Return-Path: 
 <user-return-6970-apmail-roller-user-archive=roller.apache.org@roller.apache.org>
X-Original-To: apmail-roller-user-archive@www.apache.org
Delivered-To: apmail-roller-user-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 1D44C1109A
	for <apmail-roller-user-archive@www.apache.org>;
 Tue,  8 Apr 2014 15:36:34 +0000 (UTC)
Received: (qmail 12814 invoked by uid 500); 8 Apr 2014 15:36:33 -0000
Delivered-To: apmail-roller-user-archive@roller.apache.org
Received: (qmail 12558 invoked by uid 500); 8 Apr 2014 15:36:31 -0000
Mailing-List: contact user-help@roller.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:user-help@roller.apache.org>
List-Unsubscribe: <mailto:user-unsubscribe@roller.apache.org>
List-Post: <mailto:user@roller.apache.org>
List-Id: <user.roller.apache.org>
Reply-To: user@roller.apache.org
Delivered-To: mailing list user@roller.apache.org
Received: (qmail 11059 invoked by uid 99); 8 Apr 2014 15:36:28 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Apr 2014 15:36:28 +0000
X-ASF-Spam-Status: No, hits=1.5 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy includes SPF record at
 spf.trusted-forwarder.org)
Received: from [209.85.216.44] (HELO mail-qa0-f44.google.com) (209.85.216.44)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Apr 2014 15:36:23 +0000
Received: by mail-qa0-f44.google.com with SMTP id hw13so1067636qab.17
        for <user@roller.apache.org>; Tue, 08 Apr 2014 08:36:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:content-type;
        bh=eBIuLv+y9CZnzFB2T3LWCGNmstn0C/nvQWwzOwdGz0c=;
        b=cadEDRaep8IBoGAVQ79iqJBkK2fmuZoPRFGzlvEMQuE3hSiOOBDLhBriJGPiMM0xvj
         xJul4RKxgmwkkBFvzN/UQuiQD41wybPnWsaLKeSDiAMF4hdCP/XrwyKDFYkHcVdq6tv9
         kBwz/u8m040mgX46Rk4tUBkAyCNa9ykn/38s/XC5thCCvJlW3gn580TcmnNwELMVm/CD
         OzmSJ4mvVRSxV/MzmOFRQeEhHeZzvq+r77repFw97Gc0sw77PuKwsWeyAfpUNoX8rCla
         I0KKy4opxdJiEa8fi/AYyzz2wr4jU89x7cHwGdUmv2IrvrrSVWmQVRiZk/8WA18hcggq
         oJ5g==
X-Gm-Message-State: 
 ALoCoQmmW0Ci82z/IBuOzsa51oUQDCWSFsLkuu28KnEJa0o5JI7n8SEOR/xwv7/dgxqbSA6O6kqk
X-Received: by 10.140.101.244 with SMTP id u107mr3785285qge.107.1396971360847;
 Tue, 08 Apr 2014 08:36:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.96.146.105 with HTTP; Tue, 8 Apr 2014 08:35:40 -0700 (PDT)
In-Reply-To: 
 <CAFhCnT7OgeSnR1QzkM0J94pRgwfM-XJSM9VfCujv0Wgfwhy62A@mail.gmail.com>
References: <28EDAEF7-BAA9-4F45-888B-3DA4FA91ADCF@raibledesigns.com>
 <53433E6D.8030107@gmail.com>
 <CAFhCnT4pWXQ40XDxLD3PMCj34Ut7PDezgNiFeMcJWXXWsbV9EQ@mail.gmail.com>
 <CAFhCnT7OgeSnR1QzkM0J94pRgwfM-XJSM9VfCujv0Wgfwhy62A@mail.gmail.com>
From: Matt Raible <matt@raibledesigns.com>
Date: Tue, 8 Apr 2014 09:35:40 -0600
Message-ID: 
 <CAFhCnT4evtzDNfu403oZUzef4HYHc7ZxmT9pa-NAAocYQxyMdA@mail.gmail.com>
Subject: Re: Absolute URL without scheme prefix
To: user <user@roller.apache.org>
Content-Type: multipart/alternative; boundary=001a11c16772b9b74004f689bdb4
X-Virus-Checked: Checked by ClamAV on apache.org

--001a11c16772b9b74004f689bdb4
Content-Type: text/plain; charset=UTF-8

I was successful in fixing my base URL by changing it to:

<base href="$absBaseURL.replace('https:', '')" />

Now everything works with both http and https, provided I change iframes
(and other embedded URLs) to use // instead of http://.

I was unable to get "force HTTPs" to work, either by modifying web.xml or
security.xml.

For web.xml, I tried adding the following:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HTTPS resources</web-resource-name>
            <url-pattern>/roller-ui/login.rol</url-pattern>
            <url-pattern>/roller-ui/register.rol</url-pattern>
            <url-pattern>/roller-ui/register!save.rol</url-pattern>
            <url-pattern>/roller-ui/profile.rol</url-pattern>
            <url-pattern>/roller-ui/profile!save.rol</url-pattern>
            <url-pattern>/roller-ui/admin/*</url-pattern>
            <url-pattern>/roller-ui/login-redirect.jsp</url-pattern>
            <url-pattern>/roller-ui/login-redirect.rol</url-pattern>
            <url-pattern>/roller-ui/authoring/userdata</url-pattern>

<url-pattern>/roller-ui/authoring/membersInvite.rol</url-pattern>

<url-pattern>/roller-ui/authoring/membersInvite!save.rol</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Once I did this, I was redirected, but to port 8443 instead of 443. To fix
this, I changed tomcat/conf/server.xml to the following:

    <Connector port="8118" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

After doing this, I received an infinite loop error in my browser.

Next, I tried modifying security.xml by adding the following:

<intercept-url pattern="/roller-ui/**" requires-channel="https" />

This seems to intercept forwards as well, so when trying to go to the
top-level URL, I was redirected to the following URL and got a infinite
loop error again.

https://raible.kgbinternet.com/roller-ui/rendering/page/rd

It would be nice to force SSL on the editor pages, but it seems impossible
with the current setup - unless I do it at the Apache level with
mod_rewrite.

Cheers,

Matt


On Tue, Apr 8, 2014 at 8:51 AM, Matt Raible <matt@raibledesigns.com> wrote:

> After further inspection, it looks like it's working fine on your blog.
> I'm guessing this is because you're missing a <base> element, whereas I
> have:
>
> <base href="https://raible.kgbinternet.com" />
>
>
> On Tue, Apr 8, 2014 at 8:47 AM, Matt Raible <matt@raibledesigns.com>wrote:
>
>> This seems to get me part of the way there - thanks Glen.
>>
>> To enable SSL and have it work for embedded iframes, it looks like I'll
>> have to change <iframe src="http://..."> to <iframe src="//...">.
>> Another thing I noticed is comments XML doesn't load. Is this because I
>> don't have a valid cert on my site? My certificate is for *.
>> raibledesigns.com - raible.kgbinternet.com is just a test site. If I use
>> the "https" version of the URL below, it works fine.
>>
>> http://raible.kgbinternet.com/rd/entry/developing_an_ios_native_app
>>
>> XMLHttpRequest cannot load
>> https://raible.kgbinternet.com/CommentAuthenticatorServlet. No
>> 'Access-Control-Allow-Origin' header is present on the requested resource.
>> Origin 'http://raible.kgbinternet.com' is therefore not allowed access.
>>
>>
>> On Mon, Apr 7, 2014 at 6:10 PM, Glen Mazza <glen.mazza@gmail.com> wrote:
>>
>>> Hi Matt, I think what I'm doing on my OpenShift blog (http[s]://
>>> web-gmazza.rhcloud.com/) could work for you:
>>>
>>> 1.) On the blog server administration page, "Absolute URL to site (if
>>> required)" field, I have "https://web-gmazza.rhcloud.com"
>>> 2.) I uncommented the <security-constraint/> section at the bottom of
>>> the default web.xml: http://svn.apache.org/viewvc/
>>> roller/trunk/app/src/main/webapp/WEB-INF/web.xml?view=markup
>>>
>>> This gives me both https:// and http:// for the blog reader, but only
>>> the former when I'm creating blogs, logging in, etc.
>>>
>>> HTH,
>>> Glen
>>>
>>>
>>> On 4/7/2014 3:56 PM, Matt Raible wrote:
>>>
>>>> I'm thinking about making my site accessible over http as well as
>>>> https. One thing I noticed is the absolute URL requires a prefix. I tried
>>>> changing it from "http://" to just "//" (so it uses the same scheme as
>>>> the page) and it fails:
>>>>
>>>> java.net.MalformedURLException: no protocol: //localhost:8080
>>>>         at java.net.URL.<init>(URL.java:585)
>>>>         at java.net.URL.<init>(URL.java:482)
>>>>         at java.net.URL.<init>(URL.java:431)
>>>>         at org.apache.roller.weblogger.ui.rendering.velocity.
>>>> deprecated.ContextLoader.loadPathValues(ContextLoader.java:420)
>>>>         at org.apache.roller.weblogger.ui.rendering.velocity.
>>>> deprecated.ContextLoader.setupContext(ContextLoader.java:192)
>>>>         at org.apache.roller.weblogger.ui.rendering.model.
>>>> ModelLoader.loadOldModels(ModelLoader.java:57)
>>>>         at org.apache.roller.weblogger.ui.rendering.servlets.
>>>> PageServlet.doGet(PageServlet.java:436)
>>>>
>>>> Is it possible to enhance the "$absBaseURL" macro to allow no prefix?
>>>>
>>>> I'm using Roller 5.0.3 on Tomcat 7.
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>
>>>
>>
>

--001a11c16772b9b74004f689bdb4--