tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick Knowles <>
Subject Request dispatching question
Date Thu, 05 Aug 2004 02:18:26 GMT
Tomcat devs,

I've noticed an interesting behaviour when moving some webapp code from 
Winstone to Tomcat, and I'd like to get an opinion on whether what it's 
by design, accidental or I've misinterpreted the spec (equal likelihood 
of any of the above).

The webapp implements access control using a filter and a request 
wrapper. The filter is mapped to the protected directory, and any 
request that passes through gets checked for a token. If the token is 
not found, it dumps the contents of the request into a session object, 
and forwards to the login servlet. After the login is approved, the 
token is set, and a client side redirect to the original location is 
sent with a key added. On this second pass through the filter, the key 
is used to look up the session object storing the details of the 
original request. The filter constructs a request wrapper from that 
session object that makes the new request mimic the original one (eg 
when getRequestURI is called, it returns what the pre-authentication 
request's uri was, same for getServletPath, etc)

This approach seems to work well with the first servlet, but if that 
servlet forwards to another servlet, it breaks down. It seems like on a 
forward, Tomcat sees that the request object it is handling is not the 
CoyoteRequestFacade and doesn't bother trying to reset the pathInfo, 
servletPath etc, so forwarding to a JSP seems to fail.

It works ok on Winstone, because on a forward it unwraps the request 
until it hits something that's not a wrapper, resets the 
pathInfo/servletPath/etc, and passes it into the filter chain. It seems 
(from the outside) like Tomcat doesn't try more than one unwrap attempt. 
All of this is without yet looking at Tomcat source, so if I'm making a 
fool of myself just point me at a file and I'll disappear.

My question is this (sorry I took so long to get to it) - what is the 
correct behaviour here ? Should it unwrap all the way, or only one step 
? Is the behaviour I'm seeing expected or is something wrong ?

Thanks in advance,

Rick Knowles

Servlet v2.4 container in a single 140KB jar file ? Try Winstone (

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message