Skip to content

Commit

Permalink
Fixes #11926 - Authority Customizer. (#12066)
Browse files Browse the repository at this point in the history 
Fixes #11926 - Authority Customizer.

Introduced AuthorityCustomizer to synthesize the authority from the Host header (or serverName:serverPort), and related documentation.

Removed additional check on authority's host in `HttpCompliance`, as it was too strict and in the wrong place (authority checks should be factored out elsewhere for all HTTP protocol versions).

Signed-off-by: Simone Bordet <[email protected]>
  • Loading branch information
@sbordet
sbordet authored Jul 30, 2024
1 parent 497fbf7 commit 87324a7
Show file tree
Hide file tree
Showing 5 changed files with 176 additions and 5 deletions.
12 changes: 12 additions & 0 deletions documentation/jetty/modules/programming-guide/pages/server/http.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,18 @@ WebSocket over HTTP/2 or over HTTP/3 initiate the WebSocket communication with a

For more information about how to configure `HostHeaderCustomizer`, see also link:{javadoc-url}/org/eclipse/jetty/server/HostHeaderCustomizer.html[the javadocs].

[[request-customizer-authority]]
=== `AuthorityCustomizer`

`AuthorityCustomizer` should be added when Jetty receives HTTP/2 or HTTP/3 requests that lack the `:authority` pseudo-header, and web applications have logic that depends on this value, exposed through the `Request` URI authority via `Request.getHttpURI().getAuthority()`.

The `:authority` pseudo-header may be missing if the request arrived to a proxy in HTTP/1.1 format, and the proxy is converting it to HTTP/2 or HTTP/3 before sending it to the backend server.

`AuthorityCustomizer` will synthesize the authority using the `Host` header field, if present.
If the `Host` header is also missing, it will use the request _server name_ and _server port_, values that may be influenced by the <<request-customizer-forwarded,`Forwarded` HTTP header>> and the <<connector-protocol-proxy-http11,PROXY protocol>>.

The synthesized authority will be exposed as the `Request` URI authority via `Request.getHttpURI().getAuthority()`.

[[request-customizer-proxy]]
=== `ProxyCustomizer`

Expand Down
3 changes: 0 additions & 3 deletions jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCompliance.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -402,9 +402,6 @@ public static void checkHttpCompliance(MetaData.Request request, HttpCompliance
for (String hostValue: hostValues)
if (StringUtil.isBlank(hostValue))
assertAllowed(Violation.UNSAFE_HOST_HEADER, mode, listener);
String authority = request.getHttpURI().getHost();
if (StringUtil.isBlank(authority))
assertAllowed(Violation.UNSAFE_HOST_HEADER, mode, listener);
seenHostHeader = true;
}
}
Expand Down
63 changes: 63 additions & 0 deletions .../jetty-http2-server/src/main/java/org/eclipse/jetty/http2/server/AuthorityCustomizer.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
//
// ========================================================================
// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
//
// This program and the accompanying materials are made available under the
// terms of the Eclipse Public License v. 2.0 which is available at
// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
// which is available at https://www.apache.org/licenses/LICENSE-2.0.
//
// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
// ========================================================================
//

package org.eclipse.jetty.http2.server;

import org.eclipse.jetty.http.HttpFields;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.HttpURI;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.util.HostPort;
import org.eclipse.jetty.util.URIUtil;

/**
* <p>A {@link HttpConfiguration.Customizer} that synthesizes the authority when the
* {@link HttpHeader#C_AUTHORITY} header is missing.</p>
* <p>After customization, the synthesized authority is accessible via
* {@link HttpURI#getAuthority()} from the {@link Request} object.</p>
* <p>The authority is synthesized from the {@code Host} header.
* If the {@code Host} header is also missing, it is synthesized using
* {@link Request#getServerName(Request)} and {@link Request#getServerPort(Request)}.</p>
*/
public class AuthorityCustomizer implements HttpConfiguration.Customizer
{
@Override
public Request customize(Request request, HttpFields.Mutable responseHeaders)
{
if (request.getConnectionMetaData().getHttpVersion().getVersion() < 20)
return request;

HttpURI httpURI = request.getHttpURI();
if (httpURI.hasAuthority() && !httpURI.getAuthority().isEmpty())
return request;

String hostPort = request.getHeaders().get(HttpHeader.HOST);
if (hostPort == null)
{
String host = Request.getServerName(request);
int port = URIUtil.normalizePortForScheme(httpURI.getScheme(), Request.getServerPort(request));
hostPort = new HostPort(host, port).toString();
}

HttpURI newHttpURI = HttpURI.build(httpURI).authority(hostPort).asImmutable();
return new Request.Wrapper(request)
{
@Override
public HttpURI getHttpURI()
{
return newHttpURI;
}
};
}
}
5 changes: 3 additions & 2 deletions ...tp2/jetty-http2-tests/src/test/java/org/eclipse/jetty/http2/tests/AbstractServerTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@

public class AbstractServerTest
{
protected HttpConfiguration httpConfig = new HttpConfiguration();
protected ServerConnector connector;
protected ByteBufferPool bufferPool;
protected Generator generator;
Expand All @@ -49,14 +50,14 @@ public class AbstractServerTest

protected void startServer(Handler handler) throws Exception
{
prepareServer(new HTTP2ServerConnectionFactory(new HttpConfiguration()));
prepareServer(new HTTP2ServerConnectionFactory(httpConfig));
server.setHandler(handler);
server.start();
}

protected void startServer(ServerSessionListener listener) throws Exception
{
prepareServer(new RawHTTP2ServerConnectionFactory(new HttpConfiguration(), listener));
prepareServer(new RawHTTP2ServerConnectionFactory(httpConfig, listener));
server.start();
}

Expand Down
98 changes: 98 additions & 0 deletions ...etty-http2-tests/src/test/java/org/eclipse/jetty/http2/tests/AuthorityCustomizerTest.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
//
// ========================================================================
// Copyright (c) 1995 Mort Bay Consulting Pty Ltd and others.
//
// This program and the accompanying materials are made available under the
// terms of the Eclipse Public License v. 2.0 which is available at
// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
// which is available at https://www.apache.org/licenses/LICENSE-2.0.
//
// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
// ========================================================================
//

package org.eclipse.jetty.http2.tests;

import java.io.OutputStream;
import java.net.Socket;
import java.nio.ByteBuffer;
import java.util.HashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

import org.eclipse.jetty.http.HttpFields;
import org.eclipse.jetty.http.HttpScheme;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.http.MetaData;
import org.eclipse.jetty.http2.frames.HeadersFrame;
import org.eclipse.jetty.http2.frames.PrefaceFrame;
import org.eclipse.jetty.http2.frames.SettingsFrame;
import org.eclipse.jetty.http2.parser.Parser;
import org.eclipse.jetty.http2.server.AuthorityCustomizer;
import org.eclipse.jetty.io.ByteBufferPool;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.util.BufferUtil;
import org.eclipse.jetty.util.Callback;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;

public class AuthorityCustomizerTest extends AbstractServerTest
{
@Test
public void testSynthesizeAuthorityFromHost() throws Exception
{
startServer(new Handler.Abstract()
{
@Override
public boolean handle(Request request, Response response, Callback callback)
{
int status = request.getHttpURI().hasAuthority() ? HttpStatus.OK_200 : HttpStatus.BAD_REQUEST_400;
response.setStatus(status);
callback.succeeded();
return true;
}
});
httpConfig.addCustomizer(new AuthorityCustomizer());

ByteBufferPool.Accumulator accumulator = new ByteBufferPool.Accumulator();
generator.control(accumulator, new PrefaceFrame());
generator.control(accumulator, new SettingsFrame(new HashMap<>(), false));
MetaData.Request metaData = new MetaData.Request("GET", HttpScheme.HTTP.asString(), null, path, HttpVersion.HTTP_2, HttpFields.EMPTY, -1);
generator.control(accumulator, new HeadersFrame(1, metaData, null, true));

try (Socket client = new Socket("localhost", connector.getLocalPort()))
{
OutputStream output = client.getOutputStream();
for (ByteBuffer buffer : accumulator.getByteBuffers())
{
output.write(BufferUtil.toArray(buffer));
}

CountDownLatch latch = new CountDownLatch(1);
AtomicReference<HeadersFrame> frameRef = new AtomicReference<>();
Parser parser = new Parser(bufferPool, 8192);
parser.init(new Parser.Listener()
{
@Override
public void onHeaders(HeadersFrame frame)
{
frameRef.set(frame);
latch.countDown();
}
});
parseResponse(client, parser);

assertTrue(latch.await(5, TimeUnit.SECONDS));

HeadersFrame frame = frameRef.get();
MetaData.Response response = (MetaData.Response)frame.getMetaData();
assertEquals(HttpStatus.OK_200, response.getStatus());
}
}
}

0 comments on commit 87324a7

Please sign in to comment.