[OWASP-ESAPI] SafeHTTPFilter Does Not Work with Weblogic 8.1

Lei Chen lei.chen.2004 at gmail.com
Tue Mar 24 17:55:03 EDT 2009


Hi Jeff and Team,

You guys have done an excellent job developing this project!! It's something
that I have been looking for for the past three years.

I'm currently trying to get SafeHTTPFilter working with my application
running within Weblogic, but I keep getting ClassCastException:


Error 500--Internal Server Error

java.lang.ClassCastException
    at weblogic.servlet.internal.WebAppServletContext.getOriginalRequest(WebAppServletContext.java:6722)
    at weblogic.servlet.JSPServlet.service(JSPServlet.java:100)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1077)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:465)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:28)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
   * at org.owasp.esapi.filters.SafeHTTPFilter.doFilter(Unknown Source)*
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:7053)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3902)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2773)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)

My guess is somewhere down the filter chain, Weblogic tries to cast the
SafeRequest created by SafeHTTPFilter back to its own impl type. Of course!
Is there a reason why SafeRequest / SafeResponse is not extending
HttpServletRequestWrapper / HttpServletResponseWrapper? I did a quick
experiment: if I create my own wrappers extending the two Wrapper APIs within
my own filter and pass them down the filter chain, WL wouldn't complain.


Thanks,
Lei
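
The failure mode guessed at in the message above, as an added example that is not part of the original post and is not ESAPI or WebLogic code. All types are hypothetical stand-ins for the servlet API so the file runs on its own, and the unwrap-then-downcast loop in getOriginalRequest is an assumption about the container's behaviour based on the stack trace and the poster's experiment.

```java
// Added illustration: stand-in types only, not javax.servlet, ESAPI or WebLogic source.
public class WrapperCastDemo {
    interface Request { String getParameter(String name); }

    // Stand-in for the container's concrete request class.
    static final class ContainerRequest implements Request {
        public String getParameter(String name) { return "<b>" + name + "</b>"; }
    }

    // Stand-in for HttpServletRequestWrapper: it exposes the request it wraps.
    static class RequestWrapper implements Request {
        private final Request inner;
        RequestWrapper(Request inner) { this.inner = inner; }
        Request getRequest() { return inner; }
        public String getParameter(String name) { return inner.getParameter(name); }
    }

    // Filtering request built on the wrapper type, as in the poster's experiment.
    static final class UnwrappableSafeRequest extends RequestWrapper {
        UnwrappableSafeRequest(Request inner) { super(inner); }
        @Override public String getParameter(String name) {
            return super.getParameter(name).replace("<", "&lt;").replace(">", "&gt;");
        }
    }

    // Filtering request that implements the interface directly; nothing can see through it.
    static final class OpaqueSafeRequest implements Request {
        private final Request inner;
        OpaqueSafeRequest(Request inner) { this.inner = inner; }
        public String getParameter(String name) {
            return inner.getParameter(name).replace("<", "&lt;").replace(">", "&gt;");
        }
    }

    // Assumed container behaviour: peel off known wrappers, then downcast to its own type.
    static ContainerRequest getOriginalRequest(Request req) {
        while (req instanceof RequestWrapper) {
            req = ((RequestWrapper) req).getRequest();
        }
        return (ContainerRequest) req; // throws ClassCastException for an opaque request
    }

    public static void main(String[] args) {
        Request original = new ContainerRequest();
        Request safe = new UnwrappableSafeRequest(original);
        System.out.println("filtered value: " + safe.getParameter("q"));
        System.out.println("unwrapped to original: " + (getOriginalRequest(safe) == original));
        try {
            getOriginalRequest(new OpaqueSafeRequest(original));
        } catch (ClassCastException e) {
            System.out.println("opaque request rejected: " + e);
        }
    }
}
```

Both filtering classes encode the parameter value identically; only the one built on the wrapper type survives the container's downcast.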