext context) {
>>>         MyConnectionManager ConnectionManager = new MyConnectionManager();
>>>         Connection connection = null;
>>>         logger.info("starting method: showReviewer");
>>>         try {
>>>             int usId = Integer.parseInt(userId);
>>>             connection = ConnectionManager.getConnection();
>>>
>>>             Users user = UsersManager.getManager().loadByKey(usId, connection);
>>>             Topics[] topics = TopicsManager.getManager().loadAll(connection);
>>>
>>>             connection.close();
>>>             context.put("user", user);
>>>             // context.put("interests", interests);
>>>             context.put("topics", topics);
>>>         } catch (SQLException e) {
>>>             return handleError(e, connection, context);
>>>         }
>>>
>>>         logger.info("ended method: showReviewer");
>>>         return returnMyTemplate("users/rev_registration.htm", context);
>>>     }
>>>
>>>     private boolean isActionEqualTo(String actionName, WebContext context) {
>>>         HttpServletRequest request = context.getRequest();
>>>         if (request.getParameter("action") != null
>>>                 && request.getParameter("action").equalsIgnoreCase(actionName))
>>>             return true;
>>>         return false;
>>>     }
>>>
>>>     private Template showJobs(WebContext context) {
>>>         Connection
connection = null; >>> MyConnectionManager ConnectionManager = new >>> MyConnectionManager(); >>> HttpServletRequest request = context.getRequest(); >>> HttpSession session = request.getSession(); >>> String userId = (String) session.getAttribute("USERID"); >>> logger.info("starting method: showJobs by user: " + userId); >>> >>> try { >>> connection = ConnectionManager.getConnection(); >>> Reviews[] reviews = >>> ReviewsManager.getManager().loadByWhere( >>> "where USE_ID=\'" + userId + "\'", connection); >>> // System.out.println("Papers : " + submissions.length); >>> >>> for (int i = 0; i < reviews.length; i++) { >>> >>> Submissions subm = >>> SubmissionsManager.getManager().loadByKey( >>> reviews[i].getSubId(), connection); >>> >>> reviews[i].setForeignTitle(subm.getSubPaperTitle()); >>> reviews[i].setForeignStatus(subm.getSubStatus()); >>> } >>> connection.close(); >>> context.put("jobs", reviews); >>> logger.info("ended method: showJobs by user: " + userId); >>> return returnMyTemplate("users/rev_home.htm", context); >>> } catch (SQLException e) { >>> return handleError(e, connection, context); >>> } >>> } >>> >>> private boolean validateUser(String login, String password, >>> WebContext context) { >>> MyConnectionManager ConnectionManager = new >>> MyConnectionManager(); >>> HttpServletRequest request = context.getRequest(); >>> HttpSession session = request.getSession(); >>> Connection connection = null; >>> logger.info("starting method: validateUser login: " + login >>> + " passwd: " + password); >>> boolean userOK = false; >>> try { >>> connection = ConnectionManager.getConnection(); >>> Users[] foundUsers = UsersManager.getManager().loadByWhere( >>> "where USE_EMAIL=\'" + login + "\' AND >>> USE_PASSWORD=\'" >>> + password + "\'", connection); >>> if (foundUsers.length != 0) { >>> userOK = true; >>> if (foundUsers[0].getUseActive() == 0) { >>> session.setAttribute("FIRSTIME", "TRUE"); >>> } >>> session.setAttribute("USERID", foundUsers[0] >>> 
.getUseId()+""); >>> } >>> connection.close(); >>> } catch (SQLException e) { >>> handleError(e, connection, context); >>> return false; >>> } >>> >>> logger.info("ended method: validateUser: " + userOK + " >>> login: " >>> + login + " passwd: " + password); >>> return userOK; >>> } >>> } >>> >> >> >> >> |
From: Nikolaos P. <nk...@cc...> - 2006-02-21 06:52:33
|
Dear Keats,

thank you for replying.

The code is protected against SQL-injection attacks. Special characters
and apostrophes are manipulated properly to prevent potential attackers
from executing a different SQL query.
The classes I use are based on S2J (an O/R mapping tool) with a lot of
new additions.

Now concerning the snippet you mentioned, from the servlet developer's
perspective, each client is another thread that calls the servlet via
the service(), doPost(), or doGet() methods (while only one instance
exists).
Every thread will carry its specific userId (through its session given
by the servlet container).
Every thread will execute the same “where USE_EMAIL.....” snippet but
with different parameters (email address and password in this case).
So I think there is no need for the loadByWhere() method to be synchronized.

The only synchronized mechanism, however, is used in the part of the code
that is responsible for inserting a new column into the db (because I am
not using the autoincrement feature of the specific RDBMS), but that's
not pertinent here.

Please correct me if I've gotten it wrong.

Best Regards,
Nikos Papadakis

Keats Kirsch wrote:

> Nikolaos,
>
> I don't know S2J, but I assume it's an O/R mapping tool. I would
> focus my attention on the following line of code:
>
>     Users[] foundUsers = UsersManager.getManager().loadByWhere(
>             "where USE_EMAIL=\'" + login + "\' AND USE_PASSWORD=\'"
>                     + password + "\'", connection);
>
> Is this invoking customized code? Is loadByWhere() synchronized, or
> is there some other synchronization mechanism here?
>
> (Btw, unless the S2J protects against it, this code could be
> vulnerable to a SQL-injection attack. Make sure you check the userid
> and password for apostrophes or other special characters that might
> trip up your RDBMS.)
>
> Hope this helps.
>
> Keats
|
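An added example, not code from this thread and not S2J's API: the credential lookup Keats quotes, written with bound parameters so that an apostrophe in the e-mail address or password is always treated as data, whatever escaping the data layer applies. The table name USERS, the USE_ACTIVE column and its meaning are assumptions, and the code keeps to Java 1.4 syntax to match the Java 1.4.2 mentioned in the thread.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Added example, not the poster's code and not S2J's API.
 * Assumptions: a table named USERS and an integer column USE_ACTIVE;
 * USE_ID, USE_EMAIL and USE_PASSWORD are column names used in the thread.
 * Java 1.4 syntax only (no generics, no try-with-resources).
 */
public class BoundLoginLookup {

    /** The WHERE fragment built the way the quoted loadByWhere() call builds it. */
    static String concatenatedWhere(String login, String password) {
        return "where USE_EMAIL='" + login + "' AND USE_PASSWORD='" + password + "'";
    }

    /** The same condition with placeholders: the statement text never changes. */
    static final String BOUND_QUERY =
        "SELECT USE_ID, USE_ACTIVE FROM USERS WHERE USE_EMAIL = ? AND USE_PASSWORD = ?";

    /** Outcome of a successful lookup. */
    public static final class Match {
        public final int userId;
        public final boolean firstTime; // assumed meaning of USE_ACTIVE == 0

        Match(int userId, boolean firstTime) {
            this.userId = userId;
            this.firstTime = firstTime;
        }
    }

    /**
     * Returns the matching user, or null when the credentials match no row
     * or, defensively, more than one row. The caller owns the connection.
     */
    public static Match findUser(Connection connection, String login, String password)
            throws SQLException {
        if (login == null || password == null) {
            return null; // missing request parameters never reach the database
        }
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            ps = connection.prepareStatement(BOUND_QUERY);
            ps.setString(1, login);    // sent as a value, never parsed as SQL
            ps.setString(2, password);
            rs = ps.executeQuery();
            if (!rs.next()) {
                return null;
            }
            Match match = new Match(rs.getInt("USE_ID"), rs.getInt("USE_ACTIVE") == 0);
            // A second row means the credentials are ambiguous; refuse the login
            // instead of silently taking the first element of the result.
            return rs.next() ? null : match;
        } finally {
            // Runs on every exit path, so cursor and statement are always released.
            if (rs != null) {
                try { rs.close(); } catch (SQLException ignored) { /* nothing to recover */ }
            }
            if (ps != null) {
                try { ps.close(); } catch (SQLException ignored) { /* nothing to recover */ }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: an ordinary address that happens to contain an apostrophe.
        String login = "pat.o'brien@example.org";
        System.out.println("concatenated: " + concatenatedWhere(login, "secret"));
        System.out.println("bound:        " + BOUND_QUERY);
    }
}
```

With the constructed address, the concatenated fragment ends its string literal at the apostrophe and no longer parses as the intended comparison, while the bound statement text stays the same for every input.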
From: Keats K. <ke...@xa...> - 2006-02-21 03:28:59
|
Nikolaos,

I don't know S2J, but I assume it's an O/R mapping tool. I would focus my attention on the following line of code:

    Users[] foundUsers = UsersManager.getManager().loadByWhere(
            "where USE_EMAIL=\'" + login + "\' AND USE_PASSWORD=\'"
                    + password + "\'", connection);

Is this invoking customized code? Is loadByWhere() synchronized, or is there some other synchronization mechanism here?

(Btw, unless the S2J protects against it, this code could be vulnerable to a SQL-injection attack. Make sure you check the userid and password for apostrophes or other special characters that might trip up your RDBMS.)

Hope this helps.

Keats

Nikolaos Papadakis wrote:

> Hi all,
> I am sending a cut (but indicative---I hope) version of the core
> servlet I am using.
> The userId variable is set into the session by the validateUser method.
> Various other methods have been omitted in this version for
> readability reasons.
> Hope it is clear.
>
> Thank you in advance
> Nikolaos Papadakis
>
> P.S. Just for the record the configuration I am using includes:
> SuSe ver 10.0
> Java 1.4.2
> Tomcat 5.0.30 in conjunction with Apache ver 2.0.53.
> I also use some customized version of S2J to “objectize” tables and
> relations in the db.
>
> Keats Kirsch wrote:
>
>> It's not possible to tell from the code snippet what is going wrong.
>> The concurrency issue that Lane is referring to is fairly obscure
>> (only affecting the #include directive with dynamic template names if
>> I recall correctly) and not relevant here.
>>
>> The code as shown looks OK, but we can't see how the USERID is stored
>> in the session, or how the user data is stored and retrieved based on
>> this USERID. The bug could be in the data access layer or the
>> session management subsystem (which depends on your Servlet
>> container), or in some caching mechanism. It is unlikely, but not
>> impossible that this could be a WebMacro bug. If I had to guess, I
>> would suspect that the code which actually retrieves the user data is
>> not properly synchronized.
>>
>> Send us a bit more information about your application, and maybe we
>> can help you track this down.
>>
>> Keats
>>
>> Lane Sharman wrote:
>>
>>> Hi Nikolaos.
>>>
>>> This is most disturbing to hear about.
>>>
>>> First, there is a known concurrency issue with WM in 2.0 and
>>> possibly in prior releases. If you look at the mail thread dating
>>> back for 45 days, you will definitely see it.
>>>
>>> My concern is that the webmacro instance, shared, and the context,
>>> not shared, is improperly orchestrated for concurrency. The webmacro
>>> instance is local to WMServlet. You might consider synchronizing
>>> access to this variable as a trial fix in your local calls below.
>>> This will introduce some serialization of web processing but it
>>> might help to verify the solution.
>>>
>>> One thing you might consider trying is to use a different cache
>>> handler. A few years ago, I wrote one and it is a part of the
>>> distro. I have never had a problem using this cache handler.
>>>
>>> Lane
>>>
>>> --- Nikolaos Papadakis <nk...@cc...> wrote:
>>>
>>> From: Nikolaos Papadakis <nk...@cc...>
>>> Date: Sat, 18 Feb 2006 10:50:33 +0200
>>> To: web...@li...
>>> Subject: [WebMacro-user] [WebMacro-user
>>>
>>> Hi all,
>>>
>>> I am using webmacro to develop a web-based application.
>>> Things seemed to work fine till yesterday. A customer complained that he
>>> managed to “see” the account of another customer when he logged-in using
>>> his own credentials (he sent me a screen shot of the “view”).
>>> By inspecting the log file I found that both users have been logged-in
>>> at the same time (the second customer logged in 3 sec after the first
>>> customer).
>>> The system has more than 1000 customers but this inconvenience happened
>>> for the first time yesterday (?).
>>> It seems that different sessions have been mixed up.
>>> The servlet includes a handle method and uses several other methods
>>> (methods that write and read from a database).
>>> All methods are defined in the same class (that extends WMServlet).
>>> As far as I know servlets must not have instance variables (only local
>>> variables -inside methods- to prevent data corruption and
>>> inconsistencies). However in my servlet I use only one non local
>>> variable (a Logger) and I don't think this is the cause of the problem.
>>> As an attached file I send you a fragment of the before mentioned servlet.
>>> Can instance variables be defined in the case of a servlet that extends
>>> WMServlet? (I mean is it safe? or it's not a good practice without
>>> keeping precautions?)
>>> Do you have any idea what can have caused this inconvenience ?
>>> Is the use of methods inside the servlet thread-safe ?
>>>
>>> Please help!!!
>>> Nikolaos Papadakis
>>
>> _______________________________________________
>> Webmacro-user mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/webmacro-user
>>
>------------------------------------------------------------------------
>
>package org.nkpap.visualizer;
>
>import java.io.BufferedOutputStream;
>import java.io.ByteArrayOutputStream;
>import java.io.File;
>import java.io.FileInputStream;
>import java.io.FileNotFoundException;
>import java.io.IOException;
>import java.io.InputStream;
>import java.io.OutputStream;
>import java.io.PrintStream;
>import java.sql.Connection;
>import java.sql.DriverManager;
>import java.sql.PreparedStatement;
>import java.sql.ResultSet;
>import java.sql.SQLException;
>import java.text.DateFormat;
>import java.text.SimpleDateFormat;
>import java.util.Calendar;
>import java.util.Date;
>import java.util.Enumeration;
>import java.util.Hashtable;
>import java.util.LinkedList;
>import java.util.List;
>import java.util.logging.FileHandler;
>import java.util.logging.Logger;
>
>import javax.servlet.ServletException;
>import javax.servlet.http.HttpServletRequest;
>import javax.servlet.http.HttpServletResponse;
>import javax.servlet.http.HttpSession;
>
>import org.netoperis.db.core.Authors;
>import org.netoperis.db.core.Interests;
>import org.netoperis.db.core.Reviews;
>import org.netoperis.db.core.Submissions;
>import org.netoperis.db.core.TopicList;
>import org.netoperis.db.core.Topics;
>import org.netoperis.db.core.Users;
>import org.netoperis.db.core.Votes;
>import org.netoperis.db.mgr.AuthorsManager;
>import org.netoperis.db.mgr.InterestsManager;
>import org.netoperis.db.mgr.ReviewsManager;
>import org.netoperis.db.mgr.SubmissionsManager;
>import org.netoperis.db.mgr.TopicListManager;
>import org.netoperis.db.mgr.TopicsManager;
>import org.netoperis.db.mgr.UsersManager;
>import org.netoperis.db.mgr.VotesManager;
>import org.nkpap.util.EmailBuffer;
>import org.nkpap.util.MyConnectionManager;
>import org.nkpap.util.RandomPasswordGenerator;
>import org.webmacro.PropertyException;
>import org.webmacro.ResourceException;
>import org.webmacro.Template;
>import org.webmacro.servlet.HandlerException;
>import org.webmacro.servlet.WMServlet;
>import org.webmacro.servlet.WebContext;
>import org.webmacro.util.Settings;
>
>import com.oreilly.servlet.MultipartRequest;
>
>/**
> * @author nkpap in Greece 2 ��� 2005
> *
> * (c) 2005 - 2006
> *
> */
>public class Login extends WMServlet {
>    public static Settings configProperties = null;
>    Logger logger;
>
>    protected void start() throws ServletException {
>        try {
>            configProperties = new Settings();
>            System.out.println(" READING CONFIGURATION FILE: ms2.properties");
>
>            configProperties.load("ms2.properties");
>            System.out
>                    .println(" CONFIGURATION FILE: ms2.properties LOADED SUCCESSFULLY ");
>            FileHandler handler = new FileHandler(configProperties
>                    .getSetting("LogsPath")
>                    + "my_log.txt", true);
>            logger = Logger.getLogger("org.nkpap.visualizer.LoginUsers");
>            logger.addHandler(handler);
>        } catch (Exception ex) {
>            System.out
>                    .println("ERROR READING CONFIGURATION FILE: ms2.properties");
>            System.out.println(ex);
>        }
>    }
>
>    private Template returnMyTemplate(String template, WebContext context) {
>        try {
>            context.put("fragment", template);
>            return getTemplate("users/index.htm");
>        } catch (ResourceException e) {
>            System.out
>                    .println("Oooops!!! a problem occured with the error template!");
>            e.printStackTrace();
>            return null;
>        }
>    }
>
>    public Template handle(WebContext context) throws HandlerException {
>        HttpServletRequest request = context.getRequest();
>        HttpSession session = request.getSession();
>        context.getResponse().setContentType("text/html; charset=iso-8859-7");
>
>        String userID = (String) session.getAttribute("USERID");
>
>        if (isActionEqualTo("login", context)) {
>            // use has entered credentials
>            String login = request.getParameter("login");
>            String password = request.getParameter("password");
>
>            if (validateUser(login, password, context)) {
>                if (session.getAttribute("FIRSTIME") != null)
>                    return showReviewer(
>                            (String) session.getAttribute("USERID"), context);
>                return returnMyTemplate("users/choices.htm", context);
>            }// user doesnt validate
>            session.invalidate();
>            context.put("fail", "Access denied !!");
>            return returnMyTemplate("users/login.htm", context);
>        }
>        // -----------------------ACTIONS---BEGIN----HERE-------------
>        // ACTIONS that do not require user to be logged-in
>        if (isActionEqualTo("register", context)) {
>            return returnMyTemplate("users/aut_registration.htm", context);
>        }
>        if (isActionEqualTo("back", context)) {
>            return returnMyTemplate("users/login.htm", context);
>        }
>        if (isActionEqualTo("remind", context)) {
>            return returnMyTemplate("users/remind_passwd.htm", context);
>        }
>        // end of ACTIONS that do not require user to be logged-in
>
>        if (isActionEqualTo("logout", context)) {
>            session.invalidate();
>            logger.info("User " + userID + " logged out");
>            return returnMyTemplate("users/login.htm", context);
>        }
>        // --------------------ACTIONS----END-----HERE---------
>        // the default page to be shown...
>
>        if (request.getParameter("action") == null && userID != null) {
>            if (session.getAttribute("FIRSTIME") != null)
>                return showReviewer((String) session.getAttribute("USERID"),
>                        context);
>            return returnMyTemplate("users/choices.htm", context);
>        } else {
>            return returnMyTemplate("users/login.htm", context);
>        }
>    }
>
>    private Template handleError(Exception e, Connection connection,
>            WebContext context) {
>        logger.severe("An error occurred:\n" + e.toString());
>        if (connection != null) {
>            try {
>                connection.close();
>            } catch (SQLException e1) {
>                e1.printStackTrace();
>            }
>        }
>        e.printStackTrace();
>        context.put("msg", "An error occurred:\n" + e.toString());
>        return returnMyTemplate("users/errore.htm", context);
>    }
>
>    private Template showReviewer(String userId, WebContext context) {
>        MyConnectionManager ConnectionManager = new MyConnectionManager();
>        Connection connection = null;
>        logger.info("starting method: showReviewer");
>        try {
>            int usId = Integer.parseInt(userId);
>            connection = ConnectionManager.getConnection();
>
>            Users user = UsersManager.getManager().loadByKey(usId, connection);
>            Topics[] topics = TopicsManager.getManager().loadAll(connection);
>
>            connection.close();
>            context.put("user", user);
>            // context.put("interests", interests);
>            context.put("topics", topics);
>        } catch (SQLException e) {
>            return handleError(e, connection, context);
>        }
>
>        logger.info("ended method: showReviewer");
>        return returnMyTemplate("users/rev_registration.htm", context);
>    }
>
>    private boolean isActionEqualTo(String actionName, WebContext context) {
>        HttpServletRequest request = context.getRequest();
>        if (request.getParameter("action") != null
>                && request.getParameter("action").equalsIgnoreCase(actionName))
>            return true;
>        return false;
>    }
>
>    private Template showJobs(WebContext context) {
>        Connection connection = null;
>        MyConnectionManager ConnectionManager = new MyConnectionManager();
>        HttpServletRequest request = context.getRequest();
HttpSession session = request.getSession(); > String userId = (String) session.getAttribute("USERID"); > logger.info("starting method: showJobs by user: " + userId); > > try { > connection = ConnectionManager.getConnection(); > Reviews[] reviews = ReviewsManager.getManager().loadByWhere( > "where USE_ID=\'" + userId + "\'", connection); > // System.out.println("Papers : " + submissions.length); > > for (int i = 0; i < reviews.length; i++) { > > Submissions subm = SubmissionsManager.getManager().loadByKey( > reviews[i].getSubId(), connection); > > reviews[i].setForeignTitle(subm.getSubPaperTitle()); > reviews[i].setForeignStatus(subm.getSubStatus()); > } > connection.close(); > context.put("jobs", reviews); > logger.info("ended method: showJobs by user: " + userId); > return returnMyTemplate("users/rev_home.htm", context); > } catch (SQLException e) { > return handleError(e, connection, context); > } > } > > private boolean validateUser(String login, String password, > WebContext context) { > MyConnectionManager ConnectionManager = new MyConnectionManager(); > HttpServletRequest request = context.getRequest(); > HttpSession session = request.getSession(); > Connection connection = null; > logger.info("starting method: validateUser login: " + login > + " passwd: " + password); > boolean userOK = false; > try { > connection = ConnectionManager.getConnection(); > Users[] foundUsers = UsersManager.getManager().loadByWhere( > "where USE_EMAIL=\'" + login + "\' AND USE_PASSWORD=\'" > + password + "\'", connection); > if (foundUsers.length != 0) { > userOK = true; > if (foundUsers[0].getUseActive() == 0) { > session.setAttribute("FIRSTIME", "TRUE"); > } > session.setAttribute("USERID", foundUsers[0] > .getUseId()+""); > } > connection.close(); > } catch (SQLException e) { > handleError(e, connection, context); > return false; > } > > logger.info("ended method: validateUser: " + userOK + " login: " > + login + " passwd: " + password); > return userOK; > } >} > |
From: Nikolaos P. <nk...@cc...> - 2006-02-20 19:04:17
|
Hi all,

I am sending a cut (but indicative---I hope) version of the core servlet
I am using.
The userId variable is set into the session by the validateUser method.
Various other methods have been omitted in this version for readability
reasons.
Hope it is clear.

Thank you in advance
Nikolaos Papadakis

P.S. Just for the record the configuration I am using includes:
SuSe ver 10.0
Java 1.4.2
Tomcat 5.0.30 in conjunction with Apache ver 2.0.53.
I also use some customized version of S2J to “objectize” tables and
relations in the db.

Keats Kirsch wrote:

> It's not possible to tell from the code snippet what is going wrong.
> The concurrency issue that Lane is referring to is fairly obscure
> (only affecting the #include directive with dynamic template names if
> I recall correctly) and not relevant here.
>
> The code as shown looks OK, but we can't see how the USERID is stored
> in the session, or how the user data is stored and retrieved based on
> this USERID. The bug could be in the data access layer or the session
> management subsystem (which depends on your Servlet container), or in
> some caching mechanism. It is unlikely, but not impossible that this
> could be a WebMacro bug. If I had to guess, I would suspect that the
> code which actually retrieves the user data is not properly synchronized.
>
> Send us a bit more information about your application, and maybe we
> can help you track this down.
>
> Keats
>
> Lane Sharman wrote:
>
>> Hi Nikolaos.
>>
>> This is most disturbing to hear about.
>>
>> First, there is a known concurrency issue with WM in 2.0 and possibly
>> in prior releases. If you look at the mail thread dating back for 45
>> days, you will definitely see it.
>>
>> My concern is that the webmacro instance, shared, and the context,
>> not shared, is improperly orchestrated for concurrency. The webmacro
>> instance is local to WMServlet. You might consider synchronizing
>> access to this variable as a trial fix in your local calls below.
>> This will introduce some serialization of web processing but it might
>> help to verify the solution.
>>
>> One thing you might consider trying is to use a different cache
>> handler. A few years ago, I wrote one and it is a part of the distro.
>> I have never had a problem using this cache handler.
>>
>> Lane
>>
>> --- Nikolaos Papadakis <nk...@cc...> wrote:
>>
>> From: Nikolaos Papadakis <nk...@cc...>
>> Date: Sat, 18 Feb 2006 10:50:33 +0200
>> To: web...@li...
>> Subject: [WebMacro-user] [WebMacro-user
>>
>> Hi all,
>>
>> I am using webmacro to develop a web-based application.
>> Things seemed to work fine till yesterday. A customer complained that he
>> managed to “see” the account of another customer when he logged-in using
>> his own credentials (he sent me a screen shot of the “view”).
>> By inspecting the log file I found that both users have been logged-in
>> at the same time (the second customer logged in 3 sec after the first
>> customer).
>> The system has more than 1000 customers but this inconvenience happened
>> for the first time yesterday (?).
>> It seems that different sessions have been mixed up.
>> The servlet includes a handle method and uses several other methods
>> (methods that write and read from a database).
>> All methods are defined in the same class (that extends WMServlet).
>> As far as I know servlets must not have instance variables (only local
>> variables -inside methods- to prevent data corruption and
>> inconsistencies). However in my servlet I use only one non local
>> variable (a Logger) and I don't think this is the cause of the problem.
>> As an attached file I send you a fragment of the before mentioned
>> servlet.
>> Can instance variables be defined in the case of a servlet that extends
>> WMServlet? (I mean is it safe? or it's not a good practice without
>> keeping precautions?)
>> Do you have any idea what can have caused this inconvenience ?
>> Is the use of methods inside the servlet thread-safe ?
>>
>> Please help!!!
>> Nikolaos Papadakis
|
From: Nikolaos P. <nk...@cc...> - 2006-02-20 19:03:13
|
Hi Lane,

Lane Sharman wrote:

> Hi Nikolaos.
>
> This is most disturbing to hear about.

Thank you for replying.

> First, there is a known concurrency issue with WM in 2.0 and possibly
> in prior releases. If you look at the mail thread dating back for 45
> days, you will definitely see it.

I will take a look at that thread.

> My concern is that the webmacro instance, shared, and the context, not
> shared, is improperly orchestrated for concurrency. The webmacro
> instance is local to WMServlet. You might consider synchronizing
> access to this variable as a trial fix in your local calls below. This
> will introduce some serialization of web processing but it might help
> to verify the solution.

I will try this tip

> One thing you might consider trying is to use a different cache
> handler. A few years ago, I wrote one and it is a part of the distro.
> I have never had a problem using this cache handler.
>
> Lane

Thank you !

> --- Nikolaos Papadakis <nk...@cc...> wrote:
>
> From: Nikolaos Papadakis <nk...@cc...>
> Date: Sat, 18 Feb 2006 10:50:33 +0200
> To: web...@li...
> Subject: [WebMacro-user] [WebMacro-user
>
> Hi all,
>
> I am using webmacro to develop a web-based application.
> Things seemed to work fine till yesterday. A customer complained that he
> managed to “see” the account of another customer when he logged-in using
> his own credentials (he sent me a screen shot of the “view”).
> By inspecting the log file I found that both users have been logged-in
> at the same time (the second customer logged in 3 sec after the first
> customer).
> The system has more than 1000 customers but this inconvenience happened
> for the first time yesterday (?).
> It seems that different sessions have been mixed up.
> The servlet includes a handle method and uses several other methods
> (methods that write and read from a database).
> All methods are defined in the same class (that extends WMServlet).
> As far as I know servlets must not have instance variables (only local
> variables -inside methods- to prevent data corruption and
> inconsistencies). However in my servlet I use only one non local
> variable (a Logger) and I don't think this is the cause of the problem.
> As an attached file I send you a fragment of the before mentioned servlet.
> Can instance variables be defined in the case of a servlet that extends
> WMServlet? (I mean is it safe? or it's not a good practice without
> keeping precautions?)
> Do you have any idea what can have caused this inconvenience ?
> Is the use of methods inside the servlet thread-safe ?
>
> Please help!!!
> Nikolaos Papadakis
|
From: Marc P. <ma...@an...> - 2006-02-20 10:31:27
|
On 20 Feb 2006, at 00:57, Lane Sharman wrote:

>
> This is most disturbing to hear about.
>
> First, there is a known concurrency issue with WM in 2.0 and possibly
> in prior releases. If you look at the mail thread dating back for 45
> days, you will definitely see it.
>
> My concern is that the webmacro instance, shared, and the context, not
> shared, is improperly orchestrated for concurrency. The webmacro
> instance is local to WMServlet. You might consider synchronizing
> access to this variable as a trial fix in your local calls below.
> This will introduce some serialization of web processing but it
> might help to verify the solution.

I am slightly alarmed by this also, because I have seen something
similar happening.

On a recent commercial website I did the back-end for, using Groovy and
WebMacro, I have seen on occasion clients submitting data to the site
using somebody else's UID.

I am not 100% sure there is a definite problem because the times I have
seen it was during intense activity by a lot of users at the same
company, so it may have been people sharing each others' PCs (it was a
promotional game playing event).

Anyway, I will be investigating this further in the next few days and
will let you know what I find out.

Actually my fear is that the problem is in Groovy rather than WebMacro
(WM being much easier to fix!) because WM is not really used to retrieve
the session UID except in some niche scenarios.

The more work I do the more I realise that sessions are evil and
problematic... ditch them and pass around a request ID with every link
is the best solution - especially as it supports multiple concurrent
workflows/requests.

Cheers
|
From: Keats K. <ke...@xa...> - 2006-02-20 03:34:27
|
It's not possible to tell from the code snippet what is going wrong.
The concurrency issue that Lane is referring to is fairly obscure (only
affecting the #include directive with dynamic template names if I recall
correctly) and not relevant here.

The code as shown looks OK, but we can't see how the USERID is stored in
the session, or how the user data is stored and retrieved based on this
USERID. The bug could be in the data access layer or the session
management subsystem (which depends on your Servlet container), or in
some caching mechanism. It is unlikely, but not impossible that this
could be a WebMacro bug. If I had to guess, I would suspect that the
code which actually retrieves the user data is not properly synchronized.

Send us a bit more information about your application, and maybe we can
help you track this down.

Keats

Lane Sharman wrote:

> Hi Nikolaos.
>
> This is most disturbing to hear about.
>
> First, there is a known concurrency issue with WM in 2.0 and possibly
> in prior releases. If you look at the mail thread dating back for 45
> days, you will definitely see it.
>
> My concern is that the webmacro instance, shared, and the context, not
> shared, is improperly orchestrated for concurrency. The webmacro
> instance is local to WMServlet. You might consider synchronizing
> access to this variable as a trial fix in your local calls below. This
> will introduce some serialization of web processing but it might help
> to verify the solution.
>
> One thing you might consider trying is to use a different cache
> handler. A few years ago, I wrote one and it is a part of the distro.
> I have never had a problem using this cache handler.
>
> Lane
>
> --- Nikolaos Papadakis <nk...@cc...> wrote:
>
> From: Nikolaos Papadakis <nk...@cc...>
> Date: Sat, 18 Feb 2006 10:50:33 +0200
> To: web...@li...
> Subject: [WebMacro-user] [WebMacro-user
>
> Hi all,
>
> I am using webmacro to develop a web-based application.
> Things seemed to work fine till yesterday. A customer complained that he
> managed to “see” the account of another customer when he logged-in using
> his own credentials (he sent me a screen shot of the “view”).
> By inspecting the log file I found that both users have been logged-in
> at the same time (the second customer logged in 3 sec after the first
> customer).
> The system has more than 1000 customers but this inconvenience happened
> for the first time yesterday (?).
> It seems that different sessions have been mixed up.
> The servlet includes a handle method and uses several other methods
> (methods that write and read from a database).
> All methods are defined in the same class (that extends WMServlet).
> As far as I know servlets must not have instance variables (only local
> variables -inside methods- to prevent data corruption and
> inconsistencies). However in my servlet I use only one non local
> variable (a Logger) and I don't think this is the cause of the problem.
> As an attached file I send you a fragment of the before mentioned
> servlet.
> Can instance variables be defined in the case of a servlet that extends
> WMServlet? (I mean is it safe? or it's not a good practice without
> keeping precautions?)
> Do you have any idea what can have caused this inconvenience ?
> Is the use of methods inside the servlet thread-safe ?
>
> Please help!!!
> Nikolaos Papadakis
|
From: Lane S. <la...@op...> - 2006-02-20 00:57:48
|
Hi Nikolaos.

This is most disturbing to hear about.

First, there is a known concurrency issue with WM in 2.0 and possibly in
prior releases. If you look at the mail thread dating back for 45 days,
you will definitely see it.

My concern is that the webmacro instance, shared, and the context, not
shared, is improperly orchestrated for concurrency. The webmacro
instance is local to WMServlet. You might consider synchronizing access
to this variable as a trial fix in your local calls below. This will
introduce some serialization of web processing but it might help to
verify the solution.

One thing you might consider trying is to use a different cache handler.
A few years ago, I wrote one and it is a part of the distro. I have
never had a problem using this cache handler.

Lane

--- Nikolaos Papadakis <nk...@cc...> wrote:

From: Nikolaos Papadakis <nk...@cc...>
Date: Sat, 18 Feb 2006 10:50:33 +0200
To: web...@li...
Subject: [WebMacro-user] [WebMacro-user

Hi all,

I am using webmacro to develop a web-based application.
Things seemed to work fine till yesterday. A customer complained that he
managed to “see” the account of another customer when he logged-in using
his own credentials (he sent me a screen shot of the “view”).
By inspecting the log file I found that both users have been logged-in
at the same time (the second customer logged in 3 sec after the first
customer).
The system has more than 1000 customers but this inconvenience happened
for the first time yesterday (?).
It seems that different sessions have been mixed up.
The servlet includes a handle method and uses several other methods
(methods that write and read from a database).
All methods are defined in the same class (that extends WMServlet).
As far as I know servlets must not have instance variables (only local
variables -inside methods- to prevent data corruption and
inconsistencies). However in my servlet I use only one non local
variable (a Logger) and I don't think this is the cause of the problem.
As an attached file I send you a fragment of the before mentioned servlet.
Can instance variables be defined in the case of a servlet that extends
WMServlet? (I mean is it safe? or it's not a good practice without
keeping precautions?)
Do you have any idea what can have caused this inconvenience ?
Is the use of methods inside the servlet thread-safe ?

Please help!!!
Nikolaos Papadakis
|
From: Nikolaos P. <nk...@cc...> - 2006-02-18 08:50:41
|
Hi all,

I am using webmacro to develop a web-based application.
Things seemed to work fine till yesterday. A customer complained that he
managed to “see” the account of another customer when he logged-in using
his own credentials (he sent me a screen shot of the “view”).
By inspecting the log file I found that both users have been logged-in
at the same time (the second customer logged in 3 sec after the first
customer).
The system has more than 1000 customers but this inconvenience happened
for the first time yesterday (?).
It seems that different sessions have been mixed up.
The servlet includes a handle method and uses several other methods
(methods that write and read from a database).
All methods are defined in the same class (that extends WMServlet).
As far as I know servlets must not have instance variables (only local
variables -inside methods- to prevent data corruption and
inconsistencies). However in my servlet I use only one non local
variable (a Logger) and I don't think this is the cause of the problem.
As an attached file I send you a fragment of the before mentioned servlet.
Can instance variables be defined in the case of a servlet that extends
WMServlet? (I mean is it safe? or it's not a good practice without
keeping precautions?)
Do you have any idea what can have caused this inconvenience ?
Is the use of methods inside the servlet thread-safe ?

Please help!!!
Nikolaos Papadakis
|
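The message above asks whether instance variables are safe in a servlet and whether its methods are thread-safe. The following is an added example, not code from the thread and not a diagnosis of the reported incident: it models one handler instance shared by two overlapping requests and shows that per-request data kept in an instance field is answered with the other user's page, while the same data in a local variable is not. All class names, session ids and user names are constructed for the example, and it assumes Java 8 or later rather than the Java 1.4.2 mentioned in the thread.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;

/** Added example: a plain-Java stand-in for one servlet instance shared by request threads. */
public class SharedHandlerDemo {

    // Constructed sample data: session id -> user id, standing in for the container's session store.
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();
    static {
        SESSIONS.put("session-A", "alice");
        SESSIONS.put("session-B", "bob");
    }

    interface Handler {
        // slowStep stands in for the database work done between reading the session and rendering.
        String handle(String sessionId, Runnable slowStep);
    }

    /** Keeps per-request data in an instance field, which every request thread shares. */
    static class FieldHandler implements Handler {
        private String currentUser;

        public String handle(String sessionId, Runnable slowStep) {
            currentUser = SESSIONS.get(sessionId);
            slowStep.run();
            return "account page of " + currentUser;
        }
    }

    /** Keeps per-request data in a local variable, so each thread has its own copy. */
    static class LocalHandler implements Handler {
        public String handle(String sessionId, Runnable slowStep) {
            String currentUser = SESSIONS.get(sessionId);
            slowStep.run();
            return "account page of " + currentUser;
        }
    }

    /**
     * Runs two overlapping requests against ONE handler instance. The latches force the
     * order: A stores its user, B runs start to finish, then A renders.
     * Returns {page sent to A, page sent to B}.
     */
    static String[] serveOverlapping(Handler handler) throws InterruptedException {
        CountDownLatch aIsMidRequest = new CountDownLatch(1);
        CountDownLatch bIsFinished = new CountDownLatch(1);
        String[] pages = new String[2];

        Thread requestA = new Thread(() ->
            pages[0] = handler.handle("session-A", () -> {
                aIsMidRequest.countDown();
                awaitQuietly(bIsFinished);
            }));
        Thread requestB = new Thread(() -> {
            awaitQuietly(aIsMidRequest);
            pages[1] = handler.handle("session-B", () -> { });
            bIsFinished.countDown();
        });

        requestA.start();
        requestB.start();
        requestA.join();
        requestB.join();
        return pages;
    }

    static void awaitQuietly(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws InterruptedException {
        String[] shared = serveOverlapping(new FieldHandler());
        String[] local = serveOverlapping(new LocalHandler());
        System.out.println("instance field, session-A gets: " + shared[0]);
        System.out.println("instance field, session-B gets: " + shared[1]);
        System.out.println("local variable, session-A gets: " + local[0]);
        System.out.println("local variable, session-B gets: " + local[1]);
    }
}
```

The same check applies to any object reachable from more than one request thread: static fields, caches and shared helper objects behave like the instance field here.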
From: <Web...@St...> - 2006-02-15 12:20:44
|
On Sat, 11 Feb 2006, Eric B. Ridge wrote:

| I would vote for the "New BSD-style" license as well. Or just put it in the
| Public Domain.

I was also thinking PD: The problem with WebMacro as I see it now is that
it is _dangerously_ close to abandonware. PDing it shouldn't hurt anyone
very much, I'd assume, and would hopefully just make it more palatable
than the current licenses do.

But BSD (w/o the "advertising clause", aka "New") is also good.
(http://www.gnu.org/philosophy/bsd.html)

To be frank, I wouldn't have touched WebMacro as it stands now with my
current knowledge of licenses, and given the now-existent competition
with their simpler license.

|
| If we were able to make such a change, is Justin the only required to give
| permission? What about the other contributors?

How many are there? "CVS-dump" all committers.

Regards,
Endre.
|
From: Eric B. R. <eb...@tc...> - 2006-02-12 04:09:50
|
I would vote for the "New BSD-style" license as well. Or just put it
in the Public Domain.

If we were able to make such a change, is Justin the only required to
give permission? What about the other contributors?

eric

On Feb 9, 2006, at 9:02 AM, Endre Stølsvik wrote:

> On Wed, 8 Feb 2006, Keats Kirsch wrote:
>
> | I agree that it would be nice to see the license simplified and more relaxed;
> | like LGPL or MPL or whatever. I wonder if Justin is willing to release his
> | proprietary interest?
>
> "New BSD-style" (or maybe ASL?) would be best for such a "deep down" yet
> small library. LGPL is slightly bad for java - RMS just won't clarify the
> wording about "linking" etc and how it regards to java, as I understand
> the controversy. MPL is about two million difficult lines, and made for
> Mozilla.
>
> Regards,
> Endre.
|
From: <Web...@St...> - 2006-02-09 14:02:42
|
On Wed, 8 Feb 2006, Keats Kirsch wrote:

| I agree that it would be nice to see the license simplified and more relaxed;
| like LGPL or MPL or whatever. I wonder if Justin is willing to release his
| proprietary interest?

"New BSD-style" (or maybe ASL?) would be best for such a "deep down" yet
small library. LGPL is slightly bad for java - RMS just won't clarify the
wording about "linking" etc and how it regards to java, as I understand
the controversy. MPL is about two million difficult lines, and made for
Mozilla.

Regards,
Endre.
|
From: Keats K. <ke...@xa...> - 2006-02-08 15:06:30
|
I agree that it would be nice to see the license simplified and more
relaxed; like LGPL or MPL or whatever. I wonder if Justin is willing to
release his proprietary interest?

Keats

Endre Stølsvik wrote:

>|
>| > And the license should be changed. GPL is bad for business when combined
>| > with Java, and "advertising clause" is just too "last century".
>|
>| Last time I checked WM was not just GPL, you can choose the license you want.
>
>Yes, between one which is "viral" (GPL), and another with advertising
>clause.
>
>Regards,
>Endre
|
From: <Web...@St...> - 2006-02-08 14:23:15
|
|
| > And the license should be changed. GPL is bad for business when combined
| > with Java, and "advertising clause" is just too "last century".
|
| Last time I checked WM was not just GPL, you can choose the license you want.

Yes, between one which is "viral" (GPL), and another with advertising
clause.

Regards,
Endre
|
From: Eric B. R. <eb...@tc...> - 2006-02-07 19:23:31
|
On Feb 7, 2006, at 11:05 AM, Marc Palmer wrote:

> Actually not true. WM's whitespace handling is REALLY REALLY BAD.
> I've used it in some proper production environments now with split
> teams and it is hard to justify some of the behaviour, and
> producing nicely formatted plain text is painful.

yeah, it's terrible. We use WM for Java-code generation, SQL schema
generation, and for HTML. Ya gotta process the output with something
like Jalopy or HTMLTidy to make readable output.

> I would be very happy for the whitespace to be improved BUT it
> depends what Eric calls improvement :)

we'll see. First I've gotta (re)familiarize myself with WM's parser.
It's pretty complex.

> Definitely. Perhaps this means branching the parser source into two
> packages... o.w.parser and o.w.parser2 so that we can just specify
> in the WM properties which to use :)

Yeah, of course. we'd have o.w.parser and
o.w.NewButSlightlyLessSuckyParser.

> I don't imagine Eric would propose such wreckage... although if you
> make it "WM 3" then you might mitigate this to a degree...
> especially if we could provide a script that would 100% reliably
> alter existing templates to produce the same results with the new
> parser.

Such a script would be nuts! If I do come up with an improvement we can
make it configurable.

> You know you have my agreement there :)
>
> WM's strengths are:
>
> * The introspection engine
> * The parser
> * The template rendering
>
> All the rest is basically bloat... existing template providers,
> caching providers and tools separated out from the core and
> reorganised a bit would make it a much more attractive package.

In order for this to happen someone actually has to do it. Endre has
been complaining about this for as far back as I can remember. I'm not
personally motivated to mess with this. It might be bloat, but it
doesn't get in my way. The parser, on the other hand, does.

eric
|
From: Marc P. <ma...@an...> - 2006-02-07 18:52:42
|
On 7 Feb 2006, at 14:26, Endre Stølsvik wrote:

> On Mon, 6 Feb 2006, Eric B. Ridge wrote:
>
> | I'm also considering taking my laptop and the WM sources with me. I want to
> | play with the parser. I hate our whitespace handling rules and have some ideas
> | on making it better.
>
> I think changing the whitespace rules now is a very bad idea. They do
> work, and changes to such fundamental parts of the system is _not_ welcome
> by pretty much anyone, I believe.

Actually not true. WM's whitespace handling is REALLY REALLY BAD.
I've used it in some proper production environments now with split
teams and it is hard to justify some of the behaviour, and producing
nicely formatted plain text is painful.

I would be very happy for the whitespace to be improved BUT it
depends what Eric calls improvement :)

> | The long plane flights will probably give me enough time
> | to work it out.
>
> It will be interesting to see what you come up with - but I believe you at
> least should have _full_ configurable fallbacks to "as they are now"
> situation.
>

Definitely. Perhaps this means branching the parser source into two
packages... o.w.parser and o.w.parser2 so that we can just specify in
the WM properties which to use :)

> Really, everyone's output will be changed!! That just ain't no good for
> adoption.
>

I don't imagine Eric would propose such wreckage... although if you
make it "WM 3" then you might mitigate this to a degree... especially
if we could provide a script that would 100% reliably alter existing
templates to produce the same results with the new parser.

> | I've also discovered a few classes that should probably implement the
> | Visitable interface that don't. I've been working on a little static analysis
> | tool to find usages of variables and such in templates and link them back up
> | to known object types... as a way to find and head off template-level bugs. I
> | had to revert to some reflection trickery while visiting a few Template node
> | types.
>
> For my own part, the thing about WebMacro is that there is _Way_ too much
> cruft. It should be _entirely_ ripped apart, and then about 90% of it
> should be deleted, and then the remaining parts should be put together
> again as a tight little API. The big idea with the Broker and all those
> little annoying caching elements and whatnot is just plain annoying. Then
> one have logging.

You know you have my agreement there :)

WM's strengths are:

* The introspection engine
* The parser
* The template rendering

All the rest is basically bloat... existing template providers,
caching providers and tools separated out from the core and
reorganised a bit would make it a much more attractive package.

The thing is - are there enough good men to do the work? Is there
enough agreement and will to make these tough changes for WM 3? What
value can we add with these changes in WM 3?

For the latter, as I've stated before, I think we can add quite a bit:

* JSP integration
* Spring MVC integration
* Bean-style configuration WM instances
* Run-time (mutable) access to all directives, tools, providers and
  other config, so that you can change properties at runtime, on a new
  WM instance, and swap that for your current instance (hot swapping
  the references to avoid threading/sync issues within WM itself)... so
  that applications can -conditionally- add custom directives etc as
  beans created by the application not WM, without manipulating
  property lists etc

> And the license should be changed. GPL is bad for business when combined
> with Java, and "advertising clause" is just too "last century".

Last time I checked WM was not just GPL, you can choose the license
you want.
|