
How to migrate from legacy compliance mode

Open dudaerich opened this issue 9 months ago • 4 comments

Jetty Version 12.0.9

Jetty Environment ee8

Java Version 21

Question

Hi community, I would like to ask a question about Jetty compliance mode. We are in a situation where we use legacy compliance mode for URIs and Cookies, as it was easier for us to be backward compatible when we moved our application into Jetty. We are trying to figure out how to move on from this state.

In the first step, we would like to identify requests with violations and only log them so we can investigate the origin of the requests and fix it. ComplianceViolation.Listener seems to be a great fit for this use case, but it catches only violations not present in compliance mode. So we cannot be backward compatible and at the same time log the violations.

It would help us if the ComplianceViolation.Listener was invoked even if the violation is present in the compliance mode. What do you think?

dudaerich (Feb 19 '25 17:02)

I would think that while you are in legacy modes, use the ComplianceViolation.Listener and capture where things are triggering the violations.

Make note of those violations and then work on producing the requests in a way that those violations do not trigger anymore. Once you reach that point, it's safe to turn off the legacy modes and go back to standard.

joakime (Feb 19 '25 17:02)

The problem is that while we are in legacy modes, the ComplianceViolation.Listener is not invoked - see https://github.com/jetty/jetty.project/blob/61f773643ee366a52097d02a486696496560f820/jetty-core/jetty-http/src/main/java/org/eclipse/jetty/http/UriCompliance.java#L429C1-L452C6

The listener is invoked only if !compliance.allows(violation).

dudaerich (Feb 19 '25 17:02)

> The listener is invoked only if !compliance.allows(violation).

Yeah, that's a bug. Fixing it now.

joakime (Feb 19 '25 17:02)

I can see that the PR with the fix has been on hold since March. What's the plan with this issue? Thank you.

dudaerich (May 15 '25 08:05)
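
An added example, not code from the Jetty project or from either participant: a `ComplianceViolation.Listener` of the kind discussed in this thread that counts each reported violation and logs its details for later investigation. The class name `ViolationAuditListener` and its `sanitize`, `snapshot` and `install` helpers are assumptions; as the thread notes, on the reporter's version the listener is invoked only for violations the configured mode does not allow.

```java
import java.util.Map;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.LongAdder;
import org.eclipse.jetty.http.ComplianceViolation;
import org.eclipse.jetty.server.HttpConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical class (not part of Jetty): counts and logs reported violations.
public class ViolationAuditListener implements ComplianceViolation.Listener
{
    private static final Logger LOG = LoggerFactory.getLogger(ViolationAuditListener.class);
    // "<mode>/<violation>" -> times reported; requests are handled concurrently.
    private final Map<String, LongAdder> counts = new ConcurrentHashMap<>();

    @Override
    public void onComplianceViolation(ComplianceViolation.Event event)
    {
        String key = event.mode().getName() + "/" + event.violation().getName();
        counts.computeIfAbsent(key, k -> new LongAdder()).increment();
        LOG.warn("compliance violation {} ({}): {}", key,
            event.violation().getDescription(), sanitize(event.details()));
    }

    // Details echo request data (URI or cookie text): strip control chars, cap length.
    static String sanitize(String details)
    {
        if (details == null) return "";
        String clean = details.replaceAll("\\p{Cntrl}", "?");
        return clean.length() > 200 ? clean.substring(0, 200) + "..." : clean;
    }

    // Sorted snapshot for a periodic report of which violations still occur.
    public Map<String, Long> snapshot()
    {
        Map<String, Long> out = new TreeMap<>();
        counts.forEach((k, v) -> out.put(k, v.sum()));
        return out;
    }

    // Register on the HttpConfiguration used by the connector's HttpConnectionFactory.
    public static ViolationAuditListener install(HttpConfiguration httpConfig)
    {
        ViolationAuditListener listener = new ViolationAuditListener();
        httpConfig.addComplianceViolationListener(listener);
        return listener;
    }
}
```

When `snapshot()` stays empty for a violation over a representative traffic window, that violation is a candidate for removal from the allowed set.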