
Suppose you have the following filter chain:

Filter 1 ====> Filter 2 ====> Filter 3 ====> Our Custom Filter ====> Filter 4 ====> Filter 5

<====Filter 1<====Filter 2<==== Our Custom Filter <====Filter 3<====Filter 4 <==== Filter 5

We are injecting customized data structure ^

The problem is we don't see the injected data in the web browser when doing a "View Source".

So it is obvious to us that either filter 1 or 2 is removing the injected data. In reality there are a lot more filters (possibly 30 or more). We are trying to determine which filter is the culprit filter that removes our injected data.

Is there a way to write data to an HttpServletResponse that cannot be modified, and if a modification is attempted an exception is thrown in Java? This way it will reveal the culprit immediately.

Something like enabling zombies in Objective-C when you are trying to determine when code is trying to access an object that has already been released.

A few more details (in case you are interested):

The data structure we are injecting into the HttpServletResponse is a JSON data structure surrounded by "script" tags because we use jQuery to parse it for a bunch of user-interface related things.

Interestingly enough, if we try to inject a random string like "hello stackoverflow" we can see this string when doing a "view source" in the web browser. So our hunch is whatever filter is stripping out our structure is likely looking for malicious scripts and pulls our stuff out.

BalusC
user1068636

1 Answer


Sure; you could write a read-only response wrapper and continue the filter chain with it.

Trivial response wrapper example (It doesn't do what you want, it just shows how.)

I'm not convinced this is the easiest thing to do when you could just dump the response "in between" the existing filters without having to do any coding, just configuration.

Dave Newton
  • Hi Dave - how would you print "in between" existing filters? Where is this configuration? – user1068636 Jun 07 '12 at 17:45
  • @user1068636 Just insert a filter that examines it; should be doable. – Dave Newton Jun 07 '12 at 17:47
  • Hi Dave - Do you know of an example somewhere online that explains how this can be done? So far, the only thing I have tried is this: http://stackoverflow.com/questions/3242236/capture-and-log-the-response-body however, this only logs the response when it is the current filter in the chain, not "in between" existing filters like you said above. – user1068636 Jun 07 '12 at 20:36
  • @user1068636 *Insert* a filter between the filters you want to know the behavior of. – Dave Newton Jun 07 '12 at 20:38
  • Hi Dave - I inserted the PrintFilter in between each filter in "web.xml". Basically, every time I see two filter-mapping XML elements I would stick the PrintFilter in between. I can see my print statements being called. However, as soon as I log in I get the following error "IllegalStateException: getOutputStream() has already been called for this response" – user1068636 Jun 07 '12 at 23:28
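
A probe filter of the kind discussed in the comments above, as an added example (not code from the answer, its linked wrapper, or the asker's PrintFilter). It copies whatever downstream filters write instead of replacing the stream, and it opens the container's stream or writer only when downstream code asks for one, so the probe itself never makes the conflicting getOutputStream()/getWriter() call. Assumptions: the javax.servlet API at Servlet 3.0 level (Servlet 3.1+ also requires isReady() and setWriteListener() on the stream), HTTP requests only, and the hypothetical names MarkerProbeFilter, probeName and marker, where marker is a unique string placed inside the injected data.

```java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class MarkerProbeFilter implements Filter {
    private String name, marker;   // hypothetical init-params "probeName" and "marker"

    public void init(FilterConfig cfg) {
        name = cfg.getInitParameter("probeName");
        marker = cfg.getInitParameter("marker");
    }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Tee tee = new Tee((HttpServletResponse) res);   // assumes an HTTP response
        chain.doFilter(req, tee);                       // everything downstream writes through the tee
        boolean seen = tee.captured().contains(marker);
        System.err.println("[probe " + name + "] marker " + (seen ? "present" : "MISSING"));
    }

    /** Copies what passes through; touches only the stream or writer the caller asked for. */
    static class Tee extends HttpServletResponseWrapper {
        private final ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        private final StringWriter chars = new StringWriter();

        Tee(HttpServletResponse r) { super(r); }

        @Override public ServletOutputStream getOutputStream() throws IOException {
            final ServletOutputStream real = super.getOutputStream();   // opened on demand only
            return new ServletOutputStream() {
                @Override public void write(int b) throws IOException { bytes.write(b); real.write(b); }
                @Override public void flush() throws IOException { real.flush(); }
            };
        }
        @Override public PrintWriter getWriter() throws IOException {
            final PrintWriter real = super.getWriter();                 // opened on demand only
            return new PrintWriter(new Writer() {
                @Override public void write(char[] c, int off, int len) { chars.write(c, off, len); real.write(c, off, len); }
                @Override public void flush() { real.flush(); }
                @Override public void close() { real.close(); }
            });
        }
        String captured() throws IOException {
            String enc = getCharacterEncoding();
            return chars + bytes.toString(enc != null ? enc : "ISO-8859-1");
        }
    }
}
```

Map one instance, each with its own probeName, between each pair of existing filters in web.xml. The filter to inspect is the one sitting between the last probe that logs "present" and the first that logs "MISSING".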