Hi! Thx for looking into this :-) On the associated PR, I wondered if checking for an specific, custom, header with the appropriate value for the absolute url would be the way to go, due to uncovered corner cases if we check for "known" headers.
On a second thought, I'm more comfortable if we follow your approach: corner cases with known headers can be solved with the same configuration needed if we go through the custom header route; plus, setting up known headers will raise less eyebrows than setting some app-specific stuff on the web server. Cheers, juan pablo El mar, 3 oct 2023, 20:04, Arturo Bernal <aber...@apache.org> escribió: > HI, > > Maybe we should consider extending the URL construction logic to include > checks for the X-Forwarded-Server header, in addition to X-Forwarded-Host > and X-Forwarded-Proto. This would offer a more comprehensive way to > determine the original server and scheme, particularly in scenarios where > the application is behind a proxy. > > What are your thoughts on this approach? > > Arturo > > > On Tue, Oct 3, 2023 at 6:41 PM Arturo Bernal <aber...@apache.org> wrote: > > > Hi Team, > > > > I hope this email finds you well. I am writing to open a discussion on > the > > issue JSPWIKI-1056 <https://issues.apache.org/jira/browse/JSPWIKI-1056>, > > which concerns the generation of relative URLs in email notifications > sent > > after user registration. > > > > As some of you may know, the emails currently contain relative URLs due > to > > changes in JSPWIKI-1035 > > <https://issues.apache.org/jira/browse/JSPWIKI-1035>. I have submitted a > > pull request (PR #311 <https://github.com/apache/jspwiki/pull/311>) that > > aims to address this by generating absolute URLs. The PR introduces > utility > > methods in HttpUtil for this purpose. > > > > However, there are concerns about how this approach handles different > > deployment scenarios, especially when JSPWiki installations are behind a > > web server like Apache. The issue is that using HttpServletRequest to > > generate the URL could expose internal URLs, which is not intended. > > > > I would like to invite your thoughts on how best to tackle this issue. > > Some options include: > > > > 1. Checking for specific headers that might contain the "external" > > IP/domain. > > 2. Introducing a new configuration option to set the base URL > > explicitly. > > > > I look forward to your input on this matter. Your expertise and insights > > would be invaluable in finding the most robust and flexible solution. > > > > Best regards, > > > > Arturo > > >
