Replacing Request Parameter Values

 
Timothy Sam
Ranch Hand
Posts: 751
Hi, I was making a wrapper class for my filter class. This class trims and strips off all the "<" and ">" characters. Before I continue, here's my wrapper and filter classes.




and Here's the Servlet filter



As you can see above, I need to alter the request parameters with the results of getParameterValues(String) from the RequestWrapper class. I was told the getParameterValues(String) method would automatically be invoked when chain.doFilter() is called, but it seems untrue. Is there any way I can alter the request parameter values received by the servlet? Making a request attribute doesn't seem to be the best solution. Thanks!
 
Darren Edwards
Ranch Hand
Posts: 69
Creating a wrapper around the request is the correct way to go, now you just need to override

to return your trimmed and < > removed parameters.

You can never replace the original request parameters, you just use a wrapper class to pass back different parameter values.
 
Sheriff
Posts: 14691
As you may have noticed, there is no setParameter() method.
You'll have to figure out another way, like using attributes instead.
 
Timothy Sam
Ranch Hand
Posts: 751
Darren, Satou thank you very much.


Satou

I am using Struts, creating a request attribute would create so much work for me and would therefore render this feature(of setting of bean properties automatically) useless. There must be another way...

Darren



I already did this, here...




I still can't trim or replace the characters I need to filter. Thank you very much for your answers they were very helpful.
 
Ben Souther
Sheriff
Posts: 13411
The getParameterValues method isn't automatically going to be invoked in the filter, but it doesn't need to be. Since you're passing your wrapper to the doChain method, any servlets or JSPs that receive that requestWrapper will use its getParameterValues instead of the one in the original request.

What problems are you having?
 
Timothy Sam
Ranch Hand
Posts: 751
Ben, the problem is that the getParameterValues() method is not invoked in my ActionServlet at all... In my Action servlet, the execute method still has the HttpServletRequest as the argument for request. Is that ok? If that's ok, I'm not using the HttpServletRequest implicitly in my execute method since this is automatically done for me by struts. So what I do is...


ApplicantFormBean applicant = (ApplicantFormBean)form;

in the background, this is setting values for the bean, maybe something like this:

applicant.getName().setFirstName( request.getParameter("firstName") );

so, after struts did all the dirty work, I could use the bean method like this...

applicant.getName().getFirstName();

The latter should get the firstName parameter (the trimmed one), however, it doesn't... What do you think is the problem? Thanks a lot, I hope I could hear more answers.
[ July 26, 2006: Message edited by: Timothy Sam ]
 
Darren Edwards
Ranch Hand
Posts: 69
By using debug statements in your filter have you established if it is being called? (simple System.out.println(..) statements will write to /logs/catalina.out in tomcat).

I'm not familiar with struts configuration, but it seems as though your filter is not being used.

As an aside - if you are using this to clean invalid data from request parameters it is not a good solution. What happens if some user data actually requires the user to enter trailing whitespace or < > characters? You should be able to set up validation (within struts) on your user data to make sure it does not contain invalid characters. Also make sure you escape user data when displaying it back to the user; use of <c:out value="blah" /> will automatically escape html entities.
 
Timothy Sam
Ranch Hand
Posts: 751
Darren Edwards wrote: use of <c:out value="blah" /> will automatically escape html entities.

Now that seems to be a better solution!


Well, I'm quite certain though that only the single servlet(.do) I mapped will be needing the filter.

I don't know yet if this problem is already solved or not... Got to try again later. Thanks!
 
Ben Souther
Sheriff
Posts: 13411

Originally posted by Timothy Sam:
Ben, the problem is that the getParameterValues() method is not invoked in my ActionServlet at all... In my Action servlet, the execute method still has the HttpServletRequest as the argument for request. Is that ok? If that's ok, I'm not using the HttpServletRequest implicitly in my execute method since this is automatically done for me by struts. So what I do is...



The filter, if invoked, should take care of that because it intercepts the request and replaces the servletRequest object with the wrapper object that you've created. When the struts class gets hold of it, IT will call the getParameterValues method.

You may also want to override getParameter to add some debug statements; just to make sure that Struts isn't using it instead of getParameterValues.
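A wrapper that serves the same cleaned values from every parameter accessor, so it makes no difference whether Struts calls getParameter, getParameterValues or getParameterMap (an added example illustrating Ben's point, not code from the thread; the filter and wrapper class names are made up, and the trim-and-strip rule is the one from the opening post):

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
// Hypothetical filter: wraps each request so the action servlet only ever sees sanitised parameters.
public class SanitizingFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new SanitizingRequestWrapper((HttpServletRequest) req);
        }
        chain.doFilter(req, res); // whatever runs next receives the wrapper, not the raw request
    }
    // Every accessor reads one cleaned map, so they cannot disagree whichever one the framework calls.
    static class SanitizingRequestWrapper extends HttpServletRequestWrapper {
        private final Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();

        @SuppressWarnings("unchecked") // getParameterMap() is a raw Map on Servlet 2.x APIs
        SanitizingRequestWrapper(HttpServletRequest request) {
            super(request);
            Map<String, String[]> original = request.getParameterMap();
            for (Map.Entry<String, String[]> e : original.entrySet()) {
                String[] raw = e.getValue(), out = new String[raw.length];
                for (int i = 0; i < raw.length; i++) out[i] = sanitize(raw[i]);
                cleaned.put(e.getKey(), out);
            }
        }
        // The thread's rule: trim, then drop '<' and '>' (legitimate angle brackets are lost as well).
        static String sanitize(String s) {
            return s == null ? null : s.trim().replace("<", "").replace(">", "");
        }
        @Override public String getParameter(String name) {
            String[] v = cleaned.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }
        @Override public String[] getParameterValues(String name) {
            String[] v = cleaned.get(name);
            return v == null ? null : v.clone();
        }
        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(cleaned); }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(cleaned.keySet()); }
    }
}
```

Only parameters the container itself parses (query string and application/x-www-form-urlencoded bodies) flow through this map, so a multipart upload handled by a separate library bypasses it; map the filter to the same URL pattern as the action servlet in web.xml.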
 
tibi stibi
Greenhorn
Posts: 7
I wonder if this ever worked.

I myself am trying such a thing. I want to escape user input with an overwritten request.getParam*

 
Sheriff
Posts: 67746
For what reason?
 
tibi stibi
Greenhorn
Posts: 7
I have a CMS system where users can add information which will be stored in the database.
This information will be used in email marketing campaigns.

To be sure there is no security risk I want to encode all user input. If I can do it with a request wrapper I'm sure all input from all forms will be encoded.

To do that I have added a filter like this:

// doFilterInternal is the per-request hook of a filter base class (the signature matches Spring's OncePerRequestFilter)
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // wrap the original request; everything further down the chain receives the wrapper
    EncodingRequestWrapper wrapper = new EncodingRequestWrapper(request);
    chain.doFilter(wrapper, response);
}

which adds my encoding request wrapper around the request.

But when struts creates my objects in the action or when I call getRequest() my wrapper is not used.

 
Paul Clapham
Marshal
Posts: 28193

tibi stibi wrote: to be sure there is no security risk I want to encode all user input.



Let me just clarify this statement a bit. If I understand it right, you want something like this:

1. The user types some input into the form fields in your HTML.

2. That input passes through the internet and finally arrives in your application.

3. Your application then tries to encode that input to remove all security risk.

4. Your application uses the encoded input.

Have I got that right? I'm asking because it looks peculiar -- the security risks are all going to take place in step 2 and there shouldn't be any security risks in step 4. Of course using SSL reduces the risks involved in step 2 -- but hopefully you're doing that already.
 
tibi stibi
Greenhorn
Posts: 7
It is like this:

1. The user types some input into the form fields in your HTML.

2. That input passes through the internet and finally arrives in your application.

3. Your application then tries to encode that input to remove all security risk.

4. The encoded input (text, URLs) is stored in the database.

5. An email is constructed with the stored text and URLs in it and sent out to the customers.

6. There is an online version of the same email.

Steps 5 and 6 are done by an email program over which I have no control.
 
Paul Clapham
Marshal
Posts: 28193

tibi stibi wrote: 4. The encoded input (text, URLs) is stored in the database.

5. An email is constructed with the stored text and URLs in it and sent out to the customers.

6. There is an online version of the same email.

Steps 5 and 6 are done by an email program over which I have no control.



Okay. So step 4 is under your control -- so I missed why you have to override the getParameter() method of the request to do that, rather than the more straightforward idea of just calling getParameter() and encoding the result.
 
tibi stibi
Greenhorn
Posts: 7
I can let struts make the objects and then add a method encode to encode all the strings. But what happens in a year when someone adds a field and forgets to add the encoding?
So I think it's most solid to make a request wrapper so all fields will by default be encoded. If for some reason encoding is not needed or possible then it could be added to an exclude list.
 