jakarta.servlet.http.HttpServlet Maven / Gradle / Ivy
Show all versions of tomcat-embed-programmatic
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package jakarta.servlet.http;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.io.Writer;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.ResourceBundle;
import jakarta.servlet.AsyncEvent;
import jakarta.servlet.AsyncListener;
import jakarta.servlet.DispatcherType;
import jakarta.servlet.GenericServlet;
import jakarta.servlet.ServletConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletOutputStream;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.WriteListener;
/**
* Provides an abstract class to be subclassed to create an HTTP servlet suitable for a Web site. A subclass of
* HttpServlet
must override at least one method, usually one of these:
*
* doGet
, if the servlet supports HTTP GET requests
* doPost
, for HTTP POST requests
* doPut
, for HTTP PUT requests
* doDelete
, for HTTP DELETE requests
* init
and destroy
, to manage resources that are held for the life of the servlet
* getServletInfo
, which the servlet uses to provide information about itself
*
*
* There's almost no reason to override the service
method. service
handles standard HTTP
* requests by dispatching them to the handler methods for each HTTP request type (the do
Method
* methods listed above).
*
* Likewise, there's almost no reason to override the doOptions
and doTrace
methods.
*
* Servlets typically run on multithreaded servers, so be aware that a servlet must handle concurrent requests and be
* careful to synchronize access to shared resources. Shared resources include in-memory data such as instance or class
* variables and external objects such as files, database connections, and network connections. See the
* Java Tutorial on Multithreaded
* Programming for more information on handling multiple threads in a Java program.
*/
public abstract class HttpServlet extends GenericServlet {
private static final long serialVersionUID = 1L;
private static final String METHOD_DELETE = "DELETE";
private static final String METHOD_HEAD = "HEAD";
private static final String METHOD_GET = "GET";
private static final String METHOD_OPTIONS = "OPTIONS";
private static final String METHOD_PATCH = "PATCH";
private static final String METHOD_POST = "POST";
private static final String METHOD_PUT = "PUT";
private static final String METHOD_TRACE = "TRACE";
private static final String HEADER_IFMODSINCE = "If-Modified-Since";
private static final String HEADER_LASTMOD = "Last-Modified";
private static final String LSTRING_FILE = "jakarta.servlet.http.LocalStrings";
private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE);
private static final List SENSITIVE_HTTP_HEADERS =
Arrays.asList("authorization", "cookie", "x-forwarded", "forwarded", "proxy-authorization");
/**
* @deprecated May be removed in a future release
*
* @since Servlet 6.0
*/
@Deprecated(forRemoval = true, since = "Servlet 6.0")
public static final String LEGACY_DO_HEAD = "jakarta.servlet.http.legacyDoHead";
private final transient Object cachedAllowHeaderValueLock = new Object();
/**
* Cached value of the HTTP {@code Allow} header for this servlet.
*/
private volatile String cachedAllowHeaderValue = null;
/**
* Cached value read from {@link HttpServlet#LEGACY_DO_HEAD} system property.
*/
private volatile boolean cachedUseLegacyDoHead;
/**
* Does nothing, because this is an abstract class.
*/
public HttpServlet() {
// NOOP
}
@Override
public void init(ServletConfig config) throws ServletException {
super.init(config);
cachedUseLegacyDoHead = Boolean.parseBoolean(config.getInitParameter(LEGACY_DO_HEAD));
}
/**
* Called by the server (via the service
method) to allow a servlet to handle a GET request.
*
* Overriding this method to support a GET request also automatically supports an HTTP HEAD request. A HEAD request
* is a GET request that returns no body in the response, only the request header fields.
*
* When overriding this method, read the request data, write the response headers, get the response's Writer or
* output stream object, and finally, write the response data. It's best to include content type and encoding. When
* using a PrintWriter
object to return the response, set the content type before accessing the
* PrintWriter
object.
*
* The servlet container must write the headers before committing the response, because in HTTP the headers must be
* sent before the response body.
*
* Where possible, set the Content-Length header (with the {@link jakarta.servlet.ServletResponse#setContentLength}
* method), to allow the servlet container to use a persistent connection to return its response to the client,
* improving performance. The content length is automatically set if the entire response fits inside the response
* buffer.
*
* When using HTTP 1.1 chunked encoding (which means that the response has a Transfer-Encoding header), do not set
* the Content-Length header.
*
* The GET method should be safe, that is, without any side effects for which users are held responsible. For
* example, most form queries have no side effects. If a client request is intended to change stored data, the
* request should use some other HTTP method.
*
* The GET method should also be idempotent, meaning that it can be safely repeated. Sometimes making a method safe
* also makes it idempotent. For example, repeating queries is both safe and idempotent, but buying a product online
* or modifying data is neither safe nor idempotent.
*
* If the request is incorrectly formatted, doGet
returns an HTTP "Bad Request" message.
*
* @param req an {@link HttpServletRequest} object that contains the request the client has made of the servlet
* @param resp an {@link HttpServletResponse} object that contains the response the servlet sends to the client
*
* @exception IOException if an input or output error is detected when the servlet handles the GET request
* @exception ServletException if the request for the GET could not be handled
*
* @see jakarta.servlet.ServletResponse#setContentType
*/
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String msg = lStrings.getString("http.method_get_not_supported");
sendMethodNotAllowed(req, resp, msg);
}
/**
* Returns the time the HttpServletRequest
object was last modified, in milliseconds since midnight
* January 1, 1970 GMT. If the time is unknown, this method returns a negative number (the default).
*
* Servlets that support HTTP GET requests and can quickly determine their last modification time should override
* this method. This makes browser and proxy caches work more effectively, reducing the load on server and network
* resources.
*
* @param req the HttpServletRequest
object that is sent to the servlet
*
* @return a long
integer specifying the time the HttpServletRequest
object was last
* modified, in milliseconds since midnight, January 1, 1970 GMT, or -1 if the time is not known
*/
protected long getLastModified(HttpServletRequest req) {
return -1;
}
/**
*
* Receives an HTTP HEAD request from the protected service
method and handles the request. The client
* sends a HEAD request when it wants to see only the headers of a response, such as Content-Type or Content-Length.
* The HTTP HEAD method counts the output bytes in the response to set the Content-Length header accurately.
*
* If you override this method, you can avoid computing the response body and just set the response headers directly
* to improve performance. Make sure that the doHead
method you write is both safe and idempotent (that
* is, protects itself from being called multiple times for one HTTP HEAD request).
*
* If the HTTP HEAD request is incorrectly formatted, doHead
returns an HTTP "Bad Request" message.
*
* @param req the request object that is passed to the servlet
* @param resp the response object that the servlet uses to return the headers to the client
*
* @exception IOException if an input or output error occurs
* @exception ServletException if the request for the HEAD could not be handled
*/
protected void doHead(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
if (DispatcherType.INCLUDE.equals(req.getDispatcherType()) || !cachedUseLegacyDoHead) {
doGet(req, resp);
} else {
NoBodyResponse response = new NoBodyResponse(resp);
doGet(req, response);
if (req.isAsyncStarted()) {
req.getAsyncContext().addListener(new NoBodyAsyncContextListener(response));
} else {
response.setContentLength();
}
}
}
/**
* Called by the server (via the service
method) to allow a servlet to handle a PATCH request. The HTTP
* PATCH method allows the client to partially modify an existing resource.
*
* When overriding this method, read the request data and write the response headers, get the response's Writer or
* output stream object, and finally, write the response data. It's best to include content type and encoding. When
* using a PrintWriter
object to return the response, set the content type before accessing the
* PrintWriter
object.
*
* The servlet container must write the headers before committing the response, because in HTTP the headers must be
* sent before the response body.
*
* Where possible, set the Content-Length header (with the {@link jakarta.servlet.ServletResponse#setContentLength}
* method), to allow the servlet container to use a persistent connection to return its response to the client,
* improving performance. The content length is automatically set if the entire response fits inside the response
* buffer.
*
* When using HTTP 1.1 chunked encoding (which means that the response has a Transfer-Encoding header), do not set
* the Content-Length header.
*
* This method is neither safe nor idempotent. Operations requested through PATCH have side effects for which the
* user can be held accountable.
*
* If the HTTP PATCH request is incorrectly formatted, doPost
returns an HTTP "Bad Request" message.
*
* @param req an {@link HttpServletRequest} object that contains the request the client has made of the servlet
* @param resp an {@link HttpServletResponse} object that contains the response the servlet sends to the client
*
* @exception IOException if an input or output error is detected when the servlet handles the request
* @exception ServletException if the request for the POST could not be handled
*
* @see jakarta.servlet.ServletOutputStream
* @see jakarta.servlet.ServletResponse#setContentType
*
* @since Servlet 6.1
*/
protected void doPatch(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String msg = lStrings.getString("http.method_patch_not_supported");
sendMethodNotAllowed(req, resp, msg);
}
/**
* Called by the server (via the service
method) to allow a servlet to handle a POST request. The HTTP
* POST method allows the client to send data of unlimited length to the Web server a single time and is useful when
* posting information such as credit card numbers.
*
* When overriding this method, read the request data, write the response headers, get the response's Writer or
* output stream object, and finally, write the response data. It's best to include content type and encoding. When
* using a PrintWriter
object to return the response, set the content type before accessing the
* PrintWriter
object.
*
* The servlet container must write the headers before committing the response, because in HTTP the headers must be
* sent before the response body.
*
* Where possible, set the Content-Length header (with the {@link jakarta.servlet.ServletResponse#setContentLength}
* method), to allow the servlet container to use a persistent connection to return its response to the client,
* improving performance. The content length is automatically set if the entire response fits inside the response
* buffer.
*
* When using HTTP 1.1 chunked encoding (which means that the response has a Transfer-Encoding header), do not set
* the Content-Length header.
*
* This method does not need to be either safe or idempotent. Operations requested through POST can have side
* effects for which the user can be held accountable, for example, updating stored data or buying items online.
*
* If the HTTP POST request is incorrectly formatted, doPost
returns an HTTP "Bad Request" message.
*
* @param req an {@link HttpServletRequest} object that contains the request the client has made of the servlet
* @param resp an {@link HttpServletResponse} object that contains the response the servlet sends to the client
*
* @exception IOException if an input or output error is detected when the servlet handles the request
* @exception ServletException if the request for the POST could not be handled
*
* @see jakarta.servlet.ServletOutputStream
* @see jakarta.servlet.ServletResponse#setContentType
*/
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String msg = lStrings.getString("http.method_post_not_supported");
sendMethodNotAllowed(req, resp, msg);
}
/**
* Called by the server (via the service
method) to allow a servlet to handle a PUT request. The PUT
* operation allows a client to place a file on the server and is similar to sending a file by FTP.
*
* When overriding this method, leave intact any content headers sent with the request (including Content-Length,
* Content-Type, Content-Transfer-Encoding, Content-Encoding, Content-Base, Content-Language, Content-Location,
* Content-MD5, and Content-Range). If your method cannot handle a content header, it must issue an error message
* (HTTP 501 - Not Implemented) and discard the request. For more information on HTTP 1.1, see RFC 2616
* .
*
* This method does not need to be either safe or idempotent. Operations that doPut
performs can have
* side effects for which the user can be held accountable. When using this method, it may be useful to save a copy
* of the affected URL in temporary storage.
*
* If the HTTP PUT request is incorrectly formatted, doPut
returns an HTTP "Bad Request" message.
*
* @param req the {@link HttpServletRequest} object that contains the request the client made of the servlet
* @param resp the {@link HttpServletResponse} object that contains the response the servlet returns to the client
*
* @exception IOException if an input or output error occurs while the servlet is handling the PUT request
* @exception ServletException if the request for the PUT cannot be handled
*/
protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String msg = lStrings.getString("http.method_put_not_supported");
sendMethodNotAllowed(req, resp, msg);
}
/**
* Called by the server (via the service
method) to allow a servlet to handle a DELETE request. The
* DELETE operation allows a client to remove a document or Web page from the server.
*
* This method does not need to be either safe or idempotent. Operations requested through DELETE can have side
* effects for which users can be held accountable. When using this method, it may be useful to save a copy of the
* affected URL in temporary storage.
*
* If the HTTP DELETE request is incorrectly formatted, doDelete
returns an HTTP "Bad Request" message.
*
* @param req the {@link HttpServletRequest} object that contains the request the client made of the servlet
* @param resp the {@link HttpServletResponse} object that contains the response the servlet returns to the client
*
* @exception IOException if an input or output error occurs while the servlet is handling the DELETE request
* @exception ServletException if the request for the DELETE cannot be handled
*/
protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String msg = lStrings.getString("http.method_delete_not_supported");
sendMethodNotAllowed(req, resp, msg);
}
private void sendMethodNotAllowed(HttpServletRequest req, HttpServletResponse resp, String msg) throws IOException {
String protocol = req.getProtocol();
// Note: Tomcat reports "" for HTTP/0.9 although some implementations
// may report HTTP/0.9
if (protocol.length() == 0 || protocol.endsWith("0.9") || protocol.endsWith("1.0")) {
resp.sendError(HttpServletResponse.SC_BAD_REQUEST, msg);
} else {
resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, msg);
}
}
private String getCachedAllowHeaderValue() {
if (cachedAllowHeaderValue == null) {
synchronized (cachedAllowHeaderValueLock) {
if (cachedAllowHeaderValue == null) {
Method[] methods = getAllDeclaredMethods(this.getClass());
// RFC 7230 does not define an order for this header
// This code aims to retain, broadly, the order of method
// tokens returned in earlier versions of this code. If that
// constraint is dropped then the code can be simplified
// further.
boolean allowGet = false;
boolean allowHead = false;
boolean allowPatch = false;
boolean allowPost = false;
boolean allowPut = false;
boolean allowDelete = false;
for (Method method : methods) {
switch (method.getName()) {
case "doGet": {
allowGet = true;
allowHead = true;
break;
}
case "doPatch": {
allowPatch = true;
break;
}
case "doPost": {
allowPost = true;
break;
}
case "doPut": {
allowPut = true;
break;
}
case "doDelete": {
allowDelete = true;
break;
}
default:
// NO-OP
}
}
StringBuilder allow = new StringBuilder();
if (allowGet) {
allow.append(METHOD_GET);
allow.append(", ");
}
if (allowHead) {
allow.append(METHOD_HEAD);
allow.append(", ");
}
if (allowPatch) {
allow.append(METHOD_PATCH);
allow.append(", ");
}
if (allowPost) {
allow.append(METHOD_POST);
allow.append(", ");
}
if (allowPut) {
allow.append(METHOD_PUT);
allow.append(", ");
}
if (allowDelete) {
allow.append(METHOD_DELETE);
allow.append(", ");
}
// Options is always allowed
allow.append(METHOD_OPTIONS);
cachedAllowHeaderValue = allow.toString();
}
}
}
return cachedAllowHeaderValue;
}
private static Method[] getAllDeclaredMethods(Class> c) {
if (c.equals(HttpServlet.class)) {
return null;
}
Method[] parentMethods = getAllDeclaredMethods(c.getSuperclass());
Method[] thisMethods = c.getDeclaredMethods();
if ((parentMethods != null) && (parentMethods.length > 0)) {
Method[] allMethods = new Method[parentMethods.length + thisMethods.length];
System.arraycopy(parentMethods, 0, allMethods, 0, parentMethods.length);
System.arraycopy(thisMethods, 0, allMethods, parentMethods.length, thisMethods.length);
thisMethods = allMethods;
}
return thisMethods;
}
/**
* Called by the server (via the service
method) to allow a servlet to handle an OPTIONS request. The
* OPTIONS request determines which HTTP methods the server supports and returns an appropriate header. For example,
* if a servlet overrides doGet
, this method returns the following header:
*
* Allow: GET, HEAD, TRACE, OPTIONS
*
* There's no need to override this method unless the servlet implements new HTTP methods, beyond those implemented
* by HTTP 1.1.
*
* @param req the {@link HttpServletRequest} object that contains the request the client made of the servlet
* @param resp the {@link HttpServletResponse} object that contains the response the servlet returns to the client
*
* @exception IOException if an input or output error occurs while the servlet is handling the OPTIONS request
* @exception ServletException if the request for the OPTIONS cannot be handled
*/
protected void doOptions(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String allow = getCachedAllowHeaderValue();
// Tomcat specific hack to see if TRACE is allowed
if (TomcatHack.getAllowTrace(req)) {
if (allow.length() == 0) {
allow = METHOD_TRACE;
} else {
allow = allow + ", " + METHOD_TRACE;
}
}
resp.setHeader("Allow", allow);
}
/**
* Called by the server (via the service
method) to allow a servlet to handle a TRACE request. A TRACE
* returns the headers sent with the TRACE request to the client, so that they can be used in debugging. There's no
* need to override this method.
*
* @param req the {@link HttpServletRequest} object that contains the request the client made of the servlet
* @param resp the {@link HttpServletResponse} object that contains the response the servlet returns to the client
*
* @exception IOException if an input or output error occurs while the servlet is handling the TRACE request
* @exception ServletException if the request for the TRACE cannot be handled
*/
protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
int responseLength;
String CRLF = "\r\n";
StringBuilder buffer =
new StringBuilder("TRACE ").append(req.getRequestURI()).append(' ').append(req.getProtocol());
Enumeration reqHeaderNames = req.getHeaderNames();
while (reqHeaderNames.hasMoreElements()) {
String headerName = reqHeaderNames.nextElement();
// RFC 7231, 4.3.8 - skip 'sensitive' headers
if (!isSensitiveHeader(headerName)) {
Enumeration headerValues = req.getHeaders(headerName);
while (headerValues.hasMoreElements()) {
String headerValue = headerValues.nextElement();
buffer.append(CRLF).append(headerName).append(": ").append(headerValue);
}
}
}
buffer.append(CRLF);
responseLength = buffer.length();
resp.setContentType("message/http");
resp.setContentLength(responseLength);
ServletOutputStream out = resp.getOutputStream();
out.print(buffer.toString());
out.close();
}
/**
* Is the provided HTTP request header considered sensitive and therefore should be excluded from the response to a
* {@code TRACE} request?
*
* By default, the headers that start with any of the following are considered sensitive:
*
* - authorization
* - cookie
* - x-forwarded
* - forwarded
* - proxy-authorization
*
*
* Note that HTTP header names are case insensitive.
*
* @param headerName the name of the HTTP request header to test
*
* @return (@code true} if the HTTP request header is considered sensitive and should be excluded from the response
* to a {@code TRACE} request, otherwise {@code false}
*
* @since Servlet 6.1
*/
protected boolean isSensitiveHeader(String headerName) {
String lcHeaderName = headerName.toLowerCase(Locale.ENGLISH);
for (String sensitiveHeaderName : SENSITIVE_HTTP_HEADERS) {
if (lcHeaderName.startsWith(sensitiveHeaderName)) {
return true;
}
}
return false;
}
/**
* Receives standard HTTP requests from the public service
method and dispatches them to the
* do
Method methods defined in this class. This method is an HTTP-specific version of the
* {@link jakarta.servlet.Servlet#service} method. There's no need to override this method.
*
* @param req the {@link HttpServletRequest} object that contains the request the client made of the servlet
* @param resp the {@link HttpServletResponse} object that contains the response the servlet returns to the client
*
* @exception IOException if an input or output error occurs while the servlet is handling the HTTP request
* @exception ServletException if the HTTP request cannot be handled
*
* @see jakarta.servlet.Servlet#service
*/
protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String method = req.getMethod();
if (method.equals(METHOD_GET)) {
long lastModified = getLastModified(req);
if (lastModified == -1) {
// servlet doesn't support if-modified-since, no reason
// to go through further expensive logic
doGet(req, resp);
} else {
long ifModifiedSince;
try {
ifModifiedSince = req.getDateHeader(HEADER_IFMODSINCE);
} catch (IllegalArgumentException iae) {
// Invalid date header - proceed as if none was set
ifModifiedSince = -1;
}
if (ifModifiedSince < (lastModified / 1000 * 1000)) {
// If the servlet mod time is later, call doGet()
// Round down to the nearest second for a proper compare
// A ifModifiedSince of -1 will always be less
maybeSetLastModified(resp, lastModified);
doGet(req, resp);
} else {
resp.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
}
}
} else if (method.equals(METHOD_HEAD)) {
long lastModified = getLastModified(req);
maybeSetLastModified(resp, lastModified);
doHead(req, resp);
} else if (method.equals(METHOD_POST)) {
doPost(req, resp);
} else if (method.equals(METHOD_PUT)) {
doPut(req, resp);
} else if (method.equals(METHOD_DELETE)) {
doDelete(req, resp);
} else if (method.equals(METHOD_OPTIONS)) {
doOptions(req, resp);
} else if (method.equals(METHOD_TRACE)) {
doTrace(req, resp);
} else if (method.equals(METHOD_PATCH)) {
doPatch(req, resp);
} else {
//
// Note that this means NO servlet supports whatever
// method was requested, anywhere on this server.
//
String errMsg = lStrings.getString("http.method_not_implemented");
Object[] errArgs = new Object[1];
errArgs[0] = method;
errMsg = MessageFormat.format(errMsg, errArgs);
resp.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED, errMsg);
}
}
/*
* Sets the Last-Modified entity header field, if it has not already been set and if the value is meaningful. Called
* before doGet, to ensure that headers are set before response data is written. A subclass might have set this
* header already, so we check.
*/
private void maybeSetLastModified(HttpServletResponse resp, long lastModified) {
if (resp.containsHeader(HEADER_LASTMOD)) {
return;
}
if (lastModified >= 0) {
resp.setDateHeader(HEADER_LASTMOD, lastModified);
}
}
/**
* Dispatches client requests to the protected service
method. There's no need to override this method.
*
* @param req the {@link HttpServletRequest} object that contains the request the client made of the servlet
* @param res the {@link HttpServletResponse} object that contains the response the servlet returns to the client
*
* @exception IOException if an input or output error occurs while the servlet is handling the HTTP request
* @exception ServletException if the HTTP request cannot be handled
*
* @see jakarta.servlet.Servlet#service
*/
@Override
public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
HttpServletRequest request;
HttpServletResponse response;
try {
request = (HttpServletRequest) req;
response = (HttpServletResponse) res;
} catch (ClassCastException e) {
throw new ServletException(lStrings.getString("http.non_http"));
}
service(request, response);
}
private static class TomcatHack {
private static final Class> REQUEST_FACADE_CLAZZ;
private static final Method GET_ALLOW_TRACE;
static {
Method m1 = null;
Class> c1 = null;
try {
c1 = Class.forName("org.apache.catalina.connector.RequestFacade");
m1 = c1.getMethod("getAllowTrace", (Class>[]) null);
} catch (ReflectiveOperationException | SecurityException | IllegalArgumentException e) {
// Ignore. Not running on Tomcat. TRACE is always allowed.
}
REQUEST_FACADE_CLAZZ = c1;
GET_ALLOW_TRACE = m1;
}
public static boolean getAllowTrace(HttpServletRequest req) {
if (REQUEST_FACADE_CLAZZ != null && GET_ALLOW_TRACE != null) {
if (REQUEST_FACADE_CLAZZ.isAssignableFrom(req.getClass())) {
try {
return ((Boolean) GET_ALLOW_TRACE.invoke(req, (Object[]) null)).booleanValue();
} catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
// Should never happen given the checks in place.
// Ignore
}
}
}
return true;
}
}
/*
* A response wrapper for use in (dumb) "HEAD" support. This just swallows that body, counting the bytes in order to
* set the content length appropriately. All other methods delegate to the wrapped HTTP Servlet Response object.
*/
private static class NoBodyResponse extends HttpServletResponseWrapper {
private final NoBodyOutputStream noBodyOutputStream;
private ServletOutputStream originalOutputStream;
private NoBodyPrintWriter noBodyWriter;
private boolean didSetContentLength;
private NoBodyResponse(HttpServletResponse r) {
super(r);
noBodyOutputStream = new NoBodyOutputStream(this);
}
private void setContentLength() {
if (!didSetContentLength) {
if (noBodyWriter != null) {
noBodyWriter.flush();
}
super.setContentLengthLong(noBodyOutputStream.getWrittenByteCount());
}
}
@Override
public void setContentLength(int len) {
super.setContentLength(len);
didSetContentLength = true;
}
@Override
public void setContentLengthLong(long len) {
super.setContentLengthLong(len);
didSetContentLength = true;
}
@Override
public void setHeader(String name, String value) {
super.setHeader(name, value);
checkHeader(name);
}
@Override
public void addHeader(String name, String value) {
super.addHeader(name, value);
checkHeader(name);
}
@Override
public void setIntHeader(String name, int value) {
super.setIntHeader(name, value);
checkHeader(name);
}
@Override
public void addIntHeader(String name, int value) {
super.addIntHeader(name, value);
checkHeader(name);
}
private void checkHeader(String name) {
if ("content-length".equalsIgnoreCase(name)) {
didSetContentLength = true;
}
}
@Override
public ServletOutputStream getOutputStream() throws IOException {
originalOutputStream = getResponse().getOutputStream();
return noBodyOutputStream;
}
@Override
public PrintWriter getWriter() throws UnsupportedEncodingException {
if (noBodyWriter == null) {
noBodyWriter = new NoBodyPrintWriter(noBodyOutputStream, getCharacterEncoding());
}
return noBodyWriter;
}
@Override
public void reset() {
super.reset();
resetBuffer();
originalOutputStream = null;
}
@Override
public void resetBuffer() {
noBodyOutputStream.resetBuffer();
if (noBodyWriter != null) {
noBodyWriter.resetBuffer();
}
}
}
/*
* Servlet output stream that gobbles up all its data.
*/
private static class NoBodyOutputStream extends ServletOutputStream {
private static final String LSTRING_FILE = "jakarta.servlet.http.LocalStrings";
private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE);
private final NoBodyResponse response;
private boolean flushed = false;
private long writtenByteCount = 0;
private NoBodyOutputStream(NoBodyResponse response) {
this.response = response;
}
private long getWrittenByteCount() {
return writtenByteCount;
}
@Override
public void write(int b) throws IOException {
writtenByteCount++;
checkCommit();
}
@Override
public void write(byte buf[], int offset, int len) throws IOException {
if (buf == null) {
throw new NullPointerException(lStrings.getString("err.io.nullArray"));
}
if (offset < 0 || len < 0 || offset + len > buf.length) {
String msg = lStrings.getString("err.io.indexOutOfBounds");
Object[] msgArgs = new Object[3];
msgArgs[0] = Integer.valueOf(offset);
msgArgs[1] = Integer.valueOf(len);
msgArgs[2] = Integer.valueOf(buf.length);
msg = MessageFormat.format(msg, msgArgs);
throw new IndexOutOfBoundsException(msg);
}
writtenByteCount += len;
checkCommit();
}
@Override
public boolean isReady() {
// Will always be ready as data is swallowed.
return true;
}
@Override
public void setWriteListener(WriteListener listener) {
response.originalOutputStream.setWriteListener(listener);
}
private void checkCommit() throws IOException {
if (!flushed && writtenByteCount > response.getBufferSize()) {
response.flushBuffer();
flushed = true;
}
}
private void resetBuffer() {
if (flushed) {
throw new IllegalStateException(lStrings.getString("err.state.commit"));
}
writtenByteCount = 0;
}
}
/*
* On reset() and resetBuffer() need to clear the data buffered in the OutputStreamWriter. No easy way to do that so
* NoBodyPrintWriter wraps a PrintWriter than can be thrown away on reset()/resetBuffer() and a new one constructed
* while the application retains a reference to the NoBodyPrintWriter instance.
*/
private static class NoBodyPrintWriter extends PrintWriter {
private final NoBodyOutputStream out;
private final String encoding;
private PrintWriter pw;
NoBodyPrintWriter(NoBodyOutputStream out, String encoding) throws UnsupportedEncodingException {
super(out);
this.out = out;
this.encoding = encoding;
Writer osw = new OutputStreamWriter(out, encoding);
pw = new PrintWriter(osw);
}
private void resetBuffer() {
out.resetBuffer();
Writer osw = null;
try {
osw = new OutputStreamWriter(out, encoding);
} catch (UnsupportedEncodingException e) {
// Impossible.
// The same values were used in the constructor. If this method
// gets called then the constructor must have succeeded so the
// above call must also succeed.
}
pw = new PrintWriter(osw);
}
@Override
public void flush() {
pw.flush();
}
@Override
public void close() {
pw.close();
}
@Override
public boolean checkError() {
return pw.checkError();
}
@Override
public void write(int c) {
pw.write(c);
}
@Override
public void write(char[] buf, int off, int len) {
pw.write(buf, off, len);
}
@Override
public void write(char[] buf) {
pw.write(buf);
}
@Override
public void write(String s, int off, int len) {
pw.write(s, off, len);
}
@Override
public void write(String s) {
pw.write(s);
}
@Override
public void print(boolean b) {
pw.print(b);
}
@Override
public void print(char c) {
pw.print(c);
}
@Override
public void print(int i) {
pw.print(i);
}
@Override
public void print(long l) {
pw.print(l);
}
@Override
public void print(float f) {
pw.print(f);
}
@Override
public void print(double d) {
pw.print(d);
}
@Override
public void print(char[] s) {
pw.print(s);
}
@Override
public void print(String s) {
pw.print(s);
}
@Override
public void print(Object obj) {
pw.print(obj);
}
@Override
public void println() {
pw.println();
}
@Override
public void println(boolean x) {
pw.println(x);
}
@Override
public void println(char x) {
pw.println(x);
}
@Override
public void println(int x) {
pw.println(x);
}
@Override
public void println(long x) {
pw.println(x);
}
@Override
public void println(float x) {
pw.println(x);
}
@Override
public void println(double x) {
pw.println(x);
}
@Override
public void println(char[] x) {
pw.println(x);
}
@Override
public void println(String x) {
pw.println(x);
}
@Override
public void println(Object x) {
pw.println(x);
}
}
/*
* Calls NoBodyResponse.setContentLength() once the async request is complete.
*/
private static class NoBodyAsyncContextListener implements AsyncListener {
private final NoBodyResponse noBodyResponse;
NoBodyAsyncContextListener(NoBodyResponse noBodyResponse) {
this.noBodyResponse = noBodyResponse;
}
@Override
public void onComplete(AsyncEvent event) throws IOException {
noBodyResponse.setContentLength();
}
@Override
public void onTimeout(AsyncEvent event) throws IOException {
// NO-OP
}
@Override
public void onError(AsyncEvent event) throws IOException {
// NO-OP
}
@Override
public void onStartAsync(AsyncEvent event) throws IOException {
// NO-OP
}
}
}