Author: markt Date: Mon Oct 25 17:00:43 2010 New Revision: 1027196 URL: http://svn.apache.org/viewvc?rev=1027196&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49811 Add context option to disable URL re-writing and session parsing from URLs Based on a patch by Wesley.
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/mbeans-descriptors.xml tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1027196&r1=1027195&r2=1027196&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Mon Oct 25 17:00:43 2010 
@@ -225,21 +225,6 @@ PATCHES PROPOSED TO BACKPORT: +1: kkolinko -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49811 - Add context option to disable URL re-writing and session parsing from URLs - Based on a patch by Wesley. - https://issues.apache.org/bugzilla/attachment.cgi?id=26135 - +1: markt, kkolinko, kfujino - -1: - kkolinko: minor thoughts, not mandatory: - - I think in CoyoteAdapter.java the added "if (isURLRewritingDisabled(request))" call - should better be moved below setWrapper(..), for better readability. - - Implementation of CoyoteAdapter.isURLRewritingDisabled(request) could call - request.getContext(), because request.setContext(..) was already called, - but I do not insist on such changes. - - Do not remove "// Make sure no session ID is returned" comment. - - Documentation update will be needed. - * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50072 NIO connector can mis-read request line if not sent in a single pacaket https://issues.apache.org/bugzilla/attachment.cgi?id=26173&action=edit Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java?rev=1027196&r1=1027195&r2=1027196&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java Mon Oct 25 17:00:43 2010 
@@ -325,6 +325,35 @@ public interface Context extends Contain * @param docBase The new document root */ public void setDocBase(String docBase); + + + /** + * Is URL rewriting disabled? + * URL rewriting is an optional component of the servlet 2.5 specification. + * However if set to true this will be non-compliant with the specification + * as the specification requires that there <b>must</b> be a way to retain + * sessions if the client doesn't allow session cookies. + * + * @return true If URL rewriting is disabled. + * + * @see <a href="http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html">Servlet + * 2.5 Specification. Sections SRV.7.1.3 and SRV.7.1.4</a> + * @see javax.servlet.http.HttpServletResponse#encodeURL(String) encodeURL + * @see javax.servlet.http.HttpServletResponse#encodeRedirectURL(String) + * encodeRedirectURL + */ + public boolean isDisableURLRewriting(); + + /** + * Is URL rewriting disabled? + * URL rewriting is an optional component of the servlet 2.5 specification. + * However if set to true this will be non-compliant with the specification + * as the specification requires that there <b>must</b> be a way to retain + * sessions if the client doesn't allow session cookies. + * + * @param disable True to disable URL Rewriting. Default <b>false</b>. + */ + public void setDisableURLRewriting(boolean disable); /** Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=1027196&r1=1027195&r2=1027196&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java Mon Oct 25 17:00:43 2010 
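Review bot: The Javadoc on `setDisableURLRewriting` repeats the getter's opening question "Is URL rewriting disabled?" and, like the getter's, covers only the `encodeURL` side of the option. Per the commit log the flag also stops the container from using a session ID parsed from the request URL, which is what someone hardening a deployment against session IDs in links and logs will look for. I would open the setter comment with `Enables or disables URL rewriting and the use of session IDs supplied in the request URL for this context.` and add the same second clause to the getter. Adding two abstract methods to the public `Context` interface on a maintenance branch will also break external implementations at compile time, so the changelog entry should say so.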
@@ -462,6 +462,13 @@ public class CoyoteAdapter implements Ad connector.getMapper().map(serverName, decodedURI, request.getMappingData()); request.setContext((Context) request.getMappingData().context); + + // Had to do this after the context was set. + // Unfortunately parseSessionId is still necessary as it + // affects the final URL. Safe as session cookies still + // haven't been parsed. + if (isURLRewritingDisabled(request)) + clearRequestedSessionURL(request); request.setWrapper((Wrapper) request.getMappingData().wrapper); // Filter trace method @@ -516,6 +523,13 @@ public class CoyoteAdapter implements Ad return true; } + private boolean isURLRewritingDisabled(Request request) { + Context context = (Context) request.getMappingData().context; + if (context != null) + return (context.isDisableURLRewriting()); + else + return (false); + } /** * Parse session id in URL. 
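Review bot: In the first CoyoteAdapter hunk the new `clearRequestedSessionURL(request)` call is correct only because of statement order. The helper added in the third CoyoteAdapter hunk nulls `requestedSessionId` whatever its source, and the in-code comment relies on session cookies being parsed later. Guarding at the call site removes that coupling: `if (isURLRewritingDisabled(request) && request.isRequestedSessionIdFromURL())`, with braces around the body. The enclosing method starts and ends outside the hunk, so whether anything between the earlier URL session parsing and this point already reads the ID cannot be confirmed from here.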
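Review bot: `isURLRewritingDisabled` in the second CoyoteAdapter hunk is undocumented and written as an unbraced `if`/`else` with parenthesised returns, where one expression says the same thing: `return context != null && context.isDisableURLRewriting();`. A short comment such as `// No mapped context: nothing to disable, keep default handling.` would record why a null context yields `false`. A blank line before the following `/** Parse session id in URL.` Javadoc would keep the helper visually separate from the next method.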
@@ -561,18 +575,22 @@ public class CoyoteAdapter implements Ad request.setRequestedSessionURL(true); } catch (UnsupportedEncodingException uee) { // Make sure no session ID is returned - request.setRequestedSessionId(null); - request.setRequestedSessionURL(false); + clearRequestedSessionURL(request); log.warn(sm.getString("coyoteAdapter.parseSession", enc), uee); } } else { - request.setRequestedSessionId(null); - request.setRequestedSessionURL(false); + clearRequestedSessionURL(request); } } + private void clearRequestedSessionURL(Request request) { + request.setRequestedSessionId(null); + request.setRequestedSessionURL(false); + } + + /** * Parse session id in URL. */ Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java?rev=1027196&r1=1027195&r2=1027196&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java Mon Oct 25 17:00:43 2010 
@@ -1479,12 +1479,14 @@ public class Response * <li>The requested session ID was not received via a cookie * <li>The specified URL points back to somewhere within the web * application that is responding to this request + * <li>If URL rewriting hasn't been disabled for this context * </ul> * * @param location Absolute URL to be validated */ protected boolean isEncodeable(final String location) { - + if (getContext().isDisableURLRewriting()) + return (false); if (location == null) return (false); Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java?rev=1027196&r1=1027195&r2=1027196&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java Mon Oct 25 17:00:43 2010 @@ -341,6 +341,12 @@ public class StandardContext /** + * Has URL rewriting been disabled. + */ + private boolean disableURLRewriting = false; + + + /** * The exception pages for this web application, keyed by fully qualified * class name of the Java exception. */ 
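Review bot: The new first statement of `Response.isEncodeable` dereferences `getContext()` without a null check, while `CoyoteAdapter.isURLRewritingDisabled` in this same commit treats a null context as possible. If `getContext()` can return null here (its implementation is not visible in the hunk), `encodeURL` on a request with no mapped context would now throw instead of returning the URL unencoded. I would write the condition as `if (getContext() != null && getContext().isDisableURLRewriting())` and keep the existing `return (false);`. The method body continues outside the hunk.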
@@ -1461,6 +1467,37 @@ public class StandardContext this.docBase = docBase; } + + /** + * Is URL rewriting disabled? + * URL rewriting is an optional component of the servlet 2.5 specification. + * However if set to true this will be non-compliant with the specification + * as the specification requires that there <b>must</b> be a way to retain + * sessions if the client doesn't allow session cookies. + * + * @return true If URL rewriting is disabled. + * + * @see <a href="http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html">Servlet + * 2.5 Specification. Sections SRV.7.1.3 and SRV.7.1.4</a> + * @see javax.servlet.http.HttpServletResponse#encodeURL(String) encodeURL + * @see javax.servlet.http.HttpServletResponse#encodeRedirectURL(String) + * encodeRedirectURL + */ + public boolean isDisableURLRewriting() { + return (this.disableURLRewriting); + } + + /** + * Sets the disabling of URL Rewriting. + * @param disable True to disable URL Rewriting. Default <b>false</b>. + */ + public void setDisableURLRewriting(boolean disable){ + boolean oldDisableURLRewriting = this.isDisableURLRewriting(); + this.disableURLRewriting = disable; + support.firePropertyChange("disableURLRewriting", + oldDisableURLRewriting, disableURLRewriting); + + } // experimental public boolean isLazy() { Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/mbeans-descriptors.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/mbeans-descriptors.xml?rev=1027196&r1=1027195&r2=1027196&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/mbeans-descriptors.xml (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/mbeans-descriptors.xml Mon Oct 25 17:00:43 2010 
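Review bot: `setDisableURLRewriting` documents its parameter but not the effect of changing the flag on a running context. From the other hunks, once it is true `isEncodeable` returns false and a URL-supplied session ID is discarded, so clients tracked only through the URL would no longer be matched to their session. The attribute is also exposed in `mbeans-descriptors.xml`, so the change may be made at runtime. I would add to the Javadoc: `Takes effect for subsequent requests; sessions tracked only via the URL are no longer resolved once this is set to true.` Minor style: add a space in `disable){` and drop the blank line before the method's closing brace.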
@@ -135,6 +135,11 @@ description="String deployment descriptor " type="java.lang.String"/> + <attribute name="disableURLRewriting" + description="Is URL Rewriting disabled?" + is="true" + type="boolean"/> + <attribute name="docBase" description="The document root for this web application" type="java.lang.String"/> Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1027196&r1=1027195&r2=1027196&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Mon Oct 25 17:00:43 2010 @@ -109,6 +109,10 @@ Provide better web application state information via JMX. (markt) </add> <add> + <bug>49811</bug>: Add an option to disable URL rewriting on a per + Context basis. (markt) + </add> + <add> <bug>49856</bug>: Expose the executor name for the connector via JMX. (markt) </add> Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml?rev=1027196&r1=1027195&r2=1027196&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml Mon Oct 25 17:00:43 2010 
@@ -167,6 +167,17 @@ return <code>null</code>.</p> </attribute> + <attribute name="disableURLRewriting" required="false"> + <p>Set to <code>true</code> to disable support for using URL rewriting + to track session IDs for clients of this Context. URL rewriting is an + optional component of the servlet 2.5 specification but disabling URL + rewriting will result in non-compliant behaviour since the specification + requires that there <em>must</em> be a way to retain sessions if the + client doesn't allow session cookies. If not specified, the + specification compliant default value of <code>false</code> will be + used.</p> + </attribute> + <attribute name="docBase" required="true"> <p>The <em>Document Base</em> (also known as the <em>Context Root</em>) directory for this web application, or the pathname --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org