doAction, PRG and HTTPS

doAction, PRG and HTTPS

Wouter Danes-2

Hi all,

I have a page on HTTPS and I use a doAction to add an object.

After that, the originating page is rendered again.

Now, Hippo appears to do the following:

- Post the request over HTTPS
- Redirect to a Get over HTTP
- Then my site says “Hey, I should be on HTTPS, let’s redirect to HTTPS”.

I would expect a redirect without a protocol or over HTTPS when the initial POST is over HTTPS, is this possible?

Met vriendelijke groet / Yours sincerely,

---
Wouter Danes
Competence Manager Hippo / Java / Alfresco
Hinttech

T: +31 6 1158 8264
E: [hidden email]
@wouterdanes

_______________________________________________
Hippo-cms7-user mailing list and forums
http://www.onehippo.org/cms7/support/forums.html

Re: doAction, PRG and HTTPS

Woonsan Ko-3
Hi Wouter,

By default, ActionValve tries to generate an absolute URL for
redirection after processing the action phase. ActionValve has an option
to use the relative path instead.
For example, you can redefine the action valve with the property,
"alwaysRedirectLocationToAbsoluteUrl", like this:

   <bean id="actionValve" parent="abstractValve"
         class="org.hippoecm.hst.core.container.ActionValve">
     <property name="alwaysRedirectLocationToAbsoluteUrl" value="false" />
   </bean>

If you choose the option with relative path redirection, the redirect
path will contain the servlet context path (e.g., '/site'), so you'll
probably need to configure the proxy configuration with more options
between httpd and tomcat.

If you are using https directly to tomcat, then I think there's one
thing we can improve in ActionValve:

     String absoluteRedirectUrl =
         requestContext.getVirtualHost().getBaseURL(servletRequest) + location;

Maybe ActionValve could have read the request scheme (http or https)
instead of reading the virtual host configuration.

Regards,

Woonsan


--
[hidden email]     www.onehippo.com
Boston - 1 Broadway, Cambridge, MA 02142
Amsterdam - Oosteinde 11, 1017 WT Amsterdam
US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466

Re: doAction, PRG and HTTPS

Wouter Danes-2
Hi Woonsan,

Yes, actually. ActionValve could create a protocol-less URL, f.ex
//home, instead of http://home. That'll work too and default to the protocol that was used to do the get.
If you want to look at the scheme, you should also look at the x-forwarded-proto http header. Proxies set that to https when it's a https request.

Something like this:
    private boolean isSecureRequest(HttpServletRequest request) {
        String scheme = request.getScheme();
        String forwardedProtocol = request.getHeader("X-Forwarded-Proto");
        return "https".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(forwardedProtocol);
    }

_______________________________________________
Hippo-cms7-user mailing list and forums
http://www.onehippo.org/cms7/support/forums.html
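
The scheme lookup discussed in this thread, as an added example that is not part of the original posts and is not Hippo/HST code: it honours X-Forwarded-Proto only when the request arrives from a known reverse proxy, because a client that can reach the container directly can set that header itself. The class name, the trusted-proxy list, the configured host and the sample addresses are assumptions; the three request inputs correspond to request.getScheme(), request.getHeader("X-Forwarded-Proto") and request.getRemoteAddr().

```java
import java.util.Set;

/**
 * Added example (hypothetical helper, not Hippo/HST code): choose the scheme
 * for the redirect that follows a POST in a post/redirect/get flow.
 */
public class RedirectSchemeResolver {

    // Assumption: the reverse proxies in front of the container have fixed addresses.
    private final Set<String> trustedProxies;

    public RedirectSchemeResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * @param containerScheme value of request.getScheme()
     * @param forwardedProto  value of request.getHeader("X-Forwarded-Proto"), may be null
     * @param remoteAddr      value of request.getRemoteAddr()
     * @return "https" or "http", never a raw header value
     */
    public String resolveScheme(String containerScheme, String forwardedProto, String remoteAddr) {
        // The header is only meaningful when the direct peer is one of our proxies.
        if (forwardedProto != null && trustedProxies.contains(remoteAddr)) {
            String value = forwardedProto.trim();
            if ("https".equalsIgnoreCase(value)) {
                return "https";
            }
            if ("http".equalsIgnoreCase(value)) {
                return "http";
            }
            // Any other content (lists, junk, injected text) is ignored.
        }
        // No usable header: fall back to what the container itself saw.
        return "https".equalsIgnoreCase(containerScheme) ? "https" : "http";
    }

    /**
     * Builds the absolute redirect target. The host comes from configuration
     * (assumption), not from a request header, so only the scheme varies.
     */
    public String redirectUrl(String containerScheme, String forwardedProto, String remoteAddr,
                              String configuredHost, String location) {
        return resolveScheme(containerScheme, forwardedProto, remoteAddr)
                + "://" + configuredHost + location;
    }

    public static void main(String[] args) {
        // Constructed sample values: one proxy address, one documentation-range client address.
        RedirectSchemeResolver resolver = new RedirectSchemeResolver(Set.of("10.0.0.5"));
        String host = "www.example.org";
        String location = "/site/home";

        // TLS terminated at the proxy, plain HTTP between proxy and container.
        System.out.println("proxied https:   "
                + resolver.redirectUrl("http", "https", "10.0.0.5", host, location));

        // Client connects to the container directly over HTTP and sets the header itself.
        System.out.println("spoofed header:  "
                + resolver.redirectUrl("http", "https", "203.0.113.7", host, location));

        // HTTPS straight to the container, no proxy header present.
        System.out.println("direct https:    "
                + resolver.redirectUrl("https", null, "203.0.113.7", host, location));

        // Trusted proxy sends something that is not a scheme.
        System.out.println("malformed value: "
                + resolver.redirectUrl("http", "https, http", "10.0.0.5", host, location));
    }
}
```

Inside a servlet container the same check fits wherever the base URL for the redirect is assembled, with the proxy addresses taken from deployment configuration.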

Re: doAction, PRG and HTTPS

Ard
On Wed, Dec 12, 2012 at 3:35 PM, Wouter Danes <[hidden email]> wrote:

> Hi Woonsan,
>
> Yes, actually. ActionValve could create a protocol-less URL, f.ex
> //home, instead of http://home. That'll work too and default to the protocol that was used to do the get.
> If you want to look at the scheme, you should also look at the x-forwarded-proto http header. Proxies set that to https when it's a https request.
>
> Something like this:
>     private boolean isSecureRequest(HttpServletRequest request) {
>         String scheme = request.getScheme();
>         String forwardedProtocol = request.getHeader("X-Forwarded-Proto");
>         return "https".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(forwardedProtocol);
>     }

Currently, the absolute URL is created by getting the scheme from the
virtualhost configuration and then appending the forwarded host info
from the request (see VirtualHostService#getBaseURL). Seems indeed
better to of course also use the scheme from the request.

Thus replace in VirtualHostService#getBaseURL

String scheme = this.getScheme();

with your code.

If everything is over https, you could now also try to set https on
your virtualhost configuration

You can create an improvement request if you like in HST

Regards Ard

Re: doAction, PRG and HTTPS

Ard
In reply to this post by Woonsan Ko-3
On Wed, Dec 12, 2012 at 3:24 PM, Woonsan Ko <[hidden email]> wrote:

> Hi Wouter,
>
> By default, ActionValve tries to generate an absolute URL for redirection
> after processing the action phase. ActionValve has an option to use the
> relative path instead.
> For example, you can redefine the action valve with the property,
> "alwaysRedirectLocationToAbsoluteUrl", like this:
>
>   <bean id="actionValve" parent="abstractValve"
> class="org.hippoecm.hst.core.container.ActionValve">
>     <property name="alwaysRedirectLocationToAbsoluteUrl" value="false" />
>   </bean>
>
> If you choose the option with relative path redirection, the redirect path
> will contain the servlet context path (e.g., '/site'), so you'll probably
> need to configure the proxy configuration with more options between httpd
> and tomcat.
>
> If you are using https directly to tomcat, then I think there's one thing we
> can improve in ActionVavle:
>
>     String absoluteRedirectUrl =
> requestContext.getVirtualHost().getBaseURL(servletRequest) + location;
>
> Maybe ActionValve could have read the request scheme (http or https) instead
> of reading the virtual host configuration.

Ah sry Woonsan, I just only now see that you also refer to getBaseURL
: I think we could change the getBaseURL impl to return the request
scheme as done by Wouter instead of taking it from the virtualhost
config

WDYT?

Regards Ard

Re: doAction, PRG and HTTPS

Woonsan Ko-3
On 12/12/12 10:38 AM, Ard Schrijvers wrote:

> On Wed, Dec 12, 2012 at 3:24 PM, Woonsan Ko <[hidden email]> wrote:
>> Hi Wouter,
>>
>> By default, ActionValve tries to generate an absolute URL for redirection
>> after processing the action phase. ActionValve has an option to use the
>> relative path instead.
>> For example, you can redefine the action valve with the property,
>> "alwaysRedirectLocationToAbsoluteUrl", like this:
>>
>>    <bean id="actionValve" parent="abstractValve"
>> class="org.hippoecm.hst.core.container.ActionValve">
>>      <property name="alwaysRedirectLocationToAbsoluteUrl" value="false" />
>>    </bean>
>>
>> If you choose the option with relative path redirection, the redirect path
>> will contain the servlet context path (e.g., '/site'), so you'll probably
>> need to configure the proxy configuration with more options between httpd
>> and tomcat.
>>
>> If you are using https directly to tomcat, then I think there's one thing we
>> can improve in ActionVavle:
>>
>>      String absoluteRedirectUrl =
>> requestContext.getVirtualHost().getBaseURL(servletRequest) + location;
>>
>> Maybe ActionValve could have read the request scheme (http or https) instead
>> of reading the virtual host configuration.
>
> Ah sry Woonsan, I just only now see that you also refer to getBaseURL
> : I think we could change the getBaseURL impl to return the request
> scheme as done by Wouter instead of taking it from the virtualhost
> config
>
> WDYT?

+1

Maybe a new method, HstRequestUtils#getRequestScheme(), can be added to
do the trick from the proxy header.

Re: doAction, PRG and HTTPS

Wouter Danes-2
+1 too, although consider the following:

HstRequest already "behaves differently" due to the namespacing of parameters/attributes.
We could make it "transparent" for the "user" and let it return the proxy header value if it exists for HstRequest#getScheme().
You could still get the "real" scheme through HstRequest#getRequestContext().getServletRequest().

Re: doAction, PRG and HTTPS

Woonsan Ko-3
On 12/12/12 10:53 AM, Wouter Danes wrote:
> +1 too, although consider the following:
>
> HstRequest already "behaves differently" due to the namespacing of parameters/attributes.
> We could make it "transparent" for the "user" and let it return the proxy header value if it exists for HstRequest#getScheme().
> You could still get the "real" scheme through HstRequest#getRequestContext().getServletRequest().

There might be a confusion by the name, but HstRequestUtils is mainly a
utility for http servlet request in hst commons, not a utility for
HstRequest only.
And, ActionValve basically deals with http servlet request/response
directly, not hst request/response in a component level. So, I don't
think we have to override HstRequest#getScheme() for this specific need.
It can be another discussion topic though. (And, I'm doubtful about
adding this in HstRequest itself with the proxy specific headers.)

Re: doAction, PRG and HTTPS

Wouter Danes-2
Gotcha, makes sense. :)

Re: doAction, PRG and HTTPS

Paul van der Zandt
In reply to this post by Ard
Make it a +1 for me too. We've been struggling with the same issue.

Paul.

Re: doAction, PRG and HTTPS

Ard
In reply to this post by Woonsan Ko-3
On Wed, Dec 12, 2012 at 4:48 PM, Woonsan Ko <[hidden email]> wrote:

> On 12/12/12 10:38 AM, Ard Schrijvers wrote:
>>
>> On Wed, Dec 12, 2012 at 3:24 PM, Woonsan Ko <[hidden email]> wrote:
>>>
>>> Hi Wouter,
>>>
>>> By default, ActionValve tries to generate an absolute URL for redirection
>>> after processing the action phase. ActionValve has an option to use the
>>> relative path instead.
>>> For example, you can redefine the action valve with the property,
>>> "alwaysRedirectLocationToAbsoluteUrl", like this:
>>>
>>>    <bean id="actionValve" parent="abstractValve"
>>> class="org.hippoecm.hst.core.container.ActionValve">
>>>      <property name="alwaysRedirectLocationToAbsoluteUrl" value="false"
>>> />
>>>    </bean>
>>>
>>> If you choose the option with relative path redirection, the redirect
>>> path
>>> will contain the servlet context path (e.g., '/site'), so you'll probably
>>> need to configure the proxy configuration with more options between httpd
>>> and tomcat.
>>>
>>> If you are using https directly to tomcat, then I think there's one thing
>>> we
>>> can improve in ActionVavle:
>>>
>>>      String absoluteRedirectUrl =
>>> requestContext.getVirtualHost().getBaseURL(servletRequest) + location;
>>>
>>> Maybe ActionValve could have read the request scheme (http or https)
>>> instead
>>> of reading the virtual host configuration.
>>
>>
>> Ah sry Woonsan, I just only now see that you also refer to getBaseURL
>> : I think we could change the getBaseURL impl to return the request
>> scheme as done by Wouter instead of taking it from the virtualhost
>> config
>>
>> WDYT?
>
>
> +1
>
> Maybe a new method, HstRequestUtils#getRequestScheme(), can be added to do
> the trick from the proxy header.

Yes exactly.

What do others think regarding backwards compatible behavior? I can't
imagine it can ever break if I just replace

 VirtualHostService#getBaseURL the getScheme part with suggestion way
from Wouter Danes.

If no objections, I'll change the method in the 7.8 and 7.7 accordingly

pls let me know

Regards Ard

Re: doAction, PRG and HTTPS

Ard
In reply to this post by Wouter Danes-2
On Wed, Dec 12, 2012 at 3:35 PM, Wouter Danes <[hidden email]> wrote:

> Hi Woonsan,
>
> Yes, actually. ActionValve could create a protocol-less URL, f.ex
> //home, instead of http://home. That'll work too and default to the protocol that was used to do the get.
> If you want to look at the scheme, you should also look at the x-forwarded-proto http header. Proxies set that to https when it's a https request.
>
> Something like this:
>     private boolean isSecureRequest(HttpServletRequest request) {
>         String scheme = request.getScheme();
>         String forwardedProtocol = request.getHeader("X-Forwarded-Proto");
>         return "https".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(forwardedProtocol);

I did not test it yet, but it seems to me you should get
request.getHeader("X-Forwarded-Scheme"); Protocol is something like
HTTP/1.1

Furthermore, I don't think request.getScheme() makes much sense to
use because it is most of the time just the request the application
gets from something like httpd, which doesn't say anything about the
scheme the visitor is using. Only when the "X-Forwarded-Scheme" is
missing (HTTP/1.0) I think we could fall back to request.getScheme();

Also see [1] which I created for this

Regards Ard

[1] https://issues.onehippo.com/browse/HSTTWO-2399

>     }

Re: doAction, PRG and HTTPS

Woonsan Ko-3
On 12/12/12 3:31 PM, Ard Schrijvers wrote:
> I did not test it yet, but it seems to me you should get
> request.getHeader("X-Forwarded-Scheme"); Protocol is something like
> HTTP/1.1
>

It seems that the header value is either 'http' or 'https' according to
the following:

- http://technosophos.com/content/rewriting-urls-x-forwarded-proto-and-reverse-proxies
- http://pythonpaste.org/wsgiproxy/

And, the header name seems to be either 'X-Forward-Scheme' or
'X-Forward-Proto' or 'X-Forward_Proto'.
Does someone have a good reference for the headers?

Regards,

Woonsan

Re: doAction, PRG and HTTPS

Wouter Danes-2
AFAIK, X-Forwarded-Proto is pretty much the de facto standard for this header.

Re: doAction, PRG and HTTPS

Ard


On 12 Dec 2012 21:56, "Wouter Danes" <[hidden email]> wrote:
>
> AFAIK, X-Forwarded-Proto is pretty much the defacto standard for this header.

That surprises me as proto does make me think of the protocol and we need the scheme. Either way, let's just test it and see ..

Re: doAction, PRG and HTTPS

Ard
Hello,

I tried to implement https://issues.onehippo.com/browse/HSTTWO-2399
but I think custom httpd rules are needed to actually set the
X-Forwarded-Proto, aren't they? I ran the website behind httpd, but all of
the calls below return null. Am I missing something? Should it be
explicitly added to the httpd virtualhost config?

I can always fall back on request.getScheme() of course, but it would be
nice if by default I could get the scheme of the original request
somehow. Anybody?

Regards Ard

        request.getHeader("X-Forwarded-Proto");
        request.getHeader("X-Forwarded-Scheme");
        request.getHeader("Scheme");
        request.getHeader("scheme");
        request.getScheme();

Re: doAction, PRG and HTTPS

Woonsan Ko-3
On 2/13/13 10:33 AM, Ard Schrijvers wrote:
> I tried to implement https://issues.onehippo.com/browse/HSTTWO-2399
> but I think there are needed custom httpd rules to actually set the
> X-Forwarded-Proto, isn't? I ran the website behind httpd, but all of
> the calls below return null. Am I missing something? Should it be
> explicitly added to httpd virtualhost config?

http://jbossadmin.blogspot.com/2011/03/setup-x-forwarded-proto-in-apache.html

Re: doAction, PRG and HTTPS

b.vanderschans@onehippo.com
In reply to this post by Ard
On Wed, Feb 13, 2013 at 4:33 PM, Ard Schrijvers <[hidden email]> wrote:
> Hello,
>
> I tried to implement https://issues.onehippo.com/browse/HSTTWO-2399
> but I think there are needed custom httpd rules to actually set the
> X-Forwarded-Proto, isn't? I ran the website behind httpd, but all of
> the calls below return null. Am I missing something? Should it be
> explicitly added to httpd virtualhost config?
>
> I can always fallback on request.getScheme() of course, but would be
> nice if by default I could get the scheme of the original request
> somehow. Any body?
>
> Regards Ard
>
>         request.getHeader("X-Forwarded-Proto");
>         request.getHeader("X-Forwarded-Scheme");

These are quite common to use. You do need to set them of course in your reverse proxy/ssl offloader. It's important that you can configure which header is used, but these two make for a good default setting.

>         request.getHeader("Scheme");
>         request.getHeader("scheme");

You always need to set the "X-" prefix for custom headers. So these are not valid.

>         request.getScheme();

I'm not sure what magic containers use to get the right value for this property. It might be just on or off for a webapp which is too coarse grained.

Regards,
Bart
 

Re: doAction, PRG and HTTPS

Bartosz Oudekerk
Administrator
In reply to this post by Ard
On 13/02/13 16:33, Ard Schrijvers wrote:

> Hello,
>
> I tried to implement https://issues.onehippo.com/browse/HSTTWO-2399
> but I think there are needed custom httpd rules to actually set the
> X-Forwarded-Proto, isn't? I ran the website behind httpd, but all of
> the calls below return null. Am I missing something? Should it be
> explicitly added to httpd virtualhost config?
>
> I can always fallback on request.getScheme() of course, but would be
> nice if by default I could get the scheme of the original request
> somehow. Any body?

Apache HTTPD doesn't set them by default, so if you use Apache
HTTPD to offload your SSL:

   # Add header
   RequestHeader set X-SSL-Enabled On
   RequestHeader set X-Forwarded-Proto https

Kind regards,
Bartosz
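
The scheme resolution discussed in this thread (use X-Forwarded-Proto when the SSL-offloading proxy sets it, otherwise fall back to request.getScheme()), written out as an added example; it is not part of the original posts and not the HST implementation. The class and method names, the trusted proxy address and the host name are assumptions, and the three string arguments stand for request.getScheme(), request.getHeader("X-Forwarded-Proto") and request.getRemoteAddr().

```java
import java.util.Locale;
import java.util.Set;

// Added example: hypothetical helper, not HST code.
public class ForwardedSchemeExample {

    // Assumption: address from which the SSL-offloading httpd connects to Tomcat.
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1");

    /**
     * Returns the scheme the visitor used.
     * containerScheme = request.getScheme()
     * forwardedProto  = request.getHeader("X-Forwarded-Proto"), null if the proxy does not set it
     * remoteAddr      = request.getRemoteAddr()
     */
    static String resolveScheme(String containerScheme, String forwardedProto, String remoteAddr) {
        // Only a known proxy may override the scheme; a header arriving from
        // any other peer is client-controlled and is ignored.
        if (forwardedProto != null && TRUSTED_PROXIES.contains(remoteAddr)) {
            String value = forwardedProto.trim().toLowerCase(Locale.ROOT);
            // Accept exactly "http" or "https". Anything else, such as a
            // protocol string like "HTTP/1.1", falls through to the fallback.
            if (value.equals("http") || value.equals("https")) {
                return value;
            }
        }
        return containerScheme;
    }

    // Builds the absolute Location for the redirect after the action phase.
    static String redirectUrl(String scheme, String host, String location) {
        return scheme + "://" + host + location;
    }

    public static void main(String[] args) {
        // Constructed samples: {getScheme(), X-Forwarded-Proto, getRemoteAddr()}
        String[][] samples = {
            {"http", "https", "127.0.0.1"},      // httpd offloads SSL and sets the header
            {"http", null, "127.0.0.1"},         // httpd does not set the header
            {"http", "HTTP/1.1", "127.0.0.1"},   // not a scheme value
            {"http", "https", "203.0.113.7"},    // header from a peer that is not the proxy
            {"https", null, "203.0.113.7"},      // HTTPS terminated by Tomcat itself
        };
        for (String[] s : samples) {
            String scheme = resolveScheme(s[0], s[1], s[2]);
            System.out.println(redirectUrl(scheme, "www.example.org", "/site/home"));
        }
    }
}
```

With `RequestHeader set` as in the post above, httpd replaces any X-Forwarded-Proto value the client sent, which is what makes the header usable when the request arrives from the proxy address.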

Re: doAction, PRG and HTTPS

Wouter Danes-2
In reply to this post by b.vanderschans@onehippo.com

Nothing to add to what Bartosz said.

 
