The AJP protocol allows forwarding of arbitrary request attributes. For
instance, we allow sending httpd environment variables via JkEnvVar as
request attributes to the backend.

The attributes can be retrieved on the backend side via
request.getAttribute(attributeName).

Unfortunately, attributes sent via AJP are not included in the list
produced by request.getAttributeNames().

As far as I can see, mod_jk doesn't use AJP attribute forwarding in any
internal way. So it should be safe (and helpful) to include the request
attributes forwarded via AJP in request.getAttributeNames().

In catalina/src/share/org/apache/catalina/connector/Request.java we have
two types of attributes, the internal ones, and the ones belonging to
the coyoteRequest. The AJP attributes unfortunately belong to the
coyoteRequest.

When retrieving an attribute via getAttribute(), we first look for an
internal one:

    Object attr=attributes.get(name);
    if(attr!=null)
        return(attr);

and then we query the coyoteRequest:

    attr = coyoteRequest.getAttribute(name);
    if(attr != null)
        return attr;

When we list all attribute names in getAttributeNames(), we only return
the internal ones:

    return new Enumerator(attributes.keySet(), true);

Question 1: Are there any secrets or internal attributes hidden in the
coyoteRequest? If no, I would suggest returning the union of the names
in the internal attributes and the coyoteRequest ones. If yes, is there
a robust way of distinguishing the TC private attributes from the public
ones?

Question 2: In removeAttribute() we never pass any key along to the
coyoteRequest. Either it is an internal attribute, or we don't remove
it. In putAttribute() we pass it along to the coyoteRequest iff the name
of the attribute starts with "org.apache.tomcat.". Are there any known
reasons for the inconsistency? Could we always pass removeAttribute and
putAttribute along to the coyoteRequest after handling the internal
attributes, or is there something we need to protect?

Question 3: There is some special handling for SSL related attributes.
When one of them is first retrieved, a hook parses the data, sets the
coyoteRequest SSL attributes and then they are copied from the
coyoteRequest to the internal attributes. If we add the coyote request
attributes to the result of getAttributeNames(), we will no longer need
to copy, because when retrieving via getAttribute() we check
coyoteRequest anyhow. Right?

Question 4: There are a lot of additional request attribute names
defined in catalina/src/share/org/apache/catalina/Globals.java. Are
those held in either the above Request object or the coyote request? Do
we need to protect them against overwriting, deletion or even showing
their existence?

Any help appreciated.
Regards,
Rainer
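
The lookup/listing mismatch raised in the message above, and the union asked about in Question 1, as an added example that is not part of the original mail and not Tomcat's code. The class, its two maps, the method names and the sample attribute names are assumptions; treating the "org.apache.tomcat." prefix as the marker for private names is likewise only an assumption made for illustration.

```java
import java.util.*;

// Simplified model of the two attribute stores described in the mail.
// Not Tomcat's Request class: class, field and method names are assumptions.
public class AttributeNamesDemo {
    // Prefix the mail mentions for putAttribute(); used here as a hypothetical "private" marker.
    static final String PRIVATE_PREFIX = "org.apache.tomcat.";

    final Map<String, Object> attributes = new HashMap<>();        // internal attributes
    final Map<String, Object> coyoteAttributes = new HashMap<>();  // stands in for coyoteRequest

    // Lookup as described: internal store first, then the coyote request.
    Object getAttribute(String name) {
        Object attr = attributes.get(name);
        return attr != null ? attr : coyoteAttributes.get(name);
    }

    // Behaviour described in the mail: only internal names are listed.
    Enumeration<String> getAttributeNamesInternalOnly() {
        return Collections.enumeration(new TreeSet<>(attributes.keySet()));
    }

    // Proposed behaviour: union of both stores, optionally hiding private coyote names.
    Enumeration<String> getAttributeNamesUnion(boolean hidePrivate) {
        Set<String> names = new TreeSet<>(attributes.keySet());
        for (String n : coyoteAttributes.keySet()) {
            if (!hidePrivate || !n.startsWith(PRIVATE_PREFIX)) {
                names.add(n);
            }
        }
        return Collections.enumeration(names);
    }

    public static void main(String[] args) {
        AttributeNamesDemo req = new AttributeNamesDemo();
        req.attributes.put("app.user", "alice");                          // constructed sample
        req.coyoteAttributes.put("JK_ENV_SAMPLE", "forwarded-value");     // constructed AJP attribute
        req.coyoteAttributes.put(PRIVATE_PREFIX + "sample", "internal");  // constructed private name

        // The forwarded attribute is retrievable by name but absent from the listing.
        System.out.println(req.getAttribute("JK_ENV_SAMPLE"));
        System.out.println(Collections.list(req.getAttributeNamesInternalOnly()));
        // Union of both stores, without and with the prefix filter.
        System.out.println(Collections.list(req.getAttributeNamesUnion(false)));
        System.out.println(Collections.list(req.getAttributeNamesUnion(true)));
    }
}
```

The unfiltered union exposes every coyote-side name to application code, which is the disclosure concern behind Questions 1 and 4.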