Summary: | sending large file with Expect: 100-continue wrong messages order | ||
---|---|---|---|
Product: | Tomcat 8 | Reporter: | Lorenzo Caenazzo <lorenzo.caenazzo> |
Component: | Connectors | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED WONTFIX | ||
Severity: | major | ||
Priority: | P2 | ||
Version: | 8.0.18 | ||
Target Milestone: | ---- | ||
Hardware: | PC | ||
OS: | Linux |
Description
Lorenzo Caenazzo
2015-02-24 11:41:26 UTC
This is only going to work if Tomcat does the authentication; otherwise, as you have observed, Tomcat sends the 100 response before passing the request/response to the application for processing.

One of the aims for Tomcat 9 is to implement JASPIC which would allow libraries like Spring Security to plug into Tomcat's authentication mechanism allowing for the behaviour you are looking for.

The other option would be to add an option to the Context to delegate sending of the 100 response to the application. There are security concerns around expectation handling but as long as Tomcat's current handling stays in place I don't believe this would create any issues. The downside is that if the application does not send the 100 continue response then the client may wait for an unknown period of time before sending the request body anyway.

If you think such an option (to delegate the sending of 100 response) would be useful, we can move this issue to an enhancement. If not, it will get resolved as WONTFIX.

OK, I think the responsibility to send the 100-continue header is not that of the "contained" application. But if the container sends a 100 header, I expect that it does not close the socket if the body of the request is "big". Maybe if Tomcat sends a 100 continue header it must take and discard (in some cases) the request body. Because the client receives the 100 header and says "ok now I can send a lot of data!" but after a while the server hangs up the connection. What do you think?

P.S. For now I've implemented a preemptive authentication method.

Tomcat will swallow the request body up to maxSwallowSize after which Tomcat will close the connection. Most clients will not read the response until the body is fully sent so if maxSwallowSize < request body size then the client will just see a closed connection. You can increase maxSwallowSize to avoid this (at the cost of pointlessly reading more data).

Does this currently work when Tomcat /is/ managing the authentication and authorization? If so, then I agree with WONTFIX.

Yes. You get the right 4xx response along with a Connection: close header.
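The exchange discussed in this thread, as an added example that is not part of the original report and is not Tomcat code: a client that checks for an early final response between body chunks, next to one that does not. The stub server, the `/upload` path, the `example.test` host and all function names are assumptions; a local socket pair stands in for the TCP connection, and the stub swallows until its limit or EOF without parsing Content-Length.

```python
import select
import socket
import threading

# Constructed responses for the stub container; not captured Tomcat output.
EARLY = (b"HTTP/1.1 100 Continue\r\n\r\n"
         b"HTTP/1.1 401 Unauthorized\r\nConnection: close\r\nContent-Length: 0\r\n\r\n")

def read_head(sock):
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        byte = sock.recv(1)        # one byte at a time: never read past the head
        if not byte:
            raise ConnectionError("closed before a complete head arrived")
        head += byte
    return head

def stub_server(sock, max_swallow):  # hypothetical stand-in for the container
    with sock:
        read_head(sock)              # request line and headers
        sock.sendall(EARLY)          # 100 first, then the rejection
        left = max_swallow           # discard at most this much body, then hang up
        while left > 0 and (data := sock.recv(min(65536, left))):
            left -= len(data)

def upload(sock, body, poll, chunk=65536):  # -> (status or None, body bytes sent)
    sock.sendall(b"PUT /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Expect: 100-continue\r\nContent-Length: %d\r\n\r\n" % len(body))
    status, sent = int(read_head(sock).split()[1]), 0
    try:
        while status == 100 and sent < len(body):
            if poll and select.select([sock], [], [], 0)[0]:
                break                      # a final response arrived early
            sock.sendall(body[sent:sent + chunk])
            sent = min(sent + chunk, len(body))
        if status == 100:
            status = int(read_head(sock).split()[1])
    except ConnectionError:
        status = None                      # closed while the body was in flight
    return status, sent

def run_exchange(body_size, max_swallow, poll):
    client, server = socket.socketpair()
    worker = threading.Thread(target=stub_server, args=(server, max_swallow))
    worker.start()
    with client:
        result = upload(client, b"x" * body_size, poll)
    worker.join()
    return result
```

With a body larger than the swallow limit, the non-polling client only sees the connection drop, while the polling client reads the 401 and stops sending.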