问题描述

似乎是一个愚蠢的问题，答案是不要使用 encodeURL()！"但我正在使用在 JSP 中使用 netui 锚标记的代码库，我需要禁用将 JSESSIONID 写入 URL，因为它存在安全风险.

Seems like a stupid question to which the answer would be "Don't use encodeURL()!" but I'm working with a codebase that uses netui anchor tags in the JSPs and I need to disable the writing of JSESSIONID into the URLs as it is a security risk.

在 WebLogic 中，您可以通过在 weblogic.xml 中配置 url-rewriting-enabled 来配置它(我知道是因为我在 WebLogic 服务器中编写了该功能！).但是，我找不到 Tomcat 的等效配置选项.

In WebLogic, you can configure this by configuring url-rewriting-enabled in weblogic.xml (I know because I wrote that feature in the WebLogic server!). However, I can't find an equivalent config option for Tomcat.

推荐答案

没有想到任何设置.但这很容易通过创建第一个入口 Filter 监听感兴趣的 url-pattern(可能是 /* ?)和将 ServletResponse 替换为 HttpServletResponseWrapper 实现，其中 encodeURL() 返回完全相同的未修改参数.

No setting comes to mind. But this is fairly easy to do by creating a first-entry Filter listening on the url-pattern of interest (maybe /* ?) and replaces the ServletResponse by a HttpServletResponseWrapper implementation where the encodeURL() returns the very same argument unmodified back.

启动示例:

public void doFilter(ServletRequest request, ServletResponse response) throws ServletException, IOException {
    chain.doFilter(request, new HttpServletResponseWrapper((HttpServletResponse) response) {
        public String encodeURL(String url) {
            return url;
        }
    });
}

这篇关于如何配置 Tomcat 在调用 HttpServletResponse.encodeURL() 时不将会话 ID 编码到 URL 中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！