Dear Christopher,

> But you also don't know what you are doing
> If you don't help us again

I appreciate your help and you definitely know more about tomcat than I do. IMHO, I do help and I try to focus on what is relevant. It doesn't make sense to put our million lines-of-code and log entries online, does it? What remains is describing in detail what we are doing. If I had a minimal example to show I would...

An example of what we see follows:

access.log (apache)
...
[1] 66.249.78.105 <!! hostname !!> - [13/Mar/2014:07:21:03 +0100] "GET /de/dialog-product-pdf.html?productGroupId=220 HTTP/1.1" 200 256 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"
[2] 212.243.6.186 <!! hostname !!> - [13/Mar/2014:07:21:04 +0100] "GET /myinterfaces/webstatus/webstatus.xml HTTP/1.1" 404 27851 "-" "Jakarta Commons-HttpClient/3.1" "$Version=0; JSESSIONID=E405CB1E766D20B4C0CE82106797ED3D; $Path=/"
...

[1] 66.249.78.105 (google bot) is accessing /de/dialog-product-pdf.html?productGroupId=220
[2] 212.243.6.186 (our monitoring app/site) is accessing /myinterfaces/webstatus/webstatus.xml

app.log (tomcat, servlet)
...
[1] 2014-03-13 07:21:04,155 ajp-bio-8069-exec-9 WARN ch.mysign.cms.customized.CmsErrorHandler - HTTP error code '404' thrown for request '/myinterfaces/webstatus/webstatus.xml'. Message: Page not found! remote IP: '66.249.78.105', IP-RegExp: '<!! Regex of IPs allowed !!>'
...

[1] handling /myinterfaces/webstatus/webstatus.xml we see/get remote address 66.249.78.105 which is not allowed to access this page
[and yes I know that IP filtering could be done @apache, BUT for "certain situations" we do this within tomcat]

Does this help?

We DO NOT manipulate any request-object (no setters, are there ;)) and we DO NOT share a request-object across requests. "Worst" that could (and does) happen is a request-object (in a velocitycontext) could be accessed for as long as a few minutes IF we spawn out a thread to handle a long running process ... rendering a pdf or alike.

What is (was) definitely new to me is the fact that the HttpServletRequest-objects handed into the servlet are not immutable snapshots of the "point of entrance". Or am I wrong here too?

Thx
Clemens
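
Added example, not part of the original message and not code from the poster's application: a stand-alone Java (16+) simulation of a container-managed request object being rebound to the next request while a spawned worker thread still holds a reference to it. `PooledRequest` and `Snapshot` are hypothetical stand-ins (no servlet API is used), and the addresses and paths are the sample values from the log excerpt above. The worker prints what it reads from the live object beside what an immutable copy taken on the request thread still holds.

```java
import java.util.concurrent.*;

public class RequestSnapshotDemo {
    // Hypothetical stand-in for a request object that the container
    // reuses for the next request once the current one has completed.
    static final class PooledRequest {
        private volatile String remoteAddr;
        private volatile String uri;
        void bind(String remoteAddr, String uri) { this.remoteAddr = remoteAddr; this.uri = uri; }
        String getRemoteAddr() { return remoteAddr; }
        String getRequestURI() { return uri; }
    }

    // Immutable copy of the fields an IP-based access check depends on.
    record Snapshot(String remoteAddr, String uri) {
        static Snapshot of(PooledRequest r) {
            return new Snapshot(r.getRemoteAddr(), r.getRequestURI());
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        CountDownLatch recycled = new CountDownLatch(1);
        PooledRequest req = new PooledRequest();

        // Request A: the monitoring client asks for the status page.
        req.bind("212.243.6.186", "/myinterfaces/webstatus/webstatus.xml");
        Snapshot snap = Snapshot.of(req);   // copied while request A is still in scope

        // Long-running work that outlives request A and reads both sources late.
        Future<String> late = worker.submit(() -> {
            recycled.await();
            return "live object: " + req.getRemoteAddr() + " " + req.getRequestURI()
                 + "\nsnapshot:    " + snap.remoteAddr() + " " + snap.uri();
        });

        // Request A has completed; the same object now serves request B.
        req.bind("66.249.78.105", "/de/dialog-product-pdf.html");
        recycled.countDown();

        System.out.println(late.get());
        worker.shutdown();
    }
}
```

Any decision that depends on the client address, such as the IP allow-list check in the log above, is only reliable when it uses values copied on the request thread before the request completes.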