XWiki Platform / XWIKI-6582

XWikiServletURLFactory generates wrong links behind a reverse proxy with https

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0, 3.1 M1
    • Fix Version/s: 2.7.2, 3.1 M2, 3.0.1
    • Component/s: Legacy
    • Labels:
      None
    • Environment:
      Jetty w/ HQL
    • Difficulty:
      Trivial

      Description

      The XWiki API object has a getRequestURL() method to help Velocity templates determine the URL of the current document.

      E.g. take "$xwiki.getRequestURL()" from global.vm:

      #if(!$xcontext.action.startsWith("login"))
        #if($isGuest)
          #set($loginurl = $xwiki.getURL('XWiki.XWikiLogin', 'login', "xredirect=$escapetool.url($xwiki.getRequestURL())"))
          <a class="glink" href="$!loginurl" id="headerlogin">$!msg.get('login')</a>#sep()
        #else
          #set($logouturl = $xwiki.getURL('XWiki.XWikiLogout', 'logout', "xredirect=$escapetool.url($xwiki.getRequestURL())"))
          <a class="glink" href="$!logouturl" id="headerlogout">$!msg.get('logout')</a>#sep()
        #end
      #end

      This helper method is called from several Velocity macros to generate links including the login/logout xredirect link shown above.

      When XWiki is deployed using Jetty or WebLogic behind a reverse proxy Apache server, this particular helper method generates an xredirect value with an undesired URL protocol (http instead of https).

      This helper uses the "inside the firewall" URL (seen from Jetty's perspective) instead of "outside the reverse proxy" URL, seen by the end-user's web browser.

      This happens even though xwiki.url.protocol is set, per bug 227. http://jira.xwiki.org/jira/browse/XWIKI-227

      One fix might be to change com.xpn.xwiki.web.XWikiServletURLFactory in http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk. I am assuming Core is still in Subversion; I didn't check git.

      public URL getRequestURL(XWikiContext context)
      {
          final URL url = super.getRequestURL(context);
          try {
              final URL servurl = getServerURL(context);
              // if use apache mod_proxy we needed to know external host address
              return new URL(url.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile());
          } catch (MalformedURLException ex) {
              // This should not happen
              ex.printStackTrace();
              return url;
          }
      }


      ==PATCHED==

      public URL getRequestURL(XWikiContext context)
      {
          final URL url = super.getRequestURL(context);
          try {
              final URL servurl = getServerURL(context);
              // if use apache mod_proxy we needed to know external host address
              return new URL(servurl.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile());
          } catch (MalformedURLException ex) {
              // This should not happen
              ex.printStackTrace();
              return url;
          }
      }

      Index: XWikiServletURLFactory.java
      ===================================================================
      — XWikiServletURLFactory.java (revision 36361)
      +++ XWikiServletURLFactory.java (working copy)
      @@ -593,7 +595,7 @@
      try

      { final URL servurl = getServerURL(context); // if use apache mod_proxy we needed to know external host address - return new URL(url.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile()); + return new URL(servurl.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile()); }

      catch (MalformedURLException ex) {
      // This should not happen
      ex.printStackTrace();
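
      Review bot: The inline comment on the changed return line still says only the external host address is needed, but with this change the protocol is also taken from servurl; update it to say that scheme, host and port all come from getServerURL(context) and only the file part comes from the request URL. In the catch block, ex.printStackTrace() would be better sent to the application log so a malformed server URL is visible to operators. A unit test that pairs an https server URL with an http request URL and asserts the returned protocol would keep this from regressing.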

        Activity

        Quentin Conner added a comment -

        patch to com.xpn.xwiki.web.XWikiServletURLFactory

        Sergiu Dumitriu added a comment -

        Fixed in 6a020aa0.
        Patch applied without changes, thanks.
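
The scheme mix-up described in this issue, reproduced outside XWiki as an added example (not code from the XWiki project or from the reporter): it builds the request URL both ways with plain java.net.URL and shows the xredirect value each one produces. The class name, the sample URLs and the leavesExternalOrigin check are assumptions made for illustration; it needs Java 10 or later.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class RequestUrlBehindProxy {
    // Construction from the issue before the patch: scheme taken from the request URL.
    static URL before(URL requestUrl, URL serverUrl) throws MalformedURLException {
        return new URL(requestUrl.getProtocol(), serverUrl.getHost(), serverUrl.getPort(), requestUrl.getFile());
    }

    // Construction after the patch: scheme, host and port all taken from the server URL.
    static URL after(URL requestUrl, URL serverUrl) throws MalformedURLException {
        return new URL(serverUrl.getProtocol(), serverUrl.getHost(), serverUrl.getPort(), requestUrl.getFile());
    }

    // Hypothetical check: true when a generated link does not share the
    // scheme, host and effective port of the externally visible server URL.
    static boolean leavesExternalOrigin(URL generated, URL serverUrl) {
        int genPort = generated.getPort() == -1 ? generated.getDefaultPort() : generated.getPort();
        int srvPort = serverUrl.getPort() == -1 ? serverUrl.getDefaultPort() : serverUrl.getPort();
        return !generated.getProtocol().equals(serverUrl.getProtocol())
            || !generated.getHost().equalsIgnoreCase(serverUrl.getHost())
            || genPort != srvPort;
    }

    // Mirrors "xredirect=$escapetool.url(...)" from the Velocity snippet in the description.
    static String xredirect(URL target) {
        return "xredirect=" + URLEncoder.encode(target.toString(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample values: what Jetty sees vs. what the browser sees.
        URL requestUrl = new URL("http://127.0.0.1:8080/xwiki/bin/view/Main/WebHome?rev=1.2");
        URL serverUrl = new URL("https://wiki.example.org/xwiki/");

        for (URL u : new URL[] { before(requestUrl, serverUrl), after(requestUrl, serverUrl) }) {
            System.out.println(u + "  leavesExternalOrigin=" + leavesExternalOrigin(u, serverUrl));
            System.out.println("  " + xredirect(u));
        }
    }
}
```

The same check can be applied to any generated absolute link when testing a deployment behind a TLS-terminating proxy, since it compares scheme, host and effective port rather than scheme alone.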


          People

          • Assignee:
            Sergiu Dumitriu
            Reporter:
            Quentin Conner
          • Votes:
            0
            Watchers:
            0
