users@servlet-spec.java.net

[servlet-spec users] Re: Context attributes across local applications

From: Mark Thomas <markt_at_apache.org>
Date: Thu, 7 Apr 2016 21:26:01 +0100

On 07/04/2016 16:21, pbenedict_at_apache.org wrote:
> Dear Experts,
>
> I recently had a programmer do something like the following:
>
> // inside servlet doGet()
> ServletContext scMe = getServletContext();
> ServletContext scOther = scMe.getContext("/other");
> scOther.setAttribute("x", "1");
> scOther.getRequestDispatcher("/").forward(req, res);
>
> The developer was attempting to forward the request to another application,
> and pass along some internal information via context attributes. His
> thinking was that the attributes would be a good way to conceal some
> sensitive parameters as an alternative to exposing them in the URL.
>
> The forward was to the same local container. It didn't work. I wasn't
> expecting it to work -- and also never saw anyone attempt this before
> either. Yet in his defense, I find nothing in the API or Specification
> that would prohibit what he did.

It would have worked if they tried it in Tomcat. I just wrote a unit
test to confirm what a code review suggested would happen.

I would add that adding what looks like a request scope attribute to the
ServletContext is asking for a concurrency bug in the application but
that is somewhat off-topic for this discussion.

> In the 3.1 Specification, we have:
>
> 4.5: "Any attribute bound into a context is available to any other servlet
> that is part of the same Web application."
>
> OK, nothing limiting here. Placing an attribute in another application's
> context makes it available to any other servlet in that application. It's
> talking about "a context" not "the current context".
>
> 4.5.1: "Context attributes are local to the JVM in which they were created.
> This prevents ServletContext attributes from being a shared memory store
> in a distributed container"
>
> OK, both contexts are in the same JVM.
>
> Based on my readings, passing context attributes within one JVM between
> applications should be allowed. I do not see any language prohibiting this.
> What are your expert opinions on what should be allowed? And is the
> API explicit enough to allow/disallow the situation?

It should be allowed and I see nothing in the spec that would prevent it.

I don't see a need to change the spec. The API is behaving as documented.

> Regarding the API docs, there is a warning on ServletRequest::setAttribute
> regarding cross-application usage. There is no such warning on the
> ServletContext::setAttribute. The warning is actually stuffed up in the
> class documentation so it's easy to miss... but even then, my situation
> doesn't fall under a "distributed container".

That warning looks to be referring to class loading issues. If the
attribute is set in application A and used in application B and that
usage triggers the loading of a new class, careful coding would be
required to ensure the class was loaded using the correct class loader
to avoid a CNFE.

Mark
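As an added illustration (not code from either poster), the forward described in the thread written with a request-scoped attribute instead of a ServletContext attribute, which addresses the concurrency and class-loading points raised above. It assumes the Servlet 3.1 `javax.servlet` API, a target application deployed at context path `/other`, and a container that permits cross-context access (Tomcat, for example, requires `crossContext="true"` on the calling Context for `getContext()` to return anything).

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed deployment: the receiving application lives at "/other" and the
// container allows this application to obtain its ServletContext.
public class CrossContextForwardServlet extends HttpServlet {

    private static final String OTHER_PATH = "/other";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        ServletContext scOther = getServletContext().getContext(OTHER_PATH);
        if (scOther == null) {
            // getContext() may return null when cross-context access is not
            // permitted; fail closed rather than dereferencing it.
            res.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                    "cross-context access to " + OTHER_PATH + " is not available");
            return;
        }

        // A request attribute travels with the forwarded request and is visible
        // only to this request, so concurrent requests cannot read or overwrite
        // each other's value as they could with a shared ServletContext attribute.
        // It also never appears in the URL or in any response. The value is a
        // JDK type (String) so the receiving application does not need a class
        // from this application's class loader to use it (the CNFE concern).
        req.setAttribute("x", "1");

        // getRequestDispatcher() may return null if the path cannot be resolved.
        RequestDispatcher rd = scOther.getRequestDispatcher("/");
        if (rd == null) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND,
                    "no dispatcher for / in " + OTHER_PATH);
            return;
        }
        rd.forward(req, res);
        // In the receiving servlet: String x = (String) req.getAttribute("x");
    }
}
```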