[jboss-jira] [JBoss JIRA] (JBWEB-238) HTTP Upgrade API Broken
Remy Maucherat (JIRA)
jira-events at lists.jboss.org
Fri Apr 13 04:24:47 EDT 2012
[ https://issues.jboss.org/browse/JBWEB-238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12683769#comment-12683769 ]
Remy Maucherat commented on JBWEB-238:
--------------------------------------
I dislike this change (and the patch is kinda hacky, way more likely to cause problems than fix anything) since it pretty much goes against the event API's intended behavior. So you shouldn't plan on supporting the oldest drafts (I see 00 is affected, but 07 already uses a safer process) in the current AS 7 branch since I am not going to put in something too risky.
I am also not convinced the older websocket upgrades fit into the HTTP spec, since 101 does sound like a "no content" status code.
Looking at the 00 spec, it does not look like very good HTTP:

        GET /demo HTTP/1.1
        Host: example.com
        Connection: Upgrade
        Sec-WebSocket-Key2: 12998 5 Y3 1 .P00
        Sec-WebSocket-Protocol: sample
        Upgrade: WebSocket
        Sec-WebSocket-Key1: 4 @1 46546xW%0l 1 5
        Origin: http://example.com

        ^n:ds[4U

And the response is:

        HTTP/1.1 101 WebSocket Protocol Handshake
        Upgrade: WebSocket
        Connection: Upgrade
        Sec-WebSocket-Origin: http://example.com
        Sec-WebSocket-Location: ws://example.com/demo
        Sec-WebSocket-Protocol: sample

        8jKS'y:G*Co,Wxa-

There is no content delimitation at all, so this is not a valid HTTP request/response unless the connection is closed to indicate the end of the content (the servlet itself must also know by itself how many bytes it needs to read otherwise it is certain to block). I would prefer not adding support for something broken.
> HTTP Upgrade API Broken
> -----------------------
>
> Key: JBWEB-238
> URL: https://issues.jboss.org/browse/JBWEB-238
> Project: JBoss Web
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: JBossWeb-7.0.13.GA
> Environment: Any
> Reporter: Mike Brock
> Assignee: Remy Maucherat
> Attachments: JBossWeb.patch
>
>
> The HTTP Upgrade API currently does not permit reading and writing to the ServletOutputStream and ServletInputStream during the initial negotiation. All of the data is swallowed until after the negotiation and head exchange.
> Unfortunately this is insufficient as some WebSocket Draft Specifications rely on data within the body of the request and response as part of the handshake.
> The attached patch fixes this problem.
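
Added example (not part of the original message or of JBoss Web): Python code for the framing problem raised in the comment above, where the draft-00 request declares no body to an HTTP parser, yet the handshake needs exactly 8 bytes after the headers. The key values with five spaces each follow the draft's sample and are an assumption, as are all function names.

```python
import hashlib
import struct

# Constructed input: the draft-00 sample handshake. Each key has five spaces
# (assumption, per the draft's sample); the last 8 bytes are the challenge.
REQUEST = (
    b"GET /demo HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key2: 12998 5 Y3 1  .P00\r\n"
    b"Sec-WebSocket-Protocol: sample\r\n"
    b"Upgrade: WebSocket\r\n"
    b"Sec-WebSocket-Key1: 4 @1  46546xW%0l 1 5\r\n"
    b"Origin: http://example.com\r\n\r\n"
    b"^n:ds[4U"
)

def split_message(raw):
    """Return (headers with lowercased names, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        # Drop only the separator space: spaces inside the keys are significant.
        headers[name.strip().lower()] = value[1:] if value[:1] == b" " else value
    return headers, rest

def http_body_length(headers):
    """Body length a generic HTTP/1.1 request parser would assume."""
    if b"transfer-encoding" in headers:
        return None  # chunked: the length comes from the chunk framing
    return int(headers.get(b"content-length", b"0"))

def key_number(key):
    """Draft-00 rule: the key's digits as an integer, divided by its space count."""
    digits = int(bytes(c for c in key if 48 <= c <= 57))
    spaces = key.count(b" ")
    if spaces == 0 or digits % spaces:
        raise ValueError("malformed Sec-WebSocket-Key")
    return digits // spaces

def challenge_response(headers, trailing):
    """Needs exactly 8 trailing bytes that HTTP framing never announced."""
    if len(trailing) < 8:
        raise ValueError("challenge incomplete; a blocking read would hang here")
    n1 = key_number(headers[b"sec-websocket-key1"])
    n2 = key_number(headers[b"sec-websocket-key2"])
    return hashlib.md5(struct.pack(">II", n1, n2) + trailing[:8]).digest()
```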