J2EE Filter and Request, Form, and URL scoped variables

New Here, Dec 21, 2007

All,

My company has developed a J2EE servlet filter that inspects HTTP requests to filter for non-safe text to prevent cross-site scripting, SQL injection, and other web attacks. We are trying to leverage this within our CF 6.1 environment.

We have configured the web.xml to invoke the filter (which should process BEFORE anything else in the CF war executes). The filter is firing as expected, is changing the request parameters, and is releasing control back to JRUN (FilterChain) and the CfmServlet to process the CFM template.

When the CFM template processes, the Request scope has been modified but the URL and FORM scopes have NOT been modified.

Does anyone know how to access the URL and FORM scopes within a J2EE Filter? Any other ideas?

TOPICS
Advanced techniques

Explorer, Dec 21, 2007

Hi -

I take it you are modifying the HttpServletRequest object in your filter. This would explain why the request scope is altered but not the form and URL variables. As near as I can tell, ColdFusion creates the request scope from the HttpServletRequest object. When it creates the form scope, it parses the data out of the request input stream, not the HttpServletRequest.

- Jason

New Here, Dec 21, 2007

Thanks for the response. Yes, I have a class that extends HttpServletRequestWrapper, which is a class implemented by JRun which extends javax.servlet.ServletRequestWrapper (which implements the HttpServletRequest interface).

While debugging it in Eclipse, the instance of HttpServletRequest is of type jrun.servlet.ForwardRequest which extends jrun.servlet.RequestWrapper which extends HttpServletRequestWrapper.

Any idea where the request input stream is within those object graphs?

Explorer, Jan 02, 2008

Hi -

The javax.servlet.ServletRequest which HttpServletRequest extends has a method called getInputStream().

- Jason

New Here, Jan 02, 2008

Jason ... thanks. Through my research I've been able to identify that the InputStream can be accessed via this channel:

1) ForwardRequest (a JRUN class) has a method to get the ServletRequest (getRequest())
2) From that request, you can access the ServletInputStream by invoking the method you mentioned.

The class that comes out of the ForwardRequest.getRequest() method is of type JRunRequest. This class has a private member called inputStream. Unfortunately it is FINAL so it cannot be modified.

public final class JRunRequest extends RequestWrapper
        implements HttpConstants {
    private final ServletInputStream inputStream;
    ...
}

Therefore, unless someone can point me in another direction I have determined that the URL and FORM scopes CANNOT be modified prior to transferring between the ColdFusion Web App and JRun.

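An added example, not code from this thread or from JRun/ColdFusion: instead of trying to rewrite the final inputStream field, a filter can buffer the body once, reject unsafe requests outright, and replay the bytes through a wrapper that overrides getInputStream(). The class name, MAX_BODY and the isUnsafe() rule are hypothetical; it assumes the Servlet 2.3/2.4 API and form-urlencoded bodies, and whether ColdFusion reads the body through the wrapper rather than from the underlying JRunRequest is not established in this thread.

```java
import java.io.*;
import java.net.URLDecoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: RejectUnsafeFilter, MAX_BODY and isUnsafe() are hypothetical names.
// Assumes the Servlet 2.3/2.4 API, where ServletInputStream only requires read().
public class RejectUnsafeFilter implements Filter {
    static final int MAX_BODY = 64 * 1024; // constructed limit; larger bodies are refused
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // Read the raw body once; after this the container's own stream is exhausted.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        InputStream in = http.getInputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) != -1; ) {
            buf.write(chunk, 0, n);
            if (buf.size() > MAX_BODY) {
                out.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                return;
            }
        }
        final byte[] body = buf.toByteArray();
        String query = http.getQueryString();
        // Check the raw body (what the reply above says FORM is parsed from) and the
        // raw query string (assumed here to be the source of the URL scope).
        if (isUnsafe(new String(body, "ISO-8859-1")) || (query != null && isUnsafe(query))) {
            out.sendError(HttpServletResponse.SC_BAD_REQUEST); // fail closed, no rewriting
            return;
        }
        // Replay the buffered bytes to whatever reads the body downstream.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            public ServletInputStream getInputStream() {
                final ByteArrayInputStream src = new ByteArrayInputStream(body);
                return new ServletInputStream() { public int read() { return src.read(); } };
            }
            public BufferedReader getReader() throws IOException {
                return new BufferedReader(new InputStreamReader(getInputStream(), "ISO-8859-1"));
            }
        }, res);
    }
    // Placeholder policy standing in for the real filter rules: decode, then look for markup.
    static boolean isUnsafe(String raw) {
        try {
            String s = URLDecoder.decode(raw, "UTF-8");
            return s.indexOf('<') >= 0 || s.indexOf('>') >= 0;
        } catch (Exception e) { return true; } // malformed escapes are rejected
    }
}
```

getParameter() on the wrapper still delegates to the container, which under the servlet specification does not parse a body that has already been read as a stream, so code that needs both must parse the buffered bytes itself. If the FORM scope arrives empty after this filter runs, the CFM servlet is reading the underlying stream rather than the wrapper.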