Hi Chris,

that #toLowerCase() has been introduced with WICKET-4816.

The commit does not mention anything about the requirement for a lower case comparison, and the test does not enforce it either:


So this has probably been just an unnecessary precaution.

Please open an issue.


On 08.12.20 08:48, Chris Colman wrote:
Tomcat, and presumably other JEE app containers, now allow the specification of the name of the JSESSIONID parameter to use in the URL (even though cookies are largely used in place of this the initial hit on a web site will include the jsessionid parameter by default)

This is done by setting a <Context> attribute called 'sessionCookieName'


<Context sessionCookieName="JSESSIONID-Integration" ... >

This can be specified in mixed case and Tomcat will preserve the case.

Wicket allows a matching value to be specified via a Java -D command line option:



However Wicket's Strings.stripJSessionId() method assumes that the JSESSIONID parameter name is always in lowercase which causes failures if it is not:

public static String stripJSessionId(final String url)
        if (Strings.isEmpty(url))
            return url;

        // http://.../abc;jsessionid=...?param=...
        int ixSemiColon = url.toLowerCase(Locale.ROOT).indexOf(SESSION_ID_PARAM);    <-- seemingly unnecessary, unwanted toLowerCase() call
        if (ixSemiColon == -1)
            return url;



Is there any need for the toLowerCase() method call in there? No app container should be performing a "to lower case" on the parameter name and URLs in general can have case sensitive parameter names in query parameters etc., so the toLowerCase seems redundant and it causes issues as detailed above.



To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org

Reply via email to