I had an off-line discussion with Paul McMahan on this topic.
Our thoughts were that it is probably best to fix this problem in both
places if possible. The container fix seems best for not only the
console but also other uses ... but it is outside of our control and may
not be accepted by all containers we might support. Hence, Paul is
working on a solution for the portlet itself. We will continue to
pursue this with the container teams as well but we will ensure the
safety for 1.0.1 in our portlet.
Joe
Matt Hogstrom wrote:
I think the Portlet is the right place to do this. That way the user is
protected from broken containers (of which we currently have 2).
John Sisson wrote:
Paul McMahan wrote:
Either approach should work but I would prefer to address the
vulnerability in the log viewer portlet because it attaches the
solution closest to where the specific problem is at. Also, the
logger will be called on every request and doing the extra string
manipulations could affect the web container's throughput.
Best wishes,
Paul
This reflects my sentiments as well.
John
On 1/17/06, *Joe Bohn* <[EMAIL PROTECTED]> wrote:
Yes, this sounds like the best way to go.
Regarding the specific problem with the web console displaying the web
access log I'd like to get some consensus. Is this something that the
containers should modify when storing the URL as part of a message in
the appropriate web log? (I have confirmed this is a problem with both
Tomcat and Jetty)
Or, should we address this within the web access log viewer and/or
management objects to modify the content of the log records when they
are being displayed.
My preference would be to make the modification at the time the log
record is created.
Joe
--
Joe Bohn
joe.bohn at earthlink.net
"He is no fool who gives what he cannot keep, to gain what he cannot
lose." -- Jim Elliot