Wrong redirect URL after logon where Tomcat is used in front of Apache with SSL
CITIZENGATE opened this issue · comments
Hi,
We just want to inform you that we faced a strange problem when Tomcat is used with an Apache front end (with SSL) that proxies to Tomcat over HTTP (not HTTPS).
After accessing the login page with "https://mydomain.com/login.jsp", when the "submit" button is pressed, the redirected page is http://mydomain.com/index.jsp and not https://mydomain.com/index.jsp as expected.
This is the case with release 5.3.5 and should also be the same with the latest release.
To reproduce:
- install Apache with a self-signed certificate and configure mod_proxy to reverse proxy to Tomcat
- configure Tomcat without SSL (with default port 8080 and no SSL port)
- try to authenticate.
Reason: In class `AxelorCallbackFilter`, the call `context.getSessionStore().get(context, Pac4jConstants.REQUESTED_URL)` returns a URL with HTTP (e.g. http://mydomain.com/index.jsp) instead of the real requested one with HTTPS (e.g. https://mydomain.com/index.jsp).
The way I found to set it is to use the APPLICATION_HOME URL as a reference and to check inside `AppFilter.computeBaseUrl(...)` whether the proto is the same. If not, the proto is overridden with the APPLICATION_HOME proto. Moreover, I commented out `redirectUrl = requestedUrl` in the AuthPac4jModule file, line 428.
I don't think it's the right way to fix it but it works.
The Axelor deployment type described here (customer -> proxy = HTTPS, proxy -> Tomcat = HTTP) is a common practice, and Axelor must work with it.
Thank you.
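
The scheme mismatch reported above, as an added example that is not Axelor's code and not part of the original report: the backend sees plain HTTP, so the saved post-login URL is rebuilt with the scheme from `X-Forwarded-Proto`, accepted only when the request comes from the proxy itself. The class and method names, the trusted proxy addresses, and the assumption that Apache is configured to send `X-Forwarded-Proto` are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class ForwardedSchemeExample {

    // Assumption: address(es) of the TLS-terminating Apache proxy as seen by Tomcat.
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1", "::1");

    /** Scheme the browser used; X-Forwarded-Proto counts only when sent by a trusted peer. */
    static String effectiveScheme(String requestScheme, String peerAddr, String forwardedProto) {
        if (forwardedProto == null || !TRUSTED_PROXIES.contains(peerAddr)) {
            return requestScheme; // header absent, or supplied by an arbitrary client
        }
        // If a proxy chain sends a list, take the first entry (assumed client-facing hop).
        String first = forwardedProto.split(",", 2)[0].trim().toLowerCase(Locale.ROOT);
        return first.equals("https") || first.equals("http") ? first : requestScheme;
    }

    /** Swaps only the scheme of the saved post-login URL; host, path and query stay as-is. */
    static String fixRedirect(String savedUrl, String scheme) throws URISyntaxException {
        String saved = new URI(savedUrl).getScheme(); // also rejects malformed URLs
        if (saved == null || saved.equalsIgnoreCase(scheme)) {
            return savedUrl; // relative URL or already correct
        }
        return scheme + savedUrl.substring(saved.length());
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed input: the URL from the report, as saved by the backend over plain HTTP.
        String saved = "http://mydomain.com/index.jsp";

        // Request relayed by the trusted proxy with X-Forwarded-Proto: https
        String viaProxy = effectiveScheme("http", "127.0.0.1", "https");
        System.out.println(fixRedirect(saved, viaProxy));

        // Same header from an untrusted address (constructed): ignored, URL unchanged
        String direct = effectiveScheme("http", "203.0.113.9", "https");
        System.out.println(fixRedirect(saved, direct));
    }
}
```

Restricting the header to known proxy addresses matters because any client that can reach the backend directly can otherwise choose the scheme of its own redirect.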