Bug 47679

Summary: Not all headers get passed to Tomcat server from isapi_redirect.dll
Product: Tomcat Connectors Reporter: Brett Prucha <bprucha>
Component: isapiAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 1.2.28   
Target Milestone: ---   
Hardware: PC   
OS: Windows 2000   
Attachments: Fix to prevent headers from being dropped

Description Brett Prucha 2009-08-11 12:31:37 UTC
Created attachment 24129 [details]
Fix to prevent headers from being dropped

In Windows 2000 Server with IIS 5.0 when using isapi_redirect.dll as an
extension, the SF_NOTIFY_AUTH_COMPLETE event is not called.  This means the
However the number of headers sent to Tomcat is automatically reduced by 2
assuming these headers exists causing other legitimate headers to get dropped.
Comment 1 Tim Whittington 2010-01-04 11:46:04 UTC
This is interesting - I seem to remember testing on Windows 2000 Server when making changes to this area, and the AUTH_COMPLETE was firing.

Depending on whether your connector was built with automatic notification event detection (mine are, but not sure about the ones available via Tomcat) you may be able to force the use of SF_NOTIFY_PREPROC_HEADERS by setting auth_complete=0 in your configuration.

I don't think your proposed patch will work - trapping the appropriate notify event in HttpFilterProc is necessary for the redirector to work (all of the URI -> worker mapping happens there).

The fix should be to make automatic flag detection work on Windows 2000 (reliably), or simply to use the manual override with an appropriately built connector.

Perhaps some additional error checking in HttpExtensionProc to check if the filter has executed correctly would also be in order.
Comment 2 Brett Prucha 2010-01-08 06:45:29 UTC
I'm not sure you understand what I mean by "extension". I am referring to the IIS application mappings (Website properties / Home Directory / Configuration under Application settings / Mappings / Add mappings of specific extensions to ISAPI dll). In this scenario IIS handles the authentication and isapi_redirect does not use the url mappings.

Unfortunately I am no longer using Windows 2000 server so I can't verify the settings you are talking about though I am quite positive I had auth_complete=0. I initially ran into this problem using the precompiled dll downloaded from the apache website so if that version was built with automatic notification event detection then that is what I was using. Even if that isn't the case I know IIS intercepts the authentication when using the filter as an "extension" so the SF_NOTIFY_AUTH_COMPLETE event does not get called.
Comment 3 Mark Thomas 2011-03-28 04:25:56 UTC
Report on users list of similar issues on windows 2k8/ IIS 7.5:
Comment 4 Tim Whittington 2011-04-11 05:36:20 UTC
I've committed a fix for this.
The ISAPI Redirector was assuming that it was always running in 'redirector' mode, where the filter part of the redirector was determining whether an incoming URL matched and forwarding that match to the extension part via magic HTTP headers.

The extension code was not accounting for the 'legacy' mode of operation, where those headers were not present.
The downside is an insignificant memory overhead on each request.

Fix will be in 1.2.32