tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?
Date Mon, 15 Feb 2016 10:26:55 GMT
On 15.02.2016 11:06, Christoph Nenning wrote:
>> Perhaps I'm naïve, but I was looking for a Tomcat provided
>> "getCurrentURL()" call, and assumed that nothing else could have that. :-)
>>
>> Thank you for the SecurityManager suggestion, I hadn't thought about that.
>> I'll look into how much of a pain that is.
>
>
> You can rebuild the url with several methods of HttpServletRequest like:
> - getScheme()
> - getServerPort()
> - getContextPath()
> - getServletPath()
> - getPathInfo()
>
> To figure out the host name you can use the Host header:
> getHeader("Host")
>
>
> Regards,
> Christoph
>

Christoph,
to save the OP (and Mark, and Christopher) some re-explaining, here is a summary:

- the above is known
- but the question here is that the above cannot be trusted, because the webapp cannot be
trusted, and the webapp could have "wrapped" the original HttpServletRequest with another
object, which could have its own methods overriding the above and returning falsified
responses.

Granted, this is a bit nitpicking, but this being done as part of some security scheme
(the validity of which is not the point of this summary), one needs to take this into
consideration.

André



>> On 2/11/16, 5:33 PM, "Mark Thomas" <markt@apache.org> wrote:
>>
>>> On 11/02/2016 22:56, Dougherty, Gregory T., M.S. wrote:
>>>> I would like to have a jar file in tomcat/lib that can be called from
>>>> any of the running web apps.  I need for the code in the jar to behave
>>>> differently depending on which web app called it.  It is not in this
>>>> case possible for the code to "trust" the caller to tell it the URL of
>>>> the caller.
>>>>
>>>> Is it possible for that code to independently determine the URL of the
>>>> caller?
>>>
>>> If you can't trust the caller to tell you the URL, you can't trust that
>>> the caller isn't going to tinker with whatever mechanism you do use to
>>> determine the URL.
>>>
>>> You'd have a better chance of doing this if you ran under a
>>> SecurityManager but unless you write an application from the start with
>>> the intention of running it under a SecurityManager it is usually a lot
>>> of additional effort to update the app so it runs correctly.
>>>
>>> Mark
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org




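The two points made in this thread, Christoph's URL reconstruction from HttpServletRequest and André's objection that a wrapped request can override those same methods, as an added Java example that is not code from the thread or from Tomcat. It assumes the javax.servlet API on the classpath (Tomcat 7 through 9; Tomcat 10 moved to jakarta.servlet), and it stands in a java.lang.reflect.Proxy for the container's own request object with constructed values so the demo runs without a server. The unwrap() helper walks the standard ServletRequestWrapper chain via getRequest(); the class name LyingRequest and the hostname example.test are invented for the demonstration.

```java
import java.lang.reflect.Proxy;
import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class CallerUrlDemo {

    /** Rebuild the request URL from the accessors Christoph lists. */
    static String rebuildUrl(HttpServletRequest req) {
        StringBuilder sb = new StringBuilder();
        sb.append(req.getScheme()).append("://").append(req.getServerName());
        int port = req.getServerPort();
        boolean defaultPort = ("http".equals(req.getScheme()) && port == 80)
                || ("https".equals(req.getScheme()) && port == 443);
        if (!defaultPort) {
            sb.append(':').append(port);
        }
        sb.append(req.getContextPath()).append(req.getServletPath());
        if (req.getPathInfo() != null) {
            sb.append(req.getPathInfo());
        }
        return sb.toString();
    }

    /**
     * Follow the ServletRequestWrapper chain down to the innermost object.
     * This only catches wrappers that extend ServletRequestWrapper; a class
     * implementing HttpServletRequest directly is invisible to this check,
     * which is Mark's point that an untrusted caller can defeat any
     * in-process mechanism short of a SecurityManager.
     */
    static ServletRequest unwrap(ServletRequest req) {
        while (req instanceof ServletRequestWrapper) {
            req = ((ServletRequestWrapper) req).getRequest();
        }
        return req;
    }

    /** Hypothetical wrapper that lies about its context path, as André describes. */
    static class LyingRequest extends HttpServletRequestWrapper {
        LyingRequest(HttpServletRequest req) {
            super(req);
        }

        @Override
        public String getContextPath() {
            return "/trusted-app";
        }
    }

    /** Constructed stand-in for the container's request; no Tomcat involved. */
    static HttpServletRequest fakeContainerRequest() {
        Map<String, Object> values = Map.of(
                "getScheme", "https",
                "getServerName", "example.test",
                "getServerPort", 8443,
                "getContextPath", "/untrusted-app",
                "getServletPath", "/api",
                "getPathInfo", "/items/1");
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class },
                (proxy, method, args) -> values.get(method.getName()));
    }

    /** True when the wrapper chain changes the rebuilt URL. */
    static boolean wrapperAltersUrl(HttpServletRequest req) {
        String seen = rebuildUrl(req);
        String underlying = rebuildUrl((HttpServletRequest) unwrap(req));
        return !seen.equals(underlying);
    }

    public static void main(String[] args) {
        HttpServletRequest real = fakeContainerRequest();
        HttpServletRequest wrapped = new LyingRequest(real);

        System.out.println("through the wrapper: " + rebuildUrl(wrapped));
        System.out.println("after unwrapping:    "
                + rebuildUrl((HttpServletRequest) unwrap(wrapped)));
        System.out.println("wrapper altered URL: " + wrapperAltersUrl(wrapped));
    }
}
```

Compile with the servlet API jar on the classpath (for example Tomcat's lib/servlet-api.jar) and run the main method: the first line prints the falsified /trusted-app path, the second the real /untrusted-app path, and the comparison reports true. The check is worth having as a cheap sanity test, but it is not a trust boundary: it relies on the caller using the standard wrapper base class, so the conclusion of the thread stands that only a SecurityManager can stop an untrusted webapp from controlling what the shared jar observes.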