| Subject: | Re: Form Authentication POST data not preserved? | |
|---|---|---|
| From: | Jess Holle (jes...@ptc.com) | |
| Date: | Feb 5, 2012 10:37:32 am | |
| List: | org.apache.tomcat.users | |
On 2/5/2012 12:22 PM, Konstantin Kolinko wrote:

> 2012/2/5 Jess Holle <jes...@ptc.com>:
>
>> Also it strikes me that maxSavePostSize should really be backed up by a use of a SoftReference in SavedRequest.
>>
>> This would allow one to allow relatively large POST bodies to be saved unless/until this threatened to consume the JVM's overall memory resources, at which point the POST bodies could be dropped.
>>
>> As it stands now one has to choose between vicious treatment of large POST bodies (i.e. dropping all the user's data) and opening oneself wide open to quick and easy (and possibly accidental) DOS attacks.
>
> Interesting idea. I think it is worth filing an enhancement request. Though I see the following caveat:
>
> Using SoftReference here will lead to non-deterministic behaviour. I wonder whether admins will be puzzled by this feature. Though this can be solved by logging an INFO message wrapped by org.apache.juli.logging.UserDataHelper.

Yeah, there is the element of uncertainty as to how strongly a SoftReference really holds on to its data, etc.

This would be nice "opt in" behavior if nothing else.

-- Jess Holle
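
The SoftReference idea discussed in this message, as an added example (not Tomcat's code and not written by either poster): a saved POST body held softly, so the collector can reclaim it under memory pressure, with an INFO log entry when that happens. The class `SoftSavedBody` and its methods are hypothetical, `java.util.logging` stands in for the `UserDataHelper`-wrapped logging mentioned above, and a negative `maxSavePostSize` is assumed to mean "no hard cap".

```java
import java.lang.ref.SoftReference;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;

/** Hypothetical holder for a POST body saved across a FORM login (not Tomcat's SavedRequest). */
public class SoftSavedBody {
    private static final Logger log = Logger.getLogger(SoftSavedBody.class.getName());

    private final SoftReference<byte[]> body; // the GC may clear this before throwing OutOfMemoryError
    private final int length;                 // held strongly so a dropped body can still be reported

    /** Returns null when the body exceeds the hard cap (assumption: negative cap means unlimited). */
    public static SoftSavedBody save(byte[] postBody, int maxSavePostSize) {
        if (maxSavePostSize >= 0 && postBody.length > maxSavePostSize) {
            return null; // deterministic refusal: the cap still bounds per-request memory
        }
        return new SoftSavedBody(postBody);
    }

    private SoftSavedBody(byte[] postBody) {
        // Copy so that no caller-held strong reference keeps the array alive.
        this.body = new SoftReference<>(postBody.clone());
        this.length = postBody.length;
    }

    /** Returns the saved body, or null if the collector reclaimed it in the meantime. */
    public byte[] restore() {
        byte[] bytes = body.get(); // read once into a strong reference; a second get() may differ
        if (bytes == null) {
            // The non-deterministic case raised in the thread: make it visible to admins.
            log.info("Saved POST body of " + length
                    + " bytes was reclaimed under memory pressure; request replayed without it");
        }
        return bytes;
    }

    public static void main(String[] args) {
        // Constructed sample body and cap, for illustration only.
        byte[] post = "field=value".getBytes(StandardCharsets.UTF_8);
        SoftSavedBody saved = SoftSavedBody.save(post, 1 << 20);
        byte[] replay = saved.restore();
        System.out.println(replay == null ? "body dropped" : "body restored: " + replay.length + " bytes");
    }
}
```

On HotSpot JVMs, how long softly reachable objects survive after their last access is tunable with `-XX:SoftRefLRUPolicyMSPerMB`, which is one source of the uncertainty mentioned in the reply.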





