Uploaded image for project: 'SX Spring Security Extension'
  1. SX Spring Security Extension
  2. SES-39

Metadata displays incorrect URL for proxied requests


    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: saml-1.0.0
    • Fix Version/s: saml-1.0.0.RC1
    • Component/s: saml
    • Labels:


      We're accessing our application via a reverse-proxy (Pound) and running within a Jetty container. It appears that the Jetty code is returning the correct value for HttpServletRequest.getScheme() but not for HttpServletRequest.isSecure(). The MetadataGenerator class uses two separate ways of generating URLs that are nearly identical except for the case that getServerUrl() uses HttpServletRequest.isSecure() to determine the scheme to use while getEntityID() uses HttpServletRequest.getScheme(). As a result, we have metadata with a correct entity ID but incorrect location URLs. I'd like to propose that HttpServletRequest.getScheme() be used in both cases to retrieve the scheme to use. Perhaps I'm missing a nuance regarding why different approaches were used in each case but I'm hoping not.

      I'm providing a patch with this change but I believe a better solution might be to use common code in both cases. So perhaps a method like this:

      private String buildUrl(HttpServletRequest request)

      { StringBuilder url = new StringBuilder(); url.append(request.getScheme()).append("://"); url.append(request.getServerName()).append(":").append(request.getServerPort()); url.append(request.getContextPath()); return url.toString(); }




            • Assignee:
              vsch Vladimir Schäfer
              robmoore Rob Moore
            • Votes:
              0 Vote for this issue
              0 Start watching this issue


              • Created: