Bug 43613 - SslRedirectAction produces a "redirect" loop
Summary: SslRedirectAction produces a "redirect" loop
Status: NEW
Alias: None
Product: Lenya
Classification: Unclassified
Component: Miscellaneous
Version: 2.0
Hardware: Other other
Importance: P2 normal
Target Milestone: 2.0.1
Assignee: Lenya Developers
Reported: 2007-10-12 08:50 UTC by jann forrer
Modified: 2008-02-28 08:12 UTC

Description jann forrer 2007-10-12 08:50:24 UTC
Assume the following proxy settings:

<proxy area="live" ssl="true" url="https://www.example.org"/>
<proxy area="live" ssl="false" url="http://www.example.org"/>

A request for http://www.example.org/secure.html (where secure is SSL
protected) is redirected to https://www.example.org/secure.html. This request
is again redirected to https://www.example.org/secure.html by the
SslRedirectAction, and so on ...

I checked in a fix: 
Index: SslRedirectAction.java
===================================================================
--- SslRedirectAction.java      (revision 584054)
+++ SslRedirectAction.java      (working copy)
@@ -74,7 +74,7 @@
                 PolicyManager policyManager = accessController.getPolicyManager();
                 Policy policy =
policyManager.getPolicy(accessController.getAccreditableManager(),
                         url);
-                if (policy.isSSLProtected()) {
+                if (policy.isSSLProtected() &&
!request.getScheme().equals("https")) {
                     Session session = RepositoryUtil.getSession(this.manager,
request);
                     LinkRewriter rewriter = new
OutgoingLinkRewriter(this.manager, session, url,
                             false, true, false);
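
Review bot: The added condition `!request.getScheme().equals("https")` hard-codes a scheme string where the container's own flag would be less fragile; `!request.isSecure()` states the same intent without the literal. Either form only reflects the connection that actually reaches the servlet container, so when a front-end server terminates TLS and forwards over plain HTTP the condition stays true for every SSL-protected policy and the redirect repeats. A short comment above the `if` stating that the guard exists to avoid re-redirecting requests that already arrived over HTTPS, and that it depends on the container seeing HTTPS, would document that deployment requirement.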

assuming that if the scheme is already https there is no need to redirect again.
 Maybe someone has a better solution for that problem. 

BTW I am not sure what happens if we use mod_proxy on a frontend apache server
which does not redirect to tomcat using https??
Comment 1 Andreas Hartmann 2007-10-26 06:07:57 UTC
(In reply to comment #0)

> +                if (policy.isSSLProtected() &&
> !request.getScheme().equals("https")) {

Maybe we could use request.isSecure()?

> BTW I am not sure what happens if we use mod_proxy on a frontend apache server
> which does not redirect to tomcat using https??

I guess then the redirect will fail. It should work with mod_proxy_ajp though.
I'll give it a try.
Comment 2 Andreas Hartmann 2007-10-26 06:09:54 UTC
(In reply to comment #1)
> (In reply to comment #0)

> > BTW I am not sure what happens if we use mod_proxy on a frontend apache server
> > which does not redirect to tomcat using https??
> 
> I guess then the redirect will fail.

That was bad wording, what I meant was that Lenya won't be informed that the
https protocol is used, and the redirect won't be issued. A workaround might be
to use an "isSecure" session attribute or something like that.

Comment 3 Andreas Hartmann 2007-10-26 06:40:37 UTC
(In reply to comment #1)
> (In reply to comment #0)
> 
> > +                if (policy.isSSLProtected() &&
> > !request.getScheme().equals("https")) {
> 
> Maybe we could use request.isSecure()?

Done, it works with mod_proxy_ajp.

Can we close this issue?
Comment 4 jann forrer 2007-10-26 07:17:43 UTC
If you want to use mod_proxy instead, then you have to proxy via https like:

 ProxyRequests Off
 RewriteEngine On
 SSLProxyEngine On
 .....
 .....
 RewriteRule  ^/(.*) https://localhost:8443/lenya/unitemplate/live/$1  [P]
 ProxyPassReverse  / https://localhost:8443/

BTW a session attribute is not enough. That works only the first time a user
tries to access an ssl-page. If he tries to access another ssl-page via http the
session attribute is set and he could access the site via http :-(

Shall we leave the bug open until we have the documentation ready?
Comment 5 Andreas Hartmann 2007-10-26 07:36:12 UTC
(In reply to comment #4)
> If you want to use mod_proxy instead, then you have to proxy via https like:
> 
>  ProxyRequests Off
>  RewriteEngine On
>  SSLProxyEngine On
>  .....
>  .....
>  RewriteRule  ^/(.*) https://localhost:8443/lenya/unitemplate/live/$1  [P]
>  ProxyPassReverse  / https://localhost:8443/
> 
> BTW a session attribute is not enough. That works only the first time a user
> tries to access an ssl-page. If he tries to access another ssl-page via http the
> session attribute is set and he could access the site via http :-(

You're right, this wouldn't help. Is there any way to achieve this behaviour
with plain mod_proxy?

> Shall we leave the bug open until we have the documentation ready?

Sure. Would you mind taking a look at the docs and updating them if necessary?
http://lenya.zones.apache.org/docu/docs/2_0_x/tutorials/proxy/proxy.html
Maybe we can do this together in Freiburg.
Comment 6 jann forrer 2007-10-26 07:46:16 UTC
As far as I know you have to proxy to https as described in my last comment and
set: SSLProxyEngine On

I did not find another solution.

We can update the docu in Freiburg or I will do it after the meeting and then close
the bug.
Comment 7 Andreas Hartmann 2008-01-28 09:21:52 UTC
Jann, is there any news about this issue?
Comment 8 jann forrer 2008-01-29 02:25:50 UTC
Forgot that bug :-(
I will update the docu after Thursday. As I said, the only solution I see at the
moment is to proxy to https for secure connections. You have to be aware of
this if you set up your system (which is not that nice).
Comment 9 jann forrer 2008-02-28 08:12:03 UTC
if (policy.isSSLProtected() && !request.isSecure()) {
     Session session = request.getSession(true);
     ....

works at least for 1.2. That means no redirect loops if using mod_proxy but you have to proxy to https! 

I still need to update the docu. 

Jann
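
Added example, not part of the original thread or Lenya's code: a small Java model of the guard from comment 9, showing that the loop ends only when the servlet container can see that the request was secure, and why the session flag discussed in comments 2 and 4 lets a later plain-http request through. The class, enum and method names and the session-flag logic are assumptions made for illustration.

```java
import java.util.HashSet;
import java.util.Set;

// Added illustration, not Lenya code: models only the redirect decision.
public class SslRedirectModel {

    // How a client's HTTPS request reaches the servlet container (constructed cases).
    enum Hop {
        MOD_PROXY_AJP(true),      // comment 3: works with mod_proxy_ajp
        MOD_PROXY_TO_HTTPS(true), // comment 4: proxy to https://localhost:8443
        MOD_PROXY_TO_HTTP(false); // front end terminates TLS, backend hop is plain HTTP

        final boolean keepsSecureFlag;
        Hop(boolean keepsSecureFlag) { this.keepsSecureFlag = keepsSecureFlag; }
    }

    // The guard from comment 9: policy.isSSLProtected() && !request.isSecure()
    static boolean needsRedirect(boolean sslProtected, boolean isSecure) {
        return sslProtected && !isSecure;
    }

    // A client starts on http and follows every redirect to https.
    // Returns the number of redirects before the page is served, or -1 for a loop.
    static int redirectsUntilServed(Hop hop, int limit) {
        boolean clientOnHttps = false;
        for (int n = 0; n <= limit; n++) {
            boolean isSecure = clientOnHttps && hop.keepsSecureFlag;
            if (!needsRedirect(true, isSecure)) return n;
            clientOnHttps = true; // the client follows the redirect to https
        }
        return -1;
    }

    // Hypothetical session-attribute variant: skip the redirect once the flag is set.
    // Returns true when an SSL-protected page is served to a plain-http request.
    static boolean servedOverHttp(Set<String> session, boolean clientOnHttps) {
        boolean skip = session.contains("isSecure");
        session.add("isSecure"); // set when the first redirect is issued
        return skip && !clientOnHttps;
    }

    public static void main(String[] args) {
        for (Hop hop : Hop.values())
            System.out.println(hop + " -> " + redirectsUntilServed(hop, 10));
        Set<String> session = new HashSet<>();
        System.out.println("first http request served: " + servedOverHttp(session, false));
        System.out.println("later http request served: " + servedOverHttp(session, false));
    }
}
```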