Comments (3)
Given the lack of further response combined with the current behaviour being aligned with the RFCs, I am closing this one.
from servlet.
TL;DR For Servlet <= 6.0, this is an Open Liberty bug that needs to be fixed, not a TCK bug. There is an option to change the Servlet specification for Servlet >= 6.1.
The Servlet specification, correctly, makes no statement regarding the timing of sending data for the upgraded connection with respect to the HTTP 101 response.
It is RFC compliant to send data for an upgraded connection prior to receiving the HTTP 101 response. Quoting RFC 9110:
"A client cannot begin using an upgraded protocol on the connection until it has completely sent the request message (i.e., the client can't change the protocol it is sending in the middle of a message)."
Nothing in the current RFCs requires the client to wait for the upgrade to be confirmed before using the protocol.
A number of RFCs for upgraded protocols do require the client to wait for the upgrade to be confirmed but those are protocol specific requirements, not generic upgrade requirements.
There is a general concern that optimistic upgrade (sending data using the upgraded protocol before the server has confirmed the upgrade) is problematic and there is an RFC in draft that would explicitly require all future upgrade protocols to protect against the security risks associated with optimistic upgrade. However, that RFC does not modify the language in RFC 9110 and optimistic upgrade remains specification compliant.
The TCK test could be improved to send the upgrade request and the data for the upgrade protocol at the same time which would result in a consistent TCK failure for Open Liberty and any similarly implemented servers.
We could modify the Servlet specification to reject any attempt at optimistic upgrade with a 400 response. I'm reluctant to do this as there are scenarios (which are the most likely use cases for a custom HttpUpgradeHandler) where optimistic upgrade is safe and it provides a performance improvement.
from servlet.
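The test shape suggested in the comment above (upgrade request and upgraded-protocol data sent in a single write), as an added example that is not code from the TCK, Open Liberty or the thread. The protocol name `demo-proto`, the toy server `serve_once` and its `keep_leftover` switch are assumptions made for illustration; `keep_leftover=False` models a hypothetical server that discards bytes read together with the request head.

```python
import socket
import threading

# Constructed sample: upgrade request plus first upgraded-protocol bytes.
REQUEST = (b"GET /upgrade HTTP/1.1\r\nHost: example.test\r\n"
           b"Connection: Upgrade\r\nUpgrade: demo-proto\r\n\r\n")
EARLY_DATA = b"hello-before-101\n"
ACCEPT = (b"HTTP/1.1 101 Switching Protocols\r\n"
          b"Connection: Upgrade\r\nUpgrade: demo-proto\r\n\r\n")

def split_head(buf):
    """Split at the end of the request head; leftover belongs to the new protocol."""
    end = buf.find(b"\r\n\r\n")
    return None if end < 0 else (buf[:end + 4], buf[end + 4:])

def serve_once(conn, keep_leftover):
    """Toy server (hypothetical): accept the upgrade, echo one line upper-cased."""
    with conn:
        buf = b""
        while split_head(buf) is None:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
        _head, leftover = split_head(buf)
        conn.sendall(ACCEPT)
        # keep_leftover=False models a server that discards bytes read with the head.
        pending = leftover if keep_leftover else b""
        conn.settimeout(0.5)
        try:
            while b"\n" not in pending and (chunk := conn.recv(4096)):
                pending += chunk
        except socket.timeout:
            pass  # the client already sent its data and will not resend it
        if b"\n" in pending:
            conn.sendall(pending.split(b"\n")[0].upper() + b"\n")

def optimistic_upgrade(keep_leftover):
    """Send request and data in one write; return [response_head, upgraded_reply]."""
    client, server = socket.socketpair()
    threading.Thread(target=serve_once, args=(server, keep_leftover)).start()
    with client:
        client.sendall(REQUEST + EARLY_DATA)  # no wait for the 101
        reply = b""
        while chunk := client.recv(4096):
            reply += chunk
    return reply.split(b"\r\n\r\n", 1)
```

A server that hands the leftover bytes to its upgrade handler answers the early data; one that drops them sends the 101 and then never replies, which is the consistent failure a combined-write test would surface.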
Thanks, Mark. I've passed this back to web dev for rebuttal/acquiescence.
from servlet.