Posted to users@tomcat.apache.org by Bob Riaz <br...@mum.edu> on 2007/12/05 21:22:09 UTC

Request parameters incorrect

Hello all,

We're using the following:

Java 5.0
Tomcat 6.0
SQL Server 2000

Our webapp does the following:
Get the request parameters from the request object from a page, concatenate
them into a string, store the string in the db. When we retrieve the string
from the db, we know what parameters to expect to find because we know the
page they came from. This works. In one instance, however, we found
parameters in this string that belonged to a different webapp running on our
server. Would anyone be able to shed any light on this? The parameters we
find in this string come from 3 different pages! We're baffled!!

Many thanks!

Bob



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Request parameters incorrect

Posted by Len Popp <le...@gmail.com>.
If this is a recurring problem, you can try logging the requests at
some other points and compare the logs to see where the parameters are
getting mixed up. The problem may be caused by a proxy between the
client and server, for example.
1. If the params are sent via GET requests, Tomcat's AccessLogValve
will log them before they reach your webapp.
2. Wireshark or similar can show you the requests coming into the server.
3. Log the requests sent by the client, using a browser plug-in or
Wireshark. (This is hard to do unless you can reproduce the problem
easily.)
-- 
Len


On Dec 5, 2007 4:02 PM, Bob Riaz <br...@mum.edu> wrote:
> Thanks, Chuck.
> We had considered concurrency as an issue. The string in question is entered
> into a logging table - every request gets logged, and the log entry includes
> a timestamp. So we know there was no other request in process concurrently.
> Also, we're not using a Session object to store request-specific data - we
> use hidden fields to identify users, and pass the hidden fields from page to
> page. (We have our reasons for doing it this way!!)
> From the doPost(...) we simply pass the request object to a method that
> does:
>
> Enumeration e = request.getParameterNames();
> while(e.hasMoreElements()){
>         String name = (String)e.nextElement();
>         strngBldr.append(request.getParameter(name));
> }
> log(strngBldr); //enters the string into the db along with a timestamp
>
> So we're keeping things as simple as possible.
>
> Also, examining this particular string we find that it contains parameter
> name/values from a request that was logged hours before this one.
> Your thoughts would be deeply appreciated.
>
> Thanks!
> Bob
>
>
> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Sent: Wednesday, December 05, 2007 2:27 PM
> To: Tomcat Users List
> Subject: RE: Request parameters incorrect
>
>
> > From: Bob Riaz [mailto:briaz@mum.edu]
> > Subject: Request parameters incorrect
> >
> > The parameters we find in this string come from 3
> > different pages! We're baffled!!
>
> This is pretty much always a problem with incorrect scoping or
> synchronization in the webapp.  For example, code processing a Request
> stores request-specific data into the Session or Servlet object, then
> comes back later to find that a different concurrent request has
> overwritten it.  Or, two request processing threads are accessing a
> Session field via some method that isn't synchronized appropriately.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.


RE: Request parameters incorrect

Posted by Bob Riaz <br...@mum.edu>.
Thanks, Chuck.
We had considered concurrency as an issue. The string in question is entered
into a logging table - every request gets logged, and the log entry includes
a timestamp. So we know there was no other request in process concurrently.
Also, we're not using a Session object to store request-specific data - we
use hidden fields to identify users, and pass the hidden fields from page to
page. (We have our reasons for doing it this way!!)
From the doPost(...) we simply pass the request object to a method that
does:

Enumeration e = request.getParameterNames();
while(e.hasMoreElements()){
	String name = (String)e.nextElement();
	strngBldr.append(request.getParameter(name));
}
log(strngBldr); //enters the string into the db along with a timestamp

So we're keeping things as simple as possible.

Also, examining this particular string we find that it contains parameter
name/values from a request that was logged hours before this one.
Your thoughts would be deeply appreciated.

Thanks!
Bob

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: Wednesday, December 05, 2007 2:27 PM
To: Tomcat Users List
Subject: RE: Request parameters incorrect


> From: Bob Riaz [mailto:briaz@mum.edu]
> Subject: Request parameters incorrect
>
> The parameters we find in this string come from 3
> different pages! We're baffled!!

This is pretty much always a problem with incorrect scoping or
synchronization in the webapp.  For example, code processing a Request
stores request-specific data into the Session or Servlet object, then
comes back later to find that a different concurrent request has
overwritten it.  Or, two request processing threads are accessing a
Session field via some method that isn't synchronized appropriately.

 - Chuck




RE: Request parameters incorrect

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Bob Riaz [mailto:briaz@mum.edu] 
> Subject: Request parameters incorrect
> 
> The parameters we find in this string come from 3 
> different pages! We're baffled!!

This is pretty much always a problem with incorrect scoping or
synchronization in the webapp.  For example, code processing a Request
stores request-specific data into the Session or Servlet object, then
comes back later to find that a different concurrent request has
overwritten it.  Or, two request processing threads are accessing a
Session field via some method that isn't synchronized appropriately.

 - Chuck


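
The scoping problem described in the reply above, as an added example that is not code from the thread or from Tomcat. It assumes the builder is an instance field (the posted snippet does not show where strngBldr is declared); the class names are hypothetical and a Map stands in for HttpServletRequest so it runs without the servlet API.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; not code from the thread.
public class ScopingDemo {

    // A servlet container creates one servlet instance and calls it from
    // every request thread, so a field like this is shared by all requests.
    // ASSUMPTION: the post does not show where strngBldr is declared.
    static class LeakyLogger {
        private final StringBuilder strngBldr = new StringBuilder();

        String logLine(Map<String, String> params) {
            for (String name : params.keySet()) {
                strngBldr.append(name).append('=').append(params.get(name)).append(';');
            }
            return strngBldr.toString();   // builder is never reset
        }
    }

    // Request-scoped state kept in a local variable: one builder per call.
    static class ScopedLogger {
        String logLine(Map<String, String> params) {
            StringBuilder sb = new StringBuilder();
            for (Map.Entry<String, String> p : params.entrySet()) {
                sb.append(p.getKey()).append('=').append(p.getValue()).append(';');
            }
            return sb.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests from two users, not concurrent.
        Map<String, String> first = new LinkedHashMap<>();
        first.put("userId", "alice");
        first.put("page", "enrol");
        Map<String, String> second = new LinkedHashMap<>();
        second.put("userId", "bob");
        second.put("page", "grades");

        LeakyLogger leaky = new LeakyLogger();
        leaky.logLine(first);
        // Second call on the same instance: earlier request's data is still there.
        System.out.println("field: " + leaky.logLine(second));

        ScopedLogger scoped = new ScopedLogger();
        scoped.logLine(first);
        System.out.println("local: " + scoped.logLine(second));
    }
}
```

With a shared field the carry-over needs no concurrency at all, and one user's parameters end up stored under another user's log entry.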


Re: Request parameters incorrect

Posted by Konstantin Kolinko <kn...@gmail.com>.
> Get the request parameters from the request object from a page, concatenate
> them into a string, store the string in the db.

Do you url-encode the names and the values before concatenating them
into the string?

If not, there might be '&', '=' symbols in the value string that break
your parsing.

Are you displaying the concatenated string somewhere on your pages?

Can it be resubmitted from some hidden form field? Can it be
resubmitted as part of the action url of a form (<form
action="...?name=value">)? Can it be resubmitted if going back/forward
within the browser?

Is this problem reproducible for you? Or did it just happen once?


> we found parameters in this string that belonged to a different webapp running on our
> server.

Is there any chance that somebody was typing ?name=value&... in the
location bar of the browser, as a joke, as a test, or in an attempt
to break down your app?

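
The encoding question raised in the reply above, as an added example that is not code from the thread. The name=value&... storage format and the class and method names are assumptions, since the post does not show how the stored string is parsed; it uses the URLEncoder/URLDecoder overloads that take a Charset (Java 10 or later).

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; not code from the thread.
public class ParamLogCodec {

    // Join pairs as name=value&name=value, optionally URL-encoding each part.
    static String join(Map<String, String> params, boolean encode) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> p : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(encode ? enc(p.getKey()) : p.getKey())
              .append('=')
              .append(encode ? enc(p.getValue()) : p.getValue());
        }
        return sb.toString();
    }

    // Split on the delimiters, then decode each name and value.
    static Map<String, String> parse(String stored) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : stored.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;                 // skip a malformed piece
            out.put(dec(pair.substring(0, eq)), dec(pair.substring(eq + 1)));
        }
        return out;
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        // Constructed request: one value contains the delimiters themselves.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("userId", "bob");
        params.put("comment", "see notes&course=CS101");

        // Unencoded, the stored string parses back with an extra parameter.
        System.out.println("raw:     " + parse(join(params, false)).keySet());
        // Encoded, the original two names round-trip unchanged.
        System.out.println("encoded: " + parse(join(params, true)).keySet());
    }
}
```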