You can honestly tell who¹s calling you, since you can throw an exception, catch it, then look at the stack trace.
If you have an object, you can get its class, you can get what methods it implements, and you can get its parent class and recurse. So that should let you figure out which class will be implementing the emthod you¹re calling, unless I¹m totally confused. -- Gregory Dougherty Sr. Analyst/Programmer | Information Technology Information Technology (507) 284-8493 | dougherty.greg...@mayo.edu On 2/12/16, 1:35 PM, "André Warnier (tomcat)" <a...@ice-sa.com> wrote: >On 12.02.2016 20:08, Christopher Schultz wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> André, >> >> On 2/12/16 1:11 PM, André Warnier (tomcat) wrote: >>> Sorry, I lost the original message, so I can't respond in-thread. I >>> only saw the last message, but to that, isn't this what the Op is >>> asking for : >>> >>> http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/ >> HttpServletRequest.html >>> >>> >>> >>> No matter which jar these things are in, if these methods get >>> called, they should return the current URI which the client called >>> to trigger the current webapp, no ? (I'm talking of getRequestURL() >>> and siblings). >> >> Mark's response accurately points out that anything the library does >> to try to determine which application it's running under can >> relatively easily be subverted by the application itself. >> >> For your example above, it would be easy to simply wrap the >> HttpServletRequest object and override "getRequestURL" and friends. >> >> If you don't trust the code calling you, then you can't trust anything >> up the stack. >> > >Ok, sorry, I have not really followed the thread since the beginning. I >did not realise >that there was a question of not trusting the *code* of the webapps >themselves. >I though it was only not trusting the client (browser or whatever). > >But let me then push the question one level deeper, at the Java level : >is there a way by >which some code about to call a method, could find out if this method is >"the genuine >article", or has been overridden by a wrapper for instance ? > >(And I do realise that this is not really applicable here, it is more by >curiosity) >I mean, the JVM of course must know; but is there a way by which the code >can ask the JVM >about this ? >Or alternatively, can the code "force" the JVM to execute the real method >of the original >parent (in this case HttpServletRequest) instead of a perhaps wrapper >object's method ? > > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
