Konstantin,

On 11/7/19 15:20, Konstantin Kolinko wrote:
> Thu, 7 Nov 2019 at 17:11, Christopher Schultz
> <ch...@christopherschultz.net>:
>> 
>> I'm using bin/catalina.sh start to launch Tomcat on macOS. The
>> 'ps' command shows the following partial command-line:
>> 
>> [...]
>> -Djava.util.logging.config.file=${CATALINA_BASE}/conf/logging.properties
>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager [...]
>> 
>> The file ${CATALINA_BASE}/conf/logging.properties does indeed
>> have the changes below.
> 
> OK, good.
> 
> (I hope that `ps` shows the actual path to logging.properties.
> There should not be an unexpanded reference to an environment variable
> above.)

Yep. I hand-edited that to shorten the real path.

> This reminds me: ClassLoaderLogManager allows each web application
> to have its own configuration of logging. If you have a 
> "logging.properties" file elsewhere in classpath of that web 
> application, it will have precedence over the default one.
> 
> The recommended use of this technology is to place your
> configuration into WEB-INF/classes/logging.properties file of your
> web application.

My web application DOES have a WEB-INF/classes/logging.properties and
it does indeed say nothing about the CsrfPreventionFilter.

Since the TCCL is the WebappClassloader during execution of the Filter
(it's defined in my app's WEB-INF/web.xml file), it must be using the
application's logging.properties and not the global one.

This makes sense and is a little irritating to me, but definitely
fixable. I'll double-check that this is the case, shortly.

I think I'm going to commit my trace logging to CsrfPreventionFilter
because I find it helpful to see what's happening in there when trying
to deploy CSRF protections. Not being able to see what the class was
doing made it hard to figure out what was wrong. In my case, the
problem was that my nonce cache wasn't large enough, and hitting my
login page caused more than the default=5 nonces to be generated,
evicting the first nonce created -- the one which was added to the
<form action> for logging in. So I couldn't even log in to my own
application :)

-chris

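Added example (not part of the original message, and not Tomcat's own code): a simplified model of the failure described above, where a bounded nonce cache of size 5 evicts the first nonce issued, the one embedded in the login form, once a sixth nonce is generated. The class and method names are hypothetical, and the nonce values are constructed stand-ins.

```java
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.Map;

public class NonceCacheDemo {

    /** Simplified model of a bounded nonce cache: the oldest nonce is dropped first. */
    static final class NonceCache {
        private final Map<String, Boolean> nonces;

        NonceCache(final int capacity) {
            // Insertion-ordered map that discards its eldest entry once capacity is exceeded.
            nonces = new LinkedHashMap<String, Boolean>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                    return size() > capacity;
                }
            };
        }

        void add(String nonce) { nonces.put(nonce, Boolean.TRUE); }

        boolean contains(String nonce) { return nonces.containsKey(nonce); }
    }

    /**
     * Returns true if the first nonce issued (the one embedded in the login
     * form's action URL) is still cached after noncesIssued nonces were generated.
     */
    static boolean formNonceSurvives(int cacheSize, int noncesIssued) {
        SecureRandom random = new SecureRandom();
        NonceCache cache = new NonceCache(cacheSize);
        String formNonce = null;
        for (int i = 0; i < noncesIssued; i++) {
            String nonce = Long.toHexString(random.nextLong()); // constructed stand-in value
            cache.add(nonce);
            if (i == 0) {
                formNonce = nonce;
            }
        }
        return formNonce != null && cache.contains(formNonce);
    }

    public static void main(String[] args) {
        System.out.println("size 5, 5 nonces issued: " + formNonceSurvives(5, 5));
        System.out.println("size 5, 6 nonces issued: " + formNonceSurvives(5, 6));
        System.out.println("size 10, 6 nonces issued: " + formNonceSurvives(10, 6));
    }
}
```

In a deployment, the corresponding setting is the filter's `nonceCacheSize` init-param in the application's WEB-INF/web.xml.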