XWiki Platform / XWIKI-6582

XWikiServletURLFactory generates wrong links behind a reverse proxy with https


Details

    • Bug
    • Resolution: Fixed
    • Major
    • 2.7.2, 3.1 M2, 3.0.1
    • 3.0, 3.1 M1
    • Legacy
    • None
    • Jetty w/ HQL
    • Trivial

    Description

      The XWiki API object has a getRequestURL() method to help Velocity templates determine the URL of the current document.

      E.g. take "$xwiki.getRequestURL()" from global.vm:

      #if(!$xcontext.action.startsWith("login"))
      #if($isGuest)
      #set($loginurl = $xwiki.getURL('XWiki.XWikiLogin', 'login', "xredirect=$escapetool.url($xwiki.getRequestURL())"))
      <a class="glink" href="$!loginurl" id="headerlogin">$!msg.get('login')</a>#sep()
      #else
      #set($logouturl = $xwiki.getURL('XWiki.XWikiLogout', 'logout', "xredirect=$escapetool.url($xwiki.getRequestURL())"))
      <a class="glink" href="$!logouturl" id="headerlogout">$!msg.get('logout')</a>#sep()
      #end
      #end

      This helper method is called from several Velocity macros to generate links including the login/logout xredirect link shown above.

      When XWiki is deployed using Jetty or WebLogic behind a reverse proxy Apache server, this particular helper method generates an xredirect value with an undesired URL protocol (http instead of https).

      This helper uses the "inside the firewall" URL (seen from Jetty's perspective) instead of "outside the reverse proxy" URL, seen by the end-user's web browser.

      This happens even though xwiki.url.protocol is set, per bug 227. http://jira.xwiki.org/jira/browse/XWIKI-227

      One fix might be to change com.xpn.xwiki.web.XWikiServletURLFactory in http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk. I am assuming Core is still in Subversion; I didn't check git.

      public URL getRequestURL(XWikiContext context)
      {
          final URL url = super.getRequestURL(context);
          try {
              final URL servurl = getServerURL(context);
              // if use apache mod_proxy we needed to know external host address
              return new URL(url.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile());
          } catch (MalformedURLException ex) {
              // This should not happen
              ex.printStackTrace();
              return url;
          }
      }


      ==PATCHED==

      public URL getRequestURL(XWikiContext context)
      {
          final URL url = super.getRequestURL(context);
          try {
              final URL servurl = getServerURL(context);
              // if use apache mod_proxy we needed to know external host address
              return new URL(servurl.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile());
          } catch (MalformedURLException ex) {
              // This should not happen
              ex.printStackTrace();
              return url;
          }
      }

      Index: XWikiServletURLFactory.java
      ===================================================================
      — XWikiServletURLFactory.java (revision 36361)
      +++ XWikiServletURLFactory.java (working copy)
      @@ -593,7 +595,7 @@
      try

      { final URL servurl = getServerURL(context); // if use apache mod_proxy we needed to know external host address - return new URL(url.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile()); + return new URL(servurl.getProtocol(), servurl.getHost(), servurl.getPort(), url.getFile()); }

      catch (MalformedURLException ex) {
      // This should not happen
      ex.printStackTrace();
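
      Review bot: the comment above the changed return line still says only the external host address is needed, but with this change the protocol is taken from servurl as well, so it should say that scheme, host and port all come from getServerURL(context). In the catch branch, ex.printStackTrace() is the only trace of a failure, and the method as posted above then returns the original url, which puts the internal http scheme back into the xredirect value without anyone noticing; log the exception through the class logger with the offending URL parts instead of printing the stack trace.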


          People

            sdumitriu Sergiu Dumitriu
            qconner Quentin Conner