tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
Date Fri, 12 Feb 2016 19:35:34 GMT
On 12.02.2016 20:08, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> André,
>
> On 2/12/16 1:11 PM, André Warnier (tomcat) wrote:
>> Sorry, I lost the original message, so I can't respond in-thread. I
>> only saw the last message, but to that, isn't this what the Op is
>> asking for :
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/
> HttpServletRequest.html
>>
>>
>>
>> No matter which jar these things are in, if these methods get
>> called, they should return the current URI which the client called
>> to trigger the current webapp, no ? (I'm talking of getRequestURL()
>> and siblings).
>
> Mark's response accurately points out that anything the library does
> to try to determine which application it's running under can
> relatively easily be subverted by the application itself.
>
> For your example above, it would be easy to simply wrap the
> HttpServletRequest object and override "getRequestURL" and friends.
>
> If you don't trust the code calling you, then you can't trust anything
> up the stack.
>

Ok, sorry, I have not really followed the thread since the beginning. I did not realise 
that there was a question of not trusting the *code* of the webapps themselves.
I though it was only not trusting the client (browser or whatever).

But let me then push the question one level deeper, at the Java level : is there a way by

which some code about to call a method, could find out if this method is "the genuine 
article", or has been overridden by a wrapper for instance ?

(And I do realise that this is not really applicable here, it is more by curiosity)
I mean, the JVM of course must know; but is there a way by which the code can ask the JVM

about this ?
Or alternatively, can the code "force" the JVM to execute the real method of the original

parent (in this case HttpServletRequest) instead of a perhaps wrapper object's method ?



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message