RE: AccessLogValve calling order
Uh, if the Access Log Value logged before the request was complete, how
would it know the number of bytes written to log?
George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
-Original Message-
From: Jason Brittain [mailto:jason.britt...@mulesource.com]
Sent: Friday, November 13, 2009 7:12 PM
To: Tomcat Users List
Subject: Re: AccessLogValve calling order
Hi Chris.
Thanks for diagnosing this problem! It appears you're right that it
logs
only after the session is invalidated (after the request is complete)
on a
logout request. That bug has existed in the code for a very long time,
unnoticed. The AccessLogValve was initially implemented to log only
after
the request processing is complete so that the client never needs to
wait
for the logging to complete. With the new addition of asynchronous
logging,
however, it's quite a bit less important to log only when the request
is
complete. It seems like it would help if the access logger could be
configurable to log either before or after handling the request (I'm
not
sure logging both before and after makes sense). Your ideas for %Sr
and
%{methodName}rm both seem useful as well, though I think the
%{methodName}rm
one has potential security side effect issues. So, I would suggest
implementing your first two ideas. I'm also happy to help you with
that, if
you'd like.
Cheers.
--
Jason Brittain
MuleSoft http://www.mulesoft.com
On Fri, Nov 13, 2009 at 2:22 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
All,
Amazingly enough, I had my first need to use AccessLogValve today,
and
one of the things I wanted to print was the user's session id. No,
problem: just add %S to the log pattern.
Well, there is one problem: you can't spit-out the session id for
logout
requests because the logic for the AccessLogValve is:
if(enabled)
invoke next valve
print log message
else
invoke next valve
Note that the request has essentially completed when the log message
is
generated. This makes complete sense as you typically want to log
/after/ the request so you can do things like find out how many bytes
were sent, how long the request took, etc.
In my case, I want to have access to the session id before the
session
is invalidated (which happens in the logout servlet).
Another option would be to get the requested session id from the
request
(which can only be done with the current AccessLogValve if the client
is
using cookies), though that can be misleading because anyone can
request
anything... it's not guaranteed to use a useful value.
Anyhow, I was wondering if anyone had any suggestions short of
heavily
modifying the AccessLogValve or developing something from scratch.
I'd also be happy to provide a patch for the AccessLogValve that add
any
or all of the following capabilities:
1. Allow log before or after request (or both?)
2. Add requested session id to standard pattern options (%Sr?)
or
3. Add %{xxx}rm to call ServletRequest.xxx and print the result
(allows ${getRequestedSessionId}rm
Any comments?
Thanks,
- -chris
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AccessLogValve calling order
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
George,
On 11/16/2009 11:35 AM, George Sexton wrote:
Uh, if the Access Log Value logged before the request was complete, how
would it know the number of bytes written to log?
If you read the whole first post, you'd see that I mentioned that.
- -chris
George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
-Original Message-
From: Jason Brittain [mailto:jason.britt...@mulesource.com]
Sent: Friday, November 13, 2009 7:12 PM
To: Tomcat Users List
Subject: Re: AccessLogValve calling order
Hi Chris.
Thanks for diagnosing this problem! It appears you're right that it
logs
only after the session is invalidated (after the request is complete)
on a
logout request. That bug has existed in the code for a very long time,
unnoticed. The AccessLogValve was initially implemented to log only
after
the request processing is complete so that the client never needs to
wait
for the logging to complete. With the new addition of asynchronous
logging,
however, it's quite a bit less important to log only when the request
is
complete. It seems like it would help if the access logger could be
configurable to log either before or after handling the request (I'm
not
sure logging both before and after makes sense). Your ideas for %Sr
and
%{methodName}rm both seem useful as well, though I think the
%{methodName}rm
one has potential security side effect issues. So, I would suggest
implementing your first two ideas. I'm also happy to help you with
that, if
you'd like.
Cheers.
--
Jason Brittain
MuleSoft http://www.mulesoft.com
On Fri, Nov 13, 2009 at 2:22 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
All,
Amazingly enough, I had my first need to use AccessLogValve today,
and
one of the things I wanted to print was the user's session id. No,
problem: just add %S to the log pattern.
Well, there is one problem: you can't spit-out the session id for
logout
requests because the logic for the AccessLogValve is:
if(enabled)
invoke next valve
print log message
else
invoke next valve
Note that the request has essentially completed when the log message
is
generated. This makes complete sense as you typically want to log
/after/ the request so you can do things like find out how many bytes
were sent, how long the request took, etc.
In my case, I want to have access to the session id before the
session
is invalidated (which happens in the logout servlet).
Another option would be to get the requested session id from the
request
(which can only be done with the current AccessLogValve if the client
is
using cookies), though that can be misleading because anyone can
request
anything... it's not guaranteed to use a useful value.
Anyhow, I was wondering if anyone had any suggestions short of
heavily
modifying the AccessLogValve or developing something from scratch.
I'd also be happy to provide a patch for the AccessLogValve that add
any
or all of the following capabilities:
1. Allow log before or after request (or both?)
2. Add requested session id to standard pattern options (%Sr?)
or
3. Add %{xxx}rm to call ServletRequest.xxx and print the result
(allows ${getRequestedSessionId}rm
Any comments?
Thanks,
- -chris
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAksBu44ACgkQ9CaO5/Lv0PAw4wCguv7l9vhQnpzPn8yNKYLR6GQw
P/YAn2Xhaz3AzZad0J+/5eAxmIXph2C6
=ZMwX
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
AccessLogValve calling order
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
All,
Amazingly enough, I had my first need to use AccessLogValve today, and
one of the things I wanted to print was the user's session id. No,
problem: just add %S to the log pattern.
Well, there is one problem: you can't spit-out the session id for logout
requests because the logic for the AccessLogValve is:
if(enabled)
invoke next valve
print log message
else
invoke next valve
Note that the request has essentially completed when the log message is
generated. This makes complete sense as you typically want to log
/after/ the request so you can do things like find out how many bytes
were sent, how long the request took, etc.
In my case, I want to have access to the session id before the session
is invalidated (which happens in the logout servlet).
Another option would be to get the requested session id from the request
(which can only be done with the current AccessLogValve if the client is
using cookies), though that can be misleading because anyone can request
anything... it's not guaranteed to use a useful value.
Anyhow, I was wondering if anyone had any suggestions short of heavily
modifying the AccessLogValve or developing something from scratch.
I'd also be happy to provide a patch for the AccessLogValve that add any
or all of the following capabilities:
1. Allow log before or after request (or both?)
2. Add requested session id to standard pattern options (%Sr?)
or
3. Add %{xxx}rm to call ServletRequest.xxx and print the result
(allows ${getRequestedSessionId}rm
Any comments?
Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkr93D0ACgkQ9CaO5/Lv0PCLuwCeLq+sIqkfrAgDNmW5i1JECVzz
oTwAnRDS6E7oZIRDQEwtzptBKHDju4Op
=rrdK
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AccessLogValve calling order
Hi Chris.
Thanks for diagnosing this problem! It appears you're right that it logs
only after the session is invalidated (after the request is complete) on a
logout request. That bug has existed in the code for a very long time,
unnoticed. The AccessLogValve was initially implemented to log only after
the request processing is complete so that the client never needs to wait
for the logging to complete. With the new addition of asynchronous logging,
however, it's quite a bit less important to log only when the request is
complete. It seems like it would help if the access logger could be
configurable to log either before or after handling the request (I'm not
sure logging both before and after makes sense). Your ideas for %Sr and
%{methodName}rm both seem useful as well, though I think the %{methodName}rm
one has potential security side effect issues. So, I would suggest
implementing your first two ideas. I'm also happy to help you with that, if
you'd like.
Cheers.
--
Jason Brittain
MuleSoft http://www.mulesoft.com
On Fri, Nov 13, 2009 at 2:22 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
All,
Amazingly enough, I had my first need to use AccessLogValve today, and
one of the things I wanted to print was the user's session id. No,
problem: just add %S to the log pattern.
Well, there is one problem: you can't spit-out the session id for logout
requests because the logic for the AccessLogValve is:
if(enabled)
invoke next valve
print log message
else
invoke next valve
Note that the request has essentially completed when the log message is
generated. This makes complete sense as you typically want to log
/after/ the request so you can do things like find out how many bytes
were sent, how long the request took, etc.
In my case, I want to have access to the session id before the session
is invalidated (which happens in the logout servlet).
Another option would be to get the requested session id from the request
(which can only be done with the current AccessLogValve if the client is
using cookies), though that can be misleading because anyone can request
anything... it's not guaranteed to use a useful value.
Anyhow, I was wondering if anyone had any suggestions short of heavily
modifying the AccessLogValve or developing something from scratch.
I'd also be happy to provide a patch for the AccessLogValve that add any
or all of the following capabilities:
1. Allow log before or after request (or both?)
2. Add requested session id to standard pattern options (%Sr?)
or
3. Add %{xxx}rm to call ServletRequest.xxx and print the result
(allows ${getRequestedSessionId}rm
Any comments?
Thanks,
- -chris
