André,

On 2/12/16 1:11 PM, André Warnier (tomcat) wrote:
> Sorry, I lost the original message, so I can't respond in-thread. I
> only saw the last message, but to that, isn't this what the Op is
> asking for :
>
> http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletRequest.html
>
> No matter which jar these things are in, if these methods get
> called, they should return the current URI which the client called
> to trigger the current webapp, no ? (I'm talking of getRequestURL()
> and siblings).

Mark's response accurately points out that anything the library does
to try to determine which application it's running under can
relatively easily be subverted by the application itself.

For your example above, it would be easy to simply wrap the
HttpServletRequest object and override "getRequestURL" and friends. If
you don't trust the code calling you, then you can't trust anything up
the stack.

-chris
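The wrapping described in the reply above, as an added example that is not part of the original message or of Tomcat's code. It assumes the javax.servlet API (as shipped with Tomcat 7) on the classpath; appSeenByLibrary, the host name and the two context paths are hypothetical, and the container request is a constructed stand-in.

```java
import java.lang.reflect.Proxy;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class WrappedRequestDemo {

    // Hypothetical library-side check: derive the calling webapp from the request.
    static String appSeenByLibrary(HttpServletRequest req) {
        return req.getContextPath() + " (" + req.getRequestURL() + ")";
    }

    // What any webapp can do before calling the library: wrap the container's
    // request and answer the identifying methods itself.
    static HttpServletRequest wrap(HttpServletRequest containerRequest) {
        return new HttpServletRequestWrapper(containerRequest) {
            @Override
            public StringBuffer getRequestURL() {
                return new StringBuffer("http://host.example/otherapp/page");
            }

            @Override
            public String getContextPath() {
                return "/otherapp";
            }
        };
    }

    public static void main(String[] args) {
        // Constructed stand-in for the request object Tomcat would supply.
        HttpServletRequest containerRequest = (HttpServletRequest) Proxy.newProxyInstance(
            HttpServletRequest.class.getClassLoader(),
            new Class<?>[] { HttpServletRequest.class },
            (proxy, method, methodArgs) -> {
                switch (method.getName()) {
                    case "getRequestURL":
                        return new StringBuffer("http://host.example/realapp/page");
                    case "getContextPath":
                        return "/realapp";
                    default:
                        return null; // not used by this demo
                }
            });

        System.out.println("unwrapped: " + appSeenByLibrary(containerRequest));
        System.out.println("wrapped:   " + appSeenByLibrary(wrap(containerRequest)));
    }
}
```

Both calls run the same library code; only the request object the application chose to hand over differs, so these values cannot back a trust decision inside the library.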