Hi Jacques,

On 27 March 2018 at 08:16, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> What makes you think that Tomcat SSO depends on servlet4preview?
> Only your words "So when James introduced Tomcat SSO and optionally
> passed a javax.servlet.http.HttpServletRequest to the userLogin service
> it did not break. But when I removed HttpServletRequestWrapper from
> ContextFilter it popped up". In the analysis I did for
> https://issues.apache.org/jira/browse/OFBIZ-10304 I only found that
> using Tomcat 8.5 (hence servlet4preview) we no longer can pass a standard
> HttpServletRequest or HttpServletResponse with current code. Did you find
> something else?

No.

>> If we now say OFBiz requires Servlet 4.0 and move to Tomcat 9, could we
>> then use the standard HttpServletRequest?
>>
> Yes, that would remove the problem and is IMO the best solution.
>

I hadn't read through OFBIZ-9833 until this morning. My understanding is now:

- Tomcat SSO is a red herring. It can be implemented with HttpServletRequest. As you say, it doesn't need Servlet 4 or the servlet4preview package.
- HttpServletRequestWrapper implements HttpServletRequest anyway, so whether we use it or not shouldn't affect services that want HttpServletRequest.
- The crux of the problem is a one-generation type check in the OFBiz service input checking, which uses Class.getInterfaces(). If a class implements a derived interface, the service type checking doesn't detect that an object of that class is compatible with the base interface of the derived one.

One-generation type checking is not foolproof, but probably faster than using recursion to search for base interfaces. OFBiz has been happily running for years without a multi-generation type check.

I like Scott's idea: for the tiny fraction of services that accept HttpServletRequest, define the type as Object with a custom validation method.

We can probably revert to HttpServletRequest with Tomcat 9, but that is a bigger and more disruptive change.
Cheers

Paul Foxworthy

--
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Australia

Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: i...@coherentsoftware.com.au
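
The one-generation check described in the message above, shown next to a recursive search and the JVM's own `Class.isInstance`. This is an added example, not part of the original message and not OFBiz code; `BaseRequest`, `DerivedRequest`, `Facade` and the method names are hypothetical stand-ins for the servlet types discussed.

```java
import java.util.Arrays;

// Added illustration; every type and method name here is a hypothetical stand-in.
public class InterfaceCheckDemo {
    interface BaseRequest {}                          // role of the base interface a service declares
    interface DerivedRequest extends BaseRequest {}   // role of an interface derived from it
    static class Facade implements DerivedRequest {}  // role of the container-supplied request object

    // One-generation check: Class.getInterfaces() lists only the interfaces
    // named in the class's own "implements" clause, not their parents and
    // not interfaces inherited through a superclass.
    static boolean oneGenerationCheck(Object value, Class<?> wanted) {
        return Arrays.asList(value.getClass().getInterfaces()).contains(wanted);
    }

    // Multi-generation check: walk super-interfaces and superclasses recursively.
    static boolean recursiveCheck(Class<?> type, Class<?> wanted) {
        if (type == null) {
            return false;                             // ran past Object or past a root interface
        }
        if (type.equals(wanted)) {
            return true;
        }
        for (Class<?> iface : type.getInterfaces()) {
            if (recursiveCheck(iface, wanted)) {
                return true;
            }
        }
        return recursiveCheck(type.getSuperclass(), wanted);
    }

    public static void main(String[] args) {
        Object req = new Facade();
        // Direct interface: found by the one-generation check.
        System.out.println("direct, one generation:   " + oneGenerationCheck(req, DerivedRequest.class));
        // Base interface: missed by the one-generation check.
        System.out.println("base, one generation:     " + oneGenerationCheck(req, BaseRequest.class));
        // Base interface: found once the hierarchy is walked.
        System.out.println("base, recursive search:   " + recursiveCheck(req.getClass(), BaseRequest.class));
        // The JVM's own assignability test covers the whole hierarchy.
        System.out.println("base, Class.isInstance:   " + BaseRequest.class.isInstance(req));
    }
}
```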