
Making Changes In HttpServletRequest

 
Steve Watson
Ranch Hand
Posts: 38
I am charged with fixing security on a large, but not well structured web application. I would like to sanitize all input in the HttpServletRequest before passing it on to the business logic processing. Specifically I want to look at parameters, headers, cookies, and query strings and convert any dangerous characters to HTML equivalents, e.g. | to |.
My question is - how can I make these changes in the HttpServletRequest - there is no setParameters() method?
I realize a cleaner way to do this would be to extract these values and pass them on to business logic classes that need not have any awareness of the HttpServletRequest - but that would be a massive recoding effort that the client will not pay for.
Ideas?
 
Craig Jackson
Ranch Hand
Posts: 405
It sounds like you may want to do some research on the java.servlet.Filter(filtering) as well as the HttpServletRequestWrapper class. Based on your description above, that sounds like the direction you are heading.
Craig.
 
Steve Watson
Ranch Hand
Posts: 38
Sounds like good advice and will investigate. Unfortunately on this project I am stuck in the stone age with JServe which predates these helpful classes.
I may just have to make the sanitizer a servlet itself and then set everything in the HttpResponse and redirect to the appropriate servlet. Seems like overkill.