Re: [jetty-users] How to prevent a request URI to be converted to its canonical form?

Hi,

> We built a RESTful web service on top of Jetty and we don't want
> HTTPChannel to convert URI like "/a/../b" and "/.." into "/b" and "/"
> (or error 400) respectively.

...

> HTTPChannel#onFillable() calls URIUtil.canonicalPath() to convert the
> path.

I was confused -- #onFillable() is a method of HTTPConnection and will
eventually trigger HTTPChannel#startRequest().
HTTPChannel#startRequest() will call URIUtil.canonicalPath().


> - Extend HttpChannel to override #onFillable()
> - Extend HttpConnection to replace its private inner class HttpChannelOverHttp
> - Extend HttpConnectionFactory to override #newConnection()
> - Extend nio.NetworkTrafficSelectChannelConnector to override the
>   constructor

I think I want to:

1. Make HttpChannelOverHttp a public class
2. Create a sub-class of HttpChannelOverHttp and override #startRequest()
   not to call URIUtil#canonicalPath()
3. Make HttpConnectionFactory#newConnection() configurable via
   HttpConfiguration so that it will instantiate the sub-class of
   HttpChannelOverHttp

1 and 3 will be the changes in jetty-server. 2 will be a part of our
web service application.


> Perhaps we should contribute a patch for
> Jetty to make this conversion configurable via HttpConfiguration?
> (e.g. <Set name="canonicalizeUri">false</Set>)

This configuration thing will break DefaultHandler if we feed a URI like
"/..", so it won't be a good solution.


Thanks,
Tatsuya

--
Tatsuya Kawano (Mr.)
Tokyo, Japan


2013/5/27 Tatsuya Kawano:
> Hello,
>
> I've got a question about jetty-server. What will be a good way to
> make HTTPChannel not to convert a request path to its canonical form?
> We built a RESTful web service on top of Jetty and we don't want
> HTTPChannel to convert URI like "/a/../b" and "/.." into "/b" and "/"
> (or error 400) respectively.
>
> We're currently using Jetty 8.1.x, and will move to Jetty 9 soon. We
> developed a list of handlers and don't use the default handlers like
> ContextHandlerCollection.
>
> I checked the source code of Jetty 9 and found that
> HTTPChannel#onFillable() calls URIUtil.canonicalPath() to convert the
> path.
>
> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/jetty-server/src/main/java/org/eclipse/jetty/server/HttpChannel.java?h=release-9#n431
>
> We'd prefer not to edit Jetty's source code. But the only way I've
> come up with is to extend HttpChannel and related classes to
> customize the behavior of #onFillable(). This doesn't seem an elegant
> solution as we'll have to extend all of the following classes:
>
> - Extend HttpChannel to override #onFillable()
> - Extend HttpConnection to replace its private inner class HttpChannelOverHttp
> - Extend HttpConnectionFactory to override #newConnection()
> - Extend nio.NetworkTrafficSelectChannelConnector to override the
>   constructor
>
> Is there any better way?  Perhaps we should contribute a patch for
> Jetty to make this conversion configurable via HttpConfiguration?
> (e.g. <Set name="canonicalizeUri">false</Set>)
>
> Thanks,
> Tatsuya
>
> --
> Tatsuya Kawano (Mr.)
> Tokyo, Japan
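
The conversion discussed in this thread, and the check an application has to make for itself once the server no longer canonicalizes the path, as an added example that is not part of the original message and is not Jetty's URIUtil code. The class and method names are hypothetical, the input is assumed to be an absolute, already percent-decoded path, and returning null for a path that climbs above the root stands in for the "error 400" case mentioned above.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration (hypothetical names); not Jetty's URIUtil implementation.
public class DotSegmentGuard {

    // Resolves "." and ".." in an absolute, already percent-decoded path.
    // Returns null when ".." would climb above "/" (the "error 400" case).
    static String canonicalize(String path) {
        if (path == null || !path.startsWith("/")) return null;
        Deque<String> kept = new ArrayDeque<>();
        String[] segs = path.split("/", -1);      // -1 keeps a trailing empty segment
        for (int i = 1; i < segs.length; i++) {   // segs[0] is the text before the leading "/"
            boolean last = (i == segs.length - 1);
            if (segs[i].equals("..")) {
                if (kept.isEmpty()) return null;  // would escape the root
                kept.removeLast();
                if (last) kept.addLast("");       // "/a/b/.." resolves to "/a/"
            } else if (segs[i].equals(".")) {
                if (last) kept.addLast("");       // "/a/." resolves to "/a/"
            } else {
                kept.addLast(segs[i]);
            }
        }
        return "/" + String.join("/", kept);
    }

    // With canonicalization disabled, raw paths reach the handlers. Any handler that
    // maps the path to a file or to an access rule must make this decision itself.
    static String classify(String rawPath) {
        String canonical = canonicalize(rawPath);
        if (canonical == null) return "reject (400)";
        if (!canonical.equals(rawPath)) return "differs from canonical form " + canonical;
        return "already canonical";
    }

    public static void main(String[] args) {
        // Constructed sample paths; the first two are the ones from the thread.
        String[] samples = { "/a/../b", "/..", "/a/b/..", "/static/../../conf", "/a/b" };
        for (String p : samples) {
            System.out.println(p + " -> " + classify(p));
        }
    }
}
```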

