Hi Paul,

Inline...

On 27/03/2018 at 03:42, Paul Foxworthy wrote:
I hadn't read through OFBIZ-9833 until this morning. My understanding is
now:

- Tomcat SSO is a red herring. It can be implemented with
HttpServletRequest. As you say, it doesn't need Servlet 4 or the
servlet4preview package.
Yes


- HttpServletRequestWrapper implements HttpServletRequest anyway, so
whether we use it or not shouldn't affect services that want
HttpServletRequest.
Yes

- The crux of the problem is a one-generation type check in the OFBiz
service input checking, which uses Class.getInterfaces(). If a class
implements a derived interface, the service type checking doesn't detect
that an object of that class is compatible with the base interface of the
derived one.
Yes

One-generation type checking is not foolproof, but probably faster than
using recursion to search for base interfaces. OFBiz has been happily
running for years without a multi-generation type check. I like Scott's
idea: for the tiny fraction of services that accept HttpServletRequest,
define the type as Object with a custom validation method. We can probably
revert to HttpServletRequest with Tomcat 9, but that is a bigger and more
disruptive change.
This could be a temporary workaround, but we eventually want to update to Tomcat 9 anyway because we don't know what other damage servlet4preview, which is a temporary, incomplete thing, can do.

Jacques


Cheers

Paul Foxworthy
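
The one-generation check discussed in this thread, as an added example that is not OFBiz code and not part of the original e-mail. BaseRequest, PreviewRequest and PreviewRequestImpl are constructed stand-ins for a base interface, an interface derived from it, and the runtime class; both check methods are hypothetical and are shown next to the JDK's own Class.isAssignableFrom().

```java
import java.util.Arrays;

public class InterfaceCheckDemo {
    // Constructed stand-ins (assumptions, not servlet or OFBiz types):
    // a base interface, an interface derived from it, and the runtime class.
    interface BaseRequest {}
    interface PreviewRequest extends BaseRequest {}
    static class PreviewRequestImpl implements PreviewRequest {}

    // One-generation check: Class.getInterfaces() returns only the interfaces
    // named in the class's own "implements" clause, not their parents.
    static boolean oneGenerationCheck(Class<?> actual, Class<?> expected) {
        return actual == expected
                || Arrays.asList(actual.getInterfaces()).contains(expected);
    }

    // Multi-generation check: walks super-interfaces and superclasses recursively.
    static boolean recursiveCheck(Class<?> actual, Class<?> expected) {
        if (actual == null) {
            return false; // ran past Object, or past an interface with no parent
        }
        if (actual == expected) {
            return true;
        }
        for (Class<?> iface : actual.getInterfaces()) {
            if (recursiveCheck(iface, expected)) {
                return true;
            }
        }
        return recursiveCheck(actual.getSuperclass(), expected);
    }

    public static void main(String[] args) {
        Class<?> actual = PreviewRequestImpl.class;
        System.out.println("direct interfaces: "
                + Arrays.toString(actual.getInterfaces()));
        System.out.println("one-generation vs PreviewRequest: "
                + oneGenerationCheck(actual, PreviewRequest.class));
        System.out.println("one-generation vs BaseRequest:    "
                + oneGenerationCheck(actual, BaseRequest.class));
        System.out.println("recursive vs BaseRequest:         "
                + recursiveCheck(actual, BaseRequest.class));
        // The JDK's built-in test covers every generation of the hierarchy.
        System.out.println("isAssignableFrom vs BaseRequest:  "
                + BaseRequest.class.isAssignableFrom(actual));
    }
}
```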

