You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Isaac Li <ti...@gmail.com> on 2011/08/29 10:10:53 UTC
Is empty Content Type of Request allowed in Tomcat?
Hello,
I'm using Cyberduck as client to send request to my web server which using
apache-tomcat-7.0.16 as web container.
When Cyberduck sent a request with an empty Content Type, web server
returned following errors:
HTTP/1.1 400 Bad Request (text/plain)
Bad Content-Type header value: ''
I thought this error is reported by tomcat, since it has not running into my
code.
I've enabled Tomcat debug log, and have no clue, following are some catalina
log:
2011-08-29 15:29:50,031
[ContainerBackgroundProcessor[StandardEngine[Catalina]]] DEBUG
org.apache.catalina.startup.HostConfig- Checking context[/host-manager]
reload resource D:\apache-tomcat-7.0.16\webapps\host-manager\WEB-INF\web.xml
2011-08-29 15:29:50,531 ["http-apr-80"-exec-5] DEBUG
org.apache.catalina.connector.CoyoteAdapter- The variable [uriBC] has value
[/]
2011-08-29 15:29:50,531 ["http-apr-80"-exec-5] DEBUG
org.apache.catalina.connector.CoyoteAdapter- The variable [semicolon] has
value [-1]
2011-08-29 15:29:50,531 ["http-apr-80"-exec-5] DEBUG
org.apache.catalina.connector.CoyoteAdapter- The variable [enc] has value
[ISO-8859-1]
2011-08-29 15:29:50,531 ["http-apr-80"-exec-5] DEBUG
org.apache.catalina.authenticator.AuthenticatorBase- Security checking
request GET /
2011-08-29 15:29:50,531 ["http-apr-80"-exec-5] DEBUG
org.apache.catalina.realm.RealmBase- No applicable constraints defined
2011-08-29 15:29:50,531 ["http-apr-80"-exec-5] DEBUG
org.apache.catalina.authenticator.AuthenticatorBase- Not subject to any
constraint
2011-08-29 15:30:00,031
[ContainerBackgroundProcessor[StandardEngine[Catalina]]] DEBUG
org.apache.catalina.startup.HostConfig- Checking context[] redeploy resource
D:\apache-tomcat-7.0.16\webapps\ROOT
So is it possible to modify tomcat setting to allow empty Content Type of
request? or I should try other ways (I heard someone said adding some
filters?) - and What's the detailed steps?
Thanks
Re: Is empty Content Type of Request allowed in Tomcat?
Posted by Isaac Li <ti...@gmail.com>.
Hi,
On Tue, Aug 30, 2011 at 5:31 PM, Konstantin Kolinko
<kn...@gmail.com>wrote:
>
>
> Attachments are usually dropped by mailing list software. The one you
> mention above is no exception.
>
> > GET / HTTP/1.1
> > Date: Tue, 30 Aug 2011 02:28:50 GMT
> > Content-Type:
> > Authorization: AWS AKIAJHSWPWM6W6KUXAIQ:u4QnOMbP0vuTsgpUXQ0WfXIWz9c=
> > Host: s3.amazonaws.com:80
> > Connection: Keep-Alive
> > User-Agent: Cyberduck/4.1 (8911) (Windows 7/6.1) (x86)
> > Accept-Encoding: gzip,deflate
>
> 1) GET requests cannot have content, and thus having a Content-Type
> header there is confusing.
>
> 2) Content-Type header is defined in section 14.17 of RFC2616 as
>
> Content-Type = "Content-Type" ":" media-type
>
> and
>
> media-type = type "/" subtype *( ";" parameter )
>
> The media-type is not optional and it cannot be empty.
>
Thanks for letting me know and your further explanation!
By the way, my friend has provide me a workaround using filter, post it here
in case some other might need it.
I have tested it locally and it works.
1) CleanHeaderFilter.java
package org.sample;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class CleanHeaderFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain)
throws IOException, ServletException {
HttpServletRequest httpReq = new
HttpServletRequestWrapper((HttpServletRequest) request) {
@Override
public Enumeration getHeaderNames() {
if ("GET".equalsIgnoreCase(getMethod())) {
Collection<String> c = new LinkedList<String>();
Enumeration headers = super.getHeaderNames();
while (headers.hasMoreElements()) {
String header = (String) headers.nextElement();
if (!"Content-Type".equalsIgnoreCase(header)) {
c.add(header);
} else {
System.err.println("Remove Content-Type for
GET");
}
}
return Collections.enumeration(c);
}
return super.getHeaderNames();
}
};
chain.doFilter(httpReq, response);
}
@Override
public void destroy() {
}
}
2) add following config to your web.xml
<filter>
<filter-name>cleanHeaderFilter</filter-name>
<filter-class>org.sample.CleanHeaderFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>cleanHeaderFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Re: Is empty Content Type of Request allowed in Tomcat?
Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/8/30 Isaac Li <ti...@gmail.com>:
> On Tue, Aug 30, 2011 at 10:00 AM, Isaac Li <ti...@gmail.com> wrote:
>>
>> Thank André and Mark for your quick response, detailed answer and
>> references!
>> I'll try to report this issue to Cyberduck.
>> One more question: when I uses current version of Cyberduck to connect
>> Amazon S3,
>
> See request at No.25 of "Cyberduck_login_amazon_s3_ok.pcap" (attched)
Attachments are usually dropped by mailing list software. The one you
mention above is no exception.
> GET / HTTP/1.1
> Date: Tue, 30 Aug 2011 02:28:50 GMT
> Content-Type:
> Authorization: AWS AKIAJHSWPWM6W6KUXAIQ:u4QnOMbP0vuTsgpUXQ0WfXIWz9c=
> Host: s3.amazonaws.com:80
> Connection: Keep-Alive
> User-Agent: Cyberduck/4.1 (8911) (Windows 7/6.1) (x86)
> Accept-Encoding: gzip,deflate
1) GET requests cannot have content, and thus having a Content-Type
header there is confusing.
2) Content-Type header is defined in section 14.17 of RFC2616 as
Content-Type = "Content-Type" ":" media-type
and
media-type = type "/" subtype *( ";" parameter )
The media-type is not optional and it cannot be empty.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Is empty Content Type of Request allowed in Tomcat?
Posted by Isaac Li <ti...@gmail.com>.
On Tue, Aug 30, 2011 at 10:00 AM, Isaac Li <ti...@gmail.com> wrote:
> Thank André and Mark for your quick response, detailed answer and
> references!
>
> I'll try to report this issue to Cyberduck.
>
> One more question: when I uses current version of Cyberduck to connect
> Amazon S3,
>
See request at No.25 of "Cyberduck_login_amazon_s3_ok.pcap" (attched)
GET / HTTP/1.1
Date: Tue, 30 Aug 2011 02:28:50 GMT
Content-Type:
Authorization: AWS AKIAJHSWPWM6W6KUXAIQ:u4QnOMbP0vuTsgpUXQ0WfXIWz9c=
Host: s3.amazonaws.com:80
Connection: Keep-Alive
User-Agent: Cyberduck/4.1 (8911) (Windows 7/6.1) (x86)
Accept-Encoding: gzip,deflate
> it can accept this kind of invalid request,
>
request at No.31 of Cyberduck_login_amazon_s3_ok.pcap
31 5.805868 207.171.189.80 192.168.1.104 HTTP/XML 64 HTTP/1.1 200 OK
> Is it a kind of fault tolerance design of Amazon S3? Should it be
> encouraged? or I missed something here?
>
Re: Is empty Content Type of Request allowed in Tomcat?
Posted by Mark Thomas <ma...@apache.org>.
On 30/08/2011 03:00, Isaac Li wrote:
> Thank André and Mark for your quick response, detailed answer and
> references!
>
> I'll try to report this issue to Cyberduck.
>
> One more question: when I uses current version of Cyberduck to connect
> Amazon S3, it can accept this kind of invalid request,
> is it a kind of fault tolerance design of Amazon S3?
I assume so.
> Should it be encouraged?
Servers should be tolerant of client errors but that is not an excuse
for clients to violate the spec. It is certainly possible to modify
Tomcat to add an option to ignore the invalid header but given the
rarity of clients that do this, I don't see such a change as a priority.
Mark
> or I missed something here?
>
>
> On Mon, Aug 29, 2011 at 9:44 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 29/08/2011 09:10, Isaac Li wrote:
>>> Hello,
>>>
>>> I'm using Cyberduck as client to send request to my web server which
>> using
>>> apache-tomcat-7.0.16 as web container.
>>>
>>> When Cyberduck sent a request with an empty Content Type, web server
>>> returned following errors:
>>
>> Cyberduck is broken and is violating RFC2616.
>>
>>> HTTP/1.1 400 Bad Request (text/plain)
>>>
>>> Bad Content-Type header value: ''
>>>
>>> I thought this error is reported by tomcat, since it has not running into
>> my
>>> code.
>>
>> Tomcat is rejected this request. The request is invalid.
>>
>>> I've enabled Tomcat debug log, and have no clue, following are some
>> catalina
>>> log:
>>
>> If you want a clue, try reading RFC2616.
>>
>>> So is it possible to modify tomcat setting to allow empty Content Type of
>>> request?
>>
>> No.
>>
>>> or I should try other ways (I heard someone said adding some
>>> filters?)
>>
>> Whoever said a filter was a solution to this problem is clueless. The
>> request is rejected long before the filters are reached.
>>
>>> - and What's the detailed steps?
>>
>> 1. Get the bug in Cyberduck fixed.
>> 2. Try again.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Is empty Content Type of Request allowed in Tomcat?
Posted by Isaac Li <ti...@gmail.com>.
Thank André and Mark for your quick response, detailed answer and
references!
I'll try to report this issue to Cyberduck.
One more question: when I uses current version of Cyberduck to connect
Amazon S3, it can accept this kind of invalid request,
is it a kind of fault tolerance design of Amazon S3? Should it be
encouraged? or I missed something here?
On Mon, Aug 29, 2011 at 9:44 PM, Mark Thomas <ma...@apache.org> wrote:
> On 29/08/2011 09:10, Isaac Li wrote:
> > Hello,
> >
> > I'm using Cyberduck as client to send request to my web server which
> using
> > apache-tomcat-7.0.16 as web container.
> >
> > When Cyberduck sent a request with an empty Content Type, web server
> > returned following errors:
>
> Cyberduck is broken and is violating RFC2616.
>
> > HTTP/1.1 400 Bad Request (text/plain)
> >
> > Bad Content-Type header value: ''
> >
> > I thought this error is reported by tomcat, since it has not running into
> my
> > code.
>
> Tomcat is rejected this request. The request is invalid.
>
> > I've enabled Tomcat debug log, and have no clue, following are some
> catalina
> > log:
>
> If you want a clue, try reading RFC2616.
>
> > So is it possible to modify tomcat setting to allow empty Content Type of
> > request?
>
> No.
>
> > or I should try other ways (I heard someone said adding some
> > filters?)
>
> Whoever said a filter was a solution to this problem is clueless. The
> request is rejected long before the filters are reached.
>
> > - and What's the detailed steps?
>
> 1. Get the bug in Cyberduck fixed.
> 2. Try again.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Is empty Content Type of Request allowed in Tomcat?
Posted by Mark Thomas <ma...@apache.org>.
On 29/08/2011 09:10, Isaac Li wrote:
> Hello,
>
> I'm using Cyberduck as client to send request to my web server which using
> apache-tomcat-7.0.16 as web container.
>
> When Cyberduck sent a request with an empty Content Type, web server
> returned following errors:
Cyberduck is broken and is violating RFC2616.
> HTTP/1.1 400 Bad Request (text/plain)
>
> Bad Content-Type header value: ''
>
> I thought this error is reported by tomcat, since it has not running into my
> code.
Tomcat is rejected this request. The request is invalid.
> I've enabled Tomcat debug log, and have no clue, following are some catalina
> log:
If you want a clue, try reading RFC2616.
> So is it possible to modify tomcat setting to allow empty Content Type of
> request?
No.
> or I should try other ways (I heard someone said adding some
> filters?)
Whoever said a filter was a solution to this problem is clueless. The
request is rejected long before the filters are reached.
> - and What's the detailed steps?
1. Get the bug in Cyberduck fixed.
2. Try again.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Is empty Content Type of Request allowed in Tomcat?
Posted by André Warnier <aw...@ice-sa.com>.
Isaac Li wrote:
> Hello,
>
> I'm using Cyberduck as client to send request to my web server which using
> apache-tomcat-7.0.16 as web container.
>
> When Cyberduck sent a request with an empty Content Type, web server
> returned following errors:
>
> HTTP/1.1 400 Bad Request (text/plain)
>
> Bad Content-Type header value: ''
That is clearly incorrect, so Tomcat would be right to complain.
>
>
> I thought this error is reported by tomcat, since it has not running into my
> code.
>
>
...
>
> So is it possible to modify tomcat setting to allow empty Content Type of
> request?
Why should Tomcat be modifiedt to accept incorrect HTTP requests ?
Tomcat is a HTTP server, so it must follow the HTTP specs. And the HTTP specs probably
say that if a request header is clearly incorrect (as this one is), the server MUST
respond with a 400 error.
or I should try other ways
Yes, fix the client.
(Or report the problem on the Cyberduck mailing list).
(I heard someone said adding some
> filters?)
Would probably not help, as the error may be generated before the filter is ever called.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org