tomcat-dev mailing list archives

From "Hernan Ochoa" <>
Subject Recycling of request objects
Date Tue, 14 May 2002 23:55:27 GMT

I've been taking a look at Tomcat's source code, and following some
advice I found in some security doc at the Tomcat web site about
recycling of Request objects, I tried the 'attack' described and I could
effectively 'steal' requests from other servlets/users.

I made these tests using Tomcat 3.2.4 and the JK connector.
I downloaded Tomcat 4.0.2 and I think it also recycles
request objects; I found this in the Tomcat connectors' source code:

file /jk/java/org/apache/jk/server/tomcat40/

public int invoke( Msg msg, MsgContext ep )
        throws IOException
{
        d("Incoming request " );

        BaseRequest req=ep.getRequest();
        Channel ch=ep.getChannel();
        // The JkRequest40/JkResponse40 pair is kept as a note on the
        // connector's BaseRequest: it is created on the first call only
        // and the same objects are handed to the container on every
        // later call, i.e. the request/response objects are recycled.
        JkRequest40 treq=(JkRequest40)req.getNote( reqNote );
        JkResponse40  tres;
        if( treq==null ) {
            treq=new JkRequest40();
            req.setNote( reqNote, treq );
            tres=new JkResponse40(wEnv);
            treq.setResponse( tres );
            tres.setRequest( treq );
        } else {
            // else branch missing from the quoted excerpt; assumed to fetch
            // the response object paired with the reused request
            tres=(JkResponse40)treq.getResponse();
        }
        treq.setEndpoint( ch, ep );
        treq.setBaseRequest( req );
        tres.setEndpoint( ch, ep );

        try {
            container.invoke( treq, tres );
        } catch(Throwable ex ) {
            // exception handling elided in the quoted excerpt
        }
        d("Finishing response");

        return OK;
}

So, if I'm not mistaken, this is recycling request and response
objects. From the code here I guess there is no way to configure Tomcat
not to recycle request objects without modifying the source code.

So my questions would be:

-Is there a way in Tomcat 3.2.4 to configure it not to recycle request 
objects? (I couldn't find one)
-Is there a way in Tomcat 4.0 to do the same thing?
-I guess Tomcat 4.0 still has the problem version 3.2.4 had, where a
'malicious servlet' can steal information from other servlets/requests, am I

I'll keep investigating these issues by myself, but I thought it would be very
nice to get feedback from the people actually writing the code,
who know the most about the product's inner workings.

Thanks a lot for your time!

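The hazard raised in this message, illustrated with an added example that is not Tomcat's code and not code from the poster: a connector that reuses one request object across requests. Every class and method here (PooledRequest, RequestFacade, HoardingServlet, the two connector simulations) is hypothetical and constructed for the illustration, as are the header values. It shows the two defensive properties such a connector needs: the pooled object must be fully reset before reuse, and a servlet must only ever see a facade that is detached once its service() call returns, so a reference kept past that point fails instead of exposing the next user's data.

```java
// Added example, not Tomcat code and not from the message above.
// Models a connector that reuses one request object and shows (a) why every
// field must be cleared on recycle and (b) why servlets should get a facade
// that is detached after service(), never the pooled object itself.
import java.util.HashMap;
import java.util.Map;

public class RecycledRequestDemo {

    /** Hypothetical connector-owned request object that is reused. */
    static final class PooledRequest {
        final Map<String, String> headers = new HashMap<>();
        String remoteUser;

        /** Clears every field so nothing from the previous request survives. */
        void recycle() {
            headers.clear();
            remoteUser = null;
        }
    }

    /**
     * What the servlet is handed instead of the pooled object. After the
     * connector calls detach(), any use of a kept reference fails loudly
     * rather than reading the data of whoever is using the object next.
     */
    static final class RequestFacade {
        private PooledRequest target;
        RequestFacade(PooledRequest target) { this.target = target; }
        String getHeader(String name) {
            if (target == null) throw new IllegalStateException("request already recycled");
            return target.headers.get(name);
        }
        void detach() { target = null; }
    }

    /** Servlet that wrongly keeps its request beyond service(); exercises the facade. */
    static final class HoardingServlet {
        RequestFacade kept;
        void service(RequestFacade req) { kept = req; }
    }

    /**
     * Leaky connector: the pooled object is reused with no recycle() between
     * requests. Returns the Authorization header the second (anonymous) request
     * observes; a non-null value is the leak.
     */
    static String leakyConnector() {
        PooledRequest pooled = new PooledRequest();
        // request 1: authenticated user (constructed values)
        pooled.remoteUser = "alice";
        pooled.headers.put("Authorization", "Bearer alice-token");
        // request 2: anonymous user, same object, nothing cleared
        return pooled.headers.get("Authorization"); // still "Bearer alice-token"
    }

    /**
     * Hardened connector: servlet gets a facade that is detached after
     * service(), and the pooled object is recycled before reuse.
     * Returns true when the hoarded reference is blocked from reading request 2.
     */
    static boolean hardenedConnector() {
        PooledRequest pooled = new PooledRequest();
        HoardingServlet servlet = new HoardingServlet();

        // request 1 (constructed values)
        pooled.remoteUser = "alice";
        pooled.headers.put("Authorization", "Bearer alice-token");
        RequestFacade f1 = new RequestFacade(pooled);
        servlet.service(f1);
        f1.detach();      // the servlet's turn is over: its handle is dead
        pooled.recycle(); // nothing from alice reaches the next request

        // request 2: a different user; the hoarded f1 must not reveal it
        pooled.remoteUser = "bob";
        pooled.headers.put("Authorization", "Bearer bob-token");
        try {
            servlet.kept.getHeader("Authorization");
            return false; // reached only if the facade still exposed the pooled object
        } catch (IllegalStateException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("leaky connector exposes stale header: " + leakyConnector());
        System.out.println("hardened connector blocks retained reference: " + hardenedConnector());
    }
}
```

Run it with `javac RecycledRequestDemo.java && java RecycledRequestDemo`. The two checks are independent on purpose: recycle() alone does not help against a servlet that holds on to the object, and the facade alone does not help if the connector forgets to clear fields, so a connector that pools request objects needs both.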

