Security-related HTTP headers not written if response is committed during INCLUDE dispatch and RequestDispatcher is not obtained via HttpServletRequest object #6414
In #5499 a bug was fixed which caused security-related headers to not appear in the HTTP response if that response was committed during INCLUDE dispatch. The solution was to wrap both the HttpServletRequest and RequestDispatcher objects in order to intercept the RequestDispatcher::include call. That fix doesn't work if the RequestDispatcher is obtained via some means other than the HttpServletRequest::getRequestDispatcher method.
In my particular case it's the SiteMesh 2.x servlet filter that obtains the dispatcher via ServletContext::getRequestDispatcher and then calls the include method on it. The returned dispatcher is unfortunately not a wrapper created by HeaderWriterFilter, which means that no security headers are added to the HTTP response.
Actual Behavior
Assuming that security-related headers are enabled in spring-security:
HeaderWriterFilter is invoked and both request and response objects are wrapped.
After that some third-party library calls RequestDispatcher::include on a dispatcher obtained via some means other than the HttpServletRequest::getRequestDispatcher method.
The response is flushed during that INCLUDE dispatch call.
This results in security-related headers not being added to the HTTP response.
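As an added illustration of the interception strategy the report describes (this is not Spring Security's own HeaderWriterFilter code; the class names and header values are hypothetical), a request wrapper that hands out header-writing dispatchers, with a closing comment marking the code path this issue reports as uncovered:

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical wrapper (not Spring Security's HeaderWriterFilter) showing the approach from #5499:
// dispatchers handed out by the wrapped request write the headers before the include can commit.
public class HeaderWritingRequestWrapper extends HttpServletRequestWrapper {
    private final HttpServletResponse response;
    public HeaderWritingRequestWrapper(HttpServletRequest request, HttpServletResponse response) {
        super(request);
        this.response = response;
    }
    // Only this path is covered: callers that obtain the dispatcher from the wrapped request.
    @Override
    public RequestDispatcher getRequestDispatcher(String path) {
        RequestDispatcher delegate = super.getRequestDispatcher(path);
        return delegate == null ? null : new HeaderWritingDispatcher(delegate, response);
    }
    // Writes sample headers once, and only while the response can still carry them.
    static void writeSecurityHeaders(HttpServletResponse response) {
        if (response.isCommitted() || response.containsHeader("X-Content-Type-Options")) {
            return;
        }
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
    }
    static final class HeaderWritingDispatcher implements RequestDispatcher {
        private final RequestDispatcher delegate;
        private final HttpServletResponse response;
        HeaderWritingDispatcher(RequestDispatcher delegate, HttpServletResponse response) {
            this.delegate = delegate;
            this.response = response;
        }
        @Override
        public void include(ServletRequest req, ServletResponse res) throws ServletException, IOException {
            writeSecurityHeaders(response); // must run before the include can flush and commit
            delegate.include(req, res);
        }
        @Override
        public void forward(ServletRequest req, ServletResponse res) throws ServletException, IOException {
            delegate.forward(req, res);
        }
    }
}
// Not covered (the gap reported here): request.getServletContext().getRequestDispatcher(path)
// returns the container's own dispatcher, so its include() can commit the response with no headers.
```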
Expected Behavior
The way the RequestDispatcher object is obtained should not be a factor when adding security-related headers to the response.
Configuration
Tomcat 8.5.34
SiteMesh 2.4.2
Spring-based web application which uses JSPs and decorates them using SiteMesh.