Bug 57856

Summary: RemoteIpFilter does not replace Request within Response
Product: Tomcat 8 Reporter: James <james+apache>
Component: ConnectorsAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: major    
Priority: P2    
Version: 8.0.x-trunk   
Target Milestone: ----   
Hardware: PC   
OS: All   

Description James 2015-04-24 15:02:15 UTC 
I've noticed an issue with the org.apache.catalina.connector.Response where the toAbsolute method called during a relative redirect is generating the wrong absolute uri.

If you enable the org.apache.catalina.filters.RemoteIpFilter to allow an upstream proxy to control whether the server is available over HTTP/HTTPS by setting an header such as "X-Forwarded-Proto", this state is not replicated within the Response.

Therefore, when the uri is generated, the scheme is not replaced with the value that is actually available within the Request so it will generate for HTTP scheme only.

I believe the RemoteIpFilter should also implement a wrapper for the Response on the sendRedirect method to correctly generate the URI.
Comment 1 Mark Thomas 2015-04-27 13:56:20 UTC 
Looking at the code, there will be a similar problem for ports.

There doesn't appear to be an easy/obvious way to fix this as the current sendRedirect() implementation makes extensive use of Tomcat internals. I'm currently looking at various options.
Comment 2 Mark Thomas 2015-04-27 20:33:27 UTC 
I found a reasonably simple way to fix this. It isn't as clean as I would like but it should work with any app server and didn't require a large duplication of code or equivalent refactoring.

The fix has been applied to trunk (for 9.0.x), 8.0.x/trunk (for 8.0.22 onwards) and 7.0.x (for 7.0.62 onwards).

Thanks for the report and enjoy the fix.