Author: hansbak
Date: Mon Jan 10 08:26:04 2011
New Revision: 1057115
URL: http://svn.apache.org/viewvc?rev=1057115&view=rev
Log:
When a load balancer is in front of the OFBiz system and takes care of the SSL
certificate, OFBiz is now reading the Header[X-Forwarded-Proto] parameters to
check if the request was secure or not. It still works the old way if these
request parameters are not present.
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1057115&r1=1057114&r2=1057115&view=diff
==============================================================================
---
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
(original)
+++
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
Mon Jan 10 08:26:04 2011
@@ -183,7 +183,9 @@ public class RequestHandler {
}
boolean forceHttpSession =
"true".equals(context.getInitParameter("forceHttpSession"));
// Check if we SHOULD be secure and are not.
- if (!request.isSecure() && requestMap.securityHttps) {
+ String forwardedProto = request.getHeader("X-Forwarded-Proto");
+ boolean isForwardedSecure =
UtilValidate.isNotEmpty(forwardedProto) &&
"HTTPS".equals(forwardedProto.toUpperCase());
+ if ((!request.isSecure() && !isForwardedSecure) &&
requestMap.securityHttps) {
// If the request method was POST then return an error to
avoid problems with XSRF where the request may have come from another
machine/program and had the same session ID but was not encrypted as it should
have been (we used to let it pass to not lose data since it was too late to
protect that data anyway)
if (request.getMethod().equalsIgnoreCase("POST")) {
// we can't redirect with the body parameters, and for
better security from XSRF, just return an error message
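Review bot: the new isForwardedSecure check trusts the X-Forwarded-Proto header regardless of where the request came from, so if the servlet container is reachable over plain HTTP without going through the load balancer, a request carrying that header is treated as secure and the requestMap.securityHttps enforcement (including the POST rejection that follows) no longer applies. The check should be enabled only when the deployment says a trusted proxy is in front, for example via a context init parameter read next to forceHttpSession, or by additionally verifying request.getRemoteAddr() against the configured load balancer address, and the old behaviour should remain when that is not enabled. Two smaller points: `"HTTPS".equals(forwardedProto.toUpperCase())` is better written as `"https".equalsIgnoreCase(forwardedProto)` (toUpperCase() without a Locale is locale-sensitive), and with more than one proxy in the chain the header can arrive as a comma-separated list, so an exact match would fail where comparing the first value would not.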