[jboss-jira] [JBoss JIRA] (JBWEB-238) HTTP Upgrade API Broken
Remy Maucherat (JIRA)
jira-events at lists.jboss.org
Fri Apr 13 12:17:52 EDT 2012
[ https://issues.jboss.org/browse/JBWEB-238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12683988#comment-12683988 ]
Remy Maucherat commented on JBWEB-238:
--------------------------------------
My biggest problem is the HTTP looks broken :( Are you sure that these really early clients are going to understand the HTTP responses from AS right anyway? It's a bit more freeform than the binary blobs that were included in the spec "document" back then.
OTOH, I don't see anything in the response header here ...
HTTP/1.1 101 WebSocket Protocol Handshake
Upgrade: WebSocket
Connection: Upgrade
Sec-WebSocket-Origin: http://example.com
Sec-WebSocket-Location: ws://example.com/demo
Sec-WebSocket-Protocol: sample
... that depends on the "^n:ds[4U" thingie from the request "body", which means that strictly speaking the response "body" can be generated later (= in another event after the BEGIN, like a READ with "^n:ds[4U"). Since this is not HTTP, it's not unreasonable, but it does increase complexity of the servlet. I don't know if the IO works with that at the moment, though, I'd need to test it.
Also, it has been stated that the old websocket protocol versions were insecure, I remember Firefox blacklisted websocket at the time for example. Is it really a good idea to support all of them? (I try to avoid the security people now ...)
> HTTP Upgrade API Broken
> -----------------------
>
> Key: JBWEB-238
> URL: https://issues.jboss.org/browse/JBWEB-238
> Project: JBoss Web
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: JBossWeb-7.0.13.GA
> Environment: Any
> Reporter: Mike Brock
> Assignee: Remy Maucherat
> Attachments: JBossWeb.patch
>
>
> The HTTP Upgrade API currently does not permit reading and writing to the ServletOutputStream and ServletInputStream during the initial negotiation. All of the data is swallowed until after the negotiation and head exchange.
> Unfortunately this is insufficient as some WebSocket Draft Specifications rely on data within the body of the request and response as part of the handshake.
> The attached patch fixes this problem.
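Added example, not part of the original message or of JBoss Web: how the 16-byte response "body" of the old draft-76 handshake is derived from the two Sec-WebSocket-Key headers plus the 8 request "body" bytes, which is why the response body can only be written once those bytes have been read. The key header values are the sample handshake from the draft-hixie-thewebsocketprotocol-76 text (only "^n:ds[4U" appears in the comment above); the function names and the 32-bit range check are assumptions of this example.

```python
import hashlib
import struct


class HandshakeError(ValueError):
    """Raised when the handshake input cannot yield a valid challenge response."""


def key_number(key: str) -> int:
    """Decode a Sec-WebSocket-Key1/Key2 value: its digits, divided by its space count."""
    digits = "".join(c for c in key if "0" <= c <= "9")
    spaces = key.count(" ")
    if not digits or spaces == 0:
        raise HandshakeError("key has no digits or no spaces")
    number = int(digits)
    if number % spaces != 0:
        raise HandshakeError("key number is not a multiple of the space count")
    part = number // spaces
    if part > 0xFFFFFFFF:
        # Defensive check added for this example so the value packs into 4 bytes.
        raise HandshakeError("key part does not fit in 32 bits")
    return part


def challenge_response(key1: str, key2: str, key3: bytes) -> bytes:
    """Return the 16-byte response body: MD5(part1 || part2 || key3)."""
    if len(key3) != 8:
        # The 8 body bytes may arrive in a later read than the headers, so the
        # caller has to wait for all of them before producing the response body.
        raise HandshakeError("need exactly 8 body bytes, got %d" % len(key3))
    packed = struct.pack(">II", key_number(key1), key_number(key2))
    return hashlib.md5(packed + key3).digest()


# Sample handshake values from the draft-76 text.
KEY1 = "4 @1  46546xW%0l 1 5"   # Sec-WebSocket-Key1
KEY2 = "12998 5 Y3 1  .P00"     # Sec-WebSocket-Key2
KEY3 = b"^n:ds[4U"              # the 8 bytes after the request headers

if __name__ == "__main__":
    print(challenge_response(KEY1, KEY2, KEY3))
```
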