[ https://issues.apache.org/jira/browse/TINKERPOP-2480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17637968#comment-17637968 ]
ASF GitHub Bot commented on TINKERPOP-2480:
-------------------------------------------
cole-bq commented on code in PR #1838:
URL: https://github.com/apache/tinkerpop/pull/1838#discussion_r1030821110
##########
gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/channel/WebSocketChannelizer.java:
##########
@@ -108,7 +109,7 @@ public void configure(final ChannelPipeline pipeline) {
closeOnProtocolViolation(false).allowExtensions(true).maxFramePayloadLength(settings.maxContentLength).build();
pipeline.addLast(PIPELINE_REQUEST_HANDLER, new
WebSocketServerProtocolHandler(GREMLIN_ENDPOINT,
null, false, false, 10000L, wsDecoderConfig));
-
+ pipeline.addLast("ws-user-agent-handler", new WsUserAgentHandler());
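Review bot: The added `pipeline.addLast("ws-user-agent-handler", new WsUserAgentHandler());` line names the handler with an inline string literal, while the preceding `addLast` call uses the `PIPELINE_REQUEST_HANDLER` constant. Suggest declaring a named constant for this handler in the same way, so that any code that looks up, reorders or removes it by name does not repeat the string. The new handler is also registered directly after the `WebSocketServerProtocolHandler`; a one-line comment saying whether that position matters would document the ordering for later readers, and the blank line this change removes could be kept after the new call to separate it from the code that follows.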
Review Comment:
Unfortunately in my tests, the user agent handler always triggers before the
authentication handler regardless of the order the handlers are added to the
pipeline. This is the order of events as I understand it:
The handshake is completely controlled by Netty's
`WebSocketServerProtocolHandler`. When the handshake is completed, that handler
fires off a `WebSocketServerProtocolHandler.HandshakeComplete` event which
contains the request headers with the user agent. This event is the only
reasonable place I am aware of that the user agent can be extracted. After this
event has fired, the handshake is complete and the connection has been
successfully upgraded to a web socket connection. The authentication and
authorization handlers then do their work by exchanging messages with the
client through the open web socket connection. This cannot be done until after
the web socket has been established.
I don't see any good way to delay the user agent handler from triggering
until after authentication. We will need to rely on the maxHeaderSize config
limiting the size of any incoming header. I have added a change which imposes a
hard limit of 10000 to the number of unique user agents being added to the
metrics to protect against a malicious user trying to fill memory with millions
of garbage user agents.
> User agent for Gremlin drivers
> ------------------------------
>
> Key: TINKERPOP-2480
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2480
> Project: TinkerPop
> Issue Type: Improvement
> Components: driver, server
> Affects Versions: 3.4.8
> Reporter: Divij Vaidya
> Priority: Minor
>
> Currently, a server does not distinguish amongst the different types of
> clients connecting to it. This issue is to add a new feature to add user
> agent field in the HTTP and WebSocket request header which could be used to
> identify the specific client from which the request was made.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
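The hard cap on unique user agents described in the review comment above, sketched as an added example; it is not code from the pull request or from TinkerPop. The class name, the `other` overflow bucket, the `unknown` placeholder and the 256-character key bound are assumptions made for illustration; only the 10000 limit comes from the comment.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.LongAdder;

/** Hypothetical illustration of a cardinality-bounded user-agent metric. */
public class BoundedUserAgentCounter {
    static final int MAX_UNIQUE_AGENTS = 10000; // hard limit stated in the review comment
    static final int MAX_KEY_LENGTH = 256;      // assumption: per-key bound on top of maxHeaderSize
    static final String OVERFLOW_KEY = "other"; // assumption: shared bucket once the cap is hit

    private final Map<String, LongAdder> counts = new ConcurrentHashMap<>();

    /** Records one handshake and returns the key the count was stored under. */
    public String record(String userAgent) {
        String key = normalize(userAgent);
        LongAdder counter = counts.get(key);
        if (counter == null) {
            // Admit new keys under a lock so concurrent handshakes cannot
            // push the map past the cap between the size check and the insert.
            synchronized (counts) {
                if (!counts.containsKey(key) && counts.size() >= MAX_UNIQUE_AGENTS) {
                    key = OVERFLOW_KEY; // map holds at most MAX_UNIQUE_AGENTS + 1 keys
                }
                counter = counts.computeIfAbsent(key, k -> new LongAdder());
            }
        }
        counter.increment();
        return key;
    }

    /** The header is client-controlled and read before authentication, so bound and clean it. */
    static String normalize(String userAgent) {
        if (userAgent == null || userAgent.trim().isEmpty()) {
            return "unknown";
        }
        String printable = userAgent.replaceAll("[^\\x20-\\x7E]", "?");
        return printable.length() > MAX_KEY_LENGTH
                ? printable.substring(0, MAX_KEY_LENGTH) : printable;
    }

    public static void main(String[] args) {
        BoundedUserAgentCounter counter = new BoundedUserAgentCounter();
        counter.record("constructed-driver/1.0");   // constructed sample value
        for (int i = 0; i < 50000; i++) {
            counter.record("garbage-" + i);         // constructed flood of unique values
        }
        System.out.println("distinct keys: " + counter.counts.size());
        System.out.println("overflow hits: " + counter.counts.get(OVERFLOW_KEY).sum());
    }
}
```

Folding late arrivals into one bucket keeps the total connection count accurate while the number of metric keys stays fixed, whatever the client sends.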