You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2004/03/15 19:03:22 UTC

DO NOT REPLY [Bug 27676] New: - HttpRequestBase doesn't reparse query string after call to setQueryString()

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=27676>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=27676

HttpRequestBase doesn't reparse query string after call to setQueryString()

           Summary: HttpRequestBase doesn't reparse query string after call
                    to setQueryString()
           Product: Tomcat 4
           Version: 4.1.18
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: justinp@motive.com


I ran into this bug on Tomcat 4.1.18, but from inspecting the code it looks 
like it's still in the most recent release.

I subclassed FormAuthenticator to provide single sign-on type functionality 
for my webapp.  My authenticator's authenticate() looks for an authToken in a 
request parameter and, if it's not there, defers to the superclass 
implementation (FormAuthentication).

My call to request.getParameter() triggers code in 
HttpRequestBase.parseParameters() which sets the 'parsed' flag in the request 
object to true.

Later, in the implementation of FormAuthenticator.authenticate(), 
FormAuthenticator.restoreRequest() is called to restore the original request 
after successful login.  In that method, the parameters get blown away and the 
queryString is reset, but the parsed flag is not cleared.  So, every 
subsequent call to request.getParameter() returns null.  It doesn't know that 
it needs to reparse the queryString.

I'm not sure if this is a semantic problem in FormAuthenticator or in 
HttpRequestBase.  I would imagine that it's the former, since it looks an 
HttpRequestBase is not really intended to be reused.  Maybe FormAuthenticator 
should recycle the request object prior to restoring it.  Either way, the 
state of the request becomes inconsistent.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org