[Bug 56555] New: Multiple connection headers for status 400 when "keep-alive" is specified

[bugzilla]

https://issues.apache.org/bugzilla/show_bug.cgi?id=56555

            Bug ID: 56555
           Summary: Multiple connection headers for status 400 when
                    "keep-alive" is specified
           Product: Tomcat 7
           Version: 7.0.53
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: lee.br...@gmail.com

Background/Expected Behavior:
Our application is a RESTful web service, we return error responses with status
code 400 in situations, like for example when a POST to access a request token
contains a valid username but invalid password.  In such cases we return a
specific error message, and we would not like to have the TCP connection closed
(SSL Handshake is very expensive).  In these cases, if we add the header
"Connection: keep-alive" to our outgoing response the assumption is that it
will be honored by the container.  This does not appear to be the case.  

Actual Behavior:
In the above situation, what actually happens is that two Connection headers
are added to the response.  The first, with a value of "keep-alive" from my
exception handler in the application, and the second, with a value of "close"
added by the container.

Analysis:
Looking into the tomcat code, specifically, We can see the following:
--Begin code snippet from AbstractHttp11Processor (lines: 1513-1524)--
        // If we know that the request is bad this early, add the
        // Connection: close header.
        keepAlive = keepAlive && !statusDropsConnection(statusCode);
        if (!keepAlive) {
            // Avoid adding the close header twice
            if (!connectionClosePresent) {
                headers.addValue(Constants.CONNECTION).setString(
                        Constants.CLOSE);
            }
        } else if (!http11 && !error) {
           
headers.addValue(Constants.CONNECTION).setString(Constants.KEEPALIVE);
        }
--End code snippet--

The value for connectionClosePresent comes from the following:
--Begin code snippet from AbstractHttp11Processor (lines: 1546-1552)--
    private boolean isConnectionClose(MimeHeaders headers) {
        MessageBytes connection = headers.getValue(Constants.CONNECTION);
        if (connection == null) {
            return false;
        }
        return connection.equals(Constants.CLOSE);
    }
--End code snippet--

This code only checks for a "Connection: close" header, not for the presence of
a Connection header already.  Should the code from line 1518 ('if
(!connectionClosePresent)') not also check for the presence of a Connection
header to avoid adding multiple conflicting entries, not just duplicate
entries?

Thanks in advance!

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org