4 Replies Latest reply on Jan 2, 2008 9:29 AM by jimmatts2

    J2EE Filter and Request, Form, and URL scoped variables

    jimmatts2
      All,

      My company has developed a J2EE servlet filter that inspects HTTP requests to filter for non-safe text to prevent cross-site scripting, SQL injection, and other web attacks. We are trying to leverage this within our CF 6.1 environment.

      We have configured the web.xml to invoke the filter (which should process BEFORE anything else in the CF war executes). The filter is firing as expected, is changing the request parameters, and releasing control back to JRUN (FilterChain) and the CfmServlet to process the CFM template.

      When the CFM template processes, the Request scope has been modified but the URL and FORM scopes have NOT been modified.

      Does anyone know how to access the URL and FORM scopes within a J2EE Filter? Any other ideas?

        • 1. Re: J2EE Filter and Request, Form, and URL scoped variables
          jmmorgan
          Hi -

          I take it you are modifying the HttpServletRequest object in your filter. This would explain why the request scope is altered but not the form and URL variables. As near as I can tell ColdFusion creates the request scope from the HttpServletRequest object. When it creates the form scope it parses the data out of the request input stream, not the HttpServletRequest.

          - Jason
          • 2. Re: J2EE Filter and Request, Form, and URL scoped variables
            jimmatts2 Level 1
            Thanks for the response. Yes, I have a class that extends HttpServletRequestWrapper, which is a class implemented by JRun which extends javax.servlet.ServletRequestWrapper (which implements the HttpServletRequest interface).

            While debugging it in Eclipse, the instance of HttpServletRequest is of type jrun.servlet.ForwardRequest which extends jrun.servlet.RequestWrapper which extends HttpServletRequestWrapper.

            Any idea where the request input stream is within those object graphs?
            • 3. Re: J2EE Filter and Request, Form, and URL scoped variables
              jmmorgan Level 1
              Hi -

              The javax.servlet.ServletRequest which HttpServletRequest extends has a method called getInputStream().

              - Jason
              • 4. Re: J2EE Filter and Request, Form, and URL scoped variables
                jimmatts2 Level 1
                Jason ... thanks. Through my research I've been able to identify that the InputStream can be accessed via this channel:

                1) ForwardRequest (a JRUN class) has a method to get the ServletRequest (getRequest())
                2) From that request, you can access the ServletInputStream by invoking the method you mentioned.

                The class that comes out of the ForwardRequest.getRequest() method is of type JRunRequest. This class has a private member called inputStream. Unfortunately it is FINAL so it cannot be modified.

                public final class JRunRequest extends RequestWrapper
                        implements HttpConstants {
                    private final ServletInputStream inputStream;
                    ...
                }

                Therefore, unless someone can point me in another direction I have determined that the URL and FORM scopes CANNOT be modified prior to transferring between the ColdFusion Web App and JRun.
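
Added example (not part of the thread, and not the poster's filter or JRun's code): the standard Servlet API way to change what downstream code reads from the raw body is to override getInputStream(), getContentLength() and getQueryString() in the request wrapper handed to the FilterChain, rather than touching the container's private inputStream field. It assumes the pre-3.1 Servlet API (where read() is the only abstract method of ServletInputStream) and that ColdFusion reads through the wrapper it is given, which the thread does not confirm; BodyRewriteFilter, CleanRequest, rewrite, clean and sanitize are hypothetical names.

```java
import java.io.*;
import java.net.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class BodyRewriteFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new CleanRequest((HttpServletRequest) req), res);
    }
    // Hypothetical placeholder for the real filtering rules.
    static String sanitize(String s) { return s.replace("<", "").replace(">", ""); }
    // Decode one url-encoded token, filter it, and encode it again.
    static String clean(String s) throws IOException {
        return URLEncoder.encode(sanitize(URLDecoder.decode(s, "UTF-8")), "UTF-8");
    }
    static String rewrite(String encoded) throws IOException {
        if (encoded == null) return null;
        StringBuilder out = new StringBuilder();
        for (String pair : encoded.split("&")) {
            if (out.length() > 0) out.append('&');
            String[] kv = pair.split("=", 2);
            out.append(clean(kv[0]));
            if (kv.length == 2) out.append('=').append(clean(kv[1]));
        }
        return out.toString();
    }
    // Serves the filtered query string and body to anything that reads them raw.
    static class CleanRequest extends HttpServletRequestWrapper {
        private final String query;
        private final byte[] body;
        private final ServletInputStream stream;
        CleanRequest(HttpServletRequest r) throws IOException {
            super(r);
            query = rewrite(r.getQueryString());
            ByteArrayOutputStream raw = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = r.getInputStream().read(buf)) != -1; ) raw.write(buf, 0, n);
            String type = r.getContentType();
            boolean form = type != null && type.startsWith("application/x-www-form-urlencoded");
            body = form ? rewrite(raw.toString("ISO-8859-1")).getBytes("ISO-8859-1") : raw.toByteArray();
            final ByteArrayInputStream in = new ByteArrayInputStream(body);
            stream = new ServletInputStream() { public int read() { return in.read(); } };
        }
        public String getQueryString() { return query; }
        public int getContentLength() { return body.length; }
        public ServletInputStream getInputStream() { return stream; }
    }
}
```

Because the wrapper consumes the original body, the getParameter-style accessors must also be answered by the wrapper, as the existing filter already does for the Request scope. A malformed %-escape raises IllegalArgumentException from URLDecoder, so such a request fails instead of passing through unfiltered.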