Path Parameters - Servlet API

[Paul Wilson <pa...@gmail.com>]

Hi there,

I'm trying to understand what has changed w.r.t. Tomcat 6/7 and
returning path parameters from various calls to the HTTPServletRequest
methods. In particular, I'd like to understand which of the four
methods:

 * getServletPath
 * getContextPath
 * getPathInfo
 * getRequestURI

return so-called 'path parameters' across various Tomcat versions. It
appears that something changed around 6.0.33, although I can only find
the following reference in the changelog:

"Improve handling of URLs with path parameters and prevent incorrect
404 responses that could occur when path parameters were present.
(kkolinko)"

Is there any more formal information about this change? Frameworks
that utilise URL-based resource resolution will break if, for example,
;jsessionid is all-of-a-sudden returned from these calls when
previously they were removed.

Regards,
Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Path Parameters - Servlet API

[Mark Thomas <ma...@apache.org>]

On 11/10/2011 12:13, Paul Wilson wrote:
> On 11 October 2011 12:08, Konstantin Kolinko <kn...@gmail.com> wrote:
>> Hm...
>>
>> There are RequestInfoExample servlet and snoop.jsp in the sample webapp.
>>
>> Testing them apparently getPathInfo() still does not return path parameters.
>>
>> http://localhost:8080/examples/jsp/snp;x=y/snoop.jsp
>> http://localhost:8080/examples/servlets/servlet;foo=bar/RequestInfoExample/baz;y=z/d
>>
>> The second one prints:
>> Path Info:      /baz/d
>>
>> both in trunk and in current 6.0.
> 
> Thanks for the information.

There was a clarification from the EG (that never made it into the
specification) that path parameters should not be included in getPathInfo()
https://issues.apache.org/bugzilla/show_bug.cgi?id=25015

I have raised this again as
http://java.net/jira/browse/SERVLET_SPEC-18
along with a bunch of related issues.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Path Parameters - Servlet API

[Paul Wilson <pa...@gmail.com>]

On 11 October 2011 12:08, Konstantin Kolinko <kn...@gmail.com> wrote:
> Hm...
>
> There are RequestInfoExample servlet and snoop.jsp in the sample webapp.
>
> Testing them apparently getPathInfo() still does not return path parameters.
>
> http://localhost:8080/examples/jsp/snp;x=y/snoop.jsp
> http://localhost:8080/examples/servlets/servlet;foo=bar/RequestInfoExample/baz;y=z/d
>
> The second one prints:
> Path Info:      /baz/d
>
> both in trunk and in current 6.0.

Thanks for the information.
Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Path Parameters - Servlet API

[Konstantin Kolinko <kn...@gmail.com>]

2011/10/11 Paul Wilson <pa...@gmail.com>:
> On 11 October 2011 10:43, Konstantin Kolinko <kn...@gmail.com> wrote:
>> I cannot say about "various" versions (because it was a bug that was
>> fixed in 6.0.33).
>
> Was the fixed made available in Tomcat 7 too? (Can't see it in the changelog).
>

I think it was a part of
http://svn.apache.org/viewvc?view=revision&revision=944920

>> My understanding is that getServletPath and getContextPath should not
>> have path parameters, because they reflect mapping upon Servlets, and
>> this mapping ignores path parameters.
>>
>> The getPathInfo and getRequestURI methods provide information about
>> "original" request and thus have the parameters.
>
> And the fix affected both these methods, or just getRequestURI?
>

Hm...

There are RequestInfoExample servlet and snoop.jsp in the sample webapp.

Testing them apparently getPathInfo() still does not return path parameters.

http://localhost:8080/examples/jsp/snp;x=y/snoop.jsp
http://localhost:8080/examples/servlets/servlet;foo=bar/RequestInfoExample/baz;y=z/d

The second one prints:
Path Info: 	/baz/d

both in trunk and in current 6.0.

>
>> The fact that getPathInfo and getRequestURI do return path parameters
>> is explicitly mentioned in Servlet specification - see chapter SRV.3.1
>> in servlet-2_5-mrel2-spec.pdf.
>
> Strange that it mentions GET explicitly. :-/
>

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Path Parameters - Servlet API

[Paul Wilson <pa...@gmail.com>]

On 11 October 2011 10:43, Konstantin Kolinko <kn...@gmail.com> wrote:
> I cannot say about "various" versions (because it was a bug that was
> fixed in 6.0.33).

Was the fixed made available in Tomcat 7 too? (Can't see it in the changelog).

> My understanding is that getServletPath and getContextPath should not
> have path parameters, because they reflect mapping upon Servlets, and
> this mapping ignores path parameters.
>
> The getPathInfo and getRequestURI methods provide information about
> "original" request and thus have the parameters.

And the fix affected both these methods, or just getRequestURI?

> The fact that getPathInfo and getRequestURI do return path parameters
> is explicitly mentioned in Servlet specification - see chapter SRV.3.1
> in servlet-2_5-mrel2-spec.pdf.

Strange that it mentions GET explicitly. :-/

Thanks for your quick response (as always ;-))
Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Path Parameters - Servlet API

[Konstantin Kolinko <kn...@gmail.com>]

2011/10/11 Paul Wilson <pa...@gmail.com>:
> Hi there,
>
> I'm trying to understand what has changed w.r.t. Tomcat 6/7 and
> returning path parameters from various calls to the HTTPServletRequest
> methods. In particular, I'd like to understand which of the four
> methods:
>
>  * getServletPath
>  * getContextPath
>  * getPathInfo
>  * getRequestURI
>
> return so-called 'path parameters' across various Tomcat versions.

I cannot say about "various" versions (because it was a bug that was
fixed in 6.0.33).

My understanding is that getServletPath and getContextPath should not
have path parameters, because they reflect mapping upon Servlets, and
this mapping ignores path parameters.

The getPathInfo and getRequestURI methods provide information about
"original" request and thus have the parameters.

The fact that getPathInfo and getRequestURI do return path parameters
is explicitly mentioned in Servlet specification - see chapter SRV.3.1
in servlet-2_5-mrel2-spec.pdf.


> It appears that something changed around 6.0.33, although I can only find
> the following reference in the changelog:
>
> "Improve handling of URLs with path parameters and prevent incorrect
> 404 responses that could occur when path parameters were present.
> (kkolinko)"
>
> Is there any more formal information about this change?

The change itself - see svn or commit message in dev@ archives. There
was also some discussion on dev@ before it.

http://svn.apache.org/viewvc?view=revision&revision=1149220

> Frameworks
> that utilise URL-based resource resolution will break if, for example,
> ;jsessionid is all-of-a-sudden returned from these calls when
> previously they were removed.

That is essentially their fault. They will break as well when used in
other Servlet containers. In certain scenarios that can even lead to
security issues, like

http://www.springsource.com/security/cve-2010-3700

Workarounds are possible, by using a Filter or Valve to rewrite the URL.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org