33 Replies Latest reply on Jan 29, 2014 9:04 AM by pirabug

    More lenient HTTP parameter processing

    hd0815

      Hello,

       

      I have the following problem:

      I'm sending an invalid request to a Servlet and while processing the request parameters the AS aborts with the following exception:

      java.lang.IllegalStateException: Parameters processing failed.
          at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:407) [jbossweb-7.0.13.Final.jar:]
          at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:229) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.Request.parseParameters(Request.java:2874) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.Request.getParameterNames(Request.java:1333) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.RequestFacade.getParameterNames(RequestFacade.java:379) [jbossweb-7.0.13.Final.jar:]
          at foo.bar.MyServlet.doPost(MyServlet.java:80) [classes:]
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) [weld-core-1.1.5.AS71.Final.jar:2012-02-10 15:31]
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
          at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_27]

       

      My request looks like this:

      http://mysite.com/myApp?paramA=A&paramB=B&=&=&paramC=C

       

      This only happens when using JBoss 7.1.1.Final with Internet Explorer (only checked with v9.0 of IE).

       

      I'm not quite sure why a wrong request is sent, but I found out that sending the same request to a JBoss 7.0.2.Final doesn't cause this exception.

       

      I started a discussion at the JBoss AS 7 board (https://community.jboss.org/message/747210).

       

      In this discussion a workaround is mentioned. Vaibhav N also mentioned that he faces this problem in JBoss-EAP-6.0.0.

       

      jaikiran pai told me to try asking for a configuration or parameter which allows a more lenient way of processing the HTTP parameters. A request as mentioned above shouldn't force an HTTP 500 (if the exception isn't caught) since a parameter like '&=' is not considered to be harmful. It should be possible to just ignore such parameters rather than throwing an exception.

       

      As I already said in the other discussion:

      I know that this request is wrong and I know that the application acts right, but I think in this special case error handling is possible, as it should be possible (maybe via configuration) to ignore such parameters.

        • 1. Re: More lenient HTTP parameter processing
          vaibhavnaik

          Yes. I am also facing the same issue.

           

          My application throws an exception for IE browser only with "JBoss-as-7.1.1.Final" & "JBoss-eap-6.0.0(Evaluation version)", but it is working correctly for Firefox browser.
          It works fine with "jboss-as-7.1.0.Final" in IE too. Is this a regression in "JBoss-as-7.1.1"? As jaikiran pai said, it's not a JBoss bug, but I have created a bug just to track this issue (AS7-5143).

          https://issues.jboss.org/browse/AS7-5143

           

          thanks.

          • 2. Re: More lenient HTTP parameter processing
            jfclere

            The parser has been changed to fix AS7-3898. According to http://tools.ietf.org/html/rfc3986#section-3.4 the query string looks legal even if it doesn't make sense.

            • 3. Re: More lenient HTTP parameter processing
              hd0815

              The link doesn't work (at least for me), one should better take this one: http://datatracker.ietf.org/doc/rfc3986/?include_text=1 and navigate to 3.4

               

              Does this mean that there is a chance to get this fixed?

               

              As already mentioned this query is generated by IE. The same page with the same form and the same data in another browser sends a different query...

              • 4. Re: More lenient HTTP parameter processing
                jfclere

                That looks fixable; please open a JIRA for it.

                • 5. Re: More lenient HTTP parameter processing
                  hd0815

                  Isn't https://issues.jboss.org/browse/AS7-5143 enough or is it because it's in the wrong JIRA project?

                  I'm willing to file this but only if there is a need to create a new JIRA.

                  • 6. Re: More lenient HTTP parameter processing
                    jfclere

                    Then reopen AS7-5143, as it can be considered a regression.

                    • 7. Re: More lenient HTTP parameter processing
                      jaikiran

                      hd0815 wrote:

                       

                      Isn't https://issues.jboss.org/browse/AS7-5143 enough or is it because it's in the wrong JIRA project?

                      I'm willing to file this but only if there is a need to create a new JIRA.

                      I've updated that JIRA to set the correct component and also add the forum discussion reference

                      • 8. Re: More lenient HTTP parameter processing
                        jfclere

                        Oops I would like to reopen AS7-3898 in fact or at least link it.

                        • 9. Re: More lenient HTTP parameter processing
                          davekago21

                          Not really a jboss issue but an app issue. Had the same problem and was happening only on IE9 (don't know about older IE version but I would presume same result). So question is, should jboss have a configuration to make the parameter processing more lenient or should IE intercept the parameters and strip out invalid parameters before transmitting the request. That is up for discussion.

                           

                          Here is what our cause was:

                           

                          The form in question had jquery validator attached to it. The jquery validator has a submitHandler that swallowed the form submit action and in turn issued a form.submit() command after successful validation. The problem was that our submit input element had no name attached to it, so jquery - or IE for that matter was adding an invalid &={value_of_submit} to the form parameters and then firing the submit command.

                           

                          We went ahead and added a name attribute to the submit button ("hint: refrain from using name="submit" because this will cause the validation to pass but form will not be submitted because form.submit() will inadvertently find the element by name submit and try to perform an invalid action") and this solved the problem. If you do not have jquery validator, check for any client side JavaScript attached to the form or any action attached to the submit command, or better yet, just add the name parameter to all your input elements and you should be fine.

                           

                          If you have legacy code and do not have resources to go through the code and make this simple change, then you can apply a patch and change how jboss handles the parameters but that is not a solution - it is just a workaround.

                           

                          Thanks

                          David

                          • 10. Re: More lenient HTTP parameter processing
                            hd0815

                            We also found out that this caused the problems. We changed the name attribute of some fields via JavaScript and IE created those wrong request queries afterwards. Giving those elements some dummy names (instead of leaving them empty) made it possible for us to send the request without getting this exception.

                            • 11. Re: More lenient HTTP parameter processing
                              albertsese

                              David Kago wrote:

                               

                              Not really a jboss issue but an app issue. Had the same problem and was happening only on IE9 (don't know about older IE version but I would presume same result). So question is, should jboss have a configuration to make the parameter processing more lenient or should IE intercept the parameters and strip out invalid parameters before transmitting the request. That is up for discussion.

                               

                              Here is what our cause was:

                               

                              The form in question had jquery validator attached to it. The jquery validator has a submitHandler that swallowed the form submit action and in turn issued a form.submit() command after successful validation. The problem was that our submit input element had no name attached to it, so jquery - or IE for that matter was adding an invalid &={value_of_submit} to the form parameters and then firing the submit command.

                               

                              We went ahead and added a name attribute to the submit button ("hint: refrain from using name="submit" because this will cause the validation to pass but form will not be submitted because form.submit() will inadvertently find the element by name submit and try to perform an invalid action") and this solved the problem. If you do not have jquery validator, check for any client side JavaScript attached to the form or any action attached to the submit command, or better yet, just add the name parameter to all your input elements and you should be fine.

                               

                              If you have legacy code and do not have resources to go through the code and make this simple change, then you can apply a patch and change how jboss handles the parameters but that is not a solution - it is just a workaround.

                               

                              Thanks

                              David

                              I tried this out (adding name to submit button), but it didn't work. Can anyone tell me how to do that "patch jboss-web.jar" thing?

                              • 12. Re: More lenient HTTP parameter processing
                                hd0815

                                Did you also try out what I wrote? Setting the name attribute of a JavaScript field to '' caused the same problem. The following code will cause this too:

                                 

                                document.forms[0].myField.name = '';

                                 

                                To patch the jboss-web.jar, do the following:

                                1. Check out jbossweb from anonsvn: http://anonsvn.jboss.org/repos/jbossweb/trunk
                                2. Navigate to src/main/java/org/apache/tomcat/util/http
                                3. Modify Parameters.java
                                4. Compile the project (with Maven or Ant)
                                5. Overwrite the .class-File in the jboss-web.jar of your JBoss (under $JBOSS_HOME/modules/org/jboss/as/web/main)
                                6. Restart your JBoss
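
An added example, not part of the thread and not JBoss Web code: it shows what the lenient handling requested in the first post amounts to for that post's query string, skipping pairs with an empty name (and reporting them) instead of failing the whole request. The names `auditQuery` and `decodeFormComponent` are hypothetical.

```javascript
// Added example: lenient handling of form-encoded pairs with an empty name.
// auditQuery/decodeFormComponent are hypothetical helpers, not JBoss Web or jQuery APIs.
function decodeFormComponent(s) {
  // application/x-www-form-urlencoded uses '+' for a space
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

function auditQuery(raw) {
  const kept = [];     // [name, value] pairs with a usable name
  const dropped = [];  // { segment, reason } for everything skipped
  for (const segment of raw.replace(/^\?/, '').split('&')) {
    if (segment === '') {            // "a=1&&b=2" leaves an empty segment
      dropped.push({ segment, reason: 'empty segment' });
      continue;
    }
    const eq = segment.indexOf('=');
    const rawName = eq === -1 ? segment : segment.slice(0, eq);
    const rawValue = eq === -1 ? '' : segment.slice(eq + 1);
    if (rawName === '') {            // "=" or "=value": the case in this thread
      dropped.push({ segment, reason: 'empty name' });
      continue;
    }
    try {
      kept.push([decodeFormComponent(rawName), decodeFormComponent(rawValue)]);
    } catch (e) {                    // URIError on input such as "%zz"
      dropped.push({ segment, reason: 'bad percent-encoding' });
    }
  }
  // Re-encode only the pairs that survived, for logging or re-submission.
  const cleaned = kept
    .map(([n, v]) => encodeURIComponent(n) + '=' + encodeURIComponent(v))
    .join('&');
  return { kept, dropped, cleaned };
}

// Query string from the first post in this thread.
const sample = 'paramA=A&paramB=B&=&=&paramC=C';
const result = auditQuery(sample);
console.log(result.cleaned);
console.log(result.dropped);
```

The `dropped` list is worth logging: a steady stream of empty-name pairs from one page points at an unnamed or renamed form control, as described in replies 9 and 10.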
                                • 13. Re: More lenient HTTP parameter processing
                                  albertsese

                                  I would've, but my form has a lot of fields... I guess I can just get all and iterate... But I'll try your steps first. Thank you very much!

                                  • 14. Re: More lenient HTTP parameter processing
                                    albertsese

                                    I got a few errors, mostly missing jar files since they're all referenced from somewhere (\home\remm...)

                                     

                                    I'm already downloading Java 7 since this is the requirement...
