[OWASP-ESAPI] SafeHTTPFilter Does Not Work with Weblogic 8.1

Jeff Williams jeff.williams at owasp.org
Tue Mar 24 23:26:16 EDT 2009


Hi Lei,

 

We chose to simply implement HttpServletRequest and HttpServletResponse in
order to force ourselves to implement every single method.  It's pretty
annoying that they've chosen this approach - it must violate the
specification.  But it's not a big deal to change this. Consider it done in
the next version.  Thanks for the heads up!

 

--Jeff

 

 

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Lei Chen
Sent: Tuesday, March 24, 2009 5:55 PM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] SafeHTTPFilter Does Not Work with Weblogic 8.1

 

Hi Jeff and Team,

You guys have done an excellent job developing this project!! It's something
that I have been looking for the past three years.

I'm currently trying to get SafeHTTPFilter working with my application
running within Weblogic, but I keep getting ClassCastException:


Error 500--Internal Server Error

java.lang.ClassCastException
    at weblogic.servlet.internal.WebAppServletContext.getOriginalRequest(WebAppServletContext.java:6722)
    at weblogic.servlet.JSPServlet.service(JSPServlet.java:100)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1077)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:465)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:28)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
    at org.owasp.esapi.filters.SafeHTTPFilter.doFilter(Unknown Source)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:7053)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3902)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2773)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)

My guess is somewhere down the filter chain, Weblogic tries to cast the
SafeRequest created by SafeHTTPFilter back to its own impl type. Of course!
Is there a reason why SafeRequest / SafeResponse is not extending
HttpServletRequestWrapper / HttpServletResponseWrapper? I did a quick
experiment: if I create my own wrappers extending the two Wrapper APIs within
my own filter and pass them down the filter chain, WL wouldn't complain.


Thanks,
Lei
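
The wrapper-based approach discussed in this thread, as an added example that is not code from ESAPI or from either poster. The class names, the control-character policy and the unwrap helper are hypothetical, and the idea that a container recovers its own request object by following getRequest() is an assumption consistent with the experiment described above. It compiles against the javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter (not ESAPI code): wraps the request by subclassing the
// servlet API wrapper instead of implementing HttpServletRequest directly.
public class WrapperBasedFilter implements Filter {

    // Illustrative policy only: hide parameter values containing control chars.
    static class CheckedRequest extends HttpServletRequestWrapper {
        CheckedRequest(HttpServletRequest request) {
            super(request);
        }

        public String getParameter(String name) {
            String value = super.getParameter(name);
            if (value == null) return null;
            for (int i = 0; i < value.length(); i++) {
                if (Character.isISOControl(value.charAt(i))) return null;
            }
            return value;
        }
    }

    // Assumed container behaviour: follow getRequest() through any wrappers
    // down to the container's own implementation object. A class that only
    // implements HttpServletRequest offers no such link, so a direct cast to
    // the container type fails with ClassCastException.
    static ServletRequest unwrap(ServletRequest request) {
        while (request instanceof ServletRequestWrapper) {
            request = ((ServletRequestWrapper) request).getRequest();
        }
        return request;
    }

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new CheckedRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, resp);
    }

    public void destroy() {}
}
```

Methods the subclass does not override pass straight through to the container's request, so in this sketch getParameterValues and getParameterMap still return unchecked values. A wrapper used as a security control has to override every accessor that exposes untrusted input.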
