Posted to users@tomcat.apache.org by Henk Fictorie <he...@kpn.com> on 2008/11/26 14:36:35 UTC

mod_jk 1.2.27 and an empty POST

Hi,

I think that I've been bitten by a resolved bug in mod_jk 1.2.27. The
changelog describes this as:

AJP13: Always send initial POST packet even if the client disconnected after
sending request but before providing POST data. In that case or in case the
client broke the connection in a middle of read send a zero size packet
informing container about broken client connection. (mturk) 


Let me describe our setup.
In our Apache we have 2 additional modules, mod_jk and a module for Oracle
SSO webgate. The last plugin takes care of authentication and protecting
URLs.
When a user logs in to our website, a POST is done containing
username/password to a specific URL. This URL is mounted to Tomcat. The
Oracle SSO webgate plugin intercepts this specific URL and authenticates the
user with the Oracle SSO backend. After authenticating, REMOTE_USER is
set and the URL is processed further (by mod_jk). A nasty side effect is
that the POST body is removed by the Oracle SSO webgate plugin. Our Tomcat
application doesn't have any problems with the empty POST body and responds
normally with a redirection (302).
In the older mod_jk the 302 was sent to the browser and everybody was happy.
In mod_jk 1.2.27 however, I find this in the mod_jk logging:

[Wed Nov 26 13:14:35 2008] [16251:7] [info] ajp_service::jk_ajp_common.c (2407): (wm9_i) sending request to tomcat failed (unrecoverable), because of client read error (attempt=1)
[Wed Nov 26 13:14:36 2008] [16251:7] [info] service::jk_lb_worker.c (1347): service failed, worker wm9_i is in local error state
[Wed Nov 26 13:14:36 2008] [16251:7] [info] service::jk_lb_worker.c (1366): unrecoverable error 400, request failed. Client failed in the middle of request, we can't recover to another instance.
[Wed Nov 26 13:14:36 2008] wm9_i POST /web/restricted/form?formelement=512663 HTTP/1.1 200 1.377267
[Wed Nov 26 13:14:36 2008] [16251:7] [info] jk_handler::mod_jk.c (2469): Aborting connection for worker=wm9_i_lbworker

So the browser is receiving an HTTP 400 code and displays an empty screen.

Questions:
- Is my problem analysis correct?
- Is this a regression bug?
- Can I somehow circumvent this (other than not upgrading)?


regards Henk Fictorie
-- 
View this message in context: http://www.nabble.com/mod_jk-1.2.27-and-an-empty-POST-tp20699972p20699972.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
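A small log check for the failure described in this post, added here as an example and not part of the thread or of mod_jk itself: it parses the two mod_jk line shapes shown above (diagnostic lines tagged with pid:tid, and the request-log line tagged with the worker name), joins the "client read error" on a thread with the "unrecoverable error 400" that follows, and reports which request was aborted, so an operator can count how often the stripped POST body is turning into a 400 for users. The sample log is constructed after the lines quoted in the post, with one unaffected GET added.

```python
import re

# Constructed sample, modelled on the mod_jk 1.2.27 lines quoted in the post:
# one aborted POST on thread 16251:7, then an unaffected GET on the same worker.
SAMPLE_LOG = """\
[Wed Nov 26 13:14:35 2008] [16251:7] [info] ajp_service::jk_ajp_common.c (2407): (wm9_i) sending request to tomcat failed (unrecoverable), because of client read error (attempt=1)
[Wed Nov 26 13:14:36 2008] [16251:7] [info] service::jk_lb_worker.c (1347): service failed, worker wm9_i is in local error state
[Wed Nov 26 13:14:36 2008] [16251:7] [info] service::jk_lb_worker.c (1366): unrecoverable error 400, request failed. Client failed in the middle of request, we can't recover to another instance.
[Wed Nov 26 13:14:36 2008] wm9_i POST /web/restricted/form?formelement=512663 HTTP/1.1 200 1.377267
[Wed Nov 26 13:14:36 2008] [16251:7] [info] jk_handler::mod_jk.c (2469): Aborting connection for worker=wm9_i_lbworker
[Wed Nov 26 13:14:40 2008] wm9_i GET /web/public/index HTTP/1.1 200 0.012345
"""

# Diagnostic line: [ts] [pid:tid] [level] func::file (line): message
DIAG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<thread>\d+:\d+)\] \[\w+\] "
                     r"\w+::[\w.]+ \(\d+\): (?P<msg>.*)$")
# Request summary line: [ts] worker METHOD uri HTTP/x.y status seconds
REQ_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<worker>\S+) (?P<method>[A-Z]+) "
                    r"(?P<uri>\S+) HTTP/\d\.\d (?P<status>\d{3}) [\d.]+$")

def find_aborted_posts(log_text):
    """One record per request that mod_jk aborted with a 400 because the body
    never arrived ("client read error"), joined to the request line that the
    same worker logs next."""
    pending, found = {}, []          # worker name -> record awaiting request line
    for line in log_text.splitlines():
        d = DIAG_RE.match(line)
        if d:
            msg = d.group("msg")
            if "client read error" in msg:
                w = re.match(r"\((?P<worker>[^)]+)\)", msg)
                worker = w.group("worker") if w else "?"
                pending[worker] = {"ts": d.group("ts"), "thread": d.group("thread"),
                                   "worker": worker, "status_400": False}
            elif "unrecoverable error 400" in msg:
                for rec in pending.values():
                    if rec["thread"] == d.group("thread"):
                        rec["status_400"] = True
            continue
        r = REQ_RE.match(line)
        if r and r.group("worker") in pending:
            rec = pending.pop(r.group("worker"))
            rec.update(method=r.group("method"), uri=r.group("uri"))
            if rec["status_400"]:
                found.append(rec)
    return found
```

Feed it the real mod_jk log (JkLogLevel info and a JkRequestLogFormat line per request) and it yields the aborted requests; the request-log line still shows the Tomcat status (200 here), so only the diagnostic lines reveal that the client actually received a 400.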


Re: mod_jk 1.2.27 and an empty POST

Posted by Henk Fictorie <he...@kpn.com>.


Mladen Turk-3 wrote:
> 
> Henk Fictorie wrote:
>> Hi,
>> 
>> I think that I've been bitten by a resolved bug in mod_jk 1.2.27. The
>> changelog is describing this as:
>> 
>> AJP13: Always send initial POST packet even if the client disconnected
>> after
>> sending request but before providing POST data. In that case or in case
>> the
>> client broke the connection in a middle of read send a zero size packet
>> informing container about broken client connection. (mturk) 
>> 
>>
> 
> Your SSO will have to remember the POST data
> or use the GET for that. In all other cases this
> is a security risk of hijacking the sessions.
> 
> Regards
> 

I know, this issue will probably end with a service request to Oracle to
solve this bug.
Somewhere between mod_jk 1.2.21 and 1.2.27 the behaviour has changed. It now
signals this as an error instead of leaving this up to Tomcat. This is very
reasonable, but it leaves us with an upgrade challenge :-(

regards Henk Fictorie

-- 
View this message in context: http://www.nabble.com/mod_jk-1.2.27-and-an-empty-POST-tp20699972p20770506.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: mod_jk 1.2.27 and an empty POST

Posted by Mladen Turk <mt...@apache.org>.
Henk Fictorie wrote:
> Hi,
> 
> I think that I've been bitten by a resolved bug in mod_jk 1.2.27. The
> changelog is describing this as:
> 
> AJP13: Always send initial POST packet even if the client disconnected after
> sending request but before providing POST data. In that case or in case the
> client broke the connection in a middle of read send a zero size packet
> informing container about broken client connection. (mturk) 
> 
>

Your SSO will have to remember the POST data
or use the GET for that. In all other cases this
is a security risk of hijacking the sessions.


Regards
-- 
^(TM)
