jsr369-experts@servlet-spec.java.net

[jsr369-experts] Re: [servlet-spec users] Re: Call for discussion: API for apps to discover protocol version/transport?

From: Wenbo Zhu <wenboz_at_google.com>
Date: Tue, 13 Sep 2016 16:19:22 -0700

On Tue, Sep 13, 2016 at 4:13 PM, Greg Wilkins <gregw_at_webtide.com> wrote:

> Note that there are near infinite permutations and combinations of how
> requests can arrive on an application server, as the protocol from the
> client to the app server can be proxied/translated zero or more times.
> Requests can arrive as clear text http, but have a Forwarded header to show
> that they were actually encrypted h2 on the proxy.
>
Agreed .. e.g. a forward proxy (or any extra proxy in the path) could void
the protocol selection as detected on the server end.


>
> The details and importance of each protocol and delivery method are highly
> dependent on every deployment. Should these new methods report the
> Forwarded protocol? If so, the RFC does not provide information about
> upgrade etc.
>
> I think it is an admirable idea... but is doomed to failure, because as
> soon as you say what values you want returned, a deployment will come up
> with a way to spoof those values to handle their particular mode.
> Essentially this is what has just happened with the forwarded headers, so
> if we want more information about the connection this pattern will repeat
> and in 10 years' time we will have 20 different spoofs, 2 de facto standards
> and an RFC under development, which just as it is accepted we'll think of
> something else desirable to know about the connection and the whole "which
> connection" cycle will repeat.
>
> So I think we are good as is.
>
> However, I think we could say something about how RFC7239 should be
> supported. In fact we could even provide methods to help decode those
> headers.
>
How widely has this been adopted, do you know?


>
> cheers
>
> On 14 September 2016 at 08:33, Stuart Douglas <sdouglas_at_redhat.com> wrote:
>
>> On Wed, Sep 14, 2016 at 4:00 AM, Edward Burns <edward.burns_at_oracle.com>
>> wrote:
>> > Hello Volunteers,
>> >
>> > Currently I am not aware of any standard Servlet API to allow apps to
>> > discover the following
>> >
>> > * What protocol version is in use for the current request?
>>
>> Isn't that what javax.servlet.ServletRequest#getProtocol() is supposed
>> to return?
>>
>> >
>> > * How did we get to that protocol version? Straight to h2? Or upgraded
>> > via 101 Switching Protocols?
>> >
>> > * What transport is being used? h2c or h2? Is ServletRequest.isSecure()
>> > enough?
>> >
>> > I think it might be useful to allow apps to answer these questions.
>>
>> Personally I think that a combination of getProtocol() and isSecure()
>> should provide enough information.
>>
>> Stuart
>>
>> >
>> > Thoughts?
>> >
>> > Ed
>> >
>> > --
>> > | edward.burns_at_oracle.com | office: +1 407 458 0017
>>
>
>
>
> --
> Greg Wilkins <gregw@webtide.com> CTO http://webtide.com
>
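
As an added example (not part of the original thread, and not code from the Servlet specification or any container), here is one way a helper could decode an RFC 7239 `Forwarded` header and report its `proto` only when the request arrived from a known proxy. The class name, method names and the `trustedProxies` set are hypothetical, and the sketch assumes a single trusted proxy hop that always appends its own element.

```java
import java.util.*;
/** Added illustration: class and method names are hypothetical, not part of the Servlet API. */
public class ForwardedHeader {
    /** Splits an RFC 7239 Forwarded value into one name/value map per forwarded-element. */
    static List<Map<String, String>> parse(String header) {
        List<Map<String, String>> hops = new ArrayList<>();
        Map<String, String> hop = new LinkedHashMap<>();
        StringBuilder buf = new StringBuilder();
        String name = null;
        boolean quoted = false;
        for (int i = 0; i <= header.length(); i++) {
            char c = i < header.length() ? header.charAt(i) : ',';  // sentinel ends last element
            if (quoted && c == '\\' && i + 1 < header.length()) { buf.append(header.charAt(++i)); continue; }
            if (c == '"') { quoted = !quoted; continue; }
            if (quoted) { buf.append(c); continue; }  // ',' and ';' inside quotes are data
            if (c == '=' && name == null) {
                name = buf.toString().trim().toLowerCase(Locale.ROOT);
                buf.setLength(0);
            } else if (c == ';' || c == ',') {
                if (name != null) hop.put(name, buf.toString().trim());
                name = null;
                buf.setLength(0);
                if (c == ',' && !hop.isEmpty()) { hops.add(hop); hop = new LinkedHashMap<>(); }
            } else {
                buf.append(c);
            }
        }
        if (quoted) hops.clear();  // unterminated quote: malformed header, trust none of it
        return hops;
    }

    /** peerAddr/peerSecure stand for getRemoteAddr()/isSecure(); trustedProxies is deployment config. */
    static String effectiveProto(String peerAddr, boolean peerSecure, String forwarded,
                                 Set<String> trustedProxies) {
        String direct = peerSecure ? "https" : "http";
        if (forwarded == null || !trustedProxies.contains(peerAddr)) return direct;
        List<Map<String, String>> hops = parse(forwarded);
        // Only the last element was written by the trusted peer; earlier ones are client-controlled.
        String proto = hops.isEmpty() ? null : hops.get(hops.size() - 1).get("proto");
        boolean known = "http".equalsIgnoreCase(proto) || "https".equalsIgnoreCase(proto);
        return known ? proto.toLowerCase(Locale.ROOT) : direct;
    }

    public static void main(String[] args) {
        String h = "proto=https, for=\"[2001:db8::1]:4711\";proto=http";  // constructed sample
        System.out.println(effectiveProto("10.0.0.5", false, h, Set.of("10.0.0.5")));
        System.out.println(effectiveProto("203.0.113.9", false, "proto=https", Set.of("10.0.0.5")));
    }
}
```

In the first call the client-supplied `proto=https` element is ignored because only the element appended by the trusted peer is consulted; in the second the header is ignored entirely because the peer is not a configured proxy.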