tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: How to programmatically add parameters to ServletRequest objects?
Date Wed, 06 Aug 2008 19:28:42 GMT
I suggest you look at ServletRequest.setAttribute()

In programming Servlets - you can work with parameters which are the fun 
little things which come off the query string or via the POST body. 
These items should be thought of as read-only - and only set/sent from the 
HttpClient (aka - the web browser).

As a programmer - you wish to pass extra information along to other 
Servlets, Filters, etc  - the recommended way is to attach that baggage 
to the ServletRequest via setAttribute.

In a typical MVC setting - a servlet will use the request parameters to 
construct objects which are then placed into the ServletRequest via 
setAttribute. Then the servlet forwards to a view and the view pulls all 
needed data from the ServletRequest via getAttribute. Using request 
parameters in the view is typically an invitation to an XSS attack.

-Tim

Jonathan Mast wrote:
> | This is really the only way to do it. The other option is to create a
> | new request object and stuff your own parameters into it (or, better
> | yet, wrap the original request and add your parameters only to the
> | wrapper).
> 
> How would I do this?  This is basically what Jakarta Commons HTTPClient
> package (org.apache.commons.httpclient.*) offers, correct?
> 
> I thought such manipulation would be achievable without additional packages.
> 
> 
> | Why do you believe that adding parameters to the URL is not scalable?
> Well, it's not scalegent, to coin a term;
> String munging is expensive (scalability), and
> StringBuffer sb = new StringBuffer();
> sb.append("page.jsp?").append("foo=").append(bar).append("&color=").append(myColor).etc()
> is rough to look at (elegant).
> 
> Why not just:
> HashMap myParams = new HashMap();
> myParams.put("foo", bar);
> ...
> pageContext.forward("page.jsp", myParams)   ?
> 
> much more efficient and elegant, imho.
> 
> I understand that it all eventually boils down to a bunch of String munging,
> but the above hypothetical method could take care of that for us and would
> really make my life easier ;-)
> 
> thanks
> 
> 
> 
> On Wed, Aug 6, 2008 at 1:17 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Jonathan,
>>
>> Jonathan Mast wrote:
>> | I can't figure out how to use the pageContext.forward() method like its
>> | equivalent script element:
>>
>> Do you mean that you want to add parameters to a forwarded URL without
>> using JSP?
>>
>> | How do I pass the name-value pair "foo":"bar" using
>> | pageContext.forward()? I thought there would be a method like
>> | forward(String path, Map params) but there isn't.
>>
>> Right: you just forward to another URL.
>>
>> | Nor is there a setParameter(name, value) method available on
>> | ServletRequest or ServletResponse (both of which are passed onto the
>> | page pointed to in pageContext.forward().


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
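
Added example, not part of the original message or of Tomcat's code: a controller servlet following the pattern described in the reply above, which reads the request parameters once, validates them, and passes a model object to the view with setAttribute. The class names, the allow-list, the length limit and the /WEB-INF/page.jsp path are assumptions; the imports use the javax.servlet namespace (Tomcat 10 and later use jakarta.servlet).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Controller: parameters are read-only input, attributes carry data to the view.
public class ColorController extends HttpServlet {
    // Hypothetical allow-list for the "color" parameter used in the thread.
    private static final Set<String> COLORS =
            new HashSet<>(Arrays.asList("red", "green", "blue"));

    // Model object the view reads; public getters make it usable from JSP EL.
    public static final class PageModel {
        private final String foo;
        private final String color;
        PageModel(String foo, String color) { this.foo = foo; this.color = color; }
        public String getFoo() { return foo; }
        public String getColor() { return color; }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String foo = req.getParameter("foo");      // untrusted, may be null
        String color = req.getParameter("color");  // untrusted, may be null

        // Validate once, here; the 64-character limit is an assumed policy.
        if (foo == null || foo.length() > 64
                || color == null || !COLORS.contains(color)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Attach the model instead of rebuilding a query string for the forward.
        req.setAttribute("model", new PageModel(foo, color));

        // In page.jsp read only the attribute and encode on output, e.g.
        //   <c:out value="${model.foo}"/>   (c:out escapes XML by default)
        // "foo" is still free text, so it must be escaped where it is rendered.
        req.getRequestDispatcher("/WEB-INF/page.jsp").forward(req, resp);
    }
}
```

The forwarded request still exposes the original parameters through getParameter and `${param.foo}`, so the view has to be written to read the attribute only.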