Hi Folks, I want to write a tomcat security Valve that does content checking of the HTTP body, before anything else happens (e.g. 3rd party destination servlets I have no control over are called).
However, to read the body data I 'use up' the inputStream, and can't find any way to put it back - the result is the final servlet gets an empty body. Unfortunately, the data is actually HTTP POST data containing SOAP/XML, otherwise I could use the servlet request parameter methods. Since it is SOAP/XML though, I really have to get the body data directly, as no parameters are set. I've tried mark() and reset() on both the input stream and the reader methods, but no luck (not implemented and no effect respectively). And, coyote doc not withstanding, 'setStream()' is actually a no-op - the source code shows it is an empty method - so I can't reset the stream that way. I'm getting a 'you can't get there from here feeling' at this stage; does anyone have any clues? I'm using tomcat 4.0.29 at the moment, but the code seems pretty similar in tomcat 5 as well so I don't think switching will help... thanks heaps in advance :-), - Chris Dr Christopher Betts Web Services Security Computer Associates
