tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Is there a better way to disable JSESSIONID in the URLs?
Date Fri, 20 Aug 2010 16:35:03 GMT

Pid,

On 8/20/2010 8:33 AM, Pid wrote:
> On 19/08/2010 20:41, Wesley Acheson wrote:
>> On Thu, Aug 19, 2010 at 6:25 PM, Len Popp <len.popp@gmail.com> wrote:
>>
>>> On Thu, Aug 19, 2010 at 12:01, Christopher Schultz
>>> <chris@christopherschultz.net> wrote:
>>>> The servlet specification mandates this behavior. Tomcat simply must
>>>> support it. The spec says nothing of configurability, so Tomcat does not
>>>> provide any. Hence the need to write a filter to achieve your desired
>>>> behavior.
>>>
>>> That's not inviolable dogma. Tomcat does have some settings that make
>>> it operate out-of-spec, e.g. non-standard cookie parsing. I don't see
>>> why an option couldn't be added to disable JSESSIONID in URLs, if
>>> enough people would find it useful.
>>> --
>>> Len
>>
>>
>> Is there anywhere we could vote for such a feature?  I know Resin has it as
>> I've stated before.
> 
> You could file an enhancement request in Bugzilla, but it would be more
> likely to get attention if it came with a patch.  I can't comment as to
> whether it would be approved or not.

This sounds like something that could easily be implemented as a Valve.
My understanding is that the only place where the jsessionid can't be
removed from URLs by a Filter is during the authentication process. A
Valve can be inserted /before/ the authentication/authorization Valve(s)
and therefore override the encodeURL behavior to perform /no/ URL rewriting.

Maybe one of the TC devs can tell us how to insert a Valve /before/ the
AAA valves that are automatically set up by the security configuration
in web.xml, but never explicitly defined using a <Valve> element anywhere.

-chris
