Comment: fleshing out rule

When a web servlet receives a request from a client, it must produce a suitable response. Java's HttpServlet provides the HttpServletResponse object to represent that response. The body of the response can be written either through an output stream obtained from getOutputStream() or through a writer obtained from getWriter().

A response is said to be committed once its status code and HTTP headers have been sent to the client [J2EE API 2013]. After a response is committed, further data may still be appended to the body, but certain operations become impossible. For example, the character encoding can no longer be changed, because it is carried in the HTTP headers that have already gone out. Some of these illegal operations throw an IllegalStateException, while others silently have no effect. These illegal behaviors include:

  • Resetting the stream or re-committing to the stream
  • Flushing the stream or writer's buffer
  • Invoking either getWriter() or getOutputStream()
  • Redirecting an HttpServletResponse to another server
  • Modifying the stream's character encoding, content type or buffer size

This rule is a stub.
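The following servlet, added here as an illustration and not part of the rule's own code, contrasts a reset after the response has been committed with a version that builds the body first and guards any reset() with isCommitted(). It assumes the javax.servlet API (Servlet 3.x) on the classpath; the class name and the renderPage() helper are made up for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not the rule's own code). Assumes the javax.servlet API
// is on the classpath; the URL mapping is left to web.xml or @WebServlet.
public class CommitDemoServlet extends HttpServlet {

    // Noncompliant: flushBuffer() commits the response (status line and
    // headers are sent), so the later reset() throws IllegalStateException
    // and the client is left with a truncated body.
    protected void doGetNoncompliant(HttpServletRequest req,
                                     HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>Partial output");
        resp.flushBuffer();   // response is now committed
        resp.reset();         // IllegalStateException: already committed
        out.println("Replacement output</body></html>");
    }

    // Compliant: build the whole body before touching the output, so that
    // nothing is committed until the response is known to be complete, and
    // only reset() while isCommitted() is still false.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String body;
        try {
            body = renderPage();
        } catch (RuntimeException e) {
            if (!resp.isCommitted()) {   // nothing sent yet: reset is legal
                resp.reset();
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
            return;   // if already committed, only logging remains possible
        }
        // All header-affecting calls happen before the first write.
        resp.setContentType("text/html;charset=UTF-8");
        resp.setContentLength(body.getBytes(StandardCharsets.UTF_8).length);
        resp.getWriter().write(body);   // container commits on return
    }

    private String renderPage() {   // hypothetical helper for the example
        return "<html><body>Complete output</body></html>";
    }
}
```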

Noncompliant Code Example

...

If a servlet's output stream is reset after it has been committed, an IllegalStateException usually results, which can cause the servlet's response to be truncated.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
FIO15-J   Low       Probable    Medium            P4        L3

Automated Detection

Detection

...

Tool     Version    Checker                  Description
Fortify  6.10.0120  Multiple_Stream_Commits  Implemented

Bibliography

...