tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Sidney-Woollett <>
Subject http->https url rewrite bug TC 5.0.28?
Date Mon, 15 Nov 2004 15:20:32 GMT
I'm not sure if this is a bug or a misunderstaning on my part - and I've 
been searching the archives and googling for most of the day without 

I've got a problem where URL rewriting is failing to correctly encode 
the URL when switching from an insecure (non-ssl) connection to a secure 
ssl connection FOR THE SAME DOMAIN and where the session already exists 
for the insecure connection and COOKIES ARE DISABLED in the browser. I 
can reproduce this behaviour with different browsers.

An "action" servlet receives the non-ssl request and redirects to 
another secure "action" servlet. The call for the redirect should encode 
the URL as follows in the first servlet's service(request, response) method:

if (gotoCheckout)
	//goto the checkout
	//this generates the URL
	String url = CheckoutAction.getCheckoutActionStartURL(request);

	//make sure the JSESSIONID is appended for non-cookie browsers
	url = response.encodeRedirectURL(url);


Looking at the headers, you can see that the JSESSIONID is not appended 
to the redirect URL when the protocol switches from http to https:

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5a) 
Gecko/20030728 Mozilla Firebird/0.6.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 66

HTTP/1.x 302 Moved Temporarily
Date: Mon, 15 Nov 2004 13:38:23 GMT
Server: Apache/1.3.29
Content-Length: 0
Content-Type: text/plain
Connection: close


Apache 1.3.29 + mod_ssl + mod_jk + tomcat 5.0.28 (unix)

Apache is configured with two virtual directives; one for port 80 and 
one for post 443 and the requests are forwarded by mod_jk to tomcat 
which has the following in its server.xml config:

<Host name="" appBase="/ef02/tc/">
  <Context path="" docBase="ROOT" debug="0" reloadable="false">
   <ResourceLink name="jdbc/D1DB" global="jdbc/D1DB" 

Tomcat possibly nevers "sees" that the request is secure because the SSL 
part of the transaction is handled by mod_SSL, and I don't know if this 
has a bearing on the issue?

My question, should the JSESSIONID be appended in the encoded redirect - 
I think so?

And if it should, am I doing something wrong. Or is there a bug?

If there is a bug, should I manually append the ";jsessionid=xxxxxxx" to 
the URL to workaround the problem.

Can anyone shed any light on this?

Many thanks

John Sidney-Woollett

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message