All,
On 3/30/23 10:02, Christopher Schultz wrote:
All,
Yes, I could read the code, but I was wondering if the (Session)Manager
configuration attributes sessionAttributeNameFilter and
sessionAttributeValueClassNameFilter are expected to apply to both
clustering AND cross-restart persistence, or only clustering.
The documentation[1] says that these attributes configure "which session
attributes will be *distributed*" (emphasis mine). Is this intended to
only apply to "distribution" (i.e. Clustering) or does it affect all
types of serialization?
If it only affects Clustering, I would suggest that we should change it
to apply to all types of serialization (since these attributes exist to
provide some security controls which should apply in any context). If it
affects both, I think we should update the documentation.
Thanks,
-chris
[1]
https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html#Standard_Implementation and also PersistentManager, which for some reason does not have an entry in the TOC on that page.
After checking the code, it appears that all types of persistence
(clustering, persisting-to-file across restarts, writing to a Store) use
StandardSession.doWriteObject and StandardSession.doReadObject (or their
overridden implementations in DeltaSession), all of which ultimately
check both of these filters.
I would like to update the documentation to make it clear that these
filters apply to all uses of serialization.
-chris
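
An added illustration, not part of the original thread or of Tomcat's shipped configuration: a non-clustered context.xml that sets both filters on a PersistentManager with a FileStore, the kind of setup the finding above says is also covered. The regular expressions, attribute names being matched, and the store directory are constructed sample values.

```xml
<!-- META-INF/context.xml (constructed example; no clustering configured) -->
<Context>
  <!--
    Per the message above, the two filters are checked on every
    serialization path, so they apply here even though the session is
    only written to a Store and never replicated.
  -->
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeNameFilter="(?:cart|locale|userId)"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|String)"
           warnOnSessionAttributeFilterFailure="true">
    <!-- Sample directory name; relative paths resolve under the context's work directory -->
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>
```

Each pattern must match the whole attribute name or the fully qualified class name of the value; with warnOnSessionAttributeFilterFailure enabled, attributes rejected by a filter are logged at WARN level, which makes it easy to confirm the filter is active on the persistence path.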