tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Res: JSESSIONID Cookie handle customizing
Date Fri, 15 Oct 2010 18:44:56 GMT

Pid,

On 10/15/2010 12:19 PM, Pid wrote:
> On 15/10/2010 17:02, Juliano Daloia de Carvalho wrote:
>> I'll inject code using an agent. 
>>
>> The thing is that I need to know for sure the message entry point in Tomcat,
>> and the exit point also, so I can sniff whether the client's message has
>> the Cookie info with JSESSIONID= or not, and, before sending, check whether Tomcat
>> sent Set-Cookie in the header so I can make the change needed.
> 
> Why?  What does the code do that can't be done via a Servlet Filter?

You can't intercept the JSESSIONID in the following scenario:

1. User requests protected resource
2. Tomcat creates HttpSession, replies with Set-Cookie and FORM login page
3. User authenticates
4. User is forwarded/redirected to originally-requested resource from #1

Until step #4, no webapp-defined filter will run :(

This can be done with a Valve, but I'm not exactly sure how to insert a
Valve before the authentication valve, which is (I think) what you'd
have to do.

-chris
