Unable to load log4j.jar in webstart mode

in WebNMS Framework • 11 years ago

My client code uses log4j services.
(Under webstart we redirect the output to the console if file appending is not allowed).
Now if I add log4j.jar to the webstart classpath (clientparameters.conf, which generates the classpath for jnlp), the Java application fails to load, claiming it cannot find 'classes/log4j.jar'.
We have that jar in WebNMS/classes, along with many other jars, so I don't really understand why jnlp cannot find it.

Workaround: copy log4j.jar to another name, redefine the classpath, and all is fine! The log4j2.jar is found and it works as expected.

One idea that crossed my mind (but makes little sense) is that the original log4j.jar is for some reason 'locked' by the server code, but I have trouble believing that could be the case...

I'll appreciate any fresh ideas on this.
Reuben

Replies(13)

Lukas Rypl

Re: Unable to load log4j.jar in webstart mode

11 years ago

Hi Reuben,

we were facing exactly the same problem :)

Have a look at apache/tomcat/conf/web.xml file. The log4j is put inside the security constraints and that is why it is not accessible. I have no idea why it is done that way, maybe someone from Zoho can give us some clue.

Easy (maybe not correct) solution is to remove log4j from this list.

Regards
Lukas

reuben.si..

Re: Re: Unable to load log4j.jar in webstart mode

11 years ago

Thanks, this was great advice.
I was really puzzled

- Reuben

venkatram.. Employee

Re: Unable to load log4j.jar in webstart mode

11 years ago

Reuben!
Lukas is right in pointing out the security-constraints tag.

The entry for a File inside the security-constraints tag depends on whether default WebNMS client need to access that file (in http:// mode)

So, the client jars (28 in number - NMS_ARCHIVE & ARCHIVE tag in client parameters.conf) are not configured in security-constraints tag.

Since default WebNMS client does not need log4j.jar in the client side, we had configured it in security-constraints tag.

As Lukas pointed out, once you remove that entry (corresponding to log4j.jar) from security-constraints tag, you can access it in the web start client.

Hope this clarifies.

Thanks & regards
Venkatramanan

Lukas Rypl

Re: Re: Unable to load log4j.jar in webstart mode

11 years ago

Thank you Venkatramanan for the confirmation.

I wonder if it would be possible to convert the existing blacklist (i..e. list of access denied files) to a whitelist (list of files which are required by the javaws client). Whitelisting seems to be both safer and easier to maintain.

LR

venkatram.. Employee

Re: Unable to load log4j.jar in webstart mode

11 years ago

Dear Lukas

Please note that we make use of what the tomcat configuration provides.
We searched but could not find any such whitelisting option in tomcat (i.e.No such option as Except-these-files-allow-everything-else).
If you could find anything, please update in the same thread.
We will be glad to analyze the same!

Thanks & regards
Venkatramanan

Lukas Rypl

Re: Re: Unable to load log4j.jar in webstart mode

11 years ago

OK, I do not have detailed knowledge of the tomcat server configuration. I could not find anything alowing the whitelisting so far.

Regards,
LR

Lukas Rypl

Re: Unable to load log4j.jar in webstart mode

11 years ago

What one can find at StackOverflow regarding the whitelisting:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted files</web-resource-name>
        <description>No direct access to restricted files.</description>
        <url-pattern>/conf/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>No direct browser access to the restricted files.</description>
        <role-name>NobodyHasThisRole</role-name>
    </auth-constraint>
</security-constraint>

Please verify if this approach is valid.

Thank you.
LR

venkatram.. Employee

Re: Unable to load log4j.jar in webstart mode

11 years ago

Dear Lukas
Even with the above configuration the http access behaves in the same manner. (blocks log4j.jar file)

In addition, please note that WebNMS uses its own authentication which limits the use of certain tags which can be used only with tomcat authentication.

Hence please use the blacklist option alone.

Thanks & regards
Venkatramanan

Lukas Rypl

Re: Re: Unable to load log4j.jar in webstart mode

11 years ago

In addition, please note that WebNMS uses its own authentication which limits the use of certain tags which can be used only with tomcat authentication.

Is it described somewhere? Any documentation I can read?

venkatram.. Employee

Re: Unable to load log4j.jar in webstart mode

11 years ago

//Is it described somewhere? Any documentation I can read?//

Dear Lukas

The fact that WebNMS uses its own authentication & how it is being implemented is documented in WebNMS developer guide.
Hence we cannot use a role-name tag extensively which is specific to Tomcat users.

We believe this answers your query.

Thanks & regards
Venkatramanan

Lukas Rypl

Re: Re: Unable to load log4j.jar in webstart mode

11 years ago

Hi Venkatramanan,

thank you for pointing out that the WebNMS has its own authentication. I have read that particular page of the Developer guide carefully, but I did not find any information about relation between tomcat and WebNMS authentication and authorization.

I think that tomcat is used only for restricting access to certain files and maybe WebNMS is somehow using the tomcat configuration files, but I do not see any way how WebNMS security can influence http access to files on the server.

The only relevant information I have found so far is the chapter

5.34.4 Blocking Web NMS Resources through Web Server

Can you elaborate a bit on the following?

Hence we cannot use a role-name tag extensively which is specific to Tomcat users.

Thanks and Regards,
Lukas Rypl

venkatram.. Employee

Re: Unable to load log4j.jar in webstart mode

11 years ago

Dear Lukas

Administering / Authentication using Tomcat (using tomcat-users.xml) is totally a different topic which WebNMS do not support.
You are welcome to refer Tomcat forums / mailing lists for the same.

Thanks & regards
Venkatramanan

Lukas Rypl

Re: Re: Unable to load log4j.jar in webstart mode

11 years ago

Dear Venkatramanan,

I probably did not get your point in the previous messages.

You have said that the role-name tag can not be used, because it is specific for tomcat. WebNMS uses it's own authentication mechanism. So I thought that the tomcat configuration file is somehow used internally by WebNMS as well and that is why the role-name tag can not be used.

Can you please clarify, why the role-name can not be used?

Thank you.
Lukas

Top Reply

Response title

Attachments

New to this Portal?

Unable to load log4j.jar in webstart mode

Replies(13)

Re: Unable to load log4j.jar in webstart mode

Re: Re: Unable to load log4j.jar in webstart mode

Re: Unable to load log4j.jar in webstart mode

Re: Re: Unable to load log4j.jar in webstart mode

Re: Unable to load log4j.jar in webstart mode

Re: Re: Unable to load log4j.jar in webstart mode

Re: Unable to load log4j.jar in webstart mode

Re: Unable to load log4j.jar in webstart mode

Re: Re: Unable to load log4j.jar in webstart mode

Re: Unable to load log4j.jar in webstart mode

Re: Re: Unable to load log4j.jar in webstart mode

5.34.4 Blocking Web NMS Resources through Web Server

Re: Unable to load log4j.jar in webstart mode

Re: Re: Unable to load log4j.jar in webstart mode

Statistics

Tags

Actions