Posted to dev@tomcat.apache.org by cr...@locus.apache.org on 2000/04/05 21:40:23 UTC

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core HttpServletResponseFacade.java

craigmcc    00/04/05 12:40:22

  Modified:    src/share/org/apache/tomcat/core
                        HttpServletResponseFacade.java
  Log:
  Correct the implementation of encodeURL() and encodeRedirectURL() so that
  they correctly determine when encoding should take place.  For the record,
  those rules are as follows:
  - We are in a valid session
  - The session ID was not requested with a cookie
  - The URL to be encoded references a URL within the current
    web application (that is, we match on the scheme, host, port,
    and context path of the absolute URL that corresponds to
    the specified URL if it is relative)
  
  In addition, sendRedirectURL() now absolutizes the specified location,
  even though this is already done in the default error handling servlet,
  so that the spec rule (that it must be absolutized) will be obeyed even
  if the web app has defined their own error page for SC_MOVED_TEMPORARILY
  (legal but not likely).
  
  Tested with URLs that are absolute, host relative (that is, starting with
  a slash), and request-relative (not starting with a slash).  Also passes
  the current Watchdog test suite.
  PR:174
  Submitted by:	evan@netsco.com
  
  Revision  Changes    Path
  1.7       +201 -36   jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletResponseFacade.java
  
  Index: HttpServletResponseFacade.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletResponseFacade.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- HttpServletResponseFacade.java	2000/03/21 01:27:08	1.6
  +++ HttpServletResponseFacade.java	2000/04/05 19:40:20	1.7
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletResponseFacade.java,v 1.6 2000/03/21 01:27:08 costin Exp $
  - * $Revision: 1.6 $
  - * $Date: 2000/03/21 01:27:08 $
  + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletResponseFacade.java,v 1.7 2000/04/05 19:40:20 craigmcc Exp $
  + * $Revision: 1.7 $
  + * $Date: 2000/04/05 19:40:20 $
    *
    * ====================================================================
    *
  @@ -103,12 +103,15 @@
       }
   
       public String encodeRedirectURL(String location) {
  -	// rewrite for the same host
  -	// this is really simplistic matching here, any helper functions?
  -	if (location.indexOf(response.getRequest().getServerName())!=-1){
  -	    location=encodeURL(location);
  -	}
  -	return location;
  +
  +	System.out.println("CRM: encodeRedirectURL(" + location + ") --> " +
  +			   toAbsolute(location) + " --> " +
  +			   isEncodeable(toAbsolute(location)));
  +	if (isEncodeable(toAbsolute(location)))
  +	    return (toEncoded(location,
  +			      response.getRequest().getRequestedSessionId()));
  +	else
  +	    return (location);
       }
       
       /**
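Review bot: The `System.out.println("CRM: ...")` trace at the top of encodeRedirectURL looks like leftover debugging, and the same pattern recurs in the sendRedirect hunk and throughout isEncodeable in the last hunk. It writes every redirect target to the container's stdout unconditionally, and URLs can carry sensitive query parameters, so these lines should be removed or put behind a debug switch in whatever logging facility the container provides. Counting the trace, the method evaluates `toAbsolute(location)` three times and `isEncodeable(...)` twice per call; with the print removed only the `if`/`else` below it remains. In the sendRedirect hunk, note also that toAbsolute returns the original string when it cannot build a URL, so the location passed to sendError is not guaranteed to be absolute.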
  @@ -119,33 +122,15 @@
       }
   
       public String encodeURL(String url) {
  -      Request request=response.getRequest();
  -      // if I have a session
  -      //      System.out.println("XXX " + request.isRequestedSessionIdValid() +" " + request.isRequestedSessionIdFromCookie() +
  -      //		 " " + request.getRequestedSessionId();
  -      
  -      if (request.isRequestedSessionIdValid()){
  -	  // if first time or cookie not returned
  -	  // XXX need to add support for SSL or other schemas
  -	  if (!request.isRequestedSessionIdFromCookie()) {
  -	      int qidx=url.indexOf( "?" );
  -	      String path=url;
  -	      String qry=null;
  -	      if( qidx >= 0 ) {
  -		  path=url.substring( 0, qidx );
  -		  qry=url.substring( qidx+1 );
  -	      }
  -	      StringBuffer sb=new StringBuffer(path);
  -	      sb.append(";jsessionid=").append(request.getRequestedSessionId());
  -	      if( qry != null ) 
  -		  sb.append("?").append( qry);
  -	      //	      System.out.println("RW " + url + " " + sb.toString());
  -	      return sb.toString();              
  -	  }
  -      }
  -      return url;
  +
  +	if (isEncodeable(toAbsolute(url)))
  +	    return (toEncoded(url,
  +			      response.getRequest().getRequestedSessionId()));
  +	else
  +	    return (url);
  +
       }
  -    
  +
       /**
        * @deprecated
        */
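Review bot: encodeURL now has the same body as encodeRedirectURL apart from the trace line, so the encoding rule lives in two places and can drift if only one is edited. A single private helper called from both, for example `private String encodeIfLocal(String url)`, would keep the decision in one spot. The unbraced `if`/`else` around a wrapped `return` is also easy to misread, so braces would help here. toAbsolute, isEncodeable and toEncoded are defined outside this hunk, in the last one.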
  @@ -185,8 +170,13 @@
               String msg = sm.getString("hsrf.redirect.iae");
               throw new IllegalArgumentException(msg);
   	}
  +	System.out.println("CRM: sendRedirect(" + location + ") --> " +
  +			   toAbsolute(location));
  +	// Even though DefaultErrorServlet will convert this
  +	// location to absolute (if required) we should do so
  +	// here in case the app has a non-default handler
   	sendError(HttpServletResponse.SC_MOVED_TEMPORARILY,
  -		  location);
  +		  toAbsolute(location));
       }
       
       public void setContentLength(int len) {
  @@ -261,4 +251,179 @@
   	response.setStatus(sc);
       }    
       
  +    /**
  +     * Return <code>true</code> if the specified URL should be encoded with
  +     * a session identifier.  This will be true if all of the following
  +     * conditions are met:
  +     * <ul>
  +     * <li>The request we are responding to asked for a valid session
  +     * <li>The requested session ID was not received via a cookie
  +     * <li>The specified URL points back to somewhere within the web
  +     *     application that is responding to this request
  +     * </ul>
  +     *
  +     * @param location Absolute URL to be validated
  +     **/
  +    private boolean isEncodeable(String location) {
  +
  +	// Are we in a valid session that is not using cookies?
  +	Request request = response.getRequest();
  +	if (!request.isRequestedSessionIdValid())
  +	    return (false);
  +	if (request.isRequestedSessionIdFromCookie())
  +	    return (false);
  +
  +	// Is this a valid absolute URL?
  +	System.out.println("CRM: isEncodeable(" + location + ")");
  +	URL url = null;
  +	try {
  +	    url = new URL(location);
  +	} catch (MalformedURLException e) {
  +	    return (false);
  +	}
  +	System.out.println("CRM:    Valid URL --> " + url.toString());
  +
  +	// Does this URL match down to (and including) the context path?
  +	System.out.println("CRM:    Compare " + request.getScheme() +
  +			   " to " + url.getProtocol());
  +	if (!request.getScheme().equalsIgnoreCase(url.getProtocol()))
  +	    return (false);
  +	System.out.println("CRM:    Compare " + request.getServerName() +
  +			   " to " + url.getHost());
  +	if (!request.getServerName().equalsIgnoreCase(url.getHost()))
  +	    return (false);
  +	System.out.println("CRM:    Compare " + request.getServerPort() +
  +			   " to " + url.getPort());
  +	if (request.getServerPort() != url.getPort())
  +	    return (false);
  +	String contextPath = request.getContext().getPath();
  +	System.out.println("CRM:    Check context path " + contextPath +
  +			   " against " + url.getFile());
  +	if ((contextPath != null) && (contextPath.length() > 0)) {
  +	    String file = url.getFile();
  +	    if ((file == null) || !file.startsWith(contextPath))
  +		return (false);
  +	}
  +
  +	// This URL belongs to our web application, so it is encodeable
  +	System.out.println("CRM:    This URL is encodeable");
  +	return (true);
  +
  +/*
  +	// Is this an absolute URL?
  +	if (url == null)
  +	    return (false);
  +	int colon = url.indexOf("://");
  +	if (colon < 0)
  +	    return (false);
  +
  +	// Only HTTP: and HTTPS: URLs are encoded
  +	String scheme = url.substring(0, colon).toLowerCase();
  +	if (!"http".equals(scheme) && !"https".equals(scheme))
  +	    return (false);
  +
  +	// Match on the host name and port number
  +	String rest = url.substring(colon + 3);
  +	colon = rest.indexOf(":");
  +	int slash = rest.indexOf("/");
  +	if (slash < 0) {
  +	    slash = rest.length();
  +	    rest += "/";
  +	}
  +	if (colon > slash)
  +	    colon = -1;
  +	String host = null;
  +	int port = 80;
  +	if (colon >= 0) {
  +	    host = rest.substring(0, colon);
  +	    String temp = rest.substring(colon + 1, slash - (colon + 1));
  +	    try {
  +		port = Integer.parseInt(temp);
  +	    } catch (Throwable t) {
  +		return (false);		// Invalid port number in absolute URL
  +	    }
  +	} else
  +	    host = rest.substring(0, slash);
  +	if (!host.equalsIgnoreCase(request.getServerName()))
  +	    return (false);
  +	if (port != request.getServerPort())
  +	    return (false);
  +
  +	// Match on the context path of this web application
  +	rest = rest.substring(slash);
  +	String contextPath = request.getContext().getPath();
  +	if ((contextPath == null) || (contextPath.length() == 0))
  +	    return (true);
  +	if (rest.startsWith(contextPath))
  +	    return (true);
  +	else
  +	    return (false);
  +*/
  +
  +    }
  +
  +
  +    /**
  +     * Convert (if necessary) and return the absolute URL that represents the
  +     * resource referenced by this possibly relative URL.  If this URL is
  +     * already absolute, return it unchanged.
  +     *
  +     * @param location URL to be (possibly) converted and then returned
  +     */
  +    private String toAbsolute(String location) {
  +
  +	if (location == null)
  +	    return (location);
  +
  +	// Construct a new absolute URL if possible (cribbed from
  +	// the DefaultErrorPage servlet)
  +	URL url = null;
  +	try {
  +	    url = new URL(location);
  +	} catch (MalformedURLException e1) {
  +	    Request request = response.getRequest();
  +	    String requrl =
  +		HttpUtils.getRequestURL(request.getFacade()).toString();
  +	    try {
  +		url = new URL(new URL(requrl), location);
  +	    } catch (MalformedURLException e2) {
  +		return (location);	// Give up
  +	    }
  +	}
  +	return (url.toString());
  +			     
  +    }
  +
  +
  +    /**
  +     * Return the specified URL with the specified session identifier
  +     * suitably encoded.
  +     *
  +     * @param url URL to be encoded with the session id
  +     * @param sessionId Session id to be included in the encoded URL
  +     */
  +    private String toEncoded(String url, String sessionId) {
  +
  +	if ((url == null) || (sessionId == null))
  +	    return (url);
  +
  +	String path = null;
  +	String query = null;
  +	int question = url.indexOf("?");
  +	if (question < 0)
  +	    path = url;
  +	else {
  +	    path = url.substring(0, question);
  +	    query = url.substring(question);
  +	}
  +	StringBuffer sb = new StringBuffer(path);
  +	sb.append(";jsessionid=");
  +	sb.append(sessionId);
  +	if (query != null)
  +	    sb.append(query);
  +	return (sb.toString());
  +
  +    }
  +
  +
   }
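Review bot: In isEncodeable the test `request.getServerPort() != url.getPort()` rejects same-application URLs that carry no explicit port, because `URL.getPort()` returns -1 in that case. Relative URLs resolved by toAbsolute against the request URL are likely to hit this on a default-port server, so they would never be encoded. The context check `file.startsWith(contextPath)` is a bare prefix match, so a context of `/app` also accepts `/app2/...` and the session id is written into a link for a different web application, which is the disclosure this commit is meant to prevent. The fence below defaults the port from the scheme and requires a segment boundary after the context path, assuming context paths do not end in a slash. Separately, the commented-out parser after `return (true);` is dead code that could be dropped, and toEncoded splits only on `?`, so a URL with a `#fragment` and no query gets `;jsessionid=` appended after the fragment.

```java
// … unchanged: session checks, URL parsing, scheme and host comparison …
int urlPort = url.getPort();
if (urlPort == -1)
    urlPort = "https".equalsIgnoreCase(url.getProtocol()) ? 443 : 80;
if (request.getServerPort() != urlPort)
    return (false);
// … unchanged: contextPath lookup and the startsWith(contextPath) test …
    // Require a segment boundary right after the context path
    if ((file.length() > contextPath.length()) &&
        ("/;?#".indexOf(file.charAt(contextPath.length())) < 0))
        return (false);
// … unchanged: closing brace and return (true) …
```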
  
  
  

Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core HttpServletResponseFacade.java

Posted by Jason Hunter <jh...@acm.org>.
Craig R. McClanahan wrote:
> you're exposing your session key to a
> (potentially malicious) "other" application
> which can now use it to impersonate
> you on the original app.  
> That would not be a Good Thing (tm).  

Good Point (tm).

Wonder how many other servers realize this?

-jh-

Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core HttpServletResponseFacade.java

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Jason Hunter wrote:

> craigmcc@locus.apache.org wrote:
> >
> > craigmcc    00/04/05 12:40:22
> >
> >   Modified:    src/share/org/apache/tomcat/core
> >                         HttpServletResponseFacade.java
> >   Log:
> >   Correct the implementation of encodeURL() and encodeRedirectURL() so that
> >   they correctly determine when encoding should take place.  For the record,
> >   those rules are as follows:
> >   - We are in a valid session
> >   - The session ID was not requested with a cookie
> >   - The URL to be encoded references a URL within the current
> >     web application (that is, we match on the scheme, host, port,
> >     and context path of the absolute URL that corresponds to
> >     the specified URL if it is relative)
>
> Is that last bullet right?  Shouldn't we do encoding for the entire
> server?  It wouldn't harm anything.  The user would still have different
> HttpSession objects per context, but the user could go from webappA to
> webappB and back without losing their session.  We set a cookie for the
> entire site (or at least we used to).  Why not do encoding the same way?
>

You're correct that we used to set the cookies for the entire site.  The problem
was that you DID lose your session when you went from one webapp to another on the
same machine, because the new webapp scribbled on the old session id cookie (same
name + same host === same cookie as far as the browser was concerned).  This was
fixed by setting the "path" property of the cookie to the context path of the
webapp -- in other words, you're effectively creating a cookie per webapp.

On URL encoding, one potential "harm" to encoding based on the same host, instead
of the same host+context path, is that you're exposing your session key to a
(potentially malicious) "other" application, which can now use it to impersonate
you on the original app.  That would not be a Good Thing (tm).  By the way, the
cookie fix described above avoids this problems for cookies, because the browser
sends only the relevant cookie for whichever webapp you're sending a request to at
the time.

>
> On a related note....
>
> The 2.2 spec says in 11.6 that "a servlet container is required to track
> authentication information at the container level and not at the web
> application level allowing a user who is authenticated against one web
> application to access any other resource managed by the container which
> is restricted to the same security identity."
>
> Considering that form-based auth is commonly based on session tracking,
> how are we to satisfy this requirement between web apps?
>

It's going to have to be done in a container-specific manner outside the servlet
spec -- probably with a site-wide cookie issued by the container.  Don't bother to
look at the current Tomcat code for form-based authentication; it's nowhere near
complete yet, and the current architecture makes this particular functionality
pretty difficult to implement.

>
> -jh-
>

Craig



Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core HttpServletResponseFacade.java

Posted by Jason Hunter <jh...@acm.org>.
craigmcc@locus.apache.org wrote:
> 
> craigmcc    00/04/05 12:40:22
> 
>   Modified:    src/share/org/apache/tomcat/core
>                         HttpServletResponseFacade.java
>   Log:
>   Correct the implementation of encodeURL() and encodeRedirectURL() so that
>   they correctly determine when encoding should take place.  For the record,
>   those rules are as follows:
>   - We are in a valid session
>   - The session ID was not requested with a cookie
>   - The URL to be encoded references a URL within the current
>     web application (that is, we match on the scheme, host, port,
>     and context path of the absolute URL that corresponds to
>     the specified URL if it is relative)

Is that last bullet right?  Shouldn't we do encoding for the entire
server?  It wouldn't harm anything.  The user would still have different
HttpSession objects per context, but the user could go from webappA to
webappB and back without losing their session.  We set a cookie for the
entire site (or at least we used to).  Why not do encoding the same way?

On a related note....

The 2.2 spec says in 11.6 that "a servlet container is required to track
authentication information at the container level and not at the web
application level allowing a user who is authenticated against one web
application to access any other resource managed by the container which
is restricted to the same security identity."

Considering that form-based auth is commonly based on session tracking,
how are we to satisfy this requirement between web apps?

-jh-

Re: Help required....

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Mayur wrote:

> Hi All,
>
>  I have just joined this forum and am very much excited about contributing
> as much as
> i can to this forum. I will try my best to be actively invlolved in this
> forum.
>

That's good.

>
> I am facing a strange problem when using jsdk2.1 on linux with weblogic
> server 4.5.1 .

That's not so good.

This forum (TOMCAT-DEV@JAKARTA.APACHE.ORG) is for discussions among those who are
developing Tomcat itself, not applications running on Tomcat (use mailing list
TOMCAT-USER@JAKARTA.APACHE.ORG for Tomcat-related user questions) or on a different servlet
container (your best bet is the support newsgroups or mailing lists for that server --
Weblogic in this case).

Craig McClanahan



Help required....

Posted by Mayur <ma...@info-objects.com>.
Hi All,

 I have just joined this forum and am very much excited about contributing
as much as
i can to this forum. I will try my best to be actively invlolved in this
forum.

I am facing a strange problem when using jsdk2.1 on linux with weblogic
server 4.5.1 .
If anyone can send some inputs to this it will be highly appreciated.
The problem is to do with HttpSession, i am loosing the session when i call
a jsp page and then go to the servlet.


The sequence flow is

  servlet calls--> jsp page calls via HREF --->     servlet
 (putting objects   (loosing session here)	    loosing sesssion here also,
 in session )        return false, but			cannot get objects from session
    		       cannot get objects from session)

If someone can help me with this it would be great. It is urgent. Do I need to
use a different servlet/JSP engine?


regards
mayur s shah


-----Original Message-----
From: craigmcc@locus.apache.org [mailto:craigmcc@locus.apache.org]
Sent: Wednesday, April 05, 2000 12:40 PM
To: jakarta-tomcat-cvs@apache.org
Subject: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core
HttpServletResponseFacade.java


craigmcc    00/04/05 12:40:22

  Modified:    src/share/org/apache/tomcat/core
                        HttpServletResponseFacade.java
  Log:
  Correct the implementation of encodeURL() and encodeRedirectURL() so that
  they correctly determine when encoding should take place.  For the record,
  those rules are as follows:
  - We are in a valid session
  - The session ID was not requested with a cookie
  - The URL to be encoded references a URL within the current
    web application (that is, we match on the scheme, host, port,
    and context path of the absolute URL that corresponds to
    the specified URL if it is relative)

  In addition, sendRedirectURL() now absolutizes the specified location,
  even though this is already done in the default error handling servlet,
  so that the spec rule (that it must be absolutized) will be obeyed even
  if the web app has defined their own error page for SC_MOVED_TEMPORARILY
  (legal but not likely).

  Tested with URLs that are absolute, host relative (that is, starting with
  a slash), and request-relative (not starting with a slash).  Also passes
  the current Watchdog test suite.
  PR:174
  Submitted by:	evan@netsco.com

  Revision  Changes    Path
  1.7       +201 -36
jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletResponseFacade.ja
va

  Index: HttpServletResponseFacade.java
  ===================================================================
  RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRespons
eFacade.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- HttpServletResponseFacade.java	2000/03/21 01:27:08	1.6
  +++ HttpServletResponseFacade.java	2000/04/05 19:40:20	1.7
  @@ -1,7 +1,7 @@
   /*
  - * $Header:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRespons
eFacade.java,v 1.6 2000/03/21 01:27:08 costin Exp $
  - * $Revision: 1.6 $
  - * $Date: 2000/03/21 01:27:08 $
  + * $Header:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRespons
eFacade.java,v 1.7 2000/04/05 19:40:20 craigmcc Exp $
  + * $Revision: 1.7 $
  + * $Date: 2000/04/05 19:40:20 $
    *
    * ====================================================================
    *
  @@ -103,12 +103,15 @@
       }

       public String encodeRedirectURL(String location) {
  -	// rewrite for the same host
  -	// this is really simplistic matching here, any helper functions?
  -	if (location.indexOf(response.getRequest().getServerName())!=-1){
  -	    location=encodeURL(location);
  -	}
  -	return location;
  +
  +	System.out.println("CRM: encodeRedirectURL(" + location + ") --> " +
  +			   toAbsolute(location) + " --> " +
  +			   isEncodeable(toAbsolute(location)));
  +	if (isEncodeable(toAbsolute(location)))
  +	    return (toEncoded(location,
  +			      response.getRequest().getRequestedSessionId()));
  +	else
  +	    return (location);
       }

       /**
  @@ -119,33 +122,15 @@
       }

       public String encodeURL(String url) {
  -      Request request=response.getRequest();
  -      // if I have a session
  -      //      System.out.println("XXX " +
request.isRequestedSessionIdValid() +" " +
request.isRequestedSessionIdFromCookie() +
  -      //		 " " + request.getRequestedSessionId();
  -
  -      if (request.isRequestedSessionIdValid()){
  -	  // if first time or cookie not returned
  -	  // XXX need to add support for SSL or other schemas
  -	  if (!request.isRequestedSessionIdFromCookie()) {
  -	      int qidx=url.indexOf( "?" );
  -	      String path=url;
  -	      String qry=null;
  -	      if( qidx >= 0 ) {
  -		  path=url.substring( 0, qidx );
  -		  qry=url.substring( qidx+1 );
  -	      }
  -	      StringBuffer sb=new StringBuffer(path);
  -	      sb.append(";jsessionid=").append(request.getRequestedSessionId());
  -	      if( qry != null )
  -		  sb.append("?").append( qry);
  -	      //	      System.out.println("RW " + url + " " + sb.toString());
  -	      return sb.toString();
  -	  }
  -      }
  -      return url;
  +
  +	if (isEncodeable(toAbsolute(url)))
  +	    return (toEncoded(url,
  +			      response.getRequest().getRequestedSessionId()));
  +	else
  +	    return (url);
  +
       }
  -
  +
       /**
        * @deprecated
        */
  @@ -185,8 +170,13 @@
               String msg = sm.getString("hsrf.redirect.iae");
               throw new IllegalArgumentException(msg);
   	}
  +	System.out.println("CRM: sendRedirect(" + location + ") --> " +
  +			   toAbsolute(location));
  +	// Even though DefaultErrorServlet will convert this
  +	// location to absolute (if required) we should do so
  +	// here in case the app has a non-default handler
   	sendError(HttpServletResponse.SC_MOVED_TEMPORARILY,
  -		  location);
  +		  toAbsolute(location));
       }

       public void setContentLength(int len) {
  @@ -261,4 +251,179 @@
   	response.setStatus(sc);
       }

  +    /**
  +     * Return <code>true</code> if the specified URL should be encoded
with
  +     * a session identifier.  This will be true if all of the following
  +     * conditions are met:
  +     * <ul>
  +     * <li>The request we are responding to asked for a valid session
  +     * <li>The requested session ID was not received via a cookie
  +     * <li>The specified URL points back to somewhere within the web
  +     *     application that is responding to this request
  +     * </ul>
  +     *
  +     * @param location Absolute URL to be validated
  +     **/
  +    private boolean isEncodeable(String location) {
  +
  +	// Are we in a valid session that is not using cookies?
  +	Request request = response.getRequest();
  +	if (!request.isRequestedSessionIdValid())
  +	    return (false);
  +	if (request.isRequestedSessionIdFromCookie())
  +	    return (false);
  +
  +	// Is this a valid absolute URL?
  +	System.out.println("CRM: isEncodeable(" + location + ")");
  +	URL url = null;
  +	try {
  +	    url = new URL(location);
  +	} catch (MalformedURLException e) {
  +	    return (false);
  +	}
  +	System.out.println("CRM:    Valid URL --> " + url.toString());
  +
  +	// Does this URL match down to (and including) the context path?
  +	System.out.println("CRM:    Compare " + request.getScheme() +
  +			   " to " + url.getProtocol());
  +	if (!request.getScheme().equalsIgnoreCase(url.getProtocol()))
  +	    return (false);
  +	System.out.println("CRM:    Compare " + request.getServerName() +
  +			   " to " + url.getHost());
  +	if (!request.getServerName().equalsIgnoreCase(url.getHost()))
  +	    return (false);
  +	System.out.println("CRM:    Compare " + request.getServerPort() +
  +			   " to " + url.getPort());
  +	if (request.getServerPort() != url.getPort())
  +	    return (false);
  +	String contextPath = request.getContext().getPath();
  +	System.out.println("CRM:    Check context path " + contextPath +
  +			   " against " + url.getFile());
  +	if ((contextPath != null) && (contextPath.length() > 0)) {
  +	    String file = url.getFile();
  +	    if ((file == null) || !file.startsWith(contextPath))
  +		return (false);
  +	}
  +
  +	// This URL belongs to our web application, so it is encodeable
  +	System.out.println("CRM:    This URL is encodeable");
  +	return (true);
  +
  +/*
  +	// Is this an absolute URL?
  +	if (url == null)
  +	    return (false);
  +	int colon = url.indexOf("://");
  +	if (colon < 0)
  +	    return (false);
  +
  +	// Only HTTP: and HTTPS: URLs are encoded
  +	String scheme = url.substring(0, colon).toLowerCase();
  +	if (!"http".equals(scheme) && !"https".equals(scheme))
  +	    return (false);
  +
  +	// Match on the host name and port number
  +	String rest = url.substring(colon + 3);
  +	colon = rest.indexOf(":");
  +	int slash = rest.indexOf("/");
  +	if (slash < 0) {
  +	    slash = rest.length();
  +	    rest += "/";
  +	}
  +	if (colon > slash)
  +	    colon = -1;
  +	String host = null;
  +	int port = 80;
  +	if (colon >= 0) {
  +	    host = rest.substring(0, colon);
  +	    String temp = rest.substring(colon + 1, slash - (colon + 1));
  +	    try {
  +		port = Integer.parseInt(temp);
  +	    } catch (Throwable t) {
  +		return (false);		// Invalid port number in absolute URL
  +	    }
  +	} else
  +	    host = rest.substring(0, slash);
  +	if (!host.equalsIgnoreCase(request.getServerName()))
  +	    return (false);
  +	if (port != request.getServerPort())
  +	    return (false);
  +
  +	// Match on the context path of this web application
  +	rest = rest.substring(slash);
  +	String contextPath = request.getContext().getPath();
  +	if ((contextPath == null) || (contextPath.length() == 0))
  +	    return (true);
  +	if (rest.startsWith(contextPath))
  +	    return (true);
  +	else
  +	    return (false);
  +*/
  +
  +    }
  +
  +
  +    /**
  +     * Convert (if necessary) and return the absolute URL that represents
the
  +     * resource referenced by this possibly relative URL.  If this URL is
  +     * already absolute, return it unchanged.
  +     *
  +     * @param location URL to be (possibly) converted and then returned
  +     */
  +    private String toAbsolute(String location) {
  +
  +	if (location == null)
  +	    return (location);
  +
  +	// Construct a new absolute URL if possible (cribbed from
  +	// the DefaultErrorPage servlet)
  +	URL url = null;
  +	try {
  +	    url = new URL(location);
  +	} catch (MalformedURLException e1) {
  +	    Request request = response.getRequest();
  +	    String requrl =
  +		HttpUtils.getRequestURL(request.getFacade()).toString();
  +	    try {
  +		url = new URL(new URL(requrl), location);
  +	    } catch (MalformedURLException e2) {
  +		return (location);	// Give up
  +	    }
  +	}
  +	return (url.toString());
  +
  +    }
  +
  +
  +    /**
  +     * Return the specified URL with the specified session identifier
  +     * suitably encoded.
  +     *
  +     * @param url URL to be encoded with the session id
  +     * @param sessionId Session id to be included in the encoded URL
  +     */
  +    private String toEncoded(String url, String sessionId) {
  +
  +	if ((url == null) || (sessionId == null))
  +	    return (url);
  +
  +	String path = null;
  +	String query = null;
  +	int question = url.indexOf("?");
  +	if (question < 0)
  +	    path = url;
  +	else {
  +	    path = url.substring(0, question);
  +	    query = url.substring(question);
  +	}
  +	StringBuffer sb = new StringBuffer(path);
  +	sb.append(";jsessionid=");
  +	sb.append(sessionId);
  +	if (query != null)
  +	    sb.append(query);
  +	return (sb.toString());
  +
  +    }
  +
  +
   }



