You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by kdombeck <gi...@git.apache.org> on 2017/12/13 22:16:52 UTC

[GitHub] tomcat pull request #96: Remove PUT and DELETE methods from an OPTIONS reque...

GitHub user kdombeck opened a pull request:

    https://github.com/apache/tomcat/pull/96

    Remove PUT and DELETE methods from an OPTIONS request if readOnly is true

    Currently ```DefaultServlet``` is returning all HTTP methods for an OPTIONS call even when the **readOnly** flag is true.
    
    Example:
    ```
    $ curl -v -X OPTIONS localhost:8080
    ....
    < Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
    ....
    ```
    It should be the following instead if the **readOnly** flag is **true**.
    ```
    $ curl -v -X OPTIONS localhost:8080
    ....
    < Allow: GET, HEAD, POST, OPTIONS
    ....
    ```
    
    As a side note I don't understand the following.
    * Why is a POST allowed when **readOnly** is true?
    * Why does a POST call GET internally?

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/kdombeck/tomcat remove-options

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/tomcat/pull/96.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #96
    
----
commit deb05b2c1c4693b1cb5904e9bba8f46bca18ee7d
Author: Ken Dombeck <kd...@gmail.com>
Date:   2017-12-13T21:55:59Z

    Remove PUT and DELETE methods from an OPTIONS request if readOnly is true

----


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by markt-asf <gi...@git.apache.org>.
Github user markt-asf commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    Lack of response == lazy consensus. I plan to look at applying these patches (or possibly a variation of them) before tagging 9.0.x.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by kdombeck <gi...@git.apache.org>.
Github user kdombeck commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    @markt-asf I haven't received any responses to the [thread](http://tomcat.10.x6.nabble.com/Change-HTTP-status-code-for-DefaultServlet-with-readOnly-set-to-true-td5070373.html) I started on dev@. I know it was the holidays, so what is the best way to move forward to get consensus on this issue?


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by michael-o <gi...@git.apache.org>.
Github user michael-o commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    @markt-asf I'd second the 405 instead of 403.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by markt-asf <gi...@git.apache.org>.
Github user markt-asf commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    I've fixed this in trunk. Given the behaviour changes (you can bet someone depends on a 403 rather than a 405 response) I'm not going to back-port it.
    The way I ended up tackling this (WebDAV first then Default) meant I didn't work from the patch but I certainly depended heavily on this discussion.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by markt-asf <gi...@git.apache.org>.
Github user markt-asf commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    The inconsistency stems from the different status codes used. If TRACE is disabled at the connector, level then a 405 is returned for TRACE requests. If readOnly is set in the DefaultServlet, a 403 is returned for PUT and DELETE. Methods that return a 405 should not be included in an OPTIONS response.
    
    Doing some mailing list archaeology, the readOnly parameter started out in the WebDAV servlet ( http://markmail.org/message/vls7an5nhf7eigwc ) and was refactored to the Default Servlet shortly afterwards ( http://markmail.org/message/vls7an5nhf7eigwc ). All this was back in 2000.
    
    Looking at RFC 2616 (since this code pre-dates RFC7231) there isn't much to choose between 403 and 405. Both look equally applicable. One obvious difference for this use case is that a 405 MUST include an Allow header so on that basis using 403 looks to be the simpler implementation.
    
    RFC 7231 adds some detail on the differences between 403 and 405. In short 405 means 'method never allowed' whereas 403 means 'request not allowed but might be allowed with different credentials'.
    
    In this case it is arguable that 405 is the better response code since if readOnly is true, PUT and DELETE are never going to be allowed (with a similar argument applied to many of the WebDAV methods). We have made changes in 9.0.x to better align with RFC 7231 so I'm not against considering changing the status code used. That would also mean changing the OPTIONS response.
    
    As I have been researching this I noticed that the is scope to clean up the existing code. HttpServlet.doOptions()  could use a StringBuilder and ALLOW_OPTIONS seems unnecessary. DefaultServlet.doOptions() appears to be unnecessary as well. This clean-up assumes the current behaviour is not changed. A switch to using 405 is likely to impact some of that clean-up.
    
    If there is interest in switching the DefaultServlet to use 405 rather than 403 when readOnly is true, I'd suggest that a discussion on the dev@ list is required to ensure there is consensus on this approach.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by markt-asf <gi...@git.apache.org>.
Github user markt-asf commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    The current OPTIONS behaviour is intentional.
    OPTIONS lists the valid methods, not the permitted methods, for a resource.
    
    The GET/POST issue is before my time with the project. There might be some explanation in the mail archive. I agree with Chris it is unlikely to change.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by kdombeck <gi...@git.apache.org>.
Github user kdombeck commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    Thanks for the quick responses.
    
    I modeled this change after the changes for TRACE in the next if statement below. Also looking at [issue](https://bz.apache.org/bugzilla/show_bug.cgi?id=60697) this change seemed to be similar to that one.
    
    It would make more sense to me if a user could actually change the request some how to invoke PUT or DELETE (by authenticating for example), but in this case there is nothing the user could do to ever get these 2 methods to work without changing the readOnly flag to false.
    
    I am not adamant that this change should be made. I am just trying to understand what appears to be an inconsistency to me. 


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat pull request #96: Remove PUT and DELETE methods from an OPTIONS reque...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/tomcat/pull/96


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by markt-asf <gi...@git.apache.org>.
Github user markt-asf commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    Getting back to whether readOnly should affect POST, my own view is that it should not. readOnly refers to whether the default Servlet can change static content. For static content request parameters (via GET or POST) are irrelevant since they are ignored. Hence why POST defers to GET. Neither change existign content hence neither should be affected by readOnly. If the default Servlet (or WebDAV since it extends the default Servlet) used the request parameters then it might (depending on how they were used) be different.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by markt-asf <gi...@git.apache.org>.
Github user markt-asf commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    I wanted to clear something up. It is not a case of me being willing to change something or not. I don't get to decide these things on my own. It is a community decision. Normally, we discuss things until we reach a solution we can all accept. In the unlikely event we can't reach an agreed solution then the PMC would have to vote to resolve the impasse. It is extremely rare that things reach that point.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by ChristopherSchultz <gi...@git.apache.org>.
Github user ChristopherSchultz commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    I think 405 is more appropriate when the method is in fact not allowed (readOnly). As for POST, there is nothing "writey" about POST, whereas PUT and DELETE have definite "write" semantics. The fact that POST refers to GET is an irrelevant implementation detail.
    
    Plenty of (non-WebDAV) GET requests cause irreversible changes on the server (due to the implementation of a particular web application, not a vanilla web server itself) even when the official standard suggests that GET should be idempotent and read-only.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by ChristopherSchultz <gi...@git.apache.org>.
Github user ChristopherSchultz commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    WRT WebDav, [RFC2618](https://tools.ietf.org/html/rfc2518) says that WebDav is an extension to HTTP/1.1 so I think we are always okay using 405 from `WebDavServlet`. We should, however, take care to adhere to the spec as much as possible, so we should e.g. include an `Allow` header in the response.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by kdombeck <gi...@git.apache.org>.
Github user kdombeck commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    I started this [thread](http://tomcat.10.x6.nabble.com/Change-HTTP-status-code-for-DefaultServlet-with-readOnly-set-to-true-td5070373.html) on the mailing list to look for consensus.
    
    If consensus is reached would you like me to update this PR or start a different one?


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by kdombeck <gi...@git.apache.org>.
Github user kdombeck commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    @michael-o I don't understand your question. Are you asking why ```PUT``` and ```DELETE``` are not allowed when the **readOnly** flag is true but ```POST``` is allowed?


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by kdombeck <gi...@git.apache.org>.
Github user kdombeck commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    I haven't had any responses in [thread](http://tomcat.10.x6.nabble.com/Change-HTTP-status-code-for-DefaultServlet-with-readOnly-set-to-true-td5070373.html) I started for this issue.
    
    I have updated this PR to return a 405 rather than a 403. With this 405 response an Allow header will also be returned.
    
    I also updated HttpServlet.doOptions() to use a StringBuilder like you asked. I modeled it after this  [HttpServlet.doOptions()](https://github.com/javaee/servlet-spec/blob/master/src/main/java/javax/servlet/http/HttpServlet.java#L522)


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by michael-o <gi...@git.apache.org>.
Github user michael-o commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    @kdombeck Correct.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by ChristopherSchultz <gi...@git.apache.org>.
Github user ChristopherSchultz commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    Patch looks good to me.
    
    Regarding your questions:
    
    > Why is a POST allowed when readOnly is true?
    
    Probably because the DefaultServlet just delegates POST -> GET, but ...
    
    > Why does a POST call GET internally?
    
    Good question. I suspect because that's what httpd does when making a POST request to a static resource.
    
    That code has not changed since 2006 (the initial import) so at this point, it's "legacy" and "backward-compatible" and extremely unlikely to change.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by michael-o <gi...@git.apache.org>.
Github user michael-o commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    Why is `POST` not part of the writable commands?


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by markt-asf <gi...@git.apache.org>.
Github user markt-asf commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    No argument with Konstantin's points here. I started to look at implementing this and I realised that the WebDAV is inconsistent with how the allow header is generated. A method may not be included in the allow header but will not generate a 405 if that method is used for the same resource. That seems wrong to me.
    Before I start changing this, I'm going to put together a simple test case to check it and dig out the WebDAV test suite we have used in the past to make sure my changes don't break anything. This is probably going to delay the tag by a day or so.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by michael-o <gi...@git.apache.org>.
Github user michael-o commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    Alright, did not notice that. Mark has to tell wether he is willing to change this in 9.0. The other version likely won't change.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by kdombeck <gi...@git.apache.org>.
Github user kdombeck commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    @michael-o I had the exact same question in my original post. The only thing I saw was that the POST delegates to the GET, so they both have the same effect.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[GitHub] tomcat issue #96: Remove PUT and DELETE methods from an OPTIONS request if r...

Posted by kkolinko <gi...@git.apache.org>.
Github user kkolinko commented on the issue:

    https://github.com/apache/tomcat/pull/96
  
    1) POST fallsback to GET, I think since RFC1945 (HTTP/1.0). Both HEAD and POST were improvements over single GET method supported by original HTTP protocol (0.9).
    2) DefaultServlet can be used as a target of RequestDispatcher.forward(), and such forward does not change the request method.
    
    As such, I think that the behaviour of DefaultServlet.doPost() must not be changed.
    
    I am OK to change 403 to 405 as response code in DefaultServlet.doPut(), doDelete(). It seems reasonable.
    
    Though:
    1) The code 405 is since HTTP/1.1, does not exist in HTTP/1.0
    2) You are correct, that when a server uses code 405 it MUST generate an "Allow" header as well (RFC 7231).
    There are some other places where SC_METHOD_NOT_ALLOWED code is used and no "Allow" header is generated.
    3) This changes behaviour of WebdavServlet.  For a readOnly WebdavServlet it is reasonable to return 403. Though 405 is OK as well.
    4) WebdavServlet has method determineMethodsAllowed(). It should be updated accordingly.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org