Posted to dev@tomcat.apache.org by bu...@apache.org on 2008/05/23 00:26:51 UTC

DO NOT REPLY [Bug 45065] New: RequestDispatcher restricts access to ApplicationHttpRequest

https://issues.apache.org/bugzilla/show_bug.cgi?id=45065

           Summary: RequestDispatcher restricts access to
                    ApplicationHttpRequest
           Product: Tomcat 6
           Version: unspecified
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: tech@jotobjects.com


This exception is generated when a servlet calls Method.invoke() on the
ServletRequest object when the servlet is run with RequestDispatcher.forward

java.lang.IllegalAccessException: Class
com.jotobjects.demo.formexample.FormExampleShowBean can not access a member of
class org.apache.catalina.core.ApplicationHttpRequest with modifiers "public"
        at sun.reflect.Reflection.ensureMemberAccess(Reflection.java:65)
        at java.lang.reflect.Method.invoke(Method.java:578)

When the servlet is run normally with an HTTP request the Request class
is org.apache.catalina.connector.RequestFacade and the method can be invoked
with reflection.  But when the method is run with RequestDispatcher the
Request class is org.apache.catalina.core.ApplicationHttpRequest and
IllegalAccessException is raised.

Here is the code that causes the error -

java.lang.reflect.Method m =
      request.getClass().getDeclaredMethod("getPathInfo",null);
Object value = m.invoke(getRequest(),null);

Have tried starting with a SecurityManager with AllPermissions
but this does not change the outcome.

Same problem in Tomcat 5 and Tomcat 4.

The same code works in Tomcat 3 and with Jetty


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 45065] RequestDispatcher restricts access to ApplicationHttpRequest

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45065





--- Comment #8 from Paul Copeland <te...@jotobjects.com>  2008-05-27 14:45:58 PST ---
You are right. I got it. I need to know the class or interface I am invoking on
and not simply the class of the implementing object. Thanks.




DO NOT REPLY [Bug 45065] RequestDispatcher restricts access to ApplicationHttpRequest

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45065


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




--- Comment #1 from Mark Thomas <ma...@apache.org>  2008-05-26 09:16:17 PST ---
This is by design and is controlled by the catalina.properties file in
%CATALINA_HOME/conf

You'd need to do something like the following:
HttpServletRequest.class.getDeclaredMethod("getPathInfo", null);




DO NOT REPLY [Bug 45065] RequestDispatcher restricts access to ApplicationHttpRequest

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45065





--- Comment #4 from Paul Copeland <te...@jotobjects.com>  2008-05-27 11:42:25 PST ---
(In reply to comment #3)
The point of the question about forwarding to another context is that the class
loader used to load the forwarded request wrapper may not allow access even
though it was forwarded to the same context in this case.

BTW - one way to keep the open bug list down is to quickly declare obscure
problems as invalid. Or that might be a way to lose track of actual issues. :)

Perhaps this one should remain open with a lowered priority. The bug requires
the combination of forwarding and reflection.




DO NOT REPLY [Bug 45065] RequestDispatcher restricts access to ApplicationHttpRequest

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45065





--- Comment #7 from Mark Thomas <ma...@apache.org>  2008-05-27 14:03:37 PST ---
It is the class that is non-public. There is, simply, no bug here.




DO NOT REPLY [Bug 45065] RequestDispatcher restricts access to ApplicationHttpRequest

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45065





--- Comment #6 from Paul Copeland <te...@jotobjects.com>  2008-05-27 14:00:41 PST ---
(In reply to comment #5)
Um, well, it is getting interesting.

Are you saying the Request interface is implemented with a non-public method? 
Are you sure that is possible? !!!!  Things are getting really interesting :)

Also in my application this method is discovered with
java.beans.BeanInfo.getMethodDescriptors() which only returns externally
visible methods.

Seems like we do not quite have a simple answer to this "invalid" bug yet.




DO NOT REPLY [Bug 45065] RequestDispatcher restricts access to ApplicationHttpRequest

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45065





--- Comment #2 from Mark Thomas <ma...@apache.org>  2008-05-27 00:11:25 PST ---
I have done some more digging and there is something odd going on here. The
exception does not require a SecurityManager and does not depend on the
settings in catalina.properties

I don't fully understand what is going on but the suggested work-around does
fix the issue.

We had an issue a bit similar with Geronimo a while back and the solution there
was also to use the spec class. Generally, if you are using reflection, using
the class specified in the interface rather than the actual implementation
class should enable you to avoid these issues.




DO NOT REPLY [Bug 45065] RequestDispatcher restricts access to ApplicationHttpRequest

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45065


Paul Copeland <te...@jotobjects.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tech@jotobjects.com




--- Comment #3 from Paul Copeland <te...@jotobjects.com>  2008-05-27 11:10:26 PST ---
I found a workaround that does not use reflection in this part of the
application.

The suggested solution requires that you already know the class implements the
HttpServletRequest interface, in which case there is no point in using
reflection to invoke the method. The example code was just to demonstrate the
problem with the simplest case - the problem occurred in a generic reflection
routine. Theoretically you might be able to check all the interfaces
implemented and find one that allows you to invoke the target method. In
practice that might be a performance issue.

Just some guesses - Is the wrapper attempting to handle the case of forwarding
to another context which is optionally allowed if the container supports it? 
Hopefully this problem does not occur in filter chains but I have not tried
that.




DO NOT REPLY [Bug 45065] RequestDispatcher restricts access to ApplicationHttpRequest

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45065





--- Comment #5 from Mark Thomas <ma...@apache.org>  2008-05-27 13:09:59 PST ---
It's amazing what a night's sleep does for you. The explanation is simple and
obvious - I should have seen it earlier.

o.a.c.connector.RequestFacade is public
o.a.c.core.ApplicationHttpRequest is not (ie package private)

There is no guarantee in the spec that the classes implementing any of the spec
classes, such as HttpServletRequest, will be public and therefore accessible
for the sort of manipulation via reflection that you are trying to do.

As I indicated earlier, to be sure of not seeing the error, you'll need to use
the appropriate spec class.

I appreciate that this makes generic reflection difficult. The users list is
usually pretty good at coming up with ways around issues like this. I suggest
you post a summary of what you are trying to achieve there and see what ideas
emerge.


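Added example, not part of the original thread or of Tomcat's code: a generic lookup that walks the superclasses and interfaces of the runtime class until it finds the method declared on a public type, which is the interface check comment #3 describes and the "use the spec class" advice from comment #5, with a cache to address the performance concern. The names AccessibleMethodLookup and findAccessible are hypothetical, and a JDK unmodifiable list (a non-public class implementing the public java.util.List) stands in for ApplicationHttpRequest so the example runs without a servlet container.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class AccessibleMethodLookup {
    // Cache of "implementation class#method" -> accessible Method, so the hierarchy
    // walk happens once per class (zero-argument methods only, for brevity).
    private static final Map<String, Method> CACHE = new ConcurrentHashMap<>();

    /** Finds a public no-arg method declared on a public supertype of impl. */
    static Method findAccessible(Class<?> impl, String name) throws NoSuchMethodException {
        String key = impl.getName() + '#' + name;
        Method cached = CACHE.get(key);
        if (cached != null) return cached;
        Deque<Class<?>> todo = new ArrayDeque<>();
        Set<Class<?>> seen = new HashSet<>();
        todo.add(impl);
        while (!todo.isEmpty()) {
            Class<?> c = todo.poll();
            if (!seen.add(c)) continue;                    // interfaces can repeat
            if (Modifier.isPublic(c.getModifiers())) {     // skip non-public types
                try {
                    Method m = c.getDeclaredMethod(name);
                    if (Modifier.isPublic(m.getModifiers())) { CACHE.put(key, m); return m; }
                } catch (NoSuchMethodException ignored) { /* not declared here */ }
            }
            if (c.getSuperclass() != null) todo.add(c.getSuperclass());
            todo.addAll(Arrays.asList(c.getInterfaces()));
        }
        throw new NoSuchMethodException(name + " is not declared on a public type of " + impl.getName());
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in: like ApplicationHttpRequest, this wrapper is a
        // non-public class whose public methods come from a public interface.
        Object target = Collections.unmodifiableList(new ArrayList<>(Arrays.asList("a", "b")));
        try {
            // Pattern from the report: resolve the method via the runtime class.
            target.getClass().getMethod("size").invoke(target);
            System.out.println("direct lookup: ok");
        } catch (IllegalAccessException e) {
            System.out.println("direct lookup: " + e.getMessage());
        }
        Method m = findAccessible(target.getClass(), "size");
        System.out.println(m.getDeclaringClass().getName() + " -> " + m.invoke(target));
    }
}
```

Calling setAccessible(true) on the implementation method would also suppress the check, but it depends on the container's internals and is refused under a restrictive SecurityManager or module configuration; resolving against the public interface needs no extra privilege.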