On 05.09.2019 20:58, Christopher Schultz wrote:

Praveen,

On 9/5/19 05:07, praveen kumar wrote:
Hello, I am working with an application called geoserver which
works on Apache Tomcat server. Just for an idea for those who do not
know, geoserver is an application that serves web map services.
When I am calling this service I will be providing a few parameters
about the map like layer name, height, width and so on. Now my
requirement is to restrict the values passed to these parameters.
For example, for WIDTH it should only consider an integer; a
request having a string for WIDTH should not reach my application.
I am looking for some redirect rules but I could not succeed. It
would be great if someone can help or guide me on this.

LOL this service doesn't actually sanitize its input? Yikes.

The good news is that you can do this in a few ways.

You have 3 options that I can see:

1. Use a redirect filter
2. Use a reverse-proxy like Apache with some filtering configured
3. Write it yourself

In order to use a redirect filter, you will have to:

a. Choose a redirect filter (e.g. Tomcat's rewrite[1] or Tuckey's
urlrewrite[2])
b. Configure it with a file. The configuration depends upon which
filter you choose
c. Bundle that filter+config with the application

In order to use a reverse proxy, you'll need to:

a. Choose a reverse proxy (e.g. Apache httpd, nginx, Squid, etc.)
b. Configure it properly (which depends upon your choice in (a) above)

In order to write it yourself, you will have to:

a. Write a servlet filter in Java
b. Package that filter into the application
c. Install that filter into the filter-chain by modifying the
application's WEB-INF/web.xml file

Do you have a preference?

-chris

+1, but I would have to add that first of all, Praveen should have a clear idea of /what he thinks should happen/ if one of the request parameters does not meet expectations. Saying that "the request should not make it to the application" is one thing, but what do you want to happen instead?
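
A sketch of option 3 (a servlet filter), added here as an example and not written by either poster or taken from GeoServer or Tomcat. The class name, the parameter list, the 5-digit limit and the choice to answer with HTTP 400 are assumptions; the last one is one possible answer to the "what should happen instead" question.

```java
// Added example. Assumes the javax.servlet API (Tomcat 9 and earlier;
// on Tomcat 10+ the same classes live under jakarta.servlet).
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class NumericParamFilter implements Filter { // hypothetical class name
    // Parameters that must be plain positive integers (assumed list).
    private static final Set<String> NUMERIC =
            new HashSet<>(Arrays.asList("width", "height"));
    // 1 to 5 digits, no sign, no leading zero: caps values at 99999 (assumed limit).
    private static final Pattern POSITIVE_INT = Pattern.compile("[1-9][0-9]{0,4}");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
            // Match names case-insensitively so "Width" cannot bypass a check on "WIDTH".
            if (!NUMERIC.contains(e.getKey().toLowerCase(Locale.ROOT))) continue;
            // Check every occurrence so a repeated parameter cannot carry a bad value.
            for (String value : e.getValue()) {
                if (!POSITIVE_INT.matcher(value).matches()) {
                    ((HttpServletResponse) res).sendError(
                            HttpServletResponse.SC_BAD_REQUEST, "Invalid " + e.getKey());
                    return; // chain.doFilter is never called: the request stops here
                }
            }
        }
        chain.doFilter(req, res); // all checked parameters are well-formed
    }

    @Override
    public void destroy() { }
}
```

The filter only takes effect once it is declared and mapped to the relevant URL pattern in the application's WEB-INF/web.xml, as in step (c) of the list above.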


