use_server_errors dropping headers


Frederik Nosi
Hi all,

after troubleshooting a problem with missing headers in an app response
I'm not sure if the behaviour that I'm seeing is a bug or the expected
behaviour.

My configuration is fairly simple:

httpd + mod_jk -> tomcat

Versions:
Apache/2.4.10
mod_jk/1.2.40
Tomcat/8.0.18

(I know I'm not using current versions, no time for now to upgrade this
development server.)

This said,

The particular REST app, when called with certain parameters, replies with
a status code 401 and an additional custom header carrying an error
code, like this:

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
X-ERR-CODE: XXXXX-N
Content-Type: text/html;charset=ISO-8859-1
Content-Length: XXXXX
Date: Thu, 18 May 2017 11:17:10 GMT

[BODY]

When passing the request through httpd / mod_jk the custom headers are
dropped. When calling Tomcat directly instead, we get all the reply headers.

Now, we're using "use_server_errors=400" on our context definition
in uriworkermaps.properties; when dropping it or setting it > 401 we get
the custom headers.

The documentation for that parameter is (from
https://tomcat.apache.org/connectors-doc/reference/printer/uriworkermap.html
):

===
The extension use_server_errors allows to let the web server send an
error page, instead of the backend (e.g. Tomcat) error page. This is
useful, if one wants to send customized error pages, but those are not
part of all web applications. They can then be put onto the web server.

The value of use_server_errors is a positive number. Any request send to
the backend, that returns with an http status code bigger or equal to
use_server_errors, will be answered to the client with the error page of
the web server for this status code.
===

So no mention of headers; searching the HTTP RFCs on the 401 status code I
found no indication in this case either.

Searching around i found this:

https://bz.apache.org/bugzilla/show_bug.cgi?id=51253

It seems the header gets dropped here:

/* ========================================================================= */
/* JK Service step callbacks                                                 */
/* ========================================================================= */

static int JK_METHOD ws_start_response(jk_ws_service_t *s,
                                       int status,
                                       const char *reason,
                                       const char *const *header_names,
                                       const char *const *header_values,
                                       unsigned num_of_headers)
{
    unsigned h;
    apache_private_data_t *p = s->ws_private;
    request_rec *r = p->r;

    /* If we use proxy error pages, still pass
     * through context headers needed for special status codes.
     */
    if (s->extension.use_server_error_pages &&
        status >= s->extension.use_server_error_pages) {
        if (status == HTTP_UNAUTHORIZED) {
            int found = JK_FALSE;
            for (h = 0; h < num_of_headers; h++) {
                if (!strcasecmp(header_names[h], "WWW-Authenticate")) {
                    char *tmp = apr_pstrdup(r->pool, header_values[h]);
                    apr_table_set(r->err_headers_out,
                                  "WWW-Authenticate", tmp);
                    found = JK_TRUE;
                }
            }
            if (found == JK_FALSE) {
                jk_server_conf_t *xconf = (jk_server_conf_t *)
                    ap_get_module_config(r->server->module_config,
                                         &jk_module);
                jk_log(xconf->log, JK_LOG_INFO,
                       "origin server sent 401 without"
                       " WWW-Authenticate header");
            }
        }
        return JK_TRUE;
    }

[...]


As I read the code, in the 401 case you deliberately drop all but
the WWW-Authenticate header. I'm curious what's the reason behind this
behaviour?


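The behaviour described in the message, as an added example that is not part of the original post and is not mod_jk code: a simplified, self-contained C model of the quoted branch, showing which backend headers still reach the client for a given status and use_server_errors value. The names hdr_t, forwarded_headers and sample_header_survives are hypothetical, the WWW-Authenticate value is constructed, and the pass-everything path assumes what the message reports for the non-intercepted case.

```c
#include <stddef.h>
#include <strings.h>

/* Simplified model of the quoted ws_start_response() branch.
 * hdr_t and forwarded_headers() are hypothetical names for this example. */
typedef struct { const char *name; const char *value; } hdr_t;
#define STATUS_UNAUTHORIZED 401

/* Copies into out[] the backend headers that would still reach the client.
 * threshold == 0 models "use_server_errors not set".
 * Returns the number of headers written to out[] (at most max_out). */
size_t forwarded_headers(int status, int threshold,
                         const hdr_t *in, size_t n_in,
                         hdr_t *out, size_t max_out)
{
    size_t i, n_out = 0;
    int intercepted = threshold && status >= threshold;

    for (i = 0; i < n_in && n_out < max_out; i++) {
        if (!intercepted) {
            out[n_out++] = in[i];      /* not intercepted: headers pass */
        } else if (status == STATUS_UNAUTHORIZED &&
                   !strcasecmp(in[i].name, "WWW-Authenticate")) {
            out[n_out++] = in[i];      /* the only header kept for a 401 */
        }
        /* every other header of an intercepted response is discarded */
    }
    return n_out;
}

/* Constructed sample: the 401 reply from the message plus a challenge. */
static const hdr_t sample_401[] = {
    { "Server", "Apache-Coyote/1.1" },
    { "X-ERR-CODE", "XXXXX-N" },
    { "WWW-Authenticate", "Basic realm=\"example\"" },
    { "Content-Type", "text/html;charset=ISO-8859-1" },
};
#define SAMPLE_401_LEN (sizeof sample_401 / sizeof sample_401[0])

/* Returns 1 if the named header survives for the sample 401 reply. */
int sample_header_survives(int threshold, const char *name)
{
    hdr_t out[SAMPLE_401_LEN];
    size_t i, n = forwarded_headers(STATUS_UNAUTHORIZED, threshold,
                                    sample_401, SAMPLE_401_LEN, out, SAMPLE_401_LEN);
    for (i = 0; i < n; i++)
        if (!strcasecmp(out[i].name, name)) return 1;
    return 0;
}
```

With a threshold of 400 the model keeps only WWW-Authenticate for the 401 reply, so an application that signals error detail in a custom header has to account for the header being absent when the web server supplies the error page.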