Jetty doesn't set the date header on error responses #9685
Comments
|
@markslater your analysis of the cause is indeed correct. We've been aware for a while that Now we have a choice between:
I think 2. is least change and probably the correct semantic for when to set the date header. @sbordet thoughts? |
|
Ah, we had already changed resetContent to only reset specific headers: case CONTENT_LENGTH:
case CONTENT_ENCODING:
case CONTENT_LANGUAGE:
case CONTENT_RANGE:
case CONTENT_MD5:
case CONTENT_LOCATION:
case TRANSFER_ENCODING:
case CACHE_CONTROL:
case LAST_MODIFIED:
case EXPIRES:
case ETAG:
case DATE:
case VARY:So why is I think that would be enough. I'm not sure we need to worry about applications that deliberately remove the Date header. |
resetContent does not reset Date Header Signed-off-by: gregw <[email protected]>
resetContent does not reset Date Header Signed-off-by: gregw <[email protected]>
|
This has been fixed in jetty 10,11 and the ee environments of 12. However, in the core APIs, there is only a response reset method that removes all headers. We probably need to modify that to restore (or not remove) any server provided headers. |
Merging #9685 to 12 broke the build as it turned out that the error handling was depending on the attempt to remove the Date header to detect if the response was already committed during a sendError. This fix makes the test for committed explicit, it also fixes which exception is passed to abort.
sendError checks for committed and throws ISE (as per spec javadoc)
Merging #9685 to 12 broke the build as it turned out that the error handling was depending on the attempt to remove the Date header to detect if the response was already committed during a sendError.
* Issue #9648 ServletApiResponse.sendError must check if already committed. * Fix #9685 merge to 12 Merging #9685 to 12 broke the build as it turned out that the error handling was depending on the attempt to remove the Date header to detect if the response was already committed during a sendError. This fix makes the test for committed explicit, it also fixes which exception is passed to abort. * Fix #9685 merge to 12 Merging #9685 to 12 broke the build as it turned out that the error handling was depending on the attempt to remove the Date header to detect if the response was already committed during a sendError. --------- Co-authored-by: Jan Bartel <[email protected]>
|
Closing as it is merged |
Jetty version(s)
11.0.15
Java version/vendor
(use: java -version)openjdk version "11.0.18" 2023-01-17
OpenJDK Runtime Environment (build 11.0.18+10-post-Ubuntu-0ubuntu120.04.1)
OpenJDK 64-Bit Server VM (build 11.0.18+10-post-Ubuntu-0ubuntu120.04.1, mixed mode, sharing)
OS type/version
Linux 5.4.0-147-generic
Description
Jetty's default error responses don't include the
dateheader, but RFC 9110 specifies that it's mandatory for an "origin server with a clock".How to reproduce?
Run the following class:
Navigate to http://localhost:8080 in a browser, and view the response headers. I get:
This appears to be caused by a call to
Response.resetContent()in the default error handling flow, which erases thedateheader that had previously been set byHttpChannel.onRequest(MetaData.Request).The text was updated successfully, but these errors were encountered: