Servlet Filters, Struts and Modifying Request Parameters
843841 Dec 10 2007 — edited Oct 31 2008
I have been struggling with this for quite a time, and while I have gotten quite a few hints from reading and web/forum searches, nothing seems to address my specific problem. I am experienced with Java in various forms, but relatively new to servlets, Struts and related technologies.
I am attempting to add a security filter to an existing application. Rather than code my own, I elected to use the OWASP "Stinger" filter to meet my requirement. Stinger is a straightforward methodology for examining and modifying incoming request information. It implements itself as a servlet filter.
The existing application is Struts based, and from what I have read and seen in the code, it is a fairly "vanilla" implementation (if there is such a thing!).
Simply put, the filter executes as desired, modifying the request parameters. However, the values being received by the Struts objects in the application appear to be the original (unfiltered) values.
I am using debug in WebSphere/Eclipse to step through the application, and the request is being passed along from method to method WITH the filtered parameters in place. However, Struts seems to be getting the values using another avenue that is bypassing the filter and ignoring the values in the original request.
I've tried to read up on Struts, and while it can get a little complex to follow for someone new to it, it does seem to get its information from the request parameters. So, I don't know why the filtered request is being carried throughout the application, but doesn't seem to affect the values that actually end up being used.
Any tips/suggestions would be greatly appreciated. I know I could theoretically move this code into Struts itself, but I would prefer the modular/toolbox approach of using an existing application such as Stinger.
It is important to note that since this is an existing application, I am using some older versions of the tools involved. Java 1.14, Struts 1.x, Servlet 2.3, etc. (I can provide more details on other tools if it will help).
I know, for example, that filters on the older version of Servlets will only fire on requests, not forwards or redirects. I think this may be related, but can't completely understand the flow of traffic, and wonder why the modified HTTPRequest seems to pass through the application with the parameters unread.
Thanks, Chris
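
Added example, not part of the original post and not Stinger's code: a Servlet 2.3 filter that hands modified parameter values downstream has to wrap the request, and the wrapper has to answer consistently through every parameter accessor, because HttpServletRequestWrapper delegates any accessor that is not overridden to the original request. The class names and the sanitize() rule are hypothetical, and the servlet API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter, written without generics to match Java 1.4 / Servlet 2.3.
public class SanitizingFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Downstream code sees the changes only if the wrapper goes down the chain.
        chain.doFilter(new SanitizedRequest((HttpServletRequest) req), res);
    }

    // Placeholder rule (assumption): trim and drop angle brackets.
    static String sanitize(String v) {
        return v == null ? null : v.trim().replaceAll("[<>]", "");
    }

    static class SanitizedRequest extends HttpServletRequestWrapper {
        private final Map clean = new HashMap(); // String -> String[]

        SanitizedRequest(HttpServletRequest request) {
            super(request);
            for (Iterator it = request.getParameterMap().entrySet().iterator(); it.hasNext();) {
                Map.Entry e = (Map.Entry) it.next();
                String[] raw = (String[]) e.getValue();
                String[] out = new String[raw.length];
                for (int i = 0; i < raw.length; i++) out[i] = sanitize(raw[i]);
                clean.put(e.getKey(), out);
            }
        }

        // All four accessors answer from the same sanitized map.
        public String getParameter(String name) {
            String[] v = (String[]) clean.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }
        public String[] getParameterValues(String name) { return (String[]) clean.get(name); }
        public Map getParameterMap() { return Collections.unmodifiableMap(clean); }
        public Enumeration getParameterNames() { return Collections.enumeration(clean.keySet()); }
    }
}
```

A wrapper that overrides only getParameter() leaves getParameterValues(), getParameterMap() and getParameterNames() returning the container's unmodified values to any caller that uses them.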