XWiki Platform / XWIKI-6582

XWikiServletURLFactory generates wrong links behind a reverse proxy with https

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0, 3.1 M1
    • Fix Version/s: 2.7.2, 3.1 M2, 3.0.1
    • Component/s: Legacy
    • Labels:
      None
    • Environment:
      Jetty w/ HQL
    • Difficulty:
      Trivial

      Description

      The XWiki API object has a getRequestURL() method to help Velocity templates determine the URL of the current document.

      E.g. take "$xwiki.getRequestURL()" from global.vm:

      #if(!$xcontext.action.startsWith("login"))
      #if($isGuest)
      #set($loginurl = $xwiki.getURL('XWiki.XWikiLogin', 'login', "xredirect=$escapetool.url($xwiki.getRequestURL())"))
      <a class="glink" href="$!loginurl" id="headerlogin">$!msg.get('login')</a>#sep()
      #else
      #set($logouturl = $xwiki.getURL('XWiki.XWikiLogout', 'logout', "xredirect=$escapetool.url($xwiki.getRequestURL())"))
      <a class="glink" href="$!logouturl" id="headerlogout">$!msg.get('logout')</a>#sep()
      #end
      #end

      This helper method is called from several Velocity macros to generate links including the login/logout xredirect link shown above.

      When XWiki is deployed using Jetty or WebLogic behind a reverse proxy Apache server, this particular helper method generates an xredirect value with an undesired URL protocol (http instead of https).

      This helper uses the "inside the firewall" URL (seen from Jetty's perspective) instead of "outside the reverse proxy" URL, seen by the end-user's web browser.

      This happens even though xwiki.url.protocol is set, per bug 227. http://jira.xwiki.org/jira/browse/XWIKI-227

      One fix might be to change com.xpn.xwiki.web.XWikiServletURLFactory in http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk. I am assuming Core is still in Subversion; I didn't check git.

      public URL getRequestURL(XWikiContext context)
      {
          final URL url = super.getRequestURL(context);
          try {
              final URL servurl = getServerURL(context);
              // if use apache mod_proxy we needed to know external host address
              return new URL(url.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile());
          } catch (MalformedURLException ex) {
              // This should not happen
              ex.printStackTrace();
              return url;
          }
      }


      ==PATCHED==

      public URL getRequestURL(XWikiContext context)
      {
          final URL url = super.getRequestURL(context);
          try {
              final URL servurl = getServerURL(context);
              // if use apache mod_proxy we needed to know external host address
              return new URL(servurl.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile());
          } catch (MalformedURLException ex) {
              // This should not happen
              ex.printStackTrace();
              return url;
          }
      }

      Index: XWikiServletURLFactory.java
      ===================================================================
      — XWikiServletURLFactory.java (revision 36361)
      +++ XWikiServletURLFactory.java (working copy)
      @@ -593,7 +595,7 @@
      try

      { final URL servurl = getServerURL(context); // if use apache mod_proxy we needed to know external host address - return new URL(url.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile()); + return new URL(servurl.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile()); }

      catch (MalformedURLException ex) {
      // This should not happen
      ex.printStackTrace();
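
      Review bot: the comment next to the changed return new URL(...) line still says only the external host address is needed, but after this change the protocol is taken from servurl as well; the comment should say that protocol, host and port all come from getServerURL(context) and that only the file part is kept from the request URL. The catch branch visible in the context lines only calls ex.printStackTrace(), and the method body quoted earlier in the description returns the unmodified url there, so a failure would quietly hand the internal http URL back to the templates that build xredirect; reporting it somewhere an operator will see it would make that fallback visible.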

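      A regression check for the symptom described above, as an added example that is not part of the original report or of XWiki's code: it scans rendered header markup for xredirect parameters and flags any absolute target whose scheme, host or port differs from the externally visible base URL. The host wiki.example.org, the link path and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (id attribute, href) for every <a href=...>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs.get("id"), attrs["href"]))

def check_xredirects(html, external_base):
    """List (link id, xredirect) pairs whose absolute target is off the external origin."""
    expected = origin(external_base)
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for link_id, href in collector.links:
        for target in parse_qs(urlsplit(href).query).get("xredirect", []):
            # Relative targets inherit the page origin; only absolute ones are compared.
            if urlsplit(target).scheme and origin(target) != expected:
                findings.append((link_id, target))
    return findings

# Constructed sample: the login link as rendered from the global.vm snippet,
# first with the http xredirect described in the report, then with https.
BEFORE = ('<a class="glink" id="headerlogin" href="/xwiki/bin/login/XWiki/XWikiLogin'
          '?xredirect=http%3A%2F%2Fwiki.example.org%2Fxwiki%2Fbin%2Fview%2FMain%2F">Log-in</a>')
AFTER = BEFORE.replace("http%3A", "https%3A")

if __name__ == "__main__":
    print(check_xredirects(BEFORE, "https://wiki.example.org"))
    print(check_xredirects(AFTER, "https://wiki.example.org"))
```

      Run against pages fetched through the reverse proxy, an empty result means every absolute xredirect target stays on the https origin the browser sees.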
            People

            • Assignee:
              sdumitriu Sergiu Dumitriu
              Reporter:
              qconner Quentin Conner