On 30/03/2023 15:11, Christopher Schultz wrote:
> All,
>
> On 3/30/23 10:02, Christopher Schultz wrote:
>> All,
>>
>> Yes, I could read the code, but I was wondering if the
>> (Session)Manager configuration attributes sessionAttributeNameFilter
>> and sessionAttributeValueClassNameFilter are expected to apply to both
>> clustering AND cross-restart persistence, or only clustering.
>>
>> The documentation[1] says that these attributes configure "which
>> session attributes will be *distributed*" (emphasis mine). Is this
>> intended to only apply to "distribution" (i.e. Clustering) or does it
>> affect all types of serialization?
>>
>> If it only affects Clustering, I would suggest that we should change
>> it to apply to all types of serialization (since these attributes
>> exist to provide some security controls which should apply in any
>> context). If it affects both, I think we should update the documentation.
>>
>> Thanks,
>> -chris
>>
>> [1] https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html#Standard_Implementation and also PersistentManager, which for some reason does not have an entry in the TOC on that page.
>
> After checking the code, it appears that all types of persistence
> (clustering, persisting-to-file across restarts, writing to a Store) use
> StandardSession.doWriteObject and StandardSession.doReadObject (or their
> overridden implementations in DeltaSession), all of which ultimately
> check both of these filters.
>
> I would like to update the documentation to make it clear that these
> filters apply to all uses of serialization.

+1

Mark
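
A simplified Java model of the behaviour described in the thread, added here as an illustration and not taken from Tomcat's source: one shared write path consults both a name filter and a value-class-name filter, so clustering, file persistence and Store persistence all get the same result. The class and method names, the filter values and the sample session are assumptions made for the example.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

// Simplified model (not Tomcat source) of a single write path that every
// persistence mechanism shares and that consults both filters.
public class SessionAttributeFilterDemo {
    // Constructed sample filter values; both are regular expressions.
    static final Pattern NAME_FILTER = Pattern.compile("(user|cart)\\..*");
    static final Pattern VALUE_CLASS_FILTER =
            Pattern.compile("java\\.lang\\.(String|Integer)|java\\.util\\.ArrayList");

    // An attribute is written only if its name AND its value's class name
    // match; a null pattern means "no restriction" for that filter.
    static boolean willPersist(String name, Object value) {
        if (NAME_FILTER != null && !NAME_FILTER.matcher(name).matches()) return false;
        if (value != null && VALUE_CLASS_FILTER != null
                && !VALUE_CLASS_FILTER.matcher(value.getClass().getName()).matches()) return false;
        return value instanceof Serializable;
    }

    // Shared by the "cluster", "file" and "store" callers in this model, so the
    // filters cannot be bypassed by choosing a different persistence type.
    static List<String> writeSession(Map<String, Object> attrs, OutputStream out) throws IOException {
        List<String> written = new ArrayList<>();
        try (ObjectOutputStream oos = new ObjectOutputStream(out)) {
            for (Map.Entry<String, Object> e : attrs.entrySet()) {
                if (!willPersist(e.getKey(), e.getValue())) continue;
                oos.writeObject(e.getKey());
                oos.writeObject(e.getValue());
                written.add(e.getKey());
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        Map<String, Object> attrs = new LinkedHashMap<>();      // constructed sample session
        attrs.put("user.name", "alice");
        attrs.put("cart.items", new ArrayList<>(List.of("sku-1")));
        attrs.put("debug.token", "not-for-disk");               // fails the name filter
        attrs.put("user.prefs", new HashMap<String, String>()); // fails the class filter
        for (String target : List.of("cluster", "file", "store")) {
            System.out.println(target + " -> " + writeSession(attrs, new ByteArrayOutputStream()));
        }
    }
}
```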