Posted to users@tomcat.apache.org by Brad McEvoy <br...@fuselms.com> on 2013/02/11 21:14:46 UTC

disable handling of expect:continue

Hi,

I'm the author of milton.io, a webdav server library.

Many webdav clients use the Expect header with value of Continue, for 
the purpose of validating authorisation, and if necessary challenging 
for a login, prior to uploading files. Unfortunately tomcat sends the 
100 Continue response (so the client continues the upload) before 
invoking the servlet so the semantics of that header are broken, and any 
possible benefit is lost.

I found this discussion from some years ago:
http://mail-archives.apache.org/mod_mbox/tomcat-users/200609.mbox/%3Cc7eb567e0609050746m296ecf19jce1d3dbf54aa0417@mail.gmail.com%3E

With this as the conclusion by Bill Barker
"it's not a parameter, and never will be. Sending "100 Continue" is required
by the HTTP/1.1 RFC, so Tomcat does that."

Has there been any progress with this? Can anyone suggest a way to 
disable this "feature" short of hacking tomcat?

Thanks,
Brad

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: disable handling of expect:continue

Posted by Brad McEvoy <br...@fuselms.com>.
Hi Christopher,

Yes, we need Tomcat to let the servlet send the 100 response

Apparently weblogic doesn't (or didn't) handle Expects so I added it to 
milton, and it seems to work ok:
http://lists.justthe.net/pipermail/milton-users/2010-October/000791.html

What would be required from the server side is that when the client 
sends the body of the request this appears to the servlet as a second 
request but with the same headers as the original request, minus the 
Expects header. Eg

Request1
1. Client sends headers to server, including Expect: Continue
2. Server invokes servlet
3. Servlet sees request and responds with status 100
Request2
4. Client sends body to server (ie no headers)
5. Server invokes servlet with original headers (Request2 is on same TCP 
connection as Request1)
6. Servlet now has headers and body so executes the request as normal

If it's too hard to carry over the headers from Request1 to Request2 then 
that's not necessarily a problem, as long as there's some way for the 
servlet to connect the two requests. Eg if there's some identifier for 
the TCP connection, for example, that would be sufficient.

Thanks,
Brad


On 13/02/13 03:23, Christopher Schultz wrote:
> Brad,
>
> On 2/11/13 4:02 PM, Brad McEvoy wrote:
>> On 12/02/13 09:53, Mark Thomas wrote:
>>>>> Can anyone suggest a way to disable this "feature" short of
>>>>> hacking tomcat?
>>> You don't want to disable sending 100 Continue responses.
>>>
>>> Ideally, you want to delay when it is sent until after any
>>> authentication (so the 401 goes back to the client before they
>>> send the body).
>>>
>>> I'm not sure how feasible that would be.
>>>
>>> Is your servlet generating the 401? If it was a standard
>>> authenticator generating the 401 it might be doable. If it is a
>>> user servlet then that is going to be trickier. It doesn't help
>>> that the Servlet API has no mechanism for sending a 101.
>> The milton servlet handles the acknowledgement cycle, including
>> authorisation checks and 401 response if needed.
>>
>> All that's needed is a container wide parameter to simply ignore
>> Expect headers. I'd be happy to poke around in tomcat's innards and
>> perhaps submit a patch. Would this be in the Http11Processor?
>>
>> Yep, sadly the servlet API seems to have completely overlooked this
>> and so everyone has to figure out their own way of dealing with it
> I'm speaking from a fairly ignorant position, but I'm curious: are you
> asking if Tomcat could simply step out of the way in these cases and
> allow the servlet to send its own response when Expect: Continue is
> present in the request?
>
> Mark, at the point in the request-processing when the 100 Continue is
> sent, has the context already been chosen? If so, could we add a
> configuration parameter on the context to disable auto-handling of
> Expect:Continue/100-Continue, or is it not as simple as I make it out
> to be? Is it even possible for a servlet to handle a 100-Continue
> response entirely on its own without collusion with the container?
>
> -chris
>




Re: disable handling of expect:continue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Brad,

On 2/11/13 4:02 PM, Brad McEvoy wrote:
> On 12/02/13 09:53, Mark Thomas wrote:
>>>> Can anyone suggest a way to disable this "feature" short of
>>>> hacking tomcat?
>> You don't want to disable sending 100 Continue responses.
>> 
>> Ideally, you want to delay when it is sent until after any 
>> authentication (so the 401 goes back to the client before they
>> send the body).
>> 
>> I'm not sure how feasible that would be.
>> 
>> Is your servlet generating the 401? If it was a standard
>> authenticator generating the 401 it might be doable. If it is a
>> user servlet then that is going to be trickier. It doesn't help
>> that the Servlet API has no mechanism for sending a 101.
> The milton servlet handles the acknowledgement cycle, including 
> authorisation checks and 401 response if needed.
> 
> All that's needed is a container wide parameter to simply ignore
> Expect headers. I'd be happy to poke around in tomcat's innards and
> perhaps submit a patch. Would this be in the Http11Processor?
> 
> Yep, sadly the servlet API seems to have completely overlooked this
> and so everyone has to figure out their own way of dealing with it

I'm speaking from a fairly ignorant position, but I'm curious: are you
asking if Tomcat could simply step out of the way in these cases and
allow the servlet to send its own response when Expect: Continue is
present in the request?

Mark, at the point in the request-processing when the 100 Continue is
sent, has the context already been chosen? If so, could we add a
configuration parameter on the context to disable auto-handling of
Expect:Continue/100-Continue, or is it not as simple as I make it out
to be? Is it even possible for a servlet to handle a 100-Continue
response entirely on its own without collusion with the container?

-chris


Re: disable handling of expect:continue

Posted by Brad McEvoy <br...@fuselms.com>.
On 13/02/13 03:56, Konstantin Kolinko wrote:
> Certainly not. Have you read the source code, or only that old thread?
No, was just looking at the old thread. It's been a while since I dug 
around in tomcat.
> The processor is
>
> The method that sends acknowledgment is
> o.a.catalina.connector.Response.sendAcknowledgement().
>
> 1) Acknowledgment happens in StandardContextValve or in FormAuthenticator.
>
> 2) Looking at stacktraces in Bugzilla reports, authentication happens
> before StandardContextValve is involved.  Doesn't it already work for
> you?
Milton users normally don't use container managed authentication
>
> How is your authentication configured?
Milton delegates authentication to Resource implementations, and 
authorisation is a second step
>
> 3) It probably would not work if Tomcat is behind HTTPD, as AJP
> processors do not have this feature (ActionCode.ACK).
Just to confirm, so are you saying that HTTPD will always send a 100 
response?

Thanks!



Re: disable handling of expect:continue

Posted by Konstantin Kolinko <kn...@gmail.com>.
2013/2/12 Brad McEvoy <br...@fuselms.com>:
> On 12/02/13 09:53, Mark Thomas wrote:
>>>
>>> >Can anyone suggest a way to
>>> >disable this "feature" short of hacking tomcat?
>>
>> You don't want to disable sending 100 Continue responses.
>>
>> Ideally, you want to delay when it is sent until after any
>> authentication (so the 401 goes back to the client before they send the
>> body).
>>
>> I'm not sure how feasible that would be.
>>
>> Is your servlet generating the 401? If it was a standard authenticator
>> generating the 401 it might be doable. If it is a user servlet then that
>> is going to be trickier. It doesn't help that the Servlet API has no
>> mechanism for sending a 101.
>
> The milton servlet handles the acknowledgement cycle, including
> authorisation checks and 401 response if needed.
>
> All that's needed is a container wide parameter to simply ignore Expect
> headers. I'd be happy to poke around in tomcat's innards and perhaps submit
> a patch. Would this be in the Http11Processor?

Certainly not. Have you read the source code, or only that old thread?
The processor is

The method that sends acknowledgment is
o.a.catalina.connector.Response.sendAcknowledgement().

1) Acknowledgment happens in StandardContextValve or in FormAuthenticator.

2) Looking at stacktraces in Bugzilla reports, authentication happens
before StandardContextValve is involved.  Doesn't it already work for
you?

How is your authentication configured?

3) It probably would not work if Tomcat is behind HTTPD, as AJP
processors do not have this feature (ActionCode.ACK).

>
> Yep, sadly the servlet API seems to have completely overlooked this and so
> everyone has to figure out their own way of dealing with it
>

Best regards,
Konstantin Kolinko



Re: disable handling of expect:continue

Posted by Brad McEvoy <br...@fuselms.com>.
On 12/02/13 09:53, Mark Thomas wrote:
>> >Can anyone suggest a way to
>> >disable this "feature" short of hacking tomcat?
> You don't want to disable sending 100 Continue responses.
>
> Ideally, you want to delay when it is sent until after any
> authentication (so the 401 goes back to the client before they send the
> body).
>
> I'm not sure how feasible that would be.
>
> Is your servlet generating the 401? If it was a standard authenticator
> generating the 401 it might be doable. If it is a user servlet then that
> is going to be trickier. It doesn't help that the Servlet API has no
> mechanism for sending a 101.
The milton servlet handles the acknowledgement cycle, including 
authorisation checks and 401 response if needed.

All that's needed is a container wide parameter to simply ignore Expect 
headers. I'd be happy to poke around in tomcat's innards and perhaps 
submit a patch. Would this be in the Http11Processor?

Yep, sadly the servlet API seems to have completely overlooked this and 
so everyone has to figure out their own way of dealing with it





Re: disable handling of expect:continue

Posted by Mark Thomas <ma...@apache.org>.
On 11/02/2013 20:14, Brad McEvoy wrote:
> Hi,
> 
> I'm the author of milton.io, a webdav server library.
> 
> Many webdav clients use the Expect header with value of Continue, for
> the purpose of validating authorisation, and if necessary challenging
> for a login, prior to uploading files. Unfortunately tomcat sends the
> 100 Continue response (so the client continues the upload) before
> invoking the servlet so the semantics of that header are broken, and any
> possible benefit is lost.
> 
> I found this discussion from some years ago:
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200609.mbox/%3Cc7eb567e0609050746m296ecf19jce1d3dbf54aa0417@mail.gmail.com%3E
> 
> 
> With this as the conclusion by Bill Barker
> "it's not a parameter, and never will be. Sending "100 Continue" is
> required
> by the HTTP/1.1 RFC, so Tomcat does that."
> 
> Has there been any progress with this?

No movement I am aware of.

> Can anyone suggest a way to
> disable this "feature" short of hacking tomcat?

You don't want to disable sending 100 Continue responses.

Ideally, you want to delay when it is sent until after any
authentication (so the 401 goes back to the client before they send the
body).

I'm not sure how feasible that would be.

Is your servlet generating the 401? If it was a standard authenticator
generating the 401 it might be doable. If it is a user servlet then that
is going to be trickier. It doesn't help that the Servlet API has no
mechanism for sending a 101.

Mark
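
The ordering discussed in this thread (the 401 goes back before the client sends the body, and 100 Continue is sent only once the credentials check out) is shown at the wire level in the sketch below. It is an added example, not code from Tomcat or milton: it uses the `handle_expect_100` hook of Python's `http.server`, and the credentials, realm, path and loopback server are constructed for the demo.

```python
import base64, hmac, socket, threading
from http.server import BaseHTTPRequestHandler
from socketserver import TCPServer

class AuthFirstHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    GOOD = b"Basic " + base64.b64encode(b"demo:demo-pass")  # constructed credential
    def handle_expect_100(self):       # headers are parsed, no body read yet
        got = self.headers.get("Authorization", "").encode("latin-1", "replace")
        if hmac.compare_digest(got, self.GOOD):
            return super().handle_expect_100()   # writes "100 Continue"
        self.send_response(401)                  # final status instead of 100
        self.send_header("WWW-Authenticate", 'Basic realm="dav"')
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")  # never wait for the unsent body
        self.end_headers()
        return False                             # do_PUT is not called

    def do_PUT(self):                            # reached only after the 100
        self.rfile.read(int(self.headers["Content-Length"]))
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()

def read_status(f):
    status = int(f.readline().split()[1])
    while f.readline().strip():                  # skip headers up to blank line
        pass
    return status

def put(addr, body, auth=None):
    head = f"PUT /f HTTP/1.1\r\nHost: x\r\nExpect: 100-continue\r\nContent-Length: {len(body)}\r\n"
    head += f"Authorization: {auth.decode()}\r\n" if auth else ""
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(head.encode() + b"\r\n")       # headers only, then wait
        f, sent = s.makefile("rb"), 0
        statuses = [read_status(f)]
        if statuses[0] == 100:                   # upload only after the go-ahead
            s.sendall(body)
            sent = len(body)
            statuses.append(read_status(f))
        return statuses, sent

def demo():
    with TCPServer(("127.0.0.1", 0), AuthFirstHandler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        addr, body = srv.server_address, b"x" * 1024
        results = put(addr, body), put(addr, body, AuthFirstHandler.GOOD)
        srv.shutdown()
        return results
```

`demo()` returns the status sequence and the number of body bytes uploaded for an unauthenticated and an authenticated PUT: the first sees only the 401 and uploads nothing, the second sees 100 and then 201.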

