[cdi-dev] Which version of HttpServletRequest is injected?
arjan.tijms at gmail.com
Thu Sep 8 07:03:04 EDT 2016
On Thu, Sep 8, 2016 at 12:40 PM, Martin Kouba <mkouba at redhat.com> wrote:
> that's a good question. In Weld, the request object is captured during
> request context activation, i.e. during ServletRequestListener.requestInitialized()
> notification and before any filter or servlet is invoked. So wrappers are
> ignored and the original/first request is used.
Indeed, although do note that some servers (Liberty and WebLogic I think)
send the ServletRequestListener.requestInitialized() notification rather
late, and do that after the application already has seen the request and
has had a chance to wrap it. This by itself is a separate problem. So on
these servers, Weld would receive an early request but not necessarily the
> But TBH I don't think we can fix this easily as I'm not aware of any
> portable way to listen for "wrapping actions".
This would have to happen with Server specific code I guess, just as Weld
now requires an SPI to obtain the current principal for injection.
You could say that the Servlet container could store the request
"somewhere" on a stack structure, just before it invokes the
ServerAuthModule, Filter, Servlet and anything else I may have forgotten,
and then when control flows back to each Servlet, Filter, etc unwind that
At the very least the spec for now should perhaps clarify this?
> Dne 8.9.2016 v 11:02 arjan tijms napsal(a):
>> The CDI spec defines a built-in bean for the type HttpServletRequest. In
>> 3.8 it says:
>> "A servlet container must provide the following built-in beans, all of
>> which have qualifier @Default:
>> a bean with bean type javax.servlet.http.HttpServletRequest, allowing
>> injection of a reference to the HttpServletRequest"
>> An HttpServletRequest however can be wrapped multiple times and by
>> multiple artefacts. I.e. by a ServerAuthModule, Filter and a
>> The question now is; which version of the HttpServletRequest is supposed
>> to be injected?
>> * The first one in the chain?
>> * The last one in the chain?
>> * The current one at a given point in the chain?
>> A little bit of experimenting seems to indicate it's now often "one of
>> the first ones", e.g. the one that happened to be current when e.g. a
>> ServletRequestListener that initialises a specific CDI implementation is
>> I think this is a little confusing, as working with an injected request
>> can now totally ignore the request wrapping that has been done and break
>> an application badly.
>> Kind regards,
>> Arjan Tijms
>> cdi-dev mailing list
>> cdi-dev at lists.jboss.org
>> Note that for all code provided on this list, the provider licenses the
>> code under the Apache License, Version 2 (http://www.apache.org/license
>> s/LICENSE-2.0.html). For all other ideas provided on this list, the
>> provider waives all patent and other intellectual property rights inherent
>> in such information.
> Martin Kouba
> Software Engineer
> Red Hat, Czech Republic
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cdi-dev