Posted to users@tomcat.apache.org by lo lo <la...@gmail.com> on 2014/04/10 15:01:50 UTC

Best practice to programmatically get the disableURLRewriting context attribute value

Tomcat version 6.0.x on Linux OS

Hi all,

I have an application deployed on several customers' Tomcat servers.

The Tomcat versions are different (6.0.16, 6.0.37, etc.) and asking all
customers to upgrade to the latest Tomcat version would be too tricky.

I would like to programmatically get the disableURLRewriting context
attribute value, when it exists (i.e. Tomcat 6.0.30 onwards).
My purpose is to add a tuckey.org/urlrewrite filter rule that redirects the
user to an error page when the 'jsessionid=' string is detected in the URL.
if (disableURLRewriting exists and its value is true) -> the filter rule
should be applied
if (disableURLRewriting doesn't exist or its value is false) -> the filter
rule should not be applied because Tomcat 6 adds ';jsessionid=xxx' when
there is no cookie in the client browser

The only way that I have found to achieve this on different Tomcat versions
is to use Tomcat classes:

    import java.lang.reflect.Method;
    import javax.servlet.ServletContext;
    import org.apache.catalina.Container;
    import org.apache.catalina.ServerFactory;
    import org.apache.catalina.core.StandardContext;
    import org.apache.catalina.core.StandardEngine;

    // isDisableURLRewriting() only exists from Tomcat 6.0.30 on, so it is
    // looked up reflectively; older versions fall through to false
    public boolean isDisableURLRewriting(StandardContext standardContext) {
        Method isDisableURLRewritingMethod = null;
        try {
            isDisableURLRewritingMethod =
                StandardContext.class.getMethod("isDisableURLRewriting");
        } catch (Exception e) {
            // the method does not exist or is not accessible
        }
        if (isDisableURLRewritingMethod != null) {
            try {
                return ((Boolean)
                    isDisableURLRewritingMethod.invoke(standardContext)).booleanValue();
            } catch (Exception e) {
                throw new RuntimeException("Unable to invoke the "
                    + "isDisableURLRewriting method on the standard context", e);
            }
        }
        // the method does not exist, we return false
        return false;
    }

    // context is the web application's javax.servlet.ServletContext; the
    // StandardContext is located through the default Host of the "Catalina"
    // service, which is what question 1 below is about
    StandardEngine engine = (StandardEngine)
        ServerFactory.getServer().findService("Catalina").getContainer();
    Container container = engine.findChild(engine.getDefaultHost());
    StandardContext standardContext = (StandardContext)
        container.findChild(context.getContextPath());
    if (isDisableURLRewriting(standardContext)) {
        // apply the rule
    } else {
        // don't apply the rule
    }

1. Will this code work for every Tomcat configuration?
(I know that this code works when the context file is in the
conf/Catalina/localhost directory with the default server.xml file, but I
don't know if it will work when several hosts are defined in the server.xml
file, because I'm using engine.getDefaultHost())
2. Is there a better way to achieve this? (maybe without using Tomcat
classes?)

Thanks in advance,

Regards,

Lo

Re: Best practice to programmatically get the disableURLRewriting context attribute value

Posted by lo lo <la...@gmail.com>.
I will use a filter to remove and prevent the jsessionid in the URL. It's
indeed really simpler!
Thanks for your answer and your suggestions.

Lo

2014-04-18 22:41 GMT+02:00 Christopher Schultz <chris@christopherschultz.net
>:

> Lo,
>
> On 4/17/14, 10:44 AM, Sauvel Laurent wrote:
> > 1. Before testing the code below with different Tomcat
> > configurations, I would like to know if there is a better way to
> > do what I want. I'm not really satisfied with this code that is
> > closely related to Tomcat classes.
>
> You are trying to fetch a value from a Tomcat-specific
> configuration... why do you think you can do this in a
> non-Tomcat-specific way?
>
> > 2. The original problem is that I would like to:
> >
> > a) prevent Tomcat (6.0.x, including versions older than 6.0.30)
> > from adding the ";jsessionid=xxx" string to the URL when there is
> > no cookie named JSESSIONID in the client browser
>
> Use a Filter, just like everybody else. This will work in any container.
>
> > b) prevent jsessionid hijacking via the url, i.e. redirect to an
> > error page when the "jsessionid=" string is detected in the URL
>
> You can do this with a Filter, too. No Tomcat-specific code necessary.
>
> AFAICT, you don't need to sniff/set the disableURLRewriting attribute
> value at all.
>
> Just FYI, preventing "jsessionid hijacking" does not prevent session
> hijacking at all. Forging the JSESSIONID cookie is just as easy as
> forging a jsessionid URL path parameter. The difference is that you
> can't email a cookie-laden URL to someone.
>
> The real way to prevent session hijacking is to change the session id
> after a login, which is exactly what Tomcat already does for you, so
> you shouldn't have to worry about it at all.
>
> - -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Best practice to programmatically get the disableURLRewriting context attribute value

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Lo,

On 4/17/14, 10:44 AM, Sauvel Laurent wrote:
> 1. Before testing the code below with different Tomcat 
> configurations, I would like to know if there is a better way to
> do what I want. I'm not really satisfied with this code that is
> closely related to Tomcat classes.

You are trying to fetch a value from a Tomcat-specific
configuration... why do you think you can do this in a
non-Tomcat-specific way?

> 2. The original problem is that I would like to:
> 
> a) prevent Tomcat (6.0.x, including versions older than 6.0.30)
> from adding the ";jsessionid=xxx" string to the URL when there is
> no cookie named JSESSIONID in the client browser

Use a Filter, just like everybody else. This will work in any container.

> b) prevent jsessionid hijacking via the url, i.e. redirect to an
> error page when the "jsessionid=" string is detected in the URL

You can do this with a Filter, too. No Tomcat-specific code necessary.

AFAICT, you don't need to sniff/set the disableURLRewriting attribute
value at all.

Just FYI, preventing "jsessionid hijacking" does not prevent session
hijacking at all. Forging the JSESSIONID cookie is just as easy as
forging a jsessionid URL path parameter. The difference is that you
can't email a cookie-laden URL to someone.

The real way to prevent session hijacking is to change the session id
after a login, which is exactly what Tomcat already does for you, so
you shouldn't have to worry about it at all.

- -chris

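The container-independent Filter that Chris's answer recommends, written out here as an added example (it is not code from the thread, nor Tomcat's own). It uses the Servlet 2.5 API that Tomcat 6 ships; the class name and the error page path are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (not from the thread). Map it to /* in web.xml, ahead of
// any other filter, so every request and every encoded URL passes through it.
public class NoUrlSessionFilter implements Filter {

    // assumed error page; adjust to the application's own
    private static final String ERROR_PAGE = "/session-error.html";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // (b) Reject a session id carried in the URL. isRequestedSessionIdFromURL()
        // is false when a JSESSIONID cookie was also sent (the cookie wins), so
        // the raw path parameter is checked as well.
        if (request.isRequestedSessionIdFromURL()
                || request.getRequestURI().toLowerCase().contains(";jsessionid=")) {
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
            return;
        }

        // (a) Give the application a response whose encodeURL family is the
        // identity, so no Tomcat version can append ";jsessionid=..." to links
        // or redirects built through it.
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(String url) { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override public String encodeUrl(String url) { return url; }
            @Override public String encodeRedirectUrl(String url) { return url; }
        });
    }

    public void destroy() { }
}
```

Redirects issued by the container itself (for example after a FORM login) do not pass through the wrapper, so on 6.0.30 and later the disableURLRewriting context attribute is still worth setting alongside the filter.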


RE: Best practice to programmatically get the disableURLRewriting context attribute value

Posted by Sauvel Laurent <la...@soprabanking.com>.
Thanks for your answer.

1. Before testing the code below with different Tomcat configurations, I would like to know if there is a better way to do what I want. I'm not really satisfied with this code that is closely related to Tomcat classes.

2. The original problem is that I would like to:

a) prevent Tomcat (6.0.x, including versions older than 6.0.30) from adding the ";jsessionid=xxx" string to the URL when there is no cookie named JSESSIONID in the client browser
b) prevent jsessionid hijacking via the url, i.e. redirect to an error page when the "jsessionid=" string is detected in the URL

Lo

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org]
Sent: Thursday, 17 April 2014 11:54
To: Tomcat Users List
Subject: Re: Best practice to programmatically get the disableURLRewriting context attribute value

On 10/04/2014 14:01, lo lo wrote:
> Tomcat version 6.0.x on Linux OS
> 
> Hi all,
> 
> I have an application deployed on several customers' Tomcat servers.
> 
> The Tomcat versions are different (6.0.16, 6.0.37, etc.) and asking 
> all customers to upgrade to the latest Tomcat version would be too tricky.
> 
> I would like to programmatically get the disableURLRewriting context
> attribute value, when it exists (i.e. Tomcat 6.0.30 onwards).
> My purpose is to add a tuckey.org/urlrewrite filter rule that 
> redirects the user to an error page when the 'jsessionid=' string is detected in the URL.
> if (disableURLRewriting exists and its value is true) -> the filter 
> rule should be applied if (disableURLRewriting doesn't exist or its 
> value is false) -> the filter rule should not be applied because 
> Tomcat 6 adds ';jsessionid=xxx' when there is no cookie in the client 
> browser
> 
> The only way that I have found to achieve this on different Tomcat 
> versions is to use Tomcat classes:
> 
>     public boolean isDisableURLRewriting(StandardContext standardContext) {
>         Method isDisableURLRewritingMethod = null;
>         try {
>             isDisableURLRewritingMethod = 
> StandardContext.class.getMethod("isDisableURLRewriting");
>         } catch (Exception e) {
>             // the method does not exist or is not accessible
>         }
>         if (isDisableURLRewritingMethod != null) {
>             try {
>                 return ((Boolean)
> isDisableURLRewritingMethod.invoke(standardContext)).booleanValue();
>             } catch (Exception e) {
>                 throw new RuntimeException("Unable to invoke the 
> isDisableURLRewriting method on the standard context");
>             }
>         }
>         // the method does not exist, we return false
>         return false;
>     }
> 
>     StandardEngine engine = (StandardEngine) 
> ServerFactory.getServer().findService("Catalina").getContainer();
>     Container container = engine.findChild(engine.getDefaultHost());
>     StandardContext standardContext = (StandardContext) 
> container.findChild(context.getContextPath());
>     if (isDisableURLRewriting(standardContext)) {
>         // apply the rule
>     } else {
>         // don't apply the rule
>     }
> 
> 1. Will this code work for every Tomcat configuration?
> (I know that this code works when the context file is in the 
> conf/Catalina/localhost directory with the default server.xml file, 
> but I don't know if it will work when several hosts are defined in the 
> server.xml file, because I'm using engine.getDefaultHost())

So maybe you should test that and see what happens.

> 2. Is there a better way to achieve this? (maybe without using Tomcat
> classes?)

It depends on what you are trying to achieve. You have described a problem with your current solution but not what your original problem is.

Mark






Re: Best practice to programmatically get the disableURLRewriting context attribute value

Posted by Mark Thomas <ma...@apache.org>.
On 10/04/2014 14:01, lo lo wrote:
> Tomcat version 6.0.x on Linux OS
> 
> Hi all,
> 
> I have an application deployed on several customers' Tomcat servers.
> 
> The Tomcat versions are different (6.0.16, 6.0.37, etc.) and asking all
> customers to upgrade to the latest Tomcat version would be too tricky.
> 
> I would like to programmatically get the disableURLRewriting context
> attribute value, when it exists (i.e. Tomcat 6.0.30 onwards).
> My purpose is to add a tuckey.org/urlrewrite filter rule that redirects the
> user to an error page when the 'jsessionid=' string is detected in the URL.
> if (disableURLRewriting exists and its value is true) -> the filter rule
> should be applied
> if (disableURLRewriting doesn't exist or its value is false) -> the filter
> rule should not be applied because Tomcat 6 adds ';jsessionid=xxx' when
> there is no cookie in the client browser
> 
> The only way that I have found to achieve this on different Tomcat versions
> is to use Tomcat classes:
> 
>     public boolean isDisableURLRewriting(StandardContext standardContext) {
>         Method isDisableURLRewritingMethod = null;
>         try {
>             isDisableURLRewritingMethod =
> StandardContext.class.getMethod("isDisableURLRewriting");
>         } catch (Exception e) {
>             // the method does not exist or is not accessible
>         }
>         if (isDisableURLRewritingMethod != null) {
>             try {
>                 return ((Boolean)
> isDisableURLRewritingMethod.invoke(standardContext)).booleanValue();
>             } catch (Exception e) {
>                 throw new RuntimeException("Unable to invoke the
> isDisableURLRewriting method on the standard context");
>             }
>         }
>         // the method does not exist, we return false
>         return false;
>     }
> 
>     StandardEngine engine = (StandardEngine)
> ServerFactory.getServer().findService("Catalina").getContainer();
>     Container container = engine.findChild(engine.getDefaultHost());
>     StandardContext standardContext = (StandardContext)
> container.findChild(context.getContextPath());
>     if (isDisableURLRewriting(standardContext)) {
>         // apply the rule
>     } else {
>         // don't apply the rule
>     }
> 
> 1. Will this code work for every Tomcat configuration?
> (I know that this code works when the context file is in the
> conf/Catalina/localhost directory with the default server.xml file, but I
> don't know if it will work when several hosts are defined in the server.xml
> file, because I'm using engine.getDefaultHost())

So maybe you should test that and see what happens.

> 2. Is there a better way to achieve this? (maybe without using Tomcat
> classes?)

It depends on what you are trying to achieve. You have described a
problem with your current solution but not what your original problem is.

Mark

