Improving BaseUrlFilter for http/https

Issue #379 wontfix
mastah naleh
created an issue

Currently if you are using the application on a tomcat server (for example) and a reverse proxy, and if the reverse proxy is providing https, the 'force base url' directive misleads you.

To be more specific : tomcat is in http providing service via reverse proxy is in https only providing service via If 'Force base Url' is set for instead of you'll get stuck in a loop of redirection. The application will try to redirect you to

The reason why is because the directive in is comparing the configured baseUrl to the request url. Sadly since tomcat is started in HTTP (in not HTTPS) the request url will look like and not This will always give isBaseUrl to false leading to a loop of redirection.

I suggest that the test isBaseUrl(...) strip the http/https from the compare process.

Method to consider are : BaseUrlFilter.startsWith(...) and BaseUrlFilter.isBaseUrl(...).

PS: you can set 'force base url' to instead of to avoid the problem, but it will result in exiting the secure https process. If the front end server only provide https, you'll have to redirect all traffic from http to https.

This is very particular enhancement. So no need to rush things.

Comments (3)

  1. Sebastian Sdorra repo owner

    The "Force Base URL" parameter is mainly for installations with configured ssl and without reverse proxy to redirect from http to https. If you use a reverse proxy you should do the redirection in the configuration of the reverse proxy e.g. apache with mod_rewrite. I will update the help text of the field to make this more clear.

  2. Log in to comment