tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nadav Katz <>
Subject Tomcat not conforming to Servlet spec 2.4+ in regards to jsp:include
Date Mon, 08 Aug 2011 05:42:27 GMT

I have a filter in place for validating CSRF tokens. I only wish to validate requests coming
from the client, so no validation for dynamic includes or forwards. My web.xml for the filter
looks like this:


Servlet spec 2.4+ states under RequestDispatcher:

"The request is being processed under a request dispatcher representing the Web component
matching the or using an include() call. This is indicated by a element with value INCLUDE."

In other words, my filter shouldn't be invoked for jsp:include calls to SomeServlet since
they are handled by the RequestDispatcher, and I have no explicit mapping for<dispatcher>INCLUDE</dispatcher>...

But somehow it is... My filter intercepts all calls, including "jsp:include"...

This is the (one of the...) problematic calls:

<jsp:include page="/SomeServlet" flush="true" >
        <jsp:param name="action" value="9" />

Can anyone shed any light on this? I tried bypassing the problem by adding a "filtered" param
to the request and checking it later (since the original request is supposed to be forwarded),
but to no avail. It seems Tomcat is creating a new request object. Any ideas anyone? Is it
a configuration issue? A bug in Tomcat? Am I a complete moron??

Thanks for any help,



  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message