On 03/07/2017 04:18 AM, Alessio Soldano wrote:
On 07/03/2017 10:02, Rostislav Svoboda wrote:
>> I'm looking at https://issues.jboss.org/browse/RESTEASY-1244 "Resteasy
>> swallowing Netty Http decoding exceptions". Netty has a limit on header
>> sizes, but if a too big header arrives, the header just gets ignored. It
>> turns out that netty passes information about the failure into Resteasy,
>> which is ignoring that information.
>>
>> Now, I ran the same test to see what Undertow does, and I get this:
>>
>>
>>> 21:43:37.135 ERROR [io.undertow.request] (XNIO-1 I/O-2) UT005006:
>>> Connection from /127.0.0.1:49488 terminated as request header was
>>> larger than 1048576
>>> RESTEASY004655: Unable to invoke request
> This can be controlled by http listener configuration
>
> rsvoboda rs ~ TESTING 710DR13 $ grep -e max-header-size -e max-headers jboss-eap-7.1/docs/schema/wildfly-undertow_4_0.xsd
> <xs:attribute name="max-header-size" type="xs:long" default="1048576"/>
> <xs:attribute name="max-headers" type="xs:long" default="200"/>
>
>
>> That is, Undertow closes the connection, and all Resteasy can do on the
>> client side is ¯\_(ツ)_/¯ . At first, I thought that the server should
>> send back some useful information, but now I'm thinking that Undertow
>> suspects a Denial of Service situation.
>>
>> That seems to make sense. Now, in resteasy-netty4, the fact of the long
>> header is communicated to Resteasy, and I'm thinking that Resteasy
>> should do the same thing.
Possibly. However, wouldn't it be a container (netty here)
responsibility to take this action (closing the connection)?

That makes sense to me, but netty just doesn't do that. Maybe there's a
way to install a user extension to make that happen - I don't know
enough about netty. But in any case, it looks like its default behavior
is just to inform the application about the problem.

Anyway, I'm fine with RESTEasy doing that in this case.

Ok, good. Thanks, Alessio.

Alessio
>> What do you think?
>>
>> -Ron
>>
>> --
>> My company's smarter than your company (unless you work for Red Hat)
>>
>> _______________________________________________
>> resteasy-dev mailing list
>> resteasy-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/resteasy-dev
>>
--
My company's smarter than your company (unless you work for Red Hat)
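
The behaviour discussed in this thread (Netty 4 marks an over-long header as a decoder failure and hands the message on, rather than closing the connection as Undertow does) can be seen in the following added example, which is not part of the original messages and is not Resteasy's code or the change made for RESTEASY-1244. It assumes Netty 4.1 on the classpath; the class names and the 64-byte header limit are constructed for the demonstration.

```java
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.DecoderResult;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpRequestDecoder;
import io.netty.util.CharsetUtil;
import io.netty.util.ReferenceCountUtil;

public class DecoderFailureDemo {

    /** Hypothetical handler: sits after the HTTP decoder, before the application handler. */
    static class CloseOnDecoderFailure extends ChannelInboundHandlerAdapter {
        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) {
            if (msg instanceof HttpObject) {
                // The decoder does not throw; it attaches the failure to the message.
                DecoderResult result = ((HttpObject) msg).decoderResult();
                if (result.isFailure()) {
                    System.err.println("closing connection, decode failed: " + result.cause());
                    ReferenceCountUtil.release(msg);
                    ctx.close();   // same outcome as Undertow: drop the connection
                    return;        // never hand the broken request to the application
                }
            }
            ctx.fireChannelRead(msg);
        }
    }

    public static void main(String[] args) {
        // Constructed limits: 4096-byte request line, 64-byte headers, 8192-byte chunks.
        EmbeddedChannel ch = new EmbeddedChannel(
                new HttpRequestDecoder(4096, 64, 8192),
                new CloseOnDecoderFailure());

        // Constructed request whose header block exceeds the 64-byte limit.
        StringBuilder big = new StringBuilder();
        for (int i = 0; i < 200; i++) {
            big.append('a');
        }
        String request = "GET /test HTTP/1.1\r\nHost: localhost\r\nX-Big: " + big + "\r\n\r\n";
        ch.writeInbound(Unpooled.copiedBuffer(request, CharsetUtil.US_ASCII));

        Object forwarded = ch.readInbound();   // what the application handler would receive
        System.out.println("channel open: " + ch.isOpen());
        System.out.println("forwarded to application: " + forwarded);
    }
}
```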