
Read the request stream multiple times

We have a Tomcat ValveBase class implementation that is doing the authentication for our servlet container apps. One way to authenticate our http REST calls is to sign them and then check the signature on the server side. We do this check in the ValveBase class.

The problem is that after we consume the InputStream of the request (for validating the signature), we pass the request (org.apache.catalina.connector.Request) to the next valve implementation and by the time it hits the servlet, the inputStream is gone. No content to be delivered, since it was consumed at the signature verification procedure.

In the javax.servlet API, you can use an HttpServletRequestWrapper to implement your own ServletRequest and pass the real request as a constructor argument. In that case, we were able to avoid the situation where the content was read only once, but in the case of the Catalina Request, it seemed to be more delicate than we thought. Any ideas? Thanks.

There is a long-standing enhancement request open against Tomcat to support wrappers for use in Valves in a similar manner to Filters.

The bug includes a patch that is likely to need updating for Tomcat 7.0.x.

Given that you are already using a custom valve, adding the patch may not be too much of a leap. With that patch in place, you should be able to wrap the internal Request object and solve this problem in a similar manner to the Filter solution (which I assume involves saving a copy of the request body - watch out for DoS issues).

This is, of course, completely untested. As an incentive to try it, if it does work and you provide the updated patch (attach it to the Bugzilla report) I'll look at getting it included in Tomcat 8.0.x and 7.0.x (providing it doesn't require any changes to the existing API).
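
The Filter-style approach the answer refers to, sketched as an added example that is not part of the original posts or of Tomcat's code: the body is buffered once under a hard size cap (the DoS concern), checked against a signature, and then replayed to downstream readers. The class name `CachedBodyRequest`, the `hasValidSignature` helper, the `maxBytes` parameter, the HMAC-SHA256 scheme and the use of the Servlet 3.1 API are assumptions; as the answer notes, using a wrapper like this inside a Valve would additionally require the patch.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper (Servlet 3.1 API): buffers the body once, with a hard cap, and replays it.
public class CachedBodyRequest extends HttpServletRequestWrapper {
    private final byte[] body;

    public CachedBodyRequest(HttpServletRequest req, int maxBytes) throws IOException {
        super(req);
        // Reject early when the declared length already exceeds the cap.
        if (req.getContentLengthLong() > maxBytes) throw new IOException("body exceeds cap");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        InputStream in = req.getInputStream();
        byte[] chunk = new byte[8192];
        for (int n; (n = in.read(chunk)) != -1; ) {
            // Chunked bodies declare no length, so enforce the cap while reading too.
            if (buf.size() + n > maxBytes) throw new IOException("body exceeds cap");
            buf.write(chunk, 0, n);
        }
        body = buf.toByteArray();
    }

    // Assumed scheme: HMAC-SHA256 over the raw body bytes; the page does not name one.
    public boolean hasValidSignature(byte[] key, byte[] expectedMac) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return MessageDigest.isEqual(mac.doFinal(body), expectedMac); // constant-time compare
    }

    @Override public ServletInputStream getInputStream() {
        final ByteArrayInputStream replay = new ByteArrayInputStream(body); // fresh stream per call
        return new ServletInputStream() {
            @Override public int read() { return replay.read(); }
            @Override public int read(byte[] b, int off, int len) { return replay.read(b, off, len); }
            @Override public boolean isFinished() { return replay.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener l) { throw new UnsupportedOperationException(); }
        };
    }

    @Override public BufferedReader getReader() throws IOException {
        String enc = getCharacterEncoding() != null ? getCharacterEncoding() : "ISO-8859-1";
        return new BufferedReader(new InputStreamReader(getInputStream(), enc));
    }
}
```

The signature is computed over the exact bytes that downstream code will later read, so the verified content and the processed content cannot diverge.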
