Java servlet illegal characters

Original Question

I have a Java web application that allows users to create an account and log in. For some reason, after someone has sent enough illegal characters to the server, the portion of the application that sends emails becomes disabled.



Solution 1:[1]

To solve this, I created a master filter that would accept all incoming requests. Once a request hit the server, I ran it through this bit of code.

if (request instanceof HttpServletRequest) {
    // Full request URL, used to decide which tier the request belongs to
    String url = ((HttpServletRequest) request).getRequestURL().toString();
    // Raw query string, checked for base64-only parameters
    String query = ((HttpServletRequest) request).getQueryString();
}

I created a three-tier system that was designed to filter between what was known and unknown.

Tier 1: for requests that don't require the user to be logged into the server (e.g. forgotPassword, createAccount). Requirements: all base64 parameters, inside the active list.

Tier 2: for requests that require an active login (e.g. my account, edit account, search system). Requirements: all base64 parameters, inside the active list, valid login.

Tier 3: for everything else (e.g. login.php is not valid; this is Java).

By checking the URL I could determine where the request is going. I could then run it against the first two tiers and see if everything checked out and the query was actually in base64 format. The server requires that all string data be in base64 format. If it is not, do not process the request.
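The three-tier gate described in the answer, written out as a complete servlet filter. This is an added example, not the answerer's own code: the path lists, the "user" session attribute, and the javax.servlet API (Jakarta EE 9+ uses the jakarta.servlet package instead) are assumptions for illustration. It generalizes the answer slightly by checking every parameter from getParameterMap(), which covers both query-string and form-body parameters, rather than only the raw query string.

```java
import java.io.IOException;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: a "master filter" that classifies every request into one of
// three tiers and refuses anything that is unknown or not strictly base64.
@WebFilter("/*")
public class TierFilter implements Filter {

    // Tier 1: reachable without a login. Paths are hypothetical.
    private static final Set<String> TIER1 = Set.of("/forgotPassword", "/createAccount");
    // Tier 2: require an active login. Paths are hypothetical.
    private static final Set<String> TIER2 = Set.of("/myAccount", "/editAccount", "/search");
    // Session attribute assumed to be set by the application's login code.
    private static final String LOGIN_ATTR = "user";

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the application, without the context path, e.g. "/createAccount".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (TIER1.contains(path)) {
            // Known public endpoint: only the base64 rule applies.
            if (allParamsBase64(request.getParameterMap())) {
                chain.doFilter(req, res);
            } else {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            }
        } else if (TIER2.contains(path)) {
            // Known private endpoint: require a live session plus the base64 rule.
            HttpSession session = request.getSession(false);
            boolean loggedIn = session != null && session.getAttribute(LOGIN_ATTR) != null;
            if (!loggedIn) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } else if (allParamsBase64(request.getParameterMap())) {
                chain.doFilter(req, res);
            } else {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            }
        } else {
            // Tier 3: anything not on the active lists (e.g. login.php) is rejected.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    // True only if every value of every parameter decodes as strict base64.
    // Base64.Decoder.decode throws IllegalArgumentException on any illegal
    // character or bad padding, which is exactly the rejection we want.
    static boolean allParamsBase64(Map<String, String[]> params) {
        Base64.Decoder decoder = Base64.getDecoder();
        for (String[] values : params.values()) {
            for (String v : values) {
                try {
                    decoder.decode(v);
                } catch (IllegalArgumentException e) {
                    return false;
                }
            }
        }
        return true;
    }
}
```

Two things to keep in mind when using a gate like this. First, the unknown-path branch fails closed, so every endpoint the application actually serves has to be on one of the two lists or it becomes unreachable. Second, "decodes as base64" is only a syntax check: the decoded bytes are still untrusted input and must be validated by the code that uses them. The filter keeps malformed input away from the mail-sending code; it does not by itself explain why that code was being disabled.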

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Boheyga