Info on Servlet Filters

 
chandra kambham
Ranch Hand
Posts: 74
Hi,

I have a WebServer with Servlet version 2.2. Can I use Filters in my WebServer?
After some initial searching I found that Filters are supported from Servlet version 2.3 onwards...

Could you please let me know if there is any possibility to use Filters with Servlet version 2.2?

Many thanks,
K.Chandra Sekhar
 
Shailesh Narkhede
Ranch Hand
Posts: 368
As the Servlet 2.2 specification does not mention filters, we cannot use filters with Servlet 2.2.
Could you please let me know if there is any possibility to use Filters With Servlet 2.2 version.

What do you want to do with the help of a filter?

 
chandra kambham
Ranch Hand
Posts: 74
Hi Shailesh,

Recently our web app underwent some security scans, which found cross-site scripting vulnerabilities.
The security team has suggested using a framework which has been developed using Filters.
So I want to use Filters to avoid the problems with cross-site scripting.

Please let me know if there is a way to implement the filter functionality even with Servlet version 2.2.

Many thanks,
K.Chandra
 
Ulf Dittmer
Rancher
Posts: 42967
73
If it's security you're concerned about, then I'd say it would probably be a good thing to upgrade the server to a newer version (which would also support a newer Servlet API version). If the server only supports Servlet API 2.2, then it's probably at least 7 years old, and likely hasn't seen security updates in a good long time.
 
chandra kambham
Ranch Hand
Posts: 74
Hi Ulf Dittmer,

Thank you very much for your reply.

The servers are pretty old, but the application has been running on them for the past 8 years and the server team doesn't have any plans to upgrade the servers in the near future, but they still want us to work on these security vulnerabilities.
Can you please advise me on an approach to achieve this?
 
Ulf Dittmer
Rancher
Posts: 42967
73
You don't *need* filters for this; you can sanitize all user inputs at the point where you get them using "getParameter".
 
chandra kambham
Ranch Hand
Posts: 74
Hi Ulf,

As you said, I don't need a filter to do this, but there are around 80 JSPs and 40 Servlets in our application and I need to modify all these files to perform the sanitization.
If there is a centralized way of performing the sanitization for all the requests then I don't need to change all the files...
By using filters I can achieve a centralized way of performing the sanitization.

Is there any better approach than modifying each and every file?
 
Ulf Dittmer
Rancher
Posts: 42967
73
One solution would be to have a utility method that does the sanitizing. Then you can do a search/replace of "request.getParameter(XYZ)" with "Utils.sanitize(request.getParameter(XYZ))" (assuming that the data sanitization needs are the same for all parameters, of course). You'd need to make sure that the method is thread-safe, of course.
 
chandra kambham
Ranch Hand
Posts: 74
Hi Ulf,

I have implemented utility code that verifies all the request parameters, and if there are any possibilities of XSS then I am redirecting the request to an error page.
For this I have implemented a separate JSP and I am just including this JSP in all the existing JSPs so that the request parameters get verified.

 