[OWASP-ESAPI] SafeRequests within SafeRequests

Jeff Williams jeff.williams at owasp.org
Tue May 26 11:24:18 EDT 2009


Hi Stewart,

Thanks for the feedback - totally agree. We updated the main ESAPIFilter to
handle this before December. However, the SafeHTTPFilter didn't have this
check. It's been fixed in SVN now. Thanks!

	chain.doFilter(ESAPI.currentRequest(), ESAPI.currentResponse());

By the way, this shouldn't happen unless you're calling the filter
repeatedly. I'm curious what is causing this to happen. Do you have the
dispatcher set up to handle FORWARD?

	<filter-mapping>
		<filter-name>ESAPIFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>FORWARD</dispatcher>
		<dispatcher>REQUEST</dispatcher>
	</filter-mapping>

Thanks,

--Jeff

> -----Original Message-----
> From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Rogan Dawes
> Sent: Tuesday, May 26, 2009 8:24 AM
> To: Stewart Short
> Cc: owasp-esapi at lists.owasp.org
> Subject: Re: [OWASP-ESAPI] SafeRequests within SafeRequests
> 
> Stewart Short wrote:
> >
> >
> > Our web applications are based on WebLogic 8.1 page flows which is a
> > technology built on top of Struts. I have recently been looking at
> > integrating OWASP ESAPI (v1.4) and one problem I noticed is that when
> > processing involves a chain of actions, i.e. resulting in *.do requests,
> > you end up with SafeRequests within SafeRequests, with one level for
> > each action in the chain. Therefore, should the doFilter method in
> > SafeHTTPFilter only create a new SafeRequest if the request passed in is
> > not an instance of SafeRequest?
> 
> Yes, I think so.
> 
> Rogan
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
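The wrap-only-once check discussed in this thread, written out as an added example. This is not ESAPI's own code and not the SVN fix Jeff mentions: `SafeRequestStandIn` is a hypothetical placeholder for a validating wrapper like ESAPI's SafeRequest, `IdempotentSafeFilter` and `nestingDepth` are invented names, and the only dependency assumed is the standard javax.servlet API. It goes slightly beyond a plain `instanceof` test by walking the wrapper chain, so the check still works when a FORWARD or another filter has placed a further wrapper around the already-safe request.

```java
// Added example, not ESAPI code: a servlet filter that wraps the request
// only once, plus a helper to measure how deeply it is already wrapped.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical stand-in for a validating request wrapper such as ESAPI's
 * SafeRequest. A real wrapper would override getParameter(), getHeader(),
 * getCookies() and friends to validate or canonicalize the raw values.
 */
class SafeRequestStandIn extends HttpServletRequestWrapper {
    SafeRequestStandIn(HttpServletRequest request) {
        super(request);
    }
}

public class IdempotentSafeFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure in this example
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        // A FORWARD dispatched through the same filter mapping (or a chain of
        // Struts actions) re-enters doFilter with the request we wrapped on the
        // previous pass. Wrapping again would nest SafeRequests one level per
        // action, so only wrap when no safe layer is present anywhere in the
        // wrapper chain.
        HttpServletRequest safe = nestingDepth(httpRequest) > 0
                ? httpRequest
                : new SafeRequestStandIn(httpRequest);

        chain.doFilter(safe, response);
    }

    /**
     * Counts how many SafeRequestStandIn layers sit in the wrapper chain of
     * the given request. Returns 0 for an unwrapped container request.
     * Useful as a diagnostic when you suspect the nesting Stewart described.
     */
    public static int nestingDepth(ServletRequest request) {
        int depth = 0;
        ServletRequest current = request;
        while (current instanceof ServletRequestWrapper) {
            if (current instanceof SafeRequestStandIn) {
                depth++;
            }
            current = ((ServletRequestWrapper) current).getRequest();
        }
        return depth;
    }
}
```

A bare `request instanceof SafeRequest` test only sees the outermost object; if another filter later in the chain (a multipart or character-encoding wrapper, for instance) wraps the safe request before a FORWARD comes back through the filter, that test fails and a second SafeRequest is created anyway. Walking `getRequest()` down to the container's original object avoids that. Logging `nestingDepth()` at the top of `doFilter` is also a quick way to confirm whether a FORWARD dispatcher mapping like the one in Jeff's reply is what triggers the repeat calls.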


