Thanks for your answer.

1. Before testing the code below with different Tomcat configurations, I would 
like to know if there is a better way to do what I want. I'm not really 
satisfied with this code that is closely related to Tomcat classes.

2. The original problem is that I would like to:

a) prevent Tomcat (6.0.x, including versions older than 6.0.30) from adding the 
";jsessionid=xxx" string to the URL when there is no cookie named JSESSIONID in 
the client browser
b) prevent jsessionid hijacking via the URL, i.e. redirect to an error page when 
the "jsessionid=" string is detected in the URL

Lo

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, 17 April 2014 11:54
To: Tomcat Users List
Subject: Re: Best practice to programmatically get the disableURLRewriting 
context attribute value

On 10/04/2014 14:01, lo lo wrote:
> Tomcat version 6.0.x on Linux OS
> 
> Hi all,
> 
> I have an application deployed on several customers' Tomcat servers.
> 
> The Tomcat versions are different (6.0.16, 6.0.37, etc.) and asking 
> all customers to upgrade to the latest Tomcat version would be too tricky.
> 
> I would like to programmatically get the disableURLRewriting context 
> attribute value, when it exists (i.e. Tomcat 6.0.30 onwards).
> My purpose is to add a tuckey.org/urlrewrite filter rule that 
> redirects the user to an error page when the 'jsessionid=' string is detected 
> in the URL.
> if (disableURLRewriting exists and its value is true) -> the filter 
> rule should be applied
> if (disableURLRewriting doesn't exist or its value is false) -> the 
> filter rule should not be applied because Tomcat 6 adds 
> ';jsessionid=xxx' when there is no cookie in the client browser
> 
> The only way that I have found to achieve this on different Tomcat 
> versions is to use Tomcat classes:
> 
>     public boolean isDisableURLRewriting(StandardContext standardContext) {
>         Method isDisableURLRewritingMethod = null;
>         try {
>             isDisableURLRewritingMethod =
>                 StandardContext.class.getMethod("isDisableURLRewriting");
>         } catch (Exception e) {
>             // the method does not exist or is not accessible
>         }
>         if (isDisableURLRewritingMethod != null) {
>             try {
>                 return ((Boolean)
>                     isDisableURLRewritingMethod.invoke(standardContext)).booleanValue();
>             } catch (Exception e) {
>                 throw new RuntimeException("Unable to invoke the "
>                     + "isDisableURLRewriting method on the standard context", e);
>             }
>         }
>         // the method does not exist, we return false
>         return false;
>     }
> 
>     StandardEngine engine = (StandardEngine)
>         ServerFactory.getServer().findService("Catalina").getContainer();
>     Container container = engine.findChild(engine.getDefaultHost());
>     StandardContext standardContext = (StandardContext)
>         container.findChild(context.getContextPath());
>     if (isDisableURLRewriting(standardContext)) {
>         // apply the rule
>     } else {
>         // don't apply the rule
>     }
> 
> 1. Will this code work for every Tomcat configuration?
> (I know that this code works when the context file is in the 
> conf/Catalina/localhost directory with the default server.xml file, 
> but I don't know if it will work when several hosts are defined in the 
> server.xml file, because I'm using engine.getDefaultHost())

So maybe you should test that and see what happens.

> 2. Is there a better way to achieve this? (maybe without using Tomcat
> classes?)

It depends on what you are trying to achieve. You have described a problem with 
your current solution but not what your original problem is.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
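
One container-independent way to get behaviours (a) and (b) described in the message above, using only the Servlet 2.5 API rather than Tomcat classes. This is an added example, not code from the thread or from the Tomcat project; the class name `NoUrlSessionIdFilter` and the error page path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: depends only on javax.servlet, no org.apache.catalina classes.
public class NoUrlSessionIdFilter implements Filter {

    // Hypothetical error page path; adjust to the application.
    private static final String ERROR_PAGE = "/sessionError.jsp";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        if (!(rq instanceof HttpServletRequest)) {
            chain.doFilter(rq, rs);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // (b) The container reports that the session id arrived in the URL.
        if (req.isRequestedSessionIdFromURL()) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                // Do not keep using an id that was exposed in a URL.
                session.invalidate();
            }
            res.sendRedirect(req.getContextPath() + ERROR_PAGE);
            return;
        }

        // (a) Return URLs unchanged so ";jsessionid=xxx" is never appended,
        // whether or not the container supports disableURLRewriting.
        HttpServletResponseWrapper noRewrite = new HttpServletResponseWrapper(res) {
            public String encodeURL(String url) { return url; }
            public String encodeRedirectURL(String url) { return url; }
            public String encodeUrl(String url) { return url; }         // deprecated alias
            public String encodeRedirectUrl(String url) { return url; } // deprecated alias
        };
        chain.doFilter(req, noRewrite);
    }
}
```

The filter has to be declared in web.xml and mapped to `/*` ahead of other filters so that every response is wrapped. With URL rewriting suppressed this way, clients that refuse cookies will not keep a session.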