[
https://issues.apache.org/jira/browse/SLING-8469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Carsten Ziegeler updated SLING-8469:
------------------------------------
Priority: Blocker (was: Major)
> Sling forward clears response headers added by sling authentication and sling
> filters
> -------------------------------------------------------------------------------------
>
> Key: SLING-8469
> URL: https://issues.apache.org/jira/browse/SLING-8469
> Project: Sling
> Issue Type: Bug
> Components: Engine
> Affects Versions: Engine 2.6.18
> Reporter: Andrew Khoury
> Priority: Blocker
> Fix For: Engine 2.6.20
>
>
> In the Sling Engine the RequestDispatcher.forward method, it calls
> response.reset() \[1] which clears all headers, but in Apache Tomcat it calls
> response.resetBuffer() \[2] which preserves the response headers. I suspect
> that the tomcat behavior response.resetBuffer() is the correct behavior.
> The problem with this behavior comes into play when there is a REQUEST scope
> javax.servlet.Filter or an AuthenticationHandler that adds response headers
> (such as Set-Cookie). Those headers aren't preserved when the response is
> forwarded.
> \[1]
> https://github.com/apache/sling-org-apache-sling-engine/blob/org.apache.sling.engine-2.6.18/src/main/java/org/apache/sling/engine/impl/request/SlingRequestDispatcher.java#L133
> \[2]
> https://github.com/apache/tomcat/blob/9.0.20/java/org/apache/catalina/core/ApplicationDispatcher.java#L326
> Clears buffer w/ out clearing all headers:
> https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/ServletResponse.html#resetBuffer()
> The Java Servlet specification is unclear on this as there is no mention of
> the response headers:
> https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf
> {quote}
> 9.4 The Forward Method
> The forward method of the RequestDispatcher interface may be called by the
> calling servlet only when no output has been committed to the client. If
> output data
> exists in the response buffer that has not been committed, the content must be
> cleared before the target servlet’s service method is called. If the response
> has been
> committed, an IllegalStateException must be thrown.
> The path elements of the request object exposed to the target servlet must
> reflect the
> path used to obtain the RequestDispatcher.
> The only exception to this is if the RequestDispatcher was obtained via the
> getNamedDispatcher method. In this case, the path elements of the request
> object
> must reflect those of the original request.
> Before the forward method of the RequestDispatcher interface returns without
> exception, the response content must be sent and committed, and closed by the
> servlet container, unless the request was put into the asynchronous mode. If
> an error
> occurs in the target of the RequestDispatcher.forward() the exception may be
> propagated back through all the calling filters and servlets and eventually
> back to
> the container
> {quote}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
