tomcat-users mailing list archives

From Nadav Katz <nadav.k...@oracle.com>
Subject RE: Tomcat not conforming to Servlet spec 2.4+ in regards to jsp:include
Date Mon, 08 Aug 2011 07:00:05 GMT
Thank you for your answer, it hadn't occurred to me to try removing the jsp mapping. Unfortunately
it doesn't work...I removed it, and behavior stays the same. I tried setting the STRICT_SERVLET_COMPLIANCE=true
(hoping the strict request wrapping rules would help), but no go.
This problem is a real headache for me, since with no solution I will need to redesign everything
or break all our dynamic includes which I definitely can't do.
Thanks anyway!
Nadav
 

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com] 
Sent: Monday, August 08, 2011 8:59 AM
To: Tomcat Users List
Subject: Re: Tomcat not conforming to Servlet spec 2.4+ in regards to jsp:include

2011/8/8 Nadav Katz <nadav.katz@oracle.com>:
>
> I have a filter in place for validating CSRF tokens. I only wish to validate requests
> coming from the client, so no validation for dynamic includes or forwards. My web.xml for
> the filter looks like this:
>
> <filter-mapping>
>         <filter-name>CSRFFilter</filter-name>
>         <url-pattern>*.jsp</url-pattern>
>         <servlet-name>SomeServlet</servlet-name>
> </filter-mapping>
>
>(...)
>
> <jsp:include page="/SomeServlet" flush="true" >
>         <jsp:param name="action" value="9" />
>     </jsp:include>
>

What if you remove "<url-pattern>*.jsp</url-pattern>" line from the
above filter-mapping?

BTW, to strictly follow the specs, one has to run Tomcat with
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
-- see System Properties page in Configuration Reference. You can add
the above line to catalina.properties. It should not change anything
for this use case though.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
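
An added example, not code from this thread or from the Tomcat project: one way to make a CSRF filter skip dynamic includes and forwards no matter how the container applies the filter-mapping, by checking the request attributes the Servlet specification defines for those dispatches. The parameter and session attribute name `csrfToken` is an assumption; the class name reuses the `CSRFFilter` name from the quoted web.xml.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

public class CSRFFilter implements Filter {
    // Set by the container for the duration of an include or a forward.
    // Request attributes exist only server-side, so a client cannot forge them.
    private static final String INCLUDE_URI = "javax.servlet.include.request_uri";
    private static final String FORWARD_URI = "javax.servlet.forward.request_uri";
    // Assumed name for both the request parameter and the session attribute.
    private static final String TOKEN_NAME = "csrfToken";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Internal dispatches pass through; only client requests are validated.
        if (isInternalDispatch(request) || tokenMatches(request)) {
            chain.doFilter(req, res);
            return;
        }
        ((HttpServletResponse) res).sendError(
                HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
    }

    // True when this invocation happens inside jsp:include / RequestDispatcher.include()
    // or after RequestDispatcher.forward().
    static boolean isInternalDispatch(HttpServletRequest request) {
        return request.getAttribute(INCLUDE_URI) != null
                || request.getAttribute(FORWARD_URI) != null;
    }

    // Compares the submitted token with the session copy in constant time.
    // A missing session or token on either side fails closed.
    static boolean tokenMatches(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        Object expected = (session == null) ? null : session.getAttribute(TOKEN_NAME);
        String supplied = request.getParameter(TOKEN_NAME);
        if (!(expected instanceof String) || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```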



