Sorry for the late reply. I really had to think, and then I was working on other things.
I made a wrapper class for request parameters (called RequestParams) that:
- Returns parameters in a single format, regardless of whether those parameters were in the query string, request body, or headers of that request. Code using RequestParams asks for a string, list-of-strings, or file by parameter name. It has a few methods for parsing decimals and booleans too.
- Actually, it doesn't return Strings, it returns TaintedStrings so the type system can be used to enforce that user-supplied input is not trusted. We save and read TaintedStrings to and from the database and have wrappers for each output type that encode that data safely for each type (HTML, JSON, CSV, PDF, etc.)
- It also converts everything to Unicode Normalized Form C.
In order to test this RequestParams class, I needed to be certain that my test harness worked the way my web server worked. I had to make some minor tweaks to RequestParams when I moved from Tomcat to Jetty.
I really didn't know exactly how each kind of request parameter was handled, so with Jetty 9 and then 11, I was able to sort of pick apart the internals to let Jetty parse the raw contents I captured from actual HTTP requests. Now that I had working tests from that experience, I was able to replace all that with FakeParts (for file uploads) or Strings passed through the FakeRequest. It doesn't use Jetty at all and doesn't parse anything. It just implements the Servlet6 interfaces. So that seemed like a big improvement.
Although now I'm questioning whether it needs to take the Servlet6 Request or a Jetty12 Request, but that's another email.