[ https://issues.apache.org/jira/browse/OFBIZ-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16412569#comment-16412569 ]

Jacques Le Roux commented on OFBIZ-10304:
-----------------------------------------

Here is the right solution for this bug:

Tomcat servlet4preview was introduced with Tomcat 8.5.
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/servlet4preview/package-summary.html

Before James introduced Tomcat SSO, we had only one service passing a 
javax.servlet.http.HttpServletRequest to a service: payPalCheckoutUpdate.

AFAIK, we have actually always passed a 
org.apache.catalina.connector.RequestFacade to services when asking for 
javax.servlet.http.HttpServletRequest in services definition.
Since Tomcat 8.5 RequestFacade implements javax.servlet.http.HttpServletRequest 
indirectly through org.apache.catalina.servlet4preview.http.HttpServletRequest
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/connector/RequestFacade.html

Since we have no tests on the payPalCheckoutUpdate service, we did not spot that 
Tomcat servlet4preview was introduced with Tomcat 8.5.

The classes check is done by the deeper interfaceOf() method of the ObjectType 
class using Class.getInterfaces()
https://docs.oracle.com/javase/8/docs/api/java/lang/Class.html#getInterfaces--
Class.getInterfaces() does not recurse and stops at one level up. So in the case of 
RequestFacade it returns only servlet4preview.http.HttpServletRequest and not 
javax.servlet.http.HttpServletRequest.
So when interfaceOf() compares the Classes, it fails.

What happened with my introduction of the HttpServletRequestWrapper in 
ContextFilter is it hid the RequestFacade because HttpServletRequestWrapper 
implements javax.servlet.http.HttpServletRequest
https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html

So when James introduced Tomcat SSO and optionally passed a 
javax.servlet.http.HttpServletRequest to the userLogin service it did not break.
But when I removed HttpServletRequestWrapper from ContextFilter, it popped up.

Summary: it's unfortunate because we have no tests on the payPalCheckoutUpdate 
service.
Because I temporarily introduced HttpServletRequestWrapper James was able to 
pass a javax.servlet.http.HttpServletRequest, like in payPalCheckoutUpdate.
When I reverted (removed HttpServletRequestWrapper from ContextFilter) I 
discovered that we had a problem with Tomcat 8.5.

I propose this fix which uses 
org.apache.commons.lang3.ClassUtils.getAllInterfaces() and works
http://commons.apache.org/proper/commons-lang/javadocs/api-release/src-html/org/apache/commons/lang3/ClassUtils.html
{code}
Index: framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectType.java
===================================================================
--- framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectType.java    
(révision 1827594)
+++ framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectType.java    
(copie de travail)
@@ -263,7 +263,7 @@
      */
     public static boolean interfaceOf(Class<?> objectClass, Class<?> 
interfaceClass) {
         while (objectClass != null) {
-            Class<?>[] ifaces = objectClass.getInterfaces();
+            List<Class<?>> ifaces = 
org.apache.commons.lang3.ClassUtils.getAllInterfaces(objectClass);
 
             for (Class<?> iface: ifaces) {
                 if (iface == interfaceClass) {
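Review bot: the enclosing "while (objectClass != null)" loop looks redundant once ifaces comes from ClassUtils.getAllInterfaces(objectClass), because that call already collects the interfaces of the class, of its superclasses and of their superinterfaces. If the loop still steps to the superclass, every pass rebuilds an overlapping list; consider making the call once, before the loop, and scanning that single list. An import for ClassUtils would also read better than the fully qualified org.apache.commons.lang3.ClassUtils inside the statement.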
Index: framework/common/servicedef/services.xml
===================================================================
--- framework/common/servicedef/services.xml    (révision 1827594)
+++ framework/common/servicedef/services.xml    (copie de travail)
@@ -379,7 +379,7 @@
     <service name="userLogin" engine="java" 
location="org.apache.ofbiz.common.login.LoginServices" invoke="userLogin">
         <description>Used to Automatically Authenticate a username/password; 
create a UserLogin object</description>
         <implements service="authenticationInterface"/>
-        <attribute name="request" mode="IN" 
type="org.apache.catalina.connector.RequestFacade" optional="true"/>
+        <attribute name="request" mode="IN" 
type="javax.servlet.http.HttpServletRequest" optional="true"/>
     </service>
     <service name="createUserLogin" engine="java" auth="false"
         location="org.apache.ofbiz.common.login.LoginServices" 
invoke="createUserLogin">
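Review bot: declaring type="javax.servlet.http.HttpServletRequest" on the "request" attribute of userLogin only passes the type check if interfaceOf() resolves indirectly implemented interfaces, so this hunk depends on the ObjectType.java change in the same patch and the two should be committed together. A unit test for interfaceOf() with a class that reaches the declared interface only through a sub-interface would keep this from regressing unnoticed.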
{code}

> The "request" attribute type of the userLogin service is wrong
> --------------------------------------------------------------
>
>                 Key: OFBIZ-10304
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10304
>             Project: OFBiz
>          Issue Type: Bug
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01
>
>
> I committed 
> http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java?r1=1813679&r2=1813678&pathrev=1813679
>  which I guess forced (or allowed?) James Yong to use the 
> javax.servlet.http.HttpServletRequest as type of "request" attribute of the 
> userLogin service at 
> http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/common/servicedef/services.xml?r1=1819133&r2=1819132&pathrev=1819133
> Else it would (should?) have been
> <attribute name="request" mode="IN" 
> type="org.apache.catalina.connector.RequestFacade" optional="true"/>
> Now I need to revert/remove the wrapper in ContextFilter which is useless and 
> silly (my bad).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
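
The interface lookup behaviour described in the comment above, as an added example that is not part of the original message or of the OFBiz code base. The nested types are constructed stand-ins for the Tomcat and servlet API types named in the comment, and directOnly() and recursive() are hypothetical helpers, not the ObjectType methods.

```java
public class InterfaceLookupDemo {
    // Constructed stand-ins for the types named in the comment.
    interface StandardRequest {}                         // javax.servlet.http.HttpServletRequest
    interface PreviewRequest extends StandardRequest {}  // servlet4preview.http.HttpServletRequest
    static class Facade implements PreviewRequest {}     // RequestFacade
    static class Wrapper implements StandardRequest {}   // HttpServletRequestWrapper

    // Walks the superclass chain but only inspects directly declared
    // interfaces, which is all Class.getInterfaces() returns.
    static boolean directOnly(Class<?> type, Class<?> wanted) {
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            for (Class<?> iface : c.getInterfaces()) {
                if (iface == wanted) {
                    return true;
                }
            }
        }
        return false;
    }

    // Same walk, but also follows each interface to its superinterfaces.
    static boolean recursive(Class<?> type, Class<?> wanted) {
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            for (Class<?> iface : c.getInterfaces()) {
                if (iface == wanted || recursive(iface, wanted)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Class<?> wanted = StandardRequest.class;
        // Facade reaches StandardRequest only through PreviewRequest.
        System.out.println("direct, Facade:     " + directOnly(Facade.class, wanted));
        // Wrapper declares StandardRequest itself, so the direct check passes.
        System.out.println("direct, Wrapper:    " + directOnly(Wrapper.class, wanted));
        System.out.println("recursive, Facade:  " + recursive(Facade.class, wanted));
        // The JDK's own subtype test gives the same answer as the recursive walk.
        System.out.println("isAssignableFrom:   " + wanted.isAssignableFrom(Facade.class));
    }
}
```

The direct check fails only for Facade, which matches the comment's account of why the wrapper in ContextFilter hid the problem.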
