  1. SX Spring Security Extension
  2. SES-39

Metadata displays incorrect URL for proxied requests

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: saml-1.0.0
    • Fix Version/s: saml-1.0.0.RC1
    • Component/s: saml
    • Labels:
      None

      Description

      We're accessing our application via a reverse-proxy (Pound) and running within a Jetty container. It appears that the Jetty code is returning the correct value for HttpServletRequest.getScheme() but not for HttpServletRequest.isSecure(). The MetadataGenerator class uses two separate ways of generating URLs that are nearly identical except for the case that getServerUrl() uses HttpServletRequest.isSecure() to determine the scheme to use while getEntityID() uses HttpServletRequest.getScheme(). As a result, we have metadata with a correct entity ID but incorrect location URLs. I'd like to propose that HttpServletRequest.getScheme() be used in both cases to retrieve the scheme to use. Perhaps I'm missing a nuance regarding why different approaches were used in each case but I'm hoping not.

      I'm providing a patch with this change but I believe a better solution might be to use common code in both cases. So perhaps a method like this:

      private String buildUrl(HttpServletRequest request) {
          StringBuilder url = new StringBuilder();
          url.append(request.getScheme()).append("://");
          url.append(request.getServerName()).append(":").append(request.getServerPort());
          url.append(request.getContextPath());
          return url.toString();
      }

        Activity

        vsch Vladimir Schäfer added a comment -

        The getServerURL() method is now constructing the link using a call to getEntityID() and appending a URL suffix. The inconsistencies in the generated entityIDs and URLs should thus be fixed.

        robmoore Rob Moore added a comment -

        Thanks, Vladimir!

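The mismatch reported in this issue and the effect of the fix, as an added example that is not the project's code and not part of any comment above. The `Req` interface is a hypothetical stand-in for the `HttpServletRequest` getters named in the report, the entity ID is modelled as the bare base URL, and the host name and the `/saml/SSO` suffix are placeholders. The `consistent` check can be run over any generated entity ID and location URLs.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.List;

public class MetadataUrlCheck {
    // Hypothetical stand-in for the HttpServletRequest getters named in the report.
    interface Req {
        String getScheme(); boolean isSecure(); String getServerName();
        int getServerPort(); String getContextPath();
    }
    static String authorityAndPath(Req r) {
        return "://" + r.getServerName() + ":" + r.getServerPort() + r.getContextPath();
    }
    // Entity ID: scheme taken from getScheme(), as the report describes.
    static String entityId(Req r) { return r.getScheme() + authorityAndPath(r); }

    // Reported behaviour: the scheme for location URLs comes from isSecure().
    static String serverUrlBefore(Req r, String suffix) {
        return (r.isSecure() ? "https" : "http") + authorityAndPath(r) + suffix;
    }
    // After the fix: the location URL is the entity ID plus a suffix.
    static String serverUrlAfter(Req r, String suffix) { return entityId(r) + suffix; }

    // Check: each location URL shares the entity ID's scheme and authority.
    static boolean consistent(String entityId, List<String> locations) {
        URI id = URI.create(entityId);
        for (String location : locations) {
            URI u = URI.create(location);
            if (!id.getScheme().equals(u.getScheme())
                    || !id.getAuthority().equals(u.getAuthority())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed request: getScheme() says https while isSecure() is false.
        Req r = new Req() {
            public String getScheme() { return "https"; }
            public boolean isSecure() { return false; }
            public String getServerName() { return "sp.example.org"; }
            public int getServerPort() { return 443; }
            public String getContextPath() { return "/app"; }
        };
        String id = entityId(r), suffix = "/saml/SSO"; // suffix is a placeholder
        for (String url : Arrays.asList(serverUrlBefore(r, suffix), serverUrlAfter(r, suffix)))
            System.out.println(url + " consistent=" + consistent(id, Arrays.asList(url)));
    }
}
```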

          People

          • Assignee:
            vsch Vladimir Schäfer
            Reporter:
            robmoore Rob Moore