tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: TCK Issue with Tomcat 5.5.12
Date Thu, 22 Dec 2005 06:45:37 GMT

"Kevan Miller" <kevan.miller@gmail.com> wrote in message 
news:0F56CBAD-618E-4068-A91C-6E84CA37FB77@gmail.com...
> The Geronimo project has encountered a TCK issue running with Tomcat 
> 5.5.12. We'd appreciate your help with the problem.
>

I hope that you know that you've just violated your NDA by posting this on a 
public list :).

> In the test, a POST Request without a message body is being received and 
> a 403 "The request body was too large to be cached during the 
> authentication process" is being improperly returned by Tomcat.
>
>
> I believe the problem is in 
> o.a.c.authenticator.FormAuthenticator.saveRequest() (or subsequent 
> processing). In 5.5.12, if the message type is POST, saveRequest() will 
> always attempt to save the Request body. The following code is new in 
> saveRequest() since 5.5.9.
>
>         if ("POST".equalsIgnoreCase(request.getMethod())) {
>             ByteChunk body = new ByteChunk();
>             body.setLimit(request.getConnector().getMaxSavePostSize());
>
>             byte[] buffer = new byte[4096];
>             int bytesRead;
>             InputStream is = request.getInputStream();
>
>             while ( (bytesRead = is.read(buffer) ) >= 0) {
>                 body.append(buffer, 0, bytesRead);
>             }
>             saved.setBody(body);
>         }
>
> AFAICT, this code is assuming that there will always be a message body in 
> the POST Request. However, this is not necessarily the case (and is 
> certainly not true for the problem at hand). Eventually, 
> SocketInputStream.read() is called from within 
> o.a.coyote.http11.InternalReadBuffer.fill(). This call will throw a 
> SocketTimeoutException.
>

Then the test is broken.  It should either have a 'Content-Length: 0' header 
or a 'Transfer-Encoding: chunked' header with a '0' content delimiter.  I 
don't do NDAs, so I don't know which it is.  If Sun can't follow the RFC, I 
really don't care.

> The following code in FormAuthenticator.authenticate() interprets this 
> IOException as a Request body overflow:
>
>             try {
>                 saveRequest(request, session);
>             } catch (IOException ioe) {
>                 log.debug("Request body too big to save during authentication");
>                 response.sendError(HttpServletResponse.SC_FORBIDDEN,
>                         sm.getString ("authenticator.requestBodyTooBig"));
>                 return (false);
>             }
>
>  Thanks for your help...
>
> --kevan 
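
An added example, not part of the original thread and not Tomcat's code: a size-capped body reader that reports the outcomes the quoted catch block folds into one 403 (cap exceeded, read timeout, other I/O failure) separately. The names `SavePostBody`, `BodyTooLargeException`, `saveBody` and `classify` are hypothetical, and the sketch assumes `in` is a stream the container has already framed, with `contentLength` set to -1 when no length was declared.

```java
import java.io.*;
import java.net.SocketTimeoutException;

public class SavePostBody {
    // Hypothetical marker type: raised only when the size cap is exceeded.
    static class BodyTooLargeException extends IOException {
        BodyTooLargeException(String msg) { super(msg); }
    }

    // Buffer a request body in memory, refusing to hold more than maxSave bytes.
    // contentLength is the declared length, or -1 if none was declared (assumption).
    static byte[] saveBody(InputStream in, long contentLength, int maxSave) throws IOException {
        if (contentLength == 0) return new byte[0];   // declared empty: never touch the socket
        if (contentLength > maxSave)                  // reject before reading anything
            throw new BodyTooLargeException("declared " + contentLength + " > " + maxSave);
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        byte[] buffer = new byte[4096];
        int n;
        while ((n = in.read(buffer)) >= 0) {
            if (body.size() + n > maxSave)            // enforce the cap while streaming too
                throw new BodyTooLargeException("body exceeds " + maxSave + " bytes");
            body.write(buffer, 0, n);
        }
        return body.toByteArray();
    }

    // Map each failure to its own outcome instead of one catch-all IOException branch.
    static String classify(InputStream in, long contentLength, int maxSave) {
        try {
            return "saved " + saveBody(in, contentLength, maxSave).length + " bytes";
        } catch (BodyTooLargeException e) {
            return "too large";
        } catch (SocketTimeoutException e) {
            return "read timed out";
        } catch (IOException e) {
            return "I/O error";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; the stalled stream stands in for a socket that sends no body and no EOF.
        InputStream stalled = new InputStream() {
            @Override public int read() throws IOException { throw new SocketTimeoutException("Read timed out"); }
        };
        System.out.println(classify(new ByteArrayInputStream(new byte[6]), 6, 8));   // fits under the cap
        System.out.println(classify(new ByteArrayInputStream(new byte[10]), -1, 8)); // undeclared, over the cap
        System.out.println(classify(stalled, -1, 8));                                // stall, not overflow
        System.out.println(classify(stalled, 0, 8));                                 // declared empty body
    }
}
```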



