Tomcat: BadInputFilter No Longer Works

I asked this question on StackOverflow about a month ago, but so far I have not had any solutions.

The book Tomcat: The Definitive Guide (2nd Edition), O'Reilly, Jason Brittain provides a Tomcat filter (and a valve) to filter out bad user input from HTTP requests to help avoid malicious attacks. I have used the filter for years, and I found it to be a great security tool for web applications running on Tomcat. It used to work with older versions of Tomcat, but with more recent versions of Tomcat, it no longer works. What's worse is that it fails silently. You have to learn through experimentation that it doesn't work.

It appears that the filter is editing a copy of the request parameters, but the actual request parameters are not changed when the request gets to the web server. I tried the valve, but it also fails to work in the same way. You can use the filter or valve to block HTTP requests that have bad data in the parameters, but you can no longer use it to edit the parameters.

Does anyone have a solution to this problem? That is, does there exist a version of BadInputFilter or a substitute for it that will actually modify the request parameters and then send the modified parameters to the web server?
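Added example, not part of the original question and not code from the book: the Servlet API's portable way to hand modified parameters to the application is to wrap the request in an `HttpServletRequestWrapper` and pass the wrapper down the filter chain, instead of editing the container's own parameter map. The class name `SanitizingParameterFilter` and the escaping rule in `sanitize` are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*; // Tomcat 10 and later: jakarta.servlet.*
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical substitute filter: downstream code sees only sanitized parameter values.
public class SanitizingParameterFilter implements Filter {
    // Assumed rule for illustration: HTML-escape markup metacharacters ('&' first, to avoid double escaping).
    static String sanitize(String v) {
        return v == null ? null : v.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");
    }

    static final class SanitizedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;
        SanitizedRequest(HttpServletRequest request) {
            super(request);
            Map<String, String[]> copy = new LinkedHashMap<>();
            for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) {
                String[] out = e.getValue().clone();   // never touch the container's arrays
                for (int i = 0; i < out.length; i++) out[i] = sanitize(out[i]);
                copy.put(e.getKey(), out);
            }
            params = Collections.unmodifiableMap(copy);
        }
        // Override every parameter accessor so no caller can reach the raw values.
        @Override public String getParameter(String name) {
            String[] v = params.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }
        @Override public String[] getParameterValues(String name) {
            String[] v = params.get(name);
            return v == null ? null : v.clone();
        }
        @Override public Map<String, String[]> getParameterMap() { return params; }
        @Override public Enumeration<String> getParameterNames() {
            return Collections.enumeration(params.keySet());
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Pass the wrapper, not the original request, so servlets read the sanitized copy.
        chain.doFilter(new SanitizedRequest((HttpServletRequest) req), res);
    }
}
```

Code that reads `getQueryString()`, `getInputStream()` or `getReader()` directly still sees the raw input, so a filter like this covers only the parameter accessors. Map it ahead of any other filter that reads parameters, or that filter will see the unsanitized values.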
  • Hello John,

    I apologize for the delay in responding to you. I have forwarded your question on to our Book Tech staff, so they can help you find a solution. If you ever have any questions or issues with the content of a title, you can also contact them directly at or call them at:

    1-707-827-7019 (outside the USA)
    7:30 am to 5:00 PST

    Kind regards,
    Paul Fichera
    Customer Service Representative
    O'Reilly Media