[OWASP-ESAPI] SafeHTTPFilter Does Not Work with Weblogic 8.1

Lei Chen lei.chen.2004 at gmail.com
Thu Mar 26 22:46:51 EDT 2009


Thanks Jeff. I'm looking forward to the next version.

On Tue, Mar 24, 2009 at 11:26 PM, Jeff Williams <jeff.williams at owasp.org> wrote:

> Hi Lei,
>
> We chose to simply implement HttpServletRequest and HttpServletResponse in
> order to force ourselves to implement every single method.  It’s pretty
> annoying that they’ve chosen this approach – it must violate the
> specification.  But it’s not a big deal to change this. Consider it done in
> the next version.  Thanks for the heads up!
>
> --Jeff
>
> From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Lei Chen
> Sent: Tuesday, March 24, 2009 5:55 PM
> To: owasp-esapi at lists.owasp.org
> Subject: [OWASP-ESAPI] SafeHTTPFilter Does Not Work with Weblogic 8.1
>
> Hi Jeff and Team,
>
> You guys have done an excellent job developing this project!! It's
> something that I have been looking for for the past three years.
>
> I'm currently trying to get SafeHTTPFilter working with my application
> running within Weblogic, but I keep getting ClassCastException:
>
>
> Error 500--Internal Server Error
>
> java.lang.ClassCastException
>     at weblogic.servlet.internal.WebAppServletContext.getOriginalRequest(WebAppServletContext.java:6722)
>     at weblogic.servlet.JSPServlet.service(JSPServlet.java:100)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>     at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1077)
>     at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:465)
>     at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:28)
>     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
>     *at org.owasp.esapi.filters.SafeHTTPFilter.doFilter(Unknown Source)*
>     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
>     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:7053)
>     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
>     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
>     at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3902)
>     at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2773)
>     at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
>     at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
>
> My guess is somewhere down the filter chain, Weblogic tries to cast the
> SafeRequest created by SafeHTTPFilter back to its own impl type. Of course!
> Is there a reason why SafeRequest / SafeResponse is not extending
> HttpServletRequestWrapper / HttpServletResponseWrapper? I did a quick
> experiment: if I create my own wrappers extending the two Wrapper APIs within
> my own filter and pass them down the filter chain, WL wouldn't complain.
>
>
> Thanks,
> Lei
>
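
The wrapper approach described in the quoted message, as an added example that is not part of the original thread and is not ESAPI's code. The names `WrappingFilter` and `CleanRequest` are hypothetical, and the control-character stripping is an assumed stand-in for whatever filtering the real wrapper performs.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter: wraps the request by extending the standard
// HttpServletRequestWrapper instead of implementing HttpServletRequest directly.
public class WrappingFilter implements Filter {

    // The standard wrapper exposes getRequest(), so code further down the
    // chain that needs the container's own request object can unwrap it.
    static class CleanRequest extends HttpServletRequestWrapper {
        CleanRequest(HttpServletRequest request) { super(request); }

        public String getParameter(String name) { return clean(super.getParameter(name)); }

        public String getHeader(String name) { return clean(super.getHeader(name)); }

        // Assumed sanitization for illustration: drop ASCII control
        // characters, which includes CR and LF.
        static String clean(String value) {
            if (value == null) return null;
            StringBuilder out = new StringBuilder(value.length());
            for (int i = 0; i < value.length(); i++) {
                char c = value.charAt(i);
                if (c >= 0x20 && c != 0x7f) out.append(c);
            }
            return out.toString();
        }
    }

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests are wrapped; anything else passes through untouched.
        if (req instanceof HttpServletRequest) {
            req = new CleanRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, resp);
    }
}
```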