dd-trace-java
Implement blocking servlet/tomcat/jetty
Implements blocking behavior for servlet/tomcat/jetty. Blocking means a fixed error response is sent and request handling is skipped.
Can only be merged after changes in the WAF/default AppSec configuration. Right now, the system tests cannot pass because the WAF returns a blocking instruction and the system tests expect no blocking.
I can see usage of span.markForBlocking() in case of:
- reading/parsing URL
- reading http headers
- reading socket address
but I can't see such blocking ability for:
- http response (we have few rules that check server.response.status)
- parsing request body
Was it skipped intentionally?
I can see usage of IGSpanInfo.isToBeBlocked() as a blocking indicator for Servlet/Tomcat/Undertow, but not for Jetty. I don't really understand how is Jetty aware about blocking?
I can see usage of span.markForBlocking() in case of:
- reading/parsing URL
- reading http headers
- reading socket address
but I can't see such blocking ability for:
- http response (we have few rules that check server.response.status)
- parsing request body
Was it skipped intentionally?
Yes, it was skipped intentionally. IIRC, the plan is to first only block on IP addresses, and then only on users.
I can see usage of IGSpanInfo.isToBeBlocked() as a blocking indicator for Servlet/Tomcat/Undertow, but not for Jetty. I don't really understand how is Jetty aware about blocking?
It is used for Jetty. See https://github.com/DataDog/dd-trace-java/pull/3701/files#diff-8d4f557f90cc211125aed1eaf1c1232fec4a1b9be60e96959e77098f08add2a9R76-R81