jsr369-experts@servlet-spec.java.net

[jsr369-experts] Re: [servlet-spec users] Re: Call for discussion: API for apps do discover protocol version/transport?

From: Greg Wilkins <gregw_at_webtide.com>
Date: Wed, 14 Sep 2016 09:13:44 +1000

Note that there are near infinite permutations and combinations of how
requests can arrive on an application server, as the protocol from the
client to the app server can be proxied/translated zero or more times.
Requests can arrive as clear text http, but have a Forwarded header to show
that they were actually encrypted h2 on the proxy.

The details and importance of each protocol and delivery method are highly
dependent on every deployment. Should these new methods report the
Forwarded protocol? And if so, the RFC does not provide information about
upgrade etc.

I think it is an admirable idea... but is doomed to failure, because as
soon as you say what values you want returned, a deployment will come up
with a way to spoof those values to handle their particular mode.
Essentially this is what has just happened with the forwarded headers, so
if we want more information about the connection this pattern will repeat
and in 10 years' time we will have 20 different spoofs, 2 de facto standards
and an RFC under development, which just as it is accepted we'll think of
something else desirable to know about the connection and the whole "which
connection" cycle will repeat.

So I think we are good as is.

However, I think we could say something about how RFC7239 should be
supported. In fact we could even provide methods to help decode those
headers.

cheers

On 14 September 2016 at 08:33, Stuart Douglas <sdouglas_at_redhat.com> wrote:

> On Wed, Sep 14, 2016 at 4:00 AM, Edward Burns <edward.burns_at_oracle.com>
> wrote:
> > Hello Volunteers,
> >
> > Currently I am not aware of any standard Servlet API to allow apps to
> > discover the following
> >
> > * What protocol version is in use for the current request?
>
> Isn't that what javax.servlet.ServletRequest#getProtocol() is supposed
> to return?
>
> >
> > * How did we get to that protocol version? Straight to h2? Or upgraded
> > via 101 Switching Protocols?
> >
> > * What transport is being used? h2c or h2? Is ServletRequest.isSecure()
> > enough?
> >
> > I think it might be useful to allow apps to answer these questions.
>
> Personally I think that a combination of getProtocol() and isSecure()
> should provide enough information.
>
> Stuart
>
> >
> > Thoughts?
> >
> > Ed
> >
> > --
> > | edward.burns_at_oracle.com | office: +1 407 458 0017
>

-- 
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com
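
An added example, not code from this thread or from any Servlet container: a decoder for the RFC 7239 `Forwarded` header discussed above, which honours the header only when the directly connected peer is a known proxy. The class and method names, the trusted-proxy set and the sample header are assumptions constructed for illustration, as is the choice to accept only `http` and `https` as `proto` values.

```java
import java.util.*;
public class ForwardedDecoder {
    /** Decodes a Forwarded field value: one map per element (proxy hop), names lower-cased. */
    static List<Map<String, String>> parse(String header) {
        List<Map<String, String>> hops = new ArrayList<>();
        Map<String, String> hop = new LinkedHashMap<>();
        StringBuilder buf = new StringBuilder();
        String name = null;
        boolean quoted = false;
        for (int i = 0; i <= header.length(); i++) {
            char c = i < header.length() ? header.charAt(i) : ','; // sentinel flushes the last element
            if (quoted) { // quoted-string: ',' ';' '=' are literal, backslash escapes the next char
                if (c == '\\' && i + 1 < header.length()) buf.append(header.charAt(++i));
                else if (c == '"') quoted = false;
                else buf.append(c);
            } else if (c == '"') {
                quoted = true;
            } else if (c == '=' && name == null) {
                name = buf.toString().trim().toLowerCase(Locale.ROOT);
                buf.setLength(0);
            } else if (c == ';' || c == ',') {
                if (name != null && !name.isEmpty()) hop.putIfAbsent(name, buf.toString().trim());
                name = null;
                buf.setLength(0);
                if (c == ',' && !hop.isEmpty()) { hops.add(hop); hop = new LinkedHashMap<>(); }
            } else {
                buf.append(c);
            }
        }
        return hops;
    }
    /** Scheme to believe: Forwarded counts only when the TCP peer is one of our own proxies. */
    static String effectiveScheme(String header, String peer, boolean tlsHere, Set<String> trusted) {
        String local = tlsHere ? "https" : "http";
        List<Map<String, String>> hops = (header == null || !trusted.contains(peer)) ? List.of() : parse(header);
        if (hops.isEmpty()) return local;
        // The last element was appended by the nearest proxy; earlier ones may be client-supplied.
        String proto = hops.get(hops.size() - 1).get("proto");
        return ("http".equalsIgnoreCase(proto) || "https".equalsIgnoreCase(proto)) ? proto.toLowerCase(Locale.ROOT) : local;
    }
    public static void main(String[] args) {
        // Constructed sample: first element sent by the client, second appended by proxy 10.0.0.5.
        String h = "for=198.51.100.7;proto=http, for=\"[2001:db8::17]:4711\";proto=https;by=10.0.0.5";
        Set<String> proxies = Set.of("10.0.0.5");
        System.out.println(parse(h));
        System.out.println(effectiveScheme(h, "10.0.0.5", false, proxies));    // peer is our proxy
        System.out.println(effectiveScheme(h, "203.0.113.9", false, proxies)); // unknown peer: header ignored
    }
}
```

An element with an unterminated quoted-string is dropped rather than guessed at, so a malformed final element causes a fall back to what the local connection reports.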