diff options
Diffstat (limited to 'rubbos/app/tomcat-connectors-1.2.32-src/xdocs/ajp/ajpv13ext.xml')
| -rw-r--r-- | rubbos/app/tomcat-connectors-1.2.32-src/xdocs/ajp/ajpv13ext.xml | 686 |
1 files changed, 0 insertions, 686 deletions
diff --git a/rubbos/app/tomcat-connectors-1.2.32-src/xdocs/ajp/ajpv13ext.xml b/rubbos/app/tomcat-connectors-1.2.32-src/xdocs/ajp/ajpv13ext.xml deleted file mode 100644 index d3c8c3a0..00000000 --- a/rubbos/app/tomcat-connectors-1.2.32-src/xdocs/ajp/ajpv13ext.xml +++ /dev/null @@ -1,686 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE document [ - <!ENTITY project SYSTEM "project.xml"> -]> -<document url="ajpv13ext.html"> - - &project; -<copyright> - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -</copyright> -<properties> -<title>AJPv13 extensions Proposal</title> -<author email="hgomez@apache.org">Henri Gomez</author> -<date>$Date: 2006-12-03 13:55:56 +0100 (Sun, 03 Dec 2006) $</date> -</properties> -<body> -<section name="Introduction"> -<p> -This document is a proposal of evolution of the current -Apache JServ Protocol version 1.3, also known as ajp13. -I'll not cover here the full protocol but only the add-on from ajp13. - -This nth pass include comments from the tomcat-dev list and -misses discovered during developpment. -</p> -<subsection name="Missing features in AJP13"> -<p> -ajp13 is a good protocol to link a servlet engine like tomcat to a web server like Apache: - -<ul> -<li> -use persistants connections to avoid reconnect time at each request -</li> -<li> -encode many http commands to reduce stream size -</li> -<li> -send to servlet engine many info from web server (like SSL certs) -</li> -</ul> -<p> -But ajp13 lacks support for : -</p> -<ul> -<li> - security between web server and servlet engine. - Anybody can connect to an ajp13 port (no login mecanism used) - You could connect, for example with telnet, and keep the remote thread - up by not sending any data (no timeout in connection) -</li> -<li> - context information passed from servlet engine to web server. - Part of the configuration of JK, the web server connector, is to - indicate to the web server which URI to handle. - The mod_jk JkMount directive, told to web server which URI must be - forwarded to servlet engine. - A servlet engine allready knows which URI it handle and TC 3.3 is - allready capable to generate a config file for JK from the list - of available contexts. -</li> -<li> - state update of contexts from servlet engine to web server. - Big site with farm of Tomcat, like ISP and virtuals hosters, - may need to stop a context for admin purposes. In that case the front - web server must know that the context is currently down, to eventually - relay the request to another Tomcat -</li> -<li> - verify state of connection before sending request. - Actually JK send the request to the servlet engine and next wait - for the answer. But one of the beauty of the socket API, is you that - you could write() to a closed connection without any error reporting, - but a read() to a closed connection return you the error code. -</li> -</ul> - -</p> -</subsection> - -<subsection name="Proposed add-ons to AJP13"> -<p> -Let's descrive here the features and add-on that could be added to AJP13. -Since this document is a proposal, a reasonable level of chaos must be expected at first. -Be sure that discussion on tomcat list will help clarify points, add -features but the current list seems to be a 'minimun vital' - -<ul> - -<li> -Advanced login features at connect time -</li> - -<li> -Basic authorisation system, where a shared secret key is -present in web server and servlet engine. -</li> - -<li> -Basic protocol negociation, just to be sure that if functionnalities are added -to AJP13 in the future, current implementations will still works. -</li> - -<li> -Clean handling of 'Unknown packets' -</li> - -<li> -Extended env vars passed from web-server to servlet engine. -</li> - -<li> -Add extra SSL informations needed by Servlet 2.3 API (like SSL_KEY_SIZE) -</li> - -</ul> - -</p> -</subsection> - -<subsection name="Advanced login"> -<p> - -<ol> -<li> -WEB-SERVER send LOGIN INIT CMD + NEGOCIATION DATA + WEB SERVER INFO -</li> -<li> - TOMCAT respond with LOGIN SEED CMD + RANDOM DATA -</li> -<li> - WEB-SERVER calculted the MD5 of RANDOM DATA+SECRET DATA -</li> -<li> - WEB-SERVER send LOGIN COMP CMD + MD5 (SECRET DATA + RANDOM DATA) -</li> -<li> - TOMCAT respond with LOGIN STATUS CMD + NEGOCIED DATA + SERVLET ENGINE INFO -</li> -</ol> - -To prevent DOS attack, the servlet engine will wait -the LOGIN CMD only 15/30 seconds and reports the -timeout exception for admins investigation. - -The login command will contains basic protocol -negociation information like compressing ability, -crypto, context info (at start up), context update at -run-time (up/down), level of SSL env vars, AJP protocol -level supported (level1/level2/level3...) - -The Web server info will contain web server info and -connector name (ie Apache 1.3.26 + mod_ssl 2.8.8 + mod_jk 1.2.1 + mod_perl 1.25). - -The servlet engine will mask the negociation mask with it's own -mask (what it can do) and return it when loggin is accepted. - -This will help having a basic AJP13 implementation (level 1) -on a web-server working with a more advanced protocol handler on -the servlet engine side or vice-versa. - -AJP13 was designed to be small and fast and so many -SSL informations present in the web-server are not -forwarded to the servlet engine. - -We add here four negociations flags to provide more -informations on client SSL data (certs), server SSL datas, -crypto used, and misc datas (timeout...). -</p> -</subsection> - -<subsection name="Messages Stream"> -<p> -<source> -+----------------+------------------+-----------------+ -| LOGIN INIT CMD | NEGOCIATION DATA | WEB SERVER INFO | -+----------------+------------------+-----------------+ - -+----------------+----------------+ -| LOGIN SEED CMD | MD5 of entropy | -+----------------+----------------+ - -+----------------+----------------------------+ -| LOGIN COMP CMD | MD5 of RANDOM + SECRET KEY | -+----------------+----------------------------+ - -+-----------+---------------+---------------------+ -| LOGOK CMD | NEGOCIED DATA | SERVLET ENGINE INFO | -+-----------+---------------+---------------------+ - -+------------+--------------+ -| LOGNOK CMD | FAILURE CODE | -+------------+--------------+ -</source> - -<ul> -<li> -LOGIN INIT CMD, LOGIN SEED CMD, LOGIN COMP CMD, LOGOK CMD, LOGNOK CMD are 1 byte long. -</li> -<li> -MD5, MD5 of RANDOM + SECRET KEY are 32 chars long. -</li> -<li> -NEGOCIATION DATA, NEGOCIED DATA, FAILURE CODE are 32 bits long. -</li> -<li> -WEB SERVER INFO, SERVLET ENGINE INFO are CString. -</li> -</ul> - -The secret key will be set by a new propertie in -workers.properties : secretkey -<source> -worker.ajp13.port=8009 -worker.ajp13.host=localhost -worker.ajp13.type=ajp13 -worker.ajp13.secretkey=myverysecretkey -</source> -</p> -</subsection> - -<subsection name="Shutdown feature"> -<p> -AJP13 miss a functionnality of AJP12, which is shutdown command. -A logout will tell servlet engine to shutdown itself. -<source> -+--------------+----------------------------+ -| SHUTDOWN CMD | MD5 of RANDOM + SECRET KEY | -+--------------+----------------------------+ - -+------------+ -| SHUTOK CMD | -+------------+ - -+-------------+--------------+ -| SHUTNOK CMD | FAILURE CODE | -+-------------+--------------+ -</source> - -<ul> -<li> -SHUTDOWN CMD, SHUTOK CMD, SHUTNOK CMD are 1 byte long. -</li> -<li> -MD5 of RANDOM + SECRET KEY are 32 chars long. -</li> -<li> -FAILURE CODE is 32 bits long. -</li> -</ul> - -</p> -</subsection> - -<subsection name="Extended Env Vars feature"> -<p> -NOTA: - -While working on AJP13 in JK, I really discovered "JkEnvVar". -The following "Extended Env Vars feature" description may not -be implemented in extended AJP13 since allready available in original -implementation. - -DESC: - -Many users will want to see some of their web-server env vars -passed to their servlet engine. - -To reduce the network traffic, the web-servlet will send a -table to describing the external vars in a shorter fashion. - -We'll use there a functionnality allready present in AJP13, -attributes list : - -In the AJP13, we've got : - -<source> -AJP13_FORWARD_REQUEST := - prefix_code 2 - method (byte) - protocol (string) - req_uri (string) - remote_addr (string) - remote_host (string) - server_name (string) - server_port (integer) - is_ssl (boolean) - num_headers (integer) - request_headers *(req_header_name req_header_value) - - ?context (byte string) - ?servlet_path (byte string) - ?remote_user (byte string) - ?auth_type (byte string) - ?query_string (byte string) - ?route (byte string) - ?ssl_cert (byte string) - ?ssl_cipher (byte string) - ?ssl_session (byte string) - - ?attributes *(attribute_name attribute_value) - request_terminator (byte) -</source> - -Using short 'web server attribute name' will reduce the -network traffic. - -<source> -+-------------------+---------------------------+-------------------------------+----+ -| EXTENDED VARS CMD | WEB SERVER ATTRIBUTE NAME | SERVLET ENGINE ATTRIBUTE NAME | ES | -+-------------------+---------------------------+-------------------------------+----+ -</source> - -ie : - -<source> -JkExtVars S1 SSL_CLIENT_V_START javax.servlet.request.ssl_start_cert_date -JkExtVars S2 SSL_CLIENT_V_END javax.servlet.request.ssl_end_cert_date -JkExtVars S3 SSL_SESSION_ID javax.servlet.request.ssl_session_id - - -+-------------------+----+-------------------------------------------+ -| EXTENDED VARS CMD | S1 | javax.servlet.request.ssl_start_cert_date | -+-------------------+----+-------------------------------------------+ -+----+-----------------------------------------+ -| S2 | javax.servlet.request.ssl_end_cert_date | -+----+-----------------------------------------+ -+----+-----------------------------------------+ -| S3 | javax.servlet.request.ssl_end_cert_date | -+----+-----------------------------------------+ -</source> - -During transmission in extended AJP13 we'll see attributes name -containing S1, S2, S3 and attributes values of -2001/01/03, 2002/01/03, 0123AFE56. - -This example showed the use of extended SSL vars but -any 'personnal' web-server vars like custom authentification -vars could be reused in the servlet engine. -The cost will be only some more bytes in the AJP traffic. - -<ul> -<li> -EXTENDED VARS CMD is 1 byte long. -</li> -<li> -WEB SERVER ATTRIBUTE NAME, SERVLET ENGINE ATTRIBUTE NAME are CString. -</li> -<li> -ES is an empty CString. -</li> -</ul> - -</p> -</subsection> - -<subsection name="Context informations forwarding for Servlet engine to Web Server"> -<p> -Just after the LOGON PHASE, the web server will ask for the list of contexts -and URLs/URIs handled by the servlet engine. -It will ease installation in many sites, reduce questions about configuration -on tomcat-user list, and be ready for servlet API 2.3. - -This mode will be activated by a new directive JkAutoMount - -ie: JkAutoMount examples myworker1 /examples/ - -If we want to get ALL the contexts handled by the servlet engine, willcard -could be used : - -ie: JkAutoMount * myworker1 * - -A servlet engine could have many contexts, /examples, /admin, /test. -We may want to use only some contexts for a given worker. It was -done previously, in apache HTTP server for example, by setting by -hand the JkMount accordingly in each [virtual] area of Apache. - -If you web-server support virtual hosting, we'll forward also that -information to servlet engine which will only return contexts for -that virtual host. -In that case the servlet engine will only return the URL/URI matching -these particular virtual server (defined in server.xml). -This feature will help ISP and big sites which mutualize large farm -of Tomcat in load-balancing configuration. - -<source> -+-----------------+-------------------+----------+----------+----+ -| CONTEXT QRY CMD | VIRTUAL HOST NAME | CONTEXTA | CONTEXTB | ES | -+-----------------+-------------------+----------+----------+----+ - -+------------------+-------------------+----------+-------------------+----------+---------------+----+ -| CONTEXT INFO CMD | VIRTUAL HOST NAME | CONTEXTA | URL1 URL2 URL3 ES | CONTEXTB | URL1 URL2 ... | ES | -+------------------+-------------------+----------+-------------------+----------+---------------+----+ -</source> - -We'll discover via context-query, the list of URL/MIMES handled by the remove servlet engine -for a list of contextes. -In wildcard mode, CONTEXTA will contains just '*'. - -<ul> -<li> -CONTEXT QRY CMD and CONTEXT INFO CMD are 1 byte long. -</li> -<li> -VIRTUAL HOST NAME is a CString, ie an array of chars terminated by a null byte (/0). -</li> -<li> -An empty string is just a null byte (/0). -</li> -<li> -ES is an empty CString. Indicate end of URI/URLs or end of CONTEXTs. -</li> -</ul> - -NB:<br/> -When VirtualMode is not to be used, the VIRTUAL HOST NAME is '*'. -In that case the servlet engine will send all contexts handled. -</p> -</subsection> - -<subsection name="Context informations updates from Servlet engine to Web Server"> -<p> -Context update are messages caming from the servlet engine each time a context -is desactivated/reactivated. The update will be in use when the directive JkUpdateMount. -This directive will set the AJP13_CONTEXT_UPDATE_NEG flag. - -ie: JkUpdateMount myworker1 - -<source> -+--------------------+-------------------+----------+--------+----------+--------+----+ -| CONTEXT UPDATE CMD | VIRTUAL HOST NAME | CONTEXTA | STATUS | CONTEXTB | STATUS | ES | -+--------------------+-------------------+----------+--------+----------+--------+----+ -</source> - -<ul> -<li> -CONTEXT UPDATE CMD, STATUS are 1 byte long. -</li> -<li> -VIRTUAL HOST NAME, CONTEXTS are CString. -</li> -<li> -ES is an empty CString. Indicate end of CONTEXTs. -</li> -</ul> - -NB:<br/> -When VirtualMode is not in use, the VIRTUAL HOST NAME is '*'. -STATUS is one byte indicating if context is UP/DOWN/INVALID -</p> -</subsection> - -<subsection name="Context status query to Servlet engine"> -<p> -This query will be used by the web-server to determine if a given -contexts are UP, DOWN or INVALID (and should be removed). - -<source> -+-------------------+--------------------+----------+----------+----+ -| CONTEXT STATE CMD | VIRTUAL HOST NAME | CONTEXTA | CONTEXTB | ES | -+-------------------+--------------------+----------+----------+----+ - -+-------------------------+-------------------+----------+--------+----------+--------+----+ -| CONTEXT STATE REPLY CMD | VIRTUAL HOST NAME | CONTEXTA | STATUS | CONTEXTB | STATUS | ES | -+-------------------------+-------------------+----------+-------------------+--------+----+ -</source> - -<ul> -<li> -CONTEXT STATE CMD, CONTEXT STATE REPLY CMD, STATUS are 1 byte long. -</li> -<li> -VIRTUAL HOST NAME, CONTEXTs are CString -</li> -<li> -ES is an empty CString -</li> -</ul> - -NB:<br/> -When VirtualMode is not in use, the VIRTUAL HOST NAME is an empty string. -</p> -</subsection> - -<subsection name="Handling of unknown packets"> -<p> -Sometimes even with a well negocied protocol, we may be in a situation -where one end (web server or servlet engine), will receive a message it -couldn't understand. In that case the receiver will send an -'UNKNOW PACKET CMD' with attached the unhandled message. - -<source> -+--------------------+------------------------+-------------------+ -| UNKNOWN PACKET CMD | UNHANDLED MESSAGE SIZE | UNHANDLED MESSAGE | -+--------------------+------------------------+-------------------+ -</source> - -Depending on the message, the sender will report an error and if -possible will try to forward the message to another endpoint. - -<ul> -<li> -UNKNOWN PACKET CMD is 1 byte long. -</li> -<li> -UNHANDLED MESSAGE SIZE is 16bits long. -</li> -<li> -UNHANDLED MESSAGE is an array of byte (length is contained in UNHANDLED MESSAGE SIZE) -</li> -</ul> - -NB:<br/> -added UNHANDLED MESSAGE SIZE (development) -</p> -</subsection> - -<subsection name="Verification of connection before sending request"> -<p> -NOTA: This fonctionality may never be used, since it may slow up the normal process -since requiring on the web-server side an extra IO (read) before forwarding -the request..... - -One of the beauty of socket APIs, is that you could write on a half closed socket. -When servlet engine close the socket, the web server will discover it only at the -next read() to the socket. -Basically, in the AJP13 protocol, the web server send the HTTP HEADER and HTTP BODY -(POST by chunk of 8K) to the servlet engine and then try to receive the reply. -If the connection was broken the web server will learn it only at receive time. - -We could use a buffering scheme but what happen when you use the servlet engine -for upload operations with more than 8ko of datas ? - -The hack in the AJP13 protocol is to add some bytes to read after the end of the -service : - -<source> -EXAMPLE OF DISCUSSION BETWEEN WEB SERVER AND SERVLET ENGINE - -AJP HTTP-HEADER (+ HTTP-POST) (WEB->SERVLET) - -AJP HTTP-REPLY (SERVLET->WEB) - -AJP END OF DISCUSSION (SERVLET->WEB) - ----> AJP STATUS (SERVLET->WEB AJP13) -</source> - -The AJP STATUS will not be read by the servlet engine at the end of -the request/response #N but at the begining of the next session. - -More at that time the web server could also use OS dependants functions -(or better APR functions) to determine if there is also more data -to read. And that datas could be CONTEXT Updates. - -This will avoid the web server sending a request to a -desactivated context. In that case, if the load-balancing is used, -it will search for another servlet engine to handle the request. - -And that feature will help ISP and big sites with farm of tomcat, -to updates their servlet engine without any service interruption. - -<source> -+------------+-------------+ -| STATUS CMD | STATUS DATA | -+------------+-------------+ -</source> - -<ul> -<li> -STATUS CMD and STATUS DATA are one byte long. -</li> -</ul> -</p> -</subsection> - -</section> - -<section name="Conclusion"> -<p> -The goal of the extended AJP13 protocol is to overcome some of the original AJP13 limitation. -An easier configuration, a better support for large site and farm of Tomcat, -a simple authentification system and provision for protocol updates. - -Using the stable ajp13 implementation in JK (native) and in servlet -engine (java), it's a reasonable evolution of the well known ajp13. -</p> -</section> - -<section name="Commands and IDs in extended AJP13 Index"> -<p> -Index of Commands and ID to be added in AJP13 Protocol -</p> - -<subsection name="Commands IDs"> -<p> -<table> - <tr><th>Command Name</th><th>Command Number</th></tr> - <tr><td>AJP13_LOGINIT_CMD</td><td>0x10</td></tr> - <tr><td>AJP13_LOGSEED_CMD</td><td>0x11</td></tr> - <tr><td>AJP13_LOGCOMP_CMD</td><td>0x12</td></tr> - <tr><td>AJP13_LOGOK_CMD</td><td>0x13</td></tr> - <tr><td>AJP13_LOGNOK_CMD</td><td>0x14</td></tr> - <tr><td>AJP13_CONTEXT_QRY_CMD</td><td>0x15</td></tr> - <tr><td>AJP13_CONTEXT_INFO_CMD</td><td>0x16</td></tr> - <tr><td>AJP13_CONTEXT_UPDATE_CMD</td><td>0x17</td></tr> - <tr><td>AJP13_STATUS_CMD</td><td>0x18</td></tr> - <tr><td>AJP13_SHUTDOWN_CMD</td><td>0x19</td></tr> - <tr><td>AJP13_SHUTOK_CMD</td><td>0x1A</td></tr> - <tr><td>AJP13_SHUTNOK_CMD</td><td>0x1B</td></tr> - <tr><td>AJP13_CONTEXT_STATE_CMD</td><td>0x1C</td></tr> - <tr><td>AJP13_CONTEXT_STATE_REP_CMD</td><td>0x1D</td></tr> - <tr><td>AJP13_UNKNOW_PACKET_CMD</td><td>0x1E</td></tr> -</table> - -</p> -</subsection> - -<subsection name="Negociations Flags"> -<p> -<table> - <tr><th>Command Name</th><th>Number</th><th>Description</th></tr> - <tr><td>AJP13_CONTEXT_INFO_NEG</td><td>0x80000000</td><td>web-server want context info after login</td></tr> - <tr><td>AJP13_CONTEXT_UPDATE_NEG</td><td>0x40000000</td><td>web-server want context updates</td></tr> - <tr><td>AJP13_GZIP_STREAM_NEG</td><td>0x20000000</td><td>web-server want compressed stream</td></tr> - <tr><td>AJP13_DES56_STREAM_NEG</td><td>0x10000000</td><td>web-server want crypted DES56 stream with secret key</td></tr> - <tr><td>AJP13_SSL_VSERVER_NEG</td><td>0x08000000</td><td>Extended info on server SSL vars</td></tr> - <tr><td>AJP13_SSL_VCLIENT_NEG</td><td>0x04000000</td><td>Extended info on client SSL vars</td></tr> - <tr><td>AJP13_SSL_VCRYPTO_NEG</td><td>0x02000000</td><td>Extended info on crypto SSL vars</td></tr> - <tr><td>AJP13_SSL_VMISC_NEG</td><td>0x01000000</td><td>Extended info on misc SSL vars</td></tr> -</table> - -<br/> - -<table> - <tr><th>Negociation ID</th><th>Number</th><th>Description</th></tr> - <tr><td>AJP13_PROTO_SUPPORT_AJPXX_NEG</td><td>0x00FF0000</td><td>mask of protocol supported</td></tr> - <tr><td>AJP13_PROTO_SUPPORT_AJP13L1_NEG</td><td>0x00010000</td><td>communication could use AJP13 Level 1</td></tr> - <tr><td>AJP13_PROTO_SUPPORT_AJP13L2_NEG</td><td>0x00020000</td><td>communication could use AJP13 Level 2</td></tr> - <tr><td>AJP13_PROTO_SUPPORT_AJP13L3_NEG</td><td>0x00040000</td><td>communication could use AJP13 Level 3</td></tr> -</table> - -<br/> -All others flags must be set to 0 since they are reserved for future use. - -</p> -</subsection> - -<subsection name="Failure IDs"> -<p> -<table> - <tr><th>Failure Id</th><th>Number</th></tr> - <tr><td>AJP13_BAD_KEY_ERR</td><td>0xFFFFFFFF</td></tr> - <tr><td>AJP13_ENGINE_DOWN_ERR</td><td>0xFFFFFFFE</td></tr> - <tr><td>AJP13_RETRY_LATER_ERR</td><td>0xFFFFFFFD</td></tr> - <tr><td>AJP13_SHUT_AUTHOR_FAILED_ERR</td><td>0xFFFFFFFC</td></tr> -</table> -</p> -</subsection> - -<subsection name="Status"> -<p> -<table> - <tr><th>Failure Id</th><th>Number</th></tr> - <tr><td>AJP13_CONTEXT_DOWN</td><td>0x01</td></tr> - <tr><td>AJP13_CONTEXT_UP</td><td>0x02</td></tr> - <tr><td>AJP13_CONTEXT_OK</td><td>0x03</td></tr> -</table> -</p> -</subsection> - -</section> -</body> -</document> |