[opencms-dev] question/potential modification to OpenCmsServlet

[Marc Johnson]

Hello list and especially keepers and curators of the opencms source code, this question is mostly for you but it could be for anyone whose worked extensively with OpenCmsServlet.

I inherited an OpenCms project a while back where the previous developer had riddled the Opencms source code with a bunch of mostly unnecessary customization that made it impossible to upgrade to newer versions.  It was stuck at 7.0.1


As I've been settling a ton of technical debt, I've removed all but one src code modification and been upgrading to newer versions of OpenCms but I've carried that one forward in org.opencms.main.OpenCmsServlet that I think could be useful.

in 8.5.1 the invokeHandler goes from

    protected void invokeHandler(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {

        String name = OpenCmsCore.getInstance().getPathInfo(req).substring(HANDLE_PATH.length());
        I_CmsRequestHandler handler = OpenCmsCore.getInstance().getRequestHandler(name);
        if (handler != null) {
            handler.handle(req, res, name);
        } else {
            openErrorHandler(req, res, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    protected void invokeHandler(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {

        String name = OpenCmsCore.getInstance().getPathInfo(req).substring(HANDLE_PATH.length());
        int iIndex = name.indexOf( "/" );
        if ( iIndex >= 0 ) {
        name = name.substring( 0, iIndex );
        }
        I_CmsRequestHandler handler = OpenCmsCore.getInstance().getRequestHandler(name);
        if (handler != null) {
            handler.handle(req, res, name);
        } else {
            openErrorHandler(req, res, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

essentially it allows for the path to the servlet to still find a match for the handler even if there's some random runtime generated stuff in it that the handler (that you design) will correctly interpret

In my case it's a captcha with the random string generating an image captcha on the fly based upon the value passed to it (/handleCaptcha/148af064124/captcha.jpg)

I thought to rip this whole thing out and use the official captcha code, but it works fine as long as I keep the customization.

Is there some better way for me to do this w/o the customization? (for example can the handler be a regex the way you could specify for a servlet in the web.xml?)

Does this seem insecure to you in any way? 

Is this something that jibes with the purpose/usage of the OpenCmsServlet that you think might be useful to include in upgrades?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20140925/922a4d7e/attachment.htm>