Posted to dev@lenya.apache.org by bu...@apache.org on 2007/10/12 17:50:24 UTC
DO NOT REPLY [Bug 43613] New: - SslRedirectAction produces a "redirect" loop
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43613>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43613
Summary: SslRedirectAction produces a "redirect" loop
Product: Lenya
Version: 2.0
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P2
Component: Miscellaneous
AssignedTo: dev@lenya.apache.org
ReportedBy: jann.forrer@id.unizh.ch
Assume the following proxy settings:
<proxy area="live" ssl="true" url="https://www.example.org"/>
<proxy area="live" ssl="false" url="http://www.example.org"/>
A request for http://www.example.org/secure.html (where secure is ssl
protected) is redirected to https://www.example.org/secure.html. This request
is again redirected to https://www.example.org/secure.html by the
SslRedirectAction and so on ......
I checked in a fix:
Index: SslRedirectAction.java
===================================================================
--- SslRedirectAction.java (revision 584054)
+++ SslRedirectAction.java (working copy)
@@ -74,7 +74,7 @@
PolicyManager policyManager = accessController.getPolicyManager();
Policy policy =
policyManager.getPolicy(accessController.getAccreditableManager(),
url);
- if (policy.isSSLProtected()) {
+ if (policy.isSSLProtected() &&
!request.getScheme().equals("https")) {
Session session = RepositoryUtil.getSession(this.manager,
request);
LinkRewriter rewriter = new
OutgoingLinkRewriter(this.manager, session, url,
false, true, false);
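Review bot: The added condition `!request.getScheme().equals("https")` on the `policy.isSSLProtected()` line makes the loop fix depend on the scheme string the servlet container reports for the request. When the container only ever sees "http" for a request the client made over https, the condition stays true and the redirect is sent again on every request, so the loop is not removed in that setup. Consider `request.isSecure()` in place of the string comparison, or at least write `"https".equals(request.getScheme())` so a null scheme cannot throw, and note in a comment that the container must see the secure scheme for SSL-protected areas.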
assuming that if the scheme is already https there is no need to redirect again.
Maybe someone has a better solution for that problem.
BTW I am not sure what happens if we use mod_proxy on a frontend apache server
which does not redirect to tomcat using https??
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org
------- Additional Comments From andreas@apache.org 2007-10-26 06:09 -------
(In reply to comment #1)
> (In reply to comment #0)
> > BTW I am not sure what happens if we use mod_proxy on a frontend apache server
> > which does not redirect to tomcat using https??
>
> I guess then the redirect will fail.
That was bad wording, what I meant was that Lenya won't be informed that the
https protocol is used, and the redirect won't be issued. A workaround might be
to use an "isSecure" session attribute or something like that.
------- Additional Comments From jann.forrer@id.unizh.ch 2007-10-26 07:46 -------
As far as I know you have to proxy to https as described in my last comment and
set: SSLProxyEngine On
I did not find another solution.
We can update the docu in Freiburg or I will do it after the meeting and then close
the bug.
------- Additional Comments From jann.forrer@id.unizh.ch 2007-10-26 07:17 -------
If you want to use mod_proxy instead, then you have to proxy via https like:
ProxyRequests Off
RewriteEngine On
SSLProxyEngine On
.....
.....
RewriteRule ^/(.*) https://localhost:8443/lenya/unitemplate/live/$1 [P]
ProxyPassReverse / https://localhost:8443/
BTW a session attribute is not enough. That works only the first time a user
tries to access a ssl-page. If he tries to access another ssl-page via http the
session attribute is set and he could access the site via http :-(
Shall we leave the bug open until we have the documentation ready?
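The redirect behaviour discussed in this thread, as an added example that is not part of the original messages and not Lenya or Cocoon code: a stand-alone Java model that compares the pre-patch check, the scheme check from the patch, and the session-attribute workaround, for a backend that sees the client's real scheme and for one that only ever sees plain HTTP. All class, method and variable names are hypothetical, and the assumption that a TLS-terminating front end forwards plain HTTP is marked in the code.

```java
import java.util.HashSet;
import java.util.Set;

// Added illustration: a model of the redirect decision, not Lenya or Cocoon code.
public class SslRedirectModel {

    enum Check { ORIGINAL, SCHEME, SESSION_FLAG }

    // Sessions that already went through one redirect (the "isSecure" attribute idea).
    static final Set<String> FLAGGED = new HashSet<>();

    // True when the action would redirect a request for an SSL-protected page.
    static boolean redirects(Check check, String schemeSeenByBackend, String session) {
        switch (check) {
            case ORIGINAL:
                return true;                                  // before the patch
            case SCHEME:
                return !"https".equals(schemeSeenByBackend);  // the patched condition
            default:
                return FLAGGED.add(session);                  // redirect once, then trust the flag
        }
    }

    // Follows redirects for one request to a protected page, giving up after 5 hops.
    static String fetch(Check check, boolean tlsEndsAtProxy, String clientScheme, String session) {
        for (int hop = 0; hop < 5; hop++) {
            // Assumption: a TLS-terminating front end forwards plain HTTP to the backend.
            String seen = tlsEndsAtProxy ? "http" : clientScheme;
            if (!redirects(check, seen, session)) {
                return "served over " + clientScheme;
            }
            clientScheme = "https";                           // client follows the redirect
        }
        return "redirect loop";
    }

    public static void main(String[] args) {
        for (Check check : Check.values()) {
            for (boolean tlsEndsAtProxy : new boolean[] {false, true}) {
                FLAGGED.clear();
                // Two requests in the same session, both starting on plain http.
                String first = fetch(check, tlsEndsAtProxy, "http", "s1");
                String second = fetch(check, tlsEndsAtProxy, "http", "s1");
                System.out.printf("%-12s tlsEndsAtProxy=%-5b first=%s, second=%s%n",
                        check, tlsEndsAtProxy, first, second);
            }
        }
    }
}
```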
------- Additional Comments From jann.forrer@id.unizh.ch 2008-01-29 02:25 -------
Forgot that bug :-(
I will update the docu after Thursday. As I said, the only solution I see at the
moment is to proxy to https for secure connections. You have to be aware of
this if you set up your system (which is not that nice).
------- Additional Comments From andreas@apache.org 2007-10-26 06:07 -------
(In reply to comment #0)
> + if (policy.isSSLProtected() &&
> !request.getScheme().equals("https")) {
Maybe we could use request.isSecure()?
> BTW I am not sure what happens if we use mod_proxy on a frontend apache server
> which does not redirect to tomcat using https??
I guess then the redirect will fail. It should work with mod_proxy_ajp though.
I'll give it a try.
------- Additional Comments From andreas@apache.org 2007-10-26 07:36 -------
(In reply to comment #4)
> If you want to use mod_proxy instead, then you have to proxy via https like:
>
> ProxyRequests Off
> RewriteEngine On
> SSLProxyEngine On
> .....
> .....
> RewriteRule ^/(.*) https://localhost:8443/lenya/unitemplate/live/$1 [P]
> ProxyPassReverse / https://localhost:8443/
>
> BTW a session attribute is not enough. That works only the first time a user
> tries to access a ssl-page. If he tries to access another ssl-page via http the
> session attribute is set and he could access the site via http :-(
You're right, this wouldn't help. Is there any way to achieve this behaviour
with plain mod_proxy?
> Shall we leave the bug open until we have the documentation ready?
Sure. Would you mind taking a look at the docs and update them if necessary?
http://lenya.zones.apache.org/docu/docs/2_0_x/tutorials/proxy/proxy.html
Maybe we can do this together in Freiburg.
------- Additional Comments From andreas@apache.org 2007-10-26 06:40 -------
(In reply to comment #1)
> (In reply to comment #0)
>
> > + if (policy.isSSLProtected() &&
> > !request.getScheme().equals("https")) {
>
> Maybe we could use request.isSecure()?
Done, it works with mod_proxy_ajp.
Can we close this issue?
------- Additional Comments From andreas@apache.org 2008-01-28 09:21 -------
Jann, is there any news about this issue?