When request attributes are sent by mod_jk from Apache to Tomcat5.0.16's Coyote AJP/1.3 handler, these attributes are not listed by request.getAttributeNames(). They are accesible when specificaly asked for them using request.getAttribute(), but even after this they are not listed by request.getAttributeNames(). Steps to reproduce: 1) set up Apache with SSL support and mod_jk (or mod_jk2) 2) enable sending SSL attributes in httpd.conf using LoadModule jk_module libexec/mod_jk1.2.5.so JkWorkersFile "/etc/httpd/workers.properties" JkLogFile "/var/log/httpd/mod_jk.log" JkLogLevel info JkOptions +ForwardKeySize +ForwardURIEscaped -ForwardDirectories JkExtractSSL On JkEnvVar SSL_PROTOCOL "default" JkEnvVar SSL_VERSION_INTERFACE "default" JkMount /mywebapp/* myworker <Location "/mywebapp/*"> SSLOptions +ExportCertData +StdEnvVars </Location> 3) in Tomcat, in webapplication "mywebapp" create a JSP page with following code: <b>Enumerated request attributes:</b><br> <%java.util.Enumeration en1=request.getAttributeNames(); while(en1.hasMoreElements()) { String name = (String)en1.nextElement(); out.println(name+"="+request.getAttribute(name)+"<br>"); }%> <b>Asked request attributes:</b><br> javax.servlet.request.cipher_suite=<%=request.getAttribute("javax.servlet.request.cipher_suite") %><br> javax.servlet.request.key_size=<%=request.getAttribute("javax.servlet.request.key_size") %><br> javax.servlet.request.X509Certificate=<%=request.getAttribute("javax.servlet.request.X509Certificate") %><br> javax.servlet.request.ssl_session=<%=request.getAttribute("javax.servlet.request.ssl_session") %><br> SSL_PROTOCOL=<%=request.getAttribute("SSL_PROTOCOL") %><br> SSL_VERSION_INTERFACE=${SSL_VERSION_INTERFACE}<br> <b>Again enumerated request attributes:</b><br> <%java.util.Enumeration en2=request.getAttributeNames(); while(en2.hasMoreElements()) { String name = (String)en2.nextElement(); out.println(name+"="+request.getAttribute(name)+"<br>"); }%> 4) access the page from a webbrowser. The page will display: Enumerated request attributes: Asked request attributes: javax.servlet.request.cipher_suite=RC4-MD5 javax.servlet.request.key_size=128 javax.servlet.request.X509Certificate=[Ljava.security.cert.X509Certificate;@199197b javax.servlet.request.ssl_session=78DE7EA098961A94E2C37B410FEFCAEA4B2ACD8D8A15199AF52CED901083D870 SSL_PROTOCOL=TLSv1 SSL_VERSION_INTERFACE=mod_ssl/2.8.15 Again enumerated request attributes: javax.servlet.request.cipher_suite=RC4-MD5 javax.servlet.request.key_size=128 javax.servlet.request.X509Certificate=[Ljava.security.cert.X509Certificate;@199197b It means, that some request attribute names are listed after they were specificaly asked, but not before, and not all of them.
Voting for a bug is stupid ;-) If you care, submit a patch (although I'd say it may not be accepted, the issue is complex). I think this issue may be partially addressed (the parameter will show up in the list), as I see something odd in the getParameter from TC 5 in the adaptor code. For the rest, this may not be fixed; we'll see.
The three standard SSL attributes will now be exposed through getAttributeNames even without calling getAttribute first. As a design decision, all other attributes coming from the native layer will not be exposed through getAttributeNames. Please do nt reopen this report.
*** Bug 27514 has been marked as a duplicate of this bug. ***