Bug 57856 - RemoteIpFilter does not replace Request within Response
RemoteIpFilter does not replace Request within Response
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
PC All
: P2 major (vote)
: ----
Assigned To: Tomcat Developers Mailing List
Depends on:
  Show dependency tree
Reported: 2015-04-24 15:02 UTC by James
Modified: 2015-04-27 20:33 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description James 2015-04-24 15:02:15 UTC
I've noticed an issue with the org.apache.catalina.connector.Response where the toAbsolute method called during a relative redirect is generating the wrong absolute uri.

If you enable the org.apache.catalina.filters.RemoteIpFilter to allow an upstream proxy to control whether the server is available over HTTP/HTTPS by setting an header such as "X-Forwarded-Proto", this state is not replicated within the Response.

Therefore, when the uri is generated, the scheme is not replaced with the value that is actually available within the Request so it will generate for HTTP scheme only.

I believe the RemoteIpFilter should also implement a wrapper for the Response on the sendRedirect method to correctly generate the URI.
Comment 1 Mark Thomas 2015-04-27 13:56:20 UTC
Looking at the code, there will be a similar problem for ports.

There doesn't appear to be an easy/obvious way to fix this as the current sendRedirect() implementation makes extensive use of Tomcat internals. I'm currently looking at various options.
Comment 2 Mark Thomas 2015-04-27 20:33:27 UTC
I found a reasonably simple way to fix this. It isn't as clean as I would like but it should work with any app server and didn't require a large duplication of code or equivalent refactoring.

The fix has been applied to trunk (for 9.0.x), 8.0.x/trunk (for 8.0.22 onwards) and 7.0.x (for 7.0.62 onwards).

Thanks for the report and enjoy the fix.