Re: [servlet-dev] CONNECT and getRequestURI ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [servlet-dev] CONNECT and getRequestURI ?

From: Greg Wilkins <gregw@xxxxxxxxxxx>
Date: Wed, 22 Feb 2023 06:42:44 +1100
Delivered-to: servlet-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/servlet-dev/>
List-help: <mailto:servlet-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/servlet-dev>, <mailto:servlet-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/servlet-dev>, <mailto:servlet-dev-request@eclipse.org?subject=unsubscribe>

The main thing is to say that a filter/servlet will never see a connect request. It may be that the server actually handles it or rejects it, but never passes it to the servlet container

On Wed, 22 Feb 2023, 06:01 Mark Thomas, <markt@xxxxxxxxxx> wrote:

It could be either. Making it configurable would be more effort than its
worth.

I have no strong preference for either.

Mark

On 21/02/2023 17:11, Ph. Dinh wrote:
> Can it be either 405 or 501?
> ------------------------------------------------------------------------
> *From:* servlet-dev <servlet-dev-bounces@xxxxxxxxxxx> on behalf of Mark
> Thomas <markt@xxxxxxxxxx>
> *Sent:* Tuesday, February 21, 2023 7:24 AM
> *To:* servlet-dev@xxxxxxxxxxx <servlet-dev@xxxxxxxxxxx>
> *Subject:* Re: [servlet-dev] CONNECT and getRequestURI ?
> On 14/02/2023 23:51, Greg Wilkins wrote:
>>
>> All,
>>
>> I'm not advocating that we support CONNECT. Just asking what should the
>> standard behavior be if we do get a CONNECT request.
>
> Ack.
>
>> Note that the spec saying that CONNECT is not supported is not very
>> strong. It is in the context of the API of the Servlet and not so much a
>> requirement of the server.
>
> Fair enough.
>
>> I'd be happy with a requirement that a CONNECT request be handled with a
>> 405 response.... and then the return from getRequestURI does not matter.
>
> Any objections to a PR to that effect?
>
> Mark
>
>
>>
>> cheers
>>
>>
>>
>>
>> On Tue, 14 Feb 2023 at 22:12, Masao Sato <masato@xxxxxxxxxx
>> <mailto:masato@xxxxxxxxxx <mailto:masato@xxxxxxxxxx>>> wrote:
>>
>>      >I'll note that the Spec document explicitly states that the CONNECT
>>      >method is not supported.
>>
>>     Because of that the CONNECT request could not be treated as a normal
>>     http request,
>>     HttpServlet and HttpServletRequest are not filt to handle it.
>>     The spec has a Servlet and ServletReqeust ( not HttpServletRequest )
>>     interfaces
>>     for generic protocols, all extended methods from ServletRequest except
>>     getMethod()
>>     should throw some exception. and the application should forward to a
>>     servlet which
>>     inherited Servlet ( not HttpServlet ) by calling
>>     ServletRequest#getRequestDispatcher().
>>
>>     Regards,
>>     Masao Sato
>>
>>     2023年2月14日(火) 18:32 Mark Thomas <markt@xxxxxxxxxx
>>     <mailto:markt@xxxxxxxxxx <mailto:markt@xxxxxxxxxx>>>:
>>      >
>>      > On 14/02/2023 00:15, Stuart Douglas wrote:
>>      > > If you don't like null because of the potential for NPEs I
>>     think you
>>      > > could also make a similar argument for the empty string. If
>>     developers
>>      > > are not thinking about connect requests they could assume that
>>     it will
>>      > > always be at least length 1 and you could end up with different
>>     exceptions.
>>      > >
>>      > > Stuart
>>      > >
>>      > > On Tue, 14 Feb 2023 at 11:07, Greg Wilkins <gregw@xxxxxxxxxxx
>>     <mailto:gregw@xxxxxxxxxxx <mailto:gregw@xxxxxxxxxxx>>
>>      > > <mailto:gregw@xxxxxxxxxxx <mailto:gregw@xxxxxxxxxxx
> <mailto:gregw@xxxxxxxxxxx>>>> wrote:
>>      > >
>>      > >
>>      > > So options are now null, "" and "/". Older jetty was "", newer
>>      > > jetty is null and undertow is "/".
>>      > > Where does tomcat land in this? I'm very happy to change
>>     jetty to
>>      > > anything, I just want it to be standard.
>>      > > I think null is probably my least favourite and I'm on
>>     fence with ""
>>      > > vs "/".
>>      >
>>      > Tomcat currently returns a 400 response.
>>      >
>>      > I'll note that the Spec document explicitly states that the CONNECT
>>      > method is not supported.
>>      >
>>      > Unless we think there are web applications that actually want to
>>      > implement CONNECT, I'm leaning towards requiring a 405 response
>>     to all
>>      > CONNECT requests.
>>      >
>>      > I found one request to implement CONNECT on the Tomcat users list
>>     from
>>      > 2016 and I'm not convinced that was the correct solution to the
>>     problem
>>      > the user was facing.
>>      >
>>      > If we do change the spec to permit CONNECT requests, then I think
>>     we'll
>>      > need to:
>>      > - add a doConnect() method to HttpServlet
>>      > - specify the expected value for getRequestURI()
>>      > - specify how the CONNECT request is mapped to a Servlet
>>      >
>>      > Mark
>>      > _______________________________________________
>>      > servlet-dev mailing list
>>      > servlet-dev@xxxxxxxxxxx <mailto:servlet-dev@xxxxxxxxxxx <mailto:servlet-dev@xxxxxxxxxxx>>
>>      > To unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/servlet-dev
> <https://www.eclipse.org/mailman/listinfo/servlet-dev>
>>     <https://www.eclipse.org/mailman/listinfo/servlet-dev
> <https://www.eclipse.org/mailman/listinfo/servlet-dev>>
>>
>>
>>
>>     --
>>     レッドハット株式会社
>>     サービス事業統括本部
>>     佐藤将夫
>>
>>     _______________________________________________
>>     servlet-dev mailing list
>>     servlet-dev@xxxxxxxxxxx <mailto:servlet-dev@xxxxxxxxxxx <mailto:servlet-dev@xxxxxxxxxxx>>
>>     To unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/servlet-dev
> <https://www.eclipse.org/mailman/listinfo/servlet-dev>
>>     <https://www.eclipse.org/mailman/listinfo/servlet-dev
> <https://www.eclipse.org/mailman/listinfo/servlet-dev>>
>>
>>
>>
>> --
>> Greg Wilkins <gregw@xxxxxxxxxxx <mailto:gregw@xxxxxxxxxxx <mailto:gregw@xxxxxxxxxxx>>> CTO
>> http://webtide.com <http://webtide.com> <http://webtide.com
> <http://webtide.com>>
>>
>> _______________________________________________
>> servlet-dev mailing list
>> servlet-dev@xxxxxxxxxxx
>> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev
> <https://www.eclipse.org/mailman/listinfo/servlet-dev>
> _______________________________________________
> servlet-dev mailing list
> servlet-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/servlet-dev
> <https://www.eclipse.org/mailman/listinfo/servlet-dev>
>
> _______________________________________________
> servlet-dev mailing list
> servlet-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev
_______________________________________________
servlet-dev mailing list
servlet-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev

References:
- [servlet-dev] CONNECT and getRequestURI ?
  - From: Greg Wilkins
- Re: [servlet-dev] CONNECT and getRequestURI ?
  - From: Stuart Douglas
- Re: [servlet-dev] CONNECT and getRequestURI ?
  - From: Greg Wilkins
- Re: [servlet-dev] CONNECT and getRequestURI ?
  - From: Stuart Douglas
- Re: [servlet-dev] CONNECT and getRequestURI ?
  - From: Mark Thomas
- Re: [servlet-dev] CONNECT and getRequestURI ?
  - From: Masao Sato
- Re: [servlet-dev] CONNECT and getRequestURI ?
  - From: Greg Wilkins
- Re: [servlet-dev] CONNECT and getRequestURI ?
  - From: Mark Thomas
- Re: [servlet-dev] CONNECT and getRequestURI ?
  - From: Ph. Dinh
- Re: [servlet-dev] CONNECT and getRequestURI ?
  - From: Mark Thomas

Prev by Date: Re: [servlet-dev] CONNECT and getRequestURI ?
Next by Date: Re: [servlet-dev] [jakartaee-platform-dev] What do we exactly dislike in Servlet?
Previous by thread: Re: [servlet-dev] CONNECT and getRequestURI ?
Index(es):
- Date
- Thread

Breadcrumbs