Author: hansbak
Date: Mon Jan 10 08:26:04 2011
New Revision: 1057115
URL:
http://svn.apache.org/viewvc?rev=1057115&view=rev
Log:
When a load balancer is in front of the ofbiz system and takes care of the ssl certificate, ofbiz is now reading the Header[X-Forwarded-Proto] parameters to check if the request was secure or not. It still works the old way if these request parameters are not present.
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1057115&r1=1057114&r2=1057115&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Mon Jan 10 08:26:04 2011
@@ -183,7 +183,9 @@ public class RequestHandler {
}
boolean forceHttpSession = "true".equals(context.getInitParameter("forceHttpSession"));
// Check if we SHOULD be secure and are not.
- if (!request.isSecure() && requestMap.securityHttps) {
+ String forwardedProto = request.getHeader("X-Forwarded-Proto");
+ boolean isForwardedSecure = UtilValidate.isNotEmpty(forwardedProto) && "HTTPS".equals(forwardedProto.toUpperCase());
+ if ((!request.isSecure() && !isForwardedSecure) && requestMap.securityHttps) {
// If the request method was POST then return an error to avoid problems with XSRF where the request may have come from another machine/program and had the same session ID but was not encrypted as it should have been (we used to let it pass to not lose data since it was too late to protect that data anyway)
if (request.getMethod().equalsIgnoreCase("POST")) {
// we can't redirect with the body parameters, and for better security from XSRF, just return an error message
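Review bot: The new `isForwardedSecure` check trusts the `X-Forwarded-Proto` header unconditionally, so any client that can reach the container directly over plain HTTP (not through the load balancer) can present `X-Forwarded-Proto: https` and skip the `securityHttps` enforcement that follows, including the POST rejection this block exists to provide. The header should only be honoured when the request arrives from a trusted proxy: gate it on a configuration switch that is off by default (for example an init parameter next to `forceHttpSession`) and/or on the remote address belonging to the load balancer, or leave the translation to the container's own proxy support so `request.isSecure()` already reflects the original scheme. Two smaller points on the same lines: `"HTTPS".equals(forwardedProto.toUpperCase())` can be written `"https".equalsIgnoreCase(forwardedProto)` and avoids the locale-dependent `toUpperCase()`, and when several proxies are chained the header may carry a comma-separated list, so the comparison should consider the first entry rather than the whole string.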