On 15.02.2016 11:06, Christoph Nenning wrote:
Perhaps I'm naïve, but I was looking for a Tomcat provided "getCurrentURL()" call, and assumed that nothing else could have that. :-)
Thank you for the SecurityManager suggestion, I hadn't thought about that.
I'll look into how much of a pain that is.
You can rebuild the url with several methods of HttpServletRequest like:
- getScheme()
- getServerPort()
- getContextPath()
- getServletPath()
- getPathInfo()
To figure out the host name you can use the Host header:
getHeader("Host")
Regards,
Christoph
Christoph,
to save the OP (and Mark, and Christopher) some re-explaining, here is a summary:
- the above is known
- but the question here is that the above cannot be trusted, because the webapp cannot be
trusted, and the webapp could have "wrapped" the original HttpServletRequest with another
object, which could have its own methods overriding the above and returning falsified
responses.
Granted, this is a bit nitpicking, but this being done as part of some security scheme
(the validity of which is not the point of this summary), one needs to take this into
consideration.
André
On 2/11/16, 5:33 PM, "Mark Thomas" <ma...@apache.org> wrote:
On 11/02/2016 22:56, Dougherty, Gregory T., M.S. wrote:
I would like to have a jar file in tomcat/lib that can be called from
any of the running web apps. I need for the code in the jar to behave
differently depending on which web app called it. It is not in this
case possible for the code to "trust" the caller to tell it the URL of
the caller.
Is it possible for that code to independently determine the URL of
the caller?
If you can't trust the caller to tell you the URL, you can't trust that
the caller isn't going to tinker with whatever mechanism you do use to
determine the URL.
You'd have a better chance of doing this if you ran under a
SecurityManager but unless you write an application from the start with
the intention of running it under a SecurityManager it is usually a lot
of additional effort to update the app so it runs correctly.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
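
The point discussed in this thread, as an added Java example (not code from any of the posters or from Tomcat): the URL rebuilt from the listed getters is only as trustworthy as the request object the webapp hands over. The names `CallerUrl`, `rebuild`, `RelabelledRequest` and `wrapperDepth` are hypothetical, the `javax.servlet` API jar is assumed to be on the classpath, and preferring the Host header over the server name and port is a choice made here.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical helper for shared code in tomcat/lib; an illustration only. */
public final class CallerUrl {

    /** Rebuilds the URL from the getters listed in the thread.
     *  Every value comes from the object the calling webapp passed in. */
    public static String rebuild(HttpServletRequest req) {
        StringBuilder url = new StringBuilder(req.getScheme()).append("://");
        String host = req.getHeader("Host"); // client-supplied; carries the port when non-default
        if (host != null) {
            url.append(host);
        } else {
            url.append(req.getServerName()).append(':').append(req.getServerPort());
        }
        url.append(req.getContextPath()).append(req.getServletPath());
        if (req.getPathInfo() != null) {
            url.append(req.getPathInfo());
        }
        return url.toString();
    }

    /** A webapp can wrap the request before calling shared code and
     *  override any getter, so rebuild() reports whatever it chooses. */
    static final class RelabelledRequest extends HttpServletRequestWrapper {
        RelabelledRequest(HttpServletRequest original) {
            super(original);
        }

        @Override
        public String getContextPath() {
            return "/some-other-app"; // constructed value
        }
    }

    /** Counts ServletRequestWrapper layers around the request.
     *  This is a hint, not proof: filters wrap requests legitimately, and a
     *  caller can pass its own HttpServletRequest implementation that is not
     *  a ServletRequestWrapper at all, which this loop reports as depth 0. */
    public static int wrapperDepth(ServletRequest req) {
        int depth = 0;
        while (req instanceof ServletRequestWrapper) {
            req = ((ServletRequestWrapper) req).getRequest();
            depth++;
        }
        return depth;
    }
}
```

Passing `new RelabelledRequest(request)` to `rebuild` yields a URL under `/some-other-app` even though the request arrived at a different context, which is why the shared code cannot rely on these getters alone.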