sling-dev mailing list archives

From "Carsten Ziegeler (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SLING-8469) Sling forward clears response headers added by sling authentication and sling filters
Date Tue, 04 Jun 2019 04:51:00 GMT

     [ https://issues.apache.org/jira/browse/SLING-8469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-8469:
------------------------------------
    Fix Version/s: Engine 2.6.20

> Sling forward clears response headers added by sling authentication and sling filters
> -------------------------------------------------------------------------------------
>
>                 Key: SLING-8469
>                 URL: https://issues.apache.org/jira/browse/SLING-8469
>             Project: Sling
>          Issue Type: Bug
>          Components: Engine
>    Affects Versions: Engine 2.6.18
>            Reporter: Andrew Khoury
>            Priority: Major
>             Fix For: Engine 2.6.20
>
>
> In the Sling Engine, the RequestDispatcher.forward method calls response.reset() [1], which clears all headers, but in Apache Tomcat it calls response.resetBuffer() [2], which preserves the response headers. I suspect that the Tomcat behavior, response.resetBuffer(), is the correct behavior.
> The problem with this behavior comes into play when there is a REQUEST scope javax.servlet.Filter or an AuthenticationHandler that adds response headers (such as Set-Cookie). Those headers aren't preserved when the response is forwarded.
> [1] https://github.com/apache/sling-org-apache-sling-engine/blob/org.apache.sling.engine-2.6.18/src/main/java/org/apache/sling/engine/impl/request/SlingRequestDispatcher.java#L133
> [2] https://github.com/apache/tomcat/blob/9.0.20/java/org/apache/catalina/core/ApplicationDispatcher.java#L326
> Clears buffer without clearing all headers:
> https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/ServletResponse.html#resetBuffer()
> The Java Servlet specification is unclear on this as there is no mention of the response headers:
> https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf
> {quote}
> 9.4 The Forward Method
> The forward method of the RequestDispatcher interface may be called by the
> calling servlet only when no output has been committed to the client. If output data
> exists in the response buffer that has not been committed, the content must be
> cleared before the target servlet’s service method is called. If the response has been
> committed, an IllegalStateException must be thrown.
> The path elements of the request object exposed to the target servlet must reflect the
> path used to obtain the RequestDispatcher.
> The only exception to this is if the RequestDispatcher was obtained via the
> getNamedDispatcher method. In this case, the path elements of the request object
> must reflect those of the original request.
> Before the forward method of the RequestDispatcher interface returns without
> exception, the response content must be sent and committed, and closed by the
> servlet container, unless the request was put into the asynchronous mode. If an error
> occurs in the target of the RequestDispatcher.forward() the exception may be
> propagated back through all the calling filters and servlets and eventually back to
> the container
> {quote}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
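
A diagnostic for the header loss described in the issue, as an added example that is not part of the original message or of the Sling code base: a servlet filter that wraps the response and logs the names of the headers present at the moment `reset()` is called. The class names `HeaderLossAuditFilter` and `AuditingResponse` are hypothetical; the code assumes the Servlet 3.0+ API (`javax.servlet`) on the classpath and that the forward is issued on the response object passed down the filter chain.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Added diagnostic (hypothetical name): reports headers that a reset() is about to discard. */
public class HeaderLossAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(HeaderLossAuditFilter.class.getName());

    @Override public void init(FilterConfig config) { /* no configuration needed */ }
    @Override public void destroy() { /* nothing to release */ }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Everything further down the chain, including a forward, sees the wrapper.
            chain.doFilter(req, new AuditingResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    static final class AuditingResponse extends HttpServletResponseWrapper {
        AuditingResponse(HttpServletResponse response) { super(response); }

        @Override
        public void reset() {
            // ServletResponse.reset() clears buffer, status code and headers.
            // Log header names only: values such as Set-Cookie carry session secrets.
            List<String> names = new ArrayList<>(getHeaderNames());
            if (!names.isEmpty()) {
                LOG.warning("reset() is discarding response headers: " + names);
            }
            super.reset();
        }
        // resetBuffer() is left untouched: it clears buffered content and keeps headers.
    }
}
```

A `Set-Cookie` entry in the logged list on a forwarded request indicates the behaviour reported against Engine 2.6.18.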