AnonymizerRequestWrapper and jsp:includes

flintdk
2011-11-04
2013-05-08
  • flintdk

    flintdk - 2011-11-04

    Hi folks,

    Sometimes (on first connection to my web app, or just after a session was invalidated) I was having a problem with jsp:parameter values being null.  A bit of digging led me to jGuard as the culprit.

    JGuard has a particular request wrapper "AnonymizerRequestWrapper" which overrides the 'getParameter()' method.

    It attempts to manipulate the parameter values if the parameter name is reserved (the "loginField" or "passwordField") but then attempts to evaluate other parameter requests using a stored reference to 'request'.  This does appear to mostly work, BUT…

    When processing a RequestDispatcher.forward() or RequestDispatcher.include() call, the container (i.e. Tomcat, Resin, etc.) is required to ensure that any wrapped request (or response) provided by the calling servlet is the very same instance that is handed to the calling servlet (Servlet 2.3 Spec, Section 6.2.2, last paragraph).  Therefore, it is not legal for the container to implement request dispatcher processing by wrapping the request provided by the calling servlet.

    A consequence of this is that your wrapper class *MUST* delegate calls like getServletPath(), getParameter(), etc. to its superclass in order to see the modified values set by the container - which are conceptually performed on the underlying "real" request object itself.  If your application fails to do this, then it is the application's problem that the "wrong" answer is returned - just as it would be if you overrode getServletPath() and always returned a null value, or some constant String.

    I got the above little gem from comments on the following bug:
    *   https://issues.apache.org/bugzilla/show_bug.cgi?id=8566
    I didn't see "You MUST delegate" highlighted elsewhere, but it is a natural consequence of the servlet spec, all right.

    The original method is:

      public String getParameter(String parameterName){
        if(loginField.equals(parameterName)||passwordField.equals(parameterName)){
          return SecurityConstants.GUEST;
        }else{
          // 'req' is the request captured in the constructor; reading through it
          // bypasses the wrapper chain and misses anything the container swapped in
          return req.getParameter(parameterName);
        }
      }
    

    I've updated it as follows:

      public String getParameter(String parameterName){
        if(loginField.equals(parameterName)||passwordField.equals(parameterName)){
          return SecurityConstants.GUEST;
        }else{
          // return req.getParameter(parameterName);
          // delegate to ServletRequestWrapper, which reads the *current* underlying request
          return super.getParameter(parameterName);
        }
      }
    

    I also removed all references to the 'req' variable from the class (it's no longer used).

    And it now seems to behave correctly all the time!  Just wanted to post this here so it can be included in version 2.0 of jGuard, if appropriate.  I posted another bug fix in the development forum, hope that was the right place (got no response in that forum, hence posting this one here).

    Comments?

    Regards,

    Tomás.
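A worked example of the delegation point made in the post above. This is added here and is not jGuard code or code from the original post. It places the stale-reference wrapper next to the delegating one and simulates what a container does on RequestDispatcher.forward()/include(): it keeps the application's wrapper instance (as the spec passage quoted above requires) but replaces the request underneath it through ServletRequestWrapper.setRequest() with one that also carries the dispatch query-string parameters, which is how Tomcat's ApplicationDispatcher inserts its ApplicationHttpRequest into the chain. The Proxy-backed fake HttpServletRequest, the "user"/"pass"/"page" parameters and the class names are the example's own constructions; it assumes javax.servlet-api (Servlet 3.x or later) on the classpath.

```java
// Added example, not jGuard code: a stale-reference request wrapper versus a
// delegating one, exercised through a simulated forward. Requires javax.servlet-api.
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class WrapperDelegationDemo {

    /** Stands in for jGuard's SecurityConstants.GUEST (assumed value). */
    static final String GUEST = "guest";

    /** The pattern reported as buggy: reads through a reference captured at construction. */
    static class StaleRefWrapper extends HttpServletRequestWrapper {
        private final HttpServletRequest req; // captured once, never updated by the container
        private final String loginField, passwordField;

        StaleRefWrapper(HttpServletRequest r, String loginField, String passwordField) {
            super(r);
            this.req = r;
            this.loginField = loginField;
            this.passwordField = passwordField;
        }

        @Override public String getParameter(String name) {
            if (loginField.equals(name) || passwordField.equals(name)) return GUEST;
            return req.getParameter(name); // bypasses getRequest(), so misses swapped-in requests
        }
    }

    /** The fixed pattern: every non-reserved lookup goes through super, i.e. getRequest(). */
    static class DelegatingWrapper extends HttpServletRequestWrapper {
        private final String loginField, passwordField;

        DelegatingWrapper(HttpServletRequest r, String loginField, String passwordField) {
            super(r);
            this.loginField = loginField;
            this.passwordField = passwordField;
        }

        @Override public String getParameter(String name) {
            if (loginField.equals(name) || passwordField.equals(name)) return GUEST;
            return super.getParameter(name); // sees whatever request the container installed
        }
    }

    /** Constructed test double: a parameter-map-backed HttpServletRequest built with a dynamic Proxy. */
    static HttpServletRequest fakeRequest(Map<String, String> params) {
        return (HttpServletRequest) Proxy.newProxyInstance(
            HttpServletRequest.class.getClassLoader(),
            new Class<?>[] { HttpServletRequest.class },
            (proxy, method, args) -> {
                if ("getParameter".equals(method.getName())) return params.get((String) args[0]);
                if ("toString".equals(method.getName())) return "fakeRequest" + params;
                throw new UnsupportedOperationException(method.getName() + " not faked");
            });
    }

    public static void main(String[] args) {
        // Parameters of the original incoming request (constructed sample data).
        Map<String, String> original = new HashMap<>();
        original.put("user", "alice");
        original.put("pass", "s3cret");
        HttpServletRequest initial = fakeRequest(original);

        StaleRefWrapper stale = new StaleRefWrapper(initial, "user", "pass");
        DelegatingWrapper good = new DelegatingWrapper(initial, "user", "pass");

        // Simulate RequestDispatcher.forward("/target.jsp?page=2"): the container keeps
        // both wrapper instances but swaps the request beneath them for one that also
        // carries the dispatch query-string parameter.
        Map<String, String> merged = new HashMap<>(original);
        merged.put("page", "2");
        HttpServletRequest afterForward = fakeRequest(merged);
        stale.setRequest(afterForward);
        good.setRequest(afterForward);

        // Reserved fields are masked by both wrappers.
        System.out.println("user via stale ref:  " + stale.getParameter("user"));
        System.out.println("user via delegating: " + good.getParameter("user"));
        // The forwarded parameter is only visible through the delegating wrapper;
        // the stale reference still points at the pre-forward request.
        System.out.println("page via stale ref:  " + stale.getParameter("page"));
        System.out.println("page via delegating: " + good.getParameter("page"));
    }
}
```

Compile and run with the servlet API jar on the classpath (for example `javac -cp javax.servlet-api-3.1.0.jar WrapperDelegationDemo.java` followed by `java -cp .:javax.servlet-api-3.1.0.jar WrapperDelegationDemo`). The "page" parameter comes back as null through the stale reference and as "2" through the delegating wrapper, which is exactly the symptom the post describes: values that exist on the dispatched request but are invisible to the jsp:include because the wrapper read them from the request it was constructed with.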

     
  • Charles Lescot

    Charles Lescot - 2011-11-05

    Hi,
    thanks for this excellent feedback!

    The AnonymizerRequestWrapper has been modified according to your instructions.

    Note that this class is actually only used by the registration code, which will be shortly refactored to be usable again in the next beta release.

    Best regards,

    Charles.

     
