[PREVIEW]  Modify ajp-listener to allow specifying pattern for ajp request attributes

In  undertow

Overview

Since UNDERTOW-1667, permission to parse additional AJP request attributes can be set via an env variable. However, there is no way to set it in the WFLY config/model. The goal of this RFE is to make that possible.

Issue Metadata

Issue

Stability Level

  • Experimental

  • [X] Preview

  • Community

  • default

Dev Contacts

QE Contacts

Testing By

  • Engineering

  • [X] QE

Affected Projects or Components

  • undertow

Other Interested Projects

Relevant Installation Types

  • Traditional standalone server (unzipped or provisioned by Galleon)

  • Managed domain

  • OpenShift s2i

  • Bootable jar

Requirements

Hard Requirements

  • Being able to configure the pattern via model/xml.

    <subsystem xmlns="urn:jboss:domain:undertow:14.0" default-server="some-server" default-servlet-container="myContainer" default-virtual-host="default-virtual-host" instance-id="some-id" statistics-enabled="true">
       ...
       <server default-host="other-host" name="some-server" servlet-container="myContainer">
          ...
          <ajp-listener ...  allowed_request_attr_pattern="(?:apple|banana)"  .../>
          ...
       </server>
       ...
    </subsystem>

Parameters will be present in the undertow server element (for standalone: /subsystem=undertow/server=default-server/ajp-listener=myListener):

  • allowed_request_attr_pattern
    Default: null
    Type: String (regex - java.util.regex.Pattern)
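Because the value is a java.util.regex.Pattern, a candidate pattern can be checked before it goes into the model. The following is an added example, not code from Undertow or WildFly: the class name, the sample attribute names other than those in the page's pattern, and the assumption that the listener requires a full match of the attribute name are all illustrative.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added example (hypothetical class): audits a candidate allowed_request_attr_pattern value.
public class AjpAttrPatternCheck {

    // Constructed sample names. EXPECTED are the attributes the deployment relies on;
    // UNEXPECTED are names a narrowly scoped pattern should refuse.
    static final List<String> EXPECTED = List.of("apple", "banana");
    static final List<String> UNEXPECTED = List.of("apples", "xbanana", "", "cherry");

    // Assumption: an attribute is accepted only when the whole name matches
    // (Matcher.matches() semantics, not find()).
    static boolean allows(Pattern p, String name) {
        return p.matcher(name).matches();
    }

    // Returns the list of problems found; an empty list means the pattern
    // accepts every expected name and none of the unexpected ones.
    static List<String> audit(String regex) {
        List<String> problems = new ArrayList<>();
        Pattern p;
        try {
            p = Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            problems.add("invalid regex: " + e.getDescription());
            return problems;
        }
        for (String n : EXPECTED) {
            if (!allows(p, n)) problems.add("rejects expected attribute '" + n + "'");
        }
        for (String n : UNEXPECTED) {
            if (allows(p, n)) problems.add("allows unexpected attribute '" + n + "'");
        }
        return problems;
    }

    public static void main(String[] args) {
        // The page's pattern first, then constructed over-broad and malformed variants.
        for (String regex : List.of("(?:apple|banana)", ".*", "(?:apple|banana).*", "(?:apple|banana")) {
            List<String> problems = audit(regex);
            System.out.println(regex + " -> " + (problems.isEmpty() ? "OK" : problems));
        }
    }
}
```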

Nice-to-Have Requirements

Non-Requirements

Backwards Compatibility

Possibly. Subsystem transformers should be able to handle it.

Default Configuration

No change.

Importing Existing Configuration

No steps should be needed, as an existing configuration would default to 'null', which is the default value in the undertow source.

Deployments

Not affected.

Interoperability

Not affected.

Implementation Plan

Done.

Security Considerations

Possibly. UNDERTOW-1667 is a CVE, so this RFE should be documented well, in order to warn users of potential exposure.

Test Plan

Unit tests should cover the new functionality (there is already a test case covering AjpListener).

Community Documentation

A task for WFLY documentation already exists - WFLY-15453. However, this is a model change and there is a generated model reference doc, so it's unclear which approach is better.

Release Note Content

Allow configuration of AJP request attribute pattern with model entry, rather than only via system property.