-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
André,
On 10/4/2011 4:50 PM, André Warnier wrote:
> I agree with Francis that the way the documentation is written, is
> confusing for anyone not dedicating his life to Java programming
> (like the sysadmins and other perl programmers who have to use this
> to configure Tomcat). In classical regex usage, if you want
> something anchored, you have to say so explicitly. In classical
> regex usage, if you do use anchors such as ^ and $, you expect them
> to take effect, and not to be silently ignored.
I suspect it's not going to change, as that would be an incompatible
change. Since it's security-related, it's not something to be changed
lightly.
> And, it seems that the Pattern class, and its own .matches()
> method, does work in the way that a non-exclusively-java programmer
> would expect, anchors and all.
Does it?
"
Compiles the given regular expression and attempts to match the given
input against it.
An invocation of this convenience method of the form
Pattern.matches(regex, input);
behaves in exactly the same way as the expression
Pattern.compile(regex).matcher(input).matches()
If a pattern is to be used multiple times, compiling it once and
reusing it will be more efficient than invoking this method each time.
"
> So my question is : which of Matcher or Pattern is really used in
> the Valve's code ?
You could read the code :)
> Furthermore, about the Tomcat Valve documentation, I would opine :
>
> - either the documentation remains as it is, and in the code, it
> should use the Pattern class for matching (and thus not
> automatically anchor, but allow the usage of explicit anchors in
> the provided patterns for allow and deny).
Not going to change the code (see above). Also, Pattern.matches is
static and re-compiles the pattern every time. That's also not going
to change.
> - or the documentation should be amended to indicate that the
> expression provided for allow and deny is already automatically
> anchored at the beginning and end of the string. (And also that
> this is not thread-safe, and may occasionally miss a host ?)
Documentation patches are always welcome. Thread-safety is not an
issue (hint:read the code).
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6Lc4wACgkQ9CaO5/Lv0PCySgCgkLqSiAVx4D/F/7RTbKopzQBf
hScAn3VAYSNyoHzgi5jg4h3nDAat0bQt
=QpMq
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
