You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2012/02/08 21:35:14 UTC
Path parameters and getRequestURI
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
There was a change in 6.0.33 (and it has always been the case in
7.0.x?) that HttpServletRequest.getRequestURI now returns path
parameters as part of the URI. That notably includes the URL-encoded
jsessionid that Tomcat uses when the availability of cookies on the
client is set to be determined.
I have a Filter that checks to see if the user is accessing a
particular set of predefined pages and redirects them if they don't
hit any of them.
Needless to say, without any changes to my code, anyone who hits this
filter who either has cookies disabled or is in the middle of an
authentication ritual that redirects to the original page is going to
have a problem.
Is it safe to simply remove everything after the initial ";" if I'm
not interested in any path parameters? I don't want to just trim-off
that kind of thing blindly if there are any gotchas that I should be
aware of.
Can anyone think of a reason I can't just do that?
Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8y3IIACgkQ9CaO5/Lv0PDjVgCfWtDEaSmK1ctLtYs9hZknXrPM
EiMAn0y4getXGjQAMTa8dGCH6uYJfWnS
=YI6Y
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Path parameters and getRequestURI
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark,
On 2/8/12 4:34 PM, Mark Thomas wrote:
> On 08/02/2012 21:25, Christopher Schultz wrote:
>> Mark,
>
>> On 2/8/12 3:37 PM, Mark Thomas wrote:
>>> On 08/02/2012 20:35, Christopher Schultz wrote:
>>>> Can anyone think of a reason I can't just [chop-off
>>>> everything after the first ";"]?
>
>>> Yes. Path parameters can occur at any part of the path.
>
>> So a URI could look like this:
>
>> /context/something;p1=val;p2=val/morestuff
>
> Yes.
Good to know. I've never seen path parameters in the wild, other than
;jsessionid... which really isn't a path parameter; it feels more like
a hack that was done to avoid interfering with the query string. One
is now just interfering with the path :)
>> Does Tomcat attempt to ignore path parameters when going these
>> types of matches? (I'd read the code, but the mapper is, as you
>> know... complex).
>
> The real trick is knowing that you don't need to look at the
> mapper code :). Of course, it helps if you remember that you wrote
> the code in question ;) Take a look at
> CoyoteAdapter#parsePathParameters()
Yes, it does help :) Thanks for the pointer.
>> Path segments are separated by / characters, so perhaps I could
>> adjust my "ignore the path parameters" algorithm to work like
>> this:
>
>> Starting from the end of the URI, rewind until I hit a "/", then
>> go forward until I hit a ";", then trim forward from the ";".
>
> They can also be on the final path segment (and usually are).
>
>> Or, I could just say "ignore anything like
>> ';jsessionid=[0-9A-Za-z]*'", but that's a little presumptuous and
>> potentially fragile as well.
>
> Indeed.
>
> Unfortunately, the servlet spec is far from clear on how path
> parameters should be handled. I hope to get clarity in 3.1 with
> [1]
If I can throw my two cents into the discussion: it would be nice if
the spec either provided methods that unambiguously returned the
uri-path that was matched (with or, I guess, without path parameters
if they are allowed to be a part of the actual match) or provided
additional utility methods could be provided that would make it easy
to filter-out path parameters. Yes, it's a simple thing to do oneself,
but if everyone implements their own (partially broken) filtering,
then the containers are going to get blamed for breaking everything
Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8y7DQACgkQ9CaO5/Lv0PClRgCeNCGSX5Q25geVI1/0zOCHIiCW
p6kAnR16VT+RxZAx5VO5VITW0is/bDL4
=rWBv
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Path parameters and getRequestURI
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark,
On 2/8/12 4:34 PM, Mark Thomas wrote:
> On 08/02/2012 21:25, Christopher Schultz wrote: Unfortunately, the
> servlet spec is far from clear on how path parameters should be
> handled. I hope to get clarity in 3.1 with [1]
In fact, it might actually contradict itself. Section 3.5 of spec
version 3.0 has this to say about request URI, servlet context, and
servlet path:
"
It is important to note that, except for URL encoding differences
between the request URI and the path parts, the following equation is
always true:
requestURI = contextPath + servletPath + pathInfo
"
I'm fairly sure that "encoding differences" do not include missing (or
present) path parameters -- I assume they mean URL encoding.
In Appendix 8, one of the changes since 2.3 was "Clarification of
handling of path parameters for the mapping (11.1)". That section now
seems to be 12.1 in the 3.0 spec (as you have referred in your
previous post).
12.1 says that the path matched against <url-patterns> in web.xml
comes from the request URL "minus the context path and path
parameters", so that's pretty clear. Nothing else is really clear
other than that invariant equation which is at least suspicious.
Tomcat no longer follows the invariant equation shown above. I hope
the expert group weighs-in on this sooner rather than later.
Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk81O7cACgkQ9CaO5/Lv0PDI1ACdHU6pGVHrEI/dbUV0PeNNawTT
TloAoKGiPK9NbmzUQTn5JBgmLziSxPNY
=Nw5J
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Path parameters and getRequestURI
Posted by Mark Thomas <ma...@apache.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/02/2012 21:25, Christopher Schultz wrote:
> Mark,
>
> On 2/8/12 3:37 PM, Mark Thomas wrote:
>> On 08/02/2012 20:35, Christopher Schultz wrote:
>>> Can anyone think of a reason I can't just [chop-off everything
>>> after the first ";"]?
>
>> Yes. Path parameters can occur at any part of the path.
>
> So a URI could look like this:
>
> /context/something;p1=val;p2=val/morestuff
Yes.
> ... and that URI would match /context/something/morestuff as a
> uri-pattern for, say, filter or servlet mappings?
Yes, as per section 12.1 of the 3.0 servlet spec (and equivalent in
earlier versions).
> Does Tomcat attempt to ignore path parameters when going these
> types of matches? (I'd read the code, but the mapper is, as you
> know... complex).
The real trick is knowing that you don't need to look at the mapper
code :). Of course, it helps if you remember that you wrote the code
in question ;) Take a look at CoyoteAdapter#parsePathParameters()
> Path segments are separated by / characters, so perhaps I could
> adjust my "ignore the path parameters" algorithm to work like
> this:
>
> Starting from the end of the URI, rewind until I hit a "/", then
> go forward until I hit a ";", then trim forward from the ";".
They can also be on the final path segment (and usually are).
> Or, I could just say "ignore anything like
> ';jsessionid=[0-9A-Za-z]*'", but that's a little presumptuous and
> potentially fragile as well.
Indeed.
Unfortunately, the servlet spec is far from clear on how path
parameters should be handled. I hope to get clarity in 3.1 with [1]
Mark
[1] http://java.net/jira/browse/SERVLET_SPEC-18
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJPMupgAAoJEBDAHFovYFnnmSYP/2lFZ3r6d1t8o+HnoEfHFYqj
X5ycDq+75DHrX/thLjoQzfYF1BxhtiimEnSJDW+bXgMLC/5dEh10VtE2vpMgh9PX
CxNELhtJ5jFezSPSaqH9lh9L+2v6sCqFM9F4KOuSk3dU+bWenBhqwE8dYxspITU6
KnsXjvYKUnl7pI867eTQji0I3uPnirW5s/RkFKY4YIPtkTniCfwF8Z+x7s6tylOQ
fcWUcT5w3WDsWTnkNxcIngqvAYDMM7olHrS7DToU8RXmd8/8yEpVXyfCS2Ftu5zI
0VzFuYpas9TOOB0Ke6uEwtQvZ1kUbUfwpB4DoUv6iXrLr9sMUufzzAYhV2kC0uOY
++8XaFzGc9jxAZiuJrRpWDF1OuXAvTXbKjVFKY4PSvEZZEofAJbMgPtAcA+IFjVg
VaZzMl68rvzsId7WAzMRhHrNZJl+SvJ1T/z1lrjqyNNuXg6o0eVLSZkvy7QbJ7BR
cPGhCq7YQ7QpqAUOu4xUhPmET0eoCtBgcc9gGiS0oUT4OQKmqfQC3BVUmSJ9eJy9
qYkBTfqVqLXn7YL5XW3U0V/d+J6rZGXHZhhr1Sr0PPXG2vC0fk2w+wJy2JyznWOa
sZlHEddZ5OmxXNnUlQuZSas1hLGcKUCQre3f74KV0Q/ULoa1Kp+xq0+B9XZnvVYH
aT9fN7DspB9aP1mui/GL
=Iwkm
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Path parameters and getRequestURI
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark,
On 2/8/12 3:37 PM, Mark Thomas wrote:
> On 08/02/2012 20:35, Christopher Schultz wrote:
>> Can anyone think of a reason I can't just [chop-off everything
>> after the first ";"]?
>
> Yes. Path parameters can occur at any part of the path.
So a URI could look like this:
/context/something;p1=val;p2=val/morestuff
... and that URI would match /context/something/morestuff as a
uri-pattern for, say, filter or servlet mappings? Does Tomcat attempt
to ignore path parameters when going these types of matches? (I'd read
the code, but the mapper is, as you know... complex).
Path segments are separated by / characters, so perhaps I could adjust
my "ignore the path parameters" algorithm to work like this:
Starting from the end of the URI, rewind until I hit a "/", then go
forward until I hit a ";", then trim forward from the ";".
Or, I could just say "ignore anything like
';jsessionid=[0-9A-Za-z]*'", but that's a little presumptuous and
potentially fragile as well.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8y6C8ACgkQ9CaO5/Lv0PChyQCgjsvYPmYAr1IIuIQa+5ekDpxt
HOoAoINk5GT4+LjEbhGqS6JzcWvRGs+O
=B4T7
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Path parameters and getRequestURI
Posted by Mark Thomas <ma...@apache.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/02/2012 20:35, Christopher Schultz wrote:
> All,
>
> There was a change in 6.0.33 (and it has always been the case in
> 7.0.x?) that HttpServletRequest.getRequestURI now returns path
> parameters as part of the URI. That notably includes the
> URL-encoded jsessionid that Tomcat uses when the availability of
> cookies on the client is set to be determined.
>
> I have a Filter that checks to see if the user is accessing a
> particular set of predefined pages and redirects them if they
> don't hit any of them.
>
> Needless to say, without any changes to my code, anyone who hits
> this filter who either has cookies disabled or is in the middle of
> an authentication ritual that redirects to the original page is
> going to have a problem.
>
> Is it safe to simply remove everything after the initial ";" if
> I'm not interested in any path parameters? I don't want to just
> trim-off that kind of thing blindly if there are any gotchas that I
> should be aware of.
>
> Can anyone think of a reason I can't just do that?
Yes. Path parameters can occur at any part of the path.
Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJPMt0XAAoJEBDAHFovYFnnqwwP/0rOF5jJeEXWT3CToOgah8hq
gSmRy8fnUbOPIwJlc66Y4M8zv8dRmu2XmY5zfNL+G8QshzV3Bxwg5hK1PssHjMcF
eeyYuafVO7N2GgkqiC/9wnuhjSdijCWCWDNT8PMcAJh64vj+NEJ8Qq3EGwv4rbyq
GT6oXevwayzskYMm+F/QdUBj/APDMiMfwGd0GzcdcRbaW5s5zVtHHofqAJ3u2txQ
iCobCSMlf8/Vqm3CBCHJSUvQDLC7V0B4Imd4J77bg3Cmh+buIBFzKJeZHQdKSIui
dUgouT7IHYtSChkxcf3yBuIkZQYJk4i/qHIrGmWslU1c5G3I1O/3lJuucXDsj/3V
ZWTx4dvedywk3RjtJBEb21Q3q+buWx66+4mqpuHKW2TJlsh0S/hjC4k+Yiw71Xa+
qHWdodS5WCvsaJConMUdlTk+MHYQAXf3iqygYNm3PwrGmgLO2zFpnqdF3mQNIbwR
ZhgtxRpkIXZvmeq2jykZzLk9rDIoXp3bhd7/NO5lYzgc2CLZNp5atfmT6WbPUiWc
YmF2jqhpTkK4L32Y0989XMcNhUg5Lil/YoAPjuOcNhPB0ax47LgSOJiV7Et+0TjK
iSJsAlhBFJhI/whWCo6LHZ2al5wOOolFJD+H/x7F4vmr7UfvxnSOhg67o1pcxrb8
cFVd0+BfBkE8hcmOOjs5
=d1RU
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Path parameters and getRequestURI
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Terrence,
On 2/9/12 5:16 PM, Terence M. Bandoian wrote:
> On 1:59 PM, Christopher Schultz wrote:
>> Is it safe to simply remove everything after the initial ";" if
>> I'm not interested in any path parameters? I don't want to just
>> trim-off that kind of thing blindly if there are any gotchas that
>> I should be aware of.
>
> What about using HttpServletRequest.getServletPath()?
That's a damned good question. I'll have to read more into the docs to
see what that's supposed to do. In a simple test, it seems that I get
everything I want except that I have to re-add the context path to the
beginning of the URI, which isn't a big deal.
If Tomcat has already done the work for me, why not use it?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk80TkEACgkQ9CaO5/Lv0PC1SACfWWE831aTOL9BOwZqw9ulA/u2
MVIAoJwk7gUuqMyOh0HhpndBnV23IaUw
=DFNl
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Path parameters and getRequestURI
Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 1:59 PM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> All,
>
> There was a change in 6.0.33 (and it has always been the case in
> 7.0.x?) that HttpServletRequest.getRequestURI now returns path
> parameters as part of the URI. That notably includes the URL-encoded
> jsessionid that Tomcat uses when the availability of cookies on the
> client is set to be determined.
>
> I have a Filter that checks to see if the user is accessing a
> particular set of predefined pages and redirects them if they don't
> hit any of them.
>
> Needless to say, without any changes to my code, anyone who hits this
> filter who either has cookies disabled or is in the middle of an
> authentication ritual that redirects to the original page is going to
> have a problem.
>
> Is it safe to simply remove everything after the initial ";" if I'm
> not interested in any path parameters? I don't want to just trim-off
> that kind of thing blindly if there are any gotchas that I should be
> aware of.
>
> Can anyone think of a reason I can't just do that?
>
> Thanks,
> - -chris
Hi, Chris-
What about using HttpServletRequest.getServletPath()?
-Terence Bandoian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Path parameters and getRequestURI
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/2/9 Christopher Schultz <ch...@christopherschultz.net>:
>
> There was a change in 6.0.33 (and it has always been the case in
> 7.0.x?) that HttpServletRequest.getRequestURI now returns path
> parameters as part of the URI. That notably includes the URL-encoded
> jsessionid that Tomcat uses when the availability of cookies on the
> client is set to be determined.
>
> (...)
See this thread:
"Path Parameters - Servlet API"
http://tomcat.markmail.org/thread/ykx72wcuzcmiyujz
Best regards,
Konstantin Kolinko
> I have a Filter that checks to see if the user is accessing a
> particular set of predefined pages and redirects them if they don't
> hit any of them.
>
> Needless to say, without any changes to my code, anyone who hits this
> filter who either has cookies disabled or is in the middle of an
> authentication ritual that redirects to the original page is going to
> have a problem.
>
> Is it safe to simply remove everything after the initial ";" if I'm
> not interested in any path parameters? I don't want to just trim-off
> that kind of thing blindly if there are any gotchas that I should be
> aware of.
>
> Can anyone think of a reason I can't just do that?
>
> Thanks,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk8y3IIACgkQ9CaO5/Lv0PDjVgCfWtDEaSmK1ctLtYs9hZknXrPM
> EiMAn0y4getXGjQAMTa8dGCH6uYJfWnS
> =YI6Y
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org