Bug 43080 - Suspicious url pattern warning logged to wrong webapp
Summary: Suspicious url pattern warning logged to wrong webapp
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Version: 5.5.17
Hardware: Other other
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2007-08-09 15:18 UTC by Marius Scurtescu
Modified: 2008-07-30 13:38 UTC
Description Marius Scurtescu 2007-08-09 15:18:42 UTC
"Suspicious url pattern" warnings are logged to the wrong webapp, not the one
actually using them.

These log events are coming from SecurityCollection.java.
Comment 1 Remy Maucherat 2007-08-10 00:18:52 UTC
This class is using a static logger, and has no efficient way to access the
webapp logger.
Comment 2 Marius Scurtescu 2007-08-10 00:31:40 UTC
If it cannot get the logger for the proper webapp then why does it log into some
other webapp? At least it should log into catalina.out.

This is a serious issue.

If proper logging is impossible then the whole verification should be removed,
it is useless like this IMHO.

(Not to mention that it is broken -- that's a different bug report. But that
shows that no one really used this information ever.)
Comment 3 Ryan Sweet 2007-08-10 10:30:11 UTC
Marius, do you have a test case that easily generates these log messages?
Comment 4 Marius Scurtescu 2007-08-10 10:43:50 UTC
AFAIK you only need:
- URL patterns like "/foo/*" in your web.xml
- debug level logging

If you have several web apps the log events may show up in the wrong web app log
file, don't know how to trigger that.

See also bug 43079
Comment 5 Mark Thomas 2008-05-04 03:43:40 UTC
This has been fixed in trunk and proposed for 6.0.x and 5.5.x
Comment 6 Mark Thomas 2008-05-15 12:57:44 UTC
This has been fixed in 6.0.x and will be included in 6.0.17 onwards.
Comment 7 Mark Thomas 2008-07-30 13:38:49 UTC
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.