OK to read the request body within a filter?

If I read a request's body within a servlet filter then is the body still going to be available to be read again by the servlet, or can it be read only once?

For example:

1. Filter reads the request body via getInputStream().
2. Filter performs a validation of the body data, and the validation passes.
3. The request moves along to the servlet.
4. The servlet reads the body in order to perform its processing.

In step 4 above is the body again available to the servlet, or does the filter somehow have to replace the body of the request to insure that it's again available to the servlet?

Thanks in advance for any insight.

--James

It can only be read once.

What type of validation are you doing?
Once you're done validating, how are you working with the request in the servet: via request.getParameter() calls?

Its availble in the servlet. Coz the Filter is only the intercepter between the client and the servlet. It passes the same request it gets to the servlet. Hope this answers your question.

Originally posted by Amit M Tank:
Its availble in the servlet. Coz the Filter is only the intercepter between the client and the servlet. It passes the same request it gets to the servlet. Hope this answers your question.

Not true.
You can read the input stream only once.
It doesn't matter if you do it from a filter or a servlet.

In the filter I perform authentication against the body using a signature found in the header. I pull the signature from the header and the payload from the body and then send these two pieces of data to my authenticator which makes sure that they line up. If so then I want to pass along the request as it first arrived to the filter so that the servlet can process the body accordingly.

If the body can't be read again by the servlet after it has already been read by the filter then I need to come up with a better approach -- perhaps by duplicating the body payload in the header, which would enable me to do the authentication using two header values and leaving the body unread. Unfortunately this approach would double the amount of payload data sent with each request, which seems like an inefficient way to go about it. Perhaps someone can suggest a better idea?

--James

What about if I create a HttpServletRequestWrapper and read the body from that? Is the original request unaffected, i.e. the body will be considered unread by the servlet which can then read the body without an IOException?

I'll give this a whirl and report back with my results.

--James

Originally posted by James Adams:
In the filter I perform authentication against the body using a signature found in the header. I pull the signature from the header and the payload from the body and then send these two pieces of data to my authenticator which makes sure that they line up. If so then I want to pass along the request as it first arrived to the filter so that the servlet can process the body accordingly.

If the body can't be read again by the servlet after it has already been read by the filter then I need to come up with a better approach -- perhaps by duplicating the body payload in the header, which would enable me to do the authentication using two header values and leaving the body unread. Unfortunately this approach would double the amount of payload data sent with each request, which seems like an inefficient way to go about it. Perhaps someone can suggest a better idea?

--James

What's in the body; regular post fields or something else?

My bad.

Originally posted by Amit M Tank:
Its availble in the servlet. Coz the Filter is only the intercepter between the client and the servlet. It passes the same request it gets to the servlet. Hope this answers your question.

Not true.
You can read the input stream only once.
It doesn't matter if you do it from a filter or a servlet.

Thanks Ben for correcting me.

The request body should contain XML. The servlet handles RESTful web service requests.

--James

You could have your filter save the xml as a string and bind it to request scope. From there your servlet could retrieve it with request.getAttribute("xmlString");

If you already have lots of servlets reading the input stream, you could wrap the request. In the wrapper create a property that holds the xmlString. Then you could override the getInputStream method with one that returns a stream which reads the xmlString instead of the actual servletInputStream. This would be a lot more work than the first option unless you've already got tons of servlets that already count on being able to read from the inputStream.

I need to be able to put this filter in place transparently, i.e. no code changes whatsoever to the existing services/servlets. There may be instances in which the services are deployed without the authentication filter in front of them, so we can't have a dependency on a filter modifying the requests, since it may or may not be there when the services are deployed.

--James

Originally posted by James Adams:
I need to be able to put this filter in place transparently, i.e. no code changes whatsoever to the existing services/servlets. There may be instances in which the services are deployed without the authentication filter in front of them, so we can't have a dependency on a filter modifying the requests, since it may or may not be there when the services are deployed.

--James

In that case you would want to look into the second suggestion that I made.
If you wrap the request and override the getServletInputStream, the existing servlets would have no idea that you've sent them a wrapper.

Thanks Ben, that's a good idea.

It looks like wrapping the request to do the first read of the payload/body works fine. The second time I read the request body I can get the payload data out with no IOException, so apparently by making a request wrapper you essentially get a duplicate request which leaves the original request alone.

In the authenticator used by my filter I read the request's payload like this:

private String getRequestBody (final HttpServletRequest request) throws AuthenticationException { HttpServletRequestWrapper requestWrapper = new HttpServletRequestWrapper(request); StringBuilder stringBuilder = new StringBuilder(); BufferedReader bufferedReader = null; try { InputStream inputStream = requestWrapper.getInputStream(); if (inputStream != null) { bufferedReader = new BufferedReader(new InputStreamReader(inputStream)); char[] charBuffer = new char[128]; int bytesRead = -1; while ((bytesRead = bufferedReader.read(charBuffer)) != -1) { stringBuilder.append(charBuffer, 0, bytesRead); } } } catch (IOException ex) { log.error("Error reading the request payload", ex); throw new AuthenticationException("Error reading the request payload", ex); } finally { if (bufferedReader != null) { try { bufferedReader.close(); } catch (IOException iox) { // ignore } } } return stringBuilder.toString(); }

In the JUnit test for the authenticator class I run the request through the authenticateRequest() method and then try reading the request's body a second time, and sure enough the payload is still there, no IOException, etc.

public void testPostBodyPayload () throws Exception { try { // use a POST method and set the payload into the request's body instead of the header request.setMethod("POST"); request.setContent(payload.getBytes()); // include the payload signature and client registration ID but not the payload in the request header request.addHeader(RequestAuthenticator.REQ_HEADER_KEY_PAYLOAD_SIGNATURE, payloadSignature); try { // exercise the method requestAuthenticator.authenticateRequest(request); } catch (Exception ex) { fail("Expected authentication failed: " + ex.toString()); } try { // now try reading the request's input stream -- we expect it to be there StringBuilder stringBuilder = new StringBuilder(); InputStream inputStream = request.getInputStream(); BufferedReader bufferedReader = null; if (inputStream != null) { bufferedReader = new BufferedReader(new InputStreamReader(inputStream)); char[] charBuffer = new char[128]; int bytesRead = -1; while ((bytesRead = bufferedReader.read(charBuffer)) > 0) { stringBuilder.append(charBuffer, 0, bytesRead); } } // make sure we read what we expected assertEquals("The body read from the request doesn't match", stringBuilder.toString(), payload); } catch (Exception ex) { fail("The second read of the request body failed: " + ex.toString()); } } catch (Exception ex) { fail("Unexpected exception: " + ex.toString()); } }

My JUnit test uses a MockHttpServletRequest from the Spring framework so perhaps that's somehow helping me out -- hopefully not and this will work the same way with real HttpServletRequests. I'll soon find out once I do a more realistic test using actual web service requests.

--James

My JUnit test uses a MockHttpServletRequest from the Spring framework so perhaps that's somehow helping me out

I suspect it might.

A wrapper is nothing more than a class with the same methods.
Each method simply calls the method of the object that you're wrapping.

private HttpServletRequest wrappedRequest; public String getParameter(String name){ [B]return wrappedRequest.getName(name);[/B] }

In your case, you would want to override the getServletInputStream method with your own. In your method, instead of returning the original inputStream (which would throw an IOException), you would return your own inputStream (you'll have to subclass servletInputStream). This stream would do nothing more than read the stored xmlString that you got from the original input stream when it was read in the filter.

This way, you're only reading the real inputStream once.
You then store it a property of the wrapper class as a string.
You pass the wrapper to the chain.doFilter method instead of the original request.
Then, your servlet will have a the wrapper.
When it calls the getServletInputStream method, it will read it just as if it were the original (it won't know the difference) but will be reading the stored xmlString instead of the original servletInputStream.

Thanks again Ben. Your solution is indeed the way to go about it.

Below is the code used to wrap the request:
/** * Class which is used to wrap a request in order that the wrapped request's input stream can be * read once and later be read again in a pseudo fashion by virtue of keeping the original payload * as a string which is actually what is returned by subsequent calls to getInputStream(). */ public class AuthenticationRequestWrapper extends HttpServletRequestWrapper { private static Logger log = Logger.getLogger(AuthenticationRequestWrapper.class.getName()); private final String xmlPayload; public AuthenticationRequestWrapper (HttpServletRequest request) throws AuthenticationException { super(request); // read the original payload into the xmlPayload variable StringBuilder stringBuilder = new StringBuilder(); BufferedReader bufferedReader = null; try { // read the payload into the StringBuilder InputStream inputStream = request.getInputStream(); if (inputStream != null) { bufferedReader = new BufferedReader(new InputStreamReader(inputStream)); char[] charBuffer = new char[128]; int bytesRead = -1; while ((bytesRead = bufferedReader.read(charBuffer)) > 0) { stringBuilder.append(charBuffer, 0, bytesRead); } } else { // make an empty string since there is no payload stringBuilder.append(""); } } catch (IOException ex) { log.error("Error reading the request payload", ex); throw new AuthenticationException("Error reading the request payload", ex); } finally { if (bufferedReader != null) { try { bufferedReader.close(); } catch (IOException iox) { // ignore } } } xmlPayload = stringBuilder.toString(); } /** * Override of the getInputStream() method which returns an InputStream that reads from the * stored XML payload string instead of from the request's actual InputStream. */ @Override public ServletInputStream getInputStream () throws IOException { final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(xmlPayload.getBytes()); ServletInputStream inputStream = new ServletInputStream() { public int read () throws IOException { return byteArrayInputStream.read(); } }; return inputStream; } }

And here's how it's being used in the filter:

public void doFilter (ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { // perform request filtering HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest; AuthenticationRequestWrapper authenticationRequestWrapper; try { authenticationRequestWrapper = new AuthenticationRequestWrapper(httpServletRequest); } catch (AuthenticationException ex) { log.warn("Unable to wrap the request", ex); throw new ServletException("Unable to wrap the request", ex); } try { requestAuthenticator.authenticateRequest(authenticationRequestWrapper); } catch (Exception ex) { log.warn("Invalid request", ex); throw new ServletException("Invalid request", ex); } // continue the filter chain filterChain.doFilter(authenticationRequestWrapper, servletResponse); // perform response filtering }

Nice job!
Thanks for posting back with your solution.