Re: [jetty-dev] Modifying the client request after the TLS handshake is complete

Hi,

On Thu, Mar 7, 2024 at 12:06 PM Abel Luck via jetty-dev
<jetty-dev@xxxxxxxxxxx> wrote:
>
> Hello jetty devs!
>
> I am a developer working on implementing proof-of-concepts of an
> upcoming IETF standard, a new HTTP authentication scheme called
> Signature auth [0], or sometimes referred to as "Unprompted Auth"
> (because the client sends the authentication request unprompted by the
> server).

Okay.

> * I need to be able to modify the request headers *after* the TLS
> handshake is complete
> * The `onBegin` listener is the last chance to modify the request
> * ..but the `onBegin` listener fires before the TLS handshake is complete
>
> You can see this in my small demo [1].
>
> I've been banging my head against Jetty internals for a few days now and
> would appreciate some ideas from you all.

See https://www.eclipse.org/lists/jetty-users/msg10154.html.

Are you using BouncyCastle?

You would need to "prime" the connection by making a first request.

We do have Destination.newConnection(), and
ConnectionPool.preCreateConnections(), but they only work at the TCP
level (not at the TLS level).
I'm not sure automatic priming would be easy to do, especially
considering other protocols such as the PROXY protocol, but can you
please open an issue about this?

Right now your solution would be:

// Prime the connection: the first request on a new destination drives
// the TLS handshake to completion before its headers are sent.
// `uri` is the target URI; HttpClient.newRequest() requires one.
client.newRequest(uri).send();

// HttpFields.Mutable.put() takes the header name and value separately.
// Signature auth carries its credentials in the Authorization header.
client.newRequest(uri)
    .headers(h -> h.put("Authorization", "Signature ..."))
    .send();

However, this is not fool-proof in concurrent environments, as the
connection may be stolen by another request.

Open the issue and we'll discuss options there.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
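The "prime, then send" flow from the reply above, written out as an added example (this is not code from the thread or from the Jetty project). It goes one step beyond the reply: Jetty keys destinations, and therefore connection pools, by the object passed to Request.tag(Object), so giving the primer and the signed request a tag that no other request uses gives them a private pool and avoids the stealing the reply warns about. Assumptions: Jetty 12 package names (org.eclipse.jetty.client.Request, not the older client.api subpackage), the default HTTP/1.1 transport, a client configured with one connection per destination, and a caller-supplied `signer` callback that produces the Authorization value after the handshake, since the page does not show how the TLS exporter material is obtained from the JSSE or BouncyCastle session.

```java
import java.net.URI;
import java.util.UUID;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;

import org.eclipse.jetty.client.ContentResponse;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.Request;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.HttpMethod;

/**
 * Two-step Signature-auth flow: prime a connection so the TLS handshake
 * completes, compute the signature, then send the real request on the
 * same connection. The shared tag isolates both requests in their own
 * Jetty destination/connection pool (assumption: Jetty 12 API).
 */
public final class PrimedSignatureAuth {

    private PrimedSignatureAuth() {
    }

    /**
     * @param client an HttpClient configured with maxConnectionsPerDestination = 1
     * @param uri    the resource to request
     * @param signer hypothetical callback computing the Authorization value;
     *               it runs only after the primer has completed the handshake
     */
    public static ContentResponse sendSigned(HttpClient client, URI uri, Callable<String> signer)
            throws Exception {
        // A fresh tag gives this flow a destination that no other request resolves to.
        Object tag = UUID.randomUUID();

        // Step 1: prime. HEAD keeps it cheap; any status (401/403 included) means
        // the handshake is done and the connection is back in the pool, idle.
        Request primer = client.newRequest(uri)
                .method(HttpMethod.HEAD)
                .tag(tag)
                .timeout(10, TimeUnit.SECONDS);
        ContentResponse primed = primer.send();
        if (primed.getStatus() == 0) {
            throw new IllegalStateException("primer got no response from " + uri);
        }

        // Step 2: sign now, after the handshake, then reuse the pooled connection.
        // Caveat: if the server closed the idle connection in between, Jetty
        // transparently opens a new one and the signature is bound to the wrong
        // TLS session; a server following the draft will then reject it.
        String authorization = signer.call();
        return client.newRequest(uri)
                .method(HttpMethod.GET)
                .tag(tag)
                .headers(h -> h.put(HttpHeader.AUTHORIZATION, authorization))
                .timeout(10, TimeUnit.SECONDS)
                .send();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: PrimedSignatureAuth <https-uri> <authorization-value>");
            return;
        }
        HttpClient client = new HttpClient();
        // One pooled connection per (tagged) destination: primer and signed request share it.
        client.setMaxConnectionsPerDestination(1);
        client.start();
        try {
            // Placeholder signer for the demo: a real one derives the value from
            // the exporter material of the now-complete TLS session.
            Callable<String> signer = () -> "Signature " + args[1];
            ContentResponse response = sendSigned(client, URI.create(args[0]), signer);
            System.out.println("status: " + response.getStatus());
        } finally {
            client.stop();
        }
    }
}
```

The tag is what turns the reply's "not fool-proof" into a deterministic pairing: requests without that tag resolve to a different destination, so they cannot acquire the primed connection. The cost is one extra destination per flow, so reuse the tag for subsequent signed requests to the same origin rather than minting one per call, and keep the timeout on the primer so a stalled handshake fails loudly instead of blocking the signer.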