Servlet Filter causes problems, but only for POST requests

[mruss]

New poster here, and very new to Java... I have been working on a servlet filter for a few days now, and ran into a strange problem that leads me to think I must be missing something.

I'm using the filter to resolve a security problem in an application; I'm checking for certain parameters in the request, and if they exist, I check them against a whitelist of expected values. If they have an expected value, I just pass the request down the filter chain; if not, I redirect the user to an error page.

The filter works fine for GET requests, but it's causing problems for POSTs. Weird problems. It's not redirecting the user to the error page; the POSTs are simply not working. It appears the POST data is getting mangled somehow before it reaches the application. It's difficult to troubleshoot, because I can't see the request after it leaves the filter, and the app doesn't return a meaningful error; it typically looks like what would happen if you searched for records that don't exist, but I'm clicking on links to existing records...

All I can say for sure is that with my filter enabled, no POSTs work correctly anywhere in the application... and when I disable the filter, they all work fine. Is there something I need to be careful about when dealing with POSTs vs. GETs?

[mruss]

Here's the source for the filter... I'm not actually modifying the request anywhere (at least not intentionally), so this really has me stumped.

Java Code:

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;

public class ParamFilter implements Filter {
   FilterConfig fc;
   public void doFilter(ServletRequest request,
                        ServletResponse response,
                        FilterChain chain)
                 throws IOException,
                        ServletException {

      /* Get parameters and expected values from web.xml 
         Check the submitted request parameters against expected vals */  
      boolean badrequest = false;
      String paramName;
      String paramValList;
      boolean valOK;

      for (Enumeration initParams = this.fc.getInitParameterNames(); initParams.hasMoreElements();) {
         paramName = initParams.nextElement().toString();
         if (!paramName.equals("errorURL")) {
            String[] paramVals = request.getParameterValues(paramName);
            if (paramVals != null) {
               String[] expectedVals = this.fc.getInitParameter(paramName).split(",");
               for (int i = 0; i < paramVals.length; i++) {
                  valOK = false;
                  for (String expectedVal : expectedVals) {
                     if (paramVals[i].equals(expectedVal)) {
                        valOK = true;
                        break;
                     }
                  }
                  if (!valOK) {
                     badrequest = true;
                     break;
                  }
               }
            }
         }
         if (badrequest) break;
      }

      /* If any parameter checks failed, redirect to error page */
      if (badrequest) {
         HttpServletResponse resp = (HttpServletResponse) response;
         String errurl = this.fc.getInitParameter("errorURL");
         resp.sendRedirect(errurl);
      } else {
         chain.doFilter(request, response);
      }
   }

   public void init(FilterConfig filterConfig) {
      this.fc = filterConfig;
   }

   public void destroy() {
      this.fc = null;
   }

}

[mruss]

Sorry for the triple-post, but I wanted to post the resolution here to help anybody else who winds up with the same problem.

I started trimming down my filter to just a few lines of code at a time, and found that as soon as I called any function to access the request parameters (getParameter, getParameterValues, etc.), it broke all POSTs in the application.

This is a commercial application that uses another ServletFilter and I have no idea what that does, so my best guess is that my filter was somehow interfering with theirs. I switched to using getQueryString instead and parsing the parameters out myself with regular expressions, and all is working fine now.