SX Spring Security Extension: SES-39

Metadata displays incorrect URL for proxied requests

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: saml-1.0.0
    • Fix Version/s: saml-1.0.0.RC1
    • Component/s: saml
    • Labels:
      None

      Description

      We're accessing our application via a reverse-proxy (Pound) and running within a Jetty container. It appears that the Jetty code is returning the correct value for HttpServletRequest.getScheme() but not for HttpServletRequest.isSecure(). The MetadataGenerator class uses two separate ways of generating URLs that are nearly identical except for the case that getServerUrl() uses HttpServletRequest.isSecure() to determine the scheme to use while getEntityID() uses HttpServletRequest.getScheme(). As a result, we have metadata with a correct entity ID but incorrect location URLs. I'd like to propose that HttpServletRequest.getScheme() be used in both cases to retrieve the scheme to use. Perhaps I'm missing a nuance regarding why different approaches were used in each case but I'm hoping not.

      I'm providing a patch with this change but I believe a better solution might be to use common code in both cases. So perhaps a method like this:

      private String buildUrl(HttpServletRequest request) {
          StringBuilder url = new StringBuilder();
          url.append(request.getScheme()).append("://");
          url.append(request.getServerName()).append(":").append(request.getServerPort());
          url.append(request.getContextPath());
          return url.toString();
      }
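      To make the divergence described above concrete, the following is an added example (not code from this issue or from the Spring Security SAML extension) that runs an isSecure()-based builder and the proposed getScheme()-based builder against a constructed request emulating Jetty behind a TLS-terminating proxy; the host name, port and context path are made up, and the javax.servlet API is assumed to be on the classpath.

```java
import java.lang.reflect.Proxy;
import javax.servlet.http.HttpServletRequest;

public class MetadataUrlCheck {

    // Scheme taken from isSecure(): behind a TLS-terminating proxy Jetty reports
    // false here, so location URLs are emitted with the wrong scheme (the bug).
    static String urlFromIsSecure(HttpServletRequest request) {
        String scheme = request.isSecure() ? "https" : "http";
        return scheme + "://" + request.getServerName() + ":" + request.getServerPort()
                + request.getContextPath();
    }

    // Scheme taken from getScheme(): the single shared builder proposed in the issue.
    static String buildUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder();
        url.append(request.getScheme()).append("://");
        url.append(request.getServerName()).append(":").append(request.getServerPort());
        url.append(request.getContextPath());
        return url.toString();
    }

    // Constructed stand-in for the request the container hands the application when
    // the proxy has terminated TLS: getScheme() says "https" but isSecure() is false.
    static HttpServletRequest proxiedRequest() {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class },
                (proxy, method, args) -> {
                    switch (method.getName()) {
                        case "getScheme":      return "https";
                        case "isSecure":       return Boolean.FALSE;
                        case "getServerName":  return "sp.example.org"; // constructed host
                        case "getServerPort":  return Integer.valueOf(443);
                        case "getContextPath": return "/saml";          // constructed path
                        default: throw new UnsupportedOperationException(method.getName());
                    }
                });
    }

    public static void main(String[] args) {
        HttpServletRequest request = proxiedRequest();
        String locationUrl = urlFromIsSecure(request); // what getServerUrl() style code yields
        String entityId = buildUrl(request);           // what getEntityID() style code yields
        System.out.println("isSecure-based location URL: " + locationUrl);
        System.out.println("getScheme-based entity ID  : " + entityId);
        // Metadata is only self-consistent when both values come from the same builder.
        if (!locationUrl.equals(entityId)) {
            System.out.println("mismatch: entity ID and location URLs disagree on scheme");
        }
    }
}
```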

      People

      • Assignee: vsch Vladimir Schäfer
      • Reporter: robmoore Rob Moore