You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@felix.apache.org by "Carsten Ziegeler (JIRA)" <ji...@apache.org> on 2016/08/22 12:35:20 UTC

[jira] [Commented] (FELIX-5309) SslFilter: sendRedirect does not support deliberate protocol changes on the current host

    [ https://issues.apache.org/jira/browse/FELIX-5309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15430666#comment-15430666 ] 

Carsten Ziegeler commented on FELIX-5309:
-----------------------------------------

FELIX-4420 originally was implemented by overwriting setHeader, it seems that has changed to overwrite both setHeader and sendRedirect.
I think it still makes sense to overwrite both and apply the same logic. If setHeader is called with a relative path, its better to make it absolute using the correct protocol.

Now I agree that if sendRedirect or setHeader is called with an absolute path, no rewriting should happen. I don't know why the rewriting is done nevertheless. I assume, it's because of the initial version relying on sendRedirect calling setHeader

> SslFilter: sendRedirect does not support deliberate protocol changes on the current host
> ----------------------------------------------------------------------------------------
>
>                 Key: FELIX-5309
>                 URL: https://issues.apache.org/jira/browse/FELIX-5309
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>    Affects Versions: http.sslfilter-1.0.6
>            Reporter: Konrad Windszus
>
> Consider the case where application A and B are running under the same domain example.com. A is served by an Apache Felix (below https://example.com/A) and only supports HTTPS (being terminated e.g. by a LoadBalancer in front). B is served by some other application server (below https://example.com/B) and only supports HTTP.
> Now I create a link from A towards B with {{HttpServletResponse.sendRedirect("http://example.com/B/somepath")}}.
> This URL is automatically converted by the SslFilter to {{https://example.com/B/somepath}} which is clearly not intended.
> I think the sendRedirect(...) implementation of the SSLFilter from FELIX-4420 is way too aggressive, because it will also rewrite absolute URIs already containing a scheme.
> Actually absolute URIs should never been rewritten by that filter, only relative ones (starting with a "/").



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)