Bug 47679 - Not all headers get passed to Tomcat server from isapi_redirect.dll
Not all headers get passed to Tomcat server from isapi_redirect.dll
Status: RESOLVED FIXED
Product: Tomcat Connectors
Classification: Unclassified
Component: isapi
1.2.28
PC Windows 2000
: P2 normal (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2009-08-11 12:31 UTC by Brett Prucha
Modified: 2011-04-11 05:36 UTC (History)
0 users



Attachments
Fix to prevent headers from being dropped (1.11 KB, patch)
2009-08-11 12:31 UTC, Brett Prucha
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Brett Prucha 2009-08-11 12:31:37 UTC
Created attachment 24129 [details]
Fix to prevent headers from being dropped

In Windows 2000 Server with IIS 5.0 when using isapi_redirect.dll as an
extension, the SF_NOTIFY_AUTH_COMPLETE event is not called.  This means the
HTTP_TOMCATURI_XXXXXXXX and HTTP_TOMCATWORKER_XXXXXXXX headers don't exists. 
However the number of headers sent to Tomcat is automatically reduced by 2
assuming these headers exists causing other legitimate headers to get dropped.
Comment 1 Tim Whittington 2010-01-04 11:46:04 UTC
This is interesting - I seem to remember testing on Windows 2000 Server when making changes to this area, and the AUTH_COMPLETE was firing.

Depending on whether your connector was built with automatic notification event detection (mine are, but not sure about the ones available via Tomcat) you may be able to force the use of SF_NOTIFY_PREPROC_HEADERS by setting auth_complete=0 in your configuration.

I don't think your proposed patch will work - trapping the appropriate notify event in HttpFilterProc is necessary for the redirector to work (all of the URI -> worker mapping happens there).

The fix should be to make automatic flag detection work on Windows 2000 (reliably), or simply to use the manual override with an appropriately built connector.

Perhaps some additional error checking in HttpExtensionProc to check if the filter has executed correctly would also be in order.
Comment 2 Brett Prucha 2010-01-08 06:45:29 UTC
I'm not sure you understand what I mean by "extension". I am referring to the IIS application mappings (Website properties / Home Directory / Configuration under Application settings / Mappings / Add mappings of specific extensions to ISAPI dll). In this scenario IIS handles the authentication and isapi_redirect does not use the url mappings.

Unfortunately I am no longer using Windows 2000 server so I can't verify the settings you are talking about though I am quite positive I had auth_complete=0. I initially ran into this problem using the precompiled dll downloaded from the apache website so if that version was built with automatic notification event detection then that is what I was using. Even if that isn't the case I know IIS intercepts the authentication when using the filter as an "extension" so the SF_NOTIFY_AUTH_COMPLETE event does not get called.
Comment 3 Mark Thomas 2011-03-28 04:25:56 UTC
Report on users list of similar issues on windows 2k8/ IIS 7.5:
http://markmail.org/message/obnvxffoc4wwy2x4
Comment 4 Tim Whittington 2011-04-11 05:36:20 UTC
I've committed a fix for this.
The ISAPI Redirector was assuming that it was always running in 'redirector' mode, where the filter part of the redirector was determining whether an incoming URL matched and forwarding that match to the extension part via magic HTTP headers.

The extension code was not accounting for the 'legacy' mode of operation, where those headers were not present.
The downside is an insignificant memory overhead on each request.

Fix will be in 1.2.32