tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: enforcing SSL only for external clients
Date Thu, 09 Dec 2010 20:07:13 GMT

André,

On 12/9/2010 1:50 PM, André Warnier wrote:
> Assume that the upload URL in question is handled by an application
> requiring HTTPS.
> And assume that the web application requires some form of user
> authentication.

Ok.

> Are you telling me that if a user connects for the first time to the
> site using this "upload URL", Tomcat is going to read the entire POST
> request prior to checking if this user is authenticated?

It might not even need to be an upload URL.

If the authenticator rejects the request, or even if the application
rejects the request for some reason, I believe there's a loop in the
Tomcat code before shutting everything down that looks something like this:

while (in.read() != -1)
  ;

That means that you can hold up a thread as long as you can keep sending
data. I'm not sure what happens if the servlet explicitly closes the
input stream... clearly Tomcat can't drain it once it's closed.

I may be wrong -- this used to be the behavior; it may have changed
since then.

-chris
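
A bounded alternative to the drain loop described in the message above, as an added example that is not part of the original post and is not Tomcat's code: it discards the rest of a rejected request body but gives up after a byte cap or a deadline, so the caller can close the connection instead of leaving the thread tied up. The names BoundedDrain, drain and EndlessBody and the limit values are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added example (not Tomcat source): drain a rejected request body with hard limits.
class BoundedDrain {

    /**
     * Reads and discards what is left of the body, giving up once more than
     * maxBytes have been read or maxMillis have elapsed.
     * Returns true if end of stream was reached (connection can be reused),
     * false if a limit was hit (caller should close the connection).
     * The deadline is only checked between reads, so a read that blocks with
     * no data at all is assumed to be bounded by the socket read timeout.
     */
    static boolean drain(InputStream in, long maxBytes, long maxMillis) throws IOException {
        byte[] buf = new byte[8192];
        long total = 0;
        long deadline = System.nanoTime() + maxMillis * 1_000_000L;
        while (true) {
            int n = in.read(buf);
            if (n == -1) {
                return true;                       // body fully consumed
            }
            total += n;
            // Overflow-safe nanoTime comparison for the deadline.
            if (total > maxBytes || System.nanoTime() - deadline > 0) {
                return false;                      // stop reading, close instead
            }
        }
    }

    /** Constructed stand-in for a client that never stops sending. */
    static final class EndlessBody extends InputStream {
        @Override public int read() { return 'A'; }
        @Override public int read(byte[] b, int off, int len) { return len; }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a 1 KiB body that ends, and one that never does.
        InputStream small = new ByteArrayInputStream(new byte[1024]);
        System.out.println("small body reusable:   " + drain(small, 64 * 1024, 2000));
        System.out.println("endless body reusable: " + drain(new EndlessBody(), 64 * 1024, 2000));
    }
}
```

Later Tomcat releases expose a maxSwallowSize attribute on the HTTP connector that caps how many request body bytes are swallowed for an aborted upload.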
