http://issues.apache.org/bugzilla/show_bug.cgi?id=41696

           Summary: ApplicationDispatcher can't handle alternative
                    HttpRequest-Implementation on forward
           Product: Tomcat 5
           Version: 5.0.16
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: [EMAIL PROTECTED]

Bug or feature?

I was trying to write a servlet-filter which should check on all posted request-parameters and replace potential cross-site-scripting attacks from the sent content by harmless equivalents.

First I subclassed HttpServletRequestWrapper and overrode getParameter, getParameterMap, getParameterValues and getParameterValues, but the ApplicationDispatcher still used the parameter map from the wrapped request when forwarding the request. This is not nice since the parameters of the forwarded URL are not added to the filter's parameter map. It happens because ApplicationDispatcher internally unwraps all nested requests until an internal type is reached. Everything works as expected as long as I don't forward the request!

Next I tried to implement interface HttpServletRequest on my own (simple delegate pattern) because ApplicationDispatcher explicitly does NOT unwrap NON-HttpServletRequestWrapper (ApplicationDispatcher.java line 871). But in this case a ClassCastException is thrown at line 814 when unwrapping the request. At this point Non-HttpServletRequestWrapper are not(!) ignored.

So in the end imho it comes down to these questions:

1. HttpServletRequestWrapper delegates calls on every method to its wrapped request. So in effect, when merging request parameters of the request with the parameters of a forward-url, calls on getParameterMap etc. are delegated to the original request anyway as long as these methods are not overridden. I haven't found a part in the spec where it is explicitly forbidden to alter request-parameters when using a wrapper.

2. Should ApplicationDispatcher be able to handle any implementation of HttpServletRequest, or do the J2EE specs allow it to rely solely on its own implementation types?

If ApplicationDispatcher should handle any implementation, this should be considered a bug and the unwrap method should be fixed!

Wolfgang
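
The wrapper approach described in the report, sketched as an added example that is not part of the original message and not Tomcat's code. The class names EncodingParamFilter and EncodedRequest are hypothetical, and the javax.servlet 3.0+ API (generic getParameterMap) is assumed on the classpath.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/** Hypothetical filter: parameter reads on the wrapped request return HTML-encoded values. */
public class EncodingParamFilter implements Filter {
    /** Single pass over the input, so '&' in the output entities is never re-encoded. */
    static String encode(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }
    static class EncodedRequest extends HttpServletRequestWrapper {
        EncodedRequest(HttpServletRequest req) { super(req); }
        @Override public String getParameter(String name) { return encode(super.getParameter(name)); }
        @Override public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] enc = new String[raw.length];
            for (int i = 0; i < raw.length; i++) enc[i] = encode(raw[i]);
            return enc;
        }
        @Override public Map<String, String[]> getParameterMap() {
            // Built from the overridden accessor so all three views stay consistent.
            Map<String, String[]> enc = new LinkedHashMap<>();
            for (String name : super.getParameterMap().keySet()) enc.put(name, getParameterValues(name));
            return enc;
        }
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Non-HTTP requests pass through unwrapped.
        chain.doFilter(req instanceof HttpServletRequest
                ? new EncodedRequest((HttpServletRequest) req) : req, res);
    }
}
```

As the report describes for Tomcat 5.0.16, ApplicationDispatcher unwraps to its internal request on forward, so a target reached through RequestDispatcher.forward() should not assume it sees these encoded values.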