[undertow-dev] Equivalents to Tomcat/JBossWeb valves and options

[James Livingston]

On Tue, 2013-04-30 at 19:00 +1000, Stuart Douglas wrote:
> > The most commonly used Tomcat -D option is
> > org.apache.catalina.STRICT_SERVLET_COMPLIANCE=false. When it's
> > discussed, it always seems to be added for the effect of not enforcing
> > "any wrapped request or response object passed to an application
> > dispatcher will be checked to ensure that it has wrapped the original
> > request or response. (SRV.8.2 / SRV.14.2.5.1)". Undertow enforces that
> > clause.
> 
> I will add this option. I think this should be modifiable per 
> deployment, as well as per server. For a lot of these options I am 
> thinking we have a servlet settings option in the config, which can then 
> be overridden in jboss-web.xml.
> 
> I don't really want to have things setup via system properties.

That sounds good to me, and I agree system properties should be a last
resort.


> At the moment this limit is hard coded, but that should be fixed up 
> soon. This can only be modified on a global level, as this happens 
> before it is dispatched to a servlet application. We also use 
> SecureHashMap in some places, which will throw an exception if there are 
> two many hash collisions. Looks like cookie handler is vulnerable at the 
> moment, I will fix that up tomorrow.

That sounds good. I haven't checked if there are others around, but can
take a look.


> Undertow does not re-size buffers, it uses fixed size direct buffers for 
> the most part. We are still using Jasper for JSP though, so I will look 
> into this option.

I haven't tested, but I think the existing system property would still
get picked up. It wouldn't be as nice as proper configuration options
but I don't think it's changeable without hacking the Jasper code.


Do you want me to go through and file JIRAs for all the things I
mentioned?

-- 
James "Doc" Livingston
JBoss Support Engineering Group