Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/11/26 12:52:10 UTC

[Bug 58655] New: IllegalStateException: calling HttpServletResponse#sendRedirect() with RemoteIpFilter

https://bz.apache.org/bugzilla/show_bug.cgi?id=58655

            Bug ID: 58655
           Summary: IllegalStateException: calling
                    HttpServletResponse#sendRedirect() with RemoteIpFilter
           Product: Tomcat 8
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: cristiklein@gmail.com

Created attachment 33299
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33299&action=edit
stacktrace of error

When calling `HttpServletResponse#sendRedirect()`, if `RemoteIpFilter` is in
use, an `IllegalStateException` is thrown (see attached stack-trace). 

The error stems from the way `RemoteIpFilter.XForwardedResponse` tries to
rewrite the 'Location' header. According to the servlet API, a response is
considered committed after calling `sendRequest()` and it is illegal to call
either `reset()` or another `sendRequest()` thereafter.

WORKAROUND:

Comment the code after `super.sendRedirect(location);`. However, this
effectively disables the `RemoteIpFilter` on the response path and makes the
server return a URL with an incorrect scheme.

[1] https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/filters/RemoteIpFilter.java#L679

[2] https://tomcat.apache.org/tomcat-8.0-doc/servletapi/index.html

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 58655] IllegalStateException: calling HttpServletResponse#sendRedirect() with RemoteIpFilter

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58655

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Thanks for the report.

This has been fixed in 9.0.x (for 9.0.0.M2), 8.0.x (for 8.0.30) and 7.0.x (for
7.0.67).

6.0.x was not affected.



[Bug 58655] IllegalStateException: calling HttpServletResponse#sendRedirect() with RemoteIpFilter

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58655

--- Comment #1 from Cristian Klein <cr...@gmail.com> ---
Forgot to mention, this bug is not triggered with Eclipse's servlet engine (I
think Jetty), but only occurs when the servlet is deployed on Tomcat.



[Bug 58655] IllegalStateException: calling HttpServletResponse#sendRedirect() with RemoteIpFilter

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58655

--- Comment #8 from Konstantin Kolinko <kn...@gmail.com> ---
Is there a reason why one uses RemoteIpFilter? There exists a RemoteIpValve
that can be used instead.

1. There are redirects that are performed before a request reaches the filter.
E.g. when using a FORM authentication (FormAuthenticator).

It cannot be solved by using a filter. One has to use RemoteIpValve here.


2. There is an edge case. It is allowed to call sendRedirect() with an absolute
URL. With a simple implementation (using relative redirects) it won't be
rewritten.

You have to bear with it (such calls are unlikely) or duplicate a lot of code
from o.a.c.connector.Response.sendRedirect() to implement this feature.



[Bug 58655] IllegalStateException: calling HttpServletResponse#sendRedirect() with RemoteIpFilter

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58655

--- Comment #4 from Cristian Klein <cr...@gmail.com> ---
Thanks for the fix. I'm not sure I understand how the fix helps. What line or
what mechanism rewrites the scheme from `http` to `https`?



[Bug 58655] IllegalStateException: calling HttpServletResponse#sendRedirect() with RemoteIpFilter

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58655

--- Comment #6 from Cristian Klein <cr...@gmail.com> ---
Are you sure this works? The "Location" header eventually has to contain the
absolute URL. [1] If this is left to the "non-RemoteIpFilter" code, wouldn't
the scheme be filled incorrectly?

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html



[Bug 58655] IllegalStateException: calling HttpServletResponse#sendRedirect() with RemoteIpFilter

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58655

--- Comment #9 from Cristian Klein <cr...@gmail.com> ---
I'm confused. I thought `RemoteIpValve` was deprecated in favour of
`RemoteIpFilter`. Otherwise, I feel they both serve the same purpose.



[Bug 58655] IllegalStateException: calling HttpServletResponse#sendRedirect() with RemoteIpFilter

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58655

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Using relative redirects (see bug 56917) should make this fixable.



[Bug 58655] IllegalStateException: calling HttpServletResponse#sendRedirect() with RemoteIpFilter

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58655

--- Comment #5 from Mark Thomas <ma...@apache.org> ---
The scheme isn't re-written. If you redirect using an absolute URI with a
specific scheme then that is what you get. If you want the scheme to be
"rewritten"/correct then use a relative redirect.

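The question in comments #4 and #6 and the answer in comment #5 come down to who resolves a relative `Location`: the client does, against the URL it requested, so the scheme it used is kept, while an absolute value is followed as written. An added example, not part of the thread or of Tomcat's code; the class name, host name and sample values are constructed, and it uses only `java.net.URI` from the JDK.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectSchemeCheck {

    /** Resolve a Location value the way a client does: against the URL it requested. */
    static URI followed(URI requested, String location) {
        return requested.resolve(location);
    }

    /** True when the client asked over https but following the redirect lands on http. */
    static boolean downgrades(URI requested, String location) {
        return "https".equalsIgnoreCase(requested.getScheme())
                && "http".equalsIgnoreCase(followed(requested, location).getScheme());
    }

    public static void main(String[] args) {
        // Constructed sample: the URL the browser used to reach the TLS-terminating proxy.
        URI requested = URI.create("https://shop.example.com/app/cart");

        // Constructed Location values, keyed by how the application produced them.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("relative, path-absolute", "/app/login");
        samples.put("relative, path-relative", "checkout?step=2");
        samples.put("absolute, http as seen behind the proxy", "http://shop.example.com/app/login");
        samples.put("absolute, https hard-coded", "https://shop.example.com/app/login");

        for (Map.Entry<String, String> sample : samples.entrySet()) {
            String location = sample.getValue();
            System.out.printf("%-40s %-36s -> %-44s %s%n",
                    sample.getKey(), location, followed(requested, location),
                    downgrades(requested, location) ? "DOWNGRADE" : "ok");
        }
    }
}
```

Only the absolute `http://` value is flagged; both relative forms resolve to `https` without anything on the server rewriting the scheme.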


[Bug 58655] IllegalStateException: calling HttpServletResponse#sendRedirect() with RemoteIpFilter

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58655

--- Comment #7 from Mark Thomas <ma...@apache.org> ---
RFC2616 is obsolete. See RFC7231.
