Skip to content

Avoid ClassCastException for CoyoteInputStream in TomcatHttpHandlerAdapter #24707

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sada-sigsci wants to merge 1 commit into from
Closed

Avoid ClassCastException for CoyoteInputStream in TomcatHttpHandlerAdapter #24707

sada-sigsci wants to merge 1 commit into from

Conversation

@sada-sigsci
Copy link
Contributor

@sada-sigsci sada-sigsci commented Mar 17, 2020
edited by sbrannen
Loading

Servlet filter added in Spring Boot's org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer may override HttpServletRequestWrapper.getInputStream() and return an object derived from ServletInputStream that is not assignment compatible with Tomcat's CoyoteInputStream.
check instance of CoyoteInputStream
19a3df3 
Servlet filter added in TomcatContextCustomizer may override HttpServletRequestWrapper.getInputStream() and return an object derived from ServletInputStream.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Mar 17, 2020
@sbrannen sbrannen changed the title check instance of CoyoteInputStream Avoid ClassCastException for CoyoteInputStream in TomcatHttpHandlerAdapter Mar 17, 2020
@sbrannen sbrannen added in: web Issues in web modules (web, webmvc, webflux, websocket) status: waiting-for-feedback We need additional information before we can continue labels Mar 17, 2020
@sbrannen
Copy link
Member

sbrannen commented Mar 17, 2020

@sada-sigsci, do you have a concrete use case where you encountered a ClassCastException in conjunction with the TomcatHttpHandlerAdapter?
@sbrannen sbrannen added this to the 5.2.5 milestone Mar 17, 2020
@sbrannen
Copy link
Member

sbrannen commented Mar 17, 2020

Tentatively slated for 5.2.5 since this seems like a potential bug.
@sada-sigsci
Copy link
Contributor Author

sada-sigsci commented Mar 17, 2020

Thank you for reviewing the PR.
Yes, web application security servlet filter middleware we work on reads the POST body and inspects for any anomalies before the HTTP servlet can read the POST body. Unbuffered POST body can be read (ServletInputStream.markSupported() may return false) only once in the filter. So the servlet filter has to extend the ServletInputStream class and wrap the body already read in the filter.
@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Mar 17, 2020
@rstoyanchev rstoyanchev self-assigned this Mar 17, 2020
@rstoyanchev
Copy link
Contributor

rstoyanchev commented Mar 17, 2020

TomcatHttpHandlerAdapter is for use in WebFlux where direct use of the Servlet is not supported. It is expected to use WebFilter instead. For example Spring Security provides a WebFlux integration based on that.

As an aside, when Servlet 3.1 non-blocking I/O is used, as in WebFlux, quite a few other parts of the Servlet API should not be used, or would interfere if used.
@rstoyanchev rstoyanchev added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Mar 17, 2020
@rstoyanchev rstoyanchev removed this from the 5.2.5 milestone Mar 17, 2020
@sada-sigsci
Copy link
Contributor Author

sada-sigsci commented Mar 17, 2020

Example application is standard Reactive SpringBootApplication using embedded Tomcat instead of default Netty and customized using component WebServerFactoryCustomizer<TomcatReactiveWebServerFactory>.

Application was throwing ClassCastException when @RestController method tried to read @RequestBody.

TomcatHttpHandlerAdapter wrapped httpHandlerServlet and added to TomcatReactiveWebserver in spring-boot(TomcatReactiveWebServerFactory.java). This fix is required so the servlet httpHandlerServlet is able to read the POST body on behalf of application @RequestBody

Our middleware class derived from ServletInputStream overrides non-blocking i/o methods and ReadListener of servlets 3.1
@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Mar 17, 2020
@rstoyanchev
Copy link
Contributor

rstoyanchev commented Mar 19, 2020

So you are wrapping ServletInputStream and don't want it (e.g. unwrapped and) read more efficiently via CoyoteInputStream writing directly to a ByteBuffer (vs via byte[] first)?
@rstoyanchev rstoyanchev added type: enhancement A general enhancement and removed status: feedback-provided Feedback has been provided status: waiting-for-triage An issue we've not yet triaged or decided on labels Mar 19, 2020
@rstoyanchev rstoyanchev added this to the 5.2.5 milestone Mar 19, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement

4 participants

@sada-sigsci @sbrannen @rstoyanchev @spring-projects-issues