Tomcat devs,

I've noticed an interesting behaviour when moving some webapp code from Winstone to Tomcat, and I'd like to get an opinion on whether it's by design, accidental, or I've misinterpreted the spec (equal likelihood of any of the above).

The webapp implements access control using a filter and a request wrapper. The filter is mapped to the protected directory, and any request that passes through gets checked for a token. If the token is not found, it dumps the contents of the request into a session object, and forwards to the login servlet. After the login is approved, the token is set, and a client-side redirect to the original location is sent with a key added. On this second pass through the filter, the key is used to look up the session object storing the details of the original request. The filter constructs a request wrapper from that session object that makes the new request mimic the original one (e.g. when getRequestURI is called, it returns what the pre-authentication request's URI was, same for getServletPath, etc.).

This approach seems to work well with the first servlet, but if that servlet forwards to another servlet, it breaks down. It seems like on a forward, Tomcat sees that the request object it is handling is not the CoyoteRequestFacade and doesn't bother trying to reset the pathInfo, servletPath etc, so forwarding to a JSP seems to fail.

It works ok on Winstone, because on a forward it unwraps the request until it hits something that's not a wrapper, resets the pathInfo/servletPath/etc, and passes it into the filter chain. It seems (from the outside) like Tomcat doesn't try more than one unwrap attempt. All of this is without yet looking at Tomcat source, so if I'm making a fool of myself just point me at a file and I'll disappear.

My question is this (sorry I took so long to get to it): what is the correct behaviour here? Should it unwrap all the way, or only one step? Is the behaviour I'm seeing expected or is something wrong?

Thanks in advance,

Rick Knowles

--
Servlet v2.4 container in a single 140KB jar file ? Try Winstone 
(http://winstone.sf.net/)
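
An added example, not part of the original post and not code from Tomcat or Winstone: one way to write the replay wrapper described above so that its saved path values stop applying once the request has been forwarded. The class name is hypothetical, and it assumes the container resets the paths on the request beneath the wrapper and exposes the Servlet 2.4 forward attribute through the wrapper chain.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Replays a saved pre-login request's paths until the request is forwarded. */
public class ReplayRequestWrapper extends HttpServletRequestWrapper {

    // Request attribute defined by Servlet 2.4 for forwarded requests.
    // Not set for dispatchers obtained with getNamedDispatcher().
    private static final String FORWARD_URI = "javax.servlet.forward.request_uri";

    private final String savedRequestURI;
    private final String savedServletPath;
    private final String savedPathInfo;

    public ReplayRequestWrapper(HttpServletRequest current, String savedRequestURI,
                                String savedServletPath, String savedPathInfo) {
        super(current);
        this.savedRequestURI = savedRequestURI;
        this.savedServletPath = savedServletPath;
        this.savedPathInfo = savedPathInfo;
    }

    // Assumption: the container exposes the forward attribute through the
    // wrapper chain once RequestDispatcher.forward() has been called.
    private boolean replaying() {
        return super.getAttribute(FORWARD_URI) == null;
    }

    public String getRequestURI() {
        return replaying() ? savedRequestURI : super.getRequestURI();
    }

    public String getServletPath() {
        return replaying() ? savedServletPath : super.getServletPath();
    }

    public String getPathInfo() {
        return replaying() ? savedPathInfo : super.getPathInfo();
    }
}
```

With this shape the access-control filter still presents the pre-authentication paths to the first servlet, while a forward target resolves against whatever paths the container set for the dispatch.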

