jsr369-experts@servlet-spec.java.net

[jsr369-experts] [servlet-spec users] Re: Container protocol concerns Was: Removing headers from the response

From: Mark Thomas <markt_at_apache.org>
Date: Thu, 01 Jan 2015 11:34:45 +0000

On 01/01/2015 10:47, Greg Wilkins wrote:
>
> On 31 December 2014 at 20:22, Mark Thomas <markt_at_apache.org> wrote:
>
> > Perhaps there needs to be some standards support for
> > activating/delegating such concerns to the container?
>
> I like it. Apart from compression, what other concerns did you have
> in mind?
>
>
> There are a few protocol mechanisms that it is a little unclear at the
> moment if they are the responsibility of the container or the webapp,
> and I think with HTTP/2 there will be a few more. So it would be good
> for a webapp to be able to declare: yes/no/don't care for container
> support for:

Thanks for listing these. Any thoughts on how to express this? I guess
some options in web.xml.

We've had some 'interesting' edge cases with some of these that I'll
expand on below as these may impact on what we want to do with these.

> * Body compression
> * Header compression (HTTP/2 only, where there are some optional ways
> to encode unknown headers that may affect security)
> * Expect 100 handling

Any response > 299 hits an ambiguity in the HTTP/1.1 protocol. Once the
server sends the response it has no way of knowing if the client has
received and processed that response before the client sends the next
packet. Therefore, the server cannot tell if the next packet is the
start of a new request or the request body for the current request. This
opens up the opportunity for request smuggling. While the spec doesn't
state this, we currently close the connection for any response with a
response code > 299.

> * Use chunking or EOF for unknown response lengths

If you don't use chunking you can't tell the difference between a
completed request and one that was terminated part way through. We
always use chunking to enable clients to differentiate between these two
cases.

I think it would be helpful to clarify the expected behaviour for the
above edge cases and I offer up Tomcat's current behaviour as a starting
point.

Mark

>
> cheers
>
> --
> Greg Wilkins <gregw_at_intalio.com> @ Webtide - /an Intalio subsidiary/
> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
> http://www.webtide.com advice and support for jetty and cometd.
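
The Expect 100 ambiguity described in the message above, as an added example that is not part of the original thread and is not Tomcat or Jetty code. It is a toy framing model: the policy names, paths and host are assumptions, and the traffic is constructed to show that only closing the connection frames both kinds of client the same way.

```python
# Added example: toy HTTP/1.1 framing model, not Tomcat or Jetty code.
CRLF = b"\r\n"

def parse_head(buf):
    """Split one request head off buf -> (request_line, headers, rest) or None."""
    head, sep, rest = buf.partition(CRLF + CRLF)
    if not sep:
        return None
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode(), headers, rest

def serve(stream, policy):
    """Return the request lines a server acts on for one connection.
    A request with Expect: 100-continue is rejected with a final status > 299
    before its body is read. What follows depends on policy (names assumed):
      "close"       close the connection, as the message says Tomcat does
      "skip-body"   assume the body was sent and discard Content-Length bytes
      "new-request" assume the client waited and parse the next bytes as a request
    """
    acted_on = []
    while stream:
        parsed = parse_head(stream)
        if parsed is None:
            break
        request_line, headers, stream = parsed
        acted_on.append(request_line)
        length = int(headers.get(b"content-length", b"0"))
        rejected = headers.get(b"expect", b"").lower() == b"100-continue"
        if rejected and policy == "close":
            break
        if not rejected or policy == "skip-body":
            stream = stream[length:]
    return acted_on

# Constructed sample traffic. BODY is a request body that also parses as a request.
BODY = b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"
NEXT = b"GET /c HTTP/1.1\r\nHost: example.test\r\n\r\n"
HEAD = (b"POST /a HTTP/1.1\r\nHost: example.test\r\nExpect: 100-continue\r\n"
        b"Content-Length: %d\r\n\r\n" % len(BODY))
WAITED = HEAD + NEXT            # client waited, saw the rejection, sent no body
SENT_BODY = HEAD + BODY + NEXT  # client sent the body without waiting

if __name__ == "__main__":
    for policy in ("close", "skip-body", "new-request"):
        print(policy, serve(WAITED, policy), serve(SENT_BODY, policy))
```

With "skip-body" the waiting client's follow-up request is swallowed as a body, and with "new-request" the eager client's body is acted on as a request; "close" acts on the rejected request only in both cases.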