2011/10/11 Paul Wilson <paulalexwil...@gmail.com>:
> Hi there,
>
> I'm trying to understand what has changed w.r.t. Tomcat 6/7 and
> returning path parameters from various calls to the HttpServletRequest
> methods. In particular, I'd like to understand which of the four
> methods:
>
>  * getServletPath
>  * getContextPath
>  * getPathInfo
>  * getRequestURI
>
> return so-called 'path parameters' across various Tomcat versions.

I cannot speak about "various" versions (because it was a bug that was
fixed in 6.0.33).

My understanding is that getServletPath and getContextPath should not
have path parameters, because they reflect mapping upon Servlets, and
this mapping ignores path parameters.

The getPathInfo and getRequestURI methods provide information about
the "original" request and thus have the parameters.

The fact that getPathInfo and getRequestURI do return path parameters
is explicitly mentioned in the Servlet specification - see chapter SRV.3.1
in servlet-2_5-mrel2-spec.pdf.


> It appears that something changed around 6.0.33, although I can only find
> the following reference in the changelog:
>
> "Improve handling of URLs with path parameters and prevent incorrect
> 404 responses that could occur when path parameters were present.
> (kkolinko)"
>
> Is there any more formal information about this change?

The change itself - see svn or the commit message in the dev@ archives. There
was also some discussion on dev@ before it.

http://svn.apache.org/viewvc?view=revision&revision=1149220

> Frameworks
> that utilise URL-based resource resolution will break if, for example,
> ;jsessionid is all-of-a-sudden returned from these calls when
> previously they were removed.

That is essentially their fault. They will break as well when used in
other Servlet containers. In certain scenarios that can even lead to
security issues, like

http://www.springsource.com/security/cve-2010-3700

Workarounds are possible, by using a Filter or Valve to rewrite the URL.

Best regards,
Konstantin Kolinko
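
The Filter workaround mentioned in the reply above could look like the following sketch. It is an added example, not code from the original message or from the Tomcat project; the class name `StripPathParametersFilter` and the helper `stripPathParameters` are hypothetical, and the `javax.servlet` API of Servlet 2.5/3.0 (Tomcat 6/7) is assumed.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter: map it ahead of any code that resolves resources from the URL.
public class StripPathParametersFilter implements Filter {

    // Removes ";name=value" from every segment: "/a;x=1/b;jsessionid=AB" -> "/a/b".
    static String stripPathParameters(String path) {
        if (path == null || path.indexOf(';') < 0) {
            return path;
        }
        StringBuilder out = new StringBuilder(path.length());
        boolean inParam = false;
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c == '/') {
                inParam = false;   // parameters end at the segment boundary
            } else if (c == ';') {
                inParam = true;    // skip everything up to the next '/'
            }
            if (!inParam) {
                out.append(c);
            }
        }
        return out.toString();
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        // Only the two methods that carry path parameters are overridden.
        chain.doFilter(new HttpServletRequestWrapper((HttpServletRequest) req) {
            @Override public String getRequestURI() {
                return stripPathParameters(super.getRequestURI());
            }
            @Override public String getPathInfo() {
                return stripPathParameters(super.getPathInfo());
            }
        }, res);
    }
}
```

Stripping applies to every path segment, not only the last one, so access checks and resource lookups further down the chain compare against the same path the container used for servlet mapping.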
