On 20/08/2010 22:40, Wesley Acheson wrote: > I'm a bit lost with this thread. Are people suggesting I should submit a > patch. I really wouldn't know where to begin looking.
That's where the discussion was heading. Tomcat is Open Source. The first place to look would be SVN. http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/ p > On Fri, Aug 20, 2010 at 7:47 PM, Pid <p...@pidster.com> wrote: > >> On 20/08/2010 17:35, Christopher Schultz wrote: >>> Pid, >>> >>> On 8/20/2010 8:33 AM, Pid wrote: >>>> On 19/08/2010 20:41, Wesley Acheson wrote: >>>>> On Thu, Aug 19, 2010 at 6:25 PM, Len Popp <len.p...@gmail.com> wrote: >>>>> >>>>>> On Thu, Aug 19, 2010 at 12:01, Christopher Schultz >>>>>> <ch...@christopherschultz.net> wrote: >>>>>>> The servlet specification mandates this behavior. Tomcat simply must >>>>>>> support it. The spec says nothing of configurability, so Tomcat does >> not >>>>>>> provide any. Hence the need to write a filter to achieve your desired >>>>>>> behavior. >>>>>> >>>>>> That's not inviolable dogma. Tomcat does have some settings that make >>>>>> it operate out-of-spec, e.g. non-standard cookie parsing. I don't see >>>>>> why an option couldn't be added to disable JSESSIONID in URLs, if >>>>>> enough people would find it useful. >>>>>> -- >>>>>> Len >>>>> >>>>> >>>>> Is there anywhere we could vote for such a feature? I know Resin has >> it as >>>>> I've stated before. >>> >>>> You could file an enhancement request in Bugzilla, but it would be more >>>> likely to get attention if it came with a patch. I can't comment as to >>>> whether it would be approved or not. >>> >>> This sounds like something that could easily be implemented as a Valve. >>> My understanding is that the only place where the jsessionid can't be >>> removed from URLs by a Filter is during the authentication process. A >>> Valve can be inserted /before/ the authentication/authorization Valve(s) >>> and therefore override the encodeURL behavior to perform /no/ URL >> rewriting. >>> >>> Maybe one of the TC devs can tell us how to insert a Valve /before/ the >>> AAA valves that are automatically set up by the security configuration >>> in web.xml, but never explicitly defined using a <Valve> element >> anywhere. >> >> Maybe look to see how it's implemented in v7.0 and hack something up. >> >> Taking Mark's hint and setting something on the Context, with effect on >> StandardContextValve maybe... >> >> >> p >> >>> -chris >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> >
0x62590808.asc
Description: application/pgp-keys
signature.asc
Description: OpenPGP digital signature