Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
http-2.2.1, http-2.2.2
-
None
Description
The HTTP SSL Filter service implemented in FELIX-3693 supports revealing the actual protocol used by the client side browser by inspecting a request header and exposing the proper scheme through its ServletRequest.getScheme() implementation if the actual server is operated behind an SSL terminating proxy (i.e. client connects with HTTPS to proxy, proxy forwards request to server over plain HTTP)
The HttpServletRequest.sendRedirect() method is declared to set the Location header to the absolute redirect URL which includes the scheme. In an SSL terminating proxy situation, the servlet container does not know about this fact and hence uses the actual server scheme (HTTP) for the redirect instead of the scheme used by client.
To fix this situation the SSL filter response should implement the HttpServletResponse.sendRedirect() method to use use the client side scheme as extracted from the request instead of the actual server request.
Attachments
Attachments
Issue Links
- breaks
-
FELIX-5309 SslFilter: sendRedirect does not support deliberate protocol changes on the current host
- Closed