From: Arieh Markel
Date: Fri, 25 Aug 2000 13:15:41 -0600 (MDT)
Subject: Issue with SessionUtil.encodeURL on SSL servers
To: tomcat-dev@jakarta.apache.org

During my work on adapting my application to work with 3.2 I am running
into a couple of issues.

While browsing through the code, I ran across some problem that may arise
when using SessionUtil.encodeURL under SSL.

The code shows:

    // Encode all relative URLs unless they start with a hash
    if (!url.startsWith("http:")) {
        if (!url.startsWith("#"))
            return (encode(id, url));
        else
            return (url);
    }

    // Encode all absolute URLs that return to this hostname
    String serverName = req.getServerName();
    String match = "http://" + serverName;
    if (url.startsWith("http://" + serverName))
        return (encode(id, url));
    else
        return (url);

What is evident is the hardcoding of http, which is bound not to work
on an SSL enabled Tomcat.

The more appropriate thing is to use the request's schema to use correct
logic.

Arieh
--
 Arieh Markel                           Sun Microsystems Inc.
 Network Storage                        500 Eldorado Blvd. MS UBRM11-194
 e-mail: arieh.markel@sun.COM           Broomfield, CO 80021
 Let's go Panthers !!!!                 Phone: (303) 272-8547 x78547
 (e-mail me with subject SEND PUBLIC KEY to get public key)
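
The scheme-aware check the message asks for, as an added example that is not part of the original message or of Tomcat's code. In the quoted snippet a URL beginning https: fails the startsWith("http:") test, so it is handled as relative and encoded whatever its host. The class name SchemeAwareEncoder, the simplified encode stand-in and the sample hosts are assumptions; scheme and serverName stand for req.getScheme() and req.getServerName(), and the host is compared exactly after parsing.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not Tomcat code; class name and sample values are hypothetical.
public class SchemeAwareEncoder {

    // Simplified stand-in for SessionUtil.encode(id, url): inserts the
    // session id before any query string or fragment.
    static String encode(String id, String url) {
        int cut = url.length();
        int q = url.indexOf('?');
        int h = url.indexOf('#');
        if (q >= 0) cut = q;
        if (h >= 0 && h < cut) cut = h;
        return url.substring(0, cut) + ";jsessionid=" + id + url.substring(cut);
    }

    // scheme and serverName stand for req.getScheme() and req.getServerName().
    static String encodeURL(String id, String url, String scheme, String serverName) {
        if (url.startsWith("#")) return url;        // fragment only, as in the original
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return url;                             // unparseable: do not attach the id
        }
        String s = uri.getScheme();
        if (s == null && uri.getRawAuthority() == null)
            return encode(id, url);                 // relative: returns to this server
        // Absolute (or //host/...) URL: encode only for the request's own scheme
        // and exactly this host. The port is ignored, as in the original check.
        boolean sameScheme = s == null || s.equalsIgnoreCase(scheme);
        boolean sameHost = serverName.equalsIgnoreCase(uri.getHost());
        return (sameScheme && sameHost) ? encode(id, url) : url;
    }

    public static void main(String[] args) {
        String id = "ABC123";                       // constructed session id
        String[] urls = {                           // constructed sample inputs
            "cart/view?item=1", "#top",
            "https://shop.example.com/checkout",
            "http://shop.example.com/checkout",
            "https://shop.example.com.other.test/x",
            "https://partner.test/landing" };
        for (String u : urls)
            System.out.println(u + " -> " + encodeURL(id, u, "https", "shop.example.com"));
    }
}
```

On an HTTPS request this leaves the plain-http link to the same host unencoded, so the session id is not placed in a URL that would travel in cleartext.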