[
https://issues.apache.org/jira/browse/FELIX-5309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15432304#comment-15432304
]
Konrad Windszus edited comment on FELIX-5309 at 8/23/16 7:35 AM:
-----------------------------------------------------------------
The patch looks good to me. Maybe we should extend the javadoc of
{{sendRedirect}} and {{setHeader}} as well telling under which circumstances
somethings gets rewritten (although probably not too many people will look at
the javadoc of the response being set by the filter). I agree that introducing
a property to configure the behavior of absolute URLs is probably the safest
way. What do you think about a label like "Keep schema of absolute redirect
URLs" with a value of {{false}} as the default?
was (Author: kwin):
The patch looks good to me. Maybe we should extend the javadoc of
{{sendRedirect}} and {{setHeader}} as well telling under which circumstances
somethings gets rewritten (although probably not too many people will look at
the javadoc of the response being set by the filter). I agree that introducing
a property to configure the behavior of absolute URLs is probably the safest
way. What do you think about a label like "Do not rewrite absolute redirect
URLs" with a value of {{false}} as the default?
> SslFilter: sendRedirect does not support deliberate protocol changes on the
> current host
> ----------------------------------------------------------------------------------------
>
> Key: FELIX-5309
> URL: https://issues.apache.org/jira/browse/FELIX-5309
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Affects Versions: http.sslfilter-1.0.6
> Reporter: Konrad Windszus
> Attachments: patch.txt
>
>
> Consider the case where application A and B are running under the same domain
> example.com. A is served by an Apache Felix (below https://example.com/A) and
> only supports HTTPS (being terminated e.g. by a LoadBalancer in front). B is
> served by some other application server (below https://example.com/B) and
> only supports HTTP.
> Now I create a link from A towards B with
> {{HttpServletResponse.sendRedirect("http://example.com/B/somepath";)}}.
> This URL is automatically converted by the SslFilter to
> {{https://example.com/B/somepath}} which is clearly not intended.
> I think the sendRedirect(...) implementation of the SSLFilter from FELIX-4420
> is way too aggressive, because it will also rewrite absolute URIs already
> containing a scheme.
> Actually absolute URIs should never been rewritten by that filter, only
> relative ones (starting with a "/").
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
