tomcat

BadInputFilter No Longer Works


The book Tomcat: The Definitive Guide (2nd Edition), O'Reilly, Jason Brittain, provides a Tomcat filter (and a valve) to filter out bad user input from HTTP requests to help avoid malicious attacks. I have used the filter for years, and I found it to be a great security tool for web applications running on Tomcat. It used to work with older versions of Tomcat, but with more recent versions of Tomcat, it no longer works. What's worse is that it fails silently. You have to learn through experimentation that it doesn't work.

It appears that the filter is editing a copy of the request parameters, but the actual request parameters are not changed when the request gets to the web server. I tried the valve, but it also fails to work in the same way. You can use the filter or valve to block HTTP requests that have bad data in the parameters, but you can no longer use it to edit the parameters.

Does anyone have a solution to this problem? That is, does there exist a version of BadInputFilter or a substitute for it that will actually modify the request parameters and then send the modified parameters to the web server?


Solution

  • I was unable to find a good answer for this question, so I developed my own answer and published it in a detailed article on JavaWorld. See BadInputFilter revisited for the answer to this question.
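The following is an added example, my own code rather than the book's BadInputFilter or the JavaWorld article's code, showing the servlet-API way to get edited parameters to the application when the container's own parameter map cannot be mutated: instead of changing the map returned by getParameterMap(), the filter wraps the request in an HttpServletRequestWrapper whose getParameter, getParameterValues and getParameterMap return a sanitized copy, and passes that wrapper down the chain. The class name SanitizingRequestFilter, the two sanitization patterns and the javax.servlet package (Tomcat 9 and earlier; Tomcat 10 and later use jakarta.servlet) are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical replacement for BadInputFilter. It never touches the container's
 * parameter map; it hands downstream code a wrapper that serves sanitized copies.
 */
public class SanitizingRequestFilter implements Filter {

    // Constructed patterns for this example: strip HTML tags, quotes and SQL comment tokens.
    private static final Pattern HTML_TAG = Pattern.compile("<[^>]*>");
    private static final Pattern QUOTES_AND_COMMENTS = Pattern.compile("['\"]|--|/\\*|\\*/");

    /** Blocklist-style cleanup of one parameter value (null stays null). */
    static String sanitize(String value) {
        if (value == null) {
            return null;
        }
        String cleaned = HTML_TAG.matcher(value).replaceAll("");
        return QUOTES_AND_COMMENTS.matcher(cleaned).replaceAll("");
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // Servlets and later filters see the wrapper, not the original request.
            request = new SanitizedRequest((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }

    /** Wrapper that overrides every parameter getter to read from a sanitized copy. */
    static class SanitizedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> cleanParams;

        SanitizedRequest(HttpServletRequest request) {
            super(request);
            Map<String, String[]> copy = new HashMap<>();
            for (Map.Entry<String, String[]> e : request.getParameterMap().entrySet()) {
                String[] values = e.getValue();
                String[] cleanValues = new String[values.length];
                for (int i = 0; i < values.length; i++) {
                    cleanValues[i] = sanitize(values[i]);
                }
                copy.put(e.getKey(), cleanValues);
            }
            cleanParams = Collections.unmodifiableMap(copy);
        }

        @Override
        public String getParameter(String name) {
            String[] v = cleanParams.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] v = cleanParams.get(name);
            return v == null ? null : v.clone();
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            return cleanParams;
        }
    }
}
```

Map the filter to `/*` in web.xml (or annotate it with `@WebFilter("/*")`) and place it first in the chain so every later filter and servlet receives the wrapper. Two caveats a practitioner should keep in mind: the wrapper only covers the parameter getters, so code that reads the raw body through getInputStream() or getReader() bypasses it; and stripping patterns is a lossy blocklist, so this is defense in depth alongside parameterized queries and context-aware output encoding, not a replacement for them.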