Skip to main content


Showing posts from December, 2010

slf4j over sysout not thread safe

I started using it to redirect all sysout and syserr to log files instead of catalina.out but its not thread safe as I started getting below exceptions. Solution was to patch the library and make LoggerAppenderImpl.appendAndLog and LoggerAppenderImpl.append methods synchronized for now as I am relying on assumption that we wont have too many system.out in third party libraries.

java.lang.StringIndexOutOfBoundsException: String index out of range: 117
at java.lang.String.(
at java.lang.StringBuilder.toString(

Jersey mapped to /* but tomcat to serve other static content

Ran into interesting issue where Jersey was to be mapped to /* to make the REST urls easy. I mean instead of the rest urls had to be

But also the JSP and in local dev env all static content needed to be served by tomcat. Was searching for a solution and ran into this Jersey mapped to all url and tomcat to serve JSP.

This thread on nabble made my day as I was looking for this solution for 2-3 days but was trying all wrong options.

Securing JSESSIONID cookie if tomcat is fronted by apache

In my previous post Creating a custom Valve in tomcat I descibed the valve solution I tried to secure the JSESSIONID cookie but it didnt worked so finally I had to patch the tomcat class to get it working. We are using tomcat 5.5.28 so I downloaded the source and modify the class apache-tomcat-5.5.24-src/container/catalina/src/share/org/apache/catalina/connector/ In addCookie method I had to add this code

String cookieName = cookie.getName(); if (request != null && "JSESSIONID".equals(cookieName)) { String clientId = request.getHeader("X-Forwarded-For"); if (clientId != null) { cookie.setSecure(true); } }
Then compile the code and replace the catalina.jar in tomcathome/server/lib

Tomcat creating a custom Valve

I recently tried registering an app with Salesforce and they reported a security vulnerability of JSESSIONID cookie not being secure in it. The app uses https but this JSESSIONID cookie is created by tomcat. The app is fronted by tomcat so the Apache-tomcat connector is not secure. There were various solution like:

1) Adding secure="true" on http connector, but it didnt worked, somehow it used to work in older tomcat but not in the version of tomcat we use.
2)Other solution is to write an apache module to rewrite the Set-Cookie header but that is too complex.
3)I tried implementing a filter and wrapping the HttpServletResponse and overriding setHeader method but unfortunately by the time the call reaches the filter tomcat has already added the cookie in response and if I add another one there were two cookies sent one with secure and other with no secure attribute so that defeats the purpose.

Here I thought Valves comes to rescue so I implemented a tomcat Valve (unfortuntely…