Hi,

On Wed, Feb 27, 2019 at 10:00 PM Chris Colman <chr...@stepaheadsoftware.com>
wrote:

> Hi Martin,
>
> Does this patch address the loss of URL encoding when redirecting to an
> external URL or is this just to avoid the CORS error when invoking
> RedirectToUrlException from an Ajax request?
>
> I guess using SC_SEE_OTHER is an adequate workaround but it may not be
> obvious to other devs why the premature URL decoding occurs when using
> the RedirectToUrlException constructor that only takes the URL.
>

The decoding happens because of the "Url.parse(CharSequence)" call.
The logic in ServletWebResponse#sendRedirect() needs to construct an
absolute url before passing it to the web container (Tomcat, Jetty).
It needs to pass an absolute url because of Microsoft Internet Explorer :-/
There is/was a bug in IE where it didn't follow relative urls in the response
header "Location".
To be able to tell whether the url is absolute or relative Wicket needs to
parse it, and thus - decode it. If it is relative it makes the proper
calculations to make it an absolute one.

Only MOVED_TEMPORARILY could be relative. MOVED_PERMANENTLY and SEE_OTHER
are always considered as external/absolute urls so Wicket does not try to
encode them. Here by encoding one should understand "add ;jsessionid=asdf"
to the url if session tracking via cookies is disabled for some reason.


> Regards,
> Chris
>
> > -----Original Message-----
> > From: Martin Grigorov [mailto:mgrigo...@apache.org]
> > Sent: Thursday, 28 February 2019 6:46 AM
> > To: users@wicket.apache.org
> > Subject: Re: Undesirable decoding of URL encoded external URL using
> > RedirectToUrlException
> >
> > https://issues.apache.org/jira/browse/WICKET-6638
> >
> > Wicket 6.x receives only security related fixes and this one doesn't
> > count as such.
> > You will have to use HttpServletResponse in your application.
> >
> > On Wed, Feb 27, 2019 at 9:09 PM Chris Colman
> > <chr...@stepaheadsoftware.com>
> > wrote:
> >
> > > The code that is removing the encoding is in ServletWebResponse:
> > >
> > > >     public void sendRedirect(String url) {
> > > >         try {
> > > >             this.redirect = true;
> > > >
> > > >             // >>>> 'encode' is actually performing a decode in this line <<<<
> > > >             url = this.encodeRedirectURL(url);
> > > >             this.disableCaching();
> > > >             if (this.webRequest.isAjax()) {
> > > >                 this.httpServletResponse.setHeader("Ajax-Location", url);
> > > >                 this.httpServletResponse.getWriter().write("<ajax-response><redirect><![CDATA[" + url + "]]></redirect></ajax-response>");
> > > >                 this.setContentType("text/xml;charset=" + this.webRequest.getContainerRequest().getCharacterEncoding());
> > > >                 this.disableCaching();
> > > >             } else {
> > > >                 this.httpServletResponse.sendRedirect(url);
> > > >             }
> > > >
> > > >         } catch (IOException var3) {
> > > >             throw new WicketRuntimeException(var3);
> > > >         }
> > > >     }
> > >
> > > > -----Original Message-----
> > > > From: Chris Colman [mailto:chr...@stepaheadsoftware.com]
> > > > Sent: Thursday, 28 February 2019 5:05 AM
> > > > To: users@wicket.apache.org
> > > > > Subject: RE: Undesirable decoding of URL encoded external URL using
> > > > > RedirectToUrlException
> > > > >
> > > > > Actually - I spoke too soon :)
> > > > >
> > > > > When I use SC_SEE_OTHER inside an AJAX invoked form submit method it
> > > > > works fine if the URL is for the same hostname but when it points to a
> > > > > different hostname (external link) the browser refuses to redirect,
> > > > > giving a CORS error.
> > > > >
> > > > > I could configure CORS on the external server but this is a redirect so
> > > > > I am wondering why is CORS an issue?
> > > > >
> > > > > Maybe the browser treats all XMLHttpRequests as resource accesses to
> > > > > display in the current page even if they are not actually requesting a
> > > > > resource to be displayed in the current page but invoking redirect to a
> > > > > completely new page?
> > > > >
> > > > > The redirect 302 doesn't have this problem but then I'm back to the
> > > > > undesirable premature decoding of the query parameters.
> > > > >
> > > > > It seems like the browser understands that 302 is a proper redirect (not
> > > > > a resource fetch for the current page) and so does not raise a CORS
> > > > > error.
> > > > >
> > > > > That got me thinking that maybe I could use SC_TEMPORARY_REDIRECT instead
> > > > > but that results in a:
> > > > >
> > > > > java.lang.IllegalStateException: Status must be either 301, 302 or 303, but was: 307
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Chris Colman [mailto:chr...@stepaheadsoftware.com]
> > > > > Sent: Wednesday, 27 February 2019 9:06 PM
> > > > > To: users@wicket.apache.org
> > > > > > Subject: RE: Undesirable decoding of URL encoded external URL using
> > > > > > RedirectToUrlException
> > > > >
> > > > > That works brilliantly!
> > > > >
> > > > > Thanks Martin
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Martin Grigorov [mailto:mgrigo...@apache.org]
> > > > > > Sent: Tuesday, 26 February 2019 10:46 PM
> > > > > > To: users@wicket.apache.org
> > > > > > > Subject: Re: Undesirable decoding of URL encoded external URL using
> > > > > > > RedirectToUrlException
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > It seems you use RedirectToUrlException(String) constructor which
> > > > > > > internally uses statusCode=HttpServletResponse.SC_MOVED_TEMPORARILY.
> > > > > > > If you use RedirectToUrlException(yourUrl,
> > > > > > > HttpServletResponse.SC_SEE_OTHER) then Wicket will not do its extra logic in
> > > > > > > org.apache.wicket.protocol.http.servlet.ServletWebResponse#encodeRedirectURL()
> > > > > > > and all should be fine.
> > > > > >
> > > > > > On Mon, Feb 25, 2019 at 8:13 PM Chris Colman
> > > > > > <chr...@stepaheadsoftware.com>
> > > > > > wrote:
> > > > > >
> > > > > > > > I am using:
> > > > > > > >
> > > > > > > >             throw new RedirectToUrlException(externalUrl);
> > > > > > > >
> > > > > > > > to redirect to an external URL (i.e.
> > > > > > > > https://hostname/path?param1=value1&param2=value2 etc.)
> > > > > > > >
> > > > > > > > In constructing the URL I have used java.net.URLEncoder.encode() to
> > > > > > > > individually encode the values in each of the query parameters.
> > > > > > > >
> > > > > > > > The browser shows the redirected URL with the query parameters being
> > > > > > > > 'decoded' not encoded.
> > > > > > > >
> > > > > > > > I stepped through in the debugger and saw that Wicket's
> > > > > > > > org.apache.wicket.util.encoding.UrlDecoder is being used to decode the
> > > > > > > > URL while processing the redirect.
> > > > > > > >
> > > > > > > > I worked around the problem by using the native Servlet API redirect:
> > > > > > > >
> > > > > > > >             HttpServletResponse response =
> > > > > > > >                 (HttpServletResponse)getRequestCycle().getResponse().getContainerResponse();
> > > > > > > >             try
> > > > > > > >             {
> > > > > > > >                 response.sendRedirect(url);
> > > > > > > >             }
> > > > > > > >             catch(IOException ioe)
> > > > > > > >             {
> > > > > > > >                 logger.error("Error while attempting to redirect to: " + url);
> > > > > > > >             }
> > > > > > > >
> > > > > > > > However, is there a 'Wicket' way of redirecting to an external URL
> > > > > > > > without causing the undesired decoding?
> > > > > > > >
> > > > > > > > Note: Using Wicket 6.x
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Chris
> > > > > > >
> > > > > > >
> > > > >
> > > > >
> > >
> ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > > > > For additional commands, e-mail: users-h...@wicket.apache.org
> > > >
> > > >
> > > >
> ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > > > For additional commands, e-mail: users-h...@wicket.apache.org
> > >
> > >
> > >
> ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > > For additional commands, e-mail: users-h...@wicket.apache.org
> > >
> > >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>
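
The effect discussed in this thread, as an added example (not code from the thread or from Wicket): a stand-alone Java check showing how a decode pass over an already-encoded redirect URL changes the query parameters the target receives. The `RedirectEncodingCheck` class, its helper names and the sample values are constructed for illustration, and the whole-URL `URLDecoder.decode` call is only a stand-in for the premature decoding described above.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectEncodingCheck {

    // Split the raw query on '&' and the first '=' BEFORE decoding each part,
    // which is how the receiving server will interpret the URL.
    static Map<String, String> parseQuery(String url) throws Exception {
        Map<String, String> params = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0 || q == url.length() - 1) {
            return params;
        }
        for (String pair : url.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    // True when the URL leaving the server carries the same parameters
    // as the URL the application built.
    static boolean sameParameters(String built, String emitted) throws Exception {
        return parseQuery(built).equals(parseQuery(emitted));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a callback URL passed as a parameter value.
        String returnTo = "https://app.example/cb?state=a&next=/home";
        String built = "https://hostname/path?param1=" + URLEncoder.encode(returnTo, "UTF-8")
                + "&param2=" + URLEncoder.encode("x=1", "UTF-8");

        // Stand-in for the premature decode (assumption, not Wicket's code).
        String emitted = URLDecoder.decode(built, "UTF-8");

        System.out.println("built:   " + parseQuery(built));
        System.out.println("emitted: " + parseQuery(emitted));
        System.out.println("same parameters: " + sameParameters(built, emitted));
    }
}
```

Once the encoded `&`, `=` and `?` inside `param1` are decoded, the receiver splits the value into extra parameters, so a check like `sameParameters` in a redirect test catches the regression before it reaches the external service.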
