What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"
Hi,

I am trying to make a servlet that doesn't extend the session when accessed and it looked like the system property "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION" could do the job.

To test it out I created a simple project in Netbeans 8.1 with Tomcat 8.5.20 on Windows 10. In the project I have 2 servlets: servletA creates a session and outputs some HTML, servletB only outputs HTML and doesn't call request.getSession().

When I request servletA a session is created and each time I request it again, the last accessed time is updated. When I request servletB which doesn't call getSession(), the last accessed time is updated as well.

Note: I'm using the out-of-the-box server.xml and other configuration files and there are no filters that call getSession().

If I'm reading the documentation correctly, when set to true it will always update the last accessed time even if getSession() wasn't called. By default ACCESS_SESSION is false because STRICT_SERVLET_COMPLIANCE is not set/false.

My question is what is the expected behaviour when it's set to false? I was expecting servletB to not update the last accessed time.

Thanks,
Kwan
Re: Invalid characters in request header
Is there a way to log whatever the offending header was?

On Sep 9, 2017 6:30 AM, "Martynas Jusevičius" wrote:

> Well then you're out of luck. Everything is as expected though, at least on your end -- client sends invalid request, gets error response. What else do you need?
>
> On Sat, Sep 9, 2017 at 12:13 PM, Yuval Schwartz wrote:
>
> > Is that in my control? The url is not one that appears on my website, it's something that was manually written by some client.
> >
> > On Sat, Sep 9, 2017 at 1:12 PM, Martynas Jusevičius <marty...@atomgraph.com> wrote:
> >
> > > Tomcat is an HTTP server, and if your client is sending invalid HTTP requests, Tomcat is right to respond with 400. The solution is to fix the client.
> > >
> > > On Sat, Sep 9, 2017 at 12:09 PM, Yuval Schwartz <yuval.schwa...@gmail.com> wrote:
> > >
> > > > Hello Martynas, thanks.
> > > >
> > > > I'm not sure 404 is better than 400.
> > > >
> > > > Wouldn't it be preferable to validate the url before it has a chance to throw the exception?
> > > > I guess my only reason for preferring this is because I don't want it crowding up my logs.
> > > > I figure if I can filter it out beforehand then it's not really an exception? But I would be happy to hear thoughts on this as I'm still fairly new to programming. I'm not sure what is considered best practice here.
> > > >
> > > > Thanks.
> > > >
> > > > On Sat, Sep 9, 2017 at 12:24 PM, Martynas Jusevičius <marty...@atomgraph.com> wrote:
> > > >
> > > > > How is 404 better than 400?
> > > > >
> > > > > On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz <yuval.schwa...@gmail.com> wrote:
> > > > >
> > > > > > Tomcat version:8.0.43
> > > > > > jdk1.8.0_05
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I've asked a similar question in the past about illegal characters in the http request header (May 15, 2017).
> > > > > >
> > > > > > Certain users are able to send http requests to my server that contain the space character.
> > > > > > This character is obviously not allowed. Tomcat recognizes it and throws an IllegalArgumentException and a http response code 400 is returned to the client.
> > > > > > From my logs:
> > > > > >
> > > > > > *Error parsing HTTP request header...*
> > > > > > *java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986*
> > > > > >
> > > > > > Is there any way to validate the url before it reaches tomcat so that I can return a 404 if an invalid character is found in the url? I would just like to avoid exceptions being thrown where possible.
> > > > > >
> > > > > > Thank you.
Re: Invalid characters in request header
Well then you're out of luck. Everything is as expected though, at least on your end -- client sends invalid request, gets error response. What else do you need?

On Sat, Sep 9, 2017 at 12:13 PM, Yuval Schwartz wrote:

> Is that in my control? The url is not one that appears on my website, it's something that was manually written by some client.
>
> On Sat, Sep 9, 2017 at 1:12 PM, Martynas Jusevičius <marty...@atomgraph.com> wrote:
>
> > Tomcat is an HTTP server, and if your client is sending invalid HTTP requests, Tomcat is right to respond with 400. The solution is to fix the client.
> >
> > On Sat, Sep 9, 2017 at 12:09 PM, Yuval Schwartz <yuval.schwa...@gmail.com> wrote:
> >
> > > Hello Martynas, thanks.
> > >
> > > I'm not sure 404 is better than 400.
> > >
> > > Wouldn't it be preferable to validate the url before it has a chance to throw the exception?
> > > I guess my only reason for preferring this is because I don't want it crowding up my logs.
> > > I figure if I can filter it out beforehand then it's not really an exception? But I would be happy to hear thoughts on this as I'm still fairly new to programming. I'm not sure what is considered best practice here.
> > >
> > > Thanks.
> > >
> > > On Sat, Sep 9, 2017 at 12:24 PM, Martynas Jusevičius <marty...@atomgraph.com> wrote:
> > >
> > > > How is 404 better than 400?
> > > >
> > > > On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz <yuval.schwa...@gmail.com> wrote:
> > > >
> > > > > Tomcat version:8.0.43
> > > > > jdk1.8.0_05
> > > > >
> > > > > Hello,
> > > > >
> > > > > I've asked a similar question in the past about illegal characters in the http request header (May 15, 2017).
> > > > >
> > > > > Certain users are able to send http requests to my server that contain the space character.
> > > > > This character is obviously not allowed. Tomcat recognizes it and throws an IllegalArgumentException and a http response code 400 is returned to the client.
> > > > > From my logs:
> > > > >
> > > > > *Error parsing HTTP request header...*
> > > > > *java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986*
> > > > >
> > > > > Is there any way to validate the url before it reaches tomcat so that I can return a 404 if an invalid character is found in the url? I would just like to avoid exceptions being thrown where possible.
> > > > >
> > > > > Thank you.
Re: Invalid characters in request header
Is that in my control? The url is not one that appears on my website, it's something that was manually written by some client.

On Sat, Sep 9, 2017 at 1:12 PM, Martynas Jusevičius wrote:

> Tomcat is an HTTP server, and if your client is sending invalid HTTP requests, Tomcat is right to respond with 400. The solution is to fix the client.
>
> On Sat, Sep 9, 2017 at 12:09 PM, Yuval Schwartz wrote:
>
> > Hello Martynas, thanks.
> >
> > I'm not sure 404 is better than 400.
> >
> > Wouldn't it be preferable to validate the url before it has a chance to throw the exception?
> > I guess my only reason for preferring this is because I don't want it crowding up my logs.
> > I figure if I can filter it out beforehand then it's not really an exception? But I would be happy to hear thoughts on this as I'm still fairly new to programming. I'm not sure what is considered best practice here.
> >
> > Thanks.
> >
> > On Sat, Sep 9, 2017 at 12:24 PM, Martynas Jusevičius <marty...@atomgraph.com> wrote:
> >
> > > How is 404 better than 400?
> > >
> > > On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz <yuval.schwa...@gmail.com> wrote:
> > >
> > > > Tomcat version:8.0.43
> > > > jdk1.8.0_05
> > > >
> > > > Hello,
> > > >
> > > > I've asked a similar question in the past about illegal characters in the http request header (May 15, 2017).
> > > >
> > > > Certain users are able to send http requests to my server that contain the space character.
> > > > This character is obviously not allowed. Tomcat recognizes it and throws an IllegalArgumentException and a http response code 400 is returned to the client.
> > > > From my logs:
> > > >
> > > > *Error parsing HTTP request header...*
> > > > *java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986*
> > > >
> > > > Is there any way to validate the url before it reaches tomcat so that I can return a 404 if an invalid character is found in the url? I would just like to avoid exceptions being thrown where possible.
> > > >
> > > > Thank you.
Re: Invalid characters in request header
Tomcat is an HTTP server, and if your client is sending invalid HTTP requests, Tomcat is right to respond with 400. The solution is to fix the client.

On Sat, Sep 9, 2017 at 12:09 PM, Yuval Schwartz wrote:

> Hello Martynas, thanks.
>
> I'm not sure 404 is better than 400.
>
> Wouldn't it be preferable to validate the url before it has a chance to throw the exception?
> I guess my only reason for preferring this is because I don't want it crowding up my logs.
> I figure if I can filter it out beforehand then it's not really an exception? But I would be happy to hear thoughts on this as I'm still fairly new to programming. I'm not sure what is considered best practice here.
>
> Thanks.
>
> On Sat, Sep 9, 2017 at 12:24 PM, Martynas Jusevičius <marty...@atomgraph.com> wrote:
>
> > How is 404 better than 400?
> >
> > On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz wrote:
> >
> > > Tomcat version:8.0.43
> > > jdk1.8.0_05
> > >
> > > Hello,
> > >
> > > I've asked a similar question in the past about illegal characters in the http request header (May 15, 2017).
> > >
> > > Certain users are able to send http requests to my server that contain the space character.
> > > This character is obviously not allowed. Tomcat recognizes it and throws an IllegalArgumentException and a http response code 400 is returned to the client.
> > > From my logs:
> > >
> > > *Error parsing HTTP request header...*
> > > *java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986*
> > >
> > > Is there any way to validate the url before it reaches tomcat so that I can return a 404 if an invalid character is found in the url? I would just like to avoid exceptions being thrown where possible.
> > >
> > > Thank you.
Re: Invalid characters in request header
Hello Martynas, thanks.

I'm not sure 404 is better than 400.

Wouldn't it be preferable to validate the url before it has a chance to throw the exception?
I guess my only reason for preferring this is because I don't want it crowding up my logs.
I figure if I can filter it out beforehand then it's not really an exception? But I would be happy to hear thoughts on this as I'm still fairly new to programming. I'm not sure what is considered best practice here.

Thanks.

On Sat, Sep 9, 2017 at 12:24 PM, Martynas Jusevičius wrote:

> How is 404 better than 400?
>
> On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz wrote:
>
> > Tomcat version:8.0.43
> > jdk1.8.0_05
> >
> > Hello,
> >
> > I've asked a similar question in the past about illegal characters in the http request header (May 15, 2017).
> >
> > Certain users are able to send http requests to my server that contain the space character.
> > This character is obviously not allowed. Tomcat recognizes it and throws an IllegalArgumentException and a http response code 400 is returned to the client.
> > From my logs:
> >
> > *Error parsing HTTP request header...*
> > *java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986*
> >
> > Is there any way to validate the url before it reaches tomcat so that I can return a 404 if an invalid character is found in the url? I would just like to avoid exceptions being thrown where possible.
> >
> > Thank you.
Re: Invalid characters in request header
How is 404 better than 400?

On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz wrote:

> Tomcat version:8.0.43
> jdk1.8.0_05
>
> Hello,
>
> I've asked a similar question in the past about illegal characters in the http request header (May 15, 2017).
>
> Certain users are able to send http requests to my server that contain the space character.
> This character is obviously not allowed. Tomcat recognizes it and throws an IllegalArgumentException and a http response code 400 is returned to the client.
> From my logs:
>
> *Error parsing HTTP request header...*
> *java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986*
>
> Is there any way to validate the url before it reaches tomcat so that I can return a 404 if an invalid character is found in the url? I would just like to avoid exceptions being thrown where possible.
>
> Thank you.
Invalid characters in request header
Tomcat version:8.0.43
jdk1.8.0_05

Hello,

I've asked a similar question in the past about illegal characters in the http request header (May 15, 2017).

Certain users are able to send http requests to my server that contain the space character.
This character is obviously not allowed. Tomcat recognizes it and throws an IllegalArgumentException and a http response code 400 is returned to the client.
From my logs:

*Error parsing HTTP request header...*
*java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986*

Is there any way to validate the url before it reaches tomcat so that I can return a 404 if an invalid character is found in the url? I would just like to avoid exceptions being thrown where possible.

Thank you.
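
The check this thread discusses, as an added example rather than code from the thread or from Tomcat: it applies the RFC 3986 path and query character rules to the request-target of a raw request line and reports the first offending character as a code point, so the verdict can be logged without echoing client bytes. The class and method names are hypothetical, only origin-form targets are covered, and having the raw request line available (for instance from a proxy in front of Tomcat) is an assumption.

```java
public class RequestTargetCheck {
    // RFC 3986 unreserved + sub-delims + ":" "@" "/" "?"; "%" is checked separately.
    private static final String ALLOWED =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~!$&'()*+,;=:@/?";

    private static boolean isHex(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }

    /** Text between the first and last space of the request line, or null if malformed. */
    static String target(String requestLine) {
        int first = requestLine.indexOf(' ');
        int last = requestLine.lastIndexOf(' ');
        return (first < 0 || last <= first) ? null : requestLine.substring(first + 1, last);
    }

    /** Offset of the first character that breaks origin-form, or -1 if the target is clean. */
    static int firstInvalid(String target) {
        if (target.isEmpty() || target.charAt(0) != '/') return 0; // must start with "/"
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c == '%') { // pct-encoded = "%" HEXDIG HEXDIG
                if (i + 2 >= target.length()
                        || !isHex(target.charAt(i + 1)) || !isHex(target.charAt(i + 2))) {
                    return i;
                }
                i += 2;
            } else if (ALLOWED.indexOf(c) < 0) {
                return i;
            }
        }
        return -1;
    }

    /** Log-safe verdict: the offending character is written as a code point, never raw. */
    static String describe(String requestLine) {
        String t = target(requestLine);
        if (t == null) return "malformed request line";
        int at = firstInvalid(t);
        if (at < 0) return "ok";
        if (t.isEmpty()) return "empty request-target";
        return String.format("invalid U+%04X at offset %d of request-target", (int) t.charAt(at), at);
    }

    public static void main(String[] args) {
        // Constructed sample request lines, not taken from the thread.
        String[] samples = {"GET /index.jsp?q=a%20b HTTP/1.1", "GET /my page.html HTTP/1.1",
                            "GET /report|2017 HTTP/1.1", "GET /bad%2 HTTP/1.1"};
        for (String line : samples) System.out.println(describe(line));
    }
}
```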