Bug 51754

Summary: Tomcat7 filters from conf/web.xml are applied after filters defined in WEB-INF/web.xml
Product: Tomcat 7 Reporter: charlie <charlesk40>
Component: Servlet & JSP APIAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED WONTFIX    
Severity: normal CC: areese
Priority: P2    
Version: 7.0.19   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description charlie 2011-09-01 19:48:01 UTC 
The behavior of filter ordering for default web.xml (i.e conf/web.xml) and the application filters in WEB-INF/web.xml has been changed from Tomcat 6 to Tomcat 7.

As you can see from the start method in http://www.docjar.com/html/api/org/apache/catalina/startup/ContextConfig.java.html it processes the default web.xml first
and then the application web config.  This makes the filters from the default web.xml excuted before the application provided filters.  We were heavily relying on this behavior for processing the filters.


1040       /**
 1041        * Process a "start" event for this Context.
 1042        */
 1043       protected synchronized void start() {
 1044           // Called from StandardContext.start()
 1045   
 1046           if (log.isDebugEnabled())
 1047               log.debug(sm.getString("contextConfig.start"));
 1048   
 1049           // Set properties based on DefaultContext
 1050           Container container = context.getParent();
 1051           if( !context.getOverride() ) {
 1052               if( container instanceof Host ) {
 1053                   // Reset the value only if the attribute wasn't
 1054                   // set on the context.
 1055                   xmlValidation = context.getXmlValidation();
 1056                   if (!xmlValidation) {
 1057                       xmlValidation = ((Host)container).getXmlValidation();
 1058                   }
 1059                   
 1060                   xmlNamespaceAware = context.getXmlNamespaceAware();
 1061                   if (!xmlNamespaceAware){
 1062                       xmlNamespaceAware 
 1063                                   = ((Host)container).getXmlNamespaceAware();
 1064                   }
 1065   
 1066                   container = container.getParent();
 1067               }
 1068           }
 1069   
 1070           // Process the default and application web.xml files
 1071           defaultWebConfig();
 1072           applicationWebConfig();

So, now with Tomcat 7, its different.

Merging mechanism seeing in Tomcat 7 looks as follows in general:
From http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/ContextConfig.java

1) Create appWebXml for /WEB-INF/web.xml
2) Create globalWebXml for conf/web.xml
3) orderedFragments are merged to appWebXml ( Merge web-fragment.xml files into the main web.xml)
4) globalWebXml is merged to appWebXml (which means that list of global filters are added to existing application
defined filters)

After going through the Servlet API specs for 2.5 and 3.0, I didn't find anything related to how default web.xml and application provided web.xml should be ordered. (Did I miss anything?)

There is a deployment descriptor fragments introduced in 3.0 but it applies to web.xml and the web-fragment.xml.

Changes in the ordering of filters from Tomcat 6 to 7 creates a lot of issues for us.  Can this be fixed in Tomcat 7? If not, can you provide any suggestions for workaround?
Comment 1 Mark Thomas 2011-09-02 13:10:56 UTC 
The short answer is that this can't be fixed. The comment at the beginning of the webConfig() methods explains why (there were a number of spec breaking bugs introduced by trying to process the global web.xml file earlier).

I am not aware of the spec even mentioning default web.xml settings provided by the container. This is likely to vary from container to container.

I would suggest the following:
- Define a ServletContextListener in conf/web.xml
- Use this to add the filters programmatically during the contexInitialized()
- Use the isMatchAfter parameter of the addMappingXXX methods of FilterRegistration to insert the filters before those defined in any web.xml

Bugzilla isn't really the place to go into details on exactly how to do this. If the above isn't enough, please use the Tomcat users mailing list for further advice.