tomcat-dev mailing list archives

From Rainer Jung
Subject AJP request handling
Date Mon, 05 May 2008 08:10:04 GMT
The AJP protocol allows forwarding of arbitrary request attributes. For 
instance we allow sending httpd environment variables via JkEnvVar as 
request attributes to the backend.

The attributes can be retrieved on the backend side via 

Unfortunately attributes sent via AJP are not included in the list 
produced by request.getAttributeNames().

As far as I can see, mod_jk doesn't use AJP attribute forwarding in any 
internal way. So it should be safe (and helpful) to include the request 
attributes forwarded via AJP in request.getAttributeNames().

In catalina/src/share/org/apache/catalina/connector/ we have 
two types of attributes, the internal ones, and the ones belonging to 
the coyoteRequest. The AJP attributes unfortunately belong to the 

When retrieving an attribute via getAttribute(), we first look for an 
internal one

Object attr=attributes.get(name);

and then we query the coyoteRequest:

attr =  coyoteRequest.getAttribute(name);
if(attr != null)
     return attr;

When we list all attribute names in getAttributeNames(), we only return 
the internal ones:

return new Enumerator(attributes.keySet(), true);

Question 1: Are there any secrets or internal attributes hidden in the 
coyoteRequest? If no, I would suggest to return the union of the names 
in the internal attributes and the coyoteRequest ones. If yes, is there 
a robust way of distinguishing the TC private attributes from the public 

Question 2: In removeAttribute() we never pass any key along to the 
coyoteRequest. Either it is an internal attribute, or we don't remove 
it. In putAttribute() we pass it along to the coyoteRequest iff the name 
of the attribute starts with "org.apache.tomcat.". Are there any known 
reasons for the inconsistency? Could we always pass removeAttribute and 
putAttribute along to the coyoteRequest after handling the internal 
attributes, or is there something we need to protect?

Question 3: There is some special handling for SSL related attributes. 
When one of them is first retrieved, a hook parses the data, sets the 
coyoteRequest SSL attributes and then they are copied from the 
coyoteRequest to the internal attributes. If we add the coyote request 
attributes to the result of getAttributeNames(), we will no longer need 
to copy, because when retrieving via getAttribute() we check 
coyoteRequest anyhow. Right?

Question 4: There are a lot of additional request attribute names 
defined in catalina/src/share/org/apache/catalina/ Are 
those held in either the above Request object or the coyote request? Do 
we need to protect them against overwriting, deletion or even showing 
their existence?

Any help appreciated.
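
The lookup/listing mismatch described in the message above, as a simplified model added here for illustration; it is not part of the original message and not Tomcat source. The class name, getAttributeNamesUnion(), the prefix filter and all sample attribute names are assumptions.

```java
import java.util.*;

// Simplified model of the two attribute stores described in the message.
// Class and member names are hypothetical; this is not Tomcat source.
public class AttributeViewDemo {
    // Attributes set by the container or the application (the "internal" ones).
    private final Map<String, Object> attributes = new HashMap<>();
    // Stand-in for the coyoteRequest store, which also holds AJP-forwarded attributes.
    private final Map<String, Object> coyoteAttributes = new HashMap<>();

    // Lookup order from the message: internal store first, then coyoteRequest.
    Object getAttribute(String name) {
        Object attr = attributes.get(name);
        return attr != null ? attr : coyoteAttributes.get(name);
    }

    // Behaviour described in the message: only the internal names are listed.
    Set<String> getAttributeNames() {
        return new TreeSet<>(attributes.keySet());
    }

    // The union proposed in Question 1, with an optional prefix filter
    // (assumption: container-private names can be told apart by a prefix).
    Set<String> getAttributeNamesUnion(String hiddenPrefix) {
        Set<String> names = new TreeSet<>(attributes.keySet());
        for (String n : coyoteAttributes.keySet()) {
            if (hiddenPrefix == null || !n.startsWith(hiddenPrefix)) names.add(n);
        }
        return names;
    }

    public static void main(String[] args) {
        AttributeViewDemo req = new AttributeViewDemo();
        req.attributes.put("app.user", "alice");                 // constructed sample
        req.coyoteAttributes.put("REMOTE_GROUPS", "admins");     // constructed: forwarded via JkEnvVar
        req.coyoteAttributes.put("private.connector.state", 1);  // constructed: container-private

        // A filter that audits or logs attributes by enumeration never sees REMOTE_GROUPS ...
        System.out.println("listed:  " + req.getAttributeNames());
        // ... although application code can still read it by name.
        System.out.println("by name: " + req.getAttribute("REMOTE_GROUPS"));
        // The union exposes forwarded attributes while withholding prefixed private ones.
        System.out.println("union:   " + req.getAttributeNamesUnion("private."));
    }
}
```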


