Konstantin,

On 11/7/19 15:20, Konstantin Kolinko wrote:
> Thu, 7 Nov 2019 at 17:11, Christopher Schultz
> <ch...@christopherschultz.net>:
>>
>> I'm using bin/catalina.sh start to launch Tomcat on macOS. The
>> 'ps' command shows the following partial command-line:
>>
>> [...]
>> -Djava.util.logging.config.file=${CATALINA_BASE}/conf/logging.properties
>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager [...]
>>
>> The file ${CATALINA_BASE}/conf/logging.properties does indeed
>> have the changes below.
>
> OK, good.
>
> (I hope that `ps` shows the actual path to logging.properties.
> There should not be an unexpanded reference to an environment variable
> above.)

Yep. I hand-edited that to shorten the real path.

> This reminds me: ClassLoaderLogManager allows each web application
> to have its own configuration of logging. If you have a
> "logging.properties" file elsewhere in classpath of that web
> application, it will have precedence over the default one.
>
> The recommended use of this technology is to place your
> configuration into WEB-INF/classes/logging.properties file of your
> web application.

My web application DOES have a WEB-INF/classes/logging.properties and
it does indeed say nothing about the CsrfPreventionFilter. Since the
TCCL is the WebappClassloader during execution of the Filter (it's
defined in my app's WEB-INF/web.xml file), it must be using the
application's logging.properties and not the global one.

This makes sense and is a little irritating to me, but definitely
fixable. I'll double-check that this is the case, shortly.

I think I'm going to commit my trace logging to CsrfPreventionFilter
because I find it helpful to see what's happening in there when trying
to deploy CSRF protections. Not being able to see what the class was
doing made it hard to figure out what was wrong.
In my case, the problem was that my nonce cache wasn't large enough,
and hitting my login page caused more than the default=5 nonces to be
generated, evicting the first nonce created -- the one which was added
to the <form action> for logging-in. So I couldn't even login to my own
application :)

-chris
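
The eviction described in the message above, as an added example that is not part of the original message and is not Tomcat's code. It models the nonce cache as a bounded map that drops the oldest entry first; the class and method names and the number of extra nonces are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration: a stand-alone model of a bounded per-session nonce cache.
// NonceCacheDemo, issue(), isValid() and formSurvives() are hypothetical names.
public class NonceCacheDemo {
    private final Map<String, Boolean> cache;
    private final SecureRandom random = new SecureRandom();

    NonceCacheDemo(final int capacity) {
        // Insertion-ordered map that discards the oldest nonce once more
        // than 'capacity' nonces are held.
        this.cache = new LinkedHashMap<String, Boolean>() {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                return size() > capacity;
            }
        };
    }

    // Mint a random nonce and remember it as valid for this session.
    String issue() {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        String nonce = hex.toString();
        cache.put(nonce, Boolean.TRUE);
        return nonce;
    }

    // A submitted nonce is accepted only while it is still in the cache.
    boolean isValid(String nonce) {
        return nonce != null && cache.containsKey(nonce);
    }

    // The first nonce goes into the login form; 'extraNonces' more are minted
    // before the form is submitted (assumed count, constructed scenario).
    static boolean formSurvives(int cacheSize, int extraNonces) {
        NonceCacheDemo session = new NonceCacheDemo(cacheSize);
        String formNonce = session.issue();
        for (int i = 0; i < extraNonces; i++) {
            session.issue();
        }
        return session.isValid(formNonce);
    }

    public static void main(String[] args) {
        System.out.println("cache 5:  login form accepted = " + formSurvives(5, 5));
        System.out.println("cache 20: login form accepted = " + formSurvives(20, 5));
    }
}
```

In Tomcat the cache size is set with the CsrfPreventionFilter `nonceCacheSize` init-param in the application's WEB-INF/web.xml.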