tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Reg : Parameter Filters
Date Fri, 06 Sep 2019 18:56:28 GMT


On 9/6/19 06:25, praveen kumar wrote:
> Thanks for quick response and information. Christopher I tried the
> first option you mentioned from the following reference and tried
> to redirect to a customized error page instead of letting the
> geoserver application spit the exception. But maybe I missed
> something in implementation that did not work.
> 1. Copied urlrewritefilter-4.0.3.jar to Web-inf/lib
> 2. urlrewrite.xml in web-inf directory
> <urlrewrite>
>   <rule enabled="true">
>     <condition type="query-string" operator="equal"></condition>
>     <from>WIDTH=[^0-9]+</from>
>     <to type="redirect">error.html</to>
>   </rule>
> </urlrewrite>

You are mapping from an expression when this needs to map from a URL.
The regex should be in the <condition> like this:

    <condition type="query-string"

Note that this doesn't allow the WIDTH parameter to be empty. Is that
okay? It also allows (probably?) invalid input such as "WIDTH=10xyz".
You will need a more complicated regular expression pattern to get the
job done properly.

Try changing your configuration to:

<rule enabled="true">
  <condition type="query-string"
  <to type="redirect">error.html</to>

> And 3. in web.xml
> <context-param>
>   <!-- see comments on the PARTIAL-BUFFER strategy -->
>   <!-- this sets the size of the buffer. default is "50" = 50kb -->
>   <param-name>PARTIAL_BUFFER_STRATEGY_SIZE</param-name>
>   <param-value>50</param-value>
> </context-param>
> <filter>
>   <filter-name>UrlRewriteFilter</filter-name>
>   <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
>   <init-param>
>     <param-name>confPath</param-name>
>     <param-value>/WEB-INF/urlrewrite.xml</param-value>
>   </init-param>
> </filter>
> <filter-mapping>
>   <filter-name>UrlRewriteFilter</filter-name>
>   <url-pattern>/*</url-pattern>
>   <dispatcher>REQUEST</dispatcher>
>   <dispatcher>FORWARD</dispatcher>
> </filter-mapping>
> ... </context>

Consider only mapping the url-rewrite filter to those URL patterns you
actually plan on protecting. Since this is all very explicit, and
regular expression evaluation is expensive, you only want to execute
those checks on very specific URL patterns.

> André Warnier I would like to redirect such invalid requests to a
> dummy error page which does nothing. I hope this can be done to just
> drop the invalid requests.

Then I think you want:


Hope that helps,
-chris

> On Fri, Sep 6, 2019 at 3:44 PM André Warnier (tomcat)
> <> wrote:
>> On 05.09.2019 20:58, Christopher Schultz wrote:
>>> Praveen,
>>> On 9/5/19 05:07, praveen kumar wrote:
>>>> Hello, I am working with an application called geoserver
>>>> which works on Apache Tomcat server. Just for an idea for
>>>> those who do not know, geoserver is an application that serves
>>>> web map services. When I am calling this service I will be
>>>> providing a few parameters about the map like layer name,
>>>> height, width and so on. Now my requirement is to restrict
>>>> the values passed to these parameters. Like for example for
>>>> WIDTH it should only consider an integer, if a request having
>>>> a string for WIDTH should not reach my application. I am
>>>> looking for some redirect rules but I could not succeed. It
>>>> would be great if someone can help or guide me on this.
>>> LOL this service doesn't actually sanitize its input? Yikes.
>>> The good news is that you can do this in a few ways.
>>> You have 3 options that I can see:
>>> 1. Use a redirect filter
>>> 2. Use a reverse-proxy like Apache with some filtering configured
>>> 3. Write it yourself
>>> In order to use a redirect filter, you will have to:
>>> a. Choose a redirect filter (e.g. Tomcat's rewrite[1] or
>>>    Tuckey's urlrewrite[2])
>>> b. Configure it with a file. The configuration depends upon
>>>    which filter you choose
>>> c. Bundle that filter+config with the application
>>> In order to use a reverse proxy, you'll need to:
>>> a. Choose a reverse proxy (e.g. Apache httpd, nginx, Squid, etc.)
>>> b. Configure it properly (which depends upon your choice in (a)
>>>    above)
>>> In order to write it yourself, you will have to:
>>> a. Write a servlet filter in Java
>>> b. Package that filter into the application
>>> c. Install that filter into the filter-chain by modifying the
>>>    application's WEB-INF/web.xml file
>>> Do you have a preference?
>>> -chris
>> +1, but I would have to add that first of all, Praveen should
>> have a clear idea of /what he thinks should happen/, if one of
>> the request parameters does not meet expectations. Saying that
>> "the request should not make it to the application" is one thing,
>> but what do you want to happen instead ?
>> ---------------------------------------------------------------------
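
Option 3 from the quoted list ("Write it yourself"), as an added example that is not code from this thread or from GeoServer: a servlet filter that matches the whole parameter value, so the empty WIDTH and "WIDTH=10xyz" cases raised in the reply are rejected, while a request that omits the parameter entirely still passes. The class name, the guarded parameter list, the five-digit cap and the 400 response (instead of a redirect) are assumptions; it is written against the javax.servlet API.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (not from the thread): only plain positive integers pass. */
public class NumericParamFilter implements Filter {
    // Assumption: parameters to guard; the thread itself only names WIDTH.
    private static final List<String> NUMERIC = Arrays.asList("WIDTH", "HEIGHT");
    // Whole-value match, 1-5 digits, no leading zero (the cap is an assumption).
    // Rejects "", "10xyz", "-1", "1e3" and " 10".
    private static final Pattern POSITIVE_INT = Pattern.compile("[1-9][0-9]{0,4}");

    /** True when every supplied value of a guarded parameter is a positive integer. */
    static boolean acceptable(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            // WMS parameter names are case-insensitive, so compare names that way too.
            if (!NUMERIC.contains(e.getKey().toUpperCase(Locale.ROOT))) continue;
            // A repeated parameter (WIDTH=10&WIDTH=abc) must be valid in every copy.
            for (String value : e.getValue()) {
                if (!POSITIVE_INT.matcher(value).matches()) return false;
            }
        }
        return true;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!acceptable(req.getParameterMap())) {
            // Stop here: the request never reaches the application.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Register it in WEB-INF/web.xml and map it only to the URL patterns that need the check, as the reply advises for the rewrite filter.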