users@jersey.java.net

Re: [Jersey] Problem with Filter

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Mon, 25 Aug 2008 08:44:15 +0200

Hi Ashish,

The problem is Servlet is broken. The method:

   request.getParameter

does not differentiate between parameters that are query parameters
in the URI and parameters that are form parameters in the body of the
request. Furthermore, if a parameter is of the latter, then servlet
will consume the body of the request message and anything that layers
on top of servlet that is required to consume the form parameters in
the request body will fail, as you are observing.

This is rather tricky to untangle by something sitting on top of
servlet that also tries to be independent of the HTTP container layer.

IMHO the Jersey filter API would be the right place for this :-) but
it requires a little bit of refactoring so you can get easy access
to the query parameters. I should be able to sort this out in a
couple of days.

Note that it might be better to utilize the HTTP authentication
header with your own customization. That way the URLs are not
modified with "secure" and "sessionToken" information.

Paul.

On Aug 23, 2008, at 8:29 PM, Ashish Raniwala wrote:

> Hi Guys,
>
> I need to use a filter for a custom security implementation. Please
> refer to the SecurityFilter below for my filter implementation.
>
> I am facing a strange issue with @FormParam. The value of variables with
> @FormParam does not get injected with the filter, while it works
> fine without the filter.
>
> I also observed that if I do not write any code in the doFilterInternal
> method, like below, values get injected fine.
>
>     protected void doFilterInternal(HttpServletRequest request,
>             HttpServletResponse response, FilterChain chain)
>             throws ServletException, IOException {
>         chain.doFilter(request, response);
>     }
>
> I am not getting any clue of what is wrong here. Please help.
>
>
> public class SecurityFilter extends OncePerRequestFilter {
>
>     @Override
>     protected void doFilterInternal(HttpServletRequest request,
>             HttpServletResponse response, FilterChain chain)
>             throws ServletException, IOException {
>         String url = request.getServletPath();
>         boolean valid = false;
>         int errorCode = -1;
>         UserSession session = null;
>
>         if (url.contains("secure")) {
>             // Exclude login request from session token requirement
>             valid = true;
>         }
>         else {
>             String sessionToken = request.getParameter("sessionToken");
>             String ip = request.getRemoteAddr();
>
>             if (sessionToken != null) {
>                 session = getRestSessionManager()
>                         .getUserSessionBySessionKey(sessionToken);
>             }
>             errorCode = RestSecurityUtil.validate(sessionToken, ip,
>                     session);
>
>             valid = (StatusConstants.COMMAND_OK == errorCode);
>
>             if (valid && getRestSessionManager().isSessionExpired(session)) {
>                 errorCode = StatusConstants.INVALID_SESSION_TOKEN;
>                 valid = false;
>             }
>         }
>         chain.doFilter(request, response);
>     }
> }
>
> Thanks,
> Ashish
>
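
The following is an added example, not code from either poster or from Jersey: a servlet filter that takes the session token from a customized Authorization header, falling back to the URI query string, and never calls request.getParameter, so the form body is left unread for @FormParam. The class name TokenFilter, the "SessionToken" scheme name and the abstract isValid hook are assumptions; exempting a login path is left to the application.

```java
import java.io.IOException;
import java.net.URLDecoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical names); the application supplies isValid().
public abstract class TokenFilter implements Filter {
    // Assumed custom scheme: "Authorization: SessionToken <token>"
    static final String SCHEME = "SessionToken ";

    /** Token from the Authorization header, else from the URI query string only. */
    static String extractToken(String authHeader, String rawQuery) throws IOException {
        if (authHeader != null
                && authHeader.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return authHeader.substring(SCHEME.length()).trim();
        }
        if (rawQuery == null) return null;
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            if (URLDecoder.decode(name, "UTF-8").equals("sessionToken")) {
                return eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
            }
        }
        return null;
    }

    /** Application-specific session check (token lookup, expiry, client IP). */
    protected abstract boolean isValid(String token, String remoteAddr);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getHeader() and getQueryString() never read the request body;
        // getParameter() may, which is what breaks @FormParam downstream.
        String token = extractToken(request.getHeader("Authorization"),
                                    request.getQueryString());
        if (token == null || !isValid(token, request.getRemoteAddr())) {
            response.setHeader("WWW-Authenticate", SCHEME.trim());
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // rejected requests are not passed down the chain
        }
        chain.doFilter(req, res); // body still unread for the resource method
    }
}
```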