Issue with Undertow Client and SSL
by Thomas Segismont
Hi,
Openshift Origin uses Hawkular Metrics to store node and container data. In
this scenario, Hawkular Metrics calls the Kubernetes master server over
HTTPS to validate the client identity. This is implemented with Undertow
Client, as part of a ServletExtension (inside Wildfly 10) [1]. Works fine
in development and testing.
Now the Openshit team sees errors in the logs [2][3]. I couldn't reproduce
yet. Errors come in pair, first the "UT005001: An exception occurred
processing the request: java.lang.IllegalStateException: XNIO000017: Buffer
was already freed", and just after "XNIO001007: A channel event listener
threw an exception: java.lang.NullPointerException".
Does that ring a bell? I haven't been able to find a starting point by
looking into the source the code.
Thanks
--
Thomas Segismont
JBoss ON Engineering Team
[1] https://git.io/vrNyP
[2] https://issues.jboss.org/browse/HWKMETRICS-408
[3] https://issues.jboss.org/secure/attachment/12405779/hawkular.log
1 week, 5 days
Correctly shutting down a websocket handler
by Robin Anil
When a client disconnects, I see that onClose is not being fired. The only
way this seems to be firing if client sents a close frame.
Is there any way to detect disconnection and immediately close all the
opened resources.
Robin
Robin Anil | Software Engineer
2 years, 5 months
Question regarding max-post-size
by David Robison
I have created a REST interface that receives a continuous stream of JPEGs from a video decoder for the purpose of writing then to a disk file. The service is defined as:
@POST
@Consumes("*/*")
@Path("/Receive/{videoId}")
public Response receiveVideo(@PathParam("videoId") String videoId, InputStream content)
Everything works fine up until it reaches the max-post-size and then the connection is terminated. Is there any way to disable the max-post-size when streaming video to a REST interface?
Thanks, David
David R Robison
Senior Systems Engineer
O. +1 512 247 3700
M. +1 757 286 0022
david.robison(a)psgglobal.net<mailto:david.robison@psgglobal.net>
www.psgglobal.net<http://www.psgglobal.net/>
Prometheus Security Group Global, Inc.
3019 Alvin Devane Boulevard
Building 4, Suite 450
Austin, TX 78741
9 years, 7 months
Problem using two PathHandlers
by electrotype
Hi,
I'm using Undertow 1.2.12.Final (for its Java 7 compatibility).
Let's says I have an /exact /path "/aaa/bbb" for which I want to chain two handlers managed by two
PathHandlers:
- a SecurityInitialHandler
- a ResourceHandler
In other words, the "/aaa/bbb" exact path is a static resource and is protected.
The problem I found is that if the first PathHandler (the one for the SecurityInitialHandler)
matches, then this code is called, in io.undertow.server.handlers.PathHandler#handleRequest(...) :
/exchange.setRelativePath(match.getRemaining());/
The "/aaa/bbb" path fully matches so the exchange's relativePath is set to "" after that match.
Then, the seconds PathHandler (the one for ResourceHandler) is run. The matching is done using:
/match = pathMatcher.match(exchange.getRelativePath());/
Since the relative path is now "", and not "/aaa/bbb", the ResourceHandler for "/aaa/bbb" is not
used, even if it exists.
Worst, since the relative path is now "", the path to match will actually be converted to "/". This
is because of io.undertow.util.PathMatcher#getExactPath(...) :
/return exactPathMatches.get(URLUtils.normalizeSlashes(path));/
The /normalizeSlashes(path)/ method convert "" to "/".
This means that the /default handler/ of the second PathHandler will be used for "/aaa/bbb". If the
"/" static resource exists, it will be served instead of the "/aaa/bbb" resource.
Maybe I'm missing something about PathHandlers though... Any tips?
Thanks!
Julien
9 years, 7 months
Top level access to servlet request
by Jack Ding
Hi,
Is there a method or workaround that would allow the the initial level
Handler (e.g., PathHandler) for an undertow server access
HttpServletRequest and HttpServletResponse? I am trying to switch our
server from Embedded Jetty, in which the initial handler does some
processing using the HttpServletRequest and Response before matching and
delegating to the appropriate ServletContextHandler, however in Undertow it
seems these are not created (via ServletRequestContext) until after the
matching.
Thank you,
Jack
9 years, 8 months
WebSocket sending back pressure
by peter royal
I am finding that sometimes I have WebSocket connections that are unable
to flush messages out the socket at the rate I am generating messages.
I'm using the core.WebSockets class to send messages. Is it possible to
achieve this with what exists currently? My initial guess is no..
conceptually it would be nice for core.WebSockets to return a
CompletableFuture-style object that would let me get a callback when the
message is sent, or have the ability to cancel it if it is still sitting
in the send queue.
I'm happy to help build something into Undertow if it is a welcome
addition.
-pete
--
(peter.royal|osi)(a)pobox.com - http://fotap.org/~osi
9 years, 8 months
Is a large number of IO threads acceptable?
by Chandru
If I have a HTTP service where every request requires a blocking JDBC call,
is it acceptable to increase the number of IO threads to a large value
(say, 10*cores) instead of dispatching to worker thread pool on each
request?
Will configuring such a large number of IO threads lead to any adverse
effect on throughput or latency?
--
Chandra Sekar.S
9 years, 8 months
Asynchronous AuthenticationMechanism
by Oliver Dain
The docs for security (
http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#security)
say:
> Security within Undertow is implemented as a set of asynchronous handlers
and a set of authentication mechanisms co-ordinated by these handlers.
However, it appears that the IdentityManager and AuthenticationMechanism
APIs are synchronous. For example, suppose I want to do simple
username/password authentication using FormAuthenticationMechanism. That
will use the IdentityManager on the SecurityContext to determine if the
username/password is valid. For me that would require a database lookup and
I'd like to do that asynchronously. However, the IdentityManager.verify API
requires an immediate response so I have to do a block database lookup.
Since I've been super careful to do everything in all my handlers async and
have exactly 1 thread per core this seems like a significant stumbling
block.
2 questions:
1. Is there a way to do something like I'm describing in an async manner?
2. Why is security "special" using a SecurityContext, different APIs, etc.
Couldn't it all have been implemented in terms of regular HttpHandler? That
would make it the API smaller and make it possible to do async
authentication.
Thanks,
Oliver
--
CTO, Analytic Spot
44 West Broadway #222
Eugene, OR 97401
analyticspot.com • 425-296-6556
www.linkedin.com/in/oliverdain
9 years, 8 months
Redirects during the handshake of a WebSocket upgrade request
by electrotype
Hi,
I see some people think the HTTP request for a WebSocket upgrade shouldn't honnor 301/302 redirects.
But the spec seems to say it is ok:
"/If the status code received from the server is not 101, the//
//client handles the response per HTTP [RFC2616] procedures. In//
//particular, the client might perform authentication if it//
//receives a 401 status code; the server might redirect the client//
//using a 3xx status code (but clients are not required to follow//
//them), etc. Otherwise, proceed as follows/."
"/The server MAY redirect the client using a 3xx status code//
//[RFC2616]. Note that this step can happen together with, before,//
//or after the optional authentication step described above./"
https://tools.ietf.org/html/rfc6455
In the version of Undertow I use, 1.2.12.Final, I see that the redirect response is handled by
/org.xnio.http.HttpUpgrade/ :
private void handleRedirect(final HttpUpgradeParser parser) {
List<String> location = parser.getHeaders().get("location");
future.setException(new RedirectException(msg.redirect(), parser.getResponseCode(), location ==
null ? null : location.get(0)));
}
Is it the same behavior in most recent Undertow releases?
Related discussion: https://github.com/sta/websocket-sharp/issues/42
Thanks,
Julien
9 years, 8 months
permessage-deflate extension is not supported, getInstalledExtensions() returns empty set in ServerWebSocketContainer.java
by PingShan Li
--- Problem:
client's request for compression is ignored.
The client sends the request for compression:
Sec-WebSocket-Extensions: permessage-deflate; client_no_context_takeover; client_max_window_bits\r\n
Webserver receives the client request,
org.springframework.web.socket.server.support.AbstractHandshakeHandler.java:
doHandshake function: try to see if requested extension is supported
String subProtocol = selectProtocol(headers.getSecWebSocketProtocol(), wsHandler);
List<WebSocketExtension> requested = headers.getSecWebSocketExtensions();
List<WebSocketExtension> supported = this.requestUpgradeStrategy.getSupportedExtensions(request);
List<WebSocketExtension> extensions = filterRequestedExtensions(request, requested, supported);
getSupportedExtensions calls into the following function, which always returns empty set for installed extensions.
io.undertow.websockets.jsr.ServerWebSocketContainer.java:
public Set<Extension> getInstalledExtensions() {
return Collections.emptySet();
}
My question is:
how to tell spring framework that the permessage-deflate extension is supported by undertow?
Environement:
Undertow 1.3.22 Final is used by springframework:
+- org.springframework.boot:spring-boot-starter-undertow:jar:1.3.5.RELEASE:compile
[INFO] | | +- io.undertow:undertow-core:jar:1.3.22.Final:compile
[INFO] | | +- io.undertow:undertow-servlet:jar:1.3.22.Final:compile
[INFO] | | +- io.undertow:undertow-websockets-jsr:jar:1.3.22.Final:compile
Thanks
9 years, 8 months
