You could write a Filter instead of a Valve. In the Filter wrap the ServletRequest and provide a custom ServletInputStream which uses the PushbackInputStream around the real ServletInputStream.
Once security checks have passed you can push back the used bytes and pass on your wrapped ServletRequest down the Filter chain to the 3rd party servlets.
HTH,
Jon
Betts, Chris wrote:
Hi Folks,
I want to write a tomcat security Valve that does content checking of the HTTP body, before anything else happens (e.g. 3rd party destination servlets I have no control over are called).
However, to read the body data I 'use up' the inputStream, and can't find any way to put it back - the result is the final servlet gets an empty body.
Unfortunately, the data is actually HTTP POST data containing SOAP/XML, otherwise I could use the servlet request parameter methods. Since it is SOAP/XML though, I really have to get the body data directly, as no parameters are set.
I've tried mark() and reset() on both the input stream and the reader methods, but no luck (not implemented and no effect respectively). And, coyote doc not withstanding, 'setStream()' is actually a no-op - the source code shows it is an empty method - so I can't reset the stream that way.
I'm getting a 'you can't get there from here feeling' at this stage; does anyone have any clues? I'm using tomcat 4.0.29 at the moment, but the code seems pretty similar in tomcat 5 as well so I don't think switching will help...
thanks heaps in advance :-),
- Chris
Dr Christopher Betts
Web Services Security
Computer Associates
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
