I am charged with fixing security on a large, but not well structured web application. I would like to sanitize all input in the HttpServletRequest before passing it on to the business logic processing. Specifically I want to look at parameters, headers, cookies, and query strings and convert any dangerous characters to HTML equivalents, e.g. | to | . My question is - how can I make these changes in the HttpServletRequest - there is no setParameters() method? I realize a cleaner way to do this would be to extract these values and pass them on to business logic classes that need not have any awareness of the HttpServletRequest - but that would be a massive recoding effort that the client will not pay for. Ideas?
It sounds like you may want to do some research on the java.servlet.Filter(filtering) as well as the HttpServletRequestWrapper class. Based on your description above, that sounds like the direction you are heading. Craig.
Sounds like good advice and will investigate. Unfortunately on this project I am stuck in the stone age with JServe which predates these helpful classes. I may just have to make the sanitizer a servlet itself and then set everything in the HttpResponse and redirect to the appropriate servlet. Seems like overkill.