[Hippo-cms7-user] doAction, PRG and HTTPS

Wouter Danes Wouter.Danes at hinttech.com
Wed Dec 12 15:35:44 CET 2012


Hi Woonsan,

Yes, actually. ActionValve could create a protocol-less URL, e.g. //home instead of http://home. That'll work too and default to the protocol that was used to do the GET.
If you want to look at the scheme, you should also look at the X-Forwarded-Proto HTTP header. Proxies set that to https when it's an HTTPS request.

Something like this: 
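    private boolean isSecureRequest(HttpServletRequest request) {
        // Scheme of the connection as the servlet container received it
        String scheme = request.getScheme();
        // Set by a proxy in front of the container when the original request was HTTPS
        String forwardedProtocol = request.getHeader("X-Forwarded-Proto");
        return "https".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(forwardedProtocol);
    }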

-----Original Message-----
From: hippo-cms7-user-bounces at lists.onehippo.org [mailto:hippo-cms7-user-bounces at lists.onehippo.org] On Behalf Of Woonsan Ko
Sent: Wednesday 12 December 2012 15:24
To: Hippo CMS 7 implementation list
Subject: Re: [Hippo-cms7-user] doAction, PRG and HTTPS

Hi Wouter,

By default, ActionValve tries to generate an absolute URL for redirection after processing the action phase. ActionValve has an option to use the relative path instead.
For example, you can redefine the action valve with the property, "alwaysRedirectLocationToAbsoluteUrl", like this:

   <bean id="actionValve" parent="abstractValve"
         class="org.hippoecm.hst.core.container.ActionValve">
     <property name="alwaysRedirectLocationToAbsoluteUrl" value="false" />
   </bean>

If you choose the option with relative path redirection, the redirect path will contain the servlet context path (e.g., '/site'), so you'll probably need to configure the proxy configuration with more options between httpd and tomcat.

If you are using https directly to tomcat, then I think there's one thing we can improve in ActionValve:

     String absoluteRedirectUrl =
         requestContext.getVirtualHost().getBaseURL(servletRequest) + location;

Maybe ActionValve could have read the request scheme (http or https) instead of reading the virtual host configuration.

Regards,

Woonsan


On 12/12/12 5:21 AM, Wouter Danes wrote:
> Hi all,
>
> I have a page on HTTPS and I use a doAction to add an object.
>
> After that, the originating page is rendered again.
>
> Now, Hippo appears to do the following:
>
> - Post the request over HTTPS
>
> - Redirect to a Get over HTTP
>
> - Then my site says "Hey, I should be on HTTPS, let's redirect to HTTPS".
>
> I would expect a redirect without a protocol or over HTTPS when the 
> initial POST is over HTTPS, is this possible?
>
> Met vriendelijke groet / Yours sincerely,
>
> ---
>
> Wouter Danes
>
> Competence Manager Hippo / Java / Alfresco
>
> Hinttech
>
> T: +31 6 1158 8264
>
> E: wouter.danes at hinttech.com <mailto:wouter.danes at hinttech.com>
>
> @wouterdanes
>
>
>
> _______________________________________________
> Hippo-cms7-user mailing list and forums 
> http://www.onehippo.org/cms7/support/forums.html
>


-- 
w.ko at onehippo.com     www.onehippo.com
Boston - 1 Broadway, Cambridge, MA 02142
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
_______________________________________________
Hippo-cms7-user mailing list and forums
http://www.onehippo.org/cms7/support/forums.html
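
Added example, not part of the thread and not Hippo HST code: the scheme check discussed above, written without the servlet API so it runs stand-alone. It honours X-Forwarded-Proto only when the direct peer is a known reverse proxy, because any client can send that header; the class and method names, proxy addresses and host name are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;

// Added example; not Hippo HST code. Plain strings stand in for the values of
// request.getScheme(), request.getHeader("X-Forwarded-Proto") and request.getRemoteAddr().
public class RedirectScheme {

    // Constructed addresses of the reverse proxies in front of the container (assumption).
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1", "10.0.0.5");

    // Scheme the browser used. The forwarded header counts only when the direct peer
    // is a trusted proxy and the value is exactly "http" or "https".
    static String effectiveScheme(String requestScheme, String forwardedProto, String remoteAddr) {
        if (forwardedProto != null && TRUSTED_PROXIES.contains(remoteAddr)) {
            String value = forwardedProto.trim().toLowerCase(Locale.ROOT);
            if (value.equals("https") || value.equals("http")) {
                return value;
            }
        }
        return requestScheme.toLowerCase(Locale.ROOT);
    }

    // Absolute redirect target for the GET that follows the action-phase POST.
    static String redirectUrl(String scheme, String host, String location) {
        return scheme + "://" + host + location;
    }

    public static void main(String[] args) {
        String host = "www.example.org"; // constructed host name
        String location = "/home";

        // HTTPS straight to the container, no proxy header.
        System.out.println(redirectUrl(effectiveScheme("https", null, "203.0.113.7"), host, location));
        // TLS terminated at a trusted proxy, which forwards over plain HTTP.
        System.out.println(redirectUrl(effectiveScheme("http", "https", "10.0.0.5"), host, location));
        // Header sent by a client that reached the container directly: ignored.
        System.out.println(redirectUrl(effectiveScheme("http", "https", "203.0.113.7"), host, location));
    }
}
```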