[Hippo-cms7-user] doAction, PRG and HTTPS

Ard Schrijvers a.schrijvers at onehippo.com
Wed Dec 12 16:36:36 CET 2012


On Wed, Dec 12, 2012 at 3:35 PM, Wouter Danes <Wouter.Danes at hinttech.com> wrote:
> Hi Woonsan,
>
> Yes, actually. ActionValve could create a protocol-less URL, e.g.
> //home, instead of http://home. That'll work too and default to the protocol that was used to do the GET.
> If you want to look at the scheme, you should also look at the X-Forwarded-Proto HTTP header. Proxies set that to https when it's an https request.
>
> Something like this:
>     private boolean isSecureRequest(HttpServletRequest request) {
>         String scheme = request.getScheme();
>         String forwardedProtocol = request.getHeader("X-Forwarded-Proto");
>         return "https".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(forwardedProtocol);
>     }

Currently, the absolute URL is created by getting the scheme from the
virtualhost configuration and then appending the forwarded host info
from the request (see VirtualHostService#getBaseURL). It indeed seems
better, of course, to also use the scheme from the request.

Thus replace in VirtualHostService#getBaseURL

String scheme = this.getScheme();

with your code.

If everything is over https, you could now also try to set https on
your virtualhost configuration.

You can create an improvement request in HST if you like.

Regards, Ard

>
> -----Original Message-----
> From: hippo-cms7-user-bounces at lists.onehippo.org [mailto:hippo-cms7-user-bounces at lists.onehippo.org] On Behalf Of Woonsan Ko
> Sent: woensdag 12 december 2012 15:24
> To: Hippo CMS 7 implementation list
> Subject: Re: [Hippo-cms7-user] doAction, PRG and HTTPS
>
> Hi Wouter,
>
> By default, ActionValve tries to generate an absolute URL for redirection after processing the action phase. ActionValve has an option to use the relative path instead.
> For example, you can redefine the action valve with the property, "alwaysRedirectLocationToAbsoluteUrl", like this:
>
>    <bean id="actionValve" parent="abstractValve" class="org.hippoecm.hst.core.container.ActionValve">
>      <property name="alwaysRedirectLocationToAbsoluteUrl" value="false" />
>    </bean>
>
> If you choose the option with relative path redirection, the redirect path will contain the servlet context path (e.g., '/site'), so you'll probably need to configure the proxy configuration with more options between httpd and tomcat.
>
> If you are using https directly to tomcat, then I think there's one thing we can improve in ActionValve:
>
>      String absoluteRedirectUrl = requestContext.getVirtualHost().getBaseURL(servletRequest) + location;
>
> Maybe ActionValve could have read the request scheme (http or https) instead of reading the virtual host configuration.
>
> Regards,
>
> Woonsan
>
>
> On 12/12/12 5:21 AM, Wouter Danes wrote:
>> Hi all,
>>
>> I have a page on HTTPS and I use a doAction to add an object.
>>
>> After that, the originating page is rendered again.
>>
>> Now, Hippo appears to do the following:
>>
>> -Post the request over HTTPS
>>
>> -Redirect to a Get over HTTP
>>
>> -Then my site says "Hey, I should be on HTTPS, let's redirect to HTTPS".
>>
>> I would expect a redirect without a protocol or over HTTPS when the
>> initial POST is over HTTPS, is this possible?
>>
>> Met vriendelijke groet / Yours sincerely,
>>
>> ---
>>
>> Wouter Danes
>>
>> Competence Manager Hippo / Java / Alfresco
>>
>> Hinttech
>>
>> T: +31 6 1158 8264
>>
>> E: wouter.danes at hinttech.com <mailto:wouter.danes at hinttech.com>
>>
>> @wouterdanes
>>
>>
>>
>> _______________________________________________
>> Hippo-cms7-user mailing list and forums
>> http://www.onehippo.org/cms7/support/forums.html
>>
>
>
> --
> w.ko at onehippo.com     www.onehippo.com
> Boston - 1 Broadway, Cambridge, MA 02142 Amsterdam - Oosteinde 11, 1017 WT Amsterdam US +1 877 414 4776 (toll free) Europe +31(0)20 522 4466



-- 
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
Boston - 1 Broadway, Cambridge, MA 02142

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com
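
The scheme check discussed in this thread, as an added example that is not part of the original messages or of HST's code: it honours X-Forwarded-Proto only when the connection comes from a known proxy, because the header is otherwise client-supplied. The class name, the TRUSTED_PROXIES addresses and the host name are assumptions constructed for illustration.

```java
import java.util.Locale;
import java.util.Set;

// Added example (not HST code): choose the scheme for the post-action redirect URL.
public class RedirectScheme {

    // Assumption: addresses of the reverse proxies that terminate TLS (constructed values).
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "127.0.0.1");

    // In a servlet the arguments would come from request.getScheme(),
    // request.getRemoteAddr() and request.getHeader("X-Forwarded-Proto").
    static String effectiveScheme(String requestScheme, String remoteAddr, String forwardedProto) {
        // A TLS connection made directly to the container is authoritative.
        if ("https".equalsIgnoreCase(requestScheme)) {
            return "https";
        }
        // Any client can send the header, so honour it only when the
        // immediate peer is one of our own proxies.
        if (forwardedProto != null && remoteAddr != null && TRUSTED_PROXIES.contains(remoteAddr)) {
            // Assumption: with chained proxies the header may be a comma-separated
            // list whose first entry describes the client-facing hop.
            String first = forwardedProto.split(",", 2)[0].trim().toLowerCase(Locale.ROOT);
            if (first.equals("https") || first.equals("http")) {
                return first;
            }
        }
        return "http";
    }

    // Same shape as the absolute redirect URL in the thread: base URL + location.
    static String redirectUrl(String scheme, String host, String location) {
        return scheme + "://" + host + location;
    }

    public static void main(String[] args) {
        // Constructed cases: {request scheme, peer address, X-Forwarded-Proto}
        String[][] cases = {
            {"https", "203.0.113.7", null},          // TLS straight to the container
            {"http",  "10.0.0.5",    "https"},       // TLS terminated at a trusted proxy
            {"http",  "203.0.113.7", "https"},       // header from an unknown peer is ignored
            {"http",  "10.0.0.5",    "HTTPS, http"}, // list form from chained proxies
        };
        for (String[] c : cases) {
            String scheme = effectiveScheme(c[0], c[1], c[2]);
            System.out.println(redirectUrl(scheme, "www.example.org", "/site/home"));
        }
    }
}
```

The proxy in front of the container should also overwrite any X-Forwarded-Proto value it receives from clients rather than pass it through.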

