tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Sidney-Woollett <joh...@wardbrook.com>
Subject http->https url rewrite bug TC 5.0.28?
Date Mon, 15 Nov 2004 15:20:32 GMT
I'm not sure if this is a bug or a misunderstaning on my part - and I've 
been searching the archives and googling for most of the day without 
success...

I've got a problem where URL rewriting is failing to correctly encode 
the URL when switching from an insecure (non-ssl) connection to a secure 
ssl connection FOR THE SAME DOMAIN and where the session already exists 
for the insecure connection and COOKIES ARE DISABLED in the browser. I 
can reproduce this behaviour with different browsers.

An "action" servlet receives the non-ssl request and redirects to 
another secure "action" servlet. The call for the redirect should encode 
the URL as follows in the first servlet's service(request, response) method:

[snip]
if (gotoCheckout)
{
	//goto the checkout
	//this generates the URL
	//https://www.mytestsite.com/CheckoutAction?action=start
	String url = CheckoutAction.getCheckoutActionStartURL(request);

	//make sure the JSESSIONID is appended for non-cookie browsers
	url = response.encodeRedirectURL(url);

	response.sendRedirect(url);
	return;
}
[snip]

Looking at the headers, you can see that the JSESSIONID is not appended 
to the redirect URL when the protocol switches from http to https:

REQUEST
=======
POST 
http://www.mytestsite.com/BasketAction;jsessionid=9E490ADF8FB268E3F6BC5FA2FD61E8CF 
HTTP/1.1
Host: www.mytestsite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5a) 
Gecko/20030728 Mozilla Firebird/0.6.1
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: 
http://www.mytestsite.com/basket;jsessionid=9E490ADF8FB268E3F6BC5FA2FD61E8CF
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
ret=%2Fimage%2F6503740500223&action=upd&butaction=checkout&qty_0=1

RESPONSE
========
HTTP/1.x 302 Moved Temporarily
Date: Mon, 15 Nov 2004 13:38:23 GMT
Server: Apache/1.3.29
Location: https://www.mytestsite.com/CheckoutAction?action=start
Content-Length: 0
Content-Type: text/plain
Connection: close


Setup

Apache 1.3.29 + mod_ssl + mod_jk + tomcat 5.0.28 (unix)

Apache is configured with two virtual directives; one for port 80 and 
one for post 443 and the requests are forwarded by mod_jk to tomcat 
which has the following in its server.xml config:

[snip]
<Host name="www.mytestsite.com" appBase="/ef02/tc/www.mytestsite.com">
  <Context path="" docBase="ROOT" debug="0" reloadable="false">
   <ResourceLink name="jdbc/D1DB" global="jdbc/D1DB" 
type="javax.sql.DataSource"/>
  </Context>
</Host>
[snip]

Tomcat possibly nevers "sees" that the request is secure because the SSL 
part of the transaction is handled by mod_SSL, and I don't know if this 
has a bearing on the issue?

My question, should the JSESSIONID be appended in the encoded redirect - 
I think so?

And if it should, am I doing something wrong. Or is there a bug?

If there is a bug, should I manually append the ";jsessionid=xxxxxxx" to 
the URL to workaround the problem.

Can anyone shed any light on this?

Many thanks

John Sidney-Woollett

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message