Re: a servlet-related Java question

Thu, 22 Apr 2010 14:16:18 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Konstantin,

On 4/22/2010 4:53 PM, Konstantin Kolinko wrote:
> 2010/4/23 Kris Schneider <kschnei...@gmail.com>:
>> On Thu, Apr 22, 2010 at 4:31 PM, Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> On 4/22/2010 2:37 AM, Bill Barker wrote:
>>>> If [the request/filter] does a forward or include done the line, this
>>>> won't work with any remotely recent version of Tomcat.  These
>>>> versions enforce the spec requirement that the Request has to be a
>>>> subclass of HttpServletWrapper wrapping the original request, or the
>>>> original request.
> 
> SRV.8.2 is enforced when STRICT_SERVLET_COMPLIANCE property is set to true.
> 
> http://tomcat.apache.org/tomcat-6.0-doc/config/systemprops.html#Specification

$ export CATALINA_OPTS=-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
$ ant tomcat-start
Buildfile: build.xml

check-local-properties:

build-local-properties:

init:

check-tomcat-config:

prepare-local-tomcat:

tomcat-start:
     [echo] ===============
     [echo] Starting Tomcat
     [echo] ===============
     [echo] JAVA_HOME is /usr
     [echo] JAVA_OPTS is -Xmx64M
     [echo] CATALINA_HOME is /usr/local/apache-tomcat-6.0.26
     [echo] CATALINA_BASE is /xxx
     [echo] CATALINA_OPTS is
- -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
- -Djava.library.path=/usr/local/apache-tomcat-6.0.26/server/lib
     [echo] security-option is

BUILD SUCCESSFUL
Total time: 0 seconds
$

Still runs. :p

I double-checked that the system property
"org.apache.catalina.STRICT_SERVLET_COMPLIANCE" = "true" in the running
VM. It is.

I'd love to see the code that enforces this: it shouldn't be that hard
to do, as Tomcat gets to specify the implementation of the original
request and can unwrap any wrapped request to determine if it's legit.

Kris and Bill are right: this shouldn't work, but it does.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvQvIEACgkQ9CaO5/Lv0PCmBQCfYmmspo4D8/Dvh0G7/QrF5dI7
eQYAoKLfh7XbI6wphEMyxuikqDORthlk
=l+5A
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to