1. Sebastian Sebastian
  2. scm-manager
  3. Issues


Issue #379 wontfix

Improving BaseUrlFilter for http/https

mastah naleh
created an issue

Currently if you are using the application on a tomcat server (for example) and a reverse proxy, and if the reverse proxy is providing https, the 'force base url' directive misleads you.

To be more specific : tomcat is in http providing service via reverse proxy is in https only providing service via https://svn.example.com. If 'Force base Url' is set for https://svn.example.com instead of http://svn.example.com you'll get stuck in a loop of redirection. The application will try to redirect you to https://svn.example.com.

The reason why is because the directive in BaseUrlFilter.java is comparing the configured baseUrl to the request url. Sadly since tomcat is started in HTTP (in not HTTPS) the request url will look like http://svn.example.com and not https://svn.example.com. This will always give isBaseUrl to false leading to a loop of redirection.

I suggest that the test isBaseUrl(...) strip the http/https from the compare process.

Method to consider are : BaseUrlFilter.startsWith(...) and BaseUrlFilter.isBaseUrl(...).

PS: you can set 'force base url' to http://svn.example.com instead of https://svn.example.com to avoid the problem, but it will result in exiting the secure https process. If the front end server only provide https, you'll have to redirect all traffic from http to https.

This is very particular enhancement. So no need to rush things.

Comments (3)

  1. Sebastian Sebastian repo owner

    The "Force Base URL" parameter is mainly for installations with configured ssl and without reverse proxy to redirect from http to https. If you use a reverse proxy you should do the redirection in the configuration of the reverse proxy e.g. apache with mod_rewrite. I will update the help text of the field to make this more clear.

  2. Log in to comment